From 8c0fee4cb1b672876e04ae08cb4dedccf098e4cd Mon Sep 17 00:00:00 2001 From: Achim Ennenbach Date: Wed, 11 Jul 2018 15:54:51 +0200 Subject: [PATCH] Limited allowed userclasses for 'post_script' to a smaller group: No One, (Main-) Admins, Mods and custom groups Added a check on opening of the prefs page to make sure, that the set value is only one of the allowed classes. Otherwise, class "No One" will be set and saved. Replaced deprecated function calls with their successor... --- e107_admin/prefs.php | 38 ++++++++++++++++++++++++++++++++------ 1 file changed, 32 insertions(+), 6 deletions(-) diff --git a/e107_admin/prefs.php b/e107_admin/prefs.php index e5eaa9a9a..767124f29 100644 --- a/e107_admin/prefs.php +++ b/e107_admin/prefs.php @@ -55,7 +55,7 @@ $tp = e107::getParser(); /* RESET DISPLAY NAMES */ if(isset($_POST['submit_resetdisplaynames'])) { - e107::getDb()->db_Update('user', 'user_name=user_loginname'); + e107::getDb()->update('user', 'user_name=user_loginname'); $mes->addInfo(PRFLAN_157); } @@ -647,7 +647,8 @@ $ga = e107::getDate(); $date1 = $ga->convert_date(time(), "short"); $date2 = $ga->convert_date(time(), "long"); $date3 = $ga->convert_date(time(), "forum"); -$date4 = e107::getDate()->convert(time(),"input"); +//$core_pref$date4 = e107::getDate()->convert(time(),"input"); +$date4 = $tp->toDate(time(),"input"); $text .= "
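Review bot: The replacement in the hunk at line 647 keeps the superseded call as a comment with a stray token glued to its front, `//$core_pref$date4 = e107::getDate()->convert(time(),"input");`, which reads like an accidental paste rather than deliberate history; drop that line so only `$date4 = $tp->toDate(time(),"input");` remains. The same habit recurs in the later hunks: `//save_prefs();` is left behind twice in the 1086 hunk, and in the 1186 hunk the old `r_userclass(...)` call is left as a `//` comment spliced inside a multi-line string concatenation, where a reader has to work out that the `.` continuation on the next line still belongs to the expression. Commented-out code should be deleted in all of these places; version control already preserves the old form.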
@@ -1086,14 +1087,37 @@ $text .= " /* text render options */ - +$savePrefs = false; if(!isset($pref['post_html'])) { $pref['post_html'] = '250'; - save_prefs(); + $savePrefs = true; + //save_prefs(); } -$text .= " +// Make sure, the "post_script" setting is set and if not, set it to "No One" (255) +// This should close a possible security hole... +if(!isset($pref['post_script'])) +{ + $pref['post_script'] = '255'; + $savePrefs = true; + //save_prefs(); +} +else +{ + // Make sure, that the pref is one of the allowed userclasses + // Close possible security hole + if (!array_key_exists($pref['post_script'], $e_userclass->uc_required_class_list('nobody,admin,main,classes,no-excludes', true))) + { + $pref['post_script'] = 255; //set to userclass "no one" if the old class isn't part of the list of allowed userclasses + $savePrefs = true; + } +} + +if ($savePrefs) $core_pref->setPref($pref)->save(false, true); + + + $text .= "
".PRFLAN_101." @@ -1186,7 +1210,9 @@ $text .= "
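Review bot: The new allowed-class check on `$pref['post_script']` runs only while the prefs page is being rendered, so if the POST save path (not in this hunk) stores the submitted value without the same check, a disallowed class can still be persisted and is only reset on the next page view; the validation against `uc_required_class_list('nobody,admin,main,classes,no-excludes', true)` should also be applied where the submitted value is written, if that is not already the case. The list string `'nobody,admin,main,classes,no-excludes'` is now duplicated between this validation and the `uc_dropdown` call in the 1186 hunk; hoisting it once, e.g. `$postScriptClasses = 'nobody,admin,main,classes,no-excludes';`, and using it in both places keeps the validator and the dropdown from drifting apart. The two fallback assignments also disagree on type, `$pref['post_script'] = '255';` in the isset branch versus `$pref['post_script'] = 255;` in the else branch, and the braceless `if ($savePrefs) $core_pref->setPref($pref)->save(false, true);` would be safer with braces given the surrounding style. The comment `// This should close a possible security hole...` would help a later maintainer more if it named what the hole is, i.e. which classes this pref grants and why the previous list was too broad.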
- ".r_userclass('post_script',$pref['post_script'],'off','nobody,member,admin,main,classes')." + ".//r_userclass('post_script',$pref['post_script'],'off','nobody,member,admin,main,classes') + $e_userclass->uc_dropdown('post_script',$pref['post_script'],'off','nobody,admin,main,classes,no-excludes') + ."
".PRFLAN_216."