Search results

  1. Kent

    Design issue Email verification is skipped when an account is flagged for spam

    For example, will get flagged as spam and the email verification for the account will be skipped, since it will be set for administrator approval. I noticed this because of a typo a user made when registering.
  2. Kent

    Fixed IPv6 ending in :: is incorrectly displayed

    An IPv6 address with :: at the end is incorrectly displayed as a single :. ex. 2a03:2880:2050:3ff1:: is displayed as 2a03:2880:2050:3ff1:.
  3. Kent

    Fixed Invalid UTF8 sequence in truncated message(?)

    Someone had the bright idea to make their "about" field a giant blob of stacking diacritics, which went over the hard-coded limit of 65535 characters. Stacking diacritics look like this, and can be posted fine when under the character limit...
  4. Kent

    Lack of interest Limit/throttle likes

    It's reasonable that someone may end up liking many posts quickly. It's not reasonable that someone may like 100 posts within a minute. Tested on XenForo 1.1.5 without any addons enabled. A reasonable throttle should be added to prevent something like... use warnings; use strict; use...
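
A sliding-window throttle of the kind the post asks for, as an added example (Python written for this page, not XenForo code). The limit of 20 likes per 60 seconds and the "user:1" key are assumed values chosen for the demonstration; the clock is injectable so the burst in the post can be simulated without sleeping.

```python
import time
from collections import defaultdict, deque


class SlidingWindowThrottle:
    """Allow at most `limit` events per key inside any rolling window of
    `window_seconds`. Timestamps of accepted events are kept per key and
    expired lazily on each check."""

    def __init__(self, limit: int, window_seconds: float, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock
        self._events = defaultdict(deque)  # key -> timestamps of accepted events

    def allow(self, key) -> bool:
        now = self.clock()
        q = self._events[key]
        while q and now - q[0] >= self.window:
            q.popleft()  # drop events that fell out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class FakeClock:
    """Deterministic clock for tests and simulations."""

    def __init__(self, start: float = 0.0):
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def simulate_burst(count: int, spacing: float, limit: int = 20, window: float = 60.0) -> int:
    """Return how many of `count` likes, `spacing` seconds apart, get through.
    Assumed policy: 20 likes per 60 s per user (a constructed limit)."""
    clock = FakeClock()
    throttle = SlidingWindowThrottle(limit, window, clock)
    accepted = 0
    for _ in range(count):
        if throttle.allow("user:1"):
            accepted += 1
        clock.advance(spacing)
    return accepted


if __name__ == "__main__":
    print("100 likes in 50 s:", simulate_burst(100, 0.5), "accepted")
    print("100 likes, one every 3 s:", simulate_burst(100, 3.0), "accepted")
```

The scripted burst from the post (100 likes inside a minute) is cut to the limit, while a human pace of one like every few seconds is never blocked, which is the distinction the post draws.
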
  5. Kent

    Fixed Passing param "_" as an array causes an error

    Example:[]=anything[]=anything Edit: On a side note, the autolinker doesn't like underscores. Similar errors occur in many places where an array isn't expected and wouldn't happen under normal use...
  6. Kent

    Fixed Addon actions not consistent with debug mode

    The links to edit, export, and create addons are only visible on the addon list when debug mode is enabled, but they can be accessed directly and still function without debug mode. The uninstall addon page links to the edit addon page, regardless of debug mode.
  7. Kent

    Better customer verification tokens

    The customer verification requires only a token and optionally a domain. It's up to whoever is asking for the token to keep it safe and check the domain by having a unique file uploaded. This may not always happen. If tokens are instead generated using a secret salt and a message they could...
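
The token scheme the post sketches, as an added example (Python written for this page; not the post's code and not XenForo's). The message bound under the MAC is customer id, domain and an expiry, so a token found on one host is useless for another and cannot be forged or extended without the secret. The secret, customer id, domain and timestamps are constructed values.

```python
import base64
import hashlib
import hmac
from typing import Tuple


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(secret: bytes, customer_id: str, domain: str, expires_at: int) -> str:
    """token = base64url(message) '.' base64url(HMAC-SHA256(secret, message)).
    The domain is lower-cased before it goes under the MAC so the later
    comparison is case-insensitive in a predictable way."""
    message = "%s|%s|%d" % (customer_id, domain.lower(), expires_at)
    mac = hmac.new(secret, message.encode("utf-8"), hashlib.sha256).digest()
    return _b64(message.encode("utf-8")) + "." + _b64(mac)


def verify_token(secret: bytes, token: str, presented_domain: str, now: int) -> Tuple[bool, str]:
    """Return (ok, customer_id) or (False, reason). The signature is checked
    first, in constant time, before any field of the message is trusted."""
    try:
        msg_part, mac_part = token.split(".")
        message = _unb64(msg_part)
        mac = _unb64(mac_part)
    except ValueError:
        return False, "malformed"
    expected = hmac.new(secret, message, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return False, "bad signature"
    try:
        customer_id, domain, expires_at = message.decode("utf-8").split("|")
        expires_at = int(expires_at)
    except ValueError:
        return False, "malformed"
    if expires_at < now:
        return False, "expired"
    if domain != presented_domain.lower():
        return False, "domain mismatch"
    return True, customer_id


if __name__ == "__main__":
    secret = b"constructed-secret-for-demo"  # in practice: random, stored server-side
    tok = make_token(secret, "cust-42", "Example.com", 1_700_000_000)
    print(tok)
    print(verify_token(secret, tok, "example.com", 1_699_999_000))
    print(verify_token(secret, tok, "other.example", 1_699_999_000))
```
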
  8. Kent

    Not planned Add reCaptcha keys to configuration

    To change the keys, you must edit library/XenForo/Captcha/ReCaptcha.php directly. It'd be nice if this could be changed in the admin settings instead, so it won't get overwritten with updates or marked as an invalid file. Doing so prevents a known attack with reCaptcha caused by using global...
  9. Kent

    Fixed Deleting own post gives permission error, still works

    Deleting my own post directly gives the error "You do not have permission to view this page or perform this action." But the delete does work: Using the inline delete works without an error.
  10. Kent

    Lack of interest Redirect after deleting post

    Deleting a post directly doesn't indicate the post was successfully deleted, it just reloads the delete post page which also doesn't indicate the post is already deleted. Example: Perhaps this could be considered a bug, since the inline delete...
  11. Kent

    Fixed Setting multiple nodes to "Private" causes unpredictable results, errors


    Reproduce: attempt to set multiple nodes to "Private" at the same time. This takes longer on servers with more content, so I wasn't able to reproduce it in a test environment without addons. The result was nodes that displayed as set to private in the admincp while actually being accessible by...
  12. Kent

    Fixed Web server filesize limit causes "undefined" error

    The uploader detects PHP's upload limit, but not the web server's limit. If the web server's file upload size limit is lower than XenForo's, it causes the uploader to just return an error "undefined." JS console produces this after a few upload progress updates: Uploaded 8060928/11290580...
  13. Kent

    Implemented Implement bcrypt and PBKDF2 for password storage

    XenForo currently uses sha256, or sha1 if that isn't available. Basically this: hash('sha256', hash('sha256', $password) . $salt); sha1(sha1($password) . $salt); These hashes aren't ideal for password storage because they are fast and can be cracked fast. I think XenForo should add support for...
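
An added example of the migration the post proposes (Python written for this page, not XenForo's implementation): the legacy double-SHA-256 scheme quoted in the post is kept only to verify old records, and a successful login transparently re-hashes the password with PBKDF2-HMAC-SHA256 (bcrypt is not in Python's standard library, so PBKDF2, which the post also names, is used). The record formats "sha256$salt$hex" and "pbkdf2_sha256$iterations$salt$hash" are assumptions for the demo; the iteration count follows current OWASP guidance.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 600_000  # OWASP (2023) recommendation for PBKDF2-HMAC-SHA256


def legacy_hash(password: str, salt: str) -> str:
    """Mirrors the PHP in the post: hash('sha256', hash('sha256', $password) . $salt),
    where hash() returns lowercase hex."""
    inner = hashlib.sha256(password.encode("utf-8")).hexdigest()
    return hashlib.sha256((inner + salt).encode("utf-8")).hexdigest()


def legacy_record(password: str, salt: str) -> str:
    return "sha256$" + salt + "$" + legacy_hash(password, salt)


def pbkdf2_record(password: str, iterations: int = PBKDF2_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify(record: str, password: str) -> bool:
    """Check a password against either record format with a constant-time compare."""
    algo, rest = record.split("$", 1)
    if algo == "sha256":
        salt, digest = rest.split("$")
        return hmac.compare_digest(legacy_hash(password, salt), digest)
    if algo == "pbkdf2_sha256":
        iterations, salt_b64, dk_b64 = rest.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 base64.b64decode(salt_b64), int(iterations), dklen=32)
        return hmac.compare_digest(dk, base64.b64decode(dk_b64))
    raise ValueError("unknown password hash scheme: %r" % algo)


def authenticate(record: str, password: str,
                 iterations: int = PBKDF2_ITERATIONS) -> Tuple[bool, Optional[str]]:
    """Return (ok, replacement_record). On a successful login against a legacy
    record the caller stores the replacement; otherwise it is None."""
    if not verify(record, password):
        return False, None
    if record.startswith("sha256$"):
        return True, pbkdf2_record(password, iterations)
    return True, None


if __name__ == "__main__":
    old = legacy_record("correct horse", "saltsalt")
    ok, upgraded = authenticate(old, "correct horse")
    print(ok, upgraded)
```

Cracking speed is the whole point: the legacy scheme costs two SHA-256 calls per guess, while each PBKDF2 guess costs 600,000 HMAC calls, so the same hardware tries several orders of magnitude fewer candidates per second.
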
  14. Kent

    Fixed Time limit password reset

    An unused password reset code can be used at any time so long as another password reset isn't requested. Sorry if a time limit is already implemented and I missed it. Reproduce: insert into xf_user_confirmation (`user_id`, `confirmation_type`, `confirmation_key`, `confirmation_date`)...
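
An added example of the time limit the post asks for (Python written for this page, not XenForo's code). The in-memory table only mirrors the four columns named in the post's INSERT, not the real schema; the one-hour lifetime is an assumed policy. Two further practitioner choices are built in: only a SHA-256 of the code is stored, so a database read does not yield usable reset links, and the row is deleted on use or on expiry so a code is single-use.

```python
import hashlib
import hmac
import secrets
import sqlite3

RESET_MAX_AGE = 3600  # assumed policy: a reset code is valid for one hour


def open_db() -> sqlite3.Connection:
    """In-memory table modelled on the columns named in the post (not the real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE xf_user_confirmation (
               user_id INTEGER NOT NULL,
               confirmation_type TEXT NOT NULL,
               confirmation_key TEXT NOT NULL,
               confirmation_date INTEGER NOT NULL,
               PRIMARY KEY (user_id, confirmation_type))"""
    )
    return conn


def _key_digest(key: str) -> str:
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def issue_reset(conn: sqlite3.Connection, user_id: int, now: int) -> str:
    """Create a fresh code, replacing any earlier one, and return the plaintext
    code to be e-mailed. Only its digest is stored."""
    key = secrets.token_urlsafe(32)
    conn.execute(
        "INSERT OR REPLACE INTO xf_user_confirmation VALUES (?, 'password', ?, ?)",
        (user_id, _key_digest(key), now),
    )
    conn.commit()
    return key


def consume_reset(conn: sqlite3.Connection, user_id: int, key: str, now: int,
                  max_age: int = RESET_MAX_AGE) -> bool:
    """Accept the code only if it matches, is younger than max_age seconds and
    has not been used. The row is removed on success and on expiry."""
    row = conn.execute(
        "SELECT confirmation_key, confirmation_date FROM xf_user_confirmation "
        "WHERE user_id = ? AND confirmation_type = 'password'",
        (user_id,),
    ).fetchone()
    if row is None:
        return False
    stored_digest, issued_at = row
    if not hmac.compare_digest(stored_digest, _key_digest(key)):
        return False
    conn.execute(
        "DELETE FROM xf_user_confirmation WHERE user_id = ? AND confirmation_type = 'password'",
        (user_id,),
    )
    conn.commit()
    return now - issued_at <= max_age


if __name__ == "__main__":
    db = open_db()
    code = issue_reset(db, 7, now=1000)
    print("fresh:", consume_reset(db, 7, code, now=1500))
    print("replay:", consume_reset(db, 7, code, now=1501))
```
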
  15. Kent

    Implemented Change Admin CP "password" input to not remember passwords

    Remembering passwords in the admin control panel causes them to be stored in plaintext on the computer. HTML5 has a new attribute for the input element called autocomplete, which tells the browser not to remember the entered value, and not to bring up previously remembered values, though it...
  16. Kent

    Implemented Censor "password" and "password_confirm" on login/register errors

    If a user is registering or logging in and a server error occurs during the request, the full state of the request gets sent to the error log, including the user's password. I believe this information should be censored in the log to protect user privacy and confidence in security. Censoring the...
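
One way to censor request state before it reaches the error log, as an added example (Python written for this page, not XenForo's implementation). The match is on key names, so "password" and "password_confirm" from the post are both caught, and the walk is recursive so nested structures such as a captured POST body or server variables are covered too. The key pattern and the sample request are constructed for the demo.

```python
import json
import re

# Key names whose values must never be logged. "password" also matches
# "password_confirm"; "token" catches CSRF and API tokens; "cookie" catches
# the session cookie in a captured request header block.
SENSITIVE_KEY = re.compile(r"password|passwd|secret|token|authorization|cookie", re.IGNORECASE)
CENSORED = "********"


def censor(value):
    """Return a copy of `value` with every sensitive key's value replaced.
    Dicts, lists and tuples are walked; everything else is returned as-is."""
    if isinstance(value, dict):
        return {
            k: (CENSORED if isinstance(k, str) and SENSITIVE_KEY.search(k) else censor(v))
            for k, v in value.items()
        }
    if isinstance(value, (list, tuple)):
        return [censor(v) for v in value]
    return value


def format_for_log(request_state: dict) -> str:
    """Serialise the censored request state as it would be written to the log."""
    return json.dumps(censor(request_state), sort_keys=True, default=str)


if __name__ == "__main__":
    # Constructed sample of what a failed login request might carry.
    sample = {
        "_POST": {"login": "kent", "password": "hunter2", "password_confirm": "hunter2",
                  "_xfToken": "0123abcd"},
        "_SERVER": {"REQUEST_URI": "/login/login", "HTTP_COOKIE": "xf_session=deadbeef"},
    }
    print(format_for_log(sample))
```
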
  17. Kent

    Lack of interest "User Has Banned Email" notice option

    Currently I use the "banned emails" list to disallow all Microsoft emails, because they completely block our emails (doesn't even go to the spam inbox) so users will never get their confirmation email. This also means that many of our users who previously used Microsoft emails can no longer get...
  18. Kent

    Fixed Error log/JSON error

    Viewing an error log via AJAX causes a JSON error if the log contains certain unicode. Viewing the error directly by browsing works without error. This error occurred from someone scanning my websites for vulnerabilities, not from normal usage. \xC0\xAE and \xC0\xAF were used, which is a unicode...
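
An added example covering two of the UTF-8 reports above, item 3 (a hard byte limit cutting through a multi-byte sequence) and item 18 (invalid bytes from a scanner breaking JSON output). Python written for this page, not XenForo's code. \xC0\xAE is the overlong two-byte encoding of "." that path-traversal scanners send; a strict UTF-8 decoder rejects it, and a logger must escape it rather than pass the raw bytes into JSON. The 65535 limit from item 3 is used only as the sample budget.

```python
import json


def naive_truncate_fails(text: str, max_bytes: int) -> bool:
    """True if cutting the encoded text at a byte count and decoding would fail,
    which is the failure mode reported for the 65535-byte 'about' field."""
    try:
        text.encode("utf-8")[:max_bytes].decode("utf-8")
        return False
    except UnicodeDecodeError:
        return True


def truncate_utf8(text: str, max_bytes: int) -> str:
    """Cut `text` to at most `max_bytes` bytes of UTF-8 without splitting a code
    point. A byte of the form 10xxxxxx continues a sequence that began earlier,
    so the cut is moved back until it sits on a lead byte or an ASCII byte."""
    data = text.encode("utf-8")
    if len(data) <= max_bytes:
        return text
    cut = max_bytes
    while cut > 0 and (data[cut] & 0xC0) == 0x80:
        cut -= 1
    return data[:cut].decode("utf-8")


def is_valid_utf8(raw: bytes) -> bool:
    try:
        raw.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def log_safe_text(raw: bytes) -> str:
    """Decode request bytes for an error log that will later be serialised as
    JSON: invalid bytes such as \\xC0\\xAE become visible escapes instead of
    poisoning the encoder."""
    return raw.decode("utf-8", errors="backslashreplace")


def log_entry_json(raw_request_uri: bytes) -> str:
    return json.dumps({"request_uri": log_safe_text(raw_request_uri)})


if __name__ == "__main__":
    about = "a" + "\u0301" * 40000          # constructed stacking-diacritic blob
    kept = truncate_utf8(about, 65535)
    print(len(about.encode()), "->", len(kept.encode()), "bytes")
    print(log_entry_json(b"/admin.php?..\xc0\xae/..\xc0\xae/etc/passwd"))
```
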
  19. Kent

    Fixed css.php user variable checking

    css.php doesn't check user variables' data types, so passing an array for example will cause a (harmless) error. This shouldn't happen under normal usage, and doesn't appear to have any potential security concern so long as the error is caught, however, some functions may return unexpected...
  20. Kent

    Fixed Template "revert" and "delete" wording inconsistent

    Using the template search returns a list with a red X on the right. The hover text on this X is "Delete..." which is a bit confusing, since viewing modified templates from /admin.php?styles/default-style.1/templates has "Revert the customizations to this template" as the hover text, and...