mbirth/LuckyCoinkydink
1
0
Fork 0
Code Issues Pull Requests Activity

Security fixes and

Browse Source 
Merge branch 'master' of github.com:s9y/Serendipity

Conflicts:
	docs/NEWS
This commit is contained in:
Garvin Hicking 2014-02-06 09:38:05 +01:00
commit 40aaef8313
11 changed files with 67 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
docs/NEWS
View File

@ -3,12 +3,23 @@
Version 1.7.6 ()
------------------------------------------------------------------------
* Fixed nl2br non-working WYSIWYG treatment and added general markup behaviour notes
* Fixed backend security issues, thanks to Stefan Schurtz:
- XSS of users realname in "Manage users" section
(Backend, requires login)
- XSS when creating an entry with bad id/timestamp values
(Backend, requires login)
- SQL-Injection for plugin installation parameter
(Backend, requires admin login)
* Templatechooser plugin uses "default" template as fallback,
not "bulletproof".
* Fixed nl2br non-working WYSIWYG treatment and added general markup
behaviour notes
* Fixed textile compat fix
Version 1.7.5 (January 18th, 2014)
------------------------------------------------------------------------

2
include/admin/entries.inc.php
View File

@ -502,7 +502,7 @@ switch($serendipity['GET']['adminAction']) {
'serendipity[action]' => 'admin',
'serendipity[adminModule]' => 'entries',
'serendipity[adminAction]' => 'save',
'serendipity[timestamp]' => $entry['timestamp']
'serendipity[timestamp]' => htmlspecialchars($entry['timestamp'])
),
$entry

7
include/admin/plugins.inc.php
View File

@ -513,8 +513,11 @@ if (isset($_GET['serendipity']['plugin_to_conf'])) {
/* Load the new plugin */
$plugin = &serendipity_plugin_api::load_plugin($inst);
if (!is_object($plugin)) {
echo "DEBUG: Plugin $inst not an object: " . print_r($plugin, true) . ".<br />Input: " . print_r($serendipity['GET'], true) . ".<br /><br />\n\nThis error can happen if a plugin was not properly downloaded (check your plugins directory if the requested plugin was downloaded) or the inclusion of a file failed (permissions?)<br />\n";
echo "Backtrace:<br />\n" . implode("<br />\n", $serendipity['debug']['pluginload']) . "<br />";
echo "DEBUG: Plugin " . htmlspecialchars($inst) . " not an object: " . htmlspecialchars(print_r($plugin, true))
. ".<br />Input: " . htmlspecialchars(print_r($serendipity['GET'], true)) . ".<br /><br />\n\nThis error
can happen if a plugin was not properly downloaded (check your plugins directory if the requested plugin
was downloaded) or the inclusion of a file failed (permissions?)<br />\n";
echo "Backtrace:<br />\n" . nl2br(htmlspecialchars(implode("\n", $serendipity['debug']['pluginload']))) . "<br />";
}
$bag = new serendipity_property_bag;
$plugin->introspect($bag);

2
include/admin/users.inc.php
View File

@ -203,7 +203,7 @@ if (is_array($users)) {
<td><img src="<?php echo $img ?>" alt="" style="border: 0px none ; vertical-align: bottom; display: inline;" /> <?php echo htmlspecialchars($user['realname']); ?></td>
<td width="100" align="center"><?php echo $user['userlevel']; ?></td>
<td width="300" align="right">
<a target="_blank" href="<?php echo serendipity_authorURL($user); ?>" title="<?php echo PREVIEW . ' ' . $user['realname']; ?>" class="serendipityIconLink">
<a target="_blank" href="<?php echo serendipity_authorURL($user); ?>" title="<?php echo PREVIEW . ' ' . htmlspecialchars($user['realname']); ?>" class="serendipityIconLink">
<img src="<?php echo serendipity_getTemplateFile('admin/img/zoom.png'); ?>" alt="<?php echo PREVIEW; ?>" /><?php echo PREVIEW ?></a>
<a href="?serendipity[adminModule]=users&amp;serendipity[adminAction]=edit&amp;serendipity[userid]=<?php echo $user['authorid'] ?>#editform" title="<?php echo EDIT . " " . htmlspecialchars($user['realname']); ?>" class="serendipityIconLink"><img src="<?php echo serendipity_getTemplateFile('admin/img/edit.png'); ?>" alt="<?php echo EDIT . " " . htmlspecialchars($user['realname']); ?>" /><?php echo EDIT ?></a>
<a href="?<?php echo serendipity_setFormToken('url'); ?>&amp;serendipity[adminModule]=users&amp;serendipity[adminAction]=delete&amp;serendipity[userid]=<?php echo $user['authorid'] ?>" title="<?php echo DELETE . " " . htmlspecialchars($user['realname']); ?>" class="serendipityIconLink"><img src="<?php echo serendipity_getTemplateFile('admin/img/delete.png'); ?>" alt="<?php echo DELETE . " " . htmlspecialchars($user['realname']); ?>" /><?php echo DELETE ?></a></td>

