Low severityNVD Advisory· Published May 21, 2026
CVE-2026-7882
CVE-2026-7882
Description
Concrete CMS 9.5.0 and below is vulnerable to unauthorized file deletion due to an Inverted CSRF token check in the DeleteFile controller. The code throws an error when the token IS valid and proceeds with file deletion when the token is invalid or missing. This effectively disables CSRF protection for the file deletion endpoint, allowing cross-site request forgery attacks against users who have permission to edit conversation messages. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with a vector of CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Tristan Mandani for reporting.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Concrete CMS 9.5.0 and below has an inverted CSRF token check in the DeleteFile controller, allowing unauthorized file deletion via cross-site request forgery due to flawed logic that proceeds when the token is invalid.
Vulnerability
Analysis
CVE-2026-7882 affects Concrete CMS versions 9.5.0 and earlier. The vulnerability stems from an inverted Cross-Site Request Forgery (CSRF) token check in the DeleteFile controller. Specifically, the code erroneously throws an error when the CSRF token is valid and proceeds with file deletion when the token is invalid or missing. This logic reversal effectively disables CSRF protection for the file deletion endpoint. [1]
Exploitation
Conditions
An attacker can exploit this flaw via a cross-site request forgery attack against users who have permission to edit conversation messages. The attack requires no authentication on the attacker's part (PR:N) but relies on user interaction (UI:P). According to the advisory, the attack complexity is low (AC:L) but requires an active attack on the target system (AT:P). The CVSS v4.0 vector is CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. [1]
Impact
Successful exploitation allows an attacker to delete files that the victim user is authorized to delete, specifically files associated with conversation messages. The impact is limited to file deletion without any direct confidentiality impact (VC:N) and only low integrity impact (VI:L). No availability impact is reported (VA:N). [1]
Mitigation
The Concrete CMS security team has addressed this vulnerability in version 9.5.1, as documented in the release notes. Users are advised to upgrade to version 9.5.1 or later. The release notes include a fix that corrects the CSRF token validation logic in the DeleteFile controller. No workarounds are mentioned. [1]
References
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: <=9.5.0
Patches
1f22b9dff5945Sec fixes 9.5.1 (#12920)
https://github.com/concretecms/concretecmsAndrew EmblerMay 19, 2026Fixed in 9.5.1via llm-release-walk
73 files changed · +737 −355
build/assets/themes/dashboard/js/file-manager/file-manager.js+6 −0 modified@@ -39,6 +39,9 @@ new ConcreteAjaxRequest({ loader: false, url: CCM_DISPATCHER_FILENAME + "/ccm/system/file/add_favorite_folder/" + favoriteFolderId, + data: { + ccm_token: CCM_SECURITY_TOKEN + }, success: function() { ConcreteEvent.publish('FileManagerRefreshFavoriteFolderList') } @@ -48,6 +51,9 @@ new ConcreteAjaxRequest({ loader: false, url: CCM_DISPATCHER_FILENAME + "/ccm/system/file/remove_favorite_folder/" + favoriteFolderId, + data: { + ccm_token: CCM_SECURITY_TOKEN + }, success: function() { ConcreteEvent.publish('FileManagerRefreshFavoriteFolderList') }
build/package.json+1 −1 modified@@ -13,7 +13,7 @@ "production": "mix --production" }, "devDependencies": { - "@concretecms/bedrock": "^1.7.1", + "@concretecms/bedrock": "^1.7.2", "cross-env": "^5.1.1", "download": "~8.0.0", "grunt": "^1.5.3",
build/package-lock.json+4 −4 modified@@ -12,7 +12,7 @@ "tui-image-editor": "^3.10.0" }, "devDependencies": { - "@concretecms/bedrock": "^1.7.1", + "@concretecms/bedrock": "^1.7.2", "cross-env": "^5.1.1", "download": "~8.0.0", "grunt": "^1.5.3", @@ -1751,9 +1751,9 @@ } }, "node_modules/@concretecms/bedrock": { - "version": "1.7.1", - "resolved": "https://registry.npmjs.org/@concretecms/bedrock/-/bedrock-1.7.1.tgz", - "integrity": "sha512-iFj4vFmDR9cEs1Is0Xx4dySNc7q5DukRFyp6oFpRGQ4K6qLVqLosvA97aZtt5Ix1OO7K2rNDQ4lNwXfYAOhvAg==", + "version": "1.7.2", + "resolved": "https://registry.npmjs.org/@concretecms/bedrock/-/bedrock-1.7.2.tgz", + "integrity": "sha512-ZlBLoD3zLgsLf3Up6ilwCj+H3Bdxo4PCRp04g3zFg5TfTsIq0bkNKRTaQq7P/mPC3TbyXBK+7g5XobK4JGxbCQ==", "dev": true, "license": "MIT", "dependencies": {
concrete/blocks/calendar/controller.php+13 −3 modified@@ -4,9 +4,11 @@ use Concrete\Core\Attribute\Key\EventKey; use Concrete\Core\Block\BlockController; +use Concrete\Core\Block\Controller\SaveMode; use Concrete\Core\Calendar\Calendar; use Concrete\Core\Calendar\CalendarServiceProvider; use Concrete\Core\Calendar\Event\EventOccurrenceList; +use Concrete\Core\Error\UserMessageException; use Concrete\Core\Feature\Features; use Concrete\Core\Feature\UsesFeatureInterface; use Concrete\Core\Html\Object\HeadLink; @@ -193,10 +195,18 @@ public function action_get_events($bID) $service = $this->app->make('date'); if ($bID == $this->bID) { + $calendar = $this->getCalendar(); + if (!$calendar) { + throw new UserMessageException(t('Invalid calendar.')); + } + $checker = new Checker($calendar); + if (!$checker->canViewCalendar()) { + throw new UserMessageException(t('Access Denied.')); + } $start = $this->request->query->get('start'); $end = $this->request->query->get('end'); $list = new EventOccurrenceList(); - $list->filterByCalendar($this->getCalendar()); + $list->filterByCalendar($calendar); if ($this->filterByTopicAttributeKeyID) { $ak = EventKey::getByID($this->filterByTopicAttributeKeyID); if (is_object($ak)) { @@ -424,7 +434,7 @@ public function supportsLightbox() */ public function save($args) { - if (($args['_fromCIF'] ?? null) === true) { + if ($this->saveMode === SaveMode::SAVE_MODE_IMPORT) { parent::save($args); return; } @@ -548,7 +558,7 @@ public function export(SimpleXMLElement $blockNode) protected function getImportData($blockNode, $page) { $data = parent::getImportData($blockNode, $page); - $data['_fromCIF'] = true; + $this->saveMode = SaveMode::SAVE_MODE_IMPORT; $data['caID'] = 0; if (is_string($caName = $data['caName'] ?? null) && ($caName = trim($caName)) !== '') { $calendar = Calendar::getByName($caName);
concrete/blocks/express_entry_detail/controller.php+9 −1 modified@@ -7,12 +7,15 @@ use Concrete\Core\Entity\Express\Entity; use Concrete\Core\Entity\Express\Entry; use Concrete\Core\Entity\Express\Form; +use Concrete\Core\Error\UserMessageException; use Concrete\Core\Express\Form\Context\FrontendViewContext; use Concrete\Core\Express\Form\Renderer; +use Concrete\Core\Express\ObjectManager; use Concrete\Core\Feature\Features; use Concrete\Core\Feature\UsesFeatureInterface; use Concrete\Core\Form\Context\ContextFactory; use Concrete\Core\Html\Service\Seo; +use Concrete\Core\Permission\Checker; use Concrete\Core\Support\Facade\Express; use Concrete\Core\Support\Facade\Facade; use Concrete\Core\Url\SeoCanonical; @@ -157,9 +160,14 @@ public function view() */ public function action_view_express_entity($exEntryID = null) { - $entry = $exEntryID ? $this->entityManager->find(Entry::class, $exEntryID) : null; + $objectManager = $this->app->make(ObjectManager::class); + $entry = $exEntryID ? $objectManager->getEntryByPublicIdentifier($exEntryID) : null; if ($entry) { $entity = $this->entityManager->find(Entity::class, $this->exEntityID); + $checker = new Checker($entity); + if (!$checker->canViewExpressEntries()) { + throw new UserMessageException(t('Access Denied.')); + } if ($entry->getEntity()->getID() == $entity->getID()) { /** @var Seo $seo */ $seo = $this->app->make('helper/seo');
concrete/blocks/express_entry_list/controller.php+3 −2 modified@@ -4,6 +4,7 @@ use Concrete\Controller\Element\Search\Express\CustomizeResults; use Concrete\Controller\Element\Search\SearchFieldSelector; use Concrete\Core\Block\BlockController; +use Concrete\Core\Block\Controller\SaveMode; use Concrete\Core\Entity\Express\Association; use Concrete\Core\Entity\Express\Entity; use Concrete\Core\Entity\Search\Query; @@ -477,7 +478,7 @@ protected function getItemsPerPageOptions() public function save($data) { $this->on_start(); - $fromCIF = ($data['_fromCIF'] ?? null) === true; + $fromCIF = $this->saveMode === SaveMode::SAVE_MODE_IMPORT; if (!$fromCIF) { $data['columns'] = ''; $data['filterFields'] = ''; @@ -564,7 +565,7 @@ protected function getImportData($blockNode, $page) private function doGetImportData(SimpleXMLElement $blockNode, $page): array { $args = parent::getImportData($blockNode, $page); - $args['_fromCIF'] = true; + $this->saveMode = SaveMode::SAVE_MODE_IMPORT; $xRecord = $blockNode->data[0]->record[0]; $entityID = (string) ($args['exEntityID'] ?? '');
concrete/blocks/express_entry_list/view.php+1 −1 modified@@ -99,7 +99,7 @@ class="table ccm-block-express-entry-list-table <?php if ($tableStriped) { ?><?p <tr class="<?=$rowClass?>"> <?php foreach ($item->getColumns() as $column) { if ($controller->linkThisColumn($column)) { ?> - <td><a href="<?=URL::to($detailPage, 'view_express_entity', $item->getEntry()->getId())?>"><?=$column->getColumnValue($item);?></a></td> + <td><a href="<?=URL::to($detailPage, 'view_express_entity', $item->getEntry()->getPublicIdentifier())?>"><?=$column->getColumnValue($item);?></a></td> <?php } else { ?> <td><?=$column->getColumnValue($item);?></td>
concrete/blocks/feature/controller.php+4 −2 modified@@ -2,6 +2,7 @@ namespace Concrete\Block\Feature; use Concrete\Core\Block\BlockController; +use Concrete\Core\Block\Controller\SaveMode; use Concrete\Core\Editor\LinkAbstractor; use Concrete\Core\Error\UserMessageException; use Concrete\Core\Feature\Features; @@ -228,7 +229,7 @@ public function save($args) $args['title'] = isset($args['title']) ? $security->sanitizeString($args['title']) : ''; $args['titleFormat'] = isset($args['titleFormat']) ? $security->sanitizeString($args['titleFormat']) : ''; $args['paragraph'] = isset($args['paragraph']) ? LinkAbstractor::translateTo($args['paragraph']) : ''; - if (($args['_fromCIF'] ?? null) === true) { + if ($this->saveMode === SaveMode::SAVE_MODE_IMPORT) { $args['internalLinkCID'] = empty($args['internalLinkCID']) ? 0 : (int) $args['internalLinkCID']; } else { [$linkHandle, $linkValue] = $this->app->make(DestinationPicker::class)->decode('link', $this->getLinkDestinationPickers(), $errors, t('Link'), $args); @@ -248,7 +249,8 @@ public function save($args) */ protected function getImportData($blockNode, $page) { - return parent::getImportData($blockNode, $page) + ['_fromCIF' => true]; + $this->saveMode = SaveMode::SAVE_MODE_IMPORT; + return parent::getImportData($blockNode, $page); } /**
concrete/blocks/feature_link/controller.php+3 −2 modified@@ -3,6 +3,7 @@ namespace Concrete\Block\FeatureLink; use Concrete\Core\Block\BlockController; +use Concrete\Core\Block\Controller\SaveMode; use Concrete\Core\Feature\Features; use Concrete\Core\Feature\UsesFeatureInterface; use Concrete\Core\File\File; @@ -272,7 +273,7 @@ public function view() public function save($args) { - $fromCIF = ($args['__fromCIF'] ?? null) === true; + $fromCIF = $this->saveMode === SaveMode::SAVE_MODE_IMPORT; if (!$fromCIF) { list($imageLinkType, $imageLinkValue) = $this->app->make(DestinationPicker::class)->decode('imageLink', $this->getImageLinkPickers(), null, null, $args); $args['buttonInternalLinkCID'] = $imageLinkType === 'page' ? $imageLinkValue : 0; @@ -295,8 +296,8 @@ public function save($args) */ public function getImportData($blockNode, $page) { + $this->saveMode = SaveMode::SAVE_MODE_IMPORT; $args = parent::getImportData($blockNode, $page); - $args += ['__fromCIF' => true]; foreach (['buttonInternalLinkCID', 'buttonFileLinkID', 'fID'] as $field) { $args[$field] = empty($args[$field]) ? 0 : (int) $args[$field]; }
concrete/blocks/hero_image/controller.php+1 −0 modified@@ -259,6 +259,7 @@ public function save($args) } $args['image'] = is_numeric($args['image']) ? $args['image'] : 0; + $args['height'] = isset($args['height']) ? (int) $args['height'] : 0; $security = $this->app->make('helper/security'); $args['icon'] = $security->sanitizeString($args['icon']);
concrete/blocks/hero_image/view.php+2 −0 modified@@ -31,6 +31,8 @@ return; } +$height = (int) $height; + /** * Building the button */
concrete/blocks/image/controller.php+3 −2 modified@@ -3,6 +3,7 @@ namespace Concrete\Block\Image; use Concrete\Core\Block\BlockController; +use Concrete\Core\Block\Controller\SaveMode; use Concrete\Core\Database\Connection\Connection; use Concrete\Core\Error\Error; use Concrete\Core\Feature\Features; @@ -547,7 +548,7 @@ public function delete() */ public function save($args) { - $fromCIF = ($args['__fromCIF'] ?? null) === true; + $fromCIF = $this->saveMode === SaveMode::SAVE_MODE_IMPORT; /** @var Connection $db */ $db = $this->app->make(Connection::class); @@ -611,8 +612,8 @@ public function save($args) */ protected function getImportData($blockNode, $page) { + $this->saveMode = SaveMode::SAVE_MODE_IMPORT; $args = parent::getImportData($blockNode, $page); - $args['__fromCIF'] = true; foreach (['internalLinkCID', 'fileLinkID'] as $field) { $args[$field] = empty($args[$field]) ? 0 : (int) $args[$field]; }
