Cool_Tools/vichan
1
0
Fork 0
mirror of https://github.com/vichan-devel/vichan.git synced 2025-02-17 11:28:41 +01:00
Code Releases Wiki Activity

[SECURITY] Lessen security impact

Browse Source 
post.php: misc fixes
This commit is contained in:
czaks 2017-05-17 14:03:48 -04:00
parent 37eaea6312
commit 736e982945
2 changed files with 7 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
mod.php
View File

@ -94,10 +94,10 @@ $pages = array(
'/config/(\%b)' => 'secure_POST config', // config editor '/config/(\%b)' => 'secure_POST config', // config editor
// these pages aren't listed in the dashboard without $config['debug'] // these pages aren't listed in the dashboard without $config['debug']
'/debug/antispam' => 'debug_antispam', //'/debug/antispam' => 'debug_antispam',
'/debug/recent' => 'debug_recent_posts', //'/debug/recent' => 'debug_recent_posts',
'/debug/apc' => 'debug_apc', //'/debug/apc' => 'debug_apc',
'/debug/sql' => 'secure_POST debug_sql', //'/debug/sql' => 'secure_POST debug_sql',
// This should always be at the end: // This should always be at the end:
'/(\%b)/' => 'view_board', '/(\%b)/' => 'view_board',

6
post.php
View File

@ -210,7 +210,7 @@ if (isset($_POST['delete'])) {
error($config['error']['nodelete']); error($config['error']['nodelete']);
foreach ($delete as &$id) { foreach ($delete as &$id) {
$query = prepare(sprintf("SELECT `thread`, `time`,`password` FROM ``posts_%s`` WHERE `id` = :id", $board['uri'])); $query = prepare(sprintf("SELECT `id`,`thread`,`time`,`password` FROM ``posts_%s`` WHERE `id` = :id", $board['uri']));
$query->bindValue(':id', $id, PDO::PARAM_INT); $query->bindValue(':id', $id, PDO::PARAM_INT);
$query->execute() or error(db_error($query)); $query->execute() or error(db_error($query));
@ -240,7 +240,7 @@ if (isset($_POST['delete'])) {
deletePost($id); deletePost($id);
modLog("User deleted his own post #$id"); modLog("User deleted his own post #$id");
} }
_syslog(LOG_INFO, 'Deleted post: ' . _syslog(LOG_INFO, 'Deleted post: ' .
'/' . $board['dir'] . $config['dir']['res'] . link_for($post) . ($post['thread'] ? '#' . $id : '') '/' . $board['dir'] . $config['dir']['res'] . link_for($post) . ($post['thread'] ? '#' . $id : '')
); );
@ -318,7 +318,7 @@ if (isset($_POST['delete'])) {
$post = $query->fetch(PDO::FETCH_ASSOC); $post = $query->fetch(PDO::FETCH_ASSOC);
$error = event('report', array('ip' => $_SERVER['REMOTE_ADDR'], 'board' => $board['uri'], 'post' => $post, 'reason' => $reason)); $error = event('report', array('ip' => $_SERVER['REMOTE_ADDR'], 'board' => $board['uri'], 'post' => $post, 'reason' => $reason, 'link' => link_for($post)));
if ($error) { if ($error) {
error($error); error($error);