From 3c94d07beba64154ecd707805fa87f2eaf5e4d02 Mon Sep 17 00:00:00 2001 From: Anika Henke Date: Sat, 26 Jan 2013 16:53:23 +0000 Subject: store choices for recent changes and diff views in cookie (FS#2438 and FS#2700) Note: These changes don't work yet. The cookie is not set and deletes the old one. --- inc/common.php | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) (limited to 'inc/common.php') diff --git a/inc/common.php b/inc/common.php index bc49e76b2..c74010223 100644 --- a/inc/common.php +++ b/inc/common.php @@ -1560,4 +1560,30 @@ function get_doku_pref($pref, $default) { return $default; } +/** + * Add a preference to the DokuWiki cookie + */ +function set_doku_pref($pref, $val) { + global $conf; + $orig = get_doku_pref($pref, false); + $cookieVal = ''; + + if($orig && ($orig != $val)) { + $parts = explode('#', $_COOKIE['DOKU_PREFS']); + $cnt = count($parts); + for($i = 0; $i < $cnt; $i += 2) { + if($parts[$i] == $pref) { + $parts[$i + 1] = urlencode($val); + } + } + $cookieVal = implode('#', $parts); + } else if (!$orig) { + $cookieVal = $_COOKIE['DOKU_PREFS'].'#'.urlencode($pref).'#'.urlencode($val); + } + + if (!empty($cookieVal)) { + setcookie('DOKU_PREFS', $cookieVal, mktime('+1 year'), DOKU_BASE, '', ($conf['securecookie'] && is_ssl())); + } +} + //Setup VIM: ex: et ts=2 : -- cgit v1.2.3 From c18b2212cfd6c8b085b8f82e0a43fe052c5fb57f Mon Sep 17 00:00:00 2001 From: Anika Henke Date: Sat, 26 Jan 2013 17:18:14 +0000 Subject: fixed setting cookie not working --- inc/common.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'inc/common.php') diff --git a/inc/common.php b/inc/common.php index c74010223..e436ec263 100644 --- a/inc/common.php +++ b/inc/common.php 
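Review bot: `if($orig && ($orig != $val))` and `else if (!$orig)` in the new set_doku_pref test the stored preference by truthiness, so a preference whose current value is `'0'` or `''` is treated as absent and appended to the cookie a second time instead of being updated. Since the lookup passes `false` as the default, compare against that sentinel: `if($orig !== false && $orig != $val) {` and `} else if ($orig === false) {`. Keep in mind that `$_COOKIE['DOKU_PREFS']` is client-controlled, so the rewrite loop should not assume an even number of `#`-separated parts; checking `isset($parts[$i + 1])` before assigning avoids acting on a malformed cookie.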
@@ -1582,7 +1582,7 @@ function set_doku_pref($pref, $val) { } if (!empty($cookieVal)) { - setcookie('DOKU_PREFS', $cookieVal, mktime('+1 year'), DOKU_BASE, '', ($conf['securecookie'] && is_ssl())); + setcookie('DOKU_PREFS', $cookieVal, strtotime('+1 year'), DOKU_BASE, '', ($conf['securecookie'] && is_ssl())); } } -- cgit v1.2.3 From 50f261f7d8fd4138fab3fca8c9b9eea290a3885b Mon Sep 17 00:00:00 2001 From: Michael Hamann Date: Sat, 26 Jan 2013 18:24:07 +0100 Subject: Fix set_doku_pref cookie date and value --- inc/common.php | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'inc/common.php') diff --git a/inc/common.php b/inc/common.php index e436ec263..88e60f02c 100644 --- a/inc/common.php +++ b/inc/common.php @@ -1574,15 +1574,16 @@ function set_doku_pref($pref, $val) { for($i = 0; $i < $cnt; $i += 2) { if($parts[$i] == $pref) { $parts[$i + 1] = urlencode($val); + break; } } $cookieVal = implode('#', $parts); } else if (!$orig) { - $cookieVal = $_COOKIE['DOKU_PREFS'].'#'.urlencode($pref).'#'.urlencode($val); + $cookieVal = ($_COOKIE['DOKU_PREFS'] ? $_COOKIE['DOKU_PREFS'].'#' : '').urlencode($pref).'#'.urlencode($val); } if (!empty($cookieVal)) { - setcookie('DOKU_PREFS', $cookieVal, strtotime('+1 year'), DOKU_BASE, '', ($conf['securecookie'] && is_ssl())); + setcookie('DOKU_PREFS', $cookieVal, time()+365*24*3600, DOKU_BASE, '', ($conf['securecookie'] && is_ssl())); } } -- cgit v1.2.3 From c94fb9c2885704fc57d2eaef079f50465715c332 Mon Sep 17 00:00:00 2001 From: Anika Henke Date: Sun, 3 Feb 2013 17:14:15 +0000 Subject: urldecode DOKU_PREFS cookie values --- inc/common.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'inc/common.php') diff --git a/inc/common.php b/inc/common.php index 88e60f02c..5861e9b90 100644 --- a/inc/common.php +++ b/inc/common.php 
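Review bot: `($_COOKIE['DOKU_PREFS'] ? $_COOKIE['DOKU_PREFS'].'#' : '')` in the `else if (!$orig)` branch still reads the index unguarded, and that branch is the one taken on a first visit when no cookie exists yet, so it raises an undefined-index notice on exactly the case it was written for. `(!empty($_COOKIE['DOKU_PREFS']) ? $_COOKIE['DOKU_PREFS'].'#' : '')` gives the same result without the notice. The added `break` is correct for a well-formed cookie; since the cookie is client-supplied, a duplicated key would keep a stale second copy, which is presumably harmless because the getter also stops at the first match.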
@@ -1553,7 +1553,7 @@ function get_doku_pref($pref, $default) { $cnt = count($parts); for($i = 0; $i < $cnt; $i += 2) { if($parts[$i] == $pref) { - return $parts[$i + 1]; + return urldecode($parts[$i + 1]); } } } -- cgit v1.2.3 From 58bedc8a310955dbc00e738bec1dc4f442eaff4e Mon Sep 17 00:00:00 2001 From: borekb Date: Wed, 30 Jan 2013 21:51:39 +0100 Subject: Updated idfilter() function for IIS There is a condition inside idfilter() function that helps Apache on Windows to properly handle colon as a namespace separator by replacing it with semicolon. However, this is not necessary on Microsoft IIS server so the condition was improved. --- inc/common.php | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'inc/common.php') diff --git a/inc/common.php b/inc/common.php index bc49e76b2..a270e4eaf 100644 --- a/inc/common.php +++ b/inc/common.php @@ -311,7 +311,7 @@ function breadcrumbs() { * * This is run on a ID before it is outputted somewhere * currently used to replace the colon with something else - * on Windows systems and to have proper URL encoding + * on Windows non-IIS systems and to have proper URL encoding * * Urlencoding is ommitted when the second parameter is false * @@ -322,7 +322,8 @@ function idfilter($id, $ue = true) { if($conf['useslash'] && $conf['userewrite']) { $id = strtr($id, ':', '/'); } elseif(strtoupper(substr(PHP_OS, 0, 3)) === 'WIN' && - $conf['userewrite'] + $conf['userewrite'] && + strpos($_SERVER['SERVER_SOFTWARE'], 'Microsoft-IIS') === false ) { $id = strtr($id, ':', ';'); } -- cgit v1.2.3 From 907f24f7352841e6c3030e143ec75661c55244d8 Mon Sep 17 00:00:00 2001 From: Andreas Gohr Date: Sun, 3 Feb 2013 21:12:06 +0100 Subject: added comment on use of whitelist vs blacklist --- inc/common.php | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'inc/common.php') diff --git a/inc/common.php b/inc/common.php index a270e4eaf..db39affc6 100644 --- a/inc/common.php +++ b/inc/common.php 
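Review bot: in the idfilter hunk, `strpos($_SERVER['SERVER_SOFTWARE'], 'Microsoft-IIS') === false` assumes `SERVER_SOFTWARE` is always populated; when it is absent (non-web SAPIs or some gateway setups — confirm which apply here) the read raises a notice and `strpos(null, ...)` returns `false`, which still takes the colon-replacement path on Windows. Making that fallback explicit keeps the conservative default and silences the notice: `(!isset($_SERVER['SERVER_SOFTWARE']) || strpos($_SERVER['SERVER_SOFTWARE'], 'Microsoft-IIS') === false)`. The header is set by the server rather than the client, so a substring match on it is acceptable.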
@@ -311,7 +311,11 @@ function breadcrumbs() { * * This is run on a ID before it is outputted somewhere * currently used to replace the colon with something else - * on Windows non-IIS systems and to have proper URL encoding + * on Windows (non-IIS) systems and to have proper URL encoding + * + * See discussions at https://github.com/splitbrain/dokuwiki/pull/84 and + * https://github.com/splitbrain/dokuwiki/pull/173 why we use a whitelist of + * unaffected servers instead of blacklisting affected servers here. * * Urlencoding is ommitted when the second parameter is false * -- cgit v1.2.3 From 66ab63caaa47f880a636d65d332b0faf69f0a77a Mon Sep 17 00:00:00 2001 From: Anika Henke Date: Sun, 3 Feb 2013 20:14:15 +0000 Subject: check preferences in cookie against urldecoded key --- inc/common.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'inc/common.php') diff --git a/inc/common.php b/inc/common.php index 5861e9b90..5582838de 100644 --- a/inc/common.php +++ b/inc/common.php @@ -1552,7 +1552,7 @@ function get_doku_pref($pref, $default) { $parts = explode('#', $_COOKIE['DOKU_PREFS']); $cnt = count($parts); for($i = 0; $i < $cnt; $i += 2) { - if($parts[$i] == $pref) { + if(urldecode($parts[$i]) == $pref) { return urldecode($parts[$i + 1]); } } -- cgit v1.2.3 From 02143fe9eb35259159906959a1253735d9df4fe1 Mon Sep 17 00:00:00 2001 From: Anika Henke Date: Sun, 3 Feb 2013 20:39:04 +0000 Subject: some urldecoding also needed in the cookie setter --- inc/common.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'inc/common.php') diff --git a/inc/common.php b/inc/common.php index 5582838de..2626c0d92 100644 --- a/inc/common.php +++ b/inc/common.php @@ -1572,7 +1572,7 @@ function set_doku_pref($pref, $val) { $parts = explode('#', $_COOKIE['DOKU_PREFS']); $cnt = count($parts); for($i = 0; $i < $cnt; $i += 2) { - if($parts[$i] == $pref) { + if(urldecode($parts[$i]) == $pref) { $parts[$i + 1] = urlencode($val); break; } -- cgit v1.2.3 
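Review bot: in the get_doku_pref hunk, `return urldecode($parts[$i + 1]);` still assumes every key has a value; the cookie is client-supplied, and an odd number of `#`-separated parts (a trailing `#` is enough) lets a key match at the last index, so the function returns `''` from an undefined offset instead of `$default`. Guard the lookup: `return isset($parts[$i + 1]) ? urldecode($parts[$i + 1]) : $default;`. Both sides of `urldecode($parts[$i]) == $pref` are strings, so `===` would also avoid PHP's numeric-string coercion on loose equality (`'1e1' == '10'` is true).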
From 36ec377e95e1b932a063729ea6582386dbafdb91 Mon Sep 17 00:00:00 2001 From: Christopher Smith Date: Sun, 3 Feb 2013 21:06:25 +0000 Subject: update for encoded cookie value & using rawurlencode --- inc/common.php | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) (limited to 'inc/common.php') diff --git a/inc/common.php b/inc/common.php index 2626c0d92..730f4dc80 100644 --- a/inc/common.php +++ b/inc/common.php @@ -1548,12 +1548,14 @@ function valid_input_set($param, $valid_values, $array, $exc = '') { * Read a preference from the DokuWiki cookie */ function get_doku_pref($pref, $default) { - if(strpos($_COOKIE['DOKU_PREFS'], $pref) !== false) { - $parts = explode('#', $_COOKIE['DOKU_PREFS']); + // first, urldecode the cookie value + $doku_prefs = urldecode($_COOKIE['DOKU_PREFS']); + if(strpos($doku_prefs, $pref) !== false) { + $parts = explode('#', $doku_prefs); $cnt = count($parts); for($i = 0; $i < $cnt; $i += 2) { - if(urldecode($parts[$i]) == $pref) { - return urldecode($parts[$i + 1]); + if($parts[$i] == $pref) { + return $parts[$i + 1]; } } } @@ -1562,6 +1564,7 @@ function get_doku_pref($pref, $default) { /** * Add a preference to the DokuWiki cookie + * (remembering $_COOKIE['DOKU_PREFS'] is urlencoded) */ function set_doku_pref($pref, $val) { global $conf; 
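Review bot: `$doku_prefs = urldecode($_COOKIE['DOKU_PREFS']);` reads the cookie unguarded, so every request that carries no DOKU_PREFS cookie raises an undefined-index notice before the `strpos` check even runs. `$doku_prefs = isset($_COOKIE['DOKU_PREFS']) ? urldecode($_COOKIE['DOKU_PREFS']) : '';` keeps the same result for all other inputs. While here, `if($parts[$i] == $pref)` compares two strings and should use `===` to rule out loose numeric comparison on client-supplied data.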
@@ -1571,15 +1574,17 @@ function set_doku_pref($pref, $val) { if($orig && ($orig != $val)) { $parts = explode('#', $_COOKIE['DOKU_PREFS']); $cnt = count($parts); + // urlencode $pref for the comparison + $enc_pref = rawurlencode($pref); for($i = 0; $i < $cnt; $i += 2) { - if(urldecode($parts[$i]) == $pref) { - $parts[$i + 1] = urlencode($val); + if($parts[$i] == $enc_pref) { + $parts[$i + 1] = rawurlencode($val); break; } } $cookieVal = implode('#', $parts); } else if (!$orig) { - $cookieVal = ($_COOKIE['DOKU_PREFS'] ? $_COOKIE['DOKU_PREFS'].'#' : '').urlencode($pref).'#'.urlencode($val); + $cookieVal = ($_COOKIE['DOKU_PREFS'] ? $_COOKIE['DOKU_PREFS'].'#' : '').rawurlencode($pref).'#'.rawurlencode($val); } if (!empty($cookieVal)) { -- cgit v1.2.3 From 646a531a33fe5c5e32a932e2a889c43702505c48 Mon Sep 17 00:00:00 2001 From: Christopher Smith Date: Sun, 3 Feb 2013 21:20:42 +0000 Subject: ensure getter works with keys & values containing '#' --- inc/common.php | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'inc/common.php') diff --git a/inc/common.php b/inc/common.php index 730f4dc80..be369d28a 100644 --- a/inc/common.php +++ b/inc/common.php @@ -1546,16 +1546,16 @@ function valid_input_set($param, $valid_values, $array, $exc = '') { /** * Read a preference from the DokuWiki cookie + * (remembering both keys & values are urlencoded) */ function get_doku_pref($pref, $default) { - // first, urldecode the cookie value - $doku_prefs = urldecode($_COOKIE['DOKU_PREFS']); - if(strpos($doku_prefs, $pref) !== false) { - $parts = explode('#', $doku_prefs); + $enc_pref = urlencode($pref); + if(strpos($_COOKIE['DOKU_PREFS'], $enc_pref) !== false) { + $parts = explode('#', $_COOKIE['DOKU_PREFS']); $cnt = count($parts); for($i = 0; $i < $cnt; $i += 2) { - if($parts[$i] == $pref) { - return $parts[$i + 1]; + if($parts[$i] == $enc_pref) { + return urldecode($parts[$i + 1]); } } } -- cgit v1.2.3 
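Review bot: the get_doku_pref hunk encodes the lookup key with `$enc_pref = urlencode($pref);` while the set_doku_pref hunk above writes keys with `rawurlencode($pref)`; the two differ at least for a space (`+` vs `%20`) and for `~`, so a preference name containing either is written by the setter but never found by the getter. Use the same function on both sides: `$enc_pref = rawurlencode($pref);`. Values are consistent as written (`rawurlencode` on write, `urldecode` on read) because rawurlencode never emits a literal `+`.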
From 1015a57dff9a6f85b8e0534d280aa1e09945a598 Mon Sep 17 00:00:00 2001 From: Christopher Smith Date: Sat, 16 Feb 2013 21:08:09 +0000 Subject: FS#2415 add to mediamanager (refactor pageinfo() and shift MEDIAMANAGER_STARTED after mediainfo() sets up ) --- inc/common.php | 68 ++++++++++++++++++++++++++++++++++++++++------------------ 1 file changed, 47 insertions(+), 21 deletions(-) (limited to 'inc/common.php') diff --git a/inc/common.php b/inc/common.php index 28b527633..d4265f78c 100644 --- a/inc/common.php +++ b/inc/common.php @@ -86,32 +86,20 @@ function formSecurityToken($print = true) { } /** - * Return info about the current document as associative - * array. + * Determine basic information for a request of $id * - * @author Andreas Gohr + * @param unknown_type $id + * @param unknown_type $httpClient */ -function pageinfo() { - global $ID; - global $REV; - global $RANGE; +function basicinfo($id, $htmlClient=true){ global $USERINFO; - global $lang; - - // include ID & REV not redundant, as some parts of DokuWiki may temporarily change $ID, e.g. p_wiki_xhtml - // FIXME ... perhaps it would be better to ensure the temporary changes weren't necessary - $info['id'] = $ID; - $info['rev'] = $REV; // set info about manager/admin status. $info['isadmin'] = false; $info['ismanager'] = false; if(isset($_SERVER['REMOTE_USER'])) { - $sub = new Subscription(); - $info['userinfo'] = $USERINFO; - $info['perm'] = auth_quickaclcheck($ID); - $info['subscribed'] = $sub->user_subscription(); + $info['perm'] = auth_quickaclcheck($id); $info['client'] = $_SERVER['REMOTE_USER']; if($info['perm'] == AUTH_ADMIN) { 
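Review bot: the new docblock on basicinfo documents `@param unknown_type $httpClient` while the signature declares `$htmlClient`, so the name is wrong and the types are placeholders; the second hunk of this commit shows the flag only gates `clientismobile()`, so `@param string $id`, `@param bool $htmlClient whether the caller renders HTML (enables mobile detection)` and `@return array` would describe it accurately. Style nit: `function basicinfo($id, $htmlClient=true){` drops the spacing the rest of the file uses (`function pageinfo() {`). The function body continues past the end of this hunk.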
@@ -127,12 +115,40 @@ function pageinfo() { } } else { - $info['perm'] = auth_aclcheck($ID, '', null); + $info['perm'] = auth_aclcheck($id, '', null); $info['subscribed'] = false; $info['client'] = clientIP(true); } - $info['namespace'] = getNS($ID); + $info['namespace'] = getNS($id); + + // mobile detection + if ($htmlClient) { + $info['ismobile'] = clientismobile(); + } + + return $info; + } + +/** + * Return info about the current document as associative + * array. + * + * @author Andreas Gohr + */ +function pageinfo() { + global $ID; + global $REV; + global $RANGE; + global $lang; + + $info = basicinfo($ID); + + // include ID & REV not redundant, as some parts of DokuWiki may temporarily change $ID, e.g. p_wiki_xhtml + // FIXME ... perhaps it would be better to ensure the temporary changes weren't necessary + $info['id'] = $ID; + $info['rev'] = $REV; + $info['locked'] = checklock($ID); $info['filepath'] = fullpath(wikiFN($ID)); $info['exists'] = @file_exists($info['filepath']); @@ -210,8 +226,18 @@ function pageinfo() { } } - // mobile detection - $info['ismobile'] = clientismobile(); + return $info; +} + +/** + * Return information about the current media item as an associative array. + */ +function mediainfo(){ + global $NS; + global $IMG; + + $info = basicinfo("$NS:*"); + $info['image'] = $IMG; return $info; } -- cgit v1.2.3 From 7e87a794494ea987ebc31decd939a25d44a5c00d Mon Sep 17 00:00:00 2001 From: Christopher Smith Date: Sun, 17 Feb 2013 20:03:38 +0000 Subject: fix missing 'subscribed' key --- inc/common.php | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) (limited to 'inc/common.php') diff --git a/inc/common.php b/inc/common.php index d4265f78c..5c28cf9c3 100644 --- a/inc/common.php +++ b/inc/common.php 
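Review bot: `if ($htmlClient) { $info['ismobile'] = clientismobile(); }` leaves the `ismobile` key out of the array entirely for non-HTML callers, whereas the removed line in pageinfo() always set it, so any consumer reading `$INFO['ismobile']` unconditionally would now hit an undefined index for such callers (the consumers are not visible here — confirm). Setting a defined value keeps the array shape stable: `$info['ismobile'] = $htmlClient ? clientismobile() : false;`. The new mediainfo() docblock could also carry a `@return array` line matching pageinfo().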
@@ -88,8 +88,8 @@ function formSecurityToken($print = true) { /** * Determine basic information for a request of $id * - * @param unknown_type $id - * @param unknown_type $httpClient + * @author Andreas Gohr + * @author Chris Smith */ function basicinfo($id, $htmlClient=true){ global $USERINFO; @@ -116,7 +116,6 @@ function basicinfo($id, $htmlClient=true){ } else { $info['perm'] = auth_aclcheck($id, '', null); - $info['subscribed'] = false; $info['client'] = clientIP(true); } @@ -149,6 +148,13 @@ function pageinfo() { $info['id'] = $ID; $info['rev'] = $REV; + if(isset($_SERVER['REMOTE_USER'])) { + $sub = new Subscription(); + $info['subscribed'] = $sub->user_subscription(); + } else { + $info['subscribed'] = false; + } + $info['locked'] = checklock($ID); $info['filepath'] = fullpath(wikiFN($ID)); $info['exists'] = @file_exists($info['filepath']); -- cgit v1.2.3 From c33b315b06b3a52a61cb1ecc2b3beadd4ecd0311 Mon Sep 17 00:00:00 2001 From: Anika Henke Date: Mon, 18 Feb 2013 01:08:40 +0000 Subject: removed a bunch of functions which were deprecated in 2005/2006 --- inc/common.php | 21 --------------------- 1 file changed, 21 deletions(-) (limited to 'inc/common.php') diff --git a/inc/common.php b/inc/common.php index 28b527633..471eb91b5 100644 --- a/inc/common.php +++ b/inc/common.php @@ -1174,27 +1174,6 @@ function getGoogleQuery() { return $q; } -/** - * Try to set correct locale - * - * @deprecated No longer used - * @author Andreas Gohr - */ -function setCorrectLocale() { - global $conf; - global $lang; - - $enc = strtoupper($lang['encoding']); - foreach($lang['locales'] as $loc) { - //try locale - if(@setlocale(LC_ALL, $loc)) return; - //try loceale with encoding - if(@setlocale(LC_ALL, "$loc.$enc")) return; - } - //still here? try to set from environment - @setlocale(LC_ALL, ""); -} - /** * Return the human readable size of a file * -- cgit v1.2.3 From 0f4e009215bfa3136d334fa557335266637a7585 Mon Sep 17 00:00:00 2001 
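Review bot: the docblock hunk swaps the placeholder `@param` lines for authors but still documents neither parameter nor the return value of basicinfo, which the previous commit made the shared base of pageinfo() and mediainfo(). Add `@param string $id page or namespace id the info is computed for`, `@param bool $htmlClient when false, skip the mobile-client detection` and `@return array`. The `@@ -149` hunk is otherwise fine: `subscribed` is once again set on every path, matching what the old code guaranteed.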
From: Christopher Smith Date: Wed, 20 Mar 2013 00:06:07 +0000 Subject: add a token to fetch urls requiring image resize/crop to prevent external DDOS via fetch --- inc/common.php | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'inc/common.php') diff --git a/inc/common.php b/inc/common.php index 471eb91b5..27f90b53b 100644 --- a/inc/common.php +++ b/inc/common.php @@ -436,6 +436,10 @@ function exportlink($id = '', $format = 'raw', $more = '', $abs = false, $sep = function ml($id = '', $more = '', $direct = true, $sep = '&', $abs = false) { global $conf; if(is_array($more)) { + // add token for resized images + if($more['w'] || $more['h']){ + $more['tok'] = media_get_token($id,$more['w'],$more['h']); + } // strip defaults for shorter URLs if(isset($more['cache']) && $more['cache'] == 'cache') unset($more['cache']); if(!$more['w']) unset($more['w']); -- cgit v1.2.3 From 6db7468b987c4b5f9bcfdd7e98ceb1883c49a364 Mon Sep 17 00:00:00 2001 From: Andreas Gohr Date: Sun, 5 May 2013 14:38:10 +0200 Subject: make sure loaded text has the right encoding When pages contain non-UTF8 chars (eg. when posted through a script or when edited on the filesystem, parts of DokuWiki can break resulting in missing page content. This fixes these problems by forcing the content to UTF-8 on load. This will result in bad characters for input that is not latin1 but contents will at least be visible. --- inc/common.php | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'inc/common.php') diff --git a/inc/common.php b/inc/common.php index 27f90b53b..110350951 100644 --- a/inc/common.php +++ b/inc/common.php 
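Review bot: `if($more['w'] || $more['h'])` feeds the raw caller-supplied values straight into `media_get_token($id, $more['w'], $more['h'])`; if fetch.php derives its token from integer-cast request parameters (not visible here — confirm), a value such as `'80px'`, or a missing `h` passed as null, produces a token that never verifies and the resize silently fails. Normalizing once before the call keeps both sides in step and avoids the undefined-index reads: `$w = isset($more['w']) ? (int) $more['w'] : 0; $h = isset($more['h']) ? (int) $more['h'] : 0; if($w || $h) $more['tok'] = media_get_token($id, $w, $h);`. The surrounding `unset($more['w'])` lines rely on the same truthiness convention, so this stays consistent with them.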
@@ -781,11 +781,19 @@ function unlock($id) { /** * convert line ending to unix format * + * also makes sure the given text is valid UTF-8 + * * @see formText() for 2crlf conversion * @author Andreas Gohr */ function cleanText($text) { $text = preg_replace("/(\015\012)|(\015)/", "\012", $text); + + // if the text is not valid UTF-8 we simply assume latin1 + // this won't break any worse than it breaks with the wrong encoding + // but might actually fix the problem in many cases + if(!utf8_check($text)) $text = utf8_encode($text); + return $text; } -- cgit v1.2.3 From 5e7db1e21093dbb999f1d1cee487a791af3650eb Mon Sep 17 00:00:00 2001 From: Christopher Smith Date: Mon, 6 May 2013 01:06:16 +0100 Subject: ensure security token is included in media url when resize parameter is passed in string form, e.g. 'w=80' --- inc/common.php | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'inc/common.php') diff --git a/inc/common.php b/inc/common.php index 110350951..4d939ac77 100644 --- a/inc/common.php +++ b/inc/common.php @@ -447,6 +447,14 @@ function ml($id = '', $more = '', $direct = true, $sep = '&', $abs = false) if(isset($more['id']) && $direct) unset($more['id']); $more = buildURLparams($more, $sep); } else { + $matches = array(); + if (preg_match_all('/\b(w|h)=(\d*)\b/',$more,$matches,PREG_SET_ORDER)){ + $resize = array('w'=>0, 'h'=>0); + foreach ($matches as $match){ + $resize[$match[1]] = $match[2]; + } + $more .= $sep.'tok='.media_get_token($id,$resize['w'],$resize['h']); + } $more = str_replace('cache=cache', '', $more); //skip default $more = str_replace(',,', ',', $more); $more = str_replace(',', $sep, $more); -- cgit v1.2.3 From 826d276602b191ee09d3450f7a8f9476c0e787b1 Mon Sep 17 00:00:00 2001 
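Review bot: in the ml() hunk, the pattern `/\b(w|h)=(\d*)\b/` accepts an empty number, so `'w='` or `'h='` matches with `$match[2] === ''` and a token is computed for a resize that fetch.php presumably will not perform; `\d+` limits token generation to requests that actually carry a dimension. `$resize[$match[1]] = $match[2];` also lets a later duplicate (`w=80,w=90`) override an earlier one, which is only correct if fetch.php resolves duplicates the same way — confirm against lib/exe/fetch.php. The cleanText hunk is fine as a best-effort fix, and its comment honestly states the latin1 assumption.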
From: Klap-in Date: Tue, 21 May 2013 12:06:16 +0200 Subject: Clean internal ids in ml(), that it matches with fetch.php The resize token was broken because fetch.php cleans the id before the token calculation, while ml() uses the raw id --- inc/common.php | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'inc/common.php') diff --git a/inc/common.php b/inc/common.php index 4d939ac77..03236f7d4 100644 --- a/inc/common.php +++ b/inc/common.php @@ -435,6 +435,11 @@ function exportlink($id = '', $format = 'raw', $more = '', $abs = false, $sep = */ function ml($id = '', $more = '', $direct = true, $sep = '&', $abs = false) { global $conf; + $isexternalimage = preg_match('#^(https?|ftp)://#i', $id); + if(!$isexternalimage) { + $id = cleanID($id); + } + if(is_array($more)) { // add token for resized images if($more['w'] || $more['h']){ @@ -467,7 +472,7 @@ function ml($id = '', $more = '', $direct = true, $sep = '&', $abs = false) } // external URLs are always direct without rewriting - if(preg_match('#^(https?|ftp)://#i', $id)) { + if($isexternalimage) { $xlink .= 'lib/exe/fetch.php'; // add hash: $xlink .= '?hash='.substr(md5(auth_cookiesalt().$id), 0, 6); -- cgit v1.2.3 From cdcd66dfc2bcf16e481d10bfa2d3ff1b4d433f99 Mon Sep 17 00:00:00 2001 From: Andreas Gohr Date: Fri, 31 May 2013 09:22:45 +0200 Subject: use hmac for external ressource hash FS#2794 --- inc/common.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'inc/common.php') diff --git a/inc/common.php b/inc/common.php index 4d939ac77..e096d8b30 100644 --- a/inc/common.php +++ b/inc/common.php 
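Review bot: the added `$id = cleanID($id);` carries no explanation, and the reason it must sit above the token computation (parity with fetch.php, per the commit message) is not recoverable from the code, so a later refactor could move it below again and silently break every resized image. Add `// fetch.php cleans the id before verifying the resize token, so normalize it here first` above the `if(!$isexternalimage)` block. ml()'s body continues outside both hunks.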
@@ -470,7 +470,7 @@ function ml($id = '', $more = '', $direct = true, $sep = '&', $abs = false) if(preg_match('#^(https?|ftp)://#i', $id)) { $xlink .= 'lib/exe/fetch.php'; // add hash: - $xlink .= '?hash='.substr(md5(auth_cookiesalt().$id), 0, 6); + $xlink .= '?hash='.substr(PassHash::hmac('md5', $id, auth_cookiesalt()), 0, 6); if($more) { $xlink .= $sep.$more; $xlink .= $sep.'media='.rawurlencode($id); -- cgit v1.2.3 From a132f948f22ae344760ee3da82f9f92cf0f18b7b Mon Sep 17 00:00:00 2001 From: Andreas Gohr Date: Fri, 31 May 2013 09:25:43 +0200 Subject: use HMAC for CSRF security tokens FS#2794 --- inc/common.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'inc/common.php') diff --git a/inc/common.php b/inc/common.php index e096d8b30..55c5b5ac4 100644 --- a/inc/common.php +++ b/inc/common.php @@ -56,7 +56,7 @@ function stripctl($string) { * @return string */ function getSecurityToken() { - return md5(auth_cookiesalt().session_id().$_SERVER['REMOTE_USER']); + return PassHash::hmac('md5', session_id().$_SERVER['REMOTE_USER'], auth_cookiesalt()); } /** -- cgit v1.2.3 From b9ee6a44e7499b5c2e9f117096cedc769ef2e25d Mon Sep 17 00:00:00 2001 From: Klap-in Date: Sun, 9 Jun 2013 23:04:52 +0200 Subject: apply media_isexternal in ml() --- inc/common.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'inc/common.php') diff --git a/inc/common.php b/inc/common.php index 59ceb0c0d..5f045e72d 100644 --- a/inc/common.php +++ b/inc/common.php @@ -435,7 +435,7 @@ function exportlink($id = '', $format = 'raw', $more = '', $abs = false, $sep = */ function ml($id = '', $more = '', $direct = true, $sep = '&', $abs = false) { global $conf; - $isexternalimage = preg_match('#^(https?|ftp)://#i', $id); + $isexternalimage = media_isexternal($id); if(!$isexternalimage) { $id = cleanID($id); } -- cgit v1.2.3 From e0086ca277bafe4f068079a4655a5601914a6f03 Mon Sep 17 00:00:00 2001 
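Review bot: `substr(PassHash::hmac('md5', $id, auth_cookiesalt()), 0, 6)` keeps only 6 hex characters (24 bits) of the digest, so moving to a keyed hash removes the salt-recovery concern but an attacker who wants fetch.php to proxy an arbitrary external URL still faces only ~16M possibilities against the online check, with no rate limiting visible here. If the verifier in fetch.php is changed in step (it is not part of this diff — confirm), keeping more of the digest, e.g. `substr(PassHash::hmac('md5', $id, auth_cookiesalt()), 0, 16)`, raises that bar substantially for a few extra URL bytes. The same applies to the CSRF hunk below: the HMAC is a good change, but the comparison on the checking side should be constant-time where the PHP version allows.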
From: Andreas Gohr Date: Wed, 12 Jun 2013 21:45:37 +0200 Subject: check for spam in summary as well, added common spam summary --- inc/common.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'inc/common.php') diff --git a/inc/common.php b/inc/common.php index 59ceb0c0d..760a9f6dc 100644 --- a/inc/common.php +++ b/inc/common.php @@ -557,12 +557,13 @@ function checkwordblock($text = '') { global $TEXT; global $PRE; global $SUF; + global $SUM; global $conf; global $INFO; if(!$conf['usewordblock']) return false; - if(!$text) $text = "$PRE $TEXT $SUF"; + if(!$text) $text = "$PRE $TEXT $SUF $SUM"; // we prepare the text a tiny bit to prevent spammers circumventing URL checks $text = preg_replace('!(\b)(www\.[\w.:?\-;,]+?\.[\w.:?\-;,]+?[\w/\#~:.?+=&%@\!\-.:?\-;,]+?)([.:?\-;,]*[^\w/\#~:.?+=&%@\!\-.:?\-;,])!i', '\1http://\2 \2\3', $text); -- cgit v1.2.3
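Review bot: the new `"$PRE $TEXT $SUF $SUM"` only applies when the caller passes no `$text`, and nothing near the line says so, so callers that assemble their own text will keep skipping the summary without noticing. Add `// the default text also covers the edit summary, which the commit history shows carrying spam as well` above the assignment, and mention in the docblock's description of `$text` that an explicit text bypasses the summary check. The docblock itself is outside this hunk.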