Diffstat (limited to 'phpBB/includes')
-rw-r--r-- | phpBB/includes/functions.php | 2 | ||||
-rw-r--r-- | phpBB/includes/functions_content.php | 29 | ||||
-rw-r--r-- | phpBB/includes/functions_convert.php | 30 | ||||
-rw-r--r-- | phpBB/includes/functions_posting.php | 6 | ||||
-rw-r--r-- | phpBB/includes/functions_user.php | 101 | ||||
-rw-r--r-- | phpBB/includes/message_parser.php | 5 | ||||
-rw-r--r-- | phpBB/includes/session.php | 9 |
7 files changed, 106 insertions, 76 deletions
diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php
index 099e680cae..7eba95ed04 100644
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@@ -745,7 +745,7 @@ function tz_select($default = '', $truncate = false)
 {
 if ($truncate)
 {
- $zone_trunc = truncate_string($zone, 50, false, '...');
+ $zone_trunc = truncate_string($zone, 50, 255, false, '...');
 }
 else
 {
diff --git a/phpBB/includes/functions_content.php b/phpBB/includes/functions_content.php
index 73ab553cf0..bc31bf44d7 100644
--- a/phpBB/includes/functions_content.php
+++ b/phpBB/includes/functions_content.php
@@ -435,6 +435,7 @@ function generate_text_for_display($text, $uid, $bitfield, $flags)
 function generate_text_for_storage(&$text, &$uid, &$bitfield, &$flags, $allow_bbcode = false, $allow_urls = false, $allow_smilies = false)
 {
 $uid = $bitfield = '';
+ $flags = (($allow_bbcode) ? OPTION_FLAG_BBCODE : 0) + (($allow_smilies) ? OPTION_FLAG_SMILIES : 0) + (($allow_urls) ? OPTION_FLAG_LINKS : 0);
 
 if (!$text)
 {
@@ -458,7 +459,6 @@ function generate_text_for_storage(&$text, &$uid, &$bitfield, &$flags, $allow_bb
 $uid = '';
 }
 
- $flags = (($allow_bbcode) ? OPTION_FLAG_BBCODE : 0) + (($allow_smilies) ? OPTION_FLAG_SMILIES : 0) + (($allow_urls) ? OPTION_FLAG_LINKS : 0);
 $bitfield = $message_parser->bbcode_bitfield;
 
 return;
@@ -563,7 +563,7 @@ function make_clickable_callback($type, $whitespace, $url, $relative_url, $class
 $relative_url = preg_replace('/[&?]sid=[0-9a-f]{32}$/', '', preg_replace('/([&?])sid=[0-9a-f]{32}&/', '$1', $relative_url));
 $url = $url . '/' . $relative_url;
 $text = $relative_url;
-
+
 // this url goes to http://domain.tld/path/to/board/ which
 // would result in an empty link if treated as local so
 // don't touch it and let MAGIC_URL_FULL take care of it.
@@ -1062,8 +1062,16 @@ function extension_allowed($forum_id, $extension, &$extensions)
 /**
 * Truncates string while retaining special characters if going over the max length
 * The default max length is 60 at the moment
+* The maximum storage length is there to fit the string within the given length. The string may be further truncated due to html entities.
+* For example: string given is 'a "quote"' (length: 9), would be a stored as 'a "quote"' (length: 19)
+*
+* @param string $string The text to truncate to the given length. String is specialchared.
+* @param int $max_length Maximum length of string (multibyte character count as 1 char / Html entity count as 1 char)
+* @param int $max_store_length Maximum character length of string (multibyte character count as 1 char / Html entity count as entity chars).
+* @param bool $allow_reply Allow Re: in front of string
+* @param string $append String to be appended
 */
-function truncate_string($string, $max_length = 60, $allow_reply = true, $append = '')
+function truncate_string($string, $max_length = 60, $max_store_length = 255, $allow_reply = true, $append = '')
 {
 $chars = array();
 
@@ -1086,6 +1094,21 @@ function truncate_string($string, $max_length = 60, $allow_reply = true, $append
 $stripped = true;
 }
 
+ // Due to specialchars, we may not be able to store the string...
+ if (utf8_strlen($string) > $max_store_length)
+ {
+ // let's split again, we do not want half-baked strings where entities are split
+ $_chars = utf8_str_split(htmlspecialchars_decode($string));
+ $chars = array_map('utf8_htmlspecialchars', $_chars);
+
+ do
+ {
+ array_pop($chars);
+ $string = implode('', $chars);
+ }
+ while (utf8_strlen($string) > $max_store_length || !sizeof($chars));
+ }
+
 if ($strip_reply)
 {
 $string = 'Re: ' . $string;
diff --git a/phpBB/includes/functions_convert.php b/phpBB/includes/functions_convert.php
index 592fcf13f3..7a28cc2665 100644
--- a/phpBB/includes/functions_convert.php
+++ b/phpBB/includes/functions_convert.php
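Review bot: The `do … while` added in the `$max_store_length` block cannot terminate once `$chars` runs empty, because its condition is `utf8_strlen($string) > $max_store_length || !sizeof($chars)` — an empty array makes the right-hand side true, and `array_pop()` on an empty array leaves it empty, so the loop spins forever. That is reachable whenever `$max_store_length` is smaller than one entity-encoded character (a small limit and a `"` that becomes `&quot;`), and the intended guard is `while (!empty($chars) && utf8_strlen($string) > $max_store_length);`. Note also that this check runs before the `$strip_reply` branch at the end of the hunk prepends `'Re: '`, so a string trimmed to exactly `$max_store_length` is stored four characters longer when the prefix is added. The rest of truncate_string's body lies outside the hunk.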
@@ -148,7 +148,7 @@ function auto_id($pad = 0)
 {
 return $convert_row['max_id'] + $pad;
 }
-
+
 return $auto_id + $pad;
 }
 
@@ -280,7 +280,7 @@ function get_config_value($config_name)
 {
 $convert_config = get_config();
 }
-
+
 if (!isset($convert_config[$config_name]))
 {
 return false;
@@ -669,12 +669,12 @@ function import_avatar($source, $use_target = false, $user_id = false)
 {
 $convert->p_master->error(sprintf($user->lang['CONV_ERROR_NO_AVATAR_PATH'], 'import_avatar()'), __LINE__, __FILE__);
 }
-
+
 if ($use_target === false && $user_id !== false)
 {
 $use_target = $config['avatar_salt'] . '_' . $user_id . '.' . substr(strrchr($source, '.'), 1);
 }
-
+
 $result = _import_check('avatar_path', $source, $use_target);
 
 return ((!empty($user_id)) ? $user_id : $use_target) . '.' . substr(strrchr($source, '.'), 1);
@@ -946,7 +946,7 @@ function get_remote_avatar_dim($src, $axis)
 unset($remote_avatar_cache);
 return $retval;
 }
-
+
 $url_info = @parse_url($src);
 if (empty($url_info['host']))
 {
@@ -962,19 +962,19 @@ function get_remote_avatar_dim($src, $axis)
 case 'ftp':
 $port = 21;
 break;
-
+
 case 'https':
 $port = 443;
 break;
-
+
 default:
 $port = 80;
 }
 }
-
+
 $timeout = @ini_get('default_socket_timeout');
 @ini_set('default_socket_timeout', 2);
-
+
 // We're just trying to reach the server to avoid timeouts
 $fp = @fsockopen($host, $port, $errno, $errstr, 1);
 if ($fp)
@@ -982,11 +982,11 @@ function get_remote_avatar_dim($src, $axis)
 $remote_avatar_cache[$src] = @getimagesize($src);
 fclose($fp);
 }
-
+
 $default_x = (defined('DEFAULT_AVATAR_X_CUSTOM')) ? DEFAULT_AVATAR_X_CUSTOM : DEFAULT_AVATAR_X;
 $default_y = (defined('DEFAULT_AVATAR_Y_CUSTOM')) ? DEFAULT_AVATAR_Y_CUSTOM : DEFAULT_AVATAR_Y;
 $default = array($default_x, $default_y);
-
+
 if (empty($remote_avatar_cache[$src]) || empty($remote_avatar_cache[$src][0]) || empty($remote_avatar_cache[$src][1]))
 {
 $remote_avatar_cache[$src] = $default;
@@ -1002,7 +1002,7 @@ function get_remote_avatar_dim($src, $axis)
 $remote_avatar_cache[$src][1] = (int)($remote_avatar_cache[$src][1] * $ratio);
 }
 }
-
+
 @ini_set('default_socket_timeout', $timeout);
 return $remote_avatar_cache[$src][$axis];
 }
@@ -1112,7 +1112,7 @@ function words_unique(&$words)
 function add_user_group($group_id, $user_id, $group_leader=false)
 {
 global $convert, $config, $user, $db;
-
+
 $sql = 'INSERT INTO ' . USER_GROUP_TABLE . ' ' . $db->sql_build_array('INSERT', array(
 'group_id' => $group_id,
 'user_id' => $user_id,
@@ -1282,7 +1282,7 @@ function restore_config($schema)
 // Most are...
 if (is_string($config_value))
 {
- $config_value = truncate_string(utf8_htmlspecialchars($config_value), 255, false);
+ $config_value = truncate_string(utf8_htmlspecialchars($config_value), 255, 255, false);
 }
 
 set_config($config_name, $config_value);
@@ -2440,7 +2440,7 @@ function get_smiley_display()
 function fill_dateformat($user_dateformat)
 {
 global $config;
-
+
 return ((empty($user_dateformat)) ? $config['default_dateformat'] : $user_dateformat);
 }
 
diff --git a/phpBB/includes/functions_posting.php b/phpBB/includes/functions_posting.php
index d35cb44c9c..e59ecca30a 100644
--- a/phpBB/includes/functions_posting.php
+++ b/phpBB/includes/functions_posting.php
@@ -360,7 +360,7 @@ function upload_attachment($form_name, $forum_id, $local = false, $local_storage
 {
 $upload->set_disallowed_content(explode('|', $config['mime_triggers']));
 }
-
+
 if (!$local)
 {
 $filedata['post_attach'] = ($upload->is_valid($form_name)) ? true : false;
@@ -1340,7 +1340,7 @@ function delete_post($forum_id, $topic_id, $post_id, &$data)
 else if ($data['topic_first_post_id'] == $post_id)
 {
 $post_mode = 'delete_first_post';
- }
+ }
 else if ($data['topic_last_post_id'] == $post_id)
 {
 $post_mode = 'delete_last_post';
@@ -1646,7 +1646,7 @@ function submit_post($mode, $subject, $username, $topic_type, &$poll, &$data, $u
 // Display edit info if edit reason given or user is editing his post, which is not the last within the topic.
 if ($data['post_edit_reason'] || (!$auth->acl_get('m_edit', $data['forum_id']) && ($post_mode == 'edit' || $post_mode == 'edit_first_post')))
 {
- $data['post_edit_reason'] = truncate_string($data['post_edit_reason'], 255, false);
+ $data['post_edit_reason'] = truncate_string($data['post_edit_reason'], 255, 255, false);
 
 $sql_data[POSTS_TABLE]['sql'] = array(
 'post_edit_time' => $current_time,
diff --git a/phpBB/includes/functions_user.php b/phpBB/includes/functions_user.php
index 59fdc0a0f5..ba77a56562 100644
--- a/phpBB/includes/functions_user.php
+++ b/phpBB/includes/functions_user.php
@@ -733,70 +733,65 @@ function user_ban($mode, $ban, $ban_len, $ban_len_other, $ban_exclude, $ban_reas
 case 'user':
 $type = 'ban_userid';
 
- if (in_array('*', $ban_list))
- {
- // Ban all users (it's a good thing that you can exclude people)
- $banlist_ary[] = '*';
- }
- else
- {
- // Select the relevant user_ids.
- $sql_usernames = array();
+ // At the moment we do not support wildcard username banning
+
+ // Select the relevant user_ids.
+ $sql_usernames = array();
 
- foreach ($ban_list as $username)
+ foreach ($ban_list as $username)
+ {
+ $username = trim($username);
+ if ($username != '')
 {
- $username = trim($username);
- if ($username != '')
+ $clean_name = utf8_clean_string($username);
+ if ($clean_name == $user->data['username_clean'])
 {
- $clean_name = utf8_clean_string($username);
- if ($clean_name == $user->data['username_clean'])
- {
- trigger_error('CANNOT_BAN_YOURSELF', E_USER_WARNING);
- }
- if (in_array($clean_name, $founder_names))
- {
- trigger_error('CANNOT_BAN_FOUNDER', E_USER_WARNING);
- }
- $sql_usernames[] = $clean_name;
+ trigger_error('CANNOT_BAN_YOURSELF', E_USER_WARNING);
+ }
+ if (in_array($clean_name, $founder_names))
+ {
+ trigger_error('CANNOT_BAN_FOUNDER', E_USER_WARNING);
 }
+ $sql_usernames[] = $clean_name;
 }
+ }
 
- // Make sure we have been given someone to ban
- if (!sizeof($sql_usernames))
- {
- trigger_error('NO_USER_SPECIFIED');
- }
+ // Make sure we have been given someone to ban
+ if (!sizeof($sql_usernames))
+ {
+ trigger_error('NO_USER_SPECIFIED');
+ }
 
- $sql = 'SELECT user_id
- FROM ' . USERS_TABLE . '
- WHERE ' . $db->sql_in_set('username_clean', $sql_usernames);
+ $sql = 'SELECT user_id
+ FROM ' . USERS_TABLE . '
+ WHERE ' . $db->sql_in_set('username_clean', $sql_usernames);
 
- // Do not allow banning yourself
- if (sizeof($founder))
- {
- $sql .= ' AND ' . $db->sql_in_set('user_id', array_merge(array_keys($founder), array($user->data['user_id'])), true);
- }
- else
- {
- $sql .= ' AND user_id <> ' . 
$user->data['user_id'];
- }
+ // Do not allow banning yourself
+ if (sizeof($founder))
+ {
+ $sql .= ' AND ' . $db->sql_in_set('user_id', array_merge(array_keys($founder), array($user->data['user_id'])), true);
+ }
+ else
+ {
+ $sql .= ' AND user_id <> ' . $user->data['user_id'];
+ }
 
- $result = $db->sql_query($sql);
+ $result = $db->sql_query($sql);
 
- if ($row = $db->sql_fetchrow($result))
- {
- do
- {
- $banlist_ary[] = (int) $row['user_id'];
- }
- while ($row = $db->sql_fetchrow($result));
- }
- else
+ if ($row = $db->sql_fetchrow($result))
+ {
+ do
 {
- trigger_error('NO_USERS');
+ $banlist_ary[] = (int) $row['user_id'];
 }
+ while ($row = $db->sql_fetchrow($result));
+ }
+ else
+ {
 $db->sql_freeresult($result);
+ trigger_error('NO_USERS');
 }
+ $db->sql_freeresult($result);
 break;
 
 case 'ip':
@@ -996,7 +991,7 @@ function user_ban($mode, $ban, $ban_len, $ban_len_other, $ban_exclude, $ban_reas
 switch ($mode)
 {
 case 'user':
- $sql_where = (in_array('*', $banlist_ary)) ? '' : 'WHERE ' . $db->sql_in_set('session_user_id', $banlist_ary);
+ $sql_where = 'WHERE ' . $db->sql_in_set('session_user_id', $banlist_ary);
 break;
 
 case 'ip':
@@ -2850,7 +2845,7 @@ function group_user_attributes($action, $group_id, $user_id_ary = false, $userna
 {
 case 'demote':
 case 'promote':
-
+
 $sql = 'SELECT user_id FROM ' . USER_GROUP_TABLE . "
 WHERE group_id = $group_id
 AND user_pending = 1
@@ -2862,7 +2857,7 @@ function group_user_attributes($action, $group_id, $user_id_ary = false, $userna
 {
 return 'NO_VALID_USERS';
 }
-
+
 $sql = 'UPDATE ' . USER_GROUP_TABLE . '
 SET group_leader = ' . (($action == 'promote') ? 1 : 0) . "
 WHERE group_id = $group_id
diff --git a/phpBB/includes/message_parser.php b/phpBB/includes/message_parser.php
index d9c5dbaa31..a31e7b094c 100644
--- a/phpBB/includes/message_parser.php
+++ b/phpBB/includes/message_parser.php
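Review bot: The comment `// Do not allow banning yourself` carried over above the new `if (sizeof($founder))` branch undersells it — that branch also removes every founder id from the SELECT, so it should read `// Exclude yourself and all founders from the ban list`. In the `else` branch `$user->data['user_id']` is concatenated into the SQL without a cast, while the fetched ids a few lines later are cast with `(int)`; `' AND user_id <> ' . (int) $user->data['user_id']` would keep the two consistent. The founder-name check `in_array($clean_name, $founder_names)` is a loose comparison, which can match numeric-looking names it should not; pass `true` as the third argument. The `switch` this `case 'user':` belongs to begins before the hunk, and the wildcard ban dropped here is also dropped from the session-kill query in the hunk at line 991.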
@@ -400,7 +400,10 @@ class bbcode_firstpass extends bbcode
 
 case 'php':
 $remove_tags = false;
- $code = str_replace(array('<', '>'), array('<', '>'), $code);
+
+ $str_from = array('<', '>', '[', ']', '.', ':', ':');
+ $str_to = array('<', '>', '[', ']', '.', ':', ':');
+ $code = str_replace($str_from, $str_to, $code);
 
 if (!preg_match('/\<\?.*?\?\>/is', $code))
 {
diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php
index a3a3a60061..14c21714d5 100644
--- a/phpBB/includes/session.php
+++ b/phpBB/includes/session.php
@@ -1113,6 +1113,14 @@ class session
 // To circumvent session_begin returning a valid value and the check_ban() not called on second page view, we kill the session again
 $this->session_kill(false);
 
+ // A very special case... we are within the cron script which is not supposed to print out the ban message... show blank page
+ if (defined('IN_CRON'))
+ {
+ garbage_collection();
+ exit_handler();
+ exit;
+ }
+
 trigger_error($message);
 }
 
@@ -1582,6 +1590,7 @@ class user extends session
 $localised_images = true;
 }
 
+ $row['image_filename'] = rawurlencode($row['image_filename']);
 $this->img_array[$row['image_name']] = $row;
 }
 $db->sql_freeresult($result); |
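Review bot: As the page shows them, `$str_from` and `$str_to` are identical arrays, which would make the new `str_replace($str_from, $str_to, $code)` a no-op; presumably `$str_from` actually holds entity-encoded forms such as `&lt;`, `&gt;`, `&#91;`, `&#93;`, `&#46;`, `&#58;` that the page has decoded, in which case this hunk quietly widens the old `<`/`>` decode to brackets, dots and colons. That widening deserves a comment, since handing raw `[`, `]` and `:` back into `$code` is only safe if whatever consumes it re-escapes the output; a line such as `// decode the entities the parser added so the PHP highlighter sees raw source; its output must be escaped again` would make that dependency explicit. The `if (!preg_match('/\<\?.*?\?\>/is', $code))` branch that consumes the decoded string continues outside the hunk, so the re-escape cannot be confirmed here.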
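Review bot: `rawurlencode()` on `$row['image_filename']` also turns `/` into `%2F`, so if an image filename can carry a sub-directory (the hunk does not show where the value comes from) the encoded value breaks the path instead of protecting it; encoding per segment with `implode('/', array_map('rawurlencode', explode('/', $row['image_filename'])))` keeps separators intact while still neutralising `?`, `#`, spaces and quotes. The new line would also benefit from a comment such as `// encode once here: this $row is cached in img_array and interpolated into image URLs by every later reader`, because the assignment on the next line stores the whole row for all consumers. The enclosing method of class `user` starts and ends outside the hunk.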