card-mod-script 0.14.2 → 0.15.0

data/vendor/jquery_file_upload/SECURITY.md

@@ -1,227 +0,0 @@
-# File Upload Security
-
-## Contents
-
-- [Introduction](#introduction)
-- [Purpose of this project](#purpose-of-this-project)
-- [Mitigations against file upload risks](#mitigations-against-file-upload-risks)
-  - [Prevent code execution on the server](#prevent-code-execution-on-the-server)
-  - [Prevent code execution in the browser](#prevent-code-execution-in-the-browser)
-  - [Prevent distribution of malware](#prevent-distribution-of-malware)
-- [Secure file upload serving configurations](#secure-file-upload-serving-configurations)
-  - [Apache config](#apache-config)
-  - [NGINX config](#nginx-config)
-- [Secure image processing configurations](#secure-image-processing-configurations)
-- [ImageMagick config](#imagemagick-config)
-
-## Introduction
-
-For an in-depth understanding of the potential security risks of providing file
-uploads and possible mitigations, please refer to the
-[OWASP - Unrestricted File Upload](https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload)
-documentation.
-
-To securely setup the project to serve uploaded files, please refer to the
-sample
-[Secure file upload serving configurations](#secure-file-upload-serving-configurations).
-
-To mitigate potential vulnerabilities in image processing libraries, please
-refer to the
-[Secure image processing configurations](#secure-image-processing-configurations).
-
-By default, all sample upload handlers allow only upload of image files, which
-mitigates some attack vectors, but should not be relied on as the only
-protection.
-
-Please also have a look at the
-[list of fixed vulnerabilities](VULNERABILITIES.md) in jQuery File Upload, which
-relates mostly to the sample server-side upload handlers and how they have been
-configured.
-
-## Purpose of this project
-
-Please note that this project is not a complete file management product, but
-foremost a client-side file upload library for [jQuery](https://jquery.com/).  
-The server-side sample upload handlers are just examples to demonstrate the
-client-side file upload functionality.
-
-To make this very clear, there is **no user authentication** by default:
-
-- **everyone can upload files**
-- **everyone can delete uploaded files**
-
-In some cases this can be acceptable, but for most projects you will want to
-extend the sample upload handlers to integrate user authentication, or implement
-your own.
-
-It is also up to you to configure your web server to securely serve the uploaded
-files, e.g. using the
-[sample server configurations](#secure-file-upload-serving-configurations).
-
-## Mitigations against file upload risks
-
-### Prevent code execution on the server
-
-To prevent execution of scripts or binaries on server-side, the upload directory
-must be configured to not execute files in the upload directory (e.g.
-`server/php/files` as the default for the PHP upload handler) and only treat
-uploaded files as static content.
-
-The recommended way to do this is to configure the upload directory path to
-point outside of the web application root.  
-Then the web server can be configured to serve files from the upload directory
-with their default static files handler only.
-
-Limiting file uploads to a whitelist of safe file types (e.g. image files) also
-mitigates this issue, but should not be the only protection.
-
-### Prevent code execution in the browser
-
-To prevent execution of scripts on client-side, the following headers must be
-sent when delivering generic uploaded files to the client:
-
-```
-Content-Type: application/octet-stream
-X-Content-Type-Options: nosniff
-```
-
-The `Content-Type: application/octet-stream` header instructs browsers to
-display a download dialog instead of parsing it and possibly executing script
-content e.g. in HTML files.
-
-The `X-Content-Type-Options: nosniff` header prevents browsers to try to detect
-the file mime type despite the given content-type header.
-
-For known safe files, the content-type header can be adjusted using a
-**whitelist**, e.g. sending `Content-Type: image/png` for PNG files.
-
-### Prevent distribution of malware
-
-To prevent attackers from uploading and distributing malware (e.g. computer
-viruses), it is recommended to limit file uploads only to a whitelist of safe
-file types.
-
-Please note that the detection of file types in the sample file upload handlers
-is based on the file extension and not the actual file content. This makes it
-still possible for attackers to upload malware by giving their files an image
-file extension, but should prevent automatic execution on client computers when
