526

(5 replies, posted in Programming)

It actually isn't as bad as you think :P
It's more of an issue for XSS/SQL inject, since I can put quotes, HTML, etc into the request URI. However, I don't think you can redirect people to arbitrary sites that way.
But I don't think REQUEST_URI is what you're looking for. That's data on the current page, not on any referring page. If you want to see how 1.3 deals with the issue, check out the prev_url column in the online table.

527

(69 replies, posted in News)

neofutur: Look harder at the hdiff. The lines moved.
MattF: Good point, that's certainly possible

528

(7 replies, posted in PunBB 1.2 troubleshooting)

The code works fine, I just tested it.
I believe you actually have to send a POST request without req_file set to trigger that error.

529

(7 replies, posted in PunBB 1.2 troubleshooting)

Moved to Troubleshooting, since that's 1.2 code, not 1.3 code.
The code in 1.3 did have a slight issue with an undefined index, which I'm fixing now.

530

(8 replies, posted in PunBB 1.3 troubleshooting)

It would also lose meaning.
For example:

[url=http://punbb.org/forums/viewtopic.php?id=6859]You might want to try this modification[/url] ;)

versus

You might want to try this modification ;)

Not to mention that stripping it would be very annoying to code. :P

An extension, possibly, but I doubt it will go in the core.

531

(69 replies, posted in News)

Could the users have deleted their messages?
There are no outstanding security vulnerabilities as of 1.2.17, so if that's what you're using, then I doubt it's due to that.

Then that's not admin activation per se, that's simply trying to block spam registrations. For example:

http://www.punres.org/desc.php?pid=347
http://www.punres.org/desc.php?pid=400

I'm not seeing the difference between what you want and what I'm suggesting. Turn off the permission to Read board for that group and they're essentially not activated.

As for mass deleting users, try the User Management plugin.

534

(8 replies, posted in PunBB 1.3 troubleshooting)

http://punbb.org/forums/viewtopic.php?id=18195
http://punbb.org/forums/viewtopic.php?id=10943
for example

1. Set the default usergroup to one that can't see much of anything. Manually move people out of it.
2. I don't know that anyone has written that one.

536

(69 replies, posted in News)

Erased messages? I don't know what that means, it's not possible that updating the forum would do that.
As for double login, I usually see that in sites that are accessible both with and without the www., like yours is. You can either redirect all traffic to one of the two or set $cookie_domain in config.php to .forocure.com.ar

537

(12 replies, posted in PunBB 1.2 troubleshooting)

Check out preparse_bbcode, I think you'll need to add your stuff there.

Upgrading is a good idea.
If that doesn't fix it, enable debug mode and paste the full error.

539

(2 replies, posted in PunBB 1.3 troubleshooting)

The language strings are not yet finalized, so while you're welcome to get started, there is no guarantee that we won't add/change/remove strings.

540

(12 replies, posted in PunBB 1.2 troubleshooting)

I don't know how GeSHi works, but my assumption is that it's the result of a double escaping via htmlspecialchars.
Try

FIND

$geshi = @new GeSHi($text, "autoit", PUN_ROOT."/include");

REPLACE WITH

$geshi = @new GeSHi(html_entity_decode($text), "autoit", PUN_ROOT."/include");
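
The double escaping the post above assumes, as an added example that is not part of the original post. `highlight_stub()` is a hypothetical stand-in for a highlighter that HTML-escapes its own input (it is not GeSHi's API), and the sample text is constructed.

```php
<?php
// Hypothetical stand-in for a highlighter that escapes its input itself.
function highlight_stub(string $source): string
{
    return '<pre class="code">' . htmlspecialchars($source, ENT_QUOTES, 'UTF-8') . '</pre>';
}

// Constructed post body, as typed by the user.
$typed = 'If $a < 5 And $b = "x" Then MsgBox(0, "", "<script>")';

// Assumption taken from the post: the text has already been escaped once
// before it reaches the highlighter.
$stored = htmlspecialchars($typed, ENT_QUOTES, 'UTF-8');

// Bug: escaped text is handed to a highlighter that escapes again,
// so "&lt;" becomes "&amp;lt;" and the reader sees literal entities.
$double = highlight_stub($stored);

// Fix from the post: undo one layer first, so the highlighter's own
// escaping is the only one applied. Use the same flags in both directions,
// otherwise single quotes stay encoded on older PHP versions.
$fixed = highlight_stub(html_entity_decode($stored, ENT_QUOTES, 'UTF-8'));

echo $double, "\n";
echo $fixed, "\n";

// Checks: the buggy output contains a double-encoded entity, the fixed
// output does not, and the fixed output still carries no raw <script> tag.
var_dump(strpos($double, '&amp;lt;') !== false);
var_dump(strpos($fixed, '&amp;') === false);
var_dump(strpos($fixed, '<script>') === false);
```

Decoding before the call is only safe because the highlighter escapes again; decoded text must never be written to the page directly.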

541

(12 replies, posted in PunBB 1.2 troubleshooting)

Look at how URL BBCode is handled in the code you just pasted. Emulate that.

542

(12 replies, posted in PunBB 1.2 troubleshooting)

Make a function, like is done for the URL tags, parse in there and return the parsed value.

543

(7 replies, posted in PunBB 1.3 troubleshooting)

Consider them a reminder that the HEAD revision from SVN of beta software is not meant to be used on a production website. :P

544

(12 replies, posted in PunBB 1.2 troubleshooting)

If you're running that outside of the parser, the HTML is going to be sanitized for obvious reasons.

545

(5 replies, posted in PunBB 1.3 extensions)

http://php.net/manual/fr/function.mysql … -query.php

Right. We added a CSRF token to the logout URL, with the token being a pun_hash of user ID prepended to the current IP.
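
The logout token described in the post above, sketched as an added example that is not PunBB's own code. The `pun_hash()` body (SHA-1), the `login.php?action=out` URL shape, the `logout_token()` and `logout_allowed()` helpers and all sample values are assumptions made for illustration.

```php
<?php
// Assumed stand-in for the forum's pun_hash(); SHA-1 is used here for illustration.
function pun_hash(string $str): string
{
    return sha1($str);
}

// Token as the post describes it: hash of the user ID prepended to the current IP.
function logout_token(int $user_id, string $remote_ip): string
{
    return pun_hash($user_id . $remote_ip);
}

// Hypothetical handler check: honour the logout only when the id and the
// token in the query string match the logged-in user and their current IP.
function logout_allowed(array $get, int $session_user_id, string $remote_ip): bool
{
    if (!isset($get['id'], $get['csrf_token']) || !is_string($get['csrf_token'])) {
        return false; // a bare logout link planted on another site carries no token
    }
    if ((int) $get['id'] !== $session_user_id) {
        return false;
    }
    // Constant-time comparison (PHP 5.6+).
    return hash_equals(logout_token($session_user_id, $remote_ip), $get['csrf_token']);
}

// Constructed sample values (documentation IP ranges).
$uid = 2;
$ip  = '203.0.113.7';

// Link the forum would render for this user.
echo 'login.php?action=out&id=' . $uid . '&csrf_token=' . logout_token($uid, $ip), "\n";

// The user's own link.
var_dump(logout_allowed(['id' => '2', 'csrf_token' => logout_token($uid, $ip)], $uid, $ip));
// Cross-site request without a token.
var_dump(logout_allowed(['id' => '2'], $uid, $ip));
// Token minted for a different IP: also what a user sees if their address
// changes between rendering the page and clicking the link.
var_dump(logout_allowed(['id' => '2', 'csrf_token' => logout_token($uid, '198.51.100.9')], $uid, $ip));
```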

547

(5 replies, posted in PunBB 1.3 extensions)

Because that was not using an unbuffered query. ;)
However, buffered query or not, it is never a good idea to run a query in a loop.

My original thought was that you had the Akismet modification installed and that was the reason for the delay, but since you don't have the plugin, I doubt the modification was installed.
Anyway, your best bet would be to enable debug mode and see if the page generation time when posting in those cases is high or not. If it is, then you need to figure out what is causing that (most likely a modification of some kind).

PUN_ROOT is where your forum is on your server (eg: where config.php is).

550

(8 replies, posted in PunBB 1.3 extensions)

Indeed :P