/**
 * Prevent request forgery for logged in users by making sure the request
 * carries a valid nonce.
 *
 * An empty $_POST is ignored. Otherwise the posted data is discarded
 * (gpsession::StripPost) when the 'verified' field is missing, empty, or is
 * neither a valid 'post' nonce nor identical to $session_id.
 *
 * NOTE(review): the session id is accepted in place of the nonce, presumably
 * as a compatibility fallback; unlike the nonce it is not time-limited.
 *
 * @param string $session_id current session identifier accepted as an alternative token
 */
function CheckPosts($session_id) {
    if (count($_POST) == 0) {
        return;
    }

    $reason = null;
    if (!isset($_POST['verified'])) {
        $reason = 'XSS Verification Parameter Not Set';
    } elseif (empty($_POST['verified'])) {
        $reason = 'XSS Verification Parameter Empty';
    } else {
        $token = $_POST['verified'];
        // the nonce is always checked first; the session id is only a fallback
        $nonce_ok = common::verify_nonce('post', $token, true);
        if (!$nonce_ok && $token !== $session_id) {
            $reason = 'XSS Verification Parameter Mismatch';
        }
    }

    if ($reason !== null) {
        gpsession::StripPost($reason);
    }
}
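/**
 * Assign a layout to the page whose index was posted. Child pages without a
 * layout assigned will inherit this setting.
 *
 * Reads $_POST['index'] and $_POST['layout']. The layout must exist in
 * $gpLayouts and the request must carry a valid 'use_<layout>' nonce.
 * $gp_titles[$index]['gpLayout'] is cleared and only set again when the
 * requested layout differs from what display::OrConfig() would resolve, then
 * admin_tools::SavePagesPHP() persists the result. Sets $this->title.
 *
 * @return bool|null false when saving fails, null otherwise (legacy return)
 */
function SetLayout() {
    global $gp_titles, $langmessage, $gpLayouts;

    // read with defaults so a malformed request cannot raise undefined-key notices
    $index  = isset($_POST['index']) ? $_POST['index'] : '';
    $layout = isset($_POST['layout']) ? $_POST['layout'] : '';

    $title = common::IndexToTitle($index);
    if (!$title) {
        message($langmessage['OOPS']);
        return;
    }
    $this->title = $title;

    if (!isset($gpLayouts[$layout])) {
        message($langmessage['OOPS']);
        return;
    }

    // the nonce is bound to the specific layout being applied
    if (!common::verify_nonce('use_' . $layout)) {
        message($langmessage['OOPS']);
        return;
    }

    // unset, then reset only if the inherited/config value differs
    unset($gp_titles[$index]['gpLayout']);
    $currentLayout = display::OrConfig($index, 'gpLayout');
    // strict comparison: layout keys are strings, loose != would treat numeric-looking keys as numbers
    if ($currentLayout !== $layout) {
        $gp_titles[$index]['gpLayout'] = $layout;
    }

    if (!admin_tools::SavePagesPHP()) {
        message($langmessage['OOPS'] . '(3)');
        return false;
    }
    message($langmessage['SAVED']);
}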
/**
 * Prevent request forgery for logged in users by making sure the request
 * carries a valid nonce.
 *
 * An empty $_POST is ignored. Otherwise the posted data is discarded
 * (self::StripPost) when the 'verified' field is missing or empty, or when it
 * is not a valid 'post' nonce.
 */
static function CheckPosts() {
    if (count($_POST) == 0) {
        return;
    }

    $token = empty($_POST['verified']) ? '' : $_POST['verified'];
    if ($token === '') {
        self::StripPost('XSS Verification Parameter Error');
        return;
    }

    if (common::verify_nonce('post', $token, true)) {
        return;
    }
    self::StripPost('XSS Verification Parameter Mismatch');
}
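/**
 * Save a user submitted comment.
 *
 * Validates the 'easy_comments:<count>' nonce (the current comment count is
 * part of the nonce, so resubmitting the same form is rejected), the captcha
 * when enabled in $this->config, and the required name/comment fields. The
 * comment is then appended to $this->comment_data, the index file is updated
 * first and the comment data written afterwards.
 *
 * Stored fields: name (HTML-escaped), comment (tags stripped, newlines
 * converted to <br>), time (unix timestamp) and, optionally, website — kept
 * only when it is an absolute http/https URL.
 *
 * @return bool true when the comment was saved, false otherwise; a message is emitted either way
 */
function CommentAdd() {
    global $langmessage;

    // check the nonce; read with a default so an absent field does not raise a notice
    $nonce = isset($_POST['nonce']) ? $_POST['nonce'] : '';
    if (!common::verify_nonce('easy_comments:' . count($this->comment_data), $nonce, true)) {
        message(gpOutput::GetAddonText('Sorry, your comment was not saved.'));
        return false;
    }

    // captcha: gp_recaptcha::Check() adds its own message on failure
    if ($this->config['comment_captcha'] && gp_recaptcha::isActive() && !gp_recaptcha::Check()) {
        return false;
    }

    // required fields
    foreach (array('name' => 'Name', 'comment' => 'Comment') as $key => $label) {
        if (empty($_POST[$key])) {
            $field = gpOutput::SelectText($label);
            message($langmessage['OOPS_REQUIRED'], $field);
            return false;
        }
    }

    $temp = array();
    // escaped at storage time; explicit flags so quotes are covered in attribute contexts too
    $temp['name']    = htmlspecialchars($_POST['name'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $temp['comment'] = nl2br(strip_tags($_POST['comment']));
    $temp['time']    = time();

    // keep the website only for absolute http(s) URLs; the previous test for
    // '://' alone accepted any scheme, which is unsafe to emit as a link target
    if (!empty($_POST['website']) && $_POST['website'] !== 'http://') {
        $website = $_POST['website'];
        if (is_string($website)
            && preg_match('#^https?://#i', $website)
            && filter_var($website, FILTER_VALIDATE_URL) !== false
        ) {
            $temp['website'] = $website;
        }
    }

    $index = $this->NewIndex();
    $this->comment_data[$index] = $temp;

    // save to the index file first, then the actual comment
    if (!$this->UpdateIndex() || !$this->SaveCommentData()) {
        message(gpOutput::GetAddonText('Sorry, your comment was not saved.'));
        return false;
    }

    message(gpOutput::GetAddonText('Your comment has been saved.'));
    return true;
}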
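/**
 * Move the section named by $_REQUEST['section'] one position up within
 * $this->file_sections and save the file.
 *
 * The section must exist and the request must carry a valid
 * 'move_up<key>' nonce. The rebuilt list is re-indexed 0..n-1 (the original
 * section keys are not preserved). When saving fails the previous sections
 * are restored.
 *
 * @return bool|null false when validation fails, null after a save attempt (legacy return)
 */
function MoveUp() {
    global $langmessage;

    // plain read: the former reference assignment silently created the key in $_REQUEST
    $move_key = isset($_REQUEST['section']) ? $_REQUEST['section'] : null;
    if (!is_scalar($move_key) || !isset($this->file_sections[$move_key])) {
        message($langmessage['OOPS']);
        return false;
    }

    if (!common::verify_nonce('move_up' . $move_key)) {
        message($langmessage['OOPS']);
        return false;
    }

    // locate the section's position; compare as strings because the request
    // value is a string while section keys may be integers
    $file_keys  = array_map('strval', array_keys($this->file_sections));
    $insert_key = array_search((string)$move_key, $file_keys, true);
    // not found, or already the first section (nothing above it)
    if ($insert_key === false || $insert_key === 0) {
        message($langmessage['OOPS']);
        return false;
    }
    $prev_key = $insert_key - 1;

    $move_content = $this->file_sections[$move_key];
    $old_sections = $this->file_sections;

    // rebuild: emit the moved section just before its predecessor, skip its old slot
    $new_sections = array();
    foreach (array_values($this->file_sections) as $pos => $section) {
        if ($pos === $insert_key) {
            continue;
        }
        if ($pos === $prev_key) {
            $new_sections[] = $move_content;
        }
        $new_sections[] = $section;
    }
    $this->file_sections = $new_sections;

    if (!$this->SaveThis()) {
        $this->file_sections = $old_sections;
        message($langmessage['OOPS'] . '(4)');
        return;
    }
}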
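/**
 * Handle a contact form submission: validate the request and send the
 * message to $config['toemail'] through $gp_mailer.
 *
 * Checks, in order: non-empty message, 'contact_post' nonce, the honeypot
 * field 'contact_void' must be empty, recaptcha, the 'contact_form_check'
 * plugin filter, the optional reply address (format validated; line breaks
 * and tags removed from the name before it reaches a mail header), and the
 * fields required by $config['require_email'].
 *
 * @return bool|null true when sent; false on a failed send or a rejected
 *                   field; null on the early rejections (legacy return)
 */
function SendMessage() {
    global $langmessage, $config, $gp_mailer;
    includeFile('tool/email_mailer.php');

    // defaults for every posted field read below, so absent keys never raise notices
    $_POST += array(
        'subject'       => '',
        'contact_nonce' => '',
        'message'       => '',
        'name'          => '',
        'email'         => '',
    );

    if (empty($_POST['message'])) {
        msg($langmessage['OOPS'] . '(Invalid Message)');
        return;
    }

    // check nonce
    if (!common::verify_nonce('contact_post', $_POST['contact_nonce'], true)) {
        msg($langmessage['OOPS'] . '(Invalid Nonce)');
        return;
    }

    // honeypot: a regular browser submits this field empty
    if (!empty($_POST['contact_void'])) {
        msg($langmessage['OOPS'] . '(Robot Detected)');
        return;
    }

    // captcha (adds its own message on failure)
    if (!gp_recaptcha::Check()) {
        return;
    }

    if (!gpPlugin::Filter('contact_form_check', array(true))) {
        return;
    }

    // subject
    $_POST['subject'] = strip_tags($_POST['subject']);

    // message
    // NOTE(review): strip_tags keeps the attributes of allowed tags (e.g. on <a>),
    // so they reach the mail body unchanged — confirm the mailer escapes or sends plain text
    $tags = '<p><div><span><font><b><i><tt><em><i><a><strong><blockquote>';
    $message = nl2br(strip_tags($_POST['message'], $tags));

    // reply address and name
    if (!empty($_POST['email'])) {
        if (!$this->ValidEmail($_POST['email'])) {
            msg($langmessage['invalid_email']);
            return false;
        }
        // the name is used in a mail header: remove line breaks (header injection) and tags
        $replyName = str_replace(array("\r", "\n"), ' ', $_POST['name']);
        $replyName = htmlspecialchars(strip_tags($replyName));
        $gp_mailer->AddReplyTo($_POST['email'], $replyName);
        if (common::ConfigValue('from_use_user', false)) {
            $gp_mailer->SetFrom($_POST['email'], $replyName);
        }
    }

    // required values; read without a reference so a missing key is not created in $config
    $require_email = isset($config['require_email']) ? (string)$config['require_email'] : '';
    if (strpos($require_email, 'email') !== false && empty($_POST['email'])) {
        $field = gpOutput::SelectText('your_email');
        msg($langmessage['OOPS_REQUIRED'], $field);
        return false;
    }
    if (strpos($require_email, 'none') === false) {
        if (empty($_POST['subject'])) {
            $field = gpOutput::SelectText('subject');
            msg($langmessage['OOPS_REQUIRED'], $field);
            return false;
        }
        if (empty($message)) {
            $field = gpOutput::SelectText('message');
            msg($langmessage['OOPS_REQUIRED'], $field);
            return false;
        }
    }

    if ($gp_mailer->SendEmail($config['toemail'], $_POST['subject'], $message)) {
        msg($langmessage['message_sent']);
        return true;
    }

    msg($langmessage['OOPS'] . ' (Send Failed)');
    return false;
}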
/**
 * Delete a single file or folder from the current upload directory.
 *
 * Does nothing inside a thumbnail directory. Requires a valid 'delete'
 * nonce and a file name accepted by $this->CheckFile(); the entry
 * $this->currentDir/<file> is removed with gpFiles::RmAll() and an
 * 'img_deleted' ajax replacement is queued on $page.
 *
 * NOTE(review): the path is built from the name CheckFile() returns — that
 * helper is relied on to reject separators and '..'; confirm at the callee.
 *
 * @return bool|null false inside a thumbnail directory, null otherwise (legacy return)
 */
function DeleteConfirmed() {
    global $langmessage, $page;

    if ($this->isThumbDir) {
        return false;
    }

    if (!common::verify_nonce('delete')) {
        message($langmessage['OOPS'] . ' (Invalid Nonce)');
        return;
    }

    $file = $this->CheckFile();
    if (!$file) {
        return;
    }

    $target   = $this->currentDir . '/' . $file;
    $rel_path = common::GetDir('/data/_uploaded' . $this->subdir . '/' . $file);

    if (gpFiles::RmAll($target)) {
        $page->ajaxReplace[] = array('img_deleted', '', $rel_path);
        return;
    }

    message($langmessage['OOPS']);
}