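<?php
// Dispatches to the feed-options handler selected by the "type" request field.
// The included handler reads $type, $table and $data from this scope, so those
// variable names are part of its contract and must not be renamed.

// cleanFile() strips directory components so the include below cannot escape
// admin/ajax/developer/feed-options/. Default to "" so a missing field does not
// hand null to string functions.
$type = BigTree::cleanFile(isset($_POST["type"]) ? $_POST["type"] : "");

// NOTE(review): $table is handed to the included handler unvalidated; the handler
// must escape/whitelist it before using it as an SQL identifier -- confirm against
// the feed-options scripts.
$table = isset($_POST["table"]) ? $_POST["table"] : null;

// Raw CR/LF inside the posted JSON would be invalid inside string literals, so
// they are turned into \r and \n escape sequences before decoding. A missing or
// invalid payload leaves $data === null; json_decode() does not throw here.
$raw_data = isset($_POST["data"]) ? $_POST["data"] : "";
$data = json_decode(str_replace(array("\r", "\n"), array('\\r', '\\n'), $raw_data), true);

$path = BigTree::path("admin/ajax/developer/feed-options/{$type}.php");

// Unknown or empty types are silently ignored rather than reported.
if ($type !== "" && file_exists($path)) {
    include $path;
}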
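function store($local_file, $file_name, $relative_path, $remove_original = true, $prefixes = array()) {
    // Stores an uploaded/temporary file under $relative_path, either in the configured
    // cloud container or under SITE_ROOT, picking a name that does not collide with
    // existing files (or their $prefixes variants, e.g. thumbnail prefixes).
    //
    // Returns the "{staticroot}"-relative path for local storage, the upload result
    // for cloud storage, or false when the extension is disabled or the write fails.
    // Sets $this->DisabledFileError when the extension is rejected.

    // Strip directory components so the caller-supplied name cannot write outside the target directory
    $file_name = BigTree::cleanFile($file_name);

    // Refuse disabled (e.g. executable) extensions before anything else touches the file.
    // The temp file is removed so a rejected upload never lingers on disk.
    if (preg_match($this->DisabledExtensionRegEx, $file_name)) {
        $this->DisabledFileError = true;
        unlink($local_file);
        return false;
    }

    // May rewrite the name to a .jpg when PNG->JPEG conversion is enabled
    $file_name = $this->convertJPEG($local_file, $file_name);

    // Normalize to exactly one trailing slash; an empty path means "files/".
    // NOTE(review): $relative_path is not passed through cleanFile(), so it must come
    // from trusted code rather than request input -- confirm at the call sites.
    $relative_path = $relative_path ? rtrim($relative_path, "/") . "/" : "files/";

    if (!$this->Cloud) {
        // Local storage: the helper resolves collisions (including prefixed variants) for us
        $safe_name = BigTree::getAvailableFileName(SITE_ROOT . $relative_path, $file_name, $prefixes);
        $destination = SITE_ROOT . $relative_path . $safe_name;
        $success = $remove_original
            ? BigTree::moveFile($local_file, $destination)
            : BigTree::copyFile($local_file, $destination);
        return $success ? "{staticroot}" . $relative_path . $safe_name : false;
    }

    // Cloud storage: build a URL-safe name, capped at 50 characters before the extension
    global $cms;
    $parts = BigTree::pathInfo($file_name);
    $clean_name = $cms->urlify($parts["filename"]);
    if (strlen($clean_name) > 50) {
        $clean_name = substr($clean_name, 0, 50);
    }
    $extension = strtolower($parts["extension"]);

    // Try "name.ext", then "name-2.ext", "name-3.ext", ... until neither the candidate
    // nor any prefixed variant of it is recorded in the cloud file cache. Unlike the
    // previous implementation, the first candidate is checked against the prefixes too,
    // so a collision with an existing prefixed file is no longer missed.
    $x = 1;
    do {
        $file_name = ($x === 1)
            ? $clean_name . "." . $extension
            : $clean_name . "-{$x}." . $extension;
        $x++;

        $conditions = array("`key` = '" . sqlescape($relative_path . $file_name) . "'");
        if (is_array($prefixes)) {
            foreach ($prefixes as $prefix) {
                $conditions[] = "`key` = '" . sqlescape($relative_path . $prefix . $file_name) . "'";
            }
        }
        // Every key is passed through sqlescape(); the query is built from escaped literals only
        $taken = sqlrows(sqlquery(
            "SELECT `timestamp` FROM bigtree_caches WHERE `identifier` = 'org.bigtreecms.cloudfiles' AND (" .
            implode(" OR ", $conditions) . ")"
        ));
    } while ($taken);

    // Upload it and, on success, record the object in the cache table so later stores see it
    $cloud_key = $relative_path . $file_name;
    $success = $this->Cloud->uploadFile($local_file, $this->Settings->Container, $cloud_key, true);
    if ($success) {
        $meta = json_encode(array(
            "name" => $file_name,
            "path" => $cloud_key,
            "size" => filesize($local_file),
        ));
        sqlquery(
            "INSERT INTO bigtree_caches (`identifier`,`key`,`value`) VALUES ('org.bigtreecms.cloudfiles','" .
            sqlescape($cloud_key) . "','" . sqlescape($meta) . "')"
        );
    }

    if ($remove_original) {
        unlink($local_file);
    }

    return $success;
}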
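static function drawField($field) {
    // Renders one admin form field: resolves the field type's draw template from the
    // (sanitized) type name and includes it, wrapped in a <fieldset>/<label> unless the
    // type is registered as self-drawing. $admin, $bigtree and $cms are pulled in as
    // globals because the included template runs in this function's scope and uses them.
    global $admin, $bigtree, $cms;

    // Give the field a unique DOM id within the current form
    $bigtree["field_counter"]++;
    $field["id"] = $bigtree["field_namespace"] . $bigtree["field_counter"];

    // Make sure options is an array so the lookups below do not raise notices
    if (!isset($field["options"]) || !is_array($field["options"])) {
        $field["options"] = array();
    }

    // A validation rule containing "required" marks the label and the field
    $label_validation_class = "";
    $field["required"] = false;
    if (!empty($field["options"]["validation"]) && strpos($field["options"]["validation"], "required") !== false) {
        $label_validation_class = ' class="required"';
        $field["required"] = true;
    }

    // Strip directory components so a crafted type cannot pull in files outside the
    // field-type directories. Guard a missing key so cleanFile() never receives null.
    $field["type"] = BigTree::cleanFile(isset($field["type"]) ? $field["type"] : "");
    if (strpos($field["type"], "*") !== false) {
        // "extension*type" addresses a field type shipped by an extension; both halves
        // come from the cleaned string, so each is a single path component.
        list($extension, $field_type) = explode("*", $field["type"]);
        $field_type_path = SERVER_ROOT . "extensions/{$extension}/field-types/{$field_type}/draw.php";
    } else {
        $field_type_path = BigTree::path("admin/form-field-types/draw/" . $field["type"] . ".php");
    }

    // Unknown types draw nothing and leave last_resource_type untouched
    if (!file_exists($field_type_path)) {
        return;
    }

    if (!empty($bigtree["field_types"][$field["type"]]["self_draw"])) {
        // Self-drawing types render their own markup, fieldset included
        include $field_type_path;
    } else {
        ?>
        <fieldset<?php if (!empty($field["matrix_title_field"])) { ?> class="matrix_title_field"<?php } ?>>
            <?php if (!empty($field["title"]) && $field["type"] != "checkbox") { ?>
                <label<?php echo $label_validation_class; ?>>
                    <?php
                    // NOTE(review): title/subtitle are echoed unescaped. They come from the
                    // form definition rather than the request here; if they can ever be
                    // user-supplied, wrap them in htmlspecialchars().
                    echo $field["title"];
                    if (!empty($field["subtitle"])) {
                        ?><small><?php echo $field["subtitle"]; ?></small><?php
                    }
                    ?>
                </label>
            <?php } ?>
            <?php include $field_type_path; ?>
        </fieldset>
        <?php
        $bigtree["tabindex"]++;
    }

    $bigtree["last_resource_type"] = $field["type"];
}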
</section> <footer> <a class="button blue" href="<?php echo $page_link . $page_vars; ?> ">Try Again</a> <a class="button" href="<?php echo DEVELOPER_ROOT; ?> extensions/">Return to Extensions List</a> </footer> </div> <?php } else { // Save original manifest, prevent path manipulation $id = BigTree::cleanFile($_GET["id"]); $original_manifest = json_decode(file_get_contents(SERVER_ROOT . "extensions/{$id}/manifest.json"), true); // Very simple if we're updating locally if ($updater->Method == "Local") { $updater->installLocal(); $installed = true; // If we're using FTP or SFTP we have to make sure we know where the files exist } else { // If we had to set a directory path we lost the POST if (!count($_POST)) { $_POST = $_SESSION["bigtree_admin"]["ftp"]; } // Try to login if (!$updater->ftpLogin($_POST["username"], $_POST["password"])) { $admin->growl("Developer", "Login Failed", "error"); BigTree::redirect(DEVELOPER_ROOT . "extensions/upgrade/check-file/?id=" . $_GET["id"]);