Merge pull request #228 from Deltik/master
[security] Protection for exposed emails, Message-Handler constants etc. Thank you Deltik
@@ -16,7 +16,7 @@ e107 is a free (open-source) content management system which allows you to easil
|
|||||||
### Reporting Bugs
|
### Reporting Bugs
|
||||||
|
|
||||||
Be sure you are using the most recent version prior to reporting an issue.
|
Be sure you are using the most recent version prior to reporting an issue.
|
||||||
Your may report any bugs or feature requests on Github (https://github.com/e107inc/e107/issues)
|
You may report any bugs or feature requests on GitHub (https://github.com/e107inc/e107/issues)
|
||||||
|
|
||||||
### Pull-Requests
|
### Pull-Requests
|
||||||
|
|
||||||
|
@@ -226,7 +226,9 @@ class user_shortcodes extends e_shortcode
|
|||||||
function sc_user_email_link($parm)
|
function sc_user_email_link($parm)
|
||||||
{
|
{
|
||||||
$tp = e107::getParser();
|
$tp = e107::getParser();
|
||||||
return ($this->var['user_hideemail'] && !ADMIN) ? "<i>".LAN_USER_35."</i>" : $tp->parseTemplate("{email={$this->var['user_email']}-link}");
|
return /* Condition */ ($this->var['user_hideemail'] && !ADMIN) ?
|
||||||
|
/* Hidden and Not Admin */ "<i>".LAN_USER_35."</i>" :
|
||||||
|
/* Not Hidden or Admin */ $tp->parseTemplate("{email={$this->var['user_email']}-link}");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@@ -234,7 +236,30 @@ class user_shortcodes extends e_shortcode
|
|||||||
function sc_user_email($parm)
|
function sc_user_email($parm)
|
||||||
{
|
{
|
||||||
$tp = e107::getParser();
|
$tp = e107::getParser();
|
||||||
return ($this->var['user_hideemail'] && !ADMIN) ? "<i>".LAN_USER_35."</i>" : $tp->toHTML($this->var['user_email'],"no_replace");
|
return /* Condition */ ($this->var['user_hideemail'] && !ADMIN) ?
|
||||||
|
/* Hidden and Not Admin */ "<i>".LAN_USER_35."</i>" :
|
||||||
|
/* Not Hidden or Admin */ "<span style='unicode-bidi:bidi-override; direction: rtl;'>" . strrev($tp->toHTML($this->var['user_email'],"no_replace")) . "</span>";
|
||||||
|
########################################################
|
||||||
|
# Security Note - 04 May 2013 #
|
||||||
|
########################################################
|
||||||
|
# #
|
||||||
|
# The CSS code direction rtl is an effective way to #
|
||||||
|
# prevent spam bots from scraping emails that are #
|
||||||
|
# not hidden. #
|
||||||
|
# #
|
||||||
|
# You can find empirical support for this method at #
|
||||||
|
# <http://superuser.com/a/235965>. #
|
||||||
|
# #
|
||||||
|
# {e_CORE}templates/user_template.php was modified to #
|
||||||
|
# support this code. In $USER_FULL_TEMPLATE, the #
|
||||||
|
# LAN_USER_60 value {USER_EMAIL_LINK} was changed to #
|
||||||
|
# {USER_EMAIL}. I couldn't figure out how the two #
|
||||||
|
# shortcodes were different, so I took precautions in #
|
||||||
|
# hopes that the CSS direction won't break actual HTML #
|
||||||
|
# tags. #
|
||||||
|
# #
|
||||||
|
# -- Deltik #
|
||||||
|
########################################################
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
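Review bot: The `strrev()` in the new `sc_user_email` return runs on the output of `$tp->toHTML(..., "no_replace")`, i.e. on text that has already been HTML-encoded, so any entity the parser emits (for example `&amp;` for `&`, if toHTML encodes it — confirm) comes out as `;pma&` and renders literally, and any multibyte UTF-8 character in the address is reversed byte-by-byte into invalid bytes. Reverse the raw address first with a code-point-aware split and encode afterwards: `$rev = implode('', array_reverse(preg_split('//u', $this->var['user_email'], -1, PREG_SPLIT_NO_EMPTY)));` and then `$tp->toHTML($rev, "no_replace")` inside the span. This is also a presentation trick rather than an access control: the reversed address is still in the page source for any scraper that reverses it, and the `user_hideemail && !ADMIN` branch remains the only real gate, so the 04 May 2013 comment block should describe it as bot deterrence, not as protection. Users who copy the rendered address get it reversed, so a working `{USER_EMAIL_LINK}` should stay available wherever a usable address is needed.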
@@ -745,4 +770,4 @@ class user_shortcodes extends e_shortcode
|
|||||||
|
|
||||||
|
|
||||||
}
|
}
|
||||||
?>
|
?>
|
||||||
|
@@ -142,7 +142,7 @@ $USER_FULL_TEMPLATE = "{SETIMAGE: w=250}
|
|||||||
<tr>
|
<tr>
|
||||||
<td {$main_colspan} class='forumheader3'>
|
<td {$main_colspan} class='forumheader3'>
|
||||||
<div class='f-left'>{USER_EMAIL_ICON} ".LAN_USER_60."</div>
|
<div class='f-left'>{USER_EMAIL_ICON} ".LAN_USER_60."</div>
|
||||||
<div class='f-right right'>{USER_EMAIL_LINK}</div>
|
<div class='f-right right'>{USER_EMAIL}</div>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
|
|
||||||
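Review bot: Replacing `{USER_EMAIL_LINK}` with `{USER_EMAIL}` in `$USER_FULL_TEMPLATE` removes the clickable mailto link for every viewer, admins included, which is a visible behaviour change the commit description does not mention. The shortcode comment says the author could not tell the two apart, but the difference is in the shortcodes hunk: `_LINK` renders through `parseTemplate("{email=...-link}")`, while the plain shortcode emits escaped text (now reversed). Add a note beside the template line, e.g. `// {USER_EMAIL} renders the address reversed via CSS rtl; use {USER_EMAIL_LINK} where a working mailto link is required`, so theme authors know which one to pick. The `$USER_FULL_TEMPLATE` assignment starts before this hunk.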
@@ -213,4 +213,4 @@ $USER_EMBED_USERPROFILE_TEMPLATE = "
|
|||||||
<tr><td colspan='2' class='fcaption'>{USER_EMBED_USERPROFILE_CAPTION}</td></tr>
|
<tr><td colspan='2' class='fcaption'>{USER_EMBED_USERPROFILE_CAPTION}</td></tr>
|
||||||
<tr><td colspan='2' class='forumheader3'>{USER_EMBED_USERPROFILE_TEXT}</td></tr>";
|
<tr><td colspan='2' class='forumheader3'>{USER_EMBED_USERPROFILE_TEXT}</td></tr>";
|
||||||
|
|
||||||
?>
|
?>
|
||||||
|
@@ -18,6 +18,10 @@ if (!defined('e107_INIT')) { exit; }
|
|||||||
/*
|
/*
|
||||||
* Type defines
|
* Type defines
|
||||||
* XXX - convert to eMessage class constants
|
* XXX - convert to eMessage class constants
|
||||||
|
* @note 07 May 2013: These have been converted to eMessage class constants!
|
||||||
|
* Example: eMessage::E_MESSAGE_SUCCESS is 'success'
|
||||||
|
* -- Deltik
|
||||||
|
* P.S. Now somebody needs to get rid of these universal constants...
|
||||||
*/
|
*/
|
||||||
define('E_MESSAGE_INFO', 'info');
|
define('E_MESSAGE_INFO', 'info');
|
||||||
define('E_MESSAGE_SUCCESS', 'success');
|
define('E_MESSAGE_SUCCESS', 'success');
|
||||||
@@ -39,6 +43,17 @@ define('E_MESSAGE_NODISPLAY', 'nodisplay'); // Appears to be needed by update_ro
|
|||||||
*/
|
*/
|
||||||
class eMessage
|
class eMessage
|
||||||
{
|
{
|
||||||
|
/**
|
||||||
|
* Type defines
|
||||||
|
*/
|
||||||
|
const E_INFO = 'info';
|
||||||
|
const E_SUCCESS = 'success';
|
||||||
|
const E_WARNING = 'warning';
|
||||||
|
const E_ERROR = 'error';
|
||||||
|
const E_DEBUG = 'debug';
|
||||||
|
const E_NODISPLAY = 'nodisplay';
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* System Message Array
|
* System Message Array
|
||||||
* in format [type][message_stack] = array(message[, ...])
|
* in format [type][message_stack] = array(message[, ...])
|
||||||
@@ -172,7 +187,7 @@ class eMessage
|
|||||||
* @param boolean $session
|
* @param boolean $session
|
||||||
* @return eMessage
|
* @return eMessage
|
||||||
*/
|
*/
|
||||||
public function add($message, $type = E_MESSAGE_INFO, $session = false)
|
public function add($message, $type = eMessage::E_INFO, $session = false)
|
||||||
{
|
{
|
||||||
if(empty($message)) return $this;
|
if(empty($message)) return $this;
|
||||||
|
|
||||||
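Review bot: The new class constants at the top of `eMessage` duplicate the string values of the global `E_MESSAGE_*` defines a few lines above instead of referring to them, so the two sets can drift apart and `add()`'s new default `eMessage::E_INFO` would silently stop matching callers that still pass `E_MESSAGE_INFO`. Since the defines precede the class in this file, declare the constants as aliases, `const E_INFO = E_MESSAGE_INFO;` (and likewise for the other five), and use `self::E_INFO` rather than `eMessage::E_INFO` for the default in `add()`. The `@note`/P.S. comment in the first hunk can then state that the global defines are kept only for backward compatibility and that `eMessage::E_*` is the supported spelling.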
@@ -997,4 +1012,4 @@ function show_emessage($mode, $message, $line = 0, $file = "") {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
?>
|
?>
|
||||||
|
@@ -3485,7 +3485,7 @@ class e_admin_tree_model extends e_front_tree_model
|
|||||||
$idstr = implode(', ', $ids);
|
$idstr = implode(', ', $ids);
|
||||||
|
|
||||||
$sql = e107::getDb();
|
$sql = e107::getDb();
|
||||||
$res = $sql->db_Delete($this->getModelTable(), $this->getFieldIdName().' IN ('.$idstr.')');
|
$res = $sql->db_Delete($this->getModelTable(), $this->getFieldIdName().' IN (\''.$idstr.'\')');
|
||||||
$this->_db_errno = $sql->getLastErrorNumber();
|
$this->_db_errno = $sql->getLastErrorNumber();
|
||||||
$this->_db_errmsg = $sql->getLastErrorText();
|
$this->_db_errmsg = $sql->getLastErrorText();
|
||||||
$modelCacheCheck = $this->getParam('clearModelCache');
|
$modelCacheCheck = $this->getParam('clearModelCache');
|
||||||
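Review bot: Wrapping the whole list in quotes at `IN (\''.$idstr.'\')` turns `IN (1, 2, 3)` into `IN ('1, 2, 3')`, a single string compared against the id column (numeric columns cast it to its leading number), so a multi-row delete quietly removes at most the first id. If the intent was to guard against non-numeric ids, quote and escape each element rather than the list: `$idstr` is built by `implode(', ', $ids)` with no escaping, so for integer keys use `$idstr = implode(', ', array_map('intval', $ids));` with the original unquoted `IN ('.$idstr.')`, and for string primary keys escape each value individually before joining with `', '`. Whether `$ids` can carry user-supplied values, and which escape helper `$sql` offers, is not visible here; the function's start is outside the hunk. In the following hunk, appending `$sql->getLastQuery()` to the user-facing error message exposes table and column names; the existing `addMessageDebug` line already records the SQL error, and the query text belongs there instead.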
@@ -3493,7 +3493,7 @@ class e_admin_tree_model extends e_front_tree_model
|
|||||||
{
|
{
|
||||||
if($sql->getLastErrorNumber())
|
if($sql->getLastErrorNumber())
|
||||||
{
|
{
|
||||||
$this->addMessageError('SQL Delete Error', $session_messages); //TODO - Lan
|
$this->addMessageError('SQL Delete Error: ' . $sql->getLastQuery(), $session_messages); //TODO - Lan
|
||||||
$this->addMessageDebug('SQL Error #'.$sql->getLastErrorNumber().': '.$sql->getLastErrorText());
|
$this->addMessageDebug('SQL Error #'.$sql->getLastErrorNumber().': '.$sql->getLastErrorText());
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -3561,4 +3561,4 @@ class e_admin_tree_model extends e_front_tree_model
|
|||||||
}
|
}
|
||||||
return $ret;
|
return $ret;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|