
Anonymous committed 785b64c

Elgg 1.7.11 migration.

The following security enhancements were made:

* Aung Khant from the YEHG reported and helped to fix an XSS vector in the Embed plugin and an SQL exposure vector in the Search plugin.

* Lostmon Lords reported and helped to fix an SQL injection vector in the search plugin.

Tons of thanks to these two people, who have been helping us find and fix security problems for the last few releases!

1.7.11 also includes a few minor bugfixes:

* Filtering by content works again in the activity stream.

* Dragging works in IE 9 for profile widgets.

  • Parent commits 54bd92e


Files changed (11)

+Version 1.7.11
+(August 15, 2011 from http://github.com/Elgg/elgg)
+
+ Security Enhancements:
+  * Fixed possible XSS vector in the embed plugin. Thanks to Aung Khant from YEHG for the report.
+  * Fixed possible SQL exposure exploit in the search plugin. Thanks again to Aung Khant.
+  * Fixed possible SQL injection vector in the search plugin. Thanks to Lostmon Lords for the report.
+
+ Bugfixes:
+  * Filtering by content works in the dashboard again.
+  * Dragging widgets works in IE9.
+
+ API Changes:
+  * Deleting a container will delete all contained objects regardless of access_id.
+  * setLocation() and setLatLong() no longer double escapes strings.
+  * Calling elgg_list_entities() with count set no longer breaks the display.
+
 Version 1.7.10
 (June 14, 2011 from http://code.elgg.org/branches/1.7)
 

elgg/engine/lib/database.php

 			return false;
 		}
 
-		return $cached_query;
+		// if this was cached as a full result, only return the first.
+		// http://trac.elgg.org/ticket/3555
+		if (is_array($cached_query)) {
+			return $cached_query[0];
+		} else {
+			return $cached_query;
+		}
 	}
 
 	$dblink = get_db_link('read');
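Review bot: The new `is_array` branch reads `$cached_query[0]` without checking that the cached result has a first row, so a full result cached as an empty array would raise an undefined-offset notice and return null instead of the `false` the miss path above returns. Suggest `return isset($cached_query[0]) ? $cached_query[0] : false;` inside the branch, which also removes the redundant `else`. Whether an empty result set is ever stored in the cache is not visible from this hunk, so treat the guard as cheap insurance. The enclosing function starts and ends outside the hunk.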

elgg/engine/lib/entities.php

 
 	/** Interface to set the location */
 	public function setLocation($location) {
-		$location = sanitise_string($location);
-
-		$this->location = $location;
-
-		return true;
+		return $this->location = $location;
 	}
 
 	/**
 	 * @param float $long
 	 */
 	public function setLatLong($lat, $long) {
-		$lat = sanitise_string($lat);
-		$long = sanitise_string($long);
-
 		$this->set('geo:lat', $lat);
 		$this->set('geo:long', $long);
 
 
 	$owner_guids_sanitised = array();
 	foreach ($owner_guids as $owner_guid) {
-		if (($owner_guid != sanitise_int($owner_guid))) {
-			return FALSE;
+		if ($owner_guid !== ELGG_ENTITIES_NO_VALUE) {
+			$owner_guid = sanitise_int($owner_guid);
+
+			if (!$owner_guid) {
+				return false;
+			}
 		}
+		
 		$owner_guids_sanitised[] = $owner_guid;
 	}
 
 
 	$container_guids_sanitised = array();
 	foreach ($container_guids as $container_guid) {
-		$sanitized_guid = sanitise_int($container_guid);
-		if (($container_guid != $sanitized_guid)) {
-			return FALSE;
+		if ($container_guid !== ELGG_ENTITIES_NO_VALUE) {
+			$container_guid = sanitise_int($container_guid);
+			
+			if (!$container_guid) {
+				return false;
+			}
 		}
+
 		$container_guids_sanitised[] = $sanitized_guid;
 	}
 
 		'pagination' => TRUE
 	);
 	$options = array_merge($defaults, $options);
-
-	$count = elgg_get_entities(array_merge(array('count' => TRUE), $options));
+	
+	if (isset($options['count'])) {
+		unset ($options['count']);
+	}
+
+	$count = elgg_get_entities(array_merge($options, array('count' => TRUE)));
 	$entities = elgg_get_entities($options);
 
 	return elgg_view_entity_list($entities, $count, $options['offset'],
 
 					$entity_disable_override = access_get_show_hidden_status();
 					access_show_hidden_entities(true);
+					$ia = elgg_set_ignore_access(true);
 					$sub_entities = get_data("SELECT * from {$CONFIG->dbprefix}entities
 						WHERE container_guid=$guid
 							or owner_guid=$guid
 
 					access_show_hidden_entities($entity_disable_override);
 					$__RECURSIVE_DELETE_TOKEN = null;
+					elgg_set_ignore_access($ia);
 				}
 
 				// Now delete the entity itself
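Review bot: In the container_guids hunk, the unchanged line `$container_guids_sanitised[] = $sanitized_guid;` still appends `$sanitized_guid`, but the only assignment to that variable was on the removed line, so every entry pushed into the sanitised list is now an undefined (null) variable rather than the guid that was just validated; the owner_guids hunk directly above correctly appends `$owner_guid`. Change it to `$container_guids_sanitised[] = $container_guid;`. Separately, the `if (isset($options['count'])) { unset ($options['count']); }` pair in the elgg_list_entities hunk can be a bare `unset($options['count']);`, since unset on a missing key is a no-op; the same pattern is repeated in metadata.php and relationships.php. Each of these hunks sits inside a function whose start is outside the view.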

elgg/engine/lib/metadata.php

 
 	$options = array_merge($defaults, $options);
 
-	$count = elgg_get_entities_from_metadata(array_merge(array('count' => TRUE), $options));
+	if (isset($options['count'])) {
+		unset ($options['count']);
+	}
+
+	$count = elgg_get_entities_from_metadata(array_merge($options, array('count' => TRUE)));
 	$entities = elgg_get_entities_from_metadata($options);
 
 	return elgg_view_entity_list($entities, $count, $options['offset'], $options['limit'], $options['full_view'], $options['view_type_toggle'], $options['pagination']);

elgg/engine/lib/pageowner.php

 	if (isset($CONFIG->context) && !empty($CONFIG->context)) {
 		return $CONFIG->context;
 	}
-	if (preg_match("/\/pg\/([\w\-\_]+)/", $_SERVER['REQUEST_URI'], $matches)) {
+	if (preg_match("|/pg/([\w\-\_]+)/?|", $_SERVER['REQUEST_URI'], $matches)) {
 		return $matches[1];
 	}
 	if ($context = get_plugin_name(true)) {
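Review bot: The `/?` appended to the pattern on the changed line is optional and sits outside the capture group, so it cannot change whether the regex matches or what `$matches[1]` holds; old and new patterns yield the same context for every input, and the only effective change is the delimiter swap. If no behaviour change was intended, drop the suffix and the redundant `\_` (already covered by `\w`): `"|/pg/([\w\-]+)|"`. Since the captured value comes straight from `$_SERVER['REQUEST_URI']`, keeping the character class this narrow is what makes the returned context safe to reuse; avoid widening it. The enclosing function starts outside the hunk.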

elgg/engine/lib/relationships.php

 
 	$options = array_merge($defaults, $options);
 
-	$count = elgg_get_entities_from_relationship(array_merge(array('count' => TRUE), $options));
+	if (isset($options['count'])) {
+		unset ($options['count']);
+	}
+
+	$count = elgg_get_entities_from_relationship(array_merge($options, array('count' => TRUE)));
 	$entities = elgg_get_entities_from_relationship($options);
 
 	return elgg_view_entity_list($entities, $count, $options['offset'], $options['limit'], $options['full_view'], $options['view_type_toggle'], $options['pagination']);

elgg/mod/embed/embed.php

 		
 	// Get the name of the form field we need to inject into
 		$internalname = get_input('internalname');
+		$internalname = htmlentities($internalname);
 		
 		if (!isloggedin()) exit;
 		
 							'simpletypes' => $types,
 					   ));
 
-?>
+?>
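Review bot: `htmlentities($internalname)` on the added line relies on the default flags, which in this PHP generation leave single quotes unencoded and assume ISO-8859-1, so if `internalname` is later interpolated into a single-quoted attribute or a JavaScript string the escaping is incomplete; prefer `htmlentities($internalname, ENT_QUOTES, 'UTF-8')`. Where the value is echoed is not in the hunk, so the output context cannot be confirmed from here. Encoding also happens before the `isloggedin()` check; harmless, but the guard could come first. The enclosing block starts outside the hunk.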

elgg/mod/riverdashboard/index.php

 
 // only allow real and registered subtypes
 $registered_entities = get_registered_entity_types($type);
-$valid_subtypes = array();
-if ($registered_entities) {
-	foreach ($registered_entities as $tmp_type => $temp_subtypes) {
-		$valid_subtypes = array_merge($valid_subtypes, $temp_subtypes);
-	}
-}
 
-if (!in_array($subtype, $valid_subtypes)) {
+if (!in_array($subtype, $registered_entities)) {
 	$subtype = '';
 }
 

elgg/mod/search/search_hooks.php

 			$container_guid = implode(",",$container_guid);
 			$container_and = 'AND e.container_guid in (' . sanitise_string($container_guid).')';
 		} else {
-			$container_and = 'AND e.container_guid = ' . sanitise_string($params['container_guid']);
+			$container_and = 'AND e.container_guid = ' . sanitise_int($params['container_guid']);
 		}
 	}
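Review bot: The fix on the changed line only covers the scalar branch; the array branch two lines above still builds `e.container_guid in (...)` from `sanitise_string(implode(",", $container_guid))`, which escapes quotes but does not force each element to be an integer, so non-numeric values can still reach the IN list. Sanitise per element before joining, `$container_guid = implode(",", array_map('sanitise_int', $container_guid));`, and drop the `sanitise_string` wrap on the following line. The enclosing function starts and ends outside the hunk.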
 
 $version = 2011052801;
 
 // Human-friendly version name
-$release = '1.7.10';
+$release = '1.7.11';

elgg/views/default/page_elements/header.php

 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
 <head>
+	<!-- Force IE 9 to IE 8 Document Mode for jQuery-UI 1.7.2 draggable and sortable -->
+	<meta http-equiv="X-UA-Compatible" content="IE=8" />
 	<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
 	<meta name="ElggRelease" content="<?php echo $release; ?>" />
 	<meta name="ElggVersion" content="<?php echo $version; ?>" />