Hi,
This post is about some very annoying issues PFC chat has.. it is important that you patch your current version phpfreechat 1.3 right away to avoid problems with you chat room..
This will fix the following issues in your PFC chat 1.3.
1.- Flood issues with the “/notice” command.
Users will not kicked from chat if they use this command to spam your chat room.
2 .- Flood issues with the “/invite” command.
Again users using this command can flood your chat room and wont be kicked by noflood.
3.- Fixes problem when user doesn’t type anything in the chat room and press enter repeatedly.
Noflood.class.php script will count this as spam and kick the user doing it.
4.- Fixes a Mayor security problem with the “/notice” command. (IMPORTANT PATCH).
Users using this command can post any messages without showing their nick, and or
to pretend to be the admin webmaster or else.
Please copy paste the following code, they are going in two different documents in you current installation phpfreechat 1.3:
Patch no flood class, located at “/src/proxies/noflood.class.php
[php]
<?php
/**
* noflood.class.php
*
* Copyright © 2006 Stephane Gully <[email protected]>
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the
* Free Software Foundation, 51 Franklin St, Fifth Floor,
* Boston, MA 02110-1301 USA
*/
require_once dirname(__FILE__)."/../pfci18n.class.php";
require_once dirname(__FILE__)."/../pfcuserconfig.class.php";
require_once dirname(__FILE__)."/../pfcproxycommand.class.php";
require_once dirname(__FILE__)."/../../lib/utf8/utf8_strlen.php";
/**
* pfcProxyCommand_noflood
* this proxy will protect the chat from flooders
* @author Stephane Gully <[email protected]>
* fixes noflood not detecting /notice, /invite and
* kicking user when the type empy string in chat.
* Neumann Valle, [email protected]
*/
class pfcProxyCommand_noflood extends pfcProxyCommand
{
function run(&$xml_reponse, $p)
{
$clientid = $p["clientid"];
$param = $p["param"];
$sender = $p["sender"];
$recipient = $p["recipient"];
$recipientid = $p["recipientid"];
$c =& pfcGlobalConfig::Instance();
$u =& pfcUserConfig::Instance();
/**
* fixes some anoying issues with noflood not detecting user flooding the chat
* those are notice and invite
*/
$cmdtocheck = array("send", "nick", "me","notice","invite");
// fixes the count of noflood even if the text posted was empty (Neumann Valle (UTAN))
if ( in_array($this->name, $cmdtocheck) && $param != "")
{
$container =& pfcContainer::Instance();
$nickid = $u->nickid;
$isadmin = $container->getUserMeta($nickid, ‘isadmin’);
$lastfloodtime = $container->getUserMeta($nickid, ‘floodtime’);
$flood_nbmsg = $container->getUserMeta($nickid, ‘flood_nbmsg’);
$flood_nbchar = $container->getUserMeta($nickid, ‘flood_nbchar’);
$floodtime = time();
if ($floodtime – $lastfloodtime <= $c->proxies_cfg[$this->proxyname]["delay"])
{
// update the number of posted message indicator
$flood_nbmsg++;
// update the number of posted characteres indicator
$flood_nbchar += utf8_strlen($param);
}
else
{
$flood_nbmsg = 0;
$flood_nbchar = 0;
}
if (!$isadmin &&
($flood_nbmsg>$c->proxies_cfg[$this->proxyname]["msglimit"] ||
$flood_nbchar>$c->proxies_cfg[$this->proxyname]["charlimit"])
)
{
// warn the flooder
$msg = _pfc("Please don’t post so many message, flood is not tolerated");
$xml_reponse->script("alert(‘".addslashes($msg)."’);");
// kick the flooder
$cmdp = $p;
$cmdp["param"] = null;
$cmdp["params"][0] = "ch";
$cmdp["params"][1] = $u->channels[$recipientid]["name"];
$cmdp["params"][2] .=_pfc("kicked from %s by %s", $u->channels[$recipientid]["name"], "noflood");
$cmd =& pfcCommand::Factory("leave");
$cmd->run($xml_reponse, $cmdp);
return false;
}
if ($flood_nbmsg == 0)
$container->setUserMeta($nickid, ‘floodtime’, $floodtime);
$container->setUserMeta($nickid, ‘flood_nbmsg’, $flood_nbmsg);
$container->setUserMeta($nickid, ‘flood_nbchar’, $flood_nbchar);
}
// forward the command to the next proxy or to the final command
$p["clientid"] = $clientid;
$p["param"] = $param;
$p["sender"] = $sender;
$p["recipient"] = $recipient;
$p["recipientid"] = $recipientid;
return $this->next->run($xml_reponse, $p);
}
}
?>
[/php]
Ok that one is down, lets locate the next document it is located at “src/commands/notice.class.php”
copy paste this code:
[php]<?php
/*
* Fixes a long problematic security breach, well somebody pose as Admin nick is a breach
* even if he doesn’t have admin powers..
* fix by UTAN aka Neumann Valle, you can contact me at [email protected]
* fix for notice, where any user could use it to pose as admin nick or other user, or non
* existence user, 05/01/2012.
*/
require_once(dirname(__FILE__)."/../pfccommand.class.php");
class pfcCommand_notice extends pfcCommand
{
function run(&$xml_reponse, $p)
{
$clientid = $p["clientid"];
$msg = $p["param"];
$sender = $p["sender"];
$recipient = $p["recipient"];
$recipientid = $p["recipientid"];
$flag = isset($p["flag"]) ? $p["flag"] : 7;
$c =& pfcGlobalConfig::Instance();
$u =& pfcUserConfig::Instance();
$ct =& pfcContainer::Instance();
if ($c->shownotice > 0 &&
($c->shownotice & $flag) == $flag)
{
$msg = phpFreeChat::FilterSpecialChar($msg);
$msg = $flag == 7 ? ‘(‘.$sender.’) ‘.$msg : $msg;
$nick = $ct->getNickname($u->nickid);
$res = $ct->write($recipient, $nick, "notice", $msg);
if (is_array($res))
{
$cmdp = $p;
$cmdp["param"] = implode(",",$res);
$cmd =& pfcCommand::Factory("error");
$cmd->run($xml_reponse, $cmdp);
return;
}
}
}
}
?>
[/php]
So that’s it, this is fix is all done, maybe Oldwolf friend can make this post sticky…