1
0
Fork 0
mirror of https://github.com/sbrl/Pepperminty-Wiki.git synced 2024-12-22 13:45:02 +00:00

Merge pull request #182 from SeanFromIT/v0.20-hotfixes

patching a PHP 7.3.11 issue and double dot in file uploads
This commit is contained in:
Starbeamrainbowlabs 2020-04-18 12:37:59 +01:00 committed by GitHub
commit 7216a50659
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 32 additions and 35 deletions

View file

@ -13,19 +13,19 @@ register_module([
* @apiGroup Upload * @apiGroup Upload
* @apiPermission User * @apiPermission User
* *
* @apiParam {boolean} avatar Optional. If true then a special page to upload your avatar is displayed instead. * @apiParam {bool} avatar Optional. If true then a special page to upload your avatar is displayed instead.
*/ */
/** /**
* @api {post} ?action=upload Upload a file * @api {post} ?action=upload Upload a file
* @apiName UploadFile * @apiName UploadFile
* @apiGroup Upload * @apiGroup Upload
* @apiPermission User * @apiPermission User
* *
* @apiParam {string} name The name of the file to upload. * @apiParam {string} name The name of the file to upload.
* @apiParam {string} description A description of the file. * @apiParam {string} description A description of the file.
* @apiParam {file} file The file to upload. * @apiParam {file} file The file to upload.
* @apiParam {boolean} avatar Whether this upload should be uploaded as the current user's avatar. If specified, any filenames provided will be ignored. * @apiParam {bool} avatar Whether this upload should be uploaded as the current user's avatar. If specified, any filenames provided will be ignored.
* *
* @apiUse UserNotLoggedInError * @apiUse UserNotLoggedInError
* @apiError UploadsDisabledError Uploads are currently disabled in the wiki's settings. * @apiError UploadsDisabledError Uploads are currently disabled in the wiki's settings.
@ -37,11 +37,11 @@ register_module([
*/ */
/* /*
* ██ ██ ██████ ██ ██████ █████ ██████ * ██ ██ ██████ ██ ██████ █████ ██████
* ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ * ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
* ██ ██ ██████ ██ ██ ██ ███████ ██ ██ * ██ ██ ██████ ██ ██ ██ ███████ ██ ██
* ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ * ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
* ██████ ██ ███████ ██████ ██ ██ ██████ * ██████ ██ ███████ ██████ ██ ██ ██████
*/ */
add_action("upload", function() { add_action("upload", function() {
global $settings, $env, $pageindex, $paths; global $settings, $env, $pageindex, $paths;
@ -99,7 +99,7 @@ register_module([
break; break;
case "POST": case "POST":
// Recieve file // Receive file
if(!$settings->editing) { if(!$settings->editing) {
exit(page_renderer::render_main("Upload failed - $settings->sitename", "<p>Your upload couldn't be processed because editing is currently disabled on $settings->sitename. Please contact $settings->admindetails_name, $settings->sitename's administrator for more information - their contact details can be found at the bottom of this page. <a href='index.php'>Go back to the main page</a>.")); exit(page_renderer::render_main("Upload failed - $settings->sitename", "<p>Your upload couldn't be processed because editing is currently disabled on $settings->sitename. Please contact $settings->admindetails_name, $settings->sitename's administrator for more information - their contact details can be found at the bottom of this page. <a href='index.php'>Go back to the main page</a>."));
@ -122,7 +122,7 @@ register_module([
http_response_code(401); http_response_code(401);
exit(page_renderer::render("Upload failed - $settings->sitename", "<p>Your upload couldn't be processed because you are not logged in.</p><p>Try <a href='?action=login&returnto=" . rawurlencode("?action=upload") . "'>logging in</a> first.")); exit(page_renderer::render("Upload failed - $settings->sitename", "<p>Your upload couldn't be processed because you are not logged in.</p><p>Try <a href='?action=login&returnto=" . rawurlencode("?action=upload") . "'>logging in</a> first."));
} }
// Check for php upload errors // Check for php upload errors
if($_FILES["file"]["error"] > 0) if($_FILES["file"]["error"] > 0)
{ {
@ -194,7 +194,7 @@ register_module([
// The path to the place (relative to the wiki data root) // The path to the place (relative to the wiki data root)
// that we're actually going to store the uploaded file itself // that we're actually going to store the uploaded file itself
$new_filename = "$paths->upload_file_prefix$target_name.$file_extension"; $new_filename = "$paths->upload_file_prefix$target_name$file_extension";
// The path (relative, as before) to the description file // The path (relative, as before) to the description file
$new_description_filename = "$new_filename.md"; $new_description_filename = "$new_filename.md";
@ -215,7 +215,7 @@ register_module([
// file history online. // file history online.