-opening those files.
-
-It does not protect at all from exploiting vulnerabilities in image display
-programs, nor from users renaming file extensions to inadvertently execute the
-contained malicious code.
-
-## Secure file upload serving configurations
-
-The following configurations serve uploaded files as static files with the
-proper headers as
-[mitigation against file upload risks](#mitigations-against-file-upload-risks).  
-Please do not simply copy&paste these configurations, but make sure you
-understand what they are doing and that you have implemented them correctly.
-
-> Always test your own setup and make sure that it is secure!
-
-e.g. try uploading PHP scripts (as "example.php", "example.php.png" and
-"example.png") to see if they get executed by your web server, e.g. the content
-of the following sample:
-
-```php
-GIF89ad <?php echo mime_content_type(__FILE__); phpinfo();
-```
-
-### Apache config
-
-Add the following directive to the Apache config (e.g.
-/etc/apache2/apache2.conf), replacing the directory path with the absolute path
-to the upload directory:
-
-```ApacheConf
-<Directory "/path/to/project/server/php/files">
-  # Some of the directives require the Apache Headers module. If it is not
-  # already enabled, please execute the following command and reload Apache:
-  # sudo a2enmod headers
-  #
-  # Please note that the order of directives across configuration files matters,
-  # see also:
-  # https://httpd.apache.org/docs/current/sections.html#merging
-
-  # The following directive matches all files and forces them to be handled as
-  # static content, which prevents the server from parsing and executing files
-  # that are associated with a dynamic runtime, e.g. PHP files.
-  # It also forces their Content-Type header to "application/octet-stream" and
-  # adds a "Content-Disposition: attachment" header to force a download dialog,
-  # which prevents browsers from interpreting files in the context of the
-  # web server, e.g. HTML files containing JavaScript.
-  # Lastly it also prevents browsers from MIME-sniffing the Content-Type,
-  # preventing them from interpreting a file as a different Content-Type than
-  # the one sent by the webserver.
-  <FilesMatch ".*">
-    SetHandler default-handler
-    ForceType application/octet-stream
-    Header set Content-Disposition attachment
-    Header set X-Content-Type-Options nosniff
-  </FilesMatch>
-
-  # The following directive matches known image files and unsets the forced
-  # Content-Type so they can be served with their original mime type.
-  # It also unsets the Content-Disposition header to allow displaying them
-  # inline in the browser.
-  <FilesMatch ".+\.(?i:(gif|jpe?g|png))$">
-    ForceType none
-    Header unset Content-Disposition
-  </FilesMatch>
-</Directory>
-```
-
-### NGINX config
-
-Add the following directive to the NGINX config, replacing the directory path
-with the absolute path to the upload directory:
-
-```Nginx
-location ^~ /path/to/project/server/php/files {
-    root html;
-    default_type application/octet-stream;
-    types {
-        image/gif     gif;
-        image/jpeg    jpg;
-        image/png    png;
-    }
-    add_header X-Content-Type-Options 'nosniff';
-    if ($request_filename ~ /(((?!\.(jpg)|(png)|(gif)$)[^/])+$)) {
-        add_header Content-Disposition 'attachment; filename="$1"';
-        # Add X-Content-Type-Options again, as using add_header in a new context
-        # dismisses all previous add_header calls:
-        add_header X-Content-Type-Options 'nosniff';
-    }
-}
-```
-
-## Secure image processing configurations
-
-The following configuration mitigates
-[potential image processing vulnerabilities with ImageMagick](VULNERABILITIES.md#potential-vulnerabilities-with-php-imagemagick)
-by limiting the attack vectors to a small subset of image types
-(`GIF/JPEG/PNG`).
-
-Please also consider using alternative, safer image processing libraries like
-[libvips](https://github.com/libvips/libvips) or
-[imageflow](https://github.com/imazen/imageflow).
-
-## ImageMagick config
-
-It is recommended to disable all non-required ImageMagick coders via
-[policy.xml](https://wiki.debian.org/imagemagick/security).  
-To do so, locate the ImageMagick `policy.xml` configuration file and add the
-following policies:
-
-```xml
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- ... -->
-<policymap>
-  <!-- ... -->
-  <policy domain="delegate" rights="none" pattern="*" />
-  <policy domain="coder" rights="none" pattern="*" />
-  <policy domain="coder" rights="read | write" pattern="{GIF,JPEG,JPG,PNG}" />
-</policymap>
-```

