
#1 2014-08-02 00:56:35

Squiggles
Member
Registered: 2012-12-14
Posts: 278

Security fix (only) upgrade option?

I run a heavily modified version of FluxBB 1.5.3, so running the full upgrade is not an option. Is there a security-fix-only upgrade path?

Cheers,
Squiggles


#2 2014-08-02 10:02:37

Franz
Lead developer
From: Germany
Registered: 2008-05-13
Posts: 5,929

Re: Security fix (only) upgrade option?


fluxbb.de | develoPHP

"As code is more often read than written it's really important to write clean code."


#3 2014-08-02 20:19:24

chris98
Member
From: England, United Kingdom
Registered: 2013-05-31
Posts: 703

Re: Security fix (only) upgrade option?

There is a mod here which will apply the fix; this is what I used (for 1.5.4 anyway).

Last edited by chris98 (2014-08-02 20:19:54)


#4 2014-08-02 23:47:51

Squiggles
Member
Registered: 2012-12-14
Posts: 278

Re: Security fix (only) upgrade option?

chris98 wrote:

There is a mod here which will apply the fix; this is what I used (for 1.5.4 anyway).

I looked at that but it appears to apply a single security fix (changes one line of code). I'm looking to apply all security fixes since 1.5.3 was released.

Last edited by Squiggles (2014-08-02 23:49:05)


#5 2014-08-02 23:48:32

Squiggles
Member
Registered: 2012-12-14
Posts: 278

Re: Security fix (only) upgrade option?

Thanks Franz, I'll take a look at these and report any problems I encounter.


#6 2014-08-05 09:38:03

Squiggles
Member
Registered: 2012-12-14
Posts: 278

Re: Security fix (only) upgrade option?

I've tried applying the security fixes you provided, but it seems perhaps I'm missing some?

For example, my v1.5.3 files don't have the following lines, which seem to be referenced in the above links; this kind of makes it hard to update.

 // Make sure they got here from the site
 confirm_referrer('');

Are there any other updates that should be applied first? As I said, it would be nearly impossible for me to fully upgrade to the latest version, so I really only want all security-related fixes.


#7 2014-08-05 09:39:50

chris98
Member
From: England, United Kingdom
Registered: 2013-05-31
Posts: 703

Re: Security fix (only) upgrade option?

For example, my v1.5.3 files don't have the following lines which seem to be referenced in the above links, this kind of makes it hard to update.

That's because in 1.5.3 it's

if ($is_admmod)
	confirm_referrer('page_url.php');

Last edited by chris98 (2014-08-05 09:40:33)


#8 2014-08-05 09:41:05

Franz
Lead developer
From: Germany
Registered: 2008-05-13
Posts: 5,929

Re: Security fix (only) upgrade option?

Did you apply these patches in the order I posted them?

Sorry, some of them were changed multiple times...


fluxbb.de | develoPHP

"As code is more often read than written it's really important to write clean code."


#9 2014-08-05 09:51:15

Squiggles
Member
Registered: 2012-12-14
Posts: 278

Re: Security fix (only) upgrade option?

Yes I did.

Starting with the very first fix https://github.com/fluxbb/fluxbb/commit … 158fa3c999, my functions.php file doesn't even contain the following line.

if (!is_array($script))


#10 2014-08-10 00:53:14

Squiggles
Member
Registered: 2012-12-14
Posts: 278

Re: Security fix (only) upgrade option?

Any thoughts on this one? I'd love to move forward with the security patching.


#11 2014-08-10 08:53:17

chris98
Member
From: England, United Kingdom
Registered: 2013-05-31
Posts: 703

Re: Security fix (only) upgrade option?

Squiggles wrote:

Yes I did.

Starting with the very first fix https://github.com/fluxbb/fluxbb/commit … 158fa3c999, my functions.php file doesn't even contain the following line.

if (!is_array($script))

Well, it's in the confirm_referrer() function; could you post that for us below?


#12 2014-08-10 09:32:20

adaur
Developer
From: France
Registered: 2010-01-07
Posts: 728

Re: Security fix (only) upgrade option?

Just replace your whole confirm_referrer.


Please excuse my bad English, I'm French.


#13 2014-08-15 02:09:35

Squiggles
Member
Registered: 2012-12-14
Posts: 278

Re: Security fix (only) upgrade option?

Those files are so contradictory, especially when it comes to the functions.php file.

One file tells you to use $scripts, the next tells you to use $script, as well as having other lines that aren't even in my file. Every time I edit functions.php it throws an error.

Could someone please provide me with a fully patched v.1.5.3 functions file?

Cheers,
Squiggles


#14 2014-08-15 03:01:54

Squiggles
Member
Registered: 2012-12-14
Posts: 278

Re: Security fix (only) upgrade option?

OK, I think I found the problem.

Looking at https://github.com/fluxbb/fluxbb/commit … b0a473dd2a, include/functions.php

This line

 // Check the host and path match. Ignore the scheme, port, etc.
- if ($referrer['host'] != $valid['host'] || ($referrer['path'] != $valid['path'] && $valid['path'] != '/'))
- message($error_msg ? $error_msg : $lang_common['Bad referrer']);
+ if ($referrer['host'] != $valid_host || !in_array($referrer['path'], $valid_paths))
+ message($error_msg ? $error_msg : $lang_common['Bad referrer']);}
}
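Review bot: the second `+` line, `message($error_msg ? $error_msg : $lang_common['Bad referrer']);}`, carries a stray `}` after the statement; it closes the function body early and leaves the `}` on the following context line unmatched, which is the parse error this post describes. The line should end at the `;`. Separately, `in_array($referrer['path'], $valid_paths)` in the first `+` line omits the strict flag, whereas the version of the function posted later in this thread passes `true` as the third argument; for an allow-list comparison on a referrer path the strict form is the one to apply, so do not carry the loose form from this hunk into a hand-patched functions.php.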

There are two } } at the end; the error goes away when I remove the last }.


#15 2014-08-15 14:18:07

adaur
Developer
From: France
Registered: 2010-01-07
Posts: 728

Re: Security fix (only) upgrade option?

The commit is guilty; the function in the repo is OK:

//
// Make sure that HTTP_REFERER matches base_url/script
//
function confirm_referrer($scripts, $error_msg = false)
{
	global $lang_common;

	if (!is_array($scripts))
		$scripts = array($scripts);

	// There is no referrer
	if (empty($_SERVER['HTTP_REFERER']))
		message($error_msg ? $error_msg : $lang_common['Bad referrer']);

	$referrer = parse_url(strtolower($_SERVER['HTTP_REFERER']));
	// Remove www subdomain if it exists
	if (strpos($referrer['host'], 'www.') === 0)
		$referrer['host'] = substr($referrer['host'], 4);

	$valid_paths = array();
	foreach ($scripts as $script)
	{
		$valid = parse_url(strtolower(get_base_url().'/'.$script));
		// Remove www subdomain if it exists
		if (strpos($valid['host'], 'www.') === 0)
			$valid['host'] = substr($valid['host'], 4);

		$valid_host = $valid['host'];
		$valid_paths[] = $valid['path'];
	}

	// Check the host and path match. Ignore the scheme, port, etc.
	if ($referrer['host'] != $valid_host || !in_array($referrer['path'], $valid_paths, true))
		message($error_msg ? $error_msg : $lang_common['Bad referrer']);
}

Please excuse my bad English, I'm French.

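To make the behaviour of the function above concrete, here is an added illustration that is not FluxBB's code and not something the project ships: a plain-Python port of the comparison logic of the patched confirm_referrer(), next to the single-script predicate that the hunk quoted in #14 removes, run against a few constructed referrers. It assumes that get_base_url() returns the board's base URL without a trailing slash (e.g. "http://forum.example.com") and that the pre-fix function normalised host and path the same way; both are assumptions, and the sample URLs are constructed for the example.

```python
"""Plain-Python model of the referrer check discussed in this thread.

Added illustration, not FluxBB's own code: it ports the comparison logic
of the patched confirm_referrer() and the predicate the quoted hunk
removes, so the behaviour can be exercised against test inputs.
Assumption: get_base_url() returns the base URL without a trailing slash.
"""
from urllib.parse import urlparse


def _host_and_path(url):
    """Lowercase the whole URL (as strtolower() does), drop a leading
    'www.' from the host and return (host, path). Scheme, port and query
    are ignored, matching the comment in the PHP function."""
    parts = urlparse(url.lower())
    host = parts.hostname or ""          # hostname excludes the port
    if host.startswith("www."):
        host = host[4:]
    return host, parts.path


def referrer_ok(referrer, base_url, scripts):
    """Patched check: the referrer must be base_url/<one of scripts>,
    compared by exact host and exact path (strict in_array)."""
    if isinstance(scripts, str):
        scripts = [scripts]
    if not referrer:                     # empty HTTP_REFERER is rejected
        return False
    ref_host, ref_path = _host_and_path(referrer)
    valid_host = None
    valid_paths = []
    for script in scripts:
        valid_host, path = _host_and_path(base_url + "/" + script)
        valid_paths.append(path)
    return ref_host == valid_host and ref_path in valid_paths


def referrer_ok_pre_fix(referrer, base_url, script):
    """The single-script predicate the quoted hunk removes. Same
    normalisation assumed; only the final comparison differs: when the
    expected path is '/', any path on the host is accepted."""
    if not referrer:
        return False
    ref_host, ref_path = _host_and_path(referrer)
    valid_host, valid_path = _host_and_path(base_url + "/" + script)
    return ref_host == valid_host and (ref_path == valid_path or valid_path == "/")


BASE = "http://forum.example.com"        # constructed sample base URL

# Constructed sample referrers -> expected result under the patched check
CASES = [
    ("http://www.Forum.Example.com/viewtopic.php?id=5", True),  # www, case, query
    ("https://forum.example.com:8443/viewtopic.php", True),     # scheme/port ignored
    ("http://forum.example.com.evil.test/viewtopic.php", False),  # host suffix trick
    ("http://evil.test/forum.example.com/viewtopic.php", False),  # host inside path
    ("http://forum.example.com/admin_users.php", False),        # path not allowed
    ("", False),                                                # no referrer at all
]


def run_cases():
    """Evaluate every CASES referrer against referrer_ok() for viewtopic.php."""
    return [referrer_ok(ref, BASE, "viewtopic.php") for ref, _ in CASES]


def all_cases_pass():
    return run_cases() == [expected for _, expected in CASES]


if __name__ == "__main__":
    for (ref, expected), got in zip(CASES, run_cases()):
        print(f"{'PASS' if got == expected else 'FAIL'}  {ref!r:58} -> {got}")
    # With an expected path of '/', the removed predicate accepts any path
    # on the host; the patched list-based check does not.
    print(referrer_ok_pre_fix(BASE + "/anything.php", BASE, ""),
          referrer_ok(BASE + "/anything.php", BASE, ""))
```

Two details worth keeping in mind when you paste the PHP function into a modified tree: lowercasing the whole URL before parsing makes the path comparison case-insensitive as well, and an empty Referer is a hard failure, so any page that legitimately arrives without one (some browsers and privacy extensions strip it) will hit the 'Bad referrer' message rather than be let through.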

#16 2014-08-16 04:02:20

Squiggles
Member
Registered: 2012-12-14
Posts: 278

Re: Security fix (only) upgrade option?

Thanks adaur, that's exactly what I ended up using. It just took a while to work out the right from wrong in the links Franz posted.


Powered by FluxBB 1.5.7