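/**
 * Upgrade the SecurityCenter module from an older version.
 *
 * The switch cases fall through deliberately: every step between
 * $oldversion and the current version runs in order.
 *
 * The 1.3 step installs the PHPIDS defaults in soft-block mode
 * (idssoftblock = 1: offending requests are reported but not blocked) and
 * the four impact thresholds that drive db logging, admin mail, request
 * blocking and session destruction respectively.
 *
 * @param string $oldversion Version number string to upgrade from.
 *
 * @return mixed True on success, last valid version string or false on failure.
 */
public function upgrade($oldversion)
{
    switch ($oldversion) {
        case '1.3':
            // create the cache directory for HTML Purifier
            // (relies on CacheUtil::clearLocalDir() creating it when absent - confirm)
            $purifierCacheDir = CacheUtil::getLocalDir() . '/purifierCache';
            if (!file_exists($purifierCacheDir)) {
                CacheUtil::clearLocalDir('purifierCache');
            }

            // create the PHPIDS intrusion log table
            if (!DBUtil::createTable('sc_intrusion')) {
                return false;
            }

            // PHPIDS defaults
            System::setVar('useids', 0);
            System::setVar('idsmail', 0);
            System::setVar('idsrulepath', 'config/phpids_zikula_default.xml'); // PHPIDS rule set
            System::setVar('idssoftblock', 1); // do not block requests, but warn for debugging
            System::setVar('idsfilter', 'xml'); // filter type
            System::setVar('idsimpactthresholdone', 1); // db logging
            System::setVar('idsimpactthresholdtwo', 10); // mail admin
            System::setVar('idsimpactthresholdthree', 25); // block request
            System::setVar('idsimpactthresholdfour', 75); // kick user, destroy session
            System::setVar('idsimpactmode', 1); // per request per default
            System::setVar('idshtmlfields', array('POST.__wysiwyg'));
            System::setVar('idsjsonfields', array('POST.__jsondata'));
            System::setVar('idsexceptions', array('GET.__utmz', 'GET.__utmc', 'REQUEST.linksorder', 'POST.linksorder', 'REQUEST.fullcontent', 'POST.fullcontent', 'REQUEST.summarycontent', 'POST.summarycontent', 'REQUEST.filter.page', 'POST.filter.page', 'REQUEST.filter.value', 'POST.filter.value'));

            // drop the system-level var; the HTML Purifier defaults are now
            // stored (serialised) as a module var
            System::delVar('htmlpurifierConfig');
            $purifierDefaultConfig = SecurityCenter_Util::getpurifierconfig(array('forcedefault' => true));
            $this->setVar('htmlpurifierConfig', serialize($purifierDefaultConfig));

            // presumably brings sc_intrusion in line with the current table definition
            if (!DBUtil::changeTable('sc_intrusion')) {
                return false;
            }

            System::setVar('sessioncsrftokenonetime', 0);
            // fall through

        case '1.4.4':
            // future upgrade routines
    }

    // Update successful
    return true;
}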
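/**
 * Output filter event handler: runs the event payload through HTML Purifier.
 *
 * Does nothing when the 'outputfilter' system var is greater than 1.
 * Purified fragments are memoised for the lifetime of the request in a
 * static cache keyed by the md5 of the raw payload, so an identical fragment
 * is purified only once (an md5 collision would serve the wrong fragment -
 * accepted as theoretical here).
 *
 * The template delimiters '{' and '}' are swapped for placeholder tokens
 * before purification and restored afterwards so the purifier does not
 * mangle them. The restore step is unconditional, so a literal
 * '%VIEW_LEFT_DELIMITER%' / '%VIEW_RIGHT_DELIMITER%' in the input also
 * ends up as a brace.
 *
 * @param Zikula_Event $event Event whose data property holds the string to filter.
 *
 * @return string|null The purified data, or null when filtering is disabled.
 */
public function outputFilter(Zikula_Event $event)
{
    if (System::getVar('outputfilter') > 1) {
        return;
    }

    // per-request memo of already-purified fragments
    static $safecache = array();

    $purifier = SecurityCenter_Util::getpurifier();
    $md5 = md5($event->data);

    if (isset($safecache[$md5])) {
        $event->data = $safecache[$md5];

        return $event->data;
    }

    // protect both template delimiters from the purifier
    // (previously '{' was replaced twice and '}' was never protected)
    $data = str_replace(array('{', '}'), array('%VIEW_LEFT_DELIMITER%', '%VIEW_RIGHT_DELIMITER%'), $event->data);
    $data = $purifier->purify($data);
    // restore the delimiters
    $data = str_replace(array('%VIEW_LEFT_DELIMITER%', '%VIEW_RIGHT_DELIMITER%'), array('{', '}'), $data);

    $safecache[$md5] = $data;
    $event->data = $data;

    return $event->data;
}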
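/**
 * Update the HTML Purifier configuration from the submitted admin form.
 *
 * Reads the 'purifierConfig' POST array, normalises it into the shape
 * HTMLPurifier_Config expects (textarea values of LOOKUP, ALIST and HASH
 * directives become one entry per line; null values fall back to the
 * default), stores it serialised in the 'htmlpurifierConfig' module var,
 * rebuilds the purifier, clears the compiled caches and redirects back to
 * the modifyconfig page.
 *
 * Requires a valid CSRF token and ACCESS_ADMIN on 'SecurityCenter::'.
 *
 * @return mixed Redirects on success; the LogUtil permission error result
 *               when the caller lacks ACCESS_ADMIN.
 */
public function updatepurifierconfig()
{
    $this->checkCsrfToken();

    // Security check
    if (!SecurityUtil::checkPermission('SecurityCenter::', '::', ACCESS_ADMIN)) {
        return LogUtil::registerPermissionError();
    }

    // Load HTMLPurifier classes and the directive schema
    $purifier = SecurityCenter_Util::getpurifier();
    $definition = $purifier->config->def;

    // Submitted form values; treat a missing/invalid submission as empty
    $config = FormUtil::getPassedValue('purifierConfig', null, 'POST');
    if (!is_array($config)) {
        $config = array();
    }
    $config = HTMLPurifier_Config::prepareArrayFromForm($config, false, true, true, $definition);

    $allowed = HTMLPurifier_Config::getAllowedDirectivesForForm(true, $definition);
    foreach ($allowed as $allowedDirective) {
        list($namespace, $directive) = $allowedDirective;

        // a null submitted value means "use the default": drop it
        $config = $this->_unsetNullDirective($config, $namespace, $directive);
        if (!isset($config[$namespace][$directive])) {
            continue;
        }

        $directiveKey = $namespace . '.' . $directive;
        $def = isset($definition->info[$directiveKey]) ? $definition->info[$directiveKey] : null;
        $parsed = $this->_parseMultilineDirective($this->_directiveType($def), $config[$namespace][$directive]);
        if ($parsed === null) {
            // scalar directive types are stored as submitted
            continue;
        }
        if (empty($parsed)) {
            unset($config[$namespace][$directive]);
        } else {
            $config[$namespace][$directive] = $parsed;
        }
    }

    $this->setVar('htmlpurifierConfig', serialize($config));
    // rebuild the purifier instance so the new configuration takes effect
    SecurityCenter_Util::getpurifier(true);

    // clear all cache and compile directories
    ModUtil::apiFunc('Settings', 'admin', 'clearallcompiledcaches');

    // the module configuration has been updated successfully
    LogUtil::registerStatus($this->__('Done! Saved HTMLPurifier configuration.'));

    // This function generated no output, and so now it is complete we redirect
    // the user to an appropriate page for them to carry on their work
    $this->redirect(ModUtil::url('SecurityCenter', 'admin', 'modifyconfig'));
}

/**
 * Remove a directive whose submitted value is null, and its namespace if
 * that leaves the namespace empty.
 *
 * @param mixed  $config    Config array (as returned by prepareArrayFromForm).
 * @param string $namespace Directive namespace.
 * @param string $directive Directive name.
 *
 * @return mixed The config with the null directive removed.
 */
private function _unsetNullDirective($config, $namespace, $directive)
{
    if (!isset($config[$namespace]) || !array_key_exists($directive, $config[$namespace])) {
        return $config;
    }
    if ($config[$namespace][$directive] !== null) {
        return $config;
    }

    unset($config[$namespace][$directive]);
    if (count($config[$namespace]) <= 0) {
        unset($config[$namespace]);
    }

    return $config;
}

/**
 * Resolve the HTMLPurifier_VarParser type of a schema info entry.
 *
 * @param mixed $def Schema info entry: an int (type, negative when nullable),
 *                   an object with a 'type' property, or null when unknown.
 *
 * @return int The type constant, or 0 when it cannot be determined.
 */
private function _directiveType($def)
{
    if (is_int($def)) {
        return abs($def);
    }

    return isset($def->type) ? $def->type : 0;
}

/**
 * Convert the textarea form of a LOOKUP, ALIST or HASH directive into the
 * array HTML Purifier expects: one entry per non-blank line. HASH lines are
 * 'key: value' and are split on the first colon only, so values may contain
 * colons; lines without a separator are skipped.
 *
 * @param int    $directiveType HTMLPurifier_VarParser type constant.
 * @param string $raw           Submitted textarea contents.
 *
 * @return array|null Parsed entries, or null when the type is not multi-line.
 */
private function _parseMultilineDirective($directiveType, $raw)
{
    $isLookup = ($directiveType === HTMLPurifier_VarParser::LOOKUP);
    $isList = ($directiveType === HTMLPurifier_VarParser::ALIST);
    $isHash = ($directiveType === HTMLPurifier_VarParser::HASH);
    if (!$isLookup && !$isList && !$isHash) {
        return null;
    }

    $entries = array();
    // accept CRLF, LF and CR line endings (browsers submit textareas as CRLF)
    foreach (preg_split('/\r\n|\r|\n/', (string)$raw) as $line) {
        $line = trim($line);
        if ($line === '') {
            continue; // blank line
        }

        if ($isLookup) {
            $entries[$line] = true;
        } elseif ($isList) {
            $entries[] = $line;
        } else {
            $pair = explode(':', $line, 2);
            if (count($pair) !== 2) {
                continue; // no 'key: value' separator
            }
            $key = trim($pair[0]);
            $value = trim($pair[1]);
            if ($key !== '' && $value !== '') {
                $entries[$key] = $value;
            }
        }
    }

    return $entries;
}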