Commit: 5b0be6799b4fcdb1d38eafda173e572cbf702ff1 - nucleus-jp-ancient (git) - Nucleus日本語版

R/O
HTTP
SSH
HTTPS

nucleus-jp-ancient: Commit

Nucleus CMS日本語版SVNをgit-svnしたもの。リポジトリの変換作業用

Commit MetaInfo

Revision	5b0be6799b4fcdb1d38eafda173e572cbf702ff1 (tree)
Zeit	2008-09-26 13:32:31
Autor	kimitake <kimitake@1ca2...>
Commiter	kimitake

Log Message

fixed XSS issue

git-svn-id: https://svn.sourceforge.jp/svnroot/nucleus-jp/nucleus-jp/tags/release-3-31-sp2@709 1ca29b6e-896d-4ea0-84a5-967f57386b96

Ändern Zusammenfassung

modified: euc/nucleus/libs/globalfunctions.php (diff)
modified: utf8/nucleus/documentation/history.html (diff)
modified: utf8/nucleus/libs/globalfunctions.php (diff)

Diff

--- a/euc/nucleus/libs/globalfunctions.php

+++ b/euc/nucleus/libs/globalfunctions.php

		@@ -307,6 +307,13 @@ if (!headers_sent() ) {
307	307	$language = getLanguageName();
308	308	include($DIR_LANG . ereg_replace( '[\\\|/]', '', $language) . '.php');
309	309
	310	+// check if valid charset
	311	+if (!encoding_check(false,false,_CHARSET)) {
	312	+ foreach(array($_REQUEST, $_SERVER) as $input) {
	313	+ array_walk($input, 'encoding_check');
	314	+ }
	315	+}
	316	+
310	317	/*
311	318	Backed out for now: See http://forum.nucleuscms.org/viewtopic.php?t=3684 for details
312	319

		@@ -551,6 +558,13 @@ function sendContentType($contenttype, $pagetype = '', $charset = _CHARSET) {
551	558	} else {
552	559	header('Content-Type: ' . $contenttype);
553	560	}
	561	+
	562	+ // check if valid charset
	563	+ if (!encoding_check(false,false,$charset)) {
	564	+ foreach(array($_REQUEST, $_SERVER) as $input) {
	565	+ array_walk($input, 'encoding_check');
	566	+ }
	567	+ }
554	568	}
555	569	}
556	570

		@@ -558,9 +572,11 @@ function sendContentType($contenttype, $pagetype = '', $charset = _CHARSET) {
558	572	* Errors before the database connection has been made
559	573	*/
560	574	function startUpError($msg, $title) {
	575	+ if (!defined('_CHARSET')) define('_CHARSET','iso-8859-1');
	576	+ header('Content-Type: text/html; charset=' . _CHARSET);
561	577	?>
562	578	<html xmlns="http://www.w3.org/1999/xhtml">
563		- <head><meta http-equiv="Content-Type" content="text/html; charset=EUC-JP" />
	579	+ <head><meta http-equiv="Content-Type" content="text/html; charset=<?php echo _CHARSET?>" />
564	580	<title><?php echo htmlspecialchars($title)?></title></head>
565	581	<body>
566	582	<h1><?php echo htmlspecialchars($title)?></h1>

		@@ -1495,6 +1511,69 @@ function formatDate($format, $timestamp, $defaultFormat, &$blog) {
1495	1511	}
1496	1512	}
1497	1513
	1514	+function encoding_check($val, $key, $encoding=false, $exclude=false) {
	1515	+ /*
	1516	+ When 3rd argument is set, return if checked already.
	1517	+ When 4th argument is set, set the excluded key(s).
	1518	+ */
	1519	+ static $search=false, $checked=array(), $excludes=array();
	1520	+ if ($exclude!==false) {
	1521	+ if (is_array($exclude)) {
	1522	+ foreach($exclude as $v) $excludes[$v]=true;
	1523	+ } else $excludes[$excludes]=true;
	1524	+ return;
	1525	+ }
	1526	+ if ($encoding!==false) {
	1527	+ switch($encoding=strtolower($encoding)){
	1528	+ case 'utf-8':
	1529	+ $search='/^([\x00-\x7F]+'.
	1530	+ '\|[\xC2-\xDF][\x80-\xBF]'.
	1531	+ '\|[\xE0-\xEF][\x80-\xBF][\x80-\xBF]'.
	1532	+ '\|[\xF0-\xF7][\x80-\xBF][\x80-\xBF][\x80-\xBF]'.
	1533	+ '\|[\xF8-\xFB][\x80-\xBF][\x80-\xBF][\x80-\xBF][\x80-\xBF]'.
	1534	+ '\|[\xFC-\xFD][\x80-\xBF][\x80-\xBF][\x80-\xBF][\x80-\xBF][\x80-\xBF])*/';
	1535	+ break;
	1536	+ case 'euc-jp':
	1537	+ $search='/^([\x00-\x7F]+'.
	1538	+ '\|[\x8E][\xA0-\xDF]'.
	1539	+ '\|[\x8F]?[\xA1-\xFE][\xA1-\xFE])*/';
	1540	+ break;
	1541	+ case 'gb2312':
	1542	+ $search='/^([\x00-\x7F]+'.
	1543	+ '\|[\xA1-\xF7][\xA1-\xFE])*/';
	1544	+ break;
	1545	+ default:
	1546	+ $search=false;
	1547	+ if (preg_match('/^iso\-8859\-[0-9]{1,2}$/',$encoding)) break;
	1548	+ if (preg_match('/^windows\-125[0-8]$/',$encoding)) break;
	1549	+ startUpError('<p>Unknown or non-supported encoding.</p>', 'Encoding Error');
	1550	+ exit;
	1551	+ }
	1552	+ if (isset($checked[$encoding])) return true; // Already checked.
	1553	+ $checked[$encoding]=true;
	1554	+ }
	1555	+ if ($key===false) return false; // Not yet checked.
	1556	+ if ($search===false) return true; // non-multibyte encoding
	1557	+ if (isset($excludes[$key])) return true; // This key isn't checked.
	1558	+ if (is_array($val)) {
	1559	+ array_walk($val, 'encoding_check');
	1560	+ } else {
	1561	+ preg_match($search,$val,$m);
	1562	+ $val2 = (string)$m[0];
	1563	+ if (!($val2 === (string)$val)) {
	1564	+ startUpError('<p>Invalid input.</p>', 'Input Error');
	1565	+ exit;
	1566	+ }
	1567	+ }
	1568	+ preg_match($search,$key,$m);
	1569	+ $key2 = (string)$m[0];
	1570	+ if (!($key2 === (string)$key)) {
	1571	+ startUpError('<p>Invalid input.</p>', 'Input Error');
	1572	+ exit;
	1573	+ }
	1574	+ return true;
	1575	+}
	1576	+
1498	1577	function checkVars($aVars) {
1499	1578	global $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_COOKIE_VARS, $HTTP_ENV_VARS, $HTTP_POST_FILES, $HTTP_SESSION_VARS;
1500	1579

