Otsikko: Added function to calendar and SSI.php "is it safe?"
Kirjoitti: kimncris - marraskuu 11, 2005, 09:46:29 IP
Kirjoitti: kimncris - marraskuu 11, 2005, 09:46:29 IP
So I am using 1.0.5
I added a field to my database and added some lines of code to 4 of my SMF files.
My main question is: I did not add anything that strips trailing slashes or anything like this
so my qustion is: Should I? It is currently working so I really do not want to mess with a good thing, but if this leaves us open to hacking attacks then maybe I should. Only full members can add calendar events, so I think I have control over strangers messing with us, but I'd like to know the dangers if there are any.
here is my code with the changes in blue.
From post.template.php
from Post.php
snip
From calendar.php
snip
the new fuction from my edited SSI.php this is pretty much all a re-write so it could be sketchy
and lastly in index.english.php
so: Is it Safe?
in the end, all it does is this:
What you type here:
Appears Here:
-cris
I added a field to my database and added some lines of code to 4 of my SMF files.
My main question is: I did not add anything that strips trailing slashes or anything like this
Koodi [Valitse]
// Hack to make it so 񏋤... can't happen.
$_POST['subject'] = preg_replace('~&#\d+$~', '', $_POST['subject']);so my qustion is: Should I? It is currently working so I really do not want to mess with a good thing, but if this leaves us open to hacking attacks then maybe I should. Only full members can add calendar events, so I think I have control over strangers messing with us, but I'd like to know the dangers if there are any.
here is my code with the changes in blue.
From post.template.php
Lainaa
// Are you posting a calendar event?
if ($context['make_event'])
{
echo '
<tr>
<td align="right">
<b', isset($context['post_error']['no_event']) ? '
style="color: #FF0000;"' : '', '>', $txt['calendar12'], '</b>
</td>
<td class="smalltext">
<input type="text" name="evtitle" maxlength="60"
size="60" value="', $context['event']['title'], '" />
</td>
</tr>
<tr>
<td align="right">
<b', isset($context['post_error']['no_event']) ? '
style="color: #FF0000;"' : '', '>', $txt['calendar14'], '</b>
</td>
<td class="smalltext">
<input type="text" name="evdetails"
maxlength="250" size="120" value="', $context['event']['details'], '" />
</td>
</tr>
from Post.php
Lainaa
if ($context['make_event'])
{
// They might want to pick a board.
if (!isset($context['current_board']))
$context['current_board'] = 0;
// Start loading up the event info.
$context['event'] = array();
$context['event']['title'] = isset($_REQUEST['evtitle']) ? $_REQUEST['evtitle'] : '';
$context['event']['details'] = isset($_REQUEST['evdetails']) ? $_REQUEST['evdetails'] : '';
$context['event']['id'] = isset($_REQUEST['eventid']) ? (int) $_REQUEST['eventid'] : -1;
$context['event']['new'] = $context['event']['id'] == -1;
// Permissions check!
isAllowedTo('calendar_post');
// Editing an event? (but NOT previewing!?)
if (!$context['event']['new'] && !isset($_REQUEST['subject']))
{
// Get the current event information.
$request = db_query("
SELECT
title, details, MONTH(eventDate) AS month, DAYOFMONTH(eventDate) AS day,
YEAR(eventDate) AS year, ID_MEMBER
FROM {$db_prefix}calendar
WHERE ID_EVENT = " . $context['event']['id'] . "
LIMIT 1", __FILE__, __LINE__);
$row = mysql_fetch_assoc($request);
mysql_free_result($request);
// Make sure the user is allowed to edit this event.
if ($row['ID_MEMBER'] != $ID_MEMBER)
isAllowedTo('calendar_edit_any');
elseif (!allowedTo('calendar_edit_any'))
isAllowedTo('calendar_edit_own');
$context['event']['month'] = $row['month'];
$context['event']['day'] = $row['day'];
$context['event']['year'] = $row['year'];
$context['event']['details'] = $row['details']; $context['event']['title'] = $row['title'];
}
else
{
$today = getdate();
snip
Lainaa
// Editing or posting an event?
if (isset($_POST['calendar']) && (!isset($_REQUEST['eventid']) || $_REQUEST['eventid'] == -1))
{
require_once($sourcedir . '/Calendar.php');
calendarCanLink();
calendarInsertEvent($board, $topic, $_POST['evtitle'], $ID_MEMBER, $_POST['month'], $_POST['day'], $_POST['year'], isset($_POST['span']) ? $_POST['span'] : null, $_POST['evdetails']);
}
elseif (isset($_POST['calendar']))
{
$_REQUEST['eventid'] = (int) $_REQUEST['eventid'];
// Validate the post...
require_once($sourcedir . '/Subs-Post.php');
calendarValidatePost();
// If you're not allowed to edit any events, you have to be the poster.
if (!allowedTo('calendar_edit_any'))
{
// Get the event's poster.
