Exemplo n.º 1
0
/**
 * Function to be called when a user is attempting to access a page that
 * he/she is not authorised to.  This outputs an access denied message then
 * re-directs to the mainpage.
 *
 * @return void
 */
function access_denied()
{
    if (!auth_is_user_authenticated()) {
        if (basename($_SERVER['SCRIPT_NAME']) != 'login_page.php') {
            $t_return_page = $_SERVER['SCRIPT_NAME'];
            if (isset($_SERVER['QUERY_STRING'])) {
                $t_return_page .= '?' . $_SERVER['QUERY_STRING'];
            }
            $t_return_page = string_url(string_sanitize_url($t_return_page));
            print_header_redirect('login_page.php?return=' . $t_return_page);
        }
    } else {
        if (current_user_is_anonymous()) {
            if (basename($_SERVER['SCRIPT_NAME']) != 'login_page.php') {
                $t_return_page = $_SERVER['SCRIPT_NAME'];
                if (isset($_SERVER['QUERY_STRING'])) {
                    $t_return_page .= '?' . $_SERVER['QUERY_STRING'];
                }
                $t_return_page = string_url(string_sanitize_url($t_return_page));
                echo '<p class="center">' . error_string(ERROR_ACCESS_DENIED) . '</p><p class="center">';
                print_bracket_link(helper_mantis_url('login_page.php') . '?return=' . $t_return_page, lang_get('click_to_login'));
                echo '</p><p class="center">';
                print_bracket_link(helper_mantis_url(config_get('default_home_page')), lang_get('proceed'));
                echo '</p>';
            }
        } else {
            echo '<p class="center">' . error_string(ERROR_ACCESS_DENIED) . '</p>';
            echo '<p class="center">';
            print_bracket_link(helper_mantis_url(config_get('default_home_page')), lang_get('proceed'));
            echo '</p>';
        }
    }
    exit;
}
/**
 * prepares the name of the user given the id.  also makes it an email link.
 * @param int $p_user_id
 * @return string
 */
function prepare_user_name($p_user_id)
{
    # Catch a user_id of NO_USER (like when a handler hasn't been assigned)
    if (NO_USER == $p_user_id) {
        return '';
    }
    $t_username = user_get_name($p_user_id);
    if (user_exists($p_user_id) && user_get_field($p_user_id, 'enabled')) {
        $t_username = string_display_line($t_username);
        // WK/BFE: Original-Zeile auskommentiert: , LB/BFE 2015
        //		return '<a href="' . string_sanitize_url( 'view_user_page.php?id=' . $p_user_id, true ) . '">' . $t_username . '</a>';
        // ersetzt durch: (Link auf view_user_page nur wenn globale Rolle mindestens $g_manage_user_threshold
        if (user_is_administrator(auth_get_current_user_id())) {
            return '<a href="' . string_sanitize_url('view_user_page.php?id=' . $p_user_id, true) . '">' . $t_username . '</a>';
        } else {
            return $t_username;
        }
        // WK/BFE: Ende der Modifikation
    } else {
        $t_result = '<font STYLE="text-decoration: line-through">';
        $t_result .= string_display_line($t_username);
        $t_result .= '</font>';
        return $t_result;
    }
}
Exemplo n.º 3
0
function access_denied()
{
    if (!auth_is_user_authenticated()) {
        if (basename($_SERVER['SCRIPT_NAME']) != 'login_page.php') {
            $t_return_page = $_SERVER['PHP_SELF'];
            if (isset($_SERVER['QUERY_STRING'])) {
                $t_return_page .= '?' . $_SERVER['QUERY_STRING'];
            }
            $t_return_page = string_url(string_sanitize_url($t_return_page));
            print_header_redirect('login_page.php?return=' . $t_return_page);
        }
    } else {
        if (auth_get_current_user_id() == user_get_id_by_name(config_get_global('anonymous_account'))) {
            if (basename($_SERVER['SCRIPT_NAME']) != 'login_page.php') {
                $t_return_page = $_SERVER['PHP_SELF'];
                if (isset($_SERVER['QUERY_STRING'])) {
                    $t_return_page .= '?' . $_SERVER['QUERY_STRING'];
                }
                $t_return_page = string_url(string_sanitize_url($t_return_page));
                echo '<center>';
                echo '<p>' . error_string(ERROR_ACCESS_DENIED) . '</p>';
                print_bracket_link('login_page.php?return=' . $t_return_page, lang_get('click_to_login'));
                echo '<p></p>';
                print_bracket_link('main_page.php', lang_get('proceed'));
                echo '</center>';
            }
        } else {
            echo '<center>';
            echo '<p>' . error_string(ERROR_ACCESS_DENIED) . '</p>';
            print_bracket_link('main_page.php', lang_get('proceed'));
            echo '</center>';
        }
    }
    exit;
}
Exemplo n.º 4
0
function print_header_redirect($p_url, $p_die = true, $p_sanitize = false)
{
    $t_use_iis = config_get('use_iis');
    if (ON == config_get('stop_on_errors') && error_handled()) {
        return false;
    }
    # validate the url as part of this site before continuing
    $t_url = $p_sanitize ? string_sanitize_url($p_url) : $p_url;
    # don't send more headers if they have already been sent (guideweb)
    if (!headers_sent()) {
        header('Content-Type: text/html; charset=' . lang_get('charset'));
        if (ON == $t_use_iis) {
            header("Refresh: 0;url={$t_url}");
        } else {
            header("Location: {$t_url}");
        }
    } else {
        trigger_error(ERROR_PAGE_REDIRECTION, ERROR);
        return false;
    }
    if ($p_die) {
        die;
        # additional output can cause problems so let's just stop output here
    }
    return true;
}
Exemplo n.º 5
0
 /**
  * Tests string_sanitize_url()
  *
  * @dataProvider provider
  * @param string $p_in  Input.
