From 130a3ce80d18fe961bfabb9867c39c1eb5f40d6a Mon Sep 17 00:00:00 2001 From: moparisthebest Date: Wed, 23 Sep 2015 00:02:47 -0400 Subject: [PATCH] Apply patch made from smf_2-0-11_install.tar.bz2 to get up to date --- SSI.php | 44 +++-- Sources/Class-Package.php | 6 +- Sources/DbPackages-postgresql.php | 6 +- Sources/Display.php | 4 +- Sources/Load.php | 61 ++++++- Sources/LogInOut.php | 6 +- Sources/ManageAttachments.php | 4 +- Sources/ManageMembers.php | 4 +- Sources/ManageNews.php | 4 +- Sources/ManageServer.php | 4 +- Sources/Memberlist.php | 41 ++++- Sources/Modlog.php | 4 +- Sources/News.php | 9 +- Sources/PackageGet.php | 3 +- Sources/Packages.php | 25 ++- Sources/Post.php | 17 +- Sources/QueryString.php | 28 ++- Sources/ScheduledTasks.php | 6 +- Sources/Search.php | 10 +- Sources/Subs-Auth.php | 8 +- Sources/Subs-Db-mysql.php | 26 ++- Sources/Subs-Editor.php | 18 +- Sources/Subs-Graphics.php | 4 +- Sources/Subs-OpenID.php | 4 +- Sources/Subs-Package.php | 26 ++- Sources/Subs-Post.php | 99 +++++++---- Sources/Subs.php | 54 ++++-- Sources/Subscriptions-PayPal.php | 10 +- Themes/default/ManagePermissions.template.php | 6 +- Themes/default/Post.template.php | 4 +- Themes/default/Search.template.php | 6 +- .../default/images/buttons/restore_topic.gif | Bin Themes/default/images/construction.png | Bin Themes/default/images/theme/submit_bg.png | Bin .../default/languages/ManagePaid.english.php | 17 +- Themes/default/languages/index.english.php | 4 +- Themes/default/scripts/editor.js | 11 +- Themes/default/scripts/fader.js | 5 +- Themes/default/scripts/script.js | 4 +- index.php | 5 +- news_readme.html | 4 +- readme.html | 162 ++++++++++++------ 42 files changed, 545 insertions(+), 218 deletions(-) mode change 100644 => 100755 Themes/default/images/buttons/restore_topic.gif mode change 100644 => 100755 Themes/default/images/construction.png mode change 100644 => 100755 Themes/default/images/theme/submit_bg.png diff --git a/SSI.php b/SSI.php index b0e28c1..7fab1a6 100644 --- a/SSI.php +++ b/SSI.php @@ -8,7 +8,7 @@ * @copyright 2011 Simple Machines * @license http://www.simplemachines.org/about/smf/license.php BSD * - * @version 2.0.7 + * @version 2.0.10 */ // Don't do anything if SMF is already loaded. @@ -316,7 +316,7 @@ function ssi_fetchPosts($post_ids = array(), $override_permissions = false, $out ); // Then make the query and dump the data. - return ssi_queryPosts($query_where, $query_where_params, '', 'm.id_msg DESC', $output_method, false, $override_permissions); + return ssi_queryPosts($query_where, $query_where_params, '', 'm.id_msg DESC', $output_method); } // This removes code duplication in other queries - don't call it direct unless you really know what you're up to. @@ -1219,12 +1219,20 @@ function ssi_showPoll($topic = null, $output_method = 'echo') $smcFunc['db_free_result']($request); // Check if they can vote. + $already_voted = false; if (!empty($row['expire_time']) && $row['expire_time'] < time()) $allow_vote = false; - elseif ($user_info['is_guest'] && $row['guest_vote'] && (!isset($_COOKIE['guest_poll_vote']) || !in_array($row['id_poll'], explode(',', $_COOKIE['guest_poll_vote'])))) - $allow_vote = true; elseif ($user_info['is_guest']) - $allow_vote = false; + { + // There's a difference between "allowed to vote" and "already voted"... + $allow_vote = $row['guest_vote']; + + // Did you already vote? + if (isset($_COOKIE['guest_poll_vote']) && in_array($row['id_poll'], explode(',', $_COOKIE['guest_poll_vote']))) + { + $already_voted = true; + } + } elseif (!empty($row['voting_locked']) || !allowedTo('poll_vote', $row['id_board'])) $allow_vote = false; else @@ -1241,12 +1249,13 @@ function ssi_showPoll($topic = null, $output_method = 'echo') ) ); $allow_vote = $smcFunc['db_num_rows']($request) == 0; + $already_voted = $allow_vote; $smcFunc['db_free_result']($request); } // Can they view? $is_expired = !empty($row['expire_time']) && $row['expire_time'] < time(); - $allow_view_results = allowedTo('moderate_board') || $row['hide_results'] == 0 || ($row['hide_results'] == 1 && !$allow_vote) || $is_expired; + $allow_view_results = allowedTo('moderate_board') || $row['hide_results'] == 0 || ($row['hide_results'] == 1 && $already_voted) || $is_expired; $request = $smcFunc['db_query']('', ' SELECT COUNT(DISTINCT id_member) @@ -1327,7 +1336,7 @@ function ssi_showPoll($topic = null, $output_method = 'echo') '; } - elseif ($return['allow_view_results']) + else { echo '
@@ -1335,23 +1344,30 @@ function ssi_showPoll($topic = null, $output_method = 'echo')
'; foreach ($return['options'] as $option) + { echo '
', $option['option'], '
-
+
'; + + if ($return['allow_view_results']) + { + echo '
- ', $option['votes'], ' (', $option['percent'], '%) + ', $option['votes'], ' (', $option['percent'], '%)'; + } + + echo '
'; + } + echo ' -
- ', $txt['poll_total_voters'], ': ', $return['total_votes'], ' + ', ($return['allow_view_results'] ? ' + '. $txt['poll_total_voters'] .': '. $return['total_votes'] .'' : ''), '
'; } - // Cannot see it I'm afraid! - else - echo $txt['poll_cannot_see']; } // Takes care of voting - don't worry, this is done automatically. diff --git a/Sources/Class-Package.php b/Sources/Class-Package.php index e5e5399..7868228 100644 --- a/Sources/Class-Package.php +++ b/Sources/Class-Package.php @@ -8,7 +8,7 @@ * @copyright 2011 Simple Machines * @license http://www.simplemachines.org/about/smf/license.php BSD * - * @version 2.0.7 + * @version 2.0.8 */ if (!defined('SMF')) @@ -69,7 +69,7 @@ class xmlArray public function __construct($data, $auto_trim = false, $level = null, $is_clone = false) { // If we're using this try to get some more memory. - @ini_set('memory_limit', '32M'); + @ini_set('memory_limit', '128M'); // Set the debug level. $this->debug_level = $level !== null ? $level : error_reporting(); @@ -573,7 +573,7 @@ class xmlArray $trans_tbl = array_flip(get_html_translation_table(HTML_ENTITIES, ENT_QUOTES)); // Translate all the entities out. - $data = strtr(preg_replace_callback('~&#(\d{1,4});~', create_function('$m', 'return chr("$m[1]");'), $data), $trans_tbl); + $data = strtr(preg_replace_callback('~&#(\d{1,4});~', 'return_chr__preg_callback', $data), $trans_tbl); return $this->trim ? trim($data) : $data; } diff --git a/Sources/DbPackages-postgresql.php b/Sources/DbPackages-postgresql.php index bdf4b70..b3b4a5a 100644 --- a/Sources/DbPackages-postgresql.php +++ b/Sources/DbPackages-postgresql.php @@ -8,7 +8,7 @@ * @copyright 2011 Simple Machines * @license http://www.simplemachines.org/about/smf/license.php BSD * - * @version 2.0 + * @version 2.0.10 */ if (!defined('SMF')) @@ -368,11 +368,11 @@ function smf_db_change_column($table_name, $old_column, $column_info, $parameter if (!$column_info['null']) { // We have to set it to something if we are making it NOT NULL. - $setTo = isset($column_info['default']) ? $column_info['default'] : ''; + $setTo = isset($column_info['default']) ? $column_info['default'] : (strpos($old_info['type'], 'int') !== false ? 0 : ''); $smcFunc['db_query']('', ' UPDATE ' . $table_name . ' SET ' . $column_info['name'] . ' = \'' . $setTo . '\' - WHERE ' . $column_info['name'] . ' = NULL', + WHERE ' . $column_info['name'] . ' IS NULL', array( 'security_override' => true, ) diff --git a/Sources/Display.php b/Sources/Display.php index cf7b531..d827400 100644 --- a/Sources/Display.php +++ b/Sources/Display.php @@ -8,7 +8,7 @@ * @copyright 2011 Simple Machines * @license http://www.simplemachines.org/about/smf/license.php BSD * - * @version 2.0.7 + * @version 2.0.9 */ if (!defined('SMF')) @@ -748,7 +748,7 @@ function Display() // 4. you've waited long enough for the poll to expire. (whether hide_results is 1 or 2.) $context['allow_poll_view'] = allowedTo('moderate_board') || $pollinfo['hide_results'] == 0 || ($pollinfo['hide_results'] == 1 && $context['poll']['has_voted']) || $context['poll']['is_expired']; $context['poll']['show_results'] = $context['allow_poll_view'] && (isset($_REQUEST['viewresults']) || isset($_REQUEST['viewResults'])); - $context['show_view_results_button'] = $context['allow_vote'] && (!$context['allow_poll_view'] || !$context['poll']['show_results'] || !$context['poll']['has_voted']); + $context['show_view_results_button'] = $context['allow_vote'] && $context['allow_poll_view'] && !$context['poll']['show_results']; // You're allowed to change your vote if: // 1. the poll did not expire, and diff --git a/Sources/Load.php b/Sources/Load.php index f10b529..6c3bb3a 100644 --- a/Sources/Load.php +++ b/Sources/Load.php @@ -8,7 +8,7 @@ * @copyright 2011 Simple Machines * @license http://www.simplemachines.org/about/smf/license.php BSD * - * @version 2.0.7 + * @version 2.0.11 */ if (!defined('SMF')) @@ -180,7 +180,41 @@ function reloadSettings() return $num < 0x20 || $num > 0x10FFFF || ($num >= 0xD800 && $num <= 0xDFFF) || $num === 0x202E || $num === 0x202D ? \'\' : \'&#\' . $num . \';\';'), 'htmlspecialchars' => create_function('$string, $quote_style = ENT_COMPAT, $charset = \'ISO-8859-1\'', ' global $smcFunc; - return ' . strtr($ent_check[0], array('&' => '&')) . 'htmlspecialchars($string, $quote_style, ' . ($utf8 ? '\'UTF-8\'' : '$charset') . ')' . $ent_check[1] . ';'), + return ' . ($utf8 ? '$smcFunc[\'fix_utf8mb4\'](' : '') . strtr($ent_check[0], array('&' => '&')) . 'htmlspecialchars($string, $quote_style, ' . ($utf8 ? '\'UTF-8\'' : '$charset') . ')' . $ent_check[1] . ($utf8 ? ')' : '') . ';'), + 'fix_utf8mb4' => create_function('$string', ' + $i = 0; + $len = strlen($string); + $new_string = \'\'; + while ($i < $len) + { + $ord = ord($string[$i]); + if ($ord < 128) + { + $new_string .= $string[$i]; + $i++; + } + elseif ($ord < 224) + { + $new_string .= $string[$i] . $string[$i+1]; + $i += 2; + } + elseif ($ord < 240) + { + $new_string .= $string[$i] . $string[$i+1] . $string[$i+2]; + $i += 3; + } + elseif ($ord < 248) + { + // Magic happens. + $val = (ord($string[$i]) & 0x07) << 18; + $val += (ord($string[$i+1]) & 0x3F) << 12; + $val += (ord($string[$i+2]) & 0x3F) << 6; + $val += (ord($string[$i+3]) & 0x3F); + $new_string .= \'&#\' . $val . \';\'; + $i += 4; + } + } + return $new_string;'), 'htmltrim' => create_function('$string', ' global $smcFunc; return preg_replace(\'~^(?:[ \t\n\r\x0B\x00' . $space_chars . ']| )+|(?:[ \t\n\r\x0B\x00' . $space_chars . ']| )+$~' . ($utf8 ? 'u' : '') . '\', \'\', ' . implode('$string', $ent_check) . ');'), @@ -325,7 +359,7 @@ function loadUserSettings() // Fix a security hole in PHP 4.3.9 and below... if (preg_match('~^a:[34]:\{i:0;(i:\d{1,6}|s:[1-8]:"\d{1,8}");i:1;s:(0|40):"([a-fA-F0-9]{40})?";i:2;[id]:\d{1,14};(i:3;i:\d;)?\}$~i', $_COOKIE[$cookiename]) == 1) { - list ($id_member, $password) = @unserialize($_COOKIE[$cookiename]); + list ($id_member, $password) = safe_unserialize($_COOKIE[$cookiename]); $id_member = !empty($id_member) && strlen($password) > 0 ? (int) $id_member : 0; } else @@ -334,7 +368,7 @@ function loadUserSettings() elseif (empty($id_member) && isset($_SESSION['login_' . $cookiename]) && ($_SESSION['USER_AGENT'] == $_SERVER['HTTP_USER_AGENT'] || !empty($modSettings['disableCheckUA']))) { // !!! Perhaps we can do some more checking on this, such as on the first octet of the IP? - list ($id_member, $password, $login_span) = @unserialize($_SESSION['login_' . $cookiename]); + list ($id_member, $password, $login_span) = safe_unserialize($_SESSION['login_' . $cookiename]); $id_member = !empty($id_member) && strlen($password) == 40 && $login_span > time() ? (int) $id_member : 0; } @@ -2699,12 +2733,21 @@ function cache_put_data($key, $value, $ttl = 120) else { $cache_data = '<' . '?' . 