Medium severityNVD Advisory· Published May 21, 2026
CVE-2026-8239
CVE-2026-8239
Description
Concrete CMS 9.5.0 and below is vulnerable to IDOR. The '/ccm/frontend/conversations/get_rating' endpoint confirms existence and returns rating score for any message by ID. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with Vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Tristan Madani for reporting.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Concrete CMS 9.5.0 and below contains an Insecure Direct Object Reference (IDOR) in the get_rating endpoint, exposing message existence and rating scores.
Root
Cause
CVE-2026-8239 is an Insecure Direct Object Reference (IDOR) vulnerability in Concrete CMS versions 9.5.0 and earlier. The endpoint /ccm/frontend/conversations/get_rating confirms the existence of any message by its numeric ID and returns the associated rating score without proper authorization checks [1]. This allows an unauthenticated attacker to enumerate message IDs and extract rating data.
Exploitation
The vulnerability is exploitable over the network (AV:N) without requiring authentication (PR:N) or user interaction (UI:N) [1]. An attacker needs only to know or guess a message ID; the endpoint responds with existence confirmation and the rating value. The attack complexity is low (AC:L) but requires some attacker persistence (AT:P) [1].
Impact
A successful attacker can learn which message IDs exist and retrieve their rating scores, violating confidentiality (VC:L) [1]. The CVSS v4.0 base score is 6.3 (Medium), reflecting limited information disclosure with no impact on integrity or availability [1].
Mitigation
Concrete CMS 9.5.1, released on February 18, 2026, addresses this vulnerability as part of a broader security and behavior update [1]. Users are advised to upgrade immediately. No workarounds have been documented.
References
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: <=9.5.0
Patches
2f22b9dff5945Sec fixes 9.5.1 (#12920)
https://github.com/concretecms/concretecmsAndrew EmblerMay 19, 2026Fixed in 9.5.1via llm-release-walk
73 files changed · +737 −355
build/assets/themes/dashboard/js/file-manager/file-manager.js+6 −0 modified@@ -39,6 +39,9 @@ new ConcreteAjaxRequest({ loader: false, url: CCM_DISPATCHER_FILENAME + "/ccm/system/file/add_favorite_folder/" + favoriteFolderId, + data: { + ccm_token: CCM_SECURITY_TOKEN + }, success: function() { ConcreteEvent.publish('FileManagerRefreshFavoriteFolderList') } @@ -48,6 +51,9 @@ new ConcreteAjaxRequest({ loader: false, url: CCM_DISPATCHER_FILENAME + "/ccm/system/file/remove_favorite_folder/" + favoriteFolderId, + data: { + ccm_token: CCM_SECURITY_TOKEN + }, success: function() { ConcreteEvent.publish('FileManagerRefreshFavoriteFolderList') }
build/package.json+1 −1 modified@@ -13,7 +13,7 @@ "production": "mix --production" }, "devDependencies": { - "@concretecms/bedrock": "^1.7.1", + "@concretecms/bedrock": "^1.7.2", "cross-env": "^5.1.1", "download": "~8.0.0", "grunt": "^1.5.3",
build/package-lock.json+4 −4 modified@@ -12,7 +12,7 @@ "tui-image-editor": "^3.10.0" }, "devDependencies": { - "@concretecms/bedrock": "^1.7.1", + "@concretecms/bedrock": "^1.7.2", "cross-env": "^5.1.1", "download": "~8.0.0", "grunt": "^1.5.3", @@ -1751,9 +1751,9 @@ } }, "node_modules/@concretecms/bedrock": { - "version": "1.7.1", - "resolved": "https://registry.npmjs.org/@concretecms/bedrock/-/bedrock-1.7.1.tgz", - "integrity": "sha512-iFj4vFmDR9cEs1Is0Xx4dySNc7q5DukRFyp6oFpRGQ4K6qLVqLosvA97aZtt5Ix1OO7K2rNDQ4lNwXfYAOhvAg==", + "version": "1.7.2", + "resolved": "https://registry.npmjs.org/@concretecms/bedrock/-/bedrock-1.7.2.tgz", + "integrity": "sha512-ZlBLoD3zLgsLf3Up6ilwCj+H3Bdxo4PCRp04g3zFg5TfTsIq0bkNKRTaQq7P/mPC3TbyXBK+7g5XobK4JGxbCQ==", "dev": true, "license": "MIT", "dependencies": {
concrete/blocks/calendar/controller.php+13 −3 modified@@ -4,9 +4,11 @@ use Concrete\Core\Attribute\Key\EventKey; use Concrete\Core\Block\BlockController; +use Concrete\Core\Block\Controller\SaveMode; use Concrete\Core\Calendar\Calendar; use Concrete\Core\Calendar\CalendarServiceProvider; use Concrete\Core\Calendar\Event\EventOccurrenceList; +use Concrete\Core\Error\UserMessageException; use Concrete\Core\Feature\Features; use Concrete\Core\Feature\UsesFeatureInterface; use Concrete\Core\Html\Object\HeadLink; @@ -193,10 +195,18 @@ public function action_get_events($bID) $service = $this->app->make('date'); if ($bID == $this->bID) { + $calendar = $this->getCalendar(); + if (!$calendar) { + throw new UserMessageException(t('Invalid calendar.')); + } + $checker = new Checker($calendar); + if (!$checker->canViewCalendar()) { + throw new UserMessageException(t('Access Denied.')); + } $start = $this->request->query->get('start'); $end = $this->request->query->get('end'); $list = new EventOccurrenceList(); - $list->filterByCalendar($this->getCalendar()); + $list->filterByCalendar($calendar); if ($this->filterByTopicAttributeKeyID) { $ak = EventKey::getByID($this->filterByTopicAttributeKeyID); if (is_object($ak)) { @@ -424,7 +434,7 @@ public function supportsLightbox() */ public function save($args) { - if (($args['_fromCIF'] ?? null) === true) { + if ($this->saveMode === SaveMode::SAVE_MODE_IMPORT) { parent::save($args); return; } @@ -548,7 +558,7 @@ public function export(SimpleXMLElement $blockNode) protected function getImportData($blockNode, $page) { $data = parent::getImportData($blockNode, $page); - $data['_fromCIF'] = true; + $this->saveMode = SaveMode::SAVE_MODE_IMPORT; $data['caID'] = 0; if (is_string($caName = $data['caName'] ?? null) && ($caName = trim($caName)) !== '') { $calendar = Calendar::getByName($caName);
concrete/blocks/express_entry_detail/controller.php+9 −1 modified@@ -7,12 +7,15 @@ use Concrete\Core\Entity\Express\Entity; use Concrete\Core\Entity\Express\Entry; use Concrete\Core\Entity\Express\Form; +use Concrete\Core\Error\UserMessageException; use Concrete\Core\Express\Form\Context\FrontendViewContext; use Concrete\Core\Express\Form\Renderer; +use Concrete\Core\Express\ObjectManager; use Concrete\Core\Feature\Features; use Concrete\Core\Feature\UsesFeatureInterface; use Concrete\Core\Form\Context\ContextFactory; use Concrete\Core\Html\Service\Seo; +use Concrete\Core\Permission\Checker; use Concrete\Core\Support\Facade\Express; use Concrete\Core\Support\Facade\Facade; use Concrete\Core\Url\SeoCanonical; @@ -157,9 +160,14 @@ public function view() */ public function action_view_express_entity($exEntryID = null) { - $entry = $exEntryID ? $this->entityManager->find(Entry::class, $exEntryID) : null; + $objectManager = $this->app->make(ObjectManager::class); + $entry = $exEntryID ? $objectManager->getEntryByPublicIdentifier($exEntryID) : null; if ($entry) { $entity = $this->entityManager->find(Entity::class, $this->exEntityID); + $checker = new Checker($entity); + if (!$checker->canViewExpressEntries()) { + throw new UserMessageException(t('Access Denied.')); + } if ($entry->getEntity()->getID() == $entity->getID()) { /** @var Seo $seo */ $seo = $this->app->make('helper/seo');
concrete/blocks/express_entry_list/controller.php+3 −2 modified@@ -4,6 +4,7 @@ use Concrete\Controller\Element\Search\Express\CustomizeResults; use Concrete\Controller\Element\Search\SearchFieldSelector; use Concrete\Core\Block\BlockController; +use Concrete\Core\Block\Controller\SaveMode; use Concrete\Core\Entity\Express\Association; use Concrete\Core\Entity\Express\Entity; use Concrete\Core\Entity\Search\Query; @@ -477,7 +478,7 @@ protected function getItemsPerPageOptions() public function save($data) { $this->on_start(); - $fromCIF = ($data['_fromCIF'] ?? null) === true; + $fromCIF = $this->saveMode === SaveMode::SAVE_MODE_IMPORT; if (!$fromCIF) { $data['columns'] = ''; $data['filterFields'] = ''; @@ -564,7 +565,7 @@ protected function getImportData($blockNode, $page) private function doGetImportData(SimpleXMLElement $blockNode, $page): array { $args = parent::getImportData($blockNode, $page); - $args['_fromCIF'] = true; + $this->saveMode = SaveMode::SAVE_MODE_IMPORT; $xRecord = $blockNode->data[0]->record[0]; $entityID = (string) ($args['exEntityID'] ?? '');
concrete/blocks/express_entry_list/view.php+1 −1 modified@@ -99,7 +99,7 @@ class="table ccm-block-express-entry-list-table <?php if ($tableStriped) { ?><?p <tr class="<?=$rowClass?>"> <?php foreach ($item->getColumns() as $column) { if ($controller->linkThisColumn($column)) { ?> - <td><a href="<?=URL::to($detailPage, 'view_express_entity', $item->getEntry()->getId())?>"><?=$column->getColumnValue($item);?></a></td> + <td><a href="<?=URL::to($detailPage, 'view_express_entity', $item->getEntry()->getPublicIdentifier())?>"><?=$column->getColumnValue($item);?></a></td> <?php } else { ?> <td><?=$column->getColumnValue($item);?></td>
concrete/blocks/feature/controller.php+4 −2 modified@@ -2,6 +2,7 @@ namespace Concrete\Block\Feature; use Concrete\Core\Block\BlockController; +use Concrete\Core\Block\Controller\SaveMode; use Concrete\Core\Editor\LinkAbstractor; use Concrete\Core\Error\UserMessageException; use Concrete\Core\Feature\Features; @@ -228,7 +229,7 @@ public function save($args) $args['title'] = isset($args['title']) ? $security->sanitizeString($args['title']) : ''; $args['titleFormat'] = isset($args['titleFormat']) ? $security->sanitizeString($args['titleFormat']) : ''; $args['paragraph'] = isset($args['paragraph']) ? LinkAbstractor::translateTo($args['paragraph']) : ''; - if (($args['_fromCIF'] ?? null) === true) { + if ($this->saveMode === SaveMode::SAVE_MODE_IMPORT) { $args['internalLinkCID'] = empty($args['internalLinkCID']) ? 0 : (int) $args['internalLinkCID']; } else { [$linkHandle, $linkValue] = $this->app->make(DestinationPicker::class)->decode('link', $this->getLinkDestinationPickers(), $errors, t('Link'), $args); @@ -248,7 +249,8 @@ public function save($args) */ protected function getImportData($blockNode, $page) { - return parent::getImportData($blockNode, $page) + ['_fromCIF' => true]; + $this->saveMode = SaveMode::SAVE_MODE_IMPORT; + return parent::getImportData($blockNode, $page); } /**
concrete/blocks/feature_link/controller.php+3 −2 modified@@ -3,6 +3,7 @@ namespace Concrete\Block\FeatureLink; use Concrete\Core\Block\BlockController; +use Concrete\Core\Block\Controller\SaveMode; use Concrete\Core\Feature\Features; use Concrete\Core\Feature\UsesFeatureInterface; use Concrete\Core\File\File; @@ -272,7 +273,7 @@ public function view() public function save($args) { - $fromCIF = ($args['__fromCIF'] ?? null) === true; + $fromCIF = $this->saveMode === SaveMode::SAVE_MODE_IMPORT; if (!$fromCIF) { list($imageLinkType, $imageLinkValue) = $this->app->make(DestinationPicker::class)->decode('imageLink', $this->getImageLinkPickers(), null, null, $args); $args['buttonInternalLinkCID'] = $imageLinkType === 'page' ? $imageLinkValue : 0; @@ -295,8 +296,8 @@ public function save($args) */ public function getImportData($blockNode, $page) { + $this->saveMode = SaveMode::SAVE_MODE_IMPORT; $args = parent::getImportData($blockNode, $page); - $args += ['__fromCIF' => true]; foreach (['buttonInternalLinkCID', 'buttonFileLinkID', 'fID'] as $field) { $args[$field] = empty($args[$field]) ? 0 : (int) $args[$field]; }
concrete/blocks/hero_image/controller.php+1 −0 modified@@ -259,6 +259,7 @@ public function save($args) } $args['image'] = is_numeric($args['image']) ? $args['image'] : 0; + $args['height'] = isset($args['height']) ? (int) $args['height'] : 0; $security = $this->app->make('helper/security'); $args['icon'] = $security->sanitizeString($args['icon']);
concrete/blocks/hero_image/view.php+2 −0 modified@@ -31,6 +31,8 @@ return; } +$height = (int) $height; + /** * Building the button */
concrete/blocks/image/controller.php+3 −2 modified@@ -3,6 +3,7 @@ namespace Concrete\Block\Image; use Concrete\Core\Block\BlockController; +use Concrete\Core\Block\Controller\SaveMode; use Concrete\Core\Database\Connection\Connection; use Concrete\Core\Error\Error; use Concrete\Core\Feature\Features; @@ -547,7 +548,7 @@ public function delete() */ public function save($args) { - $fromCIF = ($args['__fromCIF'] ?? null) === true; + $fromCIF = $this->saveMode === SaveMode::SAVE_MODE_IMPORT; /** @var Connection $db */ $db = $this->app->make(Connection::class); @@ -611,8 +612,8 @@ public function save($args) */ protected function getImportData($blockNode, $page) { + $this->saveMode = SaveMode::SAVE_MODE_IMPORT; $args = parent::getImportData($blockNode, $page); - $args['__fromCIF'] = true; foreach (['internalLinkCID', 'fileLinkID'] as $field) { $args[$field] = empty($args[$field]) ? 0 : (int) $args[$field]; }
concrete/blocks/page_list/controller.php+3 −2 modified@@ -7,6 +7,7 @@ use Concrete\Core\Attribute\Category\PageCategory; use Concrete\Core\Attribute\Key\CollectionKey; use Concrete\Core\Block\BlockController; +use Concrete\Core\Block\Controller\SaveMode; use Concrete\Core\Block\View\BlockView; use Concrete\Core\Feature\Features; use Concrete\Core\Feature\UsesFeatureInterface; @@ -776,7 +777,7 @@ public function isValidControllerTask($method, $parameters = []) public function save($args) { - $fromCIF = ($args['__fromCIF'] ?? null) === true; + $fromCIF = $this->saveMode === SaveMode::SAVE_MODE_IMPORT; // If we've gotten to the process() function for this class, we assume that we're in // the clear, as far as permissions are concerned (since we check permissions at several @@ -1003,11 +1004,11 @@ public function export(SimpleXMLElement $blockNode) */ protected function getImportData($blockNode, $page) { + $this->saveMode = SaveMode::SAVE_MODE_IMPORT; if (!$this->cID && $page) { $this->cID = $page->getCollectionID(); } $args = parent::getImportData($blockNode, $page); - $args['__fromCIF'] = true; $args['customTopicTreeNodeID'] = 0; $customTopicAttributeKeyHandle = (string) ($args['customTopicAttributeKeyHandle'] ?? ''); $customTopicTreeNodePath = (string) ($args['customTopicTreeNodePath'] ?? '');
