Reply #1 on: 05 August 2012, 13:45:46
Hello Torsten,
I'm no longer sure whether I took it over like that back then.
A comparison with the current SP1d + the last "security fix" does show differences, though!
The date on my inc/ also already shows a revision, but it does not match the one from 2011.
Here is my existing one:
<?php
/* -----------------------------------------------------------------------------------------
   $Id: xtc_validate_email.inc.php 2085 2011-08-03 15:25:38Z web28 $

   modified eCommerce Shopsoftware - community made shopping
   http://www.modified eCommerce Shopsoftware.org
   Copyright (c) 2010 modified eCommerce Shopsoftware
   -----------------------------------------------------------------------------------------
   based on:
   (c) 2000-2001 The Exchange Project (earlier name of osCommerce)
   (c) 2002-2003 osCommerce(validations.php,v 1.11 2003/02/11); www.oscommerce.com
   (c) 2003 nextcommerce (xtc_validate_email.inc.php,v 1.5 2003/08/14); www.nextcommerce.org
   (c) 2003 XT-Commerce (xtc_validate_email.inc.php 899 2005-04-29)
   (c) 2010 osCommerce (validations.php)

   Released under the GNU General Public License
   ---------------------------------------------------------------------------------------*/

////////////////////////////////////////////////////////////////////////////////////////////////
//
// Function    : xtc_validate_email
//
// Arguments   : email   email address to be checked
//
// Return      : true  - valid email address
//               false - invalid email address
//
// Description : function for validating email address that conforms to RFC 822 specs
//
//               This function will first attempt to validate the Email address using the filter
//               extension for performance. If this extension is not available it will
//               fall back to a regex based validator which doesn't validate all RFC822
//               addresses but catches 99.9% of them. The regex is based on the code found at
//               http://www.regular-expressions.info/email.html
//
//               Optional validation for validating the domain name is also valid is supplied
//               and can be enabled using the administration tool.
//
// Sample Valid Addresses:
//
//    first.last@host.com
//    firstlast@host.to
//    first-last@host.com
//    first_last@host.com
//
// Invalid Addresses:
//
//    first last@host.com
//    first@last@host.com
//
////////////////////////////////////////////////////////////////////////////////////////////////

function xtc_validate_email($email) {
  //BOF - web28 - 2011-07-31 - SQL nullbyte injection fix 16.02.2011
  // Reject any embedded null byte before validating. The four spellings are
  // redundant: "\0", "\x00" and "\000" are the same byte, and "\u0000" is not an
  // escape sequence in PHP at all (it stays the literal six characters), so the
  // first check already covers the case on its own.
  if (strpos($email, "\0") !== false) { return false; }
  if (strpos($email, "\x00") !== false) { return false; }
  if (strpos($email, "\u0000") !== false) { return false; }
  if (strpos($email, "\000") !== false) { return false; }
  //EOF - web28 - 2011-07-31 - SQL nullbyte injection fix 16.02.2011

  $email = trim($email);
  $valid_address = false;

  if (strlen($email) > 255) {
    $valid_address = false;
  } else {
    // Effectively dead: the regex below rejects a second '@' itself, and its
    // result overwrites $valid_address anyway.
    if (substr_count($email, '@') > 1) {
      $valid_address = false;
    }
    //web28 - 2011-07-28 - new $regex see http://www.regular-expressions.info/email.html
    $regex = "/^[a-z0-9!#$%&'*+\/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+\/=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+(?:[A-Z]{2}|com|org|net|edu|gov|mil|biz|info|mobi|name|aero|asia|jobs|museum)$/i";
    $valid_address = preg_match($regex, $email);
  }

  // Optional DNS check (MX or A record for the domain part), switched on in the admin tool
  if ($valid_address && ENTRY_EMAIL_ADDRESS_CHECK == 'true') {
    $domain = explode('@', $email);
    if (!checkdnsrr($domain[1], "MX") && !checkdnsrr($domain[1], "A")) {
      $valid_address = false;
    }
  }
  return $valid_address;
}
?>
and the one from the fix:
<?php
/* -----------------------------------------------------------------------------------------
   $Id: xtc_validate_email.inc.php 899 2005-04-29 02:40:57Z hhgag $

   XT-Commerce - community made shopping
   http://www.(( We do not tolerate commercial advertising links - please observe the forum rules ))
   Copyright (c) 2003 XT-Commerce
   -----------------------------------------------------------------------------------------
   based on:
   (c) 2000-2001 The Exchange Project (earlier name of osCommerce)
   (c) 2002-2003 osCommerce(validations.php,v 1.11 2003/02/11); www.oscommerce.com
   (c) 2003 nextcommerce (xtc_validate_email.inc.php,v 1.5 2003/08/14); www.nextcommerce.org

   Released under the GNU General Public License
   ---------------------------------------------------------------------------------------*/

////////////////////////////////////////////////////////////////////////////////////////////////
//
// Function    : xtc_validate_email
//
// Arguments   : email   email address to be checked
//
// Return      : true  - valid email address
//               false - invalid email address
//
// Description : function for validating email address that conforms to RFC 822 specs
//
//               This function is converted from a JavaScript written by
//               Sandeep V. Tamhankar (stamhankar@hotmail.com). The original JavaScript
//               is available at http://javascript.internet.com
//
// Sample Valid Addresses:
//
//    first.last@host.com
//    firstlast@host.to
//    "first last"@host.com
//    "first@last"@host.com
//    first-last@host.com
//    first.last@[123.123.123.123]
//
// Invalid Addresses:
//
//    first last@host.com
//
////////////////////////////////////////////////////////////////////////////////////////////////

function xtc_validate_email($email) {
  //Security Fix 2011-02-23
  // A null byte is never part of a valid address; reject it before any pattern
  // work so that no later consumer sees a string that was truncated at "\0".
  if (strpos($email, "\0") !== false) { return false; }

  $valid_address = true;

  $mail_pat = '^(.+)@(.+)$';
  $valid_chars = "[^] \(\)<>@,;:\.\\\"\[]";
  $atom = "$valid_chars+";
  $quoted_user = '(\"[^\"]*\")';
  $word = "($atom|$quoted_user)";
  $user_pat = "^$word(\.$word)*$";
  $ip_domain_pat = '^\[([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\]$';
  $domain_pat = "^$atom(\.$atom)*$";

  if (preg_match('/'.$mail_pat.'/i', $email, $components)) { // Hetfield - 2009-08-19 - replaced deprecated function eregi with preg_match to be ready for PHP >= 5.3
    $user = $components[1];
    $domain = $components[2];
    // validate user
    if (preg_match('/'.$user_pat.'/i', $user)) { // Hetfield - 2009-08-19 - replaced deprecated function eregi with preg_match to be ready for PHP >= 5.3
      // validate domain
      if (preg_match('/'.$ip_domain_pat.'/i', $domain, $ip_components)) { // Hetfield - 2009-08-19 - replaced deprecated function eregi with preg_match to be ready for PHP >= 5.3
        // this is an IP address
        for ($i = 1; $i <= 4; $i++) {
          if ($ip_components[$i] > 255) {
            $valid_address = false;
            break;
          }
        }
      } else {
        // Domain is a name, not an IP
        if (preg_match('/'.$domain_pat.'/i', $domain)) { // Hetfield - 2009-08-19 - replaced deprecated function eregi with preg_match to be ready for PHP >= 5.3
          /* domain name seems valid, but now make sure that it ends in a valid TLD or ccTLD
             and that there's a hostname preceding the domain or country. */
          $domain_components = explode(".", $domain);
          // Make sure there's a host name preceding the domain.
          if (sizeof($domain_components) < 2) {
            $valid_address = false;
          } else {
            $top_level_domain = strtolower($domain_components[sizeof($domain_components)-1]);
            // Allow all 2-letter TLDs (ccTLDs)
            if (preg_match('/^[a-z][a-z]$/i', $top_level_domain) != 1) { // Hetfield - 2009-08-19 - replaced deprecated function eregi with preg_match to be ready for PHP >= 5.3
              $tld_pattern = '';
              // Get authorized TLDs from text file
              $tlds = file(DIR_FS_INC.'tld.txt');
              // foreach replaces the original "while (list(,$line) = each($tlds))":
              // each() is deprecated since PHP 7.2 and removed in PHP 8.
              foreach ($tlds as $line) {
                // Get rid of comments
                $words = explode('#', $line);
                $tld = trim($words[0]);
                // TLDs should be 3 letters or more
                if (preg_match('/^[a-z]{3,}$/i', $tld) == 1) { // Hetfield - 2009-08-19 - replaced deprecated function eregi with preg_match to be ready for PHP >= 5.3
                  $tld_pattern .= '^' . $tld . '$|';
                }
              }
              // Remove last '|'
              // Caveat: if tld.txt is missing or yields no usable entry, $tld_pattern
              // is empty and '//i' matches any TLD, i.e. the check silently passes.
              $tld_pattern = substr($tld_pattern, 0, -1);
              if (preg_match('/'.$tld_pattern.'/i', $top_level_domain) == 0) { // Hetfield - 2009-08-19 - replaced deprecated function eregi with preg_match to be ready for PHP >= 5.3
                $valid_address = false;
              }
            }
          }
        } else {
          $valid_address = false;
        }
      }
    } else {
      $valid_address = false;
    }
  } else {
    $valid_address = false;
  }

  if ($valid_address && ENTRY_EMAIL_ADDRESS_CHECK == 'true') {
    if (!checkdnsrr($domain, "MX") && !checkdnsrr($domain, "A")) {
      $valid_address = false;
    }
  }
  return $valid_address;
}
?>
and password_double_opt
from about line 90 (from the fix):
//Security Fix 2011-02-23
// $check_customer comes back from the database unescaped, so the stored address
// must be run through xtc_db_input() before it is placed in a new query.
xtc_db_query("update ".TABLE_CUSTOMERS." set customers_password = '".$crypted_password."' where customers_email_address = '".xtc_db_input($check_customer['customers_email_address'])."'");
//xtc_db_query("update ".TABLE_CUSTOMERS." set customers_password = '".$crypted_password."' where customers_email_address = '".$check_customer['customers_email_address']."'");
xtc_db_query("update ".TABLE_CUSTOMERS." set password_request_key = '' where customers_id = '".$check_customer['customers_id']."'");
// assign language to template for caching
and mine:
xtc_db_query("update ".TABLE_CUSTOMERS." set customers_password = '".$crypted_password."' where customers_email_address = '".$check_customer['customers_email_address']."'");
xtc_db_query("update ".TABLE_CUSTOMERS." set password_request_key = '' where customers_id = '".$check_customer['customers_id']."'");
// assign language to template for caching
Before I build an old fix in here (after all those updates), I thought maybe that is just how it is now and the fix is no longer necessary.
A few clarifying words would be nice.
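As an added example (not code from the shop or from this thread): why the xtc_db_input() call in the 2011-02-23 fix matters. The validator's regex, taken from the posted web28 version, accepts ' = and - in the local part because RFC 5322 does. An address built from those characters is stored at registration, later read back from the customers table, and in the pre-fix UPDATE concatenated into SQL verbatim; the attacker's own row is escaped on the way in, but the value read back is raw. The script assumes PHP with pdo_sqlite; the table, the two sample customers, the attacker address and the hash values are constructed, and PDO::quote() stands in for xtc_db_input() (SQLite doubles quotes where the MySQL driver would backslash them).

```php
<?php
// Added example, not code from the shop or the forum thread.
// Second-order SQL injection through a stored e-mail address, and the two ways to close it.
declare(strict_types=1);

// The address regex of the posted web28 version, reduced to the checks that matter here.
function validate_email(string $email): bool
{
    if (strpos($email, "\0") !== false) {   // null-byte guard from the fix
        return false;
    }
    $email = trim($email);
    if (strlen($email) > 255) {
        return false;
    }
    $regex = "/^[a-z0-9!#$%&'*+\/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+\/=?^_`{|}~-]+)*"
           . "@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+"
           . "(?:[A-Z]{2}|com|org|net|edu|gov|mil|biz|info|mobi|name|aero|asia|jobs|museum)$/i";
    return preg_match($regex, $email) === 1;
}

// Constructed stand-in for TABLE_CUSTOMERS: two honest customers with known hashes.
function fresh_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('create table customers (customers_id integer primary key,
                customers_email_address text, customers_password text)');
    $pdo->exec("insert into customers (customers_email_address, customers_password)
                values ('alice@example.com', 'hash-alice'), ('bob@example.com', 'hash-bob')");
    return $pdo;
}

// Addresses whose password the UPDATE actually changed.
function changed_rows(PDO $pdo): array
{
    return $pdo->query("select customers_email_address from customers
                        where customers_password = 'hash-new'")->fetchAll(PDO::FETCH_COLUMN);
}

// 1) The pre-fix statement: the stored address is concatenated into the SQL verbatim.
function reset_password_unescaped(PDO $pdo, string $email, string $hash): array
{
    $pdo->exec("update customers set customers_password = '$hash'"
             . " where customers_email_address = '" . $email . "'");
    return changed_rows($pdo);
}

// 2) The fix as posted: escape the address for the driver. xtc_db_input() does this in
//    the shop; PDO::quote() is the stand-in here and already adds the surrounding quotes.
function reset_password_escaped(PDO $pdo, string $email, string $hash): array
{
    $pdo->exec("update customers set customers_password = '$hash'"
             . " where customers_email_address = " . $pdo->quote($email));
    return changed_rows($pdo);
}

// 3) The stronger form: a prepared statement, no SQL string building at all.
function reset_password_prepared(PDO $pdo, string $email, string $hash): array
{
    $stmt = $pdo->prepare('update customers set customers_password = ?
                           where customers_email_address = ?');
    $stmt->execute([$hash, $email]);
    return changed_rows($pdo);
}

// Constructed attacker address. RFC 5322 permits ' = - in the local part, so the validator
// accepts it; "--" opens an SQL comment in SQLite (MySQL would take "#", also permitted).
$evil = "x'or''=''--@example.com";
printf("validator accepts %s: %s\n", $evil, validate_email($evil) ? 'yes' : 'no');

// Register the attacker (escaped, as any sane INSERT would be), then run each UPDATE
// the way password_double_opt.php does for a password reset on that address.
foreach (['unescaped', 'escaped', 'prepared'] as $variant) {
    $pdo = fresh_db();
    $pdo->prepare('insert into customers (customers_email_address, customers_password) values (?, ?)')
        ->execute([$evil, 'hash-evil']);
    $fn = 'reset_password_' . $variant;
    printf("%-9s -> passwords reset for: %s\n", $variant, implode(', ', $fn($pdo, $evil, 'hash-new')));
}
```

Run with `php second_order.php`. The unescaped variant rewrites every customer's password, because the WHERE clause degenerates to `customers_email_address = 'x' or '' = ''` with the rest of the statement commented out; the escaped and prepared variants touch only the attacker's own row. The nullbyte checks in xtc_validate_email.inc.php are a separate guard for the same class of problem (a string that one layer sees truncated and another sees whole), which is why both files were touched by the same fix.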