From aa950ba9a0a0a6b7cc83df1e905d87c3a878111f Mon Sep 17 00:00:00 2001 
From: ryuring Date: Mon, 14 May 2018 15:36:59 +0900 Subject: [PATCH] =?UTF-8?q?20180518=E8=84=86=E5=BC=B1=E6=80=A7=E5=AF=BE?= =?UTF-8?q?=E5=BF=9C?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- lib/Baser/Config/setting.php | 2 + .../theme/bc_sample/Elements/crumbs.php | 4 +- .../widgets/blog_author_archives.php | 6 +-- .../Elements/widgets/blog_author_archives.php | 6 +-- .../Config/theme/bccolumn/Elements/crumbs.php | 4 +- .../theme/nada-icons/Elements/crumbs.php | 4 +- .../Component/BcManagerComponent.php | 1 + lib/Baser/Lib/BcSite.php | 4 +- lib/Baser/Locale/baser.pot | 2 +- lib/Baser/Locale/eng/LC_MESSAGES/baser.mo | Bin 263861 -> 263895 bytes lib/Baser/Locale/eng/LC_MESSAGES/baser.po | 10 +++-- lib/Baser/Model/BcAppModel.php | 18 ++++++++ lib/Baser/Model/Page.php | 11 +++-- .../Plugin/Blog/Controller/BlogController.php | 3 +- .../View/Blog/smartphone/default/posts.php | 2 +- .../Elements/admin/blog_posts/index_row.php | 6 +-- .../Elements/widgets/blog_author_archives.php | 6 +-- .../Plugin/Blog/View/Helper/BlogHelper.php | 8 +++- .../Mail/Controller/MailFieldsController.php | 22 +++++++++ lib/Baser/Plugin/Uploader/Config/setting.php | 7 ++- .../Controller/UploaderFilesController.php | 23 ++++++++++ .../Plugin/Uploader/Model/UploaderFile.php | 42 +++++++++--------- .../Elements/admin/uploader_files/index.php | 6 +-- .../admin/uploader_files/index_box.php | 2 +- .../admin/uploader_files/index_row.php | 2 +- lib/Baser/Test/Case/Model/PageTest.php | 2 + .../View/Elements/admin/content_fields.php | 2 +- .../admin/contents/index_list_tree.php | 4 +- .../admin/plugins/index_row_market.php | 6 +-- .../View/Elements/admin/themes/index_list.php | 8 ++-- .../View/Elements/admin/themes/index_row.php | 12 ++--- .../admin/themes/index_row_market.php | 2 +- lib/Baser/View/Elements/admin/toolbar.php | 2 +- .../Elements/admin/user_groups/index_row.php | 2 +- .../View/Elements/admin/users/index_row.php | 6 +-- 
lib/Baser/View/Elements/crumbs.php | 4 +- lib/Baser/View/Helper/BcBaserHelper.php | 2 +- lib/Baser/View/Layouts/admin/default.php | 2 +- lib/Baser/View/Pages/admin/form.php | 1 + lib/Baser/View/ThemeFiles/admin/form.php | 4 +- 40 files changed, 172 insertions(+), 88 deletions(-)
diff --git a/lib/Baser/Config/setting.php b/lib/Baser/Config/setting.php
index 96b8170013..cdacd2d122 100755
--- a/lib/Baser/Config/setting.php
+++ b/lib/Baser/Config/setting.php
@@ -54,6 +54,8 @@
 // 固定ページでシンタックスエラーチェックを行うかどうか
 // お名前ドットコムの場合、CLI版PHPの存在確認の段階で固まってしまう
 'validSyntaxWithPage' => true,
+ // 管理者以外のPHPコードを許可するかどうか
+ 'allowedPhpOtherThanAdmins' => true,
 'marketThemeRss' => 'https://market.basercms.net/themes.rss',
 'marketPluginRss' => 'https://market.basercms.net/plugins.rss',
 'specialThanks' => 'https://basercms.net/special_thanks/special_thanks/ajax_users'
diff --git a/lib/Baser/Config/theme/bc_sample/Elements/crumbs.php b/lib/Baser/Config/theme/bc_sample/Elements/crumbs.php
index 9e376e2ed0..30ab5ca0fd 100755
--- a/lib/Baser/Config/theme/bc_sample/Elements/crumbs.php
+++ b/lib/Baser/Config/theme/bc_sample/Elements/crumbs.php
@@ -23,10 +23,10 @@
 }
 if ($this->BcArray->last($crumbs, $key)) {
 if ($this->viewPath != 'home' && $crumb['name']) {
- $this->BcBaser->addCrumb('' . $crumb['name'] . '');
+ $this->BcBaser->addCrumb('' . h($crumb['name']) . '');
 }
 } else {
- $this->BcBaser->addCrumb($crumb['name'], $crumb['url']);
+ $this->BcBaser->addCrumb(h($crumb['name']), $crumb['url']);
 }
 }
 }
diff --git a/lib/Baser/Config/theme/bc_sample/Elements/smartphone/widgets/blog_author_archives.php b/lib/Baser/Config/theme/bc_sample/Elements/smartphone/widgets/blog_author_archives.php
index 0e3f8de205..f9d82fe189 100755
--- a/lib/Baser/Config/theme/bc_sample/Elements/smartphone/widgets/blog_author_archives.php
+++ b/lib/Baser/Config/theme/bc_sample/Elements/smartphone/widgets/blog_author_archives.php
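Review bot: The default added here, `'allowedPhpOtherThanAdmins' => true`, leaves the new containsScript rule switched off unless something overrides it, and the only override in this patch is the install.php template written by createInstallFile in BcManagerComponent (further down), so a site whose install.php predates this change keeps the permissive behaviour — assuming the setting.php value is what Configure::read returns when install.php lacks the key. For a check introduced as hardening, the safer shape is `'allowedPhpOtherThanAdmins' => false,` here, with the installer or the site owner relaxing it explicitly. If the permissive default is deliberate for upgrade compatibility, record that next to the value so it is not "fixed" later, e.g. `// Whether users outside the admin group may save PHP/script in page content; fresh installs get false from install.php, true here only so existing sites keep working`.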
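Review bot: Escaping `$crumb['name']` at each theme call site leaves any other element that calls `addCrumb` unescaped, and the same edit is repeated in the bccolumn and nada-icons crumbs hunks below (and, per the diffstat, lib/Baser/View/Elements/crumbs.php). Applying the escaping once where BcBaserHelper renders the crumb list would cover every caller, and would avoid the double-encoding this change introduces if that rendering already escapes titles — which cannot be confirmed from the hunk. `$crumb['url']` is still passed raw; whether it is attribute-escaped when the crumb link is built is likewise not visible here and is worth checking in the same place.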
@@ -38,13 +38,13 @@ $class = ''; } if ($view_count) { - $title = $this->BcBaser->getUserName($author['User']) . ' (' . $author['count'] . ')'; + $title = h($this->BcBaser->getUserName($author['User'])) . ' (' . $author['count'] . ')'; } else { - $title = $this->BcBaser->getUserName($author['User']); + $title = h($this->BcBaser->getUserName($author['User'])); } ?> > - BcBaser->link($title, $this->request->params['Content']['name'] . '/archives/author/' . $author['User']['name']) ?> + BcBaser->link($title, $this->request->params['Content']['name'] . '/archives/author/' . $author['User']['name'], ['escape' => true]) ?> diff --git a/lib/Baser/Config/theme/bc_sample/Elements/widgets/blog_author_archives.php b/lib/Baser/Config/theme/bc_sample/Elements/widgets/blog_author_archives.php index d60b233970..90e6775baa 100755 --- a/lib/Baser/Config/theme/bc_sample/Elements/widgets/blog_author_archives.php +++ b/lib/Baser/Config/theme/bc_sample/Elements/widgets/blog_author_archives.php @@ -40,13 +40,13 @@ $class = ''; } if ($view_count) { - $title = $this->BcBaser->getUserName($author['User']) . ' (' . $author['count'] . ')'; + $title = h($this->BcBaser->getUserName($author['User'])) . ' (' . $author['count'] . ')'; } else { - $title = $this->BcBaser->getUserName($author['User']); + $title = h($this->BcBaser->getUserName($author['User'])); } ?> > - BcBaser->link($title, $baseCurrentUrl . $author['User']['name']) ?> + BcBaser->link($title, $baseCurrentUrl . $author['User']['name'], ['escape' => true]) ?> diff --git a/lib/Baser/Config/theme/bccolumn/Elements/crumbs.php b/lib/Baser/Config/theme/bccolumn/Elements/crumbs.php index d7a2dce211..74b17668cb 100755 --- a/lib/Baser/Config/theme/bccolumn/Elements/crumbs.php +++ b/lib/Baser/Config/theme/bccolumn/Elements/crumbs.php 
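Review bot: `$title` is escaped twice on the new side: `h()` is applied when it is built, and `['escape' => true]` then asks the link helper to escape it again, so a user name containing `&`, `<` or `"` will render as `&amp;amp;` and similar, assuming BcBaser->link forwards the option to HtmlHelper::link as its name suggests. Keep only one of the two; the simplest is to drop both `h()` calls and let the link option do the work, which also escapes the `(count)` suffix consistently: `$title = $this->BcBaser->getUserName($author['User']) . ' (' . $author['count'] . ')';` and `$title = $this->BcBaser->getUserName($author['User']);`. The same pairing appears in the lib/Baser/Config/theme/bc_sample/Elements/widgets/blog_author_archives.php hunk on this line and, judging by the diffstat, probably in the Blog plugin's own widget.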
@@ -10,12 +10,12 @@
 foreach ($crumbs as $key => $crumb) {
 if ($this->BcArray->last($crumbs, $key)) {
 if ($this->viewPath != 'home' && $crumb['name']) {
- $this->BcBaser->addCrumb($crumb['name']);
+ $this->BcBaser->addCrumb(h($crumb['name']));
 } elseif ($this->name == 'CakeError') {
 $this->BcBaser->addCrumb('404 NOT FOUND');
 }
 } else {
- $this->BcBaser->addCrumb($crumb['name'], $crumb['url']);
+ $this->BcBaser->addCrumb(h($crumb['name']), $crumb['url']);
 }
 }
 }
diff --git a/lib/Baser/Config/theme/nada-icons/Elements/crumbs.php b/lib/Baser/Config/theme/nada-icons/Elements/crumbs.php
index 60fc2873ea..467ae12e7f 100755
--- a/lib/Baser/Config/theme/nada-icons/Elements/crumbs.php
+++ b/lib/Baser/Config/theme/nada-icons/Elements/crumbs.php
@@ -10,12 +10,12 @@
 foreach ($crumbs as $key => $crumb) {
 if ($this->BcArray->last($crumbs, $key)) {
 if ($this->viewPath != 'home' && $crumb['name']) {
- $this->BcBaser->addCrumb($crumb['name']);
+ $this->BcBaser->addCrumb(h($crumb['name']));
 } elseif ($this->name == 'CakeError') {
 $this->BcBaser->addCrumb('404 NOT FOUND');
 }
 } else {
- $this->BcBaser->addCrumb($crumb['name'], $crumb['url']);
+ $this->BcBaser->addCrumb(h($crumb['name']), $crumb['url']);
 }
 }
 }
diff --git a/lib/Baser/Controller/Component/BcManagerComponent.php b/lib/Baser/Controller/Component/BcManagerComponent.php
index 9deeb90557..0d13f0b3e1 100644
--- a/lib/Baser/Controller/Component/BcManagerComponent.php
+++ b/lib/Baser/Controller/Component/BcManagerComponent.php
@@ -496,6 +496,7 @@ public function createInstallFile($securitySalt, $secrityCipherSeed, $siteUrl =
 "Configure::write('BcEnv.sslUrl', '');",
 "Configure::write('BcEnv.mainDomain', '');",
 "Configure::write('BcApp.adminSsl', false);",
+ "Configure::write('BcApp.allowedPhpOtherThanAdmins', false);",
 "Cache::config('default', array('engine' => 'File'));",
 "Configure::write('debug', 0);"
 ];
diff --git a/lib/Baser/Lib/BcSite.php b/lib/Baser/Lib/BcSite.php
index 155a612d45..2224796fbc 100644
--- a/lib/Baser/Lib/BcSite.php
+++ b/lib/Baser/Lib/BcSite.php
@@ -406,9 +406,9 @@ public function existsUrl(CakeRequest $request) {
 public function makeUrl(CakeRequest $request) {
 $here = $request->here(false);
 if($this->alias) {
- return "/{$this->alias}{$here}";
+ return h("/{$this->alias}{$here}");
 } else {
- return $here;
+ return h($here);
 }
 }
diff --git a/lib/Baser/Locale/baser.pot b/lib/Baser/Locale/baser.pot
index 7d5a26a8d1..fae1349e41 100755
--- a/lib/Baser/Locale/baser.pot
+++ b/lib/Baser/Locale/baser.pot
@@ -4991,7 +4991,7 @@ msgid "更新に失敗しました。入力内容を見直してください。"
 msgstr ""
 #: Plugin/Uploader/View/Elements/admin/uploader_files/index.php:23
-msgid "アップロードに失敗しました。ファイルサイズを確認してください。"
+msgid "アップロードに失敗しました。ファイルサイズが大きいか、許可されていない形式です。"
 msgstr ""
 #: Plugin/Uploader/View/Elements/admin/uploader_files/index.php:24
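Review bot: Wrapping both return values of `makeUrl` in `h()` puts HTML output encoding inside a library method that returns a URL, so any caller that uses the result outside markup — a redirect header, a comparison against another path, a log line — now receives `&amp;`, `&#039;` and similar instead of the path. `h()` only rewrites `< > & " '`, so on its own it also does not make a request-derived path safe to emit as a link target; it addresses one output context and nothing else. The escaping belongs at the point where the URL is echoed into HTML: keep `return "/{$this->alias}{$here}";` and `return $here;` here and have the view do `h($site->makeUrl($request))`. If a particular call site motivated the change, a one-line comment naming it would stop the next reader from removing the `h()` as a layering mistake.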
diff --git a/lib/Baser/Locale/eng/LC_MESSAGES/baser.mo b/lib/Baser/Locale/eng/LC_MESSAGES/baser.mo index 88b289caba7230ac9671bd072569b7bdf39f7bf1..420e5194e48682870d880c86f4ba93f8566480af 100644 GIT binary patch delta 28609 zcmXZl1)NsJ8prYTzDo-VBI!kz*riz(mPWd}6cA)7$(4mAqz_BS(t@NQQX~ zpduk5Al;IJ!u|cp0su<8cYcM_?z+S2*B%qbMX5 zwg+b@67X_SFNSYpQ`GsMxDX%WI-F57;AO=cQ33A_Y>RmUT!$s7PcLTf$6?f;qXsxI z+FXKa|7f%y@aj>x#ephVy0~>o@J`}l%!Gr=m{Xn0 zuph^NKy|2iSv%hx)qZ!JieI53;+HFDbNLbKzy#+ecl=Lh^71y4f|#1?s-ZgG02T5X zs7M^Z5AhyG>wE>f&qtk~jf&t-jN|#Eo!QIy5pnV@z12@bU6i$cnfL-r%}mu6<=bW8W!^0 zHSIx#QPYY$KVZ{3ZuOsz3 zE$sSlP|J1?R>32v)#Ja>(oWPtji4F!!BMCVJwsjidMlgL+Nk40P#v0%?Qkh-#3??o z_Hv@GD}Z`ORKgZ`1a)6T>(D;ndu1pnS>l~vqLS?-YR>*bH5Asy>e)~cDua692_#tF zT~u;bZEI6l2i5UbsDaJEDBSCOgeA28^Tyhq-4Zu)!5I7+%eS+g>>6g_0X5oN)_>T6 z5mH};-MDUZ$AC8t!#f4MXSg0Uw_kr`9e9cwKy+sdeJxan#^V;P|E&}>mkC|$!pWG6 z`Vv>)k4l=exE}*uE$MzlHI$*7MX)MrHT6fWp6^iY{DtQ+MR)7a71R{u?7{k1p*V&7 z8X>CQGcMrW#6(m>aUWagKSPaVGb;2yp+bBGwK{V4G-FX6S%?$y5^5@Y#+#E+?W~Gt z{cFAM=71iQqnC}WHtK?DsN>5~5Bvqy!CUw#zC`89jNY~pEpnd2DICw9VE3;?wRZxw zd~e|ljOoMr*RuGrPr!SCzo6byd;3~4-Ns1j51rZjS-lE2=Xh6C2ezR)cF5JwId8h- zPjM#a)AYCGT!gxQtxqAI!X8Y`6qNYHlJVUEc3}_vi{pb)InZv9<;rN(gTKI{xEeLW zbIymTDM>xpj@LmwFcuZj1PrbJ1r)UWPNI_WwIR0UPQ-rHU%GnVq1MrBxRB#5h6TLV z_!RZvW<;_&c0oC>5%9V|Yix^qunp!O$@c&e^HHnn_$V9s9j7w)#gS%&pD0S2X0_4 zOf`-5uMriTW<7il^|Bc0>KUfnh%2FP?2gLf@$UG1)G|DP+6n(R!_GIr!PMJfBA!J} zMcYqp>XzdG>KSK}ol3H#nKtssS@tQ_85?o@DQaqJeP-u}p&Htbnu3(Gt;4M_f%-L6 zvVJhfR>5S{fR4L*>|A^BVm!<7xBYqcfM=)>M$LE22g^`@fETgg0&XCy(|&HDzp>CB zlzfqOs4OZ%BT%9J0yUL;P;(#lg&B=nWwE#f{Q(qoVUEQ%w;!TL&N}vtGP~~)_M+Z?xh2~#7(@M%t7lnZ9nFXOcx{XCX#IafK_U7H6^ZBg zE|&Ys-s1ysF7>^roh^2yb!0K>z5}=pAEWMH{3r=uAK1D67Y@2KZJy1Oz>s*ARsDFn_vWlDSldTDAgGsT)uFs4* zAB9TVs#rM4oTGAV;&%bBKR)}8^{2C{o^(oXv&HZPnr1=vS>O0Qt+XLPg)N7%p z;s$Dm%d#Wjt-u+m2vpcal8L7n#4gXUpL>ObKY4DPj#Z$;(Qb)-YSmw%t#&W5m{nqeM)KPMLSWsa{(3EXQeAEuO3bmhHL_PTJ-|crn%g|SkuTap)qEFg`Vo}Rv25MP)rvhGi$c+kZTU5t} zVtd?)%KF@=1KtoUgW9S$p(1n!b^jggh6T>pvYc^-^{@50h68HgFzSI9aVLiTVI$d# 
zI{zEC#hd8ypE|q}`%tfY&XR09YKQB8-jelm)O{;3l-%z4aqP$OKhCrM^&?f23pV#z z|Fo~%O{g!Kh>OeTl2DLv{RnS3ifE(rZrdlGU?0i#zN26x6d$sO9qs z{)DSh$usz}O--i10^aM4xEg-R@upX7PM@Hrq}WyKU?ZGDy$$||x3M^Gx@M8Qj+*Lc zsGRa6uUkVOphER2YD!k3*86^}kH>Hl=D1-EeC<4q`Up*V(;Do6T1B(40hYKG@akY9 zDhUr`8BBgVr0-Rvpb>n6N}5@yj(m?L@whYP9a}!{;sB2ShE=e^UHgs46x6$8!@Yoa z3zOgH6OLv40JUnWJhWdx#GyX#_u_o5|NM_E)ca5)k9}+##b8u2?ZQv-22RFdPt0^r zZN&3YKO-JP4df{%VCH8w=i{**^~KJxf2`g~YW?q{pb$nrw+JMnBCrg#j(cui4|V-j)SN~IgQ2PGhU(a4RFZvzGw=`8fa1e~p=2M88rbZx zpdb3lW(5ay!yCzhp*{LtR1Zfw=c881CcKD0q8_v|xix$cRlk6_@FnW{@D#z&S9J;0 zPPiV`k!u+GHC+ln=xHabmNFRn?bH~ICIaVC*`GdjF!Z*|?yQdLc~4Y_hq?MHoJIWy z)IQNHP0)S-L0x|qHK5z54kmvs7)s)NK80o+ScKY&AK@vioHpo%W43fb`xr${$pF+U zS%Yf$H`LVpg?g~}deF-W=}@6Bg7LTu)#2zjtRu0g2>Amjs7Dh~%jX++!7J3V$;$8A zQ(!gJb#+mpi$mqWdfbRF@ONCBAsE`a$G&Nit)0<2HWAhF*{;6L^u0qAv|*gYo!Iv+ z8(GOrHnJM1Bx{d_10)|Fq5fm$px1-?tSmN?U^crh6Kd)jVHmbT4d6pmggT)H&>Poi z{coYLgN>p~cDo^8j$ml#Dug?^a3E&Da_`s_)JHWq(m4UOl}5jo<Th&h)|ZxY8ZJ>W<$>Ul-=fYd1!tI#LGJ^A@Pz*^Wky=p5?$o6biVN&O{ir;LcO zDQkcMrluPz$$CWE{lhSp`b2Dww<1~pDpbyAb21aP3jV-2%$GkH`WE~Y)zEQNNB+Wb z_yE=6K?Q82b5Q4xp;pH^)Q)%ub=~EHK`%E33)z4p3i)!3nD8`aPs zs5!oc`XHtc3pqe#&i<3hvmp_mINxcVwo1inL!bdRfFa_4WO zmghfMpZ4D@tLs^RvE{6xZm0)NL_J`-t1oo*WvGTXphEWx>VaN)yFLwSYOItYR`3lS7 zTIVe+Ks~aCoo|d9Q47@a>x7ELcnsy1JAcG^#vQ*_!w-i3Q0OTKqPQVnO?xl5Ky8`F z@I#U%Z7s`@?zMy7YK|wN-hSoln4?g0dc^q{mHj#D2E7|t7L~kt>RF^pp*pP>;)@I?@W0up=s@_fb91 z+R#Rl6Sd3=qpt6UI^PF1;z6kIg$eHbUgyuK>rSDryMURr{_j!Hj+VTU?PwKH4Ie@! 
z({HGb{Ns-2YHamFs12nV*1XLA4{q4Z2GSNQX#Mw~pa-r% z^=!SnV7IFuMLp<(^O-xIp?T2D!|`0Gov;R~!(C9xmgMRSQ6t}rQFs`Y6ED!$dQbIU zF!U2kLsV#Yp{C>|79sm{yl)+-*TPmuC)5UX4mHvoEp6|Q$9U>jFb>~qW$o=oEyq`= z^Cdp8cg>d{u>QMo;3@~yx1%56p}uskTBb&nX|W{`G*bIiU4^6BWwHw)Vi3HDYax zUWV#epq+gu6hL+S15{G_I32%34Y+Bp+-!&1~-|BiY<=8x>U z2B;8zh+5wRQ5_tLn(I-h2Yu_@jf(V7xEx>W9P~cZ`rkl7531KC=&i>gI0mD-+JiTv z8hYaNy4i!$pprF%vmxr&_7hPdKZweSyQqk!>u&WZ)Ib{In_B;)DX8bOQ5P=6#kdRg z;7&b)UNFG>8x_jlar|f&WDCUsy1r*H^oxkB@j-7p*L{FWx@^6zBT=YGHAii|y--{H zKn#8VFQ=dm>_k2AfU6%zJ@6E2q*vVW+zEDl0o3)yP*YIO9j}NPsMo-^umviKW z_kE6jM+z$_+{Ltg?5EZjs5$(kuZ`eq)Ci8DlIu1qw6AaqzSGY>VppSbsl+F?;|)Yz z*Jps`%yiWA7Nfp9QVeAM>p=8C`-q&08gb+x>tPAh$lgUos0u0>YokIu4mIbWqwYJ4 zNld{F)N8u`5F1d$P`m#NROnZr&i_7?^*@Zl=wUX(WYjBD4@ZTlJ!+17xcXnHj@(5h z?PFAfk;AP6%`tSJvxl>v)5nHfKOWW2DIHKqFQBsWZ`8UhkZ8w$K_%rC)Gs7cj<5%Q zgtMs6Kz+6s9BGmH7Mi zabh28M~j?fQ!xwmTe0=197#9X9@HB(vZ=Tfx8p(VG{w#rooXX%fO_y)RIcpBNq7bo zv98lJg{=RtDZIgfv#2?_jsL@ksI4~rber2&c!zpt)EqaTVYbDL)VrcaJOmYiDb5wB z4(vkRcM@0PMXbv6y`)d=0Y{x@Q4QR{85o>t-|@3hAKBpUD8|ouapW_!$FQtN? 
z*>$5Ziu(6h3vZzYSYozyq#XKMPSxFkQK$;cq<_U8iDZvusXIiL~6e{K&Pf||=D)bWL= z4y{5xXfx`4z6~|vr>F<#Txi$FqLM5Q^;%zpx<0VTt}l;jzoSn?2gt&T;i)sP>aB3w7N0@=(yo zK18k8?x>J1NA>h5YJ|^Gk&0PvTW?p?eRFUlF2gCKEMk$EfyS zxq8}Fw8!(k%oH@@a8!tEV>WDw?JxoL;9pUZIET7E%Qtp?CDhBP5o$_?qpshH>fj+) zKkobk)sZV0`ujhBQ_u*5t9g%OJ*y0UK7`~2U-0_*~f_~`F^A>X;f)j!D_KB1a)lf0iGAV^=unsD@nxh&V zh>@6x+JaZ0uKxjZ<5A3vf1`3K^#=5{59;Z{@*Y{&Ar3sd2LsANsC$Cg`K)O8tA%QZ79 zc^kXqtx;3l7E@^bccxGXKgR#DoaUf*sLgxr!VLR@p}$O$4Z}I!7NgO}9JmfORY$Qk zrq~}0{S}T5sMqWU)Ur!;zy_2BmAv`T*9K9Jg0iv-DiR-}e&QL23i-qz?Zz)r^$nQKeW6P;SHYxX+#c-FX%DVe$mu$Ec(Bk{W~BuudHHZHKzZfsP!w zi+VdXJ!TK=jcRxzYWd7Zt@DGZo$Vwl0)L@8_5^i*isN=X0=3Rdqc)D+ZIqpQY8~(dZ zVH?zzI{>v$%s}=J-#b7-d;cxe`#;0UVCb*MHbiZuXHd)QK5EXNU~MdW%0@T>HR8$6 zFPs}uQ*!{{!qd*X?s(W~y)#JTOcXT71yDDXLp`{@t9L*}q%Ue655=4~4mH9R7|H=u zJ5Nx{GUXWyeT1_jsv|8>9gf3nT1GwvH82OO;n%3;a}V`a%kYQY7=fD0a;Uj%hU!Rn z{0S#uah6w$vo^OA&e=}-9Myiw^TE(RY^a6m=tB(s`=4YNENk;Pt7148w0Dj`Eu$|{ z*?SfXV46Sex)`iM{XJ}n^Kb_~LgmE9i?(6?jGBAzl0`1&66;?h?8N~slTp|ZH(?wm zyBzdRV{dGX_5QLPn2&nzU%<~W#TARt=cuXMfO=~lMCDY`s}{K)IEeZv)N*}w)wj8N zS4gL=`rzKszE^1YDL}hz#R0NVxJLfV~d)rYv z?FpZPBH-PyhTcNmSO9flb<{dOn&>8kb>7JcWAT>$hzqX^q9Hk3?O!85P>=s404e zdSK2w_UTpy!>M;h2IhNXDJZFy;Bfo}wS1c0wVkgwHl@A|725RoY|noO*+9HV)ClXM z?(2q%*jQB7FTskq8N=~0mc`8XgWdtH|Hc$La3Jdg`vx40G1QNvLX_ff`@td-6{*dr z4qe3d81v9_VHPUHYcL9*qpmOb$a3aA98JA5Y74%NZ}NQat;cpjK4%$J2K!$K`q~$|JanYL`BR;zbl2$Dd>ij&+TtK zw8Xa5v%Lt0{>IY)RMw~b*Fv5Zl>-%=<5AiDJ1S}Kq9Ty|Kg)@dsFzq5Y>pc+8K!#4 z`qvz#duel<6V*Tw3}AIs&ugNR&&L(G3DrQ`SGFoTqBfvjsQqIzmc!(HxYfeSsMRwL z``}E}+cI^)4-17NYaq;9#DUVNXU3VD#S^sb$lANN*+7&Bnt~=a}!ht z5>OAAj)icOJAV-sxnOeZSQ*rSs-XtxzfVCA?1~y$JZc&Fs7NfpaNLS|IsJi}qMRwL zfl^qMdTrG5`~($&(O4a)VqQFfS`E)JD@LRYUB}=5qo6FWgL*l{Vk(@0>d<^t!>dp| z-im7ACsfC;pf;-8*a9=9vgQG45-yI6!97vzqrXU)1VO4C6 z4N=*=5|iT@)Cm7XHGB&-*It@1uOp;FeHX;x`?vyi-78emz4e;qL>_FT^q+G z<3rRO^-XId9E(e-Pe#2PV$#{vG{Q#I<4_U$0Tr=Br~#b82)v5gDbv1g11#pOg1(Zc zDTNqJK&|8Ds10HVs=@Q94&6m1W8e*ICJ}k7QUc)h*D3`&O+b-1dIgASVDQtk3QL82TO*d7jq-}`JFb);+oz4@e 
zx9m;lOVq&L%*guJg}F1@fzqgv)Iv4b02T5csH7W%WpJT8e+t!+Cm7l%-m>+b9V>CX z9%{}fq9QdHb^T)0)NSzHiLgwzJYK_&Y<;Crp`M%BR>fx2s9nm zI)Yj?mr)}N%V9Z@5%t!rkGb$`)G9iHYWFtk`Uj|X0`Ks0;`v?{3JPT`Dui8eHul1J zOr6u_dLY)JJ`UBuFQ{a?j*84bsHw^vZstKHZ86k$K^;{49Z^%!1O2KL`cqJ{e24k) z7KUTSTo(EmR0Azhp-ezMXa%YRn@~x)AJwsJxx+lQ8-i&OFAx;rt$6rI`Ohr^KbwEX^E4IebsE%EX z@NIqH>ew6BfVbpUMusMuGWpPo|)YNr$LT%y0P)Rxq zm5iHlIG)0p*s5Sy=yyi`Jqq7&AhMA4_&3}|{UvHdI}3+}e*O;@2@CxV#%`!wdAq1} zpaE(Mx}la`f7C#hVF%oWid^0(>v%C#2g@M$`CelRS|%UjXdHrNF<8t(Rsoe%tx(G{ z9u=`KQ4ijNCvh+4#re^;?suU!qF?b_Jmcy!iid^%0>WGj{r<0N3EN0op?ccWIS4gp zV^E>~64lWisD0r)Ho=rJHkYkXt04}R8$&S?$DyWj4MyO8cm6hpzW<-P18GWHa%4hf zX--u34n}>kB%;1(mY`O{&!|XLE@cmFj)kem;zyW-O4h$|06s+}U9ZxXOC!?|jMZO9)iYx(=0ROQ(wT&svYEIU52A8ocv*||yt1tS z3IX0y9MBy9RnB~l>UsL|7Wz!6WfP4GZFy8y*L26by5k9`0SraGWG10j#}BB8{*KzH zidQg4S77}&;=m~m)W`hqhK2rFTt8Iy|A*QKDpj=idIKy+eHbbyzC)cqftsqzu6_g6 z;injiSS8E)*HPC+VnZzKQ_wmcjMZ=+D*G>B8O&DMmRnQjDEyt{n^6ri;B!L z)CRN;3*k=GmVO%x<6Bk3yvkSw6(N5Fg{c(Q;k#J1nr#fjQK8&|`Vu;Tdf*i-j(=k` zMpUTR_jl{6Pnk;qunvbh0j z8Ersi{UKC{&!Zl29kt$5)v_FV0~Lt~)b%l_h}K3$IuVEK{lAZbZme0`E^L6x()Os3 z4#D?uEGk0hP$PJ|j+q~|I!dBGNZxfeMeTH5oIX~k{uwIS&q|)}{Y^m|PpZ1s;9ICj zu+i$lH*gV6X+M!Hw7quj6E_(8zYY!&ry<15`4WZ)`c! zu`%m^ItNDS0Q*3eCbpc)G_?@b#3;_UL2Xb;s1SdSdaZ6ih4`fN9%?zJY-SzFgv#=6 zsN=IS^m20bUCn%J_$UXocV9%!`QNAq{)Zaz8_lglF{tBpQLp1Rs3~cOO15rT3I|{` zu5srtVrl9(QMr@*JLcc=kj7qlks8DW2b>I?e znchM@D0K_#P!&{!8e?JXiurM-)89^E3J0#a3qEOSBV2+?y3MGU$thIB6f|Q(OBMdPg$qUMi>B+h=yZ4mO}f=cmr)sEBPvKb*pScOpYa z>v3Mx$V=gySPPY0AGqTKP$L)B={Swqpdkr-;cRR8E z^?|-%A>a{u$)!?y-3I|Gn@6B-oa0=M3iT$`^4x`u@fNDV3h@@9iP)L? 
zFIWT1_Of5q_^3!8LA7%pHQ<}b2IhMyd)qf!6zW7B)#+hpY)^f7f_3Z?s-b^Sxsaxh z-IoEi6BfcQ*v!?xM@8l`YGB#>n$cL4dTmUn_5TTlf*cr)TCZzSd;V^$fY(qx&)d&N zRtz;Y{ZYp!pdvF1o8wMYj%4a@$yW$dQZI$-NJZ?5@9DVS|Jx~OMEg-67)S6ceC-qa ztloqZsAn2rNwo--tlLo=&mQMb?)V8*<37%W@+6YG@~g)VL2- zKZ^QF{ms?Spf;Whu6`Hw7JKOQ23tLyGrKb%s@)jWs;Gz)u@er(`-55kI?;1Tn0E+2 z#U2D%pY>@t`sGaXB6J z)qD~)pbTT}9nurkfxj>>K14m&&pOU7ERL->Fa=}r2I_)3<85ReQ4tu9&2Sbf`){Hi z_yiTHViPQ)AETDv7pO>`LcRB2pJ@9_0VIcfuQUbCO?A``_C6|vvrymZ>rs(-f*UYf zQkb_EkDzj6*d&|FnW&D>#WeUFKf&aa?W=eweo1{bYG6&LXlhu0aiIcVGFY4wNvM(R zK)v<;MTIW=RBN~ZDiSfMT&Rnh)5XqJsAahs6{#Jlj%J)@tDqq2{>GS!=X;$gC>!H3 z0sEp}kJnIH{Vyui$)?*fOYh8q+G-1;Lfgw7pNPe%&qgKpLDUrdhmWwt40~SwPg(zZ z+ZCapt+g^LbWKpJpbctd{jehXuD%@=sUK0x@&&4c!I_rruVX{%?_g>C7!}c_I2bQs zMr=Ea^`DbM!Ytdvr=vo%71i)DREJKYHl$0am(z9BUjGEEVB61Z6)Zws|E+TmDz|>d z{P-toIi{X%Igo9(+XzZQ z<_}b|K0syl6I8?L7MpLO+It)Shec44sf%N<18OR7;QLzt_bBKcQ1eSO4nLyD)3H3q zpDhUs{aJ9#QtMDDR0k@e?yH8HvTmr*&P7e#a#Y8DMO}XeH8mGd%la-xE7ob3SyEL* z^{hT>{We8yJgrg7YZxj5bMQM{gL+`M<+e)tqc*JJ_%80nN*G*W-v?DOntB|T#LqE8 zbNw3yEuZJ82dDVT{&?&S)ZDj3^*9bSH4{+FawcjyEkx~TZ?Cjamqd-c0cy20M@?l1 zEP~xp9hr^39(;&G9{e5kpy%#_tY2G0by2IM32M$epc)>Cdhl5M8ozMI8?3U|Z)@Da z@j=)G%Y9=VNJ4G#TfbrbSEukh2ec8rz1rS#MNu7Ti&|zwP*d|cY9vcgky?fMa1&~3 z&Y{|Qh`KMu8jECp%t^gBs^inJ1TI{|`qv!(%7I4sCu+`%t+l6X&CHVC+VlqRFVKUV(bIY($;+54yrJ)Eu8gh3>kmr`cp9 zcpHmyJQ5Z9_fW~%78S|_R0o$~VO)g@`Du6lADl?N$mX!n|3=hz$UDUMN^P+p6uMy< zF4%&V@jj}D(cfAq%b=#FJ8B9h;fHttHRloE*~rSE_V@;<4t$7;&`>Og6Hp!9hbguG z54!`u;>VmgjoMIZZM9?^fbFQSz?zu)dwcCR#vasXq2@aHgB_1S<-#CTN4BBff=5tO zmVBEXe*=^8d@m;jg*Go1!Dgt}Z=x>1xu{4iL`~5$)D&$&t%lR6T)Bvvnun;l{uh-K zskYm4i^SU0t72Z9h`y3#Ed?dTydAcj)?z{Gr?3Eq?X(7pIP0MH_K$EfjzCR8hF$gz znHOKDJ`9!plTaObG zQK8M`%!yh>1>E@}sQY7F{asWCs_%B|zb*&VKnr(adspv{>PTPI2nM2VOmy|J?)(&Y z{8QAN&qb|{m8czaJF5K?*c30IlC!wK#~N&knzNP|g`H40e2VJ%=co}cN6pg5J;DQAzeYhPG1YL)5ol>V3AZYoi+M zhd<(cJb)kVw+9wEU>zurc{pARm9#xjks0DlLUP0R=2KAeEO%~o7aYNGj-Nv{^b(b% 
zxqr0vTpHE!>ZlR5L0#7wHINCY{bCwwd2U3##;>CGgTO((##w)_Q_$T0hH477_j1%6-b6(t&0%}rN28W!Z`5@&Fcet~MHcnEhZv>x|AK-VD)f_W zAoWn8nufaY3)EbGg<9uZ-1&p3+&GO|u9r}An(l~u>7Yhj8uglPifShgwTcFzuLj0b zD2mfj%VrlA$9<^1{26L%j`-OcY>VO42fF%PR0K9*13Zgb_XUsImrhAkM|z+lFa|Yc z^N+Ir6`Exnkl&y>vJo5MWz<}iIA$ABWmLU8s^g!y`f${$n1mYPdhCunQBzUqxJ9l3 zDzdQ{j`7D?|4|gCav(qML_OdJDi@xhdivTg*1=4uk^IlqOQWu@h)S}0*bawc4?K_R zK;2)%LjQwBaTrVeG3LYf{NHRH4@J%ONK_;yqDC|wb>S8a#|x+&@J^U-qUJU)hB|@; zsMkYnK>bkdjz8cx7vsCNA5-^09p6sn;@m--}G9^j8+unqNkr!2WvU>T18ii$|u zGuB{cR5BGpb-WxZnX91MYmd4<9@UY7&P3Dq##7KTn}*uawxN<|530eRQAv3M)xc?Y z{vv9Gw^196_lMOppmHMu_1Z0pBd{~p#T%$CIp(aAmi1SUf*MLd^>_>_OFzX1xDskotmsD`rP6!)~Y!jKlu86LnqbKW#v@CC~TjQ_#p8V?lf$ z)uBXJpNR_LPW%TCVO!jL(adwn8XST8tR91LxESBZH!fRyoiT#?AXJ1Gp|6I%rl63e z`O7+z5tZfHP)QhrI^W8j?|_<$uBeXna>oZ@CF;XbQ@0ae!vm<*^(*$qe^JTW^9tiv zvJAdr8^t^awjz!#Vgn_ab}8jN+Q&%+{k1s7t*YfKqav;oUeKX~0Xu4Fgt-4c!Z zR;-Rn>cvT6Nie%$#d>J#f8Di_k-cFPg9 z_gBOUn1~f|JL+ZkA1YGm{X6!@YmHGm(`M9LZ9m52c^rog@7j$gF_QXC495)jEX2ie zDD{e{^FN@b@G>gYFHzqIuidw0n;zA1KZ1fzRKxjL8#Sj_P#wC5+9+P3Rz-#f*1>$J zkJL)8-V&9>y>I~b$J}@imCSGcZS6&(?kk0z^!{%|L7zk$QOTC_p-o9)tVX>lYOZHt zb=-^EFH%3Uk(NZgGuoh%a-wqvD(U8-l5sC884sfddJ@xW{r7!r>oO4)s_CdXUg+wp zQS1JDR7h{R^C_O#eVI^i$4G3Cv8Z2M>_T1tAF3l+pIS~;L3OA;hW`J5no-EbfsUxT z8;weqRj4Gog{iRUGYe^H45$79YDxy9LOcyMRZCGxwgubaA=JPM{bNa51{H}$82b0W zttse+9;gQmLydSW>gBS<)sLfY3_Q1uDjk-kUIvR{0;(flqH<>ohT{R$h_9oT^*vN> z)Ox}Ce}_W%7k1-#)B_ecze06n6DmospmN|Q>OoQe+Hbq6VHfIyP?5ZZl`+|W7V;XX zcSvK@)HX-8*YQ8rze3*CT{y*^n2X^YUx?Z;cA};t$4i^jcBl~y#yt2rYNOhX%I=$} zqzrpyIZ_;Bs8>TRy8)T4w(XBn$mQA~&jI zeX%ocL9Lp1g2_T7?STKI-WwI!$*8HBi#5<+Nud^n`>44u6P7GAS5;6Us*UPM1JsQz zP&;E6R8l3N=GI3&U<|6A>8Ry654E9vi3A?Hs3cp1df=bVYp96aMLqBls=a?vuk#eilZD<1Z=oXD2&>=@tfu#6AVsp!-|wk` znxlEB2OQgQdPr>AU_#0b<;GWhBX~TpVbJWNse-&^RxWyTT*<_wD@&GNPMmZ(an$9+ ziI;~bUSF~9%9J&i6K7r?k#sq6S?Ksm{`< z#^#SHQleORvFLI!r3w`*TdY```tAGlEz&%pea}8|?fb?jlnYN7*e{`5&n}-0TpRo$ RP;zXkb-^vA)`j`+{T~}IQ6~TZ delta 28533 zcmXZl2bfMr`^WKTpJ#PZR?jP}-q-5Aud+n%(K}1Bx>XONm*^!3q6E>qBzo^9M2i+I 
zf)FLrkoWt0?zyi2b$w<|nKN_GJ#)_P#{0iAHP!a1sWvT2;kEJke8cjF`10d*%z_E> zh4^Y?PG_w1d(5fx`OW+|m3n=whBq-eW-Acl3&RL!6=xG%!SQa`8Iu&O1K2;;cYC55ye7$<*^Iq!DXn9pTt7=)YU&M zZXGR;>S$A(j9oAiUw9O%Q^;N-#8(l!<5FCOaagOQoj-sc^+csYd{=Nhro(on%>mBI zIDq3{qdJtKjGZroYQH{C$1hM3@v@e+xvY&k5bIpvjvsM8Muj|Oxe#9x%!}%HQB=s| zP?1=N%Bf3OMCZ%feVtL~hod665_|D{-wg_yi|7g#qAsYO4?sm=o;#kZqD@6Ort^3t-andUG;JH|f`bN}q{z64AZB-3`nC7RTx#^9CainvT^A0NM zQdP68K8U*hCsah@o$s9)qU^dz)OFQR4{Yp?_i)FDNzLgL3L5bu)Cl&XlIs+{$Hdhw zj!r4t4!yR7Z2wwg+@XwKo)%6AMryKZ||wK598PuM^^{fj8=~{;N{R z@v)7tD{2J2Q9YlDx^WLGl#z9V=DNH15KzP3-tpRL`HedPq~dF9YhnVz?ipF-Hj5-z>z} ziF!nHJ3kY(Y*%9y+=5y?-fMRvqJ@p1H1^{}4^+c9Q5U{K&1s>QcDw_sLxZqAPC||N z3F<+ipV)ONQ16JG*c`W@?n~M#xDR-~k0_|&Ce8_{WZR9JvlFO}JaYB-s0e-3+8+2l z5-i_ERC4BNYf~73>Uc%e)Wo5d_ZsIlET;9Jq@C^A6>u9D^u)Co-rjby)0lw=JwdkEh=da;8A>lO2YNst)Vxl2S95ZaUV zuer!TA+JV=syFTx;(Lr;Q4KZx)TUw>Y9tF$bG;dZ4Wd>@=x1gWYFUrL$#@Jkm5pP~ zzNmI)#IpXiURQBI5Ayf6krhH+Fc5Wo3hIG7Q5`&wv+*7(SK|8EMl{xW5T|kcKh*ux z`dWM6qat@6XJMv(tbb+e`hFq47q}DkmRi%_lIa5Grhe7=pELJ>5ML9H*F|+;8LDF& zUHzc*oI8F4=WzZxY9kvv(5|23QHbThYD~fuWE^D4m_5!eY=HMU-X4_$)rVNF#GoEL z4kK_DDq;tnS5Z^)%+(`?+5@9d5owN^I&U-uCC_eDGX9QzvG*|hkhq7cw;XOAJ&jAK zmmd-0YlSyZ4=zn4qp%)o?q{Ley^NZ=q$91vIZz#lL?Y(-T3NyO8S27Os3}>1U*ZZ> zLls9^NBW|2CLX(C<WgMODiTjoq4iI+WGjz)OOACOM6HVd zu)0D%d6G470hJtyCz}~jbDS5uVhL2}7GXm?hKfX{DYnJ-M|HqI)y(LOKz)=(q1x|@ zioj^}bYQVNumLMkKZ(6C=@%isyEq8dkx!;s!`)B~40rV}aRl{^sBgcB=@ywO&XuU= z>_zPZXE7W8Hl6ja5v81AJuHiQS#)>xH>mSDXWEVRQOoQz)bUZMWw;KtrH0J1^F?te z_3AhZ51`h4wb?dxQ!tMDU$ekk zD^U;Li%PQVsHylJ6`{a#+d0dkj(0@m%m7y(jq2DOY=Jwmnbv=*6?Q{6RMHJWJ@_H2 z0pCh{;0LH3FbBTETBz@U^558f*RVJB8mlbXc4Ber$6Wm_s-wwQ+iScUX3_eeNkJjn zjEclwON>@;csm$3-mbEaFz+m?Dw z$@6`^DJV2wqUQ1k)CLl|-X2g9HPT+FY)`VmM$#75fjJl;Hx8ke*RhQ@RS!_h&cDg7 z4@14&qEQjI&F@(M3R#oy?Z$qno=!o%&6c57!$Wuee?Qpu z#ZeDx?Cga_sgFh7zYBH$S=9Y$cH1{%O;pFOp(60qqwq0>!h3A)hoO?@2rAS+I{(A3 zsTbU9Q*jm*;7C}X%F=}c$p?1gxu6_!~Q}_G_Y$TIVJzI_qaECjd z=%D35IO?_B9`j+0b2d(*z8CeN=tK6PkywKIX55JnQ8~2au(fvv>5%99;E3H&5tVGQ 
zsMqC29Dq+z4R<_hTlJT?hkCJNHqsZUoJn)s?(c${(v_$wI*eLXH&Mx%`-HXE3o~l{ zFQ?F#6T4B%tnf*ajAS{D3R%N5mNcVLBY2LQLki)007p|le<{TG zAvXTWI`kQ8?nj|^z!|9hi!?G2d21g%QEgd>tE}9HV4$eCe#Cu;(mOD z8p)cU?fiGxmijsL@qZCF?31kUO-r)ns2#4=ElbwVQSDB}U~;?TJ8%HU_updu>qn}R zw{7m*}7XPjvOUsE#jn^@FG>J?)HlzISH0Yv&_93hG%j zD$85rX`F>hp7!@_YW~3#j5zQ85Z`i+mx{MJ{TY?*=^j`Ii{muvRq!}oz@oU|p+)ix zYN~Ida>`5g$Qr7I3e{lLluSdd_qF&jZpW$U|J53p?%a#|2z`obu;ycn!!Q zUo>__CE+G4jgL*wm*c68pfxIKhN3#M6ieU^=Tp@3$^M&tLVbr-s26=^zwzjg+6U%8 z5Ai+0$5@|beED}Dgu*H+5a`F zq0OkCpF}+<;$QoLr7kLWHsK%m5MScWxAqP>|ITvb9WLW|()ZThdh`x*;3x%ckrV%8 zoswifq8dyQ;txKkIw~@qu{MrGU4IHSr)mBE;MCPab*vvM$!6j#+>aVilYl>%>@lc; z4G;Le;7>MFIiMR}qxR_Rq5j~AyE{jrR>=bV1=phiPr;{lTy5 zjHsP(9;zd!QO~)X(DVDWljTk15B_$lCl(CUvKm-0gyh3B)Yqr?`+8Czn!!f$Fr!`f4{GX)XY%_3SP?aVs;CG> zqXy6nH){PaqOgyR;^PnPhU6dlgF9C$+|Pw=F*Rn*VpC8A)nIpLENUMZh??VXQ4czV z3i)|dN8Y3E^Jlg8l3+%y|Nl`?_7=y{*cdf}%h(U^ppvvnxIg%XG!Oqrhp%9Lj=#!o z52%*I9#9i?e?8PPZh_@+nmc~V9sdbEU6?$l-IyNLk&jS4FOT}2Z47Ee2T|9bb6&&T z)bF8o%A~n$%8FtLQ&SI>WDRoL{hhEK_1@S7&*x_StB@;?&B+kdD%g*`FnL~o@LO;& zs-YdIj-0>=cp25bm3k{l4t@5H%G^3wU;6>H>CSHq>7> zB2Xb8j%sK>YL3sNz6nG5X+j+@fr`i^%!IR1S-t_)k&CDY-@(oJpF6&}kVSZ}M_~-1 zdWsrRpTaice^AS>RHRKoM^uB~qrQ%hq0WaEv5pl+b)*w&WS^os-XAqJV^AGg=RAd) zV(&49t`ssBwGn%$2OUI3;vA}>EXDl3_85Ums%bbCkK%M}QrsW>q>9J()LWIXT-c4; za<5`6K0|f1ZOPzr^?cna=mE=6Bie#Zh{#RUNQ#!W2FjpvpgyXD9Wfimy7~-M!;4WP zUG3_}-1!Tr<#`J~ru{#I=UIPIWv!uls0a2&Jz$Wlk8$R8m2e1T*JX5OMnx_hHS$WR2h~SKvNa~gPOk3t zqM!%&a}IZoM>Rad)#o^uIM+D0I`=q_IWIVWMzs^~{1ugqzabIwe1W>wg1J5)z*x#I~NSUnYLLn)2X*bw#dT8R3RdWipFnTG!0Z`aB+vIiGyYy+u= z<+c7BP|!%GqIx#ZU9ig4x1k<%*m=_(e}g$Vp0J4}XMR+NKSm{6A6FlP8u=P5jGIuA zyn~+B`)?HbVzH(c+HX)vbPo%W{r+awfym~zI-*e<&_UEl{VipRoRWaNraN)Z-GZ?7_8A5$T2%u@7owo3JbXgqo7_t?j@9ZW6QID8`i%bFr5Qh@8?kKJXu?NU?EiK8=-cro~Y0r!j^a* z+hhKAwna}yb?gD^J0V4TYo`(_DLdm#T#OoU5wC-7xlyQ4PC|9y25QdUqau-@qt#QQ zHlFmTP_{#zKZi=Xw=zGxQ;vy=dFI_!tj18n1hH3rBP*8)zQ5TNE zW%v#1!O=baK7R=BZ&WCo_2Ne}KU*lq>H5$7!CyqY!@XQrDb|wieQ)bX+CCPkGN`S$ zDQb&vi^1>zDHPO!m8b`iID(mPaLV 
zLuU-?zR%I?L}4n0XZQk#;+=jrhpqeD2&SXnX4_H8bpaLH`#22)1MDMq7AluA4zeAu zE$X@!ah6+yP|q8W`tEoV$NJZS^n>jqatLa~$%a@DGonV89TlP6sAMdJTGyYVemedf zb>9J;!W5iEy{20YvjHU?ZugHvg?=jP{13xf|05{GjIa^@ij}D+;J89m12xADT>S*9 zBNtJt<2tIrWFxHuWiWW3vw`yyXJ@R(^`D{I+2c`ANDrfy*A>*dOfkxi??ff#No<2p zQ4g#=+J4~>huYaver}Ozgt~4f>bl=C9I?FS+n* zoQvfqSY&=gz112{w2kL0jG>_im{P|l+x;C-0~m=)wwyn)BrQiw~k~*Ps=HvJJ17lK|j2ML)`IJU)u35s7UofMPwLi zL=&+z&O*KYPP^l;QP;i47)-Xna%v#zr{_Nwu>Q3X)Lv*C&Hz-luR%3@3iZIB-0^tK zM?KLZ%ZVbWDVl@o_$}0c;!z#S^_BgCqOEf*DzfWP8`_btSigNK{K5hCw8>(7U)PokH-sj6uBff!paOe`dJ_?m&4NU@UrxmRrMv zPz{ekEwjn4{w-=x-;A1yKT#b?w89>g7L}Y$P&?aY)H=_#(gs!=wJ(ft_3fzke?>a( z`4WF)4OT_1*ZQasO+oc^8)}5NQIX2D%C_FRsE&-lZ8#aHVdd2}kn{LC^(&}Pw^nQH z=ZdYUeWmiZ8j#0aQqWep7S-T2)Ovk@>d;$Ml9gF&As_9Wf{NH&SN{ri-zs-}kERLmY#V8*IbajxDLb!+zL&qs`?hR0IA^{@{N%m=cpw zFTL6COMp=rinUSK)yG8G8dG3rcf8+bzZd*_-bfDQ;>2xCj0v__Ln%S)+jfABA+S+;t9-wzxp!-1yw2P!-3Z1ejX zVGQa)d(e+ZP@z4JdeD!kDTv1p@DEfD1h!iTGGTq{V{fB*!9Cv*FVIHm~6LO@2HN9Kuy6zR69xcm{m~i z#UTUpeD^6tb0B)JKloSgS*YLjoWi`AaG#C5Fe-#ou_&%Y&FNKahk^ZeeJ50;rl9uv z$EfQA2W-`p#Mac?VtTFrA1J7yAD!<|4dy*)b2|Y8)aRpeU=fzXC8%Wm8I|?-QOoTy z>be)G<@y?xyb*`&cp21`m&b%W-xo!p0M^0GA^a4J+M#A2whNzQ6!kwb9Lpc!k5t$O zKf-CK5UJ<)ikRoq<|*4^YYa2P%0J9Ao{f#~CRoE3={^Q4aMJPghjPdmOhL zN1^I7P#s@``avV#30oEAQ0-L5Y}f&n{hy;AcoFZ@?gKnX{nRPe{~-!roVFjK8lACZ zn(e%ZYB21q?T8Vm5!Aw}*a8*Gg_sJLyYt(ehf&`Fm#`UraL!&*ol*P1)^nciQ2RL0 zi36um>p$|mJ+MBi;U1{vGX%BHSD|*c?WhPGM0M;E>i+xgc;JF9!*rOQ<26w4nl`9* zCVLbjD13=ZmgA_o^8aWdOO17?=ft+y8+F||)JJNPi?+;iqwb4Fg}Mc5ggsHKU=XSU z(=iXO!dUdqQ7A{D(j^?)3$?t?qUQV(*1`-|ZG`PnBktw& zoHJ2Vvl7$dPUmTN{1;54G=4=vbDZd!-H;Krhv#?o%BYAmLapOgm=(LCMmP?GIe=>C z5^7n-qe36JZe~Vxqy(zNwK0>HQ5yZuY zWplEJ_7{vys2j(lLVXx@{%2I^enrjgKd1+%d1UpxsOzfWhgcsKff&@zIR@3ZR~=| ztxc%h@qVPBp1efXqwk|9)<6~1gIZw`9D^lr2kL=OQ5#8_r}ld7fVyrrDzryYQ*;^i zz;~Dvv;Jne6@?7U^L3%1q#BJQaT99!6nSPlUwv#ueIY8e&ro~*TU3WbpW6uYqVB7S zidYv^){n-DI2*(9B9_6|cuea*;&;EVBM07~z5!dlurHmBs1V)9X&Cy_A~hS;p?%l^ z!(Q3k_eX_zDi+48sK_RMZ8=j6$5M|%MeZbq@qFJ)cR_+b?85Y@5avN`M5XWz*2P;G 
z^~UczfI0rO2gaisjQq={t_3!r-WN5}L#XBZ4mBku|F(#=L9aUphEdQB@wi_X{9`Yh zKk*Cd&HlBH#iK(029*OJzBRj{vU?jUyHBGca1WIeY2MjXR>vmPXJ9Bkc*pwJ96jNH z=Jp+`fn@Lb4+tXT$=3!~<1ADI<^Qu)Q3b10uZP+{W@A~rhcz(^A8=YdU9lhb zL%l5@`n*7JdA#AkQVygG2?Ud82dZNiQG0bfCc(c@Q{(pseAzJ!l_Mok%eN^e#TZnQ z4nRG4IO_UI7>VmqJLN5pg4TPfKp?oWG{S_`JE1}xgIdQsQLE&lGbA(+%;v(V4m3bL zpf?u4S?>HkROIfUI+i|x4JaFGfL?J5dSDII$m*h&Q5)1U8j9gKAN6wj4mCyZPz|I_ z7zlpApWj(3d-_4sFyJ3p?Qh)Z49g(m?Q|a~$fro2aCFiOPwPWC34mt^X7h zx?oQni5E~w*C@G-unVrF-V2p0VISDk6vFz{Yoj8x02Q&-sFCi%TzD9@Y#*Zrm?DLl z6+IdoT(9>)6Dg}yX)ARTIsbDFK~ZO(h3A{B?aek5w@W_a$zFR115D|TY*OPkI@9hcr##cb57IF60*0xFquX0Y?c zP$TMw%7sB#1jnN8+liWz{mv_>fqTy=d`=;d(QX{?oP)YyIcf^NcOG-+FQFQ~i%Pa9 zs1g2&T9*I0dcsWBu@tB&%z_b^5BKW*--3cdp5a4#&_}3xek_WSsO;^8+K|Sh=5hsU z1iMfjID-oLH7tyo{%89@G-?NIg#&R0Dv1+kR)<)BIVmV)g;6h+3aE{!D(1z3s0S=T zZB%PftL6YI5l;qB@>Am*rArRD^0^E9``t z@_o5HTi<6mplpAH3iW^Pf)u#}zADr+qdL?U^`ID32xGA(4nbXa5OsfO9((zuL3N}8 zsskNR-w`7)3@3OLl+6oK8_h;k5}ibKC|}+{@JFf27@+RUXLA^e%Hrgxxy|dWirT_k zqmr~gX2aPy5_jMnER{bH{GE|^hQfLdgch(KZ@~l9Z=goBxL_do^Zy;(Ouc3y%ay-T z9VigtrVh32nxFYpPy>z|^o3#}9g{-Bc7qo8%#606~0RQB&dy;T0hA{bfO?1-1C&qg)evx z4wZCcP#e%REP#tqTlz^Xh%d1+X02)w^4e3F&VgxI0mG}=#?TfO$~mYnp_Qly9>St{ z9@Vixl)WoTpq5`VY=}d#BA!7FFnM+BU_n$nrL6Axq9`=sKz+=JD^N+Z2Nj7IsBA7! 
z!)RK+v-Sz`XKqAGZHoD)tzlHiuwRl2fvp*-*=vZHl7ElhF_v0 z@gL^LjI}M>tD%--7gUHpbM8lNG+}itNy}hu>M^L~-i~T7!N+zy3o61rF!=rd6$Q=R z9#lhjQK3pw*M6j`ih7?fKwWnel>`2I`~-s~Pz}z+#&{IJzz^%&j<*J*sh>k7W2Od{ zGgTU}{%3NaqYkhS{DE3d=^I&ya$;fXWid6zph7$h^;(^Q3h{R58PxspsE)is?E^I% z+wp-Id^x%LlE$7jyq*L4lG%rv^Yf?&{)`&&Z>Tv7YhuUqqF%>kQBzV8m25S!BsRk$ zIMtoshoz_=M@_M>spZ@U9tF*PT2u$ZaS9eejbJaTp|ECw;NJnFP+ReIR4C`8IQR%UC^|Jjc_z-i=B;HemhVNXKrabSQ8AT z{s}6%+F^E#Lk(mhYO2;b51?}BGHMDkeG-hQ=POP@Up%!jAFjbPcoFsbeTWM&w3W@_ zQs)K?u751S`J<=}>n&>J$y>YShzqDkq9S$5c?k<@{okaZ_jA%V_Ik|bERGsUP1M}C zKuyJGSPqw>?z@3%_!ZW~x2Wr)+FB$BqB=GKi{X6Kl%K}n-~X?=19wpkJktp**)9Q&abM zvXQ67FzUHb$yM4NZ-yF4H`Eu=LTrKGqgGFv&bI8bU~%eoQFA{UwbLF!<;LmGtbaY= z7Y=m9*QnQO^Dfq4KU8j0!pqR-q10VXumPSxCEJIw7NH*4mHH;E zjv0E}uWH($BDogT&TiCzk0TqH=ZmMHZ?q5k*oi!ti5^B_2adPxYaQE~G1L8$ZzcZ%QFQ7j!~p{}-q|e<_y7BdDJH z2iV9`pr)n?>UeilWcp(hT#Q5%DC=J*J{}hE zoy5M_6Dth2Ww{0wvNNa%-N%;r1i!-SBW(TO!$j0mvYeIG8BiNjVa$&8P*d9nHIUCy z1D)wn&`vfFTjMFz+br)$3w0G#4zxqf=^|{7TTmNG(ovR7l~Gw8i`s~$xcX|;-hTx3 z;Ga;DzK^=@nMXlcoOHA$MNZUKIu+IP2e<>1d~RPt`*8*J-|--;WX>2Haf@;GaoHQo zaDF>#K+kaiemvefa1e7+zkqtK_lANlOf|tm`zb2vj-f8dGtov?1r>p|*ckhxvi~^h zftOH`N-@bIS_ex~_fV1Af!ZOTqV|_WlY=?r`O;C)++@c}SR56a{;2Qt>8MCt!maox zZo;)wEH_$DwYltv>UbP#*47)fWNZa-4!1SmZQKjmL*au%Q2SEBmUAL5<`q z)N;Fyn!CSH4JVpzkqATOLSEFIj&x2!Ez8-cNPUG$;uol7Pdvl!kHEw{-xoze*;p6* zVk6Y+@dzrbucJbJ7q#r3Ise7#)DzFN(AGnp?|~ZeKvZ(CLQTQX_!?8svgak7&HC5d zE*S-FtyxebER0$OWl=$?u@u&sV-fuvhf?2< zX|ViU)_+zC4d&XO-5Zr;^HB|NKy_$4Ccyou7eqLsSm@sdcZ=r=D*SNRJ9#9xQ+@um_GoCDSt;j9tI9*YO=x$o&hf11V9tlE+yR z)zRuW0N10g&#}-V9O+TW&4Fm#kG)YjQDjjd_)ju6qe8XxEBol&hWf$dcjs&LQ~wK< zEB~UFU0|{OrL!!)WS`i8is;u%?Pa$bhfwz}Qc#HMeQnv<9u>lIs0L@Crszx5)O?4E z*f~^IUqUtf#Q74{-rtxRlP$Bz%c4wZ+e0&-#y|u#E%Si2laHn0$kEq&#M${s}5+hM`6>8WpKYmH#NFA-;;5vZPyVHKfC%)Qh5)@!uW=jqDw2P6J!*#0RK`Q==Npfx51UtCvDu zUmZ1o`lzXEjgN5%YU;XdvnlF@n(A?=cgsxFd2f{~Y(TvOwxdFK)YTuMM({UAVCZ%W zeK8E~;iynHKy`2o7Q{)I6?eMxS8y`*WIF=E|Ba}5$UDU2f1}NQP^gKexnK@f#C~$3$BHYutg&_$eoL 
zqBfLV-&-;^!}iq2VGVqU)iL4+`&jLdn(I5L<6*lk7h0e?vJmwaT#K5rd+zve7|Qc~ z?c94ZpSQByPqHAQn!t6?W9SN5S+#Rb${Uq|J{1JrU0-D|5M z9CK3dfu54(3kph#!TW4EeS!I@@4$Tc3#x%+`^`M4y}cTKf$dRK@ElvB|A1|^tx>tt z6V=gysQX5sreNU#*1tyhH3w4QH}1rC)bSr&eLresM^V?EL#>KisK`7;h4z*69cpYM_L>u#&6SLUp7OY6Q(uH@0*2F7EuN?s#9+oX4S7 z#{|@lxd_$%R&0cOP|2CfJ7f(;qUNk57RIWm8~UPpJ`6SDv8cJ5h3d#I=U!At52M;S zfx7-D%#HW3J0?AB?e;_cgyapUpqIuXR4BJ$a4U6QKz;i?M6K)GN36ldc%1qWJciYd z+5?jvvkqiJy;E|bk~SI@nNOTCNN#w(ArzE6W1aKe1#2;!<3FGpx`9ek-*KC=bf}JJ zM@6bE>bfY@K)R#$i&)h1oQZmkA4cs5xA8lz|ECl*x8Izw2W&t^;1CwTYgh*poV1;; zA!@H5i<-mZs1QHGN|^GLEzkO>>-u0YvKWjk>UkHiFwgg0qo9V8oVE=lA1YL_s0%&R zT#iSr^EvMPDpYRlL@n3-s5yOtT6Rg#*of1iUel4Nc50(mQ493cKsO2z*c-KMmS9m_ zj+*n!sI570)*392;nbVEdK@YOv#>6HkLp0;bM~c^1{L~fR0KMsrfkSL*1tkCh68dk zsv|S8J{~~LRqFG$5oJNuYoR*c)YaRfRz*+L2&ZEVE=KK?NiJCA3ZNoe0mHHG1=fFI z3ZHQxFD^zs;20{|E}?q*E2@L9P$T)r)zkfG*Jnm0Sw3u!t*|HVMs*adxx$b~^P!H6IdZR9!gW@h&zoX{X|C8$o=A)huwE;Cowc8Cf zpje!QV^HmQDK7_nM<`@Nh3+913*k>O*qVC2tCn2jur$XvqayP7nl<!Lc++}Y0beBCH$nZ=@Zw1ueT`5G08b*QA=ifUk|JHHP#!jq^C=9a5J zN99J~XM61?$I;ZIur?k;ZOLIbl(ekBd=%7B15}SYqq4Lw*2M{!jgenQ<;q_-?LQ#M zd&?R+kLtiftf%v+WmxmJb)YK_q`nw+UAj9qpxlz@`|?xJ$RjX67DsicovZglg>W(c zjjOROF8jp{xoZu!N4=&yV=o+u&G0u=dr|l7C#Dvt2#-Kd4Nat=kUc_mmbXzGKp5FWxM_yW^0MKd1SH{Pm8wsGA>y<1ZLYTt_4QAs@#tKiLF zS^v2xWPNNSt&aauk3oef=81iZ4Zv{fU!bymqjN9n6YC5rsh(hPIX<<$KQor+css0! 
zi%=c<85OB#9)&IxB7U=-X*TMuwgO{uH%`EU&+NwSn49`>49DlF5T|->zf#SNI==ul zg$GcfzJdBa_!YGeJVSNd3;b>;vf&~Q;EcGmm95QRpZn2AcZc+`|6ePusRN22DsKStp))PC_0 zHPSS%?VV8;m6Sc4eNag^7?q66P?1`L8t8URuJzyO4_lY*P@(FLn&aWFJ_WVzzeI)f zggbv9wVq$0-j1Pf?APuUupIRzsOx`5b>s~yr?UQO9mI32gCdTA{SxD1iIQ7z~DQSrcaV%=8K1U_l9BhxPQ3FfzwrBE zvrwq@uie-U^?;$y@u-f>LS^qER1O?RJ?MkC_S>#(*o}G%R3!IfWxR_Dd5(9sLq?#c zwkWE-D(_hT3V96<=)zCki8u_WJ{+}SEJjVmzoqJDHcjuH3^ zDo0ZNXMb|ZhFW&bPy_Gpxxy?|NVi~4yop+d`gabom>h@WFw`>p2OFXJU!}$C{%;3Q4#5m zkvJ9gz`f2RsEC|KJ@7|Vd)HB~^ZQs9U!o#eC_!j&@Ba#`>3w;dLQ_uUNEjOYYxQ8% z12$~EHmqH8|AmmPWhYil>E{b%$oz=J{=SK}e!Dbm!o0hqLbA^Da)cxumoH>TK7YUQ oNsARK8W~=sMA>3x<_+KE&oFP{Cjah`lH*%!_U~-5Ip8(@Kg-w+q5uE@ diff --git a/lib/Baser/Locale/eng/LC_MESSAGES/baser.po b/lib/Baser/Locale/eng/LC_MESSAGES/baser.po index 1ebdff731a..f31493ec5b 100755 --- a/lib/Baser/Locale/eng/LC_MESSAGES/baser.po +++ b/lib/Baser/Locale/eng/LC_MESSAGES/baser.po @@ -5,14 +5,14 @@ msgid "" msgstr "" "Project-Id-Version: baserCMS\n" "POT-Creation-Date: \n" -"PO-Revision-Date: 2018-03-20 15:39+0900\n" -"Last-Translator: \n" +"PO-Revision-Date: 2018-04-30 01:46+0900\n" +"Last-Translator: ryuring\n" "Language-Team: baserCMS Users Community \n" "Language: en\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=utf-8\n" "Content-Transfer-Encoding: 8bit\n" -"X-Generator: Poedit 2.0.6\n" +"X-Generator: Poedit 2.0.5\n" #: basics.php:772 msgid "baserCMSアップデート" @@ -5471,7 +5471,9 @@ msgid "更新に失敗しました。入力内容を見直してください。" msgstr "Failed updating. Please check entered content." #: Plugin/Uploader/View/Elements/admin/uploader_files/index.php:23 -msgid "アップロードに失敗しました。ファイルサイズを確認してください。" +msgid "" +"アップロードに失敗しました。ファイルサイズが大きいか、許可されていない形式で" +"す。" msgstr "Failed uploading. Please check file size." #: Plugin/Uploader/View/Elements/admin/uploader_files/index.php:24 diff --git a/lib/Baser/Model/BcAppModel.php b/lib/Baser/Model/BcAppModel.php index afce46e3c7..6b564e92f5 100755 --- a/lib/Baser/Model/BcAppModel.php +++ b/lib/Baser/Model/BcAppModel.php 
@@ -1749,5 +1749,23 @@ public function sanitize($value) { return $value; } } + +/** + * スクリプトがが埋め込まれているかチェックする + * - 管理グループの場合は無条件に true を返却 + * - 管理グループ以外の場合に許可されている場合は無条件に true を返却 + * @param array $check + * @return bool + */ + public function containsScript($check) { + if(BcUtil::isAdminUser() || Configure::read('BcApp.allowedPhpOtherThanAdmins')) { + return true; + } + $value = $check[key($check)]; + if(preg_match('/(<\?=|<\?php| [ ['rule' => 'numeric', 'on' => 'update', 'message' => __d('baser', 'IDに不正な値が利用されています。')]], 'contents' => [ - ['rule' => 'phpValidSyntax', 'message' => __d('baser', 'PHPの構文エラーが発生しました。')], - ['rule' => ['maxByte', 64000], 'message' => __d('baser', '本稿欄に保存できるデータ量を超えています。')]], + ['rule' => 'phpValidSyntax', 'message' => __d('baser', '本稿欄でPHPの構文エラーが発生しました。')], + ['rule' => ['maxByte', 64000], 'message' => __d('baser', '本稿欄に保存できるデータ量を超えています。')], + ['rule' => 'containsScript', 'message' => __d('baser', '本稿欄でスクリプトの入力は許可されていません。')]], 'draft' => [ + ['rule' => 'phpValidSyntax', 'message' => __d('baser', '草稿欄でPHPの構文エラーが発生しました。')], + ['rule' => ['maxByte', 64000], 'message' => __d('baser', '草稿欄に保存できるデータ量を超えています。')], + ['rule' => 'containsScript', 'message' => __d('baser', '草稿欄でスクリプトの入力は許可されていません。')]], + 'code' => [ ['rule' => 'phpValidSyntax', 'message' => __d('baser', 'PHPの構文エラーが発生しました。')], - ['rule' => ['maxByte', 64000], 'message' => __d('baser', '草稿欄に保存できるデータ量を超えています。')]] + ['rule' => 'containsScript', 'message' => __d('baser', 'スクリプトの入力は許可されていません。')]] ]; } diff --git a/lib/Baser/Plugin/Blog/Controller/BlogController.php b/lib/Baser/Plugin/Blog/Controller/BlogController.php index a742a27208..ec954d2c3c 100644 --- a/lib/Baser/Plugin/Blog/Controller/BlogController.php +++ b/lib/Baser/Plugin/Blog/Controller/BlogController.php 
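Review bot: `containsScript` decides on the current session (`BcUtil::isAdminUser()`) rather than on the data it validates, so the same page content passes or fails depending on who saves it, and the rule is a no-op wherever there is no session user at all; that contract belongs in the docblock, e.g. `@param array $check CakePHP validation payload; the value is read from its first key` and `Note: outcome depends on the current user's group and on BcApp.allowedPhpOtherThanAdmins`. The docblock also has a doubled particle, `スクリプトがが` → `スクリプトが`. The `preg_match` pattern is cut off in this view, so how completely it covers the tag forms it intends to block could not be reviewed; the method body continues past what is visible here.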
@@ -307,8 +307,7 @@ public function archives() { $data = $this->BlogPost->User->find('first', ['fields' => ['real_name_1', 'real_name_2', 'nickname'], 'conditions' => ['User.name' => $author]]); App::uses('BcBaserHelper', 'View/Helper'); $BcBaser = new BcBaserHelper(new View()); - $userName = $BcBaser->getUserName($data); - $this->pageTitle = urldecode($userName); + $this->pageTitle = $BcBaser->getUserName($data); $template = $this->blogContent['BlogContent']['template'] . DS . 'archives'; $this->set('blogArchiveType', $type); break; diff --git a/lib/Baser/Plugin/Blog/View/Blog/smartphone/default/posts.php b/lib/Baser/Plugin/Blog/View/Blog/smartphone/default/posts.php index d8e2f8a638..42f9a0b21c 100755 --- a/lib/Baser/Plugin/Blog/View/Blog/smartphone/default/posts.php +++ b/lib/Baser/Plugin/Blog/View/Blog/smartphone/default/posts.php @@ -29,7 +29,7 @@
  • - Blog->postLink($post, '' . $this->Blog->getPostDate($post, 'Y.m.d') . '
    ' . '' . $this->Blog->getPostTitle($post, false) . '') ?> + Blog->postLink($post, '' . $this->Blog->getPostDate($post, 'Y.m.d') . '
    ' . '' . $this->Blog->getPostTitle($post, false) . '', ['escape' => false]) ?>
  • diff --git a/lib/Baser/Plugin/Blog/View/Elements/admin/blog_posts/index_row.php b/lib/Baser/Plugin/Blog/View/Elements/admin/blog_posts/index_row.php index 25b60ccf04..9488bd8067 100755 --- a/lib/Baser/Plugin/Blog/View/Elements/admin/blog_posts/index_row.php +++ b/lib/Baser/Plugin/Blog/View/Elements/admin/blog_posts/index_row.php @@ -34,17 +34,17 @@ BcUpload->uploadImage('BlogPost.eye_catch', $data['BlogPost']['eye_catch'], ['imgsize' => 'mobile_thumb']) ?> - + ', h($tags)) ?>
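Review bot: The new `['escape' => false]` passed to `postLink` sends the concatenated markup through unescaped, so the title inserted via `getPostTitle($post, false)` is only safe if that helper escapes it itself; with `getPostLink` defaulting `escape` to true elsewhere in this patch, this call site is the one opting back out. If `getPostTitle($post, false)` returns the raw title, wrap it here: `h($this->Blog->getPostTitle($post, false))`. The template's HTML was stripped in this view, so the exact wrapping elements could not be confirmed.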
    - BcBaser->link($data['BlogPost']['name'], ['action' => 'edit', $data['BlogContent']['id'], $data['BlogPost']['id']]) ?> + BcBaser->link($data['BlogPost']['name'], ['action' => 'edit', $data['BlogContent']['id'], $data['BlogPost']['id']], ['escape' => true]) ?> - BcBaser->getUserName($data['User']) ?>
    + BcBaser->getUserName($data['User'])) ?>
    BcText->booleanMark($data['BlogPost']['status']); ?> diff --git a/lib/Baser/Plugin/Blog/View/Elements/widgets/blog_author_archives.php b/lib/Baser/Plugin/Blog/View/Elements/widgets/blog_author_archives.php index 17a9e45c41..2e08184de9 100644 --- a/lib/Baser/Plugin/Blog/View/Elements/widgets/blog_author_archives.php +++ b/lib/Baser/Plugin/Blog/View/Elements/widgets/blog_author_archives.php @@ -43,13 +43,13 @@ $class = ''; } if ($view_count) { - $title = $this->BcBaser->getUserName($author['User']) . ' (' . $author['count'] . ')'; + $title = h($this->BcBaser->getUserName($author['User'])) . ' (' . $author['count'] . ')'; } else { - $title = $this->BcBaser->getUserName($author['User']); + $title = h($this->BcBaser->getUserName($author['User'])); } ?> > - BcBaser->link($title, $baseCurrentUrl . $author['User']['name']) ?> + BcBaser->link($title, $baseCurrentUrl . $author['User']['name'], ['escape' => true]) ?> diff --git a/lib/Baser/Plugin/Blog/View/Helper/BlogHelper.php b/lib/Baser/Plugin/Blog/View/Helper/BlogHelper.php index 26d6012013..84d723c975 100755 --- a/lib/Baser/Plugin/Blog/View/Helper/BlogHelper.php +++ b/lib/Baser/Plugin/Blog/View/Helper/BlogHelper.php @@ -219,6 +219,10 @@ public function getPostTitle($post, $link = true) { * @return string 記事へのリンク */ public function getPostLink($post, $title, $options = []) { + $options = array_merge([ + 'escape' => true + ], $options); + $url = $this->getPostLinkUrl($post, false); // EVENT beforeGetPostLink @@ -471,7 +475,7 @@ public function getTag($post, $options = []) { if (!empty($post['BlogTag'])) { foreach ($post['BlogTag'] as $tag) { if($options['link']) { - $tags[] = $this->BcBaser->getLink($tag['name'], $this->getTagLinkUrl($crossingId, $tag, false)); + $tags[] = $this->BcBaser->getLink($tag['name'], $this->getTagLinkUrl($crossingId, $tag, false), ['escape' => true]); } else { $tags[] = [ 'name' => $tag['name'], 
@@ -563,7 +567,7 @@ public function getPostDate($post, $format = 'Y/m/d') { * @return void */ public function author($post) { - echo $this->BcBaser->getUserName($post['User']); + echo h($this->BcBaser->getUserName($post['User'])); } /** diff --git a/lib/Baser/Plugin/Mail/Controller/MailFieldsController.php b/lib/Baser/Plugin/Mail/Controller/MailFieldsController.php index 7051162f08..216a572e6c 100644 --- a/lib/Baser/Plugin/Mail/Controller/MailFieldsController.php +++ b/lib/Baser/Plugin/Mail/Controller/MailFieldsController.php @@ -63,6 +63,7 @@ class MailFieldsController extends MailAppController { */ public function beforeFilter() { parent::beforeFilter(); + $this->_checkEnv(); $this->MailContent->recursive = -1; $mailContentId = $this->params['pass'][0]; $this->mailContent = $this->MailContent->read(null, $mailContentId); @@ -73,6 +74,27 @@ public function beforeFilter() { } } +/** + * プラグインの環境をチェックする + */ + protected function _checkEnv() { + $savePath = WWW_ROOT . 'files' . DS . "mail" . DS . 'limited'; + if(!is_dir($savePath)) { + $Folder = new Folder(); + $Folder->create($savePath, 0777); + if(!is_dir($savePath)) { + $this->setMessage('ファイルフィールドを利用している場合、現在、フォームより送信したファイルフィールドのデータは公開された状態となっています。URLを直接閲覧すると参照できてしまいます。参照されないようにする為には、' . WWW_ROOT . 'files/mail/ に書き込み権限を与えてください。', true); + } + $File = new File($savePath . DS . '.htaccess'); + $htaccess = "Order allow,deny\nDeny from all"; + $File->write($htaccess); + $File->close(); + if(!file_exists($savePath . DS . '.htaccess')) { + $this->setMessage('ファイルフィールドを利用している場合、現在、フォームより送信したファイルフィールドのデータは公開された状態となっています。URLを直接閲覧すると参照できてしまいます。参照されないようにする為には、' . WWW_ROOT . 'files/mail/limited/ に書き込み権限を与えてください。', true); + } + } + } + /** * beforeRender * diff --git a/lib/Baser/Plugin/Uploader/Config/setting.php b/lib/Baser/Plugin/Uploader/Config/setting.php index 5459bdf960..03d973d654 100644 --- a/lib/Baser/Plugin/Uploader/Config/setting.php +++ b/lib/Baser/Plugin/Uploader/Config/setting.php 
@@ -24,7 +24,10 @@ 'url' => array('admin' => true, 'plugin' => 'uploader', 'controller' => 'uploader_categories', 'action' => 'add')), array('name' => __d('baser', '基本設定'), 'url' => array('admin' => true, 'plugin' => 'uploader', 'controller' => 'uploader_configs', 'action' => 'index')), - ) + ), ); - + $config['Uploader'] = [ + // システム管理者グループ以外のユーザーがアップロード可能なファイル(拡張子をカンマ区切りで指定する) + 'allowedExt' => 'gif,jpg,png,pdf,zip,doc,docx,xls,xlsx,ppt,pptx' + ]; ?> \ No newline at end of file diff --git a/lib/Baser/Plugin/Uploader/Controller/UploaderFilesController.php b/lib/Baser/Plugin/Uploader/Controller/UploaderFilesController.php index 49159bb672..82f488c319 100755 --- a/lib/Baser/Plugin/Uploader/Controller/UploaderFilesController.php +++ b/lib/Baser/Plugin/Uploader/Controller/UploaderFilesController.php @@ -76,8 +76,31 @@ public function __construct($request = null, $response = null) { public function beforeFilter() { $this->BcAuth->allow('view_limited_file'); + $this->_checkEnv(); parent::beforeFilter(); } + +/** + * プラグインの環境をチェックする + */ + protected function _checkEnv() { + $savePath = WWW_ROOT . 'files' . DS . $this->UploaderFile->actsAs['BcUpload']['saveDir'] . DS; + if(!is_dir($savePath . 'limited')) { + $Folder = new Folder(); + $Folder->create($savePath . 'limited', 0777); + if(!is_dir($savePath . 'limited')) { + $this->setMessage('現在、アップロードファイルの公開期間の指定ができません。指定できるようにするには、' . $savePath . ' に書き込み権限を与えてください。', true); + } + $File = new File($savePath . 'limited' . DS . '.htaccess'); + $htaccess = "Order allow,deny\nDeny from all"; + $File->write($htaccess); + $File->close(); + if(!file_exists($savePath . 'limited' . DS . '.htaccess')) { + $this->setMessage('現在、アップロードファイルの公開期間の指定ができません。指定できるようにするには、' . $savePath . 'limited/ に書き込み権限を与えてください。', true); + } + } + } + /** * [ADMIN] ファイル一覧 * diff --git a/lib/Baser/Plugin/Uploader/Model/UploaderFile.php b/lib/Baser/Plugin/Uploader/Model/UploaderFile.php index f0dfca8967..6c136f35ea 100755 
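Review bot: `allowedExt` is a bare comma-separated string, so its consumer has to split and normalise it; the comment should state the expected form, e.g. `// lower-case extensions, comma separated, no dots; compared against the uploaded file name's extension`. The list omits `jpeg`, so a `.jpeg` upload by a non-admin will be rejected while `.jpg` is accepted; add it if that is not intended. The comment says the list applies to users outside the system-administrator group, but the model hunk later in this patch keys the rule on `BcUtil::isAdminUser()`; the two descriptions should match.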
--- a/lib/Baser/Plugin/Uploader/Model/UploaderFile.php +++ b/lib/Baser/Plugin/Uploader/Model/UploaderFile.php @@ -36,26 +36,6 @@ class UploaderFile extends AppModel { 'name' => ['type' => 'all'] ]]]; -/** - * バリデーション - * - * @var array - */ - public $validate = [ - 'publish_begin' => [ - 'checkPeriod' => [ - 'rule' => 'checkPeriod', - 'message' => '公開期間が不正です。' - ] - ], - 'publish_end' => [ - 'checkPeriod' => [ - 'rule' => 'checkPeriod', - 'message' => '公開期間が不正です。' - ] - ] - ]; - /** * 公開期間をチェックする * @@ -78,6 +58,28 @@ public function checkPeriod() { * @param string $ds */ public function __construct($id = false, $table = null, $ds = null) { + $this->validate = [ + 'publish_begin' => [ + 'checkPeriod' => [ + 'rule' => 'checkPeriod', + 'message' => __d('baser', '公開期間が不正です。') + ] + ], + 'publish_end' => [ + 'checkPeriod' => [ + 'rule' => 'checkPeriod', + 'message' => __d('baser', '公開期間が不正です。') + ] + ] + ]; + if(!BcUtil::isAdminUser()) { + $this->validate['name'] = [ + 'fileExt' => [ + 'rule' => ['fileExt', Configure::read('Uploader.allowedExt')], + 'message' => __d('baser', '許可されていないファイル形式です。') + ] + ]; + } parent::__construct($id, $table, $ds); $sizes = array('large', 'midium', 'small', 'mobile_large', 'mobile_small'); $UploaderConfig = ClassRegistry::init('Uploader.UploaderConfig'); diff --git a/lib/Baser/Plugin/Uploader/View/Elements/admin/uploader_files/index.php b/lib/Baser/Plugin/Uploader/View/Elements/admin/uploader_files/index.php index a13f97b1af..2c7ed62d82 100755 --- a/lib/Baser/Plugin/Uploader/View/Elements/admin/uploader_files/index.php +++ b/lib/Baser/Plugin/Uploader/View/Elements/admin/uploader_files/index.php 
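Review bot: The `fileExt` rule on `name` checks only the user-supplied file name's extension against `Uploader.allowedExt`, and only when the session user is not an admin; because `$this->validate` is now assembled in the constructor, a model instance created in an admin session carries no extension rule for its whole lifetime, which is worth a docblock line on `__construct`, e.g. `Builds $validate at runtime; non-admin sessions additionally get a fileExt allow-list from Uploader.allowedExt`. An extension check alone does not establish what the file is; a content check (`finfo_file`/`mime_content_type`) alongside it would make the allow-list meaningful. The `__construct` body continues past the hunk.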
@@ -14,17 +14,17 @@ * * @var \BcAppView $this */ -$this->BcBaser->i18nScript([ +echo $this->BcBaser->i18nScript([ 'uploaderCancel' => __d('baser', 'キャンセル'), 'uploaderSave' => __d('baser', '保存'), 'uploaderEdit' => __d('baser', '編集'), 'uplaoderDelete' => __d('baser', '削除'), 'uploaderAlertMessage1' => __d('baser', '更新に失敗しました。入力内容を見直してください。'), - 'uploaderAlertMessage2' => __d('baser', 'アップロードに失敗しました。ファイルサイズを確認してください。'), + 'uploaderAlertMessage2' => __d('baser', 'アップロードに失敗しました。ファイルサイズが大きいか、許可されていない形式です。'), 'uploaderAlertMessage3' => __d('baser', 'このファイルの編集・削除はできません。'), 'uploaderAlertMessage4' => __d('baser', 'サーバーでの処理に失敗しました。'), 'uploaderConfirmMessage1' => __d('baser', '本当に削除してもよろしいですか?') -], ['inline', true]); +], ['inline' => true]); $this->BcBaser->js(array('Uploader.admin/uploader_files/uploader_list')); if(!isset($listId)) { $listId = ''; diff --git a/lib/Baser/Plugin/Uploader/View/Elements/admin/uploader_files/index_box.php b/lib/Baser/Plugin/Uploader/View/Elements/admin/uploader_files/index_box.php index 83a1056478..7f37a1f658 100755 --- a/lib/Baser/Plugin/Uploader/View/Elements/admin/uploader_files/index_box.php +++ b/lib/Baser/Plugin/Uploader/View/Elements/admin/uploader_files/index_box.php @@ -38,7 +38,7 @@ [BcText->booleanMark($statusPublish); ?>] BcTime->format('Y.m.d',$file['UploaderFile']['created']) ?>
    -
    BcText->arrayValue($file['UploaderFile']['user_id'], $users) ?>
    +
    BcText->arrayValue($file['UploaderFile']['user_id'], $users)) ?>
    BcTime->format('Y.m.d',$file['UploaderFile']['modified']) ?> diff --git a/lib/Baser/Plugin/Uploader/View/Elements/admin/uploader_files/index_row.php b/lib/Baser/Plugin/Uploader/View/Elements/admin/uploader_files/index_row.php index ac6b61c357..8410bb0f19 100755 --- a/lib/Baser/Plugin/Uploader/View/Elements/admin/uploader_files/index_row.php +++ b/lib/Baser/Plugin/Uploader/View/Elements/admin/uploader_files/index_row.php @@ -47,7 +47,7 @@
    BcText->truncate($file['UploaderFile']['alt'], 40) ?> BcText->booleanMark($statusPublish); ?> - BcText->arrayValue($file['UploaderFile']['user_id'], $users) ?> + BcText->arrayValue($file['UploaderFile']['user_id'], $users)) ?> BcTime->format('Y.m.d',$file['UploaderFile']['created']) ?>
    BcTime->format('Y.m.d',$file['UploaderFile']['modified']) ?> diff --git a/lib/Baser/Test/Case/Model/PageTest.php b/lib/Baser/Test/Case/Model/PageTest.php index 026e4b05b0..236ed3039c 100644 --- a/lib/Baser/Test/Case/Model/PageTest.php +++ b/lib/Baser/Test/Case/Model/PageTest.php @@ -77,6 +77,7 @@ public function test既存ページチェック正常() { } public function testPHP構文チェック正常系() { + Configure::write('BcApp.allowedPhpOtherThanAdmins', true); $this->Page->create([ 'Page' => [ 'name' => 'test', @@ -84,6 +85,7 @@ public function testPHP構文チェック正常系() { ] ]); $this->assertTrue($this->Page->validates()); + Configure::write('BcApp.allowedPhpOtherThanAdmins', false); } public function testPHP構文チェック異常系() { diff --git a/lib/Baser/View/Elements/admin/content_fields.php b/lib/Baser/View/Elements/admin/content_fields.php index ea91e710e1..693384bb4f 100644 --- a/lib/Baser/View/Elements/admin/content_fields.php +++ b/lib/Baser/View/Elements/admin/content_fields.php @@ -368,7 +368,7 @@ - + BcContents->settings[$relatedContent['Content']['type']]['title'] ?>) diff --git a/lib/Baser/View/Elements/admin/contents/index_list_tree.php b/lib/Baser/View/Elements/admin/contents/index_list_tree.php index 8ef83edb74..1b8fefb892 100644 --- a/lib/Baser/View/Elements/admin/contents/index_list_tree.php +++ b/lib/Baser/View/Elements/admin/contents/index_list_tree.php @@ -63,12 +63,12 @@ "contentType":"", "contentAliasId":"", "contentPlugin":"", - "contentTitle":"", + "contentTitle":"", "contentSiteRoot":"", "editDisabled":"", "manageDisabled":"" }' class="jstree-open"> - + BcBaser->element('admin/contents/index_list_tree', ['datas' => $data['children']]) ?> diff --git a/lib/Baser/View/Elements/admin/plugins/index_row_market.php b/lib/Baser/View/Elements/admin/plugins/index_row_market.php index cf104da49d..f724202b89 100644 --- a/lib/Baser/View/Elements/admin/plugins/index_row_market.php +++ b/lib/Baser/View/Elements/admin/plugins/index_row_market.php @@ -21,11 +21,11 @@
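Review bot: `Configure::write('BcApp.allowedPhpOtherThanAdmins', false)` at the end of `testPHP構文チェック正常系` is skipped whenever the preceding assertion fails, leaking the permissive setting into every later test; restore it in `tearDown()` (saving the previous value in `setUp()`, if the class has those hooks) rather than inline. A one-line comment on the write, `// containsScript rejects PHP for non-admin sessions; this test runs with no logged-in admin`, would make the intent clear.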
    BcBaser->link($this->BcBaser->getImg('admin/icn_tool_down.png', ['title' => __d('baser', 'ダウンロード'), 'alt' => __d('baser', 'ダウンロード')]), $data['link'], ['target' => '_blank']) ?>
    - + - - BcBaser->link($data['author'], $data['authorLink'], ['target' => '_blank']) ?> + + BcBaser->link($data['author'], $data['authorLink'], ['target' => '_blank', 'escape' => true]) ?> BcTime->format('Y-m-d', $data['created']) ?>
    BcTime->format('Y-m-d', $data['modified']) ?> diff --git a/lib/Baser/View/Elements/admin/themes/index_list.php b/lib/Baser/View/Elements/admin/themes/index_list.php index a3924fb062..651a96d5fc 100755 --- a/lib/Baser/View/Elements/admin/themes/index_list.php +++ b/lib/Baser/View/Elements/admin/themes/index_list.php @@ -41,12 +41,12 @@
    -

     (  )

    +

     (  )

    - BcBaser->link($currentTheme['author'], $currentTheme['url'], ['target' => '_blank']) ?> + BcBaser->link($currentTheme['author'], $currentTheme['url'], ['target' => '_blank', 'escape' => true]) ?> - +

    @@ -58,7 +58,7 @@ BcForm->end() ?>



    -
    +

    diff --git a/lib/Baser/View/Elements/admin/themes/index_row.php b/lib/Baser/View/Elements/admin/themes/index_row.php index e033c371bd..c0d2eb6d3b 100755 --- a/lib/Baser/View/Elements/admin/themes/index_row.php +++ b/lib/Baser/View/Elements/admin/themes/index_row.php @@ -17,7 +17,7 @@
  • -

     (  )

    +

     (  )

    @@ -39,9 +39,9 @@

    - BcBaser->link($data['author'], $data['url'], ['target' => '_blank']) ?> + BcBaser->link($data['author'], $data['url'], ['target' => '_blank', 'escape' => true]) ?> - +

    @@ -53,16 +53,16 @@ BcBaser->img('admin/no-screenshot.png', ['alt' => $data['title']]) ?>
    -
     (  )
    +
     (  )
    BcBaser->link($data['author'], $data['url'], ['target' => '_blank']) ?> - +
    -
    +
  • diff --git a/lib/Baser/View/Elements/admin/themes/index_row_market.php b/lib/Baser/View/Elements/admin/themes/index_row_market.php index 2e91e67d76..0c304d9260 100644 --- a/lib/Baser/View/Elements/admin/themes/index_row_market.php +++ b/lib/Baser/View/Elements/admin/themes/index_row_market.php @@ -60,7 +60,7 @@ BcBaser->link($data['author'], $data['authorLink'], ['target' => '_blank']) ?> - +
    diff --git a/lib/Baser/View/Elements/admin/toolbar.php b/lib/Baser/View/Elements/admin/toolbar.php index 50e39d9b44..78c8ccd1c0 100755 --- a/lib/Baser/View/Elements/admin/toolbar.php +++ b/lib/Baser/View/Elements/admin/toolbar.php @@ -72,7 +72,7 @@
    • - BcBaser->link($this->BcBaser->getUserName($user) . ' ' . $this->BcBaser->getImg('admin/btn_dropdown.png', ['width' => 8, 'height' => 11, 'class' => 'bc-btn']), 'javascript:void(0)', ['class' => 'title']) ?> + BcBaser->link(h($this->BcBaser->getUserName($user)) . ' ' . $this->BcBaser->getImg('admin/btn_dropdown.png', ['width' => 8, 'height' => 11, 'class' => 'bc-btn']), 'javascript:void(0)', ['class' => 'title']) ?>
        Session->check('AuthAgent')): ?>
      • BcBaser->link(__d('baser', '元のユーザーに戻る'), '/users/back_agent') ?>
      • diff --git a/lib/Baser/View/Elements/admin/user_groups/index_row.php b/lib/Baser/View/Elements/admin/user_groups/index_row.php index c58845b30d..977718bcf7 100755 --- a/lib/Baser/View/Elements/admin/user_groups/index_row.php +++ b/lib/Baser/View/Elements/admin/user_groups/index_row.php @@ -31,7 +31,7 @@ BcBaser->link($data['UserGroup']['name'], ['action' => 'edit', $data['UserGroup']['id']]) ?>
        - BcBaser->link($this->BcBaser->getUserName($user), ['controller' => 'users', 'action' => 'edit', $user['id']]) ?> + BcBaser->link(h($this->BcBaser->getUserName($user)), ['controller' => 'users', 'action' => 'edit', $user['id']]) ?> diff --git a/lib/Baser/View/Elements/admin/users/index_row.php b/lib/Baser/View/Elements/admin/users/index_row.php index 5d047a4314..2cb2715ac9 100755 --- a/lib/Baser/View/Elements/admin/users/index_row.php +++ b/lib/Baser/View/Elements/admin/users/index_row.php @@ -25,10 +25,10 @@ - BcBaser->link($data['User']['name'], ['action' => 'edit', $data['User']['id']]) ?> - + BcBaser->link(h($data['User']['name']), ['action' => 'edit', $data['User']['id']]) ?> + BcText->listValue('User.user_group_id', $data['User']['user_group_id']); ?>
        -   +   BcListTable->dispatchShowRow($data) ?> BcTime->format('Y-m-d', $data['User']['created']) ?>
        BcTime->format('Y-m-d', $data['User']['modified']) ?> diff --git a/lib/Baser/View/Elements/crumbs.php b/lib/Baser/View/Elements/crumbs.php index 2f573534fd..53ff1cd5cc 100755 --- a/lib/Baser/View/Elements/crumbs.php +++ b/lib/Baser/View/Elements/crumbs.php @@ -26,10 +26,10 @@ foreach ($crumbs as $key => $crumb) { if ($this->BcArray->last($crumbs, $key)) { if ($this->viewPath != 'home' && $crumb['name']) { - $this->BcBaser->addCrumb($crumb['name']); + $this->BcBaser->addCrumb(h($crumb['name'])); } } else { - $this->BcBaser->addCrumb($crumb['name'], $crumb['url']); + $this->BcBaser->addCrumb(h($crumb['name']), $crumb['url']); } } } elseif (empty($crumbs)) { diff --git a/lib/Baser/View/Helper/BcBaserHelper.php b/lib/Baser/View/Helper/BcBaserHelper.php index 6e4f0fc3e5..31fb96b9ea 100755 --- a/lib/Baser/View/Helper/BcBaserHelper.php +++ b/lib/Baser/View/Helper/BcBaserHelper.php @@ -382,7 +382,7 @@ public function getContentsTitle() { * @return void */ public function contentsTitle() { - echo $this->getContentsTitle(); + echo h($this->getContentsTitle()); } /** diff --git a/lib/Baser/View/Layouts/admin/default.php b/lib/Baser/View/Layouts/admin/default.php index a9573b9bd3..3e51c73b28 100755 --- a/lib/Baser/View/Layouts/admin/default.php +++ b/lib/Baser/View/Layouts/admin/default.php @@ -106,7 +106,7 @@ - + diff --git a/lib/Baser/View/ThemeFiles/admin/form.php b/lib/Baser/View/ThemeFiles/admin/form.php index bb1c8aa656..afff21e251 100755 --- a/lib/Baser/View/ThemeFiles/admin/form.php +++ b/lib/Baser/View/ThemeFiles/admin/form.php @@ -21,7 +21,7 @@
        - +
        @@ -47,7 +47,7 @@ request->action != 'admin_view'): ?> BcForm->input('ThemeFile.name', ['type' => 'text', 'size' => 30, 'maxlength' => 255, 'autofocus' => true]) ?> BcForm->value('ThemeFile.ext')): ?>. - BcForm->value('ThemeFile.ext') ?> + BcForm->value('ThemeFile.ext')) ?> BcForm->input('ThemeFile.ext', ['type' => 'hidden']) ?> Html->image('admin/icn_help.png', ['id' => 'helpName', 'class' => 'btn help', 'alt' => __d('baser', 'ヘルプ')]) ?> BcForm->error('ThemeFile.name') ?>