mbirth/smf-shoutbox
Archived
1
0
Fork 0
Code

* version 1.17

Browse Source 
x security fixes: trying to prevent SQL injection, filter out bad numeric entities
* prevent guests from manually loading sboxDB.php, show login-message instead
This commit is contained in:
mbirth 2008-02-20 22:46:17 +00:00
parent 35438d6d53
commit 9e79adb291
3 changed files with 50 additions and 44 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
package-info.xml
View File

@ -4,9 +4,9 @@
<name>SMF Shoutbox</name>
<id>Deep:SMF_Shoutbox</id>
<type>modification</type>
<version>1.16</version>
<version>1.17</version>
<install for="1.1, 1.1.1, 1.1.2, 1.1.3">
<install>
<require-file name="sbox.php" destination="$sourcedir" />
<require-file name="sboxDB.php" destination="$sourcedir" />
<require-file name="sbox.english.php" destination="$languagedir" />
@ -21,12 +21,12 @@
Originally written By Deep (diem4@gmx.net), inspired by Matthew Wolf (a.k.a Grudge)
Heavily improved by Markus Birth (mbirth@webwriters.de)
Copyright 2006 - Neither this package or any of it's contents may be distributed without authorisation.
Copyright 2006-2008 - Neither this package or any of it's contents may be distributed without authorisation.
]]></readme>
<modification type="file">sbox_latest.xml</modification>
</install>
<upgrade from="1.10" for="1.1, 1.1.1, 1.1.2, 1.1.3">
<upgrade from="1.10">
<readme type="inline"><![CDATA[Thanks for trying the shiny new update feature. Although the Package manager might show you an error, the upgrade should work.
PLEASE UNINSTALL ANY LANGUAGE PACK FOR SHOUTBOX BEFORE UPGRADING!]]></readme>
@ -42,7 +42,7 @@ PLEASE UNINSTALL ANY LANGUAGE PACK FOR SHOUTBOX BEFORE UPGRADING!]]></readme>
<code type="file">sbox_upgrade.php</code>
<modification type="file">sbox_latest.xml</modification>
</upgrade>
<upgrade from="1.11" for="1.1, 1.1.1, 1.1.2, 1.1.3">
<upgrade from="1.11">
<readme type="inline"><![CDATA[Thanks for trying the shiny new update feature. Although the Package manager might show you an error, the upgrade should work.
PLEASE UNINSTALL ANY LANGUAGE PACK FOR SHOUTBOX BEFORE UPGRADING!]]></readme>
@ -58,7 +58,7 @@ PLEASE UNINSTALL ANY LANGUAGE PACK FOR SHOUTBOX BEFORE UPGRADING!]]></readme>
<code type="file">sbox_upgrade.php</code>
<modification type="file">sbox_latest.xml</modification>
</upgrade>
<upgrade from="1.12" for="1.1, 1.1.1, 1.1.2, 1.1.3">
<upgrade from="1.12">
<readme type="inline"><![CDATA[Thanks for trying the shiny new update feature. Although the Package manager might show you an error, the upgrade should work.
PLEASE UNINSTALL ANY LANGUAGE PACK FOR SHOUTBOX BEFORE UPGRADING!]]></readme>
@ -74,7 +74,7 @@ PLEASE UNINSTALL ANY LANGUAGE PACK FOR SHOUTBOX BEFORE UPGRADING!]]></readme>
<code type="file">sbox_upgrade.php</code>
<modification type="file">sbox_latest.xml</modification>
</upgrade>
<upgrade from="1.13" for="1.1, 1.1.1, 1.1.2, 1.1.3">
<upgrade from="1.13">
<readme type="inline"><![CDATA[Thanks for trying the shiny new update feature. Although the Package manager might show you an error, the upgrade should work.
PLEASE UNINSTALL ANY LANGUAGE PACK FOR SHOUTBOX BEFORE UPGRADING!]]></readme>
@ -90,7 +90,7 @@ PLEASE UNINSTALL ANY LANGUAGE PACK FOR SHOUTBOX BEFORE UPGRADING!]]></readme>
<code type="file">sbox_upgrade.php</code>
<modification type="file">sbox_latest.xml</modification>
</upgrade>
<upgrade from="1.14" for="1.1, 1.1.1, 1.1.2, 1.1.3">
<upgrade from="1.14">
<readme type="inline"><![CDATA[Thanks for trying the shiny new update feature. Although the Package manager might show you an error, the upgrade should work.]]></readme>
<require-file name="sboxDB.php" destination="$sourcedir" />
<require-file name="sbox.english.php" destination="$languagedir" />
@ -98,12 +98,12 @@ PLEASE UNINSTALL ANY LANGUAGE PACK FOR SHOUTBOX BEFORE UPGRADING!]]></readme>
<require-file name="sbox.french.php" destination="$languagedir" />
<require-file name="sbox.template.php" destination="$themedir" />
</upgrade>
<upgrade from="1.15b" for="1.1, 1.1.1, 1.1.2, 1.1.3">
<upgrade from="1.15b">
<readme type="inline"><![CDATA[Thanks for trying the shiny new update feature. Although the Package manager might show you an error, the upgrade should work.]]></readme>
<require-file name="sbox.template.php" destination="$themedir" />
</upgrade>
<uninstall for="1.1, 1.1.1, 1.1.2, 1.1.3">
<uninstall>
<readme type="inline">Uninstall will remove all the changes made by the shoutbox.</readme>
<modification type="file" reverse="true">sbox_latest.xml</modification>
<remove-file name="$sourcedir/sbox.php" />