concrete/blocks/page_list/controller.php+3 −2 modified@@ -7,6 +7,7 @@ use Concrete\Core\Attribute\Category\PageCategory; use Concrete\Core\Attribute\Key\CollectionKey; use Concrete\Core\Block\BlockController; +use Concrete\Core\Block\Controller\SaveMode; use Concrete\Core\Block\View\BlockView; use Concrete\Core\Feature\Features; use Concrete\Core\Feature\UsesFeatureInterface; @@ -776,7 +777,7 @@ public function isValidControllerTask($method, $parameters = []) public function save($args) { - $fromCIF = ($args['__fromCIF'] ?? null) === true; + $fromCIF = $this->saveMode === SaveMode::SAVE_MODE_IMPORT; // If we've gotten to the process() function for this class, we assume that we're in // the clear, as far as permissions are concerned (since we check permissions at several @@ -1003,11 +1004,11 @@ public function export(SimpleXMLElement $blockNode) */ protected function getImportData($blockNode, $page) { + $this->saveMode = SaveMode::SAVE_MODE_IMPORT; if (!$this->cID && $page) { $this->cID = $page->getCollectionID(); } $args = parent::getImportData($blockNode, $page); - $args['__fromCIF'] = true; $args['customTopicTreeNodeID'] = 0; $customTopicAttributeKeyHandle = (string) ($args['customTopicAttributeKeyHandle'] ?? ''); $customTopicTreeNodePath = (string) ($args['customTopicTreeNodePath'] ?? '');
concrete/blocks/survey/controller.php+24 −3 modified@@ -159,6 +159,12 @@ public function action_form_save_vote($bID = false) if (!$this->hasVoted()) { $antispam = Core::make('helper/validation/antispam'); if ($antispam->check('', 'survey_block')) { // we do a blank check which will still check IP and UserAgent's + $optionID = (int) $this->request->get('optionID'); + $q = 'SELECT optionID FROM btSurveyOptions WHERE optionID = ? AND bID = ?'; + $optionID = $db->getOne($q, [$optionID, $this->bID]); + if (!$optionID) { + return false; + } $duID = 0; if ($u->getUserID() > 0) { $duID = $u->getUserID(); @@ -169,7 +175,7 @@ public function action_form_save_vote($bID = false) $ip = $iph->getRequestIP(); $ip = ($ip === false) ? ('') : ($ip->getIp($ip::FORMAT_IP_STRING)); $v = [ - $this->request->get('optionID'), + $optionID, $this->bID, $duID, $ip, @@ -219,8 +225,23 @@ public function hasVoted() if ($result > 0) { return true; } - } else if ($cookieHasVoted) { - return true; + } else { + /** @var \Concrete\Core\Permission\IPService $iph */ + $iph = Core::make('helper/validation/ip'); + $ip = $iph->getRequestIP(); + $ip = ($ip === false) ? ('') : ($ip->getIp($ip::FORMAT_IP_STRING)); + if ($ip !== '') { + $db = Database::connection(); + $v = [$ip, $this->bID, $this->cID]; + $q = 'SELECT count(resultID) AS total FROM btSurveyResults WHERE ipAddress = ? AND bID = ? AND cID = ?'; + $result = $db->getOne($q, $v); + if ($result > 0) { + return true; + } + } + if ($cookieHasVoted) { + return true; + } } return false;
concrete/controllers/backend/file.php+46 −65 modified@@ -25,7 +25,10 @@ use Concrete\Core\Permission\Checker; use Concrete\Core\Tree\Node\Node; use Concrete\Core\Tree\Node\Type\FileFolder; -use Concrete\Core\Url\Url; +use Concrete\Core\Url\Validation\InvalidRemoteUrlException; +use Concrete\Core\Url\Validation\RemoteUrlRequestOptionsBuilder; +use Concrete\Core\Url\Validation\RemoteUrlValidator; +use Concrete\Core\Url\Validation\ValidatedRemoteUrl; use Concrete\Core\Utility\Service\Number; use Concrete\Core\Utility\Service\Validation\Strings; use Concrete\Core\Validation\CSRF\Token; @@ -35,12 +38,7 @@ use FileSet; use GuzzleHttp\Client; use GuzzleHttp\Psr7\Request; -use GuzzleHttp\RequestOptions; -use IPLib\Factory as IPFactory; -use IPLib\ParseStringFlag as IPParseStringFlag; -use IPLib\Range\Type as IPRangeType; use Permissions as ConcretePermissions; -use RuntimeException; use Symfony\Component\HttpFoundation\File\UploadedFile; use ZipArchive; @@ -69,6 +67,10 @@ class File extends Controller public function star() { + $token = $this->app->make('token'); + if (!$token->validate()) { + throw new UserMessageException($token->getErrorMessage(), 401); + } $fs = FileSet::createAndGetSet('Starred Files', FileSet::TYPE_STARRED); $files = $this->getRequestFiles(); $r = new FileEditResponse(); @@ -87,6 +89,10 @@ public function star() public function rescan() { + $token = $this->app->make('token'); + if (!$token->validate()) { + throw new UserMessageException($token->getErrorMessage(), 401); + } $files = $this->getRequestFiles('edit_file_contents'); $r = new FileEditResponse(); $r->setFiles($files); @@ -106,6 +112,10 @@ public function rescan() public function rescanMultiple() { + $token = $this->app->make('token'); + if (!$token->validate()) { + throw new UserMessageException($token->getErrorMessage(), 401); + } $files = $this->getRequestFiles('edit_file_contents'); $batch = BatchBuilder::create(t('Rescan Files'), function() use ($files) { foreach ($files as $file) { @@ -117,6 +127,10 @@ public function rescanMultiple() public function approveVersion() { + $token = $this->app->make('token'); + if (!$token->validate('approve_file_version')) { + throw new UserMessageException($token->getErrorMessage(), 401); + } $files = $this->getRequestFiles('edit_file_contents'); $fvID = $this->request->request->get('fvID', $this->request->query->get('fvID')); $fvID = $this->app->make('helper/security')->sanitizeInt($fvID); @@ -133,9 +147,7 @@ public function approveVersion() public function deleteVersion() { $token = $this->app->make('token'); - if (!$token->validate('delete-version')) { - $files = $this->getRequestFiles('edit_file_contents'); - } + $files = $this->getRequestFiles('edit_file_contents'); $fvID = $this->request->request->get('fvID', $this->request->query->get('fvID')); $fvID = $this->app->make('helper/security')->sanitizeInt($fvID); $fv = $files[0]->getVersion($fvID); @@ -254,6 +266,10 @@ public function getFavoriteFolders() public function addFavoriteFolder($folderId) { + $token = $this->app->make('token'); + if (!$token->validate()) { + throw new UserMessageException($token->getErrorMessage(), 401); + } $editResponse = new EditResponse(); $errors = new ErrorList(); $user = new \Concrete\Core\User\User(); @@ -301,6 +317,10 @@ public function addFavoriteFolder($folderId) /** @noinspection DuplicatedCode */ public function removeFavoriteFolder($folderId) { + $token = $this->app->make('token'); + if (!$token->validate()) { + throw new UserMessageException($token->getErrorMessage(), 401); + } $editResponse = new EditResponse(); $errors = new ErrorList(); $user = new \Concrete\Core\User\User(); @@ -421,15 +441,15 @@ public function importRemote() break; } - $validIps = (array) $this->checkRemoteURlsToImport($urls); + $validatedUrls = (array) $this->checkRemoteURlsToImport($urls); $originalPage = $this->getImportOriginalPage(); $fi = $this->app->make(Importer::class); $volatileDirectory = $this->app->make(VolatileDirectory::class); foreach ($urls as $url) { try { $host = (string) \League\Url\Url::createFromUrl($url)->getHost(); - $downloadedFile = $this->downloadRemoteURL($url, $volatileDirectory->getPath(), $validIps[$host] ?? null); + $downloadedFile = $this->downloadRemoteURL($url, $volatileDirectory->getPath(), $validatedUrls[$host] ?? null); $fileVersion = $fi->import($downloadedFile, false, $replacingFile ?: $this->getDestinationFolder()); if (!$fileVersion instanceof FileVersionEntity) { $errors->add($url . ': ' . $fi->getErrorMessage($fileVersion)); @@ -777,65 +797,37 @@ protected function checkExistingIncomingFiles(array $incomingFiles, Incoming $in /** * Check that a list of strings are valid "incoming" file names. * - * @param string $urls - * @return array<string, string> An array of domains and their validated IPs + * @param string[] $urls + * @return array<string, \Concrete\Core\Url\Validation\ValidatedRemoteUrl> An array of domains and their validated URLs * * @throws \Concrete\Core\Error\UserMessageException in case one or more of the specified URLs are not valid * * @since 8.5.0a3 */ protected function checkRemoteURlsToImport(array $urls) { - $validIps = []; + $validator = new RemoteUrlValidator(); + $validatedUrls = []; foreach ($urls as $u) { try { - $url = Url::createFromUrl($u); - } catch (RuntimeException $x) { - throw new UserMessageException(h(t('The URL "%s" is not valid: %s', $u, $x->getMessage()))); - } - $scheme = (string)$url->getScheme(); - if ($scheme === '') { - throw new UserMessageException(h(t('The URL "%s" is not valid.', $u))); - } - $host = trim((string)$url->getHost()); - if (in_array(strtolower($host), ['', '0', 'localhost'], true)) { + $validatedUrl = $validator->validate((string) $u); + } catch (InvalidRemoteUrlException $x) { + if ($x->getPrevious() !== null) { + throw new UserMessageException(h(t('The URL "%s" is not valid: %s', $u, $x->getMessage()))); + } throw new UserMessageException(h(t('The URL "%s" is not valid.', $u))); } + $host = $validatedUrl->getHost(); // If we've already validated this hostname just skip it. - if (array_key_exists($host, $validIps)) { + if (array_key_exists($host, $validatedUrls)) { continue; } - $ipFormatBlocks = [ - '/^\d+$/', // No fully integer / octal hostnames http://2130706433 http://017700000001 - '/^0x[0-9a-f]+$/i', // No Hexadecimal hostnames http://0x07f000001 - ]; - - foreach ($ipFormatBlocks as $block) { - if (preg_match($block, $host) !== 0) { - throw new UserMessageException(h(t('The URL "%s" is not valid.', $u))); - } - } - - $ipFlags = IPParseStringFlag::IPV4_MAYBE_NON_DECIMAL | IPParseStringFlag::IPV4ADDRESS_MAYBE_NON_QUAD_DOTTED | IPParseStringFlag::MAY_INCLUDE_PORT | IPParseStringFlag::MAY_INCLUDE_ZONEID; - $ip = IPFactory::parseAddressString($host, $ipFlags); - if ($ip === null) { - $dnsList = @dns_get_record($host, DNS_A | DNS_AAAA); - while ($ip === null && $dnsList !== false && count($dnsList) > 0) { - $dns = array_shift($dnsList); - $ip = IPFactory::parseAddressString($dns['ip']); - } - } - - if ($ip !== null && $ip->getRangeType() !== IPRangeType::T_PUBLIC) { - throw new UserMessageException(h(t('The URL "%s" is not valid.', $u))); - } - - $validIps[$host] = $ip->toString(); + $validatedUrls[$host] = $validatedUrl; } - return $validIps; + return $validatedUrls; } /** @@ -848,24 +840,13 @@ protected function checkRemoteURlsToImport(array $urls) * @throws \Concrete\Core\Error\UserMessageException in case of errors * */ - protected function downloadRemoteURL($url, $temporaryDirectory, ?string $ip = null) + protected function downloadRemoteURL($url, $temporaryDirectory, ?ValidatedRemoteUrl $validatedUrl = null) { /** @var Client $client */ $client = $this->app->make(Client::class); $request = new Request('GET', $url); - $config = [ - RequestOptions::ALLOW_REDIRECTS => false, - ]; - - if ($ip) { - $host = parse_url($url, PHP_URL_HOST); - $scheme = parse_url($url, PHP_URL_SCHEME); - $port = parse_url($url, PHP_URL_PORT) ?: ($scheme === 'http' ? 80 : 443); - - // Specify IP if one is provided. - $config['curl'] = [CURLOPT_RESOLVE => ["{$host}:{$port}:{$ip}"]]; - } + $config = $validatedUrl ? (new RemoteUrlRequestOptionsBuilder())->build($validatedUrl) : []; $response = $client->send($request, $config);
concrete/controllers/backend/page/sitemap_delete_forever.php+4 −0 modified@@ -19,6 +19,10 @@ public function canAccess() public function fillQueue() { + $token = $this->app->make('token'); + if (!$token->validate()) { + throw new UserMessageException($token->getErrorMessage(), 401); + } if ($this->canAccess()) { $c = Page::getByID($_REQUEST['cID']); if (is_object($c) && !$c->isError()) {
concrete/controllers/backend/page/type/composer/form/edit_control/save.php+11 −1 modified@@ -63,8 +63,18 @@ protected function getPostedLabel(): string protected function getPostedTemplate(): string { $template = $this->request->request->get('ptComposerFormLayoutSetControlCustomTemplate'); + if (!is_string($template)) { + return ''; + } + + $setControl = $this->getSetControl(); + $control = $this->getControl($setControl); + $templates = $this->getTemplates($control); + if (!array_key_exists($template, $templates)) { + return ''; + } - return is_string($template) ? $this->app->make(SanitizeService::class)->sanitizeString($template) : ''; + return $this->app->make(SanitizeService::class)->sanitizeString($template); } protected function getPostedDescription(): string
concrete/controllers/backend/summary_template.php+7 −0 modified@@ -2,6 +2,7 @@ namespace Concrete\Controller\Backend; use Concrete\Core\Controller\Controller; +use Concrete\Core\Error\UserMessageException; use Concrete\Core\Page\Theme\Theme; use Concrete\Core\Summary\Category\Driver\DriverInterface; use Concrete\Core\Summary\Category\Driver\Manager; @@ -30,6 +31,12 @@ public function render($categoryHandle, $memberIdentifier, $templateID) */ $template = $category->getMemberSummaryTemplate($templateID); $object = $category->getCategoryMemberFromIdentifier($memberIdentifier); + if (!$object) { + throw new UserMessageException(t('Unable to locate object.')); + } + if (!$category->canViewRenderedSummaryTemplates($object)) { + throw new UserMessageException(t('Access Denied.')); + } $renderer = $this->app->make(Renderer::class); $this->set('template', $template);
concrete/controllers/dialog/event/duplicate.php+1 −1 modified@@ -21,7 +21,7 @@ class Duplicate extends BackendInterfaceController public function submit() { - if ($this->canAccess()) { + if ($this->validateAction()) { $e = $this->app->make('error'); $calendar = $this->app->make(CalendarService::class)->getByID($_REQUEST['caID']);
