76 (edited by Visman 2021-03-17 15:35)

Re: PunBB 1.4.4

In PunbB email bbode is changed differently (Google Translate terribly translates from Russian into English, it does not correctly understand the connection of words, and this results in confusion in the end.)

https://i.ibb.co/7rzK08f/146.png
In PunBB 1.4.6, they simply removed the ability to insert other bbcodes into email bbcode. Rearranging the processing of email bbcode above does not play any role. (UPDATE: Here I was wrong. The permutation affected the display of the email bbcode if there is another bbcode inside it. )
I, in the 39th fix, encode the email which is inserted into the href attribute via the rawurlencode() function. As a result, even if there were some bbcodes, they will no longer be converted to html.

Example:

[email]%3Cscript%3Ealert%281%29%3C%2Fscript%3E@examle.com[/email]
[email]my.super.puper<>email@mail.com[/email]
[email=<b>ffff</b>@<b>ffff</b>][b]test email and bbcode[/b][/email]

[email=javascript:alert(1)]<script>alert(2)</script>[/email]
[email]<script>alert(2)</script>[/email]

-->

<a href="mailto:%3Cscript%3Ealert%281%29%3C%2Fscript%3E@examle.com">%3Cscript%3Ealert%281%29%3C%2Fscript%3E@examle.com</a><br />
<a href="mailto:my.super.puper%26lt%3B%26gt%3Bemail@mail.com">my.super.puper&lt;&gt;email@mail.com</a><br />
<a href="mailto:%26lt%3Bb%26gt%3Bffff%26lt%3B%2Fb%26gt%3B@%26lt%3Bb%26gt%3Bffff%26lt%3B%2Fb%26gt%3B"><strong>test email and bbcode</strong></a>

<a href="mailto:javascript%3Aalert%281%29">&lt;script&gt;alert(2)&lt;/script&gt;</a><br />
<a href="mailto:%26lt%3Bscript%26gt%3Balert%282%29%26lt%3B%2Fscript%26gt%3B">&lt;script&gt;alert(2)&lt;/script&gt;</a>

P.S. And I repeat once again: I have doubts about the possibility of the existence of XSS.
P.P.S. Why then url bbcode is not changed. There is a similar situation wink
P.P.P.S. If I'm not clear, Google Translate is to blame smile

ForkBB
I speak only Russian  :P

Re: PunBB 1.4.4

Hello Visman !
Is there a place to download a full pack of the latest PunBB modified by you ?

https://agora.chauvigne.info/
PunBB 1.4.6
PHP: 8.0.24
Base de données    SQLite3 3.27.2

78

Re: PunBB 1.4.4

The current variant https://github.com/MioVisman/punbb/arch … master.zip has been tested on Win7 + PHP 8.2 RC2 + mysql 5.7.24. I found no problems.

ForkBB
I speak only Russian  :P

Re: PunBB 1.4.4

Thank you Visman ! I am not sure that your version implements SQLite3 or is it only for Mysql ? Can you tell me ?

https://agora.chauvigne.info/
PunBB 1.4.6
PHP: 8.0.24
Base de données    SQLite3 3.27.2

80

Re: PunBB 1.4.4

Quickly tested installing the forum from scratch, creating a new category, creating a new partition, creating a new message on Win7 + PHP 8.2 RC2 + SQLite3 3.33.0. There are no warnings or errors.

ForkBB
I speak only Russian  :P

Re: PunBB 1.4.4

Many thanks, I try and tell you.

https://agora.chauvigne.info/
PunBB 1.4.6
PHP: 8.0.24
Base de données    SQLite3 3.27.2

Re: PunBB 1.4.4

Hello Visman !
I passed the 1.4.6 files over my present install (sqlite3), and with php8, I get a display problem on home page : each category title displaying before :

Trying to access array offset on value of type int in /homepages/1/d813290445/htdocs/forum/index.php(172) : eval()'d code on line 27

The rest of the site displays correctly.
The error disapears when I go back to php 7.4.

What should I look at ? Should I make a clean install and then manage to use my sqlite file ?

https://agora.chauvigne.info/
PunBB 1.4.6
PHP: 8.0.24
Base de données    SQLite3 3.27.2

83

Re: PunBB 1.4.4

eval()'d code on line

Extension failed. Turn them off one at a time to find the culprit.

ForkBB
I speak only Russian  :P

Re: PunBB 1.4.4

Thanks !
And the culprit is ...
pan_statistic - Статистика форума PunBB
version 0.7.5

https://agora.chauvigne.info/
PunBB 1.4.6
PHP: 8.0.24
Base de données    SQLite3 3.27.2

85

Re: PunBB 1.4.4

40. Fix for PHP 8.1
https://github.com/MioVisman/punbb/comm … 6d3a2a77ac
https://github.com/MioVisman/punbb/comm … 2af6ba15a8
https://github.com/MioVisman/punbb/comm … f802e34c82

41. Update install
https://github.com/MioVisman/punbb/comm … f0e71a9e1b
https://github.com/MioVisman/punbb/comm … 1b8f09dbdd
https://github.com/MioVisman/punbb/comm … ed5db23ab3
https://github.com/MioVisman/punbb/comm … c9bfcfea68

42. Fix db_update
https://github.com/MioVisman/punbb/comm … 76e0d2853d

43. Minor/secur updates
https://github.com/MioVisman/punbb/comm … 69a0104ace
https://github.com/MioVisman/punbb/comm … 9b0cd7525e
https://github.com/MioVisman/punbb/comm … 8af03fb5d0
https://github.com/MioVisman/punbb/comm … 08b760a9dd
https://github.com/MioVisman/punbb/comm … a3ce66ef5e
https://github.com/MioVisman/punbb/comm … 8c95dc4cba
https://github.com/MioVisman/punbb/comm … a8a8d54fb1

44. Fix for PHP 8.2
https://github.com/MioVisman/punbb/comm … 4c3ebd87e3

45. Again trying to solve the “database is locked” problem for SQLite  (Change transaction mode for multithreaded mode.)
https://github.com/MioVisman/punbb/comm … c8b1d5d659

config.php

// SQLite3 busy timeout -> after waiting for that time we get 'db is locked' error (in msec)
//define('FORUM_SQLITE3_BUSY_TIMEOUT', 10000);

// SQLite3 WAL mode has better control over concurrency. Source: https://www.sqlite.org/wal.html
//define('FORUM_SQLITE3_WAL_ON', 1);

replace to or add

// SQLite3 busy timeout -> after waiting for that time we get 'db is locked' error (in msec)
define('FORUM_SQLITE3_BUSY_TIMEOUT', 5000);

// SQLite3 WAL mode has better control over concurrency. Source: https://www.sqlite.org/wal.html
define('FORUM_SQLITE3_WAL_ON', 1);
ForkBB
I speak only Russian  :P

86

Re: PunBB 1.4.4

46. Optimize the sef_friendly() function

1. Removed mb_convert_encoding() (this is an encoding conversion, not a character conversion) and utf8_decode() (inferior to the initial conversion strtr($str, $lang_url_replace)). There is no point in using them.
2. The transliterator will be called only if a character not belonging to the basic Latin is found in the string.
3. The transliterator_transliterate() function has been replaced with creating a transliterator, since this function creates a new transliterator each time, which on some systems (probably where there are old ICU libraries) can significantly slow down the script ( https://forkbb.ru/post/286#p286 )

https://github.com/MioVisman/punbb/comm … 276dfa7519

ForkBB
I speak only Russian  :P