From 28f1f0f077b2adf2144b996ff85acb481e73ae50 Mon Sep 17 00:00:00 2001
From: kodiakhq
Date: Tue, 15 Oct 2024 03:06:40 +0000
Subject: [PATCH] deploy: 32e9fbce723e9730dcfac4614e7edb2d96b2962c
---
 classes/rex-media-service.html | 20 ++---
 classes/rex-response.html | 80 +++++++++----------
 .../mediapool/lib/service_media.php.txt | 24 ++++++
 .../src/addons/phpmailer/lib/mailer.php.txt | 78 +++++++++---------
 .../redaxo/src/core/lib/response.php.txt | 18 ++++-
 5 files changed, 131 insertions(+), 89 deletions(-)
diff --git a/classes/rex-media-service.html b/classes/rex-media-service.html
index 4181861c6..00ad0c7c3 100644
--- a/classes/rex-media-service.html
+++ b/classes/rex-media-service.html
@@ -158,9 +158,9 @@

@@ -249,9 +249,9 @@

Holt ein upgeloadetes File und legt es in den Medienpool @@ -314,9 +314,9 @@

@@ -356,9 +356,9 @@

@@ -431,9 +431,9 @@

Holt ein upgeloadetes File und legt es in den Medienpool diff --git a/classes/rex-response.html b/classes/rex-response.html index f77394ec5..c81e1af92 100644 --- a/classes/rex-response.html +++ b/classes/rex-response.html @@ -789,9 +789,9 @@

Cleans all output buffers.

@@ -822,9 +822,9 @@

Clear the given cookie by name.

@@ -898,9 +898,9 @@

@@ -930,9 +930,9 @@

Returns a request save NONCE für CSP Headers and Implemntations.

@@ -967,9 +967,9 @@

Returns the HTTP Status code.

@@ -1004,9 +1004,9 @@

Set a file to be preload via http link header.

@@ -1061,9 +1061,9 @@

Sends the cache control header.

@@ -1104,9 +1104,9 @@

Sends content to the client.

@@ -1176,9 +1176,9 @@

Sends the content type header.

@@ -1219,9 +1219,9 @@

@@ -1303,9 +1303,9 @@

Checks if content has changed by the etag cachekey.

@@ -1354,9 +1354,9 @@

Sends a file to client.

@@ -1430,9 +1430,9 @@

@@ -1492,9 +1492,9 @@

Checks if content has changed by the last modified timestamp.

@@ -1543,9 +1543,9 @@

Sends a page to client.

@@ -1599,9 +1599,9 @@

Redirects to a URL.

@@ -1672,9 +1672,9 @@

Sends a resource to the client.

@@ -1762,9 +1762,9 @@

Set a http response header. A existing header with the same name will be overridden.

@@ -1812,9 +1812,9 @@

Sets the HTTP Status code.

@@ -1870,9 +1870,9 @@

Encodes the content with GZIP/X-GZIP if the browser supports one of them.

diff --git a/files/redaxo-main/redaxo/src/addons/mediapool/lib/service_media.php.txt b/files/redaxo-main/redaxo/src/addons/mediapool/lib/service_media.php.txt index c94926b5d..c72308812 100644 --- a/files/redaxo-main/redaxo/src/addons/mediapool/lib/service_media.php.txt +++ b/files/redaxo-main/redaxo/src/addons/mediapool/lib/service_media.php.txt @@ -1,5 +1,7 @@ setTable(rex::getTablePrefix() . 'media'); $saveObject->setValue('filetype', $data['file']['type']); @@ -203,6 +207,8 @@ final class rex_media_service @chmod($dstFile, rex::getFilePerm()); + self::sanitizeMedia($dstFile, $filetype); + $saveObject->setValue('filetype', $filetype); $saveObject->setValue('filesize', filesize($dstFile)); $saveObject->setValue('originalname', $file['name']); @@ -370,4 +376,22 @@ final class rex_media_service return $items; } + + private static function sanitizeMedia(string $path, ?string $type): void + { + if ('image/svg+xml' !== $type && 'svg' !== strtolower(rex_file::extension($path))) { + return; + } + + $content = rex_type::notNull(rex_file::get($path)); + + $antiXss = new AntiXSS(); + $antiXss->removeEvilAttributes(['style']); + $antiXss->removeEvilHtmlTags(['style', 'svg', 'title']); + + $content = $antiXss->xss_clean($content); + $content = preg_replace('/^\s*<\?xml(.*?)\?>/', '', $content); + + rex_file::put($path, $content); + } } diff --git a/files/redaxo-main/redaxo/src/addons/phpmailer/lib/mailer.php.txt b/files/redaxo-main/redaxo/src/addons/phpmailer/lib/mailer.php.txt index fd507c5df..3a186dac4 100644 --- a/files/redaxo-main/redaxo/src/addons/phpmailer/lib/mailer.php.txt +++ b/files/redaxo-main/redaxo/src/addons/phpmailer/lib/mailer.php.txt 
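Review bot: `self::sanitizeMedia($dstFile, $filetype)` is called only after the upload has been moved to `$dstFile` and chmod'ed, so if the sanitizer throws (for instance `rex_type::notNull` on a `rex_file::get` that returned null) the unsanitized SVG stays at its final path while the surrounding save presumably aborts. If that path lies in the web-served media directory, the file is reachable until someone removes it by hand. Fail closed by discarding the file on error: `try { self::sanitizeMedia($dstFile, $filetype); } catch (Throwable $e) { unlink($dstFile); throw $e; }`. The method this call sits in starts and ends outside the hunk, and where `$filetype` is derived is not visible here.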
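Review bot: `preg_replace('/^\s*<\?xml(.*?)\?>/', '', $content)` returns null on a PCRE error and that null is passed straight to `rex_file::put($path, $content)`; depending on put's parameter type that is either a TypeError, which leaves the file on disk as it was (the unsanitized upload), or an empty file written silently. Make the failure explicit the same way the read already is, `$content = rex_type::notNull(preg_replace('/^\s*<\?xml(.*?)\?>/', '', $content));`, and if `rex_file::put` reports failure through its return value (not visible here) check that too instead of discarding it. The method also lacks a docblock stating its contract and the reason for dropping the XML declaration, e.g. `/** Rewrites an SVG upload in place with script-capable markup removed; files neither typed nor named as SVG are left untouched. */` followed by one line explaining why the leading `<?xml …?>` is stripped, which the hunk does not say.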
@@ -249,20 +249,19 @@ class rex_mailer extends PHPMailer { $addon = rex_addon::get('phpmailer'); $logFile = rex_path::log('system.log'); - $sendTime = $addon->getConfig('last_log_file_send_time', 0); - $lasterrors = $addon->getConfig('last_errors', ''); - $currenterrors = ''; - $timediff = time() - $sendTime; + $lastSendTime = (int) $addon->getConfig('last_log_file_send_time', 0); + $lastErrors = (string) $addon->getConfig('last_errors', ''); + $currentErrors = ''; - if ($timediff <= $addon->getConfig('errormail') || !filesize($logFile)) { + // Check if the log file has content + if (!filesize($logFile)) { return; } $file = rex_log_file::factory($logFile); - $logevent = false; - // Start - generate mailbody + // Start - generate mail body $mailBody = '

Error protocol for: ' . rex::getServerName() . '

'; $mailBody .= ' '; $mailBody .= ''; @@ -278,8 +277,11 @@ class rex_mailer extends PHPMailer $mailBody .= ' '; $mailBody .= ' '; + $errorCount = 0; + $maxErrors = 30; // Maximum number of errors to process + /** @var rex_log_entry $entry */ - foreach (new LimitIterator($file, 0, 30) as $entry) { + foreach (new LimitIterator($file, 0, $maxErrors) as $entry) { $data = $entry->getData(); $time = rex_formatter::intlDateTime($entry->getTimestamp(), [IntlDateFormatter::SHORT, IntlDateFormatter::MEDIUM]); $type = $data[0]; @@ -289,24 +291,11 @@ class rex_mailer extends PHPMailer $url = $data[4] ?? ''; $style = ''; - $logtypes = [ - 'error', - 'exception', - ]; - - foreach ($logtypes as $logtype) { - if (false !== stripos($type, $logtype)) { - $logevent = true; - $style = ' class="errorbg"'; - $currenterrors .= $entry->getTimestamp() . ' '; - break; - } - } - - if ('logevent' == $type) { - $style = ' class="eventbg"'; + if (false !== stripos($type, 'error') || false !== stripos($type, 'exception') || 'logevent' === $type) { + $style = ' class="' . (('logevent' === $type) ? 'eventbg' : 'errorbg') . '"'; $logevent = true; - $currenterrors .= $entry->getTimestamp() . ' '; + $currentErrors .= $entry->getTimestamp() . $type . $message; + ++$errorCount; } $mailBody .= ' '; @@ -317,29 +306,46 @@ class rex_mailer extends PHPMailer $mailBody .= ' '; $mailBody .= ' '; $mailBody .= ' '; + + if ($errorCount >= $maxErrors) { + break; + } } - // check if logevent occured then send mail + $mailBody .= ' '; + $mailBody .= '
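Review bot: `$logevent = false;` is removed in this hunk while the flag is still assigned inside the loop (`$logevent = true;` in the hunk at -289) and tested afterwards (`if (!$logevent) { return; }` in the hunk at -317); on a run where none of the inspected entries is an error, exception or logevent, that test reads an undefined variable, PHP 8 emits a warning, and the early return only works because null happens to be falsy. Restore the initialization next to `$currentErrors = '';`, or drop the flag and test `0 === $errorCount`, which is incremented on the same branch. The signature of the enclosing method lies above this hunk.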
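Review bot: `$errorCount` counts only matching entries while `new LimitIterator($file, 0, $maxErrors)` already caps the loop at `$maxErrors` entries of any kind, so the `if ($errorCount >= $maxErrors) { break; }` introduced in the hunk at -317 can fire only on the final iteration and does nothing the iterator does not already do. Either remove it or give the two limits distinct meanings (iterate a larger window, stop after `$maxErrors` matches); if it stays, `$maxErrors` reads better as a class constant than as a local with a trailing comment.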
' . $line . '' . $url . '
'; + + // If no errors were found, terminate if (!$logevent) { return; } - if ($lasterrors === $currenterrors || '' == $currenterrors) { + // Create hash of current errors + $currentErrorsHash = md5($currentErrors); + + // Combine time-based and content-based checks + $timeSinceLastSend = time() - $lastSendTime; + $errorMailInterval = (int) $addon->getConfig('errormail'); + + if ($timeSinceLastSend < $errorMailInterval && $currentErrorsHash === $lastErrors) { return; } - $mailBody .= ' '; - $mailBody .= ''; - // End - generate mailbody - + // Send email $mail = new self(); - $mail->Subject = rex::getServerName() . ' - error report '; + $mail->Subject = rex::getServerName() . ' - Error Report'; $mail->Body = $mailBody; $mail->AltBody = strip_tags($mailBody); - $mail->FromName = 'REDAXO error report'; + $mail->FromName = 'REDAXO Error Report'; $mail->addAddress(rex::getErrorEmail()); - $addon->setConfig('last_errors', $currenterrors); - $addon->setConfig('last_log_file_send_time', time()); - $mail->Send(); + + // Set X-Mailer header for ErrorMails + $mail->XMailer = 'REDAXO/' . rex::getVersion() . ' ErrorMailer'; + + if ($mail->Send()) { + // Update configuration only if email was sent successfully + $addon->setConfig('last_errors', $currentErrorsHash); + $addon->setConfig('last_log_file_send_time', time()); + } } } diff --git a/files/redaxo-main/redaxo/src/core/lib/response.php.txt b/files/redaxo-main/redaxo/src/core/lib/response.php.txt index 90770bd61..4a86a53c2 100644 --- a/files/redaxo-main/redaxo/src/core/lib/response.php.txt +++ b/files/redaxo-main/redaxo/src/core/lib/response.php.txt @@ -28,6 +28,7 @@ class rex_response private static bool $sentEtag = false; private static bool $sentContentType = false; private static bool $sentCacheControl = false; + private static bool $closeConnection = false; private static array $additionalHeaders = []; private static array $preloadFiles = []; private static string $nonce = ''; 
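Review bot: the new guard `if ($timeSinceLastSend < $errorMailInterval && $currentErrorsHash === $lastErrors)` suppresses a mail only when the interval is unexpired and the content is unchanged, so `errormail` no longer bounds the send rate: every invocation that sees a changed hash of the inspected entries mails at once, and a burst of distinct errors, including ones provoked by external requests, becomes one mail per invocation. If one mail per interval is the intent, the old `||` combined with the new hash does it; if immediate notification on new content is wanted, pair it with a minimum spacing so `last_log_file_send_time` still limits frequency. A failed `Send()` is silent as well: `$mail->ErrorInfo` is dropped and, because the config stays unchanged, the attempt repeats on every invocation, so log it in an `else` branch. How often this method runs depends on its caller, which is outside the hunk.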
@@ -275,7 +276,7 @@ class rex_response $hasShutdownExtension = rex_extension::isRegistered('RESPONSE_SHUTDOWN'); if ($hasShutdownExtension) { - header('Connection: close'); + self::$closeConnection = true; } self::sendContent($content, null, $lastModified); @@ -340,10 +341,21 @@ class rex_response self::sendAdditionalHeaders(); self::sendPreloadHeaders(); + $finish = null; + if (function_exists('fastcgi_finish_request')) { + $finish = fastcgi_finish_request(...); + } elseif (function_exists('litespeed_finish_request')) { + $finish = litespeed_finish_request(...); + } elseif (self::$closeConnection) { + header('Connection: close'); + } + echo $content; - if (function_exists('fastcgi_finish_request')) { - fastcgi_finish_request(); + if ($finish) { + $finish(); + } elseif (!in_array(\PHP_SAPI, ['cli', 'phpdbg', 'embed'], true)) { + flush(); } }
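Review bot: on the fallback path (`self::$closeConnection` set and neither `fastcgi_finish_request` nor `litespeed_finish_request` available) `flush()` pushes the body out but does not end the response: without a `Content-Length` header, and none is set in this hunk or visible elsewhere to me, the client keeps reading until the server closes the socket at script end, i.e. after the `RESPONSE_SHUTDOWN` work this change is meant to take off the request path. If the early hand-off is the goal, send the length with the close header, `header('Content-Length: ' . strlen($content));` next to `header('Connection: close');`, which is only correct if `$content` is the final body as sent and nothing was echoed earlier. Minor: `if ($finish)` relies on the truthiness of a Closure; `if (null !== $finish)` states the intent. The hunk ends at the method's closing brace.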