Context Navigation

← Previous Changeset
Next Changeset →

Changeset 662428

Timestamp:

02/02/2013 09:00:47 AM (13 years ago)

Author:

tosend.it

Message:

Stable Version updated to 2.5.10 - XSS vulnerability fix

Location:

pafacile

Files:

: 46 edited
: 42 copied

tags/2.5.10 (copied) (copied from pafacile/trunk)
tags/2.5.10/PAFacileBackend.php (copied) (copied from pafacile/trunk/PAFacileBackend.php)
tags/2.5.10/PAFacileFrontend.php (copied) (copied from pafacile/trunk/PAFacileFrontend.php)
tags/2.5.10/PAFacileUpdateManager.php (copied) (copied from pafacile/trunk/PAFacileUpdateManager.php)
tags/2.5.10/admin-pafacile.css (copied) (copied from pafacile/trunk/admin-pafacile.css)
tags/2.5.10/ajax/actions.php (copied) (copied from pafacile/trunk/ajax/actions.php)
tags/2.5.10/alboPretorio/dettaglio.php (copied) (copied from pafacile/trunk/alboPretorio/dettaglio.php) (1 diff)
tags/2.5.10/alboPretorio/elenco.php (copied) (copied from pafacile/trunk/alboPretorio/elenco.php) (1 diff)
tags/2.5.10/alboPretorio/stampa.php (copied) (copied from pafacile/trunk/alboPretorio/stampa.php) (1 diff)
tags/2.5.10/bandi/dettaglio.php (copied) (copied from pafacile/trunk/bandi/dettaglio.php) (1 diff)
tags/2.5.10/bandi/elenco.php (copied) (copied from pafacile/trunk/bandi/elenco.php) (1 diff)
tags/2.5.10/db.php (copied) (copied from pafacile/trunk/db.php)
tags/2.5.10/definitions.php (copied) (copied from pafacile/trunk/definitions.php)
tags/2.5.10/delibere/dettaglio.php (modified) (1 diff)
tags/2.5.10/delibere/elenco.php (copied) (copied from pafacile/trunk/delibere/elenco.php) (1 diff)
tags/2.5.10/determine/dettaglio.php (modified) (1 diff)
tags/2.5.10/determine/elenco.php (copied) (copied from pafacile/trunk/determine/elenco.php) (1 diff)
tags/2.5.10/doSave.php (copied) (copied from pafacile/trunk/doSave.php)
tags/2.5.10/google-analytics/index.php (copied) (copied from pafacile/trunk/google-analytics/index.php)
tags/2.5.10/images/tree/index.php (modified) (1 diff)
tags/2.5.10/incarichiProfessionali/dettaglio.php (copied) (copied from pafacile/trunk/incarichiProfessionali/dettaglio.php) (1 diff)
tags/2.5.10/incarichiProfessionali/elenco.php (copied) (copied from pafacile/trunk/incarichiProfessionali/elenco.php)
tags/2.5.10/mce/editor_plugin.dev.js (copied) (copied from pafacile/trunk/mce/editor_plugin.dev.js)
tags/2.5.10/ordinanze/dettaglio.php (modified) (1 diff)
tags/2.5.10/ordinanze/elenco.php (copied) (copied from pafacile/trunk/ordinanze/elenco.php) (1 diff)
tags/2.5.10/organi/dettaglio.php (modified) (1 diff)
tags/2.5.10/organi/elenco.php (copied) (copied from pafacile/trunk/organi/elenco.php) (1 diff)
tags/2.5.10/organigramma/dettaglio.php (copied) (copied from pafacile/trunk/organigramma/dettaglio.php) (1 diff)
tags/2.5.10/organigramma/elenco.php (copied) (copied from pafacile/trunk/organigramma/elenco.php) (1 diff)
tags/2.5.10/public-contents/AlboPretorio.php (copied) (copied from pafacile/trunk/public-contents/AlboPretorio.php) (1 diff)
tags/2.5.10/public-contents/BandiGare.php (copied) (copied from pafacile/trunk/public-contents/BandiGare.php) (1 diff)
tags/2.5.10/public-contents/Delibere.php (copied) (copied from pafacile/trunk/public-contents/Delibere.php) (1 diff)
tags/2.5.10/public-contents/Determine.php (copied) (copied from pafacile/trunk/public-contents/Determine.php) (1 diff)
tags/2.5.10/public-contents/Incarichi.php (copied) (copied from pafacile/trunk/public-contents/Incarichi.php) (1 diff)
