Gallery 1.5.3 Released

Gallery 1.5.3 is now available for download. This release is primarily a bug fix release, but it also includes an important security fix. The fixes:
  • Security: Not all user input was correctly sanitized for JavaScript injection. (Thanks to Aditya Mooley at adityamooley@sanisoft.com for reporting this and giving us plenty of time to fix it!)
  • HTML is allowed again in various places. (title, caption, comments)
  • Weird space around images inside the border that appeared in 1.5.2 is gone.
  • Proper order of items when uploaded in IE and Opera.
  • Language Mode 2 works again.
  • Several other minor things.
We recommend all Gallery 1 users upgrade to 1.5.3 to keep their Gallery as secure as possible. Download Gallery 1.5.3 from the Gallery Download Page.
schultmc's picture

Version 1.5.3-1 of the Debian gallery package was uploaded to Debian unstable in the evening (EDT) of Thursday, April 13, 2006 and should be available as of the archive run in the afternoon (EDT) of Friday, April 14, 2006. Sorry for the delay - my build system was out of commission for a few days.

--
Debian gallery package maintainer

Hmmm. With this version, suddenly I (as an administrator user) can't change the permissions of any albums. I can change ownership, and I can click on the other things and the form refreshes, but shows no changes. Peculiar. Anyone else seeing this? I do have a few local modifications to some of the code, but nothing that should affect this.

Oh, weird. It turns out that the problem is that the <-- was getting passed back in as &lt;--.

Oddly, the --> was working fine. No idea why this changed all-the-sudden here, but may be related to the html-sanitizing fixes.

Anyway, this patch makes it work:

--- album_permissions.php.20060417      2006-04-17 21:13:58.000000000 -0400
+++ album_permissions.php       2006-04-17 21:20:48.000000000 -0400
@@ -65,11 +65,11 @@

 foreach ($submit as $perm => $action) {
     if(isset($action) && isset($actionUid)) {
-        if($action == '-->') {
+        if($action == '-->' or $action == '&gt;--') {
             $gallery->album->setPerm($perm, $actionUid, true);
             $changed++;
         }
-        if($action == '<--') {
+        if ($action == '<--' or $action == '&lt;--') {
             $gallery->album->setPerm($perm, $actionUid, false);
             $changed++;
         }
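Review bot: In the first changed condition, the added alternative `'&gt;--'` is the entity-encoded form of `>--`, not of `-->` (which would encode to `--&gt;`), so it can never match the label this branch handles. Only the `'&lt;--'` alternative in the second condition corresponds to its label. Rather than listing an encoded spelling beside each raw one, consider decoding `$action` once before the comparisons, or have the form submit a value with no `<` or `>` in it, so the check does not depend on how input sanitizing treats those characters. Minor style point: the second condition is written `if (` while the rest of the hunk uses `if(`.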

Oh, or:

http://jems.de/archive/1.5.3/updates/Album-Permissions/

I keep forgetting to troll the forums for problems before posting. :)

pierrel's picture

Same here. Is new album_permissions.php the fix, because it still won't let me create new albums even as admin user?

Not letting you create new albums sounds like a different problem.

>>With this version, suddenly I (as an administrator user) can't change the permissions of any albums.

I have the same problem :-(

It's solved. See above.