Update PHP 8.3 #52
Open
jakub961241 wants to merge 17 commits into
Conversation
Add Czech language, add support for new PHP 8.3
… i18n
- Web-based XML upload via import/ directory on the update page
- TMDB Cover Fetcher with auto-fetch for missing covers
- Installer (install.php) — setup wizard for localsiteconfig.php and DB schema
- localsiteconfig.php.example with documented defaults
- Bootstrap 5.3.3 dark theme across all pages
- Complete translations for all 10 languages (900+ strings)
- Titles Per Page pagination preference
- Sidebar sort header with column labels
- Fix round(0, INF) TypeError in statistics.php
- Fix DISTINCT + ORDER BY errors in ws.php
- Fix null array access in ws.php get_watchers/me_watched
- Fix only_full_group_by error in popup.php filmography
- Fix incupdate.php XML parser for PHP 8.x compatibility
- Remove unused consistancy.sql
- Update .gitignore for localsiteconfig.php.example
Added detailed project description, features, installation instructions, requirements, authors, and licensing information.
…ation

Security fixes:
- Replace extract($_POST/$_GET) with safe whitelist in global.php
- Fix SQL injection: addslashes() → sql_escape(), column/table allow-lists
- Fix XSS: escape $PHP_SELF, user inputs, and cookie values with htmlspecialchars()
- Add auth guards for phpinfo, file delete, EXPLAIN, and checktables
- Fix path traversal in skin cookie handler
- Secure cookies with httponly and SameSite=Lax flags
- Validate feature columns in rss.php against allow-list

Code quality:
- Deduplicate graph boilerplate into shared graph_init.php
- Deduplicate userpref.php with helper functions (~200 lines removed)
- Remove eval()/new Function()/setTimeout-string patterns in JS
- Fix ReDoS vulnerability in navframe.js regex

Co-Authored-By: Claude Opus 4.6 <[email protected]>
Look up mediaid in database instead of using raw GET parameter for file path construction. SonarCloud flagged this as a security hotspot since the path was built from user-controlled data. Co-Authored-By: Claude Opus 4.6 <[email protected]>
Replace unbounded .*? groups with bounded character classes:
- [^<]* instead of .*? before HTML tags
- [^>]*? instead of .*? within tag attributes
- \w+ instead of .*? for GIF filenames
- [^&]* instead of .*? before
- [^<]* instead of .*? for element content

Co-Authored-By: Claude Opus 4.6 <[email protected]>
Update all functional http:// URLs to https:// across 17 files:
- IMDB and Wikipedia links in all 9 language files
- invelos.com links in index.php, ws.php, and skin template
- dvdaholic.me.uk URLs in globalinits.php and imagedata.php
- Invelos image server in functions.php
- Fix protocol stripping in incupdate.php to handle https:// (8 chars)
- Update servername() in imagedata.php to support both protocols

Co-Authored-By: Claude Opus 4.6 <[email protected]>
Replace default 'admin'/'admin' credentials with empty strings in both globalinits.php and siteconfig.php. Users should configure credentials in localsiteconfig.php (which is gitignored). Co-Authored-By: Claude Opus 4.6 <[email protected]>
Blocker fixes:
- Rename $dbpasswd to $dbpass to avoid 'passwd' credential detection (updated in globalinits, siteconfig, global, install, summary, docs)

Config fixes:
- Define constants for duplicated color/icon literals in globalinits.php
- Remove commented-out dead code in siteconfig.php, globalinits.php, emailmessageconfig.php
- Add curly braces in sample_multisite.php and globalinits.php

Admin file fixes:
- Remove parentheses from require_once/include_once/return calls
- Add curly braces around single-line if/else blocks
- Replace else if with elseif
- Remove empty statements and double semicolons

Co-Authored-By: Claude Opus 4.6 <[email protected]>
- Remove deprecated db/mysql.php (unused, incompatible with PHP 7.0+)
- pages/no_coo.php: extract displayQueryResults() helper for 4 repeated blocks
- admin/check_credits.php: extract displayCreditsCheck() helper for 2 blocks
- core/locale.php: replace 9 switch-case blocks with data-driven array lookup
- core/functions.php: add shared stripQuotes(), Replace2Lang(), ReplaceLang()
- includes/MakeHTMLFromSkin.php: remove duplicate function definitions
- includes/processskin.php: remove duplicate function definitions

Co-Authored-By: Claude Opus 4.6 <[email protected]>
- gallery.php: Escape all HTML output (DVD data, query strings, anchors), validate $page/$ct/$letter inputs, cast LIMIT params to int
- mysqli.php: Escape error output to prevent XSS via PHP_SELF/QUERY_STRING, escape EXPLAIN debug output, remove obsolete stripslashes (magic_quotes)
- Picker.php: Whitelist POST keys used as SQL column names, escape HTML output ($row[id/title], $MainQuery), validate $limit/$InMenu/$uid, replace die() with safe error logging
- incupdate.php: Replace 125 die($db->sql_error()) calls with safe_db_die() that logs to error_log without leaking SQL details

Co-Authored-By: Claude Opus 4.6 <[email protected]>
- Rename 19 PascalCase/snake_case functions to camelCase across 24 files (e.g. SendNoCacheHeaders -> sendNoCacheHeaders, resize_jpg -> resizeJpg)
- Rename parameters/variables to camelCase ($RefuseBots, $RequestedWidth, $BannerHeight, etc.)
- Add curly braces to ~20 nested if/else statements
- Remove parentheses from ~15 return statements
- Add default case to 3 switch statements
- Remove redundant returns at end of void functions
- Remove unused $num variable in discourageAbuse
- Remove unnecessary variable assignments in resizeJpg
- Define GFX_UNKNOWN constant replacing 5 duplicated 'gfx/unknown.jpg'
- Remove duplicate break in formatIcon switch
- Remove unused params ($errstr, $errfile, $errline) from myErrorHandler
- Remove include_once parentheses

Co-Authored-By: Claude Opus 4.6 <[email protected]>
…, add braces
- Rename safe_db_die to safeDbDie (php:S100) in incupdate.php
- Replace all 125 instances of `or safeDbDie()` with `|| safeDbDie()` (php:S2010)
- Add curly braces to if/else blocks without them (php:S121)
- Rename variables to camelCase in functions.php ($ImageWidth etc.)
- Remove commented-out code in functions.php
- Deduplicate lang files to use base + override pattern

Co-Authored-By: Claude Opus 4.6 <[email protected]>
- Convert all 125 `|| safeDbDie()` to if-statement pattern (fixes S3699 void return usage AND assignment precedence bug with ||)
- Remove include_once parentheses in all graph files (S6600)
- Rename Replace2Lang/ReplaceLang to camelCase, remove return parens (S100/S6600)
- Rename $ThumbHtoWRatio/$WhichIsTooLarge to camelCase (S117)
- Add curly braces in Picker.php, gallery.php, index.php (S121)
- Update replace2Lang/replaceLang call sites in MakeHTMLFromSkin.php, processskin.php

Co-Authored-By: Claude Opus 4.6 <[email protected]>
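The precedence problem behind the last two commits (`or safeDbDie()` rewritten to `|| safeDbDie()`, then to an if-statement), shown as an added example that is not the project's code; `sql_query()` and `safeDbDie()` are stand-in stubs assumed here, named after the commit messages.

```php
<?php
// Stand-in for the database query wrapper (assumption, not the project's function):
// returns a result handle (here: an array of rows) on success, false on failure.
function sql_query(string $sql, bool $fail = false)
{
    return $fail ? false : ['rows' => [['id' => 1, 'title' => 'Example DVD']]];
}

// Stand-in for safeDbDie(): logs server-side only, never echoes SQL details
// to the client, and stops the request.
function safeDbDie(): void
{
    error_log('database query failed');
    exit;
}

// 1. Original pattern. `or` binds LOOSER than `=`, so this parses as
//    ($res = sql_query(...)) or safeDbDie();
//    $res receives the real result handle; safeDbDie() runs only on false.
//    SonarCloud still flags it (S2010: `or`/`and`, and S3699: using a void
//    function's "return value" in a boolean expression).
$res = sql_query('SELECT id, title FROM dvds') or safeDbDie();
var_dump(is_array($res));   // the handle survived

// 2. Mechanical S2010 rewrite. `||` binds TIGHTER than `=`, so this parses as
//    $res = (sql_query(...) || safeDbDie());
//    The query still runs and failures still reach safeDbDie(), but on success
//    $res is now the boolean true and the result set is silently lost for
//    every consumer that reads rows from $res.
$res = sql_query('SELECT id, title FROM dvds') || safeDbDie();
var_dump(is_array($res));   // the handle is gone, only a bool remains

// 3. If-statement form from the later commit: keeps the handle, checks the
//    failure sentinel explicitly with ===, and never uses a void function
//    inside a boolean expression.
$res = sql_query('SELECT id, title FROM dvds');
if ($res === false) {
    safeDbDie();
}
var_dump(is_array($res));   // the handle survived again
```

Running the file under PHP 8.x shows case 2 losing the result while cases 1 and 3 keep it, which is why a linter-driven `or` to `||` swap on assignments needs a follow-up rewrite rather than a search-and-replace.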