tags/2.5.10/public-contents/Ordinanze.php (copied) (copied from pafacile/trunk/public-contents/Ordinanze.php) (1 diff)
tags/2.5.10/public-contents/Organi.php (copied) (copied from pafacile/trunk/public-contents/Organi.php) (1 diff)
tags/2.5.10/public-contents/Sovvenzioni.php (copied) (copied from pafacile/trunk/public-contents/Sovvenzioni.php) (2 diffs)
tags/2.5.10/public-contents/iContents.php (copied) (copied from pafacile/trunk/public-contents/iContents.php)
tags/2.5.10/readme.txt (copied) (copied from pafacile/trunk/readme.txt) (3 diffs)
tags/2.5.10/scripts/jq.pafacile.js (copied) (copied from pafacile/trunk/scripts/jq.pafacile.js)
tags/2.5.10/sovvenzioni (copied) (copied from pafacile/trunk/sovvenzioni)
tags/2.5.10/sovvenzioni/dettaglio.php (modified) (1 diff)
tags/2.5.10/sovvenzioni/elenco.php (modified) (1 diff)
tags/2.5.10/tipiAtto/dettaglio.php (modified) (1 diff)
tags/2.5.10/tipiAtto/elenco.php (modified) (1 diff)
tags/2.5.10/tipiOrgani/dettaglio.php (modified) (1 diff)
tags/2.5.10/tipiOrgani/elenco.php (modified) (1 diff)
tags/2.5.10/toSendIt.php (copied) (copied from pafacile/trunk/toSendIt.php)
tags/2.5.10/toSendItPAFacileContents.php (copied) (copied from pafacile/trunk/toSendItPAFacileContents.php) (1 diff)
tags/2.5.10/toSendItPAFacilePages.php (copied) (copied from pafacile/trunk/toSendItPAFacilePages.php)
tags/2.5.10/toSendItPAFacileWidgets.php (copied) (copied from pafacile/trunk/toSendItPAFacileWidgets.php)
tags/2.5.10/tosendit-pa.php (copied) (copied from pafacile/trunk/tosendit-pa.php) (3 diffs)
tags/2.5.10/welcome.php (copied) (copied from pafacile/trunk/welcome.php) (1 diff)
trunk/alboPretorio/dettaglio.php (modified) (1 diff)
trunk/alboPretorio/elenco.php (modified) (1 diff)
trunk/alboPretorio/stampa.php (modified) (1 diff)
trunk/bandi/dettaglio.php (modified) (1 diff)
trunk/bandi/elenco.php (modified) (1 diff)
trunk/delibere/dettaglio.php (modified) (1 diff)
trunk/delibere/elenco.php (modified) (1 diff)
trunk/determine/dettaglio.php (modified) (1 diff)
trunk/determine/elenco.php (modified) (1 diff)
trunk/images/tree/index.php (modified) (1 diff)
trunk/incarichiProfessionali/dettaglio.php (modified) (1 diff)
trunk/ordinanze/dettaglio.php (modified) (1 diff)
trunk/ordinanze/elenco.php (modified) (1 diff)
trunk/organi/dettaglio.php (modified) (1 diff)
trunk/organi/elenco.php (modified) (1 diff)
trunk/organigramma/dettaglio.php (modified) (1 diff)
trunk/organigramma/elenco.php (modified) (1 diff)
trunk/public-contents/AlboPretorio.php (modified) (1 diff)
trunk/public-contents/BandiGare.php (modified) (1 diff)
trunk/public-contents/Delibere.php (modified) (1 diff)
trunk/public-contents/Determine.php (modified) (1 diff)
trunk/public-contents/Incarichi.php (modified) (1 diff)
trunk/public-contents/Ordinanze.php (modified) (1 diff)
trunk/public-contents/Organi.php (modified) (1 diff)
trunk/public-contents/Sovvenzioni.php (modified) (2 diffs)
trunk/readme.txt (modified) (3 diffs)
trunk/sovvenzioni/dettaglio.php (modified) (1 diff)
trunk/sovvenzioni/elenco.php (modified) (1 diff)
trunk/tipiAtto/dettaglio.php (modified) (1 diff)
trunk/tipiAtto/elenco.php (modified) (1 diff)
trunk/tipiOrgani/dettaglio.php (modified) (1 diff)
trunk/tipiOrgani/elenco.php (modified) (1 diff)
trunk/toSendItPAFacileContents.php (modified) (1 diff)
trunk/tosendit-pa.php (modified) (3 diffs)
trunk/welcome.php (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