concrete/controllers/dialog/express/association/reorder.php+37 −31 modified@@ -14,7 +14,7 @@ protected function canAccess() $entry = $this->getEntry(); if ($entry) { $ep = new \Permissions($entry); - return $ep->canViewExpressEntry(); + return $ep->canEditExpressEntry(); } return false; } @@ -63,39 +63,45 @@ public function view() public function submit() { - $em = \Database::connection()->getEntityManager(); - $selectedEntry = $this->getEntry(); - $control = $this->getControl(); - if ($association = $control->getAssociation()) { - $i = 0; - $handler = $association->getSaveHandler(); - /** - * @var $handler ManySaveHandlerInterface - */ - $supportsCustomDisplayOrder = false; - if ($association->getTargetEntity()->supportsCustomDisplayOrder()) { - $supportsCustomDisplayOrder = true; - } + if ($this->validateAction()) { + $em = \Database::connection()->getEntityManager(); + $selectedEntry = $this->getEntry(); + $control = $this->getControl(); + if ($association = $control->getAssociation()) { + $i = 0; + $handler = $association->getSaveHandler(); + /** + * @var $handler ManySaveHandlerInterface + */ + $supportsCustomDisplayOrder = false; + if ($association->getTargetEntity()->supportsCustomDisplayOrder()) { + $supportsCustomDisplayOrder = true; + } + + $associatedEntries = $handler->getAssociatedEntriesFromRequest($control, $this->request); + $entryAssociation = $selectedEntry->getAssociation($association); + foreach($associatedEntries as $entry) { + $associationEntry = $entryAssociation ? $entryAssociation->getAssociationEntry($entry) : null; + if (!$associationEntry) { + continue; + } - $associatedEntries = $handler->getAssociatedEntriesFromRequest($control, $this->request); - foreach($associatedEntries as $entry) { - if ($supportsCustomDisplayOrder) { - $entry->setEntryDisplayOrder($i); - $em->persist($entry); - } else { - $entryAssociation = $selectedEntry->getAssociation($association); - $associationEntry = $entryAssociation->getAssociationEntry($entry); - $associationEntry->setDisplayOrder($i); - $em->persist($associationEntry); + if ($supportsCustomDisplayOrder) { + $entry->setEntryDisplayOrder($i); + $em->persist($entry); + } else { + $associationEntry->setDisplayOrder($i); + $em->persist($associationEntry); + } + $i++; } - $i++; - } - $em->flush(); - $this->flash('success', t('Display order saved successfully.')); - $response = new EditResponse(); - $response->setRedirectURL(\URL::to('/dashboard/express/entries/', 'view_entry', $selectedEntry->getId())); - $response->outputJSON(); + $em->flush(); + $this->flash('success', t('Display order saved successfully.')); + $response = new EditResponse(); + $response->setRedirectURL(\URL::to('/dashboard/express/entries/', 'view_entry', $selectedEntry->getId())); + $response->outputJSON(); + } } }
concrete/controllers/dialog/file/usage.php+0 −49 removed@@ -1,49 +0,0 @@ -<?php - -namespace Concrete\Controller\Dialog\File; - -use Concrete\Core\Controller\Controller; -use Concrete\Core\Entity\Statistics\UsageTracker\FileUsageRecord; -use Doctrine\ORM\EntityManagerInterface; - -class Usage extends Controller -{ - - protected $viewPath = '/dialogs/file/usage'; - - /** - * @var \Doctrine\ORM\EntityManagerInterface - */ - protected $manager; - - /** - * Usage constructor. - * @param \Doctrine\ORM\EntityManagerInterface $manager - */ - public function __construct(EntityManagerInterface $manager) - { - $this->manager = $manager; - parent::__construct(); - } - - public function view($fID) - { - $records = $this->manager->getRepository(FileUsageRecord::class)->findByFile($fID); - $reduced = []; - - /** @var FileUsageRecord $record */ - foreach ($records as $record) { - $cID = $record->getCollectionId(); - if (isset($reduced[$cID])) { - if ($record->getCollectionVersionId() > $reduced[$cID]->getCollectionVersionId()) { - $reduced[$cID] = $record; - } - } else { - $reduced[$cID] = $record; - } - } - - $this->set('records', $reduced); - } - -}
concrete/controllers/dialog/frontend/event.php+14 −0 modified@@ -1,9 +1,12 @@ <?php namespace Concrete\Controller\Dialog\Frontend; +use Concrete\Block\Calendar\Controller; use Concrete\Controller\Backend\UserInterface as BackendInterfaceController; use Concrete\Core\Block\Block; use Concrete\Core\Calendar\Event\EventOccurrence; +use Concrete\Core\Error\UserMessageException; +use Concrete\Core\Permission\Checker; class Event extends BackendInterfaceController { @@ -16,6 +19,17 @@ public function view($bID, $occurrence_id) if (is_object($b) && $b->getBlockTypeHandle() == 'calendar') { $controller = $b->getController(); + /** + * @var $controller Controller + */ + $calendar = $controller->getCalendar(); + if (!$calendar) { + throw new UserMessageException(t('Invalid calendar.')); + } + $checker = new Checker($calendar); + if (!$checker->canViewCalendar()) { + throw new UserMessageException(t('Access Denied.')); + } $occurrence = EventOccurrence::getByID($occurrence_id); $this->set('occurrence', $occurrence); $this->set('blockController', $controller);
concrete/controllers/dialog/logs/bulk/delete.php+1 −1 modified@@ -33,7 +33,7 @@ public function view() public function submit() { - if ($this->canAccess()) { + if ($this->validateAction()) { /** @var Request $request */ $request = $this->app->make(Request::class); /** @var Connection $db */
concrete/controllers/dialog/logs/delete.php+3 −0 modified@@ -39,6 +39,9 @@ public function view() public function submit() { + if (!$this->validateAction()) { + throw new \RuntimeException(implode("\n", $this->error->getList())); + } /** @var Request $request */ $request = $this->app->make(Request::class); /** @var Connection $db */
concrete/controllers/dialog/page/bulk/cache.php+1 −1 modified@@ -103,7 +103,7 @@ public function view() public function submit() { - if ($this->canAccess()) { + if ($this->validateAction()) { foreach ($this->items as $page) { $data = array(); if (($cCacheFullPageContent = $this->request->request->getInt('cCacheFullPageContent')) > -2) {
concrete/controllers/dialog/page/bulk/delete.php+1 −1 modified@@ -38,7 +38,7 @@ public function view() public function submit() { - if ($this->canAccess()) { + if ($this->validateAction()) { $u = new \User(); $uID = $u->getUserID(); $pages = $this->items;
concrete/controllers/dialog/page/bulk/design.php+1 −1 modified@@ -110,7 +110,7 @@ public function view() public function submit() { - if ($this->canAccess()) { + if ($this->validateAction()) { $containsSinglePages = false; foreach ($this->items as $page) { if ($page->isGeneratedCollection()) {
concrete/controllers/frontend/conversations/add_file.php+1 −1 modified@@ -32,7 +32,7 @@ public function view(): Response $fileVersion = $this->importFile($conversation, $file); return $responseFactory->json([ - 'id' => (int) $fileVersion->getFileID(), + 'id' => $fileVersion->getFileUUID(), 'timestamp' => $post->get('timestamp'), 'tag' => $post->get('tag'), ]);
concrete/controllers/frontend/conversations/add_message.php+6 −4 modified@@ -201,7 +201,7 @@ protected function getMessageBody(ArrayAccess $errors): string } /** - * @return int[] + * @return string[] */ protected function getAttachmentIDs(): array { @@ -213,8 +213,8 @@ protected function getAttachmentIDs(): array return array_values( // Reset array indexes array_unique( // Remove duplicates array_filter( // Remove zeroes - array_map( // Ensure integer types - 'intval', + array_map( // Ensure string types + 'strval', $attachmentIDs ) ) @@ -245,9 +245,11 @@ protected function getAttachments(ArrayAccess $errors): array } else { $em = $this->app->make(EntityManagerInterface::class); foreach ($attachmentIDs as $attachmentID) { - $file = $em->find(File::class, $attachmentID); + $file = $em->getRepository(File::class)->findOneBy(['fUUID' => $attachmentID]); if ($file === null) { $errors[] = t('Invalid file specified.'); + } elseif (!(new Checker($file))->canViewFile()) { + $errors[] = t('Invalid file specified.'); } else { $attachments[] = $file; }
concrete/controllers/frontend/conversations/delete_file.php+1 −1 modified@@ -29,7 +29,7 @@ public function view(): Response /** @var Token $token */ $token = $this->app->make(Token::class); - if ($token->validate("delete_conversation_message",$this->request->request->get('token'))) { + if (!$token->validate("delete_conversation_message",$this->request->request->get('token'))) { throw new UserMessageException($token->getErrorMessage()); }
concrete/controllers/frontend/conversations/get_rating.php+3 −0 modified@@ -43,6 +43,9 @@ protected function getMessage(): Message if ($message === null) { throw new UserMessageException(t('Invalid message object.')); } + if ($this->getBlockConversation()->getConversationID() != $message->getConversationObject()->getConversationID()) { + throw new UserMessageException(t('Invalid Conversation.')); + } return $message; }
concrete/controllers/frontend/conversations/message_detail.php+3 −0 modified@@ -47,6 +47,9 @@ protected function getMessage(): Message if ($message === null) { throw new UserMessageException(t('Invalid message object.')); } + if ($this->getBlockConversation()->getConversationID() != $message->getConversationObject()->getConversationID()) { + throw new UserMessageException(t('Invalid Conversation.')); + } return $message; }
concrete/controllers/frontend/conversations/message_page.php+2 −3 modified@@ -54,9 +54,8 @@ protected function getConversationID(): ?int */ protected function getConversation(): Conversation { - $conversationID = $this->getConversationID(); - $conversation = $conversationID === null ? null : Conversation::getByID($conversationID); - if ($conversation === null) { + $conversation = $this->getBlockConversation(); + if ((int) $conversation->getConversationID() !== $this->getConversationID()) { throw new UserMessageException(t('Invalid Conversation.')); }
concrete/controllers/frontend/conversations/update_message.php+6 −4 modified@@ -105,7 +105,7 @@ protected function getMessageBody(ArrayAccess $errors): string } /** - * @return int[] + * @return string[] */ protected function getAttachmentIDs(): array { @@ -117,8 +117,8 @@ protected function getAttachmentIDs(): array return array_values( // Reset array indexes array_unique( // Remove duplicates array_filter( // Remove zeroes - array_map( // Ensure integer types - 'intval', + array_map( // Ensure string types + 'strval', $attachmentIDs ) ) @@ -150,9 +150,11 @@ protected function getAttachments(Message $message, ArrayAccess $errors): array } else { $em = $this->app->make(EntityManagerInterface::class); foreach ($attachmentIDs as $attachmentID) { - $file = $em->find(File::class, $attachmentID); + $file = $em->getRepository(File::class)->findOneBy(['fUUID' => $attachmentID]); if ($file === null) { $errors[] = t('Invalid file specified.'); + } elseif (!(new Checker($file))->canViewFile()) { + $errors[] = t('Invalid file specified.'); } else { $attachments[] = $file; }
concrete/controllers/single_page/account/edit_profile.php+18 −10 modified@@ -110,28 +110,31 @@ public function save() $valt = $app->make('token'); - $data = $this->post(); + $data = []; if (!$valt->validate('profile_edit')) { $this->error->add($valt->getErrorMessage()); } // validate the user's email - $email = $this->post('uEmail'); + $email = (string) $this->post('uEmail'); $app->make('validator/user/email')->isValidFor($email, $ui, $this->error); // Username validation - $username = $this->post('uName'); - if (array_key_exists('uName', $data)) { - $data['uName'] = (string) $data['uName']; + $username = (string) $this->post('uName'); + $displayUserName = !$this->displayUserName + ? false + : $app->make(Repository::class)->get('concrete.user.edit_profile.display_username_field'); + if ($displayUserName && $this->request->request->has('uName')) { + $data['uName'] = $username; $app->make('validator/user/name')->isValidFor($username, $ui, $this->error); } // password - if (strlen($data['uPasswordNew'])) { - $passwordCurrent = (string) $data['uPasswordCurrent']; - $passwordNew = $data['uPasswordNew']; - $passwordNewConfirm = $data['uPasswordNewConfirm']; + $passwordNew = (string) $this->post('uPasswordNew'); + if ($passwordNew !== '') { + $passwordCurrent = (string) $this->post('uPasswordCurrent'); + $passwordNewConfirm = (string) $this->post('uPasswordNewConfirm'); $app->make('validator/password')->isValidFor($passwordNew, $ui, $this->error); @@ -144,6 +147,7 @@ public function save() $this->error->add(t('The two passwords provided do not match.')); } } + $data['_allowPasswordUpdate'] = true; $data['uPasswordConfirm'] = $passwordNew; $data['uPassword'] = $passwordNew; } @@ -164,7 +168,11 @@ public function save() $data['uEmail'] = $email; $config = $this->app->make('config'); if ($config->get('concrete.misc.user_timezones')) { - $data['uTimezone'] = $this->post('uTimezone'); + $data['uTimezone'] = (string) $this->post('uTimezone'); + } + $languages = Localization::getAvailableInterfaceLanguages(); + if (count($languages) > 0) { + $data['uDefaultLanguage'] = (string) $this->post('uDefaultLanguage'); } $ui->saveUserAttributesForm($aks);
