
[#929] Integrated high-priority (i.e. security) fixes from MT 4.36 re…
…lease. The rest may be integrated later in Melody 1.1.
jayallen committed May 27, 2011
1 parent 6cb1fe4 commit 38f6f19
Showing 21 changed files with 322 additions and 41 deletions.
183 changes: 182 additions & 1 deletion lib/MT/App/CMS.pm
@@ -1,4 +1,4 @@
# Movable Type (r) Open Source (C) 2001-2010 Six Apart, Ltd.
# Movable Type (r) Open Source (C) 2001-2011 Six Apart, Ltd.
# This program is distributed under the terms of the
# GNU General Public License, version 2.
#
Expand Down Expand Up @@ -1512,6 +1512,9 @@ sub init_core_callbacks {
$pkg
. 'save_permission_filter.notification' =>
"${pfx}AddressBook::can_save",
$pkg
. 'delete_permission_filter.notification' =>
"${pfx}AddressBook::can_delete",
$pkg
. 'save_filter.notification' =>
"${pfx}AddressBook::save_filter",
Expand All @@ -1520,6 +1523,10 @@ sub init_core_callbacks {
"${pfx}AddressBook::post_delete",

# associations
$pkg
. 'save_permission_filter.association' => sub {
$app->error( $app->translate("Invalid request.") );
},
$pkg
. 'delete_permission_filter.association' =>
"${pfx}User::can_delete_association",
Expand Down Expand Up @@ -1612,6 +1619,8 @@ sub init_core_callbacks {
$pkg . 'view_permission_filter.page' => "${pfx}Page::can_view",
$pkg
. 'delete_permission_filter.page' => "${pfx}Page::can_delete",
$pkg
. 'save_permission_filter.page' => "${pfx}Page::can_save",
$pkg . 'pre_save.page' => "${pfx}Page::pre_save",
$pkg . 'post_save.page' => "${pfx}Page::post_save",
$pkg . 'post_delete.page' => "${pfx}Page::post_delete",
Expand Down Expand Up @@ -1646,6 +1655,10 @@ sub init_core_callbacks {
'restore' => "${pfx}Template::restore_widgetmanagers",

# tags
$pkg
. 'save_permission_filter.tag' => sub {
$app->error( $app->translate("Invalid request.") );
},
$pkg . 'delete_permission_filter.tag' => "${pfx}Tag::can_delete",
$pkg . 'post_delete.tag' => "${pfx}Tag::post_delete",

Expand All @@ -1659,10 +1672,178 @@ sub init_core_callbacks {
$pkg . 'view_permission_filter.asset' => "${pfx}Asset::can_view",
$pkg
. 'delete_permission_filter.asset' => "${pfx}Asset::can_delete",
$pkg
. 'save_permission_filter.asset' =>
"${pfx}Asset::can_save",
$pkg . 'pre_save.asset' => "${pfx}Asset::pre_save",
$pkg . 'post_save.asset' => "${pfx}Asset::post_save",
$pkg . 'post_delete.asset' => "${pfx}Asset::post_delete",
'template_param.edit_asset' => "${pfx}Asset::template_param_edit",

# log
$pkg
. 'save_permission_filter.log' => sub {
$app->error( $app->translate("Invalid request.") );
},
$pkg
. 'delete_permission_filter.log' => sub {
$app->error( $app->translate("Invalid request.") );
},

# config
$pkg
. 'save_permission_filter.config' => sub {
$app->error( $app->translate("Invalid request.") );
},
$pkg
. 'delete_permission_filter.config' => sub {
$app->error( $app->translate("Invalid request.") );
},

# fileinfo
$pkg
. 'save_permission_filter.fileinfo' => sub {
$app->error( $app->translate("Invalid request.") );
},
$pkg
. 'delete_permission_filter.fileinfo' => sub {
$app->error( $app->translate("Invalid request.") );
},

# objectasset
$pkg
. 'save_permission_filter.objectasset' => sub {
$app->error( $app->translate("Invalid request.") );
},
$pkg
. 'delete_permission_filter.objectasset' => sub {
$app->error( $app->translate("Invalid request.") );
},

# objectscore
$pkg
. 'save_permission_filter.objectscore' => sub {
$app->error( $app->translate("Invalid request.") );
},
$pkg
. 'delete_permission_filter.objectscore' => sub {
$app->error( $app->translate("Invalid request.") );
},

# objecttag
$pkg
. 'save_permission_filter.objecttag' => sub {
$app->error( $app->translate("Invalid request.") );
},
$pkg
. 'delete_permission_filter.objecttag' => sub {
$app->error( $app->translate("Invalid request.") );
},

# permission
$pkg
. 'save_permission_filter.permission' => sub {
$app->error( $app->translate("Invalid request.") );
},
$pkg
. 'delete_permission_filter.permission' => sub {
$app->error( $app->translate("Invalid request.") );
},

# plaement
$pkg
. 'save_permission_filter.placement' => sub {
$app->error( $app->translate("Invalid request.") );
},
$pkg
. 'delete_permission_filter.placement' => sub {
$app->error( $app->translate("Invalid request.") );
},

# session
$pkg
. 'save_permission_filter.session' => sub {
$app->error( $app->translate("Invalid request.") );
},
$pkg
. 'delete_permission_filter.session' => sub {
$app->error( $app->translate("Invalid request.") );
},

# templatemap
$pkg
. 'save_permission_filter.templatemap' => sub {
$app->error( $app->translate("Invalid request.") );
},
$pkg
. 'delete_permission_filter.templatemap' => sub {
$app->error( $app->translate("Invalid request.") );
},

# touch
$pkg
. 'save_permission_filter.touch' => sub {
$app->error( $app->translate("Invalid request.") );
},
$pkg
. 'delete_permission_filter.touch' => sub {
$app->error( $app->translate("Invalid request.") );
},

# trackback
$pkg
. 'save_permission_filter.trackback' => sub {
$app->error( $app->translate("Invalid request.") );
},
$pkg
. 'delete_permission_filter.trackback' => sub {
$app->error( $app->translate("Invalid request.") );
},

# ts_error
$pkg
. 'save_permission_filter.ts_error' => sub {
$app->error( $app->translate("Invalid request.") );
},
$pkg
. 'delete_permission_filter.ts_error' => sub {
$app->error( $app->translate("Invalid request.") );
},

# ts_exitstatus
$pkg
. 'save_permission_filter.ts_exitstatus' => sub {
$app->error( $app->translate("Invalid request.") );
},
$pkg
. 'delete_permission_filter.ts_exitstatus' => sub {
$app->error( $app->translate("Invalid request.") );
},

# ts_funcmap
$pkg
. 'save_permission_filter.ts_funcmap' => sub {
$app->funcmap( $app->translate("Invalid request.") );
},
$pkg
. 'delete_permission_filter.ts_funcmap' => sub {
$app->funcmap( $app->translate("Invalid request.") );
},

# ts_job
$pkg
. 'save_permission_filter.ts_job' => sub {
$app->job( $app->translate("Invalid request.") );
},
$pkg
. 'delete_permission_filter.ts_job' => sub {
$app->job( $app->translate("Invalid request.") );
},

# role
$pkg
. 'delete_permission_filter.role' =>
"${pfx}User::can_delete_role",
}
);
} ## end sub init_core_callbacks
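Review bot: The `ts_funcmap` and `ts_job` filters call `$app->funcmap(...)` and `$app->job(...)` where every other filter in this hunk calls `$app->error(...)`; this reads as a search-and-replace slip, and if MT::App::CMS has no such methods these filters would die with a method-not-found error instead of returning the translated error like the rest. Change the four call sites to `$app->error( $app->translate("Invalid request.") );`. The comment `# plaement` should read `# placement`. Since the same anonymous sub now appears roughly forty times, declaring it once (`my $deny = sub { $app->error( $app->translate("Invalid request.") ) };`) and registering `$deny` for each type would keep any future fix in one place. init_core_callbacks starts outside the hunk, so the `$app` these closures capture is assumed to be the sub's own lexical.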
4 changes: 2 additions & 2 deletions lib/MT/App/Comments.pm
@@ -1,4 +1,4 @@
# Movable Type (r) Open Source (C) 2001-2010 Six Apart, Ltd.
# Movable Type (r) Open Source (C) 2001-2011 Six Apart, Ltd.
# This program is distributed under the terms of the
# GNU General Public License, version 2.
#
Expand Down Expand Up @@ -1367,7 +1367,7 @@ sub redirect_to_target {
$target = $entry->archive_url;
}
elsif ( $static ne '' ) {
$target = $static;
$target = MT::Util::encode_html( $static );
}
if ( $q->param('logout') ) {
if ( $app->user && ( 'TypeKey' eq $app->user->auth_type ) ) {
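Review bot: `MT::Util::encode_html( $static )` changes the bytes of `$target` (an `&` in a query string becomes `&amp;`, for instance), which is only correct if `$target` is later emitted into HTML; if it is instead placed in a Location header the encoded URL can break, and the rest of redirect_to_target is outside the hunk so I cannot tell which applies. HTML-encoding also does nothing to restrict where a request-supplied `$static` can send the browser, so an allow-list check (relative paths, or targets under the blog's own site URL) is the check this path still lacks. Either way the assumption deserves a comment at the assignment, e.g. `# $static comes from the request: encoded for HTML embedding, not validated as same-site`.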
6 changes: 6 additions & 0 deletions lib/MT/CMS/AddressBook.pm
Expand Up @@ -229,6 +229,12 @@ sub can_save {
return $perms->can_edit_notifications;
}

sub can_delete {
my ( $eh, $app, $id ) = @_;
my $perms = $app->permissions;
return $perms->can_edit_notifications;
}

sub save_filter {
my $eh = shift;
my ($app) = @_;
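Review bot: The new `can_delete` calls `$perms->can_edit_notifications` without checking that `$app->permissions` returned anything, so with no blog-scoped permission record it dies on a method call on undef instead of denying; Asset::can_delete in this same commit guards this (`return $perms && $perms->can_edit_assets();`), so use `return $perms && $perms->can_edit_notifications;` here. The `$id` argument is unpacked but never used, which means the check is against the current blog's permissions rather than the blog the notification belongs to; the new Category::can_delete resolves the object by id and uses its `blog_id`, and the same pattern would make this filter object-scoped.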
18 changes: 16 additions & 2 deletions lib/MT/CMS/Asset.pm
Expand Up @@ -553,6 +553,19 @@ sub can_delete {
return $perms && $perms->can_edit_assets();
}

sub can_save {
my ( $eh, $app, $obj ) = @_;
my $author = $app->user;
return 1 if $author->is_superuser();

if ( $obj && !ref $obj ) {
$obj = MT->model('asset')->load($obj);
}
my $blog_id = $obj ? $obj->blog_id : ( $app->blog ? $app->blog->id : 0 );

return $author->permissions($blog_id)->can_edit_assets();
}

sub pre_save {
my $eh = shift;
my ( $app, $obj ) = @_;
Expand Down Expand Up @@ -973,6 +986,7 @@ sub _set_start_upload_params {
sub _upload_file {
my $app = shift;
my (%upload_param) = @_;
my $ext;
require MT::Image;
if ( my $perms = $app->permissions ) {
Expand Down Expand Up @@ -1137,7 +1151,7 @@ sub _upload_file {

my $filename = $local_base
; ## Save the filename so we can use it in the error message later
my $ext = $local_base;
$ext = $local_base;
$ext =~ m!.*\.(.*)$!
; ## Extract the characters to the right of the last dot delimiter / period
$ext = $1; ## Those characters are the file extension
Expand Down Expand Up @@ -1397,7 +1411,7 @@ sub _upload_file {

my $filename = $local_base
; ## Save the filename so we can use it in the error message later
my $ext = $local_base;
$ext = $local_base;
$ext =~ m!.*\.(.*)$!
; ## Extract the characters to the right of the last dot delimiter / period
$ext = $1; ## Those characters are the file extension
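Review bot: In the new `can_save`, a failed `MT->model('asset')->load($obj)` leaves `$obj` undef and the ternary then silently falls back to `$app->blog`, so a request naming a nonexistent asset id is judged against the current blog's permissions instead of being rejected; Category::can_save in this commit writes `->load($obj) or return;`, and the same `or return` belongs here. `$author->permissions($blog_id)` is also dereferenced unguarded, unlike `can_delete` just above it, so `my $perms = $author->permissions($blog_id); return $perms && $perms->can_edit_assets();` would cover an author with no record on that blog. The `my $ext` hoisting in the two later hunks is fine as far as visible; the unchanged `$ext = $1` after the unanchored match still inherits a stale capture when the filename has no dot, which is worth a follow-up.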
2 changes: 1 addition & 1 deletion lib/MT/CMS/Blog.pm
Expand Up @@ -1134,7 +1134,7 @@ sub start_rebuild_pages {
or return $app->error(
$app->translate( 'Can\'t load template #[_1].', $tmpl_id ) );
$param{build_type_name}
= $app->translate( "index template '[_1]'", $tmpl->name );
= $app->translate( "index template '[_1]'", MT::Util::encode_html( $tmpl->name ) );
$param{is_one_index} = 1;
}
elsif ( $type_name =~ /^entry-(\d+)$/ ) {
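Review bot: `MT::Util::encode_html( $tmpl->name )` encodes before the value reaches the template, so if the `build_type_name` placeholder is also rendered with an HTML-escaping modifier the name will be encoded twice; the sibling branches of this `elsif` chain are outside the hunk, so I cannot see whether they are encoded the same way. If escaping at the output site is not an option, add `# pre-encoded: the template must not escape build_type_name again` above the assignment so the template author does not add a second escape.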
31 changes: 25 additions & 6 deletions lib/MT/CMS/Category.pm
Expand Up @@ -368,16 +368,35 @@ sub can_view {
}

sub can_save {
my ( $eh, $app, $id ) = @_;
my $perms = $app->permissions;
return $perms->can_edit_categories();
my ( $eh, $app, $obj ) = @_;
my $author = $app->user;
return 1 if $author->is_superuser();

unless ( ref $obj ) {
$obj = MT->model('category')->load($obj)
or return;
}
return unless $obj->is_category;

my $blog_id = $obj ? $obj->blog_id : ( $app->blog ? $app->blog->id : 0 );

return $author->permissions($blog_id)->can_edit_categories();
}

sub can_delete {
my ( $eh, $app, $obj ) = @_;
return 1 if $app->user->is_superuser();
my $perms = $app->permissions;
return $perms && $perms->can_edit_categories();
my $author = $app->user;
return 1 if $author->is_superuser();

unless ( ref $obj ) {
$obj = MT->model('category')->load($obj)
or return;
}
return unless $obj->is_category;

my $blog_id = $obj ? $obj->blog_id : ( $app->blog ? $app->blog->id : 0 );

return $author->permissions($blog_id)->can_edit_categories();
}

sub pre_save {
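Review bot: `can_save` and `can_delete` now have byte-for-byte identical bodies, which invites the two drifting apart on the next fix; pull the body into one private helper and have both filters delegate to it. Within that body, `$obj ? $obj->blog_id : ...` comes after `or return` and `return unless $obj->is_category`, so `$obj` is always true there and the fallback to `$app->blog` is dead code — `$obj->blog_id` suffices. `$author->permissions($blog_id)` is dereferenced unguarded; if it can return undef for an author with no record on that blog, the `&&` guard below turns a die inside the permission filter into a plain denial. The helper below keeps both subs' signatures unchanged.
```perl
sub can_save {
    my ( $eh, $app, $obj ) = @_;
    return _can_edit_category( $app, $obj );
}

sub can_delete {
    my ( $eh, $app, $obj ) = @_;
    return _can_edit_category( $app, $obj );
}

# Shared permission check for category save/delete: superusers pass,
# an id is resolved to its row, non-category rows are refused, and the
# author's can_edit_categories right is checked on the object's own blog.
sub _can_edit_category {
    my ( $app, $obj ) = @_;
    my $author = $app->user;
    return 1 if $author->is_superuser();

    unless ( ref $obj ) {
        $obj = MT->model('category')->load($obj)
            or return;
    }
    return unless $obj->is_category;

    # Defensive: deny rather than die if there is no permission record.
    my $perms = $author->permissions( $obj->blog_id );
    return $perms && $perms->can_edit_categories();
}
```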
2 changes: 2 additions & 0 deletions lib/MT/CMS/Comment.pm
Expand Up @@ -1049,6 +1049,8 @@ sub not_junk {
my $class = $app->model($type);
my %rebuild_set;

$app->validate_magic or return;

my $perm_checked = (
$app->user->is_superuser()
|| ( $q->param('blog_id')
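Review bot: The new `$app->validate_magic or return;` sits after `my $class = $app->model($type);` and `my %rebuild_set;`, which is harmless, but making the token check the first statement of `not_junk` (its opening is outside the hunk) is the clearer shape: nothing in the handler then runs before the request is validated. Note for the commit message: the Entry.pm hunk removes the same call from `save`; if that check moved earlier in `save` or into a shared dispatcher (not visible here), saying so would stop the next reader from taking the deletion for a regression.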
2 changes: 0 additions & 2 deletions lib/MT/CMS/Entry.pm
Expand Up @@ -1334,8 +1334,6 @@ sub save {
|| ( ( 'page' eq $type ) && $perms->can_manage_pages );
}

$app->validate_magic() or return;

# check for autosave
if ( $q->param('_autosave') ) {
return $app->autosave_object();
