Merge branch 'hotfix/3.5.28'

assets/mootools/simplemodal/1.2/css/simplemodal-uncompressed.css

@@ -73,6 +73,16 @@
   bottom: 40px;
   -webkit-overflow-scrolling: touch;
 }
+/* PATCH: see #8708 */
+.ios .simple-modal:before {
+  content: '';
+  position: absolute;
+  top: 0;
+  left: 0;
+  width: 1px;
+  height: calc(100% + 1px);
+  pointer-events: none;
+}
 .simple-modal .simple-modal-header {
   padding: 5px 15px;
   margin: 0;

system/config/constants.php

@@ -13,7 +13,7 @@
  * Core version
  */
 define('VERSION', '3.5');
-define('BUILD', '27');
+define('BUILD', '28');
 define('LONG_TERM_SUPPORT', true);
 
 

system/docs/CHANGELOG.md

@@ -1,6 +1,22 @@
 Contao Open Source CMS changelog
 ================================
 
+Version 3.5.28 (2017-07-12)
+---------------------------
+
+### Fixed
+Prevent arbitrary PHP file inclusions in the back end (see CVE-2017-10993).
+
+### Fixed
+Improve the accessibility of the CAPTCHA widget (see #8709).
+
+### Fixed
+Fixed the iOS scrolling bug in the simple modal script (see #8708).
+
+### Fixed
+Correctly cache the unique keys in the SQL cache (see #8712).
+
+
 Version 3.5.27 (2017-04-25)
 ---------------------------
 

system/modules/core/controllers/FrontendCron.php

@@ -74,6 +74,9 @@ public function run()
 			}
 		}
 
+		// Load the default language file (see #8719)
+		\System::loadLanguageFile('default');
+
 		// Run the jobs
 		foreach ($arrIntervals as $strInterval)
 		{

system/modules/core/dca/tl_files.php

@@ -571,7 +571,9 @@ public function cutFile($row, $href, $label, $title, $icon, $attributes)
 	 */
 	public function deleteFile($row, $href, $label, $title, $icon, $attributes)
 	{
-		if (is_dir(TL_ROOT . '/' . $row['id']) && count(scan(TL_ROOT . '/' . $row['id'])) > 0)
+		$path = TL_ROOT . '/' . urldecode($row['id']);
+
+		if (is_dir($path) && count(scan($path)) > 0)
 		{
 			return $this->User->hasAccess('f4', 'fop') ? '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" title="'.specialchars($title, false, true).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
 		}
@@ -653,13 +655,23 @@ public function showFile($row, $href, $label, $title, $icon, $attributes)
 	 */
 	public function protectFolder(DataContainer $dc)
 	{
-		$count = 0;
 		$strPath = $dc->id;
 
 		// Check whether the temporary name has been replaced already (see #6432)
-		if (Input::post('name') && ($strNewPath = str_replace('__new__', Input::post('name'), $strPath, $count)) && $count > 0 && is_dir(TL_ROOT . '/' . $strNewPath))
+		if (Input::post('name'))
 		{
-			$strPath = $strNewPath;
+			if (Validator::isInsecurePath(Input::post('name')))
+			{
+				throw new RuntimeException('Invalid file or folder name ' . Input::post('name'));
+			}
+
+			$count = 0;
+			$strName = basename($strPath);
+
+			if (($strNewPath = str_replace($strName, Input::post('name'), $strPath, $count)) && $count > 0 && is_dir(TL_ROOT . '/' . $strNewPath))
+			{
+				$strPath = $strNewPath;
+			}
 		}
 
 		// Only show for folders (see #5660)

system/modules/core/dca/tl_settings.php

@@ -312,7 +312,7 @@
 		(
 			'label'                   => &$GLOBALS['TL_LANG']['tl_settings']['maxImageWidth'],
 			'inputType'               => 'text',
-			'eval'                    => array('rgxp'=>'natural', 'nospace'=>true, 'tl_class'=>'w50')
+			'eval'                    => array('mandatory'=>true, 'rgxp'=>'natural', 'nospace'=>true, 'tl_class'=>'w50')
 		),
 		'jpgQuality' => array
 		(

system/modules/core/forms/FormCaptcha.php

@@ -200,10 +200,11 @@ public function generateLabel()
 	 */
 	public function generate()
 	{
-		return sprintf('<input type="text" name="%s" id="ctrl_%s" class="captcha mandatory%s" value=""%s%s',
+		return sprintf('<input type="text" name="%s" id="ctrl_%s" class="captcha mandatory%s" value="" aria-describedby="captcha_text_%s"%s%s',
 						$this->strCaptchaKey,
 						$this->strId,
 						(($this->strClass != '') ? ' ' . $this->strClass : ''),
+						$this->strId,
 						$this->getAttributes(),
 						$this->strTagEnding) . $this->addSubmit();
 	}
@@ -216,7 +217,8 @@ public function generate()
 	 */
 	public function generateQuestion()
 	{
-		return sprintf('<span class="captcha_text%s">%s</span>',
+		return sprintf('<span id="captcha_text_%s" class="captcha_text%s">%s</span>',
+						$this->strId,
 						(($this->strClass != '') ? ' ' . $this->strClass : ''),
 						$this->getQuestion());
 	}

system/modules/core/languages/en/tl_settings.xlf

@@ -252,7 +252,7 @@
         <source>Maximum front end width</source>
       </trans-unit>
       <trans-unit id="tl_settings.maxImageWidth.1">
-        <source>If the width of an image or movie exceeds this value, it will be adjusted automatically.</source>
+        <source>If the width of an image or movie exceeds this value, it will be adjusted automatically. Set to 0 to disable the limit.</source>
       </trans-unit>
       <trans-unit id="tl_settings.jpgQuality.0">
         <source>JPG thumbnail quality</source>

