Commits on Apr 20, 2017
  1. Update lexicons from Crowdin

    Crowdin project: http://translate.modx.com
    Thanks to all translators and proofreaders for contribution!
    opengeek committed Apr 20, 2017
  2. Try all available methods when attempting to download transport packages [#13419]

    Make sure the package provider attempts different methods of downloading packages if one fails #13417
    opengeek committed Apr 20, 2017
  3. Prevent stored XSS in UserGroup names and various other fields [#13418]

    [SECURITY-18] Fix stored XSS in user group name, and other potential manager XSS issues
    
    Initial XSS report affecting the user group name and various places it gets rendered was from Anti Räis via security@modx.com, ticket 18 received April 3rd.
    
    During the investigation of that report I found that ExtJS components that define custom tpls need the htmlEncode filter on possibly untrusted content. So along with fixing the reported issues, I've done a quick search for similar issues and also patched the potential issues I could find.
    opengeek committed Apr 20, 2017
Commits on Apr 19, 2017
  1. Improve local file inclusion protections

    The existing protections would not work on Windows platforms with backslash path delimiters. This commit improves the LFI protections throughout the core to remove any sequence of 2 or more `.` characters regardless of the path delimiter that precedes or follows it.
    
    (cherry picked from commit e873488)
    Mark-H committed Apr 19, 2017
  2. Prevent user/email enumeration in forgot password feature

    Addresses issue #13408
    
    Merge remote-tracking branch 'origin/pr/13409' into 2.x
    
    * origin/pr/13409:
      Update login.inc.php
    opengeek committed Apr 19, 2017
Commits on Apr 18, 2017
  1. Prevent XSS cache poisoning via Host header

    [SECURITY-20] Prevent XSS by cache poisoning via Host header
    opengeek committed Apr 18, 2017
  2. Proper use of json_encode and error handling for outputArray() in processors
    
    create a proper json response and log errors
    opengeek committed Apr 18, 2017
  3. Update changelog

    opengeek committed Apr 18, 2017
  4. Prevent reflected XSS in setup

    [SECURITY-20] Prevent reflected XSS in setup
    
    Reported via security@modx.com by Tomáš Melicher. This patch makes sure configuration values, which may be provided by an attacker, are escaped before inserting them into the database configuration form of the setup.
    opengeek committed Apr 18, 2017
  5. Fix local file inclusion vulnerability in setup action parameter

    [SECURITY-20] Fix local file inclusion vulnerability in setup action parameter
    
    Reported by Tomáš Melicher via security@modx.com, ticket 20
    opengeek committed Apr 18, 2017
  6. Remove htaccess from allowed file types on new installations

    [SECURITY-19] Remove htaccess from allowed file types on new installations
    
    Reported to security@modx.com by Anti Räis in ticket 19 and Tomáš Melicher in ticket 20, the ability to upload or create .htaccess files can cause code execution. Similar to how php files are not allowed out of the box, this patch prevents htaccess files by default to protect against that. Users that want to manage htaccess from the manager can still do so by editing the upload_files setting after installation.
    opengeek committed Apr 18, 2017
Commits on Apr 11, 2017
  1. Prevent stored XSS in resource pagetitle

    [SECURITY-20] Prevent stored XSS in resource pagetitle
    
    Reported by Tomáš Melicher via security@modx.com, ticket 20
    opengeek committed Apr 11, 2017
Commits on Apr 9, 2017
  1. No addition on a JS string! [#13401]

    Merge remote-tracking branch 'upstream/pr/13401' into 2.x
    
    * upstream/pr/13401:
      No addition on a JS string!
    Jako committed Apr 9, 2017
Commits on Apr 6, 2017
  1. Merge remote-tracking branch 'xpdo/2.x' into 2.x

    * xpdo/2.x:
      Remove all embedded escape characters when escape() is used on a string
      Update version for 2.6.0-dev
      Added check if cache file empty for return real empty value #modxbughunt
      fix permissions and optionally allow different permissions
    opengeek committed Apr 6, 2017
  2. Merge remote-tracking branch 'xpdo/2.x' into 2.x

    * xpdo/2.x:
      Remove all embedded escape characters when escape() is used on a string
      Update version for 2.6.0-dev
      Added check if cache file empty for return real empty value #modxbughunt
      fix permissions and optionally allow different permissions
    opengeek committed Apr 6, 2017
Commits on Apr 3, 2017
  1. Remove all embedded escape characters when escape() is used on a string

    This prevents SQL injection potential when a value is passed with an embedded escape character for the platform.
    opengeek committed Apr 3, 2017
  2. Update login.inc.php

    Fix User/Email enumeration issue #13408
    Credit @pixelchutes
    mrhaw committed on GitHub Apr 3, 2017
Commits on Mar 28, 2017
  1. No addition on a JS string!

