[pLog-svn] r6289 - in plog/trunk: . class/data/validator class/misc class/test/tests/misc config docs-devel gallery install locale locale/admin plugins release templates/LifeType/en_UK

Jon Daley plogworld at jon.limedaley.com
Tue Apr 1 15:25:56 EDT 2008


 	Yeah, that's fine.  I kind of figured there would be a 1.2.7, so I 
wanted to get some things fixed there.  But, yeah, a user asked about when 
2.0 would be released, since our web page said early 2008...
 	What is the status of the trunk?  Is it useable for a developers 
blog, or can it only be used for test installations?

On Tue, 1 Apr 2008, Reto Hugi wrote:

> I guess we should stop making commits to 1.2 branch unless it's
> security related. Poor Mark constantly has to merge stuff down. And we
> should all be working on 2.0 by now :)
>
> oh, well. What do you guys think? (i.e. jon, as mark is already working
> on 2.0 ) ;-)
>
> On 04/01/2008 02:26 PM, mark at devel.lifetype.net wrote:
>> Author: mark
>> Date: 2008-04-01 08:26:03 -0400 (Tue, 01 Apr 2008)
>> New Revision: 6289
>>
>> Added:
>>    plog/trunk/config/.htaccess
>>    plog/trunk/docs-devel/.htaccess
>>    plog/trunk/install/.htaccess
>>    plog/trunk/locale/.htaccess
>>    plog/trunk/release/.htaccess
>> Modified:
>>    plog/trunk/.htaccess
>>    plog/trunk/class/data/validator/uploadvalidator.class.php
>>    plog/trunk/class/misc/glob.class.php
>>    plog/trunk/class/misc/integritychecker.class.php
>>    plog/trunk/class/test/tests/misc/glob_test.class.php
>>    plog/trunk/gallery/.htaccess
>>    plog/trunk/locale/admin/locale_de_DE.php
>>    plog/trunk/locale/admin/locale_en_UK.php
>>    plog/trunk/plugins/.htaccess
>>    plog/trunk/templates/LifeType/en_UK/strings.txt
>>    plog/trunk/version.php
>> Log:
>> Merge from LifeType 1.2 branch 6268:6288
>>
>> Modified: plog/trunk/.htaccess
>> ===================================================================
>> --- plog/trunk/.htaccess	2008-04-01 09:22:32 UTC (rev 6288)
>> +++ plog/trunk/.htaccess	2008-04-01 12:26:03 UTC (rev 6289)
>> @@ -16,7 +16,9 @@
>>  RewriteEngine On
>>  RewriteBase /
>>
>> -  # Point to the sitemap file that is local to the blog
>> +# Point to the sitemap file that is local to the blog. This is a Plugin
>> +# specific rewrite rule and can safely be commented out, if you are not using
>> +# the Sitemap plugin (http://wiki.lifetype.net/index.php/Plugin_sitemap).
>>  RewriteRule ^sitemap([0-9]+)\.gz$ tmp/sitemap/$1/sitemap.gz [L,NC]
>>
>>  # Permalink to the blog entry (i.e. /1_userfoo/archive/3_title-foo-bar.html)
>> @@ -73,6 +75,13 @@
>>  # Static Pages (i.e /3_userfoo/demosites)
>>  RewriteRule ^([0-9]+)_[^/]+/(.+)$ index.php?op=Template&blogId=$1&show=$2 [NC]
>>
>> +# If you would like to use custom urls but ForceType or SetType directives do
>> +# not work on your server (e.g. PHP is running as CGI/FastCGI) you may uncomment
>> +# the rewrite rule below to rewrite all requests to ./blog to ./blog.php.
>> +# Please note that this works only as long as you don't change the default
>> +# custom url patterns in your LifeType administration.
>> +## RewriteRule ^blog/(.+)  blog.php/$1 [L,NC]
>> +
>>  </IfModule>
>>
>>  # ForceType settings for hosts that default to php4
>>
>> Modified: plog/trunk/class/data/validator/uploadvalidator.class.php
>> ===================================================================
>> --- plog/trunk/class/data/validator/uploadvalidator.class.php	2008-04-01 09:22:32 UTC (rev 6288)
>> +++ plog/trunk/class/data/validator/uploadvalidator.class.php	2008-04-01 12:26:03 UTC (rev 6289)
>> @@ -81,7 +81,7 @@
>>              // check if the filename extension is forbidden or not
>>              $fileName = basename($upload->getFileName());
>>              foreach( explode( " ", $forbiddenFilesStr ) as $file ) {
>> -            	if( Glob::myFnmatch( $file, $fileName )) {
>> +            	if( Glob::fnmatch( $file, $fileName )) {
>>                  	return UPLOAD_VALIDATOR_ERROR_FORBIDDEN_EXTENSION;
>>                  }
>>              }
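Review bot: the forbidden-extension check at `Glob::fnmatch( $file, $fileName )` now gets its case-insensitivity only from the new default `$casesensitive = false`. Pass `false` explicitly here so that a later change to the default cannot silently make the deny list case-sensitive again.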
>> @@ -99,7 +99,7 @@
>>              // check if the filename extension is one of the allowed ones or not
>>              $fileName = basename($upload->getFileName());
>>              foreach( explode( " ", $allowedFilesStr ) as $file ) {
>> -            	if( Glob::myFnmatch( $file, $fileName )) {
>> +            	if( Glob::fnmatch( $file, $fileName )) {
>>  //					print("it's a valid file!");
>>                  	return true;
>>                  }
>>
>> Modified: plog/trunk/class/misc/glob.class.php
>> ===================================================================
>> --- plog/trunk/class/misc/glob.class.php	2008-04-01 09:22:32 UTC (rev 6288)
>> +++ plog/trunk/class/misc/glob.class.php	2008-04-01 12:26:03 UTC (rev 6289)
>> @@ -65,18 +65,24 @@
>>           *
>>           * @param pattern The shell pattern.
>>           * @param file The filename we would like to match.
>> +         * @param casesensitive Whether the search should be case-sensitive or not
>>           * @return True if the file matches the pattern or false if not.
>>           * @static
>>           */
>> -        function fnmatch( $pattern, $file )
>> +        function fnmatch( $pattern, $file, $casesensitive = false )
>>          {
>> +        	if( !$casesensitive ){
>> +        		$pattern = strtolower( $pattern );
>> +        		$file = strtolower( $file );
>> +        	}
>> +
>>          	if( function_exists("fnmatch")) {
>>              	// use the native fnmatch version
>>                  return fnmatch( $pattern, $file );
>>              }
>>              else {
>>                  // otherwise, use our own
>> -                return Glob::myFnmatch( $pattern, $file );
>> +                return Glob::_myFnmatch( $pattern, $file );
>>              }
>>          }
>>
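Review bot: defaulting `$casesensitive` to `false` changes the result for every existing caller of `Glob::fnmatch`, and the `@param casesensitive` line does not state the default; say so in the docblock. `strtolower()` follows the current locale and is not multibyte-aware, so what this provides is ASCII case folding, which is worth a one-line comment since the upload validator depends on it.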
>> @@ -136,14 +142,17 @@
>>           * Based on a user-contributed code for the fnmatch php function here:
>>           * http://www.php.net/manual/en/function.fnmatch.php
>>   	 	 *
>> +         * Note, this function is case-sensitive (like the native fnmatch)
>> +         *
>>  		 * @static
>> +         * @private (call this->fnmatch instead)
>>           */
>> -        function myFnmatch( $pattern, $file )
>> +        function _myFnmatch( $pattern, $file )
>>          {
>>          	for($i=0,$len = strlen($pattern); $i<$len; $i++) {
>>              	if($pattern[$i] == "*") {
>>                  	for($c=$i; $c<max(strlen($pattern), strlen($file)); $c++) {
>> -                    	if(Glob::myFnmatch(substr($pattern, $i+1), substr($file, $c))) {
>> +                    	if(Glob::_myFnmatch(substr($pattern, $i+1), substr($file, $c))) {
>>                          	return true;
>>                          }
>>                      }
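Review bot: the docblock line `@private (call this->fnmatch instead)` points at an instance call, but the method is marked `@static` and every caller in this commit uses `Glob::fnmatch`; word it that way. The leading underscore is only a naming convention, so also note that glob_test.class.php is the one remaining direct caller of `_myFnmatch`.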
>> @@ -159,7 +168,7 @@
>>                          	break;
>>                      }
>>                      foreach ($letter_set as $letter) {
>> -                    	if(Glob::myFnmatch($letter.substr($pattern, $c+1), substr($file, $i))) {
>> +                    	if(Glob::_myFnmatch($letter.substr($pattern, $c+1), substr($file, $i))) {
>>                          	return true;
>>                          }
>>                      }
>>
>> Modified: plog/trunk/class/misc/integritychecker.class.php
>> ===================================================================
>> --- plog/trunk/class/misc/integritychecker.class.php	2008-04-01 09:22:32 UTC (rev 6288)
>> +++ plog/trunk/class/misc/integritychecker.class.php	2008-04-01 12:26:03 UTC (rev 6289)
>> @@ -84,7 +84,7 @@
>>
>>  			$result = false;
>>  			foreach( $ignore as $pattern ) {
>> -				if( Glob::myFnMatch( $pattern, $file )) {
>> +				if( Glob::fnmatch( $pattern, $file )) {
>>  					$result = true;
>>  					break;
>>  				}
>>
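Review bot: the ignore-list match at `Glob::fnmatch( $pattern, $file )` becomes case-insensitive with this change, because the third argument is left at its default of `false`. An ignore pattern now also excludes files that differ from it only in case from the integrity check; if exact matching is wanted here, pass `true`.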
>> Modified: plog/trunk/class/test/tests/misc/glob_test.class.php
>> ===================================================================
>> --- plog/trunk/class/test/tests/misc/glob_test.class.php	2008-04-01 09:22:32 UTC (rev 6288)
>> +++ plog/trunk/class/test/tests/misc/glob_test.class.php	2008-04-01 12:26:03 UTC (rev 6289)
>> @@ -13,10 +13,22 @@
>>  		function testmyFnMatch()
>>  		{
>>  			// incorrect match
>> -			$this->assertFalse( Glob::myFnMatch( "*.index.template.*", "index.template.php" ));
>> -
>> +			$this->assertFalse( Glob::_myFnmatch( "*.index.template.*", "index.template.php" ) );
>> +
>>  			// valid match
>> -			$this->assertTrue( Glob::myFnMatch( "*index.template.*", "index.template.php" ));
>> +			$this->assertTrue( Glob::_myFnmatch( "*index.template.*", "index.template.php" ) );
>> +		}
>> +
>> +		function testfnmatch()
>> +		{
>> +			// case sensitive check => false
>> +			$this->assertFalse( Glob::fnmatch( "*index.template.PHP", "index.template.php", true ) );
>> +
>> +			// case insensitive check => true
>> +			$this->assertTrue( Glob::fnmatch( "*index.template.PHP", "index.template.php", false ) );
>> +
>> +			// default is case-insensitive => true
>> +			$this->assertTrue( Glob::fnmatch( "*index.template.PHP", "index.template.php" ) );
>>  		}
>>  	}
>>  ?>
>> \ No newline at end of file
>>
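Review bot: `testfnmatch()` only ever puts the upper case in the pattern (`"*index.template.PHP"`), while the case the upload validator depends on is the reverse: a lower-case pattern against an upper- or mixed-case file name. Add an assertion such as `Glob::fnmatch( "*.php", "index.template.PhP" )` expecting true, and the same call with `true` as third argument expecting false. `testmyFnMatch()` also keeps its old name although it now calls `_myFnmatch`.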
>> Copied: plog/trunk/config/.htaccess (from rev 6288, plog/branches/lifetype-1.2/config/.htaccess)
>> ===================================================================
>> --- plog/trunk/config/.htaccess	                        (rev 0)
>> +++ plog/trunk/config/.htaccess	2008-04-01 12:26:03 UTC (rev 6289)
>> @@ -0,0 +1,6 @@
>> +<Files "*">
>> + Order allow,deny
>> + Deny from all
>> +</Files>
>> +
>> +ErrorDocument 403  "Access is not allowed"
>>
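Review bot: the `<Files "*">` wrapper is not needed to close off a whole directory; `Order allow,deny` and `Deny from all` at the top level of the file have the same effect. Either form only works where the server lets .htaccess set these directives, so a one-line comment saying that (as gallery/.htaccess carries comments) would help admins who see no 403 after upgrading. The same six lines are copied into docs-devel/, install/, locale/ and release/.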
>> Copied: plog/trunk/docs-devel/.htaccess (from rev 6288, plog/branches/lifetype-1.2/docs-devel/.htaccess)
>> ===================================================================
>> --- plog/trunk/docs-devel/.htaccess	                        (rev 0)
>> +++ plog/trunk/docs-devel/.htaccess	2008-04-01 12:26:03 UTC (rev 6289)
>> @@ -0,0 +1,6 @@
>> +<Files "*">
>> + Order allow,deny
>> + Deny from all
>> +</Files>
>> +
>> +ErrorDocument 403  "Access is not allowed"
>>
>> Modified: plog/trunk/gallery/.htaccess
>> ===================================================================
>> --- plog/trunk/gallery/.htaccess	2008-04-01 09:22:32 UTC (rev 6288)
>> +++ plog/trunk/gallery/.htaccess	2008-04-01 12:26:03 UTC (rev 6289)
>> @@ -1,15 +1,20 @@
>> -<Files "*.php">
>> +# case insensitive file matching.  See conversations on the svn list circa 2008-03-29
>> +# regarding this setting.  It is basically impossible to get this string perfect,
>> +# and so there is an inherent security risk of allowing untrusted users to upload
>> +# files
>> +<Files ~ "/\.(php|php3|php4|php5|php6|pht|php3p|phtml|htm|html|pl|py|pyc|pyo|rb|cgi)$/i">
>>   Order allow,deny
>>   Deny from all
>>  </Files>
>>
>> -<Files "*.htm">
>> - Order allow,deny
>> - Deny from all
>> -</Files>
>>
>> -<Files "*.html">
>> - Order allow,deny
>> - Deny from all
>> -</Files>
>> -
>> +# to be more secure, you can deny access to all files
>> +# and then only allow access to specific extensions
>> +#<Files "*">
>> +# Order allow,deny
>> +# Deny from all
>> +#</Files>
>> +#
>> +#<Files ~ "/\.(gif|jpg|mp3|mov|png|bmp|pdf)$/i">
>> +#  Allow from all
>> +#</Files>
>>
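Review bot: the pattern in `<Files ~ "/\.(php|php3|...|cgi)$/i">` uses PHP-style `/.../i` delimiters, but `<Files ~>` takes a bare regular expression, so the leading `/` and the trailing `/i` are matched literally. `<Files>` is tested against the file name without its directory, which never contains a slash, so this block matches nothing and the deny on `*.php`, `*.htm` and `*.html` that the removed blocks provided is lost. Drop the delimiters and express case-insensitivity inside the regex, e.g. `<FilesMatch "(?i)\.(php|...|cgi)$">` on an Apache built with PCRE, then confirm with a request for an upper-case `.PHP` file in gallery/ that it returns 403. The commented-out allow list `"/\.(gif|jpg|mp3|mov|png|bmp|pdf)$/i"` has the same form and would allow nothing if enabled as written.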
>> Copied: plog/trunk/install/.htaccess (from rev 6288, plog/branches/lifetype-1.2/install/.htaccess)
>> ===================================================================
>> --- plog/trunk/install/.htaccess	                        (rev 0)
>> +++ plog/trunk/install/.htaccess	2008-04-01 12:26:03 UTC (rev 6289)
>> @@ -0,0 +1,6 @@
>> +<Files "*">
>> + Order allow,deny
>> + Deny from all
>> +</Files>
>> +
>> +ErrorDocument 403  "Access is not allowed"
>>
>> Copied: plog/trunk/locale/.htaccess (from rev 6288, plog/branches/lifetype-1.2/locale/.htaccess)
>> ===================================================================
>> --- plog/trunk/locale/.htaccess	                        (rev 0)
>> +++ plog/trunk/locale/.htaccess	2008-04-01 12:26:03 UTC (rev 6289)
>> @@ -0,0 +1,6 @@
>> +<Files "*">
>> + Order allow,deny
>> + Deny from all
>> +</Files>
>> +
>> +ErrorDocument 403  "Access is not allowed"
>>
>> Modified: plog/trunk/locale/admin/locale_de_DE.php
>> ===================================================================
>> --- plog/trunk/locale/admin/locale_de_DE.php	2008-04-01 09:22:32 UTC (rev 6288)
>> +++ plog/trunk/locale/admin/locale_de_DE.php	2008-04-01 12:26:03 UTC (rev 6289)
>> @@ -939,7 +939,7 @@
>>  $messages['blogs'] = 'Blogs';
>>  $messages['resources'] = 'Resourcen';
>>  $messages['upload_in_progress'] = 'Daten werden gesendet, bitte warten...';
>> -$messages['error_incorrect_username'] = 'Der Benutzername ist nicht korrekt, er ist entweder schon vergeben, oder er ist zu lang (maximal 15 Zeichen!)';
>> +$messages['error_incorrect_username'] = 'Der Benutzername ist nicht korrekt, er ist entweder schon vergeben, enth&auml;lt nicht erlaubte Zeichen oder ist zu lang (keine Sonderzeichen, keine Grossbuchstaben, maximal 15 Zeichen!)';
>>
>>  $messages['Miscellaneous'] = 'Verschiedenes';
>>  $messages['Plugins'] = 'Plugins';
>>
>> Modified: plog/trunk/locale/admin/locale_en_UK.php
>> ===================================================================
>> --- plog/trunk/locale/admin/locale_en_UK.php	2008-04-01 09:22:32 UTC (rev 6288)
>> +++ plog/trunk/locale/admin/locale_en_UK.php	2008-04-01 12:26:03 UTC (rev 6289)
>> @@ -920,7 +920,7 @@
>>  $messages['blogs'] = 'Blogs';
>>  $messages['resources'] = 'Resources';
>>  $messages['upload_in_progress'] = 'Uploading. Please wait...';
>> -$messages['error_incorrect_username'] = 'The username is not correct, it is already in use or it is too long (maximum 15 characters)';
>> +$messages['error_incorrect_username'] = 'The username is not correct, it is already in use, contains disallowed characters or it is too long (no special characters, no capitals, maximum 15 characters)';
>>
>>  $messages['Miscellaneous'] = 'Miscellaneous';
>>  $messages['Plugins'] = 'Plugins';
>>
>> Modified: plog/trunk/plugins/.htaccess
>> ===================================================================
>> --- plog/trunk/plugins/.htaccess	2008-04-01 09:22:32 UTC (rev 6288)
>> +++ plog/trunk/plugins/.htaccess	2008-04-01 12:26:03 UTC (rev 6289)
>> @@ -1,5 +1,20 @@
>> -<Files "*.php">
>> +# case insensitive file matching.  See conversations on the svn list circa 2008-03-29
>> +# regarding this setting.  It is basically impossible to get this string perfect,
>> +# and so there is an inherent security risk of allowing untrusted users to upload
>> +# files
>> +<Files ~ "/\.(php|php3|php4|php5|php6|pht|php3p|phtml|htm|html|pl|py|pyc|pyo|rb|cgi)$/i">
>>   Order allow,deny
>>   Deny from all
>>  </Files>
>>
>> +
>> +# to be more secure, you can deny access to all files
>> +# and then only allow access to specific extensions
>> +#<Files "*">
>> +# Order allow,deny
>> +# Deny from all
>> +#</Files>
>> +#
>> +#<Files ~ "/\.(gif|jpg|mp3|mov|png|bmp|pdf)$/i">
>> +#  Allow from all
>> +#</Files>
>>
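Review bot: the `<Files ~ "/\.(php|...)$/i">` line here has the same literal `/` and `/i` delimiter problem as the one in gallery/.htaccess, and in plugins/ it replaces a working `<Files "*.php">` deny, so after this change plugin PHP files are no longer refused. Use the bare-regex form, and check it by requesting a `.php` file under plugins/ and expecting 403 both in lower and upper case.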
>> Copied: plog/trunk/release/.htaccess (from rev 6288, plog/branches/lifetype-1.2/release/.htaccess)
>> ===================================================================
>> --- plog/trunk/release/.htaccess	                        (rev 0)
>> +++ plog/trunk/release/.htaccess	2008-04-01 12:26:03 UTC (rev 6289)
>> @@ -0,0 +1,6 @@
>> +<Files "*">
>> + Order allow,deny
>> + Deny from all
>> +</Files>
>> +
>> +ErrorDocument 403  "Access is not allowed"
>>
>> Modified: plog/trunk/templates/LifeType/en_UK/strings.txt
>> ===================================================================
>> --- plog/trunk/templates/LifeType/en_UK/strings.txt	2008-04-01 09:22:32 UTC (rev 6288)
>> +++ plog/trunk/templates/LifeType/en_UK/strings.txt	2008-04-01 12:26:03 UTC (rev 6289)
>> @@ -1,8 +1,8 @@
>>  ltTagline = """LifeType is an open-source blogging platform with support for multiple blogs and users
>>  in a single installation."""
>>
>> -frontPageLeft = """The latest stable version of LifeType is <b>1.2.6</b>. Click the link below to download.<br/>
>> -Take a look at the <a href="/post/2008/01/23/lifetype-1.2.6">Release Page</a>."""
>> +frontPageLeft = """The latest stable version of LifeType is <b>1.2.7</b>. Click the link below to download.<br/>
>> +Take a look at the <a href="/post/2008/03/30/lifetype-1.2.7">Release Page</a>."""
>>
>>  frontPageRight = """LifeType supports multiple blogs and users, media management,
>>  generation of standard content, clean URLs and support for subdomains.
>>
>> Modified: plog/trunk/version.php
>> ===================================================================
>> --- plog/trunk/version.php	2008-04-01 09:22:32 UTC (rev 6288)
>> +++ plog/trunk/version.php	2008-04-01 12:26:03 UTC (rev 6289)
>> @@ -1,3 +1,3 @@
>>  <?php
>> -    $version = 'LifeType-2.0-Dev';
>> +$version = 'lifetype-1.2.7-dev';
>>  ?>
>>
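Review bot: the merge replaces trunk's `$version = 'LifeType-2.0-Dev'` with the 1.2 branch value `'lifetype-1.2.7-dev'`, so trunk now reports itself as 1.2.7. Revert this file on trunk and leave version.php out of future branch merges.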
>> _______________________________________________
>> pLog-svn mailing list
>> pLog-svn at devel.lifetype.net
>> http://limedaley.com/mailman/listinfo/plog-svn

-- 
Jon Daley
http://jon.limedaley.com/

Our most basic problem is not that we want too much.  On the contrary,
it is that we are content with too little.
-- Randy Alcorn, 50 Days of Heaven

