MyBB 1.8.22

admin/modules/config/plugins.php

@@ -67,7 +67,7 @@
 	// Convert to mods site version codes
 	$search_version = ($major_version_code/100).'x';
 
-	$contents = fetch_remote_file("https://community.mybb.com/xmlbrowse.php?type=plugins&version={$search_version}{$keywords}{$url_page}", $post_data);
+	$contents = fetch_remote_file("https://community.mybb.com/xmlbrowse.php?api=2&type=plugins&version={$search_version}{$keywords}{$url_page}", $post_data);
 
 	if(!$contents)
 	{
@@ -107,14 +107,12 @@
 		{
 			$result['name']['value'] = htmlspecialchars_uni($result['name']['value']);
 			$result['description']['value'] = htmlspecialchars_uni($result['description']['value']);
-			$result['author']['value'] = $post_parser->parse_message($result['author']['value'], array(
-					'allow_html' => true
-				)
-			);
+			$result['author']['url']['value'] = htmlspecialchars_uni($result['author']['url']['value']);
+			$result['author']['name']['value'] = htmlspecialchars_uni($result['author']['name']['value']);
 			$result['version']['value'] = htmlspecialchars_uni($result['version']['value']);
 			$result['download_url']['value'] = htmlspecialchars_uni(html_entity_decode($result['download_url']['value']));
 
-			$table->construct_cell("<strong>{$result['name']['value']}</strong><br /><small>{$result['description']['value']}</small><br /><i><small>{$lang->created_by} {$result['author']['value']}</small></i>");
+			$table->construct_cell("<strong>{$result['name']['value']}</strong><br /><small>{$result['description']['value']}</small><br /><i><small>{$lang->created_by} <a href=\"{$result['author']['url']['value']}\" target=\"_blank\" rel=\"noopener\">{$result['author']['name']['value']}</a></small></i>");
 			$table->construct_cell($result['version']['value'], array("class" => "align_center"));
 			$table->construct_cell("<strong><a href=\"https://community.mybb.com/{$result['download_url']['value']}\" target=\"_blank\" rel=\"noopener\">{$lang->download}</a></strong>", array("class" => "align_center"));
 			$table->construct_row();

admin/modules/config/settings.php

@@ -1041,12 +1041,21 @@
 			}
 		}
 
+		// reject dangerous/unsupported upload paths
 		$fields = array(
 			'uploadspath',
 			'cdnpath',
 			'avataruploadpath',
 		);
-
+
+		$dynamic_include_directories = array(
+			MYBB_ROOT.'cache/',
+			MYBB_ROOT.'inc/plugins/',
+			MYBB_ROOT.'inc/languages/',
+			MYBB_ROOT.'inc/tasks/',
+		);
+		$dynamic_include_directories_realpath = array_map('realpath', $dynamic_include_directories);
+
 		foreach($fields as $field)
 		{
 			if(
@@ -1055,9 +1064,27 @@
 				strpos($mybb->input['upsetting'][$field], '://') !== false)
 			{
 				unset($mybb->input['upsetting'][$field]);
+				continue;
+			}
+
+			$realpath = realpath(MYBB_ROOT.$mybb->input['upsetting'][$field]);
+
+			if ($realpath === false) {
+				unset($mybb->input['upsetting'][$field]);
+				continue;
+			}
+
+			foreach ($dynamic_include_directories_realpath as $forbidden_realpath)
+			{
+				if ($realpath === $forbidden_realpath || strpos($realpath, $forbidden_realpath.DIRECTORY_SEPARATOR) === 0)
+				{
+					unset($mybb->input['upsetting'][$field]);
+					continue 2;
+				}
 			}
 		}
 
+
 		if(is_array($mybb->input['upsetting']))
 		{
 			foreach($mybb->input['upsetting'] as $name => $value)

admin/modules/home/index.php

@@ -105,42 +105,28 @@
 
 		foreach($feed_parser->items as $item)
 		{
-			$description = $item['description'];
-			$content = $item['content'];
-
-			$description = $post_parser->parse_message($description, array(
-					'allow_html' => true,
-				)
-			);
-
-			$content = $post_parser->parse_message($content, array(
-					'allow_html' => true,
-				)
-			);
-
-			$description = preg_replace('#<img(.*)/>#', '', $description);
-			$content = preg_replace('#<img(.*)/>#', '', $content);
-
 			if(!isset($updated_cache['news'][2]))
 			{
 				$updated_cache['news'][] = array(
-					'title' => htmlspecialchars_uni($item['title']),
-					'description' => $description,
-					'link' => htmlspecialchars_uni($item['link']),
-					'author' => htmlspecialchars_uni($item['author']),
+					'title' => $item['title'],
+					'description' => $item['description'],
+					'link' => $item['link'],
+					'author' => $item['author'],
 					'dateline' => $item['date_timestamp'],
 				);
 			}
 