if($is_avatar && isset($pageindex->$new_pagepath) && $pageindex->$new_pagepath->uploadedfile) if($is_avatar && isset($pageindex->$new_pagepath) && $pageindex->$new_pagepath->uploadedfile)
unlink($pageindex->$new_pagepath->uploadedfilepath); unlink($pageindex->$new_pagepath->uploadedfilepath);
// Make sure that the palce we're uploading to exists // Make sure that the palce we're uploading to exists
if(!file_exists(dirname($env->storage_prefix . $new_filename))) if(!file_exists(dirname($env->storage_prefix . $new_filename)))
mkdir(dirname($env->storage_prefix . $new_filename), 0775, true); mkdir(dirname($env->storage_prefix . $new_filename), 0775, true);
@ -238,7 +238,7 @@ register_module([
$entry = new stdClass(); $entry = new stdClass();
// Point to the description's filepath since this property // Point to the description's filepath since this property
// should point to a markdown file // should point to a markdown file
$entry->filename = $new_description_filename; $entry->filename = $new_description_filename;
$entry->size = strlen($description ?? "(No description provided)"); $entry->size = strlen($description ?? "(No description provided)");
$entry->lastmodified = time(); $entry->lastmodified = time();
$entry->lasteditor = $env->user; $entry->lasteditor = $env->user;
@ -282,7 +282,7 @@ register_module([
* @apiName PreviewFile * @apiName PreviewFile
* @apiGroup Upload * @apiGroup Upload
* @apiPermission Anonymous * @apiPermission Anonymous
* *
* @apiParam {string} page The name of the file to preview. * @apiParam {string} page The name of the file to preview.
* @apiParam {number} size Optional. The size fo the resulting preview. Will be clamped to fit within the bounds specified in the wiki's settings. May also be set to the keyword 'original', which will cause the original file to be returned with it's appropriate mime type instead. * @apiParam {number} size Optional. The size fo the resulting preview. Will be clamped to fit within the bounds specified in the wiki's settings. May also be set to the keyword 'original', which will cause the original file to be returned with it's appropriate mime type instead.
