Beanz/flatpress
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'flatpressblog:master' into master

Browse Source
This commit is contained in:
Fraenkiman 2022-12-29 22:16:49 +01:00 committed by GitHub
commit 8ac157cc1b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 166 additions and 107 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
CHANGELOG.md
View File

@ -53,7 +53,7 @@
- Possible XSS in setup prevented ([#176](https://github.com/flatpressblog/flatpress/issues/176)) - Possible XSS in setup prevented ([#176](https://github.com/flatpressblog/flatpress/issues/176))
- Possible XSS in Media Manager plugin prevented ([#177](https://github.com/flatpressblog/flatpress/issues/177)) - Possible XSS in Media Manager plugin prevented ([#177](https://github.com/flatpressblog/flatpress/issues/177))
- Possible path traversal in Media Manager plugin prevented ([#179](https://github.com/flatpressblog/flatpress/issues/179)) - Possible path traversal in Media Manager plugin prevented ([#179](https://github.com/flatpressblog/flatpress/issues/179))
- Possible XSS in Admin Area prevented ([#180](https://github.com/flatpressblog/flatpress/issues/180)) - Possible XSSs in Admin Area prevented ([#180](https://github.com/flatpressblog/flatpress/issues/180), [#183](https://github.com/flatpressblog/flatpress/issues/183))
# 2021-06-19: [FlatPress 1.2.1](https://github.com/flatpressblog/flatpress/releases/tag/1.2.1) # 2021-06-19: [FlatPress 1.2.1](https://github.com/flatpressblog/flatpress/releases/tag/1.2.1)
## Bugfixes ## Bugfixes

1
CONTRIBUTORS.md
View File

@ -38,3 +38,4 @@ FlatPress utilizes the following free frameworks and libraries. Thanks to their
## Other contributions ## Other contributions
- [Julian Rademacher](https://moortaube.de/) generously donated his Twitter account [@FlatPress](https://twitter.com/FlatPress). Also thanks for your useful pull requests! - [Julian Rademacher](https://moortaube.de/) generously donated his Twitter account [@FlatPress](https://twitter.com/FlatPress). Also thanks for your useful pull requests!
- [Fraenkiman](https://github.com/Fraenkiman) tests FlatPress to its very core and creates a metric ton of very helpful [issues](https://github.com/flatpressblog/flatpress/issues). - [Fraenkiman](https://github.com/Fraenkiman) tests FlatPress to its very core and creates a metric ton of very helpful [issues](https://github.com/flatpressblog/flatpress/issues).
- And last but not least: A big shout out to all the security researchers voluntarily reporting possible vulnerabilities in the FlatPress code on platforms like https://huntr.dev, or by opening [issues](https://github.com/flatpressblog/flatpress/issues). You make FlatPress a lot more secure for everyone!

