Calendar

三月 2012
M T W T F S S
« Jan   Apr »
 1234
567891011
12131415161718
19202122232425
262728293031  

Categories

NexusPHP v1.5 beta4 到 beta5 的改變

擺在這沒啥特別用意,單純是借用一下 syntax highlight 的功能方便手動 patch。
因為有些站台原本用 beta4 架的已經被大幅變更過了。
不知道的也別問這是啥。

diff -Nrupad nexusphp.v1.5.beta4.20100919.with.update3/RELEASENOTE nexusphp.v1.5.beta5.20120301/RELEASENOTE
--- nexusphp.v1.5.beta4.20100919.with.update3/RELEASENOTE	2010-09-19 10:15:58.000000000 +0800
+++ nexusphp.v1.5.beta5.20120301/RELEASENOTE	2012-03-01 23:56:06.000000000 +0800
@@ -1,3 +1,13 @@
+Release note for v1.5 beta 5 20120301
+Fix: several security issues
+Fix: takesignup not checking invitation code
+Fix: function sqlesc() with numeric value
+Fix: sendmail delay issue
+Fix: language file in docleanup()
+Fix: language setting at FAQ and Rules
+Mod: default promotion display type to 'icon'
+thank http://wiki.nexusphp.org for reporting bugs
+
 Release note for v1.5 beta 4 20100919
 Fix: "There is a minimum announce time of 30 seconds", caused by timezone settings. Now you should set correct timezone in php.ini
 Fix: varchar column length exceed 255 characters, which causes errors in MySQL 5.0.3 and later
diff -Nrupad nexusphp.v1.5.beta4.20100919.with.update3/_db/dbstructure.sql nexusphp.v1.5.beta5.20120301/_db/dbstructure.sql
--- nexusphp.v1.5.beta4.20100919.with.update3/_db/dbstructure.sql	2012-02-28 10:29:32.000000000 +0800
+++ nexusphp.v1.5.beta5.20120301/_db/dbstructure.sql	2012-03-01 23:39:26.000000000 +0800
@@ -2415,7 +2415,7 @@ CREATE TABLE IF NOT EXISTS `users` (
   `timetype` enum('timeadded','timealive') DEFAULT 'timealive',
   `appendsticky` enum('yes','no') DEFAULT 'yes',
   `appendnew` enum('yes','no') DEFAULT 'yes',
-  `appendpromotion` enum('highlight','word','icon','off') DEFAULT 'highlight',
+  `appendpromotion` enum('highlight','word','icon','off') DEFAULT 'icon',
   `appendpicked` enum('yes','no') DEFAULT 'yes',
   `dlicon` enum('yes','no') DEFAULT 'yes',
   `bmicon` enum('yes','no') DEFAULT 'yes',
diff -Nrupad nexusphp.v1.5.beta4.20100919.with.update3/announce.php nexusphp.v1.5.beta5.20120301/announce.php
--- nexusphp.v1.5.beta4.20100919.with.update3/announce.php	2010-05-10 13:36:32.000000000 +0800
+++ nexusphp.v1.5.beta5.20120301/announce.php	2012-03-01 22:44:32.000000000 +0800
@@ -60,7 +60,7 @@ if (!$az) err("Invalid passkey! Re-downl
 $userid = 0+$az['id'];
 
