예제 #1
0
/**
 * function used to build HMAC code for an array
 * @return: string
 */
function euplatesc_mac($data, $key = NULL)
{
    $str = NULL;
    foreach ($data as $d) {
        if ($d === NULL || strlen($d) == 0) {
            $str .= '-';
        } else {
            $str .= strlen($d) . $d;
        }
    }
    $key = pack('H*', $key);
    return hmacsha1($key, $str);
}
function lftokenValidateServerToken($token, $key)
{
    $parts = explode(',', $token);
    $signature = array_pop($parts);
    $serverkey = hmacsha1(base64_decode($key), "Server Key");
    $temp = base64_encode(hmacsha1($serverkey, implode(',', $parts)));
    if (count($parts) > 1) {
        $timestamp = strtotime($parts[1]);
        $duration = $parts[2];
    } else {
        $timestamp = time() - 1;
        $duration = 0;
    }
    return $signature == $temp && time() - $timestamp < $duration;
}
예제 #3
0
function logoutSession()
{
    global $cfg, $db;
    $cfg['username'] = '';
    // Footer
    $cfg['access_media'] = '';
    // Header opensearch
    $sid = cookie('netjukebox_sid');
    $sign = randomKey();
    $session_seed = randomKey();
    // Update current session
    mysql_query('UPDATE session SET
		logged_in			= 0,
		ip					= "' . mysql_real_escape_string($_SERVER['REMOTE_ADDR']) . '",
		user_agent			= "' . mysql_real_escape_string($_SERVER['HTTP_USER_AGENT']) . '",
		sign				= "' . mysql_real_escape_string($sign) . '",
		seed				= "' . mysql_real_escape_string($session_seed) . '"
		WHERE sid			= BINARY "' . mysql_real_escape_string($sid) . '"');
    if (mysql_affected_rows($db) == 0) {
        // Create new session
        $sid = randomKey();
        mysql_query('INSERT INTO session (logged_in, create_time, ip, user_agent, sid, sign, seed) VALUES (
			0,
			' . (int) time() . ',
			"' . mysql_real_escape_string($_SERVER['REMOTE_ADDR']) . '",
			"' . mysql_real_escape_string($_SERVER['HTTP_USER_AGENT']) . '",
			"' . mysql_real_escape_string($sid) . '",
			"' . mysql_real_escape_string($sign) . '",
			"' . mysql_real_escape_string($session_seed) . '")');
        setcookie('netjukebox_sid', $sid, time() + 31536000, null, null, NJB_HTTPS, true);
        @ob_flush();
        flush();
    }
    //  +------------------------------------------------------------------------+
    //  | Login                                                                  |
    //  +------------------------------------------------------------------------+
    $query = mysql_query('SELECT username FROM user WHERE username = "******"');
    $user = mysql_fetch_assoc($query);
    $anonymous = $user['username'];
    $action = get('action');
    if (NJB_SCRIPT == 'index.php' && substr($action, 0, 4) == 'view') {
        $url = 'index.php?';
        $get = getAll();
        foreach ($get as $key => $value) {
            $url .= rawurlencode($key) . '=' . rawurlencode($value) . '&amp;';
        }
        $url = substr($url, 0, -5);
    } else {
        $url = 'index.php';
    }
    $cfg['align'] = true;
    require_once NJB_HOME_DIR . 'include/header.inc.php';
    ?>
<script type="text/javascript">
<!--
if (hmacsha1('key', 'The quick brown fox jumps over the lazy dog') != 'de7c9b85b8b78aa6bc8a7a36f70a90701c9db4d9') {
	document.write('<table cellspacing="10" cellpadding="0" class="error">');
	document.write('<tr>');
	document.write('	<td valign="top"><img src="<?php 
    echo $cfg['img'];
    ?>
medium_message_error.png" alt=""><\/td>');
	document.write('	<td valign="top"><strong>JavaScript error<\/strong><br>Unexpected SHA1 checksum result.<\/td>');
	document.write('<\/tr>');
	document.write('<\/table>');
}
else if (typeof XMLHttpRequest == 'undefined') {
	document.write('<table cellspacing="10" cellpadding="0" class="error">');
	document.write('<tr>');
	document.write('	<td valign="top"><img src="<?php 
    echo $cfg['img'];
    ?>
medium_message_error.png" alt=""><\/td>');
	document.write('	<td valign="top"><strong>Native XMLHttpRequest support is required<\/strong><br>');
	document.write('	Enable XMLHttpRequest or get a modern web browser.<\/td>');
	document.write('<\/tr>');
	document.write('<\/table>');
}
else {
	document.write('<form action="<?php 
    echo $url;
    ?>
" method="post" name="loginform" id="loginform" onSubmit="loginStage1(this.username.value); return false;">');
	document.write('	<input type="hidden" name="authenticate" value="validate">');
	document.write('	<input type="hidden" name="hash1" value="">');
	document.write('	<input type="hidden" name="hash2" value="">');
	document.write('	<input type="hidden" name="sign" value="">');
	document.write('<table cellspacing="0" cellpadding="0" class="warning">');
	document.write('<tr class="space"><td colspan="5"><\/td><\/tr>');
	document.write('<tr>');
	document.write('	<td class="space"><\/td>');
	document.write('	<td>Username:<\/td>');
	document.write('	<td class="space"><\/td>');
	document.write('	<td><input type="text" name="username" value="<?php 
    echo addslashes(html($anonymous));
    ?>
" maxlength="255" class="login" onKeyUp="anonymousPassword();"><\/td>');
	document.write('	<td class="space"><\/td>');
	document.write('<\/tr>');
	document.write('<tr>');
	document.write('	<td><\/td>');
	document.write('	<td>Password:<\/td>');
	document.write('	<td><\/td>');
	document.write('	<td><input type="password" name="password" class="login"><\/td>');
	document.write('	<td><\/td>');
	document.write('<\/tr>');
	document.write('<tr class="space"><td colspan="5"><\/td><\/tr>');
	document.write('<tr>');
	document.write('	<td><\/td>');
	document.write('	<td colspan="3" align="right"><input type="submit" value="login" class="button"><\/td>');
	document.write('	<td><\/td>');
	document.write('<\/tr>');
	document.write('<tr class="space"><td colspan="5"><\/td><\/tr>');
	document.write('<tr>');
	document.write('	<td><\/td>');
	document.write('	<td colspan="3" class="line"><\/td>');
	document.write('	<td><\/td>');
	document.write('<\/tr>');
	document.write('<tr class="space"><td colspan="5"><\/td><\/tr>');
<?php 
    if ($cfg['admin_login_message'] == '') {
        ?>
	document.write('<tr>');
	document.write('	<td><\/td>');
	document.write('	<td colspan="3"><span class="login_message">Cookies and JavaScript are required to login.<br>');
	document.write('	Browser must support native XMLHttpRequest.<\/span><\/td>');
	document.write('	<td><\/td>');
	document.write('<\/tr>');
<?php 
    } else {
        ?>
	document.write('<tr>');
	document.write('	<td><\/td>');
	document.write('	<td colspan="3"><span class="login_message">');
	document.write('	<?php 
        echo addslashes(bbcode($cfg['admin_login_message']));
        ?>
<\/span><\/td>');
	document.write('	<td><\/td>');
	document.write('<\/tr>');
<?php 
    }
    ?>
	document.write('<tr class="space"><td colspan="5"><\/td><\/tr>');
	document.write('<\/table>');
	document.write('<\/form>');
}


function initialize() {
	if (typeof XMLHttpRequest != 'undefined') {
		document.loginform.username.focus();
		document.loginform.username.select();
		anonymousPassword();
	}
}


function anonymousPassword() {
	if (<?php 
    echo $anonymous ? 'true' : 'false';
    ?>
 && document.loginform.username.value == '<?php 
    echo addslashes(html($anonymous));
    ?>
') {
		document.loginform.password.value = '';
		document.loginform.password.className = 'login readonly';
		// document.loginform.password.disabled = true;
	}
	else {
		document.loginform.password.className = 'login';
		// document.loginform.password.disabled = false;
	}
}


function loginStage1(username) {
	document.loginform.username.value = '';
	document.loginform.username.value = username;
	document.loginform.username.className = 'login readonly';
	document.loginform.password.className = 'login readonly';
	ajaxRequest('json.php', loginStage2, 'action=loginStage1&username='******'UTF-8' ? 'encodeURIComponent' : 'escape';
    ?>
(username) + '&sign=<?php 
    echo hmacsha1($cfg['server_seed'], $sign);