68
sboxDB.php
View File

@ -8,8 +8,12 @@ require("../SSI.php");
if (!defined('SMF'))
die('Hacking attempt...');
loadLanguage('Errors');
loadLanguage('sbox');
if ($context['user']['is_guest'] && $modSettings['sbox_GuestVisible'] != '1')
die($txt[1] . ' ' . $txt['sbox_Login']);
/***[ BEGIN CONFIGURATION ]***************************************************/
$sbox_HistoryFile = $boarddir . '/sbox.history.html';
@ -27,14 +31,14 @@ $sbox_DateSuffix = ']';
// BEGIN: BORROWED FROM http://de2.php.net/manual/en/function.flock.php
/*
* I hope this is usefull.
* If mkdir() is atomic,
* I hope this is usefull.
* If mkdir() is atomic,
* then we do not need to worry about race conditions while trying to make the lockDir,
* unless of course we're writing to NFS, for which this function will be useless.
* so thats why i pulled out the usleep(rand()) piece from the last version
*
* Again, its important to tailor some of the parameters to ones indivdual usage
* I set the default $timeLimit to 3/10th's of a second (maximum time allowed to achieve a lock),
* I set the default $timeLimit to 3/10th's of a second (maximum time allowed to achieve a lock),
* but if you're writing some extrememly large files, and/or your server is very slow, you may need to increase it.
* Obviously, the $staleAge of the lock directory will be important to consider as well if the writing operations might take a while.
* My defaults are extrememly general and you're encouraged to set your own
@ -86,14 +90,15 @@ function missinghtmlentities($text) {
global $context;
// entitify missing characters, ignore entities already there (Unicode / UTF8) (hopefully in &#123;-notation)
$split = preg_split('/(&#[\d]+;)/', $text, -1, PREG_SPLIT_DELIM_CAPTURE);
// filter out "ANSI_X3.4-1968" charset, which just means plain old ASCII ... replace by UTF-8
if (strpos($context['character_set'], 'ANSI_') !== false) $charset = 'UTF-8'; else $charset = $context['character_set'];
$result = '';
foreach ($split as $s) {
if (substr($s, 0, 2) != '&#' || substr($s, -1, 1) != ';') {
// filter out "ANSI_X3.4-1968" charset, which just means plain old ASCII ... replace by UTF-8
if (strpos($context['character_set'], 'ANSI_') !== false) $charset = 'UTF-8'; else $charset = $context['character_set'];
$result .= @htmlentities($s, ENT_NOQUOTES, $charset);
if (substr($s, 0, 2) == '&#' || substr($s, -1, 1) == ';') {
// Convert to std character and htmlentity-fy it again - to re-convert e.g. &#3c; to &lt; so that XSS isn't possible
$result .= @htmlentities(@html_entity_decode($s, ENT_NOQUOTES, $charset), ENT_NOQUOTES, $charset);
} else {
$result .= $s;
$result .= @htmlentities($s, ENT_NOQUOTES, $charset);
}
}
return $result;
@ -103,7 +108,7 @@ function missinghtmlentities($text) {
echo '<html xmlns="http://www.w3.org/1999/xhtml"' . ($context['right_to_left']?' dir="rtl"':'') . '>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=', $context['character_set'], '" />';
$result = db_query("SELECT time FROM {$db_prefix}sbox_content ORDER BY time DESC LIMIT 1", __FILE__, __LINE__);
$row = mysql_fetch_assoc($result);
$refreshBlocked = false;
@ -136,7 +141,7 @@ echo '
}
// ]]></script>
<style type="text/css">
.windowbg2 {
font-family: ' . $modSettings['sbox_FontFamily'] . ';
font-style: normal;
@ -150,14 +155,14 @@ echo '
font-weight: normal;
text-decoration: none;
}
body {
width: 100%;
padding: 0;
margin: 0;
border: 0;
}
.Kill, A.Kill {
color: #ff0000;
}
@ -165,42 +170,43 @@ echo '
if (!empty($_REQUEST['action'])) switch ($_REQUEST['action']) {
case 'write':
if (((!$context['user']['is_guest']) || ($modSettings['sbox_GuestAllowed'] == '1')) && !empty($_REQUEST['sboxText'])) {
is_not_banned(true); // die with message, if user is banned, let him read everything though
$content = $_REQUEST['sboxText'];
// get current timestamp
$date = time();
$posterip = $user_info['ip'];
$pip = explode('.', $posterip);
$piph = sprintf("%02s%02s%02s%02s", dechex($pip[0]), dechex($pip[1]), dechex($pip[2]), dechex($pip[3]));
// handle special characters
$content = addslashes($piph . $content);