concrete/controllers/single_page/dashboard/extend/install.php+27 −7 modified@@ -166,13 +166,31 @@ public function package_uninstalled() public function install_package($package) { $this->view(); + if (!$this->request->isMethod('POST')) { + $this->error->add(t('Invalid request method.')); + return; + } $tp = new TaskPermission(); if ($tp->canInstallPackages()) { $packageService = $this->app->make(PackageService::class); $p = $packageService->getClass($package); if ($p instanceof BrokenPackage) { $this->error->add($p->getInstallErrorMessage()); } elseif (is_object($p)) { + $showInstallOptionsScreen = $p->showInstallOptionsScreen(); + $isInitialInstallRequest = $this->token->validate('install_package'); + $isInstallOptionsSubmission = $showInstallOptionsScreen && $this->token->validate('install_options_selected'); + if ($showInstallOptionsScreen && $isInitialInstallRequest && !$isInstallOptionsSubmission) { + $this->set('showInstallOptionsScreen', true); + $this->set('pkg', $p); + + return; + } + if ((!$showInstallOptionsScreen && !$isInitialInstallRequest) || ($showInstallOptionsScreen && !$isInstallOptionsSubmission)) { + $this->error->add(t('Invalid token.')); + + return; + } $config = $this->app->make('config'); if ($config->get('concrete.i18n.auto_install_package_languages')) { $connection = $this->getConnection(); @@ -195,10 +213,7 @@ function (RemotePackage $rp) use ($p) { } } } - if ( - (!$p->showInstallOptionsScreen()) || - $this->token->validate('install_options_selected') - ) { + if (!$showInstallOptionsScreen || $isInstallOptionsSubmission) { $tests = $p->testForInstall(); if (is_object($tests)) { $this->error->add($tests); @@ -214,9 +229,6 @@ function (RemotePackage $rp) use ($p) { $this->redirect('/dashboard/extend/install', 'package_installed', $r->getPackageID()); } } - } else { - $this->set('showInstallOptionsScreen', true); - $this->set('pkg', $p); } } else { $this->error->add(t('Package controller file not found.')); @@ -237,6 +249,14 @@ public function package_installed($pkgID = 0) public function download($remoteId = null) { $this->view(); + if (!$this->request->isMethod('POST')) { + $this->error->add(t('Invalid request method.')); + return; + } + if (!$this->token->validate('download_package')) { + $this->error->add($this->token->getErrorMessage()); + return; + } $tp = new TaskPermission(); if (!$tp->canInstallPackages()) { $this->error->add(t('You do not have permission to download add-ons.'));
concrete/controllers/single_page/dashboard/extend/update.php+42 −21 modified@@ -13,6 +13,30 @@ class Update extends DashboardPageController { + protected function updatePackage(string $pkgHandle): void + { + $packageService = $this->app->make(PackageService::class); + $packageController = $packageService->getClass($pkgHandle); + $testResult = $packageController->testForUpgrade(); + if ($testResult !== true) { + $this->error->add($testResult); + + return; + } + $previousVersion = $packageController->getPackageEntity()->getPackageVersion(); + Localization::getInstance()->withContext(Localization::CONTEXT_SYSTEM, static function () use ($packageController) { + $packageController->upgradeCoreData(); + $packageController->upgrade(); + }); + $this->set('message', + t('Package "%1$s" has been updated successfully from version %2$s to version %3$s.', + t($packageController->getPackageName()) ?: $packageController->getPackageHandle(), + $previousVersion, + $packageController->getPackageVersion() + ) + ); + } + public function view() { $packageRepository = $this->app->make(PackageRepositoryInterface::class); @@ -42,31 +66,20 @@ public function do_update($pkgHandle = false) if (!$pkgHandle) { return $this->view(); } + if (!$this->request->isMethod('POST')) { + $this->error->add(t('Invalid request method.')); + + return $this->view(); + } try { + if (!$this->token->validate('update_addon')) { + throw new UserMessageException($this->token->getErrorMessage()); + } $tp = new Checker(); if (!$tp->canInstallPackages()) { throw new UserMessageException(t('Access Denied.')); } - $packageService = $this->app->make(PackageService::class); - $packageController = $packageService->getClass($pkgHandle); - $testResult = $packageController->testForUpgrade(); - if ($testResult !== true) { - $this->error->add($testResult); - - return $this->view(); - } - $previousVersion = $packageController->getPackageEntity()->getPackageVersion(); - Localization::getInstance()->withContext(Localization::CONTEXT_SYSTEM, static function () use ($packageController) { - $packageController->upgradeCoreData(); - $packageController->upgrade(); - }); - $this->set('message', - t('Package "%1$s" has been updated successfully from version %2$s to version %3$s.', - t($packageController->getPackageName()) ?: $packageController->getPackageHandle(), - $previousVersion, - $packageController->getPackageVersion() - ) - ); + $this->updatePackage($pkgHandle); } catch (UserMessageException $x) { $this->error->add($x); } @@ -77,8 +90,16 @@ public function prepare_remote_upgrade($remoteMPID = 0) { $packageRepository = $this->app->make(PackageRepositoryInterface::class); $packageService = $this->app->make(PackageService::class); + if (!$this->request->isMethod('POST')) { + $this->error->add(t('Invalid request method.')); + + return $this->view(); + } try { + if (!$this->token->validate('prepare_remote_upgrade')) { + throw new UserMessageException($this->token->getErrorMessage()); + } $tp = new Checker(); if (!$tp->canInstallPackages()) { throw new UserMessageException(t('Access Denied.')); @@ -99,7 +120,7 @@ public function prepare_remote_upgrade($remoteMPID = 0) } $packageRepository->download($connection, $mri, true); - return $this->buildRedirect(['/dashboard/extend/update', 'do_update', $mri->handle]); + $this->updatePackage($mri->handle); } catch (UserMessageException $x) { $this->error->add($x); }
concrete/controllers/single_page/dashboard/system/update/update.php+5 −1 modified@@ -168,7 +168,11 @@ public function do_update() if (!$this->userHasUpgradePermission()) { return $this->buildRedirect($this->action()); } - if ($this->app->make(Composer::class)->isCoreInstalledViaComposer() === true) { + if (!$this->request->isMethod('POST')) { + $this->error->add(t('Invalid request method.')); + } elseif (!$this->token->validate('do_update')) { + $this->error->add($this->token->getErrorMessage()); + } elseif ($this->app->make(Composer::class)->isCoreInstalledViaComposer() === true) { $this->error->add(t('ConcreteCMS has been installed via Composer: you should use it to upgrade the currently installed version.')); } elseif ($this->app->make('config')->get('concrete.updates.skip_core')) { $this->error->add(t('Updates are currently disabled via your site configuration.'));
concrete/controllers/single_page/dashboard/users/groups/bulk_user_assignment.php+10 −2 modified@@ -7,6 +7,7 @@ use Concrete\Core\Logging\Channels; use Concrete\Core\Logging\LoggerFactory; use Concrete\Core\Page\Controller\DashboardPageController; +use Concrete\Core\Permission\Checker; use Concrete\Core\User\Group\Group; use Concrete\Core\User\Group\GroupRepository; use Concrete\Core\User\UserInfo; @@ -43,6 +44,15 @@ public function view() $removeUnlistedUsers = $this->request->request->has('removeUnlistedUsers'); if ($targetGroup instanceof Group) { + $gp = new Checker($targetGroup); + if (!$gp->canAssignGroup()) { + $this->error->add(t('Access Denied.')); + } + } else { + $this->error->add(t('You need to select valid target group.')); + } + + if (!$this->error->has()) { /** @var UploadedFile $csvFile */ $csvFile = $this->request->files->get('csvFile'); @@ -74,8 +84,6 @@ public function view() } else { $this->error->add(t('You need to upload a CSV file.')); } - } else { - $this->error->add(t('You need to select valid target group.')); } if (!$this->error->has()) {
concrete/controllers/single_page/dashboard/users/search.php+2 −0 modified@@ -399,6 +399,7 @@ public function save_account($uID = null) $error->add(t('The two passwords provided do not match.')); } } + $data['_allowPasswordUpdate'] = true; $data['uPasswordConfirm'] = $passwordNew; $data['uPassword'] = $passwordNew; } @@ -415,6 +416,7 @@ public function save_account($uID = null) } } } + $data['_allowIgnoredIPMismatchesUpdate'] = true; $data['ignoredIPMismatches'] = $ignoredIPMismatches; }
concrete/controllers/single_page/download_file.php+11 −5 modified@@ -218,15 +218,21 @@ public function submit_password($fID = 0) $rcID = $this->post('rcID'); - if ($f->getPassword() == $this->post('password')) { - if ($this->post('force')) { - return $this->force_download($f); + if ($f->getPassword() === $this->post('password')) { + $checker = new Checker($f); + if ($checker->canViewFile()) { + if ($this->post('force')) { + return $this->force_download($f); + } else { + return $this->download($f); + } } else { - return $this->download($f); + $this->set('error', t("You do not have permission to access this file.")); } + } else { + $this->set('error', t("Password incorrect. Please try again.")); } - $this->set('error', t("Password incorrect. Please try again.")); $this->set('force', ($this->post('force') ? 1 : 0)); if ($fUUID !== null) {
concrete/elements/conversation/display.php+1 −1 modified@@ -16,7 +16,7 @@ } $editor = \Concrete\Core\Conversation\Editor\Editor::getActive(); -$editor->setConversationObject($args['conversation']); +$editor->setConversationObject($conversation); $val = $app->make('token'); $form = $app->make('helper/form');
concrete/js/ckeditor/concrete.js+1 −1 modified@@ -1 +1 @@ -(()=>{var e={461:()=>{CKEDITOR.plugins.add("concretefilemanager",{requires:"filebrowser",init:function(){CKEDITOR.on("dialogDefinition",function(e){var t=e.editor,n=e.data.definition,i=n.contents.length;function o(){return function(){t._.filebrowserSe=this;var e=this.getDialog();ConcreteFileManager.launchDialog(function(n){jQuery.fn.dialog.showLoader(),ConcreteFileManager.getFileDetails(n.fID,function(n){if(jQuery.fn.dialog.hideLoader(),n){var i=n.files[0];"image"!=e.getName()&&"image2"!=e.getName()||"info"!=e._.currentTabId?CKEDITOR.tools.callFunction(t._.filebrowserFn,i.urlDownload):CKEDITOR.tools.callFunction(t._.filebrowserFn,i.urlInline,function(){var t;e.dontResetSize=!0,(t=e.getContentElement("info","txtWidth"))&&t.setValue(""),(t=e.getContentElement("info","width"))&&t.setValue(""),(t=e.getContentElement("info","txtHeight"))&&t.setValue(""),(t=e.getContentElement("info","height"))&&t.setValue(""),(t=e.getContentElement("info","txtAlt"))&&t.setValue(i.title),(t=e.getContentElement("info","alt"))&&t.setValue(i.title)})}})})}}for(var a=0;a<i;a++){var r=n.contents[a].get("browse");null!==r&&(r.hidden=!1,r.onClick=o())}})}})},7068:()=>{CKEDITOR.plugins.add("concreteinline",{init:function(e){e.elementMode==CKEDITOR.ELEMENT_MODE_INLINE&&(e.addCommand("c5save",{exec:function(e){$("#"+e.element.$.id+"_content").val(e.getData()),ConcreteEvent.fire("EditModeBlockSaveInline"),e.destroy()}}),e.addCommand("c5cancel",{exec:function(e){ConcreteEvent.fire("EditModeExitInline"),e.destroy()}}),e.ui.addButton&&(e.ui.addButton("concrete_save",{label:e.lang.common.ok,command:"c5save",toolbar:"document,0"}),e.ui.addButton("concrete_cancel",{label:e.lang.common.cancel,command:"c5cancel",toolbar:"document,1"})))}})},3805:()=>{CKEDITOR.plugins.add("concretelink",{requires:"link",init:function(e){CKEDITOR.on("dialogDefinition",function(t){var n=t.data.name,i=t.data.definition,o=e.lang.common,a=function(e,t){t[e]||(t[e]={}),t[e][this.id]=this.getValue()||""},r=function(e){return a.call(this,"target",e)},l=function(){return CKEDITOR.plugins.link.getSelectedLink(t.editor)};if("link"==n){var s=i.getContents("info");null===s.get("sitemapBrowse")&&t.editor.config.sitemap&&s.add({type:"button",id:"sitemapBrowse",label:ccmi18n_editor.sitemap,title:ccmi18n_editor.sitemap,onClick:function(){jQuery.fn.dialog.open({width:"90%",height:"70%",modal:!1,title:ccmi18n_sitemap.choosePage,href:CCM_DISPATCHER_FILENAME+"/ccm/system/dialogs/page/sitemap_selector"}),ConcreteEvent.unsubscribe("SitemapSelectPage"),ConcreteEvent.subscribe("SitemapSelectPage",function(e,t){jQuery.fn.dialog.closeTop();var n=i.dialog.getContentElement("info","url");n&&n.setValue(CCM_APPLICATION_URL+"/index.php?cID="+t.cID)})}},"browse");var c=i.getContents("target");if(null!==c.get("linkTargetType")){var d=c.get("linkTargetType");"lightbox"!=d.items[3][1]&&(d.items.splice(3,0,["<lightbox>","lightbox"]),d.items.join()),null===c.get("lightboxFeatures")&&c.elements.push({type:"vbox",width:"100%",align:"center",padding:2,id:"lightboxFeatures",children:[{type:"fieldset",label:ccmi18n_editor.lightboxFeatures,children:[{type:"hbox",children:[{type:"checkbox",id:"imageLightbox",label:ccmi18n_editor.imageLink,setup:function(e){var t=l();null!==t&&void 0!==e.target&&("lightbox"==e.target.name&&"image"==t.data("concrete-link-lightbox")?this.setValue(1):this.setValue(0))},commit:r,onChange:function(e){this.getValue()?this.getDialog().getContentElement("target","lightboxDimensions").getElement().hide():this.getDialog().getContentElement("target","lightboxDimensions").getElement().show()}}]},{type:"hbox",id:"lightboxDimensions",children:[{type:"text",widths:["50%","50%"],labelLayout:"horizontal",label:o.width,id:"lightboxWidth",setup:function(e){var t=l();null!==t&&void 0!==e.target&&("lightbox"==e.target.name&&t.hasAttribute("data-concrete-link-lightbox-width")?this.setValue(t.data("concrete-link-lightbox-width")):this.setValue(null))},commit:r},{type:"text",labelLayout:"horizontal",widths:["50%","50%"],label:o.height,id:"lightboxHeight",setup:function(e){var t=l();null!==t&&void 0!==e.target&&("lightbox"==e.target.name&&t.hasAttribute("data-concrete-link-lightbox-height")?this.setValue(t.data("concrete-link-lightbox-height")):this.setValue(null))},commit:r}],setup:function(){this.getDialog().getContentElement("target","imageLightbox").getValue()?this.getElement().hide():this.getElement().show()}}]}],setup:function(){this.getDialog().getContentElement("info","linkType")||this.getElement().hide(),"lightbox"!