CHANGELOG.md

@@ -1,5 +1,11 @@
 # Change log
 
+## 4.4.18 (2018-04-18)
+
+ * Fix an XSS vulnerability in the system log (see CVE-2018-10125).
+ * Correctly highlight all keywords in the search results (see #1461).
+ * Log unknown insert tag (flags) in the system log (see #1182).
+
 ## 4.4.17 (2018-04-04)
 
  * Correctly hide empty custom layout sections (see #1115).

composer.json

@@ -10,7 +10,7 @@
         }
     ],
     "require": {
-        "php": "^5.6|^7.0",
+        "php": "^5.6 || ^7.0",
         "ext-dom": "*",
         "ext-gd": "*",
         "ext-pcre": "*",
@@ -36,11 +36,11 @@
         "contao-components/tablesorter": "^2.0.5.3",
         "contao-components/tinymce4": "4.6.*",
         "contao/image": "^0.3.1",
-        "contao/imagine-svg": "^0.1.2|^0.2",
+        "contao/imagine-svg": "^0.1.2 || ^0.2",
         "doctrine/dbal": "^2.5",
         "doctrine/doctrine-bundle": "^1.6",
         "doctrine/doctrine-cache-bundle": "^1.3",
-        "imagine/imagine": "^0.6|^0.7",
+        "imagine/imagine": "^0.6 || ^0.7",
         "knplabs/knp-menu-bundle": "^2.1",
         "knplabs/knp-time-bundle": "^1.5.2",
         "leafo/scssphp": "^0.6",
@@ -75,8 +75,8 @@
         "doctrine/doctrine-migrations-bundle": "<1.1",
         "doctrine/orm": "<2.4",
         "lexik/maintenance-bundle": "2.1.4",
-        "symfony/finder": "3.4.7|4.0.7",
-        "symfony/security": "3.4.7|4.0.7",
+        "symfony/finder": "3.4.7",
+        "symfony/security": ">= 3.4.7",
         "symfony/swiftmailer-bundle": "2.6.* <2.6.2"
     },
     "require-dev": {

src/EventListener/BypassMaintenanceListener.php

@@ -10,7 +10,7 @@
 
 namespace Contao\CoreBundle\EventListener;
 
-use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\RequestStack;
 use Symfony\Component\HttpFoundation\Session\SessionInterface;
 use Symfony\Component\HttpKernel\Event\GetResponseEvent;
 
@@ -27,6 +27,11 @@ class BypassMaintenanceListener
      */
     private $session;
 
+    /**
+     * @var RequestStack
+     */
+    private $requestStack;
+
     /**
      * @var bool
      */
@@ -41,12 +46,14 @@ class BypassMaintenanceListener
      * Constructor.
      *
      * @param SessionInterface $session
+     * @param RequestStack     $requestStack
      * @param bool             $disableIpCheck
      * @param string           $requestAttribute
      */
-    public function __construct(SessionInterface $session, $disableIpCheck, $requestAttribute = '_bypass_maintenance')
+    public function __construct(SessionInterface $session, RequestStack $requestStack, $disableIpCheck, $requestAttribute = '_bypass_maintenance')
     {
         $this->session = $session;
+        $this->requestStack = $requestStack;
         $this->disableIpCheck = $disableIpCheck;
         $this->requestAttribute = $requestAttribute;
     }
@@ -60,7 +67,7 @@ public function onKernelRequest(GetResponseEvent $event)
     {
         $request = $event->getRequest();
 
-        if (!$this->hasAuthenticatedBackendUser($request)) {
+        if (!$this->hasAuthenticatedBackendUser()) {
             return;
         }
 
