76 (edited by Visman 2021-03-17 15:35)

Re: PunBB 1.4.4

In PunbB email bbode is changed differently (Google Translate terribly translates from Russian into English, it does not correctly understand the connection of words, and this results in confusion in the end.)

https://i.ibb.co/7rzK08f/146.png
In PunBB 1.4.6, they simply removed the ability to insert other bbcodes into email bbcode. Rearranging the processing of email bbcode above does not play any role. (UPDATE: Here I was wrong. The permutation affected the display of the email bbcode if there is another bbcode inside it. )
I, in the 39th fix, encode the email which is inserted into the href attribute via the rawurlencode() function. As a result, even if there were some bbcodes, they will no longer be converted to html.

Example:

[email]%3Cscript%3Ealert%281%29%3C%2Fscript%3E@examle.com[/email]
[email]my.super.puper<>email@mail.com[/email]
[email=<b>ffff</b>@<b>ffff</b>][b]test email and bbcode[/b][/email]

[email=javascript:alert(1)]<script>alert(2)</script>[/email]
[email]<script>alert(2)</script>[/email]

-->

<a href="mailto:%3Cscript%3Ealert%281%29%3C%2Fscript%3E@examle.com">%3Cscript%3Ealert%281%29%3C%2Fscript%3E@examle.com</a><br />
<a href="mailto:my.super.puper%26lt%3B%26gt%3Bemail@mail.com">my.super.puper&lt;&gt;email@mail.com</a><br />
<a href="mailto:%26lt%3Bb%26gt%3Bffff%26lt%3B%2Fb%26gt%3B@%26lt%3Bb%26gt%3Bffff%26lt%3B%2Fb%26gt%3B"><strong>test email and bbcode</strong></a>

<a href="mailto:javascript%3Aalert%281%29">&lt;script&gt;alert(2)&lt;/script&gt;</a><br />
<a href="mailto:%26lt%3Bscript%26gt%3Balert%282%29%26lt%3B%2Fscript%26gt%3B">&lt;script&gt;alert(2)&lt;/script&gt;</a>

P.S. And I repeat once again: I have doubts about the possibility of the existence of XSS.
P.P.S. Why then url bbcode is not changed. There is a similar situation wink
P.P.P.S. If I'm not clear, Google Translate is to blame smile

Parserus, UserAgentAnalyzer.
I speak only Russian  :P

Re: PunBB 1.4.4

Hello Visman !
Is there a place to download a full pack of the latest PunBB modified by you ?

https://forum.revestou.fr/
PunBB 1.4.6
PHP: 8.0.24
Base de données    SQLite3 3.27.2

78

Re: PunBB 1.4.4

The current variant https://github.com/MioVisman/punbb/arch … master.zip has been tested on Win7 + PHP 8.2 RC2 + mysql 5.7.24. I found no problems.

Parserus, UserAgentAnalyzer.
I speak only Russian  :P

Re: PunBB 1.4.4

Thank you Visman ! I am not sure that your version implements SQLite3 or is it only for Mysql ? Can you tell me ?

https://forum.revestou.fr/
PunBB 1.4.6
PHP: 8.0.24
Base de données    SQLite3 3.27.2

80

Re: PunBB 1.4.4

Quickly tested installing the forum from scratch, creating a new category, creating a new partition, creating a new message on Win7 + PHP 8.2 RC2 + SQLite3 3.33.0. There are no warnings or errors.

Parserus, UserAgentAnalyzer.
I speak only Russian  :P

Re: PunBB 1.4.4

Many thanks, I try and tell you.

https://forum.revestou.fr/
PunBB 1.4.6
PHP: 8.0.24
Base de données    SQLite3 3.27.2

Re: PunBB 1.4.4

Hello Visman !
I passed the 1.4.6 files over my present install (sqlite3), and with php8, I get a display problem on home page : each category title displaying before :

Trying to access array offset on value of type int in /homepages/1/d813290445/htdocs/forum/index.php(172) : eval()'d code on line 27

The rest of the site displays correctly.
The error disapears when I go back to php 7.4.

What should I look at ? Should I make a clean install and then manage to use my sqlite file ?

https://forum.revestou.fr/
PunBB 1.4.6
PHP: 8.0.24
Base de données    SQLite3 3.27.2

83

Re: PunBB 1.4.4

eval()'d code on line

Extension failed. Turn them off one at a time to find the culprit.

Parserus, UserAgentAnalyzer.
I speak only Russian  :P

Re: PunBB 1.4.4

Thanks !
And the culprit is ...
pan_statistic - Статистика форума PunBB
version 0.7.5

https://forum.revestou.fr/
PunBB 1.4.6
PHP: 8.0.24
Base de données    SQLite3 3.27.2