/** * Apply a basic filter * * @param string|array $var * @param bool $isNumeric * @return string|array */ public static function applyFilter($var, $isNumeric = false) { if (is_array($var)) { return array_map(__METHOD__, $var); } if (is_callable('COM_applyBasicFilter')) { $var = COM_applyBasicFilter($var); } else { // Simulate COM_applyBasicFilter $var = \GLText::remove4byteUtf8Chars($var); $var = strip_tags($var); if (is_callable('COM_killJS')) { $var = COM_killJS($var); // doesn't help a lot right now, but still ... } else { $var = preg_replace('/(\\s)+[oO][nN](\\w*) ?=/', '\\1in\\2=', $var); } if ($isNumeric) { // Note: PHP's is_numeric() accepts values like 4e4 as numeric if (!is_numeric($var) || preg_match('/^-?\\d+$/', $var) == 0) { $var = 0; } } else { $var = preg_replace('/\\/\\*.*/', '', $var); $var = explode("'", $var); $var = explode('"', $var[0]); $var = explode('`', $var[0]); $var = explode(';', $var[0]); $var = explode(',', $var[0]); $var = explode('\\', $var[0]); $var = $var[0]; } } return $var; }
/** * Apply basic filter if necessary * * @param string|array $value * @return string|array */ private function filter($value) { if ($this->applyFilter) { if (is_array($value)) { $value = array_map(array($this, 'filter'), $value); } else { $value = COM_applyBasicFilter($value); } } return $value; }
/** * Get an existing static page * * @param array args Contains all the data provided by the client * @param string &output OUTPUT parameter containing the returned text * @param string &svc_msg OUTPUT parameter containing any service messages * @return int Response code as defined in lib-plugins.php */ function service_get_staticpages($args, &$output, &$svc_msg) { global $_CONF, $_TABLES, $LANG_ACCESS, $LANG12, $LANG_STATIC, $LANG_LOGIN, $_SP_CONF; $output = ''; $svc_msg['output_fields'] = array('sp_hits', 'sp_format', 'owner_id', 'group_id', 'perm_owner', 'perm_group', 'perm_members', 'perm_anon', 'sp_help', 'sp_php', 'sp_inblock', 'commentcode'); if (empty($args['sp_id']) && !empty($args['id'])) { $args['sp_id'] = $args['id']; } if ($args['gl_svc']) { if (isset($args['sp_id'])) { $args['sp_id'] = COM_applyBasicFilter($args['sp_id']); } if (isset($args['mode'])) { $args['mode'] = COM_applyBasicFilter($args['mode']); } if (empty($args['sp_id'])) { $svc_msg['gl_feed'] = true; } else { $svc_msg['gl_feed'] = false; } } else { $svc_msg['gl_feed'] = false; } if (!$svc_msg['gl_feed']) { $page = ''; if (isset($args['sp_id'])) { $page = $args['sp_id']; } $mode = ''; if (isset($args['mode'])) { $mode = $args['mode']; } $error = 0; if ($page == '') { $error = 1; } $perms = SP_getPerms(); if (!empty($perms)) { $perms = ' AND ' . $perms; } $sql = "SELECT sp_title,sp_content,sp_hits,sp_date,sp_format," . "commentcode,sp_uid,owner_id,group_id,perm_owner,perm_group," . "perm_members,perm_anon,sp_tid,sp_help,sp_php," . "sp_inblock FROM {$_TABLES['staticpage']} " . "WHERE (sp_id = '{$page}') AND (sp_status = 1)" . $perms; $result = DB_query($sql); $count = DB_numRows($result); if ($count == 0 || $count > 1) { $error = 1; } if (!$error) { $output = DB_fetchArray($result, false); // WE ASSUME $output doesn't have any confidential fields if ($mode !== 'autotag') { $_CONF['pagetitle'] = $output['sp_title']; } } else { // an error occured (page not found, access denied, ...) if (empty($page)) { $failflg = 0; } else { $failflg = DB_getItem($_TABLES['staticpage'], 'sp_nf', "sp_id='{$page}'"); } if ($failflg) { if ($mode !== 'autotag') { $output = COM_siteHeader('menu'); } $output .= SEC_loginRequiredForm(); if ($mode !== 'autotag') { $output .= COM_siteFooter(); } } else { if ($mode !== 'autotag') { COM_404(); } } return PLG_RET_ERROR; } if ($args['gl_svc']) { // This date format is PHP 5 only, // but only the web-service uses the value $output['published'] = date('c', strtotime($output['sp_date'])); $output['updated'] = date('c', strtotime($output['sp_date'])); $output['id'] = $page; $output['title'] = $output['sp_title']; $output['category'] = array($output['sp_tid']); $output['content'] = $output['sp_content']; $output['content_type'] = 'html'; $output['author_name'] = DB_getItem($_TABLES['users'], 'username', 'uid=' . (int) $output['owner_id']); $output['link_edit'] = $page; } } else { $output = array(); $mode = ''; if (isset($args['mode'])) { $mode = $args['mode']; } $perms = SP_getPerms(); if (!empty($perms)) { $perms = ' AND ' . $perms; } $offset = 0; if (isset($args['offset'])) { $offset = COM_applyBasicFilter($args['offset'], true); } $max_items = $_SP_CONF['atom_max_items'] + 1; $limit = " LIMIT {$offset}, {$max_items}"; $order = " ORDER BY sp_date DESC"; $sql = "SELECT sp_id,sp_title,sp_content,sp_hits,sp_date,sp_format,owner_id," . "group_id,perm_owner,perm_group,perm_members,perm_anon,sp_tid,sp_help,sp_php," . "sp_inblock FROM {$_TABLES['staticpage']} WHERE (sp_status = 1)" . $perms . $order . $limit; $result = DB_query($sql); $count = 0; while (($output_item = DB_fetchArray($result, false)) !== false) { // WE ASSUME $output doesn't have any confidential fields $count += 1; if ($count == $max_items) { $svc_msg['offset'] = $offset + $_SP_CONF['atom_max_items']; break; } if ($args['gl_svc']) { // This date format is PHP 5 only, but only the web-service uses the value $output_item['published'] = date('c', strtotime($output_item['sp_date'])); $output_item['updated'] = date('c', strtotime($output_item['sp_date'])); $output_item['id'] = $output_item['sp_id']; $output_item['title'] = $output_item['sp_title']; $output_item['category'] = array($output_item['sp_tid']); $output_item['content'] = $output_item['sp_content']; $output_item['content_type'] = 'html'; $output_item['author_name'] = DB_getItem($_TABLES['users'], 'username', 'uid=' . (int) $output['owner_id']); } $output[] = $output_item; } } return PLG_RET_OK; }
/** * Get an existing static page * * @param array args Contains all the data provided by the client * @param string &output OUTPUT parameter containing the returned text * @param string &svc_msg OUTPUT parameter containing any service messages * @return int Response code as defined in lib-plugins.php */ function service_get_staticpages($args, &$output, &$svc_msg) { global $_CONF, $_TABLES, $LANG_ACCESS, $LANG12, $LANG_STATIC, $_SP_CONF; $output = ''; $svc_msg['output_fields'] = array('sp_hits', 'sp_format', 'draft_flag', 'owner_id', 'group_id', 'perm_owner', 'perm_group', 'perm_members', 'perm_anon', 'sp_help', 'sp_php', 'sp_inblock', 'commentcode'); if (empty($args['sp_id']) && !empty($args['id'])) { $args['sp_id'] = $args['id']; } if ($args['gl_svc']) { if (isset($args['sp_id'])) { $args['sp_id'] = COM_applyBasicFilter($args['sp_id']); } if (isset($args['mode'])) { $args['mode'] = COM_applyBasicFilter($args['mode']); } if (empty($args['sp_id'])) { $svc_msg['gl_feed'] = true; } else { $svc_msg['gl_feed'] = false; } } else { $svc_msg['gl_feed'] = false; } if (!$svc_msg['gl_feed']) { $page = ''; if (isset($args['sp_id'])) { $page = $args['sp_id']; } $mode = ''; if (isset($args['mode'])) { $mode = $args['mode']; } $error = 0; if ($page == '') { $error = 1; } $perms = SP_getPerms(); if (!SEC_hasRights('staticpages.edit')) { if (!empty($perms)) { $perms .= ' AND'; } $perms .= '(draft_flag = 0)'; } if (!empty($perms)) { $perms = ' AND ' . $perms; } $sql = array(); $sql['mysql'] = "SELECT sp_title,sp_page_title,sp_content,sp_hits,created,modified,sp_format," . "commentcode,meta_description,meta_keywords,template_flag,template_id,draft_flag," . "owner_id,group_id,perm_owner,perm_group," . "perm_members,perm_anon,sp_tid,sp_help,sp_php," . "sp_inblock FROM {$_TABLES['staticpage']} " . "WHERE (sp_id = '{$page}')" . $perms; $sql['mssql'] = "SELECT sp_title,sp_page_title," . "CAST(sp_content AS text) AS sp_content,sp_hits," . "created,modified,sp_format,commentcode," . "CAST(meta_description AS text) AS meta_description," . "CAST(meta_keywords AS text) AS meta_keywords,template_flag,template_id,draft_flag," . "owner_id,group_id,perm_owner,perm_group,perm_members," . "perm_anon,sp_tid,sp_help,sp_php,sp_inblock " . "FROM {$_TABLES['staticpage']} WHERE (sp_id = '{$page}')" . $perms; $sql['pgsql'] = "SELECT sp_title,sp_page_title,sp_content,sp_hits," . "created,modified,sp_format," . "commentcode,meta_description,meta_keywords,template_flag,template_id,draft_flag," . "owner_id,group_id,perm_owner,perm_group," . "perm_members,perm_anon,sp_tid,sp_help,sp_php," . "sp_inblock FROM {$_TABLES['staticpage']} " . "WHERE (sp_id = '{$page}')" . $perms; $result = DB_query($sql); $count = DB_numRows($result); if ($count == 0 || $count > 1) { $error = 1; } if (!