 			$stamp = '';
 			if($item['date_timestamp'])
 			{
-				$stamp = my_date('relative', $item['date_timestamp']);
+				$stamp = my_date('relative', (int)$item['date_timestamp']);
 			}
 
 			$link = htmlspecialchars_uni($item['link']);
+			$title = htmlspecialchars_uni($item['title']);
+			$description = htmlspecialchars_uni(strip_tags($item['description']));
 
-			$table->construct_cell("<span style=\"font-size: 16px;\"><strong>".htmlspecialchars_uni($item['title'])."</strong></span><br /><br />{$content}<strong><span style=\"float: right;\">{$stamp}</span><br /><br /><a href=\"{$link}\" target=\"_blank\" rel=\"noopener\">&raquo; {$lang->read_more}</a></strong>");
+			$table->construct_cell("<span style=\"font-size: 16px;\"><strong>{$title}</strong></span><br /><br />{$description}<strong><span style=\"float: right;\">{$stamp}</span><br /><br /><a href=\"{$link}\" target=\"_blank\" rel=\"noopener\">&raquo; {$lang->read_more}</a></strong>");
 			$table->construct_row();
 		}
 	}
@@ -356,11 +342,15 @@
 	{
 		foreach($update_check['news'] as $news_item)
 		{
-			$posted = my_date('relative', $news_item['dateline']);
-			$table->construct_cell("<strong><a href=\"{$news_item['link']}\" target=\"_blank\" rel=\"noopener\">{$news_item['title']}</a></strong><br /><span class=\"smalltext\">{$posted}</span>");
+			$posted = my_date('relative', (int)$news_item['dateline']);
+			$link = htmlspecialchars_uni($news_item['link']);
+			$title = htmlspecialchars_uni($news_item['title']);
+			$description = htmlspecialchars_uni(strip_tags($news_item['description']));
+
+			$table->construct_cell("<strong><a href=\"{$link}\" target=\"_blank\" rel=\"noopener\">{$title}</a></strong><br /><span class=\"smalltext\">{$posted}</span>");
 			$table->construct_row();
 
-			$table->construct_cell($news_item['description']);
+			$table->construct_cell($description);
 			$table->construct_row();
 		}
 	}

admin/modules/style/themes.php

@@ -168,7 +168,7 @@
 	// Convert to mods site version codes
 	$search_version = ($major_version_code/100).'x';
 
-	$contents = fetch_remote_file("https://community.mybb.com/xmlbrowse.php?type=themes&version={$search_version}{$keywords}{$url_page}", $post_data);
+	$contents = fetch_remote_file("https://community.mybb.com/xmlbrowse.php?api=2&type=themes&version={$search_version}{$keywords}{$url_page}", $post_data);
 
 	if(!$contents)
 	{
@@ -208,14 +208,12 @@
 			$result['thumbnail']['value'] = htmlspecialchars_uni($result['thumbnail']['value']);
 			$result['name']['value'] = htmlspecialchars_uni($result['name']['value']);
 			$result['description']['value'] = htmlspecialchars_uni($result['description']['value']);
-			$result['author']['value'] = $post_parser->parse_message($result['author']['value'], array(
-					'allow_html' => true
-				)
-			);
+			$result['author']['url']['value'] = htmlspecialchars_uni($result['author']['url']['value']);
+			$result['author']['name']['value'] = htmlspecialchars_uni($result['author']['name']['value']);
 			$result['download_url']['value'] = htmlspecialchars_uni(html_entity_decode($result['download_url']['value']));
 
 			$table->construct_cell("<img src=\"https://community.mybb.com/{$result['thumbnail']['value']}\" alt=\"{$lang->theme_thumbnail}\" title=\"{$lang->theme_thumbnail}\"/>", array("class" => "align_center", "width" => 100));
-			$table->construct_cell("<strong>{$result['name']['value']}</strong><br /><small>{$result['description']['value']}</small><br /><i><small>{$lang->created_by} {$result['author']['value']}</small></i>");
+			$table->construct_cell("<strong>{$result['name']['value']}</strong><br /><small>{$result['description']['value']}</small><br /><i><small>{$lang->created_by} <a href=\"{$result['author']['url']['value']}\" target=\"_blank\" rel=\"noopener\">{$result['author']['name']['value']}</a></small></i>");
 			$table->construct_cell("<strong><a href=\"https://community.mybb.com/{$result['download_url']['value']}\" target=\"_blank\" rel=\"noopener\">{$lang->download}</a></strong>", array("class" => "align_center"));
 			$table->construct_row();
 		}

