Merge branch 'hotfix/3.5.31'

contao · Nov 15, 2017 · 3e41ad8 · 3e41ad8
2 parents 2474ff9 + 0a88b04
commit 3e41ad8
Show file tree

Hide file tree

Showing 10 changed files with 99 additions and 81 deletions.
diff --git a/composer.lock b/composer.lock
diff --git a/system/config/constants.php b/system/config/constants.php
@@ -13,7 +13,7 @@
  * Core version
  */
 define('VERSION', '3.5');
-define('BUILD', '30');
+define('BUILD', '31');
 define('LONG_TERM_SUPPORT', true);
 
 

diff --git a/system/docs/CHANGELOG.md b/system/docs/CHANGELOG.md
@@ -1,6 +1,13 @@
 Contao Open Source CMS changelog
 ================================
 
+Version 3.5.31 (2017-11-15)
+---------------------------
+
+### Fixed
+Prevent SQL injections in the back end search panel (see CVE-2017-16558).
+
+
 Version 3.5.30 (2017-10-06)
 ---------------------------
 

diff --git a/system/modules/calendar/languages/pl/default.xlf b/system/modules/calendar/languages/pl/default.xlf
@@ -15,6 +15,7 @@
       </trans-unit>
       <trans-unit id="MSC.cal_timeSeparator">
         <source>–</source>
+        <target>–</target>
       </trans-unit>
       <trans-unit id="MSC.cal_emptyDay">
         <source>There are no events on this day.</source>

diff --git a/system/modules/core/drivers/DC_Table.php b/system/modules/core/drivers/DC_Table.php
@@ -4943,23 +4943,33 @@ protected function searchMenu()
 		// Store search value in the current session
 		if (\Input::post('FORM_SUBMIT') == 'tl_filters')
 		{
-			$session['search'][$this->strTable]['value'] = '';
-			$session['search'][$this->strTable]['field'] = \Input::post('tl_field', true);
+			$strField = \Input::post('tl_field', true);
+			$strKeyword = ltrim(\Input::postRaw('tl_value'), '*');
+
+			if ($strField && !in_array($strField, $searchFields, true))
+			{
+				$strField = '';
+				$strKeyword = '';
+			}
 
 			// Make sure the regular expression is valid
-			if (\Input::postRaw('tl_value') != '')
+			if ($strField && $strKeyword)
 			{
 				try
 				{
-					$this->Database->prepare("SELECT * FROM " . $this->strTable . " WHERE " . \Input::post('tl_field', true) . " REGEXP ?")
+					$this->Database->prepare("SELECT * FROM " . $this->strTable . " WHERE " . $strField . " REGEXP ?")
 								   ->limit(1)
-								   ->execute(\Input::postRaw('tl_value'));
-
-					$session['search'][$this->strTable]['value'] = \Input::postRaw('tl_value');
+								   ->execute($strKeyword);
+				}
+				catch (\Exception $e)
+				{
+					$strKeyword = '';
 				}
-				catch (\Exception $e) {}
 			}
 
+			$session['search'][$this->strTable]['field'] = $strField;
+			$session['search'][$this->strTable]['value'] = $strKeyword;
+
 			$this->Session->setData($session);
 		}
 
@@ -5060,7 +5070,7 @@ protected function sortMenu()
 			$strSort = \Input::post('tl_sort');
 
 			// Validate the user input (thanks to aulmn) (see #4971)
-			if (in_array($strSort, $sortingFields))
+			if (in_array($strSort, $sortingFields, true))
 			{
 				$session['sorting'][$this->strTable] = in_array($GLOBALS['TL_DCA'][$this->strTable]['fields'][$strSort]['flag'], array(2, 4, 6, 8, 10, 12)) ? "$strSort DESC" : $strSort;
 				$this->Session->setData($session);

diff --git a/system/modules/core/languages/pl/tl_files.xlf b/system/modules/core/languages/pl/tl_files.xlf
@@ -151,7 +151,7 @@
       </trans-unit>
       <trans-unit id="tl_files.new.0">
         <source>New folder</source>
-        <target>Nowy szablon</target>
+        <target>Nowy folder</target>
       </trans-unit>
       <trans-unit id="tl_files.new.1">
         <source>Create a new folder</source>

diff --git a/system/modules/core/languages/pl/tl_settings.xlf b/system/modules/core/languages/pl/tl_settings.xlf
@@ -335,6 +335,7 @@
       </trans-unit>
       <trans-unit id="tl_settings.maxImageWidth.1">
         <source>If the width of an image or movie exceeds this value, it will be adjusted automatically. Set to 0 to disable the limit.</source>
+        <target>Jeśli szerokość obrazka lub filmu przekroczy tą wartość, element zostanie automatycznie dostosowany. Wprowadź 0, aby wyłączyć limit.</target>
       </trans-unit>
       <trans-unit id="tl_settings.jpgQuality.0">
         <source>JPG thumbnail quality</source>

diff --git a/system/modules/core/library/Contao/StringUtil.php b/system/modules/core/library/Contao/StringUtil.php
@@ -605,13 +605,13 @@ function (array $matches) use ($arrData)
 			$blnCurrent = $arrStack[count($arrStack) - 1];
 			$blnCurrentIf = $arrIfStack[count($arrIfStack) - 1];
 
-			if (strncmp($strTag, '{if', 3) === 0)
+			if (strncmp($strTag, '{if ', 4) === 0)
 			{
 				$blnExpression = $evaluateExpression(substr($strTag, 4, -1));
 				$arrStack[] = $blnCurrent && $blnExpression;
 				$arrIfStack[] = $blnExpression;
 			}
-			elseif (strncmp($strTag, '{elseif', 7) === 0)
+			elseif (strncmp($strTag, '{elseif ', 8) === 0)
 			{
 				$blnExpression = $evaluateExpression(substr($strTag, 8, -1));
 				array_pop($arrStack);