Fixes for security vulnerabilities in admin mode, and other bug fixes

TribalSystems · Feb 8, 2021 · 2c82a4d · 2c82a4d
1 parent 5c05731
commit 2c82a4d
Show file tree

Hide file tree

Showing 673 changed files with 879 additions and 828 deletions.
diff --git a/license.txt b/license.txt
@@ -1,4 +1,4 @@
-Copyright (c) 2020, Tribal Limited
+Copyright (c) 2021, Tribal Limited
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without

diff --git a/package.json b/package.json
@@ -25,5 +25,5 @@
 		"vimeo-upload": "*",
 		"wowjs": "*"
 	},
-	"version": "8.8.52729"
+	"version": "8.8.53370"
 }
diff --git a/zenario/admin/admin_boxes.ajax.php b/zenario/admin/admin_boxes.ajax.php
@@ -1,6 +1,6 @@
 <?php
 /*
- * Copyright (c) 2020, Tribal Limited
+ * Copyright (c) 2021, Tribal Limited
  * All rights reserved.
  * 
  * Redistribution and use in source and binary forms, with or without

diff --git a/zenario/admin/admin_toolbar.ajax.php b/zenario/admin/admin_toolbar.ajax.php
@@ -1,6 +1,6 @@
 <?php
 /*
- * Copyright (c) 2020, Tribal Limited
+ * Copyright (c) 2021, Tribal Limited
  * All rights reserved.
  * 
  * Redistribution and use in source and binary forms, with or without

diff --git a/zenario/admin/db_install/local-DROP.sql b/zenario/admin/db_install/local-DROP.sql
@@ -41,6 +41,7 @@ DROP TABLE IF EXISTS `[[DB_PREFIX]]languages`;
 DROP TABLE IF EXISTS `[[DB_PREFIX]]last_sent_warning_emails`;
 DROP TABLE IF EXISTS `[[DB_PREFIX]]layouts`;
 DROP TABLE IF EXISTS `[[DB_PREFIX]]local_revision_numbers`;
+DROP TABLE IF EXISTS `[[DB_PREFIX]]lock__clean_dirs`;
 DROP TABLE IF EXISTS `[[DB_PREFIX]]lov_salutations`;
 DROP TABLE IF EXISTS `[[DB_PREFIX]]menu_hierarchy`;
 DROP TABLE IF EXISTS `[[DB_PREFIX]]menu_nodes`;

diff --git a/zenario/admin/db_install/local-INSERT.sql b/zenario/admin/db_install/local-INSERT.sql
@@ -160,7 +160,7 @@ INSERT INTO `[[DB_PREFIX]]plugin_settings` VALUES
 <p>Content items will be visible to administrators only until published. Click on the "Publish" button to make them visible to regular site visitors.</p>
 <p>You will also need to make your site visible to visitors by enabling it in Organizer, in the <a href="zenario/admin/organizer.php#zenario__administration/panels/site_settings//site_disabled">Configuration -&gt; Site settings</a> section.</p>
 <p>You can get support and downloads at <a href="http://zenar.io" target="_blank" rel="noopener">http://zenar.io</a>.</p>
-<p>We hope you enjoy using Zenario.</p>','synchronized_setting','translatable_html',NULL,0,'','remove',NULL),
+<p>We hope you enjoy using Zenario.</p>','version_controlled_content','translatable_html',NULL,0,'','remove',NULL),
  (7,'image',0,12,'synchronized_setting','text','file',12,'','remove',NULL),
  (7,'image_source',0,'_CUSTOM_IMAGE','synchronized_setting','text',NULL,0,'','remove',NULL),
  (7,'title',0,'Just a nice image','synchronized_setting','translatable_text',NULL,0,'','remove',NULL),
@@ -240,7 +240,7 @@ INSERT INTO `[[DB_PREFIX]]plugin_settings` VALUES
  (12,'more_link_text',0,'Discover more','synchronized_setting','translatable_text',NULL,0,'','remove',NULL),
  (13,'html',0,'<p>CONTACT</p>
  <h2>Nam liber tempor</h2>
- <p>Duis autem vel eum iriure dolor in hendrerit in vulputate velit esse<br>molestie consequat, vel illum dolore eu feugiat nulla facilisis at vero<br>eros et accumsan et iusto odio dignissim qui blandit praesent luptatum zzril delenit augue duis dolore te feugait nulla facilisi.</p>','synchronized_setting','translatable_html',NULL,0,'','remove',NULL),
+ <p>Duis autem vel eum iriure dolor in hendrerit in vulputate velit esse<br>molestie consequat, vel illum dolore eu feugiat nulla facilisis at vero<br>eros et accumsan et iusto odio dignissim qui blandit praesent luptatum zzril delenit augue duis dolore te feugait nulla facilisi.</p>','version_controlled_content','translatable_html',NULL,0,'','remove',NULL),
  (14,'user_form',0,1,'synchronized_setting','text','user_form',1,'','remove',NULL),
  (15,'image',0,13,'synchronized_setting','text','file',13,'','remove',NULL),
  (15,'image_source',0,'_CUSTOM_IMAGE','synchronized_setting','text',NULL,0,'','remove',NULL),

