101

(75 replies, posted in Supported extensions)

chovy wrote:

I found a problem when used with openid extension...after registering with openid, I can sign in fine, but the pun stop bot question keeps popping up when I put a valid answer -- the result is I'm unable to post.

I have the same problem with the latest version of PunBB and Pun Stop Bots: sometimes it keeps asking even with good answers, and it seems that when it does, it's non-stop until you try with another browser or delete cookies and come back, so I guess this bug is a cookie problem?

102

(5 replies, posted in PunBB 1.4 bug reports)

Hello, when I switch from PHP 5.6 to PHP 7.0 I get these errors at the top of the forum:
"Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; DBLayer has a deprecated constructor in /xxx.com/punbb/include/dblayer/mysqli.php on line 16
Warning: Cannot modify header information - headers already sent by (output started at /xxx.com/punbb/include/dblayer/mysqli.php:16) in /xxx.com/punbb/header.php on line 16
Warning: Cannot modify header information - headers already sent by (output started at /xxx.com/punbb/include/dblayer/mysqli.php:16) in /xxx.com/punbb/header.php on line 17
Warning: Cannot modify header information - headers already sent by (output started at /xxx.com/punbb/include/dblayer/mysqli.php:16) in /xxx.com/punbb/header.php on line 18
Warning: Cannot modify header information - headers already sent by (output started at /xxx.com/punbb/include/dblayer/mysqli.php:16) in /xxx.com/punbb/header.php on line 19
Warning: Cannot modify header information - headers already sent by (output started at /xxx.com/punbb/include/dblayer/mysqli.php:16) in /xxx.com/punbb/header.php on line 22"

and at the beginning of the topics list in a forum, these errors:
"Warning: gmdate() expects parameter 2 to be integer, float given in /xxx.com/punbb/include/functions.php on line 453
Warning: gmdate() expects parameter 2 to be integer, float given in /xxx.com/punbb/include/functions.php on line 457
Warning: gmdate() expects parameter 2 to be integer, float given in /xxx.com/punbb/include/functions.php on line 472"

Will these errors be fixed in the next version? Is there any way to fix them?
Thanks,

Pierre

Hello, as you may already know, there will be a bug in the date system after 2038, due to the way dates are coded in databases:
"What is the unix time stamp?
The unix time stamp is a way to track time as a running total of seconds. This count starts at the Unix Epoch on January 1st, 1970 at UTC. Therefore, the unix time stamp is merely the number of seconds between a particular date and the Unix Epoch. It should also be pointed out (thanks to the comments from visitors to this site) that this point in time technically does not change no matter where you are located on the globe. This is very useful to computer systems for tracking and sorting dated information in dynamic and distributed applications both online and client side.

What happens on January 19, 2038?
On this date the Unix Time Stamp will cease to work due to a 32-bit overflow. Before this moment millions of applications will need to either adopt a new convention for time stamps or be migrated to 64-bit systems which will buy the time stamp a "bit" more time."

I've made some tests and when I put a date of 2038 in a post, it changes to 1903 or something like that...
How long will 64-bit systems delay the timestamp coding bug?
Thanks,

Pierre

I've seen it is possible to put Flash games into posts (a .swf works inside the post) with that extension, maybe it's not risky.
But I caused a bug in the forum while trying out the possibility of JavaScript code, and this sounds risky...
It happened just with this script inside a post (which is not a risky script, just an effect on letters, but it closed the topic so nobody could answer, and it also removed the possibility of editing or deleting the post, so what about a risky JavaScript?):

<h2>
<script language="JavaScript1.2">

/*
Neon Lights Text
*/

var message="Welcome to JavaScript Kit!"
var neonbasecolor="gray"
var neontextcolor="yellow"
var flashspeed=100  //in milliseconds

///No need to edit below this line/////

var n=0
if (document.all||document.getElementById){
document.write('')
for (m=0;m<message.length;m++)
document.write('<span id="neonlight'+m+'">'+message.charAt(m)+'</span>')
document.write('')
}
else
document.write(message)

function crossref(number){
var crossobj=document.all? eval("document.all.neonlight"+number) : document.getElementById("neonlight"+number)
return crossobj
}

function neon(){

//Change all letters to base color
if (n==0){
for (m=0;m<message.length;m++)
//eval("document.all.neonlight"+m).style.color=neonbasecolor
crossref(m).style.color=neonbasecolor
}

//cycle through and change individual letters to neon color
crossref(n).style.color=neontextcolor

if (n<message.length-1)
n++
else{
n=0
clearInterval(flashing)
setTimeout("beginneon()",1500)
return
}
}

function beginneon(){
if (document.all||document.getElementById)
flashing=setInterval("neon()",flashspeed)
}
beginneon()


</script>
</h2>

If JavaScript code can cause malfunctions of the forum, I guess it would be better not to allow JavaScript in the HTML code.
EDIT: if I put "<script>" at the beginning it doesn't try to run the script. I guess the script could run because of the "<script language="JavaScript1.2">" at the beginning of the script, a case that wasn't expected in the extension and that lets the script try to run and cause malfunctions.

OK, maybe the script in the latest version is secure enough, I don't know, what do you think?
About security, I've seen this part in the script code:

//Removing possible attacks
if (strpos($text, '<script>') !== false && strpos($text, '</script>') !== false)
{
    $text = str_replace(array('<script>', '</script>'), ' ', $text);
}
elseif (strpos($text, '<body>') !== false && strpos($text, '</body>') !== false)
{
    $text = str_replace(array('<body>', '</body>'), ' ', $text);
}
elseif (strpos($text, '<html>') !== false && strpos($text, '</html>') !== false)
{
    $text = str_replace(array('<html>', '</html>'), ' ', $text);
}
elseif (strpos($text, '<head>') !== false && strpos($text, '</head>') !== false)
{
    $text = str_replace(array('<head>', '</head>'), ' ', $text);
}
elseif (strpos($text, '<script>') !== false)
{
    $text = str_replace('<script>', ' ', $text);
}
elseif (strpos($text, '</script>') !== false)
{
    $text = str_replace('</script>', ' ', $text);
}
elseif (strpos($text, 'text/javascript') !== false)
{
    $text = str_replace('text/javascript', ' ', $text);
}
elseif (strpos($text, '</head>') !== false)
{
    $text = str_replace('</head>', ' ', $text);
}
elseif (strpos($text, '</body>') !== false)
{
    $text = str_replace('</body>', ' ', $text);
}
elseif (strpos($text, '<head>') !== false)
{
    $text = str_replace('<head>', ' ', $text);
}
elseif (strpos($text, '<body>') !== false)
{
    $text = str_replace('<body>', ' ', $text);
}
elseif (strpos($text, '<html>') !== false)
{
    $text = str_replace('<html>', ' ', $text);
}
elseif (strpos($text, '</html>') !== false)
{
    $text = str_replace('</html>', ' ', $text);
}

Is it safe enough like that ?
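
Added example (not code from the extension or from any poster): it runs the opening tag reported in the post above through an exact-string blacklist like the quoted one, then through output encoding with PHP's htmlspecialchars(). The function names and the "trusted authors only" policy are assumptions made for illustration.

```php
<?php
// Added example; function names are hypothetical, not from the extension.

// Exact-string blacklist in the spirit of the filter quoted above. It is
// stricter than the quoted elseif chain, which stops at the first branch
// that matches; this version removes every listed string.
function blacklist_filter(string $text): string
{
    $needles = array('<script>', '</script>', '<body>', '</body>',
                     '<html>', '</html>', '<head>', '</head>', 'text/javascript');
    return str_replace($needles, ' ', $text);
}

// Assumed policy: only authors the board trusts (for example admins) may post
// raw HTML; everyone else's text is encoded so the browser shows it as text.
function render_post_body(string $text, bool $author_may_post_html): string
{
    if ($author_may_post_html) {
        return $text;
    }
    return nl2br(htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
}

// Constructed sample: the opening tag from the post above, body shortened.
$post = '<h2><script language="JavaScript1.2">var message="Welcome";</script></h2>';

$filtered = blacklist_filter($post);
$encoded  = render_post_body($post, false);

// The blacklist looks for the literal "<script>", so a tag carrying an
// attribute is not matched and reaches the page as markup.
if (strpos($filtered, '<script language=') === false) {
    throw new RuntimeException('blacklist unexpectedly removed the tag');
}

// After encoding, no "<script" is left for the browser to parse as a tag.
if (strpos($encoded, '<script') !== false) {
    throw new RuntimeException('encoded output still contains markup');
}

echo "blacklist output: ", $filtered, "\n";
echo "encoded output:   ", $encoded, "\n";
```

Encoding on output does not depend on knowing which tag spellings exist, which is why it holds where a list of forbidden strings does not.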

Yes, I have tried before, it works as a user, new user or guest (if we allow guests to post).
Maybe a way to keep new users from using HTML would be to hide the HTML button from the BBCode buttons and tell only users that you know well about the HTML function? If it helps with some functions, allowing HTML for some members.
I've seen Abir made some changes to avoid some security attacks, maybe it's secure enough now, I don't know. I guess it would be enough if new users don't see it or can't do it.

Hello, I guess that allowing every new user to post HTML may be dangerous. Would it be possible to allow only admins to post and edit HTML in posts?