AjaxSearch 1.12.1 Security Fix was released
It contains an important security fix for previous Ajax Search versions.

It is highly recommended to update to AjaxSearch 1.12.1 from the Extras
Module or to download it from
https://github.com/extras-evolution/ajaxSearch/releases/tag/1.12.1
Nicola1971 committed Oct 28, 2018
1 parent 4851d74 commit a181fd0
Showing 135 changed files with 12,262 additions and 4,225 deletions.
3 changes: 0 additions & 3 deletions assets/modules/evogallery/js/uploadify/uploadify.php

This file was deleted.

162 changes: 162 additions & 0 deletions assets/snippets/ajaxSearch/HISTORY.md
@@ -0,0 +1,162 @@
#Changelog:
27-oct-18 (1.12.1)
- Some refactor
- Security Fix

11-jul-17 (1.11.0)
- Refactor, no more use index-ajax.php

12-apr-16 (1.10.2)

- Bug fixes
- see Github 05.06.14 - 12.04.16: https://github.com/modxcms/evolution/commits/develop/assets/snippets/ajaxSearch

05-jun-14 (1.10.1)

- Security/Bug fixes

27-mar-13 (1.10.0)

- Security/Bug fixes

26-sep-12 (1.9.3)

- Bug fixing
- Removed ajaxsearch's own striptags functions and substituted the use of $modx->stripTags
- minimum chars allowed to 2

05-dec-10 (1.9.2)

- Bug fixing

30-aug-10 (1.9.2)

- Bug fixing

18-may-10 (1.9.0)

- Completely refactored - MVC model implemented
- Defines categories and display of group of results
- Several AS call on same page
- parents (in / not in), documents (in / not in)
- Custom output
- Filtering search results by tv name
- Filter features (allow to set up specific search forms)
- Bug fixing

20-oct-09 (1.8.4)

- Sites and subsites notions
- Defines categories and display of group of results
- Several AS call on same page
- Bug fixing

14-jun-09 (1.8.4)

- Sites and subsites notions
- Defines categories and display of group of results
- Several AS call on same page
- Bug fixing

08-jun-09 (1.8.3)

- Bug fixing
- The number of results is available with the [+as.resultNumber+] placeholder

01-mar-09 (1.8.2)

- liveSearch parameter renamed
- Initialisation of configuration parameters is modified
- mbstring parameter added
- Limit the amount of keywords that will be queried by a search
- Capturing failed search criteria and search logs
- Compatibility with mootools 1.2.1 library
- Compatibility with jquery library
- Always display paging parameter added
- Bug fixing

02-oct-08 (1.8.1)

- subSearch added.
- mysql query redesigned.
- whereSearch parameter improved. Fields definition added
- withTvs parameter added. specify the search in Tvs
- metacharacter for filter
- improvement of the searchword list parameter
- debug - file and firebug console
- Bug fixing

21 -July-08 (1.8.0)

- define where to do the search (&whereSearch parameter)
- define which fields to use for the extracts (&extract parameter)
- use AjaxSearch with non MOdx tables
- order the results with the &order parameter
- define the ranking value and sort the results with it
- filter the unwanted documents of the search
- define the extract eliipsis
- define the extract separator
- Extended place holder templating and template parameters
- Improvement of the extract algorithm
- Define the number of extracts displayed in the search results
- Use of &advSearch parameter available from the front-end by the end user
- Choose your search term from a predefined search word list
- stripInput user function
- stripOutput user function
- Configuration file and $__ global parameters
- snippet code completely refactored and objectified
- Bugfixes regarding Quoted searchstring

06-Mar-08 (1.7.1)

- Advanced search (partial & relevance)
- Search in hidden documents from menu
- List of Ids limited to parent-documents ids in javascript
- Code cleaning

06-Jan-08 (1.7)

- Added custom config file
- Added list of parent-documents where to search
- Added opacity parameter (between 0 (transparent) and 1 (opaque)
- Added bugfixes regarding opacity with IE
- Using of DBAPI function instead of deprecated function
- Charset troubles corrected

22-Jan-07 (1.6)

- Added templating support (includes/templates.inc.php)
- Added language support
- Switched from prototype/scriptaculous to Mootools

03-Jan-07

- Added many bugfixes/additions from AjaxSearch forum

18-Sep-06

- Added code to only show results for allowed pages

05-May-06

- Added liveSearch functionality and new parameter

21-Apr-06

- Added code to make it compatible with tagcloud snippet

20-Apr-06

- Added code from eastbind & japanese community for other language searching

04-Apr-06

- Added search term highlighting

01-Apr-06

- initial commit into SVN

30-Mar-06

- initial work based on FSF_ajax from KyleJ
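Review bot: the 1.12.1 entry says only `- Security Fix`, which gives anyone triaging this upgrade no way to tell which file or input was affected; state at least the affected component and link the advisory if one exists, so downstream users can judge exposure without diffing the release. Two smaller points in the same hunk: `#Changelog:` needs a space after `#` to render as a Markdown heading, and version numbers are duplicated across dates (`1.9.2` on both 05-dec-10 and 30-aug-10, `1.8.4` on both 20-oct-09 and 14-jun-09 with identical bullet lists), so one of each pair looks like a copy-paste error.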
320 changes: 320 additions & 0 deletions assets/snippets/ajaxSearch/README.md

Large diffs are not rendered by default.

102 changes: 102 additions & 0 deletions assets/snippets/ajaxSearch/ajaxSearchPopup.php
@@ -0,0 +1,102 @@
<?php
/** ---------------------------------------------------------------------------
* Snippet: AjaxSearch
* -----------------------------------------------------------------------------
* ajaxSearchPopup.php
*
* @author Coroico - www.evo.wangba.fr
* @version 1.12.1
* @date 27/10/2018
*
*/

/*!
* getUserConfigName : parse the non default configuration file name from ucfg string
*/
function getUserConfigName($ucfg) {
preg_match('/&config=`([^`]*)`/', $ucfg, $matches);
return $matches[1];
}

define('MODX_API_MODE', true);
include_once(__DIR__ . '/../../../index.php');
$modx->db->connect();
if (empty($modx->config)) {
$modx->getSettings();
}
if (!isset($_SERVER['HTTP_X_REQUESTED_WITH']) ||
(strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) !== 'xmlhttprequest') ||
strpos($_SERVER['HTTP_REFERER'], $modx->getConfig('site_url')) !== 0
) {
$modx->sendErrorPage();
}

if (isset($_POST['search'])) {
define('AS_VERSION', '1.12.1');
define('AS_SPATH', 'assets/snippets/ajaxSearch/');
define('AS_PATH', MODX_BASE_PATH . AS_SPATH);

if (!isset($_POST['as_version']) || (strip_tags($_POST['as_version']) !== AS_VERSION)) {
$output = 'AjaxSearch version obsolete.' .
'<br />' .
'Please check the snippet code in MODX manager.';
} else {
include_once AS_PATH . 'classes/ajaxSearch.class.inc.php';
$tstart = $modx->getMicroTime();
$default = AS_PATH . 'configs/default.config.php';

if (file_exists($default)) {
include $default;
} else {
return '<h3>' .
'AjaxSearch error: $default not found !' .
'<br />' .
'Check the existing of this file!' .
'</h3>';
}

if (!isset($dcfg)) {
return '<h3>' .
'AjaxSearch error: default configuration array not defined in $default!' .
'<br />' .
'Check the content of this file!' .
'</h3>';
}

$ucfg = isset($_POST['ucfg']) && is_scalar($_POST['ucfg']) ? $_POST['ucfg'] : '';
$config = getUserConfigName(strip_tags($ucfg));

// Load the custom functions of the custom configuration file if needed
if ($config) {
if (strpos($config, '@FILE:') !== 0) {
// remove all not alphanumeric chars exept underscore and minus in the filename
$config = preg_replace('/[^a-zA-Z0-9_-]/i', '', $config);
$lconfig = AS_PATH . "configs/{$config}.config.php";
if (file_exists($lconfig)) {
include $lconfig;
} else {
return '<h3>' .
'AjaxSearch error: ' . $lconfig . ' not found !' .
'<br />' .
'Check your config parameter or your config file name!' .
'</h3>';
}
} else {
return '<h3>' .
'AjaxSearch error: @FILE: prefix not allowed !' .
'<br />' .
'Check your config parameter or your config file name!' .
'</h3>';
}
}
if ($dcfg['version'] !== AS_VERSION) {
return '<h3>' .
'AjaxSearch error: Version number mismatch. Check the content of the default configuration file!' .
'</h3>';
}
$as = new AjaxSearch();
$output = $as->run($tstart, $dcfg);
header('Content-type: text/html; charset=' . $modx->getConfig('modx_charset'));
}
echo $output;
}
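Review bot: the `return '<h3>' . ... '</h3>'` statements (default config missing, `$dcfg` undefined, custom config missing, `@FILE:` prefix, version mismatch) sit at the top level of a script that is requested directly by the browser, so the returned string is discarded and the script simply ends: the client gets an empty response instead of the error text. Assign the message to `$output`, as the "version obsolete" branch already does, and fall through to the final `echo $output`. Two more issues in this hunk: `getUserConfigName()` returns `$matches[1]` without checking that `preg_match()` matched, which emits an undefined-offset notice on every request whose `ucfg` carries no `&config=` pair (return `''` when there is no match); and the access check reads `$_SERVER['HTTP_REFERER']` without `isset()`, so a request without a Referer header raises a notice and, on PHP 8, passes `null` to `strpos()`. Treat a missing referer as a failed check explicitly, e.g. `empty($_SERVER['HTTP_REFERER']) || strpos($_SERVER['HTTP_REFERER'], $modx->getConfig('site_url')) !== 0`, rather than relying on the warning path to deny the request.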

0 comments on commit a181fd0
