mirror/php-e107
1
0
Fork 0
mirror of https://github.com/e107inc/e107.git synced 2025-08-03 05:07:27 +02:00
Code Issues Releases Wiki Activity

Merge pull request #228 from Deltik/master

Browse Source 
[security] Protection for exposed emails, Message-Handler constants etc. Thank you Deltik
This commit is contained in:
Cameron
2013-05-10 16:21:38 -07:00
parent 24d0aba27c 1ebd758fcd
commit 0ebd25252f
5 changed files with 51 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@@ -16,7 +16,7 @@ e107 is a free (open-source) content management system which allows you to easil
### Reporting Bugs ### Reporting Bugs
Be sure you are using the most recent version prior to reporting an issue. Be sure you are using the most recent version prior to reporting an issue.
Your may report any bugs or feature requests on Github (https://github.com/e107inc/e107/issues) You may report any bugs or feature requests on GitHub (https://github.com/e107inc/e107/issues)
### Pull-Requests ### Pull-Requests

31
e107_core/shortcodes/batch/user_shortcodes.php
View File

@@ -226,7 +226,9 @@ class user_shortcodes extends e_shortcode
function sc_user_email_link($parm) function sc_user_email_link($parm)
{ {
$tp = e107::getParser(); $tp = e107::getParser();
return ($this->var['user_hideemail'] && !ADMIN) ? "<i>".LAN_USER_35."</i>" : $tp->parseTemplate("{email={$this->var['user_email']}-link}"); return /* Condition */ ($this->var['user_hideemail'] && !ADMIN) ?
/* Hidden and Not Admin */ "<i>".LAN_USER_35."</i>" :
/* Not Hidden or Admin */ $tp->parseTemplate("{email={$this->var['user_email']}-link}");
} }
@@ -234,7 +236,30 @@ class user_shortcodes extends e_shortcode
function sc_user_email($parm) function sc_user_email($parm)
{ {
$tp = e107::getParser(); $tp = e107::getParser();
return ($this->var['user_hideemail'] && !ADMIN) ? "<i>".LAN_USER_35."</i>" : $tp->toHTML($this->var['user_email'],"no_replace"); return /* Condition */ ($this->var['user_hideemail'] && !ADMIN) ?
/* Hidden and Not Admin */ "<i>".LAN_USER_35."</i>" :
/* Not Hidden or Admin */ "<span style='unicode-bidi:bidi-override; direction: rtl;'>" . strrev($tp->toHTML($this->var['user_email'],"no_replace")) . "</span>";
########################################################
# Security Note - 04 May 2013 #
########################################################
# #
# The CSS code direction rtl is an effective way to #
# prevent spam bots from scraping emails that are #
# not hidden. #
# #
# You can find empirical support for this method at #
# <http://superuser.com/a/235965>. #
# #
# {e_CORE}templates/user_template.php was modified to #
# support this code. In $USER_FULL_TEMPLATE, the #
# LAN_USER_60 value {USER_EMAIL_LINK} was changed to #
# {USER_EMAIL}. I couldn't figure out how the two #
# shortcodes were different, so I took precautions in #
# hopes that the CSS direction won't break actual HTML #
# tags. #
# #
# -- Deltik #
########################################################
} }
@@ -745,4 +770,4 @@ class user_shortcodes extends e_shortcode
} }
?> ?>

4
e107_core/templates/user_template.php
View File

@@ -142,7 +142,7 @@ $USER_FULL_TEMPLATE = "{SETIMAGE: w=250}
<tr> <tr>
<td {$main_colspan} class='forumheader3'> <td {$main_colspan} class='forumheader3'>
<div class='f-left'>{USER_EMAIL_ICON} ".LAN_USER_60."</div> <div class='f-left'>{USER_EMAIL_ICON} ".LAN_USER_60."</div>
<div class='f-right right'>{USER_EMAIL_LINK}</div> <div class='f-right right'>{USER_EMAIL}</div>
</td> </td>
</tr> </tr>
@@ -213,4 +213,4 @@ $USER_EMBED_USERPROFILE_TEMPLATE = "
<tr><td colspan='2' class='fcaption'>{USER_EMBED_USERPROFILE_CAPTION}</td></tr> <tr><td colspan='2' class='fcaption'>{USER_EMBED_USERPROFILE_CAPTION}</td></tr>
<tr><td colspan='2' class='forumheader3'>{USER_EMBED_USERPROFILE_TEXT}</td></tr>"; <tr><td colspan='2' class='forumheader3'>{USER_EMBED_USERPROFILE_TEXT}</td></tr>";
?> ?>

