
Commit d50051d

authored
Merge commit from fork
[2.1] Multiple Bugs
2 parents d49f255 + 938239b commit d50051d

4 files changed

Lines changed: 19 additions & 8 deletions


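--- a/Sources/Reminder.php
+++ b/Sources/Reminder.php
@@ -145,7 +145,7 @@ function RemindPick()
 sendmail($row['email_address'], $emaildata['subject'], $emaildata['body'], null, 'reminder', $emaildata['is_html'], 1);
 
 // Set the password in the database.
-updateMemberData($row['id_member'], array('validation_code' => substr(md5($password), 0, 10)));
+updateMemberData($row['id_member'], array('validation_code' => substr(md5($password), 0, 10)) . '|' . time());
 
 // Set up the template.
 $context['sub_template'] = 'sent';
@@ -236,7 +236,9 @@ function setPassword2()
 if ($smcFunc['db_num_rows']($request) == 0)
 fatal_lang_error('invalid_userid', false);
 
-list ($realCode, $username, $email, $flood_value) = $smcFunc['db_fetch_row']($request);
+list ($code, $username, $email, $flood_value) = $smcFunc['db_fetch_row']($request);
+list ($realCode, $issuedTime) = explode('|', $realCode);
+$issuedTime = empty($issuedTime) ? 0 : (int) $issuedTime;
 $smcFunc['db_free_result']($request);
 
 // Is the password actually valid?
@@ -253,7 +255,7 @@ function setPassword2()
 require_once($sourcedir . '/LogInOut.php');
 
 // Quit if this code is not right.
-if (empty($_POST['code']) || substr($realCode, 0, 10) !== substr(md5($_POST['code']), 0, 10))
+if (empty($_POST['code']) || substr($realCode, 0, 10) !== substr(md5($_POST['code']), 0, 10) || $issuedTime + 3600 < time())
 {
 // Stop brute force attacks like this.
 validatePasswordFlood($_POST['u'], $flood_value, false);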
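Review bot: In the RemindPick() hunk the closing parenthesis of `array(...)` sits before `. '|' . time()`, so updateMemberData() receives an array concatenated with a string instead of an array holding the timestamped code; it should read `updateMemberData($row['id_member'], array('validation_code' => substr(md5($password), 0, 10) . '|' . time()));`. The first setPassword2() hunk has a matching slip: the fetched value is now named `$code`, but the next line still explodes `$realCode`, which is unset at that point; `list ($realCode, $issuedTime) = array_pad(explode('|', $code, 2), 2, 0);` reads the right variable and avoids an undefined-offset notice for codes stored without a timestamp. As written both paths appear to fail closed (every reset is rejected), so the new expiry test in the last hunk is never really exercised. That comparison also still uses `!==` on the truncated MD5, whereas the proxy.php section of this commit moves to `hash_equals()`. All three hunks sit inside functions whose bodies extend beyond the visible lines.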

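--- a/Sources/Subs-Auth.php
+++ b/Sources/Subs-Auth.php
@@ -128,8 +128,7 @@ function setLoginCookie($cookie_length, $id, $password = '')
 
 // Recreate and restore the new session.
 loadSession();
-// @todo should we use session_regenerate_id(true); now that we are 5.1+
-session_regenerate_id();
+session_regenerate_id(true);
 $_SESSION = $oldSessionData;
 
 $_SESSION['login_' . $cookiename] = $data;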
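Review bot: The boolean result of `session_regenerate_id(true)` is ignored, so if regeneration fails the next line would restore `$oldSessionData` into the session under its previous ID. Checking the return value and refusing to continue on `false` keeps the login from silently reusing a pre-login session ID. With the @todo removed the call has no explanation left; a comment such as `// Delete the old session data so the pre-login session ID cannot be reused.` would record why `true` is passed. setLoginCookie() starts and ends outside the hunk.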

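--- a/Sources/Subs-Package.php
+++ b/Sources/Subs-Package.php
@@ -171,7 +171,17 @@ function read_tgz_data($data, $destination, $single_file = false, $overwrite = f
 elseif ($destination !== null && !$single_file)
 {
 // Protect from accidental parent directory writing...
-$current['filename'] = strtr($current['filename'], array('../' => '', '/..' => ''));
+do {
+$prev = $current['filename'];
+$current['filename'] = strtr($current['filename'], array(
+'../' => '',
+'/..' => '',
+'..' . DIRECTORY_SEPARATOR => '',
+DIRECTORY_SEPARATOR . '..' => '',
+'..\\' => '',
+'\\..' => '',
+));
+} while ($prev !== $current['filename']);
 
 if (!file_exists($destination . '/' . $current['filename']))
 mktree($destination . '/' . $current['filename'], 0777);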
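Review bot: The loop still rewrites a hostile entry name instead of rejecting it, and a name that is exactly `..` matches none of the six patterns, so `$destination . '/' . $current['filename']` can still resolve to the parent of `$destination`. Stripping also means an entry is written to a different path than the archive named, which hides the tampering from whoever installs the package. A stricter check splits on both separators and skips the entry when any segment is `..`, e.g. `if (in_array('..', preg_split('~[\\\\/]+~', $current['filename']), true))` followed by skipping that entry. The enclosing branch and read_tgz_data() itself continue outside the hunk, so how the entry is skipped depends on code not shown here.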

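--- a/proxy.php
+++ b/proxy.php
@@ -117,7 +117,7 @@ public function checkRequest()
 {
 global $boardurl;
 
-if (!$this->enabled)
+if (!$this->enabled || $this->secret === 'smfisawesome')
 return false;
 
 // Try to create the image cache directory if it doesn't exist
@@ -144,7 +144,7 @@ public function checkRequest()
 return false;
 }
 
-if (hash_hmac('sha1', $request, $this->secret) != $hash)
+if (!hash_equals(hash_hmac('sha1', $request, $this->secret), $hash))
 return false;
 
 // Ensure any non-ASCII characters in the URL are encoded correctly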
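Review bot: The new guard in the first hunk refuses only the one shipped default, so an empty or unset `$this->secret` would still reach `hash_hmac()` and yield a signature that is not secret at all; `if (!$this->enabled || empty($this->secret) || $this->secret === 'smfisawesome')` closes that. In the second hunk `hash_equals()` requires two strings, and where `$hash` comes from is not visible here; if it is taken from the request, adding `!is_string($hash) ||` in front makes an array-valued parameter return false instead of raising a TypeError. checkRequest() begins and ends outside both hunks.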
