diff --git a/composer.lock b/composer.lock index 4993e69..0fc4b34 100644 --- a/composer.lock +++ b/composer.lock @@ -686,16 +686,16 @@ }, { "name": "symfony/polyfill-ctype", - "version": "v1.17.0", + "version": "v1.17.1", "source": { "type": "git", "url": "https://github.com/symfony/polyfill-ctype.git", - "reference": "e94c8b1bbe2bc77507a1056cdb06451c75b427f9" + "reference": "2edd75b8b35d62fd3eeabba73b26b8f1f60ce13d" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/polyfill-ctype/zipball/e94c8b1bbe2bc77507a1056cdb06451c75b427f9", - "reference": "e94c8b1bbe2bc77507a1056cdb06451c75b427f9", + "url": "https://api.github.com/repos/symfony/polyfill-ctype/zipball/2edd75b8b35d62fd3eeabba73b26b8f1f60ce13d", + "reference": "2edd75b8b35d62fd3eeabba73b26b8f1f60ce13d", "shasum": "" }, "require": { @@ -708,6 +708,10 @@ "extra": { "branch-alias": { "dev-master": "1.17-dev" + }, + "thanks": { + "name": "symfony/polyfill", + "url": "https://github.com/symfony/polyfill" } }, "autoload": { @@ -740,7 +744,7 @@ "polyfill", "portable" ], - "time": "2020-05-12T16:14:59+00:00" + "time": "2020-06-06T08:46:27+00:00" }, { "name": "symfony/yaml", diff --git a/system/Controllers/ArticleApiController.php b/system/Controllers/ArticleApiController.php index 1031ab7..4b66eed 100644 --- a/system/Controllers/ArticleApiController.php +++ b/system/Controllers/ArticleApiController.php @@ -22,7 +22,7 @@ class ArticleApiController extends ContentController { # get params from call $this->params = $request->getParams(); - $this->uri = $request->getUri(); + $this->uri = $request->getUri()->withUserInfo(''); # validate input only if raw mode if($this->params['raw']) 
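Review bot: The credential-stripping line `$this->uri = $request->getUri()->withUserInfo('');` is hand-copied into every action of ArticleApiController, and the same edit recurs in BlockApiController, ContentBackendController, MediaApiController and MetaApiController (their hunks lower on this page); since all of these `extends ContentController`, a single protected helper there, e.g. `protected function getCleanUri(Request $request) { return $request->getUri()->withUserInfo(''); }`, would make it impossible for a newly added action to forget the strip. The strip itself looks right if the intent is to keep any `user:pass@` in the request URL out of values later derived via `getBaseUrl()`/`getBasePath()`, but the hunk does not state that motivation. A one-line comment at the first occurrence, `# strip any user:pass@ from the request uri before it is reused in generated urls`, would record it. Each action's body continues outside its hunk.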
@@ -98,7 +98,7 @@ class ArticleApiController extends ContentController { # get params from call $this->params = $request->getParams(); - $this->uri = $request->getUri(); + $this->uri = $request->getUri()->withUserInfo(''); # set structure if(!$this->setStructure($draft = true)){ return $response->withJson($this->errors, 404); } @@ -176,7 +176,7 @@ class ArticleApiController extends ContentController { # get params from call $this->params = $request->getParams(); - $this->uri = $request->getUri(); + $this->uri = $request->getUri()->withUserInfo(''); # set structure if(!$this->setStructure($draft = true)){ return $response->withJson($this->errors, 404); } @@ -215,7 +215,7 @@ class ArticleApiController extends ContentController { # get params from call $this->params = $request->getParams(); - $this->uri = $request->getUri(); + $this->uri = $request->getUri()->withUserInfo(''); # set url to base path initially $url = $this->uri->getBaseUrl() . '/tm/content/' . $this->settings['editor']; @@ -274,7 +274,7 @@ class ArticleApiController extends ContentController { # get params from call $this->params = $request->getParams(); - $this->uri = $request->getUri(); + $this->uri = $request->getUri()->withUserInfo(''); # validate input if(!$this->validateEditorInput()){ return $response->withJson($this->errors,422); } @@ -318,7 +318,7 @@ class ArticleApiController extends ContentController { # get params from call $this->params = $request->getParams(); - $this->uri = $request->getUri(); + $this->uri = $request->getUri()->withUserInfo(''); # url is only needed, if an active page is moved to another folder, so user has to be redirected to the new url $url = false; @@ -425,7 +425,7 @@ class ArticleApiController extends ContentController { # get params from call $this->params = $request->getParams(); - $this->uri = $request->getUri(); + $this->uri = $request->getUri()->withUserInfo(''); # url is only needed, if an active page is moved $url = false; 
@@ -492,7 +492,7 @@ class ArticleApiController extends ContentController { # get params from call $this->params = $request->getParams(); - $this->uri = $request->getUri(); + $this->uri = $request->getUri()->withUserInfo(''); # url is only needed, if an active page is moved $url = false; @@ -607,7 +607,7 @@ class ArticleApiController extends ContentController { # get params from call $this->params = $request->getParams(); - $this->uri = $request->getUri(); + $this->uri = $request->getUri()->withUserInfo(''); # url is only needed, if an active page is moved $url = false; @@ -708,7 +708,7 @@ class ArticleApiController extends ContentController { # get params from call $this->params = $request->getParams(); - $this->uri = $request->getUri(); + $this->uri = $request->getUri()->withUserInfo(''); # set structure if(!$this->setStructure($draft = true, $cache = false)){ return $response->withJson(array('data' => false, 'errors' => $this->errors, 'url' => $url), 404); } @@ -729,7 +729,7 @@ class ArticleApiController extends ContentController { /* get params from call */ $this->params = $request->getParams(); - $this->uri = $request->getUri(); + $this->uri = $request->getUri()->withUserInfo(''); # set structure if(!$this->setStructure($draft = true)){ return $response->withJson(array('data' => false, 'errors' => $this->errors), 404); } @@ -776,7 +776,7 @@ class ArticleApiController extends ContentController { /* get params from call */ $this->params = $request->getParams(); - $this->uri = $request->getUri(); + $this->uri = $request->getUri()->withUserInfo(''); # set structure if(!$this->setStructure($draft = true)){ return $response->withJson(array('data' => false, 'errors' => $this->errors), 404); } diff --git a/system/Controllers/BlockApiController.php b/system/Controllers/BlockApiController.php index 3e5a0af..1d55d0d 100644 --- a/system/Controllers/BlockApiController.php +++ b/system/Controllers/BlockApiController.php 
@@ -19,7 +19,7 @@ class BlockApiController extends ContentController { /* get params from call */ $this->params = $request->getParams(); - $this->uri = $request->getUri(); + $this->uri = $request->getUri()->withUserInfo(''); /* validate input */ if(!$this->validateBlockInput()){ return $response->withJson($this->errors,422); } @@ -199,7 +199,7 @@ class BlockApiController extends ContentController { /* get params from call */ $this->params = $request->getParams(); - $this->uri = $request->getUri(); + $this->uri = $request->getUri()->withUserInfo(''); /* validate input */ if(!$this->validateBlockInput()){ return $response->withJson($this->errors,422); } @@ -338,7 +338,7 @@ class BlockApiController extends ContentController { # get params from call $this->params = $request->getParams(); - $this->uri = $request->getUri(); + $this->uri = $request->getUri()->withUserInfo(''); # validate input # if(!$this->validateBlockInput()){ return $response->withJson($this->errors,422); } @@ -430,7 +430,7 @@ class BlockApiController extends ContentController { /* get params from call */ $this->params = $request->getParams(); - $this->uri = $request->getUri(); + $this->uri = $request->getUri()->withUserInfo(''); $errors = false; # set structure @@ -514,7 +514,7 @@ class BlockApiController extends ContentController { # get params from call $this->params = $request->getParams(); - $this->uri = $request->getUri(); + $this->uri = $request->getUri()->withUserInfo(''); $imageProcessor = new ProcessImage($this->settings['images']); if(!$imageProcessor->checkFolders('images')) @@ -531,7 +531,7 @@ class BlockApiController extends ContentController { # get params from call $this->params = $request->getParams(); - $this->uri = $request->getUri(); + $this->uri = $request->getUri()->withUserInfo(''); $fileProcessor = new ProcessFile(); if(!$fileProcessor->checkFolders()) 
@@ -548,7 +548,7 @@ class BlockApiController extends ContentController { # get params from call $this->params = $request->getParams(); - $this->uri = $request->getUri(); + $this->uri = $request->getUri()->withUserInfo(''); $this->setStructure($draft = true, $cache = false); @@ -573,7 +573,7 @@ class BlockApiController extends ContentController { # get params from call $this->params = $request->getParams(); - $this->uri = $request->getUri(); + $this->uri = $request->getUri()->withUserInfo(''); $this->setStructure($draft = true, $cache = false); @@ -597,7 +597,7 @@ class BlockApiController extends ContentController { # get params from call $this->params = $request->getParams(); - $this->uri = $request->getUri(); + $this->uri = $request->getUri()->withUserInfo(''); # do this shit in the model ... $imagename = explode('.', $this->params['name']); @@ -623,7 +623,7 @@ class BlockApiController extends ContentController { # get params from call $this->params = $request->getParams(); - $this->uri = $request->getUri(); + $this->uri = $request->getUri()->withUserInfo(''); $finfo = finfo_open( FILEINFO_MIME_TYPE ); $mtype = finfo_file( $finfo, $this->params['file'] ); @@ -688,7 +688,7 @@ class BlockApiController extends ContentController { # get params from call $this->params = $request->getParams(); - $this->uri = $request->getUri(); + $this->uri = $request->getUri()->withUserInfo(''); if(!isset($this->params['name'])) { @@ -710,7 +710,7 @@ class BlockApiController extends ContentController { # get params from call $this->params = $request->getParams(); - $this->uri = $request->getUri(); + $this->uri = $request->getUri()->withUserInfo(''); if(!isset($this->params['name'])) { @@ -732,7 +732,7 @@ class BlockApiController extends ContentController { /* get params from call */ $this->params = $request->getParams(); - $this->uri = $request->getUri(); + $this->uri = $request->getUri()->withUserInfo(''); $class = false; $imageUrl = $this->params['markdown']; 
diff --git a/system/Controllers/ContentBackendController.php b/system/Controllers/ContentBackendController.php index e8278f2..de15c06 100644 --- a/system/Controllers/ContentBackendController.php +++ b/system/Controllers/ContentBackendController.php @@ -21,7 +21,7 @@ class ContentBackendController extends ContentController public function showContent(Request $request, Response $response, $args) { # get params from call - $this->uri = $request->getUri(); + $this->uri = $request->getUri()->withUserInfo(''); $this->params = isset($args['params']) ? ['url' => $this->uri->getBasePath() . '/' . $args['params']] : ['url' => $this->uri->getBasePath()]; # set structure @@ -89,7 +89,7 @@ class ContentBackendController extends ContentController public function showBlox(Request $request, Response $response, $args) { # get params from call - $this->uri = $request->getUri(); + $this->uri = $request->getUri()->withUserInfo(''); $this->params = isset($args['params']) ? ['url' => $this->uri->getBasePath() . '/' . $args['params']] : ['url' => $this->uri->getBasePath()]; # set structure diff --git a/system/Controllers/MediaApiController.php b/system/Controllers/MediaApiController.php index 3d443e6..90caf6a 100644 --- a/system/Controllers/MediaApiController.php +++ b/system/Controllers/MediaApiController.php @@ -15,7 +15,7 @@ class MediaApiController extends ContentController { # get params from call $this->params = $request->getParams(); - $this->uri = $request->getUri(); + $this->uri = $request->getUri()->withUserInfo(''); $imageProcessor = new ProcessImage($this->settings['images']); if(!$imageProcessor->checkFolders('images')) @@ -32,7 +32,7 @@ class MediaApiController extends ContentController { # get params from call $this->params = $request->getParams(); - $this->uri = $request->getUri(); + $this->uri = $request->getUri()->withUserInfo(''); $fileProcessor = new ProcessFile(); if(!$fileProcessor->checkFolders()) 
@@ -49,7 +49,7 @@ class MediaApiController extends ContentController { # get params from call $this->params = $request->getParams(); - $this->uri = $request->getUri(); + $this->uri = $request->getUri()->withUserInfo(''); $this->setStructure($draft = true, $cache = false); @@ -73,7 +73,7 @@ class MediaApiController extends ContentController { # get params from call $this->params = $request->getParams(); - $this->uri = $request->getUri(); + $this->uri = $request->getUri()->withUserInfo(''); $this->setStructure($draft = true, $cache = false); @@ -97,7 +97,7 @@ class MediaApiController extends ContentController { # get params from call $this->params = $request->getParams(); - $this->uri = $request->getUri(); + $this->uri = $request->getUri()->withUserInfo(''); $imageProcessor = new ProcessImage($this->settings['images']); @@ -123,7 +123,7 @@ class MediaApiController extends ContentController { # get params from call $this->params = $request->getParams(); - $this->uri = $request->getUri(); + $this->uri = $request->getUri()->withUserInfo(''); # make sure only allowed filetypes are uploaded $finfo = finfo_open( FILEINFO_MIME_TYPE ); @@ -205,7 +205,7 @@ class MediaApiController extends ContentController { # get params from call $this->params = $request->getParams(); - $this->uri = $request->getUri(); + $this->uri = $request->getUri()->withUserInfo(''); if(!isset($this->params['name'])) { @@ -230,7 +230,7 @@ class MediaApiController extends ContentController { # get params from call $this->params = $request->getParams(); - $this->uri = $request->getUri(); + $this->uri = $request->getUri()->withUserInfo(''); if(!isset($this->params['name'])) { @@ -251,7 +251,7 @@ class MediaApiController extends ContentController { /* get params from call */ $this->params = $request->getParams(); - $this->uri = $request->getUri(); + $this->uri = $request->getUri()->withUserInfo(''); $class = false; $imageUrl = $this->params['markdown']; 
diff --git a/system/Controllers/MetaApiController.php b/system/Controllers/MetaApiController.php index 8e48e41..d901169 100644 --- a/system/Controllers/MetaApiController.php +++ b/system/Controllers/MetaApiController.php @@ -67,7 +67,7 @@ class MetaApiController extends ContentController { /* get params from call */ $this->params = $request->getParams(); - $this->uri = $request->getUri(); + $this->uri = $request->getUri()->withUserInfo(''); # set structure if(!$this->setStructure($draft = true)){ return $response->withJson($this->errors, 404); } @@ -132,7 +132,7 @@ class MetaApiController extends ContentController { # get params from call $this->params = $request->getParams(); - $this->uri = $request->getUri(); + $this->uri = $request->getUri()->withUserInfo(''); $tab = isset($this->params['tab']) ? $this->params['tab'] : false; $metaInput = isset($this->params['data']) ? $this->params['data'] : false ; diff --git a/system/Controllers/PageController.php b/system/Controllers/PageController.php index ed64ac8..f6448b3 100644 --- a/system/Controllers/PageController.php +++ b/system/Controllers/PageController.php @@ -33,7 +33,7 @@ class PageController extends Controller $settings = $this->c->get('settings'); $pathToContent = $settings['rootPath'] . $settings['contentFolder']; $cache = new WriteCache(); - $uri = $request->getUri(); + $uri = $request->getUri()->withUserInfo(''); $base_url = $uri->getBaseUrl(); $this->pathToContent = $pathToContent; diff --git a/system/Controllers/SettingsController.php b/system/Controllers/SettingsController.php index cf426aa..ee37b28 100644 --- a/system/Controllers/SettingsController.php +++ b/system/Controllers/SettingsController.php 
@@ -35,15 +35,16 @@ class SettingsController extends Controller if($request->isPost()) { $referer = $request->getHeader('HTTP_REFERER'); - $uri = $request->getUri(); + $uri = $request->getUri()->withUserInfo(''); $base_url = $uri->getBaseUrl(); - # security, users should not be able to fake post with settings from other typemill pages. + /* security, users should not be able to fake post with settings from other typemill pages. if(!isset($referer[0]) OR $referer[0] !== $base_url . '/tm/settings' ) { $this->c->flash->addMessage('error', 'illegal referer'); return $response->withRedirect($this->c->router->pathFor('settings.show')); } + */ $settings = \Typemill\Settings::getUserSettings(); $defaultSettings = \Typemill\Settings::getDefaultSettings(); @@ -316,15 +317,16 @@ class SettingsController extends Controller if($request->isPost()) { $referer = $request->getHeader('HTTP_REFERER'); - $uri = $request->getUri(); + $uri = $request->getUri()->withUserInfo(''); $base_url = $uri->getBaseUrl(); - # users should not be able to fake post with settings from other typemill pages. + /* users should not be able to fake post with settings from other typemill pages. if(!isset($referer[0]) OR $referer[0] !== $base_url . '/tm/themes' ) { $this->c->flash->addMessage('error', 'illegal referer'); return $response->withRedirect($this->c->router->pathFor('themes.show')); } + */ $userSettings = \Typemill\Settings::getUserSettings(); $params = $request->getParams(); 
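Review bot: Commenting out the Referer check leaves this POST handler with no replacement guard visible in the hunk, and the same block is commented out in the @@ -316, @@ -413, @@ -651, @@ -686 and @@ -743 hunks of SettingsController. If a CSRF token middleware already covers the `/tm/` routes (system.php on this page wires `$container['csrf']` for the session segments), the Referer check is redundant and the dead code should be deleted outright, including the now-unused `$referer = $request->getHeader('HTTP_REFERER');`, rather than left behind `/* ... */`; if no such middleware exists, the check should stay until one does. `$base_url` may still be used further down the method, which lies outside the hunk, as does the method's start.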
@@ -413,16 +415,17 @@ class SettingsController extends Controller if($request->isPost()) { $referer = $request->getHeader('HTTP_REFERER'); - $uri = $request->getUri(); + $uri = $request->getUri()->withUserInfo(''); $base_url = $uri->getBaseUrl(); - # security, users should not be able to fake post with settings from other typemill pages. + /* security, users should not be able to fake post with settings from other typemill pages. if(!isset($referer[0]) OR $referer[0] !== $base_url . '/tm/plugins' ) { $this->c->flash->addMessage('error', 'illegal referer'); return $response->withRedirect($this->c->router->pathFor('plugins.show')); } - + */ + $userSettings = \Typemill\Settings::getUserSettings(); $pluginSettings = array(); $userInput = $request->getParams(); @@ -651,15 +654,16 @@ class SettingsController extends Controller if($request->isPost()) { $referer = $request->getHeader('HTTP_REFERER'); - $uri = $request->getUri(); + $uri = $request->getUri()->withUserInfo(''); $base_url = $uri->getBaseUrl(); - # security, users should not be able to fake post with settings from other typemill pages. + /* security, users should not be able to fake post with settings from other typemill pages. if(!isset($referer[0]) OR $referer[0] !== $base_url . '/tm/user/new' ) { $this->c->flash->addMessage('error', 'illegal referer'); return $response->withRedirect($this->c->router->pathFor('user.new')); } + */ $params = $request->getParams(); $user = new User(); 
@@ -686,15 +690,16 @@ class SettingsController extends Controller if($request->isPost()) { $referer = $request->getHeader('HTTP_REFERER'); - $uri = $request->getUri(); + $uri = $request->getUri()->withUserInfo(''); $base_url = $uri->getBaseUrl(); - # security, users should not be able to fake post with settings from other typemill pages. + /* security, users should not be able to fake post with settings from other typemill pages. if(!isset($referer[0]) OR strpos($referer[0], $base_url . '/tm/user/') === false ) { $this->c->flash->addMessage('error', 'illegal referer'); return $response->withRedirect($this->c->router->pathFor('user.list')); } + */ $params = $request->getParams(); $user = new User(); @@ -743,15 +748,16 @@ class SettingsController extends Controller if($request->isPost()) { $referer = $request->getHeader('HTTP_REFERER'); - $uri = $request->getUri(); + $uri = $request->getUri()->withUserInfo(''); $base_url = $uri->getBaseUrl(); - # security, users should not be able to fake post with settings from other typemill pages. + /* security, users should not be able to fake post with settings from other typemill pages. if(!isset($referer[0]) OR strpos($referer[0], $base_url . '/tm/user/') === false ) { $this->c->flash->addMessage('error', 'illegal referer'); return $response->withRedirect($this->c->router->pathFor('user.list')); } + */ $params = $request->getParams(); $validate = new Validation(); diff --git a/system/Plugin.php b/system/Plugin.php index a182480..216f4cc 100644 --- a/system/Plugin.php +++ b/system/Plugin.php @@ -63,7 +63,7 @@ abstract class Plugin implements EventSubscriberInterface protected function getRoute() { - return $this->container['request']->getUri(); + return $this->container['request']->getUri()->withUserInfo(''); } protected function getPath() diff --git a/system/Settings.php b/system/Settings.php index 95ead28..7669384 100644 --- a/system/Settings.php +++ b/system/Settings.php 
@@ -78,7 +78,7 @@ class Settings 'contentFolder' => 'content', 'cache' => true, 'cachePath' => $rootPath . 'cache', - 'version' => '1.3.7.1', + 'version' => '1.3.7.2', 'setup' => true, 'welcome' => true, 'images' => ['live' => ['width' => 820], 'thumbs' => ['width' => 250, 'height' => 150]], diff --git a/system/system.php b/system/system.php index 0c9662b..57b6007 100644 --- a/system/system.php +++ b/system/system.php @@ -118,14 +118,16 @@ $container['dispatcher'] = function($container) use ($dispatcher) return $dispatcher; }; +# delete username and password from uri +$uri = $container['request']->getUri()->withUserInfo(''); /******************************** * ADD ASSET-FUNCTION FOR TWIG * ********************************/ -$container['assets'] = function($c) +$container['assets'] = function($c) use ($uri) { - return new \Typemill\Assets($c['request']->getUri()->getBaseUrl()); + return new \Typemill\Assets($uri->getBaseUrl()); }; /************************ @@ -138,7 +140,7 @@ $session_segments = array('setup', 'tm/', 'api/', '/setup', '/tm/', '/api/'); $client_segments = $dispatcher->dispatch('onSessionSegmentsLoaded', new OnSessionSegmentsLoaded([]))->getData(); $session_segments = array_merge($session_segments, $client_segments); -$path = $container['request']->getUri()->getPath(); +$path = $uri->getPath(); $container['flash'] = false; $container['csrf'] = false; @@ -149,7 +151,7 @@ foreach($session_segments as $segment) // configure session ini_set('session.cookie_httponly', 1 ); ini_set('session.use_strict_mode', 1); - if($container['request']->getUri()->getScheme() == 'https') + if($uri->getScheme() == 'https') { ini_set('session.cookie_secure', 1); session_name('__Secure-typemill-session'); 
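Review bot: The new scheme test in the @@ -149 hunk of system.php uses a loose comparison, `if($uri->getScheme() == 'https')`; since `getScheme()` returns a string, `if($uri->getScheme() === 'https')` is the precise form and avoids PHP's type-juggling rules for `==`. The surrounding `foreach($session_segments as $segment)` loop begins outside the hunk.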
@@ -183,7 +185,7 @@ foreach($session_segments as $segment) * LOAD TWIG VIEW * ************************/ -$container['view'] = function ($container) +$container['view'] = function ($container) use ($uri) { $path = array($container->get('settings')['themePath'], $container->get('settings')['authorPath']); @@ -194,18 +196,18 @@ $container['view'] = function ($container) ]); // Instantiate and add Slim specific extension - $basePath = rtrim(str_ireplace('index.php', '', $container['request']->getUri()->getBasePath()), '/'); + $basePath = rtrim(str_ireplace('index.php', '', $uri->getBasePath()), '/'); $view->addExtension(new Slim\Views\TwigExtension($container['router'], $basePath)); $view->addExtension(new Twig_Extension_Debug()); $view->addExtension(new Typemill\Extensions\TwigUserExtension()); $view->addExtension(new Typemill\Extensions\TwigMarkdownExtension()); $view->addExtension(new Typemill\Extensions\TwigMetaExtension()); $view->addExtension(new Typemill\Extensions\TwigPagelistExtension()); - - /* use {{ base_url() }} in twig templates */ - $view['base_url'] = $container['request']->getUri()->getBaseUrl(); - $view['current_url'] = $container['request']->getUri()->getPath(); + # use {{ base_url() }} in twig templates + $view['base_url'] = $uri->getBaseUrl(); + $view['current_url'] = $uri->getPath(); + /* if session route, add flash messages and csrf-protection */ if($container['flash']) { 
@@ -216,12 +218,10 @@ $container['view'] = function ($container) /* add asset-function to all views */ $view->getEnvironment()->addGlobal('assets', $container->assets); - /****************************** * LOAD TRANSLATIONS * ******************************/ - $uri = $_SERVER['REQUEST_URI']; - if(isset($uri) && (strpos($uri,'/tm/') !== false OR strpos($uri,'/setup') !== false)) + if(isset($uri->getPath) && (strpos($uri->getPath(),'/tm/') !== false OR strpos($uri->getPath(),'/setup') !== false)) { // Admin environment labels $labels = Typemill\Translations::loadTranslations('admin');
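Review bot: The rewritten condition `if(isset($uri->getPath) && ...)` reads `getPath` as a property rather than calling the method; `isset()` on an undefined object property returns false without a warning, so the branch is never taken and the admin translations are never loaded. The guard is no longer needed now that `$uri` is a captured object instead of a possibly-unset `$_SERVER` entry, so the line should become `if(strpos($uri->getPath(),'/tm/') !== false OR strpos($uri->getPath(),'/setup') !== false)`. A subtler change is that the old check ran on `$_SERVER['REQUEST_URI']` while the new one runs on Slim's `getPath()`; the session-segment list in the @@ -138 hunk contains both `'tm/'` and `'/tm/'`, which suggests `getPath()` can come back without a leading slash on sub-directory installs, in which case `'/tm/'` would not match, so normalising first with `$path = '/' . ltrim($uri->getPath(), '/');` and matching against `$path` is safer. The enclosing `$container['view']` closure starts outside this hunk.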