Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Topics - CerealGuy
1
Archived fixes / [CSS] .postheader and previous/next post title looking bad
« on January 16th, 03:01 PM »
There are some problems with .postheader and the .prevnext_prev/.prevnext_next css clasess.
- .postheader does align the items in center but strecht is better because otherwise items don't
vertically aligned on the same level.
- #top_subject has no fixed weight. Set to 60% (prev's have 20%)
- All the elements should have an word-wrap: break-word.

Fix:
Code: (section.css) [Select]
// Topic title and Quick access
.posthead
width: 100%
padding: 8px
border-radius: 12px
background: rgba(0,0,0, .015)
box-sizing: border-box
@if ie[-7]
div mixes .inline-block
@elseif $can_flex
display: flex
align-items: stretch
> div
flex: 1 1 auto
@else
display: table
> div
display: table-cell
vertical-align: middle
@endif

#top_subject
padding: 4px 8px
font: 100 1.6em/1.2em $head_font
text-align: center
color: gray
letter-spacing: -1px
width: 60%

#top_subject, .prevnext_prev
word-wrap: break-word;

// Previous/next topic links inside .posthead
.prevnext_prev
font: 400 1em/1.3em $main_font
text-align: left
width: 20%
a
color: $reddish

.prevnext_next extends .prevnext_prev
text-align: right

Pictures:
before:

after:


PR: https://github.com/Wedge/wedge/pull/49

EDIT: You can watch this bug right in this topic :lol:
2
Plugins / [Plugin] Advanced Home Topics
« on January 15th, 02:06 PM »
Advanced Home Topics

A plugin for wedge giving you more control over the topics block you can add to you Homepage->Custom Content.
Features:
  - Multiple working `topics` blocks
  - Change title of each `topics` block
  - Limit include boards
  - Limit exclude boards
  - Modify steps in which n increases
 
Can you give me an Example?
Sure, look here:


How to install?

Drop the `advanced-home-topics` folder which you can find in this repository in to your `<wedge_install>/plugins` folder and activate it over your Admin Control Panel.

How to configure?

1. Go to `Admin->Configuration->General Options->Homepage`
2. Modify `Custom Contents`
3. Add something like `topics:1|Some Special Posts|3;4||false|1;2;3;4;5;6;7`
4. Format looks like this `topics:<num posts to show by default>|<custom name, empty for default>|<include these boards, empty for all, divide with ;>|<exclude these boards, empty for none, divide with ;>|<set to true if you want to hide Boards>|<steps in which we shall increase. By default 5;10;20;50;100. Divide with ;>`

Where to find?
https://github.com/C3realGuy/AdvancedHomeTopics
3
Archived fixes / [LOW-SQLi] Possible SQL injection on ssi_recentTopics
« on January 14th, 12:31 PM »
ssi_recentTopics() is not filtering the $num_recent argument correctly.
Code: [Select]
// Find all the posts in distinct topics. Newer ones will have higher IDs.
$request = wesql::query('
SELECT
t.id_topic, b.id_board, b.name AS board_name, b.url
FROM {db_prefix}topics AS t
INNER JOIN {db_prefix}messages AS ml ON (ml.id_msg = t.id_last_msg)
LEFT JOIN {db_prefix}boards AS b ON (b.id_board = t.id_board)
WHERE {query_see_topic}
AND t.id_last_msg >= {int:min_message_id}' . (empty($exclude_boards) ? '' : '
AND b.id_board NOT IN ({array_int:exclude_boards})') . '' . (empty($include_boards) ? '' : '
AND b.id_board IN ({array_int:include_boards})') . '
AND {query_wanna_see_board}' . (empty(we::$user['can_skip_approval']) ? '
AND ml.approved = {int:is_approved}' : '') . '
ORDER BY t.id_last_msg DESC
LIMIT ' . $num_recent,
array(
'include_boards' => empty($include_boards) ? '' : $include_boards,
'exclude_boards' => empty($exclude_boards) ? '' : $exclude_boards,
'min_message_id' => $settings['maxMsgID'] - 35 * $num_recent,
'is_approved' => 1,
)
);

The dangerous part: 'LIMIT ' . $num_recent,'
You can exploit it through custom homepage contents over acp. (Adding something like 'topics:10 UNION SELECT...'). But you need permissions to acp. And even if you have them, the anti hacking protection of wedge looks quite nice. No multiple statemants, it detects weird behaviour couldn't really exploit it besides an more or less useless blind sqli which just worked once :lol:.
But still, better fix it.

