From 6f0b0dd1609f2a253b48f1b9347168dd2d5a61d7 Mon Sep 17 00:00:00 2001
From: Anika Henke
Date: Sat, 15 Oct 2011 10:35:25 +0100
Subject: removed remnants of old flash uploader (FS#2335)
---
 lib/exe/multipleUpload.swf | Bin 64561 -> 0 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)
 delete mode 100644 lib/exe/multipleUpload.swf
(limited to 'lib/exe')
diff --git a/lib/exe/multipleUpload.swf b/lib/exe/multipleUpload.swf
deleted file mode 100644
index 888aab045..000000000
Binary files a/lib/exe/multipleUpload.swf and /dev/null differ
-- 
cgit v1.2.3
From b760af946cf29d1bee05a5cb33cfc6e357df441f Mon Sep 17 00:00:00 2001
From: Michael Hamann
Date: Sat, 15 Oct 2011 14:54:10 +0200
Subject: Send a 401 Unauthorized header in XML-RPC when access is denied This is far from perfect but should solve most issues in the recommended configuration where only authorized users have access. Sending proper status codes should be implemented when the API implementation refactoring is done.
---
 lib/exe/xmlrpc.php | 1 +
 1 file changed, 1 insertion(+)
(limited to 'lib/exe')
diff --git a/lib/exe/xmlrpc.php b/lib/exe/xmlrpc.php
index 8b572d213..93d7c70ba 100644
--- a/lib/exe/xmlrpc.php
+++ b/lib/exe/xmlrpc.php
@@ -53,6 +53,7 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer {
 */
 function call($methodname, $args){
 if(!in_array($methodname,$this->public_methods) && !$this->checkAuth()){
+ header('HTTP/1.1 401 Unauthorized');
 return new IXR_Error(-32603, 'server error. not authorized to call method "'.$methodname.'".');
 }
 return parent::call($methodname, $args);
-- 
cgit v1.2.3
From 794fc9db8fe6b243f202c740cea5a677b683341b Mon Sep 17 00:00:00 2001
From: Michael Hamann
Date: Sat, 15 Oct 2011 15:06:35 +0200
Subject: Only send 401 if user is not logged in in XML-RPC FS#2133 If the user is already logged in, a 403 is sent instead now.
---
 lib/exe/xmlrpc.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
(limited to 'lib/exe')
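Review bot: The 401 added in call() carries no `WWW-Authenticate` challenge, which HTTP requires on a 401 and which clients need before they retry with credentials; the same applies to the 401 branch in the follow-up commit that adds the 403 case. If this endpoint accepts HTTP Basic credentials (not visible in the hunk), send the challenge next to the status line, e.g. `header('WWW-Authenticate: Basic realm="REALM_PLACEHOLDER"');`. The status line also hard-codes `HTTP/1.1`; building it from `$_SERVER['SERVER_PROTOCOL']` would follow the protocol the client actually used. The closing brace of call() is outside the hunk.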
diff --git a/lib/exe/xmlrpc.php b/lib/exe/xmlrpc.php
index 93d7c70ba..6553d043f 100644
--- a/lib/exe/xmlrpc.php
+++ b/lib/exe/xmlrpc.php
@@ -53,7 +53,11 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer {
 */
 function call($methodname, $args){
 if(!in_array($methodname,$this->public_methods) && !$this->checkAuth()){
- header('HTTP/1.1 401 Unauthorized');
+ if (!isset($_SERVER['REMOTE_USER'])) {
+ header('HTTP/1.1 401 Unauthorized');
+ } else {
+ header('HTTP/1.1 403 Forbidden');
+ }
 return new IXR_Error(-32603, 'server error. not authorized to call method "'.$methodname.'".');
 }
 return parent::call($methodname, $args);
-- 
cgit v1.2.3
From fe13bd81bd93d84c12b23f8daa1f60c8a003d30b Mon Sep 17 00:00:00 2001
From: Andreas Gohr
Date: Sat, 15 Oct 2011 16:30:15 +0200
Subject: Fix XML-RPC login method FS#2324 The login wasn't able to modify the session as it was already closed earlier. This patch also executes the correct event when logins via XMLRPC are done.
---
 lib/exe/xmlrpc.php | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
(limited to 'lib/exe')
diff --git a/lib/exe/xmlrpc.php b/lib/exe/xmlrpc.php
index 6553d043f..8e4141d4e 100644
--- a/lib/exe/xmlrpc.php
+++ b/lib/exe/xmlrpc.php
@@ -858,11 +858,22 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer {
 global $auth;
 if(!$conf['useacl']) return 0;
 if(!$auth) return 0;
+
+ @session_start(); // reopen session for login
 if($auth->canDo('external')){
- return $auth->trustExternal($user,$pass,false);
+ $ok = $auth->trustExternal($user,$pass,false);
 }else{
- return auth_login($user,$pass,false,true);
+ $evdata = array(
+ 'user' => $user,
+ 'password' => $pass,
+ 'sticky' => false,
+ 'silent' => true,
+ );
+ $ok = trigger_event('AUTH_LOGIN_CHECK', $evdata, 'auth_login_wrapper');
 }
+ session_write_close(); // we're done with the session
+
+ return $ok;
 }
-- 
cgit v1.2.3
From f53795891c8f08acc7ad03adf236f82d6e108c38 Mon Sep 17 00:00:00 2001
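Review bot: The 401/403 split in call() keys on `isset($_SERVER['REMOTE_USER'])`, so a request where REMOTE_USER is present but empty is answered with 403 although nobody is authenticated, and the client is never asked for credentials. Whether that state can occur depends on how REMOTE_USER is populated outside this hunk; testing for a non-empty value closes the gap: `if (!isset($_SERVER['REMOTE_USER']) || $_SERVER['REMOTE_USER'] === '') {`. A short comment on the else branch, `// authenticated, but not allowed to call this method`, would record why 403 is the right answer there.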
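Review bot: `@session_start()` hides a failed reopen, so the login can return a truthy `$ok` while nothing was persisted and the caller's next request is unauthenticated again; test the result instead, e.g. `if (!@session_start()) return 0;`. The session id that existed before the login appears to be kept afterwards; unless `auth_login_wrapper` or `trustExternal` rotate it (not visible here), add `if ($ok) session_regenerate_id(true);` before `session_write_close()` so a pre-set id is not carried into an authenticated session. The function's signature is outside the hunk.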
From: Christopher Smith
Date: Sat, 15 Oct 2011 16:09:02 +0100
Subject: FS#2317 fix CSS compress for generic pseudo classes/pseudo elements
---
 lib/exe/css.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'lib/exe')
diff --git a/lib/exe/css.php b/lib/exe/css.php
index 81f47d8fa..d54e2e46c 100644
--- a/lib/exe/css.php
+++ b/lib/exe/css.php
@@ -319,7 +319,8 @@ function css_compress($css){
 // strip whitespaces
 $css = preg_replace('![\r\n\t ]+!',' ',$css);
- $css = preg_replace('/ ?([:;,{}\/]) ?/','\\1',$css);
+ $css = preg_replace('/ ?([;,{}\/]) ?/','\\1',$css);
+ $css = preg_replace('/ ?: /',':',$css);
 // shorten colors
 $css = preg_replace("/#([0-9a-fA-F]{1})\\1([0-9a-fA-F]{1})\\2([0-9a-fA-F]{1})\\3/", "#\\1\\2\\3",$css);
-- 
cgit v1.2.3
From 6fd41509f28290d217a2c9995341215944d31916 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?schplurtz=20le=20d=C3=A9boulonn=C3=A9?=
Date: Thu, 27 Oct 2011 14:14:19 +0200
Subject: Use JSON wrapper in image upload (FS#2345)
---
 lib/exe/ajax.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'lib/exe')
diff --git a/lib/exe/ajax.php b/lib/exe/ajax.php
index d4ef8dc11..f8d62cb57 100644
--- a/lib/exe/ajax.php
+++ b/lib/exe/ajax.php
@@ -281,7 +281,8 @@ function ajax_mediaupload(){
 }
 $result = array('error' => $msg['msg'], 'ns' => $NS);
 }
- echo htmlspecialchars(json_encode($result), ENT_NOQUOTES);
+ $json = new JSON;
+ echo htmlspecialchars($json->encode($result), ENT_NOQUOTES);
 }
 function dir_delete($path) {
-- 
cgit v1.2.3
From 80d6fbc300b7e423fe0d2373cf3888c80ac94a41 Mon Sep 17 00:00:00 2001
From: Adrian Lang
Date: Sun, 30 Oct 2011 11:02:44 +0100
Subject: Fix double-decoding in XMLRPC putAttachment
---
 lib/exe/xmlrpc.php | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
(limited to 'lib/exe')
diff --git a/lib/exe/xmlrpc.php b/lib/exe/xmlrpc.php
index 8e4141d4e..e5e3298ae 100644
--- a/lib/exe/xmlrpc.php
+++ b/lib/exe/xmlrpc.php
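Review bot: The two new patterns in css_compress() have no comment saying why `:` is no longer handled with the other separators, so a later cleanup is likely to merge them back and reintroduce the bug. Above the second `preg_replace`, add something like `// colons: a space before ':' can be a descendant combinator ("div :first-child"), so only strip when a space follows`. Note that `/ ?: /` still removes the space in front of a colon whenever a space follows it; if that is intended for declarations written as `color : red`, the comment should say so. css_compress() starts and ends outside the hunk.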
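Review bot: Nothing at the `echo` in ajax_mediaupload() says why the JSON is entity-escaped, and that escaping is what keeps `$msg['msg']` and `$NS` from being parsed as markup if the response is rendered as HTML (the content type is set outside the hunk, if at all). Add a comment such as `// the response may be rendered as HTML by the uploader, so escape <, > and & but keep quotes intact for the JSON parser`, so the `htmlspecialchars()` call is not removed as redundant when the encoder is touched again. The function starts before the hunk.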
@@ -7,7 +7,7 @@ if(isset($HTTP_RAW_POST_DATA)) $HTTP_RAW_POST_DATA = trim($HTTP_RAW_POST_DATA);
 /**
 * Increased whenever the API is changed
 */
-define('DOKU_XMLRPC_API_VERSION',5);
+define('DOKU_XMLRPC_API_VERSION', 6);
 require_once(DOKU_INC.'inc/init.php');
 session_write_close(); //close session
@@ -584,8 +584,12 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer {
 // save temporary file
 @unlink($ftmp);
- $buff = base64_decode($file);
- io_saveFile($ftmp, $buff);
+ if (preg_match('/^[A-Za-z0-9\+\/]*={0,2}$/', $file) === 1) {
+ // DEPRECATED: Double-decode file if it still looks like base64
+ // after first decoding (which is done by the library)
+ $file = base64_decode($file);
+ }
+ io_saveFile($ftmp, $file);
 $res = media_save(array('name' => $ftmp), $id, $params['ow'], $auth, 'rename');
 if (is_array($res)) {
-- 
cgit v1.2.3
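Review bot: The base64 test in the second hunk also matches ordinary payloads, so an attachment whose bytes happen to be only letters, digits, `+`, `/` and `=` (a short plain-text file, for example) is decoded a second time and stored corrupted; the pattern also accepts the empty string and, because of `$`, input ending in a newline. Requiring a non-empty input whose length is a multiple of four and anchoring with `\z` narrows the false positives: `if ($file !== '' && strlen($file) % 4 === 0 && preg_match('/^[A-Za-z0-9+\/]*={0,2}\z/', $file) === 1) {`. That reduces the ambiguity but cannot remove it, so the DEPRECATED comment should state when the fallback will be dropped. Because the bytes written to `$ftmp` can differ from what the client sent, any content or type check has to look at the saved file (it may already, in `media_save()`, outside the hunk). The enclosing method starts and ends outside the hunk.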