From ffbaa7bf82750814b6b31c8c83ee11ad25a41196 Mon Sep 17 00:00:00 2001
From: Bharat Mediratta <bharat@menalto.com>
Date: Sun, 13 May 2012 21:09:26 -0700
Subject: Follow on for #1845 - handle paths with dots in them properly.

---
 modules/gallery/helpers/legal_file.php           | 2 +-
 modules/gallery/tests/Legal_File_Helper_Test.php | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)

(limited to 'modules')

diff --git a/modules/gallery/helpers/legal_file.php b/modules/gallery/helpers/legal_file.php
index af6472ca..075de9cd 100644
--- a/modules/gallery/helpers/legal_file.php
+++ b/modules/gallery/helpers/legal_file.php
@@ -89,7 +89,7 @@ class legal_file_Core {
     if (strpos($filename, ".") === false) {
       return "{$filename}.{$new_ext}";
     } else {
-      return preg_replace("/\..*?$/", ".{$new_ext}", $filename);
+      return preg_replace("/\.[^\.]*?$/", ".{$new_ext}", $filename);
     }
   }
 }
diff --git a/modules/gallery/tests/Legal_File_Helper_Test.php b/modules/gallery/tests/Legal_File_Helper_Test.php
index c101de10..6f94c9cd 100644
--- a/modules/gallery/tests/Legal_File_Helper_Test.php
+++ b/modules/gallery/tests/Legal_File_Helper_Test.php
@@ -29,4 +29,10 @@ class Legal_File_Helper_Test extends Gallery_Unit_Test_Case {
   public function change_extension_with_no_extension_test() {
     $this->assert_equal("foo.flv", legal_file::change_extension("foo", "flv"));
   }
+
+  public function change_extension_path_containing_dots_test() {
+    $this->assert_equal(
+      "/website/foo.com/VID_20120513_105421.jpg",
+      legal_file::change_extension("/website/foo.com/VID_20120513_105421.mp4", "jpg"));
+  }
 }
\ No newline at end of file
-- 
cgit v1.2.3


From 1531c3898fde620abfa9e306dc6efc73e520bd1c Mon Sep 17 00:00:00 2001
From: Bharat Mediratta <bharat@menalto.com>
Date: Mon, 14 May 2012 20:50:36 -0700
Subject: Force uploader status messages to be integers.  Fixes #1863.

---
 modules/gallery/controllers/uploader.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'modules')

diff --git a/modules/gallery/controllers/uploader.php b/modules/gallery/controllers/uploader.php
index 20c10b3a..906373b6 100644
--- a/modules/gallery/controllers/uploader.php
+++ b/modules/gallery/controllers/uploader.php
@@ -104,8 +104,8 @@ class Uploader_Controller extends Controller {
       // The "errors" won't be properly pluralized :-/
       print t2("Uploaded %count photo (%error errors)",
                "Uploaded %count photos (%error errors)",
-               $success_count,
-               array("error" => $error_count));
+               (int)$success_count,
+               array("error" => (int)$error_count));
     } else {
       print t2("Uploaded %count photo", "Uploaded %count photos", $success_count);}
   }
-- 
cgit v1.2.3


From e3d50dd8be9cd4bdefb42f41aa6ed96b6fece676 Mon Sep 17 00:00:00 2001
From: Bharat Mediratta <bharat@menalto.com>
Date: Mon, 14 May 2012 20:51:27 -0700
Subject: Simplify dialog title for editing advanced settings.  Fixes #1864.

---
 modules/gallery/controllers/admin_advanced_settings.php | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

(limited to 'modules')

diff --git a/modules/gallery/controllers/admin_advanced_settings.php b/modules/gallery/controllers/admin_advanced_settings.php
index fd03b275..3fc48b1d 100644
--- a/modules/gallery/controllers/admin_advanced_settings.php
+++ b/modules/gallery/controllers/admin_advanced_settings.php
@@ -32,9 +32,7 @@ class Admin_Advanced_Settings_Controller extends Admin_Controller {
   public function edit($module_name, $var_name) {
     $value = module::get_var($module_name, $var_name);
     $form = new Forge("admin/advanced_settings/save/$module_name/$var_name", "", "post");
-    $group = $form->group("edit_var")->label(
-      t("Edit %var (%module_name)",
-        array("module_name" => $module_name, "var" => $var_name)));
+    $group = $form->group("edit_var")->label(t("Edit setting"))
     $group->input("module_name")->label(t("Module"))->value($module_name)->disabled(1);
     $group->input("var_name")->label(t("Setting"))->value($var_name)->disabled(1);
     $group->textarea("value")->label(t("Value"))->value($value);
-- 
cgit v1.2.3


From 6a6b3f90f36293a40cba091c3ac387abb64f3c1a Mon Sep 17 00:00:00 2001
From: Bharat Mediratta <bharat@menalto.com>
Date: Mon, 14 May 2012 21:54:41 -0700
Subject: Verify that where() clauses are well formed.  Fixes #1865.

---
 modules/kohana23_compat/libraries/MY_Database_Builder.php | 6 ++++++
 system/libraries/Database_Builder.php                     | 8 ++++++++
 2 files changed, 14 insertions(+)

(limited to 'modules')

