! Error in poll if more than 256 choices are added

! later versions of photoshop CS4+ use cellTextIsHtml causing false image infection positives. !short disallowed bbcode in signatures disallow longer that starts with the same letter [Bug 4936] ! Loading external avatars %20 is dropped [Bug 4904] ! Search for members in admin panel for date fails starting from 2nd spage [Bug 4880] + some changes to avoid write into $_POST ! searchbox hidden in header when search is not allowed [Bug 4862] ! template parser error [Bug 4937] ! fixed bypassing of deflate step during unzip when in fact they should have been deflated
SimpleMachines · Jan 27, 2012 · 43a398c · 43a398c
1 parent b2951f6
commit 43a398c
Show file tree

Hide file tree

Showing 9 changed files with 98 additions and 81 deletions.
diff --git a/Sources/DbPackages-mysql.php b/Sources/DbPackages-mysql.php
@@ -121,30 +121,7 @@ function smf_db_create_table($table_name, $columns, $indexes = array(), $paramet
 	// Righty - let's do the damn thing!
 	$table_query = 'CREATE TABLE ' . $table_name . "\n" . '(';
 	foreach ($columns as $column)
-	{
-		// Auto increment is easy here!
-		if (!empty($column['auto']))
-		{
-			$default = 'auto_increment';
-		}
-		elseif (isset($column['default']) && $column['default'] !== null)
-			$default = 'default \'' . $smcFunc['db_escape_string']($column['default']) . '\'';
-		else
-			$default = '';
-
-		// Sort out the size... and stuff...
-		$column['size'] = isset($column['size']) && is_numeric($column['size']) ? $column['size'] : null;
-		list ($type, $size) = $smcFunc['db_calculate_type']($column['type'], $column['size']);
-
-		// Allow unsigned integers (mysql only)
-		$unsigned = in_array($type, array('int', 'tinyint', 'smallint', 'mediumint', 'bigint')) && !empty($column['unsigned']) ? 'unsigned ' : '';
-
-		if ($size !== null)
-			$type = $type . '(' . $size . ')';
-
-		// Now just put it together!
-		$table_query .= "\n\t`" .$column['name'] . '` ' . $type . ' ' . (!empty($unsigned) ? $unsigned : '') . (!empty($column['null']) ? '' : 'NOT NULL') . ' ' . $default . ',';
-	}
+		$table_query .= "\n\t" . smf_db_create_query_column($column);
 
 	// Loop through the indexes next...
 	foreach ($indexes as $index)
@@ -259,9 +236,7 @@ function smf_db_add_column($table_name, $column_info, $parameters = array(), $if
 	// Now add the thing!
 	$query = '
 		ALTER TABLE ' . $table_name . '
-		ADD `' . $column_info['name'] . '` ' . $type . ' ' . (!empty($unsigned) ? $unsigned : '') . (empty($column_info['null']) ? 'NOT NULL' : '') . ' ' .
-			(!isset($column_info['default']) ? '' : 'default \'' . $smcFunc['db_escape_string']($column_info['default']) . '\'') . ' ' .
-			(empty($column_info['auto']) ? '' : 'auto_increment primary key') . ' ';
+		ADD ' . smf_db_create_query_column($column_info);
 	$smcFunc['db_query']('', $query,
 		array(
 			'security_override' => true,
@@ -643,4 +618,30 @@ function smf_db_list_indexes($table_name, $detail = false, $parameters = array()
 	return $indexes;
 }
 
