From 71c6f12d9c4431fb97f870a3d67fffecb12e6a7c Mon Sep 17 00:00:00 2001 From: Leinad4Mind Date: Sat, 23 Aug 2025 20:41:29 +0100 Subject: [PATCH 1/2] Fix insecure redirection bug on notifications --- core/notification/events/phpbbgallery_image_approved.php | 3 ++- .../events/phpbbgallery_image_for_approval.php | 7 ++++--- .../events/phpbbgallery_image_not_approved.php | 3 ++- core/notification/events/phpbbgallery_new_comment.php | 6 +++--- core/notification/events/phpbbgallery_new_image.php | 7 ++++--- core/notification/events/phpbbgallery_new_report.php | 7 ++++--- core/notification/helper.php | 1 + 7 files changed, 20 insertions(+), 14 deletions(-) diff --git a/core/notification/events/phpbbgallery_image_approved.php b/core/notification/events/phpbbgallery_image_approved.php index 11aaaa77..cd019440 100644 --- a/core/notification/events/phpbbgallery_image_approved.php +++ b/core/notification/events/phpbbgallery_image_approved.php @@ -139,7 +139,7 @@ public function get_email_template_variables() */ public function get_url() { - return $this->get_data('album_url'); + return $this->get_data('album_id') ? append_sid($this->phpbb_root_path . 'gallery/album/' . $this->get_data('album_id')) : $this->get_data('album_url'); } /** @@ -166,6 +166,7 @@ public function create_insert_array($data, $pre_create_data = array()) { $this->set_data('album_name', $data['album_name']); $this->set_data('album_url', $data['album_url']); + $this->set_data('album_id', $data['album_id']); parent::create_insert_array($data, $pre_create_data); } } diff --git a/core/notification/events/phpbbgallery_image_for_approval.php b/core/notification/events/phpbbgallery_image_for_approval.php index ad84145d..272b38b9 100644 --- a/core/notification/events/phpbbgallery_image_for_approval.php +++ b/core/notification/events/phpbbgallery_image_for_approval.php 
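Review bot: In get_url of phpbbgallery_image_approved.php the album_id is concatenated into the path straight from get_data() with no cast, and the matching `set_data('album_id', $data['album_id'])` in create_insert_array stores it raw as well, whereas the other notification types in this commit cast the same field with (int) in get_item_id/get_item_parent_id; notification_data is persisted serialized, so whatever a caller put there ends up in the generated link. Normalise at both ends: `$this->set_data('album_id', (int) $data['album_id']);` when storing and `$album_id = (int) $this->get_data('album_id');` when building the URL, testing `$album_id > 0` instead of the raw value's truthiness. The `: $this->get_data('album_url')` branch still returns the stored absolute URL verbatim for notifications created before this change; if that stored value is what the commit title calls insecure, consider reducing it to its path component (`parse_url($url, PHP_URL_PATH)`) rather than returning it as is. `$this->phpbb_root_path . 'gallery/album/'` also hard-codes the rewritten route form; on boards without URL rewriting extension routes are served via app.php, so verify the link resolves there or generate it through the controller helper's route() if this class has access to it.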
@@ -66,7 +66,7 @@ public function is_available() */ public static function get_item_id($data) { - return $data['last_image_id']; + return (int) $data['last_image_id']; } /** @@ -78,7 +78,7 @@ public static function get_item_id($data) public static function get_item_parent_id($data) { // No parent - return $data['album_id']; + return (int) $data['album_id']; } /** @@ -155,7 +155,7 @@ public function get_email_template_variables() */ public function get_url() { - return $this->get_data('album_url'); + return $this->get_data('album_id') ? append_sid($this->phpbb_root_path . 'gallery/album/' . $this->get_data('album_id')) : $this->get_data('album_url'); } /** @@ -181,6 +181,7 @@ public function create_insert_array($data, $pre_create_data = array()) { $this->set_data('album_name', $data['album_name']); $this->set_data('album_url', $data['album_url']); + $this->set_data('album_id', $data['album_id']); $this->set_data('uploader', $data['uploader']); parent::create_insert_array($data, $pre_create_data); } diff --git a/core/notification/events/phpbbgallery_image_not_approved.php b/core/notification/events/phpbbgallery_image_not_approved.php index 17128a81..c8f34f9c 100644 --- a/core/notification/events/phpbbgallery_image_not_approved.php +++ b/core/notification/events/phpbbgallery_image_not_approved.php @@ -139,7 +139,7 @@ public function get_email_template_variables() */ public function get_url() { - return $this->get_data('album_url'); + return $this->get_data('album_id') ? append_sid($this->phpbb_root_path . 'gallery/album/' . $this->get_data('album_id')) : $this->get_data('album_url'); } /** @@ -166,6 +166,7 @@ public function create_insert_array($data, $pre_create_data = array()) { $this->set_data('album_name', $data['album_name']); $this->set_data('album_url', $data['album_url']); + $this->set_data('album_id', $data['album_id']); parent::create_insert_array($data, $pre_create_data); } } 
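Review bot: In create_insert_array of phpbbgallery_image_for_approval.php the new `set_data('album_id', $data['album_id'])` stores the raw value while get_item_id and get_item_parent_id in the same file now cast it with (int); the value is read back in get_url and spliced into a path, so it should be normalised where it is stored: `$this->set_data('album_id', (int) $data['album_id']);`. With that in place the ternary in get_url can test an integer rather than an arbitrary value's truthiness, e.g. `$album_id = (int) $this->get_data('album_id');` followed by `return $album_id > 0 ? append_sid($this->phpbb_root_path . 'gallery/album/' . $album_id) : $this->get_data('album_url');`. The image_not_approved hunks on this line have the same shape and want the same treatment.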
diff --git a/core/notification/events/phpbbgallery_new_comment.php b/core/notification/events/phpbbgallery_new_comment.php index 059dac44..92fff08c 100644 --- a/core/notification/events/phpbbgallery_new_comment.php +++ b/core/notification/events/phpbbgallery_new_comment.php @@ -66,7 +66,7 @@ public function is_available() */ public static function get_item_id($data) { - return $data['comment_id']; + return (int) $data['comment_id']; } /** @@ -78,7 +78,7 @@ public static function get_item_id($data) public static function get_item_parent_id($data) { // No parent - return $data['image_id']; + return (int) $data['image_id']; } /** @@ -155,7 +155,7 @@ public function get_email_template_variables() */ public function get_url() { - return $this->get_data('url'); + return $this->get_data('image_id') ? append_sid($this->phpbb_root_path . 'gallery/image/' . $this->get_data('image_id')) : $this->get_data('url'); } /** diff --git a/core/notification/events/phpbbgallery_new_image.php b/core/notification/events/phpbbgallery_new_image.php index b3964dc4..69353ad8 100644 --- a/core/notification/events/phpbbgallery_new_image.php +++ b/core/notification/events/phpbbgallery_new_image.php @@ -66,7 +66,7 @@ public function is_available() */ public static function get_item_id($data) { - return $data['last_image_id']; + return (int) $data['last_image_id']; } /** @@ -78,7 +78,7 @@ public static function get_item_id($data) public static function get_item_parent_id($data) { // No parent - return $data['album_id']; + return (int) $data['album_id']; } /** @@ -149,7 +149,7 @@ public function get_email_template_variables() */ public function get_url() { - return $this->get_data('album_url'); + return $this->get_data('album_id') ? append_sid($this->phpbb_root_path . 'gallery/album/' . $this->get_data('album_id')) : $this->get_data('album_url'); } /** 
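Review bot: get_url in phpbbgallery_new_comment.php now reads `$this->get_data('image_id')`, but nothing in this commit stores that key: the file's diffstat is three additions and three deletions and all three are visible here (get_item_id, get_item_parent_id, get_url), whereas the album and report types get a matching `set_data(...)` line added to create_insert_array. Unless create_insert_array (outside this hunk) already calls `set_data('image_id', ...)`, get_data returns null for every comment notification and the method keeps returning the stored `url`, so the fix would not apply to this type. The image id is already persisted as the notification's item_parent_id (get_item_parent_id in this hunk returns it), so if the base class exposes that column as in phpBB core the lookup can avoid notification_data entirely, `$image_id = (int) $this->item_parent_id;`; otherwise add `$this->set_data('image_id', (int) $data['image_id']);` to create_insert_array. Either way the fallback to the stored `url` should be documented as serving pre-existing rows only.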
@@ -175,6 +175,7 @@ public function create_insert_array($data, $pre_create_data = array()) { $this->set_data('album_name', $data['album_name']); $this->set_data('album_url', $data['album_url']); + $this->set_data('album_id', $data['album_id']); parent::create_insert_array($data, $pre_create_data); } } diff --git a/core/notification/events/phpbbgallery_new_report.php b/core/notification/events/phpbbgallery_new_report.php index c86a1618..0b092679 100644 --- a/core/notification/events/phpbbgallery_new_report.php +++ b/core/notification/events/phpbbgallery_new_report.php @@ -66,7 +66,7 @@ public function is_available() */ public static function get_item_id($data) { - return $data['item_id']; + return (int) $data['item_id']; } /** @@ -154,7 +154,7 @@ public function users_to_query() */ public function get_url() { - return $this->get_data('url'); + return $this->get_data('reported_image_id') ? append_sid($this->phpbb_root_path . 'gallery/moderate/image/' . $this->get_data('reported_image_id')) : $this->get_data('url'); } /** @@ -170,7 +170,8 @@ public function create_insert_array($data, $pre_create_data = array()) { $this->set_data('item_id', $data['item_id']); $this->set_data('reporter', $data['reporter']); + $this->set_data('reported_image_id', $data['reported_image_id']); $this->set_data('url', $data['url']); - return parent::create_insert_array($data, $pre_create_data); + parent::create_insert_array($data, $pre_create_data); } } diff --git a/core/notification/helper.php b/core/notification/helper.php index effe1a37..159cedf7 100644 --- a/core/notification/helper.php +++ b/core/notification/helper.php 
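Review bot: In phpbbgallery_new_report.php's create_insert_array the new `set_data('reported_image_id', $data['reported_image_id'])` stores the value uncast and get_url then concatenates it into `gallery/moderate/image/`; the same file now casts item_id with (int) in get_item_id, so do the same here: `$this->set_data('reported_image_id', (int) $data['reported_image_id']);`. The `'url'` key is still stored on every new notification although get_url now only reads it when reported_image_id is absent; if it is kept for pre-existing rows, a comment on the fallback such as `// legacy rows without reported_image_id only` would stop a later change from reusing the stored absolute URL. Dropping the `return` on parent::create_insert_array matches the other notification types in this commit.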
@@ -129,6 +129,7 @@ public function notify($type, $target) 'user_ids' => array_diff($this->gallery_auth->acl_users_ids('m_report', $target['reported_album_id']), array($target['reporter_id'])), 'item_id' => $target['report_id'], 'reporter' => $target['reporter_id'], + 'reported_image_id' => $target['reported_image_id'], 'url' => $this->url->get_uri($this->helper->route('phpbbgallery_core_moderate_image', array('image_id' => $target['reported_image_id']))), ); $phpbb_notifications->add_notifications('phpbbgallery.core.notification.new_report', $notification_data); From 4f58973550d6317ee3bcb4aec45927404583a13d Mon Sep 17 00:00:00 2001 From: Leinad4Mind Date: Sun, 24 Aug 2025 01:32:02 +0100 Subject: [PATCH 2/2] Fix Webp --- core/acp/config_module.php | 2 +- core/file/file.php | 6 +++--- core/language/es/gallery_acp.php | 2 +- core/language/ru/gallery.php | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/core/acp/config_module.php b/core/acp/config_module.php index e54477c0..3a2b8d5b 100644 --- a/core/acp/config_module.php +++ b/core/acp/config_module.php @@ -376,7 +376,7 @@ public function get_display_vars($mode) 'allow_gif' => array('lang' => 'GIF_ALLOWED', 'validate' => 'bool', 'type' => 'radio:yes_no'), 'allow_jpg' => array('lang' => 'JPG_ALLOWED', 'validate' => 'bool', 'type' => 'radio:yes_no'), 'allow_png' => array('lang' => 'PNG_ALLOWED', 'validate' => 'bool', 'type' => 'radio:yes_no'), - 'allow_webp' => array('lang' => 'WEBP_ALLOWED', 'validate' => 'bool', 'type' => 'radio:yes_no'), + 'allow_webp' => array('lang' => 'WEBP_ALLOWED', 'validate' => 'bool', 'type' => 'radio:yes_no'), 'allow_zip' => array('lang' => 'ZIP_ALLOWED', 'validate' => 'bool', 'type' => 'radio:yes_no'), 'description_length' => array('lang' => 'IMAGE_DESC_MAX_LENGTH', 'validate' => 'int', 'type' => 'text:7:5', 'append' => 'CHARACTERS'), 'disp_nextprev_thumbnail' => array('lang' => 'DISP_NEXTPREV_THUMB','validate' => 'bool', 'type' => 'radio:yes_no'), 
diff --git a/core/file/file.php b/core/file/file.php index 2ee0c71d..7999e46a 100644 --- a/core/file/file.php +++ b/core/file/file.php @@ -127,7 +127,7 @@ static public function mimetype_by_filename($filename) case '.jpg': return 'image/jpeg'; break; - case '.webp': + case 'webp': return 'image/webp'; break; } @@ -149,7 +149,7 @@ static public function extension_by_filename($filename) case '.jpg': return 'jpg'; break; - case '.webp': + case 'webp': return 'webp'; break; } @@ -177,7 +177,7 @@ public function read_image($force_filesize = false) imagealphablending($this->image, true); // Set alpha blending on ... imagesavealpha($this->image, true); // ... and save alpha blending! break; - case '.webp': + case 'webp': $this->image_type = 'webp'; $this->image = imagecreatefromwebp($this->image_source); break; diff --git a/core/language/es/gallery_acp.php b/core/language/es/gallery_acp.php index 137a81fa..fa6d5cd1 100644 --- a/core/language/es/gallery_acp.php +++ b/core/language/es/gallery_acp.php @@ -284,7 +284,7 @@ 'RECENT_ON_INDEX_COUNT' => 'Conteo de imágenes recientes', 'PHPBB_INTEGRATION' => 'Integración de phpBB', 'PNG_ALLOWED' => 'Permitido subir archivos PNG', - 'WEBP_ALLOWED' => 'Allowed to upload WEBP files', + 'WEBP_ALLOWED' => 'Permitido subir archivos WEBP', 'PURGED_CACHE' => 'Purgó la caché', 'RATE_SCALE' => 'Escala de calificación', diff --git a/core/language/ru/gallery.php b/core/language/ru/gallery.php index d07c74b6..7d55d309 100644 --- a/core/language/ru/gallery.php +++ b/core/language/ru/gallery.php @@ -124,7 +124,7 @@ 'FILETYPES_GIF' => 'gif', 'FILETYPES_JPG' => 'jpg', 'FILETYPES_PNG' => 'png', - 'FILETYPES_WEBP' => 'webp', + 'FILETYPES_WEBP' => 'webp', 'FILETYPES_ZIP' => 'zip', 'FULL_EDITOR_GALLERY' => 'Редактировать',
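Review bot: The `case 'webp':` labels in mimetype_by_filename, extension_by_filename and read_image now differ from the sibling `case '.jpg':` labels in the same switches; that only works if the switch subject (outside each hunk) is a fixed-width slice such as `substr($filename, -4)`, which yields `.jpg` for three-letter extensions and `webp` for four-letter ones. If so, any filename whose last four characters are `webp` without a dot (e.g. `notwebp`) is reported as image/webp, and the rule silently breaks again the next time a four-letter extension is added. Matching on the real extension avoids both problems: `switch (strtolower(pathinfo($filename, PATHINFO_EXTENSION)))` with bare labels `'gif'`, `'jpg'`, `'png'`, `'webp'` in all three methods. For read_image, `imagecreatefromwebp` exists only when GD was built with WebP support; a `function_exists('imagecreatefromwebp')` guard or a check of its return value for false keeps a bad build from fataling on upload, unless the surrounding code already checks this, which is not visible here.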