示例#1
0
            // Fill albums array
            $albums[] = $file;
        }
    }
    closedir($handle);
    sort($albums, SORT_STRING);
    // to make sure $count[] array is in sync with the $albums[] array, we need to perform this extra round AFTER the sort() operation.
    foreach ($albums as $key => $file) {
        // Count files in album
        $images = fileList(BASE_PATH . '/media/albums/' . $file);
        $count[$key] = count($images);
    }
}
$album = getGETparam4Filename('album');
$album_path = in_array($album, $albums) ? BASE_PATH . '/media/albums/' . $album : null;
$page_id = getGETparam4IdOrNumber('page_id');
$preview_checkcode = GenerateNewPreviewCode($page_id);
$tinyMCE_required = false;
$textarea4descr_id = str2variablename('lightbox_' . $page_id . (!empty($album) ? '_' . $album : ''));
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
	<meta http-equiv="Content-type" content="text/html; charset=utf-8" />
	<title>Lightbox module</title>
	<link rel="stylesheet" type="text/css" href="../../../admin/img/styles/base.css,liquid.css,layout.css,sprite.css,last_minute_fixes.css" />
	<link rel="stylesheet" type="text/css" href="modLightbox.css" />
	<!--[if IE]>
		<link rel="stylesheet" type="text/css" href="../../../admin/img/styles/ie.css" />
	<![endif]-->
</head>
    define('CCMS_PERFORM_MINIMAL_INIT', true);
}
// Define default location
if (!defined('BASE_PATH')) {
    $base = str_replace('\\', '/', dirname(dirname(dirname(dirname(dirname(__FILE__))))));
    define('BASE_PATH', $base);
}
// Include general configuration
/*MARKER*/
require_once BASE_PATH . '/lib/sitemap.php';
// security check done ASAP
if (!checkAuth() || empty($_SESSION['rc1']) || empty($_SESSION['rc2'])) {
    die("No external access to file");
}
$do = getGETparam4IdOrNumber('do');
$status = getGETparam4IdOrNumber('status');
$status_message = getGETparam4DisplayHTML('msg');
// Set the default template
$dir_temp = BASE_PATH . "/lib/templates/";
$get_temp = getGETparam4FullFilePath('template', $template[0] . '.tpl.html');
$chstatus = is_writable_ex($dir_temp . $get_temp);
// @dev: to test the error feedback on read-only on Win+UNIX: add '|| 1' here.
// Check for filename
if (!empty($get_temp)) {
    if (@fopen($dir_temp . $get_temp, 'r')) {
        $handle = fopen($dir_temp . $get_temp, 'r');
        // PHP5+ Feature
        $contents = stream_get_contents($handle);
        if (0) {
            // PHP4 Compatibility
            $flen = filesize($dir_temp . $get_temp);
示例#3
0
> Contact me for any inquiries.
> E: Xander@CompactCMS.nl
> W: http://community.CompactCMS.nl/forum
************************************************************ */
/* make sure no-one can run anything here if they didn't arrive through 'proper channels' */
if (!defined("COMPACTCMS_CODE")) {
    die('Illegal entry point!');
}
/*MARKER*/
// Load news preferences
//$pageID   = getGETparam4Filename('page');
$page_id = $ccms['page_id'];
$page_name = $ccms['page_name'];
$do = getGETparam4IdOrNumber('do');
$id = getGETparam4IdOrNumber('id');
$is_printing = $ccms['printing'] == 'Y';
if (!empty($page_id)) {
    $rsCfg = $db->SelectSingleRow($cfg['db_prefix'] . 'cfgnews', array('page_id' => MySQL::SQLValue($page_id, MySQL::SQLVALUE_NUMBER)));
    if ($db->ErrorNumber() != 0) {
        $db->Kill();
    }
}
$locale = $rsCfg ? $rsCfg->showLocale : $cfg['locale'];
// no need to check whether the given page is a news page; if it isn't we wouldn't have arrived here...
