From d840107832b1f59a9fc3b93ffb97ef976be1b83c Mon Sep 17 00:00:00 2001
From: "ctrlaltca@gmail.com" <>
Date: Thu, 17 Nov 2011 16:52:56 +0000
Subject: 3-in-1 bugfix commit: 1) TErrorHandler: avoid an error when trying to
 hide the file path of a lambda function 2) TSecurityManager: avoid a race
 condition when first generating the encryptionkey or the validationkey 3)
 TActiveFileUpload: urlencode the base64'ed token since it can contain the "+"
 character (otherway it would be traslated to a space)

---
 framework/Exceptions/TErrorHandler.php                | 10 +++++-----
 framework/Security/TSecurityManager.php               |  4 ++--
 framework/TApplication.php                            |  5 ++++-
 framework/Web/UI/ActiveControls/TActiveFileUpload.php |  4 ++--
 4 files changed, 13 insertions(+), 10 deletions(-)

(limited to 'framework')

diff --git a/framework/Exceptions/TErrorHandler.php b/framework/Exceptions/TErrorHandler.php
index 1fe5a928..363bdecf 100644
--- a/framework/Exceptions/TErrorHandler.php
+++ b/framework/Exceptions/TErrorHandler.php
@@ -4,7 +4,7 @@
  *
  * @author Qiang Xue <qiang.xue@gmail.com>
  * @link http://www.pradosoft.com/
- * @copyright Copyright &copy; 2005-2011 PradoSoft
+ * @copyright Copyright &copy; 2005-2011 PradoSoft
  * @license http://www.pradosoft.com/license/
  * @version $Id$
  * @package System.Exceptions
@@ -83,8 +83,8 @@ class TErrorHandler extends TModule
 	 * @return string the directory containing error template files.
 	 */
 	public function getErrorTemplatePath()
-	{
-		if($this->_templatePath===null)
+	{
+		if($this->_templatePath===null)
 			$this->_templatePath=Prado::getFrameworkPath().'/Exceptions/templates';
 		return $this->_templatePath;
 	}
@@ -154,8 +154,8 @@ class TErrorHandler extends TModule
 			$aTrace = $exception->getTrace();
 			foreach($aTrace as $item)
 			{
-				$file = $item['file'];
-				$aRpl[dirname($file) . DIRECTORY_SEPARATOR] = '<hidden>' . DIRECTORY_SEPARATOR;
+				if(isset($item['file']))
+					$aRpl[dirname($item['file']) . DIRECTORY_SEPARATOR] = '<hidden>' . DIRECTORY_SEPARATOR;
 			}
 		}
 		$aRpl[$_SERVER['DOCUMENT_ROOT']] = '${DocumentRoot}';
diff --git a/framework/Security/TSecurityManager.php b/framework/Security/TSecurityManager.php
index d77e9b88..7eba92fe 100644
--- a/framework/Security/TSecurityManager.php
+++ b/framework/Security/TSecurityManager.php
@@ -77,7 +77,7 @@ class TSecurityManager extends TModule
 		if(null === $this->_validationKey) {
 			if(null === ($this->_validationKey = $this->getApplication()->getGlobalState(self::STATE_VALIDATION_KEY))) {
 				$this->_validationKey = $this->generateRandomKey();
-				$this->getApplication()->setGlobalState(self::STATE_VALIDATION_KEY, $this->_validationKey, null);
+				$this->getApplication()->setGlobalState(self::STATE_VALIDATION_KEY, $this->_validationKey, null, true);
 			}
 		}
 		return $this->_validationKey;
@@ -104,7 +104,7 @@ class TSecurityManager extends TModule
 		if(null === $this->_encryptionKey) {
 			if(null === ($this->_encryptionKey = $this->getApplication()->getGlobalState(self::STATE_ENCRYPTION_KEY))) {
 				$this->_encryptionKey = $this->generateRandomKey();
-				$this->getApplication()->setGlobalState(self::STATE_ENCRYPTION_KEY, $this->_encryptionKey, null);
+				$this->getApplication()->setGlobalState(self::STATE_ENCRYPTION_KEY, $this->_encryptionKey, null, true);
 			}
 		}
 		return $this->_encryptionKey;
diff --git a/framework/TApplication.php b/framework/TApplication.php
index 1fc9485a..703dae17 100644
--- a/framework/TApplication.php
+++ b/framework/TApplication.php
@@ -468,14 +468,17 @@ class TApplication extends TComponent
 	 * @param string the name of the value to be set
 	 * @param mixed the global value to be set
 	 * @param mixed the default value. If $key is not found, $defaultValue will be returned
+	 * @param boolean wheter to force an immediate GlobalState save. defaults to false
 	 */
-	public function setGlobalState($key,$value,$defaultValue=null)
+	public function setGlobalState($key,$value,$defaultValue=null,$forceSave=false)
 	{
 		$this->_stateChanged=true;
 		if($value===$defaultValue)
 			unset($this->_globals[$key]);
 		else
 			$this->_globals[$key]=$value;
+		if($forceSave)
+			$this->saveGlobals();
 	}
 
 	/**
diff --git a/framework/Web/UI/ActiveControls/TActiveFileUpload.php b/framework/Web/UI/ActiveControls/TActiveFileUpload.php
index 98a7f422..1a49c20d 100755
--- a/framework/Web/UI/ActiveControls/TActiveFileUpload.php
+++ b/framework/Web/UI/ActiveControls/TActiveFileUpload.php
@@ -233,7 +233,7 @@ EOS;
 		if ($mgr = Prado::getApplication()->getSecurityManager())
 			{
 				// this is a less secure method, file info can be still forged from client side, but only if attacker knows the secret application key
-				$token = base64_encode($mgr->encrypt(serialize($params)));
+				$token = urlencode(base64_encode($mgr->encrypt(serialize($params))));
 			}
 		else
 			throw new Exception('TActiveFileUpload needs either an application level cache or a security manager to work securely');
@@ -253,7 +253,7 @@ EOS;
 		else
 		if ($mgr = Prado::getApplication()->getSecurityManager())
 			{
-				$v = $mgr->decrypt(base64_decode($token));
+				$v = $mgr->decrypt(base64_decode(urldecode($token)));
 				$params = unserialize($v);
 			}
 		else
-- 
cgit v1.2.3