Beispiel #1
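/**
 * Import a single file into the wiki.
 *
 * The text is tried as a MIME page dump first, then as a serialized page, and is
 * finally stored as a plain-text page named after the file.
 *
 * Security alert! config.ini must never be imported into the wiki (or from a
 * sister wiki), because the SQL passwords are stored there in plaintext and the
 * web server must be able to read that file. Detected by Santtu Jarvi.
 * The refusal is a name-based deny rule. It is applied case-insensitively to the
 * name as given and to its canonical path. Callers that take file names from
 * users should additionally confine imports to a dedicated directory.
 *
 * @param object      $request  Request object; getArg() and getUser() are used here
 *                              and the object is handed on to SavePage().
 * @param string      $filename Name of the file to import. It is passed to PHP's
 *                              stream layer, so any enabled stream wrapper is honoured.
 * @param string|bool $text     File contents if already available; anything that is
 *                              not a string makes the function read $filename itself.
 * @param int|bool    $mtime    Modification time; defaults to the file's mtime or now.
 *                              NOTE(review): not forwarded anywhere in this function.
 * @return void
 */
function LoadFile(&$request, $filename, $text = false, $mtime = false)
{
    // Match the deny rule against the literal name and, when the file exists,
    // against its canonical form, so the result does not depend on how the path
    // happens to be spelled.
    $candidates = array($filename);
    $canonical = realpath($filename);
    if ($canonical !== false) {
        $candidates[] = $canonical;
    }
    foreach ($candidates as $candidate) {
        if (preg_match('/config$/i', dirname($candidate)) && preg_match('/config.*\.ini/i', basename($candidate))) {
            trigger_error(sprintf("Refused to load %s", $filename), E_USER_WARNING);
            return;
        }
    }

    if (!is_string($text)) {
        // Read the file. A failed read stops the import here; otherwise an
        // unreadable source would end up being saved as an empty page.
        $text = file_get_contents($filename);
        if ($text === false) {
            trigger_error(sprintf("Cannot read %s", $filename), E_USER_WARNING);
            return;
        }
        $stat = stat($filename);
        $mtime = is_array($stat) ? $stat[9] : false;
    }

    // Debug sessions get a longer time budget.
    @set_time_limit($request->getArg('start_debug') ? 240 : 30);

    // FIXME: basename("filewithnoslashes") seems to return garbage sometimes.
    $basename = basename("/dummy/" . $filename);
    if (!$mtime) {
        $mtime = time();
    }
    // Last resort: the page name is derived from the file name.
    $default_pagename = rawurldecode($basename);

    $parts = ParseMimeifiedPages($text);
    if ($parts) {
        usort($parts, 'SortByPageVersion');
        foreach ($parts as $pageinfo) {
            SavePage($request, $pageinfo, sprintf(_("MIME file %s"), $filename), $basename);
        }
        return;
    }

    // NOTE(review): ParseSerializedPage() is defined elsewhere. If it calls
    // unserialize() on $text, only trusted dumps may reach this branch - confirm.
    $pageinfo = ParseSerializedPage($text, $default_pagename, $request->getUser());
    if ($pageinfo) {
        SavePage($request, $pageinfo, sprintf(_("Serialized file %s"), $filename), $basename);
        return;
    }

    // Assume plain text file: strip trailing blanks and CRs from every line and
    // record the current user as the author.
    $user = $request->getUser();
    $pageinfo = array(
        'pagename' => $default_pagename,
        'pagedata' => array(),
        'versiondata' => array('author' => $user->getId()),
        'content' => preg_replace('/[ \\t\\r]*\\n/', "\n", chop($text)),
    );
    SavePage($request, $pageinfo, sprintf(_("plain file %s"), $filename), $basename);
}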
Beispiel #2
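/**
 * Import a single file into the wiki.
 *
 * The text is tried as a MIME page dump first, then as a serialized page, and is
 * finally stored as a plain-text page named after the file. A MIME dump with more
 * than one part is saved with the 'overwrite' request argument forced on; the
 * caller's own value is put back afterwards.
 *
 * Security alert! config.ini must never be imported into the wiki (or from a
 * sister wiki), because the SQL passwords are stored there in plaintext and the
 * web server must be able to read that file. Detected by Santtu Jarvi.
 * The refusal is a name-based deny rule. It is applied case-insensitively to the
 * name as given and to its canonical path. Callers that take file names from
 * users should additionally confine imports to a dedicated directory.
 *
 * @param object      $request  Request object; getArg(), setArg() and getUser() are
 *                              used here and the object is handed on to SavePage().
 * @param string      $filename Name of the file to import. It is passed to PHP's
 *                              stream layer, so any enabled stream wrapper is honoured.
 * @param string|bool $text     File contents if already available; anything that is
 *                              not a string makes the function read $filename itself.
 * @param int|bool    $mtime    Modification time; defaults to the file's mtime or now.
 *                              NOTE(review): not forwarded anywhere in this function.
 * @return void
 */
function LoadFile(&$request, $filename, $text = false, $mtime = false)
{
    // Match the deny rule against the literal name and, when the file exists,
    // against its canonical form, so the result does not depend on how the path
    // happens to be spelled.
    $candidates = array($filename);
    $canonical = realpath($filename);
    if ($canonical !== false) {
        $candidates[] = $canonical;
    }
    foreach ($candidates as $candidate) {
        if (preg_match('/config$/i', dirname($candidate)) && preg_match('/config.*\.ini/i', basename($candidate))) {
            trigger_error(sprintf("Refused to load %s", $filename), E_USER_WARNING);
            return;
        }
    }

    if (!is_string($text)) {
        // Read the file. A failed read stops the import here; otherwise an
        // unreadable source would end up being saved as an empty page.
        $text = file_get_contents($filename);
        if ($text === false) {
            trigger_error(sprintf("Cannot read %s", $filename), E_USER_WARNING);
            return;
        }
        $stat = stat($filename);
        $mtime = is_array($stat) ? $stat[9] : false;
    }

    // Debug sessions get a longer time budget.
    @set_time_limit($request->getArg('start_debug') ? 240 : 30);

    // FIXME: basename("filewithnoslashes") seems to return garbage sometimes.
    $basename = basename("/dummy/" . $filename);
    if (!$mtime) {
        $mtime = time();
    }
    // Last resort: the page name is derived from the file name.
    // DONE: check source - target charset for content and pagename
    // but only for pgsrc'ed content, not from the browser.
    $default_pagename = rawurldecode($basename);

    $parts = ParseMimeifiedPages($text);
    if ($parts) {
        $multipart = count($parts) > 1;
        // Remember the caller's choice so it can be restored after the loop.
        $overwrite = $multipart ? $request->getArg('overwrite') : null;
        usort($parts, 'SortByPageVersion');
        foreach ($parts as $pageinfo) {
            if ($multipart) {
                // Force overwrite: every part is saved regardless of what the
                // request originally asked for.
                $request->setArg('overwrite', 1);
            }
            SavePage($request, $pageinfo, sprintf(_("MIME file %s"), $filename), $basename);
        }
        if ($multipart) {
            if ($overwrite) {
                $request->setArg('overwrite', $overwrite);
            } else {
                // NOTE(review): reaches into the request's _args array directly;
                // the forced flag would otherwise stay set for later imports.
                unset($request->_args['overwrite']);
            }
        }
        return;
    }

    // NOTE(review): ParseSerializedPage() is defined elsewhere. If it calls
    // unserialize() on $text, only trusted dumps may reach this branch - confirm.
    $pageinfo = ParseSerializedPage($text, $default_pagename, $request->getUser());
    if ($pageinfo) {
        SavePage($request, $pageinfo, sprintf(_("Serialized file %s"), $filename), $basename);
        return;
    }

    // Plain old file. The source is taken to be UTF-8 and is converted when the
    // wiki's target charset differs.
    $user = $request->getUser();
    $file_charset = 'utf-8';
    if ($file_charset !== strtolower($GLOBALS['charset'])) {
        $text = charset_convert($file_charset, $GLOBALS['charset'], $text);
        $default_pagename = charset_convert($file_charset, $GLOBALS['charset'], $default_pagename);
    }
    // Strip trailing blanks and CRs from every line and record the current user
    // as the author.
    $pageinfo = array(
        'pagename' => $default_pagename,
        'pagedata' => array(),
        'versiondata' => array('author' => $user->getId()),
        'content' => preg_replace('/[ \\t\\r]*\\n/', "\n", chop($text)),
    );
    SavePage($request, $pageinfo, sprintf(_("plain file %s"), $filename), $basename);
}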