
Improved IMG BBCode fix

The recent img bbcode patch fixed one problem, but it is still exploitable under certain conditions. I have been working on a long-term solution and have created a more reliable fix. The Sourceforge files have been updated; existing users can download the new maincore.php file from the downloads area. If you prefer to update the code yourself, click Read More for instructions.

Edit maincore.php and make the following changes:

1. After this function:

// Validate numeric input
function isnum($value) {
	return (preg_match("/^[0-9]+$/", $value));
}

insert the following:

// Validate bbcode images
// Called by preg_replace_callback() with the groups of the [img] pattern:
// $matches[1] = scheme ("http://", "ftp://", ...), $matches[3] = host and path,
// $matches[4] = image extension including the dot.
function isImage($matches) {
	// Rebuild the URL with "?", "&" and "=" removed, so no query string survives
	$im = $matches[1].str_replace(array("?","&","="),"",$matches[3]).$matches[4];
	// getimagesize() fetches the URL server-side at parse time (allow_url_fopen
	// must be enabled) and returns false unless the data is a recognised image
	if (list($width, $height, $type, $attr) = @getimagesize($im)) {
		// The <img> markup on this line was lost when this page was rendered;
		// reconstructed here from the else branch: a valid image is emitted as a tag
		$ret = "<img src=\"".$im."\" alt=\"\" />";
	} else {
		$ret = "[img]Image Blocked[/img]";
	}
	return $ret;
}

2. Remove these lines under the parseubb function:

$ubbs1[10] = '#\[img\](.*?)\[/img\]#si';
$ubbs2[10] = '';

or, if you have applied the first bb fix, remove these lines instead:

$ubbs1[10] = "#\[img\]((http|ftp|https|ftps)://)(.*?)(\.(jpg|jpeg|gif|png|JPG|JPEG|GIF|PNG))\[/img\]#sie";
$ubbs2[10] = "''";

(The <img ...> markup inside the $ubbs2[10] replacement strings did not survive the rendering of this page, so match on the $ubbs1[10] / $ubbs2[10] assignments rather than on the exact values shown. Note the "e" modifier on the first fix's pattern: it makes preg_replace() evaluate the replacement string, with the matched text substituted into it, as PHP code. The callback in step 3 drops that modifier.)

3. After this line:

for ($i=0;$i < $ubbitems;$i++) $message = preg_replace($ubbs1, $ubbs2, $message);

insert:

// [img] is handled separately: no "e" modifier, the match is handed to isImage() as data, never evaluated
$message = preg_replace_callback("#\[img\]((http|ftp|https|ftps)://)(.*?)(\.(jpg|jpeg|gif|png|JPG|JPEG|GIF|PNG))\[/img\]#si","isImage",$message);

Falk, August 07 2005
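The three steps above as a stand-alone script, added here as an example and not code from PHP-Fusion or from the patch itself: parseImgBBCode() is the preg_replace_callback() call from step 3 and blockOrRender() is isImage(), with the image check passed in as a parameter so the script runs offline. The 1x1 GIF, the $resolve map from a constructed URL to that file, the function names and the sample messages are all this example's own assumptions; the real fix hands the rebuilt URL straight to getimagesize().

```php
<?php
// Added example, not PHP-Fusion code: the fixed [img] bbcode handling,
// self-contained so it can be run from the command line. Function names,
// the $resolve map and the sample messages are constructed for this example.

// Same pattern as step 3: "s" and "i" only, no "e" modifier.
const IMG_PATTERN = '#\[img\]((http|ftp|https|ftps)://)(.*?)(\.(jpg|jpeg|gif|png|JPG|JPEG|GIF|PNG))\[/img\]#si';

/** Rebuild the URL exactly as isImage() does: scheme, then host/path with
 *  "?", "&" and "=" removed (so no query string survives), then extension. */
function rebuildImageUrl(array $m): string
{
    return $m[1] . str_replace(['?', '&', '='], '', $m[3]) . $m[4];
}

/** Replacement callback. The matched text reaches us only as array elements;
 *  unlike a preg_replace() /e replacement, nothing here is evaluated as PHP.
 *  $isImage stands in for getimagesize($url) so the example runs offline. */
function blockOrRender(array $m, callable $isImage): string
{
    $im = rebuildImageUrl($m);
    if ($isImage($im)) {
        // The fix emits <img src="$im" alt="" />; escaping is added here so a
        // quote in the URL cannot break out of the attribute.
        return '<img src="' . htmlspecialchars($im, ENT_QUOTES) . '" alt="" />';
    }
    return '[img]Image Blocked[/img]';
}

/** The preg_replace_callback() call from step 3 with the check injectable. */
function parseImgBBCode(string $message, callable $isImage): string
{
    return preg_replace_callback(
        IMG_PATTERN,
        function (array $m) use ($isImage) { return blockOrRender($m, $isImage); },
        $message
    );
}

// --- offline stand-in for getimagesize() on a remote URL -------------------
// Write a 1x1 GIF to a temp file and map one constructed URL onto it. The real
// fix calls getimagesize($im) directly, which fetches the URL over the network
// at parse time and needs allow_url_fopen to be enabled.
$gifFile = tempnam(sys_get_temp_dir(), 'img');
file_put_contents($gifFile, base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));
$resolve = ['http://example.com/pic.gif' => $gifFile];   // constructed mapping

$isImage = function (string $url) use ($resolve): bool {
    if (!isset($resolve[$url])) {
        return false;   // unknown URL: behaves like an unreachable or non-image resource
    }
    // Same test as the fix: getimagesize() returns false unless the bytes
    // are a recognised image format.
    return @getimagesize($resolve[$url]) !== false;
};

$samples = [                                                  // constructed messages
    '[img]http://example.com/pic.gif[/img]',                  // real image: rendered as a tag
    '[img]http://example.com/pic.php?id=1&x=2.gif[/img]',    // "?", "&", "=" stripped, then blocked
    '[img]javascript:alert(1).gif[/img]',                     // no allowed scheme: pattern does not match
    '[img]http://example.com/notes.txt[/img]',                // no image extension: pattern does not match
];
foreach ($samples as $s) {
    echo $s, "\n  -> ", parseImgBBCode($s, $isImage), "\n";
}
unlink($gifFile);
```

Run it with the php command-line binary. The second sample shows what the str_replace() in isImage() buys: the query string is gone before any fetch happens, and the rebuilt URL is then blocked because it does not resolve to an image. The third and fourth samples are left untouched by this pass, because the pattern only fires for an allowed scheme followed by an image extension.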