
Changeset 532918


Timestamp:
04/18/2012 04:00:31 PM (13 years ago)
Author:
lucidcrew
Message:

fixing harmless "exploits"

Location:
forum-server/trunk
Files:
6 edited

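--- a/forum-server/trunk/fs-admin/fs-admin.php
+++ b/forum-server/trunk/fs-admin/fs-admin.php
@@ -559,17 +559,17 @@
                 $options = array( 'forum_posts_per_page'        => $wpdb->escape($_POST['forum_posts_per_page']),
                                 'forum_threads_per_page'        => $wpdb->escape($_POST['forum_threads_per_page']),
-                                'forum_require_registration'    => $_POST['forum_require_registration'],
+                                'forum_require_registration'    => $wpdb->escape($_POST['forum_require_registration']),
                                 'forum_date_format'             => $wpdb->escape($_POST['forum_date_format']),
-                                'forum_use_gravatar'            => $_POST['forum_use_gravatar'],
+                                'forum_use_gravatar'            => $wpdb->escape($_POST['forum_use_gravatar']),
                                 'forum_skin'                    => $op['forum_skin'],
-                                'forum_allow_post_in_solved'    => $_POST['forum_allow_post_in_solved'],
+                                'forum_allow_post_in_solved'    => $wpdb->escape($_POST['forum_allow_post_in_solved']),
                                 'set_sort'                      => $op['set_sort'],
-                                'forum_use_spam'                => $_POST['forum_use_spam'],
-                                'forum_use_bbcode'              => $_POST['forum_use_bbcode'],
-                                'forum_captcha'                 => $_POST['forum_captcha'],
-                                'hot_topic'                     => $_POST['hot_topic'],
-                                'veryhot_topic'                 => $_POST['veryhot_topic'],
-                                'forum_seo_urls'                => $_POST['forum_seo_urls'],
-                                'forum_lang'                    => $_POST['forum_lang']
+                                'forum_use_spam'                => $wpdb->escape($_POST['forum_use_spam']),
+                                'forum_use_bbcode'              => $wpdb->escape($_POST['forum_use_bbcode']),
+                                'forum_captcha'                 => $wpdb->escape($_POST['forum_captcha']),
+                                'hot_topic'                     => $wpdb->escape($_POST['hot_topic']),
+                                'veryhot_topic'                 => $wpdb->escape($_POST['veryhot_topic']),
+                                'forum_seo_urls'                => $wpdb->escape($_POST['forum_seo_urls']),
+                                'forum_lang'                    => $wpdb->escape($_POST['forum_lang'])
                 );
 
@@ -686,5 +686,5 @@
             $add_forum_description = $wpdb->escape($_POST['add_forum_description']);
             $add_forum_name = $wpdb->escape($_POST['add_forum_name']);
-            $add_forum_group_id = $_POST['add_forum_group_id'];
+            $add_forum_group_id = $wpdb->escape($_POST['add_forum_group_id']);
             if($_POST['add_forum_group_id'] == "add_forum_null")
                 return __("You must select a category", "vasthtml");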
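Review bot: Wrapping the numeric settings (`forum_posts_per_page`, `forum_threads_per_page`, `hot_topic`, `veryhot_topic`) and the on/off flags in `$wpdb->escape()` does not validate them; `escape()` only neutralises quote characters inside a quoted SQL string literal, so a value spliced into a query unquoted, or written through the options API, is unchanged by this commit. Casting at the point of read is the safer shape, e.g. `'hot_topic' => (int) $_POST['hot_topic'],` and the same for the other counts and flags. The same applies to `$add_forum_group_id` in the second hunk, which this changeset casts with `(int)` when it arrives via `$_GET` elsewhere but only escapes here; since the next line still compares the raw value against the `"add_forum_null"` sentinel, the cast would have to come after that check. How `$options` is consumed, and whether the handler verifies a nonce and capability, is outside the hunk, so I cannot tell whether WordPress's magic-quotes handling leaves the stored values double-slashed. The enclosing function starts and ends outside both hunks.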
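--- a/forum-server/trunk/fs-admin/wpf-edit-forum-group.php
+++ b/forum-server/trunk/fs-admin/wpf-edit-forum-group.php
@@ -2,8 +2,8 @@
 if(isset($_POST['edit_save_group'])){
     global $wpdb, $table_prefix;
-    $usergroups = $_POST['usergroups'];
+    $usergroups = $wpdb->escape($_POST['usergroups']);
     $edit_group_name = $wpdb->escape($_POST['edit_group_name']);
     $edit_group_description = $wpdb->escape($_POST['edit_group_description']);
-    $edit_group_id = $_POST['edit_group_id'];
+    $edit_group_id = $wpdb->escape($_POST['edit_group_id']);
 
     if($_POST['edit_group_name'] == "")
@@ -28,5 +28,5 @@
     $edit_forum_name = $wpdb->escape($_POST['edit_forum_name']);
     $edit_forum_description = $wpdb->escape($_POST['edit_forum_description']);
-    $edit_forum_id = $_POST['edit_forum_id'];
+    $edit_forum_id = $wpdb->escape($_POST['edit_forum_id']);
     if($edit_forum_name == "")
         echo "<div id='message' class='updated fade'><p>".__("You must specify a forum name", "vasthtml")."</p></div>";
@@ -40,6 +40,6 @@
 
     $usergroups = $vasthtml->get_usergroups();
-    $usergroups_with_access = $this->get_usersgroups_with_access_to_group($_GET['groupid']);
-    $group_name = stripslashes($vasthtml->get_groupname($_GET['groupid']));
+    $usergroups_with_access = $this->get_usersgroups_with_access_to_group((int)$_GET['groupid']);
+    $group_name = stripslashes($vasthtml->get_groupname((int)$_GET['groupid']));
     global $wpdb, $table_prefix;
     $table = $table_prefix."forum_groups";
@@ -104,5 +104,5 @@
             </tr>
 
-            <input type='hidden' name='edit_group_id' value='".$_GET['groupid']."' />";
+            <input type='hidden' name='edit_group_id' value='".(int)$_GET['groupid']."' />";
 
     echo "</table>";
@@ -115,5 +115,5 @@
 if(($_GET['do'] == "editforum") && (!isset($_POST['edit_save_forum']))){
 
-    echo "<h2>".__("Edit forum", "vasthtml")." \"".stripslashes($vasthtml->get_forumname($_GET['forumid']))."\"</h2>";
+    echo "<h2>".__("Edit forum", "vasthtml")." \"".stripslashes($vasthtml->get_forumname((int)$_GET['forumid']))."\"</h2>";
     echo "<form id='edit_forum_form' name='edit_forum_form' action='' method='post'>";
 
@@ -121,9 +121,9 @@
     echo "<tr>
             <th>".__("Name:", "vasthtml")."</th>
-            <td><input type='text' name='edit_forum_name' value='".stripslashes($vasthtml->get_forumname($_GET['forumid']))."' /></td>
+            <td><input type='text' name='edit_forum_name' value='".stripslashes($vasthtml->get_forumname((int)$_GET['forumid']))."' /></td>
         </tr>
         <tr>
             <th>".__("Description:", "vasthtml")."</th>
-            <td><textarea name='edit_forum_description' ".ADMIN_ROW_COL.">".stripslashes($vasthtml->get_forum_description($_GET['forumid']))."</textarea></td>
+            <td><textarea name='edit_forum_description' ".ADMIN_ROW_COL.">".stripslashes($vasthtml->get_forum_description((int)$_GET['forumid']))."</textarea></td>
         </tr>
         <tr>
@@ -131,5 +131,5 @@
             <td><input type='submit' name='edit_save_forum' value='".__("Save forum", "vasthtml")."' /></td>
         </tr>
-        <input type='hidden' name='edit_forum_id' value='".$_GET['forumid']."' />";
+        <input type='hidden' name='edit_forum_id' value='".(int)$_GET['forumid']."' />";
 
     echo "</table></form>";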
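Review bot: `$edit_group_id`, `$edit_forum_id` and `$usergroups` from `$_POST` are only passed through `$wpdb->escape()`, while the `$_GET['groupid']`/`$_GET['forumid']` reads in the same file are now cast with `(int)`; an id that is later interpolated unquoted (`WHERE id = $edit_group_id`, which I cannot see from here) gets no protection from escaping. Consistent handling would be `$edit_group_id = (int) $_POST['edit_group_id'];`, `$edit_forum_id = (int) $_POST['edit_forum_id'];` and, if `usergroups` is the list of checked group ids, `$usergroups = array_map('intval', (array) $_POST['usergroups']);`. Separately, the forum name and description are still echoed into `value='...'` and the `<textarea>` without attribute/HTML escaping (`esc_attr()` is available from WordPress 2.8, `esc_textarea()` from 3.1), so a stored name containing a quote still breaks out of the attribute; the `(int)` cast fixes only the reflected `$_GET` case. The `echo` in the last two hunks and the surrounding `if` blocks start or end outside the hunks.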
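--- a/forum-server/trunk/fs-admin/wpf-usergroup-edit.php
+++ b/forum-server/trunk/fs-admin/wpf-usergroup-edit.php
@@ -4,5 +4,5 @@
     $edit_usergroup_name = $wpdb->escape($_POST['edit_usergroup_name']);
     $edit_usergroup_description = $wpdb->escape($_POST['edit_usergroup_description']);
-    $edit_usergroup_id = $_POST['edit_usergroup_id'];
+    $edit_usergroup_id = $wpdb->escape($_POST['edit_usergroup_id']);
 
     if(!$edit_usergroup_name)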
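Review bot: `$edit_usergroup_id` is an id and should be cast rather than escaped, as this changeset already does for `$_GET['groupid']` in wpf-edit-forum-group.php: `$edit_usergroup_id = (int) $_POST['edit_usergroup_id'];`. `$wpdb->escape()` only defuses quote characters, so it protects the value only if the query that consumes it (outside this hunk) wraps it in quotes; an unquoted numeric comparison stays injectable. The enclosing block starts and ends outside the hunk.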
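--- a/forum-server/trunk/readme.txt
+++ b/forum-server/trunk/readme.txt
@@ -7,5 +7,5 @@
 Requires at least: 2.6
 Tested up to: 3.3.1
-Stable tag: 1.7.2
+Stable tag: 1.7.3
 
 This Wordpress plugin is a complete forum system for your wordpress blog.
@@ -85,4 +85,7 @@
 
 == Changelog ==
+
+= 1.7.4 =
+* fixing harmless "exploits"
 
 = 1.7.3 =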
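--- a/forum-server/trunk/wpf-main.php
+++ b/forum-server/trunk/wpf-main.php
@@ -5,5 +5,5 @@
     Author URI: http://forumpress.org/
     Plugin URI: http://forumpress.org/
-    Version: 1.7.3
+    Version: 1.7.4
 */
 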
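--- a/forum-server/trunk/wpf.class.php
+++ b/forum-server/trunk/wpf.class.php
@@ -2833,5 +2833,5 @@
             $p = unserialize($u->meta_value);
 
-            if(in_array($thread, $p['notify_topics']) ){
+            if(is_array($p['notify_topics']) AND in_array($thread, $p['notify_topics']) ){
 
                 $user = get_userdata($u->user_id);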
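Review bot: The new `is_array()` guard still dereferences `$p['notify_topics']` before checking that the key exists, so a serialized array without it raises an undefined-index notice, and `$p` itself is never checked for the `false` that `unserialize()` returns on a corrupt `meta_value`. A guard covering both is `if (is_array($p) && !empty($p['notify_topics']) && is_array($p['notify_topics']) && in_array($thread, $p['notify_topics'], true)) {`. The `true` makes the membership test strict, so `$thread` has to match a stored id exactly rather than by PHP's loose `==`; whether `$thread` and the stored ids share a type (int vs. numeric string) is not visible here and should be confirmed before switching. `AND` and `&&` behave identically in this condition, but `&&` is the conventional spelling. The enclosing loop and function start and end outside the hunk.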