From 24c8b4368adebecec8a1d310a0f20c3b170e829e Mon Sep 17 00:00:00 2001 From: Samuel Georges Date: Sun, 9 Apr 2017 08:00:38 +1000 Subject: [PATCH] Various security and UI fixes The Media Manager now uses a white list approach to blocking files, we have been advised that the blacklist approach is too fragile and we agree. Asset List and Media Manager now use $.oc.alert when displaying errors --- .../fileupload/partials/_config_form.htm | 4 ++-- .../recordfinder/assets/js/recordfinder.js | 1 - modules/cms/widgets/MediaManager.php | 4 ++-- .../cms/widgets/assetlist/assets/js/assetlist.js | 14 ++++++++++---- .../assets/js/mediamanager-browser-min.js | 3 ++- .../widgets/mediamanager/assets/js/mediamanager.js | 7 ++++++- .../system/controllers/updates/_project_form.htm | 2 +- 7 files changed, 23 insertions(+), 12 deletions(-) diff --git a/modules/backend/formwidgets/fileupload/partials/_config_form.htm b/modules/backend/formwidgets/fileupload/partials/_config_form.htm index 733fcf07f..621c51650 100644 --- a/modules/backend/formwidgets/fileupload/partials/_config_form.htm +++ b/modules/backend/formwidgets/fileupload/partials/_config_form.htm @@ -28,7 +28,7 @@ type="text" name="title" class="form-control" - value="title ?>" + value="title) ?>" placeholder="" /> @@ -36,7 +36,7 @@ + class="form-control">description) ?> diff --git a/modules/backend/formwidgets/recordfinder/assets/js/recordfinder.js b/modules/backend/formwidgets/recordfinder/assets/js/recordfinder.js index df6ff7efe..6081110c2 100644 --- a/modules/backend/formwidgets/recordfinder/assets/js/recordfinder.js +++ b/modules/backend/formwidgets/recordfinder/assets/js/recordfinder.js @@ -63,7 +63,6 @@ RecordFinder.prototype.updateRecord = function(linkEl, recordId) { if (!this.options.dataLocker) return - // Selector name must be used because by the time success runs // - this.options will be disposed // - $locker element will be replaced 
diff --git a/modules/cms/widgets/MediaManager.php b/modules/cms/widgets/MediaManager.php
index f7bdb1959..3a944b320 100644
--- a/modules/cms/widgets/MediaManager.php
+++ b/modules/cms/widgets/MediaManager.php
@@ -1155,9 +1155,9 @@ class MediaManager extends WidgetBase
 {
 $extension = strtolower(File::extension($name));
 
- $blockedFileTypes = FileDefinitions::get('blockedExtensions');
+ $allowedFileTypes = FileDefinitions::get('defaultExtensions');
 
- if (in_array($extension, $blockedFileTypes)) {
+ if (!in_array($extension, $allowedFileTypes)) {
 return false;
 }
 
diff --git a/modules/cms/widgets/assetlist/assets/js/assetlist.js b/modules/cms/widgets/assetlist/assets/js/assetlist.js
index a8aad3e37..cbe03c3d8 100644
--- a/modules/cms/widgets/assetlist/assets/js/assetlist.js
+++ b/modules/cms/widgets/assetlist/assets/js/assetlist.js
@@ -82,14 +82,20 @@
 this.updateUi()
 }
 
- AssetList.prototype.onUploadFail = function(file, error) {
- alert('Error uploading file: ' + error)
+ AssetList.prototype.onUploadFail = function(file, message) {
+ if (!message) {
+ message = 'Error uploading file'
+ }
+
+ $.oc.alert(message)
+
 this.refresh()
 }
 
 AssetList.prototype.onUploadSuccess = function(file, data) {
- if (data !== 'success')
- alert(data)
+ if (data !== 'success') {
+ $.oc.alert(data)
+ }
 }
 
 AssetList.prototype.onUploadComplete = function(file, data) {
diff --git a/modules/cms/widgets/mediamanager/assets/js/mediamanager-browser-min.js b/modules/cms/widgets/mediamanager/assets/js/mediamanager-browser-min.js
index 6c22d552b..6dd38823d 100644
--- a/modules/cms/widgets/mediamanager/assets/js/mediamanager-browser-min.js
+++ b/modules/cms/widgets/mediamanager/assets/js/mediamanager-browser-min.js
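Review bot: The allowlist lookup on the new `if (!in_array($extension, $allowedFileTypes))` line is case-sensitive while `$extension` has already been lowercased, so any entry in the `defaultExtensions` definition written with capitals can never match and that file type is silently rejected; normalising the list the same way, `$allowedFileTypes = array_map('strtolower', FileDefinitions::get('defaultExtensions'));`, keeps the configuration and the check consistent (fail-closed either way, but surprising to operators). The enclosing method starts before this hunk, and its docblock should now state that `defaultExtensions` is the sole gate on what the Media Manager accepts, so that anyone adding script-bearing types to that definition understands they are widening the boundary this commit narrows. A comment on the check itself, `// Allowlist: anything not explicitly in defaultExtensions is refused`, would make the intent survive future edits.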
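Review bot: `$.oc.alert(message)` in the new onUploadFail now displays whatever string the upload handler returned, and the rewritten onUploadSuccess does the same with `data`; whether `$.oc.alert` inserts its argument as text or as markup is not visible here, so if it renders HTML the server-side error text has to be escaped before it reaches these calls — worth confirming against the alert implementation before relying on it. The same pattern is introduced in the mediamanager.js hunk further down. A one-line comment above the call, `// message/data originate from the server response; $.oc.alert is expected to render them as plain text`, would record the assumption for the next reader. The scope in which these prototype methods are defined starts outside this hunk.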
@@ -313,7 +313,8 @@ this.hideUploadUi()} MediaManager.prototype.updateUploadBar=function(templateName,classNames){var fileNumberLabel=this.$el.get(0).querySelector('[data-label="file-number-and-progress"]'),successTemplate=fileNumberLabel.getAttribute('data-'+templateName+'-template'),progressBar=this.$el.get(0).querySelector('[data-control="upload-progress-bar"]') fileNumberLabel.innerHTML=successTemplate;progressBar.setAttribute('class',classNames)} MediaManager.prototype.uploadSuccess=function(){this.updateUploadBar('success','progress-bar progress-bar-success');} -MediaManager.prototype.uploadError=function(file,message){this.updateUploadBar('error','progress-bar progress-bar-danger');$.oc.alert('Error uploading file')} +MediaManager.prototype.uploadError=function(file,message){this.updateUploadBar('error','progress-bar progress-bar-danger');if(!message){message='Error uploading file'} +$.oc.alert(message)} MediaManager.prototype.cropSelectedImage=function(callback){var selectedItems=this.getSelectedItems(true) if(selectedItems.length!=1){alert(this.options.selectSingleImage) return} diff --git a/modules/cms/widgets/mediamanager/assets/js/mediamanager.js b/modules/cms/widgets/mediamanager/assets/js/mediamanager.js index 94256c435..00de9d83c 100644 --- a/modules/cms/widgets/mediamanager/assets/js/mediamanager.js +++ b/modules/cms/widgets/mediamanager/assets/js/mediamanager.js @@ -821,7 +821,12 @@ MediaManager.prototype.uploadError = function(file, message) { this.updateUploadBar('error', 'progress-bar progress-bar-danger'); - $.oc.alert('Error uploading file') + + if (!message) { + message = 'Error uploading file' + } + + $.oc.alert(message) } // diff --git a/modules/system/controllers/updates/_project_form.htm b/modules/system/controllers/updates/_project_form.htm index 565556254..f56135a74 100644 --- a/modules/system/controllers/updates/_project_form.htm +++ b/modules/system/controllers/updates/_project_form.htm 
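Review bot: Reassigning the `message` parameter inside the new `if (!message) { message = 'Error uploading file' }` block is a style point rather than a defect: a single `var text = message || 'Error uploading file'` followed by `$.oc.alert(text)` expresses the defaulting without mutating the argument, and matches the `var`-based style the bundled copy of this file shows. The companion `mediamanager-browser-min.js` hunk applies the identical change by hand to a minified artifact; regenerating that file from the build rather than patching it keeps the two from drifting apart on the next edit. A short docblock on uploadError, noting that `message` is optional and that the default string is shown when the server supplies none, would complete the change.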
@@ -19,7 +19,7 @@ type="text" class="form-control" id="projectId" - value="" + value="" autocomplete="off" />