author | ctrlaltca@gmail.com <> | 2011-11-17 16:52:56 +0000 |
---|---|---|
committer | ctrlaltca@gmail.com <> | 2011-11-17 16:52:56 +0000 |
commit | d840107832b1f59a9fc3b93ffb97ef976be1b83c (patch) | |
tree | 58d0dc8ef1426fa10952d5e4bd59d758ed2da827 | |
parent | 730c58f877a335203f2b5e73e084a3079cf33f75 (diff) |
3-in-1 bugfix commit:
1) TErrorHandler: avoid an error when trying to hide the file path of a lambda function
2) TSecurityManager: avoid a race condition when first generating the encryption key or the validation key
3) TActiveFileUpload: urlencode the base64'ed token since it can contain the "+" character (otherwise it would be translated to a space)
-rw-r--r-- | framework/Exceptions/TErrorHandler.php | 10 | ||||
-rw-r--r-- | framework/Security/TSecurityManager.php | 4 | ||||
-rw-r--r-- | framework/TApplication.php | 5 | ||||
-rwxr-xr-x | framework/Web/UI/ActiveControls/TActiveFileUpload.php | 4 |
4 files changed, 13 insertions, 10 deletions
diff --git a/framework/Exceptions/TErrorHandler.php b/framework/Exceptions/TErrorHandler.php
index 1fe5a928..363bdecf 100644
--- a/framework/Exceptions/TErrorHandler.php
+++ b/framework/Exceptions/TErrorHandler.php
@@ -4,7 +4,7 @@
 *
* @author Qiang Xue <qiang.xue@gmail.com>
* @link http://www.pradosoft.com/
- * @copyright Copyright © 2005-2011 PradoSoft
+ * @copyright Copyright © 2005-2011 PradoSoft
* @license http://www.pradosoft.com/license/
* @version $Id$
* @package System.Exceptions
@@ -83,8 +83,8 @@ class TErrorHandler extends TModule
 * @return string the directory containing error template files.
*/
public function getErrorTemplatePath()
- {
- if($this->_templatePath===null)
+ {
+ if($this->_templatePath===null)
$this->_templatePath=Prado::getFrameworkPath().'/Exceptions/templates';
return $this->_templatePath;
}
@@ -154,8 +154,8 @@ class TErrorHandler extends TModule
 $aTrace = $exception->getTrace();
foreach($aTrace as $item)
{
- $file = $item['file'];
- $aRpl[dirname($file) . DIRECTORY_SEPARATOR] = '<hidden>' . DIRECTORY_SEPARATOR;
+ if(isset($item['file']))
+ $aRpl[dirname($item['file']) . DIRECTORY_SEPARATOR] = '<hidden>' . DIRECTORY_SEPARATOR;
}
}
$aRpl[$_SERVER['DOCUMENT_ROOT']] = '${DocumentRoot}';
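Review bot: The `$_SERVER['DOCUMENT_ROOT']` lookup on the last line of the hunk is still unguarded, so under the CLI or a SAPI that leaves it unset the hiding map gets an undefined-index notice and an empty-string key, which at best makes that replacement a no-op and, if the map is later fed to `strtr()` (the consumer is outside the hunk), can break the whole substitution. Guard it the same way the new `isset($item['file'])` check guards trace frames: `if(!empty($_SERVER['DOCUMENT_ROOT']))` around that assignment. As far as this hunk shows, the masking only rewrites directory prefixes collected from trace frames and the document root, so any absolute path embedded in the exception message itself would presumably survive; keep this page restricted to debug mode. The enclosing method starts and ends outside the hunk.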
diff --git a/framework/Security/TSecurityManager.php b/framework/Security/TSecurityManager.php
index d77e9b88..7eba92fe 100644
--- a/framework/Security/TSecurityManager.php
+++ b/framework/Security/TSecurityManager.php
@@ -77,7 +77,7 @@ class TSecurityManager extends TModule
 if(null === $this->_validationKey) {
 if(null === ($this->_validationKey = $this->getApplication()->getGlobalState(self::STATE_VALIDATION_KEY))) {
 $this->_validationKey = $this->generateRandomKey();
- $this->getApplication()->setGlobalState(self::STATE_VALIDATION_KEY, $this->_validationKey, null);
+ $this->getApplication()->setGlobalState(self::STATE_VALIDATION_KEY, $this->_validationKey, null, true);
 }
 }
 return $this->_validationKey;
@@ -104,7 +104,7 @@ class TSecurityManager extends TModule
 if(null === $this->_encryptionKey) {
 if(null === ($this->_encryptionKey = $this->getApplication()->getGlobalState(self::STATE_ENCRYPTION_KEY))) {
 $this->_encryptionKey = $this->generateRandomKey();
- $this->getApplication()->setGlobalState(self::STATE_ENCRYPTION_KEY, $this->_encryptionKey, null);
+ $this->getApplication()->setGlobalState(self::STATE_ENCRYPTION_KEY, $this->_encryptionKey, null, true);
 }
 }
 return $this->_encryptionKey;
diff --git a/framework/TApplication.php b/framework/TApplication.php
index 1fc9485a..703dae17 100644
--- a/framework/TApplication.php
+++ b/framework/TApplication.php
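Review bot: Forcing an immediate save on the added `setGlobalState(..., true)` line narrows the window but does not remove the race: two first requests that both miss `getGlobalState()` each call `generateRandomKey()` and each write, so the last writer wins and anything signed or encrypted with the losing key stops validating for its requester. A check-and-set that cannot interleave is needed — take an exclusive lock (an `flock()` on the state file, or an atomic cache "add") before the `null ===` test and re-read the stored key under it — or stop generating at runtime and require the key to be configured explicitly, which also keeps it out of a world-readable state file. The same applies verbatim to the `STATE_ENCRYPTION_KEY` hunk that follows. `generateRandomKey()` is not visible here; confirm it draws from a CSPRNG rather than `rand()`/`uniqid()`.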
@@ -468,14 +468,17 @@ class TApplication extends TComponent
 * @param string the name of the value to be set
 * @param mixed the global value to be set
 * @param mixed the default value. If $key is not found, $defaultValue will be returned
+ * @param boolean wheter to force an immediate GlobalState save. defaults to false
 */
- public function setGlobalState($key,$value,$defaultValue=null)
+ public function setGlobalState($key,$value,$defaultValue=null,$forceSave=false)
 {
 $this->_stateChanged=true;
 if($value===$defaultValue)
 unset($this->_globals[$key]);
 else
 $this->_globals[$key]=$value;
+ if($forceSave)
+ $this->saveGlobals();
 }
 
 /**
diff --git a/framework/Web/UI/ActiveControls/TActiveFileUpload.php b/framework/Web/UI/ActiveControls/TActiveFileUpload.php
index 98a7f422..1a49c20d 100755
--- a/framework/Web/UI/ActiveControls/TActiveFileUpload.php
+++ b/framework/Web/UI/ActiveControls/TActiveFileUpload.php
@@ -233,7 +233,7 @@ EOS;
 if ($mgr = Prado::getApplication()->getSecurityManager()) {
 // this is a less secure method, file info can be still forged from client side, but only if attacker knows the secret application key
- $token = base64_encode($mgr->encrypt(serialize($params)));
+ $token = urlencode(base64_encode($mgr->encrypt(serialize($params))));
 } else
 throw new Exception('TActiveFileUpload needs either an application level cache or a security manager to work securely');
@@ -253,7 +253,7 @@ EOS;
 else if ($mgr = Prado::getApplication()->getSecurityManager())
 {
- $v = $mgr->decrypt(base64_decode($token));
+ $v = $mgr->decrypt(base64_decode(urldecode($token)));
 $params = unserialize($v);
 }
 else |
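Review bot: The new `$forceSave` branch calls `saveGlobals()` after `_stateChanged` has already been set to true, and whether `saveGlobals()` resets that flag is not visible here — if it does not, the globals are written a second time at request end; if it does, a forced save that fails silently leaves nothing to retry, so the callers in TSecurityManager should check or log the outcome. The added docblock line has a typo and should state the contract rather than the mechanism: ` * @param boolean whether to persist the global state immediately via saveGlobals() (defaults to false)`. A bare trailing boolean is easy to misread at call sites such as `setGlobalState($k, $v, null, true)`; a small named wrapper would read better than a flag.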
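Review bot: Wrapping the token in `urlencode()` on the added `$token = ...` line only works if the matching `urldecode()` in the next hunk receives the raw string; if the token travels as a query or form parameter, PHP has already decoded it into `$_GET`/`$_POST`, and the second decode turns every `+` of the base64 alphabet back into a space — the very bug being fixed — so the transport should be confirmed. A URL-safe alphabet removes the extra layer entirely: `$token = strtr(base64_encode($mgr->encrypt(serialize($params))), '+/', '-_');` here, and `base64_decode(strtr($token, '-_', '+/'))` on the receiving side. Separately, the forgery claim in the comment holds only if `encrypt()` authenticates the ciphertext (not visible here); otherwise the payload is malleable without the key and it is handed straight to `unserialize()`, so an HMAC over the token, or a `json_encode`/`json_decode` payload, would be the safer contract. The enclosing method starts outside the hunk.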