diff --git a/README b/README
index 007d85e..b0f0e31 100644
--- a/README
+++ b/README
@@ -1,4 +1,4 @@
-Gallery 3.0.2
+Gallery 3.0.4 ("Ricochet")
ABOUT:
Gallery 3 is a web based software product that lets you manage your
diff --git a/application/Bootstrap.php b/application/Bootstrap.php
index ff021fd..183705d 100644
--- a/application/Bootstrap.php
+++ b/application/Bootstrap.php
@@ -1,7 +1,7 @@
array(
'type' => '',
'user' => '',
- 'pass' => '',
+ 'pass' => '',
'host' => '',
'port' => '' false,
'socket' => false,
diff --git a/installer/index.php b/installer/index.php
index 5ac23cf..17c1dbf 100644
--- a/installer/index.php
+++ b/installer/index.php
@@ -1,7 +1,7 @@
We've found a place to store your photos:
- = VARPATH ?>
+ = htmlspecialchars(VARPATH, ENT_QUOTES, 'UTF-8', true) ?>
diff --git a/installer/web.php b/installer/web.php
index 0df9b69..12f42d0 100644
--- a/installer/web.php
+++ b/installer/web.php
@@ -1,7 +1,7 @@
$_POST["prefix"],
"type" => function_exists("mysqli_set_charset") ? "mysqli" : "mysql");
list ($config["host"], $config["port"]) = explode(":", $config["host"] . ":");
+ foreach ($config as $k => $v) {
+ if ($k == "password") {
+ $config[$k] = str_replace("'", "\\'", $v);
+ } else {
+ $config[$k] = strtr($v, "'`", "__");
+ }
+ }
if (!installer::connect($config)) {
$content = render("invalid_db_info.html.php");
diff --git a/lib/gallery.common.js b/lib/gallery.common.js
index 697a33c..755218f 100644
--- a/lib/gallery.common.js
+++ b/lib/gallery.common.js
@@ -33,6 +33,7 @@
var elh = $(el).height();
var ph = $(this).height();
var nh = (ph - elh) / 2;
+ if (nh < 1) { var nh = 0; }
$(el).css('margin-top', nh);
});
};
@@ -221,4 +222,32 @@
});
};
+ // Augment jQuery autocomplete to expect the first response line to
+ // be a tag that protects against UTF-7 attacks.
+ $.fn.gallery_autocomplete = function(url, options) {
+ // Drop the first response - it should be a meta tag
+ options.parse = function(data) {
+ var parsed = [];
+ var rows = data.split("\n");
+ if (rows[0].indexOf(" tag in first line of autocomplete response';
+ }
+ rows.shift(); // drop tag
+ for (var i=0; i < rows.length; i++) {
+ var row = $.trim(rows[i]);
+ if (row) {
+ row = row.split("|");
+ parsed[parsed.length] = {
+ data: row,
+ value: row[0],
+ result: row[0]
+ };
+ }
+ }
+ return parsed;
+ };
+
+ $(this).autocomplete(url, options);
+ };
+
})(jQuery);
diff --git a/lib/gallery.dialog.js b/lib/gallery.dialog.js
index 087b00a..3115532 100644
--- a/lib/gallery.dialog.js
+++ b/lib/gallery.dialog.js
@@ -71,6 +71,12 @@
$("#g-dialog").dialog("option", "self", self);
},
+ error: function(xhr, textStatus, errorThrown) {
+ $("#g-dialog").html(xhr.responseText);
+ self._set_title();
+ self._layout();
+ },
+
_layout: function() {
var dialogWidth;
var dialogHeight = $("#g-dialog").height();
@@ -178,7 +184,12 @@
window.location.reload();
}
}
- }
+ },
+ error: function(xhr, textStatus, errorThrown) {
+ $("#g-dialog").html(xhr.responseText);
+ self._set_title();
+ self._layout();
+ }
});
},
diff --git a/lib/uploadify/jquery.uploadify.min.js b/lib/uploadify/jquery.uploadify.min.js
index 4305311..17127a7 100644
--- a/lib/uploadify/jquery.uploadify.min.js
+++ b/lib/uploadify/jquery.uploadify.min.js
@@ -1,26 +1,27 @@
-/*
-Uploadify v2.1.0
-Release Date: August 24, 2009
-Copyright (c) 2009 Ronnie Garcia, Travis Nickels
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-THE SOFTWARE.