data/vendor/jquery_file_upload/VULNERABILITIES.md

@@ -1,118 +0,0 @@
-# List of fixed vulnerabilities
-
-## Contents
-
-- [Potential vulnerabilities with PHP+ImageMagick](#potential-vulnerabilities-with-phpimagemagick)
-- [Remote code execution vulnerability in the PHP component](#remote-code-execution-vulnerability-in-the-php-component)
-- [Open redirect vulnerability in the GAE components](#open-redirect-vulnerability-in-the-gae-components)
-- [Cross-site scripting vulnerability in the Iframe Transport](#cross-site-scripting-vulnerability-in-the-iframe-transport)
-
-## Potential vulnerabilities with PHP+ImageMagick
-
-> Mitigated: 2018-10-25 (GMT)
-
-The sample [PHP upload handler](server/php/UploadHandler.php) before
-[v9.25.1](https://github.com/blueimp/jQuery-File-Upload/releases/tag/v9.25.1)
-did not validate file signatures before invoking
-[ImageMagick](https://www.imagemagick.org/) (via
-[Imagick](https://php.net/manual/en/book.imagick.php)).  
-Verifying those
-[magic bytes](https://en.wikipedia.org/wiki/List_of_file_signatures) mitigates
-potential vulnerabilities when handling input files other than `GIF/JPEG/PNG`.
-
-Please also configure ImageMagick to only enable the coders required for
-`GIF/JPEG/PNG` processing, e.g. with the sample
-[ImageMagick config](SECURITY.md#imagemagick-config).
-
-**Further information:**
-
-- Commit containing the mitigation:
-  [fe44d34](https://github.com/blueimp/jQuery-File-Upload/commit/fe44d34be43be32c6b8d507932f318dababb25dd)
-- [ImageTragick](https://imagetragick.com/)
-- [CERT Vulnerability Note VU#332928](https://www.kb.cert.org/vuls/id/332928)
-- [ImageMagick CVE entries](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=imagemagick)
-
-## Remote code execution vulnerability in the PHP component
-
-> Fixed: 2018-10-23 (GMT)
-
-The sample [PHP upload handler](server/php/UploadHandler.php) before
-[v9.24.1](https://github.com/blueimp/jQuery-File-Upload/releases/tag/v9.24.1)
-allowed to upload all file types by default.  
-This opens up a remote code execution vulnerability, unless the server is
-configured to not execute (PHP) files in the upload directory
-(`server/php/files`).
-
-The provided [.htaccess](server/php/files/.htaccess) file includes instructions
-for Apache to disable script execution, however
-[.htaccess support](https://httpd.apache.org/docs/current/howto/htaccess.html)
-is disabled by default since Apache `v2.3.9` via
-[AllowOverride Directive](https://httpd.apache.org/docs/current/mod/core.html#allowoverride).
-
-**You are affected if you:**
-
-1. A) Uploaded jQuery File Upload < `v9.24.1` on a Webserver that executes files
-   with `.php` as part of the file extension (e.g. "example.php.png"), e.g.
-   Apache with `mod_php` enabled and the following directive (_not a recommended
-   configuration_):
-   ```ApacheConf
-   AddHandler php5-script .php
-   ```
-   B) Uploaded jQuery File Upload < `v9.22.1` on a Webserver that executes files
-   with the file extension `.php`, e.g. Apache with `mod_php` enabled and the
-   following directive:
-   ```ApacheConf
-   <FilesMatch \.php$>
-     SetHandler application/x-httpd-php
-   </FilesMatch>
-   ```
-2. Did not actively configure your Webserver to not execute files in the upload
-   directory (`server/php/files`).
-3. Are running Apache `v2.3.9+` with the default `AllowOverride` Directive set
-   to `None` or another Webserver with no `.htaccess` support.
-
-**How to fix it:**
-
-1. Upgrade to the latest version of jQuery File Upload.
-2. Configure your Webserver to not execute files in the upload directory, e.g.
-   with the [sample Apache configuration](SECURITY.md#apache-config)
-
-**Further information:**
-
-- Commits containing the security fix:
-  [aeb47e5](https://github.com/blueimp/jQuery-File-Upload/commit/aeb47e51c67df8a504b7726595576c1c66b5dc2f),
-  [ad4aefd](https://github.com/blueimp/jQuery-File-Upload/commit/ad4aefd96e4056deab6fea2690f0d8cf56bb2d7d)
-- [Full disclosure post on Hacker News](https://news.ycombinator.com/item?id=18267309).
-- [CVE-2018-9206](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9206)
-- [OWASP - Unrestricted File Upload](https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload)
-
-## Open redirect vulnerability in the GAE components
-
-> Fixed: 2015-06-12 (GMT)
-
-The sample Google App Engine upload handlers before
-v[9.10.1](https://github.com/blueimp/jQuery-File-Upload/releases/tag/9.10.1)
-accepted any URL as redirect target, making it possible to use the Webserver's
-domain for phishing attacks.
-
-**Further information:**
-
-- Commit containing the security fix:
-  [f74d2a8](https://github.com/blueimp/jQuery-File-Upload/commit/f74d2a8c3e3b1e8e336678d2899facd5bcdb589f)
-- [OWASP - Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html)
-
-## Cross-site scripting vulnerability in the Iframe Transport
-
-> Fixed: 2012-08-09 (GMT)
-
-The [redirect page](cors/result.html) for the
-[Iframe Transport](js/jquery.iframe-transport.js) before commit
-[4175032](https://github.com/blueimp/jQuery-File-Upload/commit/41750323a464e848856dc4c5c940663498beb74a)
-(_fixed in all tagged releases_) allowed executing arbitrary JavaScript in the
-context of the Webserver.
-
-**Further information:**
-
-- Commit containing the security fix:
-  [4175032](https://github.com/blueimp/jQuery-File-Upload/commit/41750323a464e848856dc4c5c940663498beb74a)
-- [OWASP - Cross-site Scripting (XSS)](https://owasp.org/www-community/attacks/xss/)

