Update NextGen Gallery to 2.0.65

eb52e5da · lechuck · lucha · 09956e11 · eb52e5da · eb52e5da
Commit eb52e5da authored May 06, 2014 by lechuck Committed by lucha Oct 29, 2016
7 changed files
--- a/wp-content/plugins/nextgen-gallery/changelog.txt
+++ b/wp-content/plugins/nextgen-gallery/changelog.txt
 NextGEN Gallery
 by Photocrati Media

+= V2.0.65 - 05.04.2014 =
+* Secured: Limit uploads to images and zips
+
 = V2.0.63 - 04.29.2014 =
 * NEW:     Translation ready
 * NEW: 	   Including German translation by Roland Stumpp

--- a/wp-content/plugins/nextgen-gallery/nggallery.php
+++ b/wp-content/plugins/nextgen-gallery/nggallery.php
@@ -4,7 +4,7 @@ if(preg_match('#' . basename(__FILE__) . '#', $_SERVER['PHP_SELF'])) { die('You
 /**
 * Plugin Name: NextGEN Gallery by Photocrati
 * Description: The most popular gallery plugin for WordPress and one of the most popular plugins of all time with over 9 million downloads.
- * Version: 2.0.63
+ * Version: 2.0.65
 * Author: Photocrati Media
 * Plugin URI: http://www.nextgen-gallery.com
 * Author URI: http://www.photocrati.com
@@ -430,7 +430,7 @@ class C_NextGEN_Bootstrap
 		define('NGG_PRODUCT_URL', path_join(str_replace("\\", '/', NGG_PLUGIN_URL), 'products'));
 		define('NGG_MODULE_URL', path_join(str_replace("\\", '/', NGG_PRODUCT_URL), 'photocrati_nextgen/modules'));
 		define('NGG_PLUGIN_STARTED_AT', microtime());
-		define('NGG_PLUGIN_VERSION', '2.0.63');
+		define('NGG_PLUGIN_VERSION', '2.0.65');

 		if (!defined('NGG_HIDE_STRICT_ERRORS')) {
 			define('NGG_HIDE_STRICT_ERRORS', TRUE);

--- a/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/nextgen_addgallery_page/adapter.nextgen_addgallery_ajax.php
+++ b/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/nextgen_addgallery_page/adapter.nextgen_addgallery_ajax.php
@@ -15,16 +15,17 @@ class A_NextGen_AddGallery_Ajax extends Mixin
    {
        $retval = array();

-        $gallery_id     = intval($this->param('gallery_id'));
-        $gallery_name   = urldecode($this->param('gallery_name'));
-        $error          = FALSE;
+        $created_gallery    = FALSE;
+        $gallery_id         = intval($this->param('gallery_id'));
+        $gallery_name       = urldecode($this->param('gallery_name'));
+        $gallery_mapper     = $this->object->get_registry()->get_utility('I_Gallery_Mapper');
+        $error              = FALSE;
        
        if ($this->validate_ajax_request('nextgen_upload_image'))
        {
 		      // We need to create a gallery
 		      if ($gallery_id == 0) {
 		          if (strlen($gallery_name) > 0) {
-		              $gallery_mapper = $this->object->get_registry()->get_utility('I_Gallery_Mapper');
 		              $gallery = $gallery_mapper->create(array(
 		                  'title' =>  $gallery_name
 		              ));
@@ -33,7 +34,8 @@ class A_NextGen_AddGallery_Ajax extends Mixin
 		                  $error = TRUE;
 		              }
 		              else {
-		                  $gallery_id = $gallery->id();
+                          $created_gallery  = TRUE;
+		                  $gallery_id       = $gallery->id();
 		              }
 		          }
 		          else {
@@ -65,6 +67,7 @@ class A_NextGen_AddGallery_Ajax extends Mixin
 		          catch (E_NggErrorException $ex) {
 		              $retval['error'] = $ex->getMessage();
 		              $error = TRUE;
+                      if ($created_gallery) $gallery_mapper->destroy($gallery_id);
 		          }
 		          catch (Exception $ex) {
 		              $retval['error']            = __("An unexpected error occured.", 'nggallery');

--- a/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/nextgen_basic_gallery/templates/thumbnails/index.php
+++ b/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/nextgen_basic_gallery/templates/thumbnails/index.php
@@ -80,7 +80,7 @@ $this->start_element('nextgen_gallery.gallery_container', 'container', $displaye

 			?>

-        <?php if ($number_of_columns > 0): ?>
+        <?php if ($number_of_columns > 0 && empty($show_all_in_lightbox)): ?>
            <?php if ((($i + 1) % $number_of_columns) == 0 ): ?>
                <br style="clear: both" />
            <?php endif; ?>

--- a/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/nextgen_data/class.gallerystorage_driver_base.php
+++ b/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/nextgen_data/class.gallerystorage_driver_base.php
@@ -462,6 +462,38 @@ class Mixin_GalleryStorage_Driver_Base extends Mixin
 		return $this->object->copy_images($images, $gallery, $db, TRUE);
 	}

+    function is_image_file()
+    {
+        $retval = FALSE;
+
+        if ((isset($_FILES['file']) && $_FILES['file']['error'] == 0)) {
+            $file_info = $_FILES['file'];
+
+            if (isset($file_info['type'])) {
+                $type = strtolower($file_info['type']);
+                error_log("Attempted to upload {$type}.");
+                $valid_types = array(
+                    'image/gif',
+                    'image/jpg',
+                    'image/jpeg',
+                    'image/pjpeg',
+                    'image/png',
+                );
+                $valid_regex = '/\.(jpg|jpeg|gif|png)$/';
+
+                // Is this a valid type?
+                if (in_array($type, $valid_types)) $retval = TRUE;
+
+                // Is this a valid extension?
+                else if (strpos($type, 'octem-stream') !== FALSE && preg_match($valid_regex, $type)) {
+                    $retval = TRUE;
+                }
+            }
+        }
+
+        return $retval;
+    }
+

    function is_zip()
    {

--- a/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/nextgen_data/class.ngglegacy_gallerystorage_driver.php
+++ b/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/nextgen_data/class.ngglegacy_gallerystorage_driver.php
@@ -207,12 +207,15 @@ class Mixin_NggLegacy_GalleryStorage_Driver extends Mixin
            if ($this->object->is_zip()) {
                $retval = $this->object->upload_zip($gallery);
            }
-            else {
+            else if ($this->is_image_file()) {
                $retval = $this->object->upload_base64_image(
                    $gallery,
                    file_get_contents($file['tmp_name']),
                    $filename ? $filename : (isset($file['name']) ? $file['name'] : FALSE)
                );
+            }
+            else {
+                throw new E_UploadException(__('Invalid image file. Acceptable formats: JPG, GIF, and PNG.', 'nggallery'));
            }
 		}
 		elseif ($data) {

--- a/wp-content/plugins/nextgen-gallery/readme.txt
+++ b/wp-content/plugins/nextgen-gallery/readme.txt
@@ -199,6 +199,9 @@ For more information, feel free to visit the official website for the NextGEN Ga

 == Changelog ==

+= V2.0.65 - 05.04.2014 =
+* Secured: Limit uploads to images and zips
+
 = V2.0.63 - 04.29.2014 =
 * NEW:     Translation ready
 * NEW: 	   Including German translation by Roland Stumpp