Fixed major security bug and image deleting

This commit is contained in:
Savetheinternet 2011-01-01 22:12:31 +11:00
parent 2179b03980
commit e401668732
5 changed files with 64 additions and 31 deletions

View File

@ -99,6 +99,8 @@
*/
define('ALLOW_ZIP', false, true);
define('ZIP_IMAGE', 'static/zip.png', true);
define('DELETED_IMAGE', 'static/deleted.png', true);
/**
Redraw the image using GD functions to strip any excess data (commonly ZIP archives)
@ -131,6 +133,7 @@
define('POST_URL', ROOT . 'post.php', true);
define('FILE_INDEX', 'index.html', true);
define('FILE_PAGE', '%d.html', true);
define('FILE_MOD', 'mod.php', true);
// Multi-board (%s is board abbreviation)
define('BOARD_PATH', '%s/', true);
@ -232,6 +235,9 @@
'|' .
str_replace('%s', '\w{1,8}', preg_quote(BOARD_PATH, '/')) .
str_replace('%d', '\d+', preg_quote(FILE_PAGE, '/')) .
'|' .
preg_quote(FILE_MOD, '/') .
'\?\/.+' .
')$/i', true);
if(ROOT_FILE) {

View File

@ -49,7 +49,7 @@
}
class Post {
public function __construct($id, $thread, $subject, $email, $name, $trip, $body, $time, $thumb, $thumbx, $thumby, $file, $filex, $filey, $filesize, $filename, $ip, $root=ROOT) {
public function __construct($id, $thread, $subject, $email, $name, $trip, $body, $time, $thumb, $thumbx, $thumby, $file, $filex, $filey, $filesize, $filename, $ip, $root=ROOT, $mod=false) {
$this->id = $id;
$this->thread = $thread;
$this->subject = utf8tohtml($subject);
@ -68,34 +68,33 @@
$this->filename = $filename;
$this->ip = $ip;
$this->root = $root;
$this->mod = $mod;
}
public function postControls() {
global $mod;
$built = '';
if($mod) {
if($this->mod) {
// Mod controls (on posts)
$built .= '<span class="controls">';
// Delete
if($mod['type'] >= MOD_DELETE)
if($this->mod['type'] >= MOD_DELETE)
$built .= ' <a title="Delete" href="?/b/delete/' . $this->id . '">' . MOD_LINK_DELETE . '</a>';
// Delete all posts by IP
if($mod['type'] >= MOD_DELETEBYIP)
if($this->mod['type'] >= MOD_DELETEBYIP)
$built .= ' <a title="Delete all posts by IP" href="?/b/deletebyip/' . $this->id . '">' . MOD_LINK_DELETEBYIP . '</a>';
// Ban
if($mod['type'] >= MOD_BAN)
if($this->mod['type'] >= MOD_BAN)
$built .= ' <a title="Ban" href="?/b/ban/' . $this->id . '">' . MOD_LINK_BAN . '</a>';
// Ban & Delete
if($mod['type'] >= MOD_BANDELETE)
if($this->mod['type'] >= MOD_BANDELETE)
$built .= ' <a title="Ban & Delete" href="?/b/ban&amp;delete/' . $this->id . '">' . MOD_LINK_BANDELETE . '</a>';
// Delete file (keep post)
if(!empty($this->file) && $mod['type'] >= MOD_DELETEFILE)
$built .= ' <a title="Remove file" href="?/b/file/' . $this->id . '">' . MOD_LINK_DELETEFILE . '</a>';
if(!empty($this->file) && $this->mod['type'] >= MOD_DELETEFILE)
$built .= ' <a title="Remove file" href="?/b/deletefile/' . $this->id . '">' . MOD_LINK_DELETEFILE . '</a>';
$built .= '</span>';
}
@ -103,7 +102,7 @@
}
public function build($index=false) {
global $board, $mod;
global $board;
$built = '<div class="post reply"' . (!$index?' id="reply_' . $this->id . '"':'') . '>' .
'<p class="intro"' . (!$index?' id="' . $this->id . '"':'') . '>';
@ -120,7 +119,7 @@
. (!empty($this->trip) ? ' <span class="trip">'.$this->trip.'</span>':'');
// IP Address
if($mod && $mod['type'] >= MOD_SHOW_IP) {
