8.1.20

adminzone/pages/modules/admin_stats.php

@@ -1372,7 +1372,6 @@ function install_geolocation_data()
 			$i++;
 		}
 		fclose($file);
-		fix_permissions($path);
 		if (count($to_insert['begin_num'])!=0)
 		{
 			$GLOBALS['SITE_DB']->query_insert('ip_country',$to_insert);

adminzone/pages/modules/admin_themes.php

@@ -1260,15 +1260,15 @@ function _edit_templates()
 
 			// The file we're LOADING from for edit (maybe $file, maybe some old versions being restored)
 			$restore_from=filter_naughty(get_param('restore_from',$file));
-			if (file_exists(get_file_base().'/themes/'.$restore_from))
+			if (file_exists(get_custom_file_base().'/themes/'.$restore_from))
 			{
-				$path=get_file_base().'/themes/'.$restore_from;
+				$path=get_custom_file_base().'/themes/'.$restore_from;
 				$contents=file_get_contents($path,FILE_TEXT);
 				$last_path=$path;
 			}
-			elseif (file_exists(get_custom_file_base().'/themes/'.$restore_from))
+			elseif (file_exists(get_file_base().'/themes/'.$restore_from))
 			{
-				$path=get_custom_file_base().'/themes/'.$restore_from;
+				$path=get_file_base().'/themes/'.$restore_from;
 				$contents=file_get_contents($path,FILE_TEXT);
 				$last_path=$path;
 			} else

adminzone/pages/modules/admin_themewizard.php

@@ -252,6 +252,7 @@ function step4()
 		$dark=post_param_integer('dark');
 		$inherit_css=post_param_integer('inherit_css');
 
+		echo ' '; // HACKHACK: FastCGI seems to have a weird issue with 'slowish spiky process not continuing with output' - this works around it. Not ideal as would break headers in any hook.
 		if (function_exists('set_time_limit')) @set_time_limit(0);
 
 		breadcrumb_set_parents(array(array('_SELF:_SELF:misc',do_lang_tempcode('THEMEWIZARD'))));

adminzone/pages/modules/admin_zones.php

@@ -316,6 +316,8 @@ function _editor()
 						$_preview.=do_lang('BROKEN_XHTML_FIXED');
 					}
 				}
+
+				if ($GLOBALS['XSS_DETECT']) ocp_mark_as_escaped($_preview);
 			} else $_preview=NULL;
 
 			$is_panel=(substr($for,0,6)=='panel_');

data/areaedit/plugins/SpellChecker/spell-check-logic.php

@@ -345,9 +345,9 @@ function aspell_check($aspelldictionaries,$aspellcommand,$temptext,$lang,$text,$
 	if (is_null($words_skip)) $words_skip=array();
 
 	// Convert UTF-8 multi-bytes into decimal character entities.  This is because aspell isn't fully utf8-aware
-	$text=preg_replace('/([\xC0-\xDF][\x80-\xBF])/e',"'&#'.strval(utf8_ord('\$1')).';'",$text);
-	$text=preg_replace('/([\xE0-\xEF][\x80-\xBF][\x80-\xBF])/e',"'&#'.strval(utf8_ord('\$1')).';'",$text);
-	$text=preg_replace('/([\xF0-\xF7][\x80-\xBF][\x80-\xBF][\x80-\xBF])/e',"'&#'.strval(utf8_ord('\$1')).';'",$text);
+	$text=@preg_replace('/([\xC0-\xDF][\x80-\xBF])/e',"'&#'.strval(utf8_ord('\$1')).';'",$text);
+	$text=@preg_replace('/([\xE0-\xEF][\x80-\xBF][\x80-\xBF])/e',"'&#'.strval(utf8_ord('\$1')).';'",$text);
+	$text=@preg_replace('/([\xF0-\xF7][\x80-\xBF][\x80-\xBF][\x80-\xBF])/e',"'&#'.strval(utf8_ord('\$1')).';'",$text);
 
