Attachment #152932 for bug #197588

Line 0 Link Here

(-)./files/patch-lib__MT.pm (+31 lines)
	1	--- lib/MT.pm.orig 2014-12-11 01:28:20.000000000 +0900
	2	+++ lib/MT.pm 2015-02-13 11:22:27.000000000 +0900
	3	@@ -39,8 +39,8 @@
	4	)
	5	= (
	6	'Movable Type', 'MT',
	7	- '5.2.11', '5.2.11-ru',
	8	- '11', 'http://movable-type.ru/'
	9	+ '5.2.12', '5.2.12-ru',
	10	+ '12', 'http://movable-type.ru/'
	11	);
	12
	13	# To allow MT to run straight from svn, if no build process (pre-processing)
	14	@@ -56,7 +56,7 @@
	15	}
	16
	17	if ( $RELEASE_NUMBER eq '__RELEASE' . '_NUMBER__' ) {
	18	- $RELEASE_NUMBER = 11;
	19	+ $RELEASE_NUMBER = 12;
	20	}
	21
	22	$DebugMode = 0;
	23	@@ -124,7 +124,7 @@
	24	}
	25
	26	sub build_id {
	27	- my $build_id = '5.2.11-ru';
	28	+ my $build_id = '5.2.12-ru';
	29	$build_id = '' if $build_id eq '__BUILD_' . 'ID__';
	30	return $build_id;
	31	}




--- lib/MT/App/Upgrader.pm.orig	2014-12-11 01:26:51.000000000 +0900
+++ lib/MT/App/Upgrader.pm	2015-02-13 11:11:10.000000000 +0900
@@ -671,6 +671,10 @@
         $data = pack 'H*', $data;
         require MT::Serialize;
         my $ser    = MT::Serialize->new('MT');
+        my $ser_ver = $ser->serializer_version($data);
+        if ( !$ser_ver || $ser_ver != $MT::Serialize::SERIALIZER_VERSION ) {
+            die $app->translate('Invalid parameter.');
+        }
         my $thawed = $ser->unserialize($data);
         if ($thawed) {
             my $saved_cfg = $$thawed;




--- lib/MT/App/Wizard.pm.orig	2014-12-11 01:26:51.000000000 +0900
+++ lib/MT/App/Wizard.pm	2015-02-13 11:13:16.000000000 +0900
@@ -1252,6 +1252,10 @@
         $data = pack 'H*', $data;
         require MT::Serialize;
         my $ser    = MT::Serialize->new('MT');
+        my $ser_ver = $ser->serializer_version($data);
+        if ( !$ser_ver || $ser_ver != $MT::Serialize::SERIALIZER_VERSION ) {
+            die $app->translate('Invalid parameter.');
+        }
         my $thawed = $ser->unserialize($data);
         if ($thawed) {
             my $saved_cfg = $$thawed;




--- lib/MT/BackupRestore/BackupFileHandler.pm.orig	2014-12-11 01:26:51.000000000 +0900
+++ lib/MT/BackupRestore/BackupFileHandler.pm	2015-02-13 11:14:50.000000000 +0900
@@ -409,6 +409,15 @@
                 if ( 'blob' eq $defs->{$column_name}->{type} ) {
                     $text = MIME::Base64::decode_base64($text);
                     if ( substr( $text, 0, 4 ) eq 'SERG' ) {
+                        my $ser_ver
+                            = MT::Serialize->serializer_version($text);
+                        if ( $ser_ver == 3 ) {
+                            my $conf_ver = lc MT->config->Serializer;
+                            if ( ( $conf_ver ne 'storable' ) && ( $conf_ver ne 'mts' ) ) {
+                                $self->{critical} = 1;
+                                die MT->translate('Invalid serializer version was specified.');
+                            }
+                        }
                         $text = MT::Serialize->unserialize($text);
                         $obj->$column_name($$text);
                     }
@@ -424,6 +433,15 @@
                 if ( my $type = $metacolumns->{$column_name} ) {
                     if ( 'vblob' eq $type ) {
                         $text = MIME::Base64::decode_base64($text);
+                        my $ser_ver
+                            = MT::Serialize->serializer_version($text);
+                        if ( $ser_ver == 3 ) {
+                            my $conf_ver = lc MT->config->Serializer;
+                            if ( ( $conf_ver ne 'storable' ) && ( $conf_ver ne 'mts' ) ) {
+                                $self->{critical} = 1;
+                                die MT->translate('Invalid serializer version was specified.');
+                            }
+                        }
                         $text = MT::Serialize->unserialize($text);
                         $obj->$column_name($$text);
                     }




