@@ -449,7 +449,7 @@
@@ -491,7 +491,7 @@
if ($fid): ?>
+
- :
- :
diff -urN punbb-1.2.6/upload/profile.php punbb-1.2.17/upload/profile.php
--- punbb-1.2.6/upload/profile.php 2005-07-07 22:53:17.000000000 +0200
+++ punbb-1.2.17/upload/profile.php 2007-11-19 00:14:16.000000000 +0100
@@ -87,6 +87,9 @@
if (isset($_POST['form_sent']))
{
+ if ($pun_user['g_id'] < PUN_GUEST)
+ confirm_referrer('profile.php');
+
$old_password = isset($_POST['req_old_password']) ? trim($_POST['req_old_password']) : '';
$new_password1 = trim($_POST['req_new_password1']);
$new_password2 = trim($_POST['req_new_password2']);
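Review bot: The `confirm_referrer('profile.php')` guard added at the top of the `form_sent` branch only runs when `$pun_user['g_id'] < PUN_GUEST`, so ordinary members get no referrer check on a password change. If the intent is that members are covered by the old-password verification instead (L16 reads `req_old_password` as optional, and the check on it presumably follows), a comment should make that split explicit, e.g. `// Groups that may reset a password without the old one are protected by the referrer check instead`. The `if` body continues past the end of the hunk, so the old-password verification itself is not visible here.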
@@ -190,7 +193,7 @@
$result = $db->query('SELECT activate_string, activate_key FROM '.$db->prefix.'users WHERE id='.$id) or error('Unable to fetch activation data', __FILE__, __LINE__, $db->error());
list($new_email, $new_email_key) = $db->fetch_row($result);
- if ($key != $new_email_key)
+ if ($key == '' || $key != $new_email_key)
message($lang_profile['E-mail key bad'].' '.$pun_config['o_admin_email'].'.');
else
{
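Review bot: `$key != $new_email_key` on the changed line is still a loose comparison, so two numeric-looking keys compare as numbers (`'1e3' == '1000'`); write it as `if ($key === '' || $key !== $new_email_key)` so only a byte-identical key passes. The added empty check is the important part of the change: it stops a request carrying no key from matching a user whose `activate_key` is NULL or empty. Where `$key` is read from is outside the hunk, so confirm it is a string before it reaches this comparison.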
@@ -201,6 +204,9 @@
}
else if (isset($_POST['form_sent']))
{
+ if (pun_hash($_POST['req_password']) !== $pun_user['password'])
+ message($lang_profile['Wrong pass']);
+
require PUN_ROOT.'include/email.php';
// Validate the email-address
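Review bot: `pun_hash($_POST['req_password'])` on the added line reads the field without an `isset()` check, so a POST that omits it raises a notice before `message()` runs; `'req_password'` is added to `$required_fields` in the hunk at L36–L42, but that list presumably only drives client-side validation. Read it defensively: `$password = isset($_POST['req_password']) ? $_POST['req_password'] : '';` then `if (pun_hash($password) !== $pun_user['password'])`. The strict `!==` is the right comparison for the hashes. The `else if` body continues beyond the hunk.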
@@ -264,7 +270,7 @@
}
$page_title = pun_htmlspecialchars($pun_config['o_board_title']).' / '.$lang_common['Profile'];
- $required_fields = array('req_new_email' => $lang_profile['New e-mail']);
+ $required_fields = array('req_new_email' => $lang_profile['New e-mail'], 'req_password' => $lang_common['Password']);
$focus_element = array('change_email', 'req_new_email');
require PUN_ROOT.'header.php';
@@ -279,6 +285,7 @@
@@ -362,12 +369,17 @@
message($lang_profile['Move failed'].' '.$pun_config['o_admin_email'].'.');
// Now check the width/height
- list($width, $height, ,) = getimagesize($pun_config['o_avatars_dir'].'/'.$id.'.tmp');
+ list($width, $height, $type,) = getimagesize($pun_config['o_avatars_dir'].'/'.$id.'.tmp');
if (empty($width) || empty($height) || $width > $pun_config['o_avatars_width'] || $height > $pun_config['o_avatars_height'])
{
@unlink($pun_config['o_avatars_dir'].'/'.$id.'.tmp');
message($lang_profile['Too wide or high'].' '.$pun_config['o_avatars_width'].'x'.$pun_config['o_avatars_height'].' '.$lang_profile['pixels'].'.');
}
+ else if ($type == 1 && $uploaded_file['type'] != 'image/gif') // Prevent dodgy uploads
+ {
+ @unlink($pun_config['o_avatars_dir'].'/'.$id.'.tmp');
+ message($lang_profile['Bad type']);
+ }
// Delete any old avatars and put the new one in place
@unlink($pun_config['o_avatars_dir'].'/'.$id.$extensions[0]);
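Review bot: The new `else if` only rejects a GIF-encoded file (`$type == 1`) whose declared `$uploaded_file['type']` is not `image/gif`, and `$uploaded_file['type']` is whatever the browser sent, so the check trusts the untrusted side of the comparison and leaves JPEG/PNG mismatches unexamined. Since `getimagesize()` now yields the real `$type`, the sturdier form is to derive the stored extension from `$type` (1→gif, 2→jpg, 3→png) and reject anything else, rather than cross-checking the client MIME header. How `$extensions` and the final filename are chosen is outside the hunk, so that may touch the lines that follow. At minimum `// Prevent dodgy uploads` should say what is prevented, e.g. `// Reject files whose real encoding (from getimagesize) contradicts the declared MIME type`.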
@@ -710,6 +722,14 @@
message($lang_common['Invalid e-mail']);
}
+ // Make sure we got a valid language string
+ if (isset($form['language']))
+ {
+ $form['language'] = preg_replace('#[\.\\\/]#', '', $form['language']);
+ if (!file_exists(PUN_ROOT.'lang/'.$form['language'].'/common.php'))
+ message($lang_common['Bad request']);
+ }
+
break;
}
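Review bot: The language check added here is duplicated verbatim in register.php (hunk at L103–L124): the same `preg_replace('#[\.\\\/]#', '', ...)` followed by the same `file_exists(PUN_ROOT.'lang/'.…'/common.php')` test. Pull it into one shared helper so both paths reject the same inputs and a future fix lands in one place. Stripping `.`, `\` and `/` and then requiring the directory to exist under `lang/` is effectively an allow-list, and a comment should say that the `file_exists` test is the real guard, e.g. `// Only an existing lang/<name>/common.php is accepted; the replace just strips path separators first`. Note the rewritten value is written back into `$form['language']`, so a name containing those characters is silently altered rather than rejected.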
@@ -735,7 +755,7 @@
}
// Add http:// if the URL doesn't contain it already
- if ($form['url'] != '' && !stristr($form['url'], 'http://'))
+ if ($form['url'] != '' && strpos(strtolower($form['url']), 'http://') !== 0)
$form['url'] = 'http://'.$form['url'];
break;
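Review bot: `strpos(strtolower($form['url']), 'http://') !== 0` on the new line treats `https://example.org` as scheme-less, so the stored URL becomes `http://https://example.org`; the old `stristr` test had the same blind spot, and the rewrite is the moment to close it. Use `!preg_match('#^https?://#i', $form['url'])` (or test both prefixes) so only values without a scheme get the prefix. Whether other schemes are meant to be allowed is not visible here.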
@@ -746,7 +766,7 @@
$form = extract_elements(array('jabber', 'icq', 'msn', 'aim', 'yahoo'));
// If the ICQ UIN contains anything other than digits it's invalid
- if ($form['icq'] != '' && preg_match('/[^0-9]/', $form['icq']))
+ if ($form['icq'] != '' && @preg_match('/[^0-9]/', $form['icq']))
message($lang_prof_reg['Bad ICQ']);
break;
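Review bot: Adding `@` in front of `preg_match` on the changed line hides whatever warning motivated it instead of handling the cause; with a fixed pattern the only plausible warning is a non-string argument (e.g. `icq[]=1` arriving as an array), and with `@` a false return makes the condition fail so the array passes through unvalidated. Check the type explicitly: `if ($form['icq'] != '' && (!is_string($form['icq']) || preg_match('/[^0-9]/', $form['icq'])))`. What `extract_elements()` returns for array-valued fields is outside the hunk, so the cause of the warning is inferred.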
diff -urN punbb-1.2.6/upload/register.php punbb-1.2.17/upload/register.php
--- punbb-1.2.6/upload/register.php 2005-07-07 22:53:17.000000000 +0200
+++ punbb-1.2.17/upload/register.php 2007-01-14 23:58:16.000000000 +0100
@@ -79,6 +79,13 @@
else if (isset($_POST['form_sent']))
{
+ // Check that someone from this IP didn't register a user within the last hour (DoS prevention)
+ $result = $db->query('SELECT 1 FROM '.$db->prefix.'users WHERE registration_ip=\''.get_remote_address().'\' AND registered>'.(time() - 3600)) or error('Unable to fetch user info', __FILE__, __LINE__, $db->error());
+
+ if ($db->num_rows($result))
+ message('A new user was registered with the same IP address as you within the last hour. To prevent registration flooding, at least an hour has to pass between registrations from the same IP. Sorry for the inconvenience.');
+
+
$username = pun_trim($_POST['req_username']);
$email1 = strtolower(trim($_POST['req_email1']));
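Review bot: The value from `get_remote_address()` is concatenated into the added query inside quotes but without `$db->escape()`; if it is plain `$_SERVER['REMOTE_ADDR']` it is server-supplied, but escaping costs nothing and keeps the query safe should the helper ever honour a forwarded-for header, i.e. `registration_ip=\''.$db->escape(get_remote_address()).'\''`. The refusal text is a hard-coded English literal, unlike every other `message()` call in this patch, which reads from a `$lang_*` array; move it into the register language file. The 3600-second window also locks out every user behind a shared NAT or proxy for an hour after one signup, which deserves a comment or a config setting rather than a bare constant.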
@@ -166,12 +173,21 @@
$dupe_list[] = $cur_dupe['username'];
}
- $timezone = intval($_POST['timezone']);
- $language = isset($_POST['language']) ? $_POST['language'] : $pun_config['o_default_lang'];
+ // Make sure we got a valid language string
+ if (isset($_POST['language']))
+ {
+ $language = preg_replace('#[\.\\\/]#', '', $_POST['language']);
+ if (!file_exists(PUN_ROOT.'lang/'.$language.'/common.php'))
+ message($lang_common['Bad request']);
+ }
+ else
+ $language = $pun_config['o_default_lang'];
+
+ $timezone = round($_POST['timezone'], 1);
$save_pass = (!isset($_POST['save_pass']) || $_POST['save_pass'] != '1') ? '0' : '1';
$email_setting = intval($_POST['email_setting']);
- if ($email_setting < 0 && $email_setting > 2) $email_setting = 1;
+ if ($email_setting < 0 || $email_setting > 2) $email_setting = 1;
// Insert the new user into the database. We do this now to get the last inserted id for later use.
$now = time();
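Review bot: `round($_POST['timezone'], 1)` on the new line reads the field with no `isset()` and no range check, so a missing field raises a notice and any float (e.g. `99999`) is accepted, whereas the old `intval()` at least pinned the type. Coerce and bound it: `$timezone = isset($_POST['timezone']) ? round(floatval($_POST['timezone']), 1) : 0;` followed by a check against the offsets the form actually offers (not visible here). The `&&`→`||` correction for `$email_setting` is right.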
diff -urN punbb-1.2.6/upload/search.php punbb-1.2.17/upload/search.php
--- punbb-1.2.6/upload/search.php 2005-07-07 22:53:16.000000000 +0200
+++ punbb-1.2.17/upload/search.php 2008-02-08 02:29:45.000000000 +0100
@@ -51,6 +51,7 @@
$action = (isset($_GET['action'])) ? $_GET['action'] : null;
$forum = (isset($_GET['forum'])) ? intval($_GET['forum']) : -1;
$sort_dir = (isset($_GET['sort_dir'])) ? (($_GET['sort_dir'] == 'DESC') ? 'DESC' : 'ASC') : 'DESC';
+ if (isset($search_id)) unset($search_id);
// If a search_id was supplied
if (isset($_GET['search_id']))
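Review bot: `if (isset($search_id)) unset($search_id);` on the added line has no comment explaining why a variable is cleared before anything here assigns it; presumably it discards a value injected through `register_globals` (a `?search_id=` parameter would otherwise pre-populate it) so that the `isset($_GET['search_id'])` branch below is the only way it gets set. Say so: `// Discard any register_globals-injected $search_id; it must only come from $_GET below`. The `isset()` wrapper is redundant since `unset()` on an undefined variable is a no-op, so `unset($search_id);` alone suffices.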
@@ -121,7 +122,7 @@
$keyword_results = $author_results = array();
// Search a specific forum?
- $forum_sql = ($forum != -1) ? ' AND t.forum_id = '.$forum : '';
+ $forum_sql = ($forum != -1 || ($forum == -1 && $pun_config['o_search_all_forums'] == '0' && $pun_user['g_id'] >= PUN_GUEST)) ? ' AND t.forum_id = '.$forum : '';
if (!empty($author) || !empty($keywords))
{
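Review bot: The new condition `$forum != -1 || ($forum == -1 && ...)` repeats the `$forum == -1` test inside the second operand, where it is already implied by the first operand being false; `($forum != -1 || ($pun_config['o_search_all_forums'] == '0' && $pun_user['g_id'] >= PUN_GUEST))` reads the same. When all-forum search is disabled for the user's group the effect is to emit ` AND t.forum_id = -1`, a query that matches nothing, which is a surprising way to express a denial; a comment such as `// Non-privileged groups may not search all forums; forcing forum_id=-1 yields an empty result` would keep the next reader from "fixing" it. `$forum` is `intval()`ed at L130, so the interpolation itself is safe.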
@@ -159,7 +160,7 @@
{
$num_chars = pun_strlen($word);
- if ($num_chars < 3 || $num_chars > 20 || in_array($word, $stopwords))
+ if ($word !== 'or' && ($num_chars < 3 || $num_chars > 20 || in_array($word, $stopwords)))
unset($keywords_array[$i]);
}
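Review bot: The `$word !== 'or'` exemption on the changed line is an unexplained literal; it presumably keeps the boolean search operator from being discarded by the length/stopword filter so the loop starting at L150 can interpret it. Add `// Keep the 'or' operator even though it is shorter than 3 chars and may be a stopword` beside it. The test is case-sensitive, so `OR` is still dropped unless the keywords were lowercased before this loop, which is not visible here; `in_array($word, $stopwords)` should also pass `true` as its third argument to avoid loose matching.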
@@ -169,6 +170,7 @@
$word_count = 0;
$match_type = 'and';
+ $result_list = array();
@reset($keywords_array);
while (list(, $cur_word) = @each($keywords_array))
{
@@ -197,7 +199,7 @@
}
else
{
- $cur_word = str_replace('*', '%', $cur_word);
+ $cur_word = $db->escape(str_replace('*', '%', $cur_word));
$sql = 'SELECT m.post_id FROM '.$db->prefix.'search_words AS w INNER JOIN '.$db->prefix.'search_matches AS m ON m.word_id = w.id WHERE w.word LIKE \''.$cur_word.'\''.$search_in_cond;
}
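Review bot: `$db->escape()` on the changed line closes the quoting hole in the `LIKE` clause, but it only neutralises quote characters: a user-supplied `_` still acts as a single-character wildcard and `%` is already mapped from `*`, so the intended pattern semantics deserve a comment, e.g. `// escape() protects the quoting; '*' is the only wildcard exposed on purpose, '_' also passes through`. The companion `if` branch above this hunk builds its own query and is not visible here; confirm it escapes `$cur_word` the same way.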
@@ -324,7 +326,7 @@
if ($pun_user['is_guest'])
message($lang_common['No permission']);
- $result = $db->query('SELECT t.id FROM '.$db->prefix.'topics AS t INNER JOIN '.$db->prefix.'forums AS f ON f.id=t.forum_id LEFT JOIN '.$db->prefix.'forum_perms AS fp ON (fp.forum_id=f.id AND fp.group_id='.$pun_user['g_id'].') WHERE (fp.read_forum IS NULL OR fp.read_forum=1) AND t.last_post>'.$pun_user['last_visit']) or error('Unable to fetch topic list', __FILE__, __LINE__, $db->error());
+ $result = $db->query('SELECT t.id FROM '.$db->prefix.'topics AS t INNER JOIN '.$db->prefix.'forums AS f ON f.id=t.forum_id LEFT JOIN '.$db->prefix.'forum_perms AS fp ON (fp.forum_id=f.id AND fp.group_id='.$pun_user['g_id'].') WHERE (fp.read_forum IS NULL OR fp.read_forum=1) AND t.last_post>'.$pun_user['last_visit'].' AND t.moved_to IS NULL') or error('Unable to fetch topic list', __FILE__, __LINE__, $db->error());
$num_hits = $db->num_rows($result);
if (!$num_hits)
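Review bot: The query on the new line and the one in the next hunk (L176) are identical apart from the `t.last_post>` threshold, and this commit had to patch `AND t.moved_to IS NULL` into both; build the shared `FROM … WHERE` text once and append the threshold per branch so the two cannot drift again. `$pun_user['g_id']` and `$pun_user['last_visit']` are interpolated without `intval()`, which is fine only while both are loaded from the users row rather than from anything client-controlled; a comment noting that assumption would help.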
@@ -333,7 +335,7 @@
// If it's a search for todays posts
else if ($action == 'show_24h')
{
- $result = $db->query('SELECT t.id FROM '.$db->prefix.'topics AS t INNER JOIN '.$db->prefix.'forums AS f ON f.id=t.forum_id LEFT JOIN '.$db->prefix.'forum_perms AS fp ON (fp.forum_id=f.id AND fp.group_id='.$pun_user['g_id'].') WHERE (fp.read_forum IS NULL OR fp.read_forum=1) AND t.last_post>'.(time() - 86400)) or error('Unable to fetch topic list', __FILE__, __LINE__, $db->error());
+ $result = $db->query('SELECT t.id FROM '.$db->prefix.'topics AS t INNER JOIN '.$db->prefix.'forums AS f ON f.id=t.forum_id LEFT JOIN '.$db->prefix.'forum_perms AS fp ON (fp.forum_id=f.id AND fp.group_id='.$pun_user['g_id'].') WHERE (fp.read_forum IS NULL OR fp.read_forum=1) AND t.last_post>'.(time() - 86400).' AND t.moved_to IS NULL') or error('Unable to fetch topic list', __FILE__, __LINE__, $db->error());
$num_hits = $db->num_rows($result);
if (!$num_hits)
@@ -386,6 +388,7 @@
// Prune "old" search results
+ $old_searches = array();
$result = $db->query('SELECT ident FROM '.$db->prefix.'online') or error('Unable to fetch online list', __FILE__, __LINE__, $db->error());
if ($db->num_rows($result))
@@ -427,7 +430,6 @@
// Fetch results to display
if ($search_results != '')
{
- $group_by_sql = '';
switch ($sort_by)
{
case 1:
@@ -447,14 +449,8 @@
break;
default:
- {
$sort_by_sql = ($show_as == 'topics') ? 't.posted' : 'p.posted';
-
- if ($show_as == 'topics')
- $group_by_sql = ', t.posted';
-
break;
- }
}
if ($show_as == 'posts')
@@ -463,7 +459,7 @@
$sql = 'SELECT p.id AS pid, p.poster AS pposter, p.posted AS pposted, p.poster_id, '.$substr_sql.'(p.message, 1, 1000) AS message, t.id AS tid, t.poster, t.subject, t.last_post, t.last_post_id, t.last_poster, t.num_replies, t.forum_id FROM '.$db->prefix.'posts AS p INNER JOIN '.$db->prefix.'topics AS t ON t.id=p.topic_id WHERE p.id IN('.$search_results.') ORDER BY '.$sort_by_sql;
}
else
- $sql = 'SELECT t.id AS tid, t.poster, t.subject, t.last_post, t.last_post_id, t.last_poster, t.num_replies, t.closed, t.forum_id FROM '.$db->prefix.'posts AS p INNER JOIN '.$db->prefix.'topics AS t ON t.id=p.topic_id WHERE t.id IN('.$search_results.') GROUP BY t.id, t.poster, t.subject, t.last_post, t.last_post_id, t.last_poster, t.num_replies, t.closed, t.forum_id'.$group_by_sql.' ORDER BY '.$sort_by_sql;
+ $sql = 'SELECT t.id AS tid, t.poster, t.subject, t.last_post, t.last_post_id, t.last_poster, t.num_replies, t.closed, t.forum_id FROM '.$db->prefix.'topics AS t WHERE t.id IN('.$search_results.') ORDER BY '.$sort_by_sql;
// Determine the topic or post offset (based on $_GET['p'])
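Review bot: The rewritten topic query on the changed line interpolates `$search_results` straight into `IN(...)` and `$sort_by_sql` into `ORDER BY`; `$sort_by_sql` is fixed by the `switch` above, but where `$search_results` comes from is outside this hunk. If it is the comma-separated id list read back from the search cache it is server-produced, and a comment stating that invariant on the `if ($search_results != '')` line would keep it from being fed from the request later. Dropping the `posts` join and the long `GROUP BY` is a genuine simplification.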
diff -urN punbb-1.2.6/upload/style/imports/base.css punbb-1.2.17/upload/style/imports/base.css
--- punbb-1.2.6/upload/style/imports/base.css 2005-07-07 22:53:17.000000000 +0200
+++ punbb-1.2.17/upload/style/imports/base.css 2007-01-14 23:52:29.000000000 +0100
@@ -43,12 +43,19 @@
DIV>DIV>DIV.postfootleft, DIV>DIV>DIV.postfootright {PADDING-TOP: 1px; MARGIN-TOP: -1px}
-/* 3.2 This is only visible to IE Windows and cures various bugs. Do not alter comments */
-
-/* Begin IEWin Fix \*/
-* HTML .inbox, * HTML .inform, * HTML .pun, * HTML .intd, * HTML .tclcon {HEIGHT: 1px}
+/* 3.2 This is only visible to IE6 Windows and cures various bugs. Do not alter comments */
+
+/* Begin IE6Win Fix \*/
+* HTML .inbox, * HTML .inform, * HTML .pun, * HTML .intd, * HTML .tclcon {HEIGHT: 1px}
* HTML .inbox DIV.postmsg {WIDTH: 98%}
-/* End of IEWin Fix */
+/* End of IE6Win Fix */
+
+/* 3.3 This is the equivelant of 3.2 but for IE7. It is visible to other browsers
+but does no harm */
+
+/*Begin IE7Win Fix */
+.pun, .pun .inbox, .pun .inform, .pun .intd, .pun .tclcon {min-height: 1px}
+/* End of IE7Win Fix */
/****************************************************************/
/* 4. HIDDEN ELEMENTS */
@@ -168,7 +175,8 @@
DIV.postleft, DIV.postfootleft {
FLOAT:left;
WIDTH: 18em;
- OVERFLOW: hidden
+ OVERFLOW: hidden;
+ POSITION: relative;
}
DIV.postright, DIV.postfootright {
diff -urN punbb-1.2.6/upload/userlist.php punbb-1.2.17/upload/userlist.php
--- punbb-1.2.6/upload/userlist.php 2005-07-07 22:53:16.000000000 +0200
+++ punbb-1.2.17/upload/userlist.php 2007-04-10 23:37:34.000000000 +0200
@@ -41,7 +41,7 @@
// Determine if we are allowed to view post counts
$show_post_count = ($pun_config['o_show_post_count'] == '1' || $pun_user['g_id'] < PUN_GUEST) ? true : false;
-$username = (isset($_GET['username']) && $pun_user['g_search_users'] == '1') ? $_GET['username'] : '';
+$username = (isset($_GET['username']) && $pun_user['g_search_users'] == '1') ? pun_trim($_GET['username']) : '';
$show_group = (!isset($_GET['show_group']) || intval($_GET['show_group']) < -1 && intval($_GET['show_group']) > 2) ? -1 : intval($_GET['show_group']);
$sort_by = (!isset($_GET['sort_by']) || $_GET['sort_by'] != 'username' && $_GET['sort_by'] != 'registered' && ($_GET['sort_by'] != 'num_posts' || !$show_post_count)) ? 'username' : $_GET['sort_by'];
$sort_dir = (!isset($_GET['sort_dir']) || $_GET['sort_dir'] != 'ASC' && $_GET['sort_dir'] != 'DESC') ? 'ASC' : strtoupper($_GET['sort_dir']);
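Review bot: The `$show_group` line just below the changed one keeps `intval($_GET['show_group']) < -1 && intval($_GET['show_group']) > 2`, a condition that is never true, so no range check is applied — the same `&&`-for-`||` slip this patch corrects for `$email_setting` in register.php (L122). Change it to `(!isset($_GET['show_group']) || intval($_GET['show_group']) < -1 || intval($_GET['show_group']) > 2) ? -1 : intval($_GET['show_group'])`. Because `intval()` is applied either way, the value reaches `u.group_id=` as an integer, so this is a validation gap rather than an injection path. The trimmed `$username` is used in a query outside the hunk; confirm it is still escaped on that path.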
@@ -116,7 +116,7 @@
$where_sql[] = 'u.group_id='.$show_group;
// Fetch user count
-$result = $db->query('SELECT COUNT(id) FROM '.$db->prefix.'users AS u'.(!empty($where_sql) ? ' WHERE u.id>1 AND '.implode(' AND ', $where_sql) : '')) or error('Unable to fetch user list count', __FILE__, __LINE__, $db->error());
+$result = $db->query('SELECT COUNT(id) FROM '.$db->prefix.'users AS u WHERE u.id>1'.(!empty($where_sql) ? ' AND '.implode(' AND ', $where_sql) : '')) or error('Unable to fetch user list count', __FILE__, __LINE__, $db->error());
$num_users = $db->result($result);
diff -urN punbb-1.2.6/upload/viewforum.php punbb-1.2.17/upload/viewforum.php
--- punbb-1.2.6/upload/viewforum.php 2005-07-07 22:53:16.000000000 +0200
+++ punbb-1.2.17/upload/viewforum.php 2005-09-22 00:39:30.000000000 +0200
@@ -242,7 +242,7 @@