From 7ec490b6009965920fea35e971b29f11df6e6bff Mon Sep 17 00:00:00 2001
From: Bharat Mediratta
Date: Fri, 11 Sep 2009 11:04:35 -0700
Subject: rawurlencode() path components in relative_path_cache and relative_url_cache so that they're safe for browser use.
---
 modules/gallery/models/item.php | 4 ++--
 modules/gallery/tests/Item_Model_Test.php | 10 ++++++++++
 2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/modules/gallery/models/item.php b/modules/gallery/models/item.php
index da1f6959..a87997c6 100644
--- a/modules/gallery/models/item.php
+++ b/modules/gallery/models/item.php
@@ -284,8 +284,8 @@ class Item_Model extends ORM_MPTT {
 ->where("id <>", 1)
 ->orderby("left_ptr", "ASC")
 ->get() as $row) {
- $names[] = urlencode($row->name);
- $slugs[] = urlencode($row->slug);
+ $names[] = rawurlencode($row->name);
+ $slugs[] = rawurlencode($row->slug);
 }
 $this->relative_path_cache = implode($names, "/");
 $this->relative_url_cache = implode($slugs, "/");
diff --git a/modules/gallery/tests/Item_Model_Test.php b/modules/gallery/tests/Item_Model_Test.php
index 585e247c..84210e4c 100644
--- a/modules/gallery/tests/Item_Model_Test.php
+++ b/modules/gallery/tests/Item_Model_Test.php
@@ -150,4 +150,14 @@ class Item_Model_Test extends Unit_Test_Case {
 $this->assert_same("ORIGINAL_VALUE", $item->original()->title);
 $this->assert_same("NEW_VALUE", $item->title);
 }
+
+ public function urls_are_rawurlencoded_test() {
+ $item = self::_create_random_item();
+ $item->slug = "foo bar";
+ $item->name = "foo bar.jpg";
+ $item->save();
+
+ $this->assert_equal("foo%20bar", $item->relative_url());
+ $this->assert_equal("foo%20bar.jpg", $item->relative_path());
+ }
 }
-- cgit v1.2.3
From e1b9565232fac63ce63b29c434211ad9763b13ac Mon Sep 17 00:00:00 2001
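Review bot: The two added rawurlencode() calls are the right encoding for path segments, but nothing in the loop records why rawurlencode() rather than urlencode() was chosen, which invites a future revert; suggest a comment on the line before the loop such as `// rawurlencode(): RFC 3986 percent-encoding (space -> %20, never form-style "+"), because these segments are joined into URL paths`. Note that rawurlencode() leaves "." untouched, so a name or slug consisting of "." or ".." would still land as such a segment in the cache; presumably those values are rejected when the item is saved, which this loop cannot do itself — please confirm. The two implode() calls below keep the legacy (array, separator) argument order that later PHP releases drop; harmless here, but worth normalising to `implode("/", $names)` when the file is next touched. The enclosing method begins before the hunk and continues after it.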
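Review bot: The new test uses assert_equal() whereas the neighbouring assertions in this file use assert_same(); for string results the strict form is the better fit and keeps the file consistent: `$this->assert_same("foo%20bar", $item->relative_url());` and `$this->assert_same("foo%20bar.jpg", $item->relative_path());`. The expected values also assume _create_random_item() places the item directly under the root album, since the cached value is the joined path of all ancestors; that is inferred from the model hunk rather than visible here. A second case with a literal "+" in the slug (expecting `foo%2Bbar`) would document that a real plus survives a rawurldecode() round trip without becoming a space.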
From: Bharat Mediratta
Date: Fri, 11 Sep 2009 11:16:52 -0700
Subject: Change all booleans to use php_flag instead of php_value. And turn off suhosin.session.encrypt by default.
---
 .htaccess | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/.htaccess b/.htaccess
index 8c2e3793..1d8bcb34 100644
--- a/.htaccess
+++ b/.htaccess
@@ -1,12 +1,13 @@
- php_value short_open_tag 1
- php_value magic_quotes_gpc 0
- php_value magic_quotes_sybase 0
- php_value magic_quotes_runtime 0
- php_value register_globals 0
- php_value session.auto_start 0
- php_value upload_max_filesize 20M
- php_value post_max_size 100M
+ php_flag short_open_tag On
+ php_flag magic_quotes_gpc Off
+ php_flag magic_quotes_sybase Off
+ php_flag magic_quotes_runtime Off
+ php_flag register_globals Off
+ php_flag session.auto_start Off
+ php_flag suhosin.session.encrypt Off
+ php_value upload_max_filesize 20M
+ php_value post_max_size 100M
  # Try to disable the parts of mod_security that interfere with the Flash uploader
-- cgit v1.2.3
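Review bot: The added `php_flag suhosin.session.encrypt Off` line switches off Suhosin's transparent encryption of stored session data, and neither the file nor the commit message says why; a one-line comment above it, e.g. `# suhosin.session.encrypt Off: <reason — fill in which setup breaks with it On>`, would stop a later reader from re-enabling it or deleting the line as dead. These php_flag/php_value directives only take effect when PHP runs as an Apache module with .htaccess overrides allowed; the hunk's surrounding context (before the first removed line and after the mod_security comment) looks incomplete here, so I cannot see whether an IfModule guard wraps them — presumably it does, please confirm. Moving the boolean settings from 1/0 under php_value to On/Off under php_flag is the correct form for boolean INI directives.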