10
include/functions_entries_admin.inc.php
View File

@ -135,8 +135,8 @@ function serendipity_printEntryForm($targetURL, $hiddens = array(), $entry = arr
foreach($hiddens as $key => $value) {
$hidden .= ' <input type="hidden" name="' . $key . '" value="' . $value . '" />' . $n;
}
$hidden .= ' <input type="hidden" id="entryid" name="serendipity[id]" value="' . (isset($entry['id']) ? $entry['id'] : '') . '" />' . $n;
$hidden .= ' <input type="hidden" name="serendipity[timestamp]" value="' . (isset($entry['timestamp']) ? serendipity_serverOffsetHour($entry['timestamp']) : serendipity_serverOffsetHour(time())) . '" />' . $n;
$hidden .= ' <input type="hidden" id="entryid" name="serendipity[id]" value="' . (isset($entry['id']) ? (int)$entry['id'] : '') . '" />' . $n;
$hidden .= ' <input type="hidden" name="serendipity[timestamp]" value="' . (isset($entry['timestamp']) ? htmlspecialchars(serendipity_serverOffsetHour($entry['timestamp'])) : serendipity_serverOffsetHour(time())) . '" />' . $n;
$hidden .= ' <input type="hidden" name="serendipity[preview]" value="false" />';
$hidden .= ' ' . serendipity_setFormToken();
@ -219,9 +219,9 @@ function serendipity_printEntryForm($targetURL, $hiddens = array(), $entry = arr
<b><?php echo DATE; ?>:</b>
</td>
<td>
<input type="hidden" name="serendipity[chk_timestamp]" value="<?php echo serendipity_serverOffsetHour(isset($entry['timestamp']) && $entry['timestamp'] > 0 ? $entry['timestamp'] : time()); ?>" />
<input class="input_textbox" type="text" name="serendipity[new_timestamp]" id="serendipityNewTimestamp" value="<?php echo date(DATE_FORMAT_2, serendipity_serverOffsetHour(isset($entry['timestamp']) && $entry['timestamp'] > 0 ? $entry['timestamp'] : time())); ?>" />
<a href="#" onclick="document.getElementById('serendipityNewTimestamp').value = '<?php echo date(DATE_FORMAT_2, serendipity_serverOffsetHour(time())) ?>'; return false;" title="<?php echo RESET_DATE_DESC ?>"><img src="<?php echo serendipity_getTemplateFile('admin/img/clock.png') ?>" border="0" style="vertical-align: text-top;" alt="<?php echo RESET_DATE ?>" /></a>
<input type="hidden" name="serendipity[chk_timestamp]" value="<?php echo htmlspecialchars(serendipity_serverOffsetHour(isset($entry['timestamp']) && $entry['timestamp'] > 0 ? $entry['timestamp'] : time())); ?>" />
<input class="input_textbox" type="text" name="serendipity[new_timestamp]" id="serendipityNewTimestamp" value="<?php echo htmlspecialchars(date(DATE_FORMAT_2, serendipity_serverOffsetHour(isset($entry['timestamp']) && $entry['timestamp'] > 0 ? $entry['timestamp'] : time()))); ?>" />
<a href="#" onclick="document.getElementById('serendipityNewTimestamp').value = '<?php echo htmlspecialchars(date(DATE_FORMAT_2, serendipity_serverOffsetHour(time()))) ?>'; return false;" title="<?php echo RESET_DATE_DESC ?>"><img src="<?php echo serendipity_getTemplateFile('admin/img/clock.png') ?>" border="0" style="vertical-align: text-top;" alt="<?php echo RESET_DATE ?>" /></a>
</td>
<td align="right">
<?php

