Patch by Hanno Böck

This commit is contained in:
Garvin Hicking 2008-03-25 12:39:55 +00:00
parent 40a8c11d13
commit 6ea572211b
4 changed files with 21 additions and 18 deletions


@ -10,6 +10,9 @@ Version 1.4 ()
Version 1.3.1 () Version 1.3.1 ()
------------------------------------------------------------------------ ------------------------------------------------------------------------
* Add XSS security checks for installer, even though very
hypothetical application :) (Hanno Böck)
* Add {serendipity_getImageSize} smarty function (judebert) * Add {serendipity_getImageSize} smarty function (judebert)
* Add escaping to "Top Referrers" plugin and honor local configuration * Add escaping to "Top Referrers" plugin and honor local configuration


@ -96,13 +96,13 @@ function &serendipity_db_query($sql, $single = false, $result_type = "both", $re
} }
if (!$expectError && mysql_error($serendipity['dbConn']) != '') { if (!$expectError && mysql_error($serendipity['dbConn']) != '') {
$msg = '<pre>' . $sql . '</pre> / ' . mysql_error($serendipity['dbConn']); $msg = '<pre>' . $sql . '</pre> / ' . htmlspecialchars(mysql_error($serendipity['dbConn']));
return $msg; return $msg;
} }
if (!$c) { if (!$c) {
if (!$expectError && !$serendipity['production']) { if (!$expectError && !$serendipity['production']) {
print '<pre>' . $sql . '</pre> / ' . mysql_error($serendipity['dbConn']); print '<pre>' . $sql . '</pre> / ' . htmlspecialchars(mysql_error($serendipity['dbConn']));
if (function_exists('debug_backtrace') && $reportErr == true) { if (function_exists('debug_backtrace') && $reportErr == true) {
highlight_string(var_export(debug_backtrace(), 1)); highlight_string(var_export(debug_backtrace(), 1));
} }
@ -340,7 +340,7 @@ function serendipity_db_probe($hash, &$errs) {
if (!($c = @mysql_connect($hash['dbHost'], $hash['dbUser'], $hash['dbPass']))) { if (!($c = @mysql_connect($hash['dbHost'], $hash['dbUser'], $hash['dbPass']))) {
$errs[] = 'Could not connect to database; check your settings.'; $errs[] = 'Could not connect to database; check your settings.';
$errs[] = 'The mySQL error was: ' . mysql_error(); $errs[] = 'The mySQL error was: ' . htmlspecialchars(mysql_error());
return false; return false;
} }
@ -348,7 +348,7 @@ function serendipity_db_probe($hash, &$errs) {
if (!@mysql_select_db($hash['dbName'])) { if (!@mysql_select_db($hash['dbName'])) {
$errs[] = 'The database you specified does not exist.'; $errs[] = 'The database you specified does not exist.';
$errs[] = 'The mySQL error was: ' . mysql_error(); $errs[] = 'The mySQL error was: ' . htmlspecialchars(mysql_error());
return false; return false;
} }
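Review bot: In the first hunk of this section the `$sql` text is still concatenated into the `<pre>` block unescaped, in both the returned `$msg` and the `print` branch, while only the `mysql_error()` part now goes through `htmlspecialchars()`, so any request-derived value that ended up in the failing statement reaches the browser verbatim; wrap it too, `$msg = '<pre>' . htmlspecialchars($sql) . '</pre> / ' . htmlspecialchars(mysql_error($serendipity['dbConn']));` and the same for the `print` line. Whether `$sql` can carry attacker-influenced fragments depends on callers outside this hunk, but escaping it costs nothing on an error path. Every `htmlspecialchars()` call this commit adds uses the default flags, so single quotes are left alone and the charset falls back to PHP's default; passing `ENT_QUOTES` and the blog's charset explicitly would keep the escaping correct in attribute contexts, and that applies equally to the mysqli probe and installer hunks. `serendipity_db_query` starts before this hunk, and both `serendipity_db_probe` hunks end mid-function.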


@ -319,7 +319,7 @@ function serendipity_db_probe($hash, &$errs) {
if (!$c) { if (!$c) {
$errs[] = 'Could not connect to database; check your settings.'; $errs[] = 'Could not connect to database; check your settings.';
$errs[] = 'The mySQL error was: ' . mysqli_connect_error(); $errs[] = 'The mySQL error was: ' . htmlspecialchars(mysqli_connect_error());
return false; return false;
} }
@ -327,7 +327,7 @@ function serendipity_db_probe($hash, &$errs) {
if ( !@mysqli_select_db($c, $hash['dbName']) ) { if ( !@mysqli_select_db($c, $hash['dbName']) ) {
$errs[] = 'The database you specified does not exist.'; $errs[] = 'The database you specified does not exist.';
$errs[] = 'The mySQL error was: ' . mysqli_error($c); $errs[] = 'The mySQL error was: ' . htmlspecialchars(mysqli_error($c));
return false; return false;
} }


@ -692,35 +692,35 @@ function serendipity_checkInstallation() {
// Check dirs // Check dirs
if (!is_dir($_POST['serendipityPath'])) { if (!is_dir($_POST['serendipityPath'])) {
$errs[] = sprintf(DIRECTORY_NON_EXISTANT, $_POST['serendipityPath']); $errs[] = sprintf(DIRECTORY_NON_EXISTANT, htmlspecialchars($_POST['serendipityPath']));
} }
/* This test has already been passed on the diagnosis page. Besides /* This test has already been passed on the diagnosis page. Besides
it's a partially bogus test. it's a partially bogus test.
elseif (!is_writable($_POST['serendipityPath']) ) { elseif (!is_writable($_POST['serendipityPath']) ) {
$errs[] = sprintf(DIRECTORY_WRITE_ERROR, $_POST['serendipityPath']); $errs[] = sprintf(DIRECTORY_WRITE_ERROR, htmlspecialchars($_POST['serendipityPath']));
}*/ }*/
elseif (!is_dir($_POST['serendipityPath'] . $_POST['uploadPath'] ) && @mkdir($_POST['serendipityPath'] . $_POST['uploadPath'], $umask) !== true) { elseif (!is_dir($_POST['serendipityPath'] . $_POST['uploadPath'] ) && @mkdir($_POST['serendipityPath'] . $_POST['uploadPath'], $umask) !== true) {
$errs[] = sprintf(DIRECTORY_CREATE_ERROR, $_POST['serendipityPath'] . $_POST['uploadPath']); $errs[] = sprintf(DIRECTORY_CREATE_ERROR, htmlspecialchars($_POST['serendipityPath']) . htmlspecialchars($_POST['uploadPath']));
} }
elseif (!is_writable($_POST['serendipityPath'] . $_POST['uploadPath'])) { elseif (!is_writable($_POST['serendipityPath'] . $_POST['uploadPath'])) {
$errs[] = sprintf(DIRECTORY_WRITE_ERROR, $_POST['serendipityPath'] . $_POST['uploadPath']); $errs[] = sprintf(DIRECTORY_WRITE_ERROR, htmlspecialchars($_POST['serendipityPath']) . htmlspecialchars($_POST['uploadPath']));
$errs[] = sprintf(DIRECTORY_RUN_CMD , 'chmod go+rws', $_POST['serendipityPath'] . $_POST['uploadPath']); $errs[] = sprintf(DIRECTORY_RUN_CMD , 'chmod go+rws', htmlspecialchars($_POST['serendipityPath']) . htmlspecialchars($_POST['uploadPath']));
} }
// Attempt to create the template compile directory, it might already be there, but we just want to be sure // Attempt to create the template compile directory, it might already be there, but we just want to be sure
if (!is_dir($_POST['serendipityPath'] . PATH_SMARTY_COMPILE) && @mkdir($_POST['serendipityPath'] . PATH_SMARTY_COMPILE, $umask) !== true) { if (!is_dir($_POST['serendipityPath'] . PATH_SMARTY_COMPILE) && @mkdir($_POST['serendipityPath'] . PATH_SMARTY_COMPILE, $umask) !== true) {
$errs[] = sprintf(DIRECTORY_CREATE_ERROR, $_POST['serendipityPath'] . PATH_SMARTY_COMPILE); $errs[] = sprintf(DIRECTORY_CREATE_ERROR, htmlspecialchars($_POST['serendipityPath']) . PATH_SMARTY_COMPILE);
$errs[] = sprintf(DIRECTORY_RUN_CMD , 'mkdir' , $_POST['serendipityPath'] . PATH_SMARTY_COMPILE); $errs[] = sprintf(DIRECTORY_RUN_CMD , 'mkdir' , htmlspecialchars($_POST['serendipityPath']) . PATH_SMARTY_COMPILE);
$errs[] = sprintf(DIRECTORY_RUN_CMD , 'chmod go+rwx', $_POST['serendipityPath'] . PATH_SMARTY_COMPILE); $errs[] = sprintf(DIRECTORY_RUN_CMD , 'chmod go+rwx', htmlspecialchars($_POST['serendipityPath']) . PATH_SMARTY_COMPILE);
} elseif (is_dir($_POST['serendipityPath'] . PATH_SMARTY_COMPILE) && !is_writeable($_POST['serendipityPath'] . PATH_SMARTY_COMPILE) && @chmod($_POST['serendipityPath'] . PATH_SMARTY_COMPILE, $umask) !== true) { } elseif (is_dir($_POST['serendipityPath'] . PATH_SMARTY_COMPILE) && !is_writeable($_POST['serendipityPath'] . PATH_SMARTY_COMPILE) && @chmod($_POST['serendipityPath'] . PATH_SMARTY_COMPILE, $umask) !== true) {
$errs[] = sprintf(DIRECTORY_RUN_CMD , 'chmod go+rwx', $_POST['serendipityPath'] . PATH_SMARTY_COMPILE); $errs[] = sprintf(DIRECTORY_RUN_CMD , 'chmod go+rwx', htmlspecialchars($_POST['serendipityPath']) . PATH_SMARTY_COMPILE);
} }
// Attempt to create the archives directory // Attempt to create the archives directory
if (!is_dir($_POST['serendipityPath'] . PATH_ARCHIVES) && @mkdir($_POST['serendipityPath'] . PATH_ARCHIVES, $umask) !== true) { if (!is_dir($_POST['serendipityPath'] . PATH_ARCHIVES) && @mkdir($_POST['serendipityPath'] . PATH_ARCHIVES, $umask) !== true) {
$errs[] = sprintf(DIRECTORY_CREATE_ERROR, $_POST['serendipityPath'] . PATH_ARCHIVES); $errs[] = sprintf(DIRECTORY_CREATE_ERROR, htmlspecialchars($_POST['serendipityPath']) . PATH_ARCHIVES);
$errs[] = sprintf(DIRECTORY_RUN_CMD , 'mkdir' , $_POST['serendipityPath'] . PATH_ARCHIVES); $errs[] = sprintf(DIRECTORY_RUN_CMD , 'mkdir' , htmlspecialchars($_POST['serendipityPath']) . PATH_ARCHIVES);
$errs[] = sprintf(DIRECTORY_RUN_CMD , 'chmod go+rwx', $_POST['serendipityPath'] . PATH_ARCHIVES); $errs[] = sprintf(DIRECTORY_RUN_CMD , 'chmod go+rwx', htmlspecialchars($_POST['serendipityPath']) . PATH_ARCHIVES);
} }
// Check imagick // Check imagick
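Review bot: The same two request values, `$_POST['serendipityPath']` and `$_POST['uploadPath']`, are passed through `htmlspecialchars()` more than a dozen separate times in this hunk, which is easy to get out of step with the `is_dir`/`mkdir`/`chmod` calls on the surrounding lines that must keep using the raw values; escaping once at the top of the directory checks reads better and makes a missed site obvious: `$safePath = htmlspecialchars($_POST['serendipityPath']); $safeUpload = htmlspecialchars($_POST['uploadPath']);` followed by `sprintf(DIRECTORY_CREATE_ERROR, $safePath . $safeUpload)` and so on. The two names also document which form is for display and which for the filesystem. The edit also maintains the commented-out `elseif (!is_writable(...))` block, which is dead code; removing it would be cleaner than escaping inside it. `serendipity_checkInstallation` starts before this hunk and continues after it.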