From: <be...@us...> - 2014-11-27 20:16:06
Revision: 12877
http://sourceforge.net/p/xoops/svn/12877
Author: beckmi
Date: 2014-11-27 20:15:53 +0000 (Thu, 27 Nov 2014)
Log Message:
-----------
Adding 2.5.7.1 patch
Modified Paths:
--------------
XoopsCore/branches/2.5.x/2.5.7.1/docs/changelog.250.txt
XoopsCore/branches/2.5.x/2.5.7.1/htdocs/class/uploader.php
XoopsCore/branches/2.5.x/2.5.7.1/htdocs/class/xoopsfilterinput.php
XoopsCore/branches/2.5.x/2.5.7.1/htdocs/class/xoopsrequest.php
XoopsCore/branches/2.5.x/2.5.7.1/htdocs/include/common.php
XoopsCore/branches/2.5.x/2.5.7.1/htdocs/include/version.php
XoopsCore/branches/2.5.x/2.5.7.1/htdocs/kernel/session.php
XoopsCore/branches/2.5.x/2.5.7.1/htdocs/modules/pm/pmlite.php
XoopsCore/branches/2.5.x/2.5.7.1/htdocs/modules/pm/readpmsg.php
XoopsCore/branches/2.5.x/2.5.7.1/htdocs/modules/pm/viewpmsg.php
XoopsCore/branches/2.5.x/2.5.7.1/htdocs/modules/system/admin/modulesadmin/main.php
XoopsCore/branches/2.5.x/2.5.7.1/htdocs/modules/system/themes/default/default.php
XoopsCore/branches/2.5.x/2.5.7.1/htdocs/pmlite.php
XoopsCore/branches/2.5.x/2.5.7.1/htdocs/readpmsg.php
XoopsCore/branches/2.5.x/2.5.7.1/htdocs/viewpmsg.php
XoopsCore/branches/2.5.x/2.5.7.1/release_notes.txt
Modified: XoopsCore/branches/2.5.x/2.5.7.1/docs/changelog.250.txt
===================================================================
--- XoopsCore/branches/2.5.x/2.5.7.1/docs/changelog.250.txt 2014-11-27 19:24:24 UTC (rev 12876)
+++ XoopsCore/branches/2.5.x/2.5.7.1/docs/changelog.250.txt 2014-11-27 20:15:53 UTC (rev 12877)
@@ -1,5 +1,17 @@
XOOPS 2.5.x Changelog (Language changes: see: /docs/lang_diff.txt)
+=================================
+2014/06/14: Version 2.5.7.1 Final
+=================================
+
+This patch for XOOPS 2.5.7 corrects the following issues:
+
+- CSRF and XSS issues reported by Dingjie 'Daniel' Yang of Qualsys
+- XSS and best practice issues reported by Narendra Bhati
+
+All XOOPS 2.5.7 users are advised to apply this patch as soon as possible. Any users that are running an older XOOPS version are advised to update to XOOPS 2.5.7.1 now.
+
+
===============================
2014/06/14: Version 2.5.7 Final
===============================
Modified: XoopsCore/branches/2.5.x/2.5.7.1/htdocs/class/uploader.php
===================================================================
--- XoopsCore/branches/2.5.x/2.5.7.1/htdocs/class/uploader.php 2014-11-27 19:24:24 UTC (rev 12876)
+++ XoopsCore/branches/2.5.x/2.5.7.1/htdocs/class/uploader.php 2014-11-27 20:15:53 UTC (rev 12877)
@@ -9,7 +9,7 @@
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*
- * @copyright The XOOPS Project http://sourceforge.net/projects/xoops/
+ * @copyright (c) 2000-2014 XOOPS Project (www.xoops.org)
* @license GNU GPL 2 (http://www.gnu.org/licenses/old-licenses/gpl-2.0.html)
* @package kernel
* @since 2.0.0
@@ -589,7 +589,7 @@
} else {
$ret = '';
if (count($this->errors) > 0) {
- $ret = '<h4>' . sprintf(_ER_UP_ERRORSRETURNED, $this->mediaName) . '</h4>';
+ $ret = '<h4>' . sprintf(_ER_UP_ERRORSRETURNED, htmlspecialchars($this->mediaName, ENT_QUOTES)) . '</h4>';
foreach ($this->errors as $error) {
$ret .= $error . '<br />';
}
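Review bot: Only `$this->mediaName` is escaped on the changed line; the `$error` strings concatenated in the foreach directly below still go into the HTML unescaped, so if any of them embed request-derived values (a client-supplied filename or MIME type, for instance) the same XSS shape remains there — verify how `$this->errors` is populated. Pass the charset explicitly as well, `htmlspecialchars($this->mediaName, ENT_QUOTES, 'UTF-8')`, so the escaping does not depend on the host's default charset. The enclosing method starts and ends outside the hunk.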
Modified: XoopsCore/branches/2.5.x/2.5.7.1/htdocs/class/xoopsfilterinput.php
===================================================================
--- XoopsCore/branches/2.5.x/2.5.7.1/htdocs/class/xoopsfilterinput.php 2014-11-27 19:24:24 UTC (rev 12876)
+++ XoopsCore/branches/2.5.x/2.5.7.1/htdocs/class/xoopsfilterinput.php 2014-11-27 20:15:53 UTC (rev 12877)
@@ -13,7 +13,7 @@
* XoopsFilterInput is a class for filtering input from any data source
*
* Forked from the php input filter library by Daniel Morris
- *
+ *
* Original Contributors: Gianpaolo Racca, Ghislain Picard,
* Marco Wandschneider, Chris Tobin and Andrew Eddie.
*
@@ -26,7 +26,7 @@
* @author Richard Griffith <ri...@ge...>
* @copyright 2005 Daniel Morris
* @copyright 2005 - 2013 Open Source Matters, Inc. All rights reserved.
- * @copyright 2011-2013 The XOOPS Project http://sourceforge.net/projects/xoops/
+ * @copyright 2011-2014 The XOOPS Project http://sourceforge.net/projects/xoops/
* @license GNU GPL 2 or later (http://www.gnu.org/licenses/gpl-2.0.html)
* @version Release: 1.0
* @link http://xoops.org
@@ -66,10 +66,10 @@
$xssAuto = 1
) {
// make sure user defined arrays are in lowercase
- for ($i = 0; $i < count($tagsArray); $i++) {
+ for ($i = 0; $i < count($tagsArray); ++$i) {
$tagsArray[$i] = strtolower($tagsArray[$i]);
}
- for ($i = 0; $i < count($attrArray); $i++) {
+ for ($i = 0; $i < count($attrArray); ++$i) {
$attrArray[$i] = strtolower($attrArray[$i]);
}
// assign to member vars
@@ -121,11 +121,11 @@
}
/**
- * Method to be called by another php script. Processes for XSS and
+ * Method to be called by another php script. Processes for XSS and
* any specified bad code.
*
* @param Mixed $source - input string/array-of-string to be 'cleaned'
- *
+ *
* @return String $source - 'cleaned' version of input parameter
*/
public function process($source)
@@ -258,7 +258,7 @@
* Internal method to iteratively remove all unwanted tags and attributes
*
* @param String $source - input string to be 'cleaned'
- *
+ *
* @return String $source - 'cleaned' version of input parameter
*/
protected function remove($source)
@@ -267,7 +267,7 @@
// provides nested-tag protection
while ($source != $this->filterTags($source)) {
$source = $this->filterTags($source);
- $loopCounter++;
+ ++$loopCounter;
}
return $source;
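Review bot: `$loopCounter` is incremented on the changed line but nothing in the hunk reads it, so the `while ($source != $this->filterTags($source))` loop has no visible upper bound; if the counter is also unused outside the hunk it should either cap the iterations (`if (++$loopCounter > $maxLoops) { break; }`, with `$maxLoops` a constructed name for a sensible constant) or be removed as dead code. The comparison should also be `!==`, since `!=` between two strings still applies numeric-string rules. The method `remove()` begins before the hunk.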
@@ -275,9 +275,9 @@
/**
* Internal method to strip a string of certain tags
- *
+ *
* @param String $source - input string to be 'cleaned'
- *
+ *
* @return String $source - 'cleaned' version of input parameter
*/
protected function filterTags($source)
@@ -355,7 +355,7 @@
$attr = substr($fromSpace, 0, $nextSpace);
}
// one or neither exist
-
+
} else {
// no more equals exist
$attr = substr($fromSpace, 0, $nextSpace);
@@ -378,7 +378,7 @@
if (!$isCloseTag) {
$attrSet = $this->filterAttr($attrSet);
$preTag .= '<' . $tagName;
- for ($i = 0; $i < count($attrSet); $i++) {
+ for ($i = 0; $i < count($attrSet); ++$i) {
$preTag .= ' ' . $attrSet[$i];
}
// reformat single tags to XHTML
@@ -406,14 +406,14 @@
* Internal method to strip a tag of certain attributes
*
* @param array $attrSet attributes
- *
+ *
* @return Array $newSet stripped attributes
*/
protected function filterAttr($attrSet)
{
$newSet = array();
// process attributes
- for ($i = 0; $i <count($attrSet); $i++) {
+ for ($i = 0; $i <count($attrSet); ++$i) {
// skip blank spaces in tag
if (!$attrSet[$i]) {
continue;
@@ -483,7 +483,7 @@
* Try to convert to plaintext
*
* @param String $source string to decode
- *
+ *
* @return String $source decoded
*/
protected function decode($source)
Modified: XoopsCore/branches/2.5.x/2.5.7.1/htdocs/class/xoopsrequest.php
===================================================================
--- XoopsCore/branches/2.5.x/2.5.7.1/htdocs/class/xoopsrequest.php 2014-11-27 19:24:24 UTC (rev 12876)
+++ XoopsCore/branches/2.5.x/2.5.7.1/htdocs/class/xoopsrequest.php 2014-11-27 20:15:53 UTC (rev 12877)
@@ -21,7 +21,7 @@
* @author Richard Griffith <ri...@ge...>
* @author trabis <lus...@gm...>
* @author Joomla!
- * @copyright 2011-2013 The XOOPS Project http://sourceforge.net/projects/xoops/
+ * @copyright (c) 2000-2014 XOOPS Project (www.xoops.org)
* @license GNU GPL 2 or later (http://www.gnu.org/licenses/old-licenses/gpl-2.0.html)
* @version Release: 1.0
* @link http://xoops.org
@@ -429,6 +429,11 @@
$var = trim($var);
}
+ // convert $var in array if $type is ARRAY
+ if (strtoupper($type) == 'ARRAY' && !is_array($var)) {
+ $var = array($var);
+ }
+
// Now we handle input filtering
if ($mask & 2) {
// If the allow raw flag is set, do not modify the variable
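Review bot: The new wrap at `$var = array($var);` runs on whatever `$var` holds at this point, including a `null` or the caller's default when the key was absent, so a missing ARRAY parameter may come back as `array(null)` rather than the default — confirm that the not-found path returns before this block, or guard the wrap with `&& $var !== null`. The `strtoupper($type) == 'ARRAY'` test is fine for strings, but `===` keeps it out of loose-comparison rules entirely. The enclosing method starts and ends outside the hunk.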
Modified: XoopsCore/branches/2.5.x/2.5.7.1/htdocs/include/common.php
===================================================================
--- XoopsCore/branches/2.5.x/2.5.7.1/htdocs/include/common.php 2014-11-27 19:24:24 UTC (rev 12876)
+++ XoopsCore/branches/2.5.x/2.5.7.1/htdocs/include/common.php 2014-11-27 20:15:53 UTC (rev 12877)
@@ -9,7 +9,7 @@
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*
- * @copyright The XOOPS Project http://sourceforge.net/projects/xoops/
+ * @copyright (c) 2000-2014 XOOPS Project (www.xoops.org)
* @license GNU GPL 2 (http://www.gnu.org/licenses/old-licenses/gpl-2.0.html)
* @package kernel
* @version $Id$
@@ -130,6 +130,14 @@
trigger_error('File Path Error: ' . 'var/configs/xoopsconfig.php' . ' does not exist.');
}
+/**
+ * clickjack protection - Add option to HTTP header restrictig using site in an iframe
+ */
+$xFrameOptions = isset($xoopsConfig['xFrameOptions']) ? $xoopsConfig['xFrameOptions'] : 'sameorigin';
+if (!headers_sent() && !empty($xFrameOptions)) {
+ header('X-Frame-Options: ' .$xFrameOptions);
+}
+
//check if user set a local timezone (from XavierS)
// $xoops_server_timezone="Etc/GMT";
// if ($xoopsConfig["server_TZ"]>0) {
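Review bot: The value sent at `header('X-Frame-Options: ' .$xFrameOptions);` comes verbatim from `$xoopsConfig['xFrameOptions']` with no validation, and browsers ignore the header entirely when its value is not `DENY`, `SAMEORIGIN` or `ALLOW-FROM <uri>`, so a misspelled config value silently disables the clickjacking protection this hunk introduces. Normalise and whitelist before sending: `$xFrameOptions = strtoupper(trim($xFrameOptions));` and `if (!headers_sent() && in_array($xFrameOptions, array('DENY', 'SAMEORIGIN'), true)) {`, with `ALLOW-FROM` handled separately if it is meant to be supported. The docblock also has a typo, `restrictig` → `restricting`.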
Modified: XoopsCore/branches/2.5.x/2.5.7.1/htdocs/include/version.php
===================================================================
--- XoopsCore/branches/2.5.x/2.5.7.1/htdocs/include/version.php 2014-11-27 19:24:24 UTC (rev 12876)
+++ XoopsCore/branches/2.5.x/2.5.7.1/htdocs/include/version.php 2014-11-27 20:15:53 UTC (rev 12877)
@@ -30,4 +30,4 @@
/**
* Define XOOPS version
*/
-define('XOOPS_VERSION', 'XOOPS 2.5.7');
+define('XOOPS_VERSION', 'XOOPS 2.5.7.1');
Modified: XoopsCore/branches/2.5.x/2.5.7.1/htdocs/kernel/session.php
===================================================================
--- XoopsCore/branches/2.5.x/2.5.7.1/htdocs/kernel/session.php 2014-11-27 19:24:24 UTC (rev 12876)
+++ XoopsCore/branches/2.5.x/2.5.7.1/htdocs/kernel/session.php 2014-11-27 20:15:53 UTC (rev 12877)
@@ -9,7 +9,7 @@
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*
- * @copyright The XOOPS Project http://sourceforge.net/projects/xoops/
+ * @copyright (c) 2000-2014 XOOPS Project (www.xoops.org)
* @license GNU GPL 2 (http://www.gnu.org/licenses/old-licenses/gpl-2.0.html)
* @package kernel
* @since 2.0.0
@@ -26,7 +26,7 @@
*
* @author Kazumi Ono <on...@xo...>
* @author Taiwen Jiang <ph...@us...>
- * @copyright copyright (c) The XOOPS project XOOPS.org
+ * @copyright (c) 2000-2014 XOOPS Project (www.xoops.org)
*/
class XoopsSessionHandler
{
@@ -255,6 +255,6 @@
$session_name = ($xoopsConfig['use_mysession'] && $xoopsConfig['session_name'] != '') ? $xoopsConfig['session_name'] : session_name();
$session_expire = !is_null($expire) ? intval($expire) : (($xoopsConfig['use_mysession'] && $xoopsConfig['session_name'] != '') ? $xoopsConfig['session_expire'] * 60 : ini_get("session.cookie_lifetime"));
$session_id = empty($sess_id) ? session_id() : $sess_id;
- setcookie($session_name, $session_id, $session_expire ? time() + $session_expire : 0, '/', XOOPS_COOKIE_DOMAIN, 0);
+ setcookie($session_name, $session_id, $session_expire ? time() + $session_expire : 0, '/', XOOPS_COOKIE_DOMAIN, false, true);
}
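Review bot: The new `setcookie(...)` call hard-codes the `secure` flag to `false` while adding `httponly`, so on an HTTPS site the session cookie is still sent over plain-HTTP requests to the same host. Derive the flag from the request instead, e.g. `$secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';` and pass `$secure` in place of `false` (or take it from site configuration if such a setting exists). The enclosing method begins before the hunk.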
}
Modified: XoopsCore/branches/2.5.x/2.5.7.1/htdocs/modules/pm/pmlite.php
===================================================================
--- XoopsCore/branches/2.5.x/2.5.7.1/htdocs/modules/pm/pmlite.php 2014-11-27 19:24:24 UTC (rev 12876)
+++ XoopsCore/branches/2.5.x/2.5.7.1/htdocs/modules/pm/pmlite.php 2014-11-27 20:15:53 UTC (rev 12877)
@@ -9,7 +9,7 @@
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*
- * @copyright The XOOPS Project http://sourceforge.net/projects/xoops/
+ * @copyright (c) 2000-2014 XOOPS Project (www.xoops.org)
* @license GNU GPL 2 (http://www.gnu.org/licenses/old-licenses/gpl-2.0.html)
* @package pm
* @since 2.3.0
@@ -19,27 +19,33 @@
*/
if (!defined('XOOPS_MAINFILE_INCLUDED')) {
- include_once dirname(dirname(dirname(__FILE__))) . DIRECTORY_SEPARATOR . 'mainfile.php';
+ include_once dirname(dirname(__DIR__)) . DIRECTORY_SEPARATOR . 'mainfile.php';
} else {
chdir(XOOPS_ROOT_PATH . '/modules/pm/');
xoops_loadLanguage('main', 'pm');
}
-$reply = !empty($_GET['reply']) ? 1 : 0;
-$send = !empty($_GET['send']) ? 1 : 0;
-$send2 = !empty($_GET['send2']) ? 1 : 0;
-$sendmod = !empty($_POST['sendmod']) ? 1 : 0; // send from other modules with post data
-$to_userid = isset($_GET['to_userid']) ? intval($_GET['to_userid']) : 0;
-$msg_id = isset($_GET['msg_id']) ? intval($_GET['msg_id']) : 0;
+XoopsLoad::load('XoopsRequest');
-if (empty($_GET['refresh']) && isset($_POST['op']) && $_POST['op'] != "submit") {
+$subject_icons = XoopsLists::getSubjectsList();
+
+$op = XoopsRequest::getCmd('op', '', 'POST');
+
+$reply = XoopsRequest::getBool('reply', 0, 'GET');
+$send = XoopsRequest::getBool('send', 0, 'GET');
+$send2 = XoopsRequest::getBool('send2', 0, 'GET');
+$sendmod = XoopsRequest::getBool('sendmod', 0, 'POST'); // send from other modules with post data
+$to_userid = XoopsRequest::getInt('to_userid', 0, 'GET');
+$msg_id = XoopsRequest::getInt('msg_id', 0, 'GET');
+
+if (empty($_GET['refresh']) && $op != "submit") {
$jump = "pmlite.php?refresh=" . time();
if ($send == 1) {
- $jump .= "&send={$send}";
- } else if ($send2 == 1) {
- $jump .= "&send2={$send2}&to_userid={$to_userid}";
- } else if ($reply == 1) {
- $jump .= "&reply={$reply}&msg_id={$msg_id}";
+ $jump .= "&send={$send}";
+ } elseif ($send2 == 1) {
+ $jump .= "&send2={$send2}&to_userid={$to_userid}";
+ } elseif ($reply == 1) {
+ $jump .= "&reply={$reply}&msg_id={$msg_id}";
} else {
}
header('location: ' . $jump);
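Review bot: The redirect guard `if (empty($_GET['refresh']) && $op != "submit")` still reads the raw superglobal while every other input in this hunk now goes through `XoopsRequest`; `XoopsRequest::getInt('refresh', 0, 'GET')` would keep the access style uniform with the same truthiness check. The trailing `} else { }` branch is empty and can be dropped. The `getBool()` calls are given `0` as their default where a `false` literal would match the boolean the method name implies.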
@@ -53,28 +59,26 @@
xoops_header();
$myts =& MyTextSanitizer::getInstance();
-if (isset($_POST['op']) && $_POST['op'] == "submit") {
+if ($op == "submit") {
$member_handler =& xoops_gethandler('member');
- $count = $member_handler->getUserCount(new Criteria('uid', intval($_POST['to_userid'])));
+ $count = $member_handler->getUserCount(new Criteria('uid', XoopsRequest::getInt('to_userid', 0, 'POST')));
if ($count != 1) {
echo "<br /><br /><div><h4>"._PM_USERNOEXIST."<br />";
echo _PM_PLZTRYAGAIN."</h4><br />";
echo "[ <a href='javascript:history.go(-1)'>"._PM_GOBACK."</a> ]</div>";
- } else if ($GLOBALS['xoopsSecurity']->check()) {
+ } elseif ($GLOBALS['xoopsSecurity']->check()) {
$pm_handler =& xoops_getModuleHandler('message', 'pm');
$pm =& $pm_handler->create();
$pm->setVar("msg_time", time());
-//------------------ mamba
-if (isset($_POST['icon'])) {
- $pm->setVar("msg_image", $_POST['icon']);
+ $msg_image = XoopsRequest::getCmd('icon', null, 'POST');
+ if (in_array($msg_image, $subject_icons)) {
+ $pm->setVar("msg_image", $msg_image);
}
- //else $pm->setVar("msg_image", 'icon1.gif');
-//----------------- mamba
- $pm->setVar("subject", $_POST['subject']);
- $pm->setVar("msg_text", $_POST['message']);
- $pm->setVar("to_userid", $_POST['to_userid']);
+ $pm->setVar("subject", XoopsRequest::getString('subject', null, 'POST'));
+ $pm->setVar("msg_text", XoopsRequest::getString('message', null, 'POST'));
+ $pm->setVar("to_userid", XoopsRequest::getInt('to_userid', 0, 'POST'));
$pm->setVar("from_userid", $GLOBALS['xoopsUser']->getVar("uid"));
- if (isset($_REQUEST['savecopy']) && $_REQUEST['savecopy'] == 1) {
+ if (XoopsRequest::getBool('savecopy', 0)) {
//PMs are by default not saved in outbox
$pm->setVar('from_delete', 0);
}
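Review bot: The CSRF token check `$GLOBALS['xoopsSecurity']->check()` is only reached in the `elseif` after `getUserCount()` has already queried the submitted `to_userid`, so a forged POST still does database work and receives a distinct response before being rejected; the token check should be the first gate of the `submit` branch, with the user-existence check nested inside it. The icon whitelist at `in_array($msg_image, $subject_icons)` should pass `true` as the third argument so a non-string value cannot loosely match an entry. `getString('subject', null, 'POST')` also hands a `null` default to `setVar` when the field is missing — an empty-string default is safer unless `setVar` is known to accept `null`.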
@@ -91,14 +95,14 @@
echo "<br /><a href=\"javascript:window.close();\">"._PM_ORCLOSEWINDOW."</a>";
}
-} else if ($reply == 1 || $send == 1 || $send2 == 1 || $sendmod == 1) {
+} elseif ($reply == 1 || $send == 1 || $send2 == 1 || $sendmod == 1) {
if ($reply == 1) {
$pm_handler =& xoops_getModuleHandler('message', 'pm');
$pm =& $pm_handler->get($msg_id);
if ($pm->getVar("to_userid") == $GLOBALS['xoopsUser']->getVar('uid')) {
$pm_uname = XoopsUser::getUnameFromId($pm->getVar("from_userid"));
$message = "[quote]\n";
- $message .= sprintf(_PM_USERWROTE , $pm_uname);
+ $message .= sprintf(_PM_USERWROTE, $pm_uname);
$message .= "\n" . $pm->getVar("msg_text", "E") . "\n[/quote]";
} else {
unset($pm);
@@ -118,11 +122,11 @@
}
$GLOBALS['xoopsTpl']->assign('to_username', $pm_uname);
$pmform->addElement(new XoopsFormHidden('to_userid', $pm->getVar("from_userid")));
- } else if ($sendmod == 1) {
- $GLOBALS['xoopsTpl']->assign('to_username', XoopsUser::getUnameFromId($_POST["to_userid"]));
- $pmform->addElement(new XoopsFormHidden('to_userid', intval($_POST["to_userid"])));
- $subject = $myts->htmlSpecialChars($myts->stripSlashesGPC($_POST['subject']));
- $message = $myts->htmlSpecialChars($myts->stripSlashesGPC($_POST['message']));
+ } elseif ($sendmod == 1) {
+ $GLOBALS['xoopsTpl']->assign('to_username', XoopsUser::getUnameFromId(XoopsRequest::getInt("to_userid", 0, 'POST')));
+ $pmform->addElement(new XoopsFormHidden('to_userid', XoopsRequest::getInt("to_userid", 0, 'POST')));
+ $subject = $myts->htmlSpecialChars(XoopsRequest::getString('subject', '', 'POST'));
+ $message = $myts->htmlSpecialChars(XoopsRequest::getString('message', '', 'POST'));
} else {
if ($send2 == 1) {
$GLOBALS['xoopsTpl']->assign('to_username', XoopsUser::getUnameFromId($to_userid, false));
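Review bot: `XoopsRequest::getInt("to_userid", 0, 'POST')` is evaluated twice in the new `sendmod` branch; hoist it into a local, e.g. `$sendmod_uid = XoopsRequest::getInt('to_userid', 0, 'POST');`, and use it in both the `assign()` and the `XoopsFormHidden` call so the two cannot diverge. The subject and message now pass through `XoopsRequest::getString()` and then `$myts->htmlSpecialChars()`; if the request filter already escapes entities, the prefilled form will double-encode them — worth confirming against `XoopsFilterInput`.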
@@ -136,19 +140,11 @@
}
$pmform->addElement(new XoopsFormText('', 'subject', 30, 100, $subject), true);
-//----------------------------- mamba
- $msg_image='';
- $icons_radio = new XoopsFormRadio(_MESSAGEICON, 'msg_image', $msg_image);
- $subject_icons = XoopsLists::getSubjectsList();
- // foreach ($subject_icons as $iconfile) {
- // $icons_radio->addOption($iconfile, '<img src="' . XOOPS_URL . '/images/subject/' . $iconfile . '" alt="" />');
- // }
- // $pmform->addElement($icons_radio, true);
+ $msg_image='';
+ $icons_radio = new XoopsFormRadio(_MESSAGEICON, 'msg_image', $msg_image);
+ //$subject_icons = XoopsLists::getSubjectsList();
+ $xoopsTpl->assign('radio_icons', $subject_icons);
- $xoopsTpl->assign('radio_icons', $subject_icons);
-//------------------------------- mamba
-
-
$pmform->addElement(new XoopsFormDhtmlTextArea('', 'message', $message, 8, 37), true);
$pmform->addElement(new XoopsFormRadioYN('', 'savecopy', 0));
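Review bot: `$icons_radio` is constructed on the new side but never added to `$pmform` or otherwise referenced in the hunk (the old code had the `addElement` commented out), so `$msg_image='';` and `$icons_radio = new XoopsFormRadio(...)` are dead unless something after the hunk uses them; either attach the element or drop those lines together with the commented-out `getSubjectsList()` call. The template assignment uses `$xoopsTpl` here while the surrounding code uses `$GLOBALS['xoopsTpl']` — pick one. The enclosing else-branch continues past the hunk.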
Modified: XoopsCore/branches/2.5.x/2.5.7.1/htdocs/modules/pm/readpmsg.php
===================================================================
--- XoopsCore/branches/2.5.x/2.5.7.1/htdocs/modules/pm/readpmsg.php 2014-11-27 19:24:24 UTC (rev 12876)
+++ XoopsCore/branches/2.5.x/2.5.7.1/htdocs/modules/pm/readpmsg.php 2014-11-27 20:15:53 UTC (rev 12877)
@@ -9,7 +9,7 @@
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*
- * @copyright The XOOPS Project http://sourceforge.net/projects/xoops/
+ * @copyright (c) 2000-2014 XOOPS Project (www.xoops.org)
* @license GNU GPL 2 (http://www.gnu.org/licenses/old-licenses/gpl-2.0.html)
* @package pm
* @since 2.3.0
@@ -18,7 +18,7 @@
* @version $Id$
*/
-include_once dirname(dirname(dirname(__FILE__))) . DIRECTORY_SEPARATOR . 'mainfile.php';
+include_once dirname(dirname(__DIR__)) . DIRECTORY_SEPARATOR . 'mainfile.php';
if (!is_object($GLOBALS['xoopsUser'])) {
redirect_header(XOOPS_URL, 3, _NOPERM);
@@ -36,12 +36,12 @@
if (is_object($pm) && ($pm->getVar('from_userid') != $GLOBALS['xoopsUser']->getVar('uid'))
&& ($pm->getVar('to_userid') != $GLOBALS['xoopsUser']->getVar('uid'))
-){
+) {
redirect_header(XOOPS_URL . '/modules/' . $GLOBALS['xoopsModule']->getVar("dirname", "n") . '/index.php', 2, _NOPERM);
exit();
}
-if (is_object($pm) && !empty($_POST['action']) ) {
+if (is_object($pm) && !empty($_POST['action'])) {
if (!$GLOBALS['xoopsSecurity']->check()) {
echo implode('<br />', $GLOBALS['xoopsSecurity']->getErrors());
exit();
@@ -49,7 +49,7 @@
$res = false;
if (!empty($_REQUEST['email_message'])) {
$res = $pm_handler->sendEmail($pm, $GLOBALS['xoopsUser']);
- } else if (!empty($_REQUEST['move_message'])
+ } elseif (!empty($_REQUEST['move_message'])
&& $_REQUEST['op'] != 'save'
&& !$GLOBALS['xoopsUser']->isAdmin()
&& $pm_handler->getSavecount() >= $GLOBALS['xoopsModuleConfig']['max_save']
@@ -58,10 +58,12 @@
} else {
switch ($_REQUEST['op']) {
case 'out':
- if ($pm->getVar('from_userid') != $GLOBALS['xoopsUser']->getVar('uid')) break;
+ if ($pm->getVar('from_userid') != $GLOBALS['xoopsUser']->getVar('uid')) {
+ break;
+ }
if (!empty($_REQUEST['delete_message'])) {
$res = $pm_handler->setFromdelete($pm);
- } else if (!empty($_REQUEST['move_message'])) {
+ } elseif (!empty($_REQUEST['move_message'])) {
$res = $pm_handler->setFromsave($pm);
}
break;
@@ -70,7 +72,7 @@
if (!empty($_REQUEST['delete_message'])) {
$res1 = $pm_handler->setTodelete($pm);
$res1 = ($res1) ? $pm_handler->setTosave($pm, 0) : false;
- } else if (!empty($_REQUEST['move_message'])) {
+ } elseif (!empty($_REQUEST['move_message'])) {
$res1 = $pm_handler->setTosave($pm, 0);
}
}
@@ -78,7 +80,7 @@
if (!empty($_REQUEST['delete_message'])) {
$res2 = $pm_handler->setFromDelete($pm);
$res2 = ($res2) ? $pm_handler->setFromsave($pm, 0) : false;
- } else if (!empty($_REQUEST['move_message'])) {
+ } elseif (!empty($_REQUEST['move_message'])) {
$res2 = $pm_handler->setFromsave($pm, 0);
}
}
@@ -92,14 +94,14 @@
}
if (!empty($_REQUEST['delete_message'])) {
$res = $pm_handler->setTodelete($pm);
- } else if (!empty($_REQUEST['move_message'])) {
+ } elseif (!empty($_REQUEST['move_message'])) {
$res = $pm_handler->setTosave($pm);
}
break;
}
}
$res_message = isset($res_message) ? $res_message : (($res) ? _PM_ACTION_DONE : _PM_ACTION_ERROR);
- redirect_header('viewpmsg.php?op=' . htmlspecialchars($_REQUEST['op'] ) , 2, $res_message);
+ redirect_header('viewpmsg.php?op=' . htmlspecialchars($_REQUEST['op']), 2, $res_message);
}
$start = !empty($_GET['start']) ? intval($_GET['start']) : 0;
$total_messages = !empty($_GET['total_messages']) ? intval($_GET['total_messages']) : 0;
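Review bot: `htmlspecialchars($_REQUEST['op'])` on the redirect line escapes for an HTML context, but the value is being placed in a URL query string, so the context-correct treatment is `rawurlencode()` or, better, validating `op` against the values the `switch` above accepts (`out` and `save` are visible in this file) and substituting a default otherwise. That validation would also cover the raw `$_REQUEST['op']` comparisons elsewhere in the file. The enclosing `if` block begins before the hunk.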
@@ -111,10 +113,10 @@
$criteria = new CriteriaCompo(new Criteria('from_delete', 0));
$criteria->add(new Criteria('from_userid', $GLOBALS['xoopsUser']->getVar('uid')));
$criteria->add(new Criteria('from_save', 0));
- } else if ($_REQUEST['op'] == "save") {
+ } elseif ($_REQUEST['op'] == "save") {
$crit_to = new CriteriaCompo(new Criteria('to_delete', 0));
$crit_to->add(new Criteria('to_save', 1));
- $crit_to->add(new Criteria('to_userid',$GLOBALS['xoopsUser']->getVar('uid')));
+ $crit_to->add(new Criteria('to_userid', $GLOBALS['xoopsUser']->getVar('uid')));
$crit_from = new CriteriaCompo(new Criteria('from_delete', 0));
$crit_from->add(new Criteria('from_save', 1));
$crit_from->add(new Criteria('from_userid', $GLOBALS['xoopsUser']->getVar('uid')));
@@ -139,7 +141,7 @@
if (is_object($pm) && !empty($pm)) {
if ($pm->getVar('from_userid') != $GLOBALS['xoopsUser']->getVar('uid')) {
$reply_button = new XoopsFormButton('', 'send', _PM_REPLY);
- $reply_button->setExtra("onclick='javascript:openWithSelfMain(\"" . XOOPS_URL . "/modules/pm/pmlite.php?reply=1&msg_id=".$pm->getVar("msg_id")."\", \"pmlite\", 565,500);'");
+ $reply_button->setExtra("onclick='javascript:openWithSelfMain(\"" . XOOPS_URL . "/modules/pm/pmlite.php?reply=1&msg_id=".$pm->getVar("msg_id")."\", \"pmlite\", 565,500);'");
$pmform->addElement($reply_button);
}
$pmform->addElement(new XoopsFormButton('', 'delete_message', _PM_DELETE, 'submit'));
@@ -168,6 +170,7 @@
$message = $pm->getValues();
$message['msg_time'] = formatTimestamp($pm->getVar("msg_time"));
+ $message['msg_image'] = htmlspecialchars($message['msg_image'], ENT_QUOTES);
}
$GLOBALS['xoopsTpl']->assign('message', $message);
$GLOBALS['xoopsTpl']->assign('op', $_REQUEST['op']);
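Review bot: The new `htmlspecialchars($message['msg_image'], ENT_QUOTES)` line escapes the stored icon name, but two lines later `$_REQUEST['op']` is assigned to the template raw; unless the template escapes it on output (Smarty does not by default), a crafted `op` is reflected into the page. Apply the same treatment, `htmlspecialchars($_REQUEST['op'], ENT_QUOTES, 'UTF-8')`, or assign a value validated against the known ops instead of the raw request. Passing `'UTF-8'` explicitly on the added line also avoids depending on the host's default charset.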
Modified: XoopsCore/branches/2.5.x/2.5.7.1/htdocs/modules/pm/viewpmsg.php
===================================================================
--- XoopsCore/branches/2.5.x/2.5.7.1/htdocs/modules/pm/viewpmsg.php 2014-11-27 19:24:24 UTC (rev 12876)
+++ XoopsCore/branches/2.5.x/2.5.7.1/htdocs/modules/pm/viewpmsg.php 2014-11-27 20:15:53 UTC (rev 12877)
@@ -9,7 +9,7 @@
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*
- * @copyright The XOOPS Project http://sourceforge.net/projects/xoops/
+ * @copyright (c) 2000-2014 XOOPS Project (www.xoops.org)
* @license GNU GPL 2 (http://www.gnu.org/licenses/old-licenses/gpl-2.0.html)
* @package pm
* @since 2.3.0
@@ -18,7 +18,7 @@
* @version $Id$
*/
-include_once dirname(dirname(dirname(__FILE__))) . DIRECTORY_SEPARATOR . 'mainfile.php';
+include_once dirname(dirname(__DIR__)) . DIRECTORY_SEPARATOR . 'mainfile.php';
if (!is_object($GLOBALS['xoopsUser'])) {
redirect_header(XOOPS_URL, 3, _NOPERM);
@@ -34,15 +34,15 @@
$start = empty($_REQUEST["start"]) ? 0 : intval($_REQUEST["start"]);
$pm_handler =& xoops_getModuleHandler('message');
-if (isset($_POST['delete_messages']) && isset($_POST['msg_id'])) {
+if (isset($_POST['delete_messages']) && (isset($_POST['msg_id']) || isset($_POST['msg_ids']))) {
if (!$GLOBALS['xoopsSecurity']->check()) {
$GLOBALS['xoopsTpl']->assign('errormsg', implode('<br />', $GLOBALS['xoopsSecurity']->getErrors()));
- } else if (empty($_REQUEST['ok'])) {
- xoops_confirm(array('ok' => 1, 'delete_messages' => 1, 'op' => $_REQUEST['op'], 'msg_id'=> json_encode(array_map("intval", $_POST['msg_id']))), $_SERVER['REQUEST_URI'], _PM_SURE_TO_DELETE);
+ } elseif (empty($_REQUEST['ok'])) {
+ xoops_confirm(array('ok' => 1, 'delete_messages' => 1, 'op' => $_REQUEST['op'], 'msg_ids'=> json_encode(array_map("intval", $_POST['msg_id']))), $_SERVER['REQUEST_URI'], _PM_SURE_TO_DELETE);
include $GLOBALS['xoops']->path('footer.php');
exit();
} else {
- $clean_msg_id = json_decode($_POST['msg_id'], true, 2);
+ $clean_msg_id = json_decode($_POST['msg_ids'], true, 2);
if (!empty($clean_msg_id)) {
$clean_msg_id = array_map("intval", $clean_msg_id);
}
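Review bot: The condition now accepts a POST that carries only `msg_ids`, but the confirm branch still reads `$_POST['msg_id']` and the delete branch reads `$_POST['msg_ids']` unconditionally, so a request with only one of the two hits an undefined index and `array_map()` / `json_decode()` receive `null`. Guard the decoded value with a type check rather than `!empty()`, since a JSON scalar such as `"5"` would otherwise reach `array_map("intval", ...)` as a non-array: `$clean_msg_id = isset($_POST['msg_ids']) ? json_decode($_POST['msg_ids'], true, 2) : null;` followed by `if (is_array($clean_msg_id)) {`. The same `is_array` check belongs on `$_POST['msg_id']` in the confirm branch. The enclosing `if` block continues past the hunk.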
@@ -52,7 +52,7 @@
$pm =& $pm_handler->get($msg[$i]);
if ($pm->getVar('to_userid') == $GLOBALS['xoopsUser']->getVar('uid')) {
$pm_handler->setTodelete($pm);
- } else if ($pm->getVar('from_userid') == $GLOBALS['xoopsUser']->getVar('uid')) {
+ } elseif ($pm->getVar('from_userid') == $GLOBALS['xoopsUser']->getVar('uid')) {
$pm_handler->setFromdelete($pm);
}
unset($pm);
@@ -63,7 +63,7 @@
if (isset($_POST['move_messages']) && isset($_POST['msg_id'])) {
if (!$GLOBALS['xoopsSecurity']->check()) {
$GLOBALS['xoopsTpl']->assign('errormsg', implode('<br />', $GLOBALS['xoopsSecurity']->getErrors()));
- } else{
+ } else {
$size = count($_POST['msg_id']);
$msg = $_POST['msg_id'];
if ($_POST['op'] == 'save') {
@@ -71,7 +71,7 @@
$pm =& $pm_handler->get($msg[$i]);
if ($pm->getVar('to_userid') == $GLOBALS['xoopsUser']->getVar('uid')) {
$pm_handler->setTosave($pm, 0);
- } else if ($pm->getVar('from_userid') == $GLOBALS['xoopsUser']->getVar('uid')) {
+ ...