authorctrlaltca@gmail.com <>2011-11-17 16:52:56 +0000
committerctrlaltca@gmail.com <>2011-11-17 16:52:56 +0000
commitd840107832b1f59a9fc3b93ffb97ef976be1b83c (patch)
tree58d0dc8ef1426fa10952d5e4bd59d758ed2da827
parent730c58f877a335203f2b5e73e084a3079cf33f75 (diff)
3-in-1 bugfix commit:
1) TErrorHandler: avoid an error when trying to hide the file path of a lambda function 2) TSecurityManager: avoid a race condition when first generating the encryption key or the validation key 3) TActiveFileUpload: urlencode the base64'ed token since it can contain the "+" character (otherwise it would be translated to a space)
-rw-r--r--framework/Exceptions/TErrorHandler.php10
-rw-r--r--framework/Security/TSecurityManager.php4
-rw-r--r--framework/TApplication.php5
-rwxr-xr-xframework/Web/UI/ActiveControls/TActiveFileUpload.php4
4 files changed, 13 insertions, 10 deletions
diff --git a/framework/Exceptions/TErrorHandler.php b/framework/Exceptions/TErrorHandler.php
index 1fe5a928..363bdecf 100644
--- a/framework/Exceptions/TErrorHandler.php
+++ b/framework/Exceptions/TErrorHandler.php
@@ -4,7 +4,7 @@
*
* @author Qiang Xue <qiang.xue@gmail.com>
* @link http://www.pradosoft.com/
- * @copyright Copyright &copy; 2005-2011 PradoSoft
+ * @copyright Copyright &copy; 2005-2011 PradoSoft
* @license http://www.pradosoft.com/license/
* @version $Id$
* @package System.Exceptions
@@ -83,8 +83,8 @@ class TErrorHandler extends TModule
* @return string the directory containing error template files.
*/
public function getErrorTemplatePath()
- {
- if($this->_templatePath===null)
+ {
+ if($this->_templatePath===null)
$this->_templatePath=Prado::getFrameworkPath().'/Exceptions/templates';
return $this->_templatePath;
}
@@ -154,8 +154,8 @@ class TErrorHandler extends TModule
$aTrace = $exception->getTrace();
foreach($aTrace as $item)
{
- $file = $item['file'];
- $aRpl[dirname($file) . DIRECTORY_SEPARATOR] = '<hidden>' . DIRECTORY_SEPARATOR;
+ if(isset($item['file']))
+ $aRpl[dirname($item['file']) . DIRECTORY_SEPARATOR] = '<hidden>' . DIRECTORY_SEPARATOR;
}
}
$aRpl[$_SERVER['DOCUMENT_ROOT']] = '${DocumentRoot}';
diff --git a/framework/Security/TSecurityManager.php b/framework/Security/TSecurityManager.php
index d77e9b88..7eba92fe 100644
--- a/framework/Security/TSecurityManager.php
+++ b/framework/Security/TSecurityManager.php
@@ -77,7 +77,7 @@ class TSecurityManager extends TModule
if(null === $this->_validationKey) {
if(null === ($this->_validationKey = $this->getApplication()->getGlobalState(self::STATE_VALIDATION_KEY))) {
$this->_validationKey = $this->generateRandomKey();
- $this->getApplication()->setGlobalState(self::STATE_VALIDATION_KEY, $this->_validationKey, null);
+ $this->getApplication()->setGlobalState(self::STATE_VALIDATION_KEY, $this->_validationKey, null, true);
}
}
return $this->_validationKey;
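Review bot: The forced save at line 62 narrows the first-request race but does not close it: two concurrent requests that both read a null state each call generateRandomKey() and each write, so whichever saveGlobals() lands last wins and anything the other request already signed with its key fails validation afterwards. Whether saveGlobals() takes a lock is not visible in this diff, so unless it does, the read-generate-write here is still not atomic. The robust practice is not to rely on lazy generation at all and to provision the key in configuration, assuming the module exposes a settable validation key; at minimum I would mark the remaining window with `// NOTE: not atomic across concurrent first requests; last writer wins` above the setGlobalState() call. The same applies to the encryption-key getter in the next hunk.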
@@ -104,7 +104,7 @@ class TSecurityManager extends TModule
if(null === $this->_encryptionKey) {
if(null === ($this->_encryptionKey = $this->getApplication()->getGlobalState(self::STATE_ENCRYPTION_KEY))) {
$this->_encryptionKey = $this->generateRandomKey();
- $this->getApplication()->setGlobalState(self::STATE_ENCRYPTION_KEY, $this->_encryptionKey, null);
+ $this->getApplication()->setGlobalState(self::STATE_ENCRYPTION_KEY, $this->_encryptionKey, null, true);
}
}
return $this->_encryptionKey;
diff --git a/framework/TApplication.php b/framework/TApplication.php
index 1fc9485a..703dae17 100644
--- a/framework/TApplication.php
+++ b/framework/TApplication.php
@@ -468,14 +468,17 @@ class TApplication extends TComponent
* @param string the name of the value to be set
* @param mixed the global value to be set
* @param mixed the default value. If $key is not found, $defaultValue will be returned
+ * @param boolean wheter to force an immediate GlobalState save. defaults to false
*/
- public function setGlobalState($key,$value,$defaultValue=null)
+ public function setGlobalState($key,$value,$defaultValue=null,$forceSave=false)
{
$this->_stateChanged=true;
if($value===$defaultValue)
unset($this->_globals[$key]);
else
$this->_globals[$key]=$value;
+ if($forceSave)
+ $this->saveGlobals();
}
/**
diff --git a/framework/Web/UI/ActiveControls/TActiveFileUpload.php b/framework/Web/UI/ActiveControls/TActiveFileUpload.php
index 98a7f422..1a49c20d 100755
--- a/framework/Web/UI/ActiveControls/TActiveFileUpload.php
+++ b/framework/Web/UI/ActiveControls/TActiveFileUpload.php
@@ -233,7 +233,7 @@ EOS;
if ($mgr = Prado::getApplication()->getSecurityManager())
{
// this is a less secure method, file info can be still forged from client side, but only if attacker knows the secret application key
- $token = base64_encode($mgr->encrypt(serialize($params)));
+ $token = urlencode(base64_encode($mgr->encrypt(serialize($params))));
}
else
throw new Exception('TActiveFileUpload needs either an application level cache or a security manager to work securely');
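Review bot: urlencode() at line 106 encodes spaces as `+`, which is exactly the character this commit is working around; `rawurlencode()` is the safer choice because it produces pure percent-encoding with no `+` ambiguity regardless of how the consumer decodes it. Which output context the token is emitted into (URL query, HTML attribute, JavaScript literal) is not visible here, and URL-encoding is only the right escape for the first of those. The comment at line 104 also assumes that encrypt() authenticates the ciphertext; if it is encryption only, "forged only if the attacker knows the key" does not hold, since tampered ciphertext would still be accepted by the decode path.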
@@ -253,7 +253,7 @@ EOS;
else
if ($mgr = Prado::getApplication()->getSecurityManager())
{
- $v = $mgr->decrypt(base64_decode($token));
+ $v = $mgr->decrypt(base64_decode(urldecode($token)));
$params = unserialize($v);
}
else
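Review bot: The urldecode() added at line 115 double-decodes if `$token` arrives through `$_GET`/`$_POST`, because PHP has already percent-decoded request parameters; a literal `+` in the base64 text would then be turned back into a space and the decrypt would fail, reintroducing the bug this commit fixes. Where `$token` is read from is outside the hunk, so this needs confirming, but if it comes from the request superglobals the line should be just `$v = $mgr->decrypt(base64_decode($token));`. Separately, `unserialize($v)` at line 116 runs on data whose integrity depends entirely on decrypt() rejecting tampered input; if encrypt()/decrypt() is unauthenticated, this is an object-injection sink, and the result of decrypt() should be integrity-checked (or the serialized form replaced with json) before unserialize() sees it.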