+function smf_db_create_query_column($column)
+{
+	// Auto increment is easy here!
+	if (!empty($column['auto']))
+	{
+		$default = 'auto_increment';
+	}
+	elseif (isset($column['default']) && $column['default'] !== null)
+		$default = 'default \'' . $smcFunc['db_escape_string']($column['default']) . '\'';
+	else
+		$default = '';
+
+	// Sort out the size... and stuff...
+	$column['size'] = isset($column['size']) && is_numeric($column['size']) ? $column['size'] : null;
+	list ($type, $size) = $smcFunc['db_calculate_type']($column['type'], $column['size']);
+
+	// Allow unsigned integers (mysql only)
+	$unsigned = in_array($type, array('int', 'tinyint', 'smallint', 'mediumint', 'bigint')) && !empty($column['unsigned']) ? 'unsigned ' : '';
+
+	if ($size !== null)
+		$type = $type . '(' . $size . ')';
+
+	// Now just put it together!
+	return '`' .$column['name'] . '` ' . $type . ' ' . (!empty($unsigned) ? $unsigned : '') . (!empty($column['null']) ? '' : 'NOT NULL') . ' ' . $default . ',';
+}
+
 ?>
diff --git a/Sources/ManageMembers.php b/Sources/ManageMembers.php
@@ -156,23 +156,19 @@ function ViewMemberlist()
 		// Clean the input.
 		foreach ($_POST['delete'] as $key => $value)
 		{
-			$_POST['delete'][$key] = (int) $value;
 			// Don't delete yourself, idiot.
-			if ($value == $user_info['id'])
-				unset($_POST['delete'][$key]);
+			if ($value != $user_info['id'])
+				$delete[$key] = (int) $value;
 		}
 
-		if (!empty($_POST['delete']))
+		if (!empty($delete))
 		{
 			// Delete all the selected members.
 			require_once($sourcedir . '/Subs-Members.php');
 			deleteMembers($_POST['delete'], true);
 		}
 	}
 
-	if ($context['sub_action'] == 'query' && !empty($_REQUEST['params']) && empty($_POST))
-		$_POST += @unserialize(base64_decode($_REQUEST['params']));
-
 	// Check input after a member search has been submitted.
 	if ($context['sub_action'] == 'query')
 	{
@@ -284,6 +280,19 @@ function ViewMemberlist()
 
 		call_integration_hook('integrate_view_members_params', array(&$params));
 
+		$search_params = array();
+		if ($context['sub_action'] == 'query' && !empty($_REQUEST['params']) && empty($_POST))
+			$search_params = @unserialize(base64_decode($_REQUEST['params']));
+		elseif (!empty($_POST))
+		{
+			$search_params['types'] = $_POST['types'];
+			foreach ($params as $param_name => $param_info)
+				if (isset($_POST[$param_name]))
+					$search_params[$param_name] = $_POST[$param_name];
+		}
+
+		$search_url_params = isset($search_params) ? base64_encode(serialize($search_params)) : null;
+
 		// @todo Validate a little more.
 
 		// Loop through every field of the form.
@@ -292,73 +301,73 @@ function ViewMemberlist()
 		foreach ($params as $param_name => $param_info)
 		{
 			// Not filled in?
-			if (!isset($_POST[$param_name]) || $_POST[$param_name] === '')
+			if (!isset($search_params[$param_name]) || $search_params[$param_name] === '')
 				continue;
 
 			// Make sure numeric values are really numeric.
 			if (in_array($param_info['type'], array('int', 'age')))
-				$_POST[$param_name] = (int) $_POST[$param_name];
+				$search_params[$param_name] = (int) $search_params[$param_name];
 			// Date values have to match the specified format.
 			elseif ($param_info['type'] == 'date')
 			{
 				// Check if this date format is valid.
-				if (preg_match('/^\d{4}-\d{1,2}-\d{1,2}$/', $_POST[$param_name]) == 0)
+				if (preg_match('/^\d{4}-\d{1,2}-\d{1,2}$/', $search_params[$param_name]) == 0)
 					continue;
 
-				$_POST[$param_name] = strtotime($_POST[$param_name]);
+				$search_params[$param_name] = strtotime($search_params[$param_name]);
 			}
 
