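/**
 * Apply whatever escaping is requested to the given value.
 *
 * The list is walked in reverse, so the escaping listed first ends up applied
 * last (outermost). Every escaping operates on a plain string.
 *
 * @param  array   $escaped  A list of escaping to do (*_ESCAPED constants)
 * @param  string  $value    The string to apply the escapings to
 * @return string  Output string
 */
function apply_tempcode_escaping_inline($escaped, $value)
{
    global $HTML_ESCAPE_1_STRREP, $HTML_ESCAPE_2;

    foreach (array_reverse($escaped) as $escape) {
        // switch compares loosely (==), exactly like the if/elseif chain it replaces
        switch ($escape) {
            case ENTITY_ESCAPED:
            case FORCIBLY_ENTITY_ESCAPED:
                // HTML context: both variants use the same entity replacement table here
                $value = str_replace($HTML_ESCAPE_1_STRREP, $HTML_ESCAPE_2, $value);
                break;

            case SQ_ESCAPED:
                // Single-quoted string literal: backslashes first (so the escapes added
                // below are not doubled), then the raw apostrophe and its HTML-entity form
                $value = str_replace('\\', '\\\\', $value);
                $value = str_replace('\'', '\\\'', $value);
                $value = str_replace('&#039;', '\\&#039;', $value);
                break;

            case DQ_ESCAPED:
                // Double-quoted string literal; same shape as SQ_ESCAPED
                $value = str_replace('\\', '\\\\', $value);
                $value = str_replace('"', '\\"', $value);
                $value = str_replace('&quot;', '\\&quot;', $value);
                break;

            case NL_ESCAPED:
                // Strip line breaks entirely
                $value = str_replace(chr(10), '', $value);
                $value = str_replace(chr(13), '', $value);
                break;

            case NL2_ESCAPED:
                // Turn LF into a literal backslash-n sequence, drop CR
                $value = str_replace(chr(10), '\\n', $value);
                $value = str_replace(chr(13), '', $value);
                break;

            case CC_ESCAPED:
                // Escape backslashes, then opening square brackets
                $value = str_replace('\\', '\\\\', $value);
                $value = str_replace('[', '\\[', $value);
                break;

            case UL_ESCAPED:
                $value = ocp_url_encode($value);
                break;

            case UL2_ESCAPED:
                $value = rawurlencode($value);
                break;

            case JSHTML_ESCAPED:
                // HTML embedded inside a script block: break up '</' and ']]>' so the
                // enclosing <script> / CDATA section cannot be closed early by the value
                $value = str_replace('</', '<\\/', $value);
                $value = str_replace(']]>', ']]\'+\'>', $value);
                break;

            case ID_ESCAPED:
                $value = fix_id($value);
                break;

            case CSS_ESCAPED:
                // Anything other than word chars, '#', '.', '-' and '%' becomes '_'
                $value = preg_replace('#[^\\w\\#\\.\\-\\%]#', '_', $value);
                break;

            case NAUGHTY_ESCAPED:
                $value = filter_naughty_harsh($value, true);
                break;
        }
    }

    // XSS-detection mode records which strings have been through an escaping
    if ($GLOBALS['XSS_DETECT'] && $escaped != array()) {
        ocp_mark_as_escaped($value);
    }

    return $value;
}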
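/**
 * String to tack onto URL to keep 'keep_' parameters
 *
 * Re-emits every current GET parameter named 'keep_*' (except '*_expand_*' ones
 * and those skippable_keep() says may be dropped) as a query-string fragment.
 *
 * @param  array   $param  Parameters passed to the symbol (0=whether this starts off the query string, 1=force session append even if it's also available a session cookie e.g. when put into download manager)
 * @return string  The result.
 */
function keep_symbol($param)
{
    $value = '';
    $get_vars = $_GET;

    // Whether the caller asked for keep_session to be appended even when a session cookie exists
    $force_session = isset($param[1]) && $param[1] == '1';

    // NOTE(review): this places the session ID in a URL, where it can leak through Referer
    // headers and access logs; callers should request it (param 1) only where a cookie cannot be sent.
    if ($force_session && is_null(get_bot_type()) && !array_key_exists('keep_session', $get_vars)) {
        $get_vars['keep_session'] = strval(get_session_id());
    }

    if (count($get_vars) == 0) {
        return $value;
    }

    // '?' before the first emitted parameter if we start the query string, '&' otherwise
    $first = isset($param[0]) && $param[0] == '1';

    foreach ($get_vars as $key => $val) {
        if (!is_string($key)) {
            $key = strval($key);
        }
        // get_magic_quotes_gpc() no longer exists on PHP 8; guard so this does not fatal there
        if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc() && is_string($val)) {
            $val = stripslashes($val);
        }

        if (substr($key, 0, 5) != 'keep_' || strpos($key, '_expand_') !== false) {
            continue;
        }
        // A forced keep_session survives even when skippable_keep() would otherwise drop it
        $must_keep = !skippable_keep($key, $val) || ($key == 'keep_session' && is_null(get_bot_type()) && $force_session);
        if (!$must_keep || !is_string($val)) {
            continue;
        }

        $value .= ($first ? '?' : '&') . urlencode($key) . '=' . ocp_url_encode($val);
        $first = false;
    }

    return $value;
}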
/**
 * Attempt to use mod_rewrite to improve this URL.
 *
 * Each remapping is a tuple of (placeholder map, target pattern, require-full-coverage flag).
 * The first remapping whose every key matches $vars (see the loop below for the exact rules)
 * is used; its uppercased keys are substituted into the target pattern.
 *
 * @param  ID_TEXT   $zone_name        The name of the zone for this
 * @param  array     $vars             A map of variables to include in our URL
 * @param  boolean   $force_index_php  Force inclusion of the index.php name into a short URL, so something may tack on extra parameters to the result here
 * @return ?URLPATH  The improved URL (NULL: couldn't do anything)
 */
function _url_rewrite_params($zone_name, $vars, $force_index_php = false)
{
    global $URL_REMAPPINGS;

    // Remappings are loaded lazily, once per request
    if ($URL_REMAPPINGS === NULL) {
        $old_style = get_option('htm_short_urls') != '1';
        require_code('url_remappings');
        $URL_REMAPPINGS = get_remappings($old_style);
    }

    // Find mapping
    foreach ($URL_REMAPPINGS as $_remapping) {
        list($remapping, $target, $require_full_coverage) = $_remapping;
        // if (count($remapping)!=$num_vars) continue;

        $good = true;
        $last_key_num = count($remapping);
        $loop_cnt = 0;
        foreach ($remapping as $key => $val) {
            $loop_cnt++;
            $last = $loop_cnt == $last_key_num;

            // Normalise both sides to strings so the loose comparison below is between strings
            if (!is_string($val) && $val !== NULL) {
                $val = strval($val);
            }
            if (array_key_exists($key, $vars) && is_integer($vars[$key])) {
                $vars[$key] = strval($vars[$key]);
            }

            // A remapping key matches when all of these hold:
            //  - $vars supplies it (or it is a NULL 'type' placeholder and an 'id' is present),
            //  - a 'page' value is non-empty unless the remapping fixes it to '',
            //  - an empty value is only tolerated for the last placeholder,
            //  - a fixed (non-NULL) value in the remapping equals the supplied one.
            if (!((isset($vars[$key]) || $val === NULL && $key == 'type' && array_key_exists('id', $vars)) && ($key != 'page' || $vars[$key] != '' || $val === '') && (!array_key_exists($key, $vars) || $vars[$key] != '' || !$last) && ($val === NULL || $vars[$key] == $val))) {
                $good = false;
                break;
            }
        }

        // Full-coverage remappings must account for every variable: no non-skippable
        // keep_* parameter in the current request, and no unmatched non-NULL var
        if ($require_full_coverage) {
            foreach ($_GET as $key => $val) {
                if (!is_string($val)) {
                    continue;
                }
                if (substr($key, 0, 5) == 'keep_' && !skippable_keep($key, $val)) {
                    $good = false;
                }
            }
            foreach ($vars as $key => $val) {
                if (!array_key_exists($key, $remapping) && $val !== NULL && ($key != 'page' || $vars[$key] != '')) {
                    $good = false;
                }
            }
        }

        if ($good) {
            // We've found one, now let's sort out the target
            $makeup = $target;

            if ($GLOBALS['DEBUG_MODE']) {
                foreach ($vars as $key => $val) {
                    if (is_integer($val)) {
                        $vars[$key] = strval($val);
                    }
                }
            }

            // Substitute each matched placeholder (the key, uppercased) into the target;
            // matched vars are removed so that only the leftovers become query parameters
            $extra_vars = array();
            foreach (array_keys($remapping) as $key) {
                if (!isset($vars[$key])) {
                    continue;
                }
                $val = $vars[$key];
                unset($vars[$key]);
                $makeup = str_replace(strtoupper($key), ocp_url_encode_mini($val, true), $makeup);
            }
            if (!$require_full_coverage) {
                $extra_vars += $vars;
            }

            // An unfilled TYPE placeholder means the default type
            $makeup = str_replace('TYPE', 'misc', $makeup);
            if ($makeup == '') {
                $makeup .= get_zone_default_page($zone_name) . '.htm';
            }

            // Leftover vars go into a conventional query string after the rewritten path
            if ($extra_vars != array() || $force_index_php) {
                if (get_option('htm_short_urls') != '1') {
                    $makeup .= '/index.php';
                }
                $first = true;
                foreach ($extra_vars as $key => $val) {
                    if ($val === NULL) {
                        continue;
                    }
                    if (is_integer($key)) {
                        $key = strval($key);
                    }
                    if ($val === SELF_REDIRECT) {
                        $val = get_self_url(true, true);
                    }
                    // NOTE(review): $key is appended without URL-encoding while $val is encoded;
                    // keys come from the caller's $vars map — confirm none are derived from request input
                    $makeup .= ($first ? '?' : '&') . $key . '=' . ocp_url_encode($val, true);
                    $first = false;
                }
            }

            return $makeup;
        }
    }

    return NULL;
}
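/**
 * Actualise the join form.
 *
 * Reads the posted join form, runs the enabled checks (invite, CAPTCHA, LDAP clash,
 * one-account-per-email), creates the member, sends the confirmation / COPPA / staff
 * notification mails, optionally makes an intro post, and returns the message to show.
 * Every validation failure terminates via warn_exit().
 *
 * @param  boolean  $captcha_if_enabled                Whether to handle CAPTCHA (if enabled at all)
 * @param  boolean  $intro_message_if_enabled          Whether to ask for intro messages (if enabled at all)
 * @param  boolean  $invites_if_enabled                Whether to check for invites (if enabled at all)
 * @param  boolean  $one_per_email_address_if_enabled  Whether to check email-address restrictions (if enabled at all)
 * @param  boolean  $confirm_if_enabled                Whether to require staff confirmation (if enabled at all)
 * @param  boolean  $validate_if_enabled               Whether to force email address validation (if enabled at all)
 * @param  boolean  $coppa_if_enabled                  Whether to do COPPA checks (if enabled at all)
 * @param  boolean  $instant_login                     Whether to instantly log the user in
 * @return array    A tuple: Messages to show (currently nothing else in tuple)
 */
function ocf_join_actual($captcha_if_enabled = true, $intro_message_if_enabled = true, $invites_if_enabled = true, $one_per_email_address_if_enabled = true, $confirm_if_enabled = true, $validate_if_enabled = true, $coppa_if_enabled = true, $instant_login = false)
{
    ocf_require_all_forum_stuff();
    require_css('ocf');
    require_code('ocf_members_action');
    require_code('ocf_members_action2');

    // Read in data
    $username = trim(post_param('username'));
    ocf_check_name_valid($username, NULL, NULL, true); // Adjusts username if needed
    $password = trim(post_param('password'));
    $password_confirm = trim(post_param('password_confirm'));
    if ($password != $password_confirm) {
        warn_exit(make_string_tempcode(escape_html(do_lang('PASSWORD_MISMATCH'))));
    }
    $confirm_email_address = post_param('email_address_confirm', NULL);
    $email_address = trim(post_param('email_address'));
    if (!is_null($confirm_email_address)) {
        if (trim($confirm_email_address) != $email_address) {
            warn_exit(make_string_tempcode(escape_html(do_lang('EMAIL_ADDRESS_MISMATCH'))));
        }
    }
    require_code('type_validation');
    if (!is_valid_email_address($email_address)) {
        warn_exit(do_lang_tempcode('INVALID_EMAIL_ADDRESS'));
    }

    // Invite check. The invite itself is only marked as taken further down, once every
    // other pre-creation check has passed, so a join that fails later does not burn it.
    if ($invites_if_enabled) {
        if (get_option('is_on_invites') == '1') {
            $test = $GLOBALS['FORUM_DB']->query_value_null_ok('f_invites', 'i_inviter', array('i_email_address' => $email_address, 'i_taken' => 0));
            if (is_null($test)) {
                warn_exit(do_lang_tempcode('NO_INVITE'));
            }
        }
    }

    $dob_day = post_param_integer('dob_day', NULL);
    $dob_month = post_param_integer('dob_month', NULL);
    $dob_year = post_param_integer('dob_year', NULL);
    $reveal_age = post_param_integer('reveal_age', 0);
    $timezone = post_param('timezone', get_users_timezone());
    $language = post_param('language', get_site_default_lang());
    $allow_emails = post_param_integer('allow_emails', 0);
    $allow_emails_from_staff = post_param_integer('allow_emails_from_staff', 0);

    $groups = ocf_get_all_default_groups(true); // $groups will contain the built in default primary group too (it is not $secondary_groups)
    $primary_group = post_param_integer('primary_group', NULL);
    if ($primary_group !== NULL && !in_array($primary_group, $groups)) {
        // Check security: a user-chosen primary group is only honoured if it is one that is
        // presented at install time, otherwise it falls back to the default
        $test = $GLOBALS['FORUM_DB']->query_value('f_groups', 'g_is_presented_at_install', array('id' => $primary_group));
        if ($test == 1) {
            $groups = ocf_get_all_default_groups(false); // Get it so it does not include the built in default primary group
            $groups[] = $primary_group; // And add in the *chosen* primary group
        } else {
            $primary_group = NULL;
        }
    } else {
        $primary_group = NULL;
    }
    if ($primary_group === NULL) {
        $primary_group = get_first_default_group();
    }

    $custom_fields = ocf_get_all_custom_fields_match($groups, NULL, NULL, NULL, NULL, NULL, NULL, 0, true);
    $actual_custom_fields = ocf_read_in_custom_fields($custom_fields);

    // Check that the given address isn't already used (if one_per_email_address on)
    $member_id = NULL;
    if ($one_per_email_address_if_enabled) {
        if (get_option('one_per_email_address') == '1') {
            $test = $GLOBALS['FORUM_DB']->query_select('f_members', array('id', 'm_username'), array('m_email_address' => $email_address), '', 1);
            if (array_key_exists(0, $test)) {
                if ($test[0]['m_username'] != $username) {
                    $reset_url = build_url(array('page' => 'lostpassword', 'email_address' => $email_address), get_module_zone('lostpassword'));
                    warn_exit(do_lang_tempcode('EMAIL_ADDRESS_IN_USE', escape_html(get_site_name()), escape_html($reset_url->evaluate())));
                }
                // NOTE(review): an existing member row with this username+email is reused rather than
                // re-created, and the instant-login branch below logs in by username; this relies on
                // ocf_check_name_valid() having already rejected a taken username — confirm.
                $member_id = $test[0]['id'];
            }
        }
    }

    if ($captcha_if_enabled) {
        if (addon_installed('captcha')) {
            require_code('captcha');
            enforce_captcha();
        }
    }

    if (addon_installed('ldap')) {
        require_code('ocf_ldap');
        if (ocf_is_ldap_member_potential($username)) {
            warn_exit(do_lang_tempcode('DUPLICATE_JOIN_AUTH'));
        }
    }

    // All pre-creation checks passed: consume the invite (no-op when none matches)
    if ($invites_if_enabled) {
        $GLOBALS['FORUM_DB']->query_update('f_invites', array('i_taken' => 1), array('i_email_address' => $email_address, 'i_taken' => 0), '', 1);
    }

    // Add member
    $skip_confirm = get_option('skip_email_confirm_join') == '1';
    if (!$confirm_if_enabled) {
        $skip_confirm = true;
    }
    // The confirmation code is embedded in the emailed step4 link, so draw it from a CSPRNG
    // where available (random_int, PHP 7+) rather than mt_rand.
    // NOTE(review): the 1..32000 keyspace is small; widen it once the width of the column
    // ocf_make_member() stores it in is confirmed, and rate-limit the confirmation endpoint.
    $validated_email_confirm_code = $skip_confirm ? '' : strval(function_exists('random_int') ? random_int(1, 32000) : mt_rand(1, 32000));
    $require_new_member_validation = get_option('require_new_member_validation') == '1';
    if (!$validate_if_enabled) {
        $require_new_member_validation = false;
    }
    // Under-13 check from the posted date of birth (age in years from seconds elapsed).
    // NOTE(review): when the dob fields are absent, NULLs reach mktime() — confirm the form requires them when COPPA is on
    $coppa = get_option('is_on_coppa') == '1' && utctime_to_usertime(time() - mktime(0, 0, 0, $dob_month, $dob_day, $dob_year)) / 31536000.0 < 13.0;
    if (!$coppa_if_enabled) {
        $coppa = false;
    }
    // Members needing staff validation or COPPA consent start out unvalidated
    $validated = ($require_new_member_validation || $coppa) ? 0 : 1;
    if (is_null($member_id)) {
        $member_id = ocf_make_member($username, $password, $email_address, $groups, $dob_day, $dob_month, $dob_year, $actual_custom_fields, $timezone, $primary_group, $validated, time(), time(), '', NULL, '', 0, get_option('default_preview_guests') == '1' ? 1 : 0, $reveal_age, '', '', '', 1, get_value('no_auto_notifications') === '1' ? 0 : 1, $language, $allow_emails, $allow_emails_from_staff, '', get_ip_address(), $validated_email_confirm_code, true, '', '');
    }

    // Send confirm mail
    if (!$skip_confirm) {
        $zone = get_module_zone('join');
        if ($zone != '') {
            $zone .= '/';
        }
        $_url = build_url(array('page' => 'join', 'type' => 'step4', 'email' => $email_address, 'code' => $validated_email_confirm_code), $zone, NULL, false, false, true);
        $url = $_url->evaluate();
        $_url_simple = build_url(array('page' => 'join', 'type' => 'step4'), $zone, NULL, false, false, true);
        $url_simple = $_url_simple->evaluate();
        // NOTE(review): 'redirect' is request-supplied and is carried into the emailed link;
        // whatever consumes it on step4 should accept only local URLs
        $redirect = get_param('redirect', '');
        if ($redirect != '') {
            $url .= '&redirect=' . ocp_url_encode($redirect);
        }
        $message = do_lang('OCF_SIGNUP_TEXT', comcode_escape(get_site_name()), comcode_escape($url), array($url_simple, $email_address, $validated_email_confirm_code), $language);
        require_code('mail');
        if (!$coppa) {
            mail_wrap(do_lang('CONFIRM_EMAIL_SUBJECT', get_site_name(), NULL, NULL, $language), $message, array($email_address), $username, '', '', 3, NULL, false, NULL, false, false, false, 'MAIL', true);
        }
    }

    // Send COPPA mail
    if ($coppa) {
        // Summarise the submitted profile (minus uploads) for the parental consent form
        $fields_done = do_lang('THIS_WITH_COMCODE', do_lang('USERNAME'), $username) . "\n\n";
        foreach ($custom_fields as $custom_field) {
            if ($custom_field['cf_type'] != 'upload') {
                $fields_done .= do_lang('THIS_WITH_COMCODE', $custom_field['trans_name'], post_param('custom_' . $custom_field['id'] . '_value')) . "\n";
            }
        }
        $_privacy_url = build_url(array('page' => 'privacy'), '_SEARCH', NULL, false, false, true);
        $privacy_url = $_privacy_url->evaluate();
        $message = do_lang('COPPA_MAIL', comcode_escape(get_option('site_name')), comcode_escape(get_option('privacy_fax')), array(comcode_escape(get_option('privacy_postal_address')), comcode_escape($fields_done), comcode_escape($privacy_url)), $language);
        require_code('mail');
        mail_wrap(do_lang('COPPA_JOIN_SUBJECT', $username, get_site_name(), NULL, $language), $message, array($email_address), $username);
    }

    // Send 'validate this member' notification
    if ($require_new_member_validation) {
        require_code('notifications');
        $_validation_url = build_url(array('page' => 'members', 'type' => 'view', 'id' => $member_id), get_module_zone('members'), NULL, false, false, true, 'tab__edit');
        $validation_url = $_validation_url->evaluate();
        $message = do_lang('VALIDATE_NEW_MEMBER_MAIL', comcode_escape($username), comcode_escape($validation_url), comcode_escape(strval($member_id)), get_site_default_lang());
        dispatch_notification('ocf_member_needs_validation', NULL, do_lang('VALIDATE_NEW_MEMBER_SUBJECT', $username, NULL, NULL, get_site_default_lang()), $message, NULL, A_FROM_SYSTEM_PRIVILEGED);
    }

    // Send new member notification
    require_code('notifications');
    $_member_url = build_url(array('page' => 'members', 'type' => 'view', 'id' => $member_id), get_module_zone('members'), NULL, false, false, true);
    $member_url = $_member_url->evaluate();
    $message = do_lang('NEW_MEMBER_NOTIFICATION_MAIL', comcode_escape($username), comcode_escape(get_site_name()), array(comcode_escape($member_url), comcode_escape(strval($member_id))), get_site_default_lang());
    dispatch_notification('ocf_new_member', NULL, do_lang('NEW_MEMBER_NOTIFICATION_MAIL_SUBJECT', $username, get_site_name(), NULL, get_site_default_lang()), $message, NULL, A_FROM_SYSTEM_PRIVILEGED);

    // Intro post
    // NOTE(review): this is posted before email confirmation / staff validation has completed,
    // so unconfirmed accounts can place content in the intro forum — confirm that is intended
    if ($intro_message_if_enabled) {
        $forum_id = get_option('intro_forum_id');
        if ($forum_id != '') {
            // The option may hold a forum name rather than an ID; resolve it (falling back to the first forum)
            if (!is_numeric($forum_id)) {
                $_forum_id = $GLOBALS['FORUM_DB']->query_value_null_ok('f_forums', 'id', array('f_name' => $forum_id));
                if (is_null($_forum_id)) {
                    $forum_id = strval(db_get_first_id());
                } else {
                    $forum_id = strval($_forum_id);
                }
            }
            $intro_title = post_param('intro_title', '');
            $intro_post = post_param('intro_post', '');
            if ($intro_post != '') {
                require_code('ocf_topics_action');
                if ($intro_title == '') {
                    $intro_title = do_lang('INTRO_POST_DEFAULT', $username);
                }
                $topic_id = ocf_make_topic(intval($forum_id));
                require_code('ocf_posts_action');
                ocf_make_post($topic_id, $intro_title, $intro_post, 0, true, NULL, 0, NULL, NULL, NULL, $member_id);
            }
        }
    }

    // Alert user to situation
    $message = new ocp_tempcode();
    if ($coppa) {
        if (!$skip_confirm) {
            $message->attach(do_lang_tempcode('OCF_WAITING_CONFIRM_MAIL'));
        }
        $message->attach(do_lang_tempcode('OCF_WAITING_CONFIRM_MAIL_COPPA'));
    } elseif ($require_new_member_validation) {
        if (!$skip_confirm) {
            $message->attach(do_lang_tempcode('OCF_WAITING_CONFIRM_MAIL'));
        }
        $message->attach(do_lang_tempcode('OCF_WAITING_CONFIRM_MAIL_VALIDATED', escape_html(get_custom_base_url())));
    } elseif ($skip_confirm) {
        if ($instant_login) {
            require_code('users_active_actions');
            handle_active_login($username);
            $message->attach(do_lang_tempcode('OCF_LOGIN_AUTO'));
        } else {
            $_login_url = build_url(array('page' => 'login', 'redirect' => get_param('redirect', NULL)), get_module_zone('login'));
            $login_url = $_login_url->evaluate();
            $message->attach(do_lang_tempcode('OCF_LOGIN_INSTANT', escape_html($login_url)));
        }
    } else {
        if (!$skip_confirm) {
            $message->attach(do_lang_tempcode('OCF_WAITING_CONFIRM_MAIL'));
        }
        $message->attach(do_lang_tempcode('OCF_WAITING_CONFIRM_MAIL_INSTANT'));
    }
    $message = protect_from_escaping($message);

    return array($message);
}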