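 /**
  * Upgrade the SecurityCenter module from an old version.
  *
  * The switch cases intentionally fall through so that an upgrade from an
  * older version also runs every later migration step in order.
  *
  * @param string $oldversion Version number string to upgrade from.
  *
  * @return bool True on success, false when a table create/change fails.
  */
 public function upgrade($oldversion)
 {
     switch ($oldversion) {
         case '1.3':
             // create cache directory for HTML Purifier
             $purifierCacheDir = CacheUtil::getLocalDir() . '/purifierCache';
             if (!file_exists($purifierCacheDir)) {
                 CacheUtil::clearLocalDir('purifierCache');
             }
             // create ids intrusions table
             if (!DBUtil::createTable('sc_intrusion')) {
                 return false;
             }
             // create vars for phpids usage
             System::setVar('useids', 0);
             System::setVar('idsmail', 0);
             System::setVar('idsrulepath', 'config/phpids_zikula_default.xml');
             // soft block: do not block requests, only warn (debugging aid)
             System::setVar('idssoftblock', 1);
             // filter type
             System::setVar('idsfilter', 'xml');
             // impact thresholds, lowest to highest:
             //   one   -> db logging
             //   two   -> mail admin
             //   three -> block request
             //   four  -> kick user, destroy session
             System::setVar('idsimpactthresholdone', 1);
             System::setVar('idsimpactthresholdtwo', 10);
             System::setVar('idsimpactthresholdthree', 25);
             System::setVar('idsimpactthresholdfour', 75);
             // impact mode: per request per default
             System::setVar('idsimpactmode', 1);
             // fields containing html / json payloads (presumably given special
             // treatment by the IDS -- confirm against the IDS filter)
             System::setVar('idshtmlfields', array('POST.__wysiwyg'));
             System::setVar('idsjsonfields', array('POST.__jsondata'));
             // request parameters exempted from IDS checks (inferred from the name)
             System::setVar('idsexceptions', array('GET.__utmz', 'GET.__utmc', 'REQUEST.linksorder', 'POST.linksorder', 'REQUEST.fullcontent', 'POST.fullcontent', 'REQUEST.summarycontent', 'POST.summarycontent', 'REQUEST.filter.page', 'POST.filter.page', 'REQUEST.filter.value', 'POST.filter.value'));
             // the purifier config moves from a system var to a module var
             System::delVar('htmlpurifierConfig');
             // HTML Purifier default settings
             $purifierDefaultConfig = SecurityCenter_Util::getpurifierconfig(array('forcedefault' => true));
             $this->setVar('htmlpurifierConfig', serialize($purifierDefaultConfig));
             if (!DBUtil::changeTable('sc_intrusion')) {
                 return false;
             }
             System::setVar('sessioncsrftokenonetime', 0);
         case '1.4.4':
             // future upgrade routines
     }
     // Update successful
     return true;
 }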
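    /**
     * Run HTML Purifier over the event data and hand the result back.
     *
     * Renderer delimiters ('{' and '}') are swapped for placeholders before
     * purifying so the purifier does not alter them, then restored afterwards.
     * Purified output is memoised per input hash for the rest of the request.
     *
     * @param Zikula_Event $event Event whose ->data holds the string to filter.
     *
     * @return string|null The purified data, or null when the output filter is
     *                     switched off (module var 'outputfilter' > 1).
     */
    public function outputFilter(Zikula_Event $event)
    {
        if (System::getVar('outputfilter') > 1) {
            return;
        }

        // per-request memo of already purified strings, keyed by hash of the input;
        // a collision could only serve an already purified string, never raw input
        static $safecache = array();
        $purifier = SecurityCenter_Util::getpurifier();

        $md5 = md5($event->data);
        if (isset($safecache[$md5])) {
            $event->data = $safecache[$md5];

            return $event->data;
        }

        // protect both renderer delimiters; the right delimiter was previously
        // matched against '{' as well, so '}' reached the purifier unprotected
        $data = str_replace('{', '%VIEW_LEFT_DELIMITER%', $event->data);
        $data = str_replace('}', '%VIEW_RIGHT_DELIMITER%', $data);
        $data = $purifier->purify($data);

        // restore renderer delimiters
        $data = str_replace('%VIEW_LEFT_DELIMITER%', '{', $data);
        $data = str_replace('%VIEW_RIGHT_DELIMITER%', '}', $data);

        // cache the value and publish it on the event only once fully processed
        $safecache[$md5] = $data;
        $event->data = $data;

        return $event->data;
    }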
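    /**
     * Update HTMLPurifier configuration.
     *
     * Reads the posted 'purifierConfig' form, normalises every allowed directive
     * into the array shape HTMLPurifier expects for its type, stores the result in
     * the module var 'htmlpurifierConfig', rebuilds the purifier, clears the
     * compiled caches and redirects back to the config page.
     *
     * @return void
     */
    public function updatepurifierconfig()
    {
        $this->checkCsrfToken();

        // Security check
        if (!SecurityUtil::checkPermission('SecurityCenter::', '::', ACCESS_ADMIN)) {
            return LogUtil::registerPermissionError();
        }

        // Load HTMLPurifier Classes
        $purifier = SecurityCenter_Util::getpurifier();

        // Update module variables.
        $config = FormUtil::getPassedValue('purifierConfig', null, 'POST');
        $config = HTMLPurifier_Config::prepareArrayFromForm($config, false, true, true, $purifier->config->def);

        $allowed = HTMLPurifier_Config::getAllowedDirectivesForForm(true, $purifier->config->def);
        foreach ($allowed as $allowedDirective) {
            list($namespace, $directive) = $allowedDirective;

            // a null value means "not set" -- drop it both before and after conversion
            $config = $this->dropNullDirective($config, $namespace, $directive);

            if (isset($config[$namespace][$directive])) {
                $def = $purifier->config->def->info[$namespace . '.' . $directive];
                // the definition is either a bare (possibly negative) type id or an
                // object carrying the type in ->type; 0 when neither is available
                if (is_int($def)) {
                    $directiveType = abs($def);
                } else {
                    $directiveType = (isset($def->type) ? $def->type : 0);
                }

                $converted = $this->convertDirectiveValue($directiveType, $config[$namespace][$directive]);
                if ($converted === null) {
                    unset($config[$namespace][$directive]);
                } else {
                    $config[$namespace][$directive] = $converted;
                }
            }

            $config = $this->dropNullDirective($config, $namespace, $directive);
        }

        $this->setVar('htmlpurifierConfig', serialize($config));

        // NOTE(review): presumably the true flag forces the purifier to be rebuilt
        // with the configuration just saved -- confirm in SecurityCenter_Util
        SecurityCenter_Util::getpurifier(true);

        // clear all cache and compile directories
        ModUtil::apiFunc('Settings', 'admin', 'clearallcompiledcaches');

        // the module configuration has been updated successfully
        LogUtil::registerStatus($this->__('Done! Saved HTMLPurifier configuration.'));

        // This function generated no output, and so now it is complete we redirect
        // the user to an appropriate page for them to carry on their work
        $this->redirect(ModUtil::url('SecurityCenter', 'admin', 'modifyconfig'));
    }

    /**
     * Remove a directive whose submitted value is null, and its namespace when
     * that leaves the namespace empty.
     *
     * @param mixed  $config    Directive config, keyed namespace => directive => value.
     * @param string $namespace Directive namespace.
     * @param string $directive Directive name.
     *
     * @return mixed The config with the null directive removed.
     */
    private function dropNullDirective($config, $namespace, $directive)
    {
        if (isset($config[$namespace])
                && array_key_exists($directive, $config[$namespace])
                && is_null($config[$namespace][$directive])) {
            unset($config[$namespace][$directive]);

            if (count($config[$namespace]) <= 0) {
                unset($config[$namespace]);
            }
        }

        return $config;
    }

    /**
     * Convert a raw multi-line form value into the structure HTMLPurifier
     * expects for the directive type. Types other than LOOKUP, ALIST and HASH
     * are passed through unchanged.
     *
     * @param int   $directiveType One of the HTMLPurifier_VarParser::* type ids.
     * @param mixed $value         Raw value submitted for the directive.
     *
     * @return mixed The converted value, or null when the conversion yields nothing.
     */
    private function convertDirectiveValue($directiveType, $value)
    {
        switch ($directiveType) {
            case HTMLPurifier_VarParser::LOOKUP:
                // lookup: each line becomes a key mapped to true
                $result = array();
                foreach ($this->splitNonEmptyLines($value) as $line) {
                    $result[$line] = true;
                }
                break;
            case HTMLPurifier_VarParser::ALIST:
                // list: one entry per non-empty line
                $result = $this->splitNonEmptyLines($value);
                break;
            case HTMLPurifier_VarParser::HASH:
                // hash: "key: value" per line; split on the first ':' only so the
                // value itself may contain colons, skip lines without a separator
                $result = array();
                foreach ($this->splitNonEmptyLines($value) as $line) {
                    $parts = explode(':', $line, 2);
                    if (count($parts) < 2) {
                        continue;
                    }
                    $key = trim($parts[0]);
                    $val = trim($parts[1]);
                    if ($key !== '' && $val !== '') {
                        $result[$key] = $val;
                    }
                }
                break;
            default:
                return $value;
        }

        return empty($result) ? null : $result;
    }

    /**
     * Split a textarea value into trimmed, non-empty lines.
     *
     * Accepts CRLF, CR or LF line endings regardless of the server's PHP_EOL,
     * and keeps a literal "0" line (unlike empty()).
     *
     * @param mixed $value Raw multi-line value.
     *
     * @return array List of trimmed lines with blank lines removed.
     */
    private function splitNonEmptyLines($value)
    {
        $lines = array();
        foreach (preg_split('/\r\n|\r|\n/', (string) $value) as $line) {
            $line = trim($line);
            if ($line !== '') {
                $lines[] = $line;
            }
        }

        return $lines;
    }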