--- lib/MT/XMLRPCServer.pm.orig	2014-12-11 01:26:51.000000000 +0900
+++ lib/MT/XMLRPCServer.pm	2015-02-13 11:21:09.000000000 +0900
@@ -495,7 +495,18 @@
     }
 
     _validate_params( [ $blog_id, $user, $pass, $publish ] ) or return;
-    _validate_params( [ values %$item ] ) or return;
+    my $values;
+    foreach my $k ( keys %$item ) {
+        if ( 'categories' eq $k || 'mt_tb_ping_urls' eq $k ) {
+
+            # XMLRPC supports categories array and mt_tb_ping_urls array
+            _validate_params( \@{ $item->{$k} } ) or return;
+        }
+        else {
+            push @$values, $item->{$k};
+        }
+    }
+    _validate_params( \@$values ) or return;
 
     $class->_new_entry(
         blog_id => $blog_id,
@@ -511,7 +522,18 @@
     my ( $blog_id, $user, $pass, $item, $publish ) = @_;
 
     _validate_params( [ $blog_id, $user, $pass, $publish ] ) or return;
-    _validate_params( [ values %$item ] ) or return;
+    my $values;
+    foreach my $k ( keys %$item ) {
+        if ( 'mt_tb_ping_urls' eq $k ) {
+
+            # XMLRPC supports mt_tb_ping_urls array
+            _validate_params( \@{ $item->{$k} } ) or return;
+        }
+        else {
+            push @$values, $item->{$k};
+        }
+    }
+    _validate_params( \@$values ) or return;
 
     $class->_new_entry(
         blog_id => $blog_id,
@@ -663,7 +685,18 @@
     }
 
     _validate_params( [ $entry_id, $user, $pass, $publish ] ) or return;
-    _validate_params( [ values %$item ] ) or return;
+    my $values;
+    foreach my $k ( keys %$item ) {
+        if ( 'categories' eq $k || 'mt_tb_ping_urls' eq $k ) {
+
+            # XMLRPC supports categories array and mt_tb_ping_urls array
+            _validate_params( \@{ $item->{$k} } ) or return;
+        }
+        else {
+            push @$values, $item->{$k};
+        }
+    }
+    _validate_params( \@$values ) or return;
 
     $class->_edit_entry(
         entry_id => $entry_id,
@@ -680,7 +713,18 @@
 
     _validate_params( [ $blog_id, $entry_id, $user, $pass, $publish ] )
         or return;
-    _validate_params( [ values %$item ] ) or return;
+    my $values;
+    foreach my $k ( keys %$item ) {
+        if ( 'mt_tb_ping_urls' eq $k ) {
+
+            # XMLRPC supports mt_tb_ping_urls array
+            _validate_params( \@{ $item->{$k} } ) or return;
+        }
+        else {
+            push @$values, $item->{$k};
+        }
+    }
+    _validate_params( \@$values ) or return;
 
     $class->_edit_entry(
         blog_id  => $blog_id,
@@ -1493,8 +1537,7 @@
     }
 
     my $local_file = File::Spec->catfile( $blog->site_path, $file->{name} );
-    my $ext
-        = ( File::Basename::fileparse( $local_file, qr/[A-Za-z0-9]+$/ ) )[2];
+    my $ext = ( File::Basename::fileparse( $local_file, qr/[A-Za-z0-9]+$/ ) )[2];
     require MT::Asset::Image;
     if ( MT::Asset::Image->can_handle($ext) ) {
         require MT::Image;

