Merge branch 'rhymix:master' into master

modules/admin/lang/en.php

@@ -159,7 +159,7 @@ $lang->cmd_concat_js_only = 'Combine all JS';
 $lang->cmd_concat_css_js = 'Combine both CSS and JS';
 $lang->about_concat_scripts = 'Automatically combine CSS and JS scripts into as few files as possible. External scripts are not combined.';
 $lang->jquery_version = 'jQuery Version';
-$lang->about_jquery_version = 'You can select the default jQuery version for this site. Please note that jQuery 3.x may not be compatible with older features.';
+$lang->about_jquery_version = 'You can select the default jQuery version for this site. Older third-party programs may require 2.x, but Rhymix recommends 3.x or higher for security.';
 $lang->use_gzip = 'gzip Compression';
 $lang->about_use_gzip = 'This option should be left off unless you know for sure that your webserver doesn\'t compress output by default.';
 $lang->delay_session = 'Delay session start';

modules/admin/lang/ko.php

@@ -160,7 +160,7 @@ $lang->cmd_concat_js_only = 'JS만 합침';
 $lang->cmd_concat_css_js = 'CSS와 JS를 모두 합침';
 $lang->about_concat_scripts = 'CSS, JS 파일들을 하나로 합쳐서 전송합니다. 외부에서 로딩하는 스크립트는 합쳐지지 않습니다.';
 $lang->jquery_version = 'jQuery 버전';
-$lang->about_jquery_version = '기본으로 사용할 jQuery 버전을 선택합니다. jQuery 3.x는 오래된 기능과 호환되지 않을 수 있습니다.';
+$lang->about_jquery_version = '기본으로 사용할 jQuery 버전을 선택합니다. 오래된 확장 기능은 jQuery 2.x를 요구할 수 있으나, 보안상 3.x 이상을 추천합니다.';
 $lang->use_gzip = 'gzip 압축';
 $lang->about_use_gzip = '웹서버가 gzip을 지원하지 않더라도 페이지를 강제로 압축하는 기능입니다. 대부분의 서버에는 필요하지 않습니다.';
 $lang->delay_session = '세션 시작 지연';

modules/board/board.admin.view.php

@@ -58,7 +58,7 @@ class BoardAdminView extends Board {
 
 		// install order (sorting) options
 		foreach($this->order_target as $key) $order_target[$key] = lang($key);
-		$order_target['list_order'] = lang('document_srl');
+		$order_target['list_order'] = lang('default_value');
 		$order_target['update_order'] = lang('last_update');
 		Context::set('order_target', $order_target);
 	}

modules/document/document.controller.php

@@ -907,7 +907,7 @@ class DocumentController extends Document
 					}
 
 					// Handle extra vars that support file upload.
-					if ($extra_item->type === 'file' && is_array($value))
+					if ($extra_item->type === 'file' && $value)
 					{
 						$ev_output = $extra_item->uploadFile($value, $obj->document_srl, 'doc');
 						if (!$ev_output->toBool())
@@ -1305,16 +1305,20 @@ class DocumentController extends Document
 						if ($extra_item->type === 'file')
 						{
 							// New upload
-							if (is_array($value) && isset($value['name']))
+							if (is_array($value) && isset($value['tmp_name']))
 							{
 								// Delete old file
 								if (isset($old_extra_vars[$idx]->value))
 								{
-									$fc_output = FileController::getInstance()->deleteFile($old_extra_vars[$idx]->value);
-									if (!$fc_output->toBool())
+									$old_file = FileModel::getFile($old_extra_vars[$idx]->value);
+									if ($old_file && $old_file->upload_target_srl == $obj->document_srl)
 									{
-										$oDB->rollback();
-										return $fc_output;
+										$fc_output = FileController::getInstance()->deleteFile($old_file->file_srl);
+										if (!$fc_output->toBool())
+										{
+											$oDB->rollback();
+											return $fc_output;
+										}
 									}
 								}
 								// Insert new file
@@ -1339,21 +1343,22 @@ class DocumentController extends Document
 										return $ev_output;
 									}
 									// Delete old file
-									$fc_output = FileController::getInstance()->deleteFile($old_extra_vars[$idx]->value);
-									if (!$fc_output->toBool())
+									$old_file = FileModel::getFile($old_extra_vars[$idx]->value);
+									if ($old_file && $old_file->upload_target_srl == $obj->document_srl)
 									{
-										$oDB->rollback();
-										return $fc_output;
+										$fc_output = FileController::getInstance()->deleteFile($old_file->file_srl);
+										if (!$fc_output->toBool())
+										{
+											$oDB->rollback();
+											return $fc_output;
+										}
 									}
 								}
 							}
 							// Leave current file unchanged
-							elseif (!$value)
+							elseif (isset($old_extra_vars[$idx]->value))
 							{
-								if (isset($old_extra_vars[$idx]->value))
-								{
-									$value = $old_extra_vars[$idx]->value;
-								}
+								$value = $old_extra_vars[$idx]->value;
 							}
 						}
 					}

modules/document/document.item.php

@@ -1650,6 +1650,10 @@ class DocumentItem extends BaseObject
 		return ModuleModel::getModuleInfoByModuleSrl($this->get('module_srl'))->browser_title;
 	}
 
+	/**
+	 * Get the title of the module to which the document belongs.
+	 * @return string
+	 */
 	function getBrowserTitle()
 	{
 		return $this->getModuleName();

modules/document/document.model.php

@@ -111,6 +111,7 @@ class DocumentModel extends Document
 					foreach($GLOBALS['XE_EXTRA_KEYS'][$module_srl] as $idx => $key)
 					{
 						$document_extra_vars[$idx] = clone($key);
+						$document_extra_vars[$idx]->parent_srl = $document_srl;
 