diff --git a/zenario/admin/db_updates/latest_revision_no.inc.php b/zenario/admin/db_updates/latest_revision_no.inc.php
@@ -1,6 +1,6 @@
 <?php
 /*
- * Copyright (c) 2020, Tribal Limited
+ * Copyright (c) 2021, Tribal Limited
  * All rights reserved.
  * 
  * Redistribution and use in source and binary forms, with or without
@@ -37,6 +37,6 @@
 define('ZENARIO_MAJOR_VERSION', '8');
 define('ZENARIO_MINOR_VERSION', '8');
 define('ZENARIO_IS_BUILD', true);
-define('ZENARIO_REVISION', '52729');
+define('ZENARIO_REVISION', '53370');
 
 define('TINYMCE_DIR', 'zenario/libs/manually_maintained/lgpl/tinymce_4_7_3/');
diff --git a/zenario/admin/db_updates/step_1_update_the_updater_itself/data_archive.inc.php b/zenario/admin/db_updates/step_1_update_the_updater_itself/data_archive.inc.php
@@ -1,6 +1,6 @@
 <?php
 /*
- * Copyright (c) 2020, Tribal Limited
+ * Copyright (c) 2021, Tribal Limited
  * All rights reserved.
  * 
  * Redistribution and use in source and binary forms, with or without

diff --git a/zenario/admin/db_updates/step_1_update_the_updater_itself/updater_tables.inc.php b/zenario/admin/db_updates/step_1_update_the_updater_itself/updater_tables.inc.php
@@ -1,6 +1,6 @@
 <?php
 /*
- * Copyright (c) 2020, Tribal Limited
+ * Copyright (c) 2021, Tribal Limited
  * All rights reserved.
  * 
  * Redistribution and use in source and binary forms, with or without

diff --git a/zenario/admin/db_updates/step_2_update_the_database_schema/admin_tables.inc.php b/zenario/admin/db_updates/step_2_update_the_database_schema/admin_tables.inc.php
@@ -1,6 +1,6 @@
 <?php
 /*
- * Copyright (c) 2020, Tribal Limited
+ * Copyright (c) 2021, Tribal Limited
  * All rights reserved.
  * 
  * Redistribution and use in source and binary forms, with or without

diff --git a/zenario/admin/db_updates/step_2_update_the_database_schema/content_tables.inc.php b/zenario/admin/db_updates/step_2_update_the_database_schema/content_tables.inc.php
@@ -1,6 +1,6 @@
 <?php
 /*
- * Copyright (c) 2020, Tribal Limited
+ * Copyright (c) 2021, Tribal Limited
  * All rights reserved.
  * 
  * Redistribution and use in source and binary forms, with or without

diff --git a/zenario/admin/db_updates/step_2_update_the_database_schema/user_tables.inc.php b/zenario/admin/db_updates/step_2_update_the_database_schema/user_tables.inc.php
@@ -1,6 +1,6 @@
 <?php
 /*
- * Copyright (c) 2020, Tribal Limited
+ * Copyright (c) 2021, Tribal Limited
  * All rights reserved.
  * 
  * Redistribution and use in source and binary forms, with or without

diff --git a/zenario/admin/db_updates/step_3_populate_certain_tables/document_types.inc.php b/zenario/admin/db_updates/step_3_populate_certain_tables/document_types.inc.php
@@ -1,6 +1,6 @@
 <?php
 /*
- * Copyright (c) 2020, Tribal Limited
+ * Copyright (c) 2021, Tribal Limited
  * All rights reserved.
  * 
  * Redistribution and use in source and binary forms, with or without

