From b776d02682492077a4fafd8835d7c4a17e50762d Mon Sep 17 00:00:00 2001 From: Henry Sudhof Date: Tue, 2 Jun 2009 14:12:23 +0000 Subject: Okay, a first ci of the new captcha plugins. We'll add dynamic template includes later, as well as documentation on how to use this. I'm prepared to get yelled at for bugs (oh, I know that there are plenty); but please blame spammers for broken styles and MODs. git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@9524 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/session.php | 40 ++++++++-------------------------------- 1 file changed, 8 insertions(+), 32 deletions(-) (limited to 'phpBB/includes/session.php') diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php index 043a637584..e039fce6e1 100644 --- a/phpBB/includes/session.php +++ b/phpBB/includes/session.php @@ -891,7 +891,7 @@ class session */ function session_gc() { - global $db, $config; + global $db, $config, $phpbb_root_path, $phpEx; $batch_size = 10; 
@@ -949,40 +949,16 @@ class session WHERE last_login < ' . (time() - (86400 * (int) $config['max_autologin_time'])); $db->sql_query($sql); } - $this->confirm_gc(); - } - - return; - } - - function confirm_gc($type = 0) - { - global $db, $config; - - $sql = 'SELECT DISTINCT c.session_id - FROM ' . CONFIRM_TABLE . ' c - LEFT JOIN ' . SESSIONS_TABLE . ' s ON (c.session_id = s.session_id) - WHERE s.session_id IS NULL' . - ((empty($type)) ? '' : ' AND c.confirm_type = ' . (int) $type); - $result = $db->sql_query($sql); - - if ($row = $db->sql_fetchrow($result)) - { - $sql_in = array(); - do - { - $sql_in[] = (string) $row['session_id']; - } - while ($row = $db->sql_fetchrow($result)); - - if (sizeof($sql_in)) + + // only called from CRON; should be a safe workaround until the infrastructure gets going + if (!class_exists('captcha_factory')) { - $sql = 'DELETE FROM ' . CONFIRM_TABLE . ' - WHERE ' . $db->sql_in_set('session_id', $sql_in); - $db->sql_query($sql); + include($phpbb_root_path . "includes/captcha/captcha_factory." . $phpEx); } + captcha_factory::garbage_collect($config['captcha_plugin']); } - $db->sql_freeresult($result); + + return; } -- cgit v1.2.1 From a539fca62b10f53a5f5dadf07f9ab07340fdabf9 Mon Sep 17 00:00:00 2001 From: Meik Sievertsen Date: Sun, 7 Jun 2009 11:34:01 +0000 Subject: some corrections, only very minor things. git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@9554 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/session.php | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'phpBB/includes/session.php') diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php index e039fce6e1..8c6606d680 100644 --- a/phpBB/includes/session.php +++ b/phpBB/includes/session.php 
@@ -949,7 +949,7 @@ class session WHERE last_login < ' . (time() - (86400 * (int) $config['max_autologin_time'])); $db->sql_query($sql); } - + // only called from CRON; should be a safe workaround until the infrastructure gets going if (!class_exists('captcha_factory')) { @@ -961,7 +961,6 @@ class session return; } - /** * Sets a cookie * -- cgit v1.2.1 From be81ae9e46a5f79742b8f1bbf04ee86927eeff77 Mon Sep 17 00:00:00 2001 From: Henry Sudhof Date: Fri, 19 Jun 2009 12:38:08 +0000 Subject: should fix garbage collection git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@9627 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/session.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'phpBB/includes/session.php') diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php index 8c6606d680..b04a73be41 100644 --- a/phpBB/includes/session.php +++ b/phpBB/includes/session.php @@ -955,7 +955,7 @@ class session { include($phpbb_root_path . "includes/captcha/captcha_factory." . $phpEx); } - captcha_factory::garbage_collect($config['captcha_plugin']); + phpbb_captcha_factory::garbage_collect($config['captcha_plugin']); } return; -- cgit v1.2.1 From 433de350c0fa2e1e09c23e6f5f29f118222d2df8 Mon Sep 17 00:00:00 2001 
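Review bot: The `class_exists()` guard that decides whether to include the factory file sits on the line just above this hunk (outside it, but visible in the earlier commit on this page) and still tests `'captcha_factory'`, while the call on the new side is renamed to `phpbb_captcha_factory::garbage_collect(...)`. If the factory file now defines `phpbb_captcha_factory`, the guard is never satisfied, the plain `include()` runs on every call, and a request that already loaded that file elsewhere would hit a class-redeclaration fatal. Rename the guard in step with the call: `if (!class_exists('phpbb_captcha_factory'))`. session_gc() begins outside the hunk.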
From: Meik Sievertsen Date: Sat, 20 Jun 2009 18:45:16 +0000 Subject: - [Feature] New "Newly Registered Users" group for assigning permissions to newly registered users. They will be removed from this group once they reach a defineable amount of posts. - [Feature] Ability to define if the "Newly Registered Users" group will be assigned as the default group to newly registered users. As a coincidence also Bug #46535 got fixed. Additionally the error message displayed with trigger_error() if accessing the private message tab in the ucp is now displayed inline in addition to a slightly different message for newly registered users to let them know that access permissions may be lifted over time. git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@9636 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/session.php | 61 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+) (limited to 'phpBB/includes/session.php') diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php index b04a73be41..6b87bcc866 100644 --- a/phpBB/includes/session.php +++ b/phpBB/includes/session.php @@ -396,6 +396,11 @@ class session WHERE session_id = '" . $db->sql_escape($this->session_id) . "'"; $db->sql_query($sql); } + + if ($this->data['user_id'] != ANONYMOUS && !empty($config['new_member_post_limit']) && $this->data['user_new'] && $config['new_member_post_limit'] <= $this->data['user_posts']) + { + $this->leave_newly_registered(); + } } $this->data['is_registered'] = ($this->data['user_id'] != ANONYMOUS && ($this->data['user_type'] == USER_NORMAL || $this->data['user_type'] == USER_FOUNDER)) ? true : false; 
@@ -2234,6 +2239,62 @@ class user extends session return $var; } } + + /** + * Funtion to make the user leave the NEWLY_REGISTERED system group. + * @access public + */ + function leave_newly_registered() + { + global $db; + + if (!function_exists('group_user_del')) + { + global $phpbb_root_path, $phpEx; + + include($phpbb_root_path . 'includes/functions_user.' . $phpEx); + } + + $sql = 'SELECT group_id + FROM ' . GROUPS_TABLE . " + WHERE group_name = 'NEWLY_REGISTERED' + AND group_type = " . GROUP_SPECIAL; + $result = $db->sql_query($sql); + $group_id = (int) $db->sql_fetchfield('group_id'); + $db->sql_freeresult($result); + + if (!$group_id) + { + return false; + } + + // We need to call group_user_del here, because this function makes sure everything is correctly changed. + // A downside for a call within the session handler is that the language is not set up yet - so no log entry + group_user_del($group_id, $this->data['user_id']); + + // Set user_new to 0 to let this not be triggered again + $sql = 'UPDATE ' . USERS_TABLE . ' + SET user_new = 0 + WHERE user_id = ' . $this->data['user_id']; + $db->sql_query($sql); + + $this->data['user_permissions'] = ''; + $this->data['user_new'] = 0; + + // The new users group was the users default group? + if ($this->data['group_id'] == $group_id) + { + // Which group is now the users default one? + $sql = 'SELECT group_id + FROM ' . USERS_TABLE . ' + WHERE user_id = ' . $this->data['user_id']; + $result = $db->sql_query($sql); + $this->data['group_id'] = $db->sql_fetchfield('group_id'); + $db->sql_freeresult($result); + } + + return true; + } } ?> \ No newline at end of file -- cgit v1.2.1 From afc0ef93c51f659247f4942a3691405d95947383 Mon Sep 17 00:00:00 2001 
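Review bot: Both SQL statements interpolate `$this->data['user_id']` into the query without the `(int)` cast this file applies to ids elsewhere (see the `(int) $user_id` conditions in later hunks on this page), and the value read back by `sql_fetchfield('group_id')` is stored uncast as well. Write `WHERE user_id = ' . (int) $this->data['user_id']` in both statements and `$this->data['group_id'] = (int) $db->sql_fetchfield('group_id');` so the session data keeps integer types. The docblock also misspells "Function" as "Funtion" and would read better as `Makes the user leave the NEWLY_REGISTERED system group.`.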
From: Meik Sievertsen Date: Sun, 21 Jun 2009 11:13:20 +0000 Subject: add check to newly registered function to not execute this more than once git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@9644 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/session.php | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'phpBB/includes/session.php') diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php index 6b87bcc866..4dc6933236 100644 --- a/phpBB/includes/session.php +++ b/phpBB/includes/session.php @@ -2248,6 +2248,11 @@ class user extends session { global $db; + if (empty($this->data['user_new'])) + { + return false; + } + if (!function_exists('group_user_del')) { global $phpbb_root_path, $phpEx; -- cgit v1.2.1 From 794e122cfa01539e912786455da59e25d459a56f Mon Sep 17 00:00:00 2001 From: Henry Sudhof Date: Sun, 21 Jun 2009 14:31:00 +0000 Subject: add quicktool to remove users from the newly registered special group. git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@9646 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/session.php | 41 +++++------------------------------------ 1 file changed, 5 insertions(+), 36 deletions(-) (limited to 'phpBB/includes/session.php') diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php index 4dc6933236..f74a7c5acc 100644 --- a/phpBB/includes/session.php +++ b/phpBB/includes/session.php 
@@ -2253,51 +2253,20 @@ class user extends session return false; } - if (!function_exists('group_user_del')) + if (!function_exists('remove_newly_registered')) { global $phpbb_root_path, $phpEx; include($phpbb_root_path . 'includes/functions_user.' . $phpEx); } - - $sql = 'SELECT group_id - FROM ' . GROUPS_TABLE . " - WHERE group_name = 'NEWLY_REGISTERED' - AND group_type = " . GROUP_SPECIAL; - $result = $db->sql_query($sql); - $group_id = (int) $db->sql_fetchfield('group_id'); - $db->sql_freeresult($result); - - if (!$group_id) + if ($group = remove_newly_registered($this->data['user_id'], $this->data)) { - return false; + $this->data['group_id'] = $group; + } - - // We need to call group_user_del here, because this function makes sure everything is correctly changed. - // A downside for a call within the session handler is that the language is not set up yet - so no log entry - group_user_del($group_id, $this->data['user_id']); - - // Set user_new to 0 to let this not be triggered again - $sql = 'UPDATE ' . USERS_TABLE . ' - SET user_new = 0 - WHERE user_id = ' . $this->data['user_id']; - $db->sql_query($sql); - $this->data['user_permissions'] = ''; $this->data['user_new'] = 0; - - // The new users group was the users default group? - if ($this->data['group_id'] == $group_id) - { - // Which group is now the users default one? - $sql = 'SELECT group_id - FROM ' . USERS_TABLE . ' - WHERE user_id = ' . $this->data['user_id']; - $result = $db->sql_query($sql); - $this->data['group_id'] = $db->sql_fetchfield('group_id'); - $db->sql_freeresult($result); - } - + return true; } } -- cgit v1.2.1 From b1584a8d5c709c4c909826e23286ca6aa438cf41 Mon Sep 17 00:00:00 2001 
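Review bot: `$this->data['group_id'] = $group;` stores whatever remove_newly_registered() returns without a cast, and the assignment buried in the `if` condition makes the intent harder to read. Prefer `$group_id = remove_newly_registered($this->data['user_id'], $this->data);` followed by `if ($group_id) { $this->data['group_id'] = (int) $group_id; }`. With the direct SQL removed, the `global $db;` at the top of this method (outside the hunk, visible in the preceding commit on this page) appears to be unused now and can go. leave_newly_registered() begins outside the hunk.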
From: Ruslan Uzdenov Date: Mon, 22 Jun 2009 16:16:04 +0000 Subject: Fix bug #46965 - File named install in php directory Authorised by: acydburn git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@9654 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/session.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'phpBB/includes/session.php') diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php index f74a7c5acc..509e11e524 100644 --- a/phpBB/includes/session.php +++ b/phpBB/includes/session.php @@ -1756,7 +1756,7 @@ class user extends session // Disable board if the install/ directory is still present // For the brave development army we do not care about this, else we need to comment out this everytime we develop locally - if (!defined('DEBUG_EXTRA') && !defined('ADMIN_START') && !defined('IN_INSTALL') && !defined('IN_LOGIN') && file_exists($phpbb_root_path . 'install')) + if (!defined('DEBUG_EXTRA') && !defined('ADMIN_START') && !defined('IN_INSTALL') && !defined('IN_LOGIN') && file_exists($phpbb_root_path . 'install') && !is_file($phpbb_root_path . 'install')) { // Adjust the message slightly according to the permissions if ($auth->acl_gets('a_', 'm_') || $auth->acl_getf_global('m_')) -- cgit v1.2.1 From 19e2dcd5db7f2a910409b82ce315265608ae8266 Mon Sep 17 00:00:00 2001 From: Gabriel Vazquez Date: Wed, 24 Jun 2009 02:56:05 +0000 Subject: Fixed Bug #47145 - [Fix] Correctly check banned users when force password change Authorised by: AcydBurn git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@9665 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/session.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'phpBB/includes/session.php') diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php index 509e11e524..c1bc4b3f31 100644 --- a/phpBB/includes/session.php +++ b/phpBB/includes/session.php 
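Review bot: `file_exists($phpbb_root_path . 'install') && !is_file($phpbb_root_path . 'install')` is a roundabout way of asking whether `install` is a directory, and costs two stat calls where one suffices. `is_dir($phpbb_root_path . 'install')` states the intent directly and covers the cases this check is meant to catch (a leftover install/ directory, but not a stray file named install). The enclosing method begins and ends outside the hunk.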
@@ -1833,7 +1833,7 @@ class user extends session // Does the user need to change their password? If so, redirect to the // ucp profile reg_details page ... of course do not redirect if we're already in the ucp - if (!defined('IN_ADMIN') && !defined('ADMIN_START') && $config['chg_passforce'] && $this->data['is_registered'] && $auth->acl_get('u_chgpasswd') && $this->data['user_passchg'] < time() - ($config['chg_passforce'] * 86400)) + if (!defined('IN_ADMIN') && !defined('ADMIN_START') && $config['chg_passforce'] && !empty($this->data['is_registered']) && $auth->acl_get('u_chgpasswd') && $this->data['user_passchg'] < time() - ($config['chg_passforce'] * 86400)) { if (strpos($this->page['query_string'], 'mode=reg_details') === false && $this->page['page_name'] != "ucp.$phpEx") { -- cgit v1.2.1 From adaeec1ec9f7cd55522a5c4d0bf0538dbc0c6f99 Mon Sep 17 00:00:00 2001 From: Ruslan Uzdenov Date: Sat, 27 Jun 2009 08:36:40 +0000 Subject: Fixed Bug #45115 - Signature parsing flags are not stored in DB Authorised by: AcydBurn git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@9696 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/session.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'phpBB/includes/session.php') diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php index c1bc4b3f31..9ae5a7c793 100644 --- a/phpBB/includes/session.php +++ b/phpBB/includes/session.php 
@@ -1431,8 +1431,8 @@ class user extends session var $img_lang; var $img_array = array(); - // Able to add new option (id 7) - var $keyoptions = array('viewimg' => 0, 'viewflash' => 1, 'viewsmilies' => 2, 'viewsigs' => 3, 'viewavatars' => 4, 'viewcensors' => 5, 'attachsig' => 6, 'bbcode' => 8, 'smilies' => 9, 'popuppm' => 10); + // Able to add new options (up to id 31) + var $keyoptions = array('viewimg' => 0, 'viewflash' => 1, 'viewsmilies' => 2, 'viewsigs' => 3, 'viewavatars' => 4, 'viewcensors' => 5, 'attachsig' => 6, 'bbcode' => 8, 'smilies' => 9, 'popuppm' => 10, 'sig_bbcode' => 15, 'sig_smilies' => 16, 'sig_links' => 17); var $keyvalues = array(); /** -- cgit v1.2.1 From f84cbee47c06dd9df3b2cf7085a3b37ab9095d09 Mon Sep 17 00:00:00 2001 From: Joas Schilling Date: Fri, 24 Jul 2009 08:52:56 +0000 Subject: Fix bug #18005 - Do not add style-parameter to URL again, after admin re-authentification - Patch by leviatan21 Authorised by: AcydBurn git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@9841 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/session.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'phpBB/includes/session.php') diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php index 9ae5a7c793..c8617057c4 100644 --- a/phpBB/includes/session.php +++ b/phpBB/includes/session.php @@ -1534,7 +1534,7 @@ class user extends session $this->add_lang($lang_set); unset($lang_set); - if (!empty($_GET['style']) && $auth->acl_get('a_styles')) + if (!empty($_GET['style']) && $auth->acl_get('a_styles') && !defined('ADMIN_START')) { global $SID, $_EXTRA_URL; -- cgit v1.2.1 From 3461eaf828848bd27d4777cfd796319dd55c53ce Mon Sep 17 00:00:00 2001 
From: Meik Sievertsen Date: Sat, 1 Aug 2009 11:01:18 +0000 Subject: Fallback options for missing language files. (Bug #38575 - Patch by EXreaction) git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@9901 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/session.php | 32 ++++++++++++++++++++++++++++++-- 1 file changed, 30 insertions(+), 2 deletions(-) (limited to 'phpBB/includes/session.php') diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php index c8617057c4..a49716a8db 100644 --- a/phpBB/includes/session.php +++ b/phpBB/includes/session.php 
@@ -2006,6 +2006,34 @@ class user extends session $language_filename = $this->lang_path . $this->lang_name . '/' . (($use_help) ? 'help_' : '') . $lang_file . '.' . $phpEx; } + if (!file_exists($language_filename)) + { + global $config; + + if ($this->lang_name == 'en') + { + // The user's selected language is missing the file, the board default's language is missing the file, and the file doesn't exist in /en. + $language_filename = str_replace($this->lang_path . 'en', $this->lang_path . $this->data['user_lang'], $language_filename); + trigger_error('Language file ' . $language_filename . ' couldn\'t be opened.', E_USER_ERROR); + } + else if ($this->lang_name == basename($config['default_lang'])) + { + // Fall back to the English Language + $this->lang_name = 'en'; + $this->set_lang($lang, $help, $lang_file, $use_db, $use_help); + } + else if ($this->lang_name == $this->data['user_lang']) + { + // Fall back to the board default language + $this->lang_name = basename($config['default_lang']); + $this->set_lang($lang, $help, $lang_file, $use_db, $use_help); + } + + // Reset the lang name + $this->lang_name = (file_exists($this->lang_path . $this->data['user_lang'] . "/common.$phpEx")) ? $this->data['user_lang'] : basename($config['default_lang']); + return; + } + // Do not suppress error if in DEBUG_EXTRA mode $include_result = (defined('DEBUG_EXTRA')) ? (include $language_filename) : (@include $language_filename); @@ -2262,11 +2290,11 @@ class user extends session if ($group = remove_newly_registered($this->data['user_id'], $this->data)) { $this->data['group_id'] = $group; - + } $this->data['user_permissions'] = ''; $this->data['user_new'] = 0; - + return true; } } -- cgit v1.2.1 From c8daec7c8239fab1cc45eb94829a1a99fd646d46 Mon Sep 17 00:00:00 2001 
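Review bot: The `trigger_error(...)` on the English fallback branch embeds `$language_filename`, which is built from `$this->lang_path` and therefore shows an absolute server-side path to whoever hits the error, although the message is aimed at end users rather than logs. Prefer `trigger_error('Language file ' . str_replace($this->lang_path, '', $language_filename) . ' couldn\'t be opened.', E_USER_ERROR);` so only the language-relative name is shown, and reserve the full path for the DEBUG_EXTRA case the line below already distinguishes. The `global $config;` declared inside the `if` block would also read better alongside the method's other globals at the top of set_lang(), which begins outside the hunk.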
From: Joas Schilling Date: Tue, 4 Aug 2009 10:04:54 +0000 Subject: Fix Bug #49035 - Fix general error while registration, through undefined variable $config in validate_referer (Patch by wjvriend) Authorised by: bantu git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@9917 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/session.php | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'phpBB/includes/session.php') diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php index a49716a8db..b4d817daf9 100644 --- a/phpBB/includes/session.php +++ b/phpBB/includes/session.php @@ -1364,6 +1364,8 @@ class session */ function validate_referer($check_script_path = false) { + global $config; + // no referer - nothing to validate, user's fault for turning it off (we only check on POST; so meta can't be the reason) if (empty($this->referer) || empty($this->host)) { @@ -1373,7 +1375,7 @@ class session $host = htmlspecialchars($this->host); $ref = substr($this->referer, strpos($this->referer, '://') + 3); - if (!(stripos($ref, $host) === 0) && (!$config['force_server'] || !(stripos($ref, $config['server_name']) === 0))) + if (!(stripos($ref, $host) === 0) && (!$config['force_server_vars'] || !(stripos($ref, $config['server_name']) === 0))) { return false; } -- cgit v1.2.1 From f7009291e20969421f90ab81eed1347a4d977501 Mon Sep 17 00:00:00 2001 
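Review bot: The changed condition still compares the referer with `stripos($ref, $host) === 0`, which is a prefix test on everything after `://`, so a referer host that merely begins with `$host` (further label characters before the first `/`) passes, and the `$config['server_name']` branch has the same shape. Isolate the host portion first and compare it exactly: `$ref_host = strtolower(substr($ref, 0, strcspn($ref, '/?#')));` then test `$ref_host !== strtolower($host)` (and likewise against `$config['server_name']`), making sure both sides carry or omit a port consistently since `$this->host` may include one. The rest of validate_referer(), including the `$check_script_path` handling, lies outside the hunk.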
From: Meik Sievertsen Date: Mon, 17 Aug 2009 14:45:14 +0000 Subject: Ability to define constant PHPBB_USE_BOARD_URL_PATH to use board url for images/avatars/ranks/imageset... This feature does not change anything for those not using the constant and this feature is also quite in-flux. We need to test this with some applications and bridges and there may be other locations able to benefit from it. git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@10008 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/session.php | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'phpBB/includes/session.php') diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php index b4d817daf9..d0b4c8c285 100644 --- a/phpBB/includes/session.php +++ b/phpBB/includes/session.php @@ -2196,7 +2196,10 @@ class user extends session return $img_data; } - $img_data['src'] = $phpbb_root_path . 'styles/' . rawurlencode($this->theme['imageset_path']) . '/imageset/' . ($this->img_array[$img]['image_lang'] ? $this->img_array[$img]['image_lang'] .'/' : '') . $this->img_array[$img]['image_filename']; + // Use URL if told so + $root_path = (defined('PHPBB_USE_BOARD_URL_PATH') && PHPBB_USE_BOARD_URL_PATH) ? generate_board_url() . '/' : $phpbb_root_path; + + $img_data['src'] = $root_path . 'styles/' . rawurlencode($this->theme['imageset_path']) . '/imageset/' . ($this->img_array[$img]['image_lang'] ? $this->img_array[$img]['image_lang'] .'/' : '') . $this->img_array[$img]['image_filename']; $img_data['width'] = $this->img_array[$img]['image_width']; $img_data['height'] = $this->img_array[$img]['image_height']; } -- cgit v1.2.1 From bec4b11b64fa8372d430add94f0eee30ee9d0762 Mon Sep 17 00:00:00 2001 
From: Meik Sievertsen Date: Thu, 20 Aug 2009 08:37:06 +0000 Subject: Because we store forwarded_for if the check is activated we need a better check git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@10019 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/session.php | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'phpBB/includes/session.php') diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php index d0b4c8c285..8d41616123 100644 --- a/phpBB/includes/session.php +++ b/phpBB/includes/session.php @@ -213,7 +213,7 @@ class session $this->update_session_page = $update_session_page; $this->browser = (!empty($_SERVER['HTTP_USER_AGENT'])) ? htmlspecialchars((string) $_SERVER['HTTP_USER_AGENT']) : ''; $this->referer = (!empty($_SERVER['HTTP_REFERER'])) ? htmlspecialchars((string) $_SERVER['HTTP_REFERER']) : ''; - $this->forwarded_for = (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) ? (string) $_SERVER['HTTP_X_FORWARDED_FOR'] : ''; + $this->forwarded_for = (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) ? htmlspecialchars((string) $_SERVER['HTTP_X_FORWARDED_FOR']) : ''; $this->host = $this->extract_current_hostname(); $this->page = $this->extract_current_page($phpbb_root_path); @@ -221,10 +221,10 @@ class session // if the forwarded for header shall be checked we have to validate its contents if ($config['forwarded_for_check']) { - $this->forwarded_for = preg_replace('#, +#', ', ', $this->forwarded_for); + $this->forwarded_for = preg_replace('#[ ]{2,}#', ' ', str_replace(array(',', ' '), ' ', $this->forwarded_for)); // split the list of IPs - $ips = explode(', ', $this->forwarded_for); + $ips = explode(' ', $this->forwarded_for); foreach ($ips as $ip) { // check IPv4 first, the IPv6 is hopefully only going to be used very seldomly 
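Review bot: In `str_replace(array(',', ' '), ' ', $this->forwarded_for)` the second search element replaces a space with a space, so it does nothing; the following `preg_replace('#[ ]{2,}#', ' ', ...)` is what actually collapses the whitespace. Either drop it (`str_replace(',', ' ', $this->forwarded_for)`) or, if another separator such as a tab was meant, name that character so the intent is visible. The per-entry validation loop this feeds continues outside the hunk.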
@@ -267,7 +267,7 @@ class session // Why no forwarded_for et al? Well, too easily spoofed. With the results of my recent requests // it's pretty clear that in the majority of cases you'll at least be left with a proxy/cache ip. - $this->ip = (!empty($_SERVER['REMOTE_ADDR'])) ? htmlspecialchars($_SERVER['REMOTE_ADDR']) : ''; + $this->ip = (!empty($_SERVER['REMOTE_ADDR'])) ? htmlspecialchars((string) $_SERVER['REMOTE_ADDR']) : ''; $this->load = false; // Load limit check (if applicable) @@ -606,7 +606,7 @@ class session } else { - $ips = explode(', ', $this->forwarded_for); + $ips = explode(' ', $this->forwarded_for); $ips[] = $this->ip; $this->check_ban($this->data['user_id'], $ips); } -- cgit v1.2.1 From d8a76b14428d9a5cc955dd0341f032e43f53c7d9 Mon Sep 17 00:00:00 2001 From: Meik Sievertsen Date: Thu, 20 Aug 2009 08:43:10 +0000 Subject: Add some very basic checks to the users ip - related to bug #48995 git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@10020 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/session.php | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) (limited to 'phpBB/includes/session.php') diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php index 8d41616123..112cf4e2fd 100644 --- a/phpBB/includes/session.php +++ b/phpBB/includes/session.php 
@@ -268,6 +268,27 @@ class session // Why no forwarded_for et al? Well, too easily spoofed. With the results of my recent requests // it's pretty clear that in the majority of cases you'll at least be left with a proxy/cache ip. $this->ip = (!empty($_SERVER['REMOTE_ADDR'])) ? htmlspecialchars((string) $_SERVER['REMOTE_ADDR']) : ''; + $this->ip = preg_replace('#[ ]{2,}#', ' ', str_replace(array(',', ' '), ' ', $this->ip)); + + // split the list of IPs + $ips = explode(' ', $this->ip); + + // Default IP if REMOTE_ADDR is invalid + $this->ip = '127.0.0.1'; + + foreach ($ips as $ip) + { + // check IPv4 first, the IPv6 is hopefully only going to be used very seldomly + if (!empty($ip) && !preg_match(get_preg_expression('ipv4'), $ip) && !preg_match(get_preg_expression('ipv6'), $ip)) + { + // Just break + break; + } + + // Use the last in chain + $this->ip = $ip; + } + $this->load = false; // Load limit check (if applicable) -- cgit v1.2.1 From 295fb5373ae0a37bfbc36a4461dc3ed2c3cbf9cb Mon Sep 17 00:00:00 2001 From: Jim Wigginton Date: Fri, 4 Sep 2009 14:53:35 +0000 Subject: - fixed bug #44975 git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@10103 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/session.php | 14 ++++++++++++++ 1 file changed, 14 insertions(+) (limited to 'phpBB/includes/session.php') diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php index 112cf4e2fd..dcfde14159 100644 --- a/phpBB/includes/session.php +++ b/phpBB/includes/session.php 
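Review bot: The `!empty($ip) &&` guard exempts empty segments from the regex check, so an empty REMOTE_ADDR, or one with a trailing separator, leaves the loop with `$this->ip = ''` rather than the documented default; `if (empty($ip) || (!preg_match(get_preg_expression('ipv4'), $ip) && !preg_match(get_preg_expression('ipv6'), $ip)))` would treat them as malformed like everything else. The default itself, `'127.0.0.1'`, records a request with an unparseable REMOTE_ADDR as coming from loopback, the address most likely to be treated as trusted by anything downstream (ban exemptions, local-only checks); a non-routable placeholder such as `'0.0.0.0'` avoids giving a malformed value local standing, provided the rest of the code tolerates it. The `// Use the last in chain` comment is also slightly off, since the loop breaks at the first malformed entry and keeps the last valid one before it. The surrounding constructor begins and ends outside the hunk.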
@@ -1361,6 +1361,20 @@ class session WHERE user_id = ' . (int) $user_id; $db->sql_query($sql); + // Update last visit info first before deleting sessions + $sql = 'SELECT session_time, session_page + FROM ' . SESSIONS_TABLE . ' + WHERE session_user_id = ' . (int) $user_id . ' + ORDER BY session_time DESC'; + $result = $db->sql_query_limit($sql, 1); + $row = $db->sql_fetchrow($result); + $db->sql_freeresult($result); + + $sql = 'UPDATE ' . USERS_TABLE . ' + SET user_lastvisit = ' . (int) $row['session_time'] . ", user_lastpage = '" . $db->sql_escape($row['session_page']) . "' + WHERE user_id = " . (int) $user_id; + $db->sql_query($sql); + // Let's also clear any current sessions for the specified user_id // If it's the current user then we'll leave this session intact $sql_where = 'session_user_id = ' . (int) $user_id; -- cgit v1.2.1
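Review bot: `$row` is used without checking that the SELECT returned anything; when the user has no rows in SESSIONS_TABLE, `sql_fetchrow()` presumably yields `false`, and the following UPDATE then writes `user_lastvisit = 0` and `user_lastpage = ''`, wiping the stored last-visit data of a user who simply was not logged in. Guard the second statement with `if ($row)` so the values are only rewritten when a session was actually found. The enclosing method begins and ends outside the hunk.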