} // if not allowedtoedit then userid is $USR now, so stop undo actions
// NOTE(review): excerpt of a profile-edit script; the conditionals enclosing this
// span open before and continue after it. $editing, $adding, $userid and $file are
// set outside this excerpt.
check_for_csrf("undo"); // perform undo -- nonce check precedes every state change below
// undo add new user
if (isset($_GET['new'])) {
    delete_file(GSUSERSPATH . $file);
    redirect('profile.php?success=' . urlencode(strip_tags(sprintf(i18n_r('ER_HASBEEN_DEL'), $userid))));
}
// undo edit user
restore_datafile(GSUSERSPATH . $file);
// $userid is placed in the query string unencoded; _id() presumably restricts it to
// a safe identifier -- confirm.
redirect('profile.php?upd=profile-restored&userid=' . $userid);
}
# was the form submitted?
if (isset($_POST['submitted']) && isset($_POST['user'])) {
    check_for_csrf("save_profile");
    do {
        // if editing and post userid not match get userid
        // @todo perhaps use nonce here instead
        // Rejects a POST whose user id differs from the one the page was opened for.
        if ($editing && $userid !== _id($_POST['user'])) {
            $error = i18n_r('ER_REQ_PROC_FAIL');
            break;
        }
        $userid = _id($_POST['user']);
        $file = $userid . '.xml';
        // NOTE(review): path_is_safe() is used here as an existence check (per the
        // inline comment); confirm it returns false for a missing file, otherwise every
        // add is rejected.
        if ($adding && path_is_safe(GSUSERSPATH . $file, GSUSERSPATH)) {
            $error = i18n_r('INVALID_USER'); // user already exists
            break;
        }
        // Keep the target directory inside GSUSERSPATH before any write.
        if (!path_is_safe(dirname(GSUSERSPATH . $file), GSUSERSPATH, true)) {
* Theme
*
* @package GetSimple
* @subpackage Theme
*/
# setup inclusions
$load['plugin'] = true;
include 'inc/common.php';
login_cookie_check(); // admin session required for everything below
# variable settings
$path = GSDATAOTHERPATH;
$file = GSWEBSITEFILE;
$theme_options = '';
# was the form submitted?
if (isset($_POST['submitted']) && isset($_POST['template'])) {
    check_for_csrf("activate"); // nonce check before any file is touched
    # get passed value from form
    $newTemplate = var_in($_POST['template']);
    // The submitted theme name must resolve to a path inside GSTHEMESPATH;
    // a bad value terminates the request silently (no message, no redirect).
    if (!path_is_safe(GSTHEMESPATH . $newTemplate, GSTHEMESPATH)) {
        die;
    }
    # backup old GSWEBSITEFILE (website.xml) file
    $bakpath = GSBACKUPSPATH . getRelPath(GSDATAOTHERPATH, GSDATAPATH); // backups/other/
    createBak($file, $path, $bakpath);
    # udpate GSWEBSITEFILE (website.xml) file with new theme
    // Rebuilds website.xml from the current globals; $SITENAME/$SITEURL come from
    // outside this excerpt (presumably loaded by common.php).
    $xml = new SimpleXMLExtended('<item></item>');
    $note = $xml->addChild('SITENAME');
    $note->addCData($SITENAME);
    $note = $xml->addChild('SITEURL');
    $note->addCData($SITEURL);
$p = $_GET['p'];
} else {
    redirect('backups.php?upd=bak-err');
}
// NOTE(review): $id and $draft are established before this excerpt; whether $id
// was path-checked is not visible here.
if ($p == 'delete') { // deleting page backup
    check_for_csrf("delete", "backup-edit.php");
    if ($draft) {
        $status = delete_draft_backup($id) ? 'success' : 'err';
    } else {
        $status = delete_page_backup($id) ? 'success' : 'err';
    }
    redirect("backups.php?upd=bak-" . $status . "&id=" . $id);
} elseif ($p == 'restore') { // restoring page backup
    check_for_csrf("restore", "backup-edit.php");
    $redirect = ""; // not used within this excerpt
    if ($draft) {
        restore_draft($id); // restore old slug file
        // generate_sitemap(); // regenerates sitemap, we do not need to do this for drafts.