system/modules/core/library/Contao/Automator.php

@@ -762,6 +762,7 @@ public function generateDcaExtracts()
 			$objFile->append(sprintf("\$this->arrMeta = %s;\n", var_export($objExtract->getMeta(), true)));
 			$objFile->append(sprintf("\$this->arrFields = %s;\n", var_export($objExtract->getFields(), true)));
 			$objFile->append(sprintf("\$this->arrOrderFields = %s;\n", var_export($objExtract->getOrderFields(), true)));
+			$objFile->append(sprintf("\$this->arrUniqueFields = %s;\n", var_export($objExtract->getUniqueFields(), true)));
 			$objFile->append(sprintf("\$this->arrKeys = %s;\n", var_export($objExtract->getKeys(), true)));
 			$objFile->append(sprintf("\$this->arrRelations = %s;\n", var_export($objExtract->getRelations(), true)));
 

system/modules/core/library/Contao/DcaLoader.php

@@ -48,6 +48,11 @@ public function __construct($strTable)
 			throw new \Exception('The table name must not be empty');
 		}
 
+		if (\Validator::isInsecurePath($strTable))
+		{
+			throw new \InvalidArgumentException('The table name contains invalid characters');
+		}
+
 		parent::__construct();
 
 		$this->strTable = $strTable;

system/modules/core/templates/backend/be_login.html5

@@ -3,7 +3,7 @@
 <head>
 
   <meta charset="<?= $this->charset ?>">
-  <title><?= $this->title ?> - Contao Open Source CMS <?= VERSION ?></title>
+  <title><?= $this->title ?> - Contao Open Source CMS</title>
   <base href="<?= $this->base ?>">
   <meta name="generator" content="Contao Open Source CMS">
   <meta name="viewport" content="width=device-width,initial-scale=1.0">
@@ -40,7 +40,7 @@
   <![endif]-->
 
   <div id="header">
-    <h1>Contao Open Source CMS <?= VERSION ?></h1>
+    <h1>Contao Open Source CMS</h1>
   </div>
 
   <div id="container">

system/modules/core/templates/forms/form_captcha.html5

@@ -13,8 +13,8 @@
     <p class="error"><?= $this->getErrorAsString() ?></p>
   <?php endif; ?>
 
-  <input type="text" name="<?= $this->name ?>" id="ctrl_<?= $this->id ?>" class="captcha mandatory<?php if ($this->class) echo ' ' . $this->class; ?>" value=""<?= $this->getAttributes() ?>>
-  <span class="captcha_text<?php if ($this->class) echo ' ' . $this->class; ?>"><?= $this->getQuestion() ?></span>
+  <input type="text" name="<?= $this->name ?>" id="ctrl_<?= $this->id ?>" class="captcha mandatory<?php if ($this->class) echo ' ' . $this->class; ?>" value="" aria-describedby="captcha_text_<?= $this->id ?>"<?= $this->getAttributes() ?>>
+  <span id="captcha_text_<?= $this->id ?>" class="captcha_text<?php if ($this->class) echo ' ' . $this->class; ?>"><?= $this->getQuestion() ?></span>
 
   <?php if ($this->addSubmit): ?>
     <input type="submit" id="ctrl_<?= $this->id ?>_submit" class="submit" value="<?= $this->slabel ?>">

system/modules/core/templates/forms/form_captcha.xhtml

@@ -13,8 +13,8 @@
     <p class="error"><?= $this->getErrorAsString() ?></p>
   <?php endif; ?>
 
-  <input type="text" name="<?= $this->name ?>" id="ctrl_<?= $this->id ?>" class="captcha mandatory<?php if ($this->class) echo ' ' . $this->class; ?>" value=""<?= $this->getAttributes() ?> />
-  <span class="captcha_text<?php if ($this->class) echo ' ' . $this->class; ?>"><?= $this->getQuestion() ?></span>
+  <input type="text" name="<?= $this->name ?>" id="ctrl_<?= $this->id ?>" class="captcha mandatory<?php if ($this->class) echo ' ' . $this->class; ?>" value="" aria-describedby="captcha_text_<?= $this->id ?>"<?= $this->getAttributes() ?> />
+  <span id="captcha_text_<?= $this->id ?>" class="captcha_text<?php if ($this->class) echo ' ' . $this->class; ?>"><?= $this->getQuestion() ?></span>
 
   <?php if ($this->addSubmit): ?>
     <input type="submit" id="ctrl_<?= $this->id ?>_submit" class="submit" value="<?= $this->slabel ?>" />

system/modules/core/templates/forms/form_hidden.html5

@@ -1,2 +1,2 @@
 
-<input type="hidden" name="<?= $this->name ?>" value="<?= $this->value ?>">
+<input type="hidden" name="<?= $this->name ?>" value="<?= specialchars($this->value) ?>">

system/modules/core/templates/forms/form_hidden.xhtml

@@ -1,2 +1,2 @@
 
-<input type="hidden" name="<?= $this->name ?>" value="<?= $this->value ?>" />
+<input type="hidden" name="<?= $this->name ?>" value="<?= specialchars($this->value) ?>" />

system/modules/repository/classes/RepositorySettings.php

@@ -17,6 +17,7 @@
 
 // valid core versions in descending order
 define('REPOSITORY_COREVERSIONS',
+		'30050289,30050289;'.	// 3.5.28
 		'30050279,30050279;'.	// 3.5.27
 		'30050269,30050269;'.	// 3.5.26
 		'30050259,30050259;'.	// 3.5.25