diff --git a/modules/kohana23_compat/libraries/MY_Database_Builder.php b/modules/kohana23_compat/libraries/MY_Database_Builder.php
index 0b9dbe28..54429ab1 100644
--- a/modules/kohana23_compat/libraries/MY_Database_Builder.php
+++ b/modules/kohana23_compat/libraries/MY_Database_Builder.php
@@ -25,6 +25,9 @@ class Database_Builder extends Database_Builder_Core {
   public function merge_where($tuples) {
     if ($tuples) {
       foreach ($tuples as $tuple) {
+        if (count($tuple) != 3) {
+          throw new Database_Exception("Column triplets require a column, op and value");
+        }
         $this->where($tuple[0], $tuple[1], $tuple[2]);
       }
     }
@@ -38,6 +41,9 @@ class Database_Builder extends Database_Builder_Core {
   public function merge_or_where($tuples) {
     if ($tuples) {
       foreach ($tuples as $tuple) {
+        if (count($tuple) != 3) {
+          throw new Database_Exception("Column triplets require a column, op and value");
+        }
         $this->or_where($tuple[0], $tuple[1], $tuple[2]);
       }
     }
diff --git a/system/libraries/Database_Builder.php b/system/libraries/Database_Builder.php
index e86ce379..553ffd98 100644
--- a/system/libraries/Database_Builder.php
+++ b/system/libraries/Database_Builder.php
@@ -190,6 +190,8 @@ class Database_Builder_Core {
 		{
 			foreach ($columns as $column)
 			{
+                                if (count($column) != 3)
+                                        throw new Database_Exception('Column triplets require a column, op and value');
 				$this->where[] = array('AND' => $column);
 			}
 		}
@@ -216,6 +218,8 @@ class Database_Builder_Core {
 		{
 			foreach ($columns as $column)
 			{
+                                if (count($column) != 3)
+                                        throw new Database_Exception('Column triplets require a column, op and value');
 				$this->where[] = array('OR' => $column);
 			}
 		}
@@ -422,6 +426,8 @@ class Database_Builder_Core {
 		{
 			foreach ($columns as $column)
 			{
+                                if (count($column) != 3)
+                                        throw new Database_Exception('Column triplets require a column, op and value');
 				$this->having[] = array('AND' => $column);
 			}
 		}
@@ -447,6 +453,8 @@ class Database_Builder_Core {
 		{
 			foreach ($columns as $column)
 			{
+                                if (count($column) != 3)
+                                        throw new Database_Exception('Column triplets require a column, op and value');
 				$this->having[] = array('OR' => $column);
 			}
 		}
-- 
cgit v1.2.3


From f06c2275052f638ffaf671dda4604d3fb35dfe8c Mon Sep 17 00:00:00 2001
From: Bharat Mediratta <bharat@menalto.com>
Date: Tue, 15 May 2012 09:26:13 -0700
Subject: Oops dropped a semicolon in e3d50dd8be9cd4bdefb42f41aa6ed96b6fece676

---
 modules/gallery/controllers/admin_advanced_settings.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'modules')

diff --git a/modules/gallery/controllers/admin_advanced_settings.php b/modules/gallery/controllers/admin_advanced_settings.php
index 3fc48b1d..1ce47529 100644
--- a/modules/gallery/controllers/admin_advanced_settings.php
+++ b/modules/gallery/controllers/admin_advanced_settings.php
@@ -32,7 +32,7 @@ class Admin_Advanced_Settings_Controller extends Admin_Controller {
   public function edit($module_name, $var_name) {
     $value = module::get_var($module_name, $var_name);
     $form = new Forge("admin/advanced_settings/save/$module_name/$var_name", "", "post");
-    $group = $form->group("edit_var")->label(t("Edit setting"))
+    $group = $form->group("edit_var")->label(t("Edit setting"));
     $group->input("module_name")->label(t("Module"))->value($module_name)->disabled(1);
     $group->input("var_name")->label(t("Setting"))->value($var_name)->disabled(1);
     $group->textarea("value")->label(t("Value"))->value($value);
-- 
cgit v1.2.3


From 0d5187eadf3e19729c6aa25c3bf30d2787fd66a3 Mon Sep 17 00:00:00 2001
From: Bharat Mediratta <bharat@menalto.com>
Date: Tue, 15 May 2012 09:33:43 -0700
Subject: Revert "Verify that where() clauses are well formed.  Fixes #1865."

This reverts commit 6a6b3f90f36293a40cba091c3ac387abb64f3c1a.
---
 modules/kohana23_compat/libraries/MY_Database_Builder.php | 6 ------
 system/libraries/Database_Builder.php                     | 8 --------
 2 files changed, 14 deletions(-)

(limited to 'modules')

diff --git a/modules/kohana23_compat/libraries/MY_Database_Builder.php b/modules/kohana23_compat/libraries/MY_Database_Builder.php
index 54429ab1..0b9dbe28 100644
--- a/modules/kohana23_compat/libraries/MY_Database_Builder.php
+++ b/modules/kohana23_compat/libraries/MY_Database_Builder.php
@@ -25,9 +25,6 @@ class Database_Builder extends Database_Builder_Core {
   public function merge_where($tuples) {
     if ($tuples) {
       foreach ($tuples as $tuple) {
-        if (count($tuple) != 3) {
-          throw new Database_Exception("Column triplets require a column, op and value");
-        }
         $this->where($tuple[0], $tuple[1], $tuple[2]);
       }
     }
@@ -41,9 +38,6 @@ class Database_Builder extends Database_Builder_Core {
   public function merge_or_where($tuples) {
     if ($tuples) {
       foreach ($tuples as $tuple) {
-        if (count($tuple) != 3) {
-          throw new Database_Exception("Column triplets require a column, op and value");
-        }
         $this->or_where($tuple[0], $tuple[1], $tuple[2]);
       }
     }
diff --git a/system/libraries/Database_Builder.php b/system/libraries/Database_Builder.php
index 553ffd98..e86ce379 100644
--- a/system/libraries/Database_Builder.php
+++ b/system/libraries/Database_Builder.php
@@ -190,8 +190,6 @@ class Database_Builder_Core {
 		{
 			foreach ($columns as $column)
 			{
-                                if (count($column) != 3)
-                                        throw new Database_Exception('Column triplets require a column, op and value');
 				$this->where[] = array('AND' => $column);
 			}
 		}
@@ -218,8 +216,6 @@ class Database_Builder_Core {
 		{
 			foreach ($columns as $column)
 			{
-                                if (count($column) != 3)
-                                        throw new Database_Exception('Column triplets require a column, op and value');
 				$this->where[] = array('OR' => $column);
 			}
 		}
@@ -426,8 +422,6 @@ class Database_Builder_Core {
 		{
 			foreach ($columns as $column)
 			{
-                                if (count($column) != 3)
-                                        throw new Database_Exception('Column triplets require a column, op and value');
 				$this->having[] = array('AND' => $column);
 			}
 		}
@@ -453,8 +447,6 @@ class Database_Builder_Core {
 		{
 			foreach ($columns as $column)
 			{
-                                if (count($column) != 3)
-                                        throw new Database_Exception('Column triplets require a column, op and value');
 				$this->having[] = array('OR' => $column);
 			}
 		}
-- 
cgit v1.2.3


From ce34e89c899a3fca6d647e99742c39b8b7a4f3e0 Mon Sep 17 00:00:00 2001
From: Bharat Mediratta <bharat@menalto.com>
Date: Tue, 15 May 2012 09:50:57 -0700
Subject: Different approach to resolving #1865, this replaces
 6a6b3f90f36293a40cba091c3ac387abb64f3c1a which was rolled back.

