Merge branch 'master' of https://github.com/flatpressblog/flatpress i…

…nto issue94_smartyupdate # resolved conflicts: # fp-includes/smarty/plugins/function.html_select_date.php
flatpressblog · Oct 8, 2022 · c30d52b · c30d52b
2 parents 8bdb374 + d88262a
commit c30d52b
Show file tree

Hide file tree

Showing 34 changed files with 848 additions and 310 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,29 +7,42 @@
 - [README](https://github.com/flatpressblog/flatpress/blob/master/README.md): added "help and support" section
 
 ## Plugins
-- Gallery captions plugin added (see [#108](https://github.com/flatpressblog/flatpress/issues/108))
-- PhotoSwipe plugin added (see [#109](https://github.com/flatpressblog/flatpress/issues/109))
+- Gallery captions plugin added ([#108](https://github.com/flatpressblog/flatpress/issues/108))
+- PhotoSwipe plugin added ([#109](https://github.com/flatpressblog/flatpress/issues/109))
 - jQuery plugin: Updated jQuery (3.5.1 => 3.6) and jQueryUI (1.12.1 => 1.13.1)
 - Media Manager plugin shows 50 items per page, not 10
+- LastComments plugin will not even attempt to delete or rebuild LastComments caches if LastComments plugin is not available ([#43](https://github.com/flatpressblog/flatpress/issues/43))
+- Comment Center config page threw errors ([#90](https://github.com/flatpressblog/flatpress/issues/90))
 
 ## Themes
-- Leggero theme: Fixed searchbox glitch in FlatMaas revisited style (see [#97](https://github.com/flatpressblog/flatpress/issues/97))
-- Leggero theme: Fixed missing bullets in preview (see [#98](https://github.com/flatpressblog/flatpress/issues/98))
-- Leggero theme: CSS of the Leggero style had some glitches on mobile devices
-- Leggero theme: Invalid HTML output fixed (see [#106](https://github.com/flatpressblog/flatpress/issues/106))
-- Leggero theme: Removed unneccessary external font resource (see [#112](https://github.com/flatpressblog/flatpress/issues/112))
-
-## Bugfixes
-- Comment Center config page threw errors (see [#90](https://github.com/flatpressblog/flatpress/issues/90))
+- Leggero
+  - Fixed searchbox glitch in FlatMaas revisited style ([#97](https://github.com/flatpressblog/flatpress/issues/97))
+  - Fixed missing bullets in preview ([#98](https://github.com/flatpressblog/flatpress/issues/98))
+  - CSS of the Leggero style had some glitches on mobile devices
+  - Invalid HTML output fixed ([#106](https://github.com/flatpressblog/flatpress/issues/106), [#156](https://github.com/flatpressblog/flatpress/issues/156))
+  - Removed unneccessary external font resource ([#112](https://github.com/flatpressblog/flatpress/issues/112))
+  - "Add comment" link has its own line ([#135](https://github.com/flatpressblog/flatpress/issues/135))
+  - Removed legacy/invalid CSS ([#133](https://github.com/flatpressblog/flatpress/issues/133), [#134](https://github.com/flatpressblog/flatpress/issues/134))
+  - Fixed description of Leggero and Leggero v2 styles ([#137](https://github.com/flatpressblog/flatpress/issues/137))
+  - Obsolete bullet points removed ([#136](https://github.com/flatpressblog/flatpress/issues/136))
+  - Updated preview image ([#139](https://github.com/flatpressblog/flatpress/issues/139))
+
+## Internationalization
 - Fixed glitches in Spanish an Portuguese language files
+- Fixed wrong pt-br country code ([#100](https://github.com/flatpressblog/flatpress/issues/100))
+- Search page: Month names displayed in configured frontend language ([#132](https://github.com/flatpressblog/flatpress/issues/132))
+- German translation for Comment Center plugin added ([#148](https://github.com/flatpressblog/flatpress/issues/148))
+
+## Other bugfixes
 - Plugin management page: Removed empty warning messages box
-- Fixed wrong pt-br country code (see [#100](https://github.com/flatpressblog/flatpress/issues/100))
-- Fixed error at prev link on first / next link on last entry (see [#95](https://github.com/flatpressblog/flatpress/issues/95))
-- LastComments plugin will not even attempt to delete or rebuild LastComments caches if LastComments plugin is not available (see [#43](https://github.com/flatpressblog/flatpress/issues/43))
+- Fixed error at prev link on first / next link on last entry ([#95](https://github.com/flatpressblog/flatpress/issues/95))
+- Logout redirects to home page again ([#119](https://github.com/flatpressblog/flatpress/issues/119))
+- Fixed disappearing non-Latin characters in page title ([#49](https://github.com/flatpressblog/flatpress/issues/49) and [#91](https://github.com/flatpressblog/flatpress/issues/91))
 