'php if (!defined(\'SMF\')) die; if (' . (time() + $ttl) . ' < time()) $expired = true; else{$expired = false; $value = \'' . addcslashes($value, '\\\'') . '\';}' . '?' . '>'; + // Write the file. + if (function_exists('file_put_contents')) + { + $cache_bytes = @file_put_contents($cachedir . '/data_' . $key . '.php', $cache_data, LOCK_EX); + if ($cache_bytes != strlen($cache_data)) + @unlink($cachedir . '/data_' . $key . '.php'); + } + else + { // Write the file. if (function_exists('file_put_contents')) { $cache_bytes = @file_put_contents($cachedir . '/data_' . $key . '.php', $cache_data, LOCK_EX); if ($cache_bytes != strlen($cache_data)) - @unlink($cachedir . '/data_' . $key . '.php'); + @unlink($cachedir . '/data_' . $key . '.php'); } else { @@ -2724,11 +2767,19 @@ function cache_put_data($key, $value, $ttl = 120) @unlink($cachedir . '/data_' . $key . '.php'); } } + } } } if (isset($db_show_debug) && $db_show_debug === true) $cache_hits[$cache_count]['t'] = array_sum(explode(' ', microtime())) - array_sum(explode(' ', $st)); + + // Invalidate the opcode cache + if (function_exists('opcache_invalidate')) + opcache_invalidate($cachedir . '/data_' . $key . '.php', true); + + if (function_exists('apc_delete_file')) + @apc_delete_file($cachedir . '/data_' . $key . '.php'); } function cache_get_data($key, $ttl = 120) diff --git a/Sources/LogInOut.php b/Sources/LogInOut.php index de642ee..6816300 100644 --- a/Sources/LogInOut.php +++ b/Sources/LogInOut.php @@ -8,7 +8,7 @@ * @copyright 2011 Simple Machines * @license http://www.simplemachines.org/about/smf/license.php BSD * - * @version 2.0.7 + * @version 2.0.11 */ if (!defined('SMF')) @@ -101,9 +101,9 @@ function Login2() if (isset($_GET['sa']) && $_GET['sa'] == 'salt' && !$user_info['is_guest']) { if (isset($_COOKIE[$cookiename]) && preg_match('~^a:[34]:\{i:0;(i:\d{1,6}|s:[1-8]:"\d{1,8}");i:1;s:(0|40):"([a-fA-F0-9]{40})?";i:2;[id]:\d{1,14};(i:3;i:\d;)?\}$~', $_COOKIE[$cookiename]) === 1) - list (, , $timeout) = @unserialize($_COOKIE[$cookiename]); + list (, , $timeout) = safe_unserialize($_COOKIE[$cookiename]); elseif (isset($_SESSION['login_' . $cookiename])) - list (, , $timeout) = @unserialize($_SESSION['login_' . $cookiename]); + list (, , $timeout) = safe_unserialize($_SESSION['login_' . $cookiename]); else trigger_error('Login2(): Cannot be logged in without a session or cookie', E_USER_ERROR); diff --git a/Sources/ManageAttachments.php b/Sources/ManageAttachments.php index 0c07f94..0727e34 100644 --- a/Sources/ManageAttachments.php +++ b/Sources/ManageAttachments.php @@ -8,7 +8,7 @@ * @copyright 2011 Simple Machines * @license http://www.simplemachines.org/about/smf/license.php BSD * - * @version 2.0 + * @version 2.0.10 */ if (!defined('SMF')) @@ -416,7 +416,7 @@ function BrowseFiles() // Add a link to the topic in case of an attachment. if ($context[\'browse_type\'] !== \'avatars\') - $date .= sprintf(\'
%1$s %5$s\', $txt[\'in\'], $scripturl, $rowData[\'id_topic\'], $rowData[\'id_msg\'], $rowData[\'subject\']); + $date .= sprintf(\'
%1$s %5$s\', $txt[\'in\'], $scripturl, $rowData[\'id_topic\'], $rowData[\'id_msg\'], $rowData[\'subject\']); return $date; '), diff --git a/Sources/ManageMembers.php b/Sources/ManageMembers.php index 7c8dc75..6d34cf4 100644 --- a/Sources/ManageMembers.php +++ b/Sources/ManageMembers.php @@ -8,7 +8,7 @@ * @copyright 2011 Simple Machines * @license http://www.simplemachines.org/about/smf/license.php BSD * - * @version 2.0 + * @version 2.0.11 */ if (!defined('SMF')) @@ -199,7 +199,7 @@ function ViewMemberlist() } if ($context['sub_action'] == 'query' && !empty($_REQUEST['params']) && empty($_POST)) - $_POST += @unserialize(base64_decode($_REQUEST['params'])); + $_POST += safe_unserialize(base64_decode($_REQUEST['params'])); // Check input after a member search has been submitted. if ($context['sub_action'] == 'query') diff --git a/Sources/ManageNews.php b/Sources/ManageNews.php index 14bb9c3..8d0eb8b 100644 --- a/Sources/ManageNews.php +++ b/Sources/ManageNews.php @@ -8,7 +8,7 @@ * @copyright 2011 Simple Machines * @license http://www.simplemachines.org/about/smf/license.php BSD * - * @version 2.0.5 + * @version 2.0.10 */ if (!defined('SMF')) @@ -364,7 +364,7 @@ function ComposeMailing() FROM {db_prefix}ban_items AS bi INNER JOIN {db_prefix}ban_groups AS bg ON (bg.id_ban_group = bi.id_ban_group) WHERE (bg.cannot_access = {int:cannot_access} OR bg.cannot_login = {int:cannot_login}) - AND (COALESCE(bg.expire_time, 1=1) OR bg.expire_time > {int:current_time}) + AND (bg.expire_time IS NULL OR bg.expire_time > {int:current_time}) AND bi.email_address != {string:blank_string}', array( 'cannot_access' => 1, diff --git a/Sources/ManageServer.php b/Sources/ManageServer.php index b20d387..740a198 100644 --- a/Sources/ManageServer.php +++ b/Sources/ManageServer.php @@ -8,7 +8,7 @@ * @copyright 2011 Simple Machines * @license http://www.simplemachines.org/about/smf/license.php BSD * - * @version 2.0.5 + * @version 2.0.10 */ if (!defined('SMF')) @@ -1873,7 +1873,7 @@ function prepareDBSettingContext(&$config_vars) if ($config_var[0] == 'select' && !empty($config_var['multiple'])) { $context['config_vars'][$config_var[1]]['name'] .= '[]'; - $context['config_vars'][$config_var[1]]['value'] = unserialize($context['config_vars'][$config_var[1]]['value']); + $context['config_vars'][$config_var[1]]['value'] = !empty($context['config_vars'][$config_var[1]]['value']) ? unserialize($context['config_vars'][$config_var[1]]['value']) : array(); } // If it's associative diff --git a/Sources/Memberlist.php b/Sources/Memberlist.php index 54d4b72..c52bdbf 100644 --- a/Sources/Memberlist.php +++ b/Sources/Memberlist.php @@ -8,7 +8,7 @@ * @copyright 2011 Simple Machines * @license http://www.simplemachines.org/about/smf/license.php BSD * - * @version 2.0.2 + * @version 2.0.8 */ if (!defined('SMF')) @@ -437,7 +437,22 @@ function MLSearch() if (isset($_REQUEST['search']) && isset($_REQUEST['fields'])) { $_POST['search'] = trim(isset($_GET['search']) ? $_GET['search'] : $_POST['search']); - $_POST['fields'] = isset($_GET['fields']) ? explode(',', $_GET['fields']) : $_POST['fields']; + + if (!get_magic_quotes_gpc()) + { + // Escape things just in case... + if (isset($_GET['fields'])) + { + $_POST['fields'] = explode(',', addslashes($_GET['fields'])); + } + else + { + $temp = implode(',', $_POST['fields']); + $_POST['fields'] = explode(',', addslashes($temp)); + } + } + else + $_POST['fields'] = isset($_GET['fields']) ? explode(',', $_GET['fields']) : $_POST['fields']; $context['old_search'] = $_REQUEST['search']; $context['old_search_value'] = urlencode($_REQUEST['search']); @@ -453,24 +468,39 @@ function MLSearch() 'search' => '%' . strtr($smcFunc['htmlspecialchars']($_POST['search'], ENT_QUOTES), array('_' => '\\_', '%' => '\\%', '*' => '%')) . '%', ); + $search_fields = array(); + // Search for a name? if (in_array('name', $_POST['fields'])) + { $fields = array('member_name', 'real_name'); + $search_fields[] = 'name'; + } else $fields = array(); // Search for messengers... if (in_array('messenger', $_POST['fields']) && (!$user_info['is_guest'] || empty($modSettings['guest_hideContacts']))) + { $fields += array(3 => 'msn', 'aim', 'icq', 'yim'); + $search_fields[] = 'messenger'; + } // Search for websites. if (in_array('website', $_POST['fields'])) + { $fields += array(7 => 'website_title', 'website_url'); + $search_fields[] = 'website'; + } // Search for groups. if (in_array('group', $_POST['fields'])) + { $fields += array(9 => 'IFNULL(group_name, {string:blank_string})'); + $search_fields[] = 'group'; + } // Search for an email address? if (in_array('email', $_POST['fields'])) { $fields += array(2 => allowedTo('moderate_forum') ? 'email_address' : '(hide_email = 0 AND email_address'); + $search_fields[] = 'email'; $condition = allowedTo('moderate_forum') ? '' : ')'; } else @@ -487,9 +517,14 @@ function MLSearch() $customJoin[] = 'LEFT JOIN {db_prefix}themes AS t' . $curField . ' ON (t' . $curField . '.variable = {string:t' . $curField . '} AND t' . $curField . '.id_theme = 1 AND t' . $curField . '.id_member = mem.id_member)'; $query_parameters['t' . $curField] = $curField; $fields += array($customCount++ => 'IFNULL(t' . $curField . '.value, {string:blank_string})'); + $search_fields[] = $field; } } + // No search fields? That means you're trying to hack things + if (empty($search_fields)) + fatal_lang_error('invalid_search_string', false); + $query = $_POST['search'] == '' ? '= {string:blank_string}' : 'LIKE {string:search}'; $request = $smcFunc['db_query']('', ' @@ -505,7 +540,7 @@ function MLSearch() list ($numResults) = $smcFunc['db_fetch_row']($request); $smcFunc['db_free_result']($request); - $context['page_index'] = constructPageIndex($scripturl . '?action=mlist;sa=search;search=' . $_POST['search'] . ';fields=' . implode(',', $_POST['fields']), $_REQUEST['start'], $numResults, $modSettings['defaultMaxMembers']); + $context['page_index'] = constructPageIndex($scripturl . '?action=mlist;sa=search;search=' . $_POST['search'] . ';fields=' . implode(',', $search_fields), $_REQUEST['start'], $numResults, $modSettings['defaultMaxMembers']); // Find the members from the database. // !!!SLOW This query is slow. diff --git a/Sources/Modlog.php b/Sources/Modlog.php index dc517cc..9ecfd3e 100644 --- a/Sources/Modlog.php +++ b/Sources/Modlog.php @@ -8,7 +8,7 @@ * @copyright 2011 Simple Machines * @license http://www.simplemachines.org/about/smf/license.php BSD * - * @version 2.0.7 + * @version 2.0.11 */ if (!defined('SMF')) @@ -107,7 +107,7 @@ function ViewModlog() if (!empty($_REQUEST['params']) && empty($_REQUEST['is_search'])) { $search_params = base64_decode(strtr($_REQUEST['params'], array(' ' => '+'))); - $search_params = @unserialize($search_params); + $search_params = safe_unserialize($search_params); } // This array houses all the valid search types. diff --git a/Sources/News.php b/Sources/News.php index 0bbe504..4c5f4e8 100644 --- a/Sources/News.php +++ b/Sources/News.php @@ -8,7 +8,7 @@ * @copyright 2011 Simple Machines * @license http://www.simplemachines.org/about/smf/license.php BSD * - * @version 2.0.7 + * @version 2.0.8 */ if (!defined('SMF')) @@ -377,7 +377,7 @@ function fix_possible_url($val) if (empty($modSettings['queryless_urls']) || ($context['server']['is_cgi'] && @ini_get('cgi.fix_pathinfo') == 0 && @get_cfg_var('cgi.fix_pathinfo') == 0) || (!$context['server']['is_apache'] && !$context['server']['is_lighttpd'])) return $val; - $val = preg_replace_callback('~^' . preg_quote($scripturl, '/') . '\?((?:board|topic)=[^#"]+)(#[^"]*)?$~', create_function('$m', 'global $scripturl; return $scripturl . \'/\' . strtr("$m[1]", \'&;=\', \'//,\') . \'.html\' . (isset($m[2]) ? $m[2] : "");'), $val); + $val = preg_replace_callback('~^' . preg_quote($scripturl, '/') . '\?((?:board|topic)=[^#"]+)(#[^"]*)?$~', 'feed_fix__preg_callback', $val); return $val; } @@ -969,4 +969,9 @@ function getXmlProfile($xml_format) return $data; } +function feed_fix__preg_callback($matches) +{ + global $scripturl; + return $scripturl . '/' . strtr($matches[1], '&;=', '//,') . '.html' . (isset($matches[2]) ? $matches[2] : ''); +} ?