    ?>
');
}


function loginStage2(data) {
	// data.user_seed, data.session_seed, data.sign;	
	var password = document.loginform.password.value;
	document.loginform.password.value = '';
	if (<?php 
    echo $anonymous ? 'true' : 'false';
    ?>
 && document.loginform.username.value == '<?php 
    echo addslashes(html($anonymous));
    ?>
')
		password = '******';
	document.loginform.hash1.value = hmacsha1(password, data.user_seed);
	document.loginform.hash2.value = hmacsha1(hmacsha1(password, data.session_seed), data.session_seed);
	document.loginform.sign.value = data.sign;
	password = '';
	setTimeout('document.loginform.submit();', <?php 
    echo $cfg['login_delay'];
    ?>
);
}
//-->
</script>
<?php 
    require_once NJB_HOME_DIR . 'include/footer.inc.php';
    exit;
}
예제 #4
0
 function doModel()
 {
     osc_run_hook('before_search');
     if (osc_rewrite_enabled()) {
         // IF rewrite is not enabled, skip this part, preg_match is always time&resources consuming task
         $p_sParams = "/" . Params::getParam('sParams', false, false);
         if (preg_match_all('|\\/([^,]+),([^\\/]*)|', $p_sParams, $m)) {
             $l = count($m[0]);
             for ($k = 0; $k < $l; $k++) {
                 switch ($m[1][$k]) {
                     case osc_get_preference('rewrite_search_country'):
                         $m[1][$k] = 'sCountry';
                         break;
                     case osc_get_preference('rewrite_search_region'):
                         $m[1][$k] = 'sRegion';
                         break;
                     case osc_get_preference('rewrite_search_city'):
                         $m[1][$k] = 'sCity';
                         break;
                     case osc_get_preference('rewrite_search_city_area'):
                         $m[1][$k] = 'sCityArea';
                         break;
                     case osc_get_preference('rewrite_search_category'):
                         $m[1][$k] = 'sCategory';
                         break;
                     case osc_get_preference('rewrite_search_user'):
                         $m[1][$k] = 'sUser';
                         break;
                     case osc_get_preference('rewrite_search_pattern'):
                         $m[1][$k] = 'sPattern';
                         break;
                     default:
                         // custom fields
                         if (preg_match("/meta(\\d+)-?(.*)?/", $m[1][$k], $results)) {
                             $meta_key = $m[1][$k];
                             $meta_value = $m[2][$k];
                             $array_r = array();
                             if (Params::existParam('meta')) {
                                 $array_r = Params::getParam('meta');
                             }
                             if ($results[2] == '') {
                                 // meta[meta_id] = meta_value
                                 $meta_key = $results[1];
                                 $array_r[$meta_key] = $meta_value;
                             } else {
                                 // meta[meta_id][meta_key] = meta_value
                                 $meta_key = $results[1];
                                 $meta_key2 = $results[2];
                                 $array_r[$meta_key][$meta_key2] = $meta_value;
                             }
                             $m[1][$k] = 'meta';
                             $m[2][$k] = $array_r;
                         }
                         break;
                 }
                 Params::setParam($m[1][$k], $m[2][$k]);
             }
             Params::unsetParam('sParams');
         }
     }
     $uriParams = Params::getParamsAsArray();
     $searchUri = osc_search_url($uriParams);
     if ($this->uri != 'feed') {
         if (str_replace("%20", '+', $searchUri) != str_replace("%20", '+', WEB_PATH . $this->uri)) {
             $this->redirectTo($searchUri, 301);
         }
     }
     ////////////////////////////////
     //GETTING AND FIXING SENT DATA//
     ////////////////////////////////
     $p_sCategory = Params::getParam('sCategory');
     if (!is_array($p_sCategory)) {
         if ($p_sCategory == '') {
             $p_sCategory = array();
         } else {
             $p_sCategory = explode(",", $p_sCategory);
         }
     }
     $p_sCityArea = Params::getParam('sCityArea');
     if (!is_array($p_sCityArea)) {
         if ($p_sCityArea == '') {
             $p_sCityArea = array();
         } else {
             $p_sCityArea = explode(",", $p_sCityArea);
         }
     }
     $p_sCity = Params::getParam('sCity');
     if (!is_array($p_sCity)) {
         if ($p_sCity == '') {
             $p_sCity = array();
         } else {
             $p_sCity = explode(",", $p_sCity);
         }
     }
     $p_sRegion = Params::getParam('sRegion');
     if (!is_array($p_sRegion)) {
         if ($p_sRegion == '') {
             $p_sRegion = array();
         } else {
             $p_sRegion = explode(",", $p_sRegion);
         }
     }
     $p_sCountry = Params::getParam('sCountry');
     if (!is_array($p_sCountry)) {
         if ($p_sCountry == '') {
             $p_sCountry = array();
         } else {
             $p_sCountry = explode(",", $p_sCountry);
         }
     }
     $p_sUser = Params::getParam('sUser');
     if (!is_array($p_sUser)) {
         if ($p_sUser == '') {
             $p_sUser = '';
         } else {
             $p_sUser = explode(",", $p_sUser);
         }
     }
     $p_sLocale = Params::getParam('sLocale');
     if (!is_array($p_sLocale)) {
         if ($p_sLocale == '') {
             $p_sLocale = '';
         } else {
             $p_sLocale = explode(",", $p_sLocale);
         }
     }
     $p_sPattern = trim(strip_tags(Params::getParam('sPattern')));
     // ADD TO THE LIST OF LAST SEARCHES
     if (osc_save_latest_searches() && (!Params::existParam('iPage') || Params::getParam('iPage') == 1)) {
         $savePattern = osc_apply_filter('save_latest_searches_pattern', $p_sPattern);
         if ($savePattern != '') {
             LatestSearches::newInstance()->insert(array('s_search' => $savePattern, 'd_date' => date('Y-m-d H:i:s')));
         }
     }
     $p_bPic = Params::getParam('bPic');
     $p_bPic = $p_bPic == 1 ? 1 : 0;
     $p_bPremium = Params::getParam('bPremium');
     $p_bPremium = $p_bPremium == 1 ? 1 : 0;
     $p_sPriceMin = Params::getParam('sPriceMin');
     $p_sPriceMax = Params::getParam('sPriceMax');
     //WE CAN ONLY USE THE FIELDS RETURNED BY Search::getAllowedColumnsForSorting()
     $p_sOrder = Params::getParam('sOrder');
     if (!in_array($p_sOrder, Search::getAllowedColumnsForSorting())) {
         $p_sOrder = osc_default_order_field_at_search();
     }
     $old_order = $p_sOrder;
     //ONLY 0 ( => 'asc' ), 1 ( => 'desc' ) AS ALLOWED VALUES
     $p_iOrderType = Params::getParam('iOrderType');
     $allowedTypesForSorting = Search::getAllowedTypesForSorting();
     $orderType = osc_default_order_type_at_search();
     foreach ($allowedTypesForSorting as $k => $v) {
         if ($p_iOrderType == $v) {
             $orderType = $k;
             break;
         }
     }
     $p_iOrderType = $orderType;
     $p_sFeed = Params::getParam('sFeed');
     $p_iPage = 0;
     if (is_numeric(Params::getParam('iPage')) && Params::getParam('iPage') > 0) {
         $p_iPage = intval(Params::getParam('iPage')) - 1;
     }
     if ($p_sFeed != '') {
         $p_sPageSize = 1000;
     }
     $p_sShowAs = Params::getParam('sShowAs');
     $aValidShowAsValues = array('list', 'gallery');
     if (!in_array($p_sShowAs, $aValidShowAsValues)) {
         $p_sShowAs = osc_default_show_as_at_search();
     }
     // search results: it's blocked with the maxResultsPerPage@search defined in t_preferences
     $p_iPageSize = intval(Params::getParam('iPagesize'));
     if ($p_iPageSize > 0) {
