Release phpwcms v1.10.9

Merge branch 'v1.10-dev'

Author: slackero

README.md

@@ -33,10 +33,24 @@ Never forget to backup your database and files before you start the upgrade proc
 Server system requirements
 --------------------------
 
-**phpwcms** version 1.10.8 requires a web server with PHP 8.2 or newer.
+**phpwcms** version 1.10.9 requires a web server with PHP 8.2 or newer.
 and a MySQL/MariaDB database (minimum version 5.6+ or equivalent).
 
 
+FAQ
+---
+
+### How to set up SMTP with Microsoft Azure and XOAUTH2?
+
+You can find the setup guide for Microsoft Azure and XOAUTH2 in the
+[PHPMailer wiki](https://github.com/PHPMailer/PHPMailer/wiki/Microsoft-Azure-and-XOAUTH2-setup-guide)
+
+### How to set up SMTP with Google and XOAUTH2?
+
+You can find the setup guide for Google and XOAUTH2 in the
+[PHPMailer wiki](https://github.com/PHPMailer/PHPMailer/wiki/Using-Gmail-with-XOAUTH2).
+
+
 Known problems
 --------------
 
@@ -67,9 +81,7 @@ Creator
 **Oliver Georgi**
 
 - <https://github.com/slackero>
-- <https://webverbund.de>
 - <https://www.linkedin.com/in/olivergeorgi>
-- <https://twitter.com/slackero>
 
 
 Copyright and license
@@ -95,7 +107,7 @@ GNU General Public License for more details.
 
 You should have received a copy of the GNU General Public License
 along with this program; if not, write to the.  
-Free Software Foundation, Inc.,
-51 Franklin Street, Fifth Floor, Boston,
-MA 02110-1301,
+Free Software Foundation, Inc.,  
+51 Franklin Street, Fifth Floor, Boston,  
+MA 02110-1301,  
 USA.

composer.json

@@ -10,22 +10,25 @@
         "php": ">=8.2",
         "algo26-matthias/idna-convert": "^v4.2.0",
         "enshrined/svg-sanitize": "^0.21.0",
+        "greew/oauth2-azure-provider": "^v2.0.0",
         "netcarver/textile": "v4.1.3",
-        "league/commonmark": "^2.6.1",
+        "league/commonmark": "^2.7.0",
+        "league/oauth2-google": "^4.0.1",
         "ezyang/htmlpurifier": "^v4.18.0",
         "openpsa/universalfeedcreator": "^v1.9.0",
-        "phpmailer/phpmailer": "^v6.9.3",
-        "phpoffice/phpspreadsheet": "4.1.0",
+        "phpmailer/phpmailer": "^v6.10.0",
+        "phpoffice/phpspreadsheet": "^4.3.1",
         "simplepie/simplepie": "@dev",
         "html2text/html2text": "^4.3.2",
         "php81_bc/strftime": "^0.7.6",
-        "symfony/polyfill-php73": "v1.31.0",
-        "symfony/polyfill-php74": "v1.31.0",
-        "symfony/polyfill-php80": "v1.31.0",
-        "symfony/polyfill-php81": "v1.31.0",
-        "symfony/polyfill-php82": "v1.31.0",
-        "symfony/polyfill-php83": "v1.31.0",
-        "symfony/polyfill-php84": "v1.31.0",
+        "symfony/polyfill-mbstring": "v1.32.0",
+        "symfony/polyfill-php73": "v1.32.0",
+        "symfony/polyfill-php74": "v1.32.0",
+        "symfony/polyfill-php80": "v1.32.0",
+        "symfony/polyfill-php81": "v1.32.0",
+        "symfony/polyfill-php82": "v1.32.0",
+        "symfony/polyfill-php83": "v1.32.0",
+        "symfony/polyfill-php84": "v1.32.0",
         "ext-intl": "*",
         "ext-gd": "*",
         "ext-iconv": "*",
@@ -40,5 +43,8 @@
         "ext-ctype": "*",
         "ext-simplexml": "*",
         "ext-curl": "*"
+    },
+    "require-dev": {
+        "roave/security-advisories": "dev-latest"
     }
 }

image_resized.php

@@ -11,70 +11,93 @@
 
 // <img src="image_resized.php?format=jpg&w=100&h=200&q=85&imgfile=test.jpg" alt="" border="0">
 
