diff options
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/action.php | 26 | ||||
| -rw-r--r-- | lib/command.php | 129 | ||||
| -rw-r--r-- | lib/theme.php | 62 | ||||
| -rw-r--r-- | lib/themeuploader.php | 53 | ||||
| -rw-r--r-- | lib/usernoprofileexception.php | 4 | ||||
| -rw-r--r-- | lib/util.php | 3 |
6 files changed, 225 insertions, 52 deletions
diff --git a/lib/action.php b/lib/action.php index 2b3b707c5..c86dd2d86 100644 --- a/lib/action.php +++ b/lib/action.php @@ -121,7 +121,10 @@ class Action extends HTMLOutputter // lawsuit // XXX: attributes (profile?) $this->elementStart('head'); if (Event::handle('StartShowHeadElements', array($this))) { - $this->showTitle(); + if (Event::handle('StartShowHeadTitle', array($this))) { + $this->showTitle(); + Event::handle('EndShowHeadTitle', array($this)); + } $this->showShortcutIcon(); $this->showStylesheets(); $this->showOpenSearch(); @@ -200,7 +203,7 @@ class Action extends HTMLOutputter // lawsuit if (Event::handle('StartShowStatusNetStyles', array($this)) && Event::handle('StartShowLaconicaStyles', array($this))) { - $this->cssLink('css/display.css',null, 'screen, projection, tv, print'); + $this->primaryCssLink(null, 'screen, projection, tv, print'); Event::handle('EndShowStatusNetStyles', array($this)); Event::handle('EndShowLaconicaStyles', array($this)); } @@ -235,7 +238,7 @@ class Action extends HTMLOutputter // lawsuit Event::handle('EndShowDesign', array($this)); } Event::handle('EndShowStyles', array($this)); - + if (common_config('custom_css', 'enabled')) { $css = common_config('custom_css', 'css'); if (Event::handle('StartShowCustomCss', array($this, &$css))) { @@ -248,6 +251,18 @@ class Action extends HTMLOutputter // lawsuit } } + function primaryCssLink($mainTheme=null, $media=null) + { + // If the currently-selected theme has dependencies on other themes, + // we'll need to load their display.css files as well in order. + $theme = new Theme($mainTheme); + $baseThemes = $theme->getDeps(); + foreach ($baseThemes as $baseTheme) { + $this->cssLink('css/display.css', $baseTheme, $media); + } + $this->cssLink('css/display.css', $mainTheme, $media); + } + /** * Show javascript headers * @@ -616,7 +631,10 @@ class Action extends HTMLOutputter // lawsuit function showContentBlock() { $this->elementStart('div', array('id' => 'content')); - $this->showPageTitle(); + if (Event::handle('StartShowPageTitle', array($this))) { + $this->showPageTitle(); + Event::handle('EndShowPageTitle', array($this)); + } $this->showPageNoticeBlock(); $this->elementStart('div', array('id' => 'content_inner')); // show the actual content (forms, lists, whatever) diff --git a/lib/command.php b/lib/command.php index 30db9d069..90a321ad3 100644 --- a/lib/command.php +++ b/lib/command.php @@ -49,7 +49,7 @@ class Command } } - + /** * Override this with the meat! * @@ -80,15 +80,16 @@ class Command $notice = Notice::staticGet(substr($arg,1)); if (!$notice) { - throw new CommandException(_('Notice with that id does not exist')); + // TRANS: Command exception text shown when a notice ID is requested that does not exist. + throw new CommandException(_('Notice with that id does not exist.')); } } - + if (Validate::uri($this->other)) { // A specific notice by URI lookup $notice = Notice::staticGet('uri', $arg); } - + if (!$notice) { // Local or remote profile name to get their last notice. // May throw an exception and report 'no such user' @@ -96,13 +97,15 @@ class Command $notice = $recipient->getCurrentNotice(); if (!$notice) { - throw new CommandException(_('User has no last notice')); + // TRANS: Command exception text shown when a last user notice is requested and it does not exist. + throw new CommandException(_('User has no last notice.')); } } } Event::handle('EndCommandGetNotice', array($this, $arg, &$notice)); if (!$notice) { - throw new CommandException(_('Notice with that id does not exist')); + // TRANS: Command exception text shown when a notice ID is requested that does not exist. + throw new CommandException(_('Notice with that id does not exist.')); } return $notice; } @@ -124,7 +127,7 @@ class Command if (!