$error) { $output = DB_fetchArray($result, false); // WE ASSUME $output doesn't have any confidential fields if ($output['template_id'] != '') { $retval = ''; $mode = ''; $xmlObject = simplexml_load_string($output['sp_content']); // create array of XML data $tag = array(); foreach ($xmlObject->variable as $variable) { $key = $variable["name"] . ''; $value = $variable->data; $tag[$key] = $value; } // Loop through variables to replace any autotags first foreach ($tag as &$value) { $value = PLG_replaceTags($value); } $args = array('sp_id' => $output['template_id'], 'mode' => $mode, 'gl_svc' => ''); $svc_msg = array(); if (PLG_invokeService('staticpages', 'get', $args, $retval, $svc_msg) == PLG_RET_OK) { $retval['sp_content'] = str_replace(array_keys($tag), array_values($tag), $retval['sp_content']); $output['sp_content'] = $retval['sp_content']; } } } else { // an error occured (page not found, access denied, ...) /** * if the user has edit permissions and the page does not exist, * send them to the editor so they can create it "wiki style" */ $create_page = false; if ($mode !== 'autotag' && $count == 0 && SEC_hasRights('staticpages.edit')) { // check again without permissions if (DB_count($_TABLES['staticpage'], 'sp_id', $page) == 0) { $url = $_CONF['site_admin_url'] . '/plugins/staticpages/index.php?mode=edit&sp_new_id=' . $page . '&msg=21'; $output = COM_refresh($url); $create_page = true; } } if (!$create_page) { if (empty($page)) { $failflg = 0; } else { $failflg = DB_getItem($_TABLES['staticpage'], 'sp_nf', "sp_id = '{$page}'"); } if ($failflg) { if ($mode !== 'autotag') { $output = COM_siteHeader('menu'); } $output .= SEC_loginRequiredForm(); if ($mode !== 'autotag') { $output .= COM_siteFooter(true); } } else { if ($mode !== 'autotag') { $output = COM_siteHeader('menu'); } $output .= COM_startBlock($LANG_ACCESS['accessdenied'], '', COM_getBlockTemplate('_msg_block', 'header')); $output .= $LANG_STATIC['deny_msg']; $output .= COM_endBlock(COM_getBlockTemplate('_msg_block', 'footer')); if ($mode !== 'autotag') { $output .= COM_siteFooter(true); } } } return PLG_RET_ERROR; } if ($args['gl_svc']) { // This date format is PHP 5 only, // but only the web-service uses the value $output['published'] = date('c', strtotime($output['created'])); $output['updated'] = date('c', strtotime($output['modified'])); $output['id'] = $page; $output['title'] = $output['sp_title']; $output['page_title'] = $output['sp_page_title']; $output['category'] = array($output['sp_tid']); $output['content'] = $output['sp_content']; $output['content_type'] = 'html'; $owner_data = SESS_getUserDataFromId($output['owner_id']); $output['author_name'] = $owner_data['username']; $output['link_edit'] = $page; } } else { $output = array(); $mode = ''; if (isset($args['mode'])) { $mode = $args['mode']; } $perms = SP_getPerms(); if (!empty($perms)) { $perms = ' WHERE ' . $perms; } $offset = 0; if (isset($args['offset'])) { $offset = COM_applyBasicFilter($args['offset'], true); } $max_items = $_SP_CONF['atom_max_items'] + 1; $limit = " LIMIT {$offset}, {$max_items}"; $order = " ORDER BY modified DESC"; $sql = array(); $sql['mysql'] = "SELECT sp_id,sp_title,sp_page_title,sp_content,sp_hits,created,modified,sp_format,meta_description,meta_keywords,template_flag,template_id,draft_flag,owner_id," . "group_id,perm_owner,perm_group,perm_members,perm_anon,sp_tid,sp_help,sp_php," . "sp_inblock FROM {$_TABLES['staticpage']}" . $perms . $order . $limit; $sql['mssql'] = "SELECT sp_id,sp_title,sp_page_title,CAST(sp_content AS text) AS sp_content,sp_hits," . "created,modified,sp_format,CAST(meta_description AS text) AS meta_description,CAST(meta_keywords AS text) AS meta_keywords,template_flag,template_id,draft_flag,owner_id,group_id,perm_owner,perm_group,perm_members," . "perm_anon,sp_tid,sp_help,sp_php,sp_inblock FROM {$_TABLES['staticpage']}" . $perms . $order . $limit; $sql['pgsql'] = "SELECT sp_id,sp_title,sp_page_title,sp_content,sp_hits,created,modified,sp_format,meta_description,meta_keywords,template_flag,template_id,draft_flag,owner_id," . "group_id,perm_owner,perm_group,perm_members,perm_anon,sp_tid,sp_help,sp_php," . "sp_inblock FROM {$_TABLES['staticpage']}" . $perms . $order . $limit; $result = DB_query($sql); $count = 0; while (($output_item = DB_fetchArray($result, false)) !== false) { // WE ASSUME $output doesn't have any confidential fields $count += 1; if ($count == $max_items) { $svc_msg['offset'] = $offset + $_SP_CONF['atom_max_items']; break; } if ($args['gl_svc']) { // This date format is PHP 5 only, but only the web-service uses the value $output_item['published'] = date('c', strtotime($output_item['created'])); $output_item['updated'] = date('c', strtotime($output_item['modified'])); $output_item['id'] = $output_item['sp_id']; $output_item['title'] = $output_item['sp_title']; $output_item['page_title'] = $output_item['sp_page_title']; $output_item['category'] = array($output_item['sp_tid']); $output_item['content'] = $output_item['sp_content']; $output_item['content_type'] = 'html'; $owner_data = SESS_getUserDataFromId($output_item['owner_id']); $output_item['author_name'] = $owner_data['username']; } $output[] = $output_item; } } return PLG_RET_OK; }
/** * Get an existing story * * @param array args Contains all the data provided by the client * @param string &output OUTPUT parameter containing the returned text * @return int Response code as defined in lib-plugins.php */ function service_get_story($args, &$output, &$svc_msg) { global $_CONF, $_TABLES, $_USER; $output = array(); $retval = ''; if (!isset($_CONF['atom_max_stories'])) { $_CONF['atom_max_stories'] = 10; // set a resonable default } $svc_msg['output_fields'] = array('draft_flag', 'hits', 'numemails', 'comments', 'trackbacks', 'featured', 'commentcode', 'statuscode', 'expire_date', 'postmode', 'advanced_editor_mode', 'frontpage', 'owner_id', 'group_id', 'perm_owner', 'perm_group', 'perm_members', 'perm_anon'); if (empty($args['sid']) && !empty($args['id'])) { $args['sid'] = $args['id']; } if ($args['gl_svc']) { if (isset($args['mode'])) { $args['mode'] = COM_applyBasicFilter($args['mode']); } if (isset($args['sid'])) { $args['sid'] = COM_applyBasicFilter($args['sid']); } if (empty($args['sid'])) { $svc_msg['gl_feed'] = true; } else { $svc_msg['gl_feed'] = false; } } else { $svc_msg['gl_feed'] = false; } if (empty($args['mode'])) { $args['mode'] = 'view'; } if (!$svc_msg['gl_feed']) { $sid = $args['sid']; $mode = $args['mode']; $story = new Story(); $retval = $story->loadFromDatabase($sid, $mode); if ($retval != STORY_LOADED_OK) { $output = $retval; return PLG_RET_ERROR; } reset($story->_dbFields); while (list($fieldname, $save) = each($story->_dbFields)) { $varname = '_' . $fieldname; $output[$fieldname] = $story->{$varname}; } $output['username'] = $story->_username; $output['fullname'] = $story->_fullname; if ($args['gl_svc']) { if ($output['statuscode'] == STORY_ARCHIVE_ON_EXPIRE || $output['statuscode'] == STORY_DELETE_ON_EXPIRE) { // This date format is PHP 5 only, // but only the web-service uses the value $output['expire_date'] = date('c', $output['expire']); } $output['id'] = $output['sid']; $output['category'] = array($output['tid']); $output['published'] = date('c', $output['date']); $output['updated'] = date('c', $output['date']); if (empty($output['bodytext'])) { $output['content'] = $output['introtext']; } else { $output['content'] = $output['introtext'] . LB . '[page_break]' . LB . $output['bodytext']; } $output['content_type'] = $output['postmode'] == 'html' ? 