         if ($p_iPageSize > osc_max_results_per_page_at_search()) {
             $p_iPageSize = osc_max_results_per_page_at_search();
         }
     } else {
         $p_iPageSize = osc_default_results_per_page_at_search();
     }
     //FILTERING CATEGORY
     $bAllCategoriesChecked = false;
     $successCat = false;
     if (count($p_sCategory) > 0) {
         foreach ($p_sCategory as $category) {
             $successCat = $this->mSearch->addCategory($category) || $successCat;
         }
     } else {
         $bAllCategoriesChecked = true;
     }
     //FILTERING CITY_AREA
     foreach ($p_sCityArea as $city_area) {
         $this->mSearch->addCityArea($city_area);
     }
     $p_sCityArea = implode(", ", $p_sCityArea);
     //FILTERING CITY
     foreach ($p_sCity as $city) {
         $this->mSearch->addCity($city);
     }
     $p_sCity = implode(", ", $p_sCity);
     //FILTERING REGION
     foreach ($p_sRegion as $region) {
         $this->mSearch->addRegion($region);
     }
     $p_sRegion = implode(", ", $p_sRegion);
     //FILTERING COUNTRY
     foreach ($p_sCountry as $country) {
         $this->mSearch->addCountry($country);
     }
     $p_sCountry = implode(", ", $p_sCountry);
     // FILTERING PATTERN
     if ($p_sPattern != '') {
         $this->mSearch->addPattern($p_sPattern);
         $osc_request['sPattern'] = $p_sPattern;
     } else {
         // hardcoded - if there isn't a search pattern, order by dt_pub_date desc
         if ($p_sOrder == 'relevance') {
             $p_sOrder = 'dt_pub_date';
             foreach ($allowedTypesForSorting as $k => $v) {
                 if ($p_iOrderType == 'desc') {
                     $orderType = $k;
                     break;
                 }
             }
             $p_iOrderType = $orderType;
         }
     }
     // FILTERING USER
     if ($p_sUser != '') {
         $this->mSearch->fromUser($p_sUser);
     }
     // FILTERING LOCALE
     $this->mSearch->addLocale($p_sLocale);
     // FILTERING IF WE ONLY WANT ITEMS WITH PICS
     if ($p_bPic) {
         $this->mSearch->withPicture(true);
     }
     // FILTERING IF WE ONLY WANT PREMIUM ITEMS
     if ($p_bPremium) {
         $this->mSearch->onlyPremium(true);
     }
     //FILTERING BY RANGE PRICE
     $this->mSearch->priceRange($p_sPriceMin, $p_sPriceMax);
     //ORDERING THE SEARCH RESULTS
     $this->mSearch->order($p_sOrder, $allowedTypesForSorting[$p_iOrderType]);
     //SET PAGE
     if ($p_sFeed == 'rss') {
         // If param sFeed=rss, just output last 'osc_num_rss_items()'
         $this->mSearch->page(0, osc_num_rss_items());
     } else {
         $this->mSearch->page($p_iPage, $p_iPageSize);
     }
     // CUSTOM FIELDS
     $custom_fields = Params::getParam('meta');
     $fields = Field::newInstance()->findIDSearchableByCategories($p_sCategory);
     $table = DB_TABLE_PREFIX . 't_item_meta';
     if (is_array($custom_fields)) {
         foreach ($custom_fields as $key => $aux) {
             if (in_array($key, $fields)) {
                 $field = Field::newInstance()->findByPrimaryKey($key);
                 switch ($field['e_type']) {
                     case 'TEXTAREA':
                     case 'TEXT':
                     case 'URL':
                         if ($aux != '') {
                             $aux = "%{$aux}%";
                             $sql = "SELECT fk_i_item_id FROM {$table} WHERE ";
                             $str_escaped = Search::newInstance()->dao->escape($aux);
                             $sql .= $table . '.fk_i_field_id = ' . $key . ' AND ';
                             $sql .= $table . ".s_value LIKE " . $str_escaped;
                             $this->mSearch->addConditions(DB_TABLE_PREFIX . 't_item.pk_i_id IN (' . $sql . ')');
                         }
                         break;
                     case 'DROPDOWN':
                     case 'RADIO':
                         if ($aux != '') {
                             $sql = "SELECT fk_i_item_id FROM {$table} WHERE ";
                             $str_escaped = Search::newInstance()->dao->escape($aux);
                             $sql .= $table . '.fk_i_field_id = ' . $key . ' AND ';
                             $sql .= $table . ".s_value = " . $str_escaped;
                             $this->mSearch->addConditions(DB_TABLE_PREFIX . 't_item.pk_i_id IN (' . $sql . ')');
                         }
                         break;
                     case 'CHECKBOX':
                         if ($aux != '') {
                             $sql = "SELECT fk_i_item_id FROM {$table} WHERE ";
                             $sql .= $table . '.fk_i_field_id = ' . $key . ' AND ';
                             $sql .= $table . ".s_value = 1";
                             $this->mSearch->addConditions(DB_TABLE_PREFIX . 't_item.pk_i_id IN (' . $sql . ')');
                         }
                         break;
                     case 'DATE':
                         if ($aux != '') {
                             $y = (int) date('Y', $aux);
                             $m = (int) date('n', $aux);
                             $d = (int) date('j', $aux);
                             $start = mktime('0', '0', '0', $m, $d, $y);
                             $end = mktime('23', '59', '59', $m, $d, $y);
                             $sql = "SELECT fk_i_item_id FROM {$table} WHERE ";
                             $sql .= $table . '.fk_i_field_id = ' . $key . ' AND ';
                             $sql .= $table . ".s_value >= " . $start . " AND ";
                             $sql .= $table . ".s_value <= " . $end;
                             $this->mSearch->addConditions(DB_TABLE_PREFIX . 't_item.pk_i_id IN (' . $sql . ')');
                         }
                         break;
                     case 'DATEINTERVAL':
                         if (is_array($aux) && (!empty($aux['from']) && !empty($aux['to']))) {
                             $from = $aux['from'];
                             $to = $aux['to'];
                             $start = $from;
                             $end = $to;
                             $sql = "SELECT fk_i_item_id FROM {$table} WHERE ";
                             $sql .= $table . '.fk_i_field_id = ' . $key . ' AND ';
                             $sql .= $start . " >= " . $table . ".s_value AND s_multi = 'from'";
                             $sql1 = "SELECT fk_i_item_id FROM {$table} WHERE ";
                             $sql1 .= $table . ".fk_i_field_id = " . $key . " AND ";
                             $sql1 .= $end . " <= " . $table . ".s_value AND s_multi = 'to'";
                             $sql_interval = "select a.fk_i_item_id from (" . $sql . ") a where a.fk_i_item_id IN (" . $sql1 . ")";
                             $this->mSearch->addConditions(DB_TABLE_PREFIX . 't_item.pk_i_id IN (' . $sql_interval . ')');
                         }
                         break;
                     default:
                         break;
                 }
             }
         }
     }
     osc_run_hook('search_conditions', Params::getParamsAsArray());
     // RETRIEVE ITEMS AND TOTAL
     $key = md5(osc_base_url() . $this->mSearch->toJson());
     $found = null;
     $cache = osc_cache_get($key, $found);
     $aItems = null;
     $iTotalItems = null;
     if ($cache) {
         $aItems = $cache['aItems'];
         $iTotalItems = $cache['iTotalItems'];
     } else {
         $aItems = $this->mSearch->doSearch();
         $iTotalItems = $this->mSearch->count();
         $_cache['aItems'] = $aItems;
         $_cache['iTotalItems'] = $iTotalItems;
         osc_cache_set($key, $_cache, OSC_CACHE_TTL);
     }
     $iStart = $p_iPage * $p_iPageSize;
     $iEnd = min(($p_iPage + 1) * $p_iPageSize, $iTotalItems);
     $iNumPages = ceil($iTotalItems / $p_iPageSize);
     // works with cache enabled ?
     osc_run_hook('search', $this->mSearch);
     //preparing variables...