$content = mysql_escape_string($content);
// insert shout message into database
$sql = "INSERT INTO " . $db_prefix . "sbox_content (ID_MEMBER, content, time) VALUES ('" . $context['user']['id'] . "', '" . $content . "', '$date')";
db_query($sql, __FILE__, __LINE__);
// delete old shout messages (get id of last shouting and delete all shoutings as defined in settings
$result = db_query("SELECT id FROM " . $db_prefix . "sbox_content WHERE ID_MEMBER='" . $context['user']['id'] . "' AND content='" . $content . "' AND time='$date'", __FILE__, __LINE__);
$rows = mysql_fetch_assoc($result);
$sql = 'DELETE FROM ' . $db_prefix . "sbox_content WHERE id < '" . ($rows["id"]-$modSettings['sbox_MaxLines']) . "'";
db_query($sql, __FILE__, __LINE__);
// write into history if needed
if ($modSettings['sbox_DoHistory'] == '1') {
$ds = $sbox_DatePrefix . date('Y-m-d', $date) . $sbox_DateSeparator . date('H:i.s', $date) . $sbox_DateSuffix;
$content = stripslashes($content); // shouting content
$content = substr($content, 8);
$content = missinghtmlentities($content);
if ($modSettings['sbox_AllowBBC'] == '1' && ($context['user']['id'] > 0 || $modSettings['sbox_GuestBBC'] == '1')) {
$content = parse_bbc($content);
}
$output = $ds . '&nbsp;' . $sbox_NickPrefix;
if ($context['user']['id'] > 0) {
$output .= '<a href="' . $scripturl . '?action=profile;u=' . $context['user']['id'] . '" target="_blank" class="' . $divclass . '">';
@ -210,16 +216,16 @@ if (!empty($_REQUEST['action'])) switch ($_REQUEST['action']) {
$output .= $sbox_NickInnerPrefix . 'Guest-' . base_convert($piph, 16, 36) . $sbox_NickInnerSuffix;
}
$output .= $sbox_NickSuffix . '&nbsp;' . $content . '</div><br />' . "\n";
if (!file_exists($sbox_HistoryFile)) {
// TODO: Prepare file ... HTML-header, stylesheet, etc.
}
locked_filewrite($sbox_HistoryFile, $output);
}
}
break;
case 'clearhist':
if ($context['user']['is_admin']) {
if (file_exists($sbox_HistoryFile)) {
@ -239,7 +245,7 @@ if (!empty($_REQUEST['action'])) switch ($_REQUEST['action']) {
db_query($sql, __FILE__, __LINE__);
}
break;
}
// close header and open body
@ -288,7 +294,7 @@ if (!empty($settings['display_who_viewing'])) {
// get shout messages out of database
$result = db_query("
SELECT *
FROM {$db_prefix}sbox_content AS sb
FROM {$db_prefix}sbox_content AS sb
LEFT JOIN {$db_prefix}members AS mem ON (mem.ID_MEMBER = sb.ID_MEMBER)
ORDER BY id DESC, time ASC LIMIT " . $modSettings['sbox_MaxLines'], __FILE__, __LINE__);
if(mysql_num_rows($result)) {
@ -311,11 +317,11 @@ if(mysql_num_rows($result)) {
if (!empty($_REQUEST['ts']) && !$div && $date<$_REQUEST['ts']) {
if ($count > 0 && $modSettings['sbox_NewShoutsBar'] == '1') {
echo '<hr>' . "\n";
echo '<hr />' . "\n";
}
$div = true;
}
if ($name != $lname) {
$count++; // increase counter
}
@ -347,15 +353,15 @@ if(mysql_num_rows($result)) {
echo "\n" . '<div class="' . $divclass . '" style="color: #' . $colh . '">'; */
echo "\n" . '<div class="' . $divclass . '">';
if ($context['user']['is_admin'] || ($modSettings['sbox_ModsRule'] && count(boardsAllowedTo('moderate_board'))>0)) {
echo '[<a title="' . $txt['sbox_KillShout'] . '" class="Kill" onClick="return kill();" href="' . $_SERVER['PHP_SELF'] . '?action=kill&kill=' . $row['id'] . '">X</a>]';
}
$wd = $txt['days_short'][date('w', $date)];
$ts = date('H:i', $date);
$ds = $sbox_DatePrefix . $wd . $sbox_DateSeparator . $ts . $sbox_DateSuffix;
// highlight username, realname and make sound
if (!empty($context['user']['name']) && strpos($content, $context['user']['name']) !== false) {
if ($div === false) $alert = true;
@ -365,7 +371,7 @@ if(mysql_num_rows($result)) {
if ($div === false) $alert = true;
$content = str_replace($user_info['username'], '<b><u>' . $user_info['username'] . '</u></b>', $content);
}
echo $ds . '&nbsp;' . $sbox_NickPrefix;
if ($name > 0) {
if ($modSettings['sbox_UserLinksVisible'] == '1') echo '<a href="' . $scripturl . '?action=profile;u=' . $name . '" target="_top" style="text-decoration: none;"><span class="' . $divclass . '">';

6
sbox_latest.xml
View File

@ -17,7 +17,7 @@
<modification xmlns="http://www.simplemachines.org/xml/modification" xmlns:smf="http://www.simplemachines.org/">
<!-- This information needs to be the same as that in the package-info.xml. -->
<id>Deep:SMF_Shoutbox</id>
<version>1.16</version>
<version>1.17</version>
<!-- Edit BoardIndex.template.php in the SMF Default Theme. -->
<file name="$themedir/BoardIndex.template.php">
@ -121,7 +121,7 @@ function sbox() {
//SMF Shoutbox
$helptxt['sbox_Visible'] = 'Here you can decide wether the shoutbox is visible at all or not.';
$helptxt['sbox_ModsRule'] = 'This enables anyone who has the <i>moderate_board</i> permission on at least one board, to delete shouts.';
$helptxt['sbox_DoHistory'] = 'Defines whether all shouts should be written to a file so that an Administrator can check what was going on.';
$helptxt['sbox_DoHistory'] = 'Defines whether all shouts should be written to a file so that an Administrator can check what was going on. The filename is defined in the sboxDB.php. <b>Change it to a path where only Admins have access to!</b>';
$helptxt['sbox_GuestVisible'] = 'Defines whether the Shoutbox is visible to guests at all.';
$helptxt['sbox_GuestAllowed'] = 'Here you can decide whether guests are allowed to post new shouts.';
@ -151,7 +151,7 @@ $helptxt['sbox_DarkThemes'] = 'Enter all of your dark theme\'s directories separ
//SMF Shoutbox
$helptxt['sbox_Visible'] = 'Hier k&ouml;nnen Sie einstellen, ob die Shoutbox sichtbar ist oder nicht. Diese Einstellung gilt f&uuml;r ALLE Benutzer.';
$helptxt['sbox_ModsRule'] = 'Dies erlaubt jedem, der die <i>moderate_board</i>-Berechtigung auf mindestens einem Board hat, Shouts zu l&ouml;schen.';
$helptxt['sbox_DoHistory'] = 'Legt fest, ob alle Shouts auch in eine Verlaufsdatei geschrieben werden sollen, so dass ein Administrator angebliche Vorf&auml;lle nachpr&uuml;fen kann.';
$helptxt['sbox_DoHistory'] = 'Legt fest, ob alle Shouts auch in eine Verlaufsdatei geschrieben werden sollen, so dass ein Administrator angebliche Vorf&auml;lle nachpr&uuml;fen kann. Der Dateiname wird in der sboxDB.php festgelegt. <b>Bitte auf einen Pfad setzen, wo nur der Administrator Zugriff hat!</b>';
$helptxt['sbox_GuestVisible'] = 'Hiermit k&ouml;nnen Sie festlegen, ob G&auml;ste die Shoutbox &uuml;berhaupt sehen k&ouml;nnen oder nicht.';
$helptxt['sbox_GuestAllowed'] = 'Hier k&ouml;nnen Sie einstellen, ob G&auml;ste die Shoutbox benutzen d&uuml;rfen.';