コード例 #1
0
 function checkFields($aData, $zData = false)
 {
     // Checks fields before submission of data.
     global $_SETT;
     $this->aCheckMandatory = array('system_title', 'email_address', 'refseq_build');
     parent::checkFields($aData);
     // Database URL is mandatory, if the option "Include in the global LOVD listing" is selected.
     if (!empty($aData['include_in_listing']) && empty($aData['location_url'])) {
         lovd_errorAdd('location_url', 'Please fill in an URL in the \'Database URL\' field, if you want this LOVD installation to be included in the global LOVD listing; otherwise disable the \'Include in the global LOVD listing\' setting below.');
     }
     // Database URL should be an URL.
     if (!empty($aData['location_url']) && !lovd_matchURL($aData['location_url'])) {
         lovd_errorAdd('location_url', 'Please fill in a correct URL in the \'Database URL\' field.');
     }
     // Email address.
     if (!empty($aData['email_address']) && !lovd_matchEmail($aData['email_address'])) {
         lovd_errorAdd('email_address', 'Please fill in a correct email address.');
     }
     // Refseq build should match the available builds.
     if (!empty($aData['refseq_build']) && !array_key_exists($aData['refseq_build'], $_SETT['human_builds'])) {
         lovd_errorAdd('refseq_build', 'Please select one of the available Human Builds.');
     }
     // Proxy server checks (valid hostname, valid port number, try connecting.
     if (!empty($aData['proxy_host'])) {
         // Pattern taken from lovd_matchURL().
         if (!preg_match('/^([0-9]{1,3}(\\.[0-9]{1,3}){3}|(([0-9a-z][-0-9a-z]*[0-9a-z]|[0-9a-z])\\.?)+[a-z]{2,6})$/i', $aData['proxy_host'])) {
             lovd_errorAdd('proxy_host', 'Please fill in a correct host name of the proxy server, if you wish to use one.');
         } elseif (empty($aData['proxy_port'])) {
             lovd_errorAdd('proxy_port', 'Please fill in a correct, numeric, port number of the proxy server, if you wish to use a proxy server.');
         } else {
             // Alright, let's try and connect.
             // First: normal connect, direct, no outside connection requested.
             $f = @fsockopen($aData['proxy_host'], $aData['proxy_port'], $nError, $sError, 5);
             if ($f === false) {
                 lovd_errorAdd('proxy_host', 'Could not connect to given proxy server. Please check if the fields are correctly filled in.');
                 lovd_errorAdd('proxy_port', '');
             } else {
                 $sRequest = 'GET ' . $_SETT['check_location_URL'] . ' HTTP/1.0' . "\r\n" . 'User-Agent: LOVDv.' . $_SETT['system']['version'] . " Proxy Check\r\n" . (empty($_POST['proxy_username']) || empty($_POST['proxy_password']) ? '' : 'Proxy-Authorization: Basic ' . base64_encode($_POST['proxy_username'] . ':' . $_POST['proxy_password']) . "\r\n") . 'Connection: Close' . "\r\n\r\n";
                 fputs($f, $sRequest);
                 $s = rtrim(fgets($f));
                 if (!preg_match('/^HTTP\\/1\\.. [23]/', $s, $aRegs)) {
                     // Allowing HTTP 2XX and 3XX.
                     if (preg_match('/^HTTP\\/1\\.. 407/', $s, $aRegs)) {
                         // Proxy needs username and password.
                         if (!empty($_POST['proxy_username']) && !empty($_POST['proxy_password'])) {
                             lovd_errorAdd('proxy_username', 'Invalid username/password combination for this proxy server. Please try again.');
                             lovd_errorAdd('proxy_password', '');
                         } else {
                             lovd_errorAdd('proxy_username', 'This proxy server requires a valid username and password. Please make sure you provide them both.');
                             lovd_errorAdd('proxy_password', '');
                         }
                     } else {
                         lovd_errorAdd('proxy_host', 'Unexpected answer from proxy when trying to connect upstream: ' . $s);
                     }
                 }
             }
         }
     } elseif (!empty($aData['proxy_port'])) {
         // We have a port number, but no host name.
         lovd_errorAdd('proxy_host', 'Please also fill in a correct host name of the proxy server, if you wish to use one.');
     }
     // Custom logo must exist.
     if (!empty($aData['logo_uri'])) {
         // Determine if file can be read and is an image or not.
         if (!is_readable(ROOT_PATH . $aData['logo_uri'])) {
             lovd_errorAdd('logo_uri', 'Cannot read the custom logo file. Please make sure the path is correct and that the file can be read.');
         } else {
             $a = @getimagesize(ROOT_PATH . $aData['logo_uri']);
             if (!is_array($a)) {
                 lovd_errorAdd('logo_uri', 'The custom logo file that you selected does not seem to be a picture.');
             }
         }
     } else {
         // FIXME; this is probably not the best way of doing this...