  * @param string $p_out Expected output.
  * @return void
  */
 public function testStringSanitize($p_in, $p_out)
 {
     $t_a = string_sanitize_url($p_in, false);
     $this->assertEquals($p_out, $t_a);
     # Since unit tests are run from command-line, with a default MantisBT
     # config $g_short_path will be that of the phpunit binary. We also
     # need to cover the case of Mantis being installed at the server's
     # root (i.e. $g_short_path = '/')
     config_set_global('short_path', '/');
     $t_a = string_sanitize_url($p_in, false);
     $this->assertEquals($p_out, $t_a);
 }
Exemplo n.º 6
0
/**
 * prepares the name of the user given the id.  also makes it an email link.
 * @param int $p_user_id
 * @return string
 */
function prepare_user_name( $p_user_id ) {
	# Catch a user_id of NO_USER (like when a handler hasn't been assigned)
	if( NO_USER == $p_user_id ) {
		return '';
	}

	$t_username = user_get_name( $p_user_id );
	$t_username = string_display_line( $t_username );
	if( user_exists( $p_user_id ) && user_get_field( $p_user_id, 'enabled' ) ) {
		return '<a class="user" href="' . string_sanitize_url( 'view_user_page.php?id=' . $p_user_id, true ) . '">' . $t_username . '</a>';
	} else {
		return '<del class="user">' . $t_username . '</del>';
	}
}
Exemplo n.º 7
0
/**
 * prepares the name of the user given the id.  also makes it an email link.
 * @param int $p_user_id
 * @return string
 */
function prepare_user_name($p_user_id)
{
    # Catch a user_id of NO_USER (like when a handler hasn't been assigned)
    if (NO_USER == $p_user_id) {
        return '';
    }
    $t_username = user_get_name($p_user_id);
    if (user_exists($p_user_id) && user_get_field($p_user_id, 'enabled')) {
        $t_username = string_display_line($t_username);
        return '<a href="' . string_sanitize_url('view_user_page.php?id=' . $p_user_id, true) . '">' . $t_username . '</a>';
    } else {
        $t_result = '<font STYLE="text-decoration: line-through">';
        $t_result .= string_display_line($t_username);
        $t_result .= '</font>';
        return $t_result;
    }
}
Exemplo n.º 8
0
function html_meta_redirect($p_url, $p_time = null, $p_sanitize = false)
{
    if (ON == config_get('stop_on_errors') && error_handled()) {
        return false;
    }
    if (null === $p_time) {
        $p_time = current_user_get_pref('redirect_delay');
    }
    if ($p_sanitize) {
        $t_url = string_sanitize_url($p_url);
    } else {
        $t_url = $p_url;
    }
    echo "\t<meta http-equiv=\"Refresh\" content=\"{$p_time};URL={$t_url}\" />\n";
    return true;
}
Exemplo n.º 9
0
#
# You should have received a copy of the GNU General Public License
# along with MantisBT.  If not, see <http://www.gnu.org/licenses/>.
/**
 * login_anon.php logs a user in anonymously without having to enter a username
 * or password.
 *
 * Depends on two global configuration variables:
 * allow_anonymous_login - bool which must be true to allow anonymous login.
