diff options
Diffstat (limited to 'modules/gallery')
| -rw-r--r-- | modules/gallery/controllers/packager.php | 10 | ||||
| -rw-r--r-- | modules/gallery/controllers/permissions.php | 2 | ||||
| -rw-r--r-- | modules/gallery/controllers/simple_uploader.php | 1 | ||||
| -rw-r--r-- | modules/gallery/helpers/album.php | 3 | ||||
| -rw-r--r-- | modules/gallery/helpers/gallery.php | 25 | ||||
| -rw-r--r-- | modules/gallery/helpers/gallery_installer.php | 6 | ||||
| -rw-r--r-- | modules/gallery/helpers/locales.php | 56 | ||||
| -rw-r--r-- | modules/gallery/libraries/Theme_View.php | 6 | ||||
| -rw-r--r-- | modules/gallery/models/item.php | 4 | ||||
| -rw-r--r-- | modules/gallery/tests/Controller_Auth_Test.php | 252 | ||||
| -rw-r--r-- | modules/gallery/tests/Item_Model_Test.php | 10 | ||||
| -rw-r--r-- | modules/gallery/tests/Locales_Helper_Test.php | 10 | ||||
| -rw-r--r-- | modules/gallery/tests/Xss_Security_Test.php | 3 | ||||
| -rw-r--r-- | modules/gallery/tests/controller_auth_data.txt | 40 | ||||
| -rw-r--r-- | modules/gallery/tests/xss_data.txt | 44 | ||||
| -rw-r--r-- | modules/gallery/views/admin_languages.html.php | 2 | ||||
| -rw-r--r-- | modules/gallery/views/upgrader.html.php | 2 |
17 files changed, 415 insertions, 61 deletions
diff --git a/modules/gallery/controllers/packager.php b/modules/gallery/controllers/packager.php index fbb1d07d..ae87d74b 100644 --- a/modules/gallery/controllers/packager.php +++ b/modules/gallery/controllers/packager.php @@ -114,18 +114,24 @@ class Packager_Controller extends Controller { $root = ORM::factory("item", 1); $root_created_timestamp = $root->created; $root_updated_timestamp = $root->updated; + $table_name = ""; foreach (file($sql_file) as $line) { // Prefix tables $line = preg_replace( "/(CREATE TABLE|IF EXISTS|INSERT INTO) `{$dbconfig['table_prefix']}(\w+)`/", "\\1 {\\2}", $line); + if (preg_match("/CREATE TABLE {(\w+)}/", $line, $matches)) { + $table_name = $matches[1]; + } // Normalize dates $line = preg_replace("/,$root_created_timestamp,/", ",UNIX_TIMESTAMP(),", $line); $line = preg_replace("/,$root_updated_timestamp,/", ",UNIX_TIMESTAMP(),", $line); - // Remove ENGINE= specifications - $line = preg_replace("/ENGINE=\S+ /", "", $line); + // Remove ENGINE= specifications execpt for search records, it always needs to be MyISAM + if ($table_name != "search_records") { + $line = preg_replace("/ENGINE=\S+ /", "", $line); + } $buf .= $line; } diff --git a/modules/gallery/controllers/permissions.php b/modules/gallery/controllers/permissions.php index 5f4620b2..8d75862e 100644 --- a/modules/gallery/controllers/permissions.php +++ b/modules/gallery/controllers/permissions.php @@ -81,7 +81,7 @@ class Permissions_Controller extends Controller { } } - function _get_form($item) { + private function _get_form($item) { $view = new View("permissions_form.html"); $view->item = $item; $view->groups = ORM::factory("group")->find_all(); diff --git a/modules/gallery/controllers/simple_uploader.php b/modules/gallery/controllers/simple_uploader.php index 156d18ac..bc508319 100644 --- a/modules/gallery/controllers/simple_uploader.php +++ b/modules/gallery/controllers/simple_uploader.php @@ -32,6 +32,7 @@ class Simple_Uploader_Controller extends Controller { } public function start() { + access::verify_csrf(); batch::start(); } diff --git a/modules/gallery/helpers/album.php b/modules/gallery/helpers/album.php index dfb1e66d..9cd746d7 100644 --- a/modules/gallery/helpers/album.php +++ b/modules/gallery/helpers/album.php @@ -135,6 +135,9 @@ class album_Core { ->error_messages( "not_url_safe", t("The internet address should contain only letters, numbers, hyphens and underscores")); + } else { + $group->hidden("dirname")->value($parent->name); + $group->hidden("slug")->value($parent->slug); } $sort_order = $group->group("sort_order", array("id" => "gAlbumSortOrder")) diff --git a/modules/gallery/helpers/gallery.php b/modules/gallery/helpers/gallery.php index 813134eb..80ae65bd 100644 --- a/modules/gallery/helpers/gallery.php +++ b/modules/gallery/helpers/gallery.php @@ -18,7 +18,7 @@ * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA. */ class gallery_Core { - const VERSION = "3.0 git (pre-beta3)"; + const VERSION = "3.0 git (pre-RC1)"; /** * If Gallery is in maintenance mode, then force all non-admins to get routed to a "This site is @@ -95,15 +95,22 @@ class gallery_Core { $menu->append($add_menu = Menu::factory("submenu") ->id("add_menu") ->label(t("Add"))); - $add_menu->append(Menu::factory("dialog") - ->id("add_photos_item") - ->label(t("Add photos")) - ->url(url::site("simple_uploader/app/$item->id"))); - if ($item->is_album()) { + $is_album_writable = + is_writable($item->is_album() ? $item->file_path() : $item->parent()->file_path()); + if ($is_album_writable) { $add_menu->append(Menu::factory("dialog") - ->id("add_album_item") - ->label(t("Add an album")) - ->url(url::site("form/add/albums/$item->id?type=album"))); + ->id("add_photos_item") + ->label(t("Add photos")) + ->url(url::site("simple_uploader/app/$item->id"))); + if ($item->is_album()) { + $add_menu->append(Menu::factory("dialog") + ->id("add_album_item") + ->label(t("Add an album")) + ->url(url::site("form/add/albums/$item->id?type=album"))); + } + } else { + message::warning(t("The album '%album_name' is not writable.", + array("album_name" => $item->title))); } } diff --git a/modules/gallery/helpers/gallery_installer.php b/modules/gallery/helpers/gallery_installer.php index a1856424..6500482b 100644 --- a/modules/gallery/helpers/gallery_installer.php +++ b/modules/gallery/helpers/gallery_installer.php @@ -203,6 +203,12 @@ class gallery_installer { access::register_permission("edit", "Edit"); access::register_permission("add", "Add"); + // Mark for translation (must be the same strings as used above) + t("View Full Size"); + t("View"); + t("Edit"); + t("Add"); + $root = ORM::factory("item"); $root->type = "album"; $root->title = "Gallery"; diff --git a/modules/gallery/helpers/locales.php b/modules/gallery/helpers/locales.php index 16dda2d7..ab7f7526 100644 --- a/modules/gallery/helpers/locales.php +++ b/modules/gallery/helpers/locales.php @@ -165,50 +165,58 @@ class locales_Core { list ($ignored, $qvalue) = explode("=", $qvalue . "=="); $qvalue = floatval($qvalue); } - $locale_preferences[] = array($requested_locale, $qvalue); + // Group by language to boost inexact same-language matches + list ($language) = explode("_", $requested_locale . "_"); + if (!isset($locale_preferences[$language])) { + $locale_preferences[$language] = array(); + } + $locale_preferences[$language][$requested_locale] = $qvalue; } } // Compare and score requested locales with installed ones $scored_locales = array(); - foreach ($locale_preferences as $requested_value) { - $scored_locale_match = self::_locale_match_score($requested_value); - if ($scored_locale_match) { - $scored_locales[] = $scored_locale_match; + foreach ($locale_preferences as $language => $requested_locales) { + // Inexact match adjustment (same language, different region) + $fallback_adjustment_factor = 0.95; + if (count($requested_locales) > 1) { + // Sort by qvalue, descending + $qvalues = array_values($requested_locales); + rsort($qvalues); + // Ensure inexact match scores worse than 2nd preference in same language. + $fallback_adjustment_factor *= $qvalues[1]; + } + foreach ($requested_locales as $requested_locale => $qvalue) { + list ($matched_locale, $match_score) = + self::_locale_match_score($requested_locale, $qvalue, $fallback_adjustment_factor); + if ($matched_locale && + (!isset($scored_locales[$matched_locale]) || + $match_score > $scored_locales[$matched_locale])) { + $scored_locales[$matched_locale] = $match_score; + } } } - usort($scored_locales, array("locales", "_compare_locale_by_qvalue")); + arsort($scored_locales); - $best_match = array_shift($scored_locales); - if ($best_match) { - return $best_match[0]; - } + list ($locale) = each($scored_locales); + return $locale; } return null; } - static function _compare_locale_by_qvalue($a, $b) { - $a = $a[1]; - $b = $b[1]; - if ($a == $b) { - return 0; - } - return $a < $b ? 