From 6d533d2f8630d5bed2bfdbfd09cc9c689fbad1b5 Mon Sep 17 00:00:00 2001 From: Tristan Darricau Date: Wed, 12 Nov 2014 10:30:27 +0100 Subject: [ticket/13280] Revert "Merge pull request #3107 from marc1706/ticket/13280" This reverts commit a1b58d05d158ff7afd789c1b27821e17198f8d58, reversing changes made to 0e772afb9db640e54e84cfccaddcf74f3edbb3fb. PHPBB3-13280 --- phpBB/phpbb/session.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'phpBB/phpbb/session.php') diff --git a/phpBB/phpbb/session.php b/phpBB/phpbb/session.php index a06ff9c594..14b4c63207 100644 --- a/phpBB/phpbb/session.php +++ b/phpBB/phpbb/session.php @@ -43,7 +43,7 @@ class session // First of all, get the request uri... $script_name = $symfony_request->getScriptName(); - $args = explode('&', $symfony_request->getQueryString()); + $args = explode('&', $symfony_request->getQueryString()); // If we are unable to get the script name we use REQUEST_URI as a failover and note it within the page array for easier support... if (!$script_name) @@ -61,8 +61,8 @@ class session // Since some browser do not encode correctly we need to do this with some "special" characters... // " -> %22, ' => %27, < -> %3C, > -> %3E - $find = array('"', "'", '<', '>', '"', '<', '>'); - $replace = array('%22', '%27', '%3C', '%3E', '%22', '%3C', '%3E'); + $find = array('"', "'", '<', '>'); + $replace = array('%22', '%27', '%3C', '%3E'); foreach ($args as $key => $argument) { -- cgit v1.2.1 From 0dfe1d0d8b007ec7b7cae0715cfb2e5f4e33bad4 Mon Sep 17 00:00:00 2001 From: Tristan Darricau Date: Wed, 12 Nov 2014 11:44:56 +0100 Subject: [ticket/13280] Output escaping for the symfony request object PHPBB3-13280 --- phpBB/phpbb/session.php | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) (limited to 'phpBB/phpbb/session.php') diff --git a/phpBB/phpbb/session.php b/phpBB/phpbb/session.php index 14b4c63207..dc90d942c3 100644 --- a/phpBB/phpbb/session.php +++ b/phpBB/phpbb/session.php 
@@ -31,10 +31,11 @@ class session var $update_session_page = true; /** - * Extract current session page - * - * @param string $root_path current root path (phpbb_root_path) - */ + * Extract current session page + * + * @param string $root_path current root path (phpbb_root_path) + * @return array + */ static function extract_current_page($root_path) { global $request, $symfony_request, $phpbb_filesystem; @@ -42,8 +43,8 @@ class session $page_array = array(); // First of all, get the request uri... - $script_name = $symfony_request->getScriptName(); - $args = explode('&', $symfony_request->getQueryString()); + $script_name = $request->escape($symfony_request->getScriptName(), true); + $args = $request->escape(explode('&', $symfony_request->getQueryString()), true); // If we are unable to get the script name we use REQUEST_URI as a failover and note it within the page array for easier support... if (!$script_name) @@ -61,8 +62,8 @@ class session // Since some browser do not encode correctly we need to do this with some "special" characters... // " -> %22, ' => %27, < -> %3C, > -> %3E - $find = array('"', "'", '<', '>'); - $replace = array('%22', '%27', '%3C', '%3E'); + $find = array('"', "'", '<', '>', '"', '<', '>'); + $replace = array('%22', '%27', '%3C', '%3E', '%22', '%3C', '%3E'); foreach ($args as $key => $argument) { -- cgit v1.2.1 From 30f292f5a2b3db5a1feb86790da1a3685b2f5fb3 Mon Sep 17 00:00:00 2001 From: Jakub Senko Date: Sun, 26 Oct 2014 21:17:37 +0100 Subject: [ticket/11613] Allow cookies to work on netbios domains PHPBB3-11613 --- phpBB/phpbb/session.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'phpBB/phpbb/session.php') diff --git a/phpBB/phpbb/session.php b/phpBB/phpbb/session.php index cf8ea1877e..098c69c636 100644 --- a/phpBB/phpbb/session.php +++ b/phpBB/phpbb/session.php 
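Review bot: The three entries appended to `$find`/`$replace` in the `@@ -61` hunk are not explained by the comment above them (`// " -> %22, ' => %27, < -> %3C, > -> %3E`), and as rendered here they look like plain duplicates of `'"'`, `'<'`, `'>'`, which would make the last three pairs no-ops in `str_replace`. Presumably they are the HTML-entity forms of those characters, needed because the `@@ -42` hunk now routes `$args` through `$request->escape(..., true)` before this loop, and the page rendering may have flattened them; either way the dependency should be stated in code. Add above the arrays: `// $args has already been HTML-escaped by $request->escape(), so the entity forms of these characters must be mapped as well as the raw ones`. If the entries really are literal duplicates, replace them with the entity forms. extract_current_page continues past the hunk.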
@@ -1053,7 +1053,7 @@ class session $name_data = rawurlencode($config['cookie_name'] . '_' . $name) . '=' . rawurlencode($cookiedata); $expire = gmdate('D, d-M-Y H:i:s \\G\\M\\T', $cookietime); - $domain = (!$config['cookie_domain'] || $config['cookie_domain'] == 'localhost' || $config['cookie_domain'] == '127.0.0.1') ? '' : '; domain=' . $config['cookie_domain']; + $domain = (!$config['cookie_domain'] || $config['cookie_domain'] == '127.0.0.1' || strpos($config['cookie_domain'], '.') === false) ? '' : '; domain=' . $config['cookie_domain']; header('Set-Cookie: ' . $name_data . (($cookietime) ? '; expires=' . $expire : '') . '; path=' . $config['cookie_path'] . $domain . ((!$config['cookie_secure']) ? '' : '; secure') . ';' . (($httponly) ? ' HttpOnly' : ''), false); } -- cgit v1.2.1 From 566510769b37f093542bfe18834ce2e4771eaf77 Mon Sep 17 00:00:00 2001 From: MasterShredder Date: Sun, 7 Dec 2014 05:57:07 +0400 Subject: [ticket/13422] Add new event core.session_check_user_session PHPBB3-13422 --- phpBB/phpbb/session.php | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 'phpBB/phpbb/session.php') diff --git a/phpBB/phpbb/session.php b/phpBB/phpbb/session.php index 691d0d5bef..ef177ed072 100644 --- a/phpBB/phpbb/session.php +++ b/phpBB/phpbb/session.php @@ -215,7 +215,7 @@ class session function session_begin($update_session_page = true) { global $phpEx, $SID, $_SID, $_EXTRA_URL, $db, $config, $phpbb_root_path; - global $request, $phpbb_container; + global $request, $phpbb_container, $phpbb_dispatcher; // Give us some basic information $this->time_now = time(); 
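Review bot: The new `strpos($config['cookie_domain'], '.') === false` test in `@@ -1053` now covers `'localhost'` implicitly, but nothing in the code says why a dotless host gets no `domain=` attribute; the NetBIOS rationale lives only in the commit subject. Add a comment above the assignment, e.g. `// Browsers presumably reject a Domain attribute for a single-label host (localhost, NetBIOS names), so only emit it for dotted names; 127.0.0.1 is excluded explicitly`. The loose `==` comparison against `'127.0.0.1'` could become `===` while this line is being touched, though it predates the change. The enclosing method starts before the hunk.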
@@ -372,6 +372,14 @@ class session // Did the session exist in the DB? if (isset($this->data['user_id'])) { + /** + * Event to check user session + * + * @event core.session_check_user_session + * @since 3.1.3-RC1 + */ + $phpbb_dispatcher->dispatch('core.session_check_user_session'); + // Validate IP length according to admin ... enforces an IP // check on bots if admin requires this // $quadcheck = ($config['ip_check_bot'] && $this->data['user_type'] & USER_BOT) ? 4 : $config['ip_check']; -- cgit v1.2.1 From 1896825f39225368e1843a28479818f2bf195da2 Mon Sep 17 00:00:00 2001 From: MasterShredder Date: Sun, 7 Dec 2014 05:59:20 +0400 Subject: [ticket/13422] Add new event core.session_set_custom_ban PHPBB3-13422 --- phpBB/phpbb/session.php | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) (limited to 'phpBB/phpbb/session.php') diff --git a/phpBB/phpbb/session.php b/phpBB/phpbb/session.php index ef177ed072..35df71b92e 100644 --- a/phpBB/phpbb/session.php +++ b/phpBB/phpbb/session.php @@ -1090,7 +1090,7 @@ class session */ function check_ban($user_id = false, $user_ips = false, $user_email = false, $return = false) { - global $config, $db; + global $config, $db, $phpbb_dispatcher; if (defined('IN_CHECK_BAN') || defined('SKIP_CHECK_BAN')) { 
@@ -1204,6 +1204,20 @@ class session } $db->sql_freeresult($result); + /** + * Event to set custom ban type + * + * @event core.session_set_custom_ban + * @var bool return If $return is false this routine does not return on finding a banned user, it outputs a relevant message and stops execution + * @var bool banned Check if user already banned + * @var array ban_row Ban data + * @var string ban_triggered_by Custom ban type + * @since 3.1.3-RC1 + */ + $ban_row = isset($ban_row) ? $ban_row : false; + $vars = array('return', 'banned', 'ban_row', 'ban_triggered_by'); + extract($phpbb_dispatcher->trigger_event('core.session_set_custom_ban', compact($vars))); + if ($banned && !$return) { global $template, $phpbb_root_path, $phpEx; -- cgit v1.2.1 From fda5d8d637661dba083dc168745058628d38e5fd Mon Sep 17 00:00:00 2001 From: MasterShredder Date: Mon, 8 Dec 2014 08:50:05 +0400 Subject: [ticket/13422] Deleted event core.session_check_user_session --- phpBB/phpbb/session.php | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) (limited to 'phpBB/phpbb/session.php') diff --git a/phpBB/phpbb/session.php b/phpBB/phpbb/session.php index 35df71b92e..2a948fd885 100644 --- a/phpBB/phpbb/session.php +++ b/phpBB/phpbb/session.php @@ -215,7 +215,7 @@ class session function session_begin($update_session_page = true) { global $phpEx, $SID, $_SID, $_EXTRA_URL, $db, $config, $phpbb_root_path; - global $request, $phpbb_container, $phpbb_dispatcher; + global $request, $phpbb_container; // Give us some basic information $this->time_now = time(); 
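Review bot: Only `$ban_row` is defaulted before `compact($vars)` in `@@ -1204`; if `$ban_triggered_by` is assigned in the same branches that assign `$ban_row` (not visible in the hunk), then on a request with no matching ban `compact()` silently drops it, the event payload lacks the `ban_triggered_by` key the docblock promises, and a listener that sets `banned` to true without supplying it leaves whatever consumes `$ban_triggered_by` further down reading an undefined variable. Default it alongside `$ban_row`: `$ban_triggered_by = isset($ban_triggered_by) ? $ban_triggered_by : '';`. Because `extract()` writes listener output straight over `$return`, `$banned`, `$ban_row` and `$ban_triggered_by`, the docblock should also state that a listener which sets `banned` must supply consistent `ban_row` and `ban_triggered_by` values. check_ban's body continues outside the hunk.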
@@ -372,14 +372,6 @@ class session // Did the session exist in the DB? if (isset($this->data['user_id'])) { - /** - * Event to check user session - * - * @event core.session_check_user_session - * @since 3.1.3-RC1 - */ - $phpbb_dispatcher->dispatch('core.session_check_user_session'); - // Validate IP length according to admin ... enforces an IP // check on bots if admin requires this // $quadcheck = ($config['ip_check_bot'] && $this->data['user_type'] & USER_BOT) ? 4 : $config['ip_check']; -- cgit v1.2.1 From 3f88be65273a9eeba15f822b24a7940c1e58872f Mon Sep 17 00:00:00 2001 From: MasterShredder Date: Sun, 28 Dec 2014 03:35:21 +0400 Subject: [ticket/13422] Changed variable descriptions PHPBB3-13422 --- phpBB/phpbb/session.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'phpBB/phpbb/session.php') diff --git a/phpBB/phpbb/session.php b/phpBB/phpbb/session.php index 2a948fd885..0a6a18ffbe 100644 --- a/phpBB/phpbb/session.php +++ b/phpBB/phpbb/session.php @@ -1200,10 +1200,10 @@ class session * Event to set custom ban type * * @event core.session_set_custom_ban - * @var bool return If $return is false this routine does not return on finding a banned user, it outputs a relevant message and stops execution - * @var bool banned Check if user already banned - * @var array ban_row Ban data - * @var string ban_triggered_by Custom ban type + * @var bool return If $return is false this routine does not return on finding a banned user, it outputs a relevant message and stops execution + * @var bool banned Check if user already banned + * @var array|false ban_row Ban data + * @var string ban_triggered_by Method that caused ban, can be your custom method * @since 3.1.3-RC1 */ $ban_row = isset($ban_row) ? $ban_row : false; -- cgit v1.2.1