* *
@ -291,11 +291,11 @@ register_module([
*/ */
/* /*
* ██████ ██████ ███████ ██ ██ ██ ███████ ██ ██ * ██████ ██████ ███████ ██ ██ ██ ███████ ██ ██
* ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ * ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
* ██████ ██████ █████ ██ ██ ██ █████ ██ ██ * ██████ ██████ █████ ██ ██ ██ █████ ██ ██
* ██ ██ ██ ██ ██ ██ ██ ██ ██ ███ ██ * ██ ██ ██ ██ ██ ██ ██ ██ ██ ███ ██
* ██ ██ ██ ███████ ████ ██ ███████ ███ ███ * ██ ██ ██ ███████ ████ ██ ███████ ███ ███
*/ */
add_action("preview", function() { add_action("preview", function() {
global $settings, $env, $pageindex, $start_time; global $settings, $env, $pageindex, $start_time;
@ -354,11 +354,8 @@ register_module([
$allheaders = getallheaders(); $allheaders = getallheaders();
$allheaders = array_change_key_case($allheaders, CASE_LOWER); $allheaders = array_change_key_case($allheaders, CASE_LOWER);
if(!isset($allheaders["if-none-match"])) if(!isset($allheaders["if-none-match"]))
{
header("etag: $preview_etag"); header("etag: $preview_etag");
} else {
else
{
if($allheaders["if-none-match"] === $preview_etag) if($allheaders["if-none-match"] === $preview_etag)
{ {
http_response_code(304); http_response_code(304);
@ -450,7 +447,7 @@ register_module([
* ██████ ██████ █████ ██ ██ ██ █████ ██ ██ * ██████ ██████ █████ ██ ██ ██ █████ ██ ██
* ██ ██ ██ ██ ██ ██ ██ ██ ██ ███ ██ * ██ ██ ██ ██ ██ ██ ██ ██ ██ ███ ██
* ██ ██ ██ ███████ ████ ██ ███████ ███ ███ * ██ ██ ██ ███████ ████ ██ ███████ ███ ███
* *
* ██████ ██ ███████ ██████ ██ █████ ██ ██ ███████ ██████ * ██████ ██ ███████ ██████ ██ █████ ██ ██ ███████ ██████
* ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ * ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
* ██ ██ ██ ███████ ██████ ██ ███████ ████ █████ ██████ * ██ ██ ██ ███████ ██████ ██ ███████ ████ █████ ██████
@ -500,7 +497,7 @@ register_module([
<video src='$previewUrl' controls preload='metadata'>Your browser doesn't support HTML5 video, but you can still <a href='$previewUrl'>download it</a> if you'd like.</video> <video src='$previewUrl' controls preload='metadata'>Your browser doesn't support HTML5 video, but you can still <a href='$previewUrl'>download it</a> if you'd like.</video>
</figure>"; </figure>";
break; break;
case "audio": case "audio":
$preview_html .= "\t\t\t<figure class='preview'> $preview_html .= "\t\t\t<figure class='preview'>
<audio src='$previewUrl' controls preload='metadata'>Your browser doesn't support HTML5 audio, but you can still <a href='$previewUrl'>download it</a> if you'd like.</audio> <audio src='$previewUrl' controls preload='metadata'>Your browser doesn't support HTML5 audio, but you can still <a href='$previewUrl'>download it</a> if you'd like.</audio>
@ -622,7 +619,7 @@ function upload_check_svg($temp_filename)
exit(page_renderer::render("Upload Error - $settings->sitename", "<p>$settings->sitename detected that you uploaded an SVG image and performed some extra security checks on your file. Whilst performing these checks it was discovered that the file you uploaded contains some Javascript, which could be dangerous. The uploaded file has been discarded. <a href='?action=upload'>Go back to try again</a>.</p> exit(page_renderer::render("Upload Error - $settings->sitename", "<p>$settings->sitename detected that you uploaded an SVG image and performed some extra security checks on your file. Whilst performing these checks it was discovered that the file you uploaded contains some Javascript, which could be dangerous. The uploaded file has been discarded. <a href='?action=upload'>Go back to try again</a>.</p>
<p>You may wish to consider <a href='https://github.com/sbrl/Pepperminty-Wiki'>opening an issue</a> against Pepperminty Wiki (the software that powers $settings->sitename) if this isn't the first time that you have seen this message.</p>")); <p>You may wish to consider <a href='https://github.com/sbrl/Pepperminty-Wiki'>opening an issue</a> against Pepperminty Wiki (the software that powers $settings->sitename) if this isn't the first time that you have seen this message.</p>"));
} }
// Find and return the size of the SVG image // Find and return the size of the SVG image
return getsvgsize($temp_filename); return getsvgsize($temp_filename);
} }

View file

@ -13,7 +13,7 @@ register_module([
* @apiName Login * @apiName Login
* @apiGroup Authorisation * @apiGroup Authorisation
* @apiPermission Anonymous * @apiPermission Anonymous
* *
* @apiParam {string} failed Setting to yes causes a login failure message to be displayed above the login form. * @apiParam {string} failed Setting to yes causes a login failure message to be displayed above the login form.
