diff --git a/README b/README index 007d85e..b0f0e31 100644 --- a/README +++ b/README @@ -1,4 +1,4 @@ -Gallery 3.0.2 +Gallery 3.0.4 ("Ricochet") ABOUT: Gallery 3 is a web based software product that lets you manage your diff --git a/application/Bootstrap.php b/application/Bootstrap.php index ff021fd..183705d 100644 --- a/application/Bootstrap.php +++ b/application/Bootstrap.php @@ -1,7 +1,7 @@ array( 'type' => '', 'user' => '', - 'pass' => '', + 'pass' => '', 'host' => '', 'port' => '' false, 'socket' => false, diff --git a/installer/index.php b/installer/index.php index 5ac23cf..17c1dbf 100644 --- a/installer/index.php +++ b/installer/index.php @@ -1,7 +1,7 @@

We've found a place to store your photos: - +

diff --git a/installer/web.php b/installer/web.php index 0df9b69..12f42d0 100644 --- a/installer/web.php +++ b/installer/web.php @@ -1,7 +1,7 @@ $_POST["prefix"], "type" => function_exists("mysqli_set_charset") ? "mysqli" : "mysql"); list ($config["host"], $config["port"]) = explode(":", $config["host"] . ":"); + foreach ($config as $k => $v) { + if ($k == "password") { + $config[$k] = str_replace("'", "\\'", $v); + } else { + $config[$k] = strtr($v, "'`", "__"); + } + } if (!installer::connect($config)) { $content = render("invalid_db_info.html.php"); diff --git a/lib/gallery.common.js b/lib/gallery.common.js index 697a33c..755218f 100644 --- a/lib/gallery.common.js +++ b/lib/gallery.common.js @@ -33,6 +33,7 @@ var elh = $(el).height(); var ph = $(this).height(); var nh = (ph - elh) / 2; + if (nh < 1) { var nh = 0; } $(el).css('margin-top', nh); }); }; @@ -221,4 +222,32 @@ }); }; + // Augment jQuery autocomplete to expect the first response line to + // be a tag that protects against UTF-7 attacks. + $.fn.gallery_autocomplete = function(url, options) { + // Drop the first response - it should be a meta tag + options.parse = function(data) { + var parsed = []; + var rows = data.split("\n"); + if (rows[0].indexOf(" tag in first line of autocomplete response'; + } + rows.shift(); // drop tag + for (var i=0; i < rows.length; i++) { + var row = $.trim(rows[i]); + if (row) { + row = row.split("|"); + parsed[parsed.length] = { + data: row, + value: row[0], + result: row[0] + }; + } + } + return parsed; + }; + + $(this).autocomplete(url, options); + }; + })(jQuery); diff --git a/lib/gallery.dialog.js b/lib/gallery.dialog.js index 087b00a..3115532 100644 --- a/lib/gallery.dialog.js +++ b/lib/gallery.dialog.js @@ -71,6 +71,12 @@ $("#g-dialog").dialog("option", "self", self); }, + error: function(xhr, textStatus, errorThrown) { + $("#g-dialog").html(xhr.responseText); + self._set_title(); + self._layout(); + }, + _layout: function() { var dialogWidth; var dialogHeight = $("#g-dialog").height(); @@ -178,7 +184,12 @@ window.location.reload(); } } - } + }, + error: function(xhr, textStatus, errorThrown) { + $("#g-dialog").html(xhr.responseText); + self._set_title(); + self._layout(); + } }); }, diff --git a/lib/uploadify/jquery.uploadify.min.js b/lib/uploadify/jquery.uploadify.min.js index 4305311..17127a7 100644 --- a/lib/uploadify/jquery.uploadify.min.js +++ b/lib/uploadify/jquery.uploadify.min.js @@ -1,26 +1,27 @@ -/* -Uploadify v2.1.0 -Release Date: August 24, 2009 -Copyright (c) 2009 Ronnie Garcia, Travis Nickels - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in -all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -THE SOFTWARE. -*/ - -if(jQuery){(function(a){a.extend(a.fn,{uploadify:function(b){a(this).each(function(){settings=a.extend({id:a(this).attr("id"),uploader:"uploadify.swf",script:"uploadify.php",expressInstall:null,folder:"",height:30,width:110,cancelImg:"cancel.png",wmode:"opaque",scriptAccess:"sameDomain",fileDataName:"Filedata",method:"POST",queueSizeLimit:999,simUploadLimit:1,queueID:false,displayData:"percentage",onInit:function(){},onSelect:function(){},onQueueFull:function(){},onCheck:function(){},onCancel:function(){},onError:function(){},onProgress:function(){},onComplete:function(){},onAllComplete:function(){}},b);var e=location.pathname;e=e.split("/");e.pop();e=e.join("/")+"/";var f={};f.uploadifyID=settings.id;f.pagepath=e;if(settings.buttonImg){f.buttonImg=escape(settings.buttonImg)}if(settings.buttonText){f.buttonText=escape(settings.buttonText)}if(settings.rollover){f.rollover=true}f.script=settings.script;f.folder=escape(settings.folder);if(settings.scriptData){var g="";for(var d in settings.scriptData){g+="&"+d+"="+settings.scriptData[d]}f.scriptData=escape(g.substr(1))}f.width=settings.width;f.height=settings.height;f.wmode=settings.wmode;f.method=settings.method;f.queueSizeLimit=settings.queueSizeLimit;f.simUploadLimit=settings.simUploadLimit;if(settings.hideButton){f.hideButton=true}if(settings.fileDesc){f.fileDesc=settings.fileDesc}if(settings.fileExt){f.fileExt=settings.fileExt}if(settings.multi){f.multi=true}if(settings.auto){f.auto=true}if(settings.sizeLimit){f.sizeLimit=settings.sizeLimit}if(settings.checkScript){f.checkScript=settings.checkScript}if(settings.fileDataName){f.fileDataName=settings.fileDataName}if(settings.queueID){f.queueID=settings.queueID}if(settings.onInit()!==false){a(this).css("display","none");a(this).after('
');swfobject.embedSWF(settings.uploader,settings.id+"Uploader",settings.width,settings.height,"9.0.24",settings.expressInstall,f,{quality:"high",wmode:settings.wmode,allowScriptAccess:settings.scriptAccess});if(settings.queueID==false){a("#"+a(this).attr("id")+"Uploader").after('
')}}if(typeof(settings.onOpen)=="function"){a(this).bind("uploadifyOpen",settings.onOpen)}a(this).bind("uploadifySelect",{action:settings.onSelect,queueID:settings.queueID},function(j,h,i){if(j.data.action(j,h,i)!==false){var k=Math.round(i.size/1024*100)*0.01;var l="KB";if(k>1000){k=Math.round(k*0.001*100)*0.01;l="MB"}var m=k.toString().split(".");if(m.length>1){k=m[0]+"."+m[1].substr(0,2)}else{k=m[0]}if(i.name.length>20){fileName=i.name.substr(0,20)+"..."}else{fileName=i.name}queue="#"+a(this).attr("id")+"Queue";if(j.data.queueID){queue="#"+j.data.queueID}a(queue).append('
'+fileName+" ("+k+l+')
')}});if(typeof(settings.onSelectOnce)=="function"){a(this).bind("uploadifySelectOnce",settings.onSelectOnce)}a(this).bind("uploadifyQueueFull",{action:settings.onQueueFull},function(h,i){if(h.data.action(h,i)!==false){alert("The queue is full. The max size is "+i+".")}});a(this).bind("uploadifyCheckExist",{action:settings.onCheck},function(m,l,k,j,o){var i=new Object();i=k;i.folder=e+j;if(o){for(var h in k){var n=h}}a.post(l,i,function(r){for(var p in r){if(m.data.action(m,l,k,j,o)!==false){var q=confirm("Do you want to replace the file "+r[p]+"?");if(!q){document.getElementById(a(m.target).attr("id")+"Uploader").cancelFileUpload(p,true,true)}}}if(o){document.getElementById(a(m.target).attr("id")+"Uploader").startFileUpload(n,true)}else{document.getElementById(a(m.target).attr("id")+"Uploader").startFileUpload(null,true)}},"json")});a(this).bind("uploadifyCancel",{action:settings.onCancel},function(l,h,k,m,j){if(l.data.action(l,h,k,m,j)!