> \ No newline at end of file diff --git a/Sources/PackageGet.php b/Sources/PackageGet.php index 15bca4c..dd3f7b8 100644 --- a/Sources/PackageGet.php +++ b/Sources/PackageGet.php @@ -8,7 +8,7 @@ * @copyright 2011 Simple Machines * @license http://www.simplemachines.org/about/smf/license.php BSD * - * @version 2.0 + * @version 2.0.9 */ if (!defined('SMF')) @@ -410,7 +410,6 @@ function PackageGBrowse() $package['download_conflict'] = is_array($already_exists) && $already_exists['id'] == $package['id'] && $already_exists['version'] != $package['version']; $package['href'] = $url . '/' . $package['filename']; - $package['name'] = $smcFunc['htmlspecialchars']($package['name']); $package['link'] = '' . $package['name'] . ''; $package['download']['href'] = $scripturl . '?action=admin;area=packages;get;sa=download' . $server_att . ';package=' . $current_url . $package['filename'] . ($package['download_conflict'] ? ';conflict' : '') . ';' . $context['session_var'] . '=' . $context['session_id']; $package['download']['link'] = '' . $package['name'] . ''; diff --git a/Sources/Packages.php b/Sources/Packages.php index 8d26d3b..ffb332d 100644 --- a/Sources/Packages.php +++ b/Sources/Packages.php @@ -8,7 +8,7 @@ * @copyright 2011 Simple Machines * @license http://www.simplemachines.org/about/smf/license.php BSD * - * @version 2.0.2 + * @version 2.0.11 */ if (!defined('SMF')) @@ -353,6 +353,7 @@ function PackageInstallTest() if (!empty($action['parse_bbc'])) { require_once($sourcedir . '/Subs-Post.php'); + $context['package_readme'] = preg_replace('~\[[/]?html\]~i', '', $context['package_readme']); preparsecode($context['package_readme']); $context['package_readme'] = parse_bbc($context['package_readme']); } @@ -954,7 +955,7 @@ function PackageInstall() elseif ($action['type'] == 'redirect' && !empty($action['redirect_url'])) { $context['redirect_url'] = $action['redirect_url']; - $context['redirect_text'] = !empty($action['filename']) && file_exists($boarddir . '/Packages/temp/' . $context['base_path'] . $action['filename']) ? file_get_contents($boarddir . '/Packages/temp/' . $context['base_path'] . $action['filename']) : ($context['uninstalling'] ? $txt['package_uninstall_done'] : $txt['package_installed_done']); + $context['redirect_text'] = !empty($action['filename']) && file_exists($boarddir . '/Packages/temp/' . $context['base_path'] . $action['filename']) ? $smcFunc['htmlspecialchars'](file_get_contents($boarddir . '/Packages/temp/' . $context['base_path'] . $action['filename'])) : ($context['uninstalling'] ? $txt['package_uninstall_done'] : $txt['package_installed_done']); $context['redirect_timeout'] = $action['redirect_timeout']; // Parse out a couple of common urls. @@ -1055,6 +1056,14 @@ function PackageInstall() // What failed steps? $failed_step_insert = serialize($failed_steps); + // Un-sanitize things before we insert them... + $keys = array('filename', 'name', 'id', 'version'); + foreach ($keys as $key) + { + // Yay for variable variables... + ${"package_$key"} = un_htmlspecialchars($packageInfo[$key]); + } + $smcFunc['db_insert']('', '{db_prefix}log_packages', array( @@ -1064,7 +1073,7 @@ function PackageInstall() 'member_removed' => 'int', 'db_changes' => 'string', ), array( - $packageInfo['filename'], $packageInfo['name'], $packageInfo['id'], $packageInfo['version'], + $package_filename, $package_name, $package_id, $package_version, $user_info['id'], $user_info['name'], time(), $is_upgrade ? 2 : 1, $failed_step_insert, $themes_installed, 0, $db_changes, @@ -1099,7 +1108,7 @@ function PackageInstall() deltree($boarddir . '/Packages/temp'); // Log what we just did. - logAction($context['uninstalling'] ? 'uninstall_package' : (!empty($is_upgrade) ? 'upgrade_package' : 'install_package'), array('package' => $smcFunc['htmlspecialchars']($packageInfo['name']), 'version' => $smcFunc['htmlspecialchars']($packageInfo['version'])), 'admin'); + logAction($context['uninstalling'] ? 'uninstall_package' : (!empty($is_upgrade) ? 'upgrade_package' : 'install_package'), array('package' => $packageInfo['name'], 'version' => $packageInfo['version']), 'admin'); // Just in case, let's clear the whole cache to avoid anything going up the swanny. clean_cache(); @@ -1783,7 +1792,7 @@ function PackagePermissions() // Have we got a load of back-catalogue trees to expand from a submit etc? if (!empty($_GET['back_look'])) { - $potententialTrees = unserialize(base64_decode($_GET['back_look'])); + $potententialTrees = safe_unserialize(base64_decode($_GET['back_look'])); foreach ($potententialTrees as $tree) $context['look_for'][] = $tree; } @@ -2032,7 +2041,7 @@ function PackagePermissionsAction() // Continuing? if (isset($_POST['toProcess'])) - $_POST['permStatus'] = unserialize(base64_decode($_POST['toProcess'])); + $_POST['permStatus'] = safe_unserialize(base64_decode($_POST['toProcess'])); if (isset($_POST['permStatus'])) { @@ -2112,7 +2121,7 @@ function PackagePermissionsAction() $context['predefined_type'] = isset($_POST['predefined']) ? $_POST['predefined'] : 'restricted'; $context['total_items'] = isset($_POST['totalItems']) ? (int) $_POST['totalItems'] : 0; - $context['directory_list'] = isset($_POST['dirList']) ? unserialize(base64_decode($_POST['dirList'])) : array(); + $context['directory_list'] = isset($_POST['dirList']) ? safe_unserialize(base64_decode($_POST['dirList'])) : array(); $context['file_offset'] = isset($_POST['fileOffset']) ? (int) $_POST['fileOffset'] : 0; @@ -2174,7 +2183,7 @@ function PackagePermissionsAction() elseif ($context['predefined_type'] == 'free') $context['special_files'] = array(); else - $context['special_files'] = unserialize(base64_decode($_POST['specialFiles'])); + $context['special_files'] = safe_unserialize(base64_decode($_POST['specialFiles'])); // Now we definitely know where we are, we need to go through again doing the chmod! foreach ($context['directory_list'] as $path => $dummy) diff --git a/Sources/Post.php b/Sources/Post.php index dcdd916..db76e29 100644 --- a/Sources/Post.php +++ b/Sources/Post.php @@ -8,7 +8,7 @@ * @copyright 2011 Simple Machines * @license http://www.simplemachines.org/about/smf/license.php BSD * - * @version 2.0.7 + * @version 2.0.10 */ if (!defined('SMF')) @@ -855,7 +855,7 @@ function Post() { // It goes 0 = outside, 1 = begin tag, 2 = inside, 3 = close tag, repeat. if ($i % 4 == 0) - $parts[$i] = preg_replace_callback('~\[html\](.+?)\[/html\]~is', create_function('$m', ' return \'[html]\' . preg_replace(\'~~i\', \'<br />
\', "$m[1]") . \'[/html]\';'), $parts[$i]); + $parts[$i] = preg_replace_callback('~\[html\](.+?)\[/html\]~is', 'strip_html_bbc__preg_callback', $parts[$i]); } $form_message = implode('', $parts); } @@ -1246,7 +1246,15 @@ function Post2() // Previewing? Go back to start. if (isset($_REQUEST['preview'])) + { + if (checkSession('post', '', false) != '') + { + loadLanguage('Errors'); + $context['post_errors']['message'][] = $txt['error_session_timeout']; + unset ($_POST['preview'], $_REQUEST['xml']); // just in case + } return Post(); + } // Prevent double submission of this form. checkSubmitOnce('check'); @@ -2947,4 +2955,9 @@ function checkForBump() { return; } } + +function strip_html_bbc__preg_callback($matches) +{ + return '[html]' . preg_replace('~~i', '<br />
', $matches[1]) . '[/html]'; +} ?> \ No newline at end of file diff --git a/Sources/QueryString.php b/Sources/QueryString.php index 413dd68..58b180d 100644 --- a/Sources/QueryString.php +++ b/Sources/QueryString.php @@ -8,7 +8,7 @@ * @copyright 2011 Simple Machines * @license http://www.simplemachines.org/about/smf/license.php BSD * - * @version 2.0.7 + * @version 2.0.9 */ if (!defined('SMF')) @@ -253,6 +253,13 @@ function cleanRequest() if (isset($_GET['action'])) $_GET['action'] = (string) $_GET['action']; + // Some mail providers like to encode semicolons in activation URLs... + if (!empty($_REQUEST['action']) && substr($_SERVER['QUERY_STRING'], 0, 18) == 'action=activate%3b') + { + header('Location: ' . $scripturl . '?' . str_replace('%3b', ';', $_SERVER['QUERY_STRING'])); + exit; + } + // Make sure we have a valid REMOTE_ADDR. if (!isset($_SERVER['REMOTE_ADDR'])) { @@ -474,14 +481,25 @@ function ob_sessrewrite($buffer) if (!empty($modSettings['queryless_urls']) && (!$context['server']['is_cgi'] || @ini_get('cgi.fix_pathinfo') == 1 || @get_cfg_var('cgi.fix_pathinfo') == 1) && ($context['server']['is_apache'] || $context['server']['is_lighttpd'])) { // Let's do something special for session ids! - if (defined('SID') && SID != '') - $buffer = preg_replace_callback('~"' . preg_quote($scripturl, '/') . '\?(?:' . SID . '(?:;|&|&))((?:board|topic|page)=[^#"]+?)(#[^"]*?)?"~', create_function('$m', 'global $scripturl; return \'"\' . $scripturl . "/" . strtr("$m[1]", \'&;=\', \'//,\') . ".html?" . SID . (isset($m[2]) ? $m[2] : "") . \'"\';'), $buffer); - else - $buffer = preg_replace_callback('~"' . preg_quote($scripturl, '/') . '\?((?:board|topic|page)=[^#"]+?)(#[^"]*?)?"~', create_function('$m', 'global $scripturl; return \'"\' . $scripturl . "/" . strtr("$m[1]", \'&;=\', \'//,\') . ".html" . (isset($m[2]) ? $m[2] : "") . \'"\';'), $buffer); + if (defined('SID') && SID != '') + $buffer = preg_replace_callback('~"' . preg_quote($scripturl, '/') . '\?(?:' . SID . '(?:;|&|&))((?:board|topic|page)=[^#"]+?)(#[^"]*?)?"~', 'sid_insert__preg_callback', $buffer); + else + $buffer = preg_replace_callback('~"' . preg_quote($scripturl, '/') . '\?((?:board|topic|page)=[^#"]+?)(#[^"]*?)?"~', 'pathinfo_insert__preg_callback', $buffer); } // Return the changed buffer. return $buffer; } +function sid_insert__preg_callback($matches) +{ + global $scripturl; + return '"' . $scripturl . "/" . strtr($matches[1], '&;=', '//,') . ".html?" . SID . (isset($matches[2]) ? $matches[2] : "") . '"'; +} + +function pathinfo_insert__preg_callback($matches) +{ + global $scripturl; + return '"' . $scripturl . "/" . strtr($matches[1], '&;=', '//,') . ".html" . (isset($matches[2]) ? $matches[2] : "") . '"'; +} ?> \ No newline at end of file diff --git a/Sources/ScheduledTasks.php b/Sources/ScheduledTasks.php index 8881f29..e0824a6 100644 --- a/Sources/ScheduledTasks.php +++ b/Sources/ScheduledTasks.php @@ -8,7 +8,7 @@ * @copyright 2011 Simple Machines * @license http://www.simplemachines.org/about/smf/license.php BSD * - * @version 2.0.7 + * @version 2.0.9 */ if (!defined('SMF')) @@ -1473,11 +1473,11 @@ function scheduled_weekly_maintenance() SELECT id_report FROM {db_prefix}log_reported WHERE time_started < {int:time_started} - AND closed = {int:not_closed} + AND closed = {int:closed} AND ignore_all = {int:not_ignored}', array( 'time_started' => $t, - 'not_closed' => 0, + 'closed' => 1, 'not_ignored' => 0, ) ); diff --git a/Sources/Search.php b/Sources/Search.php index e08aab8..25bf14c 100644 --- a/Sources/Search.php +++ b/Sources/Search.php @@ -8,7 +8,7 @@ * @copyright 2011 Simple Machines * @license http://www.simplemachines.org/about/smf/license.php BSD * - * @version 2.0.7 + * @version 2.0.9 */ if (!defined('SMF')) @@ -1922,7 +1922,7 @@ function prepareSearchContext($reset = false) $message['body'] = ''; foreach ($matches[0] as $index => $match) { - $match = strtr(htmlspecialchars($match, ENT_QUOTES), array("\n" => ' ')); + $match = strtr($smcFunc['htmlspecialchars']($match, ENT_QUOTES), array("\n" => ' ')); $message['body'] .= '...... ' . $match . ' ......'; } } @@ -2064,7 +2064,7 @@ function prepareSearchContext($reset = false) // Fix the international characters in the keyword too. $query = strtr($smcFunc['htmlspecialchars']($query), array('\\\'' => '\'')); - $body_highlighted = preg_replace_callback('/((<[^>]*)|' . preg_quote(strtr($query, array('\'' => ''')), '/') . ')/i' . ($context['utf8'] ? 'u' : ''), create_function('$m', 'return isset($m[2]) && "$m[2]" == "$m[1]" ? stripslashes("$m[1]") : "$m[1]";'), $body_highlighted); + $body_highlighted = preg_replace_callback('/((<[^>]*)|' . preg_quote(strtr($query, array('\'' => ''')), '/') . ')/i' . ($context['utf8'] ? 'u' : ''), 'search_highlight__preg_callback', $body_highlighted); $subject_highlighted = preg_replace('/(' . preg_quote($query, '/') . ')/i' . ($context['utf8'] ? 'u' : ''), '$1', $subject_highlighted); } @@ -2102,4 +2102,8 @@ function searchSort($a, $b) return $searchAPI->searchSort($a, $b); } +function search_highlight__preg_callback($matches) +{ + return isset($matches[2]) && $matches[2] == $matches[1] ? stripslashes($matches[1]) : '' . $matches[1] . ''; +} ?> \ No newline at end of file diff --git a/Sources/Subs-Auth.php b/Sources/Subs-Auth.php index fd36866..f1a2dfa 100644 --- a/Sources/Subs-Auth.php +++ b/Sources/Subs-Auth.php @@ -8,7 +8,7 @@ * @copyright 2011 Simple Machines * @license http://www.simplemachines.org/about/smf/license.php BSD * - * @version 2.0.7 + * @version 2.0.11 */ if (!defined('SMF')) @@ -111,7 +111,7 @@ function setLoginCookie($cookie_length, $id, $password = '') $cookie_state = (empty($modSettings['localCookies']) ? 0 : 1) | (empty($modSettings['globalCookies']) ? 0 : 2); if (isset($_COOKIE[$cookiename]) && preg_match('~^a:[34]:\{i:0;(i:\d{1,6}|s:[1-8]:"\d{1,8}");i:1;s:(0|40):"([a-fA-F0-9]{40})?";i:2;[id]:\d{1,14};(i:3;i:\d;)?\}$~', $_COOKIE[$cookiename]) === 1) { - $array = @unserialize($_COOKIE[$cookiename]); + $array = safe_unserialize($_COOKIE[$cookiename]); // Out with the old, in with the new! if (isset($array[3]) && $array[3] != $cookie_state) @@ -242,7 +242,7 @@ function KickGuest() // Display a message about the forum being in maintenance mode, etc. function InMaintenance() { - global $txt, $mtitle, $mmessage, $context; + global $txt, $mtitle, $mmessage, $context, $smcFunc; loadLanguage('Login'); loadTemplate('Login'); @@ -252,7 +252,7 @@ function InMaintenance() // Basic template stuff.. $context['sub_template'] = 'maintenance'; - $context['title'] = &$mtitle; + $context['title'] = $smcFunc['htmlspecialchars']($mtitle); $context['description'] = &$mmessage; $context['page_title'] = $txt['maintain_mode']; } diff --git a/Sources/Subs-Db-mysql.php b/Sources/Subs-Db-mysql.php index 052d57a..3999462 100644 --- a/Sources/Subs-Db-mysql.php +++ b/Sources/Subs-Db-mysql.php @@ -8,7 +8,7 @@ * @copyright 2011 Simple Machines * @license http://www.simplemachines.org/about/smf/license.php BSD * - * @version 2.0.4 + * @version 2.0.9 */ if (!defined('SMF')) @@ -243,6 +243,28 @@ function smf_db_query($identifier, $db_string, $db_values = array(), $connection // Decide which connection to use. $connection = $connection == null ? $db_connection : $connection; + // Special queries that need processing. + $replacements = array( + 'alter_table_boards' => array( + '~(.