File extern.php Line 251 punBB RC1.3

// Determine what type of feed to output
$type = 'html';
if (isset($_GET['type']) && is_scalar($_GET['type']))
{
    if (strtolower($_GET['type']) == 'rss')
        $type = 'rss';
    else if (strtolower($_GET['type']) == 'atom')
        $type = 'atom';
    else if (strtolower($_GET['type']) == 'xml')
        $type = 'xml';
}

I wouldn't use this method to make sure that type is valid. Instead I would check if the function 'output_'.$type exists. This way it is easier to plug in, there would be no need for a silly hook, and it would still be secure.

I am adding output methods, and the 'feed' action suits that well. At this point I have to make my own action just to add my new $types.
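A registry-based variant of the dispatch being discussed, added here as an example (not PunBB's code): extensions register their own output type, and the request is resolved against that registry only, so a user-supplied $type can never name a function that was not explicitly registered. The names register_feed_output, resolve_feed_type, $feed_handlers and the output_* functions are assumptions.

```php
<?php
// Added example, not part of extern.php. Hypothetical registry for feed output
// types; targets PHP 5.2-style code (named functions, no closures).

$feed_handlers = array();

// Extensions call this to add a type. The key is restricted to a short
// lowercase identifier and the target must be callable, so the registry can
// only ever hold handlers that were deliberately registered.
function register_feed_output($type, $callback)
{
    global $feed_handlers;
    if (!preg_match('/^[a-z0-9_]{1,16}$/', $type))
        return false;
    if (!is_callable($callback))
        return false;
    $feed_handlers[$type] = $callback;
    return true;
}

// Resolve the requested type against the registry. Unknown or non-scalar
// values fall back to the default instead of probing arbitrary function
// names with function_exists(), so request input never chooses the callee.
function resolve_feed_type($requested, $default = 'html')
{
    global $feed_handlers;
    if (!is_scalar($requested))
        return $default;
    $type = strtolower((string) $requested);
    return isset($feed_handlers[$type]) ? $type : $default;
}

// Core handlers (bodies stubbed here; real ones would render the feed).
function output_html($feed) { /* render HTML */ }
function output_rss($feed)  { /* render RSS 2.0 */ }
function output_atom($feed) { /* render Atom */ }
function output_xml($feed)  { /* render XML */ }

register_feed_output('html', 'output_html');
register_feed_output('rss',  'output_rss');
register_feed_output('atom', 'output_atom');
register_feed_output('xml',  'output_xml');

// An extension adds a new type with one call; no new action or hook needed.
function output_json($feed) { /* render JSON */ }
register_feed_output('json', 'output_json');

// Dispatch: $feed is assumed to be built earlier in extern.php.
$feed = array();
$type = resolve_feed_type(isset($_GET['type']) ? $_GET['type'] : null);
call_user_func($feed_handlers[$type], $feed);
```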

2

(151 replies, posted in PunBB 1.3 extensions)

Slavok wrote:

Johu, why do you think that using ex_start is insecure?
If you need to make a check like this (lines 81-82):

if ($forum_user['g_read_board'] == '0')
    exit($lang_common['No view']);

Just do the check in the "ex_start" hook. To add a new action, use the "ex_new_action" hook.

Well, as I said, it is usable as a workaround, but it is not good. Maybe there will be some other checks added later on?

I think I'll make a new topic about the extern file, as I find one part of it paranoid and hard to plug into.

// Edit:
http://punbb.informer.com/forums/post/116292/#p116292

3

(151 replies, posted in PunBB 1.3 extensions)

I'd like a hook at:
extern.php line 84 or 245 to add output methods, as ex_start is insecure (usable as a workaround).