admin/modules/user/users.php

@@ -929,7 +929,7 @@
 	$page->extra_header .= <<<EOF
 
 	<link rel="stylesheet" href="../jscripts/sceditor/themes/mybb.css" type="text/css" media="all" />
-	<script type="text/javascript" src="../jscripts/sceditor/jquery.sceditor.bbcode.min.js?ver=1805"></script>
+	<script type="text/javascript" src="../jscripts/sceditor/jquery.sceditor.bbcode.min.js?ver=1822"></script>
 	<script type="text/javascript" src="../jscripts/bbcodes_sceditor.js?ver=1822"></script>
 	<script type="text/javascript" src="../jscripts/sceditor/plugins/undo.js?ver=1805"></script>
 EOF;

inc/functions.php

@@ -6561,6 +6561,8 @@ function rebuild_settings()
 	while($setting = $db->fetch_array($query))
 	{
 		$mybb->settings[$setting['name']] = $setting['value'];
+
+		$setting['name'] = addcslashes($setting['name'], "\\'");
 		$setting['value'] = addcslashes($setting['value'], '\\"$');
 		$settings .= "\$settings['{$setting['name']}'] = \"{$setting['value']}\";\n";
 	}

inc/tasks/versioncheck.php

@@ -67,20 +67,11 @@ function task_versioncheck($task)
 				break;
 			}
 
-			$description = $item['description'];
-
-			$description = $post_parser->parse_message($description, array(
-					'allow_html' => true,
-				)
-			);
-
-			$description = preg_replace('#<img(.*)/>#', '', $description);
-
 			$updated_cache['news'][] = array(
-				'title' => htmlspecialchars_uni($item['title']),
-				'description' => $description,
-				'link' => htmlspecialchars_uni($item['link']),
-				'author' => htmlspecialchars_uni($item['author']),
+				'title' => $item['title'],
+				'description' => $item['description'],
+				'link' => $item['link'],
+				'author' => $item['author'],
 				'dateline' => $item['date_timestamp']
 			);
 		}

install/index.php

@@ -2513,7 +2513,8 @@ function write_settings()
 	$query = $db->simple_select('settings', '*', '', array('order_by' => 'title'));
 	while($setting = $db->fetch_array($query))
 	{
-		$setting['value'] = str_replace("\"", "\\\"", $setting['value']);
+		$setting['name'] = addcslashes($setting['name'], "\\'");
+		$setting['value'] = addcslashes($setting['value'], '\\"$');
 		$settings .= "\$settings['{$setting['name']}'] = \"{$setting['value']}\";\n";
 	}
 	if(!empty($settings))

install/resources/mybb_theme.xml

@@ -13960,7 +13960,7 @@ if(use_xmlhttprequest == "1")
 <td class="trow1">{$mybb->user['username']} <span class="smalltext">[<strong><a href="member.php?action=logout&amp;logoutkey={$mybb->user['logoutkey']}">{$lang->change_user}</a></strong>]</span></td>
 </tr>]]></template>
 		<template name="codebuttons" version="1822"><![CDATA[<link rel="stylesheet" href="{$mybb->asset_url}/jscripts/sceditor/themes/{$theme['editortheme']}" type="text/css" media="all" />
-<script type="text/javascript" src="{$mybb->asset_url}/jscripts/sceditor/jquery.sceditor.bbcode.min.js?ver=1821"></script>
+<script type="text/javascript" src="{$mybb->asset_url}/jscripts/sceditor/jquery.sceditor.bbcode.min.js?ver=1822"></script>
 <script type="text/javascript" src="{$mybb->asset_url}/jscripts/bbcodes_sceditor.js?ver=1822"></script>
 <script type="text/javascript" src="{$mybb->asset_url}/jscripts/sceditor/plugins/undo.js?ver=1821"></script>
 <script type="text/javascript">

install/upgrade.php

@@ -983,7 +983,8 @@ function sync_settings($redo=0)
 	$query = $db->simple_select("settings", "*", "", array('order_by' => 'title'));
 	while($setting = $db->fetch_array($query))
 	{
-		$setting['value'] = str_replace("\"", "\\\"", $setting['value']);
+		$setting['name'] = addcslashes($setting['name'], "\\'");
+		$setting['value'] = addcslashes($setting['value'], '\\"$');
 		$settings .= "\$settings['{$setting['name']}'] = \"".$setting['value']."\";\n";
 	}
 	$settings = "<?php\n/*********************************\ \n  DO NOT EDIT THIS FILE, PLEASE USE\n  THE SETTINGS EDITOR\n\*********************************/\n\n$settings\n";
@@ -1129,7 +1130,8 @@ function write_settings()
 	$query = $db->simple_select("settings", "*", "", array('order_by' => 'title'));
 	while($setting = $db->fetch_array($query))
 	{
-		$setting['value'] = $db->escape_string($setting['value']);
+		$setting['name'] = addcslashes($setting['name'], "\\'");
+		$setting['value'] = addcslashes($setting['value'], '\\"$');
 		$settings .= "\$settings['{$setting['name']}'] = \"{$setting['value']}\";\n";
 	}
 	if(!empty($settings))