diff --git a/zenario/admin/db_updates/step_3_populate_certain_tables/language_names.inc.php b/zenario/admin/db_updates/step_3_populate_certain_tables/language_names.inc.php
@@ -1,6 +1,6 @@
 <?php
 /*
- * Copyright (c) 2020, Tribal Limited
+ * Copyright (c) 2021, Tribal Limited
  * All rights reserved.
  * 
  * Redistribution and use in source and binary forms, with or without

diff --git a/zenario/admin/db_updates/step_3_populate_certain_tables/page_preview_sizes.inc.php b/zenario/admin/db_updates/step_3_populate_certain_tables/page_preview_sizes.inc.php
@@ -1,6 +1,6 @@
 <?php
 /*
- * Copyright (c) 2020, Tribal Limited
+ * Copyright (c) 2021, Tribal Limited
  * All rights reserved.
  * 
  * Redistribution and use in source and binary forms, with or without

diff --git a/zenario/admin/db_updates/step_4_migrate_the_data/admin_tables.inc.php b/zenario/admin/db_updates/step_4_migrate_the_data/admin_tables.inc.php
@@ -1,6 +1,6 @@
 <?php
 /*
- * Copyright (c) 2020, Tribal Limited
+ * Copyright (c) 2021, Tribal Limited
  * All rights reserved.
  * 
  * Redistribution and use in source and binary forms, with or without

diff --git a/zenario/admin/db_updates/step_4_migrate_the_data/content_tables.inc.php b/zenario/admin/db_updates/step_4_migrate_the_data/content_tables.inc.php
@@ -1,6 +1,6 @@
 <?php
 /*
- * Copyright (c) 2020, Tribal Limited
+ * Copyright (c) 2021, Tribal Limited
  * All rights reserved.
  * 
  * Redistribution and use in source and binary forms, with or without

diff --git a/zenario/admin/db_updates/step_4_migrate_the_data/external_programs.inc.php b/zenario/admin/db_updates/step_4_migrate_the_data/external_programs.inc.php
@@ -1,6 +1,6 @@
 <?php
 /*
- * Copyright (c) 2020, Tribal Limited
+ * Copyright (c) 2021, Tribal Limited
  * All rights reserved.
  * 
  * Redistribution and use in source and binary forms, with or without

diff --git a/zenario/admin/db_updates/step_4_migrate_the_data/plugins.inc.php b/zenario/admin/db_updates/step_4_migrate_the_data/plugins.inc.php
@@ -1,6 +1,6 @@
 <?php
 /*
- * Copyright (c) 2020, Tribal Limited
+ * Copyright (c) 2021, Tribal Limited
  * All rights reserved.
  * 
  * Redistribution and use in source and binary forms, with or without

diff --git a/zenario/admin/db_updates/step_4_migrate_the_data/user_tables.inc.php b/zenario/admin/db_updates/step_4_migrate_the_data/user_tables.inc.php
@@ -1,6 +1,6 @@
 <?php
 /*
- * Copyright (c) 2020, Tribal Limited
+ * Copyright (c) 2021, Tribal Limited
  * All rights reserved.
  * 
  * Redistribution and use in source and binary forms, with or without

diff --git a/zenario/admin/dev_tools/doc_tools.js b/zenario/admin/dev_tools/doc_tools.js
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020, Tribal Limited
+ * Copyright (c) 2021, Tribal Limited
  * All rights reserved.
  * 
  * Redistribution and use in source and binary forms, with or without

diff --git a/zenario/admin/layout_preview.php b/zenario/admin/layout_preview.php
@@ -1,6 +1,6 @@
 <?php 
 /*
- * Copyright (c) 2020, Tribal Limited
+ * Copyright (c) 2021, Tribal Limited
  * All rights reserved.
  * 
  * Redistribution and use in source and binary forms, with or without

diff --git a/zenario/admin/organizer.ajax.php b/zenario/admin/organizer.ajax.php
@@ -1,6 +1,6 @@
 <?php
 /*
- * Copyright (c) 2020, Tribal Limited
+ * Copyright (c) 2021, Tribal Limited
  * All rights reserved.
  * 
  * Redistribution and use in source and binary forms, with or without

