Revision 1337
Added by Luisehahne over 15 years ago
| branches/2.8.x/CHANGELOG | ||
|---|---|---|
| 12 | 12 |
|
| 13 | 13 |
------------------------------------- 2.8.1 ------------------------------------- |
| 14 | 14 |
27-Apr-2010 Dietmar Woellbrink (Luisehahne) |
| 15 |
+ add an extra class class.secureform.php and extends it to class.wb.php |
|
| 16 |
! check for installed modules before loading in content |
|
| 17 |
27-Apr-2010 Dietmar Woellbrink (Luisehahne) |
|
| 15 | 18 |
! remove forgotten debug line |
| 16 | 19 |
27-Apr-2010 Dietmar Woellbrink (Luisehahne) |
| 17 | 20 |
# Fixed update search settings |
| branches/2.8.x/wb/admin/interface/version.php | ||
|---|---|---|
| 52 | 52 |
|
| 53 | 53 |
// check if defined to avoid errors during installation (redirect to admin panel fails if PHP error/warnings are enabled) |
| 54 | 54 |
if(!defined('VERSION')) define('VERSION', '2.8.x');
|
| 55 |
if(!defined('REVISION')) define('REVISION', '1336');
|
|
| 55 |
if(!defined('REVISION')) define('REVISION', '1337');
|
|
| 56 | 56 |
|
| 57 | 57 |
?> |
| branches/2.8.x/wb/framework/class.wb.php | ||
|---|---|---|
| 24 | 24 |
// Include new wbmailer class (subclass of PHPmailer) |
| 25 | 25 |
require_once(WB_PATH."/framework/class.wbmailer.php"); |
| 26 | 26 |
|
| 27 |
class wb |
|
| 27 |
require_once(WB_PATH."/framework/class.secureform.php"); |
|
| 28 |
|
|
| 29 |
class wb extends SecureForm |
|
| 28 | 30 |
{
|
| 29 | 31 |
|
| 30 | 32 |
var $password_chars = 'a-zA-Z0-9\_\-\!\#\*\+'; |
| 31 | 33 |
// General initialization function |
| 32 | 34 |
// performed when frontend or backend is loaded. |
| 35 |
|
|
| 33 | 36 |
function wb() {
|
| 34 | 37 |
} |
| 35 | 38 |
|
| ... | ... | |
| 272 | 275 |
} |
| 273 | 276 |
} |
| 274 | 277 |
|
| 275 |
/* |
|
| 276 |
* creates Formular transactionnumbers for unique use |
|
| 277 |
* @access public |
|
| 278 |
* @param bool $asTAG: true returns a complete prepared, hidden HTML-Input-Tag (default) |
|
| 279 |
* false returns an array including FTAN0 and FTAN1 |
|
| 280 |
* @return mixed: array or string |
|
| 281 |
* |
|
| 282 |
* requirements: an active session must be available |
|
| 283 |
*/ |
|
| 284 |
function getFTAN( $as_tag = true) |
|
| 285 |
{
|
|
| 286 |
if(function_exists('microtime'))
|
|
| 287 |
{
|
|
| 288 |
list($usec, $sec) = explode(" ", microtime());
|
|
| 289 |
$time = (string)((float)$usec + (float)$sec); |
|
| 290 |
}else{
|
|
| 291 |
$time = (string)time(); |
|
| 292 |
} |
|
| 293 |
$salt = ( isset($_SERVER['HTTP_ACCEPT']) ? $_SERVER['HTTP_ACCEPT'] : ''); |
|
| 294 |
$salt .= ( isset($_SERVER['HTTP_ACCEPT_CHARSET']) ? $_SERVER['HTTP_ACCEPT_CHARSET'] : ''); |
|
| 295 |
$salt .= ( isset($_SERVER['HTTP_ACCEPT_ENCODING']) ? $_SERVER['HTTP_ACCEPT_ENCODING'] : ''); |
|
| 296 |
$salt .= ( isset($_SERVER['HTTP_ACCEPT_LANGUAGE']) ? $_SERVER['HTTP_ACCEPT_LANGUAGE'] : ''); |
|
| 297 |
$salt .= ( isset($_SERVER['HTTP_CONNECTION']) ? $_SERVER['HTTP_CONNECTION'] : ''); |
|
| 298 |
$salt .= ( isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : ''); |
|
| 299 |
$salt .= ( isset($_SERVER['SERVER_ADDR']) ? $_SERVER['SERVER_ADDR'] : ''); |
|
| 300 |
$salt = ( $salt !== '' ) ? $salt : 'eXtremelyHotTomatoJuice'; |
|
| 301 |
$ftan = md5($time.$salt); |
|
| 302 |
$_SESSION['FTAN'] = $ftan; |
|
| 303 |
$ftan0 = 'a'.substr($ftan, -(10 + hexdec(substr($ftan, 1))), 10); |
|
| 304 |
$ftan1 = 'a'.substr($ftan, hexdec(substr($ftan, -1)), 10); |
|
| 305 |
if($as_tag == true) |
|
| 306 |
{
|
|
| 307 |
return '<input type="hidden" name="'.$ftan0.'" value="'.$ftan1.'" title="" />'; |
|
| 308 |
}else{
|
|
| 309 |
return array('FTAN0' => $ftan0, 'FTAN1' => $ftan1);
|
|
| 310 |
} |
|
| 278 |
// Print a success message which then automatically redirects the user to another page |
|
| 279 |
function print_success( $message, $redirect = 'index.php' ) {
|
|
| 280 |
global $TEXT; |
|
| 281 |
// fetch redirect timer for sucess messages from settings table |
|
| 282 |
$redirect_timer = ((defined( 'REDIRECT_TIMER' )) && (REDIRECT_TIMER >= 1500)) ? REDIRECT_TIMER : 0; |
|
| 283 |
// add template variables |
|
| 284 |
$tpl = new Template( THEME_PATH.'/templates' ); |
|
| 285 |
$tpl->set_file( 'page', 'success.htt' ); |
|
| 286 |
$tpl->set_block( 'page', 'main_block', 'main' ); |
|
| 287 |
$tpl->set_block( 'main_block', 'show_redirect_block', 'show_redirect' ); |
|
| 288 |
$tpl->set_var( 'MESSAGE', $message ); |
|
| 289 |
$tpl->set_var( 'REDIRECT', $redirect ); |
|
| 290 |
$tpl->set_var( 'REDIRECT_TIMER', $redirect_timer ); |
|
| 291 |
$tpl->set_var( 'NEXT', $TEXT['NEXT'] ); |
|
| 292 |
if ($redirect_timer == 0) {
|
|
| 293 |
$tpl->set_block( 'show_redirect', '' ); |
|
| 294 |
} |
|
| 295 |
else {
|
|
| 296 |
$tpl->parse( 'show_redirect', 'show_redirect_block', true ); |
|
| 297 |
} |
|
| 298 |
$tpl->parse( 'main', 'main_block', false ); |
|
| 299 |
$tpl->pparse( 'output', 'page' ); |
|
| 311 | 300 |
} |
| 312 | 301 |
|
| 313 |
/* |
|
| 314 |
* checks received form-transactionnumbers against session-stored one |
|
| 315 |
* @access public |
|
| 316 |
* @param string $mode: requestmethode POST(default) or GET |
|
| 317 |
* @return bool: true if numbers matches against stored ones |
|
| 318 |
* |
|
| 319 |
* requirements: an active session must be available |
|
| 320 |
* this check will prevent from multiple sending a form. history.back() also will never work |
|
| 321 |
*/ |
|
| 322 |
function checkFTAN( $mode = 'POST') |
|
| 323 |
{
|
|
| 324 |
$retval = false; |
|
| 325 |
if(isset($_SESSION['FTAN']) && strlen($_SESSION['FTAN']) == strlen(md5('dummy')))
|
|
| 326 |
{
|
|
| 327 |
$ftan = $_SESSION['FTAN']; |
|
| 328 |
$ftan0 = 'a'.substr($ftan, -(10 + hexdec(substr($ftan, 1))), 10); |
|
| 329 |
$ftan1 = 'a'.substr($ftan, hexdec(substr($ftan, -1)), 10); |
|
| 330 |
unset($_SESSION['FTAN']); |
|
| 331 |
if(strtoupper($mode) == 'POST') |
|
| 332 |
{
|
|
| 333 |
$retval = (isset($_POST[$ftan0]) && $_POST[$ftan0] == ($ftan1)); |
|
| 334 |
$_POST[$ftan0] = ''; |
|
| 335 |
}else{
|
|
| 336 |
$retval = (isset($_GET[$ftan0]) && $_GET[$ftan0] == ($ftan1)); |
|
| 337 |
$_GET[$ftan0] = ''; |
|
| 338 |
} |
|
| 339 |
} |
|
| 340 |
return $retval; |
|
| 341 |
} |
|
| 342 |
|
|
| 343 |
// Print a success message which then automatically redirects the user to another page |
|
| 344 |
function print_success($message, $redirect = 'index.php') {
|
|
| 345 |
global $TEXT, $database; |
|
| 346 |
|
|
| 347 |
// fetch redirect timer for sucess messages from settings table |
|
| 348 |
$table = TABLE_PREFIX . 'settings'; |
|
| 349 |
$results = @$database->get_one("SELECT `value` FROM `$table` WHERE `name` = 'redirect_timer'");
|
|
| 350 |
$redirect_timer = ($results) ? $results : '1500'; |
|
| 351 |
|
|
| 352 |
// add template variables |
|
| 353 |
$success_template = new Template(THEME_PATH.'/templates'); |
|
| 354 |
$success_template->set_file('page', 'success.htt');
|
|
| 355 |
$success_template->set_block('page', 'main_block', 'main');
|
|
| 356 |
$success_template->set_var('MESSAGE', $message);
|
|
| 357 |
$success_template->set_var('REDIRECT', $redirect);
|
|
| 358 |
$success_template->set_var('REDIRECT_TIMER', $redirect_timer);
|
|
| 359 |
$success_template->set_var('NEXT', $TEXT['NEXT']);
|
|
| 360 |
$success_template->parse('main', 'main_block', false);
|
|
| 361 |
$success_template->pparse('output', 'page');
|
|
| 362 |
} |
|
| 363 |
|
|
| 364 | 302 |
// Print an error message |
| 365 | 303 |
function print_error($message, $link = 'index.php', $auto_footer = true) {
|
| 366 | 304 |
global $TEXT; |
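Review bot: In the new print_success, `$redirect_timer = ((defined( 'REDIRECT_TIMER' )) && (REDIRECT_TIMER >= 1500)) ? REDIRECT_TIMER : 0;` maps any configured value between 1 and 1499 to 0, which the code below then treats as "no redirect" by emptying show_redirect_block; the old version used the stored value as-is with a default of 1500, so if 1500 is meant as a floor rather than a disable threshold this should clamp instead, `$redirect_timer = (defined('REDIRECT_TIMER') && REDIRECT_TIMER > 0) ? max(1500, (int)REDIRECT_TIMER) : 0;`. Whichever is intended, a one-line comment would stop the next maintainer from guessing, e.g. `// values below 1500 disable the automatic redirect (show_redirect_block is dropped)`. Separately, `function wb()` is now the constructor of a SecureForm subclass, and PHP4-style constructors are not chained automatically, so it should call `parent::SecureForm();` — today the parent only resets `$_FTAN`, which the property default already covers, but the call keeps the base-class initialisation honoured if it grows.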
| branches/2.8.x/wb/framework/class.secureform.php | ||
|---|---|---|
| 1 |
<?php |
|
| 2 |
/** |
|
| 3 |
* |
|
| 4 |
* @category security |
|
| 5 |
* @package framework |
|
| 6 |
* @author ISTeam easy-Project |
|
| 7 |
* @copyright 2009-2010, Independend-Software-Team |
|
| 8 |
* @link http://easy.isteam.de/ |
|
| 9 |
* @license http://creativecommons.org/licenses/by-nc-nd/3.0/de/ |
|
| 10 |
* @platform WebsiteBaker 2.8.x |
|
| 11 |
* @requirements PHP 4.4.9 and higher |
|
| 12 |
* @version $Id$ |
|
| 13 |
* @filesource $HeadURL$ |
|
| 14 |
* @lastmodified $Date$ |
|
| 15 |
* |
|
| 16 |
* SecureForm |
|
| 17 |
* Version 0.1 |
|
| 18 |
* |
|
| 19 |
* creates Formular transactionnumbers for unique use |
|
| 20 |
*/ |
|
| 21 |
|
|
| 22 |
class SecureForm {
|
|
| 23 |
|
|
| 24 |
/* insert global vars here... */ |
|
| 25 |
|
|
| 26 |
var $_FTAN = ''; |
|
| 27 |
var $_IDKEYs = array(); |
|
| 28 |
|
|
| 29 |
function SecureForm() |
|
| 30 |
{
|
|
| 31 |
// $this->__construct(); |
|
| 32 |
$this->_FTAN = ''; |
|
| 33 |
// if(isset($_SESSION['FTAN'])) { unset($_SESSION['FTAN']); }
|
|
| 34 |
} |
|
| 35 |
// function __construct() |
|
| 36 |
// {
|
|
| 37 |
// var $_FTAN = ''; |
|
| 38 |
// if(isset($_SESSION['FTAN'])) { unset($_SESSION['FTAN']); }
|
|
| 39 |
// } |
|
| 40 |
|
|
| 41 |
/* |
|
| 42 |
* creates Formular transactionnumbers for unique use |
|
| 43 |
* @access public |
|
| 44 |
* @param bool $asTAG: true returns a complete prepared, hidden HTML-Input-Tag (default) |
|
| 45 |
* false returns an array including FTAN0 and FTAN1 |
|
| 46 |
* @return mixed: array or string |
|
| 47 |
* |
|
| 48 |
* requirements: an active session must be available |
|
| 49 |
*/ |
|
| 50 |
function getFTAN( $as_tag = true) |
|
| 51 |
{
|
|
| 52 |
if( $this->_FTAN == '') |
|
| 53 |
{
|
|
| 54 |
if(function_exists('microtime'))
|
|
| 55 |
{
|
|
| 56 |
list($usec, $sec) = explode(" ", microtime());
|
|
| 57 |
$time = (string)((float)$usec + (float)$sec); |
|
| 58 |
}else{
|
|
| 59 |
$time = (string)time(); |
|
| 60 |
} |
|
| 61 |
$salt = ( isset($_SERVER['HTTP_ACCEPT']) ? $_SERVER['HTTP_ACCEPT'] : ''); |
|
| 62 |
$salt .= ( isset($_SERVER['HTTP_ACCEPT_CHARSET']) ? $_SERVER['HTTP_ACCEPT_CHARSET'] : ''); |
|
| 63 |
$salt .= ( isset($_SERVER['HTTP_ACCEPT_ENCODING']) ? $_SERVER['HTTP_ACCEPT_ENCODING'] : ''); |
|
| 64 |
$salt .= ( isset($_SERVER['HTTP_ACCEPT_LANGUAGE']) ? $_SERVER['HTTP_ACCEPT_LANGUAGE'] : ''); |
|
| 65 |
$salt .= ( isset($_SERVER['HTTP_CONNECTION']) ? $_SERVER['HTTP_CONNECTION'] : ''); |
|
| 66 |
$salt .= ( isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : ''); |
|
| 67 |
$salt .= ( isset($_SERVER['SERVER_ADDR']) ? $_SERVER['SERVER_ADDR'] : ''); |
|
| 68 |
$salt = ( $salt !== '' ) ? $salt : 'eXtremelyHotTomatoJuice'; |
|
| 69 |
$this->_FTAN = md5($time.$salt); |
|
| 70 |
$_SESSION['FTAN'] = $this->_FTAN; |
|
| 71 |
} |
|
| 72 |
$ftan0 = 'a'.substr($this->_FTAN, -(10 + hexdec(substr($this->_FTAN, 1))), 10); |
|
| 73 |
$ftan1 = 'a'.substr($this->_FTAN, hexdec(substr($this->_FTAN, -1)), 10); |
|
| 74 |
if($as_tag == true) |
|
| 75 |
{
|
|
| 76 |
return '<input type="hidden" name="'.$ftan0.'" value="'.$ftan1.'" title="" />'; |
|
| 77 |
}else{
|
|
| 78 |
return array('FTAN0' => $ftan0, 'FTAN1' => $ftan1);
|
|
| 79 |
} |
|
| 80 |
} |
|
| 81 |
|
|
| 82 |
/* |
|
| 83 |
* checks received form-transactionnumbers against session-stored one |
|
| 84 |
* @access public |
|
| 85 |
* @param string $mode: requestmethode POST(default) or GET |
|
| 86 |
* @return bool: true if numbers matches against stored ones |
|
| 87 |
* |
|
| 88 |
* requirements: an active session must be available |
|
| 89 |
* this check will prevent from multiple sending a form. history.back() also will never work |
|
| 90 |
*/ |
|
| 91 |
function checkFTAN( $mode = 'POST') |
|
| 92 |
{
|
|
| 93 |
$retval = false; |
|
| 94 |
if(isset($_SESSION['FTAN']) && strlen($_SESSION['FTAN']) == strlen(md5('dummy')))
|
|
| 95 |
{
|
|
| 96 |
$ftan = $_SESSION['FTAN']; |
|
| 97 |
$ftan0 = 'a'.substr($ftan, -(10 + hexdec(substr($ftan, 1))), 10); |
|
| 98 |
$ftan1 = 'a'.substr($ftan, hexdec(substr($ftan, -1)), 10); |
|
| 99 |
unset($_SESSION['FTAN']); |
|
| 100 |
if(strtoupper($mode) == 'POST') |
|
| 101 |
{
|
|
| 102 |
$retval = (isset($_POST[$ftan0]) && $_POST[$ftan0] == ($ftan1)); |
|
| 103 |
$_POST[$ftan0] = ''; |
|
| 104 |
}else{
|
|
| 105 |
$retval = (isset($_GET[$ftan0]) && $_GET[$ftan0] == ($ftan1)); |
|
| 106 |
$_GET[$ftan0] = ''; |
|
| 107 |
} |
|
| 108 |
} |
|
| 109 |
return $retval; |
|
| 110 |
} |
|
| 111 |
|
|
| 112 |
|
|
| 113 |
|
|
| 114 |
//put your code here |
|
| 115 |
} |
|
| 116 |
?> |
|
| 0 | 117 | |
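Review bot: The transaction number produced by `$this->_FTAN = md5($time.$salt);` mixes only microtime() with request headers the client itself sends plus the fixed SERVER_ADDR, so the sole ingredient a client cannot simply reproduce is the sub-second timestamp; a form token should carry entropy the client cannot observe, e.g. `$this->_FTAN = md5(uniqid(mt_rand(), true) . $time . $salt);`, which stays within the PHP 4.4.9 requirement stated in the header. A second issue in both getFTAN and checkFTAN: `hexdec(substr($this->_FTAN, 1))` converts the remaining 31 hex characters rather than one digit as the sibling `substr($ftan, -1)` does, so hexdec returns a float far beyond the integer range and the negative offset passed to substr is platform-dependent rather than the small shift the code implies; both functions compute it identically so validation still matches, but if a single digit was intended use `substr($this->_FTAN, 1, 1)` in both places. Finally, checkFTAN compares the submitted value with `==`; `===` is the safer form for string tokens, and the class docblock should state that session_start() must already have been called, since getFTAN writes and checkFTAN reads `$_SESSION['FTAN']` unconditionally.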
| branches/2.8.x/wb/framework/frontend.functions.php | ||
|---|---|---|
| 258 | 258 |
if(defined('SEC_ANCHOR') && SEC_ANCHOR!='') {
|
| 259 | 259 |
echo '<a class="section_anchor" id="'.SEC_ANCHOR.$section_id.'" name="'.SEC_ANCHOR.$section_id.'"></a>'; |
| 260 | 260 |
} |
| 261 |
|
|
| 261 |
// check if module exists - feature: write in errorlog |
|
| 262 |
if(file_exists(WB_PATH.'/modules/'.$module.'/view.php')) {
|
|
| 262 | 263 |
// fetch content -- this is where to place possible output-filters (before highlighting) |
| 263 |
ob_start(); // fetch original content |
|
| 264 |
require(WB_PATH.'/modules/'.$module.'/view.php'); |
|
| 265 |
$content = ob_get_contents(); |
|
| 266 |
ob_end_clean(); |
|
| 264 |
ob_start(); // fetch original content |
|
| 265 |
require(WB_PATH.'/modules/'.$module.'/view.php'); |
|
| 266 |
$content = ob_get_contents(); |
|
| 267 |
ob_end_clean(); |
|
| 268 |
} else {
|
|
| 269 |
continue; |
|
| 270 |
} |
|
| 267 | 271 |
|
| 268 | 272 |
// highlights searchresults |
| 269 | 273 |
if(isset($_GET['searchresult']) && is_numeric($_GET['searchresult']) && !isset($_GET['nohighlight']) && isset($_GET['sstring']) && !empty($_GET['sstring'])) {
|
add an extra class class.secureform.php and make class.wb.php extend it
check for installed modules before loading in content