/**
 * Write a .htaccess file into the module's content directory.
 *
 * The generated rule rewrites every request below that directory to
 * /index.php?mo=PageBuilder&me=ServeContent&filename=<requested path>, so
 * content is handed to the ServeContent method instead of being delivered
 * by the web server itself.
 *
 * NOTE(review): this only protects the directory where the server honours
 * .htaccess rewrite directives (mod_rewrite enabled and overrides allowed).
 * Elsewhere the file is inert and uploads would be served directly - confirm
 * the deployment. The captured path reaches ServeContent as the `filename`
 * request parameter; its validation is not visible here and should be
 * checked there.
 *
 * @param Module_PageBuilder $module module providing the content path
 * @return string empty string on success, otherwise the ERR_WRITE_FILE error output
 */
private static function protectDirs(Module_PageBuilder $module)
{
    # An earlier variant called GWF_HTAccess::protect404() on the content path; it is disabled.
    $htaccessFile = $module->getContentPath() . '/.htaccess';
    $rules = "RewriteEngine On\nRewriteRule (.*) /index.php?mo=PageBuilder&me=ServeContent&filename=\$1\n";

    # file_put_contents() yields false on failure (or 0 bytes); either counts as an error here.
    $written = file_put_contents($htaccessFile, $rules);
    if ($written) {
        return '';
    }

    return GWF_HTML::err('ERR_WRITE_FILE', array($htaccessFile));
}
/**
 * Handle a file uploaded through the page editor form.
 *
 * Checks run in this order: CSRF validation, presence of the upload, the
 * ".php" substring denylist, the filename allow-pattern, and a collision
 * check against dbimg/content/. On success the file is moved there and
 * self::fileToContent() output is appended to $_POST['content'].
 *
 * NOTE(review): the name used for the stored file is taken from the upload
 * record ($file['name']), presumably the client-supplied name - the two
 * checks below are the only thing constraining it.
 * NOTE(review): what the "WeakS" CSRF variant guarantees is not visible
 * here; confirm it is adequate for a state-changing upload.
 *
 * @param Module_PageBuilder $module module used to render messages
 * @return mixed the CSRF validator's error, or a rendered error/success message
 */
public static function onUpload(Module_PageBuilder $module)
{
    $csrfError = GWF_Form::validateCSRF_WeakS();
    if (false !== $csrfError) {
        return $csrfError;
    }

    $upload = GWF_Upload::getFile('file');
    if (false === $upload) {
        return GWF_HTML::err('ERR_MISSING_UPLOAD');
    }

    $output = '';

    # TODO (from the original author): there are more unsafe languages than PHP.
    # The extension is kept on purpose; an older, disabled approach appended
    # '.html' to forbidden names instead of rejecting them.
    $uploadName = $upload['name'];

    # Denylist: refuse any name containing ".php", case-insensitively and at
    # any position. Substring matching is deliberate: with multi-extension
    # handler mappings a name such as foo.php.html can still be treated as PHP.
    # NOTE(review): no other script extension is rejected here (the disabled
    # list mentioned '.pl', '.py', '.asp'). That is only safe while the upload
    # directory is never executed by the web server - verify the handler
    # configuration and that the rewrite protection covers dbimg/content/.
    if (false !== stripos($uploadName, '.php')) {
        return $module->error('err_file_ext');
    }

    # Allow-pattern: 1 to 63 characters from [a-z0-9_.] (case-insensitive),
    # first character not a dot. This excludes path separators, dotfiles such
    # as .htaccess, whitespace and control characters; the D modifier stops
    # `$` from matching before a trailing newline.
    if (!preg_match('#^[a-z0-9_][a-z0-9_\\.]{0,62}$#iD', $uploadName)) {
        $output .= $module->error('err_file_name');
        return $output;
    }

    # Destination is a fixed directory plus the validated name.
    $target = 'dbimg/content/' . $uploadName;
    $escapedTarget = htmlspecialchars($target);

    # Never overwrite an existing file.
    # NOTE(review): the existence check and the move are separate steps, so
    # two simultaneous uploads of the same name could race; whether moveTo()
    # overwrites is not visible here.
    if (Common::isFile($target)) {
        return $output . $module->error('err_upload_exists');
    }

    if (false === GWF_Upload::moveTo($upload, $target)) {
        return $output . GWF_HTML::err('ERR_WRITE_FILE', array($escapedTarget));
    }

    # BBCode mode is assumed whenever neither the HTML nor the SMARTY bit is
    # set in the posted page type.
    $rawMarkupModes = GWF_Page::HTML | GWF_Page::SMARTY;
    $bbcode = (Common::getPostInt('type', 0) & $rawMarkupModes) === 0;

    # Append a reference to the file (image or anchor, per the original
    # comment) to the posted page content.
    # Assumes the form always posts 'content' - TODO confirm.
    $_POST['content'] .= self::fileToContent($uploadName, $target, $bbcode);

    return $module->message('msg_file_upped', array($escapedTarget));
}
/**
 * Validate the requested page content type.
 *
 * SMARTY and HTML are accepted only when the current user (or guest) is an
 * author according to $m->isAuthor(); BBCODE is accepted for everyone; any
 * other value is rejected.
 *
 * NOTE(review): gating the two raw modes on authorship looks like the
 * privilege boundary for pages containing raw markup / template code -
 * confirm isAuthor() cannot be satisfied by a guest.
 *
 * @param Module_PageBuilder $m module used for the author check and messages
 * @param mixed $arg requested type, compared loosely against the GWF_Page constants
 * @param mixed $locked_mode not used by this method
 * @return mixed false when the type is accepted, otherwise the 'err_type' text
 */
public static function validateType(Module_PageBuilder $m, $arg, $locked_mode)
{
    # Loose (==) comparisons keep the matching rules of a switch statement;
    # the value presumably arrives as request data rather than as an int.
    if ($arg == GWF_Page::SMARTY || $arg == GWF_Page::HTML) {
        $currentUser = GWF_User::getStaticOrGuest();
        if ($m->isAuthor($currentUser)) {
            return false;
        }

        # Non-authors asking for a raw mode get the generic type error.
        return $m->lang('err_type');
    }

    if ($arg == GWF_Page::BBCODE) {
        return false;
    }

    # Unknown type values are rejected.
    return $m->lang('err_type');
}
/**
 * Validate the page URL field; a URL that is already in use is never
 * accepted here (duplicates flag is always false).
 *
 * @param Module_PageBuilder $m module that implements validateURL()
 * @param mixed $arg submitted URL value
 * @return mixed whatever $m->validateURL() returns
 */
public function validate_url(Module_PageBuilder $m, $arg)
{
    $allowDuplicates = false;

    return $m->validateURL($arg, $allowDuplicates);
}
/**
 * Validate the page URL field while editing an existing page.
 *
 * A duplicate URL is tolerated only when the submitted value is strictly
 * identical (===) to the 'page_url' already stored on $this->page, i.e. the
 * URL was left unchanged.
 *
 * @param Module_PageBuilder $m module that implements validateURL()
 * @param mixed $arg submitted URL value
 * @return mixed whatever $m->validateURL() returns
 */
public function validate_url(Module_PageBuilder $m, $arg)
{
    $storedUrl = $this->page->getVar('page_url');
    $urlUnchanged = ($storedUrl === $arg);

    return $m->validateURL($arg, $urlUnchanged);
}