 			// Those values that are in some kind of range (<, <=, =, >=, >).
 			if (!empty($param_info['range']))
 			{
 				// Default to '=', just in case...
-				if (empty($range_trans[$_POST['types'][$param_name]]))
-					$_POST['types'][$param_name] = '=';
+				if (empty($range_trans[$search_params['types'][$param_name]]))
+					$search_params['types'][$param_name] = '=';
 
 				// Handle special case 'age'.
 				if ($param_info['type'] == 'age')
 				{
 					// All people that were born between $lowerlimit and $upperlimit are currently the specified age.
 					$datearray = getdate(forum_time());
-					$upperlimit = sprintf('%04d-%02d-%02d', $datearray['year'] - $_POST[$param_name], $datearray['mon'], $datearray['mday']);
-					$lowerlimit = sprintf('%04d-%02d-%02d', $datearray['year'] - $_POST[$param_name] - 1, $datearray['mon'], $datearray['mday']);
-					if (in_array($_POST['types'][$param_name], array('-', '--', '=')))
+					$upperlimit = sprintf('%04d-%02d-%02d', $datearray['year'] - $search_params[$param_name], $datearray['mon'], $datearray['mday']);
+					$lowerlimit = sprintf('%04d-%02d-%02d', $datearray['year'] - $search_params[$param_name] - 1, $datearray['mon'], $datearray['mday']);
+					if (in_array($search_params['types'][$param_name], array('-', '--', '=')))
 					{
 						$query_parts[] = ($param_info['db_fields'][0]) . ' > {string:' . $param_name . '_minlimit}';
-						$where_params[$param_name . '_minlimit'] = ($_POST['types'][$param_name] == '--' ? $upperlimit : $lowerlimit);
+						$where_params[$param_name . '_minlimit'] = ($search_params['types'][$param_name] == '--' ? $upperlimit : $lowerlimit);
 					}
-					if (in_array($_POST['types'][$param_name], array('+', '++', '=')))
+					if (in_array($search_params['types'][$param_name], array('+', '++', '=')))
 					{
 						$query_parts[] = ($param_info['db_fields'][0]) . ' <= {string:' . $param_name . '_pluslimit}';
-						$where_params[$param_name . '_pluslimit'] = ($_POST['types'][$param_name] == '++' ? $lowerlimit : $upperlimit);
+						$where_params[$param_name . '_pluslimit'] = ($search_params['types'][$param_name] == '++' ? $lowerlimit : $upperlimit);
 
 						// Make sure that members that didn't set their birth year are not queried.
 						$query_parts[] = ($param_info['db_fields'][0]) . ' > {date:dec_zero_date}';
 						$where_params['dec_zero_date'] = '0004-12-31';
 					}
 				}
 				// Special case - equals a date.
-				elseif ($param_info['type'] == 'date' && $_POST['types'][$param_name] == '=')
+				elseif ($param_info['type'] == 'date' && $search_params['types'][$param_name] == '=')
 				{
-					$query_parts[] = $param_info['db_fields'][0] . ' > ' . $_POST[$param_name] . ' AND ' . $param_info['db_fields'][0] . ' < ' . ($_POST[$param_name] + 86400);
+					$query_parts[] = $param_info['db_fields'][0] . ' > ' . $search_params[$param_name] . ' AND ' . $param_info['db_fields'][0] . ' < ' . ($search_params[$param_name] + 86400);
 				}
 				else
-					$query_parts[] = $param_info['db_fields'][0] . ' ' . $range_trans[$_POST['types'][$param_name]] . ' ' . $_POST[$param_name];
+					$query_parts[] = $param_info['db_fields'][0] . ' ' . $range_trans[$search_params['types'][$param_name]] . ' ' . $search_params[$param_name];
 			}
 			// Checkboxes.
 			elseif ($param_info['type'] == 'checkbox')
 			{
 				// Each checkbox or no checkbox at all is checked -> ignore.
-				if (!is_array($_POST[$param_name]) || count($_POST[$param_name]) == 0 || count($_POST[$param_name]) == count($param_info['values']))
+				if (!is_array($search_params[$param_name]) || count($search_params[$param_name]) == 0 || count($search_params[$param_name]) == count($param_info['values']))
 					continue;
 
