
* Add ability for plugins to check uploaded media files for invalid
  file extensions. Added more escaping to user- and group names
  for untrusted author environments, thanks to Hanno Boeck.
  (garvinhicking)
This commit is contained in:
Garvin Hicking
2008-02-01 14:10:14 +00:00
parent 18c462062e
commit 3739631a6e
13 changed files with 41 additions and 30 deletions


@ -120,9 +120,9 @@ if ($serendipity['GET']['adminAction'] == 'doDelete' && serendipity_checkFormTok
|| (serendipity_checkPermission('adminCategoriesDelete') && ($serendipity['authorid'] == $this_cat['authorid'] || $this_cat['authorid'] == '0'))
|| (serendipity_checkPermission('adminCategoriesDelete') && serendipity_ACLCheck($serendipity['authorid'], $serendipity['GET']['cid'], 'category', 'write'))) {
?>
<form method="POST" name="serendipityCategory" action="?serendipity[adminModule]=category&amp;serendipity[adminAction]=doDelete&amp;serendipity[cid]=<?php echo $serendipity['GET']['cid'] ?>">
<form method="POST" name="serendipityCategory" action="?serendipity[adminModule]=category&amp;serendipity[adminAction]=doDelete&amp;serendipity[cid]=<?php echo (int)$serendipity['GET']['cid'] ?>">
<?php echo serendipity_setFormToken(); ?>
<h3><?php echo $this_cat['category_name']; ?></h3>
<h3><?php echo htmlspecialchars($this_cat['category_name']); ?></h3>
<?php echo CATEGORY_REMAINING ?>:
<select name="serendipity[cat][remaining_catid]">
<option value="0">- <?php echo NO_CATEGORY ?> -</option>
@ -170,7 +170,7 @@ if ($serendipity['GET']['adminAction'] == 'doDelete' && serendipity_checkFormTok
<tr>
<td><?php echo NAME; ?></td>
<td><input class="input_textbox" type="text" name="serendipity[cat][name]" value="<?php echo isset($this_cat['category_name']) ? htmlspecialchars($this_cat['category_name']) : ''; ?>" /></td>
<td rowspan="5" align="center" valign="middle" width="200" style="border: 1px solid #ccc"><img src="<?php echo isset($this_cat['category_icon']) ? $this_cat['category_icon'] : '' ?>" id="imagepreview" <?php echo empty($this_cat['category_icon']) ? 'style="display: none"' : '' ?> /></td>
<td rowspan="5" align="center" valign="middle" width="200" style="border: 1px solid #ccc"><img src="<?php echo isset($this_cat['category_icon']) ? htmlspecialchars($this_cat['category_icon']) : '' ?>" id="imagepreview" <?php echo empty($this_cat['category_icon']) ? 'style="display: none"' : '' ?> /></td>
</tr>
<tr>
@ -279,7 +279,7 @@ if ( $serendipity['GET']['adminAction'] == 'view' ) {
<td width="16"><?php if ( !empty($category['category_icon']) ) {?><img src="<?php echo serendipity_getTemplateFile('admin/img/thumbnail.png') ?>" alt="" /><?php } else echo '&nbsp;' ?></td>
<td width="300" style="padding-left: <?php echo ($category['depth']*15)+20 ?>px"><img src="<?php echo serendipity_getTemplateFile('admin/img/folder.png') ?>" style="vertical-align: bottom;"> <?php echo htmlspecialchars($category['category_name']) ?></td>
<td><?php echo htmlspecialchars($category['category_description']) ?></td>
<td align="right"><?php echo ($category['authorid'] == '0' ? ALL_AUTHORS : $category['realname']); ?></td>
<td align="right"><?php echo ($category['authorid'] == '0' ? ALL_AUTHORS : htmlspecialchars($category['realname'])); ?></td>
</tr>
<?php }
} ?>
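Review bot: The escaping added to the `src` attribute of the category icon (the rewritten `<td rowspan="5" ...>` line in the second hunk) stops attribute breakout, but it does not constrain what the icon URL may point to; under the untrusted-author model this commit is about, `category_icon` should additionally be checked to be a relative path or an http(s) URL either when it is saved or before it is rendered, since HTML escaping alone does not restrict the URL scheme. Separately, the `(int)` cast applied to `serendipity[cid]` in the form action is not applied to the same GET value that reaches `serendipity_ACLCheck(...)` two lines above the `?>`; if that function does not normalize its argument itself, casting `$serendipity['GET']['cid']` once at the top of the branch would cover both uses. The enclosing `if` starts before the first hunk.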


@ -16,7 +16,7 @@ $summaryLength = 200;
if ($serendipity['POST']['formAction'] == 'multiDelete' && sizeof($serendipity['POST']['delete']) != 0 && serendipity_checkFormToken()) {
foreach ( $serendipity['POST']['delete'] as $k => $v ) {
serendipity_deleteComment($k, $v);
echo DONE . ': '. sprintf(COMMENT_DELETED, $k) . '<br />';
echo DONE . ': '. sprintf(COMMENT_DELETED, (int)$k) . '<br />';
}
}
@ -89,7 +89,6 @@ if (isset($serendipity['GET']['adminAction']) && $serendipity['GET']['adminActio
if ($rs === false) {
echo ERROR .': '. sprintf(COMMENT_ALREADY_APPROVED, (int)$serendipity['GET']['id']);
} else {
serendipity_approveComment($serendipity['GET']['id'], $rs['entry_id'], true, true);
echo DONE . ': '. sprintf(COMMENT_MODERATED, (int)$serendipity['GET']['id']);
}
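Review bot: The `(int)` cast on `$k` in the multiDelete loop only affects the value printed in the COMMENT_DELETED message; the raw `$k` and `$v` from `$serendipity['POST']['delete']` still go into `serendipity_deleteComment($k, $v)` on the line above. Unless that function casts its arguments itself (not visible here), normalize once so the delete and the message agree, e.g. `$k = (int)$k;` as the first statement of the loop body. The `sizeof(...)` guard on the `if` line also assumes `delete` is an array; `is_array($serendipity['POST']['delete']) && ...` avoids a notice when the field arrives in another shape. The second hunk only removes a line and needs no change.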


@ -116,7 +116,7 @@ function serendipity_drawList() {
$users = serendipity_fetchUsers();
if (is_array($users)) {
foreach ($users AS $user) {
echo '<option value="' . $user['authorid'] . '" ' . (isset($serendipity['GET']['filter']['author']) && $serendipity['GET']['filter']['author'] == $user['authorid'] ? 'selected="selected"' : '') . '>' . $user['realname'] . '</option>' . "\n";
echo '<option value="' . $user['authorid'] . '" ' . (isset($serendipity['GET']['filter']['author']) && $serendipity['GET']['filter']['author'] == $user['authorid'] ? 'selected="selected"' : '') . '>' . htmlspecialchars($user['realname']) . '</option>' . "\n";
}
}
?> </select> <select name="serendipity[filter][isdraft]">
@ -133,7 +133,7 @@ function serendipity_drawList() {
$categories = serendipity_fetchCategories();
$categories = serendipity_walkRecursive($categories, 'categoryid', 'parentid', VIEWMODE_THREADED);
foreach ( $categories as $cat ) {
echo '<option value="'. $cat['categoryid'] .'"'. ($serendipity['GET']['filter']['category'] == $cat['categoryid'] ? ' selected="selected"' : '') .'>'. str_repeat('&nbsp;', $cat['depth']) . $cat['category_name'] .'</option>' . "\n";
echo '<option value="'. $cat['categoryid'] .'"'. ($serendipity['GET']['filter']['category'] == $cat['categoryid'] ? ' selected="selected"' : '') .'>'. str_repeat('&nbsp;', $cat['depth']) . htmlspecialchars($cat['category_name']) .'</option>' . "\n";
}
?> </select>
</td>
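Review bot: In the rewritten author `<option>` line, `$user['realname']` is now escaped but `$user['authorid']` is still concatenated raw into the `value` attribute, and the category hunk does the same with `$cat['categoryid']`; for consistency with the `(int)` casts this commit applies to ids elsewhere, `'<option value="' . (int)$user['authorid'] . '" '` and `'<option value="'. (int)$cat['categoryid'] .'"'` would make those attributes safe regardless of what the fetch functions return. The category line also reads `$serendipity['GET']['filter']['category']` without the `isset` guard the author line uses, which emits a notice when no filter is set. `serendipity_drawList()` starts before the first hunk and continues after the second.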


@ -7,6 +7,6 @@ if (IN_serendipity !== true) {
die ('Don\'t hack!');
}
echo WELCOME_BACK . ' ' . $_SESSION['serendipityUser'];
echo WELCOME_BACK . ' ' . htmlspecialchars($_SESSION['serendipityUser']);
?>


@ -14,7 +14,7 @@ if (!serendipity_checkPermission('adminUsersGroups')) {
if (isset($_POST['DELETE_YES']) && serendipity_checkFormToken()) {
$group = serendipity_fetchGroup($serendipity['POST']['group']);
serendipity_deleteGroup($serendipity['POST']['group']);
printf('<div class="serendipityAdminMsgSuccess"><img style="height: 22px; width: 22px; border: 0px; padding-right: 4px; vertical-align: middle" src="' . serendipity_getTemplateFile('admin/img/admin_msg_success.png') . '" alt="" />' . DELETED_GROUP . '</div>', $serendipity['POST']['group'], $group['name']);
printf('<div class="serendipityAdminMsgSuccess"><img style="height: 22px; width: 22px; border: 0px; padding-right: 4px; vertical-align: middle" src="' . serendipity_getTemplateFile('admin/img/admin_msg_success.png') . '" alt="" />' . DELETED_GROUP . '</div>', htmlspecialchars($serendipity['POST']['group']), htmlspecialchars($group['name']));
}
/* Save new group */
@ -22,7 +22,7 @@ if (isset($_POST['SAVE_NEW']) && serendipity_checkFormToken()) {
$serendipity['POST']['group'] = serendipity_addGroup($serendipity['POST']['name']);
$perms = serendipity_getAllPermissionNames();
serendipity_updateGroupConfig($serendipity['POST']['group'], $perms, $serendipity['POST'], false, $serendipity['POST']['forbidden_plugins'], $serendipity['POST']['forbidden_hooks']);
printf('<div class="serendipityAdminMsgSuccess"><img style="height: 22px; width: 22px; border: 0px; padding-right: 4px; vertical-align: middle" src="' . serendipity_getTemplateFile('admin/img/admin_msg_success.png') . '" alt="" />' . CREATED_GROUP . '</div>', '#' . $serendipity['POST']['group'] . ', ' . $serendipity['POST']['name']);
printf('<div class="serendipityAdminMsgSuccess"><img style="height: 22px; width: 22px; border: 0px; padding-right: 4px; vertical-align: middle" src="' . serendipity_getTemplateFile('admin/img/admin_msg_success.png') . '" alt="" />' . CREATED_GROUP . '</div>', '#' . htmlspecialchars($serendipity['POST']['group']) . ', ' . htmlspecialchars($serendipity['POST']['name']));
}
@ -30,7 +30,7 @@ if (isset($_POST['SAVE_NEW']) && serendipity_checkFormToken()) {
if (isset($_POST['SAVE_EDIT']) && serendipity_checkFormToken()) {
$perms = serendipity_getAllPermissionNames();
serendipity_updateGroupConfig($serendipity['POST']['group'], $perms, $serendipity['POST'], false, $serendipity['POST']['forbidden_plugins'], $serendipity['POST']['forbidden_hooks']);
printf('<div class="serendipityAdminMsgSuccess"><img style="height: 22px; width: 22px; border: 0px; padding-right: 4px; vertical-align: middle" src="' . serendipity_getTemplateFile('admin/img/admin_msg_success.png') . '" alt="" />' . MODIFIED_GROUP . '</div>', $serendipity['POST']['name']);
printf('<div class="serendipityAdminMsgSuccess"><img style="height: 22px; width: 22px; border: 0px; padding-right: 4px; vertical-align: middle" src="' . serendipity_getTemplateFile('admin/img/admin_msg_success.png') . '" alt="" />' . MODIFIED_GROUP . '</div>', htmlspecialchars($serendipity['POST']['name']));
}
if ( $serendipity['GET']['adminAction'] != 'delete' ) {
@ -57,8 +57,8 @@ foreach($groups as $group) {
<table width="100%">
<tr>
<td><?php echo htmlspecialchars($group['name']); ?></td>
<td width="200" align="right"> <a href="?serendipity[adminModule]=groups&amp;serendipity[adminAction]=edit&amp;serendipity[group]=<?php echo $group['id'] ?>" title="<?php echo EDIT . " " . $group['name']; ?>" class="serendipityIconLink"><img src="<?php echo serendipity_getTemplateFile('admin/img/edit.png'); ?>" alt="<?php echo EDIT . " " . $group['name']; ?>" /><?php echo EDIT ?></a>
<a href="?<?php echo serendipity_setFormToken('url'); ?>&amp;serendipity[adminModule]=groups&amp;serendipity[adminAction]=delete&amp;serendipity[group]=<?php echo $group['id'] ?>" title="<?php echo DELETE . " " . $group['name']; ?>" class="serendipityIconLink"><img src="<?php echo serendipity_getTemplateFile('admin/img/delete.png'); ?>" alt="<?php echo DELETE . " " . $group['name']; ?>" /><?php echo DELETE ?></a></td>
<td width="200" align="right"> <a href="?serendipity[adminModule]=groups&amp;serendipity[adminAction]=edit&amp;serendipity[group]=<?php echo $group['id'] ?>" title="<?php echo EDIT . " " . htmlspecialchars($group['name']); ?>" class="serendipityIconLink"><img src="<?php echo serendipity_getTemplateFile('admin/img/edit.png'); ?>" alt="<?php echo EDIT . " " . htmlspecialchars($group['name']); ?>" /><?php echo EDIT ?></a>
<a href="?<?php echo serendipity_setFormToken('url'); ?>&amp;serendipity[adminModule]=groups&amp;serendipity[adminAction]=delete&amp;serendipity[group]=<?php echo $group['id'] ?>" title="<?php echo DELETE . " " . htmlspecialchars($group['name']); ?>" class="serendipityIconLink"><img src="<?php echo serendipity_getTemplateFile('admin/img/delete.png'); ?>" alt="<?php echo DELETE . " " . htmlspecialchars($group['name']); ?>" /><?php echo DELETE ?></a></td>
</tr>
</table>
</div>
@ -247,10 +247,10 @@ if ($serendipity['GET']['adminAction'] == 'edit') { ?>
?>
<form action="?serendipity[adminModule]=groups" method="post">
<div>
<?php printf(DELETE_GROUP, $serendipity['GET']['group'], $group['name']); ?>
<?php printf(DELETE_GROUP, (int)$serendipity['GET']['group'], htmlspecialchars($group['name'])); ?>
<br /><br />
<?php echo serendipity_setFormToken(); ?>
<input type="hidden" name="serendipity[group]" value="<?php echo $serendipity['GET']['group']; ?>" />
<input type="hidden" name="serendipity[group]" value="<?php echo htmlspecialchars($serendipity['GET']['group']); ?>" />
<input type="submit" name="DELETE_YES" value="<?php echo DUMP_IT; ?>" class="serendipityPrettyButton input_button" />
<input type="submit" name="NO" value="<?php echo NOT_REALLY; ?>" class="serendipityPrettyButton input_button" />
</div>
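Review bot: The hidden `serendipity[group]` input in the last hunk escapes `$serendipity['GET']['group']` with `htmlspecialchars()`, while the `DELETE_GROUP` message two lines above casts the same value with `(int)` (as the users module does for `serendipity[userid]`); since this is a group id that the DELETE_YES handler in the first hunk passes straight to `serendipity_fetchGroup()` and `serendipity_deleteGroup()`, `value="<?php echo (int)$serendipity['GET']['group']; ?>"` is the consistent choice and also normalizes what comes back in POST. The same consideration applies to `htmlspecialchars($serendipity['POST']['group'])` in the DELETED_GROUP and CREATED_GROUP `printf` calls of the first two hunks, where `(int)` fits an id better than HTML escaping. The `if ($serendipity['GET']['adminAction'] == 'edit')` block around the last hunk starts and ends outside it.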


@ -478,7 +478,7 @@ if ( (int)$serendipity['GET']['step'] == 0 ) {
serendipity_installDatabase();
echo ' <strong>' . DONE . '</strong><br />';
echo sprintf(CREATING_PRIMARY_AUTHOR, $_POST['user']) .'...';
echo sprintf(CREATING_PRIMARY_AUTHOR, htmlspecialchars($_POST['user'])) .'...';
$authorid = serendipity_addAuthor($_POST['user'], $_POST['pass'], $_POST['realname'], $_POST['email'], USERLEVEL_ADMIN);
$mail_comments = (serendipity_db_bool($_POST['want_mail']) ? 1 : 0);
serendipity_set_user_var('mail_comments', $mail_comments, $authorid);


@ -11,7 +11,7 @@ $user = serendipity_fetchAuthor($serendipity['authorid']);
$bookmarklet = "javascript:bm=document.selection?document.selection.createRange().text:document.getSelection();void(newwin=open('" . $serendipity['baseURL'] . "serendipity_admin.php?serendipity[adminModule]=entries&serendipity[adminAction]=new&serendipity[title]='+ escape(document.title) + '&serendipity[body]=' + escape(bm) +'&serendipity[url]=' + escape(location.href), 'new_log_entry','resizable=yes, scrollbars=yes, width=800, height=600, location=yes,status=yes')); newwin.focus();";
$output = array(
'welcome' => WELCOME_BACK . ' ' . $user[0]['realname'],
'welcome' => WELCOME_BACK . ' ' . htmlspecialchars($user[0]['realname']),
'show_links' => true,
'links_title' => FURTHER_LINKS,
'bookmarklet' => $bookmarklet,
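Review bot: `'welcome'` is now the only entry of `$output` that carries a pre-escaped value while the neighbouring entries (`links_title`, `bookmarklet`) are raw; whether that is correct depends on the template that renders `$output`, which is not visible here — if it escapes on output the name is double-encoded, and if it prints raw the reader of this file gets no hint that only this key is already safe. A one-line comment on the `'welcome'` entry, `// realname is HTML-escaped here; the template must print it raw`, would record the contract, or the escaping could move into the template so the data array stays uniform. The `$output` array continues past the hunk.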


@ -94,7 +94,7 @@ if ($serendipity['GET']['adminAction'] == 'save' && serendipity_checkFormToken()
}
$from = $_POST;
?>
<div class="serendipityAdminMsgSuccess"><img width="22px" height="22px" style="border: 0px; padding-right: 4px; vertical-align: middle" src="<?php echo serendipity_getTemplateFile('admin/img/admin_msg_success.png'); ?>" alt="" /><?php echo sprintf(MODIFIED_USER, $_POST['realname']) ?></div>
<div class="serendipityAdminMsgSuccess"><img width="22px" height="22px" style="border: 0px; padding-right: 4px; vertical-align: middle" src="<?php echo serendipity_getTemplateFile('admin/img/admin_msg_success.png'); ?>" alt="" /><?php echo sprintf(MODIFIED_USER, htmlspecialchars($_POST['realname'])) ?></div>
<?php }
} ?>


@ -25,7 +25,7 @@ if (isset($_POST['DELETE_YES']) && serendipity_checkFormToken()) {
if (serendipity_checkPermission('adminUsersMaintainOthers') ||
(serendipity_checkPermission('adminUsersMaintainSame') && $group_intersect)) {
serendipity_deleteAuthor($user[0]['authorid']);
printf('<div class="serendipityAdminMsgSuccess"><img style="height: 22px; width: 22px; border: 0px; padding-right: 4px; vertical-align: middle" src="' . serendipity_getTemplateFile('admin/img/admin_msg_success.png') . '" alt="" />' . DELETED_USER . '</div>', $serendipity['POST']['user'], $user[0]['realname']);
printf('<div class="serendipityAdminMsgSuccess"><img style="height: 22px; width: 22px; border: 0px; padding-right: 4px; vertical-align: middle" src="' . serendipity_getTemplateFile('admin/img/admin_msg_success.png') . '" alt="" />' . DELETED_USER . '</div>', htmlspecialchars($serendipity['POST']['user']), htmlspecialchars($user[0]['realname']));
serendipity_plugin_api::hook_event('backend_users_delete', $user[0]);
} else {
echo '<div class="serendipityAdminMsgError"><img style="width: 22px; height: 22px; border: 0px; padding-right: 4px; vertical-align: middle" src="' . serendipity_getTemplateFile('admin/img/admin_msg_error.png') . '" alt="" />' . CREATE_NOT_AUTHORIZED_USERLEVEL . '</div>';
@ -90,7 +90,7 @@ if (isset($_POST['SAVE_NEW']) && serendipity_checkFormToken()) {
}
serendipity_plugin_api::hook_event('backend_users_add', $serendipity['POST']['user']);
printf('<div class="serendipityAdminMsgSuccess"><img style="height: 22px; width: 22px; border: 0px; padding-right: 4px; vertical-align: middle" src="' . serendipity_getTemplateFile('admin/img/admin_msg_success.png') . '" alt="" />' . CREATED_USER . '</div>', '#' . $serendipity['POST']['user'] . ', ' . $_POST['realname']);
printf('<div class="serendipityAdminMsgSuccess"><img style="height: 22px; width: 22px; border: 0px; padding-right: 4px; vertical-align: middle" src="' . serendipity_getTemplateFile('admin/img/admin_msg_success.png') . '" alt="" />' . CREATED_USER . '</div>', '#' . htmlspecialchars($serendipity['POST']['user']) . ', ' . htmlspecialchars($_POST['realname']));
}
}
@ -161,7 +161,7 @@ if (isset($_POST['SAVE_EDIT']) && serendipity_checkFormToken()) {
serendipity_updatePermalink($pl_data, 'author');
serendipity_plugin_api::hook_event('backend_users_edit', $pl_data);
printf('<div class="serendipityAdminMsgSuccess"><img style="height: 22px; width: 22px; border: 0px; padding-right: 4px; vertical-align: middle" src="' . serendipity_getTemplateFile('admin/img/admin_msg_success.png') . '" alt="" />' . MODIFIED_USER . '</div>', $_POST['realname']);
printf('<div class="serendipityAdminMsgSuccess"><img style="height: 22px; width: 22px; border: 0px; padding-right: 4px; vertical-align: middle" src="' . serendipity_getTemplateFile('admin/img/admin_msg_success.png') . '" alt="" />' . MODIFIED_USER . '</div>', htmlspecialchars($_POST['realname']));
}
}
@ -202,8 +202,8 @@ if (is_array($users)) {
<?php /* TODO: Add username to list once tom figures out how to fix uneven rowstyles */ ?>
<td><img src="<?php echo $img ?>" alt="" style="border: 0px none ; vertical-align: bottom; display: inline;" /> <?php echo htmlspecialchars($user['realname']); ?></td>
<td width="100" align="center"><?php echo $user['userlevel']; ?></td>
<td width="200" align="right"> <a href="?serendipity[adminModule]=users&amp;serendipity[adminAction]=edit&amp;serendipity[userid]=<?php echo $user['authorid'] ?>#editform" title="<?php echo EDIT . " " . $user['realname']; ?>" class="serendipityIconLink"><img src="<?php echo serendipity_getTemplateFile('admin/img/edit.png'); ?>" alt="<?php echo EDIT . " " . $user['realname']; ?>" /><?php echo EDIT ?></a>
<a href="?<?php echo serendipity_setFormToken('url'); ?>&amp;serendipity[adminModule]=users&amp;serendipity[adminAction]=delete&amp;serendipity[userid]=<?php echo $user['authorid'] ?>" title="<?php echo DELETE . " " . $user['realname']; ?>" class="serendipityIconLink"><img src="<?php echo serendipity_getTemplateFile('admin/img/delete.png'); ?>" alt="<?php echo DELETE . " " . $user['realname']; ?>" /><?php echo DELETE ?></a></td>
<td width="200" align="right"> <a href="?serendipity[adminModule]=users&amp;serendipity[adminAction]=edit&amp;serendipity[userid]=<?php echo $user['authorid'] ?>#editform" title="<?php echo EDIT . " " . htmlspecialchars($user['realname']); ?>" class="serendipityIconLink"><img src="<?php echo serendipity_getTemplateFile('admin/img/edit.png'); ?>" alt="<?php echo EDIT . " " . htmlspecialchars($user['realname']); ?>" /><?php echo EDIT ?></a>
<a href="?<?php echo serendipity_setFormToken('url'); ?>&amp;serendipity[adminModule]=users&amp;serendipity[adminAction]=delete&amp;serendipity[userid]=<?php echo $user['authorid'] ?>" title="<?php echo DELETE . " " . htmlspecialchars($user['realname']); ?>" class="serendipityIconLink"><img src="<?php echo serendipity_getTemplateFile('admin/img/delete.png'); ?>" alt="<?php echo DELETE . " " . htmlspecialchars($user['realname']); ?>" /><?php echo DELETE ?></a></td>
</tr>
</table>
</div>
@ -253,7 +253,7 @@ if ($serendipity['GET']['adminAction'] == 'edit') {
echo EDIT;
$from = &$user[0];
unset($from['password']);
echo '<input type="hidden" name="serendipity[user]" value="' . $from['authorid'] . '" />';
echo '<input type="hidden" name="serendipity[user]" value="' . (int)$from['authorid'] . '" />';
} else {
echo '<strong>' . CREATE_NOT_AUTHORIZED . '</strong><br />';
echo EDIT;
@ -294,10 +294,10 @@ if ($serendipity['GET']['adminAction'] == 'edit') { ?>
?>
<form action="?serendipity[adminModule]=users" method="post">
<div>
<?php printf(DELETE_USER, $serendipity['GET']['userid'], $user[0]['realname']); ?>
<?php printf(DELETE_USER, (int)$serendipity['GET']['userid'], htmlspecialchars($user[0]['realname'])); ?>
<br /><br />
<?php echo serendipity_setFormToken(); ?>
<input type="hidden" name="serendipity[user]" value="<?php echo $serendipity['GET']['userid']; ?>" />
<input type="hidden" name="serendipity[user]" value="<?php echo (int)$serendipity['GET']['userid']; ?>" />
<input type="submit" name="DELETE_YES" value="<?php echo DUMP_IT; ?>" class="serendipityPrettyButton input_button" />
<input type="submit" name="NO" value="<?php echo NOT_REALLY; ?>" class="serendipityPrettyButton input_button" />
</div>
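Review bot: In the DELETED_USER and CREATED_USER `printf` calls (first and second hunks) `$serendipity['POST']['user']` is HTML-escaped, but elsewhere in this same file the commit treats that field as an author id and casts it with `(int)` (the hidden `serendipity[user]` input in the fifth hunk and the one in the last hunk); `htmlspecialchars($serendipity['POST']['user'])` → `(int)$serendipity['POST']['user']` would be consistent and needs no escaping at all. The rewritten `EDIT`/`DELETE` link lines in the fourth hunk also still concatenate `$user['authorid']` raw into `serendipity[userid]=` in the `href`, where `(int)$user['authorid']` would match the treatment of the same id in the hidden input. Each hunk's enclosing `if` block starts outside the lines shown.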


@ -24,7 +24,14 @@ function serendipity_isActiveFile($file) {
return true;
}
return preg_match('@\.(php[345]?|[psj]html?|aspx?|cgi|jsp|py|pl)$@i', $file);
$core = preg_match('@\.(php[345]?|[psj]html?|aspx?|cgi|jsp|py|pl)$@i', $file);
if ($core) {
return true;
}
$eventData = false;
serendipity_plugin_api::hook_event('backend_media_check', $eventData, $file);
return $eventData;
}
/**