==false){var i=(j==true)?0:250;a("#"+a(this).attr("id")+h).fadeOut(i,function(){a(this).remove()})}});if(typeof(settings.onClearQueue)=="function"){a(this).bind("uploadifyClearQueue",settings.onClearQueue)}var c=[];a(this).bind("uploadifyError",{action:settings.onError},function(l,h,k,j){if(l.data.action(l,h,k,j)!==false){var i=new Array(h,k,j);c.push(i);a("#"+a(this).attr("id")+h+" .percentage").text(" - "+j.type+" Error");a("#"+a(this).attr("id")+h).addClass("uploadifyError")}});a(this).bind("uploadifyProgress",{action:settings.onProgress,toDisplay:settings.displayData},function(j,h,i,k){if(j.data.action(j,h,i,k)!==false){a("#"+a(this).attr("id")+h+"ProgressBar").css("width",k.percentage+"%");if(j.data.toDisplay=="percentage"){displayData=" - "+k.percentage+"%"}if(j.data.toDisplay=="speed"){displayData=" - "+k.speed+"KB/s"}if(j.data.toDisplay==null){displayData=" "}a("#"+a(this).attr("id")+h+" .percentage").text(displayData)}});a(this).bind("uploadifyComplete",{action:settings.onComplete},function(k,h,j,i,l){if(k.data.action(k,h,j,unescape(i),l)!==false){a("#"+a(this).attr("id")+h+" .percentage").text(" - Completed");a("#"+a(this).attr("id")+h).fadeOut(250,function(){a(this).remove()})}});if(typeof(settings.onAllComplete)=="function"){a(this).bind("uploadifyAllComplete",{action:settings.onAllComplete},function(h,i){if(h.data.action(h,i)!==false){c=[]}})}})},uploadifySettings:function(f,j,c){var g=false;a(this).each(function(){if(f=="scriptData"&&j!=null){if(c){var i=j}else{var i=a.extend(settings.scriptData,j)}var l="";for(var k in i){l+="&"+k+"="+escape(i[k])}j=l.substr(1)}g=document.getElementById(a(this).attr("id")+"Uploader").updateSettings(f,j)});if(j==null){if(f=="scriptData"){var b=unescape(g).split("&");var e=new Object();for(var d=0;d');swfobject.embedSWF(settings.uploader,settings.id+'Uploader',settings.width,settings.height,'9.0.24',settings.expressInstall,data,{'quality':'high','wmode':settings.wmode,'allowScriptAccess':settings.scriptAccess});if(settings.queueID==false){jQuery("#"+jQuery(this).attr('id')+"Uploader").after('
');}} +if(typeof(settings.onOpen)=='function'){jQuery(this).bind("uploadifyOpen",settings.onOpen);} +jQuery(this).bind("uploadifySelect",{'action':settings.onSelect,'queueID':settings.queueID},function(event,ID,fileObj){if(event.data.action(event,ID,fileObj)!==false){var byteSize=Math.round(fileObj.size/1024*100)*.01;var suffix='KB';if(byteSize>1000){byteSize=Math.round(byteSize*.001*100)*.01;suffix='MB';} +var sizeParts=byteSize.toString().split('.');if(sizeParts.length>1){byteSize=sizeParts[0]+'.'+sizeParts[1].substr(0,2);}else{byteSize=sizeParts[0];} +if(fileObj.name.length>20){fileName=fileObj.name.substr(0,20)+'...';}else{fileName=fileObj.name;} +queue='#'+jQuery(this).attr('id')+'Queue';if(event.data.queueID){queue='#'+event.data.queueID;} +jQuery(queue).append('
\ +
\ + \ +
\ + \ +
\ +
\ +
\ +