 * anonymous_account - name of account to login with.
 *
 * TODO:
 * Check how manage account is impacted.
 * Might be extended to allow redirects for bug links etc.
 * @package MantisBT
 * @copyright Copyright (C) 2000 - 2002  Kenzaburo Ito - kenito@300baud.org
 * @copyright Copyright (C) 2002 - 2014  MantisBT Team - mantisbt-dev@lists.sourceforge.net
 * @link http://www.mantisbt.org
 */
/**
 * MantisBT Core API's
 */
require_once 'core.php';
$f_return = gpc_get_string('return', '');
$t_anonymous_account = config_get('anonymous_account');
if ($f_return !== '') {
    $t_return = string_url(string_sanitize_url($f_return));
    print_header_redirect("login.php?username={$t_anonymous_account}&perm_login=false&return={$t_return}");
} else {
    print_header_redirect("login.php?username={$t_anonymous_account}&perm_login=false");
}
Exemplo n.º 10
0
 /**
  * Tests string_sanitize_url()
  * @dataProvider provider
  */
 public function testStringSanitize($in, $out)
 {
     $a = string_sanitize_url($in, false);
     $this->assertEquals($out, $a);
 }
Exemplo n.º 11
0
 * @uses session_api.php
 * @uses string_api.php
 */
require_once 'core.php';
require_api('authentication_api.php');
require_api('config_api.php');
require_api('constant_inc.php');
require_api('gpc_api.php');
require_api('print_api.php');
require_api('session_api.php');
require_api('string_api.php');
$t_allow_perm_login = ON == config_get('allow_permanent_cookie');
$f_username = gpc_get_string('username', '');
$f_password = gpc_get_string('password', '');
$f_perm_login = $t_allow_perm_login && gpc_get_bool('perm_login');
$t_return = string_url(string_sanitize_url(gpc_get_string('return', config_get('default_home_page'))));
$f_from = gpc_get_string('from', '');
$f_secure_session = gpc_get_bool('secure_session', false);
$f_install = gpc_get_bool('install');
# If upgrade required, always redirect to install page.
if ($f_install) {
    $t_return = 'admin/install.php';
}
$f_username = auth_prepare_username($f_username);
$f_password = auth_prepare_password($f_password);
gpc_set_cookie(config_get_global('cookie_prefix') . '_secure_session', $f_secure_session ? '1' : '0');
if (auth_attempt_login($f_username, $f_password, $f_perm_login)) {
    session_set('secure_session', $f_secure_session);
    if ($f_username == 'administrator' && $f_password == 'root' && (is_blank($t_return) || $t_return == 'index.php')) {
        $t_return = 'account_page.php';
    }
Exemplo n.º 12
0
/**
 * A function that outputs that an operation was successful and provides a redirect link.
 * @param string $p_redirect_url The url to redirect to.
 * @param string $p_message      Message to display to the user.
 * @return void
 */
function html_operation_successful($p_redirect_url, $p_message = '')
{
    echo '<div class="success-msg">';
    if (!is_blank($p_message)) {
        echo $p_message . '<br />';
    }
    echo lang_get('operation_successful') . '<br />';
    print_bracket_link(string_sanitize_url($p_redirect_url), lang_get('proceed'));
    echo '</div>';
}
Exemplo n.º 13
0
 * @uses string_api.php
 */
/**
 * MantisBT Core API's
 */
require_once 'core.php';
require_api('authentication_api.php');
require_api('constant_inc.php');
require_api('current_user_api.php');
require_api('gpc_api.php');
require_api('html_api.php');
require_api('lang_api.php');
require_api('print_api.php');
require_api('string_api.php');
auth_ensure_user_authenticated();
$f_ref = string_sanitize_url(gpc_get_string('ref', ''));
if (count(current_user_get_accessible_projects()) == 1) {
    $t_project_ids = current_user_get_accessible_projects();
    $t_project_id = (int) $t_project_ids[0];
    if (count(current_user_get_accessible_subprojects($t_project_id)) == 0) {
        $t_ref_urlencoded = string_url($f_ref);
        print_header_redirect("set_project.php?project_id={$t_project_id}&ref={$t_ref_urlencoded}", true);
        /* print_header_redirect terminates script execution */
    }
}
html_page_top(lang_get('select_project_button'));
?>