concrete/blocks/survey/controller.php+24 −3 modified@@ -159,6 +159,12 @@ public function action_form_save_vote($bID = false) if (!$this->hasVoted()) { $antispam = Core::make('helper/validation/antispam'); if ($antispam->check('', 'survey_block')) { // we do a blank check which will still check IP and UserAgent's + $optionID = (int) $this->request->get('optionID'); + $q = 'SELECT optionID FROM btSurveyOptions WHERE optionID = ? AND bID = ?'; + $optionID = $db->getOne($q, [$optionID, $this->bID]); + if (!$optionID) { + return false; + } $duID = 0; if ($u->getUserID() > 0) { $duID = $u->getUserID(); @@ -169,7 +175,7 @@ public function action_form_save_vote($bID = false) $ip = $iph->getRequestIP(); $ip = ($ip === false) ? ('') : ($ip->getIp($ip::FORMAT_IP_STRING)); $v = [ - $this->request->get('optionID'), + $optionID, $this->bID, $duID, $ip, @@ -219,8 +225,23 @@ public function hasVoted() if ($result > 0) { return true; } - } else if ($cookieHasVoted) { - return true; + } else { + /** @var \Concrete\Core\Permission\IPService $iph */ + $iph = Core::make('helper/validation/ip'); + $ip = $iph->getRequestIP(); + $ip = ($ip === false) ? ('') : ($ip->getIp($ip::FORMAT_IP_STRING)); + if ($ip !== '') { + $db = Database::connection(); + $v = [$ip, $this->bID, $this->cID]; + $q = 'SELECT count(resultID) AS total FROM btSurveyResults WHERE ipAddress = ? AND bID = ? AND cID = ?'; + $result = $db->getOne($q, $v); + if ($result > 0) { + return true; + } + } + if ($cookieHasVoted) { + return true; + } } return false;
concrete/controllers/backend/file.php+46 −65 modified@@ -25,7 +25,10 @@ use Concrete\Core\Permission\Checker; use Concrete\Core\Tree\Node\Node; use Concrete\Core\Tree\Node\Type\FileFolder; -use Concrete\Core\Url\Url; +use Concrete\Core\Url\Validation\InvalidRemoteUrlException; +use Concrete\Core\Url\Validation\RemoteUrlRequestOptionsBuilder; +use Concrete\Core\Url\Validation\RemoteUrlValidator; +use Concrete\Core\Url\Validation\ValidatedRemoteUrl; use Concrete\Core\Utility\Service\Number; use Concrete\Core\Utility\Service\Validation\Strings; use Concrete\Core\Validation\CSRF\Token; @@ -35,12 +38,7 @@ use FileSet; use GuzzleHttp\Client; use GuzzleHttp\Psr7\Request; -use GuzzleHttp\RequestOptions; -use IPLib\Factory as IPFactory; -use IPLib\ParseStringFlag as IPParseStringFlag; -use IPLib\Range\Type as IPRangeType; use Permissions as ConcretePermissions; -use RuntimeException; use Symfony\Component\HttpFoundation\File\UploadedFile; use ZipArchive; @@ -69,6 +67,10 @@ class File extends Controller public function star() { + $token = $this->app->make('token'); + if (!$token->validate()) { + throw new UserMessageException($token->getErrorMessage(), 401); + } $fs = FileSet::createAndGetSet('Starred Files', FileSet::TYPE_STARRED); $files = $this->getRequestFiles(); $r = new FileEditResponse(); @@ -87,6 +89,10 @@ public function star() public function rescan() { + $token = $this->app->make('token'); + if (!$token->validate()) { + throw new UserMessageException($token->getErrorMessage(), 401); + } $files = $this->getRequestFiles('edit_file_contents'); $r = new FileEditResponse(); $r->setFiles($files); @@ -106,6 +112,10 @@ public function rescan() public function rescanMultiple() { + $token = $this->app->make('token'); + if (!$token->validate()) { + throw new UserMessageException($token->getErrorMessage(), 401); + } $files = $this->getRequestFiles('edit_file_contents'); $batch = BatchBuilder::create(t('Rescan Files'), function() use ($files) { foreach ($files as $file) { @@ -117,6 +127,10 @@ public function rescanMultiple() public function approveVersion() { + $token = $this->app->make('token'); + if (!$token->validate('approve_file_version')) { + throw new UserMessageException($token->getErrorMessage(), 401); + } $files = $this->getRequestFiles('edit_file_contents'); $fvID = $this->request->request->get('fvID', $this->request->query->get('fvID')); $fvID = $this->app->make('helper/security')->sanitizeInt($fvID); @@ -133,9 +147,7 @@ public function approveVersion() public function deleteVersion() { $token = $this->app->make('token'); - if (!$token->validate('delete-version')) { - $files = $this->getRequestFiles('edit_file_contents'); - } + $files = $this->getRequestFiles('edit_file_contents'); $fvID = $this->request->request->get('fvID', $this->request->query->get('fvID')); $fvID = $this->app->make('helper/security')->sanitizeInt($fvID); $fv = $files[0]->getVersion($fvID); @@ -254,6 +266,10 @@ public function getFavoriteFolders() public function addFavoriteFolder($folderId) { + $token = $this->app->make('token'); + if (!$token->validate()) { + throw new UserMessageException($token->getErrorMessage(), 401); + } $editResponse = new EditResponse(); $errors = new ErrorList(); $user = new \Concrete\Core\User\User(); @@ -301,6 +317,10 @@ public function addFavoriteFolder($folderId) /** @noinspection DuplicatedCode */ public function removeFavoriteFolder($folderId) { + $token = $this->app->make('token'); + if (!$token->validate()) { + throw new UserMessageException($token->getErrorMessage(), 401); + } $editResponse = new EditResponse(); $errors = new ErrorList(); $user = new \Concrete\Core\User\User(); @@ -421,15 +441,15 @@ public function importRemote() break; } - $validIps = (array) $this->checkRemoteURlsToImport($urls); + $validatedUrls = (array) $this->checkRemoteURlsToImport($urls); $originalPage = $this->getImportOriginalPage(); $fi = $this->app->make(Importer::class); $volatileDirectory = $this->app->make(VolatileDirectory::class); foreach ($urls as $url) { try { $host = (string) \League\Url\Url::createFromUrl($url)->getHost(); - $downloadedFile = $this->downloadRemoteURL($url, $volatileDirectory->getPath(), $validIps[$host] ?? null); + $downloadedFile = $this->downloadRemoteURL($url, $volatileDirectory->getPath(), $validatedUrls[$host] ?? null); $fileVersion = $fi->import($downloadedFile, false, $replacingFile ?: $this->getDestinationFolder()); if (!$fileVersion instanceof FileVersionEntity) { $errors->add($url . ': ' . $fi->getErrorMessage($fileVersion)); @@ -777,65 +797,37 @@ protected function checkExistingIncomingFiles(array $incomingFiles, Incoming $in /** * Check that a list of strings are valid "incoming" file names. * - * @param string $urls - * @return array<string, string> An array of domains and their validated IPs + * @param string[] $urls + * @return array<string, \Concrete\Core\Url\Validation\ValidatedRemoteUrl> An array of domains and their validated URLs * * @throws \Concrete\Core\Error\UserMessageException in case one or more of the specified URLs are not valid * * @since 8.5.0a3 */ protected function checkRemoteURlsToImport(array $urls) { - $validIps = []; + $validator = new RemoteUrlValidator(); + $validatedUrls = []; foreach ($urls as $u) { try { - $url = Url::createFromUrl($u); - } catch (RuntimeException $x) { - throw new UserMessageException(h(t('The URL "%s" is not valid: %s', $u, $x->getMessage()))); - } - $scheme = (string)$url->getScheme(); - if ($scheme === '') { - throw new UserMessageException(h(t('The URL "%s" is not valid.', $u))); - } - $host = trim((string)$url->getHost()); - if (in_array(strtolower($host), ['', '0', 'localhost'], true)) { + $validatedUrl = $validator->validate((string) $u); + } catch (InvalidRemoteUrlException $x) { + if ($x->getPrevious() !== null) { + throw new UserMessageException(h(t('The URL "%s" is not valid: %s', $u, $x->getMessage()))); + } throw new UserMessageException(h(t('The URL "%s" is not valid.', $u))); } + $host = $validatedUrl->getHost(); // If we've already validated this hostname just skip it. - if (array_key_exists($host, $validIps)) { + if (array_key_exists($host, $validatedUrls)) { continue; } - $ipFormatBlocks = [ - '/^\d+$/', // No fully integer / octal hostnames http://2130706433 http://017700000001 - '/^0x[0-9a-f]+$/i', // No Hexadecimal hostnames http://0x07f000001 - ]; - - foreach ($ipFormatBlocks as $block) { - if (preg_match($block, $host) !== 0) { - throw new UserMessageException(h(t('The URL "%s" is not valid.', $u))); - } - } - - $ipFlags = IPParseStringFlag::IPV4_MAYBE_NON_DECIMAL | IPParseStringFlag::IPV4ADDRESS_MAYBE_NON_QUAD_DOTTED | IPParseStringFlag::MAY_INCLUDE_PORT | IPParseStringFlag::MAY_INCLUDE_ZONEID; - $ip = IPFactory::parseAddressString($host, $ipFlags); - if ($ip === null) { - $dnsList = @dns_get_record($host, DNS_A | DNS_AAAA); - while ($ip === null && $dnsList !== false && count($dnsList) > 0) { - $dns = array_shift($dnsList); - $ip = IPFactory::parseAddressString($dns['ip']); - } - } - - if ($ip !== null && $ip->getRangeType() !== IPRangeType::T_PUBLIC) { - throw new UserMessageException(h(t('The URL "%s" is not valid.', $u))); - } - - $validIps[$host] = $ip->toString(); + $validatedUrls[$host] = $validatedUrl; } - return $validIps; + return $validatedUrls; } /** @@ -848,24 +840,13 @@ protected function checkRemoteURlsToImport(array $urls) * @throws \Concrete\Core\Error\UserMessageException in case of errors * */ - protected function downloadRemoteURL($url, $temporaryDirectory, ?string $ip = null) + protected function downloadRemoteURL($url, $temporaryDirectory, ?ValidatedRemoteUrl $validatedUrl = null) { /** @var Client $client */ $client = $this->app->make(Client::class); $request = new Request('GET', $url); - $config = [ - RequestOptions::ALLOW_REDIRECTS => false, - ]; - - if ($ip) { - $host = parse_url($url, PHP_URL_HOST); - $scheme = parse_url($url, PHP_URL_SCHEME); - $port = parse_url($url, PHP_URL_PORT) ?: ($scheme === 'http' ? 80 : 443); - - // Specify IP if one is provided. - $config['curl'] = [CURLOPT_RESOLVE => ["{$host}:{$port}:{$ip}"]]; - } + $config = $validatedUrl ? (new RemoteUrlRequestOptionsBuilder())->build($validatedUrl) : []; $response = $client->send($request, $config);
concrete/controllers/backend/page/sitemap_delete_forever.php+4 −0 modified@@ -19,6 +19,10 @@ public function canAccess() public function fillQueue() { + $token = $this->app->make('token'); + if (!$token->validate()) { + throw new UserMessageException($token->getErrorMessage(), 401); + } if ($this->canAccess()) { $c = Page::getByID($_REQUEST['cID']); if (is_object($c) && !$c->isError()) {
concrete/controllers/backend/page/type/composer/form/edit_control/save.php+11 −1 modified@@ -63,8 +63,18 @@ protected function getPostedLabel(): string protected function getPostedTemplate(): string { $template = $this->request->request->get('ptComposerFormLayoutSetControlCustomTemplate'); + if (!is_string($template)) { + return ''; + } + + $setControl = $this->getSetControl(); + $control = $this->getControl($setControl); + $templates = $this->getTemplates($control); + if (!array_key_exists($template, $templates)) { + return ''; + } - return is_string($template) ? $this->app->make(SanitizeService::class)->sanitizeString($template) : ''; + return $this->app->make(SanitizeService::class)->sanitizeString($template); } protected function getPostedDescription(): string
concrete/controllers/backend/summary_template.php+7 −0 modified@@ -2,6 +2,7 @@ namespace Concrete\Controller\Backend; use Concrete\Core\Controller\Controller; +use Concrete\Core\Error\UserMessageException; use Concrete\Core\Page\Theme\Theme; use Concrete\Core\Summary\Category\Driver\DriverInterface; use Concrete\Core\Summary\Category\Driver\Manager; @@ -30,6 +31,12 @@ public function render($categoryHandle, $memberIdentifier, $templateID) */ $template = $category->getMemberSummaryTemplate($templateID); $object = $category->getCategoryMemberFromIdentifier($memberIdentifier); + if (!$object) { + throw new UserMessageException(t('Unable to locate object.')); + } + if (!$category->canViewRenderedSummaryTemplates($object)) { + throw new UserMessageException(t('Access Denied.')); + } $renderer = $this->app->make(Renderer::class); $this->set('template', $template);
concrete/controllers/dialog/event/duplicate.php+1 −1 modified@@ -21,7 +21,7 @@ class Duplicate extends BackendInterfaceController public function submit() { - if ($this->canAccess()) { + if ($this->validateAction()) { $e = $this->app->make('error'); $calendar = $this->app->make(CalendarService::class)->getByID($_REQUEST['caID']);