// Set front-end language
SetUpLanguageAndLocale($locale);
// Do actions for overview
$newsrows = false;
if (empty($id)) {
    $newsID = false;
示例#4
0
$type = getGETparam4IdOrNumber('type');
switch ($type) {
    case 'css':
        $http_base = path_remove_dot_segments($cssdir);
        $base = str_replace('\\', '/', cvt_abs_http_path2realpath($http_base, $cfg['rootdir'], BASE_PATH));
        break;
    case 'javascript':
        $http_base = path_remove_dot_segments($jsdir);
        $base = str_replace('\\', '/', cvt_abs_http_path2realpath($http_base, $cfg['rootdir'], BASE_PATH));
        break;
    default:
        send_response_status_header(503);
        // Not Implemented
        exit;
}
$extra_JS_callback = getGETparam4IdOrNumber('cb');
$only_when_expression = trim(getGETparam4MathExpression('only-when', ''));
/*MARKER*/
require_once BASE_PATH . '/lib/includes/browscap/browscap/Browscap.php';
$client_browser = new Browscap(BASE_PATH . '/lib/includes/cache');
$client_browser->localFile = BASE_PATH . '/lib/includes/browscap-data/php_browscap.ini';
$client_browser = $client_browser->getBrowser();
/*
 * we would have liked to calculate the version 'float' value from the ["MajorVer"] and ["MinorVer"] entries,
 * but then we'd be screwed when you got versions like '3.01' which would be encoded as 3 and 1.
 *
 * On the other hand we cannot assume the ["Version"] entry has just a single point. After all, there's nothing
 * stopping the format from speccing for example '3.01.2750' and again we'ld be screwed if we casted such an
 * entry to float without watching out. So we do it the hard way and pick ["Version"] and strip off anything
 * past the second '.' dot in there.
 */
if (!defined('CCMS_PERFORM_MINIMAL_INIT')) {
    define('CCMS_PERFORM_MINIMAL_INIT', true);
}
// Define default location
if (!defined('BASE_PATH')) {
    $base = str_replace('\\', '/', dirname(dirname(dirname(dirname(dirname(__FILE__))))));
    define('BASE_PATH', $base);
}
// Include general configuration
/*MARKER*/
require_once BASE_PATH . '/lib/sitemap.php';
// security check done ASAP
if (!checkAuth() || empty($_SESSION['rc1']) || empty($_SESSION['rc2'])) {
    die("No external access to file");
}
$do = getGETparam4IdOrNumber('do');
$btn_backup = getPOSTparam4IdOrNumber('btn_backup');
if ($do == 'backup' && $btn_backup == 'dobackup') {
    // Include back-up functions
    /*MARKER*/
    require_once './functions.php';
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
	<meta http-equiv="Content-type" content="text/html; charset=utf-8" />
	<title>Back-up &amp; Restore module</title>
	<link rel="stylesheet" type="text/css" href="../../../../admin/img/styles/base.css,liquid.css,layout.css,sprite.css,last_minute_fixes.css" />
	<!--[if IE]>
		<link rel="stylesheet" type="text/css" href="../../../../admin/img/styles/ie.css" />
// Include general configuration
/*MARKER*/
require_once BASE_PATH . '/lib/sitemap.php';
class FbX extends CcmsAjaxFbException
{
}
// nasty way to do 'shorthand in PHP -- I do miss my #define macros! :'-|
// Some security functions
/* make darn sure only authenticated users can get past this point in the code */
if (empty($_SESSION['ccms_userID']) || empty($_SESSION['ccms_userName']) || !checkAuth()) {
    // this situation should've caught inside sitemap.php-->security.inc.php above! This is just a safety measure here.
    die_with_forged_failure_msg(__FILE__, __LINE__);
    // $ccms['lang']['auth']['featnotallowed']
}
// Prevent PHP warning by setting default (null) values
$do_action = getGETparam4IdOrNumber('action');
/**
 *
 * Create a new user as posted by an authorized user
 *
 */
if ($do_action == 'add-user' && $_SERVER['REQUEST_METHOD'] == 'POST' && checkAuth()) {
    FbX::SetFeedbackLocation('user-management.Manage.php');
    try {
        // Only if current user has the rights
        if ($perm->is_level_okay('manageUsers', $_SESSION['ccms_userLevel'])) {
            //$i=count(array_filter($_POST));
            //if($i <= 6) error
            if (empty($_POST['userPass'])) {
                throw new FbX($ccms['lang']['system']['error_tooshort']);
            }
示例#7
0
            $r = trim($t, '_.');
            echo "\nORIG: [" . htmlentities($t) . "]\nRES:  [" . htmlentities($r) . "]\n";
        }
    }
    // fake a POST submit through a GET request so we can easily diag/debug event requests:
    if (!isset($_POST)) {
        $_POST = array();
    }
    foreach ($_GET as $k => $v) {
        $_POST[$k] = $v;
    }
}
// the reason why TinyMCE invoked us (IFF it was TinyMCE!)
