    $tmpl->setvar('dir', $dir);
    $tmpl->setvar('_REN_FILE', $cfg['_REN_FILE']);
    $tmpl->setvar('_REN_STRING', $cfg['_REN_STRING']);
} else {
    $file = tfb_getRequestVar('fileFrom');
    $fileTo = tfb_getRequestVar('fileTo');
    $dir = tfb_getRequestVar('dir');
    $sourceDir = $cfg["path"] . $dir;
    $targetDir = $cfg["path"] . $dir . $fileTo;
    // Add slashes if magic_quotes off:
    if (get_magic_quotes_gpc() !== 1) {
        $targetDir = addslashes($targetDir);
        $sourceDir = addslashes($sourceDir);
    }
    // only valid dirs + entries with permission
    if (!(tfb_isValidPath($sourceDir) && tfb_isValidPath($sourceDir . $file) && tfb_isValidPath($targetDir) && isValidEntry($file) && isValidEntry($fileTo) && hasPermission($dir, $cfg["user"], 'w'))) {
        AuditAction($cfg["constants"]["error"], "ILLEGAL RENAME: " . $cfg["user"] . " tried to rename " . $file . " in " . $dir . " to " . $fileTo);
        @error("Illegal rename. Action has been logged.", "", "");
    }
    // Use single quote to escape mv args:
    $cmd = "mv '" . $sourceDir . $file . "' '" . $targetDir . "'";
    $cmd .= ' 2>&1';
    $handle = popen($cmd, 'r');
    $gotError = -1;
    $buff = fgets($handle);
    $gotError = $gotError + 1;
    pclose($handle);
    // template
    $tmpl->setvar('is_start', 0);
    $tmpl->setvar('messages', nl2br($buff));
    if ($gotError <= 0) {
    @error("Required binary could not be found", "", "", $cfg['isAdmin'] ? array('cksfv is required for sfv-checking', 'Specified cksfv-binary does not exist: ' . $cfg['bin_cksfv'], 'Check Settings on Admin-Server-Settings Page') : array('Please contact an Admin'));
}
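// target: both values come straight from the request
$dir = tfb_getRequestVar('dir');
$file = tfb_getRequestVar('file');
// validate dir + file
// NOTE(review): each check is skipped entirely when the value is empty, and
// str_replace() removes the first occurrence of $cfg["path"] anywhere in the
// string, not only a leading prefix — confirm tfb_isValidPath() is what
// actually pins the value under $cfg["path"].
if (!empty($dir)) {
    $dirS = str_replace($cfg["path"], '', $dir);
    if (!(tfb_isValidPath($dir) && hasPermission($dirS, $cfg["user"], 'r'))) {
        AuditAction($cfg["constants"]["error"], "ILLEGAL SFV-ACCESS: " . $cfg["user"] . " tried to check " . $dirS);
        @error("Illegal access. Action has been logged.", "", "");
    }
}
if (!empty($file)) {
    $fileS = str_replace($cfg["path"], '', $file);
    if (!(tfb_isValidPath($file) && isValidEntry(basename($file)) && hasPermission($fileS, $cfg["user"], 'r'))) {
        AuditAction($cfg["constants"]["error"], "ILLEGAL SFV-ACCESS: " . $cfg["user"] . " tried to check " . $fileS);
        @error("Illegal access. Action has been logged.", "", "");
    }
}
// init template-instance
tmplInitializeInstance($cfg["theme"], "page.checkSFV.tmpl");
// process: every request-derived argument passes through tfb_shellencode()
// before it is handed to the shell; $cfg['bin_cksfv'] is trusted config.
$cmd = $cfg['bin_cksfv'] . ' -C ' . tfb_shellencode($dir) . ' -f ' . tfb_shellencode($file);
$handle = popen($cmd . ' 2>&1', 'r');
// Debug preamble (loose == kept as in the original); the command is
// HTML-encoded before it is echoed back.
$buff = "";
if (isset($cfg["debuglevel"]) && $cfg["debuglevel"] == 2) {
    $buff = "<strong>Debug:</strong> Evaluating command:<br/><br/><pre>" . tfb_htmlencode($cmd) . "</pre><br/>Output follows below:<br/>";
}
$buff .= "<pre>";
// popen() returns false when the process cannot be started; on PHP 8
// feof(false) throws a TypeError, so only read from a real handle. The
// handle is not closed in this fragment (pclose() is presumably done later).
if ($handle !== false) {
    while (!feof($handle)) {
        // output is encoded chunk by chunk; fgets() returns false at EOF and
        // that is passed to tfb_htmlencode() unchanged, as before
        $buff .= tfb_htmlencode(@fgets($handle, 30));
    }
}
$tmpl->setvar('buff', $buff);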
    }
} else {
    $file = $_POST['file'];
    $targetDir = "";
    if (isset($_POST['dest'])) {
        $tempDir = trim(rawurldecode($_POST['dest']));
        if (strlen($tempDir) > 0) {
            $targetDir = $tempDir;
        } else {
            if (isset($_POST['selector'])) {
                $targetDir = trim(urldecode($_POST['selector']));
            }
        }
    }
    // only valid dirs + entries with permission
    if (!(tfb_isValidPath($cfg["path"] . $file) && tfb_isValidPath($targetDir) && isValidEntry(basename($cfg["path"] . $file)) && hasPermission($file, $cfg["user"], 'w'))) {
        AuditAction($cfg["constants"]["error"], "ILLEGAL MOVE: " . $cfg["user"] . " tried to move " . $file . " to " . $targetDir);
        @error("Illegal move. Action has been logged.", "", "");
    }
    // we need absolute paths or stuff will end up in docroot
    // inform user .. don't move it into a fallback-dir which may be a hassle
    $dirValid = true;
    if (strlen($targetDir) <= 0) {
        $dirValid = false;
    } else {
        if ($targetDir[0] != '/') {
            $tmpl->setvar('not_absolute', 1);
            $dirValid = false;
        } else {
            $tmpl->setvar('not_absolute', 0);
        }
<?php

$out = array();
require 'header.php';
if (isGET('draft') && isAdmin() && isValidEntry('drafts', GET('draft'))) {
    $draft = GET('draft');
    if (check('title') && check('content') && check('id')) {
        $post = newEntry(cleanMagic($_POST['id']));
        $postEntry['title'] = clean(cleanMagic($_POST['title']));
        $postEntry['content'] = cleanMagic($_POST['content']);
        $postEntry['locked'] = $_POST['locked'] === 'yes';
        $addedTags = $_POST['tags'] ? $_POST['tags'] : array();
        $postEntry['tags'] = $addedTags;
        saveEntry('posts', $post, $postEntry);
        foreach ($addedTags as $tag) {
            $tagEntry = readEntry('tags', $tag);
            $tagEntry['posts'][$post] = $post;
            saveEntry('tags', $tag, $tagEntry);
        }
        deleteEntry('drafts', $draft);
        redirect('view.php?post=' . $post);
    } else {
        $draftEntry = readEntry('drafts', $draft);
        $tagOptions = array();
        foreach (listEntry('tags') as $tag) {
            $tagEntry = readEntry('tags', $tag);
            $tagOptions[$tag] = $tagEntry['name'];
        }
        $out['title'] = $lang['publishPost'] . ': ' . $draftEntry['title'];
        $out['content'] .= '<form action="./publish.php?draft=' . $draft . '" method="post">
    <p>' . text('title', $draftEntry['title']) . '</p>
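/**
 * Recursive chmod.
 *
 * A non-directory is chmod'ed directly when its name passes isValidEntry().
 * A directory is walked entry by entry: files are chmod'ed, sub-directories
 * recurse, and the directory itself is chmod'ed last (same order as before).
 * Entries rejected by isValidEntry() are skipped; "." and ".." are skipped
 * explicitly so the walk cannot loop even if isValidEntry() accepts them.
 * The directory handle is always closed, including on early failure.
 *
 * @param string $path file or directory to chmod
 * @param int    $mode permission bits, default 0777
 * @return bool true if every chmod succeeded; false on the first failed
 *              chmod, an unreadable directory, or a name isValidEntry() rejects
 */
function chmodRecursive($path, $mode = 0777)
{
    // Non-directory: decide here. Previously a non-directory with an invalid
    // name fell through to opendir() on a file (warning, then readdir(false)).
    if (!@is_dir($path)) {
        return isValidEntry(basename($path)) && @chmod($path, $mode);
    }
    $dirHandle = @opendir($path);
    if ($dirHandle === false) {
        return false;
    }
    $ok = true;
    // Compare against false explicitly: `while ($file = readdir(...))` ends the
    // walk early on an entry literally named "0".
    while (false !== ($file = readdir($dirHandle))) {
        if ($file === '.' || $file === '..' || !isValidEntry(basename($file))) {
            continue;
        }
        $fullpath = $path . '/' . $file;
        $ok = @is_dir($fullpath)
            ? chmodRecursive($fullpath, $mode)
            : @chmod($fullpath, $mode);
        if (!$ok) {
            // stop at the first failure, but still release the handle below
            break;
        }
    }
    closedir($dirHandle);
    if (!$ok) {
        return false;
    }
    return isValidEntry(basename($path)) && @chmod($path, $mode);
}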
}
/******************************************************************************/
// common functions
require_once 'inc/functions/functions.common.php';
// dir functions
require_once 'inc/functions/functions.dir.php';
// is enabled ? (loose != on purpose; config value may not be an int — confirm)
if ($cfg["enable_view_nfo"] != 1) {
    AuditAction($cfg["constants"]["error"], "ILLEGAL ACCESS: " . $cfg["user"] . " tried to use nfo-viewer");
    // error() is assumed to end the request; everything below relies on that
    @error("nfo-viewer is disabled. Action has been logged.", "", "");
}
// target: request value, URL/HTML-slash decoded, then appended to the base path
$file = UrlHTMLSlashesDecode(tfb_getRequestVar("path"));
$path = $cfg["path"] . $file;
// only valid dirs + entries with permission
// The extension argument to tfb_isValidPath() presumably restricts the suffix to
// .nfo/.txt/.log; confirm it also rejects traversal out of $cfg["path"], since
// $file is concatenated without any normalisation here.
if (!((tfb_isValidPath($path, ".nfo") || tfb_isValidPath($path, ".txt") || tfb_isValidPath($path, ".log")) && isValidEntry($file) && hasPermission($file, $cfg["user"], 'r'))) {
    AuditAction($cfg["constants"]["error"], "ILLEGAL NFO-ACCESS: " . $cfg["user"] . " tried to view " . $file);
    @error("Illegal access. Action has been logged.", "", "");
}
// init template-instance
tmplInitializeInstance($cfg["theme"], "page.viewnfo.tmpl");
// set vars
// 'file' is passed to the template unescaped (unlike 'folder' below), so
// escaping for HTML context must happen in the template — verify.
$tmpl->setvar('file', $file);
// everything before the last "/"; with no slash strrpos() is false, which
// substr() treats as length 0, so $folder becomes ""
$folder = htmlspecialchars(substr($file, 0, strrpos($file, "/")));
$tmpl->setvar('folder', $folder);
if ($fileHandle = @fopen($path, 'r')) {
    $output = "";
    while (!@feof($fileHandle)) {
        $output .= @fgets($fileHandle, 4096);
    }
    @fclose($fileHandle);
}
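// read in entries
$entrys = array();
$entrysDirs = array();
$entrysFiles = array();
// opendir() returns false (with a warning) on an unreadable dir; guard it so
// readdir()/closedir() are never called on false (a TypeError on PHP 8).
// On failure the three lists simply stay empty, which is what PHP 7 ended up
// with before, minus the extra warnings.
$handle = opendir($dirName);
if ($handle !== false) {
    // explicit false comparison so an entry named "0" does not end the loop
    while (false !== ($entry = readdir($handle))) {
        if (empty($dir)) {
            // parent dir: permission is checked per entry
            if (isValidEntry($entry) && hasPermission($entry, $cfg["user"], 'r')) {
                $entrys[] = $entry;
            }
        } else {
            // sub-dir: permission is checked on the containing dir, then the
            // entry is sorted into dirs vs. files (same short-circuit order as before)
            if (hasPermission($dir, $cfg["user"], 'r') && isValidEntry($entry)) {
                if (is_dir($dirName . $entry)) {
                    $entrysDirs[] = $entry;
                } else {
                    $entrysFiles[] = $entry;
                }
            }
        }
    }
    closedir($handle);
}
natcasesort($entrysDirs);
natcasesort($entrysFiles);
// files first, then dirs, then parent-level entries; array_merge() reindexes
$entrys = array_merge($entrysFiles, $entrysDirs, $entrys);
// process entries and fill dir- + file-array
$list = array();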
    $buff = "";
    while (!feof($handle)) {
        $buff .= fgets($handle, 30);
    }
    $tmpl->setvar('buff', nl2br($buff));
    pclose($handle);
}
// set vars
// presence test on the raw request; the actual values are read via tfb_getRequestVar()
if (isset($_REQUEST['file']) && $_REQUEST['file'] != "") {
    $file = tfb_getRequestVar('file');
    $dir = tfb_getRequestVar('dir');
    // strip the base path so the values are relative again. str_replace()
    // removes the first occurrence anywhere in the string, not only a leading
    // prefix — tfb_isValidPath() below is what is relied on for containment.
    $file = str_replace($cfg["path"], '', $file);
    $dir = str_replace($cfg["path"], '', $dir);
    $targetFile = $cfg["path"] . $file;
    // only valid dirs + entries with permission:
    // file must be a valid path + entry and readable, dir must be writable.
    // NOTE(review): $dir gets no tfb_isValidPath() check here, unlike $targetFile —
    // confirm hasPermission() is sufficient for it.
    if (!(tfb_isValidPath($targetFile) && isValidEntry(basename($targetFile)) && hasPermission($file, $cfg["user"], 'r') && hasPermission($dir, $cfg["user"], 'w'))) {
        AuditAction($cfg["constants"]["error"], "ILLEGAL UNCOMPRESS-ACCESS: " . $cfg["user"] . " tried to uncompress " . $file);
        // error() is assumed to end the request; the setvar() calls below rely on that
        @error("Illegal access. Action has been logged.", "", "");
    }
    // template vars: absolute paths, urlencoded with "/" restored for readability
    $tmpl->setvar('is_file', 1);
    $tmpl->setvar('url_file', str_replace('%2F', '/', urlencode($cfg["path"] . $file)));
    $tmpl->setvar('url_dir', str_replace('%2F', '/', urlencode($cfg["path"] . $dir)));
    // 'type' goes to the template straight from the request, unvalidated and
    // unescaped here — verify the template (or its consumer) constrains it
    $tmpl->setvar('type', tfb_getRequestVar('type'));
} else {
    $tmpl->setvar('is_file', 0);
}
// title bar + iid vars
tmplSetTitleBar('Uncompress File', false);
tmplSetIidVars();
// parse template
             $linkEntry = readEntry('links', $link);
             if (check('name') && check('url')) {
                 $linkEntry['name'] = clean(cleanMagic($_POST['name']));
                 $linkEntry['url'] = clean(cleanMagic($_POST['url']));
                 saveEntry('links', $link, $linkEntry);
                 home();
             } else {
                 $out['title'] = $lang['editLink'] . ': ' . $linkEntry['name'];
                 $out['content'] .= '<form action="./edit.php?link=' . $link . '" method="post">
 <p>' . text('name', $linkEntry['name']) . '</p>
 <p>' . text('url', $linkEntry['url']) . '</p>
 <p>' . submitAdmin($lang['confirm']) . '</p>
 </form>';
             }
         } else {
             if (isGET('tag') && isAdmin() && isValidEntry('tags', GET('tag'))) {
                 $tagEntry = readEntry('tags', GET('tag'));
                 if (check('name')) {
                     $tagEntry['name'] = clean(cleanMagic($_POST['name']));
                     saveEntry('tags', GET('tag'), $tagEntry);
                     home();
                 } else {
                     $out['title'] = $lang['editTag'] . ': ' . $tagEntry['name'];
                     $out['content'] .= '<form action="./edit.php?tag=' . GET('tag') . '" method="post">
 <p>' . text('name', $tagEntry['name']) . '</p>
 <p>' . submitAdmin($lang['confirm']) . '</p>
 </form>';
                 }
             } else {
                 home();
             }
        $postEntry['content'] = cleanMagic($_POST['content']);
        $post = newEntry(cleanMagic($_POST['id']));
        saveEntry('drafts', $post, $postEntry);
        redirect('view.php?draft=' . $post);
    } else {
        $out['title'] = $lang['newPost'];
        $out['content'] .= '<form action="./add.php?draft" method="post">
    <p>' . text('title') . '</p>
    <p>' . text('id') . '</p>
    <p>' . textarea('content') . '</p>
    <p>' . submitAdmin($lang['confirm']) . '</p>
    </form>';
        $out['content'] .= isPOST('content') ? box(cleanMagic($_POST['content'])) : '';
    }
} else {
    if (isGET('comment') && isValidEntry('posts', GET('comment'))) {
        $postEntry = readEntry('posts', GET('comment'));
        if ($postEntry['locked']) {
            home();
        } else {
            if (checkBot() && check('name', $config['maxNameLength']) && check('content', $config['maxCommentLength'])) {
                $commentEntry['content'] = clean(cleanMagic($_POST['content']));
                $commentEntry['post'] = GET('comment');
                $comment = newEntry();
                $commentEntry['commenter'] = clean(cleanMagic($_POST['name']));
                saveEntry('comments', $comment, $commentEntry);
                $postEntry['comments'][$comment] = $comment;
                saveEntry('posts', GET('comment'), $postEntry);
                $_SESSION[$comment] = $comment;
                redirect('view.php?post=' . GET('comment') . '/pages/' . pageOf($comment, $postEntry['comment']) . '#' . $comment);
            } else {