-*/
-
-if(jQuery){(function(a){a.extend(a.fn,{uploadify:function(b){a(this).each(function(){settings=a.extend({id:a(this).attr("id"),uploader:"uploadify.swf",script:"uploadify.php",expressInstall:null,folder:"",height:30,width:110,cancelImg:"cancel.png",wmode:"opaque",scriptAccess:"sameDomain",fileDataName:"Filedata",method:"POST",queueSizeLimit:999,simUploadLimit:1,queueID:false,displayData:"percentage",onInit:function(){},onSelect:function(){},onQueueFull:function(){},onCheck:function(){},onCancel:function(){},onError:function(){},onProgress:function(){},onComplete:function(){},onAllComplete:function(){}},b);var e=location.pathname;e=e.split("/");e.pop();e=e.join("/")+"/";var f={};f.uploadifyID=settings.id;f.pagepath=e;if(settings.buttonImg){f.buttonImg=escape(settings.buttonImg)}if(settings.buttonText){f.buttonText=escape(settings.buttonText)}if(settings.rollover){f.rollover=true}f.script=settings.script;f.folder=escape(settings.folder);if(settings.scriptData){var g="";for(var d in settings.scriptData){g+="&"+d+"="+settings.scriptData[d]}f.scriptData=escape(g.substr(1))}f.width=settings.width;f.height=settings.height;f.wmode=settings.wmode;f.method=settings.method;f.queueSizeLimit=settings.queueSizeLimit;f.simUploadLimit=settings.simUploadLimit;if(settings.hideButton){f.hideButton=true}if(settings.fileDesc){f.fileDesc=settings.fileDesc}if(settings.fileExt){f.fileExt=settings.fileExt}if(settings.multi){f.multi=true}if(settings.auto){f.auto=true}if(settings.sizeLimit){f.sizeLimit=settings.sizeLimit}if(settings.checkScript){f.checkScript=settings.checkScript}if(settings.fileDataName){f.fileDataName=settings.fileDataName}if(settings.queueID){f.queueID=settings.queueID}if(settings.onInit()!==false){a(this).css("display","none");a(this).after('');swfobject.embedSWF(settings.uploader,settings.id+"Uploader",settings.width,settings.height,"9.0.24",settings.expressInstall,f,{quality:"high",wmode:settings.wmode,allowScriptAccess:settings.scriptAccess});if(settings.queueID==false){a("#"+a(this).attr("id")+"Uploader").after('')}}if(typeof(settings.onOpen)=="function"){a(this).bind("uploadifyOpen",settings.onOpen)}a(this).bind("uploadifySelect",{action:settings.onSelect,queueID:settings.queueID},function(j,h,i){if(j.data.action(j,h,i)!==false){var k=Math.round(i.size/1024*100)*0.01;var l="KB";if(k>1000){k=Math.round(k*0.001*100)*0.01;l="MB"}var m=k.toString().split(".");if(m.length>1){k=m[0]+"."+m[1].substr(0,2)}else{k=m[0]}if(i.name.length>20){fileName=i.name.substr(0,20)+"..."}else{fileName=i.name}queue="#"+a(this).attr("id")+"Queue";if(j.data.queueID){queue="#"+j.data.queueID}a(queue).append('')}});if(typeof(settings.onSelectOnce)=="function"){a(this).bind("uploadifySelectOnce",settings.onSelectOnce)}a(this).bind("uploadifyQueueFull",{action:settings.onQueueFull},function(h,i){if(h.data.action(h,i)!==false){alert("The queue is full. The max size is "+i+".")}});a(this).bind("uploadifyCheckExist",{action:settings.onCheck},function(m,l,k,j,o){var i=new Object();i=k;i.folder=e+j;if(o){for(var h in k){var n=h}}a.post(l,i,function(r){for(var p in r){if(m.data.action(m,l,k,j,o)!==false){var q=confirm("Do you want to replace the file "+r[p]+"?");if(!q){document.getElementById(a(m.target).attr("id")+"Uploader").cancelFileUpload(p,true,true)}}}if(o){document.getElementById(a(m.target).attr("id")+"Uploader").startFileUpload(n,true)}else{document.getElementById(a(m.target).attr("id")+"Uploader").startFileUpload(null,true)}},"json")});a(this).bind("uploadifyCancel",{action:settings.onCancel},function(l,h,k,m,j){if(l.data.action(l,h,k,m,j)!