'html' : 'text'; $owner_data = SESS_getUserDataFromId($output['owner_id']); $output['author_name'] = $owner_data['username']; $output['link_edit'] = $sid; } } else { $output = array(); $mode = $args['mode']; $sql = array(); if (isset($args['offset'])) { $offset = COM_applyBasicFilter($args['offset'], true); } else { $offset = 0; } $max_items = $_CONF['atom_max_stories'] + 1; $limit = " LIMIT {$offset}, {$max_items}"; $limit_pgsql = " LIMIT {$max_items} OFFSET {$offset}"; $order = " ORDER BY unixdate DESC"; $sql['mysql'] = "SELECT s.*, UNIX_TIMESTAMP(s.date) AS unixdate, UNIX_TIMESTAMP(s.expire) as expireunix, " . "u.username, u.fullname, u.photo, u.email, t.topic, t.imageurl " . "FROM {$_TABLES['stories']} AS s, {$_TABLES['users']} AS u, {$_TABLES['topics']} AS t " . "WHERE (s.uid = u.uid) AND (s.tid = t.tid)" . COM_getPermSQL('AND', $_USER['uid'], 2, 's') . $order . $limit; $sql['pgsql'] = "SELECT s.*, UNIX_TIMESTAMP(s.date) AS unixdate, UNIX_TIMESTAMP(s.expire) as expireunix, u.username, u.fullname, u.photo, u.email, t.topic, t.imageurl FROM stories s, users u, topics t WHERE (s.uid = u.uid) AND (s.tid = t.tid) FROM {$_TABLES['stories']} AS s, {$_TABLES['users']} AS u, {$_TABLES['topics']} AS t WHERE (s.uid = u.uid) AND (s.tid = t.tid)" . COM_getPermSQL('AND', $_USER['uid'], 2, 's') . $order . $limit_pgsql; $result = DB_query($sql); $count = 0; while (($story_array = DB_fetchArray($result, false)) !== false) { $count += 1; if ($count == $max_items) { $svc_msg['offset'] = $offset + $_CONF['atom_max_stories']; break; } $story = new Story(); $story->loadFromArray($story_array); // This access check is not strictly necessary $access = SEC_hasAccess($story_array['owner_id'], $story_array['group_id'], $story_array['perm_owner'], $story_array['perm_group'], $story_array['perm_members'], $story_array['perm_anon']); $story->_access = min($access, SEC_hasTopicAccess($story->_tid)); if ($story->_access == 0) { continue; } $story->sanitizeData(); reset($story->_dbFields); $output_item = array(); while (list($fieldname, $save) = each($story->_dbFields)) { $varname = '_' . $fieldname; $output_item[$fieldname] = $story->{$varname}; } if ($args['gl_svc']) { if ($output_item['statuscode'] == STORY_ARCHIVE_ON_EXPIRE || $output_item['statuscode'] == STORY_DELETE_ON_EXPIRE) { // This date format is PHP 5 only, // but only the web-service uses the value $output_item['expire_date'] = date('c', $output_item['expire']); } $output_item['id'] = $output_item['sid']; $output_item['category'] = array($output_item['tid']); $output_item['published'] = date('c', $output_item['date']); $output_item['updated'] = date('c', $output_item['date']); if (empty($output_item['bodytext'])) { $output_item['content'] = $output_item['introtext']; } else { $output_item['content'] = $output_item['introtext'] . LB . '[page_break]' . LB . $output_item['bodytext']; } $output_item['content_type'] = $output_item['postmode'] == 'html' ? 'html' : 'text'; $owner_data = SESS_getUserDataFromId($output_item['owner_id']); $output_item['author_name'] = $owner_data['username']; } $output[] = $output_item; } } return PLG_RET_OK; }
/** * Authenticates the user if authentication headers are present * * Our handling of the speedlimit here requires some explanation ... * Atompub clients will usually try to do everything without logging in first. * Since that would mean that we can't provide feeds for drafts, items with * special permissions, etc. we ask them to log in (PLG_RET_AUTH_FAILED). * That, however, means that every request from an Atompub client will count * as one failed login attempt. So doing a couple of requests in quick * succession will surely get the client blocked. Therefore * - a request without any login credentials counts as one failed login attempt * - a request with wrong login credentials counts as two failed login attempts * - if, after a successful login, we have only one failed attempt on record, * we reset the speedlimit * This still ensures that * - repeated failed logins (without or with invalid credentials) will cause the * client to be blocked eventually * - this can not be used for dictionary attacks * */ function WS_authenticate() { global $_CONF, $_TABLES, $_USER, $_GROUPS, $_RIGHTS, $WS_VERBOSE; $uid = ''; $username = ''; $password = ''; $status = -1; if (isset($_SERVER['PHP_AUTH_USER'])) { $username = COM_applyBasicFilter($_SERVER['PHP_AUTH_USER']); $password = $_SERVER['PHP_AUTH_PW']; if ($WS_VERBOSE) { COM_errorLog("WS: Attempting to log in user '{$username}'"); } /** this does not work! ******************************************************* } elseif (!empty($_SERVER['HTTP_X_WSSE']) && (strpos($_SERVER['HTTP_X_WSSE'], 'UsernameToken') !== false)) { // this is loosely based on a code snippet taken from Elgg (elgg.org) $wsse = str_replace('UsernameToken', '', $_SERVER['HTTP_X_WSSE']); $wsse = explode(',', $wsse); $username = ''; $pwdigest = ''; $created = ''; $nonce = ''; foreach ($wsse as $element) { $element = explode('=', $element); $key = array_shift($element); if (count($element) == 1) { $val = $element[0]; } else { $val = implode('=', $element); } $key = trim($key); $val = trim($val, "\x22\x27"); if ($key == 'Username') { $username = COM_applyBasicFilter($val); } elseif ($key == 'PasswordDigest') { $pwdigest = $val; } elseif ($key == 'Created') { $created = $val; } elseif ($key == 'Nonce') { $nonce = $val; } } if (!empty($username) && !empty($pwdigest) && !empty($created) && !empty($nonce)) { $uname = DB_escapeString($username); $pwd = DB_getItem($_TABLES['users'], 'passwd', "username = '******'"); // ... and here we would need the _unencrypted_ password if (!empty($pwd)) { $mydigest = pack('H*', sha1($nonce . $created . $pwd)); $mydigest = base64_encode($mydigest); if ($pwdigest == $mydigest) { $password = $pwd; } } } if ($WS_VERBOSE) { COM_errorLog("WS: Attempting to log in user '$username' (via WSSE)"); } ******************************************************************************/ } elseif (!empty($_SERVER['REMOTE_USER'])) { /* PHP installed as CGI may not have access to authorization headers of * Apache. In that case, use .htaccess to store the auth header as * explained at * http://wiki.geeklog.net/wiki/index.php/Webservices_API#Authentication */ list($auth_type, $auth_data) = explode(' ', $_SERVER['REMOTE_USER']); list($username, $password) = explode(':', base64_decode($auth_data)); $username = COM_applyBasicFilter($username); if ($WS_VERBOSE) { COM_errorLog("WS: Attempting to log in user '{$username}' (via \$_SERVER['REMOTE_USER'])"); } } else { if ($WS_VERBOSE) { COM_errorLog("WS: No login given"); } // fallthrough (see below) } COM_clearSpeedlimit($_CONF['login_speedlimit'], 'wsauth'); if (COM_checkSpeedlimit('wsauth', $_CONF['login_attempts']) > 0) { WS_error(PLG_RET_PERMISSION_DENIED, 'Speed Limit exceeded'); } if (!empty($username) && !empty($password)) { if ($_CONF['user_login_method']['3rdparty']) { // remote users will have to use username@servicename $u = explode('@', $username); if (count($u) > 1) { $sv = $u[count($u) - 1]; if (!empty($sv)) { $modules = SEC_collectRemoteAuthenticationModules(); foreach ($modules as $smod) { if (strcasecmp($sv, $smod) == 0) { array_pop($u); // drop the service name $uname = implode('@', $u); $status = SEC_remoteAuthentication($uname, $password, $smod, $uid); break; } } } } } if ($status == -1 && $_CONF['user_login_method']['standard']) { $status = SEC_authenticate($username, $password, $uid); } } if ($status == USER_ACCOUNT_ACTIVE) { $_USER = SESS_getUserDataFromId($uid); PLG_loginUser($_USER['uid']); // Global array of groups current user belongs to $_GROUPS = SEC_getUserGroups($_USER['uid']); // Global array of current user permissions [read,edit] $_RIGHTS = explode(',', SEC_getUserPermissions()); if ($_CONF['restrict_webservices']) { if (!SEC_hasRights('webservices.atompub')) { COM_updateSpeedlimit('wsauth'); if ($WS_VERBOSE) { COM_errorLog("WS: User '{$_USER['username']}' ({$_USER['uid']}) does not have permission to use the webservices"); } // reset user, groups, and rights, just in case ... $_USER = array(); $_GROUPS = array(); $_RIGHTS = array(); WS_error(PLG_RET_AUTH_FAILED); } } if ($WS_VERBOSE) { COM_errorLog("WS: User '{$_USER['username']}' ({$_USER['uid']}) successfully logged in"); } // if there were less than 2 failed login attempts, reset speedlimit if (COM_checkSpeedlimit('wsauth', 2) == 0) { if ($WS_VERBOSE) { COM_errorLog("WS: Successful login - resetting speedlimit"); } COM_resetSpeedlimit('wsauth'); } } else { COM_updateSpeedlimit('wsauth'); if (!empty($username) && !empty($password)) { COM_updateSpeedlimit('wsauth'); if ($WS_VERBOSE) { COM_errorLog("WS: Wrong login credentials - counting as 2 failed attempts"); } } elseif ($WS_VERBOSE) { COM_errorLog("WS: Empty login credentials - counting as 1 failed attempt"); } WS_error(PLG_RET_AUTH_FAILED); } }
