Changeset 2742:8382f97c65e2

Timestamp:

08/27/14 23:23:43 (11 years ago)

Author:

franck <carnet.franck.paul@…>

Branch:

default

Parents:

2741:014e6f1fedce (diff), 2735:7483b223ed79 (diff)
Note: this is a merge changeset, the changes displayed below correspond to the merge itself.
Use the (diff) links above to see all the changes relative to each parent.

Message:

Backport bugfix from 2.6 branch to default branch

Files:

• .hgsubstate (modified) (1 diff)
• .hgtags (modified) (1 diff)
• .hgtags (modified) (1 diff)
• CHANGELOG (modified) (1 diff)
• CHANGELOG (modified) (1 diff)
• admin/search.php (modified) (5 diffs)
• admin/search.php (modified) (2 diffs)
• inc/prepend.php (modified) (3 diffs)

.hgsubstate

@@ -1 @@
-187bfdeb25f8169132d5fd4e7a6dd5948abe7a21 inc/libs/clearbricks
+db7d5fa1b5fbf48444f782857a53091aadf24c68 inc/libs/clearbricks

.hgtags

@@ -19 +19 @@
 185f7650c1d86e4a5680c2d3b1da5628253091f5 2.6.1
 1f8978ee39fc70bf9a6c345cf3b550722b819173 2.6.2
+121f94747a10af7f58a88c00537eafc4e0d29685 2.6.3
 80d565483595acca5b1d9e149aa8a2a9fe5983a6 2.6.4

.hgtags

@@ -20 +20 @@
 1f8978ee39fc70bf9a6c345cf3b550722b819173 2.6.2
 121f94747a10af7f58a88c00537eafc4e0d29685 2.6.3
+80d565483595acca5b1d9e149aa8a2a9fe5983a6 2.6.4

CHANGELOG

@@ -6 +6 @@
 Dotclear 2.6.3 - 2014-05-16
 ===========================================================
-* Security fix: Strenghened xmlrpc auth. Thanks to Egidio Romano
-* Security fix: Strenghened categories ordering. Thanks to Egidio Romano
+* Security fix: Strengthened xmlrpc auth. Thanks to Egidio Romano
+* Security fix: Strengthened categories ordering. Thanks to Egidio Romano
 
 Dotclear 2.6.2 - 2014-01-20

CHANGELOG

@@ +1 @@
+Dotclear 2.6.4 - 2014-08-18
+===========================================================
+* Security fix: Sanitize search request. Thanks to Takayuki Uchiyama
+* Security fix: Strenghened xmlrpc (see http://www.breaksec.com/?p=6362)
+
 Dotclear 2.6.3 - 2014-05-16
 ===========================================================

admin/search.php

@@ -72 +72 @@
 
 if ($qtype == 'p') {
-     $posts_actions_page = new dcPostsActionsPage($core,'search.php',array('q'=>$q,'qtype'=>$qtype));
+     $posts_actions_page = new dcPostsActionsPage($core,$core->adminurl->get("admin.search"),array('q'=>$q,'qtype'=>$qtype));
 
      if ($posts_actions_page->process()) {
@@ -78 +78 @@
      }
 } else {
-     $comments_actions_page = new dcCommentsActionsPage($core,'search.php',array('q'=>$q,'qtype'=>$qtype));
+     $comments_actions_page = new dcCommentsActionsPage($core,$core->adminurl->get("admin.search"),array('q'=>$q,'qtype'=>$qtype));
 
      if ($comments_actions_page->process()) {
@@ -94 +94 @@
 
 echo
-'<form action="search.php" method="get">'.
+'<form action="'.$core->adminurl->get("admin.search").'" method="get">'.
 '<div class="fieldset"><h3>'.__('Search options').'</h3>'.
 '<p><label for="q">'.__('Query:').' </label>'.form::field('q',30,255,$q).'</p>'.
@@ -118 +118 @@
 
           $post_list->display($page,$nb_per_page,
-          '<form action="search.php" method="post" id="form-entries">'.
+          '<form action="'.$core->adminurl->get("admin.search").'" method="post" id="form-entries">'.
 
           '%s'.
@@ -146 +146 @@
 
           $comment_list->display($page,$nb_per_page,
-          '<form action="search.php" method="post" id="form-comments">'.
+          '<form action="'.$core->adminurl->get("admin.search").'" method="post" id="form-comments">'.
 