$profile) { // TRANS: Message given requesting a profile for a non-existing user. // TRANS: %s is the nickname of the user for which the profile could not be found. - throw new CommandException(sprintf(_('Could not find a user with nickname %s'), $arg)); + throw new CommandException(sprintf(_('Could not find a user with nickname %s.'), $arg)); } return $profile; } @@ -144,7 +147,7 @@ class Command if (!$user){ // TRANS: Message given getting a non-existing user. // TRANS: %s is the nickname of the user that could not be found. - throw new CommandException(sprintf(_('Could not find a local user with nickname %s'), + throw new CommandException(sprintf(_('Could not find a local user with nickname %s.'), $arg)); } return $user; @@ -163,6 +166,7 @@ class Command } Event::handle('EndCommandGetGroup', array($this, $arg, &$group)); if (!$group) { + // TRANS: Command exception text shown when a group is requested that does not exist. throw new CommandException(_('No such group.')); } return $group; @@ -177,6 +181,7 @@ class UnimplementedCommand extends Command { function handle($channel) { + // TRANS: Error text shown when an unimplemented command is given. $channel->error($this->user, _("Sorry, this command is not yet implemented.")); } } @@ -222,6 +227,7 @@ class NudgeCommand extends Command { $recipient = $this->getUser($this->other); if ($recipient->id == $this->user->id) { + // TRANS: Command exception text shown when a user tries to nudge themselves. throw new CommandException(_('It does not make a lot of sense to nudge yourself!')); } else { if ($recipient->email && $recipient->emailnotifynudge) { @@ -231,7 +237,7 @@ class NudgeCommand extends Command // XXX: notify by SMS // TRANS: Message given having nudged another user. // TRANS: %s is the nickname of the user that was nudged. - $channel->output($this->user, sprintf(_('Nudge sent to %s'), + $channel->output($this->user, sprintf(_('Nudge sent to %s.'), $recipient->nickname)); } } @@ -257,6 +263,10 @@ class StatsCommand extends Command $subbed_count = $profile->subscriberCount(); $notice_count = $profile->noticeCount(); + // TRANS: User statistics text. + // TRANS: %1$s is the number of other user the user is subscribed to. + // TRANS: %2$s is the number of users that are subscribed to the user. + // TRANS: %3$s is the number of notices the user has sent. $channel->output($this->user, sprintf(_("Subscriptions: %1\$s\n". "Subscribers: %2\$s\n". "Notices: %3\$s"), @@ -282,6 +292,7 @@ class FavCommand extends Command $fave = Fave::addNew($this->user->getProfile(), $notice); if (!$fave) { + // TRANS: Error message text shown when a favorite could not be set. $channel->error($this->user, _('Could not create favorite.')); return; } @@ -299,6 +310,7 @@ class FavCommand extends Command $this->user->blowFavesCache(); + // TRANS: Text shown when a notice has been marked as favourite successfully. $channel->output($this->user, _('Notice marked as fave.')); } @@ -320,10 +332,12 @@ class JoinCommand extends Command $cur = $this->user; if ($cur->isMember($group)) { - $channel->error($cur, _('You are already a member of that group')); + // TRANS: Error text shown a user tries to join a group they already are a member of. + $channel->error($cur, _('You are already a member of that group.')); return; } if (Group_block::isBlocked($group, $cur->getProfile())) { + // TRANS: Error text shown when a user tries to join a group they are blocked from joining. $channel->error($cur, _('You have been blocked from that group by the admin.')); return; } @@ -336,14 +350,14 @@ class JoinCommand extends Command } catch (Exception $e) { // TRANS: Message given having failed to add a user to a group. // TRANS: %1$s is the nickname of the user, %2$s is the nickname of the group. - $channel->error($cur, sprintf(_('Could not join user %1$s to group %2$s'), + $channel->error($cur, sprintf(_('Could not join user %1$s to group %2$s.'), $cur->nickname, $group->nickname)); return; } // TRANS: Message given having added a user to a group. // TRANS: %1$s is the nickname of the user, %2$s is the nickname of the group. - $channel->output($cur, sprintf(_('%1$s joined group %2$s'), + $channel->output($cur, sprintf(_('%1$s joined group %2$s.'), $cur->nickname, $group->nickname)); } @@ -365,11 +379,13 @@ class DropCommand extends Command $cur = $this->user; if (!