Line 0 Link Here

(-)./files/patch-mt-check.cgi (+14 lines)
	1	--- mt-check.cgi.orig 2014-12-11 01:28:20.000000000 +0900
	2	+++ mt-check.cgi 2015-02-13 11:23:25.000000000 +0900
	3	@@ -97,9 +97,9 @@
	4	my $view = $cgi->param("view");
	5	my $version = $cgi->param("version");
	6	my $sess_id = $cgi->param('session_id');
	7	-$version \|\|= '5.2.11-ru';
	8	+$version \|\|= '5.2.12-ru';
	9	if ( $version eq '__PRODUCT_VERSION' . '_ID__' ) {
	10	- $version = '5.2.11';
	11	+ $version = '5.2.12';
	12	}
	13
	14	my ( $mt, $LH );

Line 0 Link Here

(-)./files/patch-mt-static__css__main.css (+8 lines)
	1	--- mt-static/css/main.css.orig 2014-12-11 01:28:23.000000000 +0900
	2	+++ mt-static/css/main.css 2015-02-13 11:24:07.000000000 +0900
	3	@@ -1,4 +1,4 @@
	4	-/* Movable Type (r) Open Source (C) 2001-2014 Six Apart, Ltd.
	5	+/* Movable Type (r) Open Source (C) 2001-2015 Six Apart, Ltd.
	6	* This file is combined from multiple sources. Consult the source files for their
	7	* respective licenses and copyrights.
	8	*/html{font-size:100%;-webkit-text-size-adjust:100%;-ms-text-size-adjust:100%;}body{margin:0;}h1,

Line 0 Link Here

(-)./files/patch-mt-static__css__simple.css (+8 lines)
	1	--- mt-static/css/simple.css.orig 2014-12-11 01:28:24.000000000 +0900
	2	+++ mt-static/css/simple.css 2015-02-13 11:25:05.000000000 +0900
	3	@@ -1,4 +1,4 @@
	4	-/* Movable Type (r) Open Source (C) 2001-2014 Six Apart, Ltd.
	5	+/* Movable Type (r) Open Source (C) 2001-2015 Six Apart, Ltd.
	6	* This file is combined from multiple sources. Consult the source files for their
	7	* respective licenses and copyrights.
	8	*/html{font-size:100%;-webkit-text-size-adjust:100%;-ms-text-size-adjust:100%;}body{margin:0;}h1,

Line 0 Link Here

(-)./files/patch-mt-static__js__editor.js (+8 lines)
	1	--- mt-static/js/editor.js.orig 2014-12-11 01:28:22.000000000 +0900
	2	+++ mt-static/js/editor.js 2015-02-13 11:25:40.000000000 +0900
	3	@@ -1,4 +1,4 @@
	4	-/* Movable Type (r) Open Source (C) 2001-2014 Six Apart, Ltd.
	5	+/* Movable Type (r) Open Source (C) 2001-2015 Six Apart, Ltd.
	6	* This file is combined from multiple sources. Consult the source files for their
	7	* respective licenses and copyrights.
	8	*/;(function($){MT.EditorManager=function(){this.init.apply(this,arguments);};$.extend(MT.EditorManager,{editors:{},editorsForFormat:{},map:{},defaultWrapTag:'div',defaultWrapClass:'mt-editor-manager-wrap',register:function(id,editor){var thisConstructor=this;this.editors[id]=editor;$.each(editor.formatsForCurrentContext(),function(){if(!thisConstructor.editorsForFormat[this]){thisConstructor.editorsForFormat[this]=[];}

