50 most recent check-ins
|
2025-12-11
| ||
| 19:30:16 | Add notes, send-message.sh, and xmppc-patches. These were previously being passed around in a tarball along with the patches against asmbb-3.0, but since we have a proper repository now they should be made available here. Leaf check-in: 1a60d3a903 user: unmush tags: trunk | |
| 17:18:43 | Adjust userinfo.tpl for all skins to include the current permLock and permIgnoreLock status. check-in: 73fa878567 user: unmush tags: trunk | |
| 17:14:48 | Add thread locking. Adds a 'Locked' flag field to the Threads table. Adds two new permissions, permLock and permIgnoreLock. Adds a 'threadlocked' result column to showthread.sql, threadinfo.sql, and threadlist.sql. Adjusts 'EditUserMessage', 'DeletePost', 'Vote', [special:canpost], [special:candelete], [special:canedit], and [special:canvote] to honor the combination of 'Locked' flag and permIgnoreLock. In the process, adds SearchFieldHash and uses it in RenderTemplate.complex_permission, where previously no handling of hash collisions was done (!). Adds template commands [special:canlock] and [special:canignorelock]. Adds '!lock' and '!unlock' commands, both implemented by LockThread. Adds new Message rows for 'error_cant_lock' and 'error_cant_unlock'. Adjusts thread_info.tpl for all skins to include a homegrown, ethically-sourced, organic, artisanal lock icon when the thread being shown is locked. Adjusts form_editinfo.tpl and form_settings.tpl for all skins to support showing and editing the new permLock and permIgnoreLock permissions. Adjusts nav_thread.tpl for all skins to include ' (locked)' after the caption if the thread is locked, and if the requesting client has the permLock permission, show either a 'Lock' or 'Unlock' button depending on whether the thread is currently locked. Adjusts the Urban Sunrise post_view.tpl to not show a quote button when a logged-in user doesn't have permission to post in the thread containing that post. This brings it in line with the other skins. It still shows the quote button when a non-locked thread is viewed without being logged in, but links to the login page instead. In other words, we assume it is better for users with permIgnoreLock to have to find their own way to the login page than to have regular users confused why they have a quote button that goes away when they log in ("did a mod do something to my account??? Did (((they))) shut it down?"). check-in: e18db73c74 user: unmush tags: trunk | |
| 17:14:45 | Fix double-free in CreateAtomFeed. A double-free would previously occur whenever a tag existed but had no associated threads. This would be triggered by accessing /TAGNAME/!feed, causing a crash. To my knowledge such tags aren't linked to anywhere, but the vile foe, bingbot, will remember them from when they were referenced and try to access it anyway. check-in: ea6d673c22 user: unmush tags: trunk | |
| 17:14:43 | Add support for account activation addresses other than email. In addition to an address (formerly an email address), each user now has an address_type. This is a lowercase-canonicalized string indicating the type of the address. For example, email is represented by the string "smtp". This requires a database schema change, which can be accomplished using the new source/migration4.sql file. Other types can be implemented using the new message_exec parameter. It is passed 5 named arguments: --type (address type), --from (sender account username), --to (full target address), --host (smtp_host), and --subject. All included skins have been updated to support specifying the address type for normal registration, address change, admin account creation, and password reset. Some other miscellaneous changes: the "mirrors" parameter now has a proper UI in the settings page. Sending emails longer than PIPE_BUF to smtp_exec no longer causes the calling thread to hang indefinitely. check-in: b808cdca53 user: unmush tags: trunk | |
| 17:14:41 | Prevent newlines in email addresses. Newlines in email addresses can cause a mail client to interpret part of the email address as different headers, potentially allowing arbitrary headers to be set, so that mail may be sent to an email address different from the one used to register. check-in: 7162d80b76 user: unmush tags: trunk | |
| 17:14:39 | Fix behavior of [case:...] with large values. "case" treats digits as part of a number, whitespace as nonexistent, and everything else as a unary digit (that is, it increments the accumulator by 1). For example: a5b6 would be interpreted as ((((1 * 10) + 5) + 1) * 10) + 6 = 166. If an arbitrary string is used, it is therefore possible for extremely large corresponding case values to be used. Previously, this would cause problems because the appropriate case clause is located by decrementing the case value for each non-nested "|" encountered and checking whether this makes the case value *negative* when treated as a signed 32-bit twos-complement value. But when it is being constructed it is treated as an *unsigned* 32-bit value. This can lead to *all* of the clauses being deleted (that is, none of them being "chosen"). To resolve this, increment the case value after it is constructed, and check when decrementing makes it zero, instead of negative. Additionally, it is possible for the case value to wrap around as it is being constructed, such that a sufficiently large case string may end up causing clause 0 to be expanded. To resolve this, use saturated arithmetic such that the largest possible case value is 0xFFFFFFFE, and any larger than that will be clamped to that value. check-in: c316316f60 user: unmush tags: trunk | |
| 17:14:37 | Validate skin cookie. Previously, the only requirement was that this string, when prefixed with $CWD/templates/ and suffixed with "/main_html_start.tpl", corresponded to an existing filename. This meant that anybody with the permission to create a suitable directory on the same system could cause asmbb to expand arbitrary templates, which could do things like exfiltrate any file that asmbb has read access to, such as the database. check-in: 647f456d4f user: unmush tags: trunk | |
| 17:14:34 | Always use English in email body template, add "mirrors" param support. [special:lang] currently is never expanded in this template, so it always chooses German, which is a bad default. This removes all the other languages for now - if [special:lang] starts working again they can come back. This also adds activation links to any mirrors in the comma-separated list in [param:mirrors]. It does this using [head:...], [tail:...], the fact that [equ:...] can reassign to the same key, and two helper templates, string_join.tpl and string_join2.tpl. check-in: 7513efe9fd user: unmush tags: trunk | |
| 17:14:32 | Fix email subject template. Two problems with the subject template previously: 1. [special:lang] is never expanded for this template, so it will always choose case option 14, which in practice means it's always German. This is not a good default. 2. It includes a newline prior to the actual subject. check-in: bdf2058987 user: unmush tags: trunk | |
| 17:14:30 | Fix processing of [include:...] when a null TSpecialParams is passed. This rearranges the setup and teardown for RenderTemplate so that the directory of the current skin directory is always saved in [.skinDir] for future use from the start. The initial process of computing the skin directory properly checks for .pSpecial = 0 and uses a fallback, whereas .cmd_include does not, so modify .cmd_include to use [.skinDir]. Finally, modify teardown to free [.skinDir]. check-in: f3cdf770f4 user: unmush tags: trunk | |
| 17:14:28 | Add [param:...], [head:...], and [tail:...] commands. [param:KEY] looks up the string with id KEY in the Params table. If it is not found, an empty string is substituted instead. If KEY is the empty string, no substitution is performed. [head:STRING] is substituted with the longest prefix of STRING that does not contain a comma. [tail:STRING] is substituted with the suffix following the first comma in STRING or, if there are no commas, with the empty string. The first command makes it possible for templates to directly use values from Params. The latter two make it possible, together with a self-including trick, to process comma-delimited lists. check-in: c46acaaeeb user: unmush tags: trunk | |
| 17:14:26 | Don't allow any part of the case value to be re-expanded. Case commands are processed like so: 1. A '[' is encountered and its position is pushed on the stack for later use. 2. The text following it is parsed and expanded as normal, until a '|' outside of any nested square brackets is encountered. 3. The expanded text following the initial '[' is checked to see whether it matches 'case:'. If it does, the expanded text following the 'case:' is parsed up to the first '|' and converted into a number. 4. In an inner loop, each clause is parsed (but not expanded). When the end of a clause is reached, it is deleted unless its index matches the number obtained in (3) or it ends with a ']'. 5. This leaves exactly one clause remaining, which is parsed and expanded as usual. The problem is between steps (3) and (4): the clauses are currently parsed starting from the '|' where (3) left off, instead of from the '|' encountered in (2). But (3) may have left off in the middle of expanded commands, including ones with attacker-controlled results. check-in: 38d3c8e093 user: unmush tags: trunk | |
| 17:14:24 | SendActivationEmail: verify that user email is not null. It's possible to end up with rows in the WaitingActivation table that have a null email address at the same time as email activation is enabled. This happens if someone registers when email activation is not enabled (so an email address is not required), and then email activation is later enabled and ProcessActivationEmails is called. In this case, SendActivationEmail would segfault. Since the sqlCleanWaiting statement is only run after attempting to send activation emails, the segfault always prevents it from happening, so the failure is persistent. This fixes that. check-in: d69d4cb114 user: unmush tags: trunk | |
| 17:14:22 | Add blank line to separate headers from email body in smtp_exec case. check-in: b13c11d862 user: unmush tags: trunk | |
| 17:14:20 | Allow null user agent to match null user agent when checking login ticket. In SQL, NULL != NULL. Consequently, a ticket issued without a user agent would never be able to match any submitted form, even if it also had no user agent. We resolve this by explicitly checking for the case in which both ticket and form have a null user agent. check-in: 84939fbdeb user: unmush tags: trunk | |
| 17:14:18 | Redirect to front page on spoofed skincookie page referrer. check-in: e1b0f81bd5 user: unmush tags: trunk | |
| 17:14:16 | Redirect to front page on spoofed logout page referrer. check-in: 96526c8d6a user: unmush tags: trunk | |
| 16:48:47 | Prevent newlines in email addresses. Newlines in email addresses can cause a mail client to interpret part of the email address as different headers, potentially allowing arbitrary headers to be set, so that mail may be sent to an email address different from the one used to register. Leaf check-in: 9043aaccbd user: unmush tags: trunk | |
| 16:47:34 | Fix behavior of [case:...] with large values. "case" treats digits as part of a number, whitespace as nonexistent, and everything else as a unary digit (that is, it increments the accumulator by 1). For example: a5b6 would be interpreted as ((((1 * 10) + 5) + 1) * 10) + 6 = 166. If an arbitrary string is used, it is therefore possible for extremely large corresponding case values to be used. Previously, this would cause problems because the appropriate case clause is located by decrementing the case value for each non-nested "|" encountered and checking whether this makes the case value *negative* when treated as a signed 32-bit twos-complement value. But when it is being constructed it is treated as an *unsigned* 32-bit value. This can lead to *all* of the clauses being deleted (that is, none of them being "chosen"). To resolve this, increment the case value after it is constructed, and check when decrementing makes it zero, instead of negative. Additionally, it is possible for the case value to wrap around as it is being constructed, such that a sufficiently large case string may end up causing clause 0 to be expanded. To resolve this, use saturated arithmetic such that the largest possible case value is 0xFFFFFFFE, and any larger than that will be clamped to that value. check-in: e386b87de6 user: unmush tags: trunk | |
| 16:46:33 | Validate skin cookie. Previously, the only requirement was that this string, when prefixed with $CWD/templates/ and suffixed with "/main_html_start.tpl", corresponded to an existing filename. This meant that anybody with the permission to create a suitable directory on the same system could cause asmbb to expand arbitrary templates, which could do things like exfiltrate any file that asmbb has read access to, such as the database. check-in: 806699256c user: unmush tags: trunk | |
| 16:45:07 | Always use English in email body template, add "mirrors" param support. [special:lang] currently is never expanded in this template, so it always chooses German, which is a bad default. This removes all the other languages for now - if [special:lang] starts working again they can come back. This also adds activation links to any mirrors in the comma-separated list in [param:mirrors]. It does this using [head:...], [tail:...], the fact that [equ:...] can reassign to the same key, and two helper templates, string_join.tpl and string_join2.tpl. check-in: ce8c530db0 user: unmush tags: trunk | |
| 16:27:28 | Fix email subject template. Two problems with the subject template previously: 1. [special:lang] is never expanded for this template, so it will always choose case option 14, which in practice means it's always German. This is not a good default. 2. It includes a newline prior to the actual subject. check-in: acdd4c286b user: unmush tags: trunk | |
| 16:26:14 | Fix processing of [include:...] when a null TSpecialParams is passed. This rearranges the setup and teardown for RenderTemplate so that the directory of the current skin directory is always saved in [.skinDir] for future use from the start. The initial process of computing the skin directory properly checks for .pSpecial = 0 and uses a fallback, whereas .cmd_include does not, so modify .cmd_include to use [.skinDir]. Finally, modify teardown to free [.skinDir]. check-in: 75cd98b6dd user: unmush tags: trunk | |
| 16:25:06 | Add [param:...], [head:...], and [tail:...] commands. [param:KEY] looks up the string with id KEY in the Params table. If it is not found, an empty string is substituted instead. If KEY is the empty string, no substitution is performed. [head:STRING] is substituted with the longest prefix of STRING that does not contain a comma. [tail:STRING] is substituted with the suffix following the first comma in STRING or, if there are no commas, with the empty string. The first command makes it possible for templates to directly use values from Params. The latter two make it possible, together with a self-including trick, to process comma-delimited lists. check-in: ca05ca6c3a user: unmush tags: trunk | |
| 16:24:10 | Don't allow any part of the case value to be re-expanded. Case commands are processed like so: 1. A '[' is encountered and its position is pushed on the stack for later use. 2. The text following it is parsed and expanded as normal, until a '|' outside of any nested square brackets is encountered. 3. The expanded text following the initial '[' is checked to see whether it matches 'case:'. If it does, the expanded text following the 'case:' is parsed up to the first '|' and converted into a number. 4. In an inner loop, each clause is parsed (but not expanded). When the end of a clause is reached, it is deleted unless its index matches the number obtained in (3) or it ends with a ']'. 5. This leaves exactly one clause remaining, which is parsed and expanded as usual. The problem is between steps (3) and (4): the clauses are currently parsed starting from the '|' where (3) left off, instead of from the '|' encountered in (2). But (3) may have left off in the middle of expanded commands, including ones with attacker-controlled results. check-in: fa56fe0fbf user: unmush tags: trunk | |
| 16:12:44 | SendActivationEmail: verify that user email is not null. It's possible to end up with rows in the WaitingActivation table that have a null email address at the same time as email activation is enabled. This happens if someone registers when email activation is not enabled (so an email address is not required), and then email activation is later enabled and ProcessActivationEmails is called. In this case, SendActivationEmail would segfault. Since the sqlCleanWaiting statement is only run after attempting to send activation emails, the segfault always prevents it from happening, so the failure is persistent. This fixes that. check-in: 0305cd92ca user: unmush tags: trunk | |
| 16:11:57 | Add blank line to separate headers from email body in smtp_exec case. check-in: 27595c0747 user: unmush tags: trunk | |
| 16:10:50 | Allow null user agent to match null user agent when checking login ticket. In SQL, NULL != NULL. Consequently, a ticket issued without a user agent would never be able to match any submitted form, even if it also had no user agent. We resolve this by explicitly checking for the case in which both ticket and form have a null user agent. check-in: aa5c2097ca user: unmush tags: trunk | |
| 16:10:15 | Redirect to front page on spoofed skincookie page referrer. check-in: 30b7ba4389 user: unmush tags: trunk | |
| 16:08:50 | Redirect to front page on spoofed logout page referrer. check-in: e129263c00 user: unmush tags: trunk | |
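
The [case:...] value arithmetic described in check-ins c316316f60 and e386b87de6 above, modelled in C as an added example. This is not asmbb's own code (the project is written in assembly); the function names, the use of isspace() for "whitespace", and the -1 return when no clause is reached are assumptions of this sketch.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>

#define CASE_MAX 0xFFFFFFFEu /* largest case value after the fix, per the check-in */

/* Pre-fix construction: plain unsigned 32-bit arithmetic that wraps silently. */
uint32_t case_value_wrapping(const char *s)
{
    uint32_t acc = 0;
    for (; *s && *s != '|'; s++) {
        unsigned char c = (unsigned char)*s;
        if (isspace(c)) continue;                     /* whitespace is ignored */
        if (isdigit(c)) acc = acc * 10u + (uint32_t)(c - '0');
        else            acc = acc + 1u;               /* anything else: unary digit */
    }
    return acc;
}

/* Post-fix construction: saturated arithmetic, clamped to CASE_MAX at each step. */
uint32_t case_value_saturating(const char *s)
{
    uint64_t acc = 0;                                 /* wide enough for acc*10+9 */
    for (; *s && *s != '|'; s++) {
        unsigned char c = (unsigned char)*s;
        if (isspace(c)) continue;
        if (isdigit(c)) acc = acc * 10u + (uint64_t)(c - '0');
        else            acc = acc + 1u;
        if (acc > CASE_MAX) acc = CASE_MAX;
    }
    return (uint32_t)acc;
}

/* Post-fix selection: increment the value once, decrement at every top-level
   '|', and choose the clause whose '|' brings the counter to exactly zero.
   Returns the clause index, or -1 if the counter never reaches zero. */
long select_clause(uint32_t value, uint32_t nclauses)
{
    uint32_t counter = value + 1u;  /* cannot wrap when value <= CASE_MAX */
    for (uint32_t i = 0; i < nclauses; i++)
        if (--counter == 0) return (long)i;
    return -1;
}

int main(void)
{
    /* Constructed sample inputs; the last one is 2^32 written in decimal. */
    const char *samples[] = { "a5b6", " 1 2 ", "2|x|y|z", "4294967296" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        uint32_t w = case_value_wrapping(samples[i]);
        uint32_t s = case_value_saturating(samples[i]);
        printf("%-12s wrapping=%lu -> clause %ld | saturating=%lu -> clause %ld\n",
               samples[i], (unsigned long)w, select_clause(w, 3),
               (unsigned long)s, select_clause(s, 3));
    }
    return 0;
}
```

Clamping at 0xFFFFFFFE rather than 0xFFFFFFFF is what keeps the later increment from wrapping the counter back to zero.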
|
2024-11-13
| ||
| 07:40:03 | Another stupid bug. Leaf check-in: 7544654b24 user: johnfound tags: SkinNoCSS | |
| 07:17:36 | Fixed bug in __StrCatMinimag. check-in: a5d67a3ca9 user: johnfound tags: SkinNoCSS | |
|
2024-11-10
| ||
| 20:14:24 | Better processing of the minimag markup in __StrCatMinimag. Should be tested more. check-in: 31ce1bf757 user: johnfound tags: SkinNoCSS | |
| 18:55:43 | Fixed small bug in edit.asm. Fixed the autocomplete function in the editor. The problem was a duplicated tag ID in the main_html_start.tpl. check-in: 9146b624e3 user: johnfound tags: SkinNoCSS | |
| 15:37:14 | Sync the themes with the latest changes in the backend. check-in: 0eab86e6da user: johnfound tags: SkinNoCSS | |
|
2024-11-09
| ||
| 18:32:15 | Remove the </li> tag from the themes. check-in: 4de41bb25a user: johnfound tags: SkinNoCSS | |
| 08:56:14 | Clean the start and end whitespace from the quoted post (for BBCode). check-in: fa96f90abd user: johnfound tags: SkinNoCSS | |
| 08:55:17 | Removed the useless button "Reset" from the editor form. check-in: edc8320c7f user: johnfound tags: SkinNoCSS | |
|
2024-11-08
| ||
| 21:43:05 | The nested quotes feature implemented. The templates are fixed for NoCSS theme. check-in: 27639a891e user: johnfound tags: SkinNoCSS | |
| 14:05:44 | An option to strip the nested quotes from the quoted post. Need to implement the configuration to make it optional and configurable. check-in: 66eb8e30d6 user: johnfound tags: SkinNoCSS | |
|
2024-11-03
| ||
| 10:51:40 | Implemented zoom of the posted figures on click. check-in: f0437d0d66 user: johnfound tags: SkinNoCSS | |
|
2024-10-31
| ||
| 20:24:10 | added debug.less to the project. check-in: 77f72d57c3 user: johnfound tags: SkinNoCSS | |
| 20:21:40 | Removed debug int3 check-in: 14a43e8f71 user: johnfound tags: SkinNoCSS | |
| 18:04:37 | Forgotten file added. check-in: a7ef3303c8 user: johnfound tags: SkinNoCSS | |
| 18:04:02 | Some improvement and simplification of the !debuginfo page. check-in: eff7e12c25 user: johnfound tags: SkinNoCSS | |
| 17:48:40 | Fixed probably very old bug in atomfead.asm check-in: 1fa605b704 user: johnfound tags: SkinNoCSS | |
| 17:27:24 | Better UI for the ignoring/unignoring users. check-in: bba3e7860d user: johnfound tags: SkinNoCSS | |
| 15:27:25 | Added [special:?ignored=USERID] command in the render. check-in: 3a0d21ad1e user: johnfound tags: SkinNoCSS | |
| 14:05:34 | Now the ignore system works at first glance. Must be tested in production. check-in: 1e4dbbf731 user: johnfound tags: SkinNoCSS | |