        $success = exec_action('draft-restore'); // @hook draft-restore fired when a draft is restored
        redirect("edit.php?id=" . $id . "&upd-draft&upd=edit-success&type=restore");
    }
    if (isset($_GET['new'])) {
        // NOTE(review): $newid is taken verbatim from the query string and handed to
        // changeChildParents() with no check in this excerpt -- the author's @todo below
        // still stands; validate it the same way $id is validated before use.
        $newid = $_GET['new']; // @todo traversal protect $newid
        // restore page by old slug id
        changeChildParents($newid, $id); // update parents and children
}
if (sizeof($errors) != 0) {
    // Ajax callers get a bare 403 with the localized message as body.
    if (requestIsAjax()) {
        header("HTTP/1.0 403");
        i18n('ERROR_UPLOAD');
        die;
    }
    // NOTE(review): this assigns rather than appends, so only the last message in
    // $errors is displayed; `$error .= $msg . '<br />';` is presumably intended.
    foreach ($errors as $msg) {
        $error = $msg . '<br />';
    }
}
}
}
// if creating new folder
// $allowcreatefolder, $path and $subFolder are set outside this excerpt.
if (isset($_GET['newfolder']) && $allowcreatefolder) {
    check_for_csrf("createfolder");
    $newfolder = $_GET['newfolder'];
    // check for invalid chars
    // The user-supplied name is reduced to a single path component: strippath(),
    // to7bit(), clean_url(), then basename() as a final guard against separators.
    $cleanname = clean_url(to7bit(strippath($newfolder), "UTF-8"));
    $cleanname = basename($cleanname);
    if (file_exists($path . $cleanname) || $cleanname == '') {
        $error = i18n_r('ERROR_FOLDER_EXISTS');
    } else {
        // Directory mode comes from the GSCHMOD define when set, else 0755.
        if (getDef('GSCHMOD')) {
            $chmod_value = GSCHMOD;
        } else {
            $chmod_value = 0755;
        }
        if (create_dir($path . $cleanname, $chmod_value)) {
            //create folder for thumbnails
            $thumbFolder = GSTHUMBNAILPATH . $subFolder . $cleanname;
$load['plugin'] = true;
// Include common.php
include 'inc/common.php';
login_cookie_check(); // downloads are admin-only
// disable this entirely if not enabled
if (getdef('GSALLOWDOWNLOADS', true) === false) {
    die(i18n('NOT_ALLOWED'));
}
# check if all variables are set
if (isset($_GET['file'])) {
    $file = removerelativepath($_GET['file']);
    // check that this file is safe to access
    // A file is served only if it resolves inside the zip backups dir or the uploads
    // dir; both checks are done on the already-normalised $file.
    $archivesafe = filepath_is_safe($file, GSBACKUPSPATH . DIRECTORY_SEPARATOR . 'zip'); // check for archives
    // Archive downloads additionally require a nonce; upload downloads do not.
    if ($archivesafe) {
        check_for_csrf("archive", "download.php");
    } // check archive nonce
    $filesafe = filepath_is_safe($file, GSDATAUPLOADPATH); // check for uploads
    if (!($filesafe || $archivesafe)) {
        die(i18n('NOT_ALLOWED'));
    } // file specified is non existant or LFI! WE DIE
    $extention = getFileExtension($file);
    // NOTE(review): $file is emitted unquoted in the header value; a name containing
    // spaces, quotes or ';' yields a malformed Content-disposition. Consider
    // `'filename="' . basename($file) . '"'` (PHP itself rejects CR/LF in headers).