/** * Filter parameters passed per GET (URL) or POST. * * @param string $parameter the parameter to test * @param boolean $isnumeric true if $parameter is supposed to be numeric * @return string the filtered parameter (may now be empty or 0) * @see COM_applyBasicFilter * */ function COM_applyFilter($parameter, $isnumeric = false) { $p = COM_stripslashes($parameter); return COM_applyBasicFilter($p, $isnumeric); }
$fid = COM_applyfilter($_GET['fid'], true); $op = COM_applyfilter($_GET['op']); COM_errorLog("Download.php - op:{$op}, uid:{$_USER['uid']}, fid:{$fid}"); if ($op == 'incoming') { if (!DB_count($_TABLES['nxfile_import_queue'], 'id', $fid)) { echo COM_refresh($_CONF['site_url'] . '?msg=1&plugin=nexfile'); exit; } } if ($op == 'download') { if (!DB_count($_TABLES['nxfile_files'], 'fid', $fid)) { echo COM_refresh($_CONF['site_url'] . '?msg=1&plugin=nexfile'); exit; } include_once $_CONF['path_system'] . 'classes/downloader.class.php'; $version = COM_applyBasicFilter($_GET['version'], true); if ($version > 0) { $query = DB_query("SELECT fname,ftype FROM {$_TABLES['nxfile_fileversions']} WHERE fid={$fid} AND version={$version}"); list($fname, $ftype) = DB_fetchARRAY($query); $cid = DB_getItem($_TABLES['nxfile_files'], "cid", "fid={$fid}"); } else { $query = DB_query("SELECT cid,fname,ftype,mimetype FROM {$_TABLES['nxfile_files']} WHERE fid={$fid}"); list($cid, $fname, $ftype, $mimetype) = DB_fetchARRAY($query); } // Make sure user has access if (!fm_getPermission($cid, 'view')) { echo COM_refresh($_CONF['site_url'] . '?msg=1&plugin=nexfile'); exit; } if ($ftype == "file") { $directory = $_FMCONF['storage_path'] . $cid . '/';
/** * This function will allow plugins to support the use of custom autolinks * in other site content. Plugins can now use this API when saving content * and have the content checked for any autolinks before saving. * The autolink would be like: [story:20040101093000103 here] * * @param string $content Content that should be parsed for autolinks * @param string $namespace Optional Namespace or plugin name collecting tag info * @param string $operation Optional Operation being performed * @param string $plugin Optional if you only want to parse using a specific plugin * */ function PLG_replaceTags($content, $namespace = '', $operation = '', $plugin = '') { global $_CONF, $_TABLES, $_BLOCK_TEMPLATE, $LANG32, $_AUTOTAGS, $mbMenu, $autoTagUsage; if (isset($_CONF['disable_autolinks']) && $_CONF['disable_autolinks'] == 1) { // autolinks are disabled - return $content unchanged return $content; } static $recursionCount = 0; if ($recursionCount > 5) { COM_errorLog("AutoTag infinite recursion detected on " . $namespace . " " . $operation); return $content; } $autolinkModules = PLG_collectTags(); $autoTagUsage = PLG_autoTagPerms(); if (!empty($namespace) && !empty($operation)) { $postFix = '.' . $namespace . '.' . $operation; } else { $postFix = ''; } // For each supported module, scan the content looking for any AutoLink tags $tags = array(); $contentlen = utf8_strlen($content); $content_lower = utf8_strtolower($content); foreach ($autolinkModules as $moduletag => $module) { $autotag_prefix = '[' . $moduletag . ':'; $offset = 0; $prev_offset = 0; while ($offset < $contentlen) { $start_pos = utf8_strpos($content_lower, $autotag_prefix, $offset); if ($start_pos === false) { break; } else { $end_pos = utf8_strpos($content_lower, ']', $start_pos); $next_tag = utf8_strpos($content_lower, '[', $start_pos + 1); if ($end_pos > $start_pos and ($next_tag === false or $end_pos < $next_tag)) { $taglength = $end_pos - $start_pos + 1; $tag = utf8_substr($content, $start_pos, $taglength); $parms = explode(' ', $tag); // Extra test to see if autotag was entered with a space // after the module name if (utf8_substr($parms[0], -1) == ':') { $startpos = utf8_strlen($parms[0]) + utf8_strlen($parms[1]) + 2; $label = str_replace(']', '', utf8_substr($tag, $startpos)); $tagid = $parms[1]; } else { $label = str_replace(']', '', utf8_substr($tag, utf8_strlen($parms[0]) + 1)); $parms = explode(':', $parms[0]); if (count($parms) > 2) { // whoops, there was a ':' in the tag id ... array_shift($parms); $tagid = implode(':', $parms); } else { $tagid = $parms[1]; } } $newtag = array('module' => $module, 'tag' => $moduletag, 'tagstr' => $tag, 'startpos' => $start_pos, 'length' => $taglength, 'parm1' => str_replace(']', '', $tagid), 'parm2' => $label); $tags[] = $newtag; } else { // Error: tags do not match - return with no changes return $content . $LANG32[32]; } $prev_offset = $offset; $offset = $end_pos; } } } // If we have found 1 or more AutoLink tag if (count($tags) > 0) { // Found the [tag] - Now process them all $recursionCount++; foreach ($tags as $autotag) { $permCheck = $autotag['tag'] . $postFix; if (empty($postFix) || !isset($autoTagUsage[$permCheck]) || $autoTagUsage[$permCheck] == 1) { $function = 'plugin_autotags_' . $autotag['module']; if ($autotag['module'] == 'glfusion' and (empty($plugin) or $plugin == 'glfusion')) { $url = ''; $linktext = $autotag['parm2']; if ($autotag['tag'] == 'story') { $autotag['parm1'] = COM_applyFilter($autotag['parm1']); $url = COM_buildUrl($_CONF['site_url'] . '/article.php?story=' . $autotag['parm1']); if (empty($linktext)) { $linktext = DB_getItem($_TABLES['stories'], 'title', "sid = '" . DB_escapeString($autotag['parm1']) . "'"); } } if (!empty($url)) { $filelink = COM_createLink($linktext, $url); $content = str_replace($autotag['tagstr'], $filelink, $content); } if ($autotag['tag'] == 'story_introtext') { $url = ''; $linktext = ''; USES_lib_story(); if (isset($_USER['uid']) && $_USER['uid'] > 1) { $result = DB_query("SELECT maxstories,tids,aids FROM {$_TABLES['userindex']} WHERE uid = {$_USER['uid']}"); $U = DB_fetchArray($result); } else { $U['maxstories'] = 0; $U['aids'] = ''; $U['tids'] = ''; } $sql = " (date <= NOW()) AND (draft_flag = 0)"; if (empty($topic)) { $sql .= COM_getLangSQL('tid', 'AND', 's'); } $sql .= COM_getPermSQL('AND', 0, 2, 's'); if (!empty($U['aids'])) { $sql .= " AND s.uid NOT IN (" . str_replace(' ', ",", $U['aids']) . ") "; } if (!empty($U['tids'])) { $sql .= " AND s.tid NOT IN ('" . str_replace(' ', "','", $U['tids']) . "') "; } $sql .= COM_getTopicSQL('AND', 0, 's') . ' '; $userfields = 'u.uid, u.username, u.fullname'; $msql = "SELECT STRAIGHT_JOIN s.*, UNIX_TIMESTAMP(s.date) AS unixdate, " . 