Home Explore Help
Register Sign In
Omnimaga
/
SMF2.1
mirror of [email protected]:Omnimaga/SMF2.1.git
2
0
Fork 0
Files Issues 0 Wiki
Browse Source

Merge pull request #291 from emanuele45/master

Another string and security fixes from 2.0.3 and 2.0.4
emanuele45 12 years ago
parent
775fa61059 5ed0020c24
commit
54f3af811c
9 changed files with 56 additions and 14 deletions
Unified View Show Diff Stats
  1. 14 4
      Sources/LogInOut.php
  2. 9 4
      Sources/ManageErrors.php
  3. 12 1
      Sources/ManageLanguages.php
  4. 1 1
      Sources/Modlog.php
  5. 1 1
      Sources/Register.php
  6. 1 1
      Sources/Reminder.php
  7. 14 1
      Sources/Security.php
  8. 3 0
      Sources/Themes.php
  9. 1 1
      Themes/default/languages/Post.english.php

+ 14 - 4
Sources/LogInOut.php
View File 

@@ -739,14 +739,24 @@ function validatePasswordFlood($id_member, $password_flood_value = false, $was_c
 
 	if ($password_flood_value !== false)
 
 	if ($password_flood_value !== false)
 
 		@list ($time_stamp, $number_tries) = explode('|', $password_flood_value);
 
 		@list ($time_stamp, $number_tries) = explode('|', $password_flood_value);
 
 
 
-	// Timestamp invalid or non-existent?
 
-	if (empty($number_tries) || $time_stamp < (time() - 10))
 
+	// Timestamp or number of tries invalid?
 
+	if (empty($number_tries) || empty($time_stamp))
 
 	{
 
 	{
 
-		// If it wasn't *that* long ago, don't give them another five goes.
 
-		$number_tries = !empty($number_tries) && $time_stamp < (time() - 20) ? 2 : 0;
 
+		$number_tries = 0;
 
 		$time_stamp = time();
 
 		$time_stamp = time();
 
 	}
 
 	}
 
 
 
+	// They've failed logging in already
 
+	if (!empty($number_tries))
 
+	{
 
+		// Give them less chances if they failed before
 
+		$number_tries = $time_stamp < time() - 20 ? 2 : $number_tries;
 
+
 
+		// They are trying too fast, make them wait longer
 
+		if ($time_stamp < time() - 10)
 
+			$time_stamp = time();
 
+	}
 
+
 
 	$number_tries++;
 
 	$number_tries++;
 
 
 
 	// Broken the law?
 
 	// Broken the law?

+ 9 - 4
Sources/ManageErrors.php
View File 

@@ -332,16 +332,21 @@ function deleteErrors()
 
  */
 
  */
 
 function ViewFile()
 
 function ViewFile()
 
 {
 
 {
 
-	global $context, $txt, $boarddir, $sourcedir;
 
+	global $context, $txt, $boarddir, $sourcedir, $cachedir;
 
 	// Check for the administrative permission to do this.
 
 	// Check for the administrative permission to do this.
 
 	isAllowedTo('admin_forum');
 
 	isAllowedTo('admin_forum');
 
 
 
-	// decode the file and get the line
 
-	$file = base64_decode($_REQUEST['file']);
 
+	// Decode the file and get the line
 
+	$file = realpath(base64_decode($_REQUEST['file']));
 
+	$real_board = realpath($boarddir);
 
+	$real_source = realpath($sourcedir);
 
+	$real_cache = realpath($cachedir);
 
+	$basename = strtolower(basename($file));
 
+	$ext = strrchr($basename, '.');
 
 	$line = isset($_REQUEST['line']) ? (int) $_REQUEST['line'] : 0;
 
 	$line = isset($_REQUEST['line']) ? (int) $_REQUEST['line'] : 0;
 
 
 
