Merge branch 'dev5' into master

bundled-libs/HTTP/Request2.php

@@ -427,7 +427,7 @@ public function getConfig($name = null)
      *
      * @return   HTTP_Request2
      */
-    public function setAuth($user, $password = '', $scheme = self::AUTH_BASIC)
+    public function setAuth($user, #[\SensitiveParameter] $password = '', $scheme = self::AUTH_BASIC)
     {
         if (empty($user)) {
             $this->auth = null;

bundled-libs/HTTP/Request2/Adapter/Socket.php

@@ -688,7 +688,7 @@ protected function updateChallenge(&$challenge, $headerValue)
      * @return   string  value of [Proxy-]Authorization request header
      * @link     http://tools.ietf.org/html/rfc2617#section-3.2.2
      */
-    protected function createDigestResponse($user, $password, $url, &$challenge)
+    protected function createDigestResponse($user, #[\SensitiveParameter] string $password, $url, &$challenge)
     {
         if (false !== ($q = strpos($url, '?'))
             && $this->request->getConfig('digest_compat_ie')

bundled-libs/HTTP/Request2/SOCKS5.php

@@ -92,7 +92,7 @@ public function __construct(
      * @throws HTTP_Request2_MessageException
      * @link http://tools.ietf.org/html/rfc1929
      */
-    protected function performAuthentication($username, $password)
+    protected function performAuthentication($username, #[\SensitiveParameter] string $password)
     {
         $request  = pack('C2', 1, strlen($username)) . $username
                     . pack('C', strlen($password)) . $password;

bundled-libs/Onyx/RSS.php

@@ -63,8 +63,7 @@ function __construct($charset = 'UTF-8')
             $charset = LANG_CHARSET;
         }
         $this->parser = xml_parser_create($charset);
-        $r = PHP_VERSION_ID < 80000 ? !is_resource($this->parser) : !($this->parser instanceof XMLParser); // With 8.0.0 parser expects an XMLParser instance now; previously, a resource was expected
-        if (!$this->parser || $r)
+        if (!$this->parser || !($this->parser instanceof XMLParser))
         {
             $this->raiseError((__LINE__-3), ONYX_ERR_NO_PARSER);
             return false;

bundled-libs/Smarty/CHANGELOG.md

@@ -6,12 +6,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
-## [4.4.1-dev-5] - 2024-05-28
+## [4.4.1-Styx-dev-4] - 2024-05-28
 - Fixed a code injection vulnerability in extends-tag. This addresses CVE-2024-35226.
-  (Tagged as v.4.5.3)
-
-## [4.4.1-Styx-dev-4] - 2024-02-26
-- see [Custom Styx features]
 
 ## [4.4.1] - 2024-02-26
 - Fixed internal release-tooling

bundled-libs/Smarty/libs/Smarty.class.php

@@ -107,7 +107,7 @@ class Smarty extends Smarty_Internal_TemplateBase
     /**
      * smarty version
      */
-    const SMARTY_VERSION = '4.4.1-dev-5';
+    const SMARTY_VERSION = '4.5.2-dev-5';
 
     /**
      * define variable scopes

bundled-libs/Smarty/libs/sysplugins/smarty_internal_compile_private_modifier.php

@@ -107,9 +107,11 @@ public function compile($args, Smarty_Internal_TemplateCompilerBase $compiler, $
                             if (!is_object($compiler->smarty->security_policy)
                                 || $compiler->smarty->security_policy->isTrustedPhpModifier($modifier, $compiler)
                             ) {
-                                @trigger_error('Using php-function "' . $modifier . '" as a modifier is deprecated and will be ' .
-                                    'removed in a future release. Use Smarty::registerPlugin to explicitly register ' .
-                                    'a custom modifier.', E_USER_DEPRECATED);
+                                if (!in_array($modifier, ['time', 'join', 'is_array', 'in_array'])) {
+                                    trigger_error('Using unregistered function "' . $modifier . '" in a template is deprecated and will be ' .
+                                        'removed in a future release. Use Smarty::registerPlugin to explicitly register ' .
+                                        'a custom modifier.', E_USER_DEPRECATED);
+                                }
                                 $output = "{$modifier}({$params})";
                             }
                             $compiler->known_modifier_type[ $modifier ] = $type;