'UNIX_TIMESTAMP(s.expire) as expireunix, ' . $userfields . ", t.topic, t.imageurl " . "FROM {$_TABLES['stories']} AS s, {$_TABLES['users']} AS u, " . "{$_TABLES['topics']} AS t WHERE s.sid = '" . $autotag['parm1'] . "' AND (s.uid = u.uid) AND (s.tid = t.tid) AND" . $sql; $result = DB_query($msql); $nrows = DB_numRows($result); if ($A = DB_fetchArray($result)) { $story = new Story(); $story->loadFromArray($A); $linktext = STORY_renderArticle($story, 'y'); } $content = str_replace($autotag['tagstr'], $linktext, $content); } if ($autotag['tag'] == 'showblock') { $blockName = COM_applyBasicFilter($autotag['parm1']); $result = DB_query("SELECT * FROM {$_TABLES['blocks']} WHERE name = '" . DB_escapeString($blockName) . "'" . COM_getPermSQL('AND')); if (DB_numRows($result) > 0) { $skip = 0; $B = DB_fetchArray($result); $template = ''; $side = ''; $px = explode(' ', trim($autotag['parm2'])); if (is_array($px)) { foreach ($px as $part) { if (substr($part, 0, 9) == 'template:') { $a = explode(':', $part); $template = $a[1]; $skip++; } elseif (substr($part, 0, 5) == 'side:') { $a = explode(':', $part); $side = $a[1]; $skip++; break; } } if ($skip != 0) { if (count($px) > $skip) { for ($i = 0; $i < $skip; $i++) { array_shift($px); } $caption = trim(implode(' ', $px)); } else { $caption = ''; } } } if ($template != '') { $_BLOCK_TEMPLATE[$blockName] = 'blockheader-' . $template . '.thtml,blockfooter-' . $template . '.thtml'; } if ($side == 'left') { $B['onleft'] = 1; } else { if ($side == 'right') { $B['onleft'] = 0; } } $linktext = COM_formatBlock($B); $content = str_replace($autotag['tagstr'], $linktext, $content); } else { $content = str_replace($autotag['tagstr'], '', $content); } } if ($autotag['tag'] == 'menu') { $menu = ''; $menuID = trim($autotag['parm1']); $menuHTML = displayMenu($menuID); $content = str_replace($autotag['tagstr'], $menuHTML, $content); } if (isset($_AUTOTAGS[$autotag['tag']])) { $content = autotags_autotag('parse', $content, $autotag); } } else { if (function_exists($function) and (empty($plugin) or $plugin == $autotag['module'])) { $content = $function('parse', $content, $autotag); } } } } $recursionCount--; } return $content; }
function fncSave($edt_flg, $navbarMenu, $menuno) { $pi_name = "userbox"; global $_CONF; global $_TABLES; global $_USER; global $_USERBOX_CONF; global $LANG_USERBOX_ADMIN; global $_FILES; $addition_def = DATABOX_getadditiondef($pi_name); $retval = ''; // clean 'em up $id = COM_applyFilter($_POST['id'], true); $fieldset_id = COM_applyFilter($_POST['fieldset'], true); //@@@@@ username fullname $username = COM_applyFilter($_POST['username']); $username = addslashes(COM_checkHTML(COM_checkWords($username))); $fullname = COM_applyFilter($_POST['fullname']); $fullname = addslashes(COM_checkHTML(COM_checkWords($fullname))); $page_title = COM_applyFilter($_POST['page_title']); $page_title = addslashes(COM_checkHTML(COM_checkWords($page_title))); $description = $_POST['description']; //COM_applyFilter($_POST['description']); $description = addslashes(COM_checkHTML(COM_checkWords($description))); $defaulttemplatesdirectory = COM_applyFilter($_POST['defaulttemplatesdirectory']); $defaulttemplatesdirectory = addslashes(COM_checkHTML(COM_checkWords($defaulttemplatesdirectory))); $draft_flag = COM_applyFilter($_POST['draft_flag'], true); // $hits =0; // $comments=0; $comment_expire_flag = COM_applyFilter($_POST['comment_expire_flag'], true); if ($comment_expire_flag) { $comment_expire_month = COM_applyFilter($_POST['comment_expire_month'], true); $comment_expire_day = COM_applyFilter($_POST['comment_expire_day'], true); $comment_expire_year = COM_applyFilter($_POST['comment_expire_year'], true); $comment_expire_hour = COM_applyFilter($_POST['comment_expire_hour'], true); $comment_expire_minute = COM_applyFilter($_POST['comment_expire_minute'], true); if ($comment_expire_ampm == 'pm') { if ($comment_expire_hour < 12) { $comment_expire_hour = $comment_expire_hour + 12; } } if ($comment_expire_ampm == 'am' and $comment_expire_hour == 12) { $comment_expire_hour = '00'; } } else { $comment_expire_month = 0; $comment_expire_day = 0; $comment_expire_year = 0; $comment_expire_hour = 0; $comment_expire_minute = 0; } $commentcode = COM_applyFilter($_POST['commentcode'], true); $trackbackcode = COM_applyFilter($_POST['trackbackcode'], true); $cache_time = COM_applyFilter($_POST['cache_time'], true); $meta_description = $_POST['meta_description']; $meta_description = addslashes(COM_checkHTML(COM_checkWords($meta_description))); $meta_keywords = $_POST['meta_keywords']; $meta_keywords = addslashes(COM_checkHTML(COM_checkWords($meta_keywords))); $language_id = COM_applyFilter($_POST['language_id']); $language_id = addslashes(COM_checkHTML(COM_checkWords($language_id))); $category = $_POST['category']; //@@@@@ $additionfields = $_POST['afield']; $additionfields_old = $_POST['afield']; $additionfields_fnm = $_POST['afield_fnm']; $additionfields_del = $_POST['afield_del']; $additionfields_alt = $_POST['afield_alt']; $additionfields_date = array(); $dummy = DATABOX_cleanaddtiondatas($additionfields, $addition_def, $additionfields_fnm, $additionfields_del, $additionfields_date, $additionfields_alt); // $owner_id = COM_applyFilter($_POST['owner_id'], true); $group_id = COM_applyFilter($_POST['group_id'], true); // $array['perm_owner'] = $_POST['perm_owner']; $array['perm_group'] = $_POST['perm_group']; $array['perm_members'] = $_POST['perm_members']; $array['perm_anon'] = $_POST['perm_anon']; if (is_array($array['perm_owner']) || is_array($array['perm_group']) || is_array($array['perm_members']) || is_array($array['perm_anon'])) { list($perm_owner, $perm_group, $perm_members, $perm_anon) = SEC_getPermissionValues($array['perm_owner'], $array['perm_group'], $array['perm_members'], $array['perm_anon']); } else { $perm_owner = COM_applyBasicFilter($array['perm_owner'], true); $perm_group = COM_applyBasicFilter($array['perm_group'], true); $perm_members = COM_applyBasicFilter($array['perm_members'], true); $perm_anon = COM_applyBasicFilter($array['perm_anon'], true); } //編集日付 $modified_autoupdate = COM_applyFilter($_POST['modified_autoupdate'], true); if ($modified_autoupdate == 1) { //$udate = date('Ymd'); $modified_month = date('m'); $modified_day = date('d'); $modified_year = date('Y'); $modified_hour = date('H'); $modified_minute = date('i'); } else { $modified_month = COM_applyFilter($_POST['modified_month'], true); $modified_day = COM_applyFilter($_POST['modified_day'], true); $modified_year = COM_applyFilter($_POST['modified_year'], true); $modified_hour = COM_applyFilter($_POST['modified_hour'], true); $modified_minute = COM_applyFilter($_POST['modified_minute'], true); $modified_ampm = COM_applyFilter($_POST['modified_ampm']); if ($modified_ampm == 'pm') { if ($modified_hour < 12) { $modified_hour = $modified_hour + 12; } } if ($modified_ampm == 'am' and $modified_hour == 12) { $modified_hour = '00'; } } //公開日 $released_month = COM_applyFilter($_POST['released_month'], true); $released_day = COM_applyFilter($_POST['released_day'], true); $released_year = COM_applyFilter($_POST['released_year'], true); $released_hour = COM_applyFilter($_POST['released_hour'], true); $released_minute = COM_applyFilter($_POST['released_minute'], true); if ($released_ampm == 'pm') { if ($released_hour < 12) { $released_hour = $released_hour + 12; } } if ($released_ampm == 'am' and $released_hour == 12) { $released_hour = '00'; } //公開終了日 $expired_flag = COM_applyFilter($_POST['expired_flag'], true); if ($expired_flag) { $expired_month = COM_applyFilter($_POST['expired_month'], true); $expired_day = COM_applyFilter($_POST['expired_day'], true); $expired_year = COM_applyFilter($_POST['expired_year'], true); $expired_hour = COM_applyFilter($_POST['expired_hour'], true); $expired_minute = COM_applyFilter($_POST['expired_minute'], true); if ($expired_ampm == 'pm') { if ($expired_hour < 12) { $expired_hour = $expired_hour + 12; } } if ($expired_ampm == 'am' and $expired_hour == 12) { $expired_hour = '00'; } } else { $expired_month = 0; $expired_day = 0; $expired_year = 0; $expired_hour = 0; $expired_minute = 0; } $created = COM_applyFilter($_POST['created_un']); $orderno = mb_convert_kana($_POST['orderno'], "a"); //全角英数字を半角英数字に変換する $orderno = COM_applyFilter($orderno, true); //$name = mb_convert_kana($name,"AKV"); //A:半角英数字を全角英数字に変換する //K:半角カタカナを全角カタカナに変換する //V:濁点つきの文字を1文字に変換する (K、H と共に利用する) //$name = str_replace ("'", "’",$name); //$code = mb_convert_kana($code,"a");//全角英数字を半角英数字に変換する //----- $type = 1; $uuid = $_USER['uid']; // CHECK はじめ $err = ""; //id if ($id == 0) { //$err.