vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vBulletin 3.0 Full Releases (https://vborg.vbsupport.ru/forumdisplay.php?f=33)
-   -   Disable conditional function filters (https://vborg.vbsupport.ru/showthread.php?t=67947)

Brad 08-02-2004 10:00 PM

Disable conditional function filters
 
This hack will allow you to bypass the function filters built into the template conditionals. Currently you are restricted to the following functions:

PHP Code:

$safe_functions = array(
    // logical stuff
    0 => 'and',              // logical and
    1 => 'or',               // logical or
    2 => 'xor',              // logical xor

    // built-in variable checking functions
    'in_array',              // used for checking
    'is_array',              // used for checking
    'is_numeric',            // used for checking
    'isset',                 // used for checking
    'empty',                 // used for checking
    'defined',               // used for checking
    'array',                 // used for checking

    // vBulletin-defined functions
    'can_moderate',          // obvious one
    'can_moderate_calendar', // another obvious one
    'exec_switch_bg',        // harmless function that we use sometimes
    'is_browser',            // function to detect browser and versions
    'is_member_of',          // function to check if $user is member of $usergroupid
);

With this hack installed you will be allowed to use ANY available PHP or vBulletin-defined function within your templates. I have also included an on/off switch that allows you to disable filtering via config.php.

PHP Code:

// filtering off
define('C_PASSTHRU', false);

// filtering on
define('C_PASSTHRU', true);


This hack is meant to be used on test boards for functionality testing; do not run it in production environments.

Zachery 08-03-2004 10:05 AM

mm coolies

/me runs off to test

nexialys 08-03-2004 10:13 AM

I'm not sure I understand here... do you have a patent example before I put this in?

Brad 08-03-2004 10:15 AM

Quote:

Originally Posted by nexialys
I'm not sure I understand here... do you have a patent example before I put this in?

It just allows you to pass anything via the templates to be parsed into PHP code; use it for some form of checking that you cannot currently do with the allowed functions. I use it to quickly do some dirty checking in the templates when I build hacks; later on I go back and put the logic into the PHP code.

This is just something to make it a little easier on developers; I found it to save some time while developing with vBulletin on local test copies.

nexialys 08-03-2004 10:17 AM

ok then... (I never code inside the templates, I prefer directly into files, so anyway...)

Brad 08-03-2004 10:27 AM

Checking with the templates has its benefits in some cases. Let's say I created some new functions to be used to display differing HTML inside forums depending on what the forumid is.

So let's assume I have two functions I've inserted into functions.php:

PHP Code:

// returns list of forumid's
function fetch_forumids()
{
    $forumids = '1,2,3';
    return $forumids;
}

// Match current forumid to list of ids
function match_forums($forumid)
{
    eval('$var = in_array($forumid, array(' . fetch_forumids() . '));');
    return $var;
}


So with these functions I want to code my template like this:
HTML Code:

<if condition="match_forums($forumid)">
// do special forum display here
<else />
// do normal forum display here
</if>

With filtering on I have to edit this block in adminfunctions_template.php every time I want to use a new function in the templates:

PHP Code:

$safe_functions = array(
    // logical stuff
    0 => 'and',              // logical and
    1 => 'or',               // logical or
    2 => 'xor',              // logical xor

    // built-in variable checking functions
    'in_array',              // used for checking
    'is_array',              // used for checking
    'is_numeric',            // used for checking
    'isset',                 // used for checking
    'empty',                 // used for checking
    'defined',               // used for checking
    'array',                 // used for checking

    // vBulletin-defined functions
    'can_moderate',          // obvious one
    'can_moderate_calendar', // another obvious one
    'exec_switch_bg',        // harmless function that we use sometimes
    'is_browser',            // function to detect browser and versions
    'is_member_of',          // function to check if $user is member of $usergroupid
);

If you are like me your code is changing all the time; keeping this block up to date in the development phase gets old fast :)

CarCdr 08-03-2004 10:50 AM

Nice.

Unless there are cases where the user can inject code, the default should be less restrictive. It is very handy to have more power on the template side.

Natch 08-03-2004 11:01 AM

Excellent work - what a great thought!

Xenon 08-03-2004 12:21 PM

It's so simple and I didn't come across the idea myself. ^^

Aurous 08-04-2004 06:17 PM

Excellent stuff Brad!! Will be using it from now on.

CarCdr 09-02-2004 10:17 AM

You can execute any PHP function without requiring a mod, simply by inserting something between the name of the function and the parenthesis of the argument list.

For example, the following will work fine:
Code:

<if condition="$foobar = time/**/()">
Time: $foobar
</if>

<if condition="execute_some_function/**/()">

</if>

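The comment trick in the post above shows why a filter that matches a name followed directly by "(" is too weak. As an added example, not vBulletin's code and not from anyone in this thread, here is how a defender could rebuild the allowlist check on PHP's own tokenizer so that whitespace or comments between the name and the parenthesis no longer matter; the function name conditional_is_safe and the SAFE_FUNCTIONS constant are my own, mirroring the $safe_functions list quoted earlier, and PHP 7 or later is assumed.

```php
<?php
// Added example (not vBulletin's own code): an allowlist check for template conditionals
// built on PHP's tokenizer rather than text matching, so whitespace or a comment between a
// name and its "(" cannot hide the call. Assumes PHP 7+; allowlist mirrors this thread's $safe_functions.
const SAFE_FUNCTIONS = ['in_array', 'is_array', 'is_numeric', 'defined', 'can_moderate',
    'can_moderate_calendar', 'exec_switch_bg', 'is_browser', 'is_member_of'];

function conditional_is_safe(string $expr, array $allowed = SAFE_FUNCTIONS): bool
{
    $allowed = array_map('strtolower', $allowed);
    $tokens  = token_get_all('<?php ' . $expr);
    array_shift($tokens);                       // drop the open tag we prepended
    // Drop whitespace and comments so "time/**/()" is seen as "time()".
    $sig = array_values(array_filter($tokens, function ($t) {
        return !is_array($t) || !in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true);
    }));
    // Keywords that run code without call syntax are rejected anywhere in the expression.
    $forbidden = [T_EVAL, T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE, T_FUNCTION, T_CLOSE_TAG];
    // Tokens that can name a call target; of these only an allowlisted T_STRING may precede "(".
    $targets = [T_STRING, T_VARIABLE, T_CONSTANT_ENCAPSED_STRING];
    foreach (['T_NAME_QUALIFIED', 'T_NAME_FULLY_QUALIFIED', 'T_NAME_RELATIVE'] as $php8) {
        if (defined($php8)) { $targets[] = constant($php8); }   // \ns\func() forms on PHP 8
    }
    foreach ($sig as $i => $t) {
        if ($t === '`' || (is_array($t) && in_array($t[0], $forbidden, true))) {
            return false;                       // backtick shell syntax or a forbidden keyword
        }
        if ($t !== '(' || $i === 0) {
            continue;                           // not a call site (a leading "(" only groups)
        }
        $prev = $sig[$i - 1];
        if (is_string($prev)) {
            // ")", "]", "}" or '"' before "(" call an expression's result; any other one-char token is an operator.
            if (in_array($prev, [')', ']', '}', '"'], true)) {
                return false;
            }
        } elseif (in_array($prev[0], $targets, true)
            && ($prev[0] !== T_STRING || !in_array(strtolower($prev[1]), $allowed, true))) {
            return false;                       // call of something not on the allowlist
        }
    }
    return true;
}
// Constructed inputs: this thread's two comment-trick conditionals, then an allowed one.
$checks = ['$foobar = time/**/()', 'execute_some_function/**/()',
           'in_array($forumid, array(1,2,3)) and is_member_of($bbuserinfo, 6)'];
foreach ($checks as $c) {
    printf("%-70s %s\n", $c, conditional_is_safe($c) ? 'allowed' : 'rejected');
}
```

The check is deny-by-default: a "(" may only follow an allowlisted plain name, a language construct such as array or isset, or an operator, so variable and string callables and calls on a parenthesised result are refused along with the comment trick.
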
HiDeo 09-02-2004 10:28 AM

Good job thanks ;)

Xenon 09-02-2004 05:37 PM

@Car: have you reported this as a bug?

CarCdr 09-03-2004 10:03 AM

Quote:

Originally Posted by Xenon
@Car: have you reported this as a bug?

No Xenon. There is no good way to fix it without writing a complete PHP expression parser, and, I do not think it should be fixed. If an administrator wants to use this trick, I see no reason to disallow it.

In all the time that vB has been used at sites, I doubt very strongly that anyone has done this accidentally.

BTW, I think that one could probably go as far as defining and running functions in a template, if one was so twisted. :)

Xenon 09-03-2004 08:24 PM

Well, but it IS a bug and therefore it should be reported in my eyes.

The devs will then say themselves whether they want to fix it or not.

Actually I see a reason for it. The reason some functions are not allowed is that they didn't want to let every admin change the permissions themselves, but with that bug it's easily possible, and therefore it's a security problem (still, normally if you make someone an admin you should trust him that far, but hey, I have not designed the permission system ;))

CarCdr 09-03-2004 08:37 PM

The permission system has little to do with this imo. If you make someone an admin, they hardly need to mess about with writing funky template conditionals to subvert permissions. By definition, if you give AdminCP access to someone who can overwrite templates, with or without conditionals, it is someone you trust.

The list of allowed functions is pretty silly anyway. Why aren't the hundred other benign PHP functions allowed? I mean, what damage can one do with 'strlen(...)'.

Anyway, we need not argue. If you think it is a bug, you know what to do. :)

Cheers

Xenon 09-03-2004 08:46 PM

I meant the admin permission system.
Why have it if those admins can change them themselves ;)

But as you already said, it's nothing we have to argue about; I'll just report it and we'll see what the devs think about it.

Scott MacVicar 09-09-2004 04:17 PM

It was to stop people putting backdoors into styles: you make a nice style with a backdoor and post it on your website, and an unsuspecting admin installs it.

It's easy to see hacks with backdoors, but if you think about styles, there could be thousands of lines of code.

