Merge branch 'master' into calendar_import

7 files changed, 149 insertions, 42 deletions

diff --git a/lib/db.php b/lib/db.php
index 9e6835adc6f..ffa0d37307a 100644
--- a/lib/db.php
+++ b/lib/db.php
@@ -528,7 +528,7 @@ class OC_DB {
 	 	self::removeDBStructure( OC::$SERVERROOT . '/db_structure.xml' );
 	 	
 	 	foreach($apps as $app){
-	 		$path = self::getAppPath($app).'/appinfo/database.xml';
+	 		$path = OC_App::getAppPath($app).'/appinfo/database.xml';
 	 		if(file_exists($path)){
 	 			self::removeDBStructure( $path );	
 	 		}
diff --git a/lib/helper.php b/lib/helper.php
index b1d2da1452f..0d18098a4e7 100644
--- a/lib/helper.php
+++ b/lib/helper.php
@@ -41,7 +41,7 @@ class OC_Helper {
 			$app_path = OC_App::getAppPath($app);
 			// Check if the app is in the app folder
 			if( $app_path && file_exists( $app_path.'/'.$file )){
-				if(substr($file, -3) == 'php' || substr($file, -3) == 'css'){	
+				if(substr($file, -3) == 'php' || substr($file, -3) == 'css'){
 					$urlLinkTo =  OC::$WEBROOT . '/?app=' . $app;
 					$urlLinkTo .= ($file!='index.php')?'&getfile=' . urlencode($file):'';
 				}else{
@@ -379,7 +379,7 @@ class OC_Helper {
 			//trim the character set from the end of the response
 			$mimeType=substr($reply,0,strrpos($reply,' '));
 
-			//trim ; 
+			//trim ;
 			if (strpos($mimeType, ';') !== false) {
 				$mimeType = strstr($mimeType, ';', true);
 			}
@@ -586,11 +586,11 @@ class OC_Helper {
 
 		return $newpath;
 	}
-	
+
 	/*
 	 * checks if $sub is a subdirectory of $parent
-	 * 
-	 * @param $sub 
+	 *
+	 * @param $sub
 	 * @param $parent
 	 * @return bool
 	 */
@@ -620,4 +620,68 @@ class OC_Helper {
 		exit;*/
 		return false;
 	}
+
+	/**
+	* @brief Returns an array with all keys from input lowercased or uppercased. Numbered indices are left as is.
+	*
+	* @param $input The array to work on
+	* @param $case Either MB_CASE_UPPER or MB_CASE_LOWER (default)
+	* @param $encoding The encoding parameter is the character encoding. Defaults to UTF-8
+	* @return array
+	*
+	* Returns an array with all keys from input lowercased or uppercased. Numbered indices are left as is.
+	* based on http://www.php.net/manual/en/function.array-change-key-case.php#107715
+	*
+	*/
+	public static function mb_array_change_key_case($input, $case = MB_CASE_LOWER, $encoding = 'UTF-8'){
+		$case = ($case != MB_CASE_UPPER) ? MB_CASE_LOWER : MB_CASE_UPPER;
+		$ret = array();
+		foreach ($input as $k => $v) {
+			$ret[mb_convert_case($k, $case, $encoding)] = $v;
+		}
+		return $ret;
+	}
+
+	/**
+	* @brief replaces a copy of string delimited by the start and (optionally) length parameters with the string given in replacement.
+	*
+	* @param $input The input string. .Opposite to the PHP build-in function does not accept an array.
+	* @param $replacement The replacement string.
+	* @param $start If start is positive, the replacing will begin at the start'th offset into string. If start is negative, the replacing will begin at the start'th character from the end of string.
+	* @param $length Length of the part to be replaced
+	* @param $encoding The encoding parameter is the character encoding. Defaults to UTF-8
+	* @return string
+	*
+	*/
+	public static function mb_substr_replace($string, $replacement, $start, $length = null, $encoding = 'UTF-8') {
+		$start = intval($start);
+		$length = intval($length);
+		$string = mb_substr($string, 0, $start, $encoding) .
+		          $replacement .
+		          mb_substr($string, $start+$length, mb_strlen($string, 'UTF-8')-$start, $encoding);
+
+		return $string;
+	}
+
+	/**
+	* @brief Replace all occurrences of the search string with the replacement string
+	*
+	* @param $search The value being searched for, otherwise known as the needle. String.
+	* @param $replace The replacement string.
+	* @param $subject The string or array being searched and replaced on, otherwise known as the haystack.
+	* @param $encoding The encoding parameter is the character encoding. Defaults to UTF-8
+	* @param $count If passed, this will be set to the number of replacements performed.
+	* @return string
+	*
+	*/
+	public static function mb_str_replace($search, $replace, $subject, $encoding = 'UTF-8', &$count = null) {
+		$offset = -1;
+		$length = mb_strlen($search, 'UTF-8');
+		while(($i = mb_strrpos($subject, $search, $offset, 'UTF-8'))) {
+			$subject = OC_Helper::mb_substr_replace($subject, $replace, $i, $length);
+			$offset = $i - mb_strlen($subject, 'UTF-8') - 1;
+			$count++;
+		}
+		return $subject;
+	}
 }
diff --git a/lib/json.php b/lib/json.php
index 4eab4fce9f6..c49b831c12b 100644
--- a/lib/json.php
+++ b/lib/json.php
@@ -94,12 +94,12 @@ class OC_JSON{
 	* Encode and print $data in json format
 	*/
 	public static function encodedPrint($data,$setContentType=true){
-		if(!isset($_SERVER['PATH_INFO']) || $_SERVER['PATH_INFO'] == '') {
+			// Disable mimesniffing, don't move this to setContentTypeHeader!
+			header( 'X-Content-Type-Options: nosniff' );
 			if($setContentType){
 				self::setContentTypeHeader();
 			}
 			array_walk_recursive($data, array('OC_JSON', 'to_string'));
 			echo json_encode($data);
-		}
 	}
 }
diff --git a/lib/l10n.php b/lib/l10n.php
index 4acbc5dcebc..de8514573d3 100644
--- a/lib/l10n.php
+++ b/lib/l10n.php
@@ -113,13 +113,13 @@ class OC_L10N{
 			$i18ndir = self::findI18nDir($app);
 			// Localization is in /l10n, Texts are in $i18ndir
 			// (Just no need to define date/time format etc. twice)
-			if(file_exists($i18ndir.$lang.'.php')){
+			if((OC_Helper::issubdirectory($i18ndir.$lang.'.php', OC_App::getAppPath($app).'/l10n/') || OC_Helper::issubdirectory($i18ndir.$lang.'.php', OC::$SERVERROOT.'/core/l10n/') || OC_Helper::issubdirectory($i18ndir.$lang.'.php', OC::$SERVERROOT.'/settings')) && file_exists($i18ndir.$lang.'.php')) {
 				// Include the file, save the data from $CONFIG
-				include($i18ndir.$lang.'.php');
+				include(strip_tags($i18ndir).strip_tags($lang).'.php');
 				if(isset($TRANSLATIONS) && is_array($TRANSLATIONS)){
 					$this->translations = $TRANSLATIONS;
 				}
-			}
+			} 
 
