From: Jan P. <mi...@us...> - 2005-10-29 19:30:04
Update of /cvsroot/xoops/xoops2 In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv28953 Modified Files: Tag: xoops2_2_3-branch changelog.txt Log Message: Version and changelog updated Index: changelog.txt =================================================================== RCS file: /cvsroot/xoops/xoops2/changelog.txt,v retrieving revision 1.1.2.5.2.57 retrieving revision 1.1.2.5.2.58 diff -C2 -d -r1.1.2.5.2.57 -r1.1.2.5.2.58 *** changelog.txt 1 Oct 2005 12:50:58 -0000 1.1.2.5.2.57 --- changelog.txt 29 Oct 2005 19:29:54 -0000 1.1.2.5.2.58 *************** *** 1,5 **** ============================ ! YYYY/MM/DD: Version 2.2.3 ============================ - Added fallback in Authfactory to use XOOPS auth in case of the selected method's class file is inaccessible (phppp) - Changed quoteString() to put ' on all non-integers instead of just all strings (Mithrandir) --- 1,11 ---- ============================ ! 2005/10/30: Version 2.2.3 Final ============================ + - SECURITY: Fix to prevent mail headers injection (Skalpa/XOOPS Cube) + - SECURITY: Fix to prevent endless loop in PHPMailer (Skalpa/Minahito) + - SECURITY: Fix to prevent XSS in the textsanitizer (Skalpa/XOOPS Cube) + - SECURITY: Fix to prevent XSS in newbb and the comments system (Skalpa/Keigo Yamazaki of Little eArth Corporation Co., Ltd.) + - SECURITY: Vaporfix to prevent uploading of invalid images (Skalpa/XOOPS Cube) + - Added fallback in Authfactory to use XOOPS auth in case of the selected method's class file is inaccessible (phppp) - Changed quoteString() to put ' on all non-integers instead of just all strings (Mithrandir) |
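Review bot: the five SECURITY entries in the changelog hunk (1,11) don't name the branch they were merged from, while the merge commits in this batch cite hotfix-051015-branch; adding that reference, and the files touched, lets a reader tie each entry back to its change. The "Vaporfix" wording for the upload entry is also unclear; say what the change does: an upload carrying an image extension is now rejected when getimagesize() cannot parse its content.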
From: Jan P. <mi...@us...> - 2005-10-29 19:30:02
Update of /cvsroot/xoops/xoops2/include In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv28953/include Modified Files: Tag: xoops2_2_3-branch version.php Log Message: Version and changelog updated Index: version.php =================================================================== RCS file: /cvsroot/xoops/xoops2/include/version.php,v retrieving revision 1.18.4.9 retrieving revision 1.18.4.9.2.1 diff -C2 -d -r1.18.4.9 -r1.18.4.9.2.1 *** version.php 14 Aug 2005 18:38:14 -0000 1.18.4.9 --- version.php 29 Oct 2005 19:29:54 -0000 1.18.4.9.2.1 *************** *** 1,4 **** <?php // $Id$ ! define("XOOPS_VERSION","XOOPS 2.2.2"); ?> \ No newline at end of file --- 1,4 ---- <?php // $Id$ ! define("XOOPS_VERSION","XOOPS 2.2.3 Final"); ?> \ No newline at end of file |
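Review bot: XOOPS_VERSION now carries a " Final" suffix ("XOOPS 2.2.3 Final"), so anything that parses or compares this constant as a plain version number (update checks, module compatibility tests) has to tolerate the extra word; consider keeping the constant numeric and putting the release label in a separate constant.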
From: Jan P. <mi...@us...> - 2005-10-29 19:29:45
Update of /cvsroot/xoops/xoops2/modules/profile/include In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv28890/modules/profile/include Modified Files: Tag: xoops2_2_3-branch functions.php Log Message: Added textsanitizer use Index: functions.php =================================================================== RCS file: /cvsroot/xoops/xoops2/modules/profile/include/functions.php,v retrieving revision 1.1.2.9.2.1 retrieving revision 1.1.2.9.2.2 diff -C2 -d -r1.1.2.9.2.1 -r1.1.2.9.2.2 *** functions.php 28 Sep 2005 20:11:56 -0000 1.1.2.9.2.1 --- functions.php 29 Oct 2005 19:29:38 -0000 1.1.2.9.2.2 *************** *** 128,131 **** --- 128,132 ---- $stop = ""; $uname = trim($uname); + $myts = MyTextSanitizer::getInstance(); if ($oldpass == "") { $stop .= _PROFILE_MA_ENTERPWD; *************** *** 134,138 **** //check if $oldpass is correct $member_handler =& xoops_gethandler('member'); ! if (!$member_handler->loginUser(addslashes($uname), addslashes($oldpass))) { $stop .= _PROFILE_MA_WRONGPASSWORD; } --- 135,139 ---- //check if $oldpass is correct $member_handler =& xoops_gethandler('member'); ! if (!$member_handler->loginUser($myts->addSlashes($uname), $myts->addSlashes($oldpass))) { $stop .= _PROFILE_MA_WRONGPASSWORD; } *************** *** 144,148 **** if ( ($newpass != $vpass) ) { $stop .= _PROFILE_MA_PASSNOTSAME.'<br />'; ! } elseif ( ($newpass != '') && (strlen($newpass) < $xoopsModuleConfig['minpass']) ) { $stop .= sprintf(_PROFILE_MA_PWDTOOSHORT,$xoopsModuleConfig['minpass'])."<br />"; } --- 145,149 ---- if ( ($newpass != $vpass) ) { $stop .= _PROFILE_MA_PASSNOTSAME.'<br />'; ! } elseif ( ($newpass != '') && (strlen($myts->stripSlashesGPC($newpass)) < $xoopsModuleConfig['minpass']) ) { $stop .= sprintf(_PROFILE_MA_PWDTOOSHORT,$xoopsModuleConfig['minpass'])."<br />"; } |
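Review bot: in the first hunk (128,132) `$myts = MyTextSanitizer::getInstance();` assigns the singleton by value; the contact module change in this same batch uses `$myts =& MyTextSanitizer::getInstance();`, which is the PHP 4 idiom for holding a reference to the shared instance rather than a copy. Use the reference form here for consistency.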
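Review bot: the third hunk (145,149) now measures the minimum length on `$myts->stripSlashesGPC($newpass)` while `$newpass` itself is still carried forward with its GPC slashes, so please confirm that the code which later hashes and stores the password strips them too; otherwise the length check and the stored value are computed on different strings. The `$newpass != $vpass` comparison on the line above is unaffected, since both values come through the same magic_quotes path.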
From: Jan P. <mi...@us...> - 2005-10-29 19:29:20
Update of /cvsroot/xoops/xoops2/class In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv28805/class Modified Files: Tag: xoops2_2_3-branch theme.php Log Message: Disabled GZip compression until we find out why it causes blank pages Index: theme.php =================================================================== RCS file: /cvsroot/xoops/xoops2/class/theme.php,v retrieving revision 1.1.2.17.2.4 retrieving revision 1.1.2.17.2.5 diff -C2 -d -r1.1.2.17.2.4 -r1.1.2.17.2.5 *** theme.php 18 Sep 2005 12:51:16 -0000 1.1.2.17.2.4 --- theme.php 29 Oct 2005 19:29:10 -0000 1.1.2.17.2.5 *************** *** 140,178 **** if ( $this->bufferOutput ) { global $xoopsConfig; - //if Gzip is enabled and debug is turned off - if ( $xoopsConfig['gzip_compression'] == 1 && ($xoopsConfig['debug_mode'] == array(0 => 0) || $xoopsConfig['debug_mode'] == array())) - { - $ob_started = false; - $phpver = phpversion(); - $useragent = ( isset( $_SERVER["HTTP_USER_AGENT"] ) ) ? $_SERVER["HTTP_USER_AGENT"] : ""; ! if ( $phpver >= '4.0.4pl1' && ( strstr( $useragent, 'compatible' ) || strstr( $useragent, 'Gecko' ) ) ) ! { ! if ( extension_loaded( 'zlib' ) ) { ! ob_start( 'ob_gzhandler' ); ! $ob_started = true; ! } ! } ! else if ( $phpver > '4.0' ) ! { ! if ( strstr( $_SERVER['HTTP_ACCEPT_ENCODING'], 'gzip' ) ) ! { ! if ( extension_loaded( 'zlib' ) ) ! { ! ob_start(); ! ob_implicit_flush( 0 ); ! header( 'Content-Encoding: gzip' ); ! $ob_started = true; ! } ! } ! } ! if (!$ob_started) { ! ob_start(); ! } ! } ! else ! { ! ob_start(); ! } } --- 140,182 ---- if ( $this->bufferOutput ) { global $xoopsConfig; ! //if Gzip is enabled and debug is turned off ! // DISABLED for XOOPS 2.2.3 until we figure out, why it won't work in some configurations - Mith. ! // @TODO: Find out why gzip_compression gives blank pages ! // if ( $xoopsConfig['gzip_compression'] == 1 && ($xoopsConfig['debug_mode'] == array(0 => 0) || $xoopsConfig['debug_mode'] == array())) ! // { ! // $ob_started = false; ! 
// $phpver = phpversion(); ! // $useragent = ( isset( $_SERVER["HTTP_USER_AGENT"] ) ) ? $_SERVER["HTTP_USER_AGENT"] : ""; ! // ! // if ( $phpver >= '4.0.4pl1' && ( strstr( $useragent, 'compatible' ) || strstr( $useragent, 'Gecko' ) ) ) ! // { ! // if ( extension_loaded( 'zlib' ) ) { ! // ob_start( 'ob_gzhandler' ); ! // $ob_started = true; ! // } ! // } ! // else if ( $phpver > '4.0' ) ! // { ! // if ( strstr( $_SERVER['HTTP_ACCEPT_ENCODING'], 'gzip' ) ) ! // { ! // if ( extension_loaded( 'zlib' ) ) ! // { ! // ob_start(); ! // ob_implicit_flush( 0 ); ! // header( 'Content-Encoding: gzip' ); ! // $ob_started = true; ! // } ! // } ! // } ! // if (!$ob_started) { ! // ob_start(); ! // } ! // } ! // else ! // { ! // ob_start(); ! // } ! ob_start(); } *************** *** 275,279 **** } } ! //assign JavaScript $this->tplEngine->assign('xoops_js', '//--></script>'.implode('', $this->getJS()).'<script type="text/javascript"><!--'); --- 279,283 ---- } } ! //assign JavaScript $this->tplEngine->assign('xoops_js', '//--></script>'.implode('', $this->getJS()).'<script type="text/javascript"><!--'); *************** *** 287,292 **** if(isset($xoopsOption["xoops_module_header"])){ $this->tplEngine->assign('xoops_module_header', $xoopsOption["xoops_module_header"]); ! } ! //Assign main content if ( !empty( $contentTemplate ) ) { --- 291,296 ---- if(isset($xoopsOption["xoops_module_header"])){ $this->tplEngine->assign('xoops_module_header', $xoopsOption["xoops_module_header"]); ! } ! //Assign main content if ( !empty( $contentTemplate ) ) { *************** *** 296,300 **** $content .= $this->tplEngine->fetch( $contentTemplate, $this->getCachedTemplateId() ); } ! $this->tplEngine->assign( 'xoops_contents', $content ); --- 300,304 ---- $content .= $this->tplEngine->fetch( $contentTemplate, $this->getCachedTemplateId() ); } ! $this->tplEngine->assign( 'xoops_contents', $content ); *************** *** 508,512 **** /** ! 
* Function: Creates a pretty menu and navigation bar above your module admin page * * I've nicked the basis of this from functions.php,v 1.2 of the new Profiles module --- 512,516 ---- /** ! * Function: Creates a pretty menu and navigation bar above your module admin page * * I've nicked the basis of this from functions.php,v 1.2 of the new Profiles module *************** *** 547,551 **** } } ! /** * Checks the cache of the current page template (if set in $xoopsOption) --- 551,555 ---- } } ! /** * Checks the cache of the current page template (if set in $xoopsOption) *************** *** 571,575 **** //serve page $this->display($xoopsCachedTemplate); ! global $xoopsLogger, $xoopsUser; $xoopsLogger->stopTime(); --- 575,579 ---- //serve page $this->display($xoopsCachedTemplate); ! global $xoopsLogger, $xoopsUser; $xoopsLogger->stopTime(); |
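Review bot: the commented-out code in the 140,182 hunk may already show the cause the @TODO is looking for: the `else if ( $phpver > '4.0' )` branch calls plain `ob_start()` and then sends `header( 'Content-Encoding: gzip' )` without installing `ob_gzhandler`, so unless the buffer is gzip-compressed somewhere before it is flushed, the browser receives an uncompressed body labelled as gzip and renders nothing. If that is what happens, the fix is `ob_start( 'ob_gzhandler' )` in both branches rather than leaving the whole block commented out. Separately, `$phpver >= '4.0.4pl1'` is a string comparison; `version_compare()` is the reliable check, and `$_SERVER['HTTP_ACCEPT_ENCODING']` is read without an `isset()` guard.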
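Review bot: the hunks at 275,279, 287,292, 296,300, 508,512, 547,551 and 571,575 are whitespace-only (each `!` line pair differs only in indentation) and are mixed into a functional commit; committing them separately keeps the `cvs diff` for the gzip change readable.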
From: Skalpa K. <sk...@us...> - 2005-10-28 01:51:03
Update of /cvsroot/xoops/xoops2/include In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv6149/include Modified Files: Tag: xoops2_2_3-branch functions.php Log Message: Merging the security fixes from the hotfix-051015-branch to the current 2.2 branch Index: functions.php =================================================================== RCS file: /cvsroot/xoops/xoops2/include/functions.php,v retrieving revision 1.69.6.4.2.31.2.6 retrieving revision 1.69.6.4.2.31.2.7 diff -C2 -d -r1.69.6.4.2.31.2.6 -r1.69.6.4.2.31.2.7 *** functions.php 1 Oct 2005 12:48:02 -0000 1.69.6.4.2.31.2.6 --- functions.php 28 Oct 2005 01:50:55 -0000 1.69.6.4.2.31.2.7 *************** *** 312,319 **** $email = str_replace("@", " at ", $email); $email = str_replace(".", " dot ", $email); - return $email; - } else { - return true; } } --- 312,317 ---- $email = str_replace("@", " at ", $email); $email = str_replace(".", " dot ", $email); } + return $email; } *************** *** 396,400 **** { global $xoopsConfig, $xoopsLogger, $xTheme, $xoopsOption, $xoopsModule, $xoopsUser, $xoopsTpl; ! if (preg_match('/\b(java)?script:/si', $url) ) { if (!preg_match('/^\b(java)?script:([\s]*)history\.go\(-[0-9]*\)([\s]*[;]*[\s]*)$/si', $url) ) { $url = XOOPS_URL; --- 394,398 ---- { global $xoopsConfig, $xoopsLogger, $xTheme, $xoopsOption, $xoopsModule, $xoopsUser, $xoopsTpl; ! if ( preg_match( "/[\\0-\\31]|about:|script:/i", $url) ) { if (!preg_match('/^\b(java)?script:([\s]*)history\.go\(-[0-9]*\)([\s]*[;]*[\s]*)$/si', $url) ) { $url = XOOPS_URL; |
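Review bot: the 312,319 hunk changes the return contract of this email check: it previously returned `true` when no anti-spam rewriting was needed and the rewritten string otherwise, and now returns `$email` in both cases. That is exactly what the new contact-module guard in this batch (`if ( ! ( $usersEmail = checkEmail( ... ) ) )`) relies on, so the two changes must ship together, and any existing caller that tests for `=== true` should be checked.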
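Review bot: in the 396,400 hunk the new pattern `"/[\\0-\\31]|about:|script:/i"` reaches PCRE as `[\0-\31]`, and inside a character class `\31` is octal 31, i.e. byte 0x19, so the range stops short of 0x1A-0x1F. CR and LF are still caught, which is what matters here, but `[\x00-\x1f]` (the form module.textsanitizer.php uses in this same merge) states the intent exactly. Note also that the allowance check on the following context line still uses the old `(java)?script:` regex, so the `history.go(-N)` exemption only applies to those two spellings.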
From: Skalpa K. <sk...@us...> - 2005-10-28 01:48:22
Update of /cvsroot/xoops/xoops2/modules/system/blocks In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv5802/modules/system/blocks Modified Files: Tag: xoops2_2_3-branch system_blocks.php Log Message: Merging the security fixes from the hotfix-051015-branch to the current 2.2 branch Index: system_blocks.php =================================================================== RCS file: /cvsroot/xoops/xoops2/modules/system/blocks/system_blocks.php,v retrieving revision 1.43.4.1.2.14.2.1 retrieving revision 1.43.4.1.2.14.2.2 diff -C2 -d -r1.43.4.1.2.14.2.1 -r1.43.4.1.2.14.2.2 *** system_blocks.php 18 Sep 2005 14:34:32 -0000 1.43.4.1.2.14.2.1 --- system_blocks.php 28 Oct 2005 01:48:15 -0000 1.43.4.1.2.14.2.2 *************** *** 385,389 **** $com['id'] = $i; $com['title'] = '<a href="'.XOOPS_URL.'/modules/'.$modules[$mid]->getVar('dirname').'/'.$comment_config[$mid]['pageName'].'?'.$comment_config[$mid]['itemName'].'='.$comments[$i]->getVar('com_itemid').'&com_id='.$i.'&com_rootid='.$comments[$i]->getVar('com_rootid').'&'.$comments[$i]->getVar('com_exparams').'#comment'.$i.'">'.$comments[$i]->getVar('com_title').'</a>'; ! $com['icon'] = $comments[$i]->getVar('com_icon'); $com['icon'] = ($com['icon'] != '') ? "subject/".$com['icon'] : 'subject/icon1.gif'; $com['time'] = formatTimestamp($comments[$i]->getVar('com_created'),'m'); --- 385,389 ---- $com['id'] = $i; $com['title'] = '<a href="'.XOOPS_URL.'/modules/'.$modules[$mid]->getVar('dirname').'/'.$comment_config[$mid]['pageName'].'?'.$comment_config[$mid]['itemName'].'='.$comments[$i]->getVar('com_itemid').'&com_id='.$i.'&com_rootid='.$comments[$i]->getVar('com_rootid').'&'.$comments[$i]->getVar('com_exparams').'#comment'.$i.'">'.$comments[$i]->getVar('com_title').'</a>'; ! $com['icon'] = htmlspecialchars( $comments[$i]->getVar('com_icon'), ENT_QUOTES ); $com['icon'] = ($com['icon'] != '') ? "subject/".$com['icon'] : 'subject/icon1.gif'; $com['time'] = formatTimestamp($comments[$i]->getVar('com_created'),'m'); |
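Review bot: `htmlspecialchars( ..., ENT_QUOTES )` on `com_icon` in the 385,389 hunk stops the value from breaking out of the `src` attribute, but the value is still used as a path segment under `subject/`; restricting it with `basename()` or checking it against the icon files that actually exist in images/subject/ validates the data itself rather than only its HTML encoding, and would cover every other place the icon name is printed. Independently of this fix, the `&` separators in the `href` on the preceding context line should be `&amp;` for valid HTML.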
From: Skalpa K. <sk...@us...> - 2005-10-28 01:46:10
Update of /cvsroot/xoops/xoops2/modules/system/admin/comments In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv5438/modules/system/admin/comments Modified Files: Tag: xoops2_2_3-branch main.php Log Message: Merging the security fixes from the hotfix-051015-branch to the current 2.2 branch Index: main.php =================================================================== RCS file: /cvsroot/xoops/xoops2/modules/system/admin/comments/main.php,v retrieving revision 1.12.6.2 retrieving revision 1.12.6.2.2.1 diff -C2 -d -r1.12.6.2 -r1.12.6.2.2.1 *** main.php 31 Mar 2005 18:39:28 -0000 1.12.6.2 --- main.php 28 Oct 2005 01:46:02 -0000 1.12.6.2.2.1 *************** *** 125,129 **** } } ! $icon = ($comments[$i]->getVar('com_icon') != '') ? '<img src="'.XOOPS_URL.'/images/subject/'.$comments[$i]->getVar('com_icon').'" alt="" />' : '<img src="'.XOOPS_URL.'/images/icons/no_posticon.gif" alt="" />'; echo '<tr align="center"><td class="'.$class.'">'.$icon.'</td><td class="'.$class.'" align="left"><a href="admin.php?fct=comments&op=jump&com_id='.$i.'">'. $comments[$i]->getVar('com_title').'</a></td><td class="'.$class.'">'.formatTimestamp($comments[$i]->getVar('com_created'), 'm').'</td><td class="'.$class.'">'.$poster_uname.'</td><td class="'.$class.'">'.$comments[$i]->getVar('com_ip').'</td><td class="'.$class.'">'.$module_array[$comments[$i]->getVar('com_modid')].'</td><td class="'.$class.'">'.$status_array2[$comments[$i]->getVar('com_status')].'</td><td class="'.$class.'" align="right"><a href="admin/comments/comment_edit.php?com_id='.$i.'">'._EDIT.'</a> <a href="admin/comments/comment_delete.php?com_id='.$i.'">'._DELETE.'</a></td></tr>'; } --- 125,132 ---- } } ! $icon = $comments[$i]->getVar('com_icon'); ! $icon = empty( $icon ) ? '/images/icons/no_posticon.gif' : ( '/images/subject/' . htmlspecialchars( $icon, ENT_QUOTES ) ); ! $icon = '<img src="' . XOOPS_URL . $icon . '" alt="" />'; ! 
echo '<tr align="center"><td class="'.$class.'">'.$icon.'</td><td class="'.$class.'" align="left"><a href="admin.php?fct=comments&op=jump&com_id='.$i.'">'. $comments[$i]->getVar('com_title').'</a></td><td class="'.$class.'">'.formatTimestamp($comments[$i]->getVar('com_created'), 'm').'</td><td class="'.$class.'">'.$poster_uname.'</td><td class="'.$class.'">'.$comments[$i]->getVar('com_ip').'</td><td class="'.$class.'">'.$module_array[$comments[$i]->getVar('com_modid')].'</td><td class="'.$class.'">'.$status_array2[$comments[$i]->getVar('com_status')].'</td><td class="'.$class.'" align="right"><a href="admin/comments/comment_edit.php?com_id='.$i.'">'._EDIT.'</a> <a href="admin/comments/comment_delete.php?com_id='.$i.'">'._DELETE.'</a></td></tr>'; } |
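Review bot: the 125,132 hunk replaces the `!= ''` test with `empty( $icon )`, which additionally treats the string "0" as no icon; harmless in practice, but `$icon === ''` would preserve the old semantics exactly. The same `htmlspecialchars( ..., ENT_QUOTES )` call is now written inline in several files across this merge; a single helper (commentrenderer.php already has `_getTitleIcon()`) would keep the escaping rule in one place so the next icon output does not miss it.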
From: Skalpa K. <sk...@us...> - 2005-10-28 01:42:27
Update of /cvsroot/xoops/xoops2/class In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv4967/class Modified Files: Tag: xoops2_2_3-branch commentrenderer.php module.textsanitizer.php uploader.php Log Message: Merging the security fixes from the hotfix-051015-branch to the current 2.2 branch Index: uploader.php =================================================================== RCS file: /cvsroot/xoops/xoops2/class/uploader.php,v retrieving revision 1.16.6.4 retrieving revision 1.16.6.4.2.1 diff -C2 -d -r1.16.6.4 -r1.16.6.4.2.1 *** uploader.php 16 Jun 2005 07:52:09 -0000 1.16.6.4 --- uploader.php 28 Oct 2005 01:42:20 -0000 1.16.6.4.2.1 *************** *** 189,194 **** } } - $this->errors = array(); if (intval($this->mediaSize) < 0) { $this->setErrors(_ER_UP_INVALIDFILESIZE); --- 189,200 ---- } } $this->errors = array(); + if ( $ext && in_array( $ext, array( 'gif', 'jpg', 'jpeg', 'png', 'bmp', 'xbm' ) ) ) { + // Prevent sending of invalid images that would crash IE + if ( ! ( $info = getimagesize( $this->mediaTmpName ) ) ) { + $this->setErrors( 'Invalid file content' ); + return false; + } + } if (intval($this->mediaSize) < 0) { $this->setErrors(_ER_UP_INVALIDFILESIZE); Index: commentrenderer.php =================================================================== RCS file: /cvsroot/xoops/xoops2/class/commentrenderer.php,v retrieving revision 1.11.22.2 retrieving revision 1.11.22.2.2.1 diff -C2 -d -r1.11.22.2 -r1.11.22.2.2.1 *** commentrenderer.php 19 Jul 2005 18:14:30 -0000 1.11.22.2 --- commentrenderer.php 28 Oct 2005 01:42:20 -0000 1.11.22.2.2.1 *************** *** 371,374 **** --- 371,375 ---- function _getTitleIcon($icon_image) { + $icon_image = htmlspecialchars( trim( $icon_image ) ); if ($icon_image != '') { if (false != $this->_doIconCheck) { Index: module.textsanitizer.php =================================================================== RCS file: /cvsroot/xoops/xoops2/class/module.textsanitizer.php,v retrieving revision 1.26.6.6.2.1 retrieving revision 
1.26.6.6.2.2 diff -C2 -d -r1.26.6.6.2.1 -r1.26.6.6.2.2 *** module.textsanitizer.php 19 Sep 2005 00:11:07 -0000 1.26.6.6.2.1 --- module.textsanitizer.php 28 Oct 2005 01:42:20 -0000 1.26.6.6.2.2 *************** *** 226,232 **** $patterns[] = "/\[\/quote]/sU"; $replacements[] = '</blockquote></div>'; ! $patterns[] = "/javascript:/si"; ! $replacements[] = "java script:"; ! $patterns[] = "/about:/si"; $replacements[] = "about :"; return preg_replace($patterns, $replacements, $text); --- 226,234 ---- $patterns[] = "/\[\/quote]/sU"; $replacements[] = '</blockquote></div>'; ! $text = str_replace( "\x00", "", $text ); ! $c = "[\x01-\x1f]*"; ! $patterns[] = "/j{$c}a{$c}v{$c}a{$c}s{$c}c{$c}r{$c}i{$c}p{$c}t{$c}:/si"; ! $replacements[] = "(tammairanslip)"; ! $patterns[] = "/a{$c}b{$c}o{$c}u{$c}t{$c}:/si"; $replacements[] = "about :"; return preg_replace($patterns, $replacements, $text); |
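Review bot: in the uploader.php hunk (189,200) `$info` from `getimagesize()` is captured but never used; comparing `$info[2]` (the IMAGETYPE_* value) with `$ext` would also reject a file whose content is a different image format from the one its extension claims. The check runs only when `$ext` is in the six-entry list, so confirm `$ext` is derived from the validated file name rather than from client-supplied MIME data. The error text 'Invalid file content' is hard-coded while the neighbouring error uses the `_ER_UP_INVALIDFILESIZE` language constant; add a matching constant.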
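Review bot: in the commentrenderer.php hunk (371,375) `_getTitleIcon()` escapes `$icon_image` before the `_doIconCheck` branch runs, so an icon name containing `&` or `"` is checked for existence under its escaped spelling; validate the raw name first (basename() or an allowlist) and escape only at output. Also, this is the one icon fix in the merge that calls `htmlspecialchars()` without `ENT_QUOTES`; use the same flags everywhere so the result is also safe inside single-quoted attributes.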
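Review bot: in the module.textsanitizer.php hunk (226,234) `$c = "[\x01-\x1f]*"` is a double-quoted PHP string, so `\x01` and `\x1f` become raw control bytes before PCRE sees the pattern; it works, but single quotes (`'[\x01-\x1f]*'`) keep the pattern readable and keep raw bytes out of the source file. The replacement `(tammairanslip)` is an opaque token where the old code emitted the self-explanatory `java script:`; a comment explaining the choice would help the next maintainer. Finally, this sanitizer still neutralises only `javascript:` and `about:`, while `redirect_header()` in include/functions.php (same merge) now rejects any `script:` scheme; aligning the two closes the gap between what is stored and what is redirected to.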
From: Skalpa K. <sk...@us...> - 2005-10-28 01:05:15
Update of /cvsroot/xoops/xoops2 In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv30820 Modified Files: Tag: xoops2_0_13_2-branch misc.php Log Message: Security fix (prevent mail headers injection) Index: misc.php =================================================================== RCS file: /cvsroot/xoops/xoops2/misc.php,v retrieving revision 1.18 retrieving revision 1.18.10.1 diff -C2 -d -r1.18 -r1.18.10.1 *** misc.php 5 Aug 2005 05:28:12 -0000 1.18 --- misc.php 28 Oct 2005 01:05:06 -0000 1.18.10.1 *************** *** 145,149 **** $fname = $myts->stripSlashesGPC(trim($_POST['fname'])); $fmail = $myts->stripSlashesGPC(trim($_POST['fmail'])); ! if (!checkEmail($fmail) || !checkEmail($ymail)) { $errormessage = _MSC_INVALIDEMAIL1."<br />"._MSC_INVALIDEMAIL2.""; redirect_header(XOOPS_URL."/misc.php?action=showpopups&type=friend&op=sendform",2,$errormessage); --- 145,149 ---- $fname = $myts->stripSlashesGPC(trim($_POST['fname'])); $fmail = $myts->stripSlashesGPC(trim($_POST['fmail'])); ! if (!checkEmail($fmail) || !checkEmail($ymail) || preg_match( "/[\\0-\\31]/", $yname ) ) { $errormessage = _MSC_INVALIDEMAIL1."<br />"._MSC_INVALIDEMAIL2.""; redirect_header(XOOPS_URL."/misc.php?action=showpopups&type=friend&op=sendform",2,$errormessage); |
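Review bot: `preg_match( "/[\\0-\\31]/", $yname )` in the 145,149 hunk has the same octal range issue as the redirect_header() change in this batch: PCRE reads `\31` inside a class as octal 31 (0x19), so bytes 0x1A-0x1F are not rejected; `[\x00-\x1f]` matches the intent. Only `$yname` is tested, while `$fname` is read from POST on the first context line; if `$fname` also ends up in a mail header (recipient name or Subject:), it needs the same check.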
From: Skalpa K. <sk...@us...> - 2005-10-28 00:49:38
Update of /cvsroot/xoops/xoops2/include In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv28503/include Modified Files: Tag: xoops2_0_13_2-branch version.php Log Message: Updated version number to 2.0.13.2 Index: version.php =================================================================== RCS file: /cvsroot/xoops/xoops2/include/version.php,v retrieving revision 1.21.4.1 retrieving revision 1.21.4.1.6.1 diff -C2 -d -r1.21.4.1 -r1.21.4.1.6.1 *** version.php 15 Aug 2005 15:08:23 -0000 1.21.4.1 --- version.php 28 Oct 2005 00:49:27 -0000 1.21.4.1.6.1 *************** *** 1,4 **** <?php // $Id$ ! define("XOOPS_VERSION","XOOPS 2.0.13.1"); ?> \ No newline at end of file --- 1,4 ---- <?php // $Id$ ! define("XOOPS_VERSION","XOOPS 2.0.13.2"); ?> \ No newline at end of file |
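Review bot: this bump to 2.0.13.2 is not paired with a changelog.txt entry on this branch, unlike the 2.2.3 Final bump in the same batch; a short entry naming the merged hotfix-051015-1 fixes would let administrators see what the point release contains.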
From: Skalpa K. <sk...@us...> - 2005-10-28 00:48:53
Update of /cvsroot/xoops/xoops2/class In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv28351/class Modified Files: Tag: xoops2_0_13_2-branch commentrenderer.php module.textsanitizer.php uploader.php Log Message: Merging changes from hotfix-051015-1 Index: uploader.php =================================================================== RCS file: /cvsroot/xoops/xoops2/class/uploader.php,v retrieving revision 1.20 retrieving revision 1.20.12.1 diff -C2 -d -r1.20 -r1.20.12.1 *** uploader.php 26 Jun 2005 15:38:22 -0000 1.20 --- uploader.php 28 Oct 2005 00:48:30 -0000 1.20.12.1 *************** *** 185,190 **** } } - $this->errors = array(); if (intval($this->mediaSize) < 0) { $this->setErrors('Invalid File Size'); --- 185,196 ---- } } $this->errors = array(); + if ( $ext && in_array( $ext, array( 'gif', 'jpg', 'jpeg', 'png', 'bmp', 'xbm' ) ) ) { + // Prevent sending of invalid images that would crash IE + if ( ! ( $info = getimagesize( $this->mediaTmpName ) ) ) { + $this->setErrors( 'Invalid file content' ); + return false; + } + } if (intval($this->mediaSize) < 0) { $this->setErrors('Invalid File Size'); Index: commentrenderer.php =================================================================== RCS file: /cvsroot/xoops/xoops2/class/commentrenderer.php,v retrieving revision 1.11 retrieving revision 1.11.38.1 diff -C2 -d -r1.11 -r1.11.38.1 *** commentrenderer.php 17 Feb 2003 16:24:29 -0000 1.11 --- commentrenderer.php 28 Oct 2005 00:48:30 -0000 1.11.38.1 *************** *** 371,374 **** --- 371,375 ---- function _getTitleIcon($icon_image) { + $icon_image = htmlspecialchars( trim( $icon_image ) ); if ($icon_image != '') { if (false != $this->_doIconCheck) { Index: module.textsanitizer.php =================================================================== RCS file: /cvsroot/xoops/xoops2/class/module.textsanitizer.php,v retrieving revision 1.26 retrieving revision 1.26.20.1 diff -C2 -d -r1.26 -r1.26.20.1 *** module.textsanitizer.php 26 Dec 2004 19:11:48 -0000 1.26 
--- module.textsanitizer.php 28 Oct 2005 00:48:30 -0000 1.26.20.1 *************** *** 198,204 **** $patterns[] = "/\[\/quote]/sU"; $replacements[] = '</blockquote></div>'; ! $patterns[] = "/javascript:/si"; ! $replacements[] = "java script:"; ! $patterns[] = "/about:/si"; $replacements[] = "about :"; return preg_replace($patterns, $replacements, $text); --- 198,206 ---- $patterns[] = "/\[\/quote]/sU"; $replacements[] = '</blockquote></div>'; ! $text = str_replace( "\x00", "", $text ); ! $c = "[\x01-\x1f]*"; ! $patterns[] = "/j{$c}a{$c}v{$c}a{$c}s{$c}c{$c}r{$c}i{$c}p{$c}t{$c}:/si"; ! $replacements[] = "(tammairanslip)"; ! $patterns[] = "/a{$c}b{$c}o{$c}u{$c}t{$c}:/si"; $replacements[] = "about :"; return preg_replace($patterns, $replacements, $text); |
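Review bot: the uploader.php hunk (185,196) gates the `getimagesize()` check on `$ext` being one of gif/jpg/jpeg/png/bmp/xbm, so it protects only uploads that claim an image extension; that is the stated scope, but the leading `$ext &&` also means an upload with no extension at all skips the check entirely. If the uploader accepts extension-less files anywhere, they should be validated by content as well. The commentrenderer.php and module.textsanitizer.php hunks are the same changes as on xoops2_2_3-branch and the review points there apply unchanged.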
From: Skalpa K. <sk...@us...> - 2005-10-28 00:48:53
Update of /cvsroot/xoops/xoops2/modules/system/admin/comments In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv28351/modules/system/admin/comments Modified Files: Tag: xoops2_0_13_2-branch main.php Log Message: Merging changes from hotfix-051015-1 Index: main.php =================================================================== RCS file: /cvsroot/xoops/xoops2/modules/system/admin/comments/main.php,v retrieving revision 1.14 retrieving revision 1.14.12.1 diff -C2 -d -r1.14 -r1.14.12.1 *** main.php 26 Jun 2005 15:38:25 -0000 1.14 --- main.php 28 Oct 2005 00:48:31 -0000 1.14.12.1 *************** *** 125,129 **** } } ! $icon = ($comments[$i]->getVar('com_icon') != '') ? '<img src="'.XOOPS_URL.'/images/subject/'.$comments[$i]->getVar('com_icon').'" alt="" />' : '<img src="'.XOOPS_URL.'/images/icons/no_posticon.gif" alt="" />'; echo '<tr align="center"><td class="'.$class.'">'.$icon.'</td><td class="'.$class.'" align="left"><a href="admin.php?fct=comments&op=jump&com_id='.$i.'">'. $comments[$i]->getVar('com_title').'</a></td><td class="'.$class.'">'.formatTimestamp($comments[$i]->getVar('com_created'), 'm').'</td><td class="'.$class.'">'.$poster_uname.'</td><td class="'.$class.'">'.$comments[$i]->getVar('com_ip').'</td><td class="'.$class.'">'.$module_array[$comments[$i]->getVar('com_modid')].'</td><td class="'.$class.'">'.$status_array2[$comments[$i]->getVar('com_status')].'</td><td class="'.$class.'" align="right"><a href="admin/comments/comment_edit.php?com_id='.$i.'">'._EDIT.'</a> <a href="admin/comments/comment_delete.php?com_id='.$i.'">'._DELETE.'</a></td></tr>'; } --- 125,132 ---- } } ! $icon = $comments[$i]->getVar('com_icon'); ! $icon = empty( $icon ) ? '/images/icons/no_posticon.gif' : ( '/images/subject/' . htmlspecialchars( $icon, ENT_QUOTES ) ); ! $icon = '<img src="' . XOOPS_URL . $icon . '" alt="" />'; ! 
echo '<tr align="center"><td class="'.$class.'">'.$icon.'</td><td class="'.$class.'" align="left"><a href="admin.php?fct=comments&op=jump&com_id='.$i.'">'. $comments[$i]->getVar('com_title').'</a></td><td class="'.$class.'">'.formatTimestamp($comments[$i]->getVar('com_created'), 'm').'</td><td class="'.$class.'">'.$poster_uname.'</td><td class="'.$class.'">'.$comments[$i]->getVar('com_ip').'</td><td class="'.$class.'">'.$module_array[$comments[$i]->getVar('com_modid')].'</td><td class="'.$class.'">'.$status_array2[$comments[$i]->getVar('com_status')].'</td><td class="'.$class.'" align="right"><a href="admin/comments/comment_edit.php?com_id='.$i.'">'._EDIT.'</a> <a href="admin/comments/comment_delete.php?com_id='.$i.'">'._DELETE.'</a></td></tr>'; } |
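Review bot: the 125,132 hunk is byte-for-byte the same change as on xoops2_2_3-branch, which is expected for a merge, but the echoed row still prints `com_title`, `com_ip` and `$poster_uname` directly into the table cells; since this fix covers only `com_icon`, please confirm that `getVar()` applies output escaping to those fields on this branch.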
From: Skalpa K. <sk...@us...> - 2005-10-28 00:48:53
Update of /cvsroot/xoops/xoops2/modules/contact In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv28351/modules/contact Modified Files: Tag: xoops2_0_13_2-branch index.php Log Message: Merging changes from hotfix-051015-1 Index: index.php =================================================================== RCS file: /cvsroot/xoops/xoops2/modules/contact/Attic/index.php,v retrieving revision 1.12 retrieving revision 1.12.12.1 diff -C2 -d -r1.12 -r1.12.12.1 *** index.php 26 Jun 2005 15:38:23 -0000 1.12 --- index.php 28 Oct 2005 00:48:31 -0000 1.12.12.1 *************** *** 42,52 **** include XOOPS_ROOT_PATH."/footer.php"; } else { - extract($_POST); $myts =& MyTextSanitizer::getInstance(); ! $usersEmail = $myts->stripSlashesGPC($_POST['usersEmail']); $usersCompanyName = $myts->stripSlashesGPC($_POST['usersCompanyName']); $usersCompanyLocation = $myts->stripSlashesGPC($_POST['usersCompanyLocation']); $usersComments = $myts->stripSlashesGPC($_POST['usersComments']); $usersName = $myts->stripSlashesGPC($_POST['usersName']); $adminMessage = sprintf(_CT_SUBMITTED,$usersName); --- 42,56 ---- include XOOPS_ROOT_PATH."/footer.php"; } else { $myts =& MyTextSanitizer::getInstance(); ! if ( ! ( $usersEmail = checkEmail( $myts->stripSlashesGPC($_POST['usersEmail']) ) ) ) { ! redirect_header( XOOPS_URL . "/modules/" . $xoopsModule->getVar('dirname') . "/index.php", 2, _CT_INVALIDMAIL ); ! exit(); ! } $usersCompanyName = $myts->stripSlashesGPC($_POST['usersCompanyName']); $usersCompanyLocation = $myts->stripSlashesGPC($_POST['usersCompanyLocation']); $usersComments = $myts->stripSlashesGPC($_POST['usersComments']); $usersName = $myts->stripSlashesGPC($_POST['usersName']); + $usersSite = @$myts->stripSlashesGPC($_POST['usersSite']); + $usersICQ = @$myts->stripSlashesGPC($_POST['usersICQ']); $adminMessage = sprintf(_CT_SUBMITTED,$usersName); |
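Review bot: removing `extract($_POST)` in the 42,56 hunk is the substantive fix (it let any posted field overwrite a local variable), and the explicit `$usersSite` / `$usersICQ` assignments exist because those variables used to come from it; the `@` prefix silences the undefined-index notice when a field is absent, but `isset( $_POST['usersSite'] ) ? ... : ''` states that intent without suppressing other errors. The new guard `if ( ! ( $usersEmail = checkEmail( ... ) ) )` depends on `checkEmail()` returning the address rather than `true`; that change is in the xoops2_2_3-branch include/functions.php commit in this batch, so confirm the xoops2_0_13_2-branch copy has it too, otherwise `$usersEmail` becomes boolean `true` here.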
From: Skalpa K. <sk...@us...> - 2005-10-28 00:48:53
Update of /cvsroot/xoops/xoops2/modules/newbb In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv28351/modules/newbb Modified Files: Tag: xoops2_0_13_2-branch index.php viewforum.php viewtopic.php Log Message: Merging changes from hotfix-051015-1 Index: viewforum.php =================================================================== RCS file: /cvsroot/xoops/xoops2/modules/newbb/Attic/viewforum.php,v retrieving revision 1.18 retrieving revision 1.18.20.1 diff -C2 -d -r1.18 -r1.18.20.1 *** viewforum.php 26 Dec 2004 19:11:59 -0000 1.18 --- viewforum.php 28 Oct 2005 00:48:31 -0000 1.18.20.1 *************** *** 235,239 **** } if ( $myrow['icon'] ) { ! $topic_icon = '<img src="'.XOOPS_URL.'/images/subject/'.$myrow['icon'].'" alt="" />'; } else { $topic_icon = '<img src="'.XOOPS_URL.'/images/icons/no_posticon.gif" alt="" />'; --- 235,239 ---- } if ( $myrow['icon'] ) { ! $topic_icon = '<img src="'.XOOPS_URL.'/images/subject/' . htmlspecialchars( $myrow['icon'], ENT_QUOTES ). '" alt="" />'; } else { $topic_icon = '<img src="'.XOOPS_URL.'/images/icons/no_posticon.gif" alt="" />'; Index: index.php =================================================================== RCS file: /cvsroot/xoops/xoops2/modules/newbb/Attic/index.php,v retrieving revision 1.16 retrieving revision 1.16.20.1 diff -C2 -d -r1.16 -r1.16.20.1 *** index.php 26 Dec 2004 19:11:58 -0000 1.16 --- index.php 28 Oct 2005 00:48:31 -0000 1.16.20.1 *************** *** 84,88 **** $last_post_icon = '<a href="'.XOOPS_URL.'/modules/newbb/viewtopic.php?post_id='.$forum_row['forum_last_post_id'].'&topic_id='.$forum_row['topic_id'].'&forum='.$forum_row['forum_id'].'#forumpost'.$forum_row['forum_last_post_id'].'">'; if ( $forum_row['icon'] ) { ! 
$last_post_icon .= '<img src="'.XOOPS_URL.'/images/subject/'.$forum_row['icon'].'" border="0" alt="" />'; } else { $last_post_icon .= '<img src="'.XOOPS_URL.'/images/subject/icon1.gif" width="15" height="15" border="0" alt="" />'; --- 84,88 ---- $last_post_icon = '<a href="'.XOOPS_URL.'/modules/newbb/viewtopic.php?post_id='.$forum_row['forum_last_post_id'].'&topic_id='.$forum_row['topic_id'].'&forum='.$forum_row['forum_id'].'#forumpost'.$forum_row['forum_last_post_id'].'">'; if ( $forum_row['icon'] ) { ! $last_post_icon .= '<img src="'.XOOPS_URL.'/images/subject/' . htmlspecialchars( $forum_row['icon'], ENT_QUOTES ) . '" border="0" alt="" />'; } else { $last_post_icon .= '<img src="'.XOOPS_URL.'/images/subject/icon1.gif" width="15" height="15" border="0" alt="" />'; Index: viewtopic.php =================================================================== RCS file: /cvsroot/xoops/xoops2/modules/newbb/Attic/viewtopic.php,v retrieving revision 1.24 retrieving revision 1.24.20.1 diff -C2 -d -r1.24 -r1.24.20.1 *** viewtopic.php 26 Dec 2004 19:11:59 -0000 1.24 --- viewtopic.php 28 Oct 2005 00:48:31 -0000 1.24.20.1 *************** *** 201,205 **** $posticon = $arr[$key]['obj']->icon(); if ( isset($posticon) && $posticon != '' ) { ! $post_image = '<img src="'.XOOPS_URL.'/images/subject/'.$posticon.'" alt="" />'; } else { $post_image = '<img src="'.XOOPS_URL.'/images/icons/no_posticon.gif" alt="" />'; --- 201,205 ---- $posticon = $arr[$key]['obj']->icon(); if ( isset($posticon) && $posticon != '' ) { ! $post_image = '<img src="'.XOOPS_URL.'/images/subject/' . htmlspecialchars( $posticon, ENT_QUOTES ) . '" alt="" />'; } else { $post_image = '<img src="'.XOOPS_URL.'/images/icons/no_posticon.gif" alt="" />'; *************** *** 284,288 **** $posticon = $eachpost->icon(); if ( isset($posticon) && $posticon != '' ) { ! 
$post_image = '<a name="'.$eachpost->postid().'"><img src="'.XOOPS_URL.'/images/subject/'.$eachpost->icon().'" alt="" /></a>'; } else { $post_image = '<a name="'.$eachpost->postid().'"><img src="'.XOOPS_URL.'/images/icons/posticon.gif" alt="" /></a>'; --- 284,288 ---- $posticon = $eachpost->icon(); if ( isset($posticon) && $posticon != '' ) { ! $post_image = '<a name="'.$eachpost->postid().'"><img src="'.XOOPS_URL.'/images/subject/' . htmlspecialchars( $posticon, ENT_QUOTES ) . '" alt="" /></a>'; } else { $post_image = '<a name="'.$eachpost->postid().'"><img src="'.XOOPS_URL.'/images/icons/posticon.gif" alt="" /></a>'; |
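Review bot: in the viewforum.php hunk, `htmlspecialchars( $myrow['icon'], ENT_QUOTES )` closes the attribute-injection case, but the value still selects a path under `/images/subject/`; checking that the named file exists in that directory (the approach the `_doIconCheck` branch in commentrenderer.php suggests) would be the primary control, with escaping as the second layer.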
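Review bot: in the newbb index.php hunk, only `$forum_row['icon']` is escaped while the `href` built on the preceding context line interpolates `forum_last_post_id`, `topic_id` and `forum_id` raw; if those are integer columns, wrapping them in intval() makes that assumption explicit and survives a later change to the query. The `&` separators inside the href should also be `&amp;` in XHTML output.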
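Review bot: in the first viewtopic.php hunk (lines 201-205), `isset($posticon) && $posticon != ''` is redundant because `$posticon` is assigned on the line before; `$posticon != ''` alone expresses the same condition. As with viewforum.php, escaping the icon name does not validate it as a file under `/images/subject/`.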
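Review bot: the second viewtopic.php hunk (lines 284-288) now escapes the `$posticon` value fetched above instead of calling `$eachpost->icon()` a second time, which is the right simplification; for consistency `$eachpost->postid()` in the `<a name="...">` attribute on the same line should be intval()-cast or escaped the same way.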
From: Skalpa K. <sk...@us...> - 2005-10-28 00:48:53
Update of /cvsroot/xoops/xoops2/include In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv28351/include Modified Files: Tag: xoops2_0_13_2-branch functions.php Log Message: Merging changes from hotfix-051015-1 Index: functions.php =================================================================== RCS file: /cvsroot/xoops/xoops2/include/functions.php,v retrieving revision 1.72 retrieving revision 1.72.10.1 diff -C2 -d -r1.72 -r1.72.10.1 *** functions.php 5 Aug 2005 05:28:12 -0000 1.72 --- functions.php 28 Oct 2005 00:48:31 -0000 1.72.10.1 *************** *** 283,290 **** $email = str_replace("@", " at ", $email); $email = str_replace(".", " dot ", $email); - return $email; - } else { - return true; } } --- 283,288 ---- $email = str_replace("@", " at ", $email); $email = str_replace(".", " dot ", $email); } + return $email; } *************** *** 367,371 **** { global $xoopsConfig, $xoopsRequestUri, $xoopsLogger, $xoopsUserIsAdmin; ! if (preg_match('/javascript:/si', $url) ) { $url = XOOPS_URL; } --- 365,369 ---- { global $xoopsConfig, $xoopsRequestUri, $xoopsLogger, $xoopsUserIsAdmin; ! if ( preg_match( "/[\\0-\\31]|about:|script:/i", $url) ) { $url = XOOPS_URL; } |
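Review bot: the checkEmail() hunk changes the success return value from `true` to the e-mail string, so any caller comparing the result with `=== true` now fails silently; those callers need to be audited before this merge lands. The `return false` path for a malformed address lies outside the shown context, and the contact module's `if ( ! ( $usersEmail = checkEmail( ... ) ) )` depends on it.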
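Review bot: in the redirect_header() hunk, the class `[\\0-\\31]` sits in a double-quoted PHP string, so PCRE receives `[\0-\31]`, and `\31` there is octal 31, i.e. 0x19; bytes 0x1A to 0x1F are not matched. `[\x00-\x1f]`, as module.textsanitizer.php uses in this same hotfix, expresses the intent. A denylist of scheme fragments is also fragile by construction; where redirect targets are all local, requiring the URL to start with XOOPS_URL or `/` is the more robust check.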
From: Skalpa K. <sk...@us...> - 2005-10-28 00:48:53
Update of /cvsroot/xoops/xoops2/class/mail/phpmailer In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv28351/class/mail/phpmailer Modified Files: Tag: xoops2_0_13_2-branch class.smtp.php Log Message: Merging changes from hotfix-051015-1 Index: class.smtp.php =================================================================== RCS file: /cvsroot/xoops/xoops2/class/mail/phpmailer/class.smtp.php,v retrieving revision 1.3 retrieving revision 1.3.18.1 diff -C2 -d -r1.3 -r1.3.18.1 *** class.smtp.php 30 Dec 2004 12:56:27 -0000 1.3 --- class.smtp.php 28 Oct 2005 00:48:31 -0000 1.3.18.1 *************** *** 315,318 **** --- 315,323 ---- while(strlen($line) > $max_line_length) { $pos = strrpos(substr($line,0,$max_line_length)," "); + // @XOOPS: Manual fix from PHPMailer 1.73 to prevent endless loops + // @XOOPS: We must update to 1.73 and fix its multibyte related issues instead of keeping this + if ( !$pos ) { + $pos = $max_line_length - 1; + } $lines_out[] = substr($line,0,$pos); $line = substr($line,$pos + 1); |
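Review bot: this merge carries the forced-split fix over verbatim, including its off-by-one: after `$pos = $max_line_length - 1;` the unchanged `$line = substr($line,$pos + 1);` discards the byte at `$pos`, which is only correct when a space was found there, so each forced wrap loses one header byte. The no-space branch should advance by `$pos`, and `$pos === false` is the precise test since `!$pos` also fires for a space at offset 0.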
From: Skalpa K. <sk...@us...> - 2005-10-28 00:48:52
Update of /cvsroot/xoops/xoops2/modules/contact/language/english In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv28351/modules/contact/language/english Modified Files: Tag: xoops2_0_13_2-branch main.php Log Message: Merging changes from hotfix-051015-1 Index: main.php =================================================================== RCS file: /cvsroot/xoops/xoops2/modules/contact/language/english/Attic/main.php,v retrieving revision 1.8 retrieving revision 1.8.20.1 diff -C2 -d -r1.8 -r1.8.20.1 *** main.php 26 Dec 2004 19:11:54 -0000 1.8 --- main.php 28 Oct 2005 00:48:31 -0000 1.8.20.1 *************** *** 20,22 **** --- 20,23 ---- define("_CT_MESSAGESENT","Message to %s Sent"); define("_CT_SENTASCONFIRM","Your comments have been sent to: %s as a confirmation email."); + define("_CT_INVALIDMAIL", "Invalid e-mail address" ); ?> \ No newline at end of file |
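Review bot: the added define's spacing (`define("_CT_INVALIDMAIL", "Invalid e-mail address" );`) differs from the existing lines in the same file, and the file still ends with `?>` and no trailing newline; for a file that is only ever included, dropping the closing `?>` removes the risk of stray output before headers are sent.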
From: Skalpa K. <sk...@us...> - 2005-10-28 00:48:52
Update of /cvsroot/xoops/xoops2/modules/system/blocks In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv28351/modules/system/blocks Modified Files: Tag: xoops2_0_13_2-branch system_blocks.php Log Message: Merging changes from hotfix-051015-1 Index: system_blocks.php =================================================================== RCS file: /cvsroot/xoops/xoops2/modules/system/blocks/system_blocks.php,v retrieving revision 1.45 retrieving revision 1.45.12.1 diff -C2 -d -r1.45 -r1.45.12.1 *** system_blocks.php 26 Jun 2005 15:38:27 -0000 1.45 --- system_blocks.php 28 Oct 2005 00:48:31 -0000 1.45.12.1 *************** *** 341,345 **** $com['id'] = $i; $com['title'] = '<a href="'.XOOPS_URL.'/modules/'.$modules[$mid]->getVar('dirname').'/'.$comment_config[$mid]['pageName'].'?'.$comment_config[$mid]['itemName'].'='.$comments[$i]->getVar('com_itemid').'&com_id='.$i.'&com_rootid='.$comments[$i]->getVar('com_rootid').'&'.$comments[$i]->getVar('com_exparams').'#comment'.$i.'">'.$comments[$i]->getVar('com_title').'</a>'; ! $com['icon'] = $comments[$i]->getVar('com_icon'); $com['icon'] = ($com['icon'] != '') ? $com['icon'] : 'icon1.gif'; $com['time'] = formatTimestamp($comments[$i]->getVar('com_created'),'m'); --- 341,345 ---- $com['id'] = $i; $com['title'] = '<a href="'.XOOPS_URL.'/modules/'.$modules[$mid]->getVar('dirname').'/'.$comment_config[$mid]['pageName'].'?'.$comment_config[$mid]['itemName'].'='.$comments[$i]->getVar('com_itemid').'&com_id='.$i.'&com_rootid='.$comments[$i]->getVar('com_rootid').'&'.$comments[$i]->getVar('com_exparams').'#comment'.$i.'">'.$comments[$i]->getVar('com_title').'</a>'; ! $com['icon'] = htmlspecialchars( $comments[$i]->getVar('com_icon'), ENT_QUOTES ); $com['icon'] = ($com['icon'] != '') ? $com['icon'] : 'icon1.gif'; $com['time'] = formatTimestamp($comments[$i]->getVar('com_created'),'m'); |
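Review bot: only `com_icon` receives htmlspecialchars() here, while the `$com['title']` line directly above the change concatenates `getVar('com_exparams')` into the href and `getVar('com_title')` into the link text with no visible escaping. If getVar() already HTML-escapes on its default output format, a short comment would justify the asymmetry; otherwise `com_exparams` needs the same treatment. Note also that `$com['icon']` goes on to name a file under the images directory, so escaping does not replace a check that the icon actually exists.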
From: Skalpa K. <sk...@us...> - 2005-10-27 22:25:43
Update of /cvsroot/xoops/xoops2/class/mail/phpmailer In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv30871/class/mail/phpmailer Modified Files: Tag: hotfix-051015-branch class.smtp.php Log Message: Fixed endless loop issue in headers handling Index: class.smtp.php =================================================================== RCS file: /cvsroot/xoops/xoops2/class/mail/phpmailer/class.smtp.php,v retrieving revision 1.3 retrieving revision 1.3.14.1 diff -C2 -d -r1.3 -r1.3.14.1 *** class.smtp.php 30 Dec 2004 12:56:27 -0000 1.3 --- class.smtp.php 27 Oct 2005 22:25:36 -0000 1.3.14.1 *************** *** 315,318 **** --- 315,323 ---- while(strlen($line) > $max_line_length) { $pos = strrpos(substr($line,0,$max_line_length)," "); + // @XOOPS: Manual fix from PHPMailer 1.73 to prevent endless loops + // @XOOPS: We must update to 1.73 and fix its multibyte related issues instead of keeping this + if ( !$pos ) { + $pos = $max_line_length - 1; + } $lines_out[] = substr($line,0,$pos); $line = substr($line,$pos + 1); |
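Review bot: the forced-split branch sets `$pos = $max_line_length - 1;` but the unchanged `$line = substr($line,$pos + 1);` then skips the character at `$pos`, which is a space only in the normal case; when no space was found, one byte of the header is silently dropped on every forced wrap. In that branch advance by `$pos` rather than `$pos + 1`. Separately, `!$pos` conflates `false` (no space) with `0` (a space at offset 0); `$pos === false` is the precise test for what the comment describes.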
From: Skalpa K. <sk...@us...> - 2005-10-27 22:16:52
Update of /cvsroot/xoops/xoops2/class In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv27785/class Modified Files: Tag: hotfix-051015-branch uploader.php Log Message: Improved checking of images content by using getimagesize() when a file is supposed to be an image Index: uploader.php =================================================================== RCS file: /cvsroot/xoops/xoops2/class/uploader.php,v retrieving revision 1.20 retrieving revision 1.20.8.1 diff -C2 -d -r1.20 -r1.20.8.1 *** uploader.php 26 Jun 2005 15:38:22 -0000 1.20 --- uploader.php 27 Oct 2005 22:16:41 -0000 1.20.8.1 *************** *** 185,190 **** } } - $this->errors = array(); if (intval($this->mediaSize) < 0) { $this->setErrors('Invalid File Size'); --- 185,196 ---- } } $this->errors = array(); + if ( $ext && in_array( $ext, array( 'gif', 'jpg', 'jpeg', 'png', 'bmp', 'xbm' ) ) ) { + // Prevent sending of invalid images that would crash IE + if ( ! ( $info = getimagesize( $this->mediaTmpName ) ) ) { + $this->setErrors( 'Invalid file content' ); + return false; + } + } if (intval($this->mediaSize) < 0) { $this->setErrors('Invalid File Size'); |
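Review bot: the getimagesize() check only runs when `$ext` is in the hard-coded list, so its coverage depends on how `$ext` is derived outside this hunk: if it comes from the client-supplied filename and is not lowercased, an upper-case extension skips the check, and a file with a non-image extension is never inspected at all. Normalising with strtolower() and, since `$info` is computed anyway, comparing `$info[2]` (the IMAGETYPE constant) with the claimed extension would make the declared and actual formats agree rather than merely confirming that some image header parses.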
From: Skalpa K. <sk...@us...> - 2005-10-27 18:17:23
Update of /cvsroot/xoops/xoops2/class In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv29319/class Modified Files: Tag: hotfix-051015-branch commentrenderer.php Log Message: Anti-XSS fix Index: commentrenderer.php =================================================================== RCS file: /cvsroot/xoops/xoops2/class/commentrenderer.php,v retrieving revision 1.11 retrieving revision 1.11.34.1 diff -C2 -d -r1.11 -r1.11.34.1 *** commentrenderer.php 17 Feb 2003 16:24:29 -0000 1.11 --- commentrenderer.php 27 Oct 2005 18:17:08 -0000 1.11.34.1 *************** *** 371,374 **** --- 371,375 ---- function _getTitleIcon($icon_image) { + $icon_image = htmlspecialchars( trim( $icon_image ) ); if ($icon_image != '') { if (false != $this->_doIconCheck) { |
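Review bot: `htmlspecialchars( trim( $icon_image ) )` is called without ENT_QUOTES, unlike every other hunk in this hotfix, so single quotes pass through and the fix is incomplete wherever the value lands in a single-quoted attribute; use `htmlspecialchars( trim( $icon_image ), ENT_QUOTES )` for consistency. The `_doIconCheck` branch that follows is the right place for a file-name allowlist, and the escaping should complement that check rather than stand in for it.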
From: Skalpa K. <sk...@us...> - 2005-10-27 18:16:19
Update of /cvsroot/xoops/xoops2/class In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv29009/class Modified Files: Tag: hotfix-051015-branch module.textsanitizer.php Log Message: Anti-XSS fix Index: module.textsanitizer.php =================================================================== RCS file: /cvsroot/xoops/xoops2/class/module.textsanitizer.php,v retrieving revision 1.26 retrieving revision 1.26.16.1 diff -C2 -d -r1.26 -r1.26.16.1 *** module.textsanitizer.php 26 Dec 2004 19:11:48 -0000 1.26 --- module.textsanitizer.php 27 Oct 2005 18:16:09 -0000 1.26.16.1 *************** *** 198,204 **** $patterns[] = "/\[\/quote]/sU"; $replacements[] = '</blockquote></div>'; ! $patterns[] = "/javascript:/si"; ! $replacements[] = "java script:"; ! $patterns[] = "/about:/si"; $replacements[] = "about :"; return preg_replace($patterns, $replacements, $text); --- 198,206 ---- $patterns[] = "/\[\/quote]/sU"; $replacements[] = '</blockquote></div>'; ! $text = str_replace( "\x00", "", $text ); ! $c = "[\x01-\x1f]*"; ! $patterns[] = "/j{$c}a{$c}v{$c}a{$c}s{$c}c{$c}r{$c}i{$c}p{$c}t{$c}:/si"; ! $replacements[] = "(tammairanslip)"; ! $patterns[] = "/a{$c}b{$c}o{$c}u{$c}t{$c}:/si"; $replacements[] = "about :"; return preg_replace($patterns, $replacements, $text); |
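Review bot: the replacement `"(tammairanslip)"` for the `javascript:` pattern is an unexplained magic token, while the `about:` pattern right below keeps the readable `"about :"` style; a comment, or a replacement in the same style as the previous `"java script:"`, would make the intent clear to the next maintainer. Two smaller points: `$c = "[\x01-\x1f]*"` is a double-quoted string, so PHP expands `\x01` and `\x1f` into raw control bytes before PCRE sees the class (it works, but a single-quoted string keeps the pattern as written), and the `s` modifier on both patterns is a no-op since neither contains `.`. Stripping `"\x00"` first is correct given that NUL is excluded from the class.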
From: Skalpa K. <sk...@us...> - 2005-10-27 18:14:49
Update of /cvsroot/xoops/xoops2/include In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv28664/include Modified Files: Tag: hotfix-051015-branch functions.php Log Message: Changed checkEmail() behavior ( so it returns the passed e-mail and not "true" if it's correct ) Fixed redirect_header() so it refuses incorrect addresses Index: functions.php =================================================================== RCS file: /cvsroot/xoops/xoops2/include/functions.php,v retrieving revision 1.72 retrieving revision 1.72.6.1 diff -C2 -d -r1.72 -r1.72.6.1 *** functions.php 5 Aug 2005 05:28:12 -0000 1.72 --- functions.php 27 Oct 2005 18:14:37 -0000 1.72.6.1 *************** *** 283,290 **** $email = str_replace("@", " at ", $email); $email = str_replace(".", " dot ", $email); - return $email; - } else { - return true; } } --- 283,288 ---- $email = str_replace("@", " at ", $email); $email = str_replace(".", " dot ", $email); } + return $email; } *************** *** 367,371 **** { global $xoopsConfig, $xoopsRequestUri, $xoopsLogger, $xoopsUserIsAdmin; ! if (preg_match('/javascript:/si', $url) ) { $url = XOOPS_URL; } --- 365,369 ---- { global $xoopsConfig, $xoopsRequestUri, $xoopsLogger, $xoopsUserIsAdmin; ! if ( preg_match( "/[\\0-\\31]|about:|script:/i", $url) ) { $url = XOOPS_URL; } |
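Review bot: the checkEmail() hunk now returns `$email` on every path through the visible context, changing the success value from `true` to the address string as the log message says; any existing caller that tests `checkEmail($x) === true` breaks silently, so callers should be grepped and updated in the same commit. The `return false` path for a malformed address is above the shown lines and is what the contact module's `if ( ! ( $usersEmail = checkEmail( ... ) ) )` relies on.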
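Review bot: in the redirect_header() hunk, `"/[\\0-\\31]|about:|script:/i"` is a double-quoted PHP string, so the pattern PCRE compiles is `[\0-\31]`, in which `\31` is an octal escape for 0x19; the range therefore stops at 0x19 and does not cover 0x1A to 0x1F. Writing the class as `[\x00-\x1f]`, exactly as module.textsanitizer.php does in this hotfix, matches the intent. Beyond that, listing forbidden scheme fragments is a denylist; an allowlist (the target must begin with XOOPS_URL or `/`) would be the more robust shape for a function that only ever redirects within the site.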
From: Skalpa K. <sk...@us...> - 2005-10-27 18:12:48
Update of /cvsroot/xoops/xoops2/modules/contact/language/english In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv28209/modules/contact/language/english Modified Files: Tag: hotfix-051015-branch main.php Log Message: Added handling of badly constructed e-mail Index: main.php =================================================================== RCS file: /cvsroot/xoops/xoops2/modules/contact/language/english/Attic/main.php,v retrieving revision 1.8 retrieving revision 1.8.16.1 diff -C2 -d -r1.8 -r1.8.16.1 *** main.php 26 Dec 2004 19:11:54 -0000 1.8 --- main.php 27 Oct 2005 18:12:39 -0000 1.8.16.1 *************** *** 20,22 **** --- 20,23 ---- define("_CT_MESSAGESENT","Message to %s Sent"); define("_CT_SENTASCONFIRM","Your comments have been sent to: %s as a confirmation email."); + define("_CT_INVALIDMAIL", "Invalid e-mail address" ); ?> \ No newline at end of file |
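Review bot: the added line `define("_CT_INVALIDMAIL", "Invalid e-mail address" );` uses different spacing from the neighbouring `define("_CT_SENTASCONFIRM","Your comments ...");` lines, and the file still ends with `?>` and no trailing newline. Since this language file is only ever included, dropping the closing `?>` (or at the least terminating the final line) removes the risk of stray whitespace being emitted before headers are sent.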
From: Skalpa K. <sk...@us...> - 2005-10-27 18:12:48
Update of /cvsroot/xoops/xoops2/modules/contact In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv28209/modules/contact Modified Files: Tag: hotfix-051015-branch index.php Log Message: Added handling of badly constructed e-mail Index: index.php =================================================================== RCS file: /cvsroot/xoops/xoops2/modules/contact/Attic/index.php,v retrieving revision 1.12 retrieving revision 1.12.8.1 diff -C2 -d -r1.12 -r1.12.8.1 *** index.php 26 Jun 2005 15:38:23 -0000 1.12 --- index.php 27 Oct 2005 18:12:39 -0000 1.12.8.1 *************** *** 42,52 **** include XOOPS_ROOT_PATH."/footer.php"; } else { - extract($_POST); $myts =& MyTextSanitizer::getInstance(); ! $usersEmail = $myts->stripSlashesGPC($_POST['usersEmail']); $usersCompanyName = $myts->stripSlashesGPC($_POST['usersCompanyName']); $usersCompanyLocation = $myts->stripSlashesGPC($_POST['usersCompanyLocation']); $usersComments = $myts->stripSlashesGPC($_POST['usersComments']); $usersName = $myts->stripSlashesGPC($_POST['usersName']); $adminMessage = sprintf(_CT_SUBMITTED,$usersName); --- 42,56 ---- include XOOPS_ROOT_PATH."/footer.php"; } else { $myts =& MyTextSanitizer::getInstance(); ! if ( ! ( $usersEmail = checkEmail( $myts->stripSlashesGPC($_POST['usersEmail']) ) ) ) { ! redirect_header( XOOPS_URL . "/modules/" . $xoopsModule->getVar('dirname') . "/index.php", 2, _CT_INVALIDMAIL ); ! exit(); ! } $usersCompanyName = $myts->stripSlashesGPC($_POST['usersCompanyName']); $usersCompanyLocation = $myts->stripSlashesGPC($_POST['usersCompanyLocation']); $usersComments = $myts->stripSlashesGPC($_POST['usersComments']); $usersName = $myts->stripSlashesGPC($_POST['usersName']); + $usersSite = @$myts->stripSlashesGPC($_POST['usersSite']); + $usersICQ = @$myts->stripSlashesGPC($_POST['usersICQ']); $adminMessage = sprintf(_CT_SUBMITTED,$usersName); |
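Review bot: removing `extract($_POST)` is the substantive fix in this hunk, since it let any submitted field overwrite a local variable, and it deserves a mention in the log message alongside the e-mail handling. Two smaller points: the `@` operator on the new `$usersSite` and `$usersICQ` lines masks notices rather than checking for the keys, so prefer `isset($_POST['usersSite']) ? $myts->stripSlashesGPC($_POST['usersSite']) : ''`; and the `if ( ! ( $usersEmail = checkEmail( ... ) ) )` test relies on checkEmail() returning the validated string instead of `true`, so this file must ship together with the matching include/functions.php change on this branch.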