* Added a helpful warning if config.baseURL=1 was found
authorMichael Stucki <michael.stucki@typo3.org>
Sat, 19 Nov 2005 00:01:08 +0000 (00:01 +0000)
committerMichael Stucki <michael.stucki@typo3.org>
Sat, 19 Nov 2005 00:01:08 +0000 (00:01 +0000)
* !!! Disabled the config.baseURL=1 feature. baseURL needs to be a string value, otherwise it will not work (security reasons)!
* Added a fix for broken image-alignment in Mozilla browsers (written by Martin Kutschker)
* Fixed a cross-site scripting issue in showpic.php. Many thanks to Martin Klaus who provided a fix for this.
* Fixed the encryptionKey auto-generation in the Install Tool: The 32 first characters were always the same. Thanks to Jochen Weiland.
* When editing a file in the Install Tool, the backup is no longer renamed to filename.php~ but filename_bak.php (could be viewed in clear-text otherwise). Thanks to Lars Houmark for reporting this.
* Fixed wrong image negation in Install Tool (patch written by Bernhard Kraft)

git-svn-id: https://svn.typo3.org/TYPO3v4/Core/trunk@871 709f56b5-9817-0410-a4d7-c38de5d9e867

ChangeLog
NEWS.txt
typo3/sysext/cms/tslib/class.tslib_content.php
typo3/sysext/cms/tslib/class.tslib_pagegen.php
typo3/sysext/cms/tslib/showpic.php
typo3/sysext/install/mod/class.tx_install.php

index 77c8374..345a0f1 100755 (executable)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
 2005-11-19  Michael Stucki  <michael@typo3.org>
 
+       * Added a helpful warning if config.baseURL=1 was found
+       * !!! Disabled the config.baseURL=1 feature. baseURL needs to be a string value, otherwise it will not work (security reasons)!
+       * Added a fix for broken image-alignment in Mozilla browsers (written by Martin Kutschker)
+       * Fixed a cross-site scripting issue in showpic.php. Many thanks to Martin Klaus who provided a fix for this.
+       * Fixed the encryptionKey auto-generation in the Install Tool: The 32 first characters were always the same. Thanks to Jochen Weiland.
+       * When editing a file in the Install Tool, the backup is no longer renamed to filename.php~ but filename_bak.php (could be viewed in clear-text otherwise). Thanks to Lars Houmark for reporting this.
+       * Fixed wrong image negation in Install Tool (patch written by Bernhard Kraft)
        * Fixed bug #1861: Call of inexinsting t3lib_exec::imageMagickCommand() instead of t3lib_div::...
 
 2006-11-18  Michael Scharkow  <mscharkow@gmx.net>
index cd5e78e..fdbf953 100644 (file)
--- a/NEWS.txt
+++ b/NEWS.txt
@@ -6,16 +6,14 @@ CHANGES & IMPROVEMENTS in TYPO3 4.0
 Access Control
 ===============
 
-       * FE-groups are now nested and content elements. Additionally, pages can have more than one group assigned. (Michael Stucki <michael@typo3.org> integrating extension "fenestgrp" by Glen Gibb and extension "ingmar_accessctrl" by Ingmar Schlecht)
+       * FE-groups are now nested and content elements. Additionally, pages can have more than one group assigned. (Michael Stucki, integrating extension "fenestgrp" by Glen Gibb and extension "ingmar_accessctrl" by Ingmar Schlecht)
 
 Compatibility
 ==============
 
-       * GMENU_LAYERS and TMENU_LAYERS and image rollovers now work with Opera browsers (Martin Kutschker <martin.t.kutschker@blackbox.net>)
-
-2005-07-02
+       * GMENU_LAYERS and TMENU_LAYERS and image rollovers now work with Opera browsers (Martin Kutschker)
 
 Security
 =========
 
-       * A debug script exposed system information provided by phpinfo(). For details, see http://typo3.org /teams/security/security-bulletins/typo3-20050725-1/ (Michael Stucki <michael@typo3.org>)
+       * A debug script exposed system information provided by phpinfo(). For details, see http://typo3.org /teams/security/security-bulletins/typo3-20050725-1/ (Michael Stucki)
index da1712a..ce61ace 100755 (executable)
@@ -1069,9 +1069,29 @@ class tslib_cObj {
                                $tablecode.='</tr>';    // ending row
                        }
                        if ($c) {
-                               // Table-tag is inserted
-                               $i=$contentPosition;
-                               $table_align = (($i==16) ? 'align="'.$align.'"' : '');
+                               switch ($contentPosition)       {
+                                       case '0':       // above
+                                       case '8':       // below
+                                               switch ($align)        {        // These settings are needed for Firefox
+                                                       case 'center':
+                                                               $table_align = 'margin-left: auto; margin-right: auto';
+                                                       break;
+                                                       case 'right':
+                                                               $table_align = 'margin-left: auto; margin-right: 0px';
+                                                       break;
+                                                       default:        // Most of all: left
+                                                               $table_align = 'margin-left: 0px; margin-right: auto';
+                                               }
+                                               $table_align = 'style="'.$table_align.'"';
+                                       break;
+                                       case '16':      // in text
+                                               $table_align = 'align="'.$align.'"';
+                                       break;
+                                       default:
+                                               $table_align = '';
+                               }
+
+                                       // Table-tag is inserted
                                $tablecode = '<table'.($tableWidth?' width="'.$tableWidth.'"':'').' border="0" cellspacing="0" cellpadding="0" '.$table_align.' class="imgtext-table">'.$tablecode;
                                if ($editIconsHTML)     {       // IF this value is not long since reset.
                                        $tablecode.='<tr><td colspan="'.$colspan.'">'.$editIconsHTML.'</td></tr>';
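Review bot: In the `case '16'` branch `$align` is still concatenated into the `align` attribute as-is, while the new `'0'`/`'8'` branch maps it through a fixed list of values. Where `$align` is assigned is outside the hunk, so this is only a concern if it can carry template- or editor-supplied text; in that case restrict it to the same `left`/`center`/`right` set or emit `'align="'.htmlspecialchars($align).'"'`. The inner `switch` would also read more clearly if it built a separate variable (for example `$margins`) instead of reusing `$table_align` for both the CSS value and the finished attribute.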
@@ -2609,7 +2629,15 @@ class tslib_cObj {
                                if ($conf['title']) {$params.='&title='.rawurlencode($conf['title']);}
                                if ($conf['wrap']) {$params.='&wrap='.rawurlencode($conf['wrap']);}
 
-                               $md5_value = md5($imageFile.'|'.$conf['width'].'|'.$conf['height'].'|'.$conf['effects'].'|'.$GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'].'|');
+                               $md5_value = md5(
+                                               $imageFile.'|'.
+                                               $conf['width'].'|'.
+                                               $conf['height'].'|'.
+                                               $conf['effects'].'|'.
+                                               $conf['bodyTag'].'|'.
+                                               $conf['title'].'|'.
+                                               $conf['wrap'].'|'.
+                                               $GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'].'|');
 
                                $params.= '&md5='.$md5_value;
                                $url = $GLOBALS['TSFE']->absRefPrefix.'showpic.php?file='.rawurlencode($imageFile).$params;
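Review bot: The values passed to `md5()` are joined with a bare `|`, so the checksum does not bind each value to its own parameter. `title` and `wrap` may themselves contain `|` (a TypoScript wrap normally does), and text shifted across the boundary between `bodyTag`, `title` and `wrap` produces the same hash. Encode the fields unambiguously before hashing, for example by hashing `serialize(array(...))` of the seven values followed by the encryption key, and make the identical change in the matching hunk of showpic.php so generator and verifier agree. Where the PHP version allows it, a keyed construction such as `hash_hmac()` is preferable to appending the key to the message. The enclosing function starts and ends outside the hunk.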
index 6d6947d..ff40121 100755 (executable)
@@ -125,8 +125,20 @@ class TSpagegen {
                $GLOBALS['TSFE']->debug = ''.$GLOBALS['TSFE']->config['config']['debug'];
 
                        // Base url:
-               if ($GLOBALS['TSFE']->config['config']['baseURL']) {
-                       $GLOBALS['TSFE']->baseUrl = (intval($GLOBALS['TSFE']->config['config']['baseURL']) ? t3lib_div::getIndpEnv('TYPO3_SITE_URL') : $GLOBALS['TSFE']->config['config']['baseURL']);
+               if ($GLOBALS['TSFE']->config['config']['baseURL'])      {
+                       if ($GLOBALS['TSFE']->config['config']['baseURL']==='1')        {
+                                       // Depreciated property, going to be dropped.
+                               $error = 'Depreciated Typoscript property was found in this template: "config.baseURL="1"
+
+You need to change this value to the URL of your website root, otherwise TYPO3 will not work!
+
+See <a href="http://wiki.typo3.org/index.php/TYPO3_3.8.1" target="_blank">wiki.typo3.org/index.php/TYPO3_3.8.1</a> for more information.';
+
+                               $GLOBALS['TSFE']->printError(nl2br($error));
+                               exit;
+                       } else {
+                               $GLOBALS['TSFE']->baseUrl = $GLOBALS['TSFE']->config['config']['baseURL'];
+                       }
                        $GLOBALS['TSFE']->anchorPrefix = substr(t3lib_div::getIndpEnv('TYPO3_REQUEST_URL'),strlen(t3lib_div::getIndpEnv('TYPO3_SITE_URL')));
                }
 
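Review bot: The new guard `==='1'` rejects only the exact string `'1'`, whereas the removed code treated every value with a non-zero `intval()` as the "auto" setting. A value such as `2` or `1` with surrounding whitespace (if the TypoScript parser does not trim it, which is not visible here) now reaches the `else` branch and is written out verbatim as the base URL. Consider `if (intval($GLOBALS['TSFE']->config['config']['baseURL']))` for the error branch, so that everything the old feature accepted gets the warning. The message text should read "Deprecated" rather than "Depreciated", and `"config.baseURL="1"` has an unbalanced quote.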
index d3c65c1..29ff5ef 100755 (executable)
@@ -138,7 +138,16 @@ class SC_tslib_showpic {
                }
 
                        // Chech md5-checksum: If this md5-value does not match the one submitted, then we fail... (this is a kind of security that somebody don't just hit the script with a lot of different parameters
-               $md5_value = md5($this->file.'|'.$this->width.'|'.$this->height.'|'.$this->effects.'|'.$GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'].'|');
+               $md5_value = md5(
+                               $this->file.'|'.
+                               $this->width.'|'.
+                               $this->height.'|'.
+                               $this->effects.'|'.
+                               $this->bodyTag.'|'.
+                               $this->title.'|'.
+                               $this->wrap.'|'.
+                               $GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'].'|');
+
                if ($md5_value!=$this->md5) {
                        die('Parameter Error: Wrong parameters sent.');
                }
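Review bot: The recomputed checksum is checked with the loose `!=` operator on the line after the new `md5()` call, so PHP may compare two numeric-looking strings as numbers rather than byte for byte, and the comparison is not constant-time. Use a strict check, `if ($md5_value !== (string)$this->md5) {`, or `if (!hash_equals($md5_value, (string)$this->md5)) {` where that function is available. Since this commit widens what the checksum protects (`bodyTag`, `title`, `wrap`), the comparison is now the only barrier for those parameters too.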
index a7596ab..9faa67d 100755 (executable)
@@ -853,22 +853,19 @@ REMOTE_ADDR was '".t3lib_div::getIndpEnv("REMOTE_ADDR")."' (".t3lib_div::getIndp
                        $save_to_file = $this->INSTALL["FILE"]["name"];
                        if (@is_file($save_to_file))    {
                                $save_to_file_md5 = md5($save_to_file);
-                               if (isset($this->INSTALL["FILE"][$save_to_file_md5]) && t3lib_div::isFirstPartOfStr($save_to_file,$EDIT_path."") && substr($save_to_file,-1)!="~")      {
+                               if (isset($this->INSTALL['FILE'][$save_to_file_md5]) && t3lib_div::isFirstPartOfStr($save_to_file,$EDIT_path.'') && substr($save_to_file,-1)!='~' && !strstr($save_file,'_bak'))        {
                                        $this->INSTALL["typo3conf_files"] = $save_to_file;
                                        $save_fileContent = $this->INSTALL["FILE"][$save_to_file_md5];
 
                                        if ($this->INSTALL["FILE"]["win_to_unix_br"])   {
                                                $save_fileContent = str_replace(chr(13).chr(10),chr(10),$save_fileContent);
                                        }
+
+                                       $backupFile = $this->getBackupFilename($save_to_file);
                                        if ($this->INSTALL["FILE"]["backup"])   {
-                                               if (@is_file($save_to_file."~"))        unlink($save_to_file."~");
-                                               rename($save_to_file,$save_to_file."~");
-                                               $this->contentBeforeTable.='Backup written to <strong>'.$save_to_file.'~</strong><BR>';
-                                       } else {
-                                               if (@is_file($save_to_file."~"))        {
-                                                       unlink($save_to_file."~");
-                                                       $this->contentBeforeTable.='Backup REMOVED! (<strong>'.$save_to_file.'~</strong>)<BR>';
-                                               }
+                                               if (@is_file($backupFile))      { unlink($backupFile); }
+                                               rename($save_to_file,$backupFile);
+                                               $this->contentBeforeTable.='Backup written to <strong>'.$backupFile.'</strong><BR>';
                                        }
 
                                        t3lib_div::writeFile($save_to_file,$save_fileContent);
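Review bot: The added condition `!strstr($save_file,'_bak')` reads `$save_file`, which is not assigned anywhere in the visible lines; every other reference here is `$save_to_file`. If it is indeed undefined, `strstr()` returns false and the new check always passes, so a `_bak` backup file can still be saved over. The condition should be `!strstr($save_to_file,'_bak')`. Separately, the removed `else` branch was the only place that deleted an existing backup when the checkbox is unticked, so old backups now stay on disk until removed by hand. The enclosing method begins and ends outside the hunk.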
@@ -912,9 +909,11 @@ REMOTE_ADDR was '".t3lib_div::getIndpEnv("REMOTE_ADDR")."' (".t3lib_div::getIndp
                        //--></style>
                        ';
 
+                       $backupFile = $this->getBackupFilename($this->INSTALL['typo3conf_files']);
                        $fileContent = t3lib_div::getUrl($this->INSTALL["typo3conf_files"]);
-                       $this->contentBeforeTable.= '<form action="'.$this->action.'" method="POST">
-                               '.(substr($this->INSTALL["typo3conf_files"],-1)!="~"?'<input type="submit" name="TYPO3_INSTALL[SAVE_FILE]" value="Save file">&nbsp;':'').'<input type="submit" name="_close" value="Close">
+                       $this->contentBeforeTable.= '<form action="'.$this->action.'" method="POST">'.(substr($this->INSTALL['typo3conf_files'],-1)!='~' && !strstr($this->INSTALL['typo3conf_files'],'_bak') ? '
+                               <input type="submit" name="TYPO3_INSTALL[SAVE_FILE]" value="Save file">&nbsp;' : '').'
+                               <input type="submit" name="_close" value="Close">
                                <BR>File: '.$this->INSTALL["typo3conf_files"].'
                                <BR>MD5-sum: '.md5($fileContent).'
                                <BR>
@@ -923,8 +922,8 @@ REMOTE_ADDR was '".t3lib_div::getIndpEnv("REMOTE_ADDR")."' (".t3lib_div::getIndp
                                '.($this->allowFileEditOutsite_typo3conf_dir?'<input type="hidden" name="TYPO3_INSTALL[FILE][EDIT_path]" value="'.$this->INSTALL["FILE"]["EDIT_path"].'">':'').'
                                <input type="hidden" name="TYPO3_INSTALL[FILE][prevMD5]" value="'.md5($fileContent).'">
                                <textarea rows="30" name="TYPO3_INSTALL[FILE]['.md5($this->INSTALL["typo3conf_files"]).']" wrap="off"'.$this->formWidthText(48,"width:98%;height:80%","off").'>'.t3lib_div::formatForTextarea($fileContent).'</textarea><BR>
-                               <input type="checkbox" name="TYPO3_INSTALL[FILE][win_to_unix_br]" value="1"'.(TYPO3_OS=="WIN"?"":" CHECKED").'> Convert windows linebreaks (13-10) to unix (10)<BR>
-                               <input type="checkbox" name="TYPO3_INSTALL[FILE][backup]" value="1"'.(@is_file($this->INSTALL["typo3conf_files"]."~") ? " CHECKED":"").'> Make backup copy (else remove any backup copy, prepended by "~")<BR>
+                               <input type="checkbox" name="TYPO3_INSTALL[FILE][win_to_unix_br]" value="1"'.(TYPO3_OS=="WIN"?"":" checked").'> Convert Windows linebreaks (13-10) to Unix (10)<BR>
+                               <input type="checkbox" name="TYPO3_INSTALL[FILE][backup]" value="1"'.(@is_file($backupFile) ? ' checked' : '').'> Make backup copy (rename to '.basename($backupFile).')<BR>
                                '.
                        '</form>';
                }
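Review bot: The new checkbox label prints `basename($backupFile)` into the page without escaping. `$backupFile` is derived from `$this->INSTALL['typo3conf_files']`, which appears to come from the submitted form, so the name should be encoded on output: `'(rename to '.htmlspecialchars(basename($backupFile)).')'`. The hidden `EDIT_path` field in the context lines above prints `$this->INSTALL["FILE"]["EDIT_path"]` the same way and would benefit from the same treatment.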
@@ -2022,7 +2021,7 @@ From sub-directory:
                                if ($this->mode!="123") {
                                        $out.=$this->wrapInCells("Site name:", '<input type="text" name="TYPO3_INSTALL[localconf.php][sitename]" value="'.htmlspecialchars($GLOBALS["TYPO3_CONF_VARS"]["SYS"]["sitename"]).'">');
                                        $out.=$this->wrapInCells("", "<BR>");
-                                       $out.='<script type="text/javascript" src="../md5.js"></script><script type="text/javascript">function generateEncryptionKey(key) {time=new Date(); key=MD5(key)+MD5(time.getMilliseconds().toString());while(key.length<66){key=key+MD5(key)};return key;}</script>';
+                                       $out.='<script type="text/javascript" src="../md5.js"></script><script type="text/javascript">function generateEncryptionKey(key) {time=new Date(); key=MD5(time.getMilliseconds().toString());while(key.length<66){key=key+MD5(key)};return key;}</script>';
                                        $out.=$this->wrapInCells("Encryption key:", '<a name="set_encryptionKey" /><input type="text" name="TYPO3_INSTALL[localconf.php][encryptionKey]" value="'.htmlspecialchars($GLOBALS["TYPO3_CONF_VARS"]["SYS"]["encryptionKey"]).'"><br /><input type="button" onclick="document.forms[\'setupGeneral\'].elements[\'TYPO3_INSTALL[localconf.php][encryptionKey]\'].value=generateEncryptionKey(document.forms[\'setupGeneral\'].elements[\'TYPO3_INSTALL[localconf.php][encryptionKey]\'].value);" value="Generate random key">');
                                        $out.=$this->wrapInCells("", "<BR>");
 
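Review bot: With `MD5(key)` removed, the generated key is now a deterministic function of `time.getMilliseconds()` alone, which only takes integer values from 0 to 999. However long the `while` loop makes the string, there are at most 1000 distinct keys, and this key is the secret behind the showpic.php checksum and similar hashes. Generate the key from a cryptographically secure source instead: server-side, for example `bin2hex(random_bytes(48))` on a PHP version that provides it, or in the browser with `crypto.getRandomValues()`. Installations that already used this button should be advised to regenerate their key.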
@@ -2843,6 +2842,12 @@ From sub-directory:
                                                if (!@is_file($overlay))        die("Error: ".$overlay." was not a file");
                                                if (!@is_file($mask))   die("Error: ".$mask." was not a file");
 
+                                       if ($imageProc->maskNegate)     {
+                                               $outmask = $imageProc->tempPath.$imageProc->filenamePrefix.t3lib_div::shortMD5($imageProc->alternativeOutputKey."mask").".gif";
+                                               $imageProc->imageMagickExec($mask, $outmask, '-negate');
+                                               $mask = $outmask;
+                                       }
+
                                        $output = $imageProc->tempPath.$imageProc->filenamePrefix.t3lib_div::shortMD5($imageProc->alternativeOutputKey."combine1").".jpg";
                                        $imageProc->combineExec($input,$overlay,$mask,$output);
                                        $fileInfo = $imageProc->getImageDimensions($output);
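Review bot: The result of the new `-negate` step is never verified before `$mask = $outmask;`, although the three lines above it `die()` when an input file is missing. If the ImageMagick call fails, `combineExec()` runs with a mask path that does not exist, or with a stale temp file left by an earlier run. Add `if (!@is_file($outmask)) die("Error: ".$outmask." was not a file");` after the `imageMagickExec()` call. The same block is repeated in the next hunk with the key `"mask2"` and needs the same check; a small private helper taking the key suffix would remove the duplication. The added lines are also indented one level less than the surrounding statements.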
@@ -2857,6 +2862,13 @@ From sub-directory:
                                                if (!@is_file($input))  die("Error: ".$input." was not a file");
                                                if (!@is_file($overlay))        die("Error: ".$overlay." was not a file");
                                                if (!@is_file($mask))   die("Error: ".$mask." was not a file");
+
+                                       if ($imageProc->maskNegate)     {
+                                               $outmask = $imageProc->tempPath.$imageProc->filenamePrefix.t3lib_div::shortMD5($imageProc->alternativeOutputKey."mask2").".gif";
+                                               $imageProc->imageMagickExec($mask, $outmask, '-negate');
+                                               $mask = $outmask;
+                                       }
+
                                        $output = $imageProc->tempPath.$imageProc->filenamePrefix.t3lib_div::shortMD5($imageProc->alternativeOutputKey."combine2").".jpg";
                                        $imageProc->combineExec($input,$overlay,$mask,$output);
                                        $fileInfo = $imageProc->getImageDimensions($output);
@@ -4778,6 +4790,23 @@ A:hover {color: #000066}
                }
                return $wTags;
        }
+
+       /**
+        * Return the filename that will be used for the backup.
+        * It is important that backups of PHP files still stay as a PHP file, otherwise they could be viewed un-parsed in clear-text.
+        *
+        * @param       string          Full path to a file
+        * @return      string          The name of the backup file (again, including the full path)
+        */
+       function getBackupFilename($filename)   {
+               if (preg_match('/\.php$/', $filename))  {
+                       $backupFile = str_replace('.php', '_bak.php', $filename);
+               } else {
+                       $backupFile = $filename.'~';
+               }
+
+               return $backupFile;
+       }
 }
 
 if (defined('TYPO3_MODE') && $TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['ext/install/mod/class.tx_install.php'])   {
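Review bot: In `getBackupFilename()` the call `str_replace('.php', '_bak.php', $filename)` rewrites every occurrence of `.php` in the full path, not just the extension that the preceding `preg_match('/\.php$/')` tested. A path such as `conf.php.d/localconf.php` would yield a backup name in a directory that does not exist. Anchor the replacement: `$backupFile = preg_replace('/\.php$/', '_bak.php', $filename);`. The pattern is also case-sensitive and limited to `.php`, so a file ending in `.PHP` or in another extension the web server hands to PHP (not determinable from here) still gets the `~` suffix and the clear-text exposure that the docblock warns about. Adding the `i` modifier and the other parsed extensions would close that gap.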