@@ -70,13 +77,13 @@ public function onKernelRequest(GetResponseEvent $event)
     /**
      * Checks if there is an authenticated back end user.
      *
-     * @param Request $request
-     *
      * @return bool
      */
-    private function hasAuthenticatedBackendUser(Request $request)
+    private function hasAuthenticatedBackendUser()
     {
-        if (!$request->cookies->has('BE_USER_AUTH')) {
+        $request = $this->requestStack->getMasterRequest();
+
+        if (null === $request || !$request->cookies->has('BE_USER_AUTH')) {
             return false;
         }
 

src/Monolog/ContaoTableHandler.php

@@ -106,7 +106,7 @@ protected function write(array $record)
             'username' => (string) $context->getUsername(),
             'func' => (string) $context->getFunc(),
             'ip' => (string) $context->getIp(),
-            'browser' => (string) $context->getBrowser(),
+            'browser' => StringUtil::specialchars((string) $context->getBrowser()),
         ]);
     }
 

src/Resources/config/listener.yml

@@ -44,6 +44,7 @@ services:
         class: Contao\CoreBundle\EventListener\BypassMaintenanceListener
         arguments:
             - "@session"
+            - "@request_stack"
             - "%contao.security.disable_ip_check%"
         tags:
             - { name: kernel.event_listener, event: kernel.request, method: onKernelRequest, priority: 10 }

src/Resources/contao/.php_cs.dist

@@ -29,6 +29,7 @@ return PhpCsFixer\Config::create()
         'no_empty_comment' => true,
         'no_empty_phpdoc' => true,
         'no_empty_statement' => true,
+        'no_extra_blank_lines' => true,
         'no_leading_import_slash' => true,
         'no_leading_namespace_whitespace' => true,
         'no_mixed_echo_print' => true,

src/Resources/contao/classes/Ajax.php

@@ -17,7 +17,6 @@
 use Symfony\Component\HttpFoundation\Session\Attribute\AttributeBagInterface;
 use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 
-
 /**
  * Provide methods to handle Ajax requests.
  *
@@ -50,7 +49,6 @@ class Ajax extends \Backend
 	 */
 	protected $strAjaxName;
 
-
 	/**
 	 * Get the current action
 	 *
@@ -69,7 +67,6 @@ public function __construct($strAction)
 		parent::__construct();
 	}
 
-
 	/**
 	 * Ajax actions that do not require a data container object
 	 */
@@ -167,7 +164,6 @@ public function executePreActions()
 		}
 	}
 
-
 	/**
 	 * Ajax actions that do require a data container object
 	 *
@@ -445,7 +441,6 @@ public function executePostActions(DataContainer $dc)
 		}
 	}
 
-
 	/**
 	 * Execute the post actions hook
 	 *
@@ -463,7 +458,6 @@ protected function executePostActionsHook(DataContainer $dc)
 		}
 	}
 
-
 	/**
 	 * Convert a string to a response object
 	 *

src/Resources/contao/classes/Backend.php

@@ -19,7 +19,6 @@
 use Symfony\Component\HttpFoundation\Session\Attribute\AttributeBagInterface;
 use Symfony\Component\HttpFoundation\Session\SessionInterface;
 
-
 /**
  * Provide methods to manage back end controllers.
  *
@@ -40,7 +39,6 @@ protected function __construct()
 		$this->setStaticUrls();
 	}
 
-
 	/**
 	 * Return the current theme as string
 	 *
@@ -58,7 +56,6 @@ public static function getTheme()
 		return 'flexible';
 	}
 
-
 	/**
 	 * Return the back end themes as array
 	 *
@@ -82,7 +79,6 @@ public static function getThemes()
 		return $arrReturn;
 	}
 
-
 	/**
 	 * Return the TinyMCE language
 	 *
@@ -126,7 +122,6 @@ public static function getTinyMceLanguage()
 		return 'en';
 	}
 
-
 	/**
 	 * Get the Ace code editor type from a file extension
 	 *
@@ -199,7 +194,6 @@ public static function getAceType($ext)
 		}
 	}
 