---
 modules/gallery/libraries/MY_ORM.php | 11 +++++++++++
 1 file changed, 11 insertions(+)

(limited to 'modules')

diff --git a/modules/gallery/libraries/MY_ORM.php b/modules/gallery/libraries/MY_ORM.php
index d4cdedb8..ac61e75b 100644
--- a/modules/gallery/libraries/MY_ORM.php
+++ b/modules/gallery/libraries/MY_ORM.php
@@ -18,6 +18,17 @@
  * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA  02110-1301, USA.
  */
 class ORM extends ORM_Core {
+
+  /**
+   * Make sure that we're only using integer ids.
+   */
+  static function factory($model, $id=null) {
+    if ($id && !is_int($id)) {
+      throw new Exception("@todo ORM::factory requires integer ids");
+    }
+    return ORM_Core::factory($model, $id);
+  }
+
   public function save() {
     model_cache::clear();
     return parent::save();
-- 
cgit v1.2.3


From 3d03ea697f18d6e779ac88024f5e6a12bff6788f Mon Sep 17 00:00:00 2001
From: Bharat Mediratta <bharat@menalto.com>
Date: Tue, 15 May 2012 10:50:21 -0700
Subject: Follow-on to ce34e89c899a3fca6d647e99742c39b8b7a4f3e0 for #1865 -
 allow strings and coerce them to integers.  It might be easier to just cast
 whatever comes in, but I'm worried that we'll accidentally cast an array to
 an int(1) without realizing it.

---
 modules/gallery/libraries/MY_ORM.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'modules')

diff --git a/modules/gallery/libraries/MY_ORM.php b/modules/gallery/libraries/MY_ORM.php
index ac61e75b..4194162b 100644
--- a/modules/gallery/libraries/MY_ORM.php
+++ b/modules/gallery/libraries/MY_ORM.php
@@ -23,10 +23,10 @@ class ORM extends ORM_Core {
    * Make sure that we're only using integer ids.
    */
   static function factory($model, $id=null) {
-    if ($id && !is_int($id)) {
+    if ($id && !is_int($id) && !is_string($id)) {
       throw new Exception("@todo ORM::factory requires integer ids");
     }
-    return ORM_Core::factory($model, $id);
+    return ORM_Core::factory($model, (int) $id);
   }
 
   public function save() {
-- 
cgit v1.2.3


From 3caf3cc323cd25b002aa8e44d871d4677da7a029 Mon Sep 17 00:00:00 2001
From: Bharat Mediratta <bharat@menalto.com>
Date: Tue, 15 May 2012 10:54:18 -0700
Subject: Harden installer against bad characters in the database name or
 prefix.  Fixes #1866.

---
 installer/database_config.php             | 2 +-
 installer/installer.php                   | 2 +-
 installer/web.php                         | 7 +++++++
 modules/gallery/libraries/MY_Database.php | 4 ++--
 4 files changed, 11 insertions(+), 4 deletions(-)

(limited to 'modules')

diff --git a/installer/database_config.php b/installer/database_config.php
index a5dc8865..fb7dd112 100644
--- a/installer/database_config.php
+++ b/installer/database_config.php
@@ -31,7 +31,7 @@ $config['default'] = array(
   'connection'    => array(
     'type'     => '<?php print $type ?>',
     'user'     => '<?php print $user ?>',
-    'pass'     => '<?php print str_replace("'", "\\'", $password) ?>',
+    'pass'     => '<?php print $password ?>',
     'host'     => '<?php print $host ?>',
     'port'     => <?php if (!empty($port)): ?>'<?php print $port ?>' <?php else: ?>false<?php endif ?>,
     'socket'   => false,
diff --git a/installer/installer.php b/installer/installer.php
index decc5629..339a02fd 100644
--- a/installer/installer.php
+++ b/installer/installer.php
@@ -183,7 +183,7 @@ class installer {
   }
 
   static function prepend_prefix($prefix, $sql) {
-    return  preg_replace("#{([a-zA-Z0-9_]+)}#", "{$prefix}$1", $sql);
+    return preg_replace("#{([a-zA-Z0-9_]+)}#", "`{$prefix}$1`", $sql);
   }
 
   static function check_environment() {
diff --git a/installer/web.php b/installer/web.php
index 6102f0e0..12f42d02 100644
--- a/installer/web.php
+++ b/installer/web.php
@@ -39,6 +39,13 @@ if (installer::already_installed()) {
                     "prefix" => $_POST["prefix"],
                     "type" => function_exists("mysqli_set_charset") ? "mysqli" : "mysql");
     list ($config["host"], $config["port"]) = explode(":", $config["host"] . ":");
+    foreach ($config as $k => $v) {
+      if ($k == "password") {
+        $config[$k] = str_replace("'", "\\'", $v);
+      } else {
+        $config[$k] = strtr($v, "'`", "__");
+      }
+    }
 
     if (!installer::connect($config)) {
       $content = render("invalid_db_info.html.php");
diff --git a/modules/gallery/libraries/MY_Database.php b/modules/gallery/libraries/MY_Database.php
index f3cace4d..fb54bfcd 100644
--- a/modules/gallery/libraries/MY_Database.php
+++ b/modules/gallery/libraries/MY_Database.php
@@ -65,14 +65,14 @@ abstract class Database extends Database_Core {
       $open_brace = strpos($sql, "TO {") + 4;
       $close_brace = strpos($sql, "}", $open_brace);
       $name = substr($sql, $open_brace, $close_brace - $open_brace);
-      $this->_table_names["{{$name}}"] = "{$prefix}$name";
+      $this->_table_names["{{$name}}"] = "`{$prefix}$name`";
     }
 
     if (!isset($this->_table_names)) {
       // This should only run once on the first query
       $this->_table_names = array();
       foreach($this->list_tables() as $table_name) {
-        $this->_table_names["{{$table_name}}"] = $prefix . $table_name;
+        $this->_table_names["{{$table_name}}"] = "`{$prefix}{$table_name}`";
       }
     }
 
-- 
cgit v1.2.3


From aac18ef8339054e134fa3e52788a80e6907dfba5 Mon Sep 17 00:00:00 2001
From: Bharat Mediratta <bharat@menalto.com>
Date: Tue, 15 May 2012 15:53:38 -0700
Subject: Don't allow new albums with a slug that matches a controller - put up
 a message telling the user that it's a reserved address.  Partial fix for
 #95.