--- a/utf8/nucleus/documentation/history.html

+++ b/utf8/nucleus/documentation/history.html

		@@ -1,10 +1,23 @@
	1	+<?xml version="1.0" encoding="UTF-8"?>
1	2	<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
2	3	<html xmlns="http://www.w3.org/1999/xhtml" lang="ja-JP" xml:lang="ja-JP">
3	4	<head>
4	5	<!-- $Id: history.html,v 1.13 2007-05-01 06:00:28 kimitake Exp $ -->
5	6	<!-- $NucleusJP: history.html,v 1.12 2007/03/12 05:34:46 kimitake Exp $ -->
	7	+ <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
	8	+ <meta http-equiv="Content-Style-Type" content="text/css" />
	9	+ <meta http-equiv="Content-Script-Type" content="text/javascript" />
	10	+ <link rel="index" href="./index.html" />
6	11	<title>Nucleus - History</title>
7	12	<link rel="stylesheet" type="text/css" href="styles/manual.css" />
	13	+ <style type="text/css">
	14	+ strong {
	15	+ font-weight: bold;
	16	+ }
	17	+ em {
	18	+ font-style: italic;
	19	+ }
	20	+ </style>
8	21	</head>
9	22	<body>
10	23

		@@ -16,9 +29,45 @@
16	29
17	30	<ul>
18	31	<li>
19		- <b>Nucleus v3.3 "Lithium" (Beta - March 11, 2007)</b>
	32	+ <strong>Nucleus v3.31 SP2 (EUC-JP only) (September 26, 2008)</strong>
20	33	<ul>
21		- <li>FIXED: allow + in email address, see <a href="http://forum.nucleuscms.org/viewtopic.php?t=14207">here</a> (wgroleau)</li>
	34	+ <li>FIXED: An XSS issue</li>
	35	+ </ul>
	36	+ </li>
	37	+ <li>
	38	+ <strong>Nucleus v3.31 SP1 (February 5, 2008)</strong>
	39	+ <ul>
	40	+ <li>FIXED: An XSS issue</li>
	41	+ <li>CHANGED(JP): (<a href="http://nucleus-jp.sourceforge.jp/tracker/?do=details&id=83">#83(JP)</a>): ブックマークレットの高さを50ピクセル追加. (kmorimatsu)</li>
	42	+ <li>CHANGED(JP): (<a href="http://nucleus-jp.sourceforge.jp/tracker/?do=details&id=84">#84(JP)</a>): To avoid showing ticket in the URL, redirect to pluginlist, instead. (kmorimatsu)</li>
	43	+ <li>ADDED: add <code>createaccount.html</code> with a redirect to <code>createaccount.php</code> for backward compatibility with the old location of the form</li>
	44	+ <li>CHANGED: protect the 'create account form' against abuse: show the form only if needed and add FormExtra (e.g. Captcha) and ValidateForm (to validate input) events (ftruscot and kaigreve)</li>
	45	+ <li>FIXED: bug in upgrade script (admun)</li>
	46	+ <li>CHANGED: update xmlrpc client to version 2.2, this version supports PHP 5.2.x (kimitake)</li>
	47	+ <li>CHANGED: use require instead of include for the file inclusion (kimitake)</li>
	48	+ <li>CHANGED: rollback benchmark default skin (admun)</li>
	49	+ <li>FIXED: possible security problem in NP_Ping (admun)</li>
	50	+ <li>ADDED: NP_Ping sends ping for future post via JustPosted event (admun)</li>
	51	+ <li>ADDED: JustPosted event (admun)</li>
	52	+ <li>ADDED: move weblogs.com ping function into plugin (admun)</li>
	53	+ </ul>
	54	+ </li>
	55	+ <li>
	56	+ <strong>Nucleus v3.3 (May 1, 2007)</strong>
	57	+ <ul>
	58	+ <li>ADDED: add description of charset skin variable to documentation.(JP) (shizuki)</li>
	59	+ <li>FIXED: fix description of if/else/endif skin variables to documentation, inlcuding ifnot, elseif, and elseifnot (JP) (shizuki)</li>
	60	+ <li>ADDED: add description of the doIf function to the plugin documentation (JP) (shizuki)</li>
	61	+ <li>ADDED: NP_Ping sends ping for future post via JustPosted event (admun)</li>
	62	+ <li>ADDED: JustPosted event (admun)</li>
	63	+ <li>ADDED: move weblogs.com ping function into plugin (admun)</li>
	64	+ <li>ADDED: Serveral changes and fixes from Nucleus Japan (details in the log files of the <a href="http://sourceforge.net/svn/?group_id=66479">Nucleus repository</a> at sourceforge.net)</li>
	65	+ <li>ADDED: Sanitize parameters such as $_GET and $_SERVER['REQUEST_URI'] etc. to avoid XSS (from Nucleus Japan)</li>
	66	+ <li>ADDED: (<a href="http://nucleus-jp.sourceforge.jp/tracker/?do=details&id=45">#45</a> from the Japanese Tracker): include code from NP_0TicketForPlugin in the core (Changes from Nucleus Japan)</li>
	67	+ <li>ADDED: new events for Media upload: PreMediaUpload and PostMediaUpload (kaigreve)</li>
	68	+ <li>ADDED: new skinvar bloglist (kaigreve)</li>
	69	+ <li>ADDED: new method for URL rewriting with the global variable virtualpath, new .htaccess file can be found in the folder extra/fancyurl-2, more information <a href="http://forum.nucleuscms.org/viewtopic.php?t=12241">forum(Another approach to Fancy URLs)</a> (kaigreve and Legolas)</li>
	70	+ <li>FIXED: allow + in email address, see <a href="http://forum.nucleuscms.org/viewtopic.php?t=14207">forum(Minor bug fix in globalfunctions.php)</a> (wgroleau)</li>
22	71	<li>FIXED: XHTML compliance in default skin (admun)</li>
23	72	<li>FIXED (<a href="http://dev.nucleuscms.org/tracker/index.php?id=80&do=details">#80</a>): Atom 1.0 support (rakaz)</li>
24	73	<li>FIXED (<a href="http://dev.nucleuscms.org/tracker/index.php?id=129&do=details">#129</a>): Plugin API: SpamCheck event called from core. (rakaz)</li>

