upport 1.7.6 security fixes
33
docs/NEWS
33
docs/NEWS
@ -19,10 +19,39 @@ Version 2.0 ()
|
||||
* Use Smarty for backend display output
|
||||
|
||||
|
||||
|
||||
Version 1.7.4 ()
|
||||
Version 1.7.6 ()
|
||||
------------------------------------------------------------------------
|
||||
|
||||
* Fixed backend security issues, thanks to Stefan Schurtz:
|
||||
|
||||
- XSS of users realname in "Manage users" section
|
||||
(Backend, requires login)
|
||||
- XSS when creating an entry with bad id/timestamp values
|
||||
(Backend, requires login)
|
||||
- SQL-Injection for plugin installation parameter
|
||||
(Backend, requires admin login)
|
||||
|
||||
* Templatechooser plugin uses "default" template as fallback,
|
||||
not "bulletproof".
|
||||
|
||||
Version 1.7.5 (January 18th, 2014)
|
||||
------------------------------------------------------------------------
|
||||
|
||||
* Fixed textile PHP 5.2 (namespace) compat issue
|
||||
|
||||
* Added default value to spamblocks required_fields option [name,comment]
|
||||
|
||||
|
||||
Version 1.7.4 (January 11th, 2014)
|
||||
------------------------------------------------------------------------
|
||||
|
||||
* Fixed emoticate plugin icon link to check for textile class
|
||||
|
||||
* Upgrade textile plugin libs - lib3 extends to PHP >= 5.3.
|
||||
Please check for new options!
|
||||
|
||||
* Fixed spamblocks Captcha imagecreate() with PHP > 5.3 versions
|
||||
|
||||
* Smarty 3.1.16 bugfix release - please read bundled-libs/Smarty/change_log.txt
|
||||
about changes to versions 3.1.16 and 3.1.15.
|
||||
Please also see special bundled-libs/Smarty/3.1.16_RELEASE_NOTES.txt
|
||||
|
@ -168,7 +168,7 @@ switch($serendipity['GET']['adminAction']) {
|
||||
'serendipity[action]' => 'admin',
|
||||
'serendipity[adminModule]' => 'entries',
|
||||
'serendipity[adminAction]' => 'save',
|
||||
'serendipity[timestamp]' => $entry['timestamp']
|
||||
'serendipity[timestamp]' => htmlspecialchars($entry['timestamp'])
|
||||
),
|
||||
$entry
|
||||
);
|
||||
|
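Review bot: `htmlspecialchars($entry['timestamp'])` on the `serendipity[timestamp]` hidden field escapes for HTML where constraining the type would be both safer and simpler: `'serendipity[timestamp]' => (int) $entry['timestamp']`. The name suggests a unix timestamp (not verifiable from this hunk), and a cast rejects any non-numeric payload before it is carried into the save action, while the template-side `|escape:'html'` this commit also adds still covers the output context. Encoding a value that is later re-encoded by the template is harmless for digits but blurs which layer owns output escaping. The enclosing switch case starts and ends outside the hunk.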
@ -341,8 +341,11 @@ if (isset($_GET['serendipity']['plugin_to_conf'])) {
|
||||
/* Load the new plugin */
|
||||
$plugin = &serendipity_plugin_api::load_plugin($inst);
|
||||
if (!is_object($plugin)) {
|
||||
echo "<dl><dt>DEBUG: Plugin $inst not an object: " . print_r($plugin, true) . ".</dt><dd>Input: " . print_r($serendipity['GET'], true) . ".</dd><dd>This error can happen if a plugin was not properly downloaded (check your plugins directory if the requested plugin was downloaded) or the inclusion of a file failed (permissions?)</dd>";
|
||||
echo "<dt>Backtrace:</dt><dd>" . implode("<br />\n", $serendipity['debug']['pluginload']) . "<br /></dd></dl>";
|
||||
echo "DEBUG: Plugin " . htmlspecialchars($inst) . " not an object: " . htmlspecialchars(print_r($plugin, true))
|
||||
. ".<br />Input: " . htmlspecialchars(print_r($serendipity['GET'], true)) . ".<br /><br />\n\nThis error
|
||||
can happen if a plugin was not properly downloaded (check your plugins directory if the requested plugin
|
||||
was downloaded) or the inclusion of a file failed (permissions?)<br />\n";
|
||||
echo "Backtrace:<br />\n" . nl2br(htmlspecialchars(implode("\n", $serendipity['debug']['pluginload']))) . "<br />";
|
||||
}
|
||||
$bag = new serendipity_property_bag;
|
||||
$plugin->introspect($bag);
|
||||
|
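Review bot: The new `htmlspecialchars()` calls in the debug output rely on the default flags and charset, which on the PHP versions this codebase still targets leave `'` unescaped and assume ISO-8859-1 unless `default_charset` says otherwise; passing them explicitly, `htmlspecialchars($inst, ENT_QUOTES, 'UTF-8')`, makes the escaping independent of the runtime configuration. This is consistent with the `nl2br(htmlspecialchars(...))` form used for the backtrace line, which is the right order (escape first, then add markup). The dumped `$serendipity['GET']` is the raw request, so this block should stay reachable only through the admin-only `plugin_to_conf` path shown in the hunk header. The enclosing `if` block begins outside the hunk.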
@ -145,6 +145,7 @@ class serendipity_plugin_api
|
||||
$id = md5(uniqid(''));
|
||||
|
||||
$key = $plugin_class_id . ':' . $id;
|
||||
$key = serendipity_db_escape_string($key);
|
||||
|
||||
// Secure Plugin path. No leading slashes, no backslashes, no "up" directories
|
||||
$pluginPath = preg_replace('@^(/)@', '', $pluginPath);
|
||||
@ -164,7 +165,7 @@ class serendipity_plugin_api
|
||||
|
||||
$serendipity['debug']['pluginload'][] = "Installing plugin: " . print_r(func_get_args(), true);
|
||||
|
||||
$iq = "INSERT INTO {$serendipity['dbPrefix']}plugins (name, sort_order, placement, authorid, path) values ('$key', $nextidx, '$default_placement', '$authorid', '$pluginPath')";
|
||||
$iq = "INSERT INTO {$serendipity['dbPrefix']}plugins (name, sort_order, placement, authorid, path) values ('" . htmlspecialchars($key) . "', $nextidx, '$default_placement', '$authorid', '" . htmlspecialchars($pluginPath) . "')";
|
||||
$serendipity['debug']['pluginload'][] = $iq;
|
||||
serendipity_db_query($iq);
|
||||
serendipity_plugin_api::hook_event('backend_plugins_new_instance', $key, array('default_placement' => $default_placement));
|
||||
@ -179,7 +180,7 @@ class serendipity_plugin_api
|
||||
$plugin->install();
|
||||
} else {
|
||||
$serendipity['debug']['pluginload'][] = "Loading plugin failed painfully. File not found?";
|
||||
echo '<span class="msg_error">' . ERROR . ': ' . $key . ' (' . $pluginPath . ')</span>';
|
||||
echo '<span class="msg_error">' . ERROR . ': ' . htmlspecialchars($key) . ' (' . htmlspecialchars($pluginPath) . ')</span>';
|
||||
}
|
||||
|
||||
return $key;
|
||||
|
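Review bot: In the INSERT at the second hunk, `htmlspecialchars()` is HTML escaping applied inside an SQL string literal; with the default flags it does not touch `'` or `\`, so the quoting of `'$pluginPath'` is not actually protected by it, and it also stores an HTML-encoded path (`&` becomes `&amp;`) that later file lookups may not match. `$key` is already run through `serendipity_db_escape_string()` in the first hunk, so the same function is the right tool here: add `$pluginPath = serendipity_db_escape_string($pluginPath);` after the path-sanitising block and keep the query as `values ('$key', $nextidx, '$default_placement', '$authorid', '$pluginPath')`. Double-escaping `$key` also means the stored name can differ from the `return $key` value whenever the key contains an HTML-special character. `$nextidx`, `$authorid` and `$default_placement` are interpolated without visible escaping; their origin is outside these hunks, so this is only worth confirming. HTML escaping belongs where the third hunk already puts it, in the `msg_error` echo. The enclosing method starts and ends outside the hunks.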
@ -51,6 +51,15 @@ class serendipity_event_templatechooser extends serendipity_event
|
||||
serendipity_setCookie('user_template', $_REQUEST['user_template'], false);
|
||||
}
|
||||
|
||||
// If the requested template is the same as the current default template,
|
||||
// we will not set this variable. This is important so that templates/plugins
|
||||
// which detect serendipityUseTemplate can use reasonable defaults in case
|
||||
// template configuration options do not exist. Guess nobody understands
|
||||
// this explanation anyways, and who reads this stuff, heh?
|
||||
if ($_SESSION['serendipityUseTemplate'] == $eventData['template']) {
|
||||
unset($_SESSION['serendipityUseTemplate'];
|
||||
}
|
||||
|
||||
if (isset($_SESSION['serendipityUseTemplate']) ) {
|
||||
$templateInfo = serendipity_fetchTemplateInfo($_SESSION['serendipityUseTemplate']);
|
||||
$eventData['template'] = $_SESSION['serendipityUseTemplate'];
|
||||
|
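Review bot: The added `unset($_SESSION['serendipityUseTemplate'];` is missing its closing parenthesis as rendered here, which would be a parse error for the whole plugin file; if that is not a rendering artefact it needs `unset($_SESSION['serendipityUseTemplate']);`. The comparison above it reads a session key that may be absent and uses loose `==`, so `if (isset($_SESSION['serendipityUseTemplate']) && $_SESSION['serendipityUseTemplate'] === $eventData['template']) {` avoids both the notice and type juggling. The NEWS entry describes a fallback to the "default" template, but the context line still stores `$_REQUEST['user_template']` into a cookie as-is; presumably the value is validated against the installed templates elsewhere in this method, which I cannot see from the hunk. The enclosing method starts and ends outside the hunk.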
@ -61,6 +61,7 @@ class serendipity_plugin_templatedropdown extends serendipity_plugin {
|
||||
echo '<form id="theme_chooser" action="' . $url . '" method="post">';
|
||||
echo '<select name="user_template" onchange="document.getElementById(\'theme_chooser\').submit();">';
|
||||
foreach (serendipity_fetchTemplates() as $template) {
|
||||
if ($template == 'default-php' || $template == 'default-xml') continue;
|
||||
$templateInfo = serendipity_fetchTemplateInfo($template);
|
||||
echo '<option value="' . $template . '" ' . (serendipity_get_config_var('template', 'default') == $template ? 'selected="selected"' : '') . '>' . substr($templateInfo['name'], 0, 25) . '</option>';
|
||||
}
|
||||
|
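Review bot: The `<option>` echo writes `$template` into an attribute and `substr($templateInfo['name'], 0, 25)` into element content without escaping, and `$url` goes into the form's `action` attribute the same way; these come from the template directories rather than the request, so the exposure is low, but the rest of this commit adds output escaping and this spot should follow suit: `echo '<option value="' . htmlspecialchars($template) . '" ' . (serendipity_get_config_var('template', 'default') == $template ? 'selected="selected"' : '') . '>' . htmlspecialchars(substr($templateInfo['name'], 0, 25)) . '</option>';`. `substr` is byte-wise and can split a multibyte character in a user-visible name; `mb_substr` would be the usual replacement if the extension is available on the supported PHP versions. I cannot tell from the rendering which of these seven lines is the one the hunk adds. The enclosing method starts and ends outside the hunk.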
@ -6,8 +6,8 @@
|
||||
{foreach $entry_vars.hiddens as $key => $value}
|
||||
<input type="hidden" name="{$key}" value="{$value}">
|
||||
{/foreach}
|
||||
<input type="hidden" id="entryid" name="serendipity[id]" value="{$entry_vars.entry.id}">
|
||||
<input type="hidden" name="serendipity[timestamp]" value="{$entry_vars.timestamp}">
|
||||
<input type="hidden" id="entryid" name="serendipity[id]" value="{$entry_vars.entry.id|escape:'html'}">
|
||||
<input type="hidden" name="serendipity[timestamp]" value="{$entry_vars.timestamp|escape:'html'}">
|
||||
<input type="hidden" name="serendipity[preview]" value="false">
|
||||
{$entry_vars.formToken}
|
||||
<div id="edit_entry_title" class="form_field">
|
||||
@ -66,7 +66,7 @@
|
||||
<div id="meta_data" class="additional_info">
|
||||
{if $entry_vars.allowDateManipulation}
|
||||
<div id="edit_entry_timestamp" class="form_field">
|
||||
<input name="serendipity[chk_timestamp]" type="hidden" value="{$entry_vars.timestamp}">
|
||||
<input name="serendipity[chk_timestamp]" type="hidden" value="{$entry_vars.timestamp|escape:'html'}">
|
||||
|
||||
<label for="serendipityNewTimestamp">{$CONST.DATE}</label>
|
||||
<input id="serendipityNewTimestamp" name="serendipity[new_timestamp]" type="datetime-local" value="{$entry_vars.timestamp|@formatTime:'o-m-d\TH:i':true:false:true}">
|
||||
|
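Review bot: The `{$key}` and `{$value}` of `$entry_vars.hiddens` in the `{foreach}` just above the changed lines are still emitted without `|escape`, while the id and timestamp inputs directly below now have it; if any of those hiddens is populated from request data (not determinable from the template), the same treatment applies: `<input type="hidden" name="{$key|escape:'html'}" value="{$value|escape:'html'}">`. If these hiddens are the array built on the PHP side, where `serendipity[timestamp]` is already passed through `htmlspecialchars()`, escaping in both layers double-encodes `&`; for a numeric timestamp this has no effect, but one layer, conventionally the template, should own it.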
@ -44,10 +44,10 @@
|
||||
{foreach $users as $user}
|
||||
{if $user.isEditable}
|
||||
<li class="clearfix {cycle values="odd,even"}">
|
||||
<span class="user_name"><span class="icon-user"></span> {$user.realname|escape:"html"} <span class="user_level">({$user.userlevel_name})</span></span>
|
||||
<span class="user_name"><span class="icon-user"></span> {$user.realname|escape:"html"} <span class="user_level">({$user.userlevel_name|escape:'html'})</span></span>
|
||||
|
||||
<ul class="plainList clearfix edit_actions">
|
||||
<li><a class="button_link" href="{$user.authorUrl}" title="{$CONST.ENTRIES_FOR|sprintf:{$user.realname}}"><span class="icon-zoom-in"></span><span class="visuallyhidden"> {$CONST.ENTRIES_FOR|sprintf:{$user.realname}}</span></a></li>
|
||||
<li><a class="button_link" href="{$user.authorUrl}" title="{$CONST.ENTRIES_FOR|sprintf:{$user.realname|escape:'html'}}"><span class="icon-zoom-in"></span><span class="visuallyhidden"> {$CONST.ENTRIES_FOR|sprintf:{$user.realname}|escape:'html'}</span></a></li>
|
||||
<li><a class="button_link" href="?serendipity[adminModule]=users&serendipity[adminAction]=edit&serendipity[userid]={$user.authorid}#editform" title="{$CONST.EDIT} {$user.realname|escape:"html"}"><span class="icon-edit"></span><span class="visuallyhidden"> {$CONST.EDIT}</span></a></li>
|
||||
<li><a class="button_link" href="?{$urlFormToken}&serendipity[adminModule]=users&serendipity[adminAction]=delete&serendipity[userid]=$user.authorid" title="{$CONST.DELETE} {$user.realname|escape:"html"}"><span class="icon-trash"></span><span class="visuallyhidden"> {$CONST.DELETE}</span></a></li>
|
||||
</ul>
|
||||
|
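Review bot: The `serendipity[userid]=$user.authorid` in the delete link has no Smarty braces, so with default delimiters it is emitted literally rather than expanded; this is a pre-existing context line, not part of the change, but it sits next to the lines being fixed and appears to break the delete action: `serendipity[userid]={$user.authorid|escape:'url'}`. The edit link one line up interpolates `{$user.authorid}` into a URL without escaping; `|escape:'url'` there keeps it consistent with the escaping this commit adds to `realname` and `userlevel_name`. The two changed lines mix `escape:"html"` and `escape:'html'`; either is fine, but one form per file reads better.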