 //3. CHECK IF CLIENT IS ALLOWED
-$clicheck_res = check_client($peer_id,$agent,&$client_familyid);
+$clicheck_res = check_client($peer_id,$agent,$client_familyid);
 if($clicheck_res){
 	if ($az['showclienterror'] == 'no')
 	{
diff -Nrupad nexusphp.v1.5.beta4.20100919.with.update3/bannedemails.php nexusphp.v1.5.beta5.20120301/bannedemails.php
--- nexusphp.v1.5.beta4.20100919.with.update3/bannedemails.php	2010-05-08 16:56:26.000000000 +0800
+++ nexusphp.v1.5.beta5.20120301/bannedemails.php	2012-03-01 22:45:26.000000000 +0800
@@ -1,5 +1,4 @@
 <?php
-define("VERSION", "BAN EMAIL");
 require "include/bittorrent.php";
 dbconn();
 loggedinorreturn();
diff -Nrupad nexusphp.v1.5.beta4.20100919.with.update3/faq.php nexusphp.v1.5.beta5.20120301/faq.php
--- nexusphp.v1.5.beta4.20100919.with.update3/faq.php	2010-05-09 21:35:52.000000000 +0800
+++ nexusphp.v1.5.beta5.20120301/faq.php	2012-03-01 23:32:02.000000000 +0800
@@ -16,9 +16,7 @@ begin_main_frame();
 begin_frame($lang_faq['text_welcome_to'].$SITENAME." - ".$SLOGAN);
 print($lang_faq['text_welcome_content_one'].$lang_faq['text_welcome_content_two']);
 end_frame();
-if ($CURUSER)
-$lang_id = $CURUSER['lang'];
-else
+
 $lang_id = get_guest_lang_id();
 $is_rulelang = get_single_value("language","rule_lang","WHERE id = ".sqlesc($lang_id));
 if (!$is_rulelang){
diff -Nrupad nexusphp.v1.5.beta4.20100919.with.update3/include/cleanup.php nexusphp.v1.5.beta5.20120301/include/cleanup.php
--- nexusphp.v1.5.beta4.20100919.with.update3/include/cleanup.php	2010-06-16 23:35:32.000000000 +0800
+++ nexusphp.v1.5.beta5.20120301/include/cleanup.php	2012-03-01 23:36:26.000000000 +0800
@@ -2,7 +2,6 @@
 # IMPORTANT: Do not edit below unless you know what you are doing!
 if(!defined('IN_TRACKER'))
 die('Hacking attempt!');
-require_once($rootpath . '/lang/_target/lang_cleanup.php');
 
 function printProgress($msg) {
 	echo $msg.'...done<br />';
@@ -18,6 +17,9 @@ function docleanup($forceAll = 0, $print
 	global $neverdelete_account, $neverdeletepacked_account, $deletepacked_account, $deleteunpacked_account, $deletenotransfer_account, $deletenotransfertwo_account, $deletepeasant_account, $psdlone_account, $psratioone_account, $psdltwo_account, $psratiotwo_account, $psdlthree_account, $psratiothree_account, $psdlfour_account, $psratiofour_account, $psdlfive_account, $psratiofive_account, $putime_account, $pudl_account, $puprratio_account, $puderatio_account, $eutime_account, $eudl_account, $euprratio_account, $euderatio_account, $cutime_account, $cudl_account, $cuprratio_account, $cuderatio_account, $iutime_account, $iudl_account, $iuprratio_account, $iuderatio_account, $vutime_account, $vudl_account, $vuprratio_account, $vuderatio_account, $exutime_account, $exudl_account, $exuprratio_account, $exuderatio_account, $uutime_account, $uudl_account, $uuprratio_account, $uuderatio_account, $nmtime_account, $nmdl_account, $nmprratio_account, $nmderatio_account, $getInvitesByPromotion_class;
 	global $enablenoad_advertisement, $noad_advertisement;
 	global $Cache;
+	global $rootpath;
+
+	require_once($rootpath . '/lang/_target/lang_cleanup.php');
 
 	set_time_limit(0);
 	ignore_user_abort(1);
diff -Nrupad nexusphp.v1.5.beta4.20100919.with.update3/include/core.php nexusphp.v1.5.beta5.20120301/include/core.php
--- nexusphp.v1.5.beta4.20100919.with.update3/include/core.php	2010-09-19 10:09:22.000000000 +0800
+++ nexusphp.v1.5.beta5.20120301/include/core.php	2012-03-01 22:46:16.000000000 +0800
@@ -2,7 +2,7 @@
 if(!defined('IN_TRACKER'))
   die('Hacking attempt!');
 error_reporting(E_ERROR | E_PARSE);
-ini_set('display_errors', 1);
+ini_set('display_errors', 0);
 include_once($rootpath . 'classes/class_cache.php'); //Require the caching class
 $Cache = NEW CACHE(); //Load the caching class
 $Cache->setLanguageFolderArray(get_langfolder_list());
diff -Nrupad nexusphp.v1.5.beta4.20100919.with.update3/include/functions.php nexusphp.v1.5.beta5.20120301/include/functions.php
--- nexusphp.v1.5.beta4.20100919.with.update3/include/functions.php	2010-09-19 10:07:36.000000000 +0800
+++ nexusphp.v1.5.beta5.20120301/include/functions.php	2012-03-01 23:10:18.000000000 +0800
@@ -1841,8 +1841,6 @@ function autoclean() {
 }
 
 function unesc($x) {
-	if (get_magic_quotes_gpc())
-	return stripslashes($x);
 	return $x;
 }
 