 	// Make sure the file we are looking for is one they are allowed to look at
 
 	// Make sure the file we are looking for is one they are allowed to look at
 
-	if (!is_readable($file) || (strpos($file, '../') !== false && ( strpos($file, $boarddir) === false || strpos($file, $sourcedir) === false)))
 
+	if ($ext != '.php' || (strpos($file, $real_board) === false && strpos($file, $real_source) === false) || ($basename == 'settings.php' || $basename == 'settings_bak.php') || strpos($file, $real_cache) !== false || !is_readable($file))
 
 		fatal_lang_error('error_bad_file', true, array(htmlspecialchars($file)));
 
 		fatal_lang_error('error_bad_file', true, array(htmlspecialchars($file)));
 
 
 
 	// get the min and max lines
 
 	// get the min and max lines

+ 12 - 1
Sources/ManageLanguages.php
View File 

@@ -574,7 +574,18 @@ function ModifyLanguages()
 
 		checkSession();
 
 		checkSession();
 
 		validateToken('admin-lang');
 
 		validateToken('admin-lang');
 
 
 
-		if ($_POST['def_language'] != $language)
 
+		getLanguages(true, false);
 
+		$lang_exists = false;
 
+		foreach ($context['languages'] as $lang)
 
+		{
 
+			if ($_POST['def_language'] == $lang['filename'])
 
+			{
 
+				$lang_exists = true;
 
+				break;
 
+			}
 
+		}
 
+
 
+		if ($_POST['def_language'] != $language && $lang_exists)
 
 		{
 
 		{
 
 			require_once($sourcedir . '/Subs-Admin.php');
 
 			require_once($sourcedir . '/Subs-Admin.php');
 
 			updateSettingsFile(array('language' => '\'' . $_POST['def_language'] . '\''));
 
 			updateSettingsFile(array('language' => '\'' . $_POST['def_language'] . '\''));

+ 1 - 1
Sources/Modlog.php
View File 

@@ -284,7 +284,7 @@ function ViewModlog()
 
 				'position' => 'below_table_data',
 
 				'position' => 'below_table_data',
 
 				'value' => '
 
 				'value' => '
 
 					' . $txt['modlog_search'] . ' (' . $txt['modlog_by'] . ': ' . $context['search']['label'] . '):
 
 					' . $txt['modlog_search'] . ' (' . $txt['modlog_by'] . ': ' . $context['search']['label'] . '):
 
-					<input type="text" name="search" size="18" value="' . $context['search']['string'] . '" class="input_text" />
 
+					<input type="text" name="search" size="18" value="' . $smcFunc['htmlspecialchars']($context['search']['string']) . '" class="input_text" />
 
 					<input type="submit" name="is_search" value="' . $txt['modlog_go'] . '" class="button_submit" style="float:none" />
 
 					<input type="submit" name="is_search" value="' . $txt['modlog_go'] . '" class="button_submit" style="float:none" />
 
 					' . ($context['can_delete'] ? '&nbsp;|
 
 					' . ($context['can_delete'] ? '&nbsp;|
 
 					<input type="submit" name="remove" value="' . $txt['modlog_remove'] . '" onclick="return confirm(\'' . $txt['modlog_remove_selected_confirm'] . '\');" class="button_submit" />
 
 					<input type="submit" name="remove" value="' . $txt['modlog_remove'] . '" onclick="return confirm(\'' . $txt['modlog_remove_selected_confirm'] . '\');" class="button_submit" />

+ 1 - 1
Sources/Register.php
View File 

@@ -572,7 +572,7 @@ function Activate()
 
 	$smcFunc['db_free_result']($request);
 
 	$smcFunc['db_free_result']($request);
 
 
 
 	// Change their email address? (they probably tried a fake one first :P.)
 
 	// Change their email address? (they probably tried a fake one first :P.)
 
