Steps to reproduce:
1) Upload a PHP script to the Media Library,
naming it "test" (or any other name
without extension).
2) Rename it to "exploit.php." (trailing dot!)
On Linux, the file will be renamed to
"exploit.php..", which is safe and
cannot be exploited.
On Windows though, the file will be
renamed to "exploit.php" and is then
remotely executable by calling it
from "/uploads/exploit.php".
Thanks to Junyu Zhang <rgdz.eye@gmail.com>
for spotting this!
Signed-off-by: Thomas Hochstein <thh@inter.net>
After fixing the other ML file renaming bugs,
it was now possible to rename a file without
extension into a file that *does* have an
extension - so we need to check against
active content.
Signed-off-by: Thomas Hochstein <thh@inter.net>
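
Added example, not part of the commits above and not Serendipity's code: one way to validate a Media Library rename target so that the trailing-dot case from the first commit and the "no extension to active extension" case from the second are both refused. The function names and the extension deny list are assumptions; checking every dot-separated part rather than only the last suffix goes slightly beyond what the commits describe.

```php
<?php
// Added illustration, not Serendipity's code. All names below are hypothetical.

// Assumed deny list of "active content" extensions; match it to the web server's handlers.
const ACTIVE_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar',
                           'pl', 'py', 'cgi', 'asp', 'aspx', 'jsp', 'shtml', 'htaccess'];

// Windows drops trailing dots and spaces when it creates a file,
// so validate the name the filesystem will actually store.
function effective_name(string $name): string
{
    return rtrim($name, '. ');
}

// Returns the name to use on disk AND in the database, or null to refuse the rename.
function safe_rename_target(string $requested): ?string
{
    // Bare file names only: no separators, drive colons or control characters.
    if (preg_match('~[/\\\\:\x00-\x1f]~', $requested)) {
        return null;
    }
    $name = effective_name($requested);
    if ($name === '') {
        return null;
    }
    // Check every dot-separated part after the first, so a dotfile such as
    // ".htaccess" and a double extension are caught, not only the last suffix.
    foreach (array_slice(explode('.', $name), 1) as $part) {
        if (in_array(strtolower($part), ACTIVE_EXTENSIONS, true)) {
            return null;
        }
    }
    return $name;
}

// Constructed sample inputs.
foreach (['test', 'holiday.jpg', 'exploit.php.', 'exploit.php..', 'exploit.PHP ', '.htaccess'] as $in) {
    $out = safe_rename_target($in);
    printf("%-16s => %s\n", var_export($in, true), $out === null ? 'REJECTED' : var_export($out, true));
}
```

Writing the returned, already-normalized name to both disk and database also avoids the disk/database mismatch described in the next commit.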
The renaming code added a dot '.' to the
filename on disk even if the file had no
extension. Therefore, the file name on disk was
different from the name in the database,
triggering the database purging code on the
next ML display.
(serendipity_displayImageList() will delete
files from the database that don't exist
any longer on disk.)
This code won't add spurious dots for
empty extensions, keeping disk and
database in sync.
Signed-off-by: Thomas Hochstein <thh@inter.net>
* plugin_api.inc.php:
- Add static list of bundled plugins.
- Add function to check if plugin is
bundled.
* plugins.inc.php:
- Set source of plugin
(Spartacus, bundled or local).
* plugins.inc.tpl:
- Display plugin source.
* Add language constants.
Add link to Spartacus for all plugins,
don't skip installed plugins.
Add author to details of installed plugins.
Cherry-picked from master.
Signed-off-by: Thomas Hochstein <thh@inter.net>
If $limit is empty(), no limit is set, so we can
set the LIMIT statement to "" to achieve the same.
But an empty() $limit can be "0", so the
generated SQL statement could end with "0"
instead of the LIMIT statement. We catch this
with forcing an empty() $limit to "".
Fixes #636.
(No matter that this shouldn't even happen.)
Signed-off-by: Thomas Hochstein <thh@inter.net>
When renaming objects in the Media Library,
s9y didn't check if a file with the same
name already exists, resulting in a file
name collision deleting both files from
the database _and_ from disk.
Add a check to avoid that.
An error message would be nice, too, but
that may be added later on.
Tested on s9y-stable test instance.
Cherry-picked from master branch.
Signed-off-by: Thomas Hochstein <thh@inter.net>
genpage is called but no action given -
the default page was generated at every call.
Cherry-picked from master branch.
Signed-off-by: Thomas Hochstein <thh@inter.net>
The number of entries shown on the title
page and in the feed has to be at least "1",
as s9y can't cope with "0" or negative
values (and it shouldn't).
May be related to #636.
Backported from master.
Signed-off-by: Thomas Hochstein <thh@inter.net>
s9y will encode the body of its auto-generated
mails as quoted-printable when imap_8bit() is
available. imap_8bit() will use "\r\n" as
linebreaks as mandated for SMTP transfer.
The result will be transmitted via PHP's
mail() function, using direct SMTP on
Windows and piping it to an MTA on Unix.
Most MTAs will cope just fine with those
linebreaks, while qmail will not; it will
replace all "\n" linebreaks with "\r\n",
so we get "\r\r\n" in our case. We can't
"fix" qmail (as its maintainer, if there
even is one, does not consider this
behaviour wrong), but we can replace the
line endings we get from imap_8bit().
The fix does work with qmail and Exim and
should work with sendmail and Postfix and
other MTAs, too. It may break sending
mail on Windows (i.e. lose all linebreaks),
but I think that's acceptable, as we'll
have more qmail installations than Windows
servers out there.
A workaround could be to set
serendipity['forceBase64']=true in
serendipity_config_local.inc.php, but I'd
prefer this fix.
Fixes #644.
Backported from master branch.
Signed-off-by: Thomas Hochstein <thh@inter.net>