Line 0 Link Here

(-)./files/patch-mt-static_js_mt_core_compact.js (+8 lines)
	1	--- mt-static/js/mt_core_compact.js.orig 2014-12-11 01:28:22.000000000 +0900
	2	+++ mt-static/js/mt_core_compact.js 2015-02-13 11:26:17.000000000 +0900
	3	@@ -1,4 +1,4 @@
	4	-/* Movable Type (r) Open Source (C) 2001-2014 Six Apart, Ltd.
	5	+/* Movable Type (r) Open Source (C) 2001-2015 Six Apart, Ltd.
	6	* This file is combined from multiple sources. Consult the source files for their
	7	* respective licenses and copyrights.
	8	*/defined=function(x){return x!==undefined;};exists=function(x){return(x===undefined\|\|x===null)?false:true;};truth=function(x){return(x&&x!="0")?true:false;};finite=function(x){return isFinite(x)?x:0;};finiteInt=function(x,b){return finite(parseInt(x,b));};finiteFloat=function(x){return finite(parseFloat(x));};max=function(){var a=arguments;var n=a[0];for(var i=1;i<a.length;i++)




--- php/mt.php.orig	2014-12-11 01:28:20.000000000 +0900
+++ php/mt.php	2015-02-13 11:27:05.000000000 +0900
@@ -11,7 +11,7 @@
 require_once('lib/class.exception.php');
 
 define('VERSION', '5.2');
-define('PRODUCT_VERSION', '5.2.11');
+define('PRODUCT_VERSION', '5.2.12');
 
 $PRODUCT_NAME = 'Movable Type';
 if($PRODUCT_NAME == '__PRODUCT' . '_NAME__')
@@ -20,10 +20,10 @@
 
 $RELEASE_NUMBER = '11';
 if ( $RELEASE_NUMBER == '__RELEASE_' . 'NUMBER__' )
-    $RELEASE_NUMBER = 11;
+    $RELEASE_NUMBER = 12;
 define('RELEASE_NUMBER', $RELEASE_NUMBER);
 
-$PRODUCT_VERSION_ID = '5.2.11-ru';
+$PRODUCT_VERSION_ID = '5.2.12-ru';
 if ( $PRODUCT_VERSION_ID == '__PRODUCT_' . 'VERSION_ID__' )
     $PRODUCT_VERSION_ID = PRODUCT_VERSION;
 $VERSION_STRING;

Return to bug 197588

Line 0 Link Here

(-)./files/patch-lib__MT__App__Upgrader.pm (+13 lines)
	1	--- lib/MT/App/Upgrader.pm.orig 2014-12-11 01:26:51.000000000 +0900
	2	+++ lib/MT/App/Upgrader.pm 2015-02-13 11:11:10.000000000 +0900
	3	@@ -671,6 +671,10 @@
	4	$data = pack 'H*', $data;
	5	require MT::Serialize;
	6	my $ser = MT::Serialize->new('MT');
	7	+ my $ser_ver = $ser->serializer_version($data);
	8	+ if ( !$ser_ver \|\| $ser_ver != $MT::Serialize::SERIALIZER_VERSION ) {
	9	+ die $app->translate('Invalid parameter.');
	10	+ }
	11	my $thawed = $ser->unserialize($data);
	12	if ($thawed) {
	13	my $saved_cfg = $$thawed;

Line 0 Link Here

(-)./files/patch-lib__MT__App__Wizard.pm (+13 lines)
	1	--- lib/MT/App/Wizard.pm.orig 2014-12-11 01:26:51.000000000 +0900
	2	+++ lib/MT/App/Wizard.pm 2015-02-13 11:13:16.000000000 +0900
	3	@@ -1252,6 +1252,10 @@
	4	$data = pack 'H*', $data;
	5	require MT::Serialize;
	6	my $ser = MT::Serialize->new('MT');
	7	+ my $ser_ver = $ser->serializer_version($data);
	8	+ if ( !$ser_ver \|\| $ser_ver != $MT::Serialize::SERIALIZER_VERSION ) {
	9	+ die $app->translate('Invalid parameter.');
	10	+ }
	11	my $thawed = $ser->unserialize($data);
	12	if ($thawed) {
	13	my $saved_cfg = $$thawed;

