Merge branch 'master' of github.com:vanilla/vanilla-patches
linc committed Mar 2, 2017
2 parents 95aa2b6 + 3f268d9 commit 18a449a
Showing 17 changed files with 111 additions and 38 deletions.
4 changes: 2 additions & 2 deletions applications/dashboard/controllers/class.entrycontroller.php
Expand Up @@ -1541,7 +1541,7 @@ private function registerBasic() {
$this->RedirectUrl = url($Route);
} else {
if ($Route !== false) {
redirect($Route);
safeRedirect($Route);
}
}
}
Expand Down Expand Up @@ -1668,7 +1668,7 @@ public function registerInvitation($InvitationCode = 0) {
$this->RedirectUrl = url($Route);
} else {
if ($Route !== false) {
redirect($Route);
safeRedirect($Route);
}
}
}
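Review bot: The `else` branch now goes through safeRedirect(), but the `if` branch just above it still assigns `url($Route)` to `$this->RedirectUrl` with no equivalent check, so whatever destination validation safeRedirect() performs is skipped for the client-side (JSON/JS) redirect path whenever `$Route` can be influenced by the request; the registerInvitation hunk below has the same asymmetry. If `$Route` is attacker-influenceable, validating it once before the `if`/`else` split, so both paths share the check, closes the gap more reliably than fixing only the server-side redirect. registerBasic() begins outside the hunk, so I cannot see where `$Route` comes from and this is inferred.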
11 changes: 10 additions & 1 deletion applications/dashboard/controllers/class.profilecontroller.php
Expand Up @@ -255,6 +255,10 @@ public function count($Column, $UserID = false) {
$UserID = Gdn::session()->UserID;
}

if ($UserID !== Gdn::session()->UserID) {
$this->permission('Garden.Settings.Manage');
}

$Count = $this->UserModel->profileCount($UserID, $Column);
$this->setData($Column, $Count);
$this->setData('_Value', $Count);
Expand Down Expand Up @@ -537,6 +541,10 @@ public function invitations($UserReference = '', $Username = '', $UserID = '') {
* - 1: Unset the force cookie and use the user agent to determine the theme.
*/
public function noMobile($type = 'desktop') {
if (!Gdn::request()->isAuthenticatedPostBack(true)) {
throw new Exception('Requires POST', 405);
}

$type = strtolower($type);

if ($type == '1') {
Expand All @@ -560,7 +568,8 @@ public function noMobile($type = 'desktop') {
safeCookie('X-UA-Device-Force', $type, $Expiration, $Path, $Domain);
}

redirect("/", 302);
$this->RedirectUrl = url('/');
$this->render('Blank', 'Utility', 'Dashboard');
}

/**
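Review bot: In the count() hunk, `$UserID !== Gdn::session()->UserID` strictly compares a route parameter (presumably a string) against the session's UserID (presumably an int), so a user requesting their own count by explicit ID will likely fail the identity test and be pushed through `Garden.Settings.Manage`. That fails closed, so it is not a hole, but it silently changes behaviour for legitimate callers; normalising both sides, `if ((int)$UserID !== (int)Gdn::session()->UserID) {`, keeps the intent. The userBookmarkCount hunk in the discussion controller below uses the same pattern. count() starts outside the hunk, so the parameter's type is inferred.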
Expand Up @@ -641,6 +641,11 @@ public function configuration() {
$this->deliveryMethod(DELIVERY_METHOD_JSON);
$this->deliveryType(DELIVERY_TYPE_DATA);

$transientKey = Gdn::request()->get('TransientKey');
if (Gdn::session()->validateTransientKey($transientKey) === false) {
throw new Gdn_UserException(t('Invalid CSRF token.', 'Invalid CSRF token. Please try again.'), 403);
}

$ConfigData = array(
'Title' => c('Garden.Title'),
'Domain' => c('Garden.Domain'),
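Review bot: The new CSRF check reads the token only from the query string via `Gdn::request()->get('TransientKey')`, which means the secret travels in the URL and ends up in access logs, browser history and Referer headers. Accepting the token from the request body or a request header as well, and preferring those, keeps the protection without exposing the key. The surrounding configuration() body is outside the hunk, so whether an endpoint-level permission check already precedes this is not visible here.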
Expand Up @@ -20,6 +20,7 @@ class StatisticsController extends DashboardController {
* Output available info.
*/
public function info() {
$this->permission('Garden.Settings.Manage');
$this->setData('FirstDate', Gdn::statistics()->firstDate());
$this->render();
}
Expand Down Expand Up @@ -131,6 +132,7 @@ public function index() {
* @access public
*/
public function verify() {
$this->permission('Garden.Settings.Manage');
$CredentialsValid = Gdn::statistics()->validateCredentials();
$this->setData('StatisticsVerified', $CredentialsValid);
$this->render();
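Review bot: The permission check is added to info() and verify() individually, which leaves any other action on StatisticsController unprotected by default and makes the next new method easy to forget. Moving the check into the controller's initialize(), `public function initialize() { parent::initialize(); $this->permission('Garden.Settings.Manage'); }`, makes every action fail closed unless one is deliberately opened up. The remaining methods of the class are outside the hunk, so I cannot confirm they lack the check.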
53 changes: 44 additions & 9 deletions applications/dashboard/controllers/class.utilitycontroller.php
Expand Up @@ -105,18 +105,46 @@ public function sort() {
* @param string $TransientKey A unique transient key to authenticate that the user intended to perform this action.
*/
public function set($UserPropertyColumn = '', $Name = '', $Value = '', $TransientKey = '') {
deprecated('set', '', 'February 2017');

$whiteList = [];

if (c('Garden.Profile.ShowActivities', true)) {
$whiteList = array_merge($whiteList, [
'Email.WallComment',
'Email.ActivityComment',
'Popup.WallComment',
'Popup.ActivityComment'
]);
}

$this->_DeliveryType = DELIVERY_TYPE_BOOL;
$Session = Gdn::session();
$Success = false;
if (in_array($UserPropertyColumn, array('preference', 'attribute'))
&& $Name != ''
&& $Value != ''
&& $Session->UserID > 0
&& $Session->validateTransientKey($TransientKey)
) {
$UserModel = Gdn::factory("UserModel");
$Method = $UserPropertyColumn == 'preference' ? 'SavePreference' : 'SaveAttribute';
$Success = $UserModel->$Method($Session->UserID, $Name, $Value) ? 'TRUE' : 'FALSE';

// Get index of whitelisted name
$index = array_search(strtolower($Name), array_map('strtolower', $whiteList));

if (!empty($whiteList) && $index !== false) {

// Force name to have casing present in whitelist
$Name = $whiteList[$index];

// Force value
if ($Value != '1') {
$Value = '0';
}

if (in_array($UserPropertyColumn, array('preference', 'attribute'))
&& $Name != ''
&& $Value != ''
&& $Session->UserID > 0
&& $Session->validateTransientKey($TransientKey)
) {
$UserModel = Gdn::factory("UserModel");
$Method = $UserPropertyColumn == 'preference' ? 'SavePreference' : 'SaveAttribute';
$Success = $UserModel->$Method($Session->UserID, $Name, $Value) ? 'TRUE' : 'FALSE';
}
}

if (!$Success) {
Expand Down Expand Up @@ -279,6 +307,13 @@ public function update() {

$this->fireEvent('AfterUpdate');

if ($this->deliveryType() === DELIVERY_TYPE_DATA) {
// Make sure that we do not disclose anything too sensitive here!
$this->Data = array_filter($this->Data, function($key) {
return in_array(strtolower($key), ['success', 'error']);
}, ARRAY_FILTER_USE_KEY);
}

$this->MasterView = 'empty';
$this->CssClass = 'Home';
$this->render();
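Review bot: The "Force value" step in set() uses a loose comparison, `if ($Value != '1')`, so numeric strings such as `'1.0'` or `'01'` compare equal to `'1'` and are saved verbatim instead of being normalised, which undercuts the intent of coercing the value to `'0'`/`'1'`. Writing it as `$Value = $Value === '1' ? '1' : '0';` makes the normalisation complete. In the same spirit, the `in_array` calls here and in the update() hunk's key filter should pass `true` as the third argument so the membership tests are strict.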
5 changes: 5 additions & 0 deletions applications/dashboard/modules/class.configurationmodule.php
Expand Up @@ -126,6 +126,11 @@ public function initialize($Schema = null) {
if (val('Crop', $Row, false)) {
$options['Crop'] = val('Crop', $Row);
}

// Old image to clean!
$options['CurrentImage'] = c($Name, false);

// Save the new image and clean up the old one.
$Form->saveImage($Name, $options);
}

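Review bot: The comment `// Old image to clean!` does not explain why the value is taken from config rather than from the form, which is the point of this line. Something like `// Resolve the image to clean up from config, not from the submitted form, so the client cannot choose the deletion target.` records the reasoning for the next maintainer. initialize() continues outside the hunk.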
4 changes: 2 additions & 2 deletions applications/dashboard/settings/class.hooks.php
Expand Up @@ -219,7 +219,7 @@ public function base_render_before($Sender) {
// Allow return to mobile site
$ForceNoMobile = val('X-UA-Device-Force', $_COOKIE);
if ($ForceNoMobile === 'desktop') {
$Sender->addAsset('Foot', wrap(Anchor(t('Back to Mobile Site'), '/profile/nomobile/1'), 'div'), 'MobileLink');
$Sender->addAsset('Foot', wrap(Anchor(t('Back to Mobile Site'), '/profile/nomobile/1', 'js-hijack'), 'div'), 'MobileLink');
}

// Allow global translation of TagHint
Expand Down Expand Up @@ -464,7 +464,7 @@ public function siteNavModule_init_handler($sender) {
// Add a link to the community home.
$sender->addLinkToGlobals(t('Community Home'), '/', 'main.home', '', -100, array('icon' => 'home'), false);
$sender->addGroupToGlobals('', 'etc', '', 100);
$sender->addLinkToGlobalsIf(Gdn::session()->isValid() && IsMobile(), t('Full Site'), '/profile/nomobile', 'etc.nomobile', '', 100, array('icon' => 'resize-full'));
$sender->addLinkToGlobalsIf(Gdn::session()->isValid() && IsMobile(), t('Full Site'), '/profile/nomobile', 'etc.nomobile', 'js-hijack', 100, array('icon' => 'resize-full'));
$sender->addLinkToGlobalsIf(Gdn::session()->isValid(), t('Sign Out'), SignOutUrl(), 'etc.signout', '', 100, array('icon' => 'signout'));
$sender->addLinkToGlobalsIf(!Gdn::session()->isValid(), t('Sign In'), SigninUrl(), 'etc.signin', '', 100, array('icon' => 'signin'));

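Review bot: Adding `js-hijack` to the nomobile anchors makes them depend on JavaScript to turn the click into a POST; with scripts disabled or failing, the plain GET will presumably hit the new `Requires POST` check in noMobile() and the user gets an error instead of a theme switch. If a no-JS path matters, render these as small POST forms (or accept that degradation and document it next to the links). The smarty plugin hunk in function.nomobile_link.php makes the same change and has the same fallback question.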
2 changes: 1 addition & 1 deletion applications/dashboard/views/modules/media-addon.php
Expand Up @@ -10,7 +10,7 @@
<div class="media-body">
<div class="media-heading">
<div class="media-title">
<?php echo $this->getTitleUrl() != '' ? anchor($this->getTitle(), $this->getTitleUrl()) : $this->getTitle(); ?>
<?php echo $this->getTitleUrl() != '' ? anchor(htmlspecialchars($this->getTitle()), $this->getTitleUrl()) : htmlspecialchars($this->getTitle()); ?>
<?php foreach(val('badges', $this->getOptions()) as $badge) : ?>
<span class="badge <?php echo val('cssClass', $badge); ?>"><?php echo val('text', $badge); ?></span>
<?php endforeach; ?>
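Review bot: The title is now escaped, but the badge loop two lines below still echoes `val('cssClass', $badge)` into an attribute and `val('text', $badge)` into element content unescaped; if badge options can come from addon metadata that is not fully trusted, the same output-encoding gap remains there. `htmlspecialchars()` is also called with defaults, so single quotes are not encoded and invalid UTF-8 yields an empty string on older PHP; `htmlspecialchars($this->getTitle(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` is the safer form. The media-callout.php and media-sm.php hunks below have the same default-flags issue.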
2 changes: 1 addition & 1 deletion applications/dashboard/views/modules/media-callout.php
Expand Up @@ -13,7 +13,7 @@
<?php } ?>
<div class="media-heading">
<h3 class="media-title theme-name">
<?php echo $this->getTitleUrl() != '' ? anchor($this->getTitle(), $this->getTitleUrl()) : $this->getTitle(); ?>
<?php echo $this->getTitleUrl() != '' ? anchor(htmlspecialchars($this->getTitle()), $this->getTitleUrl()) : htmlspecialchars($this->getTitle()); ?>
</h3>
<?php if ($this->getMeta()) { ?>
<div class="info">
2 changes: 1 addition & 1 deletion applications/dashboard/views/modules/media-sm.php
Expand Up @@ -9,7 +9,7 @@
<?php } ?>
<div class="media-body">
<div class="media-title">
<?php echo $this->getTitleUrl() != '' ? anchor($this->getTitle(), $this->getTitleUrl(), 'reverse-link') : $this->getTitle(); ?>
<?php echo $this->getTitleUrl() != '' ? anchor(htmlspecialchars($this->getTitle()), $this->getTitleUrl(), 'reverse-link') : htmlspecialchars($this->getTitle()); ?>
</div>
<?php if ($this->getDescription()) { ?>
<div class="media-description">
10 changes: 5 additions & 5 deletions applications/vanilla/controllers/class.discussioncontroller.php
Expand Up @@ -373,16 +373,16 @@ public function comment($CommentID) {
* @param string $TransientKey Single-use hash to prove intent.
*/
public function dismissAnnouncement($DiscussionID = '') {
// Make sure we are posting back.
if (!Gdn::request()->isAuthenticatedPostBack(true)) {
throw new Exception('Requires POST', 405);
}

// Confirm announcements may be dismissed
if (!c('Vanilla.Discussions.Dismiss', 1)) {
throw permissionException('Vanilla.Discussions.Dismiss');
}

// Make sure we are posting back.
if (!$this->Request->isPostBack()) {
throw permissionException('Javascript');
}

$Session = Gdn::session();
if (is_numeric($DiscussionID)
&& $DiscussionID > 0
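Review bot: The docblock above dismissAnnouncement() still documents `@param string $TransientKey Single-use hash to prove intent.` while the signature takes only `$DiscussionID`, and the hunk now relies on `isAuthenticatedPostBack(true)` for intent instead. Dropping that `@param` line and adding `@throws Exception When the request is not an authenticated POST.` brings the documentation in line with the new check. The method body continues outside the hunk.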
Expand Up @@ -538,6 +538,10 @@ public function userBookmarkCount($UserID = false) {
$UserID = Gdn::session()->UserID;
}

if ($UserID !== Gdn::session()->UserID) {
$this->permission('Garden.Settings.Manage');
}

if (!$UserID) {
$CountBookmarks = null;
} else {
2 changes: 1 addition & 1 deletion conf/constants.php
Expand Up @@ -13,7 +13,7 @@
define('PATH_CACHE', PATH_ROOT.'/cache');
}
if (!defined('PATH_UPLOADS')) {
define('PATH_UPLOADS', PATH_ROOT.'/uploads');
define('PATH_UPLOADS', PATH_ROOT.DS.'uploads');
}

// You should not change these paths.
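Review bot: PATH_UPLOADS now uses `PATH_ROOT.DS.'uploads'` while PATH_CACHE in the same hunk keeps the literal `'/cache'`, so the two definitions are built inconsistently for no visible reason. Either both should use `DS` or the change should be reverted for consistency; if `DS` is required here, it also needs to be defined before this file runs, which I cannot confirm from the hunk.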
13 changes: 13 additions & 0 deletions js/global.js
Expand Up @@ -1690,6 +1690,19 @@ jQuery(document).ready(function($) {
"q": query,
"limit": server_limit
}, function(data) {
if (Array.isArray(data)) {
data.forEach(function(result) {
if (typeof result === "object" && typeof result.name === "string") {
// Convert special characters to safely insert into template.
result.name = result.name.replace(/&/g, "&amp;")
.replace(/</g, "&lt;")
.replace(/>/g, "&gt;")
.replace(/"/g, "&quot;")
.replace(/'/g, "&apos;");
}
});
}

callback(data);

// If data is empty, cache the results to prevent
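Review bot: Only `result.name` is HTML-escaped, and it is escaped by mutating the response data before `callback(data)`, so any other string field the template inserts stays raw and any consumer that escapes on render will now double-encode the name. Escaping at the point of insertion into the template (or passing the text through a DOM text node) keeps encoding tied to the output context rather than to one field of the payload. The template that consumes `data` is outside the hunk, so which other fields it renders is not visible.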
4 changes: 3 additions & 1 deletion library/SmartyPlugins/function.nomobile_link.php
Expand Up @@ -19,5 +19,7 @@ function smarty_function_nomobile_link($Params, &$Smarty) {
$Wrap = val('wrap', $Params, 'li');
return Gdn_Theme::link('profile/nomobile',
val('text', $Params, t("Full Site")),
val('format', $Params, wrap('<a href="%url" class="%class">%text</a>', $Wrap)));
val('format', $Params, wrap('<a href="%url" class="%class">%text</a>', $Wrap)),
['Class' => 'js-hijack']
);
}
19 changes: 11 additions & 8 deletions library/core/class.form.php
Expand Up @@ -2723,10 +2723,12 @@ public function save() {
}

/**
* Save an image from a field and delete any old image that's been uploaded.
* Save an image from a field.
*
* @param string $Field The name of the field. The image will be uploaded with the _New extension while the current image will be just the field name.
* @param array $Options
* - CurrentImage: Current image to clean if the save is successful
* @return bool
*/
public function saveImage($Field, $Options = array()) {
$Upload = new Gdn_UploadImage();
Expand Down Expand Up @@ -2783,13 +2785,14 @@ public function saveImage($Field, $Options = array()) {
$Parsed = $Upload->saveImageAs($TmpName, $Name, val('Height', $Options, ''), val('Width', $Options, ''), $Options);
trace($Parsed, 'Saved Image');

$Current = $this->getFormValue($Field);
if ($Current && val('DeleteOriginal', $Options, true)) {
// Delete the current image.
trace("Deleting original image: $Current.");
if ($Current) {
$Upload->delete($Current);
}
if (val('DeleteOriginal', $Options, false)) {
deprecated('Option DeleteOriginal', 'CurrentImage');
}

$currentImage = val('CurrentImage', $Options, false);
if ($currentImage) {
trace("Deleting original image: $currentImage.");
$Upload->delete($currentImage);
}

// Set the current value.
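Review bot: The new `CurrentImage` option is handed straight to `$Upload->delete()`, and the removed lines show the old source was `$this->getFormValue($Field)`, i.e. client-supplied; the docblock should make explicit that callers must pass a server-resolved path, otherwise the next caller will simply plumb the form value back in. Suggested docblock addition for the option: `- CurrentImage: Server-side path of the existing image to delete on success. Never take this from the submitted form.` A light guard such as `if (is_string($currentImage) && $currentImage !== '') {` would also reject non-string values from `val()`. The rest of saveImage() is outside the hunk.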
7 changes: 1 addition & 6 deletions library/core/functions.error.php
Expand Up @@ -266,8 +266,7 @@ function Gdn_ExceptionHandler($Exception) {

if ($DeliveryType != DELIVERY_TYPE_ALL) {
if (!$Debug) {
echo '<b class="Bonk">Whoops! There was an error.</b>';
echo '<div class="BonkError Hidden">';
die('<b class="Bonk">Whoops! There was an error.</b>');
}

// This is an ajax request, so dump an error that is more eye-friendly in the debugger
Expand Down Expand Up @@ -309,10 +308,6 @@ function Gdn_ExceptionHandler($Exception) {
}
}
echo '</pre>';

if (!$Debug) {
echo '</div>';
}
} else {
// If the master view wasn't found, assume a panic state and dump the error.
if ($Master === false) {
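Review bot: Replacing the echo with `die(...)` stops the exception handler at that point, so any logging, status-code setting or cleanup that Gdn_ExceptionHandler performs later in the function would no longer run for non-debug, non-ALL deliveries; the rest of the handler is outside the hunk, so whether such steps exist there is inferred. If they do, move them ahead of this branch or log before terminating. Stylistically, `exit` with an explicit HTTP status set beforehand would make the intent clearer than `die` with a markup string.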
