Ravens PHP Scripts: Forums
 

 

Coldy
Hangin' Around



Joined: Apr 24, 2004
Posts: 48
Location: Austria

PostPosted: Sat Aug 15, 2020 8:31 am Reply with quote

Hello,

I've found two bugs in the current Raven version.
In the mainfile there are curly braces in lines 1741 and 1743 (function encode_mail), which are no longer supported under PHP 7.4.
I noticed this through a content encoding error during a new test-installation. Wink

And the reviews have an error with the character output in function alpha.
Numbers are displayed here instead of letters.
The
Code:
foreach ($alphabet as $ltr => $value) {

should be replaced by:
Code:
foreach ($alphabet as $ltr) {


Coldy Cool
 
neralex
Site Admin



Joined: Aug 22, 2007
Posts: 1657

PostPosted: Sun Aug 16, 2020 1:17 am Reply with quote

Hey Coldy,

thank you - just added to the github-repo!

Reviews: [ Only registered users can see links on this board! Get registered or login! ]

mainfile: [ Only registered users can see links on this board! Get registered or login! ]

Danke, Cheers! Wink

_________________
Github: RavenNuke 
kguske
Site Admin



Joined: Jun 04, 2004
Posts: 6421

PostPosted: Sun Aug 23, 2020 2:09 pm Reply with quote

Hi neralex, I'm *finally* ready for some php 7.x testing. Which version is most stable with RN? Should I just use 7.4 to get performance improvements or should I expect more issues with 7.4?

_________________
I google, therefore I exist...
nukeSEO - nukeFEED - nukePIE - nukeSPAM - nukeWYSIWYG
 
neralex







PostPosted: Mon Aug 24, 2020 12:03 pm Reply with quote

Hi Kevin, stable for RN25x is php 7.3.x but I guess there are more issues with php 7.4.x as known. The goal is to get it ready for 7.4 Wink

I'm currently struggling with a big SQL issue with special characters based on the db-collation after switching from a mysql-server to maria-db, which has been used for more than a year in Debian and other known Linux distributions. This issue is also present here on this RPS. For example, German special characters (umlauts) in forum-posts are stored as ? in the database and I guess this is based on the collations of old db-table-fields after different imports back in the day. With a new installation it works fine, but each imported database fails on the forum posts like this: [ Only registered users can see links on this board! Get registered or login! ]
 
kguske







PostPosted: Mon Aug 24, 2020 12:34 pm Reply with quote

I found the same issue when I imported to a test MariaDB on XAMPP from a production MySQL.
 
kguske







PostPosted: Mon Aug 24, 2020 12:54 pm Reply with quote

After testing a few custom modules, it's working pretty well so far. Looking at some simple mods to enable a responsive theme...
 
Coldy







PostPosted: Tue Aug 25, 2020 3:08 am Reply with quote

The changes between 7.3 and 7.4 (current 7.4.9) are manageable. Wink
But I can't tell how far the Ravennuke core is concerned.
 
papamike
Theme Guru



Joined: Jan 11, 2006
Posts: 170

PostPosted: Mon Aug 31, 2020 6:21 pm Reply with quote

Hi Kguske (Kevin), I have edited most of the mods and have responsive themes over at [ Only registered users can see links on this board! Get registered or login! ]
 
neralex







PostPosted: Thu Nov 05, 2020 2:02 pm Reply with quote

I found some issues while testing PHP 7.4.12:

mainfile.php: Trying to access array offset on value of type null
[ Only registered users can see links on this board! Get registered or login! ]

modules/Your_Account/includes/ui-l10bbforums.php: Trying to access array offset on value of type null
[ Only registered users can see links on this board! Get registered or login! ]

modules/Your_Account/includes/ui-0headlines.php: Array and string offset access syntax with curly braces is deprecated
[ Only registered users can see links on this board! Get registered or login! ]

modules/Your_Account/public/userinfo.php: Trying to access array offset on value of type null
[ Only registered users can see links on this board! Get registered or login! ]

includes/SimplePie/idn/idna_convert.class.php: Array and string offset access syntax with curly braces is deprecated
[ Only registered users can see links on this board! Get registered or login! ]

The master-branch on Github is updated! The changes are working also with prior versions of php7.

Can someone please re-test the changes with their own local test environment like XAMPP or WAMP?
 
Doulos
Life Cycles Becoming CPU Cycles



Joined: Jun 06, 2005
Posts: 723

PostPosted: Sat Feb 27, 2021 2:39 pm Reply with quote

Has the insert image function been disabled?

[imgleft]https:doulos.us/test/cl.jpg[/imgleft]

[imgright]https:doulos.us/test/cl.jpg[/imgright]

[img]https:doulos.us/test/cl.jpg[/img]
(edited)


neralex







PostPosted: Mon Mar 01, 2021 12:48 pm Reply with quote

Nope! You missed the double-slash after the double-point in your URLs. Wink
 
Doulos







PostPosted: Mon Mar 01, 2021 6:31 pm Reply with quote

I can't believe I did that. Thanks.
 
kguske







PostPosted: Sun Mar 07, 2021 8:52 am Reply with quote

I'm getting ready to replace it, but on php 5.4, this happens:
PHP Parse error: syntax error, unexpected T_FUNCTION in modules/Forums/viewtopic.php on line 1289, which is
function ($m1) use ($orig_word, $replacement_word)
in the code below:
Code:
      //
      // Replace naughty words
      //
      if (count($orig_word)) {
         $post_subject = preg_replace($orig_word, $replacement_word, $post_subject);
         if ($user_sig != '') {
            $user_sig = preg_replace_callback(
               '#(?!<.*)(?<!\w)([A-Za-z0-9_-]+)(?!\w|[^<>]*>)#i',
               function ($m1) use ($orig_word, $replacement_word) {
                  return preg_replace($orig_word, $replacement_word, $m1[1]);
               },
               $user_sig
            );
         }
         $message = preg_replace_callback(
            '#(?!<.*)(?<!\w)([A-Za-z0-9_-]+)(?!\w|[^<>]*>)#i',
            function ($m2) use ($orig_word, $replacement_word) {
               return preg_replace($orig_word, $replacement_word, $m2[1]);
            },
            $message
         );
      }

Is this an issue with 5.4?
 
neralex







PostPosted: Sun Mar 07, 2021 9:43 am Reply with quote

kguske, yes there were some issues with the e-modifier in the preg_replace function in php 7x. Here you can find the related commit: [ Only registered users can see links on this board! Get registered or login! ] and here you can find some explanations: [ Only registered users can see links on this board! Get registered or login! ] | [ Only registered users can see links on this board! Get registered or login! ]
 
kguske







PostPosted: Sun Mar 07, 2021 10:25 am Reply with quote

Changed to 7.3, and now all the modules are showing as not found. Very strange as I was able to change another domain without this issue. Have you seen that?
 
kguske







PostPosted: Sun Mar 07, 2021 10:34 am Reply with quote

The module $name is getting cleared by check_html function:
$name = addslashes(check_html(trim($name), 'nohtml')); //Fixes SQL Injection

because I hadn't updated the kses.php file... Sad
 
neralex







PostPosted: Sun Mar 07, 2021 12:16 pm Reply with quote

I'm glad you were able to solve it. There are a lot of changed files to get it ready for php7.
 
kguske







PostPosted: Sun Mar 07, 2021 7:44 pm Reply with quote

The nice thing about running multiple sites using the same software and a modified config file to connect the site's database is that you update all the sites at once.

The bad thing about this approach is that you find all the errors on all the sites (pretty quickly...).

Lots of undefined constants and ereg in the extra modules, blocks, etc...fun!
 
kguske







PostPosted: Tue Mar 09, 2021 8:25 am Reply with quote

The News module uses the TCPDF class to support viewing a story in PDF format. The class in RN is very outdated, and displays errors under PHP 7.x. The class is actively maintained and has many updates specifically for PHP 7.

You can (and probably should) disable this in the News config, but that simply removes the link to the printpdf.php file. Bots and others can still access it, and so I removed that file from public access.

If others want to continue using this, we might consider updating the class. The last release was December 2020, but there have been php 7.4 updates after that release.

My recommendation: remove this capability and the associated class & files (classes/tcpdf) from RN.

Code:
PHP Warning:  "continue" targeting switch is equivalent to "break". Did you mean to use "continue 2"? in /classes/tcpdf/tcpdf.php on line 20655

PHP Warning:  chr() expects parameter 1 to be int, string given in /classes/tcpdf/tcpdf.php on line 7179
 
neralex







PostPosted: Tue Mar 09, 2021 1:25 pm Reply with quote

Thanks for reporting this! Never noticed new issues with this class since the early php7-fixes. I updated the new class-files from the tcpdf-repo on Github after some local tests. Please re-download the package from the master-branch on Github, replace the whole folder: /classes/tcpdf and give it a try. I uploaded the new class-files also here on RPS.
 
kguske







PostPosted: Fri Mar 19, 2021 6:30 am Reply with quote

Seeing a few warnings from nukesentinel.php on this line (479):
Code:
      if (isset($name) && !preg_match('/^name=' . $name . '/i', $pg) && stristr($nsnst_const['script_name'], 'modules.php')) { $mod_check = 1; }


The errors are:
Code:
PHP Warning:  preg_match(): Unknown modifier 'n' in /includes/nukesentinel.php on line 479

PHP Warning:  preg_match(): Unknown modifier 'd' in /includes/nukesentinel.php on line 479
PHP Warning:  preg_match(): Unknown modifier 't' in /includes/nukesentinel.php on line 479
PHP Warning:  preg_match(): Compilation failed: unmatched closing parenthesis at offset 11 in /public_html/includes/nukesentinel.php on line 479

Looks like the invalid modifier is in the $name variable. Maybe we should use a cleaned value of $name, and assume it's a script attack if $name doesn't match the cleaned version? I have a few modules with _ in the name (e.g. Your_Account) and one with - (PHP-Nuke_HOWTO) but the values after these characters don't correspond to some of the unknown modifiers identified above (d, t), so I assume these are resulting from attacks.

Stripping out the characters below from the $name value would also prevent the compilation warning.
Code:
[

]
^
$
\
.
(
)
?
*
+
{
}
,

Thoughts?
 
neralex







PostPosted: Sat Mar 20, 2021 1:44 am Reply with quote

Something like this?

php Code:
$name = 'Your_Account';

$bad_string = '_[-k ]^g$u\s.(k)? *e+/{},';
$name = $name.$bad_string;

function clean_string($string) {
    // Remove all characters except A-Z, a-z, 0-9, hyphens and underscores
    return preg_replace('/[^A-Za-z0-9\-_]/', '', $string);
}

echo '<p>'. clean_string($name) . '</p>';


Result: Your_Account_-kguske
 
kguske







PostPosted: Sat Mar 20, 2021 7:35 am Reply with quote

Nice! I'll give that a try and see how it works.

We might want to call it function preg_clean_string to avoid possible conflicts with other functions with a different purpose. But if it's only in the nukesentinel.php file, that shouldn't be a problem.
 
hicuxunicorniobestbuildpc
The Mouse Is Extension Of Arm



Joined: Aug 13, 2009
Posts: 1053

PostPosted: Fri Mar 26, 2021 5:53 am Reply with quote

Yes but we got 3 lines with the same code.

3x
Code:
if (isset($name) && !preg_match('/^name=' . $name . '/i', $pg) && stristr($nsnst_const['script_name'], 'modules.php')) { $mod_check = 1; }
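
An added example (not code from this thread or from the RavenNuke repository) of the fix discussed above for line 479: `$name` is checked against an allowlist as proposed, and it is additionally escaped with `preg_quote()` before it is placed between the `/` delimiters, which goes one step beyond what the posts suggest. The function names, the sample inputs and the assumption that `$pg` holds the query string are hypothetical.

```php
<?php
// Added example, not RavenNuke or NukeSentinel code. Function names are hypothetical.

// Allowlist check: the module names mentioned in the thread use only
// letters, digits, "_" and "-" (Your_Account, PHP-Nuke_HOWTO).
function is_clean_module_name($name) {
    return is_string($name) && preg_match('/\A[A-Za-z0-9_-]+\z/', $name) === 1;
}

// Same test as line 479, but $name is escaped for use inside /.../ so it can
// never close the pattern early or add regex syntax of its own.
// Returns true when $pg (assumed: the query string) does NOT start with name=<module>.
function name_mismatch($name, $pg) {
    $pattern = '/^name=' . preg_quote($name, '/') . '/i';
    return preg_match($pattern, $pg) !== 1;
}

// Returns array(suspicious, mismatch). A name that fails the allowlist is
// flagged as suspicious and is never used to build a pattern.
function check_module_request($name, $pg) {
    if (!is_clean_module_name($name)) {
        return array(true, true);
    }
    return array(false, name_mismatch($name, $pg));
}

// Constructed sample inputs: array($name, $pg)
$samples = array(
    array('Your_Account',   'name=Your_Account&op=userinfo'),
    array('PHP-Nuke_HOWTO', 'name=PHP-Nuke_HOWTO'),
    // With the unescaped line 479, "/" ends the pattern and "d" is read as a modifier.
    array('News/data',      'name=News/data'),
    // With the unescaped line 479, this fails to compile (unmatched parenthesis).
    array('News)',          'name=News)'),
    // Clean name, but the query string does not start with name=Forums.
    array('Forums',         'file=index'),
);

foreach ($samples as $s) {
    list($suspicious, $mismatch) = check_module_request($s[0], $s[1]);
    printf("%-16s suspicious=%s mismatch=%s\n", $s[0],
        var_export($suspicious, true), var_export($mismatch, true));
}
```

Because the same line appears three times in nukesentinel.php, routing all three through one helper like this keeps the escaping consistent.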
 
All times are GMT - 6 Hours
 