if($this->mod && $this->mod['type'] >= MOD_SHOW_IP) {
$built .= ' [<a style="margin:0;" href="?/IP/' . $this->ip . '">' . $this->ip . '</a>]';
}
@ -140,7 +139,7 @@
'</p>';
// File info
if(!empty($this->file)) {
if(!empty($this->file) && $this->file != 'deleted') {
$built .= '<p class="fileinfo">File: <a href="' . ROOT . $board['dir'] . DIR_IMG . $this->file .'">' . $this->file . '</a> <span class="unimportant">(' .
// Filesize
format_bytes($this->filesize) . ', ' .
@ -156,6 +155,8 @@
// Thumbnail
'<a href="' . ROOT . $board['dir'] . DIR_IMG . $this->file.'"><img src="' . ROOT . $board['dir'] . DIR_THUMB . $this->thumb.'" style="width:'.$this->thumbx.'px;height:'.$this->thumby.'px;" /></a>';
} elseif($this->file == 'deleted') {
$built .= '<img src="' . ROOT . DELETED_IMAGE . '" />';
}
$built .= $this->postControls();
@ -169,7 +170,7 @@
class Thread {
public $omitted = 0;
public function __construct($id, $subject, $email, $name, $trip, $body, $time, $thumb, $thumbx, $thumby, $file, $filex, $filey, $filesize, $filename, $ip, $sticky, $root=ROOT) {
public function __construct($id, $subject, $email, $name, $trip, $body, $time, $thumb, $thumbx, $thumby, $file, $filex, $filey, $filesize, $filename, $ip, $sticky, $root=ROOT, $mod=false) {
$this->id = $id;
$this->subject = utf8tohtml($subject);
$this->email = $email;
@ -190,36 +191,35 @@
$this->ip = $ip;
$this->sticky = $sticky;
$this->root = $root;
$this->mod = $mod;
}
public function add(Post $post) {
$this->posts[] = $post;
}
public function postControls() {
global $mod;
public function postControls() {
$built = '';
if($mod) {
if($this->mod) {
// Mod controls (on posts)
$built .= '<span class="controls op">';
// Delete
if($mod['type'] >= MOD_DELETE)
if($this->mod['type'] >= MOD_DELETE)
$built .= ' <a title="Delete" href="?/b/delete/' . $this->id . '">' . MOD_LINK_DELETE . '</a>';
// Delete all posts by IP
if($mod['type'] >= MOD_DELETEBYIP)
if($this->mod['type'] >= MOD_DELETEBYIP)
$built .= ' <a title="Delete all posts by IP" href="?/b/deletebyip/' . $this->id . '">' . MOD_LINK_DELETEBYIP . '</a>';
// Ban
if($mod['type'] >= MOD_BAN)
if($this->mod['type'] >= MOD_BAN)
$built .= ' <a title="Ban" href="?/b/ban/' . $this->id . '">' . MOD_LINK_BAN . '</a>';
// Ban & Delete
if($mod['type'] >= MOD_BANDELETE)
if($this->mod['type'] >= MOD_BANDELETE)
$built .= ' <a title="Ban & Delete" href="?/b/ban&amp;delete/' . $this->id . '">' . MOD_LINK_BANDELETE . '</a>';
// Delete file (keep post)
if($mod['type'] >= MOD_STICKY)
if($this->mod['type'] >= MOD_STICKY)
if($this->sticky)
$built .= ' <a title="Make thread not sticky" href="?/b/unsticky/' . $this->id . '">' . MOD_LINK_DESTICKY . '</a>';
else
@ -231,7 +231,7 @@
}
public function build($index=false) {
global $board, $mod;
global $board;
$built = '<p class="fileinfo">File: <a href="' . ROOT . $board['dir'] . DIR_IMG . $this->file .'">' . $this->file . '</a> <span class="unimportant">(' .
// Filesize
@ -262,7 +262,7 @@
. (!empty($this->trip) ? ' <span class="trip">'.$this->trip.'</span>':'');
// IP Address
if($mod && $mod['type'] >= MOD_SHOW_IP) {
if($this->mod && $this->mod['type'] >= MOD_SHOW_IP) {
$built .= ' [<a style="margin:0;" href="?/IP/' . $this->ip . '">' . $this->ip . '</a>]';
}

