Changeset 1162 for trunk

Timestamp:

12/15/11 16:00:09 (5 months ago)

Author:

bogdan2412

Message:

More fixes from live.

• Fix 500 errors appearing when attachment name contained ilegal characters.

(was not security issue, only failing assert)

• Fix 500 errors appearing when textblock revision was not an integer

(was not security issue, got converted into integer -1 and caused mysql
syntax error)

• Fix coding style, variable name mismatch and memory leak in userwidget view.
• Fix bug in account controller when trying to change user's security level.
• Do not allow tests to be run if not in development mode.

Location:

trunk

Files:

• tests/utilities.php (modified) (1 diff)
• www/controllers/account_validator.php (modified) (1 diff)
• www/controllers/attachment.php (modified) (1 diff)
• www/controllers/textblock.php (modified) (1 diff)
• www/views/userwidget.php (modified) (1 diff)

trunk/tests/utilities.php

@@ -6 +6 @@
 require_once(IA_ROOT_DIR."common/db/db.php");
 require_once(IA_ROOT_DIR."common/db/user.php");
+
+if (!IA_DEVELOPMENT_MODE) {
+    // These tests alter the database and can remove user created content
+    // by mistake (it has happened in the past).
+    log_error("You should never run these tests in a production environment");
+}
 
 // Test with curl. $args format:

trunk/www/controllers/account_validator.php

@@ -121 +121 @@
 
     // Security
-    log_print($user['security_level']);
     if (!$register && array_key_exists('security_level', $data)) {
-        if ($user['security_level'] != 'normal' &&
-               $user['security_level'] != 'helper' &&
-               $user['security_level'] != 'admin' &&
-               $user['security_level'] != 'intern') {
+        if ($data['security_level'] != 'normal' &&
+            $data['security_level'] != 'helper' &&
+            $data['security_level'] != 'admin' &&
+            $data['security_level'] != 'intern') {
             $errors['security_level'] = "Nivel de securitate invalid";
         }

trunk/www/controllers/attachment.php

@@ -414 +414 @@
 // Returns attachment model
 function try_attachment_get($page_name, $file_name) {
-    if (!$file_name) {
+    if (!$file_name || !is_attachment_name($file_name)) {
         die_http_error();
     }

trunk/www/controllers/textblock.php

@@ -22 +22 @@
         $rev_count = textblock_get_revision_count($page_name);
         if ($rev_num && $rev_num != $rev_count) {
+            if (!is_numeric($rev_num) || (int)$rev_num < 1) {
+                flash_error('Revizia "' . $rev_num . '" este invalida.');
+                redirect(url_textblock($page_name));
+            } else {
+                $rev_num = (int)$rev_num;
+            }
             identity_require("textblock-history", $crpage);
             $page = textblock_get_revision($page_name, $rev_num);
 
             if (!$page) {
-                flash_error("Revizia \"{$rev_num}\" nu exista.");
+                flash_error('Revizia "' . $rev_num . '" nu exista.');
                 redirect(url_textblock($page_name));
             }

trunk/www/views/userwidget.php

@@ -5 +5 @@
     $my_img = imagecreatefromjpeg (IA_ROOT_DIR . "www/static/images/widget.jpg");
     $background = imagecolorallocate($my_img, 154, 205, 50);
-    $text_colour = imagecolorallocate($my_img, 255, 255, 255);
+    $text_color = imagecolorallocate($my_img, 255, 255, 255);
     $rating_value = (int) $view['rating'];
     if($rating_value >= 600) {
-        $line_colour = imagecolorallocate($my_img, 178, 34, 34);
+        $line_color = imagecolorallocate($my_img, 178, 34, 34);
+    } else if ($rating_value >= 520) {
+        $line_color = imagecolorallocate($my_img, 255, 255, 0);
+    } else {
+        $line_color = imagecolorallocate($my_img, 50, 205, 50);
     }
-    else if($rating_value >= 520) {
-        $line_colour = imagecolorallocate($my_img, 255, 255, 0);
-    }
-    else {
-        $line_colour = imagecolorallocate($my_img, 50, 205, 50);
-    }
-    imagestring($my_img, 3, 15, 42, $view['name'], $text_colour);
-    imagestring($my_img, 3, 115, 5, $print_rating, $text_colour);
-    imagestring($my_img, 3, 95, 19, "Succes: " . $view['succes'], $text_colour);
-    imagestring($my_img, 3, 15, 54, "Probleme rezolvate: " . $view['task_data_succes'], $text_colour);
-    imagestring($my_img, 3, 15, 65, "Probleme incercate: " . $view['task_data_failed'], $text_colour);
+    imagestring($my_img, 3, 15, 42, $view['name'], $text_color);
+    imagestring($my_img, 3, 115, 5, $print_rating, $text_color);
+    imagestring($my_img, 3, 95, 19, "Succes: " . $view['succes'], $text_color);
+    imagestring($my_img, 3, 15, 54, "Probleme rezolvate: " . $view['task_data_succes'], $text_color);
+    imagestring($my_img, 3, 15, 65, "Probleme incercate: " . $view['task_data_failed'], $text_color);
     imagesetthickness($my_img, 5);
-    imageline($my_img, 0, 38, 200, 38, $line_colour);
+    imageline($my_img, 0, 38, 200, 38, $line_color);
     header("Content-type: image/png");
     imagepng($my_img);
-    imagecolordeallocate($line_color);
-    imagecolordeallocate($text_color);
-    imagecolordeallocate($background);
+    imagecolordeallocate($my_img, $line_color);
+    imagecolordeallocate($my_img, $text_color);
+    imagecolordeallocate($my_img, $background);
     imagedestroy($my_img);
- ?>
+?>