 			if(file_exists(OC::$SERVERROOT.'/core/l10n/l10n-'.$lang.'.php')){
 				// Include the file, save the data from $CONFIG
diff --git a/lib/migrate.php b/lib/migrate.php
index 731b6a6839c..f788a637d3c 100644
--- a/lib/migrate.php
+++ b/lib/migrate.php
@@ -278,7 +278,7 @@ class OC_Migrate{
 						return json_encode( array( 'success' => false ) );
 					}
 					// Done
-					return json_encode( 'success' => true );
+					return json_encode( array( 'success' => true ) );
 					*/
 			break;
 		}
@@ -443,21 +443,10 @@ class OC_Migrate{
 						'ocversion' => OC_Util::getVersion(),
 						'exporttime' => time(),
 						'exportedby' => OC_User::getUser(),
-						'exporttype' => self::$exporttype
+						'exporttype' => self::$exporttype,
+						'exporteduser' => self::$uid
 					);
-		// Add hash if user export
-		if( self::$exporttype == 'user' ){
-			$query = OC_DB::prepare( "SELECT password FROM *PREFIX*users WHERE uid = ?" );
-			$result = $query->execute( array( self::$uid ) );
-			$row = $result->fetchRow();
-			$hash = $row ? $row['password'] : false;
-			if( !$hash ){
-				OC_Log::write( 'migration', 'Failed to get the users password hash', OC_log::ERROR);
-				return false;
-			}
-			$info['hash'] = $hash;
-			$info['exporteduser'] = self::$uid;
-		}
+
 		if( !is_array( $array ) ){
 			OC_Log::write( 'migration', 'Supplied $array was not an array in getExportInfo()', OC_Log::ERROR );
 		}
diff --git a/lib/public/util.php b/lib/public/util.php
index c611d59a533..41121091544 100644
--- a/lib/public/util.php
+++ b/lib/public/util.php
@@ -26,7 +26,7 @@
  *
  */
 
-// use OCP namespace for all classes that are considered public. 
+// use OCP namespace for all classes that are considered public.
 // This means that they should be used by apps instead of the internal ownCloud classes
 namespace OCP;
 
@@ -54,7 +54,7 @@ class Util {
 
 
 	/**
-	 * @brief send an email 
+	 * @brief send an email
 	 * @param string $toaddress
 	 * @param string $toname
 	 * @param string $subject
@@ -264,17 +264,61 @@ class Util {
 	public static function callCheck(){
 		return(\OC_Util::callCheck());
 	}
-	
-	/**

-	 * @brief Used to sanitize HTML

-	 *

-	 * This function is used to sanitize HTML and should be applied on any string or array of strings before displaying it on a web page.