-
 	/**
 	 * Return a list of TinyMCE templates as JSON string
 	 *
@@ -228,7 +222,6 @@ public static function getTinyTemplates()
 		return implode(",\n", $arrFiles) . "\n";
 	}
 
-
 	/**
 	 * Add the request token to the URL
 	 *
@@ -246,7 +239,6 @@ public static function addToUrl($strRequest, $blnAddRef=true, $arrUnset=array())
 		return parent::addToUrl($strRequest . (($strRequest != '') ? '&' : '') . 'rt=' . REQUEST_TOKEN, $blnAddRef, $arrUnset);
 	}
 
-
 	/**
 	 * Handle "runonce" files
 	 *
@@ -282,7 +274,6 @@ public static function handleRunOnce()
 		}
 	}
 
-
 	/**
 	 * Open a back end module and return it as HTML
 	 *
@@ -632,7 +623,6 @@ protected function getBackendModule($module, PickerInterface $picker = null)
 		return null;
 	}
 
-
 	/**
 	 * Get all searchable pages and return them as array
 	 *
@@ -684,7 +674,6 @@ public static function findSearchablePages($pid=0, $domain='', $blnIsSitemap=fal
 		return $arrPages;
 	}
 
-
 	/**
 	 * Add the file meta information to the request
 	 *
@@ -772,7 +761,6 @@ public static function addFileMetaInformationToRequest($strUuid, $strPtable, $in
 		}
 	}
 
-
 	/**
 	 * Add a breadcrumb menu to the page tree
 	 *
@@ -886,7 +874,6 @@ public static function addPagesBreadcrumb($strKey='tl_page_node')
 </ul>';
 	}
 
-
 	/**
 	 * Add an image to each page in the tree
 	 *
@@ -928,7 +915,6 @@ public static function addPageIcon($row, $label, DataContainer $dc=null, $imageA
 		return '<a href="contao/main.php?do=feRedirect&amp;page='.$row['id'].'" title="'.\StringUtil::specialchars($GLOBALS['TL_LANG']['MSC']['view']).'"' . (($dc->table != 'tl_page') ? ' class="tl_gray"' : '') . ' target="_blank">'.\Image::getHtml($image, '', $imageAttribute).'</a> '.$label;
 	}
 
-
 	/**
 	 * Return the system messages as HTML
 	 *
@@ -962,7 +948,6 @@ public static function getSystemMessages()
 		return $strMessages;
 	}
 
-
 	/**
 	 * Add a breadcrumb menu to the file tree
 	 *
@@ -1058,7 +1043,6 @@ public static function addFilesBreadcrumb($strKey='tl_files_node')
 </ul>';
 	}
 
-
 	/**
 	 * Convert an array of layout section IDs to an associative array with IDs and labels
 	 *
@@ -1080,7 +1064,6 @@ public static function convertLayoutSectionIdsToAssociativeArray($arrSections)
 		return $arrSections;
 	}
 
-
 	/**
 	 * Generate the DCA picker wizard
 	 *
@@ -1126,7 +1109,6 @@ public static function getDcaPickerWizard($extras, $table, $field, $inputName)
   </script>';
 	}
 
-
 	/**
 	 * Add the custom layout section references
 	 */
@@ -1152,7 +1134,6 @@ public function addCustomLayoutSectionReferences()
 		}
 	}
 
-
 	/**
 	 * Get all allowed pages and return them as string
 	 *
@@ -1207,7 +1188,6 @@ public function createPageList()
 		return $return;
 	}
 
-
 	/**
 	 * Recursively get all allowed pages and return them as string
 	 *
@@ -1253,7 +1233,6 @@ protected function doCreatePageList($intId=0, $level=-1)
 		return $strOptions;
 	}
 
-
 	/**
 	 * Get all allowed files and return them as string
 	 *
@@ -1303,7 +1282,6 @@ public function createFileList($strFilter='', $filemount=false)
 		return $return;
 	}
 
-
 	/**
 	 * Recursively get all allowed files and return them as string
 	 *