
From: "Dean Stephens (desultory)" <desultory@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo-projects commit in forums/htdocs: common.php groupcp.php privmsg.php profile.php rss.php search.php
Date: Thu, 30 Jul 2009 06:38:54
Message-Id: E1MWPHu-0007bX-J6@stork.gentoo.org
1 desultory 09/07/30 06:38:50
2
3 Modified: common.php groupcp.php privmsg.php profile.php
4 rss.php search.php
5 Log:
6 Upgrade to 2.0.23, add some proxy fixes, fix bug 191626 and bug 170166.
7
8 Revision Changes Path
9 1.9 forums/htdocs/common.php
10
11 file : http://sources.gentoo.org/viewcvs.py/gentoo-projects/forums/htdocs/common.php?rev=1.9&view=markup
12 plain: http://sources.gentoo.org/viewcvs.py/gentoo-projects/forums/htdocs/common.php?rev=1.9&content-type=text/plain
13 diff : http://sources.gentoo.org/viewcvs.py/gentoo-projects/forums/htdocs/common.php?r1=1.8&r2=1.9
14
15 Index: common.php
16 ===================================================================
17 RCS file: /var/cvsroot/gentoo-projects/forums/htdocs/common.php,v
18 retrieving revision 1.8
19 retrieving revision 1.9
20 diff -u -r1.8 -r1.9
21 --- common.php 9 Jun 2006 19:14:17 -0000 1.8
22 +++ common.php 30 Jul 2009 06:38:50 -0000 1.9
23 @@ -6,7 +6,7 @@
24 * copyright : (C) 2001 The phpBB Group
25 * email : support@×××××.com
26 *
27 - * $Id: common.php,v 1.8 2006/06/09 19:14:17 tomk Exp $
28 + * $Id: common.php,v 1.9 2009/07/30 06:38:50 desultory Exp $
29 *
30 ***************************************************************************/
31
32 @@ -204,6 +204,28 @@
33 // even bother complaining ... go scream and shout at the idiots out there who feel
34 // "clever" is doing harm rather than good ... karma is a great thing ... :)
35 $client_ip = ( !empty($HTTP_SERVER_VARS['REMOTE_ADDR']) ) ? $HTTP_SERVER_VARS['REMOTE_ADDR'] : ( ( !empty($HTTP_ENV_VARS['REMOTE_ADDR']) ) ? $HTTP_ENV_VARS['REMOTE_ADDR'] : getenv('REMOTE_ADDR') );
36 +
37 +// Only trust a proxy on the same host as the server, but do not assume that it is always present.
38 +if( $client_ip == '127.0.0.1' )
39 +{
40 + $x_forwarded_for = ( isset($_SERVER['HTTP_X_FORWARDED_FOR']) ) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : "";
41 +
42 + if( !empty($x_forwarded_for) ) // The client might actually be on the local host.
43 + {
44 +
45 + // Pull the last IP out and use it for client_ip, the last in the list being the one added by the most recent proxy.
46 + // The most recent proxy being the only one which is actually trusted to give correct information.
47 + $addrs = explode(', ',$x_forwarded_for);
48 + $client_ip = array_pop($addrs);
49 +
50 + // A better regex might be in order, but this shoudl do for now.
51 + if(!preg_match('/^[12]?[0-9]?[0-9]\.[12]?[0-9]?[0-9]\.[12]?[0-9]?[0-9]\.[12]?[0-9]?[0-9]$/',$client_ip))
52 + {
53 + message_die(CRITICAL_ERROR, "Bad address from proxy: $client_ip");
54 + }
55 + }
56 +}
57 +
58 $user_ip = encode_ip($client_ip);
59
60 //
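Review bot: The `message_die(CRITICAL_ERROR, "Bad address from proxy: $client_ip")` line echoes a value that comes straight from the client's X-Forwarded-For header whenever the local proxy does not use the exact `', '` separator the `explode(', ', $x_forwarded_for)` line assumes (a bare `','` leaves the client's whole list in the last element), so unless message_die is known to escape its message the raw value should be logged rather than displayed: `message_die(CRITICAL_ERROR, 'Bad address from proxy');`. Splitting on the comma and trimming, `$addrs = array_map('trim', explode(',', $x_forwarded_for));`, removes the dependency on the proxy's exact formatting. The hand-written regex admits octets up to 299 and no IPv6 at all; `filter_var($client_ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)` (PHP 5.2+) is the stricter drop-in, and `encode_ip()` on the context line below presumably expects dotted IPv4, so keep the IPv4 flag if that is confirmed. Trusting only `127.0.0.1` is the right model; the literal would sit better in `$board_config` than in the middle of common.php. The comment also has a `shoudl` typo.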
61
62
63
64 1.7 forums/htdocs/groupcp.php
65
66 file : http://sources.gentoo.org/viewcvs.py/gentoo-projects/forums/htdocs/groupcp.php?rev=1.7&view=markup
67 plain: http://sources.gentoo.org/viewcvs.py/gentoo-projects/forums/htdocs/groupcp.php?rev=1.7&content-type=text/plain
68 diff : http://sources.gentoo.org/viewcvs.py/gentoo-projects/forums/htdocs/groupcp.php?r1=1.6&r2=1.7
69
70 Index: groupcp.php
71 ===================================================================
72 RCS file: /var/cvsroot/gentoo-projects/forums/htdocs/groupcp.php,v
73 retrieving revision 1.6
74 retrieving revision 1.7
75 diff -u -r1.6 -r1.7
76 --- groupcp.php 29 Dec 2006 11:52:49 -0000 1.6
77 +++ groupcp.php 30 Jul 2009 06:38:50 -0000 1.7
78 @@ -6,7 +6,7 @@
79 * copyright : (C) 2001 The phpBB Group
80 * email : support@×××××.com
81 *
82 - * $Id: groupcp.php,v 1.6 2006/12/29 11:52:49 tomk Exp $
83 + * $Id: groupcp.php,v 1.7 2009/07/30 06:38:50 desultory Exp $
84 *
85 *
86 ***************************************************************************/
87 @@ -120,7 +120,8 @@
88 $script_name = preg_replace('/^\/?(.*?)\/?$/', "\\1", trim($board_config['script_path']));
89 $script_name = ( $script_name != '' ) ? $script_name . '/groupcp.'.$phpEx : 'groupcp.'.$phpEx;
90 $server_name = trim($board_config['server_name']);
91 -$server_protocol = ( isset($_SERVER['HTTPS']) || $board_config['cookie_secure'] ) ? 'https://' : 'http://';
92 +// 2008-12 desultory -- Another page, another proxy tweak.
93 +$server_protocol = ( isset($_SERVER['HTTPS']) || isset($_SERVER["HTTP_FRONT_END_HTTPS"]) || $board_config['cookie_secure'] ) ? 'https://' : 'http://';
94 $server_port = ( $board_config['server_port'] <> 80 ) ? ':' . trim($board_config['server_port']) . '/' : '/';
95
96 $server_url = $server_protocol . $server_name . $server_port . $script_name;
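Review bot: `isset($_SERVER["HTTP_FRONT_END_HTTPS"])` on the new `$server_protocol` line is true for any value, including the `off` the Front-End-Https convention sends for plain HTTP, and the header is supplied by whoever sent the request, so a client can pick the scheme of the `$server_url` assembled on the next lines regardless of the proxy (the callers that emit that URL are outside this hunk). Check both the value and the source, mirroring the trust rule common.php applies to X-Forwarded-For in this same commit: `isset($_SERVER['HTTP_FRONT_END_HTTPS']) && strtolower($_SERVER['HTTP_FRONT_END_HTTPS']) == 'on' && $_SERVER['REMOTE_ADDR'] == '127.0.0.1'`. The identical expression is added to profile.php and search.php, so a single helper or a `$board_config['behind_ssl_proxy']` flag would keep the three in step. The comment `// Another page, another proxy tweak.` should say which proxy and which header are meant.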
97 @@ -146,6 +147,7 @@
98
99 $confirm = ( isset($HTTP_POST_VARS['confirm']) ) ? TRUE : 0;
100 $cancel = ( isset($HTTP_POST_VARS['cancel']) ) ? TRUE : 0;
101 +$sid = ( isset($HTTP_POST_VARS['sid']) ) ? $HTTP_POST_VARS['sid'] : '';
102
103 $start = ( isset($HTTP_GET_VARS['start']) ) ? intval($HTTP_GET_VARS['start']) : 0;
104 $start = ($start < 0) ? 0 : $start;
105 @@ -210,6 +212,10 @@
106 {
107 redirect(append_sid("login.$phpEx?redirect=groupcp.$phpEx&" . POST_GROUPS_URL . "=$group_id", true));
108 }
109 + else if ( $sid !== $userdata['session_id'] )
110 + {
111 + message_die(GENERAL_ERROR, $lang['Session_invalid']);
112 + }
113
114 $sql = "SELECT ug.user_id, g.group_type
115 FROM " . USER_GROUP_TABLE . " ug, " . GROUPS_TABLE . " g
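Review bot: The token compared on the new `else if ( $sid !== $userdata['session_id'] )` lines is the session id itself, which the `append_sid(...)` redirect on the line above also places in URLs, so it is exposed in Referer headers and browser history and is a weaker CSRF token than a per-session random value would be; this presumably mirrors upstream 2.0.23, but it deserves a comment, e.g. `// sid doubles as the CSRF token (phpBB 2.0.23 convention); note it also travels in URLs via append_sid`. Placing the check after the logged-in redirect is right, since an anonymous visitor should be sent to login rather than shown Session_invalid. The enclosing branch begins before this hunk.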
116 @@ -322,10 +328,14 @@
117 {
118 redirect(append_sid("groupcp.$phpEx", true));
119 }
120 - elseif ( !$userdata['session_logged_in'] )
121 + else if ( !$userdata['session_logged_in'] )
122 {
123 redirect(append_sid("login.$phpEx?redirect=groupcp.$phpEx&" . POST_GROUPS_URL . "=$group_id", true));
124 }
125 + else if ( $sid !== $userdata['session_id'] )
126 + {
127 + message_die(GENERAL_ERROR, $lang['Session_invalid']);
128 + }
129
130 if ( $confirm )
131 {
132 @@ -374,6 +384,7 @@
133 $unsub_msg = ( isset($HTTP_POST_VARS['unsub']) ) ? $lang['Confirm_unsub'] : $lang['Confirm_unsub_pending'];
134
135 $s_hidden_fields = '<input type="hidden" name="' . POST_GROUPS_URL . '" value="' . $group_id . '" /><input type="hidden" name="unsub" value="1" />';
136 + $s_hidden_fields .= '<input type="hidden" name="sid" value="' . $userdata['session_id'] . '" />';
137
138 $page_title = $lang['Group_Control_Panel'];
139 include($phpbb_root_path . 'includes/page_header.'.$phpEx);
140 @@ -431,7 +442,7 @@
141 WHERE aa.group_id = g.group_id
142 )
143 )
144 - ORDER BY aa.auth_mod DESC";
145 + ORDER BY auth_mod DESC";
146 break;
147
148 case 'oracle':
149 @@ -472,6 +483,10 @@
150 if ( !$userdata['session_logged_in'] )
151 {
152 redirect(append_sid("login.$phpEx?redirect=groupcp.$phpEx&" . POST_GROUPS_URL . "=$group_id", true));
153 + }
154 + else if ( $sid !== $userdata['session_id'] )
155 + {
156 + message_die(GENERAL_ERROR, $lang['Session_invalid']);
157 }
158
159 if ( !$is_moderator )
160 @@ -926,7 +941,7 @@
161
162 generate_user_info($group_moderator, $board_config['default_dateformat'], $is_moderator, $from, $posts, $joined, $poster_avatar, $profile_img, $profile, $search_img, $search, $pm_img, $pm, $email_img, $email, $www_img, $www, $icq_status_img, $icq_img, $icq, $aim_img, $aim, $msn_img, $msn, $yim_img, $yim);
163
164 - $s_hidden_fields .= '';
165 + $s_hidden_fields .= '<input type="hidden" name="sid" value="' . $userdata['session_id'] . '" />';
166
167 $template->assign_vars(array(
168 'L_GROUP_INFORMATION' => $lang['Group_Information'],
169 @@ -1306,4 +1321,4 @@
170
171 include($phpbb_root_path . 'includes/page_tail.'.$phpEx);
172
173 -?>
174 \ No newline at end of file
175 +?>
176
177
178
179 1.15 forums/htdocs/privmsg.php
180
181 file : http://sources.gentoo.org/viewcvs.py/gentoo-projects/forums/htdocs/privmsg.php?rev=1.15&view=markup
182 plain: http://sources.gentoo.org/viewcvs.py/gentoo-projects/forums/htdocs/privmsg.php?rev=1.15&content-type=text/plain
183 diff : http://sources.gentoo.org/viewcvs.py/gentoo-projects/forums/htdocs/privmsg.php?r1=1.14&r2=1.15
184
185 Index: privmsg.php
186 ===================================================================
187 RCS file: /var/cvsroot/gentoo-projects/forums/htdocs/privmsg.php,v
188 retrieving revision 1.14
189 retrieving revision 1.15
190 diff -u -r1.14 -r1.15
191 --- privmsg.php 29 Dec 2006 11:57:00 -0000 1.14
192 +++ privmsg.php 30 Jul 2009 06:38:50 -0000 1.15
193 @@ -6,7 +6,7 @@
194 * copyright : (C) 2001 The phpBB Group
195 * email : support@×××××.com
196 *
197 - * $Id: privmsg.php,v 1.14 2006/12/29 11:57:00 tomk Exp $
198 + * $Id: privmsg.php,v 1.15 2009/07/30 06:38:50 desultory Exp $
199 *
200 *
201 ***************************************************************************/
202 @@ -674,6 +674,7 @@
203 {
204 $s_hidden_fields = '<input type="hidden" name="mode" value="' . $mode . '" />';
205 $s_hidden_fields .= ( isset($HTTP_POST_VARS['delete']) ) ? '<input type="hidden" name="delete" value="true" />' : '<input type="hidden" name="deleteall" value="true" />';
206 + $s_hidden_fields .= '<input type="hidden" name="sid" value="' . $userdata['session_id'] . '" />';
207
208 for($i = 0; $i < count($mark_list); $i++)
209 {
210 @@ -704,7 +705,7 @@
211 include($phpbb_root_path . 'includes/page_tail.'.$phpEx);
212
213 }
214 - else if ( $confirm )
215 + else if ($confirm && $sid === $userdata['session_id'])
216 {
217 $delete_sql_id = '';
218
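Review bot: On the new `else if ($confirm && $sid === $userdata['session_id'])` line a confirm with a wrong or missing token falls through silently to whatever branch follows, whereas groupcp.php in this same commit reports `$lang['Session_invalid']` via message_die; a silent no-op hides a forged request and makes a mis-posted form look like a bug. Keep the branch on `$confirm` and fail loudly inside it: `else if ( $confirm ) { if ( $sid !== $userdata['session_id'] ) { message_die(GENERAL_ERROR, $lang['Session_invalid']); }`. `$sid` is not assigned anywhere in this hunk; if it is not read from `$HTTP_POST_VARS['sid']` earlier in the file, as groupcp.php now does, the comparison can never succeed and the deletion path is dead. The if/else chain this line belongs to starts before the hunk.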
219
220
221
222 1.7 forums/htdocs/profile.php
223
224 file : http://sources.gentoo.org/viewcvs.py/gentoo-projects/forums/htdocs/profile.php?rev=1.7&view=markup
225 plain: http://sources.gentoo.org/viewcvs.py/gentoo-projects/forums/htdocs/profile.php?rev=1.7&content-type=text/plain
226 diff : http://sources.gentoo.org/viewcvs.py/gentoo-projects/forums/htdocs/profile.php?r1=1.6&r2=1.7
227
228 Index: profile.php
229 ===================================================================
230 RCS file: /var/cvsroot/gentoo-projects/forums/htdocs/profile.php,v
231 retrieving revision 1.6
232 retrieving revision 1.7
233 diff -u -r1.6 -r1.7
234 --- profile.php 30 Apr 2006 13:54:45 -0000 1.6
235 +++ profile.php 30 Jul 2009 06:38:50 -0000 1.7
236 @@ -6,7 +6,7 @@
237 * copyright : (C) 2001 The phpBB Group
238 * email : support@×××××.com
239 *
240 - * $Id: profile.php,v 1.6 2006/04/30 13:54:45 tomk Exp $
241 + * $Id: profile.php,v 1.7 2009/07/30 06:38:50 desultory Exp $
242 *
243 *
244 ***************************************************************************/
245 @@ -56,7 +56,8 @@
246 $script_name = preg_replace('/^\/?(.*?)\/?$/', '\1', trim($board_config['script_path']));
247 $script_name = ( $script_name != '' ) ? $script_name . '/profile.'.$phpEx : 'profile.'.$phpEx;
248 $server_name = trim($board_config['server_name']);
249 -$server_protocol = ( isset($_SERVER['HTTPS']) || $board_config['cookie_secure'] ) ? 'https://' : 'http://';
250 +// 2008-12 desultory -- Proxies possibly possessing protective properties provide potentially pesky problems.
251 +$server_protocol = ( isset($_SERVER['HTTPS']) || isset($_SERVER["HTTP_FRONT_END_HTTPS"]) || $board_config['cookie_secure'] ) ? 'https://' : 'http://';
252 $server_port = ( $board_config['server_port'] <> 80 ) ? ':' . trim($board_config['server_port']) . '/' : '/';
253
254 $server_url = $server_protocol . $server_name . $server_port . $script_name;
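Review bot: As on the matching line in groupcp.php, `isset($_SERVER["HTTP_FRONT_END_HTTPS"])` is satisfied by any request carrying that header, including a `Front-End-Https: off` value and requests that never passed through the proxy, so the `$server_protocol` used for `$server_url` below is client-controlled here too. Compare the value and gate on the proxy address: `isset($_SERVER['HTTP_FRONT_END_HTTPS']) && strtolower($_SERVER['HTTP_FRONT_END_HTTPS']) == 'on' && $_SERVER['REMOTE_ADDR'] == '127.0.0.1'`. The alliterative comment on the line above says nothing about which proxy or header is meant; replace it with `// Requests arrive over http from the local proxy, which presumably terminates SSL and signals the original scheme via Front-End-Https.`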
255 @@ -146,4 +147,4 @@
256
257 redirect(append_sid("index.$phpEx", true));
258
259 -?>
260 \ No newline at end of file
261 +?>
262
263
264
265 1.7 forums/htdocs/rss.php
266
267 file : http://sources.gentoo.org/viewcvs.py/gentoo-projects/forums/htdocs/rss.php?rev=1.7&view=markup
268 plain: http://sources.gentoo.org/viewcvs.py/gentoo-projects/forums/htdocs/rss.php?rev=1.7&content-type=text/plain
269 diff : http://sources.gentoo.org/viewcvs.py/gentoo-projects/forums/htdocs/rss.php?r1=1.6&r2=1.7
270
271 Index: rss.php
272 ===================================================================
273 RCS file: /var/cvsroot/gentoo-projects/forums/htdocs/rss.php,v
274 retrieving revision 1.6
275 retrieving revision 1.7
276 diff -u -r1.6 -r1.7
277 --- rss.php 8 Jun 2006 22:08:45 -0000 1.6
278 +++ rss.php 30 Jul 2009 06:38:50 -0000 1.7
279 @@ -6,7 +6,7 @@
280 * copyright : (C) 2005 Tom Knight
281 * email : tomk@g.o
282 *
283 - * $Id: rss.php,v 1.6 2006/06/08 22:08:45 tomk Exp $
284 + * $Id: rss.php,v 1.7 2009/07/30 06:38:50 desultory Exp $
285 *
286 *
287 ***************************************************************************/
288 @@ -37,6 +37,9 @@
289 if (isset($_SERVER['HTTP_HOST']) && isset($_SERVER['SERVER_ADDR']) && isset($_SERVER['REMOTE_ADDR']))
290 {
291 // we're being run from apache
292 + /* I fail to grasp the logic behind retaining this feature, especially
293 + * without patching it against abuse via squid, and don't feel like patching
294 + * it. -- desultory
295 if ($_SERVER['SERVER_ADDR'] == $_SERVER['REMOTE_ADDR'])
296 {
297 // and we're being run locally
298 @@ -47,6 +50,7 @@
299 $glsa_mode = $_HTTP_GET_VARS['mode'];
300 }
301 }
302 + */
303 }
304 elseif (isset($_SERVER['USER']) && isset($_SERVER['LOGNAME']))
305 {
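Review bot: Commenting the local-run branch out with a `/* … */` block leaves the whole branch as dead text, including the `$_HTTP_GET_VARS['mode']` read visible at the top of this hunk, which looks like a typo for `$HTTP_GET_VARS` and suggests the feature was already broken; since the rationale is now recorded and CVS keeps the history, delete the lines instead. Keep a one-line explanation in their place, e.g. `// GLSA mode keyed on SERVER_ADDR == REMOTE_ADDR was removed: behind the local proxy every request looks local.`, so the now-empty `if` body is not mistaken for an unfinished edit. The if/elseif chain continues past this hunk.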
306
307
308
309 1.27 forums/htdocs/search.php
310
311 file : http://sources.gentoo.org/viewcvs.py/gentoo-projects/forums/htdocs/search.php?rev=1.27&view=markup
312 plain: http://sources.gentoo.org/viewcvs.py/gentoo-projects/forums/htdocs/search.php?rev=1.27&content-type=text/plain
313 diff : http://sources.gentoo.org/viewcvs.py/gentoo-projects/forums/htdocs/search.php?r1=1.26&r2=1.27
314
315 Index: search.php
316 ===================================================================
317 RCS file: /var/cvsroot/gentoo-projects/forums/htdocs/search.php,v
318 retrieving revision 1.26
319 retrieving revision 1.27
320 diff -u -r1.26 -r1.27
321 --- search.php 1 Jul 2008 21:59:28 -0000 1.26
322 +++ search.php 30 Jul 2009 06:38:50 -0000 1.27
323 @@ -6,7 +6,7 @@
324 * copyright : (C) 2001 The phpBB Group
325 * email : support@×××××.com
326 *
327 - * $Id: search.php,v 1.26 2008/07/01 21:59:28 tomk Exp $
328 + * $Id: search.php,v 1.27 2009/07/30 06:38:50 desultory Exp $
329 *
330 *
331 ***************************************************************************/
332 @@ -1401,7 +1401,8 @@
333 }
334
335 // 2005-11-19 tomk - Cache form values when using https
336 -if (isset($_SERVER['HTTPS']))
337 +// 2008-12 desultory -- Do the same behind an https proxy.
338 +if (isset($_SERVER['HTTPS']) || isset($_SERVER["HTTP_FRONT_END_HTTPS"]))
339 {
340 define('IN_SEARCH', true);
341 }
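Review bot: `isset($_SERVER["HTTP_FRONT_END_HTTPS"])` on the new condition lets any client define `IN_SEARCH`, and so take the https-only form-value caching path described in the comment above, simply by sending a `Front-End-Https` header of any value, since `isset` is true for `off` as well. The impact here is confined to the caching path, but the same expression is added to groupcp.php and profile.php in this commit where it selects the URL scheme, so one shared test is worth having: `$behind_ssl_proxy = isset($_SERVER['HTTP_FRONT_END_HTTPS']) && strtolower($_SERVER['HTTP_FRONT_END_HTTPS']) == 'on' && $_SERVER['REMOTE_ADDR'] == '127.0.0.1';`.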