author | Ludovic Arnaud <ludovic_arnaud@users.sourceforge.net> | 2002-10-17 02:50:50 +0000 |
---|---|---|
committer | Ludovic Arnaud <ludovic_arnaud@users.sourceforge.net> | 2002-10-17 02:50:50 +0000 |
commit | 80864fa7ee6e1d7e76a1f490d186fb9a7f5b1162 (patch) | |
tree | a01b78d812ef3a2931dd3ef8ea76ccddfa0a263b /phpBB | |
parent | fafd167dde6726df46cd3cd9523ec6ad8af22b13 (diff) | |
Random bugfixes, (hopefully) improved admin panel security.
git-svn-id: file:///svn/phpbb/trunk@2954 89ea8834-ac86-4346-8a33-228a782c2dd0
Diffstat (limited to 'phpBB')
-rw-r--r-- | phpBB/admin/pagestart.php | 16 | ||||
-rw-r--r-- | phpBB/common.php | 5 | ||||
-rw-r--r-- | phpBB/db/mysql.php | 19 | ||||
-rw-r--r-- | phpBB/includes/page_header.php | 4 | ||||
-rw-r--r-- | phpBB/includes/page_tail.php | 2 | ||||
-rw-r--r-- | phpBB/includes/session.php | 25 |
6 files changed, 39 insertions, 32 deletions
diff --git a/phpBB/admin/pagestart.php b/phpBB/admin/pagestart.php
index 59df5b0f40..b640029279 100644
--- a/phpBB/admin/pagestart.php
+++ b/phpBB/admin/pagestart.php
@@ -37,6 +37,17 @@ $user = new user($userdata);
 // End session management
 //
+//
+// If session_ids do not match, rewrite the URL correctly then redirect the user
+//
+if ($_REQUEST['sid'] != $userdata['session_id'])
+{
+ $url = preg_replace('/sid=([^&]*)(&?)/i', '', $_SERVER['REQUEST_URI']);
+ $url = preg_replace('/\?$/', '', $url);
+ $url .= ((strpos($url, '?')) ? '&' : '?') . 'sid=' . $userdata['session_id'];
+ redirect($url);
+}
+
 // -----------------------------
 // Functions
 function page_header($sub_title, $meta = '', $table_html = true)
@@ -106,6 +117,8 @@ function page_footer($copyright_html = true)
 {
 global $board_config, $db, $lang, $phpEx;
+ // Close our DB connection.
+ $db->sql_close();
 ?>
 </td>
@@ -128,9 +141,6 @@ function page_footer($copyright_html = true)
 }
- // Close our DB connection.
- $db->sql_close();
-
 exit;
 }
diff --git a/phpBB/common.php b/phpBB/common.php
index ccc468c451..fe1ff62a12 100644
--- a/phpBB/common.php
+++ b/phpBB/common.php
@@ -24,7 +24,8 @@ if ( !defined('IN_PHPBB') )
 die('Hacking attempt');
 }
-error_reporting (E_ERROR | E_WARNING | E_PARSE); // This will NOT report uninitialized variables
+error_reporting(E_ERROR | E_WARNING | E_PARSE); // This will NOT report uninitialized variables
+//error_reporting(E_ALL);
 set_magic_quotes_runtime(0);
 require($phpbb_root_path . 'config.'.$phpEx);
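Review bot: The new sid check in the first pagestart.php hunk relies on loose `!=` and never establishes that `$_REQUEST['sid']` is present, so the token comparison depends on PHP's type juggling; `if (!isset($_REQUEST['sid']) || $_REQUEST['sid'] !== $userdata['session_id'])` states the intent exactly and stays correct should the parameter ever arrive as something other than a string. The strip pattern `'/sid=([^&]*)(&?)/i'` is not anchored to a separator, so it also removes the tail of any other parameter whose name ends in `sid` and can leave a dangling `&` that the following `\?$` replacement does not catch; `'/(?<=[?&])sid=[^&]*&?/i'` followed by `preg_replace('/[?&]$/', '', $url)` keeps the rewritten URL well-formed. `$_SERVER['REQUEST_URI']` is client-supplied, so it is worth confirming that redirect() (outside this hunk) only ever emits a same-host path. The page_header definition that closes the hunk continues past it.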
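Review bot: In the second pagestart.php hunk `$db->sql_close()` now runs at the start of page_footer, before the rest of the function (which continues past the hunk) emits the page tail, while the third hunk removes the original call that sat just before `exit`; any query issued between those two points would now run on a closed connection. If nothing in the remainder of page_footer touches `$db` that is fine, but a comment on the new line, `// Connection is closed from here on; page_footer must not issue further queries.`, records the invariant for the next edit.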
@@ -149,7 +150,7 @@ $template = new Template();
 $db = new sql_db($dbhost, $dbuser, $dbpasswd, $dbname, $dbport, false);
 // Obtain users IP
-if ( $_SERVER['HTTP_X_FORWARDED_FOR'] != '' || $_ENV['HTTP_X_FORWARDED_FOR'] != '' )
+if (!empty($_SERVER['HTTP_X_FORWARDED_FOR']) || !empty($_ENV['HTTP_X_FORWARDED_FOR']))
 {
 $user_ip = ( !empty($_SERVER['REMOTE_ADDR']) ) ? $_SERVER['REMOTE_ADDR'] : ( ( !empty($_ENV['REMOTE_ADDR']) ) ? $_ENV['REMOTE_ADDR'] : $REMOTE_ADDR );
 $x_ip = ( !empty($_SERVER['HTTP_X_FORWARDED_FOR']) ) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_ENV['HTTP_X_FORWARDED_FOR'];
diff --git a/phpBB/db/mysql.php b/phpBB/db/mysql.php
index 12ce33aed7..b7a4dafed8 100644
--- a/phpBB/db/mysql.php
+++ b/phpBB/db/mysql.php
@@ -196,19 +196,12 @@ class sql_db
 $query .= ' LIMIT ' . ( ( !empty($offset) ) ? $offset . ', ' . $total : $total );
 }
- if ( !($this->query_result = @mysql_query($query, $this->db_connect_id)) )
- {
- $this->sql_error($query);
- }
-
- $this->open_queries[] = $this->query_result;
+ return $this->sql_query($query);
 }
 else
 {
 return false;
 }
-
- return ( $this->query_result) ? $this->query_result : ( ( $transaction == END_TRANSACTION ) ? true : false );
 }
 // Idea for this from Ikonboard
@@ -296,7 +289,7 @@ class sql_db
 $query_id = $this->query_result;
 }
- return ( $query_id ) ? @mysql_fetch_array($query_id) : false;
+ return ( $query_id ) ? @mysql_fetch_assoc($query_id) : false;
 }
 function sql_fetchrowset($query_id = 0)
@@ -309,7 +302,7 @@ class sql_db
 {
 unset($this->rowset[$query_id]);
 unset($this->row[$query_id]);
- while($this->rowset[$query_id] = @mysql_fetch_array($query_id))
+ while($this->rowset[$query_id] = @mysql_fetch_assoc($query_id))
 {
 $result[] = $this->rowset[$query_id];
 }
@@ -389,7 +382,7 @@ class sql_db
 function sql_error($sql = '')
 {
- global $HTTP_SERVER_VARS, $HTTP_ENV_VARS;
+ global $_SERVER, $_ENV;
 if ( !$this->return_on_error )
 {
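Review bot: The rewritten condition in the common.php hunk enters the proxy branch on any non-empty `HTTP_X_FORWARDED_FOR`, a header the client can set freely, so the `$x_ip` assigned on the hunk's last line is untrusted text rather than an address; where it is consumed (below the hunk) it should be split on commas, validated as an IP literal and, ideally, only honoured when `REMOTE_ADDR` belongs to a known proxy, otherwise the recorded IP is whatever the visitor chose to send. The `$user_ip` line still falls through to a bare `$REMOTE_ADDR`, which depends on register_globals; `$_SERVER['REMOTE_ADDR']` with the `$_ENV` fallback alone would suffice.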
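Review bot: `return $this->sql_query($query);` in the first mysql.php hunk discards the `$transaction` flag that the removed return line still consulted (`$transaction == END_TRANSACTION`), so a caller passing that flag into sql_query_limit — its signature is above the hunk — now has it silently ignored, and the `true` result the old code produced for an END_TRANSACTION call whose query returned nothing is gone. If sql_query accepts the same flag, forward it, `return $this->sql_query($query, $transaction);`; if it does not, callers that test the result against `true` need checking.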
@@ -398,8 +391,8 @@ class sql_db
 $this->sql_transaction(ROLLBACK);
 }
- $this_page = ( !empty($HTTP_SERVER_VARS['PHP_SELF']) ) ? $HTTP_SERVER_VARS['PHP_SELF'] : $HTTP_ENV_VARS['PHP_SELF'];
- $this_page .= '&' . ( ( !empty($HTTP_SERVER_VARS['QUERY_STRING']) ) ? $HTTP_SERVER_VARS['QUERY_STRING'] : $HTTP_ENV_VARS['QUERY_STRING'] );
+ $this_page = ( !empty($_SERVER['PHP_SELF']) ) ? $_SERVER['PHP_SELF'] : $_ENV['PHP_SELF'];
+ $this_page .= '&' . ( ( !empty($_SERVER['QUERY_STRING']) ) ? $_SERVER['QUERY_STRING'] : $_ENV['QUERY_STRING'] );
 $message = '<u>SQL ERROR</u> [ ' . SQL_LAYER . ' ]<br /><br />' . @mysql_error() . '<br /><br /><u>PAGE</u><br /><br />' . $this_page . ( ( $sql != '' ) ? '<br /><br /><u>SQL</u><br /><br />' . $sql : '' ) . '<br />';
 message_die(ERROR, $message);
diff --git a/phpBB/includes/page_header.php b/phpBB/includes/page_header.php
index e813254fbe..7bbd33a2a4 100644
--- a/phpBB/includes/page_header.php
+++ b/phpBB/includes/page_header.php
@@ -264,8 +264,8 @@ else
 //
 // Generate HTML required for Mozilla Navigation bar
 //
-/*
 $nav_links_html = '';
+/*
 $nav_link_proto = '<link rel="%s" href="%s" title="%s" />' . "\n";
 foreach ( $nav_links as $nav_item => $nav_array )
 {
@@ -295,7 +295,7 @@ $template->assign_vars(array(
 'CURRENT_TIME' => sprintf($lang['Current_time'], $user->format_date(time())),
 'TOTAL_USERS_ONLINE' => $l_online_users,
 'LOGGED_IN_USER_LIST' => $online_userlist,
- 'RECORD_USERS' => sprintf($lang['Record_online_users'], $board_config['record_online_users'], $user->format_date($$board_config['record_online_date'])),
+ 'RECORD_USERS' => sprintf($lang['Record_online_users'], $board_config['record_online_users'], $user->format_date($board_config['record_online_date'])),
 'PRIVATE_MESSAGE_INFO' => $l_privmsgs_text,
 'PRIVATE_MESSAGE_INFO_UNREAD' => $l_privmsgs_text_unread,
 'PRIVATE_MESSAGE_NEW_FLAG' => $s_privmsg_new,
diff --git a/phpBB/includes/page_tail.php b/phpBB/includes/page_tail.php
index 6893641c6d..96360cb5e6 100644
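Review bot: `$this_page` in the sql_error hunk is assembled from `PHP_SELF` and `QUERY_STRING` — both request-controlled — and concatenated unescaped into the HTML `$message` that message_die renders, so the text of whatever URL provoked a SQL error is reflected verbatim into the page; escape it before use, `$this_page = htmlspecialchars($this_page);`. The same message also prints `mysql_error()` and the failing `$sql`, which is useful while developing but discloses query and schema detail to any visitor who hits an error, so consider gating those parts on a debug setting. The `global $_SERVER, $_ENV;` introduced in the preceding hunk of this function is redundant, since superglobals are visible in every scope, and can be dropped. sql_error begins above this hunk.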
--- a/phpBB/includes/page_tail.php
+++ b/phpBB/includes/page_tail.php
@@ -51,7 +51,7 @@ if (defined('DEBUG'))
 $template->assign_vars(array(
 'PHPBB_VERSION' => $board_config['version'],
- 'ADMIN_LINK' => ( $auth->acl_get('a_') ) ? '<a href="' . "admin/index.$phpEx$SID" . '">' . $lang['Admin_panel'] . '</a><br /><br />' : '',
+ 'ADMIN_LINK' => ( $auth->acl_get('a_') ) ? '<a href="' . "admin/index.$phpEx?sid=" . $userdata['session_id'] . '">' . $lang['Admin_panel'] . '</a><br /><br />' : '',
 'DEBUG_OUTPUT' => (defined('DEBUG')) ? $debug_output : ''
 ));
diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php
index 0712b4b902..9e8ea85e4c 100644
--- a/phpBB/includes/session.php
+++ b/phpBB/includes/session.php
@@ -40,7 +40,7 @@ class session {
 {
 $sessiondata = ( isset($_COOKIE[$board_config['cookie_name'] . '_data']) ) ? unserialize(stripslashes($_COOKIE[$board_config['cookie_name'] . '_data'])) : '';
 $this->session_id = ( isset($_COOKIE[$board_config['cookie_name'] . '_sid']) ) ? $_COOKIE[$board_config['cookie_name'] . '_sid'] : '';
- $SID = '?sid=';
+ $SID = (defined('IN_ADMIN')) ? '?sid=' . $this->session_id : '?sid=';
 }
 else
 {
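Review bot: The admin link in the page_tail.php hunk now interpolates `$userdata['session_id']` into an href attribute without any encoding; whether that value is the validated id from the sessions table or still the cookie string is not visible here, so `urlencode($userdata['session_id'])` in place of the bare value keeps the attribute safe either way. Carrying the session id in the URL, which the commit does deliberately for the admin panel, also means it travels in Referer headers and access logs of any link followed from the admin pages; a short comment next to the link noting that trade-off would help future readers.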
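Review bot: In the session.php hunk `$SID` is built from `$this->session_id` on the line immediately after that property is filled from the raw `_sid` cookie, before anything visible has checked it against the sessions table, so under IN_ADMIN every URL that embeds `$SID` carries an unvalidated client string; if the cookie id is later rejected and replaced (that logic lies outside the hunk), `$SID` would also be stale. Build `$SID` once the session has been validated or regenerated, or at least encode the value here, `$SID = (defined('IN_ADMIN')) ? '?sid=' . urlencode($this->session_id) : '?sid=';`. The enclosing method continues past the hunk.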
@@ -114,18 +114,21 @@ class session {
 $sessiondata = array();
 $current_time = time();
- // Limit sessions in 1 minute period
- $sql = "SELECT COUNT(*) AS sessions
- FROM " . SESSIONS_TABLE . "
- WHERE session_time >= " . ( $current_time - 60 );
- $result = $db->sql_query($sql);
+ if ( intval($board_config['active_sessions']) )
+ {
+ // Limit sessions in 1 minute period
+ $sql = "SELECT COUNT(*) AS sessions
+ FROM " . SESSIONS_TABLE . "
+ WHERE session_time >= " . ( $current_time - 60 );
+ $result = $db->sql_query($sql);
- $row = $db->sql_fetchrow($result);
- $db->sql_freeresult($result);
+ $row = $db->sql_fetchrow($result);
+ $db->sql_freeresult($result);
- if ( intval($board_config['active_sessions']) && intval($row['sessions']) > intval($board_config['active_sessions']) )
- {
- message_die(MESSAGE, 'Board_unavailable');
+ if ( intval($row['sessions']) > intval($board_config['active_sessions']) )
+ {
+ message_die(MESSAGE, 'Board_unavailable');
+ }
 }
 // Garbage collection ... remove old sessions updating user information |