+)~' => '', + ), + 'boardindex_fetch_boards' => array( + '~(.)$~' => '$1 ORDER BY b.board_order', + ), + 'messageindex_fetch_boards' => array( + '~(.)$~' => '$1 ORDER BY b.board_order', + ), + 'order_by_board_order' => array( + '~(.)$~' => '$1 ORDER BY b.board_order', + ), + ); + + if (isset($replacements[$identifier])) + $db_string = preg_replace(array_keys($replacements[$identifier]), array_values($replacements[$identifier]), $db_string); + + if (trim($db_string) == '') + return false; + // One more query.... $db_count = !isset($db_count) ? 1 : $db_count + 1; @@ -250,7 +272,7 @@ function smf_db_query($identifier, $db_string, $db_values = array(), $connection smf_db_error_backtrace('Hacking attempt...', 'Illegal character (\') used in query...', true, __FILE__, __LINE__); // Use "ORDER BY null" to prevent Mysql doing filesorts for Group By clauses without an Order By - if (strpos($db_string, 'GROUP BY') !== false && strpos($db_string, 'ORDER BY') === false && strpos($db_string, 'INSERT INTO') === false) + if (strpos($db_string, 'GROUP BY') !== false && strpos($db_string, 'ORDER BY') === false && preg_match('~^\s+SELECT~i', $db_string)) { // Add before LIMIT if ($pos = strpos($db_string, 'LIMIT ')) diff --git a/Sources/Subs-Editor.php b/Sources/Subs-Editor.php index f41bab6..956ffbe 100644 --- a/Sources/Subs-Editor.php +++ b/Sources/Subs-Editor.php @@ -8,7 +8,7 @@ * @copyright 2011 Simple Machines * @license http://www.simplemachines.org/about/smf/license.php BSD * - * @version 2.0.7 + * @version 2.0.11 */ if (!defined('SMF')) @@ -132,7 +132,7 @@ function bbc_to_html($text) $text = preg_replace(array_keys($working_html), array_values($working_html), $text); // Parse unique ID's and disable javascript into the smileys - using the double space. - $text = preg_replace_callback('~(?:\s| )?<(img\ssrc="' . preg_quote($modSettings['smileys_url'], '~') . '/[^<>]+?/([^<>]+?)"\s*)[^<>]*?class="smiley" />~', create_function('$m', 'static $i = 1; return \'<\' . ' . 'stripslashes($m[1]) . \'alt="" title="" onresizestart="return false;" id="smiley_\' . ' . "\$" . 'i++ . \'_\' . $m[2] . \'" style="padding: 0 3px 0 3px;" />\';'), $text); + $text = preg_replace_callback('~(?:\s| )?<(img\ssrc="' . preg_quote($modSettings['smileys_url'], '~') . '/[^<>]+?/([^<>]+?)"\s*)[^<>]*?class="smiley" />~', 'uniq_smiley__preg_callback', $text); return $text; } @@ -804,7 +804,7 @@ function html_to_bbc($text) '~~i' => "<ins>", '~~i' => "</ins>", ); - $text = preg_replace_callback('~<(td|th)\s[^<>]*?colspan="?(\d{1,2})"?.*?' . '>~i', create_function('$m', 'return str_repeat(\'[td][/td]\', $m[2] - 1) . \'[td]\';'), $text); + $text = preg_replace_callback('~<(td|th)\s[^<>]*?colspan="?(\d{1,2})"?.*?' . '>~i', 'td_count__preg_callback', $text); $text = preg_replace(array_keys($tags), array_values($tags), $text); // Please give us just a little more time. @@ -2130,7 +2130,7 @@ function AutoSuggestHandler($checkRegistered = null) loadTemplate('Xml'); // Any parameters? - $context['search_param'] = isset($_REQUEST['search_param']) ? unserialize(base64_decode($_REQUEST['search_param'])) : array(); + $context['search_param'] = isset($_REQUEST['search_param']) ? safe_unserialize(base64_decode($_REQUEST['search_param'])) : array(); if (isset($_REQUEST['suggest_type'], $_REQUEST['search']) && isset($searchTypes[$_REQUEST['suggest_type']])) { @@ -2183,4 +2183,14 @@ function AutoSuggest_Search_Member() return $xml_data; } +function uniq_smiley__preg_callback($matches) +{ + static $i = 1; + return '<' . stripslashes($matches[1]) . 'alt="" title="" onresizestart="return false;" id="smiley_' . ($i++) . '_' . $matches[2] . '" style="padding: 0 3px 0 3px;" />'; +} + +function td_count__preg_callback($matches) +{ + return str_repeat('[td][/td]', $matches[2] - 1) . '[td]'; +} ?> \ No newline at end of file diff --git a/Sources/Subs-Graphics.php b/Sources/Subs-Graphics.php index 385d22f..2c0db2a 100644 --- a/Sources/Subs-Graphics.php +++ b/Sources/Subs-Graphics.php @@ -8,7 +8,7 @@ * @copyright 2011 Simple Machines * @license http://www.simplemachines.org/about/smf/license.php BSD * - * @version 2.0 + * @version 2.0.9 */ // TrueType fonts supplied by www.LarabieFonts.com @@ -279,7 +279,7 @@ function checkImageContents($fileName, $extensiveCheck = false) else { // Check for potential infection - if (preg_match('~(iframe|html|eval|body|script\W|[CF]WS[\x01-\x0C])~i', $prev_chunk . $cur_chunk) === 1) + if (preg_match('~(iframe|(? $v) { if (in_array($k, $octdec)) @@ -273,6 +270,9 @@ function read_tgz_data($data, $destination, $single_file = false, $overwrite = f $current[$k] = trim($v); } + if ($current['type'] == 5 && substr($current['filename'], -1) != '/') + $current['filename'] .= '/'; + $checksum = 256; for ($i = 0; $i < 148; $i++) $checksum += ord($header{$i}); @@ -515,6 +515,9 @@ function loadInstalledPackages() $found[] = $row['package_id']; + // Clean things up first... + $row = htmlspecialchars__recursive($row); + $installed[] = array( 'id' => $row['id_install'], 'name' => $row['name'], @@ -563,9 +566,20 @@ function getPackageInfo($gzfilename) $packageInfo = $packageInfo->path('package-info[0]'); $package = $packageInfo->to_array(); + $package = htmlspecialchars__recursive($package); $package['xml'] = $packageInfo; $package['filename'] = $gzfilename; + // Don't want to mess with code... + $types = array('install', 'uninstall', 'upgrade'); + foreach($types as $type) + { + if (isset($package[$type]['code'])) + { + $package[$type]['code'] = un_htmlspecialchars($package[$type]['code']); + } + } + if (!isset($package['type'])) $package['type'] = 'modification'; @@ -2443,7 +2457,7 @@ function package_get_contents($filename) if (!isset($package_cache)) { // Windows doesn't seem to care about the memory_limit. - if (!empty($modSettings['package_disable_cache']) || ini_set('memory_limit', '128M') !== false || strpos(strtolower(PHP_OS), 'win') !== false) + if (!empty($modSettings['package_disable_cache']) || @ini_set('memory_limit', '128M') !== false || strpos(strtolower(PHP_OS), 'win') !== false) $package_cache = array(); else $package_cache = false; @@ -2463,7 +2477,7 @@ function package_put_contents($filename, $data, $testing = false) if (!isset($package_cache)) { // Try to increase the memory limit - we don't want to run out of ram! - if (!empty($modSettings['package_disable_cache']) || ini_set('memory_limit', '128M') !== false || strpos(strtolower(PHP_OS), 'win') !== false) + if (!empty($modSettings['package_disable_cache']) || @ini_set('memory_limit', '128M') !== false || strpos(strtolower(PHP_OS), 'win') !== false) $package_cache = array(); else $package_cache = false; diff --git a/Sources/Subs-Post.php b/Sources/Subs-Post.php index 5649940..9b3453f 100644 --- a/Sources/Subs-Post.php +++ b/Sources/Subs-Post.php @@ -8,7 +8,7 @@ * @copyright 2011 Simple Machines * @license http://www.simplemachines.org/about/smf/license.php BSD * - * @version 2.0.7 + * @version 2.0.10 */ if (!defined('SMF')) @@ -163,7 +163,7 @@ function preparsecode(&$message, $previewing = false) $message = preg_replace('~&#(\d{4,5}|[2-9]\d{2,4}|1[2-9]\d);~', '&#$1;', $message); // Clean up after nobbc ;). - $message = preg_replace_callback('~\[nobbc\](.+?)\[/nobbc\]~i', create_function('$m', ' return "[nobbc]" . strtr("$m[1]", array("[" => "[", "]" => "]", ":" => ":", "@" => "@")) . "[/nobbc]";'), $message); + $message = preg_replace_callback('~\[nobbc\](.+?)\[/nobbc\]~is', 'nobbc__preg_callback', $message); // Remove \r's... they're evil! $message = strtr($message, array("\r" => '')); @@ -249,14 +249,14 @@ function preparsecode(&$message, $previewing = false) } // Let's look at the time tags... - $parts[$i] = preg_replace_callback('~\[time(?:=(absolute))*\](.+?)\[/time\]~i', create_function('$m', 'global $modSettings, $user_info; return "[time]" . (is_numeric("$m[2]") || @strtotime("$m[2]") == 0 ? "$m[2]" : strtotime("$m[2]") - ("$m[1]" == "absolute" ? 0 : (($modSettings["time_offset"] + $user_info["time_offset"]) * 3600))) . "[/time]";'), $parts[$i]); + $parts[$i] = preg_replace_callback('~\[time(?:=(absolute))*\](.+?)\[/time\]~i', 'time_fix__preg_callback', $parts[$i]); // Change the color specific tags to [color=the color]. $parts[$i] = preg_replace('~\[(black|blue|green|red|white)\]~', '[color=$1]', $parts[$i]); // First do the opening tags. $parts[$i] = preg_replace('~\[/(black|blue|green|red|white)\]~', '[/color]', $parts[$i]); // And now do the closing tags // Make sure all tags are lowercase. - $parts[$i] = preg_replace_callback('~\[([/]?)(list|li|table|tr|td)((\s[^\]]+)*)\]~i', create_function('$m', ' return "[$m[1]" . strtolower("$m[2]") . "$m[3]]";'), $parts[$i]); + $parts[$i] = preg_replace_callback('~\[([/]?)(list|li|table|tr|td)((\s[^\]]+)*)\]~i', 'lowercase_tags__preg_callback', $parts[$i]); $list_open = substr_count($parts[$i], '[list]') + substr_count($parts[$i], '[list '); $list_close = substr_count($parts[$i], '[/list]'); @@ -392,11 +392,11 @@ function un_preparsecode($message) // If $i is a multiple of four (0, 4, 8, ...) then it's not a code section... if ($i % 4 == 0) { - $parts[$i] = preg_replace_callback('~\[html\](.+?)\[/html\]~i', create_function('$m', 'return "[html]" . strtr(htmlspecialchars("$m[1]", ENT_QUOTES), array("\\"" => """, "&#13;" => "
", "&#32;" => " ", "&#91;" => "[", "&#93;" => "]")) . "[/html]";'), $parts[$i]); + $parts[$i] = preg_replace_callback('~\[html\](.+?)\[/html\]~i', 'htmlspecial_html__preg_callback', $parts[$i]); // $parts[$i] = preg_replace('~\[html\](.+?)\[/html\]~ie', '\'[html]\' . strtr(htmlspecialchars(\'$1\', ENT_QUOTES), array(\'\\"\' => \'"\', \'&#13;\' => \'
\', \'&#32;\' => \' \', \'&#38;\' => \'&\', \'&#91;\' => \'[\', \'&#93;\' => \']\')) . \'[/html]\'', $parts[$i]); // Attempt to un-parse the time to something less awful. - $parts[$i] = preg_replace_callback('~\[time\](\d{0,10})\[/time\]~i', create_function('$m', ' return "[time]" . timeformat("$m[1]", false) . "[/time]";'), $parts[$i]); + $parts[$i] = preg_replace_callback('~\[time\](\d{0,10})\[/time\]~i', 'time_format__preg_callback', $parts[$i]); } } @@ -478,7 +478,7 @@ function fixTags(&$message) fixTag($message, $param['tag'], $param['protocols'], $param['embeddedUrl'], $param['hasEqualSign'], !empty($param['hasExtra'])); // Now fix possible security problems with images loading links automatically... - $message = preg_replace_callback('~(\[img.*?\])(.+?)\[/img\]~is', create_function('$m', 'return "$m[1]" . preg_replace("~action(=|%3d)(?!dlattach)~i", "action-", "$m[2]") . "[/img]";'), $message); + $message = preg_replace_callback('~(\[img.*?\])(.+?)\[/img\]~is', 'action_fix__preg_callback', $message); // Limit the size of images posted? if (!empty($modSettings['max_image_width']) || !empty($modSettings['max_image_height'])) @@ -1186,7 +1186,7 @@ function sendpm($recipients, $subject, $message, $store_outbox = false, $from = censorText($message); censorText($subject); - $message = trim(un_htmlspecialchars(strip_tags(strtr(parse_bbc(htmlspecialchars($message), false), array('
' => "\n", '' => "\n", '' => "\n", '[' => '[', ']' => ']'))))); + $message = trim(un_htmlspecialchars(strip_tags(strtr(parse_bbc($smcFunc['htmlspecialchars']($message), false), array('