concrete/controllers/dialog/express/association/reorder.php+37 −31 modified@@ -14,7 +14,7 @@ protected function canAccess() $entry = $this->getEntry(); if ($entry) { $ep = new \Permissions($entry); - return $ep->canViewExpressEntry(); + return $ep->canEditExpressEntry(); } return false; } @@ -63,39 +63,45 @@ public function view() public function submit() { - $em = \Database::connection()->getEntityManager(); - $selectedEntry = $this->getEntry(); - $control = $this->getControl(); - if ($association = $control->getAssociation()) { - $i = 0; - $handler = $association->getSaveHandler(); - /** - * @var $handler ManySaveHandlerInterface - */ - $supportsCustomDisplayOrder = false; - if ($association->getTargetEntity()->supportsCustomDisplayOrder()) { - $supportsCustomDisplayOrder = true; - } + if ($this->validateAction()) { + $em = \Database::connection()->getEntityManager(); + $selectedEntry = $this->getEntry(); + $control = $this->getControl(); + if ($association = $control->getAssociation()) { + $i = 0; + $handler = $association->getSaveHandler(); + /** + * @var $handler ManySaveHandlerInterface + */ + $supportsCustomDisplayOrder = false; + if ($association->getTargetEntity()->supportsCustomDisplayOrder()) { + $supportsCustomDisplayOrder = true; + } + + $associatedEntries = $handler->getAssociatedEntriesFromRequest($control, $this->request); + $entryAssociation = $selectedEntry->getAssociation($association); + foreach($associatedEntries as $entry) { + $associationEntry = $entryAssociation ? $entryAssociation->getAssociationEntry($entry) : null; + if (!$associationEntry) { + continue; + } - $associatedEntries = $handler->getAssociatedEntriesFromRequest($control, $this->request); - foreach($associatedEntries as $entry) { - if ($supportsCustomDisplayOrder) { - $entry->setEntryDisplayOrder($i); - $em->persist($entry); - } else { - $entryAssociation = $selectedEntry->getAssociation($association); - $associationEntry = $entryAssociation->getAssociationEntry($entry); - $associationEntry->setDisplayOrder($i); - $em->persist($associationEntry); + if ($supportsCustomDisplayOrder) { + $entry->setEntryDisplayOrder($i); + $em->persist($entry); + } else { + $associationEntry->setDisplayOrder($i); + $em->persist($associationEntry); + } + $i++; } - $i++; - } - $em->flush(); - $this->flash('success', t('Display order saved successfully.')); - $response = new EditResponse(); - $response->setRedirectURL(\URL::to('/dashboard/express/entries/', 'view_entry', $selectedEntry->getId())); - $response->outputJSON(); + $em->flush(); + $this->flash('success', t('Display order saved successfully.')); + $response = new EditResponse(); + $response->setRedirectURL(\URL::to('/dashboard/express/entries/', 'view_entry', $selectedEntry->getId())); + $response->outputJSON(); + } } }
concrete/controllers/dialog/file/usage.php+0 −49 removed@@ -1,49 +0,0 @@ -<?php - -namespace Concrete\Controller\Dialog\File; - -use Concrete\Core\Controller\Controller; -use Concrete\Core\Entity\Statistics\UsageTracker\FileUsageRecord; -use Doctrine\ORM\EntityManagerInterface; - -class Usage extends Controller -{ - - protected $viewPath = '/dialogs/file/usage'; - - /** - * @var \Doctrine\ORM\EntityManagerInterface - */ - protected $manager; - - /** - * Usage constructor. - * @param \Doctrine\ORM\EntityManagerInterface $manager - */ - public function __construct(EntityManagerInterface $manager) - { - $this->manager = $manager; - parent::__construct(); - } - - public function view($fID) - { - $records = $this->manager->getRepository(FileUsageRecord::class)->findByFile($fID); - $reduced = []; - - /** @var FileUsageRecord $record */ - foreach ($records as $record) { - $cID = $record->getCollectionId(); - if (isset($reduced[$cID])) { - if ($record->getCollectionVersionId() > $reduced[$cID]->getCollectionVersionId()) { - $reduced[$cID] = $record; - } - } else { - $reduced[$cID] = $record; - } - } - - $this->set('records', $reduced); - } - -}
concrete/controllers/dialog/frontend/event.php+14 −0 modified@@ -1,9 +1,12 @@ <?php namespace Concrete\Controller\Dialog\Frontend; +use Concrete\Block\Calendar\Controller; use Concrete\Controller\Backend\UserInterface as BackendInterfaceController; use Concrete\Core\Block\Block; use Concrete\Core\Calendar\Event\EventOccurrence; +use Concrete\Core\Error\UserMessageException; +use Concrete\Core\Permission\Checker; class Event extends BackendInterfaceController { @@ -16,6 +19,17 @@ public function view($bID, $occurrence_id) if (is_object($b) && $b->getBlockTypeHandle() == 'calendar') { $controller = $b->getController(); + /** + * @var $controller Controller + */ + $calendar = $controller->getCalendar(); + if (!$calendar) { + throw new UserMessageException(t('Invalid calendar.')); + } + $checker = new Checker($calendar); + if (!$checker->canViewCalendar()) { + throw new UserMessageException(t('Access Denied.')); + } $occurrence = EventOccurrence::getByID($occurrence_id); $this->set('occurrence', $occurrence); $this->set('blockController', $controller);
concrete/controllers/dialog/logs/bulk/delete.php+1 −1 modified@@ -33,7 +33,7 @@ public function view() public function submit() { - if ($this->canAccess()) { + if ($this->validateAction()) { /** @var Request $request */ $request = $this->app->make(Request::class); /** @var Connection $db */
concrete/controllers/dialog/logs/delete.php+3 −0 modified@@ -39,6 +39,9 @@ public function view() public function submit() { + if (!$this->validateAction()) { + throw new \RuntimeException(implode("\n", $this->error->getList())); + } /** @var Request $request */ $request = $this->app->make(Request::class); /** @var Connection $db */
concrete/controllers/dialog/page/bulk/cache.php+1 −1 modified@@ -103,7 +103,7 @@ public function view() public function submit() { - if ($this->canAccess()) { + if ($this->validateAction()) { foreach ($this->items as $page) { $data = array(); if (($cCacheFullPageContent = $this->request->request->getInt('cCacheFullPageContent')) > -2) {
concrete/controllers/dialog/page/bulk/delete.php+1 −1 modified@@ -38,7 +38,7 @@ public function view() public function submit() { - if ($this->canAccess()) { + if ($this->validateAction()) { $u = new \User(); $uID = $u->getUserID(); $pages = $this->items;
concrete/controllers/dialog/page/bulk/design.php+1 −1 modified@@ -110,7 +110,7 @@ public function view() public function submit() { - if ($this->canAccess()) { + if ($this->validateAction()) { $containsSinglePages = false; foreach ($this->items as $page) { if ($page->isGeneratedCollection()) {
concrete/controllers/frontend/conversations/add_file.php+1 −1 modified@@ -32,7 +32,7 @@ public function view(): Response $fileVersion = $this->importFile($conversation, $file); return $responseFactory->json([ - 'id' => (int) $fileVersion->getFileID(), + 'id' => $fileVersion->getFileUUID(), 'timestamp' => $post->get('timestamp'), 'tag' => $post->get('tag'), ]);
concrete/controllers/frontend/conversations/add_message.php+6 −4 modified@@ -201,7 +201,7 @@ protected function getMessageBody(ArrayAccess $errors): string } /** - * @return int[] + * @return string[] */ protected function getAttachmentIDs(): array { @@ -213,8 +213,8 @@ protected function getAttachmentIDs(): array return array_values( // Reset array indexes array_unique( // Remove duplicates array_filter( // Remove zeroes - array_map( // Ensure integer types - 'intval', + array_map( // Ensure string types + 'strval', $attachmentIDs ) ) @@ -245,9 +245,11 @@ protected function getAttachments(ArrayAccess $errors): array } else { $em = $this->app->make(EntityManagerInterface::class); foreach ($attachmentIDs as $attachmentID) { - $file = $em->find(File::class, $attachmentID); + $file = $em->getRepository(File::class)->findOneBy(['fUUID' => $attachmentID]); if ($file === null) { $errors[] = t('Invalid file specified.'); + } elseif (!(new Checker($file))->canViewFile()) { + $errors[] = t('Invalid file specified.'); } else { $attachments[] = $file; }
concrete/controllers/frontend/conversations/delete_file.php+1 −1 modified@@ -29,7 +29,7 @@ public function view(): Response /** @var Token $token */ $token = $this->app->make(Token::class); - if ($token->validate("delete_conversation_message",$this->request->request->get('token'))) { + if (!$token->validate("delete_conversation_message",$this->request->request->get('token'))) { throw new UserMessageException($token->getErrorMessage()); }
concrete/controllers/frontend/conversations/get_rating.php+3 −0 modified@@ -43,6 +43,9 @@ protected function getMessage(): Message if ($message === null) { throw new UserMessageException(t('Invalid message object.')); } + if ($this->getBlockConversation()->getConversationID() != $message->getConversationObject()->getConversationID()) { + throw new UserMessageException(t('Invalid Conversation.')); + } return $message; }
concrete/controllers/frontend/conversations/message_detail.php+3 −0 modified@@ -47,6 +47,9 @@ protected function getMessage(): Message if ($message === null) { throw new UserMessageException(t('Invalid message object.')); } + if ($this->getBlockConversation()->getConversationID() != $message->getConversationObject()->getConversationID()) { + throw new UserMessageException(t('Invalid Conversation.')); + } return $message; }
concrete/controllers/frontend/conversations/message_page.php+2 −3 modified@@ -54,9 +54,8 @@ protected function getConversationID(): ?int */ protected function getConversation(): Conversation { - $conversationID = $this->getConversationID(); - $conversation = $conversationID === null ? null : Conversation::getByID($conversationID); - if ($conversation === null) { + $conversation = $this->getBlockConversation(); + if ((int) $conversation->getConversationID() !== $this->getConversationID()) { throw new UserMessageException(t('Invalid Conversation.')); }
concrete/controllers/frontend/conversations/update_message.php+6 −4 modified@@ -105,7 +105,7 @@ protected function getMessageBody(ArrayAccess $errors): string } /** - * @return int[] + * @return string[] */ protected function getAttachmentIDs(): array { @@ -117,8 +117,8 @@ protected function getAttachmentIDs(): array return array_values( // Reset array indexes array_unique( // Remove duplicates array_filter( // Remove zeroes - array_map( // Ensure integer types - 'intval', + array_map( // Ensure string types + 'strval', $attachmentIDs ) ) @@ -150,9 +150,11 @@ protected function getAttachments(Message $message, ArrayAccess $errors): array } else { $em = $this->app->make(EntityManagerInterface::class); foreach ($attachmentIDs as $attachmentID) { - $file = $em->find(File::class, $attachmentID); + $file = $em->getRepository(File::class)->findOneBy(['fUUID' => $attachmentID]); if ($file === null) { $errors[] = t('Invalid file specified.'); + } elseif (!(new Checker($file))->canViewFile()) { + $errors[] = t('Invalid file specified.'); } else { $attachments[] = $file; }
concrete/controllers/single_page/account/edit_profile.php+18 −10 modified@@ -110,28 +110,31 @@ public function save() $valt = $app->make('token'); - $data = $this->post(); + $data = []; if (!$valt->validate('profile_edit')) { $this->error->add($valt->getErrorMessage()); } // validate the user's email - $email = $this->post('uEmail'); + $email = (string) $this->post('uEmail'); $app->make('validator/user/email')->isValidFor($email, $ui, $this->error); // Username validation - $username = $this->post('uName'); - if (array_key_exists('uName', $data)) { - $data['uName'] = (string) $data['uName']; + $username = (string) $this->post('uName'); + $displayUserName = !$this->displayUserName + ? false + : $app->make(Repository::class)->get('concrete.user.edit_profile.display_username_field'); + if ($displayUserName && $this->request->request->has('uName')) { + $data['uName'] = $username; $app->make('validator/user/name')->isValidFor($username, $ui, $this->error); } // password - if (strlen($data['uPasswordNew'])) { - $passwordCurrent = (string) $data['uPasswordCurrent']; - $passwordNew = $data['uPasswordNew']; - $passwordNewConfirm = $data['uPasswordNewConfirm']; + $passwordNew = (string) $this->post('uPasswordNew'); + if ($passwordNew !== '') { + $passwordCurrent = (string) $this->post('uPasswordCurrent'); + $passwordNewConfirm = (string) $this->post('uPasswordNewConfirm'); $app->make('validator/password')->isValidFor($passwordNew, $ui, $this->error); @@ -144,6 +147,7 @@ public function save() $this->error->add(t('The two passwords provided do not match.')); } } + $data['_allowPasswordUpdate'] = true; $data['uPasswordConfirm'] = $passwordNew; $data['uPassword'] = $passwordNew; } @@ -164,7 +168,11 @@ public function save() $data['uEmail'] = $email; $config = $this->app->make('config'); if ($config->get('concrete.misc.user_timezones')) { - $data['uTimezone'] = $this->post('uTimezone'); + $data['uTimezone'] = (string) $this->post('uTimezone'); + } + $languages = Localization::getAvailableInterfaceLanguages(); + if (count($languages) > 0) { + $data['uDefaultLanguage'] = (string) $this->post('uDefaultLanguage'); } $ui->saveUserAttributesForm($aks);
concrete/controllers/single_page/dashboard/extend/install.php+27 −7 modified@@ -166,13 +166,31 @@ public function package_uninstalled() public function install_package($package) { $this->view(); + if (!$this->request->isMethod('POST')) { + $this->error->add(t('Invalid request method.')); + return; + } $tp = new TaskPermission(); if ($tp->canInstallPackages()) { $packageService = $this->app->make(PackageService::class); $p = $packageService->getClass($package); if ($p instanceof BrokenPackage) { $this->error->add($p->getInstallErrorMessage()); } elseif (is_object($p)) { + $showInstallOptionsScreen = $p->showInstallOptionsScreen(); + $isInitialInstallRequest = $this->token->validate('install_package'); + $isInstallOptionsSubmission = $showInstallOptionsScreen && $this->token->validate('install_options_selected'); + if ($showInstallOptionsScreen && $isInitialInstallRequest && !$isInstallOptionsSubmission) { + $this->set('showInstallOptionsScreen', true); + $this->set('pkg', $p); + + return; + } + if ((!$showInstallOptionsScreen && !$isInitialInstallRequest) || ($showInstallOptionsScreen && !$isInstallOptionsSubmission)) { + $this->error->add(t('Invalid token.')); + + return; + } $config = $this->app->make('config'); if ($config->get('concrete.i18n.auto_install_package_languages')) { $connection = $this->getConnection(); @@ -195,10 +213,7 @@ function (RemotePackage $rp) use ($p) { } } } - if ( - (!$p->showInstallOptionsScreen()) || - $this->token->validate('install_options_selected') - ) { + if (!$showInstallOptionsScreen || $isInstallOptionsSubmission) { $tests = $p->testForInstall(); if (is_object($tests)) { $this->error->add($tests); @@ -214,9 +229,6 @@ function (RemotePackage $rp) use ($p) { $this->redirect('/dashboard/extend/install', 'package_installed', $r->getPackageID()); } } - } else { - $this->set('showInstallOptionsScreen', true); - $this->set('pkg', $p); } } else { $this->error->add(t('Package controller file not found.')); @@ -237,6 +249,14 @@ public function package_installed($pkgID = 0) public function download($remoteId = null) { $this->view(); + if (!$this->request->isMethod('POST')) { + $this->error->add(t('Invalid request method.')); + return; + } + if (!$this->token->validate('download_package')) { + $this->error->add($this->token->getErrorMessage()); + return; + } $tp = new TaskPermission(); if (!$tp->canInstallPackages()) { $this->error->add(t('You do not have permission to download add-ons.'));