$group) { + // TRANS: Error text shown when trying to leave a group that does not exist. $channel->error($cur, _('No such group.')); return; } if (!$cur->isMember($group)) { + // TRANS: Error text shown when trying to leave an existing group the user is not a member of. $channel->error($cur, _('You are not a member of that group.')); return; } @@ -382,14 +398,14 @@ class DropCommand extends Command } catch (Exception $e) { // TRANS: Message given having failed to remove a user from a group. // TRANS: %1$s is the nickname of the user, %2$s is the nickname of the group. - $channel->error($cur, sprintf(_('Could not remove user %1$s from group %2$s'), + $channel->error($cur, sprintf(_('Could not remove user %1$s from group %2$s.'), $cur->nickname, $group->nickname)); return; } // TRANS: Message given having removed a user from a group. // TRANS: %1$s is the nickname of the user, %2$s is the nickname of the group. - $channel->output($cur, sprintf(_('%1$s left group %2$s'), + $channel->output($cur, sprintf(_('%1$s left group %2$s.'), $cur->nickname, $group->nickname)); } @@ -454,12 +470,14 @@ class MessageCommand extends Command } catch (CommandException $f) { throw $e; } + // TRANS: Command exception text shown when trying to send a direct message to a remote user (a user not registered at the current server). throw new CommandException(sprintf(_('%s is a remote profile; you can only send direct messages to users on the same server.'), $this->other)); } $len = mb_strlen($this->text); if ($len == 0) { + // TRANS: Command exception text shown when trying to send a direct message to another user without content. $channel->error($this->user, _('No content!')); return; } @@ -467,20 +485,24 @@ class MessageCommand extends Command $this->text = common_shorten_links($this->text); if (Message::contentTooLong($this->text)) { + // XXX: i18n. Needs plural support. // TRANS: Message given if content is too long. // TRANS: %1$d is the maximum number of characters, %2$d is the number of submitted characters. - $channel->error($this->user, sprintf(_('Message too long - maximum is %1$d characters, you sent %2$d'), + $channel->error($this->user, sprintf(_('Message too long - maximum is %1$d characters, you sent %2$d.'), Message::maxContent(), mb_strlen($this->text))); return; } if (!$other) { + // TRANS: Error text shown when trying to send a direct message to a user that does not exist. $channel->error($this->user, _('No such user.')); return; } else if (!$this->user->mutuallySubscribed($other)) { + // TRANS: Error text shown when trying to send a direct message to a user without a mutual subscription (each user must be subscribed to the other). $channel->error($this->user, _('You can\'t send a message to this user.')); return; } else if ($this->user->id == $other->id) { + // TRANS: Error text shown when trying to send a direct message to self. $channel->error($this->user, _('Don\'t send a message to yourself; just say it to yourself quietly instead.')); return; } @@ -489,8 +511,9 @@ class MessageCommand extends Command $message->notify(); // TRANS: Message given have sent a direct message to another user. // TRANS: %s is the name of the other user. - $channel->output($this->user, sprintf(_('Direct message to %s sent'), $this->other)); + $channel->output($this->user, sprintf(_('Direct message to %s sent.'), $this->other)); } else { + // TRANS: Error text shown sending a direct message fails with an unknown reason. $channel->error($this->user, _('Error sending direct message.')); } } @@ -511,12 +534,14 @@ class RepeatCommand extends Command if($this->user->id == $notice->profile_id) { - $channel->error($this->user, _('Cannot repeat your own notice')); + // TRANS: Error text shown when trying to