     $countryName = $p_sCountry;
     if (strlen($p_sCountry) == 2) {
         $c = Country::newInstance()->findByCode($p_sCountry);
         if ($c) {
             $countryName = $c['s_name'];
         }
     }
     $regionName = $p_sRegion;
     if (is_numeric($p_sRegion)) {
         $r = Region::newInstance()->findByPrimaryKey($p_sRegion);
         if ($r) {
             $regionName = $r['s_name'];
         }
     }
     $cityName = $p_sCity;
     if (is_numeric($p_sCity)) {
         $c = City::newInstance()->findByPrimaryKey($p_sCity);
         if ($c) {
             $cityName = $c['s_name'];
         }
     }
     $this->_exportVariableToView('search_start', $iStart);
     $this->_exportVariableToView('search_end', $iEnd);
     $this->_exportVariableToView('search_category', $p_sCategory);
     // hardcoded - non pattern and order by relevance
     $p_sOrder = $old_order;
     $this->_exportVariableToView('search_order_type', $p_iOrderType);
     $this->_exportVariableToView('search_order', $p_sOrder);
     $this->_exportVariableToView('search_pattern', $p_sPattern);
     $this->_exportVariableToView('search_from_user', $p_sUser);
     $this->_exportVariableToView('search_total_pages', $iNumPages);
     $this->_exportVariableToView('search_page', $p_iPage);
     $this->_exportVariableToView('search_has_pic', $p_bPic);
     $this->_exportVariableToView('search_only_premium', $p_bPremium);
     $this->_exportVariableToView('search_country', $countryName);
     $this->_exportVariableToView('search_region', $regionName);
     $this->_exportVariableToView('search_city', $cityName);
     $this->_exportVariableToView('search_price_min', $p_sPriceMin);
     $this->_exportVariableToView('search_price_max', $p_sPriceMax);
     $this->_exportVariableToView('search_total_items', $iTotalItems);
     $this->_exportVariableToView('items', $aItems);
     $this->_exportVariableToView('search_show_as', $p_sShowAs);
     $this->_exportVariableToView('search', $this->mSearch);
     // json
     $json = $this->mSearch->toJson();
     $encoded_alert = base64_encode(osc_encrypt_alert($json));
     // Create the HMAC signature and convert the resulting hex hash into base64
     $stringToSign = osc_get_alert_public_key() . $encoded_alert;
     $signature = hex2b64(hmacsha1(osc_get_alert_private_key(), $stringToSign));
     $server_signature = Session::newInstance()->_set('alert_signature', $signature);
     $this->_exportVariableToView('search_alert', $encoded_alert);
     // calling the view...
     if (count($aItems) === 0) {
         header('HTTP/1.1 404 Not Found');
     }
     osc_run_hook("after_search");
     if (!Params::existParam('sFeed')) {
         $this->doView('search.php');
     } else {
         if ($p_sFeed == '' || $p_sFeed == 'rss') {
             // FEED REQUESTED!
             header('Content-type: text/xml; charset=utf-8');
             $feed = new RSSFeed();
             $feed->setTitle(__('Latest listings added') . ' - ' . osc_page_title());
             $feed->setLink(osc_base_url());
             $feed->setDescription(__('Latest listings added in') . ' ' . osc_page_title());
             if (osc_count_items() > 0) {
                 while (osc_has_items()) {
                     if (osc_count_item_resources() > 0) {
                         osc_has_item_resources();
                         $feed->addItem(array('title' => osc_item_title(), 'link' => htmlentities(osc_item_url(), ENT_COMPAT, "UTF-8"), 'description' => osc_item_description(), 'country' => osc_item_country(), 'region' => osc_item_region(), 'city' => osc_item_city(), 'city_area' => osc_item_city_area(), 'category' => osc_item_category(), 'dt_pub_date' => osc_item_pub_date(), 'image' => array('url' => htmlentities(osc_resource_thumbnail_url(), ENT_COMPAT, "UTF-8"), 'title' => osc_item_title(), 'link' => htmlentities(osc_item_url(), ENT_COMPAT, "UTF-8"))));
                     } else {
                         $feed->addItem(array('title' => osc_item_title(), 'link' => htmlentities(osc_item_url(), ENT_COMPAT, "UTF-8"), 'description' => osc_item_description(), 'country' => osc_item_country(), 'region' => osc_item_region(), 'city' => osc_item_city(), 'city_area' => osc_item_city_area(), 'category' => osc_item_category(), 'dt_pub_date' => osc_item_pub_date()));
                     }
                 }
             }
             osc_run_hook('feed', $feed);
             $feed->dumpXML();
         } else {
             osc_run_hook('feed_' . $p_sFeed, $aItems);
         }
     }
 }
예제 #5
0
파일: mactest.php 프로젝트: prachetas/php
# Three different ways to compute the HMAC in PHP. 
# Since PHP 5.0.12 there is a native method 'hash_hmac', please use this if you can
# For PHP 4, the "Local implementation" may be easiest (but please consider upgrading to PHP5)

$secret = "Kah942*$7sdp0)";
$plaintext = "10000GBP2007-10-20Internet Order 123454aD37dJATestMerchant2007-10-11T11:00:00Z";
# result should be x58ZcRVL1H6y+XSeBGrySJ9ACVo=

# PEAR Crypt_HMAC
# install using "pear install Crypt_HMAC"
require '/usr/share/php/Crypt/HMAC.php';

print "PHP5 native implementation  computed:  "  . base64_encode(hash_hmac('sha1',$plaintext,$secret,true)) . "\n";
print "PEAR Crypt_HMAC             computed:  "  . base64_encode(pack('H*',hmacsha1_pear($secret,$plaintext))) . "\n";
print "Local implementation        computed:  "  . base64_encode(pack('H*',hmacsha1($secret,$plaintext))) . "\n";

function hmacsha1_pear($key,$data) {
	$Crypt_HMAC = new Crypt_HMAC($key, 'sha1');
	return $Crypt_HMAC->hash($data);
}

//Calculate HMAC-SHA1 according to RFC2104
// http://www.ietf.org/rfc/rfc2104.txt
function hmacsha1($key,$data) {
    $blocksize=64;
    $hashfunc='sha1';
    if (strlen($key)>$blocksize)
        $key=pack('H*', $hashfunc($key));
    $key=str_pad($key,$blocksize,chr(0x00));
    $ipad=str_repeat(chr(0x36),$blocksize);
예제 #6
0
    $ipad = str_repeat(chr(0x36), $blocksize);
    $opad = str_repeat(chr(0x5c), $blocksize);
    $hmac = pack('H*', $hashfunc(($key ^ $opad) . pack('H*', $hashfunc(($key ^ $ipad) . $data))));
    return bin2hex($hmac);
}
/*
 * Used to encode a field for Amazon Auth
 * (taken from the Amazon S3 PHP example library)
 */
function hex2b64($str)
{
    $raw = '';
    for ($i = 0; $i < strlen($str); $i += 2) {
        $raw .= chr(hexdec(substr($str, $i, 2)));
    }
    return base64_encode($raw);
}
if (count($argv) != 3) {
    echo "Usage: " . $argv[0] . " <S3 Policy File> <S3 secret key>\n";
    exit(1);
}
$policy = file_get_contents($argv[1]);
$secret = $argv[2];
/*
 * Base64 encode the Policy Document and then
 * create HMAC SHA-1 signature of the base64 encoded policy
 * using the secret key. Finally, encode it for Amazon Authentication.