concrete/controllers/single_page/dashboard/extend/update.php+42 −21 modified@@ -13,6 +13,30 @@ class Update extends DashboardPageController { + protected function updatePackage(string $pkgHandle): void + { + $packageService = $this->app->make(PackageService::class); + $packageController = $packageService->getClass($pkgHandle); + $testResult = $packageController->testForUpgrade(); + if ($testResult !== true) { + $this->error->add($testResult); + + return; + } + $previousVersion = $packageController->getPackageEntity()->getPackageVersion(); + Localization::getInstance()->withContext(Localization::CONTEXT_SYSTEM, static function () use ($packageController) { + $packageController->upgradeCoreData(); + $packageController->upgrade(); + }); + $this->set('message', + t('Package "%1$s" has been updated successfully from version %2$s to version %3$s.', + t($packageController->getPackageName()) ?: $packageController->getPackageHandle(), + $previousVersion, + $packageController->getPackageVersion() + ) + ); + } + public function view() { $packageRepository = $this->app->make(PackageRepositoryInterface::class); @@ -42,31 +66,20 @@ public function do_update($pkgHandle = false) if (!$pkgHandle) { return $this->view(); } + if (!$this->request->isMethod('POST')) { + $this->error->add(t('Invalid request method.')); + + return $this->view(); + } try { + if (!$this->token->validate('update_addon')) { + throw new UserMessageException($this->token->getErrorMessage()); + } $tp = new Checker(); if (!$tp->canInstallPackages()) { throw new UserMessageException(t('Access Denied.')); } - $packageService = $this->app->make(PackageService::class); - $packageController = $packageService->getClass($pkgHandle); - $testResult = $packageController->testForUpgrade(); - if ($testResult !== true) { - $this->error->add($testResult); - - return $this->view(); - } - $previousVersion = $packageController->getPackageEntity()->getPackageVersion(); - Localization::getInstance()->withContext(Localization::CONTEXT_SYSTEM, static function () use ($packageController) { - $packageController->upgradeCoreData(); - $packageController->upgrade(); - }); - $this->set('message', - t('Package "%1$s" has been updated successfully from version %2$s to version %3$s.', - t($packageController->getPackageName()) ?: $packageController->getPackageHandle(), - $previousVersion, - $packageController->getPackageVersion() - ) - ); + $this->updatePackage($pkgHandle); } catch (UserMessageException $x) { $this->error->add($x); } @@ -77,8 +90,16 @@ public function prepare_remote_upgrade($remoteMPID = 0) { $packageRepository = $this->app->make(PackageRepositoryInterface::class); $packageService = $this->app->make(PackageService::class); + if (!$this->request->isMethod('POST')) { + $this->error->add(t('Invalid request method.')); + + return $this->view(); + } try { + if (!$this->token->validate('prepare_remote_upgrade')) { + throw new UserMessageException($this->token->getErrorMessage()); + } $tp = new Checker(); if (!$tp->canInstallPackages()) { throw new UserMessageException(t('Access Denied.')); @@ -99,7 +120,7 @@ public function prepare_remote_upgrade($remoteMPID = 0) } $packageRepository->download($connection, $mri, true); - return $this->buildRedirect(['/dashboard/extend/update', 'do_update', $mri->handle]); + $this->updatePackage($mri->handle); } catch (UserMessageException $x) { $this->error->add($x); }
concrete/controllers/single_page/dashboard/system/update/update.php+5 −1 modified@@ -168,7 +168,11 @@ public function do_update() if (!$this->userHasUpgradePermission()) { return $this->buildRedirect($this->action()); } - if ($this->app->make(Composer::class)->isCoreInstalledViaComposer() === true) { + if (!$this->request->isMethod('POST')) { + $this->error->add(t('Invalid request method.')); + } elseif (!$this->token->validate('do_update')) { + $this->error->add($this->token->getErrorMessage()); + } elseif ($this->app->make(Composer::class)->isCoreInstalledViaComposer() === true) { $this->error->add(t('ConcreteCMS has been installed via Composer: you should use it to upgrade the currently installed version.')); } elseif ($this->app->make('config')->get('concrete.updates.skip_core')) { $this->error->add(t('Updates are currently disabled via your site configuration.'));
concrete/controllers/single_page/dashboard/users/groups/bulk_user_assignment.php+10 −2 modified@@ -7,6 +7,7 @@ use Concrete\Core\Logging\Channels; use Concrete\Core\Logging\LoggerFactory; use Concrete\Core\Page\Controller\DashboardPageController; +use Concrete\Core\Permission\Checker; use Concrete\Core\User\Group\Group; use Concrete\Core\User\Group\GroupRepository; use Concrete\Core\User\UserInfo; @@ -43,6 +44,15 @@ public function view() $removeUnlistedUsers = $this->request->request->has('removeUnlistedUsers'); if ($targetGroup instanceof Group) { + $gp = new Checker($targetGroup); + if (!$gp->canAssignGroup()) { + $this->error->add(t('Access Denied.')); + } + } else { + $this->error->add(t('You need to select valid target group.')); + } + + if (!$this->error->has()) { /** @var UploadedFile $csvFile */ $csvFile = $this->request->files->get('csvFile'); @@ -74,8 +84,6 @@ public function view() } else { $this->error->add(t('You need to upload a CSV file.')); } - } else { - $this->error->add(t('You need to select valid target group.')); } if (!$this->error->has()) {
concrete/controllers/single_page/dashboard/users/search.php+2 −0 modified@@ -399,6 +399,7 @@ public function save_account($uID = null) $error->add(t('The two passwords provided do not match.')); } } + $data['_allowPasswordUpdate'] = true; $data['uPasswordConfirm'] = $passwordNew; $data['uPassword'] = $passwordNew; } @@ -415,6 +416,7 @@ public function save_account($uID = null) } } } + $data['_allowIgnoredIPMismatchesUpdate'] = true; $data['ignoredIPMismatches'] = $ignoredIPMismatches; }
concrete/controllers/single_page/download_file.php+11 −5 modified@@ -218,15 +218,21 @@ public function submit_password($fID = 0) $rcID = $this->post('rcID'); - if ($f->getPassword() == $this->post('password')) { - if ($this->post('force')) { - return $this->force_download($f); + if ($f->getPassword() === $this->post('password')) { + $checker = new Checker($f); + if ($checker->canViewFile()) { + if ($this->post('force')) { + return $this->force_download($f); + } else { + return $this->download($f); + } } else { - return $this->download($f); + $this->set('error', t("You do not have permission to access this file.")); } + } else { + $this->set('error', t("Password incorrect. Please try again.")); } - $this->set('error', t("Password incorrect. Please try again.")); $this->set('force', ($this->post('force') ? 1 : 0)); if ($fUUID !== null) {
concrete/elements/conversation/display.php+1 −1 modified@@ -16,7 +16,7 @@ } $editor = \Concrete\Core\Conversation\Editor\Editor::getActive(); -$editor->setConversationObject($args['conversation']); +$editor->setConversationObject($conversation); $val = $app->make('token'); $form = $app->make('helper/form');
concrete/js/ckeditor/concrete.js+1 −1 modified@@ -1 +1 @@ -(()=>{var e={461:()=>{CKEDITOR.plugins.add("concretefilemanager",{requires:"filebrowser",init:function(){CKEDITOR.on("dialogDefinition",function(e){var t=e.editor,n=e.data.definition,i=n.contents.length;function o(){return function(){t._.filebrowserSe=this;var e=this.getDialog();ConcreteFileManager.launchDialog(function(n){jQuery.fn.dialog.showLoader(),ConcreteFileManager.getFileDetails(n.fID,function(n){if(jQuery.fn.dialog.hideLoader(),n){var i=n.files[0];"image"!=e.getName()&&"image2"!=e.getName()||"info"!=e._.currentTabId?CKEDITOR.tools.callFunction(t._.filebrowserFn,i.urlDownload):CKEDITOR.tools.callFunction(t._.filebrowserFn,i.urlInline,function(){var t;e.dontResetSize=!0,(t=e.getContentElement("info","txtWidth"))&&t.setValue(""),(t=e.getContentElement("info","width"))&&t.setValue(""),(t=e.getContentElement("info","txtHeight"))&&t.setValue(""),(t=e.getContentElement("info","height"))&&t.setValue(""),(t=e.getContentElement("info","txtAlt"))&&t.setValue(i.title),(t=e.getContentElement("info","alt"))&&t.setValue(i.title)})}})})}}for(var a=0;a<i;a++){var r=n.contents[a].get("browse");null!==r&&(r.hidden=!1,r.onClick=o())}})}})},7068:()=>{CKEDITOR.plugins.add("concreteinline",{init:function(e){e.elementMode==CKEDITOR.ELEMENT_MODE_INLINE&&(e.addCommand("c5save",{exec:function(e){$("#"+e.element.$.id+"_content").val(e.getData()),ConcreteEvent.fire("EditModeBlockSaveInline"),e.destroy()}}),e.addCommand("c5cancel",{exec:function(e){ConcreteEvent.fire("EditModeExitInline"),e.destroy()}}),e.ui.addButton&&(e.ui.addButton("concrete_save",{label:e.lang.common.ok,command:"c5save",toolbar:"document,0"}),e.ui.addButton("concrete_cancel",{label:e.lang.common.cancel,command:"c5cancel",toolbar:"document,1"})))}})},3805:()=>{CKEDITOR.plugins.add("concretelink",{requires:"link",init:function(e){CKEDITOR.on("dialogDefinition",function(t){var n=t.data.name,i=t.data.definition,o=e.lang.common,a=function(e,t){t[e]||(t[e]={}),t[e][this.id]=this.getValue()||""},r=function(e){return a.call(this,"target",e)},l=function(){return CKEDITOR.plugins.link.getSelectedLink(t.editor)};if("link"==n){var s=i.getContents("info");null===s.get("sitemapBrowse")&&t.editor.config.sitemap&&s.add({type:"button",id:"sitemapBrowse",label:ccmi18n_editor.sitemap,title:ccmi18n_editor.sitemap,onClick:function(){jQuery.fn.dialog.open({width:"90%",height:"70%",modal:!1,title:ccmi18n_sitemap.choosePage,href:CCM_DISPATCHER_FILENAME+"/ccm/system/dialogs/page/sitemap_selector"}),ConcreteEvent.unsubscribe("SitemapSelectPage"),ConcreteEvent.subscribe("SitemapSelectPage",function(e,t){jQuery.fn.dialog.closeTop();var n=i.dialog.getContentElement("info","url");n&&n.setValue(CCM_APPLICATION_URL+"/index.php?cID="+t.cID)})}},"browse");var c=i.getContents("target");if(null!==c.get("linkTargetType")){var d=c.get("linkTargetType");"lightbox"!=d.items[3][1]&&(d.items.splice(3,0,["<lightbox>","lightbox"]),d.items.join()),null===c.get("lightboxFeatures")&&c.elements.push({type:"vbox",width:"100%",align:"center",padding:2,id:"lightboxFeatures",children:[{type:"fieldset",label:ccmi18n_editor.lightboxFeatures,children:[{type:"hbox",children:[{type:"checkbox",id:"imageLightbox",label:ccmi18n_editor.imageLink,setup:function(e){var t=l();null!==t&&void 0!==e.target&&("lightbox"==e.target.name&&"image"==t.data("concrete-link-lightbox")?this.setValue(1):this.setValue(0))},commit:r,onChange:function(e){this.getValue()?this.getDialog().getContentElement("target","lightboxDimensions").getElement().hide():this.getDialog().getContentElement("target","lightboxDimensions").getElement().show()}}]},{type:"hbox",id:"lightboxDimensions",children:[{type:"text",widths:["50%","50%"],labelLayout:"horizontal",label:o.width,id:"lightboxWidth",setup:function(e){var t=l();null!==t&&void 0!==e.target&&("lightbox"==e.target.name&&t.hasAttribute("data-concrete-link-lightbox-width")?this.setValue(t.data("concrete-link-lightbox-width")):this.setValue(null))},commit:r},{type:"text",labelLayout:"horizontal",widths:["50%","50%"],label:o.height,id:"lightboxHeight",setup:function(e){var t=l();null!==t&&void 0!==e.target&&("lightbox"==e.target.name&&t.hasAttribute("data-concrete-link-lightbox-height")?this.setValue(t.data("concrete-link-lightbox-height")):this.setValue(null))},commit:r}],setup:function(){this.getDialog().getContentElement("target","imageLightbox").getValue()?this.getElement().hide():this.getElement().show()}}]}],setup:function(){this.getDialog().getContentElement("info","linkType")||this.getElement().hide(),"lightbox"!=this.getDialog().getContentElement("target","linkTargetType").getValue()&&this.getElement().hide()}}),d.onChange=CKEDITOR.tools.override(d.onChange,function(e){return function(){var t=this.getDialog().getContentElement("target","lightboxFeatures").getElement();"lightbox"!=this.getValue()||this._.selectedElement?t.hide():t.show(),e.call(this)}}),d.setup=function(e){e.target&&("lightbox"==e.target.name&&(e.target.type=e.target.name),this.setValue(e.target.type||"notSet")),this.onChange.call(this)},d.commit=function(e){e.target||(e.target={}),e.target.type=this.getValue()},i.onOk=CKEDITOR.tools.override(i.onOk,function(e){return function(){var t={},n={};this.commitContent(t),e.call(this);var i=l();null!==i&&("lightbox"==t.target.type?t.target.imageLightbox?