$req_type = getGETparam4IdOrNumber('editor_req_type');
/*
An alternative to handle the 'type' parameter passed by TinyMCE to the FileManager frontend, is to convert it in the frontend and then set the 'filter' FM option.
*/
$filter_expression = null;
switch ($req_type) {
    case 'image':
        $filter_expression = 'image/';
        break;
    case 'media':
        $filter_expression = 'video/';
        break;
}
$browser = new FileManager(array('directory' => BASE_PATH . '/media/', 'thumbnailPath' => $cfg['rootdir'] . '/media/Thumbnails/', 'assetBasePath' => $cfg['rootdir'] . '/lib/includes/js/mootools-filemanager/Assets', 'chmod' => 0777, 'filter' => $filter_expression, 'allowExtChange' => true, 'UploadIsAuthorized_cb' => 'FM_IsAuthorized', 'DownloadIsAuthorized_cb' => 'FM_IsAuthorized', 'CreateIsAuthorized_cb' => 'FM_IsAuthorized', 'DestroyIsAuthorized_cb' => 'FM_IsAuthorized', 'MoveIsAuthorized_cb' => 'FM_IsAuthorized'));
// log request data:
FM_vardumper($browser, 'init' . getGETparam4IdOrNumber('event'));
$browser->fireEvent(getGETparam4IdOrNumber('event'));
示例#8
0
if (!empty($_SESSION['ccms_userID']) && !empty($_SESSION['ccms_userName']) && checkAuth()) {
    $qry = '';
    if (!empty($status) || !empty($status_message)) {
        $qry = '?status=' . rawurlencode($status) . '&msg=' . rawurlencode(!empty($status_message) ? $status_message : $ccms['lang']['system']['error_general']);
    }
    header('Location: ' . makeAbsoluteURI($cfg['rootdir'] . 'admin/index.php') . $qry);
    exit;
}
// Check for ./install directory
if ($cfg['install_dir_exists'] && !$cfg['install_dir_override']) {
    die('<strong>Security risk: the installation directory is still present.</strong><br/>Either first <a href="../../_install/">run the installer</a>, or remove the <em>./_install</em> directory, before accessing <a href="../../admin/">the back-end</a>.');
}
$userName = strtolower(getPOSTparam4IdOrNumber('userName'));
// also allow logon actions where the user is already 'pre-configured'; easy logon!
if (empty($userName)) {
    $userName = strtolower(getGETparam4IdOrNumber('logon_user'));
}
// Do authentication
if (isset($_POST['submit']) && $_SERVER['REQUEST_METHOD'] == 'POST') {
    /*
     * This code does NOT require that the submitted data (user+pass) originates from the
     * web form below and was entered in the same session (as we don't have the checkAuth()
     * condition checked in the if(...) above).
     *
     * This is intentional: users may store the login credentials in any form and still log
     * in. However, it also means that we must be aware that the current POST data can be
     * entirely malicious, hence we MUST perform rigorous checks -- which one would require
     * anyhow when logging in.