Line 0 Link Here

(-)./files/patch-lib__MT__BackupRestore__BackupFileHandler.pm (+34 lines)
	1	--- lib/MT/BackupRestore/BackupFileHandler.pm.orig 2014-12-11 01:26:51.000000000 +0900
	2	+++ lib/MT/BackupRestore/BackupFileHandler.pm 2015-02-13 11:14:50.000000000 +0900
	3	@@ -409,6 +409,15 @@
	4	if ( 'blob' eq $defs->{$column_name}->{type} ) {
	5	$text = MIME::Base64::decode_base64($text);
	6	if ( substr( $text, 0, 4 ) eq 'SERG' ) {
	7	+ my $ser_ver
	8	+ = MT::Serialize->serializer_version($text);
	9	+ if ( $ser_ver == 3 ) {
	10	+ my $conf_ver = lc MT->config->Serializer;
	11	+ if ( ( $conf_ver ne 'storable' ) && ( $conf_ver ne 'mts' ) ) {
	12	+ $self->{critical} = 1;
	13	+ die MT->translate('Invalid serializer version was specified.');
	14	+ }
	15	+ }
	16	$text = MT::Serialize->unserialize($text);
	17	$obj->$column_name($$text);
	18	}
	19	@@ -424,6 +433,15 @@
	20	if ( my $type = $metacolumns->{$column_name} ) {
	21	if ( 'vblob' eq $type ) {
	22	$text = MIME::Base64::decode_base64($text);
	23	+ my $ser_ver
	24	+ = MT::Serialize->serializer_version($text);
	25	+ if ( $ser_ver == 3 ) {
	26	+ my $conf_ver = lc MT->config->Serializer;
	27	+ if ( ( $conf_ver ne 'storable' ) && ( $conf_ver ne 'mts' ) ) {
	28	+ $self->{critical} = 1;
	29	+ die MT->translate('Invalid serializer version was specified.');
	30	+ }
	31	+ }
	32	$text = MT::Serialize->unserialize($text);
	33	$obj->$column_name($$text);
	34	}