 				$query_parts[] = ($param_info['db_fields'][0]) . ' IN ({array_string:' . $param_name . '_check})';
-				$where_params[$param_name . '_check'] = $_POST[$param_name];
+				$where_params[$param_name . '_check'] = $search_params[$param_name];
 			}
 			else
 			{
 				// Replace the wildcard characters ('*' and '?') into MySQL ones.
-				$parameter = strtolower(strtr($smcFunc['htmlspecialchars']($_POST[$param_name], ENT_QUOTES), array('%' => '\%', '_' => '\_', '*' => '%', '?' => '_')));
+				$parameter = strtolower(strtr($smcFunc['htmlspecialchars']($search_params[$param_name], ENT_QUOTES), array('%' => '\%', '_' => '\_', '*' => '%', '?' => '_')));
 
 				$query_parts[] = '(' . implode( ' LIKE {string:' . $param_name . '_normal} OR ', $param_info['db_fields']) . ' LIKE {string:' . $param_name . '_normal})';
 				$where_params[$param_name . '_normal'] = '%' . $parameter . '%';
@@ -369,15 +378,15 @@ function ViewMemberlist()
 		$mg_query_parts = array();
 
 		// Primary membergroups, but only if at least was was not selected.
-		if (!empty($_POST['membergroups'][1]) && count($context['membergroups']) != count($_POST['membergroups'][1]))
+		if (!empty($search_params['membergroups'][1]) && count($context['membergroups']) != count($search_params['membergroups'][1]))
 		{
 			$mg_query_parts[] = 'mem.id_group IN ({array_int:group_check})';
-			$where_params['group_check'] = $_POST['membergroups'][1];
+			$where_params['group_check'] = $search_params['membergroups'][1];
 		}
 
 		// Additional membergroups (these are only relevant if not all primary groups where selected!).
-		if (!empty($_POST['membergroups'][2]) && (empty($_POST['membergroups'][1]) || count($context['membergroups']) != count($_POST['membergroups'][1])))
-			foreach ($_POST['membergroups'][2] as $mg)
+		if (!empty($search_params['membergroups'][2]) && (empty($search_params['membergroups'][1]) || count($context['membergroups']) != count($search_params['membergroups'][1])))
+			foreach ($search_params['membergroups'][2] as $mg)
 			{
 				$mg_query_parts[] = 'FIND_IN_SET({int:add_group_' . $mg . '}, mem.additional_groups) != 0';
 				$where_params['add_group_' . $mg] = $mg;
@@ -388,23 +397,21 @@ function ViewMemberlist()
 			$query_parts[] = '(' . implode(' OR ', $mg_query_parts) . ')';
 
 		// Get all selected post count related membergroups.
-		if (!empty($_POST['postgroups']) && count($_POST['postgroups']) != count($context['postgroups']))
+		if (!empty($search_params['postgroups']) && count($search_params['postgroups']) != count($context['postgroups']))
 		{
 			$query_parts[] = 'id_post_group IN ({array_int:post_groups})';
-			$where_params['post_groups'] = $_POST['postgroups'];
+			$where_params['post_groups'] = $search_params['postgroups'];
 		}
 
 		// Construct the where part of the query.
 		$where = empty($query_parts) ? '1' : implode('
 			AND ', $query_parts);
-
-		$search_params = base64_encode(serialize($_POST));
 	}
 	else
-		$search_params = null;
+		$search_url_params = null;
 
 	// Construct the additional URL part with the query info in it.
-	$context['params_url'] = $context['sub_action'] == 'query' ? ';sa=query;params=' . $search_params : '';
+	$context['params_url'] = $context['sub_action'] == 'query' ? ';sa=query;params=' . $search_url_params : '';
 
