File extern.php Line 251 punBB RC1.3

// Determine what type of feed to output
    $type = 'html';
    if (isset($_GET['type']) && is_scalar($_GET['type']))
        if (strtolower($_GET['type']) == 'rss')
            $type = 'rss';
        else if (strtolower($_GET['type']) == 'atom')
            $type = 'atom';
        else if (strtolower($_GET['type']) == 'xml')
            $type = 'xml';

I wouldn't use this method to make sure that type is valid. Instead I would check if function 'output'.$type exists. This way it is easier to plugin and there would be no need for silly hook and it would still be secure.

I am adding output methods while 'feed' action suits well. At this point I have to make my own action just to add my new $type's.


(151 replies, posted in PunBB 1.3 extensions)

Slavok wrote:

Johu, why you think that usage ex_start in insecure?
If you need to make checking like this (Line 81-82):

if ($forum_user['g_read_board'] == '0')
    exit($lang_common['No view']);

Just do it (checking) in hook "ex_start". To add new action use hook "ex_new_action"

well as I told it is usable as a workaround but it is not good. Maybe there will be some other checks added later on?

I think I'll make a new topic about extern file as I find one part of it paranoid and hard to plugin.

// Edit:


(151 replies, posted in PunBB 1.3 extensions)

I'd like a hook at:
extern.php line 84 or 245 to add output methods as ex_start is insecure (usable as workaround).