From 39b8810c3b37538e015c9d8cb7b46c59d87fb8c7 Mon Sep 17 00:00:00 2001 From: Andy Staudacher Date: Wed, 24 Feb 2010 16:39:18 -0800 Subject: Fix multi-column layout of language admin. --- modules/gallery/views/admin_languages.html.php | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) (limited to 'modules/gallery/views') diff --git a/modules/gallery/views/admin_languages.html.php b/modules/gallery/views/admin_languages.html.php index 07134475..d4b7b0c1 100644 --- a/modules/gallery/views/admin_languages.html.php +++ b/modules/gallery/views/admin_languages.html.php @@ -49,13 +49,14 @@ $display_name): ?> - - - - - - - + +
+ + + + + + "> -- cgit v1.2.3 From d9707ae749df2770370dc4eeeeaddda28f092d4d Mon Sep 17 00:00:00 2001 From: Andy Staudacher Date: Sat, 27 Feb 2010 02:37:39 -0800 Subject: Fix for ticket #1036 - Don't echo any sensitive information such as passwords, hashes or personally identifiable information. --- modules/gallery/libraries/MY_Kohana_Exception.php | 57 ++++++++ modules/gallery/tests/Kohana_Exception_Test.php | 170 ++++++++++++++++++++++ modules/gallery/views/kohana/error.php | 4 +- 3 files changed, 229 insertions(+), 2 deletions(-) create mode 100644 modules/gallery/tests/Kohana_Exception_Test.php (limited to 'modules/gallery/views') diff --git a/modules/gallery/libraries/MY_Kohana_Exception.php b/modules/gallery/libraries/MY_Kohana_Exception.php index d6f1f467..1712d895 100644 --- a/modules/gallery/libraries/MY_Kohana_Exception.php +++ b/modules/gallery/libraries/MY_Kohana_Exception.php 
@@ -92,4 +92,61 @@ class Kohana_Exception extends Kohana_Exception_Core {
 }
 print $view;
 }
+
+ /**
+ * @see Kohana_Exception::dump()
+ */
+ public static function dump($value, $length=128, $max_level=5) {
+ return self::safe_dump($value, null, $length, $max_level);
+ }
+
+ /**
+ * A safer version of dump(), eliding sensitive information in the dumped
+ * data, such as session ids and passwords / hashes.
+ */
+ public static function safe_dump($value, $key, $length=128, $max_level=5) {
+ return parent::dump(self::_sanitize_for_dump($value, $key), $length, $max_level);
+ }
+
+ /**
+ * Elides sensitive data which shouldn't be echoed to the client,
+ * such as passwords, and other secrets.
+ */
+ /* Visible for testing*/ static function _sanitize_for_dump($value, $key=null) {
+ // Better elide too much than letting something through.
+ // Note: unanchored match is intended.
+ $sensitive_info_pattern =
+ '/(password|pass|email|hash|private_key|session_id|session|g3sid|csrf|secret)/i';
+ if (preg_match($sensitive_info_pattern, $key) ||
+ (is_string($value) && preg_match('/[a-f0-9]{20,}/i', $value))) {
+ return 'removed for display';
+ } else if (is_object($value)) {
+ if ($value instanceof Database) {
+ // Elide database password, host, name, user, etc.
+ return get_class($value) . ' object - details omitted for display';
+ } else if ($value instanceof User_Model) {
+ return get_class($value) . ' object for "' . $value->name . '" - details omitted for display';
+ }
+ return self::_sanitize_for_dump((array) $value, $key);
+ } else if (is_array($value)) {
+ $result = array();
+ foreach ($value as $k => $v) {
+ $actual_key = $k;
+ $key_for_display = $k;
+ if ($k[0] === "\x00") {
+ // Remove the access level from the variable name
+ $actual_key = substr($k, strrpos($k, "\x00") + 1);
+ $access = $k[1] === '*' ? 'protected' : 'private';
+ $key_for_display = "$access: $actual_key";
+ }
+ if (is_object($v)) {
+ $key_for_display .= ' (type: ' . get_class($v) . ')';
+ }
+ $result[$key_for_display] = self::_sanitize_for_dump($v, $actual_key);
+ }
+ } else {
+ $result = $value;
+ }
+ return $result;
+ }
 }
\ No newline at end of file
diff --git a/modules/gallery/tests/Kohana_Exception_Test.php b/modules/gallery/tests/Kohana_Exception_Test.php
new file mode 100644
index 00000000..d2dbb4dc
--- /dev/null
+++ b/modules/gallery/tests/Kohana_Exception_Test.php
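Review bot: `_sanitize_for_dump` recurses into every nested array and every `(array)`-cast object with no depth limit, so a value graph that refers back to itself (an object holding a reference to its own container, which is easy to end up with in request or model state) would recurse without bound and turn the error page itself into a fatal error; the `$max_level` that `safe_dump` hands to `parent::dump` never reaches the sanitizer. Thread a depth counter through both recursive calls and stop at a small cap (5 here, matching the `dump()` default), as sketched below. Separately, the key pattern has no entry for `token`, `cookie`, `pwd` or `authorization`, so a bearer token or a cookie header is elided only if its value happens to be 20+ hex characters; given the stated "better elide too much" policy those names are worth adding to `$sensitive_info_pattern`. Also `$k[0]` on an empty-string array key emits an uninitialized-offset notice; `isset($k[0]) && $k[0] === "\x00"` avoids it.
```php
/* Visible for testing*/ static function _sanitize_for_dump($value, $key=null, $depth=0) {
  if ($depth > 5) {
    // Cyclic or very deep value graphs would otherwise recurse without bound.
    return 'nesting too deep - omitted for display';
  }
  // … unchanged: sensitive key / hex value check, Database and User_Model cases …
  return self::_sanitize_for_dump((array) $value, $key, $depth + 1);
  // … unchanged: array branch up to the recursive call …
  $result[$key_for_display] = self::_sanitize_for_dump($v, $actual_key, $depth + 1);
  // … unchanged: scalar branch and return …
```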
@@ -0,0 +1,170 @@
+assert_equal('string(19) "removed for display"',
+ Kohana_Exception::dump("1a62761b836138c6198313911"));
+ $this->assert_equal('string(14) "original value"',
+ Kohana_Exception::dump("original value"));
+ }
+
+ public function safe_dump_test() {
+ // Verify the delegation.
+ $this->assert_equal('string(19) "removed for display"',
+ Kohana_Exception::safe_dump("original value", "password"));
+ $this->assert_equal('string(14) "original value"',
+ Kohana_Exception::safe_dump("original value", "meow"));
+ }
+
+ public function sanitize_for_dump_match_key_test() {
+ $this->assert_equal("removed for display",
+ Kohana_Exception::_sanitize_for_dump("original value", "password"));
+ $this->assert_equal("original value",
+ Kohana_Exception::_sanitize_for_dump("original value", "meow"));
+ }
+
+ public function sanitize_for_dump_match_key_loosely_test() {
+ $this->assert_equal("removed for display",
+ Kohana_Exception::_sanitize_for_dump("original value", "this secret key"));
+ }
+
+ public function sanitize_for_dump_match_value_test() {
+ // Looks like a hash / secret value.
+ $this->assert_equal("removed for display",
+ Kohana_Exception::_sanitize_for_dump("p$2a178b841c6391d6368f131", "meow"));
+ $this->assert_equal("original value",
+ Kohana_Exception::_sanitize_for_dump("original value", "meow"));
+ }
+
+ public function sanitize_for_dump_array_test() {
+ $var = array("safe" => "original value 1",
+ "some hash" => "original value 2",
+ "three" => "2a3728788982938293b9292");
+ $expected = array("safe" => "original value 1",
+ "some hash" => "removed for display",
+ "three" => "removed for display");
+
+ $this->assert_equal($expected,
+ Kohana_Exception::_sanitize_for_dump($var, "ignored"));
+ }
+
+ public function sanitize_for_dump_nested_array_test() {
+ $var = array("safe" => "original value 1",
+ "safe 2" => array("some hash" => "original value 2"));
+ $expected = array("safe" => "original value 1",
+ "safe 2" => array("some hash" => "removed for display"));
+ $this->assert_equal($expected,
+ Kohana_Exception::_sanitize_for_dump($var, "ignored"));
+ }
+
+ public function sanitize_for_dump_user_test() {
+ $user = new User_Model();
+ $user->name = "john";
+ $user->hash = "value 1";
+ $user->email = "value 2";
+ $user->full_name = "value 3";
+ $this->assert_equal('User_Model object for "john" - details omitted for display',
+ Kohana_Exception::_sanitize_for_dump($user, "ignored"));
+ }
+
+ public function sanitize_for_dump_database_test() {
+ $db = new Kohana_Exception_Test_Database(
+ array("connection" => array("user" => "john", "name" => "gallery_3"),
+ "cache" => array()));
+ $this->assert_equal("Kohana_Exception_Test_Database object - details omitted for display",
+ Kohana_Exception::_sanitize_for_dump($db, "ignored"));
+ }
+
+ public function sanitize_for_dump_nested_database_test() {
+ $db = new Kohana_Exception_Test_Database(
+ array("connection" => array("user" => "john", "name" => "gallery_3"),
+ "cache" => array()));
+ $var = array("some" => "foo",
+ "bar" => $db);
+ $this->assert_equal(
+ array("some" => "foo",
+ "bar (type: Kohana_Exception_Test_Database)" =>
+ "Kohana_Exception_Test_Database object - details omitted for display"),
+ Kohana_Exception::_sanitize_for_dump($var, "ignored"));
+ }
+
+ public function sanitize_for_dump_object_test() {
+ $obj = new Kohana_Exception_Test_Class();
+ $obj->password = "original value";
+ $expected = array("var_1" => "val 1",
+ "protected: var_2" => "val 2",
+ "private: var_3" => "val 3",
+ "protected: hash" => "removed for display",
+ "private: email_address" => "removed for display",
+ "password" => "removed for display");
+ $this->assert_equal($expected,
+ Kohana_Exception::_sanitize_for_dump($obj, "ignored"));
+ }
+
+ public function sanitize_for_dump_nested_object_test() {
+ $user = new User_Model();
+ $user->name = "john";
+ $obj = new Kohana_Exception_Test_Class();
+ $obj->meow = new Kohana_Exception_Test_Class();
+ $obj->woof = "original value";
+ $obj->foo = array("bar" => $user);
+ $expected = array("var_1" => "val 1",
+ "protected: var_2" => "val 2",
+ "private: var_3" => "val 3",
+ "protected: hash" => "removed for display",
+ "private: email_address" => "removed for display",
+ "meow (type: Kohana_Exception_Test_Class)" =>
+ array("var_1" => "val 1",
+ "protected: var_2" => "val 2",
+ "private: var_3" => "val 3",
+ "protected: hash" => "removed for display",
+ "private: email_address" => "removed for display"),
+ "woof" => "original value",
+ "foo" => array("bar (type: User_Model)" =>
+ 'User_Model object for "john" - details omitted for display'));
+ $this->assert_equal($expected,
+ Kohana_Exception::_sanitize_for_dump($obj, "ignored"));
+ }
+}
+
+class Kohana_Exception_Test_Database extends Database {
+ function __construct($config) { parent::__construct($config); }
+ public function connect() {}
+ public function disconnect() {}
+ public function set_charset($charset) {}
+ public function query_execute($sql) {}
+ public function escape($value) {}
+ public function list_constraints($table) {}
+ public function list_fields($table) {}
+ public function list_tables() {}
+}
+
+class Kohana_Exception_Test_Class {
+ public $var_1 = "val 1";
+ protected $var_2 = "val 2";
+ private $var_3 = "val 3";
+ protected $hash = "val 4";
+ private $email_address = "val 5";
+ function __set($name, $val) {
+ $this->$name = $val;
+ }
+}
\ No newline at end of file
diff --git a/modules/gallery/views/kohana/error.php b/modules/gallery/views/kohana/error.php
index 26628cf2..d55105a0 100644
--- a/modules/gallery/views/kohana/error.php
+++ b/modules/gallery/views/kohana/error.php
@@ -204,7 +204,7 @@
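Review bot: The fixture `"p$2a178b841c6391d6368f131"` in sanitize_for_dump_match_value_test is double-quoted, so it only stays literal because `$2` cannot begin a variable name; writing it as `'p$2a178b841c6391d6368f131'` makes the intent explicit and survives a later edit that changes the leading characters. The suite also never passes a list (integer-keyed array), an empty-string key, or a self-referencing object through `_sanitize_for_dump`, although all three reach its `$k[0]` check and its recursive branches; one case each would pin that behaviour. The start of the test class, including the dump_test signature, is cut off at the top of the hunk.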
@@ -265,7 +265,7 @@ -- cgit v1.2.3 From 5f985b3e2aa404d9b1145796dff8bc4c1e48b3f0 Mon Sep 17 00:00:00 2001 From: Chad Kieffer Date: Sun, 28 Feb 2010 18:46:43 -0700 Subject: Updates to upload CSS to make it themeable and RTL compatible. Use absolute positioning to handle upload button positioning. Remove color definitions to allow jQuery UI theme to set button colors. Consolidate upload dialog CSS to modules/css/gallery.css. Closes #885. --- lib/gallery.common.css | 66 ++++---------------------- modules/gallery/css/gallery.css | 68 +++++++++++++++++++++++++++ modules/gallery/views/form_uploadify.html.php | 29 ++---------- 3 files changed, 80 insertions(+), 83 deletions(-) (limited to 'modules/gallery/views') diff --git a/lib/gallery.common.css b/lib/gallery.common.css index 98b4ee40..31988b67 100644 --- a/lib/gallery.common.css +++ b/lib/gallery.common.css @@ -273,7 +273,7 @@ form li.g-warning { } .g-short-form li.g-error { - padding: .3em 0 .3em 0; + padding: .3em 0; } form.g-error input[type="text"], @@ -294,7 +294,8 @@ li.g-error select { .g-error, .g-denied, -tr.g-error td.g-error { +tr.g-error td.g-error, +#g-add-photos-status .g-error { background: #f6cbca url('images/ico-error.png') no-repeat .4em 50%; color: #f00; } @@ -304,7 +305,8 @@ tr.g-error td.g-error { } .g-success, -.g-allowed { +.g-allowed, +#g-add-photos-status .g-success { background: #d9efc2 url('images/ico-success.png') no-repeat .4em 50%; } 
@@ -603,60 +605,6 @@ div#g-action-status { margin-left: 0; } -/* Simple uploader ~~~~~~~~~~~~~~~~~~~~~~~ */ - -#g-add-photos-canvas { - border: 1px solid #ccc; - height: 200px; - margin: .5em 0; - overflow: auto; - width: 469px; -} - -#g-add-photos-status { - border: 1px solid #ccc; - height: 125px; - margin: .5em 0; - overflow: auto; - width: 469px; -} - -#g-add-photos button { - float: right; - margin-bottom: .5em; - margin-left: .5em; -} - -#g-add-photos-status li { - text-align: left; - padding-left: 2em; -} - -#g-add-photos-status li.g-success { - background: #d9efc2 url('images/ico-success.png') no-repeat .4em 50%; - width: 429px; -} - -#g-add-photos-status li.g-error { - background: #f6cbca url('images/ico-error.png') no-repeat .4em 50%; - width: 429px; -/* color: #f00;*/ -} - -#g-add-photos-button { - background: #DFEFFC; - border: 1px solid #C5DBEC; - color: #2E6E9E -} - -#g-add-photos p { - margin: 0 -} - -#g-add-photos .g-breadcrumbs li { - padding-top: .5em; -} - /** ******************************************************************* * 7) Right to left language styles **********************************************************************/ @@ -685,7 +633,9 @@ div#g-action-status { .rtl .g-error, .rtl .g-info, .rtl .g-success, -.rtl .g-warning { +.rtl .g-warning, +.rtl #g-add-photos-status .g-success, +.rtl #g-add-photos-status .g-error { background-position: center right; padding-right: 30px !important; } diff --git a/modules/gallery/css/gallery.css b/modules/gallery/css/gallery.css index f3e5ec6d..ed9986bf 100644 --- a/modules/gallery/css/gallery.css +++ b/modules/gallery/css/gallery.css 
@@ -11,6 +11,70 @@ * 1) End-user **********************************************************************/ +/* Uploader ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ */ + +#g-add-photos-canvas, +#g-add-photos-status { + width: 469px; +} + +#g-add-photos-canvas { + border: 1px solid #ccc; + height: 200px; + margin: .5em 0; + padding: 1.8em 0 0 0; + overflow: auto; + position: relative; +} + +#g-add-photos-canvas object, +#g-add-photos-button { + left: 137px; + margin: 0 0 .5em 0; + padding: .4em 1em; + position: absolute; + top: 0; + width: 175px; +} + +#g-add-photos-canvas object { + margin: 0; + z-index: 100; +} + +#g-add-photos-canvas .uploadifyQueueItem { + margin: 0; +} + +#g-add-photos-button { + z-index: 1; +} + +#g-add-photos-status { + border: 1px solid #ccc; + height: 125px; + margin: .4em 0; + overflow: auto; +} + +#g-add-photos-status .g-message-block { + border: none; +} + +#g-add-photos-status #g-action-status li { + margin: 0 0 1px 0; + padding-top: .7em; + width: 433px; +} + +#g-add-photos-form .g-breadcrumbs { + margin: 0; +} + +#g-add-photos-form p { + margin-bottom: 0 +} + /* Permissions ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ */ #g-edit-permissions-form { @@ -121,6 +185,10 @@ * 3) Right to left language styles **********************************************************************/ +.rtl #g-add-photos-status #g-action-status li { + width: 407px; +} + .rtl #g-block-admin .g-left { margin-left: 1em; margin-right: 0; diff --git a/modules/gallery/views/form_uploadify.html.php b/modules/gallery/views/form_uploadify.html.php index 137cb353..2cb690ea 100644 --- a/modules/gallery/views/form_uploadify.html.php +++ b/modules/gallery/views/form_uploadify.html.php @@ -1,25 +1,4 @@ -
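Review bot: In the new uploader block `#g-add-photos-canvas object` is declared twice: the shared rule with `#g-add-photos-button` sets `margin: 0 0 .5em 0`, and the stand-alone rule immediately below resets it to `margin: 0`, so the shared margin only ever applies to the button; moving the margin into the `#g-add-photos-button` rule states that once. `#g-add-photos-form p { margin-bottom: 0 }` is the only declaration in this file section without a terminating semicolon, which matters the moment another property is appended after it.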
-
+
-
+