=this.getDialog().getContentElement("target","linkTargetType").getValue()&&this.getElement().hide()}}),d.onChange=CKEDITOR.tools.override(d.onChange,function(e){return function(){var t=this.getDialog().getContentElement("target","lightboxFeatures").getElement();"lightbox"!=this.getValue()||this._.selectedElement?t.hide():t.show(),e.call(this)}}),d.setup=function(e){e.target&&("lightbox"==e.target.name&&(e.target.type=e.target.name),this.setValue(e.target.type||"notSet")),this.onChange.call(this)},d.commit=function(e){e.target||(e.target={}),e.target.type=this.getValue()},i.onOk=CKEDITOR.tools.override(i.onOk,function(e){return function(){var t={},n={};this.commitContent(t),e.call(this);var i=l();null!==i&&("lightbox"==t.target.type?t.target.imageLightbox?(i.data("concrete-link-lightbox","image"),n={"data-concrete-link-lightbox-width":1,"data-concrete-link-lightbox-height":1}):(i.data("concrete-link-lightbox","iframe"),t.target.lightboxWidth&&t.target.lightboxHeight?(i.data("concrete-link-lightbox-width",t.target.lightboxWidth),i.data("concrete-link-lightbox-height",t.target.lightboxHeight)):n={"data-concrete-link-lightbox-width":1,"data-concrete-link-lightbox-height":1}):n={"data-concrete-link-lightbox":1,"data-concrete-link-lightbox-width":1,"data-concrete-link-lightbox-height":1},i.removeAttributes(n))}})}}})}})},1939:()=>{CKEDITOR.plugins.add("normalizeonchange",{init:function(e){CKEDITOR.on("instanceReady",function(e){e.editor.on("change",function(t){var n=e.editor.getSelection();if(n){var i=n.getStartElement();i&&i.$&&n.getStartElement().$.normalize()}})})}})},8315:()=>{CKEDITOR.plugins.add("concretestyles",{requires:["widget","stylescombo","menubutton"],init:function(e){},afterInit:function(e){var t=this;function n(e){return{exec:function(t){var n="> </",i=e.html,o=t.getSelection(),a=o&&o.getSelectedText();if(-1!=i.indexOf(n)&&a){for(var r=["address","article","aside","audio","blockquote","canvas","dd","div","dl","fieldset","figcaption","figure","figcaption","footer","form","h1","h2","h3","h4","h5","h6","header","hgroup","hr","noscript","ol","output","p","pre","section","span","table","tfoot","ul","video"],l=o.getRanges(),s=new CKEDITOR.dom.element("div"),c=0,d=l.length;c<d;++c){var g=l[c],u=g.createBookmark2();s.append(g.cloneContents()),g.moveToBookmark(u),g.select()}for(var h=s.getHtml(),f=0;f<r.length;f++){var m=new RegExp("(<"+r[f]+"[^>]*>|</"+r[f]+">)","gi");h=h.replace(m,"")}i=i.replace(n,">"+h+"</")}t.insertHtml(i)}}}var i={name:"snippets",icon:"snippet.png",title:ccmi18n_editor.snippets,items:[]};if(e.config.snippets&&($.each(e.config.snippets,function(t,n){e.widgets.add(n.scsHandle,{template:n.scsName});var o={};o.name=n.scsHandle,o.icon="snippet.png",o.title=n.scsName,o.html='<span class="ccm-content-editor-snippet" contenteditable="false" data-scsHandle="'+n.scsHandle+'">'+n.scsName+"</span>",i.items.push(o)}),function(i){for(var o=i.items,a={},r=0;r<o.length;r++){var l=o[r],s=l.name;e.addCommand(s,n(l)),a[s]={label:l.title,command:s,group:i.name,role:"menuitem"}}e.addMenuGroup(i.name,1),e.addMenuItems(a),e.ui.add(i.name,CKEDITOR.UI_MENUBUTTON,{label:i.title,icon:t.path+"/icons/"+i.icon,toolbar:i.toolbar||"insert",onMenu:function(){var e={};for(var t in a)e[t]=CKEDITOR.TRISTATE_OFF;return e}})}(i,i.name)),e.config.classes){var o=[];$.each(e.config.classes,function(){var e={};e.name=this.title,void 0!==this.element?e.element=this.element:void 0!==this.forceBlock&&1==this.forceBlock?e.element=["h1","h2","h3","h4","h5","h6","p"]:e.element="span",void 0!==this.spanClass&&(e.attributes={class:this.spanClass}),void 0!==this.attributes&&(e.attributes=this.attributes),void 0!==this.styles&&(e.styles=this.styles),"widget"===this.type&&void 0!==this.widget&&(e.type="widget",e.widget=this.widget),o.push(e)}),e.fire("stylesSet",{styles:o})}}})},7320:()=>{CKEDITOR.plugins.add("concreteuploadimage",{requires:"uploadimage",init:function(e){e.on("fileUploadRequest",function(e){var t=e.data.fileLoader,n=t.xhr,i=new FormData;i.append("ccm_token",CCM_SECURITY_TOKEN),i.append("files[]",t.file,t.fileName),n.send(i),e.stop()}),e.on("fileUploadResponse",function(e){e.stop();var t=e.data,n=t.fileLoader.xhr;if(200==n.status){var i=jQuery.parseJSON(n.responseText);i.error?(t.message=i.errors.join(),e.cancel()):i.files.length>0&&(t.url=i.files[0].urlInline)}else t.message=n.responseText,e.cancel()})}})},8316:()=>{!function(e){if(void 0===e)throw Error("jQuery should be loaded before CKEditor jQuery adapter.");if("undefined"==typeof CKEDITOR)throw Error("CKEditor should be loaded before CKEditor jQuery adapter.");CKEDITOR.config.jqueryOverrideVal=void 0===CKEDITOR.config.jqueryOverrideVal||CKEDITOR.config.jqueryOverrideVal,e.extend(e.fn,{ckeditorGet:function(){var e=this.eq(0).data("ckeditorInstance");if(!e)throw"CKEditor is not initialized yet, use ckeditor() with a callback.";return e},ckeditor:function(t,n){if(!CKEDITOR.env.isCompatible)throw Error("The environment is incompatible.");if("function"!=typeof t){var i=n;n=t,t=i}var o=[];n=n||{},this.each(function(){var i=e(this),a=i.data("ckeditorInstance"),r=i.data("_ckeditorInstanceLock"),l=this,s=new e.Deferred;o.push(s.promise()),a&&!r?(t&&t.apply(a,[this]),s.resolve()):r?a.once("instanceReady",function(){setTimeout(function e(){a.element?(a.element.$==l&&t&&t.apply(a,[l]),s.resolve()):setTimeout(e,100)},0)},null,null,9999):((n.autoUpdateElement||void 0===n.autoUpdateElement&&CKEDITOR.config.autoUpdateElement)&&(n.autoUpdateElementJquery=!0),n.autoUpdateElement=!1,i.data("_ckeditorInstanceLock",!0),a=e(this).is("textarea")?CKEDITOR.replace(l,n):CKEDITOR.inline(l,n),i.data("ckeditorInstance",a),a.on("instanceReady",function(n){var o=n.editor;setTimeout(function a(){if(o.element){if(n.removeListener(),o.on("dataReady",function(){i.trigger("dataReady.ckeditor",[o])}),o.on("setData",function(e){i.trigger("setData.ckeditor",[o,e.data])}),o.on("getData",function(e){i.trigger("getData.ckeditor",[o,e.data])},999),o.on("destroy",function(){i.trigger("destroy.ckeditor",[o])}),o.on("save",function(){return e(l.form).trigger("submit"),!1},null,null,20),o.config.autoUpdateElementJquery&&i.is("textarea")&&e(l.form).length){var r=function(){i.ckeditor(function(){o.updateElement()})};e(l.form).on("submit",r),e(l.form).on("form-pre-serialize",r),i.on("destroy.ckeditor",function(){e(l.form).off("submit",r),e(l.form).off("form-pre-serialize",r)})}o.on("destroy",function(){i.removeData("ckeditorInstance")}),i.removeData("_ckeditorInstanceLock"),i.trigger("instanceReady.ckeditor",[o]),t&&t.apply(o,[l]),s.resolve()}else setTimeout(a,100)},0)},null,null,9999))});var a=new e.Deferred;return this.promise=a.promise(),e.when.apply(this,o).then(function(){a.resolve()}),this.editor=this.eq(0).data("ckeditorInstance"),this}}),CKEDITOR.config.jqueryOverrideVal&&(e.fn.val=CKEDITOR.tools.override(e.fn.val,function(t){return function(n){if(arguments.length){var i=this,o=[],a=this.each(function(){var i=e(this),a=i.data("ckeditorInstance");if(i.is("textarea")&&a){var r=new e.Deferred;return a.setData(n,function(){r.resolve()}),o.push(r.promise()),!0}return t.call(i,n)});if(o.length){var r=new e.Deferred;return e.when.apply(this,o).done(function(){r.resolveWith(i)}),r.promise()}return a}var l=(a=e(this).eq(0)).data("ckeditorInstance");return a.is("textarea")&&l?l.getData():t.call(a)}}))}(window.jQuery)}},t={};function n(i){var o=t[i];if(void 0!==o)return o.exports;var a=t[i]={exports:{}};return e[i](a,a.exports,n),a.exports}n.n=e=>{var t=e&&e.__esModule?()=>e.default:()=>e;return n.d(t,{a:t}),t},n.d=(e,t)=>{for(var i in t)n.o(t,i)&&!n.o(e,i)&&Object.defineProperty(e,i,{enumerable:!0,get:t[i]})},n.o=(e,t)=>Object.prototype.hasOwnProperty.call(e,t),(()=>{"use strict";n(8316),n(1939),n(7068),n(3805),n(461),n(8315),n(7320)})()})(); \ No newline at end of file +(()=>{var e={461:()=>{CKEDITOR.plugins.add("concretefilemanager",{requires:"filebrowser",init:function(){CKEDITOR.on("dialogDefinition",function(e){var t=e.editor,n=e.data.definition,i=n.contents.length;function o(){return function(){t._.filebrowserSe=this;var e=this.getDialog();ConcreteFileManager.launchDialog(function(n){jQuery.fn.dialog.showLoader(),ConcreteFileManager.getFileDetails(n.fID,function(n){if(jQuery.fn.dialog.hideLoader(),n){var i=n.files[0];"image"!=e.getName()&&"image2"!=e.getName()||"info"!=e._.currentTabId?CKEDITOR.tools.callFunction(t._.filebrowserFn,i.urlDownload):CKEDITOR.tools.callFunction(t._.filebrowserFn,i.urlInline,function(){var t;e.dontResetSize=!0,(t=e.getContentElement("info","txtWidth"))&&t.setValue(""),(t=e.getContentElement("info","width"))&&t.setValue(""),(t=e.getContentElement("info","txtHeight"))&&t.setValue(""),(t=e.getContentElement("info","height"))&&t.setValue(""),(t=e.getContentElement("info","txtAlt"))&&t.setValue(i.title),(t=e.getContentElement("info","alt"))&&t.setValue(i.title)})}})})}}for(var a=0;a<i;a++){var r=n.contents[a].get("browse");null!==r&&(r.hidden=!1,r.onClick=o(),"undefined"!=typeof ccmi18n_editor&&ccmi18n_editor.selectFile&&(r.label=ccmi18n_editor.selectFile,r.title=ccmi18n_editor.selectFile))}})}})},7068:()=>{CKEDITOR.plugins.add("concreteinline",{init:function(e){e.elementMode==CKEDITOR.ELEMENT_MODE_INLINE&&(e.addCommand("c5save",{exec:function(e){$("#"+e.element.$.id+"_content").val(e.getData()),ConcreteEvent.fire("EditModeBlockSaveInline"),e.destroy()}}),e.addCommand("c5cancel",{exec:function(e){ConcreteEvent.fire("EditModeExitInline"),e.destroy()}}),e.ui.addButton&&(e.ui.addButton("concrete_save",{label:e.lang.common.ok,command:"c5save",toolbar:"document,0"}),e.ui.addButton("concrete_cancel",{label:e.lang.common.cancel,command:"c5cancel",toolbar:"document,1"})))}})},3805:()=>{CKEDITOR.plugins.add("concretelink",{requires:"link",init:function(e){CKEDITOR.on("dialogDefinition",function(t){var n=t.data.name,i=t.data.definition,o=e.lang.common,a=function(e,t){t[e]||(t[e]={}),t[e][this.id]=this.getValue()||""},r=function(e){return a.call(this,"target",e)},l=function(){return CKEDITOR.plugins.link.getSelectedLink(t.editor)};if("link"==n){var s=i.getContents("info");null===s.get("sitemapBrowse")&&t.editor.config.sitemap&&s.add({type:"button",id:"sitemapBrowse",label:ccmi18n_editor.sitemap,title:ccmi18n_editor.sitemap,onClick:function(){jQuery.fn.dialog.open({width:"90%",height:"70%",modal:!1,title:ccmi18n_sitemap.choosePage,href:CCM_DISPATCHER_FILENAME+"/ccm/system/dialogs/page/sitemap_selector"}),ConcreteEvent.unsubscribe("SitemapSelectPage"),ConcreteEvent.subscribe("SitemapSelectPage",function(e,t){jQuery.fn.dialog.closeTop();var n=i.dialog.getContentElement("info","url");n&&n.setValue(CCM_APPLICATION_URL+"/index.php?cID="+t.cID)})}},"browse");var c=i.getContents("target");if(null!==c.get("linkTargetType")){var d=c.get("linkTargetType");"lightbox"!=d.items[3][1]&&(d.items.splice(3,0,["<lightbox>","lightbox"]),d.items.join()),null===c.get("lightboxFeatures")&&c.elements.push({type:"vbox",width:"100%",align:"center",padding:2,id:"lightboxFeatures",children:[{type:"fieldset",label:ccmi18n_editor.lightboxFeatures,children:[{type:"hbox",children:[{type:"checkbox",id:"imageLightbox",label:ccmi18n_editor.imageLink,setup:function(e){var t=l();null!==t&&void 0!==e.target&&("lightbox"==e.target.name&&"image"==t.data("concrete-link-lightbox")?this.setValue(1):this.setValue(0))},commit:r,onChange:function(e){this.getValue()?this.getDialog().getContentElement("target","lightboxDimensions").getElement().hide():this.getDialog().getContentElement("target","lightboxDimensions").getElement().show()}}]},{type:"hbox",id:"lightboxDimensions",children:[{type:"text",widths:["50%","50%"],labelLayout:"horizontal",label:o.width,id:"lightboxWidth",setup:function(e){var t=l();null!==t&&void 0!==e.target&&("lightbox"==e.target.name&&t.hasAttribute("data-concrete-link-lightbox-width")?this.setValue(t.data("concrete-link-lightbox-width")):this.setValue(null))},commit:r},{type:"text",labelLayout:"horizontal",widths:["50%","50%"],label:o.height,id:"lightboxHeight",setup:function(e){var t=l();null!==t&&void 0!==e.target&&("lightbox"==e.target.name&&t.hasAttribute("data-concrete-link-lightbox-height")?this.setValue(t.data("concrete-link-lightbox-height")):this.setValue(null))},commit:r}],setup:function(){this.getDialog().getContentElement("target","imageLightbox").getValue()?this.getElement().hide():this.getElement().show()}}]}],setup:function(){this.getDialog().getContentElement("info","linkType")||this.getElement().hide(),"lightbox"!=this.getDialog().getContentElement("target","linkTargetType").getValue()&&this.getElement().hide()}}),d.onChange=CKEDITOR.tools.override(d.onChange,function(e){return function(){var t=this.getDialog().getContentElement("target","lightboxFeatures").getElement();"lightbox"!=this.getValue()||this._.selectedElement?t.hide():t.show(),e.call(this)}}),d.setup=function(e){e.target&&("lightbox"==e.target.name&&(e.target.type=e.target.name),this.setValue(e.target.type||"notSet")),this.onChange.call(this)},d.commit=function(e){e.target||(e.target={}),e.target.type=this.getValue()},i.onOk=CKEDITOR.tools.override(i.onOk,function(e){return function(){var t={},n={};this.commitContent(t),e.call(this);var i=l();null!==i&&("lightbox"==t.target.type?t.target.imageLightbox?(i.data("concrete-link-lightbox","image"),n={"data-concrete-link-lightbox-width":1,"data-concrete-link-lightbox-height":1}):(i.data("concrete-link-lightbox","iframe"),t.target.lightboxWidth&&t.target.lightboxHeight?