pafacile/tags/2.5.10/alboPretorio/dettaglio.php

-                      r654497
+                      r662428
 <?php
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
 function buildModuloAlboPretorio(){
     global $wpdb, $current_user;

pafacile/tags/2.5.10/alboPretorio/elenco.php

-                      r649783
+                      r662428
+<?php
+<?php
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
 function displayAlboPretorioPublic($params, $extraParams = array()){
     global $wpdb;

pafacile/tags/2.5.10/alboPretorio/stampa.php

-                      r525549
+                      r662428
 <?php
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
 function buildStampaAlboPretorio(){
     global $wpdb, $current_user;

pafacile/tags/2.5.10/bandi/dettaglio.php

-                      r648290
+                      r662428
 <?php
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
 function adminDettaglioBandi(){
 global $wpdb;

pafacile/tags/2.5.10/bandi/elenco.php

-                      r632155
+                      r662428
 <?php
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
 function displayBandiPublic($params, $extraParams = array()){

pafacile/tags/2.5.10/delibere/dettaglio.php

-                      r459538
+                      r662428
 <?php
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
 global $wpdb;
 $tableName = $wpdb->prefix . TOSENDIT_PAFACILE_DB_DELIBERE;

pafacile/tags/2.5.10/delibere/elenco.php

-                      r619814
+                      r662428
 <?php
+#require_once 'public-contents/Delibere.php';
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
 function displayDeliberePublic($params, $extraParams = array()){

pafacile/tags/2.5.10/determine/dettaglio.php

-                      r470551
+                      r662428
 <?php
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
 global $wpdb, $current_user;
 $tableName = $wpdb->prefix . TOSENDIT_PAFACILE_DB_DETERMINE;

pafacile/tags/2.5.10/determine/elenco.php

-                      r619814
+                      r662428
 <?php
 # require_once 'public-contents/Determine.php';
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
 function displayDeterminePublic($params, $extraParams = array()){

pafacile/tags/2.5.10/images/tree/index.php

-                      r459538
+                      r662428
     $basedir = dirname(__FILE__) .'/';
     $structure = $_GET['structure'];
     if(file_exists("$basedir$structure.gif")){
+    if(is_numeric($_GET['structure']) && file_exists("$basedir$structure.gif")){
         header("Location: $structure.gif");
         exit();
+    }
+    if(!is_numeric($_GET['structure'])){
+        die("Codice struttura invalido");
+    }
     $l = strlen($structure);
     if($l==0){

pafacile/tags/2.5.10/incarichiProfessionali/dettaglio.php

-                      r559534
+                      r662428
 <?php
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
 function getDettaglio(){
     global $wpdb, $current_user;

pafacile/tags/2.5.10/ordinanze/dettaglio.php

-                      r470551
+                      r662428
 <?php
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
 global $wpdb, $current_user;

pafacile/tags/2.5.10/ordinanze/elenco.php

-                      r619814
+                      r662428
 <?php
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
 function displayOrdinanze(){
     toSendItGenericMethods::mergeSearchFilter('ricerca_ordinanze');

pafacile/tags/2.5.10/organi/dettaglio.php

-                      r459538
+                      r662428
 <?php
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
 function organiDettaglio(){

pafacile/tags/2.5.10/organi/elenco.php

-                      r619814
+                      r662428
 <?php
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
 function displayOrgani(){
     toSendItGenericMethods::mergeSearchFilter('ricerca_organi');

