[pLog-svn] r6289 - in plog/trunk: . class/data/validator class/misc class/test/tests/misc config docs-devel gallery install locale locale/admin plugins release templates/LifeType/en_UK

Reto Hugi plog at hugi.to
Tue Apr 1 15:22:40 EDT 2008


I guess we should stop making commits to the 1.2 branch unless it's
security-related. Poor Mark constantly has to merge stuff down. And we
should all be working on 2.0 by now :)

Oh well. What do you guys think? (i.e. Jon, as Mark is already working
on 2.0) ;-)

On 04/01/2008 02:26 PM, mark at devel.lifetype.net wrote:
> Author: mark
> Date: 2008-04-01 08:26:03 -0400 (Tue, 01 Apr 2008)
> New Revision: 6289
> 
> Added:
>    plog/trunk/config/.htaccess
>    plog/trunk/docs-devel/.htaccess
>    plog/trunk/install/.htaccess
>    plog/trunk/locale/.htaccess
>    plog/trunk/release/.htaccess
> Modified:
>    plog/trunk/.htaccess
>    plog/trunk/class/data/validator/uploadvalidator.class.php
>    plog/trunk/class/misc/glob.class.php
>    plog/trunk/class/misc/integritychecker.class.php
>    plog/trunk/class/test/tests/misc/glob_test.class.php
>    plog/trunk/gallery/.htaccess
>    plog/trunk/locale/admin/locale_de_DE.php
>    plog/trunk/locale/admin/locale_en_UK.php
>    plog/trunk/plugins/.htaccess
>    plog/trunk/templates/LifeType/en_UK/strings.txt
>    plog/trunk/version.php
> Log:
> Merge from LifeType 1.2 branch 6268:6288
> 
> Modified: plog/trunk/.htaccess
> ===================================================================
> --- plog/trunk/.htaccess	2008-04-01 09:22:32 UTC (rev 6288)
> +++ plog/trunk/.htaccess	2008-04-01 12:26:03 UTC (rev 6289)
> @@ -16,7 +16,9 @@
>  RewriteEngine On
>  RewriteBase /
>  
> -  # Point to the sitemap file that is local to the blog
> +# Point to the sitemap file that is local to the blog. This is a Plugin 
> +# specific rewrite rule and can safely be commented out, if you are not using
> +# the Sitemap plugin (http://wiki.lifetype.net/index.php/Plugin_sitemap).
>  RewriteRule ^sitemap([0-9]+)\.gz$ tmp/sitemap/$1/sitemap.gz [L,NC]
>  
>  # Permalink to the blog entry (i.e. /1_userfoo/archive/3_title-foo-bar.html)
> @@ -73,6 +75,13 @@
>  # Static Pages (i.e /3_userfoo/demosites)
>  RewriteRule ^([0-9]+)_[^/]+/(.+)$ index.php?op=Template&blogId=$1&show=$2 [NC]
>  
> +# If you would like to use custom urls but ForceType or SetType directives do
> +# not work on your server (e.g. PHP is running as CGI/FastCGI) you may uncomment
> +# the rewrite rule below to rewrite all requests to ./blog to ./blog.php.
> +# Please note that this works only as long as you don't change the default
> +# custom url patterns in your LifeType administration.
> +## RewriteRule ^blog/(.+)  blog.php/$1 [L,NC]
> +
>  </IfModule>
>  
>  # ForceType settings for hosts that default to php4
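
Review bot: the commented-out `## RewriteRule ^blog/(.+)  blog.php/$1 [L,NC]` hands the rest of the URL to blog.php as PATH_INFO, and on a CGI/FastCGI host (the very setup the comment targets) whether PHP sees that depends on how the host passes PATH_INFO to php-cgi (`cgi.fix_pathinfo` in php.ini, `AcceptPathInfo` in Apache); the comment should mention this, otherwise someone who uncomments the rule and gets a 404 will assume the rule itself is wrong. The double `##` is a reasonable "disabled on purpose" marker but is used nowhere else in this file; a single `#` plus a "remove the leading # to enable" sentence is less surprising.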
> 
> Modified: plog/trunk/class/data/validator/uploadvalidator.class.php
> ===================================================================
> --- plog/trunk/class/data/validator/uploadvalidator.class.php	2008-04-01 09:22:32 UTC (rev 6288)
> +++ plog/trunk/class/data/validator/uploadvalidator.class.php	2008-04-01 12:26:03 UTC (rev 6289)
> @@ -81,7 +81,7 @@
>              // check if the filename extension is forbidden or not
>              $fileName = basename($upload->getFileName());
>              foreach( explode( " ", $forbiddenFilesStr ) as $file ) {
> -            	if( Glob::myFnmatch( $file, $fileName )) {
> +            	if( Glob::fnmatch( $file, $fileName )) {
>                  	return UPLOAD_VALIDATOR_ERROR_FORBIDDEN_EXTENSION;
>                  }
>              }
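
Review bot: switching the forbidden-extension check to `Glob::fnmatch` makes it case-insensitive by default (the old `myFnmatch`, now `_myFnmatch`, is documented as case-sensitive), which closes the `evil.PHP` / `evil.Php` bypass of a `*.php` entry in the forbidden list; that is the security-relevant part of this merge and deserves a sentence in the log message instead of "Merge from LifeType 1.2 branch". What it does not change is that this is still a blacklist matched against the whole basename, so `*.php` does not cover `shell.php.xyz`, which mod_mime on a stock Apache will still pass to the PHP handler when the last extension is unknown; the allowed-list branch below is the safer mode and the admin documentation should steer people to it.
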
> @@ -99,7 +99,7 @@
>              // check if the filename extension is one of the allowed ones or not
>              $fileName = basename($upload->getFileName());
>              foreach( explode( " ", $allowedFilesStr ) as $file ) {
> -            	if( Glob::myFnmatch( $file, $fileName )) {
> +            	if( Glob::fnmatch( $file, $fileName )) {
>  //					print("it's a valid file!");
>                  	return true;
>                  }
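
Review bot: the leftover `//print("it's a valid file!");` debug line inside this loop should go while the code is being touched. Otherwise the change here is the same rename, and the allowed list inherits the new case-insensitive default, which is what you want: an allowed `*.jpg` now also accepts `IMG.JPG`.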
> 
> Modified: plog/trunk/class/misc/glob.class.php
> ===================================================================
> --- plog/trunk/class/misc/glob.class.php	2008-04-01 09:22:32 UTC (rev 6288)
> +++ plog/trunk/class/misc/glob.class.php	2008-04-01 12:26:03 UTC (rev 6289)
> @@ -65,18 +65,24 @@
>           *
>           * @param pattern The shell pattern.
>           * @param file The filename we would like to match.
> +         * @param casesensitive Whether the search should be case-sensitive or not
>           * @return True if the file matches the pattern or false if not.
>           * @static
>           */
> -        function fnmatch( $pattern, $file )
> +        function fnmatch( $pattern, $file, $casesensitive = false )
>          {
> +        	if( !$casesensitive ){
> +        		$pattern = strtolower( $pattern );
> +        		$file = strtolower( $file );
> +        	}
> +        	
>          	if( function_exists("fnmatch")) {
>              	// use the native fnmatch version
>                  return fnmatch( $pattern, $file );
>              }
>              else {
>                  // otherwise, use our own
> -                return Glob::myFnmatch( $pattern, $file );
> +                return Glob::_myFnmatch( $pattern, $file );
>              }
>          }
>  
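Review bot: lowering both `$pattern` and `$file` with `strtolower` before calling the native `fnmatch` is the portable choice, since `FNM_CASEFOLD` is a GNU extension that PHP only exposes on some platforms, but two side effects deserve a comment next to the `if( !$casesensitive )` block: bracket expressions in the pattern are lowered as well (`[A-Z]*` becomes `[a-z]*`, still correct for a case-insensitive match), and `strtolower` is byte-wise and locale-dependent, so non-ASCII filenames may not fold the way a caller expects. The new `$casesensitive = false` default also silently changes behaviour for every existing caller; since that is exactly the hardening the upload validator needs it is fine, but the `@param` line should state that the default is case-insensitive, and the docblock should say why the fallback stays (native `fnmatch` is missing on Windows builds of PHP before 5.3).
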
> @@ -136,14 +142,17 @@
>           * Based on a user-contributed code for the fnmatch php function here:
>           * http://www.php.net/manual/en/function.fnmatch.php
>   	 	 *
> +         * Note, this function is case-sensitive (like the native fnmatch)
> +         *
>  		 * @static
> +         * @private (call this->fnmatch instead)
>           */
> -        function myFnmatch( $pattern, $file )
> +        function _myFnmatch( $pattern, $file )
>          {
>          	for($i=0,$len = strlen($pattern); $i<$len; $i++) {
>              	if($pattern[$i] == "*") {
>                  	for($c=$i; $c<max(strlen($pattern), strlen($file)); $c++) {
> -                    	if(Glob::myFnmatch(substr($pattern, $i+1), substr($file, $c))) {
> +                    	if(Glob::_myFnmatch(substr($pattern, $i+1), substr($file, $c))) {
>                          	return true;
>                          }
>                      }
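
Review bot: the leading underscore and the `@private (call this->fnmatch instead)` tag are documentation only; in this PHP4-style class nothing stops a caller from invoking `_myFnmatch` directly (the unit test below does exactly that) and silently getting a case-sensitive match, so a future caller that copies that pattern reintroduces the `.PHP` bypass the rename is meant to prevent. Spell out the intent in the docblock, e.g. "not for security checks; use fnmatch(), which applies the case folding", rather than relying on the name alone.
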
> @@ -159,7 +168,7 @@
>                          	break;
>                      }
>                      foreach ($letter_set as $letter) {
> -                    	if(Glob::myFnmatch($letter.substr($pattern, $c+1), substr($file, $i))) {
> +                    	if(Glob::_myFnmatch($letter.substr($pattern, $c+1), substr($file, $i))) {
>                          	return true;
>                          }
>                      }
> 
> Modified: plog/trunk/class/misc/integritychecker.class.php
> ===================================================================
> --- plog/trunk/class/misc/integritychecker.class.php	2008-04-01 09:22:32 UTC (rev 6288)
> +++ plog/trunk/class/misc/integritychecker.class.php	2008-04-01 12:26:03 UTC (rev 6289)
> @@ -84,7 +84,7 @@
>  			
>  			$result = false;
>  			foreach( $ignore as $pattern ) {
> -				if( Glob::myFnMatch( $pattern, $file )) {
> +				if( Glob::fnmatch( $pattern, $file )) {
>  					$result = true;
>  					break;					
>  				}
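
Review bot: this call inherits the new case-insensitive default, so the integrity checker's ignore list now also skips `README.TXT` when the pattern says `readme.txt`; on case-sensitive filesystems that is a behaviour change, and for a checker deciding which files to skip it is a slightly more permissive one. If that is intended, say so in the log message; if not, pass `true` as the third argument here so that only the upload validator gets the relaxed match. The old spelling `myFnMatch` only worked because PHP method names are case-insensitive, so the rename also fixes a latent typo.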
> 
> Modified: plog/trunk/class/test/tests/misc/glob_test.class.php
> ===================================================================
> --- plog/trunk/class/test/tests/misc/glob_test.class.php	2008-04-01 09:22:32 UTC (rev 6288)
> +++ plog/trunk/class/test/tests/misc/glob_test.class.php	2008-04-01 12:26:03 UTC (rev 6289)
> @@ -13,10 +13,22 @@
>  		function testmyFnMatch()
>  		{
>  			// incorrect match
> -			$this->assertFalse( Glob::myFnMatch( "*.index.template.*", "index.template.php" ));
> -			
> +			$this->assertFalse( Glob::_myFnmatch( "*.index.template.*", "index.template.php" ) );
> +
>  			// valid match
> -			$this->assertTrue( Glob::myFnMatch( "*index.template.*", "index.template.php" ));			
> +			$this->assertTrue( Glob::_myFnmatch( "*index.template.*", "index.template.php" ) );		
> +		}
> +
> +		function testfnmatch()
> +		{
> +			// case sensitive check => false
> +			$this->assertFalse( Glob::fnmatch( "*index.template.PHP", "index.template.php", true ) );
> +
> +			// case insensitive check => true
> +			$this->assertTrue( Glob::fnmatch( "*index.template.PHP", "index.template.php", false ) );
> +
> +			// default is case-insensitive => true
> +			$this->assertTrue( Glob::fnmatch( "*index.template.PHP", "index.template.php" ) );
>  		}		
>  	}
>  ?>
> \ No newline at end of file
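
Review bot: the new `testfnmatch` covers the `$casesensitive` flag, but nothing asserts the property the `_myFnmatch` docblock now promises (case-sensitive, like native fnmatch), and nothing checks that the fallback agrees with the native implementation, which is the only thing that makes the no-`fnmatch` path as safe as the native one. Two cheap additions: `$this->assertFalse( Glob::_myFnmatch( "*.PHP", "x.php" ) );` and, guarded by `function_exists("fnmatch")`, a loop over a handful of pattern/filename pairs asserting `fnmatch( $p, $f ) === Glob::_myFnmatch( $p, $f )`. The file also still lacks a trailing newline.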
> 
> Copied: plog/trunk/config/.htaccess (from rev 6288, plog/branches/lifetype-1.2/config/.htaccess)
> ===================================================================
> --- plog/trunk/config/.htaccess	                        (rev 0)
> +++ plog/trunk/config/.htaccess	2008-04-01 12:26:03 UTC (rev 6289)
> @@ -0,0 +1,6 @@
> +<Files "*">
> + Order allow,deny
> + Deny from all
> +</Files>
> +
> +ErrorDocument 403  "Access is not allowed"
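
Review bot: `Order allow,deny` / `Deny from all` only takes effect when the server's `AllowOverride` for this tree includes `Limit` (and `FileInfo` for the `ErrorDocument` line); when it does not, Apache ignores the file silently and the directory is as exposed as before, and non-Apache servers never read it at all. That is worth a line in the install notes plus a post-install check such as `curl -I http://host/config/` expecting a 403. The identical file is added under docs-devel/, install/, locale/ and release/; for install/ please confirm that nothing under it needs to be fetched over HTTP during setup, otherwise this blocks the installer it is meant to protect.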
> 
> Copied: plog/trunk/docs-devel/.htaccess (from rev 6288, plog/branches/lifetype-1.2/docs-devel/.htaccess)
> ===================================================================
> --- plog/trunk/docs-devel/.htaccess	                        (rev 0)
> +++ plog/trunk/docs-devel/.htaccess	2008-04-01 12:26:03 UTC (rev 6289)
> @@ -0,0 +1,6 @@
> +<Files "*">
> + Order allow,deny
> + Deny from all
> +</Files>
> +
> +ErrorDocument 403  "Access is not allowed"
> 
> Modified: plog/trunk/gallery/.htaccess
> ===================================================================
> --- plog/trunk/gallery/.htaccess	2008-04-01 09:22:32 UTC (rev 6288)
> +++ plog/trunk/gallery/.htaccess	2008-04-01 12:26:03 UTC (rev 6289)
> @@ -1,15 +1,20 @@
> -<Files "*.php">
> +# case insensitive file matching.  See conversations on the svn list circa 2008-03-29
> +# regarding this setting.  It is basically impossible to get this string perfect,
> +# and so there is an inherent security risk of allowing untrusted users to upload
> +# files
> +<Files ~ "/\.(php|php3|php4|php5|php6|pht|php3p|phtml|htm|html|pl|py|pyc|pyo|rb|cgi)$/i">
>   Order allow,deny
>   Deny from all
>  </Files>
>  
> -<Files "*.htm">
> - Order allow,deny
> - Deny from all
> -</Files>
>  
> -<Files "*.html">
> - Order allow,deny
> - Deny from all
> -</Files>
> -
> +# to be more secure, you can deny access to all files
> +# and then only allow access to specific extensions
> +#<Files "*">
> +# Order allow,deny
> +# Deny from all
> +#</Files>
> +#
> +#<Files ~ "/\.(gif|jpg|mp3|mov|png|bmp|pdf)$/i">
> +#  Allow from all
> +#</Files>
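
Review bot: the new `<Files ~ "/\.(php|php3|...|cgi)$/i">` line matches nothing on Apache, so the `Deny from all` under it never fires and gallery/ ends up with less protection than the `<Files "*.php">` block it replaces. `<Files ~>` and `<FilesMatch>` take a bare regex with no `/.../i` delimiter syntax, so the leading `/` and the trailing `/i` are literal characters, and nothing can match after `$`. Write it as `<Files ~ "(?i)\.(php|php3|php4|php5|php6|pht|php3p|phtml|htm|html|pl|py|pyc|pyo|rb|cgi)$">`; the `(?i)` supplies the case-insensitivity the comment asks for, since on Linux the match is otherwise case-sensitive. The commented-out allow list below (`/\.(gif|jpg|mp3|mov|png|bmp|pdf)$/i`) has the same problem. Two more points: because the pattern is anchored at `$`, a name like `shell.php.xyz` with an unknown trailing extension is not denied, and mod_mime on a stock Apache will still hand it to the PHP handler, which is one more reason to make the deny-all / allow-known-types variant the default rather than a comment, as the comment itself concedes that an extension list cannot be complete. Verify with a test upload and `curl -I` against the stored file: the expected answer is 403, not 200.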
> 
> Copied: plog/trunk/install/.htaccess (from rev 6288, plog/branches/lifetype-1.2/install/.htaccess)
> ===================================================================
> --- plog/trunk/install/.htaccess	                        (rev 0)
> +++ plog/trunk/install/.htaccess	2008-04-01 12:26:03 UTC (rev 6289)
> @@ -0,0 +1,6 @@
> +<Files "*">
> + Order allow,deny
> + Deny from all
> +</Files>
> +
> +ErrorDocument 403  "Access is not allowed"
> 
> Copied: plog/trunk/locale/.htaccess (from rev 6288, plog/branches/lifetype-1.2/locale/.htaccess)
> ===================================================================
> --- plog/trunk/locale/.htaccess	                        (rev 0)
> +++ plog/trunk/locale/.htaccess	2008-04-01 12:26:03 UTC (rev 6289)
> @@ -0,0 +1,6 @@
> +<Files "*">
> + Order allow,deny
> + Deny from all
> +</Files>
> +
> +ErrorDocument 403  "Access is not allowed"
> 
> Modified: plog/trunk/locale/admin/locale_de_DE.php
> ===================================================================
> --- plog/trunk/locale/admin/locale_de_DE.php	2008-04-01 09:22:32 UTC (rev 6288)
> +++ plog/trunk/locale/admin/locale_de_DE.php	2008-04-01 12:26:03 UTC (rev 6289)
> @@ -939,7 +939,7 @@
>  $messages['blogs'] = 'Blogs';
>  $messages['resources'] = 'Resourcen';
>  $messages['upload_in_progress'] = 'Daten werden gesendet, bitte warten...';
> -$messages['error_incorrect_username'] = 'Der Benutzername ist nicht korrekt, er ist entweder schon vergeben, oder er ist zu lang (maximal 15 Zeichen!)';
> +$messages['error_incorrect_username'] = 'Der Benutzername ist nicht korrekt, er ist entweder schon vergeben, enth&auml;lt nicht erlaubte Zeichen oder ist zu lang (keine Sonderzeichen, keine Grossbuchstaben, maximal 15 Zeichen!)';
>  
>  $messages['Miscellaneous'] = 'Verschiedenes';
>  $messages['Plugins'] = 'Plugins';
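
Review bot: the new message (here and in the en_UK file below) tells the user that usernames may not contain special characters or capitals and are at most 15 characters, but no validator change is part of this merge, so the text is only accurate if whatever enforces the username rule already rejects those inputs; please confirm that, and keep the two translations saying the same thing so the error means the same across locales.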
> 
> Modified: plog/trunk/locale/admin/locale_en_UK.php
> ===================================================================
> --- plog/trunk/locale/admin/locale_en_UK.php	2008-04-01 09:22:32 UTC (rev 6288)
> +++ plog/trunk/locale/admin/locale_en_UK.php	2008-04-01 12:26:03 UTC (rev 6289)
> @@ -920,7 +920,7 @@
>  $messages['blogs'] = 'Blogs';
>  $messages['resources'] = 'Resources';
>  $messages['upload_in_progress'] = 'Uploading. Please wait...';
> -$messages['error_incorrect_username'] = 'The username is not correct, it is already in use or it is too long (maximum 15 characters)';
> +$messages['error_incorrect_username'] = 'The username is not correct, it is already in use, contains disallowed characters or it is too long (no special characters, no capitals, maximum 15 characters)';
>  
>  $messages['Miscellaneous'] = 'Miscellaneous';
>  $messages['Plugins'] = 'Plugins';
> 
> Modified: plog/trunk/plugins/.htaccess
> ===================================================================
> --- plog/trunk/plugins/.htaccess	2008-04-01 09:22:32 UTC (rev 6288)
> +++ plog/trunk/plugins/.htaccess	2008-04-01 12:26:03 UTC (rev 6289)
> @@ -1,5 +1,20 @@
> -<Files "*.php">
> +# case insensitive file matching.  See conversations on the svn list circa 2008-03-29
> +# regarding this setting.  It is basically impossible to get this string perfect,
> +# and so there is an inherent security risk of allowing untrusted users to upload
> +# files
> +<Files ~ "/\.(php|php3|php4|php5|php6|pht|php3p|phtml|htm|html|pl|py|pyc|pyo|rb|cgi)$/i">
>   Order allow,deny
>   Deny from all
>  </Files>
>  
> +
> +# to be more secure, you can deny access to all files
> +# and then only allow access to specific extensions
> +#<Files "*">
> +# Order allow,deny
> +# Deny from all
> +#</Files>
> +#
> +#<Files ~ "/\.(gif|jpg|mp3|mov|png|bmp|pdf)$/i">
> +#  Allow from all
> +#</Files>
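
Review bot: same regex problem as gallery/.htaccess: the `/.../i` delimiters are literal to Apache, so this `<Files ~>` never matches and plugins/ loses the `*.php` block it had. Use `(?i)\.(php|php3|php4|php5|php6|pht|php3p|phtml|htm|html|pl|py|pyc|pyo|rb|cgi)$` here as well. Since plugin code is only ever included by the application, this directory is a good candidate for the deny-all block that is commented out below, unless plugins ship static assets (images, stylesheets) that browsers fetch directly; in that case the allow-list variant with just those types is still tighter than an extension blacklist.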
> 
> Copied: plog/trunk/release/.htaccess (from rev 6288, plog/branches/lifetype-1.2/release/.htaccess)
> ===================================================================
> --- plog/trunk/release/.htaccess	                        (rev 0)
> +++ plog/trunk/release/.htaccess	2008-04-01 12:26:03 UTC (rev 6289)
> @@ -0,0 +1,6 @@
> +<Files "*">
> + Order allow,deny
> + Deny from all
> +</Files>
> +
> +ErrorDocument 403  "Access is not allowed"
> 
> Modified: plog/trunk/templates/LifeType/en_UK/strings.txt
> ===================================================================
> --- plog/trunk/templates/LifeType/en_UK/strings.txt	2008-04-01 09:22:32 UTC (rev 6288)
> +++ plog/trunk/templates/LifeType/en_UK/strings.txt	2008-04-01 12:26:03 UTC (rev 6289)
> @@ -1,8 +1,8 @@
>  ltTagline = """LifeType is an open-source blogging platform with support for multiple blogs and users
>  in a single installation."""
>  
> -frontPageLeft = """The latest stable version of LifeType is <b>1.2.6</b>. Click the link below to download.<br/>
> -Take a look at the <a href="/post/2008/01/23/lifetype-1.2.6">Release Page</a>."""
> +frontPageLeft = """The latest stable version of LifeType is <b>1.2.7</b>. Click the link below to download.<br/>
> +Take a look at the <a href="/post/2008/03/30/lifetype-1.2.7">Release Page</a>."""
>  
>  frontPageRight = """LifeType supports multiple blogs and users, media management,
>  generation of standard content, clean URLs and support for subdomains.
> 
> Modified: plog/trunk/version.php
> ===================================================================
> --- plog/trunk/version.php	2008-04-01 09:22:32 UTC (rev 6288)
> +++ plog/trunk/version.php	2008-04-01 12:26:03 UTC (rev 6289)
> @@ -1,3 +1,3 @@
>  <?php
> -    $version = 'LifeType-2.0-Dev';
> +$version = 'lifetype-1.2.7-dev';
>  ?>
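
Review bot: this hunk looks like a merge artifact rather than an intended change: trunk is the 2.0 line, and the merge replaces `LifeType-2.0-Dev` with the branch's `lifetype-1.2.7-dev`, so trunk now reports a 1.2 version to anything that reads `$version`. Revert `version.php` on trunk and exclude it from future merges down from the 1.2 branch, the same way `strings.txt` presumably should track the release site rather than trunk.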
> 
> _______________________________________________
> pLog-svn mailing list
> pLog-svn at devel.lifetype.net
> http://limedaley.com/mailman/listinfo/plog-svn