=$LANG_USERBOX_ADMIN['err_uid']."<br {XHTML}>".LB; } else { if (!is_numeric($id)) { $err .= $LANG_USERBOX_ADMIN['err_id'] . "<br {XHTML}>" . LB; } } //文字数制限チェック if (mb_strlen($description, 'UTF-8') > $_USERBOX_CONF['maxlength_description']) { $err .= $LANG_USERBOX_ADMIN['description'] . $_USERBOX_CONF['maxlength_description'] . $LANG_USERBOX_ADMIN['err_maxlength'] . "<br/>" . LB; } if (mb_strlen($meta_description, 'UTF-8') > $_USERBOX_CONF['maxlength_meta_description']) { $err .= $LANG_USERBOX_ADMIN['meta_description'] . $_USERBOX_CONF['maxlength_meta_description'] . $LANG_USERBOX_ADMIN['err_maxlength'] . "<br/>" . LB; } if (mb_strlen($meta_keywords, 'UTF-8') > $_USERBOX_CONF['maxlength_meta_keywords']) { $err .= $LANG_USERBOX_ADMIN['meta_keywords'] . $_USERBOX_CONF['maxlength_meta_keywords'] . $LANG_USERBOX_ADMIN['err_maxlength'] . "<br/>" . LB; } //----追加項目チェック $err .= DATABOX_checkaddtiondatas($additionfields, $addition_def, $pi_name, $additionfields_fnm, $additionfields_del, $additionfields_alt); //編集日付 $modified = $modified_year . "-" . $modified_month . "-" . $modified_day; if (checkdate($modified_month, $modified_day, $modified_year) == false) { $err .= $LANG_USERBOX_ADMIN['err_modified'] . "<br {XHTML}>" . LB; } $modified = COM_convertDate2Timestamp($modified_year . "-" . $modified_month . "-" . $modified_day, $modified_hour . ":" . $modified_minute . "::00"); //公開日 $released = $released_year . "-" . $released_month . "-" . $released_day; if (checkdate($released_month, $released_day, $released_year) == false) { $err .= $LANG_USERBOX_ADMIN['err_released'] . "<br {XHTML}>" . LB; } $released = COM_convertDate2Timestamp($released_year . "-" . $released_month . "-" . $released_day, $released_hour . ":" . $released_minute . "::00"); //コメント受付終了日時 if ($comment_expire_flag) { if (checkdate($comment_expire_month, $comment_expire_day, $comment_expire_year) == false) { $err .= $LANG_USERBOX_ADMIN['err_comment_expire'] . "<br {XHTML}>" . LB; } $comment_expire = COM_convertDate2Timestamp($comment_expire_year . "-" . $comment_expire_month . "-" . $comment_expire_day, $comment_expire_hour . ":" . $comment_expire_minute . "::00"); } else { $comment_expire = '0000-00-00 00:00:00'; //$comment_expire=""; } //公開終了日 if ($expired_flag) { if (checkdate($expired_month, $expired_day, $expired_year) == false) { $err .= $LANG_USERBOX_ADMIN['err_expired'] . "<br {XHTML}>" . LB; } $expired = COM_convertDate2Timestamp($expired_year . "-" . $expired_month . "-" . $expired_day, $expired_hour . ":" . $expired_minute . "::00"); if ($expired < $released) { $err .= $LANG_USERBOX_ADMIN['err_expired'] . "<br {XHTML}>" . LB; } } else { $expired = '0000-00-00 00:00:00'; //$expired=""; } //errorのあるとき if ($err != "") { $retval['title'] = $LANG_USERBOX_ADMIN['piname'] . $LANG_USERBOX_ADMIN['edit']; $retval['display'] = fncEdit($id, $edt_flg, 3, $err); return $retval; } // CHECK おわり if ($id == 0) { $w = DB_getItem($_TABLES['USERBOX_base'], "max(id)", "1=1"); if ($w == "") { $w = 0; } $id = $w + 1; $created_month = date('m'); $created_day = date('d'); $created_year = date('Y'); $created_hour = date('H'); $created_minute = date('i'); $created = COM_convertDate2Timestamp($created_year . "-" . $created_month . "-" . $created_day, $created_hour . ":" . $created_minute . "::00"); } $hits = 0; $comments = 0; $fields = "id"; $values = "{$id}"; $fields .= ",page_title"; // $values .= ",'{$page_title}'"; $fields .= ",description"; // $values .= ",'{$description}'"; $fields .= ",defaulttemplatesdirectory"; // $values .= ",'{$defaulttemplatesdirectory}'"; //$fields.=",hits";// //$values.=",$hits"; $fields .= ",comments"; // $values .= ",{$comments}"; $fields .= ",meta_description"; // $values .= ",'{$meta_description}'"; $fields .= ",meta_keywords"; // $values .= ",'{$meta_keywords}'"; $fields .= ",commentcode"; // $values .= ",{$commentcode}"; $fields .= ",trackbackcode"; // $values .= ",{$trackbackcode}"; $fields .= ",cache_time"; // $values .= ",{$cache_time}"; $fields .= ",comment_expire"; // if ($comment_expire == '0000-00-00 00:00:00') { $values .= ",'{$comment_expire}'"; } else { $values .= ",FROM_UNIXTIME('{$comment_expire}')"; } $fields .= ",language_id"; // $values .= ",'{$language_id}'"; $fields .= ",owner_id"; $values .= ",{$owner_id}"; $fields .= ",group_id"; $values .= ",{$group_id}"; $fields .= ",perm_owner"; $values .= ",{$perm_owner}"; $fields .= ",perm_group"; $values .= ",{$perm_group}"; $fields .= ",perm_members"; $values .= ",{$perm_members}"; $fields .= ",perm_anon"; $values .= ",{$perm_anon}"; $fields .= ",modified"; $values .= ",FROM_UNIXTIME('{$modified}')"; if ($created != "") { $fields .= ",created"; $values .= ",FROM_UNIXTIME('{$created}')"; } $fields .= ",expired"; if ($expired == '0000-00-00 00:00:00') { $values .= ",'{$expired}'"; } else { $values .= ",FROM_UNIXTIME('{$expired}')"; } $fields .= ",released"; $values .= ",FROM_UNIXTIME('{$released}')"; $fields .= ",orderno"; // $values .= ",{$orderno}"; $fields .= ",fieldset_id"; // $values .= ",{$fieldset_id}"; $fields .= ",uuid"; $values .= ",{$uuid}"; $fields .= ",draft_flag"; $values .= ",{$draft_flag}"; DB_save($_TABLES['USERBOX_base'], $fields, $values); //カテゴリ $rt = DATABOX_savecategorydatas($id, $category, $pi_name); //追加項目 DATABOX_uploadaddtiondatas($additionfields, $addition_def, $pi_name, $id, $additionfields_fnm, $additionfields_del, $additionfields_old, $additionfields_alt); $rt = DATABOX_saveaddtiondatas($id, $additionfields, $addition_def, $pi_name); //user (コアのテーブル) //kokoka $sql = "UPDATE " . $_TABLES['users'] . " SET "; $sql .= " fullname ='" . $fullname . "'"; $sql .= " WHERE uid=" . $id; DB_query($sql); $rt = fncsendmail('data', $id); $cacheInstance = 'userbox__' . $id . '__'; CACHE_remove_instance($cacheInstance); //exit;// debug 用 // if ($edt_flg){ // $return_page=$_CONF['site_url'] . "/".THIS_SCRIPT; // $return_page.="?id=".$id; // }else{ // $return_page=$_CONF['site_admin_url'] . '/plugins/'.THIS_SCRIPT.'?msg=1'; // } // return COM_refresh ($return_page); if ($_USERBOX_CONF['aftersave_admin'] === 'no') { $retval['title'] = $LANG_USERBOX_ADMIN['piname'] . $LANG_USERBOX_ADMIN['edit']; $retval['display'] .= fncEdit($id, $edt_flg, 1, ""); return $retval; } else { if ($_USERBOX_CONF['aftersave_admin'] === 'list') { $url = $_CONF['site_admin_url'] . "/plugins/{$pi_name}/profile.php"; $item_url = COM_buildURL($url); $target = 'item'; } else { $url = $_CONF['site_url'] . "/userbox/profile.php"; $url .= "?"; //コード使用の時 if ($_USERBOX_CONF['datacode']) { $url .= "code=" . $username; $url .= "&m=code"; } else { $url .= "id=" . $id; $url .= "&m=id"; } $item_url = COM_buildUrl($url); $target = $_USERBOX_CONF['aftersave_admin']; } } $return_page = PLG_afterSaveSwitch($target, $item_url, 'userbox', 1); echo $return_page; exit; }