 	if (!$ret)
 	{

lang/EN/stats.ini

@@ -5,7 +5,7 @@ DOC_SUBMISSION_STATISTICS=This statistics screen shows a line-graph of the numbe
 DOC_LOAD_TIMES=This statistics screen shows a bar chart of how long each page (at minimum) takes to be generated and outputted. This is useful for optimising your site; finding bottlenecks and jams, where things could be spread out more (e.g. putting fifteen blocks on different pages, instead of the same one).
 DOC_TOP_REFERRERS=This statistics screen shows a pie chart of the top referrers to the site, with a text-listing of the same statistics below. Such data is invaluable in finding out where to get your site advertised, which advertising schemes aren't working, etc.
 DOC_TOP_SEARCH_KEYWORDS=This statistics screen shows a pie chart of the top Google keywords used to find the site, with a text-listing of the same statistics below. Such data helps you see how to refine your website to be better in tune with what people are searching for.
-DOC_INSTALL_GEOLOCATION_DATA=The software comes with a large list of mappings that allow it to determine where on the planet (with a reasonable degree of accuracy) an IP address is. This allows more detailed statistics concerning placement of members and visitors. However, this list is too long to sensibly be installed when the software is installed, so it has to be installed separately. To do this, you simply click the "Install geolocation data" link in the "Site statistics" section of the left-hand Admin Zone menu. The resulting page will automatically refresh many times so that it can easily install all the required data.
+DOC_INSTALL_GEOLOCATION_DATA=The software comes with a large list of mappings that allow it to determine where on the planet (with a reasonable degree of accuracy) an IP address is. This allows more detailed statistics concerning placement of members and visitors. However, this list is too long to sensibly be installed when the software is installed, so it has to be installed separately. To do this, you simply click the "Install geolocation data" link in the "Site statistics" section of the Admin Zone menu. The resulting page will automatically refresh many times so that it can easily install all the required data.
 DOC_STATISTICS=It's always nice to be able to summarise your site's activity: average visitor counts, which search engine terms are finding your site, the browsers your visitors are using, and so on. You can view all the collected statistics using state-of-the-art [abbr="Scaleable Vector Graphics"]SVG[/abbr] technology (which allows you to view the graphs interactively).
 
 HIT=Hit to {1}

site/pages/modules/cedi.php

@@ -540,7 +540,7 @@ function page()
 			'type'=>'CEDI Page',
 			'title'=>get_translated_text($page['title']),
 			'identifier'=>'_SEARCH:cedi:misc:'.strval($page['id']),
-			'description'=>get_translated_text($page['description']),
+			'description'=>(strlen($description_comcode)<200)?$description_comcode:'',
 			'numposts'=>strval($num_posts),
 			'image'=>find_theme_image('bigicons/cedi'),
 		);
@@ -732,7 +732,7 @@ function do_cedi_merge()
 		$markers=$this->get_markers();
 		foreach ($markers as $id)
 		{
-			$GLOBALS['SITE_DB']->query_delete('seedy_posts',array('id'=>$id),'',1);
+			cedi_delete_post($id);
 		}
 
 		$GLOBALS['SITE_DB']->query_insert('seedy_changes',array('the_page'=>get_param_integer('id'),'the_action'=>'MERGE_CEDI_POSTS','date_and_time'=>time(),'ip'=>get_ip_address(),'the_user'=>get_member()));

sources/calendar2.php

@@ -245,8 +245,8 @@ function delete_calendar_event($id)
 	require_code('seo2');
 	seo_meta_erase_storage('event',strval($id));
 
-	$GLOBALS['SITE_DB']->query_delete('rating',array('rating_for_type'=>'events','rating_for_id'=>$id));
-	$GLOBALS['SITE_DB']->query_delete('trackbacks',array('trackback_for_type'=>'events','trackback_for_id'=>$id));
+	$GLOBALS['SITE_DB']->query_delete('rating',array('rating_for_type'=>'events','rating_for_id'=>strval($id)));
+	$GLOBALS['SITE_DB']->query_delete('trackbacks',array('trackback_for_type'=>'events','trackback_for_id'=>strval($id)));
 
 	delete_lang($myrow['e_title']);
 	require_code('attachments2');

sources/catalogues2.php

@@ -992,8 +992,8 @@ function actual_delete_catalogue_entry($id)
 	$GLOBALS['SITE_DB']->query_delete('catalogue_efv_integer',array('ce_id'=>$id));
 