		@@ -44,36 +93,36 @@
44	93	<li>ADDED: (bug 817364): delete member enhancement (admun)</li>
45	94	<li>ADDED: Auto save draft (Legolas)</li>
46	95	<li>ADDED: Custom skin parts (tutorio)</li>
47		- <li>CHANGED(JP): (<a href="http://nucleus-jp.sourceforge.jp/tracker/?do=details&id=39">#39(JP)</a>): reverted content type for admin area (Kimitake)</li>
48		- <li>FIXED(JP): (<a href="http://nucleus-jp.sourceforge.jp/tracker/?do=details&id=40">#40(JP)</a>): fixed PostAddCategory event (Kimitake)</li>
49		- <li>FIXED(JP): (<a href="http://nucleus-jp.sourceforge.jp/tracker/?do=details&id=41">#41(JP)</a>): fixed dropped info during backing up (Katsumi)</li>
50		- <li>FIXED(JP): (<a href="http://nucleus-jp.sourceforge.jp/tracker/?do=details&id=42">#42(JP)</a>): atom feed template specifies xml:lang but it is en-us, it should be ja, in install.sql (Kimitake)</li>
51		- <li>FIXED(JP): (<a href="http://nucleus-jp.sourceforge.jp/tracker/?do=details&id=45">#45(JP)</a>: added NP_0TicketForPlugin security patch (Katsumi)</li>
52		- <li>FIXED(JP): (<a href="http://nucleus-jp.sourceforge.jp/tracker/?do=details&id=46">#46(JP)</a>: fixed date format for draft entry (Kimitake)</li>
53		- <li>CHANGED(JP): (<a href="http://nucleus-jp.sourceforge.jp/tracker/?do=details&id=48">#48(JP)</a>: Super-admin always can login to admin page (Kimitake)</li>
54		- <li>FIXED(JP): (<a href="http://nucleus-jp.sourceforge.jp/tracker/?do=details&id=49">#49(JP)</a>: PLUGIN::getAllItemOptions does not work correctly. (NKJG)</li>
55		- <li>FIXED(JP): (<a href="http://nucleus-jp.sourceforge.jp/tracker/?do=details&id=56">#56(JP)</a>: When creating db backup, the key length drops (Katsumi)</li>
56		- <li>FIXED(JP): (<a href="http://nucleus-jp.sourceforge.jp/tracker/?do=details&id=57">#57(JP)</a>: SQL error happens when updating plugin option. (Katsumi)</li>
57		- <li>FIXED(JP): (<a href="http://nucleus-jp.sourceforge.jp/tracker/?do=details&id=60">#60(JP)</a>: Item link in notification email is wrong. (Shizuki)</li>
58		- <li>FIXED(JP): (<a href="http://nucleus-jp.sourceforge.jp/tracker/?do=details&id=62">#62(JP)</a>: email address is not referred in <%usermail%>. (Shizuki)</li>
59		- <li>FIXED(JP): (<a href="http://nucleus-jp.sourceforge.jp/tracker/?do=details&id=66">#66(JP)</a>: Even if calling PostPluginOptionsUpdate, getOption does not returns correct value. (Katsumi)</li>
60		- <li>ADDED(JP): (<a href="http://nucleus-jp.sourceforge.jp/tracker/?do=details&id=68">#68(JP)</a>: Encrypted cookie key. (Katsumi)</li>
	96	+ <li>CHANGED(JP): (<a href="http://nucleus-jp.sourceforge.jp/tracker/?do=details&id=39">#39(JP)</a>): reverted content type for admin area (Kimitake)</li>
	97	+ <li>FIXED(JP): (<a href="http://nucleus-jp.sourceforge.jp/tracker/?do=details&id=40">#40(JP)</a>): fixed PostAddCategory event (Kimitake)</li>
	98	+ <li>FIXED(JP): (<a href="http://nucleus-jp.sourceforge.jp/tracker/?do=details&id=41">#41(JP)</a>): fixed dropped info during backing up (Katsumi)</li>
	99	+ <li>FIXED(JP): (<a href="http://nucleus-jp.sourceforge.jp/tracker/?do=details&id=42">#42(JP)</a>): atom feed template specifies xml:lang but it is en-us, it should be ja, in install.sql (Kimitake)</li>
	100	+ <li>FIXED(JP): (<a href="http://nucleus-jp.sourceforge.jp/tracker/?do=details&id=45">#45(JP)</a>: added NP_0TicketForPlugin security patch (Katsumi)</li>
	101	+ <li>FIXED(JP): (<a href="http://nucleus-jp.sourceforge.jp/tracker/?do=details&id=46">#46(JP)</a>: fixed date format for draft entry (Kimitake)</li>
	102	+ <li>CHANGED(JP): (<a href="http://nucleus-jp.sourceforge.jp/tracker/?do=details&id=48">#48(JP)</a>: Super-admin always can login to admin page (Kimitake)</li>
	103	+ <li>FIXED(JP): (<a href="http://nucleus-jp.sourceforge.jp/tracker/?do=details&id=49">#49(JP)</a>: PLUGIN::getAllItemOptions does not work correctly. (NKJG)</li>
	104	+ <li>FIXED(JP): (<a href="http://nucleus-jp.sourceforge.jp/tracker/?do=details&id=56">#56(JP)</a>: When creating db backup, the key length drops (Katsumi)</li>
	105	+ <li>FIXED(JP): (<a href="http://nucleus-jp.sourceforge.jp/tracker/?do=details&id=57">#57(JP)</a>: SQL error happens when updating plugin option. (Katsumi)</li>
	106	+ <li>FIXED(JP): (<a href="http://nucleus-jp.sourceforge.jp/tracker/?do=details&id=60">#60(JP)</a>: Item link in notification email is wrong. (Shizuki)</li>
	107	+ <li>FIXED(JP): (<a href="http://nucleus-jp.sourceforge.jp/tracker/?do=details&id=62">#62(JP)</a>: email address is not referred in <%usermail%>. (Shizuki)</li>
	108	+ <li>FIXED(JP): (<a href="http://nucleus-jp.sourceforge.jp/tracker/?do=details&id=66">#66(JP)</a>: Even if calling PostPluginOptionsUpdate, getOption does not returns correct value. (Katsumi)</li>
	109	+ <li>ADDED(JP): (<a href="http://nucleus-jp.sourceforge.jp/tracker/?do=details&id=68">#68(JP)</a>: Encrypted cookie key. (Katsumi)</li>
61	110	</ul>
62	111	</li>
63	112	<li>
64		- <b>Nucleus v3.24 (November 11, 2006)</b>
	113	+ <strong>Nucleus v3.24 (November 11, 2006)</strong>
65	114	<ul>
66	115	<li>FIXED: XSS issue (reported by <a href="http://www.jpcert.or.jp/">JPCERT/CC</a>).</li>
67	116	</ul>
68	117	</li>
69	118	<li>
70		- <b>Nucleus v3.23 (May 23, 2006)</b>
	119	+ <strong>Nucleus v3.23 (May 23, 2006)</strong>
71	120	<ul>
72	121	<li>FIXED: Remote code execution vulnerability (reported by rgod).</li>
73	122	</ul>
74	123	</li>
75	124	<li>
76		- <b>Nucleus v3.22 (August 21, 2005)</b>
	125	+ <strong>Nucleus v3.22 (August 21, 2005)</strong>
77	126	<ul>
78	127	<li>FIXED: Major security vulnerability in the phpxmlrpc library.</li>
79	128	<li>FIXED: New NP_SkinFiles version, fixing a minor security issue. (rakaz)</li>

