From 88c0363344860ff87bb7fa2d084b8ab190b364cb Mon Sep 17 00:00:00 2001
From: Bharat Mediratta
Date: Wed, 16 May 2012 12:26:09 -0700
Subject: Prevent server_add autocomplete from being interpreted as UTF-7. Fixes #1871.
---
 modules/server_add/controllers/admin_server_add.php | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
(limited to 'modules/server_add/controllers/admin_server_add.php')
diff --git a/modules/server_add/controllers/admin_server_add.php b/modules/server_add/controllers/admin_server_add.php
index 954c9ef6..7e63e4ae 100644
--- a/modules/server_add/controllers/admin_server_add.php
+++ b/modules/server_add/controllers/admin_server_add.php
@@ -71,14 +71,13 @@ class Admin_Server_Add_Controller extends Admin_Controller {
   }
   public function autocomplete() {
-    $directories = array();
+    $directories = array('');
     $path_prefix = Input::instance()->get("q");
     foreach (glob("{$path_prefix}*") as $file) {
       if (is_dir($file) && !is_link($file)) {
         $directories[] = html::clean($file);
       }
     }
-
     print implode("\n", $directories);
   }
-- cgit v1.2.3
From 74fa9422db01fbc017ddbc847333cc7847f185ab Mon Sep 17 00:00:00 2001
From: Bharat Mediratta
Date: Sat, 19 May 2012 11:20:47 -0700
Subject: Revert "Prevent server_add autocomplete from being interpreted as UTF-7. Fixes #1871."
This only fixes server_add, we need to fix it more systemically.
This reverts commit 88c0363344860ff87bb7fa2d084b8ab190b364cb.
---
 modules/server_add/controllers/admin_server_add.php | 3 ++-
 modules/server_add/views/admin_server_add.html.php | 17 -----------------
 2 files changed, 2 insertions(+), 18 deletions(-)
(limited to 'modules/server_add/controllers/admin_server_add.php')
diff --git a/modules/server_add/controllers/admin_server_add.php b/modules/server_add/controllers/admin_server_add.php
index 7e63e4ae..954c9ef6 100644
--- a/modules/server_add/controllers/admin_server_add.php
+++ b/modules/server_add/controllers/admin_server_add.php
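Review bot: The new first element of `$directories` is a protocol sentinel rather than a directory, and nothing on the `+` line says so; only the commit subject explains that the first response line is a charset guard the client must discard (the tag text itself did not survive this page's rendering, where the line reads `array('')`). A reader of the controller alone will take it for a stray empty entry, so add `// First line is a charset guard so the browser cannot sniff this response as UTF-7; the autocomplete client drops it.` above the assignment. Separately, `\n` is the record separator in `print implode("\n", $directories)` while `html::clean` (not shown here) presumably leaves newlines alone, so a directory whose name contains a newline would be split into two rows on the client; that is pre-existing, but worth rejecting server-side if the protocol stays line-based.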
@@ -71,13 +71,14 @@ class Admin_Server_Add_Controller extends Admin_Controller {
   }
   public function autocomplete() {
-    $directories = array('');
+    $directories = array();
     $path_prefix = Input::instance()->get("q");
     foreach (glob("{$path_prefix}*") as $file) {
       if (is_dir($file) && !is_link($file)) {
         $directories[] = html::clean($file);
       }
     }
+
     print implode("\n", $directories);
   }
diff --git a/modules/server_add/views/admin_server_add.html.php b/modules/server_add/views/admin_server_add.html.php
index b8443446..176cff72 100644
--- a/modules/server_add/views/admin_server_add.html.php
+++ b/modules/server_add/views/admin_server_add.html.php
@@ -9,23 +9,6 @@ $("document").ready(function() {
     {
       max: 256,
       loadingClass: "g-loading-small",
-      parse: function(data) {
-        var parsed = [];
-        var rows = data.split("\n");
-        rows.shift(); // drop tag
-        for (var i=0; i < rows.length; i++) {
-          var row = $.trim(rows[i]);
-          if (row) {
-            row = row.split("|");
-            parsed[parsed.length] = {
-              data: row,
-              value: row[0],
-              result: row[0]
-            };
-          }
-        }
-        return parsed;
-      }
     });
 });
-- cgit v1.2.3
From a9be0691d9efd84cbf5a9f05236caf4df23bcfdb Mon Sep 17 00:00:00 2001
From: Bharat Mediratta
Date: Sat, 19 May 2012 11:28:46 -0700
Subject: Create an ajax response framework that inserts tags to guard against UTF-7, and create a $.gallery_autocomplete variant of jQuery's autocomplete that expects the first line to be a tag and discards it. More complete fix for #1871.
---
 lib/gallery.common.js | 28 +++++++++++++++++++
 modules/g2_import/controllers/admin_g2_import.php | 2 +-
 modules/g2_import/views/admin_g2_import.html.php | 2 +-
 modules/gallery/helpers/ajax.php | 31 ++++++++++++++++++++++
 .../server_add/controllers/admin_server_add.php | 3 ++-
 modules/server_add/views/admin_server_add.html.php | 2 +-
 modules/tag/controllers/tags.php | 4 +--
 modules/tag/helpers/tag_event.php | 4 +--
 modules/tag/views/tag_block.html.php | 2 +-
 9 files changed, 69 insertions(+), 9 deletions(-)
 create mode 100644 modules/gallery/helpers/ajax.php
(limited to 'modules/server_add/controllers/admin_server_add.php')
diff --git a/lib/gallery.common.js b/lib/gallery.common.js
index b499a2cd..755218f5 100644
--- a/lib/gallery.common.js
+++ b/lib/gallery.common.js
@@ -222,4 +222,32 @@
   });
 };
+  // Augment jQuery autocomplete to expect the first response line to
+  // be a tag that protects against UTF-7 attacks.
+  $.fn.gallery_autocomplete = function(url, options) {
+    // Drop the first response - it should be a meta tag
+    options.parse = function(data) {
+      var parsed = [];
+      var rows = data.split("\n");
+      if (rows[0].indexOf(" tag in first line of autocomplete response';
+      }
+      rows.shift(); // drop tag
+      for (var i=0; i < rows.length; i++) {
+        var row = $.trim(rows[i]);
+        if (row) {
+          row = row.split("|");
+          parsed[parsed.length] = {
+            data: row,
+            value: row[0],
+            result: row[0]
+          };
+        }
+      }
+      return parsed;
+    };
+
+    $(this).autocomplete(url, options);
+  };
+
 })(jQuery);
diff --git a/modules/g2_import/controllers/admin_g2_import.php b/modules/g2_import/controllers/admin_g2_import.php
index b07082c9..5edd2a1b 100644
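Review bot: `$.fn.gallery_autocomplete` assigns `options.parse = …` unconditionally, so a caller that passes only a `url` gets a TypeError on that line instead of the UTF-7 guard; add `options = options || {};` as the first statement of the wrapper. The wrapper also discards the result of `$(this).autocomplete(url, options)`, which breaks jQuery chaining for callers; `return $(this).autocomplete(url, options);` restores it. The `if (rows[0].indexOf(…` guard and its throw are garbled in this rendering (the tag text was stripped), so the exact condition cannot be reviewed here. Since the plugin silently replaces any `parse` the caller supplied, a comment stating that `options.parse` is owned by the wrapper and will be overwritten would avoid surprise.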
--- a/modules/g2_import/controllers/admin_g2_import.php
+++ b/modules/g2_import/controllers/admin_g2_import.php
@@ -113,7 +113,7 @@ class Admin_g2_import_Controller extends Admin_Controller {
       }
     }
-    print implode("\n", $directories);
+    ajax::response(implode("\n", $directories));
   }
   private function _get_import_form() {
diff --git a/modules/g2_import/views/admin_g2_import.html.php b/modules/g2_import/views/admin_g2_import.html.php
index 9c4eb840..22e19f5b 100644
--- a/modules/g2_import/views/admin_g2_import.html.php
+++ b/modules/g2_import/views/admin_g2_import.html.php
@@ -3,7 +3,7 @@ script("jquery.autocomplete.js") ?>
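Review bot: `ajax::response` is the helper this commit creates in modules/gallery/helpers/ajax.php, but its body is not on this page (the listing is limited to server_add), so whether it only prepends an in-body tag or also declares the charset at the HTTP level cannot be confirmed here. An in-body `<meta>` tag only helps when the browser renders the response as HTML; emitting `header("Content-Type: text/plain; charset=UTF-8");` from the helper before it prints would settle the charset at the transport level and close the UTF-7 sniffing window regardless of how the body is parsed, unless the framework already sets one on every response. The enclosing method that builds `$directories` starts outside this hunk.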