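// Sign a user in from a POSTed username/password and issue the "auth" cookie.
//
// Reads $_POST "username" (max 50 chars, [a-z0-9], first char must be a
// letter) and "password" (max 50 chars) through http_post_string(), looks
// the user up in auth.user_list, checks the salted hash and then sets
//   exp=<YmdHis>&user=<user_id>&hash=<crypt_sha256(AUTH_KEY . rest)>
// as the cookie value before redirecting. Every failure path ends in die().
//
// $next_page  redirect target after a successful sign-in (default "/").
//             NOTE(review): it is written straight into a Location header;
//             if any caller fills it from request data that is an open
//             redirect - confirm callers only pass local paths.
// Globals: $AUTH_EXP (cookie lifetime in seconds), $AUTH_KEY (cookie MAC key).
function auth_sign_in($next_page = "/") {
	global $AUTH_EXP;
	global $AUTH_KEY;

	$username = http_post_string("username", array("len" => 50, "valid" => "[a-z][0-9]"));
	$password = http_post_string("password", array("len" => 50));
	if (!string_uses(substr($username, 0, 1), "[a-z]")) {
		die("invalid username [{$username}]");
	}

	// TODO(security): the two distinct failure messages below reveal whether a
	// username exists; collapse them into one generic sign-in failure message.
	$row = run_sql("select user_id, password, salt from auth.user_list where username = ?", array($username));
	if (count($row) === 0) {
		die("no such user [{$username}]");
	}

	// Stored scheme is crypt_sha256(password . salt). Compare with hash_equals()
	// so the check is constant-time and strict: the original `!=` was a loose
	// string comparison, which treats numeric-looking digests such as "0e1" and
	// "0e2" as equal.
	// NOTE(review): a single salted SHA-256 is not a password hash; moving to
	// password_hash()/password_verify() needs a matching change wherever the
	// stored hashes are written.
	$stored_hash = (string) $row[0]["password"];
	$computed_hash = (string) crypt_sha256($password . $row[0]["salt"]);
	if (!hash_equals($stored_hash, $computed_hash)) {
		die("wrong password");
	}

	$expire = time() + $AUTH_EXP;
	// user_id comes from the select above.
	$cookie = "exp=" . date("YmdHis", $expire) . "&user=" . $row[0]["user_id"];
	// NOTE(review): a secret-prefix sha256(KEY . data) tag is open to length
	// extension if crypt_sha256 is a raw SHA-256; hash_hmac('sha256', ...) is the
	// right construction, but the cookie verifier must change in lock-step.
	$cookie .= "&hash=" . crypt_sha256($AUTH_KEY . $cookie);
	// Path/domain/secure keep their defaults; httponly keeps the session token
	// out of reach of page scripts.
	setcookie("auth", $cookie, $expire, "", "", false, true);
	header("Location: {$next_page}");
	die;
}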
// GNU General Public License for more details. // // You should have received a copy of the GNU General Public License // along with Pipecode. If not, see <http://www.gnu.org/licenses/>. // include "feed.php"; if ($zid != $auth_zid) { die("not your page"); } $col = http_get_int("col"); if ($col < 0 || $col > 2) { die("invalid col [{$col}]"); } if (http_post()) { $fid = http_post_int("fid", array("required" => false)); $uri = http_post_string("uri", array("required" => false, "len" => 100, "valid" => "[a-z][A-Z][0-9]~@#\$%&()-_=+[];:,./?")); if ($fid == 0) { if ($uri == "") { die("no feed uri given"); } $fid = add_feed($uri); } if (!db_has_rec("feed", $fid)) { die("fid not found [{$fid}]"); } if (db_has_rec("feed_user", array("zid" => $auth_zid, "fid" => $fid))) { die("feed [{$fid}] is already on your page"); } $row = run_sql("select max(pos) as max_pos from feed_user where zid = ? and col = ?", array($auth_zid, $col)); $pos = $row[0]["max_pos"] + 1; $feed_user = array();
// (at your option) any later version. // // Pipecode is distributed in the hope that it will be useful, // but WITHOUT ANY WARRANTY; without even the implied warranty of // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the // GNU General Public License for more details. // // You should have received a copy of the GNU General Public License // along with Pipecode. If not, see <http://www.gnu.org/licenses/>. // include "mail.php"; if (http_post()) { $to = http_post_string("to", array("len" => 250, "valid" => "[a-z][A-Z][0-9]-_.<>@+ ")); $subject = http_post_string("subject", array("len" => 250, "valid" => "[ALL]")); $body = http_post_string("body", array("len" => 64000, "valid" => "[ALL]")); $in_reply_to = http_post_string("in_reply_to", array("required" => false, "len" => 250, "valid" => "[a-z][A-Z][0-9]-_.@+-")); send_web_mail($to, $subject, $body, $in_reply_to); header("Location: /mail/"); die; } $to = http_get_string("to", array("required" => false, "len" => 250, "valid" => "[a-z][A-Z][0-9]-_.<>@+ ")); $mid = http_get_int("mid", array("required" => false)); if ($mid > 0) { $message = db_get_rec("mail", $mid); $in_reply_to = $message["message_id"]; $to = $message["mail_from"]; $subject = $message["subject"]; if (substr($subject, 0, 4) != "Re: ") { $subject = "Re: {$subject}"; } } else {
// You should have received a copy of the GNU General Public License // along with Pipecode. If not, see <http://www.gnu.org/licenses/>. // include "clean.php"; include "story.php"; $sid = (int) $s2; if (!@$auth_user["editor"]) { die("you are not an editor"); } $story = db_get_rec("story", $sid); $pipe = db_get_rec("pipe", $story["pid"]); $zid = $pipe["zid"]; if (http_post()) { $title = http_post_string("title", array("len" => 100, "valid" => "[a-z][A-Z][0-9]`~!@#\$%^&*()_+-={}|[]\\:\";',./? ")); $body = http_post_string("story", array("len" => 64000, "valid" => "[ALL]")); $icon = http_post_string("icon", array("len" => 50, "valid" => "[a-z][0-9]-_")); $tid = http_post_int("tid"); $title = clean_entities($title); $new_body = str_replace("\n", "<br>", $body); $new_body = clean_html($new_body); if (http_post("publish")) { $story["tid"] = $tid; $story["title"] = $title; $story["ctitle"] = clean_url($title); $story["icon"] = $icon; $story["story"] = $new_body; db_set_rec("story", $story); header("Location: /story/{$sid}"); die; } } else {
writeln(' <td><table><tr><td>' . $question . '</td><td><input name="answer" type="text" style="margin-left: 8px; width: 100px"/></td></tr></table></td>'); writeln(' <td class="right"><input type="submit" value="Submit"/> <input name="preview" type="submit" value="Preview"/></td>'); writeln(' </tr>'); writeln('</table>'); writeln('</div>'); writeln('</form>'); writeln('</td>'); writeln('</tr>'); writeln('</table>'); print_footer(); } if (http_post()) { $title = http_post_string("title", array("len" => 100, "valid" => "[a-z][A-Z][0-9]`~!@#\$%^&*()_+-={}|[]\\:\";',./? ")); $body = http_post_string("story", array("len" => 64000, "valid" => "[ALL]")); $tid = http_post_int("tid"); $answer = http_post_string("answer", array("required" => false)); $time = time(); if (!captcha_verify($answer)) { die("captcha failed"); } $topic = db_get_rec("topic", $tid); $title = clean_entities($title); $new_body = str_replace("\n", "<br>", $body); $new_body = clean_html($new_body); if (http_post("preview")) { print_submit_box($title, $body, $new_body, $tid, true); die; } $pipe = array(); $pipe["pid"] = 0; $pipe["tid"] = $tid;
if (http_post()) { $server_name = http_post_string("server_name", array("len" => 50, "valid" => "[a-z][0-9]-.")); $server_title = http_post_string("server_title", array("len" => 50, "valid" => "[a-z][A-Z][0-9]- ")); $server_slogan = http_post_string("server_slogan", array("len" => 50)); $smtp_server = http_post_string("smtp_server", array("len" => 50, "valid" => "[a-z][0-9]-.")); $smtp_port = http_post_string("smtp_port", array("len" => 50, "valid" => "[0-9]")); $smtp_address = http_post_string("smtp_address", array("len" => 50, "valid" => "[a-z][0-9]-.@")); $smtp_username = http_post_string("smtp_username", array("len" => 50, "valid" => "[a-z][0-9]-.@")); $smtp_password = http_post_string("smtp_password", array("len" => 100)); $sql_server = http_post_string("sql_server", array("len" => 50, "valid" => "[a-z][0-9]-.")); $sql_user = http_post_string("sql_user", array("len" => 50, "valid" => "[a-z][0-9]")); $sql_pass = http_post_string("sql_pass", array("len" => 100)); $sql_database = http_post_string("sql_database", array("len" => 50, "valid" => "[a-z][0-9]")); $captcha_key = http_post_string("captcha_key", array("len" => 32, "required" => false, "valid" => "[a-z][0-9]")); $admin_username = http_post_string("admin_username", array("len" => 50, "valid" => "[a-z][0-9]")); $admin_password = http_post_string("admin_password", array("len" => 100)); $s = "<?\n"; $s .= "\n"; $s .= "\$server_name = \"{$server_name}\";\n"; $s .= "\$server_title = \"{$server_title}\";\n"; $s .= "\$server_slogan = \"{$server_slogan}\";\n"; $s .= "\n"; $s .= "\$smtp_server = \"{$smtp_server}\";\n"; $s .= "\$smtp_port = \"{$smtp_port}\";\n"; $s .= "\$smtp_address = \"{$smtp_address}\";\n"; $s .= "\$smtp_username = \"{$smtp_username}\";\n"; $s .= "\$smtp_password = \"{$smtp_password}\";\n"; $s .= "\n"; $s .= "\$sql_server = \"mysql:host={$sql_server};dbname={$sql_database}\";\n"; $s .= "\$sql_user = \"{$sql_user}\";\n"; $s .= "\$sql_pass = \"{$sql_pass}\";\n";
if ($password_1 != $password_2) { die("passwords do not match"); } $salt = crypt_sha256(rand()); $password = crypt_sha256("{$password_1}{$salt}"); $user_conf["password"] = $password; $user_conf["salt"] = $salt; db_set_conf("user_conf", $user_conf, $zid); db_del_rec("email_challenge", $verify); print_header("Password Reset"); writeln('<h1>Password Reset</h1>'); writeln('<p>Don\'t forget it this time!</p>'); print_footer(); die; } $username = http_post_string("username", array("len" => 20, "valid" => "[a-z][A-Z][0-9]")); $zid = strtolower($username) . "@{$site_name}"; if (!is_local_user($zid)) { die("no such user [{$zid}]"); } $user_conf = db_get_conf("user_conf", $zid); $hash = crypt_sha256(rand()); if (db_has_rec("email_challenge", array("username" => $username))) { db_del_rec("email_challenge", array("username" => $username)); } $email_challenge = array(); $email_challenge["challenge"] = $hash; $email_challenge["username"] = $username; $email_challenge["email"] = $user["email"]; $email_challenge["expires"] = time() + 86400 * 3; db_set_rec("email_challenge", $email_challenge);
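// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with Pipecode. If not, see <http://www.gnu.org/licenses/>.
//

// User preferences page. Only the page owner may edit it; a POST writes the
// submitted settings into user_conf for $auth_zid and redirects to /menu/.
// $zid, $auth_zid and $user_conf are set up before this point.
if ($zid !== $auth_zid) {
	die("not your page");
}

// Canonical list of time zone identifiers the posted value must match.
$zones = DateTimeZone::listIdentifiers(DateTimeZone::ALL);

if (http_post()) {
	$javascript_enabled = http_post_bool("javascript_enabled", array("numeric" => true));
	$time_zone = http_post_string("time_zone", array("len" => 50, "valid" => "[a-z][A-Z]-_/"));
	// NOTE(review): the "[0-9]-" whitelist accepts strings such as "1-2-"; if
	// these are meant to be integers, http_post_int would be the tighter check.
	$hide_threshold = http_post_string("hide_threshold", array("valid" => "[0-9]-"));
	$expand_threshold = http_post_string("expand_threshold", array("valid" => "[0-9]-"));
	$list_enabled = http_post_bool("list_enabled", array("numeric" => true));
	$real_name = http_post_string("real_name", array("len" => 50, "required" => false, "valid" => "[a-z][A-Z]- "));

	// Strict membership: the posted zone must be exactly one of the identifiers.
	if (!in_array($time_zone, $zones, true)) {
		die("invalid time zone [{$time_zone}]");
	}

	$user_conf["javascript_enabled"] = $javascript_enabled;
	$user_conf["time_zone"] = $time_zone;
	$user_conf["hide_threshold"] = $hide_threshold;
	$user_conf["expand_threshold"] = $expand_threshold;
	$user_conf["list_enabled"] = $list_enabled;
	$user_conf["real_name"] = $real_name;
	db_set_conf("user_conf", $user_conf, $auth_zid);

	header("Location: /menu/");
	die;
}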
// Pipecode is free software: you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by // the Free Software Foundation, either version 3 of the License, or // (at your option) any later version. // // Pipecode is distributed in the hope that it will be useful, // but WITHOUT ANY WARRANTY; without even the implied warranty of // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the // GNU General Public License for more details. // // You should have received a copy of the GNU General Public License // along with Pipecode. If not, see <http://www.gnu.org/licenses/>. // if (http_post()) { $username = http_post_string("username", array("len" => 20, "valid" => "[a-z][A-Z][0-9]")); $password = http_post_string("password", array("len" => 64, "valid" => "[KEYBOARD]")); $referer = http_get_string("referer", array("required" => false, "len" => 200, "valid" => "[a-z][A-Z][0-9].+-_/?&#=;~")); $zid = strtolower($username) . "@{$server_name}"; $user_conf = db_get_conf("user_conf", $zid); if ($user_conf["password"] != crypt_sha256($password . $user_conf["salt"])) { die("wrong password"); } $expire = time() + $auth_expire; $cookie = "expire={$expire}&zid={$zid}"; $cookie .= "&hash=" . crypt_sha256($auth_key . $cookie); setcookie("auth", $cookie, time() + $auth_expire, "/", ".{$server_name}"); if ($referer != "") { header("Location: {$referer}"); } else { header("Location: ./"); }
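// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with Pipecode. If not, see <http://www.gnu.org/licenses/>.
//

// Close-submission page for pipe $s2, editors only. A POST marks the pipe
// closed with a reason and redirects to it; otherwise the confirmation form
// is rendered (the form markup continues below this block).
$pid = $s2;
// $s2 is the path segment handed in by the router. Accept only a non-empty run
// of digits so the id is safe both as the record key and in the redirect
// Location below; the empty-string guard does not rely on string_uses()
// rejecting "".
if ((string) $pid === "" || !string_uses($pid, "[0-9]")) {
	die("invalid pid [{$pid}]");
}
if (!$auth_user["editor"]) {
	die("you are not an editor");
}

if (http_post()) {
	// The whitelist excludes < > & and the double quote but allows the single
	// quote; the page that renders "reason" must still HTML-escape it.
	$reason = http_post_string("reason", array("len" => 50, "valid" => "[a-z][A-Z][0-9]~!@#\$%^*()_+-=[]\\{}|;',./? "));
	$pipe = db_get_rec("pipe", $pid);
	if ($pipe["closed"]) {
		die("article already closed [{$pid}]");
	}
	$pipe["closed"] = 1;
	$pipe["editor"] = $auth_zid;
	$pipe["reason"] = $reason;
	db_set_rec("pipe", $pipe);
	header("Location: /pipe/{$pid}");
	die;
}

print_header("Close Submission");
writeln("<h1>Close Submission</h1>");
writeln('<form method="post">');
writeln('<p>Are you sure you want to close this submission? The article will no longer show in the pipe, voting will be disabled, and comments will be locked.</p>');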