		@@ -85,7 +134,7 @@
85	134	<li>FIXED (<a href="http://dev.nucleuscms.org/tracker/index.php?do=details&id=49">#49</a>): 'name clashes' warning on skin import no longer displayed when no clashes detected (karma)</li>
86	135	<li>FIXED (<a href="http://dev.nucleuscms.org/tracker/index.php?do=details&id=67">#67</a>): Add resilency to upgrade scripts (Frankenstein)</li>
87	136	<li>FIXED (<a href="http://dev.nucleuscms.org/tracker/index.php?do=details&id=88">#88</a>): PHP5.1: "Fatal error: Only variables can be passed by reference" (karma)</li>
88		- <li>FIXED (<a href="http://dev.nucleuscms.org/tracker/index.php?do=details&id=87">#87</a>): Translate & -> &amp; when links added via toolbar (karma)</li>
	137	+ <li>FIXED (<a href="http://dev.nucleuscms.org/tracker/index.php?do=details&id=87">#87</a>): Translate & -> &amp; when links added via toolbar (karma)</li>
89	138	<li>FIXED (<a href="http://dev.nucleuscms.org/tracker/index.php?do=details&id=42">#42</a>): <code>formatDate</code> didn't always use the correct timezone (karma)</li>
90	139	<li>FIXED (<a href="http://dev.nucleuscms.org/tracker/index.php?do=details&id=43">#43</a>): Only load user language file when logged in (karma).</li>
91	140	<li>FIXED (<a href="http://dev.nucleuscms.org/tracker/index.php?do=details&id=76">#76</a>): Disabling site blocked admin menu access (karma).</li>

