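/**
 * Recursively strip the backslashes added by magic_quotes_gpc.
 *
 * Array values are recursed into; every other value is run through
 * stripslashes(). Keys are left untouched. A non-array argument is now
 * handled as well instead of producing a foreach warning: a string is
 * unslashed, anything else is returned unchanged.
 *
 * @access private
 * @param array|string $array value to clean (the docblock used to say "string")
 * @return array|string cleaned value, same shape and keys as the input
 */
function remove_magic_quotes($array)
{
    if (!is_array($array)) {
        // Only strings can carry GPC escaping; ints/bools/null pass through.
        return is_string($array) ? stripslashes($array) : $array;
    }
    foreach ($array as $k => $v) {
        $array[$k] = is_array($v) ? remove_magic_quotes($v) : stripslashes($v);
    }
    return $array;
}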
/**
 * Undo magic-quotes escaping in place, recursing into nested arrays.
 *
 * Only three escape sequences are rewritten, in sequential str_replace()
 * passes: a doubled backslash, a backslash-escaped double quote and a
 * backslash-escaped single quote. Values that are neither strings nor
 * arrays are left as they are; keys are never touched.
 *
 * @param array $array request data, modified in place
 * @return void
 */
function remove_magic_quotes(&$array)
{
    $search = array('\\\\', '\\\\"', "\\'");
    $replace = array('\\', '\\"', "'");

    foreach (array_keys($array) as $index) {
        $item = $array[$index];
        if (is_array($item)) {
            remove_magic_quotes($array[$index]);
            continue;
        }
        if (!is_string($item)) {
            continue;
        }
        $array[$index] = str_replace($search, $replace, $item);
    }
}
/**
 * Strip magic-quotes backslashes from every leaf of an array, in place.
 *
 * Nested arrays are descended into; every non-array leaf (whatever its
 * type) goes through stripslashes(). Keys are not modified.
 *
 * @param array $array modified in place
 * @return void
 */
function remove_magic_quotes(&$array)
{
    foreach ($array as &$entry) {
        if (is_array($entry)) {
            remove_magic_quotes($entry);
        } else {
            $entry = stripslashes($entry);
        }
    }
    unset($entry); // drop the dangling reference left by foreach-by-ref
}
/**
 * Return a copy of $array with magic-quotes backslashes stripped from every leaf.
 *
 * Nested arrays are processed recursively; every other leaf is passed to
 * stripslashes(). Keys are preserved (array_map() keeps them when given a
 * single array).
 *
 * @param array $array
 * @return array cleaned copy with the same keys
 */
function remove_magic_quotes($array)
{
    $clean = function ($value) {
        return is_array($value) ? remove_magic_quotes($value) : stripslashes($value);
    };
    return array_map($clean, $array);
}
* * Moved all session functions into one file, * include this where session starting might be required * * @package Core * @author Andreas Goetz <*****@*****.**> * @version $Id: session.php,v 1.13 2008/02/28 20:01:17 andig2 Exp $ */ // start session session_start(); require_once './core/functions.php'; // needed for remove_magic_quotes // get rid of magic quotes if (get_magic_quotes_gpc()) { if (isset($_SESSION)) { remove_magic_quotes($_SESSION); } } /** * Get session value or specified default */ function session_get($varname, $default = null) { return $_SESSION['vdb'][$varname] ? $_SESSION['vdb'][$varname] : $default; } /** * Set session value or specified default */ function session_set($varname, $value) { $_SESSION['vdb'][$varname] = $value;
define(__NAMESPACE__ . '\\LIB', SYSTEM . '/libraries');

/**
 *
 * Other variables
 *
 */
define(__NAMESPACE__ . '\\PLUGIN_NAME', 'STSCore');

require FUNCTIONS . '/core.php';

start_timer();

//register_globals off
unregister_globals();

// Strip magic-quotes escaping from the request superglobals. The
// function_exists() guard keeps this from fataling on PHP 8, where
// get_magic_quotes_gpc() no longer exists. Note that $_SERVER is rewritten
// as well, so every later consumer of $_SERVER sees the unslashed copy.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_POST = remove_magic_quotes($_POST);
    $_GET = remove_magic_quotes($_GET);
    $_COOKIE = remove_magic_quotes($_COOKIE);
    $_SERVER = remove_magic_quotes($_SERVER);
}

// Both callbacks live in this namespace; the autoloader must be registered
// before the first class reference below (singleton::get).
register_shutdown_function(__NAMESPACE__ . '\\shutdown');
spl_autoload_register(__NAMESPACE__ . '\\class_auto_load');

require FUNCTIONS . '/html.php';

$error =& singleton::get(__NAMESPACE__ . '\\error');

// Load the user configuration. The require sits inside the try, so any
// \Exception thrown while config.php itself executes is also caught here and
// reported with the "could not be found" message, which can be misleading.
try {
    if (!file_exists(SETTINGS . '/config.php')) {
        throw new \Exception('The config file could not be found.');
    } else {
        require SETTINGS . '/config.php';
    }
} catch (\Exception $e) {
    echo 'The config file "user/settings/config.php" could not be found. Please run the <a href="install/">installer</a>.';
    $error->create(array('type' => 'file_not_found', 'message' => $e->getMessage()));
}
} else {
    // Fallbacks used when the multibyte-capable branch (defined before this
    // chunk) is not taken: plain byte-wise string functions under the *_utf
    // names, so callers see the same API either way.
    function strtoupper_utf($str)
    {
        return strtoupper($str);
    }

    function strtolower_utf($str)
    {
        return strtolower($str);
    }

    function strlen_utf($str)
    {
        return strlen($str);
    }

    // NOTE(review): the third parameter is named $to but is passed straight
    // to substr(), where it is a length, not an end offset — confirm what
    // callers pass.
    function substr_utf($str, $from, $to)
    {
        return substr($str, $from, $to);
    }
}

///
///
/// main
///
///

// Full error reporting with on-screen display. display_errors=on exposes
// paths and stack details to the browser; this is a development setting.
error_reporting(E_ALL);
ini_set('display_errors', 'on');

// remove_magic_quotes() here takes no arguments, so it must operate on the
// superglobals directly (defined elsewhere in this file).
remove_magic_quotes();
init_session();
init_default_languages();
// Dispatch on the request-supplied 'action' value (get() defined elsewhere).
process_action(get('action'));

# phpFolding plugin _most_ recommended, http://www.vim.org/scripts/script.php?script_id=1623
# vim: set tw=120 ts=4 sts=4 sw=4 et :
#
require_once './core/compatibility.php';
require_once './lib/smarty/SmartyBC.class.php';

/* --------------------------------------------------------------------*/

// exception handling beyond this point
set_exception_handler('exception_handler');

// Set up some defaults
// $config is read here, before extract($_REQUEST) below can overwrite it.
error_reporting($config['debug'] ? E_ALL ^ E_NOTICE : E_ERROR + E_PARSE);

// Remove environment variables from global scope- ensures clean namespace
foreach (array_keys($_ENV) as $key) {
    unset($GLOBALS[$key]);
}

// force magic quotes off
ini_set('magic_quotes_runtime', 0);
if (get_magic_quotes_gpc()) {
    if (!empty($_REQUEST)) {
        // NOTE(review): return value discarded; only effective if
        // remove_magic_quotes() takes its argument by reference — confirm.
        remove_magic_quotes($_REQUEST);
    }
    ini_set('magic_quotes_gpc', 0);
}

// register_globals off? Well I like it...
// This re-creates register_globals: every GET/POST/COOKIE key becomes a
// global variable, and extract()'s default EXTR_OVERWRITE lets a request
// parameter replace any global already defined above (e.g. $config).
// Code after this line must not trust globals it did not set itself.
extract($_REQUEST);

// security check
// $id / $ajax_update only exist if the request supplied them; '0' and ''
// skip the check because the test is on truthiness, not presence.
if ($id) {
    validate_input($id);
}
if ($ajax_update) {
    validate_input($ajax_update);
}

// Smarty setup
$smarty = new SmartyBC();
$smarty->compile_dir = './cache/smarty';
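/**
 * Display login form
 *
 * Renders the login <form> (in-skin or back-office variant) together with
 * the optional "abort login"/logout links, the lost-password link, plugin
 * fields, the submit buttons and the focus / password-hashing JavaScript.
 *
 * Fixes relative to the previous version: implode() was called with the
 * legacy (array, glue) argument order, which PHP 8 rejects with a TypeError;
 * the focus script had its JavaScript line comments on one line, so they
 * swallowed the code that followed; $pwd_note was assigned twice.
 *
 * @param array $params overrides for the defaults merged below; see the
 *                      array_merge() call for the recognised keys
 */
function display_login_form($params)
{
    global $Settings, $Plugins, $Session, $Blog, $blog, $dummy_fields;
    global $secure_htsrv_url, $admin_url, $baseurl, $ReqHost;

    $params = array_merge(array(
        'form_action' => '',
        'form_name' => 'login_form',
        'form_layout' => '',
        'form_class' => 'bComment',
        'source' => 'inskin login form',
        'inskin' => true,
        'login_required' => true,
        'validate_required' => NULL,
        'redirect_to' => '',
        'login' => '',
        'action' => '',
        'reqID' => '',
        'sessID' => '',
        'transmit_hashed_password' => false
    ), $params);

    $inskin = $params['inskin'];
    $login = $params['login'];
    $redirect_to = $params['redirect_to'];

    $links = array();

    if (empty($params['login_required'])
        && $params['action'] != 'req_validatemail'
        && strpos($redirect_to, $admin_url) !== 0
        && strpos($ReqHost . $redirect_to, $admin_url) !== 0) {
        // No login required, allow to pass through
        // TODO: dh> validate redirect_to param?!
        // check if redirect_to url requires logged in user
        if (require_login($redirect_to, true)) {
            // logged in user require for redirect_to url
            if (!empty($blog)) {
                // blog is set
                if (empty($Blog)) {
                    $BlogCache =& get_BlogCache();
                    $Blog = $BlogCache->get_by_ID($blog, false);
                }
                // set abort url to Blog url
                $abort_url = $Blog->gen_blogurl();
            } else {
                // set abort login url to base url
                $abort_url = $baseurl;
            }
        } else {
            // logged in user isn't required for redirect_to url, set abort url to redirect_to
            $abort_url = $redirect_to;
        }
        $links[] = '<a href="' . htmlspecialchars(url_rel_to_same_host($abort_url, $ReqHost)) . '">' . T_('Abort login!') . '</a>';
    }

    if (!$inskin && is_logged_in()) {
        // if we arrive here, but are logged in, provide an option to logout (e.g. during the email validation procedure)
        $links[] = get_user_logout_link();
    }

    if (count($links)) {
        // implode(glue, pieces): the swapped legacy order is a TypeError on PHP 8
        echo '<div style="float:right; margin: 0 1em">' . implode(' · ', $links) . '</div> <div class="clear"></div>';
    }

    $Form = new Form($params['form_action'], $params['form_name'], 'post', $params['form_layout']);

    $Form->begin_form($params['form_class']);

    $Form->add_crumb('loginform');

    $source = param('source', 'string', $params['source'] . ' login form');
    $Form->hidden('source', $source);
    $Form->hidden('redirect_to', $redirect_to);

    if ($inskin) {
        // inskin login form
        $Form->hidden('inskin', true);
        $separator = '<br />';
    } else {
        // standard login form
        $Form->hidden('validate_required', $params['validate_required']);
        if (isset($params['action'], $params['reqID'], $params['sessID']) && $params['action'] == 'validatemail') {
            // the user clicked the link from the "validate your account" email, but has not been logged in; pass on the relevant data:
            $Form->hidden('action', 'validatemail');
            $Form->hidden('reqID', $params['reqID']);
            $Form->hidden('sessID', $params['sessID']);
        }
        $separator = '';
    }

    // check if should transmit hashed password
    if ($params['transmit_hashed_password']) {
        // used by JS-password encryption/hashing:
        $pwd_salt = $Session->get('core.pwd_salt');
        if (empty($pwd_salt)) {
            // Do not regenerate if already set because we want to reuse the previous salt on login screen reloads
            // fp> Question: the comment implies that the salt is reset even on failed login attemps. Why that? I would only have reset it on successful login. Do experts recommend it this way?
            // but if you kill the session you get a new salt anyway, so it's no big deal.
            // At that point, why not reset the salt at every reload? (it may be good to keep it, but I think the reason should be documented here)
            $pwd_salt = generate_random_key(64);
            $Session->set('core.pwd_salt', $pwd_salt, 86400);
            $Session->dbsave(); // save now, in case there's an error later, and not saving it would prevent the user from logging in.
        }
        $Form->hidden('pwd_salt', $pwd_salt);
        $Form->hidden('pwd_hashed', ''); // gets filled by JS
    }

    $Form->begin_field();
    $Form->text_input($dummy_fields['login'], $params['login'], 18, T_('Login'), $separator . T_('Enter your username (or email address).'), array('maxlength' => 255, 'class' => 'input_text', 'required' => true));
    $Form->end_field();

    if ($inskin) {
        $lost_password_url = regenerate_url('disp', 'disp=lostpassword');
    } else {
        $lost_password_url = $secure_htsrv_url . 'login.php?action=lostpassword&redirect_to=' . rawurlencode(url_rel_to_same_host($redirect_to, $secure_htsrv_url));
    }
    if (!empty($login)) {
        $lost_password_url .= '&' . $dummy_fields['login'] . '=' . rawurlencode($login);
    }
    // NOTE(review): the URL goes into an href attribute without htmlspecialchars();
    // the variable parts are rawurlencode()d, so this is safe as written, but the
    // bare '&' separators would be '&amp;' in strictly valid HTML — verify what
    // regenerate_url() returns before changing it.
    $pwd_note = '<a href="' . $lost_password_url . '">' . T_('Lost password ?') . '</a>';

    $Form->begin_field();
    $Form->password_input($dummy_fields['pwd'], '', 18, T_('Password'), array('note' => $pwd_note, 'maxlength' => 70, 'class' => 'input_text', 'required' => true));
    $Form->end_field();

    // Allow a plugin to add fields/payload
    $Plugins->trigger_event('DisplayLoginFormFieldset', array('Form' => &$Form));

    // Submit button(s):
    $submit_buttons = array(array('name' => 'login_action[login]', 'value' => T_('Log in!'), 'class' => 'search', 'style' => 'font-size: 120%'));

    if (!$inskin && strpos($redirect_to, $admin_url) !== 0 && strpos($ReqHost . $redirect_to, $admin_url) !== 0 && !is_admin_page()) {
        // provide button to log straight into backoffice, if we would not go there anyway
        $submit_buttons[] = array('name' => 'login_action[redirect_to_backoffice]', 'value' => T_('Log into backoffice!'), 'class' => 'search');
    }

    $Form->buttons_input($submit_buttons);

    if ($inskin) {
        $before_register_link = '<strong>';
        $after_register_link = '</strong>';
        $register_link_style = 'text-align:right; margin: 1em 0 1ex';
    } else {
        echo '<div class="center notes" style="margin: 1em 0">' . T_('You will have to accept cookies in order to log in.') . '</div>';

        // Passthrough REQUEST data (when login is required after having POSTed something)
        // (Exclusion of 'login_action', 'login', and 'action' has been removed. This should get handled via detection in Form (included_input_field_names),
        // and "action" is protected via crumbs)
        // NOTE(review): every request key/value is reflected into a hidden field;
        // this relies on Form::hiddens_by_key() escaping names and values — confirm.
        $Form->hiddens_by_key(remove_magic_quotes($_REQUEST));

        $before_register_link = '';
        $after_register_link = '';
        $register_link_style = 'text-align:right';
    }

    echo '<div class="login_actions" style="' . $register_link_style . '">';
    echo get_user_register_link($before_register_link, $after_register_link, T_('No account yet? Register here') . ' »', '#', true, $redirect_to, $source);
    echo '</div>';

    $Form->end_form();

    echo '<script type="text/javascript">';
    // Autoselect login text input or pwd input, if there\'s a login already:
    // The JS line comments must stay on their own lines inside this literal,
    // otherwise they comment out the statements that follow them.
    echo 'var login = document.getElementById("' . $dummy_fields['login'] . '");
        if( login.value.length > 0 ) {
            // Focus on the password field:
            document.getElementById("' . $dummy_fields['pwd'] . '").focus();
        } else {
            // Focus on the login field:
            login.focus();
        }';

    if ($params['transmit_hashed_password']) {
        // Hash the password onsubmit and clear the original pwd field
        // TODO: dh> it would be nice to disable the clicked/used submit button. That's how it has been when the submit was attached to the submit button(s)
        echo 'addEvent( document.getElementById("login_form"), "submit", function(){'
            . 'var form = document.getElementById("login_form");'
            . 'if( form.pwd_hashed && form.' . $dummy_fields['pwd'] . ' && form.pwd_salt && typeof hex_sha1 != "undefined" && typeof hex_md5 != "undefined" ) {'
            . 'form.pwd_hashed.value = hex_sha1( hex_md5(form.' . $dummy_fields['pwd'] . '.value) + form.pwd_salt.value ); form.' . $dummy_fields['pwd'] . '.value = "padding_padding_padding_padding_padding_padding_hashed_' . $Session->ID . '";'
            . '} return true; }, false );';
    }
    echo '</script>';
}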
/**
 * remove magic quotes recursivly
 *
 * Unlike the usual variants this one also unslashes the *keys*: a key whose
 * cleaned form differs is re-inserted under the new name (which appends it,
 * so key order is not preserved). Values are then recursed into or
 * unslashed in place.
 *
 * @author Andreas Gohr <*****@*****.**>
 * @param array $array modified in place
 * @return void
 */
function remove_magic_quotes(&$array)
{
    foreach (array_keys($array) as $original_key) {
        // handle magic quotes in keynames (breaks order)
        $clean_key = stripslashes($original_key);
        // Loose comparison on purpose: integer keys come back from
        // stripslashes() as numeric strings and must still count as unchanged.
        if ($clean_key != $original_key) {
            $array[$clean_key] = $array[$original_key];
            unset($array[$original_key]);
        }

        // do recursion if needed
        $slot =& $array[$clean_key];
        if (is_array($slot)) {
            remove_magic_quotes($slot);
        } else {
            $slot = stripslashes($slot);
        }
        unset($slot);
    }
}
/**
 * Read one request parameter, coerce it to $type and (optionally) publish it as a global.
 *
 * Sources are tried in the order given by $para_types (POST, GET, COOKIE,
 * SESSION; case-insensitive); the first source holding $var wins. POST/GET/
 * COOKIE values pass through remove_magic_quotes() (defined elsewhere),
 * SESSION values are taken as-is.
 *
 * @param string|array $para_types one source name, a list of them, or a falsy
 *                                 value for the default array('POST', 'GET')
 * @param string $var parameter (and, with $set_global, global variable) name —
 *                    must be a developer-chosen constant, never request-derived,
 *                    because it names the $GLOBALS entry written below
 * @param string $type 'html', 'clean-html', 'string', 'string-yn', 'check-01',
 *                     'array-int', '' (no coercion) or any settype() type name
 * @param mixed $default value used when $var is absent; NO_DEFAULT_PARAM means none
 * @param bool $must_exist redirect with an error when $var is absent
 * @param bool $set_global also store the value in $GLOBALS[$var]
 * @param bool $global_override overwrite an existing non-empty global
 * @return mixed the coerced value, or false when it is empty() (so '0', '',
 *               0 and array() are indistinguishable from "not found")
 */
function init_param($para_types, $var, $type = '', $default = NO_DEFAULT_PARAM, $must_exist = false, $set_global = true, $global_override = true)
{
    if (!is_array($para_types)) {
        if ($para_types) {
            $para_tmp = $para_types;
            $para_types = array();
            $para_types[] = $para_tmp;
        } else {
            $para_types = array('POST', 'GET');
        }
    }

    $para_found = false;
    foreach ($para_types as $para_type) {
        switch (strtoupper($para_type)) {
            case 'POST':
                if (isset($_POST[$var])) {
                    $para_value = remove_magic_quotes($_POST[$var]);
                    $para_found = true;
                }
                break;
            case 'GET':
                if (isset($_GET[$var])) {
                    $para_value = remove_magic_quotes($_GET[$var]);
                    $para_found = true;
                }
                break;
            case 'COOKIE':
                if (isset($_COOKIE[$var])) {
                    $para_value = remove_magic_quotes($_COOKIE[$var]);
                    $para_found = true;
                }
                break;
            case 'SESSION':
                if (isset($_SESSION[$var])) {
                    $para_value = $_SESSION[$var];
                    $para_found = true;
                }
                break;
            default:
        }
        if ($para_found) {
            break;
        }
    }

    if ($must_exist && !$para_found) {
        // NOTE(review): if redirect_header() returns instead of exiting,
        // execution continues below with $para_value unset — confirm it exits.
        redirect_header("", 5, "Required parameter isn't set. [" . $var . "]");
    }

    if (!$para_found) {
        if ($default !== NO_DEFAULT_PARAM) {
            $para_value = $default;
        } elseif ($type == 'string-yn') {
            $para_value = 'N';
        } elseif ($type == 'check-01') {
            $para_value = '0';
        }
    }

    if (isset($para_value)) {
        if (!empty($type)) {
            // Force the type
            switch ($type) {
                case 'html':
                    // do nothing
                    // the raw request value is kept; callers must escape it on output
                    break;
                case 'clean-html':
                    $para_value = trim(clean_html($para_value));
                    break;
                case 'string':
                    // strip_tags() removes markup but does not escape what remains;
                    // this is not a substitute for output encoding
                    $para_value = trim(strip_tags($para_value));
                    break;
                case 'string-yn':
                    $para_value = $para_value == 'Y' ? 'Y' : 'N';
                    break;
                case 'check-01':
                    $para_value = $para_value == '1' ? '1' : '0';
                    break;
                case 'array-int':
                    settype($para_value, 'array');
                    array_walk($para_value, '_array_int_callback');
                    break;
                default:
                    // any other $type is handed straight to settype()
                    settype($para_value, $type);
            }
        }
        set_param($var, $para_value);
    }

    if ($set_global) {
        // register_globals-style publication: writes $GLOBALS[$var]. An empty()
        // value removes the global rather than setting it.
        if ($global_override || empty($GLOBALS[$var])) {
            if (!empty($GLOBALS[$var])) {
                unset($GLOBALS[$var]);
            }
            if (!empty($para_value)) {
                $GLOBALS[$var] = $para_value;
            }
        }
    }

    if (!empty($para_value)) {
        return $para_value;
    } else {
        return false;
    }
}
case "update":
    // Part of a larger switch; the enclosing switch and the loops opened
    // below close outside this chunk.
    $standalone = 0;
    wp_refcheck("/wp-admin");
    $any_changed = 0;
    // iterate through the list of options in this group
    // pull the vars from the post
    // validate ranges etc.
    // update the values
    // NOTE(review): $option_group_id is interpolated into the SQL string
    // unquoted; this is only safe if it was validated as an integer before
    // this point — confirm where it is set.
    $options = $wpdb->get_results("SELECT " . wp_table('options') . ".option_id, option_name, option_type, option_value, option_admin_level "
        . "FROM " . wp_table('options') . " "
        . "LEFT JOIN " . wp_table('optiongroup_options') . " ON " . wp_table('options') . ".option_id = " . wp_table('optiongroup_options') . ".option_id "
        . "WHERE group_id = {$option_group_id} "
        . "ORDER BY seq");
    if ($options) {
        foreach ($options as $option) {
            // should we even bother checking?
            if ($user_level >= $option->option_admin_level) {
                $this_name = $option->option_name;
                $old_val = $option->option_value;
                // $_POST[$this_name] is read without isset(); an option missing
                // from the form yields null here (and a notice/warning).
                $new_val = remove_magic_quotes($_POST[$this_name]);
                if ($new_val != $old_val) {
                    // get type and validate
                    $msg = validate_option($option, $this_name, $new_val);
                    if ($msg == '') {
                        //no error message
                        // The value is escaped with addslashes() rather than a
                        // driver-level escape or a bound parameter; $option->option_id
                        // comes from the query above, not from the request.
                        $result = $wpdb->query("UPDATE " . wp_table('options') . " SET option_value = '" . addslashes($new_val) . "' WHERE option_id = {$option->option_id}");
                        if (!$result) {
                            $db_errors .= " SQL error while saving {$this_name}. ";
                        } else {
                            ++$any_changed;
                        }
                    } else {
                        $validation_message .= $msg;
                    }
                }
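/**
 * Read messages from server and create posts
 *
 * For each of the first $limit messages in the mailbox: save it to a temp
 * file, decode the MIME structure, extract body/attachments, locate the
 * <auth>username:password</auth> credentials, authenticate and authorise the
 * user, sanitise the content and (unless test mode is on) insert an Item
 * plus its file Links. Progress is reported through pbm_msg(), whose
 * messages are HTML — any value that originates from the mail itself is
 * therefore passed through htmlspecialchars() before being logged.
 *
 * Fixes relative to the previous version: $html_body is now reset per
 * message (it used to leak from an HTML message into a following plain-text
 * one, which was then processed as HTML with the stale body); the login,
 * attachment file name and Content-ID are HTML-escaped in the log output.
 *
 * @param resource $mbox created by pbm_connect() (by reference)
 * @param integer $limit the number of messages to process
 * @return boolean true on success
 */
function pbm_process_messages(&$mbox, $limit)
{
    global $Settings;
    global $pbm_item_files, $pbm_messages, $pbm_items, $post_cntr, $del_cntr, $is_cron_mode;

    // No execution time limit
    set_max_execution_time(0);

    // Are we in test mode?
    $test_mode_on = $Settings->get('eblog_test_mode');

    $post_cntr = 0;
    $del_cntr = 0;
    for ($index = 1; $index <= $limit; $index++) {
        pbm_msg('<hr /><h3>Processing message #' . $index . ':</h3>');

        $strbody = '';
        $html_body = ''; // must be reset too: it decides TEXT vs HTML handling below
        $hasAttachment = false;
        $hasRelated = false;
        $pbm_item_files = array(); // reset the value for each new Item

        // Save email to hard drive, otherwise attachments may take a lot of RAM
        if (!($tmpMIME = tempnam(sys_get_temp_dir(), 'b2evoMail'))) {
            pbm_msg(T_('Could not create temporary file.'), true);
            continue;
        }
        imap_savebody($mbox, $tmpMIME, $index);

        // Create random temp directory for message parts
        $tmpDirMIME = pbm_tempdir(sys_get_temp_dir(), 'b2evo_');

        $mimeParser = new mime_parser_class();
        $mimeParser->mbox = 0; // Set to 0 for parsing a single message file
        $mimeParser->decode_headers = 1;
        $mimeParser->ignore_syntax_errors = 1;
        $mimeParser->extract_addresses = 0;

        $MIMEparameters = array('File' => $tmpMIME, 'SaveBody' => $tmpDirMIME, 'SkipBody' => 1);

        if (!$mimeParser->Decode($MIMEparameters, $decodedMIME)) {
            pbm_msg(sprintf('MIME message decoding error: %s at position %d.', $mimeParser->error, $mimeParser->error_position), true);
            rmdir_r($tmpDirMIME);
            unlink($tmpMIME);
            continue;
        } else {
            pbm_msg('MIME message decoding successful');

            if (!$mimeParser->Analyze($decodedMIME[0], $parsedMIME)) {
                pbm_msg(sprintf('MIME message analyse error: %s', $mimeParser->error), true);
                rmdir_r($tmpDirMIME);
                unlink($tmpMIME);
                continue;
            }

            // Get message $subject and $post_date from headers (by reference)
            if (!pbm_process_header($parsedMIME, $subject, $post_date)) {
                // Couldn't process message headers
                rmdir_r($tmpDirMIME);
                unlink($tmpMIME);
                continue;
            }

            // TODO: handle type == "message" recursively
            // sam2kb> For some reason imap_qprint() demages HTML text... needs more testing

            if ($parsedMIME['Type'] == 'html') {
                // Mail is HTML
                if ($Settings->get('eblog_html_enabled')) {
                    // HTML posting enabled
                    pbm_msg('HTML message part saved as ' . $parsedMIME['DataFile']);
                    $html_body = file_get_contents($parsedMIME['DataFile']);
                }

                foreach ($parsedMIME['Alternative'] as $alternative) {
                    // First try to get HTML alternative (when possible)
                    if ($alternative['Type'] == 'html' && $Settings->get('eblog_html_enabled')) {
                        // HTML text
                        pbm_msg('HTML alternative message part saved as ' . $alternative['DataFile']);
                        // sam2kb> TODO: we may need to use $html_body here instead
                        $strbody = file_get_contents($alternative['DataFile']);
                        break; // stop after first alternative
                    } elseif ($alternative['Type'] == 'text') {
                        // Plain text
                        pbm_msg('Text alternative message part saved as ' . $alternative['DataFile']);
                        $strbody = imap_qprint(file_get_contents($alternative['DataFile']));
                        break; // stop after first alternative
                    }
                }
            } elseif ($parsedMIME['Type'] == 'text') {
                // Mail is plain text
                pbm_msg('Plain-text message part saved as ' . $parsedMIME['DataFile']);
                $strbody = imap_qprint(file_get_contents($parsedMIME['DataFile']));
            }

            // Check for attachments
            if (!empty($parsedMIME['Attachments'])) {
                $hasAttachment = true;
                foreach ($parsedMIME['Attachments'] as $file) {
                    // FileName is sender-controlled; escape it for the HTML log
                    pbm_msg('Attachment: ' . htmlspecialchars($file['FileName']) . ' stored as ' . $file['DataFile']);
                }
            }

            // Check for inline images
            if (!empty($parsedMIME['Related'])) {
                $hasRelated = true;
                foreach ($parsedMIME['Related'] as $file) {
                    // ContentID is sender-controlled; escape it for the HTML log
                    pbm_msg('Related file with content ID: ' . htmlspecialchars($file['ContentID']) . ' stored as ' . $file['DataFile']);
                }
            }

            if (count($mimeParser->warnings) > 0) {
                pbm_msg(sprintf('<h4>%d warnings during decode:</h4>', count($mimeParser->warnings)));
                foreach ($mimeParser->warnings as $k => $v) {
                    pbm_msg('Warning: ' . $v . ' at position ' . $k);
                }
            }
        }
        unlink($tmpMIME);

        if (empty($html_body)) {
            // Plain text message
            pbm_msg('Message type: TEXT');
            pbm_msg('Message body: <pre style="font-size:10px">' . htmlspecialchars($strbody) . '</pre>');

            // Process body. First fix different line-endings (dos, mac, unix), remove double newlines
            $content = str_replace(array("\r", "\n\n"), "\n", trim($strbody));

            // First see if there's an <auth> tag with login and password
            if (($auth = pbm_get_auth_tag($content)) === false) {
                // No <auth> tag, let's detect legacy "username:password" on the first line
                $a_body = explode("\n", $content, 2); // tblue> splitting only into 2 parts allows colons in the user PW

                // Note: login and password cannot include '<' !
                $auth = explode(':', strip_tags($a_body[0]), 2);

                // Drop the first line with username and password
                $content = $a_body[1];
            }
        } else {
            // HTML message
            pbm_msg('Message type: HTML');

            if (($parsed_message = pbm_prepare_html_message($html_body)) === false) {
                // No 'auth' tag provided, skip to the next message
                rmdir_r($tmpDirMIME);
                continue;
            }
            list($auth, $content) = $parsed_message;
        }

        // TODO: dh> should the password really get trimmed here?!
        $user_pass = isset($auth[1]) ? trim(remove_magic_quotes($auth[1])) : NULL;
        $user_login = trim(evo_strtolower(remove_magic_quotes($auth[0])));

        // empty() also rejects the literal password "0"
        if (empty($user_login) || empty($user_pass)) {
            pbm_msg(sprintf(T_('Please add username and password in message body in format %s.'), '"<auth>username:password</auth>"'), true);
            rmdir_r($tmpDirMIME);
            continue;
        }

        // Authenticate user
        pbm_msg('Authenticating user: «' . htmlspecialchars($user_login) . '»');
        $pbmUser =& pbm_validate_user_password($user_login, $user_pass);
        if (!$pbmUser) {
            pbm_msg(sprintf(T_('Authentication failed for user «%s»'), htmlspecialchars($user_login)), true);
            rmdir_r($tmpDirMIME);
            continue;
        }

        $pbmUser->get_Group(); // Load group

        if (!empty($is_cron_mode)) {
            // Assign current User if we are in cron mode. This is needed in order to check user permissions
            global $current_User;
            $current_User = duplicate($pbmUser);
        }

        // Activate User's locale
        locale_activate($pbmUser->get('locale'));

        pbm_msg('<b class="green">Success</b>');

        if ($post_categories = xmlrpc_getpostcategories($content)) {
            $main_cat_ID = array_shift($post_categories);
            $extra_cat_IDs = $post_categories;

            pbm_msg('Extra categories: ' . implode(', ', $extra_cat_IDs));
        } else {
            $main_cat_ID = $Settings->get('eblog_default_category');
            $extra_cat_IDs = array();
        }

        pbm_msg('Main category ID: ' . $main_cat_ID);

        $ChapterCache =& get_ChapterCache();
        $pbmChapter =& $ChapterCache->get_by_ID($main_cat_ID, false, false);
        if (empty($pbmChapter)) {
            pbm_msg(sprintf(T_('Requested category %s does not exist!'), $main_cat_ID), true);
            rmdir_r($tmpDirMIME);
            continue;
        }

        $blog_ID = $pbmChapter->blog_ID;
        pbm_msg('Blog ID: ' . $blog_ID);

        $BlogCache =& get_BlogCache();
        $pbmBlog =& $BlogCache->get_by_ID($blog_ID, false, false);
        if (empty($pbmBlog)) {
            pbm_msg(sprintf(T_('Requested blog %s does not exist!'), $blog_ID), true);
            rmdir_r($tmpDirMIME);
            continue;
        }

        // Check permission:
        pbm_msg(sprintf('Checking permissions for user «%s» to post to Blog #%d', htmlspecialchars($user_login), $blog_ID));
        if (!$pbmUser->check_perm('blog_post!published', 'edit', false, $blog_ID)) {
            pbm_msg(T_('Permission denied.'), true);
            rmdir_r($tmpDirMIME);
            continue;
        }

        if (($hasAttachment || $hasRelated) && !$pbmUser->check_perm('files', 'add', false, $blog_ID)) {
            pbm_msg(T_('You have no permission to add/upload files.'), true);
            rmdir_r($tmpDirMIME);
            continue;
        }

        pbm_msg('<b class="green">Success</b>');

        // Remove content after terminator
        $eblog_terminator = $Settings->get('eblog_body_terminator');
        if (!empty($eblog_terminator) && ($os_terminator = evo_strpos($content, $eblog_terminator)) !== false) {
            $content = evo_substr($content, 0, $os_terminator);
        }

        $post_title = pbm_get_post_title($content, $subject);

        // Remove 'title' and 'category' tags
        $content = xmlrpc_removepostdata($content);

        // Remove <br> tags from string start and end
        // We do it here because there might be extra <br> left after deletion of <auth>, <category> and <title> tags
        $content = preg_replace(array('~^(\\s*<br[\\s/]*>\\s*){1,}~i', '~(\\s*<br[\\s/]*>\\s*){1,}$~i'), '', $content);

        if ($hasAttachment || $hasRelated) {
            // Handle attachments
            if (isset($GLOBALS['files_Module'])) {
                if ($mediadir = $pbmBlog->get_media_dir()) {
                    if ($hasAttachment) {
                        pbm_process_attachments($content, $parsedMIME['Attachments'], $mediadir, $pbmBlog->get_media_url(), $Settings->get('eblog_add_imgtag'), 'attach');
                    }
                    if ($hasRelated) {
                        pbm_process_attachments($content, $parsedMIME['Related'], $mediadir, $pbmBlog->get_media_url(), true, 'related');
                    }
                } else {
                    pbm_msg(T_('Unable to access media directory. No attachments processed.'), true);
                }
            } else {
                pbm_msg(T_('Files module is disabled or missing!'), true);
            }
        }

        // CHECK and FORMAT content
        global $Plugins;
        $renderer_params = array('Blog' => &$pbmBlog, 'setting_name' => 'coll_apply_rendering');
        $renderers = $Plugins->validate_renderer_list($Settings->get('eblog_renderers'), $renderer_params);

        pbm_msg('Applying the following text renderers: ' . implode(', ', $renderers));

        // Do some optional filtering on the content
        // Typically stuff that will help the content to validate
        // Useful for code display
        // Will probably be used for validation also
        $Plugins_admin =& get_Plugins_admin();
        $params = array('object_type' => 'Item', 'object_Blog' => &$pbmBlog);
        $Plugins_admin->filter_contents($post_title, $content, $renderers, $params);

        pbm_msg('Filtered post content: <pre style="font-size:10px">' . htmlspecialchars($content) . '</pre>');

        $context = $Settings->get('eblog_html_tag_limit') ? 'commenting' : 'posting';
        $post_title = check_html_sanity($post_title, $context, $pbmUser);
        $content = check_html_sanity($content, $context, $pbmUser);

        global $Messages;
        if ($Messages->has_errors()) {
            // Make it easier for user to find and correct the errors
            pbm_msg("\n" . sprintf(T_('Processing message: %s'), $post_title), true);
            pbm_msg($Messages->get_string(T_('Cannot post, please correct these errors:'), 'error'), true);

            $Messages->clear();
            rmdir_r($tmpDirMIME);
            continue;
        }

        if ($test_mode_on) {
            // Test mode
            pbm_msg('<b class="green">It looks like the post can be successfully saved in the database. However we will not do it in test mode.</b>');
        } else {
            load_class('items/model/_item.class.php', 'Item');

            global $pbm_items, $DB, $localtimenow;

            $post_status = 'published';

            pbm_msg(sprintf('<h4>Saving item "%s" in the database</h4>', $post_title));

            // INSERT NEW POST INTO DB:
            $edited_Item = new Item();
            $edited_Item->set_creator_User($pbmUser);
            $edited_Item->set($edited_Item->lasteditor_field, $pbmUser->ID);
            $edited_Item->set('title', $post_title);
            $edited_Item->set('content', $content);
            $edited_Item->set('datestart', $post_date);
            $edited_Item->set('datemodified', date('Y-m-d H:i:s', $localtimenow));
            $edited_Item->set('main_cat_ID', $main_cat_ID);
            $edited_Item->set('extra_cat_IDs', $extra_cat_IDs);
            $edited_Item->set('status', $post_status);
            $edited_Item->set('locale', $pbmUser->locale);
            $edited_Item->set('renderers', $renderers);

            // INSERT INTO DB:
            $edited_Item->dbinsert('through_email');

            pbm_msg(sprintf('Item created?: ' . (isset($edited_Item->ID) ? 'yes' : 'no')));

            // Execute or schedule notifications & pings:
            $edited_Item->handle_post_processing(true);

            if (!empty($pbm_item_files)) {
                // Attach files
                $FileCache =& get_FileCache();

                $order = 1;
                foreach ($pbm_item_files as $filename) {
                    pbm_msg(sprintf('Saving file "%s" in the database', $filename));
                    $pbmFile =& $FileCache->get_by_root_and_path('collection', $pbmBlog->ID, $filename);
                    $pbmFile->meta = 'notfound'; // Save time and don't try to load meta from DB, it's not there anyway
                    $pbmFile->dbsave();
                    pbm_msg(sprintf('File saved?: ' . (isset($pbmFile->ID) ? 'yes' : 'no')));

                    pbm_msg(sprintf('Attaching file "%s" to the post', $filename));

                    // Let's make the link!
                    $pbmLink = new Link();
                    $pbmLink->set('itm_ID', $edited_Item->ID);
                    $pbmLink->set('file_ID', $pbmFile->ID);
                    $pbmLink->set('position', 'aftermore');
                    $pbmLink->set('order', $order++);
                    $pbmLink->dbinsert();
                    pbm_msg(sprintf('File attached?: ' . (isset($pbmLink->ID) ? 'yes' : 'no')));
                }
            }

            // Save posted items sorted by author user for reports
            $pbm_items['user_' . $pbmUser->ID][] = $edited_Item;

            ++$post_cntr;
        }

        pbm_msg('Message posting successful');

        // Delete temporary directory
        rmdir_r($tmpDirMIME);

        if (!$test_mode_on && $Settings->get('eblog_delete_emails')) {
            pbm_msg('Marking message for deletion from inbox: ' . $index);
            imap_delete($mbox, $index);
            ++$del_cntr;
        }
    }

    // Expunge messages marked for deletion
    imap_expunge($mbox);

    return true;
}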
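/**
 * Remove slashes if magic quotes are enabled
 *
 * On PHP 8 get_magic_quotes_gpc() no longer exists (magic quotes were never
 * applied there), so the guard below returns the input unchanged instead of
 * fataling on the undefined function.
 *
 * @param mixed $mixed string or array to strip slashes from
 *
 * @return mixed cleaned string or array
 */
function remove_magic_quotes($mixed)
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        if (is_array($mixed)) {
            foreach ($mixed as $k => $v) {
                $mixed[$k] = remove_magic_quotes($v);
            }
        } else {
            $mixed = stripslashes($mixed);
        }
    }
    return $mixed;
}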
/**
 * Remove quotes from input.
 * This handles magic_quotes_gpc and magic_quotes_sybase PHP settings/variants.
 *
 * NOTE: you should not use it directly, but one of the param-functions!
 *
 * Strings are unslashed, arrays are walked recursively (keys untouched),
 * and any other type is returned as-is.
 *
 * @param mixed string or array (function is recursive)
 * @return mixed Value, with magic quotes removed
 */
function remove_magic_quotes($mixed)
{
    if (is_string($mixed)) {
        return stripslashes($mixed);
    }
    if (!is_array($mixed)) {
        return $mixed;
    }
    foreach (array_keys($mixed) as $index) {
        $mixed[$index] = remove_magic_quotes($mixed[$index]);
    }
    return $mixed;
}
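/**
 * Create (or refresh) a StudipDocument that points at an external link.
 *
 * The link URL, description and display name are read from the request
 * (Request::get / Request::option / Request::int). When $refresh is false a
 * new document is created for $range_id; otherwise the existing document
 * with id $refresh is reloaded and only its uploader/file metadata updated.
 *
 * Fix: parse_url() returns false for a malformed link, and a URL may have
 * no path component; both previously produced an array-offset warning.
 *
 * @param string $range_id range the document belongs to (whitespace trimmed)
 * @param int $the_file_size size stored in the document
 * @param false|string $refresh false to create, else the id of the document to update
 * @return mixed whatever StudipDocument::store() returns
 */
function insert_link_db($range_id, $the_file_size, $refresh = FALSE)
{
    global $the_file_name, $user;

    $the_link = Request::get('the_link');
    $user_id = $user->id; // ask for the user_id...
    $range_id = trim($range_id); // get rid of annoying white space
    $description = trim(Request::get('description')); // get rid of annoying white space
    $name = trim(Request::get('name')); // get rid of annoying white space

    // Derive a file name from the URL path when the caller did not set one.
    // parse_url() may return false and the 'path' key may be absent; either
    // way fall back to an empty string (basename('') === '').
    $url_parts = parse_url($the_link);
    $url_path = isset($url_parts['path']) ? $url_parts['path'] : '';
    $the_file_name = $the_file_name ?: basename($url_path);

    if (!$name) {
        $name = $the_file_name;
    }

    if (!$refresh) {
        $doc = new StudipDocument();
        $doc->description = remove_magic_quotes($description);
        $doc->name = $name;
        $doc->range_id = $range_id;
        $doc->user_id = $user_id;
        $doc->filename = $the_file_name;
        $doc->seminar_id = Request::option('upload_seminar_id');
        $doc->filesize = $the_file_size;
        // NOTE(review): the URL is stored as supplied, without a scheme
        // check — confirm it is validated before being rendered as a link.
        $doc->url = $the_link;
        $doc->protected = Request::int('protect');
        // REMOTE_ADDR is the direct peer; behind a reverse proxy this is the proxy
        $doc->autor_host = $_SERVER['REMOTE_ADDR'];
        $doc->author_name = get_fullname($user_id);
    } else {
        $doc = StudipDocument::find($refresh);
        $doc->user_id = $user_id;
        $doc->filename = $the_file_name;
        $doc->filesize = $the_file_size;
        $doc->autor_host = $_SERVER['REMOTE_ADDR'];
        $doc->author_name = get_fullname($user_id);
    }

    return $doc->store();
}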
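/**
 * Request dispatcher for the tinyadm MySQL front-end.
 *
 * Starts the session, seeds the session keys the page relies on, handles
 * the action selected by the 'act' request variable (login, database /
 * table selection, history, export, logout, SQL execution) and then renders
 * the page: the SQL area, the action's output and — last, because it has to
 * see the results of any SQL that ran — the database menu. The content is
 * buffered so the menu can be printed ahead of it.
 *
 * Table names taken from the session are quoted with
 * tinyadm_quote_identifier(). The original ran them through
 * mysqli_escape_string(), which escapes for string literals and does not
 * neutralise a backtick inside a backtick-quoted identifier (and turns a
 * quote or backslash in the name into a different identifier).
 *
 * @return mixed the result of draw_login_form() when no DB connection could
 *               be made; otherwise nothing, the page is echoed
 */
function process_tinyadm()
{
    global $db;

    @session_start();
    remove_magic_quotes();

    $session_defaults = array(
        'user' => '',
        'password' => '',
        'database' => '',
        'table' => '',
        'last_sql' => '',
        'sql_history' => array(),
    );
    foreach ($session_defaults as $key => $default) {
        if (!isset($_SESSION[$key])) {
            $_SESSION[$key] = $default;
        }
    }

    $act = get_var('act');

    if ($act == 'login') {
        setcookie('tinymy_user', get_var('user'), time() + 5184000); // 2 months
        // The credentials live in the session for as long as the login lasts;
        // addslashes() is applied before they are stored, as in the original.
        $_SESSION['user'] = addslashes(get_var('user'));
        $_SESSION['password'] = addslashes(get_var('password'));
    }

    $db = new sqldb($_SESSION['user'], $_SESSION['password'], $_SESSION['database']);
    if (!$db->is_connected()) {
        return draw_login_form();
    }

    if ($act == 'login') {
        // switch to default database
        if (get_cookie('tinymy_database')) {
            $_SESSION['database'] = get_cookie('tinymy_database');
        }
    }

    // State-changing actions; most of them redirect before any output.
    switch ($act) {
        case 'sel_db':
            $_SESSION['database'] = get_var('d');
            $_SESSION['table'] = '';
            setcookie('tinymy_database', get_var('d'), time() + 5184000); // 2 months
            redirect_self();
            exit;
        case 'use_history':
            $idx = (int) get_var('idx');
            if (isset($_SESSION['sql_history'][$idx])) {
                $_SESSION['database'] = $_SESSION['sql_history'][$idx]['db'];
                $_SESSION['last_sql'] = $_SESSION['sql_history'][$idx]['sql'];
            }
            redirect_self();
            exit;
        case 'sel_table':
            $_SESSION['table'] = get_var('table');
            break;
        case 'do_export':
            ob_end_clean(); // we need to pass through the following output from export immediately, without caching
            do_export();
            break;
        case 'logout':
            session_unset();
            session_destroy();
            redirect_self();
            exit;
        case 'exec_sql':
            history_add(get_var('sql'));
    }

    ob_start(); // menu needs to be created after the possible sql has executed
    echo '<div id="content">';
    if ($act != 'export' && $act != 'do_export') {
        draw_sqlarea();
    }

    switch ($act) {
        case 'history':
            draw_history();
            break;
        case 'export':
            draw_export();
            break;
        case 'sel_db':
            break;
        case 'sel_table':
        case 'show_structure':
            // NOTE(review): h() presumably HTML-escapes its %s arguments — confirm,
            // since the table name comes from the request via the session.
            h('<p style="margin-bottom: 8px;"><a href="?act=show_contents">Show contents of %s</a></p>', $_SESSION['table']);
            $table = tinyadm_quote_identifier($_SESSION['table']);
            exec_sql_internal(sprintf('desc %s', $table));
            exec_sql_singlerow(sprintf('show create table %s', $table));
            break;
        case 'show_contents':
            h('<p style="margin-bottom: 8px;"><a href="?act=show_structure">Show structure of %s</a></p>', $_SESSION['table']);
            $table = tinyadm_quote_identifier($_SESSION['table']);
            $res = mysqli_query($db->conn_id, sprintf("select count(*) from %s", $table));
            if (!$res) {
                $db->error();
            } else {
                list($reccount) = mysqli_fetch_row($res);
                pager($reccount);
                exec_sql_internal(sprintf('select * from %s %s', $table, pager_limits()));
            }
            // no break: falls through into exec_sql, as in the original
            // (presumably intentional so the stored SQL runs after the listing — confirm)
        case 'exec_sql':
            exec_sql();
            // in case the query changed the database, switch to it
            $cur_database = $db->get_current_database();
            if ($cur_database != $_SESSION['database']) {
                $_SESSION['database'] = $cur_database;
                setcookie('tinymy_database', $cur_database, time() + 5184000); // 2 months
            }
            break;
    }
    echo '</div>'; // content

    $content = ob_get_contents();
    ob_end_clean(); // menu needs to be created after all the sql has executed
    draw_db_menu();
    echo $content;
}

/**
 * Quote a MySQL identifier (table or column name) with backticks.
 *
 * A backtick inside the name is doubled, which is MySQL's escape for
 * identifiers; string-literal escaping (mysqli_escape_string) does not do
 * this. The result is a plain string ready to be dropped into sprintf().
 *
 * @param string $name raw identifier
 * @return string the identifier wrapped in backticks
 */
function tinyadm_quote_identifier($name)
{
    return '`' . str_replace('`', '``', (string) $name) . '`';
}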
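/**
 * Display login form
 *
 * Renders the (in-skin or back-office) login form: the optional abort /
 * logout links, the hidden routing fields (source, redirect_to, return_to,
 * inskin or the validatemail data), the login and password inputs, fields
 * contributed by plugins, the submit button(s) and — when not in-skin — the
 * current $_REQUEST passed through as hidden inputs.
 *
 * The only behavioural change against the original is the argument order
 * of implode() for the links: implode(array, glue) was removed in PHP 8.0.
 *
 * @param array params merged over the defaults in the array_merge() call
 *                     below, whose keys are the accepted options
 */
function display_login_form($params)
{
    global $Settings, $Plugins, $Session, $Blog, $blog, $dummy_fields;
    global $secure_htsrv_url, $admin_url, $baseurl, $ReqHost, $redirect_to;

    $params = array_merge(array(
        'form_before' => '',
        'form_after' => '',
        'form_action' => '',
        'form_name' => 'login_form',
        'form_title' => '',
        'form_layout' => '',
        'form_class' => 'bComment',
        'source' => 'inskin login form',
        'inskin' => true,
        'inskin_urls' => true,
        'login_required' => true,
        'validate_required' => NULL,
        'redirect_to' => '',
        'return_to' => '',
        'login' => '',
        'action' => '',
        'reqID' => '',
        'sessID' => '',
        'transmit_hashed_password' => false,
        'display_abort_link' => true,
        'abort_link_position' => 'above_form',
        'abort_link_text' => T_('Abort login!'),
        'display_reg_link' => false,
    ), $params);

    $inskin = $params['inskin'];
    $login = $params['login'];
    $redirect_to = $params['redirect_to'];
    $return_to = $params['return_to'];

    $links = array();
    $form_links = array();

    if ($params['display_abort_link']
        && empty($params['login_required'])
        && $params['action'] != 'req_validatemail'
        && strpos($return_to, $admin_url) !== 0
        && strpos($ReqHost . $return_to, $admin_url) !== 0) {
        // No login required, allow to pass through
        // TODO: dh> validate return_to param?!
        // check if return_to url requires logged in user
        if (empty($return_to) || require_login($return_to, true)) {
            // logged in user require for return_to url
            if (!empty($blog)) {
                // blog is set
                if (empty($Blog)) {
                    $BlogCache =& get_BlogCache();
                    $Blog = $BlogCache->get_by_ID($blog, false);
                }
                // set abort url to Blog url
                $abort_url = $Blog->gen_blogurl();
            } else {
                // set abort login url to base url
                $abort_url = $baseurl;
            }
        } else {
            // logged in user isn't required for return_to url, set abort url to return_to
            $abort_url = $return_to;
        }
        // Gets displayed as link to the location on the login form if no login is required
        $abort_link = '<a href="' . htmlspecialchars(url_rel_to_same_host($abort_url, $ReqHost)) . '">' . $params['abort_link_text'] . '</a>';
        if ($params['abort_link_position'] == 'above_form') {
            // Display an abort link under login form
            $links[] = $abort_link;
        } elseif ($params['abort_link_position'] == 'form_title') {
            // Display an abort link in form title block
            $form_links[] = $abort_link;
        }
    }

    if (!$inskin && is_logged_in()) {
        // if we arrive here, but are logged in, provide an option to logout (e.g. during the email validation procedure)
        $links[] = get_user_logout_link();
    }

    if (count($links)) {
        // implode(glue, pieces): the reversed legacy order is a TypeError on PHP 8
        echo '<div class="evo_form__login_links">'
            . '<div class="floatright">' . implode(' · ', $links) . '</div>'
            . '<div class="clear"></div>'
            . '</div>';
    }

    $form_links = count($form_links) ? '<span class="pull-right">' . implode(' ', $form_links) . '</span>' : '';
    echo str_replace('$form_links$', $form_links, $params['form_before']);

    $Form = new Form($params['form_action'], $params['form_name'], 'post', $params['form_layout']);
    $Form->begin_form($params['form_class']);
    $Form->add_crumb('loginform');
    $source = param('source', 'string', $params['source'] . ' login form');
    $Form->hidden('source', $source);
    $Form->hidden('redirect_to', $redirect_to);
    $Form->hidden('return_to', $return_to);
    if ($inskin || $params['inskin_urls']) {
        // inskin login form
        $Form->hidden('inskin', true);
        $separator = '<br />';
    } else {
        // standard login form
        if (!empty($params['form_title'])) {
            // form_title is emitted as-is (caller-supplied markup), not escaped here
            echo '<h4>' . $params['form_title'] . '</h4>';
        }
        $Form->hidden('validate_required', $params['validate_required']);
        if (isset($params['action'], $params['reqID'], $params['sessID']) && $params['action'] == 'validatemail') {
            // the user clicked the link from the "validate your account" email, but has not been logged in; pass on the relevant data:
            $Form->hidden('action', 'validatemail');
            $Form->hidden('reqID', $params['reqID']);
            $Form->hidden('sessID', $params['sessID']);
        }
        $separator = '';
    }

    // check if should transmit hashed password
    if ($params['transmit_hashed_password']) {
        // used by JS-password encryption/hashing:
        $pwd_salt = $Session->get('core.pwd_salt');
        if (empty($pwd_salt)) {
            // Do not regenerate if already set because we want to reuse the previous salt on login screen reloads
            // fp> Question: the comment implies that the salt is reset even on failed login attemps. Why that? I would only have reset it on successful login. Do experts recommend it this way?
            // but if you kill the session you get a new salt anyway, so it's no big deal.
            // At that point, why not reset the salt at every reload? (it may be good to keep it, but I think the reason should be documented here)
            $pwd_salt = generate_random_key(64);
            $Session->set('core.pwd_salt', $pwd_salt, 86400);
            $Session->dbsave(); // save now, in case there's an error later, and not saving it would prevent the user from logging in.
        }
        $Form->hidden('pwd_salt', $pwd_salt);
        // Add container for the hashed password hidden inputs
        echo '<div id="pwd_hashed_container"></div>'; // gets filled by JS
    }

    if ($inskin) {
        $Form->begin_field();
        $Form->text_input($dummy_fields['login'], $params['login'], 18, T_('Login'), $separator . T_('Enter your username (or email address).'), array('maxlength' => 255, 'class' => 'input_text', 'required' => true));
        $Form->end_field();
    } else {
        $Form->text_input($dummy_fields['login'], $params['login'], 18, '', '', array('maxlength' => 255, 'class' => 'input_text', 'input_required' => 'required', 'placeholder' => T_('Username (or email address)')));
    }

    $lost_password_url = get_lostpassword_url($redirect_to, '&', $return_to);
    if (!empty($login)) {
        $lost_password_url = url_add_param($lost_password_url, $dummy_fields['login'] . '=' . rawurlencode($login));
    }
    // NOTE(review): the URL goes into the href without htmlspecialchars(); this
    // is only safe if get_lostpassword_url()/url_add_param() already return
    // attribute-safe output — confirm.
    $pwd_note = '<a href="' . $lost_password_url . '">' . T_('Lost your password?') . '</a>';

    if ($inskin) {
        $Form->begin_field();
        $Form->password_input($dummy_fields['pwd'], '', 18, T_('Password'), array('note' => $pwd_note, 'maxlength' => 70, 'class' => 'input_text', 'required' => true));
        $Form->end_field();
    } else {
        $Form->password_input($dummy_fields['pwd'], '', 18, '', array('placeholder' => T_('Password'), 'note' => $pwd_note, 'maxlength' => 70, 'class' => 'input_text', 'input_required' => 'required'));
    }

    // Allow a plugin to add fields/payload
    $Plugins->trigger_event('DisplayLoginFormFieldset', array('Form' => &$Form));

    // Display registration link after login button
    $register_link = $params['display_reg_link'] ? get_user_register_link('', '', T_('Register') . ' »', '#', true, $redirect_to, $source, 'btn btn-primary btn-lg pull-right') : '';

    // Submit button(s):
    $submit_buttons = array(array('name' => 'login_action[login]', 'value' => T_('Log in!'), 'class' => 'btn-success btn-lg', 'input_suffix' => $register_link));
    $Form->buttons_input($submit_buttons);

    if ($inskin) {
        $before_register_link = '<div class="login_actions" style="text-align:right; margin: 1em 0 1ex"><strong>';
        $after_register_link = '</strong></div>';
        user_register_link($before_register_link, $after_register_link, T_('No account yet? Register here') . ' »', '#', true, $redirect_to, $source);
    } else {
        // Passthrough REQUEST data (when login is required after having POSTed something)
        // (Exclusion of 'login_action', 'login', and 'action' has been removed. This should get handled via detection in Form (included_input_field_names),
        // and "action" is protected via crumbs)
        $Form->hiddens_by_key(remove_magic_quotes($_REQUEST), array('pwd_hashed'));
    }

    $Form->end_form();
    echo $params['form_after'];
    display_login_js_handler($params);
}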
/**
 * Read a request parameter into the global of the same name and force its type.
 *
 * When the global is not set yet (or $override is true) the value is looked up
 * in $_POST, then $_GET, then $_COOKIE and finally $_SESSION — so a field that
 * is missing from the request silently falls back to session state — and is
 * passed through remove_magic_quotes(). When nothing is found: $default === true
 * dies with an error; otherwise $default is assigned when $forceset is set and
 * it is not NO_DEFAULT_PARAM; a 'string-yn' param falls back to 'N'; in any
 * other case false is returned and the global stays unset. An already-set
 * global is only re-run through remove_magic_quotes(). The type is forced in
 * every case that reaches the end.
 *
 * @param string $var      name of the parameter and of the global it is stored in
 * @param string $type     '' (no forcing), 'html', 'string', 'string-yn',
 *                         'array-int', or any name accepted by settype()
 * @param mixed  $default  default value; true = required, NO_DEFAULT_PARAM = none
 * @param bool   $override re-read the request even if the global is already set
 * @param bool   $forceset assign $default when the value is missing or ""
 * @return mixed the (type-forced) value, or false when not found and not defaulted
 */
function param($var, $type = '', $default = NO_DEFAULT_PARAM, $override = false, $forceset = true)
{
    // Check if already set
    // WARNING: when PHP register globals is ON, COOKIES get priority over GET and POST with this!!!
    if (!isset($GLOBALS[$var]) || $override) {
        if (isset($GLOBALS[$var])) {
            unset($GLOBALS[$var]);
        }
        if (isset($_POST[$var])) {
            $GLOBALS[$var] = remove_magic_quotes($_POST[$var]);
        } elseif (isset($_GET["{$var}"])) {
            $GLOBALS[$var] = remove_magic_quotes($_GET[$var]);
        } elseif (isset($_COOKIE[$var])) {
            $GLOBALS[$var] = remove_magic_quotes($_COOKIE[$var]);
        } elseif (isset($_SESSION[$var])) {
            $GLOBALS[$var] = remove_magic_quotes($_SESSION[$var]);
        }
        // echo $var." = ".$GLOBALS[$var]."<br>\n";
        if (!isset($GLOBALS[$var])) {
            // echo $var."<br>\n";
            // echo "Default($var) = $default<br>";
            if ($default === true) {
                // $var is the parameter name chosen by the calling code, not request data
                die('<p class="error">' . sprintf('Parameter %s is required!', $var) . '</p>');
            } elseif ($forceset && "{$default}" != NO_DEFAULT_PARAM) {
                $GLOBALS[$var] = $default;
                // echo "Default($var) = $default<br>";
            } elseif ($type == 'string-yn') {
                $GLOBALS[$var] = 'N';
            } else {
                // param not found! don't set the variable.
                // Won't be memorized nor type-forced!
                return false;
            }
        } else {
            // Loose comparison: null and false also count as "" here (and 0 does on PHP < 8).
            if ($GLOBALS[$var] == "" && $default != NO_DEFAULT_PARAM && $forceset) {
                $GLOBALS[$var] = $default;
            }
        }
    } else {
        $GLOBALS[$var] = remove_magic_quotes($GLOBALS[$var]);
    }

    // type will be forced even if it was set before and not overriden
    // echo $var." = ".$GLOBALS[$var]."<br>\n";
    if (!empty($type)) {
        // Force the type
        switch ($type) {
            case 'html':
                // do nothing
                break;
            case 'string':
                // strip_tags() is not an output escape: a 'string' param still needs
                // htmlspecialchars() (or the escaping of whatever context) when echoed.
                $GLOBALS[$var] = trim(strip_tags($GLOBALS[$var]));
                break;
            case 'string-yn':
                $GLOBALS[$var] = $GLOBALS[$var] == 'Y' ? 'Y' : 'N';
                break;
            case 'array-int':
                settype($GLOBALS[$var], 'array');
                array_walk($GLOBALS[$var], 'array_int_callback');
                break;
            default:
                settype($GLOBALS[$var], $type);
        }
    }
    // echo $var." = ".$GLOBALS[$var]."<br>\n";
    return $GLOBALS[$var];
}
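/**
 * update an existing semester
 *
 * Looks the semester up by $semesterdata['semester_id'], copies the data
 * (magic quotes removed) onto it and stores it; the cached semester list is
 * refreshed on success. The original returned null (fell off the end) when
 * the id was unknown or missing although it documented a boolean — both
 * cases now return false.
 *
 * @param array() $semesterdata must contain 'semester_id'
 * @return boolean true when stored, false when no 'semester_id' was given,
 *                 the semester does not exist, or store() failed
 */
function updateExistingSemester($semesterdata)
{
    if (!isset($semesterdata['semester_id'])) {
        return false;
    }

    $semester = Semester::find($semesterdata['semester_id']);
    if (!$semester) {
        return false;
    }

    $semester->setData(remove_magic_quotes($semesterdata));
    if (!$semester->store()) {
        return false;
    }

    Semester::getall(true); // force a reload of the cached semester list
    return true;
}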
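/**
 * Strip the backslashes that PHP's magic_quotes_gpc added to GET/POST/COOKIE data.
 *
 * http://www.php.net/manual/en/configuration.php#ini.magic-quotes-gpc (by the way: gpc = get post cookie)
 * if (magic_quotes_gpc == 1), then PHP converts automatically " --> \", ' --> \'
 * Has only to be done when getting info from get post cookie
 *
 * Works in place on $x (by reference) and also returns it. Arrays are recursed
 * into; falsy leaves are skipped, as before. The replacement order (\' then
 * \" then \\) is kept from the original.
 *
 * get_magic_quotes_gpc() and each() were both removed in PHP 8.0: the setting
 * is only consulted while the function exists (without it no magic quotes can
 * have been applied, so $x is returned untouched), and the array walk uses
 * foreach over the keys, which — unlike each() — does not depend on the
 * array's internal pointer having been reset.
 *
 * @param mixed  $x       string or (nested) array, modified in place
 * @param string $keyname key under which $x sits in its parent (unused; kept for callers)
 * @return mixed the cleaned $x
 */
function remove_magic_quotes(&$x, $keyname = "")
{
    if (!function_exists('get_magic_quotes_gpc') || get_magic_quotes_gpc() != 1) {
        return $x;
    }

    if (is_array($x)) {
        foreach (array_keys($x) as $key) {
            if ($x[$key]) {
                remove_magic_quotes($x[$key], $key);
            }
        }
        return $x;
    }

    $quote = "'";
    $doublequote = "\"";
    $backslash = "\\";
    $x = str_replace("{$backslash}{$quote}", $quote, $x);
    $x = str_replace("{$backslash}{$doublequote}", $doublequote, $x);
    $x = str_replace("{$backslash}{$backslash}", $backslash, $x);
    return $x;
}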
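/**
 * Assert that we received a valid crumb for the object we want to act on.
 *
 * This will DIE if we have not received a valid crumb.
 *
 * The received crumb must match a crumb we previously saved less than 2 hours ago.
 *
 * Both the latest and the previous saved crumb ("<value>-<unix time>", '-0'
 * when none is saved) are accepted so a form rendered just before a crumb
 * rotation still submits. The comparison uses hash_equals(): the original
 * `==` compared loosely, so two numeric-looking crumbs (e.g. "0e123" and
 * "0e456") would have matched, and the comparison time depended on where the
 * strings first differ.
 *
 * NOTE(review): this body uses $this->get(), i.e. it was lifted out of a
 * class (the class is not visible here); as a free function it cannot run.
 *
 * @param string crumb name
 * @param boolean true if the script should die on error
 * @return boolean true when a saved crumb matched; false on mismatch when
 *                 $die is false (otherwise the script has exited)
 */
function assert_received_crumb($crumb_name, $die = true)
{
    global $servertimenow, $crumb_expires, $debug;

    if (!($crumb_received = param('crumb_' . $crumb_name, 'string', NULL))) {
        // We did not receive a crumb!
        if ($die) {
            bad_request_die('Missing crumb [' . $crumb_name . '] -- It looks like this request is not legit.');
        }
        return false;
    }
    $crumb_received = (string) $crumb_received; // hash_equals() requires strings

    // Retrieve latest saved crumb:
    $crumb_recalled = $this->get('crumb_latest_' . $crumb_name, '-0');
    list($crumb_value, $crumb_time) = explode('-', $crumb_recalled);
    if (hash_equals((string) $crumb_value, $crumb_received) && $servertimenow - (int) $crumb_time <= $crumb_expires) {
        // Crumb is valid
        return true;
    }
    $crumb_valid_latest = $crumb_value;

    // Retrieve previous saved crumb:
    $crumb_recalled = $this->get('crumb_prev_' . $crumb_name, '-0');
    list($crumb_value, $crumb_time) = explode('-', $crumb_recalled);
    if (hash_equals((string) $crumb_value, $crumb_received) && $servertimenow - (int) $crumb_time <= $crumb_expires) {
        // Crumb is valid
        return true;
    }

    if (!$die) {
        return false;
    }

    // ERROR MESSAGE, with form/button to bypass and enough warning hopefully.
    // TODO: dh> please review carefully!
    echo '<div style="background-color: #fdd; padding: 1ex; margin-bottom: 1ex;">';
    echo '<h3 style="color:#f00;">' . T_('Incorrect crumb received!') . ' [' . $crumb_name . ']</h3>';
    echo '<p>' . T_('Your request was stopped for security reasons.') . '</p>';
    echo '<p>' . sprintf(T_('Have you waited more than %d minutes before submitting your request?'), floor($crumb_expires / 60)) . '</p>';
    echo '<p>' . T_('Please go back to the previous page and refresh it before submitting the form again.') . '</p>';
    echo '</div>';

    if ($debug > 0) {
        // Debug builds only: shows the received and both saved crumb values.
        echo '<div>';
        echo '<p>Received crumb:' . $crumb_received . '</p>';
        echo '<p>Latest saved crumb:' . $crumb_valid_latest . '</p>';
        echo '<p>Previous saved crumb:' . $crumb_value . '</p>';
        echo '</div>';
    }

    echo '<div>';
    echo '<p class="warning">' . T_('Alternatively, you can try to resubmit your request with a refreshed crumb:') . '</p>';
    $Form = new Form('', 'evo_session_crumb_resend', $_SERVER['REQUEST_METHOD']);
    $Form->begin_form('inline');
    $Form->add_crumb($crumb_name);
    $Form->hiddens_by_key(remove_magic_quotes($_REQUEST));
    $Form->button(array('submit', '', T_('Resubmit now!'), 'ActionButton'));
    $Form->end_form();
    echo '</div>';
    die;
}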
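/**
 * Store one custom field (meta key/value pair) for a post from the submitted form.
 *
 * The key comes either from the select box (metakeyselect, '#NONE#' meaning
 * nothing chosen) or the free-text input (metakeyinput); when both carry data
 * the input wins. Nothing is written when the value is empty or no key was
 * supplied. The three $_POST fields default to '' when absent (the original
 * raised "undefined index" notices and handed null to trim()), and $post_ID
 * is cast to int because it is interpolated into the statement without going
 * through $wpdb->escape().
 *
 * @param int $post_ID id of the post the meta row belongs to
 */
function add_meta($post_ID)
{
    $metakeyselect = $GLOBALS['wpdb']->escape(remove_magic_quotes(trim(isset($_POST['metakeyselect']) ? $_POST['metakeyselect'] : '')));
    $metakeyinput = $GLOBALS['wpdb']->escape(remove_magic_quotes(trim(isset($_POST['metakeyinput']) ? $_POST['metakeyinput'] : '')));
    $metavalue = $GLOBALS['wpdb']->escape(remove_magic_quotes(trim(isset($_POST['metavalue']) ? $_POST['metavalue'] : '')));

    if (!empty($metavalue) && ('#NONE#' != $metakeyselect && !empty($metakeyselect) || !empty($metakeyinput))) {
        // We have a key/value pair. If both the select and the
        // input for the key have data, the input takes precedence:
        if ('#NONE#' != $metakeyselect) {
            $metakey = $metakeyselect;
        }
        if ($metakeyinput) {
            $metakey = $metakeyinput;
        }
        // Only the escaped key/value and an integer post id reach the query text.
        // (This WordPress version builds the statement by hand via escape();
        // $wpdb->prepare() is the preferred API where it is available.)
        $post_ID = (int) $post_ID;
        $GLOBALS['wpdb']->query("\n\t\t\t\tINSERT INTO " . wp_table('postmeta') . " \n\t\t\t\t(post_id,meta_key,meta_value) \n\t\t\t\tVALUES ('{$post_ID}','{$metakey}','{$metavalue}')\n\t\t\t");
    }
}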
$pass = isset($_GET['pwd']) ? $_GET['pwd'] : ''; unset($_GET['pwd']); // password will be hashed below } $Debuglog->add('login: '******'login'); $Debuglog->add('pass: '******'' : 'not') . ' empty', 'login'); // either 'login' (normal) or 'redirect_to_backoffice' may be set here. This also helps to display the login form again, if either login or pass were empty. $login_action = param_arrayindex('login_action'); $UserCache =& get_Cache('UserCache'); if (!empty($login_action) || !empty($login) && !empty($pass)) { // User is trying to login right now $Debuglog->add('User is trying to log in.', 'login'); header_nocache(); // Note: login and password cannot include '<' ! $login = strtolower(strip_tags(remove_magic_quotes($login))); $pass = strip_tags(remove_magic_quotes($pass)); $pass_md5 = md5($pass); /* * Handle javascript-hashed password: * If possible, the login form will hash the entered password with a salt that changes everytime. */ param('pwd_salt', 'string', ''); // just for comparison with the one from Session $pwd_salt_sess = $Session->get('core.pwd_salt'); // $Debuglog->add( 'salt: '.var_export($pwd_salt, true).', session salt: '.var_export($pwd_salt_sess, true) ); $transmit_hashed_password = (bool) $Settings->get('js_passwd_hashing') && !(bool) $Plugins->trigger_event_first_true('LoginAttemptNeedsRawPassword'); if ($transmit_hashed_password) { param('pwd_hashed', 'string', ''); } else { // at least one plugin requests the password un-hashed: $pwd_hashed = '';
/**
 * Validate the submitted group data and copy it onto $this.
 *
 * Sets the name (preset name or new name, magic quotes removed), the size
 * and the self-assign flag, optionally creates a group folder, stores the
 * datafield entries of a non-seminar group, and re-parents the group when a
 * new "vather" (parent) was selected. Notices and error texts are collected
 * in $this->messages['msg'] / $this->messages['error'].
 *
 * NOTE(review): this body uses $this, i.e. it is a method lifted out of its
 * class; the class and the $invalidEntries global it reads are not visible here.
 *
 * @return bool false when invalid datafield entries were recorded for a
 *              non-seminar group (see the note at the end), true otherwise
 */
function checkData()
{
    global $invalidEntries;

    // check the standard role data
    if (!Request::get('new_name') && Request::get('presetName') != 'none') {
        $this->name = remove_magic_quotes(Request::get('presetName'));
    } else {
        $this->name = remove_magic_quotes(Request::get('new_name'));
    }
    $this->size = (int) Request::int('new_size');

    // check if we have to remove the self_assign_exclusive-flag
    $this->selfassign = SetSelfAssign($this->statusgruppe_id, Request::quoted('new_selfassign') ? 1 : 0);

    if (Request::get('groupfolder')) {
        // check if there already exists a folder
        $stmt = DBManager::get()->prepare("SELECT COUNT(*) as c FROM folder WHERE range_id = ?");
        $stmt->execute(array($this->statusgruppe_id));
        if ($folder = $stmt->fetch(PDO::FETCH_ASSOC)) {
            if ($folder['c'] == 0) {
                // if no folder exists, we create one
                $title = _("Dateiordner der Gruppe:") . ' ' . $this->name;
                $description = _("Ablage für Ordner und Dokumente dieser Gruppe");
                $permission = 15;
                // NOTE(review): the title is addslashes()'d but the description is
                // not — presumably create_folder() expects a pre-quoted title; confirm.
                create_folder(addslashes($title), $description, $this->statusgruppe_id, $permission);
                $this->messages['msg'][] = _("Es wurde ein Gruppenordner angelegt.");
            }
        }
    }

    if (!$this->isSeminar()) {
        // check the datafields
        foreach (Request::quotedArray('datafields') as $id => $data) {
            $struct = DataField::find($id);
            $entry = DataFieldEntry::createDataFieldEntry($struct, array($this->range_id, $this->statusgruppe_id));
            $entry->setValueFromSubmit($data);
            if ($entry->isValid()) {
                $entry->store();
            } else {
                $invalidEntries[$struct->id] = $entry;
            }
        }

        // a group cannot be its own parent ("vather")
        if (Request::get('vather') == $this->statusgruppe_id) {
            $this->messages['error'][] = _("Sie könne diese Gruppe nicht sich selbst unterordnen!");
        } else {
            // check if the group shall be moved
            if (Request::get('vather') != 'nochange') {
                if (Request::option('vather') == 'root') {
                    $vather_id = $GLOBALS['range_id'];
                } else {
                    $vather_id = Request::option('vather');
                }
                // refuse to move the group under one of its own descendants
                if (!isVatherDaughterRelation($this->statusgruppe_id, $vather_id)) {
                    $this->range_id = $vather_id;
                } else {
                    $this->messages['error'][] = _("Sie können diese Gruppe nicht einer ihr untergeordneten Gruppe zuweisen!");
                }
            }
        }
    }

    // NOTE(review): is_array() is also true for an empty array, so if the
    // caller initialises $invalidEntries as array() this reports an error even
    // when every entry was valid — presumably the global stays null until an
    // entry is invalid; confirm against the caller.
    if (!$this->isSeminar() && is_array($invalidEntries)) {
        $this->messages['error'][] = _("Korrigieren Sie die fehlerhaften Eingaben!");
        return false;
    }
    return true;
}
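/**
 * Undo the HTML-entity encoding of the four characters encoded on the way in
 * (", ', <, >) and strip magic-quote slashes from submitted text.
 *
 * NOTE(review): in the listing we received the search list had already been
 * entity-decoded by the extractor (it read '"', ''', '<', '>' and did not
 * parse); the entities below are the reconstruction of what it must have
 * held — confirm '&#039;' (vs '&#39;') against the upstream file.
 *
 * @param string $string submitted text
 * @return string text with the four entities decoded and slashes stripped
 */
function tidypostdata($string)
{
    return str_replace(
        array('&quot;', '&#039;', '&lt;', '&gt;'),
        array('"', "'", '<', '>'),
        remove_magic_quotes($string)
    );
}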