From 7bc56a9e08ad6ff2c6a304fd8b8b2a51f680c14e Mon Sep 17 00:00:00 2001
From: Juribiyan
Date: Thu, 24 May 2018 19:46:15 +0500
Subject: [PATCH] =?UTF-8?q?[=E2=9A=A0=EF=B8=8FSECURITY]=20Staff=20rights?=
 =?UTF-8?q?=20changes?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* XSS threats eliminated (Raw HTML allowed for admin only)
* Board owners allowed to modpost
---
 board.php | 14 ++++----
 dwoo/templates/board_main_loop.tpl | 4 +--
 inc/classes/manage.class.php | 57 +++++++++++++++++++++++-------
 inc/classes/posting.class.php | 25 +++++++++----
 inc/func/validation.php | 16 ---------
 inc/lang/ru/LC_MESSAGES/kusaba.po | 5 ++-
 manage_menu.php | 2 +-
 7 files changed, 78 insertions(+), 45 deletions(-)
 delete mode 100644 inc/func/validation.php

diff --git a/board.php b/board.php
index 8af4366..04d3c80 100644
--- a/board.php
+++ b/board.php
@@ -197,7 +197,7 @@ if (isset($_POST['makepost'])) { // A more evident way to identify post action,
 $dice = ($board_class->board['dice']) ? true : false;
 $ipmd5 = md5($_SERVER['REMOTE_ADDR']);
 // If they are just a normal user, or vip...
-if (isNormalUser($user_authority)) {
+if ($user_authority <= 0) {
 // If the thread is locked
 if ($thread_locked == 1) {
 // Don't let the user post
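Review bot: `if ($user_authority <= 0)` replaces `isNormalUser()` at this one call site while the diffstat shows `inc/func/validation.php` being deleted, so any other caller of `isNormalUser` still in the codebase would now fail with an undefined-function error; I cannot rule that out from this hunk, so a grep for the name before merging is warranted. Since the numeric levels are now compared inline, a comment keeps the mapping readable: `// $user_authority: <= 0 normal poster, 1 admin, 2 mod, 3 board owner (assigned in posting.class.php); an unset value also lands here`. The enclosing `if (isset($_POST['makepost']))` block starts and ends outside the hunk.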
@@ -206,17 +206,19 @@ if (isset($_POST['makepost'])) { // A more evident way to identify post action, $post_message = $parse_class->ParsePost($_POST['message'], $board_class->board['name'], $thread_replyto, $board_class->board['id'], false, $ua, $dice, $ipmd5); // Or, if they are a moderator/administrator... - } else { + } + else { // If they checked the D checkbox, set the variable to tell the script to display their staff status (Admin/Mod) on the post during insertion if (isset($_POST['displaystaffstatus'])) { $post_displaystaffstatus = true; } - // If they checked the RH checkbox, set the variable to tell the script to insert the post as-is... - if (isset($_POST['rawhtml'])) { + // If they checked the RH checkbox, set the variable to tell the script to insert the post as-is... (admin only) + if (isset($_POST['rawhtml']) && $user_authority==1) { $post_message = $_POST['message']; // Otherwise, parse it as usual... - } else { + } + else { $post_message = $parse_class->ParsePost($_POST['message'], $board_class->board['name'], $thread_replyto, $board_class->board['id'], false, $ua, $dice, $ipmd5); // (Moved) check against blacklist and detect flood } @@ -291,7 +293,7 @@ if (isset($_POST['makepost'])) { // A more evident way to identify post action, $lock = 0; } - if (!$post_displaystaffstatus && $user_authority > 0 && $user_authority != 3) { + if (!$post_displaystaffstatus && $user_authority > 0) { $user_authority_display = 0; } elseif ($user_authority > 0) { $user_authority_display = $user_authority; diff --git a/dwoo/templates/board_main_loop.tpl b/dwoo/templates/board_main_loop.tpl index c019daa..f4e8021 100644 --- a/dwoo/templates/board_main_loop.tpl +++ b/dwoo/templates/board_main_loop.tpl 
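Review bot: `$user_authority==1` on the raw-HTML gate is a loose comparison; `$user_authority` is assigned integer literals in posting.class.php, so `isset($_POST['rawhtml']) && $user_authority === 1` states the admin-only intent precisely and would not be satisfied by some other truthy value if the variable's origin ever changes. The `else` branch now also covers board owners (level 3), so their posts go through `ParsePost` like moderators', which matches the commit message. The @@ -291 hunk in this file consistently stops zeroing `$user_authority_display` for level 3, and the template hunk adds the matching `Board owner` label. The enclosing `if (isset($_POST['makepost']))` block begins and ends outside the hunk.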
@@ -61,10 +61,10 @@ {/strip} {if $post.posterauthority eq 1} ## {t}Admin{/t} ## - {elseif $post.posterauthority eq 4} - ## {t}Super Mod{/t} ## {elseif $post.posterauthority eq 2} ## {t}Mod{/t} ## + {elseif $post.posterauthority eq 3} + ## {t}Board owner{/t} ## {/if} {$post.timestamp_formatted} diff --git a/inc/classes/manage.class.php b/inc/classes/manage.class.php index dea9a88..9dc8375 100755 --- a/inc/classes/manage.class.php +++ b/inc/classes/manage.class.php @@ -905,7 +905,7 @@ class Manage { $log .= _gettext('Moderator'); break; case 3: - $log .= _gettext('Board Owner'); + $log .= _gettext('Userboards Owner'); break; } $log .= ' '. $_POST['username']; @@ -963,7 +963,7 @@ class Manage { } elseif ($_POST['type'] == '0') { $logentry .= _gettext('Janitor'); } elseif ($_POST['type'] == '3') { - $logentry .= _gettext('Board Owner'); + $logentry .= _gettext('Userboards Owner'); } else { exitWithErrorPage('Something went wrong.'); } @@ -994,7 +994,7 @@ class Manage { $tpl_page .= ($type==1) ? '' : ''; $tpl_page .= ($type==2) ? '' : ''; $tpl_page .= ($type==0) ? '' : ''; - $tpl_page .= ($type==3) ? '' : ''; + $tpl_page .= ($type==3) ? '' : ''; $tpl_page .= '

'; $tpl_page .= _gettext('Moderates') . '
@@ -1025,7 +1025,7 @@ class Manage { - +
@@ -1045,7 +1045,7 @@ class Manage { $stafftype = 'Janitor'; $numtype = 0; } elseif ($i == 4) { - $stafftype = 'Board Owner'; + $stafftype = 'Userboards Owner'; $numtype = 3; } $tpl_page .= ''. _gettext($stafftype) . ''. "\n"; @@ -4500,13 +4500,14 @@ class Manage { } $instantban = false; if ((isset($_GET['instant']) || isset($_GET['cp'])) && $ban_ip) { + // TODO: if (isset($_GET['cp'])) { $ban_reason = "You have been banned for posting Child Pornography. Your IP has been logged, and the proper authorities will be notified."; } else { if($_GET['reason']) { $ban_reason = urldecode($_GET['reason']); } else { - $ban_Reason = KU_BANREASON; + $ban_reason = KU_BANREASON; } } $instantban = true; @@ -4565,6 +4566,10 @@ class Manage { $ban_reason = ($instantban) ? $ban_reason : $_POST['reason']; $ban_note = ($instantban) ? '' : $_POST['staffnote']; + if (! $this->CurrentUserIsAdministrator()) { + $ban_reason = htmlspecialchars($ban_reason); + $ban_note = htmlspecialchars($ban_note); + } $ban_appealat = 0; if (KU_APPEAL != '' && !$instantban) { $ban_appealat = intval($_POST['appealdays'] * 86400); 
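Review bot: The added `// TODO:` on the instant-ban branch of the @@ -4500 hunk is empty and so documents nothing; either state what is pending or drop it. The `$ban_Reason` → `$ban_reason` correction is right, as the misspelt variable left `$ban_reason` unassigned when no reason was passed; the neighbouring `if($_GET['reason'])` still raises an undefined-index notice when the parameter is absent, and `if (!empty($_GET['reason']))` avoids that. The enclosing method starts and ends outside the hunk.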
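Review bot: `htmlspecialchars($ban_reason)` and `htmlspecialchars($ban_note)` in the @@ -4565 hunk rely on default flags, which on PHP versions before 8.1 leave single quotes unescaped and pass invalid UTF-8 through; pass `ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'` explicitly on both lines, and the same applies to `htmlspecialchars($ban_msg)` in the @@ -4583 hunk. This also escapes at storage time: the value handed to `BanUser` is HTML-encoded for non-admins but raw for admins, so every place that later renders a reason or note has to know which form it received and must not escape again; escaping once at output, regardless of who placed the ban, is the more robust contract, with any admin-only raw-HTML allowance applied there if it is really needed. The enclosing method starts and ends outside the hunk.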
@@ -4583,8 +4588,31 @@ class Manage { } if ($bans_class->BanUser($ban_ip, $_SESSION['manageusername'], $ban_globalban, $ban_duration, $ban_boards, $ban_reason, $ban_note, $ban_appealat, $ban_type, $ban_allowread)) { $regenerated = array(); - if (((KU_BANMSG != '' || $_POST['banmsg'] != '') && isset($_POST['addbanmsg']) && (isset($_POST['quickbanpostid']) || isset($_POST['quickmultibanpostid']))) || $instantban ) { - $ban_msg = ((KU_BANMSG == $_POST['banmsg']) || empty($_POST['banmsg'])) ? KU_BANMSG : $_POST['banmsg']; + if ( + ( + ( + KU_BANMSG != '' + || + $_POST['banmsg'] != '' + ) + && + isset($_POST['addbanmsg']) + && + ( + isset($_POST['quickbanpostid']) + || + isset($_POST['quickmultibanpostid']) + ) + ) + || + $instantban + ) { + $ban_msg = (KU_BANMSG == $_POST['banmsg'] || empty($_POST['banmsg'])) + ? KU_BANMSG + : $_POST['banmsg']; + if (! $this->CurrentUserIsAdministrator()) { + $ban_msg = '
'.htmlspecialchars($ban_msg).''; + } if (isset($ban_post_id)) $postids = Array($ban_post_id); else @@ -4606,7 +4634,8 @@ class Manage { } } $tpl_page .= _gettext('Ban successfully placed.')."
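Review bot: The reshaped condition and the `$ban_msg` assignment still read `$_POST['banmsg']` without checking it exists, and the `$instantban` path is reached via `$_GET` (see the @@ -4500 hunk) where that POST field will typically be absent, so `KU_BANMSG == $_POST['banmsg']` raises an undefined-index notice there; reading it once as `$banmsg_input = isset($_POST['banmsg']) ? $_POST['banmsg'] : '';` and using that in both expressions removes the notice, and the loose `KU_BANMSG == ...` comparison can then become `===`. The one-operator-per-line layout of the condition is unusually spread out for a boolean expression; naming the sub-conditions (for example `$has_msg` and `$is_quick_ban`) would read better than the nested parentheses. The enclosing method starts and ends outside the hunk.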
"; - } else { + } + else { exitWithErrorPage(_gettext('Sorry, a generic error has occurred.')); } @@ -4713,6 +4742,7 @@ class Manage { '; } if($this->CurrentUserIsAdministrator()) { + $banmsg = '
'.KU_BANMSG.''; $tpl_page .= '
@@ -4720,15 +4750,18 @@ class Manage { -
'. _gettext('The type of ban. A single IP can be banned by providing the full address. A whitelist ban prevents that IP from being banned. An IP range can be banned by providing the IP range you would like to ban, in this format: 123.123.12') . '

'; +
'. _gettext('The type of ban. A single IP can be banned by providing the full address. A whitelist ban prevents that IP from being banned. An IP range can be banned by providing the IP range you would like to ban, in this format: 123.123.12') . '
'; + } + else { + $banmsg = KU_BANMSG; } if ($isquickban && KU_BANMSG != '') { - $tpl_page .= ' + $tpl_page .= '
'. _gettext('If checked, the configured ban message will be added to the end of the post.') . '

- '; + '; } $tpl_page .=' diff --git a/inc/classes/posting.class.php b/inc/classes/posting.class.php index 3f7d7e7..ce9d04c 100644 --- a/inc/classes/posting.class.php +++ b/inc/classes/posting.class.php @@ -220,18 +220,29 @@ class Posting { if (isset($_POST['modpassword'])) { $results = $tc_db->GetAll("SELECT `type`, `boards` FROM `" . KU_DBPREFIX . "staff` WHERE `username` = '" . md5_decrypt($_POST['modpassword'], KU_RANDOMSEED) . "' LIMIT 1"); - if (count($results) > 0) { $entry = $results[0]; if ($entry['type'] == 1) { $user_authority = 1; // admin - } elseif ($entry['type'] == 2 && in_array($board_class->board['name'], explode('|', $entry['boards']) ) ) { + } + elseif ( + $entry['type'] == 2 + && + ( + in_array($board_class->board['name'], explode('|', $entry['boards'])) + || + $entry['boards'] == 'allboards' + ) + ) { $user_authority = 2; // mod - } elseif ($entry['type'] == 2 && $entry['boards'] == 'allboards') { - $user_authority = 2; - }/* elseif ($results[0][0] == 3) { - $user_authority = 3; // VIP - }*/ + } + elseif ( + $entry['type'] == 3 + && + in_array($board_class->board['name'], explode('|', $entry['boards'])) + ) { + $user_authority = 3; // 2.0 board owner + } if ($user_authority < 3) { /* set posting flags for mods and admins */ if (isset($_POST['displaystaffstatus'])) $flags .= 'D'; if (isset($_POST['lockonpost'])) $flags .= 'L'; diff --git a/inc/func/validation.php b/inc/func/validation.php deleted file mode 100644 index 3edcbc7..0000000 --- a/inc/func/validation.php +++ /dev/null @@ -1,16 +0,0 @@ - \ No newline at end of file diff --git a/inc/lang/ru/LC_MESSAGES/kusaba.po b/inc/lang/ru/LC_MESSAGES/kusaba.po index c064326..1849ae9 100644 --- a/inc/lang/ru/LC_MESSAGES/kusaba.po +++ b/inc/lang/ru/LC_MESSAGES/kusaba.po 
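Review bot: The new board-owner branch grants `$user_authority = 3` from the staff row fetched by the query just above the first change, which interpolates `md5_decrypt($_POST['modpassword'], KU_RANDOMSEED)` straight into the SQL string; that value derives from request data, and with this commit widening what the lookup unlocks, the lookup should use a prepared statement or the driver's escaping rather than string concatenation. Within the added lines, `$entry['type'] == 3` is a loose comparison on a database value whose type is not visible here, so `(int) $entry['type'] === 3` is the explicit form, and both `in_array(...)` calls can pass `true` as the third argument. Note also the unchanged `if ($user_authority < 3)` guard right after the new branch, which appends the `D`/`L` posting flags only for admins and mods, while board.php in this same patch now honours `displaystaffstatus` for level 3 — if the `D` flag is what later rendering relies on, a board owner's choice would be dropped here; worth confirming. The enclosing method starts and ends outside the hunk.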
@@ -1786,9 +1786,12 @@ msgstr "Мамка в комнате" msgid "Expand images to full size" msgstr "Разворачивать картинки до исходного размера" -msgid "Board Owner" +msgid "Userboards Owner" msgstr "Владелец 2.0 досок" +msgid "Board Owner" +msgstr "Владелец доски" + msgid "Board limit exceeded. Delete the unused boards." msgstr "Превышен лимит 2.0 досок. Удалите неиспользуемые доски." diff --git a/manage_menu.php b/manage_menu.php index 7f62fb9..6b35104 100644 --- a/manage_menu.php +++ b/manage_menu.php @@ -54,7 +54,7 @@ if (!$manage_class->ValidateSession(true)) { } elseif ($manage_class->CurrentUserIsModerator()) { $tpl_links .= _gettext('Moderator'); } elseif ($manage_class->CurrentUserIsBoardOwner()) { - $tpl_links .= _gettext('Board Owner'); + $tpl_links .= _gettext('Userboards Owner'); $includelogo20 = '1'; } else { $tpl_links .= _gettext('Janitor');