Merge pull request #261 from Fraenkiman/upstream/issue220

Prevents cross-site scripting (XSS) in the parameter username, Error messages now multilingual
2023-10-02 15:42:40 +02:00 · 2023-10-02 15:42:40 +02:00 · a4fe75dc0e
commit a4fe75dc0e
parent 809bae8c80 367ec99f32
8 changed files with 132 additions and 17 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -70,7 +70,7 @@
 - German translation for Comment Center plugin added ([#148](https://github.com/flatpressblog/flatpress/issues/148))
 - Fixed not-yet-translated phrases in Blog view and Admin Area ([#171](https://github.com/flatpressblog/flatpress/issues/171))
 - Contact form: Admin notification mail is now localized ([#205](https://github.com/flatpressblog/flatpress/issues/205))
- Setup tries to determine local language automatically ([#197](https://github.com/flatpressblog/flatpress/issues/197), [#216](https://github.com/flatpressblog/flatpress/issues/216))
+- Setup tries to determine local language automatically ([#197](https://github.com/flatpressblog/flatpress/issues/197), [#216](https://github.com/flatpressblog/flatpress/issues/216), [#262](https://github.com/flatpressblog/flatpress/issues/262))
 ## Bugfixes
 - Plugin management page: Removed empty warning messages box
@ -92,6 +92,7 @@
 - Possible XSSs in Admin Area prevented ([#180](https://github.com/flatpressblog/flatpress/issues/180), [#183](https://github.com/flatpressblog/flatpress/issues/183), [#187](https://github.com/flatpressblog/flatpress/issues/187))
 - Possible XSS in comments prevented ([#186](https://github.com/flatpressblog/flatpress/issues/186))
 - Possible CSRFs in Admin Area prevented ([#64](https://github.com/flatpressblog/flatpress/issues/64))
 - Possible XSS in FlatPress Installer prevented ([#220](https://github.com/flatpressblog/flatpress/issues/220))
 # 2021-06-19: [FlatPress 1.2.1](https://github.com/flatpressblog/flatpress/releases/tag/1.2.1)
 ## Bugfixes
--- a/setup/lang/lang.cs-cz.php
+++ b/setup/lang/lang.cs-cz.php
@ -1,6 +1,6 @@
 <?php
 /*
- * LangId: English
+ * LangId: Czechiscg
 */
 $lang ['locked'] = array(
 	'head' => 'Setup je uzamčen',
@ -17,6 +17,25 @@ $lang ['locked'] = array(
 		</ul>'
 );
 $lang ['err'] = array(
 	'setuprun1' => 'Instalace probíhá.',
 	'setuprun2' => 'Nastavení je spuštěno: Pokud jste správce, můžete odstranit ',
 	'setuprun3' => ' restartovat.',
 	'writeerror' => 'Chyba při psaní',
 	'fpuser1' => ' není platný uživatel. 
 		Uživatelské jméno musí být alfanumerické a nesmí obsahovat žádné mezery.',
 	'fpuser2' => ' není platný uživatel.
 		Uživatelské jméno může obsahovat pouze písmena, číslice a 1 podtržítko.',
 	'fppwd' => 'Heslo musí obsahovat alespoň 6 znaků a žádné mezery.',
 	'fppwd2' => 'Hesla se neshodují.',
 	'email' => ' není platná e-mailová adresa.',
 	'www' => ' není platná adresa URL.',
 	'error' => '<p><big>Chyba!</big> 
 		Při zpracování formuláře došlo k následujícím chybám:</p><ul>'
 );
 $lang ['step1'] = array(
 	'head' => 'Vítejte ve FlatPressu!',
 	'descr' => 'Děkujeme, že jste si vybrali <strong>FlatPress</strong>.
--- a/setup/lang/lang.de-de.php
+++ b/setup/lang/lang.de-de.php
@ -16,6 +16,25 @@ $lang ['locked'] = array(
 		</ul>'
 );
 $lang ['err'] = array(
 	'setuprun1' => 'Die Installation läuft.',
 	'setuprun2' => 'Die Installation läuft bereits: Wenn du der Administrator bist, kannst du ',
 	'setuprun3' => ' löschen, um neu zu starten.',
 	'writeerror' => 'Fehler beim Schreiben',
 	'fpuser1' => ' ist kein gültiger Benutzer.
 		Der Benutzername muss alphanumerisch sein und darf keine Leerzeichen enthalten.',
 	'fpuser2' => ' ist kein gültiger Benutzer.
 		Der Benutzername darf nur Buchstaben, Zahlen und 1 Unterstrich enthalten.',
 	'fppwd' => 'Das Passwort muss mindestens 6 Zeichen und darf keine Leerzeichen enthalten.',
 	'fppwd2' => 'Die Passwörter stimmen nicht überein.',
 	'email' => ' ist keine gültige E-Mail Adresse.',
 	'www' => ' ist keine gültige URL.',
 	'error' => '<p><big>Fehler!</big> 
 		Bei der Bearbeitung des Formulars sind die folgenden Fehler aufgetreten:</p><ul>'
 );
 $lang ['step1'] = array(
 	'head' => 'Willkommen bei FlatPress!',
 	'descr' => 'Danke, dass du dich für <strong>FlatPress</strong> entschieden hast.