@@ -3330,9 +3328,6 @@ function GetVar ($name) {
 	} else {
 		if ( !isset($_REQUEST[$name]) )
 		return false;
-		if ( get_magic_quotes_gpc() ) {
-			$_REQUEST[$name] = ssr($_REQUEST[$name]);
-		}
 		$GLOBALS[$name] = $_REQUEST[$name];
 		return $GLOBALS[$name];
 	}
diff -Nrupad nexusphp.v1.5.beta4.20100919.with.update3/include/functions_announce.php nexusphp.v1.5.beta5.20120301/include/functions_announce.php
--- nexusphp.v1.5.beta4.20100919.with.update3/include/functions_announce.php	2010-09-19 10:10:14.000000000 +0800
+++ nexusphp.v1.5.beta5.20120301/include/functions_announce.php	2012-03-01 23:16:00.000000000 +0800
@@ -167,7 +167,7 @@ function ipv4_to_compact($ip, $port)
 	return $compact;
 }
 
-function check_client($peer_id, $agent, $agent_familyid)
+function check_client($peer_id, $agent, &$agent_familyid)
 {
 	global $BASEURL, $Cache;
 
@@ -296,7 +296,7 @@ function check_client($peer_id, $agent, 
 
 	if($allowed_flag_peer_id && $allowed_flag_agent)
 	{
-		if($exception = 'yes')
+		if($exception == 'yes')
 		{
 			if (!$clients_exp = $Cache->get_value('allowed_client_exception_family_'.$family_id.'_list')){
 				$clients_exp = array();
diff -Nrupad nexusphp.v1.5.beta4.20100919.with.update3/include/globalfunctions.php nexusphp.v1.5.beta5.20120301/include/globalfunctions.php
--- nexusphp.v1.5.beta4.20100919.with.update3/include/globalfunctions.php	2010-05-14 16:27:34.000000000 +0800
+++ nexusphp.v1.5.beta5.20120301/include/globalfunctions.php	2012-03-01 23:10:36.000000000 +0800
@@ -73,14 +73,7 @@ function sql_query($query)
 }
 
 function sqlesc($value) {
-	// Stripslashes
-	if (get_magic_quotes_gpc()) {
-		$value = stripslashes($value);
-	}
-	// Quote if not a number or a numeric string
-	if (!is_numeric($value)) {
 		$value = "'" . mysql_real_escape_string($value) . "'";
-	}
 	return $value;
 }
 
diff -Nrupad nexusphp.v1.5.beta4.20100919.with.update3/lang/_target/lang_cleanup.php nexusphp.v1.5.beta5.20120301/lang/_target/lang_cleanup.php
--- nexusphp.v1.5.beta4.20100919.with.update3/lang/_target/lang_cleanup.php	2009-11-25 23:43:50.000000000 +0800
+++ nexusphp.v1.5.beta5.20120301/lang/_target/lang_cleanup.php	2012-03-01 23:29:26.000000000 +0800
@@ -7,7 +7,7 @@ $lang_cleanup_target = array
 	'msg_your_ratio_warning_removed' => "Your warning of low ratio have been removed and auto-promoted to [b]User[/b]. We highly recommend you to keep a your ratio up to not be warned again.\n",
 	'msg_promoted_to' => "Promoted to ",
 	'msg_now_you_are' => "Congratulations, you have been auto-promoted to [b]",
-	'msg_see_faq' => "[/b]. :)\nPlease see the [b][url=faq.php#idid22]FAQ[/url][/b] for what you can do now.\n",
+	'msg_see_faq' => "[/b]. :)\nPlease see the [b][url=faq.php#id22]FAQ[/url][/b] for what you can do now.\n",
 	'msg_demoted_to' => "Demoted to ",
 	'msg_demoted_from' => "You have been auto-demoted from [b]",
 	'msg_to' => "[/b] to [b]",
diff -Nrupad nexusphp.v1.5.beta4.20100919.with.update3/rules.php nexusphp.v1.5.beta5.20120301/rules.php
--- nexusphp.v1.5.beta4.20100919.with.update3/rules.php	2010-05-09 21:45:16.000000000 +0800
+++ nexusphp.v1.5.beta5.20120301/rules.php	2012-03-01 23:31:44.000000000 +0800
@@ -11,9 +11,7 @@ $Cache->add_whole_row();
 //make_folder("cache/" , get_langfolder_cookie());
 //cache_check ('rules');
 begin_main_frame();
-if ($CURUSER)
-$lang_id = $CURUSER['lang'];
-else
+
 $lang_id = get_guest_lang_id();
 $is_rulelang = get_single_value("language","rule_lang","WHERE id = ".sqlesc($lang_id));
 if (!$is_rulelang){
diff -Nrupad nexusphp.v1.5.beta4.20100919.with.update3/takeinvite.php nexusphp.v1.5.beta5.20120301/takeinvite.php
--- nexusphp.v1.5.beta4.20100919.with.update3/takeinvite.php	2010-05-08 17:06:42.000000000 +0800
+++ nexusphp.v1.5.beta5.20120301/takeinvite.php	2012-03-01 23:19:14.000000000 +0800
@@ -47,6 +47,9 @@ $hash  = md5(mt_rand(1,10000).$CURUSER['
 