(i.data("concrete-link-lightbox","image"),n={"data-concrete-link-lightbox-width":1,"data-concrete-link-lightbox-height":1}):(i.data("concrete-link-lightbox","iframe"),t.target.lightboxWidth&&t.target.lightboxHeight?(i.data("concrete-link-lightbox-width",t.target.lightboxWidth),i.data("concrete-link-lightbox-height",t.target.lightboxHeight)):n={"data-concrete-link-lightbox-width":1,"data-concrete-link-lightbox-height":1}):n={"data-concrete-link-lightbox":1,"data-concrete-link-lightbox-width":1,"data-concrete-link-lightbox-height":1},i.removeAttributes(n))}})}}})}})},1939:()=>{CKEDITOR.plugins.add("normalizeonchange",{init:function(e){CKEDITOR.on("instanceReady",function(e){e.editor.on("change",function(t){var n=e.editor.getSelection();if(n){var i=n.getStartElement();i&&i.$&&n.getStartElement().$.normalize()}})})}})},8315:()=>{CKEDITOR.plugins.add("concretestyles",{requires:["widget","stylescombo","menubutton"],init:function(e){},afterInit:function(e){var t=this;function n(e){return{exec:function(t){var n="> </",i=e.html,o=t.getSelection(),a=o&&o.getSelectedText();if(-1!=i.indexOf(n)&&a){for(var r=["address","article","aside","audio","blockquote","canvas","dd","div","dl","fieldset","figcaption","figure","figcaption","footer","form","h1","h2","h3","h4","h5","h6","header","hgroup","hr","noscript","ol","output","p","pre","section","span","table","tfoot","ul","video"],l=o.getRanges(),s=new CKEDITOR.dom.element("div"),c=0,d=l.length;c<d;++c){var g=l[c],u=g.createBookmark2();s.append(g.cloneContents()),g.moveToBookmark(u),g.select()}for(var h=s.getHtml(),f=0;f<r.length;f++){var m=new RegExp("(<"+r[f]+"[^>]*>|</"+r[f]+">)","gi");h=h.replace(m,"")}i=i.replace(n,">"+h+"</")}t.insertHtml(i)}}}var i={name:"snippets",icon:"snippet.png",title:ccmi18n_editor.snippets,items:[]};if(e.config.snippets&&($.each(e.config.snippets,function(t,n){e.widgets.add(n.scsHandle,{template:n.scsName});var o={};o.name=n.scsHandle,o.icon="snippet.png",o.title=n.scsName,o.html='<span class="ccm-content-editor-snippet" contenteditable="false" data-scsHandle="'+n.scsHandle+'">'+n.scsName+"</span>",i.items.push(o)}),function(i){for(var o=i.items,a={},r=0;r<o.length;r++){var l=o[r],s=l.name;e.addCommand(s,n(l)),a[s]={label:l.title,command:s,group:i.name,role:"menuitem"}}e.addMenuGroup(i.name,1),e.addMenuItems(a),e.ui.add(i.name,CKEDITOR.UI_MENUBUTTON,{label:i.title,icon:t.path+"/icons/"+i.icon,toolbar:i.toolbar||"insert",onMenu:function(){var e={};for(var t in a)e[t]=CKEDITOR.TRISTATE_OFF;return e}})}(i,i.name)),e.config.classes){var o=[];$.each(e.config.classes,function(){var e={};e.name=this.title,void 0!==this.element?e.element=this.element:void 0!==this.forceBlock&&1==this.forceBlock?e.element=["h1","h2","h3","h4","h5","h6","p"]:e.element="span",void 0!==this.spanClass&&(e.attributes={class:this.spanClass}),void 0!==this.attributes&&(e.attributes=this.attributes),void 0!==this.styles&&(e.styles=this.styles),"widget"===this.type&&void 0!==this.widget&&(e.type="widget",e.widget=this.widget),o.push(e)}),e.fire("stylesSet",{styles:o})}}})},7320:()=>{CKEDITOR.plugins.add("concreteuploadimage",{requires:"uploadimage",init:function(e){e.on("fileUploadRequest",function(e){var t=e.data.fileLoader,n=t.xhr,i=new FormData;i.append("ccm_token",CCM_SECURITY_TOKEN),i.append("files[]",t.file,t.fileName),n.send(i),e.stop()}),e.on("fileUploadResponse",function(e){e.stop();var t=e.data,n=t.fileLoader.xhr;if(200==n.status){var i=jQuery.parseJSON(n.responseText);i.error?(t.message=i.errors.join(),e.cancel()):i.files.length>0&&(t.url=i.files[0].urlInline)}else t.message=n.responseText,e.cancel()})}})},8316:()=>{!function(e){if(void 0===e)throw Error("jQuery should be loaded before CKEditor jQuery adapter.");if("undefined"==typeof CKEDITOR)throw Error("CKEditor should be loaded before CKEditor jQuery adapter.");CKEDITOR.config.jqueryOverrideVal=void 0===CKEDITOR.config.jqueryOverrideVal||CKEDITOR.config.jqueryOverrideVal,e.extend(e.fn,{ckeditorGet:function(){var e=this.eq(0).data("ckeditorInstance");if(!e)throw"CKEditor is not initialized yet, use ckeditor() with a callback.";return e},ckeditor:function(t,n){if(!CKEDITOR.env.isCompatible)throw Error("The environment is incompatible.");if("function"!=typeof t){var i=n;n=t,t=i}var o=[];n=n||{},this.each(function(){var i=e(this),a=i.data("ckeditorInstance"),r=i.data("_ckeditorInstanceLock"),l=this,s=new e.Deferred;o.push(s.promise()),a&&!r?(t&&t.apply(a,[this]),s.resolve()):r?a.once("instanceReady",function(){setTimeout(function e(){a.element?(a.element.$==l&&t&&t.apply(a,[l]),s.resolve()):setTimeout(e,100)},0)},null,null,9999):((n.autoUpdateElement||void 0===n.autoUpdateElement&&CKEDITOR.config.autoUpdateElement)&&(n.autoUpdateElementJquery=!0),n.autoUpdateElement=!1,i.data("_ckeditorInstanceLock",!0),a=e(this).is("textarea")?CKEDITOR.replace(l,n):CKEDITOR.inline(l,n),i.data("ckeditorInstance",a),a.on("instanceReady",function(n){var o=n.editor;setTimeout(function a(){if(o.element){if(n.removeListener(),o.on("dataReady",function(){i.trigger("dataReady.ckeditor",[o])}),o.on("setData",function(e){i.trigger("setData.ckeditor",[o,e.data])}),o.on("getData",function(e){i.trigger("getData.ckeditor",[o,e.data])},999),o.on("destroy",function(){i.trigger("destroy.ckeditor",[o])}),o.on("save",function(){return e(l.form).trigger("submit"),!1},null,null,20),o.config.autoUpdateElementJquery&&i.is("textarea")&&e(l.form).length){var r=function(){i.ckeditor(function(){o.updateElement()})};e(l.form).on("submit",r),e(l.form).on("form-pre-serialize",r),i.on("destroy.ckeditor",function(){e(l.form).off("submit",r),e(l.form).off("form-pre-serialize",r)})}o.on("destroy",function(){i.removeData("ckeditorInstance")}),i.removeData("_ckeditorInstanceLock"),i.trigger("instanceReady.ckeditor",[o]),t&&t.apply(o,[l]),s.resolve()}else setTimeout(a,100)},0)},null,null,9999))});var a=new e.Deferred;return this.promise=a.promise(),e.when.apply(this,o).then(function(){a.resolve()}),this.editor=this.eq(0).data("ckeditorInstance"),this}}),CKEDITOR.config.jqueryOverrideVal&&(e.fn.val=CKEDITOR.tools.override(e.fn.val,function(t){return function(n){if(arguments.length){var i=this,o=[],a=this.each(function(){var i=e(this),a=i.data("ckeditorInstance");if(i.is("textarea")&&a){var r=new e.Deferred;return a.setData(n,function(){r.resolve()}),o.push(r.promise()),!0}return t.call(i,n)});if(o.length){var r=new e.Deferred;return e.when.apply(this,o).done(function(){r.resolveWith(i)}),r.promise()}return a}var l=(a=e(this).eq(0)).data("ckeditorInstance");return a.is("textarea")&&l?l.getData():t.call(a)}}))}(window.jQuery)}},t={};function n(i){var o=t[i];if(void 0!==o)return o.exports;var a=t[i]={exports:{}};return e[i](a,a.exports,n),a.exports}n.n=e=>{var t=e&&e.__esModule?()=>e.default:()=>e;return n.d(t,{a:t}),t},n.d=(e,t)=>{for(var i in t)n.o(t,i)&&!n.o(e,i)&&Object.defineProperty(e,i,{enumerable:!0,get:t[i]})},n.o=(e,t)=>Object.prototype.hasOwnProperty.call(e,t),(()=>{"use strict";n(8316),n(1939),n(7068),n(3805),n(461),n(8315),n(7320)})()})(); \ No newline at end of file +(()=>{var e={461:()=>{CKEDITOR.plugins.add("concretefilemanager",{requires:"filebrowser",init:function(){CKEDITOR.on("dialogDefinition",function(e){var t=e.editor,n=e.data.definition,i=n.contents.length;function o(){return function(){t._.filebrowserSe=this;var e=this.getDialog();ConcreteFileManager.launchDialog(function(n){jQuery.fn.dialog.showLoader(),ConcreteFileManager.getFileDetails(n.fID,function(n){if(jQuery.fn.dialog.hideLoader(),n){var i=n.files[0];"image"!=e.getName()&&"image2"!=e.getName()||"info"!=e._.currentTabId?CKEDITOR.tools.callFunction(t._.filebrowserFn,i.urlDownload):CKEDITOR.tools.callFunction(t._.filebrowserFn,i.urlInline,function(){var t;e.dontResetSize=!0,(t=e.getContentElement("info","txtWidth"))&&t.setValue(""),(t=e.getContentElement("info","width"))&&t.setValue(""),(t=e.getContentElement("info","txtHeight"))&&t.setValue(""),(t=e.getContentElement("info","height"))&&t.setValue(""),(t=e.getContentElement("info","txtAlt"))&&t.setValue(i.title),(t=e.getContentElement("info","alt"))&&t.setValue(i.title)})}})})}}for(var a=0;a<i;a++){var r=n.contents[a].get("browse");null!==r&&(r.hidden=!1,r.onClick=o(),"undefined"!=typeof ccmi18n_editor&&ccmi18n_editor.selectFile&&(r.label=ccmi18n_editor.selectFile,r.title=ccmi18n_editor.selectFile))}})}})},7068:()=>{CKEDITOR.plugins.add("concreteinline",{init:function(e){e.elementMode==CKEDITOR.ELEMENT_MODE_INLINE&&(e.addCommand("c5save",{exec:function(e){$("#"+e.element.$.id+"_content").val(e.getData()),ConcreteEvent.fire("EditModeBlockSaveInline"),e.destroy()}}),e.addCommand("c5cancel",{exec:function(e){ConcreteEvent.fire("EditModeExitInline"),e.destroy()}}),e.ui.addButton&&(e.ui.addButton("concrete_save",{label:e.lang.common.ok,command:"c5save",toolbar:"document,0"}),e.ui.addButton("concrete_cancel",{label:e.lang.common.cancel,command:"c5cancel",toolbar:"document,1"})))}})},3805:()=>{CKEDITOR.plugins.add("concretelink",{requires:"link",init:function(e){CKEDITOR.on("dialogDefinition",function(t){var n=t.data.name,i=t.data.definition,o=e.lang.common,a=function(e,t){t[e]||(t[e]={}),t[e][this.id]=this.getValue()||""},r=function(e){return a.call(this,"target",e)},l=function(){return CKEDITOR.plugins.link.getSelectedLink(t.editor)};if("link"==n){var s=i.getContents("info");null===s.get("sitemapBrowse")&&t.editor.config.sitemap&&s.add({type:"button",id:"sitemapBrowse",label:ccmi18n_editor.sitemap,title:ccmi18n_editor.sitemap,onClick:function(){jQuery.fn.dialog.open({width:"90%",height:"70%",modal:!1,title:ccmi18n_sitemap.choosePage,href:CCM_DISPATCHER_FILENAME+"/ccm/system/dialogs/page/sitemap_selector"}),ConcreteEvent.unsubscribe("SitemapSelectPage"),ConcreteEvent.subscribe("SitemapSelectPage",function(e,t){jQuery.fn.dialog.closeTop();var n=i.dialog.getContentElement("info","url");n&&n.setValue(CCM_APPLICATION_URL+"/index.php?cID="+t.cID)})}},"browse");var c=i.getContents("target");if(null!==c.get("linkTargetType")){var d=c.get("linkTargetType");"lightbox"!=d.items[3][1]&&(d.items.splice(3,0,["<lightbox>","lightbox"]),d.items.join()),null===c.get("lightboxFeatures")&&c.elements.push({type:"vbox",width:"100%",align:"center",padding:2,id:"lightboxFeatures",children:[{type:"fieldset",label:ccmi18n_editor.lightboxFeatures,children:[{type:"hbox",children:[{type:"checkbox",id:"imageLightbox",label:ccmi18n_editor.imageLink,setup:function(e){var t=l();null!==t&&void 0!==e.target&&("lightbox"==e.target.name&&"image"==t.data("concrete-link-lightbox")?this.setValue(1):this.setValue(0))},commit:r,onChange:function(e){this.getValue()?this.getDialog().getContentElement("target","lightboxDimensions").getElement().hide():this.getDialog().getContentElement("target","lightboxDimensions").getElement().show()}}]},{type:"hbox",id:"lightboxDimensions",children:[{type:"text",widths:["50%","50%"],labelLayout:"horizontal",label:o.width,id:"lightboxWidth",setup:function(e){var t=l();null!==t&&void 0!==e.target&&("lightbox"==e.target.name&&t.hasAttribute("data-concrete-link-lightbox-width")?this.setValue(t.data("concrete-link-lightbox-width")):this.setValue(null))},commit:r},{type:"text",labelLayout:"horizontal",widths:["50%","50%"],label:o.height,id:"lightboxHeight",setup:function(e){var t=l();null!==t&&void 0!==e.target&&("lightbox"==e.target.name&&t.hasAttribute("data-concrete-link-lightbox-height")?this.setValue(t.data("concrete-link-lightbox-height")):this.setValue(null))},commit:r}],setup:function(){this.getDialog().getContentElement("target","imageLightbox").getValue()?this.getElement().hide():this.getElement().show()}}]}],setup:function(){this.getDialog().getContentElement("info","linkType")||this.getElement().hide(),"lightbox"!=this.getDialog().getContentElement("target","linkTargetType").getValue()&&this.getElement().hide()}}),d.onChange=CKEDITOR.tools.override(d.onChange,function(e){return function(){var t=this.getDialog().getContentElement("target","lightboxFeatures").getElement();"lightbox"!=this.getValue()||this._.selectedElement?t.hide():t.show(),e.call(this)}}),d.setup=function(e){e.target&&("lightbox"==e.target.name&&(e.target.type=e.target.name),this.setValue(e.target.type||"notSet")),this.onChange.call(this)},d.commit=function(e){e.target||(e.target={}),e.target.type=this.getValue()},i.onOk=CKEDITOR.tools.override(i.onOk,function(e){return function(){var t={},n={};this.commitContent(t),e.call(this);var i=l();null!==i&&("lightbox"==t.target.type?t.target.imageLightbox?(i.data("concrete-link-lightbox","image"),n={"data-concrete-link-lightbox-width":1,"data-concrete-link-lightbox-height":1}):(i.data("concrete-link-lightbox","iframe"),t.target.lightboxWidth&&t.target.lightboxHeight?(i.data("concrete-link-lightbox-width",t.target.lightboxWidth),i.data("concrete-link-lightbox-height",t.target.lightboxHeight)):n={"data-concrete-link-lightbox-width":1,"data-concrete-link-lightbox-height":1}):n={"data-concrete-link-lightbox":1,"data-concrete-link-lightbox-width":1,"data-concrete-link-lightbox-height":1},i.removeAttributes(n))}})}}})}})},1939:()=>{CKEDITOR.plugins.add("normalizeonchange",{init:function(e){CKEDITOR.on("instanceReady",function(e){e.editor.on("change",function(t){var n=e.editor.getSelection();if(n){var i=n.getStartElement();i&&i.$&&n.getStartElement().$.normalize()}})})}})},8315:()=>{CKEDITOR.plugins.add("concretestyles",{requires:["widget","stylescombo","menubutton"],init:function(e){},afterInit:function(e){var t=this;function n(e){return{exec:function(t){var n="> </",i=e.html,o=t.getSelection(),a=o&&o.getSelectedText();if(-1!