Critical Bug: Preferences
DragonPrime - LoGD Resource Community
Author Topic: Critical Bug: Preferences  (Read 7296 times)
Sunday
Codemeister
« on: May 12, 2016, 02:55:36 PM »

Well, finally time to put this out here. The preference.php page needs to be rewritten entirely. There are game-breaking advantages that can be made through this preference system. This includes giving some staff flags such as access to the 'Letter Opener' module, the 'Alt Character List', and even gameplay advantages such as whatever 'Clan Forge' level or favor you want, using the 'Keep Gold' module to generate maximum gold, or doing the same with the 'Gems in bank' modules. I am working on a module to fix this, but we really need to step ahead in fixing this.
« Last Edit: May 13, 2016, 02:28:07 AM by Stephen.Kise »

Slowly progressing fork with PHP 7 support: https://github.com/stephenKise/Legend-of-the-Green-Dragon
Cheap VPS Hosting (10$ credit!): https://m.do.co/c/acde75b086c5

A new server in the making...
MarcTheSlayer
Mod God
« Reply #1 on: May 14, 2016, 05:29:41 PM »

Do you mean the prefs.php file in the root directory? :)

I'm not sure what you mean by "generate maximum gold" with the keepgold.php module. How can the code be abused?
« Last Edit: May 14, 2016, 05:38:28 PM by Afkamm »

Check My Modules for the latest versions.
Aeolus
Mod God
« Reply #2 on: May 14, 2016, 06:57:50 PM »

I'm going to assume that it would be by changing the name of any preference on the site through Inspect Element to match the keepgold pref, setting it to whatever you wish, then saving. Or something along those lines.

Sunday
Codemeister
« Reply #3 on: May 15, 2016, 12:06:18 PM »

Quote from: MarcTheSlayer on May 14, 2016, 05:29:41 PM
Do you mean the prefs.php file in the root directory? :)

I'm not sure what you mean by "generate maximum gold" with the keepgold.php module. How can the code be abused?

It is as Aeolus described it. I was avoiding posting the details so people could not do it, since some modules will allow you to hijack sessions of moderators, or even gain staff abilities. I am working on a module that will fix this, but it needs updating in the core as well.

http://imgur.com/a/fMNmC

All that needs to be done to fix this is a small check for user_ or check_ at line 95:
Code:
if (strpos($key, 'user_') === false && strpos($key, 'check_') === false) {
    continue;
}
« Last Edit: May 15, 2016, 12:11:21 PM by Stephen.Kise »

Aeolus
Mod God
« Reply #4 on: May 15, 2016, 05:55:12 PM »

Quote from: Sunday on May 15, 2016, 12:06:18 PM
All that needs to be done to fix this is a small check for user_ or check_ at line 95:
Code:
if (strpos($key, 'user_') === false && strpos($key, 'check_') === false) {
    continue;
}

I've added the update to the bugs-fixed core, which really needs to be uploaded to the main downloads page.

austenmc
Militia
« Reply #5 on: May 15, 2016, 08:31:38 PM »

Offer still stands to host people's core mods on https://github.com/lotgd :)
Aeolus
Mod God
« Reply #6 on: May 15, 2016, 09:17:22 PM »

Quote from: austenmc on May 15, 2016, 08:31:38 PM
Offer still stands to host people's core mods on https://github.com/lotgd :)

Thanks. I'll stick to using my Dropbox. Easier to access, directly from the file system.

Sunday
Codemeister
« Reply #7 on: May 15, 2016, 11:51:53 PM »

Quote from: austenmc on May 15, 2016, 08:31:38 PM
Offer still stands to host people's core mods on https://github.com/lotgd :)

I would rather keep mine localised until I change the way the installation process works, and the module system. Thank you though.

Aeolus
Mod God
« Reply #8 on: June 25, 2016, 01:06:30 AM »

Quote from: Sunday on May 15, 2016, 12:06:18 PM
All that needs to be done to fix this is a small check for user_ or check_ at line 95:
Code:
if (strpos($key, 'user_') === false && strpos($key, 'check_') === false) {
    continue;
}

This needs updating to include core prefs that aren't module-based user prefs. For example, setting the pref "timeoffset" (Hours to offset time displays ([25/06 04:03am] currently displays as [25/06 06:33pm])?) fails both of these checks, and is not saved when updated.

Perhaps this would be better:

Code:
if (strpos($key, 'user_') === false && strpos($key, 'check_') === false) {
    if (isset($session['user']['prefs'][$key])) $session['user']['prefs'][$key] = httppost($key);
    continue;
}

Sunday
Codemeister
« Reply #9 on: June 25, 2016, 10:09:01 AM »

Quote from: Aeolus on June 25, 2016, 01:06:30 AM
This needs updating to include core prefs that aren't module-based user prefs. For example, setting the pref "timeoffset" (Hours to offset time displays ([25/06 04:03am] currently displays as [25/06 06:33pm])?) fails both of these checks, and is not saved when updated.
That shouldn't be happening, because timeoffset doesn't contain ___. I mentioned that there should be additional checks at the if statement on line 95:

Code:
if (strstr($key, "___")) {
    if (strpos($key, 'user_') === false && strpos($key, 'check_') === false) {
        continue;
    }
    $val = httppost($key);
    $x = explode("___", $key);
    $module = $x[0];
    $key = $x[1];
    modulehook("notifyuserprefchange",
        array("name"=>$key,
        "old"=>$oldvalues[$module."___".$key],
        "new"=>$val)
    );
    set_module_pref($key, $val, $module);
    continue;
}

Aeolus
Mod God
« Reply #10 on: June 25, 2016, 08:27:35 PM »

Ah, the checks were meant to be after the line with strstr. Okay, that makes more sense. I put it before.

(And I believe that so did the site whose owner you helped implement this fix, since that's where this issue occurred.)
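A stricter version of the prefs.php save loop discussed in replies #3, #8 and #9, added here as an example and not the LoGD core's own code: a module pref is accepted only when the part after `___` starts with `user_` or `check_` (a prefix match, stricter than the substring test in the thread), and a core pref only when it is on an explicit allow-list rather than merely present in `$session['user']['prefs']`. It assumes `set_module_pref($key, $val, $module)` exists as in the core; the allow-list and the sample request are constructed.

```php
<?php
// Added example, not the LoGD core's prefs.php. Assumed: POST arrives as an
// array and set_module_pref($key, $val, $module) exists as in the core; the
// core-pref allow-list and the sample request below are constructed.

// Returns ['module' => m, 'key' => k] for a player-editable module pref,
// ['core' => name] for a listed core pref, or null to drop the key.
function classify_pref_key(string $key, array $core_prefs): ?array
{
    if (strpos($key, '___') !== false) {
        // module___pref form, the branch the thread's strstr() test selects.
        [$module, $pref] = explode('___', $key, 2);
        // Only prefs named user_* or check_* may be set from the browser; the
        // prefix match here is stricter than the substring test in the thread.
        if ($module === '' || (strpos($pref, 'user_') !== 0 && strpos($pref, 'check_') !== 0)) {
            return null;
        }
        return ['module' => $module, 'key' => $pref];
    }
    // Core pref: an explicit allow-list instead of "any key already present in
    // $session['user']['prefs']", so a forged key cannot reach an unrendered pref.
    return in_array($key, $core_prefs, true) ? ['core' => $key] : null;
}

// Applies a POST array and returns the refused keys; a legitimate form never
// sends those, so they are worth logging.
function apply_pref_post(array $post, array $core_prefs, array &$prefs, callable $set_module_pref): array
{
    $refused = [];
    foreach ($post as $key => $val) {
        $target = classify_pref_key((string) $key, $core_prefs);
        if ($target === null) {
            $refused[] = (string) $key;
        } elseif (isset($target['core'])) {
            $prefs[$target['core']] = $val;
        } else {
            $set_module_pref($target['key'], $val, $target['module']);
        }
    }
    return $refused;
}

$core_prefs = ['timeoffset'];              // constructed allow-list
$post = [                                  // constructed request, not a capture
    'keepgold___user_enabled' => '1',      // allowed: module pref the player may edit
    'timeoffset'              => '-5',     // allowed: listed core pref
    'clanforge___level'       => '9',      // refused: pref name is not user_/check_
    'superuser'               => '7',      // refused: not a listed core pref
];
$prefs = [];
$refused = apply_pref_post($post, $core_prefs, $prefs, function ($k, $v, $m) { echo "set_module_pref($m, $k) = $v\n"; });
echo 'refused: ' . implode(', ', $refused) . "\n";
```

The refused list is the detection hook: any key in it came from a form the server never rendered, so it belongs in the site's log with the user id.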