');jQuery('div#'+jQuery(this).attr('id')+ID+' span.fileName').text(fileName+' ('+byteSize+suffix+')');}});if(typeof(settings.onSelectOnce)=='function'){jQuery(this).bind("uploadifySelectOnce",settings.onSelectOnce);} +jQuery(this).bind("uploadifyQueueFull",{'action':settings.onQueueFull},function(event,queueSizeLimit){if(event.data.action(event,queueSizeLimit)!==false){alert('The queue is full. The max size is '+queueSizeLimit+'.');}});jQuery(this).bind("uploadifyCheckExist",{'action':settings.onCheck},function(event,checkScript,fileQueueObj,folder,single){var postData=new Object();postData=fileQueueObj;postData.folder=pagePath+folder;if(single){for(var ID in fileQueueObj){var singleFileID=ID;}} +jQuery.post(checkScript,postData,function(data){for(var key in data){if(event.data.action(event,checkScript,fileQueueObj,folder,single)!==false){var replaceFile=confirm("Do you want to replace the file "+data[key]+"?");if(!replaceFile){document.getElementById(jQuery(event.target).attr('id')+'Uploader').cancelFileUpload(key,true,true);}}} +if(single){document.getElementById(jQuery(event.target).attr('id')+'Uploader').startFileUpload(singleFileID,true);}else{document.getElementById(jQuery(event.target).attr('id')+'Uploader').startFileUpload(null,true);}},"json");});jQuery(this).bind("uploadifyCancel",{'action':settings.onCancel},function(event,ID,fileObj,data,clearFast){if(event.data.action(event,ID,fileObj,data,clearFast)!==false){var fadeSpeed=(clearFast==true)?0:250;jQuery("#"+jQuery(this).attr('id')+ID).fadeOut(fadeSpeed,function(){jQuery(this).remove()});}});if(typeof(settings.onClearQueue)=='function'){jQuery(this).bind("uploadifyClearQueue",settings.onClearQueue);} +var errorArray=[];jQuery(this).bind("uploadifyError",{'action':settings.onError},function(event,ID,fileObj,errorObj){if(event.data.action(event,ID,fileObj,errorObj)!==false){var fileArray=new Array(ID,fileObj,errorObj);errorArray.push(fileArray);jQuery("#"+jQuery(this).attr('id')+ID+" .percentage").text(" - "+errorObj.type+" Error");jQuery("#"+jQuery(this).attr('id')+ID).addClass('uploadifyError');}});jQuery(this).bind("uploadifyProgress",{'action':settings.onProgress,'toDisplay':settings.displayData},function(event,ID,fileObj,data){if(event.data.action(event,ID,fileObj,data)!==false){jQuery("#"+jQuery(this).attr('id')+ID+"ProgressBar").css('width',data.percentage+'%');if(event.data.toDisplay=='percentage')displayData=' - '+data.percentage+'%';if(event.data.toDisplay=='speed')displayData=' - '+data.speed+'KB/s';if(event.data.toDisplay==null)displayData=' ';jQuery("#"+jQuery(this).attr('id')+ID+" .percentage").text(displayData);}});jQuery(this).bind("uploadifyComplete",{'action':settings.onComplete},function(event,ID,fileObj,response,data){if(event.data.action(event,ID,fileObj,unescape(response),data)!==false){jQuery("#"+jQuery(this).attr('id')+ID+" .percentage").text(' - Completed');jQuery("#"+jQuery(this).attr('id')+ID).fadeOut(250,function(){jQuery(this).remove()});}});if(typeof(settings.onAllComplete)=='function'){jQuery(this).bind("uploadifyAllComplete",{'action':settings.onAllComplete},function(event,uploadObj){if(event.data.action(event,uploadObj)!==false){errorArray=[];}});}});},uploadifySettings:function(settingName,settingValue,resetObject){var returnValue=false;jQuery(this).each(function(){if(settingName=='scriptData'&&settingValue!