           '%s'.

admin/search.php

@@ -29 +29 @@
 if ($q)
 {
+     $q = html::escapeHTML($q);
+
      $params = array();
 
@@ -94 +96 @@
 '<form action="'.$core->adminurl->get("admin.search").'" method="get">'.
 '<div class="fieldset"><h3>'.__('Search options').'</h3>'.
-'<p><label for="q">'.__('Query:').' </label>'.form::field('q',30,255,html::escapeHTML($q)).'</p>'.
+'<p><label for="q">'.__('Query:').' </label>'.form::field('q',30,255,$q).'</p>'.
 '<p><label for="qtype1" class="classic">'.form::radio(array('qtype','qtype1'),'p',$qtype == 'p').' '.__('Search in entries').'</label> '.
 '<label for="qtype2" class="classic">'.form::radio(array('qtype','qtype2'),'c',$qtype == 'c').' '.__('Search in comments').'</label></p>'.

inc/prepend.php

@@ -11 +11 @@
 # -- END LICENSE BLOCK -----------------------------------------
 
+/* Start tick  */
+define('DC_START_TIME',microtime(true));
+
 /* ------------------------------------------------------------------------------------------- */
 #  ClearBricks, DotClear classes auto-loader
@@ -26 +29 @@
 
 require CLEARBRICKS_PATH.'/_common.php';
-$__autoload['dcCore']                   = dirname(__FILE__).'/core/class.dc.core.php';
-$__autoload['dcAuth']                   = dirname(__FILE__).'/core/class.dc.auth.php';
-$__autoload['dcBlog']                   = dirname(__FILE__).'/core/class.dc.blog.php';
-$__autoload['dcCategories']             = dirname(__FILE__).'/core/class.dc.categories.php';
-$__autoload['dcError']                  = dirname(__FILE__).'/core/class.dc.error.php';
-$__autoload['dcMeta']                   = dirname(__FILE__).'/core/class.dc.meta.php';
-$__autoload['dcMedia']                  = dirname(__FILE__).'/core/class.dc.media.php';
-$__autoload['dcPostMedia']                   = dirname(__FILE__).'/core/class.dc.postmedia.php';
-$__autoload['dcModules']                = dirname(__FILE__).'/core/class.dc.modules.php';
-$__autoload['dcPlugins']                = dirname(__FILE__).'/core/class.dc.plugins.php';
-$__autoload['dcThemes']                 = dirname(__FILE__).'/core/class.dc.themes.php';
-$__autoload['dcRestServer']             = dirname(__FILE__).'/core/class.dc.rest.php';
-$__autoload['dcNamespace']              = dirname(__FILE__).'/core/class.dc.namespace.php';
-$__autoload['dcSettings']               = dirname(__FILE__).'/core/class.dc.settings.php';
-$__autoload['dcTrackback']              = dirname(__FILE__).'/core/class.dc.trackback.php';
-$__autoload['dcUpdate']                 = dirname(__FILE__).'/core/class.dc.update.php';
-$__autoload['dcUtils']                  = dirname(__FILE__).'/core/class.dc.utils.php';
-$__autoload['dcXmlRpc']                 = dirname(__FILE__).'/core/class.dc.xmlrpc.php';
-$__autoload['dcLog']                    = dirname(__FILE__).'/core/class.dc.log.php';
-$__autoload['dcWorkspace']              = dirname(__FILE__).'/core/class.dc.workspace.php';
-$__autoload['dcPrefs']                  = dirname(__FILE__).'/core/class.dc.prefs.php';
-$__autoload['dcStore']             = dirname(__FILE__).'/core/class.dc.store.php';
-$__autoload['dcStoreReader']       = dirname(__FILE__).'/core/class.dc.store.reader.php';
-$__autoload['dcStoreParser']       = dirname(__FILE__).'/core/class.dc.store.parser.php';
-$__autoload['dcFavorites']              = dirname(__FILE__).'/admin/class.dc.favorites.php';
-
-$__autoload['rsExtPost']                = dirname(__FILE__).'/core/class.dc.rs.extensions.php';
-$__autoload['rsExtComment']             = dirname(__FILE__).'/core/class.dc.rs.extensions.php';
-$__autoload['rsExtDates']               = dirname(__FILE__).'/core/class.dc.rs.extensions.php';
-$__autoload['rsExtUser']                = dirname(__FILE__).'/core/class.dc.rs.extensions.php';
-
-$__autoload['dcMenu']                   = dirname(__FILE__).'/admin/class.dc.menu.php';
-$__autoload['dcPage']                   = dirname(__FILE__).'/admin/lib.dc.page.php';
-$__autoload['adminGenericList']         = dirname(__FILE__).'/admin/lib.pager.php';
-$__autoload['adminPostList']            = dirname(__FILE__).'/admin/lib.pager.php';
-$__autoload['adminPostMiniList']        = dirname(__FILE__).'/admin/lib.pager.php';
-$__autoload['adminCommentList']         = dirname(__FILE__).'/admin/lib.pager.php';
-$__autoload['adminUserList']            = dirname(__FILE__).'/admin/lib.pager.php';
-$__autoload['dcPager']        = dirname(__FILE__).'/admin/lib.pager.php';
-$__autoload['dcAdminCombos']            = dirname(__FILE__).'/admin/lib.admincombos.php';
-$__autoload['adminModulesList']              = dirname(__FILE__).'/admin/lib.moduleslist.php';