---
 modules/gallery/helpers/album.php | 4 ++++
 modules/gallery/models/item.php   | 5 +++++
 2 files changed, 9 insertions(+)

(limited to 'modules')

diff --git a/modules/gallery/helpers/album.php b/modules/gallery/helpers/album.php
index 23d59eea..0945e4d9 100644
--- a/modules/gallery/helpers/album.php
+++ b/modules/gallery/helpers/album.php
@@ -39,6 +39,8 @@ class album_Core {
       ->error_messages("length", t("Your directory name is too long"))
       ->error_messages("conflict", t("There is already a movie, photo or album with this name"));
     $group->input("slug")->label(t("Internet Address"))
+      ->error_messages(
+        "reserved", t("This address is reserved and can't be used."))
       ->error_messages(
         "not_url_safe",
         t("The internet address should contain only letters, numbers, hyphens and underscores"))
@@ -75,6 +77,8 @@ class album_Core {
       $group->input("slug")->label(t("Internet Address"))->value($parent->slug)
         ->error_messages(
           "conflict", t("There is already a movie, photo or album with this internet address"))
+        ->error_messages(
+          "reserved", t("This address is reserved and can't be used."))
         ->error_messages(
           "not_url_safe",
           t("The internet address should contain only letters, numbers, hyphens and underscores"))
diff --git a/modules/gallery/models/item.php b/modules/gallery/models/item.php
index 98a2c4df..992af0cc 100644
--- a/modules/gallery/models/item.php
+++ b/modules/gallery/models/item.php
@@ -833,6 +833,11 @@ class Item_Model_Core extends ORM_MPTT {
       $v->add_error("name", "conflict");
       return;
     }
+
+    if ($this->parent_id == 1 && Kohana::auto_load("{$this->slug}_Controller")) {
+      $v->add_error("slug", "reserved");
+      return;
+    }
   }
 
   /**
-- 
cgit v1.2.3


From 891652b233df120464d8fe7d3ca80c5091681dea Mon Sep 17 00:00:00 2001
From: Bharat Mediratta <bharat@menalto.com>
Date: Tue, 15 May 2012 16:00:46 -0700
Subject: Send back form errors wrapped in JSON.  Fixes #1867.

---
 modules/gallery/controllers/albums.php | 2 +-
 modules/tag/controllers/admin_tags.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

(limited to 'modules')

diff --git a/modules/gallery/controllers/albums.php b/modules/gallery/controllers/albums.php
index b2ec0700..9b968871 100644
--- a/modules/gallery/controllers/albums.php
+++ b/modules/gallery/controllers/albums.php
@@ -133,7 +133,7 @@ class Albums_Controller extends Items_Controller {
 
       json::reply(array("result" => "success", "location" => $album->url()));
     } else {
-      print $form;
+      json::reply(array("result" => "error", "html" => (string)$form));
     }
   }
 
diff --git a/modules/tag/controllers/admin_tags.php b/modules/tag/controllers/admin_tags.php
index ff69ad94..515b6891 100644
--- a/modules/tag/controllers/admin_tags.php
+++ b/modules/tag/controllers/admin_tags.php
@@ -58,7 +58,7 @@ class Admin_Tags_Controller extends Admin_Controller {
 
       json::reply(array("result" => "success", "location" => url::site("admin/tags")));
     } else {
-      print $form;
+      json::reply(array("result" => "error", "html" => (string)$form));
     }
   }
 
-- 
cgit v1.2.3


From ce209b9eaac301b8494d7d6faa72d013ed1c6cb9 Mon Sep 17 00:00:00 2001
From: Bharat Mediratta <bharat@menalto.com>
Date: Tue, 15 May 2012 16:10:49 -0700
Subject: Fix a typo leading to notification module not sending any text. 
 Fixes #1862.

---
 modules/notification/helpers/notification.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'modules')

diff --git a/modules/notification/helpers/notification.php b/modules/notification/helpers/notification.php
index 0d66e6db..8ece698e 100644
--- a/modules/notification/helpers/notification.php
+++ b/modules/notification/helpers/notification.php
@@ -174,7 +174,7 @@ class notification {
           ->subject($pending->subject)
           ->header("Mime-Version", "1.0")
           ->header("Content-Type", "text/html; charset=UTF-8")
-          ->message($pending->body)
+          ->message($pending->text)
           ->send();
         $pending->delete();
       } else {
-- 
cgit v1.2.3


From 99af395a01edac438cef4e42af1f4c26a3532acc Mon Sep 17 00:00:00 2001
From: Bharat Mediratta <bharat@menalto.com>
Date: Wed, 16 May 2012 11:07:26 -0700
Subject: Force the error page to UTF-8.  Fixes #1868.

