[phpBB] svn: r82 - in branches/2.0.6d-2/phpbb2: . patches

jeroen at wolffelaar.nl jeroen at wolffelaar.nl
Thu Mar 18 00:25:02 CET 2004


Author: jeroen
Date: 2004-03-18 00:24:47 +0100 (Thu, 18 Mar 2004)
New Revision: 82

Added:
   branches/2.0.6d-2/phpbb2/patches/000_security_stolen_from_207.diff
Modified:
   branches/2.0.6d-2/phpbb2/changelog
Log:
Patch 2.0.6, so that the code is effectively 2.0.7... but not in name (eases
release)


Modified: branches/2.0.6d-2/phpbb2/changelog
===================================================================
--- branches/2.0.6d-2/phpbb2/changelog	2004-03-17 21:35:21 UTC (rev 81)
+++ branches/2.0.6d-2/phpbb2/changelog	2004-03-17 23:24:47 UTC (rev 82)
@@ -1,3 +1,11 @@
+phpbb2 (2.0.6d-2) unstable; urgency=medium
+
+  * Security ``just before leaving for a week'' release, featuring an
+    cross-site scripting fix from 2.0.7, plus a minor bugfix, but nothing
+    else (Closes: #237869)
+
+ -- Jeroen van Wolffelaar <jeroen at wolffelaar.nl>  Wed, 17 Mar 2004 22:45:10 +0100
+
 phpbb2 (2.0.6d-1) unstable; urgency=low
 
   * New upstream release to fix cross-site scripting issue, and a few minor

Added: branches/2.0.6d-2/phpbb2/patches/000_security_stolen_from_207.diff
===================================================================
--- branches/2.0.6d-2/phpbb2/patches/000_security_stolen_from_207.diff	2004-03-17 21:35:21 UTC (rev 81)
+++ branches/2.0.6d-2/phpbb2/patches/000_security_stolen_from_207.diff	2004-03-17 23:24:47 UTC (rev 82)
@@ -0,0 +1,355 @@
+diff -ur phpBB2.orig/includes/auth.php phpBB2/includes/auth.php
+--- phpBB2.orig/includes/auth.php	2003-07-20 17:42:24.000000000 +0200
++++ phpBB2/includes/auth.php	2004-03-13 17:21:53.000000000 +0100
+@@ -172,6 +171,7 @@
+ 			}
+ 			while( $row = $db->sql_fetchrow($result) );
+ 		}
++		$db->sql_freeresult($result);
+ 	}
+ 
+ 	$is_admin = ( $userdata['user_level'] == ADMIN && $userdata['session_logged_in'] ) ? TRUE : 0;
+diff -ur phpBB2.orig/includes/bbcode.php phpBB2/includes/bbcode.php
+--- phpBB2.orig/includes/bbcode.php	2003-09-10 18:37:50.000000000 +0200
++++ phpBB2/includes/bbcode.php	2004-03-13 17:21:53.000000000 +0100
+@@ -104,7 +104,7 @@
+ 	$bbcode_tpl['url3'] = str_replace('{URL}', '\\1', $bbcode_tpl['url']);
+ 	$bbcode_tpl['url3'] = str_replace('{DESCRIPTION}', '\\2', $bbcode_tpl['url3']);
+ 
+-	$bbcode_tpl['url4'] = str_replace('{URL}', 'http://\\1', $bbcode_tpl['url']); 
++	$bbcode_tpl['url4'] = str_replace('{URL}', 'http://\\1', $bbcode_tpl['url']);
+ 	$bbcode_tpl['url4'] = str_replace('{DESCRIPTION}', '\\3', $bbcode_tpl['url4']);
+ 
+ 	$bbcode_tpl['email'] = str_replace('{EMAIL}', '\\1', $bbcode_tpl['email']);
+@@ -197,21 +197,21 @@
+ 	$patterns[] = "#\[img:$uid\](.*?)\[/img:$uid\]#si";
+ 	$replacements[] = $bbcode_tpl['img'];
+ 
+-	// matches a [url]xxxx://www.phpbb.com[/url] code.. 
+-	$patterns[] = "#\[url\]([\w]+?://[^ \"\n\r\t<]*?)\[/url\]#is"; 
+-	$replacements[] = $bbcode_tpl['url1']; 
+-
+-	// [url]www.phpbb.com[/url] code.. (no xxxx:// prefix). 
+-	$patterns[] = "#\[url\]((www|ftp)\.[^ \"\n\r\t<]*?)\[/url\]#is"; 
+-	$replacements[] = $bbcode_tpl['url2']; 
+-
+-	// [url=xxxx://www.phpbb.com]phpBB[/url] code.. 
+-	$patterns[] = "#\[url=([\w]+?://[^ \"\n\r\t<]*?)\](.*?)\[/url\]#is"; 
+-	$replacements[] = $bbcode_tpl['url3']; 
+-
+-	// [url=www.phpbb.com]phpBB[/url] code.. (no xxxx:// prefix). 
+-	$patterns[] = "#\[url=((www|ftp)\.[^ \"\n\r\t<]*?)\](.*?)\[/url\]#is"; 
+-	$replacements[] = $bbcode_tpl['url4']; 
++	// matches a [url]xxxx://www.phpbb.com[/url] code..
++	$patterns[] = "#\[url\]([\w]+?://[^ \"\n\r\t<]*?)\[/url\]#is";
++	$replacements[] = $bbcode_tpl['url1'];
++
++	// [url]www.phpbb.com[/url] code.. (no xxxx:// prefix).
++	$patterns[] = "#\[url\]((www|ftp)\.[^ \"\n\r\t<]*?)\[/url\]#is";
++	$replacements[] = $bbcode_tpl['url2'];
++
++	// [url=xxxx://www.phpbb.com]phpBB[/url] code..
++	$patterns[] = "#\[url=([\w]+?://[^ \"\n\r\t<]*?)\](.*?)\[/url\]#is";
++	$replacements[] = $bbcode_tpl['url3'];
++
++	// [url=www.phpbb.com]phpBB[/url] code.. (no xxxx:// prefix).
++	$patterns[] = "#\[url=((www|ftp)\.[^ \"\n\r\t<]*?)\](.*?)\[/url\]#is";
++	$replacements[] = $bbcode_tpl['url4'];
+ 
+ 	// [email]user at domain.tld[/email] code..
+ 	$patterns[] = "#\[email\]([a-z0-9&\-_.]+?@[\w\-]+\.([\w\-\.]+\.)?[\w]+)\[/email\]#si";
+@@ -618,16 +618,16 @@
+ 	// pad it with a space so we can match things at the start of the 1st line.
+ 	$ret = ' ' . $text;
+ 
+-	// matches an "xxxx://yyyy" URL at the start of a line, or after a space. 
+-	// xxxx can only be alpha characters. 
+-	// yyyy is anything up to the first space, newline, comma, double quote or < 
+-	$ret = preg_replace("#(^|[\n ])([\w]+?://[^ \"\n\r\t<]*)#is", "\\1<a href=\"\\2\" target=\"_blank\">\\2</a>", $ret); 
++	// matches an "xxxx://yyyy" URL at the start of a line, or after a space.
++	// xxxx can only be alpha characters.
++	// yyyy is anything up to the first space, newline, comma, double quote or <
++	$ret = preg_replace("#(^|[\n ])([\w]+?://[^ \"\n\r\t<]*)#is", "\\1<a href=\"\\2\" target=\"_blank\">\\2</a>", $ret);
+ 
+-	// matches a "www|ftp.xxxx.yyyy[/zzzz]" kinda lazy URL thing 
+-	// Must contain at least 2 dots. xxxx contains either alphanum, or "-" 
++	// matches a "www|ftp.xxxx.yyyy[/zzzz]" kinda lazy URL thing
++	// Must contain at least 2 dots. xxxx contains either alphanum, or "-"
+ 	// zzzz is optional.. will contain everything up to the first space, newline, 
+-	// comma, double quote or <. 
+-	$ret = preg_replace("#(^|[\n ])((www|ftp)\.[^ \"\t\n\r<]*)#is", "\\1<a href=\"http://\\2\" target=\"_blank\">\\2</a>", $ret); 
++	// comma, double quote or <.
++	$ret = preg_replace("#(^|[\n ])((www|ftp)\.[^ \"\t\n\r<]*)#is", "\\1<a href=\"http://\\2\" target=\"_blank\">\\2</a>", $ret);
+ 
+ 	// matches an email at domain type address at the start of a line, or after a space.
+ 	// Note: Only the followed chars are valid; alphanums, "-", "_" and or ".".
+diff -ur phpBB2.orig/includes/topic_review.php phpBB2/includes/topic_review.php
+--- phpBB2.orig/includes/topic_review.php	2003-07-20 17:42:24.000000000 +0200
++++ phpBB2/includes/topic_review.php	2004-03-13 17:21:53.000000000 +0100
+@@ -51,6 +51,7 @@
+ 		{
+ 			message_die(GENERAL_MESSAGE, 'Topic_post_not_exist');
+ 		}
++		$db->sql_freeresult($result);
+ 
+ 		$forum_id = $forum_row['forum_id'];
+ 		$topic_title = $forum_row['topic_title'];
+@@ -207,6 +208,7 @@
+ 	{
+ 		message_die(GENERAL_MESSAGE, 'Topic_post_not_exist', '', __LINE__, __FILE__, $sql);
+ 	}
++	$db->sql_freeresult($result);
+ 
+ 	$template->assign_vars(array(
+ 		'L_AUTHOR' => $lang['Author'],
+diff -ur phpBB2.orig/includes/usercp_register.php phpBB2/includes/usercp_register.php
+--- phpBB2.orig/includes/usercp_register.php	2003-07-20 17:42:23.000000000 +0200
++++ phpBB2/includes/usercp_register.php	2004-03-13 17:21:53.000000000 +0100
+@@ -745,7 +745,7 @@
+ {
+ 	include($phpbb_root_path . 'includes/usercp_avatar.'.$phpEx);
+ 
+-	$avatar_category = ( !empty($HTTP_POST_VARS['avatarcategory']) ) ? $HTTP_POST_VARS['avatarcategory'] : '';
++	$avatar_category = ( !empty($HTTP_POST_VARS['avatarcategory']) ) ? htmlspecialchars($HTTP_POST_VARS['avatarcategory']) : '';
+ 
+ 	$template->set_filenames(array(
+ 		'body' => 'profile_avatar_gallery.tpl')
+diff -ur phpBB2.orig/index.php phpBB2/index.php
+--- phpBB2.orig/index.php	2003-07-20 17:42:23.000000000 +0200
++++ phpBB2/index.php	2004-03-13 17:21:53.000000000 +0100
+@@ -119,6 +119,7 @@
+ }
+ 
+ while( $category_rows[] = $db->sql_fetchrow($result) );
++$db->sql_freeresult($result);
+ 
+ if( ( $total_categories = count($category_rows) ) )
+ {
+@@ -170,6 +171,7 @@
+ 	{
+ 		$forum_data[] = $row;
+ 	}
++	$db->sql_freeresult($result);
+ 
+ 	if ( !($total_forums = count($forum_data)) )
+ 	{
+@@ -197,6 +199,7 @@
+ 		{
+ 			$new_topic_data[$topic_data['forum_id']][$topic_data['topic_id']] = $topic_data['post_time'];
+ 		}
++		$db->sql_freeresult($result);
+ 	}
+ 
+ 	//
+@@ -222,6 +225,7 @@
+ 	{
+ 		$forum_moderators[$row['forum_id']][] = '<a href="' . append_sid("profile.$phpEx?mode=viewprofile&amp;" . POST_USERS_URL . "=" . $row['user_id']) . '">' . $row['username'] . '</a>';
+ 	}
++	$db->sql_freeresult($result);
+ 
+ 	$sql = "SELECT aa.forum_id, g.group_id, g.group_name 
+ 		FROM " . AUTH_ACCESS_TABLE . " aa, " . USER_GROUP_TABLE . " ug, " . GROUPS_TABLE . " g 
+@@ -241,6 +245,7 @@
+ 	{
+ 		$forum_moderators[$row['forum_id']][] = '<a href="' . append_sid("groupcp.$phpEx?" . POST_GROUPS_URL . "=" . $row['group_id']) . '">' . $row['group_name'] . '</a>';
+ 	}
++	$db->sql_freeresult($result);
+ 
+ 	//
+ 	// Find which forums are visible for this user
+diff -ur phpBB2.orig/login.php phpBB2/login.php
+--- phpBB2.orig/login.php	2003-07-20 17:42:23.000000000 +0200
++++ phpBB2/login.php	2004-03-13 17:21:53.000000000 +0100
+@@ -83,7 +83,7 @@
+ 
+ 					if( $session_id )
+ 					{
+-						$url = ( !empty($HTTP_POST_VARS['redirect']) ) ? $HTTP_POST_VARS['redirect'] : "index.$phpEx";
++						$url = ( !empty($HTTP_POST_VARS['redirect']) ) ? htmlspecialchars($HTTP_POST_VARS['redirect']) : "index.$phpEx";
+ 						redirect(append_sid($url, true));
+ 					}
+ 					else
+@@ -93,7 +93,7 @@
+ 				}
+ 				else
+ 				{
+-					$redirect = ( !empty($HTTP_POST_VARS['redirect']) ) ? $HTTP_POST_VARS['redirect'] : '';
++					$redirect = ( !empty($HTTP_POST_VARS['redirect']) ) ? htmlspecialchars($HTTP_POST_VARS['redirect']) : '';
+ 					$redirect = str_replace('?', '&', $redirect);
+ 
+ 					$template->assign_vars(array(
+@@ -108,7 +108,7 @@
+ 		}
+ 		else
+ 		{
+-			$redirect = ( !empty($HTTP_POST_VARS['redirect']) ) ? $HTTP_POST_VARS['redirect'] : "";
++			$redirect = ( !empty($HTTP_POST_VARS['redirect']) ) ? htmlspecialchars($HTTP_POST_VARS['redirect']) : "";
+ 			$redirect = str_replace("?", "&", $redirect);
+ 
+ 			$template->assign_vars(array(
+@@ -129,7 +129,7 @@
+ 
+ 		if (!empty($HTTP_POST_VARS['redirect']) || !empty($HTTP_GET_VARS['redirect']))
+ 		{
+-			$url = (!empty($HTTP_POST_VARS['redirect'])) ? $HTTP_POST_VARS['redirect'] : $HTTP_GET_VARS['redirect'];
++			$url = (!empty($HTTP_POST_VARS['redirect'])) ? htmlspecialchars($HTTP_POST_VARS['redirect']) : htmlspecialchars($HTTP_GET_VARS['redirect']);
+ 			redirect(append_sid($url, true));
+ 		}
+ 		else
+@@ -139,7 +139,7 @@
+ 	}
+ 	else
+ 	{
+-		$url = ( !empty($HTTP_POST_VARS['redirect']) ) ? $HTTP_POST_VARS['redirect'] : "index.$phpEx";
++		$url = ( !empty($HTTP_POST_VARS['redirect']) ) ? htmlspecialchars($HTTP_POST_VARS['redirect']) : "index.$phpEx";
+ 		redirect(append_sid($url, true));
+ 	}
+ }
+diff -ur phpBB2.orig/memberlist.php phpBB2/memberlist.php
+--- phpBB2.orig/memberlist.php	2003-07-20 17:42:23.000000000 +0200
++++ phpBB2/memberlist.php	2004-03-13 17:21:53.000000000 +0100
+@@ -269,6 +269,7 @@
+ 		$i++;
+ 	}
+ 	while ( $row = $db->sql_fetchrow($result) );
++	$db->sql_freeresult($result);
+ }
+ 
+ if ( $mode != 'topten' || $board_config['topics_per_page'] < 10 )
+@@ -288,6 +289,7 @@
+ 
+ 		$pagination = generate_pagination("memberlist.$phpEx?mode=$mode&amp;order=$sort_order", $total_members, $board_config['topics_per_page'], $start). '&nbsp;';
+ 	}
++	$db->sql_freeresult($result);
+ }
+ else
+ {
+diff -ur phpBB2.orig/modcp.php phpBB2/modcp.php
+--- phpBB2.orig/modcp.php	2003-07-26 14:04:09.000000000 +0200
++++ phpBB2/modcp.php	2004-03-13 17:21:53.000000000 +0100
+@@ -80,6 +80,7 @@
+ if ( isset($HTTP_POST_VARS['mode']) || isset($HTTP_GET_VARS['mode']) )
+ {
+ 	$mode = ( isset($HTTP_POST_VARS['mode']) ) ? $HTTP_POST_VARS['mode'] : $HTTP_GET_VARS['mode'];
++	$mode = htmlspecialchars($mode);
+ }
+ else
+ {
+diff -ur phpBB2.orig/posting.php phpBB2/posting.php
+--- phpBB2.orig/posting.php	2003-07-20 17:42:23.000000000 +0200
++++ phpBB2/posting.php	2004-03-13 17:21:53.000000000 +0100
+@@ -35,7 +35,7 @@
+ {
+ 	if ( !empty($HTTP_POST_VARS[$param]) || !empty($HTTP_GET_VARS[$param]) )
+ 	{
+-		$$var = ( !empty($HTTP_POST_VARS[$param]) ) ? $HTTP_POST_VARS[$param] : $HTTP_GET_VARS[$param];
++		$$var = ( !empty($HTTP_POST_VARS[$param]) ) ? htmlspecialchars($HTTP_POST_VARS[$param]) : htmlspecialchars($HTTP_GET_VARS[$param]);
+ 	}
+ 	else
+ 	{
+@@ -221,6 +221,7 @@
+ if ( $result = $db->sql_query($sql) )
+ {
+ 	$post_info = $db->sql_fetchrow($result);
++	$db->sql_freeresult($result);
+ 
+ 	$forum_id = $post_info['forum_id'];
+ 	$forum_name = $post_info['forum_name'];
+@@ -275,6 +276,7 @@
+ 				}
+ 				while ( $row = $db->sql_fetchrow($result) );
+ 			}
++			$db->sql_freeresult($result);
+ 
+ 			$post_data['edit_poll'] = ( ( !$poll_results_sum || $is_auth['auth_mod'] ) && $post_data['first_post'] ) ? true : 0;
+ 		}
+@@ -397,6 +399,7 @@
+ 		}
+ 
+ 		$notify_user = ( $db->sql_fetchrow($result) ) ? TRUE : $userdata['user_notify'];
++		$db->sql_freeresult($result);
+ 	}
+ 	else
+ 	{
+@@ -471,12 +474,12 @@
+ 				FROM " . VOTE_USERS_TABLE . "  
+ 				WHERE vote_id = $vote_id 
+ 					AND vote_user_id = " . $userdata['user_id'];
+-			if ( !($result = $db->sql_query($sql)) )
++			if ( !($result2 = $db->sql_query($sql)) )
+ 			{
+ 				message_die(GENERAL_ERROR, 'Could not obtain user vote data for this topic', '', __LINE__, __FILE__, $sql);
+ 			}
+ 
+-			if ( !($row = $db->sql_fetchrow($result)) )
++			if ( !($row = $db->sql_fetchrow($result2)) )
+ 			{
+ 				$sql = "UPDATE " . VOTE_RESULTS_TABLE . " 
+ 					SET vote_result = vote_result + 1 
+@@ -500,11 +503,13 @@
+ 			{
+ 				$message = $lang['Already_voted'];
+ 			}
++			$db->sql_freeresult($result2);
+ 		}
+ 		else
+ 		{
+ 			$message = $lang['No_vote_option'];
+ 		}
++		$db->sql_freeresult($result);
+ 
+ 		$template->assign_vars(array(
+ 			'META' => '<meta http-equiv="refresh" content="3;url=' . append_sid("viewtopic.$phpEx?" . POST_TOPIC_URL . "=$topic_id") . '">')
+diff -ur phpBB2.orig/templates/subSilver/index_body.tpl phpBB2/templates/subSilver/index_body.tpl
+--- phpBB2.orig/templates/subSilver/index_body.tpl	2003-07-20 17:42:25.000000000 +0200
++++ phpBB2/templates/subSilver/index_body.tpl	2004-03-13 17:21:54.000000000 +0100
+@@ -91,13 +91,13 @@
+ 
+ <table cellspacing="3" border="0" align="center" cellpadding="0">
+   <tr> 
+-	<td width="20" align="center"><img src="templates/subSilver/images/folder_new.gif" alt="{L_NEW_POSTS}"/></td>
++	<td width="20" align="center"><img src="templates/subSilver/images/folder_new_big.gif" alt="{L_NEW_POSTS}"/></td>
+ 	<td><span class="gensmall">{L_NEW_POSTS}</span></td>
+ 	<td>&nbsp;&nbsp;</td>
+-	<td width="20" align="center"><img src="templates/subSilver/images/folder.gif" alt="{L_NO_NEW_POSTS}" /></td>
++	<td width="20" align="center"><img src="templates/subSilver/images/folder_big.gif" alt="{L_NO_NEW_POSTS}" /></td>
+ 	<td><span class="gensmall">{L_NO_NEW_POSTS}</span></td>
+ 	<td>&nbsp;&nbsp;</td>
+-	<td width="20" align="center"><img src="templates/subSilver/images/folder_lock.gif" alt="{L_FORUM_LOCKED}" /></td>
++	<td width="20" align="center"><img src="templates/subSilver/images/folder_locked_big.gif" alt="{L_FORUM_LOCKED}" /></td>
+ 	<td><span class="gensmall">{L_FORUM_LOCKED}</span></td>
+   </tr>
+ </table>
+diff -ur phpBB2.orig/viewforum.php phpBB2/viewforum.php
+--- phpBB2.orig/viewforum.php	2003-07-20 17:42:23.000000000 +0200
++++ phpBB2/viewforum.php	2004-03-13 17:21:53.000000000 +0100
+@@ -240,7 +240,7 @@
+ 
+ if ( !empty($HTTP_POST_VARS['topicdays']) || !empty($HTTP_GET_VARS['topicdays']) )
+ {
+-	$topic_days = ( !empty($HTTP_POST_VARS['topicdays']) ) ? $HTTP_POST_VARS['topicdays'] : $HTTP_GET_VARS['topicdays'];
++	$topic_days = ( !empty($HTTP_POST_VARS['topicdays']) ) ? intval($HTTP_POST_VARS['topicdays']) : intval($HTTP_GET_VARS['topicdays']);
+ 	$min_topic_time = time() - ($topic_days * 86400);
+ 
+ 	$sql = "SELECT COUNT(t.topic_id) AS forum_topics 
+diff -ur phpBB2.orig/viewtopic.php phpBB2/viewtopic.php
+--- phpBB2.orig/viewtopic.php	2003-07-20 17:42:23.000000000 +0200
++++ phpBB2/viewtopic.php	2004-03-13 17:21:53.000000000 +0100
+@@ -314,7 +314,7 @@
+ 
+ if( !empty($HTTP_POST_VARS['postdays']) || !empty($HTTP_GET_VARS['postdays']) )
+ {
+-	$post_days = ( !empty($HTTP_POST_VARS['postdays']) ) ? $HTTP_POST_VARS['postdays'] : $HTTP_GET_VARS['postdays'];
++	$post_days = ( !empty($HTTP_POST_VARS['postdays']) ) ? intval($HTTP_POST_VARS['postdays']) : intval($HTTP_GET_VARS['postdays']);
+ 	$min_post_time = time() - (intval($post_days) * 86400);
+ 
+ 	$sql = "SELECT COUNT(p.post_id) AS num_posts
+@@ -357,7 +357,7 @@
+ //
+ if ( !empty($HTTP_POST_VARS['postorder']) || !empty($HTTP_GET_VARS['postorder']) )
+ {
+-	$post_order = (!empty($HTTP_POST_VARS['postorder'])) ? $HTTP_POST_VARS['postorder'] : $HTTP_GET_VARS['postorder'];
++	$post_order = (!empty($HTTP_POST_VARS['postorder'])) ? htmlspecialchars($HTTP_POST_VARS['postorder']) : htmlspecialchars($HTTP_GET_VARS['postorder']);
+ 	$post_time_order = ($post_order == "asc") ? "ASC" : "DESC";
+ }
+ else
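Review bot: In the login.php hunks the added `htmlspecialchars()` on `redirect` only protects the HTML context where the value is echoed back into the template; the same value still reaches `redirect(append_sid($url, true))` as the navigation target, so a caller-supplied absolute URL or CR/LF in it is not addressed by this patch (`redirect()` is outside the hunk, so whether it rejects those is not visible here). The same input-time escaping is applied to `$mode` in modcp.php, to `$post_order` in viewtopic.php and to the `$$var` parameters in posting.php, values that from the visible lines look like they drive control flow rather than output; for those, validating against the known set of accepted values (or `intval()` as this patch already does for `topicdays`/`postdays`) is the more robust fix, and it avoids entity-encoding a value that is later compared or used in a query. Note also that with its default flags `htmlspecialchars()` leaves a single quote unchanged, so any later placement of these values inside a single-quoted attribute remains unprotected. A minimal hardening for the five login.php sites would be to accept only a relative path, e.g. `$url = ( !empty($HTTP_POST_VARS['redirect']) && !preg_match('#^([a-z]+:)?//#i', $HTTP_POST_VARS['redirect']) ) ? htmlspecialchars($HTTP_POST_VARS['redirect']) : "index.$phpEx";`.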




