* `strftime()` has been replaced with a polyfill based on `DateTime`.
* Explicit type casts/assertions added where required by PHP 8.1
* `filter_var(…, FILTER_SANITIZE_STRING)` replaced with `strip_tags()`
or HTML entity encoding of quotation marks, depending on a guess of
what the intended "sanitization" was
* `http_build_query()` usage type mismatches fixed
* Removed usages of the `FILE_TEXT` constant
* To avoid breaking PHP 5.6 compatibility (function return types),
`e_session_db` no longer implements `SessionHandlerInterface`.
Instead, the alternative non-OOP invocation of
`session_set_save_handler()` is used to apply the session
handler.
* The shim for `strptime()` still calls the native function if available
but now suppresses the deprecation warning.
* `e_db_pdo` explicitly asks for `PDO::ATTR_STRINGIFY_FETCHES` to
maintain consistent behavior with past versions of PHP.
* `e_db_mysql` explicitly sets `mysqli_report(MYSQLI_REPORT_OFF)` to
maintain consistent behavior with past versions of PHP.
* Removed pointless random number generator seed from `banner` plugin
* Workaround for `COUNT(*)` SQL query in
`validatorClass::dbValidateArray()` without a proper API for avoiding
SQL injection

Fixes: #4010
Related: #3111

==== Problem ====
If there are two download mirrors, `slow.example.com` and
`fast.example.com`, hotlink protection using an NGINX `secure_link_md5`
expression in the Downloads plugin cannot distinguish between these
hostnames.
This means that a user limited to `slow.example.com` can change the
download host to `fast.example.com` and download from the better mirror.
==== Solution ====
To solve this, `NginxSecureLinkMd5Decorator` needs to support the NGINX
`$host` variable. Having this variable in the expression will lock down
the secure link to the specific download host.
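
Added example (not code from the e107 project): a PHP model of how a mirror recomputes a `secure_link_md5` token, showing that a link issued for `slow.example.com` still validates on `fast.example.com` unless `$host` is part of the expression. It assumes both mirrors share the same expression and secret; the secret, URI, clock value and function names are constructed for illustration.

```php
<?php
// Added example: models how NGINX evaluates a secure_link_md5 expression.
// The secret, URI, clock value and function names are constructed, not e107 code.

/** Expand NGINX-style variables, e.g. "$secure_link_expires$uri$host secret". */
function expand_expression(string $expression, array $vars): string
{
    // Replace longest names first so a short name never clobbers a longer one.
    uksort($vars, fn($a, $b) => strlen($b) - strlen($a));
    foreach ($vars as $name => $value) {
        $expression = str_replace('$' . $name, (string) $value, $expression);
    }
    return $expression;
}

/** Token format of secure_link_md5: base64url of the binary MD5, padding removed. */
function secure_link_token(string $expression, array $vars): string
{
    $digest = md5(expand_expression($expression, $vars), true);
    return rtrim(strtr(base64_encode($digest), '+/', '-_'), '=');
}

/** What a mirror does: recompute the token from the request it actually received. */
function mirror_accepts(string $expression, array $requestVars, string $token, int $now): bool
{
    if ((int) $requestVars['secure_link_expires'] < $now) {
        return false; // link has expired
    }
    return hash_equals(secure_link_token($expression, $requestVars), $token);
}

$now     = 1700000000; // constructed clock value
$issued  = ['secure_link_expires' => $now + 3600, 'uri' => '/files/demo.zip', 'host' => 'slow.example.com'];
$swapped = ['host' => 'fast.example.com'] + $issued; // same link, different Host header

$withoutHost = '$secure_link_expires$uri constructed-secret';
$withHost    = '$secure_link_expires$uri$host constructed-secret';

foreach (['without $host' => $withoutHost, 'with $host' => $withHost] as $label => $expression) {
    $token = secure_link_token($expression, $issued); // link issued for slow.example.com
    printf("%-13s slow=%s fast=%s\n", $label,
        var_export(mirror_accepts($expression, $issued, $token, $now), true),
        var_export(mirror_accepts($expression, $swapped, $token, $now), true));
}
```
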
- Moved away from e107_admin/message.php to its own place in the Downloads admin area.
- Notification of broken downloads now controlled by e_notify (see Admin Area > Settings > Notify)
- Updated notification message
- Added e_dashboard addon to show latest status on broken download reports
- MOD: Refactored NGINX secure_link_md5 decorator into interface and
class in Downloads plugin
- NEW: Downloads plugin: Admin preferences UX improvement:
Preferences >> Protection now shows the user a list of
supported NGINX variables pulled from
NginxSecureLinkMd5Decorator