Merge branch 'seeddms-5.1.x' into seeddms-6.0.x

Uwe Steinmann 2024-01-11 10:10:12 +01:00
commit 023e2c3edf
7 changed files with 33 additions and 5 deletions


@ -294,6 +294,7 @@
- minor improvements in restapi
- update layout of tab for attachments
- remove session when calling logout of restapi
- fix some potential security issues
--------------------------------------------------------------------------------
Changes in version 5.1.32


@ -73,7 +73,13 @@ class SeedDMS_Controller_Common {
if(!$this->callHook('preRun', get_class($this), $action ? $action : 'run')) {
if($action) {
if(method_exists($this, $action)) {
return $this->{$action}();
$refl = new ReflectionMethod($this, $action);
if($refl->isPublic())
return $this->{$action}();
else {
echo "Action '".$action."' not public";
return false;
}
} else {
echo "Missing action '".$action."'";
return false;
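Review bot: Both `echo` statements in this hunk (`"Action '".$action."' not public"` and `"Missing action '".$action."'"`) write the caller-supplied action name into the response unescaped, and the new `not public` message in the SeedDMS_View_Common hunk below does the same even though its neighbouring `Missing action` line there uses htmlspecialchars. The comment in the login hunk of this commit says the action can arrive as a URL parameter, so this is reflected input; wrap each with `htmlspecialchars($action)` or leave the name out of the response and log it instead. The isPublic() check is a real improvement, but visibility is a coarse gate — every public method, including inherited ones, passes it — so an explicit allow-list of dispatchable action names would be the stronger check. The run method this hunk belongs to begins and ends outside the hunk.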


@ -69,7 +69,13 @@ class SeedDMS_View_Common {
if(!$this->callHook('preRun', get_class($this), $action ? $action : 'show')) {
if($action) {
if(method_exists($this, $action)) {
$this->{$action}();
$refl = new ReflectionMethod($this, $action);
if($refl->isPublic())
$this->{$action}();
else {
echo "Action '".$action."' not public";
return false;
}
} else {
echo "Missing action '".htmlspecialchars($action)."'";
}
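Review bot: The new branch returns `false` when the action is not public, but the success path on the line just above it (`$this->{$action}();`) and the `Missing action` branch return nothing, so a caller that inspects the return value sees null for both a rendered view and an unknown action and only the visibility failure is signalled. If the return value is checked anywhere, `return $this->{$action}();` on the success path and a `return false;` after the `Missing action` echo would match the controller counterpart in this commit. The method enclosing this hunk begins and ends outside it.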


@ -975,7 +975,7 @@ function seed_pass_hash($password) { /* {{{ */
* @return string hashed password
*/
function seed_pass_verify($password, $hash) { /* {{{ */
return $hash == md5($password);
return $hash === md5($password);
} /* }}} */
function resolveTask($task) { /* {{{ */
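Review bot: Switching to `===` removes the loose-comparison type juggling, but the check is still a plain string compare of an unsalted MD5, so it stays timing-dependent and tied to a digest that is unsuitable for password storage; use `return hash_equals($hash, md5($password));` here and plan a migration of stored hashes to password_hash()/password_verify() with password_needs_rehash() on successful login. The docblock that closes immediately above the function ends with `@return string hashed password`, which describes seed_pass_hash rather than this function; it should read `@return bool true if the password matches the stored hash`. hash_equals() expects two strings, so a caller passing a null hash would need to be handled before the call.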


@ -82,6 +82,7 @@ else if (isset($_GET["referuri"]) && strlen($_GET["referuri"])>0) {
add_log_line();
$controller->setParam('action', 'run'); // Force action run to be called, prevents overriding action with url parameter
$controller->setParam('login', $login);
$controller->setParam('pwd', $pwd);
$controller->setParam('source', 'web');
@ -98,6 +99,12 @@ if(!$controller()) {
}
$user = $controller->getUser();
if(!$user) {
$session = null;
add_log_line("login failed", PEAR_LOG_ERR);
_printMessage(getMLText('login_error_text'), getMLText('login_error_text')."\n");
exit;
}
if (isset($referuri) && strlen($referuri)>0) {
header("Location: " . getBaseUrl() . $referuri);
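Review bot: The new failure branch logs the bare string `login failed`, which gives an incident responder nothing to correlate across attempts; the WebDAV hunk in this commit logs the attempted user name, and the same should be done here, e.g. `add_log_line("login failed for user '".$login."'", PEAR_LOG_ERR);` (never the password). `$session = null;` only drops the local reference — if the intent is to discard a session that was already established before the failed attempt, the session store presumably needs to be told as well; where `$session` is created is outside this hunk, so confirm against that code. The generic `login_error_text` message is the right choice, since it does not reveal whether the account exists.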


@ -26,7 +26,7 @@
"grunt-contrib-clean": "^2.0.0",
"grunt-contrib-copy": "^1.0.0",
"jqtree": "^1.5.1",
"jquery": "^1.12.4",
"jquery": "^3.7.1",
"jquery-typeahead": "^2.11.1",
"jquery-validation": "^1.19.2",
"moment": "^2.29.1",
@ -35,7 +35,7 @@
"perfect-scrollbar": "^1.5.0",
"popper.js": "^1.16.1",
"select2": "^4.0.13",
"spectrum-colorpicker2": "^2.0.8",
"spectrum-colorpicker2": "^2.0.10",
"vis-timeline": "^7.4.7"
}
}


@ -173,6 +173,7 @@ class HTTP_WebDAV_Server_SeedDMS extends HTTP_WebDAV_Server
$controller = Controller::factory('Login', array('dms'=>$this->dms));
$controller->setParam('authenticator', $this->authenticator);
$controller->setParam('action', 'run');
$controller->setParam('login', $user);
$controller->setParam('pwd', $pass);
$controller->setParam('lang', $this->settings->_language);
@ -190,6 +191,13 @@ class HTTP_WebDAV_Server_SeedDMS extends HTTP_WebDAV_Server
$this->logger->log('check_auth: type='.$type.', user='.$user.' authenticated', PEAR_LOG_INFO);
$this->user = $controller->getUser();
if(!$this->user) {
if($this->logger) {
$this->logger->log($controller->getErrorMsg(), PEAR_LOG_NOTICE);
$this->logger->log('check_auth: error authenicating user '.$user, PEAR_LOG_NOTICE);
}
return false;
}
return true;
} /* }}} */
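Review bot: The INFO line `check_auth: type=...user=... authenticated` is emitted before `$this->user` is examined, so a rejected login now produces an "authenticated" entry followed by the new NOTICE entries, which will mislead anyone reading or alerting on these logs; move that log call below the `if(!$this->user) { ... }` block so it is written only on success. Whether that INFO line is itself new or context is not recoverable from this page, but it is on the new side either way. The added message also has a typo that matters for log searches: `'check_auth: error authenticating user '.$user`. The method enclosing this hunk begins outside it.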