 ## Security
-- Fixed security issue reported by huntr.dev: Session cookie missed the "secure" flag
+- Possible XSS prevented: Session cookie missed the "secure" and "httponly" flags
 - Possible path traversal in Media Manager plugin prevented
+- Uploaded files wheren't checked properly ([#152](https://github.com/flatpressblog/flatpress/issues/152))
 
 # 2021-06-19: [FlatPress 1.2.1](https://github.com/flatpressblog/flatpress/releases/tag/1.2.1)
 ## Bugfixes

diff --git a/CONTRIBUTORS.md b/CONTRIBUTORS.md
@@ -37,3 +37,4 @@ FlatPress utilizes the following free frameworks and libraries. Thanks to their
 
 ## Other contributions
 - [Julian Rademacher](https://moortaube.de/) generously donated his Twitter account [@FlatPress](https://twitter.com/FlatPress). Also thanks for your useful pull requests!
+- [Fraenkiman](https://github.com/Fraenkiman) tests FlatPress to its very core and creates a metric ton of very helpful [issues](https://github.com/flatpressblog/flatpress/issues).
diff --git a/README.md b/README.md
@@ -1,16 +1,16 @@
 [![Home page](https://img.shields.io/badge/Home%20page-🏠-555?style=plastic)](https://www.flatpress.org "Home page")
 [![Support forum](https://img.shields.io/badge/Support%20forum-💬-555?style=plastic)](https://forum.flatpress.org "Support forum")
 [![Wiki](https://img.shields.io/badge/Wiki-📖-555?style=plastic)](https://wiki.flatpress.org "Wiki")
-[![Mastodon](https://img.shields.io/badge/Mastodon-🐘-555?style=plastic)](https://fosstodon.org/@flatpress "FlatPress@Mastodon")
-[![Twitter](https://img.shields.io/badge/Twitter-🐦-555?style=plastic)](https://twitter.com/FlatPress "FlatPress@Twitter")
 [![Change log](https://img.shields.io/badge/Change%20log-📜-555?style=plastic)](./CHANGELOG.md "Change log")
 [![Security policy](https://img.shields.io/badge/Security%20policy-⚡-555?style=plastic)](./SECURITY.md "Security policy")
 [![Contributors](https://img.shields.io/badge/Contributors-😎-555?style=plastic)](./CONTRIBUTORS.md "Contributors")
+[![Wiki](https://img.shields.io/badge/Donate-💛-555?style=plastic&logo=paypal)](https://www.flatpress.org/donate "Send us a little Thank You")
 
 [![Releases](https://img.shields.io/github/release/flatpressblog/flatpress.svg?label=Latest%20release&style=plastic)](https://github.com/flatpressblog/flatpress/releases "See all releases")
 [![License](https://img.shields.io/github/license/flatpressblog/flatpress.svg?style=plastic)](./LICENSE.md "License")
 [![Open issues](https://img.shields.io/github/issues-raw/flatpressblog/flatpress?style=plastic)](https://github.com/flatpressblog/flatpress/issues "See open issues")
 [![Last commit](https://img.shields.io/github/last-commit/flatpressblog/flatpress?style=plastic)](https://github.com/flatpressblog/flatpress/commits/ "Last commit")
+<a href="https://fosstodon.org/users/flatpress/remote_follow" title="Follow on Mastodon"><img alt="Mastodon Follow" src="https://img.shields.io/mastodon/follow/326815?domain=https%3A%2F%2Ffosstodon.org&style=social" alt="Follow on Mastodon"></a> <a href="https://twitter.com/intent/follow?screen_name=flatpress" title="Follow on Twitter"><img src="https://img.shields.io/twitter/follow/flatpress.svg?style=social&logo=twitter" alt="Follow on Twitter"></a>
 
