#vichan custom
@ -119,6 +119,11 @@ WebM support
Read `inc/lib/webm/README.md` for information about enabling webm.
Read `inc/lib/webm/README.md` for information about enabling webm.
Vichan comes with a Dockerfile and docker-compose configuration, the latter aimed primarily at development and testing.
See the `docker/doc.md` file for more information.
vichan API
vichan API
vichan provides by default a 4chan-compatible JSON API. For documentation on this, see:
vichan provides by default a 4chan-compatible JSON API. For documentation on this, see:
$dir = "static/banners/";
$files = scandir($dir, SCANDIR_SORT_NONE);
$images = array_diff($files, array('.', '..'));
$name = $images[array_rand($images)];
// open the file in a binary mode
$fp = fopen($dir . $name, 'rb');
// send the right headers
$files = scandir('static/banners/', SCANDIR_SORT_NONE);
header('Cache-Control: no-cache, no-store, must-revalidate'); // HTTP 1.1
$files = array_diff($files, ['.', '..']);
header('Pragma: no-cache'); // HTTP 1.0
header('Expires: 0'); // Proxies
$fstat = fstat($fp);
header('Content-Type: ' . mime_content_type($dir . $name));
header('Content-Length: ' . $fstat['size']);
// dump the picture and stop the script
$name = $files[array_rand($files)];
header("Location: /static/banners/$name", true, 307);
header('Cache-Control: no-cache');
"gettext/gettext": "^5.5",
"gettext/gettext": "^5.5",
"mrclay/minify": "^2.1.6",
"mrclay/minify": "^2.1.6",
"geoip/geoip": "^1.17",
"geoip/geoip": "^1.17",
"dapphp/securimage": "^4.0"
"dapphp/securimage": "^4.0",
"erusev/parsedown": "^1.7.4"
"autoload": {
"autoload": {
"classmap": ["inc/"],
"classmap": ["inc/"],
"license": "Tinyboard + vichan",
"license": "Tinyboard + vichan",
#nginx webserver + php 8.x
context: .
dockerfile: ./docker/nginx/Dockerfile
- "9090:80"
- db
- ./local-instances/1/www:/var/www/html
- ./docker/nginx/vichan.conf:/etc/nginx/conf.d/default.conf
- ./docker/nginx/nginx.conf:/etc/nginx/nginx.conf
- ./docker/nginx/proxy.conf:/etc/nginx/conf.d/proxy.conf
- php
context: .
dockerfile: ./docker/php/Dockerfile
- ./local-instances/1/www:/var/www
- ./docker/php/www.conf:/usr/local/etc/php-fpm.d/www.conf
- ./docker/php/jit.ini:/usr/local/etc/php/conf.d/jit.ini
#MySQL Service
image: mysql:8.0.35
container_name: db
restart: unless-stopped
tty: true
- "3306:3306"
- ./local-instances/1/mysql:/var/lib/mysql
The `php-fpm` process runs containerized.
The php application always uses `/var/www` as it's work directory and home folder, and if `/var/www` is bind mounted it
is necessary to adjust the path passed via FastCGI to `php-fpm` by changing the root directory to `/var/www`.
This can achieved in nginx by setting the `fastcgi_param SCRIPT_FILENAME` to `/var/www/$fastcgi_script_name;`
The default docker compose settings are intended for development and testing purposes.
The folder structure expected by compose is as follows
└── local-instances
└── 1
├── mysql
└── www
The vichan container is by itself much less rigid.
Use `docker compose up --build` to start the docker compose.
Use `docker compose up --build -d php` to rebuild just the vichan container while the compose is running. Useful for development.
FROM nginx:1.25.3-alpine
COPY . /code
RUN adduser --system www-data \
&& adduser www-data www-data
CMD [ "nginx", "-g", "daemon off;" ]
# This and proxy.conf are based on
# https://github.com/dead-guru/devichan/blob/master/nginx/nginx.conf
user www-data;
worker_processes auto;
error_log /dev/stdout warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Switch logging to console out to view via Docker
access_log /dev/stdout;
error_log /dev/stdout warn;
sendfile on;
keepalive_timeout 5;
gzip on;
gzip_http_version 1.0;
gzip_vary on;
gzip_comp_level 6;
gzip_types text/xml text/plain text/css application/xhtml+xml application/xml application/rss+xml application/atom_xml application/x-javascript application/x-httpd-php;
gzip_disable "MSIE [1-6]\.";
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-available/*.conf;
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=czone:4m max_size=50m inactive=120m;
proxy_temp_path /var/tmp/nginx;
proxy_cache_key "$scheme://$host$request_uri";
map $http_forwarded_request_id $x_request_id {
"" $request_id;
default $http_forwarded_request_id;
map $http_forwarded_forwarded_host $forwardedhost {
"" $host;
default $http_forwarded_forwarded_host;
map $http_x_forwarded_proto $fcgi_https {
default "";
https on;
map $http_x_forwarded_proto $real_scheme {
default $scheme;
https https;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
upstream php-upstream {
server php:9000;
server {
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
server_name vichan;
root /var/www/html;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options "nosniff";
index index.html index.php;
charset utf-8;
location ~ ^([^.\?]*[^\/])$ {
try_files $uri @addslash;
# Expire rules for static content
# Media: images, icons, video, audio, HTC
location ~* \.(?:jpg|jpeg|gif|png|webp|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
expires 1M;
access_log off;
log_not_found off;
add_header Cache-Control "public";
# CSS and Javascript
location ~* \.(?:css|js)$ {
expires 1y;
access_log off;
log_not_found off;
add_header Cache-Control "public";
location ~* \.(html)$ {
expires -1;
location @addslash {
return 301 $uri/;
location / {
try_files $uri $uri/ /index.php$is_args$args;
client_max_body_size 2G;
location ~ \.php$ {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Request-Id $x_request_id;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header Forwarded-Request-Id $x_request_id;
fastcgi_pass php-upstream;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /var/www/$fastcgi_script_name;
fastcgi_read_timeout 600;
include fastcgi_params;
location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt { access_log off; log_not_found off; }
# Based on https://github.com/dead-guru/devichan/blob/master/php-fpm/Dockerfile
FROM composer AS composer
FROM php:8.1-fpm-alpine
RUN apk add --no-cache \
zlib \
zlib-dev \
libpng \
libpng-dev \
libjpeg-turbo \
libjpeg-turbo-dev \
libwebp \
libwebp-dev \
libcurl \
curl-dev \
imagemagick \
graphicsmagick \
gifsicle \
ffmpeg \
bind-tools \
gettext \
gettext-dev \
icu-dev \
oniguruma \
oniguruma-dev \
libmcrypt \
libmcrypt-dev \
lz4-libs \
lz4-dev \
imagemagick-dev \
pcre-dev \
&& docker-php-ext-configure gd \
--with-webp=/usr/include/webp \
--with-jpeg=/usr/include \
&& docker-php-ext-install -j$(nproc) \
gd \
curl \
bcmath \
opcache \
pdo_mysql \
gettext \
intl \
mbstring \
&& pecl update-channels \
&& pecl install -o -f igbinary \
&& pecl install redis \
&& pecl install imagick \
$$ docker-php-ext-enable \
igbinary \
redis \
imagick \
&& apk del \
zlib-dev \
libpng-dev \
libjpeg-turbo-dev \
libwebp-dev \
curl-dev \
gettext-dev \
oniguruma-dev \
libmcrypt-dev \
lz4-dev \
imagemagick-dev \
pcre-dev \
&& rm -rf /var/cache/*
RUN rmdir /var/www/html \
&& install -d -m 744 -o www-data -g www-data /var/www \
&& install -d -m 700 -o www-data -g www-data /var/tmp/vichan \
&& install -d -m 700 -o www-data -g www-data /var/cache/gen-cache \
&& install -d -m 700 -o www-data -g www-data /var/cache/template-cache
# Copy the bootstrap script.
COPY ./docker/php/bootstrap.sh /usr/local/bin/bootstrap.sh
COPY --from=composer /usr/bin/composer /usr/local/bin/composer
# Copy the actual project (use .dockerignore to exclude stuff).
COPY . /code
# Install the compose depedencies.
RUN cd /code && composer install
WORKDIR "/var/www"
CMD [ "bootstrap.sh" ]
# syntax = devthefuture/dockerfile-x
INCLUDE ./docker/php/Dockerfile
RUN apk add --no-cache \
linux-headers \
&& pecl update-channels \
&& pecl install xdebug \
&& docker-php-ext-enable xdebug \
&& apk del \
linux-headers \
&& rm -rf /var/cache/*
ENV XDEBUG_OUT_DIR=/var/www/xdebug_out
CMD [ "bootstrap.sh" ]
set -eu
function set_cfg() {
if [ -L "/var/www/inc/$1" ]; then
echo "INFO: Resetting $1"
rm "/var/www/inc/$1"
cp "/code/inc/$1" "/var/www/inc/$1"
chown www-data "/var/www/inc/$1"
chgrp www-data "/var/www/inc/$1"
chmod 600 "/var/www/inc/$1"
echo "INFO: Using existing $1"
if ! mountpoint -q /var/www; then
echo "WARNING: '/var/www' is not a mountpoint. All the data will remain inside the container!"
if [ ! -w /var/www ] ; then
echo "ERROR: '/var/www' is not writable. Closing."
exit 1
if [ -z "${XDEBUG_OUT_DIR:-''}" ] ; then
echo "INFO: Initializing xdebug out directory at $XDEBUG_OUT_DIR"
mkdir -p "$XDEBUG_OUT_DIR"
chown www-data "$XDEBUG_OUT_DIR"
chgrp www-data "$XDEBUG_OUT_DIR"
chmod 755 "$XDEBUG_OUT_DIR"
# Link the entrypoints from the exposed directory.
ln -nfs \
/code/tools/ \
/code/*.php \
/code/LICENSE.* \
/code/install.sql \
# Static files accessible from the webserver must be copied.
cp -ur /code/static /var/www/
cp -ur /code/stylesheets /var/www/
# Ensure correct permissions are set, since this might be bind mount.
chown www-data /var/www
chgrp www-data /var/www
# Initialize an empty robots.txt with the default if it doesn't exist.
touch /var/www/robots.txt
# Link the cache and tmp files directory.
ln -nfs /var/tmp/vichan /var/www/tmp
# Link the javascript directory.
ln -nfs /code/js /var/www/
# Link the html templates directory and it's cache.
ln -nfs /code/templates /var/www/
ln -nfs -T /var/cache/template-cache /var/www/templates/cache
chown -h www-data /var/www/templates/cache
chgrp -h www-data /var/www/templates/cache
# Link the generic cache.
ln -nfs -T /var/cache/gen-cache /var/www/tmp/cache
chown -h www-data /var/www/tmp/cache
chgrp -h www-data /var/www/tmp/cache
# Create the included files directory and link them
install -d -m 700 -o www-data -g www-data /var/www/inc
for file in /code/inc/*; do
if [ ! -e /var/www/inc/$file ]; then
ln -s /code/inc/$file /var/www/inc/
# Copy an empty instance configuration if the file is a link (it was linked because it did not exist before).
set_cfg 'instance-config.php'
set_cfg 'secrets.php'
# Link the composer dependencies.
ln -nfs /code/vendor /var/www/
# Start the php-fpm server.
exec php-fpm
access.log = /proc/self/fd/2
; Ensure worker stdout and stderr are sent to the main error log.
catch_workers_output = yes
decorate_workers_output = no
user = www-data
group = www-data
listen =
pm = static
pm.max_children = 16
xdebug.mode = profile
xdebug.start_with_request = start
error_reporting = E_ALL
xdebug.output_dir = /var/www/xdebug_out
@ -123,7 +123,7 @@ class AntiBot {
$html = '';
$html = '';
if ($count === false) {
if ($count === false) {
$count = mt_rand(1, abs(count($this->inputs) / 15) + 1);
$count = mt_rand(1, (int)abs(count($this->inputs) / 15) + 1);
if ($count === true) {
if ($count === true) {
use Vichan\Functions\Format;
use Lifo\IP\CIDR;
use Lifo\IP\CIDR;
class Bans {
class Bans {
@ -369,16 +370,14 @@ class Bans {
$query->bindValue(':post', null, PDO::PARAM_NULL);
$query->bindValue(':post', null, PDO::PARAM_NULL);
$query->execute() or error(db_error($query));
$query->execute() or error(db_error($query));
if (isset($mod['id']) && $mod['id'] == $mod_id) {
modLog('Created a new ' .
$ban_len = $length > 0 ? preg_replace('/^(\d+) (\w+?)s?$/', '$1-$2', Format\until($length)) : 'permanent';
($length > 0 ? preg_replace('/^(\d+) (\w+?)s?$/', '$1-$2', until($length)) : 'permanent') .
$ban_board = $ban_board ? "/$ban_board/" : 'all boards';
' ban on ' .
$ban_ip = filter_var($mask, FILTER_VALIDATE_IP) !== false ? "<a href=\"?/IP/$cloaked_mask\">$cloaked_mask</a>" : $cloaked_mask;
($ban_board ? '/' . $ban_board . '/' : 'all boards') .
$ban_id = $pdo->lastInsertId();
' for ' .
$ban_reason = $reason ? 'reason: ' . utf8tohtml($reason) : 'no reason';
(filter_var($mask, FILTER_VALIDATE_IP) !== false ? "<a href=\"?/IP/$cloaked_mask\">$cloaked_mask</a>" : $cloaked_mask) .
' (<small>#' . $pdo->lastInsertId() . '</small>)' .
modLog("Created a new $ban_len ban on $ban_board for $ban_ip (<small># $ban_id </small>) with $ban_reason");
@ -165,31 +165,3 @@ class Cache {
return false;
return false;
class Twig_Cache_TinyboardFilesystem extends Twig\Cache\FilesystemCache
private $directory;
private $options;
* {@inheritdoc}
public function __construct($directory, $options = 0)
parent::__construct($directory, $options);
$this->directory = $directory;
* This function was removed in Twig 2.x due to developer views on the Twig library. Who says we can't keep it for ourselves though?
public function clear()
foreach (new RecursiveIteratorIterator(new RecursiveDirectoryIterator($this->directory), RecursiveIteratorIterator::LEAVES_ONLY) as $file) {
if ($file->isFile()) {
// been generated. This keeps the script from querying the database and causing strain when not needed.
// been generated. This keeps the script from querying the database and causing strain when not needed.
$config['has_installed'] = '.installed';
$config['has_installed'] = '.installed';
// Use syslog() for logging all error messages and unauthorized login attempts.
// Deprecated, use 'log_system'.
$config['syslog'] = false;
$config['syslog'] = false;
$config['log_system'] = [];
// Log all error messages and unauthorized login attempts.
// Can be "syslog", "error_log" (default), "file", "stderr" or "none".
$config['log_system']['type'] = 'error_log';
// The application name used by the logging system. Defaults to "tinyboard" for backwards compatibility.
$config['log_system']['name'] = 'tinyboard';
// Only relevant if 'log_system' is set to "syslog". If true, double print the logs also in stderr.
// Defaults to false.
$config['log_system']['syslog_stderr'] = false;
// Only relevant if "log_system" is set to `file`. Sets the file that vichan will log to.
// Defaults to '/var/log/vichan.log'.
$config['log_system']['file_path'] = '/var/log/vichan.log';
// Use `host` via shell_exec() to lookup hostnames, avoiding query timeouts. May not work on your system.
// Use `host` via shell_exec() to lookup hostnames, avoiding query timeouts. May not work on your system.
// Requires safe_mode to be disabled.
// Requires safe_mode to be disabled.
$config['dns_system'] = false;
$config['dns_system'] = false;
// How long should the cookies last (in seconds). Defines how long should moderators should remain logged
// How long should the cookies last (in seconds). Defines how long should moderators should remain logged
// in (0 = browser session).