repeat an own notice. + $channel->error($this->user, _('Cannot repeat your own notice.')); return; } if ($this->user->getProfile()->hasRepeated($notice->id)) { - $channel->error($this->user, _('Already repeated that notice')); + // TRANS: Error text shown when trying to repeat an notice that was already repeated by the user. + $channel->error($this->user, _('Already repeated that notice.')); return; } @@ -526,8 +551,9 @@ class RepeatCommand extends Command // TRANS: Message given having repeated a notice from another user. // TRANS: %s is the name of the user for which the notice was repeated. - $channel->output($this->user, sprintf(_('Notice from %s repeated'), $recipient->nickname)); + $channel->output($this->user, sprintf(_('Notice from %s repeated.'), $recipient->nickname)); } else { + // TRANS: Error text shown when repeating a notice fails with an unknown reason. $channel->error($this->user, _('Error repeating notice.')); } } @@ -552,6 +578,7 @@ class ReplyCommand extends Command $len = mb_strlen($this->text); if ($len == 0) { + // TRANS: Command exception text shown when trying to reply to a notice without providing content for the reply. $channel->error($this->user, _('No content!')); return; } @@ -559,7 +586,10 @@ class ReplyCommand extends Command $this->text = common_shorten_links($this->text); if (Notice::contentTooLong($this->text)) { - $channel->error($this->user, sprintf(_('Notice too long - maximum is %d characters, you sent %d'), + // XXX: i18n. Needs plural support. + // TRANS: Message given if content of a notice for a reply is too long. + // TRANS: %1$d is the maximum number of characters, %2$d is the number of submitted characters. + $channel->error($this->user, sprintf(_('Notice too long - maximum is %1$d characters, you sent %2$d.'), Notice::maxContent(), mb_strlen($this->text))); return; } @@ -568,8 +598,11 @@ class ReplyCommand extends Command array('reply_to' => $notice->id)); if ($notice) { - $channel->output($this->user, sprintf(_('Reply to %s sent'), $recipient->nickname)); + // TRANS: Text shown having sent a reply to a notice successfully. + // TRANS: %s is the nickname of the user of the notice the reply was sent to. + $channel->output($this->user, sprintf(_('Reply to %s sent.'), $recipient->nickname)); } else { + // TRANS: Error text shown when a reply to a notice fails with an unknown reason. $channel->error($this->user, _('Error saving notice.')); } @@ -593,7 +626,8 @@ class GetCommand extends Command $notice = $target->getCurrentNotice(); if (!$notice) { - $channel->error($this->user, _('User has no last notice')); + // TRANS: Error text shown when a last user notice is requested and it does not exist. + $channel->error($this->user, _('User has no last notice.')); return; } $notice_content = $notice->content; @@ -617,7 +651,8 @@ class SubCommand extends Command { if (!$this->other) { - $channel->error($this->user, _('Specify the name of the user to subscribe to')); + // TRANS: Error text shown when no username was provided when issuing a subscribe command. + $channel->error($this->user, _('Specify the name of the user to subscribe to.')); return; } @@ -625,13 +660,16 @@ class SubCommand extends Command $remote = Remote_profile::staticGet('id', $target->id); if ($remote) { + // TRANS: Command exception text shown when trying to subscribe to an OMB profile using the subscribe command. throw new CommandException(_("Can't subscribe to OMB profiles by command.")); } try { Subscription::start($this->user->getProfile(), $target); - $channel->output($this->user, sprintf(_('Subscribed to %s'), $this->other)); + // TRANS: Text shown after having subscribed to another user successfully. + // TRANS: %s is the name of the user the subscription was requested for. + $channel->output($this->user, sprintf(_('Subscribed to %s.'), $this->other)); } catch (Exception $e) { $channel->error($this->user, $e->getMessage()); } @@ -652,7 +690,8 @@ class UnsubCommand extends Command function handle($channel) { if(!