
Prepare 3.6.5 Stable Release

1 parent 5b1b32d commit 435a2226118a4e83ecaf33431ec05f39c640c744 @mbabker mbabker committed with wilsonge Nov 25, 2016
@@ -131,6 +131,25 @@ public function save($data)
$context = $this->option . '.' . $this->name;
JPluginHelper::importPlugin('extension');
+ // Check super user group.
+ if (isset($data['params']) && !JFactory::getUser()->authorise('core.admin'))
+ {
+ $form = $this->getForm(array(), false);
+
+ foreach ($form->getFieldsets() as $fieldset)
+ {
+ foreach ($form->getFieldset($fieldset->name) as $field)
+ {
+ if ($field->type === 'UserGroupList' && isset($data['params'][$field->fieldname])
+ && (int) $field->getAttribute('checksuperusergroup', 0) === 1
+ && JAccess::checkGroup($data['params'][$field->fieldname], 'core.admin'))
+ {
+ throw new RuntimeException(JText::_('JLIB_APPLICATION_ERROR_SAVE_NOT_PERMITTED'));
+ }
+ }
+ }
+ }
+
// Save the rules.
if (isset($data['params']) && isset($data['params']['rules']))
{
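Review bot: The super-user guard added ahead of `// Save the rules.` only fires for UserGroupList fields that carry `checksuperusergroup="1"` (`(int) $field->getAttribute('checksuperusergroup', 0) === 1`), so the protection is opt-in: any other usergrouplist config field, including third-party ones, still lets a non-super admin select a core.admin group. Consider making the default fail-closed, `(int) $field->getAttribute('checksuperusergroup', 1) === 1`, so a field has to opt out explicitly, or at least add `// Opt-in guard: only fields flagged checksuperusergroup="1" are checked.` so the gap is visible. `$data['params'][$field->fieldname]` also reaches `JAccess::checkGroup()` uncast; if a field is declared `multiple`, the value is an array, so confirm checkGroup tolerates that or iterate over `(array)` values. `save()` starts before this hunk.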
@@ -20,15 +20,19 @@
default="2"
label="COM_USERS_CONFIG_FIELD_NEW_USER_TYPE_LABEL"
description="COM_USERS_CONFIG_FIELD_NEW_USER_TYPE_DESC"
- showon="allowUserRegistration:1">
+ checksuperusergroup="1"
+ showon="allowUserRegistration:1"
+ >
</field>
<field
name="guest_usergroup"
type="usergrouplist"
default="1"
label="COM_USERS_CONFIG_FIELD_GUEST_USER_GROUP_LABEL"
- description="COM_USERS_CONFIG_FIELD_GUEST_USER_GROUP_DESC">
+ description="COM_USERS_CONFIG_FIELD_GUEST_USER_GROUP_DESC"
+ checksuperusergroup="1"
+ >
</field>
<field
@@ -676,6 +676,19 @@ public function batch($commands, $pks, $contexts)
*/
public function batchReset($user_ids, $action)
{
+ $user_ids = ArrayHelper::toInteger($user_ids);
+
+ // Check if I am a Super Admin
+ $iAmSuperAdmin = JFactory::getUser()->authorise('core.admin');
+
+ // Non-super super user cannot work with super-admin user.
+ if (!$iAmSuperAdmin && JUserHelper::checkSuperUserInUsers($user_ids))
+ {
+ $this->setError(JText::_('COM_USERS_ERROR_CANNOT_BATCH_SUPERUSER'));
+
+ return false;
+ }
+
// Set the action to perform
if ($action === 'yes')
{
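Review bot: The comment on the new guard, `// Non-super super user cannot work with super-admin user.`, has a duplicated word and understates what is checked; suggest `// A non-Super User may not batch-reset any user who belongs to a Super User group.` The guard itself is sound: the ids are integer-cast first and the method bails out before `$action` is evaluated. Note that the first line now relies on `ArrayHelper::toInteger()` returning the cast array (the removed `JArrayHelper::toInteger()` worked by reference), which needs `use Joomla\Utilities\ArrayHelper;` at the top of the file — that import is outside this hunk, so confirm it is present. `batchReset()` continues past the hunk.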
@@ -699,8 +712,6 @@ public function batchReset($user_ids, $action)
// Get the DB object
$db = $this->getDbo();
- JArrayHelper::toInteger($user_ids);
-
$query = $db->getQuery(true);
// Update the reset flag
@@ -737,19 +748,30 @@ public function batchReset($user_ids, $action)
*/
public function batchUser($group_id, $user_ids, $action)
{
- // Get the DB object
- $db = $this->getDbo();
-
JArrayHelper::toInteger($user_ids);
- // Non-super admin cannot work with super-admin group
- if ((!JFactory::getUser()->get('isRoot') && JAccess::checkGroup($group_id, 'core.admin')) || $group_id < 1)
+ // Check if I am a Super Admin
+ $iAmSuperAdmin = JFactory::getUser()->authorise('core.admin');
+
+ // Non-super super user cannot work with super-admin user.
+ if (!$iAmSuperAdmin && JUserHelper::checkSuperUserInUsers($user_ids))
+ {
+ $this->setError(JText::_('COM_USERS_ERROR_CANNOT_BATCH_SUPERUSER'));
+
+ return false;
+ }
+
+ // Non-super admin cannot work with super-admin group.
+ if ((!$iAmSuperAdmin && JAccess::checkGroup($group_id, 'core.admin')) || $group_id < 1)
{
$this->setError(JText::_('COM_USERS_ERROR_INVALID_GROUP'));
return false;
}
+ // Get the DB object
+ $db = $this->getDbo();
+
switch ($action)
{
// Sets users to a selected group
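Review bot: `JArrayHelper::toInteger($user_ids);` is kept at the top of `batchUser()` while the sibling `batchReset()` in this same commit switches to `$user_ids = ArrayHelper::toInteger($user_ids);`; the two batch methods should cast ids the same way, so change this line to match. The duplicated-word comment `// Non-super super user cannot work with super-admin user.` recurs here; suggest `// A non-Super User may not batch-assign users who belong to a Super User group.` Also `$group_id` reaches `JAccess::checkGroup($group_id, 'core.admin')` uncast while `$group_id < 1` compares it numerically; a `$group_id = (int) $group_id;` before the checks keeps the two consistent. `batchUser()` continues past the hunk.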
@@ -962,17 +984,17 @@ public function getOtpConfig($user_id = null)
// Get the encrypted data
list($method, $config) = explode(':', $item->otpKey, 2);
$encryptedOtep = $item->otep;
-
+
// Get the secret key, yes the thing that is saved in the configuration file
$key = $this->getOtpConfigEncryptionKey();
-
+
if (strpos($config, '{') === false)
{
$openssl = new FOFEncryptAes($key, 256);
$mcrypt = new FOFEncryptAes($key, 256, 'cbc', null, 'mcrypt');
-
+
$decryptedConfig = $mcrypt->decryptString($config);
-
+
if (strpos($decryptedConfig, '{') !== false)
{
// Data encrypted with mcrypt
@@ -984,9 +1006,9 @@ public function getOtpConfig($user_id = null)
// Config data seems to be save encrypted, this can happen with 3.6.3 and openssl, lets get the data
$decryptedConfig = $openssl->decryptString($config);
}
-
+
$otpKey = $method . ':' . $decryptedConfig;
-
+
$query = $db->getQuery(true)
->update($db->qn('#__users'))
->set($db->qn('otep') . '=' . $db->q($encryptedOtep))
@@ -999,7 +1021,7 @@ public function getOtpConfig($user_id = null)
{
$decryptedConfig = $config;
}
-
+
// Create an encryptor class
$aes = new FOFEncryptAes($key, 256);
@@ -1043,7 +1065,7 @@ public function getOtpConfig($user_id = null)
// Return the configuration object
return $otpConfig;
}
-
+
/**
* Sets the one time password (OTP) – a.k.a. two factor authentication –
* configuration for a particular user. The $otpConfig object is the same as
@@ -87,6 +87,7 @@ COM_USERS_EDIT_NOTE_N="Editing note with ID #%d"
COM_USERS_EDIT_USER="Edit User %s"
COM_USERS_EMPTY_REVIEW="-"
COM_USERS_EMPTY_SUBJECT="- No subject -"
+COM_USERS_ERROR_CANNOT_BATCH_SUPERUSER="A non-Super User can't perform batch operations on Super Users."
COM_USERS_ERROR_INVALID_GROUP="Invalid Group"
COM_USERS_ERROR_LEVELS_NOLEVELS_SELECTED="No View Permission Level(s) selected."
COM_USERS_ERROR_NO_ADDITIONS="The selected user(s) are already assigned to the selected group."
@@ -1,8 +1,8 @@
<?xml version="1.0" encoding="utf-8"?>
<metafile version="3.6" client="administrator">
<name>English (en-GB)</name>
- <version>3.6.4</version>
- <creationDate>October 2016</creationDate>
+ <version>3.6.5</version>
+ <creationDate>December 2016</creationDate>
<author>Joomla! Project</author>
<authorEmail>admin@joomla.org</authorEmail>
<authorUrl>www.joomla.org</authorUrl>
@@ -2,8 +2,8 @@
<extension version="3.6" client="administrator" type="language" method="upgrade">
<name>English (United Kingdom)</name>
<tag>en-GB</tag>
- <version>3.6.4</version>
- <creationDate>October 2016</creationDate>
+ <version>3.6.5</version>
+ <creationDate>December 2016</creationDate>
<author>Joomla! Project</author>
<authorEmail>admin@joomla.org</authorEmail>
<authorUrl>www.joomla.org</authorUrl>
@@ -6,8 +6,8 @@
<authorUrl>www.joomla.org</authorUrl>
<copyright>(C) 2005 - 2016 Open Source Matters. All rights reserved</copyright>
<license>GNU General Public License version 2 or later; see LICENSE.txt</license>
- <version>3.6.4</version>
- <creationDate>October 2016</creationDate>
+ <version>3.6.5</version>
+ <creationDate>December 2016</creationDate>
<description>FILES_JOOMLA_XML_DESCRIPTION</description>
<scriptfile>administrator/components/com_admin/script.php</scriptfile>
@@ -2,8 +2,8 @@
<extension type="package" version="3.6" method="upgrade">
<name>English (en-GB) Language Pack</name>
<packagename>en-GB</packagename>
- <version>3.6.4.1</version>
- <creationDate>October 2016</creationDate>
+ <version>3.6.5.1</version>
+ <creationDate>December 2016</creationDate>
<author>Joomla! Project</author>
<authorEmail>admin@joomla.org</authorEmail>
<authorUrl>www.joomla.org</authorUrl>
@@ -242,9 +242,15 @@ public function getData()
// Override the base user data with any data in the session.
$temp = (array) $app->getUserState('com_users.registration.data', array());
+ $form = $this->getForm(array(), false);
+
foreach ($temp as $k => $v)
{
- $this->data->$k = $v;
+ // Only merge the field if it exists in the form.
+ if ($form->getField($k) !== false)
+ {
+ $this->data->$k = $v;
+ }
}
// Get the groups the user should be added to after registration.
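Review bot: The keys of `$temp` are whatever was posted on the previous registration attempt, so `$form->getField($k)` is now invoked with attacker-chosen field names; `getField()` is outside this hunk, and if it resolves names through a string-built XPath expression, a key containing a quote could select an unintended field instead of yielding `false`. Filtering the key before the lookup keeps the allow-list strict, e.g. `if (!is_string($k) || !preg_match('/^[A-Za-z0-9_\-]+$/', $k)) { continue; }`, adjusted to the names the form actually declares. Otherwise the change is the right shape — merging only declared form fields stops arbitrary properties being set on `$this->data`. `getData()` continues past the hunk.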
@@ -3,8 +3,8 @@
version="3.6"
client="installation">
<name>English (United Kingdom)</name>
- <version>3.6.4</version>
- <creationDate>October 2016</creationDate>
+ <version>3.6.5</version>
+ <creationDate>December 2016</creationDate>
<author>Joomla! Project</author>
<copyright>Copyright (C) 2005 - 2016 Open Source Matters. All rights reserved.</copyright>
<license>GNU General Public License version 2 or later; see LICENSE.txt</license>
@@ -1,8 +1,8 @@
<?xml version="1.0" encoding="utf-8"?>
<metafile version="3.6" client="site">
<name>English (en-GB)</name>
- <version>3.6.4</version>
- <creationDate>October 2016</creationDate>
+ <version>3.6.5</version>
+ <creationDate>December 2016</creationDate>
<author>Joomla! Project</author>
<authorEmail>admin@joomla.org</authorEmail>
<authorUrl>www.joomla.org</authorUrl>
@@ -2,8 +2,8 @@
<extension version="3.6" client="site" type="language" method="upgrade">
<name>English (United Kingdom)</name>
<tag>en-GB</tag>
- <version>3.6.4</version>
- <creationDate>October 2016</creationDate>
+ <version>3.6.5</version>
+ <creationDate>December 2016</creationDate>
<author>Joomla! Project</author>
<authorEmail>admin@joomla.org</authorEmail>
<authorUrl>www.joomla.org</authorUrl>
@@ -50,12 +50,19 @@ protected function getOptions()
{
static::$options[$hash] = parent::getOptions();
- $groups = JHelperUsergroups::getInstance()->getAll();
-
- $options = array();
+ $groups = JHelperUsergroups::getInstance()->getAll();
+ $checkSuperUser = (int) $this->getAttribute('checksuperusergroup', 0);
+ $isSuperUser = JFactory::getUser()->authorise('core.admin');
+ $options = array();
foreach ($groups as $group)
{
+ // Don't show super user groups to non super users.
+ if ($checkSuperUser && !$isSuperUser && JAccess::checkGroup($group->id, 'core.admin'))
+ {
+ continue;
+ }
+
$options[] = (object) array(
'text' => str_repeat('- ', $group->level) . $group->title,
'value' => $group->id,
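Review bot: The `continue` that drops core.admin groups from the option list is a display-side filter only; nothing here stops a non-super user from posting the hidden group id, so the model that saves the field must re-check it and readers should not mistake this filter for enforcement. Add `// Display filter only: the saving model must reject core.admin group ids for checksuperusergroup fields.` above the check. Because the filter runs inside the `static::$options[$hash]` cache fill whose `$hash` is computed outside this hunk, confirm the hash incorporates `checksuperusergroup`; otherwise a filtered and an unfiltered field that share a hash would return the same cached list. `getOptions()` starts before the hunk.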
@@ -91,8 +91,9 @@ public function canUpload($file, $component = 'com_media')
// Media file names should never have executable extensions buried in them.
$executable = array(
- 'php', 'js', 'exe', 'phtml', 'java', 'perl', 'py', 'asp', 'dll', 'go', 'ade', 'adp', 'bat', 'chm', 'cmd', 'com', 'cpl', 'hta', 'ins', 'isp',
- 'jse', 'lib', 'mde', 'msc', 'msp', 'mst', 'pif', 'scr', 'sct', 'shb', 'sys', 'vb', 'vbe', 'vbs', 'vxd', 'wsc', 'wsf', 'wsh',
+ 'php', 'php3', 'php4', 'php5', 'php6', 'php7', 'pht', 'js', 'exe', 'phtml', 'java', 'perl', 'py', 'asp', 'dll', 'go', 'ade',
+ 'adp', 'bat', 'chm', 'cmd', 'com', 'cpl', 'hta', 'ins', 'isp', 'jse', 'lib', 'mde', 'msc', 'msp', 'mst', 'pif', 'scr', 'sct',
+ 'shb', 'sys', 'vb', 'vbe', 'vbs', 'vxd', 'wsc', 'wsf', 'wsh',
);
$check = array_intersect($filetypes, $executable);
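Review bot: The `$executable` list in `canUpload()` still disagrees with the `forbidden_extensions` list in `isSafeFile()` changed in the same commit: that list blocks `phps`, `inc`, `pl`, `cgi`, `fcgi` and `jar`, while this one does not. Either add the missing entries here (`'phps', 'inc', 'pl', 'cgi', 'fcgi', 'jar'`) or derive both lists from one shared constant so future additions land in both places. A denylist of this kind is inherently incomplete and the comment above the array should say so, e.g. `// Denylist, not exhaustive: the server's handler mappings decide what actually executes.` `canUpload()` continues past the hunk.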
@@ -38,7 +38,7 @@
* @var string
* @since 3.5
*/
- const DEV_LEVEL = '4';
+ const DEV_LEVEL = '5';
/**
* Development status.
@@ -70,15 +70,15 @@
* @var string
* @since 3.5
*/
- const RELDATE = '21-October-2016';
+ const RELDATE = '1-December-2016';
/**
* Release time.
*
* @var string
* @since 3.5
*/
- const RELTIME = '16:33';
+ const RELTIME = '22:46';
/**
* Release timezone.
@@ -138,7 +138,7 @@ public static function clearStatics()
* @param mixed $asset Integer asset id or the name of the asset as a string. Defaults to the global asset node.
* @param boolean $preload Indicates whether preloading should be used
*
- * @return boolean True if authorised.
+ * @return boolean|null True if allowed, false for an explicit deny, null for an implicit deny.
*
* @since 11.1
*/
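Review bot: With the `@return` now documenting a `null` result for an implicit deny, any caller that tests `JAccess::check(...) === false` or `!== false` treats an implicit deny as not-denied; the `(bool)` cast added to `JUser::authorise()` in this commit covers only that one path. The docblock should spell the contract out for other callers, e.g. append `Callers must treat null as a deny: compare with === true or cast to bool; never test for === false.` `check()` itself is outside the hunk.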
@@ -507,7 +507,7 @@ public static function isSafeFile($file, $options = array())
// Forbidden string in extension (e.g. php matched .php, .xxx.php, .php.xxx and so on)
'forbidden_extensions' => array(
- 'php', 'phps', 'php5', 'php3', 'php4', 'inc', 'pl', 'cgi', 'fcgi', 'java', 'jar', 'py',
+ 'php', 'phps', 'pht', 'phtml', 'php3', 'php4', 'php5', 'php6', 'php7', 'inc', 'pl', 'cgi', 'fcgi', 'java', 'jar', 'py',
),
// <?php tag in file contents
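Review bot: The extended `forbidden_extensions` list still omits `phar`, which depending on the web server's handler mapping can be dispatched to the PHP interpreter like the `php3`..`php7` variants added here; consider appending `'phar'` alongside `'phtml'`. The comment above the array already explains that the match covers `.xxx.php` and `.php.xxx` forms, so the new `pht`/`phtml` entries inherit that behaviour — worth adding `// Keep in sync with the executable-extension list used by media uploads.` since the two lists diverge in this commit. `isSafeFile()` starts before the hunk.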
@@ -811,4 +811,29 @@ public static function getShortHashedUserAgent()
return md5(JUri::base() . $uaShort);
}
+
+ /**
+ * Check if there is a super user in the user ids.
+ *
+ * @param array $userIds An array of user IDs on which to operate
+ *
+ * @return boolean True on success, false on failure
+ *
+ * @since 3.6.5
+ */
+ public static function checkSuperUserInUsers(array $userIds)
+ {
+ foreach ($userIds as $userId)
+ {
+ foreach (static::getUserGroups($userId) as $userGroupId)
+ {
+ if (JAccess::checkGroup($userGroupId, 'core.admin'))
+ {
+ return true;
+ }
+ }
+ }
+
+ return false;
+ }
}
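Review bot: The docblock's `@return boolean True on success, false on failure` does not describe `checkSuperUserInUsers()`: it returns true as soon as any supplied id belongs to a group that grants core.admin and false otherwise, and there is no failure path. Replace it with `@return boolean True if at least one of the users belongs to a group granted core.admin, false otherwise.` and tighten `@param` to `An array of user IDs to inspect (integer-cast by the caller)`, since the ids are handed to `getUserGroups()` uncast. The docblock could also note that it makes one `getUserGroups()` call per id, which suits batch sizes but not hot paths.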
@@ -391,7 +391,7 @@ public function authorise($action, $assetname = null)
}
}
- return $this->isRoot ? true : JAccess::check($this->id, $action, $assetname);
+ return $this->isRoot ? true : (bool) JAccess::check($this->id, $action, $assetname);
}
/**
@@ -82,6 +82,10 @@ public function onUserAuthenticate($credentials, $options, &$response)
}
else
{
+ // Let's hash the entered password even if we don't have a matching user for some extra response time
+ // By doing so, we mitigate side channel user enumeration attacks
+ JUserHelper::hashPassword($credentials['password']);
+
// Invalid user
$response->status = JAuthentication::STATUS_FAILURE;
$response->error_message = JText::_('JGLOBAL_AUTH_NO_USER');
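Review bot: Hashing the submitted password in the unknown-user branch evens out timing only if `JUserHelper::hashPassword()` costs about the same as the verification performed in the known-user branch (outside this hunk); if stored hashes use a different algorithm or cost, the two paths still differ measurably, so confirm both use the same default. Timing is also only one channel: this branch sets `$response->error_message = JText::_('JGLOBAL_AUTH_NO_USER')`, which differs from the bad-password message, so enumeration remains possible if that text reaches the client unless the login controller maps both to one generic message. State the limits in the new comment, e.g. `// Best-effort timing equalisation only; the distinct error_message must not be shown to the user.` `onUserAuthenticate()` starts before the hunk.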