bundled-libs/Smarty/libs/sysplugins/smarty_internal_templatecompilerbase.php

@@ -654,6 +654,17 @@ public function compilePHPFunctionCall($name, $parameter)
                         return $func_name . '(' . $parameter[ 0 ] . ')';
                     }
                 } else {
+
+                    if (
+                        !$this->smarty->loadPlugin('smarty_modifiercompiler_' . $name)
+                        && !isset($this->smarty->registered_plugins[Smarty::PLUGIN_MODIFIER][$name])
+                        && !in_array($name, ['time', 'join', 'is_array', 'in_array'])
+                    ) {
+                        trigger_error('Using unregistered function "' . $name . '" in a template is deprecated and will be ' .
+                            'removed in a future release. Use Smarty::registerPlugin to explicitly register ' .
+                            'a custom modifier.', E_USER_DEPRECATED);
+                    }
+
                     return $name . '(' . implode(',', $parameter) . ')';
                 }
             } else {

bundled-libs/Smarty/libs/sysplugins/smarty_internal_templateparser.php

@@ -2425,6 +2425,9 @@ public function yy_r99(){
         if (isset($this->smarty->registered_classes[$this->yystack[$this->yyidx + -2]->minor])) {
             $this->_retvalue = $this->smarty->registered_classes[$this->yystack[$this->yyidx + -2]->minor].'::'.$this->yystack[$this->yyidx + 0]->minor[0].$this->yystack[$this->yyidx + 0]->minor[1];
         } else {
+           trigger_error('Using unregistered static method "' . $this->yystack[$this->yyidx + -2]->minor.'::'.$this->yystack[$this->yyidx + 0]->minor[0] . '" in a template is deprecated and will be ' .
+                'removed in a future release. Use Smarty::registerClass to explicitly register ' .
+                'a class for access.', E_USER_DEPRECATED);
             $this->_retvalue = $this->yystack[$this->yyidx + -2]->minor.'::'.$this->yystack[$this->yyidx + 0]->minor[0].$this->yystack[$this->yyidx + 0]->minor[1];
         } 
     } else {

bundled-libs/Smarty/libs/sysplugins/smarty_security.php

@@ -254,6 +254,7 @@ public function __construct($smarty)
      * @param string $function_name
      * @param object $compiler compiler object
      *
+     * @deprecated
      * @return boolean                 true if function is trusted
      */
     public function isTrustedPhpFunction($function_name, $compiler)

bundled-libs/XML/RPC.php

@@ -1057,7 +1057,7 @@ function __construct($val, $fcode = 0, $fstr = '')
     {
         if ($fcode != 0) {
             $this->fn = $fcode;
-            $this->fs = serendipity_specialchars($fstr);
+            $this->fs = htmlspecialchars($fstr);
         } else {
             $this->xv = $val;
         }
@@ -1452,7 +1452,7 @@ function parseResponse($data = '')
         $hdrfnd = 0;
         if ($this->debug) {
             print "\n<pre>---GOT---\n";
-            print isset($_SERVER['SERVER_PROTOCOL']) ? serendipity_specialchars($data) : $data;
+            print isset($_SERVER['SERVER_PROTOCOL']) ? htmlspecialchars($data) : $data;
             print "\n---END---</pre>\n";
         }
 
@@ -1708,7 +1708,7 @@ function serializedata($typ, $val)
             $rs .= "<struct>\n";
             reset($val);
             foreach ($val as $key2 => $val2) {
-                $rs .= "<member><name>" . serendipity_specialchars($key2) . "</name>\n";
+                $rs .= "<member><name>" . htmlspecialchars($key2) . "</name>\n";
                 $rs .= $this->serializeval($val2);
                 $rs .= "</member>\n";
             }
@@ -1733,7 +1733,7 @@ function serializedata($typ, $val)
                 $rs .= "<{$typ}>" . ($val ? '1' : '0') . "</{$typ}>";
                 break;
             case $GLOBALS['XML_RPC_String']:
-                $rs .= "<{$typ}>" . serendipity_specialchars($val). "</{$typ}>";
+                $rs .= "<{$typ}>" . htmlspecialchars($val). "</{$typ}>";
                 break;
             default:
                 $rs .= "<{$typ}>{$val}</{$typ}>";

bundled-libs/simplepie/SimplePie.php

@@ -691,11 +691,6 @@ class SimplePie
      */
     public function __construct()
     {
-        if (version_compare(PHP_VERSION, '7.2', '<')) {
-            trigger_error('Please upgrade to PHP 7.2 or newer.');
-            die();
-        }
-
         $this->set_useragent();
 
         $this->set_cache_namefilter(new CallableNameFilter($this->cache_name_function));
@@ -9545,12 +9540,7 @@ public function get_local_date($date_format = '%c')
         if (!$date_format) {
             return $this->sanitize($this->get_date(''), \SimplePie\SimplePie::CONSTRUCT_TEXT);
         } elseif (($date = $this->get_date('U')) !== null && $date !== false) {
-            if (PHP_VERSION_ICU === true) {
-                // ICU71 is fixed up from PHP 8.2
-                $out = serendipity_toDateTimeMapper($date_format, $date, WYSIWYG_LANG);
-            } else {
-                $out = @strftime($date_format, $date); // replace strftime() before PHP 9
-            }
+            $out = serendipity_toDateTimeMapper($date_format, $date, WYSIWYG_LANG);
             return $out;
         }
 

comment.php

@@ -2,6 +2,8 @@
 # Copyright (c) 2003-2005, Jannis Hermanns (on behalf the Serendipity Developer Team)
 # All rights reserved.  See LICENSE file for licensing details
 
