From d840107832b1f59a9fc3b93ffb97ef976be1b83c Mon Sep 17 00:00:00 2001 From: "ctrlaltca@gmail.com" <> Date: Thu, 17 Nov 2011 16:52:56 +0000 Subject: 3-in-1 bugfix commit: 1) TErrorHandler: avoid an error when trying to hide the file path of a lambda function 2) TSecurityManager: avoid a race condition when first generating the encryptionkey or the validationkey 3) TActiveFileUpload: urlencode the base64'ed token since it can contain the "+" character (otherway it would be traslated to a space) --- framework/Exceptions/TErrorHandler.php | 10 +++++----- framework/Security/TSecurityManager.php | 4 ++-- framework/TApplication.php | 5 ++++- framework/Web/UI/ActiveControls/TActiveFileUpload.php | 4 ++-- 4 files changed, 13 insertions(+), 10 deletions(-) (limited to 'framework') diff --git a/framework/Exceptions/TErrorHandler.php b/framework/Exceptions/TErrorHandler.php index 1fe5a928..363bdecf 100644 --- a/framework/Exceptions/TErrorHandler.php +++ b/framework/Exceptions/TErrorHandler.php @@ -4,7 +4,7 @@ * * @author Qiang Xue * @link http://www.pradosoft.com/ - * @copyright Copyright © 2005-2011 PradoSoft + * @copyright Copyright © 2005-2011 PradoSoft * @license http://www.pradosoft.com/license/ * @version $Id$ * @package System.Exceptions @@ -83,8 +83,8 @@ class TErrorHandler extends TModule * @return string the directory containing error template files. */ public function getErrorTemplatePath() - { - if($this->_templatePath===null) + { + if($this->_templatePath===null) $this->_templatePath=Prado::getFrameworkPath().'/Exceptions/templates'; return $this->_templatePath; } @@ -154,8 +154,8 @@ class TErrorHandler extends TModule $aTrace = $exception->getTrace(); foreach($aTrace as $item) { - $file = $item['file']; - $aRpl[dirname($file) . DIRECTORY_SEPARATOR] = '' . DIRECTORY_SEPARATOR; + if(isset($item['file'])) + $aRpl[dirname($item['file']) . DIRECTORY_SEPARATOR] = '' . DIRECTORY_SEPARATOR; } } $aRpl[$_SERVER['DOCUMENT_ROOT']] = '${DocumentRoot}'; 
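Review bot: The new `isset($item['file'])` guard in the trace loop has no comment saying why a frame can lack a file, and because this loop is what strips server paths from the error output, a reader should be able to see that the skip is deliberate. I would add `// frames for internal calls or runtime-created (lambda) functions carry no 'file' key` above the `if`, and brace its one-line body to match the surrounding `foreach`. The line after the loop still indexes `$_SERVER['DOCUMENT_ROOT']` without a guard, which may deserve the same treatment if the handler can run outside a web SAPI. The enclosing method starts and ends outside this hunk; the other two hunks in this file only touch the header and whitespace.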
diff --git a/framework/Security/TSecurityManager.php b/framework/Security/TSecurityManager.php index d77e9b88..7eba92fe 100644 --- a/framework/Security/TSecurityManager.php +++ b/framework/Security/TSecurityManager.php @@ -77,7 +77,7 @@ class TSecurityManager extends TModule if(null === $this->_validationKey) { if(null === ($this->_validationKey = $this->getApplication()->getGlobalState(self::STATE_VALIDATION_KEY))) { $this->_validationKey = $this->generateRandomKey(); - $this->getApplication()->setGlobalState(self::STATE_VALIDATION_KEY, $this->_validationKey, null); + $this->getApplication()->setGlobalState(self::STATE_VALIDATION_KEY, $this->_validationKey, null, true); } } return $this->_validationKey; @@ -104,7 +104,7 @@ class TSecurityManager extends TModule if(null === $this->_encryptionKey) { if(null === ($this->_encryptionKey = $this->getApplication()->getGlobalState(self::STATE_ENCRYPTION_KEY))) { $this->_encryptionKey = $this->generateRandomKey(); - $this->getApplication()->setGlobalState(self::STATE_ENCRYPTION_KEY, $this->_encryptionKey, null); + $this->getApplication()->setGlobalState(self::STATE_ENCRYPTION_KEY, $this->_encryptionKey, null, true); } } return $this->_encryptionKey; diff --git a/framework/TApplication.php b/framework/TApplication.php index 1fc9485a..703dae17 100644 --- a/framework/TApplication.php +++ b/framework/TApplication.php 
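Review bot: Passing `true` as the new fourth argument shortens the window, but the validation-key getter is still check-then-act. Two first requests can both read `null` from `getGlobalState()`, each call `generateRandomKey()`, and each force-save a different key, so the later save wins while the earlier request keeps using a key nothing else will accept. The encryption-key hunk below has the same shape. Unless the state persister (not visible here) runs load, generate and save under one lock, I would add a comment on both branches such as `// best-effort only: concurrent first requests may still generate different keys; set the key explicitly in configuration for multi-worker deployments`. Both getters start outside their hunks.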
@@ -468,14 +468,17 @@ class TApplication extends TComponent * @param string the name of the value to be set * @param mixed the global value to be set * @param mixed the default value. If $key is not found, $defaultValue will be returned + * @param boolean wheter to force an immediate GlobalState save. defaults to false */ - public function setGlobalState($key,$value,$defaultValue=null) + public function setGlobalState($key,$value,$defaultValue=null,$forceSave=false) { $this->_stateChanged=true; if($value===$defaultValue) unset($this->_globals[$key]); else $this->_globals[$key]=$value; + if($forceSave) + $this->saveGlobals(); } /** diff --git a/framework/Web/UI/ActiveControls/TActiveFileUpload.php b/framework/Web/UI/ActiveControls/TActiveFileUpload.php index 98a7f422..1a49c20d 100755 --- a/framework/Web/UI/ActiveControls/TActiveFileUpload.php +++ b/framework/Web/UI/ActiveControls/TActiveFileUpload.php @@ -233,7 +233,7 @@ EOS; if ($mgr = Prado::getApplication()->getSecurityManager()) { // this is a less secure method, file info can be still forged from client side, but only if attacker knows the secret application key - $token = base64_encode($mgr->encrypt(serialize($params))); + $token = urlencode(base64_encode($mgr->encrypt(serialize($params)))); } else throw new Exception('TActiveFileUpload needs either an application level cache or a security manager to work securely'); @@ -253,7 +253,7 @@ EOS; else if ($mgr = Prado::getApplication()->getSecurityManager()) { - $v = $mgr->decrypt(base64_decode($token)); + $v = $mgr->decrypt(base64_decode(urldecode($token))); $params = unserialize($v); } else -- cgit v1.2.3
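Review bot: The added `@param` line is misspelled and does not tell a caller what the flag does beyond "force"; I would write it as `@param boolean whether to persist the global state immediately instead of deferring the save; defaults to false`. The third `@param` just above it describes a returned default, which reads as copied from the getter, whereas here a value equal to `$defaultValue` is removed from `_globals`. `saveGlobals()` is not visible in this hunk, so it cannot be confirmed from here whether it clears `_stateChanged` or whether the state is written a second time later. That behaviour would be worth stating in the docblock.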
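Review bot: `urlencode()` on the token only round-trips if the value reaches the reading side still percent-encoded. The matching `urldecode()` in the next hunk turns any literal `+` into a space, so if the transport (not visible in these hunks) already decodes the value once, the original corruption comes back. A URL-safe base64 alphabet removes the dependence on how many times the value gets decoded: `$token = strtr(base64_encode($mgr->encrypt(serialize($params))), '+/', '-_');` here and `base64_decode(strtr($token, '-_', '+/'))` on the reading side. The enclosing method starts before this hunk.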
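Review bot: `unserialize($v)` still runs on whatever `decrypt()` returns for a client-supplied token, and its result is not checked. The comment in the previous hunk rests the token's integrity on the application key alone. If `decrypt()` does not authenticate the ciphertext (not visible here), a modified token reaches `unserialize()` as client-influenced bytes, which is the object-injection pattern. I would verify a MAC before decrypting, for example with the security manager's `hashData()`/`validateData()` pair, and reject the request when `$params === false`. A data-only encoding for `$params` instead of `serialize()` is also worth considering.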