 # Welcome to FlatPress!
 FlatPress is a lightweight, easy-to-set-up blogging engine. Plain and simple, just PHP. No database needed!
@@ -41,7 +41,3 @@ FlatPress runs on any web server (e.g. Apache or IIS) with PHP 7.1 or higher. Si
 
 ## Credits
 There are many people who contributed to FlatPress over the years. [See them here.](./CONTRIBUTORS.md)
-
-
-<a href="https://fosstodon.org/users/flatpress/remote_follow" title="Follow on Mastodon"><img alt="Mastodon Follow" src="https://img.shields.io/mastodon/follow/326815?domain=https%3A%2F%2Ffosstodon.org&style=social" alt="Follow on Mastodon"></a><br>
-<a href="https://twitter.com/intent/follow?screen_name=flatpress" title="Follow on Twitter"><img src="https://img.shields.io/twitter/follow/flatpress.svg?style=social&logo=twitter" alt="Follow on Twitter"></a>
diff --git a/admin/panels/uploader/admin.uploader.php b/admin/panels/uploader/admin.uploader.php
@@ -102,133 +102,136 @@ function onupload() {
 
 		foreach ($_FILES ["upload"] ["error"] as $key => $error) {
 
-			if ($error == UPLOAD_ERR_OK) {
-				$tmp_name = $_FILES ["upload"] ["tmp_name"] [$key];
-				$name = $_FILES ["upload"] ["name"] [$key];
+			// Upload went wrong -> jump to the next file
+			if ($error != UPLOAD_ERR_OK) {
+				continue;
+			}
+
+			$tmp_name = $_FILES ["upload"] ["tmp_name"] [$key];
+			$name = $_FILES ["upload"] ["name"] [$key];
+
+			$dir = ATTACHS_DIR;
+
+			/*
+			 * second check extension list
+			 * https://stackoverflow.com/questions/4166762/php-image-upload-security-check-list
+			 *
+			 * 2019-11-24 - laborix
+			 */
+
+			$uploadfilename = strtolower($name);
 
-				$dir = ATTACHS_DIR;
+			$isForbidden = false;
+			$deeptest = array();
+			$extcount = 0;
+			$deeptest = explode('.', $uploadfilename);
+			$extcount = count($deeptest);
 