1 : -1; - } - - private static function _locale_match_score($requested_locale_and_qvalue) { - list ($requested_locale, $qvalue) = $requested_locale_and_qvalue; + private static function _locale_match_score($requested_locale, $qvalue, $adjustment_factor) { $installed = self::installed(); if (isset($installed[$requested_locale])) { - return $requested_locale_and_qvalue; + return array($requested_locale, $qvalue); } list ($language) = explode("_", $requested_locale . "_"); if (isset(self::$language_subtag_to_locale[$language]) && isset($installed[self::$language_subtag_to_locale[$language]])) { - return array(self::$language_subtag_to_locale[$language], $qvalue * 0.66); + $score = $adjustment_factor * $qvalue; + return array(self::$language_subtag_to_locale[$language], $score); } - return null; + return array(null, 0); } }
\ No newline at end of file diff --git a/modules/gallery/libraries/Theme_View.php b/modules/gallery/libraries/Theme_View.php index 541bce88..130e2dce 100644 --- a/modules/gallery/libraries/Theme_View.php +++ b/modules/gallery/libraries/Theme_View.php @@ -111,6 +111,12 @@ class Theme_View_Core extends Gallery_View { return $menu->compact(); } + public function movie_menu() { + $menu = Menu::factory("root"); + module::event("movie_menu", $menu, $this); + return $menu->compact(); + } + public function context_menu($item, $thumbnail_css_selector) { $menu = Menu::factory("root") ->append(Menu::factory("submenu") diff --git a/modules/gallery/models/item.php b/modules/gallery/models/item.php index d1c6feb9..ff02daf8 100644 --- a/modules/gallery/models/item.php +++ b/modules/gallery/models/item.php @@ -284,8 +284,8 @@ class Item_Model extends ORM_MPTT { ->where("id <>", 1) ->orderby("left_ptr", "ASC") ->get() as $row) { - $names[] = urlencode($row->name); - $slugs[] = urlencode($row->slug); + $names[] = rawurlencode($row->name); + $slugs[] = rawurlencode($row->slug); } $this->relative_path_cache = implode($names, "/"); $this->relative_url_cache = implode($slugs, "/"); diff --git a/modules/gallery/tests/Controller_Auth_Test.php b/modules/gallery/tests/Controller_Auth_Test.php new file mode 100644 index 00000000..caf6d8f2 --- /dev/null +++ b/modules/gallery/tests/Controller_Auth_Test.php @@ -0,0 +1,252 @@ +<?php defined("SYSPATH") or die("No direct script access."); +/** + * Gallery - a web based photo album viewer and editor + * Copyright (C) 2000-2009 Bharat Mediratta + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or (at + * your option) any later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA. + */ +class Controller_Auth_Test extends Unit_Test_Case { + static $rest_methods = array("_index", "_show", "_form_edit", "_form_add", "_create", + "_update", "_delete"); + + static $rest_methods_with_csrf_check = array("_update", "_delete", "_create"); + + public function find_missing_auth_test() { + $found = array(); + $controllers = glob("*/*/controllers/*.php"); + $feeds = glob("*/*/helpers/*_rss.php"); + foreach (array_merge($controllers, $feeds) as $controller) { + if (preg_match("{modules/(gallery_)?unit_test/}", $controller)) { + continue; + } + + // List of all tokens without whitespace, simplifying parsing. + $tokens = array(); + foreach (token_get_all(file_get_contents($controller)) as $token) { + if (!is_array($token) || $token[0] != T_WHITESPACE) { + $tokens[] = $token; + } + } + + $is_admin_controller = false; + $is_rest_controller = false; + + $open_braces = 0; + $function = null; + for ($token_number = 0; $token_number < count($tokens); $token_number++) { + $token = $tokens[$token_number]; + + // Count braces. + // 1 open brace = in class context. + // 2 open braces = in function. + if (!is_array($token)) { + if ($token == "}") { + $open_braces--; + if ($open_braces == 1 && $function) { + $found[$controller][] = $function; + $function = null; + } else if ($open_braces == 0) { + $is_admin_controller = false; + $is_rest_controller = false; + } + } else if ($token == "{") { + $open_braces++; + } + } else { + // An array token + + if ($open_braces == 0 && $token[0] == T_EXTENDS) { + if (self::_token_matches(array(T_STRING, "Admin_Controller"), $tokens, $token_number + 1)) { + $is_admin_controller = true; + } else if (self::_token_matches(array(T_STRING, "REST_Controller"), $tokens, $token_number + 1)) { + $is_rest_controller = true; + } + } else if ($open_braces == 1 && $token[0] == T_FUNCTION) { + $line = $token[2]; + $name = ""; + // Search backwards to check visibility, + // "private function", or "private static function" + $previous = $tokens[$token_number - 1][0]; + $previous_2 = $tokens[$token_number - 2][0]; + $is_private = in_array($previous, array(T_PRIVATE, T_PROTECTED)) || + in_array($previous_2, array(T_PRIVATE, T_PROTECTED)); + $is_static = $previous == T_STATIC || $previous_2 == T_STATIC; + + // Search forward to get function name + do { + $token_number++; + if (self::_token_matches(array(T_STRING), $tokens, $token_number)) { + $token = $tokens[$token_number]; + $name = $token[1]; + break; + } + } while ($token_number < count($tokens)); + + $is_rss_feed = $name == "feed" && strpos(basename($controller), "_rss.php"); + + if ((!$is_static || $is_rss_feed) && + (!$is_private || + ($is_rest_controller && in_array($name, self::$rest_methods)))) { + $function = self::_function($name, $line, $is_admin_controller); + if ($is_rest_controller && in_array($name, self::$rest_methods_with_csrf_check)) { + $function->checks_csrf(true); + } + } + } + + // Check body of all public functions + // + // Authorization + // Require: access::required\( + // Authentication (CSRF token) + // [When using Input, $this->input, Forge] + // Require: ->validate() or access::verify_csrf\( + if ($function && $open_braces >= 2) { + if ($token[0] == T_STRING) { + if ($token[1] == "access" && + self::_token_matches(array(T_DOUBLE_COLON, "::"), $tokens, $token_number + 1) && + self::_token_matches(array(T_STRING), $tokens, $token_number + 2) && + in_array($tokens[$token_number + 2][1], array("forbidden", "required")) && + self::_token_matches("(", $tokens, $token_number + 3)) { + $token_number += 3; + $function->checks_authorization(true); + } else if ($token[1] == "access" && + self::_token_matches(array(T_DOUBLE_COLON, "::"), $tokens, $token_number + 1) && + self::_token_matches(array(T_STRING, "verify_csrf"), $tokens, $token_number + 2) && + self::_token_matches("(", $tokens, $token_number + 3)) { + $token_number += 3; + $function->checks_csrf(true); + } else if (in_array($token[1], array("Input", "Forge")) && + self::_token_matches(array(T_DOUBLE_COLON, "::"), $tokens, $token_number + 1)) { + $token_number++; + $function->uses_input(true); + } + } else if ($token[0] == T_VARIABLE) { + if ($token[1] == '$this' && + self::_token_matches(array(T_OBJECT_OPERATOR), $tokens, $token_number + 1) && + self::_token_matches(array(T_STRING, "input"), $tokens, $token_number + 2)) { + $token_number += 2; + $function->uses_input(true); + } + } else if ($token[0] == T_OBJECT_OPERATOR) { + if (self::_token_matches(array(T_STRING, "validate"), $tokens, $token_number + 1) && + self::_token_matches("(", $tokens, $token_number + 2)) { + $token_number += 2; + $function->checks_csrf(true); + } + } + } + } + } + } + + // Generate the report + $new = TMPPATH . "controller_auth_data.txt"; + $fd = fopen($new, "wb"); + ksort($found); + foreach ($found as $controller => $functions) { + $is_admin_controller = true; + foreach ($functions as $function) { + $is_admin_controller &= $function->is_admin_controller; + $flags = array(); + if ($function->uses_input() && !$function->checks_csrf()) { + $flags[] = "DIRTY_CSRF"; + } + if (!$function->is_admin_controller && !$function->checks_authorization()) { + $flags[] = "DIRTY_AUTH"; + } + + if (!