 $title = $SITENAME.$lang_takeinvite['mail_tilte'];
 
+sql_query("INSERT INTO invites (inviter, invitee, hash, time_invited) VALUES ('".mysql_real_escape_string($id)."', '".mysql_real_escape_string($email)."', '".mysql_real_escape_string($hash)."', " . sqlesc(date("Y-m-d H:i:s")) . ")");
+sql_query("UPDATE users SET invites = invites - 1 WHERE id = ".mysql_real_escape_string($id)."") or sqlerr(__FILE__, __LINE__);
+
 $message = <<<EOD
 {$lang_takeinvite['mail_one']}{$arr[username]}{$lang_takeinvite['mail_two']}
 <b><a href="javascript:void(null)" onclick="window.open('http://$BASEURL/signup.php?type=invite&invitenumber=$hash')">{$lang_takeinvite['mail_here']}</a></b><br />
@@ -59,9 +62,6 @@ EOD;
 sent_mail($email,$SITENAME,$SITEEMAIL,change_email_encode(get_langfolder_cookie(), $title),change_email_encode(get_langfolder_cookie(),$message),"invitesignup",false,false,'',get_email_encode(get_langfolder_cookie()));
 //this email is sent only when someone give out an invitation
 
-sql_query("INSERT INTO invites (inviter, invitee, hash, time_invited) VALUES ('".mysql_real_escape_string($id)."', '".mysql_real_escape_string($email)."', '".mysql_real_escape_string($hash)."', " . sqlesc(date("Y-m-d H:i:s")) . ")");
-sql_query("UPDATE users SET invites = invites - 1 WHERE id = ".mysql_real_escape_string($id)."") or sqlerr(__FILE__, __LINE__);
-
 header("Refresh: 0; url=invite.php?id=".htmlspecialchars($id)."&sent=1");
 ?> 
 
diff -Nrupad nexusphp.v1.5.beta4.20100919.with.update3/takesignup.php nexusphp.v1.5.beta5.20120301/takesignup.php
--- nexusphp.v1.5.beta4.20100919.with.update3/takesignup.php	2010-05-12 18:51:02.000000000 +0800
+++ nexusphp.v1.5.beta5.20120301/takesignup.php	2012-03-01 23:21:12.000000000 +0800
@@ -51,6 +51,14 @@ if ($type=='invite')
 $inviter =  $_POST["inviter"];
 	int_check($inviter);
 $code = unesc($_POST["hash"]);
+
+//check invite code
+	$sq = sprintf("SELECT inviter FROM invites WHERE hash ='%s'",mysql_real_escape_string($code));
+	$res = sql_query($sq) or sqlerr(__FILE__, __LINE__);
+	$inv = mysql_fetch_assoc($res);
+	if (!$inv)
+		bark('invalid invite code');
+
 $ip = getip();
 
 
@@ -175,6 +183,19 @@ http://$BASEURL/confirm_resend.php
 {$lang_takesignup['mail_five']}
 EOD;
 