    header("Content-disposition: attachment; filename=" . $file);
    # set content headers
    if ($extention == 'zip') {
        header("Content-type: application/octet-stream");
    } elseif ($extention == 'gz') {
        header("Content-type: application/x-gzip");
* @subpackage Page-Edit
*/
// Setup inclusions
$load['plugin'] = true;
// Include common.php
include 'inc/common.php';
login_cookie_check();
// Variable settings
$id = isset($_GET['id']) ? $_GET['id'] : null;
$ptype = isset($_GET['type']) ? $_GET['type'] : null;
$path = GSDATAPAGESPATH;
$counter = '0';
$table = '';
# clone attempt happening
if (isset($_GET['action']) && isset($_GET['id']) && $_GET['action'] == 'clone') {
    check_for_csrf("clone", "pages.php");
    # check to not overwrite
    // Picks the first free "<id>-<n>.xml" name by probing the pages directory.
    $count = 1;
    $newfile = GSDATAPAGESPATH . $_GET['id'] . "-" . $count . ".xml";
    if (file_exists($newfile)) {
        while (file_exists($newfile)) {
            $count++;
            $newfile = GSDATAPAGESPATH . $_GET['id'] . "-" . $count . ".xml";
        }
    }
    $newurl = $_GET['id'] . '-' . $count;
    # do the copy
    // NOTE(review): $_GET['id'] is concatenated into the copy() source path with no
    // filepath_is_safe() call visible in this excerpt, unlike the other admin scripts;
    // confirm it is validated earlier (e.g. in common.php) or add the check here.
    $status = copy($path . $_GET['id'] . '.xml', $path . $newurl . '.xml');
    if ($status) {
        $newxml = getXML($path . $newurl . '.xml');
        $newxml->url = $newurl;
* @subpackage Backups
* @link http://get-simple.info/docs/restore-page-backup
*/
// Setup inclusions
$load['plugin'] = true;
// Include common.php
include 'inc/common.php';
// Variable settings
login_cookie_check();
$path = GSBACKUPSPATH . getRelPath(GSDATAPAGESPATH, GSDATAPATH); // backups/pages/
$counter = '0';
$table = '';
// delete all backup files if the ?deleteall session parameter is set
// Destructive GET action: guarded by the nonce check below. The file list comes from
// the directory listing, not from the request, and is filtered to .bak files.
if (isset($_GET['deleteall'])) {
    check_for_csrf("deleteall");
    $filenames = getFiles($path);
    foreach ($filenames as $file) {
        if (file_exists($path . $file)) {
            if (isFile($file, $path, 'bak')) {
                unlink($path . $file); // return value not checked; success is reported regardless
            }
        }
    }
    $success = i18n_r('ER_FILE_DEL_SUC');
}
//display all page backups
$filenames = getFiles($path);
$count = "0";
$pagesArray_tmp = array();
$pagesSorted = array();
$update = 'flushcache-success';
}
# if the undo command was invoked
if (isset($_GET['undo'])) {
    check_for_csrf("undo"); // nonce check before restoring the backup
    # perform undo
    $bakpath = GSBACKUPSPATH . getRelPath(GSDATAOTHERPATH, GSDATAPATH); // backups/other/
    undo(GSWEBSITEFILE, GSDATAOTHERPATH, $bakpath);
    generate_sitemap();
    # redirect back to yourself to show the new restored data
    redirect('settings.php?upd=settings-restored');
}
# was the form submitted?
if (isset($_POST['submitted'])) {
    check_for_csrf("save_settings");
    # website-specific fields
    // Each field is only updated when present in the POST body, so a partial form
    // leaves the untouched settings as they were.
    if (isset($_POST['sitename'])) {
        // Stored already HTML-escaped (ENT_QUOTES, UTF-8).
        $SITENAME = htmlentities($_POST['sitename'], ENT_QUOTES, 'UTF-8');
    }
    if (isset($_POST['siteurl'])) {
        $SITEURL = tsl($_POST['siteurl']); // presumably only normalises the trailing slash -- verify
    }
    if (isset($_POST['permalink'])) {
        $PERMALINK = var_in(trim($_POST['permalink']));
    }
    if (isset($_POST['template'])) {
        // $TEMPLATE = $_POST['template'];
    }
    if (isset($_POST['prettyurls'])) {
        // NOTE(review): taken verbatim from POST; looks like a flag -- confirm how it
        // is consumed and whether it is escaped when written back to the form.