diff --git a/zenario/admin/quick_ajax.php b/zenario/admin/quick_ajax.php
@@ -1,6 +1,6 @@
 <?php
 /*
- * Copyright (c) 2020, Tribal Limited
+ * Copyright (c) 2021, Tribal Limited
  * All rights reserved.
  * 
  * Redistribution and use in source and binary forms, with or without

diff --git a/zenario/admin/welcome.ajax.php b/zenario/admin/welcome.ajax.php
@@ -1,6 +1,6 @@
 <?php
 /*
- * Copyright (c) 2020, Tribal Limited
+ * Copyright (c) 2021, Tribal Limited
  * All rights reserved.
  * 
  * Redistribution and use in source and binary forms, with or without

diff --git a/zenario/admin/welcome.php b/zenario/admin/welcome.php
@@ -1,6 +1,6 @@
 <?php
 /*
- * Copyright (c) 2020, Tribal Limited
+ * Copyright (c) 2021, Tribal Limited
  * All rights reserved.
  * 
  * Redistribution and use in source and binary forms, with or without
@@ -26,12 +26,12 @@
  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
-if (version_compare(phpversion(), '7.0.0', '<')) {
+if (version_compare(phpversion(), '7.2.0', '<')) {
 	echo '
 		<h1>System Requirements</h1>
 		<p>It looks like your server doesn\'t meet the requirements for Zenario.</p>
 		<p>
-			Zenario needs PHP version 7.0 or later to run (<em>you have version ', htmlspecialchars(phpversion()), '</em>).
+			Zenario needs PHP version 7.2 or later to run (<em>you have version ', htmlspecialchars(phpversion()), '</em>).
 		</p>';
 	exit;
 }

diff --git a/zenario/admin/welcome/diagnostics.yaml b/zenario/admin/welcome/diagnostics.yaml
@@ -73,7 +73,7 @@ diagnostics:
                     full_width: true
                     row_class: sub_field
                     snippet:
-                        html: PHP version 7.0 or later
+                        html: PHP version 7.2 or later
                     visible_if: zenarioAW.togglePressed(field)
                 opcache_misconfigured:
                     grouping: sub_table

diff --git a/zenario/admin/welcome/system_requirements.yaml b/zenario/admin/welcome/system_requirements.yaml
@@ -49,7 +49,7 @@ system_requirements:
                     grouping: sub_table
                     full_width: true
                     snippet:
-                        html: PHP version 7.0 or later
+                        html: PHP version 7.2 or later
                     visible_if: zenarioAW.togglePressed(field)
                 opcache_misconfigured:
                     grouping: sub_table

diff --git a/zenario/adminheader.inc.php b/zenario/adminheader.inc.php
@@ -1,6 +1,6 @@
 <?php
 /*
- * Copyright (c) 2020, Tribal Limited
+ * Copyright (c) 2021, Tribal Limited
  * All rights reserved.
  * 
  * Redistribution and use in source and binary forms, with or without

diff --git a/zenario/ajax.php b/zenario/ajax.php
@@ -1,6 +1,6 @@
 <?php 
 /*
- * Copyright (c) 2020, Tribal Limited
+ * Copyright (c) 2021, Tribal Limited
  * All rights reserved.
  * 
  * Redistribution and use in source and binary forms, with or without

diff --git a/zenario/autoload/admin.php b/zenario/autoload/admin.php
@@ -1,6 +1,6 @@
 <?php
 /*
- * Copyright (c) 2020, Tribal Limited
+ * Copyright (c) 2021, Tribal Limited
  * All rights reserved.
  * 
  * Redistribution and use in source and binary forms, with or without
@@ -554,7 +554,8 @@ public static function isInactive($adminId) {
 			FROM ' . DB_PREFIX . 'admins
 			WHERE id = ' . (int)$adminId . '
 			AND authtype = "local" 
-			AND COALESCE(last_login, created_date) < DATE_SUB(NOW(), INTERVAL ' . (int)$days . ' DAY)';
+			AND COALESCE(last_login, created_date) < DATE_SUB(NOW(), INTERVAL ' . (int)$days . ' DAY)
+			LIMIT 1';
 		$result = \ze\sql::select($sql);
 		return \ze\sql::numRows($result) > 0;
 	}

diff --git a/zenario/autoload/adminAdm.php b/zenario/autoload/adminAdm.php
@@ -1,6 +1,6 @@
 <?php
 /*
- * Copyright (c) 2020, Tribal Limited
+ * Copyright (c) 2021, Tribal Limited
  * All rights reserved.
  * 
  * Redistribution and use in source and binary forms, with or without