-	 *

-	 * @param string or array of strings

-	 * @return array with sanitized strings or a single sinitized string, depends on the input parameter.

-	 */

-	public static function sanitizeHTML( $value ){

-		return(\OC_Util::sanitizeHTML($value));

+
+	/**
+	 * @brief Used to sanitize HTML
+	 *
+	 * This function is used to sanitize HTML and should be applied on any string or array of strings before displaying it on a web page.
+	 *
+	 * @param string or array of strings
+	 * @return array with sanitized strings or a single sinitized string, depends on the input parameter.
+	 */
+	public static function sanitizeHTML( $value ){
+		return(\OC_Util::sanitizeHTML($value));
+	}
+
+	/**
+	* @brief Returns an array with all keys from input lowercased or uppercased. Numbered indices are left as is.
+	*
+	* @param $input The array to work on
+	* @param $case Either MB_CASE_UPPER or MB_CASE_LOWER (default)
+	* @param $encoding The encoding parameter is the character encoding. Defaults to UTF-8
+	* @return array
+	*
+	*
+	*/
+	public static function mb_array_change_key_case($input, $case = MB_CASE_LOWER, $encoding = 'UTF-8'){
+		return(\OC_Helper::mb_array_change_key_case($input, $case, $encoding));
+	}
+
+	/**
+	* @brief replaces a copy of string delimited by the start and (optionally) length parameters with the string given in replacement.
+	*
+	* @param $input The input string. .Opposite to the PHP build-in function does not accept an array.
+	* @param $replacement The replacement string.
+	* @param $start If start is positive, the replacing will begin at the start'th offset into string. If start is negative, the replacing will begin at the start'th character from the end of string.
+	* @param $length Length of the part to be replaced
+	* @param $encoding The encoding parameter is the character encoding. Defaults to UTF-8
+	* @return string
+	*
+	*/
+	public static function mb_substr_replace($string, $replacement, $start, $length = null, $encoding = 'UTF-8') {
+		return(\OC_Helper::mb_substr_replace($string, $replacement, $start, $length, $encoding));
+	}
+
+	/**
+	* @brief Replace all occurrences of the search string with the replacement string
+	*
+	* @param $search The value being searched for, otherwise known as the needle. String.
+	* @param $replace The replacement string.
+	* @param $subject The string or array being searched and replaced on, otherwise known as the haystack.
+	* @param $encoding The encoding parameter is the character encoding. Defaults to UTF-8
+	* @param $count If passed, this will be set to the number of replacements performed.
+	* @return string
+	*
+	*/
+	public static function mb_str_replace($search, $replace, $subject, $encoding = 'UTF-8', &$count = null) {
+		return(\OC_Helper::mb_str_replace($search, $replace, $subject, $encoding, $count));
 	}
 }
 
diff --git a/lib/setup.php b/lib/setup.php
index 5387a0ef493..bad0f5301c7 100644
--- a/lib/setup.php
+++ b/lib/setup.php
@@ -155,8 +155,11 @@ class OC_Setup {
 				OC_CONFIG::setValue('dbhost', $dbhost);
 				OC_CONFIG::setValue('dbtableprefix', $dbtableprefix);
 
+				$e_host = addslashes($dbhost);
+				$e_user = addslashes($dbuser);
+				$e_password = addslashes($dbpass);
 				//check if the database user has admin right
-				$connection_string = "host=$dbhost dbname=postgres user=$dbuser password=$dbpass";
+				$connection_string = "host='$e_host' dbname=postgres user='$e_user' password='$e_password'";
 				$connection = @pg_connect($connection_string);
 				if(!$connection) {
 					$error[] = array(
@@ -166,8 +169,9 @@ class OC_Setup {
 					return $error;
 				}
 				else {
+					$e_user = pg_escape_string($dbuser);
 					//check for roles creation rights in postgresql
-					$query="SELECT 1 FROM pg_roles WHERE rolcreaterole=TRUE AND rolname='$dbuser'";
+					$query="SELECT 1 FROM pg_roles WHERE rolcreaterole=TRUE AND rolname='$e_user'";
 					$result = pg_query($connection, $query);
 					if($result and pg_num_rows($result) > 0) {
 						//use the admin login data for the new database user
@@ -199,7 +203,13 @@ class OC_Setup {
 					// connect to the ownCloud database (dbname=$dbname) an check if it needs to be filled
 					$dbuser = OC_CONFIG::getValue('dbuser');
 					$dbpass = OC_CONFIG::getValue('dbpassword');
-					$connection_string = "host=$dbhost dbname=$dbname user=$dbuser password=$dbpass";
+
+					$e_host = addslashes($dbhost);
+					$e_dbname = addslashes($dbname);
+					$e_user = addslashes($dbuser);
+					$e_password = addslashes($dbpass);
+
+					$connection_string = "host='$e_host' dbname='$e_dbname' user='$e_user' password='$e_password'";
 					$connection = @pg_connect($connection_string);
 					if(!$connection) {
 						$error[] = array(