 	$GLOBALS['SITE_DB']->query_delete('catalogue_entries',array('id'=>$id),'',1);
-	$GLOBALS['SITE_DB']->query_delete('trackbacks',array('trackback_for_type'=>'catalogues','trackback_for_id'=>$id));
-	$GLOBALS['SITE_DB']->query_delete('rating',array('rating_for_type'=>'catalogues','rating_for_id'=>$id));
+	$GLOBALS['SITE_DB']->query_delete('trackbacks',array('trackback_for_type'=>'catalogues','trackback_for_id'=>strval($id)));
+	$GLOBALS['SITE_DB']->query_delete('rating',array('rating_for_type'=>'catalogues','rating_for_id'=>strval($id)));
 
 	require_code('seo2');
 	seo_meta_erase_storage('catalogue_entry',strval($id));

sources/form_templates.php

@@ -276,7 +276,7 @@ function get_field_restrict_property($property,$field,$page=NULL,$type=NULL)
 				foreach ($_restrictions as $bits)
 				{
 					list($restriction,$attributes)=$bits;
-					if (strtolower($restriction)==strtolower($field)) return $bits['embed'];
+					if (strtolower($restriction)==strtolower($property)) return $bits[1]['embed'];
 				}
 			}
 		}

sources/galleries2.php

@@ -509,8 +509,8 @@ function delete_image($id,$delete_full)
 
 	// Delete from database
 	$GLOBALS['SITE_DB']->query_delete('images',array('id'=>$id),'',1);
-	$GLOBALS['SITE_DB']->query_delete('rating',array('rating_for_type'=>'images','rating_for_id'=>$id));
-	$GLOBALS['SITE_DB']->query_delete('trackbacks',array('trackback_for_type'=>'images','trackback_for_id'=>$id));
+	$GLOBALS['SITE_DB']->query_delete('rating',array('rating_for_type'=>'images','rating_for_id'=>strval($id)));
+	$GLOBALS['SITE_DB']->query_delete('trackbacks',array('trackback_for_type'=>'images','trackback_for_id'=>strval($id)));
 
 	require_code('seo2');
 	seo_meta_erase_storage('image',strval($id));
@@ -782,7 +782,7 @@ function edit_video($id,$title,$cat,$comments,$url,$thumb_url,$validated,$allow_
  */
 function delete_video($id,$delete_full)
 {
-	$rows=$GLOBALS['SITE_DB']->query_select('videos',array('title','comments','cat'),array('id'=>$id));
+	$rows=$GLOBALS['SITE_DB']->query_select('videos',array('title','comments','cat'),array('id'=>$id),'',1);
 	$title=$rows[0]['title'];
 	$comments=$rows[0]['comments'];
 	$cat=$rows[0]['cat'];
@@ -800,8 +800,8 @@ function delete_video($id,$delete_full)
 
 	// Delete from database
 	$GLOBALS['SITE_DB']->query_delete('videos',array('id'=>$id),'',1);
-	$GLOBALS['SITE_DB']->query_delete('rating',array('rating_for_type'=>'videos','rating_for_id'=>$id));
-	$GLOBALS['SITE_DB']->query_delete('trackbacks',array('trackback_for_type'=>'videos','trackback_for_id'=>$id));
+	$GLOBALS['SITE_DB']->query_delete('rating',array('rating_for_type'=>'videos','rating_for_id'=>strval($id)));
+	$GLOBALS['SITE_DB']->query_delete('trackbacks',array('trackback_for_type'=>'videos','trackback_for_id'=>strval($id)));
 
 	require_code('seo2');
 	seo_meta_erase_storage('video',strval($id));

sources/global2.php

@@ -18,6 +18,8 @@
  * @package		core
  */
 
+/*EXTRA FUNCTIONS: iconv*/
+
 /**
  * Standard code module initialisation function.
  */
@@ -1403,7 +1405,11 @@ function post_param($name,$default=false,$html=false,$conv_from_wysiwyg=true)
 
 	if (($GLOBALS['BOOTSTRAPPING']==0) && ($GLOBALS['MICRO_AJAX_BOOTUP']==0))
 	{
-		check_posted_field($name,$ret);
+		if ($ret!==$default)
+			check_posted_field($name,$ret);
+
+		// Custom fields.xml filter system
+		$ret=filter_form_field_default($name,$ret);
 	}
 
