9 files changed, 135 insertions, 34 deletions

diff --git a/HISTORY b/HISTORY
index 630b291f..1d610ca0 100644
--- a/HISTORY
+++ b/HISTORY
@@ -9,12 +9,15 @@ NEW: SQLMap (Wei)
 

 Version 3.0.1 June 1, 2006

 ==========================

+BUG: Ticket#44 - THtmlArea (tiny_mce) not working on some systems (Qiang)

+BUG: Ticket#167 - TSecurityManager issues warning when trying to encrypt/decrypt strings (Qiang)

 ENH: Ticket#150 - TDataGrid and TDataList now render table section tags (Qiang)

 ENH: Ticket#152 - constituent parts of TWizard are exposed (Qiang)

 ENH: added sanity check to calling event handlers (Qiang)

 ENH: added search for quickstart tutorials (Wei)

 ENH: added support to property tags for template owner control (Qiang)

 ENH: added Bulgarian requirement checker messages (StanProg)

+ENH: added TTheme.BaseUrl property (Qiang)

 CHG: Ticket#151 - URL format is modified to handle empty GET values (Qiang)

 CHG: Ticket#153 - TAssetManager now ignores .svn directories (Qiang)

 NEW: TTableHeaderRow, TTableFooterRow and table section support (Qiang)

diff --git a/framework/3rdParty/TinyMCE/tiny_mce.md5 b/framework/3rdParty/TinyMCE/tiny_mce.md5
index 1ee34468..7e3ff1f8 100644
--- a/framework/3rdParty/TinyMCE/tiny_mce.md5
+++ b/framework/3rdParty/TinyMCE/tiny_mce.md5
@@ -1 +1 @@
-505c2761e878f40d5451115bd5643355 *tiny_mce.tar
+92380b28b827c8d569026439abb44142  tiny_mce.tar
diff --git a/framework/3rdParty/TinyMCE/tiny_mce.tar b/framework/3rdParty/TinyMCE/tiny_mce.tar
index 663abb34..125ee624 100644
--- a/framework/3rdParty/TinyMCE/tiny_mce.tar
+++ b/framework/3rdParty/TinyMCE/tiny_mce.tar
diff --git a/framework/Exceptions/messages.txt b/framework/Exceptions/messages.txt
index ebdbaaea..c57534b1 100644
--- a/framework/Exceptions/messages.txt
+++ b/framework/Exceptions/messages.txt
@@ -42,6 +42,10 @@ appconfig_serviceid_required			= Application configuration <service> element mus
 appconfig_servicetype_required			= Application configuration <service id="{0}"> must have a "class" attribute.

 appconfig_parameterid_required			= Application configuration <parameter> element must have an "id" attribute.

 

+securitymanager_validationkey_invalid	= TSecurityManager.ValidationKey must not be empty.

+securitymanager_encryptionkey_invalid	= TSecurityManager.EncryptionKey must not be empty.

+securitymanager_mcryptextension_required = Mcrypt PHP extension is required in order to use TSecurityManager's encryption feature.

+

 uri_format_invalid						= '{0}' is not a valid URI.

 

 httpresponse_bufferoutput_unchangeable	= THttpResponse.BufferOutput cannot be modified after THttpResponse is initialized.

diff --git a/framework/Security/TSecurityManager.php b/framework/Security/TSecurityManager.php
index 46ad4575..b0ea4e95 100644
--- a/framework/Security/TSecurityManager.php
+++ b/framework/Security/TSecurityManager.php
@@ -43,8 +43,10 @@ class TSecurityManager extends TModule
 {

 	const STATE_VALIDATION_KEY='prado:securitymanager:validationkey';

 	const STATE_ENCRYPTION_KEY='prado:securitymanager:encryptionkey';

-	private $_validationKey;

-	private $_encryptionKey;

+	const STATE_INIT_VECTOR='prado:securitymanager:initvector';

+	private $_validationKey=null;

+	private $_encryptionKey=null;

+	private $_initVector=null;

 	private $_validation='SHA1';

 	private $_encryption='3DES';

 

@@ -63,19 +65,16 @@ class TSecurityManager extends TModule
 	 */

 	protected function generateRandomKey()

 	{

-		$v1=rand();

-		$v2=rand();

-		$v3=rand();

-		return md5("$v1$v2$v3");

+		return rand().rand().rand().rand();

 	}

 

 	/**

 	 * @return string the private key used to generate HMAC.

