Search results

  1. Kent

    TaigaChat Pro - Realtime chat/shoutbox [Paid]

    Some shoutbox actions do not use CSRF tokens and can be triggered by linking to them via img tags or similar. One of my users informed me of this problem. Temporary fix, remove ban/delete permissions from all users/groups or 403 the actions via the webserver. If the viewing user has permission...
  2. Kent

    Design issue Email verification is skipped when an account is flagged for spam

    For example, will get flagged as spam and the email verification for the account will be skipped, since it will be set for administrator approval. I noticed this because of a typo a user made when registering.
  3. Kent

    Fixed IPv6 ending in :: is incorrectly displayed

    An IPv6 address with :: at the end is incorrectly displayed as a single :. ex. 2a03:2880:2050:3ff1:: is displayed as 2a03:2880:2050:3ff1:.
  4. Kent

    Fixed Default IP Information URL does not support IPv6

    It would be best to query the whois databases directly, rather than rely on an external service for whois information. I use host and whois for my needs. But, RIPE does have a pretty good API which searches the other databases as well...
  5. Kent

    XF 1.2 when ip banning users it shows wrong ip

    You must match against, since anyone can set that header. And if possible, this should be done by the webserver.
  6. Kent

    Fixed Invalid UTF8 sequence in truncated message(?)

    Someone had the bright idea to make their "about" field a giant blob of stacking diacritics, which went over the hard-coded limit of 65535 characters. Stacking diacritics look like this, and can be posted fine when under the character limit...
  7. Kent

    XF 1.2 Why would a promotion fail to be achieved when the limits have been met?

    Users that are marked as promoted in the log won't get doubly promoted, so if your cron was run before the promotion was properly configured this could be the cause. You can check the promotion log ( /admin.php?user-group-promotions/manage ) to see if the selected users are considered as having...
  8. Kent

    Lack of interest Find Users that match IPs with other users.

    Most users who register multiple accounts do so because they have forgotten about their old account or don't know how to operate the site. If you're worried about users registering new accounts for malicious purposes you should consider enabling admin approval of accounts. You can then check...
  9. Kent

    @Stuart Wright I believe the order there has always been wrong, same thing on XF 1.1.5.
  10. Kent

    TaigaChat Pro - Realtime chat/shoutbox [Paid]

    You could do something like this: Or customise it to be a blacklist for user ids.
  11. Kent

    Lack of interest Limit/throttle likes

    It's reasonable that someone may end up liking many posts quickly. It's not reasonable that someone may like 100 posts within a minute. Tested on XenForo 1.1.5 without any addons enabled. A reasonable throttle should be added to prevent something like... use warnings; use strict; use...
  12. Kent

    xF IRC is here! has address Seems to be owned by It's quite annoying that many hosts disallow IRC simply because it's associated with piracy.
  13. Kent

    Fixed Passing param "_" as an array causes an error

    Seems the fix you applied also fixed the input filter itself as strval would previously error when passing things like _xfResponseType and in cookies xf_session as an array.
  14. Kent

    Fixed Passing param "_" as an array causes an error

    Example:[]=anything[]=anything Edit: On a side note, the autolinker doesn't like underscores. Similar errors occur in many places where an array isn't expected and wouldn't happen under normal use...
  15. Kent

    Fixed Addon actions not consistent with debug mode

    The links to edit, export, and create addons are only visible on the addon list when debug mode is enabled, but they can be accessed directly and still function without debug mode. The uninstall addon page links to the edit addon page, regardless of debug mode.
  16. Kent

    Lack of interest canonical:, full:, please add secure:

    Then I misunderstood. What is your goal or reason for doing so?
  17. Kent

    Lack of interest canonical:, full:, please add secure:

    It'll do you no good if a targeted user requests a single page over HTTP, as it could be modified to send the entered username/password on the login form or cookie to an external site. The user wouldn't even be aware it happened.
  18. Kent

    Better customer verification tokens

    Doing the method described in my original post is not good because it can lead to a hash extension attack, so disregard it completely. Though I still believe a better method could be used to verify customers which does not put customers at the risk of impersonation.
  19. Kent

    Better customer verification tokens

    Anyone you send it to for validation, and anyone who has access to the medium in which it is sent, not limited to the intended recipient. The token can be misused during this time until it is re-generated. @Adam Howard Uh, that is an unexpected development. Wonder what is being used to...
  20. Kent

    Better customer verification tokens

    Multiple tokens can be generated for different purposes at the same time without invalidating previous tokens. None of the information needs to be stored as the server can re-generate it on its own later. When sending your token/domain to anyone, you're fully trusting them not to misuse that...