<!-- Project Select Form BEGIN -->
<div id="select-project-div" class="form-container">
	<form id="select-project-form" method="post" action="set_project.php">
Exemplo n.º 14
0
# (at your option) any later version.
#
# Mantis is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Mantis.  If not, see <http://www.gnu.org/licenses/>.
# --------------------------------------------------------
# $Id: permalink_page.php,v 1.4.2.1 2007-10-13 22:34:11 giallu Exp $
# --------------------------------------------------------
require_once 'core.php';
$t_core_path = config_get('core_path');
html_page_top1();
html_page_top2();
$f_url = string_sanitize_url(gpc_get_string('url'));
?>
<div align="center">
	<p>
	<?php 
echo lang_get('filter_permalink'), '<br />';
echo "<a href=\"{$f_url}\">{$f_url}</a>";
?>
</p><br />
<?php 
print_bracket_link(sprintf(config_get('create_short_url'), $f_url), lang_get('create_short_link'), true);
?>
</div>
<?php 
html_page_bottom1(__FILE__);
Exemplo n.º 15
0
/**
 * Format and hyperlink mentions
 *
 * @param string $p_text The text to process.
 * @param bool $p_html true for html, false otherwise.
 * @return string The processed text.
 */
function mention_format_text($p_text, $p_html = true)
{
    $t_mentioned_users = mention_get_users($p_text);
    if (empty($t_mentioned_users)) {
        return $p_text;
    }
    $t_mentions_tag = mentions_tag();
    $t_formatted_mentions = array();
    foreach ($t_mentioned_users as $t_username => $t_user_id) {
        $t_mention = $t_mentions_tag . $t_username;
        $t_mention_formatted = $t_mention;
        if ($p_html) {
            $t_mention_formatted = string_display_line($t_mention_formatted);
            $t_mention_formatted = '<a class="user" href="' . string_sanitize_url('view_user_page.php?id=' . $t_user_id, true) . '">' . $t_mention_formatted . '</a>';
            if (!user_is_enabled($t_user_id)) {
                $t_mention_formatted = '<s>' . $t_mention_formatted . '</s>';
            }
            $t_mention_formatted = '<span class="mention">' . $t_mention_formatted . '</span>';
        }
        $t_formatted_mentions[$t_mention] = $t_mention_formatted;
    }
    # Replace the mentions, ignoring existing anchor tags (otherwise
    # previously set mailto links would be processed as mentions,
    # corrupting the output
    $t_text = string_process_exclude_anchors($p_text, function ($p_string) use($t_formatted_mentions) {
        return str_replace(array_keys($t_formatted_mentions), array_values($t_formatted_mentions), $p_string);
    });
    return $t_text;
}
Exemplo n.º 16
0
 /**
  * Tests string_sanitize_url()
  *
  * @dataProvider provider
  * @param string $p_in  Input.
  * @param string $p_out Expected output.
  * @return void
  */
 public function testStringSanitize($p_in, $p_out)
 {
     $t_a = string_sanitize_url($p_in, false);
     $this->assertEquals($p_out, $t_a);
 }
Exemplo n.º 17
0
$f_perm_login = gpc_get_bool('perm_login');
$f_return = gpc_get_string('return', config_get('default_home_page'));
$f_from = gpc_get_string('from', '');
if (BASIC_AUTH == config_get('login_method')) {
    $f_username = $_SERVER['REMOTE_USER'];
    $f_password = $_SERVER['PHP_AUTH_PW'];
}
if (HTTP_AUTH == config_get('login_method')) {
    if (!auth_http_is_logout_pending()) {
        if (isset($_SERVER['PHP_AUTH_USER'])) {
            $f_username = $_SERVER['PHP_AUTH_USER'];
        }
        if (isset($_SERVER['PHP_AUTH_PW'])) {
            $f_password = $_SERVER['PHP_AUTH_PW'];
        }
    } else {
        auth_http_set_logout_pending(false);
        auth_http_prompt();
        return;
    }
}
if (auth_attempt_login($f_username, $f_password, $f_perm_login)) {
    $t_redirect_url = 'login_cookie_test.php?return=' . string_sanitize_url($f_return);
} else {
    $t_redirect_url = 'login_page.php?return=' . string_sanitize_url($f_return) . '&error=1';
    if (HTTP_AUTH == config_get('login_method')) {
        auth_http_prompt();
        exit;
    }
}
print_header_redirect($t_redirect_url);
Exemplo n.º 18
0
require_api('authentication_api.php');
require_api('config_api.php');
require_api('constant_inc.php');
require_api('current_user_api.php');
require_api('database_api.php');
require_api('gpc_api.php');
require_api('html_api.php');
require_api('lang_api.php');
require_api('print_api.php');
require_api('string_api.php');
require_api('user_api.php');
require_api('utility_api.php');
require_css('login.css');
