Merge pull request #3780 from Spuds/Fixes

Fixes

Author: Spuds

bootstrap.php

@@ -23,6 +23,7 @@
 use ElkArte\Helper\TokenHash;
 use ElkArte\Hooks;
 use ElkArte\MembersList;
+use ElkArte\Request;
 use ElkArte\Server;
 use ElkArte\Themes\ThemeLoader;
 use ElkArte\User;
@@ -446,7 +447,7 @@ public function ssi_main()
 		}
 
 		// We need to set up user agent, and make more checks on the request
-		$req = request();
+		$req = Request::instance();
 
 		// Make sure they didn't muss around with the settings... but only if it's not cli.
 		if (isset($_SERVER['REMOTE_ADDR']) && session_id() === '')

sources/ElkArte/Controller/Auth.php

@@ -24,6 +24,7 @@
 use ElkArte\Helper\Util;
 use ElkArte\Http\Headers;
 use ElkArte\Languages\Txt;
+use ElkArte\Request;
 use ElkArte\User;
 use ElkArte\UserSettingsLoader;
 
@@ -143,7 +144,7 @@ public function action_login2()
 		}
 
 		// Are you guessing with a script?
-		checkSession('post');
+		checkSession();
 		validateToken('login');
 		spamProtection('login');
 
@@ -234,7 +235,7 @@ public function action_login2()
 		$member_found = loadExistingMember($_POST['user']);
 		$db = database();
 		$cache = Cache::instance();
-		$req = request();
+		$req = Request::instance();
 
 		$user = new UserSettingsLoader($db, $cache, $req);
 		$user->loadUserById($member_found === false ? 0 : $member_found['id_member'], true, '');
@@ -377,10 +378,15 @@ private function _other_passwords($posted_password, $member_name, $passwrd, $pas
 		$pw_strlen = strlen($passwrd);
 
 		// Start off with none, that's safe
-		$other_passwords = array();
+		$other_passwords = [];
+
+		if (empty($modSettings['enable_password_conversion']))
+		{
+			return $other_passwords;
+		}
 
 		// None of the below cases will be used most of the time (because the salt is normally set.)
-		if (!empty($modSettings['enable_password_conversion']) && $password_salt === '')
+		if ($password_salt === '')
 		{
 			// YaBB SE, Discus, MD5 (used a lot), SHA-1 (used some), SMF 1.0.x, IkonBoard, and none at all.
 			$other_passwords[] = crypt($posted_password, substr($posted_password, 0, 2));
@@ -415,7 +421,7 @@ private function _other_passwords($posted_password, $member_name, $passwrd, $pas
 			$other_passwords[] = crypt($posted_password, $passwrd);
 		}
 		// The hash should be 40 if it's SHA-1, so we're safe with more here too.
-		elseif (!empty($modSettings['enable_password_conversion']) && $pw_strlen === 32)
+		elseif ($pw_strlen === 32)
 		{
 			// vBulletin 3 style hashing?  Let's welcome them with open arms \o/.
 			$other_passwords[] = md5(md5($posted_password) . stripslashes($password_salt));
@@ -460,7 +466,7 @@ private function _other_passwords($posted_password, $member_name, $passwrd, $pas
 			}
 		}
 		// SHA-256 will be 64 characters long, lets check some of these possibilities
-		elseif (!empty($modSettings['enable_password_conversion']) && $pw_strlen === 64)
+		elseif ($pw_strlen === 64)
 		{
 			// PHP-Fusion7
 			$other_passwords[] = hash_hmac('sha256', $posted_password, $password_salt);
@@ -782,7 +788,7 @@ function doLogin(UserSettingsLoader $user)
 	}
 
 	// You're one of us: need to know all about you now, IP, stuff.
-	$req = request();
+	$req = Request::instance();
 
 	// You've logged in, haven't you?
 	require_once(SUBSDIR . '/Members.subs.php');

sources/ElkArte/Controller/PersonalMessage.php

@@ -1181,13 +1181,13 @@ public function action_send2()
 		$bbc_parser = ParserWrapper::instance();
 