 */
$base64_policy = base64_encode($policy);
$signature = hex2b64(hmacsha1($secret, $base64_policy));
echo "S3_POLICY=\"" . $base64_policy . "\"\nS3_SIGNATURE=\"" . $signature . "\"\n";
예제 #7
0
function authenticateStream()
{
    global $cfg, $db;
    header('Expires: Mon, 9 Oct 2000 18:00:00 GMT');
    header('Cache-Control: no-store, no-cache, must-revalidate');
    $track_id = get('track_id');
    $stream_id = (int) get('stream_id');
    $sid = get('sid');
    $hash = get('hash');
    $query = mysql_query('SELECT logged_in, idle_time, user_id, ip FROM session WHERE sid = BINARY "' . mysql_real_escape_string($sid) . '"');
    $session = mysql_fetch_assoc($query);
    $query = mysql_query('SELECT access_stream FROM user WHERE user_id = ' . (int) $session['user_id']);
    $user = mysql_fetch_assoc($query);
    if ($session['logged_in'] && $session['idle_time'] + $cfg['session_lifetime'] > time() && $session['ip'] == $_SERVER['REMOTE_ADDR'] && $hash == hmacsha1($cfg['server_seed'], $track_id . $stream_id . $sid) && $user['access_stream']) {
        mysql_query('UPDATE session SET
			idle_time		= ' . (int) time() . ',
			hit_counter		= hit_counter + 1,
			visit_counter	= visit_counter + ' . (time() > $session['idle_time'] + 3600 ? 1 : 0) . '
			WHERE sid		= BINARY "' . mysql_real_escape_string($sid) . '"');
        return true;
    }
    header('HTTP/1.1 403 Forbidden');
    exit;
}
예제 #8
0
파일: users.php 프로젝트: jdeblese/ompd-mod
function updateUser($user_id)
{
    global $cfg, $db;
    authenticate('access_admin', false, true, true);
    $new_username = post('new_username');
    $new_password = post('new_password');
    $chk_password = post('chk_password');
    $access_media = post('access_media') ? 1 : 0;
    $access_popular = post('access_popular') ? 1 : 0;
    $access_favorite = post('access_favorite') ? 1 : 0;
    $access_playlist = post('access_playlist') ? 1 : 0;
    $access_play = post('access_play') ? 1 : 0;
    $access_add = post('access_add') ? 1 : 0;
    $access_stream = post('access_stream') ? 1 : 0;
    $access_download = post('access_download') ? 1 : 0;
    $access_cover = post('access_cover') ? 1 : 0;
    $access_record = post('access_record') ? 1 : 0;
    $access_statistics = post('access_statistics') ? 1 : 0;
    $access_admin = post('access_admin') ? 1 : 0;
    $query = mysql_query('SELECT user_id FROM user WHERE user_id = ' . (int) $user_id);
    if (mysql_fetch_row($query) == false && $user_id != '0') {
        message(__FILE__, __LINE__, 'error', '[b]Error[/b][br]user_id not found in database');
    }
    $query = mysql_query('SELECT user_id FROM user WHERE user_id != ' . (int) $user_id . ' AND username = "******"');
    if (mysql_fetch_row($query)) {
        message(__FILE__, __LINE__, 'warning', '[b]Username already exist[/b][br]Choose another username[br][url=users.php?action=editUser&user_id=' . rawurlencode($user_id) . '][img]small_back.png[/img]Back to previous page[/url]');
    }
    if ($new_password == hmacsha1(hmacsha1('', $cfg['session_seed']), $cfg['session_seed'])) {
        $password_set = false;
    } else {
        $password_set = true;
    }
    if (preg_match('#^[0-9a-f]{40}$#', $new_password) == false) {
        message(__FILE__, __LINE__, 'error', '[b]Password error[/b][br]This is not a valid hash');
    }
    if ($new_password != $chk_password) {
        message(__FILE__, __LINE__, 'warning', '[b]Passwords are not identical[/b][br][url=users.php?action=editUser&user_id=' . rawurlencode($user_id) . '][img]small_back.png[/img]Back to previous page[/url]');
    }
    if (!$password_set && $user_id == '0' && $new_username != $cfg['anonymous_user']) {
        message(__FILE__, __LINE__, 'warning', '[b]Password must be set for a new user[/b][br][url=users.php?action=editUser&user_id=0][img]small_back.png[/img]Back to previous page[/url]');
    }
    if ($new_username == '') {
        message(__FILE__, __LINE__, 'warning', '[b]Username must be set[/b][br][url=users.php?action=editUser&user_id=' . rawurlencode($user_id) . '][img]small_back.png[/img]Back to previous page[/url]');
    }
    if ($access_admin == false) {
        if (checkAdminAcount($user_id) == false) {
            message(__FILE__, __LINE__, 'warning', '[b]There must be at least one user with admin privilege[/b][br][url=users.php?action=editUser&user_id=' . rawurlencode($user_id) . '][img]small_back.png[/img]Back to previous page[/url]');
        }
    }
    if (($password_set || $user_id == '0') && $new_username == $cfg['anonymous_user']) {
        $new_password = hmacsha1(hmacsha1($cfg['anonymous_user'], $cfg['session_seed']), $cfg['session_seed']);
        $password_set = true;
    }
    if ($user_id == '0') {
        mysql_query('INSERT INTO user (username) VALUES ("")');
        $user_id = mysql_insert_id($db);
    }
    if ($password_set) {
        mysql_query('UPDATE user SET
			username			= "******",
			password			= "******",
			seed				= "' . mysql_real_escape_string($cfg['session_seed']) . '",
			version				= 1,
			access_media		= ' . (int) $access_media . ',
			access_popular		= ' . (int) $access_popular . ',
			access_favorite 	= ' . (int) $access_favorite . ',
			access_playlist		= ' . (int) $access_playlist . ',
			access_play			= ' . (int) $access_play . ',
			access_add			= ' . (int) $access_add . ',
			access_stream		= ' . (int) $access_stream . ',
			access_download 	= ' . (int) $access_download . ',
			access_cover		= ' . (int) $access_cover . ',
			access_record		= ' . (int) $access_record . ',
			access_statistics	= ' . (int) $access_statistics . ',
			access_admin		= ' . (int) $access_admin . '
			WHERE user_id		= ' . (int) $user_id);
        mysql_query('UPDATE session
			SET logged_in	= 0
			WHERE user_id	= ' . (int) $user_id);
    } else {
        mysql_query('UPDATE user SET
			username			= "******",
			access_media		= ' . (int) $access_media . ',
			access_popular		= ' . (int) $access_popular . ',
			access_favorite		= ' . (int) $access_favorite . ',
			access_playlist		= ' . (int) $access_playlist . ',
			access_play			= ' . (int) $access_play . ',
			access_add			= ' . (int) $access_add . ',
			access_stream		= ' . (int) $access_stream . ',
			access_download 	= ' . (int) $access_download . ',
			access_cover		= ' . (int) $access_cover . ',
			access_record		= ' . (int) $access_record . ',
			access_statistics	= ' . (int) $access_statistics . ',
			access_admin		= ' . (int) $access_admin . '
			WHERE user_id		= ' . (int) $user_id);
    }
}
/*

//* overlay   plugin 1.0

예제 #10
0
파일: view.edit.php 프로젝트: hisapi/his
     $s3keystart = $GLOBALS['settings']['s3']['paths']['job-input']['@attributes']['value'];
     $s3acl = $GLOBALS['settings']['s3']['upload']['default-acl']['@attributes']['value'];
     $aws_secret_access_key = $GLOBALS['settings']['s3']['secret-key']['@attributes']['value'];
     $aws_access_key = $GLOBALS['settings']['s3']['access-key']['@attributes']['value'];
     $s3timestamp = $GLOBALS['settings']['s3']['file-expiration']['@attributes']['value'];
     $s3filename = $s3keystart . "/" . sha1(time() . $qn) . ".\${filename}";
     //what extension to use?
