Merge branch 'hotfix/3.2.19' into support/3.2

contao · Feb 12, 2015 · 0e0691d · 0e0691d
2 parents 8828211 + 42f3e12
commit 0e0691d
Show file tree

Hide file tree

Showing 9 changed files with 74 additions and 17 deletions.
diff --git a/system/config/constants.php b/system/config/constants.php
@@ -13,7 +13,7 @@
  * Core version
  */
 define('VERSION', '3.2');
-define('BUILD', '18');
+define('BUILD', '19');
 define('LONG_TERM_SUPPORT', true);
 
 

diff --git a/system/docs/CHANGELOG.md b/system/docs/CHANGELOG.md
@@ -1,6 +1,14 @@
 Contao Open Source CMS changelog
 ================================
 
+Version 3.2.19 (2015-02-12)
+---------------------------
+
+### Fixed
+Fixed a directory traversal vulnerability discovered by Arnaud Buchoux. See
+CVE-2015-0269 for more information.
+
+
 Version 3.2.18 (2015-01-30)
 ---------------------------
 

diff --git a/system/modules/calendar/languages/es/tl_calendar.xlf b/system/modules/calendar/languages/es/tl_calendar.xlf
@@ -7,15 +7,15 @@
       </trans-unit>
       <trans-unit id="tl_calendar.title.1">
         <source>Please enter the calendar title.</source>
-        <target>Introduce un título para el calendario.</target>
+        <target>Introduzca un título para el calendario.</target>
       </trans-unit>
       <trans-unit id="tl_calendar.jumpTo.0">
         <source>Redirect page</source>
         <target>Saltar a página</target>
       </trans-unit>
       <trans-unit id="tl_calendar.jumpTo.1">
         <source>Please choose the event reader page to which visitors will be redirected when clicking an event.</source>
-        <target>Selecciona la página a la que serán redirigidos los visitantes cuando hagan clic sobre un evento.</target>
+        <target>Seleccione la página a la que serán redirigidos los visitantes cuando hagan clic sobre un evento.</target>
       </trans-unit>
       <trans-unit id="tl_calendar.allowComments.0">
         <source>Enable comments</source>
@@ -31,23 +31,23 @@
       </trans-unit>
       <trans-unit id="tl_calendar.notify.1">
         <source>Please choose who to notify when comments are added.</source>
-        <target>Seleccionar a quién se debe notificar cuando se agreguen comentarios.</target>
+        <target>Seleccione a quién se debe notificar cuando se agreguen comentarios.</target>
       </trans-unit>
       <trans-unit id="tl_calendar.sortOrder.0">
         <source>Sort order</source>
         <target>Ordenamiento</target>
       </trans-unit>
       <trans-unit id="tl_calendar.sortOrder.1">
         <source>By default, comments are sorted ascending, starting with the oldest one.</source>
-        <target>De manera preestablecida los comentarios se ordenen de manera ascendente, comenzando por el más antiguo.</target>
+        <target>De manera preestablecida los comentarios se ordenan de manera ascendente, comenzando por el más antiguo.</target>
       </trans-unit>
       <trans-unit id="tl_calendar.perPage.0">
         <source>Comments per page</source>
         <target>Comentarios por página</target>
       </trans-unit>
       <trans-unit id="tl_calendar.perPage.1">
         <source>Number of comments per page. Set to 0 to disable pagination.</source>
-        <target>Cantidad de comentarios por página. Introducir 0 para deshabilitar la paginación.</target>
+        <target>Cantidad de comentarios por página. Introduzca 0 para deshabilitar la paginación.</target>
       </trans-unit>
       <trans-unit id="tl_calendar.moderate.0">
         <source>Moderate comments</source>
@@ -71,7 +71,7 @@
       </trans-unit>
       <trans-unit id="tl_calendar.requireLogin.1">
         <source>Allow only authenticated users to create comments.</source>
-        <target>Sólo los usuarios que hayan iniciado sesión pueden crear comentarios.</target>
+        <target>Sólo los usuarios que hayan iniciado la sesión pueden crear comentarios.</target>
       </trans-unit>
       <trans-unit id="tl_calendar.disableCaptcha.0">
         <source>Disable the security question</source>
@@ -95,7 +95,7 @@
       </trans-unit>
       <trans-unit id="tl_calendar.groups.1">
         <source>These groups will be able to see the events in this calendar.</source>
-        <target>Estos grupos podrán ver los eventos.</target>
+        <target>Estos grupos podrán ver los eventos de este calendario.</target>
       </trans-unit>
       <trans-unit id="tl_calendar.tstamp.0">
         <source>Revision date</source>
@@ -127,11 +127,11 @@
       </trans-unit>
       <trans-unit id="tl_calendar.notify_author">
         <source>Author of the event</source>
-        <target>Autor del elemento</target>
+        <target>Autor del evento</target>
       </trans-unit>
       <trans-unit id="tl_calendar.notify_both">
         <source>Author and system administrator</source>
-        <target>Administrador del sistema y autor del elemento</target>
+        <target>Autor y administrador del sistema</target>
       </trans-unit>
       <trans-unit id="tl_calendar.source_teaser">
         <source>Event teasers</source>
@@ -175,11 +175,11 @@
       </trans-unit>
       <trans-unit id="tl_calendar.copy.0">
         <source>Duplicate calendar</source>
-        <target>Copiar calendario</target>
+        <target>Duplicar calendario</target>
       </trans-unit>
       <trans-unit id="tl_calendar.copy.1">
         <source>Duplicate calendar ID %s</source>
-        <target>Copiar calendario con ID %s</target>
+        <target>Duplicar calendario con ID %s</target>
       </trans-unit>
       <trans-unit id="tl_calendar.delete.0">
         <source>Delete calendar</source>
@@ -191,11 +191,11 @@
       </trans-unit>
       <trans-unit id="tl_calendar.feeds.0">
         <source>RSS feeds</source>
-        <target>RSS feeds</target>
+        <target>feeds RSS</target>
       </trans-unit>
       <trans-unit id="tl_calendar.feeds.1">
         <source>Manage RSS feeds</source>
-        <target>Administrar RSS feeds</target>
+        <target>Administrar feeds RSS</target>
       </trans-unit>
     </body>
   </file>

