From a5312ebe897036e89db57480abb0ae617a2bcb38 Mon Sep 17 00:00:00 2001 From: Michael Foster Date: Wed, 31 Jul 2013 21:02:26 -0400 Subject: [PATCH 1/4] Allow public ban messages on raw HTML posts --- inc/functions.php | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/inc/functions.php b/inc/functions.php index 0b4ac211..b40b40d2 100644 --- a/inc/functions.php +++ b/inc/functions.php @@ -1423,6 +1423,7 @@ function markup(&$body, $track_cites = false) { if (preg_match_all('@<tinyboard ([\w\s]+)>(.+)</tinyboard>@um', $body, $modifiers, PREG_SET_ORDER | PREG_OFFSET_CAPTURE)) { $skip_chars = 0; $body_tmp = $body; + $end_markup = false; foreach ($modifiers as $modifier) { // preg_match_all is not multibyte-safe @@ -1436,9 +1437,13 @@ function markup(&$body, $track_cites = false) { if ($modifier['type'] == 'ban message') { // Public ban message $replacement = sprintf($config['mod']['ban_message'], $modifier['content']); + if ($end_markup) { + $body .= $replacement; + } } elseif ($modifier['type'] == 'raw html') { $body = html_entity_decode($modifier['content']); - return array(); + $replacement = ''; + $end_markup = true; } elseif (preg_match('/^escape /', $modifier['type'])) { // Escaped (not a real modifier) $replacement = '<tinyboard ' . substr($modifier['type'], strlen('escape ')) . '>' . $modifier['content'] . '</tinyboard>'; @@ -1447,9 +1452,14 @@ function markup(&$body, $track_cites = false) { $replacement = ''; } - $body = mb_substr_replace($body, $replacement, $modifier[0][1] + $skip_chars, mb_strlen($modifier[0][0])); - $skip_chars += mb_strlen($replacement) - mb_strlen($modifier[0][0]); - + if (!$end_markup) { + $body = mb_substr_replace($body, $replacement, $modifier[0][1] + $skip_chars, mb_strlen($modifier[0][0])); + $skip_chars += mb_strlen($replacement) - mb_strlen($modifier[0][0]); + } + } + + if ($end_markup) { + return array(); } } From ea2b8cce077a092e0cbf136f9a45158668cc5ecf Mon Sep 17 00:00:00 2001 
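Review bot: In the `raw html` branch (hunk at -1436) `$body` is reassigned on every matching modifier while the loop now keeps running, so a second `raw html` modifier discards the first one's content together with any ban message already appended by `$body .= $replacement`. A ban message that precedes the `raw html` modifier is lost the same way, because it is substituted into the old `$body` before the overwrite. If only the first raw block is meant to win, guard the branch with `} elseif ($modifier['type'] == 'raw html' && !$end_markup) {`; otherwise document the ordering the loop relies on, e.g. `// raw html must precede any ban message; later ban messages are appended, not substituted`. The `if (!$end_markup)` guard in the hunk at -1447 depends on the same ordering, and markup() begins and ends outside these hunks.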
From: Michael Foster Date: Wed, 31 Jul 2013 21:24:17 -0400 Subject: [PATCH 2/4] Bugfix: HTML injection in post editing (introduces and fixes yet another bug) --- inc/functions.php | 4 ++-- inc/mod/pages.php | 9 ++++++--- templates/mod/edit_post_form.html | 2 +- 3 files changed, 9 insertions(+), 6 deletions(-) diff --git a/inc/functions.php b/inc/functions.php index b40b40d2..9e1ce1fa 100644 --- a/inc/functions.php +++ b/inc/functions.php @@ -1420,7 +1420,7 @@ function markup(&$body, $track_cites = false) { $body = str_replace("\r", '', $body); $body = utf8tohtml($body); - if (preg_match_all('@<tinyboard ([\w\s]+)>(.+)</tinyboard>@um', $body, $modifiers, PREG_SET_ORDER | PREG_OFFSET_CAPTURE)) { + if (preg_match_all('@<tinyboard ([\w\s]+)>(.+?)</tinyboard>@um', $body, $modifiers, PREG_SET_ORDER | PREG_OFFSET_CAPTURE)) { $skip_chars = 0; $body_tmp = $body; $end_markup = false; @@ -1436,7 +1436,7 @@ function markup(&$body, $track_cites = false) { if ($modifier['type'] == 'ban message') { // Public ban message - $replacement = sprintf($config['mod']['ban_message'], $modifier['content']); + $replacement = sprintf($config['mod']['ban_message'], html_entity_decode($modifier['content'])); if ($end_markup) { $body .= $replacement; } diff --git a/inc/mod/pages.php b/inc/mod/pages.php index 7edc0ee6..2808dc56 100644 --- a/inc/mod/pages.php +++ b/inc/mod/pages.php @@ -1222,7 +1222,7 @@ function mod_ban_post($board, $delete, $post, $token = false) { $_POST['message'] = str_replace('%LENGTH%', strtoupper($length_english), $_POST['message']); $query = prepare(sprintf('UPDATE `posts_%s` SET `body_nomarkup` = CONCAT(`body_nomarkup`, :body_nomarkup) WHERE `id` = :id', $board)); $query->bindValue(':id', $post); - $query->bindValue(':body_nomarkup', sprintf("\n%s", $_POST['message'])); + $query->bindValue(':body_nomarkup', sprintf("\n%s", utf8tohtml($_POST['message']))); $query->execute() or error(db_error($query)); rebuildPost($post); 
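Review bot: The modifier pattern in the hunk at -1420 gains a lazy `(.+?)` but keeps the `um` flags, so `.` still stops at a newline and a modifier whose content spans several lines will not match at all. That matters most for the `raw html` type, whose content is a whole post body; unmatched, it would presumably be rendered as ordinary escaped text instead of being decoded. Consider the `s` flag in place of `m`: `'@<tinyboard ([\w\s]+)>(.+?)</tinyboard>@us'`. markup() continues outside the hunk.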
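Review bot: `html_entity_decode($modifier['content'])` in the hunk at -1436 removes one layer of escaping from the ban message, so the output is only safe if every writer of a `ban message` modifier escaped the text first; the only writer visible in this patch is mod_ban_post, which now stores `utf8tohtml($_POST['message'])` (the `inc/mod/pages.php` hunk at -1222). Any other path that can place this modifier in `body_nomarkup` would have its content emitted as markup, so the invariant deserves a comment above the call, e.g. `// content is escaped on store and again by utf8tohtml($body); decode exactly once`. The call also relies on the default flags and charset, which differ between PHP versions; passing them explicitly, for instance `html_entity_decode($modifier['content'], ENT_QUOTES, 'UTF-8')` with the flags matched to whatever utf8tohtml() uses (its body is not visible here), keeps encode and decode symmetric.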
@@ -1298,10 +1298,13 @@ function mod_edit_post($board, $edit_raw_html, $postID) { header('Location: ?/' . sprintf($config['board_path'], $board) . $config['dir']['res'] . sprintf($config['file_page'], $post['thread'] ? $post['thread'] : $postID) . '#' . $postID, true, $config['redirect_http']); } else { if ($config['minify_html']) { - $post['body_nomarkup'] = str_replace("\n", ' ', $post['body_nomarkup']); - $post['body'] = str_replace("\n", ' ', $post['body']); + // $post['body_nomarkup'] = str_replace("\n", ' ', $post['body_nomarkup']); + // $post['body'] = str_replace("\n", ' ', $post['body']); } + // Minifying this page causes an issue with newlines in the textarea. This is a temporary solution. + $config['minify_html'] = false; + mod_page(_('Edit post'), 'mod/edit_post_form.html', array('token' => $security_token, 'board' => $board, 'raw' => $edit_raw_html, 'post' => $post)); } } diff --git a/templates/mod/edit_post_form.html b/templates/mod/edit_post_form.html index 146e725b..b9359c68 100644 --- a/templates/mod/edit_post_form.html +++ b/templates/mod/edit_post_form.html @@ -32,7 +32,7 @@ {% trans %}Comment{% endtrans %} - + From ab364525433a7194d050e4ec13ae08d603fdad43 Mon Sep 17 00:00:00 2001 From: czaks Date: Wed, 31 Jul 2013 19:50:25 -0400 Subject: [PATCH 3/4] fix post editing for tinyboard markup --- inc/mod/pages.php | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/inc/mod/pages.php b/inc/mod/pages.php index 2808dc56..3ff6a9b1 100644 --- a/inc/mod/pages.php +++ b/inc/mod/pages.php 
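Review bot: The `if ($config['minify_html'])` block in mod_edit_post is left holding only commented-out statements, and the line after it overwrites `$config['minify_html']` for the remainder of the request. Drop the empty block and keep just the override with its comment, or save and restore the previous value around `mod_page(...)` if anything later in the request reads the setting. The comment calls this a temporary solution; it would be more useful if it said what the permanent fix is expected to be. mod_edit_post starts outside the hunk.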
@@ -1276,7 +1276,7 @@ function mod_edit_post($board, $edit_raw_html, $postID) { if (isset($_POST['name'], $_POST['email'], $_POST['subject'], $_POST['body'])) { if ($edit_raw_html) - $query = prepare(sprintf('UPDATE `posts_%s` SET `name` = :name, `email` = :email, `subject` = :subject, `body` = :body WHERE `id` = :id', $board)); + $query = prepare(sprintf('UPDATE `posts_%s` SET `name` = :name, `email` = :email, `subject` = :subject, `body` = :body, `body_nomarkup` = :body_nomarkup WHERE `id` = :id', $board)); else $query = prepare(sprintf('UPDATE `posts_%s` SET `name` = :name, `email` = :email, `subject` = :subject, `body_nomarkup` = :body WHERE `id` = :id', $board)); $query->bindValue(':id', $postID); @@ -1284,6 +1284,10 @@ function mod_edit_post($board, $edit_raw_html, $postID) { $query->bindValue(':email', $_POST['email']); $query->bindValue(':subject', $_POST['subject']); $query->bindValue(':body', $_POST['body']); + if ($edit_raw_html) { + $body_nomarkup = '' . $_POST['body'] . ''; + $query->bindValue(':body_nomarkup', $body_nomarkup); + } $query->execute() or error(db_error($query)); if ($edit_raw_html) { From 232f4ff8680e81dbee3902c01af6c702555fbc0f Mon Sep 17 00:00:00 2001 From: czaks Date: Wed, 31 Jul 2013 20:13:19 -0400 Subject: [PATCH 4/4] markup modifiers: make it even harder to escape --- inc/functions.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/inc/functions.php b/inc/functions.php index 9e1ce1fa..403f6112 100644 --- a/inc/functions.php +++ b/inc/functions.php @@ -1604,7 +1604,7 @@ function markup(&$body, $track_cites = false) { } function escape_markup_modifiers($string) { - return preg_replace('@(.+)@m', '$2', $string); + return preg_replace('@@m', '', $string); } function utf8tohtml($utf8) {
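Review bot: `$body_nomarkup` in the hunk at -1284 is built by plain concatenation around `$_POST['body']`, and the two string literals render as empty on this page, so the wrapper itself cannot be checked here. If they are the opening and closing raw-HTML modifier tags, a body that contains the closing tag text would end the modifier early under the lazy `(.+?)` match introduced in patch 2, and the remainder would be handled as ordinary post text when the post is rebuilt. A short comment above the assignment would help, e.g. `// keep body_nomarkup in sync so a rebuild reproduces the raw HTML`, together with a statement of what the body must not contain. The statement is selected by a brace-less `if`/`else` in the hunk at -1276 while the new bind uses braces; bracing both keeps the two `$edit_raw_html` branches visibly paired.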
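Review bot: escape_markup_modifiers() has no docblock although, judging by its name and the commit subject, it is what keeps user-supplied text from being read as a modifier by markup(). The pattern and replacement literals appear stripped on this page (`'@@m'` and `''`), so the new expression cannot be checked here; what is visible is that it uses the `m` flag alone while the matching pattern in markup() uses `um`, and the two should agree on what counts as a modifier tag. I would add a docblock naming markup() as the consumer, plus a regression test asserting that text passed through this function never produces a `raw html` or `ban message` match in markup().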