コード例 #1
ファイル: wproRoute.class.php プロジェクト: ioanok/symfoxid
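 /**
  * Serves a WysiwygPro script selected by the `wproroutelink` query parameter
  * and exits; returns normally when no valid route is requested.
  *
  * The route value is reduced to the characters [A-Za-z0-9_-], "-" is turned
  * into "/" and ".php" is appended, so the included file is always
  * WPRO_DIR . '<segment>/<segment>.php' and neither "." nor "/" from the
  * request ever reaches the filesystem. Must be called before the WysiwygPro
  * class or any other WysiwygPro script is included (IN_WPRO undefined).
  *
  * Side effects: may rebuild $_GET from QUERY_STRING (frameworks such as
  * CodeIgniter clear it), resets the globals $EDITOR, $DIALOG, $WPRO_SESS and
  * $wpro_inDialog, defines WPRO_IN_ROUTE and WPRO_ALLOW_GLOBALS, and calls
  * exit() after including the routed file.
  */
 function processRequests()
 {
     if (isset($_SERVER['QUERY_STRING'])) {
         $queryString = (string) $_SERVER['QUERY_STRING'];
         // Some frameworks (e.g. CodeIgniter) delete the $_GET vars; rebuild
         // $_GET from the raw query string so the routing parameter can be found.
         $getIsEmpty = !isset($_GET) || (!count($_GET) && $queryString !== '');
         if ($getIsEmpty) {
             // get_magic_quotes_gpc() was removed in PHP 8.0 (it has returned false
             // since 5.4); guard the call so this keeps running there. When it is
             // on, WysiwygPro strips slashes from $_GET, so add them here to make
             // the rebuilt array identical to the one PHP would have generated.
             $magicQuotes = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
             $pairs = [];
             preg_match_all('#(^|[\\?&])([a-z0-9\\-_]+)=([^&]*)#si', $queryString, $pairs, PREG_SET_ORDER);
             foreach ($pairs as $pair) {
                 $value = urldecode($pair[3]);
                 $_GET[$pair[2]] = $magicQuotes ? addslashes($value) : $value;
             }
         }
     }
     // The requested file. Anything other than a non-empty string (e.g. an
     // array from ?wproroutelink[]=x) is not a route request and is ignored;
     // letting an array through would make the string functions below fail.
     $reqPath = isset($_GET['wproroutelink']) ? $_GET['wproroutelink'] : '';
     if (!is_string($reqPath) || empty($reqPath)) {
         return;
     }
     $wproPath = WPRO_DIR;
     // Refuse to route once WysiwygPro itself is loaded: this prevents
     // out-of-order execution and keeps the process no more dangerous than
     // someone browsing the WysiwygPro directory directly.
     if (defined('IN_WPRO')) {
         exit('WysiwygPro. Route request could not be performed. Please ensure that the WysiwygPro class (or any other WysiwygPro scripts) are included AFTER the call to wproRoute::processRequests().');
     }
     // Allow-list the route: only [A-Za-z0-9_-] survive (every valid WPro file
     // matches this), so "." and "/" from the request are dropped, which rules
     // out traversal. "-" is the directory separator in route names.
     $reqPath = (string) preg_replace('/[^A-Za-z0-9_\\-]/si', '', $reqPath);
     $reqPath = str_replace('-', '/', $reqPath) . '.php';
     // Belt and braces against out-of-order execution: library files are never
     // routable. The only "." in $reqPath is the one appended above, so these
     // cannot match today; the guard stays in case the allow-list is relaxed.
     foreach (['.class.php', '.inc.php', '.tpl.php'] as $libraryPattern) {
         if (stristr($reqPath, $libraryPattern) !== false) {
             exit;
         }
     }
     // Reset the only globals WysiwygPro uses before handing over to the routed script.
     global $EDITOR, $DIALOG, $WPRO_SESS, $wpro_inDialog;
     $EDITOR = null;
     $DIALOG = null;
     $WPRO_SESS = null;
     $wpro_inDialog = null;
     if (!defined('WPRO_IN_ROUTE')) {
         define('WPRO_IN_ROUTE', true);
     }
     // Deleting globals could break the parent application, so it is trusted
     // and globals are left in place (the WPro ones were reset just above).
     if (!defined('WPRO_ALLOW_GLOBALS')) {
         define('WPRO_ALLOW_GLOBALS', true);
     }
     include_once $wproPath . 'core/libs/wproFilesystem.class.php';
     $fs = new wproFilesystem();
     // folderNameOK() is WysiwygPro's own name check (defined in the class
     // included above); is_file() confirms the target exists below WPRO_DIR.
     if ($fs->folderNameOK($reqPath) && is_file($wproPath . $reqPath)) {
         include_once $wproPath . $reqPath;
         exit;
     }
 }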