From 9526f5ed1c5664fa8e12d6c43c20ef4fd2171e93 Mon Sep 17 00:00:00 2001 From: czaks Date: Tue, 8 Jul 2014 09:43:04 +0200 Subject: [PATCH] fix #72 --- inc/mod/pages.php | 27 +++++++++++++++------------ 1 file changed, 15 insertions(+), 12 deletions(-) diff --git a/inc/mod/pages.php b/inc/mod/pages.php index 9b9d3127..0cd49408 100644 --- a/inc/mod/pages.php +++ b/inc/mod/pages.php @@ -232,7 +232,7 @@ function mod_search($type, $search_query_escaped, $page_no = 1) { // Which `field` to search? if ($type == 'posts') - $sql_field = array('body_nomarkup', 'filename', 'file', 'subject', 'filehash', 'ip', 'name', 'trip'); + $sql_field = array('body_nomarkup', 'files', 'subject', 'filehash', 'ip', 'name', 'trip'); if ($type == 'IP_notes') $sql_field = 'body'; if ($type == 'bans') @@ -739,28 +739,31 @@ function mod_view_thread50($boardName, $thread) { function mod_ip_remove_note($ip, $id) { global $config, $mod; + $ip = rawurldecode($ip); if (!hasPermission($config['mod']['remove_notes'])) error($config['error']['noaccess']); - if (filter_var($ip, FILTER_VALIDATE_IP) === false) - error("Invalid IP address."); + //if (filter_var($ip, FILTER_VALIDATE_IP) === false) + // error("Invalid IP address."); $query = prepare('DELETE FROM ``ip_notes`` WHERE `ip` = :ip AND `id` = :id'); $query->bindValue(':ip', $ip); $query->bindValue(':id', $id); $query->execute() or error(db_error($query)); - modLog("Removed a note for {$ip}"); + modLog("Removed a note for ".htmlspecialchars($ip).""); - header('Location: ?/IP/' . $ip . '#notes', true, $config['redirect_http']); + header('Location: ?/IP/' . rawurlencode($ip) . '#notes', true, $config['redirect_http']); } function mod_page_ip($ip) { global $config, $mod; - if (filter_var($ip, FILTER_VALIDATE_IP) === false) - error("Invalid IP address."); + $ip = rawurldecode($ip); + + //if (filter_var($ip, FILTER_VALIDATE_IP) === false) + // error("Invalid IP address."); if (isset($_POST['ban_id'], $_POST['unban'])) { if (!hasPermission($config['mod']['unban'])) @@ -768,7 +771,7 @@ function mod_page_ip($ip) { Bans::delete($_POST['ban_id'], true); - header('Location: ?/IP/' . $ip . '#bans', true, $config['redirect_http']); + header('Location: ?/IP/' . rawurlencode($ip) . '#bans', true, $config['redirect_http']); return; } @@ -785,9 +788,9 @@ function mod_page_ip($ip) { $query->bindValue(':body', $_POST['note']); $query->execute() or error(db_error($query)); - modLog("Added a note for {$ip}"); + modLog("Added a note for ".htmlspecialchars($ip).""); - header('Location: ?/IP/' . $ip . '#notes', true, $config['redirect_http']); + header('Location: ?/IP/' . rawurlencode($ip) . '#notes', true, $config['redirect_http']); return; } @@ -803,7 +806,7 @@ function mod_page_ip($ip) { openBoard($board['uri']); if (!hasPermission($config['mod']['show_ip'], $board['uri'])) continue; - $query = prepare(sprintf('SELECT * FROM ``posts_%s`` WHERE `ip` = :ip ORDER BY `sticky` DESC, `id` DESC LIMIT :limit', $board['uri'])); + $query = prepare(sprintf('SELECT * FROM ``posts_%s`` WHERE `ip` = :ip OR `password` = :ip ORDER BY `sticky` DESC, `id` DESC LIMIT :limit', $board['uri'])); $query->bindValue(':ip', $ip); $query->bindValue(':limit', $config['mod']['ip_recentposts'], PDO::PARAM_INT); $query->execute() or error(db_error($query)); @@ -846,7 +849,7 @@ function mod_page_ip($ip) { $args['security_token'] = make_secure_link_token('IP/' . $ip); - mod_page(sprintf('%s: %s', _('IP'), $ip), 'mod/view_ip.html', $args, $args['hostname']); + mod_page(sprintf('%s: %s', _('IP'), htmlspecialchars($ip)), 'mod/view_ip.html', $args, $args['hostname']); } function mod_ban() {