badmanners/shimmie2
badmanners/shimmie2
Archived
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Fixed comment-delete code-injection vulnerability

Browse source
This commit is contained in:
im-mi 2016-09-14 17:42:32 -04:00
parent 7efff25dcc
commit c1083bbea1
5 changed files with 42 additions and 20 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
core/util.inc.php
View file

@ -15,6 +15,16 @@ function html_escape($input) {
return htmlentities($input, ENT_QUOTES, "UTF-8");
}
/**
* Unescape data that was made safe for printing into HTML
*
* @param $input
* @return string
*/
function html_unescape($input) {
return html_entity_decode($input, ENT_QUOTES, "UTF-8");
}
/**
* Make sure some data is safe to be used in integer context
*

13
ext/comment/theme.php
View file

@ -259,8 +259,6 @@ class CommentListTheme extends Themelet {
else {
$h_userlink = '<a class="username" href="'.make_link('user/'.$h_name).'">'.$h_name.'</a>';
}
$stripped_nonl = str_replace("\n", "\\n", substr($tfe->stripped, 0, 50));
$stripped_nonl = str_replace("\r", "\\r", $stripped_nonl);
$hb = ($comment->owner_class == "hellbanned" ? "hb" : "");
if($trim) {
@ -280,9 +278,14 @@ class CommentListTheme extends Themelet {
}
$h_reply = " - <a href='javascript: replyTo($i_image_id, $i_comment_id, \"$h_name\")'>Reply</a>";
$h_ip = $user->can("view_ip") ? "<br>".show_ip($comment->poster_ip, "Comment posted {$comment->posted}") : "";
$h_del = $user->can("delete_comment") ?
' - <a onclick="return confirm(\'Delete comment by '.$h_name.':\\n'.$stripped_nonl.'\');" '.
'href="'.make_link('comment/delete/'.$i_comment_id.'/'.$i_image_id).'">Del</a>' : '';
$h_del = "";
if ($user->can("delete_comment")) {
$comment_preview = substr(html_unescape($tfe->stripped), 0, 50);
$j_delete_confirm_message = json_encode("Delete comment by {$comment->owner_name}:\n$comment_preview");
$h_delete_script = html_escape("return confirm($j_delete_confirm_message);");
$h_delete_link = make_link("comment/delete/$i_comment_id/$i_image_id");
$h_del = " - <a onclick='$h_delete_script' href='$h_delete_link'>Del</a>";
}
$html = "
<div class=\"comment $hb\" id=\"c$i_comment_id\">
<div class=\"info\">

13
themes/danbooru/comment.theme.php
View file

@ -111,12 +111,15 @@ class CustomCommentListTheme extends CommentListTheme {
$i_image_id = int_escape($comment->image_id);
$h_posted = autodate($comment->posted);
$stripped_nonl = str_replace("\n", "\\n", substr($tfe->stripped, 0, 50));
$stripped_nonl = str_replace("\r", "\\r", $stripped_nonl);
$h_userlink = "<a class='username' href='".make_link("user/$h_name")."'>$h_name</a>";
$h_del = $user->can("delete_comment") ?
' - <a onclick="return confirm(\'Delete comment by '.$h_name.':\\n'.$stripped_nonl.'\');" '.
'href="'.make_link('comment/delete/'.$i_comment_id.'/'.$i_image_id).'">Del</a>' : '';
$h_del = "";
if ($user->can("delete_comment")) {
$comment_preview = substr(html_unescape($tfe->stripped), 0, 50);
$j_delete_confirm_message = json_encode("Delete comment by {$comment->owner_name}:\n$comment_preview");
$h_delete_script = html_escape("return confirm($j_delete_confirm_message);");
$h_delete_link = make_link("comment/delete/$i_comment_id/$i_image_id");
$h_del = " - <a onclick='$h_delete_script' href='$h_delete_link'>Del</a>";
}
//$h_imagelink = $trim ? "<a href='".make_link("post/view/$i_image_id")."'>&gt;&gt;&gt;</a>\n" : "";
if($trim) {
return "<p class='comment'>$h_userlink $h_del<br/>$h_posted<br/>$h_comment</p>";

13
themes/danbooru2/comment.theme.php
View file

@ -101,12 +101,15 @@ class CustomCommentListTheme extends CommentListTheme {
$i_image_id = int_escape($comment->image_id);
$h_posted = autodate($comment->posted);
$stripped_nonl = str_replace("\n", "\\n", substr($tfe->stripped, 0, 50));
$stripped_nonl = str_replace("\r", "\\r", $stripped_nonl);
$h_userlink = "<a class='username' href='".make_link("user/$h_name")."'>$h_name</a>";
$h_del = $user->can("delete_comment") ?
' - <a onclick="return confirm(\'Delete comment by '.$h_name.':\\n'.$stripped_nonl.'\');" '.
'href="'.make_link('comment/delete/'.$i_comment_id.'/'.$i_image_id).'">Del</a>' : '';
$h_del = "";
if ($user->can("delete_comment")) {
$comment_preview = substr(html_unescape($tfe->stripped), 0, 50);
$j_delete_confirm_message = json_encode("Delete comment by {$comment->owner_name}:\n$comment_preview");
$h_delete_script = html_escape("return confirm($j_delete_confirm_message);");
$h_delete_link = make_link("comment/delete/$i_comment_id/$i_image_id");
$h_del = " - <a onclick='$h_delete_script' href='$h_delete_link'>Del</a>";
}
//$h_imagelink = $trim ? "<a href='".make_link("post/view/$i_image_id")."'>&gt;&gt;&gt;</a>\n" : "";
if($trim) {
return "<p class='comment'>$h_userlink $h_del<br/>$h_posted<br/>$h_comment</p>";

13
themes/futaba/comment.theme.php
View file

@ -70,13 +70,16 @@ class CustomCommentListTheme extends CommentListTheme {
$i_comment_id = int_escape($comment->comment_id);
$i_image_id = int_escape($comment->image_id);
$stripped_nonl = str_replace("\n", "\\n", substr($tfe->stripped, 0, 50));
$stripped_nonl = str_replace("\r", "\\r", $stripped_nonl);
$h_userlink = "<a href='".make_link("user/$h_name")."'>$h_name</a>";
$h_date = $comment->posted;
$h_del = $user->can("delete_comment") ?
' - <a onclick="return confirm(\'Delete comment by '.$h_name.':\\n'.$stripped_nonl.'\');" '.
'href="'.make_link('comment/delete/'.$i_comment_id.'/'.$i_image_id).'">Del</a>' : '';
$h_del = "";
if ($user->can("delete_comment")) {
$comment_preview = substr(html_unescape($tfe->stripped), 0, 50);
$j_delete_confirm_message = json_encode("Delete comment by {$comment->owner_name}:\n$comment_preview");
$h_delete_script = html_escape("return confirm($j_delete_confirm_message);");
$h_delete_link = make_link("comment/delete/$i_comment_id/$i_image_id");
$h_del = " - <a onclick='$h_delete_script' href='$h_delete_link'>Del</a>";
}
$h_reply = "[<a href='".make_link("post/view/$i_image_id")."'>Reply</a>]";
if($inner_id == 0) {