// Fill albums array
$albums[] = $file;
}
}
closedir($handle);
sort($albums, SORT_STRING);
// to make sure $count[] array is in sync with the $albums[] array, we need to perform this extra round AFTER the sort() operation.
foreach ($albums as $key => $file) {
// Count files in album
$images = fileList(BASE_PATH . '/media/albums/' . $file);
$count[$key] = count($images);
}
}
$album = getGETparam4Filename('album');
$album_path = in_array($album, $albums) ? BASE_PATH . '/media/albums/' . $album : null;
$page_id = getGETparam4IdOrNumber('page_id');
$preview_checkcode = GenerateNewPreviewCode($page_id);
$tinyMCE_required = false;
$textarea4descr_id = str2variablename('lightbox_' . $page_id . (!empty($album) ? '_' . $album : ''));
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<meta http-equiv="Content-type" content="text/html; charset=utf-8" />
<title>Lightbox module</title>
<link rel="stylesheet" type="text/css" href="../../../admin/img/styles/base.css,liquid.css,layout.css,sprite.css,last_minute_fixes.css" />
<link rel="stylesheet" type="text/css" href="modLightbox.css" />
<!--[if IE]>
<link rel="stylesheet" type="text/css" href="../../../admin/img/styles/ie.css" />
<![endif]-->
</head>
define('CCMS_PERFORM_MINIMAL_INIT', true);
}
// Define default location
if (!defined('BASE_PATH')) {
$base = str_replace('\\', '/', dirname(dirname(dirname(dirname(dirname(__FILE__))))));
define('BASE_PATH', $base);
}
// Include general configuration
/*MARKER*/
require_once BASE_PATH . '/lib/sitemap.php';
// security check done ASAP
if (!checkAuth() || empty($_SESSION['rc1']) || empty($_SESSION['rc2'])) {
die("No external access to file");
}
$do = getGETparam4IdOrNumber('do');
$status = getGETparam4IdOrNumber('status');
$status_message = getGETparam4DisplayHTML('msg');
// Set the default template
$dir_temp = BASE_PATH . "/lib/templates/";
$get_temp = getGETparam4FullFilePath('template', $template[0] . '.tpl.html');
$chstatus = is_writable_ex($dir_temp . $get_temp);
// @dev: to test the error feedback on read-only on Win+UNIX: add '|| 1' here.
// Check for filename
if (!empty($get_temp)) {
if (@fopen($dir_temp . $get_temp, 'r')) {
$handle = fopen($dir_temp . $get_temp, 'r');
// PHP5+ Feature
$contents = stream_get_contents($handle);
if (0) {
// PHP4 Compatibility
$flen = filesize($dir_temp . $get_temp);
> Contact me for any inquiries.
> E: Xander@CompactCMS.nl
> W: http://community.CompactCMS.nl/forum
************************************************************ */
/* make sure no-one can run anything here if they didn't arrive through 'proper channels' */
if (!defined("COMPACTCMS_CODE")) {
die('Illegal entry point!');
}
/*MARKER*/
// Load news preferences
//$pageID = getGETparam4Filename('page');
$page_id = $ccms['page_id'];
$page_name = $ccms['page_name'];
$do = getGETparam4IdOrNumber('do');
$id = getGETparam4IdOrNumber('id');
$is_printing = $ccms['printing'] == 'Y';
if (!empty($page_id)) {
$rsCfg = $db->SelectSingleRow($cfg['db_prefix'] . 'cfgnews', array('page_id' => MySQL::SQLValue($page_id, MySQL::SQLVALUE_NUMBER)));
if ($db->ErrorNumber() != 0) {
$db->Kill();
}
}
$locale = $rsCfg ? $rsCfg->showLocale : $cfg['locale'];
// no need to check whether the given page is a news page; if it isn't we wouldn't have arrived here...