// in (0 = browser session).
$config['cookies']['expire'] = 60 * 60 * 24 * 30 * 6; // ~6 months
$config['cookies']['expire'] = 60 * 60 * 24 * 7; // 1 week.
// Make this something long and random for security.
// Make this something long and random for security.
$config['cookies']['salt'] = 'abcdefghijklmnopqrstuvwxyz09123456789!@#$%^&*()';
$config['cookies']['salt'] = 'abcdefghijklmnopqrstuvwxyz09123456789!@#$%^&*()';
// Whether or not you can access the mod cookie in JavaScript. Most users should not need to change this.
// Whether or not you can access the mod cookie in JavaScript. Most users should not need to change this.
$config['cookies']['httponly'] = true;
$config['cookies']['httponly'] = true;
// Do not allow logins via unsecure connections.
// 0 = off. Allow logins on unencrypted HTTP connections. Should only be used in testing environments.
// 1 = on, trust HTTP headers. Allow logins on (at least reportedly partial) HTTPS connections. Use this only if you
// use a proxy, CDN or load balancer via an unencrypted connection. Be sure to filter 'HTTP_X_FORWARDED_PROTO' in
// the remote server, since an attacker could inject the header from the client.
// 2 = on, do not trust HTTP headers. Secure default, allow logins only on HTTPS connections.
$config['cookies']['secure_login_only'] = 2;
// Used to salt secure tripcodes ("##trip") and poster IDs (if enabled).
// Used to salt secure tripcodes ("##trip") and poster IDs (if enabled).
$config['secure_trip_salt'] = ')(*&^%$#@!98765432190zyxwvutsrqponmlkjihgfedcba';
$config['secure_trip_salt'] = ')(*&^%$#@!98765432190zyxwvutsrqponmlkjihgfedcba';
// Example: Custom secure tripcode.
// Example: Custom secure tripcode.
// $config['custom_tripcode']['##securetrip'] = '!!somethingelse';
// $config['custom_tripcode']['##securetrip'] = '!!somethingelse';
//Disable tripcodes. This will make it so all new posts will act as if no tripcode exists.
$config['disable_tripcodes'] = false;
// Allow users to mark their image as a "spoiler" when posting. The thumbnail will be replaced with a
// Allow users to mark their image as a "spoiler" when posting. The thumbnail will be replaced with a
// static spoiler image instead (see $config['spoiler_image']).
// static spoiler image instead (see $config['spoiler_image']).
$config['spoiler_images'] = false;
@ -979,11 +1003,11 @@
// Timezone to use for displaying dates/times.
// Timezone to use for displaying dates/times.
$config['timezone'] = 'America/Los_Angeles';
$config['timezone'] = 'America/Los_Angeles';
// The format string passed to strftime() for displaying dates.
// The format string passed to DateTime::format() for displaying dates. ISO 8601-like by default.
// http://www.php.net/manual/en/function.strftime.php
// https://www.php.net/manual/en/datetime.format.php
$config['post_date'] = '%m/%d/%y (%a) %H:%M:%S';
$config['post_date'] = 'm/d/y (D) H:i:s';
// Same as above, but used for "you are banned' pages.
// Same as above, but used for "you are banned' pages.
$config['ban_date'] = '%A %e %B, %Y';
$config['ban_date'] = 'l j F, Y';
// The names on the post buttons. (On most imageboards, these are both just "Post").
// The names on the post buttons. (On most imageboards, these are both just "Post").
$config['button_newtopic'] = _('New Topic');
$config['button_newtopic'] = _('New Topic');
$config['error']['captcha'] = _('You seem to have mistyped the verification.');
$config['error']['captcha'] = _('You seem to have mistyped the verification.');
$config['error']['flag_undefined'] = _('The flag %s is undefined, your PHP version is too old!');
$config['error']['flag_undefined'] = _('The flag %s is undefined, your PHP version is too old!');
$config['error']['flag_wrongtype'] = _('defined_flags_accumulate(): The flag %s is of the wrong type!');
$config['error']['flag_wrongtype'] = _('defined_flags_accumulate(): The flag %s is of the wrong type!');
$config['error']['remote_io_error'] = _('IO error while interacting with a remote service.');
$config['error']['local_io_error'] = _('IO error while interacting with a local resource or service.');
// Moderator errors
// Moderator errors
$config['error']['toomanyunban'] = _('You are only allowed to unban %s users at a time. You tried to unban %u users.');
$config['error']['toomanyunban'] = _('You are only allowed to unban %s users at a time. You tried to unban %u users.');
$config['error']['invalid'] = _('Invalid username and/or password.');
$config['error']['invalid'] = _('Invalid username and/or password.');
$config['error']['insecure'] = _('Login on insecure connections is disabled.');
$config['error']['notamod'] = _('You are not a mod…');
$config['error']['notamod'] = _('You are not a mod…');
$config['error']['invalidafter'] = _('Invalid username and/or password. Your user may have been deleted or changed.');
$config['error']['invalidafter'] = _('Invalid username and/or password. Your user may have been deleted or changed.');
$config['error']['malformed'] = _('Invalid/malformed cookies.');
$config['error']['malformed'] = _('Invalid/malformed cookies.');
// Boards for searching
// Boards for searching
//$config['search']['boards'] = array('a', 'b', 'c', 'd', 'e');
//$config['search']['boards'] = array('a', 'b', 'c', 'd', 'e');
// Blacklist boards for searching, basically the opposite of the one above
//$config['search']['disallowed_boards'] = array('j', 'z');
// Enable public logs? 0: NO, 1: YES, 2: YES, but drop names
// Enable public logs? 0: NO, 1: YES, 2: YES, but drop names
$config['public_logs'] = 0;
$config['public_logs'] = 0;
namespace Vichan;
use Vichan\Driver\{HttpDriver, HttpDrivers, Log, LogDrivers};
defined('TINYBOARD') or exit;
interface DependencyFactory {
public function buildLogDriver(): Log;
public function buildHttpDriver(): HttpDriver;
class WebDependencyFactory implements DependencyFactory {
private array $config;
public function __construct(array $config) {
$this->config = $config;
public function buildLogDriver(): Log {
$name = $this->config['log_system']['name'];
$level = $this->config['debug'] ? Log::DEBUG : Log::NOTICE;
$backend = $this->config['log_system']['type'];
// Check 'syslog' for backwards compatibility.
if ((isset($this->config['syslog']) && $this->config['syslog']) || $backend === 'syslog') {
return LogDrivers::syslog($name, $level, $this->config['log_system']['syslog_stderr']);
} elseif ($backend === 'file') {
return LogDrivers::file($name, $level, $this->config['log_system']['file_path']);
} elseif ($backend === 'stderr') {
return LogDrivers::stderr($name, $level);
} elseif ($backend === 'none') {
return LogDrivers::none();
} else {
return LogDrivers::error_log($name, $level);
public function buildHttpDriver(): HttpDriver {
return HttpDrivers::getHttpDriver(
class Context {
private DependencyFactory $factory;
private ?Log $log;
private ?HttpDriver $http;
public function __construct(DependencyFactory $factory) {
$this->factory = $factory;
public function getLog(): Log {
return $this->log ??= $this->factory->buildLogDriver();
public function getHttpDriver(): HttpDriver {
return $this->http ??= $this->factory->buildHttpDriver();
function error($message, $priority = true, $debug_stuff = false) {
function error($message, $priority = true, $debug_stuff = []) {
global $board, $mod, $config, $db_error;
global $board, $mod, $config, $db_error;
if ($config['syslog'] && $priority !== false) {
if ($config['syslog'] && $priority !== false) {
@ -351,13 +351,20 @@ class Post {
if (isset($this->files) && $this->files) {
if (isset($this->files) && $this->files) {
$this->files = is_string($this->files) ? json_decode($this->files) : $this->files;
$this->files = is_string($this->files) ? json_decode($this->files) : $this->files;
// Compatibility for posts before individual file hashing
// Compatibility for posts before individual file hashing
foreach ($this->files as $i => &$file) {
foreach ($this->files as $i => &$file) {
if (empty($file)) {
if (empty($file)) {
if (!isset($file->hash))
if (is_array($file)) {
$file->hash = $this->filehash;
if (!isset($file['hash'])) {
$file['hash'] = $this->filehash;
} else if (is_object($file)) {
if (!isset($file->hash)) {
$file->hash = $this->filehash;
<?php // Honestly this is just a wrapper for cURL. Still useful to mock it and have an OOP API on PHP 7.
namespace Vichan\Driver;
use RuntimeException;
defined('TINYBOARD') or exit;
class HttpDrivers {
private const DEFAULT_USER_AGENT = 'Tinyboard';
public static function getHttpDriver(int $timeout, int $max_file_size): HttpDriver {
return new HttpDriver($timeout, self::DEFAULT_USER_AGENT, $max_file_size);
class HttpDriver {
private mixed $inner;
private int $timeout;
private string $user_agent;
private int $max_file_size;
private function resetTowards(string $url, int $timeout): void {
curl_setopt_array($this->inner, array(
CURLOPT_URL => $url,
CURLOPT_TIMEOUT => $this->timeout,
CURLOPT_USERAGENT => $this->user_agent,
private function setSizeLimit(): void {
// Adapted from: https://stackoverflow.com/a/17642638
curl_setopt($this->inner, CURLOPT_NOPROGRESS, false);
curl_setopt($this->inner, CURLOPT_XFERINFOFUNCTION, function($res, $next_dl, $dl, $next_up, $up) {
return (int)($dl <= $this->max_file_size);
} else {
curl_setopt($this->inner, CURLOPT_PROGRESSFUNCTION, function($res, $next_dl, $dl, $next_up, $up) {
return (int)($dl <= $this->max_file_size);
function __construct($timeout, $user_agent, $max_file_size) {
$this->inner = curl_init();
$this->timeout = $timeout;
$this->user_agent = $user_agent;
$this->max_file_size = $max_file_size;
function __destruct() {
* Execute a GET request.
* @param string $endpoint Uri endpoint.
* @param ?array $data Optional GET parameters.
* @param int $timeout Optional request timeout in seconds. Use the default timeout if 0.
* @return string Returns the body of the response.
* @throws RuntimeException Throws on IO error.
public function requestGet(string $endpoint, ?array $data, int $timeout = 0): string {
if (!empty($data)) {
$endpoint .= '?' . http_build_query($data);
if ($timeout == 0) {
$timeout = $this->timeout;
$this->resetTowards($endpoint, $timeout);
curl_setopt($this->inner, CURLOPT_RETURNTRANSFER, true);
$ret = curl_exec($this->inner);
if ($ret === false) {
throw new \RuntimeException(curl_error($this->inner));
return $ret;
* Execute a POST request.
* @param string $endpoint Uri endpoint.
* @param ?array $data Optional POST parameters.
* @param int $timeout Optional request timeout in seconds. Use the default timeout if 0.
* @return string Returns the body of the response.
* @throws RuntimeException Throws on IO error.
public function requestPost(string $endpoint, ?array $data, int $timeout = 0): string {
if ($timeout == 0) {
$timeout = $this->timeout;
$this->resetTowards($endpoint, $timeout);
curl_setopt($this->inner, CURLOPT_POST, true);
if (!empty($data)) {
curl_setopt($this->inner, CURLOPT_POSTFIELDS, http_build_query($data));
curl_setopt($this->inner, CURLOPT_RETURNTRANSFER, true);
$ret = curl_exec($this->inner);
if ($ret === false) {
throw new \RuntimeException(curl_error($this->inner));
return $ret;
* Download the url's target with curl.
* @param string $url Url to the file to download.
* @param ?array $data Optional GET parameters.
* @param resource $fd File descriptor to save the content to.
* @param int $timeout Optional request timeout in seconds. Use the default timeout if 0.
* @return bool Returns true on success, false if the file was too large.
* @throws RuntimeException Throws on IO error.
public function requestGetInto(string $endpoint, ?array $data, mixed $fd, int $timeout = 0): bool {
if (!empty($data)) {
$endpoint .= '?' . http_build_query($data);
if ($timeout == 0) {
$timeout = $this->timeout;
$this->resetTowards($endpoint, $timeout);
curl_setopt($this->inner, CURLOPT_FAILONERROR, true);
curl_setopt($this->inner, CURLOPT_FOLLOWLOCATION, false);
curl_setopt($this->inner, CURLOPT_FILE, $fd);
curl_setopt($this->inner, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4);
$ret = curl_exec($this->inner);
if ($ret === false) {
if (curl_errno($this->inner) === CURLE_ABORTED_BY_CALLBACK) {
return false;
throw new \RuntimeException(curl_error($this->inner));
return true;
<?php // Logging
namespace Vichan\Driver;
use InvalidArgumentException;
use RuntimeException;
defined('TINYBOARD') or exit;
class LogDrivers {
public static function levelToString(int $level): string {
switch ($level) {
case Log::EMERG:
return 'EMERG';
case Log::ERROR:
return 'ERROR';
case Log::WARNING:
return 'WARNING';
case Log::NOTICE:
return 'NOTICE';
case Log::INFO:
return 'INFO';
case Log::DEBUG:
return 'DEBUG';
throw new InvalidArgumentException('Not a logging level');
* Log to syslog.
public static function syslog(string $name, int $level, bool $print_stderr): Log {
$flags = LOG_ODELAY;
if ($print_stderr) {
$flags |= LOG_PERROR;
if (!openlog($name, $flags, LOG_USER)) {
throw new RuntimeException('Unable to open syslog');
return new class($level) implements Log {
private $level;
public function __construct(int $level) {
$this->level = $level;
public function log(int $level, string $message): void {
if ($level <= $this->level) {
// CGI
syslog($level, "$message - client: {$_SERVER['REMOTE_ADDR']}, request: \"{$_SERVER['REQUEST_METHOD']} {$_SERVER['REQUEST_URI']}\"");
} else {
syslog($level, $message);
* Log via the php function error_log.
public static function error_log(string $name, int $level): Log {
return new class($name, $level) implements Log {
private string $name;
private int $level;
public function __construct(string $name, int $level) {
$this->name = $name;
$this->level = $level;
public function log(int $level, string $message): void {
if ($level <= $this->level) {
$lv = LogDrivers::levelToString($level);
$line = "{$this->name} $lv: $message";
error_log($line, 0, null, null);
* Log to a file.
public static function file(string $name, int $level, string $file_path): Log {
* error_log is slow as hell in it's 3rd mode, so use fopen + file locking instead.
* https://grobmeier.solutions/performance-ofnonblocking-write-to-files-via-php-21082009.html
* Whatever file appending is atomic is contentious:
* - There are no POSIX guarantees: https://stackoverflow.com/a/7237901
* - But linus suggested they are on linux, on some filesystems: https://web.archive.org/web/20151201111541/http://article.gmane.org/gmane.linux.kernel/43445
* - But it doesn't seem to be always the case: https://www.notthewizard.com/2014/06/17/are-files-appends-really-atomic/
* So we just use file locking to be sure.
$fd = fopen($file_path, 'a');
if ($fd === false) {
throw new RuntimeException("Unable to open log file at $file_path");
$logger = new class($name, $level, $fd) implements Log {
private string $name;
private int $level;
private mixed $fd;
public function __construct(string $name, int $level, mixed $fd) {
$this->name = $name;
$this->level = $level;
$this->fd = $fd;
public function log(int $level, string $message): void {
if ($level <= $this->level) {
$lv = LogDrivers::levelToString($level);
$line = "{$this->name} $lv: $message\n";
flock($this->fd, LOCK_EX);
fwrite($this->fd, $line);
flock($this->fd, LOCK_UN);
public function close() {
// Close the file on shutdown.
register_shutdown_function([$logger, 'close']);
return $logger;
* Log to php's standard error file stream.
public static function stderr(string $name, int $level): Log {
return new class($name, $level) implements Log {
private $name;
private $level;
public function __construct(string $name, int $level) {
$this->name = $name;
$this->level = $level;
public function log(int $level, string $message): void {
if ($level <= $this->level) {
$lv = LogDrivers::levelToString($level);
fwrite(STDERR, "{$this->name} $lv: $message\n");
* No-op logging system.
public static function none(): Log {
return new class() implements Log {
public function log($level, $message): void {
// No-op.
interface Log {
public const EMERG = LOG_EMERG;
public const ERROR = LOG_ERR;
public const WARNING = LOG_WARNING;
public const NOTICE = LOG_NOTICE;
public const INFO = LOG_INFO;
public const DEBUG = LOG_DEBUG;
* Log a message if the level of relevancy is at least the minimum.
