Revision 1476
Added by Dietmar over 13 years ago
branches/2.8.x/CHANGELOG | ||
---|---|---|
11 | 11 |
! = Update/Change |
12 | 12 |
|
13 | 13 |
------------------------------------- 2.8.2 ------------------------------------ |
14 |
13 Jul-2011 Build 1476 Dietmar Woellbrink (Luisehahne) |
|
15 |
! optimize blacklist handling, add more separator ",#|;" |
|
16 |
set of a wildcard ".*?" e.g. ph.*? proof ext like php, php3, php4 etc. |
|
17 |
# fix sctrict warnings in media if default theme ist not Argos Theme |
|
18 |
+ add new settings value in install, upgrade-script and core module |
|
14 | 19 |
13 Jul-2011 Build 1475 Dietmar Woellbrink (Luisehahne) |
15 |
+ add SecureForm.mtab.php under mantennance by WebsiteBaker Community
|
|
20 |
+ add SecureForm.mtab.php under maintenance by WebsiteBaker Community
|
|
16 | 21 |
! security fixes media, groups, users, sections |
17 | 22 |
# change lang variable to remove upgrade-script |
18 | 23 |
! reworked add sections in pages |
branches/2.8.x/wb/upgrade-script.php | ||
---|---|---|
351 | 351 |
*/ |
352 | 352 |
echo "<br />Adding mediasettings to settings table<br />"; |
353 | 353 |
$cfg = array( |
354 |
'mediasettings' => '' |
|
354 |
'mediasettings' => '', |
|
355 |
'rename_files_on_upload' => 'ph.*?,cgi,pl,pm,exe,com,bat,pif,cmd,src,asp,aspx' |
|
355 | 356 |
); |
356 | 357 |
foreach($cfg as $key=>$value) { |
357 | 358 |
db_add_key_value($key, $value); |
... | ... | |
362 | 363 |
*/ |
363 | 364 |
echo "<br />Adding fingerprint_with_ip_octets to settings table<br />"; |
364 | 365 |
$cfg = array( |
365 |
'fingerprint_with_ip_octets' => '3' |
|
366 |
'fingerprint_with_ip_octets' => '2', |
|
367 |
'secure_form_module' => '' |
|
366 | 368 |
); |
367 | 369 |
foreach($cfg as $key=>$value) { |
368 | 370 |
db_add_key_value($key, $value); |
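Review bot: `db_add_key_value('rename_files_on_upload', 'ph.*?,…')` on new line 355 runs against installations where that key very likely already exists, because the code this commit removes from the media scripts (`str_replace(',','|',RENAME_FILES_ON_UPLOAD)`) already read the setting; whether the new `ph.*?` default replaces an older value depends on how db_add_key_value treats an existing key, which is not visible here. Since the same commit drops the hardcoded `phtml|php5|php4|php|cgi|pl|exe|com|bat|src` baseline from upload.php, rename.php, rename2.php and browse.php, an upgraded site whose stored list never needed to mention php would be left with no php entry at all. Either update an existing value that lacks a php pattern, or keep the hardcoded baseline in the consuming scripts; a comment such as `// value is a list of PCRE fragments joined by , ; | or #; "ph.*?" covers php/php3/phtml/phar` would also document why the entry is not a plain extension.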
branches/2.8.x/wb/admin/media/rename2.php | ||
---|---|---|
2 | 2 |
/** |
3 | 3 |
* |
4 | 4 |
* @category admin |
5 |
* @package admintools
|
|
5 |
* @package media
|
|
6 | 6 |
* @author WebsiteBaker Project |
7 | 7 |
* @copyright 2004-2009, Ryan Djurovich |
8 | 8 |
* @copyright 2009-2011, Website Baker Org. e.V. |
... | ... | |
44 | 44 |
$admin->print_error($MESSAGE['GENERIC_SECURITY_ACCESS'],$dirlink, false); |
45 | 45 |
} |
46 | 46 |
|
47 |
// Check for potentially malicious files and append 'txt' to their name |
|
48 |
$rename_file_types = str_replace(',','|',RENAME_FILES_ON_UPLOAD); |
|
49 |
// hardcodet forbidden filetypes |
|
50 |
$forbidden_file_types = 'phtml|php5|php4|php|cgi|pl|exe|com|bat|src|'.$rename_file_types; |
|
47 |
// Check for potentially malicious files |
|
48 |
$forbidden_file_types = preg_replace( '/\s*[,;\|#]\s*/','|',RENAME_FILES_ON_UPLOAD); |
|
51 | 49 |
// Get home folder not to show |
52 | 50 |
$home_folders = get_home_folders(); |
53 | 51 |
|
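Review bot: New line 48 makes the blacklist exactly the contents of RENAME_FILES_ON_UPLOAD, dropping the hardcoded `phtml|php5|php4|php|cgi|pl|exe|com|bat|src` floor that old line 50 merged in, so an empty or misedited setting (it is an admin-editable DB value) disables the check entirely; how `$forbidden_file_types` is consumed lies outside this hunk. I would keep a code-level floor and strip stray separators: `$configured = trim(preg_replace('/\s*[,;|#]\s*/', '|', RENAME_FILES_ON_UPLOAD), '|');` followed by `$forbidden_file_types = 'phtml|php5|php4|php|cgi|pl|exe|com|bat|src' . ($configured !== '' ? '|' . $configured : '');`. That way the DB setting can only extend the list, never empty it.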
branches/2.8.x/wb/admin/media/setparameter.php | ||
---|---|---|
2 | 2 |
/** |
3 | 3 |
* |
4 | 4 |
* @category admin |
5 |
* @package admintools
|
|
5 |
* @package media
|
|
6 | 6 |
* @author WebsiteBaker Project |
7 | 7 |
* @copyright 2004-2009, Ryan Djurovich |
8 | 8 |
* @copyright 2009-2011, Website Baker Org. e.V. |
... | ... | |
39 | 39 |
$admin->print_error('::'.$MESSAGE['GENERIC_SECURITY_ACCESS'],'browse.php',false); |
40 | 40 |
} |
41 | 41 |
*/ |
42 |
//Check for existing settings entry, if not existing, create a record first! |
|
43 |
if (!$database->query ( "SELECT * FROM ".TABLE_PREFIX."settings where `name`='mediasettings'" )) { |
|
44 |
$database->query ( "INSERT INTO ".TABLE_PREFIX."settings (`name`,`value`) VALUES ('mediasettings','')" ); |
|
42 |
|
|
43 |
if(DEFAULT_THEME != ' wb_theme') { |
|
44 |
//Check for existing settings entry, if not existing, create a record first! |
|
45 |
if (!$database->query ( "SELECT * FROM ".TABLE_PREFIX."settings where `name`='mediasettings'" )) { |
|
46 |
$database->query ( "INSERT INTO ".TABLE_PREFIX."settings (`name`,`value`) VALUES ('mediasettings','')" ); |
|
47 |
} |
|
48 |
} else { |
|
49 |
$pathsettings = array(); |
|
45 | 50 |
} |
51 |
|
|
46 | 52 |
$dirs = directory_list(WB_PATH.MEDIA_DIRECTORY); |
47 | 53 |
$dirs[] = WB_PATH.MEDIA_DIRECTORY; |
48 | 54 |
foreach($dirs AS $name) { |
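Review bot: The guard `if (!$database->query( "SELECT … 'mediasettings'" ))` on new line 45 fires only when the statement fails, not when it returns no rows; parameters.php in this same commit checks the identical query with `$query->numRows() > 0`, which suggests `query()` returns a result object even for an empty result, so the INSERT fallback here is effectively dead. Use the same shape as parameters.php: `$query = $database->query("SELECT … 'mediasettings'");` and `if (!$query || $query->numRows() == 0) { $database->query("INSERT …"); }`. Separately, `DEFAULT_THEME != ' wb_theme'` on line 43 compares against a string with a leading space, so the `else` branch can only run if the constant itself carries that space; `'wb_theme'` is presumably intended.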
branches/2.8.x/wb/admin/media/browse.php | ||
---|---|---|
156 | 156 |
$usedFiles = $Dse->getMatchesFromDir( $currentdir, DseTwo::RETURN_USED); |
157 | 157 |
} |
158 | 158 |
|
159 |
$rename_file_types = str_replace(',','|',RENAME_FILES_ON_UPLOAD); |
|
160 |
// hardcodet forbidden filetypes |
|
161 |
$forbidden_file_types = 'phtml|php5|php4|php|cgi|pl|exe|com|bat|src|'.$rename_file_types; |
|
159 |
// Check for potentially malicious files |
|
160 |
$forbidden_file_types = preg_replace( '/\s*[,;\|#]\s*/','|',RENAME_FILES_ON_UPLOAD); |
|
162 | 161 |
|
163 | 162 |
if($handle = opendir(WB_PATH.MEDIA_DIRECTORY.'/'.$directory)) { |
164 | 163 |
// Loop through the files and dirs an add to list |
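Review bot: `preg_replace('/\s*[,;\|#]\s*/','|', RENAME_FILES_ON_UPLOAD)` on new line 160 only normalises separators, so a leading or trailing separator or a doubled one (`,,`) in the admin-editable setting yields an empty alternative (`||`) in `$forbidden_file_types`, which as a PCRE alternation matches every name; how the variable is used further down is outside this hunk. Splitting instead of replacing avoids that: `$forbidden_file_types = implode('|', preg_split('/\s*[,;|#]\s*/', trim(RENAME_FILES_ON_UPLOAD), -1, PREG_SPLIT_NO_EMPTY));`. The `\|` escape inside the character class is harmless but unnecessary.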
branches/2.8.x/wb/admin/media/parameters.php | ||
---|---|---|
2 | 2 |
/** |
3 | 3 |
* |
4 | 4 |
* @category admin |
5 |
* @package admintools
|
|
5 |
* @package media
|
|
6 | 6 |
* @author WebsiteBaker Project |
7 | 7 |
* @copyright 2004-2009, Ryan Djurovich |
8 | 8 |
* @copyright 2009-2011, Website Baker Org. e.V. |
... | ... | |
24 | 24 |
return unserialize($__ret); |
25 | 25 |
} |
26 | 26 |
$pathsettings = array(); |
27 |
$query = $database->query ( "SELECT * FROM ".TABLE_PREFIX."settings where `name`='mediasettings'" ); |
|
28 |
if ($query && $query->numRows() > 0) { |
|
29 |
$settings = $query->fetchRow(); |
|
30 |
$pathsettings = __unserialize($settings['value']); |
|
31 |
} else { |
|
32 |
$database->query ( "INSERT INTO ".TABLE_PREFIX."settings (`name`,`value`) VALUES ('mediasettings','')" ); |
|
27 |
if(DEFAULT_THEME != ' wb_theme') { |
|
28 |
$query = $database->query ( "SELECT * FROM ".TABLE_PREFIX."settings where `name`='mediasettings'" ); |
|
29 |
if ($query && $query->numRows() > 0) { |
|
30 |
$settings = $query->fetchRow(); |
|
31 |
$pathsettings = __unserialize($settings['value']); |
|
32 |
} else { |
|
33 |
$database->query ( "INSERT INTO ".TABLE_PREFIX."settings (`name`,`value`) VALUES ('mediasettings','')" ); |
|
34 |
} |
|
33 | 35 |
} |
34 | 36 |
|
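Review bot: `if(DEFAULT_THEME != ' wb_theme')` on new line 27 has a leading space inside the literal, so the comparison is true for every real theme name including `wb_theme`, and the whole block always executes; the changelog entry for this revision says the intent is to skip it for the default theme. It should read `if(DEFAULT_THEME != 'wb_theme') {`, and since `$pathsettings` is initialised to `array()` on line 26 anyway, the skipped case already leaves a sane value. The same typo appears in setparameter.php in this commit.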
branches/2.8.x/wb/admin/media/rename.php | ||
---|---|---|
2 | 2 |
/** |
3 | 3 |
* |
4 | 4 |
* @category admin |
5 |
* @package admintools
|
|
5 |
* @package media
|
|
6 | 6 |
* @author WebsiteBaker Project |
7 | 7 |
* @copyright 2004-2009, Ryan Djurovich |
8 | 8 |
* @copyright 2009-2011, Website Baker Org. e.V. |
... | ... | |
45 | 45 |
|
46 | 46 |
// Get home folder not to show |
47 | 47 |
$home_folders = get_home_folders(); |
48 |
// Check for potentially malicious files and append 'txt' to their name |
|
49 |
$rename_file_types = str_replace(',','|',RENAME_FILES_ON_UPLOAD); |
|
50 |
// hardcodet forbidden filetypes |
|
51 |
$forbidden_file_types = 'phtml|php5|php4|php|cgi|pl|exe|com|bat|src|'.$rename_file_types; |
|
48 |
// Check for potentially malicious files |
|
49 |
$forbidden_file_types = preg_replace( '/\s*[,;\|#]\s*/','|',RENAME_FILES_ON_UPLOAD); |
|
52 | 50 |
|
53 | 51 |
// Figure out what folder name the temp id is |
54 | 52 |
if($handle = opendir(WB_PATH.MEDIA_DIRECTORY.'/'.$directory)) { |
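Review bot: The comment on new line 48 says "Check for potentially malicious files" but does not tell a maintainer that RENAME_FILES_ON_UPLOAD is a list of PCRE fragments rather than literal extensions — the default written by install/save.php in this commit starts with `ph.*?`, and the value is spliced into a pattern unescaped, so a `.` in an entry such as `tar.gz` matches any character. I would replace the comment with `// RENAME_FILES_ON_UPLOAD holds PCRE fragments (e.g. "ph.*?"), not plain extensions; they are joined with "|" and deliberately NOT preg_quote()d`. Where `$forbidden_file_types` is applied lies outside this hunk.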
branches/2.8.x/wb/admin/media/upload.php | ||
---|---|---|
2 | 2 |
/** |
3 | 3 |
* |
4 | 4 |
* @category admin |
5 |
* @package admintools
|
|
5 |
* @package media
|
|
6 | 6 |
* @author WebsiteBaker Project |
7 | 7 |
* @copyright 2004-2009, Ryan Djurovich |
8 | 8 |
* @copyright 2009-2011, Website Baker Org. e.V. |
... | ... | |
41 | 41 |
// Include the WB functions file |
42 | 42 |
require_once(WB_PATH.'/framework/functions.php'); |
43 | 43 |
|
44 |
$directory = ($target == '/') ? '' : $target; |
|
45 |
$dirlink = 'index.php?dir='.$directory; |
|
46 |
$rootlink = 'index.php?dir='; |
|
47 |
|
|
44 | 48 |
// Check to see if target contains ../ |
45 | 49 |
if (!check_media_path($target, false)) |
46 | 50 |
{ |
... | ... | |
64 | 68 |
|
65 | 69 |
$file_extensions=explode(",",$file_extension_string); |
66 | 70 |
// get from settings and add to forbidden list |
67 |
$rename_file_types = str_replace(',','|',RENAME_FILES_ON_UPLOAD); |
|
68 |
// hardcodet forbidden filetypes |
|
69 |
$forbidden_file_types = 'phtml|php5|php4|php|cgi|pl|exe|com|bat|src|'.$rename_file_types; |
|
71 |
$forbidden_file_types = preg_replace( '/\s*[,;\|#]\s*/','|',RENAME_FILES_ON_UPLOAD); |
|
70 | 72 |
// Loop through the files |
71 | 73 |
$good_uploads = 0; |
72 | 74 |
$sum_dirs = 0; |
73 | 75 |
$sum_files = 0; |
74 | 76 |
|
75 |
for($count = 1; $count <= 10; $count++) { |
|
77 |
for($count = 1; $count <= 10; $count++) |
|
78 |
{ |
|
76 | 79 |
// If file was upload to tmp |
77 |
if(isset($_FILES["file$count"]['name'])) { |
|
80 |
if(isset($_FILES["file$count"]['name'])) |
|
81 |
{ |
|
78 | 82 |
// Remove bad characters |
79 | 83 |
$filename = trim(media_filename($_FILES["file$count"]['name']),'.') ; |
80 | 84 |
// Check if there is still a filename left |
... | ... | |
82 | 86 |
$info = pathinfo($filename); |
83 | 87 |
$ext = isset($info['extension']) ? $info['extension'] : ''; |
84 | 88 |
|
85 |
if ( ($filename != '') && !preg_match("/\." . $forbidden_file_types . "$/i", $ext) ) { |
|
89 |
if ( ($filename != '') && !preg_match("/\." . $forbidden_file_types . "$/i", $ext) ) |
|
90 |
{ |
|
86 | 91 |
// Move to relative path (in media folder) |
87 | 92 |
if(file_exists($relative.$filename) AND $overwrite == true) { |
88 | 93 |
if(move_uploaded_file($_FILES["file$count"]['tmp_name'], $relative.$filename)) { |
... | ... | |
120 | 125 |
*/ |
121 | 126 |
function pclzipCheckValidFile($p_event, &$p_header) |
122 | 127 |
{ |
123 |
// return 1; |
|
124 |
$rename_file_types = str_replace(',','|',RENAME_FILES_ON_UPLOAD); |
|
125 |
// hardcodet forbidden filetypes |
|
126 |
$forbidden_file_types = 'phtml|php5|php4|php|cgi|pl|exe|com|bat|src|'.$rename_file_types; |
|
128 |
// return 1; |
|
129 |
// Check for potentially malicious files |
|
130 |
$forbidden_file_types = preg_replace( '/\s*[,;\|#]\s*/','|',RENAME_FILES_ON_UPLOAD); |
|
127 | 131 |
$info = pathinfo($p_header['filename']); |
128 | 132 |
$ext = isset($info['extension']) ? $info['extension'] : ''; |
129 | 133 |
$dots = (substr($info['basename'], 0, 1) == '.') || (substr($info['basename'], -1, 1) == '.'); |
... | ... | |
139 | 143 |
|
140 | 144 |
// If the user chose to unzip the first file, unzip into the current folder |
141 | 145 |
if (isset($_POST['unzip']) && isset($filename1) && file_exists($filename1) ) { |
146 |
// Required to unzip file. |
|
147 |
require_once(WB_PATH.'/include/pclzip/pclzip.lib.php'); |
|
142 | 148 |
$archive = new PclZip($filename1); |
143 |
|
|
144 | 149 |
$list = $archive->extract(PCLZIP_OPT_PATH, $relative,PCLZIP_CB_PRE_EXTRACT, 'pclzipCheckValidFile'); |
145 | 150 |
|
146 | 151 |
if($list == 0) { |
... | ... | |
161 | 166 |
unset($list); |
162 | 167 |
if($sum_files == 1) { |
163 | 168 |
$admin->print_success($sum_files.' '.$MESSAGE['MEDIA']['SINGLE_UPLOADED'] ); |
169 |
} elseif($sum_files > 1) { |
|
170 |
$admin->print_success($sum_files.' '.$MESSAGE['MEDIA']['UPLOADED'] ); |
|
164 | 171 |
} else { |
165 |
$admin->print_success($sum_files.' '.$MESSAGE['MEDIA']['UPLOADED'] );
|
|
172 |
$admin->print_error($MESSAGE['MEDIA_NO_FILE_UPLOADED'] );
|
|
166 | 173 |
} |
167 | 174 |
|
168 | 175 |
// Print admin |
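Review bot: On new line 89 the pattern `"/\." . $forbidden_file_types . "$/i"` is tested against `$ext`, which line 87 takes from `pathinfo()` and so has no leading dot; because the alternation is ungrouped, `\.` binds only to the first alternative and `$` only to the last, so with the list now starting with `ph.*?` (default from install/save.php) and the hardcoded `php` alternative of old line 69 gone, an extension of `php` matches nothing and a plain `.php` upload passes this check. Group and anchor the list: `if ( ($filename != '') && !preg_match('/^(?:' . $forbidden_file_types . ')$/i', $ext) )`. The `for` loop this sits in continues past the hunk, and the use of the same list inside pclzipCheckValidFile is also outside the visible lines.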
branches/2.8.x/wb/admin/interface/version.php | ||
---|---|---|
52 | 52 |
|
53 | 53 |
// check if defined to avoid errors during installation (redirect to admin panel fails if PHP error/warnings are enabled) |
54 | 54 |
if(!defined('VERSION')) define('VERSION', '2.8.2.RC7'); |
55 |
if(!defined('REVISION')) define('REVISION', '1475'); |
|
55 |
if(!defined('REVISION')) define('REVISION', '1476'); |
branches/2.8.x/wb/install/save.php | ||
---|---|---|
483 | 483 |
." ('page_extension', '.php')," |
484 | 484 |
." ('page_spacer', '-')," |
485 | 485 |
." ('pages_directory', '/pages')," |
486 |
." ('rename_files_on_upload', 'ph.*?,cgi,pl,pm,exe,com,bat,pif,cmd,src,asp,aspx')," |
|
486 | 487 |
." ('media_directory', '/media')," |
487 | 488 |
." ('operating_system', '$operating_system')," |
488 | 489 |
." ('string_file_mode', '$file_mode')," |
... | ... | |
495 | 496 |
." ('wbmailer_smtp_username', '')," |
496 | 497 |
." ('wbmailer_smtp_password', '')," |
497 | 498 |
." ('fingerprint_with_ip_octets', '3')," |
499 |
." ('secure_form_module', '')," |
|
498 | 500 |
." ('mediasettings', '')"; |
499 | 501 |
$database->query($settings_rows); |
500 | 502 |
|
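Review bot: `('fingerprint_with_ip_octets', '3')` on line 498 (context) is left at 3 while the upgrade-script hunk in this same commit changes the upgrade default to `'2'`, so fresh installs and upgraded sites end up with different session-fingerprint strictness for no documented reason. Pick one value in both places; if 2 is the intended relaxation, change this line to `." ('fingerprint_with_ip_octets', '2'),"`. A short comment next to the setting saying how many leading octets of the client IP are bound into the session fingerprint would help the next person who has to choose.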
branches/2.8.x/wb/modules/jsadmin/install.php | ||
---|---|---|
34 | 34 |
"); |
35 | 35 |
|
36 | 36 |
global $database; |
37 |
$database->query("INSERT INTO ".$table." (id,name,value) VALUES ('1','mod_jsadmin_persist_order','0')");
|
|
38 |
$database->query("INSERT INTO ".$table." (id,name,value) VALUES ('2','mod_jsadmin_ajax_order_pages','0')");
|
|
39 |
$database->query("INSERT INTO ".$table." (id,name,value) VALUES ('3','mod_jsadmin_ajax_order_sections','0')");
|
|
37 |
$database->query("INSERT INTO ".$table." (id,name,value) VALUES ('1','mod_jsadmin_persist_order','1')");
|
|
38 |
$database->query("INSERT INTO ".$table." (id,name,value) VALUES ('2','mod_jsadmin_ajax_order_pages','1')");
|
|
39 |
$database->query("INSERT INTO ".$table." (id,name,value) VALUES ('3','mod_jsadmin_ajax_order_sections','1')");
|
|
40 | 40 |
|
41 | 41 |
?> |
Added support for the wildcard ".*?" in the blacklist, e.g. ph.*? covers extensions such as php, php3, php4 etc.
+ add new settings value in install, upgrade-script and core module