' => "\n", '' => "\n", '' => "\n", '[' => '[', ']' => ']'))))); foreach ($notifications as $lang => $notification_list) { @@ -1234,7 +1234,7 @@ function mimespecialchars($string, $with_charset = true, $hotmail_fix = false, $ unset($matches); if ($simple) - $string = preg_replace_callback('~&#(\d{3,8});~', create_function('$m', ' return chr("$m[1]");'), $string); + $string = preg_replace_callback('~&#(\d{3,8});~', 'return_chr__preg_callback', $string); else { // Try to convert the string to UTF-8. @@ -1272,33 +1272,8 @@ function mimespecialchars($string, $with_charset = true, $hotmail_fix = false, $ $string = $newstring; } - $entityConvert = create_function('$c', ' - if (strlen($c) === 1 && ord($c[0]) <= 0x7F) - return $c; - elseif (strlen($c) === 2 && ord($c[0]) >= 0xC0 && ord($c[0]) <= 0xDF) - return "&#" . (((ord($c[0]) ^ 0xC0) << 6) + (ord($c[1]) ^ 0x80)) . ";"; - elseif (strlen($c) === 3 && ord($c[0]) >= 0xE0 && ord($c[0]) <= 0xEF) - return "&#" . (((ord($c[0]) ^ 0xE0) << 12) + ((ord($c[1]) ^ 0x80) << 6) + (ord($c[2]) ^ 0x80)) . ";"; - elseif (strlen($c) === 4 && ord($c[0]) >= 0xF0 && ord($c[0]) <= 0xF7) - return "&#" . (((ord($c[0]) ^ 0xF0) << 18) + ((ord($c[1]) ^ 0x80) << 12) + ((ord($c[2]) ^ 0x80) << 6) + (ord($c[3]) ^ 0x80)) . ";"; - else - return "";'); - - $entityConvert = create_function('$m', ' - $c = $m[1]; - if (strlen($c) === 1 && ord($c[0]) <= 0x7F) - return $c; - elseif (strlen($c) === 2 && ord($c[0]) >= 0xC0 && ord($c[0]) <= 0xDF) - return "&#" . (((ord($c[0]) ^ 0xC0) << 6) + (ord($c[1]) ^ 0x80)) . ";"; - elseif (strlen($c) === 3 && ord($c[0]) >= 0xE0 && ord($c[0]) <= 0xEF) - return "&#" . (((ord($c[0]) ^ 0xE0) << 12) + ((ord($c[1]) ^ 0x80) << 6) + (ord($c[2]) ^ 0x80)) . ";"; - elseif (strlen($c) === 4 && ord($c[0]) >= 0xF0 && ord($c[0]) <= 0xF7) - return "&#" . (((ord($c[0]) ^ 0xF0) << 18) + ((ord($c[1]) ^ 0x80) << 12) + ((ord($c[2]) ^ 0x80) << 6) + (ord($c[3]) ^ 0x80)) . ";"; - else - return "";'); - // Convert all 'special' characters to HTML entities. - return array($charset, preg_replace_callback('~([\x80-\x{10FFFF}])~u', $entityConvert, $string), '7bit'); + return array($charset, preg_replace_callback('~([\x80-\x{10FFFF}])~u', 'mime_convert__preg_callback', $string), '7bit'); } // We don't need to mess with the subject line if no special characters were in it.. @@ -3302,4 +3277,58 @@ function user_info_callback($matches) return $use_ref ? $ref : $matches[0]; } +function action_fix__preg_callback($matches) +{ + return $matches[1] . preg_replace('~action(=|%3d)(?!dlattach)~i', 'action-', $matches[2]) . '[/img]'; +} + +function mime_convert__preg_callback($matches) +{ + // I get the feeling we could possibly ditch this and reuse fixchar__callback but handling for < 0x20 + // may not be appropriate here. + + $c = $matches[1]; + if (strlen($c) === 1 && ord($c[0]) <= 0x7F) + return $c; + elseif (strlen($c) === 2 && ord($c[0]) >= 0xC0 && ord($c[0]) <= 0xDF) + return '&#' . (((ord($c[0]) ^ 0xC0) << 6) + (ord($c[1]) ^ 0x80)) . ';'; + elseif (strlen($c) === 3 && ord($c[0]) >= 0xE0 && ord($c[0]) <= 0xEF) + return '&#' . (((ord($c[0]) ^ 0xE0) << 12) + ((ord($c[1]) ^ 0x80) << 6) + (ord($c[2]) ^ 0x80)) . ';'; + elseif (strlen($c) === 4 && ord($c[0]) >= 0xF0 && ord($c[0]) <= 0xF7) + return '&#' . (((ord($c[0]) ^ 0xF0) << 18) + ((ord($c[1]) ^ 0x80) << 12) + ((ord($c[2]) ^ 0x80) << 6) + (ord($c[3]) ^ 0x80)) . ';'; + else + return ''; +} + +function time_fix__preg_callback($matches) +{ + global $modSettings, $user_info; + return '[time]' . (is_numeric($matches[2]) || @strtotime($matches[2]) == 0 ? $matches[2] : strtotime($matches[2]) - ($matches[1] == 'absolute' ? 0 : (($modSettings['time_offset'] + $user_info['time_offset']) * 3600))) . '[/time]'; +} + +function nobbc__preg_callback($matches) +{ + return '[nobbc]' . strtr($matches[1], array('[' => '[', ']' => ']', ':' => ':', '@' => '@')) . '[/nobbc]'; +} + +function lowercase_tags__preg_callback($matches) +{ + return '[' . $matches[1] . strtolower($matches[2]) . $matches[3] . ']'; +} + +function htmlspecial_html__preg_callback($matches) +{ + // Since we're calling htmlspecialchars we probably should know what charset we're using. + global $modSettings, $txt; + static $charset = null; + if ($charset === null) + $charset = empty($modSettings['global_character_set']) ? $txt['lang_character_set'] : $modSettings['global_character_set']; + + return '[html]' . strtr(htmlspecialchars($matches[1], ENT_QUOTES, $charset), array('\\"' => '"', '&#13;' => '
', '&#32;' => ' ', '&#91;' => '[', '&#93;' => ']')) . '[/html]'; +} + +function time_format__preg_callback($matches) +{ + return '[time]' . timeformat($matches[1], false) . '[/time]'; +} ?> \ No newline at end of file diff --git a/Sources/Subs.php b/Sources/Subs.php index 9506aff..d558748 100644 --- a/Sources/Subs.php +++ b/Sources/Subs.php @@ -8,7 +8,7 @@ * @copyright 2011 Simple Machines * @license http://www.simplemachines.org/about/smf/license.php BSD * - * @version 2.0.7 + * @version 2.0.11 */ if (!defined('SMF')) @@ -219,6 +219,9 @@ if (!defined('SMF')) void remove_integration_function(string hook, string function) - removes the given function from the given hook. - does nothing if the functions is not available. + + array safe_unserialize(string data) + - sanitizes input before unserializing string. */ // Update some basic statistics... @@ -2034,7 +2037,7 @@ function parse_bbc($message, $smileys = true, $cache_id = '', $parse_tags = arra $data = strtr($data, array($breaker => '< >', ' ' => $context['utf8'] ? "\xC2\xA0" : "\xA0")); $data = preg_replace_callback( '~(?<=[>;:!? ' . $non_breaking_space . '\]()]|^)([\w' . ($context['utf8'] ? '\pL' : '') . '\.]{' . $modSettings['fixLongWords'] . ',})~' . ($context['utf8'] ? 'u' : ''), - create_function('$m', 'return preg_replace(\'~(.{' . ($modSettings['fixLongWords'] - 1) . '})~' . ($context['utf8'] ? 'u' : '') . '\', \'$1< >\', "$m[1]");'), + 'word_break__preg_callback', $data); $data = strtr($data, array('< >' => $breaker, $context['utf8'] ? "\xC2\xA0" : "\xA0" => ' ')); } @@ -2692,8 +2695,8 @@ function parsesmileys(&$message) // Replace away! // TODO: When SMF supports only PHP 5.3+, we can change this to "uses" keyword and simplify this. - $callback = pregReplaceCurry('smielyPregReplaceCallback', 2); - $message = preg_replace_callback($smileyPregSearch, $callback($smileyPregReplacements), $message); + $context['smiley_replacements'] = $smileyPregReplacements; + $message = preg_replace_callback($smileyPregSearch, 'smileyPregReplaceCallback', $message); } // This allows use to do delayed argument binding and bring in the replacement variables for some preg replacements. @@ -2714,9 +2717,10 @@ function pregReplaceCurry($func, $arity) } // Our callback that does the actual smiley replacements. -function smielyPregReplaceCallback($replacements, $matches) +function smileyPregReplaceCallback($matches) { - return $replacements[$matches[1]]; + global $context; + return $context['smiley_replacements'][$matches[1]]; } // Highlight any code... function highlight_php_code($code) @@ -2931,10 +2935,10 @@ function redirectexit($setLocation = '', $refresh = false) if (!empty($modSettings['queryless_urls']) && (empty($context['server']['is_cgi']) || @ini_get('cgi.fix_pathinfo') == 1 || @get_cfg_var('cgi.fix_pathinfo') == 1) && (!empty($context['server']['is_apache']) || !empty($context['server']['is_lighttpd']))) { - if (defined('SID') && SID != '') - $setLocation = preg_replace_callback('~"' . preg_quote($scripturl, '/') . '\?(?:' . SID . '(?:;|&|&))((?:board|topic|page)=[^#]+?)(#[^"]*?)?$~', create_function('$m', 'global $scripturl; return $scripturl . \'/\' . strtr("$m[1]", \'&;=\', \'//,\') . \'.html?\' . SID . (isset($m[2]) ? "$m[2]" : "");'), $setLocation); - else - $setLocation = preg_replace_callback('~"' . preg_quote($scripturl, '/') . '\?((?:board|topic|page)=[^#"]+?)(#[^"]*?)?$~', create_function('$m', 'global $scripturl; return $scripturl . \'/\' . strtr("$m[1]", \'&;=\', \'//,\') . \'.html\' . (isset($m[2]) ? "$m[2]" : "");'), $setLocation); + if (defined('SID') && SID != '') + $setLocation = preg_replace_callback('~^' . preg_quote($scripturl, '/') . '\?(?:' . SID . '(?:;|&|&))((?:board|topic|page)=[^#]+?)(#[^"]*?)?$~', 'fix_redirect_sid__preg_callback', $setLocation); + else + $setLocation = preg_replace_callback('~^' . preg_quote($scripturl, '/') . '\?((?:board|topic|page)=[^#"]+?)(#[^"]*?)?$~', 'fix_redirect_path__preg_callback', $setLocation); } // Maybe integrations want to change where we are heading? @@ -4615,4 +4619,34 @@ function remove_integration_function($hook, $function) $modSettings[$hook] = implode(',', $functions); } +function word_break__preg_callback($matches) +{ + global $modSettings, $context; + return preg_replace('~(.{' . ($modSettings['fixLongWords'] - 1) . '})~' . ($context['utf8'] ? 'u' : ''), '$1< >', $matches[1]); +} + +function fix_redirect_sid__preg_callback($matches) +{ + global $scripturl; + return $scripturl . '/' . strtr($matches[1], '&;=', '//,') . '.html?' . SID . (isset($matches[2]) ? $matches[2] : ''); +} + +function fix_redirect_path__preg_callback($matches) +{ + global $scripturl; + return $scripturl . '/' . strtr($matches[1], '&;=', '//,') . '.html' . (isset($matches[2]) ? $matches[2] : ''); +} + +function return_chr__preg_callback($matches) +{ + return chr($matches[1]); +} + +function safe_unserialize($data) +{ + // There's no reason input should contain an object, + // user is up to no good... + if (preg_match('/(^|;|{|})O:([0-9]|\+|\-)+/', $data) === 0) + return @unserialize($data); +} ?> diff --git a/Sources/Subscriptions-PayPal.php b/Sources/Subscriptions-PayPal.php index 3198a28..9dca2fb 100644 --- a/Sources/Subscriptions-PayPal.php +++ b/Sources/Subscriptions-PayPal.php @@ -8,7 +8,7 @@ * @copyright 2011 Simple Machines * @license http://www.simplemachines.org/about/smf/license.php BSD * - * @version 2.0.3 + * @version 2.0.10 */ // This won't be dedicated without this - this must exist in each gateway! @@ -25,8 +25,10 @@ class paypal_display { global $txt; + /// We add email and additional emails (the latter for recurring payments) $setting_data = array( array('text', 'paypal_email', 'subtext' => $txt['paypal_email_desc']), + array('text', 'paypal_additional_emails', 'subtext' => $txt['paypal_additional_emails_desc']), ); return $setting_data; @@ -117,7 +119,7 @@ class paypal_payment // Correct email address? if (!isset($_POST['business'])) $_POST['business'] = $_POST['receiver_email']; - if ($modSettings['paypal_email'] != $_POST['business'] && (empty($modSettings['paypal_additional_emails']) || !in_array($_POST['business'], explode(',', $modSettings['paypal_additional_emails'])))) + if (strtolower($modSettings['paypal_email']) != strtolower($_POST['business']) && (empty($modSettings['paypal_additional_emails']) || !in_array(strtolower($_POST['business']), explode(',', strtolower($modSettings['paypal_additional_emails']))))) return false; return true; } @@ -205,7 +207,7 @@ class paypal_payment exit; // Check that this is intended for us. - if ($modSettings['paypal_email'] != $_POST['business'] && (empty($modSettings['paypal_additional_emails']) || !in_array($_POST['business'], explode(',', $modSettings['paypal_additional_emails'])))) + if (strtolower($modSettings['paypal_email']) != strtolower($_POST['business']) && (empty($modSettings['paypal_additional_emails']) || !in_array(strtolower($_POST['business']), explode(',', strtolower($modSettings['paypal_additional_emails']))))) exit; // Is this a subscription - and if so it's it a secondary payment that we need to process? @@ -214,7 +216,7 @@ class paypal_payment $this->_findSubscription(); // Verify the currency! - if (strtolower($_POST['mc_currency']) != $modSettings['paid_currency_code']) + if (strtolower($_POST['mc_currency']) != strtolower($modSettings['paid_currency_code'])) exit; // Can't exist if it doesn't contain anything. diff --git a/Themes/default/ManagePermissions.template.php b/Themes/default/ManagePermissions.template.php index 28be570..569baca 100644 --- a/Themes/default/ManagePermissions.template.php +++ b/Themes/default/ManagePermissions.template.php @@ -7,7 +7,7 @@ * @copyright 2011 Simple Machines * @license http://www.simplemachines.org/about/smf/license.php BSD * - * @version 2.0 + * @version 2.0.9 */ function template_permission_index() @@ -523,11 +523,13 @@ function template_modify_group() else template_modify_group_classic($context['permission_type']); + echo ' + '; + // If this is general permissions also show the default profile. if ($context['permission_type'] == 'membergroup') { echo ' -

