diff --git a/CREDITS b/CREDITS
index aa71d52c..2bf6127d 100644
--- a/CREDITS
+++ b/CREDITS
@@ -29,8 +29,10 @@ Benoît Bleuzé
 Christian Kier
 Christoph Anton Mitterer
 CSchulz
+Cyprian Guerra
 Cyril Giraud
 Daniel Aleksandersen
+Danny de Weille
 DAViCal Administrator
 Dávid Takács
 Émile Morel
@@ -61,7 +63,9 @@ Matthias Beyer
 Matthias Mohr
 Maxime Delorme
 Michael Trausch
+Milan Crha
 Milan Medlik
+Niels van Gijzen
 Nishanth Aravamudan
 Nomad Arton
 Patrick Näf Moser
@@ -71,6 +75,7 @@ Peter Schaefer-Hutter
 Philipp Matthias Hahn
 Pierre Giraud
 Raphael Hertzog
+Rick Verdoes
 Rik Theys
 Rob Ostensen
 Sarenet S.A.U Egoitz Aurrekoetxea
diff --git a/ChangeLog b/ChangeLog
index 88c5141c..7167b8d5 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,34 @@
+2019-11-29 Niels van Gijzen
+ * Correct reflected cross-site scripting (XSS) vulnerability
+ * Correct persistent XSS vulnerability in user/group/resource details
+ * Correct persistent XSS vulnerability in user/group/resource list
+ * Add token to address cross-site request forgery (CSRF) vulnerability
+
+2019-11-26 Andrew Ruthven
+ * More syntax errors with collection_id
+
+2019-03-28 Cyprian Guerra
+ * Fix syntax of collection_id parameter
+
+2019-06-19 Milan Crha
+ * Add missing 'break' to rrule.php
+
+2019-03-11 Florian Schlichting
+ * More PHP curl message corrections
+
+2019-03-06 Andrew Ruthven
+ * Specify PHP curl, not PHP5
+
+2019-03-05 Jamie McClymont
+ * Update minimum PHP version requirement
+
+2019-02-27 Jamie McClymont
+ * Make range-based calendar queries use the new first_instance_start/last_instance_end columns
+ * Make calquery expansion aware of the calendar default timezone
+
+2019-02-12 Florian Schlichting
+ * Fix more PHP7+ type hints for PHP5 compatibility (fixes #197)
+
 2019-01-30 Florian Schlichting
 * add users to new groups in the "update groups" step
 * honour do_not_sync_group_from_ldap when creating groups, correctly display all results
diff --git a/VERSION b/VERSION
index 18efdb9a..512a1faa 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-1.1.8
+1.1.9
diff --git a/htdocs/always.php b/htdocs/always.php
index ca75b8c2..2dcdf2c5 100644
--- a/htdocs/always.php
+++ b/htdocs/always.php
@@ -8,47 +8,6 @@ if ( preg_match('{/always.php$}', $_SERVER['SCRIPT_NAME'] ) ) header('Location: index.php');
-// XSS Protection
-function filter_post(&$val, $index) {
- if(in_array($index, ["newpass1", "newpass2"])) return;
-
- switch (gettype($val)) {
- case "string":
- $val = htmlspecialchars($val);
- break;
-
- case "array":
- array_walk_recursive($val, function(&$v) {
- if (gettype($v) == "string") {
- $v = htmlspecialchars($v);
- }
- });
- break;
- }
-}
-
-function clean_get() {
- $temp = [];
-
- foreach($_GET as $key => $value) {
- // XSS is possible in both key and values
- $k = htmlspecialchars($key);
- $v = htmlspecialchars($value);
- $temp[$k] = $v;
- }
-
- return $temp;
-}
-
-// Before anything else is executed we filter all the user input, a lot of code in this project
-// relies on variables that are easily manipulated by the user. These lines and functions filter all those variables.
-if(isset($_POST)) array_walk($_POST, 'filter_post');
-$_GET = clean_get();
-$_SERVER['REQUEST_URI'] = str_replace("&", "&", htmlspecialchars($_SERVER['REQUEST_URI']));
-$_SERVER['HTTP_REFERER'] = htmlspecialchars($_SERVER['HTTP_REFERER']);
-
-
-
 // Ensure the configuration starts out as an empty object.
 $c = (object) array();
 $c->script_start_time = microtime(true);
@@ -287,7 +246,7 @@ if ( function_exists('awl_set_locale') ) {
 */
 $c->code_version = 0;
 $c->want_awl_version = '0.60';
-$c->version_string = '1.1.8'; // The actual version # is replaced into that during the build /release process
+$c->version_string = '1.1.9'; // The actual version # is replaced into that during the build /release process
 if ( isset($c->version_string) && preg_match( '/(\d+)\.(\d+)\.(\d+)(.*)/', $c->version_string, $matches) ) {
 $c->code_major = $matches[1];
 $c->code_minor = $matches[2];
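Review bot: With the blanket htmlspecialchars() pass over $_GET, $_POST, $_SERVER['REQUEST_URI'] and $_SERVER['HTTP_REFERER'] removed from the top of always.php, every page that echoes request data now depends on escaping at its own output point, and nothing in this hunk shows where that replacement escaping lands; the ChangeLog entries in this release name the user/group/resource details and list pages and a reflected XSS, but do not mention REQUEST_URI or HTTP_REFERER, which the removed block also encoded. Dropping input-side encoding is the right direction (it double-escapes data on the way into the database and is wrong for non-HTML sinks), but it should be paired with an audit of every place that prints `$_SERVER['REQUEST_URI']`, `$_SERVER['HTTP_REFERER']` or a raw `$_GET`/`$_POST` value, escaping each at the HTML sink with `htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. A short comment at the removal site would keep the next maintainer from re-adding a global filter, e.g. `// Request data is intentionally not HTML-encoded here; escape at each output point instead.` The enclosing scope is the file's top-level script, which continues outside the hunk.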