$flags) { + // Don't print CLEAN instances + continue; + } + + fprintf($fd, "%-60s %-20s %s\n", + $controller, $function->name, implode("|", $flags)); + } + + if (strpos(basename($controller), "admin_") === 0 && !$is_admin_controller) { + fprintf($fd, "%-60s %-20s %s\n", + $controller, basename($controller), "NO_ADMIN_CONTROLLER"); + } + } + fclose($fd); + + // Compare with the expected report from our golden file. + $canonical = MODPATH . "gallery/tests/controller_auth_data.txt"; + exec("diff $canonical $new", $output, $return_value); + $this->assert_false( + $return_value, "Controller auth golden file mismatch. Output:\n" . implode("\n", $output) ); + } + + private static function _token_matches($expected_token, &$tokens, $token_number) { + if (!isset($tokens[$token_number])) { + return false; + } + + $token = $tokens[$token_number]; + + if (is_array($expected_token)) { + for ($i = 0; $i < count($expected_token); $i++) { + if ($expected_token[$i] != $token[$i]) { + return false; + } + } + return true; + } else { + return $expected_token == $token; + } + } + + static function _function($name, $line, $is_admin_controller) { + return new Controller_Auth_Test_Function($name, $line, $is_admin_controller); + } +} + +class Controller_Auth_Test_Function { + public $name; + public $line; + public $is_admin_controller = false; + private $_uses_input = false; + private $_checks_authorization = false; + private $_checks_csrf = false; + + function __construct($name, $line, $is_admin_controller) { + $this->name = $name; + $this->line = $line; + $this->is_admin_controller = $is_admin_controller; + } + + function uses_input($val=null) { + if ($val !== null) { + $this->_uses_input = (bool) $val; + } + return $this->_uses_input; + } + + function checks_authorization($val=null) { + if ($val !== null) { + $this->_checks_authorization = (bool) $val; + } + return $this->_checks_authorization; + } + + function checks_csrf($val=null) { + if ($val !== null) { + $this->_checks_csrf = $val; + } + return $this->_checks_csrf; + } +}
\ No newline at end of file diff --git a/modules/gallery/tests/Item_Model_Test.php b/modules/gallery/tests/Item_Model_Test.php index 585e247c..84210e4c 100644 --- a/modules/gallery/tests/Item_Model_Test.php +++ b/modules/gallery/tests/Item_Model_Test.php @@ -150,4 +150,14 @@ class Item_Model_Test extends Unit_Test_Case { $this->assert_same("ORIGINAL_VALUE", $item->original()->title); $this->assert_same("NEW_VALUE", $item->title); } + + public function urls_are_rawurlencoded_test() { + $item = self::_create_random_item(); + $item->slug = "foo bar"; + $item->name = "foo bar.jpg"; + $item->save(); + + $this->assert_equal("foo%20bar", $item->relative_url()); + $this->assert_equal("foo%20bar.jpg", $item->relative_path()); + } } diff --git a/modules/gallery/tests/Locales_Helper_Test.php b/modules/gallery/tests/Locales_Helper_Test.php index 85b8e206..4c03d8d4 100644 --- a/modules/gallery/tests/Locales_Helper_Test.php +++ b/modules/gallery/tests/Locales_Helper_Test.php @@ -67,7 +67,7 @@ class Locales_Helper_Test extends Unit_Test_Case { locales::update_installed(array("no_NO", "pt_PT", "ja_JP")); $_SERVER["HTTP_ACCEPT_LANGUAGE"] = "en,en-us,ja_JP;q=0.7,no-fr;q=0.9"; $locale = locales::locale_from_http_request(); - $this->assert_equal("ja_JP", $locale); + $this->assert_equal("no_NO", $locale); } public function locale_from_http_request_best_match_vs_installed_2_test() { @@ -83,4 +83,12 @@ class Locales_Helper_Test extends Unit_Test_Case { $locale = locales::locale_from_http_request(); $this->assert_equal(null, $locale); } + + public function locale_from_http_request_prefer_inexact_same_language_match_over_exact_other_language_match_test() { + locales::update_installed(array("de_DE", "ar_AR", "fa_IR", "he_IL", "en_US")); + // Accept-Language header from Firefox 3.5/Ubuntu + $_SERVER["HTTP_ACCEPT_LANGUAGE"] = "he,en-us;q=0.9,de-ch;q=0.5,en;q=0.3"; + $locale = locales::locale_from_http_request(); + $this->assert_equal("he_IL", $locale); + } }