--- a/setup/lang/lang.it-it.php
+++ b/setup/lang/lang.it-it.php
@ -17,6 +17,25 @@ $lang ['locked'] = array(
 		</ul>'
 );
 $lang ['err'] = array(
 	'setuprun1' => 'L\'installazione è in corso.',
 	'setuprun2' => 'L\'installazione è già in corso: se siete l\'amministratore, potete cancellare ',
 	'setuprun3' => ' per riavviare.',
 	'writeerror' => 'Errore di scrittura',
 	'fpuser1' => ' non è un utente valido.
 		Il nome utente deve essere alfanumerico e non deve contenere spazi.',
 	'fpuser2' => ' non è un utente valido.
 		Il nome utente può contenere solo lettere, numeri e 1 trattino basso.',
 	'fppwd' => 'La password deve contenere almeno 6 caratteri e nessuno spazio.',
 	'fppwd2' => 'Le password non corrispondono.',
 	'email' => ' non è un indirizzo e-mail valido.',
 	'www' => ' non è un URL valido.',
 	'error' => '<p><big>Errore!</big> 
 		Durante l\'elaborazione del modulo si sono verificati i seguenti errori:</p><ul>'
 );
 $lang ['step1'] = array(
 	'head' => 'Benvenuto in FlatPress!',
 	'descr' => 'Grazie per aver scelto <strong>FlatPress</strong>.
--- a/setup/lang/lang.ja-jp.php
+++ b/setup/lang/lang.ja-jp.php
@ -17,6 +17,25 @@ $lang ['locked'] = array(
 		</ul>'
 );
 $lang ['err'] = array(
 	'setuprun1' => 'インストールは実行中です。',
 	'setuprun2' => 'インストールがすでに実行されています: 管理者であれば、 ',
 	'setuprun3' => ' を削除して再起動できます。',
 	'writeerror' => '書き込みエラー',
 	'fpuser1' => ' は有効なユーザーではありません。
 		ユーザー名は英数字でなければならず、スペースを含んではならない。',
 	'fpuser2' => ' は有効なユーザーではありません。
 		ユーザー名にはアルファベット、数字、アンダースコア1文字のみを使用することができます。',
 	'fppwd' => 'パスワードは6文字以上で、スペースは使用しないでください。',
 	'fppwd2' => 'パスワードが一致しない。',
 	'email' => ' は有効なメールアドレスではありません。',
 	'www' => ' は有効なURLではありません。',
 	'error' => '<p><big>エラー！</big> 
 		フォームの処理中に以下のエラーが発生しました：</p><ul>'
 );
 $lang ['step1'] = array(
 	'head' => 'ようこそFlatPressへ',
 	'descr' => '<strong>FlatPress</strong>を選んでくださり, 感謝申し上げます!
--- a/setup/lang/lang.nl-nl.php
+++ b/setup/lang/lang.nl-nl.php
@ -17,6 +17,25 @@ $lang ['locked'] = array(
 		</ul>'
 );
 $lang ['err'] = array(
 	'setuprun1' => 'De installatie wordt uitgevoerd.',
 	'setuprun2' => 'De installatie loopt al: Als je de beheerder bent, kun je ',
 	'setuprun3' => ' verwijderen om opnieuw te starten.',
 	'writeerror' => 'Fout in schrijven',
 	'fpuser1' => ' is geen geldige gebruiker.
 		De gebruikersnaam moet alfanumeriek zijn en mag geen spaties bevatten.',
 	'fpuser2' => ' is geen geldige gebruiker.
 		De gebruikersnaam mag alleen letters, cijfers en 1 underscore bevatten.',
 	'fppwd' => 'Het wachtwoord moet minstens 6 tekens en geen spaties bevatten.',
 	'fppwd2' => 'De wachtwoorden komen niet overeen.',
 	'email' => ' is geen geldig e-mailadres.',
 	'www' => ' is geen geldige URL.',
 	'error' => '<p><big>Fout!</big> 
 		De volgende fouten zijn opgetreden tijdens het verwerken van het formulier:</p><ul>'
 );
 $lang ['step1'] = array(
 	'head' => 'Welkom bij FlatPress!',
 	'descr' => 'Bedankt dat je gekozen hebt voor <strong>FlatPress</strong>.
--- a/setup/lang/lang.pt-br.php
+++ b/setup/lang/lang.pt-br.php
@ -1,6 +1,6 @@
 <?php
 /*
- * LangId: English
+ * LangId: Português (BR)
 */
 // TERMINADO!
@ -19,6 +19,25 @@ encontramos o arquivo de bloqueio. <code>%s</code>.
 		</ul>'
 );
 $lang ['err'] = array(
 	'setuprun1' => 'A instalação está sendo executada.',
 	'setuprun2' => 'A instalação já está em execução: se você for o administrador, poderá excluir ',
 	'setuprun3' => ' para reiniciar.',
 	'writeerror' => 'Erro de escrita',
 	'fpuser1' => ' não é um usuário válido.
