} $APPL = array( 't' => $JSON['t'] , 'api' => $JSON['api'] ? $JSON['api'] : null , 'url' => $JSON['url'] ? $JSON['url'] : null , 'hdc' => $JSON['hdc'] ? intval($JSON['hdc']) : 0, 'app' => $JSON['app'] ? $JSON['app'] : null , 'act' => $JSON['act'] ? $JSON['act'] : 'main', 'apiFile'=> false ) ; if ($APPL['url']) { $APPL['url']=rtrim($APPL['url'],'/'); $APPL['file'] = WGParseURI($APPL['url']); if ($APPL['file']!==false and !WGisAllowed($APPL['file']['path'])) FatalError("Access denied"); } else $APPL['file'] = null; if ($APPL['file']===false) FatalError("Invalid file name"); if ($APPL['file']) WGProcMIME(); if ($JSON['t']==AJ_SYSTEM) { $APPL['isRAW'] = true; $APPL['isAPI'] = 'bin/system'; } if ($APPL['isAPI']) { if (!$APPL['api'] or $APPL['api']=='') FatalError("API name requested"); if (!preg_match('/^[a-zA-Z0-9\_\-]{1,40}$/',$APPL['api'])) FatalError("Invalid API name"); $f = $APPL['isAPI'].'/'. $APPL['api']. '.php'; $f = WGParseFile($f);
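/**
 * Validates submitted form values against a form definition and normalises them in place.
 *
 * Walks `$obj['obj']`, the list of field definitions. Every entry with a name (`n`) is
 * checked against `$data[n]` according to its type (`t`), its optional flag (`f`), its
 * per-type parameters (`par`) and an optional regular expression (`reg`). Several types
 * rewrite `$data[n]` with a normalised value: `int`/`float` are cast, `time` becomes
 * minutes since midnight, `date` becomes a UTC timestamp (gmmktime), `mail` becomes the
 * sanitised address and `image` becomes the `w` entry returned by WGParseFile().
 * Field types registered in `$MODULES['form']` are delegated to `EWGMOD_FORM_<type>_OnCheck`.
 *
 * @param array $obj  Form definition; `$obj['captchas']` collects the ids of captchas consumed.
 * @param array $data Submitted values keyed by field name; normalised in place.
 * @return string|false Name of the first field that failed validation, or false if all passed.
 */
function WGFormCheck(&$obj, &$data)
{
    global $MODULES;

    foreach ($obj['obj'] as $li) {
        if (!isset($li['n'])) continue;

        $K = $li['n'];
        $T = isset($li['t']) ? $li['t'] : null;
        $V = isset($data[$K]) ? $data[$K] : null;
        $optional = !empty($li['f']);

        // Module-provided field types do their own checking. The array element (not $V) is
        // passed so a hook declared by-reference can normalise $data[$K] in place — confirm
        // against the EWGMOD_FORM_*_OnCheck signatures; a missing key yields null here.
        if (!empty($MODULES['form'][$T])) {
            $hook = "EWGMOD_FORM_{$T}_OnCheck";
            if ($hook($li, $data[$K])) return $K;
            continue;
        }

        // Presence: a required field must be set and non-empty; an empty optional field passes untouched.
        if (!$optional and ($V === null or $V === '')) return $K;
        if ($optional and ($V === null or $V === '')) continue;

        // Only 'font' legitimately receives an array. For every other type a non-scalar value
        // cannot be valid, and would make strlen()/preg_match() below throw on PHP 8.
        if ($T !== 'font' and !is_scalar($V)) return $K;

        if (is_scalar($V)) {
            $S = (string)$V;
            // lmin/lmax are byte lengths (strlen), as in the original definition format.
            if (!empty($li['par']['lmin']) and strlen($S) < $li['par']['lmin']) return $K;
            if (!empty($li['par']['lmax']) and strlen($S) > $li['par']['lmax']) return $K;
            // 'reg' comes from the form definition, not from the request. It is wrapped in '/'
            // delimiters, so the definition must not contain an unescaped '/'.
            if (!empty($li['reg']) and !preg_match('/' . $li['reg'] . '/', $S)) return $K;
        }

        switch ($T) {
            case 'int':
                // Digits only (max 16): rejects signs, whitespace and exponent forms that is_numeric() alone accepts.
                if (!is_numeric($V) or !preg_match('/^[0-9]{1,16}$/', (string)$V)) return $K;
                if (isset($li['par']['min']) and $V < $li['par']['min']) return $K;
                if (isset($li['par']['max']) and $V > $li['par']['max']) return $K;
                $data[$K] = intval($V);
                break;

            case 'float':
                if (!is_numeric($V)) return $K;
                if (isset($li['par']['min']) and $V < $li['par']['min']) return $K;
                if (isset($li['par']['max']) and $V > $li['par']['max']) return $K;
                $data[$K] = floatval($V);
                break;

            case 'image':
                $V = WGParseFile($V, true);
                if ($V === false or !WGisAllowed($V['w'])) return $K;
                // Presumably F = existing file, D = directory (WGParseFile() result) — confirm.
                if (empty($V['F']) or !empty($V['D'])) return $K;
                if (isset($li['par']['path'])) {
                    // Whitelist of parent directories, given as a comma-separated list.
                    $dirs = array();
                    foreach (explode(',', $li['par']['path']) as $p) {
                        $p = trim($p, '/ ');
                        if ($p !== '') $dirs[] = "/$p";
                    }
                    // Exact, strict match: a substring search over a joined list can match
                    // across two adjacent entries.
                    if (!isset($V['dirname']) or !in_array($V['dirname'], $dirs, true)) return $K;
                }
                if (isset($li['par']['type'])) {
                    // Whitelist of extensions, comma-separated, leading dots tolerated.
                    $exts = array();
                    foreach (explode(',', $li['par']['type']) as $e) {
                        $e = trim($e, ". \r\n");
                        if ($e !== '') $exts[] = $e;
                    }
                    if (!isset($V['extension']) or !in_array($V['extension'], $exts, true)) return $K;
                }
                $data[$K] = $V['w'];
                break;

            case 'enum':
                // Allowed values are the part after the first '.' of each dotted key in 'par'.
                // The accumulator must not share its name with the foreach value variable.
                $allowed = array();
                $par = (isset($li['par']) and is_array($li['par'])) ? $li['par'] : array();
                foreach ($par as $pk => $pv) {
                    $pk = (string)$pk;
                    if (strpos($pk, '.') === false) continue;
                    $kv = explode('.', $pk, 2);
                    $allowed[$kv[1]] = true;
                }
                if (!(is_string($V) or is_int($V)) or empty($allowed[$V])) return $K;
                break;

            case 'time':
                // "H:M" (minutes optional) -> minutes since midnight. intval() is lenient: a
                // non-numeric part becomes 0, so "ab:cd" is accepted as 00:00 (kept for compatibility).
                list($h, $min) = explode(':', $V . ':', 2);
                $h = intval($h);
                $min = intval($min);
                if ($h < 0 or $h > 23 or $min < 0 or $min > 59) return $K;
                $data[$K] = ($h * 60) + $min;
                break;

            case 'date':
                // 'par.ord' holds the positions of day, month and year within the '/'-separated value.
                if (!isset($li['par']['ord'][0], $li['par']['ord'][1], $li['par']['ord'][2])) return $K;
                $ord = $li['par']['ord'];
                $parts = explode('/', $V . '//');
                $d = isset($parts[$ord[0]]) ? $parts[$ord[0]] : '';
                $m = isset($parts[$ord[1]]) ? $parts[$ord[1]] : '';
                $y = isset($parts[$ord[2]]) ? $parts[$ord[2]] : '';
                // checkdate() takes ints; reject anything that is not plain digits before casting.
                if (!preg_match('/^[0-9]+$/', $d) or !preg_match('/^[0-9]+$/', $m) or !preg_match('/^[0-9]+$/', $y)) return $K;
                if (!checkdate((int)$m, (int)$d, (int)$y)) return $K;
                $data[$K] = gmmktime(0, 0, 0, (int)$m, (int)$d, (int)$y);
                break;

            case 'mail':
                // Sanitise, then validate: sanitising alone silently strips bad characters and
                // would let a malformed address through as "checked".
                $x = filter_var($V, FILTER_SANITIZE_EMAIL);
                if ($x === false or filter_var($x, FILTER_VALIDATE_EMAIL) === false) return $K;
                $data[$K] = $x;
                break;

            case 'url':
                if (filter_var($V, FILTER_VALIDATE_URL) === false) return $K;
                break;

            case 'color':
                if (!preg_match('/^\#[0-9a-fA-F]{6}$/', (string)$V)) return $K;
                break;

            case 'captcha':
                $capid = isset($li['cap']) ? $li['cap'] : null;
                if (!isset($_SESSION['EWGCaptcha'][$capid]) or $_SESSION['EWGCaptcha'][$capid] == '') {
                    FatalError(!empty($li['par']['onused']) ? $li['par']['onused'] : "The captcha code/session is arleady used.");
                }
                $code = (string)$_SESSION['EWGCaptcha'][$capid];
                // Strict, constant-time comparison: '!=' would treat two different numeric-looking
                // strings as equal under PHP's numeric-string rules.
                if ($code === '' or !hash_equals($code, strtolower((string)$V))) return $K;
                // Record the consumed captcha id without discarding ids recorded earlier in this pass.
                if (!isset($obj['captchas'])) $obj['captchas'] = array();
                $obj['captchas'][] = $capid;
                break;

            case 'font':
                if (!is_array($V)) return $K;
                $rules = array(
                    'fontFamily' => '/^[^\,\-\_\.\s]{1}[a-zA-Z0-9\s\_\-\.\,]{1,40}[^\,\-\_\.\s]{1}$/',
                    'fontSize'   => '/^[1-9]{1}[0-9]{0,3}(px|pt)$/',
                    'fontWeight' => '/^[a-zA-Z0-9]{1,16}$/',
                );
                foreach ($rules as $prop => $re) {
                    if (!isset($V[$prop]) or !is_scalar($V[$prop]) or !preg_match($re, (string)$V[$prop])) return $K;
                }
                break;
        }
    }

    return false;
}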
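<?php
// Resolve the requested file, check it lies within the allowed tree and queue its contents
// as a 'shell' command for the caller. The full '<?php' tag is used so this does not depend
// on the short_open_tag ini setting.
$po = WGParseFile($APPL['file']['path']);

// WGParseFile() returns false for a name it cannot parse; treat that like "neither a
// directory (D) nor a file (F)" and leave quietly instead of indexing into false.
// NOTE(review): D/F semantics are assumed from the names — confirm against WGParseFile().
if ($po === false or (empty($po['D']) and empty($po['F']))) return;

// Permission is checked on 'w' but the read uses 'f'; presumably web path vs. filesystem
// path of the same entry — confirm the two always refer to the same file.
if (!WGisAllowed($po['w'])) FatalError("Access denied");

// The '@' only keeps the PHP warning text out of the response; the === false check is the
// actual error handling and turns an unreadable file into a FatalError.
$js = @file_get_contents($po['f']);
if ($js === false) FatalError("Invalid Link");
$js = trim($js, "\t\r\n ");
if ($js === '') FatalError("Invalid Link");

$CMD[] = array('api' => 'shell', 'data' => $js);
?>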