		@@ -106,13 +155,13 @@
106	155	</ul>
107	156	</li>
108	157	<li>
109		- <b>Nucleus v3.21 (June 30, 2005)</b>
	158	+ <strong>Nucleus v3.21 (June 30, 2005)</strong>
110	159	<ul>
111	160	<li>FIXED: <a href="http://secunia.com/advisories/15852/">XML-RPC for PHP Unspecified PHP Code Execution Vulnerability</a></li>
112	161	</ul>
113	162	</li>
114	163	<li>
115		- <b>Nucleus v3.2 (March 7, 2005)</b>
	164	+ <strong>Nucleus v3.2 (March 7, 2005)</strong>
116	165	<ul>
117	166	<li>ADDED: <a href="http://wiki.gednet.com/NPSkinFiles">NP_SkinFiles</a> plugin installed on full install</li>
118	167	<li>FIXED: Installing plugins through install.php failed (karma)</li>

		@@ -148,7 +197,7 @@
148	197	</ul>
149	198	</li>
150	199	<li>
151		- <b>Nucleus v3.15 (November 14, 2004)</b>
	200	+ <strong>Nucleus v3.15 (November 14, 2004)</strong>
152	201	<ul>
153	202	<li>FIXED: Some XSS issues, as reported by Alexander Antipov</li>
154	203	<li>FIXED: Validate data that is sent as HTTP headers (redirects etc) (karma)</li>

		@@ -175,7 +224,7 @@
175	224	</ul>
176	225	</li>
177	226	<li>
178		- <b>Nucleus v3.1 (July 28, 2004)</b>
	227	+ <strong>Nucleus v3.1 (July 28, 2004)</strong>
179	228	<ul>
180	229	<li>FIXED: Nucleus v3.01 was missing a fix in <code>backup.php</code>, which could cause fulltext key info not to be backed up correctly</li>
181	230	<li>ADDED: support for patch levels, so plugin API enhancements can be distributed to power users earlier (<a href="http://forum.nucleuscms.org/viewtopic.php?t=4142" title="More info...">suggested</a> by TeRanEX)</li>

		@@ -197,7 +246,7 @@
197	246	</ul>
198	247	</li>
199	248	<li>
200		- <b>Nucleus v3.01 (July 13, 2004)</b>
	249	+ <strong>Nucleus v3.01 (July 13, 2004)</strong>
201	250	<ul>
202	251	<li>FIXED: PHP5: Links to plugin admin area broken (radekradek)</li>
203	252	<li>FIXED: bug 966011, skins created with v2.0 could not be imported (karma)</li>

		@@ -205,7 +254,7 @@
205	254	</ul>
206	255	</li>
207	256	<li>
208		- <b>Nucleus v3.0 (May 30, 2004)</b>
	257	+ <strong>Nucleus v3.0 (May 30, 2004)</strong>
209	258	<ul>
210	259	<li>FIXED: When adding a weblog, select globally defined default skin by default (TeRanEX)</li>
211	260	<li>FIXED: CSS conflict in default skin (moraes)</li>

		@@ -235,7 +284,7 @@
235	284	</ul>
236	285	</li>
237	286	<li>
238		- <b>Nucleus v3.0 RC (April 27, 2004)</b>
	287	+ <strong>Nucleus v3.0 RC (April 27, 2004)</strong>
239	288	<ul>
240	289	<li>CHANGED: Labeled it v3.0, since users started believing "2.5 beta == 25 final"</li>
241	290	<li>FIXED: XML-RPC: <code>metaWeblog.editPost</code> assigned the default category again when no categories were passed along (karma).</li>

		@@ -281,7 +330,7 @@
281	330	</ul>
282	331	</li>
283	332	<li>
284		- <b>Nucleus v2.5 beta (October 11, 2003)</b>
	333	+ <strong>Nucleus v2.5 beta (October 11, 2003)</strong>
285	334	<ul>
286	335	<li>ADDED: <code>if(previtem)</code>, <code>if(nextitem)</code> and <code>if(skintype,<em>typename</em>)</code> skinvars.</li>
287	336	<li>FIXED: RSS conditional GET wasn't working correctly (Visa Kopu)</li>

		@@ -330,7 +379,7 @@
330	379	</ul>
331	380	</li>
332	381	<li>
333		- <b>Nucleus v2.0 Final (April 3, 2003)</b>
	382	+ <strong>Nucleus v2.0 Final (April 3, 2003)</strong>
334	383	<ul>
335	384	<li>FIXED: renamed the <code>xmlrpc_encode</code> and <code>xmlrpc_decode</code> methods in <code>xmlrpc.inc.php</code>, avoiding naming conflicts on some PHP configurations that are compiled with XMLRPC support</li>
336	385	<li>FIXED: restore did not work on some PHP configurations, and did not correctly recognize <code>application/x-gzip</code> encoding type</li>

