
remove breaking get_magic_quotes_gpc

master
Nils 7 months ago
parent
commit
093070db51
2 changed files with 47 additions and 41 deletions
  1. README.txt (+27, -7)
  2. lib/utf8safe.php (+20, -34)

README.txt (+27, -7)

@@ -1,3 +1,23 @@
Install-Log Uberspace

Hat erstmal nicht geklappt. Error 500. Logs angemacht: https://manual.uberspace.de/web-logs.html
[Fri Apr 03 17:09:15 2020] [alert] [pid 26989] config.c(2230): [client 2a0a:a541::] /var/www/virtual/luduceda/html/bugs/.htaccess: Option FollowSymLinks not allowed here

Falls Sie symbolische Links verwenden möchten, ersetzen Sie alle Vorkommen von „FollowSymLinks“ durch „SymLinksIfOwnerMatch“. Beispiel:
Options +SymLinksIfOwnerMatch
Das war nur einmal drin ganz oben.

mods.txt angelegt, nach anleitung. laborejo. dann members.txt angelegt: nils, lss angelegt und dann direkt nen eintrag gemacht um die namen zu schützen. Alle drei das gleiche pw:

Ich habe ein subforum Done angelegt (s. README des Forums) wo ich erledigte reinschiebe. Den Titel zu ändern ist schwer möglich.





Original Manual


NoNonsense Forum v26 © Copyright (CC-BY) Kroc Camen 2010-2015
========================================================================
A simple forum that focuses on discussion and simplicity.
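Review bot: the README now opens with a site-specific install log ahead of the project's own manual, and that log records details that should not be committed or published with the forum: the quoted Apache error line carries the deployment's full document root under /var/www/virtual/luduceda/html/bugs/ and part of a client address, and the account notes end with "Alle drei das gleiche pw:" (all three accounts share one password). Suggest keeping deployment notes in a separate, uncommitted file, never recording credential details in a README, and giving the admin and each mod account a distinct password so that one leaked password does not hand over all three. The FollowSymLinks to SymLinksIfOwnerMatch substitution itself is the right fix for the "Option FollowSymLinks not allowed here" error.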
@@ -42,7 +62,7 @@ Contents:
========================================================================
[1.1] Set Up:
------------------------------------------------------------------------
The first thing you need to do is provide a username for the admin,
The first thing you need to do is provide a username for the admin,
and any moderators you would like

* Create a "mods.txt" file in the forum / sub-forum
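Review bot: this hunk, like the remaining README hunks below it and most of the lib/utf8safe.php hunks, shows no visible textual difference between the removed and added line (the same line appears twice), which points to a whitespace or line-ending-only change. Those changes are unrelated to what the commit message says ("remove breaking get_magic_quotes_gpc") and bury the one functional hunk among many noise hunks; suggest committing the whitespace normalisation separately, or configuring the editor not to rewrite line endings, so the functional change can be reviewed on its own.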
@@ -61,7 +81,7 @@ SpeedoJoe

* Mods in sub-forums ("/news/mods.txt") can only moderate in that
sub-forum
NOTE: Make sure that admin and mod accounts are created (by posting
once), otherwise anybody could steal the name and take control!

@@ -134,7 +154,7 @@ of a forum, regardless of page.

* To un/lock or un/sticky a thread, first sign-in as the admin

* Click the Un/Lock or Un/Sticky thread button
* Click the Un/Lock or Un/Sticky thread button


[5] Forum Locking:
@@ -165,7 +185,7 @@ have moderator powers; they are your participants in restricted forums.

* Members of the root forum are not automatically members of all
sub-forums (unlike mods)
* Members must sign-in to be able to post in locked forums

[5.2] A Note on Private Forums:
@@ -198,7 +218,7 @@ Name Issue
------------------------------------------------------------------------
1seann [github]
* Discovering path error in sitemap.xml
bh8(dot)vn & zuchto
* Suggestion to improve transliteration further
* Fallback if "iconv" is missing
@@ -213,7 +233,7 @@ David Hund

folderol
* Reporting of Apache "NOYB" identifier
fyra
* IDN URLs
* UTF-8 characters no longer hex-encoded in the output
@@ -316,4 +336,4 @@ Temukki
* Delete page missing
* Timezone option

Anybody else forgotten along the way, get in touch.
Anybody else forgotten along the way, get in touch.

lib/utf8safe.php (+20, -34)

@@ -4,7 +4,7 @@
v1 copyright © Kroc Camen <kroc@camendesign.com> 2012-2015, licenced under Creative Commons Attribution 3.0 licence
you may do whatever you want with this code as long as you give credit
special thanks to Zegnat for help and support with UTF-8
*//*
*//*
who / what is the utf8safe library for?
====================================================================================================================== */
/* this set of functions applies to all developers of all skill levels, but especially those new to PHP
@@ -16,7 +16,7 @@
language that actually understood that there was this thing out there called the World Wide Web and that it's actually
quite popular and that, if you don't escape things properly, bad things happen -- we must instead fret over every input
and output just like the days before buffer overflow protections in C/C++
the utf8safe library therefore provides *help* (but only where the developer is wise enough to use it) in making sure
your inputs are safe to begin with and that when you output to HTML, some nasty won't manage to flow through your code,
tucked away in a string, and land on the page intact & dangerous
@@ -28,7 +28,7 @@
//default to UTF-8 in multi-byte functions throughout PHP
mb_internal_encoding ('UTF-8');
mb_regex_encoding ('UTF-8');
/* UTF-7 XSS protection
---------------------------------------------------------------------------------------------------------------------- */
//failure to explicitly define a character set, either by HTTP header or meta tag, can result in IE defaulting to UTF-7
@@ -42,20 +42,6 @@ header ('Content-Type: text/html; charset=UTF-8');
contents of your inputs (SQL/HTML injection, XSS &c.), and always safely combine strings (`safeURL`) and output safely
(`safeHTML`), but this process helps against the less-obvious Unicode-based attacks */
function preprocess_superglobals () {
/* "magic quotes" was a rather weak attempt at preventing injection attacks by automatically escaping the inputs
(`$_GET`, `$_POST` & `$_COOKIE`) with slashes (i.e. "won\'t"). this is however only relevant for SQL and not
HTML so introduces more complications in processing and outputting. this feature is removed entirely in PHP5.4.
if magic quotes is on, we strip the extra slashes from the inputs so as to normalise behaviour across different
servers and PHP versions */
if (get_magic_quotes_gpc ()) {
//great care has to be taken to pass and process the superglobals by reference
$gpc = array (&$_GET, &$_POST, &$_COOKIE, &$_ENV);
//drill through the selected superglobals, applying `stripslashes`
foreach ($gpc as &$_) array_walk_recursive ($_, create_function (
'&$value, $key',
'if (is_string ($value)) $value = stripslashes ($value);'
));
}
//magic quotes only applies to GET, POST, COOKIE & ENV, but we'll need to run the other sanitising functions
//on all the superglobals
$all = array (
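Review bot: removing the whole get_magic_quotes_gpc() branch is the right fix: get_magic_quotes_gpc() always returns false from PHP 5.4 on, is deprecated in 7.4 and removed in 8.0, and the create_function() call inside the branch is itself deprecated since 7.2 and removed in 8.0 (it compiles its callback from a string the same way eval() does, so dropping it is worthwhile on its own). One follow-up: the comment that survives the deletion, "magic quotes only applies to GET, POST, COOKIE & ENV, but we'll need to run the other sanitising functions on all the superglobals", now refers to code that no longer exists and should be reworded to just say that every superglobal is walked with safeUTF8. It is also worth stating the new minimum PHP version in the README, since on a pre-5.4 host with magic_quotes_gpc enabled, inputs will now keep their added backslashes instead of being normalised.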
@@ -65,7 +51,7 @@ function preprocess_superglobals () {
&$_POST, //form-submitted parameters
&$_FILES, //uploaded files
&$_COOKIE,
&$_SESSION,
&$_SESSION,
&$_ENV //environment variables
);
foreach ($all as &$_) if (!is_null ($_)) array_walk_recursive ($_, 'safeUTF8');
@@ -85,12 +71,12 @@ function safeUTF8 (
//when `mb_convert_encoding` is used below, we want it to use the recommended Unicode replacement character
//rather than just "?" <stackoverflow.com/a/13695364>
mb_substitute_character(0xFFFD);
//what's given could be any imaginable encoding, normalise it into UTF-8 though it may not yet be web-safe.
//adapted from <php.net/mb_check_encoding#89286>, with thanks to Zegnat. this works by importing the current byte
//stream into UTF-32 which has enough scope to contain any other encoding, then downsizing in to UTF-8
$text = mb_convert_encoding (mb_convert_encoding ($text, 'UTF-32', 'UTF-8'), 'UTF-8', 'UTF-32');
//remove Unicode bytes unsafe for XML: <www.w3.org/TR/REC-xml/#charsets>
$text = preg_replace (
//remove everything except:
@@ -99,7 +85,7 @@ function safeUTF8 (
//#10000-#10FFFF: extended Unicode space (mostly empty, but harmless)
'/[^\x{0009}\x{000a}\x{000d}\x{0020}-\x{D7FF}\x{E000}-\x{FFFD}\x{10000}-\x{10FFFF}]+/u', '',
$text);
//remove "compatibility characters" and "permanently undefined Unicode characters",
//see note proceeding: <www.w3.org/TR/REC-xml/#charsets>
$text = preg_replace (
@@ -112,13 +98,13 @@ function safeUTF8 (
'\x{9FFFE}\x{9FFFF}\x{AFFFE}\x{AFFFF}\x{BFFFE}\x{BFFFF}\x{CFFFE}\x{CFFFF}'.
'\x{DFFFE}\x{DFFFF}\x{EFFFE}\x{EFFFF}\x{FFFFE}\x{FFFFF}\x{10FFFE}\x{10FFFF}]+/u',
'', $text);
//TODO: strip invalid byte-sequences
//see: http://stackoverflow.com/a/13695364
//Some interesting references:
//http://www.php.net/manual/en/reference.pcre.pattern.modifiers.php#54805
//we still need to return, despite the by-reference parameter because use of anonymous variables and functions
//for the call will not be by-reference
return $text;
@@ -162,16 +148,16 @@ function safeTransliterate ($text) {
Chinese, Japanese and more into ASCII! however, we use our manual (and crude) fallback *first* instead because
we will take the liberty of transliterating some things into more readable ASCII-friendly forms,
e.g. "100℃" > "100degc" instead of "100oc" */
/* manual transliteration list:
-------------------------------------------------------------------------------------------------------------- */
/* this list is supposed to be practical, not comprehensive, representing:
1. the most common accents and special letters that get typed, and
2. the most practical transliterations for readability;
given that I know nothing of other languages, I will need your assistance to improve this list,
mail <kroc@camendesign.com> with help and suggestions.
this data was produced with the help of:
http://www.unicode.org/charts/normalization/
http://www.yuiblog.com/sandbox/yui/3.3.0pr3/api/text-data-accentfold.js.html
@@ -194,7 +180,7 @@ function safeTransliterate ($text) {
'u' => '/[ÙŨŪŬŮŰŲƯǓȔȖṲṴṶṸṺỤỦỨỪỬỮỰùũūŭůűųưǔȕȗṳṵṷṹṻụủứừửữựµ]/u',
'v' => '/[ṼṾṽṿ]/u', 'w' => '/[ŴẀẂẄẆẈŵẁẃẅẇẉẘ]/u',
'x' => '/[ẊẌẋẍ×]/u', 'y' => '/[ÝŶŸȲẎỲỴỶỸýÿŷȳẏẙỳỵỷỹ]/u',
'z' => '/[ŹŻŽẐẒẔźżžẑẓẕ]/u',
'z' => '/[ŹŻŽẐẒẔźżžẑẓẕ]/u',
//combined letters and ligatures:
'ae' => '/[ÄǞÆǼǢäǟæǽǣ]/u', 'oe' => '/[ÖȪŒöȫœ]/u',
'dz' => '/[DŽDžDZDzdždz]/u',
@@ -211,18 +197,18 @@ function safeTransliterate ($text) {
);
//do the manual transliteration first
$text = preg_replace (array_values ($translit), array_keys ($translit), $text);
//flatten the text down to just a-z0-9 underscore and dash for spaces
//(<www.mattcutts.com/blog/dashes-vs-underscores/>)
$text = preg_replace (
//replace non a-z //de-duplicate //trim from start & end
array ('/[^_a-z0-9-]/i', '/-{2,}/', '/^-|-$/'),
array ('-', '-', '' ),
/* attempt transliteration with PHP5.4's transliteration engine (best):
(this method can handle near anything, including converting Chinese and Arabic letters to ASCII.
requires the 'intl' extension to be enabled) */
//check if the transliterator is present (PHP 5.4+)
function_exists ('transliterator_transliterate')
/* even though the server might be on PHP5.4+ it might not have the transliteration libraries installed
@@ -250,7 +236,7 @@ function safeTransliterate ($text) {
//the letter stripping above
'Lower',
$text)
//attempt transliteration with iconv: <php.net/manual/en/function.iconv.php>
: strtolower (function_exists ('iconv') ? str_replace (array ("'", '"', '`', '^', '~'), '', strtolower (
//note: results of this are different depending on iconv version,
@@ -258,9 +244,9 @@ function safeTransliterate ($text) {
iconv ('UTF-8', 'US-ASCII//IGNORE//TRANSLIT', $text)
)) : $text)
);
//old iconv versions and certain inputs may cause a null-string. don't allow a blank response
return !$text ? '_' : $text;
}

?>
?>
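Review bot: the duplicated `?>` shows this hunk only changes the whitespace around the closing PHP tag. Since lib/utf8safe.php is an include-only library file, any byte after `?>` is sent as output at include time, which makes later header() or session calls in the including script fail with "headers already sent"; suggest removing the closing `?>` entirely, the usual convention for PHP library files, rather than adjusting the whitespace that follows it.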