$request = db_query("
SELECT ID_MEMBER
FROM {$db_prefix}calendar
WHERE ID_EVENT = $_REQUEST[eventid]", __FILE__, __LINE__);
$row = mysql_fetch_assoc($request);
mysql_free_result($request);
// Silly hacker, Trix are for kids. ...probably trademarked somewhere, this is FAIR USE! (parody...)
isAllowedTo('calendar_edit_' . ($row['ID_MEMBER'] == $ID_MEMBER ? 'own' : 'any'));
}
// Delete it?
if (isset($_REQUEST['deleteevent']))
db_query("
DELETE FROM {$db_prefix}calendar
WHERE ID_EVENT = $_REQUEST[eventid]
LIMIT 1", __FILE__, __LINE__);
// ... or just update it?
else
db_query("
UPDATE {$db_prefix}calendar
SET eventDate = '$_REQUEST[year]-$_REQUEST[month]-$_REQUEST[day]',
details = '" . htmlspecialchars($_REQUEST['evdetails'], ENT_QUOTES) . "',
title = '" . htmlspecialchars($_REQUEST['evtitle'], ENT_QUOTES) . "'
WHERE ID_EVENT = $_REQUEST[eventid]
LIMIT 1", __FILE__, __LINE__);
updateStats('calendar');
}
From calendar.php
Lainaa
// Create an array of events occurring in this day/month.
function calendarEventArray($low_date, $high_date, $use_permissions = true)
{
global $db_prefix, $ID_MEMBER, $scripturl, $modSettings, $user_info, $sc;
// Find all the calendar info...
$result = db_query("
SELECT
cal.ID_EVENT, DAYOFMONTH(cal.eventDate) AS day, cal.title, cal.details, cal.ID_MEMBER,
cal.ID_TOPIC,
cal.ID_BOARD, b.memberGroups, t.ID_FIRST_MSG
FROM {$db_prefix}calendar AS cal, {$db_prefix}boards AS b, {$db_prefix}topics AS t
WHERE cal.eventDate BETWEEN '$low_date' AND '$high_date'
AND cal.ID_TOPIC = t.ID_TOPIC
AND cal.ID_BOARD = b.ID_BOARD" . ($use_permissions ? "
AND $user_info[query_see_board]" : ''), __FILE__, __LINE__);
$events = array();
while ($row = mysql_fetch_assoc($result))
{
// Censor the title.
censorText($row['title']);
// If we're using permissions (calendar pages?) then just ouput normal contextual style information.
if ($use_permissions)
$events[$row['day']][] = array(
'id' => $row['ID_EVENT'],
'title' => $row['title'],
'can_edit' => allowedTo('calendar_edit_any') || ($row['ID_MEMBER'] == $ID_MEMBER &&
allowedTo('calendar_edit_own')),
'modify_href' => $scripturl . '?action=post;msg=' . $row['ID_FIRST_MSG'] . ';topic=' .
$row['ID_TOPIC'] . '.0;calendar;eventid=' . $row['ID_EVENT'] . ';sesc=' . $sc,
'href' => $scripturl . '?topic=' . $row['ID_TOPIC'] . '.0',
'link' => '<a href="' . $scripturl . '?topic=' . $row['ID_TOPIC'] . '.0">' .
$row['title'] . '</a>',
'is_last' => false
);
// Otherwise, this is going to be cached and the VIEWER'S permissions should apply... just put together
some info.
else
$events[$row['day']][] = array(
'id' => $row['ID_EVENT'],
'title' => $row['title'],
'details' => $row['details'], 'topic' => $row['ID_TOPIC'],
'msg' => $row['ID_FIRST_MSG'],
'poster' => $row['ID_MEMBER'],
'is_last' => false,
'allowed_groups' => explode(',', $row['memberGroups'])
);
}
mysql_free_result($result);
// If we're doing normal contextual data, go through and make things clear to the templates ;).
if ($use_permissions)
{
foreach ($events as $mday => $array)
$events[$mday][count($array) - 1]['is_last'] = true;
}
return $events;
}
snip
Lainaa
// Consolidating the various INSERT statements into this function.
function calendarInsertEvent($id_board, $id_topic, $title, $id_member, $month, $day, $year, $span, $details)
{
global $db_prefix;
// Add special chars to the title.
$title = htmlspecialchars($title, ENT_QUOTES);
// Add special chars to the details.