data/vendor/jquery_file_upload/cors/postmessage.html

@@ -1,85 +0,0 @@
-<!DOCTYPE html>
-<!--
-/*
- * jQuery File Upload Plugin postMessage API
- * https://github.com/blueimp/jQuery-File-Upload
- *
- * Copyright 2011, Sebastian Tschan
- * https://blueimp.net
- *
- * Licensed under the MIT license:
- * https://opensource.org/licenses/MIT
- */
--->
-<html lang="en">
-  <head>
-    <meta charset="utf-8" />
-    <title>jQuery File Upload Plugin postMessage API</title>
-    <script
-      src="https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js"
-      integrity="sha384-nvAa0+6Qg9clwYCGGPpDQLVpLNn0fRaROjHqs13t4Ggj3Ez50XnGQqc/r8MhnRDZ"
-      crossorigin="anonymous"
-    ></script>
-  </head>
-  <body>
-    <script>
-      'use strict';
-      var origin = /^https:\/\/example.org/,
-        target = new RegExp('^(http(s)?:)?\\/\\/' + location.host + '\\/');
-      $(window).on('message', function (e) {
-        e = e.originalEvent;
-        var s = e.data,
-          xhr = $.ajaxSettings.xhr(),
-          f;
-        if (!origin.test(e.origin)) {
-          throw new Error('Origin "' + e.origin + '" does not match ' + origin);
-        }
-        if (!target.test(e.data.url)) {
-          throw new Error(
-            'Target "' + e.data.url + '" does not match ' + target
-          );
-        }
-        $(xhr.upload).on('progress', function (ev) {
-          ev = ev.originalEvent;
-          e.source.postMessage(
-            {
-              id: s.id,
-              type: ev.type,
-              timeStamp: ev.timeStamp,
-              lengthComputable: ev.lengthComputable,
-              loaded: ev.loaded,
-              total: ev.total
-            },
-            e.origin
-          );
-        });
-        s.xhr = function () {
-          return xhr;
-        };
-        if (!(s.data instanceof Blob)) {
-          f = new FormData();
-          $.each(s.data, function (i, v) {
-            f.append(v.name, v.value);
-          });
-          s.data = f;
-        }
-        $.ajax(s).always(function (result, statusText, jqXHR) {
-          if (!jqXHR.done) {
-            jqXHR = result;
-            result = null;
-          }
-          e.source.postMessage(
-            {
-              id: s.id,
-              status: jqXHR.status,
-              statusText: statusText,
-              result: result,
-              headers: jqXHR.getAllResponseHeaders()
-            },
-            e.origin
-          );
-        });
-      });
-    </script>
-  </body>
-</html>