* @param int $level Message level. Use Log interface constants.
* @param string $message The message to log.
public function log(int $level, string $message): void;
function init_locale($locale, $error='error') {
function init_locale($locale, $error='error') {
if (extension_loaded('gettext')) {
if (extension_loaded('gettext')) {
if (setlocale(LC_ALL, $locale) === false) {
setlocale(LC_ALL, $locale);
//$error('The specified locale (' . $locale . ') does not exist on your platform!');
bindtextdomain('tinyboard', './inc/locale');
bindtextdomain('tinyboard', './inc/locale');
bind_textdomain_codeset('tinyboard', 'UTF-8');
bind_textdomain_codeset('tinyboard', 'UTF-8');
if (isset($config['cache_config']) &&
if (isset($config['cache_config']) &&
$config['cache_config'] &&
$config['cache_config'] &&
$config = Cache::get('config_' . $boardsuffix ) ) {
$config = Cache::get('config_' . $boardsuffix))
$events = Cache::get('events_' . $boardsuffix );
$events = Cache::get('events_' . $boardsuffix );
@ -66,11 +65,10 @@ function loadConfig() {
if ($config['locale'] != $current_locale) {
if ($config['locale'] != $current_locale) {
$current_locale = $config['locale'];
$current_locale = $config['locale'];
init_locale($config['locale'], $error);
init_locale($config['locale'], $error);
} else {
else {
$config = array();
$config = array();
@ -180,8 +178,8 @@ function loadConfig() {
'(' .
'(' .
str_replace('%d', '\d+', preg_quote($config['file_page'], '/')) . '|' .
str_replace('%d', '\d+', preg_quote($config['file_page'], '/')) . '|' .
str_replace('%d', '\d+', preg_quote($config['file_page50'], '/')) . '|' .
str_replace('%d', '\d+', preg_quote($config['file_page50'], '/')) . '|' .
str_replace(array('%d', '%s'), array('\d+', '[a-z0-9-]+'), preg_quote($config['file_page_slug'], '/')) . '|' .
str_replace(array('%d', '%s'), array('\d+', '[a-z0-9-]+'), preg_quote($config['file_page_slug'], '/')) . '|' .
str_replace(array('%d', '%s'), array('\d+', '[a-z0-9-]+'), preg_quote($config['file_page50_slug'], '/')) .
str_replace(array('%d', '%s'), array('\d+', '[a-z0-9-]+'), preg_quote($config['file_page50_slug'], '/')) .
')' .
')' .
'|' .
'|' .
preg_quote($config['file_mod'], '/') . '\?\/.+' .
preg_quote($config['file_mod'], '/') . '\?\/.+' .
$__version = file_exists('.installed') ? trim(file_get_contents('.installed')) : false;
$__version = file_exists('.installed') ? trim(file_get_contents('.installed')) : false;
$config['version'] = $__version;
$config['version'] = $__version;
if ($config['allow_roll'])
if ($config['allow_roll']) {
event_handler('post', 'diceRoller');
event_handler('post', 'diceRoller');
if (in_array('webm', $config['allowed_ext_files']) ||
if (in_array('webm', $config['allowed_ext_files']) || in_array('mp4', $config['allowed_ext_files'])) {
in_array('mp4', $config['allowed_ext_files']))
event_handler('post', 'postHandler');
event_handler('post', 'postHandler');
// Effectful config processing below:
@ -280,8 +279,7 @@ function loadConfig() {
if ($config['cache']['enabled'])
if ($config['cache']['enabled'])
require_once 'inc/cache.php';
require_once 'inc/cache.php';
if (in_array('webm', $config['allowed_ext_files']) ||
if (in_array('webm', $config['allowed_ext_files']) || in_array('mp4', $config['allowed_ext_files']))
in_array('mp4', $config['allowed_ext_files']))
require_once 'inc/lib/webm/posthandler.php';
require_once 'inc/lib/webm/posthandler.php';
@ -428,10 +426,10 @@ function rebuildThemes($action, $boardname = false) {
$board = $_board;
$board = $_board;
// Reload the locale
// Reload the locale
if ($config['locale'] != $current_locale) {
if ($config['locale'] != $current_locale) {
$current_locale = $config['locale'];
$current_locale = $config['locale'];
if (PHP_SAPI === 'cli') {
if (PHP_SAPI === 'cli') {
echo "Rebuilding theme ".$theme['theme']."... ";
echo "Rebuilding theme ".$theme['theme']."... ";
@ -450,8 +448,8 @@ function rebuildThemes($action, $boardname = false) {
// Reload the locale
// Reload the locale
if ($config['locale'] != $current_locale) {
if ($config['locale'] != $current_locale) {
$current_locale = $config['locale'];
$current_locale = $config['locale'];
@ -517,12 +515,11 @@ function mb_substr_replace($string, $replacement, $start, $length) {
function setupBoard($array) {
function setupBoard($array) {
global $board, $config;
global $board, $config;
$board = array(
$board = [
'uri' => $array['uri'],
'uri' => $array['uri'],
'title' => $array['title'],
'title' => $array['title'],
'subtitle' => $array['subtitle'],
'subtitle' => $array['subtitle'],
#'indexed' => $array['indexed'],
// older versions
// older versions
$board['name'] = &$board['title'];
$board['name'] = &$board['title'];
@ -718,12 +715,18 @@ function file_unlink($path) {
$debug['unlink'][] = $path;
$debug['unlink'][] = $path;
$ret = @unlink($path);
if (file_exists($path)) {
$ret = @unlink($path);
} else {
$ret = true;
if ($config['gzip_static']) {
if ($config['gzip_static']) {
$gzpath = "$path.gz";
$gzpath = "$path.gz";
if (file_exists($gzpath)) {
if (isset($config['purge']) && $path[0] != '/' && isset($_SERVER['HTTP_HOST'])) {
if (isset($config['purge']) && $path[0] != '/' && isset($_SERVER['HTTP_HOST'])) {
@ -797,42 +800,6 @@ function listBoards($just_uri = false) {
return $boards;
return $boards;
function until($timestamp) {
$difference = $timestamp - time();
case ($difference < 60):
return $difference . ' ' . ngettext('second', 'seconds', $difference);
case ($difference < 3600): //60*60 = 3600
return ($num = round($difference/(60))) . ' ' . ngettext('minute', 'minutes', $num);
case ($difference < 86400): //60*60*24 = 86400
return ($num = round($difference/(3600))) . ' ' . ngettext('hour', 'hours', $num);
case ($difference < 604800): //60*60*24*7 = 604800
return ($num = round($difference/(86400))) . ' ' . ngettext('day', 'days', $num);
case ($difference < 31536000): //60*60*24*365 = 31536000
return ($num = round($difference/(604800))) . ' ' . ngettext('week', 'weeks', $num);
return ($num = round($difference/(31536000))) . ' ' . ngettext('year', 'years', $num);
function ago($timestamp) {
$difference = time() - $timestamp;
case ($difference < 60) :
return $difference . ' ' . ngettext('second', 'seconds', $difference);
case ($difference < 3600): //60*60 = 3600
return ($num = round($difference/(60))) . ' ' . ngettext('minute', 'minutes', $num);
case ($difference < 86400): //60*60*24 = 86400
return ($num = round($difference/(3600))) . ' ' . ngettext('hour', 'hours', $num);
case ($difference < 604800): //60*60*24*7 = 604800
return ($num = round($difference/(86400))) . ' ' . ngettext('day', 'days', $num);
case ($difference < 31536000): //60*60*24*365 = 31536000
return ($num = round($difference/(604800))) . ' ' . ngettext('week', 'weeks', $num);
return ($num = round($difference/(31536000))) . ' ' . ngettext('year', 'years', $num);
function displayBan($ban) {
function displayBan($ban) {
global $config, $board;
global $config, $board;
@ -1267,25 +1234,25 @@ function deletePost($id, $error_if_doesnt_exist=true, $rebuild_after=true) {
$query->bindValue(':board', $board['uri']);
$query->bindValue(':board', $board['uri']);
$query->execute() or error(db_error($query));
$query->execute() or error(db_error($query));
// No need to run on OPs
// No need to run on OPs
if ($config['anti_bump_flood'] && isset($thread_id)) {
if ($config['anti_bump_flood'] && isset($thread_id)) {
$query = prepare(sprintf("SELECT `sage` FROM ``posts_%s`` WHERE `id` = :thread", $board['uri']));
$query = prepare(sprintf("SELECT `sage` FROM ``posts_%s`` WHERE `id` = :thread", $board['uri']));
$query->bindValue(':thread', $thread_id);
$query->bindValue(':thread', $thread_id);
$query->execute() or error(db_error($query));
$query->execute() or error(db_error($query));
$bumplocked = (bool)$query->fetchColumn();
$bumplocked = (bool)$query->fetchColumn();
if (!$bumplocked) {
if (!$bumplocked) {
$query = prepare(sprintf("SELECT `time` FROM ``posts_%s`` WHERE (`thread` = :thread AND NOT email <=> 'sage') OR `id` = :thread ORDER BY `time` DESC LIMIT 1", $board['uri']));
$query = prepare(sprintf("SELECT `time` FROM ``posts_%s`` WHERE (`thread` = :thread AND NOT email <=> 'sage') OR `id` = :thread ORDER BY `time` DESC LIMIT 1", $board['uri']));
$query->bindValue(':thread', $thread_id);
$query->bindValue(':thread', $thread_id);
$query->execute() or error(db_error($query));
$query->execute() or error(db_error($query));
$bump = $query->fetchColumn();
$bump = $query->fetchColumn();
$query = prepare(sprintf("UPDATE ``posts_%s`` SET `bump` = :bump WHERE `id` = :thread", $board['uri']));
$query = prepare(sprintf("UPDATE ``posts_%s`` SET `bump` = :bump WHERE `id` = :thread", $board['uri']));
$query->bindValue(':bump', $bump);
$query->bindValue(':bump', $bump);
$query->bindValue(':thread', $thread_id);
$query->bindValue(':thread', $thread_id);
$query->execute() or error(db_error($query));
$query->execute() or error(db_error($query));
if (isset($rebuild) && $rebuild_after) {
if (isset($rebuild) && $rebuild_after) {
function remove_modifiers($body) {
function remove_modifiers($body) {
return preg_replace('@<tinyboard ([\w\s]+)>(.+?)</tinyboard>@usm', '', $body);
return $body ? preg_replace('@<tinyboard ([\w\s]+)>(.+?)</tinyboard>@usm', '', $body) : null;
function markup(&$body, $track_cites = false, $op = false) {
function markup(&$body, $track_cites = false, $op = false) {
function defined_flags_accumulate($desired_flags) {
function defined_flags_accumulate($desired_flags) {
global $config;
$output_flags = 0x0;
$output_flags = 0x0;
foreach ($desired_flags as $flagname) {
foreach ($desired_flags as $flagname) {
if (defined($flagname)) {
if (defined($flagname)) {
@ -2315,7 +2283,7 @@ function defined_flags_accumulate($desired_flags) {
function utf8tohtml($utf8) {
function utf8tohtml($utf8) {
$flags = defined_flags_accumulate(['ENT_NOQUOTES', 'ENT_SUBSTITUTE', 'ENT_DISALLOWED']);
$flags = defined_flags_accumulate(['ENT_NOQUOTES', 'ENT_SUBSTITUTE', 'ENT_DISALLOWED']);
return htmlspecialchars($utf8, $flags, 'UTF-8');
return $utf8 ? htmlspecialchars($utf8, $flags, 'UTF-8') : '';
function ordutf8($string, &$offset) {
function ordutf8($string, &$offset) {
return array($name, $trip);
return array($name, $trip);
// Highest common factor
function hcf($a, $b){
$gcd = 1;
if ($a>$b) {
$a = $a+$b;
$b = $a-$b;
$a = $a-$b;
if ($b==(round($b/$a))*$a)
else {
for ($i=round($a/2);$i;$i--) {
if ($a == round($a/$i)*$i && $b == round($b/$i)*$i) {
$gcd = $i;
$i = false;
return $gcd;
function fraction($numerator, $denominator, $sep) {
$gcf = hcf($numerator, $denominator);
$numerator = $numerator / $gcf;
$denominator = $denominator / $gcf;
return "{$numerator}{$sep}{$denominator}";
function getPostByHash($hash) {
function getPostByHash($hash) {
global $board;
global $board;
$query = prepare(sprintf("SELECT `id`,`thread` FROM ``posts_%s`` WHERE `filehash` = :hash", $board['uri']));
$query = prepare(sprintf("SELECT `id`,`thread` FROM ``posts_%s`` WHERE `filehash` = :hash", $board['uri']));
if ($slug === false) {
if ($slug === false) {
$query = prepare(sprintf("SELECT `slug` FROM ``posts_%s`` WHERE `id` = :id", $b['uri']));
$query = prepare(sprintf("SELECT `slug` FROM ``posts_%s`` WHERE `id` = :id", $b['uri']));
$query->bindValue(':id', $id, PDO::PARAM_INT);
$query->bindValue(':id', $id, PDO::PARAM_INT);
$query->execute() or error(db_error($query));
$query->execute() or error(db_error($query));
$thread = $query->fetch(PDO::FETCH_ASSOC);
$thread = $query->fetch(PDO::FETCH_ASSOC);
$slug = $thread['slug'];
$slug = $thread['slug'];
@ -2854,7 +2793,7 @@ function link_for($post, $page50 = false, $foreignlink = false, $thread = false)
if ( $page50 && $slug) $tpl = $config['file_page50_slug'];
if ( $page50 && $slug) $tpl = $config['file_page50_slug'];
else if (!$page50 && $slug) $tpl = $config['file_page_slug'];
else if (!$page50 && $slug) $tpl = $config['file_page_slug'];
else if ( $page50 && !$slug) $tpl = $config['file_page50'];
else if ( $page50 && !$slug) $tpl = $config['file_page50'];
else if (!$page50 && !$slug) $tpl = $config['file_page'];
else if (!$page50 && !$slug) $tpl = $config['file_page'];
return str_replace("\t", '	', str_replace("\n", ' ', htmlentities($s)));
return str_replace("\t", '	', str_replace("\n", ' ', htmlentities($s)));
/*class HTMLPurifier_URIFilter_NoExternalImages extends HTMLPurifier_URIFilter {
public $name = 'NoExternalImages';
public function filter(&$uri, $c, $context) {
global $config;
$ct = $context->get('CurrentToken');
if (!$ct || $ct->name !== 'img') return true;
if (!isset($uri->host) && !isset($uri->scheme)) return true;
if (!in_array($uri->scheme . '://' . $uri->host . '/', $config['allowed_offsite_urls'])) {
error('No off-site links in board announcement images.');
return true;
function purify_html($s) {
function purify_html($s) {
global $config;
global $config;
@ -2899,7 +2820,6 @@ function purify_html($s) {
function markdown($s) {
function markdown($s) {
$pd = new Parsedown();
$pd = new Parsedown();
return $pd->text($s);
return $pd->text($s);
@ -2918,7 +2838,20 @@ function generation_strategy($fun, $array=array()) { global $config;
return 'rebuild';
return 'rebuild';
case 'defer':
case 'defer':
// Ok, it gets interesting here :)
// Ok, it gets interesting here :)
get_queue('generate')->push(serialize(array('build', $fun, $array, $action)));
$queue = Queues::get_queue($config, 'generate');
if ($queue === false) {
if ($config['syslog']) {
_syslog(LOG_ERR, "Could not initialize generate queue, falling back to immediate rebuild strategy");
return 'rebuild';
$ret = $queue->push(serialize(array('build', $fun, $array, $action)));
if ($ret === false) {
if ($config['syslog']) {
_syslog(LOG_ERR, "Could not push item in the queue, falling back to immediate rebuild strategy");
return 'rebuild';
return 'ignore';
return 'ignore';
case 'build_on_load':
case 'build_on_load':
return 'delete';
return 'delete';
namespace Vichan\Functions\Format;
function format_timestamp(int $delta): string {
switch (true) {
case $delta < 60:
return $delta . ' ' . ngettext('second', 'seconds', $delta);
case $delta < 3600: //60*60 = 3600
return ($num = round($delta/ 60)) . ' ' . ngettext('minute', 'minutes', $num);
case $delta < 86400: //60*60*24 = 86400
return ($num = round($delta / 3600)) . ' ' . ngettext('hour', 'hours', $num);
case $delta < 604800: //60*60*24*7 = 604800
return ($num = round($delta / 86400)) . ' ' . ngettext('day', 'days', $num);
case $delta < 31536000: //60*60*24*365 = 31536000
return ($num = round($delta / 604800)) . ' ' . ngettext('week', 'weeks', $num);
return ($num = round($delta / 31536000)) . ' ' . ngettext('year', 'years', $num);
function until(int $timestamp): string {
return format_timestamp($timestamp - time());
function ago(int $timestamp): string {
return format_timestamp(time() - $timestamp);
namespace Vichan\Functions\Net;
* @param bool $trust_headers. If true, trust the `HTTP_X_FORWARDED_PROTO` header to check if the connection is HTTPS.