 	// Get the title and sub template ready..
 	$context['page_title'] = $txt['admin_members'];

diff --git a/Sources/Poll.php b/Sources/Poll.php
@@ -641,6 +641,8 @@ function EditPoll2()
 	}
 	if ($optionCount < 2)
 		$poll_errors[] = 'poll_few';
+	elseif ($optionCount > 256)
+		$poll_errors[] = 'poll_many';
 
 	// Also - ensure they are not removing the question.
 	if (trim($_POST['question']) == '')

diff --git a/Sources/Post.php b/Sources/Post.php
@@ -1524,6 +1524,8 @@ function Post2()
 		// What are you going to vote between with one choice?!?
 		if (count($_POST['options']) < 2)
 			$post_errors[] = 'poll_few';
+		elseif (count($_POST['options']) > 256)
+			$post_errors[] = 'poll_many';
 	}
 
 	if ($posterIsGuest)

diff --git a/Sources/Profile-Modify.php b/Sources/Profile-Modify.php
@@ -2675,7 +2675,7 @@ function profileSaveAvatarData(&$value)
 		removeAttachments(array('id_member' => $memID));
 
 		// @todo http://www.simplemachines.org/community/index.php?topic=462089.msg3226650#msg3226650
-		$profile_vars['avatar'] = str_replace('%20', ' ', preg_replace('~action(?:=|%3d)(?!dlattach)~i', 'action-', $_POST['userpicpersonal']));
+		$profile_vars['avatar'] = str_replace(' ', '%20', preg_replace('~action(?:=|%3d)(?!dlattach)~i', 'action-', $_POST['userpicpersonal']));
 
 		if ($profile_vars['avatar'] == 'http://' || $profile_vars['avatar'] == 'http:///')
 			$profile_vars['avatar'] = '';
@@ -2993,7 +2993,7 @@ function profileValidateSignature(&$value)
 		$disabledSigBBC = implode('|', $disabledTags);
 		if (!empty($disabledSigBBC))
 		{
-			if (preg_match('~\[(' . $disabledSigBBC . ')~i', $unparsed_signature, $matches) !== false && isset($matches[1]))
+			if (preg_match('~\[(' . $disabledSigBBC . '[ =\]/])~i', $unparsed_signature, $matches) !== false && isset($matches[1]))
 			{
 				$disabledTags = array_unique($disabledTags);
 				$txt['profile_error_signature_disabled_bbc'] = sprintf($txt['profile_error_signature_disabled_bbc'], implode(', ', $disabledTags));

diff --git a/Sources/Subs-Graphics.php b/Sources/Subs-Graphics.php
@@ -121,7 +121,7 @@ function checkImageContents($fileName, $extensiveCheck = false)
 		else
 		{
 			// Check for potential infection
-			if (preg_match('~(iframe|html|eval|body|script\W|[CF]WS[\x01-\x0C])~i', $prev_chunk . $cur_chunk) === 1)
+			if (preg_match('~(iframe|(?<!cellTextIs)html|eval|body|script\W|[CF]WS[\x01-\x0C])~i', $prev_chunk . $cur_chunk) === 1)
 			{
 				fclose($fp);
 				return false;

diff --git a/Sources/Subs-Package.php b/Sources/Subs-Package.php
@@ -260,9 +260,9 @@ function read_zip_data($data, $destination, $single_file = false, $overwrite = f
 		if ($file_info['general_purpose'] & 0x0008)
 		{
 			$unzipped2 = unpack("Vcrc/Vcompressed_size/Vsize", substr($$data, -12));
-			$unzipped['crc'] = $unzipped2['crc'];
-			$unzipped['compressed_size'] = $unzipped2['compressed_size'];
-			$unzipped['size'] = $unzipped2['size'];
+			$file_info['crc'] = $unzipped2['crc'];
+			$file_info['compressed_size'] = $unzipped2['compressed_size'];
+			$file_info['size'] = $unzipped2['size'];
 			unset($unzipped2);
 		}
 