5
include/plugin_api.inc.php
View File

@ -155,6 +155,7 @@ class serendipity_plugin_api
$id = md5(uniqid(''));
$key = $plugin_class_id . ':' . $id;
$key = serendipity_db_escape_string($key);
// Secure Plugin path. No leading slashes, no backslashes, no "up" directories
$pluginPath = preg_replace('@^(/)@', '', $pluginPath);
@ -174,7 +175,7 @@ class serendipity_plugin_api
$serendipity['debug']['pluginload'][] = "Installing plugin: " . print_r(func_get_args(), true);
$iq = "INSERT INTO {$serendipity['dbPrefix']}plugins (name, sort_order, placement, authorid, path) values ('$key', $nextidx, '$default_placement', '$authorid', '$pluginPath')";
$iq = "INSERT INTO {$serendipity['dbPrefix']}plugins (name, sort_order, placement, authorid, path) values ('" . htmlspecialchars($key) . "', $nextidx, '$default_placement', '$authorid', '" . htmlspecialchars($pluginPath) . "')";
$serendipity['debug']['pluginload'][] = $iq;
serendipity_db_query($iq);
serendipity_plugin_api::hook_event('backend_plugins_new_instance', $key, array('default_placement' => $default_placement));
@ -189,7 +190,7 @@ class serendipity_plugin_api
$plugin->install();
} else {
$serendipity['debug']['pluginload'][] = "Loading plugin failed painfully. File not found?";
echo ERROR . ': ' . $key . ' (' . $pluginPath . ')<br />';
echo ERROR . ': ' . htmlspecialchars($key) . ' (' . htmlspecialchars($pluginPath) . ')<br />';
}
return $key;

32
plugins/serendipity_event_nl2br/serendipity_event_nl2br.php
View File

@ -1,6 +1,6 @@
<?php #
# serendipity_event_nl2br.php 2013-10-08 Ian $
# serendipity_event_nl2br.php 2014-02-01 Ian $
@serendipity_plugin_api::load_language(dirname(__FILE__));
@ -16,7 +16,7 @@ class serendipity_event_nl2br extends serendipity_event
$propbag->add('description', PLUGIN_EVENT_NL2BR_DESC);
$propbag->add('stackable', false);
$propbag->add('author', 'Serendipity Team');
$propbag->add('version', '2.18');
$propbag->add('version', '2.19');
$propbag->add('requirements', array(
'serendipity' => '0.8',
'smarty' => '2.6.7',
@ -85,6 +85,23 @@ class serendipity_event_nl2br extends serendipity_event
return true;
}
function example() {
echo '<h3>PLEASE NOTE the implications of this markup plugin:</h3>
<p>This plugin transfers linebreaks to HTML-linebreaks, so that they show up in your blog entry.</p>
<p>In two cases this can raise problematic issues for you:</p>
<ul>
<li>if you use a <strong>WYSIWYG editor</strong> to write your entries. In that case, the WYSIWYG editor already inserts proper HTML linebreaks, so the nl2br plugin would actually double those linebreaks.</li>
<li>if you use any other markup plugins in conjunction with this plugin that already translate linebreaks. The <strong>TEXTILE and MARKDOWN plugins</strong> are examples for plugins like these.</li>
</ul>
<p>To prevent problems, you should disable the nl2br plugin on entries globally or per entry within the "Extended properties" section of an entry, if you have the entryproperties plugin installed.</p>
<p>Generally advice: The nl2br plugin only makes sense if you</p>
<ul>
<li>A) do not use other markup plugins or</li>
<li>B) you do not use the WYSIWYG editor or</li>
<li>C) you only want to apply linebreak transformations on comments to your blog entries, and do not allow any possible markup of other plugins that you only use for blog entries.</li>
</ul>'."\n";
}
function install() {
serendipity_plugin_api::hook_event('backend_cache_entries', $this->title);
}
@ -204,13 +221,12 @@ class serendipity_event_nl2br extends serendipity_event
$serendipity['nl2br']['entry_disabled_markup'] = true;
}
// don't add additional br or p tags, if the wysiwyg-editor, the textile, or markdown plugin already took care about markup
if($markup) {
if ( ($serendipity['wysiwyg'] && serendipity_userLoggedIn()) ||
($serendipity['nl2br']['entry_disabled_markup'] === false && (class_exists('serendipity_event_textile') || class_exists('serendipity_event_markdown'))) ) {
return true;
}
// don't run, if the textile, or markdown plugin already took care about markup
if ($markup && $serendipity['nl2br']['entry_disabled_markup'] === false && (class_exists('serendipity_event_textile') || class_exists('serendipity_event_markdown'))) {
return true;
}
// NOTE: the wysiwyg-editor needs to send its own ['properties']['ep_no_nl2br'] to disable the nl2br() parser!
// check for users isolation tags
if ($isolate === null) {
$isolate = $this->get_config('isolate');