 	if ($ret===$default) return $ret;
@@ -1532,7 +1538,11 @@ function post_param_integer($name,$default=false)
 
 	if (($GLOBALS['BOOTSTRAPPING']==0) && ($GLOBALS['MICRO_AJAX_BOOTUP']==0))
 	{
-		check_posted_field($name,$ret);
+		if ($ret!==$default)
+			check_posted_field($name,$ret);
+
+		// Custom fields.xml filter system
+		$ret=filter_form_field_default($name,$ret);
 	}
 
 	if (($default===NULL) && ($ret==='')) return NULL;

sources/hooks/modules/admin_cleanup/criticise_mysql_fields.php

@@ -198,7 +198,6 @@ function run()
 							{
 								$type='INTEGER';
 							}
-							$type='INTEGER';
 						}
 						break;
 					case 'real':

sources/hooks/modules/admin_occle_fs/raw.php

@@ -172,7 +172,7 @@ function write_file($meta_dir,$meta_root_node,$file_name,$contents,&$occle_fs)
 			fclose($fh);
 			if ($output<strlen($contents)) warn_exit(do_lang_tempcode('COULD_NOT_SAVE_FILE'));
 			fix_permissions($path.'/'.$file_name);
-			sync_file($path.$file_name);
+			sync_file($path.'/'.$file_name);
 			return $output;
 		}
 		else return false; //File doesn't exist

sources/hooks/systems/notifications/catalogue_entry.php

@@ -76,11 +76,10 @@ function get_initial_setting($notification_code,$category=NULL)
 	function list_handled_codes()
 	{
 		$list=array();
-		$catalogues=$GLOBALS['SITE_DB']->query_select('catalogues',array('c_name','c_title'));
+		$catalogues=$GLOBALS['SITE_DB']->query_select('catalogues',array('c_name','c_title'),NULL,'WHERE c_name NOT LIKE \'\_%\'');
 		foreach ($catalogues as $catalogue)
 		{
 			$catalogue_name=$catalogue['c_name'];
-			if (substr($catalogue_name,0,1)=='_') continue;
 			$nl=do_lang('NOTIFICATION_TYPE_catalogue_entry__'.$catalogue_name,NULL,NULL,NULL,NULL,false);
 			if (is_null($nl))
 			{

sources/hooks/systems/notifications/catalogue_view_reports.php

@@ -24,7 +24,7 @@ class Hook_Notification_catalogue_view_reports extends Hook_Notification
 	function list_handled_codes()
 	{
 		$list=array();
-		$catalogues=$GLOBALS['SITE_DB']->query('SELECT c_name,c_title FROM '.get_table_prefix().'catalogues WHERE '.db_string_not_equal_to('c_send_view_reports','never'));
+		$catalogues=$GLOBALS['SITE_DB']->query('SELECT c_name,c_title FROM '.get_table_prefix().'catalogues WHERE c_name NOT LIKE \'\_%\' AND '.db_string_not_equal_to('c_send_view_reports','never'));
 		foreach ($catalogues as $catalogue)
 		{
 			$list['catalogue_view_reports__'.$catalogue['c_name']]=array(do_lang('GENERAL'),do_lang('NOTIFICATION_TYPE_catalogue_view_reports',get_translated_text($catalogue['c_title'])));

sources/hooks/systems/profiles_tabs/edit.php

@@ -66,6 +66,8 @@ function render_tab($member_id_of,$member_id_viewing,$leave_to_ajax_if_possible=
 
 		$tabs=array();
 
+		if (count($_POST)>0) echo ' '; // HACKHACK: FastCGI seems to have a weird issue with 'slowish spiky process not continuing with output' - this works around it. Not ideal as would break headers in any hook.
+
 		$hooks=find_all_hooks('systems','profiles_tabs_edit');
 		if (isset($hooks['settings'])) // Editing must go first, so changes reflect in the renders of the tabs
 		{

sources/hooks/systems/rss/chat.php

@@ -42,7 +42,7 @@ function run($_filters,$cutoff,$prefix,$date_string,$max)
 
 		require_code('chat');
 
