Diffstat (limited to 'modules/gallery')
-rw-r--r-- | modules/gallery/controllers/file_proxy.php | 10 | ||||
-rw-r--r-- | modules/gallery/controllers/items.php | 10 | ||||
-rw-r--r-- | modules/gallery/helpers/gallery_event.php | 12 | ||||
-rw-r--r-- | modules/gallery/helpers/gallery_graphics.php | 2 | ||||
-rw-r--r-- | modules/gallery/helpers/graphics.php | 4 | ||||
-rw-r--r-- | modules/gallery/helpers/legal_file.php | 12 | ||||
-rw-r--r-- | modules/gallery/helpers/module.php | 6 | ||||
-rw-r--r-- | modules/gallery/helpers/movie.php | 2 | ||||
-rw-r--r-- | modules/gallery/images/missing_movie.jpg | bin | 0 -> 3428 bytes | |||
-rw-r--r-- | modules/gallery/images/missing_movie.png | bin | 8474 -> 0 bytes | |||
-rw-r--r-- | modules/gallery/libraries/Admin_View.php | 7 | ||||
-rw-r--r-- | modules/gallery/libraries/IdentityProvider.php | 9 | ||||
-rw-r--r-- | modules/gallery/libraries/Theme_View.php | 7 | ||||
-rw-r--r-- | modules/gallery/models/item.php | 24 | ||||
-rw-r--r-- | modules/gallery/tests/Item_Model_Test.php | 50 | ||||
-rw-r--r-- | modules/gallery/tests/Legal_File_Helper_Test.php | 32 | ||||
-rw-r--r-- | modules/gallery/views/error_admin.html.php | 2 |
17 files changed, 161 insertions, 28 deletions
diff --git a/modules/gallery/controllers/file_proxy.php b/modules/gallery/controllers/file_proxy.php index 5c958a8d..36c6bc2a 100644 --- a/modules/gallery/controllers/file_proxy.php +++ b/modules/gallery/controllers/file_proxy.php @@ -122,7 +122,15 @@ class File_Proxy_Controller extends Controller { } else { header("Content-Type: $item->mime_type"); } - Kohana::close_buffers(false); + + // Don't use Kohana::close_buffers(false) here because that only closes all the buffers + // that Kohana started. We want to close *all* buffers at this point because otherwise we're + // going to buffer up whatever file we're proxying (and it may be very large). This may + // affect embedding or systems with PHP's output_buffering enabled. + while (ob_get_level()) { + ob_end_clean(); + } + readfile($file); } } diff --git a/modules/gallery/controllers/items.php b/modules/gallery/controllers/items.php index 0c20803c..318fb431 100644 --- a/modules/gallery/controllers/items.php +++ b/modules/gallery/controllers/items.php 
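Review bot: `while (ob_get_level()) { ob_end_clean(); }` never terminates if one of the buffers cannot be deleted, because ob_end_clean() then returns false and the level does not drop; PHP documents this for special buffers, and the comment itself anticipates foreign buffers from embedding or `output_buffering`. Make the loop exit on failure, e.g. `while (ob_get_level()) { if (!ob_end_clean()) { break; } }`, so the worst case is a buffered readfile() rather than a hung request. It is also worth stating in the comment that ob_end_clean() discards whatever earlier code echoed into those buffers, since that is the visible side effect of the change.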
@@ -24,15 +24,15 @@ class Items_Controller extends Controller { throw new Kohana_404_Exception(); } - // Redirect to the more specific resource type, since it will render - // differently. We can't delegate here because we may have gotten to this - // page via /items/<id> which means that we don't have a type-specific controller. Also, we - // want to drive a single canonical resource mapping where possible. + // Redirect to the more specific resource type, since it will render differently. We can't + // delegate here because we may have gotten to this page via /items/<id> which means that we + // don't have a type-specific controller. Also, we want to drive a single canonical resource + // mapping where possible. access::required("view", $item); url::redirect($item->abs_url()); } - // Return the width/height dimensinons for the given item + // Return the width/height dimensions for the given item public function dimensions($id) { $item = ORM::factory("item", $id); access::required("view", $item); diff --git a/modules/gallery/helpers/gallery_event.php b/modules/gallery/helpers/gallery_event.php index db087588..6225633f 100644 --- a/modules/gallery/helpers/gallery_event.php +++ b/modules/gallery/helpers/gallery_event.php @@ -23,6 +23,14 @@ class gallery_event_Core { * Initialization. */ static function gallery_ready() { + if (!get_cfg_var("date.timezone")) { + if (!(rand() % 4)) { + Kohana_Log::add("error", "date.timezone setting not detected in " . + get_cfg_var("cfg_file_path") . " falling back to UTC. " . + "Consult http://php.net/manual/function.get-cfg-var.php for help."); + } + } + identity::load_user(); theme::load_themes(); locales::set_request_locale(); 
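Review bot: `get_cfg_var("date.timezone")` only reports the value from php.ini; per the PHP manual it does not reflect a timezone set through the web server's configuration, and it never reflects ini_set() or date_default_timezone_set(), so the new check logs an error on installs that configure the timezone those ways. `ini_get("date.timezone")` returns the effective setting and avoids the false alarm. The message says "falling back to UTC", but nothing in the hunk sets a timezone; if the fallback lives elsewhere, mention where, otherwise call `date_default_timezone_set("UTC")` here so the log entry is accurate. The `rand() % 4` sampling deserves a one-line comment such as `// Log on roughly one request in four to keep this from flooding the log`; gallery_ready()'s body continues outside the hunk.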
@@ -549,8 +557,8 @@ class gallery_event_Core { $value = $data->user->$field; if ($field == "locale") { $value = locales::display_name($value); - } elseif ($field == "url") { - $value = html::mark_clean(html::anchor($data->user->$field)); + } else if ($field == "url") { + $value = html::mark_clean(html::anchor(html::clean($data->user->$field))); } $v->user_profile_data[(string) $label] = $value; } diff --git a/modules/gallery/helpers/gallery_graphics.php b/modules/gallery/helpers/gallery_graphics.php index 02f628a1..d2b92c87 100644 --- a/modules/gallery/helpers/gallery_graphics.php +++ b/modules/gallery/helpers/gallery_graphics.php @@ -126,7 +126,7 @@ class gallery_graphics_Core { module::event("graphics_composite_completed", $input_file, $output_file, $options, $item); } catch (ErrorException $e) { - Kohana_Log::add("error", $e->get_message()); + Kohana_Log::add("error", $e->getMessage()); } } } diff --git a/modules/gallery/helpers/graphics.php b/modules/gallery/helpers/graphics.php index 7e0bbbea..c19fbe6d 100644 --- a/modules/gallery/helpers/graphics.php +++ b/modules/gallery/helpers/graphics.php @@ -156,12 +156,12 @@ class graphics_Core { foreach ($ops as $target => $output_file) { if ($input_item->is_movie()) { // Convert the movie to a JPG first - $output_file = preg_replace("/...$/", "jpg", $output_file); + $output_file = legal_file::change_extension($output_file, "jpg"); try { movie::extract_frame($input_file, $output_file); } catch (Exception $e) { // Assuming this is MISSING_FFMPEG for now - copy(MODPATH . "gallery/images/missing_movie.png", $output_file); + copy(MODPATH . "gallery/images/missing_movie.jpg", $output_file); } $working_file = $output_file; } else { diff --git a/modules/gallery/helpers/legal_file.php b/modules/gallery/helpers/legal_file.php index 6ec65e97..af6472ca 100644 --- a/modules/gallery/helpers/legal_file.php +++ b/modules/gallery/helpers/legal_file.php 
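Review bot: `html::mark_clean(html::anchor(html::clean($data->user->$field)))` escapes the profile URL, which protects the text and attribute contexts, but html::clean() (outside the hunk) is presumably an HTML escaper and does not constrain the URL scheme, so any non-http(s) value still becomes a clickable href. Validate the scheme before anchoring, e.g. `if (preg_match("#^https?://#i", $value)) {` around the anchor and fall through to plain escaped text otherwise. `$value` was assigned `$data->user->$field` two lines earlier, so the field can be reused instead of read again; the enclosing method starts and ends outside the hunk.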
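Review bot: The corrected `Kohana_Log::add("error", $e->getMessage())` logs only the message, while the IdentityProvider.php hunk in this same commit logs message plus trace; for an exception that is otherwise swallowed, the origin is the useful part. Consider `Kohana_Log::add("error", $e->getMessage() . " at " . $e->getFile() . ":" . $e->getLine());` so a failed composite can be traced without reproducing it.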
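Review bot: `copy(MODPATH . "gallery/images/missing_movie.jpg", $output_file)` ignores copy()'s return value, so if the placeholder is absent (this commit renames it from .png, which a partially deployed install will miss) or `$output_file` is unwritable, `$working_file` points at a path with no file behind it and the failure surfaces later with a less useful error. Check it and log: `if (!copy(MODPATH . "gallery/images/missing_movie.jpg", $output_file)) { Kohana_Log::add("error", "Couldn't copy missing_movie.jpg to $output_file"); }`. The `catch (Exception $e)` still discards `$e`; logging `$e->getMessage()` there would show whether the cause is really the missing-ffmpeg case the comment assumes. The enclosing method starts and ends outside the hunk.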
@@ -80,4 +80,16 @@ class legal_file_Core { module::event("legal_movie_types", $types_wrapper); return $types_wrapper->types; } + + /** + * Convert the extension of a filename. If the original filename has no + * extension, add the new one to the end. + */ + static function change_extension($filename, $new_ext) { + if (strpos($filename, ".") === false) { + return "{$filename}.{$new_ext}"; + } else { + return preg_replace("/\..*?$/", ".{$new_ext}", $filename); + } + } } diff --git a/modules/gallery/helpers/module.php b/modules/gallery/helpers/module.php index 3368e39b..7292b106 100644 --- a/modules/gallery/helpers/module.php +++ b/modules/gallery/helpers/module.php @@ -109,7 +109,11 @@ class module_Core { $modules->gallery->locked = true; $identity_module = module::get_var("gallery", "identity_provider", "user"); $modules->$identity_module->locked = true; - $modules->ksort(); + + function natural_name_sort($a, $b) { + return strnatcasecmp($a->name, $b->name); + } + $modules->uasort('natural_name_sort'); self::$available = $modules; } diff --git a/modules/gallery/helpers/movie.php b/modules/gallery/helpers/movie.php index 79b5a7c2..b54811df 100644 --- a/modules/gallery/helpers/movie.php +++ b/modules/gallery/helpers/movie.php @@ -106,7 +106,7 @@ class movie_Core { $cmd = escapeshellcmd($ffmpeg) . " -i " . escapeshellarg($file_path) . " 2>&1"; $result = `$cmd`; - if (preg_match("/Stream.*?Video:.*?(\d+)x(\d+)/", $result, $regs)) { + if (preg_match("/Stream.*?Video:.*?, (\d+)x(\d+)/", $result, $regs)) { list ($width, $height) = array($regs[1], $regs[2]); } else { list ($width, $height) = array(0, 0); diff --git a/modules/gallery/images/missing_movie.jpg b/modules/gallery/images/missing_movie.jpg Binary files differnew file mode 100644 index 00000000..452db225 --- /dev/null +++ b/modules/gallery/images/missing_movie.jpg 
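Review bot: `preg_replace("/\..*?$/", ".{$new_ext}", $filename)` replaces from the first dot in the whole string, because the engine takes the leftmost match and the lazy quantifier only governs how much is consumed after it; for a path with a dotted directory (`/srv/gallery.example/var/thumbs/x.mpeg`) or a multi-dot basename (`x.tar.gz`) everything after the first dot is lost. The callers added in this commit (graphics.php and the thumb/resize path methods in item.php) pass full paths, so this can rewrite directory components, not just the extension. The `strpos($filename, ".") === false` branch has the mirror problem: a dotted directory with an extensionless basename is treated as already having an extension and gets the regex. Working on the last path component and the last dot keeps the three new tests green and makes `x.tar.gz` become `x.tar.jpg`, consistent with the `pathinfo(..., PATHINFO_EXTENSION)` check in the item.php validation hunk.
```php
  static function change_extension($filename, $new_ext) {
    // Look only at the last path component so dots in directory names are left
    // alone, and only at the last dot so "x.tar.gz" becomes "x.tar.<ext>".
    $dot = strrpos($filename, ".");
    $slash = strrpos($filename, "/");
    if ($dot === false || ($slash !== false && $dot < $slash)) {
      return "{$filename}.{$new_ext}";
    }
    return substr($filename, 0, $dot) . ".{$new_ext}";
  }
```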
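Review bot: `function natural_name_sort($a, $b)` is declared inside a method body, which in PHP defines a global function when that statement executes; the second time the enclosing method runs (it starts outside the hunk, and the `self::$available` assignment suggests a loader that can be re-entered) PHP aborts with a fatal "Cannot redeclare natural_name_sort()" error. Move the comparator to a static method and pass it as a callable: `$modules->uasort(array("module", "natural_name_sort"));` with `static function natural_name_sort($a, $b) { return strnatcasecmp($a->name, $b->name); }` next to the other static methods. A `function_exists()` guard would avoid the fatal but would still leak a global name.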
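Review bot: The tightened pattern `/Stream.*?Video:.*?, (\d+)x(\d+)/` relies on ffmpeg printing the dimensions as a comma-separated field after `Video:`, and the silent `list ($width, $height) = array(0, 0)` fallback will hide any future change to that output. A comment giving a constructed sample of the expected line, e.g. `// Expects a line like "Stream #0.0: Video: h264, yuv420p, 1280x720 [...]" (constructed sample)`, documents the contract, and logging `$result` in the else branch would make the 0x0 case diagnosable. The enclosing method starts and ends outside the hunk.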
diff --git a/modules/gallery/images/missing_movie.png b/modules/gallery/images/missing_movie.png Binary files differdeleted file mode 100644 index fdc97779..00000000 --- a/modules/gallery/images/missing_movie.png +++ /dev/null diff --git a/modules/gallery/libraries/Admin_View.php b/modules/gallery/libraries/Admin_View.php index fcfe7aa2..66b8c20c 100644 --- a/modules/gallery/libraries/Admin_View.php +++ b/modules/gallery/libraries/Admin_View.php @@ -31,7 +31,12 @@ class Admin_View_Core extends Gallery_View { $this->theme_name = module::get_var("gallery", "active_admin_theme"); if (identity::active_user()->admin) { - $this->theme_name = Input::instance()->get("theme", $this->theme_name); + $theme_name = Input::instance()->get("theme"); + if ($theme_name && + file_exists(THEMEPATH . $theme_name) && + strpos(realpath(THEMEPATH . $theme_name), THEMEPATH) == 0) { + $this->theme_name = $theme_name; + } } $this->sidebar = ""; $this->set_global(array("theme" => $this, diff --git a/modules/gallery/libraries/IdentityProvider.php b/modules/gallery/libraries/IdentityProvider.php index 66c68dad..c9e8688f 100644 --- a/modules/gallery/libraries/IdentityProvider.php +++ b/modules/gallery/libraries/IdentityProvider.php @@ -85,6 +85,10 @@ class IdentityProvider_Core { call_user_func("{$new_provider}_installer::initialize"); } + if (!$provider->admin_user()) { + throw new Exception("IdentityProvider $new_provider: Couldn't find the admin user!"); + } + module::event("identity_provider_changed", $current_provider, $new_provider); identity::set_active_user($provider->admin_user()); 
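Review bot: `strpos(realpath(THEMEPATH . $theme_name), THEMEPATH) == 0` accepts exactly the paths it is meant to reject: when the resolved path lies outside THEMEPATH, strpos() returns false, and `false == 0` is true under loose comparison (realpath() returning false for an unresolvable path is treated the same way). Use strict comparison and check the realpath result first: `$real = realpath(THEMEPATH . $theme_name);` and `if ($theme_name && $real !== false && strpos($real, THEMEPATH) === 0) {`. Restricting the parameter to a plain directory name before touching the filesystem, e.g. `preg_match("/^[a-zA-Z0-9_-]+$/", $theme_name)`, removes the dependence on realpath() behaviour altogether. The Theme_View.php hunk duplicates these lines and has the same defect; a shared helper on Gallery_View would fix both in one place.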
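Review bot: `$provider->admin_user()` is now called twice in a row, once in the new guard and again in `identity::set_active_user($provider->admin_user())` a few lines below; if the provider looks the user up on each call, the second call can still come back empty. Assign it once, `$admin_user = $provider->admin_user();`, throw on `!$admin_user`, and pass `$admin_user` to set_active_user(). The enclosing method starts and ends outside the hunk, so whether this throw is caught by the handler shown in the next hunk cannot be confirmed here.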
@@ -100,7 +104,12 @@ class IdentityProvider_Core { // Make sure new provider is not in the database try { module::uninstall($new_provider); + } catch (Exception $e2) { + Kohana_Log::add("error", "Error uninstalling failed new provider\n" . + $e2->getMessage() . "\n" . $e2->getTraceAsString()); + } + try { // Lets reset to the current provider so that the gallery installation is still // working. module::set_var("gallery", "identity_provider", null); diff --git a/modules/gallery/libraries/Theme_View.php b/modules/gallery/libraries/Theme_View.php index 031da6de..78b74cde 100644 --- a/modules/gallery/libraries/Theme_View.php +++ b/modules/gallery/libraries/Theme_View.php @@ -33,7 +33,12 @@ class Theme_View_Core extends Gallery_View { $this->theme_name = module::get_var("gallery", "active_site_theme"); if (identity::active_user()->admin) { - $this->theme_name = Input::instance()->get("theme", $this->theme_name); + $theme_name = Input::instance()->get("theme"); + if ($theme_name && + file_exists(THEMEPATH . $theme_name) && + strpos(realpath(THEMEPATH . $theme_name), THEMEPATH) == 0) { + $this->theme_name = $theme_name; + } } $this->item = null; $this->tag = null; diff --git a/modules/gallery/models/item.php b/modules/gallery/models/item.php index e90e0fcb..98a2c4df 100644 --- a/modules/gallery/models/item.php +++ b/modules/gallery/models/item.php @@ -188,7 +188,7 @@ class Item_Model_Core extends ORM_MPTT { return $base . "/.album.jpg"; } else if ($this->is_movie()) { // Replace the extension with jpg - return preg_replace("/...$/", "jpg", $base); + return legal_file::change_extension($base, "jpg"); } } @@ -213,7 +213,7 @@ class Item_Model_Core extends ORM_MPTT { return $base . "/.album.jpg" . $cache_buster; } else if ($this->is_movie()) { // Replace the extension with jpg - $base = preg_replace("/...$/", "jpg", $base); + $base = legal_file::change_extension($base, "jpg"); return $base . $cache_buster; } } 
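Review bot: The new `Kohana_Log::add("error", "Error uninstalling failed new provider\n" . ...)` does not say which provider could not be uninstalled; include it in the text, e.g. `"Error uninstalling failed new provider {$new_provider}\n"`, so the entry can be correlated with the original failure. The second `try {` opened at the end of the hunk is closed outside it, so its catch block could not be reviewed.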
@@ -803,18 +803,22 @@ class Item_Model_Core extends ORM_MPTT { } if ($this->is_movie() || $this->is_photo()) { - if (!$this->loaded()) { + $ext = pathinfo($this->name, PATHINFO_EXTENSION); + + if (!$this->loaded() && !$ext) { // New items must have an extension - $ext = pathinfo($this->name, PATHINFO_EXTENSION); - if (!$ext) { + $v->add_error("name", "illegal_data_file_extension"); + return; + } + + if ($this->is_photo()) { + if (!in_array(strtolower($ext), legal_file::get_photo_extensions())) { $v->add_error("name", "illegal_data_file_extension"); - return; } + } - if ($this->is_photo() && - !in_array(strtolower($ext), array_map("strtolower", legal_file::get_photo_extensions())) || - $this->is_movie() && - !in_array(strtolower($ext), array_map("strtolower", legal_file::get_movie_extensions()))) { + if ($this->is_movie()) { + if (!in_array(strtolower($ext), legal_file::get_movie_extensions())) { $v->add_error("name", "illegal_data_file_extension"); } } diff --git a/modules/gallery/tests/Item_Model_Test.php b/modules/gallery/tests/Item_Model_Test.php index 205d0a08..6d40230f 100644 --- a/modules/gallery/tests/Item_Model_Test.php +++ b/modules/gallery/tests/Item_Model_Test.php 
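Review bot: `in_array(strtolower($ext), legal_file::get_photo_extensions())` drops the `array_map("strtolower", ...)` that the removed code applied to the whitelist, so an extension contributed in mixed case by another module (legal_file.php fires a `legal_movie_types` event for that, visible in its hunk, and presumably a photo counterpart) would never match; the movie branch has the same gap. Either keep the normalisation or document that the lists must be lowercase, and pass `true` as the third argument so matching is strict: `if (!in_array(strtolower($ext), array_map("strtolower", legal_file::get_photo_extensions()), true)) {` and likewise for `get_movie_extensions()`. The check inspects only the last extension via `pathinfo(..., PATHINFO_EXTENSION)`; that is fine as long as the web server also dispatches on the last extension only, which is worth a comment. The enclosing validation method starts and ends outside the hunk.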
@@ -333,7 +333,36 @@ class Item_Model_Test extends Gallery_Unit_Test_Case { $photo->mime_type = "video/x-flv"; $photo->save(); } catch (ORM_Validation_Exception $e) { - $this->assert_same(array("type" => "read_only"), $e->validation->errors()); + $this->assert_same( + array("name" => "illegal_data_file_extension", "type" => "read_only"), + $e->validation->errors()); + return; // pass + } + $this->assert_true(false, "Shouldn't get here"); + } + + public function photo_files_must_have_an_extension_test() { + try { + $photo = test::random_photo_unsaved(); + $photo->mime_type = "image/jpeg"; + $photo->name = "no_extension"; + $photo->save(); + } catch (ORM_Validation_Exception $e) { + $this->assert_same(array("name" => "illegal_data_file_extension"), $e->validation->errors()); + return; // pass + } + $this->assert_true(false, "Shouldn't get here"); + } + + public function movie_files_must_have_an_extension_test() { + try { + $movie = test::random_photo_unsaved(); + $movie->type = "movie"; + $movie->mime_type = "video/x-flv"; + $movie->name = "no_extension"; + $movie->save(); + } catch (ORM_Validation_Exception $e) { + $this->assert_same(array("name" => "illegal_data_file_extension"), $e->validation->errors()); return; // pass } $this->assert_true(false, "Shouldn't get here"); @@ -421,7 +450,8 @@ class Item_Model_Test extends Gallery_Unit_Test_Case { $photo->set_data_file(MODPATH . "gallery/tests/Item_Model_Test.php"); $photo->save(); } catch (ORM_Validation_Exception $e) { - $this->assert_same(array("mime_type" => "invalid"), $e->validation->errors()); + $this->assert_same(array("mime_type" => "invalid", "name" => "illegal_data_file_extension"), + $e->validation->errors()); return; // pass } $this->assert_true(false, "Shouldn't get here"); 
@@ -473,4 +503,20 @@ class Item_Model_Test extends Gallery_Unit_Test_Case { $this->assert_true(false, "Shouldn't get here"); } } + + public function cant_rename_to_illegal_extension_test() { + foreach (array("test.php.test", "test.php", "test.PHP", + "test.php5", "test.php4", "test.pl") as $name) { + try { + $photo = test::random_photo(item::root()); + $photo->name = $name; + $photo->save(); + } catch (ORM_Validation_Exception $e) { + $this->assert_equal(array("name" => "illegal_data_file_extension"), + $e->validation->errors()); + continue; + } + $this->assert_true(false, "Shouldn't get here"); + } + } } diff --git a/modules/gallery/tests/Legal_File_Helper_Test.php b/modules/gallery/tests/Legal_File_Helper_Test.php new file mode 100644 index 00000000..c101de10 --- /dev/null +++ b/modules/gallery/tests/Legal_File_Helper_Test.php 
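Review bot: `cant_rename_to_illegal_extension_test` uses `assert_equal` where the sibling tests in this file use `assert_same`; use the same assertion so a type or key difference is not silently accepted. The name list covers names that end in a server-side extension but not one with an allowed extension after a disallowed one (`test.php.jpg`); because the validator only inspects the last extension, adding that name documents whether it is meant to pass, and if it is meant to fail (some web-server handler configurations dispatch on any extension in the name) the validator needs to examine every segment.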
@@ -0,0 +1,32 @@ +<?php defined("SYSPATH") or die("No direct script access."); +/** + * Gallery - a web based photo album viewer and editor + * Copyright (C) 2000-2012 Bharat Mediratta + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or (at + * your option) any later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA. + */ +class Legal_File_Helper_Test extends Gallery_Unit_Test_Case { + public function change_extension_test() { + $this->assert_equal("foo.jpg", legal_file::change_extension("foo.png", "jpg")); + } + + public function change_four_letter_extension_test() { + $this->assert_equal("foo.flv", legal_file::change_extension("foo.mpeg", "flv")); + } + + public function change_extension_with_no_extension_test() { + $this->assert_equal("foo.flv", legal_file::change_extension("foo", "flv")); + } +}
\ No newline at end of file diff --git a/modules/gallery/views/error_admin.html.php b/modules/gallery/views/error_admin.html.php index af78c59c..a391746e 100644 --- a/modules/gallery/views/error_admin.html.php +++ b/modules/gallery/views/error_admin.html.php @@ -184,7 +184,7 @@ <?= $type?> [ <?= $code ?> ]: </span> <span class="message"> - <?= $message?> + <?= html::purify($message) ?> </span> </h3> <div id="<?= $error_id ?>" class="content"> |
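Review bot: The three cases cover bare filenames only, while change_extension() is called from item.php and graphics.php with full paths; add a path whose directory contains a dot and a basename with two dots, e.g. `$this->assert_equal("/a/b.c/d.jpg", legal_file::change_extension("/a/b.c/d.mpeg", "jpg"));` and `$this->assert_equal("/a/b.c/d.jpg", legal_file::change_extension("/a/b.c/d", "jpg"));`. Both fail against the implementation in the legal_file.php hunk (each returns "/a/b.jpg"), which is exactly what the tests should catch. The file also ends without a trailing newline.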
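Review bot: `<?= html::purify($message) ?>` escapes the message, but `$type` and `$code` on the line above and `$error_id` in the `id` attribute below are still echoed raw; if they are always internal values (an exception class and code) that is harmless, but it is not visible here, and `html::clean()` on each would make the view safe regardless of source. For a plain-text error message `html::clean($message)` is the more predictable choice than purify(), which, if it is the HTMLPurifier-backed filter (its implementation is not in the hunk), lets a markup subset through; if messages deliberately carry markup, a comment saying so would stop the next reader from "fixing" it.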