diff --git a/system/modules/core/classes/Backend.php b/system/modules/core/classes/Backend.php
@@ -515,6 +515,8 @@ public static function findSearchablePages($pid=0, $domain='', $blnIsSitemap=fal
 	 * Add a breadcrumb menu to the page tree
 	 *
 	 * @param string
+	 *
+	 * @throws \RuntimeException
 	 */
 	public static function addPagesBreadcrumb($strKey='tl_page_node')
 	{
@@ -523,7 +525,13 @@ public static function addPagesBreadcrumb($strKey='tl_page_node')
 		// Set a new node
 		if (isset($_GET['node']))
 		{
-			$objSession->set($strKey, \Input::get('node'));
+			// Check the path (thanks to Arnaud Buchoux)
+			if (\Validator::isInsecurePath(\Input::get('node', true)))
+			{
+				throw new \RuntimeException('Insecure path ' . \Input::get('node', true));
+			}
+
+			$objSession->set($strKey, \Input::get('node', true));
 			\Controller::redirect(preg_replace('/&node=[^&]*/', '', \Environment::get('request')));
 		}
 
@@ -534,6 +542,12 @@ public static function addPagesBreadcrumb($strKey='tl_page_node')
 			return;
 		}
 
+		// Check the path (thanks to Arnaud Buchoux)
+		if (\Validator::isInsecurePath($intNode))
+		{
+			throw new \RuntimeException('Insecure path ' . $intNode);
+		}
+
 		$arrIds   = array();
 		$arrLinks = array();
 		$objUser  = \BackendUser::getInstance();
@@ -653,6 +667,8 @@ public static function addPageIcon($row, $label, DataContainer $dc=null, $imageA
 	 * Add a breadcrumb menu to the file tree
 	 *
 	 * @param string
+	 *
+	 * @throws \RuntimeException
 	 */
 	public static function addFilesBreadcrumb($strKey='tl_files_node')
 	{
@@ -661,6 +677,12 @@ public static function addFilesBreadcrumb($strKey='tl_files_node')
 		// Set a new node
 		if (isset($_GET['node']))
 		{
+			// Check the path (thanks to Arnaud Buchoux)
+			if (\Validator::isInsecurePath(\Input::get('node', true)))
+			{
+				throw new \RuntimeException('Insecure path ' . \Input::get('node', true));
+			}
+
 			$objSession->set($strKey, \Input::get('node', true));
 			\Controller::redirect(preg_replace('/(&|\?)node=[^&]*/', '', \Environment::get('request')));
 		}
@@ -672,6 +694,12 @@ public static function addFilesBreadcrumb($strKey='tl_files_node')
 			return;
 		}
 