         $_POST['logo_uri'] = 'gfx/LOVD3_logo145x50.jpg';
     }
     // FIXME; Like above, not the best solution, but gets the job done for now.
     if (empty($aData['mutalyzer_soap_url'])) {
         $_POST['mutalyzer_soap_url'] = 'https://mutalyzer.nl/services';
     }
     // SSL check.
     if (!empty($aData['use_ssl']) && !SSL) {
         lovd_errorAdd('use_ssl', 'You\'ve selected to force the use of SSL, but SSL is not currently activated for this session. To force SSL, I must be sure it\'s possible to approach LOVD through an SSL connection (use <A href="https://' . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF'] . ($_SERVER['QUERY_STRING'] ? '?' . str_replace('&sent=true', '', $_SERVER['QUERY_STRING']) : '') . '" target="_blank">https://</A> instead of http://).');
     }
     $_POST['api_feed_history'] = 0;
     $_POST['allow_count_hidden_entries'] = 0;
     $_POST['use_versioning'] = 0;
     // XSS attack prevention. Deny input of HTML.
     lovd_checkXSS();
 }
コード例 #2
0
ファイル: object_users.php プロジェクト: LOVDnl/LOVD3
 function checkFields($aData, $zData = false)
 {
     // Checks fields before submission of data.
     global $_AUTH, $_DB, $_PE, $_SETT;
     // Mandatory fields.
     $this->aCheckMandatory = array('name', 'institute', 'address', 'city', 'countryid', 'email', 'username');
     // These password fields are only not mandatory when we're editing.
     if (ACTION != 'edit') {
         $this->aCheckMandatory[] = 'password_1';
         $this->aCheckMandatory[] = 'password_2';
     }
     parent::checkFields($aData);
     // Email address.
     if (!empty($aData['email'])) {
         $aEmail = explode("\r\n", $aData['email']);
         foreach ($aEmail as $sEmail) {
             if (!lovd_matchEmail($sEmail)) {
                 lovd_errorAdd('email', 'Email "' . htmlspecialchars($sEmail) . '" is not a correct email address' . ($sEmail && $sEmail == trim($sEmail) ? '' : '. Make sure there are no spaces or empty lines left in the email field') . '.');
             }
         }
     }
     if (lovd_getProjectFile() == '/install/index.php' || ACTION == 'create') {
         // Check username format.
         if ($aData['username'] && !lovd_matchUsername($aData['username'])) {
             lovd_errorAdd('username', 'Please fill in a correct username; 4 to 20 characters and starting with a letter followed by letters, numbers, dots, underscores and dashes only.');
         }
     }
     if (in_array(ACTION, array('create', 'register'))) {
         // Does the username exist already?
         if ($aData['username']) {
             if ($_DB->query('SELECT COUNT(*) FROM ' . TABLE_USERS . ' WHERE username = ?', array($aData['username']))->fetchColumn()) {
                 lovd_errorAdd('username', 'There is already a user with this username. Please choose another one.');
             }
         }
     }
     // One of two password fields entered... check 'em.
     if ($aData['password_1'] || $aData['password_2']) {
         if ($aData['password_1'] && $aData['password_2']) {
             // Both entered.
             if ($aData['password_1'] != $aData['password_2']) {
                 lovd_errorAdd('password_2', 'The \'' . (in_array(ACTION, array('edit', 'change_password')) ? 'New p' : 'P') . 'assword\' fields are not equal. Please try again.');
             } else {
                 // Password quality.
                 if (!lovd_matchPassword($aData['password_1'])) {
                     lovd_errorAdd('password_1', 'Your password is found too weak. Please fill in a proper password; at least 4 characters long and containing at least one number or special character.');
                 }
             }
         } else {
             if (in_array(ACTION, array('edit', 'change_password'))) {
                 lovd_errorAdd('password_2', 'If you want to change the current password, please fill in both \'New password\' fields.');
             } else {
                 lovd_errorAdd('password_2', 'Please fill in both \'Password\' fields.');
             }
         }
     }
     // Check given security IP range.
     if (!empty($aData['allowed_ip'])) {
         // This function will throw an error itself (second argument).
         $bIP = lovd_matchIPRange($aData['allowed_ip'], 'allowed_ip');
         if (lovd_getProjectFile() == '/install/index.php' || ACTION == 'edit' && $_PE[1] == $_AUTH['id']) {
             // Check given security IP range.
             if ($bIP && !lovd_validateIP($aData['allowed_ip'], $_SERVER['REMOTE_ADDR'])) {
                 // This IP range is not allowing the current IP to connect. This ain't right.
                 // If IP address is actually IPv6, then complain that we can't restrict at all.
                 // Otherwise, be clear the current setting just doesn't match.
                 if (strpos($_SERVER['REMOTE_ADDR'], ':') !== false) {
                     // IPv6...
                     lovd_errorAdd('allowed_ip', 'Your current IP address is IPv6 (' . $_SERVER['REMOTE_ADDR'] . '), which is not supported by LOVD to restrict access to your account.');
                 } else {
                     lovd_errorAdd('allowed_ip', 'Your current IP address is not matched by the given IP range. This would mean you would not be able to get access to LOVD with this IP range.');
                 }
             }
         }
     } else {
         // We're not sure if $aData == $_POST. But we'll just do this. It can't harm I guess.
         $_POST['allowed_ip'] = '*';
     }
     // Level can't be higher or equal than the current user.
     if (!empty($aData['level']) && $aData['level'] >= $_AUTH['level']) {
         lovd_writeLog('Error', 'HackAttempt', 'Tried to upgrade user ID ' . $_PE[1] . ' to level ' . $_SETT['user_levels'][$aData['level']] . ')');
         lovd_errorAdd('level', 'User level is not permitted. Hack attempt.');
     }
     // XSS attack prevention. Deny input of HTML.
     lovd_checkXSS();
 }