 		O nome de usuário deve ser alfanumérico e não deve conter espaços.',
 	'fpuser2' => ' não é um usuário válido.
 		O nome de usuário só pode conter letras, números e um sublinhado.',
 	'fppwd' => 'A senha deve conter pelo menos 6 caracteres e nenhum espaço.',
 	'fppwd2' => 'As senhas não correspondem.',
 	'email' => ' não é um endereço de e-mail válido.',
 	'www' => ' não é um URL válido.',
 	'error' => '<p><big>Erro!</big> 
 		Os seguintes erros ocorreram durante o processamento do formulário:</p><ul>'
 );
 $lang ['step1'] = array(
 	'head' => 'Bem-vindo ao FlatPress!',
 	'descr' => 'Obrigado por escolher <strong>o FlatPress</strong>.
--- a/setup/lib/main.lib.php
+++ b/setup/lib/main.lib.php
@ -2,7 +2,7 @@
 $err = array();
 function print_done_fail($label, $bool) {
-	echo "<li>", $label . ' <strong style="color :' . (($bool) ? 'green;">DONE' : 'red;">FAILED') . '</strong><br />', "</li>\n";
+	echo "<li>", $label . ' <strong style="color: ' . (($bool) ? 'green;">DONE' : 'red;">FAILED') . '</strong><br>', "</li>\n";
 }
 function config_exist() {
@ -35,7 +35,7 @@ function setupid() {
 }
 function getstep(&$id) {
-	global $err;
+	global $err, $lang;
 	$STEPS = array(
 		'locked',
@ -54,7 +54,7 @@ function getstep(&$id) {
 		$setupid = setupid();
 		if (!$setupid)
-			die('Setup is running');
+			die($lang ['err'] ['setuprun1']);
 		if (!file_exists(SETUPTEMP_FILE)) {
 			if (empty($_POST))
@ -64,7 +64,7 @@ function getstep(&$id) {
 		} else {
 			$x = explode(',', io_load_file(SETUPTEMP_FILE));
 			if ($x [0] != $setupid)
-				die('Setup is running: if you are the owner, you can delete ' . SETUPTEMP_FILE . ' to restart');
+				die($lang ['err'] ['setuprun2'] . SETUPTEMP_FILE . $lang ['err'] ['setuprun3']);
 			$i = intval($x [1]);
 		}
@ -83,7 +83,7 @@ function getstep(&$id) {
 				io_write_file(LOCKFILE, "locked");
 			} else {
 				if ($i > 0 && !@io_write_file(SETUPTEMP_FILE, "$setupid,$i")) {
-					$err [] = 'Write error';
+					$err [] = $lang ['err'] ['writeerror'];
 				}
 			}
 		}
@ -95,26 +95,26 @@ function getstep(&$id) {
 }
 function validate() {
 	global $lang;
 	$fpuser = strip_tags($_POST ['fpuser']);
 	$fppwd = $_POST ['fppwd'];
 	$fppwd2 = $_POST ['fppwd2'];
 	$email = strip_tags($_POST ['email']);
 	$www = strip_tags($_POST ['www']);
-	if (!ctype_alnum($fpuser)) {
+	if (!(preg_match('/^[\w]+$/u', $fpuser))) {
-		$err [] = $fpuser . " is not a valid username. 
+		$err [] = $fpuser . $lang ['err'] ['fpuser2'];
 		Username must be alphanumeric and should not contain spaces.";
 	}
 	if (strlen(trim(($fppwd))) < 6) {
-		$err [] = "Password must contain at least 6 non-space characters";
+		$err [] = $lang ['err'] ['fppwd'];
 	}
 	if (($fppwd) != ($fppwd2)) {
-		$err [] = "Passwords did not match";
+		$err [] = $lang ['err'] ['fppwd2'];
 	}
 	if (!(preg_match('!@.*@|\.\.|\,|\;!', $email) || preg_match('!^.+\@(\[?)[a-zA-Z0-9\.\-]+\.([a-zA-Z]{2,4}|[0-9]{1,3})(\]?)$!', $email))) {
-		$err [] = $email . " is not a valid email address";
+		$err [] = $email . $lang ['err'] ['email'];
 	}
 	if (!(preg_match('!^http(s)?://[\w-]+\.[\w-]+(\S+)?$!i', $www) || preg_match('!^http(s)?://localhost!', $www)))
-		$err [] = $www . " is not a valid URL";
+		$err [] = $www . $lang ['err'] ['www'];
 	if ($www && $www [strlen($www) - 1] != '/') {
 		$www .= '/';
 	}
@ -145,9 +145,9 @@ function validate() {
 function print_err() {
 	global $err;
 	global $lang;
 	if (isset($err)) {
-		echo "<p><big>Error!</big> 
+		echo $lang ['err'] ['www'];
 		The following errors have been encountered processing the form:</p><ul>";
 		foreach ($err as $val) {
 			echo "<li>$val</li>";
 		}