
* version 1.17

x security fixes: trying to prevent SQL injection, filter out bad numeric entities
* prevent guests from manually loading sboxDB.php, show login-message instead
mbirth 2008-02-20 22:46:17 +00:00
parent 35438d6d53
commit 9e79adb291
3 changed files with 50 additions and 44 deletions


@ -4,9 +4,9 @@
<name>SMF Shoutbox</name>
<id>Deep:SMF_Shoutbox</id>
<type>modification</type>
<version>1.16</version>
<version>1.17</version>
<install for="1.1, 1.1.1, 1.1.2, 1.1.3">
<install>
<require-file name="sbox.php" destination="$sourcedir" />
<require-file name="sboxDB.php" destination="$sourcedir" />
<require-file name="sbox.english.php" destination="$languagedir" />
@ -21,12 +21,12 @@
Originally written By Deep (diem4@gmx.net), inspired by Matthew Wolf (a.k.a Grudge)
Heavily improved by Markus Birth (mbirth@webwriters.de)
Copyright 2006 - Neither this package or any of it's contents may be distributed without authorisation.
Copyright 2006-2008 - Neither this package or any of it's contents may be distributed without authorisation.
]]></readme>
<modification type="file">sbox_latest.xml</modification>
</install>
<upgrade from="1.10" for="1.1, 1.1.1, 1.1.2, 1.1.3">
<upgrade from="1.10">
<readme type="inline"><![CDATA[Thanks for trying the shiny new update feature. Although the Package manager might show you an error, the upgrade should work.
PLEASE UNINSTALL ANY LANGUAGE PACK FOR SHOUTBOX BEFORE UPGRADING!]]></readme>
@ -42,7 +42,7 @@ PLEASE UNINSTALL ANY LANGUAGE PACK FOR SHOUTBOX BEFORE UPGRADING!]]></readme>
<code type="file">sbox_upgrade.php</code>
<modification type="file">sbox_latest.xml</modification>
</upgrade>
<upgrade from="1.11" for="1.1, 1.1.1, 1.1.2, 1.1.3">
<upgrade from="1.11">
<readme type="inline"><![CDATA[Thanks for trying the shiny new update feature. Although the Package manager might show you an error, the upgrade should work.
PLEASE UNINSTALL ANY LANGUAGE PACK FOR SHOUTBOX BEFORE UPGRADING!]]></readme>
@ -58,7 +58,7 @@ PLEASE UNINSTALL ANY LANGUAGE PACK FOR SHOUTBOX BEFORE UPGRADING!]]></readme>
<code type="file">sbox_upgrade.php</code>
<modification type="file">sbox_latest.xml</modification>
</upgrade>
<upgrade from="1.12" for="1.1, 1.1.1, 1.1.2, 1.1.3">
<upgrade from="1.12">
<readme type="inline"><![CDATA[Thanks for trying the shiny new update feature. Although the Package manager might show you an error, the upgrade should work.
PLEASE UNINSTALL ANY LANGUAGE PACK FOR SHOUTBOX BEFORE UPGRADING!]]></readme>
@ -74,7 +74,7 @@ PLEASE UNINSTALL ANY LANGUAGE PACK FOR SHOUTBOX BEFORE UPGRADING!]]></readme>
<code type="file">sbox_upgrade.php</code>
<modification type="file">sbox_latest.xml</modification>
</upgrade>
<upgrade from="1.13" for="1.1, 1.1.1, 1.1.2, 1.1.3">
<upgrade from="1.13">
<readme type="inline"><![CDATA[Thanks for trying the shiny new update feature. Although the Package manager might show you an error, the upgrade should work.
PLEASE UNINSTALL ANY LANGUAGE PACK FOR SHOUTBOX BEFORE UPGRADING!]]></readme>
@ -90,7 +90,7 @@ PLEASE UNINSTALL ANY LANGUAGE PACK FOR SHOUTBOX BEFORE UPGRADING!]]></readme>
<code type="file">sbox_upgrade.php</code>
<modification type="file">sbox_latest.xml</modification>
</upgrade>
<upgrade from="1.14" for="1.1, 1.1.1, 1.1.2, 1.1.3">
<upgrade from="1.14">
<readme type="inline"><![CDATA[Thanks for trying the shiny new update feature. Although the Package manager might show you an error, the upgrade should work.]]></readme>
<require-file name="sboxDB.php" destination="$sourcedir" />
<require-file name="sbox.english.php" destination="$languagedir" />
@ -98,12 +98,12 @@ PLEASE UNINSTALL ANY LANGUAGE PACK FOR SHOUTBOX BEFORE UPGRADING!]]></readme>
<require-file name="sbox.french.php" destination="$languagedir" />
<require-file name="sbox.template.php" destination="$themedir" />
</upgrade>
<upgrade from="1.15b" for="1.1, 1.1.1, 1.1.2, 1.1.3">
<upgrade from="1.15b">
<readme type="inline"><![CDATA[Thanks for trying the shiny new update feature. Although the Package manager might show you an error, the upgrade should work.]]></readme>
<require-file name="sbox.template.php" destination="$themedir" />
</upgrade>
<uninstall for="1.1, 1.1.1, 1.1.2, 1.1.3">
<uninstall>
<readme type="inline">Uninstall will remove all the changes made by the shoutbox.</readme>
<modification type="file" reverse="true">sbox_latest.xml</modification>
<remove-file name="$sourcedir/sbox.php" />


@ -8,8 +8,12 @@ require("../SSI.php");
if (!defined('SMF'))
die('Hacking attempt...');
loadLanguage('Errors');
loadLanguage('sbox');
if ($context['user']['is_guest'] && $modSettings['sbox_GuestVisible'] != '1')
die($txt[1] . ' ' . $txt['sbox_Login']);
/***[ BEGIN CONFIGURATION ]***************************************************/
$sbox_HistoryFile = $boarddir . '/sbox.history.html';
@ -86,14 +90,15 @@ function missinghtmlentities($text) {
global $context;
// entitify missing characters, ignore entities already there (Unicode / UTF8) (hopefully in &#123;-notation)
$split = preg_split('/(&#[\d]+;)/', $text, -1, PREG_SPLIT_DELIM_CAPTURE);
$result = '';
foreach ($split as $s) {
if (substr($s, 0, 2) != '&#' || substr($s, -1, 1) != ';') {
// filter out "ANSI_X3.4-1968" charset, which just means plain old ASCII ... replace by UTF-8
if (strpos($context['character_set'], 'ANSI_') !== false) $charset = 'UTF-8'; else $charset = $context['character_set'];
$result .= @htmlentities($s, ENT_NOQUOTES, $charset);
$result = '';
foreach ($split as $s) {
if (substr($s, 0, 2) == '&#' || substr($s, -1, 1) == ';') {
// Convert to std character and htmlentity-fy it again - to re-convert e.g. &#3c; to &lt; so that XSS isn't possible
$result .= @htmlentities(@html_entity_decode($s, ENT_NOQUOTES, $charset), ENT_NOQUOTES, $charset);
} else {
$result .= $s;
$result .= @htmlentities($s, ENT_NOQUOTES, $charset);
}
}
return $result;
@ -179,6 +184,7 @@ if (!empty($_REQUEST['action'])) switch ($_REQUEST['action']) {
// handle special characters
$content = addslashes($piph . $content);
$content = mysql_escape_string($content);
// insert shout message into database
$sql = "INSERT INTO " . $db_prefix . "sbox_content (ID_MEMBER, content, time) VALUES ('" . $context['user']['id'] . "', '" . $content . "', '$date')";
@ -311,7 +317,7 @@ if(mysql_num_rows($result)) {
if (!empty($_REQUEST['ts']) && !$div && $date<$_REQUEST['ts']) {
if ($count > 0 && $modSettings['sbox_NewShoutsBar'] == '1') {
echo '<hr>' . "\n";
echo '<hr />' . "\n";
}
$div = true;
}
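Review bot: The new `mysql_escape_string()` call stacked on the existing `addslashes()` escapes the shout twice, so every quote or backslash a user types is written to the row with a stray backslash (`'` ends up stored as `\'`) and will show up garbled on output; only one escaping step belongs here. `mysql_escape_string()` is also not aware of the connection character set, which is the classic multibyte escaping gap, so the charset-aware variant should replace both lines: `$content = mysql_real_escape_string($piph . $content);`. `$date` is interpolated into the same INSERT without any escaping; whether it can be influenced by a request parameter cannot be confirmed from this hunk, but if it can it needs the same treatment. The enclosing `switch` on `$_REQUEST['action']` begins before this hunk.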


@ -17,7 +17,7 @@
<modification xmlns="http://www.simplemachines.org/xml/modification" xmlns:smf="http://www.simplemachines.org/">
<!-- This information needs to be the same as that in the package-info.xml. -->
<id>Deep:SMF_Shoutbox</id>
<version>1.16</version>
<version>1.17</version>
<!-- Edit BoardIndex.template.php in the SMF Default Theme. -->
<file name="$themedir/BoardIndex.template.php">
@ -121,7 +121,7 @@ function sbox() {
//SMF Shoutbox
$helptxt['sbox_Visible'] = 'Here you can decide wether the shoutbox is visible at all or not.';
$helptxt['sbox_ModsRule'] = 'This enables anyone who has the <i>moderate_board</i> permission on at least one board, to delete shouts.';
$helptxt['sbox_DoHistory'] = 'Defines whether all shouts should be written to a file so that an Administrator can check what was going on.';
$helptxt['sbox_DoHistory'] = 'Defines whether all shouts should be written to a file so that an Administrator can check what was going on. The filename is defined in the sboxDB.php. <b>Change it to a path where only Admins have access to!</b>';
$helptxt['sbox_GuestVisible'] = 'Defines whether the Shoutbox is visible to guests at all.';
$helptxt['sbox_GuestAllowed'] = 'Here you can decide whether guests are allowed to post new shouts.';
@ -151,7 +151,7 @@ $helptxt['sbox_DarkThemes'] = 'Enter all of your dark theme\'s directories separ
//SMF Shoutbox
$helptxt['sbox_Visible'] = 'Hier k&ouml;nnen Sie einstellen, ob die Shoutbox sichtbar ist oder nicht. Diese Einstellung gilt f&uuml;r ALLE Benutzer.';
$helptxt['sbox_ModsRule'] = 'Dies erlaubt jedem, der die <i>moderate_board</i>-Berechtigung auf mindestens einem Board hat, Shouts zu l&ouml;schen.';
$helptxt['sbox_DoHistory'] = 'Legt fest, ob alle Shouts auch in eine Verlaufsdatei geschrieben werden sollen, so dass ein Administrator angebliche Vorf&auml;lle nachpr&uuml;fen kann.';
$helptxt['sbox_DoHistory'] = 'Legt fest, ob alle Shouts auch in eine Verlaufsdatei geschrieben werden sollen, so dass ein Administrator angebliche Vorf&auml;lle nachpr&uuml;fen kann. Der Dateiname wird in der sboxDB.php festgelegt. <b>Bitte auf einen Pfad setzen, wo nur der Administrator Zugriff hat!</b>';
$helptxt['sbox_GuestVisible'] = 'Hiermit k&ouml;nnen Sie festlegen, ob G&auml;ste die Shoutbox &uuml;berhaupt sehen k&ouml;nnen oder nicht.';
$helptxt['sbox_GuestAllowed'] = 'Hier k&ouml;nnen Sie einstellen, ob G&auml;ste die Shoutbox benutzen d&uuml;rfen.';