$this->other) { - $channel->error($this->user, _('Specify the name of the user to unsubscribe from')); + // TRANS: Error text shown when no username was provided when issuing an unsubscribe command. + $channel->error($this->user, _('Specify the name of the user to unsubscribe from.')); return; } @@ -661,7 +700,9 @@ class UnsubCommand extends Command try { Subscription::cancel($this->user->getProfile(), $target); - $channel->output($this->user, sprintf(_('Unsubscribed from %s'), $this->other)); + // TRANS: Text shown after having unsubscribed from another user successfully. + // TRANS: %s is the name of the user the unsubscription was requested for. + $channel->output($this->user, sprintf(_('Unsubscribed from %s.'), $this->other)); } catch (Exception $e) { $channel->error($this->user, $e->getMessage()); } @@ -679,11 +720,14 @@ class OffCommand extends Command function handle($channel) { if ($this->other) { + // TRANS: Error text shown when issuing the command "off" with a setting which has not yet been implemented. $channel->error($this->user, _("Command not yet implemented.")); } else { if ($channel->off($this->user)) { + // TRANS: Text shown when issuing the command "off" successfully. $channel->output($this->user, _('Notification off.')); } else { + // TRANS: Error text shown when the command "off" fails for an unknown reason. $channel->error($this->user, _('Can\'t turn off notification.')); } } @@ -702,11 +746,14 @@ class OnCommand extends Command function handle($channel) { if ($this->other) { + // TRANS: Error text shown when issuing the command "on" with a setting which has not yet been implemented. $channel->error($this->user, _("Command not yet implemented.")); } else { if ($channel->on($this->user)) { + // TRANS: Text shown when issuing the command "on" successfully. $channel->output($this->user, _('Notification on.')); } else { + // TRANS: Error text shown when the command "on" fails for an unknown reason. $channel->error($this->user, _('Can\'t turn on notification.')); } } @@ -720,7 +767,8 @@ class LoginCommand extends Command $disabled = common_config('logincommand','disabled'); $disabled = isset($disabled) && $disabled; if($disabled) { - $channel->error($this->user, _('Login command is disabled')); + // TRANS: Error text shown when issuing the login command while login is disabled. + $channel->error($this->user, _('Login command is disabled.')); return; } @@ -731,7 +779,9 @@ class LoginCommand extends Command } $channel->output($this->user, - sprintf(_('This link is useable only once, and is good for only 2 minutes: %s'), + // TRANS: Text shown after issuing the login command successfully. + // TRANS: %s is a logon link.. + sprintf(_('This link is useable only once and is valid for only 2 minutes: %s.'), common_local_url('otp', array('user_id' => $login_token->user_id, 'token' => $login_token->token)))); } @@ -739,7 +789,6 @@ class LoginCommand extends Command class LoseCommand extends Command { - var $other = null; function __construct($user, $other) @@ -751,14 +800,17 @@ class LoseCommand extends Command function execute($channel) { if(!$this->other) { - $channel->error($this->user, _('Specify the name of the user to unsubscribe from')); + // TRANS: Error text shown when no username was provided when issuing the command. + $channel->error($this->user, _('Specify the name of the user to unsubscribe from.')); return; } $result = Subscription::cancel($this->getProfile($this->other), $this->user->getProfile()); if ($result) { - $channel->output($this->user, sprintf(_('Unsubscribed %s'), $this->other)); + // TRANS: Text shown after issuing the lose command successfully (stop another user from following the current user). + // TRANS: %s is the name of the user the unsubscription was requested for. + $channel->output($this->user, sprintf(_('Unsubscribed %s.'), $this->other)); } else { $channel->error($this->user, $result); } @@ -775,8 +827,12 @@ class SubscriptionsCommand extends Command $nicknames[]=$profile->nickname; } if(count($nicknames)==0){ + // TRANS: Text shown after requesting other users a user is subscribed to without having any subscriptions. $out=_('You