-		$rows=$GLOBALS['SITE_DB']->query('SELECT m.* FROM '.$GLOBALS['SITE_DB']->get_table_prefix().'chat_messages m LEFT JOIN '.$GLOBALS['SITE_DB']->get_table_prefix().'chat_rooms r ON r.id=m.room_id WHERE r.is_im=0 AND date_and_time>'.strval(time()-$cutoff).' AND '.$filters.' ORDER BY date_and_time DESC',$max);
+		$rows=$GLOBALS['SITE_DB']->query('SELECT m.* FROM '.$GLOBALS['SITE_DB']->get_table_prefix().'chat_messages m LEFT JOIN '.$GLOBALS['SITE_DB']->get_table_prefix().'chat_rooms r ON r.id=m.room_id WHERE r.is_im=0 AND date_and_time>'.strval($cutoff).' AND '.$filters.' ORDER BY date_and_time DESC',$max);
 		$count=$GLOBALS['SITE_DB']->query_value('chat_rooms','COUNT(*)',array('is_im'=>0));
 		$categories=array();
 		if ($count<100)

sources/input_filter.php

@@ -103,7 +103,7 @@ function check_input_field_string($name,&$val,$posted=false)
 }
 
 /**
- * Check a posted field isn't 'evil'.
+ * Check a posted field isn't part of a malicious CSRF attack via referer checking (we do more checks for post fields than get fields).
  *
  * @param  string			The name of the parameter
  * @param  string			The value retrieved
@@ -113,41 +113,75 @@ function check_posted_field($name,&$val)
 {
 	if (strtolower(ocp_srv('REQUEST_METHOD'))=='post')
 	{
-		$true_referer=(substr(ocp_srv('HTTP_REFERER'),0,7)=='http://') || (substr(ocp_srv('HTTP_REFERER'),0,8)=='https://');
-		$canonical_referer=preg_replace('#^(\w+://[^/]+/).*$#','${1}',str_replace(':80','',str_replace('https://','http://',str_replace('www.','',ocp_srv('HTTP_REFERER')))));
-		$canonical_baseurl=preg_replace('#^(\w+://[^/]+/).*$#','${1}',str_replace(':80','',str_replace('https://','http://',str_replace('www.','',get_base_url()))));
+		$evil=false;
 
-		if (($true_referer) && (substr(strtolower($canonical_referer),0,strlen($canonical_baseurl))!=strtolower($canonical_baseurl)) && (!is_guest()))
+		$referer=ocp_srv('HTTP_REFERER');
+
+		$is_true_referer=(substr($referer,0,7)=='http://') || (substr($referer,0,8)=='https://');
+
+		if ($is_true_referer)
 		{
-			if (!in_array($name,array('login_username','password','remember','login_invisible')))
+			require_code('users_active_actions');
+			ocp_setcookie('has_referers','1'); // So we know for later requests that "blank" means a malicious external request (from third-party HTTPS URL, or a local file being executed)
+		}
+
+		if ((strtolower(ocp_srv('REQUEST_METHOD'))=='post') && (!is_guest()))
+		{
+			if ($is_true_referer)
 			{
-				$allowed_partners=explode(chr(10),get_option('allowed_post_submitters'));
-				$allowed_partners[]='paypal.com';
-				$allowed_partners[]='www.paypal.com';
-				$found=false;
-				foreach ($allowed_partners as $partner)
+				$canonical_referer_domain=strip_url_to_representative_domain($referer);
+				$canonical_baseurl_domain=strip_url_to_representative_domain(get_base_url());
+				if ($canonical_referer_domain!=$canonical_baseurl_domain)
 				{
-					if (trim($partner)=='') continue;
-
-					if (strpos(ocp_srv('HTTP_REFERER'),trim($partner))!==false)
+					if (!in_array($name,array('login_username','password','remember','login_invisible')))
 					{
-						$found=true;
-						break;
+						$allowed_partners=explode(chr(10),get_option('allowed_post_submitters'));
+						$allowed_partners[]='paypal.com';
+						$found=false;
+						foreach ($allowed_partners as $partner)
+						{
+							$partner=trim($partner);
+
+							if (($partner!='') && ($canonical_referer_domain==$partner))
+							{
+								$found=true;
+								break;
+							}
+						}
+						if (!$found)
+						{
+							$evil=true;
+						}
 					}
 				}
-				if (!$found)
-				{
-					$_POST=array(); // To stop loops
-					log_hack_attack_and_exit('EVIL_POSTED_FORM_HACK',ocp_srv('HTTP_REFERER'));
-				}
+			} elseif (ocp_admirecookie('has_referers')==='1')
+			{
+				$evil=true;
 			}
 		}
+
+		if ($evil)
+		{
+			$_POST=array(); // To stop loops
+			log_hack_attack_and_exit('EVIL_POSTED_FORM_HACK',$referer);
+		}
 	}
 