member.php

@@ -1960,6 +1960,16 @@
 
 			$mybb->input['url'] = str_replace('&', '&', $mybb->input['url']);
 
+			if(my_strpos($mybb->input['url'], $mybb->settings['bburl'].'/') !== 0)
+			{
+				if(my_strpos($mybb->input['url'], '/') === 0)
+				{
+					$mybb->input['url'] = my_substr($mybb->input['url'], 1);
+				}
+				$url_segments = explode('/', $mybb->input['url']);
+				$mybb->input['url'] = $mybb->settings['bburl'].'/'.end($url_segments);
+			}
+
 			// Redirect to the URL if it is not member.php
 			redirect($mybb->input['url'], $lang->redirect_loggedin);
 		}

moderation.php

@@ -3203,7 +3203,7 @@
 					clearinline($mybb->get_input('searchid', MyBB::INPUT_INT), 'search');
 					$lang->redirect_customtool_search = $lang->sprintf($lang->redirect_customtool_search, $tool['name']);
 					$return_url = htmlspecialchars_uni($mybb->get_input('url'));
-					redirect($return_url, $lang->redirect_customtool_search);
+					moderation_redirect($return_url, $lang->redirect_customtool_search);
 				}
 				else
 				{
@@ -3281,7 +3281,7 @@
 					clearinline($mybb->get_input('searchid', MyBB::INPUT_INT), 'search');
 					$lang->redirect_customtool_search = $lang->sprintf($lang->redirect_customtool_search, $tool['name']);
 					$return_url = htmlspecialchars_uni($mybb->get_input('url'));
-					redirect($return_url, $lang->redirect_customtool_search);
+					moderation_redirect($return_url, $lang->redirect_customtool_search);
 				}
 				else
 				{
@@ -3530,7 +3530,18 @@ function moderation_redirect($url, $message="", $title="")
 	global $mybb;
 	if(!empty($mybb->input['url']))
 	{
-		redirect(htmlentities($mybb->input['url']), $message, $title);
+		$url = htmlentities($mybb->input['url']);
 	}
+
+	if(my_strpos($url, $mybb->settings['bburl'].'/') !== 0)
+	{
+		if(my_strpos($url, '/') === 0)
+		{
+			$url = my_substr($url, 1);
+		}
+		$url_segments = explode('/', $url);
+		$url = $mybb->settings['bburl'].'/'.end($url_segments);
+	}
+
 	redirect($url, $message, $title);
 }

usercp.php

@@ -58,6 +58,16 @@
 
 $server_http_referer = htmlentities($_SERVER['HTTP_REFERER']);
 
+if(my_strpos($server_http_referer, $mybb->settings['bburl'].'/') !== 0)
+{
+	if(my_strpos($server_http_referer, '/') === 0)
+	{
+		$server_http_referer = my_substr($server_http_referer, 1);
+	}
+	$url_segments = explode('/', $server_http_referer);
+	$server_http_referer = $mybb->settings['bburl'].'/'.end($url_segments);
+}
+
 $plugins->run_hooks("usercp_start");
 if($mybb->input['action'] == "do_editsig" && $mybb->request_method == "post")
 {
@@ -1955,7 +1965,19 @@
 
 	if($mybb->get_input('referrer'))
 	{
-		$url = htmlspecialchars_uni($mybb->get_input('referrer'));
+		$mybb->input['referrer'] = $mybb->get_input('referrer');
+
+		if(my_strpos($mybb->input['referrer'], $mybb->settings['bburl'].'/') !== 0)
+		{
+			if(my_strpos($mybb->input['referrer'], '/') === 0)
+			{
+				$mybb->input['referrer'] = my_substr($mybb->input['url'], 1);
+			}
+			$url_segments = explode('/', $mybb->input['referrer']);
+			$mybb->input['referrer'] = $mybb->settings['bburl'].'/'.end($url_segments);
+		}
+
+		$url = htmlspecialchars_uni($mybb->input['referrer']);
 	}
 	else
 	{