 		// Construct the list of recipients.
-		$recipientList = array();
-		$namedRecipientList = array();
-		$namesNotFound = array();
-		foreach (array('to', 'bcc') as $recipientType)
+		$recipientList = [];
+		$namedRecipientList = [];
+		$namesNotFound = [];
+		foreach (['to', 'bcc'] as $recipientType)
 		{
 			// First, let's see if there's user ID's given.
-			$recipientList[$recipientType] = array();
+			$recipientList[$recipientType] = [];
 			$type = 'recipient_' . $recipientType;
 			if (!empty($this->_req->post->{$type}) && is_array($this->_req->post->{$type}))
 			{
@@ -1216,7 +1216,7 @@ public function action_send2()
 					}
 				}
 
-				// Now see if we can resolve the entered name to an actual user
+				// Now see if we can resolve any entered name (not suggest selected) to an actual user
 				if (!empty($namedRecipientList[$recipientType]))
 				{
 					$foundMembers = findMembers($namedRecipientList[$recipientType]);

sources/ElkArte/Controller/Register.php

@@ -30,6 +30,7 @@
 use ElkArte\Languages\Txt;
 use ElkArte\PrivacyPolicy;
 use ElkArte\Profile\ProfileOptions;
+use ElkArte\Request;
 
 /**
  * It registers new members, and it allows the administrator moderate member registration
@@ -523,7 +524,7 @@ public function do_register()
 		}
 
 		// Registration needs to know your IP
-		$req = request();
+		$req = Request::instance();
 
 		$regOptions['ip'] = $this->user->ip;
 		$regOptions['ip2'] = $req->ban_ip();

sources/ElkArte/Errors/Errors.php

@@ -180,7 +180,7 @@ public function log_error($error_message, $error_type = 'general', $file = '', $
 		$query_string = $this->parseQueryString();
 
 		// Make sure the category that was specified is a valid one
-		$error_type = in_array($error_type, $this->getErrorTypes()) && $error_type !== true ? $error_type : 'general';
+		$error_type = in_array($error_type, $this->getErrorTypes(), true) && $error_type !== true ? $error_type : 'general';
 
 		// Insert the error into the database.
 		$this->insertLog($query_string, $error_message, $error_type, $file, $line);
@@ -254,7 +254,6 @@ protected function getErrorTypes()
 	 * @param string|bool $error_type
 	 * @param string $file
 	 * @param int $line
-	 * @throws \Exception
 	 */
 	private function insertLog($query_string, $error_message, $error_type, $file, $line)
 	{

sources/ElkArte/Languages/Login/English.php

@@ -21,7 +21,7 @@
 $txt['need_username'] = 'You need to fill in a username.';
 $txt['no_password'] = 'You didn\'t enter your password.';
 $txt['improper_password'] = 'The supplied password is too long.';
-$txt['incorrect_password'] = 'Password incorrect';
+$txt['incorrect_password'] = 'Incorrect Username or Password';
 $txt['maintain_mode'] = 'Maintenance Mode';
 $txt['registration_successful'] = 'Registration Successful';
 $txt['valid_email_needed'] = 'Please enter a valid email address, %1$s.';

sources/ElkArte/Mail/Mail.php

@@ -101,8 +101,8 @@ public function sendPHP($mail_to_array, $subject, $message, $headers, $message_i
 				// Keep our post via email log
 				if ($this->mailList)
 				{
-					$this->unqPBEHead[] = time();
-					$this->unqPBEHead[] = $sendTo;
+					$this->unqPBEHead[3] = time();
+					$this->unqPBEHead[4] = $sendTo;
 					$sent[] = $this->unqPBEHead;
 				}
 
@@ -240,8 +240,8 @@ public function SMTP($mail_to_array, $subject, $message, $headers, $message_id =
 			// Keep our post via email log
 			if ($this->mailList)
 			{
-				$this->unqPBEHead[] = time();
-				$this->unqPBEHead[] = $mail_to;
+				$this->unqPBEHead[3] = time();
+				$this->unqPBEHead[4] = $mail_to;
 				$sent[] = $this->unqPBEHead;
 			}
 

sources/ElkArte/Request.php

@@ -27,7 +27,7 @@
 final class Request
 {
 	/** @var Request Sole private Request instance */
-	private static $_req;
+	private static $_instance;
 
