Update of /cvsroot/tikiwiki/tiki In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv28232 Modified Files: README changelog.txt robots.txt setup.sh setup_smarty.php tiki-admin_include_login.php tiki-admin_include_wiki.php tiki-admin_integrator.php tiki-atom.php tiki-editpage.php tiki-index.php tiki-login.php tiki-pick_avatar.php tiki-setup.php tiki-setup_base.php tiki-tc.php Log Message: merging from branch to head. update with caution, some central stuff have been added and unexpected border effects can occur Index: README =================================================================== RCS file: /cvsroot/tikiwiki/tiki/README,v retrieving revision 1.6 retrieving revision 1.7 diff -u -d -r1.6 -r1.7 --- README 15 Mar 2004 21:27:27 -0000 1.6 +++ README 3 Apr 2004 09:36:38 -0000 1.7 @@ -1,5 +1,5 @@ Tiki! The wiki with a lot of features! -version 1.8.1 -Polaris- +version 1.8.2 -Polaris- DOCUMENTATION @@ -29,7 +29,7 @@ COPYRIGHT -Copyright (c) 2002-2003, Luis Argerich, Garland Foster, Eduardo Polidor, et. al.All +Copyright (c) 2002-2004, Luis Argerich, Garland Foster, Eduardo Polidor, et. al.All Rights Reserved. See copyright.txt for details and a complete list of authors. Licensed under the GNU LESSER GENERAL PUBLIC LICENSE. See license.txt for details. Index: changelog.txt =================================================================== RCS file: /cvsroot/tikiwiki/tiki/changelog.txt,v retrieving revision 1.152 retrieving revision 1.153 diff -u -d -r1.152 -r1.153 --- changelog.txt 27 Mar 2004 21:23:52 -0000 1.152 +++ changelog.txt 3 Apr 2004 09:36:39 -0000 1.153 
@@ -30,8 +30,16 @@ * [NEW] plugin ATTACH to list attachements on a wiki page * [MOD] Avoid sending user back to registration page on first login +Version 1.8.2 - Polaris - +<http://tikiwiki.org/ReleaseProcess182> +* [NEW] added an option in wiki admin panel to make use of dashes and + underscores optionnal in WikiWords +* [NEW] Confirmation on all destructive actions +* [NEW] index.php everywhere, which calls ../index.php until the top level + which will call tiki-index.php as normal +* [NEW] Some scripts cannot be called directly, so we divert to the index.php -Version 1.8.1 - Polaris- +Version 1.8.1 - Polaris - <http://tikiwiki.org/ReleaseProcess181> * [FIX] File and Image Galleries: Directory value shouldn't need "/" * [MOD] Wiki Forum Discuss Broken with dropdown on Wiki Admin page Index: robots.txt =================================================================== RCS file: /cvsroot/tikiwiki/tiki/robots.txt,v retrieving revision 1.1 retrieving revision 1.2 diff -u -d -r1.1 -r1.2 --- robots.txt 10 Jul 2003 19:08:22 -0000 1.1 +++ robots.txt 3 Apr 2004 09:36:39 -0000 1.2 @@ -1,3 +1,21 @@ User-agent: * Disallow: /CVS/ - +Disallow: /lib/ +Disallow: /doc/ +Disallow: /dump/ +Disallow: /img/ +Disallow: /templates/ +Disallow: /templates_c/ +Disallow: /var/ +Disallow: /lang/ +Disallow: /backups/ +Disallow: /bin/ +Disallow: /db/ +Disallow: /games/ +Disallow: /images/ +Disallow: /modules/ +Disallow: /popups/ +Disallow: /temp/ +Disallow: /tests/ +Disallow: /tikimovies/ +Disallow: tiki-install.php Index: setup.sh =================================================================== RCS file: /cvsroot/tikiwiki/tiki/setup.sh,v retrieving revision 1.23 retrieving revision 1.24 diff -u -d -r1.23 -r1.24 --- setup.sh 31 Jan 2004 14:10:43 -0000 1.23 +++ setup.sh 3 Apr 2004 09:36:39 -0000 1.24 
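Review bot: robots.txt is advisory only, and this list doubles as a map of the most sensitive locations (`/backups/`, `/dump/`, `/db/`, `/temp/`, `tiki-install.php`) for anyone who fetches it; nothing here is protected by being listed. The real control is web-server access control on those directories (or moving dumps and backups outside the document root) and removing or locking `tiki-install.php` once installation is done, with the robots entries kept only as a crawler courtesy. Separately, `Disallow: tiki-install.php` lacks the leading slash that robots.txt path rules require, so crawlers will not match it; write `Disallow: /tiki-install.php`.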
@@ -1,7 +1,7 @@ #!/bin/sh # $Header$ -# Copyright (c) 2002-2003, Luis Argerich, Garland Foster, Eduardo Polidor, et. al. +# Copyright (c) 2002-2004, Luis Argerich, Garland Foster, Eduardo Polidor, et. al. # All Rights Reserved. See copyright.txt for details and a complete list of authors. # Licensed under the GNU LESSER GENERAL PUBLIC LICENSE. See license.txt for details. Index: setup_smarty.php =================================================================== RCS file: /cvsroot/tikiwiki/tiki/setup_smarty.php,v retrieving revision 1.20 retrieving revision 1.21 diff -u -d -r1.20 -r1.21 --- setup_smarty.php 28 Mar 2004 07:32:22 -0000 1.20 +++ setup_smarty.php 3 Apr 2004 09:36:39 -0000 1.21 @@ -6,10 +6,10 @@ // All Rights Reserved. See copyright.txt for details and a complete list of authors. // Licensed under the GNU LESSER GENERAL PUBLIC LICENSE. See license.txt for details. +require_once('tiki-setup.php'); //this script may only be included - so its better to die if called directly. if (strpos($_SERVER["SCRIPT_NAME"],basename(__FILE__)) !== FALSE) { //smarty is not there - we need setup - require_once('tiki-setup.php'); $smarty->assign('msg',tra("This script cannot be called directly")); $smarty->display("error.tpl"); die; @@ -18,8 +18,7 @@ if (isset($_SERVER["REQUEST_URI"])) { ini_set('session.cookie_path', str_replace( "\\", "/", dirname($_SERVER["REQUEST_URI"]))); } - -require_once ("db/tiki-db.php"); +$ticket = ''; require_once("lib/tikiticketlib.php"); // Set the separator for PHP generated tags to be & instead of & 
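Review bot: Moving `require_once('tiki-setup.php');` above the direct-call guard makes the guard run the entire bootstrap before refusing, and it appears to make the include graph circular: tiki-setup_base.php already does `require_once("setup_smarty.php")` (see its hunk in this commit), so on a direct request to setup_smarty.php that nested require_once is a no-op and `$smarty` is still undefined when tiki-setup.php reaches its `$smarty->assign(...)` calls — the visitor presumably gets a fatal error instead of error.tpl. Any script that includes tiki-setup_base.php without tiki-setup.php would likely trigger the same premature bootstrap; worth confirming. A cheaper guard refuses before any include, e.g. `if (strpos($_SERVER["SCRIPT_NAME"], basename(__FILE__)) !== FALSE) { header('HTTP/1.0 403 Forbidden'); die('This script cannot be called directly'); }`, leaving the setup include where it was.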
@@ -108,8 +107,16 @@ if (!isset($tikidomain)) $tikidomain = ""; +if (!isset($feature_ticketlib2)) + $feature_ticketlib2 = "y"; + $smarty = new Smarty_TikiWiki($tikidomain); $smarty->load_filter('pre', 'tr'); +/* +if ($feature_ticketlib2 == 'y') { + $smarty->load_filter('output', 'ticket'); +} +*/ //$smarty->load_filter('output','trimwhitespace'); if (isset($_REQUEST['highlight'])) { Index: tiki-admin_include_login.php =================================================================== RCS file: /cvsroot/tikiwiki/tiki/tiki-admin_include_login.php,v retrieving revision 1.15 retrieving revision 1.16 diff -u -d -r1.15 -r1.16 --- tiki-admin_include_login.php 29 Mar 2004 21:26:28 -0000 1.15 +++ tiki-admin_include_login.php 3 Apr 2004 09:36:39 -0000 1.16 @@ -221,6 +221,10 @@ $b = (isset($_REQUEST['feature_ticketlib']) && $_REQUEST['feature_ticketlib'] == 'on') ? 'y' : 'n'; $tikilib->set_preference('feature_ticketlib', $b); $smarty->assign('feature_ticketlib', $b); + + $b = (isset($_REQUEST['feature_ticketlib2']) && $_REQUEST['feature_ticketlib2'] == 'on') ? 'y' : 'n'; + $tikilib->set_preference('feature_ticketlib2', $b); + $smarty->assign('feature_ticketlib2', $b); } if (isset($_REQUEST["auth_pear"])) { Index: tiki-admin_include_wiki.php =================================================================== RCS file: /cvsroot/tikiwiki/tiki/tiki-admin_include_wiki.php,v retrieving revision 1.19 retrieving revision 1.20 diff -u -d -r1.19 -r1.20 --- tiki-admin_include_wiki.php 31 Mar 2004 07:38:41 -0000 1.19 +++ tiki-admin_include_wiki.php 3 Apr 2004 09:36:39 -0000 1.20 
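Review bot: `$feature_ticketlib2` is defaulted to `"y"` here and saved from the admin panel in this same commit, but its only consumer — the `load_filter('output', 'ticket')` call — is commented out, so the preference is dead: switching it on changes nothing while an admin may believe ticket protection is active. Either drop the default and the commented block until the filter ships, or gate the filter for real; if it must stay disabled, say why in place, e.g. `// ticket output filter disabled: <reason> — do not enable until <condition>`, so the next reader does not assume the feature works.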
@@ -292,6 +292,16 @@ $smarty->assign('feature_wikiwords', 'n'); } + if (isset($_REQUEST["feature_wikiwords_usedash"]) && $_REQUEST["feature_wikiwords_usedash"] == "on") { + $tikilib->set_preference("feature_wikiwords_usedash", 'y'); + + $smarty->assign('feature_wikiwords_usedash', 'y'); + } else { + $tikilib->set_preference("feature_wikiwords_usedash", 'n'); + + $smarty->assign('feature_wikiwords_usedash', 'n'); + } + if(isset($_REQUEST["feature_wiki_plurals"]) && $_REQUEST["feature_wiki_plurals"]=="on") { $tikilib->set_preference("feature_wiki_plurals",'y'); Index: tiki-admin_integrator.php =================================================================== RCS file: /cvsroot/tikiwiki/tiki/tiki-admin_integrator.php,v retrieving revision 1.15 retrieving revision 1.16 diff -u -d -r1.15 -r1.16 --- tiki-admin_integrator.php 31 Mar 2004 07:38:41 -0000 1.15 +++ tiki-admin_integrator.php 3 Apr 2004 09:36:39 -0000 1.16 @@ -73,7 +73,6 @@ break; case 'rm': if ($repID != 0) { -zsh: command not found: q if (isset($_POST['daconfirm']) and isset($_SESSION["ticket_$area"])) { key_check($area); $integrator->remove_repository($repID); Index: tiki-atom.php =================================================================== RCS file: /cvsroot/tikiwiki/tiki/tiki-atom.php,v retrieving revision 1.2 retrieving revision 1.3 diff -u -d -r1.2 -r1.3 --- tiki-atom.php 7 Mar 2004 23:12:01 -0000 1.2 +++ tiki-atom.php 3 Apr 2004 09:36:39 -0000 1.3 
@@ -1,5 +1,11 @@ <?php +// $Header$ + +// Copyright (c) 2002-2004, Luis Argerich, Garland Foster, Eduardo Polidor, et. al. +// All Rights Reserved. See copyright.txt for details and a complete list of authors. +// Licensed under the GNU LESSER GENERAL PUBLIC LICENSE. See license.txt for details. + $datenow = htmlspecialchars($tikilib->iso_8601(date("U"))); $url = $_SERVER["REQUEST_URI"]; Index: tiki-editpage.php =================================================================== RCS file: /cvsroot/tikiwiki/tiki/tiki-editpage.php,v retrieving revision 1.75 retrieving revision 1.76 diff -u -d -r1.75 -r1.76 --- tiki-editpage.php 31 Mar 2004 07:38:41 -0000 1.75 +++ tiki-editpage.php 3 Apr 2004 09:36:39 -0000 1.76 @@ -80,7 +80,6 @@ foreach ($parts as $part) { if ($part["version"] > $last_part_ver) { $last_part_ver = $part["version"]; - $last_part = $part["body"]; } @@ -109,11 +108,11 @@ $msg = ''; if (isset($_REQUEST["save"])) { + make_clean($description); if ($tikilib->page_exists($pagename)) { $tikilib->update_page($pagename, $part["body"], tra('page imported'), $author, $authorid, $description); } else { - $tikilib->create_page($pagename, $hits, $part["body"], $lastmodified, tra('created from import'), $author, - $authorid, $description); + $tikilib->create_page($pagename, $hits, $part["body"], $lastmodified, tra('created from import'), $author, $authorid, $description); } } else { $_REQUEST["edit"] = $last_part; @@ -643,6 +642,8 @@ $tikilib->cache_links($cachedlinks); */ $t = date("U"); + make_clean($_REQUEST["comment"]); + make_clean($description); $tikilib->create_page($_REQUEST["page"], 0, $edit, $t, $_REQUEST["comment"],$user,$_SERVER["REMOTE_ADDR"],$description); if ($wiki_watch_author == 'y') $tikilib->add_user_watch($user,"wiki_page_changed",$_REQUEST["page"],tra('Wiki page'),$page,"tiki-index.php?page=$page"); 
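Review bot: Dropping `$last_part = $part["body"];` from the version-selection loop leaves `$_REQUEST["edit"] = $last_part;` in the next hunk reading a variable that is no longer assigned anywhere visible, and the save path uses `$part["body"]`, which after the `foreach` is simply the last element iterated rather than the highest-version part the loop was looking for — unless `$last_part` is set somewhere outside these hunks, the import now edits an empty body and saves the wrong part. If the intent was to keep the whole part, assign `$last_part = $part;` inside the `if` and use `$last_part["body"]` in both the `update_page`/`create_page` calls and the edit assignment. The enclosing import block starts and ends outside these hunks.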
@@ -657,6 +658,8 @@ } else { $minor=false; } + make_clean($_REQUEST["comment"]); + make_clean($description); $tikilib->update_page($_REQUEST["page"],$edit,$_REQUEST["comment"],$user,$_SERVER["REMOTE_ADDR"],$description,$minor); } Index: tiki-index.php =================================================================== RCS file: /cvsroot/tikiwiki/tiki/tiki-index.php,v retrieving revision 1.92 retrieving revision 1.93 diff -u -d -r1.92 -r1.93 --- tiki-index.php 31 Mar 2004 07:38:41 -0000 1.92 +++ tiki-index.php 3 Apr 2004 09:36:48 -0000 1.93 @@ -1,6 +1,10 @@ <?php // $Header$ +// Copyright (c) 2002-2004, Luis Argerich, Garland Foster, Eduardo Polidor, et. al. +// All Rights Reserved. See copyright.txt for details and a complete list of authors. +// Licensed under the GNU LESSER GENERAL PUBLIC LICENSE. See license.txt for details. + // Initialization require_once('tiki-setup.php'); Index: tiki-login.php =================================================================== RCS file: /cvsroot/tikiwiki/tiki/tiki-login.php,v retrieving revision 1.27 retrieving revision 1.28 diff -u -d -r1.27 -r1.28 --- tiki-login.php 31 Mar 2004 10:03:36 -0000 1.27 +++ tiki-login.php 3 Apr 2004 09:36:49 -0000 1.28 @@ -99,7 +99,7 @@ // If the password is valid but it is due then force the user to change the password by // sending the user to the new password change screen without letting him use tiki -// The user must re-nter the old password so no secutiry risk here +// The user must re-nter the old password so no security risk here if ($isvalid) { $isdue = $userlib->is_due($user); } 
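Review bot: `make_clean($_REQUEST["comment"])` and `make_clean($description)` HTML-encode the values before `update_page` stores them, so these columns now hold `&amp;`/`&lt;` while the same columns written through other paths stay raw, and any template that escapes on output (or the `get_unclean` round trip) will double-encode them. Because `make_clean` (defined in the tiki-setup_base.php hunk of this commit) deliberately omits `ENT_QUOTES`, a `'` survives, so this does not remove the need for context-aware escaping at output. Prefer storing the raw value and escaping in the template (Smarty `|escape`), or at minimum apply the same rule on every write path to the same columns and note it next to the schema.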
@@ -108,7 +108,7 @@ if ($isdue) { // Redirect the user to the screen where he must change his password. // Note that the user is not logged in he's just validated to change his password - // The user must re-enter his old password so no secutiry risk involved + // The user must re-enter his old password so no security risk involved $url = 'tiki-change_password.php?user=' . urlencode($user). '&oldpass=' . urlencode($pass); } else { // User is valid and not due to change pass.. start session Index: tiki-pick_avatar.php =================================================================== RCS file: /cvsroot/tikiwiki/tiki/tiki-pick_avatar.php,v retrieving revision 1.17 retrieving revision 1.18 diff -u -d -r1.17 -r1.18 --- tiki-pick_avatar.php 28 Mar 2004 07:32:23 -0000 1.17 +++ tiki-pick_avatar.php 3 Apr 2004 09:36:49 -0000 1.18 @@ -120,7 +120,7 @@ $h = opendir("img/avatars/"); while ($file = readdir($h)) { - if ($file != '.' && $file != '..' && substr($file, 0, 1) != "." && $file != "CVS") { + if ($file != '.' && $file != '..' && $file != 'index.php' && substr($file, 0, 1) != "." && $file != "CVS") { $avatars[] = 'img/avatars/' . $file; } } Index: tiki-setup.php =================================================================== RCS file: /cvsroot/tikiwiki/tiki/tiki-setup.php,v retrieving revision 1.207 retrieving revision 1.208 diff -u -d -r1.207 -r1.208 --- tiki-setup.php 31 Mar 2004 07:38:41 -0000 1.207 +++ tiki-setup.php 3 Apr 2004 09:36:49 -0000 1.208 
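Review bot: The corrected comment still asserts "no security risk involved", but the line right below it builds `tiki-change_password.php?user=… &oldpass=' . urlencode($pass)`, i.e. the just-validated plaintext password is sent in a GET query string, where it lands in access logs, proxy logs, browser history and the Referer of the next request. That exposure should not be waved away by the comment; until the redirect is reworked (for instance, mark the user as password-due in the session and have the change form ask for the old password again), change it to `// NOTE: the old password travels in the query string and may be logged — move it to POST/session state`. Both lines are context here and the enclosing `if ($isvalid)` logic starts outside the hunk, so this is a follow-up rather than a blocker for this merge.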
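Review bot: The `readdir` filter is a growing deny-list (`.`, `..`, dotfiles, `CVS`, now `index.php`), so any other non-image file that ends up in `img/avatars/` — a backup, a `Thumbs.db`, an uploaded script — is offered as an avatar path to every user. An allow-list on image extension is both shorter and more robust: `if (preg_match('/\.(gif|jpe?g|png)$/i', $file)) { $avatars[] = 'img/avatars/' . $file; }`. Whether other code assumes every directory entry is listed should be confirmed before switching.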
@@ -527,6 +527,8 @@ $smarty->assign('feature_wiki_pictures_new', $feature_wiki_pictures_new); $feature_wikiwords = 'y'; $smarty->assign('feature_wikiwords', $feature_wikiwords); +$feature_wikiwords_usedash = 'y'; +$smarty->assign('feature_wikiwords_usedash', $feature_wikiwords_usedash); $feature_wiki_plurals = 'y'; $smarty->assign('feature_wiki_plurals', $feature_wiki_plurals); $feature_wiki_paragraph_formatting = 'n'; Index: tiki-setup_base.php =================================================================== RCS file: /cvsroot/tikiwiki/tiki/tiki-setup_base.php,v retrieving revision 1.62 retrieving revision 1.63 diff -u -d -r1.62 -r1.63 --- tiki-setup_base.php 2 Apr 2004 21:58:48 -0000 1.62 +++ tiki-setup_base.php 3 Apr 2004 09:36:49 -0000 1.63 @@ -16,6 +16,7 @@ #require_once("setup.php"); // smarty 2.4.1 require_once("setup_smarty.php"); // smarty 2.6.0rc1 +require_once("db/tiki-db.php"); // smarty 2.6.0rc1 //print("tiki-setup_base 2: before include tikilib.php: ".$tiki_timer->elapsed()."<br />"); require_once("lib/tikilib.php"); require_once("lib/cache/cachelib.php"); @@ -49,7 +50,16 @@ ini_set('session.save_handler','user'); include('session/adodb-session.php'); } -session_start(); + +if ( $tikilib->get_preference('sessions_onlycookie','disabled')=='enabled' ) { + ini_set('url_rewriter.tags', ''); // stop URL session handling rewrites because session.use_trans_sid cannot be reset from code and next line doesn't stop rewrites + ini_set('session.use_only_cookies', true); // URL session handling is not safe or pretty - better to have none. +} + +if ( $tikilib->get_preference('sessions_silent','disabled')=='disabled' or !empty($_COOKIE) ) { + // enabing silent sessions mean a session is only started when a cookie is presented + session_start(); +} // in the case of tikis on same domain we have to distinguish the realm // changed cookie and session variable name by a name made with siteTitle 
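Review bot: The silent-session gate `!empty($_COOKIE)` starts a session whenever the browser sends any cookie at all, not only the Tiki session cookie, so an unrelated cookie on the same host defeats the "silent" behaviour, while a first-time visitor with no cookies never reaches `session_start()` — if login relies on this call, that path needs checking. Testing for the session cookie itself, `isset($_COOKIE[session_name()])`, matches the stated intent, provided the session name is already set at this point (the comment below says it is derived from the site title, apparently later). The new `require_once("db/tiki-db.php"); // smarty 2.6.0rc1` carries a copy-pasted comment that is wrong for that line; replace it with the real reason, e.g. `// DB must be up before $tikilib->get_preference() below`.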
@@ -98,11 +108,123 @@ } else { $user = NULL; } + +// ------------------------------------------------------ +// DEAL WITH XSS-TYPE ATTACKS AND OTHER REQUEST ISSUES + +// helper functions +function make_clean(&$var) { + if ( is_array($var) ) { + foreach ( $var as $key=>$val ) { + make_clean($var[$key]); + } + } else { +// $var = htmlspecialchars($var, ENT_QUOTES); + $var = htmlspecialchars($var); // ideally use ENT_QUOTES but this is too aggressive for names like o'doyle etc. + } +} + +// call this from anywhere to restore a variable passed in $_GET +function get_unclean($var) { + if ( is_array($var) ) { + foreach ( $var as $key=>$val ) { + $ret[$key] = get_unclean($val); + } + } else { +// $ret = strtr($encoded,array_flip(get_html_translation_table(HTML_SPECIALCHARS, ENT_QUOTES))); + $ret = strtr($encoded,array_flip(get_html_translation_table(HTML_SPECIALCHARS))); // ENT_QUOTES needs to match make_clean + } + return $ret; +} + +// deal with register_globals +if ( ini_get('register_globals') ) { + foreach ( array($_ENV, $_GET, $_POST, $_COOKIE, $_SERVER) as $superglob ) { + foreach ( $superglob as $key=>$val ) { + if ( isset($GLOBALS[$key]) && $GLOBALS[$key]==$val ) { // if global has been set some other way + // that is OK (prevents munging of $_SERVER with ?_SERVER=rubbish etc.) + unset($GLOBALS[$key]); + } + } + } +} + +// deal with attempted <script> attacks and any other trash in URI +// note that embedded tags in post, post files and cookie must be handled +// specifically by code as they might be valid! 
+make_clean($_GET); +make_clean($_SERVER['QUERY_STRING']); +make_clean($_SERVER['REQUEST_URI']); + +// rebuild in a safe order +$_REQUEST = array_merge($_COOKIE, $_POST, $_GET, $_ENV, $_SERVER); + +// deal with old request globals +// Tiki uses them (admin for instance) so compatibility is required +if ( false ) { // if pre-PHP 4.1 compatibility is not required + unset($GLOBALS['HTTP_GET_VARS']); + unset($GLOBALS['HTTP_POST_VARS']); + unset($GLOBALS['HTTP_COOKIE_VARS']); + unset($GLOBALS['HTTP_ENV_VARS']); + unset($GLOBALS['HTTP_SERVER_VARS']); + unset($GLOBALS['HTTP_SESSION_VARS']); + unset($GLOBALS['HTTP_POST_FILES']); +} else { + $GLOBALS['HTTP_GET_VARS'] =& $_GET; + $GLOBALS['HTTP_POST_VARS'] =& $_POST; + $GLOBALS['HTTP_COOKIE_VARS'] =& $_COOKIE; +} + +// mose : simulate strong var type checking for http vars +$patterns['int'] = "/^[0-9]*$/"; // *Id, offset, +$patterns['char'] = "/^[-_a-zA-Z0-9]*$/"; // sort_mode, +$patterns['string'] = "/^[^<>\";&#]*$/"; // find, and such extended chars + +$patterns['vars'] = "/^[-_a-zA-Z0-9]*$/"; // for variable keys + +$vartype['offset'] = 'int'; +$vartype['thresold'] = 'int'; +$vartype['sort_mode'] = 'char'; +$vartype['comments_offset'] = 'int'; +$vartype['comments_thresold'] = 'int'; +$vartype['comments_sort_mode'] = 'char'; +$vartype['priority'] = 'int'; +$vartype['theme'] = 'string'; +$vartype['flag'] = 'char'; +$vartype['lang'] = 'char'; +$vartype['page'] = 'string'; +$vartype['edit_mode'] = 'char'; + +function varcheck($array) { + global $patterns,$vartype; + if (isset($array) and is_array($array)) { + foreach ($array as $rq=>$rv) { + if (!preg_match($patterns['vars'],$rq)) { + die(tra("Invalid variable name : "). 
htmlspecialchars($rq)); + } else { + if (is_array($rv)) { + varcheck($rv); + } elseif (((substr($rq,-2,2) == 'Id' or (isset($vartype["$rq"]) and $vartype["$rq"] == 'int')) and !preg_match($patterns['int'],$rv)) + or ((isset($vartype["$rq"]) and $vartype["$rq"] == 'char') and !preg_match($patterns['char'],$rv)) + or ((isset($vartype["$rq"]) and $vartype["$rq"] == 'string') and !preg_match($patterns['string'],$rv))) { + die(tra("Invalid variable value : "). "$rq = ". htmlspecialchars($rv)); + } + } + } + } +} +varcheck($_REQUEST); +varcheck($_POST); +varcheck($_GET); +varcheck($_COOKIE); + +// -------------------------------------------------------------- + /** translate a English string * @param $content - English string * @param $lg - language - if not specify = global current language */ -function tra($content, $lg="") { +function tra($content) { global $lang_use_db; global $language; Index: tiki-tc.php =================================================================== RCS file: /cvsroot/tikiwiki/tiki/tiki-tc.php,v retrieving revision 1.4 retrieving revision 1.5 diff -u -d -r1.4 -r1.5 --- tiki-tc.php 28 Mar 2004 07:32:23 -0000 1.4 +++ tiki-tc.php 3 Apr 2004 09:36:49 -0000 1.5 @@ -5,6 +5,16 @@ // Copyright (c) 2002-2004, Luis Argerich, Garland Foster, Eduardo Polidor, et. al. // All Rights Reserved. See copyright.txt for details and a complete list of authors. // Licensed under the GNU LESSER GENERAL PUBLIC LICENSE. See license.txt for details. + +//this script may only be included - so its better to die if called directly. +if (strpos($_SERVER["SCRIPT_NAME"],"comments.php")!=FALSE) { + //smarty is not there - we need setup + require_once('tiki-setup.php'); + $smarty->assign('msg',tra("This script cannot be called directly")); + $smarty->display("error.tpl"); + die; +} + if ($feature_theme_control == 'y') { // defined: $cat_type and cat_objid // search for theme for $cat_type |
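Review bot: `get_unclean()` decodes `$encoded`, which is never assigned — it should decode its `$var` parameter — so every scalar call returns an empty string (with an undefined-variable notice), and `$ret` is also never initialised for an empty array; rewritten below. Next, `varcheck()` runs after `make_clean($_GET)` has already entity-encoded the values, so a page name carrying `"` or `&` becomes `&quot;`/`&amp;` and then dies on the `[^<>\";&#]` class of the `string` pattern — run the type checks before encoding, or accept the entities the encoder produces. `die()` on an unexpected cookie name is also a self-inflicted denial of service, since any other application on the same host can set a cookie whose name fails `$patterns['vars']`; unsetting the offending key (or ignoring `$_COOKIE` names that are not Tiki's) is safer than killing the request. The rebuilt `$_REQUEST = array_merge($_COOKIE, $_POST, $_GET, $_ENV, $_SERVER)` lets a query parameter override a same-named POST field and exposes every `$_SERVER`/`$_ENV` entry as a request variable; `array_merge($_COOKIE, $_GET, $_POST)` keeps cookies lowest without either side effect. Finally, `htmlspecialchars()` without `ENT_QUOTES` leaves `'` intact, so values echoed inside single-quoted attributes remain injectable — this input-side pass is a safety net, and per-context escaping at output is still required; `tra()`'s body continues outside the hunk.

```php
// call this from anywhere to restore a variable passed in $_GET
function get_unclean($var) {
    if ( is_array($var) ) {
        $ret = array();
        foreach ( $var as $key=>$val ) {
            $ret[$key] = get_unclean($val);
        }
    } else {
        // the table must match the flags used in make_clean (no ENT_QUOTES)
        $ret = strtr($var, array_flip(get_html_translation_table(HTML_SPECIALCHARS)));
    }
    return $ret;
}
```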
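Review bot: The new guard tests `$_SERVER["SCRIPT_NAME"]` for the literal `"comments.php"` instead of this file's own name, so a direct request to tiki-tc.php is not caught at all, and the `!=FALSE` comparison would additionally treat a match at offset 0 as no match; the equivalent check in setup_smarty.php in this same commit has the right shape. Use `if (strpos($_SERVER["SCRIPT_NAME"], basename(__FILE__)) !== FALSE) {`. Since the block looks pasted from another file, the other direct-call guards added for this release are worth grepping for the same literal.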