* @apiParam {string} returnto Set to the url to redirect to upon a successful login. * @apiParam {string} returnto Set to the url to redirect to upon a successful login.
*/ */
@ -62,7 +62,7 @@ register_module([
* @apiName CheckLogin * @apiName CheckLogin
* @apiGroup Authorisation * @apiGroup Authorisation
* @apiPermission Anonymous * @apiPermission Anonymous
* *
* @apiParam {string} user The user name to login with. * @apiParam {string} user The user name to login with.
* @apiParam {string} pass The password to login with. * @apiParam {string} pass The password to login with.
* @apiParam {string} returnto The URL to redirect to upon a successful login. * @apiParam {string} returnto The URL to redirect to upon a successful login.
@ -76,7 +76,7 @@ register_module([
* ██ ███████ █████ ██ █████ * ██ ███████ █████ ██ █████
* ██ ██ ██ ██ ██ ██ ██ * ██ ██ ██ ██ ██ ██ ██
* ██████ ██ ██ ███████ ██████ ██ ██ * ██████ ██ ██ ███████ ██████ ██ ██
* *
* ██ ██████ ██████ ██ ███ ██ * ██ ██████ ██████ ██ ███ ██
* ██ ██ ██ ██ ██ ████ ██ * ██ ██ ██ ██ ██ ████ ██
* ██ ██ ██ ██ ███ ██ ██ ██ ██ * ██ ██ ██ ██ ███ ██ ██ ██ ██
@ -193,9 +193,9 @@ function do_password_hash_code_update() {
global $settings, $paths; global $settings, $paths;
// There's no point if we're using Argon2i, as it doesn't take a cost // There's no point if we're using Argon2i, as it doesn't take a cost
if(hash_password_properties()["algorithm"] == PASSWORD_ARGON2I) if(defined("PASSWORD_ARGON2I") && hash_password_properties()["algorithm"] == PASSWORD_ARGON2I)
return; return;
// Skip rechecking if the automatic check has been disabled // Skip rechecking if the automatic check has been disabled
if($settings->password_cost_time_interval == -1) if($settings->password_cost_time_interval == -1)
return; return;
@ -215,7 +215,7 @@ function do_password_hash_code_update() {
} }
/** /**
* Figures out the appropriate algorithm & options for hashing passwords based * Figures out the appropriate algorithm & options for hashing passwords based
* on the current settings. * on the current settings.
* @return array The appropriate password hashing algorithm and options. * @return array The appropriate password hashing algorithm and options.
*/ */
@ -235,7 +235,7 @@ function hash_password_properties() {
* in $settings. * in $settings.
* @package page-login * @package page-login
* @param string $pass The password to hash. * @param string $pass The password to hash.
* *
* @return string The hashed password. Uses password_hash() under-the-hood, but with some additional extras to avoid known issues. * @return string The hashed password. Uses password_hash() under-the-hood, but with some additional extras to avoid known issues.
*/ */
function hash_password($pass) { function hash_password($pass) {
@ -272,7 +272,7 @@ function hash_password_update($pass, $hash) {
/** /**
* Computes the appropriate cost value for password_hash based on the settings * Computes the appropriate cost value for password_hash based on the settings
* automatically. * automatically.
* Starts at 10 and works upwards in increments of 1. Goes on until a value is * Starts at 10 and works upwards in increments of 1. Goes on until a value is
* found that's greater than the target - or 10x the target time elapses. * found that's greater than the target - or 10x the target time elapses.
* @param bool $verbose Whether to output verbose progress information to the client or not. * @param bool $verbose Whether to output verbose progress information to the client or not.
* @return int The automatically calculated password hashing cost. * @return int The automatically calculated password hashing cost.