     //$s3redirect=str_replace("{uri}",$this_server_url,$s3redirect);
     //$s3redirect=str_replace("{qid}",$qn,$s3redirect);
     $policy_doc = "{'expiration': '{$s3timestamp}','conditions': [ {'bucket': '{$s3bucket}'},['starts-with', '\$key', '{$s3keystart}'],{'acl': '{$s3acl}'},{'success_action_redirect': '{$s3redirect}'},['starts-with', '\$Content-Type', ''],['content-length-range', 0, 104857600000]]}";
     $policy_doc_encoded = base64_encode($policy_doc);
     //echo $policy_doc."<br/>";
     //$signature = urlencode(base64_encode(hash_hmac("sha1",utf8_encode($policy_doc_encoded),$aws_secret_access_key,true)));
     //$signature = (base64_encode(hash_hmac("sha1",($policy_doc_encoded),$aws_secret_access_key)));
     //$signature = base64_encode(hash_hmac('sha256', $policy_doc, $aws_secret_access_key, true));
     $signature = hex2b64(hmacsha1($aws_secret_access_key, $policy_doc_encoded));
     //echo $signature."<br/>";
     echo "<form style='display:inline;' action='https://{$s3bucket}.s3.amazonaws.com/' method='post' enctype='multipart/form-data'>";
     echo "<input type='hidden' name='key' value='{$s3filename}'>";
     echo "<input type='hidden' name='AWSAccessKeyId' value='{$aws_access_key}'>";
     echo "<input type='hidden' name='acl' value='{$s3acl}'>";
     echo "<input type='hidden' name='success_action_redirect' value='{$s3redirect}'>";
     echo "<input type='hidden' name='policy' value='{$policy_doc_encoded}'>";
     echo "<input type='hidden' name='signature' value='{$signature}'>";
     echo "<input type='hidden' name='Content-Type' value='application/octet-stream'>";
     echo "<input name='file' value='Browse...' type='file' style='background-color:" . rcolor() . ";display:inline;'><input type='submit' value='";
     echo getTranslation("Start File Upload", $settings);
     echo "' style='background-color:" . rcolor() . ";display:inline;'>";
     echo "</form>";
 } else {
     echo getTranslation("Not available in demo", $settings);
예제 #11
0
function randomHex()
{
    ob_start();
    phpinfo();
    $data = ob_get_contents();
    ob_end_clean();
    return hmacsha1(uniqid('', true), $data);
}
예제 #12
0
 function euplatesc_mac($data, $key)
 {
     $str = NULL;
     foreach ($data as $d) {
         if ($d === NULL || strlen($d) == 0) {
             $str .= '-';
         } else {
             $str .= strlen($d) . $d;
         }
     }
     $key = pack('H*', $key);
     // convertim codul secret intr-un string binar
     return hmacsha1($key, $str);
 }
예제 #13
0
파일: hmac.php 프로젝트: exavolt/fsrv
function sign_hmacsha1($key, $data)
{
    return base64_encode(hmacsha1($key, $data));
}
예제 #14
0
 function decode_url($url)
 {
     //        return str_replace(array('&amp;', '&#38;'), '&', base64_decode(rawurldecode($url)));
     // We extract the SHA1 and the URL.
     $s = rawurldecode($url);
     $hmac = substr($s, 0, 40);
     $encrypted_url = substr($s, 40, strlen($s) - 40);
     // Make sure hmac is correct
     if ($hmac != hmacsha1($_SESSION['randomkey'], $encrypted_url)) {
         echo "Wrong hmac.";
         exit;
         // Violent, but effective.
     }
     // Decrypt the URL:
     $cleartext_url = XORDecrypt64($encrypted_url, $_SESSION['randomkey']);
     return str_replace(array('&amp;', '&#38;'), '&', $cleartext_url);
     // --- SSE end
 }
예제 #15
0
파일: ajax.php 프로젝트: oanav/closetshare
 function doModel()
 {
     //specific things for this class
     switch ($this->action) {
         case 'bulk_actions':
             break;
         case 'regions':
             //Return regions given a countryId
             $regions = Region::newInstance()->findByCountry(Params::getParam("countryId"));
             echo json_encode($regions);
             break;
         case 'cities':
             //Returns cities given a regionId
             $cities = City::newInstance()->findByRegion(Params::getParam("regionId"));
             echo json_encode($cities);
             break;
         case 'location':
             // This is the autocomplete AJAX
             $cities = City::newInstance()->ajax(Params::getParam("term"));
             foreach ($cities as $k => $city) {
                 $cities[$k]['label'] = $city['label'] . " (" . $city['region'] . ")";
             }
             echo json_encode($cities);
             break;
         case 'location_countries':
             // This is the autocomplete AJAX
             $countries = Country::newInstance()->ajax(Params::getParam("term"));
             echo json_encode($countries);
             break;
         case 'location_regions':
             // This is the autocomplete AJAX
             $regions = Region::newInstance()->ajax(Params::getParam("term"), Params::getParam("country"));
             echo json_encode($regions);
             break;
         case 'location_cities':
             // This is the autocomplete AJAX
             $cities = City::newInstance()->ajax(Params::getParam("term"), Params::getParam("region"));
             echo json_encode($cities);
             break;
         case 'delete_image':
             // Delete images via AJAX
             $ajax_photo = Params::getParam('ajax_photo');
             $id = Params::getParam('id');
             $item = Params::getParam('item');
             $code = Params::getParam('code');
             $secret = Params::getParam('secret');
             $json = array();
             if ($ajax_photo != '') {
                 $files = Session::newInstance()->_get('ajax_files');
                 $success = false;
                 foreach ($files as $uuid => $file) {
                     if ($file == $ajax_photo) {
                         $filename = $files[$uuid];
                         unset($files[$uuid]);
                         Session::newInstance()->_set('ajax_files', $files);
                         $success = @unlink(osc_content_path() . 'uploads/temp/' . $filename);
                         break;
                     }
                 }
                 echo json_encode(array('success' => $success, 'msg' => $success ? _m('The selected photo has been successfully deleted') : _m("The selected photo couldn't be deleted")));
                 return false;
             }
             if (Session::newInstance()->_get('userId') != '') {
                 $userId = Session::newInstance()->_get('userId');
                 $user = User::newInstance()->findByPrimaryKey($userId);
             } else {
                 $userId = null;
                 $user = null;
             }
             // Check for required fields
             if (!(is_numeric($id) && is_numeric($item) && preg_match('/^([a-z0-9]+)$/i', $code))) {
                 $json['success'] = false;
                 $json['msg'] = _m("The selected photo couldn't be deleted, the url doesn't exist");
                 echo json_encode($json);
                 return false;
             }
             $aItem = Item::newInstance()->findByPrimaryKey($item);
             // Check if the item exists
             if (count($aItem) == 0) {
                 $json['success'] = false;
                 $json['msg'] = _m("The listing doesn't exist");
                 echo json_encode($json);
                 return false;
             }
             if (!osc_is_admin_user_logged_in()) {
                 // Check if the item belong to the user
                 if ($userId != null && $userId != $aItem['fk_i_user_id']) {
                     $json['success'] = false;
                     $json['msg'] = _m("The listing doesn't belong to you");
                     echo json_encode($json);
                     return false;
                 }
                 // Check if the secret passphrase match with the item
                 if ($userId == null && $aItem['fk_i_user_id'] == null && $secret != $aItem['s_secret']) {
                     $json['success'] = false;
                     $json['msg'] = _m("The listing doesn't belong to you");
                     echo json_encode($json);
                     return false;
                 }
             }
             // Does id & code combination exist?
             $result = ItemResource::newInstance()->existResource($id, $code);
             if ($result > 0) {
                 $resource = ItemResource::newInstance()->findByPrimaryKey($id);
                 if ($resource['fk_i_item_id'] == $item) {
                     // Delete: file, db table entry
                     if (defined(OC_ADMIN)) {
                         osc_deleteResource($id, true);
                         Log::newInstance()->insertLog('ajax', 'deleteimage', $id, $id, 'admin', osc_logged_admin_id());
                     } else {
                         osc_deleteResource($id, false);
                         Log::newInstance()->insertLog('ajax', 'deleteimage', $id, $id, 'user', osc_logged_user_id());
                     }
                     ItemResource::newInstance()->delete(array('pk_i_id' => $id, 'fk_i_item_id' => $item, 's_name' => $code));
                     $json['msg'] = _m('The selected photo has been successfully deleted');
                     $json['success'] = 'true';
                 } else {
                     $json['msg'] = _m("The selected photo does not belong to you");
                     $json['success'] = 'false';
                 }
             } else {
                 $json['msg'] = _m("The selected photo couldn't be deleted");
                 $json['success'] = 'false';
             }
             echo json_encode($json);
             return true;
             break;
         case 'alerts':
             // Allow to register to an alert given (not sure it's used on admin)
             $encoded_alert = Params::getParam("alert");
             $alert = osc_decrypt_alert(base64_decode($encoded_alert));
             // check alert integrity / signature
             $stringToSign = osc_get_alert_public_key() . $encoded_alert;
             $signature = hex2b64(hmacsha1(osc_get_alert_private_key(), $stringToSign));
             $server_signature = Session::newInstance()->_get('alert_signature');
             if ($server_signature != $signature) {
                 echo '-2';
                 return false;
             }
             $email = Params::getParam("email");
             $userid = Params::getParam("userid");
             if (osc_is_web_user_logged_in()) {
                 $userid = osc_logged_user_id();
                 $user = User::newInstance()->findByPrimaryKey($userid);
                 $email = $user['s_email'];
             }
             if ($alert != '' && $email != '') {
                 if (osc_validate_email($email)) {
                     $secret = osc_genRandomPassword();
                     if ($alertID = Alerts::newInstance()->createAlert($userid, $email, $alert, $secret)) {
                         if ((int) $userid > 0) {
                             $user = User::newInstance()->findByPrimaryKey($userid);
                             if ($user['b_active'] == 1 && $user['b_enabled'] == 1) {
                                 Alerts::newInstance()->activate($alertID);
                                 echo '1';
                                 return true;
                             } else {
                                 echo '-1';
                                 return false;
                             }
                         } else {
                             $aAlert = Alerts::newInstance()->findByPrimaryKey($alertID);
                             osc_run_hook('hook_email_alert_validation', $aAlert, $email, $secret);
                         }
                         echo "1";
                     } else {
                         echo "0";
                     }
                     return true;
                 } else {
                     echo '-1';
                     return false;
                 }
             }
             echo '0';
             return false;
             break;
         case 'runhook':
             // run hooks
             $hook = Params::getParam('hook');
             if ($hook == '') {
                 echo json_encode(array('error' => 'hook parameter not defined'));
                 break;
             }
             switch ($hook) {
                 case 'item_form':
                     osc_run_hook('item_form', Params::getParam('catId'));
                     break;
                 case 'item_edit':
                     $catId = Params::getParam("catId");
                     $itemId = Params::getParam("itemId");
                     osc_run_hook("item_edit", $catId, $itemId);
                     break;
                 default:
                     osc_run_hook('ajax_' . $hook);
                     break;
             }
             break;
         case 'custom':
             // Execute via AJAX custom file
             if (Params::existParam('route')) {
                 $routes = Rewrite::newInstance()->getRoutes();
                 $rid = Params::getParam('route');
                 $file = '../';
                 if (isset($routes[$rid]) && isset($routes[$rid]['file'])) {
                     $file = $routes[$rid]['file'];
                 }
             } else {
                 // DEPRECATED: Disclosed path in URL is deprecated, use routes instead
                 // This will be REMOVED in 3.4
                 $file = Params::getParam('ajaxfile');
             }
             if ($file == '') {
                 echo json_encode(array('error' => 'no action defined'));
                 break;
             }
             // valid file?
             if (strpos($file, '../') !== false || strpos($file, '..\\') !== false || stripos($file, '/admin/') !== false) {
                 //If the file is inside an "admin" folder, it should NOT be opened in frontend
                 echo json_encode(array('error' => 'no valid ajaxFile'));
                 break;
             }
             if (!file_exists(osc_plugins_path() . $file)) {
                 echo json_encode(array('error' => "ajaxFile doesn't exist"));
                 break;
             }
             require_once osc_plugins_path() . $file;
             break;
         case 'check_username_availability':
             $username = osc_sanitize_username(Params::getParam('s_username'));
             if (!osc_is_username_blacklisted($username)) {
                 $user = User::newInstance()->findByUsername($username);
                 if (isset($user['s_username'])) {
                     echo json_encode(array('exists' => 1, 's_username' => $username));
                 } else {
                     echo json_encode(array('exists' => 0, 's_username' => $username));
                 }
             } else {
                 echo json_encode(array('exists' => 1, 's_username' => $username));
             }
             break;
         case 'ajax_upload':
             // Include the uploader class
             require_once LIB_PATH . "AjaxUploader.php";
             $uploader = new AjaxUploader();
             $original = pathinfo($uploader->getOriginalName());
             $filename = uniqid("qqfile_") . "." . $original['extension'];
             $result = $uploader->handleUpload(osc_content_path() . 'uploads/temp/' . $filename);
             $result['uploadName'] = $filename;
             echo htmlspecialchars(json_encode($result), ENT_NOQUOTES);
             break;
         case 'ajax_validate':
             $id = Params::getParam('id');
             if (!is_numeric($id)) {
                 echo json_encode(array('success' => false));
                 die;
             }
             $secret = Params::getParam('secret');
             $item = Item::newInstance()->findByPrimaryKey($id);
             if ($item['s_secret'] != $secret) {
                 echo json_encode(array('success' => false));
                 die;
             }
             $nResources = ItemResource::newInstance()->countResources($id);
             $result = array('success' => $nResources < osc_max_images_per_item(), 'count' => $nResources);
             echo json_encode($result);
             break;
         case 'delete_ajax_upload':
             $files = Session::newInstance()->_get('ajax_files');
             $success = false;
             $filename = '';
             if (isset($files[Params::getParam('qquuid')]) && $files[Params::getParam('qquuid')] != '') {
                 $filename = $files[Params::getParam('qquuid')];
                 unset($files[Params::getParam('qquuid')]);
                 Session::newInstance()->_set('ajax_files', $files);
                 $success = @unlink(osc_content_path() . 'uploads/temp/' . $filename);
             }
             echo json_encode(array('success' => $success, 'uploadName' => $filename));
             break;
         default:
             echo json_encode(array('error' => __('no action defined')));
             break;
     }
     // clear all keep variables into session
     Session::newInstance()->_dropKeepForm();
     Session::newInstance()->_clearVariables();
 }
예제 #16
0
    public function check($access, $cache = false, $validate_sign = false, $disable_counter = false)
    {
        global $cfg;
        if ($cache == false && headers_sent() == false) {
            header('Expires: Mon, 9 Oct 2000 18:00:00 GMT');
            header('Cache-Control: no-store, no-cache, must-revalidate');
        }
        $sid = $this->app->getCookie('netjukebox_sid');
        $authenticate = $this->app->request->params('authenticate');
        $result = $this->app->db->query('
			SELECT logged_in, user_id, idle_time,
			    ip, user_agent, sign, seed, skin,
				random_blacklist, thumbnail, thumbnail_size,
				stream_id, download_id, player_id
			FROM session
			WHERE sid = BINARY "' . $this->app->db->real_escape_string($sid) . '"');
        $session = $result->fetch_assoc();
        //setSkin($session['skin']);
        // Validate login
        if ($authenticate == 'validate') {