+		// Check the path (thanks to Arnaud Buchoux)
+		if (\Validator::isInsecurePath($strNode))
+		{
+			throw new \RuntimeException('Insecure path ' . $strNode);
+		}
+
 		// Currently selected folder does not exist
 		if (!is_dir(TL_ROOT . '/' . $strNode))
 		{

diff --git a/system/modules/core/dca/tl_templates.php b/system/modules/core/dca/tl_templates.php
@@ -136,12 +136,20 @@ class tl_templates extends Backend
 
 	/**
 	 * Add the breadcrumb menu
+	 *
+	 * @throws RuntimeException
 	 */
 	public function addBreadcrumb()
 	{
 		// Set a new node
 		if (isset($_GET['node']))
 		{
+			// Check the path (thanks to Arnaud Buchoux)
+			if (Validator::isInsecurePath(Input::get('node', true)))
+			{
+				throw new RuntimeException('Insecure path ' . Input::get('node', true));
+			}
+
 			$this->Session->set('tl_templates_node', Input::get('node', true));
 			$this->redirect(preg_replace('/(&|\?)node=[^&]*/', '', Environment::get('request')));
 		}
@@ -153,6 +161,12 @@ public function addBreadcrumb()
 			return;
 		}
 
+		// Check the path (thanks to Arnaud Buchoux)
+		if (Validator::isInsecurePath($strNode))
+		{
+			throw new RuntimeException('Insecure path ' . $strNode);
+		}
+
 		// Currently selected folder does not exist
 		if (!is_dir(TL_ROOT . '/' . $strNode))
 		{

diff --git a/system/modules/core/languages/ru/tl_form.xlf b/system/modules/core/languages/ru/tl_form.xlf
@@ -135,7 +135,7 @@
       </trans-unit>
       <trans-unit id="tl_form.attributes.1">
         <source>Here you can set an ID and one or more classes.</source>
-        <target>Вы можете ввести CSS ID (ID атрибута) и один или несколько CSS классов (атрибутов класса).</target>
+        <target>Вы можете ввести ID одного или нескольких классов.</target>
       </trans-unit>
       <trans-unit id="tl_form.formID.0">
         <source>Form ID</source>

diff --git a/system/modules/core/languages/ru/tl_module.xlf b/system/modules/core/languages/ru/tl_module.xlf
@@ -495,7 +495,7 @@
       </trans-unit>
       <trans-unit id="tl_module.cssID.1">
         <source>Here you can set an ID and one or more classes.</source>
-        <target>Вы можете ввести CSS ID (ID атрибута) и один или несколько CSS классов (атрибутов класса).</target>
+        <target>Вы можете ввести ID одного или нескольких классов.</target>
       </trans-unit>
       <trans-unit id="tl_module.space.0">
         <source>Space in front and after</source>

diff --git a/system/modules/core/library/Contao/Validator.php b/system/modules/core/library/Contao/Validator.php
@@ -337,6 +337,12 @@ public static function isInsecurePath($strPath)
 		$strPath = str_replace('\\', '/', $strPath);
 		$strPath = preg_replace('#//+#', '/', $strPath);
 
+		// Equals ..
+		if ($strPath == '..')
+		{
+			return true;
+		}
+
 		// Begins with ./
 		if (substr($strPath, 0, 2) == './')
 		{

diff --git a/system/modules/repository/classes/RepositorySettings.php b/system/modules/repository/classes/RepositorySettings.php
@@ -31,6 +31,7 @@
 		'30030007,30030007;'.	// 3.3.0-RC2
 		'30030006,30030006;'.	// 3.3.0-RC1
 		'30030003,30030003;'.	// 3.3.0-beta1
+		'30020199,30020199;'.	// 3.2.19
 		'30020189,30020189;'.	// 3.2.18
 		'30020179,30020179;'.	// 3.2.17
 		'30020169,30020169;'.	// 3.2.16