danwin1210/le-chat-php
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Better check whether messaging is really allowed when validating new messages

Browse Source
This commit is contained in:
Daniel Winzen
2017-10-04 17:38:31 +02:00
parent d832cf64ec
commit 5cfe783649
1 changed files with 21 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

33
chat.php
View File

@ -2873,23 +2873,32 @@ function validate_input(){
}elseif($_REQUEST['sendto']==='s &' && $U['status']>=6){ }elseif($_REQUEST['sendto']==='s &' && $U['status']>=6){
$poststatus=6; $poststatus=6;
$displaysend=sprintf(get_setting('msgsendadm'), style_this(htmlspecialchars($U['nickname']), $U['style'])); $displaysend=sprintf(get_setting('msgsendadm'), style_this(htmlspecialchars($U['nickname']), $U['style']));
}else{// known nick in room? }else{ // known nick in room?
if(get_setting('disablepm')){ if(get_setting('disablepm')){
//PMs disabled
return; return;
} }
$stmt=$db->prepare('SELECT * FROM (SELECT nickname, style, 1 AS inbox FROM ' . PREFIX . 'members WHERE nickname=? AND eninbox!=0 AND eninbox<=? AND nickname NOT IN (SELECT nickname FROM ' . PREFIX . 'sessions) UNION SELECT nickname, style, 0 AS inbox FROM ' . PREFIX . 'sessions WHERE nickname=?) AS t WHERE nickname NOT IN (SELECT ign FROM ' . PREFIX . 'ignored WHERE ignby=? UNION SELECT ignby FROM ' . PREFIX . 'ignored WHERE ign=?);'); $stmt=$db->prepare('SELECT null FROM ' . PREFIX . 'ignored WHERE (ignby=? AND ign=?) OR (ign=? AND ignby=?);');
$stmt->execute([$_REQUEST['sendto'], $U['status'], $_REQUEST['sendto'], $U['nickname'], $U['nickname']]); $stmt->execute([$_REQUEST['sendto'], $U['nickname'], $_REQUEST['sendto'], $U['nickname']]);
if($tmp=$stmt->fetch(PDO::FETCH_ASSOC)){ if($stmt->fetch(PDO::FETCH_NUM)){
$recipient=$_REQUEST['sendto']; //ignored
$poststatus=9;
$displaysend=sprintf(get_setting('msgsendprv'), style_this(htmlspecialchars($U['nickname']), $U['style']), style_this(htmlspecialchars($recipient), $tmp['style']));
$inbox=$tmp['inbox'];
}
if(empty($recipient)){// nick left already or ignores us
$message='';
$rejected='';
return; return;
} }
$tmp=false;
$stmt=$db->prepare('SELECT s.style, 0 AS inbox FROM ' . PREFIX . 'sessions AS s LEFT JOIN ' . PREFIX . 'members AS m ON (m.nickname=s.nickname) WHERE s.nickname=? AND (s.incognito=0 OR (m.eninbox!=0 AND m.eninbox<=?));');
$stmt->execute([$_REQUEST['sendto'], $U['status']]);
if(!$tmp=$stmt->fetch(PDO::FETCH_ASSOC)){
$stmt=$db->prepare('SELECT style, 1 AS inbox FROM ' . PREFIX . 'members WHERE nickname=? AND eninbox!=0 AND eninbox<=?;');
$stmt->execute([$_REQUEST['sendto'], $U['status']]);
if(!$tmp=$stmt->fetch(PDO::FETCH_ASSOC)){
//nickname left or disabled offline inbox for us
return;
}
}
$recipient=$_REQUEST['sendto'];
$poststatus=9;
$displaysend=sprintf(get_setting('msgsendprv'), style_this(htmlspecialchars($U['nickname']), $U['style']), style_this(htmlspecialchars($recipient), $tmp['style']));
$inbox=$tmp['inbox'];
} }
if($poststatus!==9 && preg_match('~^/me~iu', $message)){ if($poststatus!==9 && preg_match('~^/me~iu', $message)){
$displaysend=style_this(htmlspecialchars("$U[nickname] "), $U['style']); $displaysend=style_this(htmlspecialchars("$U[nickname] "), $U['style']);