pafacile/tags/2.5.10/organigramma/dettaglio.php

-                      r611965
+                      r662428
 <?php
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
 function displayDettaglioOrganigramma(){
     global $wpdb;

pafacile/tags/2.5.10/organigramma/elenco.php

-                      r611965
+                      r662428
 <?php
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');

pafacile/tags/2.5.10/public-contents/AlboPretorio.php

-                      r643338
+                      r662428
 <?php
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
 /****************************************************************
  * Procedure per la visualizzazione pubblica dell'albo pretorio:

pafacile/tags/2.5.10/public-contents/BandiGare.php

-                      r648290
+                      r662428
 <?php
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
 require_once PAFACILE_PLUING_DIRECTORY .'/public-contents/iContents.php';

pafacile/tags/2.5.10/public-contents/Delibere.php

-                      r643338
+                      r662428
 <?php
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
 /****************************************************************
      * Procedure per la visualizzazione pubblica delle delibere:

pafacile/tags/2.5.10/public-contents/Determine.php

-                      r525549
+                      r662428
 <?php
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
     /****************************************************************

pafacile/tags/2.5.10/public-contents/Incarichi.php

-                      r559534
+                      r662428
 <?php
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
     /****************************************************************
      * Procedure per la visualizzaizone degli incarichi professionali

pafacile/tags/2.5.10/public-contents/Ordinanze.php

-                      r525549
+                      r662428
 <?php
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
     /****************************************************************
      * Procedure per la visualizzaizone delle ordinanze

pafacile/tags/2.5.10/public-contents/Organi.php

-                      r525549
+                      r662428
 <?php
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
     /* **************************************************

pafacile/tags/2.5.10/public-contents/Sovvenzioni.php

-                      r643338
+                      r662428
 <?php
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
 require_once PAFACILE_PLUING_DIRECTORY .'/public-contents/iContents.php';
 class Sovvenzioni extends PAFacilePublicBaseClass implements iContents {
 …
         echo $buffer;
+        /*
+         * Since Ver. 2.5.10
+         * Assenza del box di upload
+         */
+        toSendItGenericMethods::displayFileUploadBox($tableName, $itemId);
         return true;

pafacile/tags/2.5.10/readme.txt

-                      r661392
+                      r662428
 Requires at least: 3.4
 Tested up to: 3.5
 Stable tag: 2.5.9
+Stable tag: 2.5.10
 License: GPLv3
 …
 == Description ==
+**NOTA:** Aggiornare immediatamente PAFacile se si sta utilizzando una versione precedente alla 2.5.9.
+**NOTA:** Aggiornare immediatamente PAFacile se si sta utilizzando una versione precedente alla 2.5.10.
+È stata scoperta una vulnerabilità di tipo XSS per la quale un individuo potrebbe iniettare del codice
+Javascript in alcune delle pagine del sito veicolando eventuali codici malevoli verso gli utenti ignari.
 PAFacile è un plugin sviluppato dalla [toSend.it](http://tosend.it) per venire incontro alle esigenze della Pubblica Amministrazione e degli Enti Locali creando uno strumento semplice da usare e facile da manutenere e intuitivo nella sua configurazione.
 …
 == Changelog ==
+= 2.5.10 (2013-02-02) =
+* **Update:** Aggiunto box dei file alla sezione pubblica delle sovvenzioni.
+* **Security:** Corretto il codice per evitare un attacco di tipo XSS (thanks to Dejan Lukan).
 = 2.5.9 (2013-01-30) =

pafacile/tags/2.5.10/sovvenzioni/dettaglio.php

-                      r643338
+                      r662428
 <?php
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
 function buildModuloSovvenzioni(){
     global $wpdb, $current_user;

pafacile/tags/2.5.10/sovvenzioni/elenco.php

-                      r643338
+                      r662428
 <?php
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
 function displaySovvenzioniPublic($params, $extraParams = array()){
     global $wpdb;

pafacile/tags/2.5.10/tipiAtto/dettaglio.php

-                      r459538
+                      r662428
 <?php
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
 function adminDettaglioTipiAtto(){
 global $wpdb;