 						// set variable value in user language
 						if(isset($document_extra_values[$idx][$user_lang_code]))

modules/extravar/models/Value.php

@@ -25,6 +25,7 @@ class Value
 	public $input_id = '';
 	public $input_name = '';
 	public $parent_type = 'document';
+	public $parent_srl = null;
 	public $type = 'text';
 	public $value = null;
 	public $name = '';
@@ -159,7 +160,7 @@ class Value
 	 */
 	public function getValueHTML(): string
 	{
-		return self::_getTypeValueHTML($this->type, $this->value);
+		return self::_getTypeValueHTML($this->type, $this->value, $this->parent_type, $this->parent_srl);
 	}
 
 	/**
@@ -280,7 +281,7 @@ class Value
 			$values = [$value];
 		}
 
-		// Check if a required value is empty.
+		// Check that a required value is not empty.
 		if ($this->is_required === 'Y')
 		{
 			if ($this->type === 'file' && !$value && $old_value)
@@ -298,7 +299,7 @@ class Value
 			}
 		}
 
-		// Check if a strict value is not one of the specified options.
+		// Check that a strict value equals one of the specified options.
 		if ($this->is_strict === 'Y' && $value)
 		{
 			if ($this->canHaveOptions())
@@ -321,6 +322,15 @@ class Value
 			}
 		}
 
+		// Check that a file value is actually an uploaded file.
+		if ($this->type === 'file' && $value)
+		{
+			if (!isset($value['tmp_name']) || !is_uploaded_file($value['tmp_name']))
+			{
+				return new BaseObject(-1, sprintf(lang('common.filter.invalid_file'), Context::replaceUserLang($this->name)));
+			}
+		}
+
 		return new BaseObject;
 	}
 
@@ -442,9 +452,11 @@ class Value
 	 *
 	 * @param string $type
 	 * @param string|array $value
+	 * @param string $parent_type
+	 * @param ?int $parent_srl
 	 * @return string
 	 */
-	protected static function _getTypeValueHTML(string $type, $value): string
+	protected static function _getTypeValueHTML(string $type, $value, string $parent_type, ?int $parent_srl = null): string
 	{
 		// Return if the value is empty.
 		$value = self::_getTypeValue($type, $value);
@@ -511,10 +523,14 @@ class Value
 				if ($value)
 				{
 					$file = FileModel::getFile($value);
-					if ($file)
+					if ($file && $file->upload_target_srl == $parent_srl)
 					{
 						return sprintf('<span><a href="%s">%s</a> (%s)</span>', \RX_BASEURL . ltrim($file->download_url, './'), $file->source_filename, FileHandler::filesize($file->file_size));
 					}
+					elseif ($file)
+					{
+						return sprintf('<span>%s (%s)</span>', $file->source_filename, FileHandler::filesize($file->file_size));
+					}
 					else
 					{
 						return '';

modules/file/file.controller.php

@@ -551,7 +551,7 @@ class FileController extends File
 		{
 			$download_type = 'inline';
 		}
-		if (Context::get('force_download') === 'Y')
+		if ($mime_type === 'image/svg+xml' || Context::get('force_download') === 'Y')
 		{
 			$download_type = 'attachment';
 		}
@@ -936,6 +936,14 @@ class FileController extends File
 			}
 		}
 
+		// Sanitize SVG
+		if(!$manual_insert && !$this->user->isAdmin() && ($file_info['type'] === 'image/svg+xml' || $file_info['extension'] === 'svg'))
+		{
+			$dirty_svg = Rhymix\Framework\Storage::read($file_info['tmp_name']);
+			$clean_svg = Rhymix\Framework\Security::sanitize($dirty_svg, 'svg');
+			Rhymix\Framework\Storage::write($file_info['tmp_name'], $clean_svg);
+		}
+
 		// Adjust
 		if(!$manual_insert)
 		{

modules/install/install.controller.php

@@ -204,6 +204,13 @@ class installController extends install
 		// Set the default umask.
 		$config['file']['umask'] = Rhymix\Framework\Storage::recommendUmask();
 
+		// Set default security settings.
+		if ($config['url']['ssl'] === 'always')
+		{
+			$config['session']['use_ssl'] = true;
+			$config['session']['use_ssl_cookies'] = true;
+		}
+
 		// Load the new configuration.
 		Rhymix\Framework\Config::setAll($config);
 		Context::loadDBInfo($config);

modules/install/install.view.php

@@ -28,6 +28,11 @@ class installView extends install
 		// Specify the template path.
 		$this->setTemplatePath($this->module_path.'tpl');
 
+		// Set default frontend configurations.
+		config('view.jquery_version', 3);
+		config('view.minify_scripts', 'none');
+		config('view.concat_scripts', 'none');
+
 		// Check the environment.
 		$oInstallController = getController('install');
 		self::$checkEnv = $oInstallController->checkInstallEnv();

modules/page/page.admin.controller.php

@@ -175,7 +175,7 @@ class PageAdminController extends Page
 		$oDocumentController = getController('document');
 		$obj = new stdClass();
 		$obj->module_srl = $module_srl;
-		$obj->list_count = 99999999;
+		$obj->list_count = 0;
 		$output = $oDocumentModel->getDocumentList($obj);
 		if(count($output->data))
 		{

modules/page/tpl/filter/insert_mpage_content.xml

@@ -6,7 +6,7 @@
         <param name="module_srl" target="module_srl" />
         <param name="mid" target="mid" />
         <param name="mcontent" target="content" />
-		<parma name="type" target="type" />
+		<param name="type" target="type" />
     </parameter>
     <response callback_func="completeInsertMobilePageContent">
         <tag name="error" />