---
 modules/gallery/views/error_admin.html.php | 1 +
 1 file changed, 1 insertion(+)

(limited to 'modules')

diff --git a/modules/gallery/views/error_admin.html.php b/modules/gallery/views/error_admin.html.php
index a391746e..96e7bf51 100644
--- a/modules/gallery/views/error_admin.html.php
+++ b/modules/gallery/views/error_admin.html.php
@@ -3,6 +3,7 @@
 <? if (!function_exists("t")) { function t($msg) { return $msg; } } ?>
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
+   <meta http-equiv="content-type" content="text/html; charset=utf-8">
     <style type="text/css">
       body {
         background: #fff;
-- 
cgit v1.2.3


From 91e87cb811769dc9490549ca4c01a3830ee6da37 Mon Sep 17 00:00:00 2001
From: Bharat Mediratta <bharat@menalto.com>
Date: Wed, 16 May 2012 11:32:11 -0700
Subject: Oops, fix indentation in 99af395a01edac438cef4e42af1f4c26a3532acc

---
 modules/gallery/views/error_admin.html.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'modules')

diff --git a/modules/gallery/views/error_admin.html.php b/modules/gallery/views/error_admin.html.php
index 96e7bf51..3e7c286e 100644
--- a/modules/gallery/views/error_admin.html.php
+++ b/modules/gallery/views/error_admin.html.php
@@ -3,7 +3,7 @@
 <? if (!function_exists("t")) { function t($msg) { return $msg; } } ?>
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
-   <meta http-equiv="content-type" content="text/html; charset=utf-8">
+    <meta http-equiv="content-type" content="text/html; charset=utf-8">
     <style type="text/css">
       body {
         background: #fff;
-- 
cgit v1.2.3


From 1c5c2e7de42f9e59932c81fb26c8416b2fef3fda Mon Sep 17 00:00:00 2001
From: Bharat Mediratta <bharat@menalto.com>
Date: Wed, 16 May 2012 11:32:28 -0700
Subject: Convert any UTF-7 to UTF-8 so that fragment pages (like AJAX replies)
 won't be mistakenly interpreted as UTF-7.  Fixes #1869.

---
 modules/gallery/libraries/SafeString.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'modules')

diff --git a/modules/gallery/libraries/SafeString.php b/modules/gallery/libraries/SafeString.php
index 997abd2e..52ed48f2 100644
--- a/modules/gallery/libraries/SafeString.php
+++ b/modules/gallery/libraries/SafeString.php
@@ -31,7 +31,7 @@ class SafeString_Core {
       $this->_is_safe_html = $string->_is_safe_html;
       $string = $string->unescaped();
     }
-    $this->_raw_string = (string) $string;
+    $this->_raw_string = mb_convert_encoding((string) $string, 'UTF-8', 'UTF-7');
   }
 
   /**
-- 
cgit v1.2.3


From 355679fa55bfa21e8475f52fb26efa0ff2a1bf0d Mon Sep 17 00:00:00 2001
From: Bharat Mediratta <bharat@menalto.com>
Date: Wed, 16 May 2012 12:01:41 -0700
Subject: Revert "Convert any UTF-7 to UTF-8 so that fragment pages (like AJAX
 replies)" This will break many legal UTF-8 strings.

This reverts commit 1c5c2e7de42f9e59932c81fb26c8416b2fef3fda.
---
 modules/gallery/libraries/SafeString.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'modules')

diff --git a/modules/gallery/libraries/SafeString.php b/modules/gallery/libraries/SafeString.php
index 52ed48f2..997abd2e 100644
--- a/modules/gallery/libraries/SafeString.php
+++ b/modules/gallery/libraries/SafeString.php
@@ -31,7 +31,7 @@ class SafeString_Core {
       $this->_is_safe_html = $string->_is_safe_html;
       $string = $string->unescaped();
     }
-    $this->_raw_string = mb_convert_encoding((string) $string, 'UTF-8', 'UTF-7');
+    $this->_raw_string = (string) $string;
   }
 
   /**
-- 
cgit v1.2.3


From 88c0363344860ff87bb7fa2d084b8ab190b364cb Mon Sep 17 00:00:00 2001
From: Bharat Mediratta <bharat@menalto.com>
Date: Wed, 16 May 2012 12:26:09 -0700
Subject: Prevent server_add autocomplete from being interpreted as UTF-7. 
 Fixes #1871.

---
 modules/server_add/controllers/admin_server_add.php |  3 +--
 modules/server_add/views/admin_server_add.html.php  | 17 +++++++++++++++++
 2 files changed, 18 insertions(+), 2 deletions(-)

(limited to 'modules')

diff --git a/modules/server_add/controllers/admin_server_add.php b/modules/server_add/controllers/admin_server_add.php
index 954c9ef6..7e63e4ae 100644
--- a/modules/server_add/controllers/admin_server_add.php
+++ b/modules/server_add/controllers/admin_server_add.php
@@ -71,14 +71,13 @@ class Admin_Server_Add_Controller extends Admin_Controller {
   }
 
   public function autocomplete() {
-    $directories = array();
+    $directories = array('<meta http-equiv="content-type" content="text/html; charset=utf-8">');
     $path_prefix = Input::instance()->get("q");
     foreach (glob("{$path_prefix}*") as $file) {
       if (is_dir($file) && !is_link($file)) {
         $directories[] = html::clean($file);
       }
     }
-
     print implode("\n", $directories);
   }
 
diff --git a/modules/server_add/views/admin_server_add.html.php b/modules/server_add/views/admin_server_add.html.php
index 176cff72..b8443446 100644
--- a/modules/server_add/views/admin_server_add.html.php
+++ b/modules/server_add/views/admin_server_add.html.php
@@ -9,6 +9,23 @@ $("document").ready(function() {
     {
       max: 256,
       loadingClass: "g-loading-small",
+      parse: function(data) {
+        var parsed = [];
+        var rows = data.split("\n");
+        rows.shift();  // drop <META> tag
+        for (var i=0; i < rows.length; i++) {
+          var row = $.trim(rows[i]);
+          if (row) {
+            row = row.split("|");
+            parsed[parsed.length] = {
+              data: row,
+              value: row[0],
+              result: row[0]
+            };
+          }
+        }
+        return parsed;
+      }
     });
 });
 </script>
-- 
cgit v1.2.3


From 9e2ea2ffedb22f83137db4e5ba4c06b91f11e09d Mon Sep 17 00:00:00 2001
From: Bharat Mediratta <bharat@menalto.com>
Date: Thu, 17 May 2012 20:25:27 -0700
Subject: Smash multiple extensions down into a single one when accepting file
 uploads.  Fixes #1872.