\ No newline at end of file diff --git a/modules/gallery/tests/Xss_Security_Test.php b/modules/gallery/tests/Xss_Security_Test.php index 85624517..16541017 100644 --- a/modules/gallery/tests/Xss_Security_Test.php +++ b/modules/gallery/tests/Xss_Security_Test.php @@ -144,7 +144,8 @@ class Xss_Security_Test extends Unit_Test_Case { "dynamic_bottom", "dynamic_top", "footer", "head", "header_bottom", "header_top", "page_bottom", "page_top", "photo_blocks", "photo_bottom", "photo_top", "resize_bottom", "resize_top", "sidebar_blocks", "sidebar_bottom", - "sidebar_top", "thumb_bottom", "thumb_info", "thumb_top")) && + "sidebar_top", "thumb_bottom", "thumb_info", "thumb_top", + "movie_menu")) && self::_token_matches("(", $tokens, $token_number + 3)) { $method = $tokens[$token_number + 2][1]; diff --git a/modules/gallery/tests/controller_auth_data.txt b/modules/gallery/tests/controller_auth_data.txt new file mode 100644 index 00000000..fdf00c5e --- /dev/null +++ b/modules/gallery/tests/controller_auth_data.txt @@ -0,0 +1,40 @@ +modules/comment/controllers/admin_comments.php queue DIRTY_CSRF +modules/comment/controllers/comments.php _index DIRTY_CSRF +modules/comment/helpers/comment_rss.php feed DIRTY_AUTH +modules/digibug/controllers/digibug.php print_proxy DIRTY_CSRF|DIRTY_AUTH +modules/digibug/controllers/digibug.php close_window DIRTY_AUTH +modules/gallery/controllers/admin.php __call DIRTY_AUTH +modules/gallery/controllers/albums.php _show DIRTY_CSRF +modules/gallery/controllers/albums.php _form_add DIRTY_CSRF +modules/gallery/controllers/combined.php javascript DIRTY_AUTH +modules/gallery/controllers/combined.php css DIRTY_AUTH +modules/gallery/controllers/file_proxy.php __call DIRTY_CSRF|DIRTY_AUTH +modules/gallery/controllers/maintenance.php index DIRTY_AUTH +modules/gallery/controllers/rest.php __construct DIRTY_AUTH +modules/gallery/controllers/rest.php __call DIRTY_AUTH +modules/gallery/controllers/rest.php form_edit DIRTY_AUTH +modules/gallery/controllers/rest.php form_add DIRTY_AUTH +modules/gallery/controllers/rest.php _index DIRTY_AUTH +modules/gallery/controllers/rest.php _create DIRTY_AUTH +modules/gallery/controllers/rest.php _show DIRTY_AUTH +modules/gallery/controllers/rest.php _update DIRTY_AUTH +modules/gallery/controllers/rest.php _delete DIRTY_AUTH +modules/gallery/controllers/rest.php _form_add DIRTY_AUTH +modules/gallery/controllers/rest.php _form_edit DIRTY_AUTH +modules/gallery/controllers/simple_uploader.php start DIRTY_AUTH +modules/gallery/controllers/simple_uploader.php finish DIRTY_AUTH +modules/gallery/controllers/upgrader.php index DIRTY_AUTH +modules/gallery/controllers/welcome_message.php index DIRTY_AUTH +modules/rss/controllers/rss.php feed DIRTY_CSRF|DIRTY_AUTH +modules/search/controllers/search.php index DIRTY_CSRF|DIRTY_AUTH +modules/server_add/controllers/admin_server_add.php autocomplete DIRTY_CSRF +modules/server_add/controllers/server_add.php children DIRTY_CSRF +modules/tag/controllers/admin_tags.php index DIRTY_CSRF +modules/tag/controllers/tags.php _show DIRTY_CSRF|DIRTY_AUTH +modules/user/controllers/login.php ajax DIRTY_AUTH +modules/user/controllers/login.php auth_ajax DIRTY_AUTH +modules/user/controllers/login.php html DIRTY_AUTH +modules/user/controllers/login.php auth_html DIRTY_AUTH +modules/user/controllers/logout.php index DIRTY_CSRF|DIRTY_AUTH +modules/user/controllers/password.php reset DIRTY_AUTH +modules/user/controllers/password.php do_reset DIRTY_CSRF|DIRTY_AUTH diff --git a/modules/gallery/tests/xss_data.txt b/modules/gallery/tests/xss_data.txt index 8c71740e..57da8730 100644 --- a/modules/gallery/tests/xss_data.txt +++ b/modules/gallery/tests/xss_data.txt @@ -48,6 +48,7 @@ modules/gallery/views/admin_block_log_entries.html.php 8 DIRTY $entry modules/gallery/views/admin_block_news.html.php 5 DIRTY_JS $entry["link"] modules/gallery/views/admin_block_news.html.php 5 DIRTY $entry["title"] modules/gallery/views/admin_block_news.html.php 7 DIRTY text::limit_words(strip_tags($entry["description"]),25); +modules/gallery/views/admin_block_photo_stream.html.php 