Version: 1.00, by Brad
Developer Last Online: Nov 2023
Version: 3.0.3
Released: 08-02-2004
Last Update: Never
Installs: 5
Re-useable Code Translations
No support by the author.
This hack will allow you to bypass the function filters built into the template conditionals. Currently you are restricted to the following functions:
// built-in variable checking functions
'in_array', // used for checking
'is_array', // used for checking
'is_numeric', // used for checking
'isset', // used for checking
'empty', // used for checking
'defined', // used for checking
'array', // used for checking
// vBulletin-defined functions
'can_moderate', // obvious one
'can_moderate_calendar', // another obvious one
'exec_switch_bg', // harmless function that we use sometimes
'is_browser', // function to detect browser and versions
'is_member_of', // function to check if $user is member of $usergroupid
);
With this hack installed you will be allowed to use ANY available PHP or vBulletin-defined function within your templates. I have also included an on/off switch that allows you to disable filtering via config.php.
PHP Code:
// filtering off
define('C_PASSTHRU', false);
// filtering on
define('C_PASSTHRU', true);
This hack is meant to be used on test boards for functionality testing; do not run it in production environments.
This modification may not be copied, reproduced or published elsewhere without author's permission.
You can execute any PHP function without requiring a mod, simply by inserting something between the name of the function and the parenthesis of the argument list.
For example, the following examples will work fine:
No, Xenon. There is no good way to fix it without writing a complete PHP expression parser, and I do not think it should be fixed. If an administrator wants to use this trick, I see no reason to disallow it.
In all the time that vB has been used at sites, I doubt very strongly that anyone has done this accidentally.
BTW, I think that one could probably go as far as defining and running functions in a template, if one was so twisted.
Well, but it IS a bug and therefore it should be reported in my eyes.
The devs will then say themselves if they want to fix it or not.
Actually I see a reason for it. The reason some functions are not allowed is that they didn't want to let every admin change the permissions themselves, but with that bug it's easily possible, and therefore it's a security problem (still, normally if you make someone an admin, you should trust him that far, but hey, I have not designed the permission system).
The permission system has little to do with this imo. If you make someone an admin, they hardly need to mess about with writing funky template conditionals to subvert permissions. By definition, if you give AdminCP access to someone who can overwrite templates, with or without conditionals, it is someone you trust.
The list of allowed functions is pretty silly anyway. Why aren't the hundred other benign PHP functions allowed? I mean, what damage can one do with 'strlen(...)'?
Anyway, we need not argue. If you think it is a bug, you know what to do.
It was to stop people putting backdoors into styles: you make a nice style with a backdoor and post it on your website, and an unsuspecting admin installs it.
It's easy to see hacks with backdoors, but if you think about styles, there could be 1000's of lines of code.
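One way to enforce the allow list discussed in this thread, as an added example that is not vBulletin's code or the hack's: tokenize the conditional with PHP's own `token_get_all()`, drop whitespace and comments so nothing can sit between a name and its parenthesis, then apply a default-deny check. The permitted token set, the name `check_conditional` and the sample conditionals are assumptions made for this illustration (PHP 7.1 or later).

```php
<?php
// Added example, not vBulletin code. The allow list is the one quoted on this page.
const ALLOWED_CALLS = ['in_array', 'is_array', 'is_numeric', 'isset', 'empty', 'defined', 'array',
    'can_moderate', 'can_moderate_calendar', 'exec_switch_bg', 'is_browser', 'is_member_of'];
// Default deny (assumed policy): only these token kinds may appear in a conditional.
const NAME_TOKENS  = [T_STRING, T_ISSET, T_EMPTY, T_ARRAY];
const PLAIN_TOKENS = [T_VARIABLE, T_LNUMBER, T_DNUMBER, T_CONSTANT_ENCAPSED_STRING, T_IS_EQUAL,
    T_IS_NOT_EQUAL, T_IS_IDENTICAL, T_IS_NOT_IDENTICAL, T_IS_SMALLER_OR_EQUAL, T_IS_GREATER_OR_EQUAL,
    T_BOOLEAN_AND, T_BOOLEAN_OR, T_LOGICAL_AND, T_LOGICAL_OR, T_LOGICAL_XOR, T_DOUBLE_ARROW];
const PUNCTUATION  = ['(', ')', '[', ']', ',', '!', '<', '>', '+', '-', '*', '/', '%'];

/** Return the reasons an expression is refused; an empty array means it is accepted. */
function check_conditional(string $expr): array
{
    // Drop whitespace and comments first, so neither can separate a name from its '('.
    $sig = [];
    foreach (array_slice(token_get_all('<?php ' . $expr), 1) as $t) {
        $t = is_array($t) ? $t : [null, $t];   // single characters get type null
        if (!in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
            $sig[] = $t;
        }
    }
    $errors = [];
    foreach ($sig as $i => [$type, $text]) {
        $prev = $sig[$i - 1] ?? [null, ''];
        $next = $sig[$i + 1] ?? [null, ''];
        if ($type === null) {
            // '(' after a variable, string literal, ')' or ']' is a call through a value.
            $viaValue = in_array($prev[0], [T_VARIABLE, T_CONSTANT_ENCAPSED_STRING], true)
                || ($prev[0] === null && in_array($prev[1], [')', ']'], true));
            if ($text === '(' && $viaValue) {
                $errors[] = 'dynamic call not allowed';
            } elseif (!in_array($text, PUNCTUATION, true)) {
                $errors[] = "token not allowed: $text";
            }
        } elseif (in_array($type, NAME_TOKENS, true)) {
            // A name directly followed by '(' is a call and must be on the allow list.
            $isCall = $next[0] === null && $next[1] === '(';
            if ($isCall && !in_array(strtolower($text), ALLOWED_CALLS, true)) {
                $errors[] = "function not allowed: $text";
            }
        } elseif (!in_array($type, PLAIN_TOKENS, true)) {
            $errors[] = "token not allowed: $text";   // keywords, '::', '->', casts, ...
        }
    }
    return $errors;
}
// Constructed sample conditionals, not taken from the thread.
foreach (['is_member_of($user, $usergroupid) AND $foo', 'strlen /* pad */ ($foo) > 3', '$f($x)'] as $s) {
    printf("%-45s => %s\n", $s, implode('; ', check_conditional($s)) ?: 'accepted');
}
```

Because unknown token kinds are refused rather than searched for, assignments, statement separators, interpolated strings and backticks are rejected without being listed individually.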