data/vendor/jquery_file_upload/cors/result.html

@@ -1,26 +0,0 @@
-<!DOCTYPE html>
-<!--
-/*
- * jQuery Iframe Transport Plugin Redirect Page
- * https://github.com/blueimp/jQuery-File-Upload
- *
- * Copyright 2010, Sebastian Tschan
- * https://blueimp.net
- *
- * Licensed under the MIT license:
- * https://opensource.org/licenses/MIT
- */
--->
-<html lang="en">
-  <head>
-    <meta charset="utf-8" />
-    <title>jQuery Iframe Transport Plugin Redirect Page</title>
-  </head>
-  <body>
-    <script>
-      document.body.innerText = document.body.textContent = decodeURIComponent(
-        window.location.search.slice(1)
-      );
-    </script>
-  </body>
-</html>

data/vendor/jquery_file_upload/css/jquery.fileupload-noscript.css

@@ -1,22 +0,0 @@
-@charset "UTF-8";
-/*
- * jQuery File Upload Plugin NoScript CSS
- * https://github.com/blueimp/jQuery-File-Upload
- *
- * Copyright 2013, Sebastian Tschan
- * https://blueimp.net
- *
- * Licensed under the MIT license:
- * https://opensource.org/licenses/MIT
- */
-
-.fileinput-button input {
-  position: static;
-  opacity: 1;
-  filter: none;
-  font-size: inherit !important;
-  direction: inherit;
-}
-.fileinput-button span {
-  display: none;
-}

data/vendor/jquery_file_upload/css/jquery.fileupload-ui-noscript.css

@@ -1,17 +0,0 @@
-@charset "UTF-8";
-/*
- * jQuery File Upload UI Plugin NoScript CSS
- * https://github.com/blueimp/jQuery-File-Upload
- *
- * Copyright 2012, Sebastian Tschan
- * https://blueimp.net
- *
- * Licensed under the MIT license:
- * https://opensource.org/licenses/MIT
- */
-
-.fileinput-button i,
-.fileupload-buttonbar .delete,
-.fileupload-buttonbar .toggle {
-  display: none;
-}

