AjaxSearch 1.12.1 Security Fix was released

It contains an important security fix for previous Ajax Search versions.

It is highly recommended Update to AjaxSearch 1.12.1 from the Extras
Module or downloading from
https://github.com/extras-evolution/ajaxSearch/releases/tag/1.12.1

Author: Nicola1971

assets/modules/evogallery/js/uploadify/uploadify.php

@@ -0,0 +1,162 @@
+#Changelog:
+27-oct-18 (1.12.1)
+- Some refactor
+- Security Fix
+
+11-jul-17 (1.11.0)
+- Refactor, no more use index-ajax.php
+
+12-apr-16 (1.10.2)
+
+- Bug fixes
+- see Github 05.06.14 - 12.04.16: https://github.com/modxcms/evolution/commits/develop/assets/snippets/ajaxSearch
+
+05-jun-14 (1.10.1)
+
+- Security/Bug fixes
+
+27-mar-13 (1.10.0)
+
+- Security/Bug fixes
+
+26-sep-12 (1.9.3)
+
+- Bug fixing
+- Removed ajaxsearch's own striptags functions and substituted the use of $modx->stripTags
+- minimum chars allowed to 2
+
+05-dec-10 (1.9.2)
+
+- Bug fixing
+
+30-aug-10 (1.9.2)
+
+- Bug fixing
+
+18-may-10 (1.9.0)
+
+- Completely refactored - MVC model implemented
+- Defines categories and display of group of results
+- Several AS call on same page
+- parents (in / not in), documents (in / not in)
+- Custom output
+- Filtering search results by tv name
+- Filter features (allow to set up specific search forms)
+- Bug fixing
+
+20-oct-09 (1.8.4)
+
+- Sites and subsites notions
+- Defines categories and display of group of results
+- Several AS call on same page
+- Bug fixing
+
+14-jun-09 (1.8.4)
+
+- Sites and subsites notions
+- Defines categories and display of group of results
+- Several AS call on same page
+- Bug fixing
+
+08-jun-09 (1.8.3)
+
+- Bug fixing
+- The number of results is available with the [+as.resultNumber+] placeholder
+
+01-mar-09 (1.8.2)
+
+- liveSearch parameter renamed
+- Initialisation of configuration parameters is modified
+- mbstring parameter added
+- Limit the amount of keywords that will be queried by a search
+- Capturing failed search criteria and search logs
+- Compatibility with mootools 1.2.1 library
+- Compatibility with jquery library
+- Always display paging parameter added
+- Bug fixing
+
+02-oct-08 (1.8.1)
+
+- subSearch added.
+- mysql query redesigned.
+- whereSearch parameter improved. Fields definition added
+- withTvs parameter added. specify the search in Tvs
+- metacharacter for filter
+- improvement of the searchword list parameter
+- debug - file and firebug console
+- Bug fixing
+
+21 -July-08 (1.8.0)
+
+- define where to do the search (&whereSearch parameter)
+- define which fields to use for the extracts (&extract parameter)
+- use AjaxSearch with non MOdx tables
+- order the results with the &order parameter
+- define the ranking value and sort the results with it
+- filter the unwanted documents of the search
+- define the extract eliipsis
+- define the extract separator
+- Extended place holder templating and template parameters
+- Improvement of the extract algorithm
+- Define the number of extracts displayed in the search results
+- Use of &advSearch parameter available from the front-end by the end user
+- Choose your search term from a predefined search word list
+- stripInput user function
+- stripOutput user function
+- Configuration file and $__ global parameters
+- snippet code completely refactored and objectified
+- Bugfixes regarding Quoted searchstring
+
+06-Mar-08 (1.7.1)
+
+- Advanced search (partial & relevance)
+- Search in hidden documents from menu
+- List of Ids limited to parent-documents ids in javascript
+- Code cleaning
+
+06-Jan-08 (1.7)
+
+- Added custom config file
+- Added list of parent-documents where to search
+- Added opacity parameter (between 0 (transparent) and 1 (opaque)
+- Added bugfixes regarding opacity with IE
+- Using of DBAPI function instead of deprecated function
+- Charset troubles corrected
+
+22-Jan-07 (1.6)
+
+- Added templating support (includes/templates.inc.php)
+- Added language support
+- Switched from prototype/scriptaculous to Mootools
+	
+03-Jan-07
+
+- Added many bugfixes/additions from AjaxSearch forum
+
+18-Sep-06
+
+- Added code to only show results for allowed pages
+
+05-May-06
+
+- Added liveSearch functionality and new parameter
+
+21-Apr-06
+
+- Added code to make it compatible with tagcloud snippet
+
+20-Apr-06
+
+- Added code from eastbind & japanese community for other language searching
+
+04-Apr-06
+
+- Added search term highlighting
+
+01-Apr-06
+
+- initial commit into SVN
+
+30-Mar-06
+
+- initial work based on FSF_ajax from KyleJ