$details = htmlspecialchars($details, ENT_QUOTES);
// Span multiple days?
if (empty($span) || trim($span) == '')
$insertString = "
($id_board, $id_topic, '$title', $id_member, '$year-$month-$day','$details'),";
else
{
// Calculate the time...
$tVal = mktime(0, 0, 0, $month, $day, $year);
// I went for the simplest way I could think of for making the events span multiple days.
$insertString = '';
// For each day a row is added to the calendar table.
for ($i = 0; $i < $span; $i++)
{
$eventTime = array(
'day' => (int) strftime('%d', $tVal),
'month' => (int) strftime('%m', $tVal),
'year' => (int) strftime('%Y', $tVal)
);
$insertString .= "
($id_board, $id_topic, '$title', $id_member,
'$eventTime[year]-$eventTime[month]-$eventTime[day]','$details'),";
// Add a day...
$tVal = strtotime('tomorrow', $tVal);
}
}
// Insert the day(s)!
if (strlen($insertString) > 0)
{
$insertString = substr($insertString, 0, -1);
db_query("
INSERT INTO {$db_prefix}calendar
(ID_BOARD, ID_TOPIC, title, ID_MEMBER, eventDate, details)
VALUES $insertString", __FILE__, __LINE__);
}
updateStats('calendar');
}
the new fuction from my edited SSI.php this is pretty much all a re-write so it could be sketchy
Lainaa
/***************************dbEvents query**********************************/
// Show the next 7 upcoming events with dates in ASCENDING order even to guests.
function ssi_dbEvents($max_events = 7, $output_method = 'echo')
{
global $context,$db_prefix, $user_info, $scripturl, $modSettings, $txt, $sc;
// Find all events which are happening in the near future that the member can see.
$request = db_query("
SELECT
cal.ID_EVENT, DAYOFMONTH(cal.eventDate) AS day, cal.eventDate, year(cal.eventDate) AS year, MONTH(cal.eventDate) AS month, DAYOFWEEK(cal.eventDate) AS weekday, cal.title, cal.details, cal.ID_MEMBER, cal.ID_TOPIC,
cal.ID_BOARD, t.ID_FIRST_MSG
FROM {$db_prefix}calendar AS cal, {$db_prefix}boards AS b, {$db_prefix}topics AS t
WHERE cal.eventDate >= '" . strftime('%Y-%m-%d', forum_time(false)) . "'
AND cal.ID_TOPIC = t.ID_TOPIC
AND cal.ID_BOARD = b.ID_BOARD
GROUP BY cal.title /*use this to show only 1st date of multi day events*/
ORDER BY cal.eventdate ASC LIMIT $max_events", __FILE__, __LINE__);
$return = array();
while ($row = mysql_fetch_assoc($request))
{
//change the day number info from the database into a word
if ($row['weekday'] == "1") {$dayword=Sunday;}
elseif ($row['weekday'] == "2") {$dayword=Monday;}
elseif ($row['weekday'] == "3") {$dayword=Tuesday;}
elseif ($row['weekday'] == "4") {$dayword=Wednesday;}
elseif ($row['weekday'] == "5") {$dayword=Thursday;}
elseif ($row['weekday'] == "6") {$dayword=Friday;}
else {$dayword=Saturday;}
//set the year to only display the last 2 digits
$shortyear = substr($row['year'], -2);
//set the link info for echo
$hyperlink = $scripturl . '?topic=' . $row['ID_TOPIC'] . '.0';
//Censor the title.
censorText($row['title']);
//dont display links to guests
if ($context['user']['is_guest'])
{
echo '
<a href=" " title="' . $row['details'] . '">' . $dayword,' '. $row['month'],'/'. $row['day'],'/'. $shortyear, '<br>'. $row['title']. '<br><br></a>' ;
}
else
{
echo '
<a href="' . $hyperlink . '" title="' . $row['details'] . '">' . $dayword,' '. $row['month'],'/'. $row['day'],'/'. $shortyear, '<br>'. $row['title']. '<br><br></a>' ; }
}
mysql_free_result($request);
if ($output_method != 'echo' || empty($return))
return $return;
}
/******************************end dbevents******************************************/
and lastly in index.english.php
Lainaa
$txt['calendar3'] = 'Birthdays:';
$txt['calendar4'] = 'Events:';
$txt['calendar3b'] = 'Upcoming Birthdays:';
$txt['calendar4b'] = 'Upcoming Events:';
$txt['calendar5'] = ''; // Prompt for holidays in the calendar, leave blank to just display the holiday's name.