+			if ($extcount == 1) {
 				/*
-				 * second check extension list
-				 * https://stackoverflow.com/questions/4166762/php-image-upload-security-check-list
+				 * none extension like .jpg or something else
 				 *
-				 * 2019-11-24 - laborix
+				 * possible filename = simple-file-without-extension - linux like ok
 				 */
-
-				$uploadfilename = strtolower($tmp_name);
-
 				$isForbidden = false;
-				$deeptest = array();
-				$extcount = 0;
-				$deeptest = explode('.', $uploadfilename);
-				$extcount = count($deeptest);
-
-				if ($extcount == 1) {
-					/*
-					 * none extension like .jpg or something else
-					 *
-					 * possible filename = simple-file-without-extension - linux like ok
-					 */
-					$isForbidden = false;
-				} elseif ($extcount == 2) {
-					/*
-					 * Only one possible extension
-					 *
-					 * possible filename = 1.jpg
-					 * possible filename = admin.uploader.php
-					 * possible filename = .htaccess
-					 * and so on...
-					 */
-					$check_ext1 = "";
-					$check_ext1 = trim($deeptest [1], "\x00..\x1F");
-					if (in_array($check_ext1, $blacklist_extensions)) {
-						$isForbidden = true;
-					} else {
-						$isForbidden = false;
-					}
-				} elseif ($extcount > 2) {
-					/*
-					 * Chekc only the last two possible extensions
-					 *
-					 * Hint: OWASP - Unrestricted File Upload
-					 *
-					 * In Apache, a php file might be executed using the
-					 * double extension technique such as "file.php.jpg"
-					 * when ".jpg" is allowed.
-					 *
-					 * possible filename = 1.PhP.jpg
-					 * possible filename = admin.uploader.php.JPg
-					 * and so on...
-					 */
-					$check_ext1 = "";
-					$check_ext2 = "";
-					$check_ext1 = trim($deeptest [$extcount - 1], "\x00..\x1F");
-					if (in_array($check_ext1, $blacklist_extensions)) {
-						$isForbidden = true;
-					} else {
-						$isForbidden = false;
-					}
-					/* Test only if first extension check are not in the blacklist */
-					if (!$isForbidden) {
-						$check_ext2 = trim($deeptest [$extcount - 2], "\x00..\x1F");
-						if (in_array($check_ext2, $blacklist_extensions)) {
-							$isForbidden = true;
-						} else {
-							$isForbidden = false;
-						}
-					}
-				}
+			} elseif ($extcount == 2) {
 				/*
-				 * If one blacklisted extension found then
-				 * return with -1 = An error occurred while trying to upload.
+				 * Only one possible extension
+				 *
+				 * possible filename = 1.jpg
+				 * possible filename = admin.uploader.php
+				 * possible filename = .htaccess
+				 * and so on...
 				 */
-				if ($isForbidden) {
-					$this->smarty->assign('success', $success ? 1 : -1);
-					sess_add('admin_uploader_files', $uploaded_files);
-					return -1;
+				$check_ext1 = "";
+				$check_ext1 = trim($deeptest [1], "\x00..\x1F");
+				if (in_array($check_ext1, $blacklist_extensions)) {
+					$isForbidden = true;
+				} else {
+					$isForbidden = false;
 				}
-
+			} elseif ($extcount > 2) {
 				/*
-				 * third check extension
-				 * if someone upload a .php file as .gif, .jpg or .txt
-				 * if someone upload a .html file as .gif, .jpg or .txt
+				 * Chekc only the last two possible extensions
+				 *
+				 * Hint: OWASP - Unrestricted File Upload
+				 *
+				 * In Apache, a php file might be executed using the
+				 * double extension technique such as "file.php.jpg"
+				 * when ".jpg" is allowed.
 				 *
-				 * 2019-11-24 - laborix
+				 * possible filename = 1.PhP.jpg
+				 * possible filename = admin.uploader.php.JPg
+				 * and so on...
 				 */
-
-				if (version_compare(PHP_VERSION, '5.3.0') < 0)
-					return -1;
-				if (!function_exists('finfo_open'))
-					return -1;
-
-				$finfo = finfo_open(FILEINFO_MIME_TYPE);
-				$mime = finfo_file($finfo, $tmp_name);
-				finfo_close($finfo);
-
-				if (($mime == "text/x-php") || ($mime == "text/html")) {
-					$this->smarty->assign('success', $success ? 1 : -1);
-					sess_add('admin_uploader_files', $uploaded_files);
-					return -1;
+				$check_ext1 = "";
+				$check_ext2 = "";
+				$check_ext1 = trim($deeptest [$extcount - 1], "\x00..\x1F");
+				if (in_array($check_ext1, $blacklist_extensions)) {
+					$isForbidden = true;
+				} else {
+					$isForbidden = false;
 				}
+				/* Test only if first extension check are not in the blacklist */
+				if (!$isForbidden) {
+					$check_ext2 = trim($deeptest [$extcount - 2], "\x00..\x1F");
+					if (in_array($check_ext2, $blacklist_extensions)) {
+						$isForbidden = true;
+					} else {
+						$isForbidden = false;
+					}
+				}
+			}
+			/*
+			 * If one blacklisted extension found then
+			 * return with -1 = An error occurred while trying to upload.
+			 */
+			if ($isForbidden) {
+				$this->smarty->assign('success', $success ? 1 : -1);
+				sess_add('admin_uploader_files', $uploaded_files);
+				return -1;
+			}
 
-				$ext = strtolower(strrchr($name, '.'));
+			/*
+			 * third check extension
+			 * if someone upload a .php file as .gif, .jpg or .txt
+			 * if someone upload a .html file as .gif, .jpg or .txt
+			 *
+			 * 2019-11-24 - laborix
+			 */
+
+			if (version_compare(PHP_VERSION, '5.3.0') < 0)
+				return -1;
+			if (!function_exists('finfo_open'))
+				return -1;
+
+			$finfo = finfo_open(FILEINFO_MIME_TYPE);
+			$mime = finfo_file($finfo, $tmp_name);
+			finfo_close($finfo);
+
+			if (($mime == "text/x-php") || ($mime == "text/html")) {
+				$this->smarty->assign('success', $success ? 1 : -1);
+				sess_add('admin_uploader_files', $uploaded_files);
+				return -1;
+			}
 
