/**
 * Invalidates a visitor's cookies when the `cookieInvalidator_base` option no
 * longer matches the `cookieInvalidator` cookie they carry, then re-stamps that
 * cookie with the current base and drops the in-memory login state so the
 * rest of the request runs as a guest.
 *
 * @param array $cookies cookie names (as array keys) to clear
 */
static function invalidate($cookies) {
	global $_zp_loggedin, $_zp_current_admin_obj;
	$stamped = zp_getCookie('cookieInvalidator');
	$currentBase = getOption('cookieInvalidator_base');
	if ($stamped == $currentBase) {
		return; // nothing changed since the cookie was stamped
	}
	foreach ($cookies as $name => $unused) {
		zp_clearCookie($name);
	}
	zp_setCookie('cookieInvalidator', $currentBase);
	$_zp_loggedin = NULL;
	$_zp_current_admin_obj = NULL;
}
$protocol = sanitize($_POST['server_protocol'], 3); if ($protocol != SERVER_PROTOCOL) { // force https if required to be sure it works, otherwise the "save" will be the last thing we do httpsRedirect(); } if (getOption('server_protocol') != $protocol) { setOption('server_protocol', $protocol); $_configMutex->lock(); $zp_cfg = @file_get_contents(SERVERPATH . '/' . DATA_FOLDER . '/' . CONFIGFILE); $zp_cfg = updateConfigItem('server_protocol', $protocol, $zp_cfg); storeConfig($zp_cfg); $_configMutex->unlock(); } $_zp_gallery->setUserLogonField(isset($_POST['login_user_field'])); if ($protocol == 'http') { zp_clearCookie("zenphoto_ssl"); } setOption('IP_tied_cookies', (int) isset($_POST['IP_tied_cookies'])); setOption('obfuscate_cache', (int) isset($_POST['obfuscate_cache'])); setOption('image_processor_flooding_protection', (int) isset($_POST['image_processor_flooding_protection'])); $_zp_gallery->save(); $returntab = "&tab=security"; } /* * * custom options ** */ if (!$themeswitch) { // was really a save. $returntab = processCustomOptionSave($returntab, $themename, $themealbum); } if (empty($notify)) { $notify = '?saved'; }
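/**
 * Checks password posting
 *
 * Works out which credential set guards the current request — a protected
 * full image, the search page, an album (walking up the parent chain until a
 * password is found), a Zenpage page (same, via the `pages` table) and finally
 * the gallery itself — then either processes a posted login form against it or
 * validates the auth cookie saved for it.
 *
 * Side effects: sets or clears the cookie named by $authType, may redirect and
 * exit after a successful login, and sets $_zp_login_error after a failed one.
 *
 * @param string $authType override of authorization type (also the cookie name);
 *                         derived from the request context when empty
 * @param string $check_auth stored password hash to match (only used with $authType)
 * @param string $check_user stored user name to match (only used with $authType)
 */
function zp_handle_password($authType = NULL, $check_auth = NULL, $check_user = NULL) {
	global $_zp_loggedin, $_zp_login_error, $_zp_current_album, $_zp_current_zenpage_page, $_zp_gallery;
	if (empty($authType)) { // not supplied by caller
		$check_auth = '';
		$p = isset($_GET['p']) ? $_GET['p'] : NULL;
		if ((isset($_GET['z']) && $p === 'full-image') || $p === '*full-image') {
			$authType = 'zp_image_auth';
			$check_auth = getOption('protected_image_password');
			$check_user = getOption('protected_image_user');
		} elseif (in_context(ZP_SEARCH)) { // search page
			$authType = 'zp_search_auth';
			$check_auth = getOption('search_password');
			$check_user = getOption('search_user');
		} elseif (in_context(ZP_ALBUM)) { // album page
			$authType = "zp_album_auth_" . $_zp_current_album->getID();
			$check_auth = $_zp_current_album->getPassword();
			$check_user = $_zp_current_album->getUser();
			if (empty($check_auth)) {
				// not protected itself: inherit the nearest protected ancestor's credentials
				$parent = $_zp_current_album->getParent();
				while (!is_null($parent)) {
					$check_auth = $parent->getPassword();
					$check_user = $parent->getUser();
					$authType = "zp_album_auth_" . $parent->getID();
					if (!empty($check_auth)) {
						break;
					}
					$parent = $parent->getParent();
				}
			}
		} elseif (in_context(ZP_ZENPAGE_PAGE)) {
			$authType = "zp_page_auth_" . $_zp_current_zenpage_page->getID();
			$check_auth = $_zp_current_zenpage_page->getPassword();
			$check_user = $_zp_current_zenpage_page->getUser();
			if (empty($check_auth)) {
				// walk up the page hierarchy until a protected page (or the root) is reached
				$pageobj = $_zp_current_zenpage_page;
				while (empty($check_auth)) {
					$parentID = (int) $pageobj->getParentID();
					if ($parentID === 0) {
						break;
					}
					// $parentID is cast to int above so only a numeric id reaches the query
					$sql = 'SELECT `titlelink` FROM ' . prefix('pages') . ' WHERE `id`=' . $parentID;
					$result = query_single_row($sql);
					if (!$result) {
						break; // dangling parent id: fall through to the gallery credentials
					}
					$pageobj = new ZenpagePage($result['titlelink']);
					$authType = "zp_page_auth_" . $pageobj->getID();
					$check_auth = $pageobj->getPassword();
					$check_user = $pageobj->getUser();
				}
			}
		}
		if (empty($check_auth)) { // anything else is controlled by the gallery credentials
			$authType = 'zp_gallery_auth';
			$check_auth = $_zp_gallery->getPassword();
			$check_user = $_zp_gallery->getUser();
		}
	}
	// Handle the login form.
	if (DEBUG_LOGIN) {
		debugLog("zp_handle_password: \$authType={$authType}; \$check_auth={$check_auth}; \$check_user={$check_user}; ");
	}
	if (isset($_POST['password']) && isset($_POST['pass'])) { // process login form
		$post_user = isset($_POST['user']) ? sanitize($_POST['user']) : '';
		$post_pass = $_POST['pass']; // We should not sanitize the password
		$auth = '';
		$success = false;
		foreach (Zenphoto_Authority::$hashList as $hash => $hi) {
			$auth = Zenphoto_Authority::passwordHash($post_user, $post_pass, $hi);
			// strict string comparison: a loose == would treat numeric-looking hashes
			// (e.g. "0e...") as equal; casts keep NULL/'' user names interchangeable as before
			$success = (string) $auth === (string) $check_auth && (string) $post_user === (string) $check_user;
			if (DEBUG_LOGIN) {
				// the submitted password is deliberately kept out of the log
				debugLog("zp_handle_password({$success}): \$post_user={$post_user}; \$check_auth={$check_auth}; \$auth={$auth}; \$hash={$hash};");
			}
			if ($success) {
				break;
			}
		}
		$success = zp_apply_filter('guest_login_attempt', $success, $post_user, $post_pass, $authType);
		if ($success) { // Correct auth info. Set the cookie.
			if (DEBUG_LOGIN) {
				debugLog("zp_handle_password: valid credentials");
			}
			zp_setCookie($authType, $auth);
			if (isset($_POST['redirect'])) {
				$redirect_to = sanitizeRedirect($_POST['redirect'], true);
				if (!empty($redirect_to)) {
					header("Location: " . $redirect_to);
					exitZP();
				}
			}
		} else { // Clear the cookie, just in case
			if (DEBUG_LOGIN) {
				debugLog("zp_handle_password: invalid credentials");
			}
			zp_clearCookie($authType);
			$_zp_login_error = true;
		}
		return;
	}
	if (empty($check_auth)) { //no password on record or admin logged in
		return;
	}
	$saved_auth = zp_getCookie($authType);
	if ((string) $saved_auth !== '') {
		// same strict comparison as for the posted form
		if ((string) $saved_auth === (string) $check_auth) {
			if (DEBUG_LOGIN) {
				debugLog("zp_handle_password: valid cookie");
			}
			return;
		}
		// Clear the cookie
		if (DEBUG_LOGIN) {
			debugLog("zp_handle_password: invalid cookie");
		}
		zp_clearCookie($authType);
	}
}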
/**
 * Sets the locale, etc. to the zenphoto domain details.
 * Returns the result of setupCurrentLocale()
 *
 * Resolution order as visible below: an explicit `locale` request parameter
 * (remembered in the `dynamic_locale` cookie), the first label of HTTP_HOST,
 * the logged-in admin's language, then (in the garbled stretch) the stored
 * `locale` option / HTTP Accept-Language, and finally BASE_LOCALE or en_US
 * (or the first supported language when that one is not allowed).
 *
 * NOTE(review): the text between the "locale from user: " and "locale from
 * option: " debug strings is garbled in this copy ("******"); the assignment
 * of $localeOption presumably lives there — verify against the upstream file
 * before relying on the block structure shown here.
 */
function setMainDomain() {
	global $_zp_current_admin_obj, $_zp_current_locale;
	if (DEBUG_LOCALE) {
		debugLogBackTrace("setMainDomain()");
	}
	if (isset($_REQUEST['locale'])) {
		// an explicit request parameter wins; it is remembered in a cookie only when validateLocale() accepts it
		$_zp_current_locale = validateLocale(sanitize($_REQUEST['locale']), isset($_POST['locale']) ? 'POST' : 'URI string');
		if ($_zp_current_locale) {
			zp_setCookie('dynamic_locale', $_zp_current_locale);
		} else {
			zp_clearCookie('dynamic_locale');
		}
		if (DEBUG_LOCALE) {
			debugLog("dynamic_locale from URL: " . sanitize($_REQUEST['locale']) . "=>{$_zp_current_locale}");
		}
	} else {
		// otherwise the first label of the (client-supplied) Host header is offered to validateLocale()
		$matches = explode('.', @$_SERVER['HTTP_HOST']);
		$_zp_current_locale = validateLocale($matches[0], 'HTTP_HOST');
		if ($_zp_current_locale && zp_getCookie('dynamic_locale')) {
			zp_clearCookie('dynamic_locale');
		}
		if (DEBUG_LOCALE) {
			debugLog("dynamic_locale from HTTP_HOST: " . sanitize($matches[0]) . "=>{$_zp_current_locale}");
		}
	}
	if (!$_zp_current_locale && is_object($_zp_current_admin_obj)) {
		// a logged-in admin's preferred language
		$_zp_current_locale = $_zp_current_admin_obj->getLanguage();
		if (DEBUG_LOCALE) {
			/* NOTE(review): garbled in this copy — code between the two string literals is missing */
			debugLog("locale from user: "******"locale from option: " . $localeOption . '; dynamic locale=' . $_zp_current_locale);
		}
		if (empty($localeOption) && empty($_zp_current_locale)) {
			// if one is not set, see if there is a match from 'HTTP_ACCEPT_LANGUAGE'
			$languageSupport = generateLanguageList(); // assigned but not used in this branch
			$userLang = parseHttpAcceptLanguage();
			foreach ($userLang as $lang) {
				$l = strtoupper($lang['fullcode']);
				$_zp_current_locale = validateLocale($l, 'HTTP Accept Language');
				if ($_zp_current_locale) {
					break;
				}
			}
		} else {
			if (empty($_zp_current_locale)) {
				$_zp_current_locale = $localeOption;
			}
		}
	}
	if (empty($_zp_current_locale)) {
		// return "default" language, English if allowed, otherwise whatever is the "first" allowed language
		$languageSupport = generateLanguageList();
		if (defined('BASE_LOCALE')) {
			$loc = BASE_LOCALE;
		} else {
			$loc = 'en_US';
		}
		if (empty($languageSupport) || in_array($loc, $languageSupport)) {
			$_zp_current_locale = $loc;
		} else {
			$_zp_current_locale = array_shift($languageSupport);
		}
		if (DEBUG_LOCALE) {
			debugLog("locale from language list: " . $_zp_current_locale);
		}
	} else {
		// record the resolved locale in the option store; the third argument's meaning is not visible here
		setOption('locale', $_zp_current_locale, false);
	}
	if (DEBUG_LOCALE) {
		debugLog("getUserLocale Returning locale: " . $_zp_current_locale);
	}
	return setupCurrentLocale($_zp_current_locale);
}
/**
 * Checks saved cookies to see if a user is logged in
 *
 * The `zp_user_auth` cookie holds "<auth>.<id>"; the pair goes through
 * checkAuthorization() and then the `authorization_cookie` filter. When that
 * does not yield a logged-in result the cookie is cleared.
 *
 * @return mixed the (filtered) checkAuthorization() result, or NULL when the cookie is not valid
 */
function checkCookieCredentials() {
	// the appended '.' guarantees a second element even for an empty or malformed cookie
	$parts = explode('.', zp_getCookie('zp_user_auth') . '.');
	$auth = $parts[0];
	$id = $parts[1];
	$result = $this->checkAuthorization($auth, (int) $id);
	$result = zp_apply_filter('authorization_cookie', $result, $auth, $id);
	if (!$result) {
		zp_clearCookie("zp_user_auth");
		return NULL;
	}
	return $result;
}
/**
 * Loads the search object.
 *
 * Reuses the global SearchEngine when one exists, enters the ZP_SEARCH
 * context and rewrites the `zenphoto_search_params` cookie with the current
 * search parameters.
 *
 * @return SearchEngine the global search object
 */
function zp_load_search() {
	global $_zp_current_search;
	// drop the previous parameter cookie before recording the current search
	zp_clearCookie("zenphoto_search_params");
	$engine = $_zp_current_search;
	if (!is_object($engine)) {
		$engine = new SearchEngine();
		$_zp_current_search = $engine;
	}
	add_context(ZP_SEARCH);
	zp_setCookie("zenphoto_search_params", $engine->getSearchParams(), SEARCH_DURATION);
	return $engine;
}
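/**
 * Development plugin admin tab for clearing cookies (the original header
 * described it as the "tokens" upload tab; the code below handles the
 * `delete_cookie` form and the `cookie` sub-tab).
 *
 * @author Stephen Billard (sbillard)
 *
 * Copyright 2014 by Stephen L Billard for use in {@link https://github.com/ZenPhoto20/ZenPhoto20 ZenPhoto20}
 *
 * @package plugins
 * @subpackage development
 */
require_once dirname(dirname(dirname(__FILE__))) . '/admin-globals.php';

// only users holding DEBUG_RIGHTS reach this tab
admin_securityChecks(DEBUG_RIGHTS, $return = currentRelativeURL());

if (isset($_POST['delete_cookie']) && is_array($_POST['delete_cookie'])) {
	foreach ($_POST['delete_cookie'] as $cookie => $v) {
		// the posted key is the encoded cookie name; postIndexDecode() restores it
		zp_clearCookie(postIndexDecode($cookie));
	}
	// bounce back to this tab so a reload does not re-submit the deletions;
	// the page name matches the one passed to printAdminHeader() below
	header('location: ?page=development&tab=cookie');
	exitZP();
}

$subtab = getSubtabs();
printAdminHeader('development', $subtab);
echo "\n</head>";
?>
<body>
<?php printLogoAndLinks(); ?>
<div id="main">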
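/**
 * Handles the POSTing of a comment
 *
 * When a comment form was posted (and the `username` honey-pot field is empty)
 * the comment is attached to the current image, album, news article or page,
 * the "remember" cookie is updated or cleared, the HTML cache is cleared and —
 * except on IIS — the visitor is redirected back to the page the comment was
 * posted on. Without a post, a previously saved `zenphoto_comment` cookie is
 * loaded into $_zp_comment_stored so the form can be pre-filled.
 *
 * @return NULL|boolean|string false when no comment was posted; otherwise NULL on
 *         success or the error text when the comment was held or could not be placed
 */
function comment_form_handle_comment() {
	global $_zp_current_image, $_zp_current_album, $_zp_comment_stored, $_zp_current_article, $_zp_current_page, $_zp_HTML_cache;
	$cookie = zp_getCookie('zenphoto_comment');
	if (isset($_POST['comment']) && empty($_POST['username'])) { // 'username' is a honey-pot trap
		/*
		 * do not save the post page in the cache
		 * Also the cache should be cleared so that a new page is saved at the first non-comment posting viewing.
		 * But this has to wait until processing is finished to avoid race conditions.
		 */
		$_zp_HTML_cache->disable();
		$commentobject = NULL;
		$redirectTo = NULL;
		$error = NULL;
		if (in_context(ZP_IMAGE)) {
			$commentobject = $_zp_current_image;
			$redirectTo = $_zp_current_image->getLink();
		} elseif (in_context(ZP_ALBUM)) {
			$commentobject = $_zp_current_album;
			$redirectTo = $_zp_current_album->getLink();
		} elseif (in_context(ZP_ZENPAGE_NEWS_ARTICLE)) {
			$commentobject = $_zp_current_article;
			$redirectTo = FULLWEBPATH . '/index.php?p=news&title=' . $_zp_current_article->getTitlelink();
		} elseif (in_context(ZP_ZENPAGE_PAGE)) {
			$commentobject = $_zp_current_page;
			$redirectTo = FULLWEBPATH . '/index.php?p=pages&title=' . $_zp_current_page->getTitlelink();
		} else {
			$error = gettext('Comment posted on unknown page!');
		}
		if (is_object($commentobject)) {
			$p_name = isset($_POST['name']) ? sanitize($_POST['name'], 3) : NULL;
			$p_email = NULL;
			if (isset($_POST['email'])) {
				$p_email = sanitize($_POST['email'], 3);
				if (!is_valid_email_zp($p_email)) {
					$p_email = NULL;
				}
			}
			$p_website = NULL;
			if (isset($_POST['website'])) {
				$p_website = sanitize($_POST['website'], 3);
				if ($p_website && strpos($p_website, 'http') !== 0) {
					// treat a bare host as an http URL; isValidURL() below still has the final say
					$p_website = 'http://' . $p_website;
				}
				if (!isValidURL($p_website)) {
					$p_website = NULL;
				}
			}
			$p_comment = sanitize($_POST['comment'], 1);
			$p_server = getUserIP();
			// the captcha travels as a pair of fields; a missing hidden field counts as an empty code
			$code1 = '';
			$code2 = '';
			if (isset($_POST['code'])) {
				$code1 = sanitize($_POST['code'], 3);
				$code2 = isset($_POST['code_h']) ? sanitize($_POST['code_h'], 3) : '';
			}
			$p_private = isset($_POST['private']);
			$p_anon = isset($_POST['anon']);
			$commentadded = $commentobject->addComment($p_name, $p_email, $p_website, $p_comment, $code1, $code2, $p_server, $p_private, $p_anon, serialize(getCommentAddress(0)));
			// what the form should show next time, whether or not the comment was accepted
			$_zp_comment_stored = array(
				'name' => $commentadded->getName(),
				'email' => $commentadded->getEmail(),
				'website' => $commentadded->getWebsite(),
				'comment' => $commentadded->getComment(),
				'saved' => isset($_POST['remember']),
				'private' => $commentadded->getPrivate(),
				'anon' => $commentadded->getAnon(),
				'custom' => $commentadded->getCustomData(),
			);
			if ($commentadded->getInModeration()) {
				$error = $commentadded->comment_error_text;
			} else {
				$_zp_HTML_cache->clearHtmlCache();
				$error = NULL;
				if (isset($_POST['remember'])) { // Should always re-cookie to update info in case it's changed...
					$_zp_comment_stored['comment'] = ''; // clear the comment itself
					zp_setCookie('zenphoto_comment', serialize($_zp_comment_stored));
				} else {
					zp_clearCookie('zenphoto_comment');
				}
				//use $redirectTo to send users back to where they came from instead of booting them back to the gallery index. (default behaviour)
				if (!isset($_SERVER['SERVER_SOFTWARE']) || strpos(strtolower($_SERVER['SERVER_SOFTWARE']), 'microsoft-iis') === false) { // but not for Microsoft IIS because that server fails if we redirect!
					header('Location: ' . $redirectTo . '#zp_comment_id_' . $commentadded->getId());
					exitZP();
				}
			}
		}
		return $error;
	}
	if (!empty($cookie)) {
		// NOTE(review): the cookie payload is client-controlled and getSerializedArray() is a
		// project helper not visible here — confirm it does not unserialize() arbitrary objects.
		$cookiedata = getSerializedArray($cookie);
		if (count($cookiedata) > 1) {
			$_zp_comment_stored = $cookiedata;
		}
	}
	return false;
}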