		@@ -360,7 +409,7 @@
360	409	</ul>
361	410	</li>
362	411	<li>
363		- <b>Nucleus v2.0 beta (January 18, 2003)</b>
	412	+ <strong>Nucleus v2.0 beta (January 18, 2003)</strong>
364	413	<ul>
365	414	<li>FIXED: Highlighted text no longer has <!--h--> in it</li>
366	415	<li>ADDED; Plugin hook: PostAuthentication</li>

		@@ -429,7 +478,7 @@
429	478	</ul>
430	479	</li>
431	480	<li>
432		- <b>Nucleus v1.55 (August 26, 2002)</b>
	481	+ <strong>Nucleus v1.55 (August 26, 2002)</strong>
433	482	<ul>
434	483	<li>ADDED: <%archivedaylist%> and <%otherarchivedaylist%> skinvars (to show archives by day instead of by month)</li>
435	484	<li>FIXED: PHP error on createAccount through action.php</li>

		@@ -460,11 +509,11 @@
460	509	</ul>
461	510	</li>
462	511	<li>
463		- <b>Nucleus v1.5 (August 13, 2002)</b>
	512	+ <strong>Nucleus v1.5 (August 13, 2002)</strong>
464	513	<ul>
465	514	<li>ADDED: Introducing plugins (define your own skinvars and templatevars, add event listeners, ...)</li>
466	515	<li>CHANGED: simpler and more accessible default templates/skins</li>
467		- <li>FIXED: GreyMatter convert now works when the <tt>asp_tags</tt> option in PHP is enabled</li>
	516	+ <li>FIXED: GreyMatter convert now works when the <code>asp_tags</code> option in PHP is enabled</li>
468	517	<li>ADDED: title and authorName fields in Blogger API getRecentItems call</li>
469	518	<li>ADDED: HTML label tags for radio buttons and checkboxes (this way you can click anywhere on the text instead of only on the radio button/checkbox itself)</li>
470	519	<li>FIXED: deleting a comment you made in a blog that's not your own resulted in a 'disallowed action' error (thanks moraes)</li>

		@@ -486,7 +535,7 @@
486	535	<li>ADDED: PHP and MySQL versions are listed during the installation proces, with warnings when those version numbers are lower than what Nucleus requires</li>
487	536	<li>CHANGED: item parsing method changed, so it's more easily extensible. plugin, parsedinclude, include and phpinclude are now also allowed in some templates. Inside items, there are also 3 allowed variables: 'image', 'media' and 'popup'</li>
488	537	<li>FIXED: image popups didn't work with register_globals disabled</li>
489		- <li>CHANGED: renamed method: getBlogidFromName -> getBlogIDFromName (consistency)</li>
	538	+ <li>CHANGED: renamed method: getBlogidFromName -> getBlogIDFromName (consistency)</li>
490	539	<li>ADDED: method selectCategory($name)</li>
491	540	<li>FIXED: Nucleus now handles data correctly when magic_quotes_gpc is disabled (solves some problems with template editing)</li>
492	541	<li>CHANGED: categories in selection box are now sorted by name (tip from katatonik)</li>

		@@ -505,7 +554,7 @@
505	554	<li>ADDED: left and right box buttons on JS toolbar</li>
506	555	<li>FIXED: truncated entry when login is requested after adding (data didn't get passed on correctly)</li>
507	556	<li>ADDED: <%authorlink%> to template vars for item templates (this one can take catid into account)</li>
508		- <li>ADDED: $CONF['Self'] => $CONF['ItemURL'], $CONF['IndexURL'], ... to optionally allow people to use different files for items/archives/...</li>
	557	+ <li>ADDED: $CONF['Self'] => $CONF['ItemURL'], $CONF['IndexURL'], ... to optionally allow people to use different files for items/archives/...</li>
509	558	<li>CHANGED: Now using mysql_fetch_assoc instead of mysql_fetch_array (efficiency)</li>
510	559	<li>CHANGED: The <%searchresults%> and <%othersearchresults%> skintags got an extra parameter to limit the number of results (defaults to 50)</li>
511	560	<li>FIXED: doError did not take into account chosen skin</li>

		@@ -525,7 +574,7 @@
525	574	</ul>
526	575	</li>
527	576	<li>
528		- <b>Nucleus v1.1 (April 30, 2002)</b>
	577	+ <strong>Nucleus v1.1 (April 30, 2002)</strong>
529	578	<ul>
530	579	<li>Started assuming that at least PHP 4.0.5 is available. (for older PHP versions, some small code-changes should do the trick)</li>
531	580	<li>Added bookmarklets for Mac/IE5 users and Mozilla. Also, made the title of the page also show up in the title field of the new item. Makes more sense. <small>(thanks to <a href="http://www.35mm.org">Ricardo Lamego</a>)</small></li>

		@@ -616,7 +665,7 @@
616	665	</ul>
617	666	</li>
618	667	<li>
619		- <b>Nucleus v1.0 (March 6, 2002)</b>
	668	+ <strong>Nucleus v1.0 (March 6, 2002)</strong>
620	669	<ul>
621	670	<li>Fixed: width & height of <%image()%> construct</li>
622	671	<li>Changed: windows in popup windows don't have a white border anymore <small>(<a href="http://www.nucleuscms.org/forum/viewtopic.php?t=3">see forum</a>)</small>

