Search found 27 matches

by dcz
Thu Jul 10, 2014 8:32 am
Forum: [3.x] Discussion
Topic: A way to actually control page titles
Replies: 2
Views: 2152

A way to actually control page titles

Hello, I think that there should be a way to actually control page titles. I know there are several handy events to decide what will be dumped into {PAGE_TITLE} but this is far from the actual page title: <title><!-- IF UNREAD_NOTIFICATIONS_COUNT -->({UNREAD_NOTIFICATIONS_COUNT}) <!-- ENDIF --><!-- IF n...
by dcz
Thu Jul 10, 2014 8:12 am
Forum: [3.x] Discussion
Topic: Something wrong/blocking in overall_header.html
Replies: 11
Views: 7038

Something wrong/blocking in overall_header.html

Hello,

in 3.1.0-RC1 (and before), we can find :

<meta name="keywords" content="" />
<meta name="description" content="" />
in prosilver's overall_header.html

I think this should be removed as it is useless and does not allow the overall_header_head_append event to set these meta.

++
by dcz
Thu Jul 10, 2014 8:07 am
Forum: [3.x] Event Requests
Topic: [PHP] core.pagination_generate_page_link
Replies: 9
Views: 9390

[PHP] core.pagination_generate_page_link

Hello, An event to alter pagination links would be very handy in \phpbb\pagination\generate_page_link This could be handled like in append_sid with something like :     /**     * Generate a pagination link based on the url and the page information     *     * @param string $base_url is url prepended...
by dcz
Tue Sep 11, 2012 8:59 am
Forum: [3.x] Discussion
Topic: make_jumpbox in login_box
Replies: 1
Views: 1993

make_jumpbox in login_box

Hello,

I'm not so sure if this is a bug or not, but I don't get why make_jumpbox is called within login_box, since login_box uses login_body.html as template with nothing in it to display the jumpbox.

Did I miss something ?
by dcz
Thu Nov 17, 2011 10:52 am
Forum: [3.0/Olympus] Discussion
Topic: Thoughts about the object reviving threat
Replies: 10
Views: 11461

Re: Thoughts about the object reviving threat

BTW, if anyone wondered, I of course leave these above pieces of code in the public domain, free to be used in compliance with the phpBB GPL licence or even GPL licensed themselves (your choice).
by dcz
Wed Nov 16, 2011 8:45 am
Forum: [3.0/Olympus] Discussion
Topic: Thoughts about the object reviving threat
Replies: 10
Views: 11461

Re: Thoughts about the object reviving threat

Well, for user input, it's rather easy, you could just strpos($mod_code, 'unserialize') during the mod validation process to find out if the mod is itself using unserialize, and if so issue a warning to have the user use the phpbb_unserialize function with proper $allow_obj setting : /** * unseriali...
by dcz
Tue Nov 15, 2011 5:18 pm
Forum: [3.0/Olympus] Discussion
Topic: Thoughts about the object reviving threat
Replies: 10
Views: 11461

Re: Thoughts about the object reviving threat

If it is possible to deserialize an object as part of an exploit, then it is possible for someone to legitimately be deserializing objects. No? Of course. The cache point of view may not have been the best way to evaluate the need to think about this threat. The problematic indeed needs to be treat...
by dcz
Wed Nov 09, 2011 12:14 pm
Forum: [3.0/Olympus] Discussion
Topic: Thoughts about the object reviving threat
Replies: 10
Views: 11461

Re: Thoughts about the object reviving threat

The cache system currently doesn't restrict what you can put in it, so if a MOD happens to cache objects, users using the file system cache would not get the full benefit of having a cache. I'm not so sure that storing objects is relevant with all acm's, and even less that in case they all allow it...
by dcz
Wed Nov 09, 2011 8:06 am
Forum: [3.0/Olympus] Discussion
Topic: Thoughts about the object reviving threat
Replies: 10
Views: 11461

Re: Thoughts about the object reviving threat

Well, this all came from my recent acknowledgement of such wicked unserialize exploit that made me audit my code again. And if I did not find any way to use such exploit, I still preferred to state the obvious wherever possible when objects were not desired as a result of an unserialize call. And I ...
by dcz
Tue Nov 08, 2011 6:50 pm
Forum: [3.0/Olympus] Discussion
Topic: Thoughts about the object reviving threat
Replies: 10
Views: 11461

Thoughts about the object reviving threat

Hello, I first posted this in the security tracker, but bantu told me that since this was not a security issue with the current phpBB code, this should rather be discussed publicly here. So here is my original post : While investigating upon unserialize security concerns, it came to my mind that php...