5 DIRTY_JS $photo->url() modules/gallery/views/admin_block_photo_stream.html.php 6 DIRTY photo::img_dimensions($photo->width,$photo->height,72) modules/gallery/views/admin_block_photo_stream.html.php 7 DIRTY_ATTR $photo->thumb_url() modules/gallery/views/admin_dashboard.html.php 5 DIRTY_JS $csrf @@ -180,14 +181,14 @@ modules/image_block/views/image_block_block.html.php 3 DIRTY_JS $item- modules/image_block/views/image_block_block.html.php 4 DIRTY $item->thumb_img(array("class"=>"gThumbnail")) modules/info/views/info_block.html.php 22 DIRTY date("M j, Y H:i:s",$item->captured) modules/info/views/info_block.html.php 29 DIRTY_JS $item->owner->url -modules/notification/views/comment_published.html.php 28 DIRTY_JS $comment->item()->url(array(),true) -modules/notification/views/comment_published.html.php 29 DIRTY $comment->item()->url(array(),true) -modules/notification/views/item_added.html.php 16 DIRTY_JS $item->url(array(),true) -modules/notification/views/item_added.html.php 17 DIRTY $item->url(array(),true) -modules/notification/views/item_deleted.html.php 18 DIRTY_JS $item->parent()->url(array(),true) -modules/notification/views/item_deleted.html.php 19 DIRTY $item->parent()->url(array(),true) -modules/notification/views/item_updated.html.php 20 DIRTY_JS $item->url(array(),true) -modules/notification/views/item_updated.html.php 20 DIRTY $item->url(array(),true) +modules/notification/views/comment_published.html.php 28 DIRTY_JS $comment->item()->abs_url() +modules/notification/views/comment_published.html.php 29 DIRTY $comment->item()->abs_url() +modules/notification/views/item_added.html.php 16 DIRTY_JS $item->abs_url() +modules/notification/views/item_added.html.php 17 DIRTY $item->abs_url() +modules/notification/views/item_deleted.html.php 18 DIRTY_JS $item->parent()->abs_url() +modules/notification/views/item_deleted.html.php 19 DIRTY $item->parent()->abs_url() +modules/notification/views/item_updated.html.php 20 DIRTY_JS $item->abs_url() +modules/notification/views/item_updated.html.php 20 DIRTY $item->abs_url() modules/organize/views/organize_dialog.html.php 3 DIRTY_JS url::site("organize/move_to/__ALBUM_ID__?csrf=$csrf") modules/organize/views/organize_dialog.html.php 4 DIRTY_JS url::site("organize/rearrange/__TARGET_ID__/__BEFORE__?csrf=$csrf") modules/organize/views/organize_dialog.html.php 5 DIRTY_JS url::site("organize/sort_order/__ALBUM_ID__/__COL__/__DIR__?csrf=$csrf") @@ -246,6 +247,7 @@ modules/rss/views/feed.mrss.php 73 DIRTY_ATTR $chi modules/rss/views/feed.mrss.php 74 DIRTY_ATTR $child->mime_type modules/rss/views/rss_block.html.php 6 DIRTY_JS rss::url($url) modules/search/views/search.html.php 30 DIRTY_ATTR $item_class +modules/search/views/search.html.php 31 DIRTY_JS $item->url() modules/search/views/search.html.php 32 DIRTY $item->thumb_img() modules/server_add/views/admin_server_add.html.php 15 DIRTY_ATTR $id modules/server_add/views/admin_server_add.html.php 24 DIRTY $form @@ -285,6 +287,7 @@ themes/admin_default/views/admin.html.php 15 DIRTY_JS $theme themes/admin_default/views/admin.html.php 32 DIRTY $theme->admin_head() themes/admin_default/views/admin.html.php 36 DIRTY $theme->admin_page_top() themes/admin_default/views/admin.html.php 44 DIRTY $theme->admin_header_top() +themes/admin_default/views/admin.html.php 49 DIRTY_JS item::root()->url() themes/admin_default/views/admin.html.php 53 DIRTY $theme->admin_menu() themes/admin_default/views/admin.html.php 55 DIRTY $theme->admin_header_bottom() themes/admin_default/views/admin.html.php 62 DIRTY $content @@ -292,10 +295,11 @@ themes/admin_default/views/admin.html.php 68 DIRTY $sideb themes/admin_default/views/admin.html.php 73 DIRTY $theme->admin_footer() themes/admin_default/views/admin.html.php 75 DIRTY $theme->admin_credits() themes/admin_default/views/admin.html.php 79 DIRTY $theme->admin_page_bottom() -themes/admin_default/views/block.html.php 2 DIRTY $id -themes/admin_default/views/block.html.php 2 DIRTY_ATTR $css_id -themes/admin_default/views/block.html.php 