Line 0 Link Here

(-)./files/patch-lib__MT__Serialize.pm (+92 lines)
		1	--- lib/MT/XMLRPCServer.pm.orig 2014-12-11 01:26:51.000000000 +0900
		2	+++ lib/MT/XMLRPCServer.pm 2015-02-13 11:21:09.000000000 +0900
		3	@@ -495,7 +495,18 @@
		4	}
		5
		6	_validate_params( [ $blog_id, $user, $pass, $publish ] ) or return;
		7	- _validate_params( [ values %$item ] ) or return;
		8	+ my $values;
		9	+ foreach my $k ( keys %$item ) {
		10	+ if ( 'categories' eq $k \|\| 'mt_tb_ping_urls' eq $k ) {
		11	+
		12	+ # XMLRPC supports categories array and mt_tb_ping_urls array
		13	+ _validate_params( \@{ $item->{$k} } ) or return;
		14	+ }
		15	+ else {
		16	+ push @$values, $item->{$k};
		17	+ }
		18	+ }
		19	+ _validate_params( \@$values ) or return;
		20
		21	$class->_new_entry(
		22	blog_id => $blog_id,
		23	@@ -511,7 +522,18 @@
		24	my ( $blog_id, $user, $pass, $item, $publish ) = @_;
		25
		26	_validate_params( [ $blog_id, $user, $pass, $publish ] ) or return;
		27	- _validate_params( [ values %$item ] ) or return;
		28	+ my $values;
		29	+ foreach my $k ( keys %$item ) {
		30	+ if ( 'mt_tb_ping_urls' eq $k ) {
		31	+
		32	+ # XMLRPC supports mt_tb_ping_urls array
		33	+ _validate_params( \@{ $item->{$k} } ) or return;
		34	+ }
		35	+ else {
		36	+ push @$values, $item->{$k};
		37	+ }
		38	+ }
		39	+ _validate_params( \@$values ) or return;
		40
		41	$class->_new_entry(
		42	blog_id => $blog_id,
		43	@@ -663,7 +685,18 @@
		44	}
		45
		46	_validate_params( [ $entry_id, $user, $pass, $publish ] ) or return;
		47	- _validate_params( [ values %$item ] ) or return;
		48	+ my $values;
		49	+ foreach my $k ( keys %$item ) {
		50	+ if ( 'categories' eq $k \|\| 'mt_tb_ping_urls' eq $k ) {
		51	+
		52	+ # XMLRPC supports categories array and mt_tb_ping_urls array
		53	+ _validate_params( \@{ $item->{$k} } ) or return;
		54	+ }
		55	+ else {
		56	+ push @$values, $item->{$k};
		57	+ }
		58	+ }
		59	+ _validate_params( \@$values ) or return;
		60
		61	$class->_edit_entry(
		62	entry_id => $entry_id,
		63	@@ -680,7 +713,18 @@
		64
65	_validate_params( [ $blog_id, $entry_id, $user, $pass, $publish ] )
66	or return;
67	- _validate_params( [ values %$item ] ) or return;
68	+ my $values;
69	+ foreach my $k ( keys %$item ) {
70	+ if ( 'mt_tb_ping_urls' eq $k ) {
71	+
72	+ # XMLRPC supports mt_tb_ping_urls array
73	+ _validate_params( \@{ $item->{$k} } ) or return;
74	+ }
75	+ else {
76	+ push @$values, $item->{$k};
77	+ }
78	+ }
79	+ _validate_params( \@$values ) or return;
80
81	$class->_edit_entry(
82	blog_id => $blog_id,
83	@@ -1493,8 +1537,7 @@
84	}
85
86	my $local_file = File::Spec->catfile( $blog->site_path, $file->{name} );
87	- my $ext
88	- = ( File::Basename::fileparse( $local_file, qr/[A-Za-z0-9]+$/ ) )[2];
89	+ my $ext = ( File::Basename::fileparse( $local_file, qr/[A-Za-z0-9]+$/ ) )[2];
90	require MT::Asset::Image;
91	if ( MT::Asset::Image->can_handle($ext) ) {
92	require MT::Image;

Line 0 Link Here

(-)./files/patch-php_mt.php (+24 lines)
	1	--- php/mt.php.orig 2014-12-11 01:28:20.000000000 +0900
	2	+++ php/mt.php 2015-02-13 11:27:05.000000000 +0900
	3	@@ -11,7 +11,7 @@
	4	require_once('lib/class.exception.php');
	5
	6	define('VERSION', '5.2');
	7	-define('PRODUCT_VERSION', '5.2.11');
	8	+define('PRODUCT_VERSION', '5.2.12');
	9
	10	$PRODUCT_NAME = 'Movable Type';
	11	if($PRODUCT_NAME == '__PRODUCT' . '_NAME__')
	12	@@ -20,10 +20,10 @@
	13
	14	$RELEASE_NUMBER = '11';
	15	if ( $RELEASE_NUMBER == '__RELEASE_' . 'NUMBER__' )
	16	- $RELEASE_NUMBER = 11;
	17	+ $RELEASE_NUMBER = 12;
	18	define('RELEASE_NUMBER', $RELEASE_NUMBER);
	19
	20	-$PRODUCT_VERSION_ID = '5.2.11-ru';
	21	+$PRODUCT_VERSION_ID = '5.2.12-ru';
	22	if ( $PRODUCT_VERSION_ID == '__PRODUCT_' . 'VERSION_ID__' )
	23	$PRODUCT_VERSION_ID = PRODUCT_VERSION;
	24	$VERSION_STRING;