-$__autoload['adminThemesList']               = dirname(__FILE__).'/admin/lib.moduleslist.php';
-
-$__autoload['dcTemplate']               = dirname(__FILE__).'/public/class.dc.template.php';
-$__autoload['context']                  = dirname(__FILE__).'/public/lib.tpl.context.php';
-$__autoload['dcUrlHandlers']            = dirname(__FILE__).'/public/lib.urlhandlers.php';
-$__autoload['dcPostsActionsPage']            = dirname(__FILE__).'/admin/actions/class.dcactionposts.php';
-$__autoload['dcCommentsActionsPage']              = dirname(__FILE__).'/admin/actions/class.dcactioncomments.php';
-$__autoload['dcActionsPage']            = dirname(__FILE__).'/admin/actions/class.dcaction.php';
+$__autoload['dcCore']        = dirname(__FILE__).'/core/class.dc.core.php';
+$__autoload['dcAuth']        = dirname(__FILE__).'/core/class.dc.auth.php';
+$__autoload['dcBlog']        = dirname(__FILE__).'/core/class.dc.blog.php';
+$__autoload['dcCategories']  = dirname(__FILE__).'/core/class.dc.categories.php';
+$__autoload['dcError']       = dirname(__FILE__).'/core/class.dc.error.php';
+$__autoload['dcMeta']        = dirname(__FILE__).'/core/class.dc.meta.php';
+$__autoload['dcMedia']       = dirname(__FILE__).'/core/class.dc.media.php';
+$__autoload['dcPostMedia']   = dirname(__FILE__).'/core/class.dc.postmedia.php';
+$__autoload['dcModules']     = dirname(__FILE__).'/core/class.dc.modules.php';
+$__autoload['dcPlugins']     = dirname(__FILE__).'/core/class.dc.plugins.php';
+$__autoload['dcThemes']      = dirname(__FILE__).'/core/class.dc.themes.php';
+$__autoload['dcRestServer']  = dirname(__FILE__).'/core/class.dc.rest.php';
+$__autoload['dcNamespace']   = dirname(__FILE__).'/core/class.dc.namespace.php';
+$__autoload['dcSettings']    = dirname(__FILE__).'/core/class.dc.settings.php';
+$__autoload['dcTrackback']   = dirname(__FILE__).'/core/class.dc.trackback.php';
+$__autoload['dcUpdate']      = dirname(__FILE__).'/core/class.dc.update.php';
+$__autoload['dcUtils']       = dirname(__FILE__).'/core/class.dc.utils.php';
+$__autoload['dcXmlRpc']      = dirname(__FILE__).'/core/class.dc.xmlrpc.php';
+$__autoload['dcLog']         = dirname(__FILE__).'/core/class.dc.log.php';
+$__autoload['dcWorkspace']   = dirname(__FILE__).'/core/class.dc.workspace.php';
+$__autoload['dcPrefs']       = dirname(__FILE__).'/core/class.dc.prefs.php';
+$__autoload['dcStore']       = dirname(__FILE__).'/core/class.dc.store.php';
+$__autoload['dcStoreReader'] = dirname(__FILE__).'/core/class.dc.store.reader.php';
+$__autoload['dcStoreParser'] = dirname(__FILE__).'/core/class.dc.store.parser.php';
+$__autoload['dcFavorites']   = dirname(__FILE__).'/admin/class.dc.favorites.php';
+
+$__autoload['rsExtPost']    = dirname(__FILE__).'/core/class.dc.rs.extensions.php';
+$__autoload['rsExtComment'] = dirname(__FILE__).'/core/class.dc.rs.extensions.php';
+$__autoload['rsExtDates']   = dirname(__FILE__).'/core/class.dc.rs.extensions.php';
+$__autoload['rsExtUser']    = dirname(__FILE__).'/core/class.dc.rs.extensions.php';
+
+$__autoload['dcMenu']            = dirname(__FILE__).'/admin/class.dc.menu.php';
+$__autoload['dcPage']            = dirname(__FILE__).'/admin/lib.dc.page.php';
+$__autoload['adminGenericList']  = dirname(__FILE__).'/admin/lib.pager.php';
+$__autoload['adminPostList']     = dirname(__FILE__).'/admin/lib.pager.php';
+$__autoload['adminPostMiniList'] = dirname(__FILE__).'/admin/lib.pager.php';
+$__autoload['adminCommentList']  = dirname(__FILE__).'/admin/lib.pager.php';
+$__autoload['adminUserList']     = dirname(__FILE__).'/admin/lib.pager.php';
+$__autoload['dcPager']           = dirname(__FILE__).'/admin/lib.pager.php';
+$__autoload['dcAdminCombos']     = dirname(__FILE__).'/admin/lib.admincombos.php';
+$__autoload['adminModulesList']  = dirname(__FILE__).'/admin/lib.moduleslist.php';
+$__autoload['adminThemesList']   = dirname(__FILE__).'/admin/lib.moduleslist.php';
+$__autoload['dcThemeConfig']     = dirname(__FILE__).'/admin/lib.themeconfig.php';
+
+$__autoload['dcTemplate']            = dirname(__FILE__).'/public/class.dc.template.php';
+$__autoload['context']               = dirname(__FILE__).'/public/lib.tpl.context.php';
+$__autoload['dcUrlHandlers']         = dirname(__FILE__).'/public/lib.urlhandlers.php';
+$__autoload['dcAdminURL']            = dirname(__FILE__).'/admin/lib.dc.adminurl.php';
+$__autoload['dcPostsActionsPage']    = dirname(__FILE__).'/admin/actions/class.dcactionposts.php';
+$__autoload['dcCommentsActionsPage'] = dirname(__FILE__).'/admin/actions/class.dcactioncomments.php';
+$__autoload['dcActionsPage']         = dirname(__FILE__).'/admin/actions/class.dcaction.php';
 