9
plugins/serendipity_event_templatechooser/serendipity_event_templatechooser.php
View File

@ -50,6 +50,15 @@ class serendipity_event_templatechooser extends serendipity_event
$_SESSION['serendipityUseTemplate'] = $_REQUEST['user_template'];
serendipity_setCookie('user_template', $_REQUEST['user_template'], false);
}
// If the requested template is the same as the current default template,
// we will not set this variable. This is important so that templates/plugins
// which detect serendipityUseTemplate can use reasonable defaults in case
// template configuration options do not exist. Guess nobody understands
// this explanation anyways, and who reads this stuff, heh?
if ($_SESSION['serendipityUseTemplate'] == $eventData['template']) {
unset($_SESSION['serendipityUseTemplate'];
}
if (isset($_SESSION['serendipityUseTemplate']) ) {
$templateInfo = serendipity_fetchTemplateInfo($_SESSION['serendipityUseTemplate']);

6
plugins/serendipity_event_textile/serendipity_event_textile.php
View File

@ -14,7 +14,7 @@ class serendipity_event_textile extends serendipity_event
$propbag->add('description', PLUGIN_EVENT_TEXTILE_DESC);
$propbag->add('stackable', false);
$propbag->add('author', 'Serendipity Team', 'Lars Strojny');
$propbag->add('version', '1.8.1');
$propbag->add('version', '1.8.2');
$propbag->add('requirements', array(
'serendipity' => '0.8',
'smarty' => '2.6.7',
@ -276,10 +276,10 @@ class serendipity_event_textile extends serendipity_event
require_once S9Y_INCLUDE_PATH . 'plugins/serendipity_event_textile/lib3/src/Netcarver/Textile/Parser.php';
require_once S9Y_INCLUDE_PATH . 'plugins/serendipity_event_textile/lib3/src/Netcarver/Textile/DataBag.php';
require_once S9Y_INCLUDE_PATH . 'plugins/serendipity_event_textile/lib3/src/Netcarver/Textile/Tag.php';
include_once 'textile_namespace.inc.php'; // PHP 5.2 compat
include 'textile_namespace.inc.php'; // PHP 5.2 compat
// todo check for user-supplied output to restrict
# return $textile->textileRestricted($string);
return $textile->textileThis($string);
if (is_object($textile)) return $textile->textileThis($string);
} else {
trigger_error(' Textile lib3 needs at least PHP 5.3.0 running. Update your PHP version or use lib2 instead.', E_USER_WARNING);
}

1
plugins/serendipity_plugin_templatedropdown/serendipity_plugin_templatedropdown.php
View File

@ -61,6 +61,7 @@ class serendipity_plugin_templatedropdown extends serendipity_plugin {
echo '<form id="theme_chooser" action="' . $url . '" method="post">';
echo '<select name="user_template" onchange="document.getElementById(\'theme_chooser\').submit();">';
foreach (serendipity_fetchTemplates() as $template) {
if ($template == 'default-php' || $template == 'default-xml') continue;
$templateInfo = serendipity_fetchTemplateInfo($template);
echo '<option value="' . $template . '" ' . (serendipity_get_config_var('template', 'default') == $template ? 'selected="selected"' : '') . '>' . substr($templateInfo['name'], 0, 25) . '</option>';
}

2
templates/default/admin/entries.tpl
View File

@ -41,7 +41,7 @@
<b>{$CONST.DATE}:</b>
</td>
<td>
<input type="hidden" name="serendipity[chk_timestamp]" value="{$entry_vars.timestamp}" />
<input type="hidden" name="serendipity[chk_timestamp]" value="{$entry_vars.timestamp|@escape}" />
<input class="input_textbox" type="text" name="serendipity[new_timestamp]" id="serendipityNewTimestamp" value="{$entry_vars.timestamp|@formatTime:DATE_FORMAT_2:true:false:true}" />
<a href="#" onclick="document.getElementById('serendipityNewTimestamp').value = '{$entry_vars.reset_timestamp|@formatTime:DATE_FORMAT_2:true:false:true}'; return false;" title="{$CONST.RESET_DATE_DESC}"><img src="{serendipity_getFile file='admin/img/clock.png'}" border="0" style="vertical-align: text-top;" alt="{$CONST.RESET_DATE}" /></a>
</td>