		@@ -654,7 +703,7 @@
654	703	</ul>
655	704	</li>
656	705	<li>
657		- <b>Nucleus v0.96 (December 13, 2001)</b>
	706	+ <strong>Nucleus v0.96 (December 13, 2001)</strong>
658	707	<ul>
659	708	<li>Added: add-item-preview now also in admin area</li>
660	709	<li>Added: action log</li>

		@@ -681,7 +730,7 @@
681	730	</ul>
682	731	</li>
683	732	<li>
684		- <b>Nucleus v0.95 (October 10, 2001)</b>
	733	+ <strong>Nucleus v0.95 (October 10, 2001)</strong>
685	734	<ul>
686	735	<li>Added: per-blog setting to enable/disable line break conversion</li>
687	736	<li>Added: per-blog setting to send a ping to Userland (weblogs.com) when you update your blog. This way, you'll be able to end up in the weblogs.com update-list</li>

		@@ -692,10 +741,10 @@
692	741	</ul>
693	742	</li>
694	743	<li>
695		- <b>Nucleus v0.94 (September 27, 2001)</b>
	744	+ <strong>Nucleus v0.94 (September 27, 2001)</strong>
696	745	<ul>
697	746	<li>Changed: 'Add Item' in admin-area now redirects to blog url (if available)</li>
698		- <li>Changed: <i>headlines.php</i> and <i>xml-rss.php</i> adapted to behave better in disabled-site situations</li>
	747	+ <li>Changed: <em>headlines.php</em> and <em>xml-rss.php</em> adapted to behave better in disabled-site situations</li>
699	748	<li>Changed: <%userlink%> got smarter in recognizing e-mail addresses</li>
700	749	<li>Added: tabindices in forms to make traversal with the TAB-button more natural</li>
701	750	<li>Fixed: bookmarklet login did not pass data correctly</li>

		@@ -709,7 +758,7 @@
709	758	</ul>
710	759	</li>
711	760	<li>
712		- <b>Nucleus v0.93 (September 19, 2001)</b>
	761	+ <strong>Nucleus v0.93 (September 19, 2001)</strong>
713	762	<ul>
714	763	<li>Added: friendly error message on error with nucleusdir definition in config.php</li>
715	764	<li>Changed: call_user_func instead of eval</li>

		@@ -724,7 +773,7 @@
724	773	</ul>
725	774	</li>
726	775	<li>
727		- <b>Nucleus v0.92 (September 18, 2001)</b>
	776	+ <strong>Nucleus v0.92 (September 18, 2001)</strong>
728	777	<ul>
729	778	<li>GM conversion: {{linkmo and {{emailmo conversion now also works with PHP versions < 4.0.4</li>
730	779	<li>GM conversion: Fixed occasional JavaScript errors with {{linkmo and {{emailmo</li>

		@@ -741,13 +790,13 @@
741	790	</ul>
742	791	</li>
743	792	<li>
744		- <b>Nucleus v0.91 (September 15, 2001)</b>
	793	+ <strong>Nucleus v0.91 (September 15, 2001)</strong>
745	794	<ul>
746	795	<li>Improved conversion for GreyMatter blogs. Special markup commands are now recognized. (thanks to <a href="http://www.elrado.nl/">Raoul</a> for pointing this out)</li>
747	796	</ul>
748	797	</li>
749	798	<li>
750		- <b>Nucleus v0.90 [beta 2 release] (September 14, 2001)</b>
	799	+ <strong>Nucleus v0.90 [beta 2 release] (September 14, 2001)</strong>
751	800	<ul>
752	801	<li>an install-script is now available, no more messing around in shells</li>
753	802	<li>created default skins/templates for a release version</li>

		@@ -770,7 +819,7 @@
770	819	</ul>
771	820	</li>
772	821	<li>
773		- <b>Nucleus v0.80 [beta 1 release] (September 2, 2001)</b>
	822	+ <strong>Nucleus v0.80 [beta 1 release] (September 2, 2001)</strong>
774	823	<ul>
775	824	<li>XML-RPC Interface implementing the blogger methods</li>
776	825	<li>fixes and code-reorganisation</li>

		@@ -780,7 +829,7 @@
780	829	</ul>
781	830	</li>
782	831	<li>
783		- <b>Nucleus v0.70 [not released] (August 20, 2001)</b>
	832	+ <strong>Nucleus v0.70 [not released] (August 20, 2001)</strong>
784	833	<ul>
785	834	<li>mySQL instead of XML</li>
786	835	<li>extensive admin area</li>

		@@ -793,7 +842,7 @@
793	842	</ul>
794	843	</li>
795	844	<li>
796		- <b>Nucleus v0.60 and earlier (since February 2001)</b>
	845	+ <strong>Nucleus v0.60 and earlier (since February 2001)</strong>
797	846	<br />
798	847	no history (XML versions with limited functions)
799	848	</li>

--- a/utf8/nucleus/libs/globalfunctions.php

+++ b/utf8/nucleus/libs/globalfunctions.php

		@@ -307,6 +307,13 @@ if (!headers_sent() ) {
307	307	$language = getLanguageName();
308	308	include($DIR_LANG . ereg_replace( '[\\\|/]', '', $language) . '.php');
309	309
	310	+// check if valid charset
	311	+if (!encoding_check(false,false,_CHARSET)) {
	312	+ foreach(array($_REQUEST, $_SERVER) as $input) {
	313	+ array_walk($input, 'encoding_check');
	314	+ }
	315	+}
	316	+
310	317	/*
311	318	Backed out for now: See http://forum.nucleuscms.org/viewtopic.php?t=3684 for details
312	319