        $PRETTYURLS = $_POST['prettyurls'];
setcookie('gs_editor_theme', $themesave);
}
return;
}
$themepath = GSTHEMESPATH . tsl($template);
// prevent traversal
// $template and $template_file are set outside this excerpt.
if ($template_file != '' and !filepath_is_safe($themepath . $template_file, $themepath)) {
    die(i18n_r('INVALID_OPER'));
}
# if no template is selected, use the default
if ($template_file == '') {
    $template_file = GSTEMPLATEFILE;
}
# check for form submission
if (isset($_POST['submitsave'])) {
    check_for_csrf("save");
    # save edited template file
    $SavedFile = $_POST['edited_file'];
    // NOTE(review): get_magic_quotes_gpc() was removed in PHP 8.0 (undefined function);
    // on PHP 8 this line is fatal. The raw $_POST value is the only branch that matters there.
    $FileContents = get_magic_quotes_gpc() ? stripslashes($_POST['content']) : $_POST['content'];
    // prevent traversal
    // This check is the sole control keeping the write below inside GSTHEMESPATH;
    // the content itself is written verbatim, as the template editor intends.
    if (!filepath_is_safe(GSTHEMESPATH . $SavedFile, GSTHEMESPATH)) {
        die(i18n_r('INVALID_OPER'));
    }
    $fh = fopen(GSTHEMESPATH . $SavedFile, 'w') or die("can't open file");
    fwrite($fh, $FileContents);
    fclose($fh);
    // $SavedFile is embedded in the success message; whether it is escaped at output
    // is not visible here.
    $success = sprintf(i18n_r('TEMPLATE_FILE'), $SavedFile);
    if (isset($_POST['ajaxsave'])) {
        echo "<div>";
        include 'template/error_checking.php';
        // A fresh nonce is returned so the next ajax save passes check_for_csrf("save").
        echo '<input id="nonce" name="nonce" type="hidden" value="' . get_nonce("save") . '" />';
// $id is set outside this excerpt; the publish path only proceeds when it resolves
// to a file inside GSDATADRAFTSPATH.
if (!filepath_is_safe(GSDATADRAFTSPATH . $id . '.xml', GSDATADRAFTSPATH)) {
    $status = false;
} else {
    $status = publishDraft($id);
}
if ($status) {
    exec_action('draft-publish'); // @hook draft-publish a draft was published
    generate_sitemap(); // regenerates sitemap
}
redirect("pages.php?id=" . $id . "&upd=publish-" . ($status ? 'success' : 'error'));
die;
}
if (isset($_POST['submitted'])) {
    check_for_csrf("edit", "edit.php");
    // check for missing required fields
    // NOTE(review): $_POST['post-id'] is read here without isset(); it is only checked
    // further down when $postslug is derived.
    safemodefail('changedata-save', 'edit.php?id=' . $_POST['post-id']);
    if (!isset($_POST['post-title']) || trim($_POST['post-title']) == '') {
        // no title, throw CANNOT_SAVE_EMPTY
        // @todo this loses $id, we only get here if js is disabled
        redirect("edit.php?upd=edit-error&type=" . urlencode(i18n_r('CANNOT_SAVE_EMPTY')));
    }
    // flag for new page, true, false existing
    $pageIsNew = !isset($_POST['existing-url']) || trim($_POST['existing-url']) == '';
    // Old and new slugs are taken as posted (empty -> null); slug sanitisation is not
    // visible in this excerpt -- presumably done before the file write.
