Diffstat (limited to 'phpBB/includes')
-rw-r--r-- | phpBB/includes/auth.php | 2 | ||||
-rw-r--r-- | phpBB/includes/auth/auth_apache.php | 4 | ||||
-rw-r--r-- | phpBB/includes/auth/auth_db.php | 2 | ||||
-rw-r--r-- | phpBB/includes/auth/auth_ldap.php | 4 | ||||
-rw-r--r-- | phpBB/includes/functions.php | 6 | ||||
-rw-r--r-- | phpBB/includes/functions_user.php | 15 | ||||
-rw-r--r-- | phpBB/includes/mcp/mcp_post.php | 2 | ||||
-rwxr-xr-x | phpBB/includes/search/fulltext_native.php | 2 | ||||
-rw-r--r-- | phpBB/includes/ucp/ucp_pm_options.php | 2 | ||||
-rw-r--r-- | phpBB/includes/ucp/ucp_remind.php | 2 | ||||
-rw-r--r-- | phpBB/includes/ucp/ucp_resend.php | 2 | ||||
-rw-r--r-- | phpBB/includes/ucp/ucp_zebra.php | 10 | ||||
-rw-r--r-- | phpBB/includes/utf/utf_tools.php | 35 |
13 files changed, 62 insertions, 26 deletions
diff --git a/phpBB/includes/auth.php b/phpBB/includes/auth.php
index c5a3843063..8ff18bd4ec 100644
--- a/phpBB/includes/auth.php
+++ b/phpBB/includes/auth.php
@@ -714,7 +714,7 @@ class auth
 $sql = 'SELECT user_id, username, user_password, user_passchg, user_email, user_type
 FROM ' . USERS_TABLE . "
- WHERE LOWER(username) = '" . $db->sql_escape(utf8_strtolower($username)) . "'";
+ WHERE username_clean = '" . $db->sql_escape(utf8_clean_string($username)) . "'";
 $result = $db->sql_query($sql);
 $row = $db->sql_fetchrow($result);
 $db->sql_freeresult($result);
diff --git a/phpBB/includes/auth/auth_apache.php b/phpBB/includes/auth/auth_apache.php
index 3ee0f1347f..35c266932c 100644
--- a/phpBB/includes/auth/auth_apache.php
+++ b/phpBB/includes/auth/auth_apache.php
@@ -141,7 +141,7 @@ function autologin_apache()
 $sql = 'SELECT *
 FROM ' . USERS_TABLE . "
- WHERE username = '" . $db->sql_escape($php_auth_user) . "'";
+ WHERE username_clean = '" . $db->sql_escape(utf8_clean_string($php_auth_user)) . "'";
 $result = $db->sql_query($sql);
 $row = $db->sql_fetchrow($result);
 $db->sql_freeresult($result);
@@ -178,7 +178,7 @@ function user_row_apache($username, $password)
 // generate user account data
 return array(
 'username' => $username,
- 'user_password' => $password,
+ 'user_password' => md5($password),
 'user_email' => '',
 'group_id' => (int) $row['group_id'],
 'user_type' => USER_NORMAL,
diff --git a/phpBB/includes/auth/auth_db.php b/phpBB/includes/auth/auth_db.php
index 9477fd92c3..618ad0a387 100644
--- a/phpBB/includes/auth/auth_db.php
+++ b/phpBB/includes/auth/auth_db.php
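Review bot: The login lookup now keys on `username_clean`, so it can only find accounts whose row already has that column populated; this diff (limited to includes/) writes the column on insert in user_add but shows no backfill for pre-existing users, so unless the accompanying schema update computes `utf8_clean_string(username)` for every existing row, established accounts will fail to log in after the upgrade. I'd confirm the migration does that and leave a comment above the query, `// username_clean is the lookup key: kept in sync by user_add and backfilled for pre-existing rows`. The enclosing method of class auth starts and ends outside the hunk.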
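Review bot: autologin_apache now resolves the web server's `$php_auth_user` through `utf8_clean_string`, which is a lossy fold (case folding plus the homograph map added in utf_tools.php), so two identities the server treats as distinct can map onto the same forum account. That is only safe if the identities the server hands over are already unique under that fold; otherwise match `username` exactly first and use `username_clean` only as a fallback. At minimum record the assumption next to the query: `// REMOTE_USER is matched on its folded form; assumes server-side usernames are unique under utf8_clean_string`. autologin_apache continues outside the hunk.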
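Review bot: user_row_apache now stores `md5($password)` for the auto-created account, an unsalted hash of a credential the forum never needs, since authentication for this backend is performed by the web server; a database leak would then expose a crackable hash of a password that may be reused elsewhere. If the column must be non-empty for the row to validate, a random unusable value would serve, with a comment such as `// placeholder only: Apache users never authenticate against user_password`. The surrounding return statement continues outside the hunk.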
@@ -22,7 +22,7 @@ function login_db(&$username, &$password)
 $sql = 'SELECT user_id, username, user_password, user_passchg, user_email, user_type, user_login_attempts
 FROM ' . USERS_TABLE . "
- WHERE username = '" . $db->sql_escape($username) . "'";
+ WHERE username_clean = '" . $db->sql_escape(utf8_clean_string($username)) . "'";
 $result = $db->sql_query($sql);
 $row = $db->sql_fetchrow($result);
 $db->sql_freeresult($result);
diff --git a/phpBB/includes/auth/auth_ldap.php b/phpBB/includes/auth/auth_ldap.php
index 889f6d8661..b1ee7491b0 100644
--- a/phpBB/includes/auth/auth_ldap.php
+++ b/phpBB/includes/auth/auth_ldap.php
@@ -114,7 +114,7 @@ function login_ldap(&$username, &$password)
 $sql ='SELECT user_id, username, user_password, user_passchg, user_email, user_type
 FROM ' . USERS_TABLE . "
- WHERE username = '" . $db->sql_escape($username) . "'";
+ WHERE username_clean = '" . $db->sql_escape(utf8_clean_string($username)) . "'";
 $result = $db->sql_query($sql);
 $row = $db->sql_fetchrow($result);
 $db->sql_freeresult($result);
@@ -159,7 +159,7 @@ function login_ldap(&$username, &$password)
 // generate user account data
 $ldap_user_row = array(
 'username' => $username,
- 'user_password' => $password,
+ 'user_password' => md5($password),
 'user_email' => (!empty($config['ldap_email'])) ? $ldap_result[0][$config['ldap_email']][0] : '',
 'group_id' => (int) $row['group_id'],
 'user_type' => USER_NORMAL,
diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php
index 4fbac96fe2..b050b6f5a4 100644
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
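Review bot: The auto-provisioned LDAP row stores `md5($password)`, an unsalted MD5 of the user's directory password, in the forum database even though login_ldap appears to verify the credential against the directory (the `$ldap_result` lookup), so a forum database compromise yields a crackable hash of an external credential. Storing a random unusable value would avoid that; if MD5 is kept so the DB backend can validate the row, say so explicitly: `// LDAP users authenticate against the directory; this hash is never the primary credential`. login_ldap continues outside the hunk.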
@@ -1830,14 +1830,14 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa
 if (isset($_POST['login']))
 {
- $username = request_var('username', '');
- $password = request_var('password', '');
+ $username = request_var('username', '', true);
+ $password = request_var('password', '', true);
 $autologin = (!empty($_POST['autologin'])) ? true : false;
 $viewonline = (!empty($_POST['viewonline'])) ? 0 : 1;
 $admin = ($admin) ? 1 : 0;
 
 // Check if the supplied username is equal to the one stored within the database if re-authenticating
- if ($admin && utf8_strtolower($username) != utf8_strtolower($user->data['username']))
+ if ($admin && utf8_clean_string($username) != utf8_clean_string($user->data['username']))
 {
 // We log the attempt to use a different username...
 add_log('admin', 'LOG_ADMIN_AUTH_FAIL');
diff --git a/phpBB/includes/functions_user.php b/phpBB/includes/functions_user.php
index 9dc6dcc4a7..115165dc39 100644
--- a/phpBB/includes/functions_user.php
+++ b/phpBB/includes/functions_user.php
@@ -34,13 +34,13 @@ function user_get_id_name(&$user_id_ary, &$username_ary)
 $$which_ary = array($$which_ary);
 }
 
- $sql_in = ($which_ary == 'user_id_ary') ? array_map('intval', $$which_ary) : $$which_ary;
+ $sql_in = ($which_ary == 'user_id_ary') ? array_map('intval', $$which_ary) : array_map('utf8_clean_string', $$which_ary);
 unset($$which_ary);
 
 $user_id_ary = $username_ary = array();
 
 // Grab the user id/username records
- $sql_where = ($which_ary == 'user_id_ary') ? 'user_id' : 'username';
+ $sql_where = ($which_ary == 'user_id_ary') ? 'user_id' : 'username_clean';
 $sql = 'SELECT user_id, username
 FROM ' . USERS_TABLE . '
 WHERE ' . $db->sql_in_set($sql_where, $sql_in);
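Review bot: Passing the third `request_var` argument for `password` changes how the submitted password bytes are processed before they reach the hash check; if `request_var` without that flag previously altered or stripped non-ASCII input, accounts whose passwords contain non-ASCII characters will now hash differently and be locked out, which is worth verifying against the request_var implementation and calling out in the upgrade notes if true. A one-line comment would save the next reader the same question: `// multibyte flag keeps the raw UTF-8 password bytes so the hash is stable for non-ASCII passwords`. login_box starts and ends outside the hunk.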
@@ -134,6 +134,7 @@ function user_add($user_row, $cp_data = false)
 
 $sql_ary = array(
 'username' => $user_row['username'],
+ 'username_clean' => utf8_clean_string($user_row['username']),
 'user_password' => (isset($user_row['user_password'])) ? $user_row['user_password'] : '',
 'user_email' => $user_row['user_email'],
 'user_email_hash' => (int) crc32(strtolower($user_row['user_email'])) . strlen($user_row['user_email']),
@@ -594,7 +595,7 @@ function user_ban($mode, $ban, $ban_len, $ban_len_other, $ban_exclude, $ban_reas
 $username = trim($username);
 if ($username != '')
 {
- $sql_usernames[] = utf8_strtolower($username);
+ $sql_usernames[] = utf8_clean_string($username);
 }
 }
 
@@ -606,7 +607,7 @@ function user_ban($mode, $ban, $ban_len, $ban_len_other, $ban_exclude, $ban_reas
 
 $sql = 'SELECT user_id
 FROM ' . USERS_TABLE . '
- WHERE ' . $db->sql_in_set('LOWER(username)', $sql_usernames);
+ WHERE ' . $db->sql_in_set('username_clean', $sql_usernames);
 
 // Do not allow banning yourself
 if (sizeof($founder))
@@ -1112,7 +1113,7 @@ function validate_username($username)
 {
 global $config, $db, $user;
 
- if (utf8_strtolower($user->data['username']) == utf8_strtolower($username))
+ if (utf8_clean_string($user->data['username']) == utf8_clean_string($username))
 {
 return false;
 }
@@ -1124,7 +1125,7 @@ function validate_username($username)
 $sql = 'SELECT username
 FROM ' . USERS_TABLE . "
- WHERE LOWER(username) = '" . utf8_strtolower($db->sql_escape($username)) . "'";
+ WHERE username_clean = '" . $db->sql_escape(utf8_clean_string($username)) . "'";
 $result = $db->sql_query($sql);
 $row = $db->sql_fetchrow($result);
 $db->sql_freeresult($result);
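Review bot: `username_clean` is written only on insert here, yet it is now the key used by login, bans and the uniqueness check, so any path that later changes `username` (an administrative rename, for instance) must recompute it with `utf8_clean_string` or those checks silently diverge from the display name; no such path is touched in this diff, so I'd confirm one exists or mark the invariant at the insert: `// username_clean is the canonical lookup key; recompute it wherever username is updated`. user_add continues outside the hunk.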
@@ -1136,7 +1137,7 @@ function validate_username($username)
 $sql = 'SELECT group_name
 FROM ' . GROUPS_TABLE . "
- WHERE LOWER(group_name) = '" . utf8_strtolower($db->sql_escape($username)) . "'";
+ WHERE LOWER(group_name) = '" . $db->sql_escape(utf8_strtolower($username)) . "'";
 $result = $db->sql_query($sql);
 $row = $db->sql_fetchrow($result);
 $db->sql_freeresult($result);
diff --git a/phpBB/includes/mcp/mcp_post.php b/phpBB/includes/mcp/mcp_post.php
index caf68b0f1b..d2b66871d4 100644
--- a/phpBB/includes/mcp/mcp_post.php
+++ b/phpBB/includes/mcp/mcp_post.php
@@ -246,7 +246,7 @@ function mcp_post_details($id, $mode, $action)
 while ($row = $db->sql_fetchrow($result))
 {
 $users_ary[$row['user_id']]['username'] = $row['username'];
- $usernames_ary[utf8_strtolower($row['username'])] = $users_ary[$row['user_id']];
+ $usernames_ary[utf8_sclean_string($row['username'])] = $users_ary[$row['user_id']];
 }
 $db->sql_freeresult($result);
diff --git a/phpBB/includes/search/fulltext_native.php b/phpBB/includes/search/fulltext_native.php
index f8ffda9570..f25a00687e 100755
--- a/phpBB/includes/search/fulltext_native.php
+++ b/phpBB/includes/search/fulltext_native.php
@@ -91,7 +91,7 @@ class fulltext_native extends search_backend
 }
 
 $open_bracket = $space = false;
- for ($i = 0, $n = utf8_strlen($keywords); $i < $n; $i++)
+ for ($i = 0, $n = $keywords; $i < $n; $i++)
 {
 if ($open_bracket !== false)
 {
diff --git a/phpBB/includes/ucp/ucp_pm_options.php b/phpBB/includes/ucp/ucp_pm_options.php
index 6948e0dfea..4344b32895 100644
--- a/phpBB/includes/ucp/ucp_pm_options.php
+++ b/phpBB/includes/ucp/ucp_pm_options.php
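Review bot: The group-name collision check still compares `LOWER(group_name)` against `utf8_strtolower($username)`, while the user-name check in the preceding hunk folds with `utf8_clean_string`, so a username that differs from an existing group name only by a homograph (a Cyrillic `а` for a Latin `a`) passes this check even though the same name would be rejected as a duplicate user. Both sides should be folded the same way, which needs either a `group_name_clean`-style column or folding the stored group names on the PHP side before comparing; if case-insensitive matching for groups is deliberate, a comment saying so belongs above the query. validate_username continues outside the hunk.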
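Review bot: `utf8_sclean_string` is not a function defined anywhere in this diff (the helper added to utf_tools.php is `utf8_clean_string`), so the first call to mcp_post_details will abort with an undefined-function fatal; the line should read `$usernames_ary[utf8_clean_string($row['username'])] = $users_ary[$row['user_id']];`. mcp_post_details continues outside the hunk.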
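Review bot: The loop bound was changed from `utf8_strlen($keywords)` to the `$keywords` string itself, so `$i < $n` now compares an integer with text: under PHP 5's loose comparison a non-numeric string becomes 0 and the bracket-parsing loop never runs, and under PHP 8's string comparison of int vs non-numeric string it may never terminate. Unless `$keywords` has already been turned into a length earlier in the method (its body starts before the hunk), the original `for ($i = 0, $n = utf8_strlen($keywords); $i < $n; $i++)` should be restored.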
@@ -653,7 +653,7 @@ function define_cond_option($hardcoded, $cond_option, $rule_option, $global_rule
 {
 $sql = 'SELECT user_id
 FROM ' . USERS_TABLE . "
- WHERE LOWER(username) = '" . $db->sql_escape(utf8_strtolower($rule_string)) . "'";
+ WHERE username_clean = '" . $db->sql_escape(utf8_clean_string($rule_string)) . "'";
 $result = $db->sql_query($sql);
 $rule_user_id = (int) $db->sql_fetchfield('user_id');
 $db->sql_freeresult($result);
diff --git a/phpBB/includes/ucp/ucp_remind.php b/phpBB/includes/ucp/ucp_remind.php
index 4c0eb757fc..c1ea03f2c8 100644
--- a/phpBB/includes/ucp/ucp_remind.php
+++ b/phpBB/includes/ucp/ucp_remind.php
@@ -31,7 +31,7 @@ class ucp_remind
 $sql = 'SELECT user_id, username, user_email, user_jabber, user_notify_type, user_type, user_lang
 FROM ' . USERS_TABLE . "
 WHERE user_email = '" . $db->sql_escape($email) . "'
- AND LOWER(username) = '" . $db->sql_escape(utf8_strtolower($username)) . "'";
+ AND username_clean = '" . $db->sql_escape(utf8_clean_string($username)) . "'";
 $result = $db->sql_query($sql);
 $user_row = $db->sql_fetchrow($result);
 $db->sql_freeresult($result);
diff --git a/phpBB/includes/ucp/ucp_resend.php b/phpBB/includes/ucp/ucp_resend.php
index fb44cbaff4..10f93ba408 100644
--- a/phpBB/includes/ucp/ucp_resend.php
+++ b/phpBB/includes/ucp/ucp_resend.php
@@ -31,7 +31,7 @@ class ucp_resend
 $sql = 'SELECT user_id, group_id, username, user_email, user_type, user_lang, user_actkey
 FROM ' . USERS_TABLE . "
 WHERE user_email = '" . $db->sql_escape($email) . "'
- AND LOWER(username) = '" . $db->sql_escape(utf8_strtolower($username)) . "'";
+ AND username_clean = '" . $db->sql_escape(utf8_clean_string($username)) . "'";
 $result = $db->sql_query($sql);
 $user_row = $db->sql_fetchrow($result);
 $db->sql_freeresult($result);
diff --git a/phpBB/includes/ucp/ucp_zebra.php b/phpBB/includes/ucp/ucp_zebra.php
index 7af77c7331..bf5c95d5a3 100644
--- a/phpBB/includes/ucp/ucp_zebra.php
+++ b/phpBB/includes/ucp/ucp_zebra.php
@@ -42,7 +42,7 @@ class ucp_zebra
 
 if ($data['add'])
 {
- $data['add'] = array_map('trim', array_map('utf8_strtolower', explode("\n", $data['add'])));
+ $data['add'] = array_map('trim', array_map('utf8_clean_string', explode("\n", $data['add'])));
 
 // Do these name/s exist on a list already? If so, ignore ... we could be
 // 'nice' and automatically handle names added to one list present on
@@ -59,11 +59,11 @@ class ucp_zebra
 {
 if ($row['friend'])
 {
- $friends[] = utf8_strtolower($row['username']);
+ $friends[] = utf8_clean_string($row['username']);
 }
 else
 {
- $foes[] = utf8_strtolower($row['username']);
+ $foes[] = utf8_clean_string($row['username']);
 }
 }
 $db->sql_freeresult($result);
@@ -88,7 +88,7 @@ class ucp_zebra
 
 // remove the user himself from the username array
 $n = sizeof($data['add']);
- $data['add'] = array_diff($data['add'], array(utf8_strtolower($user->data['username'])));
+ $data['add'] = array_diff($data['add'], array(utf8_clean_string($user->data['username'])));
 
 if (sizeof($data['add']) < $n)
 {
@@ -101,7 +101,7 @@ class ucp_zebra
 {
 $sql = 'SELECT user_id, user_type
 FROM ' . USERS_TABLE . '
- WHERE ' . $db->sql_in_set('LOWER(username)', $data['add']) . '
+ WHERE ' . $db->sql_in_set('username_clean', $data['add']) . '
 AND user_type <> ' . USER_INACTIVE;
 $result = $db->sql_query($sql);
 
diff --git a/phpBB/includes/utf/utf_tools.php b/phpBB/includes/utf/utf_tools.php
index 1bcd92e75f..cb3e3b69ac 100644
--- a/phpBB/includes/utf/utf_tools.php
+++ b/phpBB/includes/utf/utf_tools.php
@@ -928,4 +928,39 @@ function utf8_case_fold($text, $option = 'full')
 return $text;
 }
 
+function utf8_clean_string($text)
+{
+ $text = utf8_case_fold($text);
+
+ if (!class_exists('utf_normalizer'))
+ {
+ global $phpbb_root_path, $phpEx;
+ include($phpbb_root_path . 'includes/utf/utf_normalizer.' . $phpEx);
+ }
+
+ $text = utf_normalizer::nfc($text);
+
+ static $homographs = array(
+ // cyrllic
+ "\xD0\xB0" => "\x61",
+ "\xD0\xB5" => "\x65",
+ "\xD0\xBE" => "\x6F",
+ "\xD1\x80" => "\x70",
+ "\xD1\x81" => "\x63",
+ "\xD1\x83" => "\x79",
+ "\xD1\x85" => "\x78",
+ "\xD1\x95" => "\x73",
+ "\xD1\x96" => "\x69",
+ "\xD1\x98" => "\x6A",
+ "\xD2\xBB" => "\x68",
+ // greek
+ "\xCE\xB1" => "\x61",
+ "\xCE\xBF" => "\x6F",
+ );
+
+ $text = strtr($text, $homographs);
+
+ return $text;
+}
+
 ?>
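Review bot: `utf8_clean_string` becomes the comparison key for login, bans, friend lists and username uniqueness, yet it normalises only to NFC and maps thirteen hand-picked Cyrillic and Greek letters, so compatibility forms that render identically (fullwidth Latin letters, ligatures) and the large remaining set of Unicode confusables still yield distinct keys, and names differing only in leading, trailing or doubled whitespace stay distinct because nothing trims or collapses spaces. If the normalizer exposes it, `utf_normalizer::nfkc($text)` would fold the compatibility forms, and the table should be generated from the Unicode confusables data rather than maintained by hand; trimming and collapsing whitespace at the end would close the other gap. The function has no docblock: it should state that it returns a case-folded, NFC-normalised, homograph-mapped form meant only as a lookup key (never for display) and that the table is knowingly partial; the comment `// cyrllic` should read `// cyrillic`.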
\ No newline at end of file |