author | Nils Adermann <naderman@naderman.de> | 2007-02-25 22:09:53 +0000 |
---|---|---|
committer | Nils Adermann <naderman@naderman.de> | 2007-02-25 22:09:53 +0000 |
commit | b66e0fcd34d3209ca86059d1737125699a726a7d (patch) | |
tree | 96f2a08d958122e7f0c4780c718694646ac4e846 /phpBB/includes | |
parent | 424a520d0e3d8f668b70c632a8d787f004d8098b (diff) | |
- fix htmlspecialchars handling in search (search backends get specialchared input, and should return specialchared output), current backends strip entities anyway [includes Bug #8156]
- allow cancelling search index creation/removal
- custom CSS class name input too short [Bug #8328]
- give an error message if a password wasn't convertable (special characters in non-standard encoding)
- moved still_on_time to functions.php, used by acp_search and converter, might be useful for MODs (or complex cron scripts)
- do not allow empty passwords on login
- add sids to local URLs in posts (this was a really terrible bug to fix ;-)) [Bug #7892]
- ignore invalid HTTP_X_FORWARDED_FOR headers (just use REMOTE_ADDR if invalid) [Bug #8314]
- changed forum listing code on search page and acp_attachments [Bug #6658]
- search indexing uses still_on_time(), smaller batch size (1000) and meta_refresh() instead of redirect(), this should solve a few problems [Bugs #8034, #8270]
- made password requirement language strings clearer
- ALPHA is not meant to be alphanumeric [Bug #7764]
- display bug in firefox on linux making the pagination wrap on search results page (caused by )
git-svn-id: file:///svn/phpbb/trunk@7076 89ea8834-ac86-4346-8a33-228a782c2dd0
Diffstat (limited to 'phpBB/includes')
-rw-r--r-- | phpBB/includes/acp/acp_attachments.php | 8 | ||||
-rw-r--r-- | phpBB/includes/acp/acp_search.php | 234 | ||||
-rw-r--r-- | phpBB/includes/auth/auth_db.php | 47 | ||||
-rw-r--r-- | phpBB/includes/constants.php | 1 | ||||
-rw-r--r-- | phpBB/includes/functions.php | 61 | ||||
-rw-r--r-- | phpBB/includes/functions_convert.php | 32 | ||||
-rw-r--r-- | phpBB/includes/message_parser.php | 8 | ||||
-rw-r--r-- | phpBB/includes/session.php | 11 |
8 files changed, 238 insertions, 164 deletions
diff --git a/phpBB/includes/acp/acp_attachments.php b/phpBB/includes/acp/acp_attachments.php index 23b67aadc7..81ecc4c963 100644 --- a/phpBB/includes/acp/acp_attachments.php +++ b/phpBB/includes/acp/acp_attachments.php @@ -766,6 +766,8 @@ class acp_attachments if ($row['left_id'] > $cat_right) { + // make sure we don't forget anything + $s_forum_id_options .= $holding; $holding = ''; } @@ -781,6 +783,12 @@ class acp_attachments $holding = ''; } } + + if ($holding) + { + $s_forum_id_options .= $holding; + } + $db->sql_freeresult($result); unset($padding_store); diff --git a/phpBB/includes/acp/acp_search.php b/phpBB/includes/acp/acp_search.php index 1dfda1b684..ab81721311 100644 --- a/phpBB/includes/acp/acp_search.php +++ b/phpBB/includes/acp/acp_search.php @@ -9,6 +9,16 @@ */ /** +* @ignore +*/ +if (!defined('IN_PHPBB')) +{ + exit; +} +// make sure, a start time is saved +still_on_time(); + +/** * @package acp */ class acp_search @@ -17,7 +27,7 @@ class acp_search var $state; var $search; var $max_post_id; - var $batch_size = 5000; + var $batch_size = 1000; function main($id, $mode) { @@ -143,7 +153,7 @@ class acp_search if (!method_exists($search, 'init') || !($error = $search->init())) { set_config('search_type', $cfg_array['search_type']); - + if (!$updated) { add_log('admin', 'LOG_CONFIG_SEARCH'); @@ -210,6 +220,13 @@ class acp_search } $this->state = explode(',', $config['search_indexing_state']); + if (isset($_POST['cancel'])) + { + $action = ''; + $this->state = array(); + $this->save_state(); + } + if ($action) { switch ($action) @@ -218,15 +235,15 @@ class acp_search $type = request_var('type', ''); $this->display_progress_bar($type); break; - + case 'delete': $this->state[1] = 'delete'; break; - + case 'create': $this->state[1] = 'create'; break; - + default: trigger_error('NO_ACTION', E_USER_ERROR); break; 
@@ -243,10 +260,8 @@ class acp_search { trigger_error($error . adm_back_link($this->u_action), E_USER_WARNING); } - - $action = &$this->state[1]; - @set_time_limit(0); + $action = &$this->state[1]; $this->max_post_id = $this->get_max_post_id(); 
@@ -254,116 +269,126 @@ class acp_search $this->state[2] = &$post_counter; $this->save_state(); - if ($action == 'delete') + switch ($action) { - if (method_exists($this->search, 'delete_index')) - { - // pass a reference to myself so the $search object can make use of save_state() and attributes - if ($error = $this->search->delete_index($this, append_sid("{$phpbb_admin_path}index.$phpEx", "i=$id&mode=$mode&action=delete", false))) + case 'delete': + if (method_exists($this->search, 'delete_index')) { - $this->state = array(''); - $this->save_state(); - trigger_error($error . adm_back_link($this->u_action) . $this->close_popup_js(), E_USER_WARNING); + // pass a reference to myself so the $search object can make use of save_state() and attributes + if ($error = $this->search->delete_index($this, append_sid("{$phpbb_admin_path}index.$phpEx", "i=$id&mode=$mode&action=delete", false))) + { + $this->state = array(''); + $this->save_state(); + trigger_error($error . adm_back_link($this->u_action) . $this->close_popup_js(), E_USER_WARNING); + } } - } - else - { - $sql = 'SELECT post_id, poster_id, forum_id - FROM ' . POSTS_TABLE . ' - WHERE post_id >= ' . (int) ($post_counter + 1) . ' - AND post_id < ' . (int) ($post_counter + $this->batch_size); - $result = $db->sql_query($sql); - - $ids = $posters = array(); - while ($row = $db->sql_fetchrow($result)) + else { - $ids[] = $row['post_id']; - $posters[] = $row['poster_id']; - $forum_ids[] = $row['forum_id']; - } - $db->sql_freeresult($result); + while (still_on_time() && $post_counter <= $this->max_post_id) + { + $sql = 'SELECT post_id, poster_id, forum_id + FROM ' . POSTS_TABLE . ' + WHERE post_id >= ' . (int) ($post_counter + 1) . ' + AND post_id < ' . 
(int) ($post_counter + $this->batch_size); + $result = $db->sql_query($sql); + + $ids = $posters = $forum_ids = array(); + while ($row = $db->sql_fetchrow($result)) + { + $ids[] = $row['post_id']; + $posters[] = $row['poster_id']; + $forum_ids[] = $row['forum_id']; + } + $db->sql_freeresult($result); - if (sizeof($ids)) - { - $this->search->index_remove($ids, $posters, $forum_ids); + if (sizeof($ids)) + { + $this->search->index_remove($ids, $posters, $forum_ids); + } + + $post_counter += $this->batch_size; + + // save the current state + $this->save_state(); + } + + if ($post_counter <= $this->max_post_id) + { + meta_refresh(1, $this->u_action . '&action=delete&skip_rows=' . $post_counter); + trigger_error(sprintf($user->lang['SEARCH_INDEX_DELETE_REDIRECT'], $post_counter)); + } } - - $post_counter += $this->batch_size; - - // save the current state + + $this->search->tidy(); + + $this->state = array(''); $this->save_state(); - - if ($post_counter <= $this->max_post_id) - { - redirect($this->u_action . '&action=delete'); - } - } - - $this->search->tidy(); - $this->state = array(''); - $this->save_state(); + trigger_error($user->lang['SEARCH_INDEX_REMOVED'] . adm_back_link($this->u_action) . $this->close_popup_js()); + break; - trigger_error($user->lang['SEARCH_INDEX_REMOVED'] . adm_back_link($this->u_action) . $this->close_popup_js()); - } - else - { - if (method_exists($this->search, 'create_index')) - { - // pass a reference to myself so the $search object can make use of save_state() and attributes - if ($error = $this->search->create_index($this, append_sid("{$phpbb_admin_path}index.$phpEx", "i=$id&mode=$mode&action=create", false))) + case 'create': + if (method_exists($this->search, 'create_index')) { - $this->state = array(''); - $this->save_state(); - trigger_error($error . adm_back_link($this->u_action) . 
$this->close_popup_js(), E_USER_WARNING); + // pass a reference to acp_search so the $search object can make use of save_state() and attributes + if ($error = $this->search->create_index($this, append_sid("{$phpbb_admin_path}index.$phpEx", "i=$id&mode=$mode&action=create", false))) + { + $this->state = array(''); + $this->save_state(); + trigger_error($error . adm_back_link($this->u_action) . $this->close_popup_js(), E_USER_WARNING); + } } - } - else - { - $sql = 'SELECT forum_id, enable_indexing - FROM ' . FORUMS_TABLE; - $result = $db->sql_query($sql, 3600); - - while ($row = $db->sql_fetchrow($result)) + else { - $forums[$row['forum_id']] = (bool) $row['enable_indexing']; - } - $db->sql_freeresult($result); + $sql = 'SELECT forum_id, enable_indexing + FROM ' . FORUMS_TABLE; + $result = $db->sql_query($sql, 3600); - $sql = 'SELECT post_id, post_subject, post_text, poster_id, forum_id - FROM ' . POSTS_TABLE . ' - WHERE post_id >= ' . (int) ($post_counter + 1) . ' - AND post_id < ' . (int) ($post_counter + $this->batch_size); - $result = $db->sql_query($sql); + while ($row = $db->sql_fetchrow($result)) + { + $forums[$row['forum_id']] = (bool) $row['enable_indexing']; + } + $db->sql_freeresult($result); - while ($row = $db->sql_fetchrow($result)) - { - // Indexing enabled for this forum or global announcement? - // Global announcements get indexed by default. - if (!$row['forum_id'] || (isset($forums[$row['forum_id']]) && $forums[$row['forum_id']])) + while (still_on_time() && $post_counter <= $this->max_post_id) { - $this->search->index('post', $row['post_id'], $row['post_text'], $row['post_subject'], $row['poster_id'], $row['forum_id']); + $sql = 'SELECT post_id, post_subject, post_text, poster_id, forum_id + FROM ' . POSTS_TABLE . ' + WHERE post_id >= ' . (int) ($post_counter + 1) . ' + AND post_id < ' . 
(int) ($post_counter + $this->batch_size); + $result = $db->sql_query($sql); + + while ($row = $db->sql_fetchrow($result)) + { + // Indexing enabled for this forum or global announcement? + // Global announcements get indexed by default. + if (!$row['forum_id'] || (isset($forums[$row['forum_id']]) && $forums[$row['forum_id']])) + { + $this->search->index('post', $row['post_id'], $row['post_text'], $row['post_subject'], $row['poster_id'], $row['forum_id']); + } + } + $db->sql_freeresult($result); + + $post_counter += $this->batch_size; + + // save the current state + $this->save_state(); + } + + if ($post_counter <= $this->max_post_id) + { + meta_refresh(1, $this->u_action . '&action=create&skip_rows=' . $post_counter); + trigger_error(sprintf($user->lang['SEARCH_INDEX_CREATE_REDIRECT'], $post_counter)); } } - $db->sql_freeresult($result); - $post_counter += $this->batch_size; - - // save the current state + $this->search->tidy(); + + $this->state = array(''); $this->save_state(); - - if ($post_counter <= $this->max_post_id) - { - redirect($this->u_action . '&action=create'); - } - } - - $this->search->tidy(); - - $this->state = array(''); - $this->save_state(); - trigger_error($user->lang['SEARCH_INDEX_CREATED'] . adm_back_link($this->u_action) . $this->close_popup_js()); + trigger_error($user->lang['SEARCH_INDEX_CREATED'] . adm_back_link($this->u_action) . $this->close_popup_js()); + break; } } @@ -469,14 +494,11 @@ class acp_search function close_popup_js() { - /** - * @todo remove Javascript - */ - return '<script type="text/javascript"> - <!-- - close_waitscreen = 1; - //--> - </script>'; + return "<script type=\"text/javascript\">\n" . + "<!--\n" . + " close_waitscreen = 1;\n" . + "//-->\n" . + "</script>\n"; } function get_search_types() diff --git a/phpBB/includes/auth/auth_db.php b/phpBB/includes/auth/auth_db.php index baf193ecdb..afea47d1c1 100644 --- a/phpBB/includes/auth/auth_db.php +++ b/phpBB/includes/auth/auth_db.php 
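Review bot: Both batch SELECTs in the new `delete` and `create` loops skip every post whose id is an exact multiple of the batch size: with `post_id >= $post_counter + 1` and `post_id < $post_counter + $this->batch_size`, the first batch covers ids 1–999, the counter then advances by 1000 and the next batch starts at 1001, so id 1000 (and 2000, 3000, …) is never removed from or added to the index. The upper bound should be inclusive in both queries, `AND post_id <= ' . (int) ($post_counter + $this->batch_size);`. The `meta_refresh` resume via `skip_rows=` then picks up exactly where the previous request stopped, which is the behaviour the still_on_time() loop relies on. The enclosing method starts and ends outside this hunk.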
@@ -103,19 +103,44 @@ function login_db(&$username, &$password) $password_old_format = (!STRIP) ? addslashes($password_old_format) : $password_old_format; $password_new_format = ''; - set_var($password_new_format, $password_old_format, 'string'); + set_var($password_new_format, stripslashes($password_old_format), 'string'); - if ($password == $password_new_format && md5($password_old_format) == $row['user_password']) + if ($password == $password_new_format) { - // Update the password in the users table to the new format and remove user_pass_convert flag - $sql = 'UPDATE ' . USERS_TABLE . ' - SET user_password = \'' . $db->sql_escape(md5($password_new_format)) . '\', - user_pass_convert = 0 - WHERE user_id = ' . $row['user_id']; - $db->sql_query($sql); - - $row['user_pass_convert'] = 0; - $row['user_password'] = md5($password_new_format); + if (!function_exists('utf8_to_cp1252')) + { + global $phpbb_root_path, $phpEx; + include($phpbb_root_path . 'includes/utf/data/recode_basic.' . $phpEx); + } + + // cp1252 is phpBB2's default encoding, characters outside ASCII range might work when converted into that encoding + if (md5($password_old_format) == $row['user_password'] || utf8_to_cp1252(md5($password_old_format)) == $row['user_password']) + { + // Update the password in the users table to the new format and remove user_pass_convert flag + $sql = 'UPDATE ' . USERS_TABLE . ' + SET user_password = \'' . $db->sql_escape(md5($password_new_format)) . '\', + user_pass_convert = 0 + WHERE user_id = ' . $row['user_id']; + $db->sql_query($sql); + + $row['user_pass_convert'] = 0; + $row['user_password'] = md5($password_new_format); + } + else if (preg_match('/[\x80-\xFF]/', $password_old_format)) + { + // Although we weren't able to convert this password we have to + // increase login attempt count to make sure this cannot be exploited + $sql = 'UPDATE ' . USERS_TABLE . ' + SET user_login_attempts = user_login_attempts + 1 + WHERE user_id = ' . 
$row['user_id']; + $db->sql_query($sql); + + return array( + 'status' => LOGIN_ERROR_PASSWORD_CONVERT, + 'error_msg' => 'LOGIN_ERROR_PASSWORD_CONVERT', + 'user_row' => $row, + ); + } } } diff --git a/phpBB/includes/constants.php b/phpBB/includes/constants.php index 99812363b7..cb6b816224 100644 --- a/phpBB/includes/constants.php +++ b/phpBB/includes/constants.php @@ -48,6 +48,7 @@ define('LOGIN_ERROR_PASSWORD', 11); define('LOGIN_ERROR_ACTIVE', 12); define('LOGIN_ERROR_ATTEMPTS', 13); define('LOGIN_ERROR_EXTERNAL_AUTH', 14); +define('LOGIN_ERROR_PASSWORD_CONVERT', 15); // Group settings define('GROUP_OPEN', 0); diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index e360ffb3a0..b9e9716743 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php 
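Review bot: The cp1252 fallback on the new `if` line converts the wrong value: `utf8_to_cp1252(md5($password_old_format))` re-encodes a hex digest that is already pure ASCII, so the second operand is identical to the first and non-ASCII phpBB2 passwords still fail the check the comment above it describes. The conversion has to happen before hashing, `md5(utf8_to_cp1252($password_old_format)) == $row['user_password']`. While touching that line, compare the digests with `===` rather than `==`: PHP compares two numeric-looking strings numerically, so digests that both consist of `0e` followed only by digits would compare equal. login_db continues outside this hunk.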
@@ -175,6 +175,41 @@ function unique_id($extra = 'c') } /** +* Determine whether we are approaching the maximum execution time. Should be called once +* at the beginning of the script in which it's used. +* @return bool Either true if the maximum execution time is nearly reached, or false +* if some time is still left. +*/ +function still_on_time() +{ + static $max_execution_time, $start_time; + + $time = explode(' ', microtime()); + $current_time = $time[0] + $time[1]; + + if (empty($max_execution_time)) + { + $max_execution_time = (function_exists('ini_get')) ? (int) ini_get('max_execution_time') : (int) get_cfg_var('max_execution_time'); + + // If zero, then set to something higher to not let the user catch the ten seconds barrier. + if ($max_execution_time === 0) + { + $max_execution_time = 65; + } + + $max_execution_time = min(max(10, ($max_execution_time - 15)), 50); + + // For debugging purposes + // $max_execution_time = 10; + + global $starttime; + $start_time = (empty($starttime)) ? $current_time : $starttime; + } + + return (ceil($current_time - $start_time) < $max_execution_time) ? true : false; +} + +/** * Generate sort selection fields */ function gen_sort_selects(&$limit_days, &$sort_by_text, &$sort_days, &$sort_key, &$sort_dir, &$s_limit_days, &$s_sort_key, &$s_sort_dir, &$u_sort_param) @@ -1868,6 +1903,12 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa trigger_error('NO_AUTH_ADMIN_USER_DIFFER'); } + // do not allow empty password + if (!$password) + { + trigger_error('NO_PASSWORD_SUPPLIED'); + } + // If authentication is successful we redirect user to previous page $result = $auth->login($username, $password, $autologin, $viewonline, $admin); 
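Review bot: The docblock's `@return` on the moved still_on_time() is inverted relative to the code: the function returns `ceil($current_time - $start_time) < $max_execution_time`, i.e. true while time remains, and the acp_search call sites use it as `while (still_on_time() && ...)`. Suggested wording: `* @return bool true while the script is still within its (clamped) execution-time budget, false once the limit is nearly reached`. The `? true : false` wrapped around an already boolean comparison can go as well, `return ceil($current_time - $start_time) < $max_execution_time;`.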
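Review bot: The new empty-password guard in login_box uses truthiness, `if (!$password)`, which also rejects the literal password `0` (the string '0' is falsy in PHP) and raises NO_PASSWORD_SUPPLIED for an account whose password really is that string. Comparing against the empty string, `if ($password === '')`, keeps the intent of the check without the false positive. login_box starts and ends outside this hunk.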
@@ -1955,6 +1996,16 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa break; + case LOGIN_ERROR_PASSWORD_CONVERT: + $err = sprintf( + $user->lang[$result['error_msg']], + ($config['email_enable']) ? '<a href="' . append_sid("{$phpbb_root_path}ucp.$phpEx", 'mode=sendpassword') . '">' : '', + ($config['email_enable']) ? '</a>' : '', + ($config['board_contact']) ? '<a href="mailto:' . htmlspecialchars($config['board_contact']) . '">' : '', + ($config['board_contact']) ? '</a>' : '' + ); + break; + // Username, password, etc... default: $err = $user->lang[$result['error_msg']]; @@ -1964,6 +2015,7 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa { $err = (!$config['board_contact']) ? sprintf($user->lang[$result['error_msg']], '', '') : sprintf($user->lang[$result['error_msg']], '<a href="mailto:' . htmlspecialchars($config['board_contact']) . '">', '</a>'); } + break; } } @@ -2254,7 +2306,7 @@ function decode_message(&$message, $bbcode_uid = '') $message = str_replace($match, $replace, $message); $match = get_preg_expression('bbcode_htm'); - $replace = array('\1', '\2', '\1', '', ''); + $replace = array('\1', '\1', '\2', '\1', '', ''); $message = preg_replace($match, $replace, $message); } @@ -2272,7 +2324,7 @@ function strip_bbcode(&$text, $uid = '') $text = preg_replace("#\[\/?[a-z0-9\*\+\-]+(?:=.*?)?(?::[a-z])?(\:?$uid)\]#", ' ', $text); $match = get_preg_expression('bbcode_htm'); - $replace = array('\1', '\2', '\1', '', ''); + $replace = array('\1', '\1', '\2', '\1', '', ''); $text = preg_replace($match, $replace, $text); } 
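Review bot: The replacement arrays rewritten here in decode_message and strip_bbcode, together with the `unset($htm_match[4], $htm_match[5])` / `$htm_replace` pair in the message_parser.php hunk, all encode the position of each pattern in get_preg_expression('bbcode_htm') by hand, which is why splitting one pattern in two had to be mirrored in three places in this commit. A helper next to get_preg_expression that returns the matching replacement list (or a paired pattern => replacement array) would keep the callers in step automatically; until then a comment on each array, `// must match the order of get_preg_expression('bbcode_htm')`, makes the coupling visible. decode_message and strip_bbcode both continue outside their hunks.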
@@ -2399,7 +2451,7 @@ function make_clickable($text, $server_url = false) // relative urls for this board $magic_url_match[] = '#(^|[\n\t (])(' . preg_quote($server_url, '#') . ')/(' . get_preg_expression('relative_url_inline') . ')#ie'; - $magic_url_replace[] = "'\$1<!-- l --><a href=\"\$2/' . preg_replace('/(&|\?)sid=[0-9a-f]{32}/', '\\\\1', '\$3') . '\">' . ((strlen('\$3')) ? preg_replace('/(&|\?)sid=[0-9a-f]{32}/', '\\\\1', '\$3') : '\$2/') . '</a><!-- l -->'"; + $magic_url_replace[] = "'\$1<!-- l --><a href=\"' . append_sid('\$2/' . preg_replace('/(&|\?)sid=[0-9a-f]{32}$/', '', preg_replace('/(&|\?)sid=[0-9a-f]{32}&/', '\\\\1', '\$3'))) . '\">' . ((strlen('\$3')) ? preg_replace('/(&|\?)sid=[0-9a-f]{32}$/', '', preg_replace('/(&|\?)sid=[0-9a-f]{32}&/', '\\\\1', '\$3')) : '\$2/') . '</a><!-- l -->'"; // matches a xxxx://aaaaa.bbb.cccc. ... $magic_url_match[] = '#(^|[\n\t (])(' . get_preg_expression('url_inline') . ')#ie'; @@ -3027,7 +3079,8 @@ function get_preg_expression($mode) case 'bbcode_htm': return array( '#<!\-\- e \-\-><a href="mailto:(.*?)">.*?</a><!\-\- e \-\->#', - '#<!\-\- ([lmw]) \-\-><a href="(.*?)">.*?</a><!\-\- \1 \-\->#', + '#<!\-\- l \-\-><a href="(.*?)(?:(&|\?)sid=[0-9a-f]{32})?">.*?</a><!\-\- l \-\->#', + '#<!\-\- ([mw]) \-\-><a href="(.*?)">.*?</a><!\-\- \1 \-\->#', '#<!\-\- s(.*?) \-\-><img src="\{SMILIES_PATH\}\/.*? \/><!\-\- s\1 \-\->#', '#<!\-\- .*? \-\->#s', '#<.*?>#s', diff --git a/phpBB/includes/functions_convert.php b/phpBB/includes/functions_convert.php index 87fe1c2649..f8702fcc29 100644 --- a/phpBB/includes/functions_convert.php +++ b/phpBB/includes/functions_convert.php 
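Review bot: The rewritten `$magic_url_replace[]` entry for relative URLs is a replacement string that the `#ie` modifier evaluates as PHP, and it now carries the same two nested `preg_replace` calls twice (once inside `append_sid`, once for the link text). Moving this pattern to `preg_replace_callback` with a small named function would remove the string-eval, compute the sid-stripped path once, and make the handling of the captured `$2`/`$3` text explicit instead of relying on the quoting the `e` modifier applies to backreferences. The new `l` pattern added to get_preg_expression in the following hunk then only has to stay in step with what that function emits. make_clickable starts and ends outside this hunk.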
@@ -17,38 +17,6 @@ define('DEFAULT_AVATAR_Y', 80); // Global functions - all functions can be used by convertors -/** -* Determine whether we are approaching the maximum execution time -*/ -function still_on_time() -{ - static $max_execution_time, $start_time; - - $time = explode(' ', microtime()); - $current_time = $time[0] + $time[1]; - - if (empty($max_execution_time)) - { - $max_execution_time = (function_exists('ini_get')) ? (int) ini_get('max_execution_time') : (int) get_cfg_var('max_execution_time'); - - // If zero, then set to something higher to not let the user catch the ten seconds barrier. - if ($max_execution_time === 0) - { - $max_execution_time = 65; - } - - $max_execution_time = min(max(10, ($max_execution_time - 15)), 50); - - // For debugging purposes - // $max_execution_time = 10; - - global $starttime; - $start_time = (empty($starttime)) ? $current_time : $starttime; - } - - return (ceil($current_time - $start_time) < $max_execution_time) ? true : false; -} - // SIMPLE FUNCTIONS /** diff --git a/phpBB/includes/message_parser.php b/phpBB/includes/message_parser.php index d358ec8f48..e2f3a2b271 100644 --- a/phpBB/includes/message_parser.php +++ b/phpBB/includes/message_parser.php @@ -366,9 +366,9 @@ class bbcode_firstpass extends bbcode // Additionally, magic url parsing should go after parsing bbcodes, but for safety those are stripped out too... $htm_match = get_preg_expression('bbcode_htm'); // $htm_match[3] = '/&#([0-9]+);/'; - unset($htm_match[3], $htm_match[4]); + unset($htm_match[4], $htm_match[5]); - $htm_replace = array('\1', '\2', '\1'); //, '&#\1;'); + $htm_replace = array('\1', '\1', '\2', '\1'); //, '&#\1;'); $out = ''; 
@@ -848,7 +848,9 @@ class bbcode_firstpass extends bbcode // Is this a link to somewhere inside this board? If so then remove the session id from the url if (strpos($url, generate_board_url()) !== false && strpos($url, 'sid=') !== false) { - $url = preg_replace('/(&|\?)sid=[0-9a-f]{32}/', '\1', $url); + $url = preg_replace('/(&|\?)sid=[0-9a-f]{32}&/', '\1', $url); + $url = preg_replace('/(&|\?)sid=[0-9a-f]{32}$/', '', $url); + $url = append_sid($url); } return ($var1) ? '[url=' . $this->bbcode_specialchars($url) . ':' . $this->bbcode_uid . ']' . $var2 . '[/url:' . $this->bbcode_uid . ']' : '[url:' . $this->bbcode_uid . ']' . $this->bbcode_specialchars($url) . '[/url:' . $this->bbcode_uid . ']'; diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php index 0a9084eb6d..351d284c62 100644 --- a/phpBB/includes/session.php +++ b/phpBB/includes/session.php @@ -168,14 +168,9 @@ class session // check IPv4 first, the IPv6 is hopefully only going to be used very seldomly if (!empty($ip) && !preg_match($ipv4, $ip) && !preg_match($ipv6, $ip)) { - if (!defined('DEBUG_EXTRA')) - { - trigger_error('Hacking attempt!'); - } - else - { - trigger_error('Invalid HTTP_X_FORWARDED_FOR header detected: ' . htmlspecialchars($this->forwarded_for)); - } + // contains invalid data, don't use the forwarded for header + $this->forwarded_for = ''; + break; } } } |
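Review bot: The guard `strpos($url, generate_board_url()) !== false` is a substring test, so a URL on another host whose query string happens to contain the board URL (constructed example: `http://other.example/?r=http://board.example/phpBB/&sid=...`) also enters this branch and is handed to the newly added `append_sid()` call; if append_sid attaches a session id to it, that id would be sent to the foreign host. Since the comment states the intent as "a link to somewhere inside this board", anchor the check at the start of the string, `if (strpos($url, generate_board_url()) === 0 && strpos($url, 'sid=') !== false)`. The enclosing method starts and ends outside this hunk.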