From: Michael Dale
Date: Fri, 4 Sep 2009 14:50:06 +0000 (+0000)
Subject: * added some file checks
X-Git-Tag: 1.31.0-rc.0~39928
X-Git-Url: http://git.cyclocoop.org//%27%40script%40/%27?a=commitdiff_plain;h=8490f4bca36b7d9f54879d0e65782869b0ea97fa;p=lhc%2Fweb%2Fwiklou.git
* added some file checks
* removed depreciated cortado_iframe.php
* added init values for wgJSAutoloadClasses and wgJSAutoloadLocalClasses
---
diff --git a/js2/mwEmbed/jsScriptLoader.php b/js2/mwEmbed/jsScriptLoader.php
index 97911b1412..71d7b1ac6c 100644
--- a/js2/mwEmbed/jsScriptLoader.php
+++ b/js2/mwEmbed/jsScriptLoader.php
@@ -52,6 +52,7 @@ class jsScriptLoader {
 // Build the output:
 // swap in the appropriate language per js_file
 foreach( $this->jsFileList as $classKey => $file_name ){
+ // special case: - title classes:
 if( substr( $classKey, 0, 3 ) == 'WT:' ){
 global $wgUser;
@@ -88,16 +89,27 @@ class jsScriptLoader {
 continue;
 }
 }
+ //dealing with files::
+ //check that the filename ends with .js and does not include ../ traversing
+ if( substr( $file_name, -3 ) != '.js'){
+ $this->jsout .= "\nError file name must end with .js: ". htmlspecialchars( $file_name ) . " \n ";
+ continue;
+ }
+ if( strpos($file_name, '../') !== false ){
+ $this->jsout .= "\nError file name must not traverse paths: ". htmlspecialchars( $file_name ) . " \n ";
+ continue;
+ }
 if( trim( $file_name ) != '' ){
 // if in debug add a comment with the file name:
 if( $this->debug ) $this->jsout .= "\n/**
-* File: $file_name
+* File: ". htmlspecialchars( $file_name ) ."
 */\n";
 $this->jsout .= ( $this->doProccessJsFile( $file_name ) ) . "\n";
 }
 }
+ // check if we should minify :
 if( $wgEnableScriptMinify && !$this->debug ){
 // do the minification and output
diff --git a/js2/mwEmbed/php/cortado_iframe.php b/js2/mwEmbed/php/cortado_iframe.php
deleted file mode 100644
index 1ff30e2293..0000000000
--- a/js2/mwEmbed/php/cortado_iframe.php
+++ /dev/null
@@ -1,222 +0,0 @@
-filter_input() function
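Review bot: The traversal check `if( strpos($file_name, '../') !== false ){` in the second jsScriptLoader.php hunk is a substring denylist: it does not reject an absolute path, a `..` segment joined with a different separator, or an encoded form if the name is decoded later, and the `.js` test only looks at the last three characters, so if `$this->jsFileList` can carry request-derived names (not visible in this hunk) the new guards are weak; canonicalising with `realpath()` and checking the result stays under the loader's script directory would be the robust form. Two smaller issues on the same lines: the checks run before `if( trim( $file_name ) != '' ){`, so an empty entry that used to be skipped silently now appends an error, and the error text is appended to `$this->jsout` as bare words rather than a JavaScript comment, which turns the whole generated bundle into a syntax error. `htmlspecialchars()` is HTML escaping applied in a JavaScript context; inside the `/** ... */` debug header a name containing `*/` still terminates the comment. The rewrite below folds the guards into one allow-list test after the empty-name check and emits the error as a `/* */` comment with `*/` stripped; the enclosing foreach and method continue outside the hunk.
```php
// … unchanged: WT: title-class handling …
if( trim( $file_name ) == '' ){
	continue;
}
// accept only a relative, dot-segment-free path ending in .js
if( substr( $file_name, -3 ) != '.js'
	|| strpos( $file_name, '..' ) !== false
	|| substr( $file_name, 0, 1 ) == '/' ){
	$safeName = str_replace( '*/', '', htmlspecialchars( $file_name ) );
	$this->jsout .= "\n/* Error: invalid file name: " . $safeName . " */\n";
	continue;
}
// … unchanged: debug comment and doProccessJsFile() call …
```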
' );
- }
-
- // load the http GETS:
- // set the parent domain if provided
- $parent_domain = isset( $_GET['parent_domain'] ) ? $_GET['parent_domain'] : false;
-
- // default to null media in not provided:
- $media_url = isset( $_GET['media_url'] ) ? $_GET['media_url'] : false;
- if( strval( $media_url ) === '' ){
- error_out( 'invalid or missing media URL' );
- }
-
- // default duration to 30 seconds if not provided. (ideally cortado would read this from the video file)
- //$duration = ( isset( $_GET['duration'] ) ) ? $_GET['duration'] : 0;
- $duration = filter_input( INPUT_GET, 'duration', FILTER_SANITIZE_NUMBER_INT );
- if( is_null( $duration ) || $duration === false ){
- $duration = 0;
- }
-
- // id (set to random if none provided)
- //$id = ( isset( $_GET['id'] ) ) ? $_GET['id'] : 'vid_' . rand( '10000000' );
- $id = isset( $_GET['id'] ) ? $_GET['id'] : false;
- if( is_null( $id ) || $id === false ){
- $id = 'vid_' . rand( 0, 10000000 );
- }
-
- $width = filter_input( INPUT_GET, 'width', FILTER_SANITIZE_NUMBER_INT );
- if( is_null( $width ) || $width === false ){
- $width = 320;
- }
- $height = filter_input( INPUT_GET, 'height', FILTER_SANITIZE_NUMBER_INT );
- // default to video:
- $stream_type = ( isset( $_GET['stream_type'] ) ) ? 
$_GET['stream_type'] : 'video';
- if( $stream_type == 'video' ){
- $audio = $video = 'true';
- if( is_null( $height ) || $height === false )
- $height = 240;
- } else { // if( $stream_type == 'audio' )
- $audio = 'true';
- $video = 'false';
- if( is_null( $height ) || $height === false )
- $height = 20;
- }
-
- // everything good output page:
- output_page(array(
- 'id' => $id,
- 'media_url' => $media_url,
- 'audio' => $audio,
- 'video' => $video,
- 'duration' => $duration,
- 'width' => $width,
- 'height' => $height,
- 'parent_domain' => $parent_domain
- ));
-}
-
-/**
- * JS escape function copied from MediaWiki's Xml::escapeJsString()
- */
-function escapeJsString( $string ) {
- // See ECMA 262 section 7.8.4 for string literal format
- $pairs = array(
- "\\" => "\\\\",
- "\"" => "\\\"",
- '\'' => '\\\'',
- "\n" => "\\n",
- "\r" => "\\r",
-
- # To avoid closing the element or CDATA section
- "<" => "\\x3c",
- ">" => "\\x3e",
-
- # To avoid any complaints about bad entity refs
- "&" => "\\x26",
-
- # Work around https://bugzilla.mozilla.org/show_bug.cgi?id=274152
- # Encode certain Unicode formatting chars so affected
- # versions of Gecko don't misinterpret our strings;
- # this is a common problem with Farsi text.
- "\xe2\x80\x8c" => "\\u200c", // ZERO WIDTH NON-JOINER
- "\xe2\x80\x8d" => "\\u200d", // ZERO WIDTH JOINER
- );
- return strtr( $string, $pairs );
-}
-
-function error_out( $error = '' ){
- output_page( array( 'error' => $error ) );
- exit();
-}
-
-function output_page( $params ){
- extract( $params );
-?> - - - - cortado_embed - - - - -
-
- archive="binPlayers/cortado/cortado-wmf-r46643.jar"
- width=""
- height="" >
- - - - - - - - - - - - - - - - - Error: - - - -';
- jPlayer.width = '';
- jPlayer.height = '';
-
- var params = {
- 'code': 'com.fluendo.player.Cortado',
- 'archive': 'cortado-wmf-r46643.jar',
- 'url': '',
- 'local': 'false',
- 'keepAspect': 'true',
- 'video': '',
- 'audio': '',
- 'seekable': 'false',
- 'showStatus': 'hide',
- 'autoPlay': 'true',
- 'bufferSize': '8192',
- 'BufferHigh':'30',
- 'BufferLow' : '5',
-
- 'duration':'',
-
- 'debug': 0
- }
- for(name in params){
- var p = document.createElement('param');
- p.name = name;
- p.value = params[name];
- jPlayer.appendChild(p);
- }
- var pHolder = document.getElementById('jPlayer');
- if(pHolder) - pHolder.appendChild( jPlayer );
- }
- doPlayer();
-//then in the page:
-
- *
-*/
\ No newline at end of file
diff --git a/js2/mwEmbed/php/noMediaWikiConfig.php b/js2/mwEmbed/php/noMediaWikiConfig.php
index 5c066189de..78d7353afd 100644
--- a/js2/mwEmbed/php/noMediaWikiConfig.php
+++ b/js2/mwEmbed/php/noMediaWikiConfig.php
@@ -19,6 +19,9 @@ $wgUseFileCache = true;
 $wgEnableScriptLoaderJsFile = false;
+//init our wg Globals
+$wgJSAutoloadClasses = array();
+$wgJSAutoloadLocalClasses = array();
 /*Localization:*/ $wgEnableScriptLocalization = true;