mirror/php-e107
1
0
Fork 0
mirror of https://github.com/e107inc/e107.git synced 2025-07-27 09:50:49 +02:00
Code Issues Releases Wiki Activity

Security - protect from php injections in the (almost same) way 0.7 does it

Browse Source
This commit is contained in:
secretr
2011-03-19 11:54:12 +00:00
parent 6ecf44adb8
commit b8f183f46b
1 changed files with 16 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
e107_handlers/e_parse_class.php
View File

@@ -2,7 +2,7 @@
/* /*
* e107 website system * e107 website system
* *
* Copyright (C) 2008-2010 e107 Inc (e107.org) * Copyright (C) 2008-2011 e107 Inc (e107.org)
* Released under the terms and conditions of the * Released under the terms and conditions of the
* GNU General Public License (http://www.gnu.org/licenses/gpl.txt) * GNU General Public License (http://www.gnu.org/licenses/gpl.txt)
* *
@@ -1367,9 +1367,11 @@ class e_parse
// Not sure whether checks are necessary now we've reorganised // Not sure whether checks are necessary now we've reorganised
// if (!$matches[3]) $bbcode = str_replace($search, $replace, $matches[4]); // if (!$matches[3]) $bbcode = str_replace($search, $replace, $matches[4]);
// Because we're bypassing most of the initial parser processing, we should be able to just reverse the effects of toDB() and execute the code // Because we're bypassing most of the initial parser processing, we should be able to just reverse the effects of toDB() and execute the code
// [SecretR] - avoid php code injections, missing php.bb will completely disable user posted php blocks
$bbcode = file_get_contents($bbFile);
if (!$matches[3]) if (!$matches[3])
{ {
$bbcode = html_entity_decode($matches[4], ENT_QUOTES, 'UTF-8'); $code_text = html_entity_decode($matches[4], ENT_QUOTES, 'UTF-8');
} }
break; break;
@@ -1408,7 +1410,7 @@ class e_parse
// Do the 'normal' processing - in principle, as previously - but think about the order. // Do the 'normal' processing - in principle, as previously - but think about the order.
if ($proc_funcs) if ($proc_funcs && !empty($full_text)) // some more speed
{ {
// Split out and ignore any scripts and style blocks. With just two choices we can match the closing tag in the regex // Split out and ignore any scripts and style blocks. With just two choices we can match the closing tag in the regex
@@ -2179,10 +2181,14 @@ class e_parse
public function toEmail($text, $posted = "", $mods = "parse_sc, no_make_clickable") public function toEmail($text, $posted = "", $mods = "parse_sc, no_make_clickable")
{ {
if($posted === TRUE && MAGIC_QUOTES_GPC) if ($posted === TRUE)
{
if (MAGIC_QUOTES_GPC)
{ {
$text = stripslashes($text); $text = stripslashes($text);
} }
$text = preg_replace('#\[(php)#i', '[\\1', $text);
}
$text = (strtolower($mods) != "rawtext") ? $this->replaceConstants($text, "full") : $text; $text = (strtolower($mods) != "rawtext") ? $this->replaceConstants($text, "full") : $text;
$text = $this->toHTML($text, TRUE, $mods); $text = $this->toHTML($text, TRUE, $mods);