pafacile/tags/2.5.10/tipiAtto/elenco.php

-                      r459538
+                      r662428
 <?php
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
 /* =====================
  *  SINCE VERSION 1.5.6

pafacile/tags/2.5.10/tipiOrgani/dettaglio.php

-                      r459538
+                      r662428
 <?php
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
 class adminFormBuilder{

pafacile/tags/2.5.10/tipiOrgani/elenco.php

-                      r459538
+                      r662428
 <?php
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
 /* =====================
  *  SINCE VERSION 1.5.6

pafacile/tags/2.5.10/toSendItPAFacileContents.php

-                      r643338
+                      r662428
 <?php
+/*
+ * Sinve Version 2.5.10
+ * Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+ */
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
 require_once PAFACILE_PLUING_DIRECTORY .'/public-contents/Determine.php';
 require_once PAFACILE_PLUING_DIRECTORY .'/public-contents/Delibere.php';

pafacile/tags/2.5.10/tosendit-pa.php

-                      r661392
+                      r662428
  * @package toSend.it
  * @author toSend.it di Luisa Marra
  * @version 2.5.9
+ * @version 2.5.10
  */
 /*
 …
 Description: PAFacile è un plugin nato per consentire alle pubbliche amministrazione di gestire la trasparenza amministrativa secondo gli obblighi di legge. Il plugin è l'unico in Italia a consentire l'adeguamento di un sito web di una pubblica amministrazione agli ultimi aggiornamenti normativa in materia di Albo Pretorio on-line, Bandi di Gara, Delbere e determinazioni, Ordinanze, Organigramma, Incarichi professionali, Sovvenzioni.
 Author: toSend.it di Luisa Marra
 Version: 2.5.9
+Version: 2.5.10
 Author URI: http://toSend.it
 */
 …
 #define('TOSENDIT_PAFACILE_VERSION', '2.5.7');
 #define('TOSENDIT_PAFACILE_VERSION', '2.5.8');
+define('TOSENDIT_PAFACILE_VERSION', '2.5.9');
+#define('TOSENDIT_PAFACILE_VERSION', '2.5.9');
+define('TOSENDIT_PAFACILE_VERSION', '2.5.10');
 # è PAFacile in un installazione di default

pafacile/tags/2.5.10/welcome.php

-                      r649783
+                      r662428
 <?php
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
 function pageWelcomeVersionOutput($currentVersion, $minimalVersion ){

pafacile/trunk/alboPretorio/dettaglio.php

-                      r654497
+                      r662428
 <?php
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
 function buildModuloAlboPretorio(){
     global $wpdb, $current_user;

pafacile/trunk/alboPretorio/elenco.php

-                      r649783
+                      r662428
+<?php
+<?php
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
 function displayAlboPretorioPublic($params, $extraParams = array()){
     global $wpdb;

pafacile/trunk/alboPretorio/stampa.php

-                      r525549
+                      r662428
 <?php
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
 function buildStampaAlboPretorio(){
     global $wpdb, $current_user;

pafacile/trunk/bandi/dettaglio.php

-                      r648290
+                      r662428
 <?php
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
 function adminDettaglioBandi(){
 global $wpdb;

pafacile/trunk/bandi/elenco.php

-                      r632155
+                      r662428
 <?php
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
 function displayBandiPublic($params, $extraParams = array()){

pafacile/trunk/delibere/dettaglio.php

-                      r459538
+                      r662428
 <?php
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
 global $wpdb;
 $tableName = $wpdb->prefix . TOSENDIT_PAFACILE_DB_DELIBERE;

pafacile/trunk/delibere/elenco.php

-                      r619814
+                      r662428
 <?php
+#require_once 'public-contents/Delibere.php';
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
 function displayDeliberePublic($params, $extraParams = array()){

pafacile/trunk/determine/dettaglio.php

-                      r470551
+                      r662428
 <?php
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
 global $wpdb, $current_user;
 $tableName = $wpdb->prefix . TOSENDIT_PAFACILE_DB_DETERMINE;

pafacile/trunk/determine/elenco.php

-                      r619814
+                      r662428
 <?php
 # require_once 'public-contents/Determine.php';
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
 function displayDeterminePublic($params, $extraParams = array()){

