From bb81e9e0c37a302d4ae7e30aca53f5c3f2e9b404 Mon Sep 17 00:00:00 2001 From: 8chan Date: Sat, 20 Dec 2014 14:00:48 -0800 Subject: [PATCH 1/6] Fix weird "Default object created from empty vlaue" error Looks like $file can be NULL sometimes, though that should be illegal. Probably an unfixed post.php bug... --- inc/display.php | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/inc/display.php b/inc/display.php index 9561c4b8..929f2a91 100644 --- a/inc/display.php +++ b/inc/display.php @@ -357,9 +357,14 @@ class Post { if (isset($this->files) && $this->files) { $this->files = json_decode($this->files); // Compatibility for posts before individual file hashing - foreach ($this->files as &$file) + foreach ($this->files as $i => &$file) { + if (empty($file)) { + unset($this->files[$i]); + continue; + } if (!isset($file->hash)) $file->hash = $this->filehash; + } } $this->subject = utf8tohtml($this->subject); From 906611e7ac744ff3f59df713aaa965a90f637aea Mon Sep 17 00:00:00 2001 From: 8chan Date: Sat, 20 Dec 2014 14:02:03 -0800 Subject: [PATCH 2/6] Don't expand webm or YouTube videos on js/expand-all-images.js --- js/expand-all-images.js | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/js/expand-all-images.js b/js/expand-all-images.js index 82ea6340..6d7b4ca0 100644 --- a/js/expand-all-images.js +++ b/js/expand-all-images.js @@ -23,6 +23,14 @@ onready(function(){ .text(_('Expand all images')) .click(function() { $('a img.post-image').each(function() { + // Don't expand YouTube embeds + if ($(this).parent().parent().hasClass('video-container')) + return; + + // or WEBM + if (/^\/player\.php\?/.test($(this).parent().attr('href'))) + return; + if (!$(this).parent()[0].dataset.expanded) $(this).parent().click(); }); From 87e914948b0942efdd5effd43c98662a7234b0fe Mon Sep 17 00:00:00 2001 
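Review bot: The reference created by `foreach ($this->files as $i => &$file)` remains bound to the last element after the loop and the hunk never releases it, so any later assignment to `$file` in this method would silently overwrite that array entry; add `unset($file);` after the new closing brace. Removing entries with `unset($this->files[$i])` also leaves `$this->files` with gaps, which would serialise as an object rather than a list if it is ever passed back through `json_encode` — worth a one-line comment if that is acceptable. Since the commit message attributes the NULL entry to an unfixed bug elsewhere, consider recording the post when an entry is discarded (an `error_log()` with the post id, for instance) so the origin can be traced instead of masked. The enclosing method continues outside the hunk.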
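Review bot: The two new guards call `$(this).parent()` three more times per image on top of the existing two calls below; caching it once with `var $link = $(this).parent();` and testing `$link.parent().hasClass('video-container')` and `$link.attr('href')` avoids the repeated traversal and reads more clearly. The WEBM test only recognises a root-relative `/player.php?` href, so a player link written with a full URL or under a different base path would still be expanded like an image — hedged, since the link format is not visible on this page. The enclosing click handler continues outside the hunk.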
From: 8chan Date: Wed, 24 Dec 2014 06:08:19 -0800 Subject: [PATCH 3/6] SECURITY / XSS : ?/edit allowed arbitrary HTML to be added by any user thru addition of 1 This allowed ANY user with ?/edit privilege to also have raw_html regardless of whether they had $config['mod']['rawhtml'] Now, any changes to markup modifiers via ?/edit are not allowed. They are removed at read time, and before write they are removed again and the ones in the database (which should be clean...) are inserted instead. Please immediately apply this patch to your instance if you are running any version of 8chan/infinity. --- inc/functions.php | 4 ++++ inc/mod/pages.php | 20 +++++++++++++++++--- 2 files changed, 21 insertions(+), 3 deletions(-) diff --git a/inc/functions.php b/inc/functions.php index e72708fd..ca58bbfa 100755 --- a/inc/functions.php +++ b/inc/functions.php @@ -1707,6 +1707,10 @@ function extract_modifiers($body) { return $modifiers; } +function remove_modifiers($body) { + return preg_replace('@(.+?)@usm', '', $body); +} + function markup(&$body, $track_cites = false, $op = false) { global $board, $config, $markup_urls; diff --git a/inc/mod/pages.php b/inc/mod/pages.php index a933f95a..46dc4613 100644 --- a/inc/mod/pages.php +++ b/inc/mod/pages.php @@ -1599,6 +1599,15 @@ function mod_edit_post($board, $edit_raw_html, $postID) { error($config['error']['404']); if (isset($_POST['name'], $_POST['email'], $_POST['subject'], $_POST['body'])) { + // Remove any modifiers they may have put in + $_POST['body'] = remove_modifiers($_POST['body']); + + // Add back modifiers in the original post + $modifiers = extract_modifiers($post['body_nomarkup']); + foreach ($modifiers as $key => $value) { + $_POST['body'] .= "$value"; + } + if ($edit_raw_html) $query = prepare(sprintf('UPDATE ``posts_%s`` SET `name` = :name, `email` = :email, `subject` = :subject, `body` = :body, `body_nomarkup` = :body_nomarkup, `edited_at` = NOW() WHERE `id` = :id', $board)); else 
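Review bot: `remove_modifiers()` has no docblock, and the pattern as it appears on this page, `'@(.+?)@usm'`, seems to have lost its tag delimiters in rendering — a bare `(.+?)` would strip the entire body, so confirm the pattern in the file matches what `extract_modifiers()` recognises. A header such as `/** Strip every markup-modifier tag from $body so an editor cannot smuggle in privileged modifiers; returns the cleaned body, or null on PCRE failure. */` would document the security intent. With the `u` flag, `preg_replace` returns null on invalid UTF-8 input, and the caller in inc/mod/pages.php then appends the stored modifiers to a null body and saves it, silently discarding the edit; check `=== null` (or `preg_last_error()`) and call `error()` so the failure is visible rather than stored.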
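Review bot: The modifiers recovered by `extract_modifiers($post['body_nomarkup'])` are appended to the end of `$_POST['body']` rather than restored at their original positions, so on every edit any tag whose meaning depends on placement would move; a comment on the `foreach` stating that position is irrelevant for these tags would settle that, otherwise it should be noted as a limitation. The append `$_POST['body'] .= "$value";` as shown here appears to have lost its surrounding tag markup in rendering, so verify that the re-inserted form is exactly what `extract_modifiers()` parses, or a tag would be dropped on the next edit. `$post` is consumed before it is visibly assigned — it comes from earlier in `mod_edit_post`, outside the hunk.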
@@ -1656,15 +1665,20 @@ function mod_edit_post($board, $edit_raw_html, $postID) { header('Location: ?/' . sprintf($config['board_path'], $board) . $config['dir']['res'] . sprintf($config['file_page'], $post['thread'] ? $post['thread'] : $postID) . '#' . $postID, true, $config['redirect_http']); } else { + // Remove modifiers + $post['body_nomarkup'] = remove_modifiers($post['body_nomarkup']); + + $post['body_nomarkup'] = utf8tohtml($post['body_nomarkup']); + $post['body'] = utf8tohtml($post['body']); if ($config['minify_html']) { - $post['body_nomarkup'] = str_replace("\n", ' ', utf8tohtml($post['body_nomarkup'])); - $post['body'] = str_replace("\n", ' ', utf8tohtml($post['body'])); + $post['body_nomarkup'] = str_replace("\n", ' ', $post['body_nomarkup']); + $post['body'] = str_replace("\n", ' ', $post['body']); $post['body_nomarkup'] = str_replace("\r", '', $post['body_nomarkup']); $post['body'] = str_replace("\r", '', $post['body']); $post['body_nomarkup'] = str_replace("\t", ' ', $post['body_nomarkup']); $post['body'] = str_replace("\t", ' ', $post['body']); } - + mod_page(_('Edit post'), 'mod/edit_post_form.html', array('token' => $security_token, 'board' => $board, 'raw' => $edit_raw_html, 'post' => $post)); } } From d63dea93c52cab59b926e12daa2de36cdb1d4e3c Mon Sep 17 00:00:00 2001 From: 8chan Date: Wed, 24 Dec 2014 06:14:04 -0800 Subject: [PATCH 4/6] Remove links from ban list --- inc/bans.php | 11 +++++++++++ tools/hide_bans_links.php | 34 ++++++++++++++++++++++++++++++++++ 2 files changed, 45 insertions(+) create mode 100644 tools/hide_bans_links.php diff --git a/inc/bans.php b/inc/bans.php index 215ff279..fed34938 100644 --- a/inc/bans.php +++ b/inc/bans.php 
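Review bot: Hoisting `utf8tohtml()` out of the `minify_html` branch changes what the template receives when `$config['minify_html']` is off: in the removed lines `body` and `body_nomarkup` only passed through `utf8tohtml()` inside that branch, so in that configuration they reached `mod/edit_post_form.html` unescaped, whereas now they are always escaped. That is the safer default, but if the template escapes the textarea contents itself the form will now show double-encoded entities, so add a comment on the two `utf8tohtml` lines stating that the template is expected to output these values raw — inferred, as the template is not on this page. The removed and re-added blank line is whitespace only. `mod_edit_post` begins outside the hunk.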
@@ -322,6 +322,17 @@ class Bans { if ($post) { $post['board'] = $board['uri']; + $match_urls = '(?xi)\b((?:https?://|www\d{0,3}[.]|[a-z0-9.\-]+[.][a-z]{2,4}/)(?:[^\s()<>]+|\(([^\s()<>]+|(\([^\s()<>]+\)))*\))+(?:\(([^\s()<>]+|(\([^\s()<>]+\)))*\)|[^\s`!()\[\]{};:\'".,<>?«»“”‘’]))'; + + $matched = array(); + + preg_match_all("#$match_urls#im", $post['body_nomarkup'], $matched); + + if (isset($matched[0]) && $matched[0]) { + $post['body'] = str_replace($matched[0], '###Link-Removed###', $post['body']); + $post['body_nomarkup'] = str_replace($matched[0], '###Link-Removed###', $post['body_nomarkup']); + } + $query->bindValue(':post', json_encode($post)); } else $query->bindValue(':post', null, PDO::PARAM_NULL); diff --git a/tools/hide_bans_links.php b/tools/hide_bans_links.php new file mode 100644 index 00000000..5a8e02a6 --- /dev/null +++ b/tools/hide_bans_links.php @@ -0,0 +1,34 @@ +execute() or error(db_error($query)); +$num_bans = $query->rowCount(); +$iter = 0; + +while ($ban = $query->fetch(PDO::FETCH_ASSOC)) { + $iter++; + + if (!$ban['post']) + continue; + + $match_urls = '(?xi)\b((?:https?://|www\d{0,3}[.]|[a-z0-9.\-]+[.][a-z]{2,4}/)(?:[^\s()<>]+|\(([^\s()<>]+|(\([^\s()<>]+\)))*\))+(?:\(([^\s()<>]+|(\([^\s()<>]+\)))*\)|[^\s`!()\[\]{};:\'".,<>?«»“”‘’]))'; + + $matched = array(); + + $post = json_decode($ban['post']); + + preg_match_all("#$match_urls#im", $post->body_nomarkup, $matched); + + if (!isset($matched[0]) || !$matched[0]) + continue; + + $post->body = str_replace($matched[0], '###Link-Removed###', $post->body); + $post->body_nomarkup = str_replace($matched[0], '###Link-Removed###', $post->body_nomarkup); + + $update = prepare('UPDATE ``bans`` SET `post` = :post WHERE `id` = :id'); + $update->bindValue(':post', json_encode($post)); + $update->bindValue(':id', $ban['id']); + $update->execute() or error(db_error($update)); + echo "Processed $iter/$num_bans\n"; +} From f60c3f5935c94c85d5b4b7f2f2099a2cb181a369 Mon Sep 17 00:00:00 2001 
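Review bot: The return value of `preg_match_all("#$match_urls#im", $post['body_nomarkup'], $matched)` is never checked; the nested quantifiers in `$match_urls` can exhaust the PCRE backtrack limit on a long body, in which case the call returns false, `$matched` stays empty and the ban record is stored with its links intact, silently. Test for `false` and `preg_last_error()`, and on failure either refuse to store the post or replace it wholesale rather than continuing. The matches are taken from `body_nomarkup` but also substituted into the rendered `body`, where the same URL may appear in a different form (inside an `href` attribute or broken by markup), so links can survive in `body`; a comment recording that `body_nomarkup` is the authoritative field would make that trade-off explicit. The identical pattern and unchecked call are duplicated in tools/hide_bans_links.php; moving `$match_urls` and the replacement into one helper in inc/bans.php would keep the two in sync.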
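Review bot: `$post = json_decode($ban['post'])` is used without checking for a decode failure; on a malformed record `$post` is null, reading `$post->body_nomarkup` emits a notice and the row is skipped without any message, so guard it explicitly with `if (!$post) continue;` before the match. The `echo "Processed $iter/$num_bans\n"` only runs for rows that matched, so the printed counter skips numbers; moving the `echo` above the `continue` checks gives a monotonic progress count. The file's opening lines are not visible on this page (the hunk begins at `+execute() or error(...)`), so the `prepare()` call and file header could not be reviewed.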
From: 8chan Date: Wed, 24 Dec 2014 06:14:33 -0800 Subject: [PATCH 5/6] Preview board flags script --- inc/instance-config.php | 1 + js/flag-previews.js | 17 +++++++++++++++++ 2 files changed, 18 insertions(+) create mode 100644 js/flag-previews.js diff --git a/inc/instance-config.php b/inc/instance-config.php index de7affe2..91d1174c 100644 --- a/inc/instance-config.php +++ b/inc/instance-config.php @@ -141,6 +141,7 @@ $config['additional_javascript'][] = 'js/thread-stats.js'; $config['additional_javascript'][] = 'js/quote-selection.js'; $config['additional_javascript'][] = 'js/twemoji/twemoji.js'; + $config['additional_javascript'][] = 'js/flag-previews.js'; //$config['font_awesome_css'] = '/netdna.bootstrapcdn.com/font-awesome/4.0.3/css/font-awesome.css'; diff --git a/js/flag-previews.js b/js/flag-previews.js new file mode 100644 index 00000000..b9530b17 --- /dev/null +++ b/js/flag-previews.js @@ -0,0 +1,17 @@ +/* + * flag-previews.js - Preview board flags + * + * Copyright (c) 2014 Fredrick Brennan + * +*/ + +$(document).on('ready', function() { + var flag_previews = function() { + if (!$('.flag_preview').length) $('[name=user_flag]').after(''); + + $('.flag_preview').attr('src', "/static/custom-flags/" + board_name + "/" + $(this).val() + '.png'); + } + + $('[name=user_flag]').on('change', flag_previews); + $(window).on('quick-reply', function(){$('[name=user_flag]').on('change', flag_previews)}); +}); From 06885de829c191c21b1a34e711b48ecc7279521d Mon Sep 17 00:00:00 2001 From: 8chan Date: Wed, 24 Dec 2014 06:16:40 -0800 Subject: [PATCH 6/6] README update: we inifinity now --- README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 4292844d..4d0383e5 100644 --- a/README.md +++ b/README.md 
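Review bot: `board_name` is read as a bare global inside `flag_previews` with no check that it is defined; on a page that does not set it the change handler throws a ReferenceError and no preview appears, so guard with `if (typeof board_name === 'undefined') return;` at the top of the function. The selected value is concatenated into the image path without `encodeURIComponent($(this).val())`, so a value containing `/`, `?` or `#` would request the wrong path. The argument to `.after('')` is empty as rendered on this page, so the element it presumably inserts (the one later selected by `.flag_preview`) could not be reviewed; also, every `quick-reply` event re-binds the change handler on each matching select, which stacks duplicate handlers if the event fires more than once — hedged, as the event's frequency is not visible here.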
@@ -1,13 +1,13 @@ -8chan - The infinitely expanding imageboard. +infinity ======================================================== About ------------ -8chan is a fork of vichan, with the difference that 8chan is geared towards allowing users to create their own boards. +infinity is a fork of vichan, with the difference that 8chan is geared towards allowing users to create their own boards. A running instance is at https://8chan.co. -Most things (other than installation) that apply to upstream vichan also apply to 8chan. See their readme for a detailed FAQ: https://github.com/vichan-devel/vichan/blob/master/README.md +Most things (other than installation) that apply to upstream vichan also apply to infinity. See their readme for a detailed FAQ: https://github.com/vichan-devel/vichan/blob/master/README.md -If you are not interested in letting your users make their own boards, install vichan instead of 8chan. +If you are not interested in letting your users make their own boards, install vichan instead of infinity. Because I cannot be bothered to maintain `install.php`, the install process is as such: