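function api_dispatch($method) {

    # Entry point for one API call: validates the requested method name
    # against the configured method table, runs the auth/crumb checks the
    # method declares, then calls "<library>_<method>" and exits.
    #
    # $method: untrusted method name from the request (e.g. "foo.bar").
    # Never returns normally: every path ends in api_output_error() or exit.

    if (!$GLOBALS['cfg']['enable_feature_api']) {
        api_output_error(999, 'API disabled');
    }

    $method = filter_strict($method);
    $enc_method = htmlspecialchars($method);

    $methods = $GLOBALS['cfg']['api']['methods'];

    # The configured method table is the allow-list: only a name present in
    # it reaches the call below, so $func is never built from raw input.
    if (!$method || !isset($methods[$method])) {
        api_output_error(404, "Method '{$enc_method}' not found");
    }

    $method_row = $methods[$method];

    if (!$method_row['enabled']) {
        api_output_error(404, "Method '{$enc_method}' not found");
    }

    $method_row['name'] = $method;

    # TO DO: check API keys here
    # TO DO: actually check auth here (whatever that means...)

    if (!empty($method_row['requires_auth'])) {
        api_auth_ensure_auth($method_row);
    }

    if (!empty($method_row['requires_crumb'])) {
        api_auth_ensure_crumb($method_row);
    }

    loadlib($method_row['library']);

    $parts = explode(".", $method);
    $method = array_pop($parts);

    $func = "{$method_row['library']}_{$method}";

    # A method that is configured but not implemented in its library used to
    # be a fatal "undefined function" (HTTP 500); report it as a 404 like the
    # other "no such method" paths.
    if (!function_exists($func)) {
        api_output_error(404, "Method '{$enc_method}' not found");
    }

    call_user_func($func);
    exit;
}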
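function rss_parse_fh($fh, $more = array()) {

    # Parse an RSS feed from an open file handle into rows for import.
    # Only items with a usable latitude/longitude (from the 'geo' or
    # 'georss' data) are kept; the rest are reported in 'errors'.
    #
    # $fh:   open file handle; it is always closed here.
    # $more: 'file' => array('path' => ...) (used to size the read),
    #        'max_records' => stop after this many items (0/unset = all).
    # Returns array('ok' => 0, 'error' => ...) when the parser object
    # could not be created, otherwise
    # array('ok' => 1, 'data' => [...], 'errors' => [...]).

    $path = isset($more['file']['path']) ? $more['file']['path'] : null;
    $size = ($path !== null) ? filesize($path) : 0;

    # fread() rejects a zero length, so an empty file is read as ''.
    $xml = ($size > 0) ? fread($fh, $size) : '';
    fclose($fh);

    $xml = trim($xml);

    $rss = new MagpieRSS($xml, 'utf-8', 'utf-8', true);

    # 'new' never yields a falsy value, so this check is effectively dead;
    # kept for parity with the original contract.
    if (!$rss) {
        return array('ok' => 0, 'error' => 'Failed to parse the RSS. Perhaps it is incorrect or squirrel-y XML?');
    }

    $data = array();
    $errors = array();

    $max = isset($more['max_records']) ? (int) $more['max_records'] : 0;

    # Record numbers are pre-incremented, so the first item is reported as
    # record 2; kept as-is since callers may rely on the numbering.
    $record = 1;

    $items = isset($rss->items) ? $rss->items : array();

    foreach ($items as $item) {

        $record++;

        if ($max && $record > $max) {
            break;
        }

        # Reset per item: previously an entry without geo data inherited the
        # coordinates of the entry before it and was imported at that point.
        $lat = null;
        $lon = null;
        $has_latlon = 0;

        if (!empty($item['geo'])) {
            $geo = $item['geo'];
            $lat = isset($geo['lat']) ? $geo['lat'] : null;
            $lon = isset($geo['long']) ? $geo['long'] : (isset($geo['lon']) ? $geo['lon'] : null);
            list($lat, $lon) = import_ensure_valid_latlon($lat, $lon);
            $has_latlon = ($lat && $lon) ? 1 : 0;
        }

        if (!$has_latlon && !empty($item['georss'])) {
            $geo = $item['georss'];
            $point = isset($geo['point']) ? trim($geo['point']) : '';

            # A georss point is "lat lon"; a value without a space yields no
            # longitude instead of a list() notice.
            $pair = explode(" ", $point, 2);
            $lat = $pair[0];
            $lon = isset($pair[1]) ? $pair[1] : null;

            list($lat, $lon) = import_ensure_valid_latlon($lat, $lon);
            $has_latlon = ($lat && $lon) ? 1 : 0;
        }

        # What now? Maybe throw the description in to Placemaker ?

        if (!$lat) {
            $errors[] = array('record' => $record, 'error' => 'invalid or missing latitude', 'column' => 'latitude');
            continue;
        }

        if (!$lon) {
            $errors[] = array('record' => $record, 'error' => 'invalid or missing longitude', 'column' => 'longitude');
            continue;
        }

        #

        $tmp = array(
            'guid' => _rss_parse_fh_str($item, 'guid'),
            'title' => _rss_parse_fh_str($item, 'title'),
            'link' => _rss_parse_fh_str($item, 'link'),
            'created' => _rss_parse_fh_str($item, 'pubdate'),
            'author' => _rss_parse_fh_str($item, 'author'),
            'description' => _rss_parse_fh_str($item, 'description'),
            'latitude' => $lat,
            'longitude' => $lon,
        );

        # what to do about 'description' and other tags?

        if (preg_match("/^tag:flickr.com,2004:\\/photo\\/(\\d+)\$/", $tmp['guid'], $m)) {

            # remove 'foo posted a photo:' stuff here

            $tmp['flickr:id'] = $m[1];

            # Why did we (Flickr) ever do this kind of thing... (20101215/straup)
            $author = str_replace("nobody@flickr.com (", "", $tmp['author']);
            $author = rtrim($author, ")");
            $tmp['author'] = $author;

            if (!empty($item['woe'])) {
                $tmp['yahoo:woeid'] = _rss_parse_fh_str($item['woe'], 'woeid');
            }

            if (isset($item['media']) && isset($item['media']['category'])) {
                $tmp['tags'] = filter_strict(sanitize($item['media']['category'], 'str'));
            }
        }

        $data[] = $tmp;
    }

    return array('ok' => 1, 'data' => &$data, 'errors' => &$errors);
}

function _rss_parse_fh_str($row, $key) {

    # Read $row[$key] (null when absent, as the old direct index yielded)
    # and apply the sanitize()/filter_strict() pair used for every field.

    $value = isset($row[$key]) ? $row[$key] : null;
    return filter_strict(sanitize($value, 'str'));
}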
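function api_test_echo() {

    # Echo the request's query parameters back as the API response, for
    # client/transport debugging.
    #
    # Under OAuth2 the bearer token arrives as the 'access_token' parameter;
    # it is skipped so the credential is never reflected into a response
    # body (which may be logged or cached), consistent with the newer
    # version of this method.

    $out = array();

    foreach (array_keys($_GET) as $k) {

        if (isset($GLOBALS['cfg']['api_auth_type']) && $GLOBALS['cfg']['api_auth_type'] == 'oauth2' && $k == 'access_token') {
            continue;
        }

        $k = filter_strict($k);

        if (!$k) {
            continue;
        }

        $out[$k] = filter_strict(get_str($k));
    }

    api_output_ok($out);
}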
function api_test_echo() {

    # Debug helper: reflect the query-string parameters back to the caller
    # as an "ok" API response. When the API runs in OAuth2 mode the bearer
    # token ('access_token') is deliberately left out of the echo.

    $echoed = array();

    foreach (array_keys($_GET) as $name) {

        $is_oauth2 = ($GLOBALS['cfg']['api_auth_type'] == 'oauth2');

        if ($is_oauth2 && $name == 'access_token') {
            continue;
        }

        $name = filter_strict($name);

        if (!$name) {
            continue;
        }

        $echoed[$name] = filter_strict(get_str($name));
    }

    api_output_ok($echoed);
}
# magic upload box...

# Top-level upload page script; the `if` opened at the end of this
# excerpt continues beyond it.

$GLOBALS['smarty']->assign("include_url_upload", 1);

if (!$GLOBALS['cfg']['enable_feature_import']) {
    $GLOBALS['error']['uploads_disabled'] = 1;
    # Uses the bare $smarty alias here but $GLOBALS['smarty'] elsewhere;
    # presumably the same object from init.php — confirm it is in scope.
    $smarty->display("page_upload_disabled.txt");
    exit;
}

#################################################################

# The 'upload' crumb (presumably a per-form anti-forgery token) gates the
# file processing below; $crumb_ok is checked before $_FILES is touched.
$crumb_key = 'upload';
$crumb_ok = crumb_check($crumb_key);

$GLOBALS['smarty']->assign("crumb_key", $crumb_key);

#

$label = filter_strict(post_str('label'));
$private = post_str('private') ? 1 : 0;
$dots_index_on = filter_strict(post_str('dots_index_on'));
$mime_type = filter_strict(post_str('mime_type'));

$GLOBALS['smarty']->assign("label", $label);
$GLOBALS['smarty']->assign("private", $private);
$GLOBALS['smarty']->assign("dots_index_on", $dots_index_on);
$GLOBALS['smarty']->assign("mime_type", $mime_type);

# This is here mostly in case we throw an error and need/want
# to tell users about valid import formats.

$import_map = formats_pretty_import_names_map();
$GLOBALS['smarty']->assign_by_ref("import_map", $import_map);

#
# First grab the file and do some basic validation
#

# Ideally the front end should remove the 'upload' parameter but
# just in case...

# $_FILES['upload'] is read without isset(); a request with no file field
# raises a notice here rather than failing the condition cleanly.
if ($crumb_ok && $_FILES['upload'] && !post_str('url')) {

    $GLOBALS['smarty']->assign('step', 'process');
<?php

# API key registration page (top-level script). The validation chain
# opened at the end of this excerpt continues beyond it.

include "include/init.php";
loadlib("api_keys");
loadlib("api_keys_utils");

features_ensure_enabled("api");
features_ensure_enabled("api_register_keys");

login_ensure_loggedin();

$crumb_key = 'api_key';
$GLOBALS['smarty']->assign("crumb_key", $crumb_key);

$step = 1;

# Only act on a submitted form that also carries a valid crumb.
if (post_isset('done') && crumb_check($crumb_key)) {

    $ok = 1;

    $title = filter_strict(post_str("title"));
    $description = filter_strict(post_str("description"));
    $callback = filter_strict(post_str("callback"));
    $conf = post_str("confirm");

    if ($ok && !$title) {
        $GLOBALS['smarty']->assign("error", "no_title");
        $ok = 0;
    }

    else {
        $GLOBALS['smarty']->assign("title", $title);
    }

    if ($ok && !$description) {
        $GLOBALS['smarty']->assign("error", "no_description");
        $ok = 0;
    }

    else {
        $GLOBALS['smarty']->assign("description", $description);
    }

    # The callback is optional, but when present it must pass the
    # project's validator before the flow continues.
    if ($ok && $callback) {

        if (!api_keys_utils_is_valid_callback($callback)) {
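# Upload-by-Flickr step: validate the submitted Flickr URL, resolve its
# GeoRSS feed and, once the user confirms with a valid crumb, import it.
# $url and $crumb_key are set earlier in the page script.

$ok = 1;

if ($url) {

    $parsed_url = utils_parse_url($url);

    # The host must be flickr.com or a subdomain of it. The previous pattern
    # was unanchored, so hosts such as "flickr.com.example.net" or
    # "notflickr.com" passed and the server then fetched a feed from them.
    $host = isset($parsed_url['host']) ? $parsed_url['host'] : '';

    if (!preg_match("/(^|\\.)flickr\\.com\$/i", $host)) {
        $GLOBALS['error']['not_flickr'] = 1;
        $ok = 0;
    }

    $GLOBALS['smarty']->assign("url", $url);
    $GLOBALS['smarty']->assign("parsed_url", $parsed_url);
}

if ($url && $ok) {

    $feed_url = flickr_get_georss_feed($url);

    if (!$feed_url) {
        $GLOBALS['error']['no_feed_url'] = 1;
        $ok = 0;
    }
}

#

if ($url && $ok && post_str('confirm') && crumb_check($crumb_key)) {

    $label = filter_strict(post_str('label'));
    $private = post_str('private') ? 1 : 0;

    $more = array(
        'label' => $label,
        'mark_all_private' => $private,
        'return_dots' => 0,
        'assume_mime_type' => 'application/rss+xml',
    );

    if ($GLOBALS['cfg']['enable_feature_dots_indexing']) {
        $more['dots_index_on'] = post_str('dots_index_on');
    }

    $import_rsp = import_import_uri($GLOBALS['cfg']['user'], $feed_url, $more);
    $GLOBALS['smarty']->assign_by_ref("import_rsp", $import_rsp);
}

#

$GLOBALS['smarty']->display("page_upload_by_flickr.txt");
exit;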
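function _api_output_rest_send_jsonp(&$rsp) {

    # Emit $rsp as a JSONP response: <callback>(<json>).
    #
    # $rsp: the response array, encoded with json_encode().
    #
    # The callback name comes from the untrusted 'callback' request
    # parameter and is written unquoted into a JavaScript context, where
    # htmlspecialchars() alone does not neutralise it. Only a plain
    # (dotted) JS identifier is accepted; anything else falls back to the
    # default "makeItSo".

    $callback = request_str('callback');
    $callback = filter_strict($callback);

    if (!$callback || !preg_match('/^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$/', $callback)) {
        $callback = "makeItSo";
    }

    $callback = htmlspecialchars($callback);

    _api_output_rest_send_json_headers();
    echo $callback . "(" . json_encode($rsp) . ")";
}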
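function filter_strict_quot($str) {

    # Like filter_strict(), but with literal double quotes restored.
    # filter_strict() presumably leaves double quotes as the HTML entity
    # &quot; (confirm against its definition); some consumers need the raw
    # character back.
    #
    # NOTE(review): the entity literal appeared garbled in the source as seen
    # (an unterminated `"""`), which is not valid PHP; it is restored here.

    $str = filter_strict($str);
    $str = str_replace("&quot;", "\"", $str);
    return $str;
}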
function import_scrub($input, $sanitize_as = 'str') {

    # Normalise one imported field: decode HTML entities, coerce it with
    # sanitize() as the requested type, apply the strict filter, then trim.
    #
    # $input:       raw value from the import source.
    # $sanitize_as: type name handed to sanitize() (default 'str').

    $decoded = html_entity_decode($input, ENT_QUOTES, 'UTF-8');
    $typed = sanitize($decoded, $sanitize_as);
    $filtered = filter_strict($typed);

    return trim($filtered);
}
<?php

# Path-alias settings page (top-level script). The nested `if` blocks
# opened at the end of this excerpt continue beyond it.

include "include/init.php";
loadlib("flickr_users_path_aliases");

if (!$GLOBALS['cfg']['enable_feature_path_alias_redirects']) {
    error_disabled();
}

login_ensure_loggedin("/account/url/");

$crumb_key = 'pathalias';
$smarty->assign("crumb_key", $crumb_key);

$crumb_ok = crumb_check($crumb_key);

# Nothing below runs unless the form carries a valid crumb.
if ($crumb_ok) {

    $ok = 1;

    $new_alias = post_str("path_alias");
    $new_alias = filter_strict($new_alias);
    $new_alias = trim($new_alias);

    if (!$new_alias) {
        $GLOBALS['smarty']->assign("error", "invalid alias");
        $ok = 0;
    }

    if ($ok && !flickr_users_path_aliases_is_available($new_alias)) {
        $GLOBALS['smarty']->assign("error", "alias taken");
        $ok = 0;
    }

    if ($ok) {

        # The availability check above and the create below are separate
        # calls, so two concurrent submissions could both pass the check;
        # the "db error" branch is the only fallback if the insert fails.
        if (post_str("confirm")) {

            $rsp = flickr_users_path_aliases_create($GLOBALS['cfg']['user'], $new_alias);

            if (!$rsp['ok']) {
                $GLOBALS['smarty']->assign("error", "db error");
                $ok = 0;
            }
}
}

# Continuation of the upload-by-URL page script: the two closing braces
# above end blocks that begin outside this excerpt, and $ok, $url,
# $parsed, $error_details and $crumb_key are set there.

#
# Okay, you buy?
#

if (!$ok) {
    $GLOBALS['error']['invalid_url'] = 1;
    $GLOBALS['error']['details'] = $error_details;
    $GLOBALS['smarty']->display('page_upload_by_url_form.txt');
    exit;
}

#
# Confirmation and/or remote fetching
#

$smarty->assign_by_ref('parsed_url', $parsed);
$smarty->assign('url', $url);

# The server-side fetch of $url only happens after the user confirms and
# the form carries a valid crumb.
if (post_isset('confirm') && crumb_check($crumb_key)) {

    $label = filter_strict(post_str('label'));
    $private = post_str('private') ? 1 : 0;
    $dots_index_on = filter_strict(post_str('dots_index_on'));

    $more = array('label' => $label, 'mark_all_private' => $private, 'return_dots' => 0, 'dots_index_on' => $dots_index_on);

    # Unlike the other POST fields above, mime_type is passed through
    # without filter_strict().
    if ($mime_type = post_str('mime_type')) {
        $more['assume_mime_type'] = $mime_type;
    }

    $rsp = import_import_uri($GLOBALS['cfg']['user'], $url, $more);
    $smarty->assign_by_ref('import', $rsp);
}

$import_formats = formats_valid_import_map('key by extension');
$GLOBALS['smarty']->assign_by_ref("import_formats", $import_formats);

$smarty->display("page_upload_by_url.txt");
exit;
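function api_dispatch($method) {

    # Entry point for one API call. In order: feature flag, method lookup
    # against the configured method table (the allow-list of callable
    # names), request-method checks, API key / auth / role / blessing /
    # crumb checks, then "<library>_<method>" is invoked and the script exits.
    #
    # $method: untrusted method name from the request (e.g. "foo.bar").
    # Never returns normally: every path ends in api_output_error() or exit.

    if (!$GLOBALS['cfg']['enable_feature_api']) {
        api_output_error(999, 'API disabled');
    }

    $method = filter_strict($method);

    $api_key = request_str("api_key");
    $access_token = request_str("access_token");

    # Log the basics
    #
    # NOTE(review): the raw bearer token is handed to api_log(); if that
    # ends up in a persistent log, the credential is stored in plaintext.
    # Logging a hash or prefix would preserve traceability without that.

    $remote_addr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';

    api_log(array(
        'api_key' => $api_key,
        'method' => $method,
        'access_token' => $access_token,
        'remote_addr' => $remote_addr,
    ));

    $methods = $GLOBALS['cfg']['api']['methods'];

    if (!$method || !isset($methods[$method])) {
        $enc_method = htmlspecialchars($method);
        api_output_error(404, "Method '{$enc_method}' not found");
    }

    _api_dispatch_setenv("API_METHOD", $method);

    $method_row = $methods[$method];
    $key_row = null;
    $token_row = null;

    if (!$method_row['enabled']) {
        $enc_method = htmlspecialchars($method);
        api_output_error(404, "Method '{$enc_method}' not found");
    }

    $method_row['name'] = $method;

    if ($GLOBALS['cfg']['api_auth_type'] == 'oauth2') {

        # Tokens must travel in the POST body unless GET is explicitly allowed
        if ($_SERVER['REQUEST_METHOD'] != 'POST' && !$GLOBALS['cfg']['api_oauth2_allow_get_parameters']) {
            api_output_error(405, 'Method not allowed');
        }
    }

    if (isset($method_row['request_method'])) {

        if ($_SERVER['REQUEST_METHOD'] != $method_row['request_method']) {
            api_output_error(405, 'Method not allowed');
        }
    }

    # Okay – now we get in to validation and authorization. Which means a
    # whole world of pedantic stupid if we're using Oauth2. Note that you
    # could use OAuth2 and require API keys be passed explictly but since
    # that's not part of the spec if you enable the two features simultaneously
    # don't be surprised when hilarity ensues. Good times. (20121026/straup)

    # First API keys

    if (features_is_enabled("api_require_keys")) {

        if (!$api_key) {
            api_output_error(999, "Required API key is missing");
        }

        $key_row = api_keys_get_by_key($api_key);
        api_keys_utils_ensure_valid_key($key_row);
    }

    # Second auth-y bits

    $auth_rsp = api_auth_ensure_auth($method_row, $key_row);

    if (isset($auth_rsp['api_key'])) {
        $key_row = $auth_rsp['api_key'];
    }

    if (isset($auth_rsp['access_token'])) {
        $token_row = $auth_rsp['access_token'];
    }

    if (!empty($auth_rsp['user'])) {
        $GLOBALS['cfg']['user'] = $auth_rsp['user'];
    }

    # $key_row is still null when keys are optional and the auth step did
    # not supply one; the old code indexed it regardless.
    $key_str = (is_array($key_row) && isset($key_row['api_key'])) ? $key_row['api_key'] : '';
    _api_dispatch_setenv("API_KEY", $key_str);

    # Check for require-iness of users here ?

    # Roles - for API keys (things like only the site keys)

    api_config_ensure_role($method_row, $key_row, $token_row);

    # Blessings and other method specific access controls

    api_config_ensure_blessing($method_row, $key_row, $token_row);

    # Finally, crumbs - because they are tastey

    if (!empty($method_row['requires_crumb'])) {
        api_auth_ensure_crumb($method_row);
    }

    # GO!

    loadlib($method_row['library']);

    $parts = explode(".", $method);
    $method = array_pop($parts);

    $func = "{$method_row['library']}_{$method}";

    if (!function_exists($func)) {
        api_output_error(404, "Method not found");
    }

    call_user_func($func);
    exit;
}

function _api_dispatch_setenv($name, $value) {

    # Expose a value to the Apache request environment (e.g. for access
    # logs). apache_setenv() only exists under the Apache SAPI; calling it
    # elsewhere was a fatal error, so it is skipped when unavailable.

    if (function_exists('apache_setenv')) {
        apache_setenv($name, $value);
    }
}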
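function dots_create_dot(&$user, &$sheet, &$data, $more = array()) {

    # Create a single dot (point record) for $user on $sheet from the
    # key/value row in $data. Writes the Dots row, then (unless buffered
    # via $more) the DotsLookup, search and search-extras rows.
    #
    # $user, $sheet: rows with 'id' ($user also needs 'cluster_id').
    # $data:  the imported row; 'latitude', 'longitude', 'geohash', 'perms'
    #         and 'created' are read directly, everything else becomes
    #         details and/or indexed extras. Modified in place (created
    #         date, whatever dots_derive_location_data() adds).
    # $more:  'skip_validation', 'mark_all_private', 'dots_index_on',
    #         'buffer_lookup_inserts', 'buffer_search_inserts',
    #         'buffer_extras_inserts'.
    # Returns the db_insert_users() response (array with 'ok') extended
    # with 'dot', 'derived' and any buffered 'lookup'/'search'/'extras'
    # rows, or an array('ok' => 0, 'error' => ...) on failure.

    # if we've gotten here via lib_uploads then
    # we will have already done validation.

    if (empty($more['skip_validation'])) {

        # Validate the row we were actually given; the old code passed an
        # undefined $row here, so the check ran against null.
        $rsp = dots_ensure_valid_data($data);

        if (!$rsp['ok']) {
            return $rsp;
        }
    }

    #

    $id = dbtickets_create(64);

    if (!$id) {
        return array('ok' => 0, 'error' => 'Ticket server failed');
    }

    #
    # Assign basic geo bits - keep track of stuff that has
    # been derived so that we can flag them accordingly in
    # the DotsExtras table.
    #

    list($data, $derived) = dots_derive_location_data($data);

    # Note that we return $derived with the response below
    # (assuming everything else works) and check for any errors
    # out of band, read: the _import_dots function (20110311/straup)

    #
    # creation date for the point (different from import date)
    # should this be stored/flagged as an extra?
    #

    $now = time();

    if (!empty($data['created'])) {

        $created = $data['created'];

        #
        # Because intval("2010-09-23T00:18:55Z") returns '2010' ...
        # Because is_numeric(20101029154025.000) returns true ...
        # Because strtotime(time()) returns false ...
        # BECAUSE GOD HATES YOU ...
        #

        $created = preg_match("/^\\d+\$/", $created) ? $created : strtotime($created);

        # if ! $created then reassign $now ?

        # Now convert everything back in to a datetime string

        if ($created) {
            $data['created'] = gmdate('Y-m-d H:i:s', $created);
        }
    }

    else {
        $data['created'] = gmdate('Y-m-d H:i:s', $now);
    }

    #
    # permissions
    #

    $perms_map = dots_permissions_map('string keys');
    $perms = $perms_map['public'];

    if ((isset($data['perms']) && $data['perms'] == 'private') || !empty($more['mark_all_private'])) {
        $perms = $perms_map['private'];
    }

    #
    # Go! Or rather... start!
    #

    $dot = array(
        'id' => $id,
        'user_id' => $user['id'],
        'sheet_id' => $sheet['id'],
        'perms' => $perms,
    );

    # Always store created date in the user Sheets table; it's
    # not clear how this relates/works with the dots extras
    # stuff yet (20101210/straup)

    $to_denormalize = array('created');

    foreach ($to_denormalize as $key) {
        if (isset($data[$key]) && !empty($data[$key])) {
            $dot[$key] = $data[$key];
        }
    }

    # Please to write me: A discussion on the relationship between
    # details, extras, 'indexed' and search. (20101213/straup)

    #
    # Dots extras (as in: extra things you can search for)
    #

    $details = array();
    $extras = array();

    if ($GLOBALS['cfg']['enable_feature_dots_indexing']) {

        $index_on = array();

        if ($GLOBALS['cfg']['dots_indexing_index_all']) {

            # Index every column except those already stored on the Dots
            # row itself.
            $skip = array('latitude', 'longitude', 'created', 'title_internal');
            $tmp = array();

            foreach (array_keys($data) as $f) {
                if (!in_array($f, $skip)) {
                    $tmp[] = $f;
                }
            }
        }

        else {
            # Caller-chosen columns, capped at the configured maximum.
            $requested = isset($more['dots_index_on']) ? $more['dots_index_on'] : '';
            $tmp = explode(",", $requested, $GLOBALS['cfg']['dots_indexing_max_cols']);
        }

        #

        foreach ($tmp as $field) {

            $field = trim($field);

            if (!isset($data[$field])) {
                continue;
            }

            # Only the field name is escaped here; the value is passed
            # through to dots_search_extras_add_lots_of_extras() as-is.
            $extras[] = array(
                'dot_id' => $id,
                'sheet_id' => $sheet['id'],
                'user_id' => $user['id'],
                'name' => $field,
                'value' => $data[$field],
            );

            $index_on[] = AddSlashes($field);
        }

        $dot['index_on'] = implode(",", $index_on);
    }

    #
    # Store any remaining fields in a big old JSON blob
    #

    foreach (array_keys($data) as $label) {

        # If filter_strict() alters the key, $data[$label] below refers to
        # a different (likely missing) entry — preserved from the original.
        $label = filter_strict(trim($label));

        if (!$label) {
            continue;
        }

        $value = $data[$label];
        $value = filter_strict(trim($value));

        if (!$value) {
            continue;
        }

        $ns = null;
        $pred = $label;

        # strpos() is used as a truthy test, so a label whose only colon is
        # the first character is not split — preserved as-is.
        if (strpos($label, ':')) {
            list($ns, $pred) = explode(':', $label, 2);
        }

        $detail = array(
            'namespace' => $ns,
            'label' => $pred,
            'value' => $data[$label],
        );

        # Flag values that dots_derive_location_data() computed rather than
        # imported. The old code wrote this to an unrelated $extra variable,
        # so the flag never reached the stored details.
        if (isset($derived[$label])) {
            $detail['derived_from'] = $derived[$label];
        }

        if (!isset($details[$label]) || !is_array($details[$label])) {
            $details[$label] = array();
        }

        $details[$label][] = $detail;
    }

    $dot['details_json'] = json_encode($details);

    #
    # Look, we are FINALLY NOW creating the dot
    #

    $insert = array();

    foreach ($dot as $key => $value) {
        $insert[$key] = AddSlashes($value);
    }

    $rsp = db_insert_users($user['cluster_id'], 'Dots', $insert);

    if (!$rsp['ok']) {
        return $rsp;
    }

    $dot['details'] = $details;

    #
    # Update the DotsLookup table
    #

    $lookup = array(
        'dot_id' => $id,
        'sheet_id' => $sheet['id'],
        'user_id' => $user['id'],
        'imported' => $now,
        'last_modified' => $now,
    );

    if (!empty($more['buffer_lookup_inserts'])) {
        $rsp['lookup'] = $lookup;
    }

    else {
        $lookup_rsp = dots_lookup_create($lookup);

        if (!$lookup_rsp['ok']) {
            # What then... (the Dots row already exists at this point and
            # the failure is not reported to the caller)
        }
    }

    #
    # Now the searching (first the basics then any 'extras' specific to this dot)
    #

    $search = array(
        'dot_id' => $id,
        'sheet_id' => $sheet['id'],
        'user_id' => $user['id'],
        'imported' => $now,
        'created' => $data['created'],
        'perms' => $perms,
        'geohash' => $data['geohash'],
        'latitude' => $data['latitude'],
        'longitude' => $data['longitude'],
    );

    if (!empty($more['buffer_search_inserts'])) {
        $rsp['search'] =& $search;
    }

    else {
        $search_rsp = dots_search_add_dot($search);

        if (!$search_rsp['ok']) {
            # What then...
        }
    }

    # extras

    if (!empty($more['buffer_extras_inserts'])) {
        $rsp['extras'] = $extras;
    }

    else {
        $extras_rsp = dots_search_extras_add_lots_of_extras($extras);

        if (!$extras_rsp['ok']) {
            # What then...
        }
    }

    #
    # Happy happy
    #

    $rsp['dot'] =& $dot;
    $rsp['derived'] =& $derived;

    return $rsp;
}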
# # carry this argument through # $smarty->assign('redir', request_str('redir')); # # are we signing up? # if (post_str('signup')){ $ok = 1; $username = filter_strict(post_str('username')); $email = post_str('email'); $password = post_str('password'); $redir = post_str('redir'); $smarty->assign('email', $email); $smarty->assign('password', $password); $smarty->assign('username', $username); $smarty->assign('redir', $redir); # # all fields are in order? #