data/vendor/jquery_file_upload/css/jquery.fileupload-ui.css

@@ -1,68 +0,0 @@
-@charset "UTF-8";
-/*
- * jQuery File Upload UI Plugin CSS
- * https://github.com/blueimp/jQuery-File-Upload
- *
- * Copyright 2010, Sebastian Tschan
- * https://blueimp.net
- *
- * Licensed under the MIT license:
- * https://opensource.org/licenses/MIT
- */
-
-.progress-animated .progress-bar,
-.progress-animated .bar {
-  background: url('../img/progressbar.gif') !important;
-  filter: none;
-}
-.fileupload-process {
-  float: right;
-  display: none;
-}
-.fileupload-processing .fileupload-process,
-.files .processing .preview {
-  display: block;
-  width: 32px;
-  height: 32px;
-  background: url('../img/loading.gif') center no-repeat;
-  background-size: contain;
-}
-.files audio,
-.files video {
-  max-width: 300px;
-}
-.files .name {
-  word-wrap: break-word;
-  overflow-wrap: anywhere;
-  -webkit-hyphens: auto;
-  hyphens: auto;
-}
-.files button {
-  margin-bottom: 5px;
-}
-.toggle[type='checkbox'] {
-  transform: scale(2);
-  margin-left: 10px;
-}
-
-@media (max-width: 767px) {
-  .fileupload-buttonbar .btn {
-    margin-bottom: 5px;
-  }
-  .fileupload-buttonbar .delete,
-  .fileupload-buttonbar .toggle,
-  .files .toggle,
-  .files .btn span {
-    display: none;
-  }
-  .files audio,
-  .files video {
-    max-width: 80px;
-  }
-}
-
-@media (max-width: 480px) {
-  .files .image td:nth-child(2) {
-    display: none;
-  }
-}

data/vendor/jquery_file_upload/css/jquery.fileupload.css

@@ -1,36 +0,0 @@
-@charset "UTF-8";
-/*
- * jQuery File Upload Plugin CSS
- * https://github.com/blueimp/jQuery-File-Upload
- *
- * Copyright 2013, Sebastian Tschan
- * https://blueimp.net
- *
- * Licensed under the MIT license:
- * https://opensource.org/licenses/MIT
- */
-
-.fileinput-button {
-  position: relative;
-  overflow: hidden;
-  display: inline-block;
-}
-.fileinput-button input {
-  position: absolute;
-  top: 0;
-  right: 0;
-  margin: 0;
-  height: 100%;
-  opacity: 0;
-  filter: alpha(opacity=0);
-  font-size: 200px !important;
-  direction: ltr;
-  cursor: pointer;
-}
-
-/* Fixes for IE < 8 */
-@media screen\9 {
-  .fileinput-button input {
-    font-size: 150% !important;
-  }
-}

data/vendor/jquery_file_upload/docker-compose.yml

@@ -1,55 +0,0 @@
-version: '3.7'
-services:
-  example:
-    build: server/php
-    ports:
-      - 127.0.0.1:80:80
-    volumes:
-      - .:/var/www/html
-  mocha:
-    image: blueimp/mocha-chrome
-    command: http://example/test
-    environment:
-      - WAIT_FOR_HOSTS=example:80
-    depends_on:
-      - example
-  chromedriver:
-    image: blueimp/chromedriver
-    tmpfs: /tmp
-    environment:
-      - DISABLE_X11=false
-      - ENABLE_VNC=true
-      - EXPOSE_X11=true
-    volumes:
-      - ./wdio/assets:/home/webdriver/assets:ro
-    ports:
-      - 127.0.0.1:5900:5900
-  geckodriver:
-    image: blueimp/geckodriver
-    tmpfs: /tmp
-    shm_size: 2g
-    environment:
-      - DISABLE_X11=false
-      - ENABLE_VNC=true
-      - EXPOSE_X11=true
-    volumes:
-      - ./wdio/assets:/home/webdriver/assets:ro
-    ports:
-      - 127.0.0.1:5901:5900
-  wdio:
-    image: blueimp/wdio
-    read_only: true
-    tmpfs:
-      - /tmp
-    environment:
-      - WAIT_FOR_HOSTS=chromedriver:4444 geckodriver:4444 example:80
-      - WINDOWS_HOST
-      - MACOS_ASSETS_DIR=$PWD/wdio/assets/
-      - WINDOWS_ASSETS_DIR
-    volumes:
-      - ./wdio:/app:ro
-      - ./wdio/reports:/app/reports
-    depends_on:
-      - chromedriver
-      - geckodriver
-      - example