-	 * If the key is not explicitly set, a random one is generated and used.

+	 * If the key is not explicitly set, a random one is generated and returned.

 	 */

 	public function getValidationKey()

 	{

-		if(empty($this->_validationKey))

+		if($this->_validationKey===null)

 		{

 			if(($this->_validationKey=$this->getApplication()->getGlobalState(self::STATE_VALIDATION_KEY))===null)

 			{

@@ -88,22 +87,23 @@ class TSecurityManager extends TModule
 

 	/**

 	 * @param string the key used to generate HMAC

-	 * @throws TInvalidDataValueException if the key is shorter than 8 characters.

+	 * @throws TInvalidDataValueException if the key is empty

 	 */

 	public function setValidationKey($value)

 	{

-		if(strlen($value)<8)

+		if($value!=='')

+			$this->_validationKey=$value;

+		else

 			throw new TInvalidDataValueException('securitymanager_validationkey_invalid');

-		$this->_validationKey=$value;

 	}

 

 	/**

 	 * @return string the private key used to encrypt/decrypt data.

-	 * If the key is not explicitly set, a random one is generated and used.

+	 * If the key is not explicitly set, a random one is generated and returned.

 	 */

 	public function getEncryptionKey()

 	{

-		if(empty($this->_encryptionKey))

+		if($this->_encryptionKey===null)

 		{

 			if(($this->_encryptionKey=$this->getApplication()->getGlobalState(self::STATE_ENCRYPTION_KEY))===null)

 			{

@@ -116,13 +116,14 @@ class TSecurityManager extends TModule
 

 	/**

 	 * @param string the key used to encrypt/decrypt data.

-	 * @throws TInvalidDataValueException if the key is shorter than 8 characters.

+	 * @throws TInvalidDataValueException if the key is empty

 	 */

 	public function setEncryptionKey($value)

 	{

-		if(strlen($value)<8)

+		if($value!=='')

+			$this->_encryptionKey=$value;

+		else

 			throw new TInvalidDataValueException('securitymanager_encryptionkey_invalid');

-		$this->_encryptionKey=$value;

 	}

 

 	/**

@@ -167,7 +168,15 @@ class TSecurityManager extends TModule
 	{

 		if(function_exists('mcrypt_encrypt'))

 		{

-			return mcrypt_encrypt(MCRYPT_3DES, $this->getEncryptionKey(), $data, MCRYPT_MODE_CBC);

+			$module=mcrypt_module_open(MCRYPT_3DES, '', MCRYPT_MODE_CBC, '');

+			$key=substr(md5($this->getEncryptionKey()),0,mcrypt_enc_get_key_size($module));

+			srand();

+			$iv=mcrypt_create_iv(mcrypt_enc_get_iv_size($module), MCRYPT_RAND);

+			mcrypt_generic_init($module,$key,$iv);

+			$encrypted=$iv.mcrypt_generic($module,$data);

+			mcrypt_generic_deinit($module);

+			mcrypt_module_close($module);

+			return $encrypted;

 		}

 		else

 			throw new TNotSupportedException('securitymanager_mcryptextension_required');

@@ -183,7 +192,15 @@ class TSecurityManager extends TModule
 	{

 		if(function_exists('mcrypt_decrypt'))

 		{

-			return mcrypt_decrypt(MCRYPT_3DES, $this->getEncryptionKey(), $data, MCRYPT_MODE_CBC);

+			$module=mcrypt_module_open(MCRYPT_3DES, '', MCRYPT_MODE_CBC, '');

+			$key=substr(md5($this->getEncryptionKey()),0,mcrypt_enc_get_key_size($module));

+			$ivSize=mcrypt_enc_get_iv_size($module);

+			$iv=substr($data,0,$ivSize);

+			mcrypt_generic_init($module,$key,$iv);

+			$decrypted=mdecrypt_generic($module,substr($data,$ivSize));

+			mcrypt_generic_deinit($module);

+			mcrypt_module_close($module);

+			return rtrim($decrypted,"\0");

 		}

 		else

 			throw new TNotSupportedException('securitymanager_mcryptextension_required');

@@ -238,10 +255,7 @@ class TSecurityManager extends TModule
 			$func='md5';

 		}

 		$key=$this->getValidationKey();

