author | Karl 'vollmerk' Vollmer <vollmer@ampache.org> | 2005-11-29 08:50:47 +0000 |
---|---|---|
committer | Karl 'vollmerk' Vollmer <vollmer@ampache.org> | 2005-11-29 08:50:47 +0000 |
commit | 94d993d8383710dbc87ea12e2a978e43e26f78e2 (patch) | |
tree | 20544d78de6754abe36a1b0a8b78f03e0c95a176 | |
parent | bda730ec5f252c4dc436efcee498b50b2df8c59a (diff) | |
download | ampache-94d993d8383710dbc87ea12e2a978e43e26f78e2.tar.gz ampache-94d993d8383710dbc87ea12e2a978e43e26f78e2.tar.bz2 ampache-94d993d8383710dbc87ea12e2a978e43e26f78e2.zip |
fixed another snoopy flaw and cleaned up for alpha3s release
-rwxr-xr-x | docs/CHANGELOG | 7 | ||||
-rw-r--r-- | login.php | 16 | ||||
-rw-r--r-- | modules/init.php | 2 |
3 files changed, 19 insertions, 6 deletions
diff --git a/docs/CHANGELOG b/docs/CHANGELOG index 63e12cfc..b2614722 100755 --- a/docs/CHANGELOG +++ b/docs/CHANGELOG @@ -3,10 +3,15 @@ -------------------------------------------------------------------------- -------------------------------------------------------------------------- - v.3.3.2-Alpha3 + v.3.3.2-Alpha3 11/29/2005 + - Added marineam's patch to the Snoopy class which fixes a flaw + in the new version which fails to escape single quotes - Updated included Snoopy class due to vulenerability http://seclists.org/lists/fulldisclosure/2005/Oct/0536.html (Thx marineam) + - Fixed a problem where it would attempt to redirect back to the + admin section regardless of rights giving a access denied + message. - Added transcoding of m4a files so they stream properly (Thx Rosensama) - Fixed problem where Add to Playlist from mpd.php only works for @@ -69,10 +69,18 @@ if ( ($auth['success'] == 1)) { // but naming this 'user' didn't work at all // $_SESSION['userdata'] = $auth['info']; - // Make sure they are actually trying to get to this site - if (strstr($_POST['referrer'], conf('web_path')) AND !strstr($_POST['referrer'],"install.php") AND !strstr($_POST['referrer'],"login.php") AND !strstr($_POST['referrer'],"update.php")) { - header("Location: " . $_POST['referrer']); - exit(); + + /* Make sure they are actually trying to get to this site and don't try to redirect them back into + * an admin section + **/ + if (strstr($_POST['referrer'], conf('web_path')) AND + !strstr($_POST['referrer'],"install.php") AND + !strstr($_POST['referrer'],"login.php") AND + !strstr($_POST['referrer'],"update.php") AND + !strstr($_POST['referrer'],"admin")) { + + header("Location: " . $_POST['referrer']); + exit(); } // if we've got a referrer header("Location: " . conf('web_path') . "/index.php"); exit(); diff --git a/modules/init.php b/modules/init.php index a098d8ee..ad049062 100644 --- a/modules/init.php +++ b/modules/init.php 
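Review bot: In the login.php hunk the redirect guard still validates `$_POST['referrer']` with `strstr()`, which only checks that `conf('web_path')` occurs somewhere in the value, so a URL on another host that merely embeds the site address passes and is handed to `header("Location: ...")`. Anchoring the comparison at the start of the string closes that gap: `strpos($_POST['referrer'], conf('web_path') . '/') === 0`. The added `"admin"` test is loose in the other direction, since it rejects any referrer containing that substring anywhere, not only paths under the admin section. The modules/init.php context on this page shows `web_path` being built from `$_SERVER['HTTP_HOST']`, so the prefix is presumably request-influenced and would be safer pinned in configuration. The enclosing `if ( ($auth['success'] == 1))` block starts outside the hunk.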
@@ -83,7 +83,7 @@ if (!$results['conf']['allow_stream_playback']) {
 }
 $results['conf']['web_path'] = $http_type . $_SERVER['HTTP_HOST'] . $results['conf']['web_path'];
-$results['conf']['version'] = '3.3.2-Alpha3 Build (002)';
+$results['conf']['version'] = '3.3.2-Alpha3';
 $results['conf']['catalog_file_pattern']= 'mp3|mpc|m4p|m4a|mp4|aac|ogg|rm|wma|asf|flac|spx';
 $results['libglue']['local_table'] = 'session';
 $results['libglue']['local_sid'] = 'id'; |