-$img_target = (isset($_GET['format'])) ? strtolower(trim($_GET['format'])) : 'jpg';
-$img_file   = (isset($_GET['imgfile'])) ? trim($_GET['imgfile']) : 'img/leer.gif';
-$img_width  = (isset($_GET['w'])) ? intval($_GET['w']) : 0;
-$img_height = (isset($_GET['h'])) ? intval($_GET['h']) : 0;
-$img_quality= (isset($_GET['q']) && intval($_GET['q']) <= 100 && intval($_GET['q'])) ? intval($_GET['q']) : 75;
-
-$img_file   = str_replace(array('http://', 'https://'), '', $img_file);
-
-switch($img_target) {
+$img_target = isset($_GET['format']) ? strtolower(trim($_GET['format'])) : 'jpg';
+$img_file = isset($_GET['imgfile']) ? trim(urldecode($_GET['imgfile'])) : 'img/leer.gif';
+$img_width = isset($_GET['w']) ? (int)$_GET['w'] : 0;
+$img_height = isset($_GET['h']) ? (int)$_GET['h'] : 0;
+$img_quality = isset($_GET['q']) && (int)$_GET['q'] <= 100 && (int)$_GET['q'] ? (int)$_GET['q'] : 75;
+$result = false;
+
+// Ensure no protocol handlers (http://…) or something like C:\ or C:/ or ./ or ../ is part of the file name
+if (
+    $img_file
+    &&
+    (
+        $img_file[0] === '.'
+        ||
+        $img_file[0] === '/'
+        ||
+        $img_file[0] === '\\'
+        ||
+        strpos($img_file, ':/') !== false
+        ||
+        strpos($img_file, './') !== false
+        ||
+        strpos($img_file, ':\\') !== false
+        ||
+        strpos($img_file, '.\\') !== false
+    )
+) {
+    $img_file = '';
+} else {
+    // Absolute path only related to the current directory
+    $img_file = __DIR__ . '/' . $img_file;
+}
 
+switch ($img_target) {
     case 'png':
-        $img_mimetype   = 'image/png';
-        $img_target     = 'jpg';
+        $img_mimetype = 'image/png';
+        $img_target = 'jpg';
         break;
 
     case 'gif':
-        if(function_exists('imagegif')) {
+        if (function_exists('imagegif')) {
             $img_mimetype = 'image/gif';
-            $img_target   = 'gif';
+            $img_target = 'gif';
         } else {
-            $img_target   = 'png';
+            $img_target = 'png';
             $img_mimetype = 'image/png';
         }
         break;
 
     case 'webp':
-        $img_mimetype   = 'image/webp';
-        $img_target     = 'webp';
+        $img_mimetype = 'image/webp';
+        $img_target = 'webp';
         break;
 
     case 'jpeg':
     case 'jpg':
     default:
-        $img_mimetype   = 'image/jpeg';
-        $img_target     = 'jpg';
-
+        $img_mimetype = 'image/jpeg';
+        $img_target = 'jpg';
 }
 
-if(is_file($img_file) && $img_info = getimagesize($img_file)) {
+if ($img_file !== '' && is_readable($img_file) && $img_info = getimagesize($img_file)) {
 
-    if(!$img_width || $img_width >= $img_info[0]) {
+    if (!$img_width || $img_width >= $img_info[0]) {
         $percent_width = 1;
     } else {
         $percent_width = $img_width / $img_info[0];
     }
 
-    if(!$img_height || $img_height >= $img_info[1]) {
+    if (!$img_height || $img_height >= $img_info[1]) {
         $percent_height = 1;
     } else {
         $percent_height = $img_height / $img_info[1];
     }
 
-    if($percent_height < $percent_width) {
+    if ($percent_height < $percent_width) {
         $percent = $percent_height;
-    } elseif($percent_height > $percent_width) {
+    } elseif ($percent_height > $percent_width) {
         $percent = $percent_width;
     } else {
         $percent = $percent_width;
     }
 
-    $img_width  = $img_info[0] * $percent;
+    $img_width = $img_info[0] * $percent;
     $img_height = $img_info[1] * $percent;
 
-    switch($img_target) {
+    switch ($img_target) {
         case 'jpg':
         case 'png':
         case 'webp':
@@ -86,8 +109,7 @@
             break;
     }
 
-    switch($img_info[2]) {
-
+    switch ($img_info[2]) {
         case IMAGETYPE_GIF: // GIF
             $img_source = imagecreatefromgif($img_file);
             break;
@@ -105,41 +127,37 @@
             break;
     }
 