=null){if(resetObject){var scriptData=settingValue;}else{var scriptData=jQuery.extend(settings.scriptData,settingValue);} +var scriptDataString='';for(var name in scriptData){scriptDataString+='&'+name+'='+escape(scriptData[name]);} +settingValue=scriptDataString.substr(1);} +returnValue=document.getElementById(jQuery(this).attr('id')+'Uploader').updateSettings(settingName,settingValue);});if(settingValue==null){if(settingName=='scriptData'){var returnSplit=unescape(returnValue).split('&');var returnObj=new Object();for(var i=0;ivalidate(); module::set_var("comment", "access_permissions", $form->comment_settings->access_permissions->value); + module::set_var("comment", "rss_visible", + $form->comment_settings->rss_visible->value); message::success(t("Comment settings updated")); url::redirect("admin/comments"); } @@ -45,6 +47,12 @@ class Admin_Comments_Controller extends Admin_Controller { ->options(array("everybody" => t("Everybody"), "registered_users" => t("Only registered users"))) ->selected(module::get_var("comment", "access_permissions")); + $comment_settings->dropdown("rss_visible") + ->label(t("Which RSS feeds can users see?")) + ->options(array("all" => t("All comment feeds"), + "newest" => t("New comments feed only"), + "per_item" => t("Comments on photos, movies and albums only"))) + ->selected(module::get_var("comment", "rss_visible")); $comment_settings->submit("save")->value(t("Save")); return $form; } diff --git a/modules/comment/controllers/admin_manage_comments.php b/modules/comment/controllers/admin_manage_comments.php index 72684e7..bb5745a 100644 --- a/modules/comment/controllers/admin_manage_comments.php +++ b/modules/comment/controllers/admin_manage_comments.php @@ -1,7 +1,7 @@ id"] = t("Comments on %title", array("title" => html::purify($item->title))); } @@ -29,7 +43,7 @@ class comment_rss_Core { } static function feed($feed_id, $offset, $limit, $id) { - if ($feed_id != "newest" && $feed_id != "item") { + if (!comment_rss::feed_visible($feed_id)) { return; } @@ -51,7 +65,7 @@ class comment_rss_Core { foreach ($comments->find_all($limit, $offset) as $comment) { $item = $comment->item(); $feed->comments[] = new ArrayObject( - array("pub_date" => date("D, d M Y H:i:s T", $comment->created), + array("pub_date" => date("D, d M Y H:i:s O", $comment->created), "text" => nl2br(html::purify($comment->text)), "thumb_url" => $item->thumb_url(), "thumb_height" => $item->thumb_height, diff --git a/modules/comment/helpers/comment_theme.php b/modules/comment/helpers/comment_theme.php index 398f84b..a152457 100644 --- a/modules/comment/helpers/comment_theme.php +++ b/modules/comment/helpers/comment_theme.php @@ -1,7 +1,7 @@ get("q"); foreach (glob("{$path_prefix}*") as $file) { if (is_dir($file) && !is_link($file)) { + $file = html::clean($file); $directories[] = $file; // If we find an embed.php, include it as well @@ -113,7 +114,7 @@ class Admin_g2_import_Controller extends Admin_Controller { } } - print implode("\n", $directories); + ajax::response(implode("\n", $directories)); } private function _get_import_form() { diff --git a/modules/g2_import/controllers/g2.php b/modules/g2_import/controllers/g2.php index 90984e8..6c96089 100644 --- a/modules/g2_import/controllers/g2.php +++ b/modules/g2_import/controllers/g2.php @@ -1,7 +1,7 @@ get("path"); $id = $input->get("g2_itemId"); - if ($path || $id) { + if (($path && $path != 'index.php' && $path != 'main.php') || $id) { if ($id) { // Requests by id are either core.DownloadItem or core.ShowItem requests. Later versions of // Gallery 2 don't specify g2_view if it's the default (core.ShowItem). And in some cases diff --git a/modules/g2_import/helpers/g2_import.php b/modules/g2_import/helpers/g2_import.php index 8a5d2c5..10af7d0 100644 --- a/modules/g2_import/helpers/g2_import.php +++ b/modules/g2_import/helpers/g2_import.php @@ -1,7 +1,7 @@ script("jquery.autocomplete.js") ?>