[phpMyChat CVS] CVS: phpMyChat-0.15/chat/lib/commands whois.cmd.php3,1.7,1.8 save.cmd.php3,1.4,1.5 quit.cmd.php3,1.6,1.7 promote.cmd.php3,1.5,1.6 priv_msg.cmd.php3,1.5,1.6 me.cmd.php3,1.8,1.9 kick.cmd.php3,1.4,1.5 join.cmd.php3,1.7,1.8 invite.cmd.php3,1.10,1.11 ignore.cmd.php3,1.6,1.7 banish.cmd.php3,1.9,1.10 announce.cmd.php3,1.8,1.9

[Lo?c C. <lo...@us...>]

Update of /cvsroot/phpmychat/phpMyChat-0.15/chat/lib/commands
In directory usw-pr-cvs1:/tmp/cvs-serv15437/chat/lib/commands

Modified Files:
	whois.cmd.php3 save.cmd.php3 quit.cmd.php3 promote.cmd.php3 
	priv_msg.cmd.php3 me.cmd.php3 kick.cmd.php3 join.cmd.php3 
	invite.cmd.php3 ignore.cmd.php3 banish.cmd.php3 
	announce.cmd.php3 
Log Message:
Fixed some possibily security issues

Index: whois.cmd.php3
===================================================================
RCS file: /cvsroot/phpmychat/phpMyChat-0.15/chat/lib/commands/whois.cmd.php3,v
retrieving revision 1.7
retrieving revision 1.8
diff -C2 -r1.7 -r1.8
*** whois.cmd.php3	2001/04/30 22:44:57	1.7
--- whois.cmd.php3	2001/05/30 08:07:12	1.8
***************
*** 26,29 ****
--- 26,39 ----
  
  /**
+  * Ensure this library is called by another of the phpMyChat scripts (fix a
+  * security hole)
+  */
+ if (!dbSessionIsRegistered('lang'))
+ {
+ 	exit();
+ }
+ 
+ 
+ /**
   * Check for invalid characters in the target user name
   */ 
***************
*** 46,56 ****
  	$dbLink->cleanResults();
  
! 	// Not a registered users -> show IP if the current user is administrator
! 	// or moderator of the current room, or if the target user is itself
  	if (!$isProfile)
  	{
  		$error			= sprintf(L_NONREG_USER, $cmd[1]);
! 		if (($dbSessionVars['status'] == 'a' || $dbSessionVars['status'] == 'm')
! 			|| $dbSessionVars['nick'] == $cmd[1])
  		{
  			$dbLink->query("SELECT ip FROM " . C_USR_TBL . " WHERE username='" . $slashedTarget . "' LIMIT 1");
--- 56,65 ----
  	$dbLink->cleanResults();
  
! 	// Not a registered users -> show IP if the current user is the
! 	// administrator or use the command for himself
  	if (!$isProfile)
  	{
  		$error			= sprintf(L_NONREG_USER, $cmd[1]);
! 		if ($dbSessionVars['status'] == 'a' || $dbSessionVars['nick'] == $cmd[1])
  		{
  			$dbLink->query("SELECT ip FROM " . C_USR_TBL . " WHERE username='" . $slashedTarget . "' LIMIT 1");

Index: save.cmd.php3
===================================================================
RCS file: /cvsroot/phpmychat/phpMyChat-0.15/chat/lib/commands/save.cmd.php3,v
retrieving revision 1.4
retrieving revision 1.5
diff -C2 -r1.4 -r1.5
*** save.cmd.php3	2001/04/30 22:44:57	1.4
--- save.cmd.php3	2001/05/30 08:07:12	1.5
***************
*** 26,29 ****
--- 26,39 ----
  
  /**
+  * Ensure this library is called by another of the phpMyChat scripts (fix a
+  * security hole)
+  */
+ if (!dbSessionIsRegistered('lang'))
+ {
+ 	exit();
+ }
+ 
+ 
+ /**
   * Ensure there are some messages to save
   *

Index: quit.cmd.php3
===================================================================
RCS file: /cvsroot/phpmychat/phpMyChat-0.15/chat/lib/commands/quit.cmd.php3,v
retrieving revision 1.6
retrieving revision 1.7
diff -C2 -r1.6 -r1.7
*** quit.cmd.php3	2001/05/07 21:15:00	1.6
--- quit.cmd.php3	2001/05/30 08:07:12	1.7
***************
*** 26,29 ****
--- 26,39 ----
  
