Fix some potential security hazards

2026-04-03 14:10:57 +08:00 · 2023-05-20 00:17:17 +08:00
parent 167af06cfa
commit fa95279e66
11 changed files with 16 additions and 15 deletions
--- a/config/sanctum.php
+++ b/config/sanctum.php
@@ -29,7 +29,7 @@ return [
    |
    */

-    'expiration' => null,
+    'expiration' => 129600,

    /*
    |--------------------------------------------------------------------------
--- a/include/constants.php
+++ b/include/constants.php
@@ -1,6 +1,6 @@
 <?php
 defined('VERSION_NUMBER') || define('VERSION_NUMBER', '1.8.4');
-defined('RELEASE_DATE') || define('RELEASE_DATE', '2023-05-15');
+defined('RELEASE_DATE') || define('RELEASE_DATE', '2023-05-20');
 defined('IN_TRACKER') || define('IN_TRACKER', false);
 defined('PROJECTNAME') || define("PROJECTNAME","NexusPHP");
 defined('NEXUSPHPURL') || define("NEXUSPHPURL","https://nexusphp.org");
--- a/public/attachment.php
+++ b/public/attachment.php
@@ -230,7 +230,7 @@ if ($Attach->enable_attachment())
 				$dlkey = md5($db_file_location.".".$ext);
 				sql_query("INSERT INTO attachments (userid, width, added, filename, filetype, filesize, location, dlkey, isimage, thumb) VALUES (".$CURUSER['id'].", ".$width.", ".sqlesc(date("Y-m-d H:i:s")).", ".sqlesc($origfilename).", ".sqlesc($filetype).", ".$filesize.", ".sqlesc($db_file_location.".".$ext).", ".sqlesc($dlkey).", ".($isimage ? 1 : 0).", ".($hasthumb ? 1 : 0).")") or sqlerr(__FILE__, __LINE__);
 				$count_left--;
-				if (!empty($_REQUEST['callback_func'])) {
+				if (!empty($_REQUEST['callback_func']) && preg_match('/^preview_custom_field_image_\d+$/', $_REQUEST['callback_func'])) {
 				    $url = $httpdirectory_attachment."/".$db_file_location . ".$ext";
                    if ($hasthumb) {
                        $url .= ".thumb.jpg";
--- a/public/faqactions.php
+++ b/public/faqactions.php
@@ -36,7 +36,7 @@ function clear_faq_cache()

 // ACTION: reorder - reorder sections and items
 if (isset($_GET['action']) && $_GET['action'] == "reorder") {
-	foreach($_POST[order] as $id => $position) sql_query("UPDATE `faq` SET `order`=".sqlesc($position)." WHERE id=".sqlesc($id)) or sqlerr();
+	foreach($_POST['order'] as $id => $position) sql_query("UPDATE `faq` SET `order`=".sqlesc($position)." WHERE id=".sqlesc($id)) or sqlerr();
 	header("Location: " . get_protocol_prefix() . "$BASEURL/faqmanage.php");
 	die;
 }
@@ -113,7 +113,7 @@ elseif (isset($_GET['action']) && $_GET['action'] == "editsect" && $_POST['id']

 // ACTION: delete - delete a section or item
 elseif (isset($_GET['action']) && $_GET['action'] == "delete" && isset($_GET['id'])) {
-	if ($_GET[confirm] == "yes") {
+	if ($_GET['confirm'] == "yes") {
 		sql_query("DELETE FROM `faq` WHERE `id`=".sqlesc(intval($_GET['id'] ?? 0))." LIMIT 1") or sqlerr();
 		header("Location: " . get_protocol_prefix() . "$BASEURL/faqmanage.php");
 		die;
@@ -122,7 +122,8 @@ elseif (isset($_GET['action']) && $_GET['action'] == "delete" && isset($_GET['id
 		stdhead("FAQ Management");
 		begin_main_frame();
 		print("<h1 align=\"center\">Confirmation required</h1>");
-		print("<table border=\"1\" cellspacing=\"0\" cellpadding=\"5\" align=\"center\" width=\"95%\">\n<tr><td align=\"center\">Please click <a href=\"faqactions.php?action=delete&id={$_GET['id']}&confirm=yes\">here</a> to confirm.</td></tr>\n</table>\n");
+        $id = intval($_GET['id'] ?? 0);
+		print("<table border=\"1\" cellspacing=\"0\" cellpadding=\"5\" align=\"center\" width=\"95%\">\n<tr><td align=\"center\">Please click <a href=\"faqactions.php?action=delete&id={$id}&confirm=yes\">here</a> to confirm.</td></tr>\n</table>\n");
 		end_main_frame();
 		stdfoot();
 	}
--- a/public/friends.php
+++ b/public/friends.php
@@ -65,7 +65,7 @@ if ($action == 'delete')
 {
 	$targetid = $_GET['targetid'];
 	$sure = $_GET['sure'];
-	$type = $_GET['type'];
+	$type = htmlspecialchars($_GET['type']);