    rtripault committed Mar 28, 2017
  2. Merge branch '2.5.x' into 2.x

    * 2.5.x:
      Update version for 2.5.6-pl release
      Enable Resource Group access column to be sorted (weblink, symlink, static resource)
    opengeek committed Mar 28, 2017
  3. Enable Resource Group access column to be sorted (weblink, symlink, static resource)
    
    * origin/pr/13399:
      Enable Resource Group access column to be sorted (weblink, symlink, static resource)
    opengeek committed Mar 28, 2017
Commits on Mar 27, 2017
  1. Merge branch '2.5.x' into 2.x

    * 2.5.x:
      Enable Resource Group access column to be sorted
      Reverting changes from PR #13044
      Comment out failing unit tests from #13044 for now
      Stick to PHPUNIT 5.7 for PHP 7.0+ Added PHP 7.1 & 7.2 (nightly) to tests too
      Fixing ‘Code: 200 OK’ message in modx-combo-country
      remove extraneous variable
      Fix #12567 - Install "undefined" on package management breadcrumb when updating
      Fix #9492 Allow value ‘0’ for multi select TV items (checkbox/listbox)
      #9039 Added validation for min and max length of field #modxbughunt
      change math logic to limit system setting in package grid
      use system default per page on package management grid, up to a limit
      Remove override of results per page in package management grid (fixes #12518 #modxbughunt)
      Lower log level for 'resource with id not found in context' to info [#13278]
      Fix array_key_exists PHP warning. Avoid the following errors in the MODX error log `PHP warning: array_key_exists() expects parameter 2 to be array, null given` when the aliasMap is not available.
      added missing modauth for modxcms/revolution#13292
      fix for modxcms/revolution#13292
      Encode HTML in the template description to prevent potential XSS [#13290]
      revert last commit
      try to use `isRemovingUnprocessed` directly
      Make sure to call processElementTags with correct $maxIterations value
    opengeek committed Mar 27, 2017
  2. Enable Resource Group access column to be sorted

    * origin/pr/13398:
      Enable Resource Group access column to be sorted
    opengeek committed Mar 27, 2017
  3. Enable Resource Group access column to be sorted

    - Fixes #12426 allowing sorting just like corresponding Name column
    - List active groups together at top like Plugins for convenience
    pixelchutes committed Mar 27, 2017
Commits on Mar 22, 2017
  1. Reverting changes from PR #13044

    Revert "Make sure to call processElementTags with correct $maxIterations value"
    
    This reverts commit e37508e.
    opengeek committed Mar 22, 2017
  2. Merge pull request #13392 from opengeek/fix-parser-tests

    Comment out failing unit tests from #13044 for now
    opengeek committed on GitHub Mar 22, 2017
Commits on Mar 21, 2017
  1. Fixing ‘Code: 200 OK’ message in modx-combo-country

    Merge remote-tracking branch 'origin/pr/13385' into 2.5.x
    
    * origin/pr/13385:
      Fixing ‘Code: 200 OK’ message in modx-combo-country
    opengeek committed Mar 21, 2017
  2. Prevent warning from array_key_exists when aliasMap not available

    Merge remote-tracking branch 'origin/pr/13297' into 2.5.x
    
    * origin/pr/13297:
      Fix array_key_exists PHP warning. Avoid the following errors in the MODX error log `PHP warning: array_key_exists() expects parameter 2 to be array, null given` when the aliasMap is not available.
    opengeek committed Mar 21, 2017
  3. Fix broken images in File tree when media source above doc root

    Merge remote-tracking branch 'origin/pr/13293' into 2.5.x
    
    * origin/pr/13293:
      added missing modauth for modxcms/revolution#13292
      fix for modxcms/revolution#13292
    opengeek committed Mar 21, 2017
  4. Encode HTML in the template description to prevent potential XSS

    Merge remote-tracking branch 'origin/pr/13291' into 2.5.x
    
    * origin/pr/13291:
      Encode HTML in the template description to prevent potential XSS [#13290]
    opengeek committed Mar 21, 2017
  5. Call processElementTags with correct $maxIterations value on nested inner tags
    
    Merge remote-tracking branch 'origin/pr/13044' into 2.5.x
    
    * origin/pr/13044:
      revert last commit
      try to use `isRemovingUnprocessed` directly
      Make sure to call processElementTags with correct $maxIterations value
    opengeek committed Mar 21, 2017
Commits on Mar 20, 2017
  1. Use (but limit) setting for results per page in package management grid

    * origin/pr/13348:
      remove extraneous variable
      change math logic to limit system setting in package grid
      use system default per page on package management grid, up to a limit
      Remove override of results per page in package management grid (fixes #12518 #modxbughunt)
    opengeek committed Mar 20, 2017