', $txt['permissions_board'], '

diff --git a/Themes/default/Post.template.php b/Themes/default/Post.template.php index df09f65..37fa497 100644 --- a/Themes/default/Post.template.php +++ b/Themes/default/Post.template.php @@ -7,7 +7,7 @@ * @copyright 2011 Simple Machines * @license http://www.simplemachines.org/about/smf/license.php BSD * - * @version 2.0 + * @version 2.0.10 */ // The main template for the post page. @@ -583,7 +583,7 @@ function template_main() } // !!! Currently not sending poll options and option checkboxes. var x = new Array(); - var textFields = [\'subject\', ', JavaScriptEscape($context['post_box_name']), ', \'icon\', \'guestname\', \'email\', \'evtitle\', \'question\', \'topic\']; + var textFields = [\'subject\', ', JavaScriptEscape($context['post_box_name']), ', \'icon\', \'guestname\', \'email\', \'evtitle\', \'question\', \'topic\', ', JavaScriptEscape($context['session_var']), ']; var numericFields = [ \'board\', \'topic\', \'last_msg\', \'eventid\', \'calendar\', \'year\', \'month\', \'day\', diff --git a/Themes/default/Search.template.php b/Themes/default/Search.template.php index 9f9a1d1..64979bb 100644 --- a/Themes/default/Search.template.php +++ b/Themes/default/Search.template.php @@ -7,7 +7,7 @@ * @copyright 2011 Simple Machines * @license http://www.simplemachines.org/about/smf/license.php BSD * - * @version 2.0 + * @version 2.0.10 */ function template_main() @@ -168,8 +168,8 @@ function template_main()
    '; echo ' -
  • - +
  • +
    • '; $i ++; diff --git a/Themes/default/images/buttons/restore_topic.gif b/Themes/default/images/buttons/restore_topic.gif old mode 100644 new mode 100755 diff --git a/Themes/default/images/construction.png b/Themes/default/images/construction.png old mode 100644 new mode 100755 diff --git a/Themes/default/images/theme/submit_bg.png b/Themes/default/images/theme/submit_bg.png old mode 100644 new mode 100755 diff --git a/Themes/default/languages/ManagePaid.english.php b/Themes/default/languages/ManagePaid.english.php index b264253..9bb78bf 100644 --- a/Themes/default/languages/ManagePaid.english.php +++ b/Themes/default/languages/ManagePaid.english.php @@ -1,5 +1,5 @@ Note:
    For subscriptions to be automatically updated for your users, you - will need to setup a return URL for each of your payment methods. For all payment types, this return URL should be set as:

