Changeset 20712


Timestamp:
02/12/13 11:01:46 (6 years ago)
Author:
plg
Message:

bug 2844: increase security on LocalFiles Editor, filter on files to edit.

Location:
branches/2.4/plugins/LocalFilesEditor
Files:
5 edited

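--- a/branches/2.4/plugins/LocalFilesEditor/admin.php
+++ b/branches/2.4/plugins/LocalFilesEditor/admin.php
@@ -56,5 +56,4 @@
 if (isset($_POST['restore']))
 {
-  $edited_file = $_POST['edited_file'];
   $content_file = file_get_contents(get_bak_file($edited_file));
   array_push($page['infos'],
@@ -74,5 +73,4 @@
   else
   {
-    $edited_file = $_POST['edited_file'];
     $content_file = stripslashes($_POST['text']);
     if (get_extension($edited_file) == 'php')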
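--- a/branches/2.4/plugins/LocalFilesEditor/include/css.inc.php
+++ b/branches/2.4/plugins/LocalFilesEditor/include/css.inc.php
@@ -1,22 +1,38 @@
 <?php
-
 if (!defined('PHPWG_ROOT_PATH')) die('Hacking attempt!');
 
-if ((isset($_POST['edit'])) and !is_numeric($_POST['file_to_edit']))
+include_once(PHPWG_ROOT_PATH.'admin/include/themes.class.php');
+$themes = new themes();
+
+if (isset($_POST['edit']))
 {
-  $edited_file = $_POST['file_to_edit'];
+  $_POST['theme'] = $_POST['theme_select'];
 }
-elseif (isset($_POST['edited_file']))
+
+if (isset($_POST['theme']) and '~common~' == $_POST['theme'])
 {
-  $edited_file = $_POST['edited_file'];
-}
-elseif (isset($_GET['theme']) and in_array($_GET['theme'], array_keys(get_pwg_themes(true))))
-{
-  $edited_file = PHPWG_ROOT_PATH.PWG_LOCAL_DIR . 'css/'.$_GET['theme'].'-rules.css';
+  $page['theme'] = $_POST['theme'];
+  $edited_file = PHPWG_ROOT_PATH.PWG_LOCAL_DIR.'css/rules.css';
 }
 else
 {
-  $edited_file = PHPWG_ROOT_PATH.PWG_LOCAL_DIR . 'css/'.get_default_theme().'-rules.css';
+  if (isset($_GET['theme']))
+  {
+    $page['theme'] = $_GET['theme'];
+  }
+  elseif (isset($_POST['theme']))
+  {
+    $page['theme'] = $_POST['theme'];
+  }
+
+  if (!isset($page['theme']) or !in_array($page['theme'], array_keys($themes->fs_themes)))
+  {
+    $page['theme'] = get_default_theme();
+  }
+
+  $edited_file = PHPWG_ROOT_PATH.PWG_LOCAL_DIR . 'css/'.$page['theme'].'-rules.css';
 }
+
+$template->assign('theme', $page['theme']);
 
 if (file_exists($edited_file))
@@ -30,10 +46,9 @@
 
 $selected = 0;
-// $options[] = l10n('locfiledit_choose_file');
-// $options[] = '----------------------';
-$value = PHPWG_ROOT_PATH.PWG_LOCAL_DIR . "css/rules.css";
+$value = '~common~';
+$file = PHPWG_ROOT_PATH.PWG_LOCAL_DIR . 'css/rules.css';
 
-$options[$value] = (file_exists($value) ? '&#x2714;' : '&#x2718;').' local / css / rules.css';
-if ($edited_file == $value)
+$options[$value] = (file_exists($file) ? '&#x2714;' : '&#x2718;').' local / css / rules.css';
+if ($page['theme'] == $value)
 {
   $selected = $value;
@@ -43,6 +58,4 @@
 // [Administration > Configuration > Themes]
 
-include_once(PHPWG_ROOT_PATH.'admin/include/themes.class.php');
-$themes = new themes();
 $themes->sort_fs_themes();
 $default_theme = get_default_theme();
@@ -82,46 +95,56 @@
 }
 
-$options[] = '';
-$options[] = '----- '.l10n('Active Themes').' -----';
-$options[] = '';
+$active_theme_options = array();
 foreach ($active_themes as $theme)
 {
-  $value = PHPWG_ROOT_PATH.PWG_LOCAL_DIR . 'css/'.$theme['id'].'-rules.css';
+  $file = PHPWG_ROOT_PATH.PWG_LOCAL_DIR . 'css/'.$theme['id'].'-rules.css';
 
-  $options[$value] = (file_exists($value) ? '&#x2714;' : '&#x2718;').' '.$theme['name'];
+  $label = (file_exists($file) ? '&#x2714;' : '&#x2718;').' '.$theme['name'];
 
   if ($default_theme == $theme['id'])
   {
-    $options[$value].= ' ('.l10n('default').')';
+    $label.= ' ('.l10n('default').')';
   }
+
+  $active_theme_options[$theme['id']] = $label;
 
-  if ($edited_file == $value)
+  if ($theme['id'] == $page['theme'])
   {
-    $selected = $value;
+    $selected = $theme['id'];
   }
 }
 
-$options[] = '';
-$options[] = '----- '.l10n('Inactive Themes').' -----';
-$options[] = '';
+if (count($active_theme_options) > 0)
+{
+  $options[l10n('Active Themes')] = $active_theme_options;
+}
+
+$inactive_theme_options = array();
 foreach ($inactive_themes as $theme)
 {
-  $value = PHPWG_ROOT_PATH.PWG_LOCAL_DIR . 'css/'.$theme['id'].'-rules.css';
+  $file = PHPWG_ROOT_PATH.PWG_LOCAL_DIR . 'css/'.$theme['id'].'-rules.css';
 
-  $options[$value] = (file_exists($value) ? '&#x2714;' : '&#x2718;').' '.$theme['name'];
+  $inactive_theme_options[$theme['id']] = (file_exists($file) ? '&#x2714;' : '&#x2718;').' '.$theme['name'];
 
-  if ($edited_file == $value)
+  if ($theme['id'] == $page['theme'])
   {
-    $selected = $value;
+    $selected = $theme['id'];
   }
 }
 
-$template->assign('css_lang_tpl', array(
-  'OPTIONS' => $options,
-  'SELECTED' => $selected
-  )
+if (count($inactive_theme_options) > 0)
+{
+  $options[l10n('Inactive Themes')] = $inactive_theme_options;
+}
+
+$template->assign(
+  'css_lang_tpl',
+  array(
+    'SELECT_NAME' => 'theme_select',
+    'OPTIONS' => $options,
+    'SELECTED' => $selected
+    )
 );
 
 $codemirror_mode = 'text/css';
-
 ?>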
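Review bot: The allowlist check at new line 28, `if (!isset($page['theme']) or !in_array($page['theme'], array_keys($themes->fs_themes)))`, relies on in_array()'s loose comparison for the value that later selects the file to read and write; `if (!isset($page['theme']) or !array_key_exists($page['theme'], $themes->fs_themes))` is exact and shorter, and the same applies to the language check at new line 16 of lang.inc.php in this changeset. On line 9 `$_POST['theme_select']` is read without an isset() guard, so a POST carrying only `edit` raises a notice. Lines 19–25 let `$_GET['theme']` take precedence over the posted hidden `theme` field; if the admin page URL can carry that parameter, the file shown in the editor and the file written by the save path in admin.php could differ, so when both are present the posted value is the safer primary source.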
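--- a/branches/2.4/plugins/LocalFilesEditor/include/lang.inc.php
+++ b/branches/2.4/plugins/LocalFilesEditor/include/lang.inc.php
@@ -1,31 +1,45 @@
 <?php
-
 if (!defined('PHPWG_ROOT_PATH')) die('Hacking attempt!');
 
-$edited_file = isset($_POST['edited_file']) ? $_POST['edited_file'] : '';
-$content_file = '';
+$languages = get_languages();
 
-if ((isset($_POST['edit'])) and !is_numeric($_POST['file_to_edit']))
+if (isset($_POST['edit']))
 {
-  $edited_file = $_POST['file_to_edit'];
-  if (file_exists($edited_file))
-  {
-    $content_file = file_get_contents($edited_file);
-  }
-  else
-  {
-    $content_file = "<?php\n\n/* ".l10n('locfiledit_newfile')." */\n\n\n\n\n?>";
-  }
+  $_POST['language'] = $_POST['language_select'];
 }
 
-$selected = 0;
-$options[] = l10n('locfiledit_choose_file');
-$options[] = '----------------------';
+if (isset($_POST['language']))
+{
+  $page['language'] = $_POST['language'];
+}
+
+if (!isset($page['language']) or !in_array($page['language'], array_keys($languages)))
+{
+  $page['language'] = get_default_language();
+}
+
+$template->assign('language', $page['language']);
+
+$edited_file = PHPWG_ROOT_PATH.PWG_LOCAL_DIR.'language/'.$page['language'].'.lang.php';;
+
+if (file_exists($edited_file))
+{
+  $content_file = file_get_contents($edited_file);
+}
+else
+{
+  $content_file = "<?php\n\n/* ".l10n('locfiledit_newfile')." */\n\n\n\n\n?>";
+}
+
+$selected = 0;
 foreach (get_languages() as $language_code => $language_name)
 {
-  $value = PHPWG_ROOT_PATH.PWG_LOCAL_DIR.'language/'.$language_code.'.lang.php';
-  if ($edited_file == $value)
+  $file = PHPWG_ROOT_PATH.PWG_LOCAL_DIR.'language/'.$language_code.'.lang.php';
+
+  $options[$language_code] = (file_exists($file) ? '&#x2714;' : '&#x2718;').' '.$language_name;
+
+  if ($page['language'] == $language_code)
   {
-    $selected = $value;
+    $selected = $language_code;
     $template->assign('show_default', array(
       array(
@@ -40,8 +54,10 @@
     );
   }
-  $options[$value] = $language_name;
 }
 
-$template->assign('css_lang_tpl', array(
+$template->assign(
+  'css_lang_tpl',
+  array(
+    'SELECT_NAME' => 'language_select',
     'OPTIONS' => $options,
     'SELECTED' => $selected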
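Review bot: New line 23 ends with a doubled semicolon, `$edited_file = PHPWG_ROOT_PATH.PWG_LOCAL_DIR.'language/'.$page['language'].'.lang.php';;` — harmless to PHP, but it reads as a typo and trips linters, so drop the second `;`. The loop at line 35 calls get_languages() a second time although `$languages` at line 4 already holds the result; `foreach ($languages as $language_code => $language_name)` avoids the repeated lookup and guarantees the menu and the allowlist are built from the same list. A short comment above line 11 would help the next reader follow the two entry points, e.g. `// 'language' arrives either from the select on submit (copied from language_select above) or from the hidden field posted with the edited text`.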
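--- a/branches/2.4/plugins/LocalFilesEditor/include/tpl.inc.php
+++ b/branches/2.4/plugins/LocalFilesEditor/include/tpl.inc.php
@@ -1,20 +1,33 @@
 <?php
-
 if (!defined('PHPWG_ROOT_PATH')) die('Hacking attempt!');
 
-$edited_file = isset($_POST['edited_file']) ? $_POST['edited_file'] : '';
+$edited_file = '';
+
+if (isset($_POST['edit']))
+{
+  $_POST['template'] = $_POST['file_to_edit'];
+}
+
+if (!empty($_POST['template']))
+{
+  if (preg_match('#\.\./#', $_POST['template']))
+  {
+    die('Hacking attempt! template extension must be in template-extension directory');
+  }
+
+  if (!preg_match('#\.tpl$#', $_POST['template']))
+  {
+    die('Hacking attempt! template extension must be a *.tpl file');
+  }
+
+  $template->assign('template', $_POST['template']);
+
+  $edited_file = './template-extension/'.$_POST['template'];
+}
+
 $content_file = '';
-
-if ((isset($_POST['edit'])) and !is_numeric($_POST['file_to_edit']))
+if (file_exists($edited_file))
 {
-  $edited_file = $_POST['file_to_edit'];
-  if (file_exists($edited_file))
-  {
-    $content_file = file_get_contents($edited_file);
-  }
-  else
-  {
-    $content_file = '';
-  }
+  $content_file = file_get_contents($edited_file);
 }
 
@@ -51,4 +64,5 @@
   else
   {
+    $template->assign('template', $filename);
     $edited_file = $_POST['tpl_parent'] . '/' . $filename;
     $content_file = ($_POST['tpl_model'] == '0') ? '' : file_get_contents($_POST['tpl_model']);
@@ -118,5 +132,5 @@
   foreach (get_extents() as $pwg_template)
   {
-    $value = './template-extension/' . $pwg_template;
+    $value = $pwg_template;
     $options[$value] =  str_replace('/', ' / ', $pwg_template);
     if ($edited_file == $value) $selected = $value;
@@ -127,11 +141,14 @@
     $selected = $edited_file;
   }
-  $template->assign('css_lang_tpl', array(
-    'OPTIONS' => $options,
-    'SELECTED' => $selected,
-    'NEW_FILE_URL' => $my_base_url.'-tpl&amp;newfile',
-    'NEW_FILE_CLASS' => empty($edited_file) ? '' : 'top_right'
-    )
-  );
+  $template->assign(
+    'css_lang_tpl',
+    array(
+      'SELECT_NAME' => 'file_to_edit',
+      'OPTIONS' => $options,
+      'SELECTED' => $selected,
+      'NEW_FILE_URL' => $my_base_url.'-tpl&amp;newfile',
+      'NEW_FILE_CLASS' => empty($edited_file) ? '' : 'top_right'
+      )
+    );
 }
 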
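Review bot: The preselection test at new line 136, `if ($edited_file == $value) $selected = $value;`, can no longer be true: line 134 now stores the bare `$pwg_template` in `$value` while `$edited_file` (line 25) keeps the `./template-extension/` prefix, so the file being edited is not preselected in the list unless the `$selected = $edited_file` branch at line 141 covers it — that branch starts outside the hunk. Comparing like with like fixes it: `if ($edited_file == './template-extension/'.$value) $selected = $value;`. The filter on `$_POST['template']` at lines 13–21 is a denylist (reject `../`, require a `.tpl` suffix), whereas css.inc.php and lang.inc.php in this same changeset validate the request value against the known list; get_extents() appears to return exactly the accepted names, so `in_array($_POST['template'], get_extents(), true)` before line 25 would align the three files and make the later comparison exact. The value is also assigned to the template at line 23 and rendered into a hidden input in admin.tpl, so it needs HTML escaping there unless the engine escapes by default. `$_POST['tpl_model']` is passed straight to file_get_contents() at line 68; unless the enclosing block, which starts outside the hunk, validates it earlier, it deserves the same allowlist treatment.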
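--- a/branches/2.4/plugins/LocalFilesEditor/template/admin.tpl
+++ b/branches/2.4/plugins/LocalFilesEditor/template/admin.tpl
@@ -31,5 +31,16 @@
 <div id="LocalFilesEditor">
 
-<input type="hidden" value="{$zone_edit.EDITED_FILE}" name="edited_file"/>
+{if isset($theme)}
+<input type="hidden" value="{$theme}" name="theme">
+{/if}
+
+{if isset($language)}
+<input type="hidden" value="{$language}" name="language">
+{/if}
+
+{if isset($template)}
+<input type="hidden" value="{$template}" name="template">
+{/if}
+
 
 {if isset ($create_tpl)}
@@ -53,18 +64,16 @@
 
 {if isset ($css_lang_tpl)}
-<select name="file_to_edit">
-{foreach from=$css_lang_tpl.OPTIONS item=theme key=value}
-  <option value="{$value}" {if $value == $css_lang_tpl.SELECTED}selected="selected"{/if} {if is_numeric($value)}disabled="disabled"{/if}>{$theme}</option>
-{/foreach}
+<select name="{$css_lang_tpl.SELECT_NAME}">
+{html_options options=$css_lang_tpl.OPTIONS selected=$css_lang_tpl.SELECTED}
 </select>
-
 
 <input class="submit" type="submit" value="{'locfiledit_edit'|@translate}" name="edit" />
 <br><br>
-  {if isset ($css_lang_tpl.NEW_FILE_URL)}
-  <span class="{$css_lang_tpl.NEW_FILE_CLASS}">
-  <a href="{$css_lang_tpl.NEW_FILE_URL}">{'locfiledit_new_tpl'|@translate}</a>
-  </span>
-  {/if}
+{/if}
+
+{if isset ($css_lang_tpl.NEW_FILE_URL)}
+<span class="{$css_lang_tpl.NEW_FILE_CLASS}">
+<a href="{$css_lang_tpl.NEW_FILE_URL}">{'locfiledit_new_tpl'|@translate}</a>
+</span>
 {/if}
 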
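Review bot: The three hidden inputs at new lines 34, 38 and 42 interpolate `{$theme}`, `{$language}` and `{$template}` into attribute values with no escape modifier; `theme` and `language` are reduced to known ids server-side in this changeset, but `template` is only pattern-filtered in tpl.inc.php, so `<input type="hidden" value="{$template|escape}" name="template">` is the safe form unless this template engine escapes output by default. The new `<input>` tags also omit the self-closing slash that the removed line 33 and the submit button at line 70 use; matching one style keeps the markup consistent. The removed `{foreach}` at lines 56–58 rendered numeric option keys as disabled separators, which `html_options` at line 67 does not do; that is fine now that the PHP side no longer adds separator entries, and a one-line comment above line 67 saying so would save the next reader the check.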