 # Clearbricks extensions
@@ -135 +140 @@
 # Constants
 define('DC_ROOT',path::real(dirname(__FILE__).'/..'));
-define('DC_VERSION','2.6.5');
+define('DC_VERSION','2.7-dev');
 define('DC_DIGESTS',dirname(__FILE__).'/digests');
 define('DC_L10N_ROOT',dirname(__FILE__).'/../locales');
 define('DC_L10N_UPDATE_URL','http://services.dotclear.net/dc2.l10n/?version=%s');
-define('DC_DISTRIB_PLUGINS','aboutConfig,akismet,antispam,attachments,blogroll,blowupConfig,dclegacy,fairTrackbacks,importExport,maintenance,pages,pings,simpleMenu,tags,themeEditor,userPref,widgets');
-define('DC_DISTRIB_THEMES','blueSilence,blowupConfig,customCSS,default,ductile');
+define('DC_DISTRIB_PLUGINS','aboutConfig,akismet,antispam,attachments,blogroll,blowupConfig,dclegacy,fairTrackbacks,importExport,maintenance,pages,pings,simpleMenu,tags,themeEditor,userPref,widgets,dcLegacyEditor,dcCKEditor');
+define('DC_DISTRIB_THEMES','berlin,blueSilence,blowupConfig,customCSS,default,ductile');
+define('DC_DEFAULT_TPLSET','mustek');
 
 if (!defined('DC_VENDOR_NAME')) {