1 |
desultory 09/07/30 06:38:50 |
2 |
|
3 |
Modified: common.php groupcp.php privmsg.php profile.php |
4 |
rss.php search.php |
5 |
Log: |
6 |
Upgrade to 2.0.23, add some proxy fixes, fix bug 191626 and bug 170166. |
7 |
|
8 |
Revision Changes Path |
9 |
1.9 forums/htdocs/common.php |
10 |
|
11 |
file : http://sources.gentoo.org/viewcvs.py/gentoo-projects/forums/htdocs/common.php?rev=1.9&view=markup |
12 |
plain: http://sources.gentoo.org/viewcvs.py/gentoo-projects/forums/htdocs/common.php?rev=1.9&content-type=text/plain |
13 |
diff : http://sources.gentoo.org/viewcvs.py/gentoo-projects/forums/htdocs/common.php?r1=1.8&r2=1.9 |
14 |
|
15 |
Index: common.php |
16 |
=================================================================== |
17 |
RCS file: /var/cvsroot/gentoo-projects/forums/htdocs/common.php,v |
18 |
retrieving revision 1.8 |
19 |
retrieving revision 1.9 |
20 |
diff -u -r1.8 -r1.9 |
21 |
--- common.php 9 Jun 2006 19:14:17 -0000 1.8 |
22 |
+++ common.php 30 Jul 2009 06:38:50 -0000 1.9 |
23 |
@@ -6,7 +6,7 @@ |
24 |
* copyright : (C) 2001 The phpBB Group |
25 |
* email : support@×××××.com |
26 |
* |
27 |
- * $Id: common.php,v 1.8 2006/06/09 19:14:17 tomk Exp $ |
28 |
+ * $Id: common.php,v 1.9 2009/07/30 06:38:50 desultory Exp $ |
29 |
* |
30 |
***************************************************************************/ |
31 |
|
32 |
@@ -204,6 +204,28 @@ |
33 |
// even bother complaining ... go scream and shout at the idiots out there who feel |
34 |
// "clever" is doing harm rather than good ... karma is a great thing ... :) |
35 |
$client_ip = ( !empty($HTTP_SERVER_VARS['REMOTE_ADDR']) ) ? $HTTP_SERVER_VARS['REMOTE_ADDR'] : ( ( !empty($HTTP_ENV_VARS['REMOTE_ADDR']) ) ? $HTTP_ENV_VARS['REMOTE_ADDR'] : getenv('REMOTE_ADDR') ); |
36 |
+ |
37 |
+// Only trust a proxy on the same host as the server, but do not assume that it is always present. |
38 |
+if( $client_ip == '127.0.0.1' ) |
39 |
+{ |
40 |
+ $x_forwarded_for = ( isset($_SERVER['HTTP_X_FORWARDED_FOR']) ) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : ""; |
41 |
+ |
42 |
+ if( !empty($x_forwarded_for) ) // The client might actually be on the local host. |
43 |
+ { |
44 |
+ |
45 |
+ // Pull the last IP out and use it for client_ip, the last in the list being the one added by the most recent proxy. |
46 |
+ // The most recent proxy being the only one which is actually trusted to give correct information. |
47 |
+ $addrs = explode(', ',$x_forwarded_for); |
48 |
+ $client_ip = array_pop($addrs); |
49 |
+ |
50 |
+ // A better regex might be in order, but this shoudl do for now. |
51 |
+ if(!preg_match('/^[12]?[0-9]?[0-9]\.[12]?[0-9]?[0-9]\.[12]?[0-9]?[0-9]\.[12]?[0-9]?[0-9]$/',$client_ip)) |
52 |
+ { |
53 |
+ message_die(CRITICAL_ERROR, "Bad address from proxy: $client_ip"); |
54 |
+ } |
55 |
+ } |
56 |
+} |
57 |
+ |
58 |
$user_ip = encode_ip($client_ip); |
59 |
|
60 |
// |
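Review bot: The address check `preg_match('/^[12]?[0-9]?[0-9]\.[12]?[0-9]?[0-9]\.[12]?[0-9]?[0-9]\.[12]?[0-9]?[0-9]$/',$client_ip)` accepts octets up to 299, and the header is split only on the exact string `', '`, so a proxy that joins entries with a bare comma leaves the whole client-supplied header in `$client_ip`, the check fails, and that unescaped value goes into `message_die(CRITICAL_ERROR, "Bad address from proxy: $client_ip")`, which presumably renders it into the error page. Splitting with `$addrs = array_map('trim', explode(',', $x_forwarded_for));` and validating with `if (filter_var($client_ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false)` (PHP 5.2+) closes both the range gap and the format assumption. Whichever validator stays, the failure line should be `message_die(CRITICAL_ERROR, 'Bad address from proxy: ' . htmlspecialchars($client_ip));` because the value originates in a request header. Gating the trust on `REMOTE_ADDR` being `127.0.0.1` is the right approach, but the new block reads `$_SERVER` while the line above falls back through `$HTTP_SERVER_VARS`, `$HTTP_ENV_VARS` and `getenv()`; the two lookups should agree so the gate and the header cannot come from different sources.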
61 |
|
62 |
|
63 |
|
64 |
1.7 forums/htdocs/groupcp.php |
65 |
|
66 |
file : http://sources.gentoo.org/viewcvs.py/gentoo-projects/forums/htdocs/groupcp.php?rev=1.7&view=markup |
67 |
plain: http://sources.gentoo.org/viewcvs.py/gentoo-projects/forums/htdocs/groupcp.php?rev=1.7&content-type=text/plain |
68 |
diff : http://sources.gentoo.org/viewcvs.py/gentoo-projects/forums/htdocs/groupcp.php?r1=1.6&r2=1.7 |
69 |
|
70 |
Index: groupcp.php |
71 |
=================================================================== |
72 |
RCS file: /var/cvsroot/gentoo-projects/forums/htdocs/groupcp.php,v |
73 |
retrieving revision 1.6 |
74 |
retrieving revision 1.7 |
75 |
diff -u -r1.6 -r1.7 |
76 |
--- groupcp.php 29 Dec 2006 11:52:49 -0000 1.6 |
77 |
+++ groupcp.php 30 Jul 2009 06:38:50 -0000 1.7 |
78 |
@@ -6,7 +6,7 @@ |
79 |
* copyright : (C) 2001 The phpBB Group |
80 |
* email : support@×××××.com |
81 |
* |
82 |
- * $Id: groupcp.php,v 1.6 2006/12/29 11:52:49 tomk Exp $ |
83 |
+ * $Id: groupcp.php,v 1.7 2009/07/30 06:38:50 desultory Exp $ |
84 |
* |
85 |
* |
86 |
***************************************************************************/ |
87 |
@@ -120,7 +120,8 @@ |
88 |
$script_name = preg_replace('/^\/?(.*?)\/?$/', "\\1", trim($board_config['script_path'])); |
89 |
$script_name = ( $script_name != '' ) ? $script_name . '/groupcp.'.$phpEx : 'groupcp.'.$phpEx; |
90 |
$server_name = trim($board_config['server_name']); |
91 |
-$server_protocol = ( isset($_SERVER['HTTPS']) || $board_config['cookie_secure'] ) ? 'https://' : 'http://'; |
92 |
+// 2008-12 desultory -- Another page, another proxy tweak. |
93 |
+$server_protocol = ( isset($_SERVER['HTTPS']) || isset($_SERVER["HTTP_FRONT_END_HTTPS"]) || $board_config['cookie_secure'] ) ? 'https://' : 'http://'; |
94 |
$server_port = ( $board_config['server_port'] <> 80 ) ? ':' . trim($board_config['server_port']) . '/' : '/'; |
95 |
|
96 |
$server_url = $server_protocol . $server_name . $server_port . $script_name; |
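Review bot: `isset($_SERVER["HTTP_FRONT_END_HTTPS"])` in the new `$server_protocol` line is true for any request that carries a `Front-End-Https` header, regardless of its value or who sent it, so unless the front-end proxy strips that header from incoming requests any client can switch the generated scheme to `https://`, and a proxy sending `Front-End-Https: off` has the same effect. The identical expression is added to profile.php and search.php in this commit. Test the value rather than presence, e.g. `isset($_SERVER['HTTP_FRONT_END_HTTPS']) && strtolower($_SERVER['HTTP_FRONT_END_HTTPS']) === 'on'`, and ideally honour the header only when the request arrived from the trusted proxy, as common.php now does for `X-Forwarded-For`. The effect here is confined to the scheme of `$server_url`; a short comment on where that URL is emitted would let the next reader judge the risk.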
97 |
@@ -146,6 +147,7 @@ |
98 |
|
99 |
$confirm = ( isset($HTTP_POST_VARS['confirm']) ) ? TRUE : 0; |
100 |
$cancel = ( isset($HTTP_POST_VARS['cancel']) ) ? TRUE : 0; |
101 |
+$sid = ( isset($HTTP_POST_VARS['sid']) ) ? $HTTP_POST_VARS['sid'] : ''; |
102 |
|
103 |
$start = ( isset($HTTP_GET_VARS['start']) ) ? intval($HTTP_GET_VARS['start']) : 0; |
104 |
$start = ($start < 0) ? 0 : $start; |
105 |
@@ -210,6 +212,10 @@ |
106 |
{ |
107 |
redirect(append_sid("login.$phpEx?redirect=groupcp.$phpEx&" . POST_GROUPS_URL . "=$group_id", true)); |
108 |
} |
109 |
+ else if ( $sid !== $userdata['session_id'] ) |
110 |
+ { |
111 |
+ message_die(GENERAL_ERROR, $lang['Session_invalid']); |
112 |
+ } |
113 |
|
114 |
$sql = "SELECT ug.user_id, g.group_type |
115 |
FROM " . USER_GROUP_TABLE . " ug, " . GROUPS_TABLE . " g |
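Review bot: The new `else if ( $sid !== $userdata['session_id'] )` branch has no comment saying what it protects against, and the same bare check is added in two later hunks of this file; suggest `// The posted sid must match the live session: rejects cross-site form submissions, which cannot know the session id.` above the first occurrence. The enclosing `if`, whose first branch redirects to login, starts above the hunk. `$sid` is read only from `$HTTP_POST_VARS` in the earlier hunk, so a missing field fails closed with `Session_invalid`, which looks intended; the same comment could note that the hidden `sid` input appended to `$s_hidden_fields` later in this file is what legitimate forms send.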
116 |
@@ -322,10 +328,14 @@ |
117 |
{ |
118 |
redirect(append_sid("groupcp.$phpEx", true)); |
119 |
} |
120 |
- elseif ( !$userdata['session_logged_in'] ) |
121 |
+ else if ( !$userdata['session_logged_in'] ) |
122 |
{ |
123 |
redirect(append_sid("login.$phpEx?redirect=groupcp.$phpEx&" . POST_GROUPS_URL . "=$group_id", true)); |
124 |
} |
125 |
+ else if ( $sid !== $userdata['session_id'] ) |
126 |
+ { |
127 |
+ message_die(GENERAL_ERROR, $lang['Session_invalid']); |
128 |
+ } |
129 |
|
130 |
if ( $confirm ) |
131 |
{ |
132 |
@@ -374,6 +384,7 @@ |
133 |
$unsub_msg = ( isset($HTTP_POST_VARS['unsub']) ) ? $lang['Confirm_unsub'] : $lang['Confirm_unsub_pending']; |
134 |
|
135 |
$s_hidden_fields = '<input type="hidden" name="' . POST_GROUPS_URL . '" value="' . $group_id . '" /><input type="hidden" name="unsub" value="1" />'; |
136 |
+ $s_hidden_fields .= '<input type="hidden" name="sid" value="' . $userdata['session_id'] . '" />'; |
137 |
|
138 |
$page_title = $lang['Group_Control_Panel']; |
139 |
include($phpbb_root_path . 'includes/page_header.'.$phpEx); |
140 |
@@ -431,7 +442,7 @@ |
141 |
WHERE aa.group_id = g.group_id |
142 |
) |
143 |
) |
144 |
- ORDER BY aa.auth_mod DESC"; |
145 |
+ ORDER BY auth_mod DESC"; |
146 |
break; |
147 |
|
148 |
case 'oracle': |
149 |
@@ -472,6 +483,10 @@ |
150 |
if ( !$userdata['session_logged_in'] ) |
151 |
{ |
152 |
redirect(append_sid("login.$phpEx?redirect=groupcp.$phpEx&" . POST_GROUPS_URL . "=$group_id", true)); |
153 |
+ } |
154 |
+ else if ( $sid !== $userdata['session_id'] ) |
155 |
+ { |
156 |
+ message_die(GENERAL_ERROR, $lang['Session_invalid']); |
157 |
} |
158 |
|
159 |
if ( !$is_moderator ) |
160 |
@@ -926,7 +941,7 @@ |
161 |
|
162 |
generate_user_info($group_moderator, $board_config['default_dateformat'], $is_moderator, $from, $posts, $joined, $poster_avatar, $profile_img, $profile, $search_img, $search, $pm_img, $pm, $email_img, $email, $www_img, $www, $icq_status_img, $icq_img, $icq, $aim_img, $aim, $msn_img, $msn, $yim_img, $yim); |
163 |
|
164 |
- $s_hidden_fields .= ''; |
165 |
+ $s_hidden_fields .= '<input type="hidden" name="sid" value="' . $userdata['session_id'] . '" />'; |
166 |
|
167 |
$template->assign_vars(array( |
168 |
'L_GROUP_INFORMATION' => $lang['Group_Information'], |
169 |
@@ -1306,4 +1321,4 @@ |
170 |
|
171 |
include($phpbb_root_path . 'includes/page_tail.'.$phpEx); |
172 |
|
173 |
-?> |
174 |
\ No newline at end of file |
175 |
+?> |
176 |
|
177 |
|
178 |
|
179 |
1.15 forums/htdocs/privmsg.php |
180 |
|
181 |
file : http://sources.gentoo.org/viewcvs.py/gentoo-projects/forums/htdocs/privmsg.php?rev=1.15&view=markup |
182 |
plain: http://sources.gentoo.org/viewcvs.py/gentoo-projects/forums/htdocs/privmsg.php?rev=1.15&content-type=text/plain |
183 |
diff : http://sources.gentoo.org/viewcvs.py/gentoo-projects/forums/htdocs/privmsg.php?r1=1.14&r2=1.15 |
184 |
|
185 |
Index: privmsg.php |
186 |
=================================================================== |
187 |
RCS file: /var/cvsroot/gentoo-projects/forums/htdocs/privmsg.php,v |
188 |
retrieving revision 1.14 |
189 |
retrieving revision 1.15 |
190 |
diff -u -r1.14 -r1.15 |
191 |
--- privmsg.php 29 Dec 2006 11:57:00 -0000 1.14 |
192 |
+++ privmsg.php 30 Jul 2009 06:38:50 -0000 1.15 |
193 |
@@ -6,7 +6,7 @@ |
194 |
* copyright : (C) 2001 The phpBB Group |
195 |
* email : support@×××××.com |
196 |
* |
197 |
- * $Id: privmsg.php,v 1.14 2006/12/29 11:57:00 tomk Exp $ |
198 |
+ * $Id: privmsg.php,v 1.15 2009/07/30 06:38:50 desultory Exp $ |
199 |
* |
200 |
* |
201 |
***************************************************************************/ |
202 |
@@ -674,6 +674,7 @@ |
203 |
{ |
204 |
$s_hidden_fields = '<input type="hidden" name="mode" value="' . $mode . '" />'; |
205 |
$s_hidden_fields .= ( isset($HTTP_POST_VARS['delete']) ) ? '<input type="hidden" name="delete" value="true" />' : '<input type="hidden" name="deleteall" value="true" />'; |
206 |
+ $s_hidden_fields .= '<input type="hidden" name="sid" value="' . $userdata['session_id'] . '" />'; |
207 |
|
208 |
for($i = 0; $i < count($mark_list); $i++) |
209 |
{ |
210 |
@@ -704,7 +705,7 @@ |
211 |
include($phpbb_root_path . 'includes/page_tail.'.$phpEx); |
212 |
|
213 |
} |
214 |
- else if ( $confirm ) |
215 |
+ else if ($confirm && $sid === $userdata['session_id']) |
216 |
{ |
217 |
$delete_sql_id = ''; |
218 |
|
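Review bot: The new condition `else if ($confirm && $sid === $userdata['session_id'])` relies on a `$sid` that no hunk of this file assigns; groupcp.php in the same commit adds `$sid = ( isset($HTTP_POST_VARS['sid']) ) ? $HTTP_POST_VARS['sid'] : '';` but nothing equivalent is visible here. If `$sid` is not set elsewhere in privmsg.php, or only arrives via register_globals, the strict comparison is never true and a confirmed delete presumably falls through to the following branch without any error. Suggest assigning `$sid` from `$HTTP_POST_VARS` alongside the script's other POST reads and, for consistency with groupcp.php, rejecting a mismatch with `message_die(GENERAL_ERROR, $lang['Session_invalid']);` rather than silently skipping the delete. The surrounding if/else chain starts outside the hunk.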
219 |
|
220 |
|
221 |
|
222 |
1.7 forums/htdocs/profile.php |
223 |
|
224 |
file : http://sources.gentoo.org/viewcvs.py/gentoo-projects/forums/htdocs/profile.php?rev=1.7&view=markup |
225 |
plain: http://sources.gentoo.org/viewcvs.py/gentoo-projects/forums/htdocs/profile.php?rev=1.7&content-type=text/plain |
226 |
diff : http://sources.gentoo.org/viewcvs.py/gentoo-projects/forums/htdocs/profile.php?r1=1.6&r2=1.7 |
227 |
|
228 |
Index: profile.php |
229 |
=================================================================== |
230 |
RCS file: /var/cvsroot/gentoo-projects/forums/htdocs/profile.php,v |
231 |
retrieving revision 1.6 |
232 |
retrieving revision 1.7 |
233 |
diff -u -r1.6 -r1.7 |
234 |
--- profile.php 30 Apr 2006 13:54:45 -0000 1.6 |
235 |
+++ profile.php 30 Jul 2009 06:38:50 -0000 1.7 |
236 |
@@ -6,7 +6,7 @@ |
237 |
* copyright : (C) 2001 The phpBB Group |
238 |
* email : support@×××××.com |
239 |
* |
240 |
- * $Id: profile.php,v 1.6 2006/04/30 13:54:45 tomk Exp $ |
241 |
+ * $Id: profile.php,v 1.7 2009/07/30 06:38:50 desultory Exp $ |
242 |
* |
243 |
* |
244 |
***************************************************************************/ |
245 |
@@ -56,7 +56,8 @@ |
246 |
$script_name = preg_replace('/^\/?(.*?)\/?$/', '\1', trim($board_config['script_path'])); |
247 |
$script_name = ( $script_name != '' ) ? $script_name . '/profile.'.$phpEx : 'profile.'.$phpEx; |
248 |
$server_name = trim($board_config['server_name']); |
249 |
-$server_protocol = ( isset($_SERVER['HTTPS']) || $board_config['cookie_secure'] ) ? 'https://' : 'http://'; |
250 |
+// 2008-12 desultory -- Proxies possibly possessing protective properties provide potentially pesky problems. |
251 |
+$server_protocol = ( isset($_SERVER['HTTPS']) || isset($_SERVER["HTTP_FRONT_END_HTTPS"]) || $board_config['cookie_secure'] ) ? 'https://' : 'http://'; |
252 |
$server_port = ( $board_config['server_port'] <> 80 ) ? ':' . trim($board_config['server_port']) . '/' : '/'; |
253 |
|
254 |
$server_url = $server_protocol . $server_name . $server_port . $script_name; |
255 |
@@ -146,4 +147,4 @@ |
256 |
|
257 |
redirect(append_sid("index.$phpEx", true)); |
258 |
|
259 |
-?> |
260 |
\ No newline at end of file |
261 |
+?> |
262 |
|
263 |
|
264 |
|
265 |
1.7 forums/htdocs/rss.php |
266 |
|
267 |
file : http://sources.gentoo.org/viewcvs.py/gentoo-projects/forums/htdocs/rss.php?rev=1.7&view=markup |
268 |
plain: http://sources.gentoo.org/viewcvs.py/gentoo-projects/forums/htdocs/rss.php?rev=1.7&content-type=text/plain |
269 |
diff : http://sources.gentoo.org/viewcvs.py/gentoo-projects/forums/htdocs/rss.php?r1=1.6&r2=1.7 |
270 |
|
271 |
Index: rss.php |
272 |
=================================================================== |
273 |
RCS file: /var/cvsroot/gentoo-projects/forums/htdocs/rss.php,v |
274 |
retrieving revision 1.6 |
275 |
retrieving revision 1.7 |
276 |
diff -u -r1.6 -r1.7 |
277 |
--- rss.php 8 Jun 2006 22:08:45 -0000 1.6 |
278 |
+++ rss.php 30 Jul 2009 06:38:50 -0000 1.7 |
279 |
@@ -6,7 +6,7 @@ |
280 |
* copyright : (C) 2005 Tom Knight |
281 |
* email : tomk@g.o |
282 |
* |
283 |
- * $Id: rss.php,v 1.6 2006/06/08 22:08:45 tomk Exp $ |
284 |
+ * $Id: rss.php,v 1.7 2009/07/30 06:38:50 desultory Exp $ |
285 |
* |
286 |
* |
287 |
***************************************************************************/ |
288 |
@@ -37,6 +37,9 @@ |
289 |
if (isset($_SERVER['HTTP_HOST']) && isset($_SERVER['SERVER_ADDR']) && isset($_SERVER['REMOTE_ADDR'])) |
290 |
{ |
291 |
// we're being run from apache |
292 |
+ /* I fail to grasp the logic behind retaining this feature, especially |
293 |
+ * without patching it against abuse via squid, and don't feel like patching |
294 |
+ * it. -- desultory |
295 |
if ($_SERVER['SERVER_ADDR'] == $_SERVER['REMOTE_ADDR']) |
296 |
{ |
297 |
// and we're being run locally |
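Review bot: The local-host GLSA mode is disabled by wrapping it in a `/* ... */` block instead of deleting it, so the dead code, including its `$_HTTP_GET_VARS['mode']` read, stays in the file, with the closing `*/` landing in the next hunk. Since the new comment already records why the feature was dropped, prefer removing the block and keeping a one-line `// Local GLSA mode removed: SERVER_ADDR == REMOTE_ADDR is also satisfied by requests arriving through a proxy on this host. -- desultory`. If `$glsa_mode` was only assigned inside the disabled block, any later use of it in rss.php should be checked, since on this path it is now never set.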
298 |
@@ -47,6 +50,7 @@ |
299 |
$glsa_mode = $_HTTP_GET_VARS['mode']; |
300 |
} |
301 |
} |
302 |
+ */ |
303 |
} |
304 |
elseif (isset($_SERVER['USER']) && isset($_SERVER['LOGNAME'])) |
305 |
{ |
306 |
|
307 |
|
308 |
|
309 |
1.27 forums/htdocs/search.php |
310 |
|
311 |
file : http://sources.gentoo.org/viewcvs.py/gentoo-projects/forums/htdocs/search.php?rev=1.27&view=markup |
312 |
plain: http://sources.gentoo.org/viewcvs.py/gentoo-projects/forums/htdocs/search.php?rev=1.27&content-type=text/plain |
313 |
diff : http://sources.gentoo.org/viewcvs.py/gentoo-projects/forums/htdocs/search.php?r1=1.26&r2=1.27 |
314 |
|
315 |
Index: search.php |
316 |
=================================================================== |
317 |
RCS file: /var/cvsroot/gentoo-projects/forums/htdocs/search.php,v |
318 |
retrieving revision 1.26 |
319 |
retrieving revision 1.27 |
320 |
diff -u -r1.26 -r1.27 |
321 |
--- search.php 1 Jul 2008 21:59:28 -0000 1.26 |
322 |
+++ search.php 30 Jul 2009 06:38:50 -0000 1.27 |
323 |
@@ -6,7 +6,7 @@ |
324 |
* copyright : (C) 2001 The phpBB Group |
325 |
* email : support@×××××.com |
326 |
* |
327 |
- * $Id: search.php,v 1.26 2008/07/01 21:59:28 tomk Exp $ |
328 |
+ * $Id: search.php,v 1.27 2009/07/30 06:38:50 desultory Exp $ |
329 |
* |
330 |
* |
331 |
***************************************************************************/ |
332 |
@@ -1401,7 +1401,8 @@ |
333 |
} |
334 |
|
335 |
// 2005-11-19 tomk - Cache form values when using https |
336 |
-if (isset($_SERVER['HTTPS'])) |
337 |
+// 2008-12 desultory -- Do the same behind an https proxy. |
338 |
+if (isset($_SERVER['HTTPS']) || isset($_SERVER["HTTP_FRONT_END_HTTPS"])) |
339 |
{ |
340 |
define('IN_SEARCH', true); |
341 |
} |