// Set front-end language
SetUpLanguageAndLocale($locale);
// Do actions for overview
$newsrows = false;
if (empty($id)) {
$newsID = false;
$type = getGETparam4IdOrNumber('type');
switch ($type) {
case 'css':
$http_base = path_remove_dot_segments($cssdir);
$base = str_replace('\\', '/', cvt_abs_http_path2realpath($http_base, $cfg['rootdir'], BASE_PATH));
break;
case 'javascript':
$http_base = path_remove_dot_segments($jsdir);
$base = str_replace('\\', '/', cvt_abs_http_path2realpath($http_base, $cfg['rootdir'], BASE_PATH));
break;
default:
send_response_status_header(503);
// Not Implemented
exit;
}
$extra_JS_callback = getGETparam4IdOrNumber('cb');
$only_when_expression = trim(getGETparam4MathExpression('only-when', ''));
/*MARKER*/
require_once BASE_PATH . '/lib/includes/browscap/browscap/Browscap.php';
$client_browser = new Browscap(BASE_PATH . '/lib/includes/cache');
$client_browser->localFile = BASE_PATH . '/lib/includes/browscap-data/php_browscap.ini';
$client_browser = $client_browser->getBrowser();
/*
* we would have liked to calculate the version 'float' value from the ["MajorVer"] and ["MinorVer"] entries,
* but then we'd be screwed when you got versions like '3.01' which would be encoded as 3 and 1.
*
* On the other hand we cannot assume the ["Version"] entry has just a single point. After all, there's nothing
* stopping the format from speccing for example '3.01.2750' and again we'ld be screwed if we casted such an
* entry to float without watching out. So we do it the hard way and pick ["Version"] and strip off anything
* past the second '.' dot in there.
*/
if (!defined('CCMS_PERFORM_MINIMAL_INIT')) {
define('CCMS_PERFORM_MINIMAL_INIT', true);
}
// Define default location
if (!defined('BASE_PATH')) {
$base = str_replace('\\', '/', dirname(dirname(dirname(dirname(dirname(__FILE__))))));
define('BASE_PATH', $base);
}
// Include general configuration
/*MARKER*/
require_once BASE_PATH . '/lib/sitemap.php';
// security check done ASAP
if (!checkAuth() || empty($_SESSION['rc1']) || empty($_SESSION['rc2'])) {
die("No external access to file");
}
$do = getGETparam4IdOrNumber('do');
$btn_backup = getPOSTparam4IdOrNumber('btn_backup');
if ($do == 'backup' && $btn_backup == 'dobackup') {
// Include back-up functions
/*MARKER*/
require_once './functions.php';
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<meta http-equiv="Content-type" content="text/html; charset=utf-8" />
<title>Back-up & Restore module</title>
<link rel="stylesheet" type="text/css" href="../../../../admin/img/styles/base.css,liquid.css,layout.css,sprite.css,last_minute_fixes.css" />
<!--[if IE]>
<link rel="stylesheet" type="text/css" href="../../../../admin/img/styles/ie.css" />
// Include general configuration
/*MARKER*/
require_once BASE_PATH . '/lib/sitemap.php';
class FbX extends CcmsAjaxFbException
{
}
// nasty way to do 'shorthand in PHP -- I do miss my #define macros! :'-|
// Some security functions
/* make darn sure only authenticated users can get past this point in the code */
if (empty($_SESSION['ccms_userID']) || empty($_SESSION['ccms_userName']) || !checkAuth()) {
// this situation should've caught inside sitemap.php-->security.inc.php above! This is just a safety measure here.
die_with_forged_failure_msg(__FILE__, __LINE__);
// $ccms['lang']['auth']['featnotallowed']
}
// Prevent PHP warning by setting default (null) values
$do_action = getGETparam4IdOrNumber('action');
/**
*
* Create a new user as posted by an authorized user
*
*/
if ($do_action == 'add-user' && $_SERVER['REQUEST_METHOD'] == 'POST' && checkAuth()) {
FbX::SetFeedbackLocation('user-management.Manage.php');
try {
// Only if current user has the rights
if ($perm->is_level_okay('manageUsers', $_SESSION['ccms_userLevel'])) {
//$i=count(array_filter($_POST));
//if($i <= 6) error
if (empty($_POST['userPass'])) {
throw new FbX($ccms['lang']['system']['error_tooshort']);
}
$r = trim($t, '_.');
echo "\nORIG: [" . htmlentities($t) . "]\nRES: [" . htmlentities($r) . "]\n";
}
}
// fake a POST submit through a GET request so we can easily diag/debug event requests:
if (!isset($_POST)) {
$_POST = array();
}
foreach ($_GET as $k => $v) {
$_POST[$k] = $v;
}
}
// the reason why TinyMCE invoked us (IFF it was TinyMCE!)
