From a597b57210b48241781f31d3f277e274d3ca6874 Mon Sep 17 00:00:00 2001
From: Tim Almdal 
Date: Mon, 15 Feb 2010 12:29:49 -0800
Subject: return the absolute url not the relative for the full size, resize
 and thumb images.
---
 modules/gallery/models/item.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/modules/gallery/models/item.php b/modules/gallery/models/item.php
index 283654c7..a64bcb49 100644
--- a/modules/gallery/models/item.php
+++ b/modules/gallery/models/item.php
@@ -931,13 +931,13 @@ class Item_Model extends ORM_MPTT {
     unset($data["album_cover_item_id"]);
 
     if (access::can("view_fillsize", $this)  && $this->is_photo()) {
-      $data["fullsize_url"] = $this->abs_url();
+      $data["fullsize_url"] = $this->abs_url(true);
     }
 
-    if ($tmp = $this->resize_url()  && $this->is_photo()) {
+    if ($tmp = $this->resize_url(true)  && $this->is_photo()) {
       $data["resize_url"] = $tmp;
     }
-    $data["thumb_url"] = $this->thumb_url();
+    $data["thumb_url"] = $this->thumb_url(true);
 
     // Elide some internal-only data that is going to cause confusion in the client.
     foreach (array("relative_path_cache", "relative_url_cache", "left_ptr", "right_ptr",
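Review bot: The new line `if ($tmp = $this->resize_url(true)  && $this->is_photo())` keeps the precedence defect the commit carries over: `&&` binds tighter than `=`, so `$tmp` receives the boolean result of `resize_url(true) && is_photo()` and `$data["resize_url"]` is set to `true` rather than the URL. Reorder and parenthesise: `if ($this->is_photo() && ($tmp = $this->resize_url(true))) {`. Separately, the context line above gates `fullsize_url` on `access::can("view_fillsize", $this)` while the feed.mrss.php change in this same series uses the permission name `view_full`; if `view_fillsize` is not a registered permission, confirm what `access::can` returns for an unknown name, since that decides whether the full-size URL is ever exposed. The enclosing method starts and ends outside the hunk.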
-- 
From dcddc68f58dac2f0fe71f5a00ea4af32618efa13 Mon Sep 17 00:00:00 2001
From: Andy Staudacher 
Date: Mon, 15 Feb 2010 13:12:38 -0800
Subject: Never assign a SafeString instance to a Model member (or hell will
 break loose).
---
 modules/gallery/helpers/gallery_installer.php | 2 +-
 modules/user/helpers/user_installer.php       | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/modules/gallery/helpers/gallery_installer.php b/modules/gallery/helpers/gallery_installer.php
index 45d991af..b594ddcf 100644
--- a/modules/gallery/helpers/gallery_installer.php
+++ b/modules/gallery/helpers/gallery_installer.php
@@ -287,7 +287,7 @@ class gallery_installer {
     // Mark string for translation
     $powered_by_string = t("Powered by %gallery_version",
                            array("locale" => "root"));
-    module::set_var("gallery", "credits", $powered_by_string);
+    module::set_var("gallery", "credits", (string) $powered_by_string);
     module::set_var("gallery", "simultaneous_upload_limit", 5);
     module::set_var("gallery", "admin_area_timeout", 90 * 60);
     module::set_version("gallery", 29);
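Review bot: The `(string)` cast in `module::set_var("gallery", "credits", (string) $powered_by_string);` has no explanation at the call site, and the same pattern repeats four times in the user_installer.php hunk; a later reader will be tempted to "simplify" it away. Add a comment on the line before, e.g. `// t() returns a SafeString; store the plain string so the var holds text, not an object`, and put the same note once above the first cast in user_installer.php. The cast drops the SafeString marker, so whatever renders "credits" and the group/user names must escape them on output; that code is not visible here, so confirm it does.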
diff --git a/modules/user/helpers/user_installer.php b/modules/user/helpers/user_installer.php
index c57ad010..9e757ecd 100644
--- a/modules/user/helpers/user_installer.php
+++ b/modules/user/helpers/user_installer.php
@@ -98,25 +98,25 @@ class user_installer {
                DEFAULT CHARSET=utf8;");
 
     $everybody = ORM::factory("group");
-    $everybody->name = t("Everybody", array("locale" => "root"));
+    $everybody->name = (string) t("Everybody", array("locale" => "root"));
     $everybody->special = true;
     $everybody->save();
 
     $registered = ORM::factory("group");
-    $registered->name = t("Registered Users", array("locale" => "root"));
+    $registered->name = (string) t("Registered Users", array("locale" => "root"));
     $registered->special = true;
     $registered->save();
 
     $guest = ORM::factory("user");
     $guest->name = "guest";
-    $guest->full_name = t("Guest User", array("locale" => "root"));
+    $guest->full_name = (string) t("Guest User", array("locale" => "root"));
     $guest->password = "";
     $guest->guest = true;
     $guest->save();
 
     $admin = ORM::factory("user");
     $admin->name = "admin";
-    $admin->full_name = t("Gallery Administrator", array("locale" => "root"));
+    $admin->full_name = (string) t("Gallery Administrator", array("locale" => "root"));
     $admin->password = "admin";
     $admin->email = "unknown@unknown.com";
     $admin->admin = true;
-- 
From e754bc18ea5dfd93beae5bad1c743610ceeef6e3 Mon Sep 17 00:00:00 2001
From: Andy Staudacher 
Date: Mon, 15 Feb 2010 13:44:37 -0800
Subject: Input sanitization
---
 modules/organize/controllers/organize.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/modules/organize/controllers/organize.php b/modules/organize/controllers/organize.php
index 9d9da65e..c92d711f 100644
--- a/modules/organize/controllers/organize.php
+++ b/modules/organize/controllers/organize.php
@@ -127,7 +127,7 @@ class Organize_Controller extends Controller {
             "sort_order" => $album->sort_order));
   }
 
-  function sort_order($album_id, $col, $dir) {
+  public function sort_order($album_id, $col, $dir) {
     access::verify_csrf();
 
     $album = ORM::factory("item", $album_id);
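Review bot: `$album_id` is passed straight to `ORM::factory("item", $album_id)` without a cast, while the second hunk of this commit casts `$offset` to int; for the commit's stated intent the consistent line is `$album = ORM::factory("item", (int) $album_id);`. `$col` and `$dir` are also URL segments (the organize_dialog view builds `organize/sort_order/__ALBUM_ID__/__COL__/__DIR__`), presumably a sort column and direction; their handling lies below the hunk, so confirm they are checked against an allow-list of column names and `ASC`/`DESC` before reaching the query. The method body continues outside the hunk.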
@@ -149,10 +149,10 @@ class Organize_Controller extends Controller {
             "sort_order" => $album->sort_order));
   }
 
-  private static function _get_micro_thumb_grid($album, $offset) {
+  private static function _get_micro_thumb_grid(Item_Model $album, $offset) {
     $v = new View("organize_thumb_grid.html");
     $v->album = $album;
-    $v->offset = $offset;
+    $v->offset = (int) $offset;
     return $v;
   }
 
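Review bot: `(int) $offset` still accepts negative values, and the thumb grid view builds its next-page link from `$offset+25` (per the organize_thumb_grid.html.php entry in xss_data.txt); clamping keeps that arithmetic sane: `$v->offset = max(0, (int) $offset);`. The new `Item_Model $album` type hint is a good addition; a short docblock such as `/** @param int|string $offset  raw URL segment, cast to int here */` would record why the cast lives in this helper rather than at the call site.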
-- 
From 6c89bb88789257d1dfe4c2ce6eb14e64fe87507c Mon Sep 17 00:00:00 2001
From: Andy Staudacher 
Date: Mon, 15 Feb 2010 13:51:32 -0800
Subject: Update of reviewed XSS audit data.
---
 modules/gallery/tests/xss_data.txt | 56 ++++++++++++++++++--------------------
 1 file changed, 27 insertions(+), 29 deletions(-)
diff --git a/modules/gallery/tests/xss_data.txt b/modules/gallery/tests/xss_data.txt
index e53502ee..44233459 100644
--- a/modules/gallery/tests/xss_data.txt
+++ b/modules/gallery/tests/xss_data.txt
@@ -32,8 +32,8 @@ modules/comment/views/comment.mrss.php                       29  DIRTY    $child
 modules/comment/views/comment.mrss.php                       34  DIRTY_ATTR $child->thumb_url
 modules/comment/views/comment.mrss.php                       35  DIRTY_ATTR $child->thumb_height
 modules/comment/views/comment.mrss.php                       35  DIRTY_ATTR $child->thumb_width
-modules/comment/views/comments.html.php                      16  DIRTY_ATTR $comment->id
-modules/comment/views/comments.html.php                      19  DIRTY_ATTR $comment->author()->avatar_url(40,$theme->url(,true))
+modules/comment/views/comments.html.php                      18  DIRTY_ATTR $comment->id
+modules/comment/views/comments.html.php                      21  DIRTY_ATTR $comment->author()->avatar_url(40,$theme->url(,true))
 modules/comment/views/user_profile_comments.html.php         5   DIRTY_ATTR $comment->id
 modules/comment/views/user_profile_comments.html.php         10  DIRTY_JS $comment->item()->url()
 modules/comment/views/user_profile_comments.html.php         11  DIRTY    $comment->item()->thumb_img(array(),50)
@@ -81,19 +81,18 @@ modules/gallery/views/admin_maintenance.html.php             24  DIRTY_ATTR log:
 modules/gallery/views/admin_maintenance.html.php             25  DIRTY_ATTR log::severity_class($task->severity)
 modules/gallery/views/admin_maintenance.html.php             26  DIRTY    $task->name
 modules/gallery/views/admin_maintenance.html.php             29  DIRTY    $task->description
-modules/gallery/views/admin_maintenance.html.php             33  DIRTY_JS "{$button->url}/$task->callback?csrf=$csrf"
-modules/gallery/views/admin_maintenance.html.php             76  DIRTY_ATTR text::alternate("g-odd","g-even")
-modules/gallery/views/admin_maintenance.html.php             76  DIRTY_ATTR $task->state=="stalled"?"g-warning":""
-modules/gallery/views/admin_maintenance.html.php             77  DIRTY_ATTR $task->state=="stalled"?"g-warning":""
-modules/gallery/views/admin_maintenance.html.php             78  DIRTY    gallery::date_time($task->updated)
-modules/gallery/views/admin_maintenance.html.php             81  DIRTY    $task->name
-modules/gallery/views/admin_maintenance.html.php             96  DIRTY    $task->status
-modules/gallery/views/admin_maintenance.html.php             147 DIRTY_ATTR text::alternate("g-odd","g-even")
-modules/gallery/views/admin_maintenance.html.php             147 DIRTY_ATTR $task->state=="success"?"g-success":"g-error"
-modules/gallery/views/admin_maintenance.html.php             148 DIRTY_ATTR $task->state=="success"?"g-success":"g-error"
-modules/gallery/views/admin_maintenance.html.php             149 DIRTY    gallery::date_time($task->updated)
-modules/gallery/views/admin_maintenance.html.php             152 DIRTY    $task->name
-modules/gallery/views/admin_maintenance.html.php             164 DIRTY    $task->status
+modules/gallery/views/admin_maintenance.html.php             70  DIRTY_ATTR text::alternate("g-odd","g-even")
+modules/gallery/views/admin_maintenance.html.php             70  DIRTY_ATTR $task->state=="stalled"?"g-warning":""
+modules/gallery/views/admin_maintenance.html.php             71  DIRTY_ATTR $task->state=="stalled"?"g-warning":""
+modules/gallery/views/admin_maintenance.html.php             72  DIRTY    gallery::date_time($task->updated)
+modules/gallery/views/admin_maintenance.html.php             75  DIRTY    $task->name
+modules/gallery/views/admin_maintenance.html.php             90  DIRTY    $task->status
+modules/gallery/views/admin_maintenance.html.php             141 DIRTY_ATTR text::alternate("g-odd","g-even")
+modules/gallery/views/admin_maintenance.html.php             141 DIRTY_ATTR $task->state=="success"?"g-success":"g-error"
+modules/gallery/views/admin_maintenance.html.php             142 DIRTY_ATTR $task->state=="success"?"g-success":"g-error"
+modules/gallery/views/admin_maintenance.html.php             143 DIRTY    gallery::date_time($task->updated)
+modules/gallery/views/admin_maintenance.html.php             146 DIRTY    $task->name
+modules/gallery/views/admin_maintenance.html.php             158 DIRTY    $task->status
 modules/gallery/views/admin_maintenance_show_log.html.php    8   DIRTY_JS url::site("admin/maintenance/save_log/$task->id?csrf=$csrf")
 modules/gallery/views/admin_maintenance_show_log.html.php    13  DIRTY    $task->name
 modules/gallery/views/admin_maintenance_task.html.php        55  DIRTY    $task->name
@@ -121,6 +120,7 @@ modules/gallery/views/admin_themes.html.php                  62  DIRTY    $theme
 modules/gallery/views/admin_themes.html.php                  76  DIRTY    $info->name
 modules/gallery/views/admin_themes.html.php                  78  DIRTY    $info->description
 modules/gallery/views/admin_themes_preview.html.php          7   DIRTY_ATTR $url
+modules/gallery/views/error_404.html.php                     14  DIRTY    $login_form
 modules/gallery/views/form_uploadify.html.php                30  DIRTY_JS url::file("lib/uploadify/uploadify.swf")
 modules/gallery/views/form_uploadify.html.php                31  DIRTY_JS url::site("simple_uploader/add_photo/{$album->id}")
 modules/gallery/views/form_uploadify.html.php                35  DIRTY_JS url::file("lib/uploadify/cancel.png")
@@ -128,8 +128,7 @@ modules/gallery/views/form_uploadify.html.php                36  DIRTY_JS $simul
 modules/gallery/views/in_place_edit.html.php                 2   DIRTY    form::open($action,array("method"=>"post","id"=>"g-in-place-edit-form","class"=>"g-short-form"))
 modules/gallery/views/in_place_edit.html.php                 3   DIRTY    access::csrf_form_field()
 modules/gallery/views/in_place_edit.html.php                 6   DIRTY    form::input("input",$form["input"]," class=\"textbox\"")
-modules/gallery/views/kohana_error_page.php                  102 DIRTY    $message
-modules/gallery/views/kohana_error_page.php                  116 DIRTY    $trace
+modules/gallery/views/in_place_edit.html.php                 14  DIRTY    $errors["input"]
 modules/gallery/views/kohana_profiler.php                    32  DIRTY    $profile->render();
 modules/gallery/views/l10n_client.html.php                   21  DIRTY_ATTR $string["translation"]===""?"untranslated":"translated"
 modules/gallery/views/l10n_client.html.php                   23  DIRTY    $string["source"]["one"]
@@ -148,18 +147,18 @@ modules/gallery/views/l10n_client.html.php                   67  DIRTY    form::
 modules/gallery/views/login_ajax.html.php                    6   DIRTY_JS url::site("password/reset")
 modules/gallery/views/login_ajax.html.php                    37  DIRTY    $form
 modules/gallery/views/maintenance.html.php                   46  DIRTY    auth::get_login_form("login/auth_html")
-modules/gallery/views/menu.html.php                          4   DIRTY    isset($menu->css_id)?"id='$menu->css_id'":""
+modules/gallery/views/menu.html.php                          4   DIRTY    $menu->css_id?"id='$menu->css_id'":""
 modules/gallery/views/menu.html.php                          4   DIRTY_ATTR $menu->css_class
 modules/gallery/views/menu.html.php                          6   DIRTY    $element->render()
 modules/gallery/views/menu.html.php                          18  DIRTY    $element->render()
-modules/gallery/views/menu_ajax_link.html.php                3   DIRTY_ATTR $menu->css_id
+modules/gallery/views/menu_ajax_link.html.php                3   DIRTY    $menu->css_id?"id='{$menu->css_id}'":""
 modules/gallery/views/menu_ajax_link.html.php                4   DIRTY_ATTR $menu->css_class
 modules/gallery/views/menu_ajax_link.html.php                5   DIRTY_JS $menu->url
 modules/gallery/views/menu_ajax_link.html.php                7   DIRTY    $menu->ajax_handler
-modules/gallery/views/menu_dialog.html.php                   3   DIRTY_ATTR $menu->css_id
+modules/gallery/views/menu_dialog.html.php                   3   DIRTY    $menu->css_id?"id='{$menu->css_id}'":""
 modules/gallery/views/menu_dialog.html.php                   4   DIRTY_ATTR $menu->css_class
 modules/gallery/views/menu_dialog.html.php                   5   DIRTY_JS $menu->url
-modules/gallery/views/menu_link.html.php                     3   DIRTY_ATTR $menu->css_id
+modules/gallery/views/menu_link.html.php                     3   DIRTY    $menu->css_id?"id='{$menu->css_id}'":""
 modules/gallery/views/menu_link.html.php                     4   DIRTY_ATTR $menu->css_class
 modules/gallery/views/menu_link.html.php                     5   DIRTY_JS $menu->url
 modules/gallery/views/move_browse.html.php                   4   DIRTY_JS url::site("move/show_sub_tree/{$source->id}/__TARGETID__")
@@ -209,6 +208,7 @@ modules/gallery/views/permissions_form.html.php              75  DIRTY_JS $item-
 modules/gallery/views/permissions_form.html.php              80  DIRTY_JS $group->id
 modules/gallery/views/permissions_form.html.php              80  DIRTY_JS $permission->id
 modules/gallery/views/permissions_form.html.php              80  DIRTY_JS $item->id
+modules/gallery/views/reauthenticate.html.php                9   DIRTY    $form
 modules/gallery/views/upgrader.html.php                      57  DIRTY_ATTR $done?"muted":""
 modules/gallery/views/upgrader.html.php                      61  DIRTY_ATTR $done?"muted":""
 modules/gallery/views/upgrader.html.php                      69  DIRTY_ATTR $module->version==$module->code_version?"current":"upgradeable"
@@ -239,15 +239,13 @@ modules/organize/views/organize_dialog.html.php              4   DIRTY_JS url::s
 modules/organize/views/organize_dialog.html.php              5   DIRTY_JS url::site("organize/sort_order/__ALBUM_ID__/__COL__/__DIR__?csrf=$csrf")
 modules/organize/views/organize_dialog.html.php              6   DIRTY_JS url::site("organize/tree/__ALBUM_ID__")
 modules/organize/views/organize_dialog.html.php              14  DIRTY    $album_tree
-modules/organize/views/organize_dialog.html.php              24  DIRTY    $micro_thumb_grid
+modules/organize/views/organize_dialog.html.php              23  DIRTY    $micro_thumb_grid
 modules/organize/views/organize_dialog.html.php              32  DIRTY    form::dropdown(array("id"=>"g-organize-sort-column"),album::get_sort_order_options(),$album->sort_column)
-modules/organize/views/organize_dialog.html.php              33  DIRTY    form::dropdown(array("id"=>"g-organize-sort-order"),array("ASC"=>"Ascending","DESC"=>"Descending"),$album->sort_order)
-modules/organize/views/organize_thumb_grid.html.php          3   DIRTY_ATTR $child->id
+modules/organize/views/organize_thumb_grid.html.php          3   DIRTY_ATTR $child->is_album()?"g-album":"g-photo"
 modules/organize/views/organize_thumb_grid.html.php          4   DIRTY_ATTR $child->id
-modules/organize/views/organize_thumb_grid.html.php          5   DIRTY_ATTR $child->is_album()?"g-album":"g-photo"
-modules/organize/views/organize_thumb_grid.html.php          6   DIRTY    $child->thumb_img(array("class"=>"g-thumbnail","ref"=>$child->id),90,true)
-modules/organize/views/organize_thumb_grid.html.php          7   DIRTY    $child->is_album()?" class=\"ui-icon ui-icon-note\"":""
-modules/organize/views/organize_thumb_grid.html.php          15  DIRTY_JS url::site("organize/album/$album->id/".($offset+25))
+modules/organize/views/organize_thumb_grid.html.php          5   DIRTY    $child->thumb_img(array("class"=>"g-thumbnail","ref"=>$child->id),90,true)
+modules/organize/views/organize_thumb_grid.html.php          6   DIRTY    $child->is_album()?" class=\"ui-icon ui-icon-note\"":""
+modules/organize/views/organize_thumb_grid.html.php          13  DIRTY_JS url::site("organize/album/$album->id/".($offset+25))
 modules/organize/views/organize_tree.html.php                2   DIRTY_ATTR access::can("edit",$album)?"":"g-view-only"
 modules/organize/views/organize_tree.html.php                3   DIRTY_ATTR $album->id
 modules/organize/views/organize_tree.html.php                6   DIRTY_ATTR $selected&&$album->id==$selected->id?"ui-state-focus":""
@@ -255,6 +253,7 @@ modules/organize/views/organize_tree.html.php                7   DIRTY_ATTR $alb
 modules/organize/views/organize_tree.html.php                13  DIRTY    View::factory("organize_tree.html",array("selected"=>$selected,"album"=>$child));
 modules/organize/views/organize_tree.html.php                15  DIRTY_ATTR access::can("edit",$child)?"":"g-view-only"
 modules/organize/views/organize_tree.html.php                16  DIRTY_ATTR $child->id
+modules/organize/views/organize_tree.html.php                18  DIRTY_ATTR $selected&&$child->id==$selected->id?"ui-state-focus":""
 modules/organize/views/organize_tree.html.php                18  DIRTY_ATTR $child->id
 modules/recaptcha/views/admin_recaptcha.html.php             11  DIRTY    $form
 modules/recaptcha/views/admin_recaptcha.html.php             23  DIRTY_JS $public_key
@@ -323,7 +322,6 @@ modules/user/views/admin_users.html.php                      123 DIRTY_ATTR ($gr
 modules/user/views/admin_users.html.php                      125 DIRTY    $v
 modules/user/views/admin_users_group.html.php                22  DIRTY_JS $user->id
 modules/user/views/admin_users_group.html.php                22  DIRTY_JS $group->id
-modules/user/views/user_form.html.php                        7   DIRTY    $form
 modules/watermark/views/admin_watermarks.html.php            20  DIRTY_ATTR $width
 modules/watermark/views/admin_watermarks.html.php            20  DIRTY_ATTR $height
 modules/watermark/views/admin_watermarks.html.php            20  DIRTY_ATTR $url
-- 
From 5e25d2f7f11a75386e3c7f3d1d0c496eb3287cac Mon Sep 17 00:00:00 2001
From: Andy Staudacher 
Date: Mon, 15 Feb 2010 14:27:48 -0800
Subject: Put focus on password field in reauthenticate dialog.
---
 modules/gallery/views/reauthenticate.html.php | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/modules/gallery/views/reauthenticate.html.php b/modules/gallery/views/reauthenticate.html.php
index 8611d0f7..9a6696fb 100644
--- a/modules/gallery/views/reauthenticate.html.php
+++ b/modules/gallery/views/reauthenticate.html.php
@@ -7,4 +7,9 @@
     = t("You are currently logged in as %user_name.", array("user_name" => $user_name)) ?>
   
   = $form ?>
+  
 
\ No newline at end of file
-- 
From 61f8af6e4cd33a6e226221fd81fcfe2e5afa1081 Mon Sep 17 00:00:00 2001
From: Andy Staudacher 
Date: Tue, 16 Feb 2010 21:56:56 -0800
Subject: Fix for ticket #1020: Fix RSS feed validation of album / recent items
 feeds.
---
 modules/rss/views/feed.mrss.php | 46 ++++++++++++++++++++---------------------
 1 file changed, 22 insertions(+), 24 deletions(-)
diff --git a/modules/rss/views/feed.mrss.php b/modules/rss/views/feed.mrss.php
index cdb4f0f0..0fd8095d 100644
--- a/modules/rss/views/feed.mrss.php
+++ b/modules/rss/views/feed.mrss.php
@@ -49,32 +49,30 @@
                        height="= $child->thumb_height ?>"
                        width="= $child->thumb_width ?>"
                        />
+     $view_full = access::can("view_full", $child); ?>
+     if ($child->type == "photo" && $view_full): ?>
       
-         if ($child->type == "photo"): ?>
-          
-           if (access::can("view_full", $child)): ?>
-            
-           endif ?>
-         else: ?>
-          
-         endif ?>
+     endif ?>
+       if ($child->type == "photo"): ?>
+        
+       endif ?>
+       if ($view_full): ?>
+        
+       endif ?>
+     if ($child->type == "photo" && $view_full): ?>
       
+     endif ?>
     
      endforeach ?>
   
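Review bot: The guard `$child->type == "photo" && $view_full` is written out twice, once before the opening element and once before the closing one; hoisting it next to `$view_full` as `$full_photo = $child->type == "photo" && $view_full;` and testing `$full_photo` at both sites keeps the two halves from drifting apart in a later edit. The element markup itself is not visible in this extract, so the pairing of the open and close conditions can only be checked by eye against the original file. The enclosing foreach starts outside the hunk.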
-- 
From 4ca55a90ee2f8e1d8595b0ec53a601d6c65475f6 Mon Sep 17 00:00:00 2001
From: Andy Staudacher 
Date: Tue, 16 Feb 2010 23:54:39 -0800
Subject: Fix for ticket #1017: Handle the common case of t(html::clean($var))
 by casting SafeString instances to string in translate().
---
 modules/gallery/libraries/Gallery_I18n.php | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/modules/gallery/libraries/Gallery_I18n.php b/modules/gallery/libraries/Gallery_I18n.php
index cfed046a..160543c9 100644
--- a/modules/gallery/libraries/Gallery_I18n.php
+++ b/modules/gallery/libraries/Gallery_I18n.php
@@ -117,6 +117,9 @@ class Gallery_I18n_Core {
     $count = isset($options['count']) ? $options['count'] : null;
     $values = $options;
     unset($values['locale']);
+    if ($message instanceof SafeString) {
+      $message = (string) $message;
+    }
     $this->log($message, $options);
 
     $entry = $this->lookup($locale, $message);
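Review bot: The new `instanceof SafeString` block has no comment tying it to its reason; add `// t(html::clean($var)) passes a SafeString; log() and lookup() need the plain string (ticket #1017)` above the `if`. After the cast `$message` is the already-cleaned text, so the lookup key and the log entry hold the escaped form of the string; confirm that is the key translators are expected to see, since the same source text passed raw to t() would resolve a different entry. The method starts and ends outside the hunk.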
-- 