View File

@ -131,7 +131,7 @@
if($query->rowcount() < 1 && $page > 1) return false;
while($th = $query->fetch()) {
$thread = new Thread($th['id'], $th['subject'], $th['email'], $th['name'], $th['trip'], $th['body'], $th['time'], $th['thumb'], $th['thumbwidth'], $th['thumbheight'], $th['file'], $th['filewidth'], $th['fileheight'], $th['filesize'], $th['filename'], $th['ip'], $th['sticky'], $mod ? '?/' : ROOT);
$thread = new Thread($th['id'], $th['subject'], $th['email'], $th['name'], $th['trip'], $th['body'], $th['time'], $th['thumb'], $th['thumbwidth'], $th['thumbheight'], $th['file'], $th['filewidth'], $th['fileheight'], $th['filesize'], $th['filename'], $th['ip'], $th['sticky'], $mod ? '?/' : ROOT, $mod);
$posts = prepare(sprintf("SELECT `id`, `subject`, `email`, `name`, `trip`, `body`, `time`, `thumb`, `thumbwidth`, `thumbheight`, `file`, `filewidth`, `fileheight`, `filesize`, `filename`,`ip` FROM `posts_%s` WHERE `thread` = ? ORDER BY `time` DESC LIMIT ?", $board['uri']));
$posts->bindValue(1, $th['id']);
@ -151,7 +151,7 @@
}
while($po = $posts->fetch()) {
$thread->add(new Post($po['id'], $th['id'], $po['subject'], $po['email'], $po['name'], $po['trip'], $po['body'], $po['time'], $po['thumb'], $po['thumbwidth'], $po['thumbheight'], $po['file'], $po['filewidth'], $po['fileheight'], $po['filesize'], $po['filename'], $po['ip'], $mod ? '?/' : ROOT));
$thread->add(new Post($po['id'], $th['id'], $po['subject'], $po['email'], $po['name'], $po['trip'], $po['body'], $po['time'], $po['thumb'], $po['thumbwidth'], $po['thumbheight'], $po['file'], $po['filewidth'], $po['fileheight'], $po['filesize'], $po['filename'], $po['ip'], $mod ? '?/' : ROOT, $mod));
}
$thread->posts = array_reverse($thread->posts);
@ -319,9 +319,9 @@
while($post = $query->fetch()) {
if(!isset($thread)) {
$thread = new Thread($post['id'], $post['subject'], $post['email'], $post['name'], $post['trip'], $post['body'], $post['time'], $post['thumb'], $post['thumbwidth'], $post['thumbheight'], $post['file'], $post['filewidth'], $post['fileheight'], $post['filesize'], $post['filename'], $post['ip'], $post['sticky'], $mod ? '?/' : ROOT);
$thread = new Thread($post['id'], $post['subject'], $post['email'], $post['name'], $post['trip'], $post['body'], $post['time'], $post['thumb'], $post['thumbwidth'], $post['thumbheight'], $post['file'], $post['filewidth'], $post['fileheight'], $post['filesize'], $post['filename'], $post['ip'], $post['sticky'], $mod ? '?/' : ROOT, $mod);
} else {
$thread->add(new Post($post['id'], $thread->id, $post['subject'], $post['email'], $post['name'], $post['trip'], $post['body'], $post['time'], $post['thumb'], $post['thumbwidth'], $post['thumbheight'], $post['file'], $post['filewidth'], $post['fileheight'], $post['filesize'], $post['filename'], $post['ip'], $mod ? '?/' : ROOT));
$thread->add(new Post($post['id'], $thread->id, $post['subject'], $post['email'], $post['name'], $post['trip'], $post['body'], $post['time'], $post['thumb'], $post['thumbwidth'], $post['thumbheight'], $post['file'], $post['filewidth'], $post['fileheight'], $post['filesize'], $post['filename'], $post['ip'], $mod ? '?/' : ROOT, $mod));
}
}

View File

@ -159,7 +159,12 @@
// Delete file
@unlink($board['dir'] . DIR_IMG . $post['file']);
// Update database
$query = prepare(sprintf("UPDATE `posts_%s` SET `thumb` = NULL, `thumbwidth` = NULL, `thumbheight` = NULL, `filewidth` = NULL, `fileheight` = NULL, `filesize` = NULL, `filename` = NULL, `filehash` = NULL, `file` = 'deleted' WHERE `id` = :id OR `thread` = :id", $board['uri']));
$query->bindValue(':id', $id, PDO::PARAM_INT);
$query->execute() or error(db_error($query));
buildThread($post['thread']);
}
// Delete a post (reply or thread)

26
mod.php
View File

@ -219,7 +219,7 @@
if(!openBoard($boardName))
error(ERROR_NOBOARD);
if(!$page = index(empty($matches[2]) || $matches[2] == FILE_INDEX ? 1 : $matches[2], true)) {
if(!$page = index(empty($matches[2]) || $matches[2] == FILE_INDEX ? 1 : $matches[2], $mod)) {
error(ERROR_404);
}
$page['pages'] = getPages(true);
@ -235,9 +235,31 @@
if(!openBoard($boardName))
error(ERROR_NOBOARD);
$page = buildThread($thread, true, true);
$page = buildThread($thread, true, $mod);
echo $page;
} elseif(preg_match('/^\/' . $regex['board'] . 'deletefile\/(\d+)$/', $query, $matches)) {
if($mod['type'] < MOD_DELETEFILE) error(ERROR_NOACCESS);
// Delete file from post
$boardName = $matches[1];
$post = $matches[2];
// Open board
if(!openBoard($boardName))
error(ERROR_NOBOARD);
// Delete post
deleteFile($post);
// Rebuild board
buildIndex();
// Redirect
if(isset($_SERVER['HTTP_REFERER']))
header('Location: ' . $_SERVER['HTTP_REFERER'], true, REDIRECT_HTTP);
else
header('Location: ?/' . sprintf(BOARD_PATH, $boardName) . FILE_INDEX, true, REDIRECT_HTTP);
} elseif(preg_match('/^\/' . $regex['board'] . 'delete\/(\d+)$/', $query, $matches)) {
if($mod['type'] < MOD_DELETE) error(ERROR_NOACCESS);
// Delete post