(i.data("concrete-link-lightbox-width",t.target.lightboxWidth),i.data("concrete-link-lightbox-height",t.target.lightboxHeight)):n={"data-concrete-link-lightbox-width":1,"data-concrete-link-lightbox-height":1}):n={"data-concrete-link-lightbox":1,"data-concrete-link-lightbox-width":1,"data-concrete-link-lightbox-height":1},i.removeAttributes(n))}})}}})}})},1939:()=>{CKEDITOR.plugins.add("normalizeonchange",{init:function(e){CKEDITOR.on("instanceReady",function(e){e.editor.on("change",function(t){var n=e.editor.getSelection();if(n){var i=n.getStartElement();i&&i.$&&n.getStartElement().$.normalize()}})})}})},8315:()=>{CKEDITOR.plugins.add("concretestyles",{requires:["widget","stylescombo","menubutton"],init:function(e){},afterInit:function(e){var t=this;function n(e){return{exec:function(t){var n="> </",i=e.html,o=t.getSelection(),a=o&&o.getSelectedText();if(-1!=i.indexOf(n)&&a){for(var r=["address","article","aside","audio","blockquote","canvas","dd","div","dl","fieldset","figcaption","figure","figcaption","footer","form","h1","h2","h3","h4","h5","h6","header","hgroup","hr","noscript","ol","output","p","pre","section","span","table","tfoot","ul","video"],l=o.getRanges(),s=new CKEDITOR.dom.element("div"),c=0,d=l.length;c<d;++c){var g=l[c],u=g.createBookmark2();s.append(g.cloneContents()),g.moveToBookmark(u),g.select()}for(var h=s.getHtml(),m=0;m<r.length;m++){var f=new RegExp("(<"+r[m]+"[^>]*>|</"+r[m]+">)","gi");h=h.replace(f,"")}i=i.replace(n,">"+h+"</")}t.insertHtml(i)}}}var i={name:"snippets",icon:"snippet.png",title:ccmi18n_editor.snippets,items:[]};if(e.config.snippets&&($.each(e.config.snippets,function(t,n){e.widgets.add(n.scsHandle,{template:n.scsName});var o={};o.name=n.scsHandle,o.icon="snippet.png",o.title=n.scsName,o.html='<span class="ccm-content-editor-snippet" contenteditable="false" data-scsHandle="'+n.scsHandle+'">'+n.scsName+"</span>",i.items.push(o)}),function(i){for(var o=i.items,a={},r=0;r<o.length;r++){var l=o[r],s=l.name;e.addCommand(s,n(l)),a[s]={label:l.title,command:s,group:i.name,role:"menuitem"}}e.addMenuGroup(i.name,1),e.addMenuItems(a),e.ui.add(i.name,CKEDITOR.UI_MENUBUTTON,{label:i.title,icon:t.path+"/icons/"+i.icon,toolbar:i.toolbar||"insert",onMenu:function(){var e={};for(var t in a)e[t]=CKEDITOR.TRISTATE_OFF;return e}})}(i,i.name)),e.config.classes){var o=[];$.each(e.config.classes,function(){var e={};e.name=this.title,void 0!==this.element?e.element=this.element:void 0!==this.forceBlock&&1==this.forceBlock?e.element=["h1","h2","h3","h4","h5","h6","p"]:e.element="span",void 0!==this.spanClass&&(e.attributes={class:this.spanClass}),void 0!==this.attributes&&(e.attributes=this.attributes),void 0!==this.styles&&(e.styles=this.styles),"widget"===this.type&&void 0!==this.widget&&(e.type="widget",e.widget=this.widget),o.push(e)}),e.fire("stylesSet",{styles:o})}}})},7320:()=>{CKEDITOR.plugins.add("concreteuploadimage",{requires:"uploadimage",init:function(e){e.on("fileUploadRequest",function(e){var t=e.data.fileLoader,n=t.xhr,i=new FormData;i.append("ccm_token",CCM_SECURITY_TOKEN),i.append("files[]",t.file,t.fileName),n.send(i),e.stop()}),e.on("fileUploadResponse",function(e){e.stop();var t=e.data,n=t.fileLoader.xhr;if(200==n.status){var i=jQuery.parseJSON(n.responseText);i.error?(t.message=i.errors.join(),e.cancel()):i.files.length>0&&(t.url=i.files[0].urlInline)}else t.message=n.responseText,e.cancel()})}})},8316:()=>{!function(e){if(void 0===e)throw Error("jQuery should be loaded before CKEditor jQuery adapter.");if("undefined"==typeof CKEDITOR)throw Error("CKEditor should be loaded before CKEditor jQuery adapter.");CKEDITOR.config.jqueryOverrideVal=void 0===CKEDITOR.config.jqueryOverrideVal||CKEDITOR.config.jqueryOverrideVal,e.extend(e.fn,{ckeditorGet:function(){var e=this.eq(0).data("ckeditorInstance");if(!e)throw"CKEditor is not initialized yet, use ckeditor() with a callback.";return e},ckeditor:function(t,n){if(!CKEDITOR.env.isCompatible)throw Error("The environment is incompatible.");if("function"!=typeof t){var i=n;n=t,t=i}var o=[];n=n||{},this.each(function(){var i=e(this),a=i.data("ckeditorInstance"),r=i.data("_ckeditorInstanceLock"),l=this,s=new e.Deferred;o.push(s.promise()),a&&!r?(t&&t.apply(a,[this]),s.resolve()):r?a.once("instanceReady",function(){setTimeout(function e(){a.element?(a.element.$==l&&t&&t.apply(a,[l]),s.resolve()):setTimeout(e,100)},0)},null,null,9999):((n.autoUpdateElement||void 0===n.autoUpdateElement&&CKEDITOR.config.autoUpdateElement)&&(n.autoUpdateElementJquery=!0),n.autoUpdateElement=!1,i.data("_ckeditorInstanceLock",!0),a=e(this).is("textarea")?CKEDITOR.replace(l,n):CKEDITOR.inline(l,n),i.data("ckeditorInstance",a),a.on("instanceReady",function(n){var o=n.editor;setTimeout(function a(){if(o.element){if(n.removeListener(),o.on("dataReady",function(){i.trigger("dataReady.ckeditor",[o])}),o.on("setData",function(e){i.trigger("setData.ckeditor",[o,e.data])}),o.on("getData",function(e){i.trigger("getData.ckeditor",[o,e.data])},999),o.on("destroy",function(){i.trigger("destroy.ckeditor",[o])}),o.on("save",function(){return e(l.form).trigger("submit"),!1},null,null,20),o.config.autoUpdateElementJquery&&i.is("textarea")&&e(l.form).length){var r=function(){i.ckeditor(function(){o.updateElement()})};e(l.form).on("submit",r),e(l.form).on("form-pre-serialize",r),i.on("destroy.ckeditor",function(){e(l.form).off("submit",r),e(l.form).off("form-pre-serialize",r)})}o.on("destroy",function(){i.removeData("ckeditorInstance")}),i.removeData("_ckeditorInstanceLock"),i.trigger("instanceReady.ckeditor",[o]),t&&t.apply(o,[l]),s.resolve()}else setTimeout(a,100)},0)},null,null,9999))});var a=new e.Deferred;return this.promise=a.promise(),e.when.apply(this,o).then(function(){a.resolve()}),this.editor=this.eq(0).data("ckeditorInstance"),this}}),CKEDITOR.config.jqueryOverrideVal&&(e.fn.val=CKEDITOR.tools.override(e.fn.val,function(t){return function(n){if(arguments.length){var i=this,o=[],a=this.each(function(){var i=e(this),a=i.data("ckeditorInstance");if(i.is("textarea")&&a){var r=new e.Deferred;return a.setData(n,function(){r.resolve()}),o.push(r.promise()),!0}return t.call(i,n)});if(o.length){var r=new e.Deferred;return e.when.apply(this,o).done(function(){r.resolveWith(i)}),r.promise()}return a}var l=(a=e(this).eq(0)).data("ckeditorInstance");return a.is("textarea")&&l?l.getData():t.call(a)}}))}(window.jQuery)}},t={};function n(i){var o=t[i];if(void 0!==o)return o.exports;var a=t[i]={exports:{}};return e[i](a,a.exports,n),a.exports}n.n=e=>{var t=e&&e.__esModule?()=>e.default:()=>e;return n.d(t,{a:t}),t},n.d=(e,t)=>{for(var i in t)n.o(t,i)&&!n.o(e,i)&&Object.defineProperty(e,i,{enumerable:!0,get:t[i]})},n.o=(e,t)=>Object.prototype.hasOwnProperty.call(e,t),(()=>{"use strict";n(8316),n(1939),n(7068),n(3805),n(461),n(8315),n(7320)})()})(); \ No newline at end of file
concrete/js/cms.js+1 −1 modifiedconcrete/routes/dialogs/files.php+0 −1 modified@@ -43,7 +43,6 @@ $router->all('/thumbnails', 'Thumbnails::view'); $router->all('/thumbnails/edit', 'Thumbnails\Edit::view'); $router->all('/thumbnails/edit/submit', 'Thumbnails\Edit::submit'); -$router->all('/usage/{fID}', 'Usage::view'); $router->all('/statistics/{fID}', 'Statistics::view'); $router->all('/statistics/load_more/{fID}', 'Statistics::load_more'); $router->all('/statistics/download/{fID}', 'Statistics::download');
concrete/single_pages/dashboard/extend/install.php+8 −2 modified@@ -315,7 +315,10 @@ <p><?= h($pb->summary); ?></p> </div> <div class="d-block ms-auto"> - <a href="<?= URL::to('/dashboard/extend/install', 'download', $pb->id); ?>" class="btn btn-sm btn-secondary"><?= t('Download'); ?></a> + <form method="post" action="<?= URL::to('/dashboard/extend/install', 'download', $pb->id); ?>" class="d-inline"> + <?= $token->output('download_package'); ?> + <button type="submit" class="btn btn-sm btn-secondary"><?= t('Download'); ?></button> + </form> </div> </div> <?php @@ -338,7 +341,10 @@ } else { ?> <div class="btn-group ms-auto d-block"> - <a href="<?= URL::to('/dashboard/extend/install', 'install_package', $obj->getPackageHandle()); ?>" class="btn btn-sm btn-secondary"><?= t('Install'); ?></a><?php + <form method="post" action="<?= URL::to('/dashboard/extend/install', 'install_package', $obj->getPackageHandle()); ?>" class="d-inline"> + <?= $token->output('install_package'); ?> + <button type="submit" class="btn btn-sm btn-secondary"><?= t('Install'); ?></button> + </form><?php if ($displayDeleteBtn) { ?><a href="javascript:void(0)" class="btn btn-sm btn-danger" onclick="deletePackage('<?= $obj->getPackageHandle() ?>', '<?= $obj->getPackageName() ?>')"><?= t('Delete') ?></a> <?php
concrete/single_pages/dashboard/extend/update.php+10 −2 modified@@ -60,7 +60,10 @@ ?> <td class="ccm-marketplace-list-install-button"> <a class="btn" target="_blank" href="#"><?=t('More Information')?></a> - <?=$ch->button(t('Download and Install'), View::url('/dashboard/extend/update', 'prepare_remote_upgrade', $remotePackage->id), '', 'primary')?> + <form method="post" action="<?= View::url('/dashboard/extend/update', 'prepare_remote_upgrade', $remotePackage->id) ?>" class="d-inline"> + <?= $valt->output('prepare_remote_upgrade') ?> + <button type="submit" class="btn btn-secondary primary"><?= t('Download and Install') ?></button> + </form> </td> <?php } @@ -107,7 +110,12 @@ <td class="ccm-addon-list-description"><h3><?=$pkg->getPackageName()?></h3><p><?=$pkg->getPackageDescription()?></p> <p><strong><?=t('New Version: %s. Upgrading from: %s.', $pkg->getPackageVersion(), $entity->getPackageVersion())?></strong></p> </td> - <td class="ccm-marketplace-list-install-button"><?=$ch->button(t('Update Add-On'), View::url('/dashboard/extend/update', 'do_update', $pkg->getPackageHandle()), '', 'btn-primary')?></td> + <td class="ccm-marketplace-list-install-button"> + <form method="post" action="<?= View::url('/dashboard/extend/update', 'do_update', $pkg->getPackageHandle()) ?>" class="d-inline"> + <?= $valt->output('update_addon') ?> + <button type="submit" class="btn btn-secondary btn-primary"><?= t('Update Add-On') ?></button> + </form> + </td> </tr> <tr> <td colspan="2" style="border-top: 0px">
concrete/src/Api/OAuth/Controller.php+57 −29 modified@@ -14,6 +14,11 @@ use Concrete\Core\Logging\LoggerAwareInterface; use Concrete\Core\Logging\LoggerAwareTrait; use Concrete\Core\Support\Facade\Application; +use Concrete\Core\User\Exception\FailedLoginThresholdExceededException; +use Concrete\Core\User\Exception\InvalidCredentialsException; +use Concrete\Core\User\Exception\UserDeactivatedException; +use Concrete\Core\User\Exception\UserException; +use Concrete\Core\User\Login\LoginService; use Concrete\Core\User\User as UserObject; use Concrete\Core\Validation\CSRF\Token; use Concrete\Core\View\View; @@ -193,6 +198,8 @@ public function handleLogin(AuthorizationRequest $request) { $error = new ErrorList(); $emailLogin = $this->config->get('concrete.user.registration.email_registration'); + $app = Application::getFacadeApplication(); + $loginService = $app->make(LoginService::class); while ($this->request->getMethod() === 'POST') { @@ -204,43 +211,47 @@ public function handleLogin(AuthorizationRequest $request) $query = $this->request->getParsedBody(); $user = array_get($query, 'uName'); $password = array_get($query, 'uPassword'); + $user = is_string($user) ? trim($user) : ''; + $password = is_string($password) ? $password : ''; - $userRepository = $this->entityManager->getRepository(User::class); - - /** @var User $user */ - $user = $userRepository->findOneBy([$emailLogin ? 'uEmail' : 'uName' => $user]); - - $app = Application::getFacadeApplication(); - $hasher = $app->make(\Concrete\Core\Encryption\PasswordHasher::class); - - // User successfully logged in - if ($user && $user->getUserID() && $hasher->checkPassword($password, $user->getUserPassword())) { - if ($hasher->needsRehash($user->getUserPassword())) { - $em = $app->make(EntityManagerInterface::class); - - try { - $em->transactional(function () use ($user, $hasher, $password) { - $user->setUserPassword($hasher->hashPassword($password)); - }); - } catch (\Throwable $e) { - $this->logger->emergency('Unable to rehash password for user {user} ({id}): {message}', [ - 'user' => $user->getUserName(), - 'id' => $user->getUserID(), - 'message' => $e->getMessage(), - ]); - } + if ($user === '' || $password === '') { + if ($emailLogin) { + $error->add(t('Please provide both email address and password.')); + } else { + $error->add(t('Please provide both username and password.')); } + break; + } + + $failedLogins = $app->make('failed_login'); + if ($failedLogins->isDenylisted()) { + $error->add($failedLogins->getErrorMessage()); + break; + } + + try { + $loggedInUser = $loginService->login($user, $password); + $loginService->logLoginAttempt($user); - $userInfo = $this->entityManager->find(User::class, $user->getUserID()); + $userInfo = $this->entityManager->find(User::class, $loggedInUser->getUserID()); $request->setUser($userInfo); $this->storeRequest($request); return new \RedirectResponse($this->request->getUri()); - } else { - if ($this->config->get('concrete.user.registration.email_registration')) { - $message = t('Invalid email address or password.'); + } catch (UserException $e) { + try { + $this->handleFailedLogin($loginService, $user, $password, $e); + } catch (UserException $x) { + $e = $x; + } + if ($e instanceof InvalidCredentialsException) { + if ($emailLogin) { + $message = t('Invalid email address or password.'); + } else { + $message = t('Invalid username or password.'); + } } else { - $message = t('Invalid username or password.'); + $message = $e->getMessage(); } $error->add($message); } @@ -260,6 +271,23 @@ public function handleLogin(AuthorizationRequest $request) return new \Concrete\Core\Http\Response($contents->render()); } + protected function handleFailedLogin(LoginService $loginService, $uName, $uPassword, UserException $e) + { + if ($e instanceof InvalidCredentialsException) { + try { + $loginService->failLogin($uName, $uPassword); + } catch (FailedLoginThresholdExceededException $e) { + $loginService->logLoginAttempt($uName, ['Failed Login Threshold Exceeded', $e->getMessage()]); + throw $e; + } catch (UserDeactivatedException $e) { + $loginService->logLoginAttempt($uName, ['User Deactivated', $e->getMessage()]); + throw $e; + } + } + + $loginService->logLoginAttempt($uName, ['Invalid Credentials', $e->getMessage()]); + } + /** * Handle the scope authorization portion of an authorization request * This method renders a view that outputs a list of scopes and asks the user to verify that they want to give the