==false){var i=(j==true)?0:250;a("#"+a(this).attr("id")+h).fadeOut(i,function(){a(this).remove()})}});if(typeof(settings.onClearQueue)=="function"){a(this).bind("uploadifyClearQueue",settings.onClearQueue)}var c=[];a(this).bind("uploadifyError",{action:settings.onError},function(l,h,k,j){if(l.data.action(l,h,k,j)!==false){var i=new Array(h,k,j);c.push(i);a("#"+a(this).attr("id")+h+" .percentage").text(" - "+j.type+" Error");a("#"+a(this).attr("id")+h).addClass("uploadifyError")}});a(this).bind("uploadifyProgress",{action:settings.onProgress,toDisplay:settings.displayData},function(j,h,i,k){if(j.data.action(j,h,i,k)!==false){a("#"+a(this).attr("id")+h+"ProgressBar").css("width",k.percentage+"%");if(j.data.toDisplay=="percentage"){displayData=" - "+k.percentage+"%"}if(j.data.toDisplay=="speed"){displayData=" - "+k.speed+"KB/s"}if(j.data.toDisplay==null){displayData=" "}a("#"+a(this).attr("id")+h+" .percentage").text(displayData)}});a(this).bind("uploadifyComplete",{action:settings.onComplete},function(k,h,j,i,l){if(k.data.action(k,h,j,unescape(i),l)!==false){a("#"+a(this).attr("id")+h+" .percentage").text(" - Completed");a("#"+a(this).attr("id")+h).fadeOut(250,function(){a(this).remove()})}});if(typeof(settings.onAllComplete)=="function"){a(this).bind("uploadifyAllComplete",{action:settings.onAllComplete},function(h,i){if(h.data.action(h,i)!==false){c=[]}})}})},uploadifySettings:function(f,j,c){var g=false;a(this).each(function(){if(f=="scriptData"&&j!=null){if(c){var i=j}else{var i=a.extend(settings.scriptData,j)}var l="";for(var k in i){l+="&"+k+"="+escape(i[k])}j=l.substr(1)}g=document.getElementById(a(this).attr("id")+"Uploader").updateSettings(f,j)});if(j==null){if(f=="scriptData"){var b=unescape(g).split("&");var e=new Object();for(var d=0;d');swfobject.embedSWF(settings.uploader,settings.id+'Uploader',settings.width,settings.height,'9.0.24',settings.expressInstall,data,{'quality':'high','wmode':settings.wmode,'allowScriptAccess':settings.scriptAccess});if(settings.queueID==false){jQuery("#"+jQuery(this).attr('id')+"Uploader").after('');}}
+if(typeof(settings.onOpen)=='function'){jQuery(this).bind("uploadifyOpen",settings.onOpen);}
+jQuery(this).bind("uploadifySelect",{'action':settings.onSelect,'queueID':settings.queueID},function(event,ID,fileObj){if(event.data.action(event,ID,fileObj)!==false){var byteSize=Math.round(fileObj.size/1024*100)*.01;var suffix='KB';if(byteSize>1000){byteSize=Math.round(byteSize*.001*100)*.01;suffix='MB';}
+var sizeParts=byteSize.toString().split('.');if(sizeParts.length>1){byteSize=sizeParts[0]+'.'+sizeParts[1].substr(0,2);}else{byteSize=sizeParts[0];}
+if(fileObj.name.length>20){fileName=fileObj.name.substr(0,20)+'...';}else{fileName=fileObj.name;}
+queue='#'+jQuery(this).attr('id')+'Queue';if(event.data.queueID){queue='#'+event.data.queueID;}
+jQuery(queue).append('\
+
\
+
\
+
\
+
\
+
\
+
');jQuery('div#'+jQuery(this).attr('id')+ID+' span.fileName').text(fileName+' ('+byteSize+suffix+')');}});if(typeof(settings.onSelectOnce)=='function'){jQuery(this).bind("uploadifySelectOnce",settings.onSelectOnce);}
+jQuery(this).bind("uploadifyQueueFull",{'action':settings.onQueueFull},function(event,queueSizeLimit){if(event.data.action(event,queueSizeLimit)!==false){alert('The queue is full. The max size is '+queueSizeLimit+'.');}});jQuery(this).bind("uploadifyCheckExist",{'action':settings.onCheck},function(event,checkScript,fileQueueObj,folder,single){var postData=new Object();postData=fileQueueObj;postData.folder=pagePath+folder;if(single){for(var ID in fileQueueObj){var singleFileID=ID;}}
