mirror of
https://github.com/vichan-devel/vichan.git
synced 2024-11-25 07:50:23 +01:00
Security fix: Added defaults to the banned boards list to protect core folders of the codebase.
Added banned boards restriction to the mod_new_board function.
This commit is contained in:
parent
03ac1426f5
commit
0df4afe917
@ -602,6 +602,17 @@
|
||||
|
||||
// How many ban appeals can be made for a single ban?
|
||||
$config['ban_appeals_max'] = 1;
|
||||
|
||||
// Blacklisted board names. Default values to protect existing folders in the core codebase.
|
||||
$config['banned_boards'] = array(
|
||||
'.git',
|
||||
'inc',
|
||||
'js',
|
||||
'static',
|
||||
'stylesheets',
|
||||
'templates',
|
||||
'tools'
|
||||
);
|
||||
|
||||
// Show moderator name on ban page.
|
||||
$config['show_modname'] = false;
|
||||
@ -1326,8 +1337,8 @@
|
||||
// Capcode permissions.
|
||||
$config['mod']['capcode'] = array(
|
||||
// JANITOR => array('Janitor'),
|
||||
MOD => array('Mod'),
|
||||
ADMIN => true
|
||||
MOD => array('Mod'),
|
||||
ADMIN => true
|
||||
);
|
||||
|
||||
// Example: Allow mods to post with "## Moderator" as well
|
||||
@ -1410,7 +1421,7 @@
|
||||
$config['mod']['view_banlist'] = MOD;
|
||||
// View the username of the mod who made a ban
|
||||
$config['mod']['view_banstaff'] = MOD;
|
||||
// If the moderator doesn't fit the $config['mod']['view_banstaff''] (previous) permission, show him just
|
||||
// If the moderator doesn't fit the $config['mod']['view_banstaff'] (previous) permission, show him just
|
||||
// a "?" instead. Otherwise, it will be "Mod" or "Admin".
|
||||
$config['mod']['view_banquestionmark'] = false;
|
||||
// Show expired bans in the ban list (they are kept in cache until the culprit returns)
|
||||
|
@ -495,7 +495,15 @@ function mod_new_board() {
|
||||
if (openBoard($_POST['uri'])) {
|
||||
error(sprintf($config['error']['boardexists'], $board['url']));
|
||||
}
|
||||
|
||||
foreach ($config['banned_boards'] as $i => $w) {
|
||||
if ($w[0] !== '/') {
|
||||
if (strpos($_POST['uri'],$w) !== false)
|
||||
error(_("Cannot create board with banned word $w"));
|
||||
} else {
|
||||
if (preg_match($w,$_POST['uri']))
|
||||
error(_("Cannot create board matching banned pattern $w"));
|
||||
}
|
||||
}
|
||||
$query = prepare('INSERT INTO ``boards`` (``uri``, ``title``, ``subtitle``) VALUES (:uri, :title, :subtitle)');
|
||||
$query->bindValue(':uri', $_POST['uri']);
|
||||
$query->bindValue(':title', $_POST['title']);
|
||||
|
Loading…
Reference in New Issue
Block a user