120
admin/panels/config/admin.config.php
View File

@ -1,7 +1,9 @@
<?php <?php
class admin_config extends AdminPanel { class admin_config extends AdminPanel {
var $panelname = 'config'; var $panelname = 'config';
} }
class admin_config_default extends AdminPanelActionValidated { class admin_config_default extends AdminPanelActionValidated {
@ -9,27 +11,96 @@
var $validators = array( var $validators = array(
// not needed anymore ! // not needed anymore !
// array('blog_root', 'blog_root', 'notEmpty', false, false, 'trim'), // array('blog_root', 'blog_root', 'notEmpty', false, false, 'trim'),
array('www', 'www', 'notEmpty', false, false, 'trim'), array(
'www',
'www',
'notEmpty',
false,
false,
'trim'
),
// ... // ...
array('title', 'title', 'notEmpty', false, false, 'trim'), array(
'title',
'title',
'notEmpty',
false,
false,
'trim'
),
// array('subtitle', 'subtitle', 'notEmpty', false, false, 'trim'), // array('subtitle', 'subtitle', 'notEmpty', false, false, 'trim'),
// array('blogfooter', 'blogfooter', 'notEmpty', false, false, 'trim'), // array('blogfooter', 'blogfooter', 'notEmpty', false, false, 'trim'),
array('email', 'email', 'isEmail', false, false, 'trim'), array(
array('maxentries', 'maxentries', 'isInt', false, false, 'trim'), 'email',
'email',
array('timeoffset', 'timeoffset', 'isNumber', false, false, 'trim'), 'isEmail',
array('timeformat', 'timeformat', 'notEmpty', false, false, 'trim'), false,
array('dateformat', 'dateformat', 'notEmpty', false, false, 'trim'), false,
array('dateformatshort', 'dateformatshort', 'notEmpty', false, false, 'trim'), 'trim'
),
array('lang', 'lang', 'notEmpty', false, false, 'trim'), array(
array('charset', 'charset', 'notEmpty', false, false, 'trim'), 'maxentries',
'maxentries',
'isInt',
false,
false,
'trim'
),
array(
'timeoffset',
'timeoffset',
'isNumber',
false,
false,
'trim'
),
array(
'timeformat',
'timeformat',
'notEmpty',
false,
false,
'trim'
),
array(
'dateformat',
'dateformat',
'notEmpty',
false,
false,
'trim'
),
array(
'dateformatshort',
'dateformatshort',
'notEmpty',
false,
false,
'trim'
),
array(
'lang',
'lang',
'notEmpty',
false,
false,
'trim'
),
array(
'charset',
'charset',
'notEmpty',
false,
false,
'trim'
)
); );
var $events = array('save'); var $events = array(
'save'
);
function setup() { function setup() {
$this->smarty->assign('themes', theme_list()); $this->smarty->assign('themes', theme_list());
@ -42,20 +113,17 @@
} }
$this->smarty->assign('static_list', $static_list); $this->smarty->assign('static_list', $static_list);
} }
function onsave() { function onsave() {
global $fp_config; global $fp_config;
$l = explode(',', $_POST ['lang']); $l = explode(',', $_POST ['lang']);
$fp_config ['general'] = array( $fp_config ['general'] = array(
// 'BLOG_ROOT' => $_POST['blog_root'], // 'BLOG_ROOT' => $_POST['blog_root'],
'www' => $_POST ['www'], 'www' => $_POST ['www'],
'title' => html_entity_decode(stripslashes($_POST['title'])), 'title' => wp_specialchars(stripslashes($_POST ['title'])),
'subtitle' => html_entity_decode(stripslashes($_POST['subtitle'])), 'subtitle' => wp_specialchars(stripslashes($_POST ['subtitle'])),
'footer' => html_entity_decode(stripslashes($_POST['blogfooter'])), 'footer' => wp_specialchars(stripslashes($_POST ['blogfooter'])),
'author' => $_POST ['author'], 'author' => $_POST ['author'],
'email' => $_POST ['email'], 'email' => $_POST ['email'],
'startpage' => ($_POST ['startpage'] == ':NULL:') ? null : $_POST ['startpage'], 'startpage' => ($_POST ['startpage'] == ':NULL:') ? null : $_POST ['startpage'],
@ -66,8 +134,7 @@
'theme' => $fp_config ['general'] ['theme'], 'theme' => $fp_config ['general'] ['theme'],
'style' => @$fp_config ['general'] ['style'], 'style' => @$fp_config ['general'] ['style'],
'blogid' => $fp_config ['general'] ['blogid'], 'blogid' => $fp_config ['general'] ['blogid'],
'charset'=> 'utf-8', 'charset' => 'utf-8'
); );
$fp_config ['locale'] = array( $fp_config ['locale'] = array(
@ -79,20 +146,14 @@
'lang' => $_POST ['lang'] 'lang' => $_POST ['lang']
); );
// 'LANG' => $l[0], // 'LANG' => $l[0],
// 'CHARSET'=> $l[1], // 'CHARSET'=> $l[1],
$success = config_save() ? 1 : -1; $success = config_save() ? 1 : -1;
$this->smarty->assign('success', $success); $this->smarty->assign('success', $success);
return 1; return 1;
} }
function onerror() { function onerror() {
@ -102,12 +163,9 @@
function cleartplcache() { function cleartplcache() {
// if theme was switched, clear tpl cache // if theme was switched, clear tpl cache
$tpl = new tpl_deleter(); $tpl = new tpl_deleter();
$tpl->getList(); $tpl->getList();
} }
} }