Security fixes from Tim Coen (file upload, comment token escaping, 2k11 js comment name escaping)

This commit is contained in:
Garvin Hicking 2015-07-24 13:27:21 +02:00
parent c4f9b721e7
commit 00be5d7b4c
7 changed files with 21 additions and 10 deletions


@ -60,6 +60,17 @@ Version 2.1 ()
Version 2.0.2 ()
------------------------------------------------------------------------
* Fix security issues reported by Tim Coen of Curesec.com:
- Forbid uploading files with PHP contents and possible
PHP execution by authenticated users (critical if
you have possible untrustworthy authors)
- Add proper escaping for comment approval tokens to prevent
SQL injection (authenticated authors only)
- Add proper escaping of comment's author names in the
comment reply form to prevent XSS (2k11 template, javascript
based)
* CKEDITOR bugfix releases to 4.4.8 - please read the changelog.
Including widget, lineutils, fakeobjects Plugins and S9y added
cheatsheet and procurator Plugins.


@ -1,2 +1,2 @@
stable:2.0.1
beta:2.0.1
stable:2.0.2
beta:2.0.2


@ -19,7 +19,7 @@ $msg = '';
if ($serendipity['POST']['formAction'] == 'multiDelete' && sizeof($serendipity['POST']['delete']) != 0 && serendipity_checkFormToken()) {
if ($serendipity['POST']['togglemoderate'] != '') {
foreach ( $serendipity['POST']['delete'] as $k => $v ) {
$ac = serendipity_approveComment($k, $v, false, 'flip');
$ac = serendipity_approveComment((int)$k, (int)$v, false, 'flip');
if ($ac > 0) {
$msg .= DONE . ': '. sprintf(COMMENT_APPROVED, (int)$k);
} else {
@ -87,7 +87,7 @@ if (isset($serendipity['GET']['adminAction']) && $serendipity['GET']['adminActio
if ($rs === false) {
$errormsg .= ERROR .': '. sprintf(COMMENT_ALREADY_APPROVED, (int)$serendipity['GET']['id']);
} else {
serendipity_approveComment($serendipity['GET']['id'], $rs['entry_id']);
serendipity_approveComment((int)$serendipity['GET']['id'], (int)$rs['entry_id']);
$msg .= DONE . ': '. sprintf(COMMENT_APPROVED, (int)$serendipity['GET']['id']);
}
}
@ -103,7 +103,7 @@ if (isset($serendipity['GET']['adminAction']) && $serendipity['GET']['adminActio
if ($rs === false) {
$errormsg .= ERROR .': '. sprintf(COMMENT_ALREADY_APPROVED, (int)$serendipity['GET']['id']);
} else {
serendipity_approveComment($serendipity['GET']['id'], $rs['entry_id'], true, true);
serendipity_approveComment((int)$serendipity['GET']['id'], (int)$rs['entry_id'], true, true);
$msg .= DONE . ': '. sprintf(COMMENT_MODERATED, (int)$serendipity['GET']['id']);
}
}
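Review bot: The `(int)` casts at lines 42, 51 and 60 harden three call sites, but the values reach SQL inside serendipity_approveComment, which is defined outside this diff, so any other existing or future caller of that function remains unprotected. A defense-in-depth fix is to cast at the top of serendipity_approveComment itself, e.g. `$cid = (int)$cid; $entry_id = (int)$entry_id;`, and keep the call-site casts as belt and braces. Line 44 suggests `$k` is the comment id and `$v` the entry id in the multiDelete loop, though that is inferred rather than shown. The `if` conditions at lines 46 and 55 are cut off by the hunk headers, so whether those GET-driven approve/moderate paths are guarded by serendipity_checkFormToken() like the POST path at line 38 cannot be confirmed here; worth checking, since the cast stops injection but not a forged request.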


@ -24,14 +24,14 @@ function serendipity_checkCommentToken($token, $cid) {
WHERE okey LIKE 'comment_%' AND name < " . (time() - 604800) );
// Get the token for this comment id
$tokencheck = serendipity_db_query("SELECT * FROM {$serendipity['dbPrefix']}options
WHERE okey = 'comment_" . $cid . "' LIMIT 1", true, 'assoc');
WHERE okey = 'comment_" . (int)$cid . "' LIMIT 1", true, 'assoc');
// Verify it against the passed key
if (is_array($tokencheck)) {
if ($tokencheck['value'] == $token) {
$goodtoken = true; // use this to bypass security checks later
// if using tokens, delete this comment from that list no matter how we got here
serendipity_db_query("DELETE FROM {$serendipity['dbPrefix']}options
WHERE okey = 'comment_" . $cid . "'");
WHERE okey = 'comment_" . (int)$cid . "'");
}
}
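Review bot: With `$cid` now int-cast in both queries, the only attacker-influenced input left in this function is `$token`, and line 75 still compares it to the stored value with loose `==`; PHP type-juggles that comparison, so numeric-looking strings (the classic `0e…` pair) or a non-string `$token` can match in ways not intended. Compare strictly and in constant time: `if (is_string($token) && hash_equals((string)$tokencheck['value'], $token)) {` — `hash_equals` needs PHP 5.6, so on older targets use `===` instead. The format of the stored token (a hash or otherwise) is not visible in the hunk. serendipity_checkCommentToken begins before the hunk header at line 67 and continues past line 82.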


@ -18,7 +18,7 @@ function serendipity_isActiveFile($file) {
return true;
}
$core = preg_match('@\.(php.*|[psj]html?|aspx?|cgi|jsp|py|pl)$@i', $file);
$core = preg_match('@\.(php.*|[psj]html?|pht|aspx?|cgi|jsp|py|pl)$@i', $file);
if ($core) {
return true;
}
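Review bot: The deny-list at line 90 now catches `.pht` but still lets `.phar` through, which the PHP module handler commonly matches alongside `.php`/`.phtml` in distribution Apache configs, and it also leaves `.htaccess` and `.user.ini` uploads alone, which can turn an otherwise harmless extension into an executed one. Since an extension deny-list is inherently a chase, at minimum widen the pattern: `$core = preg_match('@\.(php.*|[psj]html?|pht|phar|aspx?|cgi|jsp|py|pl|htaccess|htpasswd|user\.ini)$@i', $file);`, and pair it with the content check the changelog mentions if that lives elsewhere. Whether the earlier check at lines 86–88 already covers dotfiles cannot be seen from the hunk; serendipity_isActiveFile continues past line 93.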


@ -47,7 +47,7 @@ if (defined('USE_MEMSNAP')) {
}
// The version string
$serendipity['version'] = '2.1-alpha1';
$serendipity['version'] = '2.1-alpha2';
// Setting this to 'false' will enable debugging output. All alpha/beta/cvs snapshot versions will emit debug information by default. To increase the debug level (to enable Smarty debugging), set this flag to 'debug'.


@ -17,4 +17,4 @@ var AccessifyHTML5=function(a,b){"use strict";var f,g,h,i,j,k,l,m,n,o,c={article
/*! http://mths.be/placeholder v2.0.7 by @mathias */
!function(a,b,c){function k(a){var b={},d=/^jQuery\d+$/;return c.each(a.attributes,function(a,c){c.specified&&!d.test(c.name)&&(b[c.name]=c.value)}),b}function l(a,b){var d=this,e=c(d);if(d.value==e.attr("placeholder")&&e.hasClass("placeholder"))if(e.data("placeholder-password")){if(e=e.hide().next().show().attr("id",e.removeAttr("id").data("placeholder-id")),a===!0)return e[0].value=b;e.focus()}else d.value="",e.removeClass("placeholder"),d==n()&&d.select()}function m(){var a,b=this,d=c(b),e=this.id;if(""==b.value){if("password"==b.type){if(!d.data("placeholder-textinput")){try{a=d.clone().attr({type:"text"})}catch(f){a=c("<input>").attr(c.extend(k(this),{type:"text"}))}a.removeAttr("name").data({"placeholder-password":d,"placeholder-id":e}).bind("focus.placeholder",l),d.data({"placeholder-textinput":a,"placeholder-id":e}).before(a)}d=d.removeAttr("id").hide().prev().attr("id",e).show()}d.addClass("placeholder"),d[0].value=d.attr("placeholder")}else d.removeClass("placeholder")}function n(){try{return b.activeElement}catch(a){}}var i,j,d="placeholder"in b.createElement("input"),e="placeholder"in b.createElement("textarea"),f=c.fn,g=c.valHooks,h=c.propHooks;d&&e?(j=f.placeholder=function(){return this},j.input=j.textarea=!0):(j=f.placeholder=function(){var a=this;return a.filter((d?"textarea":":input")+"[placeholder]").not(".placeholder").bind({"focus.placeholder":l,"blur.placeholder":m}).data("placeholder-enabled",!0).trigger("blur.placeholder"),a},j.input=d,j.textarea=e,i={get:function(a){var b=c(a),d=b.data("placeholder-password");return d?d[0].value:b.data("placeholder-enabled")&&b.hasClass("placeholder")?"":a.value},set:function(a,b){var d=c(a),e=d.data("placeholder-password");return 
e?e[0].value=b:d.data("placeholder-enabled")?(""==b?(a.value=b,a!=n()&&m.call(a)):d.hasClass("placeholder")?l.call(a,!0,b)||(a.value=b):a.value=b,d):a.value=b}},d||(g.input=i,h.value=i),e||(g.textarea=i,h.value=i),c(function(){c(b).delegate("form","submit.placeholder",function(){var a=c(".placeholder",this).each(l);setTimeout(function(){a.each(m)},10)})}),c(a).bind("beforeunload.placeholder",function(){c(".placeholder").each(function(){this.value=""})}))}(this,document,jQuery);
/*! 2k11 main JS */
jQuery(document).ready(function(a){AccessifyHTML5({header:"#banner",footer:"#colophon"}),a("input[type=search]").parents("form").attr("role","search");a('html').addClass(a.fn.details.support ? 'details' : 'no-details');a('details').details();var b=a("<select/>");a("#primary-nav li").each(function(){var c=a(this);c.find("span").length?a("<option/>",{selected:"selected",value:"",text:c.text()}).appendTo(b):a("<option/>",{value:c.find("a").attr("href"),text:c.text()}).appendTo(b)}),b.children().size()>0&&b.appendTo("#primary-nav").change(function(){window.location=a(this).find("option:selected").val()}),"string"==typeof lsbase&&a('<div id="LSResult" style="display: none;"><div id="LSShadow"></div></div>').appendTo("#searchform>div"),a("input, textarea").placeholder(),a("#content>article").fitVids(),a("#trackback_url>a,.short-url").click(function(){var b=a(this).attr("title");return alert(b),!1}),a(".comment_reply").click(function(){var b=a(this).attr("id").replace(/serendipity_reply_/g,"");a("#serendipity_replyTo").val(b)}),a(".comment_source_ownerlink").click(function(){var b=a(this).attr("title");return confirm(b)}),a("#c").insertAfter("#feedback"),a(".comment_reply").click(function(){a("#reply-to-comment").remove();var b='<p id="reply-to-comment">'+a("#reply-to-hint").text()+" "+a("#serendipity_replyTo :selected").text()+"</p>";a("#serendipity_replyTo").after(b)}),a("#reply-to-hint,#serendipity_replyTo").addClass("visuallyhidden"),a(".reply_origin").click(function(){if(location.pathname.replace(/^\//,"")==this.pathname.replace(/^\//,"")&&location.hostname==this.hostname){var b=a(this.hash);if(b=b.length&&b||a("[name="+this.hash.slice(1)+"]"),b.length){var c=b.offset().top;return a("html,body").animate({scrollTop:c},700),!1}}})});
jQuery(document).ready(function(a){AccessifyHTML5({header:"#banner",footer:"#colophon"}),a("input[type=search]").parents("form").attr("role","search");a('html').addClass(a.fn.details.support ? 'details' : 'no-details');a('details').details();var b=a("<select/>");a("#primary-nav li").each(function(){var c=a(this);c.find("span").length?a("<option/>",{selected:"selected",value:"",text:c.text()}).appendTo(b):a("<option/>",{value:c.find("a").attr("href"),text:c.text()}).appendTo(b)}),b.children().size()>0&&b.appendTo("#primary-nav").change(function(){window.location=a(this).find("option:selected").val()}),"string"==typeof lsbase&&a('<div id="LSResult" style="display: none;"><div id="LSShadow"></div></div>').appendTo("#searchform>div"),a("input, textarea").placeholder(),a("#content>article").fitVids(),a("#trackback_url>a,.short-url").click(function(){var b=a(this).attr("title");return alert(b),!1}),a(".comment_reply").click(function(){var b=a(this).attr("id").replace(/serendipity_reply_/g,"");a("#serendipity_replyTo").val(b)}),a(".comment_source_ownerlink").click(function(){var b=a(this).attr("title");return confirm(b)}),a("#c").insertAfter("#feedback"),a(".comment_reply").click(function(){a("#reply-to-comment").remove();var b='<p id="reply-to-comment">'+a("#reply-to-hint").text()+" "+a("#serendipity_replyTo :selected").html()+"</p>";a("#serendipity_replyTo").after(b)}),a("#reply-to-hint,#serendipity_replyTo").addClass("visuallyhidden"),a(".reply_origin").click(function(){if(location.pathname.replace(/^\//,"")==this.pathname.replace(/^\//,"")&&location.hostname==this.hostname){var b=a(this.hash);if(b=b.length&&b||a("[name="+this.hash.slice(1)+"]"),b.length){var c=b.offset().top;return a("html,body").animate({scrollTop:c},700),!1}}})});
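Review bot: Switching `.text()` to `.html()` on the selected option (second `.comment_reply` handler, line 112) closes the XSS only because jQuery's innerHTML serialisation happens to re-escape the author name; the `<p>` is still assembled by string concatenation, `#reply-to-hint`'s text goes in unescaped, and a later edit back to `.text()` silently reopens the hole. Build the element and set its text instead, so no escaping step has to be remembered: `var b=a('<p id="reply-to-comment"></p>').text(a("#reply-to-hint").text()+" "+a("#serendipity_replyTo :selected").text());a("#serendipity_replyTo").after(b)`. This is a minified file, so a short comment near the handler noting why the text must not be concatenated into markup would help the next maintainer who re-minifies it.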