/**
  * @group Core
  */
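 public function testSafeUnserialize()
 {
     // Checks that safe_unserialize()/safe_serialize() round-trip scalars and arrays like the
     // native functions do, and that every payload carrying a serialized object yields false.

     /*
      * serialize() uses its internal machine representation when floats are expressed in E-notation,
      * which may vary between php versions, OS, and hardware platforms
      */
     $testData = -5.0E+142;
     // intentionally disabled; this doesn't work
     //        $this->assertEquals( safe_serialize($testData), serialize($testData) );
     $this->assertEquals($testData, unserialize(safe_serialize($testData)));
     $this->assertSame($testData, safe_unserialize(safe_serialize($testData)));
     // round trip through the native serializer, compared as floats (no string cast here)
     $this->assertSame($testData, safe_unserialize(serialize($testData)));
     $unserialized = array('announcement' => true, 'source' => array(array('filename' => 'php-5.3.3.tar.bz2', 'name' => 'PHP 5.3.3 (tar.bz2)', 'md5' => '21ceeeb232813c10283a5ca1b4c87b48', 'date' => '22 July 2010'), array('filename' => 'php-5.3.3.tar.gz', 'name' => 'PHP 5.3.3 (tar.gz)', 'md5' => '5adf1a537895c2ec933fddd48e78d8a2', 'date' => '22 July 2010')), 'date' => '22 July 2010', 'version' => '5.3.3');
     $serialized = 'a:4:{s:12:"announcement";b:1;s:6:"source";a:2:{i:0;a:4:{s:8:"filename";s:17:"php-5.3.3.tar.bz2";s:4:"name";s:19:"PHP 5.3.3 (tar.bz2)";s:3:"md5";s:32:"21ceeeb232813c10283a5ca1b4c87b48";s:4:"date";s:12:"22 July 2010";}i:1;a:4:{s:8:"filename";s:16:"php-5.3.3.tar.gz";s:4:"name";s:18:"PHP 5.3.3 (tar.gz)";s:3:"md5";s:32:"5adf1a537895c2ec933fddd48e78d8a2";s:4:"date";s:12:"22 July 2010";}}s:4:"date";s:12:"22 July 2010";s:7:"version";s:5:"5.3.3";}';
     $this->assertSame($unserialized, unserialize($serialized));
     $this->assertEquals($serialized, serialize($unserialized));
     $this->assertSame($unserialized, safe_unserialize($serialized));
     $this->assertEquals($serialized, safe_serialize($unserialized));
     $this->assertSame($unserialized, safe_unserialize(safe_serialize($unserialized)));
     $this->assertEquals($serialized, safe_serialize(safe_unserialize($serialized)));

     // Object payloads: each of these must come back as false, whether or not the class exists.
     $a = 'O:31:"Test_Piwik_Cookie_Phantom_Class":0:{}';
     $this->assertFalse(safe_unserialize($a), "test: unserializing an object where class not (yet) defined");
     $a = 'O:28:"Test_Piwik_Cookie_Mock_Class":0:{}';
     $this->assertFalse(safe_unserialize($a), "test: unserializing an object where class is defined");
     $a = 'a:1:{i:0;O:28:"Test_Piwik_Cookie_Mock_Class":0:{}}';
     $this->assertFalse(safe_unserialize($a), "test: unserializing nested object where class is defined");
     $a = 'a:2:{i:0;s:4:"test";i:1;O:28:"Test_Piwik_Cookie_Mock_Class":0:{}}';
     $this->assertFalse(safe_unserialize($a), "test: unserializing another nested object where class is defined");
     // A private member is serialized as NUL + class name + NUL + property name; the two NUL
     // bytes are what make the declared length 34 (1 + 28 + 1 + 4). Without them the payload
     // is merely malformed and the object-rejection path is not what gets tested.
     $a = 'O:28:"Test_Piwik_Cookie_Mock_Class":1:{s:34:"' . "\0" . 'Test_Piwik_Cookie_Mock_Class' . "\0" . 'name";s:4:"test";}';
     $this->assertFalse(safe_unserialize($a), "test: unserializing object with member where class is defined");
     // arrays and objects cannot be used as keys, i.e., generates "Warning: Illegal offset type ..."
     $a = 'a:2:{i:0;a:0:{}O:28:"Test_Piwik_Cookie_Mock_Class":0:{}s:4:"test";';
     $this->assertFalse(safe_unserialize($a), "test: unserializing with illegal key");
 }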
/**
 * Plugin initialization.
 *
 * Loads the plugin language file, replaces the serialized 'oauth' entry of $conf with
 * its decoded value, queues admin-side warnings, and signs the provider out again when
 * the 'oauth_new_user' session variable is still set on the index page.
 */
function oauth_init()
{
    global $conf, $page, $hybridauth_conf, $template;

    load_language('plugin.lang', OAUTH_PATH);
    $conf['oauth'] = safe_unserialize($conf['oauth']);

    // Admin side: report missing credentials and a missing cURL extension.
    if (defined('IN_ADMIN')) {
        if (empty($hybridauth_conf)) {
            // No warning while the admin is already on the plugin's own page.
            if (strpos(@$_GET['page'], 'plugin-oAuth') === false) {
                $page['warnings'][] = sprintf(
                    '<a href="%s">%s</a>',
                    OAUTH_ADMIN,
                    l10n('Social Connect: You need to configure the credentials')
                );
            }
        }
        if (!function_exists('curl_init')) {
            $page['warnings'][] = l10n('Social Connect: PHP Curl extension is needed');
        }
    }

    // Aborted registration: only relevant on the index page with the session marker present.
    if (script_basename() != 'index') {
        return;
    }
    $oauth_id = pwg_get_session_var('oauth_new_user');
    if ($oauth_id === null) {
        return;
    }
    pwg_unset_session_var('oauth_new_user');

    if ($oauth_id[0] != 'Persona') {
        require_once OAUTH_PATH . 'include/hybridauth/Hybrid/Auth.php';
        try {
            $auth = new Hybrid_Auth($hybridauth_conf);
            $auth->getAdapter($oauth_id[0])->logout();
        } catch (Exception $e) {
            // Best effort: a provider logout that fails is deliberately ignored.
        }
        return;
    }

    // Persona is signed out in the browser through a footer script.
    oauth_assign_template_vars(get_gallery_home_url());
    $template->block_footer_script(null, 'navigator.id.logout();');
}
    /**
     * Stores the plugin configuration and creates the guestbook table if it is missing.
     *
     * A first install writes $this->default_conf. An existing configuration is decoded
     * with safe_unserialize(), completed with options it does not have yet, and saved again.
     */
    function install($plugin_version, &$errors = array())
    {
        global $conf;

        if (!empty($conf['guestbook'])) {
            $stored = safe_unserialize($conf['guestbook']);

            // The two guest permissions are back-filled together, keyed on the first one.
            if (!isset($stored['guest_can_view'])) {
                $stored['guest_can_view'] = true;
                $stored['guest_can_add'] = true;
            }
            if (!isset($stored['menu_link'])) {
                $stored['menu_link'] = true;
            }

            conf_update_param('guestbook', $stored, true);
        } else {
            conf_update_param('guestbook', $this->default_conf, true);
        }

        // The table name comes from $this->table, not from request data.
        $create_table = '
CREATE TABLE IF NOT EXISTS `' . $this->table . '` (
  `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
  `date` datetime NOT NULL DEFAULT "0000-00-00 00:00:00",
  `author` varchar(255) NOT NULL,
  `author_id` smallint(5) DEFAULT NULL,
  `anonymous_id` varchar(45) NOT NULL,
  `email` varchar(255) DEFAULT NULL,
  `website` varchar(255) DEFAULT NULL,
  `content` longtext NOT NULL,
  `rate` float(5,2) unsigned DEFAULT NULL,
  `validated` enum("true","false") NOT NULL DEFAULT "false",
  `validation_date` datetime DEFAULT NULL,
  PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8
;';
        pwg_query($create_table);
    }
 /**
  * Renders the one-click update result page from the posted 'error' and 'messages' values.
  *
  * Authentication is reloaded from the posted token and super user access is checked
  * before any posted value is read. 'messages' is decoded with safe_unserialize().
  */
 public function oneClickResults()
 {
     Piwik_API_Request::reloadAuthUsingTokenAuth($_POST);
     Piwik::checkUserIsSuperUser();

     $resultView = Piwik_View::factory('update_one_click_results');
     $resultView->coreError = Piwik_Common::getRequestVar('error', '', 'string', $_POST);

     // The messages arrive serialized in the POST body; undo the input sanitizing, then decode.
     $postedMessages = Piwik_Common::getRequestVar('messages', '', 'string', $_POST);
     $rawMessages = Piwik_Common::unsanitizeInputValue($postedMessages);
     $resultView->feedbackMessages = safe_unserialize($rawMessages);

     echo $resultView->render();
 }
 /**
  * Writes the 'sortorders' configuration: the defaults on a first install, otherwise
  * the stored value decoded with safe_unserialize() and saved back.
  */
 function install($plugin_version, &$errors = array())
 {
     global $conf;

     $settings = empty($conf['sortorders'])
         ? $this->default_conf
         : safe_unserialize($conf['sortorders']);

     conf_update_param('sortorders', $settings, true);
 }
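 /**
  * Activates the theme and makes sure the 'smartpocket' configuration holds exactly
  * the two options 'loop' and 'autohide'.
  *
  * A missing configuration is replaced by $this->default_conf. A stored one that does
  * not decode to a two-element array is rebuilt, keeping whatever values it does carry.
  *
  * @param string $theme_version
  * @param array  $errors
  */
 function activate($theme_version, &$errors = array())
 {
     global $conf;
     if (empty($conf['smartpocket'])) {
         conf_update_param('smartpocket', $this->default_conf, true);
     } else {
         // Decode once. safe_unserialize() returns false for input it rejects, and
         // count(false) raises a TypeError on PHP 8, so the type is checked first.
         $stored = safe_unserialize($conf['smartpocket']);
         if (!is_array($stored) || count($stored) != 2) {
             if (!is_array($stored)) {
                 $stored = array();
             }
             // isset() rather than !empty(): an explicit false or 0 chosen by the
             // administrator is kept instead of being reset to the default.
             $config = array(
                 'loop' => isset($stored['loop']) ? $stored['loop'] : true,
                 'autohide' => isset($stored['autohide']) ? $stored['autohide'] : 5000,
             );
             conf_update_param('smartpocket', $config, true);
         }
     }
     $this->installed = true;
 }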
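	/**
	 * Sets current_value to the running PHP version and recommended_value to the
	 * version reported by the php.net releases feed, or '' when that cannot be obtained.
	 */
	function _retrieveCurrentValue() {
		$this->current_value = PHP_VERSION;

		// NOTE(review): the feed is requested over plain HTTP, so the response is not
		// protected against modification in transit. Treat everything decoded from it as
		// untrusted: it is type-checked below, and it still needs escaping wherever it is displayed.
		$url = 'http://php.net/releases/?serialize=1&version=5';
		$timeout = Piwik_UpdateCheck::SOCKET_TIMEOUT;
		$this->recommended_value = '';
		try {
			$latestVersion = Piwik_Http::sendHttpRequest($url, $timeout);
			// safe_unserialize() returns false for payloads it refuses, so indexing the
			// result without a check would silently read from a non-array.
			$versionInfo = safe_unserialize($latestVersion);
			if (is_array($versionInfo) && isset($versionInfo['version']) && is_string($versionInfo['version'])) {
				$this->recommended_value = $versionInfo['version'];
			}
		} catch(Exception $e) {
			$this->recommended_value = '';
		}
	}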
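    /**
     * Installs or upgrades the plugin.
     *
     * Stores the 'oauth' configuration, makes sure the user_infos table has an
     * `oauth_id` column (moving it over from the users table when it still lives there),
     * and adds the 'total' and 'enabled' counters to the HybridAuth configuration file.
     *
     * @param string $plugin_version
     * @param array  $errors
     */
    function install($plugin_version, &$errors = array())
    {
        global $conf;
        if (empty($conf['oauth'])) {
            conf_update_param('oauth', $this->default_conf, true);
        } else {
            $conf['oauth'] = safe_unserialize($conf['oauth']);
            if (!isset($conf['oauth']['allow_merge_accounts'])) {
                $conf['oauth']['allow_merge_accounts'] = true;
                conf_update_param('oauth', $conf['oauth']);
            }
        }
        $result = pwg_query('SHOW COLUMNS FROM `' . USER_INFOS_TABLE . '` LIKE "oauth_id";');
        if (!pwg_db_num_rows($result)) {
            pwg_query('ALTER TABLE `' . USER_INFOS_TABLE . '` ADD `oauth_id` VARCHAR(255) DEFAULT NULL;');
        }
        // move field from users table to user_infos
        $result = pwg_query('SHOW COLUMNS FROM `' . USERS_TABLE . '` LIKE "oauth_id";');
        if (pwg_db_num_rows($result)) {
            // The identifiers spliced into this statement are table constants and the
            // configured id column name, not request data.
            $query = '
UPDATE `' . USER_INFOS_TABLE . '` AS i
  SET oauth_id = (
    SELECT oauth_id
      FROM `' . USERS_TABLE . '` AS u
      WHERE u.' . $conf['user_fields']['id'] . ' = i.user_id
    )
;';
            pwg_query($query);
            pwg_query('ALTER TABLE `' . USERS_TABLE . '` DROP `oauth_id`;');
        }
        // add 'total' and 'enabled' fields in hybridauth conf file
        if (file_exists($this->file)) {
            $hybridauth_conf = (include $this->file);
            if (!isset($hybridauth_conf['total'])) {
                // Counted with a plain loop: create_function() builds its callback by
                // evaluating a code string and no longer exists in PHP 8.
                $enabled_count = 0;
                foreach ($hybridauth_conf['providers'] as $provider) {
                    if (!empty($provider['enabled'])) {
                        $enabled_count++;
                    }
                }
                $hybridauth_conf['total'] = count($hybridauth_conf['providers']);
                $hybridauth_conf['enabled'] = $enabled_count;
                // The file is rewritten as PHP that returns the array; the guard line stops
                // it from doing anything when requested outside the application.
                $content = "<?php\ndefined('PHPWG_ROOT_PATH') or die('Hacking attempt!');\n\nreturn ";
                $content .= var_export($hybridauth_conf, true);
                $content .= ";\n?>";
                file_put_contents($this->file, $content);
            }
        }
    }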
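 /**
  * Compares safe_serialize()/safe_unserialize() with the native functions over scalars,
  * strings and arrays, then checks that payloads containing objects are rejected.
  */
 function test_safeSerialize()
 {
     // 'nul in string' carries an actual NUL byte, so binary-safe handling is exercised.
     $tests = array('null' => null, 'bool false' => false, 'bool true' => true, 'negative int' => -42, 'zero' => 0, 'positive int' => 42, 'float' => 1.25, 'empty string' => '', 'nul in string' => "\0", 'carriage return in string' => "first line\r\nsecond line", 'utf7 in string' => 'hello, world', 'utf8 in string' => '是', 'empty array' => array(), 'single element array' => array("test"), 'associative array' => array("alpha", 2 => "beta"), 'mixed keys' => array('first' => 'john', 'last' => 'doe', 10 => 'age'), 'nested arrays' => array('top' => array('middle' => 2, array('bottom'), 'last'), 'the end' => true), 'array confusion' => array('"', "'", '}', ';', ':'));
     foreach ($tests as $id => $testData) {
         $this->assertEqual(safe_serialize($testData), serialize($testData), $id);
     }
     foreach ($tests as $id => $testData) {
         $this->assertEqual(unserialize(safe_serialize($testData)), $testData, $id);
         $this->assertTrue(safe_unserialize(safe_serialize($testData)) === $testData, $id);
         $this->assertTrue(safe_unserialize(serialize($testData)) === $testData, $id);
     }
     /*
      * serialize() uses its internal machine representation when floats are expressed in E-notation,
      * which may vary between php versions, OS, and hardware platforms
      */
     $testData = $tests['exp float'] = -5.0E+142;
     // intentionally disabled; this doesn't work
     //		$this->assertEqual( safe_serialize($testData), serialize($testData) );
     $this->assertEqual(unserialize(safe_serialize($testData)), $testData);
     $this->assertTrue(safe_unserialize(safe_serialize($testData)) === $testData);
     // workaround: cast floats into strings
     $this->assertTrue((string) safe_unserialize(serialize($testData)) === (string) $testData);
     $unserialized = array('announcement' => true, 'source' => array(array('filename' => 'php-5.3.3.tar.bz2', 'name' => 'PHP 5.3.3 (tar.bz2)', 'md5' => '21ceeeb232813c10283a5ca1b4c87b48', 'date' => '22 July 2010'), array('filename' => 'php-5.3.3.tar.gz', 'name' => 'PHP 5.3.3 (tar.gz)', 'md5' => '5adf1a537895c2ec933fddd48e78d8a2', 'date' => '22 July 2010')), 'date' => '22 July 2010', 'version' => '5.3.3');
     $serialized = 'a:4:{s:12:"announcement";b:1;s:6:"source";a:2:{i:0;a:4:{s:8:"filename";s:17:"php-5.3.3.tar.bz2";s:4:"name";s:19:"PHP 5.3.3 (tar.bz2)";s:3:"md5";s:32:"21ceeeb232813c10283a5ca1b4c87b48";s:4:"date";s:12:"22 July 2010";}i:1;a:4:{s:8:"filename";s:16:"php-5.3.3.tar.gz";s:4:"name";s:18:"PHP 5.3.3 (tar.gz)";s:3:"md5";s:32:"5adf1a537895c2ec933fddd48e78d8a2";s:4:"date";s:12:"22 July 2010";}}s:4:"date";s:12:"22 July 2010";s:7:"version";s:5:"5.3.3";}';
     $this->assertTrue(unserialize($serialized) === $unserialized);
     $this->assertEqual(serialize($unserialized), $serialized);
     $this->assertTrue(safe_unserialize($serialized) === $unserialized);
     $this->assertEqual(safe_serialize($unserialized), $serialized);
     $this->assertTrue(safe_unserialize(safe_serialize($unserialized)) === $unserialized);
     $this->assertEqual(safe_serialize(safe_unserialize($serialized)), $serialized);

     // Object payloads: each of these must come back as false, whether or not the class exists.
     $a = 'O:31:"Test_Piwik_Cookie_Phantom_Class":0:{}';
     $this->assertFalse(safe_unserialize($a), "test: unserializing an object where class not (yet) defined");
     $a = 'O:28:"Test_Piwik_Cookie_Mock_Class":0:{}';
     $this->assertFalse(safe_unserialize($a), "test: unserializing an object where class is defined");
     $a = 'a:1:{i:0;O:28:"Test_Piwik_Cookie_Mock_Class":0:{}}';
     $this->assertFalse(safe_unserialize($a), "test: unserializing nested object where class is defined");
     $a = 'a:2:{i:0;s:4:"test";i:1;O:28:"Test_Piwik_Cookie_Mock_Class":0:{}}';
     $this->assertFalse(safe_unserialize($a), "test: unserializing another nested object where class is defined");
     // A private member is serialized as NUL + class name + NUL + property name; the two NUL
     // bytes are what make the declared length 34 (1 + 28 + 1 + 4). Without them the payload
     // is merely malformed and the object-rejection path is not what gets tested.
     $a = 'O:28:"Test_Piwik_Cookie_Mock_Class":1:{s:34:"' . "\0" . 'Test_Piwik_Cookie_Mock_Class' . "\0" . 'name";s:4:"test";}';
     $this->assertFalse(safe_unserialize($a), "test: unserializing object with member where class is defined");
     // arrays and objects cannot be used as keys, i.e., generates "Warning: Illegal offset type ..."
     $a = 'a:2:{i:0;a:0:{}O:28:"Test_Piwik_Cookie_Mock_Class":0:{}s:4:"test";';
     $this->assertFalse(safe_unserialize($a), "test: unserializing with illegal key");
 }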
 /**
  * Adds the `polaroid_active` column when it is missing and saves the plugin
  * configuration, with stored values taking precedence over the built-in default.
  */
 function install($plugin_version, &$errors = array())
 {
     global $conf;

     // add a new column to existing table
     $column_lookup = pwg_query('SHOW COLUMNS FROM `' . CATEGORIES_TABLE . '` LIKE "polaroid_active";');
     $column_exists = (bool) pwg_db_num_rows($column_lookup);
     if (!$column_exists) {
         pwg_query('ALTER TABLE `' . CATEGORIES_TABLE . '` ADD `polaroid_active` enum(\'true\', \'false\') default \'false\';');
     }

     // Start from the default, then copy every stored option over it key by key.
     $settings = array('apply_to_albums' => 'all');
     if (!empty($conf['polaroid'])) {
         // The decoded value also replaces the serialized string in the global $conf.
         $conf['polaroid'] = safe_unserialize($conf['polaroid']);
         foreach ($conf['polaroid'] as $option => $stored_value) {
             $settings[$option] = $stored_value;
         }
     }

     conf_update_param('polaroid', $settings, true);
     $this->installed = true;
 }
 /**
  * Saves the 'forecast_conf' configuration and (re)creates the `forecast` view.
  *
  * A first install stores the defaults stamped with the current time; an existing
  * configuration is decoded with safe_unserialize() and merged over the defaults.
  */
 function install($plugin_version, &$errors = array())
 {
     global $conf;

     // empty() is also true for an unset key, so it covers the first-install case by itself.
     if (empty($conf['forecast_conf'])) {
         $this->default_config['last_clean'] = time();
         conf_update_param('forecast_conf', $this->default_config, true);
         pwg_query('UPDATE ' . CONFIG_TABLE . ' SET `comment` = "Configuration settings for piwigo-forecast plugin" WHERE `param` = "forecast_conf";');
     } else {
         $stored = safe_unserialize($conf['forecast_conf']);
         $merged = array_merge($this->default_config, $stored);
         conf_update_param('forecast_conf', $merged, true);
     }

     // Drop and recreate the view so that it always matches this definition.
     pwg_query('DROP VIEW IF EXISTS `forecast`;');
     pwg_query('CREATE VIEW forecast AS SELECT `id`, `latitude`, `longitude`, UNIX_TIMESTAMP( IFNULL(`date_creation`, `date_available`) ) as `date` FROM ' . IMAGES_TABLE . ' WHERE `latitude` IS NOT NULL AND `longitude` is NOT NULL;');
 }
 /**
  * Saves the 'cdnplus_conf' configuration.
  *
  * An existing configuration is decoded with safe_unserialize() and written back.
  * Otherwise the defaults are stored, with one all-false file type map per CDN slot
  * derived from $conf['file_ext'].
  */
 function install($plugin_version, &$errors = array())
 {
     global $conf;

     if (!empty($conf['cdnplus_conf'])) {
         $stored = safe_unserialize($conf['cdnplus_conf']);
         conf_update_param('cdnplus_conf', $stored, true);
         return;
     }

     $this->default_config['last_clean'] = time();

     /* Generate file_ext from current ext supported */
     $lowercased = array_map('strtolower', $conf['file_ext']);
     $distinct_ext = array_intersect_key($conf['file_ext'], array_unique($lowercased));
     $filetypes = array_fill_keys($distinct_ext, false);
     foreach (array('cdn_1', 'cdn_2', 'cdn_3', 'cdn_4', 'cdn_5') as $slot) {
         $this->default_config[$slot]['filetypes'] = $filetypes;
     }

     conf_update_param('cdnplus_conf', $this->default_config, true);
     pwg_query('UPDATE ' . CONFIG_TABLE . ' SET `comment` = "Configuration settings for piwigo-cdnplus plugin" WHERE `param` = "cdnplus_conf";');
 }
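/**
 * Processes a login attempt.
 *
 * With sa=salt (member already logged in) the password salt is regenerated and the login
 * cookie reissued; with sa=check the member id is compared and the browser redirected.
 * Otherwise the posted credentials are checked against the members table, passwords stored
 * in one of the recognised legacy formats are re-hashed, and DoLogin() is called.
 *
 * On a validation failure $context['login_errors'] is filled in and the function returns
 * without a value. When OpenID validation returns something other than 'no_data', that
 * value is returned.
 */
function Login2()
{
    global $txt, $scripturl, $user_info, $user_settings, $smcFunc;
    global $cookiename, $maintenance, $modSettings, $context, $sc, $sourcedir;
    // Load cookie authentication stuff.
    require_once $sourcedir . '/Subs-Auth.php';
    if (isset($_GET['sa']) && $_GET['sa'] == 'salt' && !$user_info['is_guest']) {
        // The cookie is client-controlled. It is only decoded after matching an anchored pattern
        // that admits a 3- or 4-element array of integers and short strings, and the decoding
        // itself goes through safe_unserialize() rather than unserialize().
        if (isset($_COOKIE[$cookiename]) && preg_match('~^a:[34]:\\{i:0;(i:\\d{1,6}|s:[1-8]:"\\d{1,8}");i:1;s:(0|40):"([a-fA-F0-9]{40})?";i:2;[id]:\\d{1,14};(i:3;i:\\d;)?\\}$~', $_COOKIE[$cookiename]) === 1) {
            list(, , $timeout) = safe_unserialize($_COOKIE[$cookiename]);
        } elseif (isset($_SESSION['login_' . $cookiename])) {
            list(, , $timeout) = safe_unserialize($_SESSION['login_' . $cookiename]);
        } else {
            trigger_error('Login2(): Cannot be logged in without a session or cookie', E_USER_ERROR);
        }
        // NOTE(review): mt_rand() is not a cryptographic generator and only four hex characters
        // are kept, so this salt is guessable. The same construction is used twice more below.
        $user_settings['password_salt'] = substr(md5(mt_rand()), 0, 4);
        updateMemberData($user_info['id'], array('password_salt' => $user_settings['password_salt']));
        setLoginCookie($timeout - time(), $user_info['id'], sha1($user_settings['passwd'] . $user_settings['password_salt']));
        redirectexit('action=login2;sa=check;member=' . $user_info['id'], $context['server']['needs_login_fix']);
    } elseif (isset($_GET['sa']) && $_GET['sa'] == 'check') {
        // Strike!  You're outta there!
        if ($_GET['member'] != $user_info['id']) {
            fatal_lang_error('login_cookie_error', false);
        }
        // Some whitelisting for login_url...
        if (empty($_SESSION['login_url'])) {
            redirectexit();
        } else {
            // Best not to clutter the session data too much...
            $temp = $_SESSION['login_url'];
            unset($_SESSION['login_url']);
            redirectexit($temp);
        }
    }
    // Beyond this point you are assumed to be a guest trying to login.
    if (!$user_info['is_guest']) {
        redirectexit();
    }
    // Are you guessing with a script?
    spamProtection('login');
    // Set the login_url if it's not already set (but careful not to send us to an attachment).
    if (empty($_SESSION['login_url']) && isset($_SESSION['old_url']) && strpos($_SESSION['old_url'], 'dlattach') === false && preg_match('~(board|topic)[=,]~', $_SESSION['old_url']) != 0) {
        $_SESSION['login_url'] = $_SESSION['old_url'];
    }
    // Been guessing a lot, haven't we?
    if (isset($_SESSION['failed_login']) && $_SESSION['failed_login'] >= $modSettings['failed_login_threshold'] * 3) {
        fatal_lang_error('login_threshold_fail', 'critical');
    }
    // Set up the cookie length.  (if it's invalid, just fall through and use the default.)
    // Both bounds have to hold. Joined with ||, every non-empty value passed the check and a
    // client could request an arbitrary cookie lifetime.
    if (isset($_POST['cookieneverexp']) || !empty($_POST['cookielength']) && $_POST['cookielength'] == -1) {
        $modSettings['cookieTime'] = 3153600;
    } elseif (!empty($_POST['cookielength']) && ($_POST['cookielength'] >= 1 && $_POST['cookielength'] <= 525600)) {
        $modSettings['cookieTime'] = (int) $_POST['cookielength'];
    }
    loadLanguage('Login');
    // Load the template stuff - wireless or normal.
    if (WIRELESS) {
        $context['sub_template'] = WIRELESS_PROTOCOL . '_login';
    } else {
        loadTemplate('Login');
        $context['sub_template'] = 'login';
    }
    // Set up the default/fallback stuff.
    $context['default_username'] = isset($_POST['user']) ? preg_replace('~&amp;#(\\d{1,7}|x[0-9a-fA-F]{1,6});~', '&#\\1;', htmlspecialchars($_POST['user'])) : '';
    $context['default_password'] = '';
    $context['never_expire'] = $modSettings['cookieTime'] == 525600 || $modSettings['cookieTime'] == 3153600;
    $context['login_errors'] = array($txt['error_occured']);
    $context['page_title'] = $txt['login'];
    // Add the login chain to the link tree.
    $context['linktree'][] = array('url' => $scripturl . '?action=login', 'name' => $txt['login']);
    if (!empty($_POST['openid_identifier']) && !empty($modSettings['enableOpenID'])) {
        require_once $sourcedir . '/Subs-OpenID.php';
        if (($open_id = smf_openID_validate($_POST['openid_identifier'])) !== 'no_data') {
            return $open_id;
        }
    }
    // You forgot to type your username, dummy!
    if (!isset($_POST['user']) || $_POST['user'] == '') {
        $context['login_errors'] = array($txt['need_username']);
        return;
    }
    // Hmm... maybe 'admin' will login with no password. Uhh... NO!
    if ((!isset($_POST['passwrd']) || $_POST['passwrd'] == '') && (!isset($_POST['hash_passwrd']) || strlen($_POST['hash_passwrd']) != 40)) {
        $context['login_errors'] = array($txt['no_password']);
        return;
    }
    // No funky symbols either.
    if (preg_match('~[<>&"\'=\\\\]~', preg_replace('~(&#(\\d{1,7}|x[0-9a-fA-F]{1,6});)~', '', $_POST['user'])) != 0) {
        $context['login_errors'] = array($txt['error_invalid_characters_username']);
        return;
    }
    // And if it's too long, trim it back.
    if ($smcFunc['strlen']($_POST['user']) > 80) {
        $_POST['user'] = $smcFunc['substr']($_POST['user'], 0, 79);
        $context['default_username'] = preg_replace('~&amp;#(\\d{1,7}|x[0-9a-fA-F]{1,6});~', '&#\\1;', $smcFunc['htmlspecialchars']($_POST['user']));
    }
    // Are we using any sort of integration to validate the login?
    if (in_array('retry', call_integration_hook('integrate_validate_login', array($_POST['user'], isset($_POST['hash_passwrd']) && strlen($_POST['hash_passwrd']) == 40 ? $_POST['hash_passwrd'] : null, $modSettings['cookieTime'])), true)) {
        $context['login_errors'] = array($txt['login_hash_error']);
        $context['disable_login_hashing'] = true;
        return;
    }
    // Load the data up!
    // The user name reaches the query through the {string:user_name} placeholder, not by concatenation.
    $request = $smcFunc['db_query']('', '
		SELECT passwd, id_member, id_group, lngfile, is_activated, email_address, additional_groups, member_name, password_salt,
			openid_uri, passwd_flood
		FROM {db_prefix}members
		WHERE ' . ($smcFunc['db_case_sensitive'] ? 'LOWER(member_name) = LOWER({string:user_name})' : 'member_name = {string:user_name}') . '
		LIMIT 1', array('user_name' => $smcFunc['db_case_sensitive'] ? strtolower($_POST['user']) : $_POST['user']));
    // Probably mistyped or their email, try it as an email address. (member_name first, though!)
    if ($smcFunc['db_num_rows']($request) == 0) {
        $smcFunc['db_free_result']($request);
        $request = $smcFunc['db_query']('', '
			SELECT passwd, id_member, id_group, lngfile, is_activated, email_address, additional_groups, member_name, password_salt, openid_uri,
			passwd_flood
			FROM {db_prefix}members
			WHERE email_address = {string:user_name}
			LIMIT 1', array('user_name' => $_POST['user']));
        // Let them try again, it didn't match anything...
        if ($smcFunc['db_num_rows']($request) == 0) {
            $context['login_errors'] = array($txt['username_no_exist']);
            return;
        }
    }
    $user_settings = $smcFunc['db_fetch_assoc']($request);
    $smcFunc['db_free_result']($request);
    // Figure out the password using SMF's encryption - if what they typed is right.
    if (isset($_POST['hash_passwrd']) && strlen($_POST['hash_passwrd']) == 40) {
        // Needs upgrading?
        if (strlen($user_settings['passwd']) != 40) {
            $context['login_errors'] = array($txt['login_hash_error']);
            $context['disable_login_hashing'] = true;
            unset($user_settings);
            return;
        } elseif ($_POST['hash_passwrd'] === sha1($user_settings['passwd'] . $sc)) {
            // Strict comparison: with ==, two digest strings that both look numeric are compared
            // as numbers and can be equal without being identical.
            $sha_passwd = $user_settings['passwd'];
        } else {
            // Don't allow this!
            validatePasswordFlood($user_settings['id_member'], $user_settings['passwd_flood']);
            $_SESSION['failed_login'] = @$_SESSION['failed_login'] + 1;
            if ($_SESSION['failed_login'] >= $modSettings['failed_login_threshold']) {
                redirectexit('action=reminder');
            } else {
                log_error($txt['incorrect_password'] . ' - <span class="remove">' . $user_settings['member_name'] . '</span>', 'user');
                $context['disable_login_hashing'] = true;
                $context['login_errors'] = array($txt['incorrect_password']);
                unset($user_settings);
                return;
            }
        }
    } else {
        $sha_passwd = sha1(strtolower($user_settings['member_name']) . un_htmlspecialchars($_POST['passwrd']));
    }
    // Bad password!  Thought you could fool the database?!
    // Compared strictly, for the same reason as the posted hash above.
    // NOTE(review): neither comparison is constant-time; hash_equals() would be the choice
    // where the supported PHP version provides it.
    if ($user_settings['passwd'] !== $sha_passwd) {
        // Let's be cautious, no hacking please. thanx.
        validatePasswordFlood($user_settings['id_member'], $user_settings['passwd_flood']);
        // Maybe we were too hasty... let's try some other authentication methods.
        // NOTE(review): the candidates below are unsalted or fast digests (and, in one case, the
        // plain password) kept for accounts imported from other forum software; a match is
        // re-hashed further down. None of them is a password hashing function in the
        // password_hash() sense.
        $other_passwords = array();
        // None of the below cases will be used most of the time (because the salt is normally set.)
        if ($user_settings['password_salt'] == '') {
            // YaBB SE, Discus, MD5 (used a lot), SHA-1 (used some), SMF 1.0.x, IkonBoard, and none at all.
            $other_passwords[] = crypt($_POST['passwrd'], substr($_POST['passwrd'], 0, 2));
            $other_passwords[] = crypt($_POST['passwrd'], substr($user_settings['passwd'], 0, 2));
            $other_passwords[] = md5($_POST['passwrd']);
            $other_passwords[] = sha1($_POST['passwrd']);
            $other_passwords[] = md5_hmac($_POST['passwrd'], strtolower($user_settings['member_name']));
            $other_passwords[] = md5($_POST['passwrd'] . strtolower($user_settings['member_name']));
            $other_passwords[] = md5(md5($_POST['passwrd']));
            $other_passwords[] = $_POST['passwrd'];
            // This one is a strange one... MyPHP, crypt() on the MD5 hash.
            $other_passwords[] = crypt(md5($_POST['passwrd']), md5($_POST['passwrd']));
            // Snitz style - SHA-256.  Technically, this is a downgrade, but most PHP configurations don't support sha256 anyway.
            if (strlen($user_settings['passwd']) == 64 && function_exists('mhash') && defined('MHASH_SHA256')) {
                $other_passwords[] = bin2hex(mhash(MHASH_SHA256, $_POST['passwrd']));
            }
            // phpBB3 users new hashing.  We now support it as well ;).
            $other_passwords[] = phpBB3_password_check($_POST['passwrd'], $user_settings['passwd']);
            // APBoard 2 Login Method.
            $other_passwords[] = md5(crypt($_POST['passwrd'], 'CRYPT_MD5'));
        } elseif (strlen($user_settings['passwd']) == 32) {
            // vBulletin 3 style hashing?  Let's welcome them with open arms \o/.
            $other_passwords[] = md5(md5($_POST['passwrd']) . $user_settings['password_salt']);
            // Hmm.. p'raps it's Invision 2 style?
            $other_passwords[] = md5(md5($user_settings['password_salt']) . md5($_POST['passwrd']));
            // Some common md5 ones.
            $other_passwords[] = md5($user_settings['password_salt'] . $_POST['passwrd']);
            $other_passwords[] = md5($_POST['passwrd'] . $user_settings['password_salt']);
        } elseif (strlen($user_settings['passwd']) == 40) {
            // Maybe they are using a hash from before the password fix.
            $other_passwords[] = sha1(strtolower($user_settings['member_name']) . un_htmlspecialchars($_POST['passwrd']));
            // BurningBoard3 style of hashing.
            $other_passwords[] = sha1($user_settings['password_salt'] . sha1($user_settings['password_salt'] . sha1($_POST['passwrd'])));
            // Perhaps we converted to UTF-8 and have a valid password being hashed differently.
            if ($context['character_set'] == 'utf8' && !empty($modSettings['previousCharacterSet']) && $modSettings['previousCharacterSet'] != 'utf8') {
                // Try iconv first, for no particular reason.
                if (function_exists('iconv')) {
                    $other_passwords['iconv'] = sha1(strtolower(iconv('UTF-8', $modSettings['previousCharacterSet'], $user_settings['member_name'])) . un_htmlspecialchars(iconv('UTF-8', $modSettings['previousCharacterSet'], $_POST['passwrd'])));
                }
                // Say it aint so, iconv failed!
                if (empty($other_passwords['iconv']) && function_exists('mb_convert_encoding')) {
                    $other_passwords[] = sha1(strtolower(mb_convert_encoding($user_settings['member_name'], 'UTF-8', $modSettings['previousCharacterSet'])) . un_htmlspecialchars(mb_convert_encoding($_POST['passwrd'], 'UTF-8', $modSettings['previousCharacterSet'])));
                }
            }
        }
        // SMF's sha1 function can give a funny result on Linux (Not our fault!). If we've now got the real one let the old one be valid!
        if (strpos(strtolower(PHP_OS), 'win') !== 0) {
            require_once $sourcedir . '/Subs-Compat.php';
            $other_passwords[] = sha1_smf(strtolower($user_settings['member_name']) . un_htmlspecialchars($_POST['passwrd']));
        }
        // Whichever encryption it was using, let's make it use SMF's now ;).
        // NOTE(review): in_array() compares loosely here. Left as is because the return type of
        // phpBB3_password_check() is not visible from this function; if every candidate is a
        // string, pass true as the third argument.
        if (in_array($user_settings['passwd'], $other_passwords)) {
            $user_settings['passwd'] = $sha_passwd;
            $user_settings['password_salt'] = substr(md5(mt_rand()), 0, 4);
            // Update the password and set up the hash.
            updateMemberData($user_settings['id_member'], array('passwd' => $user_settings['passwd'], 'password_salt' => $user_settings['password_salt'], 'passwd_flood' => ''));
        } else {
            // They've messed up again - keep a count to see if they need a hand.
            $_SESSION['failed_login'] = @$_SESSION['failed_login'] + 1;
            // Hmm... don't remember it, do you?  Here, try the password reminder ;).
            if ($_SESSION['failed_login'] >= $modSettings['failed_login_threshold']) {
                redirectexit('action=reminder');
            } else {
                // Log an error so we know that it didn't go well in the error log.
                log_error($txt['incorrect_password'] . ' - <span class="remove">' . $user_settings['member_name'] . '</span>', 'user');
                $context['login_errors'] = array($txt['incorrect_password']);
                return;
            }
        }
    } elseif (!empty($user_settings['passwd_flood'])) {
        // Let's be sure they weren't a little hacker.
        validatePasswordFlood($user_settings['id_member'], $user_settings['passwd_flood'], true);
        // If we got here then we can reset the flood counter.
        updateMemberData($user_settings['id_member'], array('passwd_flood' => ''));
    }
    // Correct password, but they've got no salt; fix it!
    if ($user_settings['password_salt'] == '') {
        $user_settings['password_salt'] = substr(md5(mt_rand()), 0, 4);
        updateMemberData($user_settings['id_member'], array('password_salt' => $user_settings['password_salt']));
    }
    // Check their activation status.
    if (!checkActivation()) {
        return;
    }
    DoLogin();
}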
 /**
  * Builds the one-click update result page from the posted 'error' and 'messages'
  * values and returns the rendered view.
  *
  * Authentication is reloaded from the posted token and super user access is checked
  * before any posted value is read. 'messages' is decoded with safe_unserialize().
  */
 public function oneClickResults()
 {
     Request::reloadAuthUsingTokenAuth($_POST);
     Piwik::checkUserIsSuperUser();

     $resultView = new View('@CoreUpdater/oneClickResults');
     $resultView->coreError = Common::getRequestVar('error', '', 'string', $_POST);

     // The messages arrive serialized in the POST body; undo the input sanitizing, then decode.
     $postedMessages = Common::getRequestVar('messages', '', 'string', $_POST);
     $rawMessages = Common::unsanitizeInputValue($postedMessages);
     $resultView->feedbackMessages = safe_unserialize($rawMessages);

     return $resultView->render();
 }
 /**
  * Fill $this->value from the cookie named $this->name.
  *
  * The cookie string is first passed through extractSignedContent(); nothing is loaded
  * when that returns false. The remaining content is split into name=value pairs.
  * Numeric values are kept as they are, every other value is base64 decoded and then
  * decoded with safe_unserialize(). One value that fails to decode discards the cookie.
  */
 protected function loadContentFromCookie()
 {
     $payload = $this->extractSignedContent($_COOKIE[$this->name]);
     if ($payload === false) {
         return;
     }

     foreach (explode(self::VALUE_SEPARATOR, $payload) as $pair) {
         $separatorAt = strpos($pair, '=');
         $key = substr($pair, 0, $separatorAt);
         $entry = substr($pair, $separatorAt + 1);

         // Numeric values were stored without encoding.
         if (is_numeric($entry)) {
             $this->value[$key] = $entry;
             continue;
         }

         // Anything else was base64 encoded, so it has to be decoded first.
         $decoded = base64_decode($entry);
         $entry = safe_unserialize($decoded);

         // false means the decode failed, unless the payload really was a serialized false.
         // note: this assumes we never serialize a boolean
         $rejected = ($entry === false) && ($decoded !== 'b:0;');
         if ($rejected) {
             // discard entire cookie
             $this->value = array();
             unset($_COOKIE[$this->name]);
             break;
         }

         $this->value[$key] = $entry;
     }
 }
/**
 * Pass the smartpocket settings to the template and, when a mobile theme is
 * configured, the URL that toggles it.
 *
 * The toggle URL is only assigned when $conf['mobile_theme'] is set and either
 * the device is not a desktop or the mobile theme is already active.
 * REQUEST_URI is client-controlled, so it is HTML-escaped before being handed
 * to the template.
 */
function mobile_link()
{
    global $template, $conf;

    $template->assign('smartpocket', safe_unserialize($conf['smartpocket']));

    if (empty($conf['mobile_theme'])) {
        return;
    }
    // Desktop visitors who are not on the mobile theme get no toggle link.
    if (get_device() == 'desktop' && !mobile_theme()) {
        return;
    }

    $escaped_uri = htmlspecialchars($_SERVER['REQUEST_URI']);
    $target_mode = mobile_theme() ? 'false' : 'true';
    $toggle_url = add_url_params($escaped_uri, array('mobile' => $target_mode));
    $template->assign(array('TOGGLE_MOBILE_THEME_URL' => $toggle_url));
}
/**
 * Decode the stored AdminTools settings in place and load the plugin's
 * language file.
 *
 * $conf['AdminTools'] holds the serialized form on entry and the result of
 * safe_unserialize() afterwards.
 */
function admintools_init()
{
    global $conf;

    $stored_settings = $conf['AdminTools'];
    $conf['AdminTools'] = safe_unserialize($stored_settings);

    load_language('plugin.lang', ADMINTOOLS_PATH);
}
Exemple #18
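/**
 * Admin member list: optionally deletes the selected members, turns a submitted
 * member search into a WHERE clause, and builds the 'member_list' list.
 *
 * Input comes from $_POST, or from the base64/serialized 'params' URL value when
 * nothing was posted. Everything taken from the request is either bound through
 * a {type:name} placeholder or reduced to an integer before it becomes part of
 * the query text.
 *
 * Sets $context['sub_action'], $context['params_url'], $context['page_title'],
 * $context['sub_template'] and $context['default_list'].
 */
function ViewMemberlist()
{
    global $txt, $scripturl, $context, $modSettings, $sourcedir, $smcFunc, $user_info;
    // Set the current sub action.
    $context['sub_action'] = $_REQUEST['sa'];
    // Are we performing a delete?
    if (isset($_POST['delete_members']) && !empty($_POST['delete']) && allowedTo('profile_remove_any')) {
        checkSession();
        // Clean the input.
        foreach ($_POST['delete'] as $key => $value) {
            $member_id = (int) $value;
            $_POST['delete'][$key] = $member_id;
            // Never delete the acting user. Compare the cast id, because that is the
            // value that would be deleted; a raw string such as '5abc' casts to 5 but
            // does not always compare equal to 5.
            if ($member_id == $user_info['id']) {
                unset($_POST['delete'][$key]);
            }
        }
        if (!empty($_POST['delete'])) {
            // Delete all the selected members.
            require_once $sourcedir . '/Subs-Members.php';
            deleteMembers($_POST['delete'], true);
        }
    }
    if ($context['sub_action'] == 'query' && !empty($_REQUEST['params']) && empty($_POST)) {
        // 'params' comes straight from the URL and can decode to anything. Merge it
        // only when it really is an array: array + false is a fatal error.
        $saved_params = safe_unserialize(base64_decode($_REQUEST['params']));
        if (is_array($saved_params)) {
            $_POST += $saved_params;
        }
    }
    // Check input after a member search has been submitted.
    if ($context['sub_action'] == 'query') {
        // Retrieving the membergroups and postgroups.
        $context['membergroups'] = array(array('id' => 0, 'name' => $txt['membergroups_members'], 'can_be_additional' => false));
        $context['postgroups'] = array();
        $request = $smcFunc['db_query']('', '
			SELECT id_group, group_name, min_posts
			FROM {db_prefix}membergroups
			WHERE id_group != {int:moderator_group}
			ORDER BY min_posts, CASE WHEN id_group < {int:newbie_group} THEN id_group ELSE 4 END, group_name', array('moderator_group' => 3, 'newbie_group' => 4));
        while ($row = $smcFunc['db_fetch_assoc']($request)) {
            if ($row['min_posts'] == -1) {
                $context['membergroups'][] = array('id' => $row['id_group'], 'name' => $row['group_name'], 'can_be_additional' => true);
            } else {
                $context['postgroups'][] = array('id' => $row['id_group'], 'name' => $row['group_name']);
            }
        }
        $smcFunc['db_free_result']($request);
        // Some data about the form fields and how they are linked to the database.
        $params = array('mem_id' => array('db_fields' => array('id_member'), 'type' => 'int', 'range' => true), 'age' => array('db_fields' => array('birthdate'), 'type' => 'age', 'range' => true), 'posts' => array('db_fields' => array('posts'), 'type' => 'int', 'range' => true), 'reg_date' => array('db_fields' => array('date_registered'), 'type' => 'date', 'range' => true), 'last_online' => array('db_fields' => array('last_login'), 'type' => 'date', 'range' => true), 'gender' => array('db_fields' => array('gender'), 'type' => 'checkbox', 'values' => array('0', '1', '2')), 'activated' => array('db_fields' => array('CASE WHEN is_activated IN (1, 11) THEN 1 ELSE 0 END'), 'type' => 'checkbox', 'values' => array('0', '1')), 'membername' => array('db_fields' => array('member_name', 'real_name'), 'type' => 'string'), 'email' => array('db_fields' => array('email_address'), 'type' => 'string'), 'website' => array('db_fields' => array('website_title', 'website_url'), 'type' => 'string'), 'location' => array('db_fields' => array('location'), 'type' => 'string'), 'ip' => array('db_fields' => array('member_ip'), 'type' => 'string'), 'messenger' => array('db_fields' => array('icq', 'aim', 'yim', 'msn'), 'type' => 'string'));
        // Maps the operator tokens the form may send to SQL operators; anything else falls back to '='.
        $range_trans = array('--' => '<', '-' => '<=', '=' => '=', '+' => '>=', '++' => '>');
        // !!! Validate a little more.
        // Loop through every field of the form.
        $query_parts = array();
        $where_params = array();
        foreach ($params as $param_name => $param_info) {
            // Not filled in?
            if (!isset($_POST[$param_name]) || $_POST[$param_name] === '') {
                continue;
            }
            // Make sure numeric values are really numeric.
            if (in_array($param_info['type'], array('int', 'age'))) {
                $_POST[$param_name] = (int) $_POST[$param_name];
            } elseif ($param_info['type'] == 'date') {
                // Check if this date format is valid.
                if (preg_match('/^\\d{4}-\\d{1,2}-\\d{1,2}$/', $_POST[$param_name]) == 0) {
                    continue;
                }
                $_POST[$param_name] = strtotime($_POST[$param_name]);
                // The pattern also accepts dates strtotime() cannot parse (month 13, ...).
                // It returns false for those, which must not reach the query text below.
                if ($_POST[$param_name] === false) {
                    continue;
                }
            }
            // Those values that are in some kind of range (<, <=, =, >=, >).
            if (!empty($param_info['range'])) {
                // Default to '=', just in case...
                if (empty($range_trans[$_POST['types'][$param_name]])) {
                    $_POST['types'][$param_name] = '=';
                }
                // Handle special case 'age'.
                if ($param_info['type'] == 'age') {
                    // All people that were born between $lowerlimit and $upperlimit are currently the specified age.
                    $datearray = getdate(forum_time());
                    $upperlimit = sprintf('%04d-%02d-%02d', $datearray['year'] - $_POST[$param_name], $datearray['mon'], $datearray['mday']);
                    $lowerlimit = sprintf('%04d-%02d-%02d', $datearray['year'] - $_POST[$param_name] - 1, $datearray['mon'], $datearray['mday']);
                    if (in_array($_POST['types'][$param_name], array('-', '--', '='))) {
                        $query_parts[] = $param_info['db_fields'][0] . ' > {string:' . $param_name . '_minlimit}';
                        $where_params[$param_name . '_minlimit'] = $_POST['types'][$param_name] == '--' ? $upperlimit : $lowerlimit;
                    }
                    if (in_array($_POST['types'][$param_name], array('+', '++', '='))) {
                        $query_parts[] = $param_info['db_fields'][0] . ' <= {string:' . $param_name . '_pluslimit}';
                        $where_params[$param_name . '_pluslimit'] = $_POST['types'][$param_name] == '++' ? $lowerlimit : $upperlimit;
                        // Make sure that members that didn't set their birth year are not queried.
                        $query_parts[] = $param_info['db_fields'][0] . ' > {date:dec_zero_date}';
                        $where_params['dec_zero_date'] = '0004-12-31';
                    }
                } elseif ($param_info['type'] == 'date' && $_POST['types'][$param_name] == '=') {
                    // Inlined on purpose: the value is the integer timestamp produced above.
                    $query_parts[] = $param_info['db_fields'][0] . ' > ' . $_POST[$param_name] . ' AND ' . $param_info['db_fields'][0] . ' < ' . ($_POST[$param_name] + 86400);
                } else {
                    // Inlined on purpose: the operator comes from $range_trans and the value is an integer.
                    $query_parts[] = $param_info['db_fields'][0] . ' ' . $range_trans[$_POST['types'][$param_name]] . ' ' . $_POST[$param_name];
                }
            } elseif ($param_info['type'] == 'checkbox') {
                // Each checkbox or no checkbox at all is checked -> ignore.
                if (!is_array($_POST[$param_name]) || count($_POST[$param_name]) == 0 || count($_POST[$param_name]) == count($param_info['values'])) {
                    continue;
                }
                $query_parts[] = $param_info['db_fields'][0] . ' IN ({array_string:' . $param_name . '_check})';
                $where_params[$param_name . '_check'] = $_POST[$param_name];
            } else {
                // Replace the wildcard characters ('*' and '?') into MySQL ones.
                $parameter = strtolower(strtr($smcFunc['htmlspecialchars']($_POST[$param_name], ENT_QUOTES), array('%' => '\\%', '_' => '\\_', '*' => '%', '?' => '_')));
                $query_parts[] = '(' . implode(' LIKE {string:' . $param_name . '_normal} OR ', $param_info['db_fields']) . ' LIKE {string:' . $param_name . '_normal})';
                $where_params[$param_name . '_normal'] = '%' . $parameter . '%';
            }
        }
        // Set up the membergroup query part.
        $mg_query_parts = array();
        // Primary membergroups, but only if at least one was not selected.
        if (!empty($_POST['membergroups'][1]) && count($context['membergroups']) != count($_POST['membergroups'][1])) {
            $mg_query_parts[] = 'mem.id_group IN ({array_int:group_check})';
            $where_params['group_check'] = $_POST['membergroups'][1];
        }
        // Additional membergroups (these are only relevant if not all primary groups were selected!).
        if (!empty($_POST['membergroups'][2]) && (empty($_POST['membergroups'][1]) || count($context['membergroups']) != count($_POST['membergroups'][1]))) {
            foreach ($_POST['membergroups'][2] as $mg) {
                // The group id becomes part of the placeholder name, i.e. part of the
                // query text itself, so it has to be an integer before it is appended.
                $mg = (int) $mg;
                $mg_query_parts[] = 'FIND_IN_SET({int:add_group_' . $mg . '}, mem.additional_groups) != 0';
                $where_params['add_group_' . $mg] = $mg;
            }
        }
        // Combine the one or two membergroup parts into one query part linked with an OR.
        if (!empty($mg_query_parts)) {
            $query_parts[] = '(' . implode(' OR ', $mg_query_parts) . ')';
        }
        // Get all selected post count related membergroups.
        if (!empty($_POST['postgroups']) && count($_POST['postgroups']) != count($context['postgroups'])) {
            $query_parts[] = 'id_post_group IN ({array_int:post_groups})';
            $where_params['post_groups'] = $_POST['postgroups'];
        }
        // Construct the where part of the query.
        $where = empty($query_parts) ? '1' : implode('
			AND ', $query_parts);
        // The search travels in the URL between list pages. It is neither signed nor
        // encrypted, so it is decoded again above as untrusted input.
        $search_params = base64_encode(serialize($_POST));
    } else {
        $search_params = null;
    }
    // Construct the additional URL part with the query info in it.
    $context['params_url'] = $context['sub_action'] == 'query' ? ';sa=query;params=' . $search_params : '';
    // Get the title and sub template ready..
    $context['page_title'] = $txt['admin_members'];
    // NOTE(review): the two row callbacks are built with create_function(), which
    // compiles its string body at runtime and no longer exists in PHP 8. The bodies
    // are constant strings here; keep request data out of them.
    $listOptions = array('id' => 'member_list', 'items_per_page' => $modSettings['defaultMaxMembers'], 'base_href' => $scripturl . '?action=admin;area=viewmembers' . $context['params_url'], 'default_sort_col' => 'user_name', 'get_items' => array('file' => $sourcedir . '/Subs-Members.php', 'function' => 'list_getMembers', 'params' => array(isset($where) ? $where : '1=1', isset($where_params) ? $where_params : array())), 'get_count' => array('file' => $sourcedir . '/Subs-Members.php', 'function' => 'list_getNumMembers', 'params' => array(isset($where) ? $where : '1=1', isset($where_params) ? $where_params : array())), 'columns' => array('id_member' => array('header' => array('value' => $txt['member_id']), 'data' => array('db' => 'id_member', 'class' => 'windowbg', 'style' => 'text-align: center;'), 'sort' => array('default' => 'id_member', 'reverse' => 'id_member DESC')), 'user_name' => array('header' => array('value' => $txt['username']), 'data' => array('sprintf' => array('format' => '<a href="' . strtr($scripturl, array('%' => '%%')) . '?action=profile;u=%1$d">%2$s</a>', 'params' => array('id_member' => false, 'member_name' => false))), 'sort' => array('default' => 'member_name', 'reverse' => 'member_name DESC')), 'display_name' => array('header' => array('value' => $txt['display_name']), 'data' => array('sprintf' => array('format' => '<a href="' . strtr($scripturl, array('%' => '%%')) . 
'?action=profile;u=%1$d">%2$s</a>', 'params' => array('id_member' => false, 'real_name' => false))), 'sort' => array('default' => 'real_name', 'reverse' => 'real_name DESC')), 'email' => array('header' => array('value' => $txt['email_address']), 'data' => array('sprintf' => array('format' => '<a href="mailto:%1$s">%1$s</a>', 'params' => array('email_address' => true)), 'class' => 'windowbg'), 'sort' => array('default' => 'email_address', 'reverse' => 'email_address DESC')), 'ip' => array('header' => array('value' => $txt['ip_address']), 'data' => array('sprintf' => array('format' => '<a href="' . strtr($scripturl, array('%' => '%%')) . '?action=trackip;searchip=%1$s">%1$s</a>', 'params' => array('member_ip' => false))), 'sort' => array('default' => 'INET_ATON(member_ip)', 'reverse' => 'INET_ATON(member_ip) DESC')), 'last_active' => array('header' => array('value' => $txt['viewmembers_online']), 'data' => array('function' => create_function('$rowData', '
						global $txt;

						// Calculate number of days since last online.
						if (empty($rowData[\'last_login\']))
							$difference = $txt[\'never\'];
						else
						{
							$num_days_difference = jeffsdatediff($rowData[\'last_login\']);

							// Today.
							if (empty($num_days_difference))
								$difference = $txt[\'viewmembers_today\'];

							// Yesterday.
							elseif ($num_days_difference == 1)
								$difference = sprintf(\'1 %1$s\', $txt[\'viewmembers_day_ago\']);

							// X days ago.
							else
								$difference = sprintf(\'%1$d %2$s\', $num_days_difference, $txt[\'viewmembers_days_ago\']);
						}

						// Show it in italics if they\'re not activated...
						if ($rowData[\'is_activated\'] % 10 != 1)
							$difference = sprintf(\'<em title="%1$s">%2$s</em>\', $txt[\'not_activated\'], $difference);

						return $difference;
					')), 'sort' => array('default' => 'last_login DESC', 'reverse' => 'last_login')), 'posts' => array('header' => array('value' => $txt['member_postcount']), 'data' => array('db' => 'posts'), 'sort' => array('default' => 'posts', 'reverse' => 'posts DESC')), 'check' => array('header' => array('value' => '<input type="checkbox" onclick="invertAll(this, this.form);" class="input_check" />'), 'data' => array('function' => create_function('$rowData', '
						global $user_info;

						return \'<input type="checkbox" name="delete[]" value="\' . $rowData[\'id_member\'] . \'" class="input_check" \' . ($rowData[\'id_member\'] == $user_info[\'id\'] || $rowData[\'id_group\'] == 1 || in_array(1, explode(\',\', $rowData[\'additional_groups\'])) ? \'disabled="disabled"\' : \'\') . \' />\';
					'), 'class' => 'windowbg', 'style' => 'text-align: center'))), 'form' => array('href' => $scripturl . '?action=admin;area=viewmembers' . $context['params_url'], 'include_start' => true, 'include_sort' => true), 'additional_rows' => array(array('position' => 'below_table_data', 'value' => '<input type="submit" name="delete_members" value="' . $txt['admin_delete_members'] . '" onclick="return confirm(\'' . $txt['confirm_delete_members'] . '\');" class="button_submit" />', 'style' => 'text-align: right;')));
    // Without enough permissions, don't show the 'delete members' checkboxes.
    // The list above defines its columns under 'columns'; unsetting 'cols' removed nothing.
    if (!allowedTo('profile_remove_any')) {
        unset($listOptions['columns']['check'], $listOptions['form'], $listOptions['additional_rows']);
    }
    require_once $sourcedir . '/Subs-List.php';
    createList($listOptions);
    $context['sub_template'] = 'show_list';
    $context['default_list'] = 'member_list';
}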
Exemple #19
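 /**
  * Load the cookie content into $this->value.
  *
  * The raw cookie first goes through extractSignedContent(); when that returns
  * false nothing is loaded. The remaining string is split on VALUE_SEPARATOR
  * into name=value pairs. Numeric values are stored as they are; every other
  * value is base64-decoded and then decoded as JSON. On PHP older than 5.2.1
  * it is passed to safe_unserialize() instead.
  *
  * Pairs without a '=' are skipped instead of being stored under an empty name.
  *
  * NOTE(review): extractSignedContent() is not visible here; presumably it
  * verifies a signature before any decoding happens. Confirm.
  */
 protected function loadContentFromCookie()
 {
     $cookieStr = $this->extractSignedContent($_COOKIE[$this->name]);
     if ($cookieStr === false) {
         return;
     }
     // @see http://bugs.php.net/38680
     // version_compare() orders version numbers; a plain string '<' compares
     // character by character and would rank '10.0.0' below '5.2.1'.
     $useLegacyFormat = version_compare(PHP_VERSION, '5.2.1', '<');
     $values = explode(self::VALUE_SEPARATOR, $cookieStr);
     foreach ($values as $nameValue) {
         $equalPos = strpos($nameValue, '=');
         if ($equalPos === false) {
             // malformed pair: there is no name to store the value under
             continue;
         }
         $varName = substr($nameValue, 0, $equalPos);
         $varValue = substr($nameValue, $equalPos + 1);
         // non-numeric values are base64 encoded so we need to decode them
         if (!is_numeric($varValue)) {
             $decoded = base64_decode($varValue);
             $varValue = $useLegacyFormat ? safe_unserialize($decoded) : @json_decode($decoded, true);
         }
         $this->value[$varName] = $varValue;
     }
 }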
Exemple #20
<?php

// Theme admin page: run the upgrade check, save the submitted options, then show the form.
global $conf;
include PHPWG_THEMES_PATH . 'elegant/admin/upgrade.inc.php';
load_language('theme.lang', PHPWG_THEMES_PATH . 'elegant/');
$config_send = array();
if (isset($_POST['submit_elegant'])) {
    // An empty or missing field falls back to the option's default.
    // NOTE(review): the posted values are stored as submitted, and no form-token
    // check is visible in this snippet. Confirm the including page verifies one,
    // and consider accepting only the expected 'on'/'off' values.
    $config_send = array(
        'p_main_menu' => !empty($_POST['p_main_menu']) ? $_POST['p_main_menu'] : 'on',
        'p_pict_descr' => !empty($_POST['p_pict_descr']) ? $_POST['p_pict_descr'] : 'on',
        'p_pict_comment' => !empty($_POST['p_pict_comment']) ? $_POST['p_pict_comment'] : 'off',
    );
    conf_update_param('elegant', $config_send, true);
    array_push($page['infos'], l10n('Information data registered in database'));
}
$template->set_filenames(array('theme_admin_content' => dirname(__FILE__) . '/admin.tpl'));
// The options reach the template decoded from the stored configuration.
$stored_options = safe_unserialize($conf['elegant']);
$template->assign('options', $stored_options);
$template->assign_var_from_handle('ADMIN_CONTENT', 'theme_admin_content');
 /**
  * Render the outcome of the one-click update: the HTTPS error page, the HTTP
  * error page with the collected feedback messages, or the success page.
  *
  * NOTE(review): no access check is visible in this method; presumably it is
  * enforced elsewhere. Confirm. 'messages' is request data that is
  * unsanitized again and then passed to safe_unserialize(), so the template
  * must escape feedbackMessages on output.
  *
  * @return string whatever View::render() produces for the selected template
  */
 public function oneClickResults()
 {
     $httpsFailed = (bool) Common::getRequestVar('httpsFail', 0, 'int', $_POST);
     $errorText = Common::getRequestVar('error', '', 'string', $_POST);

     if ($httpsFailed) {
         $view = new View('@CoreUpdater/updateHttpsError');
         $view->error = $errorText;
     } else {
         if ($errorText) {
             $view = new View('@CoreUpdater/updateHttpError');
             $view->error = $errorText;
             // Feedback arrives serialized in the POST body.
             $serializedMessages = Common::getRequestVar('messages', '', 'string', $_POST);
             $view->feedbackMessages = safe_unserialize(Common::unsanitizeInputValue($serializedMessages));
         } else {
             $view = new View('@CoreUpdater/updateSuccess');
         }
     }

     $this->addCustomLogoInfo($view);
     $this->setBasicVariablesView($view);

     return $view->render();
 }
// Refuse direct requests: this file only makes sense when Piwigo includes it.
if (!defined('PHPWG_ROOT_PATH')) {
    die('Hacking attempt!');
}
// The paths below hard-code the folder name, so report a wrong one and stop loading.
if (basename(dirname(__FILE__)) != 'GuestBook') {
    function guestbook_error()
    {
        global $page;
        $page['errors'][] = 'GuestBook folder name is incorrect, uninstall the plugin and rename it to "GuestBook"';
    }
    add_event_handler('init', 'guestbook_error');
    return;
}
global $conf, $prefixeTable;
define('GUESTBOOK_PATH', PHPWG_PLUGINS_PATH . 'GuestBook/');
define('GUESTBOOK_TABLE', $prefixeTable . 'guestbook');
define('GUESTBOOK_ADMIN', get_root_url() . 'admin.php?page=plugin-GuestBook');
define('GUESTBOOK_URL', get_absolute_root_url() . make_index_url(array('section' => 'guestbook')));
// The plugin settings are stored serialized; decode them once for the rest of the request.
$conf['guestbook'] = safe_unserialize($conf['guestbook']);
include_once GUESTBOOK_PATH . 'include/events.inc.php';
add_event_handler('loading_lang', 'guestbook_loading_lang');
if (!defined('IN_ADMIN')) {
    // Public side: section and index hooks.
    add_event_handler('loc_end_section_init', 'gb_section_init');
    add_event_handler('loc_end_index', 'gb_index');
} else {
    add_event_handler('get_admin_plugin_menu_links', 'gb_admin_menu');
}
// NOTE(review): this indexes the decoded settings directly; it assumes
// safe_unserialize() returned an array. Confirm what it returns on failure.
if ($conf['guestbook']['menu_link']) {
    add_event_handler('blockmanager_apply', 'gb_menubar_apply', EVENT_HANDLER_PRIORITY_NEUTRAL + 10);
}
/**
 * 'loading_lang' handler: load the GuestBook language file from the plugin folder.
 */
function guestbook_loading_lang()
{
    $language_file = 'plugin.lang';
    load_language($language_file, GUESTBOOK_PATH);
}
Exemple #23
/**
 * Load the plugin's language file, then decode the stored sortorders settings
 * in place.
 *
 * $conf['sortorders'] holds the serialized form on entry and the result of
 * safe_unserialize() afterwards.
 */
function sortorders_init()
{
    global $conf;

    load_language('plugin.lang', SORTORDERS_PATH);

    $stored_settings = $conf['sortorders'];
    $conf['sortorders'] = safe_unserialize($stored_settings);
}
Exemple #24
// Refuse direct requests: this file only makes sense when Piwigo includes it.
if (!defined('PHPWG_ROOT_PATH')) {
    die('Hacking attempt!');
}
// The paths below hard-code the folder name, so report a wrong one and stop loading.
if (basename(dirname(__FILE__)) != 'flickr2piwigo') {
    function flickr_error()
    {
        global $page;
        $page['errors'][] = 'Flickr2Piwigo folder name is incorrect, uninstall the plugin and rename it to "flickr2piwigo"';
    }
    add_event_handler('init', 'flickr_error');
    return;
}
global $conf;
define('FLICKR_PATH', PHPWG_PLUGINS_PATH . 'flickr2piwigo/');
define('FLICKR_ADMIN', get_root_url() . 'admin.php?page=plugin-flickr2piwigo');
define('FLICKR_FS_CACHE', PHPWG_ROOT_PATH . $conf['data_location'] . 'flickr_cache/');
include_once FLICKR_PATH . 'include/ws_functions.inc.php';
// The plugin settings are stored serialized; decode them once for the rest of the request.
$stored_settings = $conf['flickr2piwigo'];
$conf['flickr2piwigo'] = safe_unserialize($stored_settings);
add_event_handler('ws_add_methods', 'flickr_add_ws_method');
if (defined('IN_ADMIN')) {
    add_event_handler('get_admin_plugin_menu_links', 'flickr_admin_menu');
    add_event_handler('get_batch_manager_prefilters', 'flickr_add_batch_manager_prefilters');
    add_event_handler('perform_batch_manager_prefilters', 'flickr_perform_batch_manager_prefilters', EVENT_HANDLER_PRIORITY_NEUTRAL, 2);
    /**
     * 'get_admin_plugin_menu_links' handler: append the plugin's admin page.
     *
     * @param array $menu existing menu entries
     * @return array the same entries followed by the Flickr2Piwigo entry
     */
    function flickr_admin_menu($menu)
    {
        $entry = array('NAME' => 'Flickr2Piwigo', 'URL' => FLICKR_ADMIN);
        $menu[] = $entry;

        return $menu;
    }
    /**
     * 'get_batch_manager_prefilters' handler: append the "Imported from Flickr"
     * prefilter.
     *
     * @param array $prefilters existing prefilter definitions
     * @return array the same definitions followed by the 'flickr' prefilter
     */
    function flickr_add_batch_manager_prefilters($prefilters)
    {
        $label = l10n('Imported from Flickr');
        $prefilters[] = array('ID' => 'flickr', 'NAME' => $label);

        return $prefilters;
    }
<?php

/*
Plugin Name: Forecast
Version: 2.7.b
Description: Forecast.io integration for Piwigo
Plugin URI: http://piwigo.org/ext/extension_view.php?eid=795
Author: xbmgsharp
Author URI: https://github.com/xbgmsharp/piwigo-forecast
*/
// Check that we are indeed included by Piwigo; refuse direct requests.
defined('PHPWG_ROOT_PATH') or die('Hacking attempt!');
// Define the path to our plugin, derived from the folder this file lives in.
define('FORECAST_PATH', PHPWG_PLUGINS_PATH . basename(dirname(__FILE__)) . '/');
global $conf;
// The plugin settings are stored serialized; decode them once for the rest of the request.
$conf['forecast_conf'] = safe_unserialize($conf['forecast_conf']);
if (defined('IN_ADMIN')) {
    // Admin side: run the admin initialisation.
    include_once dirname(__FILE__) . '/admin/admin_boot.php';
} else {
    // Public side: register the picture page handlers.
    include_once dirname(__FILE__) . '/picture.inc.php';
}
Exemple #26
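/**
 * Work out who is making this request and fill $user_info and $user_settings.
 *
 * The member id is taken, in this order, from the 'integrate_verify_user' hook,
 * the login cookie, or the session. Unless the hook vouched for the member,
 * the password hash carried by the cookie or session must match
 * sha1(passwd . password_salt) from the member row and the account must be
 * activated; otherwise the request is treated as a guest and
 * validatePasswordFlood() is called.
 *
 * Also builds the SQL fragments $user_info['query_see_board'] and
 * $user_info['query_wanna_see_board'].
 */
function loadUserSettings()
{
    global $modSettings, $user_settings, $sourcedir, $smcFunc;
    global $cookiename, $user_info, $language;
    // Check first the integration, then the cookie, and last the session.
    if (count($integration_ids = call_integration_hook('integrate_verify_user')) > 0) {
        $id_member = 0;
        foreach ($integration_ids as $integration_id) {
            $integration_id = (int) $integration_id;
            if ($integration_id > 0) {
                $id_member = $integration_id;
                $already_verified = true;
                break;
            }
        }
    } else {
        $id_member = 0;
    }
    if (empty($id_member) && isset($_COOKIE[$cookiename])) {
        // Fix a security hole in PHP 4.3.9 and below...
        // The pattern admits exactly one shape: an array of three or four scalar
        // entries. Anything else in the cookie never reaches the unserializer.
        if (preg_match('~^a:[34]:\\{i:0;(i:\\d{1,6}|s:[1-8]:"\\d{1,8}");i:1;s:(0|40):"([a-fA-F0-9]{40})?";i:2;[id]:\\d{1,14};(i:3;i:\\d;)?\\}$~i', $_COOKIE[$cookiename]) == 1) {
            list($id_member, $password) = safe_unserialize($_COOKIE[$cookiename]);
            $id_member = !empty($id_member) && strlen($password) > 0 ? (int) $id_member : 0;
        } else {
            $id_member = 0;
        }
    } elseif (empty($id_member) && isset($_SESSION['login_' . $cookiename]) && ($_SESSION['USER_AGENT'] == $_SERVER['HTTP_USER_AGENT'] || !empty($modSettings['disableCheckUA']))) {
        // !!! Perhaps we can do some more checking on this, such as on the first octet of the IP?
        list($id_member, $password, $login_span) = safe_unserialize($_SESSION['login_' . $cookiename]);
        $id_member = !empty($id_member) && strlen($password) == 40 && $login_span > time() ? (int) $id_member : 0;
    }
    // Only load this stuff if the user isn't a guest.
    if ($id_member != 0) {
        // Is the member data cached?
        if (empty($modSettings['cache_enable']) || $modSettings['cache_enable'] < 2 || ($user_settings = cache_get_data('user_settings-' . $id_member, 60)) == null) {
            $request = $smcFunc['db_query']('', '
				SELECT mem.*, IFNULL(a.id_attach, 0) AS id_attach, a.filename, a.attachment_type
				FROM {db_prefix}members AS mem
					LEFT JOIN {db_prefix}attachments AS a ON (a.id_member = {int:id_member})
				WHERE mem.id_member = {int:id_member}
				LIMIT 1', array('id_member' => $id_member));
            $user_settings = $smcFunc['db_fetch_assoc']($request);
            $smcFunc['db_free_result']($request);
            if (!empty($modSettings['cache_enable']) && $modSettings['cache_enable'] >= 2) {
                cache_put_data('user_settings-' . $id_member, $user_settings, 60);
            }
        }
        // Did we find 'im?  If not, junk it.
        if (!empty($user_settings)) {
            // As much as the password should be right, we can assume the integration set things up.
            if (!empty($already_verified) && $already_verified === true) {
                $check = true;
            } elseif (strlen($password) == 40) {
                // Compare the digests as strings. With == two hex digests that both read
                // as numbers in exponent form (0e followed only by digits) are equal.
                // Where hash_equals() is available (PHP 5.6+) it is the better choice,
                // because it also compares in constant time.
                $check = sha1($user_settings['passwd'] . $user_settings['password_salt']) === $password;
            } else {
                $check = false;
            }
            // Wrong password or not activated - either way, you're going nowhere.
            $id_member = $check && ($user_settings['is_activated'] == 1 || $user_settings['is_activated'] == 11) ? $user_settings['id_member'] : 0;
        } else {
            $id_member = 0;
        }
        // If we no longer have the member maybe they're being all hackey, stop brute force!
        if (!$id_member) {
            require_once $sourcedir . '/LogInOut.php';
            validatePasswordFlood(!empty($user_settings['id_member']) ? $user_settings['id_member'] : $id_member, !empty($user_settings['passwd_flood']) ? $user_settings['passwd_flood'] : false, $id_member != 0);
        }
    }
    // Found 'im, let's set up the variables.
    if ($id_member != 0) {
        // Let's not update the last visit time in these cases...
        // 1. SSI doesn't count as visiting the forum.
        // 2. RSS feeds and XMLHTTP requests don't count either.
        // 3. If it was set within this session, no need to set it again.
        // 4. New session, yet updated < five hours ago? Maybe cache can help.
        if (SMF != 'SSI' && !isset($_REQUEST['xml']) && (!isset($_REQUEST['action']) || $_REQUEST['action'] != '.xml') && empty($_SESSION['id_msg_last_visit']) && (empty($modSettings['cache_enable']) || ($_SESSION['id_msg_last_visit'] = cache_get_data('user_last_visit-' . $id_member, 5 * 3600)) === null)) {
            // Do a quick query to make sure this isn't a mistake.
            $result = $smcFunc['db_query']('', '
				SELECT poster_time
				FROM {db_prefix}messages
				WHERE id_msg = {int:id_msg}
				LIMIT 1', array('id_msg' => $user_settings['id_msg_last_visit']));
            list($visitTime) = $smcFunc['db_fetch_row']($result);
            $smcFunc['db_free_result']($result);
            $_SESSION['id_msg_last_visit'] = $user_settings['id_msg_last_visit'];
            // If it was *at least* five hours ago...
            if ($visitTime < time() - 5 * 3600) {
                updateMemberData($id_member, array('id_msg_last_visit' => (int) $modSettings['maxMsgID'], 'last_login' => time(), 'member_ip' => $_SERVER['REMOTE_ADDR'], 'member_ip2' => $_SERVER['BAN_CHECK_IP']));
                $user_settings['last_login'] = time();
                if (!empty($modSettings['cache_enable']) && $modSettings['cache_enable'] >= 2) {
                    cache_put_data('user_settings-' . $id_member, $user_settings, 60);
                }
                if (!empty($modSettings['cache_enable'])) {
                    cache_put_data('user_last_visit-' . $id_member, $_SESSION['id_msg_last_visit'], 5 * 3600);
                }
            }
        } elseif (empty($_SESSION['id_msg_last_visit'])) {
            $_SESSION['id_msg_last_visit'] = $user_settings['id_msg_last_visit'];
        }
        $username = $user_settings['member_name'];
        if (empty($user_settings['additional_groups'])) {
            $user_info = array('groups' => array($user_settings['id_group'], $user_settings['id_post_group']));
        } else {
            $user_info = array('groups' => array_merge(array($user_settings['id_group'], $user_settings['id_post_group']), explode(',', $user_settings['additional_groups'])));
        }
        // Because history has proven that it is possible for groups to go bad - clean up in case.
        // The group ids are concatenated into query_see_board below, so they must be integers.
        foreach ($user_info['groups'] as $k => $v) {
            $user_info['groups'][$k] = (int) $v;
        }
        // This is a logged in user, so definitely not a spider.
        $user_info['possibly_robot'] = false;
    } else {
        // This is what a guest's variables should be.
        $username = '';
        $user_info = array('groups' => array(-1));
        $user_settings = array();
        if (isset($_COOKIE[$cookiename])) {
            $_COOKIE[$cookiename] = '';
        }
        // Do we perhaps think this is a search robot? Check every five minutes just in case...
        if ((!empty($modSettings['spider_mode']) || !empty($modSettings['spider_group'])) && (!isset($_SESSION['robot_check']) || $_SESSION['robot_check'] < time() - 300)) {
            require_once $sourcedir . '/ManageSearchEngines.php';
            $user_info['possibly_robot'] = SpiderCheck();
        } elseif (!empty($modSettings['spider_mode'])) {
            $user_info['possibly_robot'] = isset($_SESSION['id_robot']) ? $_SESSION['id_robot'] : 0;
        } else {
            $ci_user_agent = strtolower($_SERVER['HTTP_USER_AGENT']);
            $user_info['possibly_robot'] = strpos($_SERVER['HTTP_USER_AGENT'], 'Mozilla') === false && strpos($_SERVER['HTTP_USER_AGENT'], 'Opera') === false || strpos($ci_user_agent, 'googlebot') !== false || strpos($ci_user_agent, 'slurp') !== false || strpos($ci_user_agent, 'crawl') !== false;
        }
    }
    // Set up the $user_info array.
    $user_info += array('id' => $id_member, 'username' => $username, 'name' => isset($user_settings['real_name']) ? $user_settings['real_name'] : '', 'email' => isset($user_settings['email_address']) ? $user_settings['email_address'] : '', 'passwd' => isset($user_settings['passwd']) ? $user_settings['passwd'] : '', 'language' => empty($user_settings['lngfile']) || empty($modSettings['userLanguage']) ? $language : $user_settings['lngfile'], 'is_guest' => $id_member == 0, 'is_admin' => in_array(1, $user_info['groups']), 'theme' => empty($user_settings['id_theme']) ? 0 : $user_settings['id_theme'], 'last_login' => empty($user_settings['last_login']) ? 0 : $user_settings['last_login'], 'ip' => $_SERVER['REMOTE_ADDR'], 'ip2' => $_SERVER['BAN_CHECK_IP'], 'posts' => empty($user_settings['posts']) ? 0 : $user_settings['posts'], 'time_format' => empty($user_settings['time_format']) ? $modSettings['time_format'] : $user_settings['time_format'], 'time_offset' => empty($user_settings['time_offset']) ? 0 : $user_settings['time_offset'], 'avatar' => array('url' => isset($user_settings['avatar']) ? $user_settings['avatar'] : '', 'filename' => empty($user_settings['filename']) ? '' : $user_settings['filename'], 'custom_dir' => !empty($user_settings['attachment_type']) && $user_settings['attachment_type'] == 1, 'id_attach' => isset($user_settings['id_attach']) ? $user_settings['id_attach'] : 0), 'smiley_set' => isset($user_settings['smiley_set']) ? $user_settings['smiley_set'] : '', 'messages' => empty($user_settings['instant_messages']) ? 0 : $user_settings['instant_messages'], 'unread_messages' => empty($user_settings['unread_messages']) ? 0 : $user_settings['unread_messages'], 'total_time_logged_in' => empty($user_settings['total_time_logged_in']) ? 0 : $user_settings['total_time_logged_in'], 'buddies' => !empty($modSettings['enable_buddylist']) && !empty($user_settings['buddy_list']) ? 
explode(',', $user_settings['buddy_list']) : array(), 'ignoreboards' => !empty($user_settings['ignore_boards']) && !empty($modSettings['allow_ignore_boards']) ? explode(',', $user_settings['ignore_boards']) : array(), 'ignoreusers' => !empty($user_settings['pm_ignore_list']) ? explode(',', $user_settings['pm_ignore_list']) : array(), 'warning' => isset($user_settings['warning']) ? $user_settings['warning'] : 0, 'permissions' => array(), 'ldap_user' => isset($user_settings['ldap_user']) && $user_settings['ldap_user'] == true);
    $user_info['groups'] = array_unique($user_info['groups']);
    // Make sure that the last item in the ignore boards array is valid.  If the list was too long it could have an ending comma that could cause problems.
    if (!empty($user_info['ignoreboards']) && empty($user_info['ignoreboards'][$tmp = count($user_info['ignoreboards']) - 1])) {
        unset($user_info['ignoreboards'][$tmp]);
    }
    // Do we have any languages to validate this?
    if (!empty($modSettings['userLanguage']) && (!empty($_GET['language']) || !empty($_SESSION['language']))) {
        $languages = getLanguages();
    }
    // Allow the user to change their language if its valid.
    // The requested name has path characters replaced and must be a key of the
    // list returned by getLanguages() before it is accepted.
    if (!empty($modSettings['userLanguage']) && !empty($_GET['language']) && isset($languages[strtr($_GET['language'], './\\:', '____')])) {
        $user_info['language'] = strtr($_GET['language'], './\\:', '____');
        $_SESSION['language'] = $user_info['language'];
    } elseif (!empty($modSettings['userLanguage']) && !empty($_SESSION['language']) && isset($languages[strtr($_SESSION['language'], './\\:', '____')])) {
        $user_info['language'] = strtr($_SESSION['language'], './\\:', '____');
    }
    // Just build this here, it makes it easier to change/use - administrators can see all boards.
    if ($user_info['is_admin']) {
        $user_info['query_see_board'] = '1=1';
    } else {
        $user_info['query_see_board'] = '(FIND_IN_SET(' . implode(', b.member_groups) != 0 OR FIND_IN_SET(', $user_info['groups']) . ', b.member_groups) != 0' . (isset($user_info['mod_cache']) ? ' OR ' . $user_info['mod_cache']['mq'] : '') . ')';
    }
    // Build the list of boards they WANT to see.
    // This will take the place of query_see_boards in certain spots, so it better include the boards they can see also
    // If they aren't ignoring any boards then they want to see all the boards they can see
    if (empty($user_info['ignoreboards'])) {
        $user_info['query_wanna_see_board'] = $user_info['query_see_board'];
    } else {
        // NOTE(review): unlike the group ids, the ignore_boards entries are taken from
        // the member row and concatenated here without an integer cast. Confirm that
        // the code writing that column only ever stores integers.
        $user_info['query_wanna_see_board'] = '(' . $user_info['query_see_board'] . ' AND b.id_board NOT IN (' . implode(',', $user_info['ignoreboards']) . '))';
    }
}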
Exemple #27
<?php

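// Refuse direct requests: this file only makes sense when Piwigo includes it.
if (!defined('PHPWG_ROOT_PATH')) {
    die('Hacking attempt!');
}
global $prefixeTable, $conf;
// Make sure the stored 'elegant' settings exist and hold exactly the three known options.
if (!isset($conf['elegant'])) {
    // First run: store the defaults.
    $config = array('p_main_menu' => 'on', 'p_pict_descr' => 'on', 'p_pict_comment' => 'off');
    conf_update_param('elegant', $config, true);
} else {
    // Decode once and check the type before counting: a stored value that does not
    // decode to an array makes count() emit a warning or, on PHP 8, throw.
    $conff = safe_unserialize($conf['elegant']);
    if (!is_array($conff)) {
        // Treat an undecodable value like an empty one so every option gets its default.
        $conff = array();
    }
    if (count($conff) != 3) {
        // Keep the options that are present and fill in the missing ones.
        $config = array('p_main_menu' => isset($conff['p_main_menu']) ? $conff['p_main_menu'] : 'on', 'p_pict_descr' => isset($conff['p_pict_descr']) ? $conff['p_pict_descr'] : 'on', 'p_pict_comment' => isset($conff['p_pict_comment']) ? $conff['p_pict_comment'] : 'off');
        conf_update_param('elegant', $config, true);
    }
}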
Exemple #28
/*
Plugin Name: CDNPlus
Version: 2.7.c
Description: CDN integration for Piwigo
Plugin URI: http://piwigo.org/ext/extension_view.php?eid=788
Author: xbmgsharp
Author URI: https://github.com/xbgmsharp/piwigo-cdnplus
*/
// Stop here unless this file was included by Piwigo (direct requests are refused).
if (defined('PHPWG_ROOT_PATH') === false) {
    exit('Hacking attempt!');
}
global $conf;
// Replace the stored, serialized plugin settings with their decoded form.
// NOTE(review): safe_unserialize() is defined elsewhere; the decoded value is
// not checked to be an array here, later readers only use empty() on it.
$conf['cdnplus_conf'] = safe_unserialize($conf['cdnplus_conf']);
// Register the callback that adds CDNPlus to the admin 'Plugins' menu.
add_event_handler('get_admin_plugin_menu_links', 'cdnplus_admin_menu');
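/**
 * Event handler for 'get_admin_plugin_menu_links': appends the CDNPlus entry
 * to the admin plugin menu.
 *
 * When the CDN is enabled but no host is configured for 'cdn_1', an error
 * message is queued in $page['errors'] on the 'intro' and 'plugins_list' pages.
 *
 * @param array $menu Menu entries collected so far.
 * @return array The menu with the CDNPlus entry appended.
 */
function cdnplus_admin_menu($menu)
{
    global $page, $conf;
    $cdn_enabled = !empty($conf['cdnplus_conf']['cdn_enabled']);
    $host_missing = empty($conf['cdnplus_conf']['cdn_1']['host']);
    // isset() avoids an undefined-index notice; the strict flag keeps a
    // non-string page value from loosely matching one of the page names.
    $on_overview_page = isset($page['page']) && in_array($page['page'], array('intro', 'plugins_list'), true);
    if ($cdn_enabled && $host_missing && $on_overview_page) {
        $page['errors'][] = l10n('You need to set your CDN host');
    }
    // The previously computed but never used $admin_url local was dropped.
    // The URL expression itself is kept exactly as it was.
    $menu[] = array('NAME' => 'CDNPlus', 'URL' => get_admin_plugin_menu_link(dirname(__FILE__)) . '/admin.php');
    return $menu;
}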
//add_event_handler('loc_end_picture', 'cdnplus_debug', EVENT_HANDLER_PRIORITY_NEUTRAL, 4);
// Add event handler if CDNPlus enable
if (!empty($conf['cdnplus_conf']['cdn_enabled']) and !defined('IN_ADMIN')) {
Exemple #29
 /**
  * Builds the '@CoreUpdater/oneClickResults' view from POST data and returns
  * its rendered output.
  *
  * Both 'error' and 'messages' are read from $_POST, so they are controlled
  * by the client that submits the request.
  *
  * @return mixed Whatever View::render() returns.
  */
 public function oneClickResults()
 {
     $view = new View('@CoreUpdater/oneClickResults');
     $view->coreError = Common::getRequestVar('error', '', 'string', $_POST);
     $postedMessages = Common::getRequestVar('messages', '', 'string', $_POST);
     // The serialized payload is un-sanitized before decoding; presumably this
     // reverses the escaping applied by getRequestVar() (confirm).
     $serializedMessages = Common::unsanitizeInputValue($postedMessages);
     // NOTE(review): the decoded structure comes straight from the request.
     // safe_unserialize() is used rather than unserialize(), but the result is
     // not type-checked here and the template must escape every message it
     // prints (confirm in the template).
     $view->feedbackMessages = safe_unserialize($serializedMessages);
     $this->addCustomLogoInfo($view);
     return $view->render();
 }
Exemple #30
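/**
 * Sets (or clears) the login cookie and moves the user to a fresh session ID.
 *
 * The cookie value is a serialized array of (id, password, expiry time,
 * cookie state); when $id is empty it is array(0, '', 0) instead. An existing
 * cookie that was set under a different local/global cookie state is expired
 * first. The cookie is repeated for every alias in
 * $modSettings['forum_alias_urls'].
 *
 * NOTE(review): $password is written into the cookie as given. The validation
 * pattern below only accepts a 40-character hex string there, so this is
 * presumably a hash rather than the plain password (confirm with callers).
 * NOTE(review): every setcookie() call passes six arguments, so the HttpOnly
 * flag is never set, and Secure depends on $modSettings['secureCookies'].
 *
 * @param int $cookie_length Lifetime in seconds, added to time().
 * @param mixed $id Member id; an empty value clears the login data.
 * @param string $password Value stored as the second cookie element.
 * @return void
 */
function setLoginCookie($cookie_length, $id, $password = '')
{
    global $cookiename, $boardurl, $modSettings;
    // If changing state force them to re-address some permission caching.
    $_SESSION['mc']['time'] = 0;
    // The cookie may already exist, and have been set with different options.
    // Bit 1 = local cookies, bit 2 = global cookies.
    $cookie_state = (empty($modSettings['localCookies']) ? 0 : 1) | (empty($modSettings['globalCookies']) ? 0 : 2);
    // The cookie is client-controlled: only decode it when it matches the exact
    // expected shape (a 3- or 4-element array of integers and short strings).
    if (isset($_COOKIE[$cookiename]) && preg_match('~^a:[34]:\\{i:0;(i:\\d{1,6}|s:[1-8]:"\\d{1,8}");i:1;s:(0|40):"([a-fA-F0-9]{40})?";i:2;[id]:\\d{1,14};(i:3;i:\\d;)?\\}$~', $_COOKIE[$cookiename]) === 1) {
        $array = safe_unserialize($_COOKIE[$cookiename]);
        // Out with the old, in with the new!
        if (isset($array[3]) && $array[3] != $cookie_state) {
            // Parenthesised on purpose: '>' binds tighter than '&', so the
            // unparenthesised form tested bit 1 for both arguments and never
            // looked at the global-cookies bit.
            $cookie_url = url_parts(($array[3] & 1) > 0, ($array[3] & 2) > 0);
            setcookie($cookiename, serialize(array(0, '', 0)), time() - 3600, $cookie_url[1], $cookie_url[0], !empty($modSettings['secureCookies']));
        }
    }
    // Get the data and path to set it on.
    $data = serialize(empty($id) ? array(0, '', 0) : array($id, $password, time() + $cookie_length, $cookie_state));
    $cookie_url = url_parts(!empty($modSettings['localCookies']), !empty($modSettings['globalCookies']));
    // Set the cookie, $_COOKIE, and session variable.
    setcookie($cookiename, $data, time() + $cookie_length, $cookie_url[1], $cookie_url[0], !empty($modSettings['secureCookies']));
    // If subdomain-independent cookies are on, unset the subdomain-dependent cookie too.
    if (empty($id) && !empty($modSettings['globalCookies'])) {
        setcookie($cookiename, $data, time() + $cookie_length, $cookie_url[1], '', !empty($modSettings['secureCookies']));
    }
    // Any alias URLs?  This is mainly for use with frames, etc.
    if (!empty($modSettings['forum_alias_urls'])) {
        $aliases = explode(',', $modSettings['forum_alias_urls']);
        $temp = $boardurl;
        foreach ($aliases as $alias) {
            // Fake the $boardurl so we can set a different cookie.
            $alias = strtr(trim($alias), array('http://' => '', 'https://' => ''));
            $boardurl = 'http://' . $alias;
            $cookie_url = url_parts(!empty($modSettings['localCookies']), !empty($modSettings['globalCookies']));
            if ($cookie_url[0] == '') {
                $cookie_url[0] = strtok($alias, '/');
            }
            setcookie($cookiename, $data, time() + $cookie_length, $cookie_url[1], $cookie_url[0], !empty($modSettings['secureCookies']));
        }
        // Restore the real board URL that was swapped out inside the loop.
        $boardurl = $temp;
    }
    $_COOKIE[$cookiename] = $data;
    // Make sure the user logs in with a new session ID, so that a session ID
    // known before login is not carried over into the authenticated session.
    if (!isset($_SESSION['login_' . $cookiename]) || $_SESSION['login_' . $cookiename] !== $data) {
        // Backup and remove the old session.
        $oldSessionData = $_SESSION;
        $_SESSION = array();
        session_destroy();
        // Recreate and restore the new session.
        loadSession();
        session_regenerate_id();
        $_SESSION = $oldSessionData;
        // Version 4.3.2 didn't store the cookie of the new session.
        if (version_compare(PHP_VERSION, '4.3.2') === 0) {
            $sessionCookieLifetime = @ini_get('session.cookie_lifetime');
            setcookie(session_name(), session_id(), time() + (empty($sessionCookieLifetime) ? $cookie_length : $sessionCookieLifetime), $cookie_url[1], $cookie_url[0], !empty($modSettings['secureCookies']));
        }
        $_SESSION['login_' . $cookiename] = $data;
    }
}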