* @return bool Returns if the client-server connection is an encrypted one (HTTPS).
function is_connection_secure(bool $trust_headers): bool {
if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
return true;
} elseif ($trust_headers && isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
return true;
return false;
namespace Vichan\Functions\Num;
// Highest common factor
function hcf($a, $b){
$gcd = 1;
if ($a > $b) {
$a = $a+$b;
$b = $a-$b;
$a = $a-$b;
if ($b == (round($b / $a)) * $a) {
$gcd = $a;
} else {
for ($i = round($a / 2); $i; $i--) {
if ($a == round($a / $i) * $i && $b == round($b / $i) * $i) {
$gcd = $i;
$i = false;
return $gcd;
function fraction($numerator, $denominator, $sep) {
$gcf = hcf($numerator, $denominator);
$numerator = $numerator / $gcf;
$denominator = $denominator / $gcf;
return "{$numerator}{$sep}{$denominator}";
} else {
} else {
rename($this->temp, $src);
rename($this->temp, $src);
chmod($src, 0664);
chmod($src, 0664);
$this->temp = false;
public function width() {
public function width() {
@ -300,8 +301,10 @@ class ImageConvert extends ImageBase {
return $this->height;
return $this->height;
public function destroy() {
public function destroy() {
if ($this->temp !== false) {
$this->temp = false;
$this->temp = false;
public function resize() {
public function resize() {
global $config;
global $config;
class Lock {
function __construct($key) { global $config;
if ($config['lock']['enabled'] == 'fs') {
$key = str_replace('/', '::', $key);
$key = str_replace("\0", '', $key);
$this->f = fopen("tmp/locks/$key", "w");
class Locks {
private static function filesystem(string $key): Lock|false {
$key = str_replace('/', '::', $key);
$key = str_replace("\0", '', $key);
// Get a shared lock
$fd = fopen("tmp/locks/$key", "w");
function get($nonblock = false) { global $config;
if ($fd === false) {
if ($config['lock']['enabled'] == 'fs') {
return false;
$wouldblock = false;
flock($this->f, LOCK_SH | ($nonblock ? LOCK_NB : 0), $wouldblock);
if ($nonblock && $wouldblock) return false;
return $this;
// Get an exclusive lock
return new class($fd) implements Lock {
function get_ex($nonblock = false) { global $config;
// Resources have no type in php.
if ($config['lock']['enabled'] == 'fs') {
private mixed $f;
$wouldblock = false;
flock($this->f, LOCK_EX | ($nonblock ? LOCK_NB : 0), $wouldblock);
if ($nonblock && $wouldblock) return false;
return $this;
// Free a lock
function free() { global $config;
function __construct($fd) {
if ($config['lock']['enabled'] == 'fs') {
$this->f = $fd;
flock($this->f, LOCK_UN);
return $this;
public function get(bool $nonblock = false): Lock|false {
$wouldblock = false;
flock($this->f, LOCK_SH | ($nonblock ? LOCK_NB : 0), $wouldblock);
if ($nonblock && $wouldblock) {
return false;
return $this;
public function get_ex(bool $nonblock = false): Lock|false {
$wouldblock = false;
flock($this->f, LOCK_EX | ($nonblock ? LOCK_NB : 0), $wouldblock);
if ($nonblock && $wouldblock) {
return false;
return $this;
public function free(): Lock {
flock($this->f, LOCK_UN);
return $this;
* No-op. Can be used for mocking.
public static function none(): Lock|false {
return new class() implements Lock {
public function get(bool $nonblock = false): Lock|false {
return $this;
public function get_ex(bool $nonblock = false): Lock|false {
return $this;
public function free(): Lock {
return $this;
public static function get_lock(array $config, string $key): Lock|false {
if ($config['lock']['enabled'] == 'fs') {
return self::filesystem($key);
} else {
return self::none();
interface Lock {
// Get a shared lock
public function get(bool $nonblock = false): Lock|false;
// Get an exclusive lock
public function get_ex(bool $nonblock = false): Lock|false;
// Free a lock
public function free(): Lock;
@ -4,10 +4,12 @@
* Copyright (c) 2010-2013 Tinyboard Development Group
* Copyright (c) 2010-2013 Tinyboard Development Group
use Vichan\Functions\Net;
defined('TINYBOARD') or exit;
defined('TINYBOARD') or exit;
// create a hash/salt pair for validate logins
// create a hash/salt pair for validate logins
function mkhash($username, $password, $salt = false) {
function mkhash(string $username, string $password, mixed $salt = false): array|string {
global $config;
global $config;
if (!$salt) {
if (!$salt) {
@ -31,55 +33,52 @@ function mkhash($username, $password, $salt = false) {
), 0, 20
), 0, 20
if (isset($generated_salt))
if (isset($generated_salt)) {
return array($hash, $salt);
return [ $hash, $salt ];
} else {
return $hash;
return $hash;
function crypt_password_old($password) {
function crypt_password(string $password): array {
$salt = generate_salt();
$password = hash('sha256', $salt . sha1($password));
return array($salt, $password);
function crypt_password($password) {
global $config;
global $config;
// `salt` database field is reused as a version value. We don't want it to be 0.
// `salt` database field is reused as a version value. We don't want it to be 0.
$version = $config['password_crypt_version'] ? $config['password_crypt_version'] : 1;
$version = $config['password_crypt_version'] ? $config['password_crypt_version'] : 1;
$new_salt = generate_salt();
$new_salt = generate_salt();
$password = crypt($password, $config['password_crypt'] . $new_salt . "$");
$password = crypt($password, $config['password_crypt'] . $new_salt . "$");
return array($version, $password);
return [ $version, $password ];
function test_password($password, $salt, $test) {
function test_password(string $password, string $salt, string $test): array {
global $config;
// Version = 0 denotes an old password hashing schema. In the same column, the
// Version = 0 denotes an old password hashing schema. In the same column, the
// password hash was kept previously
// password hash was kept previously
$version = (strlen($salt) <= 8) ? (int) $salt : 0;
$version = strlen($salt) <= 8 ? (int)$salt : 0;
if ($version == 0) {
if ($version == 0) {
$comp = hash('sha256', $salt . sha1($test));
$comp = hash('sha256', $salt . sha1($test));
} else {
else {
$comp = crypt($test, $password);
$comp = crypt($test, $password);
return array($version, hash_equals($password, $comp));
return [ $version, hash_equals($password, $comp) ];
function generate_salt() {
function generate_salt(): string {
// mcrypt_create_iv() was deprecated in PHP 7.1.0, only use it if we're below that version number.
if (PHP_VERSION_ID < 70100) {
// 128 bits of entropy
return strtr(base64_encode(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM)), '+', '.');
// Otherwise, use random_bytes()
return strtr(base64_encode(random_bytes(16)), '+', '.');
return strtr(base64_encode(random_bytes(16)), '+', '.');
function login($username, $password) {
function calc_cookie_name(bool $is_https, bool $is_path_jailed, string $base_name): string {
if ($is_https) {
if ($is_path_jailed) {
return "__Host-$base_name";
} else {
return "__Secure-$base_name";
} else {
return $base_name;
function login(string $username, string $password): array|false {
global $mod, $config;
global $mod, $config;
$query = prepare("SELECT `id`, `type`, `boards`, `password`, `version` FROM ``mods`` WHERE BINARY `username` = :username");
$query = prepare("SELECT `id`, `type`, `boards`, `password`, `version` FROM ``mods`` WHERE BINARY `username` = :username");
@ -100,40 +99,83 @@ function login($username, $password) {
$query->execute() or error(db_error($query));
$query->execute() or error(db_error($query));
return $mod = array(
return $mod = [
'id' => $user['id'],
'id' => $user['id'],
'type' => $user['type'],
'type' => $user['type'],
'username' => $username,
'username' => $username,
'hash' => mkhash($username, $user['password']),
'hash' => mkhash($username, $user['password']),
'boards' => explode(',', $user['boards'])
'boards' => explode(',', $user['boards'])
return false;
return false;
function setCookies() {
function setCookies(): void {
global $mod, $config;
global $mod, $config;
if (!$mod)
if (!$mod) {
error('setCookies() was called for a non-moderator!');
error('setCookies() was called for a non-moderator!');
$is_https = Net\is_connection_secure($config['cookies']['secure_login_only'] === 1);
$mod['username'] . // username
$is_path_jailed = $config['cookies']['jail'];
':' .
$name = calc_cookie_name($is_https, $is_path_jailed, $config['cookies']['mod']);
$mod['hash'][0] . // password
':' .
// <username>:<password>:<salt>
$mod['hash'][1], // salt
$value = "{$mod['username']}:{$mod['hash'][0]}:{$mod['hash'][1]}";
time() + $config['cookies']['expire'], $config['cookies']['jail'] ? $config['cookies']['path'] : '/', null, !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off', $config['cookies']['httponly']);
$options = [
'expires' => time() + $config['cookies']['expire'],
'path' => $is_path_jailed ? $config['cookies']['path'] : '/',
'secure' => $is_https,
'httponly' => $config['cookies']['httponly'],
'samesite' => 'Strict'
setcookie($name, $value, $options);
function destroyCookies() {
function destroyCookies(): void {
global $config;
global $config;
// Delete the cookies
$base_name = $config['cookies']['mod'];
setcookie($config['cookies']['mod'], 'deleted', time() - $config['cookies']['expire'], $config['cookies']['jail']?$config['cookies']['path'] : '/', null, !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off', true);
$del_time = time() - 60 * 60 * 24 * 365; // 1 year.
$jailed_path = $config['cookies']['jail'] ? $config['cookies']['path'] : '/';
$http_only = $config['cookies']['httponly'];
$options_multi = [
$base_name => [
'expires' => $del_time,
'path' => $jailed_path ,
'secure' => false,
'httponly' => $http_only,
'samesite' => 'Strict'
"__Host-$base_name" => [
'expires' => $del_time,
'path' => $jailed_path,
'secure' => true,
'httponly' => $http_only,
'samesite' => 'Strict'
"__Secure-$base_name" => [
'expires' => $del_time,
'path' => '/',
'secure' => true,
'httponly' => $http_only,
'samesite' => 'Strict'
foreach ($options_multi as $name => $options) {
if (isset($_COOKIE[$name])) {
setcookie($name, 'deleted', $options);
function modLog($action, $_board=null) {
function modLog(string $action, ?string $_board = null): void {
global $mod, $board, $config;
global $mod, $board, $config;
$query = prepare("INSERT INTO ``modlogs`` VALUES (:id, :ip, :board, :time, :text)");
$query = prepare("INSERT INTO ``modlogs`` VALUES (:id, :ip, :board, :time, :text)");
$query->bindValue(':id', (isset($mod['id']) ? $mod['id'] : -1), PDO::PARAM_INT);
$query->bindValue(':id', (isset($mod['id']) ? $mod['id'] : -1), PDO::PARAM_INT);
@ -148,16 +190,18 @@ function modLog($action, $_board=null) {
$query->bindValue(':board', null, PDO::PARAM_NULL);
$query->bindValue(':board', null, PDO::PARAM_NULL);
$query->execute() or error(db_error($query));
$query->execute() or error(db_error($query));
if ($config['syslog'])
if ($config['syslog']) {
_syslog(LOG_INFO, '[mod/' . $mod['username'] . ']: ' . $action);
_syslog(LOG_INFO, '[mod/' . $mod['username'] . ']: ' . $action);
function create_pm_header() {
function create_pm_header(): mixed {
global $mod, $config;
global $mod, $config;
if ($config['cache']['enabled'] && ($header = cache::get('pm_unread_' . $mod['id'])) != false) {
if ($config['cache']['enabled'] && ($header = cache::get('pm_unread_' . $mod['id'])) != false) {
if ($header === true)
if ($header === true) {
return false;
return false;
return $header;
return $header;
@ -166,31 +210,39 @@ function create_pm_header() {
$query->bindValue(':id', $mod['id'], PDO::PARAM_INT);
$query->bindValue(':id', $mod['id'], PDO::PARAM_INT);
$query->execute() or error(db_error($query));
$query->execute() or error(db_error($query));
if ($pm = $query->fetch(PDO::FETCH_ASSOC))
if ($pm = $query->fetch(PDO::FETCH_ASSOC)) {
$header = array('id' => $pm['id'], 'waiting' => $query->rowCount() - 1);
$header = [ 'id' => $pm['id'], 'waiting' => $query->rowCount() - 1 ];
} else {
$header = true;
$header = true;
if ($config['cache']['enabled'])
if ($config['cache']['enabled']) {
cache::set('pm_unread_' . $mod['id'], $header);
cache::set('pm_unread_' . $mod['id'], $header);
if ($header === true)
if ($header === true) {
return false;
return false;
return $header;
return $header;
function make_secure_link_token($uri) {
function make_secure_link_token(string $uri): string {
global $mod, $config;
global $mod, $config;
return substr(sha1($config['cookies']['salt'] . '-' . $uri . '-' . $mod['id']), 0, 8);
return substr(sha1($config['cookies']['salt'] . '-' . $uri . '-' . $mod['id']), 0, 8);
function check_login($prompt = false) {
function check_login(bool $prompt = false): void {
global $config, $mod;
global $config, $mod;
$is_https = Net\is_connection_secure($config['cookies']['secure_login_only'] === 1);
$is_path_jailed = $config['cookies']['jail'];
$expected_cookie_name = calc_cookie_name($is_https, $is_path_jailed, $config['cookies']['mod']);
// Validate session
// Validate session
if (isset($_COOKIE[$config['cookies']['mod']])) {
if (isset($_COOKIE[$expected_cookie_name])) {
// Should be username:hash:salt
// Should be username:hash:salt
$cookie = explode(':', $_COOKIE[$config['cookies']['mod']]);
$cookie = explode(':', $_COOKIE[$expected_cookie_name]);
if (count($cookie) != 3) {
if (count($cookie) != 3) {
// Malformed cookies
// Malformed cookies
@ -3,9 +3,13 @@
* Copyright (c) 2010-2013 Tinyboard Development Group
* Copyright (c) 2010-2013 Tinyboard Development Group
use Vichan\Functions\Format;
use Vichan\Functions\Net;
defined('TINYBOARD') or exit;
defined('TINYBOARD') or exit;
function mod_page($title, $template, $args, $subtitle = false) {
function mod_page($title, $template, $args, $subtitle = false) {
global $config, $mod;
global $config, $mod;
@ -29,9 +33,12 @@ function mod_page($title, $template, $args, $subtitle = false) {
function mod_login($redirect = false) {
function mod_login($redirect = false) {
global $config;
global $config;
$args = array();
$args = [];
if (isset($_POST['login'])) {
$secure_login_mode = $config['cookies']['secure_login_only'];
if ($secure_login_mode !== 0 && !Net\is_connection_secure($secure_login_mode === 1)) {
$args['error'] = $config['error']['insecure'];
} elseif (isset($_POST['login'])) {
// Check if inputs are set and not empty
// Check if inputs are set and not empty
if (!isset($_POST['username'], $_POST['password']) || $_POST['username'] == '' || $_POST['password'] == '') {
if (!isset($_POST['username'], $_POST['password']) || $_POST['username'] == '' || $_POST['password'] == '') {
$args['error'] = $config['error']['invalid'];
$args['error'] = $config['error']['invalid'];
@ -1335,8 +1342,8 @@ function mod_move($originBoard, $postID) {
if ($targetBoard === $originBoard)
if ($targetBoard === $originBoard)
error(_('Target and source board are the same.'));
error(_('Target and source board are the same.'));
// copy() if leaving a shadow thread behind; else, rename().
