Steps to reproduce:
1) Upload a PHP script to the Media Libray,
naming it "test" (or any other name
without extension).
2) Rename it to "exploit.php." (trailing dot!)
On Linux, the file will be renamed to
"exploit.php..", which is safe and
cannot be exploited.
On Windows though, the file will be
renemad to "exploit.php" and is then
remotely executable by calling it
from "/uploads/exploit.php".
Thanks to Junyu Zhang <rgdz.eye@gmail.com>
for spotting this!
Signed-off-by: Thomas Hochstein <thh@inter.net>
* plugin_api.inc.php:
- Add static list of bundled plugins.
- Add function to check if plugin is
bundled.
* plugins.inc.php:
- Set source of plugin
(Spartacus, bundled or local).
* plugins.inc.tpl:
- Display plugin source.
* Add language constants.
Signed-off-by: Thomas Hochstein <thh@inter.net>
If $limit is empty(), no limit is set, so we can
set the LIMIT statement to "" to achieve the same.
But an empty() $limit can be "0", so the
generated SQL statement could end with "0"
instead of the LIMIT statement. We catch this
with forcing an empty() $limit to "".
Fixes#636.
(No matter that this shouldn't even happen.)
Signed-off-by: Thomas Hochstein <thh@inter.net>
When renaming objects in the Media Library,
s9y didn't check if a file with the same
name already exists, resulting in a file
name collision deleting both files from
the database _and_ from disk.
Add a check to avoid that.
An error message would be nice, too, but
that may be added later on.
Tested on s9y-stable test instance.
Signed-off-by: Thomas Hochstein <thh@inter.net>
Those plugins will only be released with
s9y proper - so we could and should announce
changes with the release.
Signed-off-by: Thomas Hochstein <thh@inter.net>
We shouldn't swap prev/next links for archive
pages. With stable archives, the title page is
the last page of the archive, not the first, so
all other pages are "previos", and we should
display it like that.
That may seem counterintuitive at first, but
otherwise archive page directions and pagination
directions don't match (see bulletproof), and we
shouldn't count archive pages differently from
the URL. With the current code, page 100 of 100
archive pages would be shown in footer_info as
page 1, page 99 as page 2, and that doesn't make
sense either.
Signed-off-by: Thomas Hochstein <thh@inter.net>
Quite some information is missing from
the list of installed plugins; and the
list of installable plugins has some
more information, but not everything
that is present on Spartacus, i.e.
the last modification date.
So let's add a link to the plugin entry
on Spartacus (in the chosen language
version).
Fixes#471.
Signed-off-by: Thomas Hochstein <thh@inter.net>
