
Fix #183: Apache "NOYB"

Apparently a common Apache identifier used to prevent version
identification. With thanks to folderol and Zegnat for reporting.
master
Kroc Camen 6 years ago
parent commit 9d075d7a7a
9 changed files with 118 additions and 100 deletions
  1. +5  -2   HISTORY.txt
  2. +5  -5   INSTALL.txt
  3. +78 -75  README.txt
  4. +4  -4   lib/functions.php
  5. +5  -5   lib/utf8safe.php
  6. +3  -1   start.php
  7. +9  -4   themes/greyscale/theme.css
  8. +0  -2   themes/greyscale/thread.html
  9. +9  -2   thread.php

+5 -2  HISTORY.txt

@@ -1,8 +1,10 @@
v26
* Stick and Unstick thread buttons when logged in as the Admin (the admin is now the first person listed in mods.txt)
* Fixed problems with transliteration when on PHP5.4 without all the necessary libs in place
* Stick and Unstick thread buttons when logged in as the Admin (the Admin is now the first person listed in mods.txt)
NOTE: the lock and unlock links have been changed into buttons, make sure to update custom translations / CSS!
* Windows 8 snap-view
* Apache version is now verified (1&1 are still using v1.3!)
* Apache version is now verified (1&1 are still using v1.3!),
also the Apache identifier "NOYB" (None Of Your Business) is skipped
* Updated to DOMTemplate v17, fix for major bug corrupting querystrings and attributes,
with thanks to Bruno Héridet for narrowing down and Zegnat for suggesting a fix
* Fix for `@name` corrupting posts when HTAccess off, with thanks to Stephen Taylor
@@ -10,6 +12,7 @@ v26
(this may break some permalinks if deleting a corrupted post before the last page)
* Delete and Append buttons have new icons to look less like voting buttons!
* Moved some functions into a new "utf-8 safe" library for sanitising input / output
- NOTE: Very incomplete. Will improve over multiple releases
- Declared UTF-8 in the content-type header to prevent UTF-7 attacks
- a `safeTrim` function to trim all kinds of whitespace outside of TAB / SPACE / CRLF
- the superglobals (`$_GET` / `$_POST` &c.) are preprocessed with `stripslashes`, `safeTrim` & UTF-8 safety

+5 -5  INSTALL.txt

@@ -10,7 +10,7 @@ Contents:
[1.2] Install using GIT
[1.3] Installation (continued)
[1.4] Updating NoNonsense Forum
[1.5] Running without HTAccess
[1.5] Running without HTAccess
[2] Customising
[2.1] 'config.php'
[2.2] 'theme.config.php'
@@ -24,8 +24,8 @@ Contents:
========================================================================
* PHP 5.2.3 or above
* Apache 2.1 or above, preferably with ".htaccess" files enabled
(though optional), or any other webserver, whereby NNF will
operate in "no-htaccess" mode
(though optional), or any other webserver, whereby NNF will
operate in "no-htaccess" mode

Browser support: (default 'greyscale' theme)
* IE6, 7, 8, 9, 10+
@@ -40,7 +40,7 @@ Browser support: (default 'greyscale' theme)
* Firefox Mobile
* Opera Mobile & Mini
* Amazon Kindle (e-ink) & Fire
* IE9/Mobile (untested)
* IE9/Mobile (untested)

Unsupported:
* Firefox 2 or earlier, Camino 1
@@ -134,7 +134,7 @@ aware of the impact of some new feature.

<github.com/Kroc/NoNonsenseForum/commits/master>

[1.5] Running without HTAccess:
[1.5] Running without HTAccess:
------------------------------------------------------------------------
NoNonsense Forum will automatically detect if the ".htaccess" file is
missing or disabled and automatically switch to running without.

+78 -75  README.txt

@@ -51,7 +51,7 @@ editing the RSS file. Instead, text can be appended to the end of posts.

[1.2] Post deleting:
------------------------------------------------------------------------
To avoid abuse, users cannot permenantly delete their own posts.
To avoid abuse, users cannot permanently delete their own posts.

* When a user deletes their post, the text is removed and
replaced with a message like "This post was deleted by its
@@ -59,7 +59,7 @@ To avoid abuse, users cannot permenantly delete their own posts.

* A moderator can delete any post, likewise

* A blanked-out deleted post can be removed permenantly from the
* A blanked-out deleted post can be removed permanently from the
thread by a moderator by deleting it again, but only if the
post is on the last page of replies -- so as to not break any
permalinks by rearranging page boundaries
@@ -127,10 +127,10 @@ Some moderator actions require the user to sign-in.
close the tab or window), or clear your browser's cache to
sign out

* Unfortunately, due to a flaw in HTTP authentication, users with
accented / unicode letters in their name will not be able to
sign-in. Moderators and members must limit their chosen names
to basic letters, numbers and punctuation
* Unfortunately, due to a flaw in HTTP authentication, users with
accented / unicode letters in their name will not be able to
sign-in. Moderators and members must limit their chosen names
to basic letters, numbers and punctuation


[5] Forum Locking:
@@ -190,120 +190,123 @@ contributing directly to NoNonsense Forum.
I'd like to also thank the users of Camen Design Forum
<forum.camendesign.com> for testing and support.

Name Issue
Name Issue
------------------------------------------------------------------------
bh8(dot)vn & zuchto
* Suggestion to improve transliteration further
* Fallback if "iconv" is missing
* Suggestion to improve transliteration further
* Fallback if "iconv" is missing

Bruno Héridet
* Duplicate ID in the HTML
* Major DOMTemplate bug munging querystrings
* Duplicate ID in the HTML
* Major DOMTemplate bug munging querystrings

David Hund
* Code typo in `DOMDocument`
* Major DOMTemplate bug munging querystrings
* Code typo in `DOMDocument`
* Major DOMTemplate bug munging querystrings

folderol
* Reporting of Apache "NOYB" identifier
fyra
* IDN URLs
* UTF-8 characters no longer hex-encoded in the output
* IDN URLs
* UTF-8 characters no longer hex-encoded in the output

gardener
* Critical typo in "lang.example.php"
* Critical typo in "lang.example.php"

JBark
* Use `clearstatcache` to ensure index ordering is right
* Accidental double-`<link>` to favicon
* Use `clearstatcache` to ensure index ordering is right
* Accidental double-`<link>` to favicon

JJ
* Wrong usage of PHP header function
* Add "noindex, nofollow" to delete page
* Blockquote syntax idea
* Wrong usage of PHP header function
* Add "noindex, nofollow" to delete page
* Blockquote syntax idea

Jon Gjengset / Jonhoo
* Original "Grayscale" theme
* Original mobile theme
* `$` alternative syntax for code blocks
* Read-locking of threads during writes
* Help with HTTPS support
* Raised issue with PHP short tags
* Delete message the same when deleting thread and post
* Many HTML & CSS fixes
* Original "Grayscale" theme
* Original mobile theme
* `$` alternative syntax for code blocks
* Read-locking of threads during writes
* Help with HTTPS support
* Raised issue with PHP short tags
* Delete message the same when deleting thread and post
* Many HTML & CSS fixes

Jose Pedro Arvela / jparvela
* Changing `static::` to `self::`
* Suggestion for "@user" syntax
* Changing `static::` to `self::`
* Suggestion for "@user" syntax

macsupport.gr
* Regex backtrace limit
Martijn
* Lynx support
* Use `rel="nofollow external"` on external links
* Improved ".htaccess" compatibility with Mac OS
* Title-line self links (this was quite complex)
* Duplicate appends
* Help with various transliteration aspects
* Better whitespace trimming
* Help fixing missing "?" in no-HTACCESS URLs
* Constant support improving the UTF-8 handling
* Major DOMTemplate bug munging querystrings
* Regex backtrace limit
Martijn/Zegnat
* Lynx support
* Use `rel="nofollow external"` on external links
* Improved ".htaccess" compatibility with Mac OS
* Title-line self links (this was quite complex)
* Duplicate appends
* Help with various transliteration aspects
* Better whitespace trimming
* Help fixing missing "?" in no-HTACCESS URLs
* Constant support improving the UTF-8 handling
* Major DOMTemplate bug munging querystrings

nkrs
* Opera speed dial help
* Opera speed dial help

Nicolai
* Unecessary ChromeFrame header in ".htaccess"
* Unecessary ChromeFrame header in ".htaccess"

Nikolai
* Changing `static::` to `self::`
* Opera speed dial help
* Changing `static::` to `self::`
* Opera speed dial help

oldtimes
* Original suggestion to transliterate thread titles
* Original suggestion to transliterate thread titles

Paul M
* Lock button sometimes showing by accident
* Lock button sometimes showing by accident

Philip Butkiewicz
* Fix up `<script>` outputting in DOMTemplate
* Fix up `<script>` outputting in DOMTemplate

Richard van Velzen / rvanvelzen
* Running in a sub-folder
* HTTPS support
* Remove "/users/" from "robots.txt"
* CSS fixes
* Inline code, heading and divider markup implementation
* Fault with adding new threads
* URL parsing with subdomains containing a dash
* `$1` being stripped from code spans / blocks
* Suggestion to improve error messages
* Closing bracket in URL when URL is last text in a quote
* Block quote regex fixes
* Post starting with code block doesn't show that block
* Running in a sub-folder
* HTTPS support
* Remove "/users/" from "robots.txt"
* CSS fixes
* Inline code, heading and divider markup implementation
* Fault with adding new threads
* URL parsing with subdomains containing a dash
* `$1` being stripped from code spans / blocks
* Suggestion to improve error messages
* Closing bracket in URL when URL is last text in a quote
* Block quote regex fixes
* Post starting with code block doesn't show that block

Sani
* Better tag matching when repairing output HTML
* Stickies not showing if no other threads
* Add leading '0' to "Expires" header to comply with spec
* Debugging DOMTemplate speed
* Suggestion for HiDPI graphics
* Better tag matching when repairing output HTML
* Stickies not showing if no other threads
* Add leading '0' to "Expires" header to comply with spec
* Debugging DOMTemplate speed
* Suggestion for HiDPI graphics

starbeamrainbowlab
* Discovering missing "?" in no-HTACCESS URLs
* Discovering missing "?" in no-HTACCESS URLs

Stephen Taylor
* Reported bug with appends double-encoding HTML
* "@name" not working with no HTAccess
* Reported bug with appends double-encoding HTML
* "@name" not working with no HTAccess

Steve Bir
* Pages not working in sub forums
* Pages not working in sub forums

TCB
* iOS testing for the rotation / zooming bug
* iOS testing for the rotation / zooming bug

Temukki
* Delete page missing
* Timezone option
* Delete page missing
* Timezone option

Anybody else forgotten along the way, get in touch.

+4 -4  lib/functions.php

@@ -24,8 +24,8 @@ function url (
return HTACCESS
//if htaccess is on, then use pretty URLs:
? $filepath.($page ? "+$page" : '').rtrim ('?'.implode ('&', array_filter (array (
//single actions without any ID
!$action_id && in_array ($action, array ('delete', 'lock', 'unlock')) ? $action : '',
//single actions without any ID (only delete, un/lock use form buttons)
!$action_id && ($action == 'delete') ? $action : '',
//otherwise, actions with an ID?
$action_id ? "$action=$action_id" : ''
))), '?')
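Review bot: narrowing the bare `?action` query form to `delete` while lock/unlock move to form buttons is the right direction, because state-changing moderator actions should not live behind plain GET links that crawlers, prefetchers or a pasted URL can trigger; `delete` still comes out of `url ()` as a GET-style `?delete` link here, which is acceptable only if it lands on the confirmation page (the README credits list mentions the delete page carrying "noindex, nofollow") and the actual removal is the POST from that page, so a comment stating that assumption next to `($action == 'delete')` would help the next reader.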
@@ -35,8 +35,8 @@ function url (
($file ? 'thread.php' : 'index.php').rtrim ('?'.
//concatenate a query string
implode ('&', array_filter (array (
//actions without an ID
!$action_id && in_array ($action, array ('delete', 'lock', 'unlock')) ? $action : '',
//actions without an ID (only delete, un/lock use form buttons)
!$action_id && ($action == 'delete') ? $action : '',
//append or delete post
$action_id ? "$action=$action_id" : '',
//sub-forum? for no-htaccess, all links must be made relative from the NNF folder root

+5 -5  lib/utf8safe.php

@@ -106,8 +106,8 @@ function safeUTF8 (
'\x{1FFFE}\x{1FFFF}\x{2FFFE}\x{2FFFF}\x{3FFFE}\x{3FFFF}\x{4FFFE}\x{4FFFF}'.
'\x{5FFFE}\x{5FFFF}\x{6FFFE}\x{6FFFF}\x{7FFFE}\x{7FFFF}\x{8FFFE}\x{8FFFF}'.
'\x{9FFFE}\x{9FFFF}\x{AFFFE}\x{AFFFF}\x{BFFFE}\x{BFFFF}\x{CFFFE}\x{CFFFF}'.
'\x{DFFFE}\x{DFFFF}\x{EFFFE}\x{EFFFF}\x{FFFFE}\x{FFFFF}\x{10FFFE}\x{10FFFF}]+/u', '',
$text);
'\x{DFFFE}\x{DFFFF}\x{EFFFE}\x{EFFFF}\x{FFFFE}\x{FFFFF}\x{10FFFE}\x{10FFFF}]+/u',
'', $text);
//TODO: strip invalid byte-sequences
//see: http://stackoverflow.com/questions/8215050/replacing-invalid-utf-8-characters-by-question-marks-mbstring-substitute-charac/13695364#13695364
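Review bot: `preg_replace` with the `/u` modifier returns NULL rather than the subject when `$text` is not valid UTF-8, so until the TODO on the following line is addressed, callers of `safeUTF8` get `null` for malformed input instead of a cleaned string (and, per the HISTORY entry, the preprocessed superglobals would carry that `null`). Either test `preg_last_error () == PREG_BAD_UTF8_ERROR` after the call and fall back, or normalise first with `mb_convert_encoding ($text, 'UTF-8', 'UTF-8')` (which substitutes invalid sequences, as the linked answer describes) so that the noncharacter strip always runs on valid input; whichever is chosen, document the failure mode in the comment.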
@@ -221,9 +221,9 @@ function safeTransliterate ($text) {
//check if the transliterator is present (PHP 5.4+)
function_exists ('transliterator_transliterate')
/* even though the server might be on PHP5.4+ the server might not have the transliteration libraries
installed (happens on free / shared hosts). check to see if the transliteration we want is even
possible and */
/* even though the server might be on PHP5.4+ it might not have the transliteration libraries installed
(happens on free / shared hosts). check to see if the transliteration we want is even possible.
with thanks to Zegnat for the specific fix, and numerous others for reporting & testing */
&& count (array_intersect (
array ('Any-NFKD', 'Any-Latin', 'Latin-ASCII', 'Any-Remove', 'Any-Lower'),
transliterator_list_ids ()

+3 -1  start.php

@@ -92,7 +92,9 @@ if (function_exists ('apache_get_version')) if (!preg_match (
//depending on the `ServerTokens` directive, the Apache version string might be nothing more than "Apache",
//allow this, but if a version number is present detect v2.1-99+
//<php.net/manual/en/function.apache-get-version.php#75591>
'/apache(?:\/(?:2(?:\.[1-9]|\.[1-9][0-9]+)?|[3-9]|[1-9][0-9]+)?)?/i', apache_get_version ())
//also note that the string "NOYB" (None Of Your Business) is surprisingly common and we need to allow this through
//(with thanks to folderol and Zegnat for reporting)
'/noyb|apache(?:\/(?:2(?:\.[1-9]|\.[1-9][0-9]+)?|[3-9]|[1-9][0-9]+)?)?/i', apache_get_version ())
) require FORUM_LIB.'error_apachever.php';

//shared / library code
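Review bot: the version part of the pattern is optional at both levels (`(?:\/(?:2(?:\.[1-9]|\.[1-9][0-9]+)?|[3-9]|[1-9][0-9]+)?)?`) and the match is unanchored, so a string such as "Apache/1.3.42" still satisfies `preg_match` by matching "Apache/" alone, and "Apache/2.0.x" passes via the bare "2"; the check therefore cannot reject the 1.3 installs the HISTORY entry says it targets. Capture the number instead, for example `/apache(?:\/(\d+)(?:\.(\d+))?)?/i`, and when a capture is present compare it with `version_compare ("$m[1].$m[2]", '2.1', '<')`, leaving the no-version case (ServerTokens Prod) and the new `noyb` alternative as pass-through. Worth a comment too that this is a configuration hint rather than a guarantee: header-rewriting modules, `ServerTokens`, and running PHP outside mod_php (where `apache_get_version` does not exist and the `function_exists` guard skips the check entirely) all leave the real version unknown.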

+9 -4  themes/greyscale/theme.css

@@ -365,7 +365,10 @@ input[type=text],

/* site footer
====================================================================================================================== */
form#nnf_admin {float: right; border: none;}
form#nnf_admin {float: right; border: none;
/* this padding is so that on a very narrow screen, the mods list can flow underneath
the admin buttons, but not be too close to them */
padding-bottom: 20px;}
form#nnf_admin input {margin-left: 20px; padding-left: 20px; border: none;
text-transform: uppercase; cursor: pointer;
/* TODO: webkit-appearance: none */}
@@ -384,8 +387,8 @@ footer {position: absolute; height: 60px; margin: 0; padding: 20px 0 0; left:
footer p {margin: 0 auto 0 10%; font-size: .9em; color: #f7f6f7;}
footer p a {color: #888;}

#signin {position: static; /* override default on form, this interferes with z-ordering in the footer */
margin: -60px 10% 0 auto; text-align: right; border: none;}
#signin {/* override default on form, this interferes with z-ordering in the footer */
position: static; margin: -60px 10% 0 auto; text-align: right; border: none;}
#signin input {margin: 0; padding: 0; border: none;
color: #f7f6f7; text-transform: uppercase;
background: none; cursor: pointer;}
@@ -496,7 +499,7 @@ input[type="text"], textarea, /* remove the field styling in iOS */
/* footer */
#mods p {padding-left: 0; padding-right: 0;
font-size: 13px;}
}

@media screen and (max-width: 800px) and (orientation: landscape) {
@@ -518,6 +521,8 @@ footer p {margin-left: 0 !important; padding-left: 0 !important; padding-right
text-align: center !important;}
#signin {margin: -100px 0 0 0; text-align: center;}

#nnf_mods {/* on a narrow screen, place the mods list underneath the admin buttons) */
clear: right;}
}

@media screen and (min-width: 480px) {

+0 -2  themes/greyscale/thread.html

@@ -170,8 +170,6 @@
--><input type="submit" id="nnf_unstick" name="unstick" value="Unstick" /><!--
--><input type="submit" id="nnf_lock" name="lock" value="Lock" /><!--
--><input type="submit" id="nnf_unlock" name="unlock" value="Unlock" /><!--
--><!--<a id="nnf_lock" href="?lock" rel="noindex nofollow noarchive">Lock</a>--><!--
--><!--<a id="nnf_unlock" href="?unlock" rel="noindex nofollow noarchive">Unlock</a>--><!--
--></form><p id="nnf_mods-local">
Moderators for this sub-forum:
<span id="nnf_mods-local-list"><b class="nnf_mod">Alice</b></span>

+9 -2  thread.php

@@ -44,6 +44,7 @@ if ( (isset ($_POST['stick']) || isset ($_POST['unstick'])) &&
//the site admin, or the first mod of the sub-forum have stick / unstick rights
(IS_ADMIN || strtolower (NAME) === strtolower ((string) @$MODS['LOCAL'][0]))
) {
//add or remove the filename from "sticky.txt"
if (in_array ("$FILE.rss", $stickies = getStickies ())) {
$stickies = array_diff ($stickies, array ("$FILE.rss"));
} else {
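Review bot: `@$MODS['LOCAL'][0]` silences the undefined-index notice for a sub-forum with no local moderators, but in that case the comparison degrades to `strtolower (NAME) === ''`, which is only safe as long as NAME can never be the empty string; an explicit `!empty ($MODS['LOCAL']) &&` guard in front of the comparison states the intent and removes the dependence on that property, and a short comment saying why `@` is there would be welcome if it stays.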
@@ -52,7 +53,12 @@ if ( (isset ($_POST['stick']) || isset ($_POST['unstick'])) &&
file_put_contents ('sticky.txt', implode ("\r\n", $stickies), LOCK_EX);
//TODO: redirect to eat the form submission
//regenerate the folder's RSS file
indexRSS ();
//redirect to eat the form submission
header ("Location: $url", true, 303);
exit;
}

/* ======================================================================================================================
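Review bot: `$url` in `header ("Location: $url", true, 303);` is not assigned anywhere in this hunk; confirm it is set before this block runs (the lock/unlock handler further down relies on the same variable), otherwise the response carries an empty `Location:` header plus an undefined-variable notice. Replacing the old TODO with a 303 after the state-changing POST is the right fix, since a browser reload no longer re-submits the stick/unstick form; the two handlers now share the identical `indexRSS (); header (...); exit;` tail, which could be folded into one helper.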
@@ -94,6 +100,7 @@ if ((isset ($_POST['lock']) || isset ($_POST['unlock'])) && IS_MOD) {
//regenerate the folder's RSS file
indexRSS ();
//redirect to eat the form submission
header ("Location: $url", true, 303);
exit;
}
@@ -464,7 +471,7 @@ define ('IS_STICKY', in_array ("$FILE.rss", $stickies = getStickies ()));

/* load the template into DOM where we can manipulate it:
--------------------------------------------------------------------------------------------------------------------- */
//(see 'lib/domtemplate.php' or <camendesign.com/dom_templating> for more details)
//(see 'lib/domtemplate/domtemplate.php' or <camendesign.com/dom_templating> for more details)
$template = prepareTemplate (
THEME_ROOT.'thread.html',
//canonical URL of this thread
