From 41ee55a1b2dadacdc646f5ca9797d2aa3cc91c10 Mon Sep 17 00:00:00 2001 From: undido Date: Wed, 20 Mar 2013 00:56:59 -0300 Subject: [PATCH 01/17] Update auto-reload.js check if viewing a thread or viewing a board page when updating a thread so new posts do not appear at bottom of page while viewing threads list not sure if this was because of an outdated template but I thought I should point out this as it may affect html templates no matter the code as the banner code is the only code that checks where the user currently is. --- js/auto-reload.js | 3 +++ 1 file changed, 3 insertions(+) diff --git a/js/auto-reload.js b/js/auto-reload.js index c0c63056..5d96146a 100644 --- a/js/auto-reload.js +++ b/js/auto-reload.js @@ -16,6 +16,9 @@ $(document).ready(function(){ if($('div.banner').length == 0) return; // not index + + if($(".post.op").size() != 1) + return; //not thread page var poll_interval; From b4ff535128e6c169d2b4966e6227faa511780621 Mon Sep 17 00:00:00 2001 From: undido Date: Tue, 16 Apr 2013 19:09:58 -0300 Subject: [PATCH 02/17] update to pages.php minor exploit A lot of bans can be removed from a tinyboard database because it isn't limited A staff member could select 100 users all at once with a simple javascript function and unban them all this needs to be limited because a staff member on an image board if they feel hostile they can just remove all bans on the tinyboard site easily without being limited to how many people they can unban at a time, this adds an option to limit it. --- inc/mod/pages.php | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/inc/mod/pages.php b/inc/mod/pages.php index 5d736a1a..6a780474 100644 --- a/inc/mod/pages.php +++ b/inc/mod/pages.php 
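Review bot: The added check calls jQuery's `.size()`, which has been deprecated since jQuery 1.8 in favour of the `.length` property that the unchanged banner check just above already uses; `if ($('.post.op').length != 1) return; // not a thread page`. A count-of-exactly-one test also classifies any page that carries a banner but several OPs (a board index) as "not a thread", which is what the commit message describes, so a comment stating that intent would save the next reader working it out. The enclosing `$(document).ready` callback starts before the hunk and continues past it.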
@@ -651,7 +651,8 @@ function mod_bans($page_no = 1) { if (preg_match('/^ban_(\d+)$/', $name, $match)) $unban[] = $match[1]; } - + if (isset($config['mod']['unban_limit'])){ + if (count($unban) <= $config['mod']['unban_limit'] || $config['mod']['unban_limit'] == -1){ if (!empty($unban)) { query('DELETE FROM `bans` WHERE `id` = ' . implode(' OR `id` = ', $unban)) or error(db_error()); @@ -659,7 +660,21 @@ function mod_bans($page_no = 1) { modLog("Removed ban #{$id}"); } } + } else { + error(sprintf($config['error']['toomanyunban'], $config['mod']['unban_limit'], count($unban) )); + } + + } else { + + if (!empty($unban)) { + query('DELETE FROM `bans` WHERE `id` = ' . implode(' OR `id` = ', $unban)) or error(db_error()); + + foreach ($unban as $id) { + modLog("Removed ban #{$id}"); + } + } + } header('Location: ?/bans', true, $config['redirect_http']); } From 83401b3a68b4031b4e3c33230acf0d99df7e45fe Mon Sep 17 00:00:00 2001 From: undido Date: Tue, 16 Apr 2013 19:14:51 -0300 Subject: [PATCH 03/17] update config.php config for unban limit Adding config and error for unban list when a user tries to unban more users than they are allowed too. --- inc/config.php | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/inc/config.php b/inc/config.php index 8eed50fa..900d540a 100644 --- a/inc/config.php +++ b/inc/config.php @@ -686,6 +686,7 @@ $config['error']['captcha'] = _('You seem to have mistyped the verification.'); // Moderator errors + $config['error']['toomanyunban'] = _('You are only allowed to unban %s users at a time. You tried to unban %u users.'); $config['error']['invalid'] = _('Invalid username and/or password.'); $config['error']['notamod'] = _('You are not a mod…'); $config['error']['invalidafter'] = _('Invalid username and/or password. Your user may have been deleted or changed.'); 
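Review bot: The cap is only enforced when `$config['mod']['unban_limit']` is set, and the `else` branch repeats the DELETE/modLog block verbatim, so the two copies will drift; computing the effective limit once and guarding with a single `error()` call covers both hunks (@@ -651 and @@ -659) without duplication. The `== -1` test is a loose comparison, so a string `'-1'` or `true` in the config also disables the cap — cast to `int` and compare with `!==`. Note that the limit bounds one request rather than a moderator's session, so it protects mostly against mistakes; the per-id `modLog("Removed ban #…")` entries remain the audit trail that lets mass removals be reviewed. The ids are taken from `preg_match('/^ban_(\d+)$/')` earlier in the hunk, so the interpolated DELETE stays digit-only; the function's head and tail lie outside the hunks.
```php
    $limit = isset($config['mod']['unban_limit']) ? (int) $config['mod']['unban_limit'] : -1;
    if ($limit !== -1 && count($unban) > $limit)
        error(sprintf($config['error']['toomanyunban'], $limit, count($unban)));

    if (!empty($unban)) {
        // … unchanged: DELETE query and per-id modLog …
    }
```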
@@ -768,6 +769,9 @@ * Mod settings * ==================== */ + + // Limit how many bans can be removed via the ban list. (Set too -1 to remove limit.) + $config['mod']['unban_limit'] = 5; // Whether or not to lock moderator sessions to the IP address that was logged in with. $config['mod']['lock_ip'] = true; From 3bcc87caf294cd67f221854d1dc13065706f5a81 Mon Sep 17 00:00:00 2001 From: Macil Tech Date: Wed, 27 Mar 2013 22:09:39 +0800 Subject: [PATCH 04/17] Fix PM count caching. cache::get() returns null if the key wasn't found (at least when using the Redis cache backend). --- inc/mod/auth.php | 2 +- inc/mod/pages.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/inc/mod/auth.php b/inc/mod/auth.php index f594af4b..d4a2ea1c 100644 --- a/inc/mod/auth.php +++ b/inc/mod/auth.php @@ -125,7 +125,7 @@ if (isset($_COOKIE[$config['cookies']['mod']])) { function create_pm_header() { global $mod, $config; - if ($config['cache']['enabled'] && ($header = cache::get('pm_unread_' . $mod['id'])) !== false) { + if ($config['cache']['enabled'] && ($header = cache::get('pm_unread_' . $mod['id'])) != false) { if ($header === true) return false; diff --git a/inc/mod/pages.php b/inc/mod/pages.php index cf06e7d9..726ed735 100644 --- a/inc/mod/pages.php +++ b/inc/mod/pages.php @@ -89,7 +89,7 @@ function mod_dashboard() { } } - if (!$config['cache']['enabled'] || ($args['unread_pms'] = cache::get('pm_unreadcount_' . $mod['id'])) === false) { + if (!$config['cache']['enabled'] || ($args['unread_pms'] = cache::get('pm_unreadcount_' . $mod['id'])) == false) { $query = prepare('SELECT COUNT(*) FROM `pms` WHERE `to` = :id AND `unread` = 1'); $query->bindValue(':id', $mod['id']); $query->execute() or error(db_error($query)); From a92bb182d91ae98b2a2bc7787d5650050868f1f1 Mon Sep 17 00:00:00 2001 
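Review bot: The comment above the new `$config['mod']['unban_limit'] = 5;` line has a typo, `Set too -1`, and does not say what happens when the key is absent, which the pages.php change in this series treats as "no limit"; `// Maximum number of bans one request to the ban list may remove. -1 disables the limit (as does leaving the key unset).` It may also be worth stating that this is a per-request cap rather than a per-moderator quota, since whether 5 is a sensible default depends on the instance's moderation volume.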
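Review bot: Replacing `!== false` with `!= false` handles the `null` miss but also turns legitimate cached values into misses: in `mod_dashboard` (the second hunk of this commit, key `pm_unreadcount_`) a cached count of `0` is `== false`, so every dashboard load with no unread PMs bypasses the cache and runs the COUNT query, and here an empty-string header would do the same. Test the two miss sentinels explicitly instead: `($header = cache::get('pm_unread_' . $mod['id'])) !== false && $header !== null`, and in mod_dashboard `($args['unread_pms'] = cache::get('pm_unreadcount_' . $mod['id'])) === false || $args['unread_pms'] === null`. Both enclosing functions continue outside their hunks.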
From: Macil Tech Date: Tue, 2 Apr 2013 17:28:04 +0800 Subject: [PATCH 05/17] Fix display issues with RTL control characters in post names, subjects, and filenames. --- inc/display.php | 33 +++++++++++++++++++ .../Twig/Extensions/Extension/Tinyboard.php | 1 + templates/post_reply.html | 8 ++--- templates/post_thread.html | 14 ++++---- 4 files changed, 45 insertions(+), 11 deletions(-) diff --git a/inc/display.php b/inc/display.php index 57110224..ab96eb26 100644 --- a/inc/display.php +++ b/inc/display.php @@ -213,6 +213,39 @@ function truncate($body, $url, $max_lines = false, $max_chars = false) { return $body; } +function bidi_cleanup($str){ + # Closes all embedded RTL and LTR unicode formatting blocks in a string so that + # it can be used inside another without controlling its direction. + # More info: http://www.iamcal.com/understanding-bidirectional-text/ + # + # LRE - U+202A - 0xE2 0x80 0xAA + # RLE - U+202B - 0xE2 0x80 0xAB + # LRO - U+202D - 0xE2 0x80 0xAD + # RLO - U+202E - 0xE2 0x80 0xAE + # + # PDF - U+202C - 0xE2 0x80 0xAC + # + $explicits = '\xE2\x80\xAA|\xE2\x80\xAB|\xE2\x80\xAD|\xE2\x80\xAE'; + $pdf = '\xE2\x80\xAC'; + + $stack = 0; + $str = preg_replace_callback("!(?$explicits)|(?$pdf)!", function($match) use (&$stack) { + if (isset($match['explicits']) && $match['explicits']) { + $stack++; + } else { + if ($stack) + $stack--; + else + return ''; + } + return $match[0]; + }, $str); + for ($i=0; $i<$stack; $i++){ + $str .= "\xE2\x80\xAC"; + } + return $str; +} + function secure_link_confirm($text, $title, $confirm_message, $href) { global $config; diff --git a/inc/lib/Twig/Extensions/Extension/Tinyboard.php b/inc/lib/Twig/Extensions/Extension/Tinyboard.php index 0a128e7b..7592d1b4 100644 --- a/inc/lib/Twig/Extensions/Extension/Tinyboard.php +++ b/inc/lib/Twig/Extensions/Extension/Tinyboard.php 
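Review bot: As the patch renders here the pattern reads `"!(?$explicits)|(?$pdf)!"`, which is not a valid group and would make `preg_replace_callback` return `null`; the callback's `$match['explicits']` lookup implies the named-group form `(?<explicits>$explicits)|(?<pdf>$pdf)`, so this is probably rendering loss, but it is worth confirming in the committed file. Either way a PCRE failure currently assigns `null` to `$str`, the loop appends PDF bytes to it, and the post's name, subject or filename is silently emptied; return the untouched input on `null` instead, and `str_repeat` replaces the closing loop. The function also does not cover the Unicode 6.3 isolate controls (LRI/RLI/FSI, closed by PDI), which a later pass could add to `$explicits` and `$pdf` in the same way.
```php
    $cleaned = preg_replace_callback("!(?<explicits>$explicits)|(?<pdf>$pdf)!", function($match) use (&$stack) {
        // … unchanged: stack counting callback …
    }, $str);
    if ($cleaned === null)
        return $str; // PCRE error: keep the original text rather than blanking the field
    return $cleaned . str_repeat("\xE2\x80\xAC", $stack);
```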
@@ -25,6 +25,7 @@ class Twig_Extensions_Extension_Tinyboard extends Twig_Extension 'until' => new Twig_Filter_Function('until'), 'split' => new Twig_Filter_Function('twig_split_filter'), 'push' => new Twig_Filter_Function('twig_push_filter'), + 'bidi_cleanup' => new Twig_Filter_Function('bidi_cleanup'), 'addslashes' => new Twig_Filter_Function('addslashes') ); } diff --git a/templates/post_reply.html b/templates/post_reply.html index ddd0afd4..c5735a0e 100644 --- a/templates/post_reply.html +++ b/templates/post_reply.html @@ -7,14 +7,14 @@