source: branches/2.4/plugins/LocalFilesEditor/admin.php @ 20713

Revision 20713, 5.5 KB checked in by plg, 6 years ago (diff)

bug 2844: improve security on LocalFiles Editor, add pwg_token to avoid CSRF

1<?php
2// +-----------------------------------------------------------------------+
3// | Piwigo - a PHP based photo gallery                                    |
4// +-----------------------------------------------------------------------+
5// | Copyright(C) 2008-2012 Piwigo Team                  http://piwigo.org |
6// | Copyright(C) 2003-2008 PhpWebGallery Team    http://phpwebgallery.net |
7// | Copyright(C) 2002-2003 Pierrick LE GALL   http://le-gall.net/pierrick |
8// +-----------------------------------------------------------------------+
9// | This program is free software; you can redistribute it and/or modify  |
10// | it under the terms of the GNU General Public License as published by  |
11// | the Free Software Foundation                                          |
12// |                                                                       |
13// | This program is distributed in the hope that it will be useful, but   |
14// | WITHOUT ANY WARRANTY; without even the implied warranty of            |
15// | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU      |
16// | General Public License for more details.                              |
17// |                                                                       |
18// | You should have received a copy of the GNU General Public License     |
19// | along with this program; if not, write to the Free Software           |
20// | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, |
21// | USA.                                                                  |
22// +-----------------------------------------------------------------------+
23
// Direct HTTP access guard: PHPWG_ROOT_PATH is presumably only defined when
// the Piwigo core includes this admin page itself (not verified here).
if (!defined('PHPWG_ROOT_PATH'))
{
  die('Hacking attempt!');
}

include_once(PHPWG_ROOT_PATH.'admin/include/tabsheet.class.php');
include_once(LOCALEDIT_PATH.'include/functions.inc.php');
load_language('plugin.lang', LOCALEDIT_PATH);

// Base URL of this plugin's admin page; the tab name is appended per tab
// when the tabsheet is built.
$my_base_url = sprintf(
  '%sadmin.php?page=plugin-%s',
  get_root_url(),
  basename(dirname(__FILE__))
);

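// +-----------------------------------------------------------------------+
// |                            Tabssheet
// +-----------------------------------------------------------------------+

// Allowed tabs. Each name maps 1:1 to include/<tab>.inc.php (included below),
// so this list doubles as the whitelist that keeps the include path under
// our control.
if (empty($conf['LocalFilesEditor_tabs']))
{
  $conf['LocalFilesEditor_tabs'] = array('localconf', 'css', 'tpl', 'lang', 'plug');
}

// Tab requested via ?tab=..., defaulting to the first configured tab.
$page['tab'] = isset($_GET['tab']) ? $_GET['tab'] : $conf['LocalFilesEditor_tabs'][0];

// Reject anything that is not exactly one of the whitelisted strings. The
// is_string() check rules out ?tab[]=x, and strict in_array() avoids any
// loose-comparison surprises, since the value ends up in an include path.
if (!is_string($page['tab'])
    or !in_array($page['tab'], $conf['LocalFilesEditor_tabs'], true))
{
  die('Hacking attempt!');
}

$tabsheet = new tabsheet();
foreach ($conf['LocalFilesEditor_tabs'] as $tab)
{
  $tabsheet->add($tab, l10n('locfiledit_onglet_'.$tab), $my_base_url.'-'.$tab);
}
$tabsheet->select($page['tab']);
$tabsheet->assign();

// Safe only because $page['tab'] was validated against the whitelist just
// above: never include a path built from unchecked request data.
// The tab include is expected to set $edited_file / $content_file used by
// the handlers below -- TODO confirm against include/<tab>.inc.php.
include_once(LOCALEDIT_PATH.'include/'.$page['tab'].'.inc.php');
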
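// +-----------------------------------------------------------------------+
// |                           Load backup file
// +-----------------------------------------------------------------------+
// "Restore" only reloads the backup into the editor view; nothing is written
// to disk until the webmaster saves, which is where the CSRF token and the
// role are checked. The read is guarded so that a missing backup or an unset
// $edited_file (the template hides the restore button when there is no
// backup, so such a POST is abnormal) does not raise a warning and hand
// `false` to the template; the current editor content is simply kept.
if (isset($_POST['restore']))
{
  if (!empty($edited_file) and is_readable(get_bak_file($edited_file)))
  {
    $content_file = file_get_contents(get_bak_file($edited_file));
    array_push($page['infos'],
      l10n('locfiledit_bak_loaded1'),
      l10n('locfiledit_bak_loaded2'));
  }
}
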
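// +-----------------------------------------------------------------------+
// |                            Save file
// +-----------------------------------------------------------------------+
// This is the only state-changing action on the page: it overwrites a file
// under the gallery with request-supplied content. Hence, in this order:
//   1. check_pwg_token() - CSRF token, before anything else happens;
//   2. is_webmaster()    - only the webmaster role may edit local files;
//   3. eval_syntax()     - PHP files appear to be syntax-checked first (it
//                          yields false on error) so a typo does not take
//                          the whole gallery down.
// $edited_file and get_bak_file() come from the tab include and
// functions.inc.php; they are assumed to be constrained to the local file
// tree there -- TODO confirm, this block does not re-check the path.
if (isset($_POST['submit']))
{
  check_pwg_token();

  if (!is_webmaster())
  {
    array_push($page['errors'], l10n('locfiledit_webmaster_only'));
  }
  elseif (!isset($_POST['text']) or !is_string($_POST['text']))
  {
    // A missing or non-scalar "text" field (e.g. text[]=) must not silently
    // become an empty string written over a real file.
    array_push($page['errors'], l10n('locfiledit_cant_save'));
  }
  else
  {
    $content_file = stripslashes($_POST['text']);
    if (get_extension($edited_file) == 'php')
    {
      $content_file = eval_syntax($content_file);
    }
    if ($content_file === false)
    {
      array_push($page['errors'], l10n('locfiledit_syntax_error'));
    }
    else
    {
      if ($page['tab'] == 'plug' and !is_dir(PHPWG_PLUGINS_PATH . 'PersonalPlugin'))
      {
        // A failed mkdir surfaces as the write error below.
        @mkdir(PHPWG_PLUGINS_PATH . "PersonalPlugin");
      }

      // The backup is the only undo this editor has ("restore" above), so
      // refuse to overwrite an existing file when its backup could not be
      // written instead of reporting a backup that does not exist.
      if (file_exists($edited_file)
          and !@copy($edited_file, get_bak_file($edited_file)))
      {
        array_push($page['errors'], l10n('locfiledit_cant_save'));
      }
      else
      {
        if (file_exists($edited_file))
        {
          array_push($page['infos'], sprintf(l10n('locfiledit_saved_bak'), substr(get_bak_file($edited_file), 2)));
        }

        // file_put_contents() replaces fopen/fwrite/fclose so the number of
        // bytes written can be compared with the content length: a failed
        // or short write used to be reported as a successful save.
        if (@file_put_contents($edited_file, $content_file, LOCK_EX) === strlen($content_file))
        {
          array_unshift($page['infos'], l10n('locfiledit_save_config'));
          $template->delete_compiled_templates();
        }
        else
        {
          array_push($page['errors'], l10n('locfiledit_cant_save'));
        }
      }
    }
  }
}
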
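// +-----------------------------------------------------------------------+
// |                            template initialization
// +-----------------------------------------------------------------------+
$template->set_filenames(array(
    'plugin_admin_content' => dirname(__FILE__) . '/template/admin.tpl'));

if (!empty($edited_file))
{
  // After a failed save, show the text the user submitted rather than the
  // on-disk content so the edit is not lost. Only do so when a text field
  // was actually posted: an error raised elsewhere must not blank the editor.
  if (!empty($page['errors']) and isset($_POST['text']) and is_string($_POST['text']))
  {
    $content_file = stripslashes($_POST['text']);
  }
  // $content_file is expected to be set by the tab include -- TODO confirm.
  // A failed file_get_contents() leaves it as false; both cases render empty.
  if (!isset($content_file) or $content_file === false)
  {
    $content_file = '';
  }
  $template->assign('zone_edit',
    array(
      // EDITED_FILE / FILE_NAME come from the tab include, not from the
      // request; they are passed unescaped, so the template must escape
      // them if it echoes them into HTML -- TODO confirm in admin.tpl.
      'EDITED_FILE' => $edited_file,
      // Entity-escaped for the edit area; the browser decodes entities
      // back, so the round trip does not alter the file content.
      'CONTENT_FILE' => htmlspecialchars($content_file),
      'FILE_NAME' => trim($edited_file, './\\')
    )
  );
  // Offer "restore" only when a backup actually exists.
  if (file_exists(get_bak_file($edited_file)))
  {
    $template->assign('restore', true);
  }
  if (file_exists($edited_file))
  {
    $template->assign('restore_infos', true);
  }
}
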
// Form target (tab-specific so the same tab include runs on submit), plus the
// anti-CSRF token that check_pwg_token() in the save handler validates;
// the template is presumably expected to carry it as a hidden form field.
$template->assign(
  array(
    'F_ACTION' => PHPWG_ROOT_PATH.'admin.php?page=plugin-LocalFilesEditor-'.$page['tab'],
    'LOCALEDIT_PATH' => LOCALEDIT_PATH,
    'PWG_TOKEN' => get_pwg_token(),
    // $codemirror_mode may be left unset by the tab include; null then.
    'CODEMIRROR_MODE' => isset($codemirror_mode) ? $codemirror_mode : null,
  )
);

$template->assign_var_from_handle('ADMIN_CONTENT', 'plugin_admin_content');

152?>