Various security and UI fixes

The Media Manager now uses a white list approach to blocking files, we have been advised that the blacklist approach is too fragile and we agree. Asset List and Media Manager now use $.oc.alert when displaying errors
2017-04-09 08:00:38 +10:00 · 2017-04-09 08:00:38 +10:00 · 24c8b4368a
parent 9e74fe6a53
commit 24c8b4368a
7 changed files with 23 additions and 12 deletions
--- a/modules/backend/formwidgets/fileupload/partials/_config_form.htm
+++ b/modules/backend/formwidgets/fileupload/partials/_config_form.htm
@ -28,7 +28,7 @@
                    type="text"
                    name="title"
                    class="form-control"
-                    value="<?= $file->title ?>"
+                    value="<?= e($file->title) ?>"
                    placeholder="<?= e(trans('backend::lang.fileupload.title_label')) ?>"
                    />
            </div>
@ -36,7 +36,7 @@
                <textarea
                    name="description"
                    placeholder="<?= e(trans('backend::lang.fileupload.description_label')) ?>"
-                    class="form-control"><?= $file->description ?></textarea>
+                    class="form-control"><?= e($file->description) ?></textarea>
            </div>

        </div>
--- a/modules/backend/formwidgets/recordfinder/assets/js/recordfinder.js
+++ b/modules/backend/formwidgets/recordfinder/assets/js/recordfinder.js
@ -63,7 +63,6 @@
    RecordFinder.prototype.updateRecord = function(linkEl, recordId) {
        if (!this.options.dataLocker) return

-
        // Selector name must be used because by the time success runs
        // - this.options will be disposed
        // - $locker element will be replaced
--- a/modules/cms/widgets/MediaManager.php
+++ b/modules/cms/widgets/MediaManager.php
@ -1155,9 +1155,9 @@ class MediaManager extends WidgetBase
    {
        $extension = strtolower(File::extension($name));

-        $blockedFileTypes = FileDefinitions::get('blockedExtensions');
+        $allowedFileTypes = FileDefinitions::get('defaultExtensions');

-        if (in_array($extension, $blockedFileTypes)) {
+        if (!in_array($extension, $allowedFileTypes)) {
            return false;
        }

--- a/modules/cms/widgets/assetlist/assets/js/assetlist.js
+++ b/modules/cms/widgets/assetlist/assets/js/assetlist.js
@ -82,14 +82,20 @@
        this.updateUi()
    }

-    AssetList.prototype.onUploadFail = function(file, error) {
-        alert('Error uploading file: ' + error)
+    AssetList.prototype.onUploadFail = function(file, message) {
+        if (!message) {
+            message = 'Error uploading file'
+        }
+
+        $.oc.alert(message)
+
        this.refresh()
    }

    AssetList.prototype.onUploadSuccess = function(file, data) {
-        if (data !== 'success')
-            alert(data)
+        if (data !== 'success') {
+            $.oc.alert(data)
+        }
    }

    AssetList.prototype.onUploadComplete = function(file, data) {
--- a/modules/cms/widgets/mediamanager/assets/js/mediamanager-browser-min.js
+++ b/modules/cms/widgets/mediamanager/assets/js/mediamanager-browser-min.js
@ -313,7 +313,8 @@ this.hideUploadUi()}
 MediaManager.prototype.updateUploadBar=function(templateName,classNames){var fileNumberLabel=this.$el.get(0).querySelector('[data-label="file-number-and-progress"]'),successTemplate=fileNumberLabel.getAttribute('data-'+templateName+'-template'),progressBar=this.$el.get(0).querySelector('[data-control="upload-progress-bar"]')
 fileNumberLabel.innerHTML=successTemplate;progressBar.setAttribute('class',classNames)}
 MediaManager.prototype.uploadSuccess=function(){this.updateUploadBar('success','progress-bar progress-bar-success');}
-MediaManager.prototype.uploadError=function(file,message){this.updateUploadBar('error','progress-bar progress-bar-danger');$.oc.alert('Error uploading file')}
+MediaManager.prototype.uploadError=function(file,message){this.updateUploadBar('error','progress-bar progress-bar-danger');if(!message){message='Error uploading file'}
+$.oc.alert(message)}
 MediaManager.prototype.cropSelectedImage=function(callback){var selectedItems=this.getSelectedItems(true)
 if(selectedItems.length!=1){alert(this.options.selectSingleImage)
 return}
--- a/modules/cms/widgets/mediamanager/assets/js/mediamanager.js
+++ b/modules/cms/widgets/mediamanager/assets/js/mediamanager.js
@ -821,7 +821,12 @@

    MediaManager.prototype.uploadError = function(file, message) {
        this.updateUploadBar('error', 'progress-bar progress-bar-danger');
-        $.oc.alert('Error uploading file')
+
+        if (!message) {
+            message = 'Error uploading file'
+        }
+
+        $.oc.alert(message)
    }

    //
--- a/modules/system/controllers/updates/_project_form.htm
+++ b/modules/system/controllers/updates/_project_form.htm
@ -19,7 +19,7 @@
                type="text"
                class="form-control"
                id="projectId"
-                value="<?= post('project_id') ?>"
+                value="<?= e(post('project_id')) ?>"
                autocomplete="off" />
        </div>