[#944 state:resolved] Integrated bug fixes contained in Movable Type …

…4.361.

MANIFEST.SKIP

@@ -36,6 +36,12 @@ addons/ConfigAssistant.pack/static/colorpicker/js/jquery.js
 tools/report-slow-request
 lib/MT/Util/LogProcessor
 
+# MT::App::NotifyList pulled in MT 4.361
+# Fogbugz case:  http://bugs.movabletype.org/?106276
+# Git commits: 75333270 99cacda7
+lib/MT/App/NotifyList.pm
+mt-add-notify.cgi
+
 ^schemas
 ^t/
 .*/t/

lib/MT/App.pm

@@ -2445,6 +2445,19 @@ sub validate_upload {
     my $app        = shift;
     my $args       = shift;
 
+    my $INVALID = sub {
+        my $desc = $app->translate( @_ ? @_ : 'Reason unspecified' );
+        require MT::Log;
+        $app->log({
+            level    => MT::Log::SECURITY(),
+            class    => 'asset',
+            category => 'invalid',
+            message
+                => $app->translate('Blocked invalid upload: [_1]', $desc),
+        });
+        return $app->errtrans('Invalid upload file');
+    };
+
     ###
     # Check filename for validity and allowed upload file extensions
     # The file need not exist for these checks.
@@ -2454,28 +2467,39 @@ sub validate_upload {
         my ($file) = File::Basename::fileparse( $args->{filename} );
         my $cfg    = $app->config();
 
-        return $app->errtrans( 'Invalid upload file' )
-            if
-            ! defined $file 
-                or
-            $file =~ m{
+        defined $file
+            or return $INVALID->( 'Could not parse filepath [_1]',
+                                    $args->{filename} );
+
+        return $INVALID->(
+            'Invalid characters in filename: [_1]', $args->{filename})
+            if $file =~ m{
                 /       | # Filename shouldn't have slash; indicates directory
                 \.\.    | # No upward traversal allowed
                 \0      | # No NULL bytes allowed
                 \|      | # No pipes allowed
                 ^$        # Empty filename
             }x;
 
-        if ( my $deny_exts  = $cfg->DeniedAssetFileExtensions ) {
-            # Return error IF file extension matches
-            MT::Util::match_file_extension( $file, $deny_exts )
-                and return $app->errtrans( 'Invalid upload file' );
+        my $deny_exts = $cfg->DeniedAssetFileExtensions || [];
+        if ( @$deny_exts ) {
+            my $match = MT::Util::match_file_extension( $file, $deny_exts );
+            if ( defined $match and $match ne '' ) {
+                return $INVALID->(
+                    'Blacklisted file extension ([_1]) found for file [_2]',
+                    $match, $file
+                );
+            }
         }
 
-        if ( my $allow_exts = $cfg->AssetFileExtensions ) {
-            # Return error UNLESS file extension matches
-            MT::Util::match_file_extension( $file, $allow_exts )
-                or return $app->errtrans( 'Invalid upload file' );
+        my $allow_exts = $cfg->AssetFileExtensions || [];
+        if ( @$allow_exts ) {
+            my $match = MT::Util::match_file_extension( $file, $allow_exts );
+            unless ( defined $match and $match ne '' ) {
+                return $INVALID->(
+                    'File does not have whitelisted extension: [_1]', $file
+                );
+            }
         }
     }
 
@@ -2485,10 +2509,17 @@ sub validate_upload {
     # files (in particular) that contain embedded HTML or JavaScript are
     # a known vector for an IE 6 and 7 content-sniffing vulnerability.
     ###
-    if ( my $data = $args->{data} ) {
+    if ( defined( my $data = $args->{data} )) {
         require MT::Image;
-        MT::Image->has_html_signature( data => $data )
-            and return $app->errtrans( 'Invalid upload file' );
+        my $has_html = MT::Image->has_html_signature( data => $data );
+
+        defined $has_html
+            or return $INVALID->(
+                'Error reading image [_1]: [_2]', 'data', MT::Image->errstr );
+
+        $has_html
+            or return $INVALID->(
+                'Image file contains suspicious filetype signature');
     }
 
     1;
@@ -3658,15 +3689,16 @@ sub query {
 }
 
 sub blog {
-    my $app = shift;
-    $app->{_blog} = shift if @_;
-    return $app->{_blog} if $app->{_blog};
-    return undef unless $app->query;
-    my $blog_id = $app->query->param('blog_id');
-    if ($blog_id) {
-        $app->{_blog} = MT->model('blog')->load($blog_id);
-    }
-    return $app->{_blog};
+    my $app   = shift;
+    my $blog  = shift || $app->{_blog};
+    $blog   ||= eval {
+                    no warnings;
+                    my $blog_id
+                        = int( $app->query->param('blog_id') || 0 );
+                    return $blog_id ? $app->model('blog')->load( $blog_id )
+                                    : undef;
+               };
+    return $app->{_blog} = $blog;
 }
 
 ## Logging/tracing

lib/MT/App/Comments.pm

@@ -349,22 +349,33 @@ sub do_signup {
     my $app = shift;
     my $q   = $app->query;
 
-    return $app->error( $app->translate("Invalid request") )
-      if $app->request_method() ne 'POST';
+    return $app->errtrans("Invalid request")
+        if $app->request_method() ne 'POST';
 
     my $param = {};
     $param->{$_} = $q->param($_)
       foreach
       qw(blog_id entry_id static email url username nickname email return_url );
 
+    return $app->errtrans("Invalid request")
+        unless int( $param->{blog_id} );
+
+    my $blog = $app->model('blog')->load( $param->{blog_id} || 0 )
+        or return $app->error(
+        $app->translate( 'Can\'t load blog #[_1].', $param->{blog_id} ) );
+
+    my $cfg = $app->config;
+    if ( my $registration = $cfg->CommenterRegistration ) {
+        return $app->handle_error(
+            $app->translate('Registration is not allowed.') )
+            unless $registration->{Allow} && $blog->allow_commenter_regist;
+    }
+
     my $filter_result = $app->run_callbacks( 'api_save_filter.author', $app );
 
     my $user;
     $user = $app->create_user_pending($param) if $filter_result;
     unless ($user) {
-        my $blog = $app->model('blog')->load( $param->{blog_id} )
-          or return $app->error(
-            $app->translate( 'Can\'t load blog #[_1].', $param->{blog_id} ) );
         if ( my $provider
              = MT->effective_captcha_provider( $blog->captcha_provider ) )
         {