// link() if leaving a shadow thread behind; else, rename().
$clone = $shadow ? 'copy' : 'rename';
$clone = $shadow ? 'link' : 'rename';
// indicate that the post is a thread
// indicate that the post is a thread
$post['op'] = true;
$post['op'] = true;
@ -1553,7 +1560,7 @@ function mod_ban_post($board, $delete, $post, $token = false) {
if (isset($_POST['public_message'], $_POST['message'])) {
if (isset($_POST['public_message'], $_POST['message'])) {
// public ban message
// public ban message
$length_english = Bans::parse_time($_POST['length']) ? 'for ' . until(Bans::parse_time($_POST['length'])) : 'permanently';
$length_english = Bans::parse_time($_POST['length']) ? 'for ' . Format\until(Bans::parse_time($_POST['length'])) : 'permanently';
$_POST['message'] = preg_replace('/[\r\n]/', '', $_POST['message']);
$_POST['message'] = preg_replace('/[\r\n]/', '', $_POST['message']);
$_POST['message'] = str_replace('%length%', $length_english, $_POST['message']);
$_POST['message'] = str_replace('%length%', $length_english, $_POST['message']);
$_POST['message'] = str_replace('%LENGTH%', strtoupper($length_english), $_POST['message']);
$_POST['message'] = str_replace('%LENGTH%', strtoupper($length_english), $_POST['message']);
@ -1,49 +1,98 @@
class Queue {
class Queues {
function __construct($key) { global $config;
private static $queues = array();
if ($config['queue']['enabled'] == 'fs') {
$this->lock = new Lock($key);
$key = str_replace('/', '::', $key);
$key = str_replace("\0", '', $key);
$this->key = "tmp/queue/$key/";
function push($str) { global $config;
if ($config['queue']['enabled'] == 'fs') {
file_put_contents($this->key.microtime(true), $str);
return $this;
function pop($n = 1) { global $config;
if ($config['queue']['enabled'] == 'fs') {
* This queue implementation isn't actually ordered, so it works more as a "bag".
$dir = opendir($this->key);
private static function filesystem(string $key, Lock $lock): Queue {
$paths = array();
$key = str_replace('/', '::', $key);
while ($n > 0) {
$key = str_replace("\0", '', $key);
$path = readdir($dir);
$key = "tmp/queue/$key/";
if ($path === FALSE) break;
elseif ($path == '.' || $path == '..') continue;
return new class($key, $lock) implements Queue {
else { $paths[] = $path; $n--; }
private Lock $lock;
private string $key;
$out = array();
foreach ($paths as $v) {
$out []= file_get_contents($this->key.$v);
function __construct(string $key, Lock $lock) {
$this->lock = $lock;
$this->key = $key;
return $out;
public function push(string $str): bool {
$ret = file_put_contents($this->key . microtime(true), $str);
return $ret !== false;
public function pop(int $n = 1): array {
$dir = opendir($this->key);
$paths = array();
while ($n > 0) {
$path = readdir($dir);
if ($path === false) {
} elseif ($path == '.' || $path == '..') {
} else {
$paths[] = $path;
$out = array();
foreach ($paths as $v) {
$out[] = file_get_contents($this->key . $v);
unlink($this->key . $v);
return $out;
* No-op. Can be used for mocking.
public static function none(): Queue {
return new class() implements Queue {
public function push(string $str): bool {
return true;
public function pop(int $n = 1): array {
return array();
public static function get_queue(array $config, string $name): Queue|false {
if (!isset(self::$queues[$name])) {
if ($config['queue']['enabled'] == 'fs') {
$lock = Locks::get_lock($config, $name);
if ($lock === false) {
return false;
self::$queues[$name] = self::filesystem($name, $lock);
} else {
self::$queues[$name] = self::none();
return self::$queues[$name];
// Don't use the constructor. Use the get_queue function.
interface Queue {
$queues = array();
// Push a string in the queue.
public function push(string $str): bool;
function get_queue($name) { global $queues;
// Get a string from the queue.
return $queues[$name] = isset ($queues[$name]) ? $queues[$name] : new Queue($name);
public function pop(int $n = 1): array;
Normal file
Normal file
@ -0,0 +1,102 @@
<?php // Verify captchas server side.
namespace Vichan\Service;
use Vichan\Driver\HttpDriver;
defined('TINYBOARD') or exit;
class RemoteCaptchaQuery {
private HttpDriver $http;
private string $secret;
private string $endpoint;
* Creates a new CaptchaRemoteQueries instance using the google recaptcha service.
* @param HttpDriver $http The http client.
* @param string $secret Server side secret.
* @return CaptchaRemoteQueries A new captcha query instance.
public static function withRecaptcha(HttpDriver $http, string $secret): RemoteCaptchaQuery {
return new self($http, $secret, 'https://www.google.com/recaptcha/api/siteverify');
* Creates a new CaptchaRemoteQueries instance using the hcaptcha service.
* @param HttpDriver $http The http client.
* @param string $secret Server side secret.
* @return CaptchaRemoteQueries A new captcha query instance.
public static function withHCaptcha(HttpDriver $http, string $secret): RemoteCaptchaQuery {
return new self($http, $secret, 'https://hcaptcha.com/siteverify');
private function __construct(HttpDriver $http, string $secret, string $endpoint) {
$this->http = $http;
$this->secret = $secret;
$this->endpoint = $endpoint;
* Checks if the user at the remote ip passed the captcha.
* @param string $response User provided response.
* @param string $remote_ip User ip.
* @return bool Returns true if the user passed the captcha.
* @throws RuntimeException|JsonException Throws on IO errors or if it fails to decode the answer.
public function verify(string $response, string $remote_ip): bool {
$data = array(
'secret' => $this->secret,
'response' => $response,
'remoteip' => $remote_ip
$ret = $this->http->requestGet($this->endpoint, $data);
$resp = json_decode($ret, true, 16, JSON_THROW_ON_ERROR);
return isset($resp['success']) && $resp['success'];
class NativeCaptchaQuery {
private HttpDriver $http;
private string $domain;
private string $provider_check;
* @param HttpDriver $http The http client.
* @param string $domain The server's domain.
* @param string $provider_check Path to the endpoint.
function __construct(HttpDriver $http, string $domain, string $provider_check) {
$this->http = $http;
$this->domain = $domain;
$this->provider_check = $provider_check;
* Checks if the user at the remote ip passed the native vichan captcha.
* @param string $extra Extra http parameters.
* @param string $user_text Remote user's text input.
* @param string $user_cookie Remote user cookie.
* @return bool Returns true if the user passed the check.
* @throws RuntimeException Throws on IO errors.
public function verify(string $extra, string $user_text, string $user_cookie): bool {
$data = array(
'mode' => 'check',
'text' => $user_text,
'extra' => $extra,
'cookie' => $user_cookie
$ret = $this->http->requestGet($this->domain . '/' . $this->provider_check, $data);
return $ret === '1';
@ -11,12 +11,14 @@ $twig = false;
function load_twig() {
function load_twig() {
global $twig, $config;
global $twig, $config;
$cache_dir = "{$config['dir']['template']}/cache/";
$loader = new Twig\Loader\FilesystemLoader($config['dir']['template']);
$loader = new Twig\Loader\FilesystemLoader($config['dir']['template']);
$twig = new Twig\Environment($loader, array(
$twig = new Twig\Environment($loader, array(
'autoescape' => false,
'autoescape' => false,
'cache' => is_writable('templates') || (is_dir('templates/cache') && is_writable('templates/cache')) ?
'cache' => is_writable('templates/') || (is_dir($cache_dir) && is_writable($cache_dir)) ?
new Twig_Cache_TinyboardFilesystem("{$config['dir']['template']}/cache") : false,
new TinyboardTwigCache($cache_dir) : false,
'debug' => $config['debug'],
'debug' => $config['debug'],
'auto_reload' => $config['twig_auto_reload']
'auto_reload' => $config['twig_auto_reload']
@ -58,7 +60,7 @@ function Element($templateFile, array $options) {
// Read the template file
// Read the template file
if (@file_get_contents("{$config['dir']['template']}/${templateFile}")) {
if (@file_get_contents("{$config['dir']['template']}/{$templateFile}")) {
$body = $twig->render($templateFile, $options);
$body = $twig->render($templateFile, $options);
if ($config['minify_html'] && preg_match('/\.html$/', $templateFile)) {
if ($config['minify_html'] && preg_match('/\.html$/', $templateFile)) {
@ -67,7 +69,33 @@ function Element($templateFile, array $options) {
return $body;
return $body;
} else {
} else {
throw new Exception("Template file '${templateFile}' does not exist or is empty in '{$config['dir']['template']}'!");
throw new Exception("Template file '{$templateFile}' does not exist or is empty in '{$config['dir']['template']}'!");
class TinyboardTwigCache extends Twig\Cache\FilesystemCache {
private string $directory;
public function __construct(string $directory) {
$this->directory = $directory;
* This function was removed in Twig 2.x due to developer views on the Twig library.
* Who says we can't keep it for ourselves though?
public function clear() {
$iter = new RecursiveIteratorIterator(
new RecursiveDirectoryIterator($this->directory),
foreach ($iter as $file) {
if ($file->isFile()) {
@ -93,8 +121,8 @@ class Tinyboard extends Twig\Extension\AbstractExtension
new Twig\TwigFilter('date', 'twig_date_filter'),
new Twig\TwigFilter('date', 'twig_date_filter'),
new Twig\TwigFilter('poster_id', 'poster_id'),
new Twig\TwigFilter('poster_id', 'poster_id'),
new Twig\TwigFilter('count', 'count'),
new Twig\TwigFilter('count', 'count'),
new Twig\TwigFilter('ago', 'ago'),
new Twig\TwigFilter('ago', 'Vichan\Functions\Format\ago'),
new Twig\TwigFilter('until', 'until'),
new Twig\TwigFilter('until', 'Vichan\Functions\Format\until'),
new Twig\TwigFilter('push', 'twig_push_filter'),
new Twig\TwigFilter('push', 'twig_push_filter'),
new Twig\TwigFilter('bidi_cleanup', 'bidi_cleanup'),
new Twig\TwigFilter('bidi_cleanup', 'bidi_cleanup'),
new Twig\TwigFilter('addslashes', 'addslashes'),
new Twig\TwigFilter('addslashes', 'addslashes'),
@ -113,7 +141,6 @@ class Tinyboard extends Twig\Extension\AbstractExtension
return array(
return array(
new Twig\TwigFunction('time', 'time'),
new Twig\TwigFunction('time', 'time'),
new Twig\TwigFunction('floor', 'floor'),
new Twig\TwigFunction('floor', 'floor'),
new Twig\TwigFunction('timezone', 'twig_timezone_function'),
new Twig\TwigFunction('hiddenInputs', 'hiddenInputs'),
new Twig\TwigFunction('hiddenInputs', 'hiddenInputs'),
new Twig\TwigFunction('hiddenInputsHash', 'hiddenInputsHash'),
new Twig\TwigFunction('hiddenInputsHash', 'hiddenInputsHash'),
new Twig\TwigFunction('ratio', 'twig_ratio_function'),
new Twig\TwigFunction('ratio', 'twig_ratio_function'),
@ -134,17 +161,18 @@ class Tinyboard extends Twig\Extension\AbstractExtension
function twig_timezone_function() {
return 'Z';
function twig_push_filter($array, $value) {
function twig_push_filter($array, $value) {
array_push($array, $value);
array_push($array, $value);
return $array;
return $array;
function twig_date_filter($date, $format) {
function twig_date_filter($date, $format) {
return gmstrftime($format, $date);
if (is_numeric($date)) {
$date = new DateTime("@$date", new DateTimeZone('UTC'));
} else {
$date = new DateTime($date, new DateTimeZone('UTC'));
return $date->format($format);
function twig_hasPermission_filter($mod, $permission, $board = null) {
function twig_hasPermission_filter($mod, $permission, $board = null) {
@ -1,7 +1,7 @@
// Installation/upgrade file
// Installation/upgrade file
define('VERSION', '5.1.4');
define('VERSION', '5.2.0');
require 'inc/bootstrap.php';
require 'inc/bootstrap.php';
@ -689,6 +689,8 @@ if ($step == 0) {
echo Element('page.html', $page);
echo Element('page.html', $page);
} elseif ($step == 1) {
} elseif ($step == 1) {
// The HTTPS check doesn't work properly when in those arrays, so let's run it here and pass along the result during the actual check.
$httpsvalue = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
$page['title'] = 'Pre-installation test';
$page['title'] = 'Pre-installation test';
$can_exec = true;
$can_exec = true;
@ -734,13 +736,6 @@ if ($step == 0) {
'required' => true,
'required' => true,
'message' => 'vichan requires PHP 7.4 or better.',
'message' => 'vichan requires PHP 7.4 or better.',
'category' => 'PHP',
'name' => 'PHP ≥ 5.6',
'result' => PHP_VERSION_ID >= 50600,
'required' => false,
'message' => 'vichan works best on PHP 5.6 or better.',
'category' => 'PHP',
'category' => 'PHP',
'name' => 'mbstring extension installed',
'name' => 'mbstring extension installed',
@ -856,14 +851,14 @@ if ($step == 0) {
'category' => 'File permissions',
'category' => 'File permissions',
'name' => getcwd() . '/templates/cache',
'name' => getcwd() . '/templates/cache',
'result' => is_writable('templates') || (is_dir('templates/cache') && is_writable('templates/cache')),
'result' => is_dir('templates/cache/') && is_writable('templates/cache/'),
'required' => true,
'required' => true,
'message' => 'You must give vichan permission to create (and write to) the <code>templates/cache</code> directory or performance will be drastically reduced.'
'message' => 'You must give vichan permission to create (and write to) the <code>templates/cache</code> directory or performance will be drastically reduced.'
'category' => 'File permissions',
'category' => 'File permissions',
'name' => getcwd() . '/tmp/cache',
'name' => getcwd() . '/tmp/cache',
'result' => is_dir('tmp/cache') && is_writable('tmp/cache'),
'result' => is_dir('tmp/cache/') && is_writable('tmp/cache/'),
'required' => true,
'required' => true,
'message' => 'You must give vichan permission to write to the <code>tmp/cache</code> directory.'