pafacile/trunk/images/tree/index.php

-                      r459538
+                      r662428
     $basedir = dirname(__FILE__) .'/';
     $structure = $_GET['structure'];
     if(file_exists("$basedir$structure.gif")){
+    if(is_numeric($_GET['structure']) && file_exists("$basedir$structure.gif")){
         header("Location: $structure.gif");
         exit();
+    }
+    if(!is_numeric($_GET['structure'])){
+        die("Codice struttura invalido");
+    }
     $l = strlen($structure);
     if($l==0){

pafacile/trunk/incarichiProfessionali/dettaglio.php

-                      r559534
+                      r662428
 <?php
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
 function getDettaglio(){
     global $wpdb, $current_user;

pafacile/trunk/ordinanze/dettaglio.php

-                      r470551
+                      r662428
 <?php
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
 global $wpdb, $current_user;

pafacile/trunk/ordinanze/elenco.php

-                      r619814
+                      r662428
 <?php
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
 function displayOrdinanze(){
     toSendItGenericMethods::mergeSearchFilter('ricerca_ordinanze');

pafacile/trunk/organi/dettaglio.php

-                      r459538
+                      r662428
 <?php
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
 function organiDettaglio(){

pafacile/trunk/organi/elenco.php

-                      r619814
+                      r662428
 <?php
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
 function displayOrgani(){
     toSendItGenericMethods::mergeSearchFilter('ricerca_organi');

pafacile/trunk/organigramma/dettaglio.php

-                      r611965
+                      r662428
 <?php
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
 function displayDettaglioOrganigramma(){
     global $wpdb;

pafacile/trunk/organigramma/elenco.php

-                      r611965
+                      r662428
 <?php
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');

pafacile/trunk/public-contents/AlboPretorio.php

-                      r643338
+                      r662428
 <?php
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
 /****************************************************************
  * Procedure per la visualizzazione pubblica dell'albo pretorio:

pafacile/trunk/public-contents/BandiGare.php

-                      r648290
+                      r662428
 <?php
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
 require_once PAFACILE_PLUING_DIRECTORY .'/public-contents/iContents.php';

pafacile/trunk/public-contents/Delibere.php

-                      r643338
+                      r662428
 <?php
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
 /****************************************************************
      * Procedure per la visualizzazione pubblica delle delibere:

pafacile/trunk/public-contents/Determine.php

-                      r525549
+                      r662428
 <?php
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
     /****************************************************************

pafacile/trunk/public-contents/Incarichi.php

-                      r559534
+                      r662428
 <?php
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
     /****************************************************************
      * Procedure per la visualizzaizone degli incarichi professionali

pafacile/trunk/public-contents/Ordinanze.php

-                      r525549
+                      r662428
 <?php
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
     /****************************************************************
      * Procedure per la visualizzaizone delle ordinanze

pafacile/trunk/public-contents/Organi.php

-                      r525549
+                      r662428
 <?php
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
     /* **************************************************

pafacile/trunk/public-contents/Sovvenzioni.php

-                      r643338
+                      r662428
 <?php
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
 require_once PAFACILE_PLUING_DIRECTORY .'/public-contents/iContents.php';
 class Sovvenzioni extends PAFacilePublicBaseClass implements iContents {
 …
         echo $buffer;
+        /*
+         * Since Ver. 2.5.10
+         * Assenza del box di upload
+         */
+        toSendItGenericMethods::displayFileUploadBox($tableName, $itemId);
         return true;

pafacile/trunk/readme.txt

-                      r661392
+                      r662428
 Requires at least: 3.4
 Tested up to: 3.5
 Stable tag: 2.5.9
+Stable tag: 2.5.10
 License: GPLv3
 …
 == Description ==
+**NOTA:** Aggiornare immediatamente PAFacile se si sta utilizzando una versione precedente alla 2.5.9.
+**NOTA:** Aggiornare immediatamente PAFacile se si sta utilizzando una versione precedente alla 2.5.10.
+È stata scoperta una vulnerabilità di tipo XSS per la quale un individuo potrebbe iniettare del codice
+Javascript in alcune delle pagine del sito veicolando eventuali codici malevoli verso gli utenti ignari.
 PAFacile è un plugin sviluppato dalla [toSend.it](http://tosend.it) per venire incontro alle esigenze della Pubblica Amministrazione e degli Enti Locali creando uno strumento semplice da usare e facile da manutenere e intuitivo nella sua configurazione.
 …
 == Changelog ==
+= 2.5.10 (2013-02-02) =
+* **Update:** Aggiunto box dei file alla sezione pubblica delle sovvenzioni.
+* **Security:** Corretto il codice per evitare un attacco di tipo XSS (thanks to Dejan Lukan).
 = 2.5.9 (2013-01-30) =

