Merge branch '3.2'

CHANGELOG.md

@@ -41,11 +41,16 @@ This is a log of major user-visible changes in each phpMyFAQ release.
 - migrated from SwiftMailer to Symfony Mailer (Thorsten)
 - migrated codebase to use PHP 8.1 language features (Thorsten)
 - updated to Bootstrap v5.3 (Thorsten)
-- updated to TinyMCE v6.4 (Thorsten)
+- updated to TinyMCE v6.6 (Thorsten)
 - updated to PHPUnit v10 (Thorsten)
 - updated Japanese translation (Advanced Bear)
 - updated Dutch translation (Bob Coret)
 
+### phpMyFAQ v3.1.16 - 2023-07-16
+
+- fixed multiple security vulnerabilities (Thorsten)
+- fixed minor bugs (Thorsten)
+
 ### phpMyFAQ v3.1.15 - 2023-06-17
 
 - fixed minor bugs (Thorsten)

phpmyfaq/admin/api/user.php

@@ -22,6 +22,7 @@
 use phpMyFAQ\Filter;
 use phpMyFAQ\Helper\MailHelper;
 use phpMyFAQ\Permission;
+use phpMyFAQ\Report;
 use phpMyFAQ\Session\Token;
 use phpMyFAQ\Strings;
 use phpMyFAQ\Translation;
@@ -94,8 +95,8 @@
                 $userObject->status = $user->getStatus();
                 $userObject->isSuperAdmin = $user->isSuperAdmin();
                 $userObject->isVisible = $user->getUserData('is_visible');
-                $userObject->displayName = $user->getUserData('display_name');
-                $userObject->userName = $user->getLogin();
+                $userObject->displayName = Report::sanitize($user->getUserData('display_name'));
+                $userObject->userName = Report::sanitize($user->getLogin());
                 $userObject->email = $user->getUserData('email');
                 $userObject->authSource = $user->getUserAuthSource();
                 $userData[] = $userObject;

phpmyfaq/admin/report.export.php

@@ -122,7 +122,8 @@
 
     $content = '';
     foreach ($text as $row) {
-        $content .= implode(';', $row);
+        $csvRow = array_map(['phpMyFAQ\Report', 'sanitize'], $row);
+        $content .= implode(';', $csvRow);
         $content .= "\r\n";
     }
 

phpmyfaq/content/core/config/constants.php

@@ -113,7 +113,7 @@
  *
  * - hash (default)
  * - bcrypt
- * - crypt (not recommended)
+ * - crypt (not recommended, marked as deprecated, will be removed with v3.3)
  *
  * WARNING: DO NOT CHANGE THIS VALUE AFTER YOUR INITIAL INSTALLATION!
  * OTHERWISE, ALL YOUR REGISTERED USERS HAVE TO REQUEST A NEW PASSWORD.

phpmyfaq/register.php

@@ -30,8 +30,8 @@
 $request = Request::createFromGlobals();
 
 if (!$faqConfig->get('security.enableRegistration')) {
-    $response = new RedirectResponse('$faqSystem->getSystemUri($faqConfig)');
-    $response->send();
+    $redirect = new RedirectResponse($faqSystem->getSystemUri($faqConfig));
+    $redirect->send();
 }
 
 try {

phpmyfaq/services/azure/callback.php

@@ -17,12 +17,16 @@
 
 use GuzzleHttp\Exception\GuzzleException;
 use phpMyFAQ\Auth\AuthAzureActiveDirectory;
+use phpMyFAQ\Configuration;
 use phpMyFAQ\Filter;
 use phpMyFAQ\Session;
 use phpMyFAQ\Auth\Azure\OAuth;
 use phpMyFAQ\User\CurrentUser;
 use Symfony\Component\HttpFoundation\RedirectResponse;
 
+session_start();
+session_regenerate_id(true);
+
 //
 // Prepend and start the PHP session
 //
@@ -36,13 +40,17 @@
 require PMF_ROOT_DIR . '/src/Bootstrap.php';
 require PMF_CONFIG_DIR . '/azure.php';
 
