public/takestaffmess.php

<?php
require "../include/bittorrent.php";
if ($_SERVER["REQUEST_METHOD"] != "POST")
	stderr("Error", "Permission denied!");
dbconn();
loggedinorreturn();

if (get_user_class() < UC_ADMINISTRATOR)
	stderr("Sorry", "Permission denied.");

$sender_id = ($_POST['sender'] == 'system' ? 0 : (int)$CURUSER['id']);
$dt = sqlesc(date("Y-m-d H:i:s"));
$msg = trim($_POST['msg']);
if (!$msg)
	stderr("Error","Don't leave any fields blank.");
$updateset = $_POST['clases'];
if (is_array($updateset)) {
	foreach ($updateset as &$class) {
        $class=intval($class);
		if (!is_valid_id($class) && $class != 0)
			stderr("Error","Invalid Class");
	}
}else{
	if (!is_valid_id($updateset) && $updateset != 0)
		stderr("Error","Invalid Class");
}
$subject = trim($_POST['subject']);
$size = 10000;
$page = 1;
set_time_limit(300);
$conditions = [];
if (!empty($_POST['classes'])) {
    $conditions[] = "class IN (" . implode(', ', $_POST['classes']) . ")";
}
$conditions = apply_filter("role_query_conditions", $conditions, $_POST);
if (empty($conditions)) {
    stderr("Error","No valid filter");
}
$whereStr = implode(' OR ', $conditions);
while (true) {
    $msgValues = [];
    $offset = ($page - 1) * $size;
    $query = sql_query("SELECT id FROM users WHERE ($whereStr) and `enabled` = 'yes' and `status` = 'confirmed' limit $offset, $size");
    while($dat=mysql_fetch_assoc($query))
    {
        $msgValues[] = sprintf('(%s, %s, %s, %s, %s)', $sender_id, $dat['id'], $dt, sqlesc($subject), sqlesc($msg));
    }
    if (empty($msgValues)) {
        break;
    }
    $sql = "INSERT INTO messages (sender, receiver, added,  subject, msg) VALUES " . implode(', ', $msgValues);
    sql_query($sql);
    $page++;
}

header("Location: staffmess.php?sent=1");
?>
init 2020-12-26 01:42:23 +08:00			`<?php`
add composer 2021-01-13 19:32:26 +08:00			`require "../include/bittorrent.php";`
init 2020-12-26 01:42:23 +08:00			`if ($_SERVER["REQUEST_METHOD"] != "POST")`
			`stderr("Error", "Permission denied!");`
			`dbconn();`
modal show global 2022-08-10 17:38:05 +08:00			`loggedinorreturn();`
init 2020-12-26 01:42:23 +08:00
			`if (get_user_class() < UC_ADMINISTRATOR)`
			`stderr("Sorry", "Permission denied.");`

			`$sender_id = ($_POST['sender'] == 'system' ? 0 : (int)$CURUSER['id']);`
			`$dt = sqlesc(date("Y-m-d H:i:s"));`
			`$msg = trim($_POST['msg']);`
			`if (!$msg)`
			`stderr("Error","Don't leave any fields blank.");`
			`$updateset = $_POST['clases'];`
			`if (is_array($updateset)) {`
修复3个安全漏洞 (#15) * 修复趣味盒未授权访问漏洞趣味盒页面未做鉴权游客可以任意查看或发送内容 * 修复sql注入漏洞 * 修复sql注入详见描述代码第19行 if (!is_valid_id($class) && $class != 0) 如果class 为"sleep(5)" 虽然过不了is_valid_id校验但是由于php 弱类型非数字开头的字符串最终会判断为 $class = 0 绕过了校验另外建议is_valid_id 改为更直接的intval 将用户输入的的数据强制转换成int 防止sql注入 2021-05-19 13:49:41 +08:00			`foreach ($updateset as &$class) {`
			`$class=intval($class);`
init 2020-12-26 01:42:23 +08:00			`if (!is_valid_id($class) && $class != 0)`
			`stderr("Error","Invalid Class");`
			`}`
			`}else{`
			`if (!is_valid_id($updateset) && $updateset != 0)`
			`stderr("Error","Invalid Class");`
			`}`
			`$subject = trim($_POST['subject']);`
modal show global 2022-08-10 17:38:05 +08:00			`$size = 10000;`
			`$page = 1;`
			`set_time_limit(300);`
add role filter to bulk message 2022-09-20 18:47:33 +08:00			`$conditions = [];`
			`if (!empty($_POST['classes'])) {`
			`$conditions[] = "class IN (" . implode(', ', $_POST['classes']) . ")";`
			`}`
			`$conditions = apply_filter("role_query_conditions", $conditions, $_POST);`
			`if (empty($conditions)) {`
			`stderr("Error","No valid filter");`
			`}`
			`$whereStr = implode(' OR ', $conditions);`
modal show global 2022-08-10 17:38:05 +08:00			`while (true) {`
fix stassmess 2022-08-11 23:41:11 +08:00			`$msgValues = [];`
modal show global 2022-08-10 17:38:05 +08:00			`$offset = ($page - 1) * $size;`
add role filter to bulk message 2022-09-20 18:47:33 +08:00			$query = sql_query("SELECT id FROM users WHERE ($whereStr) and `enabled` = 'yes' and `status` = 'confirmed' limit $offset, $size");
modal show global 2022-08-10 17:38:05 +08:00			`while($dat=mysql_fetch_assoc($query))`
			`{`
			`$msgValues[] = sprintf('(%s, %s, %s, %s, %s)', $sender_id, $dat['id'], $dt, sqlesc($subject), sqlesc($msg));`
			`}`
fix stassmess 2022-08-11 23:41:11 +08:00			`if (empty($msgValues)) {`
modal show global 2022-08-10 17:38:05 +08:00			`break;`
			`}`
			`$sql = "INSERT INTO messages (sender, receiver, added, subject, msg) VALUES " . implode(', ', $msgValues);`
			`sql_query($sql);`
			`$page++;`
init 2020-12-26 01:42:23 +08:00			`}`

fix: Change Refresh into Location If use Refresh, it will not work on some browser and some protocols (e.g. HTTP/2). So, change Refresh into Location. Signed-off-by: SPC <github@spcsky.com> 2025-02-19 19:46:51 +08:00			`header("Location: staffmess.php?sent=1");`
init 2020-12-26 01:42:23 +08:00			`?>`