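/**
 * Imports the file uploaded in $_FILES[$inputname] into $brs_files_dir,
 * optionally unlinking the file that was stored before.
 *
 * Outcomes:
 *  - a new upload arrived and its extension is allowed: the previous file
 *    (if $oldvalue is set) is unlinked, the upload is moved under a
 *    sanitised name and the new path is returned;
 *  - the extension is not allowed: cot_error() is raised and '' is returned;
 *  - no upload arrived (or PHP reported an upload error): nothing is done
 *    and null is returned — this matches the original contract, callers
 *    already cope with it.
 *
 * @param string $inputname Name of the file input; 'del_' . $inputname is the delete checkbox
 * @param string $oldvalue  Path of the file currently stored for this field, '' if none
 * @return string|null New file path, '' when the upload was rejected, null when no upload arrived
 * @global string     $lang
 * @global array|null $cot_translit   Transliteration table loaded from the core 'translit' lang file
 * @global array      $brs_allowed_ext Allowed extensions; an empty list disables the check (see note below)
 * @global string     $brs_files_dir   Destination directory
 * @global array      $cfg             Declared by the original; not used here
 */
function brs_importFile($inputname, $oldvalue = '')
{
    global $lang, $cot_translit, $brs_allowed_ext, $brs_files_dir, $cfg;

    $import = !empty($_FILES[$inputname]) ? $_FILES[$inputname] : array();
    $import['delete'] = cot_import('del_' . $inputname, 'P', 'BOL') ? 1 : 0;

    // Act only when PHP actually received a file and reported no upload error
    if (!is_array($import) || !empty($import['error']) || empty($import['name'])) {
        return null;
    }

    $dotpos = mb_strrpos($import['name'], '.');
    $fname = mb_substr($import['name'], 0, $dotpos);
    $ext = mb_strtolower(mb_substr($import['name'], $dotpos + 1));

    if (!file_exists($brs_files_dir)) {
        mkdir($brs_files_dir);
    }

    // Extension check. NOTE(review): an empty $brs_allowed_ext disables the
    // check entirely and accepts every extension, including server-side
    // executable ones — the deployment should always configure an explicit
    // allow-list. Strict comparison so only string-equal entries match.
    if (!empty($brs_allowed_ext) && !in_array($ext, $brs_allowed_ext, true)) {
        cot_error(cot::$L['brs_err_inv_file_type'], $inputname);
        return '';
    }

    // Transliterate non-Latin names when a table is available. The original
    // blanked $fname when $cot_translit was not an array, which threw the
    // whole name away; keeping it lets the filter below decide what survives.
    if ($lang != 'en' && file_exists(cot_langfile('translit', 'core'))) {
        require_once cot_langfile('translit', 'core');
        if (is_array($cot_translit)) {
            $fname = strtr($fname, $cot_translit);
        }
    }
    $fname = str_replace(' ', '_', $fname);
    $fname = preg_replace('#[^a-zA-Z0-9\\-_\\.\\ \\+]#', '', $fname);
    $fname = str_replace('..', '.', $fname);
    if (empty($fname)) {
        $fname = cot_unique();
    }

    // Do not clobber an existing file unless it is the one being replaced.
    // NOTE(review): this probe inserts a '/' between directory and name while
    // the destination below does not; harmless if $brs_files_dir ends with '/',
    // otherwise the probe looks at a different path — confirm the configured value.
    if (file_exists("{$brs_files_dir}/{$fname}.{$ext}") && $oldvalue != $fname . '.' . $ext) {
        $fname .= date("YmjGis");
    }
    $fname .= '.' . $ext;

    $file = array();
    $file['old'] = !empty($oldvalue) && ($import['delete'] || $import['tmp_name']) ? $oldvalue : '';
    $file['tmp'] = !$import['delete'] ? $import['tmp_name'] : '';
    $file['new'] = !$import['delete'] ? $brs_files_dir . $fname : '';

    if (!empty($file['old']) && file_exists($file['old'])) {
        unlink($file['old']);
    }
    // The original tested $file['tmp'] twice; the second operand was meant to be $file['new']
    if (!empty($file['tmp']) && !empty($file['new'])) {
        if (!move_uploaded_file($file['tmp'], $file['new'])) {
            // Never hand back a path that was not written
            return '';
        }
    }

    return $file['new'];
}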
} if (!file_exists($file['config_sample'])) { cot_error(cot_rc('install_error_missing_file', array('file' => $file['config_sample']))); } if (!cot_error_found()) { $config_contents = file_get_contents($file['config']); cot_install_config_replace($config_contents, 'defaultlang', $rlang); cot_install_config_replace($config_contents, 'defaulttheme', $rtheme); cot_install_config_replace($config_contents, 'defaultscheme', $rscheme); cot_install_config_replace($config_contents, 'mainurl', $cfg['mainurl']); $new_site_id = cot_unique(32); cot_install_config_replace($config_contents, 'site_id', $new_site_id); $new_secret_key = cot_unique(32); cot_install_config_replace($config_contents, 'secret_key', $new_secret_key); file_put_contents($file['config'], $config_contents); $ruserpass['user_passsalt'] = cot_unique(16); $ruserpass['user_passfunc'] = empty($cfg['hashfunc']) ? 'sha256' : $cfg['hashfunc']; $ruserpass['user_password'] = cot_hash($user['pass'], $ruserpass['user_passsalt'], $ruserpass['user_passfunc']); try { $db->insert($db_x . 'users', array('user_name' => $user['name'], 'user_password' => $ruserpass['user_password'], 'user_passsalt' => $ruserpass['user_passsalt'], 'user_passfunc' => $ruserpass['user_passfunc'], 'user_maingrp' => COT_GROUP_SUPERADMINS, 'user_country' => (string) $user['country'], 'user_email' => $user['email'], 'user_theme' => $rtheme, 'user_scheme' => $rscheme, 'user_lang' => $rlang, 'user_regdate' => time(), 'user_lastip' => $_SERVER['REMOTE_ADDR'])); $user['id'] = $db->lastInsertId(); $db->insert($db_x . 'groups_users', array('gru_userid' => (int) $user['id'], 'gru_groupid' => COT_GROUP_SUPERADMINS)); $db->update($db_x . 'config', array('config_value' => $user['email']), "config_owner = 'core' AND config_name = 'adminemail'"); } catch (PDOException $err) { cot_error(cot_rc('install_error_sql_script', array('msg' => $err->getMessage()))); } } break; case 4: // Dependency check $install = true;
/**
 * Strips all unsafe characters from a file base name and transliterates it to Latin.
 *
 * The name is transliterated (when $lang is not 'en' and a translit table is
 * loaded), spaces become underscores, everything outside [a-zA-Z0-9-_.+ ] is
 * dropped, '..' is collapsed to '.', the result is cut to 200 characters and
 * replaced by cot_unique() when nothing is left. With $unique_name enabled, a
 * timestamp suffix and then a random suffix are appended while
 * $this->file_path() still reports a collision.
 *
 * @param string $name          File base name (without extension)
 * @param string $ext           File extension, only used for the collision probe
 * @param string $savedirectory Directory handed to $this->file_path()
 * @param bool   $unique_name   Append suffixes on collision
 * @return string Sanitised base name without extension
 * @global string     $lang
 * @global array|null $cot_translit
 * @global array      $sys  $sys['now'] feeds the timestamp suffix
 */
function safename($name, $ext, $savedirectory = '', $unique_name = true)
{
    global $lang, $cot_translit, $sys;

    $wants_translit = ($lang != 'en');
    if ($wants_translit && !$cot_translit) {
        $translit_file = cot_langfile('translit', 'core');
        if (file_exists($translit_file)) {
            require_once $translit_file;
        }
    }
    if ($wants_translit && is_array($cot_translit)) {
        $name = strtr($name, $cot_translit);
    }

    $clean = preg_replace('#[^a-zA-Z0-9\\-_\\.\\ \\+]#', '', str_replace(' ', '_', $name));
    $clean = mb_substr(str_replace('..', '.', $clean), 0, 200);
    $name = empty($clean) ? cot_unique() : $clean;

    if ($unique_name) {
        // Second probe only matters after the first suffix changed the name;
        // an unchanged name would give the same answer as the first probe.
        if (file_exists($this->file_path($savedirectory, $name, $ext))) {
            $name .= '_' . cot_date('dmY_His', $sys['now']);
            if (file_exists($this->file_path($savedirectory, $name, $ext))) {
                $name .= '_' . rand(1, 999);
            }
        }
    }

    return $name;
}
$usr['auth'] = unserialize($row['user_auth']); $usr['adminaccess'] = cot_auth('admin', 'any', 'R'); $usr['level'] = $cot_groups[$usr['maingrp']]['level']; $usr['profile'] = $row; $sys['xk'] = $row['user_token']; if (!isset($_SESSION['cot_user_id'])) { $_SESSION['cot_user_id'] = $usr['id']; } if ($usr['lastlog'] + $cfg['timedout'] < $sys['now']) { $sys['comingback'] = TRUE; if ($usr['lastlog'] > $usr['lastvisit']) { $usr['lastvisit'] = $usr['lastlog']; $user_log['user_lastvisit'] = $usr['lastvisit']; } // Generate new security token $token = cot_unique(16); $sys['xk_prev'] = $sys['xk']; $sys['xk'] = $token; $user_log['user_token'] = $token; } if (!$cfg['authcache'] || empty($row['user_auth'])) { $usr['auth'] = cot_auth_build($usr['id'], $usr['maingrp']); $cfg['authcache'] && ($user_log['user_auth'] = serialize($usr['auth'])); } $user_log['user_lastlog'] = $sys['now']; $db->update($db_users, $user_log, "user_id={$usr['id']}"); unset($u, $passhash, $oldhash, $hashsalt, $hashsaltprev, $user_log); } } } }
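/**
 * Adds new user
 *
 * Fills in the account fields that the caller did not supply (group, salt,
 * hash function, theme/scheme/lang defaults, timestamps), hashes the password,
 * inserts the row, assigns the main group, runs the 'users.adduser.done' hooks
 * and — when the account lands in group 2 and $sendemail is set — sends the
 * registration request or activation mail.
 *
 * @param array $ruser User data array; its keys are used when the scalar arguments are empty
 * @param string $email Email address
 * @param string $name User name; defaults to $email if omitted
 * @param string $password Password; randomly generated if omitted
 * @param int $maingrp Custom main grp; 0/null keeps the computed group
 * @param bool $sendemail Send email if need activation
 * @return int|false New user ID, or false when the email is invalid, the name
 *                   (or, if duplicates are disallowed, the email) already exists,
 *                   or the INSERT fails
 * @global CotDB $db
 */
function cot_add_user($ruser, $email = null, $name = null, $password = null, $maingrp = null, $sendemail = true)
{
    global $cfg, $cot_extrafields, $db, $db_users, $db_groups_users, $db_x, $L, $R, $sys, $uploadfiles, $usr;

    // Explicit arguments win; empty ones fall back to the array
    $ruser['user_email'] = !empty($email) ? $email : $ruser['user_email'];
    $ruser['user_name'] = !empty($name) ? $name : $ruser['user_name'];
    $ruser['user_password'] = !empty($password) ? $password : $ruser['user_password'];
    if (empty($ruser['user_password'])) {
        $ruser['user_password'] = cot_randomstring();
    }
    if (empty($ruser['user_name'])) {
        $ruser['user_name'] = $ruser['user_email'];
    }
    // The plain-text password stays in scope on purpose: the hook files
    // include()d below run in this scope and may read $password
    $password = $ruser['user_password'];

    $user_exists = (bool) $db->query("SELECT user_id FROM {$db_users} WHERE user_name = ? LIMIT 1", array($ruser['user_name']))->fetch();
    $email_exists = (bool) $db->query("SELECT user_id FROM {$db_users} WHERE user_email = ? LIMIT 1", array($ruser['user_email']))->fetch();
    if (!cot_check_email($ruser['user_email']) || $user_exists || (!$cfg['useremailduplicate'] && $email_exists)) {
        return false;
    }

    // Strict match: a non-string gender must not pass by loose comparison
    $ruser['user_gender'] = in_array($ruser['user_gender'], array('M', 'F'), true) ? $ruser['user_gender'] : 'U';
    $ruser['user_country'] = mb_strlen($ruser['user_country']) < 4 ? $ruser['user_country'] : '';
    $ruser['user_timezone'] = !$ruser['user_timezone'] ? 'GMT' : $ruser['user_timezone'];

    // First account on an empty table gets group 5; afterwards the group depends
    // on whether registration needs activation. The original nested ternary had
    // no parentheses, so it parsed as (... ? 5 : ...) ? 4 : 2, which could never
    // yield 5 (and is a parse error on PHP 8).
    if ($db->countRows($db_users) == 0) {
        $ruser['user_maingrp'] = 5;
    } else {
        $ruser['user_maingrp'] = $cfg['users']['regnoactivation'] ? 4 : 2;
    }
    if ((int) $maingrp > 0) {
        $ruser['user_maingrp'] = $maingrp;
    }

    $ruser['user_passsalt'] = cot_unique(16);
    $ruser['user_passfunc'] = empty($cfg['hashfunc']) ? 'sha256' : $cfg['hashfunc'];
    $ruser['user_password'] = cot_hash($ruser['user_password'], $ruser['user_passsalt'], $ruser['user_passfunc']);
    $ruser['user_birthdate'] = is_null($ruser['user_birthdate']) || $ruser['user_birthdate'] > $sys['now'] ? '0000-00-00' : cot_stamp2date($ruser['user_birthdate']);
    // user_lostpass is sent out in the activation link (the 'v' parameter below).
    // md5(microtime()) alone is derivable from the registration time; mixing in
    // cot_unique() keeps the 32-hex format while adding the project's own
    // unique-string source. NOTE(review): confirm cot_unique() is suitable as entropy.
    $ruser['user_lostpass'] = md5(cot_unique(32) . microtime());
    cot_shield_update(20, "Registration");
    $ruser['user_hideemail'] = 1;
    $ruser['user_theme'] = $cfg['defaulttheme'];
    $ruser['user_scheme'] = $cfg['defaultscheme'];
    $ruser['user_lang'] = empty($ruser['user_lang']) ? $cfg['defaultlang'] : $ruser['user_lang'];
    $ruser['user_regdate'] = (int) $sys['now'];
    $ruser['user_logcount'] = 0;
    $ruser['user_lastip'] = empty($ruser['user_lastip']) ? $usr['ip'] : $ruser['user_lastip'];
    $ruser['user_token'] = cot_unique(16);

    // NOTE(review): the whole $ruser array is handed to insert(), so every key
    // in it becomes a column; callers must not forward unfiltered request data.
    if (!$db->insert($db_users, $ruser)) {
        // Documented contract; the original fell through and returned null
        return false;
    }
    $userid = $db->lastInsertId();
    $db->insert($db_groups_users, array('gru_userid' => (int) $userid, 'gru_groupid' => (int) $ruser['user_maingrp']));
    cot_extrafield_movefiles();

    /* === Hook for the plugins === */
    foreach (cot_getextplugins('users.adduser.done') as $pl) {
        include $pl;
    }
    /* ===== */

    if ($ruser['user_maingrp'] == 2 && $sendemail) {
        if ($cfg['users']['regrequireadmin']) {
            // Tell the user the request is pending, then notify the admin
            $subject = $L['aut_regrequesttitle'];
            $body = sprintf($L['aut_regrequest'], $ruser['user_name']);
            $body .= "\n\n" . $L['aut_contactadmin'];
            cot_mail($ruser['user_email'], $subject, $body);

            $subject = $L['aut_regreqnoticetitle'];
            $inactive = $cfg['mainurl'] . '/' . cot_url('users', 'gm=2&s=regdate&w=desc', '', true);
            $body = sprintf($L['aut_regreqnotice'], $ruser['user_name'], $inactive);
            cot_mail($cfg['adminemail'], $subject, $body);
        } else {
            // Self-activation: both links carry the token and the lostpass secret
            $subject = $L['Registration'];
            $validate = 'm=register&a=validate&token=' . $ruser['user_token'] . '&v=' . $ruser['user_lostpass'];
            $activate = $cfg['mainurl'] . '/' . cot_url('users', $validate . '&y=1', '', true);
            $deactivate = $cfg['mainurl'] . '/' . cot_url('users', $validate . '&y=0', '', true);
            $body = sprintf($L['aut_emailreg'], $ruser['user_name'], $activate, $deactivate);
            $body .= "\n\n" . $L['aut_contactadmin'];
            cot_mail($ruser['user_email'], $subject, $body);
        }
    }

    return $userid;
}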
/**
 * Strips all unsafe characters from a file base name and transliterates it to Latin.
 *
 * Splits $basename at the last dot, transliterates the stem (when $lang is not
 * 'en' and a translit table is loaded), optionally turns spaces into
 * underscores, drops everything outside [a-zA-Z0-9-_.+ ], collapses '..' and
 * substitutes cot_unique() for an empty stem. The extension is lower-cased.
 *
 * @param string $basename File base name including extension
 * @param bool $underscore Convert spaces to underscores
 * @param string $postfix Postfix appended between the stem and the extension
 * @return string Sanitised file name
 * @global string     $lang
 * @global array|null $cot_translit
 */
function cot_safename($basename, $underscore = true, $postfix = '')
{
    global $lang, $cot_translit;

    $wants_translit = ($lang != 'en');
    if (!$cot_translit && $wants_translit) {
        $translit_file = cot_langfile('translit', 'core');
        if (file_exists($translit_file)) {
            require_once $translit_file;
        }
    }

    $dot = mb_strrpos($basename, '.');
    $stem = mb_substr($basename, 0, $dot);
    $ext = mb_substr($basename, $dot + 1);

    if ($wants_translit && is_array($cot_translit)) {
        $stem = strtr($stem, $cot_translit);
    }
    if ($underscore) {
        $stem = str_replace(' ', '_', $stem);
    }
    $stem = str_replace('..', '.', preg_replace('#[^a-zA-Z0-9\\-_\\.\\ \\+]#', '', $stem));
    if (empty($stem)) {
        $stem = cot_unique();
    }

    return $stem . $postfix . '.' . mb_strtolower($ext);
}
$disp_errors = ''; $u_tmp_name = $_FILES['userfile']['tmp_name'][$ii]; $u_type = $_FILES['userfile']['type'][$ii]; $u_name = $_FILES['userfile']['name'][$ii]; $u_size = $_FILES['userfile']['size'][$ii]; $u_name = str_replace("\\'", '', $u_name); $u_name = trim(str_replace("\"", '', $u_name)); if (!empty($u_name)) { $disp_errors .= $u_name . ' : '; $u_name = mb_strtolower($u_name); $dotpos = mb_strrpos($u_name, ".") + 1; $f_extension = mb_substr($u_name, $dotpos); $f_extension_ok = 0; $desc = $ndesc[$ii]; if ($cfg['pfs']['pfstimename']) { $u_newname = time() . '_' . cot_unique(6) . '_' . $userid . '.' . $f_extension; } else { $u_newname = cot_safename($u_name, true, '_' . $userid); } $u_sqlname = $db->prep($u_newname); if ($f_extension != 'php' && $f_extension != 'php3' && $f_extension != 'php4' && $f_extension != 'php5') { foreach ($cot_extensions as $k => $line) { if (mb_strtolower($f_extension) == $line[0]) { $f_extension_ok = 1; } } } if (is_uploaded_file($u_tmp_name) && $u_size > 0 && $u_size < $maxfile && $f_extension_ok && $pfs_totalsize + $u_size < $maxtotal) { $fcheck = cot_file_check($u_tmp_name, $u_name, $f_extension); if ($fcheck == 1) { if (!file_exists($pfs_dir_user . $u_newname)) {
} $t = new XTemplate($mskin); // Check for new config options if (is_writable($file['config']) && file_exists($file['config_sample'])) { list($old_cfg, $old_db) = cot_get_config($file['config']); list($new_cfg, $new_db) = cot_get_config($file['config_sample']); if (count(array_diff($new_cfg, $old_cfg)) > 0 || count(array_diff($new_db, $old_db)) > 0) { // Add new config options $delta = ''; if (count(array_diff($new_cfg, $old_cfg)) > 0) { foreach ($new_cfg as $key => $val) { if (!isset($old_cfg[$key])) { if ($key == 'new_install') { $val = false; } elseif ($key == 'site_id' || $key == 'secret_key') { $val = cot_unique(32); } if (is_bool($val)) { $val = $val ? 'TRUE' : 'FALSE'; } elseif (is_int($val) || is_float($val)) { $val = (string) $val; } else { $val = "'{$val}'"; } $delta .= "\$cfg['{$key}'] = {$val};\n"; } } } if (count(array_diff($new_db, $old_db)) > 0) { foreach ($new_db as $key => $val) { if (!isset($old_db[$key])) {
/**
 * Imports Extra fields data
 *
 * Reads the value of one extra field from the request (or from $inputname
 * itself when $source is 'D'), validates it against the field definition and
 * reports problems through cot_error(). For 'file' fields the upload is
 * sanitised and queued in the global $uploadfiles list; only the generated
 * file name is returned. A required field that ends up null or '' raises
 * cot_error() as well.
 *
 * @param string|array $inputname Variable name (or value for source=D; for file fields an array shaped like a $_FILES entry)
 * @param array $extrafield Extra field definition (field_type, field_name, field_parse, field_params, field_variants, field_required, field_description)
 * @param string $source Source type: G (GET), P (POST), C (COOKIE) or D (variable filtering)
 * @param string $oldvalue Old value of extrafield
 * @return mixed Imported value (type depends on field_type); '' when a file was deleted, null when nothing valid was imported
 */
function cot_import_extrafields($inputname, $extrafield, $source = 'P', $oldvalue = '')
{
    global $L;

    switch ($extrafield['field_type']) {
        case 'input':
            // field_parse selects the filter; field_params, if set, is a PCRE the value must match
            $import = $extrafield['field_parse'] == 'Text' ? cot_import($inputname, $source, 'TXT') : cot_import($inputname, $source, 'HTM');
            if (!empty($extrafield['field_params']) && !is_null($import) && !preg_match($extrafield['field_params'], $import)) {
                // Per-field message key, falling back to the generic one
                $L['field_pregmatch_' . $extrafield['field_name']] = isset($L['field_pregmatch_' . $extrafield['field_name']]) ? $L['field_pregmatch_' . $extrafield['field_name']] : $L['field_pregmatch'];
                cot_error('field_pregmatch_' . $extrafield['field_name'], $inputname);
            }
            break;

        case 'inputint':
        case 'range':
            // field_params is "min,max"; tolerate spaces around the comma
            $extrafield['field_params'] = str_replace(array(' , ', ', ', ' ,'), ',', $extrafield['field_params']);
            $import = cot_import($inputname, $source, 'INT');
            if (!is_null($import) && !empty($extrafield['field_params'])) {
                list($min, $max) = explode(",", $extrafield['field_params'], 2);
                $min = (int) $min;
                $max = (int) $max;
                if ($import < $min || $import > $max) {
                    cot_error('field_range_' . $extrafield['field_name'], $inputname);
                }
            }
            break;

        case 'currency':
        case 'double':
            // Same "min,max" convention; bounds are cast to int even though the value is a float
            $extrafield['field_params'] = str_replace(array(' , ', ', ', ' ,'), ',', $extrafield['field_params']);
            $import = cot_import($inputname, $source, 'NUM');
            if (!is_null($import)) {
                $import = floatval($import);
            }
            if (!is_null($import) && !empty($extrafield['field_params'])) {
                list($min, $max) = explode(",", $extrafield['field_params'], 2);
                $min = (int) $min;
                $max = (int) $max;
                if ($import < $min || $import > $max) {
                    cot_error('field_range_' . $extrafield['field_name'], $inputname);
                }
            }
            break;

        case 'textarea':
            $import = cot_import($inputname, $source, 'HTM');
            break;

        case 'select':
        case 'radio':
            // The value must be one of the comma-separated field_variants (loose in_array)
            $extrafield['field_variants'] = str_replace(array(' , ', ', ', ' ,'), ',', $extrafield['field_variants']);
            $opt_array = explode(",", trim($extrafield['field_variants']));
            $import = cot_import($inputname, $source, 'HTM');
            if (!is_null($import) && !in_array(trim($import), $opt_array)) {
                $L['field_notinarray_' . $extrafield['field_name']] = isset($L['field_notinarray_' . $extrafield['field_name']]) ? $L['field_notinarray_' . $extrafield['field_name']] : $L['field_notinarray'];
                cot_error('field_notinarray_' . $extrafield['field_name'], $inputname);
            }
            break;

        case 'checkbox':
            $import = cot_import($inputname, $source, 'BOL');
            break;

        case 'datetime':
            // field_params is "minyear,maxyear"; a timestamp outside that span is
            // clamped by rebuilding it with the boundary year (month/day/time kept)
            $extrafield['field_params'] = str_replace(array(' , ', ', ', ' ,'), ',', $extrafield['field_params']);
            list($min, $max) = explode(",", $extrafield['field_params'], 2);
            $import = cot_import_date($inputname, true, false, $source);
            if (!is_null($import) && ((int) $min > 0 || (int) $max > 0)) {
                // @ silences date() warnings for an unusable timestamp
                list($s_year, $s_month, $s_day, $s_hour, $s_minute) = explode('-', @date('Y-m-d-H-i', $import));
                if ($min > $s_year) {
                    $import = mktime($s_hour, $s_minute, 0, $s_month, $s_day, $min);
                }
                if ($max < $s_year) {
                    $import = mktime($s_hour, $s_minute, 0, $s_month, $s_day, $max);
                }
            }
            break;

        case 'country':
            $import = cot_import($inputname, $source, 'ALP');
            break;

        case 'checklistbox':
            // Array input; 'nullval' is the "nothing selected" marker. Each element
            // is re-filtered as HTM and checked against field_variants, then the
            // array is flattened to a comma-separated string for storage
            $import = cot_import($inputname, $source, 'ARR');
            $extrafield['field_variants'] = str_replace(array(' , ', ', ', ' ,'), ',', $extrafield['field_variants']);
            $opt_array = explode(',', trim($extrafield['field_variants']));
            if (count($import) < 1) {
                $import = null;
            } elseif (count($import) == 1 && isset($import['nullval'])) {
                $import = array();
            } else {
                unset($import['nullval']);
                foreach ($import as $k => $v) {
                    $import[$k] = cot_import($v, 'D', 'HTM');
                    if (!is_null($import[$k]) && !in_array($import[$k], $opt_array)) {
                        $L['field_notinarray_' . $extrafield['field_name']] = isset($L['field_notinarray_' . $extrafield['field_name']]) ? $L['field_notinarray_' . $extrafield['field_name']] : $L['field_notinarray'];
                        cot_error('field_notinarray_' . $extrafield['field_name'], $inputname);
                    }
                }
            }
            if (is_array($import)) {
                $import = implode(',', $import);
            }
            break;

        case 'file':
            // $pl is declared global here as well, so the hook files included below see it
            global $lang, $cot_translit, $exfldfiles, $exfldsize, $cfg, $uploadfiles, $pl;
            if ($source == 'P' || $source == 'POST') {
                // Upload metadata comes straight from $_FILES; 'rdel_' . $inputname is the delete checkbox
                $import = $_FILES[$inputname];
                $import['delete'] = cot_import('rdel_' . $inputname, 'P', 'BOL') ? 1 : 0;
            } elseif ($source == 'D') {
                // Source 'D': the caller passes the $_FILES-shaped array itself
                $import = $inputname;
            }
            /* === Hook === */
            foreach (cot_getextplugins('extrafields.import.file.first') as $pl) {
                include $pl;
            }
            /* ===== */
            // A file arrived only when PHP reported no upload error and a name is present
            if (is_array($import) && !$import['error'] && !empty($import['name'])) {
                $fname = mb_substr($import['name'], 0, mb_strrpos($import['name'], '.'));
                $ext = mb_strtolower(mb_substr($import['name'], mb_strrpos($import['name'], '.') + 1));
                //check extension
                // NOTE(review): an empty field_variants disables the extension check
                // entirely; an explicit per-field allow-list is the safer configuration
                $extrafield['field_variants'] = str_replace(array(' , ', ', ', ' ,'), ',', mb_strtolower($extrafield['field_variants']));
                $ext_array = explode(",", trim($extrafield['field_variants']));
                if (empty($extrafield['field_variants']) || in_array($ext, $ext_array)) {
                    // Without a loaded translit table the stem is blanked and will be
                    // replaced by cot_unique() below
                    if ($lang != 'en' && file_exists(cot_langfile('translit', 'core'))) {
                        require_once cot_langfile('translit', 'core');
                        $fname = is_array($cot_translit) ? strtr($fname, $cot_translit) : '';
                    }
                    // Reduce the stem to [a-zA-Z0-9-_.+ ]; '..' and '__' are collapsed
                    $fname = str_replace(array(' ', ' ', '__'), '_', $fname);
                    $fname = preg_replace('#[^a-zA-Z0-9\\-_\\.\\ \\+]#', '', $fname);
                    $fname = str_replace('..', '.', $fname);
                    $fname = str_replace('__', '_', $fname);
                    $fname = empty($fname) ? cot_unique() : $fname;
                    // Generate unique file name. Old file - must be removed any way
                    // Target directory: field_params, else the configured extrafield_files_dir, with a trailing '/'
                    $extrafield['field_params'] = !empty($extrafield['field_params']) ? $extrafield['field_params'] : $cfg['extrafield_files_dir'];
                    $extrafield['field_params'] .= mb_substr($extrafield['field_params'], -1) == '/' ? '' : '/';
                    if (file_exists("{$extrafield['field_params']}{$fname}.{$ext}")) {
                        $fname = $inputname . '_' . date("YmjGis") . '_' . $fname;
                    }
                    $fname .= '.' . $ext;
                    // $file describes the pending move for the caller; 'old' is built from
                    // $oldvalue without further checks — presumably the name stored for this
                    // field, verify at the call site
                    $file['old'] = !empty($oldvalue) && ($import['delete'] || $import['tmp_name']) ? $extrafield['field_params'] . $oldvalue : '';
                    $file['field'] = $extrafield['field_name'];
                    $file['tmp'] = !$import['delete'] ? $import['tmp_name'] : '';
                    $file['new'] = !$import['delete'] ? $extrafield['field_params'] . $fname : '';
                    /* === Hook === */
                    foreach (cot_getextplugins('extrafields.import.file.done') as $pl) {
                        include $pl;
                    }
                    /* ===== */
                    $exfldsize[$extrafield['field_name']] = $import['size'];
                    $uploadfiles[] = $file;
                    $import = $fname;
                } else {
                    cot_error('field_extension_' . $extrafield['field_name'], $inputname);
                    $exfldsize[$extrafield['field_name']] = null;
                    $import = null;
                }
            } elseif (is_array($import) && $import['delete']) {
                // Delete only: queue the old file for removal and store ''.
                // Note the '/' is added unconditionally here, unlike the upload branch above
                $exfldsize[$extrafield['field_name']] = 0;
                $import = '';
                $extrafield['field_params'] = !empty($extrafield['field_params']) ? $extrafield['field_params'] : $cfg['extrafield_files_dir'];
                $file['old'] = !empty($oldvalue) ? "{$extrafield['field_params']}/{$oldvalue}" : '';
                $file['field'] = $extrafield['field_name'];
                $uploadfiles[] = $file;
            } else {
                $exfldsize[$extrafield['field_name']] = null;
                $import = null;
            }
            break;

        case 'filesize':
            // Mirrors the size recorded by the file field named in field_variants
            global $exfldsize;
            $import = $exfldsize[$extrafield['field_variants']];
            break;
    }

    // Required-field check applies to every type; the message falls back to the
    // generic key plus the field description or name
    if ((is_null($import) || $import === '') && $extrafield['field_required']) {
        $fname = !empty($extrafield['field_description']) ? $extrafield['field_description'] : $extrafield['field_name'];
        $msg = isset($L['field_required_' . $extrafield['field_name']]) ? 'field_required_' . $extrafield['field_name'] : $L['field_required'] . ': ' . $fname;
        cot_error($msg, $inputname);
    }

    return $import;
}