-	if (isset($_POST['new_email'], $_REQUEST['passwd']) && sha1(strtolower($row['member_name']) . $_REQUEST['passwd']) == $row['passwd'])
 
+	if (isset($_POST['new_email'], $_REQUEST['passwd']) && sha1(strtolower($row['member_name']) . $_REQUEST['passwd']) == $row['passwd'] && ($row['is_activated'] == 0 || $row['is_activated'] == 2))
 
 	{
 
 	{
 
 		if (empty($modSettings['registration_method']) || $modSettings['registration_method'] == 3)
 
 		if (empty($modSettings['registration_method']) || $modSettings['registration_method'] == 3)
 
 			fatal_lang_error('no_access', false);
 
 			fatal_lang_error('no_access', false);

+ 1 - 1
Sources/Reminder.php
View File 

@@ -241,7 +241,7 @@ function setPassword2()
 
 	require_once($sourcedir . '/LogInOut.php');
 
 	require_once($sourcedir . '/LogInOut.php');
 
 
 
 	// Quit if this code is not right.
 
 	// Quit if this code is not right.
 
-	if (empty($_POST['code']) || substr($realCode, 0, 10) != substr(md5($_POST['code']), 0, 10))
 
+	if (empty($_POST['code']) || substr($realCode, 0, 10) !== substr(md5($_POST['code']), 0, 10))
 
 	{
 
 	{
 
 		// Stop brute force attacks like this.
 
 		// Stop brute force attacks like this.
 
 		validatePasswordFlood($_POST['u'], $flood_value, false);
 
 		validatePasswordFlood($_POST['u'], $flood_value, false);

+ 14 - 1
Sources/Security.php
View File 

@@ -60,6 +60,7 @@ function validateSession($type = 'admin')
 
 		if ($good_password || $_POST[$type . '_hash_pass'] == sha1($user_info['passwd'] . $sc))
 
 		if ($good_password || $_POST[$type . '_hash_pass'] == sha1($user_info['passwd'] . $sc))
 
 		{
 
 		{
 
 			$_SESSION[$type . '_time'] = time();
 
 			$_SESSION[$type . '_time'] = time();
 
+			unset($_SESSION['request_referer']);
 
 			return;
 
 			return;
 
 		}
 
 		}
 
 	}
 
 	}
 
@@ -74,6 +75,7 @@ function validateSession($type = 'admin')
 
 		if ($good_password || sha1(strtolower($user_info['username']) . $_POST[$type . '_pass']) == $user_info['passwd'])
 
 		if ($good_password || sha1(strtolower($user_info['username']) . $_POST[$type . '_pass']) == $user_info['passwd'])
 
 		{
 
 		{
 
 			$_SESSION[$type . '_time'] = time();
 
 			$_SESSION[$type . '_time'] = time();
 
+			unset($_SESSION['request_referer']);
 
 			return;
 
 			return;
 
 		}
 
 		}
 
 	}
 
 	}
 
@@ -84,9 +86,17 @@ function validateSession($type = 'admin')
 
 		smf_openID_revalidate();
 
 		smf_openID_revalidate();
 
 
 
 		$_SESSION[$type . '_time'] = time();
 
 		$_SESSION[$type . '_time'] = time();
 
+		unset($_SESSION['request_referer']);
 
 		return;
 
 		return;
 
 	}
 
 	}
 
 
 
+
 
+	// Better be sure to remember the real referer
 
+	if (empty($_SESSION['request_referer']))
 
+		$_SESSION['request_referer'] = isset($_SERVER['HTTP_REFERER']) ? @parse_url($_SERVER['HTTP_REFERER']) : array();
 
+	elseif (empty($_POST))
 
+		unset($_SESSION['request_referer']);
 
+
 
 	// Need to type in a password for that, man.
 
 	// Need to type in a password for that, man.
 
 	if (!isset($_GET['xml']))
 
 	if (!isset($_GET['xml']))
 
 		adminLogin($type);
 
 		adminLogin($type);
 
@@ -647,7 +657,10 @@ function checkSession($type = 'post', $from_action = '', $is_fatal = true)
 
 	}
 
 	}
 
 
 
 	// Check the referring site - it should be the same server at least!
 