+jQuery.post(checkScript,postData,function(data){for(var key in data){if(event.data.action(event,checkScript,fileQueueObj,folder,single)!==false){var replaceFile=confirm("Do you want to replace the file "+data[key]+"?");if(!replaceFile){document.getElementById(jQuery(event.target).attr('id')+'Uploader').cancelFileUpload(key,true,true);}}}
+if(single){document.getElementById(jQuery(event.target).attr('id')+'Uploader').startFileUpload(singleFileID,true);}else{document.getElementById(jQuery(event.target).attr('id')+'Uploader').startFileUpload(null,true);}},"json");});jQuery(this).bind("uploadifyCancel",{'action':settings.onCancel},function(event,ID,fileObj,data,clearFast){if(event.data.action(event,ID,fileObj,data,clearFast)!==false){var fadeSpeed=(clearFast==true)?0:250;jQuery("#"+jQuery(this).attr('id')+ID).fadeOut(fadeSpeed,function(){jQuery(this).remove()});}});if(typeof(settings.onClearQueue)=='function'){jQuery(this).bind("uploadifyClearQueue",settings.onClearQueue);}
+var errorArray=[];jQuery(this).bind("uploadifyError",{'action':settings.onError},function(event,ID,fileObj,errorObj){if(event.data.action(event,ID,fileObj,errorObj)!==false){var fileArray=new Array(ID,fileObj,errorObj);errorArray.push(fileArray);jQuery("#"+jQuery(this).attr('id')+ID+" .percentage").text(" - "+errorObj.type+" Error");jQuery("#"+jQuery(this).attr('id')+ID).addClass('uploadifyError');}});jQuery(this).bind("uploadifyProgress",{'action':settings.onProgress,'toDisplay':settings.displayData},function(event,ID,fileObj,data){if(event.data.action(event,ID,fileObj,data)!==false){jQuery("#"+jQuery(this).attr('id')+ID+"ProgressBar").css('width',data.percentage+'%');if(event.data.toDisplay=='percentage')displayData=' - '+data.percentage+'%';if(event.data.toDisplay=='speed')displayData=' - '+data.speed+'KB/s';if(event.data.toDisplay==null)displayData=' ';jQuery("#"+jQuery(this).attr('id')+ID+" .percentage").text(displayData);}});jQuery(this).bind("uploadifyComplete",{'action':settings.onComplete},function(event,ID,fileObj,response,data){if(event.data.action(event,ID,fileObj,unescape(response),data)!==false){jQuery("#"+jQuery(this).attr('id')+ID+" .percentage").text(' - Completed');jQuery("#"+jQuery(this).attr('id')+ID).fadeOut(250,function(){jQuery(this).remove()});}});if(typeof(settings.onAllComplete)=='function'){jQuery(this).bind("uploadifyAllComplete",{'action':settings.onAllComplete},function(event,uploadObj){if(event.data.action(event,uploadObj)!==false){errorArray=[];}});}});},uploadifySettings:function(settingName,settingValue,resetObject){var returnValue=false;jQuery(this).each(function(){if(settingName=='scriptData'&&settingValue!=null){if(resetObject){var scriptData=settingValue;}else{var scriptData=jQuery.extend(settings.scriptData,settingValue);}
+var scriptDataString='';for(var name in scriptData){scriptDataString+='&'+name+'='+escape(scriptData[name]);}
+settingValue=scriptDataString.substr(1);}
+returnValue=document.getElementById(jQuery(this).attr('id')+'Uploader').updateSettings(settingName,settingValue);});if(settingValue==null){if(settingName=='scriptData'){var returnSplit=unescape(returnValue).split('&');var returnObj=new Object();for(var i=0;ivalidate();
module::set_var("comment", "access_permissions",
$form->comment_settings->access_permissions->value);
+ module::set_var("comment", "rss_visible",
+ $form->comment_settings->rss_visible->value);
message::success(t("Comment settings updated"));
url::redirect("admin/comments");
}
@@ -45,6 +47,12 @@ class Admin_Comments_Controller extends Admin_Controller {
->options(array("everybody" => t("Everybody"),
"registered_users" => t("Only registered users")))
->selected(module::get_var("comment", "access_permissions"));
+ $comment_settings->dropdown("rss_visible")
+ ->label(t("Which RSS feeds can users see?"))