-		if (strlen($key) > 64)

-			$key = pack($pack, $func($key));

-		if (strlen($key) < 64)

-			$key = str_pad($key, 64, chr(0));

+		$key=str_pad($func($key), 64, chr(0));

 		return $func((str_repeat(chr(0x5C), 64) ^ substr($key, 0, 64)) . pack($pack, $func((str_repeat(chr(0x36), 64) ^ substr($key, 0, 64)) . $data)));

 	}

 }

diff --git a/framework/Web/UI/TThemeManager.php b/framework/Web/UI/TThemeManager.php
index 7ae36556..c351bcdb 100644
--- a/framework/Web/UI/TThemeManager.php
+++ b/framework/Web/UI/TThemeManager.php
@@ -301,6 +301,14 @@ class TTheme extends TApplicationComponent implements ITheme
 	}

 

 	/**

+	 * @return string the URL to the theme folder (without ending slash)

+	 */

+	public function getBaseUrl()

+	{

+		return $this->_themeUrl;

+	}

+

+	/**

 	 * Applies the theme to a particular control.

 	 * The control's class name and SkinID value will be used to

 	 * identify which skin to be applied. If the control's SkinID is empty,

diff --git a/requirements/index.php b/requirements/index.php
index 8bb40418..a94c92cf 100644
--- a/requirements/index.php
+++ b/requirements/index.php
@@ -30,15 +30,70 @@
  * @var array List of requirements (required or not, check item, hint)

  */

 $requirements = array(

-	array(true,'version_compare(PHP_VERSION,"5.0.4",">=")','PHP version check','PHP 5.0.4 or higher required'),

-	array(false,'version_compare(PHP_VERSION,"5.1.0",">=")','PHP version check','PHP 5.1.0 or higher preferred'),

-	array(true,'class_exists("DOMDocument",false)','DOM extension check','DOM extension required'),

-	array(false,'function_exists("iconv")','ICONV extension check','ICONV extension optional'),

-	array(false,'extension_loaded("zlib")','Zlib extension check','Zlib extension optional'),

-	array(false,'extension_loaded("sqlite")','SQLite extension check','SQLite extension optional'),

-	array(false,'extension_loaded("memcache")','Memcache extension check','Memcache extension optional'),

-	array(false,'extension_loaded("apc")','APC extension check','APC extension optional'),

-	array(false,'extension_loaded("mcrypt")','Mcrypt extension check','Mcrypt extension optional'),

+	array(

+		true,

+		version_compare(PHP_VERSION,"5.0.4",">="),

+		'PHP version check',

+		'PHP 5.0.4 or higher required'),

+	array(

+		false,

+		version_compare(PHP_VERSION,"5.1.0",">="),

+		'PHP version check','PHP 5.1.0 or higher preferred'),

+	array(

+		true,

+		isset($_SERVER["HTTP_ACCEPT"]),

+		'$_SERVER["HTTP_ACCEPT"] check',

+		'HTTP_ACCEPT required'),

+	array(

+		true,

+		isset($_SERVER["SCRIPT_FILENAME"]) && realpath($_SERVER["SCRIPT_FILENAME"])===realpath(__FILE__),

+		'$_SERVER["SCRIPT_FILENAME"] check',

+		'SCRIPT_FILENAME required'),

+	array(

+		true,

+		isset($_SERVER["REQUEST_URI"]) || isset($_SERVER["QUERY_STRING"]),

+		'$_SERVER["REQUEST_URI"] check',

+		'REQUEST_URI required'),

+	array(

+		true,

+		isset($_SERVER["PATH_INFO"]) || strpos($_SERVER["PHP_SELF"],$_SERVER["SCRIPT_NAME"])===0,

+		'$_SERVER["PATH_INFO"] check',

+		'PATH_INFO required'),

+	array(

+		true,

+		class_exists("DOMDocument",false),

+		'DOM extension check',

+		'DOM extension required'),

+	array(

+		false,

+		function_exists("iconv"),

+		'ICONV extension check',

+		'ICONV extension optional'),

+	array(

+		false,

+		extension_loaded("zlib"),

+		'Zlib extension check',

+		'Zlib extension optional'),

+	array(

+		false,

+		extension_loaded("sqlite"),

+		'SQLite extension check',

+		'SQLite extension optional'),

+	array(

+		false,

+		extension_loaded("memcache"),

+		'Memcache extension check',

+		'Memcache extension optional'),

+	array(

+		false,

+		extension_loaded("apc"),

+		'APC extension check',

+		'APC extension optional'),

+	array(

+		false,

+		extension_loaded("mcrypt"),

+		'Mcrypt extension check',

+		'Mcrypt extension optional'),

 	array(false,'extension_loaded("xsl")','XSL extension check','XSL extension optional'),