  /**
+  * Ensure this library is called by another of the phpMyChat scripts (fix a
+  * security hole)
+  */
+ if (!dbSessionIsRegistered('lang'))
+ {
+ 	exit();
+ }
+ 
+ 
+ /**
   * Put the message in the messages table if required
   *

Index: promote.cmd.php3
===================================================================
RCS file: /cvsroot/phpmychat/phpMyChat-0.15/chat/lib/commands/promote.cmd.php3,v
retrieving revision 1.5
retrieving revision 1.6
diff -C2 -r1.5 -r1.6
*** promote.cmd.php3	2001/04/21 19:37:39	1.5
--- promote.cmd.php3	2001/05/30 08:07:12	1.6
***************
*** 26,29 ****
--- 26,39 ----
  
  /**
+  * Ensure this library is called by another of the phpMyChat scripts (fix a
+  * security hole)
+  */
+ if (!dbSessionIsRegistered('lang'))
+ {
+ 	exit();
+ }
+ 
+ 
+ /**
   * Check for invalid characters in the target user name
   */
***************
*** 76,80 ****
  
  			$dbLink->query("UPDATE " . C_REG_TBL . " SET perms = 'moderator', rooms = '$slashedModeratedRooms' WHERE username = '$slashedTarget'");
! 			$dbLink->query("UPDATE " . C_USR_TBL . " SET status = 'm' WHERE username = '$slashedTarget'");
  			$msgQuery	= 'INSERT INTO ' . C_MSG_TBL . ' '
  						. '(type, room, username, latin1, m_time, address, color, msg_original, msg_enhanced) '
--- 86,90 ----
  
  			$dbLink->query("UPDATE " . C_REG_TBL . " SET perms = 'moderator', rooms = '$slashedModeratedRooms' WHERE username = '$slashedTarget'");
! 			$dbLink->query("UPDATE " . C_USR_TBL . " SET status = 'm' WHERE username = '$slashedTarget' AND room = '$slashedCurrentRoomName'");
  			$msgQuery	= 'INSERT INTO ' . C_MSG_TBL . ' '
  						. '(type, room, username, latin1, m_time, address, color, msg_original, msg_enhanced) '

Index: priv_msg.cmd.php3
===================================================================
RCS file: /cvsroot/phpmychat/phpMyChat-0.15/chat/lib/commands/priv_msg.cmd.php3,v
retrieving revision 1.5
retrieving revision 1.6
diff -C2 -r1.5 -r1.6
*** priv_msg.cmd.php3	2001/05/07 21:15:00	1.5
--- priv_msg.cmd.php3	2001/05/30 08:07:12	1.6
***************
*** 25,28 ****
--- 25,38 ----
  
  
+ /**
+  * Ensure this library is called by another of the phpMyChat scripts (fix a
+  * security hole)
+  */
+ if (!dbSessionIsRegistered('lang'))
+ {
+ 	exit();
+ }
+ 
+ 
  $cmd[2]	= trim($cmd[2]);
  $cmd[3]	= trim($cmd[3]);

Index: me.cmd.php3
===================================================================
RCS file: /cvsroot/phpmychat/phpMyChat-0.15/chat/lib/commands/me.cmd.php3,v
retrieving revision 1.8
retrieving revision 1.9
diff -C2 -r1.8 -r1.9
*** me.cmd.php3	2001/05/10 11:46:33	1.8
--- me.cmd.php3	2001/05/30 08:07:12	1.9
***************
*** 25,28 ****
--- 25,38 ----
  
  
+ /**
+  * Ensure this library is called by another of the phpMyChat scripts (fix a
+  * security hole)
+  */
+ if (!dbSessionIsRegistered('lang'))
+ {
+ 	exit();
+ }
+ 
+ 
  // Store the strict original message
  $strictMessage		= $message;

Index: kick.cmd.php3
===================================================================
RCS file: /cvsroot/phpmychat/phpMyChat-0.15/chat/lib/commands/kick.cmd.php3,v
retrieving revision 1.4
retrieving revision 1.5
diff -C2 -r1.4 -r1.5
*** kick.cmd.php3	2001/05/26 11:54:25	1.4
--- kick.cmd.php3	2001/05/30 08:07:12	1.5
***************
*** 26,29 ****
--- 26,39 ----
  