            $username = $this->app->request->post('username');
            $hash1 = $this->app->request->post('hash1');
            $hash2 = $this->app->request->post('hash2');
            $sign = $this->app->request->post('sign');
            if ($session['ip'] == '') {
                message(__FILE__, __LINE__, 'error', '[b]Login failed[/b][br]netjukebox requires cookies to login.[br]Enable cookies in your browser and try again.[br][url=index.php][img]small_login.png[/img]login[/url]');
            }
            if ($session['ip'] != $_SERVER['REMOTE_ADDR']) {
                message(__FILE__, __LINE__, 'error', '[b]Login failed[/b][br]Unexpected IP address[br][url=index.php][img]small_login.png[/img]login[/url]');
            }
            $query = mysql_query('SELECT ' . (string) round(microtime(true) * 1000) . ' - pre_login_time AS login_delay FROM session WHERE ip = "' . mysql_real_escape_string($_SERVER['REMOTE_ADDR']) . '" ORDER BY pre_login_time DESC LIMIT 1');
            $ip = mysql_fetch_assoc($query);
            $query = mysql_query('SELECT password, seed, version, user_id FROM user WHERE username = "******"');
            $user = mysql_fetch_assoc($query);
            $user_id = $user['user_id'];
            if (($user['version'] == 0 && $user['password'] == sha1($hash1) || $user['version'] == 1 && $user['password'] == hmacsha1($hash1, $user['seed'])) && preg_match('#^[0-9a-f]{40}$#', $hash1) && preg_match('#^[0-9a-f]{40}$#', $hash2) && ($username == $cfg['anonymous_user'] && $hash2 == hmacsha1(hmacsha1($cfg['anonymous_user'], $session['seed']), $session['seed']) || $username != $cfg['anonymous_user'] && $hash2 != hmacsha1(hmacsha1('', $session['seed']), $session['seed'])) && $ip['login_delay'] > $cfg['login_delay'] && $session['user_agent'] == substr($_SERVER['HTTP_USER_AGENT'], 0, 255) && $session['sign'] == $sign) {
                mysql_query('UPDATE user SET
					password		= "******",
					seed			= "' . mysql_real_escape_string($session['seed']) . '",
					version			= 1
					WHERE username	= "******"');
                $sign = randomKey();
                $sid = randomKey();
                mysql_query('UPDATE session SET
					logged_in		= 1,
					user_id			= ' . (int) $user_id . ',
					login_time		= ' . (int) time() . ',
					idle_time		= ' . (int) time() . ',
					sid				= "' . mysql_real_escape_string($sid) . '",
					sign			= "' . mysql_real_escape_string($sign) . '",
					hit_counter		= hit_counter + ' . ($disable_counter ? 0 : 1) . ',
					visit_counter	= visit_counter + ' . (time() > $session['idle_time'] + 3600 ? 1 : 0) . '
					WHERE sid		= BINARY "' . mysql_real_escape_string(cookie('netjukebox_sid')) . '"');
                setcookie('netjukebox_sid', $sid, time() + 31536000, null, null, NJB_HTTPS, true);
                @ob_flush();
                flush();
            } else {
                logoutSession();
            }
        } else {
            // Validate current session
            $user_id = $session['user_id'];
            if ($session['logged_in'] && $session['ip'] == $_SERVER['REMOTE_ADDR'] && $session['user_agent'] == substr($_SERVER['HTTP_USER_AGENT'], 0, 255) && $session['idle_time'] + $cfg['session_lifetime'] > time()) {
                mysql_query('UPDATE session SET
					idle_time		= ' . (int) time() . ',
					hit_counter		= hit_counter + ' . ($disable_counter ? 0 : 1) . ',
					visit_counter	= visit_counter + ' . (time() > $session['idle_time'] + 3600 ? 1 : 0) . '
					WHERE sid		= BINARY "' . mysql_real_escape_string($sid) . '"');
            } elseif ($access == 'access_always') {
                $cfg['access_media'] = false;
                $cfg['access_popular'] = false;
                $cfg['access_favorite'] = false;
                $cfg['access_cover'] = false;
                $cfg['access_stream'] = false;
                $cfg['access_download'] = false;
                $cfg['access_playlist'] = false;
                $cfg['access_play'] = false;
                $cfg['access_add'] = false;
                $cfg['access_record'] = false;
                $cfg['access_statistics'] = false;
                $cfg['access_admin'] = false;
                return true;
            } else {
                $app->ll->str('böla');
                logoutSession();
            }
        }
        // Username & user privalages
        unset($cfg['username']);
        $query = mysql_query('SELECT
			username,
			access_media,
			access_popular,
			access_favorite,
			access_cover,
			access_stream,
			access_download,
			access_playlist,
			access_play,
			access_add,
			access_record,
			access_statistics,
			access_admin
			FROM user
			WHERE user_id = ' . (int) $user_id);
        $cfg += mysql_fetch_assoc($query);
        // Validate privilege
        $access_validated = false;
        if (is_array($access)) {
            foreach ($access as $value) {
                if (isset($cfg[$value]) && $cfg[$value]) {
                    $access_validated = true;
                }
            }
        } elseif (isset($cfg[$access]) && $cfg[$access]) {
            $access_validated = true;
        } elseif ($access == 'access_logged_in') {
            $access_validated = true;
        } elseif ($access == 'access_always') {
            $access_validated = true;
        }
        if ($access_validated == false) {
            message(__FILE__, __LINE__, 'warning', '[b]You have no privilege to access this page[/b][br][url=index.php?authenticate=logout][img]small_login.png[/img]Login as another user[/url]');
        }
        // Validate signature
        if ($cfg['sign_validated'] == false && ($validate_sign || $authenticate == 'logoutAllSessions' || $authenticate == 'logoutSession')) {
            $cfg['sign'] = randomKey();
            mysql_query('UPDATE session
				SET	sign		= "' . mysql_real_escape_string($cfg['sign']) . '"
				WHERE sid		= BINARY "' . mysql_real_escape_string($sid) . '"');
            if ($session['sign'] == getpost('sign')) {
                $cfg['sign_validated'] = true;
            } else {
                message(__FILE__, __LINE__, 'error', '[b]Signature expired[/b]');
            }
        } else {
            $cfg['sign'] = $session['sign'];
        }
        // Logout
        if ($authenticate == 'logout' && $cfg['username'] != $cfg['anonymous_user']) {
            $query = mysql_query('SELECT user_id FROM session
				WHERE logged_in
				AND user_id		= ' . (int) $user_id . '
				AND idle_time	> ' . (int) (time() - $cfg['session_lifetime']));
            if (mysql_affected_rows($db) > 1) {
                logoutMenu();
            } else {
                logoutSession();
            }
        } elseif ($authenticate == 'logoutAllSessions' && $cfg['username'] != $cfg['anonymous_user']) {
            mysql_query('UPDATE session
				SET logged_in	= 0
				WHERE user_id	= ' . (int) $user_id);
            logoutSession();
        } elseif ($authenticate == 'logoutSession' || $authenticate == 'logout') {
            logoutSession();
        }
        $cfg['user_id'] = $user_id;
        $cfg['sid'] = $sid;
        $cfg['session_seed'] = $session['seed'];
        $cfg['random_blacklist'] = $session['random_blacklist'];
        //$cfg['thumbnail']			= $session['thumbnail'];
        $cfg['thumbnail'] = 1;
        //$cfg['thumbnail_size']		= $session['thumbnail_size'];
        $cfg['thumbnail_size'] = 100;
        $cfg['stream_id'] = isset($cfg['encode_extension'][$session['stream_id']]) ? $session['stream_id'] : -1;
        $cfg['download_id'] = isset($cfg['encode_extension'][$session['download_id']]) ? $session['download_id'] : -1;
        $cfg['player_id'] = $session['player_id'];
    }
예제 #17
0
파일: json.php 프로젝트: jdeblese/ompd-mod
function loginStage1()
{
    global $cfg, $db;
    header('Expires: Mon, 9 Oct 2000 18:00:00 GMT');
    header('Cache-Control: no-store, no-cache, must-revalidate');
    $sid = cookie('netjukebox_sid');
    $username = post('username');
    $sign = post('sign');
    $query = mysql_query('SELECT seed FROM user WHERE username = "******"');
    $user = mysql_fetch_assoc($query);
    $query = mysql_query('SELECT ip, seed, sign FROM session WHERE sid = BINARY "' . mysql_real_escape_string($sid) . '"');
    $session = mysql_fetch_assoc($query);
    if ($session['ip'] == '') {
        message(__FILE__, __LINE__, 'error', '[b]Login failed[/b][br]netjukebox requires cookies to login.[br]Enable cookies in your browser and try again.[br][url=index.php][img]small_login.png[/img]login[/url]');
    }
    if ($session['ip'] != $_SERVER['REMOTE_ADDR']) {
        message(__FILE__, __LINE__, 'error', '[b]Login failed[/b][br]Unexpected IP address[br][url=index.php][img]small_login.png[/img]login[/url]');
    }
    if (hmacsha1($cfg['server_seed'], $session['sign']) == $sign) {
        $sign = randomKey();
        mysql_query('UPDATE session
			SET	sign		= "' . mysql_real_escape_string($sign) . '",
			pre_login_time	= ' . (string) round(microtime(true) * 1000) . '
			WHERE sid		= BINARY "' . mysql_real_escape_string($sid) . '"');
    } else {
        // login will fail!
        $sign = randomKey();
    }
    // Always calculate fake seed to prevent script execution time differences
    $fake_seed = substr(hmacsha1($cfg['server_seed'], $username . 'NeZlFgqDoh9hc-BkczryQFIcpoBng3I_vXaWtOKS'), 0, 30);
    $fake_seed .= substr(hmacsha1($cfg['server_seed'], $username . 'g-FE6H0MJ1n0lNo2D7XLachV8WE-xmEcwsXNZqlQ'), 0, 30);
    $fake_seed = base64_encode(pack('H*', $fake_seed));
    $fake_seed = str_replace('+', '-', $fake_seed);
    // modified Base64 for URL
    $fake_seed = str_replace('/', '_', $fake_seed);
    $data = array();
    $data['user_seed'] = $user['seed'] == '' ? $fake_seed : $user['seed'];
    $data['session_seed'] = $session['seed'];
    $data['sign'] = $sign;
    echo safe_json_encode($data);
}