Try to prevent XSRF exploits by passing a form token.
authorgarvinhicking <garvinhicking>
Tue, 27 Sep 2005 11:40:14 +0000 (11:40 +0000)
committergarvinhicking <garvinhicking>
Tue, 27 Sep 2005 11:40:14 +0000 (11:40 +0000)
17 files changed:
docs/NEWS
include/admin/category.inc.php
include/admin/comments.inc.php
include/admin/configuration.inc.php
include/admin/groups.inc.php
include/admin/images.inc.php
include/admin/import.inc.php
include/admin/importers/generic.inc.php
include/admin/personal.inc.php
include/admin/plugins.inc.php
include/admin/users.inc.php
include/functions_config.inc.php
include/functions_entries_admin.inc.php
include/functions_images.inc.php
include/functions_installer.inc.php
plugins/serendipity_plugin_remoterss/serendipity_plugin_remoterss.php
serendipity_config.inc.php

index d92d4792aa4afb9916c50c1f628815ddfdc68fda..4d18d19b79845d36c2b953a15d99f90e9bd3b77d 100644 (file)
--- a/docs/NEWS
+++ b/docs/NEWS
@@ -3,8 +3,6 @@
 Version 0.9 ()
 ------------------------------------------------------------------------
 
-    * Try to detect XSRF based on HTTP-Referrer. (garvinhicking)
-
     * Fix not showing thumbnail images in media database when thumbSuffix
       is empty. Thanks to Brian J. France!
 
@@ -226,7 +224,8 @@ Version 0.8.5 ()
 ------------------------------------------------------------------------
 
     * More Security: When changing the password in your personal preferences,
-      you need to insert the old password. Thanks to Nenad Jovanovic for
+      you need to insert the old password. Secure backend forms with extra
+      token checks to bypass XSRF attacks. Thanks to Nenad Jovanovic for
       contacting me about this issue! (garvinhicking)
 
     * Fix JS errors in admin comment overview for IE6 (garvinhicking)
index 6c1c92cb9962c9ea5c91f2dbe0fff562ca2523be..1f26c481dec00dc804cf036bacb24f6c4a7119aa 100644 (file)
@@ -13,7 +13,7 @@ if (!serendipity_checkPermission('adminCategories')) {
 $admin_category = (!serendipity_checkPermission('adminCategoriesMaintainOthers') ? "AND (authorid = 0 OR authorid = " . (int)$serendipity['authorid'] . ")" : '');
 
 /* Add a new category */
-if (isset($_POST['SAVE'])) {
+if (isset($_POST['SAVE']) && serendipity_checkFormToken()) {
     $name     = $serendipity['POST']['cat']['name'];
     $desc     = $serendipity['POST']['cat']['description'];
 
@@ -82,7 +82,7 @@ if (isset($_POST['SAVE'])) {
 }
 
 /* Delete a category */
-if ($serendipity['GET']['adminAction'] == 'doDelete') {
+if ($serendipity['GET']['adminAction'] == 'doDelete' && serendipity_checkFormToken()) {
     if ($serendipity['GET']['cid'] != 0) {
         $remaining_cat = (int)$serendipity['POST']['cat']['remaining_catid'];
         $category_ranges = serendipity_fetchCategoryRange((int)$serendipity['GET']['cid']);
@@ -135,6 +135,7 @@ if ($serendipity['GET']['adminAction'] == 'doDelete') {
             || (serendipity_checkPermission('adminCategoriesDelete') && serendipity_ACLCheck($serendipity['authorid'], $serendipity['GET']['cid'], 'category', 'write'))) { 
 ?>
         <form method="POST" name="serendipityCategory" action="?serendipity[adminModule]=category&amp;serendipity[adminAction]=doDelete&amp;serendipity[cid]=<?php echo $serendipity['GET']['cid'] ?>">
+        <?php echo serendipity_setFormToken(); ?>
             <br />
             <?php echo CATEGORY_REMAINING ?>:
             <select name="serendipity[cat][remaining_catid]">
@@ -178,6 +179,7 @@ if ($serendipity['GET']['adminAction'] == 'doDelete') {
         $groups = serendipity_getAllGroups();
 ?>
 <form method="POST" name="serendipityCategory">
+<?php echo serendipity_setFormToken(); ?>
 <table cellpadding="5" width="100%">
     <tr>
         <td><?php echo NAME; ?></td>
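Review bot: The token check added to the `doDelete` branch (`if ($serendipity['GET']['adminAction'] == 'doDelete' && serendipity_checkFormToken())`) also gates the plain GET that only renders the confirmation form two hunks later, because that form is printed inside the same `if`; unless the category list's delete link is given a `serendipity_setFormToken('url')` somewhere else in this commit, the confirmation page itself becomes unreachable. If only the POST that performs the deletion needs protection, the check belongs on that branch rather than on the whole `doDelete` block — the code that distinguishes the two lies outside these hunks, so I cannot say which line that is. What `serendipity_checkFormToken()` does on failure is not visible here either; if it returns silently, a comment such as `/* A failed token check skips the save without a message */` above `/* Add a new category */` would save the next reader a trip to functions_config.inc.php.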
index f18558626ce89797105b15c4906e56794a4d5a86..2435934a312fc336585a8850c721f2e59bea8009 100644 (file)
@@ -13,7 +13,7 @@ if (!serendipity_checkPermission('adminComments')) {
 $commentsPerPage = (!empty($serendipity['GET']['filter']['perpage']) ? $serendipity['GET']['filter']['perpage'] : 10);
 $summaryLength = 200;
 
-if ( $serendipity['POST']['formAction'] == 'multiDelete' && sizeof($serendipity['POST']['delete']) != 0 ) {
+if ( $serendipity['POST']['formAction'] == 'multiDelete' && sizeof($serendipity['POST']['delete']) != 0 && serendipity_checkFormToken()) {
     foreach ( $serendipity['POST']['delete'] as $k => $v ) {
         serendipity_deleteComment($k, $v);
         echo DONE . ': '. sprintf(COMMENT_DELETED, $k) . '<br />';
@@ -22,7 +22,7 @@ if ( $serendipity['POST']['formAction'] == 'multiDelete' && sizeof($serendipity[
 
 
 /* We are asked to save the edited comment, and we are not in preview mode */
-if ( isset($serendipity['GET']['adminAction']) && $serendipity['GET']['adminAction'] == 'doEdit' && !isset($serendipity['POST']['preview']) ) {
+if ( isset($serendipity['GET']['adminAction']) && $serendipity['GET']['adminAction'] == 'doEdit' && !isset($serendipity['POST']['preview']) && serendipity_checkFormToken()) {
     $sql = "UPDATE {$serendipity['dbPrefix']}comments
                     SET
                         author    = '" . serendipity_db_escape_string($serendipity['POST']['name'])    . "',
@@ -38,7 +38,7 @@ if ( isset($serendipity['GET']['adminAction']) && $serendipity['GET']['adminActi
 
 
 /* We approve a comment */
-if ( isset($serendipity['GET']['adminAction']) && $serendipity['GET']['adminAction'] == 'approve' ) {
+if ( isset($serendipity['GET']['adminAction']) && $serendipity['GET']['adminAction'] == 'approve' && serendipity_checkFormToken()) {
     $sql = "SELECT c.*, e.title, a.email as authoremail, a.mail_comments
             FROM {$serendipity['dbPrefix']}comments c
             LEFT JOIN {$serendipity['dbPrefix']}entries e ON (e.id = c.entry_id)
@@ -55,7 +55,7 @@ if ( isset($serendipity['GET']['adminAction']) && $serendipity['GET']['adminActi
 }
 
 /* We are asked to delete a comment */
-if ( isset($serendipity['GET']['adminAction']) && $serendipity['GET']['adminAction'] == 'delete' ) {
+if ( isset($serendipity['GET']['adminAction']) && $serendipity['GET']['adminAction'] == 'delete' && serendipity_checkFormToken()) {
     serendipity_deleteComment($serendipity['GET']['id'], $serendipity['GET']['entry_id']);
     echo DONE . ': '. sprintf(COMMENT_DELETED, $serendipity['GET']['id']);
 }
@@ -98,7 +98,7 @@ if ( isset($serendipity['GET']['adminAction']) && $serendipity['GET']['adminActi
 
     serendipity_displayCommentForm(
       $serendipity['GET']['entry_id'],
-      '?serendipity[action]=admin&amp;serendipity[adminModule]=comments&amp;serendipity[adminAction]=doEdit&amp;serendipity[id]=' . $serendipity['GET']['id'] . '&amp;serendipity[entry_id]=' . $serendipity['GET']['entry_id'],
+      '?serendipity[action]=admin&amp;serendipity[adminModule]=comments&amp;serendipity[adminAction]=doEdit&amp;serendipity[id]=' . $serendipity['GET']['id'] . '&amp;serendipity[entry_id]=' . $serendipity['GET']['entry_id'] . '&amp;' . serendipity_setFormToken('url'),
       NULL,
       $data,
       false,
@@ -139,6 +139,8 @@ if ($serendipity['GET']['filter']['type'] == 'TRACKBACK') {
     $c_type = null;
 }
 
+$searchString .= '&amp;' . serendipity_setFormToken('url');
+
 /* Paging */
 $sql = serendipity_db_query("SELECT COUNT(*) AS total FROM {$serendipity['dbPrefix']}comments c WHERE 1 = 1 " . ($c_type !== null ? " AND c.type = '$c_type' " : '') . $and, true);
 
@@ -198,6 +200,7 @@ function highlightComment(id, checkvalue) {
 }
 </script>
 <form action="" method="GET" style="margin: 0">
+<?php echo serendipity_setFormToken(); ?>
 <input type="hidden" name="serendipity[adminModule]" value="comments" />
 <input type="hidden" name="serendipity[page]" value="<?php echo $page ?>" />
 <table class="serendipity_admin_filters" width="100%">
@@ -255,6 +258,7 @@ function highlightComment(id, checkvalue) {
     } else {
 ?>
 <form action="" method="POST" name="formMultiDelete" id="formMultiDelete">
+<?php echo serendipity_setFormToken(); ?>
 <input type="hidden" name="serendipity[formAction]" value="multiDelete" />
 <table width="100%" cellpadding="3" border="0" cellspacing="0">
 <tr>
@@ -360,13 +364,13 @@ foreach ($sql as $rs) {
             </tr>
         </table>
 <?php if ($rs['status'] == 'pending') { ?>
-          <a href="?serendipity[action]=admin&amp;serendipity[adminModule]=comments&amp;serendipity[adminAction]=approve&amp;serendipity[id]=<?php echo $rs['id'] ?>" class="serendipityIconLink" title="<?php echo APPROVE; ?>"><img src="<?php echo serendipity_getTemplateFile('admin/img/accept.png'); ?>" alt="<?php echo APPROVE ?>" /><?php echo APPROVE ?></a>
+          <a href="?serendipity[action]=admin&amp;serendipity[adminModule]=comments&amp;serendipity[adminAction]=approve&amp;serendipity[id]=<?php echo $rs['id'] ?>&amp;<?php echo serendipity_setFormToken('url'); ?>" class="serendipityIconLink" title="<?php echo APPROVE; ?>"><img src="<?php echo serendipity_getTemplateFile('admin/img/accept.png'); ?>" alt="<?php echo APPROVE ?>" /><?php echo APPROVE ?></a>
 <?php } ?>
 <?php if ($excerpt) { ?>
           <a href="#c<?php echo $rs['id'] ?>" onclick="FT_toggle(<?php echo $rs['id'] ?>); return false;" title="<?php echo VIEW; ?>" class="serendipityIconLink"><img src="<?php echo serendipity_getTemplateFile('admin/img/zoom.png'); ?>" alt="<?php echo VIEW; ?>" /><span id="<?php echo $rs['id'] ?>_text"><?php echo VIEW ?></span></a>
 <?php } ?>
-          <a href="?serendipity[action]=admin&amp;serendipity[adminModule]=comments&amp;serendipity[adminAction]=edit&amp;serendipity[id]=<?php echo $rs['id'] ?>&amp;serendipity[entry_id]=<?php echo $rs['entry_id'] ?>" title="<?php echo EDIT; ?>" class="serendipityIconLink"><img src="<?php echo serendipity_getTemplateFile('admin/img/edit.png'); ?>" alt="<?php echo EDIT; ?>" /><?php echo EDIT ?></a>
-          <a href="?serendipity[action]=admin&amp;serendipity[adminModule]=comments&amp;serendipity[adminAction]=delete&amp;serendipity[id]=<?php echo $rs['id'] ?>&amp;serendipity[entry_id]=<?php echo $rs['entry_id'] ?>" onclick='return confirm("<?php echo sprintf(COMMENT_DELETE_CONFIRM, $rs['id'], htmlspecialchars($rs['author'])) ?>")' title="<?php echo DELETE ?>" class="serendipityIconLink"><img src="<?php echo serendipity_getTemplateFile('admin/img/delete.png'); ?>" alt="<?php echo DELETE; ?>" /><?php echo DELETE ?></a>
+          <a href="?serendipity[action]=admin&amp;serendipity[adminModule]=comments&amp;serendipity[adminAction]=edit&amp;serendipity[id]=<?php echo $rs['id'] ?>&amp;serendipity[entry_id]=<?php echo $rs['entry_id'] ?>&amp;<?php echo serendipity_setFormToken('url'); ?>" title="<?php echo EDIT; ?>" class="serendipityIconLink"><img src="<?php echo serendipity_getTemplateFile('admin/img/edit.png'); ?>" alt="<?php echo EDIT; ?>" /><?php echo EDIT ?></a>
+          <a href="?serendipity[action]=admin&amp;serendipity[adminModule]=comments&amp;serendipity[adminAction]=delete&amp;serendipity[id]=<?php echo $rs['id'] ?>&amp;serendipity[entry_id]=<?php echo $rs['entry_id'] ?>&amp;<?php echo serendipity_setFormToken('url'); ?>" onclick='return confirm("<?php echo sprintf(COMMENT_DELETE_CONFIRM, $rs['id'], htmlspecialchars($rs['author'])) ?>")' title="<?php echo DELETE ?>" class="serendipityIconLink"><img src="<?php echo serendipity_getTemplateFile('admin/img/delete.png'); ?>" alt="<?php echo DELETE; ?>" /><?php echo DELETE ?></a>
     </td>
 </tr>
 <tr>
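Review bot: Appending `serendipity_setFormToken('url')` to the approve, edit and delete links, to `$searchString`, and to the hidden field of the `method="GET"` filter form puts the session's token into the query string, so it shows up in the address bar, in server logs and in the Referer header of every outbound link on the comments page; the same pattern is used in images.inc.php (`$newLoc`, the `rename()` helper) and plugins.inc.php (move up/down links, the addnew form). The filter form only reads data, so its token could simply be dropped, and the approve/delete actions are still performed on a GET request — a small POST form per row would keep the token out of URLs and stop prefetchers from approving or deleting comments. If the URL form is kept, a comment at `$searchString .= '&amp;' . serendipity_setFormToken('url');` naming which consumers rely on the token being there would help, since none of them are in this hunk.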
index e34cc99dfbec72e7946ad2969af72d6395323797..2dc1864956056c29b329876b5a2b9183727e6eb7 100644 (file)
@@ -14,7 +14,7 @@ if (!serendipity_checkPermission('siteConfiguration') && !!serendipity_checkPerm
     return;
 }
 
-switch ($_POST['installAction']) {
+switch ($_POST['installAction'] && serendipity_checkFormToken()) {
     case 'check':
         $oldConfig = $serendipity;
         $res = serendipity_updateConfiguration();
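Review bot: `switch ($_POST['installAction'] && serendipity_checkFormToken())` switches on a boolean, not on the action name: with a valid token and any non-empty `installAction` the subject is `true`, which `switch`'s loose comparison matches against the first non-empty string case (`case 'check'` here) regardless of the submitted value, and with a failed check the subject is `false`, which would match any `case ''`, `case 0` or `case null` further down. Gate the value instead, `switch (serendipity_checkFormToken() ? $_POST['installAction'] : null) {`, or wrap the whole `switch` in `if (serendipity_checkFormToken())`. The remaining cases of the switch are outside the hunk, so I cannot tell which of them are currently unreachable.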
index be1951a89311335744d8bcb7fde686bdd67307f3..aebf74986f6b02e409638e753b29615cff722d3d 100644 (file)
@@ -11,14 +11,14 @@ if (!serendipity_checkPermission('adminUsersGroups')) {
 }
 
 /* Delete a group */
-if (isset($_POST['DELETE_YES'])) {
+if (isset($_POST['DELETE_YES']) && serendipity_checkFormToken()) {
     $group = serendipity_fetchGroup($serendipity['POST']['group']);
     serendipity_deleteGroup($serendipity['POST']['group']);
     printf('<div class="serendipityAdminMsgSuccess">' . DELETED_GROUP . '</div>', $serendipity['POST']['group'], $group['name']);
 }
 
 /* Save new group */
-if (isset($_POST['SAVE_NEW'])) {
+if (isset($_POST['SAVE_NEW']) && serendipity_checkFormToken()) {
     $serendipity['POST']['group'] = serendipity_addGroup($serendipity['POST']['name']);
     $perms = serendipity_getAllPermissionNames();    
     serendipity_updateGroupConfig($serendipity['POST']['group'], $perms, $serendipity['POST']);
@@ -27,7 +27,7 @@ if (isset($_POST['SAVE_NEW'])) {
 
 
 /* Edit a group */
-if (isset($_POST['SAVE_EDIT'])) {
+if (isset($_POST['SAVE_EDIT']) && serendipity_checkFormToken()) {
     $perms = serendipity_getAllPermissionNames();    
     serendipity_updateGroupConfig($serendipity['POST']['group'], $perms, $serendipity['POST']);
     printf('<div class="serendipityAdminMsgSuccess">' . MODIFIED_GROUP . '</div>', $serendipity['POST']['name']);
@@ -88,6 +88,7 @@ if ($serendipity['GET']['adminAction'] == 'edit' || isset($_POST['NEW'])) {
 <br />
 <hr noshade="noshade">
 <form action="?serendipity[adminModule]=groups" method="post">
+<?php echo serendipity_setFormToken(); ?>
     <div>
     <h3>
 <?php
@@ -191,6 +192,7 @@ if ($serendipity['GET']['adminAction'] == 'edit') { ?>
     <div>
     <?php printf(DELETE_GROUP, $serendipity['GET']['group'], $group['name']); ?>
         <br /><br />
+        <?php echo serendipity_setFormToken(); ?>
         <input type="hidden" name="serendipity[group]" value="<?php echo $serendipity['GET']['group']; ?>" />
         <input type="submit" name="DELETE_YES" value="<?php echo DUMP_IT; ?>" class="serendipityPrettyButton" />
         <input type="submit" name="NO" value="<?php echo NOT_REALLY; ?>" class="serendipityPrettyButton" />
index b7a4852ab26b77984adf6f494707befe3e65b356..49180294d9465c8388ec82bb6e0f309ff4625b0e 100644 (file)
@@ -33,7 +33,7 @@ switch ($serendipity['GET']['adminAction']) {
         break;
 
     case 'DoDelete':
-        if (!serendipity_checkPermission('adminImagesDelete')) {
+        if (!serendipity_checkFormToken() || !serendipity_checkPermission('adminImagesDelete')) {
             break;
         }
 
@@ -49,7 +49,7 @@ switch ($serendipity['GET']['adminAction']) {
         }
 
         $abortLoc = $serendipity['serendipityHTTPPath'] . 'serendipity_admin.php?serendipity[adminModule]=images';
-        $newLoc   = $abortLoc . '&serendipity[adminAction]=DoDelete&serendipity[fid]=' . $serendipity['GET']['fid'];
+        $newLoc   = $abortLoc . '&serendipity[adminAction]=DoDelete&serendipity[fid]=' . $serendipity['GET']['fid'] . '&' . serendipity_setFormToken('url');
 
         printf(ABOUT_TO_DELETE_FILE, $file['name'] .'.'. $file['extension']);
 ?>
@@ -67,7 +67,7 @@ switch ($serendipity['GET']['adminAction']) {
         $file = serendipity_fetchImageFromDatabase($serendipity['GET']['fid']);
         $serendipity['GET']['newname'] = serendipity_uploadSecure($serendipity['GET']['newname'], true);
 
-        if (!serendipity_checkPermission('adminImagesDelete') || (!serendipity_checkPermission('adminImagesMaintainOthers') && $file['authorid'] != '0' && $file['authorid'] != $serendipity['authorid'])) {
+        if (!serendipity_checkFormToken() || !serendipity_checkPermission('adminImagesDelete') || (!serendipity_checkPermission('adminImagesMaintainOthers') && $file['authorid'] != '0' && $file['authorid'] != $serendipity['authorid'])) {
             return;
         }
 
@@ -119,7 +119,7 @@ switch ($serendipity['GET']['adminAction']) {
         break;
 
     case 'add':
-        if (!serendipity_checkPermission('adminImagesAdd')) {
+        if (!serendipity_checkFormToken() || !serendipity_checkPermission('adminImagesAdd')) {
             return;
         }
 
@@ -249,7 +249,7 @@ switch ($serendipity['GET']['adminAction']) {
 
 
     case 'directoryDoDelete':
-        if (!serendipity_checkPermission('adminImagesDirectories')) {
+        if (!serendipity_checkFormToken() || !serendipity_checkPermission('adminImagesDirectories')) {
             return;
         }
 
@@ -278,6 +278,7 @@ switch ($serendipity['GET']['adminAction']) {
     <br />
     <br />
     <form method="POST" action="?serendipity[adminModule]=images&serendipity[adminAction]=directoryDoDelete&amp;serendipity[dir]=<?php echo $serendipity['GET']['dir'] ?>">
+    <?php echo serendipity_setFormToken(); ?> 
     <table cellpadding="5">
         <tr>
             <td width="100"><strong><?php echo NAME ?></strong></td>
@@ -299,7 +300,7 @@ switch ($serendipity['GET']['adminAction']) {
         break;
 
     case 'directoryDoCreate':
-        if (!serendipity_checkPermission('adminImagesDirectories')) {
+        if (!serendipity_checkFormToken() || !serendipity_checkPermission('adminImagesDirectories')) {
             return;
         }
 
@@ -327,6 +328,7 @@ switch ($serendipity['GET']['adminAction']) {
     <br />
     <br />
     <form method="POST" action="?serendipity[adminModule]=images&serendipity[adminAction]=directoryDoCreate">
+    <?php echo serendipity_setFormToken(); ?> 
     <table cellpadding="5">
         <tr>
             <td><?php echo NAME ?></td>
@@ -540,6 +542,7 @@ switch ($serendipity['GET']['adminAction']) {
 
     <form action="?" method="POST" id="uploadform" enctype="multipart/form-data">
         <div>
+            <?php echo serendipity_setFormToken(); ?> 
             <input type="hidden" name="serendipity[action]"      value="admin" />
             <input type="hidden" name="serendipity[adminModule]" value="images" />
             <input type="hidden" name="serendipity[adminAction]" value="add" />
@@ -639,9 +642,9 @@ switch ($serendipity['GET']['adminAction']) {
         if (serendipity_rotateImg($serendipity['GET']['fid'], -90)) {
 ?>
         <script language="javascript" type="text/javascript">
-            location.href="<?php echo $_SERVER['HTTP_REFERER'] ?>";
+            location.href="<?php echo htmlspecialchars($_SERVER['HTTP_REFERER']) ?>";
         </script>
-       <noscript><a href="<?php echo $_SERVER['HTTP_REFERER'] ?>"><?php echo DONE ?></a></noscript>
+       <noscript><a href="<?php echo htmlspecialchars($_SERVER['HTTP_REFERER']) ?>"><?php echo DONE ?></a></noscript>
 <?php
         }
     break;
@@ -655,9 +658,9 @@ switch ($serendipity['GET']['adminAction']) {
         if (serendipity_rotateImg($serendipity['GET']['fid'], 90)) {
 ?>
         <script language="javascript" type="text/javascript">
-            location.href="<?php echo $_SERVER['HTTP_REFERER'] ?>";
+            location.href="<?php echo htmlspecialchars($_SERVER['HTTP_REFERER']) ?>";
         </script>
-       <noscript><a href="<?php echo $_SERVER['HTTP_REFERER'] ?>"><?php echo DONE ?></a></noscript>
+       <noscript><a href="<?php echo htmlspecialchars($_SERVER['HTTP_REFERER']) ?>"><?php echo DONE ?></a></noscript>
 <?php
         }
     break;
@@ -665,7 +668,7 @@ switch ($serendipity['GET']['adminAction']) {
     case 'scale':
         $file = serendipity_fetchImageFromDatabase($serendipity['GET']['fid']);
 
-        if (!serendipity_checkPermission('adminImagesDelete') || (!serendipity_checkPermission('adminImagesMaintainOthers') && $file['authorid'] != '0' && $file['authorid'] != $serendipity['authorid'])) {
+        if (!serendipity_checkFormToken() || !serendipity_checkPermission('adminImagesDelete') || (!serendipity_checkPermission('adminImagesMaintainOthers') && $file['authorid'] != '0' && $file['authorid'] != $serendipity['authorid'])) {
             return;
         }
 
@@ -684,7 +687,7 @@ switch ($serendipity['GET']['adminAction']) {
     <script language="javascript" type="text/javascript">
        // location.href="?serendipity[adminModule]=images";
     </script>
-    <noscript><a href="<?php echo $_SERVER['HTTP_REFERER'] ?>"><?php echo DONE ?></a></noscript>
+    <noscript><a href="<?php echo htmlspecialchars($_SERVER['HTTP_REFERER']) ?>"><?php echo DONE ?></a></noscript>
 <?php
         break;
 
@@ -729,6 +732,7 @@ switch ($serendipity['GET']['adminAction']) {
         <div>
             <?php echo NEWSIZE; ?>
 
+            <?php echo serendipity_setFormToken(); ?> 
             <input type="hidden" name="serendipity[adminModule]" value="images" />
             <input type="hidden" name="serendipity[adminAction]" value="scale" />
             <input type="hidden" name="serendipity[fid]"         value="<?php echo $serendipity["GET"]["fid"]; ?>" />
@@ -758,7 +762,7 @@ switch ($serendipity['GET']['adminAction']) {
     <!--
         function rename(id, fname) {
             if(newname = prompt('<?php echo ENTER_NEW_NAME; ?>' + fname, fname)) {
-                location.href='?serendipity[adminModule]=images&serendipity[adminAction]=rename&serendipity[fid]='+ escape(id) + '&serendipity[newname]='+ escape(newname);
+                location.href='?<?php echo serendipity_setFormToken('url'); ?>&serendipity[adminModule]=images&serendipity[adminAction]=rename&serendipity[fid]='+ escape(id) + '&serendipity[newname]='+ escape(newname);
             }
         }
     //-->
@@ -775,4 +779,3 @@ switch ($serendipity['GET']['adminAction']) {
         break;
 }
 /* vim: set sts=4 ts=4 expandtab : */
-?>
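Review bot: The rotate and scale branches still redirect to the Referer header (`location.href="<?php echo htmlspecialchars($_SERVER['HTTP_REFERER']) ?>";` and the `<noscript>` links): when the browser sends no Referer — the case this commit's `serendipity_checkXSRF()` treats as a denial — the href is empty, and `htmlspecialchars()` escapes for HTML attribute context, not for the JavaScript string literal inside `<script>`, nor does it validate the scheme or host of the URL it is given. The commented-out `location.href="?serendipity[adminModule]=images";` on the scale branch is the safer target; if the referer must be kept, run it through `parse_url()` and accept only a same-host `http`/`https` URL before echoing it. Note also that `DoDelete` leaves the switch with `break;` on a failed token while the other guarded cases use `return;`, so the two paths fall through differently; the enclosing `switch` starts and ends outside these hunks.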
index d3bf0e3156f84472339184855a38a5d961750caf..7bb4f7f90d266a83f1be1c8ff87066d5072efa9f 100644 (file)
@@ -31,7 +31,7 @@ class Serendipity_Import {
         }
 
         if (LANG_CHARSET != 'ISO-8859-1') {
-            $charset['ISO-8859-1'] = 'ISO-8859-1';
+            $charsets['ISO-8859-1'] = 'ISO-8859-1';
         }
         
         if ($utf8_default) {
@@ -41,8 +41,22 @@ class Serendipity_Import {
         return $charsets;
     }
 
-    function decode($string) {
-        switch($this->data['charset']) {
+    function &decode($string) {
+        static $phpCharset = null;
+        $target = $this->data['charset'];
+
+        if ($phpCharset === null) {
+            $phpCharset = version_compare(phpversion(), '4.3.11', '>=');
+        }
+
+        if ($phpCharset == 1) {
+            // Luckily PHP5 supports
+            // xml_parser_set_option($this->parser, XML_OPTION_TARGET_ENCODING, LANG_CHARSET);
+            // which means we need no transcoding here.
+            return $string;
+        }
+
+        switch($target) {
             case 'native':
                 return $string;
 
@@ -103,7 +117,7 @@ class Serendipity_Import {
     }
 }
 
-if ( isset($serendipity['GET']['importFrom']) ) {
+if (isset($serendipity['GET']['importFrom']) && serendipity_checkFormToken()) {
 
     /* Include the importer */
     $class = @require_once(S9Y_INCLUDE_PATH . 'include/admin/importers/'. basename($serendipity['GET']['importFrom']) .'.inc.php');
@@ -133,6 +147,7 @@ if ( isset($serendipity['GET']['importFrom']) ) {
 <?php echo IMPORT_PLEASE_ENTER ?>:<br />
 <br />
 <form action="" method="POST" enctype="multipart/form-data">
+  <?php echo serendipity_setFormToken(); ?>
   <table cellpadding="3" cellspacing="2">
     <?php foreach ( $importer->getInputFields() as $field ) { ?>
     <tr>
@@ -183,6 +198,7 @@ if ( isset($serendipity['GET']['importFrom']) ) {
 <br />
 <form action="" method="GET">
   <input type="hidden" name="serendipity[adminModule]" value="import">
+  <?php echo serendipity_setFormToken(); ?>
   <strong><?php echo IMPORT_WEBLOG_APP ?>: </strong>
   <select name="serendipity[importFrom]">
     <?php foreach ($list as $v=>$k) { ?>
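Review bot: In `decode()` the comment `// Luckily PHP5 supports` the target-encoding parser option disagrees with the guard, which tests `version_compare(phpversion(), '4.3.11', '>=')`, and the cached boolean is named `$phpCharset` and compared with `== 1`; either the comment should say which PHP version really grew `XML_OPTION_TARGET_ENCODING` support or the threshold should be changed, and `static $parserTranscodes = null;` ... `if ($parserTranscodes) {` would say what the flag means. The new `function &decode($string)` returns by reference; `return $string;` is harmless, but any `return` of a function call or expression in the rest of the `switch` (outside the hunk) will emit "Only variable references should be returned by reference", and unless a caller actually binds the result with `=&`, the `&` can be dropped. The `@require_once` of a path built from `basename($serendipity['GET']['importFrom'])` is pre-existing, but with the token check now in front of it a comment stating that `basename()` is what confines the include to `include/admin/importers/` would document the intent.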
index 5ea05a59a5fd26e4afeb160527fa79dcef768120..216a383135c63c09881e1bf9bfa2977592a892be 100644 (file)
@@ -129,6 +129,7 @@ class Serendipity_Import_Generic extends Serendipity_Import {
 
         $c = &new Onyx_RSS();
         $c->parse($this->data['url']);
+        $this->data['encoding'] = $c->rss['encoding'];
 
         $serendipity['noautodiscovery'] = 1;
         while ($item = $c->getNextItem()) {
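Review bot: `$this->data['encoding'] = $c->rss['encoding'];` assumes the parsed feed declared an encoding; if Onyx_RSS leaves `rss['encoding']` unset for a feed without an XML declaration this raises an undefined-index notice and stores null. Guard it, `$this->data['encoding'] = isset($c->rss['encoding']) ? $c->rss['encoding'] : null;`, and add a comment naming the consumer of `data['encoding']` — nothing visible in this commit reads it, and `decode()` in the parent class reads `data['charset']` instead. The enclosing method starts and ends outside the hunk.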
index 68b9529945dd89e827c4acf04a4d3c1908c22820..0815ee804fb10f6a0e4730d1f41e874437a84808 100644 (file)
@@ -12,7 +12,7 @@ if (!serendipity_checkPermission('personalConfiguration')) {
 
 $from = array();
 
-if ( $serendipity['GET']['adminAction'] == 'save' ) {
+if ($serendipity['GET']['adminAction'] == 'save' && serendipity_checkFormToken()) {
     $config = serendipity_parseTemplate(S9Y_CONFIG_USERTEMPLATE);
     if (!serendipity_checkPermission('adminUsersEditUserlevel') && (int)$_POST['userlevel'] > $serendipity['serendipityUserlevel']) {
         echo '<div class="serendipityAdminMsgError">' . CREATE_NOT_AUTHORIZED_USERLEVEL . '</div>';
@@ -42,7 +42,8 @@ if ( $serendipity['GET']['adminAction'] == 'save' ) {
 } ?>
 
 <form action="?serendipity[adminModule]=personal&amp;serendipity[adminAction]=save" method="post">
-<?php
+<?php 
+echo serendipity_setFormToken();
 $template       = serendipity_parseTemplate(S9Y_CONFIG_USERTEMPLATE);
 $user           = serendipity_fetchUsers($serendipity['authorid']);
 $from           = $user[0];
@@ -55,4 +56,3 @@ serendipity_printConfigTemplate($template, $from, true, false);
 
 <?php
 /* vim: set sts=4 ts=4 expandtab : */
-?>
index a110050b986eedbef513435cc594b13777c21282..4332a349f9789cc7e140ca1ee2fd6b65c98e6120 100644 (file)
@@ -31,6 +31,7 @@ function show_plugins($event_only = false)
     global $serendipity;
 ?>
     <form action="?serendipity[adminModule]=plugins" method="post">
+        <?php echo serendipity_setFormToken(); ?>
         <table border="0" cellpadding="5" cellspacing="0" width="100%">
             <tr>
                 <td colspan="2">&nbsp;</td>
@@ -105,13 +106,13 @@ function show_plugins($event_only = false)
             if ($sort_idx == 0) {
                 $moveup   = '&nbsp;';
             } else {
-                $moveup   = '<a href="?serendipity[adminModule]=plugins&amp;submit=move+up&amp;serendipity[plugin_to_move]=' . $key . $event_only_uri . '" style="border: 0"><img src="' . serendipity_getTemplateFile('admin/img/uparrow.png') .'" height="16" width="16" border="0" alt="' . UP . '" /></a>';
+                $moveup   = '<a href="?' . serendipity_setFormToken('url') . '&amp;serendipity[adminModule]=plugins&amp;submit=move+up&amp;serendipity[plugin_to_move]=' . $key . $event_only_uri . '" style="border: 0"><img src="' . serendipity_getTemplateFile('admin/img/uparrow.png') .'" height="16" width="16" border="0" alt="' . UP . '" /></a>';
             }
 
             if ($sort_idx == (count($plugins)-1)) {
                 $movedown = '&nbsp;';
             } else {
-                $movedown = ($moveup != '' ? '&nbsp;' : '') . '<a href="?serendipity[adminModule]=plugins&amp;submit=move+down&serendipity[plugin_to_move]=' . $key . $event_only_uri . '" style="border: 0"><img src="' . serendipity_getTemplateFile('admin/img/downarrow.png') . '" height="16" width="16" alt="'. DOWN .'" border="0" /></a>';
+                $movedown = ($moveup != '' ? '&nbsp;' : '') . '<a href="?' . serendipity_setFormToken('url') . '&amp;serendipity[adminModule]=plugins&amp;submit=move+down&serendipity[plugin_to_move]=' . $key . $event_only_uri . '" style="border: 0"><img src="' . serendipity_getTemplateFile('admin/img/downarrow.png') . '" height="16" width="16" alt="'. DOWN .'" border="0" /></a>';
             }
 ?>
             <tr>
@@ -214,7 +215,7 @@ function placement_box($name, $val, $is_plugin_editable = false)
     return $x . "</select>\n";
 }
 
-if (isset($_GET['serendipity']['plugin_to_move']) && isset($_GET['submit'])) {
+if (isset($_GET['serendipity']['plugin_to_move']) && isset($_GET['submit']) && serendipity_checkFormToken()) {
     if (isset($_GET['serendipity']['event_plugin'])) {
         $plugins = serendipity_plugin_api::enum_plugins('event', false);
     } else {
@@ -270,7 +271,7 @@ if (isset($_GET['serendipity']['plugin_to_conf'])) {
 
     $config_names = $bag->get('configuration');
 
-    if (isset($_POST['SAVECONF'])) {
+    if (isset($_POST['SAVECONF']) && serendipity_checkFormToken()) {
         /* enum properties and set their values */
 
         $save_errors = array();
@@ -310,6 +311,7 @@ if (isset($_GET['serendipity']['plugin_to_conf'])) {
 <?php } ?>
 
 <form method="post" name="serendipityPluginConfigure">
+    <?php echo serendipity_setFormToken(); ?>
     <table cellpadding="5" style="border: 1px dashed" width="90%" align="center">
         <tr>
             <th width="100"><?php echo NAME; ?></th>
@@ -625,6 +627,7 @@ if (isset($_GET['serendipity']['plugin_to_conf'])) {
     <tr>
         <td colspan="2" class="serendipity_pluginlist_header">
             <form action="serendipity_admin.php" method="get">
+                <?php echo serendipity_setFormToken(); ?>
                 <input type="hidden" name="serendipity[adminModule]" value="plugins" />
                 <input type="hidden" name="serendipity[adminAction]" value="addnew" />
                 <input type="hidden" name="serendipity[type]" value="<?php echo htmlspecialchars($serendipity['GET']['type']); ?>" />
@@ -743,7 +746,7 @@ if (isset($_GET['serendipity']['plugin_to_conf'])) {
 } else {
     /* show general plugin list */
 
-    if (isset($_POST['SAVE']) && isset($_POST['serendipity']['placement'])) {
+    if (isset($_POST['SAVE']) && isset($_POST['serendipity']['placement']) && serendipity_checkFormToken()) {
         foreach ($_POST['serendipity']['placement'] as $plugin_name => $placement) {
             serendipity_plugin_api::update_plugin_placement(
                 addslashes($plugin_name),
@@ -792,7 +795,7 @@ if (isset($_GET['serendipity']['plugin_to_conf'])) {
         }
     }
 
-    if (isset($_POST['REMOVE'])) {
+    if (isset($_POST['REMOVE']) && serendipity_checkFormToken()) {
         if (is_array($_POST['serendipity']['plugin_to_remove'])) { 
             foreach ($_POST['serendipity']['plugin_to_remove'] as $key) {
                 $plugin =& serendipity_plugin_api::load_plugin($key);
@@ -824,4 +827,3 @@ if (isset($_GET['serendipity']['plugin_to_conf'])) {
 <?php
 }
 /* vim: set sts=4 ts=4 expandtab : */
-?>
index 49b6f3780b9d03139559c833bbdb6b53fdabae89..9e86e9149a11245bf838ea432e3223cb5b1af765 100644 (file)
@@ -13,7 +13,7 @@ if (!serendipity_checkPermission('adminUsers')) {
 require_once(S9Y_INCLUDE_PATH . 'include/functions_installer.inc.php');
 
 /* Delete a user */
-if (isset($_POST['DELETE_YES'])) {
+if (isset($_POST['DELETE_YES']) && serendipity_checkFormToken()) {
     $user = serendipity_fetchUsers($serendipity['POST']['user']);
     if ($user[0]['userlevel'] >= $serendipity['serendipityUserlevel'] || !serendipity_checkPermission('adminUsersDelete')) {
         echo '<div class="serendipityAdminMsgError">' . CREATE_NOT_AUTHORIZED . '</div>';
@@ -35,7 +35,7 @@ if (isset($_POST['DELETE_YES'])) {
 
 
 /* Save new user */
-if (isset($_POST['SAVE_NEW'])) {
+if (isset($_POST['SAVE_NEW']) && serendipity_checkFormToken()) {
     if ($_POST['userlevel'] >= $serendipity['serendipityUserlevel'] || !serendipity_checkPermission('adminUsersCreateNew')) {
         echo '<div class="serendipityAdminMsgError">' . CREATE_NOT_AUTHORIZED . '</div>';
     } else {
@@ -87,7 +87,7 @@ if (isset($_POST['SAVE_NEW'])) {
 
 
 /* Edit a user */
-if (isset($_POST['SAVE_EDIT'])) {
+if (isset($_POST['SAVE_EDIT']) && serendipity_checkFormToken()) {
     $user = serendipity_fetchUsers($serendipity['POST']['user']);
     if (!serendipity_checkPermission('adminUsersMaintainOthers') && $user[0]['userlevel'] >= $serendipity['serendipityUserlevel']) {
         echo '<div class="serendipityAdminMsgError">' . CREATE_NOT_AUTHORIZED . '</div>';
@@ -213,6 +213,7 @@ if ( ($serendipity['GET']['adminAction'] == 'edit' && serendipity_checkPermissio
 <br />
 <hr noshade="noshade">
 <form action="?serendipity[adminModule]=users" method="post">
+<?php echo serendipity_setFormToken(); ?>
     <div>
     <h3>
 <?php
@@ -272,6 +273,7 @@ if ($serendipity['GET']['adminAction'] == 'edit') { ?>
     <div>
     <?php printf(DELETE_USER, $serendipity['GET']['userid'], $user[0]['realname']); ?>
         <br /><br />
+        <?php echo serendipity_setFormToken(); ?>
         <input type="hidden" name="serendipity[user]" value="<?php echo $serendipity['GET']['userid']; ?>" />
         <input type="submit" name="DELETE_YES" value="<?php echo DUMP_IT; ?>" class="serendipityPrettyButton" />
         <input type="submit" name="NO" value="<?php echo NOT_REALLY; ?>" class="serendipityPrettyButton" />
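Review bot: `$serendipity['GET']['userid']` is written raw into the hidden input's `value` attribute on the line after the new token, and into the `printf()` two lines above it, so a crafted `userid` in the edit link can break out of the attribute on this admin page unless the framework HTML-escapes GET values upstream, which nothing in this hunk shows. The token only stops forged submissions; it does not protect the page from markup injected through the request that renders it. Suggest `value="<?php echo htmlspecialchars($serendipity['GET']['userid']); ?>"` and escaping both `printf()` arguments the same way, matching the `htmlspecialchars()` this commit already uses for hidden inputs in the image-list form.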
index 1782168116d55c8127409d3703ef7fff83678ac9..d8603d9058fcf1c2d50b4697bc81c8a3e6504dc5 100644 (file)
@@ -299,6 +299,7 @@ function serendipity_authenticate_author($username = '', $password = '', $is_md5
         $row = serendipity_db_query($query, true, 'assoc');
 
         if (is_array($row)) {
+            serendipity_setCookie('old_session', session_id());
             $_SESSION['serendipityUser']        = $serendipity['serendipityUser']         = $username;
             $_SESSION['serendipityPassword']    = $serendipity['serendipityPassword']     = $password;
             $_SESSION['serendipityEmail']       = $serendipity['serendipityEmail']        = $row['email'];
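Review bot: The `old_session` value is written to a client cookie and later accepted as an alternative token secret, which makes the set of valid form tokens partly attacker-influenced: anyone who can plant a cookie for this host (a sibling subdomain, or a plaintext connection on a mixed deployment) can set `old_session` to a value of their choosing and submit `md5()` of it as the token. Binding the previous session id server-side avoids that, e.g. `$_SESSION['serendipityOldSession'] = session_id();` stored in the session the user ends up with and compared from there rather than from `$serendipity['COOKIE']`. Whether the session id is actually regenerated after this point, and with what cookie parameters `serendipity_setCookie()` writes, is outside the hunk; `serendipity_authenticate_author()` starts before it and continues after it.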
@@ -1109,14 +1110,14 @@ function serendipity_checkXSRF() {
 
     // The referrer was empty. Deny access.
     if (empty($_SERVER['HTTP_REFERER'])) {
-        echo serendipity_reportXSRF(1);
+        echo serendipity_reportXSRF(1, true, true);
         return false;
     }
     
     // Parse the Referrer host. Abort if not parseable.
     $hostinfo = @parse_url($_SERVER['HTTP_REFERER']);
     if (!is_array($hostinfo)) {
-        echo serendipity_reportXSRF(2);
+        echo serendipity_reportXSRF(2, true, true);
         return true;
     }
 
@@ -1133,19 +1134,66 @@ function serendipity_checkXSRF() {
 
     // If the current server is different than the referred server, deny access.
     if ($hostinfo['host'] != $server) {
-        echo serendipity_reportXSRF(3);
+        echo serendipity_reportXSRF(3, true, true);
         return true;
     }
     
     return false;
 }
 
-function serendipity_reportXSRF($type = 0) {
+function serendipity_reportXSRF($type = 0, $reset = true, $use_config = false) {
     global $serendipity;
 
+    // Set this in your serendipity_config_local.inc.php if you want HTTP Referrer blocking:
+    // $serendipity['referrerXSRF'] = true;
+
     $string = '<div class="serendipityAdminMsgError XSRF_' . $type . '">' . ERROR_XSRF . '</div>';
-    $serendipity['GET']['adminModule'] = '';
+    if ($reset) {
+        // Config key "referrerXSRF" can be set to enable blocking based on HTTP Referrer. Recommended for Paranoia.
+        if (($use_config && isset($serendipity['referrerXSRF']) && $serendipity['referrerXSRF']) || $use_config === false) {
+            $serendipity['GET']['adminModule'] = '';
+        } else {
+            // Paranoia not enabled. Do not report XSRF.
+            $string = '';
+        }
+    }
     return $string;
 }
 
-/* vim: set sts=4 ts=4 expandtab : */
+function serendipity_checkFormToken() {
+    global $serendipity;
+    
+    $token = '';
+    if (!empty($serendipity['POST']['token'])) {
+        $token = $serendipity['POST']['token'];
+    } elseif (!empty($serendipity['GET']['token'])) {
+        $token = $serendipity['GET']['token'];
+    }
+
+    if (empty($token)) {
+        echo serendipity_reportXSRF('token', false);
+        return false;
+    }
+
+    if ($token != md5(session_id()) &&
+        $token != md5($serendipity['COOKIE']['old_session'])) {
+        echo serendipity_reportXSRF('token', false);
+        return false;
+    }
+    
+    return true;
+}
+
+function serendipity_setFormToken($type = 'form') {
+    global $serendipity;
+    
+    if ($type == 'form') {
+        return '<input type="hidden" name="serendipity[token]" value="' . md5(session_id()) . '" />';
+    } elseif ($type == 'url') {
+        return 'serendipity[token]=' . md5(session_id());
+    } else {
+        return md5(session_id());
+    }
+}
+
+/* vim: set sts=4 ts=4 expandtab : */
\ No newline at end of file
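Review bot: When no `old_session` cookie is present, the second comparison in `serendipity_checkFormToken()` computes `md5()` of an undefined value, i.e. `md5('')` = `d41d8cd98f00b204e9800998ecf8427e`, so a request carrying that well-known constant as `serendipity[token]` passes the check without knowing the session id; the cookie is only set on the login path in this commit, so any session that predates the deploy, or whose cookie is not sent, appears to be in that state. Only consult the cookie when it is actually set: `if ($token != md5(session_id()) && (empty($serendipity['COOKIE']['old_session']) || $token != md5($serendipity['COOKIE']['old_session']))) {`. Separately, the token is also accepted from `$serendipity['GET']` and `serendipity_setFormToken('url')` emits it for query strings, so it will travel in URLs, logs and Referer headers; consider requiring the POST token for state-changing handlers. Whether `$serendipity['COOKIE']` is populated straight from `$_COOKIE` is not visible here.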
index c7e8ee83c61c78623518505f6c8307f83fc2844f..2695d18627356c283fd0612a85976b387bc9bf51 100644 (file)
@@ -99,7 +99,7 @@ function serendipity_printEntryForm($targetURL, $hiddens = array(), $entry = arr
     $hidden .= '        <input type="hidden" id="entryid" name="serendipity[id]" value="' . (isset($entry['id']) ? $entry['id'] : '') . '" />' . $n;\r
     $hidden .= '        <input type="hidden" name="serendipity[timestamp]" value="' . (isset($entry['timestamp']) ? serendipity_serverOffsetHour($entry['timestamp']) : serendipity_serverOffsetHour(time())) . '" />' . $n;\r
     $hidden .= '        <input type="hidden" name="serendipity[preview]" value="false" />';\r
-\r
+    $hidden .= '        ' . serendipity_setFormToken();\r
     if (!empty($errMsg)) {\r
 ?>\r
         <div class="serendipityAdminMsgError"><?php echo $errMsg; ?></div>\r
index 35bcd5e769d63b2f0ec4cd3f01e995a241eddf3e..f2192ea3b8e5785b00478238294f399e372cbca2 100644 (file)
@@ -940,6 +940,7 @@ function serendipity_displayImageList($page = 0, $lineBreak = NULL, $manage = fa
 ?>
 <form style="display: inline; margin: 0px; padding: 0px;" method="get" action="?">
 <?php
+    echo serendipity_setFormToken();
     foreach($serendipity['GET'] AS $g_key => $g_val) {
         if ( !is_array($g_val) && $g_key != 'page' ) {
             echo '<input type="hidden" name="serendipity[' . $g_key . ']" value="' . htmlspecialchars($g_val) . '" />';
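Review bot: Emitting the form token inside a `method="get"` form sends `md5(session_id())` in the query string, where it lands in server logs, browser history and the Referer header of every outbound link or embedded image on the resulting page; because `serendipity_checkFormToken()` accepts the token from GET as well as POST, a third party receiving that Referer holds a token valid for every protected action in the session. If this image-list form only drives read-only paging, drop `echo serendipity_setFormToken();` here rather than widening where the token travels; if a handler does require it, make that submission a POST. `serendipity_displayImageList()` starts before this hunk and continues after it.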
index 49be3df860ac8a076edac7188b724fdfd3dbb794..e48054b3f9029acc8bd659a931d33a2eb53a4fff 100644 (file)
@@ -387,6 +387,7 @@ function showConfigAll(count) {
     <div>
         <input type="hidden" name="serendipity[adminModule]" value="installer" />
         <input type="hidden" name="installAction" value="check" />
+        <?php echo serendipity_setFormToken(); ?>
         <br />
 <?php   }
     if (sizeof($config) > 1 && $allowToggle) { ?>
@@ -504,7 +505,7 @@ function serendipity_parse_sql_tables($filename) {
             $line = trim(fgets($fp, 4096));
             if ($in_table) {
                 $def .= $line;
-                if (preg_match('/^\)\s*(type\=\S+)?\s*\;$/i', $line)) {
+                if (preg_match('/^\)\s*(type\=\S+|\{UTF_8\})?\s*\;$/i', $line)) {
                     $in_table = 0;
                     array_push($queries, $def);
                 }
@@ -581,9 +582,9 @@ function serendipity_checkInstallation() {
     $serendipity['dbType'] = $_POST['dbType'];
     // Probe database
     // (do it after the dir stuff, as we need to be able to create the sqlite database)
-    @include_once($_POST['serendipityPath'] . 'include/db/db.inc.php');
+    include_once($_POST['serendipityPath'] . 'include/db/db.inc.php');
     // For shared installations, probe the file on include path
-    @include_once(S9Y_INCLUDE_PATH . 'include/db/db.inc.php');
+    include_once(S9Y_INCLUDE_PATH . 'include/db/db.inc.php');
 
     if (S9Y_DB_INCLUDED) {
         serendipity_db_probe($_POST, $errs);
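Review bot: `include_once($_POST['serendipityPath'] . 'include/db/db.inc.php')` includes a file from a path taken straight from the request, and this hunk only removes the `@` in front of it, so a failed attempt now also echoes the attacker-chosen path in the warning. Before including, confirm the value is a local, existing installation directory: `$path = realpath($_POST['serendipityPath']); if ($path === false || !is_file($path . '/include/db/db.inc.php')) { $errs[] = 'serendipityPath is not a readable installation directory'; }` and include from `$path`, which rules out URL wrappers and traversal strings. The installer presumably runs only before the blog is configured, but `serendipity_checkInstallation()` starts outside the hunk, so whether an earlier check already gates this path is not visible.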
index b0b34e68d5b32feb61bae3666c100d8fc254f694..b3813edb19368455e9aa141f0610d4e9b23c5117 100644 (file)
@@ -254,6 +254,7 @@ class s9y_remoterss_OPML {
 
 class serendipity_plugin_remoterss extends serendipity_plugin {
     var $title = PLUGIN_REMOTERSS_TITLE;
+    var $encoding = null;
 
     function introspect(&$propbag) {
         $this->title = $this->get_config('sidebartitle', $this->title);
@@ -408,6 +409,7 @@ class serendipity_plugin_remoterss extends serendipity_plugin {
                     require_once S9Y_PEAR_PATH . 'Onyx/RSS.php';
                     $c = &new Onyx_RSS();
                     $c->parse($rssuri);
+                    $this->encoding = $c->rss['encoding'];
 
                     $i = 0;
                     $content = '';
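Review bot: `$this->encoding = $c->rss['encoding'];` reads the array key unconditionally, so a feed that declares no encoding would raise an undefined-index notice if Onyx_RSS leaves the key unset, which cannot be confirmed from here. A guarded assignment keeps the property at its declared `null` default in that case: `$this->encoding = isset($c->rss['encoding']) ? $c->rss['encoding'] : null;`. The enclosing method starts before this hunk and continues after it.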
@@ -526,8 +528,23 @@ class serendipity_plugin_remoterss extends serendipity_plugin {
         }
     }
 
-    function decode($string) {
-        switch($this->get_config('charset', 'native')) {
+    function &decode($string) {
+        static $phpCharset = null;
+
+        if ($phpCharset === null) {
+            $phpCharset = version_compare(phpversion(), '4.3.11', '>=');
+        }
+
+        if ($phpCharset == 1) {
+            // Luckily PHP5 supports
+            // xml_parser_set_option($this->parser, XML_OPTION_TARGET_ENCODING, LANG_CHARSET);
+            // which means we need no transcoding here.
+            return $string;
+        }
+
+        $target = $this->get_config('charset', 'native');
+
+        switch($target) {
             case 'native':
                 return $string;
 
index 0e48889719378e2a56fa76ee23fe73ec7751c68c..04a6bb4e7a181926cd308a462b6ced0dfd32e01b 100644 (file)
@@ -111,6 +111,11 @@ $serendipity['calendars'] = array('gregorian'   => 'Gregorian',
  */
 include($serendipity['serendipityPath'] . 'include/lang.inc.php');
 
+$serendipity['charsets'] = array(
+    'UTF-8/' => 'UTF-8',
+    ''        => CHARSET_NATIVE
+);
+
 @define('PATH_SMARTY_COMPILE', 'templates_c'); // will be placed inside the template directory
 @define('USERLEVEL_ADMIN', 255);
 @define('USERLEVEL_CHIEF', 1);
@@ -235,11 +240,6 @@ if (defined('DATE_LOCALES')) {
     }
 }
 
-$serendipity['charsets'] = array(
-    'UTF-8/' => 'UTF-8',
-    ''        => CHARSET_NATIVE
-);
-
 /*
  *   Fallback charset, if none is defined in the language files
  */