Dotclear


Ignore:
Files:
3 edited

Legend:

Unmodified
Added
Removed

  • CHANGELOG

    r3807 r3854  
     1Dotclear 2.14.2 - 2018-09-04 
     2=========================================================== 
     3* 🛡 Security: Authenticated cross-site scripting (XSS) was possible due to the .ahtml (or .bhtml, .chtml, …) file extension being allowed in the media manager. Thank's Josiah Pierce for report (CVE-2018-16358) 
     4* 🛡 Security: Unregister phar wrapper in order to avoid PHP Phar extension vulerability 
     5* Fix: Enter key in some input fields were not redirect to the parent form 
     6* Fix: Unable to save modified theme's files in theme editor, when Codemirror is used 
     7* Fix: Back to the original global_filters() template function (will be rewritten in the next 2.15) 
     8 
    19Dotclear 2.14.1 - 2018-08-17 
    210=========================================================== 

  • inc/core/class.dc.core.php

    r3731 r3850  
    13791379                array('lang', 'string', 'en', 
    13801380                    'Default blog language'), 
    1381                 array('media_exclusion', 'string', '/\.(phps?|pht(ml)?|phl|s?html?|js|htaccess)[0-9]*$/i', 
     1381                array('media_exclusion', 'string', '/\.(phps?|pht(ml)?|phl|.?html?|js|htaccess)[0-9]*$/i', 
    13821382                    'File name exclusion pattern in media manager. (PCRE value)'), 
    13831383                array('media_img_m_size', 'integer', 448, 

  • inc/dbschema/upgrade.php

    r3829 r3858  
    688688        } 
    689689 
     690        if (version_compare($version, '2.14.2', '<')) { 
     691            # Update flie exclusion upload regex 
     692            $strReq = 'UPDATE ' . $core->prefix . 'setting ' . 
     693                " SET setting_value = '/\\.(phps?|pht(ml)?|phl|.?html?|js|htaccess)[0-9]*\$/i' " . 
     694                " WHERE setting_id = 'media_exclusion' " . 
     695                " AND setting_ns = 'system' " . 
     696                " AND (setting_value = '/\\.php[0-9]*\$/i' " . 
     697                "   OR setting_value = '/\\.php\$/i') " . 
     698                "   OR setting_value = '/\\.(phps?|pht(ml)?|phl)[0-9]*\$/i' " . 
     699                "   OR setting_value = '/\\.(phps?|pht(ml)?|phl|s?html?|js)[0-9]*\$/i'" . 
     700                "   OR setting_value = '/\\.(phps?|pht(ml)?|phl|s?html?|js|htaccess)[0-9]*\$/i'"; 
     701            $core->con->execute($strReq); 
     702        } 
     703 
    690704        if (version_compare($version, '2.15', '<')) { 
    691705            # switch from jQuery 1.11.3 to 1.12.4 
Note: See TracChangeset for help on using the changeset viewer.

Sites map