From 8b9a5c2f0d5025e29a5477ea8cc8937db49b0341 Mon Sep 17 00:00:00 2001 From: xue <> Date: Sat, 18 Feb 2006 02:25:34 +0000 Subject: Fixed a security issue about usage of Prado::getPathOfNamespace. --- framework/I18N/TGlobalization.php | 18 ++--- framework/Web/Services/TPageService.php | 3 +- framework/Web/UI/TTemplateControl.php | 2 - framework/Web/UI/WebControls/TColorPicker.php | 20 ++++-- framework/Web/UI/WebControls/TDatePicker.php | 20 ++++-- framework/Web/UI/WebControls/THtmlArea.php | 2 + framework/Web/UI/WebControls/TRatingList.php | 7 +- framework/Web/UI/WebControls/TTextHighlighter.php | 3 +- framework/Web/UI/WebControls/TWizard.php | 81 +++++++++++------------ 9 files changed, 86 insertions(+), 70 deletions(-) (limited to 'framework') diff --git a/framework/I18N/TGlobalization.php b/framework/I18N/TGlobalization.php index 1f568a27..317273ac 100644 --- a/framework/I18N/TGlobalization.php +++ b/framework/I18N/TGlobalization.php @@ -28,13 +28,13 @@ class TGlobalization extends TModule { /** * Default character set is 'UTF-8'. - * @var string + * @var string */ private $_defaultCharset = 'UTF-8'; /** * Default culture is 'en'. - * @var string + * @var string */ private $_defaultCulture = 'en'; @@ -46,13 +46,13 @@ class TGlobalization extends TModule /** * The current charset. - * @var string - */ + * @var string + */ protected $_charset='UTF-8'; /** * The current culture. - * @var string + * @var string */ protected $_culture='en'; @@ -64,7 +64,7 @@ class TGlobalization extends TModule * @param TXmlElement application configuration */ public function init($xml) - { + { $this->_defaultCharset = $this->getCharset(); $this->_defaultCulture = $this->getCulture(); @@ -82,7 +82,7 @@ class TGlobalization extends TModule } /** - * @param string culture, e.g. en_US for American English + * @param string culture, e.g. en_US for American English */ public function setCulture($culture) { 
@@ -131,7 +131,7 @@ class TGlobalization extends TModule if($config['type'] == 'XLIFF' || $config['type'] == 'gettext') { $config['source'] = Prado::getPathOfNamespace($config['source']); - if(!is_dir($config['source'])) + if($config['source']===null || !is_dir($config['source'])) throw new TException("invalid source dir '{$config['source']}'"); } if($config['cache']) @@ -154,7 +154,7 @@ class TGlobalization extends TModule { return $this->_translation['catalogue'] = $value; } - + /** * @return string default charset set in application.xml */ diff --git a/framework/Web/Services/TPageService.php b/framework/Web/Services/TPageService.php index bb80b902..09f1027e 100644 --- a/framework/Web/Services/TPageService.php +++ b/framework/Web/Services/TPageService.php @@ -401,8 +401,9 @@ class TPageService extends TService { if($this->_initialized) throw new TInvalidOperationException('pageservice_basepath_unchangeable'); - else if(($this->_basePath=realpath(Prado::getPathOfNamespace($value)))===false || !is_dir($this->_basePath)) + else if(($path=Prado::getPathOfNamespace($value))===null || !is_dir($path)) throw new TConfigurationException('pageservice_basepath_invalid',$value); + $this->_basePath=realpath($path); } /** diff --git a/framework/Web/UI/TTemplateControl.php b/framework/Web/UI/TTemplateControl.php index 2d6829ee..18766102 100644 --- a/framework/Web/UI/TTemplateControl.php +++ b/framework/Web/UI/TTemplateControl.php @@ -198,8 +198,6 @@ class TTemplateControl extends TControl implements INamingContainer $controls=$placeholder->getParent()->getControls(); $loc=$controls->remove($placeholder); $controls->insertAt($loc,$content); - //list($parent,$loc)=$this->_placeholders[$id]; - //$parent->getControls()->insertAt($loc,$content); } } diff --git a/framework/Web/UI/WebControls/TColorPicker.php b/framework/Web/UI/WebControls/TColorPicker.php index 2a19125b..c0cc3ae7 100644 --- a/framework/Web/UI/WebControls/TColorPicker.php 
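Review bot: The added null test is right, but when the `throw` runs `$config['source']` has already been overwritten with the null result, so the message reads `invalid source dir ''` and no longer names the namespace the operator misconfigured. Keep the configured string for the message: `$source=$config['source']; $config['source']=Prado::getPathOfNamespace($source);` and then `throw new TException("invalid source dir '{$source}'");`. That getPathOfNamespace returns null for an unresolvable namespace is inferred from the check itself, not visible here; the enclosing method starts and ends outside the hunk.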
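Review bot: The rewritten condition drops the `realpath(...)===false` test the old line had, so the new trailing `$this->_basePath=realpath($path);` can store `false` when realpath fails on a directory that `is_dir()` accepted (an unreadable ancestor component, for instance). Keep that case fatal: `if(($this->_basePath=realpath($path))===false) throw new TConfigurationException('pageservice_basepath_invalid',$value);`. Resolving the namespace before calling realpath also looks like the security fix itself — in PHP `realpath()` of an empty argument resolves to the current working directory, which is a real directory, so the old line could silently accept an unresolvable namespace and serve pages from the cwd; a one-line comment above the check, `// resolve the namespace first: realpath() of an empty path would silently yield the cwd`, would preserve that reasoning. setBasePath begins outside the hunk.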
+++ b/framework/Web/UI/WebControls/TColorPicker.php @@ -132,11 +132,15 @@ class TColorPicker extends TTextBox { $cs = $this->getPage()->getClientScript(); $style = 'System.Web.Javascripts.colorpicker.'.$this->getColorPickerStyle(); - $cssFile=Prado::getPathOfNamespace($style,'.css'); - $url = $this->publishFilePath($cssFile); - if(!$cs->isStyleSheetFileRegistered($style)) - $cs->registerStyleSheetFile($style, $url); - return $url; + if(($cssFile=Prado::getPathOfNamespace($style,'.css'))!==null) + { + $url = $this->publishFilePath($cssFile); + if(!$cs->isStyleSheetFileRegistered($style)) + $cs->registerStyleSheetFile($style, $url); + return $url; + } + else + throw new TConfigurationException('colorpicker_style_invalid',$style); } /** @@ -157,8 +161,10 @@ class TColorPicker extends TTextBox foreach($images as $filename => $ext) { $image = 'System.Web.Javascripts.colorpicker.'.$filename; - $file = Prado::getPathOfNamespace($image, $ext); - $list[$filename.$ext] = $this->publishFilePath($file); + if(($file = Prado::getPathOfNamespace($image, $ext))!==null) + $list[$filename.$ext] = $this->publishFilePath($file); + else + throw new TConfigurationException('colorpicker_image_invalid',$image); } $imgs['button.gif'] = $list['button.gif']; $imgs['background.png'] = $list['background.png']; diff --git a/framework/Web/UI/WebControls/TDatePicker.php b/framework/Web/UI/WebControls/TDatePicker.php index 6f5eaffb..fd280938 100644 --- a/framework/Web/UI/WebControls/TDatePicker.php +++ b/framework/Web/UI/WebControls/TDatePicker.php @@ -329,8 +329,10 @@ class TDatePicker extends TTextBox { $cs = $this->getPage()->getClientScript(); $image = 'System.Web.Javascripts.datepicker.calendar'; - $file = Prado::getPathOfNamespace($image, '.png'); - return $this->publishFilePath($file); + if(($file = Prado::getPathOfNamespace($image, '.png'))!==null) + return $this->publishFilePath($file); + else + throw new TConfigurationException('datepicker_defaultbuttonimage_invalid',$image); } /** 
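Review bot: The new branch places the error path in an `else` after a `return`, nesting the success path, which diverges from the guard-clause form the TRatingList and TTextHighlighter hunks of this same commit use. Invert it: `if(($cssFile=Prado::getPathOfNamespace($style,'.css'))===null) throw new TConfigurationException('colorpicker_style_invalid',$style);` and leave the publish/register/return lines flat at their previous indentation. `$style` is built from `getColorPickerStyle()` and is echoed in the exception, so the new message id `colorpicker_style_invalid` must exist in the framework's message catalogue, which this diff does not touch.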
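Review bot: `$cs = $this->getPage()->getClientScript();` at the top of this method is never read — the whole method body is visible in the hunk and only `$image` and `$file` are used — so the rewrite keeps a dead local and an unnecessary page lookup. Delete that line. The rest would also read better as a guard: `if(($file = Prado::getPathOfNamespace($image, '.png'))===null) throw new TConfigurationException('datepicker_defaultbuttonimage_invalid',$image);` followed by `return $this->publishFilePath($file);`.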
@@ -341,11 +343,15 @@ class TDatePicker extends TTextBox { $cs = $this->getPage()->getClientScript(); $style = 'System.Web.Javascripts.datepicker.'.$this->getCalendarStyle(); - $cssFile=Prado::getPathOfNamespace($style,'.css'); - $url = $this->publishFilePath($cssFile); - if(!$cs->isStyleSheetFileRegistered($style)) - $cs->registerStyleSheetFile($style, $url); - return $url; + if(($cssFile=Prado::getPathOfNamespace($style,'.css'))!==null) + { + $url = $this->publishFilePath($cssFile); + if(!$cs->isStyleSheetFileRegistered($style)) + $cs->registerStyleSheetFile($style, $url); + return $url; + } + else + throw new TConfigurationException('datepicker_calendarstyle_invalid',$style); } /** diff --git a/framework/Web/UI/WebControls/THtmlArea.php b/framework/Web/UI/WebControls/THtmlArea.php index d858a90f..1801e739 100644 --- a/framework/Web/UI/WebControls/THtmlArea.php +++ b/framework/Web/UI/WebControls/THtmlArea.php @@ -284,6 +284,8 @@ class THtmlArea extends TTextBox { $tarfile = Prado::getPathOfNamespace('System.3rdParty.TinyMCE.tiny_mce', '.tar'); $md5sum = Prado::getPathOfNamespace('System.3rdParty.TinyMCE.tiny_mce', '.md5'); + if($tarfile===null || $md5sum===null) + throw new TConfigurationException('htmlarea_tarfile_invalid'); return $this->getApplication()->getAssetManager()->publishTarFile($tarfile, $md5sum); } diff --git a/framework/Web/UI/WebControls/TRatingList.php b/framework/Web/UI/WebControls/TRatingList.php index 3c5a9279..4302c3b3 100644 --- a/framework/Web/UI/WebControls/TRatingList.php +++ b/framework/Web/UI/WebControls/TRatingList.php @@ -158,7 +158,8 @@ class TRatingListDefaultStyle extends TRatingListStyle public function getStyleSheet() { $style = 'System.Web.Javascripts.ratings.default'; - $cssFile=Prado::getPathOfNamespace($style,'.css'); + if(($cssFile=Prado::getPathOfNamespace($style,'.css'))===null) + throw new TConfigurationException('ratinglist_stylesheet_invalid',$style); return $cssFile; } 
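Review bot: Same shape as the TColorPicker hunk in this commit — the error path sits in an `else` after a `return` and the success path is nested one level deeper. Prefer the guard clause `if(($cssFile=Prado::getPathOfNamespace($style,'.css'))===null) throw new TConfigurationException('datepicker_calendarstyle_invalid',$style);` with the publish/register/return lines left flat. The new message id is not added to any message catalogue by this diff; if the project resolves ids that way, the exception will otherwise surface as a bare key.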
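Review bot: The new guard throws `htmlarea_tarfile_invalid` with no parameter, so unlike every other hunk in this commit the error cannot say which namespace was probed, nor whether the `.tar` or the `.md5` lookup failed. Pass the namespace like the other controls do, `throw new TConfigurationException('htmlarea_tarfile_invalid', 'System.3rdParty.TinyMCE.tiny_mce');`, and consider hoisting that duplicated string into a local used by both getPathOfNamespace calls. The method's closing brace is outside the hunk.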
@@ -166,7 +167,9 @@ class TRatingListDefaultStyle extends TRatingListStyle { $assets = array(); $image = 'System.Web.Javascripts.ratings.10star_white'; - $assets[] = Prado::getPathOfNamespace($image, '.gif'); + if(($file=Prado::getPathOfNamespace($image, '.gif'))===null) + throw TConfigurationException('ratinglist_asset_invalid',$image); + $assets[] = $file; return $assets; } } diff --git a/framework/Web/UI/WebControls/TTextHighlighter.php b/framework/Web/UI/WebControls/TTextHighlighter.php index 281f131e..4eec7de1 100644 --- a/framework/Web/UI/WebControls/TTextHighlighter.php +++ b/framework/Web/UI/WebControls/TTextHighlighter.php @@ -122,7 +122,8 @@ class TTextHighlighter extends TWebControl $cssKey='prado:TTextHighlighter'; if(!$cs->isStyleSheetFileRegistered($cssKey)) { - $cssFile=Prado::getPathOfNamespace('System.3rdParty.geshi.highlight','.css'); + if(($cssFile=Prado::getPathOfNamespace('System.3rdParty.geshi.highlight','.css'))===null) + throw new TConfigurationException('texthighlighter_stylesheet_invalid'); $styleSheet = $this->publishFilePath($cssFile); $cs->registerStyleSheetFile($cssKey, $styleSheet); } diff --git a/framework/Web/UI/WebControls/TWizard.php b/framework/Web/UI/WebControls/TWizard.php index 9bc6a1e0..20d80eca 100644 --- a/framework/Web/UI/WebControls/TWizard.php +++ b/framework/Web/UI/WebControls/TWizard.php @@ -32,13 +32,13 @@ * * * - * Full name: + * Full name: * * * - * Telephone Number: + * Telephone Number: * - * Email: + * Email: * * * @@ -101,7 +101,7 @@ * @version v1.0, last update on Sat Dec 11 15:25:11 EST 2004 * @package System.Web.UI.WebControls */ -class TWizard extends TPanel +class TWizard extends TPanel implements INamingContainer { /** * The command name for the OnNextCommand. 
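Review bot: The new `throw TConfigurationException('ratinglist_asset_invalid',$image);` is missing `new`, so PHP parses it as a call to an undefined function named TConfigurationException and the error path dies with a fatal undefined-function error instead of raising the intended configuration exception. Change it to `throw new TConfigurationException('ratinglist_asset_invalid',$image);`, matching the previous hunk in this file. Because the line only executes when the gif cannot be resolved, a normal run will not expose this; a test that points the asset at a bad namespace would.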
@@ -137,19 +137,19 @@ class TWizard extends TPanel * A list of steps. * @var array */ - protected $steps=array(); + private $_steps=array(); /** * A list of navigation templates, including built-in defaults. * @var array */ - protected $navigation = array(); + private $_navigation = array(); /** * A list of links for the side bar. * @var array */ - protected $sidebarLinks = array(); + private $_sidebarLinks = array(); /** * Set the Finish button text. @@ -230,14 +230,14 @@ class TWizard extends TPanel */ public function setDisplaySideBar($value) { - $this->setViewState('DisplaySideBar',$value,true); + $this->setViewState('DisplaySideBar',TPropertyValue::ensureBoolean($value),true); } /** * Determine if the side bar's visibility. * @return boolean true if visible, false otherwise. */ - public function isSideBarVisible() + public function getDisplaySideBar() { return $this->getViewState('DisplaySideBar',true); } @@ -249,8 +249,10 @@ class TWizard extends TPanel public function getActiveStep() { $index = $this->getActiveStepIndex(); - if(isset($this->steps[$index])) - return $this->steps[$index]; + if(isset($this->_steps[$index])) + return $this->_steps[$index]; + else + return null; } /** 
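Review bot: Renaming the public `isSideBarVisible()` to `getDisplaySideBar()` without keeping the old name is a breaking change, and this commit itself still uses the old name — the `@@ -324` hunk of this file keeps `if(!$final && $this->isSideBarVisible())` in onPreRender, which becomes a call to an undefined method. Either update that call site or keep a thin alias, `public function isSideBarVisible() { return $this->getDisplaySideBar(); }`. The `TPropertyValue::ensureBoolean` coercion added to the setter is a good change, since the viewstate value is later used as a plain boolean.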
@@ -278,23 +280,20 @@ class TWizard extends TPanel * By adding components as child of TWizard, these component's parent * is the TWizard. * @param object a component object. - * @param object the template owner object */ public function addParsedObject($object,$context) { if($object instanceof TWizardStep) { $object->setVisible(false); - $this->steps[] = $object; - $this->addChild($object); - $this->addBody($object); + $this->_steps[] = $object; + $this->getControls()->add($object); } else if ($object instanceof TWizardTemplate) { $object->setVisible(false); - $this->navigation[$object->Type][] = $object; - $this->addChild($object); - $this->addBody($object); + $this->_navigation[$object->getType()][] = $object; + $this->getControls()->add($object); } else parent::addParsedObject($object,$context); 
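Review bot: The docblock loses its `@param object the template owner object` line while the method still takes `$context` and forwards it to `parent::addParsedObject($object,$context)`, so the second parameter is now undocumented. Restore it, e.g. `* @param object the template owner object, forwarded to parent::addParsedObject`. The switch from `addChild`/`addBody` to `$this->getControls()->add($object)` is the behavioural change of the hunk; a brief why-comment on it (steps and navigation templates become ordinary child controls, with visibility toggled later) would save the next reader a trip to onPreRender — that reading is inferred from the onPreRender hunk, not stated here.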
@@ -324,32 +323,32 @@ class TWizard extends TPanel parent::onPreRender($param); $index = $this->getActiveStepIndex(); - $totalSteps = count($this->steps); + $totalSteps = count($this->_steps); //show the current step for($i = 0; $i < $totalSteps; $i++) - $this->steps[$i]->setVisible($i == $index); + $this->_steps[$i]->setVisible($i == $index); //determine which link is active - for($i = 0; $i < count($this->sidebarLinks); $i++) - $this->sidebarLinks[$i]->CssClass= ($i == $index)?'active':''; + for($i = 0; $i < count($this->_sidebarLinks); $i++) + $this->_sidebarLinks[$i]->CssClass= ($i == $index)?'active':''; //hide all the navigations first. - foreach($this->navigation as $navigation) + foreach($this->_navigation as $navigation) { foreach($navigation as $nav) $nav->setVisible(false); } - $final = $this->steps[$index]->Type == TWizardStep::TYPE_FINAL; + $final = $this->_steps[$index]->Type == TWizardStep::TYPE_FINAL; //if it is not the final step if(!$final && $this->isSideBarVisible()) $this->showNavigation(TWizardTemplate::ID_SIDEBAR); $finishStep = $index == $totalSteps-1; - $finishStep = $finishStep || (isset($this->steps[$index+1]) && - $this->steps[$index+1]->Type == TWizardStep::TYPE_FINAL); + $finishStep = $finishStep || (isset($this->_steps[$index+1]) && + $this->_steps[$index+1]->Type == TWizardStep::TYPE_FINAL); //now show the appropriate navigation elements. if($index == 0) @@ -367,8 +366,8 @@ class TWizard extends TPanel */ private function showNavigation($index) { - if(!isset($this->navigation[$index])) return; - foreach($this->navigation[$index] as $nav) + if(!isset($this->_navigation[$index])) return; + foreach($this->_navigation[$index] as $nav) { $nav->setVisible(true); $nav->dataBind(); 
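Review bot: `if(!$final && $this->isSideBarVisible())` survives as a context line in this hunk, but the `@@ -230` hunk of this file renamed that method to `getDisplaySideBar()`, so onPreRender now fails with an undefined-method call on every non-final step. Change it to `if(!$final && $this->getDisplaySideBar())`. Separately, `$final = $this->_steps[$index]->Type == TWizardStep::TYPE_FINAL;` indexes `_steps` without the `isset` guard that `getActiveStep()` gained in this commit, so an index with no step — no steps declared, or an out-of-range value restored from viewstate or sent back by a sidebar link's command parameter — yields a notice and a property read on null; go through `$this->getActiveStep()` and return early when it is null. onPreRender continues past the end of the hunk.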
@@ -415,15 +414,15 @@ class TWizard extends TPanel $cancelButton->CssClass='Cancel'; $cancelButton->setCausesValidation(false); - if(!isset($this->navigation[TWizardTemplate::ID_START])) + if(!isset($this->_navigation[TWizardTemplate::ID_START])) { $start->addBody($nextButton); $start->addBody($cancelButton); $this->addBody($start); - $this->navigation[TWizardTemplate::ID_START][] = $start; + $this->_navigation[TWizardTemplate::ID_START][] = $start; } - if(!isset($this->navigation[TWizardTemplate::ID_STEP])) + if(!isset($this->_navigation[TWizardTemplate::ID_STEP])) { $step->addBody($hiddenButton); @@ -431,16 +430,16 @@ class TWizard extends TPanel $step->addBody($nextButton); $step->addBody($cancelButton); $this->addBody($step); - $this->navigation[TWizardTemplate::ID_STEP][] = $step; + $this->_navigation[TWizardTemplate::ID_STEP][] = $step; } - if(!isset($this->navigation[TWizardTemplate::ID_FINISH])) + if(!isset($this->_navigation[TWizardTemplate::ID_FINISH])) { $finish->addBody($previousButton); $finish->addBody($finishButton); $finish->addBody($cancelButton); $this->addBody($finish); - $this->navigation[TWizardTemplate::ID_FINISH][] = $finish; + $this->_navigation[TWizardTemplate::ID_FINISH][] = $finish; } } @@ -452,10 +451,10 @@ class TWizard extends TPanel */ private function addNavigationSideBar() { - if(isset($this->navigation[TWizardTemplate::ID_SIDEBAR])) + if(isset($this->_navigation[TWizardTemplate::ID_SIDEBAR])) return; - $total = count($this->steps); + $total = count($this->_steps); $current = $this->getActiveStepIndex(); $sidebar = $this->createComponent('TPanel',TWizardTemplate::ID_SIDEBAR); @@ -464,21 +463,21 @@ class TWizard extends TPanel if($total > 0) $sidebar->addBody("
    \n"); for($i = 0; $i < $total; $i++) { - if($this->steps[$i]->Type == TWizardStep::TYPE_FINAL) + if($this->_steps[$i]->Type == TWizardStep::TYPE_FINAL) continue; $sidebar->addBody("
  • "); $link = $this->createComponent('TLinkButton'); $link->setCommandName(self::CMD_JUMP); $link->setCommandParameter($i); - $link->Text = $this->steps[$i]->Title; - $this->sidebarLinks[] = $link; + $link->Text = $this->_steps[$i]->Title; + $this->_sidebarLinks[] = $link; $sidebar->addBody($link); $sidebar->addBody("
  • \n"); } if($total > 0) $sidebar->addBody("
\n"); $this->addBody($sidebar); - $this->navigation[TWizardTemplate::ID_SIDEBAR][] = $sidebar; + $this->_navigation[TWizardTemplate::ID_SIDEBAR][] = $sidebar; } /** @@ -520,7 +519,7 @@ class TWizard extends TPanel } break; case self::CMD_FINISH: - if(isset($this->steps[$event->nextStepIndex+1])) + if(isset($this->_steps[$event->nextStepIndex+1])) $event->nextStepIndex++; $this->raiseEvent('OnFinishCommand',$this,$event); if(!$event->cancel) -- cgit v1.2.3