---
 modules/gallery/controllers/uploader.php           |  4 ++++
 modules/gallery/helpers/legal_file.php             | 16 ++++++++++++++++
 modules/gallery/models/item.php                    | 10 +++++++++-
 modules/gallery/tests/Item_Model_Test.php          |  3 ++-
 modules/gallery/tests/Legal_File_Helper_Test.php   | 10 ++++++++++
 modules/watermark/controllers/admin_watermarks.php |  1 +
 6 files changed, 42 insertions(+), 2 deletions(-)

(limited to 'modules')

diff --git a/modules/gallery/controllers/uploader.php b/modules/gallery/controllers/uploader.php
index 906373b6..4ea55ff6 100644
--- a/modules/gallery/controllers/uploader.php
+++ b/modules/gallery/controllers/uploader.php
@@ -63,6 +63,10 @@ class Uploader_Controller extends Controller {
         $item->parent_id = $album->id;
         $item->set_data_file($temp_filename);
 
+        // Remove double extensions from the filename - they'll be disallowed in the model but if
+        // we don't do it here then it'll result in a failed upload.
+        $item->name = legal_file::smash_extensions($item->name);
+
         $path_info = @pathinfo($temp_filename);
         if (array_key_exists("extension", $path_info) &&
             in_array(strtolower($path_info["extension"]), array("flv", "mp4", "m4v"))) {
diff --git a/modules/gallery/helpers/legal_file.php b/modules/gallery/helpers/legal_file.php
index 075de9cd..bd48d7b7 100644
--- a/modules/gallery/helpers/legal_file.php
+++ b/modules/gallery/helpers/legal_file.php
@@ -92,4 +92,20 @@ class legal_file_Core {
       return preg_replace("/\.[^\.]*?$/", ".{$new_ext}", $filename);
     }
   }
+
+  /**
+   * Reduce the given file to having a single extension.
+   */
+  static function smash_extensions($filename) {
+    $parts = pathinfo($filename);
+    $result = "";
+    if ($parts["dirname"] != ".") {
+      $result .= $parts["dirname"] . "/";
+    }
+    $parts["filename"] = str_replace(".", "_", $parts["filename"]);
+    $parts["filename"] = preg_replace("/[_]+/", "_", $parts["filename"]);
+    $parts["filename"] = trim($parts["filename"], "_");
+    $result .= "{$parts['filename']}.{$parts['extension']}";
+    return $result;
+  }
 }
diff --git a/modules/gallery/models/item.php b/modules/gallery/models/item.php
index 992af0cc..903dadad 100644
--- a/modules/gallery/models/item.php
+++ b/modules/gallery/models/item.php
@@ -797,11 +797,19 @@ class Item_Model_Core extends ORM_MPTT {
     if (strpos($this->name, "/") !== false) {
       $v->add_error("name", "no_slashes");
       return;
-    } else if (rtrim($this->name, ".") !== $this->name) {
+    }
+
+    if (rtrim($this->name, ".") !== $this->name) {
       $v->add_error("name", "no_trailing_period");
       return;
     }
 
+    // Do not accept files with double extensions, they can cause problems on some
+    // versions of Apache.
+    if (substr_count($this->name, ".") > 1) {
+      $v->add_error("name", "illegal_data_file_extension");
+    }
+
     if ($this->is_movie() || $this->is_photo()) {
       $ext = pathinfo($this->name, PATHINFO_EXTENSION);
 
diff --git a/modules/gallery/tests/Item_Model_Test.php b/modules/gallery/tests/Item_Model_Test.php
index 6d40230f..876fc137 100644
--- a/modules/gallery/tests/Item_Model_Test.php
+++ b/modules/gallery/tests/Item_Model_Test.php
@@ -490,7 +490,8 @@ class Item_Model_Test extends Gallery_Unit_Test_Case {
   }
 
   public function illegal_extension_test() {
-    foreach (array("test.php", "test.PHP", "test.php5", "test.php4", "test.pl") as $name) {
+    foreach (array("test.php", "test.PHP", "test.php5", "test.php4",
+                   "test.pl", "test.php.png") as $name) {
       try {
         $photo = test::random_photo_unsaved(item::root());
         $photo->name = $name;
diff --git a/modules/gallery/tests/Legal_File_Helper_Test.php b/modules/gallery/tests/Legal_File_Helper_Test.php
index 6f94c9cd..d80bcafe 100644
--- a/modules/gallery/tests/Legal_File_Helper_Test.php
+++ b/modules/gallery/tests/Legal_File_Helper_Test.php
@@ -35,4 +35,14 @@ class Legal_File_Helper_Test extends Gallery_Unit_Test_Case {
       "/website/foo.com/VID_20120513_105421.jpg",
       legal_file::change_extension("/website/foo.com/VID_20120513_105421.mp4", "jpg"));
   }
+
+  public function smash_extensions_test() {
+    $this->assert_equal("foo_bar.jpg", legal_file::smash_extensions("foo.bar.jpg"));
+    $this->assert_equal("foo_bar_baz.jpg", legal_file::smash_extensions("foo.bar.baz.jpg"));
+    $this->assert_equal("foo_bar_baz.jpg", legal_file::smash_extensions("foo.bar.baz.jpg"));
+    $this->assert_equal("foo_bar_baz.jpg", legal_file::smash_extensions("...foo...bar..baz...jpg"));
+    $this->assert_equal("/path/to/foo_bar.jpg", legal_file::smash_extensions("/path/to/foo.bar.jpg"));
+    $this->assert_equal("/path/to.to/foo_bar.jpg", legal_file::smash_extensions("/path/to.to/foo.bar.jpg"));
+    $this->assert_equal("foo_bar-12345678.jpg", legal_file::smash_extensions("foo.bar-12345678.jpg"));
+  }
 }
\ No newline at end of file
diff --git a/modules/watermark/controllers/admin_watermarks.php b/modules/watermark/controllers/admin_watermarks.php
index 92a44a86..a80f82a9 100644
--- a/modules/watermark/controllers/admin_watermarks.php
+++ b/modules/watermark/controllers/admin_watermarks.php
@@ -98,6 +98,7 @@ class Admin_Watermarks_Controller extends Admin_Controller {
       $pathinfo = pathinfo($file);
       // Forge prefixes files with "uploadfile-xxxxxxx" for uniqueness
       $name = preg_replace("/uploadfile-[^-]+-(.*)/", '$1', $pathinfo["basename"]);
+      $name = legal_file::smash_extensions($name);
 
       if (!($image_info = getimagesize($file)) ||
           !in_array($image_info[2], array(IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG))) {
-- 
cgit v1.2.3


From 74fa9422db01fbc017ddbc847333cc7847f185ab Mon Sep 17 00:00:00 2001
From: Bharat Mediratta <bharat@menalto.com>
Date: Sat, 19 May 2012 11:20:47 -0700
Subject: Revert "Prevent server_add autocomplete from being interpreted as
 UTF-7.  Fixes #1871."