 );

 

@@ -47,7 +102,8 @@ $conclusion = 0;
 foreach($requirements as $requirement)

 {

 	list($required,$expression,$aspect,$hint)=$requirement;

-	eval('$ret='.$expression.';');

+	//eval('$ret='.$expression.';');

+	$ret=$expression;

 	if($required)

 	{

 		if($ret)

diff --git a/requirements/messages-zh.txt b/requirements/messages-zh.txt
index bb832a4c..b86d96cf 100644
--- a/requirements/messages-zh.txt
+++ b/requirements/messages-zh.txt
@@ -20,3 +20,11 @@ Mcrypt extension check = Mcrypt模块检查
 Mcrypt extension optional = Mcrypt模块是可选的。如果它不存在，某些敏感数据，例如viewstate，将无法被加密。

 XSL extension check = XSL模块检查

 XSL extension optional = XSL模块是可选的。如果它不存在，您将无法使用TXmlTransform。

+$_SERVER["HTTP_ACCEPT"] check = $_SERVER["HTTP_ACCEPT"]检查

+HTTP_ACCEPT required = $_SERVER["HTTP_ACCEPT"]是必须的。如果它不存在，一些多语言功能可能出错。

+$_SERVER["SCRIPT_FILENAME"] check = $_SERVER["SCRIPT_FILENAME"]检查

+SCRIPT_FILENAME required = $_SERVER["SCRIPT_FILENAME"]必须指向本程序文件路径。

+$_SERVER["REQUEST_URI"] check = $_SERVER["REQUEST_URI"]检查

+REQUEST_URI required = $_SERVER["REQUEST_URI"]或$_SERVER["QUERY_STRING"]是必须的。如果它们都不存在，用户请求将无法被正确解析。

+$_SERVER["PATH_INFO"] check = $_SERVER["PATH_INFO"]检查

+PATH_INFO required = $_SERVER["PATH_INFO"]或$_SERVER["PHP_SELF"]和$_SERVER["SCRIPT_NAME"]是必须的。如果它们都不存在，URL的pathinfo将无法被正确解析。

diff --git a/requirements/messages.txt b/requirements/messages.txt
index 405231df..ccda04b2 100644
--- a/requirements/messages.txt
+++ b/requirements/messages.txt
@@ -19,4 +19,12 @@ ICONV extension optional			= ICONV extension is optional. If it is absent, some
 Mcrypt extension check				= Mcrypt extension check

 Mcrypt extension optional			= Mcrypt extension is optional. If it is absent, sensitive data, such as viewstate, cannot be encrypted.

 XSL extension check					= XSL extension check

-XSL extension optional				= XSL extension is optional. If it is absent, you will not be able to use TXmlTransform.
\ No newline at end of file
+XSL extension optional				= XSL extension is optional. If it is absent, you will not be able to use TXmlTransform.

+$_SERVER["HTTP_ACCEPT"] check		= $_SERVER["HTTP_ACCEPT"] check

+HTTP_ACCEPT required				= $_SERVER["HTTP_ACCEPT"] is required by multilanguage support.

+$_SERVER["SCRIPT_FILENAME"] check	= $_SERVER["SCRIPT_FILENAME"] check

+SCRIPT_FILENAME required			= $_SERVER["SCRIPT_FILENAME"] must point to the file path of this checker script.

+$_SERVER["REQUEST_URI"] check		= $_SERVER["REQUEST_URI"] check

+REQUEST_URI required				= Either $_SERVER["REQUEST_URI"] or $_SERVER["QUERY_STRING"] must be available for resolving user requests.

+$_SERVER["PATH_INFO"] check			= $_SERVER["PATH_INFO"] check

+PATH_INFO required					= $_SERVER["PATH_INFO"] or $_SERVER["PHP_SELF"] and $_SERVER["SCRIPT_NAME"] are required for determining URL pathinfo.