
Security fix: Added defaults to the banned boards list to protect core folders of the codebase.

Added banned boards restriction to the mod_new_board function.
This commit is contained in:
Forkless 2014-11-10 04:49:26 -06:00
parent 03ac1426f5
commit 0df4afe917
2 changed files with 23 additions and 4 deletions


@ -603,6 +603,17 @@
// How many ban appeals can be made for a single ban?
$config['ban_appeals_max'] = 1;
// Blacklisted board names. Default values to protect existing folders in the core codebase.
$config['banned_boards'] = array(
'.git',
'inc',
'js',
'static',
'stylesheets',
'templates',
'tools'
);
// Show moderator name on ban page.
$config['show_modname'] = false;
@ -1410,7 +1421,7 @@
$config['mod']['view_banlist'] = MOD;
// View the username of the mod who made a ban
$config['mod']['view_banstaff'] = MOD;
// If the moderator doesn't fit the $config['mod']['view_banstaff''] (previous) permission, show him just
// If the moderator doesn't fit the $config['mod']['view_banstaff'] (previous) permission, show him just
// a "?" instead. Otherwise, it will be "Mod" or "Admin".
$config['mod']['view_banquestionmark'] = false;
// Show expired bans in the ban list (they are kept in cache until the culprit returns)
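Review bot: The comment on the new `$config['banned_boards']` block says "Blacklisted board names" but does not state how the entries are matched, and the mod_new_board check in the second file treats an entry beginning with `/` as a PCRE pattern and every other entry as a case-sensitive substring of the requested uri, so `'js'` also rejects any name that merely contains `js`. Documenting that here would stop an administrator from adding a short word and expecting an exact match. Suggested wording: `// Blacklisted board names. Entries starting with '/' are PCRE patterns; any other entry is rejected when it appears anywhere in the requested uri (case-sensitive). Defaults protect existing folders in the core codebase.` If the uri is lowercased before the check elsewhere in mod_new_board (not visible in this commit), the case remark can be dropped.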


@ -495,7 +495,15 @@ function mod_new_board() {
if (openBoard($_POST['uri'])) {
error(sprintf($config['error']['boardexists'], $board['url']));
}
foreach ($config['banned_boards'] as $i => $w) {
if ($w[0] !== '/') {
if (strpos($_POST['uri'],$w) !== false)
error(_("Cannot create board with banned word $w"));
} else {
if (preg_match($w,$_POST['uri']))
error(_("Cannot create board matching banned pattern $w"));
}
}
$query = prepare('INSERT INTO ``boards`` (``uri``, ``title``, ``subtitle``) VALUES (:uri, :title, :subtitle)');
$query->bindValue(':uri', $_POST['uri']);
$query->bindValue(':title', $_POST['title']);
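Review bot: The substring test on `$_POST['uri']` in the word branch is case-sensitive, so a request for `JS` or `Inc` passes the new check yet still collides with the `js`/`inc` directory on a case-insensitive filesystem, unless the uri is lowercased earlier in mod_new_board (the function body starts above this hunk and is not visible here). A safe change is to compare a normalized copy: `$uri = strtolower($_POST['uri']);` before the loop and `if (strpos($uri, strtolower($w)) !== false)` in the word branch; regex entries can carry the `i` modifier in the config. Separately, `_("Cannot create board with banned word $w")` interpolates `$w` into the gettext msgid, so the string never matches a translation catalog; use `error(sprintf(_('Cannot create board with banned word %s'), $w));` and the same form for the pattern message. `$w[0]` on an empty config entry also raises an uninitialized-offset notice, so skipping entries where `$w === ''` at the top of the loop is worth adding.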