 	/** @var string Remote IP, if we can know it easily (as found in $_SERVER['REMOTE_ADDR']) */
 	private $_client_ip;
@@ -210,12 +210,12 @@ private function _getBanIP()
 	 */
 	public static function instance()
 	{
-		if (self::$_req === null)
+		if (self::$_instance === null)
 		{
-			self::$_req = new Request();
+			self::$_instance = new Request();
 		}
 
-		return self::$_req;
+		return self::$_instance;
 	}
 
 	/**

sources/ElkArte/SiteDispatcher.php

@@ -239,6 +239,7 @@ protected function determineAction()
 
 		// The file and function weren't found yet?  Then set a default!
 		$this->setDefaultActionAndControllerIfEmpty();
+
 		$this->handleApiCall();
 
 		// Ensure both the controller and action exist and are callable

sources/ElkArte/Themes/ThemeLoader.php

@@ -21,6 +21,7 @@
 use ElkArte\Helper\ValuesContainer;
 use ElkArte\Hooks;
 use ElkArte\Languages\Txt;
+use ElkArte\Request;
 use ElkArte\User;
 use ElkArte\UserInfo;
 
@@ -608,7 +609,7 @@ private function setupContext()
 		]);
 
 		// Just some mobile-friendly settings
-		if (strpos(request()->user_agent(), 'Mobi'))
+		if (strpos(Request::instance()->user_agent(), 'Mobi'))
 		{
 			// Disable the search dropdown.
 			$modSettings['search_dropdown'] = false;

sources/ElkArte/User.php

@@ -50,7 +50,7 @@ public static function load($compat_mode = false)
 		{
 			$db = database();
 			$cache = Cache::instance();
-			$req = request();
+			$req = Request::instance();
 
 			self::$instance = new UserSettingsLoader($db, $cache, $req);
 			$already_verified = self::loadFromIntegration();

sources/Logging.php

@@ -17,6 +17,7 @@
 use ElkArte\Cache\Cache;
 use ElkArte\Helper\FileFunctions;
 use ElkArte\Helper\Util;
+use ElkArte\Request;
 use ElkArte\User;
 
 /**
@@ -124,7 +125,7 @@ function writeLog($force = false)
 	if (ELK !== 'SSI' && !empty(User::$info->last_login) && User::$info->last_login < time() - 60)
 	{
 		// We log IPs the request came with, around here
-		$req = request();
+		$req = Request::instance();
 
 		// Don't count longer than 15 minutes.
 		if (time() - $_SESSION['timeOnlineUpdated'] > 60 * 15)

sources/Security.php

@@ -23,6 +23,7 @@
 use ElkArte\Helper\Util;
 use ElkArte\Http\Headers;
 use ElkArte\Languages\Txt;
+use ElkArte\Request;
 use ElkArte\User;
 
 /**
@@ -765,7 +766,7 @@ function checkSession($type = 'post', $from_action = '', $is_fatal = true)
 	global $modSettings, $boardurl;
 
 	// We'll work out user agent checks
-	$req = request();
+	$req = Request::instance();
 
 	// Is it in as $_POST['sc']?
 	if ($type === 'post')
@@ -927,7 +928,7 @@ function createToken($action, $type = 'post')
 	$token = $tokenizer->generate_hash(32);
 
 	// We need user agent and the client IP
-	$req = request();
+	$req = Request::instance();
 	$csrf_hash = hash('sha1', $token . $req->client_ip() . $req->user_agent());
 
 	// Save the session token and make it available to the forms
@@ -983,7 +984,7 @@ function validateToken($action, $type = 'post', $reset = true, $fatal = true)
 	}
 
 	// We need the user agent and client IP
-	$req = request();
+	$req = Request::instance();
 