=i.indexOf(n)&&a){for(var r=["address","article","aside","audio","blockquote","canvas","dd","div","dl","fieldset","figcaption","figure","figcaption","footer","form","h1","h2","h3","h4","h5","h6","header","hgroup","hr","noscript","ol","output","p","pre","section","span","table","tfoot","ul","video"],l=o.getRanges(),s=new CKEDITOR.dom.element("div"),c=0,d=l.length;c<d;++c){var g=l[c],u=g.createBookmark2();s.append(g.cloneContents()),g.moveToBookmark(u),g.select()}for(var h=s.getHtml(),m=0;m<r.length;m++){var f=new RegExp("(<"+r[m]+"[^>]*>|</"+r[m]+">)","gi");h=h.replace(f,"")}i=i.replace(n,">"+h+"</")}t.insertHtml(i)}}}var i={name:"snippets",icon:"snippet.png",title:ccmi18n_editor.snippets,items:[]};if(e.config.snippets&&($.each(e.config.snippets,function(t,n){e.widgets.add(n.scsHandle,{template:n.scsName});var o={};o.name=n.scsHandle,o.icon="snippet.png",o.title=n.scsName,o.html='<span class="ccm-content-editor-snippet" contenteditable="false" data-scsHandle="'+n.scsHandle+'">'+n.scsName+"</span>",i.items.push(o)}),function(i){for(var o=i.items,a={},r=0;r<o.length;r++){var l=o[r],s=l.name;e.addCommand(s,n(l)),a[s]={label:l.title,command:s,group:i.name,role:"menuitem"}}e.addMenuGroup(i.name,1),e.addMenuItems(a),e.ui.add(i.name,CKEDITOR.UI_MENUBUTTON,{label:i.title,icon:t.path+"/icons/"+i.icon,toolbar:i.toolbar||"insert",onMenu:function(){var e={};for(var t in a)e[t]=CKEDITOR.TRISTATE_OFF;return e}})}(i,i.name)),e.config.classes){var o=[];$.each(e.config.classes,function(){var e={};e.name=this.title,void 0!==this.element?e.element=this.element:void 0!==this.forceBlock&&1==this.forceBlock?e.element=["h1","h2","h3","h4","h5","h6","p"]:e.element="span",void 0!==this.spanClass&&(e.attributes={class:this.spanClass}),void 0!==this.attributes&&(e.attributes=this.attributes),void 0!==this.styles&&(e.styles=this.styles),"widget"===this.type&&void 0!==this.widget&&(e.type="widget",e.widget=this.widget),o.push(e)}),e.fire("stylesSet",{styles:o})}}})},7320:()=>{CKEDITOR.plugins.add("concreteuploadimage",{requires:"uploadimage",init:function(e){e.on("fileUploadRequest",function(e){var t=e.data.fileLoader,n=t.xhr,i=new FormData;i.append("ccm_token",CCM_SECURITY_TOKEN),i.append("files[]",t.file,t.fileName),n.send(i),e.stop()}),e.on("fileUploadResponse",function(e){e.stop();var t=e.data,n=t.fileLoader.xhr;if(200==n.status){var i=jQuery.parseJSON(n.responseText);i.error?(t.message=i.errors.join(),e.cancel()):i.files.length>0&&(t.url=i.files[0].urlInline)}else t.message=n.responseText,e.cancel()})}})},8316:()=>{!function(e){if(void 0===e)throw Error("jQuery should be loaded before CKEditor jQuery adapter.");if("undefined"==typeof CKEDITOR)throw Error("CKEditor should be loaded before CKEditor jQuery adapter.");CKEDITOR.config.jqueryOverrideVal=void 0===CKEDITOR.config.jqueryOverrideVal||CKEDITOR.config.jqueryOverrideVal,e.extend(e.fn,{ckeditorGet:function(){var e=this.eq(0).data("ckeditorInstance");if(!e)throw"CKEditor is not initialized yet, use ckeditor() with a callback.";return e},ckeditor:function(t,n){if(!CKEDITOR.env.isCompatible)throw Error("The environment is incompatible.");if("function"!=typeof t){var i=n;n=t,t=i}var o=[];n=n||{},this.each(function(){var i=e(this),a=i.data("ckeditorInstance"),r=i.data("_ckeditorInstanceLock"),l=this,s=new e.Deferred;o.push(s.promise()),a&&!r?(t&&t.apply(a,[this]),s.resolve()):r?a.once("instanceReady",function(){setTimeout(function e(){a.element?(a.element.$==l&&t&&t.apply(a,[l]),s.resolve()):setTimeout(e,100)},0)},null,null,9999):((n.autoUpdateElement||void 0===n.autoUpdateElement&&CKEDITOR.config.autoUpdateElement)&&(n.autoUpdateElementJquery=!0),n.autoUpdateElement=!1,i.data("_ckeditorInstanceLock",!0),a=e(this).is("textarea")?CKEDITOR.replace(l,n):CKEDITOR.inline(l,n),i.data("ckeditorInstance",a),a.on("instanceReady",function(n){var o=n.editor;setTimeout(function a(){if(o.element){if(n.removeListener(),o.on("dataReady",function(){i.trigger("dataReady.ckeditor",[o])}),o.on("setData",function(e){i.trigger("setData.ckeditor",[o,e.data])}),o.on("getData",function(e){i.trigger("getData.ckeditor",[o,e.data])},999),o.on("destroy",function(){i.trigger("destroy.ckeditor",[o])}),o.on("save",function(){return e(l.form).trigger("submit"),!1},null,null,20),o.config.autoUpdateElementJquery&&i.is("textarea")&&e(l.form).length){var r=function(){i.ckeditor(function(){o.updateElement()})};e(l.form).on("submit",r),e(l.form).on("form-pre-serialize",r),i.on("destroy.ckeditor",function(){e(l.form).off("submit",r),e(l.form).off("form-pre-serialize",r)})}o.on("destroy",function(){i.removeData("ckeditorInstance")}),i.removeData("_ckeditorInstanceLock"),i.trigger("instanceReady.ckeditor",[o]),t&&t.apply(o,[l]),s.resolve()}else setTimeout(a,100)},0)},null,null,9999))});var a=new e.Deferred;return this.promise=a.promise(),e.when.apply(this,o).then(function(){a.resolve()}),this.editor=this.eq(0).data("ckeditorInstance"),this}}),CKEDITOR.config.jqueryOverrideVal&&(e.fn.val=CKEDITOR.tools.override(e.fn.val,function(t){return function(n){if(arguments.length){var i=this,o=[],a=this.each(function(){var i=e(this),a=i.data("ckeditorInstance");if(i.is("textarea")&&a){var r=new e.Deferred;return a.setData(n,function(){r.resolve()}),o.push(r.promise()),!0}return t.call(i,n)});if(o.length){var r=new e.Deferred;return e.when.apply(this,o).done(function(){r.resolveWith(i)}),r.promise()}return a}var l=(a=e(this).eq(0)).data("ckeditorInstance");return a.is("textarea")&&l?l.getData():t.call(a)}}))}(window.jQuery)}},t={};function n(i){var o=t[i];if(void 0!==o)return o.exports;var a=t[i]={exports:{}};return e[i](a,a.exports,n),a.exports}n.n=e=>{var t=e&&e.__esModule?()=>e.default:()=>e;return n.d(t,{a:t}),t},n.d=(e,t)=>{for(var i in t)n.o(t,i)&&!n.o(e,i)&&Object.defineProperty(e,i,{enumerable:!0,get:t[i]})},n.o=(e,t)=>Object.prototype.hasOwnProperty.call(e,t),(()=>{"use strict";n(8316),n(1939),n(7068),n(3805),n(461),n(8315),n(7320)})()})(); \ No newline at end of file
concrete/js/cms.js+1 −1 modifiedconcrete/routes/dialogs/files.php+0 −1 modified@@ -43,7 +43,6 @@ $router->all('/thumbnails', 'Thumbnails::view'); $router->all('/thumbnails/edit', 'Thumbnails\Edit::view'); $router->all('/thumbnails/edit/submit', 'Thumbnails\Edit::submit'); -$router->all('/usage/{fID}', 'Usage::view'); $router->all('/statistics/{fID}', 'Statistics::view'); $router->all('/statistics/load_more/{fID}', 'Statistics::load_more'); $router->all('/statistics/download/{fID}', 'Statistics::download');
concrete/single_pages/dashboard/extend/install.php+8 −2 modified@@ -315,7 +315,10 @@ <p><?= h($pb->summary); ?></p> </div> <div class="d-block ms-auto"> - <a href="<?= URL::to('/dashboard/extend/install', 'download', $pb->id); ?>" class="btn btn-sm btn-secondary"><?= t('Download'); ?></a> + <form method="post" action="<?= URL::to('/dashboard/extend/install', 'download', $pb->id); ?>" class="d-inline"> + <?= $token->output('download_package'); ?> + <button type="submit" class="btn btn-sm btn-secondary"><?= t('Download'); ?></button> + </form> </div> </div> <?php @@ -338,7 +341,10 @@ } else { ?> <div class="btn-group ms-auto d-block"> - <a href="<?= URL::to('/dashboard/extend/install', 'install_package', $obj->getPackageHandle()); ?>" class="btn btn-sm btn-secondary"><?= t('Install'); ?></a><?php + <form method="post" action="<?= URL::to('/dashboard/extend/install', 'install_package', $obj->getPackageHandle()); ?>" class="d-inline"> + <?= $token->output('install_package'); ?> + <button type="submit" class="btn btn-sm btn-secondary"><?= t('Install'); ?></button> + </form><?php if ($displayDeleteBtn) { ?><a href="javascript:void(0)" class="btn btn-sm btn-danger" onclick="deletePackage('<?= $obj->getPackageHandle() ?>', '<?= $obj->getPackageName() ?>')"><?= t('Delete') ?></a> <?php
concrete/single_pages/dashboard/extend/update.php+10 −2 modified@@ -60,7 +60,10 @@ ?> <td class="ccm-marketplace-list-install-button"> <a class="btn" target="_blank" href="#"><?=t('More Information')?></a> - <?=$ch->button(t('Download and Install'), View::url('/dashboard/extend/update', 'prepare_remote_upgrade', $remotePackage->id), '', 'primary')?> + <form method="post" action="<?= View::url('/dashboard/extend/update', 'prepare_remote_upgrade', $remotePackage->id) ?>" class="d-inline"> + <?= $valt->output('prepare_remote_upgrade') ?> + <button type="submit" class="btn btn-secondary primary"><?= t('Download and Install') ?></button> + </form> </td> <?php } @@ -107,7 +110,12 @@ <td class="ccm-addon-list-description"><h3><?=$pkg->getPackageName()?></h3><p><?=$pkg->getPackageDescription()?></p> <p><strong><?=t('New Version: %s. Upgrading from: %s.', $pkg->getPackageVersion(), $entity->getPackageVersion())?></strong></p> </td> - <td class="ccm-marketplace-list-install-button"><?=$ch->button(t('Update Add-On'), View::url('/dashboard/extend/update', 'do_update', $pkg->getPackageHandle()), '', 'btn-primary')?></td> + <td class="ccm-marketplace-list-install-button"> + <form method="post" action="<?= View::url('/dashboard/extend/update', 'do_update', $pkg->getPackageHandle()) ?>" class="d-inline"> + <?= $valt->output('update_addon') ?> + <button type="submit" class="btn btn-secondary btn-primary"><?= t('Update Add-On') ?></button> + </form> + </td> </tr> <tr> <td colspan="2" style="border-top: 0px">
concrete/src/Api/OAuth/Controller.php+57 −29 modified@@ -14,6 +14,11 @@ use Concrete\Core\Logging\LoggerAwareInterface; use Concrete\Core\Logging\LoggerAwareTrait; use Concrete\Core\Support\Facade\Application; +use Concrete\Core\User\Exception\FailedLoginThresholdExceededException; +use Concrete\Core\User\Exception\InvalidCredentialsException; +use Concrete\Core\User\Exception\UserDeactivatedException; +use Concrete\Core\User\Exception\UserException; +use Concrete\Core\User\Login\LoginService; use Concrete\Core\User\User as UserObject; use Concrete\Core\Validation\CSRF\Token; use Concrete\Core\View\View; @@ -193,6 +198,8 @@ public function handleLogin(AuthorizationRequest $request) { $error = new ErrorList(); $emailLogin = $this->config->get('concrete.user.registration.email_registration'); + $app = Application::getFacadeApplication(); + $loginService = $app->make(LoginService::class); while ($this->request->getMethod() === 'POST') { @@ -204,43 +211,47 @@ public function handleLogin(AuthorizationRequest $request) $query = $this->request->getParsedBody(); $user = array_get($query, 'uName'); $password = array_get($query, 'uPassword'); + $user = is_string($user) ? trim($user) : ''; + $password = is_string($password) ? $password : ''; - $userRepository = $this->entityManager->getRepository(User::class); - - /** @var User $user */ - $user = $userRepository->findOneBy([$emailLogin ? 'uEmail' : 'uName' => $user]); - - $app = Application::getFacadeApplication(); - $hasher = $app->make(\Concrete\Core\Encryption\PasswordHasher::class); - - // User successfully logged in - if ($user && $user->getUserID() && $hasher->checkPassword($password, $user->getUserPassword())) { - if ($hasher->needsRehash($user->getUserPassword())) { - $em = $app->make(EntityManagerInterface::class); - - try { - $em->transactional(function () use ($user, $hasher, $password) { - $user->setUserPassword($hasher->hashPassword($password)); - }); - } catch (\Throwable $e) { - $this->logger->emergency('Unable to rehash password for user {user} ({id}): {message}', [ - 'user' => $user->getUserName(), - 'id' => $user->getUserID(), - 'message' => $e->getMessage(), - ]); - } + if ($user === '' || $password === '') { + if ($emailLogin) { + $error->add(t('Please provide both email address and password.')); + } else { + $error->add(t('Please provide both username and password.')); } + break; + } + + $failedLogins = $app->make('failed_login'); + if ($failedLogins->isDenylisted()) { + $error->add($failedLogins->getErrorMessage()); + break; + } + + try { + $loggedInUser = $loginService->login($user, $password); + $loginService->logLoginAttempt($user); - $userInfo = $this->entityManager->find(User::class, $user->getUserID()); + $userInfo = $this->entityManager->find(User::class, $loggedInUser->getUserID()); $request->setUser($userInfo); $this->storeRequest($request); return new \RedirectResponse($this->request->getUri()); - } else { - if ($this->config->get('concrete.user.registration.email_registration')) { - $message = t('Invalid email address or password.'); + } catch (UserException $e) { + try { + $this->handleFailedLogin($loginService, $user, $password, $e); + } catch (UserException $x) { + $e = $x; + } + if ($e instanceof InvalidCredentialsException) { + if ($emailLogin) { + $message = t('Invalid email address or password.'); + } else { + $message = t('Invalid username or password.'); + } } else { - $message = t('Invalid username or password.'); + $message = $e->getMessage(); } $error->add($message); } @@ -260,6 +271,23 @@ public function handleLogin(AuthorizationRequest $request) return new \Concrete\Core\Http\Response($contents->render()); } + protected function handleFailedLogin(LoginService $loginService, $uName, $uPassword, UserException $e) + { + if ($e instanceof InvalidCredentialsException) { + try { + $loginService->failLogin($uName, $uPassword); + } catch (FailedLoginThresholdExceededException $e) { + $loginService->logLoginAttempt($uName, ['Failed Login Threshold Exceeded', $e->getMessage()]); + throw $e; + } catch (UserDeactivatedException $e) { + $loginService->logLoginAttempt($uName, ['User Deactivated', $e->getMessage()]); + throw $e; + } + } + + $loginService->logLoginAttempt($uName, ['Invalid Credentials', $e->getMessage()]); + } + /** * Handle the scope authorization portion of an authorization request * This method renders a view that outputs a list of scopes and asks the user to verify that they want to give the