concrete/src/Block/BlockController.php+4 −1 modified@@ -4,6 +4,7 @@ use Concrete\Core\Area\Area; use Concrete\Core\Backup\ContentExporter; use Concrete\Core\Backup\ContentImporter; +use Concrete\Core\Block\Controller\SaveMode; use Concrete\Core\Block\View\BlockViewTemplate; use Concrete\Core\Database\Connection\Connection; use Concrete\Core\Editor\LinkAbstractor; @@ -155,6 +156,8 @@ class BlockController extends \Concrete\Core\Controller\AbstractController */ public static $btTitleFormats = ['h1' => 'H1', 'h2' => 'H2', 'h3' => 'H3', 'h4' => 'H4', 'h5' => 'H5', 'h6' => 'H6', 'p' => 'Normal']; + public $saveMode = SaveMode::SAVE_MODE_REQUEST; + /** * Set this to true if the data sent to the save/performSave methods can contain NULL values that should be persisted. * @@ -540,7 +543,7 @@ public function import($page, $arHandle, \SimpleXMLElement $blockNode) $blockData = []; $bt = \Concrete\Core\Block\BlockType\BlockType::getByHandle($this->btHandle); - $b = $page->addBlock($bt, $arHandle, $args); + $b = $page->addBlock($bt, $arHandle, $args, SaveMode::SAVE_MODE_IMPORT); $bName = (string) $blockNode['name']; $bFilename = (string) $blockNode['custom-template']; if ($bName) {
concrete/src/Block/Controller/SaveMode.php+9 −0 added@@ -0,0 +1,9 @@ +<?php + +namespace Concrete\Core\Block\Controller; + +class SaveMode +{ + public const SAVE_MODE_REQUEST = 'request'; + public const SAVE_MODE_IMPORT = 'import'; +}
concrete/src/Conversation/FrontendController.php+4 −0 modified@@ -260,6 +260,10 @@ protected function getBlockConversation(): Conversation if (!($blockConversation instanceof Conversation)) { throw new UserMessageException(t('Invalid Conversation.')); } + $cp = new Checker($blockConversation); + if (!$cp->canViewConversation()) { + throw new UserMessageException(t('Access Denied.')); + } $this->blockConversation = $blockConversation; }
concrete/src/Entity/Block/BlockType/BlockType.php+4 −2 modified@@ -5,6 +5,7 @@ use BlockTypeSet; use Concrete\Block\CoreStackDisplay\Controller; use Concrete\Core\Block\BlockType\BlockTypeList; +use Concrete\Core\Block\Controller\SaveMode; use Concrete\Core\Block\View\BlockView; use Concrete\Core\Database\Schema\Schema; use Concrete\Core\Filesystem\TemplateFile; @@ -630,10 +631,10 @@ public function delete() * @param mixed $data * @param bool|\Collection $c * @param bool|\Area $a - * + * @param string $saveMode * @return bool|\Concrete\Core\Block\Block */ - public function add($data, $c = false, $a = false) + public function add($data, $c = false, $a = false, ?string $saveMode = SaveMode::SAVE_MODE_REQUEST) { $app = Facade::getFacadeApplication(); $db = $app->make('database')->connection(); @@ -672,6 +673,7 @@ public function add($data, $c = false, $a = false) } $class = $this->getBlockTypeClass(); $bc = $app->make($class, ['obj' => $nb]); + $bc->saveMode = $saveMode; $bc->save($data); return Block::getByID($bIDnew);
concrete/src/Feed/FeedService.php+30 −2 modified@@ -3,7 +3,12 @@ use Concrete\Core\Cache\Adapter\LaminasCacheDriver; use Concrete\Core\Config\Repository\Repository; +use Concrete\Core\Error\UserMessageException; use Concrete\Core\Http\Client\Factory as HttpClientFactory; +use Concrete\Core\Url\Validation\InvalidRemoteUrlException; +use Concrete\Core\Url\Validation\RemoteUrlRequestOptionsBuilder; +use Concrete\Core\Url\Validation\RemoteUrlValidator; +use Concrete\Core\Url\Validation\ValidatedRemoteUrl; use Laminas\Feed\Reader\Feed\FeedInterface; use Laminas\Feed\Reader\Reader; @@ -19,10 +24,22 @@ class FeedService */ protected $httpClientFactory; + /** + * @var \Concrete\Core\Url\Validation\RemoteUrlValidator + */ + protected $remoteUrlValidator; + + /** + * @var \Concrete\Core\Url\Validation\RemoteUrlRequestOptionsBuilder + */ + protected $remoteUrlRequestOptionsBuilder; + public function __construct(Repository $config, HttpClientFactory $httpClientFactory) { $this->config = $config; $this->httpClientFactory = $httpClientFactory; + $this->remoteUrlValidator = new RemoteUrlValidator(); + $this->remoteUrlRequestOptionsBuilder = new RemoteUrlRequestOptionsBuilder(); } /** @@ -38,7 +55,8 @@ public function load($url, $cache = 3600) Reader::setCache(new LaminasCacheDriver('cache/expensive', $cache)); } - Reader::setHttpClient(new GuzzleClient($this->buildHttpClient())); + $validatedUrl = $this->getValidatedFeedUrl($url); + Reader::setHttpClient(new GuzzleClient($this->buildHttpClient($validatedUrl))); // Load the RSS feed, either from remote URL or from cache // (if specified above and still fresh) @@ -59,12 +77,22 @@ public function getPosts(FeedInterface $feed): array /** * @return \Concrete\Core\Http\Client\Client */ - protected function buildHttpClient() + protected function buildHttpClient(ValidatedRemoteUrl $validatedUrl) { $options = [ 'timeout' => 5, ] + $this->httpClientFactory->getDefaultOptions($this->config); + $options = array_replace($options, $this->remoteUrlRequestOptionsBuilder->build($validatedUrl)); return $this->httpClientFactory->createFromOptions($options); } + + protected function getValidatedFeedUrl($url) + { + try { + return $this->remoteUrlValidator->validate((string) $url); + } catch (InvalidRemoteUrlException $x) { + throw new UserMessageException(t('The RSS feed URL is not valid.')); + } + } }
concrete/src/Legacy/Pagination.php+3 −0 modified@@ -194,6 +194,7 @@ public function getNext($linkText = false, $wrapper = 'span') return '<' . $wrapper . ' class="page-link"' . ($wrapper == 'a' ? ' href="#"' : '') . '>'.$linkText.'</' . $wrapper . '>'; } else { $linkURL = str_replace("%pageNum%", $this->getNextInt() + 1, $this->URL); + $linkURL = htmlspecialchars($linkURL, ENT_QUOTES, 'UTF-8'); return '<a class="page-link" href="'.$linkURL.'" '.$this->getJSFunctionCall($this->getNextInt() + 1).'>'.$linkText.'</a>'; } @@ -221,6 +222,7 @@ public function getPrevious($linkText = false, $wrapper = 'span') return '<' . $wrapper . ' class="page-link"' . ($wrapper == 'a' ? ' href="#"' : '') . '>'.$linkText.'</' . $wrapper . '>'; } else { $linkURL = str_replace("%pageNum%", $this->getPreviousInt() + 1, $this->URL); + $linkURL = htmlspecialchars($linkURL, ENT_QUOTES, 'UTF-8'); return '<a class="page-link" href="'.$linkURL.'" '.$this->getJSFunctionCall($this->getPreviousInt() + 1).'>'.$linkText.'</a>'; } @@ -301,6 +303,7 @@ public function getPages($wrapper = 'span') } } else { $linkURL = str_replace("%pageNum%", $i + 1, $this->URL); + $linkURL = htmlspecialchars($linkURL, ENT_QUOTES, 'UTF-8'); if ($wrapper == 'li') { $pages .= "<li class=\"page-item\"><a class=\"page-link\" href=\"{$linkURL}\" ".$this->getJSFunctionCall($i + 1).">".($i + 1)."</a></li>";
concrete/src/Page/Collection/Collection.php+3 −2 modified@@ -11,6 +11,7 @@ use Concrete\Core\Area\CustomStyle as AreaCustomStyle; use Concrete\Core\Area\GlobalArea; use Concrete\Core\Attribute\Key\CollectionKey; +use Concrete\Core\Block\Controller\SaveMode; use Concrete\Core\Block\CustomStyle as BlockCustomStyle; use Concrete\Core\Block\CustomStyleRepository as BlockCustomStyleRepository; use Concrete\Core\Database\Connection\Connection; @@ -1010,14 +1011,14 @@ public function getBlockIDs($arHandle = false) * * @return \Concrete\Core\Block\Block */ - public function addBlock($bt, $a, $data) + public function addBlock($bt, $a, $data, ?string $saveMode = SaveMode::SAVE_MODE_REQUEST) { $app = Application::getFacadeApplication(); /** @var Connection $db */ $db = $app->make(Connection::class); // first we add the block to the system - $nb = $bt->add($data, $this, $a); + $nb = $bt->add($data, $this, $a, $saveMode); // now that we have a block, we add it to the collectionversions table
concrete/src/Page/Page.php+5 −2 modified@@ -5,6 +5,7 @@ use Concrete\Core\Area\Area; use Block; use CacheLocal; +use Concrete\Core\Block\Controller\SaveMode; use Concrete\Core\Entity\Page\Summary\CustomPageTemplateCollection; use Concrete\Core\Localization\Service\Date; use Concrete\Core\Page\Collection\Collection; @@ -1192,6 +1193,8 @@ public function updateCollectionAliasExternal($cName, $cLink, $newWindow = 0) } else { $newWindow = 0; } + $cLink = app('helper/security')->sanitizeURL($cLink); + $cName = app('helper/text')->sanitize($cName); $db->executeQuery('update CollectionVersions set cvName = ? where cID = ?', [$cName, $this->cID]); $db->executeQuery('update Pages set cPointerExternalLink = ?, cPointerExternalLinkNewWindow = ? where cID = ?', [$cLink, $newWindow, $this->cID]); } @@ -2851,12 +2854,12 @@ public function updateGroupsSubCollection($cParentIDString) * * @return \Concrete\Core\Block\Block */ - public function addBlock($bt, $a, $data) + public function addBlock($bt, $a, $data, ?string $saveMode = SaveMode::SAVE_MODE_REQUEST) { if (is_string($a) && $a !== '') { $a = Area::getOrCreate($this, $a); } - $b = parent::addBlock($bt, $a, $data); + $b = parent::addBlock($bt, $a, $data, $saveMode); $btHandle = $bt->getBlockTypeHandle(); if ($b->getBlockTypeHandle() == BLOCK_HANDLE_PAGE_TYPE_OUTPUT_PROXY) { $bi = $b->getInstance();
concrete/src/Summary/Category/Driver/AbstractDriver.php+5 −0 modified@@ -4,6 +4,7 @@ use Concrete\Core\Application\Application; use Concrete\Core\Application\ApplicationAwareInterface; use Concrete\Core\Application\ApplicationAwareTrait; +use Concrete\Core\Summary\Category\CategoryMemberInterface; use Doctrine\ORM\EntityManager; defined('C5_EXECUTE') or die("Access Denied."); @@ -23,4 +24,8 @@ public function __construct(EntityManager $entityManager) $this->entityManager = $entityManager; } + public function canViewRenderedSummaryTemplates(CategoryMemberInterface $object): bool + { + return false; + } }
concrete/src/Summary/Category/Driver/CalendarEventDriver.php+11 −0 modified@@ -4,7 +4,9 @@ use Concrete\Core\Calendar\Event\EventOccurrenceService; use Concrete\Core\Calendar\Event\EventService; +use Concrete\Core\Entity\Calendar\CalendarEventVersionOccurrence; use Concrete\Core\Entity\Calendar\Summary\CalendarEventTemplate; +use Concrete\Core\Permission\Checker; use Concrete\Core\Summary\Category\CategoryMemberInterface; use Concrete\Core\Summary\Template\RenderableTemplateInterface; @@ -23,5 +25,14 @@ public function getMemberSummaryTemplate($templateID): ?RenderableTemplateInterf return $this->entityManager->find(CalendarEventTemplate::class, $templateID); } + /** + * @param CalendarEventVersionOccurrence $object + */ + public function canViewRenderedSummaryTemplates(CategoryMemberInterface $object): bool + { + $calendar = $object->getEvent()->getCalendar(); + $checker = new Checker($calendar); + return $checker->canEditCalendar(); + } }
concrete/src/Summary/Category/Driver/DriverInterface.php+1 −0 modified@@ -14,4 +14,5 @@ public function getCategoryMemberFromIdentifier($identifier): ?CategoryMemberInt public function getMemberSummaryTemplate($templateID): ?RenderableTemplateInterface; + public function canViewRenderedSummaryTemplates(CategoryMemberInterface $object): bool; }
concrete/src/Summary/Category/Driver/PageDriver.php+11 −0 modified@@ -3,6 +3,7 @@ use Concrete\Core\Entity\Page\Summary\PageTemplate; use Concrete\Core\Page\Page; +use Concrete\Core\Permission\Checker; use Concrete\Core\Summary\Category\CategoryMemberInterface; use Concrete\Core\Summary\Template\RenderableTemplateInterface; @@ -21,4 +22,14 @@ public function getMemberSummaryTemplate($templateID): ?RenderableTemplateInterf return $this->entityManager->find(PageTemplate::class, $templateID); } + /** + * @param Page $object + * @return bool + */ + public function canViewRenderedSummaryTemplates(CategoryMemberInterface $object): bool + { + $checker = new Checker($object); + return $checker->canEditPageTemplate(); + } + }
concrete/src/Url/Validation/InvalidRemoteUrlException.php+9 −0 added@@ -0,0 +1,9 @@ +<?php + +namespace Concrete\Core\Url\Validation; + +use RuntimeException; + +class InvalidRemoteUrlException extends RuntimeException +{ +}