10 DIRTY $title -themes/admin_default/views/block.html.php 13 DIRTY $content +themes/admin_default/views/block.html.php 3 DIRTY_ATTR $anchor +themes/admin_default/views/block.html.php 5 DIRTY $id +themes/admin_default/views/block.html.php 5 DIRTY_ATTR $css_id +themes/admin_default/views/block.html.php 13 DIRTY $title +themes/admin_default/views/block.html.php 16 DIRTY $content themes/admin_default/views/pager.html.php 13 DIRTY_JS str_replace('{page}',1,$url) themes/admin_default/views/pager.html.php 20 DIRTY_JS str_replace('{page}',$previous_page,$url) themes/admin_default/views/pager.html.php 27 DIRTY $from_to_msg @@ -306,10 +310,10 @@ themes/default/views/album.html.php 16 DIRTY_ATTR $ite themes/default/views/album.html.php 18 DIRTY_JS $child->url() themes/default/views/album.html.php 19 DIRTY $child->thumb_img(array("class"=>"gThumbnail")) themes/default/views/album.html.php 23 DIRTY_JS $child->url() -themes/default/views/block.html.php 2 DIRTY_ATTR $anchor -themes/default/views/block.html.php 3 DIRTY_ATTR $css_id -themes/default/views/block.html.php 4 DIRTY $title -themes/default/views/block.html.php 6 DIRTY $content +themes/default/views/block.html.php 3 DIRTY_ATTR $anchor +themes/default/views/block.html.php 5 DIRTY_ATTR $css_id +themes/default/views/block.html.php 6 DIRTY $title +themes/default/views/block.html.php 8 DIRTY $content themes/default/views/dynamic.html.php 11 DIRTY_ATTR $child->is_album()?"gAlbum":"" themes/default/views/dynamic.html.php 13 DIRTY_JS $child->url() themes/default/views/dynamic.html.php 14 DIRTY_ATTR $child->id @@ -325,9 +329,11 @@ themes/default/views/page.html.php 41 DIRTY $new_w themes/default/views/page.html.php 42 DIRTY $new_height themes/default/views/page.html.php 43 DIRTY $thumb_proportion themes/default/views/page.html.php 82 DIRTY $header_text -themes/default/views/page.html.php 112 DIRTY $content -themes/default/views/page.html.php 118 DIRTY newView("sidebar.html") -themes/default/views/page.html.php 125 DIRTY $footer_text +themes/default/views/page.html.php 84 DIRTY_JS item::root()->url() +themes/default/views/page.html.php 102 DIRTY_JS $parent->url($parent==$theme->item()->parent()?"show={$theme->item()->id}":null) +themes/default/views/page.html.php 117 DIRTY $content +themes/default/views/page.html.php 123 DIRTY newView("sidebar.html") +themes/default/views/page.html.php 130 DIRTY $footer_text themes/default/views/pager.html.php 13 DIRTY_JS str_replace('{page}',1,$url) themes/default/views/pager.html.php 20 DIRTY_JS str_replace('{page}',$previous_page,$url) themes/default/views/pager.html.php 27 DIRTY $from_to_msg diff --git a/modules/gallery/views/admin_languages.html.php b/modules/gallery/views/admin_languages.html.php index fa97d299..fb30c7ba 100644 --- a/modules/gallery/views/admin_languages.html.php +++ b/modules/gallery/views/admin_languages.html.php @@ -98,6 +98,6 @@ </a> </div> -<h3>Sharing your translations</h3> +<h3><?= t("Sharing your translations") ?></h3> <?= $share_translations_form ?> </div> diff --git a/modules/gallery/views/upgrader.html.php b/modules/gallery/views/upgrader.html.php index 5f93c2d5..8a01cd29 100644 --- a/modules/gallery/views/upgrader.html.php +++ b/modules/gallery/views/upgrader.html.php @@ -81,7 +81,7 @@ <? else: // can_upgrade ?> <h1> <?= t("Who are you?") ?> </h1> <p> - <?= t("You're not logged in as an administrator, so we have to verify you to make sure it's ok for you to do an upgrade. To prove you can run an upgrade, create a file called %name in your <b>gallery3/var/tmp</b> directory.", array("name" => "<br/><b>$upgrade_token</b>")) ?> + <?= t("You're not logged in as an administrator, so we have to verify you to make sure it's ok for you to do an upgrade. To prove you can run an upgrade, create a file called <br/><b>%name</b> in your <b>gallery3/var/tmp</b> directory.", array("name" => "$upgrade_token")) ?> </p> <a href="<?= url::site("upgrader?") ?>"><?= t("Ok, I've done that") ?></a> <? endif // can_upgrade ?> |