+$faqConfig = Configuration::getConfigurationInstance();
+
 $code = Filter::filterInput(INPUT_GET, 'code', FILTER_SANITIZE_SPECIAL_CHARS);
 $error = Filter::filterInput(INPUT_GET, 'error_description', FILTER_SANITIZE_SPECIAL_CHARS);
 
 $session = new Session($faqConfig);
 $oAuth = new OAuth($faqConfig, $session);
 $auth = new AuthAzureActiveDirectory($faqConfig, $oAuth);
 
+$redirect = new RedirectResponse($faqConfig->getDefaultUrl());
+
 if ($session->getCurrentSessionKey()) {
     try {
         $token = $oAuth->getOAuthToken($code);
@@ -76,14 +84,14 @@
         $user->setSuccess(true);
 
         // @todo -> redirect to where the user came from
-        $response = new RedirectResponse($faqConfig->getDefaultUrl());
-        $response->send();
+        $redirect->send();
     } catch (GuzzleException $e) {
         echo $e->getMessage();
     } catch (Exception $e) {
         echo $e->getMessage();
     }
 } else {
-    $response = new RedirectResponse($faqConfig->getDefaultUrl());
-    $response->send();
+    $redirect->send();
 }
+
+

phpmyfaq/services/twitter/clearsessions.php

@@ -7,12 +7,12 @@
  * v. 2.0. If a copy of the MPL was not distributed with this file, You can
  * obtain one at https://mozilla.org/MPL/2.0/.
  *
- * @package phpMyFAQ
- * @author Thorsten Rinne <[email protected]>
+ * @package   phpMyFAQ
+ * @author    Thorsten Rinne <[email protected]>
  * @copyright 2010-2023 phpMyFAQ Team
- * @license https://www.mozilla.org/MPL/2.0/ Mozilla Public License Version 2.0
- * @link https://www.phpmyfaq.de
- * @since 2010-09-18
+ * @license   https://www.mozilla.org/MPL/2.0/ Mozilla Public License Version 2.0
+ * @link      https://www.phpmyfaq.de
+ * @since     2010-09-18
  */
 
 use Symfony\Component\HttpFoundation\RedirectResponse;
@@ -30,6 +30,7 @@
 require PMF_ROOT_DIR . '/src/Bootstrap.php';
 
 session_destroy();
+session_start();
 
 $response = new RedirectResponse('./connect.php');
 $response->send();

phpmyfaq/services/twitter/index.php

@@ -19,6 +19,8 @@
 use Abraham\TwitterOAuth\TwitterOAuth;
 use Abraham\TwitterOAuth\TwitterOAuthException;
 use Symfony\Component\HttpFoundation\RedirectResponse;
+use phpMyFAQ\Configuration;
+use Symfony\Component\HttpFoundation\RedirectResponse;
 
 //
 // Prepend and start the PHP session
@@ -31,6 +33,8 @@
 //
 require PMF_ROOT_DIR . '/src/Bootstrap.php';
 
+$faqConfig = Configuration::getConfigurationInstance();
+
 if (
     empty($_SESSION['access_token']) ||
     empty($_SESSION['access_token']['oauth_token']) ||

phpmyfaq/services/twitter/redirect.php

@@ -17,6 +17,7 @@
  */
 
 use Abraham\TwitterOAuth\TwitterOAuth;
+use phpMyFAQ\Configuration;
 use Symfony\Component\HttpFoundation\RedirectResponse;
 
 //
@@ -30,6 +31,8 @@
 //
 require PMF_ROOT_DIR . '/src/Bootstrap.php';
 
+$faqConfig = Configuration::getConfigurationInstance();
+
 $connection = new TwitterOAuth(
     $faqConfig->get('socialnetworks.twitterConsumerKey'),
     $faqConfig->get('socialnetworks.twitterConsumerSecret')

phpmyfaq/src/phpMyFAQ/EncryptionTypes/Crypt.php

@@ -23,6 +23,7 @@
  * Class Crypt
  *
  * @package phpMyFAQ\EncryptionTypes
+ * @deprecated will be removed with v3.3
  */
 class Crypt extends Encryption
 {

