From eb52e5da64546e12555ef76672d3deb8aaa010e5 Mon Sep 17 00:00:00 2001
From: lechuck <l3chuck@autistici.org>
Date: Tue, 6 May 2014 17:18:25 +0000
Subject: [PATCH] Update NextGen Gallery to 2.0.65

---
 .../plugins/nextgen-gallery/changelog.txt     |  3 ++
 .../plugins/nextgen-gallery/nggallery.php     |  4 +--
 .../adapter.nextgen_addgallery_ajax.php       | 13 +++++---
 .../templates/thumbnails/index.php            |  2 +-
 .../class.gallerystorage_driver_base.php      | 32 +++++++++++++++++++
 .../class.ngglegacy_gallerystorage_driver.php |  5 ++-
 wp-content/plugins/nextgen-gallery/readme.txt |  3 ++
 7 files changed, 53 insertions(+), 9 deletions(-)

diff --git a/wp-content/plugins/nextgen-gallery/changelog.txt b/wp-content/plugins/nextgen-gallery/changelog.txt
index c40fcbcc0..cebf969e7 100644
--- a/wp-content/plugins/nextgen-gallery/changelog.txt
+++ b/wp-content/plugins/nextgen-gallery/changelog.txt
@@ -1,6 +1,9 @@
 NextGEN Gallery
 by Photocrati Media
 
+= V2.0.65 - 05.04.2014 =
+* Secured: Limit uploads to images and zips
+
 = V2.0.63 - 04.29.2014 =
 * NEW:     Translation ready
 * NEW: 	   Including German translation by Roland Stumpp
diff --git a/wp-content/plugins/nextgen-gallery/nggallery.php b/wp-content/plugins/nextgen-gallery/nggallery.php
index c34ae6c09..f55e3770f 100755
--- a/wp-content/plugins/nextgen-gallery/nggallery.php
+++ b/wp-content/plugins/nextgen-gallery/nggallery.php
@@ -4,7 +4,7 @@ if(preg_match('#' . basename(__FILE__) . '#', $_SERVER['PHP_SELF'])) { die('You
 /**
  * Plugin Name: NextGEN Gallery by Photocrati
  * Description: The most popular gallery plugin for WordPress and one of the most popular plugins of all time with over 9 million downloads.
- * Version: 2.0.63
+ * Version: 2.0.65
  * Author: Photocrati Media
  * Plugin URI: http://www.nextgen-gallery.com
  * Author URI: http://www.photocrati.com
@@ -430,7 +430,7 @@ class C_NextGEN_Bootstrap
 		define('NGG_PRODUCT_URL', path_join(str_replace("\\", '/', NGG_PLUGIN_URL), 'products'));
 		define('NGG_MODULE_URL', path_join(str_replace("\\", '/', NGG_PRODUCT_URL), 'photocrati_nextgen/modules'));
 		define('NGG_PLUGIN_STARTED_AT', microtime());
-		define('NGG_PLUGIN_VERSION', '2.0.63');
+		define('NGG_PLUGIN_VERSION', '2.0.65');
 
 		if (!defined('NGG_HIDE_STRICT_ERRORS')) {
 			define('NGG_HIDE_STRICT_ERRORS', TRUE);
diff --git a/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/nextgen_addgallery_page/adapter.nextgen_addgallery_ajax.php b/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/nextgen_addgallery_page/adapter.nextgen_addgallery_ajax.php
index 1234ac79d..f2a288cc3 100644
--- a/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/nextgen_addgallery_page/adapter.nextgen_addgallery_ajax.php
+++ b/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/nextgen_addgallery_page/adapter.nextgen_addgallery_ajax.php
@@ -15,16 +15,17 @@ class A_NextGen_AddGallery_Ajax extends Mixin
     {
         $retval = array();
 
-        $gallery_id     = intval($this->param('gallery_id'));
-        $gallery_name   = urldecode($this->param('gallery_name'));
-        $error          = FALSE;
+        $created_gallery    = FALSE;
+        $gallery_id         = intval($this->param('gallery_id'));
+        $gallery_name       = urldecode($this->param('gallery_name'));
+        $gallery_mapper     = $this->object->get_registry()->get_utility('I_Gallery_Mapper');
+        $error              = FALSE;
         
         if ($this->validate_ajax_request('nextgen_upload_image'))
         {
 		      // We need to create a gallery
 		      if ($gallery_id == 0) {
 		          if (strlen($gallery_name) > 0) {
-		              $gallery_mapper = $this->object->get_registry()->get_utility('I_Gallery_Mapper');
 		              $gallery = $gallery_mapper->create(array(
 		                  'title' =>  $gallery_name
 		              ));
@@ -33,7 +34,8 @@ class A_NextGen_AddGallery_Ajax extends Mixin
 		                  $error = TRUE;
 		              }
 		              else {
-		                  $gallery_id = $gallery->id();
+                          $created_gallery  = TRUE;
+		                  $gallery_id       = $gallery->id();
 		              }
 		          }
 		          else {
@@ -65,6 +67,7 @@ class A_NextGen_AddGallery_Ajax extends Mixin
 		          catch (E_NggErrorException $ex) {
 		              $retval['error'] = $ex->getMessage();
 		              $error = TRUE;
+                      if ($created_gallery) $gallery_mapper->destroy($gallery_id);
 		          }
 		          catch (Exception $ex) {
 		              $retval['error']            = __("An unexpected error occured.", 'nggallery');
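Review bot: The cleanup added on L92 runs only inside the `E_NggErrorException` catch, so when the upload fails through the generic `catch (Exception $ex)` on L94-L95 a gallery created a few lines earlier (the `$created_gallery = TRUE` path on L83-L84) is left behind, which appears to be exactly the orphan the new flag was introduced to avoid; the same `if ($created_gallery) $gallery_mapper->destroy($gallery_id);` belongs in that second catch as well, whose body continues outside the hunk. It would also be worth acting on the return value of `$gallery_mapper->destroy()` (or at least logging a failure), since a silent no-op here leaves an empty gallery with no trace in the response. The enclosing method starts before L56 and ends after L95.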
diff --git a/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/nextgen_basic_gallery/templates/thumbnails/index.php b/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/nextgen_basic_gallery/templates/thumbnails/index.php
index 952ec39b0..cc658cd38 100644
--- a/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/nextgen_basic_gallery/templates/thumbnails/index.php
+++ b/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/nextgen_basic_gallery/templates/thumbnails/index.php
@@ -80,7 +80,7 @@ $this->start_element('nextgen_gallery.gallery_container', 'container', $displaye
 
 			?>
 
-        <?php if ($number_of_columns > 0): ?>
+        <?php if ($number_of_columns > 0 && empty($show_all_in_lightbox)): ?>
             <?php if ((($i + 1) % $number_of_columns) == 0 ): ?>
                 <br style="clear: both" />
             <?php endif; ?>
diff --git a/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/nextgen_data/class.gallerystorage_driver_base.php b/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/nextgen_data/class.gallerystorage_driver_base.php
index 5f7f92da2..8081f0995 100644
--- a/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/nextgen_data/class.gallerystorage_driver_base.php
+++ b/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/nextgen_data/class.gallerystorage_driver_base.php
@@ -462,6 +462,38 @@ class Mixin_GalleryStorage_Driver_Base extends Mixin
 		return $this->object->copy_images($images, $gallery, $db, TRUE);
 	}
 
+    function is_image_file()
+    {
+        $retval = FALSE;
+
+        if ((isset($_FILES['file']) && $_FILES['file']['error'] == 0)) {
+            $file_info = $_FILES['file'];
+
+            if (isset($file_info['type'])) {
+                $type = strtolower($file_info['type']);
+                error_log("Attempted to upload {$type}.");
+                $valid_types = array(
+                    'image/gif',
+                    'image/jpg',
+                    'image/jpeg',
+                    'image/pjpeg',
+                    'image/png',
+                );
+                $valid_regex = '/\.(jpg|jpeg|gif|png)$/';
+
+                // Is this a valid type?
+                if (in_array($type, $valid_types)) $retval = TRUE;
+
+                // Is this a valid extension?
+                else if (strpos($type, 'octem-stream') !== FALSE && preg_match($valid_regex, $type)) {
+                    $retval = TRUE;
+                }
+            }
+        }
+
+        return $retval;
+    }
+
 
     function is_zip()
     {
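Review bot: The entire decision on L121-L143 is driven by `$_FILES['file']['type']`, which is the MIME type as declared by the uploading client, so this gate accepts whatever type string the request claims and never inspects the file contents; a server-side check on `$file_info['tmp_name']` (`getimagesize()`/`finfo`, or WordPress's `wp_check_filetype_and_ext($tmp_name, $name)` since this is a WP plugin) is what actually limits uploads to images. The fallback branch on L140 is dead code: `'octem-stream'` is a typo of `octet-stream`, and `$valid_regex` is matched against the MIME string rather than `$file_info['name']`, so it can never end in `.jpg`. `in_array()` on L137 should pass `TRUE` as its third argument, and the unconditional `error_log()` on L126 writes a line for every upload attempt, which is noisy for a hot path. A content-based rewrite of the body is sketched below; `getimagesize()` may emit a notice on non-image input, so callers relying on a clean error log may prefer the `finfo` or WordPress helper variant.
```php
    function is_image_file()
    {
        $retval = FALSE;

        if (isset($_FILES['file']) && $_FILES['file']['error'] == 0) {
            $file_info = $_FILES['file'];
            $tmp_name  = isset($file_info['tmp_name']) ? $file_info['tmp_name'] : '';
            $name      = isset($file_info['name']) ? $file_info['name'] : '';

            // Decide from the uploaded bytes, not from the client-declared MIME type
            if ($tmp_name !== '' && is_uploaded_file($tmp_name)) {
                $image_info  = getimagesize($tmp_name);
                $valid_types = array(IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG);

                // Require a recognised image signature AND a matching extension on the original name
                if ($image_info !== FALSE
                    && in_array($image_info[2], $valid_types, TRUE)
                    && preg_match('/\.(jpe?g|gif|png)$/i', $name)) {
                    $retval = TRUE;
                }
            }
        }

        return $retval;
    }
```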
diff --git a/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/nextgen_data/class.ngglegacy_gallerystorage_driver.php b/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/nextgen_data/class.ngglegacy_gallerystorage_driver.php
index bf799a339..77149dc79 100644
--- a/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/nextgen_data/class.ngglegacy_gallerystorage_driver.php
+++ b/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/nextgen_data/class.ngglegacy_gallerystorage_driver.php
@@ -207,12 +207,15 @@ class Mixin_NggLegacy_GalleryStorage_Driver extends Mixin
             if ($this->object->is_zip()) {
                 $retval = $this->object->upload_zip($gallery);
             }
-            else {
+            else if ($this->is_image_file()) {
                 $retval = $this->object->upload_base64_image(
                     $gallery,
                     file_get_contents($file['tmp_name']),
                     $filename ? $filename : (isset($file['name']) ? $file['name'] : FALSE)
                 );
+            }
+            else {
+                throw new E_UploadException(__('Invalid image file. Acceptable formats: JPG, GIF, and PNG.', 'nggallery'));
             }
 		}
 		elseif ($data) {
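Review bot: The new branch on L161 calls `$this->is_image_file()` while every neighbouring call in the same block (`$this->object->is_zip()` on L157, `$this->object->upload_zip` on L158, `$this->object->upload_base64_image` on L162) goes through `$this->object->`; since `is_image_file()` is added by this patch to a different mixin (`Mixin_GalleryStorage_Driver_Base`), the bare `$this->` form presumably resolves only through the framework's method forwarding, and `else if ($this->object->is_image_file()) {` would be both consistent and explicit. Note also that the zip path on L157-L158 keeps precedence and is unchanged here, so whether entries extracted by `upload_zip()` are subjected to the same image check cannot be confirmed from this hunk and deserves a look. The enclosing method begins and ends outside the hunk.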
diff --git a/wp-content/plugins/nextgen-gallery/readme.txt b/wp-content/plugins/nextgen-gallery/readme.txt
index c3458c90c..2851121dc 100644
--- a/wp-content/plugins/nextgen-gallery/readme.txt
+++ b/wp-content/plugins/nextgen-gallery/readme.txt
@@ -199,6 +199,9 @@ For more information, feel free to visit the official website for the NextGEN Ga
 
 == Changelog ==
 
+= V2.0.65 - 05.04.2014 =
+* Secured: Limit uploads to images and zips
+
 = V2.0.63 - 04.29.2014 =
 * NEW:     Translation ready
 * NEW: 	   Including German translation by Roland Stumpp
-- 
GitLab