Simple Machines Community Forum

Customizing SMF => SMF Coding Discussion => Topic started by: Hoochie Coochie Man on November 01, 2008, 08:28:35 PM

Title: Does this create a security hole (or another problem)?
Post by: Hoochie Coochie Man on November 01, 2008, 08:28:35 PM
Hey everyone.

On Turkish boards, we have a tip.
This tip solves "the Turkish letter issue" on Hotmail.

Normally, when you send e-mail to users from the admin panel,
Turkish letters are not shown.

So, when you do this tip:

Sources/Subs-Post.php
Code (find)
if (preg_match('~@(yahoo|hotmail)\.[a-zA-Z\.]{2,6}$~i', $to_address) === 1)

Remove the 2,6

I mean like this:
if (preg_match('~@(yahoo|hotmail)\.[a-zA-Z\.]{}$~i', $to_address) === 1)

Then the problem is solved. All Turkish letters are appearing.

So, does this create a security hole (or another problem)?

Any help would be great, Thanks.
Title: Re: Does this create a security hole (or another problem)?
Post by: Oldiesmann on November 01, 2008, 10:00:16 PM
So Hotmail fully supports international characters now?

That change prevents SMF from applying special functionality to email messages being sent to Yahoo or Hotmail email addresses. This functionality was put in place due to previous problems with Yahoo and Hotmail supporting international characters.
Title: Re: Does this create a security hole (or another problem)?
Post by: Hoochie Coochie Man on November 02, 2008, 05:32:13 AM
Quote from: Oldiesmann on November 01, 2008, 10:00:16 PM
So Hotmail fully supports international characters now?
Yes. So, does this create a security hole (or another problem)?
Title: Re: Does this create a security hole (or another problem)?
Post by: [SiNaN] on November 02, 2008, 10:39:38 AM
That will cause that preg_match() not to function properly; it will always fail. It just prevents the Hotmail/Yahoo fix from working. It is the same as removing the Hotmail fix completely.

Although preg_match() is mostly used to validate input for security, in this case it is used to decide whether the e-mail provider is an international Hotmail/Yahoo one or not. Nothing related to security.
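As an added example (not SMF's own code and not from anyone in the thread), the PHP script below runs the original pattern from Sources/Subs-Post.php and the edited one side by side on a few constructed addresses. With no digits between the braces, PCRE reads `{}` as two literal characters rather than as a quantifier, so the edited pattern can only match a domain that ends in one letter followed by a literal `{}`. For every real address preg_match() returns 0 (no match), not false (pattern error), which is why the Hotmail/Yahoo branch is silently never taken. The sample addresses are made up for the example.

```php
<?php
// Added example, not code from SMF or from the thread: runs the original
// recipient check and the edited one side by side on constructed addresses.

// Pattern as quoted from Sources/Subs-Post.php in the first post.
const ORIGINAL_PATTERN = '~@(yahoo|hotmail)\.[a-zA-Z\.]{2,6}$~i';

// Pattern after the tip strips the "2,6" bounds. With no digits inside,
// PCRE takes "{}" as two literal characters, not as a quantifier.
const EDITED_PATTERN = '~@(yahoo|hotmail)\.[a-zA-Z\.]{}$~i';

/**
 * True when $pattern would route $to_address through the Hotmail/Yahoo
 * handling, false when it would not. A genuinely broken regex makes
 * preg_match() return false, which is turned into an exception here so
 * it cannot be mistaken for "no match" (neither pattern above triggers it).
 */
function needs_hotmail_fix(string $to_address, string $pattern): bool
{
    $result = preg_match($pattern, $to_address);
    if ($result === false) {
        throw new RuntimeException('preg_match() error code ' . preg_last_error());
    }
    return $result === 1;
}

// Constructed sample recipients (no real users).
$samples = [
    'user@hotmail.com',
    'user@yahoo.co.uk',
    'user@example.org',
    'user@hotmail.c{}',   // the only shape the edited pattern still matches
];

foreach ($samples as $address) {
    printf(
        "%-20s original: %-3s edited: %s\n",
        $address,
        needs_hotmail_fix($address, ORIGINAL_PATTERN) ? 'yes' : 'no',
        needs_hotmail_fix($address, EDITED_PATTERN) ? 'yes' : 'no'
    );
}
```

Run it with `php` on the command line: the original pattern answers yes for the Hotmail and Yahoo addresses and no for the others; the edited pattern answers no for every realistic address and yes only for the contrived `user@hotmail.c{}`. Nothing about the change lets a recipient address reach code it could not reach before, which is the point [SiNaN] makes above.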
Title: Re: Does this create a security hole (or another problem)?
Post by: Hoochie Coochie Man on November 02, 2008, 05:12:16 PM
So, it is safe.
Thanks ;)
Title: Re: Does this create a security hole (or another problem)?
Post by: Sinan ANDIRMAN on November 02, 2008, 05:15:21 PM
I have solved this problem in this topic:
http://www.simplemachines.org/community/index.php?topic=199273.msg1765464#msg1765464

;)

This edit is a reason for an XSS attack, because it includes bad text, I know.

For example, karlbenson's AVEAC Mod includes a preg_match for this situation.

Also, I may be wrong in this topic. I think karlbenson should look at this topic.
Title: Re: Does this create a security hole (or another problem)?
Post by: Hoochie Coochie Man on November 02, 2008, 05:35:59 PM
Quote from: Sinan ANDIRMAN on November 02, 2008, 05:15:21 PM
I have solved this problem in this topic:
http://www.simplemachines.org/community/index.php?topic=199273.msg1765464#msg1765464
;)


No, you didn't.
You said that there is a security hole in this tip, and that's why I opened this topic.
I wanted to learn if there is really a security hole.
Title: Re: Does this create a security hole (or another problem)?
Post by: Sinan ANDIRMAN on November 03, 2008, 06:55:57 AM
For example, from a video mod:

[mynet]23472947[/mynet] as you intend
or
[mynet]343&badvariable=badbadbadbad[/mynet]
For security reasons (to prevent an XSS attack) the variable that is passed should be checked and validated with a preg_match.
This ensures that hackers can't pass bad strings, and is a good way to check that the variable passed is valid.

This is only an example. I am making an example connected to this topic.
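To show the validation the post above describes in working code, here is an added example that is not code from SMF, from karlbenson's mod, or from any video mod. It renders a hypothetical [mynet] tag (the tag name is taken from the post) in a trusting form and in a validated form; the embed URL is an assumption made up for the example, and the three inputs are constructed, including the tampered value from the post and an attribute break-out of the kind the check is meant to stop.

```php
<?php
// Added example, not code from SMF, AEVA or any video mod: a minimal
// [mynet]...[/mynet] renderer in its trusting form and its validated form.
// The tag name comes from the post; the embed URL is an assumption.

const EMBED_BASE = 'https://video.example.invalid/player?id=';

// Trusting version: whatever sits between the tags lands in the attribute,
// so "&badvariable=..." rides along and a '"' breaks out of the src value.
function render_mynet_unchecked(string $param): string
{
    return '<iframe src="' . EMBED_BASE . $param . '"></iframe>';
}

// Validated version: the id must be all digits, nothing else gets through.
// \z is used instead of $ because $ alone would still accept a trailing
// newline. Returns null for a rejected value so the caller can leave the
// raw text alone (or drop the tag) instead of rendering an attacker's string.
function render_mynet_checked(string $param): ?string
{
    if (preg_match('~^\d{1,16}\z~', $param) !== 1) {
        return null;
    }
    // Escaping is cheap insurance even after validation.
    return '<iframe src="' . EMBED_BASE . htmlspecialchars($param, ENT_QUOTES) . '"></iframe>';
}

// Constructed inputs: the legitimate id from the post, the tampered query
// string from the post, and an attribute break-out.
$inputs = [
    '23472947',
    '343&badvariable=badbadbadbad',
    '343"></iframe><script>alert(1)</script><iframe src="',
];

foreach ($inputs as $param) {
    echo 'input:     [mynet]' . $param . "[/mynet]\n";
    echo 'unchecked: ' . render_mynet_unchecked($param) . "\n";
    echo 'checked:   ' . (render_mynet_checked($param) ?? '(rejected, tag left unrendered)') . "\n\n";
}
```

The trusting renderer emits all three inputs into the page verbatim, so the second smuggles an extra query parameter to the embed host and the third closes the iframe and injects a script. The validated renderer accepts only the first input. That whitelist check is a different job from the Hotmail/Yahoo classification in Subs-Post.php: one decides what untrusted text may become markup, the other only chooses how an e-mail is encoded.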



Title: Re: Does this create a security hole (or another problem)?
Post by: [SiNaN] on November 03, 2008, 07:00:48 AM
That is just one use of it. http://tr2.php.net/preg_match Also, you can search for the function on Google to find some information in your own language. I'm sure it will be better.
Title: Re: Does this create a security hole (or another problem)?
Post by: Sinan ANDIRMAN on November 03, 2008, 07:06:01 AM
Hmmm, I thank you for the advice, major Sinan. And I think karlbenson should look at this topic.