 	if ($type == 'friend')
 	$typename = $lang_friends['text_friend'];
--- a/public/ipsearch.php
+++ b/public/ipsearch.php
@@ -8,7 +8,7 @@ if (!user_can('userprofile'))
 	permissiondenied();
 else
 {
-	$ip = trim($_GET['ip']);
+	$ip = htmlspecialchars(trim($_GET['ip']));
 	if ($ip)
 	{
 		$regex = "/^(((1?\d{1,2})|(2[0-4]\d)|(25[0-5]))(\.\b|$)){4}$/";
--- a/public/staffbox.php
+++ b/public/staffbox.php
@@ -133,7 +133,7 @@ stdfoot();
       //////////////////////////

 if ($action == "answermessage") {
-        $answeringto = $_GET["answeringto"];
+        $answeringto = intval($_GET["answeringto"] ?? 0);
        $receiver = intval($_GET["receiver"] ?? 0);

        int_check($receiver,true);
--- a/public/subtitles.php
+++ b/public/subtitles.php
@@ -95,7 +95,7 @@ if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST["action"]) && $_POST["a
 	//start process torrent ID
 	if(!$_POST["torrent_id"])
 	{
-		echo($lang_subtitles['std_missing_torrent_id']."$file[name]</b></font> !");
+		echo($lang_subtitles['std_missing_torrent_id'].htmlspecialchars($file['name'])."</b></font> !");
 		exit;
 	}
 	else
--- a/public/userhistory.php
+++ b/public/userhistory.php
@@ -5,7 +5,7 @@ require_once(get_langfile_path());
 loggedinorreturn();

 parked();
-$userid = $_GET["id"];
+$userid = intval($_GET["id"] ?? 0);
 int_check($userid,true);

 if ($CURUSER["id"] != $userid && !user_can('viewhistory'))
--- a/public/viewnfo.php
+++ b/public/viewnfo.php
@@ -4,7 +4,7 @@ dbconn();
 require_once(get_langfile_path());
 loggedinorreturn();
 parked();
-$id = $_GET["id"];
+$id = intval($_GET["id"] ?? 0);
 if (!user_can('viewnfo') || !is_valid_id($id) || $enablenfo_main != 'yes')
 permissiondenied();

--- a/public/viewrequests.php
+++ b/public/viewrequests.php
@@ -7,7 +7,7 @@ loggedinorreturn();
 parked();

 if (isset($_GET['id'])) {
-    $_GET['id'] = htmlspecialchars($_GET['id']);
+    $_GET['id'] = intval($_GET['id'] ?? 0);
 }
 $action = isset($_POST['action']) ? htmlspecialchars($_POST['action']) : (isset($_GET['action']) ? htmlspecialchars($_GET['action']) : '');
 $allowed_actions = array("list", "new", "newmessage", "view", "edit", "takeedit", "takeadded", "res", "takeres", "addamount", "delete", "confirm", "message", "search");
@@ -200,7 +200,7 @@ else {
                print(
                    "<form id=edit method=post name=edit action=viewrequests.php >\n
 		<input type=hidden name=action  value=takeedit >
-		<input type=hidden name=reqid  value=" . $_GET["id"] . " >
+		<input type=hidden name=reqid  value=" . intval($_GET["id"] ?? 0) . " >
 		");
                print("<table width=100% cellspacing=0 cellpadding=3><tr><td class=colhead align=center colspan=2>{$lang_functions['title_edit']}{$lang_viewrequests['request']}</td></tr>");
                tr("{$lang_functions['col_name']}：", "<input name=request value=\"" . $arr["request"] . "\" size=134 ><br/>", 1);
@@ -247,7 +247,7 @@ else {


                print(
-                    "<form id=reply name=reply method=post action=viewrequests.php >\n<input type=hidden name=action value=message ><input type=hidden name=id value=" . $_GET["id"] . " >\n");
+                    "<form id=reply name=reply method=post action=viewrequests.php >\n<input type=hidden name=action value=message ><input type=hidden name=id value=" . intval($_GET["id"] ?? 0) . " >\n");
                print("<table width=100% cellspacing=0 cellpadding=3>\n");

                print("<tr><td class=rowfollow align=left>");