
Strict comparison on user_id for sending pms

    Details

    • Type: Bug
    • Status: Unverified Fix
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.0.10
    • Fix Version/s: 3.0.11-RC1
    • Component/s: Other
    • Labels:
      None

      Description

      F.e. includes/functions_privmsgs.php

      // Additionally, do not include the sender if he is in the group he wants to send to. ;)
      if ($row['user_id'] === $user->data['user_id'])
      {
          continue;
      }

      This code compares two strings to be exactly the same. If there is a MOD that casts the global user_id to int (which I think is a security addition), the comparison will fail.
      (In this case it sends group pms also to the sender.)
      The code should either check == only, or both values should be cast to int.
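      The following is an added illustration, not phpBB code: a small stand-alone PHP script that reproduces the type mismatch the report describes and contrasts the original `===` check with an int-normalised one. The function name group_pm_recipients, the sample rows and the sender id are all constructed for the example; the only assumption carried over from the report is that the database layer may hand back user_id as a string while the session holds it as an int.

```php
<?php
// Added example (not phpBB's own code). Demonstrates why a strict `===`
// between a DB row value and the session user_id can silently never match,
// so the sender of a group PM is not skipped and receives their own message.

/**
 * Return the user ids that should receive a group PM, excluding the sender.
 *
 * $rows      mimics a database result set (one ['user_id' => ...] per member)
 * $sender_id mimics $user->data['user_id'] after session_create() cast it to int
 * $strict    true  = original check ($row['user_id'] === $sender_id)
 *            false = hardened check (both sides cast to int first)
 */
function group_pm_recipients(array $rows, $sender_id, bool $strict): array
{
    $recipients = [];
    foreach ($rows as $row) {
        if ($strict) {
            // Original check: "5" === 5 is false in PHP, so when the driver
            // returns strings the sender is never filtered out.
            if ($row['user_id'] === $sender_id) {
                continue;
            }
        } else {
            // Hardened check: normalise both sides to int before comparing.
            // This is safer than a loose `==`, which (before PHP 8) also
            // treats a non-numeric string as equal to 0.
            if ((int) $row['user_id'] === (int) $sender_id) {
                continue;
            }
        }
        $recipients[] = (int) $row['user_id'];
    }
    return $recipients;
}

// Constructed sample data: a driver without native typing returns strings.
$rows = [
    ['user_id' => '2'],
    ['user_id' => '5'],
    ['user_id' => '9'],
];
$sender_id = 5; // int, as set by session_create()

echo "Strict (original) check:\n";
var_dump(group_pm_recipients($rows, $sender_id, true));   // sender (5) still listed

echo "Int-normalised check:\n";
var_dump(group_pm_recipients($rows, $sender_id, false));  // sender (5) excluded
```

      Running the script with `php example.php` shows the sender's own id surviving the strict filter and disappearing once both operands are cast; the same divergence is what the report observes on installations whose driver adjusts the PHP type and those whose driver does not.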

        Issue Links

          Activity

          bantu Andreas Fischer added a comment -

          $user->data['user_id'] is cast to integer in session::session_create(), so it seems this statement is only true on databases adjusting the php type accordingly.

          bantu Andreas Fischer added a comment -

          Introduced by https://github.com/phpbb/phpbb3/commit/78b1c4caaa17cc8760b685ad41c19f15f9d89b68 which basically never had an effect.

          bantu Andreas Fischer added a comment -

          Actually, I'm not sure what the expected behaviour would be.

          [01:42:19] <bantu> If I send a PM to the development team, am I supposed to get the PM too?
          [01:42:27] <bantu> nn-: oh hey
          [01:42:52] <nn-> good question
          [01:43:14] <bantu> How the code says it should be: No
          [01:43:18] <bantu> How the code is: Yes
          [01:43:36] <nn-> i'm always 50/50 on what should happen
          [01:44:28] <bantu> I'd argue that not receiving it would be magic.
          [01:44:42] <bantu> And it kind of makes sense to have PMs in the Inbox "for the record".

          A_Jelly_Doughnut A_Jelly_Doughnut added a comment -

          In Google Mail, when I send mail to a list of which I am a member, no copy is placed in my inbox. To me, this is unexpected behavior.

          If this check has been broken forever, then I would say remove it. (git blame says this was last touched in 2009, and before that no such check existed.)

          imkingdavid David King added a comment -

          I agree with the PM author receiving the PM if sent to a group. Every recipient (aka everyone in every group that is listed as a recipient) should receive a copy, whether they sent it or not.


            People

            • Assignee:
              bantu Andreas Fischer
              Reporter:
              nickvergessen Joas Schilling
            • Votes:
              0
              Watchers:
              0

              Dates

              • Created:
                Updated:
                Resolved:

                Development