mirror/php-phpbb
1
0
Fork 0
mirror of https://github.com/phpbb/phpbb.git synced 2025-07-25 11:01:48 +02:00
Code Issues Releases Wiki Activity

Remove user facing session_id checks, they remain in admin and mod panels, fix bug which allows sending email via board even when disabled

Browse Source 
git-svn-id: file:///svn/phpbb/branches/phpBB-2_0_0@3481 89ea8834-ac86-4346-8a33-228a782c2dd0
This commit is contained in:
Paul S. Owen
2003-02-21 11:16:44 +00:00
parent e6e429b7f9
commit ea33ee4b11
9 changed files with 31 additions and 105 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
phpBB/includes/constants.php
View File

@@ -152,6 +152,7 @@ define('AUTH_ACCESS_TABLE', $table_prefix.'auth_access');
define('BANLIST_TABLE', $table_prefix.'banlist');
define('CATEGORIES_TABLE', $table_prefix.'categories');
define('CONFIG_TABLE', $table_prefix.'config');
define('CONFIRM_TABLE', $table_prefix.'confirm');
define('DISALLOW_TABLE', $table_prefix.'disallow');
define('FORUMS_TABLE', $table_prefix.'forums');
define('GROUPS_TABLE', $table_prefix.'groups');

5
phpBB/includes/functions_post.php
View File

@@ -222,7 +222,7 @@ function submit_post($mode, &$post_data, &$message, &$meta, &$forum_id, &$topic_
$current_time = time();
if ($mode == 'newtopic' || $mode == 'reply')
if ($mode == 'newtopic' || $mode == 'reply' || $mode == 'editpost')
{
//
// Flood control
@@ -242,7 +242,8 @@ function submit_post($mode, &$post_data, &$message, &$meta, &$forum_id, &$topic_
}
}
}
else if ($mode == 'editpost')
if ($mode == 'editpost')
{
remove_search_post($post_id);
}

14
phpBB/includes/usercp_email.php
View File

@@ -27,6 +27,12 @@ if ( !defined('IN_PHPBB') )
exit;
}
// Is send through board enabled? No, return to index
if (!$board_config['board_email_form'])
{
redirect(append_sid("index.$phpEx"));
}
if ( !empty($HTTP_GET_VARS[POST_USERS_URL]) || !empty($HTTP_POST_VARS[POST_USERS_URL]) )
{
$user_id = ( !empty($HTTP_GET_VARS[POST_USERS_URL]) ) ? intval($HTTP_GET_VARS[POST_USERS_URL]) : intval($HTTP_POST_VARS[POST_USERS_URL]);
@@ -61,12 +67,6 @@ if ( $result = $db->sql_query($sql) )
if ( isset($HTTP_POST_VARS['submit']) )
{
// session id check
if ($sid == '' || $sid != $userdata['session_id'])
{
message_die(GENERAL_ERROR, 'Invalid_session');
}
$error = FALSE;
if ( !empty($HTTP_POST_VARS['subject']) )
@@ -175,7 +175,7 @@ if ( $result = $db->sql_query($sql) )
$template->assign_vars(array(
'USERNAME' => $username,
'S_HIDDEN_FIELDS' => '<input type="hidden" name="sid" value="' . $userdata['session_id'] . '" />',
'S_HIDDEN_FIELDS' => '',
'S_POST_ACTION' => append_sid("profile.$phpEx?&amp;mode=email&amp;" . POST_USERS_URL . "=$user_id"),
'L_SEND_EMAIL_MSG' => $lang['Send_email_msg'],

12
phpBB/includes/usercp_register.php
View File

@@ -46,8 +46,8 @@ function show_coppa()
"AGREE_UNDER_13" => $lang['Agree_under_13'],
'DO_NOT_AGREE' => $lang['Agree_not'],
"U_AGREE_OVER13" => "profile.$phpEx?mode=register&amp;agreed=true&amp;sid=" . $userdata['session_id'],
"U_AGREE_UNDER13" => "profile.$phpEx?mode=register&amp;agreed=true&amp;coppa=true&amp;sid=" . $userdata['session_id'])
"U_AGREE_OVER13" => "profile.$phpEx?mode=register&amp;agreed=true",
"U_AGREE_UNDER13" => "profile.$phpEx?mode=register&amp;agreed=true&amp;coppa=true")
);
$template->pparse('body');
@@ -80,12 +80,6 @@ if (
isset($HTTP_POST_VARS['cancelavatar']) ||
$mode == 'register' )
{
// session id check
if ($sid == '' || $sid != $userdata['session_id'])
{
message_die(GENERAL_ERROR, 'Invalid_session');
}
include($phpbb_root_path . 'includes/functions_validate.'.$phpEx);
include($phpbb_root_path . 'includes/bbcode.'.$phpEx);
include($phpbb_root_path . 'includes/functions_post.'.$phpEx);
@@ -765,7 +759,7 @@ else
}
}
$s_hidden_fields = '<input type="hidden" name="sid" value="' . $userdata['session_id'] . '" /><input type="hidden" name="mode" value="' . $mode . '" /><input type="hidden" name="agreed" value="true" /><input type="hidden" name="coppa" value="' . $coppa . '" />';
$s_hidden_fields = '<input type="hidden" name="mode" value="' . $mode . '" /><input type="hidden" name="agreed" value="true" /><input type="hidden" name="coppa" value="' . $coppa . '" />';
if( $mode == 'editprofile' )
{
$s_hidden_fields .= '<input type="hidden" name="user_id" value="' . $userdata['user_id'] . '" />';

8
phpBB/includes/usercp_sendpasswd.php
View File

@@ -29,12 +29,6 @@ if ( !defined('IN_PHPBB') )
if ( isset($HTTP_POST_VARS['submit']) )
{
// session id check
if ($sid == '' || $sid != $userdata['session_id'])
{
message_die(GENERAL_ERROR, 'Invalid_session');
}
$username = ( !empty($HTTP_POST_VARS['username']) ) ? trim(strip_tags($HTTP_POST_VARS['username'])) : '';
$email = ( !empty($HTTP_POST_VARS['email']) ) ? trim(strip_tags(htmlspecialchars($HTTP_POST_VARS['email']))) : '';
@@ -133,7 +127,7 @@ $template->assign_vars(array(
'L_SUBMIT' => $lang['Submit'],
'L_RESET' => $lang['Reset'],
'S_HIDDEN_FIELDS' => '<input type="hidden" name="sid" value="' . $userdata['session_id'] . '" />',
'S_HIDDEN_FIELDS' => '',
'S_PROFILE_ACTION' => append_sid("profile.$phpEx?mode=sendpassword"))
);