Index: branches/2.8.x/CHANGELOG
===================================================================
--- branches/2.8.x/CHANGELOG	(revision 1475)
+++ branches/2.8.x/CHANGELOG	(revision 1476)
@@ -11,8 +11,13 @@
 ! = Update/Change
 
 ------------------------------------- 2.8.2 ------------------------------------
+13 Jul-2011 Build 1476 Dietmar Woellbrink (Luisehahne)
+! optimize blacklist handling, add more separator ",#|;"
+  set of a wildcard ".*?" e.g. ph.*? proof ext like php, php3, php4 etc.
+# fix sctrict warnings in media if default theme ist not Argos Theme
++ add new settings value in install, upgrade-script and core module
 13 Jul-2011 Build 1475 Dietmar Woellbrink (Luisehahne)
-+ add SecureForm.mtab.php under mantennance by WebsiteBaker Community
++ add SecureForm.mtab.php under maintenance by WebsiteBaker Community
 ! security fixes media, groups, users, sections
 # change lang variable to remove upgrade-script
 ! reworked add sections in pages
Index: branches/2.8.x/wb/upgrade-script.php
===================================================================
--- branches/2.8.x/wb/upgrade-script.php	(revision 1475)
+++ branches/2.8.x/wb/upgrade-script.php	(revision 1476)
@@ -351,7 +351,8 @@
  */
 echo "<br />Adding mediasettings to settings table<br />";
 $cfg = array(
-	'mediasettings' => ''
+	'mediasettings' => '',
+	'rename_files_on_upload' => 'ph.*?,cgi,pl,pm,exe,com,bat,pif,cmd,src,asp,aspx'
 );
 foreach($cfg as $key=>$value) {
 	db_add_key_value($key, $value);
@@ -362,7 +363,8 @@
  */
 echo "<br />Adding fingerprint_with_ip_octets to settings table<br />";
 $cfg = array(
-	'fingerprint_with_ip_octets' => '3'
+	'fingerprint_with_ip_octets' => '2',
+	'secure_form_module' => ''
 );
 foreach($cfg as $key=>$value) {
 	db_add_key_value($key, $value);
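Review bot: The `fingerprint_with_ip_octets` default is changed to `'2'` here, while the fresh-install value added in install/save.php in this same commit stays at `'3'`, so upgraded and freshly installed sites end up with different fingerprint strictness. If `db_add_key_value` only inserts keys that are missing (its body is not visible here), existing installs keep whatever they had and only the fallback changes, which makes the divergence easy to miss. Either change the install value to match or keep the value aligned here: `'fingerprint_with_ip_octets' => '3',`.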
Index: branches/2.8.x/wb/admin/media/rename2.php
===================================================================
--- branches/2.8.x/wb/admin/media/rename2.php	(revision 1475)
+++ branches/2.8.x/wb/admin/media/rename2.php	(revision 1476)
@@ -2,7 +2,7 @@
 /**
  *
  * @category        admin
- * @package         admintools
+ * @package         media
  * @author          WebsiteBaker Project
  * @copyright       2004-2009, Ryan Djurovich
  * @copyright       2009-2011, Website Baker Org. e.V.
@@ -44,10 +44,8 @@
 	$admin->print_error($MESSAGE['GENERIC_SECURITY_ACCESS'],$dirlink, false);
 }
 
-// Check for potentially malicious files and append 'txt' to their name
-$rename_file_types  = str_replace(',','|',RENAME_FILES_ON_UPLOAD);
-// hardcodet forbidden filetypes
-$forbidden_file_types = 'phtml|php5|php4|php|cgi|pl|exe|com|bat|src|'.$rename_file_types;
+// Check for potentially malicious files
+$forbidden_file_types  = preg_replace( '/\s*[,;\|#]\s*/','|',RENAME_FILES_ON_UPLOAD);
 // Get home folder not to show
 $home_folders = get_home_folders();
 
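Review bot: `$forbidden_file_types` is now built solely from the `RENAME_FILES_ON_UPLOAD` setting, with the hard-coded `phtml|php5|php4|php|cgi|...` floor removed, so on an installation where that setting is empty or still unset the list collapses to an empty string and nothing is blocked. The value is also spliced unescaped into a pattern: in upload.php the check reads `preg_match("/\." . $forbidden_file_types . "$/i", $ext)`, and because the alternation is not grouped, `\.` binds only to the first alternative (`ph.*?`) and `$` only to the last; `$ext` comes from `pathinfo()` and carries no leading dot, so `ph.*?` cannot match there and the `php` family is no longer caught by that check. Group the alternation at the use sites, e.g. `preg_match('/^(?:' . $forbidden_file_types . ')$/i', $ext)`, and consider merging a minimal hard-coded baseline with the setting rather than relying on it alone. The same assignment is repeated in browse.php, rename.php and twice in upload.php (top level and inside pclzipCheckValidFile).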
Index: branches/2.8.x/wb/admin/media/setparameter.php
===================================================================
--- branches/2.8.x/wb/admin/media/setparameter.php	(revision 1475)
+++ branches/2.8.x/wb/admin/media/setparameter.php	(revision 1476)
@@ -2,7 +2,7 @@
 /**
  *
  * @category        admin
- * @package         admintools
+ * @package         media
  * @author          WebsiteBaker Project
  * @copyright       2004-2009, Ryan Djurovich
  * @copyright       2009-2011, Website Baker Org. e.V.
@@ -39,10 +39,16 @@
 		$admin->print_error('::'.$MESSAGE['GENERIC_SECURITY_ACCESS'],'browse.php',false);
 	}
 */
-	//Check for existing settings entry, if not existing, create a record first!
-	if (!$database->query ( "SELECT * FROM ".TABLE_PREFIX."settings where `name`='mediasettings'" )) {
-		$database->query ( "INSERT INTO ".TABLE_PREFIX."settings (`name`,`value`) VALUES ('mediasettings','')" );
+
+	if(DEFAULT_THEME != ' wb_theme') {
+		//Check for existing settings entry, if not existing, create a record first!
+		if (!$database->query ( "SELECT * FROM ".TABLE_PREFIX."settings where `name`='mediasettings'" )) {
+			$database->query ( "INSERT INTO ".TABLE_PREFIX."settings (`name`,`value`) VALUES ('mediasettings','')" );
+		}
+	} else {
+		$pathsettings = array();
 	}
+
 	$dirs = directory_list(WB_PATH.MEDIA_DIRECTORY);
 	$dirs[] = WB_PATH.MEDIA_DIRECTORY;
 	foreach($dirs AS $name) {
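Review bot: The comparison `DEFAULT_THEME != ' wb_theme'` on the new `if` has a leading space inside the literal, which looks like a typo for `'wb_theme'`; if so, no theme name ever equals it, the `else` branch that resets `$pathsettings` is dead, and the intended behaviour for the default theme never runs. The same literal appears in parameters.php in this commit. The retained existence check `if (!$database->query(...))` also only detects a failed query, not a missing row, whereas parameters.php uses `$query->numRows() > 0` for the same lookup. `if(DEFAULT_THEME != 'wb_theme') {` together with a `numRows()` check would bring the two files in line.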
Index: branches/2.8.x/wb/admin/media/browse.php
===================================================================
--- branches/2.8.x/wb/admin/media/browse.php	(revision 1475)
+++ branches/2.8.x/wb/admin/media/browse.php	(revision 1476)
@@ -156,9 +156,8 @@
 	$usedFiles = $Dse->getMatchesFromDir( $currentdir, DseTwo::RETURN_USED);
 }
 
-$rename_file_types  = str_replace(',','|',RENAME_FILES_ON_UPLOAD);
-// hardcodet forbidden filetypes
-$forbidden_file_types = 'phtml|php5|php4|php|cgi|pl|exe|com|bat|src|'.$rename_file_types;
+// Check for potentially malicious files
+$forbidden_file_types  = preg_replace( '/\s*[,;\|#]\s*/','|',RENAME_FILES_ON_UPLOAD);
 
 if($handle = opendir(WB_PATH.MEDIA_DIRECTORY.'/'.$directory)) {
 	// Loop through the files and dirs an add to list
Index: branches/2.8.x/wb/admin/media/parameters.php
===================================================================
--- branches/2.8.x/wb/admin/media/parameters.php	(revision 1475)
+++ branches/2.8.x/wb/admin/media/parameters.php	(revision 1476)
@@ -2,7 +2,7 @@
 /**
  *
  * @category        admin
- * @package         admintools
+ * @package         media
  * @author          WebsiteBaker Project
  * @copyright       2004-2009, Ryan Djurovich
  * @copyright       2009-2011, Website Baker Org. e.V.
@@ -24,11 +24,13 @@
 	return unserialize($__ret);
 }
 $pathsettings = array();
-$query = $database->query ( "SELECT * FROM ".TABLE_PREFIX."settings where `name`='mediasettings'" );
-if ($query && $query->numRows() > 0) {
-	$settings = $query->fetchRow();
-	$pathsettings = __unserialize($settings['value']);
-} else {
-	$database->query ( "INSERT INTO ".TABLE_PREFIX."settings (`name`,`value`) VALUES ('mediasettings','')" );
+if(DEFAULT_THEME != ' wb_theme') {
+	$query = $database->query ( "SELECT * FROM ".TABLE_PREFIX."settings where `name`='mediasettings'" );
+	if ($query && $query->numRows() > 0) {
+		$settings = $query->fetchRow();
+		$pathsettings = __unserialize($settings['value']);
+	} else {
+		$database->query ( "INSERT INTO ".TABLE_PREFIX."settings (`name`,`value`) VALUES ('mediasettings','')" );
+	}
 }
 
Index: branches/2.8.x/wb/admin/media/rename.php
===================================================================
--- branches/2.8.x/wb/admin/media/rename.php	(revision 1475)
+++ branches/2.8.x/wb/admin/media/rename.php	(revision 1476)
@@ -2,7 +2,7 @@
 /**
  *
  * @category        admin
- * @package         admintools
+ * @package         media
  * @author          WebsiteBaker Project
  * @copyright       2004-2009, Ryan Djurovich
  * @copyright       2009-2011, Website Baker Org. e.V.
@@ -45,10 +45,8 @@
 
 // Get home folder not to show
 $home_folders = get_home_folders();
-// Check for potentially malicious files and append 'txt' to their name
-$rename_file_types  = str_replace(',','|',RENAME_FILES_ON_UPLOAD);
-// hardcodet forbidden filetypes
-$forbidden_file_types = 'phtml|php5|php4|php|cgi|pl|exe|com|bat|src|'.$rename_file_types;
+// Check for potentially malicious files
+$forbidden_file_types  = preg_replace( '/\s*[,;\|#]\s*/','|',RENAME_FILES_ON_UPLOAD);
 
 // Figure out what folder name the temp id is
 if($handle = opendir(WB_PATH.MEDIA_DIRECTORY.'/'.$directory)) {
Index: branches/2.8.x/wb/admin/media/upload.php
===================================================================
--- branches/2.8.x/wb/admin/media/upload.php	(revision 1475)
+++ branches/2.8.x/wb/admin/media/upload.php	(revision 1476)
@@ -2,7 +2,7 @@
 /**
  *
  * @category        admin
- * @package         admintools
+ * @package         media
  * @author          WebsiteBaker Project
  * @copyright       2004-2009, Ryan Djurovich
  * @copyright       2009-2011, Website Baker Org. e.V.
@@ -41,6 +41,10 @@
 // Include the WB functions file
 require_once(WB_PATH.'/framework/functions.php');
 
+$directory = ($target == '/') ?  '' : $target;
+$dirlink = 'index.php?dir='.$directory;
+$rootlink = 'index.php?dir=';
+
 // Check to see if target contains ../
 if (!check_media_path($target, false))
 {
@@ -64,17 +68,17 @@
 
 $file_extensions=explode(",",$file_extension_string);
 // get from settings and add to forbidden list
-$rename_file_types  = str_replace(',','|',RENAME_FILES_ON_UPLOAD);
-// hardcodet forbidden filetypes
-$forbidden_file_types = 'phtml|php5|php4|php|cgi|pl|exe|com|bat|src|'.$rename_file_types;
+$forbidden_file_types  = preg_replace( '/\s*[,;\|#]\s*/','|',RENAME_FILES_ON_UPLOAD);
 // Loop through the files
 $good_uploads = 0;
 $sum_dirs = 0;
 $sum_files = 0;
 
-for($count = 1; $count <= 10; $count++) {
+for($count = 1; $count <= 10; $count++)
+{
 	// If file was upload to tmp
-	if(isset($_FILES["file$count"]['name'])) {
+	if(isset($_FILES["file$count"]['name']))
+	{
 		// Remove bad characters
 		$filename = trim(media_filename($_FILES["file$count"]['name']),'.') ;
 		// Check if there is still a filename left
@@ -82,7 +86,8 @@
 		$info = pathinfo($filename);
 		$ext = isset($info['extension']) ? $info['extension'] : '';
 
-		if ( ($filename != '') && !preg_match("/\." . $forbidden_file_types . "$/i", $ext) ) {
+		if ( ($filename != '') && !preg_match("/\." . $forbidden_file_types . "$/i", $ext) )
+		{
 			// Move to relative path (in media folder)
 			if(file_exists($relative.$filename) AND $overwrite == true) {
 				if(move_uploaded_file($_FILES["file$count"]['tmp_name'], $relative.$filename)) {
@@ -120,10 +125,9 @@
  */
 function pclzipCheckValidFile($p_event, &$p_header)
 {
-                         //  return 1;
-	$rename_file_types  = str_replace(',','|',RENAME_FILES_ON_UPLOAD);
-	// hardcodet forbidden filetypes
-	$forbidden_file_types = 'phtml|php5|php4|php|cgi|pl|exe|com|bat|src|'.$rename_file_types;
+    //  return 1;
+// Check for potentially malicious files
+	$forbidden_file_types  = preg_replace( '/\s*[,;\|#]\s*/','|',RENAME_FILES_ON_UPLOAD);
 	$info = pathinfo($p_header['filename']);
 	$ext = isset($info['extension']) ? $info['extension'] : '';
 	$dots = (substr($info['basename'], 0, 1) == '.') || (substr($info['basename'], -1, 1) == '.');
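Review bot: The two comment lines added at the top of pclzipCheckValidFile are indented inconsistently with the rest of the body — `    //  return 1;` uses four spaces and `// Check for potentially malicious files` sits at column 0, while the surrounding lines use a tab. The commented-out `return 1;` is debugging residue and could simply be dropped, leaving a single tab-indented `	// Check for potentially malicious files`. The function's extension check and return path continue outside the hunk.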
@@ -139,8 +143,9 @@
 
 // If the user chose to unzip the first file, unzip into the current folder
 if (isset($_POST['unzip']) && isset($filename1) && file_exists($filename1) ) {
+	// Required to unzip file.
+	require_once(WB_PATH.'/include/pclzip/pclzip.lib.php');
 	$archive = new PclZip($filename1);
-
 	$list = $archive->extract(PCLZIP_OPT_PATH, $relative,PCLZIP_CB_PRE_EXTRACT, 'pclzipCheckValidFile');
 
 	if($list == 0) {
@@ -161,8 +166,10 @@
 unset($list);
 if($sum_files == 1) {
 	$admin->print_success($sum_files.' '.$MESSAGE['MEDIA']['SINGLE_UPLOADED'] );
+} elseif($sum_files > 1) {
+	$admin->print_success($sum_files.' '.$MESSAGE['MEDIA']['UPLOADED'] );
 } else {
-	$admin->print_success($sum_files.' '.$MESSAGE['MEDIA']['UPLOADED'] );
+	$admin->print_error($MESSAGE['MEDIA_NO_FILE_UPLOADED'] );
 }
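Review bot: The new error branch reads `$MESSAGE['MEDIA_NO_FILE_UPLOADED']`, a flat key, whereas the two success branches beside it use the nested `$MESSAGE['MEDIA'][...]` form; if the language files follow the nested layout this key is undefined and `print_error` receives null along with an undefined-index notice. The language file is not part of the diff, so this may be intended, but the key should be confirmed to exist; otherwise the line would be `$admin->print_error($MESSAGE['MEDIA']['NO_FILE_UPLOADED'] );`.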
 
 // Print admin
Index: branches/2.8.x/wb/admin/interface/version.php
===================================================================
--- branches/2.8.x/wb/admin/interface/version.php	(revision 1475)
+++ branches/2.8.x/wb/admin/interface/version.php	(revision 1476)
@@ -52,4 +52,4 @@
 
 // check if defined to avoid errors during installation (redirect to admin panel fails if PHP error/warnings are enabled)
 if(!defined('VERSION')) define('VERSION', '2.8.2.RC7');
-if(!defined('REVISION')) define('REVISION', '1475');
+if(!defined('REVISION')) define('REVISION', '1476');
Index: branches/2.8.x/wb/install/save.php
===================================================================
--- branches/2.8.x/wb/install/save.php	(revision 1475)
+++ branches/2.8.x/wb/install/save.php	(revision 1476)
@@ -483,6 +483,7 @@
 	." ('page_extension', '.php'),"
 	." ('page_spacer', '-'),"
 	." ('pages_directory', '/pages'),"
+	." ('rename_files_on_upload', 'ph.*?,cgi,pl,pm,exe,com,bat,pif,cmd,src,asp,aspx'),"
 	." ('media_directory', '/media'),"
 	." ('operating_system', '$operating_system'),"
 	." ('string_file_mode', '$file_mode'),"
@@ -495,6 +496,7 @@
 	." ('wbmailer_smtp_username', ''),"
 	." ('wbmailer_smtp_password', ''),"
 	." ('fingerprint_with_ip_octets', '3'),"
+	." ('secure_form_module', ''),"
 	." ('mediasettings', '')";
 	$database->query($settings_rows);
 	
Index: branches/2.8.x/wb/modules/jsadmin/install.php
===================================================================
--- branches/2.8.x/wb/modules/jsadmin/install.php	(revision 1475)
+++ branches/2.8.x/wb/modules/jsadmin/install.php	(revision 1476)
@@ -34,8 +34,8 @@
 ");
 
 global $database;
-$database->query("INSERT INTO ".$table." (id,name,value) VALUES ('1','mod_jsadmin_persist_order','0')");
-$database->query("INSERT INTO ".$table." (id,name,value) VALUES ('2','mod_jsadmin_ajax_order_pages','0')");
-$database->query("INSERT INTO ".$table." (id,name,value) VALUES ('3','mod_jsadmin_ajax_order_sections','0')");
+$database->query("INSERT INTO ".$table." (id,name,value) VALUES ('1','mod_jsadmin_persist_order','1')");
+$database->query("INSERT INTO ".$table." (id,name,value) VALUES ('2','mod_jsadmin_ajax_order_pages','1')");
+$database->query("INSERT INTO ".$table." (id,name,value) VALUES ('3','mod_jsadmin_ajax_order_sections','1')");
 
 ?>
\ No newline at end of file