    +$txt['paid_note'] = 'Note:
    +SMF currently supports PayPal as the installed payment method.
    +   •  It is not necessary to enable IPN in your PayPal account; if you do, the forum will receive payment notifications for all payments made to your account, and this will generate Paid Subscriptions errors for payments that are not subscription related.
    +   •  You must have a business or premier account to use recurring payments.
    +   •  You must provide your primary PayPal email address for validation purposes.

    + +If you install a different payment gateway, you may need to set up a return URL for payment notification. For all payment types, this return URL should be set as:

      •  ' . $boardurl . '/subscriptions.php

    - You can edit the link for paypal directly, by clicking here.
    - For the other gateways (If installed) you can normally find it in your customer panels, usually under the term "Return URL" or "Callback URL".'; +You can normally find it in your customer panels, usually under the term "Return URL" or "Callback URL".


    '; + +$txt['paypal_additional_emails'] = 'Primary PayPal email address'; +$txt['paypal_additional_emails_desc'] = 'If different (for business account)'; // View subscription strings. $txt['paid_name'] = 'Name'; diff --git a/Themes/default/languages/index.english.php b/Themes/default/languages/index.english.php index 94e2e2e..0d5e29e 100644 --- a/Themes/default/languages/index.english.php +++ b/Themes/default/languages/index.english.php @@ -1,5 +1,5 @@ %1$s | - SMF © 2014, Simple Machines'; + SMF © 2015, Simple Machines'; $txt['birthdays'] = 'Birthdays:'; $txt['events'] = 'Events:'; diff --git a/Themes/default/scripts/editor.js b/Themes/default/scripts/editor.js index 910bb6f..db251d5 100644 --- a/Themes/default/scripts/editor.js +++ b/Themes/default/scripts/editor.js @@ -602,16 +602,7 @@ smc_Editor.prototype.insertText = function(sText, bClear, bForceEntityReverse, i // This includes a work around for FF to get the cursor to show! this.oFrameDocument.body.innerHTML = sText; - // If FF trick the cursor into coming back! - if (is_ff || is_opera) - { - // For some entirely unknown reason FF3 Beta 2 and some Opera versions - // require this. - this.oFrameDocument.body.contentEditable = false; - - this.oFrameDocument.designMode = 'off'; - this.oFrameDocument.designMode = 'on'; - } + // This used to be the home of a slightly ugly bug in Firefox (but it's long gone) } else this.oTextHandle.value = sText; diff --git a/Themes/default/scripts/fader.js b/Themes/default/scripts/fader.js index bad2c01..671ba4d 100644 --- a/Themes/default/scripts/fader.js +++ b/Themes/default/scripts/fader.js @@ -48,7 +48,8 @@ smf_NewsFader.prototype.init = function init() var oForeEl, oForeColor, oBackEl, oBackColor; // Try to find the fore- and background colors. - if ('currentStyle' in this.oFaderHandle) + var modern_browser = 'MozOpacity' in this.oFaderHandle.style || 'Opacity' in this.oFaderHandle.style || 'filter' in this.oFaderHandle.style; + if ('currentStyle' in this.oFaderHandle && !modern_browser) { oForeColor = this.oFaderHandle.currentStyle.color.match(/#([\da-f][\da-f])([\da-f][\da-f])([\da-f][\da-f])/); this.oFadeFrom = { @@ -68,7 +69,7 @@ smf_NewsFader.prototype.init = function init() b: eval('0x' + oBackColor[3]) }; } - else if (!('opera' in window) && 'defaultView' in document) + else if (!('opera' in window) && 'defaultView' in document && !modern_browser) { oForeEl = this.oFaderHandle; while (document.defaultView.getComputedStyle(oForeEl, null).getPropertyCSSValue('color') == null && 'parentNode' in oForeEl && 'tagName' in oForeEl.parentNode) diff --git a/Themes/default/scripts/script.js b/Themes/default/scripts/script.js index f6a08d2..49f9205 100644 --- a/Themes/default/scripts/script.js +++ b/Themes/default/scripts/script.js @@ -16,7 +16,7 @@ var is_opera96 = ua.indexOf('opera/9.6') != -1 || ua.indexOf('opera 9.6') != -1; var is_opera10 = (ua.indexOf('opera/9.8') != -1 || ua.indexOf('opera 9.8') != -1 || ua.indexOf('opera/10.') != -1 || ua.indexOf('opera 10.') != -1) || ua.indexOf('version/10.') != -1; var is_opera95up = is_opera95 || is_opera96 || is_opera10; -var is_ff = (ua.indexOf('firefox') != -1 || ua.indexOf('iceweasel') != -1 || ua.indexOf('icecat') != -1 || ua.indexOf('shiretoko') != -1 || ua.indexOf('minefield') != -1) && !is_opera; +var is_ff = (ua.indexOf('firefox') != -1 || ua.indexOf('iceweasel') != -1 || ua.indexOf('icecat') != -1 || ua.indexOf('shiretoko') != -1 || ua.indexOf('minefield') != -1 || ua.indexOf('PaleMoon') != -1) && !is_opera; var is_gecko = ua.indexOf('gecko') != -1 && !is_opera; var is_chrome = ua.indexOf('chrome') != -1; @@ -877,7 +877,7 @@ smc_Toggle.prototype.changeState = function(bCollapse, bInit) if ('oCookieOptions' in this.opt && this.opt.oCookieOptions.bUseCookie) this.oCookie.set(this.opt.oCookieOptions.sCookieName, this.bCollapsed ? '1' : '0'); - if ('oThemeOptions' in this.opt && this.opt.oThemeOptions.bUseThemeSettings) + if (!bInit && 'oThemeOptions' in this.opt && this.opt.oThemeOptions.bUseThemeSettings) smf_setThemeOption(this.opt.oThemeOptions.sOptionName, this.bCollapsed ? '1' : '0', 'sThemeId' in this.opt.oThemeOptions ? this.opt.oThemeOptions.sThemeId : null, this.opt.oThemeOptions.sSessionId, this.opt.oThemeOptions.sSessionVar, 'sAdditionalVars' in this.opt.oThemeOptions ? this.opt.oThemeOptions.sAdditionalVars : null); } diff --git a/index.php b/index.php index 0fa28a9..9fb87b6 100644 --- a/index.php +++ b/index.php @@ -8,7 +8,7 @@ * @copyright 2011 Simple Machines * @license http://www.simplemachines.org/about/smf/license.php BSD * - * @version 2.0.7 + * @version 2.0.11 */ /* This, as you have probably guessed, is the crux on which SMF functions. @@ -24,7 +24,8 @@ require_once('/home/www-data/htdocs/agreed.php'); -$forum_version = 'SMF 2.0.7'; +$forum_version = 'SMF 2.0.11'; +@ini_set('memory_limit', '128M'); // Get everything started up... define('SMF', 1); diff --git a/news_readme.html b/news_readme.html index 62257b7..1981a7a 100644 --- a/news_readme.html +++ b/news_readme.html @@ -1,7 +1,7 @@ - News Scripting for SMF 2.0 + News Scripting for SMF 2.0/title> <style type="text/css"> body { @@ -55,6 +55,6 @@ <br /> This shows an example of how one might change the limit on the news items. <br /><br /> - Copyright ©2014 <a href="http://www.simplemachines.org/about/license.php" title="License" target="_blank">Simple Machines</a>.<br /> + Copyright ©2013 <a href="http://www.simplemachines.org/about/license.php" title="License" target="_blank">Simple Machines</a>.<br /> </body> </html> \ No newline at end of file diff --git a/readme.html b/readme.html index 3c21e46..851a1c4 100644 --- a/readme.html +++ b/readme.html @@ -1,9 +1,13 @@ <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> - <title>SMF 2.0 Upgrade Guide + SMF 2.0 Installation Guide
-

Recommendations for best performance:

+
+

Recommendations for best performance

  • Windows, Linux or another Unix based operating system.
  • the GNU Aspell 0.50 or higher and its dictionaries for spell checking functionality.
    • @@ -175,27 +203,17 @@

    If your server does not meet these requirements, SMF may not work properly.