$req_type = getGETparam4IdOrNumber('editor_req_type');
/*
An alternative to handle the 'type' parameter passed by TinyMCE to the FileManager frontend, is to convert it in the frontend and then set the 'filter' FM option.
*/
$filter_expression = null;
switch ($req_type) {
case 'image':
$filter_expression = 'image/';
break;
case 'media':
$filter_expression = 'video/';
break;
}
$browser = new FileManager(array('directory' => BASE_PATH . '/media/', 'thumbnailPath' => $cfg['rootdir'] . '/media/Thumbnails/', 'assetBasePath' => $cfg['rootdir'] . '/lib/includes/js/mootools-filemanager/Assets', 'chmod' => 0777, 'filter' => $filter_expression, 'allowExtChange' => true, 'UploadIsAuthorized_cb' => 'FM_IsAuthorized', 'DownloadIsAuthorized_cb' => 'FM_IsAuthorized', 'CreateIsAuthorized_cb' => 'FM_IsAuthorized', 'DestroyIsAuthorized_cb' => 'FM_IsAuthorized', 'MoveIsAuthorized_cb' => 'FM_IsAuthorized'));
// log request data:
FM_vardumper($browser, 'init' . getGETparam4IdOrNumber('event'));
$browser->fireEvent(getGETparam4IdOrNumber('event'));
if (!empty($_SESSION['ccms_userID']) && !empty($_SESSION['ccms_userName']) && checkAuth()) {
$qry = '';
if (!empty($status) || !empty($status_message)) {
$qry = '?status=' . rawurlencode($status) . '&msg=' . rawurlencode(!empty($status_message) ? $status_message : $ccms['lang']['system']['error_general']);
}
header('Location: ' . makeAbsoluteURI($cfg['rootdir'] . 'admin/index.php') . $qry);
exit;
}
// Check for ./install directory
if ($cfg['install_dir_exists'] && !$cfg['install_dir_override']) {
die('<strong>Security risk: the installation directory is still present.</strong><br/>Either first <a href="../../_install/">run the installer</a>, or remove the <em>./_install</em> directory, before accessing <a href="../../admin/">the back-end</a>.');
}
$userName = strtolower(getPOSTparam4IdOrNumber('userName'));
// also allow logon actions where the user is already 'pre-configured'; easy logon!
if (empty($userName)) {
$userName = strtolower(getGETparam4IdOrNumber('logon_user'));
}
// Do authentication
if (isset($_POST['submit']) && $_SERVER['REQUEST_METHOD'] == 'POST') {
/*
* This code does NOT require that the submitted data (user+pass) originates from the
* web form below and was entered in the same session (as we don't have the checkAuth()
* condition checked in the if(...) above).
*
* This is intentional: users may store the login credentials in any form and still log
* in. However, it also means that we must be aware that the current POST data can be
* entirely malicious, hence we MUST perform rigorous checks -- which one would require
* anyhow when logging in.