$f_error = gpc_get_bool('error');
$f_cookie_error = gpc_get_bool('cookie_error');
$f_return = string_sanitize_url(gpc_get_string('return', ''));
$f_username = gpc_get_string('username', '');
$f_perm_login = gpc_get_bool('perm_login', false);
$f_secure_session = gpc_get_bool('secure_session', false);
$f_secure_session_cookie = gpc_get_cookie(config_get_global('cookie_prefix') . '_secure_session', null);
# Set username to blank if invalid to prevent possible XSS exploits
if (!user_is_name_valid($f_username)) {
    $f_username = '';
}
$t_session_validation = ON == config_get_global('session_validation');
# If user is already authenticated and not anonymous
if (auth_is_user_authenticated() && !current_user_is_anonymous()) {
    # If return URL is specified redirect to it; otherwise use default page
    if (!is_blank($f_return)) {
        print_header_redirect($f_return, false, false, true);
    } else {
Exemplo n.º 19
0
 * @uses user_api.php
 * @uses user_pref_api.php
 */
require_once 'core.php';
require_api('access_api.php');
require_api('authentication_api.php');
require_api('config_api.php');
require_api('form_api.php');
require_api('gpc_api.php');
require_api('print_api.php');
require_api('string_api.php');
require_api('user_api.php');
require_api('user_pref_api.php');
#============ Parameters ============
$f_user_id = gpc_get_int('user_id');
$f_redirect_url = string_sanitize_url(gpc_get_string('redirect_url', 'account_prefs_page.php'));
#============ Permissions ============
form_security_validate('account_prefs_reset');
auth_ensure_user_authenticated();
user_ensure_exists($f_user_id);
$t_user = user_get_row($f_user_id);
# This page is currently called from the manage_* namespace and thus we
# have to allow authorised users to update the accounts of other users.
# TODO: split this functionality into manage_user_prefs_reset.php
if (auth_get_current_user_id() != $f_user_id) {
    access_ensure_global_level(config_get('manage_user_threshold'));
    access_ensure_global_level($t_user['access_level']);
} else {
    # Protected users should not be able to update the preferences of their
    # user account. The anonymous user is always considered a protected
    # user and hence will also not be allowed to update preferences.
Exemplo n.º 20
0
function print_header_redirect($p_url, $p_die = true, $p_sanitize = false, $p_absolute = false)
{
    if (ON == config_get_global('stop_on_errors') && error_handled()) {
        return false;
    }
    # validate the url as part of this site before continuing
    if ($p_absolute) {
        if ($p_sanitize) {
            $t_url = string_sanitize_url($p_url);
        } else {
            $t_url = $p_url;
        }
    } else {
        if ($p_sanitize) {
            $t_url = string_sanitize_url($p_url, true);
        } else {
            $t_url = config_get('path') . $p_url;
        }
    }
    $t_url = string_prepare_header($t_url);
    # don't send more headers if they have already been sent (guideweb)
    if (!headers_sent()) {
        header('Content-Type: text/html; charset=utf-8');
        header("Location: {$t_url}");
    } else {
        trigger_error(ERROR_PAGE_REDIRECTION, ERROR);
        return false;
    }
    if ($p_die) {
        die;
        # additional output can cause problems so let's just stop output here
    }
    return true;
}
Exemplo n.º 21
0
/**
 * (6) Print an HTML meta tag to redirect to another page
 * This function is optional and may be called by pages that need a redirect.
 * $p_time is the number of seconds to wait before redirecting.
 * If we have handled any errors on this page return false and don't redirect.
 *
 * @param string  $p_url      The page to redirect: has to be a relative path.
 * @param integer $p_time     Seconds to wait for before redirecting.
 * @param boolean $p_sanitize Apply string_sanitize_url to passed URL.
 * @return boolean
 */
function html_meta_redirect($p_url, $p_time = null, $p_sanitize = true)
{
    if (ON == config_get_global('stop_on_errors') && error_handled()) {
        return false;
    }
    if (null === $p_time) {
        $p_time = current_user_get_pref('redirect_delay');
    }
    $t_url = config_get('path');
    if ($p_sanitize) {
        $t_url .= string_sanitize_url($p_url);
    } else {
        $t_url .= $p_url;
    }
    $t_url = htmlspecialchars($t_url);
    echo "\t" . '<meta http-equiv="Refresh" content="' . $p_time . ';URL=' . $t_url . '" />' . "\n";
    return true;
}