Merge branch 'hotfix/3.5.28'

Author: leofeyer

assets/mootools/simplemodal/1.2/css/simplemodal-uncompressed.css

@@ -73,6 +73,16 @@
   bottom: 40px;
   -webkit-overflow-scrolling: touch;
 }
+/* PATCH: see #8708 */
+.ios .simple-modal:before {
+  content: '';
+  position: absolute;
+  top: 0;
+  left: 0;
+  width: 1px;
+  height: calc(100% + 1px);
+  pointer-events: none;
+}
 .simple-modal .simple-modal-header {
   padding: 5px 15px;
   margin: 0;

assets/mootools/simplemodal/1.2/css/simplemodal.css

@@ -13,7 +13,7 @@
  * Core version
  */
 define('VERSION', '3.5');
-define('BUILD', '27');
+define('BUILD', '28');
 define('LONG_TERM_SUPPORT', true);
 
 

system/config/constants.php

@@ -1,6 +1,22 @@
 Contao Open Source CMS changelog
 ================================
 
+Version 3.5.28 (2017-07-12)
+---------------------------
+
+### Fixed
+Prevent arbitrary PHP file inclusions in the back end (see CVE-2017-10993).
+
+### Fixed
+Improve the accessibility of the CAPTCHA widget (see #8709).
+
+### Fixed
+Fixed the iOS scrolling bug in the simple modal script (see #8708).
+
+### Fixed
+Correctly cache the unique keys in the SQL cache (see #8712).
+
+
 Version 3.5.27 (2017-04-25)
 ---------------------------
 

system/docs/CHANGELOG.md

@@ -74,6 +74,9 @@ public function run()
 			}
 		}
 
+		// Load the default language file (see #8719)
+		\System::loadLanguageFile('default');
+
 		// Run the jobs
 		foreach ($arrIntervals as $strInterval)
 		{

system/modules/core/controllers/FrontendCron.php

@@ -571,7 +571,9 @@ public function cutFile($row, $href, $label, $title, $icon, $attributes)
 	 */
 	public function deleteFile($row, $href, $label, $title, $icon, $attributes)
 	{
-		if (is_dir(TL_ROOT . '/' . $row['id']) && count(scan(TL_ROOT . '/' . $row['id'])) > 0)
+		$path = TL_ROOT . '/' . urldecode($row['id']);
+
+		if (is_dir($path) && count(scan($path)) > 0)
 		{
 			return $this->User->hasAccess('f4', 'fop') ? '<a href="'.$this->addToUrl($href.'&amp;id='.$row['id']).'" title="'.specialchars($title, false, true).'"'.$attributes.'>'.Image::getHtml($icon, $label).'</a> ' : Image::getHtml(preg_replace('/\.gif$/i', '_.gif', $icon)).' ';
 		}
@@ -653,13 +655,23 @@ public function showFile($row, $href, $label, $title, $icon, $attributes)
 	 */
 	public function protectFolder(DataContainer $dc)
 	{
-		$count = 0;
 		$strPath = $dc->id;
 
 		// Check whether the temporary name has been replaced already (see #6432)
-		if (Input::post('name') && ($strNewPath = str_replace('__new__', Input::post('name'), $strPath, $count)) && $count > 0 && is_dir(TL_ROOT . '/' . $strNewPath))
+		if (Input::post('name'))
 		{
-			$strPath = $strNewPath;
+			if (Validator::isInsecurePath(Input::post('name')))
+			{
+				throw new RuntimeException('Invalid file or folder name ' . Input::post('name'));
+			}
+
+			$count = 0;
+			$strName = basename($strPath);
+
+			if (($strNewPath = str_replace($strName, Input::post('name'), $strPath, $count)) && $count > 0 && is_dir(TL_ROOT . '/' . $strNewPath))
+			{
+				$strPath = $strNewPath;
+			}
 		}
 
 		// Only show for folders (see #5660)

system/modules/core/dca/tl_files.php

@@ -312,7 +312,7 @@
 		(
 			'label'                   => &$GLOBALS['TL_LANG']['tl_settings']['maxImageWidth'],
 			'inputType'               => 'text',
-			'eval'                    => array('rgxp'=>'natural', 'nospace'=>true, 'tl_class'=>'w50')
+			'eval'                    => array('mandatory'=>true, 'rgxp'=>'natural', 'nospace'=>true, 'tl_class'=>'w50')
 		),
 		'jpgQuality' => array
 		(

system/modules/core/dca/tl_settings.php

@@ -200,10 +200,11 @@ public function generateLabel()
 	 */
 	public function generate()
 	{
-		return sprintf('<input type="text" name="%s" id="ctrl_%s" class="captcha mandatory%s" value=""%s%s',
+		return sprintf('<input type="text" name="%s" id="ctrl_%s" class="captcha mandatory%s" value="" aria-describedby="captcha_text_%s"%s%s',
 						$this->strCaptchaKey,
 						$this->strId,
 						(($this->strClass != '') ? ' ' . $this->strClass : ''),
+						$this->strId,
 						$this->getAttributes(),
 						$this->strTagEnding) . $this->addSubmit();
 	}
@@ -216,7 +217,8 @@ public function generate()
 	 */
 	public function generateQuestion()
 	{
-		return sprintf('<span class="captcha_text%s">%s</span>',
+		return sprintf('<span id="captcha_text_%s" class="captcha_text%s">%s</span>',
+						$this->strId,
 						(($this->strClass != '') ? ' ' . $this->strClass : ''),
 						$this->getQuestion());
 	}

system/modules/core/forms/FormCaptcha.php

@@ -252,7 +252,7 @@
         <source>Maximum front end width</source>
       </trans-unit>
       <trans-unit id="tl_settings.maxImageWidth.1">
-        <source>If the width of an image or movie exceeds this value, it will be adjusted automatically.</source>
+        <source>If the width of an image or movie exceeds this value, it will be adjusted automatically. Set to 0 to disable the limit.</source>
       </trans-unit>
       <trans-unit id="tl_settings.jpgQuality.0">
         <source>JPG thumbnail quality</source>

system/modules/core/languages/en/tl_settings.xlf

@@ -762,6 +762,7 @@ public function generateDcaExtracts()
 			$objFile->append(sprintf("\$this->arrMeta = %s;\n", var_export($objExtract->getMeta(), true)));
 			$objFile->append(sprintf("\$this->arrFields = %s;\n", var_export($objExtract->getFields(), true)));
 			$objFile->append(sprintf("\$this->arrOrderFields = %s;\n", var_export($objExtract->getOrderFields(), true)));
+			$objFile->append(sprintf("\$this->arrUniqueFields = %s;\n", var_export($objExtract->getUniqueFields(), true)));
 			$objFile->append(sprintf("\$this->arrKeys = %s;\n", var_export($objExtract->getKeys(), true)));
 			$objFile->append(sprintf("\$this->arrRelations = %s;\n", var_export($objExtract->getRelations(), true)));