    $postslug = $oldslug = null;
    $oldslug = isset($_POST['existing-url']) && trim($_POST['existing-url']) !== '' ? $_POST['existing-url'] : null;
    $postslug = isset($_POST['post-id']) && trim($_POST['post-id']) !== '' ? $_POST['post-id'] : null;
    $slugHasChanged = !$pageIsNew && $oldslug !== $postslug; # flag, this edit changed the slug
    $overwrite = !$pageIsNew && !$slugHasChanged;
/**
 * Reset Password
 *
 * Resets the password for GetSimple control panel access
 *
 * @package GetSimple
 * @subpackage Login
 */
# setup inclusions
$load['plugin'] = true;
include 'inc/common.php';
// Unauthenticated endpoint by design (no login_cookie_check()); it can be disabled
// outright via the GSALLOWRESETPASS define.
if (getDef('GSALLOWRESETPASS', true) === false) {
    die;
}
if (isset($_POST['submitted'])) {
    check_for_csrf("reset_password");
    // Timing jitter, presumably applied before responding so that "user exists" and
    // "user missing" paths are harder to tell apart; the usleep is outside this excerpt.
    // rand() is adequate for jitter; it must not be the source of the new password.
    $randSleep = rand(250000, 2000000); // random sleep for .25 to 2 seconds
    if (isset($_POST['username']) and !empty($_POST['username'])) {
        # user filename
        $file = _id($_POST['username']) . '.xml';
        # get user information from existing XML file
        if (filepath_is_safe(GSUSERSPATH . $file, GSUSERSPATH) && file_exists(GSUSERSPATH . $file)) {
            $data = getXML(GSUSERSPATH . $file);
            $userid = strtolower($data->USR);
            $EMAIL = $data->EMAIL;
            // Only proceed when the posted name matches the stored USR exactly
            // (case-insensitively), not merely the normalised filename.
            if (strtolower($_POST['username']) === $userid) {
                # create new random password
                $random = createRandomPassword(); // generator not visible here -- confirm it is CSPRNG-backed
                // $random = '1234';
                # create backup
*/
// Setup inclusions
$load['plugin'] = true;
include 'inc/common.php';
login_cookie_check();
// Variable Settings
$log_name = isset($_GET['log']) ? $_GET['log'] : '';
$log_path = GSDATAOTHERPATH . 'logs/';
$log_file = $log_path . $log_name;
$whois_url = 'http://whois.arin.net/rest/ip/'; // plain http; only a link target as far as this excerpt shows
// filepath_is_safe returns false if file does nt exist
// The `!isset($log_name)` half is always false ($log_name is assigned above);
// only the filepath_is_safe() result matters, and it only sets $log_data.
if (!isset($log_name) || !filepath_is_safe($log_file, $log_path)) {
    $log_data = false;
}
// NOTE(review): the delete branch does not consult the path check above -- a failed
// filepath_is_safe() only suppresses reading, while unlink($log_file) still runs for
// any non-empty $log_name. Gate the delete on the same check, e.g.
// `if (... && strlen($log_name) > 0 && !isset($log_data))` or re-run
// filepath_is_safe() immediately before unlink().
if (isset($_GET['action']) && $_GET['action'] == 'delete' && strlen($log_name) > 0) {
    check_for_csrf("delete");
    unlink($log_file);
    exec_action('logfile_delete');
    redirect('log.php?success=' . urlencode('Log ' . $log_name . i18n_r('MSG_HAS_BEEN_CLR')));
}
if (!isset($log_data)) {
    $log_data = getXML($log_file);
}
$pagetitle = i18n_r('LOGS') . ' · ' . i18n_r('SUPPORT');
get_template('header');
?>
<?php include 'template/include-nav.php'; ?>
<?php
/**
 * Delete File
 *
 * Deletes Files based on what is passed to it
 *
 * @package GetSimple
 * @subpackage Delete-Files
 */
// Setup inclusions
$load['plugin'] = true;
// Include common.php
include 'inc/common.php';
login_cookie_check();
// One nonce check covers every delete branch in this script.
check_for_csrf("delete", "deletefile.php");
// are we deleting pages?
