From c2b29c317f2d3bf41ed737c9eb3d49bce41ec432 Mon Sep 17 00:00:00 2001 From: Andreas Fischer Date: Mon, 17 May 2010 09:40:32 +0200 Subject: [ticket/9612] Introduce new function gen_rand_string_friendly(). Introduce new function gen_rand_string_friendly() for user friendly random strings like passwords and captcha codes. Strings generated by gen_rand_string_friendly() will not contain the characters 0 and O. By adding a new function we can increase the entropy of strings generated by gen_rand_string() by putting 0 and O back in. PHPBB3-9612 --- phpBB/includes/functions.php | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) (limited to 'phpBB/includes/functions.php') diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index cd8447a2a3..2b5b8e6092 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -195,10 +195,27 @@ function set_config_count($config_name, $increment, $is_dynamic = false) /** * Generates an alphanumeric random string of given length +* +* @return string */ function gen_rand_string($num_chars = 8) +{ + // [a, z] + [0, 9] = 36 + return strtoupper(base_convert(unique_id(), 16, 36)); +} + +/** +* Generates a user-friendly alphanumeric random string of given length +* We remove 0 and O so users cannot confuse those in passwords etc. +* +* @return string +*/ +function gen_rand_string_friendly($num_chars = 8) { $rand_str = unique_id(); + + // Remove Z and Y from the base_convert(), replace 0 with Z and O with Y + // [a, z] + [0, 9] - {z, y} = [a, z] + [0, 9] - {0, o} = 34 $rand_str = str_replace(array('0', 'O'), array('Z', 'Y'), strtoupper(base_convert($rand_str, 16, 34))); return substr($rand_str, 0, $num_chars); -- cgit v1.2.1 From 593e193bdc7bab20ec8460348b2fe597355dccda Mon Sep 17 00:00:00 2001 From: Cullen Walsh Date: Sun, 11 Jul 2010 15:35:31 -0700 Subject: [ticket/9715] Better email regex Using email regex created by James Watts and Francisco Jose Martin Moreno. This passes many more tests for RFC valid emails. PHPBB3-9715 --- phpBB/includes/functions.php | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'phpBB/includes/functions.php') diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index 9c74a524ee..bc3d721de5 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -3355,7 +3355,9 @@ function get_preg_expression($mode) switch ($mode) { case 'email': - return '(?:[a-z0-9\'\.\-_\+\|]++|&)+@[a-z0-9\-]+\.(?:[a-z0-9\-]+\.)*[a-z]+'; + // Regex written by James Watts and Francisco Jose Martin Moreno + // http://fightingforalostcause.net/misc/2006/compare-email-regex.php + return '([\w\!\#$\%\&\'\*\+\-\/\=\?\^\`{\|\}\~]+\.)*(?:[\w\!\#$\%\'\*\+\-\/\=\?\^\`{\|\}\~]|&)+@((((([a-z0-9]{1}[a-z0-9\-]{0,62}[a-z0-9]{1})|[a-z])\.)+[a-z]{2,6})|(\d{1,3}\.){3}\d{1,3}(\:\d{1,5})?)'; break; case 'bbcode_htm': -- cgit v1.2.1 From 24e23755cfe57afcf3125ba9c684b32942425696 Mon Sep 17 00:00:00 2001 From: Andreas Fischer Date: Wed, 19 May 2010 17:42:44 +0200 Subject: [ticket/9599] Reimplement phpbb_checkdnsrr() function. Use gethostbyname(), checkdnsrr(), dns_get_record() or nslookup via exec(). PHPBB3-9599 --- phpBB/includes/functions.php | 169 ++++++++++++++++++++++++++++++++++++++----- 1 file changed, 152 insertions(+), 17 deletions(-) (limited to 'phpBB/includes/functions.php') diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index bc3d721de5..a61c28cb23 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -3440,26 +3440,110 @@ function short_ipv6($ip, $length) /** * Wrapper for php's checkdnsrr function. * -* The windows failover is from the php manual -* Please make sure to check the return value for === true and === false, since NULL could -* be returned too. +* @param string $host Fully-Qualified Domain Name +* @param string $type Resource record type to lookup +* Supported types are: MX (default), A, AAAA, NS, TXT, CNAME +* Other types may work or may not work * -* @return true if entry found, false if not, NULL if this function is not supported by this environment +* @return mixed true if entry found, +* false if entry not found, +* null if this function is not supported by this environment +* +* Since null can also be returned, you probably want to compare the result +* with === true or === false, +* +* @author bantu */ -function phpbb_checkdnsrr($host, $type = '') +function phpbb_checkdnsrr($host, $type = 'MX') { - $type = (!$type) ? 'MX' : $type; + // The dot indicates to search the DNS root (helps those having DNS prefixes on the same domain) + if (substr($host, -1) == '.') + { + $host_fqdn = $host; + $host = substr($host, 0, -1); + } + else + { + $host_fqdn = $host . '.'; + } + // $host has format some.host.example.com + // $host_fqdn has format some.host.example.com. - // Call checkdnsrr() if available. This is also the case on Windows with PHP 5.3 or later. - if (function_exists('checkdnsrr')) + // If we're looking for an A record we can use gethostbyname() + if ($type == 'A' && function_exists('gethostbyname')) { - // The dot indicates to search the DNS root (helps those having DNS prefixes on the same domain) - return checkdnsrr($host . '.', $type); + return (@gethostbyname($host_fqdn) == $host_fqdn) ? false : true; } - else if (DIRECTORY_SEPARATOR == '\\' && function_exists('exec')) + + // checkdnsrr() is available on Windows since PHP 5.3, + // but until 5.3.3 it only works for MX records + // See: http://bugs.php.net/bug.php?id=51844 + + // Call checkdnsrr() if + // we're looking for an MX record or + // we're not on Windows or + // we're running a PHP version where #51844 has been fixed + + // checkdnsrr() supports AAAA since 5.0.0 + // checkdnsrr() supports TXT since 5.2.4 + if ( + ($type == 'MX' || DIRECTORY_SEPARATOR != '\\' || version_compare(PHP_VERSION, '5.3.3', '>=')) && + ($type != 'AAAA' || version_compare(PHP_VERSION, '5.0.0', '>=')) && + ($type != 'TXT' || version_compare(PHP_VERSION, '5.2.4', '>=')) && + function_exists('checkdnsrr') + ) + { + return checkdnsrr($host_fqdn, $type); + } + + // dns_get_record() is available since PHP 5; since PHP 5.3 also on Windows, + // but on Windows it does not work reliable for AAAA records before PHP 5.3.1 + + // Call dns_get_record() if + // we're not looking for an AAAA record or + // we're not on Windows or + // we're running a PHP version where AAAA lookups work reliable + if ( + ($type != 'AAAA' || DIRECTORY_SEPARATOR != '\\' || version_compare(PHP_VERSION, '5.3.1', '>=')) && + function_exists('dns_get_record') + ) { - // @exec('nslookup -retry=1 -timout=1 -type=' . escapeshellarg($type) . ' ' . escapeshellarg($host), $output); - @exec('nslookup -type=' . escapeshellarg($type) . ' ' . escapeshellarg($host) . '.', $output); + // dns_get_record() expects an integer as second parameter + // We have to convert the string $type to the corresponding integer constant. + $type_constant = 'DNS_' . $type; + $type_param = (defined($type_constant)) ? constant($type_constant) : DNS_ANY; + + // dns_get_record() might throw E_WARNING and return false for records that do not exist + $resultset = @dns_get_record($host_fqdn, $type_param); + + if (empty($resultset) || !is_array($resultset)) + { + return false; + } + else if ($type_param == DNS_ANY) + { + // $resultset is a non-empty array + return true; + } + + foreach ($resultset as $result) + { + if ( + isset($result['host']) && $result['host'] == $host && + isset($result['type']) && $result['type'] == $type + ) + { + return true; + } + } + + return false; + } + + // If we're on Windows we can still try to call nslookup via exec() as a last resort + if (DIRECTORY_SEPARATOR == '\\' && function_exists('exec')) + { + @exec('nslookup -type=' . escapeshellarg($type) . ' ' . escapeshellarg($host_fqdn), $output); // If output is empty, the nslookup failed if (empty($output)) @@ -3469,15 +3553,66 @@ function phpbb_checkdnsrr($host, $type = '') foreach ($output as $line) { - if (!trim($line)) + $line = trim($line); + + if (empty($line)) { continue; } - // Valid records begin with host name: - if (strpos($line, $host) === 0) + // Squash tabs and multiple whitespaces to a single whitespace. + $line = preg_replace('/\s+/', ' ', $line); + + switch ($type) { - return true; + case 'MX': + if (stripos($line, "$host MX") === 0) + { + return true; + } + break; + + case 'NS': + if (stripos($line, "$host nameserver") === 0) + { + return true; + } + break; + + case 'TXT': + if (stripos($line, "$host text") === 0) + { + return true; + } + break; + + case 'CNAME': + if (stripos($line, "$host canonical name") === 0) + { + return true; + } + + default: + case 'A': + case 'AAAA': + if (!empty($host_matches)) + { + // Second line + if (stripos($line, "Address: ") === 0) + { + return true; + } + else + { + $host_matches = false; + } + } + else if (stripos($line, "Name: $host") === 0) + { + // First line + $host_matches = true; + } + break; } } -- cgit v1.2.1 From 013f0b62b8094ac537dc5aa025d82d9cb59250f1 Mon Sep 17 00:00:00 2001 From: Chris Smith Date: Sun, 8 Aug 2010 16:14:05 +0100 Subject: [ticket/9771] Remove query string parameters that have no name. PHPBB3-9771 --- phpBB/includes/functions.php | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'phpBB/includes/functions.php') diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index bc3d721de5..4c461b5ee8 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -2519,6 +2519,11 @@ function build_url($strip_vars = false) $key = $arguments[0]; unset($arguments[0]); + if ($key === '') + { + continue; + } + $query[$key] = implode('=', $arguments); } -- cgit v1.2.1 From d53312174169f311714da389b6a36fe6a4bc8f9a Mon Sep 17 00:00:00 2001 From: Joas Schilling Date: Fri, 20 Aug 2010 09:21:15 -0400 Subject: [ticket/9780] Add length check back to gen_rand_string(). PHPBB3-9780 --- phpBB/includes/functions.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'phpBB/includes/functions.php') diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index 980a26d525..36b9e18176 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -201,7 +201,7 @@ function set_config_count($config_name, $increment, $is_dynamic = false) function gen_rand_string($num_chars = 8) { // [a, z] + [0, 9] = 36 - return strtoupper(base_convert(unique_id(), 16, 36)); + return substr(strtoupper(base_convert(unique_id(), 16, 36)), 0, $num_chars); } /** -- cgit v1.2.1