From 0df4afe9171aff099654f8336b796338bc13b623 Mon Sep 17 00:00:00 2001
From: Forkless
Date: Mon, 10 Nov 2014 04:49:26 -0600
Subject: [PATCH] Security fix: Added defaults to the banned boards list to protect core folders of the codebase. Added banned boards restriction to the mod_new_board function.
---
 inc/config.php | 17 ++++++++++++++---
 inc/mod/pages.php | 10 +++++++++-
 2 files changed, 23 insertions(+), 4 deletions(-)
diff --git a/inc/config.php b/inc/config.php
index 10c9faa5..ebbe31a2 100644
--- a/inc/config.php
+++ b/inc/config.php
@@ -602,6 +602,17 @@
 // How many ban appeals can be made for a single ban?
 $config['ban_appeals_max'] = 1;
+
+ // Blacklisted board names. Default values to protect existing folders in the core codebase.
+ $config['banned_boards'] = array(
+ '.git',
+ 'inc',
+ 'js',
+ 'static',
+ 'stylesheets',
+ 'templates',
+ 'tools'
+ );
 // Show moderator name on ban page.
 $config['show_modname'] = false;
@@ -1326,8 +1337,8 @@
 // Capcode permissions.
 $config['mod']['capcode'] = array(
 // JANITOR => array('Janitor'),
- MOD => array('Mod'),
- ADMIN => true
+ MOD => array('Mod'),
+ ADMIN => true
 );
 // Example: Allow mods to post with "## Moderator" as well
@@ -1410,7 +1421,7 @@
 $config['mod']['view_banlist'] = MOD;
 // View the username of the mod who made a ban
 $config['mod']['view_banstaff'] = MOD;
- // If the moderator doesn't fit the $config['mod']['view_banstaff''] (previous) permission, show him just
+ // If the moderator doesn't fit the $config['mod']['view_banstaff'] (previous) permission, show him just
 // a "?" instead. Otherwise, it will be "Mod" or "Admin".
 $config['mod']['view_banquestionmark'] = false;
 // Show expired bans in the ban list (they are kept in cache until the culprit returns)
diff --git a/inc/mod/pages.php b/inc/mod/pages.php
index 1a56c99c..61920b46 100644
--- a/inc/mod/pages.php
+++ b/inc/mod/pages.php
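Review bot: The comment on the new `banned_boards` entry in the first hunk says only "Blacklisted board names", but the rule pages.php applies to it in the same commit — plain entries match anywhere inside the requested URI, entries starting with `/` are used as PCRE patterns — is not stated, so an admin adding a short entry would block far more than one board without knowing why. I would extend it to `// Blacklisted board names. Plain entries match anywhere in the requested URI; entries beginning with '/' are PCRE patterns. Defaults protect existing folders of the core codebase.`. The array also lacks a trailing comma after `'tools'`, so every future addition touches two lines. The other two hunks only fix indentation and the `view_banstaff''` typo.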
@@ -495,7 +495,15 @@ function mod_new_board() {
 if (openBoard($_POST['uri'])) {
 error(sprintf($config['error']['boardexists'], $board['url']));
 }
-
+ foreach ($config['banned_boards'] as $i => $w) {
+ if ($w[0] !== '/') {
+ if (strpos($_POST['uri'],$w) !== false)
+ error(_("Cannot create board with banned word $w"));
+ } else {
+ if (preg_match($w,$_POST['uri']))
+ error(_("Cannot create board matching banned pattern $w"));
+ }
+ }
 $query = prepare('INSERT INTO ``boards`` (``uri``, ``title``, ``subtitle``) VALUES (:uri, :title, :subtitle)');
 $query->bindValue(':uri', $_POST['uri']);
 $query->bindValue(':title', $_POST['title']);
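Review bot: The two error messages build the gettext key at runtime, `_("Cannot create board with banned word $w")`, so no catalog entry can ever match and the text is always shown untranslated; use `error(sprintf(_('Cannot create board with banned word %s'), $w));` and likewise `error(sprintf(_('Cannot create board matching banned pattern %s'), $w));`. The `strpos` test is a substring match, so an entry such as `'js'` also refuses `jsfoo`, and it is case-sensitive, so on a case-insensitive filesystem a URI like `INC` would still collide with the `inc` folder the list is meant to protect; if exact core-folder protection is the intent, `strcasecmp($_POST['uri'], $w) === 0` is both narrower and safer, and whichever semantics is chosen deserves a one-line comment above the loop. An empty list entry leaves `$w[0]` nothing to read, so `if ($w === '') continue;` at the top of the loop is a cheap guard, and `$i` is unused. mod_new_board begins before this hunk, and whether `$_POST['uri']` is restricted to a safe character set earlier in the function is not visible here.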