		@@ -551,6 +558,13 @@ function sendContentType($contenttype, $pagetype = '', $charset = _CHARSET) {
551	558	} else {
552	559	header('Content-Type: ' . $contenttype);
553	560	}
	561	+
	562	+ // check if valid charset
	563	+ if (!encoding_check(false,false,$charset)) {
	564	+ foreach(array($_REQUEST, $_SERVER) as $input) {
	565	+ array_walk($input, 'encoding_check');
	566	+ }
	567	+ }
554	568	}
555	569	}
556	570

		@@ -558,9 +572,11 @@ function sendContentType($contenttype, $pagetype = '', $charset = _CHARSET) {
558	572	* Errors before the database connection has been made
559	573	*/
560	574	function startUpError($msg, $title) {
	575	+ if (!defined('_CHARSET')) define('_CHARSET','iso-8859-1');
	576	+ header('Content-Type: text/html; charset=' . _CHARSET);
561	577	?>
562	578	<html xmlns="http://www.w3.org/1999/xhtml">
563		- <head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
	579	+ <head><meta http-equiv="Content-Type" content="text/html; charset=<?php echo _CHARSET?>" />
564	580	<title><?php echo htmlspecialchars($title)?></title></head>
565	581	<body>
566	582	<h1><?php echo htmlspecialchars($title)?></h1>

		@@ -1495,6 +1511,69 @@ function formatDate($format, $timestamp, $defaultFormat, &$blog) {
1495	1511	}
1496	1512	}
1497	1513
	1514	+function encoding_check($val, $key, $encoding=false, $exclude=false) {
	1515	+ /*
	1516	+ When 3rd argument is set, return if checked already.
	1517	+ When 4th argument is set, set the excluded key(s).
	1518	+ */
	1519	+ static $search=false, $checked=array(), $excludes=array();
	1520	+ if ($exclude!==false) {
	1521	+ if (is_array($exclude)) {
	1522	+ foreach($exclude as $v) $excludes[$v]=true;
	1523	+ } else $excludes[$excludes]=true;
	1524	+ return;
	1525	+ }
	1526	+ if ($encoding!==false) {
	1527	+ switch($encoding=strtolower($encoding)){
	1528	+ case 'utf-8':
	1529	+ $search='/^([\x00-\x7F]+'.
	1530	+ '\|[\xC2-\xDF][\x80-\xBF]'.
	1531	+ '\|[\xE0-\xEF][\x80-\xBF][\x80-\xBF]'.
	1532	+ '\|[\xF0-\xF7][\x80-\xBF][\x80-\xBF][\x80-\xBF]'.
	1533	+ '\|[\xF8-\xFB][\x80-\xBF][\x80-\xBF][\x80-\xBF][\x80-\xBF]'.
	1534	+ '\|[\xFC-\xFD][\x80-\xBF][\x80-\xBF][\x80-\xBF][\x80-\xBF][\x80-\xBF])*/';
	1535	+ break;
	1536	+ case 'euc-jp':
	1537	+ $search='/^([\x00-\x7F]+'.
	1538	+ '\|[\x8E][\xA0-\xDF]'.
	1539	+ '\|[\x8F]?[\xA1-\xFE][\xA1-\xFE])*/';
	1540	+ break;
	1541	+ case 'gb2312':
	1542	+ $search='/^([\x00-\x7F]+'.
	1543	+ '\|[\xA1-\xF7][\xA1-\xFE])*/';
	1544	+ break;
	1545	+ default:
	1546	+ $search=false;
	1547	+ if (preg_match('/^iso\-8859\-[0-9]{1,2}$/',$encoding)) break;
	1548	+ if (preg_match('/^windows\-125[0-8]$/',$encoding)) break;
	1549	+ startUpError('<p>Unknown or non-supported encoding.</p>', 'Encoding Error');
	1550	+ exit;
	1551	+ }
	1552	+ if (isset($checked[$encoding])) return true; // Already checked.
	1553	+ $checked[$encoding]=true;
	1554	+ }
	1555	+ if ($key===false) return false; // Not yet checked.
	1556	+ if ($search===false) return true; // non-multibyte encoding
	1557	+ if (isset($excludes[$key])) return true; // This key isn't checked.
	1558	+ if (is_array($val)) {
	1559	+ array_walk($val, 'encoding_check');
	1560	+ } else {
	1561	+ preg_match($search,$val,$m);
	1562	+ $val2 = (string)$m[0];
	1563	+ if (!($val2 === (string)$val)) {
	1564	+ startUpError('<p>Invalid input.</p>', 'Input Error');
	1565	+ exit;
	1566	+ }
	1567	+ }
	1568	+ preg_match($search,$key,$m);
	1569	+ $key2 = (string)$m[0];
	1570	+ if (!($key2 === (string)$key)) {
	1571	+ startUpError('<p>Invalid input.</p>', 'Input Error');
	1572	+ exit;
	1573	+ }
	1574	+ return true;
	1575	+}
	1576	+
1498	1577	function checkVars($aVars) {
1499	1578	global $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_COOKIE_VARS, $HTTP_ENV_VARS, $HTTP_POST_FILES, $HTTP_SESSION_VARS;
1500	1579

Show on old repository browser

Nucleus日本語版 Forknucleus-nextnucleus-jp-ancientnucleus-plugins

nucleus-jp-ancient: Commit

Commit MetaInfo

Log Message

Ändern Zusammenfassung

Diff

Nucleus日本語版
Fork
nucleus-next
nucleus-jp-ancient
nucleus-plugins