-				if (in_array($ext, $imgs)) {
-					$dir = IMAGES_DIR;
-				}
+			$ext = strtolower(strrchr($name, '.'));
+
+			if (in_array($ext, $imgs)) {
+				$dir = IMAGES_DIR;
+			}
 
-				$name = sanitize_title(substr($name, 0, -strlen($ext))) . $ext;
+			$name = sanitize_title(substr($name, 0, -strlen($ext))) . $ext;
 
-				$target = "$dir/$name";
-				@umask(022);
-				$success = move_uploaded_file($tmp_name, $target);
-				@chmod($target, 0766);
+			$target = "$dir/$name";
+			@umask(022);
+			$success = move_uploaded_file($tmp_name, $target);
+			@chmod($target, 0766);
 
-				$uploaded_files [] = $name;
+			$uploaded_files [] = $name;
 
-				// one failure will make $success == false :)
-				$success &= $success;
-			}
+			// one failure will make $success == false :)
+			$success &= $success;
 		}
 
 		if ($uploaded_files) {

diff --git a/admin/res/admin.css b/admin/res/admin.css
@@ -167,7 +167,7 @@ input.maxsize { width: 99% }
 #main ul.msgs, ul.msgs {
 	margin-top: 1em;
 	margin-left: 0em;
-	padding: 1em 2em
+	padding: 1em 2em;
 }
 
 .errors {

diff --git a/defaults.php b/defaults.php
@@ -121,6 +121,7 @@
 $serverport = "false";
 // Unterstützung für Apache und IIS
 ini_set('session.cookie_secure', 1);
+ini_set('session.cookie_httponly', 1);
 if (isset($_SERVER ['HTTPS']) && ($_SERVER ['HTTPS'] == '1' || strtolower($_SERVER ['HTTPS']) == 'on')) {
 	$serverport = "https://";
 } else {

diff --git a/fp-includes/core/core.cookie.php b/fp-includes/core/core.cookie.php
@@ -23,6 +23,8 @@ function cookie_setup() {
 		define('COOKIE_DOMAIN', false);
 	if (!defined('COOKIE_SECURE'))
 		define('COOKIE_SECURE', true);
+	if (!defined('COOKIE_HTTPONLY'))
+		define('COOKIE_HTTPONLY', true);
 }
 
 if (!function_exists('wp_get_cookie_login')) :
@@ -62,20 +64,20 @@ function cookie_set($username, $password, $already_md5 = false, $home = '', $sit
 	else
 		$expire = 0;
 
-	setcookie(USER_COOKIE, $username, $expire, $cookiepath, COOKIE_DOMAIN, COOKIE_SECURE);
-	setcookie(PASS_COOKIE, $password, $expire, $cookiepath, COOKIE_DOMAIN, COOKIE_SECURE);
+	setcookie(USER_COOKIE, $username, $expire, $cookiepath, COOKIE_DOMAIN, COOKIE_SECURE, COOKIE_HTTPONLY);
+	setcookie(PASS_COOKIE, $password, $expire, $cookiepath, COOKIE_DOMAIN, COOKIE_SECURE, COOKIE_HTTPONLY);
 
 	if ($cookiepath != $sitecookiepath) {
-		setcookie(USER_COOKIE, $username, $expire, $sitecookiepath, COOKIE_DOMAIN, COOKIE_SECURE);
-		setcookie(PASS_COOKIE, $password, $expire, $sitecookiepath, COOKIE_DOMAIN, COOKIE_SECURE);
+		setcookie(USER_COOKIE, $username, $expire, $sitecookiepath, COOKIE_DOMAIN, COOKIE_SECURE, COOKIE_HTTPONLY);
+		setcookie(PASS_COOKIE, $password, $expire, $sitecookiepath, COOKIE_DOMAIN, COOKIE_SECURE, COOKIE_HTTPONLY);
 	}
 }
 
 function cookie_clear() {
-	setcookie(USER_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE);
-	setcookie(PASS_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE);
-	setcookie(USER_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE);
-	setcookie(PASS_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE);
+	setcookie(USER_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE, COOKIE_HTTPONLY);
+	setcookie(PASS_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE, COOKIE_HTTPONLY);
+	setcookie(USER_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE, COOKIE_HTTPONLY);
+	setcookie(PASS_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE, COOKIE_HTTPONLY);
 }
 
 if (!function_exists('wp_login')) :