No Support > Announcements
Maintenance release: cpg1.3.5 fixes XSS vulnerability *MUST READ*
ergo:
are there any style related changes ??
Tranz:
--- Quote from: ergo on October 01, 2005, 02:59:38 pm ---are there any style related changes ??
--- End quote ---
Nope.
Makc666:
========================
MAKE A BACK UP OF YOUR GALLERY
TRY TO PATCH FIRST TIME IN A TEMPORARY FOLDER, IF YOU DO NOT FULLY UNDERSTAND ANY OF THE STEPS OUTLINED BELOW THEN THIS METHOD IS NOT FOR YOU
========================
There was a fix in 1.3.4 in file displayimage.php
http://forum.coppermine-gallery.net/index.php?topic=20933.0
--- Code: --- //Sanitize the data - to fix the XSS vulnerability - Aditya
foreach ($iptc as $key=>$data) {
$iptc[$key] = htmlentities(strip_tags(trim($data,"\x7f..\xff\x0..\x1f")),ENT_QUOTES); //sanitize data against sql/html injection; trim any nongraphical non-ASCII character:
}
--- End code ---
You have to remove it now manually if you upgrade from 1.3.3 with this fix:
http://forum.coppermine-gallery.net/index.php?topic=20933.0
========================
Step 0.
All steps were made under FreeBSD.
You can read about patch here:
http://www.phpbb.com/support/documents.php?mode=install#upgradeSTABLE_patch
========================
Step 1.
First of all!
I removed
/cpg133/lang/
/cpg134/lang/
/cpg135/lang/
dirs before patching, as it:
- becomes to big
- there is problems with patching in Japan (etc. country) languages.
- you can update lang files manually
========================
Step 2.
Second I run:
diff -crbBN cpg133 cpg135 >cpg-1.3.3_to_1.3.5.patch
and
diff -crbBN cpg134 cpg135 >cpg-1.3.4_to_1.3.5.patch
========================
Step 3.
Then I made a copy of gallery folder which I was going to patch
cp -R coppermine coppermine-new
========================
Step 4.
Also you must have to copy these files into your directory.
/coppermine/CHANGELOG
/coppermine/COPYING
/coppermine/install.php
You can take them from cpg1.3.3.zip, as you need old one:
http://prdownloads.sourceforge.net/coppermine/cpg1.3.3.zip?download
or
You can take them from cpg1.3.4.zip, as you need old one:
http://prdownloads.sourceforge.net/coppermine/cpg1.3.4.zip?download
========================
Step 5.
Put your patch file into:
/coppermine-new/cpg-1.3.3_to_1.3.5.patch
or
/coppermine-new/cpg-1.3.4_to_1.3.5.patch
========================
Step 6.
patch -cl -d /coppermine-new/ -p1 < /coppermine-new/cpg-1.3.3_to_1.3.5.patch
or
patch -cl -d /coppermine-new/ -p1 < /coppermine-new/cpg-1.3.4_to_1.3.5.patch
In this case you will see all results on your screen.
So make your Scroll Buffer big enough.
It will be about 1200 lines!
========================
Step 7.
Update your
/coppermine/lang/
dir with necessary files.
For example I use only Eng, Ger, Rus.
###########################
###!!! READ THIS ONE !!!###
###########################
During patch process you will (can) see two main information strings:
--> Hunk #3 succeeded at 216.
--> Hunk #1 failed at 1.
Example below.
Word "succeeded" means that there is no problems with patching of that part of code.
Word "failed" means there was some problem.
If you see "failed" for some file, you have to open file with name "FILENAME_WITH_ERROR.rej"
below for example it is "zipdownload.php.rej"
and look what the patch couldn't change and fix that manually.
After all such fixes you will have to delete all *.rej and *.orig files from coppermine directory and subdirs!
Word "done" means that patch go throw all "cpg-1.3.3_to_1.3.5.patch" file.
###########################
###### EXAMPLE START ######
###########################
--------------------------
|diff -crbBN cpg132/xp_publish.php cpg133/xp_publish.php
|*** cpg132/xp_publish.php Sat Jul 24 17:03:00 2004
|--- cpg133/xp_publish.php Tue Apr 19 05:17:00 2005
--------------------------
Patching file xp_publish.php using Plan A...
Hunk #1 succeeded at 1.
Hunk #2 succeeded at 205.
Hunk #3 succeeded at 216.
Hunk #4 succeeded at 333.
Hunk #5 succeeded at 571.
Hmm... The next patch looks like a new-style context diff to me...
The text leading up to this was:
--------------------------
|diff -crbBN cpg132/zipdownload.php cpg133/zipdownload.php
|*** cpg132/zipdownload.php Sat Jul 24 17:03:00 2004
|--- cpg133/zipdownload.php Tue Apr 19 05:17:00 2005
--------------------------
Patching file zipdownload.php using Plan A...
Hunk #1 failed at 1.
Hunk #2 succeeded at 57.
1 out of 2 hunks failed--saving rejects to zipdownload.php.rej
done
###########################
###### EXAMPLE END ########
###########################
========================
Step 8.
Run: http://your.gallery.com/update.php
- If you have not already done so, create a folder called "edit" within your "albums" directory - this folder will be used by coppermine as a temporary folder, do not ftp-upload files there. Make sure the new "edit"-folder is CHMODed the same way your albums-directory is (755 or 777, depending on your server's config)
- Run the file "update.php" in the coppermine directory once in your browser (e.g. http://yourdomain.tld/coppermine/update.php). This will update your coppermine install by making all necessary changes in the database.
Taken from:
/cpg135/docs/index.htm#13
3.4 Upgrading from cpg1.2.0rc2 or better to version cpg1.3.5
========================
That it!
(c) Makc666 :)
makc666@newmail.ru
makc666@yahoo.com
Joachim Müller:
above posting by Makc666 does not decribe the upgrade procedures suggested by the coppermine dev team - it's just Makc666's idea how to do things. Some of the steps he outlines are just plain wrong in my opinion. Although we welcome user contributions, I disagree with posting something that looks like a detailed readme/howto. Makc666 failed to say why in his opinion the upgrade steps should be altered in the way he describes. In the future, please post why you think something's wrong with our suggested upgrade instructions instead of boldly posting a guide of your own.
Joachim
Makc666:
My patch files are for those people who have a lot of MODES installed in their galleries.
So they have only to apply my patch with out any new files upload.
This system is 100% the same as patch files for phpBB 2.x forum which is used there.
I didn't say that you upgrade instructions is bad. But they only sutable for galleries with out any modifications.
Thanks for your reply.
P.S. I just try to help people who know what I am posting.
Navigation
[0] Message Index
[#] Next page
[*] Previous page
Go to full version