@@ -290,7 +290,7 @@ function read_zip_data($data, $destination, $single_file = false, $overwrite = f
 		$file_info['data'] = substr($data, 26 + $file_info['filename_length'] + $file_info['extrafield_length']);
 
 		// Only inflate it if we need to ;)
-		if ($file_info['compressed_size'] != $file_info['size'])
+		if (!empty($file_info['compress_method']) || ($file_info['compressed_size'] != $file_info['size']))
 			$file_info['data'] = gzinflate($file_info['data']);
 
 		// Okay!  We can write this file, looks good from here...

diff --git a/Themes/default/index.template.php b/Themes/default/index.template.php
@@ -180,8 +180,8 @@ function template_html_above()
 	// Show all the relative links, such as help, search, contents, and the like.
 	echo '
 	<link rel="help" href="', $scripturl, '?action=help" />
-	<link rel="search" href="', $scripturl, '?action=search" />
-	<link rel="contents" href="', $scripturl, '" />';
+	<link rel="contents" href="', $scripturl, '" />', ($context['allow_search'] ? '
+	<link rel="search" href="' . $scripturl . '?action=search" />' : '');
 
 	// If RSS feeds are enabled, advertise the presence of one.
 	if (!empty($modSettings['xmlnews_enable']) && (!empty($modSettings['allow_guestAccess']) || $context['user']['is_logged']))
@@ -295,22 +295,26 @@ function template_body_above()
 
 	echo '
 			</div>
-			<div class="news normaltext">
+			<div class="news normaltext">';
+	if ($context['allow_search'])
+	{
+		echo '
 				<form id="search_form" action="', $scripturl, '?action=search2" method="post" accept-charset="', $context['character_set'], '">
 					<input type="text" name="search" value="" class="input_text" />&nbsp;
 					<input type="submit" name="submit" value="', $txt['search'], '" class="button_submit" />
 					<input type="hidden" name="advanced" value="0" />';
 
-	// Search within current topic?
-	if (!empty($context['current_topic']))
-		echo '
-					<input type="hidden" name="topic" value="', $context['current_topic'], '" />';
-	// If we're on a certain board, limit it to this board ;).
-	elseif (!empty($context['current_board']))
-		echo '
-					<input type="hidden" name="brd[', $context['current_board'], ']" value="', $context['current_board'], '" />';
+		// Search within current topic?
+		if (!empty($context['current_topic']))
+			echo '
+						<input type="hidden" name="topic" value="', $context['current_topic'], '" />';
+		// If we're on a certain board, limit it to this board ;).
+		elseif (!empty($context['current_board']))
+			echo '
+						<input type="hidden" name="brd[', $context['current_board'], ']" value="', $context['current_board'], '" />';
 
-	echo '</form>';
+		echo '</form>';
+	}
 
 	// Show a random news item? (or you could pick one from news_lines...)
 	if (!empty($settings['enable_news']))

diff --git a/Themes/default/languages/Errors.english.php b/Themes/default/languages/Errors.english.php
@@ -244,6 +244,7 @@
 $txt['error_bad_bcc'] = 'One or more \'bcc\'-recipients could not be found.';
 $txt['error_form_already_submitted'] = 'You already submitted this post!  You might have accidentally double clicked or tried to refresh the page.';
 $txt['error_poll_few'] = 'You must have at least two choices!';
+$txt['error_poll_many'] = 'You must have no more than 256 choices!';
 $txt['error_need_qr_verification'] = 'Please complete the verification section below to complete your post.';
 $txt['error_wrong_verification_code'] = 'The letters you typed don\'t match the letters that were shown in the picture.';
 $txt['error_wrong_verification_answer'] = 'You did not answer the verification questions correctly.';