diff --git a/.htaccess b/.htaccess
index d9ef34429..24254ed01 100644
--- a/.htaccess
+++ b/.htaccess
@@ -6,6 +6,7 @@ Header set X-Content-Type-Options: "nosniff"
 RewriteEngine On
+RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization},last]
 #RewriteRule "^favicon\.ico$" "-" [L]
 #RewriteRule "^(favicon\.ico)$" %{HTTP_HOST}/views/bootstrap/images/favicon.svg [L,NC]
 RewriteRule "^(favicon\.ico)" /views/bootstrap/images/favicon.svg [L,NC]
diff --git a/CHANGELOG b/CHANGELOG
index f6c256ee3..fa4994b35 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -283,6 +283,7 @@
 --------------------------------------------------------------------------------
 Changes in version 5.1.33
 --------------------------------------------------------------------------------
+- requires php 8.x
 - use SeedDMS_Core_File::mimetype() to determine mime type when uploading a file with drag&drop
 - user images may be 300px height, do not scale them up
@@ -303,6 +304,7 @@
 - minor improvements in restapi
 - update layout of tab for attachments
 - remove session when calling logout of restapi
+- fix some potential security issues
 --------------------------------------------------------------------------------
 Changes in version 5.1.32
diff --git a/inc/inc.ClassControllerCommon.php b/inc/inc.ClassControllerCommon.php
index bb74f403d..2421ff061 100644
--- a/inc/inc.ClassControllerCommon.php
+++ b/inc/inc.ClassControllerCommon.php
@@ -73,7 +73,13 @@ class SeedDMS_Controller_Common {
 if(!$this->callHook('preRun', get_class($this), $action ? $action : 'run')) {
 if($action) {
 if(method_exists($this, $action)) {
-return $this->{$action}();
+$refl = new ReflectionMethod($this, $action);
+if($refl->isPublic())
+return $this->{$action}();
+else {
+echo "Action '".$action."' not public";
+return false;
+}
 } else {
 echo "Missing action '".$action."'";
 return false;
diff --git a/inc/inc.ClassConversionServiceImageToImage.php b/inc/inc.ClassConversionServiceImageToImage.php
index 27905ad10..ee7ccb9d4 100644
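Review bot: The new rule matches every request and carries the `last` flag, so in this per-directory context it ends the current pass of the ruleset before the favicon rewrite below it is reached (unless something later re-runs the ruleset, which a `-` substitution does not trigger); the `env=` flag does not need `last` to take effect. I would drop it — `RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]` — and confirm the favicon rewrite still fires. The purpose of the rule is also worth a comment above it, e.g. `# Pass the HTTP Authorization header through to PHP (needed for HTTP basic auth under CGI/FPM)`, since it pairs with the BasicAuthentication include enabled elsewhere in this commit.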
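Review bot: The `isPublic()` check in the `method_exists` branch still lets the request-supplied `action` reach every public method of the controller and its parent classes (presumably `setParam`, `getUser` and friends, which other hunks in this commit call on controllers from outside), not only the intended action methods; an explicit allowlist of action names, or a naming convention checked here, would be a tighter gate. The same pattern is added to `inc/inc.ClassViewCommon.php` in this commit. The new `echo "Action '".$action."' not public";` also reflects the raw request value into the response, whereas the view class escapes the same value for its `Missing action` message; use `echo "Action '".htmlspecialchars($action)."' not public";`. The enclosing method starts and ends outside the hunk.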
--- a/inc/inc.ClassConversionServiceImageToImage.php
+++ b/inc/inc.ClassConversionServiceImageToImage.php
@@ -86,9 +86,9 @@ class SeedDMS_ConversionServiceImageToImage extends SeedDMS_ConversionServiceBas
 break;
 }
 if($im) {
-$size = getimagesize($infile);
+$width = imagesx($im);
 if(!empty($params['width']))
-$im = imagescale($im, min((int) $params['width'], $size[0]));
+$im = imagescale($im, min((int) $params['width'], $width));
 $end = microtime(true);
 if($this->logger) {
 $this->logger->log('Conversion from '.$this->from.' to '.$this->to.' with gd image service took '.($end-$start).' sec.', PEAR_LOG_INFO);
@@ -97,7 +97,7 @@ class SeedDMS_ConversionServiceImageToImage extends SeedDMS_ConversionServiceBas
 return imagepng($im, $target);
 } else {
 ob_start();
-var_dump(imagepng($im));
+echo imagepng($im);
 $image = ob_get_clean();
 return $image;
 }
diff --git a/inc/inc.ClassViewCommon.php b/inc/inc.ClassViewCommon.php
index fd7a32151..737ac8c00 100644
--- a/inc/inc.ClassViewCommon.php
+++ b/inc/inc.ClassViewCommon.php
@@ -69,7 +69,13 @@ class SeedDMS_View_Common {
 if(!$this->callHook('preRun', get_class($this), $action ? $action : 'show')) {
 if($action) {
 if(method_exists($this, $action)) {
-$this->{$action}();
+$refl = new ReflectionMethod($this, $action);
+if($refl->isPublic())
+$this->{$action}();
+else {
+echo "Action '".$action."' not public";
+return false;
+}
 } else {
 echo "Missing action '".htmlspecialchars($action)."'";
 }
diff --git a/inc/inc.Utils.php b/inc/inc.Utils.php
index 3432a2e3b..d047d9458 100644
--- a/inc/inc.Utils.php
+++ b/inc/inc.Utils.php
@@ -975,7 +975,7 @@ function seed_pass_hash($password) { /* {{{ */
 * @return string hashed password
 */
 function seed_pass_verify($password, $hash) { /* {{{ */
-return (md5($password) == $hash) || password_verify($password, $hash);
+return (md5($password) === $hash) || password_verify($password, $hash);
 } /* }}} */
 function resolveTask($task) { /* {{{ */
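Review bot: `min((int) $params['width'], $width)` can still hand imagescale() a zero or negative width when `$params['width']` is non-numeric or negative (`!empty()` only rejects `''` and `'0'`), and imagescale() then returns `false` rather than an image (as far as I recall — confirm on the PHP 8 build this commit now requires), so the `imagepng($im, ...)` below would receive `false` and throw a TypeError. Guarding the computed width keeps that path out of the encoder: `$w = min((int) $params['width'], $width); if($w > 0) $im = imagescale($im, $w);`. The enclosing method starts and ends outside the hunk.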
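Review bot: `echo imagepng($im);` still appends a stray byte to the captured image: imagepng() writes the PNG into the output buffer itself and returns a bool, so the echo adds `1` after the IEND chunk (the old var_dump appended `bool(true)`). The call should stand alone, `imagepng($im);`, so `ob_get_clean()` returns only the PNG bytes. If callers can handle a failure, checking the result is also possible, e.g. `if(!imagepng($im)) { ob_end_clean(); return false; }`.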
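Review bot: The new `echo "Action '".$action."' not public";` writes the request-supplied action name into the page unescaped, while the `Missing action` message two lines below escapes it with `htmlspecialchars($action)`; it should be `echo "Action '".htmlspecialchars($action)."' not public";`. The same unescaped message is added to `inc/inc.ClassControllerCommon.php` in this commit. The new branch also returns `false` where its sibling `Missing action` branch returns nothing; if the caller reads the result, the two branches should agree. The enclosing method starts and ends outside the hunk.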
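Review bot: `===` closes the type-juggling hole (`==` treated two `0e…` digests as equal numbers), but the MD5 comparison is still a plain string compare that stops at the first differing byte; `hash_equals()` is the constant-time idiom: `return hash_equals((string) $hash, md5($password)) || password_verify($password, $hash);`. The unsalted MD5 path remains a legacy fallback; the docblock (cut off above the hunk) could say so and name where such hashes get upgraded to `password_hash()` on a successful login, if that happens — I cannot see it from here.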
diff --git a/op/op.Login.php b/op/op.Login.php
index a8b2c67ef..06ef9cc5a 100644
--- a/op/op.Login.php
+++ b/op/op.Login.php
@@ -82,6 +82,7 @@ else if (isset($_GET["referuri"]) && strlen($_GET["referuri"])>0) {
 add_log_line();
+$controller->setParam('action', 'run'); // Force action run to be called, prevents overriding action with url parameter
 $controller->setParam('login', $login);
 $controller->setParam('logininfo', !empty($_POST['logininfo']) ? $_POST['logininfo'] : '');
 $controller->setParam('pwd', $pwd);
@@ -99,6 +100,12 @@ if(!$controller()) {
 }
 $user = $controller->getUser();
+if(!$user) {
+$session = null;
+add_log_line("login failed", PEAR_LOG_ERR);
+_printMessage(getMLText('login_error_text'), getMLText('login_error_text')."\n");
+exit;
+}
 if (isset($referuri) && strlen($referuri)>0) {
 header("Location: " . getBaseUrl() . $referuri);
diff --git a/op/op.TimelineFeedPreview.php b/op/op.TimelineFeedPreview.php
index 83a457df5..1762630d0 100644
--- a/op/op.TimelineFeedPreview.php
+++ b/op/op.TimelineFeedPreview.php
@@ -20,15 +20,15 @@
 // Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
 include("../inc/inc.Settings.php");
-include("../inc/inc.LogInit.php");
 include("../inc/inc.Utils.php");
+include("../inc/inc.LogInit.php");
 include("../inc/inc.Language.php");
 include("../inc/inc.Init.php");
 include("../inc/inc.Extension.php");
 include("../inc/inc.DBInit.php");
 include("../inc/inc.ClassUI.php");
 include("../inc/inc.ClassController.php");
-//include("../inc/inc.BasicAuthentication.php");
+include("../inc/inc.BasicAuthentication.php");
 if(empty($_GET['hash']))
 exit;
diff --git a/package.json b/package.json
index aa7c2d000..5c880bffb 100644
--- a/package.json
+++ b/package.json
@@ -26,7 +26,7 @@
 "grunt-contrib-clean": "^2.0.0",
 "grunt-contrib-copy": "^1.0.0",
 "jqtree": "^1.5.1",
-"jquery": "^1.12.4",
+"jquery": "^3.7.1",
 "jquery-typeahead": "^2.11.1",
 "jquery-validation": "^1.19.2",
 "moment": "^2.29.1",
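Review bot: The comment explaining why `action` is pinned to `run` is useful, but the identical line added to `check_auth` in `webdav/webdav.php` by this commit has none; copy it there, or better, document the rationale once on the controller's `run` handling so both call sites refer to it. Since `action` is otherwise taken from the request, it is also worth confirming that this `setParam('action', 'run')` runs after any request-driven `setParam('action', ...)` rather than before it — the surrounding code is outside the hunk.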
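Review bot: `add_log_line("login failed", PEAR_LOG_ERR);` records no reason for the missing user, while the equivalent check added to `webdav/webdav.php` logs `$controller->getErrorMsg()`; use the same here, `add_log_line("login failed: ".$controller->getErrorMsg(), PEAR_LOG_ERR);`. `$session = null;` only clears the local variable — if a session object was created earlier in this script (outside the hunk), that assignment does not destroy it; confirm that is intended, or mirror whatever the `!$controller()` branch above does on failure.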
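Review bot: Both changes in this hunk are unexplained — the move of `inc.LogInit.php` below `inc.Utils.php` and the activation of `inc.BasicAuthentication.php` — and a one-line comment on each would save the next reader a bisect, e.g. `// LogInit depends on helpers from inc.Utils.php` (presumably the reason; verify) and `// Accept HTTP basic auth for feed readers; needs the Authorization header forwarded to PHP (see .htaccess)`. The include now runs before the `empty($_GET['hash'])` check, so requests without a hash are handled by BasicAuthentication first; confirm that precedence is intended.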
@@ -35,7 +35,7 @@ "perfect-scrollbar": "^1.5.0", "popper.js": "^1.16.1", "select2": "^4.0.13", - "spectrum-colorpicker2": "^2.0.8", + "spectrum-colorpicker2": "^2.0.10", "vis-timeline": "^7.4.7" } } diff --git a/views/bootstrap/class.ForcePasswordChange.php b/views/bootstrap/class.ForcePasswordChange.php index 34adeaf94..76dfcf159 100644 --- a/views/bootstrap/class.ForcePasswordChange.php +++ b/views/bootstrap/class.ForcePasswordChange.php @@ -117,6 +117,7 @@ $(document).ready( function() { + 0) { + if(0) { // Create an array to hold all of these results, and index the array by // document id. This makes it easier to retrieve document ID information // later on and saves us having to repeatedly poll the database every time @@ -446,6 +447,45 @@ $(document).ready( function() { }else{ printMLText("no_docs_to_check"); } + } else { + // List the documents where a review has been requested. + $this->contentHeading(getMLText("documents_to_process")); + + $printheader=true; + $iRev = array(); + $dList = array(); + foreach ($resArr as $res) { + + if ( $res['id'] ) { + $dList[] = $res["id"]; + $document = $dms->getDocument($res["id"]); + $document->verifyLastestContentExpriry(); + + if ($printheader){ + print ""; + print "\n\n"; + print "\n"; + print "\n"; + print "\n"; + print "\n"; + print "\n\n\n"; + $printheader=false; + } + + $txt = $this->callHook('documentListItem', $document, $previewer); + if(is_string($txt)) + echo $txt; + else { + echo $this->documentListRow($document, $previewer, false, $res['version']); + } + } + } + if (!$printheader){ + echo "\n
".getMLText("name")."".getMLText("status")."".getMLText("action")."
"; +	}else{ + printMLText("no_docs_to_check"); + } + } } } /* }}} */
diff --git a/webdav/webdav.php b/webdav/webdav.php
index e2d547329..89f119882 100644
--- a/webdav/webdav.php
+++ b/webdav/webdav.php
@@ -173,6 +173,7 @@ class HTTP_WebDAV_Server_SeedDMS extends HTTP_WebDAV_Server
 $controller = Controller::factory('Login', array('dms'=>$this->dms));
 $controller->setParam('authenticator', $this->authenticator);
+$controller->setParam('action', 'run');
 $controller->setParam('login', $user);
 $controller->setParam('pwd', $pass);
 $controller->setParam('lang', $this->settings->_language);
@@ -190,6 +191,13 @@ class HTTP_WebDAV_Server_SeedDMS extends HTTP_WebDAV_Server
 $this->logger->log('check_auth: type='.$type.', user='.$user.' authenticated', PEAR_LOG_INFO);
 $this->user = $controller->getUser();
+if(!$this->user) {
+if($this->logger) {
+$this->logger->log($controller->getErrorMsg(), PEAR_LOG_NOTICE);
+$this->logger->log('check_auth: error authenicating user '.$user, PEAR_LOG_NOTICE);
+}
+return false;
+}
 return true;
 } /* }}} */
@@ -877,6 +885,8 @@ class HTTP_WebDAV_Server_SeedDMS extends HTTP_WebDAV_Server
 */
 function MKCOL($options) /* {{{ */
 {
+global $fulltextservice;
+
 $this->log_options('MKCOL', $options);
 $path = $options["path"];
@@ -925,6 +935,7 @@ class HTTP_WebDAV_Server_SeedDMS extends HTTP_WebDAV_Server
 $controller = Controller::factory('AddSubFolder');
 $controller->setParam('dms', $this->dms);
 $controller->setParam('user', $this->user);
+$controller->setParam('fulltextservice', $fulltextservice);
 $controller->setParam('folder', $folder);
 $controller->setParam('name', $name);
 $controller->setParam('comment', '');
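Review bot: Replacing the old guard (apparently `count($resArr) > 0`; only its tail `0) {` survives in this view) with `if(0)` leaves the whole former listing as unreachable code that will still be read, linted and maintained; if the old list is retired, delete the branch, and if it is meant to be switchable, guard it with a named flag plus a comment saying why. The file header for this hunk is not recoverable here (it is not `class.ForcePasswordChange.php`, whose hunk at line 117 is cut off), and the hunk's HTML output lines are garbled, so I have not reviewed the new table markup.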
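Review bot: The `authenticated` INFO log on the line above `$this->user = $controller->getUser();` is written before the new `!$this->user` check, so a failed login is first logged as `check_auth: … authenticated` and then as an error; move the check (or that log line) so the success message is only emitted once the user has been verified. The NOTICE message also has a typo, `authenicating` → `authenticating`. If `getErrorMsg()` can be empty, logging it on its own line produces an empty entry; folding it into the second message, `'check_auth: error authenticating user '.$user.': '.$controller->getErrorMsg()`, avoids that. `check_auth` starts outside the hunk.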
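Review bot: `global $fulltextservice;` reaches into the including script's scope, whereas every other dependency this class uses is an instance member (`$this->dms`, `$this->settings`, `$this->logger`, `$this->authenticator`); setting a `$this->fulltextservice` member where those are initialised and passing it in the `setParam('fulltextservice', …)` hunk below would keep the class self-contained and testable. If the entry script does not define the global, the controller receives `null`; a comment on the `global` line, or a guard at the `setParam` call if AddSubFolder does not tolerate a missing service (cannot see from here), would make that explicit. MKCOL's body continues outside the hunk.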