concrete/src/Block/BlockController.php+4 −1 modified@@ -4,6 +4,7 @@ use Concrete\Core\Area\Area; use Concrete\Core\Backup\ContentExporter; use Concrete\Core\Backup\ContentImporter; +use Concrete\Core\Block\Controller\SaveMode; use Concrete\Core\Block\View\BlockViewTemplate; use Concrete\Core\Database\Connection\Connection; use Concrete\Core\Editor\LinkAbstractor; @@ -155,6 +156,8 @@ class BlockController extends \Concrete\Core\Controller\AbstractController */ public static $btTitleFormats = ['h1' => 'H1', 'h2' => 'H2', 'h3' => 'H3', 'h4' => 'H4', 'h5' => 'H5', 'h6' => 'H6', 'p' => 'Normal']; + public $saveMode = SaveMode::SAVE_MODE_REQUEST; + /** * Set this to true if the data sent to the save/performSave methods can contain NULL values that should be persisted. * @@ -540,7 +543,7 @@ public function import($page, $arHandle, \SimpleXMLElement $blockNode) $blockData = []; $bt = \Concrete\Core\Block\BlockType\BlockType::getByHandle($this->btHandle); - $b = $page->addBlock($bt, $arHandle, $args); + $b = $page->addBlock($bt, $arHandle, $args, SaveMode::SAVE_MODE_IMPORT); $bName = (string) $blockNode['name']; $bFilename = (string) $blockNode['custom-template']; if ($bName) {
concrete/src/Block/Controller/SaveMode.php+9 −0 added@@ -0,0 +1,9 @@ +<?php + +namespace Concrete\Core\Block\Controller; + +class SaveMode +{ + public const SAVE_MODE_REQUEST = 'request'; + public const SAVE_MODE_IMPORT = 'import'; +}
concrete/src/Conversation/FrontendController.php+4 −0 modified@@ -260,6 +260,10 @@ protected function getBlockConversation(): Conversation if (!($blockConversation instanceof Conversation)) { throw new UserMessageException(t('Invalid Conversation.')); } + $cp = new Checker($blockConversation); + if (!$cp->canViewConversation()) { + throw new UserMessageException(t('Access Denied.')); + } $this->blockConversation = $blockConversation; }
concrete/src/Entity/Block/BlockType/BlockType.php+4 −2 modified@@ -5,6 +5,7 @@ use BlockTypeSet; use Concrete\Block\CoreStackDisplay\Controller; use Concrete\Core\Block\BlockType\BlockTypeList; +use Concrete\Core\Block\Controller\SaveMode; use Concrete\Core\Block\View\BlockView; use Concrete\Core\Database\Schema\Schema; use Concrete\Core\Filesystem\TemplateFile; @@ -630,10 +631,10 @@ public function delete() * @param mixed $data * @param bool|\Collection $c * @param bool|\Area $a - * + * @param string $saveMode * @return bool|\Concrete\Core\Block\Block */ - public function add($data, $c = false, $a = false) + public function add($data, $c = false, $a = false, ?string $saveMode = SaveMode::SAVE_MODE_REQUEST) { $app = Facade::getFacadeApplication(); $db = $app->make('database')->connection(); @@ -672,6 +673,7 @@ public function add($data, $c = false, $a = false) } $class = $this->getBlockTypeClass(); $bc = $app->make($class, ['obj' => $nb]); + $bc->saveMode = $saveMode; $bc->save($data); return Block::getByID($bIDnew);
concrete/src/Feed/FeedService.php+30 −2 modified@@ -3,7 +3,12 @@ use Concrete\Core\Cache\Adapter\LaminasCacheDriver; use Concrete\Core\Config\Repository\Repository; +use Concrete\Core\Error\UserMessageException; use Concrete\Core\Http\Client\Factory as HttpClientFactory; +use Concrete\Core\Url\Validation\InvalidRemoteUrlException; +use Concrete\Core\Url\Validation\RemoteUrlRequestOptionsBuilder; +use Concrete\Core\Url\Validation\RemoteUrlValidator; +use Concrete\Core\Url\Validation\ValidatedRemoteUrl; use Laminas\Feed\Reader\Feed\FeedInterface; use Laminas\Feed\Reader\Reader; @@ -19,10 +24,22 @@ class FeedService */ protected $httpClientFactory; + /** + * @var \Concrete\Core\Url\Validation\RemoteUrlValidator + */ + protected $remoteUrlValidator; + + /** + * @var \Concrete\Core\Url\Validation\RemoteUrlRequestOptionsBuilder + */ + protected $remoteUrlRequestOptionsBuilder; + public function __construct(Repository $config, HttpClientFactory $httpClientFactory) { $this->config = $config; $this->httpClientFactory = $httpClientFactory; + $this->remoteUrlValidator = new RemoteUrlValidator(); + $this->remoteUrlRequestOptionsBuilder = new RemoteUrlRequestOptionsBuilder(); } /** @@ -38,7 +55,8 @@ public function load($url, $cache = 3600) Reader::setCache(new LaminasCacheDriver('cache/expensive', $cache)); } - Reader::setHttpClient(new GuzzleClient($this->buildHttpClient())); + $validatedUrl = $this->getValidatedFeedUrl($url); + Reader::setHttpClient(new GuzzleClient($this->buildHttpClient($validatedUrl))); // Load the RSS feed, either from remote URL or from cache // (if specified above and still fresh) @@ -59,12 +77,22 @@ public function getPosts(FeedInterface $feed): array /** * @return \Concrete\Core\Http\Client\Client */ - protected function buildHttpClient() + protected function buildHttpClient(ValidatedRemoteUrl $validatedUrl) { $options = [ 'timeout' => 5, ] + $this->httpClientFactory->getDefaultOptions($this->config); + $options = array_replace($options, $this->remoteUrlRequestOptionsBuilder->build($validatedUrl)); return $this->httpClientFactory->createFromOptions($options); } + + protected function getValidatedFeedUrl($url) + { + try { + return $this->remoteUrlValidator->validate((string) $url); + } catch (InvalidRemoteUrlException $x) { + throw new UserMessageException(t('The RSS feed URL is not valid.')); + } + } }
concrete/src/Legacy/Pagination.php+3 −0 modified@@ -194,6 +194,7 @@ public function getNext($linkText = false, $wrapper = 'span') return '<' . $wrapper . ' class="page-link"' . ($wrapper == 'a' ? ' href="#"' : '') . '>'.$linkText.'</' . $wrapper . '>'; } else { $linkURL = str_replace("%pageNum%", $this->getNextInt() + 1, $this->URL); + $linkURL = htmlspecialchars($linkURL, ENT_QUOTES, 'UTF-8'); return '<a class="page-link" href="'.$linkURL.'" '.$this->getJSFunctionCall($this->getNextInt() + 1).'>'.$linkText.'</a>'; } @@ -221,6 +222,7 @@ public function getPrevious($linkText = false, $wrapper = 'span') return '<' . $wrapper . ' class="page-link"' . ($wrapper == 'a' ? ' href="#"' : '') . '>'.$linkText.'</' . $wrapper . '>'; } else { $linkURL = str_replace("%pageNum%", $this->getPreviousInt() + 1, $this->URL); + $linkURL = htmlspecialchars($linkURL, ENT_QUOTES, 'UTF-8'); return '<a class="page-link" href="'.$linkURL.'" '.$this->getJSFunctionCall($this->getPreviousInt() + 1).'>'.$linkText.'</a>'; } @@ -301,6 +303,7 @@ public function getPages($wrapper = 'span') } } else { $linkURL = str_replace("%pageNum%", $i + 1, $this->URL); + $linkURL = htmlspecialchars($linkURL, ENT_QUOTES, 'UTF-8'); if ($wrapper == 'li') { $pages .= "<li class=\"page-item\"><a class=\"page-link\" href=\"{$linkURL}\" ".$this->getJSFunctionCall($i + 1).">".($i + 1)."</a></li>";
concrete/src/Page/Collection/Collection.php+3 −2 modified@@ -11,6 +11,7 @@ use Concrete\Core\Area\CustomStyle as AreaCustomStyle; use Concrete\Core\Area\GlobalArea; use Concrete\Core\Attribute\Key\CollectionKey; +use Concrete\Core\Block\Controller\SaveMode; use Concrete\Core\Block\CustomStyle as BlockCustomStyle; use Concrete\Core\Block\CustomStyleRepository as BlockCustomStyleRepository; use Concrete\Core\Database\Connection\Connection; @@ -1010,14 +1011,14 @@ public function getBlockIDs($arHandle = false) * * @return \Concrete\Core\Block\Block */ - public function addBlock($bt, $a, $data) + public function addBlock($bt, $a, $data, ?string $saveMode = SaveMode::SAVE_MODE_REQUEST) { $app = Application::getFacadeApplication(); /** @var Connection $db */ $db = $app->make(Connection::class); // first we add the block to the system - $nb = $bt->add($data, $this, $a); + $nb = $bt->add($data, $this, $a, $saveMode); // now that we have a block, we add it to the collectionversions table
concrete/src/Page/Page.php+5 −2 modified@@ -5,6 +5,7 @@ use Concrete\Core\Area\Area; use Block; use CacheLocal; +use Concrete\Core\Block\Controller\SaveMode; use Concrete\Core\Entity\Page\Summary\CustomPageTemplateCollection; use Concrete\Core\Localization\Service\Date; use Concrete\Core\Page\Collection\Collection; @@ -1192,6 +1193,8 @@ public function updateCollectionAliasExternal($cName, $cLink, $newWindow = 0) } else { $newWindow = 0; } + $cLink = app('helper/security')->sanitizeURL($cLink); + $cName = app('helper/text')->sanitize($cName); $db->executeQuery('update CollectionVersions set cvName = ? where cID = ?', [$cName, $this->cID]); $db->executeQuery('update Pages set cPointerExternalLink = ?, cPointerExternalLinkNewWindow = ? where cID = ?', [$cLink, $newWindow, $this->cID]); } @@ -2851,12 +2854,12 @@ public function updateGroupsSubCollection($cParentIDString) * * @return \Concrete\Core\Block\Block */ - public function addBlock($bt, $a, $data) + public function addBlock($bt, $a, $data, ?string $saveMode = SaveMode::SAVE_MODE_REQUEST) { if (is_string($a) && $a !== '') { $a = Area::getOrCreate($this, $a); } - $b = parent::addBlock($bt, $a, $data); + $b = parent::addBlock($bt, $a, $data, $saveMode); $btHandle = $bt->getBlockTypeHandle(); if ($b->getBlockTypeHandle() == BLOCK_HANDLE_PAGE_TYPE_OUTPUT_PROXY) { $bi = $b->getInstance();
concrete/src/Summary/Category/Driver/AbstractDriver.php+5 −0 modified@@ -4,6 +4,7 @@ use Concrete\Core\Application\Application; use Concrete\Core\Application\ApplicationAwareInterface; use Concrete\Core\Application\ApplicationAwareTrait; +use Concrete\Core\Summary\Category\CategoryMemberInterface; use Doctrine\ORM\EntityManager; defined('C5_EXECUTE') or die("Access Denied."); @@ -23,4 +24,8 @@ public function __construct(EntityManager $entityManager) $this->entityManager = $entityManager; } + public function canViewRenderedSummaryTemplates(CategoryMemberInterface $object): bool + { + return false; + } }
concrete/src/Summary/Category/Driver/CalendarEventDriver.php+11 −0 modified@@ -4,7 +4,9 @@ use Concrete\Core\Calendar\Event\EventOccurrenceService; use Concrete\Core\Calendar\Event\EventService; +use Concrete\Core\Entity\Calendar\CalendarEventVersionOccurrence; use Concrete\Core\Entity\Calendar\Summary\CalendarEventTemplate; +use Concrete\Core\Permission\Checker; use Concrete\Core\Summary\Category\CategoryMemberInterface; use Concrete\Core\Summary\Template\RenderableTemplateInterface; @@ -23,5 +25,14 @@ public function getMemberSummaryTemplate($templateID): ?RenderableTemplateInterf return $this->entityManager->find(CalendarEventTemplate::class, $templateID); } + /** + * @param CalendarEventVersionOccurrence $object + */ + public function canViewRenderedSummaryTemplates(CategoryMemberInterface $object): bool + { + $calendar = $object->getEvent()->getCalendar(); + $checker = new Checker($calendar); + return $checker->canEditCalendar(); + } }
concrete/src/Summary/Category/Driver/DriverInterface.php+1 −0 modified@@ -14,4 +14,5 @@ public function getCategoryMemberFromIdentifier($identifier): ?CategoryMemberInt public function getMemberSummaryTemplate($templateID): ?RenderableTemplateInterface; + public function canViewRenderedSummaryTemplates(CategoryMemberInterface $object): bool; }
concrete/src/Summary/Category/Driver/PageDriver.php+11 −0 modified@@ -3,6 +3,7 @@ use Concrete\Core\Entity\Page\Summary\PageTemplate; use Concrete\Core\Page\Page; +use Concrete\Core\Permission\Checker; use Concrete\Core\Summary\Category\CategoryMemberInterface; use Concrete\Core\Summary\Template\RenderableTemplateInterface; @@ -21,4 +22,14 @@ public function getMemberSummaryTemplate($templateID): ?RenderableTemplateInterf return $this->entityManager->find(PageTemplate::class, $templateID); } + /** + * @param Page $object + * @return bool + */ + public function canViewRenderedSummaryTemplates(CategoryMemberInterface $object): bool + { + $checker = new Checker($object); + return $checker->canEditPageTemplate(); + } + }
concrete/src/Url/Validation/InvalidRemoteUrlException.php+9 −0 added@@ -0,0 +1,9 @@ +<?php + +namespace Concrete\Core\Url\Validation; + +use RuntimeException; + +class InvalidRemoteUrlException extends RuntimeException +{ +}
concrete/src/Url/Validation/RemoteUrlRequestOptionsBuilder.php+23 −0 added@@ -0,0 +1,23 @@ +<?php + +namespace Concrete\Core\Url\Validation; + +use GuzzleHttp\RequestOptions; + +class RemoteUrlRequestOptionsBuilder +{ + public function build(ValidatedRemoteUrl $validatedUrl): array + { + $url = $validatedUrl->getUrl(); + $host = trim((string) $url->getHost()); + $scheme = strtolower((string) $url->getScheme()); + $port = $url->getPort(); + $port = $port ? $port->get() : null; + $port = $port ? (int) $port : ($scheme === 'http' ? 80 : 443); + + return [ + RequestOptions::ALLOW_REDIRECTS => false, + 'curl' => [CURLOPT_RESOLVE => [sprintf('%s:%d:%s', $host, $port, $validatedUrl->getIp())]], + ]; + } +}
