source: branches/2.4/plugins/LocalFilesEditor/admin.php @ 20712


bug 2844: increase security on LocalFiles Editor, filter on files to edit.

[2235]1<?php
2// +-----------------------------------------------------------------------+
[8728]3// | Piwigo - a PHP based photo gallery                                    |
[2297]4// +-----------------------------------------------------------------------+
[12922]5// | Copyright(C) 2008-2012 Piwigo Team                  http://piwigo.org |
[2297]6// | Copyright(C) 2003-2008 PhpWebGallery Team    http://phpwebgallery.net |
7// | Copyright(C) 2002-2003 Pierrick LE GALL   http://le-gall.net/pierrick |
8// +-----------------------------------------------------------------------+
9// | This program is free software; you can redistribute it and/or modify  |
10// | it under the terms of the GNU General Public License as published by  |
11// | the Free Software Foundation                                          |
12// |                                                                       |
13// | This program is distributed in the hope that it will be useful, but   |
14// | WITHOUT ANY WARRANTY; without even the implied warranty of            |
15// | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU      |
16// | General Public License for more details.                              |
17// |                                                                       |
18// | You should have received a copy of the GNU General Public License     |
19// | along with this program; if not, write to the Free Software           |
20// | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, |
21// | USA.                                                                  |
22// +-----------------------------------------------------------------------+
[2235]23
// Refuse direct requests: PHPWG_ROOT_PATH is presumably only defined when this
// script is reached through the Piwigo admin bootstrap, never when it is
// requested on its own.
if (!defined('PHPWG_ROOT_PATH')) die('Hacking attempt!');
include_once(PHPWG_ROOT_PATH.'admin/include/tabsheet.class.php');
// Plugin-local helpers (presumably get_bak_file(), eval_syntax(), ... used
// below) and the plugin's own translations.
include_once(LOCALEDIT_PATH.'include/functions.inc.php');
load_language('plugin.lang', LOCALEDIT_PATH);
// Base URL of this admin page; the tab name is appended to it for each tab.
$my_base_url = get_root_url().'admin.php?page=plugin-'.basename(dirname(__FILE__));
[2235]29
30// +-----------------------------------------------------------------------+
31// |                            Tabssheet
32// +-----------------------------------------------------------------------+
33
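if (empty($conf['LocalFilesEditor_tabs']))
{
  $conf['LocalFilesEditor_tabs'] = array('localconf', 'css', 'tpl', 'lang', 'plug');
}

// The requested tab selects which include/<tab>.inc.php is loaded below, so a
// request value is accepted only when it is a plain string that exactly matches
// one of the configured tab names: strict comparison (no type juggling) and an
// array value such as ?tab[]=x is rejected outright. Anything else aborts.
$page['tab'] = $conf['LocalFilesEditor_tabs'][0];
if (isset($_GET['tab']))
{
  if (!is_string($_GET['tab'])
      or !in_array($_GET['tab'], $conf['LocalFilesEditor_tabs'], true))
  {
    die('Hacking attempt!');
  }
  $page['tab'] = $_GET['tab'];
}

$tabsheet = new tabsheet();
foreach ($conf['LocalFilesEditor_tabs'] as $tab)
{
  $tabsheet->add($tab, l10n('locfiledit_onglet_'.$tab), $my_base_url.'-'.$tab);
}
$tabsheet->select($page['tab']);
$tabsheet->assign();

// Loads the per-tab logic; $page['tab'] is whitelisted above, which is what
// keeps this include from becoming a path-traversal / local file inclusion.
include_once(LOCALEDIT_PATH.'include/'.$page['tab'].'.inc.php');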
[2235]52
53// +-----------------------------------------------------------------------+
54// |                           Load backup file
55// +-----------------------------------------------------------------------+
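if (isset($_POST['restore']))
{
  // Swap in the backup only when one is actually readable. Previously a
  // restore request with no backup present made file_get_contents() return
  // false, which the template renders as an empty editor while the page still
  // announced that the backup had been loaded -- saving from that state would
  // have emptied the file.
  $bak_file = empty($edited_file) ? '' : get_bak_file($edited_file);
  if ($bak_file !== '' and is_readable($bak_file)
      and ($bak_content = file_get_contents($bak_file)) !== false)
  {
    $content_file = $bak_content;
    array_push($page['infos'],
      l10n('locfiledit_bak_loaded1'),
      l10n('locfiledit_bak_loaded2'));
  }
}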
63
64// +-----------------------------------------------------------------------+
65// |                            Save file
66// +-----------------------------------------------------------------------+
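if (isset($_POST['submit']))
{
  // Writing files under the web root is reserved to the webmaster.
  // NOTE(review): no anti-CSRF token is verified in this file; confirm the
  // admin front controller enforces one before trusting a POST that can
  // rewrite a PHP file.
  if (!is_webmaster())
  {
    array_push($page['errors'], l10n('locfiledit_webmaster_only'));
  }
  else
  {
    // Only a plain string is accepted as file content (an array such as
    // text[]=... would otherwise reach stripslashes()). stripslashes() is
    // applied unconditionally, as before: it assumes the POST body arrived
    // escaped -- TODO confirm the core does not already strip slashes,
    // otherwise backslashes in the edited file are silently lost.
    $posted_text = (isset($_POST['text']) and is_string($_POST['text']))
      ? $_POST['text'] : '';
    $content_file = stripslashes($posted_text);
    // PHP sources are syntax-checked first; eval_syntax() signals a broken
    // file by returning false.
    if (get_extension($edited_file) == 'php')
    {
      $content_file = eval_syntax($content_file);
    }
    if ($content_file === false)
    {
      array_push($page['errors'], l10n('locfiledit_syntax_error'));
    }
    else
    {
      // The "plug" tab writes into a dedicated plugin directory that may not
      // exist yet (created with mkdir()'s default mode, subject to umask).
      if ($page['tab'] == 'plug' and !is_dir(PHPWG_PLUGINS_PATH . 'PersonalPlugin'))
      {
        @mkdir(PHPWG_PLUGINS_PATH . "PersonalPlugin");
      }
      // Keep a copy of the previous version. The backup is best-effort, but a
      // failed copy must not be reported to the user as a saved backup.
      if (file_exists($edited_file))
      {
        $bak_file = get_bak_file($edited_file);
        if (@copy($edited_file, $bak_file))
        {
          array_push($page['infos'], sprintf(l10n('locfiledit_saved_bak'), substr($bak_file, 2)));
        }
      }
      // Success is claimed only when every byte was written: a truncating
      // fopen() followed by an unchecked fwrite() used to report a short or
      // failed write as saved.
      $written = @file_put_contents($edited_file, $content_file);
      if ($written === strlen($content_file))
      {
        array_unshift($page['infos'], l10n('locfiledit_save_config'));
        $template->delete_compiled_templates();
      }
      else
      {
        array_push($page['errors'], l10n('locfiledit_cant_save'));
      }
    }
  }
}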
110
111// +-----------------------------------------------------------------------+
112// |                            template initialization
113// +-----------------------------------------------------------------------+
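$template->set_filenames(array(
    'plugin_admin_content' => dirname(__FILE__) . '/template/admin.tpl'));

if (!empty($edited_file))
{
  // After a failed save, show what the user submitted instead of the file on
  // disk so the edit is not lost. Read the POST field only when it is really
  // there (and a string): errors can come from requests that posted no text,
  // which previously triggered an undefined-index notice here.
  if (!empty($page['errors']) and isset($_POST['text']) and is_string($_POST['text']))
  {
    $content_file = stripslashes($_POST['text']);
  }
  // $content_file is presumably set by the tab include loaded above; fall back
  // to an empty editor rather than an undefined-variable notice.
  $editor_text = isset($content_file) ? (string) $content_file : '';
  $template->assign('zone_edit',
    array(
      'EDITED_FILE' => $edited_file,
      // ENT_QUOTES: escape both quote styles so the value is safe wherever the
      // template places it, independent of the PHP version's default flags
      // (ENT_COMPAT before 8.1, ENT_QUOTES from 8.1 on).
      // NOTE(review): on PHP >= 5.4 htmlspecialchars() returns '' for invalid
      // UTF-8, which presents an empty editor for a non-UTF-8 file -- confirm
      // how such files are meant to be handled.
      'CONTENT_FILE' => htmlspecialchars($editor_text, ENT_QUOTES),
      'FILE_NAME' => trim($edited_file, './\\')
    )
  );
  // "restore" is offered only when a backup file exists; "restore_infos" only
  // when the edited file itself currently exists on disk.
  if (file_exists(get_bak_file($edited_file)))
  {
    $template->assign('restore', true);
  }
  if (file_exists($edited_file))
  {
    $template->assign('restore_infos', true);
  }
}

$template->assign(array(
  // $page['tab'] was validated against the configured tab whitelist earlier in
  // this file, so it is safe to echo into the form action.
  'F_ACTION' => PHPWG_ROOT_PATH.'admin.php?page=plugin-LocalFilesEditor-'.$page['tab'],
  'LOCALEDIT_PATH' => LOCALEDIT_PATH,
  // The tab include may set a CodeMirror mode; null when it does not.
  'CODEMIRROR_MODE' => isset($codemirror_mode) ? $codemirror_mode : null
  )
);

$template->assign_var_from_handle('ADMIN_CONTENT', 'plugin_admin_content');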
148
149?>