The Coppermine dev team announces the release of cpg1.4.6.
The new release contains no new features (compared to previous cpg1.4.x versions), but it fixes several minor issues. It also takes care of the ".rar" exploit (which is not actually a Coppermine bug, but a badly implemented feature of the Apache web server that needed fixing). All Coppermine users are strongly encouraged to upgrade their Coppermine version as soon as possible. Upgrade instructions are included in the package (refer to the index file inside the docs folder).
The new package contains all language files that exist up to now (compared to cpg1.4.5, a few new language files have been added).
Get the new release cpg1.4.6 here:
http://prdownloads.sourceforge.net/coppermine/cpg1.4.6.zip?download

As suggested above, cpg1.4.6 does not only fix the .rar vulnerability, but several other (minor) issues as well, so everyone should upgrade as suggested. However, if you have a heavily modified version of Coppermine running on your server and can't do the full update, you should at least apply the fix for the ".rar" exploit. To do so, edit include/functions.inc.php with a plain-text editor, find
    function replace_forbidden($str)
    {
        static $forbidden_chars;

        if (!is_array($forbidden_chars)) {
            global $CONFIG, $mb_utf8_regex;

            // Decode the configured list of forbidden filename characters (stored as HTML entities).
            if (function_exists('html_entity_decode')) {
                $chars = html_entity_decode($CONFIG['forbiden_fname_char'], ENT_QUOTES, 'UTF-8');
            } else {
                // Fallback for PHP builds without html_entity_decode(): decode the common entities by hand.
                $chars = str_replace(array('&amp;', '&quot;', '&lt;', '&gt;', '&nbsp;', '&#039;'), array('&', '"', '<', '>', ' ', "'"), $CONFIG['forbiden_fname_char']);
            }

            // Split the decoded string into single (possibly multi-byte UTF-8) characters.
            preg_match_all("#$mb_utf8_regex".'|[\x00-\x7F]#', $chars, $forbidden_chars);
        }

        /**
         * $str may also come from $_POST, in this case, all &, ", etc will get replaced with entities.
         * Replace them back to normal chars so that the str_replace below can work.
         */
        $str = str_replace(array('&amp;', '&quot;', '&lt;', '&gt;'), array('&', '"', '<', '>'), $str);

        return str_replace($forbidden_chars[0], '_', $str);
    }
and replace it with
    function replace_forbidden($str)
    {
        static $forbidden_chars;

        if (!is_array($forbidden_chars)) {
            global $CONFIG, $mb_utf8_regex;

            // Decode the configured list of forbidden filename characters (stored as HTML entities).
            if (function_exists('html_entity_decode')) {
                $chars = html_entity_decode($CONFIG['forbiden_fname_char'], ENT_QUOTES, 'UTF-8');
            } else {
                // Fallback for PHP builds without html_entity_decode(): decode the common entities by hand.
                $chars = str_replace(array('&amp;', '&quot;', '&lt;', '&gt;', '&nbsp;', '&#039;'), array('&', '"', '<', '>', ' ', "'"), $CONFIG['forbiden_fname_char']);
            }

            // Split the decoded string into single (possibly multi-byte UTF-8) characters.
            preg_match_all("#$mb_utf8_regex".'|[\x00-\x7F]#', $chars, $forbidden_chars);
        }

        /**
         * $str may also come from $_POST, in this case, all &, ", etc will get replaced with entities.
         * Replace them back to normal chars so that the str_replace below can work.
         */
        $str = str_replace(array('&amp;', '&quot;', '&lt;', '&gt;'), array('&', '"', '<', '>'), $str);

        $return = str_replace($forbidden_chars[0], '_', $str);

        /**
         * Fix the obscure, misdocumented "feature" in Apache that causes the server
         * to process the last "valid" extension in the filename (rar exploit): replace all
         * dots in the filename except the last one with an underscore.
         */
        // This could be concatenated into a more efficient string later, keeping it in three
        // lines for better readability for now.
        $extension = ltrim(substr($return, strrpos($return, '.')), '.');
        $filenameWithoutExtension = str_replace('.' . $extension, '', $return);
        $return = str_replace('.', '_', $filenameWithoutExtension) . '.' . $extension;

        return $return;
    }
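To see what the "keep only the last dot" rule does to upload names, here is a stand-alone PHP example. It is added for illustration and is not Coppermine's own code: the function name normalize_upload_name(), the extension allow-list and the sample filenames are all constructed for this example. Beyond the patch above, it rejects names without any extension (where the patch's strrpos() would return false) and names whose single remaining extension is not on an allow-list, which is the complementary check a gallery should make anyway.

```php
<?php
// Added example, not Coppermine code. Normalises an uploaded filename so that
// the web server sees exactly one extension, and only an allowed one.
// The allow-list and sample names below are constructed for this example.

function normalize_upload_name($name, array $allowed_extensions)
{
    // Work on the basename only; directory separators never belong in an upload name.
    $name = basename(str_replace('\\', '/', $name));

    $pos = strrpos($name, '.');
    if ($pos === false) {
        // No extension at all: nothing sensible to serve it as, so reject it
        // (the patch above would mishandle this case because strrpos() returns false).
        return false;
    }

    $base      = substr($name, 0, $pos);
    $extension = strtolower(substr($name, $pos + 1));

    // Reject dot-files such as ".htaccess" and extensions with odd characters.
    if ($base === '' || !preg_match('/^[a-z0-9]+$/', $extension)) {
        return false;
    }

    // Allow-listing is the complementary defence: a single extension is only
    // safe if it is one the gallery is actually meant to serve.
    if (!in_array($extension, $allowed_extensions, true)) {
        return false;
    }

    // Every dot except the last becomes an underscore, so "shell.php.rar"
    // turns into "shell_php.rar" and the server cannot fall back to ".php".
    return str_replace('.', '_', $base) . '.' . $extension;
}

// Constructed allow-list for the demonstration (not Coppermine's configuration).
$allowed = array('jpg', 'jpeg', 'gif', 'png', 'rar');

// Constructed sample names, including the double-extension pattern behind the ".rar" exploit.
$samples = array(
    'holiday.jpg',     // unchanged
    'shell.php.rar',   // becomes shell_php.rar
    'a.b.c.png',       // becomes a_b_c.png
    'noextension',     // rejected: no extension
    '.htaccess',       // rejected: empty base name
    'evil.php',        // rejected: php is not on the allow-list
    'archive.RAR',     // becomes archive.rar
);

foreach ($samples as $sample) {
    $result = normalize_upload_name($sample, $allowed);
    printf("%-16s -> %s\n", $sample, $result === false ? '(rejected)' : $result);
}
```

The example lowercases the extension before checking it so that "archive.RAR" and "archive.rar" are treated alike; whether that matches your server's case handling is something to verify on your own setup.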
The maintenance release cpg1.4.6 of course contains all previous fixes of the 1.4 series, as well as fixes for several minor issues that have been reported on the bugs board. Please review the changelog that comes with the package for details.
Please do not clutter this announcement thread with individual support requests or similar; only replies that deal with the actual release are allowed. All unrelated replies will be deleted without further notice.
If you have issues with upgrading your Coppermine install, post on the cpg1.4.x upgrading sub-board (after having read the docs and after having searched the board).
Joachim
- Coppermine project manager -