Protector Tweaks

htdocs/xoops_lib/modules/protector/admin/advisory.php

@@ -52,6 +52,22 @@
 }
 echo "</b><br><br></dl>\n";
 
+// register_long_arrays -- enabling deprecated feature opens potential attack surface
+// This option was removed in PHP 5.4, and is no longer supported in XOOPS.
+// Any code still using the the long arrays ($HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_COOKIE_VARS)
+// should be considered "suspect."
+if (version_compare(PHP_VERSION, '5.4.0', '<')) {
+    echo "<dl><dt>'register_long_arrays' : ";
+    $safe = !ini_get('register_long_arrays');
+    if ($safe) {
+        echo "off &nbsp; <span style='color:green;font-weight:bold;'>OK</span></dt>\n";
+    } else {
+        echo "on  &nbsp; <span style='color:red;font-weight:bold;'>" . _AM_ADV_NOTSECURE . "</span></dt>\n";
+        echo '<dd>' . 'register_long_arrays deprecated/removed' . '</dd>';
+    }
+    echo "</b><br><br></dl>\n";
+}
+
 // session.use_trans_sid
 echo "<dl><dt>'session.use_trans_sid' : ";
 $safe = !ini_get('session.use_trans_sid');

htdocs/xoops_lib/modules/protector/admin/center.php

@@ -127,6 +127,7 @@
 
 // title
 echo "<h3 style='text-align:left;'>" . $xoopsModule->name() . "</h3>\n";
+echo '<style>td.log_description {width: 80em; display: inline-block; word-wrap: break-word; white-space: pre-line;}</style>';
 
 // configs writable check
 if (!is_writable(dirname(__DIR__) . '/configs')) {
@@ -219,11 +220,19 @@
 $oddeven = 'odd';
 while (list($lid, $uid, $ip, $agent, $type, $description, $timestamp, $uname) = $db->fetchRow($prs)) {
     $oddeven = ($oddeven === 'odd' ? 'even' : 'odd');
+    $style = '';
 
-    $ip          = htmlspecialchars($ip, ENT_QUOTES);
-    $type        = htmlspecialchars($type, ENT_QUOTES);
+    $ip = htmlspecialchars($ip, ENT_QUOTES);
+    $type = htmlspecialchars($type, ENT_QUOTES);
+    if ('{"' == substr($description, 0, 2)) {
+        $temp = json_decode($description);
+        if (is_object($temp)) {
+            $description = json_encode($temp, JSON_PRETTY_PRINT|JSON_UNESCAPED_UNICODE);
+            $style = ' log_description';
+        }
+    }
     $description = htmlspecialchars($description, ENT_QUOTES);
-    $uname       = htmlspecialchars(($uid ? $uname : _GUESTS), ENT_QUOTES);
+    $uname = htmlspecialchars(($uid ? $uname : _GUESTS), ENT_QUOTES);
 
     // make agents shorter
     if (preg_match('/MSIE\s+([0-9.]+)/', $agent, $regs)) {
@@ -243,7 +252,7 @@
     <td class='$oddeven'>$uname</td>
     <td class='$oddeven'>$ip<br>$agent_desc</td>
     <td class='$oddeven'>$type</td>
-    <td class='$oddeven' width='100%'>$description</td>
+    <td class='{$oddeven}{$style}'>$description</td>
   </tr>\n";
 }
 

htdocs/xoops_lib/modules/protector/filters_disabled/postcommon_post_language_match.php

@@ -59,7 +59,7 @@ class protector_postcommon_post_language_match extends ProtectorFilterAbstract
     protected $minLength = 15;
 
     /** @var string[] script names we do NOT want to process */
-    protected $skipThese = array('edituser.php', 'register.php', 'search.php');
+    protected $skipThese = array('edituser.php', 'register.php', 'search.php', 'user.php', 'lostpass.php');
 
     // map regex compatible unicode script range to a XOOPS language name
     // http://php.net/manual/en/regexp.reference.unicode.php
@@ -175,17 +175,19 @@ public function execute()
         if ($percent > $this->maximumTolerance) {
             $report = array(
                 'score' => $percent,
+                'uri' => $_SERVER['REQUEST_URI'],
                 'post' => $_POST,
             );
             $this->protector->message = json_encode($report);
             $this->protector->output_log('SPAM Language Map', $uid);
             if ($uid > 0 && $percent > (2.0 * $this->maximumTolerance)) {
                 $this->protector->deactivateCurrentUser();
+                $this->protector->_should_be_banned_time0 = true;
             } else {
                 $this->protector->purgeNoExit();
             }
             // write any message as you like
-            echo 'Your post has been denied by the language filter. '
+            echo 'Your post has been denied. '
                 . 'If you feel this is in error, please contact the site administrator.';
             exit;
         }