/** * Get an existing static page * * @param array args Contains all the data provided by the client * @param string &output OUTPUT parameter containing the returned text * @param string &svc_msg OUTPUT parameter containing any service messages * @return int Response code as defined in lib-plugins.php */ function service_get_staticpages($args, &$output, &$svc_msg) { global $_CONF, $_TABLES, $LANG_ACCESS, $LANG12, $LANG_STATIC, $_SP_CONF, $topic; $output = ''; $svc_msg['output_fields'] = array('sp_hits', 'sp_format', 'draft_flag', 'cache_time', 'owner_id', 'group_id', 'perm_owner', 'perm_group', 'perm_members', 'perm_anon', 'sp_help', 'sp_php', 'sp_inblock', 'commentcode'); if (empty($args['sp_id']) && !empty($args['id'])) { $args['sp_id'] = $args['id']; } if ($args['gl_svc']) { if (isset($args['sp_id'])) { $args['sp_id'] = COM_applyBasicFilter($args['sp_id']); } if (isset($args['mode'])) { $args['mode'] = COM_applyBasicFilter($args['mode']); } if (empty($args['sp_id'])) { $svc_msg['gl_feed'] = true; } else { $svc_msg['gl_feed'] = false; } } else { $svc_msg['gl_feed'] = false; } if (!$svc_msg['gl_feed']) { $page = ''; if (isset($args['sp_id'])) { $page = $args['sp_id']; } $mode = ''; if (isset($args['mode'])) { $mode = $args['mode']; } $error = 0; if ($page == '') { $error = 1; } $perms = SP_getPerms(); if (!SEC_hasRights('staticpages.edit')) { if (!empty($perms)) { $perms .= ' AND'; } $perms .= '(draft_flag = 0)'; } if (!empty($perms)) { $perms = ' AND ' . $perms; } // Topic Permissions $topic_perms = COM_getTopicSQL('', 0, 'ta'); if ($topic_perms != "") { $topic_perms = " AND (" . $topic_perms . ""; if (COM_onFrontpage()) { $topic_perms .= " OR (ta.tid = '" . TOPIC_HOMEONLY_OPTION . "' OR ta.tid = '" . TOPIC_ALL_OPTION . "'))"; } else { // $topic_perms .= " OR ta.tid = '" . TOPIC_ALL_OPTION . "')"; $topic_perms .= " OR (ta.tid = '" . TOPIC_HOMEONLY_OPTION . "' OR ta.tid = '" . TOPIC_ALL_OPTION . "'))"; } } $topic_perms .= " GROUP BY sp_id"; $sql = array(); $sql['mysql'] = "SELECT sp_id,sp_title,sp_page_title,sp_content,sp_hits,created,modified,sp_format," . "commentcode,meta_description,meta_keywords,template_flag,template_id,draft_flag," . "owner_id,group_id,perm_owner,perm_group," . "perm_members,perm_anon,sp_help,sp_php,sp_inblock,cache_time " . "FROM {$_TABLES['staticpage']}, {$_TABLES['topic_assignments']} ta " . "WHERE (sp_id = '{$page}')" . $perms . " AND ta.type = 'staticpages' AND ta.id = sp_id " . $topic_perms; $sql['pgsql'] = "SELECT sp_id,sp_title,sp_page_title,sp_content,sp_hits," . "created,modified,sp_format," . "commentcode,meta_description,meta_keywords,template_flag,template_id,draft_flag," . "owner_id,group_id,perm_owner,perm_group," . "perm_members,perm_anon,sp_help,sp_php,sp_inblock,cache_time " . "sp_inblock FROM {$_TABLES['staticpage']}, {$_TABLES['topic_assignments']} ta " . "WHERE (sp_id = '{$page}')" . $perms . " AND ta.type = 'staticpages' AND ta.id = sp_id " . $topic_perms; $result = DB_query($sql); $count = DB_numRows($result); if ($count == 0 || $count > 1) { $error = 1; } if (!$error) { $output = DB_fetchArray($result, false); $page = $output['sp_id']; // reset page id so case mimics id perfectly since this affects the cache file and canonical link // WE ASSUME $output doesn't have any confidential fields // Generate output now (omly if not grabing a template since template is combined with variables first and then generated) if (!isset($args['template'])) { $output['sp_content'] = SP_render_content($page, $output['sp_content'], $output['sp_php'], $output['cache_time'], $output['template_id']); } } else { // an error occured (page not found, access denied, ...) /** * if the user has edit permissions and the page does not exist, * send them to the editor so they can create it "wiki style" */ $create_page = false; if ($mode !== 'autotag' && $count == 0 && SEC_hasRights('staticpages.edit')) { // check again without permissions if (DB_count($_TABLES['staticpage'], 'sp_id', $page) == 0) { $url = $_CONF['site_admin_url'] . '/plugins/staticpages/index.php?mode=edit&sp_new_id=' . $page . '&msg=21'; $output = COM_refresh($url); $create_page = true; } } if (!$create_page) { if (empty($page)) { $failflg = 0; } else { $failflg = DB_getItem($_TABLES['staticpage'], 'sp_nf', "sp_id = '{$page}'"); } if ($failflg) { $output .= SEC_loginRequiredForm(); if ($mode !== 'autotag') { $output = COM_createHTMLDocument($output, array('rightblock' => true)); } } else { if ($mode !== 'autotag') { COM_handle404(); } } } return PLG_RET_ERROR; } if ($args['gl_svc']) { // This date format is PHP 5 only, // but only the web-service uses the value $output['published'] = date('c', strtotime($output['created'])); $output['updated'] = date('c', strtotime($output['modified'])); $output['id'] = $page; $output['title'] = $output['sp_title']; $output['page_title'] = $output['sp_page_title']; $output['category'] = TOPIC_getTopicIdsForObject('staticpages', $page); $output['content'] = $output['sp_content']; $output['content_type'] = 'html'; $owner_data = SESS_getUserDataFromId($output['owner_id']); $output['author_name'] = $owner_data['username']; $output['link_edit'] = $page; } } else { $output = array(); $mode = ''; if (isset($args['mode'])) { $mode = $args['mode']; } $perms = SP_getPerms(); if (!empty($perms)) { $perms = ' WHERE ' . $perms; } $offset = 0; if (isset($args['offset'])) { $offset = COM_applyBasicFilter($args['offset'], true); } $max_items = $_SP_CONF['atom_max_items'] + 1; $limit = " LIMIT {$offset}, {$max_items}"; $order = " ORDER BY modified DESC"; $sql = array(); $sql['mysql'] = "SELECT sp_id,sp_title,sp_page_title,sp_content,sp_hits,created,modified,sp_format,meta_description,meta_keywords,template_flag,template_id,draft_flag,owner_id," . "group_id,perm_owner,perm_group,perm_members,perm_anon,sp_help,sp_php,sp_inblock,cache_time " . " FROM {$_TABLES['staticpage']}" . $perms . $order . $limit; $sql['pgsql'] = "SELECT sp_id,sp_title,sp_page_title,sp_content,sp_hits,created,modified,sp_format,meta_description,meta_keywords,template_flag,template_id,draft_flag,owner_id," . "group_id,perm_owner,perm_group,perm_members,perm_anon,sp_help,sp_php,sp_inblock,cache_time " . "FROM {$_TABLES['staticpage']}" . $perms . $order . $limit; $result = DB_query($sql); $count = 0; while (($output_item = DB_fetchArray($result, false)) !== false) { // WE ASSUME $output doesn't have any confidential fields $count++; if ($count == $max_items) { $svc_msg['offset'] = $offset + $_SP_CONF['atom_max_items']; break; } if ($args['gl_svc']) { // This date format is PHP 5 only, but only the web-service uses the value $output_item['published'] = date('c', strtotime($output_item['created'])); $output_item['updated'] = date('c', strtotime($output_item['modified'])); $output_item['id'] = $output_item['sp_id']; $output_item['title'] = $output_item['sp_title']; $output_item['page_title'] = $output_item['sp_page_title']; //$output_item['category'] = array($output_item['sp_tid']); $output_item['category'] = TOPIC_getTopicIdsForObject('staticpages', $page); //$output_item['content'] = $output_item['sp_content']; $output['content'] = SP_render_content($output['sp_id'], $output['sp_content'], $output['sp_php'], $output['cache_time'], $output['template_id']); $output_item['content_type'] = 'html'; $owner_data = SESS_getUserDataFromId($output_item['owner_id']); $output_item['author_name'] = $owner_data['username']; } $output[] = $output_item; } } return PLG_RET_OK; }
/** * Dispatch the client based on $_SERVER['PATH_INFO'] * * @return bool when not dispatched */ public static function dispatch() { global $_CONF, $_TABLES, $LANG_ROUTER; // URL rewrite is disabled if (!$_CONF['url_rewrite']) { return false; } // URL routing is not supported if (!isset($_CONF['url_routing'])) { return false; } $routingType = intval($_CONF['url_routing'], 10); // URL routing is disabled if ($routingType === self::ROUTING_DISABLED) { return false; } // $_SERVER['PATH_INFO'] is unavailable if (!isset($_SERVER['PATH_INFO']) || empty($_SERVER['PATH_INFO'])) { return false; } $pathInfo = COM_applyBasicFilter($_SERVER['PATH_INFO']); if (self::$debug) { COM_errorLog(__METHOD__ . ': PATH_INFO = ' . $pathInfo); } // Get request type switch ($_SERVER['REQUEST_METHOD']) { case 'GET': $method = self::HTTP_REQUEST_GET; break; case 'POST': $method = self::HTTP_REQUEST_POST; break; case 'PUT': $method = self::HTTP_REQUEST_PUT; break; case 'DELETE': $method = self::HTTP_REQUEST_DELETE; break; case 'HEAD': $method = self::HTTP_REQUEST_HEAD; break; default: // Unsupported method COM_errorLog(__METHOD__ . ': unknown HTTP request method "' . $_SERVER['REQUEST_METHOD'] . '" was supplied'); return false; } // Get routing rules and routes from database $sql = "SELECT * FROM {$_TABLES['routes']} WHERE method = " . DB_escapeString($method) . " ORDER BY priority "; $result = DB_query($sql); if (DB_error()) { COM_errorLog(__METHOD__ . ': ' . DB_error()); return false; } while (($A = DB_fetchArray($result, false)) !