-    imagecopyresized($new_img, $img_source, 0, 0, 0, 0, $img_width, $img_height, $img_info[0], $img_info[1]);
-
-    header('Content-type: '.$img_mimetype);
-
-    switch($img_target) {
-
-        case 'jpg':
-            imagejpeg($new_img, NULL, $img_quality);
-            break;
-
-        case 'webp':
-            imagewebp($new_img, NULL, $img_quality);
-            break;
-
-        case 'png':
-            imagepng($new_img, NULL, 9);
-            break;
-
-        case 'gif':
-            imagegif($new_img);
-            break;
-
+    $result = imagecopyresized($new_img, $img_source, 0, 0, 0, 0, $img_width, $img_height, $img_info[0], $img_info[1]);
+
+    if ($result) {
+        header('Content-type: ' . $img_mimetype);
+
+        switch ($img_target) {
+            case 'jpg':
+                $result = imagejpeg($new_img, NULL, $img_quality);
+                break;
+            case 'webp':
+                $result = imagewebp($new_img, NULL, $img_quality);
+                break;
+            case 'png':
+                $result = imagepng($new_img, NULL, 9);
+                break;
+            case 'gif':
+                $result = imagegif($new_img);
+                break;
+        }
     }
 
     imagedestroy($new_img);
     imagedestroy($img_source);
+}
 
-} else {
-
-    // error / no image
-    header ('Content-type: image/png');
+// Error / no image
+if (!$result) {
+    header('Content-type: image/png');
     $new_img = imagecreatetruecolor(75, 20);
     $text_color = imagecolorallocate($new_img, 255, 255, 255);
-    imagestring($new_img, 1, 5, 5,  "Image Error", $text_color);
+    imagestring($new_img, 1, 5, 5, 'Image Error', $text_color);
     imagepng($new_img, NULL, 9);
     imagedestroy($new_img);
-
 }

include/config/dist.conf.inc.php

@@ -56,7 +56,7 @@
 $phpwcms['img_prev_height']      = 734; // max height of the large preview image
 $phpwcms['max_time']             = 1800; // logout after max_time/60 seconds
 $phpwcms['responsive']           = 1; // 0 max. image width = $phpwcms['content_width'], 1 = as given
-$phpwcms['preserve_image_name']  = 0; // keep file name for resized versions of the image
+$phpwcms['preserve_image_name']  = 1; // keep file name for resized versions of the image
 
 // other stuff
 $phpwcms['image_library']        = 'GD2'; // GD, GD2, ImageMagick, GraphicsMagick or GM, NetPBM
@@ -163,11 +163,17 @@
 $phpwcms['SMTP_FROM_NAME']       = 'My Name'; // reply/from name
 $phpwcms['SMTP_HOST']            = 'localhost'; // SMTP server (host/IP)
 $phpwcms['SMTP_PORT']            = 25; // SMTP server port (default 25)
-$phpwcms['SMTP_MAILER']          = 'mail'; // mail method: mail (default), smtp, sendmail
+$phpwcms['SMTP_MAILER']          = 'mail'; // mail method: mail (default), smtp, sendmail, qmail
 $phpwcms['SMTP_USER']            = 'user'; // default SMTP login (user) name
 $phpwcms['SMTP_PASS']            = 'pass'; // default SMTP password
 $phpwcms['SMTP_SECURE']          = ''; // secure connection, phpMailer options: '', 'ssl' or 'tls'
 $phpwcms['SMTP_AUTH']            = 0; // SMTP authentication, ON=1/OFF=0
-$phpwcms['SMTP_AUTH_TYPE']       = ''; // sets SMTP auth type: LOGIN (default), PLAIN, NTLM, CRAM-MD5
+$phpwcms['SMTP_AUTH_TYPE']       = ''; // sets SMTP auth type: CRAM-MD5, LOGIN, PLAIN, XOAUTH2
+$phpwcms['SMTP_XOAUTH_PROVIDER'] = ''; // XOAUTH2 authentication provider, currently 'Google', 'Microsoft' or 'Azure' are supported
+$phpwcms['SMTP_CLIENT_ID']       = ''; // The client ID for OAuth2 authentication
+$phpwcms['SMTP_CLIENT_SECRET']   = ''; // The client secret for OAuth2 authentication
+$phpwcms['SMTP_TENANT_ID']       = ''; // The tenant ID for Microsoft OAuth2 authentication
+$phpwcms['SMTP_REFRESH_TOKEN']   = ''; // The OAuth2 refresh token (see the backend to obtain it)
+$phpwcms['SMTP_DEBUG']           = 0; // SMTP debug level, 0 = off, 1 = client messages, 2 = client and server messages, 3 = plus connection status, 4 = low-level data
 
 define('PHPWCMS_INCLUDE_CHECK', true);