Cool_Tools/vichan
1
0
Fork 0
mirror of https://github.com/vichan-devel/vichan.git synced 2024-11-25 07:50:23 +01:00
Code Releases Wiki Activity

Merge pull request #245 from forklessanon/patch-3

Browse Source 
Security fix: Added defaults to the banned boards
This commit is contained in:
Fredrick Brennan 2014-11-12 10:32:03 +08:00
commit 0da5d13e7e
2 changed files with 23 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
inc/config.php
View File

@ -603,6 +603,17 @@
// How many ban appeals can be made for a single ban? // How many ban appeals can be made for a single ban?
$config['ban_appeals_max'] = 1; $config['ban_appeals_max'] = 1;
// Blacklisted board names. Default values to protect existing folders in the core codebase.
$config['banned_boards'] = array(
'.git',
'inc',
'js',
'static',
'stylesheets',
'templates',
'tools'
);
// Show moderator name on ban page. // Show moderator name on ban page.
$config['show_modname'] = false; $config['show_modname'] = false;
@ -1326,8 +1337,8 @@
// Capcode permissions. // Capcode permissions.
$config['mod']['capcode'] = array( $config['mod']['capcode'] = array(
// JANITOR => array('Janitor'), // JANITOR => array('Janitor'),
MOD => array('Mod'), MOD => array('Mod'),
ADMIN => true ADMIN => true
); );
// Example: Allow mods to post with "## Moderator" as well // Example: Allow mods to post with "## Moderator" as well
@ -1410,7 +1421,7 @@
$config['mod']['view_banlist'] = MOD; $config['mod']['view_banlist'] = MOD;
// View the username of the mod who made a ban // View the username of the mod who made a ban
$config['mod']['view_banstaff'] = MOD; $config['mod']['view_banstaff'] = MOD;
// If the moderator doesn't fit the $config['mod']['view_banstaff''] (previous) permission, show him just // If the moderator doesn't fit the $config['mod']['view_banstaff'] (previous) permission, show him just
// a "?" instead. Otherwise, it will be "Mod" or "Admin". // a "?" instead. Otherwise, it will be "Mod" or "Admin".
$config['mod']['view_banquestionmark'] = false; $config['mod']['view_banquestionmark'] = false;
// Show expired bans in the ban list (they are kept in cache until the culprit returns) // Show expired bans in the ban list (they are kept in cache until the culprit returns)

10
inc/mod/pages.php
View File

@ -495,7 +495,15 @@ function mod_new_board() {
if (openBoard($_POST['uri'])) { if (openBoard($_POST['uri'])) {
error(sprintf($config['error']['boardexists'], $board['url'])); error(sprintf($config['error']['boardexists'], $board['url']));
} }
foreach ($config['banned_boards'] as $i => $w) {
if ($w[0] !== '/') {
if (strpos($_POST['uri'],$w) !== false)
error(_("Cannot create board with banned word $w"));
} else {
if (preg_match($w,$_POST['uri']))
error(_("Cannot create board matching banned pattern $w"));
}
}
$query = prepare('INSERT INTO ``boards`` (``uri``, ``title``, ``subtitle``) VALUES (:uri, :title, :subtitle)'); $query = prepare('INSERT INTO ``boards`` (``uri``, ``title``, ``subtitle``) VALUES (:uri, :title, :subtitle)');
$query->bindValue(':uri', $_POST['uri']); $query->bindValue(':uri', $_POST['uri']);
$query->bindValue(':title', $_POST['title']); $query->bindValue(':title', $_POST['title']);