-

Backing up data

-

Before starting the upgrade process, a backup of the live database should be taken. This protects the forum from accidental damage and any issues from upgrading. Although all steps are taken, and extensive testing carried out, sometimes issues develop. Therefore, having a backup is crucial. The upgrading tool can backup all database tables before it runs, however the best practice is to have a full backup available.

-

Back up a database using SMF

-

From SMF, navigate to Forum Maintenance. (Administration Center -> Maintenance -> Forum Maintenance) On the database section, save the data and the structure. Then, compress the file. Select "Download" and wait for the database to complete the download completely. It is recommended if you use this method to verify that the backup is complete by opening the file and checking the last line. If the file is not complete and has an error please try one of the other methods to backup your database.

-

Back up a database using PHPMyAdmin

-

PHPMyAdmin gives the option to export a database, from the initial page, select the "Export" option and follow the instructions. Select your SMF database. These are different based on host.

-

Back up a database using a control panel

-

If your hosting service provides a control panel interface, this can be used to back up a database. Selecting the "Backups" or "Backups Wizard" options should take you to a page, prompting you to back up your database. With different hosts, these options may have different titles.

-
-
-

Upload files: using FTP

-

You can use an FTP client and an FTP access to upload the files to your server.

-

All you need to do is upload all of the files in this package, excluding this file itself, to your server. You should upload it to the same directory as your previous installation of SMF or YaBB SE. If you are given the option to "resume" uploads, make sure you do not do that - you must upload all of the files. You may wish to make sure that all of the files were uploaded, such as those in Themes/default/languages, because some FTP clients have been known to drop files.

+

Upload files method 1: manually uploading files

+

The first thing you need to do is upload all of the files in this package, excluding this file itself, to your server. You can upload it to any directory accessible by URL, but if you're not sure where to put it, a directory named "forum" is a good choice. You may wish to make sure that all of the folders were uploaded, such as Themes/default/languages, because some FTP clients have been known to drop files.

+

If you want or need to install any languages other than English, download the corresponding versions from the download page, and upload them to the same directory you uploaded SMF to. This should put additional files in Themes/default/languages and, in most cases, Themes/default/images.

Language files

If you are using additional languages it will be useful to upload also the updated versions of the language files along with the upgrading packages. Doing so all updated text strings will appear correctly after the upgrade, and will allow the upgrade to run in your selected language.

Set file permissions

-

After the upgrade archive has been uploaded and extracted, you need to set the files' permissions. This is commonly done by use of the Unix utility CHMOD. The correct CHMOD value for SMF files is either 777, 775 or 755, depending on your hosting service. There are two methods for this step, the method used depends on the hosting service that you use.

-

Setting File Permissions With the Upgrader

-

The SMF upgrader can set file permissions simply and easily. Navigating to the directory where SMF is located should redirect you to the upgrade.php file and prompt the upgrader. For example: www.yourdomain.com/forum/upgrade.php. If the upgrader detects files that need their permissions adjusted it will prompt for FTP details so it can CHMOD the files it requires for the upgrade. This may not work on some servers. +

After the install archive has been uploaded and extracted, you need to set the files' permissions. This is commonly done by use of the Unix utility CHMOD. The correct CHMOD value for SMF files is either 777, 775 or 755, depending on your hosting service. There are two methods for this step, the method used depends on the hosting service that you use.

+

Setting File Permissions With the Installer

+

The SMF installer can set file permissions simply and easily. Navigating to the directory where SMF is located should redirect you to the install.php file and prompt the installer. For example: www.yourdomain.com/forum/install.php. If the installer detects files that need their permissions adjusted it will prompt for FTP details so it can CHMOD the files it requires for the install. This may not work on some servers.

Setting File Permissions With FTP

Using a control panel or FTP client, file permissions can be changed quickly and easily. Usually, FTP programs will allow permissions to be changed by right-clicking files/directories and selecting "Properties", "Attributes" or "Permissions". The desired numerical value can be entered, or if provided, check boxes can be changed.

@@ -206,30 +224,76 @@
  • /Packages/installed.list
  • /Smileys
  • /Themes +
  • /Themes/default/languages/Install.english.php
  • agreement.txt
  • Settings.php
  • Settings_bak.php -
  • upgrade.php +
  • install.php
    • -

    If the permission on your files or folders does not make them writable, the SMF upgrader will report the problem. In that case, use your FTP client or host panel to reset the permissions for the files or folders the upgrader reports.

    +

    If the permission on your files or folders does not make them writable, the SMF installer will report the problem. In that case, use your FTP client or host panel to reset the permissions for the files or folders the installer reports.

    -

    Run the upgrading tool

    -

    The final step in upgrading SMF, is to run the upgrading tool. Navigate to the directory where SMF is located. It should redirect you to the upgrade.php file and prompt you to run the upgrade. In example: www.yourdomain.com/forum/upgrade.php.

    +

    Create a database and a database user

    +

    Before running the installer, a database and a database user will need to be created. A database will store all of the information a forum requires, such as members, posts, and topics. A database user will allow the forum to access the stored information. Remember this information about the database and database user. You will need it when it comes time to run the installer.

    +

    Creating a database using PHPMyAdmin

    +

    Most shared hosting services disable this option. If the option to create databases through PHPMyAdmin is available through the hosting service you use, the database can be created from the PHPMyAdmin home page.

    +

    Creating a database using a control panel

    +

    Shared hosting services usually disable the ability to create a database through PHPMyAdmin. If the hosting service provides a control panel interface, then this can be used to create a database. Selecting the "MySQL Databases" or "Database Wizard" options should take you to a page prompting you to creating a MySQL database. With different hosts, these options may have different names.

    SMF 2.0 has the ability to support other database types, including PostgreSQL and SQLite. SMF 1.1 supports only MySQL database types.

    +

    Creating a database user

    +

    A database user can be created through the control panel provided by your hosting service. Selecting the "MySQL Databases" or "Database Wizard" options should take you to a page, prompting you to create a MySQL database user. With different hosts, these options may have different names.

    +

    The database user requires the following permissions: SELECT, INSERT, UPDATE, DELETE, ALTER, and INDEX. Additional permissions may be granted, if desired.

    +
    +
    +

    Run the installer

    +

    The final step in installing SMF is running the installer. The information from the previous steps will be used in the installation process.

    The first page you see may request your FTP information. If you see this screen, it is because the installer found some files or folders with inadequate permissions for SMF to run properly. If you enter your FTP information here, the installer can automatically fix these permissions for you. Please note that the path should be the same path you see in your FTP client. For example, it might be "public_html/forum". And remember, the installer will not save your FTP password anywhere.

    -

    Upgrade settings

    +

    The SMF install screen looks different for SMF 2.0 and SMF 1.1, however, both still require the same information. Navigating to the directory where SMF is located, should redirect you to the install.php file, and prompt the installer to run. For example: www.yourdomain.com/forum/install.php

    +

    Basic forum settings

    -
    Backup database with the prefix "backup_"
    -
    Selecting this option will get the upgrade tool to copy all data in the database before upgrading within the original database.
    -
    Maintenance Mode
    -
    Selecting this option will place the forum into maintenance mode while upgrading rather than showing errors, this is highly recommended.
    -
    Output extra debugging information.
    -
    The upgrade tool can give detailed information while performing an upgrade by selecting this option, it will aid the support team to solve any errors if they occur while upgrading.
    +
    Forum Name
    +
    The name for the forum being installed should go here. By default this is set to "My Community". This can be changed later via the server settings section of the administration center if needed.
    +
    Forum URL
    +
    The URL the forum can be found at, without the trailing slash. The SMF installer will most likely have this correct, so it is safe to leave this field alone.
    +
    Gzip Output
    +
    If Gzip output tests pass, this can be used to save bandwidth and make pages load faster.
    +
    Database Sessions
    +
    Sessions can be stored in the database, or in files. Database sessions are more reliable, secure, and may work better on sites with multiple servers.
    +
    UTF-8 Character Set
    +
    UTF-8 character sets are useful for international forums, or forums that use languages other than English.
    +
    Allow Stat Collection
    +
    This option allows Simple Machines to collect statistics from your forum, anonymously, so the software can grow to meet the needs of its user base.
    +

    Database server settings

    +
    +
    Database type
    +
    The database schema can be selected here from a list of database schemas supported by the server being used. Newer schemas (for SMF 2.0) such as PostgreSQL and SQLite may be listed here if available. MySQL and PostgreSQL are recommended.
    +
    Server name
    +
    The location of the database is specified here. 99% of the time this will be localhost.
    +
    Username
    +
    The username used for the database user should be placed here. If help is required for this, the hosting service provider should be contacted.
    +
    Password
    +
    The password for the database user is entered here.
    +
    Database name
    +
    The name used for the database should be placed here. If help is required for this, the hosting service provider should be contacted.
    +
    Database prefix
    +
    The prefix for all tables associated with this install is specified here. Prefixing tables with unique prefixes enables more than one application, or SMF install, to use the same database safely.
    +
    +

    Creating an administrator account

    +

    The SMF installer will ask for information to create the forum's administrator account. This information includes username, password, and e-mail address, just like a regular account. Once created, this account can be used to visit the Administration Center to manage and configure the forum.

    -

    Finishing the upgrade and cleaning up

    -

    Once all parts of the upgrade have completed, check the box to remove the upgrade files from the server. If this does not work, they will need to be deleted via FTP. All upgrade files should be removed from the server once the upgrade process is complete. These files are upgrade.php and the .sql files whose name starts with 'upgrade'. They are a major security risk if they are left on a server unattended. Once SMF has been upgraded, they are no longer needed.

    +

    Upload files method 2: using webinstall.php

    +

    Your server may support webinstall.php. This script will automatically download SMF to your server. This may not work on all servers and also may require providing it with FTP details.

    +

    The first thing you need to do is upload webinstall.php to the location of where SMF is to exist on your server.

    +

    After you have finished uploading the file, point your browser to http://www.yourdomain.tld/forum/webinstall.php - where www.yourdomain.tld/forum is the URL to where you uploaded it. You should then see the webinstall interface.

    +

    The first page you see may request your FTP information. If you see this screen, it is because the webinstaller found some files or folders with inadequate permissions for SMF to run properly. If you enter your FTP information here, the webinstaller can automatically fix these permissions for you. Please note that the path should be the same path you see in your FTP client. For example, it might be "public_html/forum". And remember, the webinstaller will not save your FTP password anywhere.

    +

    On the webinstall interface you have an option to login, this is useful for charter members to easily download early releases. You may have an option to select multiple versions of SMF to download. It is up to you to decide which version of SMF you wish to install. Additionally you may have options of additional languages to download.

    +

    After specifying these options and agreeing to the agreement, webinstall will attempt to download al SMF files and decompress them in the same folder as webinstall.php. If successful you will be prompted to the SMF upgrade screen. If this fails you will need to follow the process below to upload files.

    +

    In most cases, you'll want to have "Put the forum into maintenance mode during upgrade." checked, because it will ensure that nothing is messed with while the upgrader is working. You may also wish to check "Backup tables in your database...", which will make a backup of your old information and tables before making any changes in the database.

    +
    +
    +

    Finishing everything up

    +

    Once all steps of the installation process have been completed, check the box to remove the install files from the server. If this does not work, they will need to be deleted via FTP. All installer files should be removed from the server once the installation process is complete, as they are a major security risk if left on a server unattended. Once SMF is installed they are no longer needed.

    Good luck!
    Simple Machines

    @@ -237,7 +301,7 @@