are not subscribed to anyone.'); }else{ + // TRANS: Text shown after requesting other users a user is subscribed to. + // TRANS: This message support plural forms. This message is followed by a + // TRANS: hard coded space and a comma separated list of subscribed users. $out = ngettext('You are subscribed to this person:', 'You are subscribed to these people:', count($nicknames)); @@ -797,8 +853,13 @@ class SubscribersCommand extends Command $nicknames[]=$profile->nickname; } if(count($nicknames)==0){ + // TRANS: Text shown after requesting other users that are subscribed to a user + // TRANS: (followers) without having any subscribers. $out=_('No one is subscribed to you.'); }else{ + // TRANS: Text shown after requesting other users that are subscribed to a user (followers). + // TRANS: This message support plural forms. This message is followed by a + // TRANS: hard coded space and a comma separated list of subscribing users. $out = ngettext('This person is subscribed to you:', 'These people are subscribed to you:', count($nicknames)); @@ -819,8 +880,13 @@ class GroupsCommand extends Command $groups[]=$group->nickname; } if(count($groups)==0){ + // TRANS: Text shown after requesting groups a user is subscribed to without having + // TRANS: any group subscriptions. $out=_('You are not a member of any groups.'); }else{ + // TRANS: Text shown after requesting groups a user is subscribed to. + // TRANS: This message support plural forms. This message is followed by a + // TRANS: hard coded space and a comma separated list of subscribed groups. $out = ngettext('You are a member of this group:', 'You are a member of these groups:', count($nicknames)); @@ -834,6 +900,7 @@ class HelpCommand extends Command { function handle($channel) { + // TRANS: Help text for commands. $channel->output($this->user, _("Commands:\n". "on - turn on notifications\n". diff --git a/lib/theme.php b/lib/theme.php index a9d0cbc84..992fce870 100644 --- a/lib/theme.php +++ b/lib/theme.php @@ -54,6 +54,7 @@ if (!defined('STATUSNET') && !defined('LACONICA')) { class Theme { + var $name = null; var $dir = null; var $path = null; @@ -70,6 +71,10 @@ class Theme if (empty($name)) { $name = common_config('site', 'theme'); } + if (!self::validName($name)) { + throw new ServerException("Invalid theme name."); + } + $this->name = $name; // Check to see if it's in the local dir @@ -178,6 +183,58 @@ class Theme } /** + * Fetch a list of other themes whose CSS needs to be pulled in before + * this theme's, based on following the theme.ini 'include' settings. + * (May be empty if this theme has no include dependencies.) + * + * @return array of strings with theme names + */ + function getDeps() + { + $chain = $this->doGetDeps(array($this->name)); + array_pop($chain); // Drop us back off + return $chain; + } + + protected function doGetDeps($chain) + { + $data = $this->getMetadata(); + if (!empty($data['include'])) { + $include = $data['include']; + + // Protect against cycles! + if (!in_array($include, $chain)) { + try { + $theme = new Theme($include); + array_unshift($chain, $include); + return $theme->doGetDeps($chain); + } catch (Exception $e) { + common_log(LOG_ERR, + "Exception while fetching theme dependencies " . + "for $this->name: " . $e->getMessage()); + } + } + } + return $chain; + } + + /** + * Pull data from the theme's theme.ini file. + * @fixme calling getFile will fall back to default theme, this may be unsafe. + * + * @return associative array of strings + */ + function getMetadata() + { + $iniFile = $this->getFile('theme.ini'); + if (file_exists($iniFile)) { + return parse_ini_file($iniFile); + } else { + return array(); + } + } + + /** * Gets the full path of a file in a theme dir based on its relative name * * @param string $relative relative path within the theme directory @@ -285,4 +342,9 @@ class Theme return $instroot; } + + static function validName($name) + { + return preg_match('/^[a-z0-9][a-z0-9_-]*$/i', $name); + } } diff --git a/lib/themeuploader.php b/lib/themeuploader.php index 370965db0..5a48e884e 100644 --- a/lib/themeuploader.php +++ b/lib/themeuploader.php @@ -128,8 +128,16 @@ class ThemeUploader continue; } - // Check the directory structure... + // Is this a safe or skippable file? $path = pathinfo($name); + if ($this->skippable($path['filename'], $path['extension'])) { + // Documentation and such... booooring + continue; + } else { + $this->validateFile($path['filename'], $path['extension']); + } + + // Check the directory structure... $dirs = explode('/', $path['dirname']); $baseDir = array_shift($dirs); if ($commonBaseDir === false) { @@ -144,14 +152,6 @@ class ThemeUploader $this->validateFileOrFolder($dir); } - // Is this a safe or skippable file? - if ($this->skippable($path['filename'], $path['extension'])) { - // Documentation and such... booooring - continue; - } else { - $this->validateFile($path['filename'], $path['extension']); - } - $fullPath = $dirs; $fullPath[] = $path['basename']; $localFile = implode('/', $fullPath); @@ -180,39 +180,64 @@ class ThemeUploader } } + /** + * @fixme Probably most unrecognized files should just be skipped... + */ protected function skippable($filename, $ext) { - $skip = array('txt', 'rtf', 'doc', 'docx', 'odt'); + $skip = array('txt', 'html', 'rtf', 'doc', 'docx', 'odt', 'xcf'); if (strtolower($filename) == 'readme') { return true; } if (in_array(strtolower($ext), $skip)) { return true; } + if ($filename == '' || substr($filename, 0, 1) == '.') { + // Skip Unix-style hidden files + return true; + } + if ($filename == '__MACOSX') { + // Skip awful metadata files Mac OS X slips in for you. + // Thanks Apple! + return true; + } return false; } protected function validateFile($filename, $ext) { $this->validateFileOrFolder($filename); - $this->validateExtension($ext); + $this->validateExtension($filename, $ext); // @fixme validate content } protected function validateFileOrFolder($name) { - if (!preg_match('/^[a-z0-9_-]+$/i', $name)) { + if (!preg_match('/^[a-z0-9_\.-]+$/i', $name)) { + common_log(LOG_ERR, "Bad theme filename: $name"); $msg = _("Theme contains invalid file or folder name. " . "Stick with ASCII letters, digits, underscore, and minus sign."); throw new ClientException($msg); } + if (preg_match('/\.(php|cgi|asp|aspx|js|vb)\w/i', $name)) { + common_log(LOG_ERR, "Unsafe theme filename: $name"); + $msg = _("Theme contains unsafe file extension names; may be unsafe."); + throw new ClientException($msg); + } return true; } - protected function validateExtension($ext) + protected function validateExtension($base, $ext) { - $allowed = array('css', 'png', 'gif', 'jpg', 'jpeg'); + $allowed = array('css', // CSS may need validation + 'png', 'gif', 'jpg', 'jpeg', + 'svg', // SVG images/fonts may need validation + 'ttf', 'eot', 'woff'); if (!in_array(strtolower($ext), $allowed)) { + if ($ext == 'ini' && $base == 'theme') { + // theme.ini exception + return true; + } $msg = sprintf(_("Theme contains file of type '.%s', " . "which is not allowed."), $ext); diff --git a/lib/usernoprofileexception.php b/lib/usernoprofileexception.php index 6744d2529..e0186fef9 100644 --- a/lib/usernoprofileexception.php +++ b/lib/usernoprofileexception.php @@ -55,7 +55,9 @@ class UserNoProfileException extends ServerException { $this->user = $user; - $message = sprintf(_("User %s (%d) has no profile record."), + // TRANS: Exception text shown when no profile can be found for a user. + // TRANS: %1$s is a user nickname, $2$d is a user ID (number). + $message = sprintf(_("User %1$s (%2$d) has no profile record."), $user->nickname, $user->id); parent::__construct($message); diff --git a/lib/util.php b/lib/util.php index f187926b5..b7d3c80ca 100644 --- a/lib/util.php +++ b/lib/util.php @@ -1045,8 +1045,7 @@ function common_local_url($action, $args=null, $params=null, $fragment=null, $ad function common_is_sensitive($action) { - static $sensitive = array('login', 'register', 'passwordsettings', - 'twittersettings', 'api'); + static $sensitive = array('login', 'register', 'passwordsettings', 'api'); $ssl = null; if (Event::handle('SensitiveAction', array($action, &$ssl))) { |