XOOPS Cube Legacy base repository
| Revision | 0533227a209e2cb48323585b2007f2d9ae6a6117 (tree) |
|---|---|
| Zeit | 2009-04-02 16:00:30 |
| Autor | tom_g3x <tom_g3x@704c...> |
| Commiter | tom_g3x |
marged XCL 2.1.16a(Security Release)
git-svn-id: https://xoopscube.svn.sourceforge.net/svnroot/xoopscube/Package_Legacy/trunk@108 704cf05f-ae62-4b0e-a484-234ee0250e75
docs/CHANGES.txt (diff)
html/modules/legacy/actions/ImageListAction.class.php (diff) html/modules/legacy/actions/MiscSmiliesAction.class.php (diff)
html/modules/legacy/admin/theme/admin_theme.html (diff)| @@ -4,7 +4,6 @@ XOOPS Cube Legacy "Package_Legacy" & "XCube core" Changelog | ||
| 4 | 4 | 2009/03/?: Package Revision 2.1.7 |
| 5 | 5 | ---------------------------------------- |
| 6 | 6 | [Bug Fix - From Bug Tracker] |
| 7 | -- Fix Bug #2350320 - Possibility of script injection in ErrorHandler::show. | |
| 8 | 7 | - Fix Bug #2491813 - SmileEditAction include multi byte comment. |
| 9 | 8 | - Fix Bug #2491817 - SmileEditAction cannnot delete old file. |
| 10 | 9 | - Fix Bug #2591041 - Typo Legacy_PublicControllerStrategy.class.php. |
| @@ -49,6 +48,15 @@ XOOPS Cube Legacy "Package_Legacy" & "XCube core" Changelog | ||
| 49 | 48 | - Tohokuaiki |
| 50 | 49 | - Tom_G3X |
| 51 | 50 | |
| 51 | + | |
| 52 | +---------------------------------------- | |
| 53 | +2009/04/02: Package Revision 2.1.6a | |
| 54 | +---------------------------------------- | |
| 55 | +[Bug Fix - From Bug Tracker] | |
| 56 | +- Fix Bug IPA#74747784 / JPCERT#95042060 - XSS weakness | |
| 57 | +- Fix Bug #2350320 - Possibility of script injection in ErrorHandler::show. | |
| 58 | + | |
| 59 | + | |
| 52 | 60 | ---------------------------------------- |
| 53 | 61 | 2008/11/21: Package Revision 2.1.6 |
| 54 | 62 | ---------------------------------------- |
| @@ -92,7 +92,7 @@ class Legacy_ImageListAction extends Legacy_AbstractListAction | ||
| 92 | 92 | $render->setAttribute('hasUploadPerm', $hasUploadPerm); |
| 93 | 93 | $render->setAttribute("category", $this->mCategory); |
| 94 | 94 | |
| 95 | - $render->setAttribute('target', xoops_getrequest('target')); | |
| 95 | + $render->setAttribute('target', htmlspecialchars(xoops_getrequest('target'), ENT_QUOTES)); | |
| 96 | 96 | } |
| 97 | 97 | |
| 98 | 98 | function executeViewError(&$controller, &$xoopsUser, &$render) |
| @@ -39,7 +39,10 @@ class Legacy_MiscSmiliesAction extends Legacy_AbstractListAction | ||
| 39 | 39 | |
| 40 | 40 | function getDefaultView(&$controller, &$xoopsUser) |
| 41 | 41 | { |
| 42 | - $this->mTargetName = xoops_getrequest('target'); | |
| 42 | + $this->mTargetName = trim(xoops_getrequest('target')); | |
| 43 | + if ($this->mTargetName == '' || !preg_match('/^[a-zA-Z]\w*$/', $this->mTargetName)) { | |
| 44 | + return LEGACY_FRAME_VIEW_ERROR; | |
| 45 | + } | |
| 43 | 46 | return parent::getDefaultView($controller, $xoopsUser); |
| 44 | 47 | } |
| 45 | 48 |
| @@ -56,6 +59,11 @@ class Legacy_MiscSmiliesAction extends Legacy_AbstractListAction | ||
| 56 | 59 | $render->setAttribute("pageNavi", $this->mFilter->mNavi); |
| 57 | 60 | $render->setAttribute("targetName", $this->mTargetName); |
| 58 | 61 | } |
| 62 | + | |
| 63 | + function executeViewError(&$controller, &$xoopsUser, &$render) | |
| 64 | + { | |
| 65 | + $render->setTemplateName("legacy_dummy.html"); | |
| 66 | + } | |
| 59 | 67 | } |
| 60 | 68 | |
| 61 | 69 | ?> |
| @@ -12,7 +12,7 @@ | ||
| 12 | 12 | |
| 13 | 13 | <script type="text/javascript"> |
| 14 | 14 | <!-- <
Fork
xoopscube/legacy