source: branches/2.4/plugins/LocalFilesEditor/admin.php @ 20712

Revision 20712, 5.5 KB checked in by plg, 6 years ago (diff)

bug 2844: increase security on LocalFiles Editor, filter on files to edit.

  • Property svn:eol-style set to LF
1<?php
2// +-----------------------------------------------------------------------+
3// | Piwigo - a PHP based photo gallery                                    |
4// +-----------------------------------------------------------------------+
5// | Copyright(C) 2008-2012 Piwigo Team                  http://piwigo.org |
6// | Copyright(C) 2003-2008 PhpWebGallery Team    http://phpwebgallery.net |
7// | Copyright(C) 2002-2003 Pierrick LE GALL   http://le-gall.net/pierrick |
8// +-----------------------------------------------------------------------+
9// | This program is free software; you can redistribute it and/or modify  |
10// | it under the terms of the GNU General Public License as published by  |
11// | the Free Software Foundation                                          |
12// |                                                                       |
13// | This program is distributed in the hope that it will be useful, but   |
14// | WITHOUT ANY WARRANTY; without even the implied warranty of            |
15// | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU      |
16// | General Public License for more details.                              |
17// |                                                                       |
18// | You should have received a copy of the GNU General Public License     |
19// | along with this program; if not, write to the Free Software           |
20// | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, |
21// | USA.                                                                  |
22// +-----------------------------------------------------------------------+
23
// This file is only meaningful when pulled in by Piwigo's admin dispatcher,
// which defines PHPWG_ROOT_PATH; direct requests stop here.
if (!defined('PHPWG_ROOT_PATH'))
{
  die('Hacking attempt!');
}

include_once(PHPWG_ROOT_PATH.'admin/include/tabsheet.class.php');
include_once(LOCALEDIT_PATH.'include/functions.inc.php');
load_language('plugin.lang', LOCALEDIT_PATH);

// Base URL of this plugin's admin page ("-<tab>" is appended per tab below).
// basename(dirname(__FILE__)) is the plugin directory name.
$my_base_url = sprintf(
  '%sadmin.php?page=plugin-%s',
  get_root_url(),
  basename(dirname(__FILE__))
);
29
30// +-----------------------------------------------------------------------+
31// |                            Tabssheet
32// +-----------------------------------------------------------------------+
33
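// Default tab list when the site configuration does not override it.
if (empty($conf['LocalFilesEditor_tabs']))
{
  $conf['LocalFilesEditor_tabs'] = array('localconf', 'css', 'tpl', 'lang', 'plug');
}

// Requested tab, falling back to the first configured one.
$page['tab'] = isset($_GET['tab']) ? $_GET['tab'] : $conf['LocalFilesEditor_tabs'][0];

// The tab name becomes part of an include path below, so it must match one
// of the configured tab names exactly. Strict comparison: a non-string
// request value never matches and is rejected here.
if (!in_array($page['tab'], $conf['LocalFilesEditor_tabs'], true))
{
  die('Hacking attempt!');
}

$tabsheet = new tabsheet();
foreach ($conf['LocalFilesEditor_tabs'] as $tab)
{
  $tabsheet->add($tab, l10n('locfiledit_onglet_'.$tab), $my_base_url.'-'.$tab);
}
$tabsheet->select($page['tab']);
$tabsheet->assign();

// The per-tab include is not visible from this file; the sections below use
// $edited_file (and optionally $codemirror_mode), presumably set by it.
include_once(LOCALEDIT_PATH.'include/'.$page['tab'].'.inc.php');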
52
53// +-----------------------------------------------------------------------+
54// |                           Load backup file
55// +-----------------------------------------------------------------------+
// "Restore" replaces the editor content with the saved backup of the file
// currently being edited; nothing is written to disk here.
// $edited_file is presumably set by the tab include above -- not visible here.
if (isset($_POST['restore']))
{
  $content_file = file_get_contents(get_bak_file($edited_file));
  array_push($page['infos'], l10n('locfiledit_bak_loaded1'));
  array_push($page['infos'], l10n('locfiledit_bak_loaded2'));
}
63
64// +-----------------------------------------------------------------------+
65// |                            Save file
66// +-----------------------------------------------------------------------+
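// Write the submitted content to $edited_file (presumably set by the tab
// include). Only the webmaster may write; PHP sources are syntax-checked
// first; the previous version is copied to the backup file before writing.
if (isset($_POST['submit']))
{
  if (!is_webmaster())
  {
    array_push($page['errors'], l10n('locfiledit_webmaster_only'));
  }
  else
  {
    // NOTE(review): the write is authorised by is_webmaster() alone; no
    // anti-CSRF token is verified in this file. Confirm the form carries one
    // (Piwigo's check_pwg_token()) -- adding it here requires the matching
    // field in template/admin.tpl.
    // stripslashes() is applied unconditionally (magic_quotes era): without
    // magic_quotes_gpc it also strips backslashes the user typed -- TODO
    // confirm the deployment assumption.
    $content_file = isset($_POST['text']) ? stripslashes($_POST['text']) : '';
    if (get_extension($edited_file) === 'php')
    {
      // eval_syntax() lives in include/functions.inc.php (not shown); it is
      // expected to return false when the submitted PHP does not parse.
      $content_file = eval_syntax($content_file);
    }
    if ($content_file === false)
    {
      array_push($page['errors'], l10n('locfiledit_syntax_error'));
    }
    else
    {
      if ($page['tab'] === 'plug' and !is_dir(PHPWG_PLUGINS_PATH.'PersonalPlugin'))
      {
        // A failed mkdir surfaces below as a failed fopen().
        @mkdir(PHPWG_PLUGINS_PATH.'PersonalPlugin');
      }
      if (file_exists($edited_file))
      {
        // Keep the previous version so it can be restored.
        @copy($edited_file, get_bak_file($edited_file));
        array_push($page['infos'], sprintf(l10n('locfiledit_saved_bak'), substr(get_bak_file($edited_file), 2)));
      }

      $written = false;
      if ($file = @fopen($edited_file, 'w'))
      {
        $written = @fwrite($file, $content_file);
        @fclose($file);
      }
      // A failed open, a failed write or a short write must not be reported
      // as a successful save.
      if ($written === false or $written < strlen($content_file))
      {
        array_push($page['errors'], l10n('locfiledit_cant_save'));
      }
      else
      {
        array_unshift($page['infos'], l10n('locfiledit_save_config'));
        $template->delete_compiled_templates();
      }
    }
  }
}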
110
111// +-----------------------------------------------------------------------+
112// |                            template initialization
113// +-----------------------------------------------------------------------+
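$template->set_filenames(array(
    'plugin_admin_content' => dirname(__FILE__) . '/template/admin.tpl'));

if (!empty($edited_file))
{
  // After a failed save, show the submitted text again instead of the file's
  // current content so nothing typed is lost. Only do so when there actually
  // is submitted text; errors raised on a plain GET keep the loaded content.
  if (!empty($page['errors']) and isset($_POST['text']))
  {
    $content_file = stripslashes($_POST['text']);
  }
  $template->assign('zone_edit',
    array(
      'EDITED_FILE' => $edited_file,
      // HTML-escaped for the editor area.
      'CONTENT_FILE' => htmlspecialchars($content_file),
      'FILE_NAME' => trim($edited_file, './\\')
    )
  );
  // Template flags: a backup exists / the edited file itself exists on disk.
  if (file_exists(get_bak_file($edited_file)))
  {
    $template->assign('restore', true);
  }
  if (file_exists($edited_file))
  {
    $template->assign('restore_infos', true);
  }
}

$template->assign(array(
  // $page['tab'] was validated against the configured tab list above.
  'F_ACTION' => PHPWG_ROOT_PATH.'admin.php?page=plugin-LocalFilesEditor-'.$page['tab'],
  'LOCALEDIT_PATH' => LOCALEDIT_PATH,
  // $codemirror_mode is optional (presumably set by the tab include); null
  // when absent, without relying on @ to hide the notice.
  'CODEMIRROR_MODE' => isset($codemirror_mode) ? $codemirror_mode : null
  )
);

$template->assign_var_from_handle('ADMIN_CONTENT', 'plugin_admin_content');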
148
149?>