+ ->options(array("all" => t("All comment feeds"),
+ "newest" => t("New comments feed only"),
+ "per_item" => t("Comments on photos, movies and albums only")))
+ ->selected(module::get_var("comment", "rss_visible"));
$comment_settings->submit("save")->value(t("Save"));
return $form;
}
diff --git a/modules/comment/controllers/admin_manage_comments.php b/modules/comment/controllers/admin_manage_comments.php
index 72684e7..bb5745a 100644
--- a/modules/comment/controllers/admin_manage_comments.php
+++ b/modules/comment/controllers/admin_manage_comments.php
@@ -1,7 +1,7 @@
id"] =
t("Comments on %title", array("title" => html::purify($item->title)));
}
@@ -29,7 +43,7 @@ class comment_rss_Core {
}
static function feed($feed_id, $offset, $limit, $id) {
- if ($feed_id != "newest" && $feed_id != "item") {
+ if (!comment_rss::feed_visible($feed_id)) {
return;
}
@@ -51,7 +65,7 @@ class comment_rss_Core {
foreach ($comments->find_all($limit, $offset) as $comment) {
$item = $comment->item();
$feed->comments[] = new ArrayObject(
- array("pub_date" => date("D, d M Y H:i:s T", $comment->created),
+ array("pub_date" => date("D, d M Y H:i:s O", $comment->created),
"text" => nl2br(html::purify($comment->text)),
"thumb_url" => $item->thumb_url(),
"thumb_height" => $item->thumb_height,
diff --git a/modules/comment/helpers/comment_theme.php b/modules/comment/helpers/comment_theme.php
index 398f84b..a152457 100644
--- a/modules/comment/helpers/comment_theme.php
+++ b/modules/comment/helpers/comment_theme.php
@@ -1,7 +1,7 @@
get("q");
foreach (glob("{$path_prefix}*") as $file) {
if (is_dir($file) && !is_link($file)) {
+ $file = html::clean($file);
$directories[] = $file;
// If we find an embed.php, include it as well
@@ -113,7 +114,7 @@ class Admin_g2_import_Controller extends Admin_Controller {
}
}
- print implode("\n", $directories);
+ ajax::response(implode("\n", $directories));
}
private function _get_import_form() {
diff --git a/modules/g2_import/controllers/g2.php b/modules/g2_import/controllers/g2.php
index 90984e8..6c96089 100644
--- a/modules/g2_import/controllers/g2.php
+++ b/modules/g2_import/controllers/g2.php
@@ -1,7 +1,7 @@
get("path");
$id = $input->get("g2_itemId");
- if ($path || $id) {
+ if (($path && $path != 'index.php' && $path != 'main.php') || $id) {
if ($id) {
// Requests by id are either core.DownloadItem or core.ShowItem requests. Later versions of
// Gallery 2 don't specify g2_view if it's the default (core.ShowItem). And in some cases
diff --git a/modules/g2_import/helpers/g2_import.php b/modules/g2_import/helpers/g2_import.php
index 8a5d2c5..10af7d0 100644
--- a/modules/g2_import/helpers/g2_import.php
+++ b/modules/g2_import/helpers/g2_import.php
@@ -1,7 +1,7 @@
script("jquery.autocomplete.js") ?>