From: <jon...@us...> - 2012-03-29 19:43:38
Revision: 40513
http://tikiwiki.svn.sourceforge.net/tikiwiki/?rev=40513&view=rev
Author: jonnybradley
Date: 2012-03-29 19:43:32 +0000 (Thu, 29 Mar 2012)
Log Message:
-----------
[FIX] cdn: notice (thanks changi)
Modified Paths:
--------------
branches/9.x/tiki-setup_base.php
Modified: branches/9.x/tiki-setup_base.php
===================================================================
--- branches/9.x/tiki-setup_base.php 2012-03-29 19:40:43 UTC (rev 40512)
+++ branches/9.x/tiki-setup_base.php 2012-03-29 19:43:32 UTC (rev 40513)
@@ -138,7 +138,7 @@
 $cdn_pref = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') ? $prefs['tiki_cdn_ssl'] : $prefs['tiki_cdn'];
 if ( $cdn_pref ) {
 $host = parse_url($cdn_pref, PHP_URL_HOST);
- if ( $host == $_SERVER['HTTP_HOST'] ) {
+ if (isset($_SERVER['HTTP_HOST']) && $host == $_SERVER['HTTP_HOST'] ) {
 header("HTTP/1.0 404 Not Found");
 echo "File not found.";
 exit;
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
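Review bot: The added guard still compares with loose `==`, and `$host` is whatever `parse_url()` returned, which is `null` when the CDN preference has no host part (or `false` on a malformed value); a strict, case-insensitive comparison pins the intent: `if (isset($_SERVER['HTTP_HOST']) && is_string($host) && strcasecmp($host, $_SERVER['HTTP_HOST']) === 0) {`. `HTTP_HOST` comes from the request's Host header and may carry a `:port` suffix that `parse_url()` never returns, so on a non-default port this branch would presumably never fire — worth a comment on the line if that is acceptable. The `$_SERVER['HTTPS'] == 'on'` test on the first context line predates this commit, but PHP only guarantees a non-empty value on TLS requests and IIS sets `off` on plain HTTP, so `!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off'` is the portable form. The enclosing `if ( $cdn_pref )` block continues past the hunk.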
From: <cha...@us...> - 2012-04-21 13:38:24
Revision: 41016
http://tikiwiki.svn.sourceforge.net/tikiwiki/?rev=41016&view=rev
Author: changi67
Date: 2012-04-21 13:38:18 +0000 (Sat, 21 Apr 2012)
Log Message:
-----------
[FIX] If smarty is not an object, we can assign anything
Modified Paths:
--------------
branches/9.x/tiki-setup_base.php
Modified: branches/9.x/tiki-setup_base.php
===================================================================
--- branches/9.x/tiki-setup_base.php 2012-04-21 10:32:09 UTC (rev 41015)
+++ branches/9.x/tiki-setup_base.php 2012-04-21 13:38:18 UTC (rev 41016)
@@ -588,6 +588,4 @@
 }
 if (is_object($smarty)) {
 $smarty->assign("tikidomain", $tikidomain);
-} else {
- $smarty->assign("tikidomain", "");
 }
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
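Review bot: `is_object($smarty)` on the second context line admits any object, so a non-Smarty value would still reach `->assign()` and fail there rather than at the guard; `if ($smarty instanceof Smarty) {` states the actual contract and is what static analysis can check. Where `$tikidomain` is set is outside the hunk — if it can be undefined on the paths that used to take the removed `else`, the remaining assignment now passes an undefined variable, which is worth confirming before relying on the simplification.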
From: <cha...@us...> - 2012-04-30 20:36:28
Revision: 41223
http://tikiwiki.svn.sourceforge.net/tikiwiki/?rev=41223&view=rev
Author: changi67
Date: 2012-04-30 20:36:22 +0000 (Mon, 30 Apr 2012)
Log Message:
-----------
[FIX] Avoid some warnings during upgrade
Modified Paths:
--------------
branches/9.x/tiki-setup_base.php
Modified: branches/9.x/tiki-setup_base.php
===================================================================
--- branches/9.x/tiki-setup_base.php 2012-04-30 20:33:37 UTC (rev 41222)
+++ branches/9.x/tiki-setup_base.php 2012-04-30 20:36:22 UTC (rev 41223)
@@ -86,13 +86,13 @@
 ini_set('session.gc_maxlifetime', $prefs['session_lifetime'] * 60);
 }
 // is session data stored in DB or in filesystem?
-if ($prefs['session_storage'] == 'db') {
+if (isset($prefs['session_storage']) && $prefs['session_storage'] == 'db') {
 if ($api_tiki == 'adodb') {
 require_once ('lib/tikisession-adodb.php');
 } elseif ($api_tiki == 'pdo') {
 require_once ('lib/tikisession-pdo.php');
 }
-} elseif ( $prefs['session_storage'] == 'memcache' && TikiLib::lib("memcach")->isEnabled() ) {
+} elseif ( isset($prefs['session_storage']) && $prefs['session_storage'] == 'memcache' && TikiLib::lib("memcach")->isEnabled() ) {
 require_once ('lib/tikisession-memcache.php');
 }
@@ -110,7 +110,7 @@
 }
 $start_session = true;
-if ( $prefs['session_silent'] == 'y' && empty($_COOKIE[session_name()]) ) {
+if ( isset($prefs['session_silent']) && $prefs['session_silent'] == 'y' && empty($_COOKIE[session_name()]) ) {
 $start_session = false;
 }
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
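Review bot: The rewritten `elseif` in the first hunk carries over `TikiLib::lib("memcach")`, which looks like a typo for `"memcache"` (the handler it then requires is `lib/tikisession-memcache.php`); unless a lib registered under that name exists, selecting memcache session storage would fail at this guard instead of loading the handler. Both hunks keep loose `==` against string preferences — `isset($prefs['session_storage']) && $prefs['session_storage'] === 'db'`, and likewise for `'memcache'` and `$prefs['session_silent'] === 'y'`, avoids PHP's string-to-number coercion surprises; the same applies to the second hunk. The `ini_set` block closed by the `}` at the top of the first hunk starts before the hunk.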
From: <nk...@us...> - 2012-05-19 19:02:23
Revision: 41503
http://tikiwiki.svn.sourceforge.net/tikiwiki/?rev=41503&view=rev
Author: nkoth
Date: 2012-05-19 19:02:17 +0000 (Sat, 19 May 2012)
Log Message:
-----------
[FIX] unable to enter pagename with apostrophe in menu link, and afaik apostrophe are ok in url anyway
Modified Paths:
--------------
branches/9.x/tiki-setup_base.php
Modified: branches/9.x/tiki-setup_base.php
===================================================================
--- branches/9.x/tiki-setup_base.php 2012-05-19 18:47:30 UTC (rev 41502)
+++ branches/9.x/tiki-setup_base.php 2012-05-19 19:02:17 UTC (rev 41503)
@@ -181,7 +181,7 @@
 $patterns['dotvars'] = "/^[-_a-zA-Z0-9\.]*$/"; // same pattern as a variable key, but that may contain a dot
 $patterns['hash'] = "/^[a-z0-9]*$/"; // for hash reqId in live support
 // needed for the htmlpage inclusion in tiki-editpage
-$patterns['url'] = "/^(https?:\/\/)?[^<>\"']*$/"; // needed for the htmlpage inclusion in tiki-editpage
+$patterns['url'] = "/^(https?:\/\/)?[^<>\"]*$/"; // needed for the htmlpage inclusion in tiki-editpage
 // parameter type definitions. prepend a + if variable may not be empty, e.g. '+int'
 $vartype['id'] = '+int';
 $vartype['forumId'] = '+int';
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
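Review bot: Removing `'` from the exclusion class of `$patterns['url']` widens what passes as a url-typed value for every consumer of that pattern, not only menu links, and an apostrophe is only harmless at output where each site that prints the value into HTML escapes with `htmlspecialchars(..., ENT_QUOTES)` — those sites are outside this file, so that is an assumption to confirm rather than something the commit message establishes. The pattern is a three-character denylist, not URL validation, and the trailing comment (still "needed for the htmlpage inclusion") does not say so; `// denylist of <>" only, not URL validation: output sites must escape with ENT_QUOTES` documents the contract the change now relies on.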
From: <jon...@us...> - 2012-05-23 10:27:20
Revision: 41536
http://tikiwiki.svn.sourceforge.net/tikiwiki/?rev=41536&view=rev
Author: jonnybradley
Date: 2012-05-23 10:27:10 +0000 (Wed, 23 May 2012)
Log Message:
-----------
[FIX] setup: parentId can be -1 (e.g. in filegals for the root gallery) Fixes edit root filegal
Modified Paths:
--------------
branches/9.x/tiki-setup_base.php
Modified: branches/9.x/tiki-setup_base.php
===================================================================
--- branches/9.x/tiki-setup_base.php 2012-05-23 10:19:17 UTC (rev 41535)
+++ branches/9.x/tiki-setup_base.php 2012-05-23 10:27:10 UTC (rev 41536)
@@ -264,7 +264,7 @@
 $vartype['nlId'] = 'int';
 $vartype['chartId'] = 'int';
 $vartype['categoryId'] = 'int';
-$vartype['parentId'] = 'int';
+$vartype['parentId'] = 'intSign';
 $vartype['bannerId'] = 'int';
 $vartype['rssId'] = 'int';
 $vartype['page_ref_id'] = 'int';
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
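Review bot: The changed line gives no hint why `parentId` alone in this table accepts a sign, and what `'intSign'` admits is defined by the filter that consumes `$vartype`, which is outside this file (presumably it has an `intSign` case — verify). A trailing comment keeps the next maintainer from "fixing" it back to `'int'`: `$vartype['parentId'] = 'intSign'; // -1 is the root file gallery, so a signed value is legal here`.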
From: <cha...@us...> - 2012-06-07 10:05:50
Revision: 41829
http://tikiwiki.svn.sourceforge.net/tikiwiki/?rev=41829&view=rev
Author: changi67
Date: 2012-06-07 10:05:40 +0000 (Thu, 07 Jun 2012)
Log Message:
-----------
[FIX] Wrong name for memcache - missing e
Modified Paths:
--------------
branches/9.x/tiki-setup_base.php
Modified: branches/9.x/tiki-setup_base.php
===================================================================
--- branches/9.x/tiki-setup_base.php 2012-06-06 21:07:16 UTC (rev 41828)
+++ branches/9.x/tiki-setup_base.php 2012-06-07 10:05:40 UTC (rev 41829)
@@ -92,7 +92,7 @@
 } elseif ($api_tiki == 'pdo') {
 require_once ('lib/tikisession-pdo.php');
 }
-} elseif ( isset($prefs['session_storage']) && $prefs['session_storage'] == 'memcache' && TikiLib::lib("memcach")->isEnabled() ) {
+} elseif ( isset($prefs['session_storage']) && $prefs['session_storage'] == 'memcache' && TikiLib::lib("memcache")->isEnabled() ) {
 require_once ('lib/tikisession-memcache.php');
 }
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <er...@us...> - 2012-08-09 10:56:28
Revision: 42561
http://tikiwiki.svn.sourceforge.net/tikiwiki/?rev=42561&view=rev
Author: eromneg
Date: 2012-08-09 10:56:21 +0000 (Thu, 09 Aug 2012)
Log Message:
-----------
[FIX] adjust url regex pattern check to allow quotes if the 'allow HTML' pref is set - this is the first step to fix a series of regressions to reallow HTML in menu urls
Modified Paths:
--------------
branches/9.x/tiki-setup_base.php
Modified: branches/9.x/tiki-setup_base.php
===================================================================
--- branches/9.x/tiki-setup_base.php 2012-08-08 21:16:43 UTC (rev 42560)
+++ branches/9.x/tiki-setup_base.php 2012-08-09 10:56:21 UTC (rev 42561)
@@ -60,6 +60,7 @@
 'min_pass_length' => 5,
 'pass_chr_special' => 'n',
 'smarty_compilation' => 'modified',
+ 'menus_item_names_raw' => 'n',
 );
 // check that tiki_preferences is there
 if ($tikilib->query("SHOW TABLES LIKE 'tiki_preferences'")->numRows() == 0) {
@@ -180,8 +181,12 @@
 $patterns['vars'] = "/^[-_a-zA-Z0-9]*$/"; // for variable keys
 $patterns['dotvars'] = "/^[-_a-zA-Z0-9\.]*$/"; // same pattern as a variable key, but that may contain a dot
 $patterns['hash'] = "/^[a-z0-9]*$/"; // for hash reqId in live support
-// needed for the htmlpage inclusion in tiki-editpage
-$patterns['url'] = "/^(https?:\/\/)?[^<>\"]*$/"; // needed for the htmlpage inclusion in tiki-editpage
+// allow quotes in url for additional tags if html pref is set
+if ($prefs['menus_item_names_raw'] == 'y') {
+$patterns['url'] = "/^(https?:\/\/)?[^<>]*$/";
+} else {
+$patterns['url'] = "/^(https?:\/\/)?[^<>\"]*$/";
+}
 // parameter type definitions. prepend a + if variable may not be empty, e.g. '+int'
 $vartype['id'] = '+int';
 $vartype['forumId'] = '+int';
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
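Review bot: The new `if ($prefs['menus_item_names_raw'] == 'y')` in the second hunk reads the preference without the `isset()` guard this file applies to `session_storage` and `session_silent` (the r41223 change on this page, added precisely to avoid notices during upgrade); the default added in the first hunk covers the normal path, but whether `$needed_prefs` is applied when `tiki_preferences` is missing is decided by code outside the hunk. `if (isset($prefs['menus_item_names_raw']) && $prefs['menus_item_names_raw'] === 'y') {` matches the existing style and pins the string comparison. The two `$patterns['url']` assignments inside the new `if`/`else` appear unindented relative to their braces; if that is not an artefact of the mail rendering, they should be indented one level.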
From: luciash <lu...@ti...> - 2012-08-10 11:03:14
hi,
this is imho wrong because it affects whole tiki where "url" type
pattern is used, not just the menu links.

to make it right, it would need new pattern, something like:

$patterns['menulink']

what do you think ?

luci

On 9.8.2012 12:56, er...@us... wrote:
> Revision: 42561
> http://tikiwiki.svn.sourceforge.net/tikiwiki/?rev=42561&view=rev
> Author: eromneg
> Date: 2012-08-09 10:56:21 +0000 (Thu, 09 Aug 2012)
> Log Message:
> -----------
> [FIX] adjust url regex pattern check to allow quotes if the 'allow HTML' pref is set - this is the first step to fix a series of regressions to reallow HTML in menu urls
>
> Modified Paths:
> --------------
> branches/9.x/tiki-setup_base.php
>
> Modified: branches/9.x/tiki-setup_base.php
> ===================================================================
> --- branches/9.x/tiki-setup_base.php 2012-08-08 21:16:43 UTC (rev 42560)
> +++ branches/9.x/tiki-setup_base.php 2012-08-09 10:56:21 UTC (rev 42561)
> @@ -60,6 +60,7 @@
> 'min_pass_length' => 5,
> 'pass_chr_special' => 'n',
> 'smarty_compilation' => 'modified',
> + 'menus_item_names_raw' => 'n',
> );
> // check that tiki_preferences is there
> if ($tikilib->query("SHOW TABLES LIKE 'tiki_preferences'")->numRows() == 0) {
> @@ -180,8 +181,12 @@
> $patterns['vars'] = "/^[-_a-zA-Z0-9]*$/"; // for variable keys
> $patterns['dotvars'] = "/^[-_a-zA-Z0-9\.]*$/"; // same pattern as a variable key, but that may contain a dot
> $patterns['hash'] = "/^[a-z0-9]*$/"; // for hash reqId in live support
> -// needed for the htmlpage inclusion in tiki-editpage
> -$patterns['url'] = "/^(https?:\/\/)?[^<>\"]*$/"; // needed for the htmlpage inclusion in tiki-editpage
> +// allow quotes in url for additional tags if html pref is set
> +if ($prefs['menus_item_names_raw'] == 'y') {
> +$patterns['url'] = "/^(https?:\/\/)?[^<>]*$/";
> +} else {
> +$patterns['url'] = "/^(https?:\/\/)?[^<>\"]*$/";
> +}
> // parameter type definitions. prepend a + if variable may not be empty, e.g. '+int'
> $vartype['id'] = '+int';
> $vartype['forumId'] = '+int';
>
> This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Tikiwiki-cvs mailing list
> Tik...@li...
> https://lists.sourceforge.net/lists/listinfo/tikiwiki-cvs |
From: luciash <lu...@ti...> - 2012-08-10 17:59:17
After some re-thinking and testing I have decided to simply add a check to Geoff's if-else condition in tiki-setup_base.php to make sure the raw input is coming from tiki-admin_menu_options.php only. Commited in revision 42568. This is the easiest and safest I could think of for now. luci On 08/10/2012 12:25 PM, luciash wrote:
> hi,
> this is imho wrong because it affects whole tiki where "url" type
> pattern is used, not just the menu links.
>
> to make it right, it would need new pattern, something like:
>
> $patterns['menulink']
>
> what do you think ?
>
> luci
>
>
>
> On 9.8.2012 12:56, er...@us... wrote:
>> Revision: 42561
>> http://tikiwiki.svn.sourceforge.net/tikiwiki/?rev=42561&view=rev
>> Author: eromneg
>> Date: 2012-08-09 10:56:21 +0000 (Thu, 09 Aug 2012)
>> Log Message:
>> -----------
>> [FIX] adjust url regex pattern check to allow quotes if the 'allow HTML' pref is set - this is the first step to fix a series of regressions to reallow HTML in menu urls
>>
>> Modified Paths:
>> --------------
>> branches/9.x/tiki-setup_base.php
>>
>> Modified: branches/9.x/tiki-setup_base.php
>> ===================================================================
>> --- branches/9.x/tiki-setup_base.php 2012-08-08 21:16:43 UTC (rev 42560)
>> +++ branches/9.x/tiki-setup_base.php 2012-08-09 10:56:21 UTC (rev 42561)
>> @@ -60,6 +60,7 @@
>> 'min_pass_length' => 5,
>> 'pass_chr_special' => 'n',
>> 'smarty_compilation' => 'modified',
>> + 'menus_item_names_raw' => 'n',
>> );
>> // check that tiki_preferences is there
>> if ($tikilib->query("SHOW TABLES LIKE 'tiki_preferences'")->numRows() == 0) {
>> @@ -180,8 +181,12 @@
>> $patterns['vars'] = "/^[-_a-zA-Z0-9]*$/"; // for variable keys
>> $patterns['dotvars'] = "/^[-_a-zA-Z0-9\.]*$/"; // same pattern as a variable key, but that may contain a dot
>> $patterns['hash'] = "/^[a-z0-9]*$/"; // for hash reqId in live support
>> -// needed for the htmlpage inclusion in tiki-editpage
>> -$patterns['url'] = "/^(https?:\/\/)?[^<>\"]*$/"; // needed for the htmlpage inclusion in tiki-editpage
>> +// allow quotes in url for additional tags if html pref is set
>> +if ($prefs['menus_item_names_raw'] == 'y') {
>> +$patterns['url'] = "/^(https?:\/\/)?[^<>]*$/";
>> +} else {
>> +$patterns['url'] = "/^(https?:\/\/)?[^<>\"]*$/";
>> +}
>> // parameter type definitions. prepend a + if variable may not be empty, e.g. '+int'
>> $vartype['id'] = '+int';
>> $vartype['forumId'] = '+int';
>>
>> This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
>>
>>
>> ------------------------------------------------------------------------------
>> Live Security Virtual Conference
>> Exclusive live event will cover all the ways today's security and
>> threat landscape has changed and how IT managers can respond. Discussions
>> will include endpoint security, mobile security and the latest in malware
>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>> _______________________________________________
>> Tikiwiki-cvs mailing list
>> Tik...@li...
>> https://lists.sourceforge.net/lists/listinfo/tikiwiki-cvs
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. 
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Tikiwiki-cvs mailing list
> Tik...@li...
> https://lists.sourceforge.net/lists/listinfo/tikiwiki-cvs |
From: <lu...@us...> - 2012-08-10 17:39:47
Revision: 42568
http://tikiwiki.svn.sourceforge.net/tikiwiki/?rev=42568&view=rev
Author: luciash
Date: 2012-08-10 17:39:40 +0000 (Fri, 10 Aug 2012)
Log Message:
-----------
[FIX] raw html in menu options links: better to allow only for inputs coming from the menu options admin page
Modified Paths:
--------------
branches/9.x/tiki-setup_base.php
Modified: branches/9.x/tiki-setup_base.php
===================================================================
--- branches/9.x/tiki-setup_base.php 2012-08-10 14:09:12 UTC (rev 42567)
+++ branches/9.x/tiki-setup_base.php 2012-08-10 17:39:40 UTC (rev 42568)
@@ -181,8 +181,8 @@
 $patterns['vars'] = "/^[-_a-zA-Z0-9]*$/"; // for variable keys
 $patterns['dotvars'] = "/^[-_a-zA-Z0-9\.]*$/"; // same pattern as a variable key, but that may contain a dot
 $patterns['hash'] = "/^[a-z0-9]*$/"; // for hash reqId in live support
-// allow quotes in url for additional tags if html pref is set
-if ($prefs['menus_item_names_raw'] == 'y') {
+// allow quotes in url for additional tag attributes if html allowed in menu options links
+if ($prefs['menus_item_names_raw'] == 'y' and strpos($_SERVER["SCRIPT_NAME"], 'tiki-admin_menu_options.php') !== false) {
 $patterns['url'] = "/^(https?:\/\/)?[^<>]*$/";
 } else {
 $patterns['url'] = "/^(https?:\/\/)?[^<>\"]*$/";
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
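Review bot: `strpos($_SERVER["SCRIPT_NAME"], 'tiki-admin_menu_options.php') !== false` on the new condition line is a substring test, so any script path that merely contains that name would qualify; `basename($_SERVER['SCRIPT_NAME']) === 'tiki-admin_menu_options.php'` is exact and reads as intended. The relaxation is keyed on which script is running, not on the requester's permission — the admin page's own permission check is presumably what protects it, but that dependency lives outside this file and deserves a comment on the line, e.g. `// relies on tiki-admin_menu_options.php enforcing its admin permission before any url input is used`. `and` binds more loosely than `&&`; inside an `if` condition that is harmless, but `&&` is the usual form and avoids surprises if the expression is ever assigned to a variable. The `if`/`else` continues past the last hunk line.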
From: <ar...@us...> - 2013-07-10 19:53:14
Revision: 46615
http://sourceforge.net/p/tikiwiki/code/46615
Author: arildb
Date: 2013-07-10 19:53:09 +0000 (Wed, 10 Jul 2013)
Log Message:
-----------
[bp/r46612][FIX] https protected sessions on IIS
Revision Links:
--------------
http://sourceforge.net/p/tikiwiki/code/46612
Modified Paths:
--------------
branches/9.x/tiki-setup_base.php
Modified: branches/9.x/tiki-setup_base.php
===================================================================
--- branches/9.x/tiki-setup_base.php 2013-07-10 19:52:50 UTC (rev 46614)
+++ branches/9.x/tiki-setup_base.php 2013-07-10 19:53:09 UTC (rev 46615)
@@ -70,7 +70,9 @@
 }
 $tikilib->get_preferences($needed_prefs, true, true);
-if (isset($prefs['session_protected']) && $prefs['session_protected'] == 'y' && ! isset($_SERVER['HTTPS'])) {
+// IIS always sets the $_SERVER['HTTPS'] value (on|off)
+$noSSLActive = !isset($_SERVER['HTTPS']) || (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'off');
+if (isset($prefs['session_protected']) && $prefs['session_protected'] == 'y' && $noSSLActive && php_sapi_name() != 'cli') {
 header("Location: https://{$_SERVER['HTTP_HOST']}{$_SERVER['REQUEST_URI']}");
 exit;
 }
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
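Review bot: The second disjunct of the new `$noSSLActive` re-tests the `isset()` the first disjunct already decided, and an empty-string `HTTPS` (which some FastCGI setups pass for plain HTTP) would be treated as TLS active; `$noSSLActive = empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off';` covers both in one line. The `Location` header on the following context line is built from `$_SERVER['HTTP_HOST']`, i.e. the request's Host header, so the redirect target is chosen by the client; validating it against the configured site host, or building the URL from that preference, keeps this from redirecting to a host the operator does not control. Behind a TLS-terminating proxy `HTTPS` is typically unset at PHP, in which case this guard would redirect in a loop — presumably handled elsewhere, but a comment on the guard saying what it assumes about the deployment would help.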