'message' => 'You must give vichan permission to write to the <code>tmp/cache</code> directory.'
@ -874,6 +869,13 @@ if ($step == 0) {
'required' => false,
'required' => false,
'message' => 'vichan does not have permission to make changes to <code>inc/secrets.php</code>. To complete the installation, you will be asked to manually copy and paste code into the file instead.'
'message' => 'vichan does not have permission to make changes to <code>inc/secrets.php</code>. To complete the installation, you will be asked to manually copy and paste code into the file instead.'
'category' => 'Misc',
'name' => 'HTTPS not being used',
'result' => $httpsvalue,
'required' => false,
'message' => 'You are not currently using https for vichan, or at least for your backend server. If this intentional, add "$config[\'cookies\'][\'secure_login_only\'] = 0;" (or 1 if using a proxy) on a new line under "Additional configuration" on the next page.'
'category' => 'Misc',
'category' => 'Misc',
'name' => 'Caching available (APCu, Memcached or Redis)',
'name' => 'Caching available (APCu, Memcached or Redis)',
@ -989,12 +991,16 @@ if ($step == 0) {
$queries[] = Element('posts.sql', array('board' => 'b'));
$queries[] = Element('posts.sql', array('board' => 'b'));
$sql_errors = '';
$sql_errors = '';
$sql_err_count = 0;
foreach ($queries as $query) {
foreach ($queries as $query) {
if ($mysql_version < 50503)
if ($mysql_version < 50503)
$query = preg_replace('/(CHARSET=|CHARACTER SET )utf8mb4/', '$1utf8', $query);
$query = preg_replace('/(CHARSET=|CHARACTER SET )utf8mb4/', '$1utf8', $query);
$query = preg_replace('/^([\w\s]*)`([0-9a-zA-Z$_\x{0080}-\x{FFFF}]+)`/u', '$1``$2``', $query);
$query = preg_replace('/^([\w\s]*)`([0-9a-zA-Z$_\x{0080}-\x{FFFF}]+)`/u', '$1``$2``', $query);
if (!query($query))
if (!query($query)) {
$sql_errors .= '<li>' . db_error() . '</li>';
$error = db_error();
$sql_errors .= "<li>$sql_err_count<ul><li>$query</li><li>$error</li></ul></li>";
$page['title'] = 'Installation complete';
$page['title'] = 'Installation complete';
@ -1033,4 +1039,3 @@ if ($step == 0) {
echo Element('page.html', $page);
echo Element('page.html', $page);
@ -30,17 +30,7 @@ function catalog() {
var link = document.createElement('a');
var link = document.createElement('a');
link.href = catalog_url;
link.href = catalog_url;
if (pages) {
if (!pages) {
link.textContent = _('Catalog');
link.style.color = '#F10000';
link.style.padding = '4px';
link.style.paddingLeft = '9px';
link.style.borderLeft = '1px solid';
link.style.borderLeftColor = '#A8A8A8';
link.style.textDecoration = "underline";
} else {
link.textContent = '['+_('Catalog')+']';
link.textContent = '['+_('Catalog')+']';
link.style.paddingLeft = '10px';
link.style.paddingLeft = '10px';
link.style.textDecoration = "underline";
link.style.textDecoration = "underline";
@ -17,29 +17,40 @@ $(document).ready(function(){
'use strict';
'use strict';
var iso8601 = function(s) {
var iso8601 = function(s) {
s = s.replace(/\.\d\d\d+/,""); // remove milliseconds
var parts = s.split('T');
s = s.replace(/-/,"/").replace(/-/,"/");
if (parts.length === 2) {
s = s.replace(/T/," ").replace(/Z/," UTC");
var timeParts = parts[1].split(':');
s = s.replace(/([\+\-]\d\d)\:?(\d\d)/," $1$2"); // -04:00 -> -0400
if (timeParts.length === 3) {
var secondsParts = timeParts[2].split('.');
if (secondsParts[0] > 59) {
secondsParts[0] = '59';
timeParts[2] = secondsParts.join('.');
parts[1] = timeParts.join(':');
s = parts.join('T');
if (!s.endsWith('Z')) {
s += 'Z';
return new Date(s);
return new Date(s);
var zeropad = function(num, count) {
var zeropad = function(num, count) {
return [Math.pow(10, count - num.toString().length), num].join('').substr(1);
return [Math.pow(10, count - num.toString().length), num].join('').substr(1);
var dateformat = (typeof strftime === 'undefined') ? function(t) {
var dateformat = (typeof strftime === 'undefined') ? function(t) {
return zeropad(t.getMonth() + 1, 2) + "/" + zeropad(t.getDate(), 2) + "/" + t.getFullYear().toString().substring(2) +
return zeropad(t.getMonth() + 1, 2) + "/" + zeropad(t.getDate(), 2) + "/" + t.getFullYear().toString().substring(2) +
" (" + [_("Sun"), _("Mon"), _("Tue"), _("Wed"), _("Thu"), _("Fri"), _("Sat"), _("Sun")][t.getDay()] + ") " +
" (" + ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"][t.getDay()] + ") " +
// time
// time
zeropad(t.getHours(), 2) + ":" + zeropad(t.getMinutes(), 2) + ":" + zeropad(t.getSeconds(), 2);
zeropad(t.getHours(), 2) + ":" + zeropad(t.getMinutes(), 2) + ":" + zeropad(t.getSeconds(), 2);
} : function(t) {
} : function(t) {
// post_date is defined in templates/main.js
// post_date is defined in templates/main.js
return strftime(window.post_date, t, datelocale);
return strftime(window.post_date, t, datelocale);
function timeDifference(current, previous) {
function timeDifference(current, previous) {
var msPerMinute = 60 * 1000;
var msPerMinute = 60 * 1000;
var msPerHour = msPerMinute * 60;
var msPerHour = msPerMinute * 60;
var msPerDay = msPerHour * 24;
var msPerDay = msPerHour * 24;
@ -51,15 +62,15 @@ $(document).ready(function(){
if (elapsed < msPerMinute) {
if (elapsed < msPerMinute) {
return 'Just now';
return 'Just now';
} else if (elapsed < msPerHour) {
} else if (elapsed < msPerHour) {
return Math.round(elapsed/msPerMinute) + (Math.round(elapsed/msPerMinute)<=1 ? ' minute ago':' minutes ago');
return Math.round(elapsed / msPerMinute) + (Math.round(elapsed / msPerMinute) <= 1 ? ' minute ago' : ' minutes ago');
} else if (elapsed < msPerDay ) {
} else if (elapsed < msPerDay) {
return Math.round(elapsed/msPerHour ) + (Math.round(elapsed/msPerHour)<=1 ? ' hour ago':' hours ago');
return Math.round(elapsed / msPerHour) + (Math.round(elapsed / msPerHour) <= 1 ? ' hour ago' : ' hours ago');
} else if (elapsed < msPerMonth) {
} else if (elapsed < msPerMonth) {
return Math.round(elapsed/msPerDay) + (Math.round(elapsed/msPerDay)<=1 ? ' day ago':' days ago');
return Math.round(elapsed / msPerDay) + (Math.round(elapsed / msPerDay) <= 1 ? ' day ago' : ' days ago');
} else if (elapsed < msPerYear) {
} else if (elapsed < msPerYear) {
return Math.round(elapsed/msPerMonth) + (Math.round(elapsed/msPerMonth)<=1 ? ' month ago':' months ago');
return Math.round(elapsed / msPerMonth) + (Math.round(elapsed / msPerMonth) <= 1 ? ' month ago' : ' months ago');
} else {
} else {
return Math.round(elapsed/msPerYear ) + (Math.round(elapsed/msPerYear)<=1 ? ' year ago':' years ago');
return Math.round(elapsed / msPerYear) + (Math.round(elapsed / msPerYear) <= 1 ? ' year ago' : ' years ago');
@ -67,20 +78,19 @@ $(document).ready(function(){
var times = elem.getElementsByTagName('time');
var times = elem.getElementsByTagName('time');
var currentTime = Date.now();
var currentTime = Date.now();
for(var i = 0; i < times.length; i++) {
for (var i = 0; i < times.length; i++) {
var t = times[i].getAttribute('datetime');
var t = times[i].getAttribute('datetime');
var postTime = new Date(t);
var postTime = iso8601(t);
times[i].setAttribute('data-local', 'true');
times[i].setAttribute('data-local', 'true');
if (localStorage.show_relative_time === 'false') {
if (localStorage.show_relative_time === 'false') {
times[i].innerHTML = dateformat(iso8601(t));
times[i].innerHTML = dateformat(postTime);
times[i].setAttribute('title', timeDifference(currentTime, postTime.getTime()));
times[i].setAttribute('title', timeDifference(currentTime, postTime.getTime()));
} else {
} else {
times[i].innerHTML = timeDifference(currentTime, postTime.getTime());
times[i].innerHTML = timeDifference(currentTime, postTime.getTime());
times[i].setAttribute('title', dateformat(iso8601(t)));
times[i].setAttribute('title', dateformat(postTime));
@ -101,7 +111,7 @@ $(document).ready(function(){
if (localStorage.show_relative_time !== 'false') {
if (localStorage.show_relative_time !== 'false') {
$('#show-relative-time>input').attr('checked', 'checked');
interval_id = setInterval(do_localtime, 30000, document);
interval_id = setInterval(do_localtime, 30000, document);
@ -375,7 +375,7 @@ if (active_page === 'thread' || active_page === 'index' || active_page === 'cata
var list = getList();
var list = getList();
var postId = $post.find('.post_no').not('[id]').text();
var postId = $post.find('.post_no').not('[id]').text();
var name, trip, uid, subject, comment;
var name, trip, uid, subject, comment, flag;
var i, length, array, rule, pattern; // temp variables
var i, length, array, rule, pattern; // temp variables
var boardId = $post.data('board');
var boardId = $post.data('board');
@ -388,6 +388,7 @@ if (active_page === 'thread' || active_page === 'index' || active_page === 'cata
var hasTrip = ($post.find('.trip').length > 0);
var hasTrip = ($post.find('.trip').length > 0);
var hasSub = ($post.find('.subject').length > 0);
var hasSub = ($post.find('.subject').length > 0);
var hasFlag = ($post.find('.flag').length > 0);
$post.data('hidden', false);
$post.data('hidden', false);
$post.data('hiddenByUid', false);
$post.data('hiddenByUid', false);
@ -396,6 +397,7 @@ if (active_page === 'thread' || active_page === 'index' || active_page === 'cata
$post.data('hiddenByTrip', false);
$post.data('hiddenByTrip', false);
$post.data('hiddenBySubject', false);
$post.data('hiddenBySubject', false);
$post.data('hiddenByComment', false);
$post.data('hiddenByComment', false);
$post.data('hiddenByFlag', false);
// add post with matched UID to localList
// add post with matched UID to localList
if (hasUID &&
if (hasUID &&
@ -436,6 +438,8 @@ if (active_page === 'thread' || active_page === 'index' || active_page === 'cata
comment = array.join(' ');
comment = array.join(' ');
if (hasFlag)
flag = $post.find('.flag').attr('title')
for (i = 0, length = list.generalFilter.length; i < length; i++) {
for (i = 0, length = list.generalFilter.length; i < length; i++) {
rule = list.generalFilter[i];
rule = list.generalFilter[i];
@ -467,6 +471,12 @@ if (active_page === 'thread' || active_page === 'index' || active_page === 'cata
case 'flag':
if (hasFlag && pattern.test(flag)) {
$post.data('hiddenByFlag', true);
} else {
} else {
switch (rule.type) {
switch (rule.type) {
@ -496,6 +506,13 @@ if (active_page === 'thread' || active_page === 'index' || active_page === 'cata
case 'flag':
pattern = new RegExp('\\b'+ rule.value+ '\\b');
if (hasFlag && pattern.test(flag)) {
$post.data('hiddenByFlag', true);
@ -621,7 +638,8 @@ if (active_page === 'thread' || active_page === 'index' || active_page === 'cata
name: 'name',
name: 'name',
trip: 'tripcode',
trip: 'tripcode',
sub: 'subject',
sub: 'subject',
com: 'comment'
com: 'comment',
flag: 'flag'
@ -660,6 +678,7 @@ if (active_page === 'thread' || active_page === 'index' || active_page === 'cata
'<option value="trip">'+_('Tripcode')+'</option>' +
'<option value="trip">'+_('Tripcode')+'</option>' +
'<option value="sub">'+_('Subject')+'</option>' +
'<option value="sub">'+_('Subject')+'</option>' +
'<option value="com">'+_('Comment')+'</option>' +
'<option value="com">'+_('Comment')+'</option>' +
'<option value="flag">'+_('Flag')+'</option>' +
'</select>' +
'</select>' +
'<input type="text">' +
'<input type="text">' +
'<input type="checkbox">' +
'<input type="checkbox">' +
@ -5,6 +5,11 @@
require_once 'inc/bootstrap.php';
require_once 'inc/bootstrap.php';
use Vichan\{Context, WebDependencyFactory};
use Vichan\Driver\{HttpDriver, Log};
use Vichan\Service\{RemoteCaptchaQuery, NativeCaptchaQuery};
use Vichan\Functions\Format;
* Utility functions
* Utility functions
@ -61,54 +66,27 @@ function strip_symbols($input) {
* Download the url's target with curl.
* @param string $url Url to the file to download.
* @param int $timeout Request timeout in seconds.
* @param File $fd File descriptor to save the content to.
* @return null|string Returns a string on error.
function download_file_into($url, $timeout, $fd) {
$err = null;
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, $url);
curl_setopt($curl, CURLOPT_FAILONERROR, true);
curl_setopt($curl, CURLOPT_FOLLOWLOCATION, false);
curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 5);
curl_setopt($curl, CURLOPT_TIMEOUT, $timeout);
curl_setopt($curl, CURLOPT_USERAGENT, 'Tinyboard');
curl_setopt($curl, CURLOPT_FILE, $fd);
if (curl_exec($curl) === false) {
$err = curl_error($curl);
return $err;
* Download a remote file from the given url.
* Download a remote file from the given url.
* The file is deleted at shutdown.
* The file is deleted at shutdown.
* @param HttpDriver $http The http client.
* @param string $file_url The url to download the file from.
* @param string $file_url The url to download the file from.
* @param int $request_timeout Timeout to retrieve the file.
* @param int $request_timeout Timeout to retrieve the file.
* @param array $extra_extensions Allowed file extensions.
* @param array $extra_extensions Allowed file extensions.
* @param string $tmp_dir Temporary directory to save the file into.
* @param string $tmp_dir Temporary directory to save the file into.
* @param array $error_array An array with error codes, used to create exceptions on failure.
* @param array $error_array An array with error codes, used to create exceptions on failure.
* @return array Returns an array describing the file on success.
* @return array|false Returns an array describing the file on success, or false if the file was too large
* @throws Exception on error.
