NextGEN Gallery – WordPress Gallery Plugin - Version 2.0.66.17

Version Description

  • 08.08.2014 =
  • NEW: Added french translations
  • Secured: XSS vulnerability in jQuery Plupload Queue (thanks Codevigilant Team)
  • Secured: XSS vulnerability in thumbnail/slideshow integration links
  • Secured: XSS vulnerability on Manage Albums page

Release Info

Developer photocrati
Version 2.0.66.17

Code changes from version 2.0.66.16 to 2.0.66.17

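--- a/changelog.txt
+++ b/changelog.txt
@@ -1,6 +1,12 @@
 NextGEN Gallery
 by Photocrati Media
 
+= V2.0.66.17 - 08.08.2014 =
+* NEW: Added french translations
+* Secured: XSS vulnerability in jQuery Plupload Queue (thanks Codevigilant Team)
+* Secured: XSS vulnerability in thumbnail/slideshow integration links
+* Secured: XSS vulnerability on Manage Albums page
+
 = V2.0.66.16 - 07.30.2014 =
 * NEW: Added new "limit" setting to Slideshow widgets
 * NEW: Added a "ngg_routes" action for other plugins to hook into to provide new routes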
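--- a/nggallery.php
+++ b/nggallery.php
@@ -4,7 +4,7 @@ if(preg_match('#' . basename(__FILE__) . '#', $_SERVER['PHP_SELF'])) { die('You
 /**
 * Plugin Name: NextGEN Gallery by Photocrati
 * Description: The most popular gallery plugin for WordPress and one of the most popular plugins of all time with over 9 million downloads.
-* Version: 2.0.66.16
+* Version: 2.0.66.17
 * Author: Photocrati Media
 * Plugin URI: http://www.nextgen-gallery.com
 * Author URI: http://www.photocrati.com
@@ -431,7 +431,7 @@ class C_NextGEN_Bootstrap
 define('NGG_PRODUCT_URL', path_join(str_replace("\\", '/', NGG_PLUGIN_URL), 'products'));
 define('NGG_MODULE_URL', path_join(str_replace("\\", '/', NGG_PRODUCT_URL), 'photocrati_nextgen/modules'));
 define('NGG_PLUGIN_STARTED_AT', microtime());
-define('NGG_PLUGIN_VERSION', '2.0.66.16');
+define('NGG_PLUGIN_VERSION', '2.0.66.17');
 
 if (!defined('NGG_HIDE_STRICT_ERRORS')) {
 define('NGG_HIDE_STRICT_ERRORS', TRUE);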
products/photocrati_nextgen/modules/i18n/lang/nggallery-fr_FR.mo CHANGED
Binary file
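--- a/products/photocrati_nextgen/modules/i18n/lang/nggallery-fr_FR.po
+++ b/products/photocrati_nextgen/modules/i18n/lang/nggallery-fr_FR.po
@@ -7,7 +7,7 @@ msgstr ""
 "Project-Id-Version: NextGEN Gallery\n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2014-02-20 19:45-0800\n"
-"PO-Revision-Date: 2014-05-03 22:22+0100\n"
+"PO-Revision-Date: 2014-07-15 17:59+0100\n"
 "Last-Translator: Jean-Yves Dumaine <jean.yves.dumaine@gmail.com>\n"
 "Language-Team: Jean-Yves Dumaine\n"
 "MIME-Version: 1.0\n"
@@ -124,7 +124,7 @@ msgid ""
 "the Pro Lightbox."
 msgstr ""
 "Donnez à cette galerie un nom qui facilitera son référencement par les "
-"moteurs de recherche. N'est effectif que dans Pro Lightbox"
+"moteurs de recherche. Supporté uniquement dans Pro Lightbox"
 
 #: products/photocrati_nextgen/modules/attach_to_post/templates/display_tab_js.php:655
 msgid "Slug"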
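--- a/products/photocrati_nextgen/modules/nextgen_addgallery_page/adapter.upload_images_form.php
+++ b/products/photocrati_nextgen/modules/nextgen_addgallery_page/adapter.upload_images_form.php
@@ -73,22 +73,25 @@ class A_Upload_Images_Form extends Mixin
 
 function get_plupload_filters()
 {
-$retval = array();
+$retval = new stdClass;
+$retval->mime_types = array();
 
-$imgs = new stdClass;
-$imgs->title = "Image files";
-$imgs->extensions = "jpg,jpeg,gif,png,JPG,JPEG,GIF,PNG";
-$retval[] = $imgs;
+$imgs = new stdClass;
+$imgs->title = "Image files";
+$imgs->extensions = "jpg,jpeg,gif,png,JPG,JPEG,GIF,PNG";
+$retval->mime_types[] = $imgs;
 
 $settings = C_NextGen_Settings::get_instance();
 if (!is_multisite() || (is_multisite() && $settings->get('wpmuZipUpload')))
 {
-$zips = new stdClass;
-$zips->title = "Zip files";
-$zips->extensions = "zip,ZIP";
-$retval[] = $zips;
+$zips = new stdClass;
+$zips->title = "Zip files";
+$zips->extensions = "zip,ZIP";
+$retval->mime_types[] = $zips;
 }
 
+$retval->xss_protection = TRUE;
+
 return $retval;
 }
 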
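Review bot: `$retval->xss_protection = TRUE;` only switches on a browser-side plupload file filter (the one registered in templates/upload_images.php), so it is a usability check rather than a security boundary: a request built outside the browser never runs that filter, and the server-side upload handler must still sanitize the file name (e.g. `sanitize_file_name()`) and every template must escape it on output. The return shape also changes from an array of filters to a `stdClass` with `mime_types` and `xss_protection`; any other caller of `get_plupload_filters()` that still iterates the result as an array breaks silently, so the method deserves a docblock such as `/** @return stdClass {mime_types: stdClass[] (title, extensions), xss_protection: bool} — consumed by the plupload setup in templates/upload_images.php */` and the callers should be checked. The enclosing class `A_Upload_Images_Form` continues outside the hunk.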
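--- a/products/photocrati_nextgen/modules/nextgen_addgallery_page/module.nextgen_addgallery_page.php
+++ b/products/photocrati_nextgen/modules/nextgen_addgallery_page/module.nextgen_addgallery_page.php
@@ -15,7 +15,7 @@ class M_NextGen_AddGallery_Page extends C_Base_Module
 'photocrati-nextgen_addgallery_page',
 'NextGEN Add Gallery Page',
 'Provides admin page for adding a gallery and uploading images',
-'0.5',
+'0.6',
 'http://www.nextgen-gallery.com',
 'Photocrati Media',
 'http://www.photocrati.com'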
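--- a/products/photocrati_nextgen/modules/nextgen_addgallery_page/templates/upload_images.php
+++ b/products/photocrati_nextgen/modules/nextgen_addgallery_page/templates/upload_images.php
@@ -70,6 +70,21 @@
 var $gallery_selection = $('#gallery_selection').detach();
 window.uploaded_image_ids = [];
 
+plupload.addFileFilter('xss_protection', function(enabled, file, cb){
+var retval = true;
+if (enabled) {
+if (file.name.match(/\<|\>/)) {
+retval = false;
+this.trigger("Error", {
+code: plupload.SECURITY_ERROR,
+message: plupload.translate('XSS attempt detected'),
+file: file
+});
+}
+}
+cb(retval);
+});
+
 // Override some final plupload options
 plupload_options.url = photocrati_ajax.url;
 plupload_options.preinit = {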
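Review bot: The two nested `if`s and the `retval` flag in the new `xss_protection` filter can be collapsed into a single guard, and the alternation `/\<|\>/` reads more clearly as a character class: `if (enabled && /[<>]/.test(file.name)) {` followed by the existing `this.trigger(...)` call, with `cb(!(enabled && /[<>]/.test(file.name)))` or a `rejected` local replacing `retval`. The callback relies on plupload invoking filters with the uploader as `this` for `this.trigger("Error", ...)` to work; that matches the plupload 2 filter API as far as I recall, but it is worth a comment such as `// plupload calls file filters with the uploader as "this"` so the dependency is explicit. This filter is only a client-side convenience check; it does not replace server-side sanitising of the uploaded file name.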
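--- a/products/photocrati_nextgen/modules/nextgen_basic_gallery/templates/slideshow/index.php
+++ b/products/photocrati_nextgen/modules/nextgen_basic_gallery/templates/slideshow/index.php
@@ -2,7 +2,7 @@
 <?php if ($show_thumbnail_link): ?>
 <!-- Thumbnails Link -->
 <div class="slideshowlink">
-<a href='<?php echo $thumbnail_link ?>'><?php echo_h($thumbnail_link_text) ?></a>
+<a href='<?php esc_attr_e($thumbnail_link) ?>'><?php echo_h($thumbnail_link_text) ?></a>
 </div>
 <?php endif ?>
 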
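Review bot: `esc_attr_e()` is WordPress's translating variant — it passes its argument through `translate()` before escaping and is intended for literal strings, not runtime values such as a generated URL. For an `href` the context-appropriate escaper is `esc_url()`, which also refuses disallowed schemes, whereas attribute encoding alone leaves a `javascript:` URL intact: `<a href='<?php echo esc_url($thumbnail_link) ?>'><?php echo_h($thumbnail_link_text) ?></a>`. The same substitution applies to both anchors changed in thumbnails/index.php (`$slideshow_link`, `$piclens_link`); in admin/album.php the escaped value is an id rather than a URL, so `echo esc_attr($this->currentID)` is enough there, but `esc_attr_e` is still the wrong helper.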
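--- a/products/photocrati_nextgen/modules/nextgen_basic_gallery/templates/thumbnails/index.php
+++ b/products/photocrati_nextgen/modules/nextgen_basic_gallery/templates/thumbnails/index.php
@@ -9,7 +9,7 @@ $this->start_element('nextgen_gallery.gallery_container', 'container', $displaye
 
 <?php if (!empty($slideshow_link)): ?>
 <div class="slideshowlink">
-<a href='<?php echo $slideshow_link ?>'><?php echo $slideshow_link_text ?></a>
+<a href='<?php esc_attr_e($slideshow_link) ?>'><?php echo $slideshow_link_text ?></a>
 
 </div>
 <?php endif ?>
@@ -17,7 +17,7 @@ $this->start_element('nextgen_gallery.gallery_container', 'container', $displaye
 <?php if ($show_piclens_link): ?>
 <!-- Piclense link -->
 <div class="piclenselink">
-<a class="piclenselink" href="<?php echo esc_attr($piclens_link) ?>">
+<a class="piclenselink" href="<?php esc_attr_e($piclens_link) ?>">
 <?php echo_h($piclens_link_text); ?>
 </a>
 </div>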
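Review bot: In the first hunk the link text `$slideshow_link_text` is still echoed raw on the new side, while the sibling slideshow template and the piclens anchor in the second hunk both pass their text through `echo_h()`; the fix only covered the `href`. Since this text is a display setting an administrator can edit, it belongs in the same escaping discipline: `<a href='<?php echo esc_url($slideshow_link) ?>'><?php echo_h($slideshow_link_text) ?></a>`. The surrounding template markup begins before line 9, outside the hunk.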
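--- a/products/photocrati_nextgen/modules/ngglegacy/admin/album.php
+++ b/products/photocrati_nextgen/modules/ngglegacy/admin/album.php
@@ -527,7 +527,7 @@ function showDialog() {
 <div id="editalbum" style="display: none;" >
 <form id="form-edit-album" method="POST" accept-charset="utf-8">
 <?php wp_nonce_field('ngg_thickbox_form') ?>
-<input type="hidden" id="current_album" name="act_album" value="<?php echo $this->currentID; ?>" />
+<input type="hidden" id="current_album" name="act_album" value="<?php esc_attr_e($this->currentID); ?>" />
 <table width="100%" border="0" cellspacing="3" cellpadding="3" >
 <tr>
 <th>
@@ -694,6 +694,7 @@ function showDialog() {
 
 if ($this->albums) {
 foreach($this->albums as $album) {
+if (!is_array($album->sortorder)) continue;
 foreach($album->sortorder as $galleryid) {
 if (!in_array($galleryid, $used))
 $used[] = $galleryid;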
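--- a/products/photocrati_nextgen/modules/ngglegacy/admin/manage-galleries.php
+++ b/products/photocrati_nextgen/modules/ngglegacy/admin/manage-galleries.php
@@ -174,7 +174,7 @@ function nggallery_manage_gallery_main() {
 <input type="submit" value="<?php _e( 'Search Images', 'nggallery' ); ?>" class="button" />
 </p>
 </form>
-<form id="editgalleries" class="nggform" method="POST" action="<?php echo $ngg->manage_page->base_page . '&amp;paged=' . $_GET['paged']; ?>" accept-charset="utf-8">
+<form id="editgalleries" class="nggform" method="POST" action="<?php echo $ngg->manage_page->base_page . '&amp;paged=' . esc_attr($_GET['paged']); ?>" accept-charset="utf-8">
 <?php wp_nonce_field('ngg_bulkgallery') ?>
 <input type="hidden" name="page" value="manage-galleries" />
 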
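Review bot: `esc_attr($_GET['paged'])` encodes the value for the attribute context but still reads an index that is absent on the unpaged request (an undefined-index notice) and accepts any string for what is a page number; casting is the stronger fix because it removes the untrusted string from the URL entirely: `'&amp;paged=' . (isset($_GET['paged']) ? absint($_GET['paged']) : 0)`. The same line appears in manage-images.php, where `$act_gid` is concatenated into the same `action` unescaped — if it is not already cast to an integer earlier in that function it needs the same treatment. The enclosing function `nggallery_manage_gallery_main()` starts outside the hunk.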
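--- a/products/photocrati_nextgen/modules/ngglegacy/admin/manage-images.php
+++ b/products/photocrati_nextgen/modules/ngglegacy/admin/manage-images.php
@@ -287,7 +287,7 @@ jQuery(document).ready( function($) {
 
 <br style="clear: both;" />
 
-<form id="updategallery" class="nggform" method="POST" action="<?php echo $ngg->manage_page->base_page . '&amp;mode=edit&amp;gid=' . $act_gid . '&amp;paged=' . $_GET['paged']; ?>" accept-charset="utf-8">
+<form id="updategallery" class="nggform" method="POST" action="<?php echo $ngg->manage_page->base_page . '&amp;mode=edit&amp;gid=' . $act_gid . '&amp;paged=' . esc_attr($_GET['paged']); ?>" accept-charset="utf-8">
 <?php wp_nonce_field('ngg_updategallery') ?>
 <input type="hidden" name="page" value="manage-images" />
 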
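--- a/products/photocrati_nextgen/modules/wordpress_routing/adapter.wordpress_router.php
+++ b/products/photocrati_nextgen/modules/wordpress_routing/adapter.wordpress_router.php
@@ -112,6 +112,10 @@ class A_WordPress_Router extends Mixin
 if ($add_index)
 $retval = $this->_add_index_dot_php_to_url($retval);
 
+// in case the user's home/site/content/plugins_url constant does not contain their domain
+if (!parse_url($retval, PHP_URL_HOST))
+$retval = 'http://' . $_SERVER['SERVER_NAME'] . $retval;
+
 if ($this->object->is_https())
 $retval = preg_replace('/^http:\\/\\//i', 'https://', $retval, 1);
 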
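Review bot: The new fallback builds an absolute URL from `$_SERVER['SERVER_NAME']`, which on common server configurations (Apache with `UseCanonicalName Off`, nginx catch-all `server_name`) is populated from the request's Host header rather than from configuration, so a URL emitted into the page can end up pointing at whatever host the request named. Taking the host from the site's own configured address avoids that: `$retval = 'http://' . parse_url(home_url(), PHP_URL_HOST) . $retval;`, and the comment should say why the host is not taken from the request, e.g. `// use the configured home host; SERVER_NAME may echo the request's Host header`. The hard-coded `http://` is then rewritten by the `is_https()` check that follows, which is worth noting in the same comment. The enclosing method starts and ends outside the hunk.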
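--- a/products/photocrati_nextgen/modules/wordpress_routing/module.wordpress_routing.php
+++ b/products/photocrati_nextgen/modules/wordpress_routing/module.wordpress_routing.php
@@ -45,7 +45,8 @@ class M_WordPress_Routing extends C_Base_Module
 $request_uri = $_SERVER['ORIG_REQUEST_URI'];
 $_SERVER['UNENCODED_URL'] = $_SERVER['HTTP_X_ORIGINAL_URL'] = $_SERVER['REQUEST_URI'] = $request_uri;
 }
-else {
+// this is the proper behavior but it causes problems with WPML
+else if (!class_exists('SitePress')) {
 wp_old_slug_redirect();
 redirect_canonical();
 }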
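Review bot: The comment on the new branch says only that canonical redirection "causes problems with WPML"; a reader maintaining this later needs to know which behaviour breaks and whether the condition can be narrowed, so it should name the symptom, e.g. `// skipped when WPML (SitePress) is active: its language-prefixed URLs are otherwise redirected away — TODO confirm the exact conflict`, hedged until someone reproduces it. Stylistically `else if` should be `elseif` (PSR-2), and placing the comment inside the branch rather than between `}` and `else` keeps the chain readable. The enclosing method starts and ends outside the hunk, so I cannot tell whether the WPML check could instead be applied once near the top of it.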
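--- a/readme.txt
+++ b/readme.txt
@@ -199,6 +199,12 @@ For more information, feel free to visit the official website for the NextGEN Ga
 
 == Changelog ==
 
+= V2.0.66.17 - 08.08.2014 =
+* NEW: Added french translations
+* Secured: XSS vulnerability in jQuery Plupload Queue (thanks Codevigilant Team)
+* Secured: XSS vulnerability in thumbnail/slideshow integration links
+* Secured: XSS vulnerability on Manage Albums page
+
 = V2.0.66.16 - 07.30.2014 =
 * NEW: Added new "limit" setting to Slideshow widgets
 * NEW: Added a "ngg_routes" action for other plugins to hook into to provide new routes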