diff --git a/zenario/autoload/cache.php b/zenario/autoload/cache.php
@@ -1,6 +1,6 @@
 <?php
 /*
- * Copyright (c) 2020, Tribal Limited
+ * Copyright (c) 2021, Tribal Limited
  * All rights reserved.
  * 
  * Redistribution and use in source and binary forms, with or without

diff --git a/zenario/autoload/category.php b/zenario/autoload/category.php
@@ -1,6 +1,6 @@
 <?php
 /*
- * Copyright (c) 2020, Tribal Limited
+ * Copyright (c) 2021, Tribal Limited
  * All rights reserved.
  * 
  * Redistribution and use in source and binary forms, with or without

diff --git a/zenario/autoload/categoryAdm.php b/zenario/autoload/categoryAdm.php
@@ -1,6 +1,6 @@
 <?php
 /*
- * Copyright (c) 2020, Tribal Limited
+ * Copyright (c) 2021, Tribal Limited
  * All rights reserved.
  * 
  * Redistribution and use in source and binary forms, with or without

diff --git a/zenario/autoload/content.php b/zenario/autoload/content.php
@@ -1,6 +1,6 @@
 <?php
 /*
- * Copyright (c) 2020, Tribal Limited
+ * Copyright (c) 2021, Tribal Limited
  * All rights reserved.
  * 
  * Redistribution and use in source and binary forms, with or without

diff --git a/zenario/autoload/contentAdm.php b/zenario/autoload/contentAdm.php
@@ -1,6 +1,6 @@
 <?php
 /*
- * Copyright (c) 2020, Tribal Limited
+ * Copyright (c) 2021, Tribal Limited
  * All rights reserved.
  * 
  * Redistribution and use in source and binary forms, with or without

diff --git a/zenario/autoload/cookie.php b/zenario/autoload/cookie.php
@@ -1,6 +1,6 @@
 <?php
 /*
- * Copyright (c) 2020, Tribal Limited
+ * Copyright (c) 2021, Tribal Limited
  * All rights reserved.
  * 
  * Redistribution and use in source and binary forms, with or without

diff --git a/zenario/autoload/curl.php b/zenario/autoload/curl.php
@@ -1,6 +1,6 @@
 <?php
 /*
- * Copyright (c) 2020, Tribal Limited
+ * Copyright (c) 2021, Tribal Limited
  * All rights reserved.
  * 
  * Redistribution and use in source and binary forms, with or without

diff --git a/zenario/autoload/dataset.php b/zenario/autoload/dataset.php
@@ -1,6 +1,6 @@
 <?php
 /*
- * Copyright (c) 2020, Tribal Limited
+ * Copyright (c) 2021, Tribal Limited
  * All rights reserved.
  * 
  * Redistribution and use in source and binary forms, with or without

diff --git a/zenario/autoload/datasetAdm.php b/zenario/autoload/datasetAdm.php
@@ -1,6 +1,6 @@
 <?php 
 /*
- * Copyright (c) 2020, Tribal Limited
+ * Copyright (c) 2021, Tribal Limited
  * All rights reserved.
  * 
  * Redistribution and use in source and binary forms, with or without

diff --git a/zenario/autoload/date.php b/zenario/autoload/date.php
@@ -1,6 +1,6 @@
 <?php
 /*
- * Copyright (c) 2020, Tribal Limited
+ * Copyright (c) 2021, Tribal Limited
  * All rights reserved.
  * 
  * Redistribution and use in source and binary forms, with or without

diff --git a/zenario/autoload/db.php b/zenario/autoload/db.php
@@ -1,6 +1,6 @@
 <?php
 /*
- * Copyright (c) 2020, Tribal Limited
+ * Copyright (c) 2021, Tribal Limited
  * All rights reserved.
  * 
  * Redistribution and use in source and binary forms, with or without
@@ -599,7 +599,7 @@ public static function updateDataRevisionNumber2() {
 
 
 	//Formerly "connectToDatabase()"
-	public static function connect($dbhost = 'localhost', $dbname, $dbuser, $dbpass, $dbport = '', $reportErrors = true) {
+	public static function connect($dbhost, $dbname, $dbuser, $dbpass, $dbport = '', $reportErrors = true) {
 		try {
 			\ze::ignoreErrors();
 				if ($dbport) {