This only fixes server_add, we need to fix it more systemically.

This reverts commit 88c0363344860ff87bb7fa2d084b8ab190b364cb.
---
 modules/server_add/controllers/admin_server_add.php |  3 ++-
 modules/server_add/views/admin_server_add.html.php  | 17 -----------------
 2 files changed, 2 insertions(+), 18 deletions(-)

(limited to 'modules')

diff --git a/modules/server_add/controllers/admin_server_add.php b/modules/server_add/controllers/admin_server_add.php
index 7e63e4ae..954c9ef6 100644
--- a/modules/server_add/controllers/admin_server_add.php
+++ b/modules/server_add/controllers/admin_server_add.php
@@ -71,13 +71,14 @@ class Admin_Server_Add_Controller extends Admin_Controller {
   }
 
   public function autocomplete() {
-    $directories = array('<meta http-equiv="content-type" content="text/html; charset=utf-8">');
+    $directories = array();
     $path_prefix = Input::instance()->get("q");
     foreach (glob("{$path_prefix}*") as $file) {
       if (is_dir($file) && !is_link($file)) {
         $directories[] = html::clean($file);
       }
     }
+
     print implode("\n", $directories);
   }
 
diff --git a/modules/server_add/views/admin_server_add.html.php b/modules/server_add/views/admin_server_add.html.php
index b8443446..176cff72 100644
--- a/modules/server_add/views/admin_server_add.html.php
+++ b/modules/server_add/views/admin_server_add.html.php
@@ -9,23 +9,6 @@ $("document").ready(function() {
     {
       max: 256,
       loadingClass: "g-loading-small",
-      parse: function(data) {
-        var parsed = [];
-        var rows = data.split("\n");
-        rows.shift();  // drop <META> tag
-        for (var i=0; i < rows.length; i++) {
-          var row = $.trim(rows[i]);
-          if (row) {
-            row = row.split("|");
-            parsed[parsed.length] = {
-              data: row,
-              value: row[0],
-              result: row[0]
-            };
-          }
-        }
-        return parsed;
-      }
     });
 });
 </script>
-- 
cgit v1.2.3


From a9be0691d9efd84cbf5a9f05236caf4df23bcfdb Mon Sep 17 00:00:00 2001
From: Bharat Mediratta <bharat@menalto.com>
Date: Sat, 19 May 2012 11:28:46 -0700
Subject: Create an ajax response framework that inserts <meta> tags to guard
 against UTF-7, and create a $.gallery_autocomplete variant of jQuery's
 autocomplete that expects the first line to be a <meta> tag and discards it. 
 More complete fix for #1871.

---
 lib/gallery.common.js                              | 28 +++++++++++++++++++
 modules/g2_import/controllers/admin_g2_import.php  |  2 +-
 modules/g2_import/views/admin_g2_import.html.php   |  2 +-
 modules/gallery/helpers/ajax.php                   | 31 ++++++++++++++++++++++
 .../server_add/controllers/admin_server_add.php    |  3 ++-
 modules/server_add/views/admin_server_add.html.php |  2 +-
 modules/tag/controllers/tags.php                   |  4 +--
 modules/tag/helpers/tag_event.php                  |  4 +--
 modules/tag/views/tag_block.html.php               |  2 +-
 9 files changed, 69 insertions(+), 9 deletions(-)
 create mode 100644 modules/gallery/helpers/ajax.php

(limited to 'modules')

diff --git a/lib/gallery.common.js b/lib/gallery.common.js
index b499a2cd..755218f5 100644
--- a/lib/gallery.common.js
+++ b/lib/gallery.common.js
@@ -222,4 +222,32 @@
     });
   };
 
+  // Augment jQuery autocomplete to expect the first response line to
+  // be a <meta> tag that protects against UTF-7 attacks.
+  $.fn.gallery_autocomplete = function(url, options) {
+    // Drop the first response - it should be a meta tag
+    options.parse = function(data) {
+      var parsed = [];
+      var rows = data.split("\n");
+      if (rows[0].indexOf("<meta") == -1) {
+        throw 'Missing <meta> tag in first line of autocomplete response';
+      }
+      rows.shift();  // drop <META> tag
+      for (var i=0; i < rows.length; i++) {
+        var row = $.trim(rows[i]);
+        if (row) {
+          row = row.split("|");
+          parsed[parsed.length] = {
+            data: row,
+            value: row[0],
+            result: row[0]
+          };
+        }
+      }
+      return parsed;
+    };
+
+    $(this).autocomplete(url, options);
+  };
+
 })(jQuery);
diff --git a/modules/g2_import/controllers/admin_g2_import.php b/modules/g2_import/controllers/admin_g2_import.php
index b07082c9..5edd2a1b 100644
--- a/modules/g2_import/controllers/admin_g2_import.php
+++ b/modules/g2_import/controllers/admin_g2_import.php
@@ -113,7 +113,7 @@ class Admin_g2_import_Controller extends Admin_Controller {
       }
     }
 