$txt['calendar9'] = 'Month:';
$txt['calendar10'] = 'Year:';
$txt['calendar11'] = 'Day:';
$txt['calendar12'] = 'Event Title:';
$txt['calendar13'] = 'Post In:';
$txt['calendar14'] = 'Popup Details:';
$txt['calendar20'] = 'Edit Event';
$txt['calendar21'] = 'Delete this event?';
$txt['calendar22'] = 'Delete Event';
$txt['calendar23'] = 'Post Event';
$txt['calendar24'] = 'Calendar';
$txt['calendar37'] = 'Link to Calendar';
$txt['calendar43'] = 'Link Event';
$txt['calendar47'] = 'Upcoming Calendar';
$txt['calendar47b'] = 'Today\'s Calendar';
$txt['calendar51'] = 'Week';
$txt['calendar54'] = 'Number of Days:';
$txt['calendar_how_edit'] = 'how do you edit these events?';
so: Is it Safe?
in the end, all it does is this:
What you type here:
Appears Here:
-cris
Otsikko: Re: Added funtion to calendar and SSI.php "is it safe?"
Kirjoitti: kimncris - marraskuu 13, 2005, 08:46:11 IP
Kirjoitti: kimncris - marraskuu 13, 2005, 08:46:11 IP
I added the full code above to hopefully make it easier to understand my question...
thanks again,
-cris
thanks again,
-cris
Otsikko: Re: Added funtion to calendar and SSI.php "is it safe?"
Kirjoitti: kimncris - marraskuu 18, 2005, 04:52:43 IP
Kirjoitti: kimncris - marraskuu 18, 2005, 04:52:43 IP
Lainaus käyttäjältä: kimncris - marraskuu 11, 2005, 09:46:29 IP
$txt['calendar3'] = 'Birthdays:';
$txt['calendar4'] = 'Events:';
$txt['calendar3b'] = 'Upcoming Birthdays:';
$txt['calendar4b'] = 'Upcoming Events:';
$txt['calendar5'] = ''; // Prompt for holidays in the calendar, leave blank to just display the holiday's name.
$txt['calendar9'] = 'Month:';
$txt['calendar10'] = 'Year:';
$txt['calendar11'] = 'Day:';
$txt['calendar12'] = 'Event Title:';
$txt['calendar13'] = 'Post In:';
$txt['calendar14'] = 'Popup Details:';
$txt['calendar20'] = 'Edit Event';
$txt['calendar21'] = 'Delete this event?';
$txt['calendar22'] = 'Delete Event';
$txt['calendar23'] = 'Post Event';
$txt['calendar24'] = 'Calendar';
$txt['calendar37'] = 'Link to Calendar';
$txt['calendar43'] = 'Link Event';
$txt['calendar47'] = 'Upcoming Calendar';
$txt['calendar47b'] = 'Today\'s Calendar';
$txt['calendar51'] = 'Week';
$txt['calendar54'] = 'Number of Days:';
$txt['calendar_how_edit'] = 'how do you edit these events?';
ooops I found an issue with this one- when you get a "post_error" it goes to errors.english.php where there was already a $txt['calendar14'] that said "event day is missing."
so I had to change it to this in both errors.english.php and index.english.php
Lainaa$txt['calendar57'] = 'Popup Details:';
which in turn required this edit in post.template.php
Lainaa<td class="smalltext">
<input type="text" name="evtitle" maxlength="60" size="60" value="', $context['event']['title'], '" />
</td>
</tr>
<tr>
<td align="right">
<b>', $txt['calendar57'], '</b> </td>
<td class="smalltext">
<input type="text" name="evdetails" maxlength="250" size="120" value="', $context['event']['details'], '" />
</td>
</tr>
I also simplified the display command since I do not want it to require the details- nor to turn red if they are missing.
sorry if anyone copied my work and got this error.
-cris
Otsikko: Re: Added function to calendar and SSI.php "is it safe?"
Kirjoitti: morph - marraskuu 19, 2005, 12:25:50 AP
Kirjoitti: morph - marraskuu 19, 2005, 12:25:50 AP
It is alright just be aware with each new release code may change and there is the chance that you will have to modify your code accordingly. Otherwise, nice addition :)
Otsikko: Re: Added function to calendar and SSI.php "is it safe?"
Kirjoitti: kimncris - marraskuu 19, 2005, 11:07:40 AP
Kirjoitti: kimncris - marraskuu 19, 2005, 11:07:40 AP
cool, thank you so much for the reply.
I accept the possibility that it may all go to hell when we upgrade, but at least for now it is working... :)
-cris
I accept the possibility that it may all go to hell when we upgrade, but at least for now it is working... :)
-cris