assets/snippets/ajaxSearch/HISTORY.md

@@ -0,0 +1,102 @@
+<?php
+/** ---------------------------------------------------------------------------
+ * Snippet: AjaxSearch
+ * -----------------------------------------------------------------------------
+ * ajaxSearchPopup.php
+ *
+ * @author       Coroico - www.evo.wangba.fr
+ * @version      1.12.1
+ * @date         27/10/2018
+ *
+ */
+
+/*!
+* getUserConfigName : parse the non default configuration file name from ucfg string
+*/
+function getUserConfigName($ucfg) {
+    preg_match('/&config=`([^`]*)`/', $ucfg, $matches);
+    return $matches[1];
+}
+
+define('MODX_API_MODE', true);
+include_once(__DIR__ . '/../../../index.php');
+$modx->db->connect();
+if (empty($modx->config)) {
+    $modx->getSettings();
+}
+if (!isset($_SERVER['HTTP_X_REQUESTED_WITH']) ||
+    (strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) !== 'xmlhttprequest') ||
+    strpos($_SERVER['HTTP_REFERER'], $modx->getConfig('site_url')) !== 0
+) {
+    $modx->sendErrorPage();
+}
+
+if (isset($_POST['search'])) {
+    define('AS_VERSION', '1.12.1');
+    define('AS_SPATH', 'assets/snippets/ajaxSearch/');
+    define('AS_PATH', MODX_BASE_PATH . AS_SPATH);
+
+    if (!isset($_POST['as_version']) || (strip_tags($_POST['as_version']) !== AS_VERSION)) {
+        $output = 'AjaxSearch version obsolete.' .
+            '<br />' .
+            'Please check the snippet code in MODX manager.';
+    } else {
+        include_once AS_PATH . 'classes/ajaxSearch.class.inc.php';
+        $tstart = $modx->getMicroTime();
+        $default = AS_PATH . 'configs/default.config.php';
+
+        if (file_exists($default)) {
+            include $default;
+        } else {
+            return '<h3>' .
+                'AjaxSearch error: $default not found !' .
+                '<br />' .
+                'Check the existing of this file!' .
+            '</h3>';
+        }
+
+        if (!isset($dcfg)) {
+            return '<h3>' .
+                'AjaxSearch error: default configuration array not defined in $default!' .
+                '<br />' .
+                'Check the content of this file!' .
+            '</h3>';
+        }
+
+        $ucfg = isset($_POST['ucfg']) && is_scalar($_POST['ucfg']) ? $_POST['ucfg'] : '';
+        $config = getUserConfigName(strip_tags($ucfg));
+
+        // Load the custom functions of the custom configuration file if needed
+        if ($config) {
+            if (strpos($config, '@FILE:') !== 0) {
+                // remove all not alphanumeric chars exept underscore and minus in the filename
+                $config = preg_replace('/[^a-zA-Z0-9_-]/i', '', $config);
+                $lconfig = AS_PATH . "configs/{$config}.config.php";
+                if (file_exists($lconfig)) {
+                    include $lconfig;
+                } else {
+                    return '<h3>' .
+                        'AjaxSearch error: ' . $lconfig . ' not found !' .
+                        '<br />' .
+                        'Check your config parameter or your config file name!' .
+                    '</h3>';
+                }
+            } else {
+                return '<h3>' .
+                    'AjaxSearch error: @FILE: prefix not allowed !' .
+                    '<br />' .
+                    'Check your config parameter or your config file name!' .
+                '</h3>';
+            }
+        }
+        if ($dcfg['version'] !== AS_VERSION) {
+            return '<h3>' .
+                'AjaxSearch error: Version number mismatch. Check the content of the default configuration file!' .
+            '</h3>';
+        }
+        $as = new AjaxSearch();
+        $output = $as->run($tstart, $dcfg);
+        header('Content-type: text/html; charset=' . $modx->getConfig('modx_charset'));
+    }
+    echo $output;
+}