To apply the fix for the CSRF vulnerability described above manually, do the following. Note, however, that applying this fix alone gives you none of the other non-security bug fixes included in 1.4.21, nor any of the fixes from versions before 1.4.21, unless you also apply every one of them manually. It is strongly recommended that you update fully to version 1.4.21 by following the instructions above.
Replace the function bb_decode in file include/functions.inc.php with the following code:
// Allow the use of a limited set of phpBB bb codes in albums and image descriptions
// Based on phpBB code
/**
 * bb_decode()
 *
 * Turns a restricted set of phpBB-style bb codes into HTML: newlines become
 * <br />, [b]/[u]/[i] map to their tags, [color=...] becomes a span whose
 * inline colour is limited to "#RRGGBB" (upper-case hex only) or a plain
 * lower-case word, and [email] becomes a mailto link. [url] and [img] are
 * deliberately NOT rendered as links or remote images: their target appears
 * only in the title attribute of a local placeholder image (see the WARNING
 * notes below). Tags are not checked for balance, and the description
 * captured from [url=...]text[/url] is copied through untouched, so this
 * function relies on $text already being HTML-safe when it arrives —
 * NOTE(review): confirm against the callers.
 *
 * @param string $text  text that may contain bb codes
 * @return string       the text with the supported bb codes converted to HTML
 **/
function bb_decode($text)
{
    $text = nl2br($text);

    // Built on the first call and reused for the rest of the request.
    static $patterns = array();
    static $replacements = array();

    // Bail out early unless there is at least one "[" and one "]".
    if (strpos($text, "[") === false || strpos($text, "]") === false) {
        return $text;
    }

    // Plain tag-for-tag substitutions. None of the outputs contains a "[" or
    // "]", so no substitution can create or destroy another tag and a single
    // str_replace pass is equivalent to doing them one after the other.
    $simple = array(
        "[b]"      => '<b>',
        "[/b]"     => '</b>',
        "[u]"      => '<u>',
        "[/u]"     => '</u>',
        "[i]"      => '<i>',
        "[/i]"     => '</i>',
        "[/color]" => '</span>',
    );
    $text = str_replace(array_keys($simple), array_values($simple), $text);

    // [color=#RRGGBB] / [color=name]: the capture is restricted to six
    // upper-case hex digits or lower-case letters, which is what keeps the
    // value safe to drop into a style attribute without escaping. A
    // non-matching opener (e.g. lower-case hex) is left as literal text.
    $text = preg_replace("/\[color=(\#[0-9A-F]{6}|[a-z]+)\]/", '<span style="color:$1">', $text);

    if (!count($patterns)) {
        // **** WARNING *******************************************************
        // Both [url] and [img] can be used for a serious attack against your
        // website, so neither is rendered as a real link or remote image any
        // more. This simple action is not an ideal solution but is necessary.
        // The tag's target is now shown only in the tooltip (title attribute)
        // of a local placeholder image:
        //   [url=link]text[/url]   shows 'text' followed by the placeholder
        //   [url]link[/url]        shows 'link' as plain text plus the placeholder
        //   [img]link[/img]        shows the placeholder only
        // The original templates that processed [url] and [img] were:
        //   '<span class="bblink"><a href="{URL}" rel="external">{DESCRIPTION}</a></span>'
        //   '<img src="{URL}" alt="" />'
        // See this thread on the Coppermine forum for more information and
        // read it carefully before deciding to process [url] or [img] again:
        // http://forum.coppermine-gallery.net/index.php/topic,58309.0.html
        // ********************************************************************

        // Characters accepted inside a [url]/[img] target. Note that ", ', <
        // and > are not in the set, so a matched target cannot break out of
        // the title="" attribute it is placed into.
        $target = '[a-z0-9\-\.,\?!%\*_\#:;~\&$@\/=\+\(\)]+';
        // Scheme prefix such as http:// (captured so it can be echoed back).
        $scheme = '([a-z]+?://){1}';

        // %s receives the back-references that name the captured target.
        $urlTip = '<img src="images/descending.gif" alt="" title="%s" />';
        $imgTip = '<img src="images/thumbnails.gif" alt="" title="%s" />';

        // [url]xxxx://www.phpbb.com[/url]
        $patterns[]     = '#\[url\]' . $scheme . '(' . $target . ')\[/url\]#si';
        $replacements[] = '\1\2' . sprintf($urlTip, '\1\2');
        // [url]www.phpbb.com[/url] (no xxxx:// prefix; http:// is assumed in the tooltip)
        $patterns[]     = '#\[url\](' . $target . ')\[/url\]#si';
        $replacements[] = '\1' . sprintf($urlTip, 'http://\1');
        // [url=xxxx://www.phpbb.com]phpBB[/url]
        $patterns[]     = '#\[url=' . $scheme . '(' . $target . ')\](.*?)\[/url\]#si';
        $replacements[] = '\3' . sprintf($urlTip, '\1\2');
        // [url=www.phpbb.com]phpBB[/url] (no xxxx:// prefix)
        $patterns[]     = '#\[url=(' . $target . ')\](.*?)\[/url\]#si';
        $replacements[] = '\2' . sprintf($urlTip, 'http://\1');
        // [email]user@domain.tld[/email] - still rendered as a mailto link;
        // the address pattern admits no quote or angle-bracket characters.
        $patterns[]     = '#\[email\]([a-z0-9\-_.]+?@[\w\-]+\.([\w\-\.]+\.)?[\w]+)\[/email\]#si';
        $replacements[] = '<span class="bblink"><a href="mailto:\1">\1</a></span>';
        // [img]xxxx://www.phpbb.com[/img]
        $patterns[]     = '#\[img\]' . $scheme . '(' . $target . ')\[/img\]#si';
        $replacements[] = sprintf($imgTip, '\1\2');
    }

    // Patterns are applied in array order: the scheme-prefixed forms come
    // first so the prefix-less ones only see what is left over.
    return preg_replace($patterns, $replacements, $text);
}