From 411a756085d864dc6f40dd1186c8452a4a01d4b1 Mon Sep 17 00:00:00 2001 From: Roman Kelesidis Date: Wed, 12 Jun 2024 13:12:25 +0700 Subject: [PATCH] Some security enhancements (#1505) * Some security enhancements * Update CHANGELOG.md
---
 CHANGELOG.md | 1 +
 library/ajax/posts.php | 3 ++-
 library/config.php | 4 ++--
 posting.php | 2 +-
 4 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 75ab68ff7..89741a656 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,7 @@
 - Release 2.4.4 🦩 ([belomaxorka](https://github.com/belomaxorka))
 - Some security improvements 🔑 [\#1503](https://github.com/torrentpier/torrentpier/pull/1503) ([belomaxorka](https://github.com/belomaxorka))
+- Some security enhancements (Part 2) [\#1505](https://github.com/torrentpier/torrentpier/pull/1505) ([belomaxorka](https://github.com/belomaxorka))
 - Some improvements for integrity checker [\#1501](https://github.com/torrentpier/torrentpier/pull/1501) ([belomaxorka](https://github.com/belomaxorka))
 - Minor improvements [\#1502](https://github.com/torrentpier/torrentpier/pull/1502) ([belomaxorka](https://github.com/belomaxorka))
 - New Crowdin updates [\#1504](https://github.com/torrentpier/torrentpier/pull/1504) ([Exileum](https://github.com/Exileum))
diff --git a/library/ajax/posts.php b/library/ajax/posts.php
index f62f1f55d..b4427e960 100644
--- a/library/ajax/posts.php
+++ b/library/ajax/posts.php 
@@ -76,9 +76,10 @@ switch ($this->request['type']) {
 $message = "[quote=\"" . $quote_username . "\"][qpost=" . $post['post_id'] . "]" . $post['post_text'] . "[/quote]\r";
 // hide user passkey
- $message = preg_replace('#(?<=\?uk=)[a-zA-Z0-9](?=&)#', 'passkey', $message);
+ $message = preg_replace('#(?<=[\?&;]' . $bb_cfg['passkey_key'] . '=)[a-zA-Z0-9]#', 'passkey', $message);
 // hide sid
 $message = preg_replace('#(?<=[\?&;]sid=)[a-zA-Z0-9]#', 'sid', $message);
+ $message = $wordCensor->censorString($message);
 if ($post['post_id'] == $post['topic_first_post_id']) {
diff --git a/library/config.php b/library/config.php
index b9cfaf2b4..d59609681 100644
--- a/library/config.php
+++ b/library/config.php
@@ -108,8 +108,8 @@ $bb_cfg['client_ban'] = [
 // The second argument is being shown in the torrent client as a failure message
 // Handy client list: https://github.com/transmission/transmission/blob/f85c3b6f8db95d5363f6ec38eee603f146c6adb6/libtransmission/clients.cc#L504
 'clients' => [
- '-UT' => "uTorrent — NOT ad-free and open-source",
- '-MG' => 'Mostly leeching client'
+ '-UT' => 'uTorrent — NOT ad-free and open-source',
+ '-MG' => 'Mostly leeching client',
 ]
 ];
diff --git a/posting.php b/posting.php
index e866d85e1..bf7324bf3 100644
--- a/posting.php
+++ b/posting.php
@@ -463,7 +463,7 @@ if ($refresh || $error_msg || ($submit && $topic_has_new_posts)) {
 $message = '[quote="' . $quote_username . '"][qpost=' . $post_info['post_id'] . ']' . $message . '[/quote]';
 // hide user passkey
- $message = preg_replace('#(?<=\?uk=)[a-zA-Z0-9](?=&)#', 'passkey', $message);
+ $message = preg_replace('#(?<=[\?&;]' . $bb_cfg['passkey_key'] . '=)[a-zA-Z0-9]#', 'passkey', $message);
 // hide sid
 $message = preg_replace('#(?<=[\?&;]sid=)[a-zA-Z0-9]#', 'sid', $message);
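Review bot: The new passkey-masking line in library/ajax/posts.php still replaces only one character, because `[a-zA-Z0-9]` carries no quantifier, so with a made-up passkey `abcd1234` the quoted text would still contain `passkeybcd1234` and almost the whole secret survives; the identical line in posting.php has the same problem, and the unchanged sid line beneath each is single-character too. `$bb_cfg['passkey_key']` is also spliced into the pattern without `preg_quote()`, so any regex metacharacter in that config value changes the pattern or makes `preg_replace()` return null, which would leave `$message` as null. Both added lines should read `$message = preg_replace('#(?<=[\?&;]' . preg_quote($bb_cfg['passkey_key'], '#') . '=)[a-zA-Z0-9]+#', 'passkey', $message);`. The enclosing switch case in posts.php and the if block in posting.php both start and end outside their hunks.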