From 0c725e2ceeb9abf2e8b625961548928fa9bca9b2 Mon Sep 17 00:00:00 2001 From: Brett Profitt Date: Thu, 10 May 2012 10:08:34 -0700 Subject: Fixes #4507. Corrected typo for twitter interstitial page. --- CHANGES.txt | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'CHANGES.txt') diff --git a/CHANGES.txt b/CHANGES.txt index 11060aa2d..460c3b538 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -1,3 +1,14 @@ +Version 1.8.5 +(May 15, 2012 from https://github.com/Elgg/Elgg/tree/1.8) + + Contributing Developers: + * Brett Profitt + + Bugfixes: + * Twitter API: New users are forwarded to the correct page after creating + an account with Twitter. + + Version 1.8.4 (April 24, 2012 from https://github.com/Elgg/Elgg/tree/1.8) -- cgit v1.2.3 From 319500f0b54baa05286098f51407b3966a51121d Mon Sep 17 00:00:00 2001 From: Brett Profitt Date: Thu, 10 May 2012 10:18:13 -0700 Subject: Updated changes. --- CHANGES.txt | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'CHANGES.txt') diff --git a/CHANGES.txt b/CHANGES.txt index 460c3b538..cabfd604b 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -3,11 +3,12 @@ Version 1.8.5 Contributing Developers: * Brett Profitt + * Sem Bugfixes: * Twitter API: New users are forwarded to the correct page after creating an account with Twitter. - + * Files: PDF files are downloaded as "inline" to display in the browser. Version 1.8.4 (April 24, 2012 from https://github.com/Elgg/Elgg/tree/1.8) -- cgit v1.2.3 From 3d5db88999fbafa1d1ac6f0dedf01d692c2a968c Mon Sep 17 00:00:00 2001 From: Brett Profitt Date: Thu, 10 May 2012 10:31:11 -0700 Subject: Fixes #4372. Using elgg_view_friendly_time() in river entries. --- CHANGES.txt | 4 ++++ views/default/river/elements/body.php | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) (limited to 'CHANGES.txt') diff --git a/CHANGES.txt b/CHANGES.txt index cabfd604b..2a3339c95 100644 --- a/CHANGES.txt +++ b/CHANGES.txt 
@@ -10,6 +10,10 @@ Version 1.8.5 an account with Twitter. * Files: PDF files are downloaded as "inline" to display in the browser. + API: + * River entries' timestamps use elgg_view_friendly_time() and can be + overridden with the friendly time output view. + Version 1.8.4 (April 24, 2012 from https://github.com/Elgg/Elgg/tree/1.8) diff --git a/views/default/river/elements/body.php b/views/default/river/elements/body.php index 6894b81e2..2cd7f2289 100644 --- a/views/default/river/elements/body.php +++ b/views/default/river/elements/body.php @@ -18,7 +18,7 @@ $menu = elgg_view_menu('river', array( )); // river item header -$timestamp = elgg_get_friendly_time($item->getPostedTime()); +$timestamp = elgg_view_friendly_time($item->getPostedTime()); $summary = elgg_extract('summary', $vars, elgg_view('river/elements/summary', array('item' => $vars['item']))); if ($summary === false) { -- cgit v1.2.3 From 12179513e27e136bbbb590123ab519658f8b11ef Mon Sep 17 00:00:00 2001 From: Brett Profitt Date: Thu, 10 May 2012 20:09:51 -0700 Subject: Updated changes. --- CHANGES.txt | 3 +++ 1 file changed, 3 insertions(+) (limited to 'CHANGES.txt') diff --git a/CHANGES.txt b/CHANGES.txt index 2a3339c95..387b28076 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -9,6 +9,9 @@ Version 1.8.5 * Twitter API: New users are forwarded to the correct page after creating an account with Twitter. * Files: PDF files are downloaded as "inline" to display in the browser. + * Fixed possible duplication errors when writing metadata with multiple values. + * Fixed possible upgrade issue if using a plugin uses the system_log hooks. + * Fixed problems when enabling more than 50 metadata or annotations. API: * River entries' timestamps use elgg_view_friendly_time() and can be -- cgit v1.2.3 From f8d77796af608dd8b4eff0a19129edf544f73396 Mon Sep 17 00:00:00 2001 
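Review bot: `$timestamp` now receives the output of elgg_view_friendly_time(), which per the changelog entry in this commit renders a view, so it holds markup rather than the plain string elgg_get_friendly_time() returned; the place where it is echoed is outside this hunk and must treat it as already-rendered HTML, since escaping it again would print literal tags. A comment on the assignment would make that contract visible to the next editor, e.g. `// rendered HTML from the friendly time output view (plugin-overridable); do not escape again`. Because a plugin can override that view, the header now contains whatever the override returns, which is worth stating in the same comment.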
From: Brett Profitt Date: Mon, 14 May 2012 11:52:39 -0700 Subject: Updated CHANGES.txt. --- CHANGES.txt | 3 +++ 1 file changed, 3 insertions(+) (limited to 'CHANGES.txt') diff --git a/CHANGES.txt b/CHANGES.txt index 387b28076..a7e14331d 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -5,6 +5,9 @@ Version 1.8.5 * Brett Profitt * Sem + Security Enhancements: + * Fixed possible XSS vulnerability if using a crafted URL. + Bugfixes: * Twitter API: New users are forwarded to the correct page after creating an account with Twitter. -- cgit v1.2.3 From 70e5ffe5f887679b10b6c6ac8a14b1f128efbb52 Mon Sep 17 00:00:00 2001 From: Brett Profitt Date: Mon, 14 May 2012 11:59:23 -0700 Subject: Setting the useradd action's access to admin instead of public. --- CHANGES.txt | 1 + engine/lib/users.php | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) (limited to 'CHANGES.txt') diff --git a/CHANGES.txt b/CHANGES.txt index a7e14331d..f5cacac29 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -7,6 +7,7 @@ Version 1.8.5 Security Enhancements: * Fixed possible XSS vulnerability if using a crafted URL. + * Fixed exploit to bypass new user validation if using a crafted form. Bugfixes: * Twitter API: New users are forwarded to the correct page after creating diff --git a/engine/lib/users.php b/engine/lib/users.php index 6a881777e..e209f2c38 100644 --- a/engine/lib/users.php +++ b/engine/lib/users.php @@ -1551,7 +1551,7 @@ function users_init() { elgg_register_plugin_hook_handler('register', 'menu:user_hover', 'elgg_user_hover_menu'); elgg_register_action('register', '', 'public'); - elgg_register_action('useradd', '', 'public'); + elgg_register_action('useradd', '', 'admin'); elgg_register_action('friends/add'); elgg_register_action('friends/remove'); elgg_register_action('avatar/upload'); -- cgit v1.2.3 From 9a59aa7a3cbb0e741b9b50b6b6ce8bd021b2479a Mon Sep 17 00:00:00 2001 
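Review bot: The changed registration `elgg_register_action('useradd', '', 'admin');` carries no explanation, and it sits directly under the public 'register' action that looks parallel, so a later cleanup could plausibly revert it; add a why-comment above it, e.g. `// 'useradd' creates accounts without the new-user validation step (CHANGES 1.8.5), so it must stay admin-only`. The action registry is the only gate visible here; if the useradd action handler itself does not already check for an admin session, a defensive check there would keep the fix from depending on this single line. users_init() starts and ends outside the hunk.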
From: Brett Profitt Date: Mon, 14 May 2012 17:35:53 -0700 Subject: Only caching access lists after ready, system fires. This prevents a bug where access lists could be cached and not cleared during plugin boot while access was disabled, which could expose entities set to ACCESS_PRIVATE. --- CHANGES.txt | 16 +++++++++------- engine/lib/access.php | 31 +++++++++++++++++++------------ 2 files changed, 28 insertions(+), 19 deletions(-) (limited to 'CHANGES.txt') diff --git a/CHANGES.txt b/CHANGES.txt index f5cacac29..ae0cdc333 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -8,17 +8,19 @@ Version 1.8.5 Security Enhancements: * Fixed possible XSS vulnerability if using a crafted URL. * Fixed exploit to bypass new user validation if using a crafted form. + * Fixed incorrect caching of access lists that could allow plugins + to show private entities to non-admin and non-owning users. (Non-exploitable) Bugfixes: - * Twitter API: New users are forwarded to the correct page after creating - an account with Twitter. - * Files: PDF files are downloaded as "inline" to display in the browser. - * Fixed possible duplication errors when writing metadata with multiple values. - * Fixed possible upgrade issue if using a plugin uses the system_log hooks. - * Fixed problems when enabling more than 50 metadata or annotations. + * Twitter API: New users are forwarded to the correct page after creating + an account with Twitter. + * Files: PDF files are downloaded as "inline" to display in the browser. + * Fixed possible duplication errors when writing metadata with multiple values. + * Fixed possible upgrade issue if using a plugin uses the system_log hooks. + * Fixed problems when enabling more than 50 metadata or annotations. API: - * River entries' timestamps use elgg_view_friendly_time() and can be + * River entries' timestamps use elgg_view_friendly_time() and can be overridden with the friendly time output view. Version 1.8.4 
diff --git a/engine/lib/access.php b/engine/lib/access.php index 6be252c6a..702e2c1cb 100644 --- a/engine/lib/access.php +++ b/engine/lib/access.php @@ -31,7 +31,7 @@ function get_access_list($user_id = 0, $site_id = 0, $flush = false) { global $CONFIG, $init_finished; static $access_list; - if (!isset($access_list) || !$init_finished) { + if (!isset($access_list)) { $access_list = array(); } @@ -49,9 +49,15 @@ function get_access_list($user_id = 0, $site_id = 0, $flush = false) { return $access_list[$user_id]; } - $access_list[$user_id] = "(" . implode(",", get_access_array($user_id, $site_id, $flush)) . ")"; + $access = "(" . implode(",", get_access_array($user_id, $site_id, $flush)) . ")"; - return $access_list[$user_id]; + // only cache if done with init + if ($init_finished) { + $access_list[$user_id] = $access; + return $access_list[$user_id]; + } else { + return $access; + } } /** @@ -83,7 +89,7 @@ function get_access_array($user_id = 0, $site_id = 0, $flush = false) { // this cache might be redundant. But db cache is flushed on every db write. static $access_array; - if (!isset($access_array) || (!isset($init_finished)) || (!$init_finished)) { + if (!isset($access_array)) { $access_array = array(); } @@ -137,12 +143,11 @@ function get_access_array($user_id = 0, $site_id = 0, $flush = false) { $tmp_access_array[] = ACCESS_PRIVATE; } - $access_array[$user_id] = $tmp_access_array; - } else { - // No user id logged in so we can only access public info - $tmp_return = $tmp_access_array; + // only cache if done with init + if ($init_finished) { + $access_array[$user_id] = $tmp_access_array; + } } - } else { $tmp_access_array = $access_array[$user_id]; } 
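Review bot: The new cache writes in get_access_list (`$access_list[$user_id] = $access;` in the @@ -49 hunk) and in get_access_array (`$access_array[$user_id] = $tmp_access_array;` in the @@ -137 hunk) are gated only on `$init_finished`, so the poisoning this commit addresses can recur after 'ready': if the branch that appends ACCESS_PRIVATE (its condition lies outside the hunk) also fires while access is ignored, the first lookup for a user during an elgg_set_ignore_access(true) window is cached with ACCESS_PRIVATE and served for the rest of the request once access is restored. Either skip caching in that state, `if ($init_finished && !elgg_get_ignore_access()) {`, or include the ignore-access state in the cache key; the key also ignores `$site_id` even though both signatures accept it, which is worth a comment if per-site results cannot differ. The if/else in get_access_list duplicates the return value; assign inside the `if` and finish with a single `return $access;`. Both functions start and end outside these hunks.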
@@ -946,7 +951,8 @@ function elgg_get_access_object() { * * @global bool $init_finished * @access private - * @todo investigate why this is needed + * @todo This is required to tell the access system to start caching because + * calls are made while in ignore access mode and before the user is logged in. */ $init_finished = false; @@ -1014,8 +1020,9 @@ function access_test($hook, $type, $value, $params) { return $value; } -// This function will let us know when 'init' has finished -elgg_register_event_handler('init', 'system', 'access_init', 9999); +// Tell the access functions the system has booted, plugins are loaded, +// and the user is logged in so it can start caching +elgg_register_event_handler('ready', 'system', 'access_init'); // For overrided permissions elgg_register_plugin_hook_handler('permissions_check', 'all', 'elgg_override_permissions'); -- cgit v1.2.3 From 14d2c70e1872f4045fc857be9b9022d085f1fbd1 Mon Sep 17 00:00:00 2001 From: Evan Winslow Date: Thu, 17 May 2012 09:57:56 -0700 Subject: Version bump. Updates CHANGES.txt --- CHANGES.txt | 6 +++++- version.php | 2 +- 2 files changed, 6 insertions(+), 2 deletions(-) (limited to 'CHANGES.txt') diff --git a/CHANGES.txt b/CHANGES.txt index ae0cdc333..870c4f57d 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -1,9 +1,13 @@ Version 1.8.5 -(May 15, 2012 from https://github.com/Elgg/Elgg/tree/1.8) +(May 17, 2012 from https://github.com/Elgg/Elgg/tree/1.8) Contributing Developers: * Brett Profitt + * Evan Winslow * Sem + * Steve Clay + * Jeroen Dalsem + * Jerome Bakker Security Enhancements: * Fixed possible XSS vulnerability if using a crafted URL. diff --git a/version.php b/version.php index c36f4e186..4f028bfd6 100644 --- a/version.php +++ b/version.php @@ -14,4 +14,4 @@ $version = 2012041801; // Human-friendly version name -$release = '1.8.4'; +$release = '1.8.5'; -- cgit v1.2.3
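Review bot: The `@todo` tag on the $init_finished docblock now carries an explanation of why the flag exists rather than an open task, so todo-collecting tools will keep listing it as unfinished work; drop the tag and keep the sentence as plain docblock text, e.g. `* This flag tells the access functions when they may start caching, because` followed by the existing second line. The docblock's opening lines are outside the hunk.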
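Review bot: The new registration `elgg_register_event_handler('ready', 'system', 'access_init');` drops the explicit late priority the removed 'init' registration had (9999), so access_init now runs at the default priority among 'ready' handlers, and any plugin 'ready' handler that runs after it and toggles ignore-access would have its lookups cached — the same window this commit is closing. Keeping the explicit priority makes caching start only after every other 'ready' handler: `elgg_register_event_handler('ready', 'system', 'access_init', 9999);`. The new comment's claim that the user is logged in by 'ready' cannot be verified from this hunk and reads better hedged, e.g. `// ... and (where a session exists) the user is logged in`.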