How to fix:
Code: [Select]

// Find all the posts in distinct topics. Newer ones will have higher IDs.
$request = wesql::query('
SELECT
t.id_topic, b.id_board, b.name AS board_name, b.url
FROM {db_prefix}topics AS t
INNER JOIN {db_prefix}messages AS ml ON (ml.id_msg = t.id_last_msg)
LEFT JOIN {db_prefix}boards AS b ON (b.id_board = t.id_board)
WHERE {query_see_topic}
AND t.id_last_msg >= {int:min_message_id}' . (empty($exclude_boards) ? '' : '
AND b.id_board NOT IN ({array_int:exclude_boards})') . '' . (empty($include_boards) ? '' : '
AND b.id_board IN ({array_int:include_boards})') . '
AND {query_wanna_see_board}' . (empty(we::$user['can_skip_approval']) ? '
AND ml.approved = {int:is_approved}' : '') . '
ORDER BY t.id_last_msg DESC
LIMIT {int:num_recent}',
array(
'num_recent' => $num_recent,
'include_boards' => empty($include_boards) ? '' : $include_boards,
'exclude_boards' => empty($exclude_boards) ? '' : $exclude_boards,
'min_message_id' => $settings['maxMsgID'] - 35 * $num_recent,
'is_approved' => 1,
)
);

PR: https://github.com/Wedge/wedge/pull/43

Many limit arguments don't get passed parameterized in SSI.php. We should change that.

EDIT1: WTF. This is nearly the same in the SMF codebase. Do I miss something or is this just really bad practice? I mean, i don't know if they have a hacking protection like wedge, but if they don't...
Besides that it looks like they fixed it sometimes and sometimes not :whistle:
https://github.com/SimpleMachines/SMF2.1/blob/release-2.1/SSI.php#L518

EDIT2: Fixed other limits too. https://github.com/Wedge/wedge/pull/44
4
Code: (diff) [Select]
-$txt['mark_read_short'] = 'Ale Themen als gelesen markieren';
 +$txt['mark_read_short'] = 'Alle Themen als gelesen markieren';

https://github.com/Wedge/languages/pull/30
5
Archived fixes / [CSS] Login looking bad on small screens
« on December 19th, 2016, 06:33 PM »


Idea is to do something like this, but would need CSS3.
https://jsfiddle.net/1dqm3rgt/ (zoom in/out to see the difference)
6
Archived fixes / [CSS] Quote not aligning left in center block
« on December 19th, 2016, 04:28 PM »
Bug:
When centering a quote block, the header text and icon get's centered too. Should be still left aligned.
Because of that the icon is also behind the text.

Example:
foo
Quote from bar
lorem ipsum

Fix:
Forcing text-align: left for bbc_quote->header
Code: [Select]
.bbc_quote>header {
    padding: 2px 2px 2px 24px;
    text-align: left;
}

PR: https://github.com/Wedge/wedge/pull/47
7
Archived fixes / Low flood/spam limits are ignored
« on October 16th, 2016, 12:40 PM »
spamProtection does not handle low limits correctly.

Example #1: If $settings['search_floodcontrol_time'] is 0 (disabled, not null/undefined) this setting will be ignored and a limit of 1 will be used instead.

Example #2: If user has moderator permissions, every limit will be overridden by 2. This does trouble if the set limit is lower than 2 (for example disabled).

