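/**
 * YOURLS filter callback: let a short URL be created only when the target host is whitelisted.
 *
 * Runs before YOURLS escapes the submitted URL itself (see the comment in the body), which is
 * why the encode/sanitize/escape round is repeated here.
 *
 * @param mixed  $success value to return when the URL passes (handed through untouched)
 * @param string $url     long URL submitted by the user (untrusted input)
 * @param string $keyword requested keyword (unused here, part of the filter signature)
 * @param string $title   requested title (unused here, part of the filter signature)
 * @return mixed $success when the host is whitelisted, otherwise a YOURLS-style 'fail' array
 *               with 'status', 'code', 'message' and 'errorCode'
 */
function svenk_check_whitelisted_domain($success, $url, $keyword, $title)
{
    /* This filter works like that: Return $success if everything is fine,
       return something else or die if not.
       Unfortunately the filter is called *before* the URL is escaped properly,
       so we have to do this twice (https://github.com/YOURLS/YOURLS/blob/master/includes/functions.php#L185). */
    $url = yourls_escape(yourls_sanitize_url(yourls_encodeURI($url)));
    $url_host = parse_url($url, PHP_URL_HOST);
    if (!$url_host) {
        // we cannot even determine the host part of the $url, fail silently.
        // This more or less replaces Line191 in the functions.php file.
        # yourls_die('During Whitelist check, cannot determine host of URL', 'Forbidden', 403);
        return array('status' => 'fail', 'code' => 'error:nourl', 'message' => 'During whitelist check, cannot determine host of URL. Probably missing or malformed URL', 'errorCode' => 400);
    }
    // Host names are case-insensitive but parse_url() keeps the case as typed;
    // normalise so that whitelist entries written in lowercase match reliably.
    $url_host = strtolower($url_host);

    /* make sure this is present: The configuration of whitelisted domains.
       An unset or non-array config becomes an empty list, i.e. nothing is whitelisted
       (fail closed) instead of a PHP warning from foreach(). */
    global $allowed_domains;
    foreach ((array) $allowed_domains as $allowed_domain) {
        if (!is_array($allowed_domain)) {
            // malformed entry: ignore it rather than let it whitelist anything
            continue;
        }
        if (isset($allowed_domain['regexp'])) {
            // check if this whitelist entry catches the $url_host by regexp.
            // preg_match() returns 1 on match, 0 on no match and false on a broken
            // pattern; only a real match (=== 1) may whitelist the host.
            if (preg_match($allowed_domain['regexp'], $url_host) === 1) {
                return $success;
            }
        } elseif (isset($allowed_domain['domain'])) {
            // check if this whitelist entry allows the $url_host by domain end test.
            // NOTE: a plain suffix test is not anchored at a label boundary, so an entry
            // such as 'example.com' also accepts any host that merely ends with that
            // string; a leading-dot entry ('.example.com') anchors the match to a
            // subdomain, with a separate entry if the apex host itself is allowed.
            if (svenk_endsWith($url_host, $allowed_domain['domain'])) {
                return $success;
            }
        }
    }
    /* URL is not whitelisted. Fail verbosely */
    return array('status' => 'fail', 'code' => 'error:whitelist', 'message' => 'This domain is not whitelisted.', 'errorCode' => 400);
    #yourls_die('This domain is not whitelisted', 'Forbidden', 403);
}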
 $table = YOURLS_DB_TABLE_LOG;
 $referrers = array();
 $direct = $notdirect = 0;
 $countries = array();
 $dates = array();
 $list_of_days = array();
 $list_of_months = array();
 $list_of_years = array();
 $last_24h = array();
 // Define keyword query range : either a single keyword or a list of keywords
 if ($aggregate) {
     $keyword_list = yourls_get_longurl_keywords($longurl);
     $keyword_range = "IN ( '" . join("', '", $keyword_list) . "' )";
     // IN ( 'blah', 'bleh', 'bloh' )
 } else {
     $keyword_range = sprintf("= '%s'", yourls_escape($keyword));
 }
 // *** Referrers ***
 $query = "SELECT `referrer`, COUNT(*) AS `count` FROM `{$table}` WHERE `shorturl` {$keyword_range} GROUP BY `referrer`;";
 $rows = $ydb->get_results(yourls_apply_filter('stat_query_referrer', $query));
 // Loop through all results and build list of referrers, countries and hits per day
 foreach ((array) $rows as $row) {
     if ($row->referrer == 'direct') {
         $direct = $row->count;
         continue;
     }
     $host = yourls_get_domain($row->referrer);
     if (!array_key_exists($host, $referrers)) {
         $referrers[$host] = array();
     }
     if (!array_key_exists($row->referrer, $referrers[$host])) {
 if (isset($return['status']) && $return['status'] == 'fail' && isset($return['code']) && $return['code'] == 'error:keyword') {
     $msg = $return['message'];
     $return = yourls_add_new_link($url, '', $ydb);
     $return['message'] .= ' (' . $msg . ')';
 }
 // Stop here if bookmarklet with a JSON callback function
 if (isset($_GET['jsonp']) && $_GET['jsonp'] == 'yourls') {
     $short = $return['shorturl'] ? $return['shorturl'] : '';
     $message = $return['message'];
     yourls_content_type_header('application/javascript');
     echo yourls_apply_filter('bookmarklet_jsonp', "yourls_callback({'short_url':'{$short}','message':'{$message}'});");
     die;
 }
 // Now use the URL that has been sanitized and returned by yourls_add_new_link()
 $url = $return['url']['url'];
 $where = sprintf(" AND `url` LIKE '%s' ", yourls_escape($url));
 $page = $total_pages = $perpage = 1;
 $offset = 0;
 $text = isset($_GET['s']) ? stripslashes($_GET['s']) : '';
 // Sharing with social bookmarklets
 if (!empty($_GET['share'])) {
     yourls_do_action('pre_share_redirect');
     switch ($_GET['share']) {
         case 'twitter':
             // share with Twitter
             $destination = sprintf("https://twitter.com/intent/tweet?url=%s&text=%s", urlencode($return['shorturl']), urlencode($title));
             yourls_redirect($destination, 303);
             // Deal with the case when redirection failed:
             $return['status'] = 'error';
             $return['errorCode'] = 400;
             $return['message'] = yourls_s('Short URL created, but could not redirect to %s !', 'Twitter');
/**
 * Escape a string or an array of strings before DB usage. ALWAYS escape before using in a SQL query. Thanks.
 *
 * Arrays are walked recursively and their keys are kept; every leaf value goes through
 * yourls_escape_real(). Escaping only protects a value that is placed *inside a quoted
 * SQL string literal* — it is not a substitute for parameterised queries and does
 * nothing for unquoted positions (numbers, identifiers, LIKE wildcards).
 *
 * @param string|array $data string or array of strings to be escaped
 * @return string|array escaped data
 */
function yourls_escape($data)
{
    if (!is_array($data)) {
        return yourls_escape_real($data);
    }
    $escaped = array();
    foreach ($data as $key => $value) {
        // nested arrays recurse, scalars are escaped directly
        $escaped[$key] = is_array($value) ? yourls_escape($value) : yourls_escape_real($value);
    }
    return $escaped;
}
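/**
 * Check if an IP shortens URL too fast to prevent DB flood. Return true, or die.
 *
 * Order of checks: plugin shunt, install / no-delay bail-out, logged-in user,
 * IP whitelist, then the timestamp of the most recent URL added from this IP.
 *
 * @param string $ip IP to check; '' means "the current client" as returned by yourls_get_IP()
 * @return mixed true when the IP may proceed, or whatever the 'shunt_check_IP_flood'
 *               filter returned when a plugin short-circuits the check
 */
function yourls_check_IP_flood($ip = '')
{
    // Allow plugins to short-circuit the whole function
    $pre = yourls_apply_filter('shunt_check_IP_flood', false, $ip);
    if (false !== $pre) {
        return $pre;
    }
    yourls_do_action('pre_check_ip_flood', $ip);
    // at this point $ip can be '', check it if your plugin hooks in here

    // Raise white flag if installing or if no flood delay defined
    if (!defined('YOURLS_FLOOD_DELAY_SECONDS') || YOURLS_FLOOD_DELAY_SECONDS === 0 || yourls_is_installing()) {
        return true;
    }
    // Don't throttle logged in users
    if (yourls_is_private() && yourls_is_valid_user() === true) {
        return true;
    }

    // Resolve the IP *before* the whitelist test. With the default '' argument the
    // previous order compared the whitelist entries against an empty string, so the
    // real client IP could never be whitelisted, while a blank entry (e.g. from a
    // trailing comma in the list) whitelisted every caller.
    $ip = $ip ? yourls_sanitize_ip($ip) : yourls_get_IP();

    // Don't throttle whitelist IPs
    if (defined('YOURLS_FLOOD_IP_WHITELIST') && YOURLS_FLOOD_IP_WHITELIST) {
        $whitelist_ips = explode(',', YOURLS_FLOOD_IP_WHITELIST);
        foreach ((array) $whitelist_ips as $whitelist_ip) {
            $whitelist_ip = trim($whitelist_ip);
            // strict comparison; an empty entry never matches anything
            if ($whitelist_ip !== '' && $whitelist_ip === $ip) {
                return true;
            }
        }
    }

    // Escaped only for the query below; hooks receive the escaped form as before.
    $ip = yourls_escape($ip);
    yourls_do_action('check_ip_flood', $ip);
    global $ydb;
    $table = YOURLS_DB_TABLE_URL;
    $lasttime = $ydb->get_var("SELECT `timestamp` FROM {$table} WHERE `ip` = '{$ip}' ORDER BY `timestamp` DESC LIMIT 1");
    if ($lasttime) {
        $now = time();
        $then = strtotime($lasttime);
        // strtotime() returns false on an unparsable timestamp; treat that as "long ago"
        if ($then !== false && $now - $then <= YOURLS_FLOOD_DELAY_SECONDS) {
            // Flood!
            yourls_do_action('ip_flood', $ip, $now - $then);
            yourls_die(yourls__('Too many URLs added too fast. Slow down please.'), yourls__('Forbidden'), 403);
        }
    }
    return true;
}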
         if (isValidUser($username, $password)) {
             $token = getUserTokenByEmail($username);
             $id = getUserIdByToken($token);
             $_SESSION['user'] = array("id" => $id, "user" => $username, "token" => $token);
             yourls_redirect("index.php");
         } else {
             $error_msg = "Problems to login.";
             require_once 'form.php';
         }
     }
     break;
 case "joinform":
     require_once 'formjoin.php';
     break;
 case "join":
     $username = yourls_escape($_POST['username']);
     $password = $_POST['password'];
     if (captchaEnabled()) {
         require_once 'recaptchalib.php';
         $privatekey = YOURLS_MULTIUSER_CAPTCHA_PRIVATE_KEY;
         $resp = recaptcha_check_answer($privatekey, $_SERVER["REMOTE_ADDR"], $_POST["recaptcha_challenge_field"], $_POST["recaptcha_response_field"]);
         if (!$resp->is_valid) {
             $error_msg = "Captch is incorrect.";
             require_once 'formjoin.php';
             break;
         }
     }
     if (!empty($username) && !empty($password)) {
         if (validEmail($username) === false) {
             $error_msg = "E-mail not recognized!";
             require_once 'formjoin.php';
/**
 * Make sure a integer is safe
 *
 * Note: this is not checking for integers, since integers on 32bits system are way too limited
 * TODO: find a way to validate as integer
 *
 * Despite its name this only passes the value through yourls_escape(): nothing is cast
 * or validated, so the result is only safe inside a quoted SQL string literal.
 *
 * @param mixed $in value to make DB-safe
 * @return mixed the escaped value, exactly as yourls_escape() returns it
 */
function yourls_intval($in)
{
    $escaped = yourls_escape($in);
    return $escaped;
}
/**
 * Make sure a integer is safe
 *
 * Note: this function is dumb and dumbly named since it does not intval(). DO NOT USE.
 *
 * Kept for backward compatibility only: it reports itself through
 * yourls_deprecated_function() and then behaves exactly like yourls_escape().
 * New code should call yourls_sanitize_int() instead.
 *
 * @deprecated 1.7 use yourls_sanitize_int()
 * @param mixed $in value to make DB-safe
 * @return mixed the escaped value, exactly as yourls_escape() returns it
 */
function yourls_intval($in)
{
    // deprecation report first, then the legacy behaviour (escape only, no intval())
    yourls_deprecated_function(__FUNCTION__, '1.7', 'yourls_sanitize_int');
    $escaped = yourls_escape($in);
    return $escaped;
}
/**
 * Return the keywords already pointing at $longurl, or null when duplicate long URLs are not allowed.
 *
 * The URL is sanitised and escaped before being interpolated into the query; the value
 * must stay inside the single-quoted literal for that escaping to be sufficient.
 *
 * @param string $longurl long URL to look up
 * @return mixed whatever $ydb->get_col() returns for the keyword column, or null if
 *               yourls_allow_duplicate_longurls() is false
 */
function yourls_get_duplicate_keywords($longurl)
{
    global $ydb;
    if (!yourls_allow_duplicate_longurls()) {
        return null;
    }
    $safe_url = yourls_escape(yourls_sanitize_url($longurl));
    $table = YOURLS_DB_TABLE_URL;
    $query = "SELECT `keyword` FROM `{$table}` WHERE `url` = '{$safe_url}'";
    return $ydb->get_col($query);
}