
Commit e9339d4

author
bnu
committed
Merge branch 'release/1.8.9'
2 parents 9f085ac + 9a7b7fa commit e9339d4

5 files changed

+39
-19
lines changed


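--- a/.travis.yml
+++ b/.travis.yml
@@ -27,4 +27,5 @@ script:
 - if [ $(phpenv version-name) != "5.3" ]; then ./vendor/bin/codecept run -d --fail-fast --env travis; fi
 notifications:
 slack:
-secure: 0HhwktIb65zfge56E4yMfYj0Xj4GeYIaxvh/Obb13BK1/C8RdWBy6u213N5MQ2UHsxYk8wXXzynaCh4psegi2iPy9dbKmkdAdEQMzYoKE2xYVSqZveeVQm0sqFVXAlzggpgs/j5vtvKYjRkQKtTrz0C+p0uJ0bkLcyWGezWTpGc=
+secure: jpoMjtkveVuPZM4JXJETAPv8QUCtTbI/ZTixdS9HUgxSb9tD2DkoekMaRzXYnXA82Les/gGxTC0fQFcFrls6Ypkbvp1udBPggmAdLiBHubBIz+yd1BGIf/l4I6MY1QmGe1Lx4xlnVlEgLnKXHn+W+ENep4/MzpCEaR9Vw8wfGqY=
+secure: "gPv4qFmGcXimNlI/OeVk5n4VtRCWbAe7VUtw7Inb3A/ZZaVDo11gtMNkwo/JVKSnXqFkaCQYebcNpj2D9Rb2ZCwgjMSX6wxvpA4/8OLOZpbWqFW6Hz2RKNggubXlnalXkIwFcsvj70rKctbcJFk2C1G9rVvYWdVGD9X4/ozQtAc="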
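Review bot: The two `secure:` entries added at new lines 30–31 are duplicate keys if they sit at the same level under `slack:`, and YAML duplicate keys mean only the last one takes effect, so the first encrypted token would be silently ignored. Travis expects several Slack targets as a list, `rooms:` followed by one `- secure: …` item per token. The rendered diff has dropped the indentation, so the nesting cannot be confirmed from this page; it is worth checking in the raw file. The two values are also quoted inconsistently (`secure: jpo…` vs `secure: "gPv…"`), which is harmless but worth normalising while touching these lines.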

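--- a/classes/context/Context.class.php
+++ b/classes/context/Context.class.php
@@ -666,9 +666,20 @@ function checkSSO()
 {
 $url = base64_decode(self::get('default_url'));
 $url_info = parse_url($url);
+
+$oModuleModel = getModel('module');
+$site_info = $oModuleModel->getSiteInfoByDomain($url_info['host']);
+if(!$site_info->site_srl) {
+$oModuleObject = new ModuleObject();
+$oModuleObject->stop('msg_invalid_request');
+
+return false;
+}
+
 $url_info['query'].= ($url_info['query'] ? '&' : '') . 'SSOID=' . session_id();
 $redirect_url = sprintf('%s://%s%s%s?%s', $url_info['scheme'], $url_info['host'], $url_info['port'] ? ':' . $url_info['port'] : '', $url_info['path'], $url_info['query']);
 header('location:' . $redirect_url);
+
 return FALSE;
 }
 // for sites requesting SSO validation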
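Review bot: The new lookup at new lines 670–671 reads `$url_info['host']` without checking that `parse_url` succeeded, so a malformed or host-less `default_url` (parse_url returns `false`, or an array with no `host` key) triggers an undefined-index notice and runs the domain lookup on an empty value; whether that then yields an object without `site_srl`, as the guard assumes, depends on getSiteInfoByDomain, which is outside this file. A small tightening keeps the existing stop path: `$host = (is_array($url_info) && isset($url_info['host'])) ? $url_info['host'] : '';`, then `$site_info = $oModuleModel->getSiteInfoByDomain($host);` and `if($host === '' || !$site_info->site_srl) {`. The scheme copied into the Location header on old line 670 is still taken from the decoded URL unchecked; since only the host is now validated, limiting `$url_info['scheme']` to `http`/`https` in the same guard would be cheap. checkSSO's signature sits just above the hunk; the function body ends inside it.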

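--- a/classes/module/ModuleHandler.class.php
+++ b/classes/module/ModuleHandler.class.php
@@ -116,7 +116,6 @@ function ModuleHandler($module = '', $act = '', $mid = '', $document_srl = '', $
 * */
 function init()
 {
-
 $oModuleModel = getModel('module');
 $site_module_info = Context::get('site_module_info');
 
@@ -317,13 +316,13 @@ function init()
 function procModule()
 {
 $oModuleModel = getModel('module');
+$display_mode = Mobile::isFromMobilePhone() ? 'mobile' : 'view';
 
 // If error occurred while preparation, return a message instance
 if($this->error)
 {
 $this->_setInputErrorToContext();
-$type = Mobile::isFromMobilePhone() ? 'mobile' : 'view';
-$oMessageObject = ModuleHandler::getModuleInstance('message', $type);
+$oMessageObject = ModuleHandler::getModuleInstance('message', $display_mode);
 $oMessageObject->setError(-1);
 $oMessageObject->setMessage($this->error);
 $oMessageObject->dispMessage();
@@ -359,8 +358,7 @@ function procModule()
 $this->httpStatusCode = '404';
 
 $this->_setInputErrorToContext();
-$type = Mobile::isFromMobilePhone() ? 'mobile' : 'view';
-$oMessageObject = ModuleHandler::getModuleInstance('message', $type);
+$oMessageObject = ModuleHandler::getModuleInstance('message', $display_mode);
 $oMessageObject->setError(-1);
 $oMessageObject->setMessage($this->error);
 $oMessageObject->dispMessage();
@@ -397,7 +395,7 @@ function procModule()
 if(!in_array(strtoupper($_SERVER['REQUEST_METHOD']), $allowedMethodList))
 {
 $this->error = "msg_invalid_request";
-$oMessageObject = ModuleHandler::getModuleInstance('message', 'view');
+$oMessageObject = ModuleHandler::getModuleInstance('message', $display_mode);
 $oMessageObject->setError(-1);
 $oMessageObject->setMessage($this->error);
 $oMessageObject->dispMessage();
@@ -410,13 +408,24 @@ function procModule()
 Mobile::setMobile(FALSE);
 }
 
-// Admin ip
 $logged_info = Context::get('logged_info');
+
+// check CSRF for admin actions
+if($kind === 'admin' && Context::getRequestMethod() === 'POST' && !checkCSRF()) {
+$this->error = 'msg_invalid_request';
+$oMessageObject = ModuleHandler::getModuleInstance('message', $display_mode);
+$oMessageObject->setError(-1);
+$oMessageObject->setMessage($this->error);
+$oMessageObject->dispMessage();
+return $oMessageObject;
+}
+
+// Admin ip
 if($kind == 'admin' && $_SESSION['denied_admin'] == 'Y')
 {
 $this->_setInputErrorToContext();
 $this->error = "msg_not_permitted_act";
-$oMessageObject = ModuleHandler::getModuleInstance('message', $type);
+$oMessageObject = ModuleHandler::getModuleInstance('message', $display_mode);
 $oMessageObject->setError(-1);
 $oMessageObject->setMessage($this->error);
 $oMessageObject->dispMessage();
@@ -446,8 +455,7 @@ function procModule()
 if(!is_object($oModule))
 {
 $this->_setInputErrorToContext();
-$type = Mobile::isFromMobilePhone() ? 'mobile' : 'view';
-$oMessageObject = ModuleHandler::getModuleInstance('message', $type);
+$oMessageObject = ModuleHandler::getModuleInstance('message', $display_mode);
 $oMessageObject->setError(-1);
 $oMessageObject->setMessage($this->error);
 $oMessageObject->dispMessage();
@@ -466,7 +474,7 @@ function procModule()
 {
 $this->_setInputErrorToContext();
 $this->error = 'msg_invalid_request';
-$oMessageObject = ModuleHandler::getModuleInstance('message', $type);
+$oMessageObject = ModuleHandler::getModuleInstance('message', $display_mode);
 $oMessageObject->setError(-1);
 $oMessageObject->setMessage($this->error);
 $oMessageObject->dispMessage();
@@ -495,7 +503,7 @@ function procModule()
 else
 {
 $this->error = 'msg_invalid_request';
-$oMessageObject = ModuleHandler::getModuleInstance('message', 'view');
+$oMessageObject = ModuleHandler::getModuleInstance('message', $display_mode);
 $oMessageObject->setError(-1);
 $oMessageObject->setMessage($this->error);
 $oMessageObject->dispMessage();
@@ -537,9 +545,8 @@ function procModule()
 
 if(!is_object($oModule))
 {
-$type = Mobile::isFromMobilePhone() ? 'mobile' : 'view';
 $this->_setInputErrorToContext();
-$oMessageObject = ModuleHandler::getModuleInstance('message', $type);
+$oMessageObject = ModuleHandler::getModuleInstance('message', $display_mode);
 $oMessageObject->setError(-1);
 $oMessageObject->setMessage('msg_module_is_not_exists');
 $oMessageObject->dispMessage();
@@ -569,7 +576,7 @@ function procModule()
 $this->_setInputErrorToContext();
 
 $this->error = 'msg_is_not_administrator';
-$oMessageObject = ModuleHandler::getModuleInstance('message', $type);
+$oMessageObject = ModuleHandler::getModuleInstance('message', $display_mode);
 $oMessageObject->setError(-1);
 $oMessageObject->setMessage($this->error);
 $oMessageObject->dispMessage();
@@ -583,7 +590,7 @@ function procModule()
 {
 $this->_setInputErrorToContext();
 $this->error = 'msg_is_not_manager';
-$oMessageObject = ModuleHandler::getModuleInstance('message', 'view');
+$oMessageObject = ModuleHandler::getModuleInstance('message', $display_mode);
 $oMessageObject->setError(-1);
 $oMessageObject->setMessage($this->error);
 $oMessageObject->dispMessage();
@@ -595,7 +602,7 @@ function procModule()
 {
 $this->_setInputErrorToContext();
 $this->error = 'msg_is_not_administrator';
-$oMessageObject = ModuleHandler::getModuleInstance('message', 'view');
+$oMessageObject = ModuleHandler::getModuleInstance('message', $display_mode);
 $oMessageObject->setError(-1);
 $oMessageObject->setMessage($this->error);
 $oMessageObject->dispMessage();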
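Review bot: The CSRF guard added at new lines 413–421 fires only when `Context::getRequestMethod() === 'POST'`, so an admin act that the per-act `$allowedMethodList` checked earlier in procModule (old line 397) permits over GET or another method is still executed with no token check, and if getRequestMethod() reports XML-RPC or JSON request bodies under a value other than `'POST'` those admin submissions bypass it as well. Unless every state-changing admin act is POST-only, the condition should exclude only safe methods, e.g. `if($kind === 'admin' && Context::getRequestMethod() !== 'GET' && !checkCSRF()) {`, or be driven by the act's own method list. The new branch also omits the `$this->_setInputErrorToContext();` call that every sibling error branch in this function makes before building the message object, and it uses `$kind === 'admin'` while the line directly below compares `$kind == 'admin'`. checkCSRF() is defined outside this file, so whether it rejects an absent token as well as a mismatched one cannot be confirmed here; procModule continues outside the hunk.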

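--- a/config/config.inc.php
+++ b/config/config.inc.php
@@ -29,7 +29,7 @@
 /**
 * Display XE's full version.
 */
-define('__XE_VERSION__', '1.8.8');
+define('__XE_VERSION__', '1.8.9');
 define('__XE_VERSION_ALPHA__', (stripos(__XE_VERSION__, 'alpha') !== false));
 define('__XE_VERSION_BETA__', (stripos(__XE_VERSION__, 'beta') !== false));
 define('__XE_VERSION_RC__', (stripos(__XE_VERSION__, 'rc') !== false));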

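--- a/modules/document/document.controller.php
+++ b/modules/document/document.controller.php
@@ -274,6 +274,7 @@ function insertDocument($obj, $manual_inserted = false, $isRestore = false, $isL
 $obj->homepage = $logged_info->homepage;
 }
 // If the tile is empty, extract string from the contents.
+$obj->title = htmlspecialchars($obj->title);
 settype($obj->title, "string");
 if($obj->title == '') $obj->title = cut_str(trim(strip_tags(nl2br($obj->content))),20,'...');
 // If no tile extracted from the contents, leave it untitled.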
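Review bot: `htmlspecialchars($obj->title)` at new line 277 relies on the default flags, so single quotes are left unencoded and the charset comes from the runtime default; a title later emitted inside a single-quoted attribute is therefore still not fully escaped. Passing the quote flag and charset explicitly, `$obj->title = htmlspecialchars($obj->title, ENT_QUOTES, 'UTF-8');`, pins the behaviour (the charset assumes the site stores UTF-8, which this hunk does not show). Because this escapes at storage time, any path that re-runs insertDocument on an already-stored title (the `$isRestore` parameter in the signature suggests one) will double-encode `&amp;` to `&amp;amp;`; either escape on output instead, or pass `double_encode` as `false` if re-submission of stored titles is expected. insertDocument starts and ends outside the hunk.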