  /**
+  * Ensure this library is called by another of the phpMyChat scripts (fix a
+  * security hole)
+  */
+ if (!dbSessionIsRegistered('lang'))
+ {
+ 	exit();
+ }
+ 
+ 
+ /**
   * Check for invalid characters in the target user name
   */

Index: join.cmd.php3
===================================================================
RCS file: /cvsroot/phpmychat/phpMyChat-0.15/chat/lib/commands/join.cmd.php3,v
retrieving revision 1.7
retrieving revision 1.8
diff -C2 -r1.7 -r1.8
*** join.cmd.php3	2001/05/25 22:49:22	1.7
--- join.cmd.php3	2001/05/30 08:07:12	1.8
***************
*** 26,29 ****
--- 26,39 ----
  
  /**
+  * Ensure this library is called by another of the phpMyChat scripts (fix a
+  * security hole)
+  */
+ if (!dbSessionIsRegistered('lang'))
+ {
+ 	exit();
+ }
+ 
+ 
+ /**
   * Get the swearing library and defines some variables
   *

Index: invite.cmd.php3
===================================================================
RCS file: /cvsroot/phpmychat/phpMyChat-0.15/chat/lib/commands/invite.cmd.php3,v
retrieving revision 1.10
retrieving revision 1.11
diff -C2 -r1.10 -r1.11
*** invite.cmd.php3	2001/05/26 11:54:25	1.10
--- invite.cmd.php3	2001/05/30 08:07:12	1.11
***************
*** 26,29 ****
--- 26,39 ----
  
  /**
+  * Ensure this library is called by another of the phpMyChat scripts (fix a
+  * security hole)
+  */
+ if (!dbSessionIsRegistered('lang'))
+ {
+ 	exit();
+ }
+ 
+ 
+ /**
   * Check for invalid characters in the target user name
   */

Index: ignore.cmd.php3
===================================================================
RCS file: /cvsroot/phpmychat/phpMyChat-0.15/chat/lib/commands/ignore.cmd.php3,v
retrieving revision 1.6
retrieving revision 1.7
diff -C2 -r1.6 -r1.7
*** ignore.cmd.php3	2001/04/30 22:44:57	1.6
--- ignore.cmd.php3	2001/05/30 08:07:12	1.7
***************
*** 26,29 ****
--- 26,39 ----
  
  /**
+  * Ensure this library is called by another of the phpMyChat scripts (fix a
+  * security hole)
+  */
+ if (!dbSessionIsRegistered('lang'))
+ {
+ 	exit();
+ }
+ 
+ 
+ /**
   * Check for invalid characters in the target user name
   */

Index: banish.cmd.php3
===================================================================
RCS file: /cvsroot/phpmychat/phpMyChat-0.15/chat/lib/commands/banish.cmd.php3,v
retrieving revision 1.9
retrieving revision 1.10
diff -C2 -r1.9 -r1.10
*** banish.cmd.php3	2001/05/26 11:54:25	1.9
--- banish.cmd.php3	2001/05/30 08:07:12	1.10
***************
*** 26,29 ****
--- 26,39 ----
  
  /**
+  * Ensure this library is called by another of the phpMyChat scripts (fix a
+  * security hole)
+  */
+ if (!dbSessionIsRegistered('lang'))
+ {
+ 	exit();
+ }
+ 
+ 
+ /**
   * Check for invalid characters in the target user name
   */

Index: announce.cmd.php3
===================================================================
RCS file: /cvsroot/phpmychat/phpMyChat-0.15/chat/lib/commands/announce.cmd.php3,v
retrieving revision 1.8
retrieving revision 1.9
diff -C2 -r1.8 -r1.9
*** announce.cmd.php3	2001/05/07 21:15:00	1.8
--- announce.cmd.php3	2001/05/30 08:07:12	1.9
***************
*** 26,29 ****
--- 26,39 ----
  
  /**
+  * Ensure this library is called by another of the phpMyChat scripts (fix a
+  * security hole)
+  */
+ if (!dbSessionIsRegistered('lang'))
+ {
+ 	exit();
+ }
+ 
+ 
+ /**
   * The current user is administrator -> insert the message in the 'messages'
   * table