concrete/src/Url/Validation/RemoteUrlRequestOptionsBuilder.php+23 −0 added@@ -0,0 +1,23 @@ +<?php + +namespace Concrete\Core\Url\Validation; + +use GuzzleHttp\RequestOptions; + +class RemoteUrlRequestOptionsBuilder +{ + public function build(ValidatedRemoteUrl $validatedUrl): array + { + $url = $validatedUrl->getUrl(); + $host = trim((string) $url->getHost()); + $scheme = strtolower((string) $url->getScheme()); + $port = $url->getPort(); + $port = $port ? $port->get() : null; + $port = $port ? (int) $port : ($scheme === 'http' ? 80 : 443); + + return [ + RequestOptions::ALLOW_REDIRECTS => false, + 'curl' => [CURLOPT_RESOLVE => [sprintf('%s:%d:%s', $host, $port, $validatedUrl->getIp())]], + ]; + } +}
concrete/src/Url/Validation/RemoteUrlValidator.php+66 −0 added@@ -0,0 +1,66 @@ +<?php + +namespace Concrete\Core\Url\Validation; + +use Concrete\Core\Url\Url; +use IPLib\Factory as IPFactory; +use IPLib\Range\Type as IPRangeType; +use RuntimeException; + +class RemoteUrlValidator +{ + public function validate(string $url, array $allowedSchemes = ['http', 'https']): ValidatedRemoteUrl + { + try { + $parsedUrl = Url::createFromUrl($url); + } catch (RuntimeException $x) { + throw new InvalidRemoteUrlException($x->getMessage(), 0, $x); + } + + $scheme = strtolower((string) $parsedUrl->getScheme()); + if (!in_array($scheme, $allowedSchemes, true)) { + throw new InvalidRemoteUrlException('Invalid URL scheme.'); + } + + $host = trim((string) $parsedUrl->getHost()); + if (in_array(strtolower($host), ['', '0', 'localhost'], true)) { + throw new InvalidRemoteUrlException('Invalid URL host.'); + } + + $ipFormatBlocks = [ + '/^\d+$/', + '/^0x[0-9a-f]+$/i', + ]; + + foreach ($ipFormatBlocks as $block) { + if (preg_match($block, $host) !== 0) { + throw new InvalidRemoteUrlException('Invalid URL host.'); + } + } + + $ip = null; + if (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 | FILTER_FLAG_IPV6) !== false) { + $ip = IPFactory::parseAddressString($host); + } elseif (preg_match('/^[0-9.]+$/', $host) !== 0) { + // Reject non-standard numeric host notations like dotted octal. + throw new InvalidRemoteUrlException('Invalid URL host.'); + } + + if ($ip === null) { + $dnsList = @dns_get_record($host, DNS_A | DNS_AAAA); + while ($ip === null && $dnsList !== false && count($dnsList) > 0) { + $dns = array_shift($dnsList); + $resolvedIp = $dns['ip'] ?? $dns['ipv6'] ?? null; + if ($resolvedIp !== null) { + $ip = IPFactory::parseAddressString($resolvedIp); + } + } + } + + if ($ip === null || $ip->getRangeType() !== IPRangeType::T_PUBLIC) { + throw new InvalidRemoteUrlException('Invalid URL host.'); + } + + return new ValidatedRemoteUrl($parsedUrl, $ip->toString()); + } +}
concrete/src/Url/Validation/ValidatedRemoteUrl.php+57 −0 added@@ -0,0 +1,57 @@ +<?php + +namespace Concrete\Core\Url\Validation; + +use Concrete\Core\Url\Url; + +class ValidatedRemoteUrl +{ + /** + * @var \Concrete\Core\Url\Url + */ + protected $url; + + /** + * @var string + */ + protected $ip; + + public function __construct(Url $url, string $ip) + { + $this->url = $url; + $this->ip = $ip; + } + + public function getUrl(): Url + { + return $this->url; + } + + public function getScheme(): string + { + return strtolower((string) $this->url->getScheme()); + } + + public function getHost(): string + { + return trim((string) $this->url->getHost()); + } + + public function getPort(): int + { + $port = $this->url->getPort(); + $port = $port ? $port->get() : null; + + return $port ? (int) $port : ($this->getScheme() === 'http' ? 80 : 443); + } + + public function getIp(): string + { + return $this->ip; + } + + public function __toString(): string + { + return (string) $this->url; + } +}
concrete/src/User/UserInfo.php+6 −2 modified@@ -494,6 +494,9 @@ public function getUserObject() */ public function update($data) { + $data = is_array($data) ? $data : []; + $allowPasswordUpdate = ($data['_allowPasswordUpdate'] ?? null) === true; + $allowIgnoredIPMismatchesUpdate = ($data['_allowIgnoredIPMismatchesUpdate'] ?? null) === true; $uID = (int)$this->getUserID(); if ($uID === 0) { $result = false; @@ -533,7 +536,7 @@ public function update($data) $values[] = $data['uHomeFileManagerFolderID']; } } - if (isset($data['uPassword']) && (string)$data['uPassword'] !== '') { + if ($allowPasswordUpdate && isset($data['uPassword']) && (string)$data['uPassword'] !== '') { if (isset($data['uPasswordConfirm']) && $data['uPassword'] === $data['uPasswordConfirm']) { $passwordChangedOn = $this->application->make('date')->getOverridableNow(); $fields[] = 'uPassword = ?'; @@ -548,7 +551,7 @@ public function update($data) $result = null; } } - if (is_array($data['ignoredIPMismatches'] ?? null)) { + if ($allowIgnoredIPMismatchesUpdate && is_array($data['ignoredIPMismatches'] ?? null)) { $fields[] = 'ignoredIPMismatches = ?'; $values[] = (new SimpleArrayType())->convertToDatabaseValue($data['ignoredIPMismatches'], $this->connection->getDatabasePlatform()); } @@ -712,6 +715,7 @@ public function markValidated() public function changePassword($newPassword) { return $this->update([ + '_allowPasswordUpdate' => true, 'uPassword' => $newPassword, 'uPasswordConfirm' => $newPassword, 'uIsPasswordReset' => false,
concrete/src/Utility/Service/Url.php+9 −8 modified@@ -28,15 +28,16 @@ public function setVariable($variable, $value = false, $url = false) // sanitizeString() removes tags like <script>… and similar markup. $url = Loader::helper('security')->sanitizeString($_SERVER['REQUEST_URI']); $url = $encodeQuotesAndStripCRLF($url); - } elseif (strpos($url, '?') === false) { - // Base URL provided without a query: protect it too (in case it contains quotes). + } else { + // Base URL provided by the caller: protect it too (in case it contains quotes). $url = $encodeQuotesAndStripCRLF($url); - - // Append the current query string, after sanitizing and applying the same light encoding. - $qs = isset($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : ''; - $qs = Loader::helper('security')->sanitizeString($qs); - if ($qs !== false && $qs !== '') { - $url .= '?' . $encodeQuotesAndStripCRLF($qs); + if (strpos($url, '?') === false) { + // Append the current query string, after sanitizing and applying the same light encoding. + $qs = isset($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : ''; + $qs = Loader::helper('security')->sanitizeString($qs); + if ($qs !== false && $qs !== '') { + $url .= '?' . $encodeQuotesAndStripCRLF($qs); + } } }
concrete/themes/atomik/account.php+1 −1 modified@@ -8,7 +8,7 @@ // spacing. If we add an element between the container and the outer page class it breaks this. ?> <div class="row"> <div class="col-md-12"> - <h1><?=$c->getCollectionName()?></h1> + <h1><?=h($c->getCollectionName())?></h1> <?php View::element(
concrete/themes/dashboard/main.js+2 −2 modifiedconcrete/views/dialogs/file/usage.php+0 −58 removed@@ -1,58 +0,0 @@ -<?php - -use Concrete\Core\Entity\Statistics\UsageTracker\FileUsageRecord; -use Concrete\Core\Page\Page; -use Concrete\Core\Support\Facade\Url; - -/** @var FileUsageRecord[] $records */ - -?> -<div class="ccm-ui"> - <table class="table table-striped"> - <thead> - <tr> - <td> - <?php echo t('Page ID') ?> - </td> - - <td> - <?php echo t('Version') ?> - </td> - - <td> - <?php echo t('Handle') ?> - </td> - - <td> - <?php echo t('Location') ?> - </td> - </tr> - </thead> - - <tbody> - <?php foreach ($records as $record): ?> - <?php $page = Page::getByID($record->getCollectionID()); ?> - - <tr> - <td> - <?php echo $page->getCollectionID() ?> - </td> - - <td> - <?php echo $page->getVersionID() ?> - </td> - - <td> - <?php echo $page->getCollectionHandle() ?> - </td> - - <td> - <a target="_blank" href="<?php echo Url::to($page) ?>"> - <?php echo h($page->getCollectionPath() ?: '/') ?> - </a> - </td> - </tr> - <?php endforeach; ?> - </tbody> - </table> -</div>
concrete/views/dialogs/file/versions.php+2 −0 modified@@ -102,6 +102,7 @@ 'fileVersions' => $versions, 'canPreviewFileVersion' => $canPreviewFileVersion, 'canDeleteFileVersion' => $canDeleteFileVersion, + 'approveToken' => $token->generate('approve_file_version'), ]) ?>; }, watch: { @@ -115,6 +116,7 @@ data: { fID: this.fileID, fvID: this.activeFileVersionID, + <?= json_encode($token::DEFAULT_TOKEN_NAME) ?>: this.approveToken, }, success: () => { this.busy = false;
concrete/views/oauth/authorize.php+1 −1 modified@@ -50,7 +50,7 @@ <?php if (!$authorize) { ?> - <h3 class="text-center"><?= t('Sign in to %s', "<strong>{$client->getName()}</strong>") ?></h3> + <h3 class="text-center"><?= t('Sign in to %s', "<strong>{h($client->getName())}</strong>") ?></h3> <?php } ?>
tests/tests/Controller/Backend/FileTest.php+3 −4 modified@@ -67,14 +67,13 @@ public static function remoteUrlsToTry(): iterable $octal3 = '01002004010'; $integer = '134744072'; - // Test hexadecimal IPs get caught as local + // Standard public IPv4 hosts remain valid, but non-standard numeric notations are rejected. yield ['http://' . $simpleIp]; // This is allowed because it's an external IP yield ['http://' . $hex, UserMessageException::class, '/The URL ".+?" is not valid./']; - yield ['http://' . $octal]; // This form is allowed because it at least converts properly in ip-lib - yield ['http://' . $octal2]; // Same as the first octal + yield ['http://' . $octal, UserMessageException::class, '/The URL ".+?" is not valid./']; + yield ['http://' . $octal2, UserMessageException::class, '/The URL ".+?" is not valid./']; yield ['http://' . $octal3, UserMessageException::class, '/The URL ".+?" is not valid./']; yield ['http://' . $integer, UserMessageException::class, '/The URL ".+?" is not valid./']; } } -
tests/tests/Url/Validation/RemoteUrlValidationTest.php+49 −0 added@@ -0,0 +1,49 @@ +<?php + +declare(strict_types=1); + +namespace Concrete\Tests\Url\Validation; + +use Concrete\Core\Url\Url; +use Concrete\Core\Url\Validation\InvalidRemoteUrlException; +use Concrete\Core\Url\Validation\RemoteUrlRequestOptionsBuilder; +use Concrete\Core\Url\Validation\RemoteUrlValidator; +use Concrete\Core\Url\Validation\ValidatedRemoteUrl; +use Concrete\Tests\TestCase; +use GuzzleHttp\RequestOptions; + +class RemoteUrlValidationTest extends TestCase +{ + public function testValidateWrapsParsedUrlAndResolvedIp(): void + { + $validatedUrl = (new RemoteUrlValidator())->validate('http://8.8.8.8:8080/feed'); + + $this->assertInstanceOf(ValidatedRemoteUrl::class, $validatedUrl); + $this->assertInstanceOf(Url::class, $validatedUrl->getUrl()); + $this->assertSame('http', $validatedUrl->getScheme()); + $this->assertSame('8.8.8.8', $validatedUrl->getHost()); + $this->assertSame(8080, $validatedUrl->getPort()); + $this->assertSame('8.8.8.8', $validatedUrl->getIp()); + $this->assertSame('http://8.8.8.8:8080/feed', (string) $validatedUrl); + } + + public function testBuildUsesWrappedUrlComponentsForCurlResolve(): void + { + $validatedUrl = (new RemoteUrlValidator())->validate('https://8.8.8.8/feed'); + $options = (new RemoteUrlRequestOptionsBuilder())->build($validatedUrl); + + $this->assertFalse($options[RequestOptions::ALLOW_REDIRECTS]); + $this->assertSame( + ['8.8.8.8:443:8.8.8.8'], + $options['curl'][CURLOPT_RESOLVE] + ); + } + + public function testValidateRejectsLocalhost(): void + { + $this->expectException(InvalidRemoteUrlException::class); + $this->expectExceptionMessage('Invalid URL host.'); + + (new RemoteUrlValidator())->validate('http://localhost/feed'); + } +}
Vulnerability mechanics
Root cause
"Inverted CSRF token check in the `deleteVersion()` method of the File controller: the code throws an error when the token IS valid and proceeds with file deletion when the token is invalid or missing."
Attack vector
An attacker crafts a malicious page that submits a forged request to the `deleteVersion` endpoint while a logged-in administrator (who has permission to edit conversation messages) visits that page. Because the CSRF token check is inverted — the code only throws an error when the token is valid, and proceeds with deletion when the token is invalid or missing — the forged request bypasses CSRF protection entirely [patch_id=1293003]. The attacker does not need to know or steal a valid CSRF token. The vulnerability is triggered via a standard cross-site request forgery attack over HTTP POST.
Affected code
The vulnerable code is in `concrete/controllers/backend/file.php` in the `deleteVersion()` method. The original logic was: `if (!$token->validate('delete-version')) { $files = $this->getRequestFiles('edit_file_contents'); }` — this means file access only occurs when the token is INVALID, which is the opposite of the intended behavior [patch_id=1293003].
What the fix does
The patch corrects the inverted logic in `deleteVersion()` by removing the conditional that gated file access on an invalid token. Instead, the method now always calls `getRequestFiles('edit_file_contents')` to retrieve the files, and a proper CSRF token validation (with `$token->validate()`) is added to the `star()`, `rescan()`, `rescanMultiple()`, `approveVersion()`, `addFavoriteFolder()`, and `removeFavoriteFolder()` methods [patch_id=1293003]. This ensures that all sensitive file operations require a valid CSRF token before proceeding, closing the protection gap.
Preconditions
- authThe victim must be logged in as a user with permission to edit conversation messages (and thus access the file deletion endpoint).
- networkThe attacker must be able to deliver a crafted HTML page to the victim's browser (e.g., via a link or embedded content).
- inputThe attacker must craft a POST request to the deleteVersion endpoint with the target file version ID (fvID) but without a valid CSRF token.
Generated on May 22, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1News mentions
0No linked articles in our index yet.