Merge pull request #3281 from SimSync/pref_update_218

Fixed typo in prefs.php, Added check&update to update routine
2025-01-18 05:09:05 +01:00 · 2018-07-14 12:51:26 -07:00 · 2018-07-14 12:51:26 -07:00 · 5a689397eb
commit 5a689397eb
parent 10b7afe281 8fea5fa53e
2 changed files with 15 additions and 4 deletions
--- a/e107_admin/prefs.php
+++ b/e107_admin/prefs.php
@ -1210,9 +1210,7 @@ if ($savePrefs) $core_pref->setPref($pref)->save(false, true);
 					<tr>
 						<td><label for='post-script'>".PRFLAN_215.":</label></td>
 						<td>
-							".//r_userclass('post_script',$pref['post_script'],'off','nobody,member,admin,main,classes')
-							$e_userclass->uc_dropdown('post_script',$pref['post_script'],'off','nobody,admin,main,classes,no-excludes')
-							."
+							".$e_userclass->uc_dropdown('post_script',$pref['post_script'],'nobody,admin,main,classes,no-excludes')."
 							<div class='smalltext field-help'>".PRFLAN_216."</div>
 						</td>
 					</tr>
--- a/e107_admin/update_routines.php
+++ b/e107_admin/update_routines.php
@ -584,12 +584,25 @@ function update_core_database($type = '')
 		}


-		//todo add check for post_html pref value. 
+		// Make sure, that the pref "post_script" contains one of the allowed userclasses
+		// Close possible security hole
+		if (!array_key_exists(e107::getPref('post_script'), e107::getUserClass()->uc_required_class_list('nobody,admin,main,classes,no-excludes', true)))
+		{
+			if ($just_check)
+			{
+				return update_needed("Pref 'Class which can post < script > and similar tags' contains an invalid value"); // NO LAN.
+			}
+			else
+			{
+				e107::getConfig()->setPref('post_script', 255)->save(false, true);
+			}
+		}


 		return $just_check;


+
 	}