== false) { $rule = $A['rule']; $route = $A['route']; // Try simple comparison without placeholders if (strcasecmp($rule, $pathInfo) === 0) { $route = $_CONF['site_url'] . $route; if (self::$debug) { COM_errorLog(__METHOD__ . ': "' . $pathInfo . '"matched with simple comparison rule "' . $A['rule'] . '", converted into "' . $route . '"'); } header('Location: ' . $route); COM_errorLog(__METHOD__ . ': somehow could not redirect'); return false; } // Try comparison with placeholders if (preg_match_all(self::PLACEHOLDER_MATCH, $rule, $matches, PREG_SET_ORDER)) { // Escape a period and a question mark so that they can safely be used in a regular expression $rule = str_replace(array('.', '?'), array('\\.', '\\?'), $rule); $placeHolders = array(); // Replace placeholders in a rule with ones for regular expressions foreach ($matches as $match) { $placeHolders[] = $match[1]; $rule = str_replace($match[1], self::PLACEHOLDER_REPLACE, $rule); } $rule = '|\\A' . $rule . '\\z|i'; if (!preg_match($rule, $pathInfo, $values)) { continue; } array_shift($values); foreach ($values as $value) { if (preg_match(self::VALUE_MATCH, $value)) { $value = urlencode($value); } $placeHolder = array_shift($placeHolders); $route = str_replace($placeHolder, $value, $route); } if (strpos($route, '@') !== false && self::$debug) { COM_errorLog(sprintf('%s: %s. Rule (rid = %d) = %s, Route = %s', __METHOD__, @$LANG_ROUTER[15], $A['rid'], $A['rule'], $A['route'])); continue; } $route = $_CONF['site_url'] . $route; if (self::$debug) { COM_errorLog(__METHOD__ . ': "' . $pathInfo . '" matched with regular expression rule "' . $A['rule'] . '", converted into "' . $route . '"'); } header('Location: ' . $route); } } return false; }
/** * Filter parameters passed per GET (URL) or POST. * * @param string $parameter the parameter to test * @param boolean $isnumeric true if $parameter is supposed to be numeric * @return string the filtered parameter (may now be empty or 0) * */ function COM_applyFilter($parameter, $isnumeric = false) { $p = $parameter; return COM_applyBasicFilter($p, $isnumeric); }
/** * Apply basic filter if necessary * * @param $value * @return string */ private function filter($value) { return $this->applyFilter ? COM_applyBasicFilter($value) : $value; }
/** * Get an existing static page * * @param array args Contains all the data provided by the client * @param string &output OUTPUT parameter containing the returned text * @param string &svc_msg OUTPUT parameter containing any service messages * @return int Response code as defined in lib-plugins.php */ function service_get_staticpages($args, &$output, &$svc_msg) { global $_CONF, $_TABLES, $LANG_ACCESS, $LANG12, $LANG_STATIC, $LANG_LOGIN, $_SP_CONF; $output = ''; $svc_msg['output_fields'] = array('sp_hits', 'sp_format', 'owner_id', 'group_id', 'perm_owner', 'perm_group', 'perm_members', 'perm_anon', 'sp_help', 'sp_php', 'sp_inblock', 'commentcode'); if (empty($args['sp_id']) && !empty($args['id'])) { $args['sp_id'] = $args['id']; } if ($args['gl_svc']) { if (isset($args['sp_id'])) { $args['sp_id'] = COM_applyBasicFilter($args['sp_id']); } if (isset($args['mode'])) { $args['mode'] = COM_applyBasicFilter($args['mode']); } if (empty($args['sp_id'])) { $svc_msg['gl_feed'] = true; } else { $svc_msg['gl_feed'] = false; } } else { $svc_msg['gl_feed'] = false; } if (!$svc_msg['gl_feed']) { $page = ''; if (isset($args['sp_id'])) { $page = $args['sp_id']; } $mode = ''; if (isset($args['mode'])) { $mode = $args['mode']; } $error = 0; if ($page == '') { $error = 1; } $perms = SP_getPerms(); if (!empty($perms)) { $perms = ' AND ' . $perms; } $sql = array(); $sql['mysql'] = "SELECT sp_title,sp_content,sp_hits,sp_date,sp_format," . "commentcode,owner_id,group_id,perm_owner,perm_group," . "perm_members,perm_anon,sp_tid,sp_help,sp_php," . "sp_inblock FROM {$_TABLES['staticpage']} " . "WHERE (sp_id = '{$page}')" . $perms; $sql['mssql'] = "SELECT sp_title," . "CAST(sp_content AS text) AS sp_content,sp_hits," . "sp_date,sp_format,commentcode,owner_id,group_id," . "perm_owner,perm_group,perm_members,perm_anon,sp_tid," . "sp_help,sp_php,sp_inblock " . "FROM {$_TABLES['staticpage']} WHERE (sp_id = '{$page}')" . $perms; $result = DB_query($sql); $count = DB_numRows($result); if ($count == 0 || $count > 1) { $error = 1; } if (!$error) { $output = DB_fetchArray($result, false); // WE ASSUME $output doesn't have any confidential fields } else { // an error occured (page not found, access denied, ...) if (empty($page)) { $failflg = 0; } else { $failflg = DB_getItem($_TABLES['staticpage'], 'sp_nf', "sp_id='{$page}'"); } if ($failflg) { if ($mode !== 'autotag') { $output = COM_siteHeader('menu'); } $output .= COM_startBlock($LANG_LOGIN[1], '', COM_getBlockTemplate('_msg_block', 'header')); $login = new Template($_CONF['path_layout'] . 'submit'); $login->set_file(array('login' => 'submitloginrequired.thtml')); $login->set_var('login_message', $LANG_LOGIN[2]); $login->set_var('site_url', $_CONF['site_url']); $login->set_var('lang_login', $LANG_LOGIN[3]); $login->set_var('lang_newuser', $LANG_LOGIN[4]); $login->parse('output', 'login'); $output .= $login->finish($login->get_var('output')); $output .= COM_endBlock(COM_getBlockTemplate('_msg_block', 'footer')); if ($mode !== 'autotag') { $output .= COM_siteFooter(true); } } else { if ($mode !== 'autotag') { $output = COM_siteHeader('menu'); } $output .= COM_startBlock($LANG_ACCESS['accessdenied'], '', COM_getBlockTemplate('_msg_block', 'header')); $output .= $LANG_STATIC['deny_msg']; $output .= COM_endBlock(COM_getBlockTemplate('_msg_block', 'footer')); if ($mode !== 'autotag') { $output .= COM_siteFooter(true); } } return PLG_RET_ERROR; } if ($args['gl_svc']) { // This date format is PHP 5 only, // but only the web-service uses the value $output['published'] = date('c', strtotime($output['sp_date'])); $output['updated'] = date('c', strtotime($output['sp_date'])); $output['id'] = $page; $output['title'] = $output['sp_title']; $output['category'] = array($output['sp_tid']); $output['content'] = $output['sp_content']; $output['content_type'] = 'html'; $owner_data = SESS_getUserDataFromId($output['owner_id']); $output['author_name'] = $owner_data['username']; $output['link_edit'] = $page; } } else { $output = array(); $mode = ''; if (isset($args['mode'])) { $mode = $args['mode']; } $perms = SP_getPerms(); if (!empty($perms)) { $perms = ' WHERE ' . $perms; } $offset = 0; if (isset($args['offset'])) { $offset = COM_applyBasicFilter($args['offset'], true); } $max_items = $_SP_CONF['atom_max_items'] + 1; $limit = " LIMIT {$offset}, {$max_items}"; $order = " ORDER BY sp_date DESC"; $sql = array(); $sql['mysql'] = "SELECT sp_id,sp_title,sp_content,sp_hits,sp_date,sp_format,owner_id," . "group_id,perm_owner,perm_group,perm_members,perm_anon,sp_tid,sp_help,sp_php," . "sp_inblock FROM {$_TABLES['staticpage']}" . $perms . $order . $limit; $sql['mssql'] = "SELECT sp_id,sp_title,CAST(sp_content AS text) AS sp_content,sp_hits," . "sp_date,sp_format,owner_id,group_id,perm_owner,perm_group,perm_members," . "perm_anon,sp_tid,sp_help,sp_php,sp_inblock FROM {$_TABLES['staticpage']}" . $perms . $order . $limit; $result = DB_query($sql); $count = 0; while (($output_item = DB_fetchArray($result, false)) !== false) { // WE ASSUME $output doesn't have any confidential fields $count += 1; if ($count == $max_items) { $svc_msg['offset'] = $offset + $_SP_CONF['atom_max_items']; break; } if ($args['gl_svc']) { // This date format is PHP 5 only, but only the web-service uses the value $output_item['published'] = date('c', strtotime($output_item['sp_date'])); $output_item['updated'] = date('c', strtotime($output_item['sp_date'])); $output_item['id'] = $output_item['sp_id']; $output_item['title'] = $output_item['sp_title']; $output_item['category'] = array($output_item['sp_tid']); $output_item['content'] = $output_item['sp_content']; $output_item['content_type'] = 'html'; $owner_data = SESS_getUserDataFromId($output_item['owner_id']); $output_item['author_name'] = $owner_data['username']; } $output[] = $output_item; } } return PLG_RET_OK; }