Index: /FCKeditor/trunk/_whatsnew.html
===================================================================
--- /FCKeditor/trunk/_whatsnew.html	(revision 7668)
+++ /FCKeditor/trunk/_whatsnew.html	(revision 7669)
@@ -34,9 +34,14 @@
 		FCKeditor ChangeLog - What's New?</h1>
 	<h3>
-		Version 2.6.8</h3>
+		Version 2.6.9</h3>
 	<p>
 		Fixed Bugs:</p>
 	<ul>
-		<li><strong>Security release, upgrade is highly recommended </strong>(fixed XSS issue).</li>
+		<li><strong>Security release, upgrade is highly recommended </strong>.<ul>
+			<li>(ASP) File Upload Protection Bypass - reported by Soroush Dalili (@irsdl), Mostafa Azizi</li>
+			<li>XSS vulnerability in built-in file manager - reported by Soroush Dalili (<a href="http://SecProject.com">SecProject.com</a>)</li>
+			</ul>
+		</li>
+		<li><a href="http://dev.ckeditor.com/ticket/9716">#9716</a> Fix FCKeditor browser detection to work with Firefox 17 and IE 10</li>
 	</ul>
 	<p>
Index: /FCKeditor/trunk/_whatsnew_history.html
===================================================================
--- /FCKeditor/trunk/_whatsnew_history.html	(revision 7668)
+++ /FCKeditor/trunk/_whatsnew_history.html	(revision 7669)
@@ -33,4 +33,11 @@
 	<h1>
 		FCKeditor ChangeLog - What's New?</h1>
+	<h3>
+		Version 2.6.8</h3>
+	<p>
+		Fixed Bugs:</p>
+	<ul>
+		<li><strong>Security release, upgrade is highly recommended </strong>(fixed XSS issue).</li>
+	</ul>
 	<h3>
 		Version 2.6.7</h3>
Index: /FCKeditor/trunk/editor/filemanager/connectors/asp/class_upload.asp
===================================================================
--- /FCKeditor/trunk/editor/filemanager/connectors/asp/class_upload.asp	(revision 7668)
+++ /FCKeditor/trunk/editor/filemanager/connectors/asp/class_upload.asp	(revision 7669)
@@ -281,8 +281,8 @@
 
 		If sDenied = "" Then
-			oRE.Pattern	= sAllowed
+			oRE.Pattern	= "^(" & sAllowed & ")$"
 			IsAllowed	= (sAllowed = "") Or oRE.Test(sExt)
 		Else
-			oRE.Pattern	= sDenied
+			oRE.Pattern	= "^(" & sDenied & ")$"
 			IsAllowed	= Not oRE.Test(sExt)
 		End If
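Review bot: The anchored pattern in IsAllowed is only as safe as the comparison mode, and this hunk does not show whether oRE.IgnoreCase is set before these two Test calls — the IsHtmlExtension hunk below sets `oRE.IgnoreCase = True` explicitly, so confirm the same happens here (or that the caller lower-cases sExt), otherwise an upper-case extension would not match a lower-case entry in a denied list. The reason for the change also deserves a comment at the first assignment, e.g. `' Anchor the alternation so the whole extension must equal one configured entry`, since the extension lists are interpolated into the regex verbatim and are expected to be plain alternatives without metacharacters. The same anchoring is applied to sHtmlExtensions in the next hunk. The body of IsAllowed starts outside the hunk.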
@@ -300,5 +300,5 @@
 		oRE.IgnoreCase	= True
 		oRE.Global		= True
-		oRE.Pattern		= sHtmlExtensions
+		oRE.Pattern		= "^(" & sHtmlExtensions & ")$"
 
 		IsHtmlExtension = oRE.Test(sExt)
Index: /FCKeditor/trunk/editor/filemanager/connectors/asp/config.asp
===================================================================
--- /FCKeditor/trunk/editor/filemanager/connectors/asp/config.asp	(revision 7668)
+++ /FCKeditor/trunk/editor/filemanager/connectors/asp/config.asp	(revision 7669)
@@ -89,4 +89,6 @@
 '		Attention: It must end with a slash: '/'
 '
+'	WARNING: It is recommended to remove swf extension from the list of allowed extensions.
+'	SWF files can be used to perform XSS attack.
 
 Dim ConfigAllowedExtensions, ConfigDeniedExtensions, ConfigFileTypesPath, ConfigFileTypesAbsolutePath, ConfigQuickUploadPath, ConfigQuickUploadAbsolutePath
Index: /FCKeditor/trunk/editor/filemanager/connectors/asp/connector.asp
===================================================================
--- /FCKeditor/trunk/editor/filemanager/connectors/asp/connector.asp	(revision 7668)
+++ /FCKeditor/trunk/editor/filemanager/connectors/asp/connector.asp	(revision 7669)
@@ -53,5 +53,5 @@
 	' Check if it is an allowed command
 	if ( Not IsAllowedCommand( sCommand ) ) then
-		SendError 1, "The """ & sCommand & """ command isn't allowed"
+		SendError 1, "The requested command isn't allowed"
 	end if
 
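Review bot: The generic message at the SendError call drops the reflected sCommand but leaves no trace of why, so a later maintainer may restore the "helpful" detail; a comment such as `' Do not echo the request-supplied command: the error text is returned in the XML response and rendered by the client` would pin the intent. The same silent change is made in upload.asp (both messages), cf5_connector.cfm, cf5_upload.cfm, cf_connector.cfm, cf_upload.cfm, connector.php, upload.php, connector.py and upload.py, and the comment belongs at each of them. If the rejected value is needed for troubleshooting, it can be written to a server-side log rather than the response. The enclosing code continues outside the hunk.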
Index: /FCKeditor/trunk/editor/filemanager/connectors/asp/upload.asp
===================================================================
--- /FCKeditor/trunk/editor/filemanager/connectors/asp/upload.asp	(revision 7668)
+++ /FCKeditor/trunk/editor/filemanager/connectors/asp/upload.asp	(revision 7669)
@@ -53,10 +53,10 @@
 	' Is Upload enabled?
 	if ( Not IsAllowedCommand( sCommand ) ) then
-		SendUploadResults "1", "", "", "The """ & sCommand & """ command isn't allowed"
+		SendUploadResults "1", "", "", "The requested command isn't allowed"
 	end if
 
 	' Check if it is an allowed resource type.
 	if ( Not IsAllowedType( sResourceType ) ) Then
-		SendUploadResults "1", "", "", "The " & sResourceType & " resource type isn't allowed"
+		SendUploadResults "1", "", "", "The requested resource type isn't allowed"
 	end if
 
Index: /FCKeditor/trunk/editor/filemanager/connectors/aspx/config.ascx
===================================================================
--- /FCKeditor/trunk/editor/filemanager/connectors/aspx/config.ascx	(revision 7668)
+++ /FCKeditor/trunk/editor/filemanager/connectors/aspx/config.ascx	(revision 7669)
@@ -67,4 +67,7 @@
 		HtmlExtensions = new string[] { "html", "htm", "xml", "xsd", "txt", "js" };
 
+		// WARNING: It is recommended to remove swf extension from the list of allowed extensions.
+		// SWF files can be used to perform XSS attack.
+
 		TypeConfig[ "File" ].AllowedExtensions			= new string[] { "7z", "aiff", "asf", "avi", "bmp", "csv", "doc", "fla", "flv", "gif", "gz", "gzip", "jpeg", "jpg", "mid", "mov", "mp3", "mp4", "mpc", "mpeg", "mpg", "ods", "odt", "pdf", "png", "ppt", "pxd", "qt", "ram", "rar", "rm", "rmi", "rmvb", "rtf", "sdc", "sitd", "swf", "sxc", "sxw", "tar", "tgz", "tif", "tiff", "txt", "vsd", "wav", "wma", "wmv", "xls", "xml", "zip" };
 		TypeConfig[ "File" ].DeniedExtensions			= new string[] { };
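Review bot: The new warning recommends removing swf from the allowed list, but the default AllowedExtensions for "File" on the next line still contains "swf", so a stock install remains in exactly the state the comment warns against; the same holds for the defaults visible in config.pl, config.php and config.py, and presumably for config.asp and config.cfm, whose lists are outside their hunks. Either drop "swf" from the shipped defaults or, if backward compatibility rules that out, say so in the comment so the reader knows the default deliberately keeps it, e.g. `// Default kept for compatibility; remove "swf" here unless uploaded files are served from a separate origin.` The comment's second sentence also reads better as `// SWF files can be used to perform XSS attacks.`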
Index: /FCKeditor/trunk/editor/filemanager/connectors/cfm/cf5_connector.cfm
===================================================================
--- /FCKeditor/trunk/editor/filemanager/connectors/cfm/cf5_connector.cfm	(revision 7668)
+++ /FCKeditor/trunk/editor/filemanager/connectors/cfm/cf5_connector.cfm	(revision 7669)
@@ -125,5 +125,5 @@
 
 	<cfset invalidName = true>
-	<cfset xmlContent = '<Error number="1" text="The &quot;' & HTMLEditFormat(url.command) & '&quot; command isn''t allowed" />'>
+	<cfset xmlContent = '<Error number="1" text="The requested command isn''t allowed" />'>
 
 <cfelseif isDefined("Config.ConfigAllowedTypes") and not ListFind(Config.ConfigAllowedTypes, url.type)>
Index: /FCKeditor/trunk/editor/filemanager/connectors/cfm/cf5_upload.cfm
===================================================================
--- /FCKeditor/trunk/editor/filemanager/connectors/cfm/cf5_upload.cfm	(revision 7668)
+++ /FCKeditor/trunk/editor/filemanager/connectors/cfm/cf5_upload.cfm	(revision 7669)
@@ -77,10 +77,10 @@
 
 <cfif isDefined("Config.ConfigAllowedCommands") and not ListFind(Config.ConfigAllowedCommands, url.command)>
-	<cfset SendUploadResults(1, "", "", "The """ & url.command & """ command isn't allowed")>
+	<cfset SendUploadResults(1, "", "", "The requested command isn't allowed")>
 	<cfabort>
 </cfif>
 
 <cfif isDefined("Config.ConfigAllowedTypes") and not ListFind(Config.ConfigAllowedTypes, url.type)>
-	<cfset SendUploadResults(1, "", "", "The """ & url.type &  """ type isn't allowed")>
+	<cfset SendUploadResults(1, "", "", "The requested type isn't allowed")>
 	<cfabort>
 </cfif>
Index: /FCKeditor/trunk/editor/filemanager/connectors/cfm/cf_connector.cfm
===================================================================
--- /FCKeditor/trunk/editor/filemanager/connectors/cfm/cf_connector.cfm	(revision 7668)
+++ /FCKeditor/trunk/editor/filemanager/connectors/cfm/cf_connector.cfm	(revision 7669)
@@ -59,5 +59,5 @@
 	<!--- Check if it is an allowed command --->
 	<cfif not IsAllowedCommand( sCommand ) >
-		<cfset SendError( 1, "The """ & sCommand & """ command isn't allowed" ) >
+		<cfset SendError( 1, "The requested command isn't allowed" ) >
 	</cfif>
 
Index: /FCKeditor/trunk/editor/filemanager/connectors/cfm/cf_upload.cfm
===================================================================
--- /FCKeditor/trunk/editor/filemanager/connectors/cfm/cf_upload.cfm	(revision 7668)
+++ /FCKeditor/trunk/editor/filemanager/connectors/cfm/cf_upload.cfm	(revision 7669)
@@ -61,5 +61,5 @@
 <!--- Is enabled the upload? --->
 <cfif not IsAllowedCommand( sCommand )>
-	<cfset SendUploadResults( "1", "", "", "The """ & sCommand & """ command isn't allowed" )>
+	<cfset SendUploadResults( "1", "", "", "The requested command isn't allowed" )>
 </cfif>
 
Index: /FCKeditor/trunk/editor/filemanager/connectors/cfm/config.cfm
===================================================================
--- /FCKeditor/trunk/editor/filemanager/connectors/cfm/config.cfm	(revision 7668)
+++ /FCKeditor/trunk/editor/filemanager/connectors/cfm/config.cfm	(revision 7669)
@@ -113,4 +113,7 @@
 //		Attention: The above 'QuickUploadPath' must point to the same directory.
 //		Attention: It must end with a slash: '/'
+// 
+// WARNING: It is recommended to remove swf extension from the list of allowed extensions.
+// SWF files can be used to perform XSS attack.
 
 	Config.AllowedExtensions 				= StructNew() ;
Index: /FCKeditor/trunk/editor/filemanager/connectors/lasso/config.lasso
===================================================================
--- /FCKeditor/trunk/editor/filemanager/connectors/lasso/config.lasso	(revision 7668)
+++ /FCKeditor/trunk/editor/filemanager/connectors/lasso/config.lasso	(revision 7669)
@@ -40,4 +40,7 @@
 
     Set which file extensions are allowed and/or denied for each file type.
+
+    WARNING: It is recommended to remove swf extension from the list of allowed extensions.
+    SWF files can be used to perform XSS attack.
     */
 	var('config') = map(
Index: /FCKeditor/trunk/editor/filemanager/connectors/perl/config.pl
===================================================================
--- /FCKeditor/trunk/editor/filemanager/connectors/perl/config.pl	(revision 7668)
+++ /FCKeditor/trunk/editor/filemanager/connectors/perl/config.pl	(revision 7669)
@@ -33,4 +33,7 @@
 $GLOBALS{'UserFilesDirectory'} = $rootpath . $GLOBALS{'UserFilesPath'};
 
+# WARNING: It is recommended to remove swf extension from the list of allowed extensions.
+# SWF files can be used to perform XSS attack.
+
 %allowedExtensions =  ("File", "7z|aiff|asf|avi|bmp|csv|doc|fla|flv|gif|gz|gzip|jpeg|jpg|mid|mov|mp3|mp4|mpc|mpeg|mpg|ods|odt|pdf|png|ppt|pxd|qt|ram|rar|rm|rmi|rmvb|rtf|sdc|sitd|swf|sxc|sxw|tar|tgz|tif|tiff|txt|vsd|wav|wma|wmv|xls|xml|zip",
 "Image", "bmp|gif|jpeg|jpg|png",
Index: /FCKeditor/trunk/editor/filemanager/connectors/php/config.php
===================================================================
--- /FCKeditor/trunk/editor/filemanager/connectors/php/config.php	(revision 7668)
+++ /FCKeditor/trunk/editor/filemanager/connectors/php/config.php	(revision 7669)
@@ -120,4 +120,7 @@
 */
 
+// WARNING: It is recommended to remove swf extension from the list of allowed extensions.
+// SWF files can be used to perform XSS attack.
+
 $Config['AllowedExtensions']['File']	= array('7z', 'aiff', 'asf', 'avi', 'bmp', 'csv', 'doc', 'fla', 'flv', 'gif', 'gz', 'gzip', 'jpeg', 'jpg', 'mid', 'mov', 'mp3', 'mp4', 'mpc', 'mpeg', 'mpg', 'ods', 'odt', 'pdf', 'png', 'ppt', 'pxd', 'qt', 'ram', 'rar', 'rm', 'rmi', 'rmvb', 'rtf', 'sdc', 'sitd', 'swf', 'sxc', 'sxw', 'tar', 'tgz', 'tif', 'tiff', 'txt', 'vsd', 'wav', 'wma', 'wmv', 'xls', 'xml', 'zip') ;
 $Config['DeniedExtensions']['File']		= array() ;
Index: /FCKeditor/trunk/editor/filemanager/connectors/php/connector.php
===================================================================
--- /FCKeditor/trunk/editor/filemanager/connectors/php/connector.php	(revision 7668)
+++ /FCKeditor/trunk/editor/filemanager/connectors/php/connector.php	(revision 7669)
@@ -52,5 +52,5 @@
 	// Check if it is an allowed command
 	if ( ! IsAllowedCommand( $sCommand ) )
-		SendError( 1, 'The "' . $sCommand . '" command isn\'t allowed' ) ;
+		SendError( 1, 'The requested command isn\'t allowed' ) ;
 
 	// Check if it is an allowed type.
Index: /FCKeditor/trunk/editor/filemanager/connectors/php/upload.php
===================================================================
--- /FCKeditor/trunk/editor/filemanager/connectors/php/upload.php	(revision 7668)
+++ /FCKeditor/trunk/editor/filemanager/connectors/php/upload.php	(revision 7669)
@@ -48,5 +48,5 @@
 // Is enabled the upload?
 if ( ! IsAllowedCommand( $sCommand ) )
-	SendUploadResults( '1', '', '', 'The ""' . $sCommand . '"" command isn\'t allowed' ) ;
+	SendUploadResults( '1', '', '', 'The requested command isn\'t allowed' ) ;
 
 // Check if it is an allowed type.
Index: /FCKeditor/trunk/editor/filemanager/connectors/py/config.py
===================================================================
--- /FCKeditor/trunk/editor/filemanager/connectors/py/config.py	(revision 7668)
+++ /FCKeditor/trunk/editor/filemanager/connectors/py/config.py	(revision 7669)
@@ -118,4 +118,7 @@
 #		Attention: It must end with a slash: '/'
 
+# WARNING: It is recommended to remove swf extension from the list of allowed extensions.
+# SWF files can be used to perform XSS attack.
+
 AllowedExtensions['File'] 		= ['7z','aiff','asf','avi','bmp','csv','doc','fla','flv','gif','gz','gzip','jpeg','jpg','mid','mov','mp3','mp4','mpc','mpeg','mpg','ods','odt','pdf','png','ppt','pxd','qt','ram','rar','rm','rmi','rmvb','rtf','sdc','sitd','swf','sxc','sxw','tar','tgz','tif','tiff','txt','vsd','wav','wma','wmv','xls','xml','zip']
 DeniedExtensions['File'] 		= []
Index: /FCKeditor/trunk/editor/filemanager/connectors/py/connector.py
===================================================================
--- /FCKeditor/trunk/editor/filemanager/connectors/py/connector.py	(revision 7668)
+++ /FCKeditor/trunk/editor/filemanager/connectors/py/connector.py	(revision 7669)
@@ -64,5 +64,5 @@
 		# Check if it is an allowed command
 		if ( not command in Config.ConfigAllowedCommands ):
-			return self.sendError( 1, 'The %s command isn\'t allowed' % command )
+			return self.sendError( 1, 'The requested command isn\'t allowed' )
 
 		if ( not resourceType in Config.ConfigAllowedTypes  ):
Index: /FCKeditor/trunk/editor/filemanager/connectors/py/upload.py
===================================================================
--- /FCKeditor/trunk/editor/filemanager/connectors/py/upload.py	(revision 7668)
+++ /FCKeditor/trunk/editor/filemanager/connectors/py/upload.py	(revision 7669)
@@ -49,5 +49,5 @@
 		# Check if it is an allowed command
 		if ( not command in Config.ConfigAllowedCommands ):
-			return self.sendUploadResults( 1, '', '', 'The %s command isn\'t allowed' % command )
+			return self.sendUploadResults( 1, '', '', 'The requested command isn\'t allowed' )
 
 		if ( not resourceType in Config.ConfigAllowedTypes  ):