PR: https://github.com/Wedge/wedge/pull/40

EDIT: Merged
8
Bug reports / [Behaviour] Keep post data on Login
« on July 21st, 2016, 11:57 PM »
Following problem occurs from time to time:
When I'm, trying to create a new post and during this the session expires, the content gets lost. I think that's true to all $_POST related stuff. $_GET stuff is fine because of the redirection after the login.

Idea: Put all $_POST data in a hidden form when the Login form is getting displayed and try to send that back to the original form/action. I will try to do that.
How is SMF doing this?
9
Archived fixes / Overflow Bug
« on July 17th, 2016, 01:35 PM »
Sometimes i see overflowing content.

Example:

i got this Error
Code: [Select]
Warning: mysqli_connect(): (28000/1045): Access denied for user 'Zeyad_Ahmed'@'10.2.1.20' (using password: YES) in /home/u289793038/public_html/gz/app/Class-DB.php on line 55
Access denied for user 'Zeyad_Ahmed'@'10.2.1.20' (using password: YES)


Fix:
sections.css
Code: [Select]
.postarea
    width: 75%

Git Commit:
https://github.com/C3realGuy/wedge/commit/de8ca6bbefb117d75b812e750a6efa6a8d0b6964

Git Pull Request:
https://github.com/Wedge/wedge/pull/34

EDIT:
Fixed: https://github.com/Wedge/wedge/commit/d71cdbe9438a53354866493fd18e63f1a74d228e
10
Bug reports / [Critical?] ImageMagick exploit
« on May 4th, 2016, 12:57 PM »
Didn't test it yet, i'm using GD2 but people with imagemagick should have a look at their servers maybe.
https://www.imagemagick.org/discourse-server/viewtopic.php?t=29588

Workarounds(?!):
- use GD2
- add imagemagick policies/wait for fix
- disable avatars/file attachements
11
Test board / Width Test
« on January 9th, 2016, 04:48 PM »
Fünf junge Leute mieten ein Campmobil und begeben sich bewaffnet mit Kameras auf die Suche nach Amerikas aufregendster Geisterhausattraktion. Solche Geisterbahnen nicht unähnliche Spukhäuser schießen vor Halloween wie Pilze aus dem Boden der amerikanischen Provinz und locken vergnügungssüchtige Gruselfreunde in Scharen mit ihren zumeist von Laienschauspielern verkörperten Monstern und Slashern. Manchmal jedoch wird aus Spaß blutiger Ernst, und das müssen auch die fünf Amateurreporter am eigenen Leib erfahren.
Gruseliger Mummenschanz liegt im Herbst im Trend, und das nicht nur in Horrorfilmregalen, sondern auch in Amerika, wo hunderte sogenannter Haunted Attractions um Kunden buhlen.



https://youtube.com/watch?v=4CxXdv3a4yQ#
12
Archived fixes / [Cookies] httponly not correctly set
« on September 4th, 2015, 10:54 PM »
Wedge already wants to do that (setting httponly) but it misses some true arguments on setcookie().
Httponly basically forbids the browser/js to access document.cookies which prevents bad exploitation of xss (otherwise the cookie could get stolen).
https://www.owasp.org/index.php/HttpOnly

https://github.com/C3realGuy/wedge/commit/71a066380d1301a82c95cc5144039edceca98c9e
13
Bug reports / [Security] BBCode in SQL Database
« on July 15th, 2015, 03:00 PM »
Why are the default bbcodes in the sql table {prefix}_bbcode? Wouldn't it be better to have those in the php code?
Also it's maybe a security issue to eval the validate_func from the sql database.
14
Bug reports / [Aeva] Non-SSL on SSL Connection
« on May 31st, 2015, 10:31 AM »
Aeva doesn't change the embedded url to https if the user views the site over a ssl connection. Therefore you have non ssl content on a ssl encrypted page, which gets blocked by most browsers, for all other browsers it's a security issue.
15
Bug reports / [Aeva] Cache of Aeva-Sites
« on May 17th, 2015, 11:28 PM »
After the latest update (the youtube thing) i had to remove Aeva-Sites.php to get it working. Why does that stuff get cached outside of /gz/app?