19
e107_handlers/message_handler.php
View File

@@ -18,6 +18,10 @@ if (!defined('e107_INIT')) { exit; }
/* /*
* Type defines * Type defines
* XXX - convert to eMessage class constants * XXX - convert to eMessage class constants
* @note 07 May 2013: These have been converted to eMessage class constants!
* Example: eMessage::E_MESSAGE_SUCCESS is 'success'
* -- Deltik
* P.S. Now somebody needs to get rid of these universal constants...
*/ */
define('E_MESSAGE_INFO', 'info'); define('E_MESSAGE_INFO', 'info');
define('E_MESSAGE_SUCCESS', 'success'); define('E_MESSAGE_SUCCESS', 'success');
@@ -39,6 +43,17 @@ define('E_MESSAGE_NODISPLAY', 'nodisplay'); // Appears to be needed by update_ro
*/ */
class eMessage class eMessage
{ {
/**
* Type defines
*/
const E_INFO = 'info';
const E_SUCCESS = 'success';
const E_WARNING = 'warning';
const E_ERROR = 'error';
const E_DEBUG = 'debug';
const E_NODISPLAY = 'nodisplay';
/** /**
* System Message Array * System Message Array
* in format [type][message_stack] = array(message[, ...]) * in format [type][message_stack] = array(message[, ...])
@@ -172,7 +187,7 @@ class eMessage
* @param boolean $session * @param boolean $session
* @return eMessage * @return eMessage
*/ */
public function add($message, $type = E_MESSAGE_INFO, $session = false) public function add($message, $type = eMessage::E_INFO, $session = false)
{ {
if(empty($message)) return $this; if(empty($message)) return $this;
@@ -997,4 +1012,4 @@ function show_emessage($mode, $message, $line = 0, $file = "") {
} }
} }
?> ?>

6
e107_handlers/model_class.php
View File

@@ -3485,7 +3485,7 @@ class e_admin_tree_model extends e_front_tree_model
$idstr = implode(', ', $ids); $idstr = implode(', ', $ids);
$sql = e107::getDb(); $sql = e107::getDb();
$res = $sql->db_Delete($this->getModelTable(), $this->getFieldIdName().' IN ('.$idstr.')'); $res = $sql->db_Delete($this->getModelTable(), $this->getFieldIdName().' IN (\''.$idstr.'\')');
$this->_db_errno = $sql->getLastErrorNumber(); $this->_db_errno = $sql->getLastErrorNumber();
$this->_db_errmsg = $sql->getLastErrorText(); $this->_db_errmsg = $sql->getLastErrorText();
$modelCacheCheck = $this->getParam('clearModelCache'); $modelCacheCheck = $this->getParam('clearModelCache');
@@ -3493,7 +3493,7 @@ class e_admin_tree_model extends e_front_tree_model
{ {
if($sql->getLastErrorNumber()) if($sql->getLastErrorNumber())
{ {
$this->addMessageError('SQL Delete Error', $session_messages); //TODO - Lan $this->addMessageError('SQL Delete Error: ' . $sql->getLastQuery(), $session_messages); //TODO - Lan
$this->addMessageDebug('SQL Error #'.$sql->getLastErrorNumber().': '.$sql->getLastErrorText()); $this->addMessageDebug('SQL Error #'.$sql->getLastErrorNumber().': '.$sql->getLastErrorText());
} }
} }
@@ -3561,4 +3561,4 @@ class e_admin_tree_model extends e_front_tree_model
} }
return $ret; return $ret;
} }
} }