
Changelog


Total: 500 available commits | Filtered: 500 commits | Page: 45 / 50
27.02.2026
Chore: remove closing ?> tags and modernize array syntax in module support files
Author: Eduard Laas | Date: 23:29 27.02.2026

Remove trailing PHP close tags from language files (clients, whois) per PSR-12; update array() → [] syntax in modules/clients/pclzip.lib.php for PHP 8.4 style consistency.

Core changes:

  1. Close tag removal (modules/clients/language/*.php, modules/whois/language/*.php):
     - lang-english.php, lang-french.php, lang-german.php, lang-polish.php, lang-russian.php, lang-ukrainian.php (clients module)
     - en.php, de.php, fr.php, pl.php, ru.php, uk.php (whois module)
     - Trailing ?> removed from all 12 language files
  2. Array syntax modernization (modules/clients/pclzip.lib.php):
     - array() → [] for option arrays in PclZip::add() and related methods
     - No logic change — purely syntactic modernization

Benefits:
  - PSR-12 compliant: PHP-only files must not have closing ?> tags
  - Eliminates risk of accidental whitespace output after closing tag
  - Consistent array syntax throughout the codebase

Technical notes:
  - pclzip.lib.php is a vendored library; only array syntax touched, no logic
  - Language files: 12 files × 1 line removed = 12 deletions

Refactor: modernize frontend modules — PHP 8.4 types, config access, list() syntax
Author: Eduard Laas | Date: 23:28 27.02.2026

Add return type declarations to all module functions; replace list() with [] destructuring; update config access from module-specific globals ($conffo, $confnews, etc.) to $conf['module_name']['key']; modernize setHead() calls with explicit title arrays.

Core changes:

  1. Return type declarations added (all 29 module index files):
     - account(), newuser(), finnewuser() → : void
     - forum(), topic_view(), post_add() → : void
     - news(), view(), add_news() → : void
     - All public-facing module functions now have explicit return types
  2. list() → [] destructuring (modules with SQL result rows):
     - forum/index.php: all while(list(...)) → while([...]) in topic/post loops
     - files/index.php, media/index.php, shop/index.php, links/index.php
     - news/index.php, pages/index.php, faq/index.php, jokes/index.php
     - All sql_fetchrow() result assignments updated
  3. Config access modernization (forum/index.php):
     - global $conffo removed from all forum functions
     - $conffo['listnum'] → $conf['forum']['listnum']
     - $conffo['defis'] → $conf['forum']['defis']
     - $conffo['pop'] → $conf['forum']['pop']
     - $conffo['pnum'] → $conf['forum']['pnum']
  4. setHead() with explicit titles (account/index.php):
     - setHead() → setHead(['title' => _USERREGLOGIN])
     - setHead() → setHead(['title' => _REGNEWUSER])
     - setHead() → setHead(['title' => _ACCOUNTCREATED])
     - Pattern applied across all account flow functions
  5. Miscellaneous cleanup:
     - Unused $catlink variable removed from forum/index.php
     - whois/index.php: geo_ip lookup updated to current API
     - search/index.php: query variable cleanup
     - voting/index.php: type declarations added

Benefits:
  - PHP 8.4 compatible — all functions have explicit return types
  - $conffo/$confnews/etc. global removal reduces import surface
  - list() removal aligns with PHP 7.1+ best practices throughout
  - setHead() with title enables proper SEO meta generation

Technical notes:
  - Config access via $conf['module']['key'] — no behavioral change
  - [] destructuring is functionally identical to list() in all contexts
  - 29 module files modified across 5 module subdirectories

Refactor: modernize admin panel — $afile, SQL hardening, command injection guard
Author: Eduard Laas | Date: 23:27 27.02.2026

Replace deprecated $aroute alias with $afile throughout admin/index.php; harden SHOW TABLE STATUS queries in database.php and monitor.php against SQL injection via database/table name validation; add command injection guard in monitor.php getCommandOutput(); update editor info pages.

Core changes:

  1. Alias replacement (admin/index.php):
     - global $aroute → global $afile in getAdminPanelBlocks() and getAdminPanel()
     - All $aroute.'.php?name=' → $afile.'.php?name=' references updated
  2. SQL hardening (admin/modules/database.php):
     - $confdb['name'] → $dbname = preg_replace('#[^a-zA-Z0-9_]#', '', ...) before use
     - Empty $dbname guard added — returns early with warning on invalid DB name
     - SHOW TABLE STATUS, ANALYZE TABLE, OPTIMIZE TABLE, REPAIR TABLE: $confdb['name'] replaced with sanitized $dbname throughout
     - Table name now validated with preg_match('#^[a-zA-Z0-9_]+$#') before queries
     - Variable renaming: $rowResult/$rowData → $res/$row (SLAED naming convention)
     - $infoText → $info (short naming convention)
  3. SQL hardening (admin/modules/monitor.php):
     - SHOW TABLE STATUS FROM: $confdb['name'] → $dbname with same sanitization
     - $dbname empty guard added — skips DB stats block if name is invalid
     - Removed uptime block that used platform-specific /proc/uptime path
  4. Command injection guard (admin/modules/monitor.php):
     - getCommandOutput(): added preg_match for shell metacharacters [;&|`><\r\n]
     - Returns [] immediately if command string contains dangerous characters
  5. Editor info pages updated (admin/info/editor/*.html):
     - Reference to core/geo_ip.php and $COUNTRY_NAMES removed
     - Updated to: "Use user_geo_ip() output as the valid country value reference"

Benefits:
  - SHOW TABLE STATUS SQL injection prevented via name sanitization
  - Table-level query injection prevented via table name whitelist validation
  - Command injection in exec() calls blocked by metacharacter guard
  - $aroute deprecated alias fully removed from admin panel code

Technical notes:
  - admin/modules/blocks.php: minor 1-line cleanup (unused variable)
  - admin/modules/messages.php: 4-line formatting/variable rename cleanup
  - Database name regex: [^a-zA-Z0-9_] — matches MySQL identifier rules
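The two guards this commit describes, written out as an added example (not SLAED's own database.php or monitor.php code). Database and table names cannot be bound as prepared-statement parameters, so the example whitelists them with the commit's character-class regexes before interpolating them, and it refuses a command string that contains the listed shell metacharacters. The helper names and the shape of the $confdb array are assumptions; runFixedCommand() goes beyond the page and shows an allowlist-plus-escapeshellarg() form as a stricter alternative to a metacharacter denylist.

```php
<?php
declare(strict_types=1);

// Added example, not SLAED's own code. Helper names and the $confdb array
// shape are assumptions; the regexes are the ones quoted in the commit.

/** Strip every character outside [a-zA-Z0-9_] from a database name (preg_replace guard). */
function sanitizeDbName(string $name): string
{
    return preg_replace('#[^a-zA-Z0-9_]#', '', $name) ?? '';
}

/** Accept a table name only if it consists entirely of [a-zA-Z0-9_] (preg_match guard). */
function isValidTableName(string $table): bool
{
    return preg_match('#^[a-zA-Z0-9_]+$#', $table) === 1;
}

/**
 * Build SHOW TABLE STATUS for the configured database. Returns null when
 * sanitization leaves an empty name, so the caller warns and returns early
 * instead of issuing a query against an empty identifier.
 */
function buildTableStatusQuery(array $confdb): ?string
{
    $dbname = sanitizeDbName((string) ($confdb['name'] ?? ''));
    if ($dbname === '') {
        return null;
    }
    return "SHOW TABLE STATUS FROM `$dbname`";
}

/** Build ANALYZE/OPTIMIZE/REPAIR TABLE only for a verb from a fixed list and a whitelisted table name. */
function buildTableMaintenanceQuery(string $verb, string $dbname, string $table): ?string
{
    $dbname = sanitizeDbName($dbname);
    if (!in_array($verb, ['ANALYZE', 'OPTIMIZE', 'REPAIR'], true)
        || $dbname === '' || !isValidTableName($table)) {
        return null;
    }
    return "$verb TABLE `$dbname`.`$table`";
}

/** True when the command string contains any metacharacter the monitor.php guard rejects. */
function hasShellMetacharacters(string $command): bool
{
    return preg_match('#[;&|`><\r\n]#', $command) === 1;
}

/** Mirrors getCommandOutput(): returns [] without running anything when the guard trips. */
function getCommandOutputGuarded(string $command): array
{
    if (hasShellMetacharacters($command)) {
        return [];
    }
    $output = [];
    exec($command, $output);
    return $output;
}

/**
 * Stricter alternative (not from the page): only binaries on a fixed allowlist
 * run, and every argument goes through escapeshellarg(), so metacharacters in
 * arguments are quoted rather than merely detected.
 */
function runFixedCommand(string $binary, array $args): array
{
    if (!in_array($binary, ['uptime', 'df', 'free'], true)) {
        return [];
    }
    $cmd = $binary . ' ' . implode(' ', array_map('escapeshellarg', $args));
    $output = [];
    exec($cmd, $output);
    return $output;
}

// Usage with constructed inputs
var_dump(buildTableStatusQuery(['name' => 'slaed cms-2026']));        // space and hyphen are not identifier characters
var_dump(buildTableStatusQuery(['name' => '!!!']));                   // nothing survives sanitization
var_dump(buildTableMaintenanceQuery('OPTIMIZE', 'slaed', 'users'));
var_dump(buildTableMaintenanceQuery('OPTIMIZE', 'slaed', 'users list')); // table name fails the whitelist
var_dump(hasShellMetacharacters('df -h'));
var_dump(hasShellMetacharacters('df -h | head'));                     // pipe is in the rejected class
var_dump(runFixedCommand('df', ['-h', '/']));
```

Two design points worth keeping in mind when reviewing code of this kind: the preg_replace form silently rewrites a bad database name into a different valid one, whereas the preg_match form rejects it outright, so the empty-name guard is what makes the replace approach safe; and a metacharacter denylist protects only against the characters it lists, which is why the commands themselves should be fixed strings with any variable parts passed through escapeshellarg().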

Fix: remove debug output from FTPClient::getDirListing()
Author: Eduard Laas | Date: 23:27 27.02.2026

Remove accidental debug statements left in plugins/filemanager/include/ftp_class.php that were leaking server information: shell_exec('whoami'), ftp_pwd() echo, and error_get_last() echo were all outputting sensitive data to the HTTP response.

Core changes:

  1. Debug statements removed (ftp_class.php — getDirListing()):
     - echo shell_exec('whoami').' is who i am' — exposes OS username
     - echo 'Current directory is now: '.ftp_pwd(...) — exposes directory path
     - echo error_get_last() — exposes internal PHP error details

Benefits:
  - Prevents server username and directory structure disclosure to clients
  - Eliminates shell_exec() output from HTTP responses
  - Closes information-disclosure vulnerability in FTP file manager

Technical notes:
  - getDirListing() return value unchanged — only debug echo statements removed
  - Missing newline at EOF also added for POSIX compliance

Chore: remove deprecated core/geo_ip.php and core/geo_ip.dat
Author: Eduard Laas | Date: 23:26 27.02.2026

Delete the legacy MaxMind-based geo-IP lookup module (geo_ip.php + binary data file geo_ip.dat). The module relied on an outdated GeoIP binary format and an unmaintained lookup class; functionality replaced by the user_geo_ip() helper in core/user.php which uses a maintained alternative.

Core changes:

  1. Files deleted:
     - core/geo_ip.dat — binary MaxMind GeoLite database (outdated format)
     - core/geo_ip.php — PHP wrapper class for the binary database

Benefits:
  - Removes ~80 KB unmaintained binary from repository
  - Eliminates dependency on deprecated GeoIP binary format
  - Reduces core/ directory size and maintenance surface

Technical notes:
  - Callers updated to use user_geo_ip() output for country name reference
  - admin/info/editor/*.html updated to reflect the new reference source
  - No module functionality lost — geo lookups remain available via user_geo_ip()

Refactor: remove deprecated aliases and tpl_*() functions; consolidate theme boot
Author: Eduard Laas | Date: 23:26 27.02.2026

Remove $aroute/$admin_file transition aliases from core/security.php; remove tpl_eval(), tpl_func(), tpl_warn() legacy eval-based functions from core/template.php; consolidate theme loading into system.php boot sequence, removing redundant setThemeInclude() calls from index.php.

Core changes:

  1. Deprecated aliases removed (core/security.php):
     - $aroute removed — was duplicate of $afile (conf['security']['afile'])
     - $admin_file removed — was duplicate of $afile; all callers use $afile
     - SQL injection fix in is_admin_god(): id → :id prepared statement
  2. Legacy eval functions removed (core/template.php):
     - tpl_eval() removed — used eval() internally; replaced by setTemplateBasic()
     - tpl_func() removed — used eval() with static cache; replaced by setTemplateBasic()
     - tpl_warn() removed — used eval(); replaced by setTemplateWarning()
     - All three functions had been deprecated since 6.3.0 planning phase
  3. Theme boot consolidation (index.php):
     - setThemeInclude() calls removed from $go1, $go2, admin-god branches
     - Theme/template loading now happens once in core/system.php boot sequence (getTheme() + template require_once added in previous system.php commit)
     - tpl_warn() call on line 97 replaced with setTemplateWarning()

Benefits:
  - $aroute/$admin_file removal eliminates stale alias confusion
  - tpl_eval/tpl_func/tpl_warn removal eliminates eval() security surface
  - Single theme boot point prevents double-include on complex request paths

Technical notes:
  - Any remaining tpl_eval/tpl_func/tpl_warn calls will now fatal — none exist
  - setTemplateWarning() signature: (string $tpl, array $vars): string
  - setThemeInclude() still exists but is no longer called from index.php

Refactor: modernize core/admin.php — remove legacy functions, type all signatures
Author: Eduard Laas | Date: 23:26 27.02.2026

Remove deprecated getAdminInfo() and navi_gen() functions; add explicit typed parameters to all remaining functions that used func_get_args() or untyped variadic signatures, aligning core/admin.php with PHP 8.4 standards.

Core changes:

  1. Functions removed (core/admin.php):
     - getAdminInfo(): legacy info-page reader/editor — replaced by direct template rendering in individual admin modules that need it
     - navi_gen(...$arg): variadic wrapper around getAdminTabs() — all callers updated to call getAdminTabs() directly with explicit arguments
  2. func_get_args() removal — typed signatures added:
     - ajax_cat(): (string $modul, int $obj) replaces variadic
     - cat_order(): (): void — no parameters
     - catacess(): (string $name, string $class, string $selected, int $limit)
     - ajax_block(): (): string — no parameters
     - blocks_order(): (): void
     - fav_aliste(): (int $obj): string
     - fav_adel(): (): void
     - ajax_privat(): (int $obj): string
     - ajax_privat_del(): (): void

Benefits:
  - getAdminInfo() removal eliminates file_put_contents without path validation
  - All admin core functions now have explicit PHP 8.4 type declarations
  - navi_gen() removal removes one variadic wrapper layer

Technical notes:
  - Callers of navi_gen() updated to use getAdminTabs() directly
  - getAdminInfo() callers updated to inline equivalent logic
  - No behavioral change — only signature and wrapper-layer simplification

Refactor: modernize core/user.php — func_get_args and superglobals
Author: Eduard Laas | Date: 23:25 27.02.2026

Remove all func_get_args() calls and replace every raw $_GET/$_POST access with getVar() in core/user.php, completing input-validation guardrail coverage for all user-facing core functions.

Core changes:

  1. func_get_args() removal (core/user.php):
     - setComShow(): explicit typed parameters replace variadic signature
     - prmess(): typed parameters (int $id, string $mod, int $pg)
     - favorliste(): typed parameters (string $mod, int $id, int $pg)
  2. Superglobals → getVar() (core/user.php):
     - savecom(): $_POST fields (name, email, text, etc.) → getVar()
     - editpost(): $_POST content fields → getVar()
     - prmesssend(), prmesssave(), prmessdel(): message POST fields → getVar()
     - favoradd(), favordel(): GET/POST id and mod params → getVar()
     - rss_channel(): name, cat, num, id → getVar() with POST-over-GET fallback
     - stat switch block: $_GET['stat'] and $_GET['img'] → getVar()

Benefits:
  - All superglobal access in core/user.php eliminated (getVar guardrail)
  - func_get_args() fully removed — PHP 8.4 typed parameters throughout
  - Consistent validation: POST-over-GET fallback pattern matches core/system.php

Technical notes:
  - getVar() returns false for empty values; code updated with ?: fallback
  - rss_channel(): getVar('post',...) ?: getVar('get',...) pattern throughout
  - No $_FILES access in user.php — only form data replaced
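What the "superglobals → getVar()" guardrail buys, as an added example that is not SLAED's own getVar(). The accessor below is a hypothetical reimplementation modelled only on the call shapes quoted in these commits (getVar('get', 'cat', 'num', 0), getVar('post', 'field', 'raw', ''), and the getVar('post', ...) ?: getVar('get', ...) fallback) and on the one documented behaviour, that it returns false for empty values; the type names 'num', 'text' and 'raw' and their coercion rules are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not SLAED's own getVar(). The signature follows the calls
// quoted in the commit messages; the coercion rules are assumptions.

/**
 * Read one request variable from $_GET or $_POST and coerce it to a type:
 *   'num'  -> non-negative int; non-numeric input yields $default
 *   'text' -> trimmed, tag-stripped, HTML-escaped string
 *   'raw'  -> the string exactly as sent (caller is responsible for escaping)
 * Returns false when the key is absent, is an array, or is the empty string,
 * which is what lets callers chain sources with `?:`.
 */
function getVar(string $source, string $name, string $type = 'raw', int|string $default = ''): int|string|false
{
    $bag = match ($source) {
        'get'   => $_GET,
        'post'  => $_POST,
        default => throw new InvalidArgumentException("Unknown source: $source"),
    };
    if (!isset($bag[$name]) || is_array($bag[$name]) || $bag[$name] === '') {
        return false;
    }
    $value = (string) $bag[$name];
    return match ($type) {
        'num'   => ctype_digit($value) ? (int) $value : $default,
        'text'  => htmlspecialchars(trim(strip_tags($value)), ENT_QUOTES | ENT_HTML5, 'UTF-8'),
        'raw'   => $value,
        default => throw new InvalidArgumentException("Unknown type: $type"),
    };
}

/** POST-over-GET fallback as described for rss_channel(): POST wins when present and non-empty. */
function getVarPostThenGet(string $name, string $type = 'raw', int|string $default = ''): int|string|false
{
    return getVar('post', $name, $type, $default) ?: getVar('get', $name, $type, $default);
}

// Constructed request data for a CLI run; in a real request PHP fills these itself.
$_GET  = ['cat' => '12', 'term' => ' <b>alice</b> ', 'num' => 'abc'];
$_POST = ['cat' => '', 'name' => 'Bob'];

var_dump(getVar('get', 'cat', 'num', 0));         // numeric string accepted
var_dump(getVar('get', 'num', 'num', 0));         // non-numeric string, default used
var_dump(getVar('get', 'term', 'text', ''));      // tags stripped, whitespace trimmed
var_dump(getVar('post', 'cat', 'num', 0));        // empty value
var_dump(getVarPostThenGet('cat', 'num', 0));     // POST empty, so GET value is used
var_dump(getVarPostThenGet('name', 'text', ''));  // present in POST only
```

The `?:` chain relies on false being falsy, but a 'num' value of 0 is falsy too, so a legitimate "0" in POST falls through to GET just as an absent key would. Where an id of 0 carries meaning, compare against false explicitly rather than using `?:`.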

Refactor: modernize core/system.php — func_get_args, superglobals, SQL, new API
Author: Eduard Laas | Date: 23:24 27.02.2026

Eliminate all func_get_args() usage and replace every raw $_GET/$_POST/$_REQUEST access with getVar(); add filterMarkdown() Markdown parser and bb_decode() as a unified text-processing orchestrator; harden SQL with prepared statements.

Core changes:

  1. func_get_args() removal (core/system.php):
     - getcat(), catlink(), catids(), catmids() — explicit typed parameters
       * catlink($id, $mod, $cat) replaces variadic signature
     - getVoting(), num_ajax(), ad_save(), rss_select(), addBackupDb()
     - setPageNumbers(), preview(), get_user_search(), url_types()
     - addmail(), textarea(), cat_modul(), ashowcom(), numcom(), update_points()
  2. Superglobals → getVar() (core/system.php):
     - goto_url(): $_REQUEST → isset($_GET[..]) || isset($_POST[..]) (presence-only)
     - getThemeFile(): $_GET['cat'] → getVar('get', 'cat', 'num', 0)
     - save_datetime(): dynamic key → getVar('post'/$name, 'raw', '')
     - add_kasse() / del_kasse(): $_GET['id'] → getVar('get', 'id', 'num', 0)
     - show_files(): 4 superglobals → getVar() with appropriate types
     - fields_in(): $_POST['field'] → getVar('post', 'field', 'raw', '')
     - get_user(): $_GET['term'] → getVar('get', 'term', 'text', '')
     - ajax_rating(): 5 superglobals (id, typ, mod, rate, stl) → getVar()
     - upload(): $_POST['token'], $_POST['sitefile'] → getVar(); $_FILES unchanged
     - editcom() / closecom() / avoting_save(): redundant isset() → getVar()
       * avoting_save(): $_POST['questions'] (array) handled with isset+is_array guard
  3. SQL prepared statements (core/system.php):
     - setCategories(): $mod/$locale/$id → named placeholders :mod/:loc/:pid
       * catid IN clause now uses dynamic :c0/:c1/... placeholders
  4. New functions added (core/system.php):
     - filterMarkdown(string $src, bool $safe, string $mod): string
       * Safe Markdown→HTML parser; $safe=true blocks dangerous constructs
     - bb_decode(): updated to delegate inline processing to filterMarkdown()
     - setRedirect(string $url, bool $refer, int $code): never
       * Auto-upgrades 302→303 on POST; replaces inline header()+exit patterns
  5. Theme boot sequence moved to system.php:
     - getTheme() + template require_once added to core boot (removed from callers)
  6. Deprecated functions removed:
     - checkConfigFingerprint() — unused after fingerprint refactor
     - isCompare(), isDate() — unused legacy helpers

Benefits:
  - All superglobal access in core/system.php eliminated (getVar guardrail)
  - func_get_args() fully removed — PHP 8.4 typed parameters throughout
  - SQL injection prevented in setCategories() and catid IN clause
  - filterMarkdown() and bb_decode() provide unified safe text pipeline

Technical notes:
  - $_FILES not replaced — getVar() has no file-upload equivalent
  - $_POST['questions'] (array) remains direct access with is_array() guard
  - setRedirect() auto-detects POST → sends 303 instead of 302
  - filterMarkdown($src, $safe, $mod): $mod reserved for future bb/md/mixed modes
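The dynamic :c0/:c1/... placeholder pattern that the setCategories() item describes, as an added example that is not SLAED's own setCategories(). A fixed IN clause cannot be parameterised with a single placeholder, so the example generates one named placeholder per id and binds each one as an integer; the query is run against an in-memory SQLite table constructed here so it executes offline, but the same PDO calls apply to MySQL. The table and column names and the helper names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not SLAED's own code. Table/column names are assumptions;
// the :c0/:c1/... placeholder naming follows the commit message.

/**
 * Build "col IN (:c0, :c1, ...)" plus the matching bindings from a list of ids.
 * Every id is bound as a parameter, so none is ever interpolated into the SQL
 * text. An empty list yields a clause that matches nothing, because "IN ()"
 * is a syntax error.
 */
function buildInClause(string $column, array $ids, string $prefix = 'c'): array
{
    if ($ids === []) {
        return ['0 = 1', []];
    }
    $placeholders = [];
    $bindings = [];
    foreach (array_values($ids) as $i => $id) {
        $name = ':' . $prefix . $i;
        $placeholders[] = $name;
        $bindings[$name] = (int) $id; // non-numeric input becomes 0 and matches no row
    }
    return [$column . ' IN (' . implode(', ', $placeholders) . ')', $bindings];
}

/** Fetch the categories of one module and locale that are in a given id set. */
function fetchCategories(PDO $db, string $mod, string $locale, array $catIds): array
{
    [$inClause, $inBindings] = buildInClause('catid', $catIds);
    // $inClause contains only the fixed column name and generated placeholders.
    $sql = "SELECT catid, title FROM categories WHERE modul = :mod AND locale = :loc AND $inClause ORDER BY catid";
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':mod', $mod, PDO::PARAM_STR);
    $stmt->bindValue(':loc', $locale, PDO::PARAM_STR);
    foreach ($inBindings as $name => $id) {
        $stmt->bindValue($name, $id, PDO::PARAM_INT);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed fixture: an in-memory SQLite table standing in for the MySQL one.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE categories (catid INTEGER, modul TEXT, locale TEXT, title TEXT)');
$ins = $db->prepare('INSERT INTO categories VALUES (:id, :mod, :loc, :title)');
$rows = [
    [1, 'news',  'en', 'General'],
    [2, 'news',  'en', 'Security'],
    [3, 'forum', 'en', 'Offtopic'],
    [4, 'news',  'de', 'Allgemein'],
];
foreach ($rows as [$id, $mod, $loc, $title]) {
    $ins->execute([':id' => $id, ':mod' => $mod, ':loc' => $loc, ':title' => $title]);
}

print_r(fetchCategories($db, 'news', 'en', [1, 2, 3]));   // id 3 belongs to another module
print_r(fetchCategories($db, 'news', 'en', ['1', 'x']));  // 'x' is bound as 0
print_r(fetchCategories($db, 'news', 'en', []));          // empty set, no rows
```

Generating placeholder names from a loop index keeps them distinct and predictable, which matters because PDO rejects a named placeholder that is bound twice in one statement when native prepares are in use.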

Refactor: migrate tpl_eval/tpl_func to setTemplateBasic (Stages 1-4)
Author: Eduard Laas | Date: 14:58 27.02.2026

Replace all legacy tpl_eval()/tpl_func() interpolation in HTML templates with named {%key%} placeholders and setTemplateBasic() callers.

Stage 1: quote, code, hide, spoiler (core/system.php BB-code functions)
Stage 2: pagenum, preview, cat-navi, list-bottom, title
         (core/system.php, core/admin.php, modules/account, jokes)
Stage 3: forum-* templates (modules/forum/index.php, 16 HTML files)
Stage 4: voting-open/close/post/view, kasse-open/basic/close (core/system.php),
         assoc-open/basic/close (modules/media/index.php)

Themes updated: lite, default, admin (where applicable). Remaining: tpl_warn('warn',...) calls, comment/basic/liste templates (Stage 5).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
