1.7.1 version

* origin/pr/77:
  Update version
  Add changelog for fix
  Fix vulnerability related to the one fixed in 2.6.5

_build/build.transport.php

@@ -34,7 +34,7 @@
 /* define package */
 define('PKG_NAME','Gallery');
 define('PKG_NAME_LOWER','gallery');
-define('PKG_VERSION','1.7.0');
+define('PKG_VERSION','1.7.1');
 define('PKG_RELEASE','pl');
 
 /* define sources */

_build/config.json

@@ -3,7 +3,7 @@
     ,"lowCaseName": "gallery"
     ,"description": "Gallery"
     ,"author": "Shaun McCormick"
-    ,"version": "1.7.0"
+    ,"version": "1.7.1"
     ,"package":{
         "actions": [{
             "id": 1

core/components/gallery/docs/changelog.txt

@@ -1,5 +1,8 @@
 Changelog for Gallery.
 
+Gallery 1.7.1
+====================================
+- Fixed critical vulnerability in phpthumb processor
 - Fixed namespace paths
 
 Gallery 1.7.0

core/components/gallery/processors/web/phpthumb.php

@@ -25,7 +25,25 @@
 $src = str_replace('+', '%27', urldecode($src));
 
 /* explode tag options */
-$ptOptions = $scriptProperties;
+$ptOptions = array();
+
+// Only public parameters of phpThumb should be allowed to pass from user input.
+// List properties between START PARAMETERS and START PARAMETERS in src/core/model/phpthumb/phpthumb.class.php
+$allowed = array(
+    'src', 'new', 'w', 'h', 'wp', 'hp', 'wl', 'hl', 'ws', 'hs',
+    'f', 'q', 'sx', 'sy', 'sw', 'sh', 'zc', 'bc', 'bg', 'fltr',
+    'goto', 'err', 'xto', 'ra', 'ar', 'aoe', 'far', 'iar', 'maxb', 'down',
+    'md5s', 'sfn', 'dpi', 'sia', 'phpThumbDebug'
+);
+
+/* iterate through properties */
+foreach ($scriptProperties as $property => $value) {
+    if (!in_array($property, $allowed, true)) {
+        $this->modx->log(modX::LOG_LEVEL_WARN, "Detected attempt of using private parameter `$property` (for internal usage) of phpThumb that not allowed and insecure");
+        continue;
+    }
+    $ptOptions[$property] = $value;
+}
 
 if (empty($ptOptions['f'])) {
     $ext = pathinfo($src, PATHINFO_EXTENSION);