 	// Check the referring site - it should be the same server at least!
 
-	$referrer = isset($_SERVER['HTTP_REFERER']) ? @parse_url($_SERVER['HTTP_REFERER']) : array();
 
+	if (isset($_SESSION['request_referer']))
 
+		$referrer = $_SESSION['request_referer'];
 
+	else
 
+		$referrer = isset($_SERVER['HTTP_REFERER']) ? @parse_url($_SERVER['HTTP_REFERER']) : array();
 
 	if (!empty($referrer['host']))
 
 	if (!empty($referrer['host']))
 
 	{
 
 	{
 
 		if (strpos($_SERVER['HTTP_HOST'], ':') !== false)
 
 		if (strpos($_SERVER['HTTP_HOST'], ':') !== false)

+ 3 - 0
Sources/Themes.php
View File 

@@ -1804,6 +1804,9 @@ function EditTheme()
 
 	list ($theme_dir, $context['theme_id']) = $smcFunc['db_fetch_row']($request);
 
 	list ($theme_dir, $context['theme_id']) = $smcFunc['db_fetch_row']($request);
 
 	$smcFunc['db_free_result']($request);
 
 	$smcFunc['db_free_result']($request);
 
 
 
+	if (!file_exists($theme_dir . '/index.template.php') && !file_exists($theme_dir . '/css/index.css'))
 
+		fatal_lang_error('theme_edit_missing', false);
 
+
 
 	if (!isset($_REQUEST['filename']))
 
 	if (!isset($_REQUEST['filename']))
 
 	{
 
 	{
 
 		if (isset($_GET['directory']))
 
 		if (isset($_GET['directory']))

+ 1 - 1
Themes/default/languages/Post.english.php
View File 

@@ -221,7 +221,7 @@ $txt['error_temp_attachments_new'] = 'There are attachments which you had previo
 
 $txt['error_temp_attachments_found'] = 'The following attachments were found which you had previously attached to another post but not posted. It is advisable that you do not post until these are either removed or that post has been submited.<br />Click %1$s to remove those attachments. Or %2$s to return to that post.%3$s';
 
 $txt['error_temp_attachments_found'] = 'The following attachments were found which you had previously attached to another post but not posted. It is advisable that you do not post until these are either removed or that post has been submited.<br />Click %1$s to remove those attachments. Or %2$s to return to that post.%3$s';
 
 $txt['error_temp_attachments_lost'] = 'The following attachments were found which you had previously attached to another post but not posted. It is advisable that you do not upload any more attachments until these are removed or that post has been submitedd.<br />Click %1$s to remove these attachments.%2$s';
 
 $txt['error_temp_attachments_lost'] = 'The following attachments were found which you had previously attached to another post but not posted. It is advisable that you do not upload any more attachments until these are removed or that post has been submitedd.<br />Click %1$s to remove these attachments.%2$s';
 
 $txt['error_temp_attachments_gone'] = 'Those attachments have now been removed and you have been returned to the page you were previously on';
 
 $txt['error_temp_attachments_gone'] = 'Those attachments have now been removed and you have been returned to the page you were previously on';
 
-$txt['error_temp_attachments_flushed'] = 'Please note that any files which had been previously attached but not posted. Have now been removed.';
 
+$txt['error_temp_attachments_flushed'] = 'Please note that any files which had been previously attached but not posted have now been removed.';
 
 $txt['error_topic_already_announced'] = 'Please note that this topic has already been announced.';
 
 $txt['error_topic_already_announced'] = 'Please note that this topic has already been announced.';
 
 
 
 $txt['cant_access_upload_path'] = 'Cannot access attachments upload path!';
 
 $txt['cant_access_upload_path'] = 'Cannot access attachments upload path!';