mirror/php-e107
1
0
Fork 0
mirror of https://github.com/e107inc/e107.git synced 2025-01-17 20:58:30 +01:00
Code Issues Releases Wiki Activity

Merge pull request #228 from Deltik/master

Browse Source 
[security] Protection for exposed emails, Message-Handler constants etc. Thank you Deltik
This commit is contained in:
Cameron 2013-05-10 16:21:38 -07:00
commit 0ebd25252f
5 changed files with 51 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@ -16,7 +16,7 @@ e107 is a free (open-source) content management system which allows you to easil
### Reporting Bugs
Be sure you are using the most recent version prior to reporting an issue.
Your may report any bugs or feature requests on Github (https://github.com/e107inc/e107/issues)
You may report any bugs or feature requests on GitHub (https://github.com/e107inc/e107/issues)
### Pull-Requests

31
e107_core/shortcodes/batch/user_shortcodes.php
View File

@ -226,7 +226,9 @@ class user_shortcodes extends e_shortcode
function sc_user_email_link($parm)
{
$tp = e107::getParser();
return ($this->var['user_hideemail'] && !ADMIN) ? "<i>".LAN_USER_35."</i>" : $tp->parseTemplate("{email={$this->var['user_email']}-link}");
return /* Condition */ ($this->var['user_hideemail'] && !ADMIN) ?
/* Hidden and Not Admin */ "<i>".LAN_USER_35."</i>" :
/* Not Hidden or Admin */ $tp->parseTemplate("{email={$this->var['user_email']}-link}");
}
@ -234,7 +236,30 @@ class user_shortcodes extends e_shortcode
function sc_user_email($parm)
{
$tp = e107::getParser();
return ($this->var['user_hideemail'] && !ADMIN) ? "<i>".LAN_USER_35."</i>" : $tp->toHTML($this->var['user_email'],"no_replace");
return /* Condition */ ($this->var['user_hideemail'] && !ADMIN) ?
/* Hidden and Not Admin */ "<i>".LAN_USER_35."</i>" :
/* Not Hidden or Admin */ "<span style='unicode-bidi:bidi-override; direction: rtl;'>" . strrev($tp->toHTML($this->var['user_email'],"no_replace")) . "</span>";
########################################################
# Security Note - 04 May 2013 #
########################################################
# #
# The CSS code direction rtl is an effective way to #
# prevent spam bots from scraping emails that are #
# not hidden. #
# #
# You can find empirical support for this method at #
# <http://superuser.com/a/235965>. #
# #
# {e_CORE}templates/user_template.php was modified to #
# support this code. In $USER_FULL_TEMPLATE, the #
# LAN_USER_60 value {USER_EMAIL_LINK} was changed to #
# {USER_EMAIL}. I couldn't figure out how the two #
# shortcodes were different, so I took precautions in #
# hopes that the CSS direction won't break actual HTML #
# tags. #
# #
# -- Deltik #
########################################################
}
@ -745,4 +770,4 @@ class user_shortcodes extends e_shortcode
}
?>
?>

4
e107_core/templates/user_template.php
View File

@ -142,7 +142,7 @@ $USER_FULL_TEMPLATE = "{SETIMAGE: w=250}
<tr>
<td {$main_colspan} class='forumheader3'>
<div class='f-left'>{USER_EMAIL_ICON} ".LAN_USER_60."</div>
<div class='f-right right'>{USER_EMAIL_LINK}</div>
<div class='f-right right'>{USER_EMAIL}</div>
</td>
</tr>
@ -213,4 +213,4 @@ $USER_EMBED_USERPROFILE_TEMPLATE = "
<tr><td colspan='2' class='fcaption'>{USER_EMBED_USERPROFILE_CAPTION}</td></tr>
<tr><td colspan='2' class='forumheader3'>{USER_EMBED_USERPROFILE_TEXT}</td></tr>";
?>
?>

19
e107_handlers/message_handler.php
View File

@ -18,6 +18,10 @@ if (!defined('e107_INIT')) { exit; }
/*
* Type defines
* XXX - convert to eMessage class constants
* @note 07 May 2013: These have been converted to eMessage class constants!
* Example: eMessage::E_MESSAGE_SUCCESS is 'success'
* -- Deltik
* P.S. Now somebody needs to get rid of these universal constants...
*/
define('E_MESSAGE_INFO', 'info');
define('E_MESSAGE_SUCCESS', 'success');
@ -39,6 +43,17 @@ define('E_MESSAGE_NODISPLAY', 'nodisplay'); // Appears to be needed by update_ro
*/
class eMessage
{
/**
* Type defines
*/
const E_INFO = 'info';
const E_SUCCESS = 'success';
const E_WARNING = 'warning';
const E_ERROR = 'error';
const E_DEBUG = 'debug';
const E_NODISPLAY = 'nodisplay';
/**
* System Message Array
* in format [type][message_stack] = array(message[, ...])
@ -172,7 +187,7 @@ class eMessage
* @param boolean $session
* @return eMessage
*/
public function add($message, $type = E_MESSAGE_INFO, $session = false)
public function add($message, $type = eMessage::E_INFO, $session = false)
{
if(empty($message)) return $this;
@ -997,4 +1012,4 @@ function show_emessage($mode, $message, $line = 0, $file = "") {
}
}
?>
?>

6
e107_handlers/model_class.php
View File

@ -3485,7 +3485,7 @@ class e_admin_tree_model extends e_front_tree_model
$idstr = implode(', ', $ids);
$sql = e107::getDb();
$res = $sql->db_Delete($this->getModelTable(), $this->getFieldIdName().' IN ('.$idstr.')');
$res = $sql->db_Delete($this->getModelTable(), $this->getFieldIdName().' IN (\''.$idstr.'\')');
$this->_db_errno = $sql->getLastErrorNumber();
$this->_db_errmsg = $sql->getLastErrorText();
$modelCacheCheck = $this->getParam('clearModelCache');
@ -3493,7 +3493,7 @@ class e_admin_tree_model extends e_front_tree_model
{
if($sql->getLastErrorNumber())
{
$this->addMessageError('SQL Delete Error', $session_messages); //TODO - Lan
$this->addMessageError('SQL Delete Error: ' . $sql->getLastQuery(), $session_messages); //TODO - Lan
$this->addMessageDebug('SQL Error #'.$sql->getLastErrorNumber().': '.$sql->getLastErrorText());
}
}
@ -3561,4 +3561,4 @@ class e_admin_tree_model extends e_front_tree_model
}
return $ret;
}
}
}