     *
     * To prevent SQL injection attacks against this form, we make sure the POST-ed data
     * does not contain any wildcards or trickery which makes our validation query below
示例#9
0
    // prevent PHP barfing a hairball in E_STRICT:
    if (!isset($_POST) || empty($_POST[$var])) {
        return $def;
    }
    return strval($_POST[$var]);
}
function SESSION2str($var, $def = '')
{
    // prevent PHP barfing a hairball in E_STRICT:
    if (!isset($_SESSION) || empty($_SESSION[$var])) {
        return $def;
    }
    return strval($_SESSION[$var]);
}
// Check whether this is a send request
$action_type = getGETparam4IdOrNumber('do');
// debugging:
if ($cfg['IN_DEVELOPMENT_ENVIRONMENT'] && 0) {
    $extra = array('action_type' => $action_type, 'req_method_is_post' => $_SERVER['REQUEST_METHOD'] == 'POST', 'captcha-on' => USE_CAPTCHA_AGAINST_SPAM, 'captcha-match-a' => POST2str('verification', 'x'), 'captcha-match-b' => SESSION2str('ccms_captcha', 'y'), 'captcha-match' => POST2str('verification', 'x') == SESSION2str('ccms_captcha', 'y'), 'honeypot-on' => USE_HONEYTRAP_AGAINST_SPAM, 'honeypot-check1' => POST2str('email', '') == '', 'honeypot-check2-a' => POST2str('darling_jar', 'x'), 'honeypot-check2-b' => SESSION2str('ccms_contactform_honeypot', 'y'), 'honeypot-check2' => POST2str('darling_jar', 'x') == SESSION2str('ccms_contactform_honeypot', 'y'));
    dump_request_to_logfile($extra);
}
$error = null;
$success = null;
$is_form_post = false;
/*
Fetch values early, so we can keep their content on error: message is not 
immediately lost to user on faulty submit.

Security notes:

Considering the fact that we keep POST-ed data around when the POST itself is deemed
示例#10
0
        }
        // Continue with content update
        $page_idcode = explode('-', getPOSTparam4IdOrNumber('id'), 2);
        $page_id = filterParam4Number(count($page_idcode) == 2 ? $page_idcode[1] : 0);
        $dest = getGETparam4IdOrNumber('part');
        if ($page_id > 0 && !empty($dest)) {
            $values = array();
            // [i_a] make sure $values is an empty array to start with here
            $values[$dest] = MySQL::SQLValue($content, MySQL::SQLVALUE_TEXT);
            if (!$db->UpdateRow($cfg['db_prefix'] . 'pages', $values, array('page_id' => MySQL::SQLValue($page_id, MySQL::SQLVALUE_NUMBER)))) {
                $db->Kill();
            } else {
                echo $content;
            }
        } else {
            die($ccms['lang']['system']['error_forged'] . ' (' . __FILE__ . ', ' . __LINE__ . ', ' . getGETparam4IdOrNumber('id') . ')');
        }
    } else {
        die($ccms['lang']['system']['error_forged'] . ' (' . __FILE__ . ', ' . __LINE__ . ')');
    }
    exit;
}
/**
 *
 * Change the page/file name inline.
 *
 * To make it a proper transaction, first try to change the filename, and only if that succeeds edit the database record.
 *
 */
if ($do_action == 'liverename' && $_SERVER['REQUEST_METHOD'] == 'POST' && checkAuth()) {
    $page_idcode = explode('-', getPOSTparam4IdOrNumber('id'), 2);
示例#11
0
    /*MARKER*/
    require_once BASE_PATH . '/admin/includes/security.inc.php';
}
// DATABASE ==
// All set! Now this statement will connect to the database
if (!$db->Open($cfg['db_name'], $cfg['db_host'], $cfg['db_user'], $cfg['db_pass'])) {
    $db->Kill($ccms['lang']['system']['error_database']);
}
// ENVIRONMENT ==
// Some variables to help this file orientate on its environment
$current = basename(filterParam4FullFilePath($_SERVER['REQUEST_URI']));
// [i_a] $curr_page was identical (enough) to $pagereq before
$pagereq = checkSpecialPageName(getGETparam4Filename('page'), SPG_GIVE_PAGENAME);
$ccms['pagereq'] = $pagereq;
$ccms['printing'] = getGETparam4boolYN('printing', 'N');
$preview = getGETparam4IdOrNumber('preview');
// in fact, it's a hash plus ID!
$preview = IsValidPreviewCode($preview);
$ccms['preview'] = $preview ? 'Y' : 'N';
//$ccms['responsecode'] = null; // default: 200 : OK
//$ccms['page_id'] = false;
//$ccms['page_name'] = false;
//$ccms['content'] = false;
//$ccms['template'] = null;
// This files' current version
$ccms['ccms_version'] = $v = "1.4.2";
// preparation for plugins, et.c which want to load JavaScript files through the template:
$ccms['CSS.required_files'] = array();
$ccms['CSS.inline'] = array();
$ccms['JS.required_files'] = array();
$ccms['JS.done'] = array();