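/**
 * Loads all the language translations into an array for quick lookup.
 *
 * <b>Note:</b> There is no need to call this manually. It will be invoked by
 * {@link translate()} the first time it is called.
 *
 * Reads $lang_file (preferring the copy under $basedir when that is set and
 * the file exists there) line by line.  Each "phrase: translation" line
 * becomes $translations[phrase] = translation; blank lines, "#" comment lines
 * and lines without a ":" separator are ignored.
 *
 * Globals read: $lang_file, $basedir, $fullname.
 * Globals written: $lang_file, $translations, $PUBLIC_ACCESS_FULLNAME, $fullname.
 *
 * Calls die_miserable_death() if the file cannot be found or opened.
 */
function load_translation_text() {
  global $lang_file, $translations, $basedir, $PUBLIC_ACCESS_FULLNAME, $fullname;

  $translations = array();

  // Prefer the language file under $basedir when one is configured and present.
  if (strlen($basedir)) {
    $lang_file_2 = "{$basedir}/{$lang_file}";
    if (file_exists($lang_file_2)) {
      $lang_file = $lang_file_2;
    }
  }
  if (!file_exists($lang_file)) {
    die_miserable_death("Cannot find language file: {$lang_file}");
  }
  $fp = fopen($lang_file, "r");
  if (!$fp) {
    die_miserable_death("Could not open language file: {$lang_file}");
  }

  // get_magic_quotes_runtime() no longer exists on PHP 8; only consult it
  // where the runtime still provides it (it is a constant for the whole file).
  $strip_slashes = function_exists('get_magic_quotes_runtime') && get_magic_quotes_runtime();

  while (!feof($fp)) {
    $buffer = fgets($fp, 4096);
    if ($buffer === false) {
      // Read error, or EOF reached between feof() and fgets(): nothing to parse.
      break;
    }
    $buffer = trim($buffer);
    // stripslashes may cause problems with Japanese translations
    // if so, we may have to make this configurable.
    if ($strip_slashes) {
      $buffer = stripslashes($buffer);
    }
    if (substr($buffer, 0, 1) == "#" || strlen($buffer) == 0) {
      continue;
    }
    $pos = strpos($buffer, ":");
    if ($pos === false) {
      // Malformed line with no "phrase: translation" separator.  Previously
      // such a line was stored under an empty key; skip it instead.
      continue;
    }
    $abbrev = trim(substr($buffer, 0, $pos));
    $trans = trim(substr($buffer, $pos + 1));
    $translations[$abbrev] = $trans;
  }
  fclose($fp);

  $PUBLIC_ACCESS_FULLNAME = translate("Public Access");
  if ($fullname == "Public Access") {
    $fullname = $PUBLIC_ACCESS_FULLNAME;
  }
}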
/**
 * Verifies that the WebCalendar tables exist in the configured database.
 *
 * Runs a trivial query against webcal_config.  If the query fails or yields
 * no row, aborts through die_miserable_death() with a message naming the
 * database, login and host taken from the globals.  The message is not
 * translated because translate.php is not included at this point.
 */
function doDbSanityCheck() {
  global $db_database, $db_host, $db_login;

  $dieMsgStr = 'Error finding WebCalendar tables in database "' . $db_database
    . '" using db login "' . $db_login . '" on db server "' . $db_host
    . '".<br /><br /> Have you created the database tables as specified in the '
    . '<a href="docs/WebCalendar-SysAdmin.html"  target="other">'
    . 'WebCalendar System Administrator\'s Guide</a>?';

  $res = @dbi_execute('SELECT COUNT( cal_value ) FROM webcal_config', array(), false, false);
  if (!$res) {
    die_miserable_death($dieMsgStr);
  }
  $row = dbi_fetch_row($res);
  // The result handle is released whichever way the check goes.
  dbi_free_result($res);
  if (!$row) {
    // Error accessing table: the user has the wrong db name or has not
    // created the tables.
    die_miserable_death($dieMsgStr);
  }
  // Found database. All is peachy.
}
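/**
 * Verifies that the WebCalendar tables exist in the configured database.
 *
 * Runs a trivial query against webcal_config.  If the query fails or yields
 * no row, aborts through die_miserable_death() with a message naming the
 * database, login and host taken from the globals.  The message cannot be
 * translated because translate.php has not been included yet.
 */
function doDbSanityCheck() {
  global $db_login, $db_host, $db_database;

  // Built once so both failure paths report exactly the same text.
  $dieMsgStr = "Error finding WebCalendar tables in database '{$db_database}' "
    . "using db login '{$db_login}' on db server '{$db_host}'.<br/><br/>\n"
    . "Have you created the database tables as specified in the "
    . "<a href=\"docs/WebCalendar-SysAdmin.html\" target=\"other\">WebCalendar "
    . "System Administrator's Guide</a>?";

  $res = @dbi_query("SELECT COUNT(cal_value) FROM webcal_config", false, false);
  if (!$res) {
    // Error accessing table: wrong db name or tables not created.
    die_miserable_death($dieMsgStr);
  }
  $row = dbi_fetch_row($res);
  // Release the handle before deciding the outcome.
  dbi_free_result($res);
  if (!$row) {
    die_miserable_death($dieMsgStr);
  }
  // Found database. All is peachy.
}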
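/**
 * Saves user preferences from an array of key => value pairs.
 *
 * @param array  $prefs settings to store; with $src == 'post' the keys carry a
 *                      "pref_" prefix that is validated and stripped, otherwise
 *                      keys are bare setting names
 * @param string $src   'post' when $prefs came straight from the request form
 *
 * Globals: reads $prefuser (the login whose preferences are written); writes
 * $my_theme when THEME changes and $error when an INSERT fails.  All SQL
 * values are bound as query parameters.
 * Calls die_miserable_death() for a posted key that is not pref_[A-Za-z0-9_]+.
 */
function save_pref($prefs, $src) {
  // $error was previously a local and the failure text was silently lost;
  // it is now the script-level $error like the other save routines use.
  global $error, $my_theme, $prefuser;

  // each() was removed in PHP 8; foreach visits the same pairs in the same order.
  foreach ($prefs as $key => $value) {
    if ($src == 'post') {
      $setting = substr($key, 5);
      $prefix = substr($key, 0, 5);
      if ($prefix != 'pref_') {
        continue;
      }
      // Validate key name: "pref_" followed only by [A-Za-z0-9_], anchored at
      // both ends (D keeps "$" from accepting a trailing newline).
      if (!preg_match('/^pref_[A-Za-z0-9_]+$/D', $key)) {
        die_miserable_death(str_replace('XXX', $key, translate('Invalid setting name XXX.')));
      }
    } else {
      $setting = $key;
      $prefix = 'pref_';
    }
    if (strlen($setting) > 0 && $prefix == 'pref_') {
      if ($setting == 'THEME' && $value != 'none') {
        $my_theme = strtolower($value);
      }
      // NOTE(review): the DELETE uses the setting name as given while the
      // INSERT below uppercases it — confirm stored names are always uppercase.
      $sql = 'DELETE FROM webcal_user_pref WHERE cal_login = ? AND cal_setting = ?';
      dbi_execute($sql, array($prefuser, $setting));
      if (strlen($value) > 0) {
        $setting = strtoupper($setting);
        $sql = 'INSERT INTO webcal_user_pref ( cal_login, cal_setting, cal_value ) VALUES ( ?, ?, ? )';
        if (!dbi_execute($sql, array($prefuser, $setting, $value))) {
          $error = 'Unable to update preference: ' . dbi_error() . '<br /><br /><span class="bold">SQL:</span>' . $sql;
          break;
        }
      }
    }
  }
}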
/**
 * Builds the path of $filename relative to the directory holding
 * security_audit.php, as derived from __FILE__.
 *
 * @param string $filename file name (or relative path) to append
 * @return string|null the combined path; null only if die_miserable_death()
 *                     returns after the script turns out to be renamed
 */
function get_wc_path($filename) {
  $matched = preg_match('/(.*)security_audit.php/', __FILE__, $parts);
  if (!$matched) {
    // Oops. This file is not named security_audit.php
    die_miserable_death('Crap! Someone renamed security_audit.php');
    return;
  }
  $dir = $parts[1];
  return $dir . $filename;
}
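/**
 * Returns the value of request parameter $name, looking in POST first and
 * then GET.
 *
 * @param string $name   parameter name
 * @param string $format optional PCRE fragment the whole value must match
 *                       (e.g. '-?[0-9]+'); '' disables the check
 * @param bool   $fatal  when the value does not match $format, abort through
 *                       die_miserable_death() instead of returning ''
 * @return mixed the value as returned by getPostValue()/getGetValue(), or ''
 *               when the parameter is absent or rejected
 */
function getValue($name, $format = '', $fatal = false) {
  global $settings;

  $val = getPostValue($name);
  if (!isset($val)) {
    $val = getGetValue($name);
  }
  // for older PHP versions (register_globals)...  get_magic_quotes_gpc() was
  // removed in PHP 8, so only consult it where it still exists.
  if (!isset($val) && function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc() == 1 && !empty($GLOBALS[$name])) {
    $val = $GLOBALS[$name];
  }
  if (!isset($val)) {
    return '';
  }
  // Anchor the whole value.  The non-capturing group stops an alternation in
  // $format from escaping the anchors, and the D modifier stops "$" from
  // accepting a trailing newline (so "12\n" no longer passes '[0-9]+').
  if (!empty($format) && !preg_match('/^(?:' . $format . ')$/D', $val)) {
    // does not match
    if ($fatal) {
      // The offending value is request-controlled; escape it before it is
      // echoed into the (dev-mode only) error page.
      $error_str = ($settings['mode'] == 'dev') ? ' "' . htmlspecialchars($val) . '"' : '';
      die_miserable_death(translate('Fatal Error') . ': ' . translate('Invalid data format for') . ' ' . $name . $error_str);
    }
    // ignore value
    return '';
  }
  preventHacking($name, $val);
  return $val;
}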
<?php /* $Id: admin_handler.php,v 1.7.4.3 2005/11/29 15:28:25 cknudsen Exp $ */ include_once 'includes/init.php'; $error = ""; if (!$is_admin) { $error = translate("You are not authorized"); } if ($error == "") { while (list($key, $value) = each($HTTP_POST_VARS)) { $setting = substr($key, 6); // validate key name. should start with "admin_" and not include // any unusual characters that might cause SQL injection if (!preg_match('/admin_[A-Za-z0-9_]+$/', $key)) { die_miserable_death('Invalid admin setting name "' . $key . '"'); } if (strlen($setting) > 0) { $sql = "DELETE FROM webcal_config WHERE cal_setting = '{$setting}'"; if (!dbi_query($sql)) { $error = translate("Error") . ": " . dbi_error() . "<br /><br /><span style=\"font-weight:bold;\">SQL:</span> {$sql}"; break; } if (strlen($value) > 0) { $sql = "INSERT INTO webcal_config " . "( cal_setting, cal_value ) VALUES " . "( '{$setting}', '{$value}' )"; if (!dbi_query($sql)) { $error = translate("Error") . ": " . dbi_error() . "<br /><br /><span style=\"font-weight:bold;\">SQL:</span> {$sql}"; break; } } } }
$_SERVER['PHP_AUTH_PW'] = $_SERVER['PHP_AUTH_USER'] = ''; unset($_SERVER['PHP_AUTH_USER']); unset($_SERVER['PHP_AUTH_PW']); header('WWW-Authenticate: Basic realm="' . $appStr . '"'); header('HTTP/1.0 401 Unauthorized'); exit; } } load_global_settings(); load_user_preferences(); $WebCalendar->setLanguage(); // Load user name, etc. user_load_variables($login, ''); // Make sure the have privileges to access the activity log if (!$is_admin || access_is_enabled() && !access_can_access_function(ACCESS_ACTIVITY_LOG)) { die_miserable_death(print_not_auth(2)); } $charset = empty($LANGUAGE) ? 'iso-8859-1' : translate('charset'); // This should work ok with RSS, may need to hardcode fallback value. $lang = languageToAbbrev($LANGUAGE == 'Browser-defined' || $LANGUAGE == 'none' ? $lang : $LANGUAGE); if ($lang == 'en') { $lang = 'en-us'; } //the RSS 2.0 default. $appStr = generate_application_name(); $descr = $appStr . ' - ' . translate('Activity Log'); // header ( 'Content-type: application/rss+xml'); header('Content-type: text/xml'); echo '<?xml version="1.0" encoding="' . $charset . '"?> <rss version="2.0" xml:lang="' . $lang . '"> <channel>
/**
 * Loads the translation table into the global $translations array.
 *
 * Resolving the language file ($lang_file, global): when __WC_BASEDIR is
 * defined the file is also looked for under that directory and then under
 * translations/<basename>; if nothing is found it falls back to
 * translations/English-US.txt, and dies via die_miserable_death() if even
 * that is missing.
 *
 * The base English-US.txt file is always read first so that phrases missing
 * from the selected language still have a default; the selected language file
 * is then read on top of it.  When $settings['cachedir'] (or
 * $settings['db_cachedir']) names an existing directory, read_trans_file() is
 * handed a cache path under <cachedir>/translations/ and the cache is reloaded
 * with unserialize() whenever it is newer than the source file.
 *
 * Globals read: $lang_file, $settings.  Globals written: $lang_file (may be
 * rewritten to the resolved path), $translations, $translation_loaded.
 * Runs at most once per request ($translation_loaded guard).
 */
function load_translation_text() {
  global $lang_file, $settings, $translation_loaded, $translations;
  if ($translation_loaded) {
    // No need to run this twice.
    return;
  }
  $eng_file = 'translations/English-US.txt';
  // Bare file name of the requested language file; used both for the
  // translations/ fallback and as the cache file name.
  $lang_cache = substr($lang_file, strrpos($lang_file, '/') + 1);
  $lang_file_2 = '';
  if (defined('__WC_BASEDIR')) {
    if (!file_exists($lang_file)) {
      $lang_file_2 = __WC_BASEDIR . '/' . $lang_file;
    }
    if (file_exists($lang_file_2)) {
      $lang_file = $lang_file_2;
    }
    if (!file_exists($lang_file)) {
      $lang_file = 'translations/' . $lang_cache;
    }
  }
  if (!file_exists($lang_file)) {
    $lang_file = $eng_file;
  }
  if (!file_exists($lang_file)) {
    die_miserable_death('Cannot find language file: ' . $lang_file);
  }
  $cached_base_file = $cached_file = $cachedir = '';
  $can_save = false;
  if (!file_exists($eng_file)) {
    $eng_file = '../' . $eng_file;
  }
  // Check for 'cachedir' in settings. If found, then we will save
  // the parsed translation file there as a serialized array.
  // Ensure we use the proper cachedir name.
  if (!empty($settings['cachedir']) && is_dir($settings['cachedir'])) {
    $cachedir = $settings['cachedir'];
  } else {
    if (!empty($settings['db_cachedir']) && is_dir($settings['db_cachedir'])) {
      $cachedir = $settings['db_cachedir'];
    }
  }
  if (!empty($cachedir) && function_exists('file_get_contents')) {
    $cached_base_file = $cached_file = $cachedir . '/translations/';
    $cached_base_file .= 'English-US.txt';
    $cached_file .= $lang_cache;
    $cache_tran_dir = dirname($cached_file);
    if (!is_dir($cache_tran_dir)) {
      // NOTE(review): the cache directory is created world-writable (0777)
      // and its files are later passed to unserialize() below.  Anyone able
      // to write into that directory could therefore inject arbitrary PHP
      // objects; a tighter mode and a data-only cache format (e.g. JSON)
      // would remove that exposure.
      @mkdir($cache_tran_dir, 0777);
      @chmod($cache_tran_dir, 0777);
      /*
      // Do we really want to die if we can't save the cache file?
      // Or should we just run without it?
      if ( ! is_dir ( $cache_tran_dir ) )
        die_miserable_death ( 'Error creating translation cache directory: "'
          . $cache_tran_dir . '"<br /><br />Please check the permissions of the directory: "'
          . $cachedir . '"' );
      */
    }
    // Assigned but not consulted anywhere in this function.
    $can_save = is_writable($cache_tran_dir);
  }
  // Assigned but not consulted anywhere in this function.
  $new_install = !strstr($_SERVER['SCRIPT_NAME'], 'install/index.php');
  $translations = array();
  // First set default $translations[]
  // by reading the base English-US.txt file or its cache.
  if (empty($cached_base_file)) {
    read_trans_file($eng_file);
  } else {
    if (!file_exists($cached_base_file) || filemtime($eng_file) > filemtime($cached_base_file)) {
      read_trans_file($eng_file, $cached_base_file);
    } else {
      // Cache is newer.
      $translations = unserialize(file_get_contents($cached_base_file));
    }
  }
  // Then, if language is not English,
  // read in the user's language file to overwrite the array.
  // This will ensure that any << MISSING >> phrases at least have a default.
  if ($lang_file !== $eng_file) {
    if (empty($cached_file)) {
      read_trans_file($lang_file);
    } else {
      if (!file_exists($cached_file) || filemtime($lang_file) > filemtime($cached_file)) {
        read_trans_file($lang_file, $cached_file);
      } else {
        // Cache is newer.
        $translations = unserialize(file_get_contents($cached_file));
      }
    }
  }
  $translation_loaded = true;
}
$layerid += $row[0]; } dbi_execute('INSERT INTO webcal_user_layers ( cal_layerid, cal_login, cal_layeruser, cal_color, cal_dups ) VALUES ( ?, ?, ?, ?, ? )', array($layerid, $login, $nid, $layercolor, 'N')); $layer_found = true; } } } // Add entry in UAC access table for new admin and remove for old admin. // First delete any record for this user/nuc combo. dbi_execute('DELETE FROM webcal_access_user WHERE cal_login = ? AND cal_other_user = ?', array($nadmin, $nid)); if (!dbi_execute('INSERT INTO webcal_access_user ( cal_login, cal_other_user, cal_can_view, cal_can_edit, cal_can_approve, cal_can_invite, cal_can_email, cal_see_time_only ) VALUES ( ?, ?, ?, ?, ?, ?, ?, ? )', array($nadmin, $nid, 511, 511, 511, 'Y', 'Y', 'N'))) { die_miserable_death(translate('Database error') . ': ' . dbi_error()); } } if (!empty($reload)) { $data = array(); $calUser = $nid; $overwrite = true; $type = 'remoteics'; // We will check ics first. $data = parse_ical($nurl, $type); // TODO it may be a vcs file. // if ( count ( $data ) == 0 ) { // $data = parse_vcal ( $nurl ); // } // We may be processing an hCalendar. // $data sometimes has a count of 1 but is not a valid array.
/**
 * Handler for failed assert() calls.
 *
 * Builds an HTML message (the supplied $msg, or a default) followed by a
 * trace: assert_backtrace() when debug_backtrace() is available, otherwise
 * "<script basename>: <line> <msg>".  Hands the result to
 * die_miserable_death() when that function is defined; otherwise prints a
 * minimal HTML error page and exits.
 *
 * @param string $script file in which the assertion failed
 * @param int    $line   line number of the failed assertion
 * @param string $msg    optional message; '' selects the default text
 */
function assert_handler($script, $line, $msg = '') {
  $has_backtrace = function_exists('debug_backtrace');
  if (empty($msg)) {
    $msg = 'Assertion failed<br />' . "\n";
  }
  if ($has_backtrace) {
    $trace = assert_backtrace();
    $heading = '<b>Stack Trace:</b><br /><br />';
  } else {
    // No backtrace support: fall back to the location we were given.
    $trace = basename($script) . ': ' . $line . ' ' . $msg;
    $heading = '';
  }
  $msg .= $heading . '<blockquote><tt>' . nl2br($trace) . '</tt></blockquote>';
  if (function_exists('die_miserable_death')) {
    die_miserable_death($msg);
  } else {
    echo '<html><head><title>WebCalendar Error</title></head> <body><h2>WebCalendar Error</h2><p>' . $msg . '</p></body></html> ';
    exit;
  }
}
if (!dbi_execute('INSERT INTO webcal_blob ( cal_blob_id, cal_id, cal_login, cal_name, cal_description, cal_size, cal_mime_type, cal_type, cal_mod_date, cal_mod_time, cal_blob ) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ? )', array($nextid, $id, $login, $filename, $description, $filesize, $mimetype, 'A', date('Ymd'), date('His'), NULL))) { $error = db_error(); } else { if (!dbi_update_blob('webcal_blob', 'cal_blob', "cal_blob_id = {$nextid}", $data)) { $error = db_error(); } else { // success! redirect to view event page activity_log($id, $login, $login, LOG_ATTACHMENT, $filename); do_redirect("view_entry.php?id={$id}"); } } } else { die_miserable_death('Unsupported type'); // programmer error } } if (!empty($error)) { print_header(); echo print_error($error); echo print_trailer(); exit; } } print_header(); ?> <h2><?php echo $title; ?>
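/**
 * Deletes the cached query-result files (*.dat) from the configured db cache
 * directory.
 *
 * Reads the global $db_connection_info['cachedir'].  Returns 0 without
 * touching the filesystem when no cache dir is configured.
 *
 * @return int number of files selected for deletion (a file is counted even
 *             when its unlink fails)
 * Calls dbi_fatal_error() when the directory cannot be opened and
 * die_miserable_death() when more than 10 deletions fail, which is taken as a
 * permissions problem.
 */
function dbi_clear_cache() {
  global $db_connection_info;

  if (empty($db_connection_info['cachedir'])) {
    return 0;
  }
  $cachedir = $db_connection_info['cachedir'];
  $cnt = 0;
  $fd = @opendir($cachedir);
  if (empty($fd)) {
    dbi_fatal_error(translate('Error opening cache dir') . ': ' . $cachedir);
  }
  $errcnt = 0;
  $errstr = '';
  while (false !== ($file = readdir($fd))) {
    // Only remove cache files: ten or more non-space characters then ".dat"
    // (the dot is now literal; it used to match any character).
    if (preg_match('/^\S{10,}\.dat$/', $file)) {
      $cnt++;
      $fullpath = $cachedir . '/' . $file;
      if (!@unlink($fullpath)) {
        $errcnt++;
        $errstr .= '<!-- ' . translate('Error') . ': ' . str_replace('XXX', translate('delete'), translate('Could not XXX file')) . " {$file}. -->\n";
        // TODO: log this somewhere???
      }
    }
  }
  // The directory handle was never released before; close it so a call does
  // not leak a descriptor.
  closedir($fd);
  if ($errcnt > 10) {
    // They don't have correct permissions set.
    die_miserable_death("Error removing temporary file.<br/><br/>The permissions for the following directory do not support the db_cachedir option in includes/settings.php:<br/><blockquote>" . $cachedir . "</blockquote>", 'dbCacheError');
  }
  return $cnt;
}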
//end if ( $repType )
}

/**
 * Sends the HTTP headers that make the browser save the response as a file:
 * the given MIME type, a Content-Disposition attachment naming $file, and
 * private/must-revalidate caching.
 *
 * @param string $mime Content-Type to send
 * @param string $file file name placed in the Content-Disposition header;
 *                     assumed to be built by this script rather than taken
 *                     from the request, since it is not escaped here
 */
function transmit_header($mime, $file) {
  // header ( 'Content-Type: application/octet-stream' );
  header('Content-Type: ' . $mime);
  header('Content-Disposition: attachment; filename="' . $file . '"');
  header('Pragma: private');
  header('Cache-control: private, must-revalidate');
}

/* ********************************** */
/* Let's go */
/* ********************************** */

// The export format comes from the request; only the four known formats are
// accepted, and the rejected value is HTML-escaped before it is echoed back.
$format = getValue('format');
if ($format != 'ical' && $format != 'vcal' && $format != 'pilot-csv' && $format != 'pilot-text') {
  die_miserable_death('Invalid format "' . htmlspecialchars($format) . '"');
}
// The id must match an optional minus followed by digits; the third argument
// makes a mismatch fatal instead of yielding ''.
$id = getValue('id', '-?[0-9]+', true);
// Each checkbox flag is normalised to 'y' (case-insensitively) or ''.
$use_all_dates = getPostValue('use_all_dates');
if (strtolower($use_all_dates) != 'y') {
  $use_all_dates = '';
}
$include_layers = getPostValue('include_layers');
if (strtolower($include_layers) != 'y') {
  $include_layers = '';
}
$include_deleted = getPostValue('include_deleted');
if (strtolower($include_deleted) != 'y') {
  $include_deleted = '';
}
$cat_filter = getPostValue('cat_filter');
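/**
 * Require a valid HTTP_REFERER value in the HTTP header.  This helps prevent
 * XSRF (cross-site request forgery).
 *
 * For example, suppose a "bad guy" sends an email with a link that would
 * delete an event in webcalendar to the admin.  If the admin user clicks on
 * that link we don't want to actually delete the event.
 *
 * Reads the global $SERVER_URL.  Returns true without blocking when the
 * browser sent no Referer at all (some versions of MSIE omit it), so this is
 * not a complete defence on its own; aborts via die_miserable_death() when a
 * Referer is present but does not start with $SERVER_URL; returns null
 * otherwise.
 */
function require_valide_referring_url() {
  global $SERVER_URL;
  if (empty($_SERVER['HTTP_REFERER'])) {
    // Missing the REFERER value
    //die_miserable_death ( translate ( 'Invalid referring URL' ) );
    // Unfortunately, some version of MSIE do not send this info.
    return true;
  }
  // The referrer must START with our own URL.  The previous unanchored
  // "@$SERVER_URL@i" test accepted any referrer that merely contained the
  // server URL somewhere, and treated regex metacharacters in the URL (such
  // as ".") as wildcards; anchoring at ^ and quoting the literal fixes both.
  $pattern = '@^' . preg_quote($SERVER_URL, '@') . '@i';
  if (!preg_match($pattern, $_SERVER['HTTP_REFERER'])) {
    // Gotcha. URL of referring page is not the same as our server.
    // This can be an instance of XSRF.
    // (This may also happen when more than one address is used for your
    // server.  However, you're not supposed to do that with this version of
    // WebCalendar anyhow...)
    die_miserable_death(translate('Invalid referring URL'));
  }
}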
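// Both values come from the request (POST, then GET) via getValue().
$date = getValue('date');
$return_path = getValue('return_path');

// Was a return path set?  If so, go back there (carrying the date when one
// was given); otherwise fall back to the main calendar page.
// NOTE(review): $return_path is request-controlled and ends up in
// do_redirect(); unless do_redirect()/clean_whitespace() restrict it to a
// local path this is an open redirect — confirm against those helpers.
$url = !empty($return_path) ? clean_whitespace($return_path . (!empty($date) ? '?date=' . $date : '')) : 'index.php';

// The built-in public user needs no nonuser-calendar session.
if ($login == '__public__') {
  do_redirect($url);
}
// Load the nonuser calendar into temp_* variables; it must exist and be public.
if (!nonuser_load_variables($login, 'temp_')) {
  die_miserable_death(translate('No such nonuser calendar') . ": {$login}");
}
if (empty($temp_is_public) || $temp_is_public != 'Y') {
  die_miserable_death(print_not_auth(24));
}
// calculate path for cookie
if (empty($PHP_SELF)) {
  $PHP_SELF = $_SERVER['PHP_SELF'];
}
$cookie_path = str_replace('nulogin.php', '', $PHP_SELF);
// echo "Cookie path: $cookie_path\n";
// get_magic_quotes_gpc() was removed in PHP 8; only consult it where it exists.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
  $login = stripslashes($login);
}
$login = trim($login);
// Reject logins containing any character addslashes() would escape
// (quotes, backslash, NUL).  The login is HTML-escaped before being echoed.
if ($login != addslashes($login)) {
  die_miserable_death(translate('Illegal characters in login') . ' <tt>' . htmlentities($login) . '</tt>.');
}
// Allow proper login using NUC name
$encoded_login = encode_string($login . '|nonuser');
// set login to expire in 365 days (session cookie when "remember" is not 'yes')
SetCookie('webcalendar_session', $encoded_login, !empty($remember) && $remember == 'yes' ? 86400 * 365 + time() : 0, $cookie_path);
do_redirect($url);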
} $approve_total = $edit_total = $view_total = 0; for ($i = 1; $i <= 256;) { $approve_total += getPostValue('a_' . $i); $edit_total += getPostValue('e_' . $i); $view_total += getPostValue('v_' . $i); $i += $i; } $email = getPostValue('email'); $invite = getPostValue('invite'); $time = getPostValue('time'); if (!dbi_execute('INSERT INTO webcal_access_user ( cal_login, cal_other_user, cal_can_view, cal_can_edit, cal_can_approve, cal_can_invite, cal_can_email, cal_see_time_only ) VALUES ( ?, ?, ?, ?, ?, ?, ?, ? )', array($puser, $pouser, $view_total > 0 ? $view_total : 0, $edit_total > 0 && $puser != '__public__' ? $edit_total : 0, $approve_total > 0 && $puser != '__public__' ? $approve_total : 0, strlen($invite) ? $invite : 'N', strlen($email) ? $email : 'N', strlen($time) ? $time : 'N'))) { die_miserable_death(str_replace('XXX', dbi_error(), $dbErrStr)); } $saved = true; } } $checked = ' checked="checked"'; $guser = getPostValue('guser'); $selected = ' selected="selected"'; //if ( $guser == '__default__' ) { // $otheruser = $guser; // $user_fullname = $defConfigStr; //} else $otheruser = getPostValue('otheruser'); if ($otheruser == '__default__') { $otheruser_fullname = $defConfigStr; $otheruser_login = '******';
// If we are in single user mode, make sure that the login selected is // a valid login. if ($single_user == 'Y') { if (empty($single_user_login)) { die_miserable_death("You have not defined <tt>single_user_login</tt> in " . "<tt>includes/settings.php</tt>"); } $res = dbi_query("SELECT COUNT(*) FROM webcal_user " . "WHERE cal_login = '******'"); if (!$res) { echo "Database error: " . dbi_error(); exit; } $row = dbi_fetch_row($res); if ($row[0] == 0) { // User specified as single_user_login does not exist if (!dbi_query("INSERT INTO webcal_user ( cal_login, " . "cal_passwd, cal_is_admin ) VALUES ( '{$single_user_login}', " . "'" . md5($single_user_login) . "', 'Y' )")) { die_miserable_death("User <tt>{$single_user_login}</tt> does not " . "exist in <tt>webcal_user</tt> table and was not able to add " . "it for you:<br /><blockquote>" . dbi_error() . "</blockquote>"); } // User was added... should we tell them? } dbi_free_result($res); } // global settings have not been loaded yet, so check for public_access now $res = dbi_query("SELECT cal_value FROM webcal_config " . "WHERE cal_setting = 'public_access'"); $pub_acc_enabled = false; if ($res) { if ($row = dbi_fetch_row($res)) { if ($row[0] == "Y") { $pub_acc_enabled = true; } } dbi_free_result($res);
// Load user preferences (to get the DISPLAY_UNAPPROVED and // FREEBUSY_ENABLED pref for this user). $login = $user; load_user_preferences(); $WebCalendar->setLanguage(); // Load user name, etc. user_load_variables($user, 'publish_'); if (empty($FREEBUSY_ENABLED) || $FREEBUSY_ENABLED != 'Y') { header('Content-Type: text/plain'); echo 'user='******'No user specified.'); if (empty($user)) { die_miserable_death($no_user); } $get_unapproved = false; $datem = date('m'); $dateY = date('Y'); // Start date is beginning of this month. $startdate = mktime(0, 0, 0, $datem, 0, $dateY); // End date is one year from now. // Seems kind of arbitrary, eh? $enddate = mktime(0, 0, 0, $datem, 1, $dateY + 1); /* Pre-Load the repeated events for quicker access. */ $repeated_events = read_repeated_events($user, $startdate, $enddate, ''); /* Pre-load the non-repeating events for quicker access. */ $events = read_events($user, $startdate, $enddate); // Loop from start date until we reach end date... $event_text = '';
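/**
 * Sends the HTTP headers for a file download: a generic octet-stream
 * Content-Type (the $mime parameter is accepted but not sent — see the
 * commented line), a Content-Disposition attachment naming $file, and
 * no-cache headers.
 *
 * @param string $mime MIME type; currently unused
 * @param string $file file name placed in the Content-Disposition header;
 *                     assumed to be built by this script rather than taken
 *                     from the request, since it is not escaped here
 */
function transmit_header($mime, $file) {
  header("Content-Type: application/octet-stream");
  //header ( "Content-Type: $mime" );
  header('Content-Disposition: attachment; filename="' . $file . '"');
  header('Pragma: no-cache');
  header('Cache-Control: no-cache');
} //end function

/*******************************************/
/*** Let's go ***/
/*******************************************/

$id = getIntValue('id', true);
$format = getValue('format');
// Only the four known export formats are accepted.  The rejected value is
// request-controlled, so escape it before echoing it into the error page
// (the sibling export script already does this).
if ($format != 'ical' && $format != 'vcal' && $format != 'pilot-csv' && $format != 'pilot-text') {
  die_miserable_death("Invalid format '" . htmlspecialchars($format) . "'");
}
// Checkbox flags are normalised to 'y' or ''.
$use_all_dates = getPostValue('use_all_dates');
if ($use_all_dates != 'y') {
  $use_all_dates = '';
}
$include_layers = getPostValue('include_layers');
if ($include_layers != 'y') {
  $include_layers = '';
}
// Date range bounds; the second argument is presumably the fatal flag as in
// getValue() — confirm against getIntValue().
$fromyear = getIntValue('fromyear', true);
$frommonth = getIntValue('frommonth', true);
$fromday = getIntValue('fromday', true);
$endyear = getIntValue('endyear', true);
$endmonth = getIntValue('endmonth', true);
$endday = getIntValue('endday', true);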
/**
 * Opens the LDAP connection held in the global $ds and binds to it.
 *
 * Connects to $ldap_server:$ldap_port; sets LDAP_OPT_PROTOCOL_VERSION to
 * $ldap_version when $set_ldap_version or $ldap_start_tls is on; starts TLS
 * when $ldap_start_tls is on.  Binds as $ldap_admin_dn/$ldap_admin_pwd when a
 * DN is configured, otherwise performs an anonymous (credential-less) bind.
 *
 * @return bool the ldap_bind() result on success, false otherwise with the
 *              reason stored in the global $error
 * Calls die_miserable_death() when the ldap extension is not loaded.
 */
function connect_and_bind() {
  global $ds, $error, $ldap_server, $ldap_port, $ldap_version;
  global $ldap_admin_dn, $ldap_admin_pwd, $ldap_start_tls, $set_ldap_version;

  if (!function_exists('ldap_connect')) {
    die_miserable_death('Your installation of PHP does not support LDAP');
  }

  $ds = @ldap_connect($ldap_server, $ldap_port);
  if (!$ds) {
    $error = 'Error connecting to LDAP server';
    return false;
  }

  if ($set_ldap_version || $ldap_start_tls) {
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, $ldap_version);
  }
  if ($ldap_start_tls && !ldap_start_tls($ds)) {
    $error = 'Could not start TLS for LDAP connection';
    return false;
  }

  // An empty admin DN means an anonymous bind.
  $bound = ($ldap_admin_dn != '')
    ? @ldap_bind($ds, $ldap_admin_dn, $ldap_admin_pwd)
    : @ldap_bind($ds);
  if (!$bound) {
    $error = 'Invalid Admin login for LDAP Server';
    return false;
  }
  return $bound;
}
/**
 * Returns the translated, human-readable name of a UAC function id.
 *
 * @param int $function one of the ACCESS_* constants
 * @return string the translated description
 * Aborts via die_miserable_death() for any id not listed below.
 */
function access_get_function_description($function) {
  // switch compares loosely (==), so a numeric string id also matches.
  switch ($function) {
    case ACCESS_ACCESS_MANAGEMENT:
      return translate('User Access Control');
    case ACCESS_ACCOUNT_INFO:
      return translate('Account');
    case ACCESS_ACTIVITY_LOG:
      return translate('Activity Log');
    case ACCESS_SECURITY_AUDIT:
      return translate('Security Audit');
    case ACCESS_ADMIN_HOME:
      return translate('Administrative Tools');
    case ACCESS_ADVANCED_SEARCH:
      return translate('Advanced Search');
    case ACCESS_ANOTHER_CALENDAR:
      return translate('Another Users Calendar');
    case ACCESS_ASSISTANTS:
      return translate('Assistants');
    case ACCESS_CATEGORY_MANAGEMENT:
      return translate('Category Management');
    case ACCESS_DAY:
      return translate('Day View');
    case ACCESS_EVENT_EDIT:
      return translate('Edit Event');
    case ACCESS_EVENT_VIEW:
      return translate('View Event');
    case ACCESS_EXPORT:
      return translate('Export');
    case ACCESS_HELP:
      return translate('Help');
    case ACCESS_IMPORT:
      return translate('Import');
    case ACCESS_LAYERS:
      return translate('Layers');
    case ACCESS_MONTH:
      return translate('Month View');
    case ACCESS_PREFERENCES:
      return translate('Preferences');
    case ACCESS_PUBLISH:
      return translate('Subscribe/Publish');
    case ACCESS_REPORT:
      return translate('Reports');
    case ACCESS_SEARCH:
      return translate('Search');
    case ACCESS_SYSTEM_SETTINGS:
      return translate('System Settings');
    case ACCESS_TRAILER:
      return translate('Common Trailer');
    case ACCESS_USER_MANAGEMENT:
      return translate('User Management');
    case ACCESS_VIEW:
      return translate('Views');
    case ACCESS_VIEW_MANAGEMENT:
      return translate('Manage Views');
    case ACCESS_WEEK:
      return translate('Week View');
    case ACCESS_YEAR:
      return translate('Year View');
    default:
      // Unknown id: the raw value is appended to the message.
      die_miserable_death(translate('Invalid function id') . ': ' . $function);
  }
}
if ($single_user == "Y") { // No login for single-user mode do_redirect("index.php"); } else { if ($use_http_auth) { // There is no login page when using HTTP authorization do_redirect("index.php"); } else { if (!empty($login) && !empty($password)) { if (get_magic_quotes_gpc()) { $password = stripslashes($password); $login = stripslashes($login); } $login = trim($login); if ($login != addslashes($login)) { die_miserable_death("Illegal characters in login " . "<tt>" . htmlentities($login) . "</tt>"); } if (user_valid_login($login, $password)) { user_load_variables($login, ""); // set login to expire in 365 days srand((double) microtime() * 1000000); $salt = chr(rand(ord('A'), ord('z'))) . chr(rand(ord('A'), ord('z'))); $encoded_login = encode_string($login . "|" . crypt($password, $salt)); if (!empty($settings['session']) && ($settings['session'] = 'php')) { $_SESSION['webcalendar_session'] = $encoded_login; } else { if (!empty($remember) && $remember == "yes") { SetCookie("webcalendar_session", $encoded_login, time() + 24 * 3600 * 365, $cookie_path); } else { SetCookie("webcalendar_session", $encoded_login, 0, $cookie_path); }
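/**
 * Saves user preferences (or, when the global $prad is set, system settings)
 * from an array of key => value pairs.
 *
 * @param array  $prefs settings to store; with $src == 'post' the keys carry a
 *                      "pref_" (or "admin_" when $prad) prefix that is
 *                      validated and stripped, otherwise keys are bare names
 * @param string $src   'post' when $prefs came straight from the request form
 *
 * Globals: reads $prad (admin mode) and, in user mode, $prefuser (the login
 * whose preferences are written); writes $error on a failed statement and
 * $my_theme when THEME changes.  Every SQL value is bound as a parameter.
 * Reloads global settings and user preferences before returning.
 * Calls die_miserable_death() for a posted key that fails validation.
 */
function save_pref($prefs, $src) {
  global $error, $my_theme, $prad;
  if (!$prad) {
    global $prefuser;
  }
  $pos = $prad ? 6 : 5;
  // each() was removed in PHP 8; foreach visits the same pairs in the same order.
  foreach ($prefs as $key => $value) {
    if ($src == 'post') {
      $prefix = substr($key, 0, $pos);
      $setting = substr($key, $pos);
      if ((!$prad && $prefix != 'pref_') || ($prad && $key == 'currenttab')) {
        continue;
      }
      // Validate key name: "pref_" (user) or "admin_" (admin) followed only by
      // [A-Za-z0-9_], now anchored at both ends (D keeps "$" from accepting a
      // trailing newline).
      $keyPattern = $prad ? '/^admin_[A-Za-z0-9_]+$/D' : '/^pref_[A-Za-z0-9_]+$/D';
      if (!preg_match($keyPattern, $key)) {
        die_miserable_death(str_replace('XXX', $key, translate('Invalid setting name XXX.')));
      }
    } else {
      $prefix = $prad ? 'admin_' : 'pref_';
      $setting = $key;
    }
    // Parenthesised: the setting name must be non-empty for BOTH prefixes
    // (the old "a && b || c" let an empty admin_ setting reach the database).
    if (strlen($setting) > 0 && ($prefix == 'pref_' || $prefix == 'admin_')) {
      if ($setting == 'THEME' && $value != 'none') {
        $my_theme = strtolower($value);
      }
      if ($prad) {
        $setting = strtoupper($setting);
        $sql = 'DELETE FROM webcal_config WHERE cal_setting = ?';
        if (!dbi_execute($sql, array($setting))) {
          $error = db_error(false, $sql);
          break;
        }
        if (strlen($value) > 0) {
          $sql = 'INSERT INTO webcal_config ( cal_setting, cal_value ) VALUES ( ?, ? )';
          if (!dbi_execute($sql, array($setting, $value))) {
            $error = db_error(false, $sql);
            break;
          }
        }
      } else {
        // NOTE(review): the DELETE uses the setting name as given while the
        // INSERT below uppercases it — confirm stored names are always uppercase.
        dbi_execute('DELETE FROM webcal_user_pref WHERE cal_login = ? AND cal_setting = ?', array($prefuser, $setting));
        if (strlen($value) > 0) {
          $setting = strtoupper($setting);
          $sql = 'INSERT INTO webcal_user_pref ( cal_login, cal_setting, cal_value ) VALUES ( ?, ?, ? )';
          if (!dbi_execute($sql, array($prefuser, $setting, $value))) {
            $error = 'Unable to update preference: ' . dbi_error() . '<br /><br /><span class="bold">SQL:</span>' . $sql;
            break;
          }
        }
      }
    }
  }
  // Reload preferences so any CSS changes will take effect.
  load_global_settings();
  load_user_preferences();
}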
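/**
 * Reads settings.php, populates the configuration globals, and verifies
 * that the database schema matches this program version.
 *
 * The settings file is located by trying, in order: $fileLoc, the
 * __WC_INCLUDEDIR constant, and get_full_include_path(). Its "name: value"
 * lines are parsed into the global $settings array. If the file or the db
 * settings are missing, or the stored WEBCAL_PROGRAM_VERSION differs from
 * $PROGRAM_VERSION, the browser is redirected to install/index.php and the
 * script exits.
 *
 * @param string $fileLoc path of the settings file to try first
 *
 * Fix: the third lookup called get_full_include_path() but then reopened
 * $fileLoc (which had already failed) instead of the resolved path, so that
 * fallback never worked.
 */
function do_config($fileLoc) {
    global $db_database, $db_host, $db_login, $db_password, $db_persistent, $db_type, $NONUSER_PREFIX, $phpdbiVerbose, $PROGRAM_DATE, $PROGRAM_NAME, $PROGRAM_URL, $PROGRAM_VERSION, $readonly, $run_mode, $settings, $single_user, $single_user_login, $TROUBLE_URL, $use_http_auth, $user_inc;
    $PROGRAM_VERSION = 'v1.2.7';
    $PROGRAM_DATE = '22 Feb 2013';
    $PROGRAM_NAME = 'WebCalendar ' . "{$PROGRAM_VERSION} ({$PROGRAM_DATE})";
    $PROGRAM_URL = 'http://www.k5n.us/webcalendar.php';
    $TROUBLE_URL = 'docs/WebCalendar-SysAdmin.html#trouble';
    // Spellings accepted as "true" for boolean settings.
    $onRegex = '/(1|yes|true|on)/i';

    // Open settings file to read.
    $settings = array();
    $fd = false;
    if (file_exists($fileLoc)) {
        $fd = @fopen($fileLoc, 'rb', true);
    }
    if (empty($fd) && defined('__WC_INCLUDEDIR')) {
        $fd = @fopen(__WC_INCLUDEDIR . '/settings.php', 'rb', true);
        if ($fd) {
            $fileLoc = __WC_INCLUDEDIR . '/settings.php';
        }
    }
    // If still empty.... use __FILE__.
    if (empty($fd)) {
        $testName = get_full_include_path("settings.php");
        // Open the resolved path, not the $fileLoc that already failed.
        $fd = @fopen($testName, 'rb', true);
        if ($fd) {
            $fileLoc = $testName;
        }
    }
    if (empty($fd) || filesize($fileLoc) == 0) {
        // There is no settings.php file.
        // Redirect user to install page if it exists.
        if (file_exists('install/index.php')) {
            header('Location: install/index.php');
            exit;
        } else {
            die_miserable_death(translate('Could not find settings.php file...'));
        }
    }
    // We don't use fgets () line-by-line since it seems to have problems with
    // Mac-formatted text files. Instead, we read in the entire file, and split
    // the lines manually.
    $data = '';
    while (!feof($fd)) {
        $data .= fgets($fd, 4096);
    }
    fclose($fd);
    // Replace any combination of carriage return (\r) and new line (\n)
    // with a single new line.
    $data = preg_replace("/[\r\n]+/", "\n", $data);
    // Split the data into lines.
    $configLines = explode("\n", $data);
    for ($n = 0, $cnt = count($configLines); $n < $cnt; $n++) {
        $buffer = trim($configLines[$n], "\r\n ");
        // Skip comment lines and the PHP open/close tags that wrap the file.
        if (preg_match('/^#|\\/\\*/', $buffer) || preg_match('/^<\\?/', $buffer) || preg_match('/^\\?>/', $buffer)) {
            continue;
        }
        // "name: value" -- note the value is a single non-space run, so a
        // value containing spaces is truncated at the first space.
        if (preg_match('/(\\S+):\\s*(\\S+)/', $buffer, $matches)) {
            $settings[$matches[1]] = $matches[2];
        }
    }
    $configLines = $data = '';

    // Read optional keys through a default-filled copy so missing entries do
    // not raise notices; $settings itself keeps exactly what was parsed.
    $cfg = $settings + array(
        'db_database' => '', 'db_host' => '', 'db_login' => '', 'db_password' => '',
        'db_persistent' => '', 'db_type' => '', 'readonly' => '', 'single_user' => '',
        'single_user_login' => '', 'use_http_auth' => '', 'user_inc' => '',
    );
    // Extract db settings into global vars.
    $db_database = $cfg['db_database'];
    $db_host = $cfg['db_host'];
    $db_login = $cfg['db_login'];
    $db_password = $cfg['db_password'];
    $db_persistent = preg_match($onRegex, $cfg['db_persistent']) ? '1' : '0';
    $db_type = $cfg['db_type'];
    // If no db settings, then user has likely started install but not yet
    // completed. So, send them back to the install script.
    if (empty($db_type)) {
        if (file_exists('install/index.php')) {
            header('Location: install/index.php');
            exit;
        } else {
            die_miserable_death(translate('Incomplete settings.php file...'));
        }
    }
    // Use 'db_cachedir' if found, otherwise look for 'cachedir'.
    if (!empty($settings['db_cachedir'])) {
        dbi_init_cache($settings['db_cachedir']);
    } elseif (!empty($settings['cachedir'])) {
        dbi_init_cache($settings['cachedir']);
    }
    if (!empty($settings['db_debug']) && preg_match('/(1|true|yes|enable|on)/i', $settings['db_debug'])) {
        dbi_set_debug(true);
    }
    foreach (array('db_type', 'db_host', 'db_login', 'db_password') as $s) {
        if (empty($settings[$s])) {
            die_miserable_death(str_replace('XXX', $s, translate('Could not find XXX defined in...')));
        }
    }
    // Allow special settings of 'none' in some settings[] values.
    // This can be used for db servers not using TCP port for connection.
    $db_host = $db_host == 'none' ? '' : $db_host;
    $db_password = $db_password == 'none' ? '' : $db_password;
    $readonly = preg_match($onRegex, $cfg['readonly']) ? 'Y' : 'N';
    if (empty($settings['mode'])) {
        $settings['mode'] = 'prod';
    }
    $run_mode = preg_match('/(dev)/i', $settings['mode']) ? 'dev' : 'prod';
    $phpdbiVerbose = $run_mode == 'dev';
    $single_user = preg_match($onRegex, $cfg['single_user']) ? 'Y' : 'N';
    if ($single_user == 'Y') {
        $single_user_login = $cfg['single_user_login'];
    }
    if ($single_user == 'Y' && empty($single_user_login)) {
        die_miserable_death(str_replace('XXX', 'single_user_login', translate('You must define XXX in')));
    }
    $use_http_auth = preg_match($onRegex, $cfg['use_http_auth']) ? true : false;
    // Type of user authentication.
    $user_inc = $cfg['user_inc'];
    // If sqlite, the db file is in the include directory
    if ($db_type == 'sqlite') {
        $db_database = get_full_include_path($db_database);
    }

    // Check the current installation version.
    // Redirect user to install page if it is different from stored value.
    // This will prevent running WebCalendar until UPGRADING.html has been
    // read and required upgrade actions completed.
    $c = @dbi_connect($db_host, $db_login, $db_password, $db_database, false);
    if (!$c) {
        // Must mean we don't have a settings.php file.
        // NOTE: if we get a connect error when running send_reminders.php,
        // we may want to show that error message here.
        // & does not work here...leave it as &.
        header('Location: install/index.php?action=mismatch&version=UNKNOWN');
        exit;
    }
    $rows = dbi_get_cached_rows('SELECT cal_value FROM webcal_config WHERE cal_setting = \'WEBCAL_PROGRAM_VERSION\'');
    if (!$rows) {
        // & does not work here...leave it as &.
        header('Location: install/index.php?action=mismatch&version=UNKNOWN');
        exit;
    }
    $row = $rows[0];
    if (empty($row) || $row[0] != $PROGRAM_VERSION) {
        // & does not work here...leave it as &.
        header('Location: install/index.php?action=mismatch&version=' . (empty($row) ? 'UNKNOWN' : $row[0]));
        exit;
    }
    dbi_close($c);

    // We can add extra 'nonuser' calendars such as a holiday, corporate,
    // departmental, etc. We need a unique prefix for these calendars
    // so we don't get them mixed up with real logins. This prefix should be
    // a maximum of 5 characters and should NOT change once set!
    $NONUSER_PREFIX = '_NUC_';
    if ($single_user != 'Y') {
        $single_user_login = '';
    }
}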
// Login form handler (fragment; the enclosing control structures close
// beyond this excerpt). Single-user and HTTP-auth deployments never show a
// login page; otherwise the posted credentials are validated and an encoded
// login token is stored in a cookie.
if ($single_user == 'Y') {
    // No login for single-user mode
    do_redirect('index.php');
} else {
    if ($use_http_auth) {
        // There is no login page when using HTTP authorization
        do_redirect('index.php');
    } else {
        if (!empty($login) && !empty($password) && !$logout) {
            // Undo magic_quotes escaping before the values are checked or used.
            if (get_magic_quotes_gpc()) {
                $password = stripslashes($password);
                $login = stripslashes($login);
            }
            $login = trim($login);
            // Reject logins containing characters addslashes() would escape
            // (quotes, backslash, NUL). The login is HTML-escaped before echo.
            if ($login != addslashes($login)) {
                die_miserable_death('Illegal characters in login ' . '<tt>' . htmlentities($login) . '</tt>');
            }
            if (user_valid_login($login, $password)) {
                user_load_variables($login, '');
                // NOTE(review): crypt() is called without a salt here, so the
                // hash scheme depends on the PHP/platform default, and the result
                // (a password-derived value) is placed in a cookie that can live
                // for a year. What encode_string() does is not visible in this
                // excerpt; a random server-side session identifier would avoid
                // carrying password material in the browser at all.
                $encoded_login = encode_string($login . '|' . crypt($password));
                // set login to expire in 365 days
                if (!empty($remember) && $remember == 'yes') {
                    // Persistent cookie, one year.
                    SetCookie('webcalendar_session', $encoded_login, time() + 24 * 3600 * 365, $cookie_path);
                } else {
                    // Browser-session cookie (expire = 0).
                    SetCookie('webcalendar_session', $encoded_login, 0, $cookie_path);
                }
                // The cookie "webcalendar_login" is provided as a convenience to
                // other apps that may wish to find out what the last calendar
                // login was, so they can use week_ssi.php as a server-side include.
                // As such, it's not a security risk to have it un-encoded since it
                // is not used to allow logins within this app. It is used to
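/**
 * Gets the value resulting from either HTTP GET method or HTTP POST method.
 *
 * <b>Note:</b> The return value will be affected by the value of
 * <var>magic_quotes_gpc</var> in the php.ini file.
 *
 * <b>Note:</b> If you need to get an integer value, you can use the
 * getIntValue function.
 *
 * @param string $name   Name used in the HTML form or found in the URL
 * @param string $format A regular expression (without delimiters, and not
 *                       containing an unescaped "/") that the whole input
 *                       must match. If the input does not match, an empty
 *                       string is returned. If the <var>$fatal</var>
 *                       parameter is true, then execution will also stop
 *                       when the input does not match the format.
 * @param bool   $fatal  Is it considered a fatal error requiring execution to
 *                       stop if the value retrieved does not match the format
 *                       regular expression?
 *
 * @return string The value used in the HTML form (or URL), or "" when absent
 *                or rejected by <var>$format</var>
 *
 * @uses getGetValue
 * @uses getPostValue
 */
function getValue($name, $format = "", $fatal = false) {
    // POST takes precedence over GET.
    $val = getPostValue($name);
    if (!isset($val)) {
        $val = getGetValue($name);
    }
    // for older PHP versions (register_globals)...
    if (!isset($val) && get_magic_quotes_gpc() == 1 && !empty($GLOBALS[$name])) {
        $val = $GLOBALS[$name];
    }
    if (!isset($val)) {
        return "";
    }
    // Anchor the whole value. The D modifier makes "$" match only at the very
    // end of the string; without it PCRE also accepts a trailing newline, so
    // a value like "abc\n" would pass a format of "[a-z]+". A malformed
    // $format makes preg_match() return false, which is treated as no match.
    if (!empty($format) && !preg_match("/^" . $format . "\$/D", $val)) {
        // does not match
        if ($fatal) {
            die_miserable_death("Fatal Error: Invalid data format for {$name}");
        }
        // ignore value
        return "";
    }
    return $val;
}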
// translate("Holo (Taiwanese)")
// translate("Hungarian")
// translate("Icelandic")
// translate("Italian")
// translate("Japanese")
// translate("Korean")
// translate("Norwegian")
// translate("Polish")
// translate("Portuguese")
// translate("Portuguese/Brazil")
// translate("Romanian")
// translate("Russian")
// translate("Spanish")
// translate("Swedish")
// translate("Turkish")
// translate("Welsh")

// A fixed login name only makes sense in single-user mode.
if ($single_user != "Y") {
    $single_user_login = "";
}

// This app requires magic_quotes_gpc; refuse to run without it and tell the
// admin which php.ini is in use (scraped from phpinfo() output).
// NOTE(review): the php.ini path is echoed into the error page, so it
// discloses a server filesystem path to whoever triggers this; and since
// magic quotes no longer exist on PHP 5.4+, this check fails there always.
if (!get_magic_quotes_gpc()) {
    ob_start();
    phpinfo();
    $phpInfoHtml = ob_get_clean();
    $iniHint = '';
    if (preg_match("/>([^<>]*php.ini)</", $phpInfoHtml, $iniMatch)) {
        $iniHint = "Please edit the following file and restart your server:<br /><br />\n<blockquote>\n<tt>" . $iniMatch[1] . "</tt>\n</blockquote>\n";
    }
    die_miserable_death("You must reconfigure your <tt>php.ini</tt> file to have <span style=\"font-weight:bold;\">magic_quotes_gpc</span> set  to <span style=\"font-weight:bold;\">ON</span>.<br /><br />\n" . $iniHint);
}
$error = print_not_auth(21);
}
// Optionally let the request choose which user's calendar to show. The value
// is restricted by getValue()'s format pattern and is fatal on mismatch.
if ($allow_user_override) {
    $u = getValue('user', '[A-Za-z0-9_\\.=@,\\-]+', true);
    if (!empty($u)) {
        $login = $user = $u;
    }
    // We also set $login since some functions assume that it is set.
}
load_user_preferences();
user_load_variables($login, 'minical_');
// NOTE(review): the prefix passed here is 'minica_' while the user prefix
// above and the variable tested below are 'minical_'. This looks like a typo:
// the public check below would then read the user_load_variables() result
// rather than the nonuser one -- confirm against nonuser_load_variables().
if ($user != '__public__' && !nonuser_load_variables($login, 'minica_')) {
    die_miserable_death(str_replace('XXX', $login, translate('No such nonuser calendar XXX.')));
}
// Only calendars explicitly marked public may be shown to the caller.
if ($user != '__public__' && (empty($minical_is_public) || $minical_is_public != 'Y')) {
    die_miserable_death(translate('This Calendar is not Public.'));
}
// Navigation targets: the first day of the next and of the previous month.
$next = mktime(0, 0, 0, $thismonth + 1, 1, $thisyear);
$nextmonth = date('m', $next);
$nextyear = date('Y', $next);
$prev = mktime(0, 0, 0, $thismonth - 1, 1, $thisyear);
$prevmonth = date('m', $prev);
$prevyear = date('Y', $prev);
$boldDays = true;
// Event window. Day 0 of $thismonth is the last day of the previous month;
// day 0 of the following month is the last day of $thismonth.
$startdate = mktime(0, 0, 0, $thismonth, 0, $thisyear);
$enddate = mktime(23, 59, 59, $thismonth + 1, 0, $thisyear);
// Don't display custom header.
print_header('', generate_refresh_meta(), '', true);
/* Pre-Load the repeated events for quicker access. */
$repeated_events = read_repeated_events($user, $startdate, $enddate, $cat_id);
/* Pre-load the non-repeating events for quicker access. */