pafacile/trunk/sovvenzioni/dettaglio.php

-                      r643338
+                      r662428
 <?php
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
 function buildModuloSovvenzioni(){
     global $wpdb, $current_user;

pafacile/trunk/sovvenzioni/elenco.php

-                      r643338
+                      r662428
 <?php
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
 function displaySovvenzioniPublic($params, $extraParams = array()){
     global $wpdb;

pafacile/trunk/tipiAtto/dettaglio.php

-                      r459538
+                      r662428
 <?php
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
 function adminDettaglioTipiAtto(){
 global $wpdb;

pafacile/trunk/tipiAtto/elenco.php

-                      r459538
+                      r662428
 <?php
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
 /* =====================
  *  SINCE VERSION 1.5.6

pafacile/trunk/tipiOrgani/dettaglio.php

-                      r459538
+                      r662428
 <?php
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
 class adminFormBuilder{

pafacile/trunk/tipiOrgani/elenco.php

-                      r459538
+                      r662428
 <?php
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
 /* =====================
  *  SINCE VERSION 1.5.6

pafacile/trunk/toSendItPAFacileContents.php

-                      r643338
+                      r662428
 <?php
+/*
+ * Sinve Version 2.5.10
+ * Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+ */
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
 require_once PAFACILE_PLUING_DIRECTORY .'/public-contents/Determine.php';
 require_once PAFACILE_PLUING_DIRECTORY .'/public-contents/Delibere.php';

pafacile/trunk/tosendit-pa.php

-                      r661392
+                      r662428
  * @package toSend.it
  * @author toSend.it di Luisa Marra
  * @version 2.5.9
+ * @version 2.5.10
  */
 /*
 …
 Description: PAFacile è un plugin nato per consentire alle pubbliche amministrazione di gestire la trasparenza amministrativa secondo gli obblighi di legge. Il plugin è l'unico in Italia a consentire l'adeguamento di un sito web di una pubblica amministrazione agli ultimi aggiornamenti normativa in materia di Albo Pretorio on-line, Bandi di Gara, Delbere e determinazioni, Ordinanze, Organigramma, Incarichi professionali, Sovvenzioni.
 Author: toSend.it di Luisa Marra
 Version: 2.5.9
+Version: 2.5.10
 Author URI: http://toSend.it
 */
 …
 #define('TOSENDIT_PAFACILE_VERSION', '2.5.7');
 #define('TOSENDIT_PAFACILE_VERSION', '2.5.8');
+define('TOSENDIT_PAFACILE_VERSION', '2.5.9');
+#define('TOSENDIT_PAFACILE_VERSION', '2.5.9');
+define('TOSENDIT_PAFACILE_VERSION', '2.5.10');
 # è PAFacile in un installazione di default

pafacile/trunk/welcome.php

-                      r649783
+                      r662428
 <?php
+/*
+ * Sinve Version 2.5.10
+* Avoid XSS vulnerability discovered by Dejan Lukan many thanks!
+*/
+if (!empty($_SERVER['SCRIPT_FILENAME']) &&
+        basename(__FILE__)             == basename($_SERVER['SCRIPT_FILENAME']) &&            // Same script file
+        basename(dirname(__FILE__)) == basename(dirname($_SERVER['SCRIPT_FILENAME']))    // Same directory
+)
+    die ('Please do not load this page directly. Thanks to Dejan Lukan for the notification!');
 function pageWelcomeVersionOutput($currentVersion, $minimalVersion ){

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

Context Navigation

Changeset 662428

Legend:

Download in other formats: