XMB Forum
miqrogroove
XMB 1.9.11 Lead Developer
Posts: 3380
Registered: 10-1-2002
Location: Michigan

Mood: $allowurlcode = ( $ismood != 'yes' );

Posted on 6-10-2008 at 02:50 AM
1.9.10 diff and Patch Information


For XMB 1.9.9 - Advanced Webmasters Only

requirements: MySQL 4.0.16 or higher & PHP 4.3.0 or higher.

diff: Attached

lang: (diff) English, (replace) Dutch, Portuguese, and Spanish (see International Support forums as we are working to restore community translation efforts)

templates: Included as templates.xmb in diff

sql: None / No Change

Files with no substantial change:
config.php
include/smtp.inc.php
js/bbcodefns-ie.js
js/bbcodefns-opera.js
js/buddy.js
js/buddylistedit.js
js/popup.js
js/ticker.js

Files that should be replaced, if possible:
header.php
misc.php
post.php
topicadmin.php
db/mysql.php
include/admin.inc.php
include/captcha.inc.php
include/global.inc.php
include/spelling.inc.php
include/u2u.inc.php
include/validate.inc.php
js/header.js

Files added in this version:
vtmisc.php
lang/Dutch.lang.php
lang/Portuguese.lang.php
lang/Spanish.lang.php

The expected impact on existing hacks and mods is medium-high. This version focussed on internal problems that required major changes to flow-of-control.

Modders and hackers should be aware of the following changes:

Deleted Code: The checkOutput() function in functions.inc.php, as well as the getVar(), formVar(), and valInt() functions in validate.inc.php were removed due to their connection with multiple critical security exposures.

cleanHtml() was deleted from validate.inc.php because it was unused.

Explicit magic quoting was removed from global.inc.php. The function getRequestVar() was updated accordingly.

Deprecated Code: The functions checkInput() in functions.inc.php and formArray() in validate.inc.php are deprecated and must not be used in any new code, including new hacks and mods.

Style Changes: Every file that calls require('header.php'); must first define a new global constant named X_SCRIPT. This is a self-identifying string that is used for client permissions checking instead of the URL.

All SQL input sanitizing is now accomplished by calling $db->escape(). addslashes() must not be used for this purpose in any new code.

All SQL LIKE statements must be sanitized using $db->like_escape().

All SQL REGEXP statements must be sanitized using $db->regexp_escape().

New functions elevateUser() and loginUser() are responsible for all account password authentications. They guarantee the $xmbuser value is db-safe and the $xmbpw and $self['password'] values are set to null strings. All related code has been removed from header.php and post.php.

postedVar() is now the preferred method of accessing all GPC string input values. It was used to replace several other functions in version 1.9.10. Superglobals should not be used to directly access GPC string input because of the removal of explicit magic quoting. Superglobals may or may not be magic quoted depending on server configuration, which is likely to cause extra slashes or security problems if they are used with the version 1.9.10 code base.

$xmbuser is the preferred username value for queries. $self['username'] and {$self['username']} are the preferred alternatives for cdata output. For URL output, also use recodeOut(). For raw output (such as inside safe email functions) use htmlspecialchars_decode().

The functions rawHTMLmessage() and rawHTMLsubject() are now used to wrap every instance of message output to improve consistency with the use of censor() and encoding security. postify() should be used instead of rawHTMLmessage() whenever appropriate. Double-slashing issues are still handled outside these functions.

The function fnameOut() is now used to wrap every instance of forum name output to ensure HTML is always allowed and stripslashes is always called.

I hope this is thorough and useful. :yes:

Attachment: XMB-1.9.9-to-1.9.10.diff.txt (650kB)
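A hypothetical 1.9.10-style add-on script, added here as an illustration and not code from the post or from XMB itself, that puts the conventions above together in one place. Only the function and variable names come from the post; their argument lists, $db->query(), $db->fetch_array(), X_PREFIX and the threads table columns are assumptions.

```php
<?php
// modsearch.php (hypothetical): a thread-title search written to the
// 1.9.10 rules. XMB names taken from the post: X_SCRIPT, postedVar(),
// $db->like_escape(), $xmbuser, $self['username'], rawHTMLsubject().
// Assumed, not confirmed by the post: postedVar($name) returns '' when
// the field is missing, $db->query() and $db->fetch_array() exist,
// X_PREFIX is the table prefix, and threads has tid, subject and author.

// Self-identify before header.php: client permission checks read this
// constant rather than the request URL, so a rewritten URL cannot alter it.
define('X_SCRIPT', 'modsearch.php');
require('header.php');

// GPC input goes through postedVar(). $_POST/$_GET are not read directly
// because explicit magic quoting is gone and the server may or may not
// add slashes, giving either doubled slashes or unescaped data.
$keyword  = postedVar('keyword');
$mineonly = (postedVar('mineonly') === 'yes');

// 1.9.9-style code that must not appear in new hacks:
//   $keyword = addslashes($_POST['keyword']);
//   $sql = "... WHERE subject LIKE '%$keyword%'";
// addslashes() knows nothing about the LIKE wildcards % and _, so the
// pattern the query runs is not bounded by the literal text typed.

// Each SQL context gets its own escaper: like_escape() for LIKE patterns
// ($db->escape() would be the choice for an ordinary string literal).
$pattern = '%' . $db->like_escape($keyword) . '%';
$sql = 'SELECT tid, subject FROM ' . X_PREFIX . 'threads '
     . "WHERE subject LIKE '$pattern'";
if ($mineonly) {
    // loginUser()/elevateUser() guarantee $xmbuser is db-safe, so it is
    // the username value to put into queries, not $self['username'].
    $sql .= " AND author = '$xmbuser'";
}
$sql .= ' ORDER BY tid DESC LIMIT 50';
$result = $db->query($sql);

// Output side: $self['username'] is the cdata form of the name, and every
// subject passes through rawHTMLsubject() so censor() and encoding apply.
echo '<p>Results for ' . $self['username'] . '</p><ul>';
while ($row = $db->fetch_array($result)) {
    $tid = intval($row['tid']);      // numeric id, cast rather than escaped
    echo '<li><a href="viewthread.php?tid=' . $tid . '">'
       . rawHTMLsubject($row['subject']) . '</a></li>';
}
echo '</ul>';
```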

TerryConwell
New Poster
Posts: 1
Registered: 3-2-2010
Posted on 3-2-2010 at 03:43 PM


Nice. I'm new to this and was wondering if it's still OK to use this patch, or if there was an updated one or a newer version? If so, could you point me in the right direction, please. Thanks.
Mouser
XMB Contributor
Posts: 1152
Registered: 4-14-2008
Mood: On vacation till early October 2010

Posted on 3-3-2010 at 09:53 AM


Start by reading...

Quote:
1.9.10 diff and Patch Information


For XMB 1.9.9 - Advanced Webmasters Only


Download the latest version (1.9.11.8) - and you don't need this;
http://forums.xmbforum.com/download.php

