From 77176faececfceceb4c35eb4bfa80a99ed76a677 Mon Sep 17 00:00:00 2001
From: czaks
Date: Thu, 5 May 2016 09:56:54 +0200
Subject: [PATCH 1/4] enable javascript in mod panel
---
 inc/functions.php | 2 +-
 inc/mod/pages.php | 4 ++--
 templates/page.html | 2 ++
 3 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/inc/functions.php b/inc/functions.php
index 462bc173..c50336ae 100755
--- a/inc/functions.php
+++ b/inc/functions.php
@@ -880,7 +880,7 @@ function displayBan($ban) {
 Element('page.html', array(
 'title' => _('Banned!'),
 'config' => $config,
- 'nojavascript' => true,
+ 'boardlist' => createBoardlist($mod),
 'body' => Element('banned.html', array(
 'config' => $config,
 'ban' => $ban,
diff --git a/inc/mod/pages.php b/inc/mod/pages.php
index 8b6f73c4..8380cfd3 100644
--- a/inc/mod/pages.php
+++ b/inc/mod/pages.php
@@ -15,7 +15,7 @@ function mod_page($title, $template, $args, $subtitle = false) {
 'hide_dashboard_link' => $template == 'mod/dashboard.html',
 'title' => $title,
 'subtitle' => $subtitle,
- 'nojavascript' => true,
+ 'boardlist' => createBoardlist($mod),
 'body' => Element($template, array_merge(
 array('config' => $config, 'mod' => $mod),
@@ -846,7 +846,7 @@ function mod_page_ip($ip) {
 $args['security_token'] = make_secure_link_token('IP/' . $ip);
- mod_page(sprintf('%s: %s', _('IP'), $ip), 'mod/view_ip.html', $args, $args['hostname']);
+ mod_page(sprintf('%s: %s', _('IP'), htmlspecialchars($ip)), 'mod/view_ip.html', $args, $args['hostname']);
 }
 function mod_ban() {
diff --git a/templates/page.html b/templates/page.html
index 13753c03..3522702f 100644
--- a/templates/page.html
+++ b/templates/page.html
@@ -9,6 +9,8 @@ {{ title }} + {{ boardlist.top }} + {% if pm %}
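Review bot: The added `'boardlist' => createBoardlist($mod),` line in displayBan reads `$mod`, but nothing in the hunk brings it into function scope; displayBan's header and any `global` statement are outside the hunk, and if the function does not declare `global $mod;` the call receives an undefined local (a notice) and builds the board list as for an anonymous visitor. The same line is added in the mod_page hunk of inc/mod/pages.php at line 15, where a `global $config, $mod;` is presumably present but likewise not visible. Please confirm both functions import `$mod`, or add `global $mod;` at the top of displayBan alongside its existing globals.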
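Review bot: Escaping `$ip` at this single mod_page_ip call site leaves every other mod_page() caller's title unescaped, and `$args['hostname']` passed as the subtitle on the same line is still raw; since mod_page (pages.php line 15 hunk) hands `$title` straight to page.html for all callers, the escape belongs in mod_page or in the template rather than here. Whether hostname needs escaping depends on how page.html renders subtitle, which is outside the hunk. Also `htmlspecialchars($ip)` with default flags leaves single quotes untouched on the PHP versions this code targets; prefer `htmlspecialchars($ip, ENT_QUOTES, 'UTF-8')` so the result is safe in attribute context too.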
You have an unread PM{% if pm.waiting > 0 %}, plus {{ pm.waiting }} more waiting{% endif %}.

{% endif %}

{{ title }}

From c4b98e94cee5cb6bf89aea8dc36253ce754c6dcd Mon Sep 17 00:00:00 2001
From: czaks
Date: Thu, 5 May 2016 10:17:14 +0200
Subject: [PATCH 2/4] [SECURITY] harden for imagetragick (we aren`t hit by the bug, but we were passing uncommon filetypes, like JPEG2000, directly to imagemagick)
---
 post.php | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/post.php b/post.php
index 5c755a3c..dc303785 100644
--- a/post.php
+++ b/post.php
@@ -639,6 +639,9 @@ if (isset($_POST['delete'])) {
 if (!$size = @getimagesize($file['tmp_name'])) {
 error($config['error']['invalidimg']);
 }
+ if (!in_array($size[2], array(IMAGETYPE_PNG, IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_BMP))) {
+ error($config['error']['invalidimg']);
+ }
 if ($size[0] > $config['max_width'] || $size[1] > $config['max_height']) {
 error($config['error']['maxsize']);
 }
From 4c827cf1059513aadf01c7f82284bc6ce4d0cd61 Mon Sep 17 00:00:00 2001
From: czaks
Date: Thu, 5 May 2016 10:22:34 +0200
Subject: [PATCH 3/4] fix some nonsense
---
 post.php | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/post.php b/post.php
index dc303785..b41b4b63 100644
--- a/post.php
+++ b/post.php
@@ -625,12 +625,14 @@ if (isset($_POST['delete'])) {
 if ($post['has_file']) {
 foreach ($post['files'] as $key => &$file) {
- if ($file['is_an_image'] && $config['ie_mime_type_detection'] !== false) {
- // Check IE MIME type detection XSS exploit
- $buffer = file_get_contents($upload, null, null, null, 255);
- if (preg_match($config['ie_mime_type_detection'], $buffer)) {
- undoImage($post);
- error($config['error']['mime_exploit']);
+ if ($file['is_an_image']) {
+ if ($config['ie_mime_type_detection'] !== false) {
+ // Check IE MIME type detection XSS exploit
+ $buffer = file_get_contents($upload, null, null, null, 255);
+ if (preg_match($config['ie_mime_type_detection'], $buffer)) {
+ undoImage($post);
+ error($config['error']['mime_exploit']);
+ }
 }
 require_once 'inc/image.php';
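Review bot: The new `in_array($size[2], array(...))` compares loosely; `$size[2]` is the integer IMAGETYPE_* code from getimagesize(), so pass the strict flag: `if (!in_array($size[2], array(IMAGETYPE_PNG, IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_BMP), true)) {`. The allowlist keys off the content-sniffed type only; `$file['extension']`, derived from the client-supplied filename (see the post.php hunk at line 437 in PATCH 4), is not compared against `$size[2]` here, so a file whose header and extension disagree is still accepted unless that is rejected elsewhere. The intent is also worth a line above the check, e.g. `// Only raster formats we expect are handed to the image backend; reject everything else before conversion.`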
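Review bot: The IE MIME check reads `$upload` while the loop iterates `$file`; nothing between the `foreach ($post['files'] as $key => &$file)` line and the check rebinds `$upload`, so unless it is reassigned per file somewhere outside the hunk, a multi-file post sniffs the same 255 bytes for every iteration and the check is effectively skipped for the other files. Reading the current file directly avoids the question, and also fixes the argument shapes (bool, context, int offset): `$buffer = file_get_contents($file['tmp_name'], false, null, 0, 255);`. The loop body continues past the hunk; since `$file` is taken by reference, please confirm it is `unset($file)` after the loop.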
From 19b70663d7e786fca0425b53eb79412fd5987255 Mon Sep 17 00:00:00 2001
From: czaks
Date: Thu, 5 May 2016 10:29:13 +0200
Subject: [PATCH 4/4] remove magic_quotes check; it`s 2016 after all
---
 mod.php | 10 ----------
 post.php | 12 +----------
 2 files changed, 1 insertion(+), 21 deletions(-)
diff --git a/mod.php b/mod.php
index 5697e2b5..c005dcb5 100644
--- a/mod.php
+++ b/mod.php
@@ -12,16 +12,6 @@ require_once 'inc/mod/auth.php';
 if ($config['debug']) $parse_start_time = microtime(true);
-// Fix for magic quotes
-if (get_magic_quotes_gpc()) {
- function strip_array($var) {
- return is_array($var) ? array_map('strip_array', $var) : stripslashes($var);
- }
- $_GET = strip_array($_GET);
- $_POST = strip_array($_POST);
-}
 $query = isset($_SERVER['QUERY_STRING']) ? rawurldecode($_SERVER['QUERY_STRING']) : '';
 $pages = array(
diff --git a/post.php b/post.php
index b41b4b63..04665177 100644
--- a/post.php
+++ b/post.php
@@ -7,16 +7,6 @@ require_once 'inc/functions.php';
 require_once 'inc/anti-bot.php';
 require_once 'inc/bans.php';
-// Fix for magic quotes
-if (get_magic_quotes_gpc()) {
- function strip_array($var) {
- return is_array($var) ? array_map('strip_array', $var) : stripslashes($var);
- }
- $_GET = strip_array($_GET);
- $_POST = strip_array($_POST);
-}
 if ((!isset($_POST['mod']) || !$_POST['mod']) && $config['board_locked']) {
 error("Board is locked");
 }
@@ -447,7 +437,7 @@ if (isset($_POST['delete'])) {
 $i = 0;
 foreach ($_FILES as $key => $file) {
 if ($file['size'] && $file['tmp_name']) {
- $file['filename'] = urldecode(get_magic_quotes_gpc() ? stripslashes($file['name']) : $file['name']);
+ $file['filename'] = urldecode($file['name']);
 $file['extension'] = strtolower(mb_substr($file['filename'], mb_strrpos($file['filename'], '.') + 1));
 if (isset($config['filename_func'])) $file['file_id'] = $config['filename_func']($file);
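Review bot: On the line after the new `urldecode($file['name'])`, `mb_strrpos($file['filename'], '.')` returns false for a name without a dot, and `false + 1` is 1, so `$file['extension']` becomes the whole filename minus its first character instead of an empty string; guard it with `$dot = mb_strrpos($file['filename'], '.');` and `$file['extension'] = $dot === false ? '' : strtolower(mb_substr($file['filename'], $dot + 1));`. Separately, the kept urldecode() means `$file['filename']` can contain characters the raw upload name did not carry literally, so anything downstream that uses it as a path component or echoes it (filename_func, the stored original name) must treat it as untrusted; those uses are outside the hunk. A short comment stating that `$file['filename']` is client-controlled and decoded would help the next reader.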