* @throws InvalidArgumentException|RuntimeException Throws on invalid arguments and IO errors.
function download_file_from_url($file_url, $request_timeout, $allowed_extensions, $tmp_dir, &$error_array) {
function download_file_from_url(HttpDriver $http, $file_url, $request_timeout, $allowed_extensions, $tmp_dir, &$error_array) {
if (!preg_match('@^https?://@', $file_url)) {
if (!preg_match('@^https?://@', $file_url)) {
throw new InvalidArgumentException($error_array['invalidimg']);
throw new InvalidArgumentException($error_array['invalidimg']);
if (mb_strpos($file_url, '?') !== false) {
$param_idx = mb_strpos($file_url, '?');
$url_without_params = mb_substr($file_url, 0, mb_strpos($file_url, '?'));
if ($param_idx !== false) {
$url_without_params = mb_substr($file_url, 0, $param_idx);
} else {
} else {
$url_without_params = $file_url;
$url_without_params = $file_url;
@ -128,10 +106,13 @@ function download_file_from_url($file_url, $request_timeout, $allowed_extensions
$fd = fopen($tmp_file, 'w');
$fd = fopen($tmp_file, 'w');
$dl_err = download_file_into($fd, $request_timeout, $fd);
try {
$success = $http->requestGetInto($url_without_params, null, $fd, $request_timeout);
if ($dl_err !== null) {
if (!$success) {
throw new Exception($error_array['nomove'] . '<br/>Curl says: ' . $dl_err);
return false;
} finally {
return array(
return array(
@ -165,6 +146,7 @@ function ocr_image(array $config, string $img_path): string {
return trim($ret);
return trim($ret);
* Trim an image's EXIF metadata
* Trim an image's EXIF metadata
@ -173,7 +155,7 @@ function ocr_image(array $config, string $img_path): string {
* @throws RuntimeException Throws on IO errors.
* @throws RuntimeException Throws on IO errors.
function strip_image_metadata(string $img_path): int {
function strip_image_metadata(string $img_path): int {
$err = shell_exec_error('exiftool -overwrite_original -ignoreMinorErrors -q -q -all= ' . escapeshellarg($img_path));
$err = shell_exec_error('exiftool -overwrite_original -ignoreMinorErrors -q -q -all= -Orientation ' . escapeshellarg($img_path));
if ($err === false) {
if ($err === false) {
throw new RuntimeException('Could not strip EXIF metadata!');
throw new RuntimeException('Could not strip EXIF metadata!');
@ -190,6 +172,7 @@ function strip_image_metadata(string $img_path): int {
$dropped_post = false;
$dropped_post = false;
$context = new Context(new WebDependencyFactory($config));
// Is it a post coming from NNTP? Let's extract it and pretend it's a normal post.
// Is it a post coming from NNTP? Let's extract it and pretend it's a normal post.
if (isset($_GET['Newsgroups']) && $config['nntpchan']['enabled']) {
if (isset($_GET['Newsgroups']) && $config['nntpchan']['enabled']) {
@ -268,7 +251,7 @@ if (isset($_GET['Newsgroups']) && $config['nntpchan']['enabled']) {
$content = file_get_contents("php://input");
$content = file_get_contents("php://input");
elseif ($ct == 'multipart/mixed' || $ct == 'multipart/form-data') {
elseif ($ct == 'multipart/mixed' || $ct == 'multipart/form-data') {
_syslog(LOG_INFO, "MM: Files: ".print_r($GLOBALS, true)); // Debug
$context->getLog()->log(Log::DEBUG, 'MM: Files: ' . print_r($GLOBALS, true));
$content = '';
$content = '';
@ -335,7 +318,7 @@ if (isset($_GET['Newsgroups']) && $config['nntpchan']['enabled']) {
$ret[] = ">>".$v['id'];
$ret[] = ">>".$v['id'];
return implode($ret, ", ");
return implode(", ", $ret);
}, $content);
}, $content);
@ -413,15 +396,16 @@ if (isset($_POST['delete'])) {
if ($post['time'] < time() - $config['max_delete_time'] && $config['max_delete_time'] != false) {
if ($post['time'] < time() - $config['max_delete_time'] && $config['max_delete_time'] != false) {
error(sprintf($config['error']['delete_too_late'], until($post['time'] + $config['max_delete_time'])));
error(sprintf($config['error']['delete_too_late'], Format\until($post['time'] + $config['max_delete_time'])));
if (!hash_equals($post['password'], $password) && (!$thread || !hash_equals($thread['password'], $password))) {
if (!hash_equals($post['password'], $password) && (!$thread || !hash_equals($thread['password'], $password))) {
if ($post['time'] > time() - $config['delete_time'] && (!$thread || !hash_equals($thread['password'], $password))) {
if ($post['time'] > time() - $config['delete_time'] && (!$thread || !hash_equals($thread['password'], $password))) {
error(sprintf($config['error']['delete_too_soon'], until($post['time'] + $config['delete_time'])));
error(sprintf($config['error']['delete_too_soon'], Format\until($post['time'] + $config['delete_time'])));
@ -435,8 +419,9 @@ if (isset($_POST['delete'])) {
modLog("User at $ip deleted their own post #$id");
modLog("User at $ip deleted their own post #$id");
_syslog(LOG_INFO, 'Deleted post: ' .
'/' . $board['dir'] . $config['dir']['res'] . link_for($post) . ($post['thread'] ? '#' . $id : '')
'Deleted post: /' . $board['dir'] . $config['dir']['res'] . link_for($post) . ($post['thread'] ? '#' . $id : '')
@ -489,22 +474,30 @@ if (isset($_POST['delete'])) {
if (count($report) > $config['report_limit'])
if (count($report) > $config['report_limit'])
if ($config['report_captcha'] && !isset($_POST['captcha_text'], $_POST['captcha_cookie'])) {
if ($config['report_captcha']) {
if ($config['report_captcha']) {
$ch = curl_init($config['domain'].'/'.$config['captcha']['provider_check'] . "?" . http_build_query([
if (!isset($_POST['captcha_text'], $_POST['captcha_cookie'])) {
'mode' => 'check',
'text' => $_POST['captcha_text'],
'extra' => $config['captcha']['extra'],
'cookie' => $_POST['captcha_cookie']
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$resp = curl_exec($ch);
if ($resp !== '1') {
try {
$query = new NativeCaptchaQuery(
$success = $query->verify(
if (!$success) {
} catch (RuntimeException $e) {
$context->getLog()->log(Log::ERROR, "Native captcha IO exception: {$e->getMessage()}");
@ -522,9 +515,7 @@ if (isset($_POST['delete'])) {
$post = $query->fetch(PDO::FETCH_ASSOC);
$post = $query->fetch(PDO::FETCH_ASSOC);
if ($post === false) {
if ($post === false) {
if ($config['syslog']) {
$context->getLog()->log(Log::INFO, "Failed to report non-existing post #{$id} in {$board['dir']}");
_syslog(LOG_INFO, "Failed to report non-existing post #{$id} in {$board['dir']}");
@ -533,11 +524,12 @@ if (isset($_POST['delete'])) {
if ($config['syslog'])
_syslog(LOG_INFO, 'Reported post: ' .
'/' . $board['dir'] . $config['dir']['res'] . link_for($post) . ($post['thread'] ? '#' . $id : '') .
'Reported post: /'
' for "' . $reason . '"'
. $board['dir'] . $config['dir']['res'] . link_for($post) . ($post['thread'] ? '#' . $id : '')
. " for \"$reason\""
$query = prepare("INSERT INTO ``reports`` VALUES (NULL, :time, :ip, :board, :post, :reason)");
$query = prepare("INSERT INTO ``reports`` VALUES (NULL, :time, :ip, :board, :post, :reason)");
$query->bindValue(':time', time(), PDO::PARAM_INT);
$query->bindValue(':time', time(), PDO::PARAM_INT);
$query->bindValue(':ip', $_SERVER['REMOTE_ADDR'], PDO::PARAM_STR);
$query->bindValue(':ip', $_SERVER['REMOTE_ADDR'], PDO::PARAM_STR);
@ -600,62 +592,60 @@ if (isset($_POST['delete'])) {
// Check if banned
// Check if banned
// Check for CAPTCHA right after opening the board so the "return" link is in there
// Check for CAPTCHA right after opening the board so the "return" link is in there.
if ($config['recaptcha']) {
try {
if (!isset($_POST['g-recaptcha-response']))
// With our custom captcha provider
if ($config['captcha']['enabled'] || ($post['op'] && $config['new_thread_capt'])) {
$query = new NativeCaptchaQuery($context->getHttpDriver(), $config['domain'], $config['captcha']['provider_check']);
$success = $query->verify($config['captcha']['extra'], $_POST['captcha_text'], $_POST['captcha_cookie']);
// Check what reCAPTCHA has to say...
if (!$success) {
$resp = json_decode(file_get_contents(sprintf('https://www.recaptcha.net/recaptcha/api/siteverify?secret=%s&response=%s&remoteip=%s',
$_SERVER['REMOTE_ADDR'])), true);
if (actually_load_captcha !== undefined)
if (!$resp['success']) {
// Remote 3rd party captchas.
// hCaptcha
else {
if ($config['hcaptcha']) {
// recaptcha
if (!isset($_POST['h-captcha-response'])) {
if ($config['recaptcha']) {
if (!isset($_POST['g-recaptcha-response'])) {
$data = array(
$response = $_POST['g-recaptcha-response'];
'secret' => $config['hcaptcha_private'],
$query = RemoteCaptchaQuery::withRecaptcha($context->getHttpDriver(), $config['recaptcha_private']);
'response' => $_POST['h-captcha-response'],
'remoteip' => $_SERVER['REMOTE_ADDR']
// hCaptcha
elseif ($config['hcaptcha']) {
if (!isset($_POST['h-captcha-response'])) {
$hcaptchaverify = curl_init();
curl_setopt($hcaptchaverify, CURLOPT_URL, "https://hcaptcha.com/siteverify");
curl_setopt($hcaptchaverify, CURLOPT_POST, true);
$response = $_POST['h-captcha-response'];
curl_setopt($hcaptchaverify, CURLOPT_POSTFIELDS, http_build_query($data));
$query = RemoteCaptchaQuery::withHCaptcha($context->getHttpDriver(), $config['hcaptcha_private']);
curl_setopt($hcaptchaverify, CURLOPT_RETURNTRANSFER, true);
$hcaptcharesponse = curl_exec($hcaptchaverify);
if (isset($query, $response)) {
$resp = json_decode($hcaptcharesponse, true); // Decoding $hcaptcharesponse instead of $response
$success = $query->verify($response, $_SERVER['REMOTE_ADDR']);
if (!$success) {
if (!$resp['success']) {
} catch (RuntimeException $e) {
$context->getLog()->log(Log::ERROR, "Captcha IO exception: {$e->getMessage()}");
} catch (JsonException $e) {
$context->getLog()->log(Log::ERROR, "Bad JSON reply to captcha: {$e->getMessage()}");
// Same, but now with our custom captcha provider
if (($config['captcha']['enabled']) || (($post['op']) && ($config['new_thread_capt'])) ) {
$ch = curl_init($config['domain'].'/'.$config['captcha']['provider_check'] . "?" . http_build_query([
'mode' => 'check',
'text' => $_POST['captcha_text'],
'extra' => $config['captcha']['extra'],
'cookie' => $_POST['captcha_cookie']
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$resp = curl_exec($ch);
if ($resp !== '1') {
error($config['error']['captcha'] .
'<script>if (actually_load_captcha !== undefined) actually_load_captcha("'.$config['captcha']['provider_get'].'", "'.$config['captcha']['extra'].'");</script>');
if (!(($post['op'] && $_POST['post'] == $config['button_newtopic']) ||
if (!(($post['op'] && $_POST['post'] == $config['button_newtopic']) ||
(!$post['op'] && $_POST['post'] == $config['button_reply'])))
(!$post['op'] && $_POST['post'] == $config['button_reply'])))
@ -759,7 +749,21 @@ if (isset($_POST['delete'])) {
try {
try {
$_FILES['file'] = download_file_from_url($_POST['file_url'], $config['upload_by_url_timeout'], $allowed_extensions, $config['tmp'], $config['error']);
$ret = download_file_from_url(
if ($ret === false) {
error(sprintf3($config['error']['filesize'], array(
'filesz' => 'more than that',
'maxsz' => number_format($config['max_filesize'])
$_FILES['file'] = $ret;
} catch (Exception $e) {
} catch (Exception $e) {
@ -849,7 +853,12 @@ if (isset($_POST['delete'])) {
$trip = generate_tripcode($post['name']);
$trip = generate_tripcode($post['name']);
$post['name'] = $trip[0];
$post['name'] = $trip[0];
$post['trip'] = isset($trip[1]) ? $trip[1] : ''; // XX: Dropped posts and tripcodes
if ($config['disable_tripcodes'] = true && !$mod) {
$post['trip'] = '';
else {
$post['trip'] = isset($trip[1]) ? $trip[1] : ''; // XX: Dropped posts and tripcodes
$noko = false;
$noko = false;
if (strtolower($post['email']) == 'noko') {
if (strtolower($post['email']) == 'noko') {
@ -1028,7 +1037,7 @@ if (isset($_POST['delete'])) {
if ($file['is_an_image']) {
if ($file['is_an_image']) {
if ($config['ie_mime_type_detection'] !== false) {
if ($config['ie_mime_type_detection'] !== false) {
// Check IE MIME type detection XSS exploit
// Check IE MIME type detection XSS exploit
$buffer = file_get_contents($upload, null, null, null, 255);
$buffer = file_get_contents($upload, false, null, 0, 255);
if (preg_match($config['ie_mime_type_detection'], $buffer)) {
if (preg_match($config['ie_mime_type_detection'], $buffer)) {
@ -1048,19 +1057,24 @@ if (isset($_POST['delete'])) {
// The following code corrects the image orientation.
$file['exif_stripped'] = false;
if ($config['convert_auto_orient'] && ($size[2] == IMAGETYPE_JPEG)) {
// 'redraw_image' should already fix image orientation by itself
if ($file_image_has_operable_metadata && $config['convert_auto_orient']) {
if (!($config['redraw_image'])) {
// The following code corrects the image orientation.
// Currently only works with the 'convert' option selected but it could easily be expanded to work with the rest if you can be bothered.
if (!($config['redraw_image'] || (($config['strip_exif'] && !$config['use_exiftool'])))) {
if (in_array($config['thumb_method'], array('convert', 'convert+gifsicle', 'gm', 'gm+gifsicle'))) {
if (in_array($config['thumb_method'], array('convert', 'convert+gifsicle', 'gm', 'gm+gifsicle'))) {
$exif = @exif_read_data($file['tmp_name']);
$exif = @exif_read_data($file['tmp_name']);
$gm = in_array($config['thumb_method'], array('gm', 'gm+gifsicle'));
$gm = in_array($config['thumb_method'], array('gm', 'gm+gifsicle'));
if (isset($exif['Orientation']) && $exif['Orientation'] != 1) {
if (isset($exif['Orientation']) && $exif['Orientation'] != 1) {
$error = shell_exec_error(($gm ? 'gm ' : '') . 'convert ' .
$error = shell_exec_error(($gm ? 'gm ' : '') . 'convert ' .
escapeshellarg($file['tmp_name']) . ' -auto-orient ' . escapeshellarg($file['tmp_name']));
escapeshellarg($file['tmp_name']) . ' -auto-orient ' . escapeshellarg($upload));
if ($error)
if ($error)
error(_('Could not auto-orient image!'), null, $error);
error(_('Could not auto-orient image!'), null, $error);
$size = @getimagesize($file['tmp_name']);
$size = @getimagesize($file['tmp_name']);
if ($config['strip_exif'])
$file['exif_stripped'] = true;
@ -1109,16 +1123,14 @@ if (isset($_POST['delete'])) {
$dont_copy_file = false;
$dont_copy_file = false;
if ($config['redraw_image'] || (!@$file['exif_stripped'] && $config['strip_exif'] && ($file['extension'] == 'jpg' || $file['extension'] == 'jpeg'))) {
if ($config['redraw_image'] || ($file_image_has_operable_metadata && !$file['exif_stripped'] && $config['strip_exif'])) {
if (!$config['redraw_image'] && $config['use_exiftool']) {
if (!$config['redraw_image'] && $config['use_exiftool']) {
try {
try {
$file['size'] = strip_image_metadata($file['tmp_name']);
$file['size'] = strip_image_metadata($file['tmp_name']);
} catch (RuntimeException $e) {
} catch (RuntimeException $e) {
if ($config['syslog']) {
$context->getLog()->log(Log::ERROR, "Could not strip image metadata: {$e->getMessage()}");
_syslog(LOG_ERR, "Could not strip image metadata: {$e->getMessage()}");
// Since EXIF metadata can countain sensible info, fail the request.