-    print implode("\n", $directories);
+    ajax::response(implode("\n", $directories));
   }
 
   private function _get_import_form() {
diff --git a/modules/g2_import/views/admin_g2_import.html.php b/modules/g2_import/views/admin_g2_import.html.php
index 9c4eb840..22e19f5b 100644
--- a/modules/g2_import/views/admin_g2_import.html.php
+++ b/modules/g2_import/views/admin_g2_import.html.php
@@ -3,7 +3,7 @@
 <?= $theme->script("jquery.autocomplete.js") ?>
 <script type="text/javascript">
 $("document").ready(function() {
-  $("form input[name=embed_path]").autocomplete(
+  $("form input[name=embed_path]").gallery_autocomplete(
     "<?= url::site("__ARGS__") ?>".replace("__ARGS__", "admin/g2_import/autocomplete"),
     {
       max: 256,
diff --git a/modules/gallery/helpers/ajax.php b/modules/gallery/helpers/ajax.php
new file mode 100644
index 00000000..f01984a9
--- /dev/null
+++ b/modules/gallery/helpers/ajax.php
@@ -0,0 +1,31 @@
+<?php defined("SYSPATH") or die("No direct script access.");
+/**
+ * Gallery - a web based photo album viewer and editor
+ * Copyright (C) 2000-2012 Bharat Mediratta
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at
+ * your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+class ajax_Core {
+  /**
+   * Encode an Ajax response so that it's UTF-7 safe.
+   *
+   * @param  string $message string to print
+   */
+  static function response($content) {
+    header("Content-Type: text/plain; charset=" . Kohana::CHARSET);
+    print "<meta http-equiv=\"content-type\" content=\"text/html; charset=utf-8\">\n";
+    print html::clean($content);
+  }
+}
diff --git a/modules/server_add/controllers/admin_server_add.php b/modules/server_add/controllers/admin_server_add.php
index 954c9ef6..5b75c02d 100644
--- a/modules/server_add/controllers/admin_server_add.php
+++ b/modules/server_add/controllers/admin_server_add.php
@@ -72,6 +72,7 @@ class Admin_Server_Add_Controller extends Admin_Controller {
 
   public function autocomplete() {
     $directories = array();
+
     $path_prefix = Input::instance()->get("q");
     foreach (glob("{$path_prefix}*") as $file) {
       if (is_dir($file) && !is_link($file)) {
@@ -79,7 +80,7 @@ class Admin_Server_Add_Controller extends Admin_Controller {
       }
     }
 
-    print implode("\n", $directories);
+    ajax::response(implode("\n", $directories));
   }
 
   private function _get_admin_form() {
diff --git a/modules/server_add/views/admin_server_add.html.php b/modules/server_add/views/admin_server_add.html.php
index 176cff72..f59e327f 100644
--- a/modules/server_add/views/admin_server_add.html.php
+++ b/modules/server_add/views/admin_server_add.html.php
@@ -4,7 +4,7 @@
 <?= $theme->script("jquery.autocomplete.js") ?>
 <script type="text/javascript">
 $("document").ready(function() {
-  $("#g-path").autocomplete(
+  $("#g-path").gallery_autocomplete(
     "<?= url::site("__ARGS__") ?>".replace("__ARGS__", "admin/server_add/autocomplete"),
     {
       max: 256,
diff --git a/modules/tag/controllers/tags.php b/modules/tag/controllers/tags.php
index edb8c89b..9af3843e 100644
--- a/modules/tag/controllers/tags.php
+++ b/modules/tag/controllers/tags.php
@@ -57,9 +57,9 @@ class Tags_Controller extends Controller {
       ->limit($limit)
       ->find_all();
     foreach ($tag_list as $tag) {
-      $tags[] = $tag->name;
+      $tags[] = html::clean($tag->name);
     }
 
-    print implode("\n", $tags);
+    ajax::response(implode("\n", $tags));
   }
 }
diff --git a/modules/tag/helpers/tag_event.php b/modules/tag/helpers/tag_event.php
index d4f1c757..d2757219 100644
--- a/modules/tag/helpers/tag_event.php
+++ b/modules/tag/helpers/tag_event.php
@@ -72,7 +72,7 @@ class tag_event_Core {
     $url = url::site("tags/autocomplete");
     $form->script("")
       ->text("$('form input[name=tags]').ready(function() {
-                $('form input[name=tags]').autocomplete(
+                $('form input[name=tags]').gallery_autocomplete(
                   '$url', {max: 30, multiple: true, multipleSeparator: ',', cacheLength: 1});
               });");
 
@@ -123,7 +123,7 @@ class tag_event_Core {
     $autocomplete_url = url::site("tags/autocomplete");
     $group->script("")
       ->text("$('input[name=tags]')
-                .autocomplete(
+                .gallery_autocomplete(
                   '$autocomplete_url',
                   {max: 30, multiple: true, multipleSeparator: ',', cacheLength: 1}
                 )
diff --git a/modules/tag/views/tag_block.html.php b/modules/tag/views/tag_block.html.php
index 98fa0d4f..d25b8dcb 100644
--- a/modules/tag/views/tag_block.html.php
+++ b/modules/tag/views/tag_block.html.php
@@ -2,7 +2,7 @@
 <script type="text/javascript">
   $("#g-add-tag-form").ready(function() {
     var url = $("#g-tag-cloud-autocomplete-url").attr("href");
-    $("#g-add-tag-form input:text").autocomplete(
+    $("#g-add-tag-form input:text").gallery_autocomplete(
       url, {
         max: 30,
         multiple: true,
-- 
cgit v1.2.3


From 648d9a4de8420f0cec037041bb77c39beaa42ac6 Mon Sep 17 00:00:00 2001
From: Bharat Mediratta <bharat@menalto.com>
Date: Sat, 19 May 2012 11:51:10 -0700
Subject: Remove accidental double encoding.

---
 modules/gallery/helpers/ajax.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'modules')

diff --git a/modules/gallery/helpers/ajax.php b/modules/gallery/helpers/ajax.php
index f01984a9..6d59b6e4 100644
--- a/modules/gallery/helpers/ajax.php
+++ b/modules/gallery/helpers/ajax.php
@@ -26,6 +26,6 @@ class ajax_Core {
   static function response($content) {
     header("Content-Type: text/plain; charset=" . Kohana::CHARSET);
     print "<meta http-equiv=\"content-type\" content=\"text/html; charset=utf-8\">\n";
-    print html::clean($content);
+    print $content;
   }
 }
-- 
cgit v1.2.3