Diffstat (limited to 'modules/gallery')
-rw-r--r--modules/gallery/helpers/data_rest.php7
-rw-r--r--modules/gallery/tests/File_Structure_Test.php7
-rw-r--r--modules/gallery/tests/xss_data.txt2
-rw-r--r--modules/gallery/views/form_uploadify.html.php2
-rw-r--r--modules/gallery/views/movieplayer.html.php3
5 files changed, 14 insertions, 7 deletions
diff --git a/modules/gallery/helpers/data_rest.php b/modules/gallery/helpers/data_rest.php
index d4f456d7..a0a225f9 100644
--- a/modules/gallery/helpers/data_rest.php
+++ b/modules/gallery/helpers/data_rest.php
@@ -25,7 +25,6 @@
class data_rest_Core {
static function get($request) {
$item = rest::resolve($request->url);
- access::required("view", $item);
$p = $request->params;
if (!isset($p->size) || !in_array($p->size, array("thumb", "resize", "full"))) {
@@ -36,10 +35,16 @@ class data_rest_Core {
// see if you should make the same change there as well.
if ($p->size == "full") {
+ if ($item->is_album()) {
+ throw new Kohana_404_Exception();
+ }
+ access::required("view_full", $item);
$file = $item->file_path();
} else if ($p->size == "resize") {
+ access::required("view", $item);
$file = $item->resize_path();
} else {
+ access::required("view", $item);
$file = $item->thumb_path();
}
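Review bot: The `full` branch now checks only `view_full`, and the unconditional `access::required("view", $item);` that followed `rest::resolve()` is removed in the first hunk, so each branch has to carry its own check. If `view_full` can be granted without `view` (the permission model is not visible here), the full-size file becomes reachable for an item the caller may not view, and a branch added later starts with no check at all. Keeping `access::required("view", $item);` at the top of `get()` and adding only `access::required("view_full", $item);` in the `full` branch would fail closed. It would also put the `is_album()` 404 behind a permission check, so a caller without access cannot tell albums from other items by status code. The body of `get()` starts and ends outside this hunk.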
diff --git a/modules/gallery/tests/File_Structure_Test.php b/modules/gallery/tests/File_Structure_Test.php
index f46d9d64..e42f7dcd 100644
--- a/modules/gallery/tests/File_Structure_Test.php
+++ b/modules/gallery/tests/File_Structure_Test.php
@@ -175,9 +175,10 @@ class File_Structure_Test extends Gallery_Unit_Test_Case {
// Front controllers
break;
- case DOCROOT . "lib/uploadify/uploadify.php":
- case DOCROOT . "lib/uploadify/uploadify.allglyphs.php":
- // Uploadify wrappers - directly accessible
+ case DOCROOT . "lib/uploadify/uploadify.swf.php":
+ case DOCROOT . "lib/uploadify/uploadify.allglyphs.swf.php":
+ case DOCROOT . "lib/mediaelementjs/flashmediaelement.swf.php":
+ // SWF wrappers - directly accessible
break;
case DOCROOT . "local.php":
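Review bot: The comment `// SWF wrappers - directly accessible` on the new case list does not say why these three files are exempt from whatever this test enforces on the other PHP files. Each entry is a PHP file under DOCROOT that can be requested without going through the front controller. Presumably the wrappers only emit a bundled SWF and read no request input; if that is the case, record it as the condition for being listed, e.g. `// SWF wrappers - directly accessible; must only stream the bundled .swf and read no request parameters`. The enclosing switch starts and ends outside this hunk.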
diff --git a/modules/gallery/tests/xss_data.txt b/modules/gallery/tests/xss_data.txt
index 8504de3a..b15227d2 100644
--- a/modules/gallery/tests/xss_data.txt
+++ b/modules/gallery/tests/xss_data.txt
@@ -180,7 +180,7 @@ modules/gallery/views/error_admin.html.php 286 DIRTY_ATTR $env
modules/gallery/views/error_admin.html.php 296 DIRTY Kohana_Exception::safe_dump($value,$key)
modules/gallery/views/form_uploadify.html.php 16 DIRTY_JS url::site("uploader/status/_S/_E")
modules/gallery/views/form_uploadify.html.php 24 DIRTY_JS $flash_minimum_version
-modules/gallery/views/form_uploadify.html.php 28 DIRTY_JS url::file("lib/uploadify/uploadify.php")
+modules/gallery/views/form_uploadify.html.php 28 DIRTY_JS url::file("lib/uploadify/uploadify.swf.php")
modules/gallery/views/form_uploadify.html.php 29 DIRTY_JS url::site("uploader/add_photo/{$album->id}")
modules/gallery/views/form_uploadify.html.php 31 DIRTY_JS implode(";",$extensions)
modules/gallery/views/form_uploadify.html.php 33 DIRTY_JS url::file("lib/uploadify/cancel.png")
diff --git a/modules/gallery/views/form_uploadify.html.php b/modules/gallery/views/form_uploadify.html.php
index 4963d185..bba6db73 100644
--- a/modules/gallery/views/form_uploadify.html.php
+++ b/modules/gallery/views/form_uploadify.html.php
@@ -25,7 +25,7 @@
$("#g-uploadify").uploadify({
width: 298,
height: 32,
- uploader: "<?= url::file("lib/uploadify/uploadify.php") ?>",
+ uploader: "<?= url::file("lib/uploadify/uploadify.swf.php") ?>",
script: "<?= url::site("uploader/add_photo/{$album->id}") ?>",
scriptData: <?= json_encode($script_data) ?>,
fileExt: "<?= implode(";", $extensions) ?>",
diff --git a/modules/gallery/views/movieplayer.html.php b/modules/gallery/views/movieplayer.html.php
index f78cc91a..e4046906 100644
--- a/modules/gallery/views/movieplayer.html.php
+++ b/modules/gallery/views/movieplayer.html.php
@@ -11,7 +11,8 @@
defaultVideoHeight: <?= $height ?>,
startVolume: 1.0,
features: ["playpause", "progress", "current", "duration", "volume", "fullscreen"],
- pluginPath: "<?= url::abs_file("lib/mediaelementjs/") ?>"
+ pluginPath: "<?= url::abs_file("lib/mediaelementjs/") ?>",
+ flashName: "flashmediaelement.swf.php"
}, <?= json_encode($player_options) ?>)
);
</script>