+if ($type == 'invite')
+{
+//don't forget to delete confirmed invitee's hash code from table invites
+sql_query("DELETE FROM invites WHERE hash = '".mysql_real_escape_string($code)."'");
+$dt = sqlesc(date("Y-m-d H:i:s"));
+$subject = sqlesc($lang_takesignup_target[get_user_lang($inviter)]['msg_invited_user_has_registered']);
+$msg = sqlesc($lang_takesignup_target[get_user_lang($inviter)]['msg_user_you_invited'].$usern.$lang_takesignup_target[get_user_lang($inviter)]['msg_has_registered']);
+//sql_query("UPDATE users SET uploaded = uploaded + 10737418240 WHERE id = $inviter"); //add 10GB to invitor's uploading credit
+sql_query("INSERT INTO messages (sender, receiver, subject, added, msg) VALUES(0, $inviter, $subject, $dt, $msg)") or sqlerr(__FILE__, __LINE__);
+$Cache->delete_value('user_'.$inviter.'_unread_message_count');
+$Cache->delete_value('user_'.$inviter.'_inbox_count');
+}
+
 if ($verification == 'admin'){
 	if ($type == 'invite')
 	header("Location: " . get_protocol_prefix() . "$BASEURL/ok.php?type=inviter");
@@ -188,16 +209,5 @@ else{
 	sent_mail($send_email,$SITENAME,$SITEEMAIL,change_email_encode(get_langfolder_cookie(), $title),change_email_encode(get_langfolder_cookie(),$body),"signup",false,false,'',get_email_encode(get_langfolder_cookie()));
 	header("Location: " . get_protocol_prefix() . "$BASEURL/ok.php?type=signup&email=" . rawurlencode($send_email));
 }
-if ($type == 'invite')
-{
-//don't forget to delete confirmed invitee's hash code from table invites
-sql_query("DELETE FROM invites WHERE hash = '".mysql_real_escape_string($code)."'");
-$dt = sqlesc(date("Y-m-d H:i:s"));
-$subject = sqlesc($lang_takesignup_target[get_user_lang($inviter)]['msg_invited_user_has_registered']);
-$msg = sqlesc($lang_takesignup_target[get_user_lang($inviter)]['msg_user_you_invited'].$usern.$lang_takesignup_target[get_user_lang($inviter)]['msg_has_registered']);
-//sql_query("UPDATE users SET uploaded = uploaded + 10737418240 WHERE id = $inviter"); //add 10GB to invitor's uploading credit
-sql_query("INSERT INTO messages (sender, receiver, subject, added, msg) VALUES(0, $inviter, $subject, $dt, $msg)") or sqlerr(__FILE__, __LINE__);
-$Cache->delete_value('user_'.$inviter.'_unread_message_count');
-$Cache->delete_value('user_'.$inviter.'_inbox_count');
-}
+
 ?>
diff -Nrupad nexusphp.v1.5.beta4.20100919.with.update3/takeupload.php nexusphp.v1.5.beta5.20120301/takeupload.php
--- nexusphp.v1.5.beta4.20100919.with.update3/takeupload.php	2010-05-10 02:30:14.000000000 +0800
+++ nexusphp.v1.5.beta5.20120301/takeupload.php	2012-03-01 23:12:08.000000000 +0800
@@ -205,8 +205,6 @@ function hex_esc2($matches) {
 
 //die(phpinfo());
 
-//die("magic:" . get_magic_quotes_gpc());
-
 //die("\\' pos:" . strpos($infohash,"\\") . ", after sqlesc:" . (strpos(sqlesc($infohash),"\\") == false ? "gone" : strpos(sqlesc($infohash),"\\")));
 
 //die(preg_replace_callback('/./s', "hex_esc2", $infohash));
diff -Nrupad nexusphp.v1.5.beta4.20100919.with.update3/viewsnatches.php nexusphp.v1.5.beta5.20120301/viewsnatches.php
--- nexusphp.v1.5.beta4.20100919.with.update3/viewsnatches.php	2010-06-03 14:23:06.000000000 +0800
+++ nexusphp.v1.5.beta5.20120301/viewsnatches.php	2012-03-01 23:28:10.000000000 +0800
@@ -44,7 +44,7 @@ if ($count){
 		$downrate = $arr["leechtime"] > 0 ? mksize($arr["downloaded"] / $arr["leechtime"]) : mksize(0);
 		//end
 
-		$highlight = $CURUSER["id"] == $arr["id"] ? " bgcolor=#00A527" : "";
+		$highlight = $CURUSER["id"] == $arr["userid"] ? " bgcolor=#00A527" : "";
 		$userrow = get_user_row($arr['userid']);
 		if ($userrow['privacy'] == 'strong'){
 			$username = $lang_viewsnatches['text_anonymous'];