+declare(strict_types=1);
+
 # Developer
 #if ($_REQUEST['type'] == 'trackback') die('Disabled');
 
@@ -145,7 +147,7 @@
         $serendipity['smarty']->assign(
             array(
                 'is_comment_added'   => true,
-                'comment_url'        => serendipity_specialchars($_GET['url']) . '&serendipity[entry_id]=' . $id,
+                'comment_url'        => htmlspecialchars($_GET['url']) . '&serendipity[entry_id]=' . $id,
                 'comment_string'     => explode('%s', COMMENT_ADDED_CLICK)
             )
         );
@@ -216,7 +218,7 @@
                 $serendipity['smarty']->assign(
                     array(
                         'is_comment_notadded' => true,
-                        'comment_url'         => serendipity_specialchars($_SERVER['HTTP_REFERER']),
+                        'comment_url'         => htmlspecialchars($_SERVER['HTTP_REFERER']),
                         'comment_string'      => explode('%s', COMMENT_NOT_ADDED_CLICK)
                     )
                 );
@@ -225,7 +227,7 @@
             $serendipity['smarty']->assign(
                 array(
                     'is_comment_empty' => true,
-                    'comment_url'      => serendipity_specialchars($_SERVER['HTTP_REFERER']),
+                    'comment_url'      => htmlspecialchars($_SERVER['HTTP_REFERER']),
                     'comment_string'   => explode('%s', EMPTY_COMMENT)
                 )
             );

docs/NEWS

@@ -1,3 +1,53 @@
+Version 5.0-DEV ()
+ ------------------------------------------------------------------------
+
+
+  * Refactor core language system to remove legacy native language sets and to
+    run UTF-8 only.
+
+  * Make personal config simpleFilters option default to false on install
+
+  * Remove Smarty allowed php_functions 'class_exists' allowance, due to an
+    issue with backends freetag plugin exists checkup and the new Smarty 4.5.2.
+        FUTURES: Use isset() with defined constant checkup instead.
+
+  * Revert Spartacus additional_plugins "master" to "legacy" branch division
+    for Styx 4.x Series.
+
+  * Remove ISO-8859-2 reference of [cz] language names
+
+  * Remove former [cs] lang files and references, from the early nineties...!
+
+  * Remove old MD5/SHA1 hashing upgrade routines... Will convert user...
+
+  * Register some native PHP methods AS Smarty custom modifiers/functions to
+    avoid running into deprecation notices on 1st compile.
+
+  * Update to Smarty v.4.5.2 release named 4.5.2-dev-4 for Styx custom mods
+
+  * Deprecate htmlspecialchars, htmlentities, html_entity_decode mapper functions.
+    - Use default flags up from PHP 8.1.0
+    - Convert core usage
+
+  * Use PHP 8.0 - Convert substr() to str_starts_with() where appropriate
+
+  * Declare strict_types on per file basis
+
+  * Use PHP 8.0 - Change strpos() & strstr() to str_contains() [ case-sensitive ]
+
+  * Remove old compat mb_convert_encoding() checks below PHP 8.2
+
+  * USE PHP 8.1 - Change to use fastest xxHash algorithm
+
+  * Use PHP 8.0 - Combined named arguments with positional arguments
+
+  * Add PHP 8.2 - Sensitive Parameter value redaction support
+
+  * Removed workaround and PHP_VERSION handlers for all versions below PHP 8.2
+
+  * Configure 5.0 revision up from PHP 8.2
+
+
 Version 4.4.3-DEV ()
  ------------------------------------------------------------------------
 