if (isset($_GET['id'])) {
    $id = $_GET['id'];
    // The home page can never be deleted (loose == comparison).
    if ($id == 'index') {
        redirect('pages.php?upd=edit-error&type=' . urlencode(i18n_r('HOMEPAGE_DELETE_ERROR')));
    } else {
        // NOTE(review): $id is passed as received to updateSlugs() and delete_file();
        // no path check is visible in this excerpt, so those helpers must constrain it
        // to the pages directory -- confirm.
        updateSlugs($id);
        $status = delete_file($id);
        generate_sitemap();
        exec_action('page-delete');
        // $status and $id are concatenated into the redirect URL unencoded.
        redirect("pages.php?upd=del-" . $status . "&id=" . $id . "&type=delete");
    }
}
// are we deleting archives?
if (isset($_GET['zip'])) {
// Title and value are written as CDATA; slug is written as a plain element.
$c_note = $components->addChild('title');
$c_note->addCData($comp['title']);
$components->addChild('slug', $comp['slug']);
$c_note = $components->addChild('value');
$c_note->addCData($comp['value']);
$count++;
}
}
exec_action('component-save');
XMLsave($xml, $path . $file);
$update = 'comp-success';
// redirect('components.php?upd=comp-success');
}
# if undo was invoked
if (isset($_GET['undo'])) {
    check_for_csrf("undo"); // nonce check before the backup is restored
    # perform the undo
    undo($file, $path, $bakpath);
    $update = 'comp-restored';
    // redirect('components.php?upd=comp-restored');
}
# create components form html
$data = getXML($path . $file);
$componentsec = $data->item;
$count = 0;
// $componentsec = subval_sort($data->item,'title'); // sorted on save probably not necessary at this time
if (count($componentsec) != 0) {
    foreach ($componentsec as $component) {
        // NOTE(review): $component->title is emitted into HTML through stripslashes()
        // only, and $component->slug is emitted raw; whether they were escaped on save
        // is not visible here -- confirm, or escape at output (htmlspecialchars).
        $table .= '<div class="compdiv codewrap" id="section-' . $count . '"><table class="comptable" ><tr><td><b title="' . i18n_r('DOUBLE_CLICK_EDIT') . '" class="comptitle editable">' . stripslashes($component->title) . '</b></td>';
        $table .= '<td style="text-align:right;" ><code><?php get_component(<span class="compslugcode">\'' . $component->slug . '\'</span>); ?></code></td><td class="delete" >';
        $table .= '<a href="javascript:void(0)" title="' . i18n_r('DELETE_COMPONENT') . ': ' . cl($component->title) . '?" class="delcomponent" rel="' . $count . '" >×</a></td></tr></table>';
* Displays and starts the website archives
*
* @package GetSimple
* @subpackage Backups
*/
// Setup inclusions
$load['plugin'] = true;
// Include common.php
include 'inc/common.php';
login_cookie_check();
exec_action('load-archive');
// Variable Settings
$table = '';
// if a backup needs to be created
if (isset($_GET['do'])) {
    check_for_csrf("create"); // nonce check before triggering the archive job
    exec_action('archive-backup'); // @hook archive-backup create backup archive requested
    // NOTE(review): $SESSIONHASH travels in the query string to zip.php, so it will
    // land in access logs and Referer headers; what zip.php does with it is not
    // visible here -- confirm it is not a reusable secret.
    redirect('zip.php?s=' . $SESSIONHASH);
}
// if a backup has just been created
if (isset($_GET['done'])) {
    $success = i18n_r('SUCC_WEB_ARCHIVE');
}
if (isset($_GET['nozip'])) {
    $error = i18n_r('NO_ZIPARCHIVE') . ' - <a href="health-check.php">' . i18n_r('WEB_HEALTH_CHECK') . '</a>';
}
$pagetitle = i18n_r('WEBSITE_ARCHIVES') . ' · ' . i18n_r('BAK_MANAGEMENT');
get_template('header');
?>