concrete/src/Url/Validation/RemoteUrlValidator.php+66 −0 added@@ -0,0 +1,66 @@ +<?php + +namespace Concrete\Core\Url\Validation; + +use Concrete\Core\Url\Url; +use IPLib\Factory as IPFactory; +use IPLib\Range\Type as IPRangeType; +use RuntimeException; + +class RemoteUrlValidator +{ + public function validate(string $url, array $allowedSchemes = ['http', 'https']): ValidatedRemoteUrl + { + try { + $parsedUrl = Url::createFromUrl($url); + } catch (RuntimeException $x) { + throw new InvalidRemoteUrlException($x->getMessage(), 0, $x); + } + + $scheme = strtolower((string) $parsedUrl->getScheme()); + if (!in_array($scheme, $allowedSchemes, true)) { + throw new InvalidRemoteUrlException('Invalid URL scheme.'); + } + + $host = trim((string) $parsedUrl->getHost()); + if (in_array(strtolower($host), ['', '0', 'localhost'], true)) { + throw new InvalidRemoteUrlException('Invalid URL host.'); + } + + $ipFormatBlocks = [ + '/^\d+$/', + '/^0x[0-9a-f]+$/i', + ]; + + foreach ($ipFormatBlocks as $block) { + if (preg_match($block, $host) !== 0) { + throw new InvalidRemoteUrlException('Invalid URL host.'); + } + } + + $ip = null; + if (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 | FILTER_FLAG_IPV6) !== false) { + $ip = IPFactory::parseAddressString($host); + } elseif (preg_match('/^[0-9.]+$/', $host) !== 0) { + // Reject non-standard numeric host notations like dotted octal. + throw new InvalidRemoteUrlException('Invalid URL host.'); + } + + if ($ip === null) { + $dnsList = @dns_get_record($host, DNS_A | DNS_AAAA); + while ($ip === null && $dnsList !== false && count($dnsList) > 0) { + $dns = array_shift($dnsList); + $resolvedIp = $dns['ip'] ?? $dns['ipv6'] ?? null; + if ($resolvedIp !== null) { + $ip = IPFactory::parseAddressString($resolvedIp); + } + } + } + + if ($ip === null || $ip->getRangeType() !== IPRangeType::T_PUBLIC) { + throw new InvalidRemoteUrlException('Invalid URL host.'); + } + + return new ValidatedRemoteUrl($parsedUrl, $ip->toString()); + } +}
concrete/src/Url/Validation/ValidatedRemoteUrl.php+57 −0 added@@ -0,0 +1,57 @@ +<?php + +namespace Concrete\Core\Url\Validation; + +use Concrete\Core\Url\Url; + +class ValidatedRemoteUrl +{ + /** + * @var \Concrete\Core\Url\Url + */ + protected $url; + + /** + * @var string + */ + protected $ip; + + public function __construct(Url $url, string $ip) + { + $this->url = $url; + $this->ip = $ip; + } + + public function getUrl(): Url + { + return $this->url; + } + + public function getScheme(): string + { + return strtolower((string) $this->url->getScheme()); + } + + public function getHost(): string + { + return trim((string) $this->url->getHost()); + } + + public function getPort(): int + { + $port = $this->url->getPort(); + $port = $port ? $port->get() : null; + + return $port ? (int) $port : ($this->getScheme() === 'http' ? 80 : 443); + } + + public function getIp(): string + { + return $this->ip; + } + + public function __toString(): string + { + return (string) $this->url; + } +}
concrete/src/User/UserInfo.php+6 −2 modified@@ -494,6 +494,9 @@ public function getUserObject() */ public function update($data) { + $data = is_array($data) ? $data : []; + $allowPasswordUpdate = ($data['_allowPasswordUpdate'] ?? null) === true; + $allowIgnoredIPMismatchesUpdate = ($data['_allowIgnoredIPMismatchesUpdate'] ?? null) === true; $uID = (int)$this->getUserID(); if ($uID === 0) { $result = false; @@ -533,7 +536,7 @@ public function update($data) $values[] = $data['uHomeFileManagerFolderID']; } } - if (isset($data['uPassword']) && (string)$data['uPassword'] !== '') { + if ($allowPasswordUpdate && isset($data['uPassword']) && (string)$data['uPassword'] !== '') { if (isset($data['uPasswordConfirm']) && $data['uPassword'] === $data['uPasswordConfirm']) { $passwordChangedOn = $this->application->make('date')->getOverridableNow(); $fields[] = 'uPassword = ?'; @@ -548,7 +551,7 @@ public function update($data) $result = null; } } - if (is_array($data['ignoredIPMismatches'] ?? null)) { + if ($allowIgnoredIPMismatchesUpdate && is_array($data['ignoredIPMismatches'] ?? null)) { $fields[] = 'ignoredIPMismatches = ?'; $values[] = (new SimpleArrayType())->convertToDatabaseValue($data['ignoredIPMismatches'], $this->connection->getDatabasePlatform()); } @@ -712,6 +715,7 @@ public function markValidated() public function changePassword($newPassword) { return $this->update([ + '_allowPasswordUpdate' => true, 'uPassword' => $newPassword, 'uPasswordConfirm' => $newPassword, 'uIsPasswordReset' => false,
concrete/src/Utility/Service/Url.php+9 −8 modified@@ -28,15 +28,16 @@ public function setVariable($variable, $value = false, $url = false) // sanitizeString() removes tags like <script>… and similar markup. $url = Loader::helper('security')->sanitizeString($_SERVER['REQUEST_URI']); $url = $encodeQuotesAndStripCRLF($url); - } elseif (strpos($url, '?') === false) { - // Base URL provided without a query: protect it too (in case it contains quotes). + } else { + // Base URL provided by the caller: protect it too (in case it contains quotes). $url = $encodeQuotesAndStripCRLF($url); - - // Append the current query string, after sanitizing and applying the same light encoding. - $qs = isset($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : ''; - $qs = Loader::helper('security')->sanitizeString($qs); - if ($qs !== false && $qs !== '') { - $url .= '?' . $encodeQuotesAndStripCRLF($qs); + if (strpos($url, '?') === false) { + // Append the current query string, after sanitizing and applying the same light encoding. + $qs = isset($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : ''; + $qs = Loader::helper('security')->sanitizeString($qs); + if ($qs !== false && $qs !== '') { + $url .= '?' . $encodeQuotesAndStripCRLF($qs); + } } }
concrete/themes/atomik/account.php+1 −1 modified@@ -8,7 +8,7 @@ // spacing. If we add an element between the container and the outer page class it breaks this. ?> <div class="row"> <div class="col-md-12"> - <h1><?=$c->getCollectionName()?></h1> + <h1><?=h($c->getCollectionName())?></h1> <?php View::element(
concrete/themes/dashboard/main.js+2 −2 modifiedconcrete/views/dialogs/file/usage.php+0 −58 removed@@ -1,58 +0,0 @@ -<?php - -use Concrete\Core\Entity\Statistics\UsageTracker\FileUsageRecord; -use Concrete\Core\Page\Page; -use Concrete\Core\Support\Facade\Url; - -/** @var FileUsageRecord[] $records */ - -?> -<div class="ccm-ui"> - <table class="table table-striped"> - <thead> - <tr> - <td> - <?php echo t('Page ID') ?> - </td> - - <td> - <?php echo t('Version') ?> - </td> - - <td> - <?php echo t('Handle') ?> - </td> - - <td> - <?php echo t('Location') ?> - </td> - </tr> - </thead> - - <tbody> - <?php foreach ($records as $record): ?> - <?php $page = Page::getByID($record->getCollectionID()); ?> - - <tr> - <td> - <?php echo $page->getCollectionID() ?> - </td> - - <td> - <?php echo $page->getVersionID() ?> - </td> - - <td> - <?php echo $page->getCollectionHandle() ?> - </td> - - <td> - <a target="_blank" href="<?php echo Url::to($page) ?>"> - <?php echo h($page->getCollectionPath() ?: '/') ?> - </a> - </td> - </tr> - <?php endforeach; ?> - </tbody> - </table> -</div>
concrete/views/dialogs/file/versions.php+2 −0 modified@@ -102,6 +102,7 @@ 'fileVersions' => $versions, 'canPreviewFileVersion' => $canPreviewFileVersion, 'canDeleteFileVersion' => $canDeleteFileVersion, + 'approveToken' => $token->generate('approve_file_version'), ]) ?>; }, watch: { @@ -115,6 +116,7 @@ data: { fID: this.fileID, fvID: this.activeFileVersionID, + <?= json_encode($token::DEFAULT_TOKEN_NAME) ?>: this.approveToken, }, success: () => { this.busy = false;
concrete/views/oauth/authorize.php+1 −1 modified@@ -50,7 +50,7 @@ <?php if (!$authorize) { ?> - <h3 class="text-center"><?= t('Sign in to %s', "<strong>{$client->getName()}</strong>") ?></h3> + <h3 class="text-center"><?= t('Sign in to %s', "<strong>{h($client->getName())}</strong>") ?></h3> <?php } ?>
tests/tests/Controller/Backend/FileTest.php+3 −4 modified@@ -67,14 +67,13 @@ public static function remoteUrlsToTry(): iterable $octal3 = '01002004010'; $integer = '134744072'; - // Test hexadecimal IPs get caught as local + // Standard public IPv4 hosts remain valid, but non-standard numeric notations are rejected. yield ['http://' . $simpleIp]; // This is allowed because it's an external IP yield ['http://' . $hex, UserMessageException::class, '/The URL ".+?" is not valid./']; - yield ['http://' . $octal]; // This form is allowed because it at least converts properly in ip-lib - yield ['http://' . $octal2]; // Same as the first octal + yield ['http://' . $octal, UserMessageException::class, '/The URL ".+?" is not valid./']; + yield ['http://' . $octal2, UserMessageException::class, '/The URL ".+?" is not valid./']; yield ['http://' . $octal3, UserMessageException::class, '/The URL ".+?" is not valid./']; yield ['http://' . $integer, UserMessageException::class, '/The URL ".+?" is not valid./']; } } -
tests/tests/Url/Validation/RemoteUrlValidationTest.php+49 −0 added@@ -0,0 +1,49 @@ +<?php + +declare(strict_types=1); + +namespace Concrete\Tests\Url\Validation; + +use Concrete\Core\Url\Url; +use Concrete\Core\Url\Validation\InvalidRemoteUrlException; +use Concrete\Core\Url\Validation\RemoteUrlRequestOptionsBuilder; +use Concrete\Core\Url\Validation\RemoteUrlValidator; +use Concrete\Core\Url\Validation\ValidatedRemoteUrl; +use Concrete\Tests\TestCase; +use GuzzleHttp\RequestOptions; + +class RemoteUrlValidationTest extends TestCase +{ + public function testValidateWrapsParsedUrlAndResolvedIp(): void + { + $validatedUrl = (new RemoteUrlValidator())->validate('http://8.8.8.8:8080/feed'); + + $this->assertInstanceOf(ValidatedRemoteUrl::class, $validatedUrl); + $this->assertInstanceOf(Url::class, $validatedUrl->getUrl()); + $this->assertSame('http', $validatedUrl->getScheme()); + $this->assertSame('8.8.8.8', $validatedUrl->getHost()); + $this->assertSame(8080, $validatedUrl->getPort()); + $this->assertSame('8.8.8.8', $validatedUrl->getIp()); + $this->assertSame('http://8.8.8.8:8080/feed', (string) $validatedUrl); + } + + public function testBuildUsesWrappedUrlComponentsForCurlResolve(): void + { + $validatedUrl = (new RemoteUrlValidator())->validate('https://8.8.8.8/feed'); + $options = (new RemoteUrlRequestOptionsBuilder())->build($validatedUrl); + + $this->assertFalse($options[RequestOptions::ALLOW_REDIRECTS]); + $this->assertSame( + ['8.8.8.8:443:8.8.8.8'], + $options['curl'][CURLOPT_RESOLVE] + ); + } + + public function testValidateRejectsLocalhost(): void + { + $this->expectException(InvalidRemoteUrlException::class); + $this->expectExceptionMessage('Invalid URL host.'); + + (new RemoteUrlValidator())->validate('http://localhost/feed'); + } +}
c090d7416b9aFix #11201 - layout delete confirmation says "remove" but means "orphan"
1 file changed · +1 −1
concrete/controllers/dialog/block/delete.php+1 −1 modified@@ -26,7 +26,7 @@ public function view() } } if ($this->block->getBlockTypeHandle() == BLOCK_HANDLE_LAYOUT_PROXY) { - $this->set('message', t('Are you sure you wish to delete this layout? It will remove the blocks that are contained within it.')); + $this->set('message', t('Are you sure you wish to delete this layout? It will orphan the blocks that are contained within it.')); } else { $this->set('message', t('Are you sure you wish to delete this %s block?', $this->block->getBlockTypeObject()->getBlockTypeName())); }
Vulnerability mechanics
Root cause
"Missing access control checks on several backend controller actions allow unauthorized users to perform privileged operations."
Attack vector
An unauthenticated attacker can send crafted HTTP POST requests to the affected Concrete CMS backend endpoints. The `/ccm/frontend/conversations/get_rating` endpoint (referenced in the advisory) confirms existence and returns the rating score for any message by ID without requiring authentication or authorization. Additionally, the patch reveals that several file management actions (star, rescan, approveVersion, deleteVersion, addFavoriteFolder, removeFavoriteFolder) and the package update endpoint lacked CSRF token validation, allowing cross-site request forgery attacks. The Express entry association reorder endpoint had an incorrect permission check (`canViewExpressEntry` instead of `canEditExpressEntry`), enabling unauthorized reordering of associated entries.
Affected code
The advisory identifies the `/ccm/frontend/conversations/get_rating` endpoint as vulnerable to IDOR, though the specific controller file for that endpoint is not included in the patch bundle. The patch shows fixes in `concrete/controllers/backend/file.php` (star, rescan, rescanMultiple, approveVersion, deleteVersion, addFavoriteFolder, removeFavoriteFolder actions), `concrete/controllers/dialog/express/association/reorder.php` (canAccess method), `concrete/controllers/single_page/dashboard/extend/update.php` (do_update method), and `concrete/src/Api/OAuth/Controller.php` (handleLogin method) [patch_id=1290822].
What the fix does
The patch adds CSRF token validation (`$token->validate()`) to multiple file controller actions (star, rescan, rescanMultiple, approveVersion, addFavoriteFolder, removeFavoriteFolder) and the package update endpoint, preventing cross-site request forgery [patch_id=1290822]. The Express association reorder controller's `canAccess()` method was changed from `canViewExpressEntry()` to `canEditExpressEntry()`, ensuring only users with edit permissions can reorder entries [patch_id=1290822]. The OAuth login handler was refactored to use the centralized `LoginService`, adding proper failed login tracking and threshold enforcement [patch_id=1290822]. The remote URL import functionality was refactored to use a dedicated `RemoteUrlValidator` class that properly validates URLs and rejects non-public IP addresses [patch_id=1290822].
Preconditions
- networkNetwork access to the Concrete CMS instance
- inputKnowledge of a valid message ID for the get_rating endpoint
- inputAbility to send HTTP POST requests to backend endpoints
Generated on May 22, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1News mentions
0No linked articles in our index yet.