 	// Shortcut
 	$passed_token_var = $GLOBALS['_' . strtoupper($type)][$_SESSION['token'][$token_index][0]] ?? null;
@@ -1943,7 +1944,7 @@ function validLoginUrl($url, $match_board = false)
 		return false;
 	}
 
-	if (substr($url, 0, 7) !== 'http://' && substr($url, 0, 8) !== 'https://')
+	if (strpos($url, 'http://') !== 0 && strpos($url, 'https://') !== 0)
 	{
 		return false;
 	}
@@ -1953,7 +1954,8 @@ function validLoginUrl($url, $match_board = false)
 
 	foreach ($invalid_strings as $invalid_string => $valid_match)
 	{
-		if (strpos($url, $invalid_string) !== false || ($match_board === true && !empty($valid_match) && preg_match($valid_match, $url) == 0))
+		if (strpos($url, $invalid_string) !== false
+			|| ($match_board === true && !empty($valid_match) && preg_match($valid_match, $url) !== 1))
 		{
 			return false;
 		}

sources/Subs.php

@@ -25,6 +25,7 @@
 use ElkArte\Http\Headers;
 use ElkArte\Languages\Loader;
 use ElkArte\Notifications\Notifications;
+use ElkArte\Request;
 use ElkArte\Search\Search;
 use ElkArte\UrlGenerator\UrlGenerator;
 use ElkArte\User;
@@ -684,7 +685,7 @@ function obExit($header = null, $do_footer = null, $from_index = false, $from_fa
 	}
 
 	// Need user agent
-	$req = request();
+	$req = Request::instance();
 
 	setOldUrl();
 
@@ -705,7 +706,7 @@ function obExit($header = null, $do_footer = null, $from_index = false, $from_fa
 }
 
 /**
- * Takes care of a few dynamic maintenance items Maintenance
+ * Takes care of a few dynamic maintenance items
  */
 function handleMaintenance()
 {
@@ -1617,7 +1618,7 @@ function createList($listOptions)
  */
 function request()
 {
-	return ElkArte\Request::instance();
+	return Request::instance();
 }
 
 /**

sources/subs/Admin.subs.php

@@ -18,6 +18,7 @@
 
 use ElkArte\Cache\Cache;
 use ElkArte\Languages\Txt;
+use ElkArte\Request;
 use ElkArte\User;
 
 /**
@@ -99,7 +100,7 @@ function getServerVersions($checkFor)
 	// Server info
 	if (in_array('server', $checkFor))
 	{
-		$req = request();
+		$req = Request::instance();
 		$versions['server_header'] = ['header' => $txt['admin_server_settings']];
 		$versions['server'] = ['title' => $txt['support_versions_server'], 'version' => $req->server_software()];
 

sources/subs/Auth.subs.php

@@ -18,6 +18,7 @@
 use ElkArte\Helper\TokenHash;
 use ElkArte\Helper\Util;
 use ElkArte\Languages\Txt;
+use ElkArte\Request;
 use ElkArte\User;
 
 /**
@@ -124,6 +125,10 @@ function setLoginCookie($cookie_length, $id, $password = '')
 
 		// Get a new session id, and load it with the data
 		session_regenerate_id();
+
+		// If we generated new session values, be sure to use them as well
+		$oldSessionData['session_value'] = $_SESSION['session_value'] ?? $oldSessionData['session_value'];
+		$oldSessionData['session_var'] = $_SESSION['session_var'] ?? $oldSessionData['session_var'];
 		$_SESSION = $oldSessionData;
 
 		$_SESSION['login_' . $cookiename] = $data;
@@ -212,7 +217,7 @@ function adminLogin($type = 'admin')
 	if (isset($_POST[$type . '_hash_pass']) || isset($_POST[$type . '_pass']))
 	{
 		// log some info along with it! referer, user agent
-		$req = request();
+		$req = Request::instance();
 		$txt['security_wrong'] = sprintf($txt['security_wrong'], $_SERVER['HTTP_REFERER'] ?? $txt['unknown'], $req->user_agent(), User::$info->ip);
 		\ElkArte\Errors\Errors::instance()->log_error($txt['security_wrong'], 'critical');