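/**
 * Download the release archive for $upversion and unpack it over the installed program.
 *
 * Refuses to run (prints a message and exits) when /usr/local/lxlabs/.git exists,
 * which the printed message calls a development system. Otherwise it removes the old
 * script directories and the previous download directory, fetches
 * "<program>-<upversion>.zip" into a fresh "download" directory, unzips it into
 * "../.." and restores the previous working directory.
 *
 * NOTE(review): nothing in this function verifies the archive (checksum or signature)
 * before it is extracted over the program tree; confirm whether download_source()
 * or lxshell_unzip() does so.
 *
 * @param string $upversion version string used to build the archive file name
 * @return void
 */
function do_upgrade($upversion)
{
    global $gbl, $sgbl, $login, $ghtml;

    if (file_exists("/usr/local/lxlabs/.git")) {
        print "Development system.. Not upgrading --> exit!...\n";
        exit;
    }

    $program = $sgbl->__var_program_name;
    $programfile = "{$program}-" . $upversion . ".zip";

    // The archive name is used as a file name inside download/ and as part of the
    // download path, so it has to be a single path component. The check runs before
    // the deletions below so that a rejected version string changes nothing on disk.
    if ($programfile !== basename($programfile)) {
        print "Invalid version string.. Not upgrading --> exit!...\n";
        exit;
    }

    lxfile_rm_rec("__path_program_htmlbase/htmllib/script");
    lxfile_rm_rec("__path_program_root/pscript");

    $saveddir = getcwd();

    // NOTE(review): the directory is removed via "__path_program_htmlbase/download" but
    // re-created and entered relative to the current working directory; presumably the
    // caller runs this from the htmlbase directory. Verify against the caller.
    lxfile_rm_rec("__path_program_htmlbase/download");
    lxfile_mkdir("download");
    chdir("download");

    print "Downloading {$programfile}.....\n";
    download_source("/{$program}/{$programfile}");
    print "Download Done....\n";

    lxshell_unzip("../..", $programfile);

    chdir($saveddir);
}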
/**
 * Entry point for serving files to the visitor; called from /file.php.
 *
 * The files are stored in a (virtual) hierarchy that looks like this:
 *
 * <pre>
 * /areas/areaname
 *       /another
 *       /stillmore
 *       ...
 * /users/username
 *       /another
 *       /stillmore
 *       ...
 * /groups/groupname
 *        /another
 *        /stillmore
 *        ...
 * /websiteatschool/program
 *                 /manual
 *                 /languages
 * </pre>
 *
 * The (virtual) directories /areas, /users and /groups correspond to the physical
 * directories {$CFG->datadir}/areas, {$CFG->datadir}/users and {$CFG->datadir}/groups.
 * Each subdirectory belongs to one (unique) area, user or group and is the file
 * repository for it.
 *
 * The (virtual) top-level directory /websiteatschool is a special case: it serves the
 * currently running website program code and the user-defined translations of
 * active languages.
 *
 * Access privileges are checked before any file is transmitted.
 *
 * Access control for the /areas subdirectory
 *
 *  - an area must be active before any files are served
 *  - the visitor must have access to a private area if files are to be served
 *  - non-existing files yield a 404 Not Found error
 *  - non-existing areas also yield a 404 Not Found error
 *  - a visitor without access to a private area also gets a 404 Not Found error
 *
 * Access control for /users and /groups
 *
 *  - a user/group must be active before any files are served
 *  - non-existing users/groups yield 404 Not Found
 *  - non-existing files in existing directories also yield 404 Not Found
 *
 * Access control for /websiteatschool
 *
 *  - there is no limit on downloading the currently active program code or the
 *    user-defined translations of active languages
 *
 * Note:
 * The check on '..' in the requested filename would be inconclusive if the path were
 * encoded in invalid UTF-8: the overlong sequence 2F C0 AE 2E 2F eventually yields
 * 2F 2E 2E 2F or '/../'. Reference: RFC3629 section 10. The filename used here comes
 * from get_requested_filename(), which already checks for UTF-8 validity, and that
 * rules out the trick with overlong sequences.
 *
 * NOTE(review): the /websiteatschool branch passes the second path component to
 * download_source() before the '..' check runs; download_source() is not visible
 * here, so confirm that it only accepts a fixed set of values.
 * NOTE(review): is_file() follows symbolic links; confirm that nothing below
 * $CFG->datadir can be a link to a location outside it.
 *
 * @return void file sent to the browser OR 404 not found on error
 */
function main_file()
{
    global $USER;
    global $CFG;
    global $WAS_SCRIPT_NAME;
    global $LANGUAGE;

    /** initialise the program, setup database, read configuration, etc. */
    require_once $CFG->progdir . '/init.php';
    initialise();
    was_version_check(); // does not return when the versions do not match

    /** utility routines for manipulating files */
    require_once $CFG->progdir . '/lib/filelib.php';
    $filename = get_requested_filename();
    if ($filename === null) {
        error_exit404();
    }

    // Step 0: resume the visitor's session, but only when the session cookie names
    // a session that the database-backed handler knows about.
    if (isset($_COOKIE[$CFG->session_name])) {
        /** dbsessionlib.php contains our own database based session handler */
        require_once $CFG->progdir . '/lib/dbsessionlib.php';
        dbsession_setup($CFG->session_name);
        if (dbsession_exists(magic_unquote($_COOKIE[$CFG->session_name]))) {
            session_start();
            if (isset($_SESSION['session_counter'])) {
                $_SESSION['session_counter']++;
            } else {
                // first request after login: record when the session started
                $_SESSION['session_counter'] = 1;
                $_SESSION['session_start'] = strftime("%Y-%m-%d %T");
            }
        }
    }

    /** useraccount.class.php is used to define the USER object */
    require_once $CFG->progdir . '/lib/useraccount.class.php';
    if (isset($_SESSION, $_SESSION['user_id'])) {
        $USER = new Useraccount($_SESSION['user_id']);
        $USER->is_logged_in = true;
        // keep the language that was selected via _GET or otherwise
        $_SESSION['language_key'] = $LANGUAGE->get_current_language();
        // the session is not needed any more; everything relevant is now in $USER
        session_write_close();
    } else {
        $USER = new Useraccount();
        $USER->is_logged_in = false;
    }

    // Backslashes are folded into slashes before splitting, so both separators end up
    // as component boundaries for the checks below.
    $components = explode('/', trim(strtr($filename, '\\', '/'), '/'));

    // Step 1: a request below /websiteatschool is a source code download.
    if (strtolower($components[0]) === 'websiteatschool') {
        $source = isset($components[1]) ? strtolower($components[1]) : 'program';
        download_source($source);
        exit;
    }

    // Step 2: a regular file is requested.
    $path = '/' . implode('/', $components);

    // 2A: never allow an escape from the tree via a parent directory component
    if (in_array('..', $components)) {
        logger(sprintf("%s(): access denied for file '%s': no tricks with '/../': return 404 Not Found", __FUNCTION__, $path), WLOG_DEBUG);
        error_exit404($path);
    }

    // 2B: the first component selects the repository type, the second one must name
    // an active area, user or group. Every refusal is answered with 404 Not Found.
    $owner_path = isset($components[1]) ? $components[1] : '';
    switch ($components[0]) {
        case 'areas':
            $record = db_select_single_record(
                'areas',
                array('area_id', 'is_private'),
                array('is_active' => true, 'path' => $owner_path)
            );
            if ($record === false) {
                logger(sprintf("%s(): access denied for file '%s': non-existing or inactive area: return 404 Not Found", __FUNCTION__, $path), WLOG_DEBUG);
                error_exit404($path);
            }
            $area_id = (int) $record['area_id'];
            // a private area additionally requires intranet access for this visitor
            if (db_bool_is(true, $record['is_private'])
                && !$USER->has_intranet_permissions(ACL_ROLE_INTRANET_ACCESS, $area_id)) {
                logger(sprintf("%s(): access denied for file '%s' in private area '%d': return 404 Not Found", __FUNCTION__, $path, $area_id), WLOG_DEBUG);
                error_exit404($path);
            }
            break;

        case 'users':
            $record = db_select_single_record(
                'users',
                array('user_id'),
                array('path' => $owner_path, 'is_active' => true)
            );
            if ($record === false) {
                logger(sprintf("%s(): access denied for file '%s': non-existing or inactive user: return 404 Not Found", __FUNCTION__, $path), WLOG_DEBUG);
                error_exit404($path);
            }
            break;

        case 'groups':
            $record = db_select_single_record(
                'groups',
                array('group_id'),
                array('path' => $owner_path, 'is_active' => true)
            );
            if ($record === false) {
                logger(sprintf("%s(): access denied for file '%s': non-existing or inactive group: return 404 Not Found", __FUNCTION__, $path), WLOG_DEBUG);
                error_exit404($path);
            }
            break;

        default:
            logger(sprintf("%s(): access denied for file '%s': subdirectory '%s' not recognised: return 404 Not Found", __FUNCTION__, $path, $components[0]), WLOG_DEBUG);
            error_exit404($path);
            break;
    }

    // 2C: the first two components are acceptable; the file itself must exist too
    if (!is_file($CFG->datadir . $path)) {
        logger(sprintf("%s(): access denied for file '%s': file does not exist: return 404 Not Found", __FUNCTION__, $path), WLOG_DEBUG);
        error_exit404($path);
    }

    // All checks passed: the file exists below the data directory and the visitor
    // may have it, so send it and log the outcome.
    $name = basename($path);
    $bytes_sent = send_file_from_datadir($path, $name);
    if ($bytes_sent === false) {
        logger(sprintf("Failed to send '%s' using filename '%s'", $path, $name));
    } else {
        logger(sprintf("Success sending '%s' using filename '%s', size = %d bytes", $path, $name, $bytes_sent), WLOG_DEBUG);
    }
    exit;
}
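/**
 * Download the release archive for $upversion and unpack it over the installed program.
 *
 * Logs a message and exits when a .svn or .git entry exists in the current working
 * directory (the log message calls this a development version). Otherwise it clears
 * the help, script and download directories, fetches "<program>-<upversion>.zip"
 * into a fresh "download" directory, unzips it two levels up with overwrite enabled,
 * hands ownership of /usr/local/lxlabs/ to lxlabs:lxlabs and restores the previous
 * working directory.
 *
 * NOTE(review): nothing in this function verifies the archive (checksum or signature)
 * before it is extracted over the program tree; confirm whether download_source()
 * does so.
 *
 * @param string $upversion version string used to build the archive file name
 * @return void
 */
function do_upgrade($upversion)
{
    global $gbl, $sgbl, $login, $ghtml;

    $program = $sgbl->__var_program_name;

    // NOTE(review): both paths are relative, so the result depends on the directory
    // the caller runs this from. Verify against the caller.
    if (file_exists(".svn") || file_exists(".git")) {
        log_cleanup("BREAK -> Development version found");
        exit;
    }

    $programfile = "{$program}-" . $upversion . ".zip";

    // The archive name ends up in a download path, a file name and a shell command,
    // so it has to be a single path component. The check runs before the deletions
    // below so that a rejected version string changes nothing on disk.
    if ($programfile !== basename($programfile)) {
        log_cleanup("BREAK -> Invalid version string");
        exit;
    }

    lxfile_rm_rec("__path_program_htmlbase/help");
    lxfile_mkdir("help");

    lxfile_rm_rec("__path_program_htmlbase/htmllib/script");
    lxfile_rm_rec("__path_program_root/pscript");

    $saveddir = getcwd();

    lxfile_rm_rec("__path_program_htmlbase/download");
    lxfile_mkdir("download");
    chdir("download");

    log_cleanup("Downloading {$programfile}");
    download_source("/{$program}/{$programfile}");
    log_cleanup("Download Done!... Start unzip");

    // The archive path is passed as one quoted shell argument; the version string
    // must never be interpreted by the shell.
    system("cd ../../ ; unzip -o " . escapeshellarg("httpdocs/download/{$programfile}"));

    // issue #710 - Make sure the files are owned by lxlabs UID/GID
    system("chown -R lxlabs:lxlabs /usr/local/lxlabs/");

    chdir($saveddir);
}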
} } } else { ?> <tr> <td colspan="8" class="alert">Le dépôt ne contient aucun plugin.</td> </tr> <?php } ?> </tbody> </table> <!-- catalogue ends here --> <p> Lovely designed by theirs authors - <a href="<?php download_source(); ?> ">Download source of this page</a> version <?php echo VERSION; ?> - Php <?php echo PHP_VERSION; ?> </p> <h3>Paramètres de l'url</h3> <ul> <li><strong><?php echo $root; ?>