diff options
author | Marc Alexander <admin@m-a-styles.de> | 2019-04-17 08:54:51 +0200 |
---|---|---|
committer | Marc Alexander <admin@m-a-styles.de> | 2019-04-17 08:54:51 +0200 |
commit | dc5a167c429a3813d66b0ae3d14242650466cac6 (patch) | |
tree | 9a23a88f7bc2d482cef19f42f437bf77be31f41f | |
parent | 507efee633fee769e7e2af4a2b298c951193f800 (diff) | |
download | forums-dc5a167c429a3813d66b0ae3d14242650466cac6.tar forums-dc5a167c429a3813d66b0ae3d14242650466cac6.tar.gz forums-dc5a167c429a3813d66b0ae3d14242650466cac6.tar.bz2 forums-dc5a167c429a3813d66b0ae3d14242650466cac6.tar.xz forums-dc5a167c429a3813d66b0ae3d14242650466cac6.zip |
[ticket/security/231] Disable remote avatar functionality & add warning
SECURITY-231
-rw-r--r-- | phpBB/includes/acp/acp_board.php | 3 | ||||
-rw-r--r-- | phpBB/language/en/acp/board.php | 4 | ||||
-rw-r--r-- | phpBB/phpbb/avatar/manager.php | 2 | ||||
-rw-r--r-- | phpBB/phpbb/db/migration/data/v32x/disable_remote_avatar.php | 34 |
4 files changed, 39 insertions, 4 deletions
diff --git a/phpBB/includes/acp/acp_board.php b/phpBB/includes/acp/acp_board.php index f89f5535eb..5d3df2629a 100644 --- a/phpBB/includes/acp/acp_board.php +++ b/phpBB/includes/acp/acp_board.php @@ -122,6 +122,7 @@ class acp_board $avatar_vars = array(); foreach ($avatar_drivers as $current_driver) { + /** @var \phpbb\avatar\driver\driver_interface $driver */ $driver = $phpbb_avatar_manager->get_driver($current_driver, false); /* @@ -730,7 +731,7 @@ class acp_board $template->assign_block_vars('options', array( 'KEY' => $config_key, 'TITLE' => (isset($user->lang[$vars['lang']])) ? $user->lang[$vars['lang']] : $vars['lang'], - 'S_EXPLAIN' => $vars['explain'], + 'S_EXPLAIN' => $vars['explain'] && !empty($l_explain), 'TITLE_EXPLAIN' => $l_explain, 'CONTENT' => $content, ) diff --git a/phpBB/language/en/acp/board.php b/phpBB/language/en/acp/board.php index eb53ac0370..9b45ffa45b 100644 --- a/phpBB/language/en/acp/board.php +++ b/phpBB/language/en/acp/board.php @@ -111,9 +111,9 @@ $lang = array_merge($lang, array( 'ALLOW_GRAVATAR' => 'Enable gravatar avatars', 'ALLOW_LOCAL' => 'Enable gallery avatars', 'ALLOW_REMOTE' => 'Enable remote avatars', - 'ALLOW_REMOTE_EXPLAIN' => 'Avatars linked to from another website.', + 'ALLOW_REMOTE_EXPLAIN' => 'Avatars linked to from another website.<br><em><strong class="error">Warning:</strong> Enabling this feature might allow users to check for the existence of files and services that are only accessible on the local network.</em>', 'ALLOW_REMOTE_UPLOAD' => 'Enable remote avatar uploading', - 'ALLOW_REMOTE_UPLOAD_EXPLAIN' => 'Allow uploading of avatars from another website.', + 'ALLOW_REMOTE_UPLOAD_EXPLAIN' => 'Allow uploading of avatars from another website.<br><em><strong class="error">Warning:</strong> Enabling this feature might allow users to check for the existence of files and services that are only accessible on the local network.</em>', 'ALLOW_UPLOAD' => 'Enable avatar uploading', 'AVATAR_GALLERY_PATH' => 'Avatar gallery path', 'AVATAR_GALLERY_PATH_EXPLAIN' => 'Path under your phpBB root directory for pre-loaded images, e.g. <samp>images/avatars/gallery</samp>.<br>Double dots like <samp>../</samp> will be stripped from the path for security reasons.', diff --git a/phpBB/phpbb/avatar/manager.php b/phpBB/phpbb/avatar/manager.php index 6d9604db04..a909a91042 100644 --- a/phpBB/phpbb/avatar/manager.php +++ b/phpBB/phpbb/avatar/manager.php @@ -271,7 +271,7 @@ class manager $config_name = $driver->get_config_name(); return array( - 'allow_avatar_' . $config_name => array('lang' => 'ALLOW_' . strtoupper(str_replace('\\', '_', $config_name)), 'validate' => 'bool', 'type' => 'radio:yes_no', 'explain' => false), + 'allow_avatar_' . $config_name => array('lang' => 'ALLOW_' . strtoupper(str_replace('\\', '_', $config_name)), 'validate' => 'bool', 'type' => 'radio:yes_no', 'explain' => true), ); } diff --git a/phpBB/phpbb/db/migration/data/v32x/disable_remote_avatar.php b/phpBB/phpbb/db/migration/data/v32x/disable_remote_avatar.php new file mode 100644 index 0000000000..b08833fad4 --- /dev/null +++ b/phpBB/phpbb/db/migration/data/v32x/disable_remote_avatar.php @@ -0,0 +1,34 @@ +<?php +/** + * + * This file is part of the phpBB Forum Software package. + * + * @copyright (c) phpBB Limited <https://www.phpbb.com> + * @license GNU General Public License, version 2 (GPL-2.0) + * + * For full copyright and license information, please see + * the docs/CREDITS.txt file. + * + */ + +namespace phpbb\db\migration\data\v32x; + +use phpbb\db\migration\migration; + +class disable_remote_avatar extends migration +{ + static public function depends_on() + { + return array( + '\phpbb\db\migration\data\v32x\v325', + ); + } + + public function update_data() + { + return array( + array('config.update', array('allow_avatar_remote', '0')), + array('config.update', array('allow_avatar_remote_upload', '0')), + ); + } +} |