Sanitize input coming from MyBB server #1617

Closed
PirataNervo opened this Issue Nov 15, 2014 · 9 comments


@PirataNervo
Contributor

All input coming from the MyBB server/pages should be sanitized in case the server gets compromised.

@PirataNervo PirataNervo self-assigned this Nov 15, 2014
@PirataNervo PirataNervo added this to the 1.8.3 milestone Nov 15, 2014
@Destroy666x Destroy666x added the p:high label Nov 15, 2014
@PirataNervo PirataNervo added p:immediate and removed p:high labels Nov 16, 2014
@PirataNervo PirataNervo added a commit to PirataNervo/mybb that referenced this issue Nov 16, 2014
@PirataNervo PirataNervo Fix #1617 Sanitize input from MyBB server 3df708c
@PirataNervo PirataNervo added the s:fixed label Nov 16, 2014
@labrocca

Can I seriously suggest you add a setting or config option (Disable Version Checking) to remove the call to MyBB? That or just make it so a button on the admin index for "Update Info" to manually grab the info.

@JN-Jones
Contributor

It should work when you disable the version check task (1.8)

@Nik101010
Contributor

@JN-Jones news and plugins and all the other stuff is still loaded in that case 😉

@Stefan-ST
Member

@labrocca Is that really needed when we make entirely sure no external code can be injected?

@JN-Jones
Contributor

Only if you click on the specific link, nothing is loaded automatically then anymore.

@euantorano
Member

I don't see how adding the option would hurt. It doesn't exactly take much effort. Could even just put it in config.php rather than putting it through the main settings system...

@labrocca

I see in 1.8 a version check task was added. That does help to resolve the issue.

@PirataNervo PirataNervo added a commit to PirataNervo/mybb that referenced this issue Nov 17, 2014
@PirataNervo PirataNervo Fix #1617 Sanitize input from MyBB server 7cca220
@PirataNervo PirataNervo added a commit to PirataNervo/mybb that referenced this issue Nov 17, 2014
@PirataNervo PirataNervo Fix #1617 Sanitize input from MyBB server 8f1bf04
@PirataNervo PirataNervo closed this in #1618 Nov 19, 2014
@PirataNervo PirataNervo reopened this Nov 19, 2014
@Stefan-ST
Member

@PirataNervo
The fixes for browsing mods and themes don't work. The links to the author now display HTML and the download links are broken.
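
An added example, not code from the MyBB project or from any commit referenced in this issue: one way to render a remote mod/theme listing so that text fields are escaped and links are rebuilt locally from validated URLs, which keeps links working without accepting markup from the server. The feed format, its element names and the helpers `esc`, `safe_url` and `render_link` are assumptions made for illustration.

```php
<?php
// Constructed sample of a remote listing. The element names are assumptions,
// not the format the MyBB server actually returns.
$xml = <<<XML
<results>
  <result>
    <name>Nice Theme &lt;b&gt;bold&lt;/b&gt;</name>
    <author>Alice</author>
    <author_url>https://example.com/user/1</author_url>
    <download_url>javascript:void(0)</download_url>
  </result>
</results>
XML;

// Escape a remote string for use as HTML text or inside a quoted attribute.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Accept only absolute http(s) URLs with a host; anything else yields null.
function safe_url(string $url): ?string
{
    $url = trim($url);
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    $host = parse_url($url, PHP_URL_HOST);
    if (!in_array($scheme, ['http', 'https'], true) || empty($host)) {
        return null;
    }
    return $url;
}

// Build the anchor locally from a remote URL and label; no markup comes from the feed.
function render_link(string $url, string $label): string
{
    $safe = safe_url($url);
    if ($safe === null) {
        return esc($label); // rejected URL: fall back to plain text
    }
    return '<a href="' . esc($safe) . '" rel="noopener noreferrer">' . esc($label) . '</a>';
}

$feed = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
if ($feed === false) { exit("Could not parse remote listing\n"); }
foreach ($feed->result as $r) {
    echo '<tr><td>', esc((string) $r->name), '</td><td>',
        render_link((string) $r->author_url, (string) $r->author), '</td><td>',
        render_link((string) $r->download_url, 'Download'), "</td></tr>\n";
}
```

With the constructed input, the theme name is shown as literal text, the author link is emitted as a working anchor, and the download entry falls back to plain text because its scheme is not http or https.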

@Stefan-ST Stefan-ST reopened this Nov 20, 2014
@Stefan-ST Stefan-ST added a commit to Stefan-ST/mybb that referenced this issue Nov 20, 2014
@Stefan-ST Stefan-ST Fixes #1617 Sanitize input coming from MyBB server bd60ebb
@Stefan-ST Stefan-ST added s:fixed and removed s:feedback labels Nov 20, 2014
@Stefan-ST Stefan-ST modified the milestone: 1.8.3, 1.8.4 Nov 20, 2014
@PirataNervo
Contributor

@Stefan-ST thanks I will test your PR later when I get home.

@PirataNervo PirataNervo closed this in #1640 Nov 20, 2014
@ATofighi ATofighi removed the p:immediate label Nov 21, 2014
@PirataNervo PirataNervo removed their assignment Jan 12, 2015