authorxue <>2006-02-18 02:25:34 +0000
committerxue <>2006-02-18 02:25:34 +0000
commit8b9a5c2f0d5025e29a5477ea8cc8937db49b0341 (patch)
tree938ad05685a430d344e3bf1957f5d3ccd0d1e9ce
parentcba0c1b472cec22e4ffed2b3b084bea27cd26582 (diff)
Fixed a security issue in the usage of Prado::getPathOfNamespace.
-rw-r--r--framework/I18N/TGlobalization.php18
-rw-r--r--framework/Web/Services/TPageService.php3
-rw-r--r--framework/Web/UI/TTemplateControl.php2
-rw-r--r--framework/Web/UI/WebControls/TColorPicker.php20
-rw-r--r--framework/Web/UI/WebControls/TDatePicker.php20
-rw-r--r--framework/Web/UI/WebControls/THtmlArea.php2
-rw-r--r--framework/Web/UI/WebControls/TRatingList.php7
-rw-r--r--framework/Web/UI/WebControls/TTextHighlighter.php3
-rw-r--r--framework/Web/UI/WebControls/TWizard.php81
9 files changed, 86 insertions, 70 deletions
diff --git a/framework/I18N/TGlobalization.php b/framework/I18N/TGlobalization.php
index 1f568a27..317273ac 100644
--- a/framework/I18N/TGlobalization.php
+++ b/framework/I18N/TGlobalization.php
@@ -28,13 +28,13 @@ class TGlobalization extends TModule
{
/**
* Default character set is 'UTF-8'.
- * @var string
+ * @var string
*/
private $_defaultCharset = 'UTF-8';
/**
* Default culture is 'en'.
- * @var string
+ * @var string
*/
private $_defaultCulture = 'en';
@@ -46,13 +46,13 @@ class TGlobalization extends TModule
/**
* The current charset.
- * @var string
- */
+ * @var string
+ */
protected $_charset='UTF-8';
/**
* The current culture.
- * @var string
+ * @var string
*/
protected $_culture='en';
@@ -64,7 +64,7 @@ class TGlobalization extends TModule
* @param TXmlElement application configuration
*/
public function init($xml)
- {
+ {
$this->_defaultCharset = $this->getCharset();
$this->_defaultCulture = $this->getCulture();
@@ -82,7 +82,7 @@ class TGlobalization extends TModule
}
/**
- * @param string culture, e.g. <tt>en_US</tt> for American English
+ * @param string culture, e.g. <tt>en_US</tt> for American English
*/
public function setCulture($culture)
{
@@ -131,7 +131,7 @@ class TGlobalization extends TModule
if($config['type'] == 'XLIFF' || $config['type'] == 'gettext')
{
$config['source'] = Prado::getPathOfNamespace($config['source']);
- if(!is_dir($config['source']))
+ if($config['source']===null || !is_dir($config['source']))
throw new TException("invalid source dir '{$config['source']}'");
}
if($config['cache'])
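Review bot: The exception message on the line after the new check interpolates `$config['source']` after it has already been overwritten with the resolver's result, so in the new null case the message reads `invalid source dir ''` and the misconfigured namespace from the configuration is lost. Resolving into a local first keeps the original value available for the message: `$source=Prado::getPathOfNamespace($config['source']);`, `if($source===null || !is_dir($source)) throw new TException("invalid source dir '{$config['source']}'");`, `$config['source']=$source;`. The enclosing method starts and ends outside this hunk.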
@@ -154,7 +154,7 @@ class TGlobalization extends TModule
{
return $this->_translation['catalogue'] = $value;
}
-
+
/**
* @return string default charset set in application.xml
*/
diff --git a/framework/Web/Services/TPageService.php b/framework/Web/Services/TPageService.php
index bb80b902..09f1027e 100644
--- a/framework/Web/Services/TPageService.php
+++ b/framework/Web/Services/TPageService.php
@@ -401,8 +401,9 @@ class TPageService extends TService
{
if($this->_initialized)
throw new TInvalidOperationException('pageservice_basepath_unchangeable');
- else if(($this->_basePath=realpath(Prado::getPathOfNamespace($value)))===false || !is_dir($this->_basePath))
+ else if(($path=Prado::getPathOfNamespace($value))===null || !is_dir($path))
throw new TConfigurationException('pageservice_basepath_invalid',$value);
+ $this->_basePath=realpath($path);
}
/**
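Review bot: The added assignment `$this->_basePath=realpath($path);` drops the `===false` check the removed line had, so if realpath() fails after is_dir() succeeded (an unreadable path component or a symlink that cannot be resolved, as far as I can tell from here) the service would store `false` as its base path instead of failing configuration. Keeping the check is a one-line change: `if(($this->_basePath=realpath($path))===false) throw new TConfigurationException('pageservice_basepath_invalid',$value);`. The `else if` following a `throw` could also be a plain `if`, since the first branch never falls through. The method's signature is outside this hunk.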
diff --git a/framework/Web/UI/TTemplateControl.php b/framework/Web/UI/TTemplateControl.php
index 2d6829ee..18766102 100644
--- a/framework/Web/UI/TTemplateControl.php
+++ b/framework/Web/UI/TTemplateControl.php
@@ -198,8 +198,6 @@ class TTemplateControl extends TControl implements INamingContainer
$controls=$placeholder->getParent()->getControls();
$loc=$controls->remove($placeholder);
$controls->insertAt($loc,$content);
- //list($parent,$loc)=$this->_placeholders[$id];
- //$parent->getControls()->insertAt($loc,$content);
}
}
diff --git a/framework/Web/UI/WebControls/TColorPicker.php b/framework/Web/UI/WebControls/TColorPicker.php
index 2a19125b..c0cc3ae7 100644
--- a/framework/Web/UI/WebControls/TColorPicker.php
+++ b/framework/Web/UI/WebControls/TColorPicker.php
@@ -132,11 +132,15 @@ class TColorPicker extends TTextBox
{
$cs = $this->getPage()->getClientScript();
$style = 'System.Web.Javascripts.colorpicker.'.$this->getColorPickerStyle();
- $cssFile=Prado::getPathOfNamespace($style,'.css');
- $url = $this->publishFilePath($cssFile);
- if(!$cs->isStyleSheetFileRegistered($style))
- $cs->registerStyleSheetFile($style, $url);
- return $url;
+ if(($cssFile=Prado::getPathOfNamespace($style,'.css'))!==null)
+ {
+ $url = $this->publishFilePath($cssFile);
+ if(!$cs->isStyleSheetFileRegistered($style))
+ $cs->registerStyleSheetFile($style, $url);
+ return $url;
+ }
+ else
+ throw new TConfigurationException('colorpicker_style_invalid',$style);
}
/**
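Review bot: The new `else` on the line after the block that already returns is a style point: a guard clause reads more directly and avoids re-indenting the whole body, e.g. `if(($cssFile=Prado::getPathOfNamespace($style,'.css'))===null) throw new TConfigurationException('colorpicker_style_invalid',$style);` followed by the original three lines unchanged. The same shape appears in the second TColorPicker hunk and in both TDatePicker hunks, where `throw` in the `else` could likewise become a guard ahead of the happy path. Separately, `$style` is built from `getColorPickerStyle()`, which is outside this hunk; the null check now makes an unknown style fail explicitly rather than publishing whatever path results, and if that setter accepts arbitrary strings, checking the name against the set of shipped styles would be a stronger validation than relying on the resolver.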
@@ -157,8 +161,10 @@ class TColorPicker extends TTextBox
foreach($images as $filename => $ext)
{
$image = 'System.Web.Javascripts.colorpicker.'.$filename;
- $file = Prado::getPathOfNamespace($image, $ext);
- $list[$filename.$ext] = $this->publishFilePath($file);
+ if(($file = Prado::getPathOfNamespace($image, $ext))!==null)
+ $list[$filename.$ext] = $this->publishFilePath($file);
+ else
+ throw new TConfigurationException('colorpicker_image_invalid',$image);
}
$imgs['button.gif'] = $list['button.gif'];
$imgs['background.png'] = $list['background.png'];
diff --git a/framework/Web/UI/WebControls/TDatePicker.php b/framework/Web/UI/WebControls/TDatePicker.php
index 6f5eaffb..fd280938 100644
--- a/framework/Web/UI/WebControls/TDatePicker.php
+++ b/framework/Web/UI/WebControls/TDatePicker.php
@@ -329,8 +329,10 @@ class TDatePicker extends TTextBox
{
$cs = $this->getPage()->getClientScript();
$image = 'System.Web.Javascripts.datepicker.calendar';
- $file = Prado::getPathOfNamespace($image, '.png');
- return $this->publishFilePath($file);
+ if(($file = Prado::getPathOfNamespace($image, '.png'))!==null)
+ return $this->publishFilePath($file);
+ else
+ throw new TConfigurationException('datepicker_defaultbuttonimage_invalid',$image);
}
/**
@@ -341,11 +343,15 @@ class TDatePicker extends TTextBox
{
$cs = $this->getPage()->getClientScript();
$style = 'System.Web.Javascripts.datepicker.'.$this->getCalendarStyle();
- $cssFile=Prado::getPathOfNamespace($style,'.css');
- $url = $this->publishFilePath($cssFile);
- if(!$cs->isStyleSheetFileRegistered($style))
- $cs->registerStyleSheetFile($style, $url);
- return $url;
+ if(($cssFile=Prado::getPathOfNamespace($style,'.css'))!==null)
+ {
+ $url = $this->publishFilePath($cssFile);
+ if(!$cs->isStyleSheetFileRegistered($style))
+ $cs->registerStyleSheetFile($style, $url);
+ return $url;
+ }
+ else
+ throw new TConfigurationException('datepicker_calendarstyle_invalid',$style);
}
/**
diff --git a/framework/Web/UI/WebControls/THtmlArea.php b/framework/Web/UI/WebControls/THtmlArea.php
index d858a90f..1801e739 100644
--- a/framework/Web/UI/WebControls/THtmlArea.php
+++ b/framework/Web/UI/WebControls/THtmlArea.php
@@ -284,6 +284,8 @@ class THtmlArea extends TTextBox
{
$tarfile = Prado::getPathOfNamespace('System.3rdParty.TinyMCE.tiny_mce', '.tar');
$md5sum = Prado::getPathOfNamespace('System.3rdParty.TinyMCE.tiny_mce', '.md5');
+ if($tarfile===null || $md5sum===null)
+ throw new TConfigurationException('htmlarea_tarfile_invalid');
return $this->getApplication()->getAssetManager()->publishTarFile($tarfile, $md5sum);
}
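Review bot: The new exception at the second added line carries no parameter, so unlike the other controls in this commit (which pass `$style` or `$image`) the message cannot say which of the two files failed to resolve. Passing the namespace gives the operator something to act on: `throw new TConfigurationException('htmlarea_tarfile_invalid','System.3rdParty.TinyMCE.tiny_mce');`. The TTextHighlighter hunk has the same omission and could pass `'System.3rdParty.geshi.highlight'` in its new throw. The enclosing method begins outside this hunk.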
diff --git a/framework/Web/UI/WebControls/TRatingList.php b/framework/Web/UI/WebControls/TRatingList.php
index 3c5a9279..4302c3b3 100644
--- a/framework/Web/UI/WebControls/TRatingList.php
+++ b/framework/Web/UI/WebControls/TRatingList.php
@@ -158,7 +158,8 @@ class TRatingListDefaultStyle extends TRatingListStyle
public function getStyleSheet()
{
$style = 'System.Web.Javascripts.ratings.default';
- $cssFile=Prado::getPathOfNamespace($style,'.css');
+ if(($cssFile=Prado::getPathOfNamespace($style,'.css'))===null)
+ throw new TConfigurationException('ratinglist_stylesheet_invalid',$style);
return $cssFile;
}
@@ -166,7 +167,9 @@ class TRatingListDefaultStyle extends TRatingListStyle
{
$assets = array();
$image = 'System.Web.Javascripts.ratings.10star_white';
- $assets[] = Prado::getPathOfNamespace($image, '.gif');
+ if(($file=Prado::getPathOfNamespace($image, '.gif'))===null)
+ throw TConfigurationException('ratinglist_asset_invalid',$image);
+ $assets[] = $file;
return $assets;
}
}
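Review bot: The added `throw TConfigurationException('ratinglist_asset_invalid',$image);` is missing `new`, so PHP treats it as a call to an undefined function and the script dies with a fatal error instead of raising the intended configuration exception when the asset is missing. The line should read `throw new TConfigurationException('ratinglist_asset_invalid',$image);`. The other throws in this commit, including the one in the previous TRatingList hunk, use `new` correctly.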
diff --git a/framework/Web/UI/WebControls/TTextHighlighter.php b/framework/Web/UI/WebControls/TTextHighlighter.php
index 281f131e..4eec7de1 100644
--- a/framework/Web/UI/WebControls/TTextHighlighter.php
+++ b/framework/Web/UI/WebControls/TTextHighlighter.php
@@ -122,7 +122,8 @@ class TTextHighlighter extends TWebControl
$cssKey='prado:TTextHighlighter';
if(!$cs->isStyleSheetFileRegistered($cssKey))
{
- $cssFile=Prado::getPathOfNamespace('System.3rdParty.geshi.highlight','.css');
+ if(($cssFile=Prado::getPathOfNamespace('System.3rdParty.geshi.highlight','.css'))===null)
+ throw new TConfigurationException('texthighlighter_stylesheet_invalid');
$styleSheet = $this->publishFilePath($cssFile);
$cs->registerStyleSheetFile($cssKey, $styleSheet);
}
diff --git a/framework/Web/UI/WebControls/TWizard.php b/framework/Web/UI/WebControls/TWizard.php
index 9bc6a1e0..20d80eca 100644
--- a/framework/Web/UI/WebControls/TWizard.php
+++ b/framework/Web/UI/WebControls/TWizard.php
@@ -32,13 +32,13 @@
*<code>
* <com:TWizard ID="ContactWizard" >
* <com:TWizardStep Title="Step 1: Name">
- * <com:TFormLabel For="Name">Full name:</com:TFormLabel>
+ * <com:TLabel ForControl="Name">Full name:</com:TLabel>
* <com:TTextBox ID="Name" />
* </com:TWizardStep>
* <com:TWizardStep Title="Step 2: Contact">
- * <com:TFormLabel For="Phone">Telephone Number:</com:TFormLabel>
+ * <com:TLabel ForControl="Phone">Telephone Number:</com:TLabel>
* <com:TTextBox ID="Phone" />
- * <com:TFormLabel For="Email">Email:</com:TFormLabel>
+ * <com:TLabel ForControl="Email">Email:</com:TLabel>
* <com:TTextBox ID="Email" />
* </com:TWizardStep>
* <com:TWizardStep Title="Step 3: Confirmation">
@@ -101,7 +101,7 @@
* @version v1.0, last update on Sat Dec 11 15:25:11 EST 2004
* @package System.Web.UI.WebControls
*/
-class TWizard extends TPanel
+class TWizard extends TPanel implements INamingContainer
{
/**
* The command name for the OnNextCommand.
@@ -137,19 +137,19 @@ class TWizard extends TPanel
* A list of steps.
* @var array
*/
- protected $steps=array();
+ private $_steps=array();
/**
* A list of navigation templates, including built-in defaults.
* @var array
*/
- protected $navigation = array();
+ private $_navigation = array();
/**
* A list of links for the side bar.
* @var array
*/
- protected $sidebarLinks = array();
+ private $_sidebarLinks = array();
/**
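Review bot: Changing the three properties from `protected` to `private` (with the underscore rename) removes them from any subclass that read `$this->steps`, `$this->navigation` or `$this->sidebarLinks`; whether such subclasses exist is not visible from here, but the commit message does not mention the API change. If the narrowing is intended, a short note in each docblock such as `* @internal no longer accessible to subclasses` would make it deliberate rather than accidental.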
* Set the Finish button text.
@@ -230,14 +230,14 @@ class TWizard extends TPanel
*/
public function setDisplaySideBar($value)
{
- $this->setViewState('DisplaySideBar',$value,true);
+ $this->setViewState('DisplaySideBar',TPropertyValue::ensureBoolean($value),true);
}
/**
* Determine if the side bar's visibility.
* @return boolean true if visible, false otherwise.
*/
- public function isSideBarVisible()
+ public function getDisplaySideBar()
{
return $this->getViewState('DisplaySideBar',true);
}
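Review bot: Renaming `isSideBarVisible()` to `getDisplaySideBar()` here leaves the unchanged context line in the onPreRender hunk further down, `if(!$final && $this->isSideBarVisible())`, calling the old name; unless a method of that name still exists elsewhere in the file, every pre-render of a non-final step will fail with an undefined-method error. That line should become `if(!$final && $this->getDisplaySideBar())`. The getter/setter pair now matches the `DisplaySideBar` view-state key, which is the right direction, and the added `TPropertyValue::ensureBoolean` on the setter is consistent with the rest of the framework.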
@@ -249,8 +249,10 @@ class TWizard extends TPanel
public function getActiveStep()
{
$index = $this->getActiveStepIndex();
- if(isset($this->steps[$index]))
- return $this->steps[$index];
+ if(isset($this->_steps[$index]))
+ return $this->_steps[$index];
+ else
+ return null;
}
/**
@@ -278,23 +280,20 @@ class TWizard extends TPanel
* By adding components as child of TWizard, these component's parent
* is the TWizard.
* @param object a component object.
- * @param object the template owner object
*/
public function addParsedObject($object,$context)
{
if($object instanceof TWizardStep)
{
$object->setVisible(false);
- $this->steps[] = $object;
- $this->addChild($object);
- $this->addBody($object);
+ $this->_steps[] = $object;
+ $this->getControls()->add($object);
}
else if ($object instanceof TWizardTemplate)
{
$object->setVisible(false);
- $this->navigation[$object->Type][] = $object;
- $this->addChild($object);
- $this->addBody($object);
+ $this->_navigation[$object->getType()][] = $object;
+ $this->getControls()->add($object);
}
else
parent::addParsedObject($object,$context);
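Review bot: The docblock loses `@param object the template owner object` while the signature still takes `$context` and forwards it to `parent::addParsedObject($object,$context)`, so the method is now under-documented relative to its parameters. Either restore the removed line or, if the parameter is unused in this class, say so: `* @param object the template owner object, passed through to the parent implementation`. The docblock also says components are added as children; the new `$this->getControls()->add($object)` lines are what establish that, which is worth stating in the description.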
@@ -324,32 +323,32 @@ class TWizard extends TPanel
parent::onPreRender($param);
$index = $this->getActiveStepIndex();
- $totalSteps = count($this->steps);
+ $totalSteps = count($this->_steps);
//show the current step
for($i = 0; $i < $totalSteps; $i++)
- $this->steps[$i]->setVisible($i == $index);
+ $this->_steps[$i]->setVisible($i == $index);
//determine which link is active
- for($i = 0; $i < count($this->sidebarLinks); $i++)
- $this->sidebarLinks[$i]->CssClass= ($i == $index)?'active':'';
+ for($i = 0; $i < count($this->_sidebarLinks); $i++)
+ $this->_sidebarLinks[$i]->CssClass= ($i == $index)?'active':'';
//hide all the navigations first.
- foreach($this->navigation as $navigation)
+ foreach($this->_navigation as $navigation)
{
foreach($navigation as $nav)
$nav->setVisible(false);
}
- $final = $this->steps[$index]->Type == TWizardStep::TYPE_FINAL;
+ $final = $this->_steps[$index]->Type == TWizardStep::TYPE_FINAL;
//if it is not the final step
if(!$final && $this->isSideBarVisible())
$this->showNavigation(TWizardTemplate::ID_SIDEBAR);
$finishStep = $index == $totalSteps-1;
- $finishStep = $finishStep || (isset($this->steps[$index+1]) &&
- $this->steps[$index+1]->Type == TWizardStep::TYPE_FINAL);
+ $finishStep = $finishStep || (isset($this->_steps[$index+1]) &&
+ $this->_steps[$index+1]->Type == TWizardStep::TYPE_FINAL);
//now show the appropriate navigation elements.
if($index == 0)
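Review bot: The new lines keep the public-property form `$this->_steps[$index]->Type` (and `$this->_steps[$index+1]->Type` two lines later) while the addParsedObject hunk in this same commit switched from `$object->Type` to `$object->getType()`; for consistency these should be `$this->_steps[$index]->getType()`, and the same applies to the `->Type` and `->Title` reads in the addNavigationSideBar hunk. Separately, `$this->_steps[$index]` on the `$final` line is dereferenced without a guard; when the wizard has no steps (`$totalSteps` is 0) this reads an undefined offset and then a property of null, and the new null return from getActiveStep() suggests that case is expected to be possible. The method continues past the end of this hunk.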
@@ -367,8 +366,8 @@ class TWizard extends TPanel
*/
private function showNavigation($index)
{
- if(!isset($this->navigation[$index])) return;
- foreach($this->navigation[$index] as $nav)
+ if(!isset($this->_navigation[$index])) return;
+ foreach($this->_navigation[$index] as $nav)
{
$nav->setVisible(true);
$nav->dataBind();
@@ -415,15 +414,15 @@ class TWizard extends TPanel
$cancelButton->CssClass='Cancel';
$cancelButton->setCausesValidation(false);
- if(!isset($this->navigation[TWizardTemplate::ID_START]))
+ if(!isset($this->_navigation[TWizardTemplate::ID_START]))
{
$start->addBody($nextButton);
$start->addBody($cancelButton);
$this->addBody($start);
- $this->navigation[TWizardTemplate::ID_START][] = $start;
+ $this->_navigation[TWizardTemplate::ID_START][] = $start;
}
- if(!isset($this->navigation[TWizardTemplate::ID_STEP]))
+ if(!isset($this->_navigation[TWizardTemplate::ID_STEP]))
{
$step->addBody($hiddenButton);
@@ -431,16 +430,16 @@ class TWizard extends TPanel
$step->addBody($nextButton);
$step->addBody($cancelButton);
$this->addBody($step);
- $this->navigation[TWizardTemplate::ID_STEP][] = $step;
+ $this->_navigation[TWizardTemplate::ID_STEP][] = $step;
}
- if(!isset($this->navigation[TWizardTemplate::ID_FINISH]))
+ if(!isset($this->_navigation[TWizardTemplate::ID_FINISH]))
{
$finish->addBody($previousButton);
$finish->addBody($finishButton);
$finish->addBody($cancelButton);
$this->addBody($finish);
- $this->navigation[TWizardTemplate::ID_FINISH][] = $finish;
+ $this->_navigation[TWizardTemplate::ID_FINISH][] = $finish;
}
}
@@ -452,10 +451,10 @@ class TWizard extends TPanel
*/
private function addNavigationSideBar()
{
- if(isset($this->navigation[TWizardTemplate::ID_SIDEBAR]))
+ if(isset($this->_navigation[TWizardTemplate::ID_SIDEBAR]))
return;
- $total = count($this->steps);
+ $total = count($this->_steps);
$current = $this->getActiveStepIndex();
$sidebar = $this->createComponent('TPanel',TWizardTemplate::ID_SIDEBAR);
@@ -464,21 +463,21 @@ class TWizard extends TPanel
if($total > 0) $sidebar->addBody("<ul>\n");
for($i = 0; $i < $total; $i++)
{
- if($this->steps[$i]->Type == TWizardStep::TYPE_FINAL)
+ if($this->_steps[$i]->Type == TWizardStep::TYPE_FINAL)
continue;
$sidebar->addBody("<li>");
$link = $this->createComponent('TLinkButton');
$link->setCommandName(self::CMD_JUMP);
$link->setCommandParameter($i);
- $link->Text = $this->steps[$i]->Title;
- $this->sidebarLinks[] = $link;
+ $link->Text = $this->_steps[$i]->Title;
+ $this->_sidebarLinks[] = $link;
$sidebar->addBody($link);
$sidebar->addBody("</li>\n");
}
if($total > 0) $sidebar->addBody("</ul>\n");
$this->addBody($sidebar);
- $this->navigation[TWizardTemplate::ID_SIDEBAR][] = $sidebar;
+ $this->_navigation[TWizardTemplate::ID_SIDEBAR][] = $sidebar;
}
/**
@@ -520,7 +519,7 @@ class TWizard extends TPanel
}
break;
case self::CMD_FINISH:
- if(isset($this->steps[$event->nextStepIndex+1]))
+ if(isset($this->_steps[$event->nextStepIndex+1]))
$event->nextStepIndex++;
$this->raiseEvent('OnFinishCommand',$this,$event);
if(!$event->cancel)