phpmyfaq/src/phpMyFAQ/Faq.php

@@ -909,7 +909,10 @@ public function create(FaqEntity $faq): int
         }
 
         $query = sprintf(
-            "INSERT INTO %sfaqdata VALUES
+            "INSERT INTO %sfaqdata 
+            (id, lang, solution_id, revision_id, active, sticky, keywords, thema, content, author, email, comment, 
+            updated, date_start, date_end, created, notes)
+            VALUES
             (%d, '%s', %d, %d, '%s', %d, '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s')",
             Database::getTablePrefix(),
             $faq->getId(),

phpmyfaq/src/phpMyFAQ/Link.php

@@ -262,11 +262,11 @@ public function toHtmlAnchor(): string
         }
 
         if (!empty($this->tooltip)) {
-            $htmlAnchor .= sprintf(' title="%s"', addslashes($this->tooltip));
+            $htmlAnchor .= sprintf(' title="%s"', Strings::htmlentities($this->tooltip));
         }
 
         if (!empty($this->name)) {
-            $htmlAnchor .= sprintf(' name="%s"', $this->name);
+            $htmlAnchor .= sprintf(' name="%s"', Strings::htmlentities($this->name));
         } else {
             if (!empty($this->url)) {
                 $htmlAnchor .= sprintf(' href="%s"', $url);
@@ -280,10 +280,10 @@ public function toHtmlAnchor(): string
         }
         $htmlAnchor .= '>';
         if (('0' == $this->text) || (!empty($this->text))) {
-            $htmlAnchor .= $this->text;
+            $htmlAnchor .= Strings::htmlentities($this->text);
         } else {
             if (!empty($this->name)) {
-                $htmlAnchor .= $this->name;
+                $htmlAnchor .= Strings::htmlentities($this->name);
             } else {
                 $htmlAnchor .= $url;
             }

phpmyfaq/src/phpMyFAQ/Report.php

@@ -139,4 +139,18 @@ public function convertEncoding(string $outputString = ''): string
         $toBeRemoved = ['=', '+', '-', 'HYPERLINK'];
         return str_replace($toBeRemoved, '', $outputString);
     }
+
+    /**
+     * Sanitizes input to avoid CSV injection.
+     * @param string|int $value
+     * @return string
+     */
+    public static function sanitize($value): string
+    {
+        if (preg_match('/[=\+\-\@\|]/', $value)) {
+            $value = '"' . str_replace('"', '""', $value) . '"';
+        }
+
+        return $value;
+    }
 }

phpmyfaq/src/phpMyFAQ/Search/Database/Mysqli.php

@@ -48,7 +48,7 @@ public function __construct(Configuration $config)
     public function search(string $searchTerm): mixed
     {
         if (is_numeric($searchTerm) && $this->config->get('search.searchForSolutionId')) {
-            parent::search($searchTerm);
+            return parent::search($searchTerm);
         } else {
             $relevance = $this->config->get('search.enableRelevance');
             $columns = $this->getResultColumns();

phpmyfaq/src/phpMyFAQ/Session.php

@@ -404,7 +404,7 @@ public function setCookie(string $name, int|string|null $sessionId, int $timeout
 
         return setcookie(
             $name,
-            $sessionId,
+            $sessionId ?? '',
             [
                 'expires' => $_SERVER['REQUEST_TIME'] + $timeout,
                 'path' => dirname((string) $_SERVER['SCRIPT_NAME']),

phpmyfaq/src/phpMyFAQ/User/CurrentUser.php

@@ -443,6 +443,7 @@ public function deleteFromSession(bool $deleteCookie = false): bool
         }
 
         session_destroy();
+        session_start();
 
         return true;
     }

phpmyfaq/ucp.php

@@ -15,6 +15,7 @@
  * @since     2012-01-12
  */
 
+use phpMyFAQ\Configuration;
 use phpMyFAQ\Services\Gravatar;
 use phpMyFAQ\Session\Token;
 use phpMyFAQ\Strings;
@@ -29,6 +30,8 @@
     exit();
 }
 
+$faqConfig = Configuration::getConfigurationInstance();
+
 if ($user->isLoggedIn()) {
     try {
         $faqSession->userTracking('user_control_panel', $user->getUserId());