*
* To prevent SQL injection attacks against this form, we make sure the POST-ed data
* does not contain any wildcards or trickery which makes our validation query below
// prevent PHP barfing a hairball in E_STRICT:
if (!isset($_POST) || empty($_POST[$var])) {
return $def;
}
return strval($_POST[$var]);
}
function SESSION2str($var, $def = '')
{
// prevent PHP barfing a hairball in E_STRICT:
if (!isset($_SESSION) || empty($_SESSION[$var])) {
return $def;
}
return strval($_SESSION[$var]);
}
// Check whether this is a send request
$action_type = getGETparam4IdOrNumber('do');
// debugging:
if ($cfg['IN_DEVELOPMENT_ENVIRONMENT'] && 0) {
$extra = array('action_type' => $action_type, 'req_method_is_post' => $_SERVER['REQUEST_METHOD'] == 'POST', 'captcha-on' => USE_CAPTCHA_AGAINST_SPAM, 'captcha-match-a' => POST2str('verification', 'x'), 'captcha-match-b' => SESSION2str('ccms_captcha', 'y'), 'captcha-match' => POST2str('verification', 'x') == SESSION2str('ccms_captcha', 'y'), 'honeypot-on' => USE_HONEYTRAP_AGAINST_SPAM, 'honeypot-check1' => POST2str('email', '') == '', 'honeypot-check2-a' => POST2str('darling_jar', 'x'), 'honeypot-check2-b' => SESSION2str('ccms_contactform_honeypot', 'y'), 'honeypot-check2' => POST2str('darling_jar', 'x') == SESSION2str('ccms_contactform_honeypot', 'y'));
dump_request_to_logfile($extra);
}
$error = null;
$success = null;
$is_form_post = false;
/*
Fetch values early, so we can keep their content on error: message is not
immediately lost to user on faulty submit.
Security notes:
Considering the fact that we keep POST-ed data around when the POST itself is deemed
}
// Continue with content update
$page_idcode = explode('-', getPOSTparam4IdOrNumber('id'), 2);
$page_id = filterParam4Number(count($page_idcode) == 2 ? $page_idcode[1] : 0);
$dest = getGETparam4IdOrNumber('part');
if ($page_id > 0 && !empty($dest)) {
$values = array();
// [i_a] make sure $values is an empty array to start with here
$values[$dest] = MySQL::SQLValue($content, MySQL::SQLVALUE_TEXT);
if (!$db->UpdateRow($cfg['db_prefix'] . 'pages', $values, array('page_id' => MySQL::SQLValue($page_id, MySQL::SQLVALUE_NUMBER)))) {
$db->Kill();
} else {
echo $content;
}
} else {
die($ccms['lang']['system']['error_forged'] . ' (' . __FILE__ . ', ' . __LINE__ . ', ' . getGETparam4IdOrNumber('id') . ')');
}
} else {
die($ccms['lang']['system']['error_forged'] . ' (' . __FILE__ . ', ' . __LINE__ . ')');
}
exit;
}
/**
*
* Change the page/file name inline.
*
* To make it a proper transaction, first try to change the filename, and only if that succeeds edit the database record.
*
*/
if ($do_action == 'liverename' && $_SERVER['REQUEST_METHOD'] == 'POST' && checkAuth()) {
$page_idcode = explode('-', getPOSTparam4IdOrNumber('id'), 2);
/*MARKER*/
require_once BASE_PATH . '/admin/includes/security.inc.php';
}
// DATABASE ==
// All set! Now this statement will connect to the database
if (!$db->Open($cfg['db_name'], $cfg['db_host'], $cfg['db_user'], $cfg['db_pass'])) {
$db->Kill($ccms['lang']['system']['error_database']);
}
// ENVIRONMENT ==
// Some variables to help this file orientate on its environment
$current = basename(filterParam4FullFilePath($_SERVER['REQUEST_URI']));
// [i_a] $curr_page was identical (enough) to $pagereq before
$pagereq = checkSpecialPageName(getGETparam4Filename('page'), SPG_GIVE_PAGENAME);
$ccms['pagereq'] = $pagereq;
$ccms['printing'] = getGETparam4boolYN('printing', 'N');
$preview = getGETparam4IdOrNumber('preview');
// in fact, it's a hash plus ID!
$preview = IsValidPreviewCode($preview);
$ccms['preview'] = $preview ? 'Y' : 'N';
//$ccms['responsecode'] = null; // default: 200 : OK
//$ccms['page_id'] = false;
//$ccms['page_name'] = false;
//$ccms['content'] = false;
//$ccms['template'] = null;
// This files' current version
$ccms['ccms_version'] = $v = "1.4.2";
// preparation for plugins, et.c which want to load JavaScript files through the template:
$ccms['CSS.required_files'] = array();
$ccms['CSS.inline'] = array();
$ccms['JS.required_files'] = array();
$ccms['JS.done'] = array();