 	// Custom fields.xml filter system
 	$val=filter_form_field_default($name,$val);
 }
 
+/**
+ * Convert a full URL to a domain name we will consider this a trust on.
+ *
+ * @param  URLPATH		The URL
+ * @return string			The domain
+ */
+function strip_url_to_representative_domain($url)
+{
+	return preg_replace('#^www\.#','',strtolower(parse_url($url,PHP_URL_HOST)));
+}
+
 /**
  * Filter input data for safety within potential filesystem calls.
  * Only called for non-privileged users, filters/alters rather than blocks, due to false-positive likelihood.

sources/iotds.php

@@ -106,8 +106,8 @@ function delete_iotd($id)
 
 	// Delete from the database
 	$GLOBALS['SITE_DB']->query_delete('iotd',array('id'=>$id),'',1);
-	$GLOBALS['SITE_DB']->query_delete('rating',array('rating_for_type'=>'iotds','rating_for_id'=>$id));
-	$GLOBALS['SITE_DB']->query_delete('trackbacks',array('trackback_for_type'=>'iotds','trackback_for_id'=>$id));
+	$GLOBALS['SITE_DB']->query_delete('rating',array('rating_for_type'=>'iotds','rating_for_id'=>strval($id)));
+	$GLOBALS['SITE_DB']->query_delete('trackbacks',array('trackback_for_type'=>'iotds','trackback_for_id'=>strval($id)));
 
 	decache('main_iotd');
 }

sources/lang3.php

@@ -289,7 +289,7 @@ function _lang_remap($id,$text,$connection=NULL,$comcode=false,$pass_id=NULL,$so
 	if (is_null($source_member)) $source_member=(function_exists('get_member'))?get_member():$GLOBALS['FORUM_DRIVER']->get_guest_id(); // This updates the Comcode reference to match the current user, which may not be the owner of the content this is for. This is for a reason - we need to parse with the security token of the current user, not the original content submitter.
 
 	$remap=array('broken'=>0,'text_original'=>$text,'text_parsed'=>$text2);
-	if ((function_exists('ocp_admirecookie')) && ((ocp_admirecookie('use_wysiwyg','1')=='0') && (get_value('edit_with_my_comcode_perms')==='1')) || (!has_specific_permission($source_member,'allow_html')) || (!has_specific_permission($member,'comcode_dangerous')) || (!has_specific_permission($source_member,'use_very_dangerous_comcode')))
+	if ((function_exists('ocp_admirecookie')) && ((ocp_admirecookie('use_wysiwyg','1')=='0') && (get_value('edit_with_my_comcode_perms')==='1')) || (!has_specific_permission($source_member,'allow_html')) || (!has_specific_permission($source_member,'comcode_dangerous')) || (!has_specific_permission($source_member,'use_very_dangerous_comcode')))
 		$remap['source_user']=$source_member;
 	if (!is_null($test)) // Good, we save into our own language, as we have a translation for the lang entry setup properly
 	{

sources/minikernel.php

@@ -99,6 +99,17 @@ function sync_file($filename)
 {
 }
 
+/**
+ * Find whether a particular PHP function is blocked.
+ *
+ * @param  string		Function name.
+ * @return boolean	Whether it is.
+ */
+function php_function_allowed($function)
+{
+	return (@preg_match('#(\s|,|^)'.str_replace('#','\#',preg_quote($function)).'(\s|$|,)#',strtolower(@ini_get('disable_functions').','.ini_get('suhosin.executor.func.blacklist').','.ini_get('suhosin.executor.include.blacklist').','.ini_get('suhosin.executor.eval.blacklist')))==0);
+}
+
 /**
  * Return a debugging back-trace of the current execution stack. Use this for debugging purposes.
  *