phorum_api_redirect($PHORUM['http_path']); } elseif (!empty($_POST['continue'])) { if (!empty($_POST['target'])) { $url = phorum_admin_build_url($_POST['target'], TRUE); } else { $url = phorum_admin_build_url(NULL, TRUE); } phorum_api_redirect($url); } exit; } } // We have no token or our token expired. // Generate a fresh token. $admin_token_time = time(); $admin_token = phorum_api_sign($PHORUM['user']['user_id'] . microtime() . $PHORUM['user']['username'] . $PHORUM['user']['sessid_st']); phorum_api_user_save_settings(array('admin_token_time' => $admin_token_time, 'admin_token' => $admin_token)); $PHORUM['admin_token'] = $admin_token; // If there are no POST or GET variables in the request, besides // "module" and/or "phorum_admin_token", then we can safely load // the requested admin page, without bugging the admin about the // token timeout. $post = $_POST; unset($post['module']); unset($post['phorum_admin_token']); $get = $_GET; unset($get['module']); unset($get['phorum_admin_token']); if (empty($post) && empty($get)) { $module = ''; if (isset($_POST['module'])) {
// getting converted (e.g. \r\n to \n). $val = base64_encode(serialize($message[$var])); if ($spec[pf_SIGNED]) { $signval = $val; } } else { $val = htmlspecialchars($message[$var], ENT_COMPAT, $PHORUM["DATA"]["HCHARSET"]); if ($spec[pf_SIGNED]) { $signval = $message[$var]; } } if ($spec[pf_READONLY] || $spec[pf_HIDDEN]) { $hidden .= '<input type="hidden" name="' . $var . '" ' . 'value="' . $val . "\" />\n"; } if ($signval !== NULL) { $signature = phorum_api_sign($signval); $hidden .= '<input type="hidden" name="' . $var . ':signature" ' . 'value="' . htmlspecialchars($signature, ENT_COMPAT, $PHORUM["DATA"]["HCHARSET"]) . "\" />\n"; } } $PHORUM["DATA"]["POST_VARS"] .= $hidden; // Process data for XSS prevention. foreach ($message as $var => $val) { // The meta information should not be used in templates, because // nothing is escaped here. But we might want to use the data in // mods which are run after this code. We continue here, so the // data won't be stripped from the message data later on. if ($var == "meta") { continue; } // This one is filled from the language file, so there's no need // to run htmlspecialchars on this one.
// along with this program. // // // //////////////////////////////////////////////////////////////////////////////// // don't allow this page to be loaded directly if (!defined("PHORUM_ADMIN")) { exit; } require_once PHORUM_PATH . '/include/api/user.php'; require_once PHORUM_PATH . '/include/api/sign.php'; if (isset($_POST["username"]) && isset($_POST["password"])) { $user_id = phorum_api_user_authenticate(PHORUM_ADMIN_SESSION, trim($_POST["username"]), trim($_POST["password"])); if ($user_id && phorum_api_user_set_active_user(PHORUM_ADMIN_SESSION, $user_id) && phorum_api_user_session_create(PHORUM_ADMIN_SESSION)) { // update the token and time $GLOBALS["PHORUM"]["user"]['settings_data']['admin_token_time'] = time(); $sig_data = $GLOBALS["PHORUM"]["user"]['user_id'] . time() . $GLOBALS["PHORUM"]["user"]['username']; $GLOBALS["PHORUM"]["user"]['settings_data']['admin_token'] = phorum_api_sign($sig_data); $GLOBALS["PHORUM"]['admin_token'] = $GLOBALS["PHORUM"]["user"]['settings_data']['admin_token']; $tmp_user = array('user_id' => $GLOBALS["PHORUM"]["user"]['user_id'], 'settings_data' => $GLOBALS["PHORUM"]["user"]['settings_data']); phorum_api_user_save($tmp_user); if (!empty($_POST["target"])) { $target_url = phorum_admin_build_url($_POST['target'], TRUE); phorum_api_redirect($target_url); } else { $redir_url = phorum_admin_build_url(NULL, TRUE); phorum_api_redirect($redir_url); } exit; } else { /** * TODO Move to User API. */
/**
 * Legacy entry point for signing data.
 *
 * Kept only for backward compatibility with callers that predate the
 * sign API; new code should call phorum_api_sign() directly.
 *
 * @deprecated Replaced by {@link phorum_api_sign()}.
 *
 * @param mixed $data
 *     Passed through unchanged to phorum_api_sign().
 *
 * @return mixed
 *     Whatever phorum_api_sign() returns for $data.
 *
 * @see phorum_api_sign()
 */
function phorum_generate_data_signature($data)
{
    // The sign API lives in its own file; make sure it is loaded before
    // delegating, since this wrapper may be reached from code paths that
    // never included it themselves.
    require_once PHORUM_PATH . '/include/api/sign.php';

    $signature = phorum_api_sign($data);

    return $signature;
}
/**
 * Legacy entry point for signing data.
 *
 * Thin compatibility shim: it hands $data to phorum_api_sign() and
 * returns that result unchanged. New code should use phorum_api_sign()
 * directly.
 *
 * @deprecated Replaced by {@link phorum_api_sign()}.
 *
 * @param mixed $data
 *     Passed through unchanged to phorum_api_sign().
 *
 * @return mixed
 *     Whatever phorum_api_sign() returns for $data.
 *
 * @see phorum_api_sign()
 */
function phorum_generate_data_signature($data)
{
    $signature = phorum_api_sign($data);

    return $signature;
}