// Since EXIF metadata can countain sensible info, fail the request.
error(_('Could not strip EXIF metadata!'), null, $error);
error(_('Could not strip EXIF metadata!'), null, $error);
} else {
} else {
@ -1154,9 +1166,7 @@ if (isset($_POST['delete'])) {
$post['body_nomarkup'] .= "<tinyboard ocr image $key>" . htmlspecialchars($value) . "</tinyboard>";
$post['body_nomarkup'] .= "<tinyboard ocr image $key>" . htmlspecialchars($value) . "</tinyboard>";
} catch (RuntimeException $e) {
} catch (RuntimeException $e) {
if ($config['syslog']) {
$context->getLog()->log(Log::ERROR, "Could not OCR image: {$e->getMessage()}");
_syslog(LOG_ERR, "Could not OCR image: {$e->getMessage()}");
@ -1309,14 +1319,22 @@ if (isset($_POST['delete'])) {
if (isset($_SERVER['HTTP_REFERER'])) {
if (isset($_SERVER['HTTP_REFERER'])) {
// Tell Javascript that we posted successfully
// Tell Javascript that we posted successfully
if (isset($_COOKIE[$config['cookies']['js']]))
if (isset($_COOKIE[$config['cookies']['js']])) {
$js = json_decode($_COOKIE[$config['cookies']['js']]);
$js = json_decode($_COOKIE[$config['cookies']['js']]);
} else {
$js = (object) array();
$js = (object)array();
// Tell it to delete the cached post for referer
// Tell it to delete the cached post for referer
$js->{$_SERVER['HTTP_REFERER']} = true;
$js->{$_SERVER['HTTP_REFERER']} = true;
// Encode and set cookie
setcookie($config['cookies']['js'], json_encode($js), 0, $config['cookies']['jail'] ? $config['cookies']['path'] : '/', null, false, false);
// Encode and set cookie.
$options = [
'expires' => 0,
'path' => $config['cookies']['jail'] ? $config['cookies']['path'] : '/',
'httponly' => false,
'samesite' => 'Strict'
setcookie($config['cookies']['js'], json_encode($js), $options);
$root = $post['mod'] ? $config['root'] . $config['file_mod'] . '?/' : $config['root'];
$root = $post['mod'] ? $config['root'] . $config['file_mod'] . '?/' : $config['root'];
@ -1346,9 +1364,10 @@ if (isset($_POST['delete'])) {
buildThread($post['op'] ? $id : $post['thread']);
buildThread($post['op'] ? $id : $post['thread']);
if ($config['syslog'])
_syslog(LOG_INFO, 'New post: /' . $board['dir'] . $config['dir']['res'] .
link_for($post) . (!$post['op'] ? '#' . $id : ''));
'New post: /' . $board['dir'] . $config['dir']['res'] . link_for($post) . (!$post['op'] ? '#' . $id : '')
if (!$post['mod']) header('X-Associated-Content: "' . $redirect . '"');
if (!$post['mod']) header('X-Associated-Content: "' . $redirect . '"');
@ -9,15 +9,22 @@
$queries_per_minutes_all = $config['search']['queries_per_minutes_all'];
$queries_per_minutes_all = $config['search']['queries_per_minutes_all'];
$search_limit = $config['search']['search_limit'];
$search_limit = $config['search']['search_limit'];
//Is there a whitelist? Let's list those boards and if not, let's list everything.
if (isset($config['search']['boards'])) {
if (isset($config['search']['boards'])) {
$boards = $config['search']['boards'];
$boards = $config['search']['boards'];
} else {
} else {
$boards = listBoards(TRUE);
$boards = listBoards(TRUE);
//Let's remove any disallowed boards from the above list (the blacklist)
if (isset($config['search']['disallowed_boards'])) {
$boards = array_values(array_diff($boards, $config['search']['disallowed_boards']));
$body = Element('search_form.html', Array('boards' => $boards, 'board' => isset($_GET['board']) ? $_GET['board'] : false, 'search' => isset($_GET['search']) ? str_replace('"', '"', utf8tohtml($_GET['search'])) : false));
$body = Element('search_form.html', Array('boards' => $boards, 'board' => isset($_GET['board']) ? $_GET['board'] : false, 'search' => isset($_GET['search']) ? str_replace('"', '"', utf8tohtml($_GET['search'])) : false));
if(isset($_GET['search']) && !empty($_GET['search']) && isset($_GET['board']) && in_array($_GET['board'], $boards)) {
if(isset($_GET['search']) && !empty($_GET['search']) && isset($_GET['board']) && in_array($_GET['board'], $boards)) {
$phrase = $_GET['search'];
$phrase = $_GET['search'];
$_body = '';
$_body = '';
@ -906,7 +906,8 @@ pre {
display: block;
display: block;
width: 100%;
width: 100%;
height: 100%;
height: 100%;
margin-top: 0px;
max-width: 620px;
margin: auto;
.mentioned {
.mentioned {
@ -1 +0,0 @@
@ -14,6 +14,18 @@
{% include 'header.html' %}
{% include 'header.html' %}
{% set meta_subject %}{% if config.thread_subject_in_title and thread.subject %}{{ thread.subject|e }}{% else %}{{ thread.body_nomarkup|remove_modifiers[:256]|e }}{% endif %}{% endset %}
<meta name="description" content="{{ meta_subject }}" />
<meta name="twitter:card" value="summary">
<meta name="twitter:title" content="{{ board.url }} - {{ board.title|e }}" />
<meta name="twitter:description" content="{{ meta_subject }}" />
<meta name="twitter:image" content="{{ config.domain }}/{{ config.logo }}" />
<meta property="og:title" content="{{ board.url }} - {{ board.title|e }}" />
<meta property="og:type" content="article" />
<meta property="og:image" content="{{ config.domain }}/{{ config.logo }}" />
<meta property="og:description" content="{{ meta_subject }}" />
<title>{{ board.url }} - {{ board.title|e }}</title>
<title>{{ board.url }} - {{ board.title|e }}</title>
<body class="8chan vichan {% if mod %}is-moderator{% else %}is-not-moderator{% endif %} active-{% if not no_post_form %}index{% else %}ukko{% endif %}" data-stylesheet="{% if config.default_stylesheet.1 != '' %}{{ config.default_stylesheet.1 }}{% else %}default{% endif %}">
<body class="8chan vichan {% if mod %}is-moderator{% else %}is-not-moderator{% endif %} active-{% if not no_post_form %}index{% else %}ukko{% endif %}" data-stylesheet="{% if config.default_stylesheet.1 != '' %}{{ config.default_stylesheet.1 }}{% else %}default{% endif %}">
@ -166,7 +166,7 @@
A newer version of vichan
A newer version of vichan
(<strong>v{{ newer_release.massive }}.{{ newer_release.major }}.{{ newer_release.minor }}</strong>) is available!
(<strong>v{{ newer_release.massive }}.{{ newer_release.major }}.{{ newer_release.minor }}</strong>) is available!
See <a href="https://engine.vichan.net">https://engine.vichan.net/</a> for upgrade instructions.
See <a href="https://vichan.info">https://vichan.info/</a> for upgrade instructions.
@ -5,7 +5,7 @@
<th>{% trans %}Markup method{% endtrans %}
<th>{% trans %}Markup method{% endtrans %}
{% set allowed_html = config.allowed_html %}
{% set allowed_html = config.allowed_html %}
{% trans %}<p class="unimportant">"markdown" is provided by <a href="http://parsedown.org/">parsedown</a>. Note: images disabled.</p>
{% trans %}<p class="unimportant">"markdown" is provided by <a href="http://parsedown.org/">parsedown</a></p>
<p class="unimportant">"html" allows the following tags:<br/>{{ allowed_html }}</p>
<p class="unimportant">"html" allows the following tags:<br/>{{ allowed_html }}</p>
<p class="unimportant">"infinity" is the same as what is used in posts.</p>
<p class="unimportant">"infinity" is the same as what is used in posts.</p>
<p class="unimportant">This page will not convert between formats,<br/>choose it once or do the conversion yourself!</p>{% endtrans %}
<p class="unimportant">This page will not convert between formats,<br/>choose it once or do the conversion yourself!</p>{% endtrans %}
@ -1 +1 @@
<time datetime="{{ post.time|date('%Y-%m-%dT%H:%M:%S') }}{{ timezone() }}">{{ post.time|date(config.post_date) }}</time>
<time datetime="{{ post.time|date('Y-m-d\\TH:i:s\Z') }}">{{ post.time|date(config.post_date) }}</time>
@ -29,7 +29,7 @@
{% else %}
{% else %}
<em>no subject</em>
<em>no subject</em>
{% endif %}
{% endif %}
<span class="unimportant"> — by {{ entry.name }} at {{ entry.time|date(config.post_date, config.timezone) }}</span>
<span class="unimportant"> — by {{ entry.name }} at {{ entry.time|date(config.post_date) }}</span>
<p>{{ entry.body }}</p>
<p>{{ entry.body }}</p>
{% endfor %}
{% endfor %}
@ -19,24 +19,24 @@
<span>{% trans 'Sort by' %}: </span>
<span>{% trans 'Sort by' %}: </span>
<select id="sort_by" style="display: inline-block">
<select id="sort_by" style="display: inline-block">
<option selected value="bump:desc">{% trans 'Bump order' %}</option>
<option selected value="bump:desc">{% trans 'Bump order' %}</option>
<option value="time:desc">{% trans 'Creation date' %}</option>
<option value="time:desc">{% trans 'Creation date' %}</option>
<option value="reply:desc">{% trans 'Reply count' %}</option>
<option value="reply:desc">{% trans 'Reply count' %}</option>
<option value="random:desc">{% trans 'Random' %}</option>
<option value="random:desc">{% trans 'Random' %}</option>
<span>{% trans 'Image size' %}: </span>
<span>{% trans 'Image size' %}: </span>
<select id="image_size" style="display: inline-block">
<select id="image_size" style="display: inline-block">
<option value="vsmall">{% trans 'Very small' %}</option>
<option value="vsmall">{% trans 'Very small' %}</option>
<option selected value="small">{% trans 'Small' %}</option>
<option selected value="small">{% trans 'Small' %}</option>
<option value="large">{% trans 'Large' %}</option>
<option value="large">{% trans 'Large' %}</option>
<div class="threads">
<div class="threads">
<div id="Grid">
<div id="Grid">
{% for post in recent_posts %}
{% for post in recent_posts %}
<div class="mix"
<div class="mix"
data-reply="{{ post.reply_count }}"
data-reply="{{ post.reply_count }}"
data-bump="{{ post.bump }}"
data-bump="{{ post.bump }}"
data-time="{{ post.time }}"
data-time="{{ post.time }}"
@ -44,18 +44,18 @@
data-sticky="{% if post.sticky %}true{% else %}false{% endif %}"
data-sticky="{% if post.sticky %}true{% else %}false{% endif %}"
data-locked="{% if post.locked %}true{% else %}false{% endif %}"
data-locked="{% if post.locked %}true{% else %}false{% endif %}"
<div class="thread grid-li grid-size-small">
<div class="thread grid-li grid-size-small">
<a href="{{post.link}}">
<a href="{{post.link}}">
{% if post.youtube %}
{% if post.youtube %}
<img src="//img.youtube.com/vi/{{ post.youtube }}/0.jpg"
<img src="//img.youtube.com/vi/{{ post.youtube }}/0.jpg"
{% else %}
{% else %}
<img src="{{post.file}}"
<img src="{{post.file}}"
{% endif %}
{% endif %}
id="img-{{ post.id }}" data-subject="{% if post.subject %}{{ post.subject|e }}{% endif %}" data-name="{{ post.name|e }}" data-muhdifference="{{ post.muhdifference }}" class="{{post.board}} thread-image" title="{{post.bump|date('%b %d %H:%M')}}">
id="img-{{ post.id }}" data-subject="{% if post.subject %}{{ post.subject|e }}{% endif %}" data-name="{{ post.name|e }}" data-muhdifference="{{ post.muhdifference }}" class="{{post.board}} thread-image" title="{{post.bump|date('M d H:i')}}">
<div class="replies">
<div class="replies">
<strong>R: {{ post.reply_count }} / I: {{ post.image_count }}{% if post.sticky %} (sticky){% endif %}</strong>
<strong>R: {{ post.reply_count }} / I: {{ post.image_count }}{% if post.sticky %} (sticky){% endif %}</strong>
{% if post.subject %}
{% if post.subject %}
<p class="intro">
<p class="intro">
<span class="subject">
<span class="subject">
{{ post.subject|e }}
{{ post.subject|e }}
@ -66,12 +66,12 @@
{% endif %}
{% endif %}
{{ post.body }}
{{ post.body }}
{% endfor %}
{% endfor %}
{% include 'footer.html' %}
{% include 'footer.html' %}
@ -1,7 +1,14 @@
<!doctype html>
<!doctype html>
<meta http-equiv="Content-type" content="text/html; charset=utf-8" />
<meta http-equiv="Content-type" content="text/html; charset=utf-8" />
<meta name="twitter:card" value="summary">
<meta name="twitter:title" content="{{ settings.title }}" />
<meta name="twitter:image" content="{{ config.domain }}/{{ config.logo }}" />
<meta property="og:title" content="{{ settings.title }}" />
<meta property="og:type" content="article" />
<meta property="og:url" content="{{ config.domain }}" />
<meta property="og:image" content="{{ config.domain }}/{{ config.logo }}" />
<link rel="stylesheet" media="screen" href="{{ config.url_stylesheet }}">
<link rel="stylesheet" media="screen" href="{{ config.url_stylesheet }}">
<style type="text/css">
<style type="text/css">
@ -10,7 +10,7 @@
{% for thread in thread_list %}
{% for thread in thread_list %}
<loc>{{ settings.url ~ (config.board_path | format(board)) ~ config.dir.res ~ link_for(thread) }}</loc>
<loc>{{ settings.url ~ (config.board_path | format(board)) ~ config.dir.res ~ link_for(thread) }}</loc>
<lastmod>{{ thread.lastmod | date('%Y-%m-%dT%H:%M:%S') }}{{ timezone() }}</lastmod>
<lastmod>{{ thread.lastmod | date('Y-m-d\\TH:i:s\Z') }}</lastmod>
<changefreq>{{ settings.changefreq }}</changefreq>
<changefreq>{{ settings.changefreq }}</changefreq>
{% endfor %}
{% endfor %}
@ -15,6 +15,9 @@
<meta name="description" content="{{ board.url }} - {{ board.title|e }} - {{ meta_subject }}" />
<meta name="description" content="{{ board.url }} - {{ board.title|e }} - {{ meta_subject }}" />
<meta name="twitter:card" value="summary">
<meta name="twitter:card" value="summary">
<meta name="twitter:title" content="{{ meta_subject }}" />
<meta name="twitter:description" content="{{ thread.body_nomarkup|e }}" />
{% if thread.files.0.thumb %}<meta name="twitter:image" content="{{ config.domain }}/{{ board.uri }}/{{ config.dir.thumb }}{{ thread.files.0.thumb }}" />{% endif %}
<meta property="og:title" content="{{ meta_subject }}" />
<meta property="og:title" content="{{ meta_subject }}" />
<meta property="og:type" content="article" />
<meta property="og:type" content="article" />
<meta property="og:url" content="{{ config.domain }}/{{ board.uri }}/{{ config.dir.res }}{{ thread.id }}.html" />
<meta property="og:url" content="{{ config.domain }}/{{ board.uri }}/{{ config.dir.res }}{{ thread.id }}.html" />
Reference in New Issue
Block a user