@@ -2729,7 +2779,7 @@ Version 3.0.0 (May, 28th 2020)
   * PHP and JavaScript set Sessions and Cookies DO now SET the "sameSite"
     attribute. Inbound JS Libraries were changed or replaced to support this.
     This regards upcoming Browser changes [ Mozilla 76+, Chromium 80+, ..]
-    internally handling and changing the default �sameSite� attribute.
+    internally handling and changing the default “sameSite” attribute.
     To avoid future Browser Revisions to reject old Cookies without, this for
     now was hard set wherever possible.
     This raises the PHP requirement to PHP >= 7.3.0.
@@ -2858,7 +2908,7 @@ Version 3.0.0 (May, 28th 2020)
     To focus on details for utf8mb4_unicode_ci/utf8mb4_unicode_520_ci,
     there are problems with sorting/comparing certain letters which have
     a stroke for example. (This and other examples apply to languages like
-    polish, czech, greek, turkish, german (i.e. �=ss), etc., just to name few.)
+    polish, czech, greek, turkish, german (i.e. ß=ss), etc., just to name few.)
     For these cases and languages, the sorting Algorithm does return different
     ordered resultsets, depending the collation used, appending sort results
     before, after, or at the same place as the normal letter.
@@ -5850,7 +5900,7 @@ Version 2.1-beta1 Styx (September 3rd, 2016)
             see here, this is NOT trivial to change and error prone, to
             be that robust as it has ever been.
 
-     2. To set the connection�s COLLATION to "unicode" instead of
+     2. To set the connection’s COLLATION to "unicode" instead of
         "general" you have to convert these tables by using "SET NAMES
         ... COLLATE ...".
         You only need to use this better "utf8_unicode_ci" collation
@@ -5866,7 +5916,7 @@ Version 2.1-beta1 Styx (September 3rd, 2016)
         By default a new Serendipity (UTF-8) installation should already
         be set to use the "utf8_unicode_ci" collation.
 
-        (*) Likewise �=ss; utf8_unicode_ci uses the Unicode Collation
+        (*) Likewise ß=ss; utf8_unicode_ci uses the Unicode Collation
             Algorithm as defined in the Unicode standards, whereas
             utf8_general_ci is a more simple sort order which results
             in "less accurate" sorting results.
@@ -5890,7 +5940,7 @@ Version 2.1-beta1 Styx (September 3rd, 2016)
         The unset Serendipity option, NOT to use SET NAMES, enables a
         better automated, modern handshake between server and database.
         At this point, these characters and symbols are actually stored
-        in native UTF-8, eg. '�'+'�' for "�".
+        in native UTF-8, eg. 'Ã'+'¼' for "ü".
         But since there are way too much possible settings/issues
         around, which may play a role, and not have been mentioned
         here, please see this approach as "EXPERIMENTAL" and at your

exit.php

@@ -2,6 +2,8 @@
 # Copyright (c) 2003-2005, Jannis Hermanns (on behalf the Serendipity Developer Team)
 # All rights reserved.  See LICENSE file for licensing details
 
+declare(strict_types=1);
+
 include 'serendipity_config.inc.php';
 
 $url        = $serendipity['baseURL'];

include/admin/category.inc.php

@@ -2,6 +2,8 @@
 # Copyright (c) 2003-2005, Jannis Hermanns (on behalf the Serendipity Developer Team)
 # All rights reserved.  See LICENSE file for licensing details
 
+declare(strict_types=1);
+
 if (IN_serendipity !== true) {
     die ("Don't hack!");
 }
@@ -67,7 +69,7 @@
             if (is_array($r)) {
                 $r = serendipity_db_query("SELECT category_name FROM {$serendipity['dbPrefix']}category
                                             WHERE categoryid = ". (int)$parentid);
-                $data['subcat'] = sprintf(ALREADY_SUBCATEGORY, serendipity_specialchars($r[0]['category_name']), serendipity_specialchars($name));
+                $data['subcat'] = sprintf(ALREADY_SUBCATEGORY, htmlspecialchars($r[0]['category_name']), htmlspecialchars($name));
             } else {
                 $_sort_order = $serendipity['POST']['cat']['sort_order'] ?? 0;
                 $_hide_sub   = $serendipity['POST']['cat']['hide_sub']   ?? 0;
@@ -216,7 +218,7 @@
     if (empty($admin_category)) {
         $cats = serendipity_fetchCategories('all');
     } else {
-        $cats = serendipity_fetchCategories(null, null, null, 'write'); // $serendipity['authorid'] is added in there - only use per given parameter, when current user is different to meant user!!
+        $cats = serendipity_fetchCategories(); // $serendipity['authorid'] is added inside - only use per given parameter, when current user is different to meant user!!
     }
     $data['view'] = true;
     $data['viewCats'] = $cats;
@@ -234,7 +236,7 @@
                                     : (
                                         (serendipity_checkPermission('adminEntriesMaintainOthers') && serendipity_checkPermission('adminCategoriesMaintainOthers'))
                                         ? GROUP . ': <span class="icon-users chief" title="' . USERLEVEL_CHIEF_DESC . '" aria-hidden="true"></span> +'
-                                        : AUTHOR . ': ' .serendipity_specialchars($serendipity['serendipityUser'])
+                                        : AUTHOR . ': ' .htmlspecialchars($serendipity['serendipityUser'])
                                     );
     }
 }