/ - Diff - WB 2.08.x - Tracking

« Previous | Next »

Revision 1448

Added by Dietmar over 13 years ago

secure fix edit_module_files.php
fix wb_wrapper_edit_area.php

     ! = Update/Change
     ------------------------------------- 2.8.2 -------------------------------------
 May-2011 Build 1448 Dietmar Woellbrink (Luisehahne)
     # secure fix edit_module_files.php
     # fix wb_wrapper_edit_area.php
 May-2011 Build 1447 Werner v.d.Decken(DarkViper)
     ! syncronice version (no data changes)
 May-2011 Build 1446 Werner v.d.Decken(DarkViper)

     			script.type = "text/javascript";
     			script.src  = url;
     			script.charset= "UTF-8";
     			head = document.getElementsByTagName("head");
     			head = document.getElementsByTagName("head")[0];
     			head[0].appendChild(script);
     		}catch(e){
     			document.write("<script type='text/javascript' src='" + url + "' charset=\"UTF-8\"><"+"/script>");

branches/2.8.x/wb/admin/interface/version.php
52	52
53	53	// check if defined to avoid errors during installation (redirect to admin panel fails if PHP error/warnings are enabled)
54	54	if(!defined('VERSION')) define('VERSION', '2.8.2.RC5');
55		if(!defined('REVISION')) define('REVISION', '1447');
	55	if(!defined('REVISION')) define('REVISION', '1448');
56	56
57	57	?>

+     *
      */
     // prevent this file from being accessed directly
     if(!(isset($_POST['page_id']) && isset($_POST['section_id']) && isset($_POST['action'])
     	&& isset($_POST['mod_dir'])  && isset($_POST['edit_file']))) die(header('Location: index.php'));
     // include required libraries
     // include configuration file
     	require('../config.php');
     // include edit area wrapper script
     	require_once(WB_PATH.'/include/editarea/wb_wrapper_edit_area.php');
     // include the admin wrapper script
     	require(WB_PATH.'/modules/admin.php');
     // include functions to edit the optional module CSS files (frontend.css, backend.css)
     	require_once(WB_PATH.'/framework/module.functions.php');
     // include configuration file and admin wrapper script
     require('../config.php');
     	$page_id = (isset($_REQUEST['page_id']) ? intval($_REQUEST['page_id']) : 0  );
     	$section_id = (isset($_POST['section_id']) ? intval($_POST['section_id']) : 0  );
     	$_action = (isset($_POST['action']) ? strtolower($_POST['action']) : '');
     	$_action = ($_action != 'save' ? 'edit' : 'save');
     	$mod_dir = (isset($_POST['mod_dir']) ? $_POST['mod_dir'] : '');
     	$_edit_file = (isset($_POST['edit_file']) ? $_POST['edit_file'] : '');
     //check if given mod_dir + edit_file is valid path/file
     	$_realpath = realpath(WB_PATH.'/modules/'.$mod_dir.'/'.$_edit_file);
     	if($_realpath){
     	// realpath is a valid path, now test if it's inside WB_PATH
     		$_realpath = str_replace('\\','/', $_realpath);
     		$_fileValid = (strpos($_realpath, (str_replace('\\','/', WB_PATH))) !== false);
+    	}
     // check if all needed args are valid
     	if(!$page_id || !$section_id || !$_realpath || !$_fileValid) {
     		die('Invalid arguments passed - script stopped.');
+    	}
     require_once(WB_PATH . '/include/editarea/wb_wrapper_edit_area.php');
     // include the and admin wrapper script
     require(WB_PATH.'/modules/admin.php');
     // leave if the required module.functions.php file does not exist
     if(!file_exists(WB_PATH .'/framework/module.functions.php')) {
     	echo 'The required file: /framework/module.functions.php is missing - script stopped.';
     	die;
+    }
     echo (function_exists('registerEditArea')) ? registerEditArea('code_area', 'css') : 'none';
     	// echo registerEditArea('code_area', 'css');
     	echo (function_exists('registerEditArea')) ? registerEditArea('code_area', 'css') : 'none';
     // set default text output if varibles are not defined in the global WB language files
     $HEADING_CSS_FILE = (isset($GLOBALS['TEXT']['HEADING_CSS_FILE'])) ?$GLOBALS['TEXT']['HEADING_CSS_FILE'] :'Actual module file: ';
     $TXT_EDIT_CSS_FILE = (isset($GLOBALS['TEXT']['TXT_EDIT_CSS_FILE'])) ?$GLOBALS['TEXT']['TXT_EDIT_CSS_FILE'] :'Edit the CSS definitions in the textarea below.';
     	if(!isset($TEXT['HEADING_CSS_FILE'])) { $TEXT['HEADING_CSS_FILE'] = 'Actual module file: '; }
     	if(!isset($TEXT['TXT_EDIT_CSS_FILE'])) { $TEXT['TXT_EDIT_CSS_FILE'] = 'Edit the CSS definitions in the textarea below.'; }
     // include functions to edit the optional module CSS files (frontend.css, backend.css)
     require_once(WB_PATH .'/framework/module.functions.php');
     // check if the module directory is valid
     $mod_dir = check_module_dir($_POST['mod_dir']);
     if($mod_dir == '')
+    {
     	echo 'The specified module directory is invalid - script stopped.';
     	die;
     };
     // check if action is: save or edit
     if($_POST['action'] == 'save' && mod_file_exists($mod_dir, $_POST['edit_file'])) {
     	/**
     		SAVE THE UPDATED CONTENTS TO THE CSS FILE
     	*/
     	$css_content = '';
     	if (isset($_POST['css_data']) && strlen($_POST['css_data']) > 0) {
     		$css_content = stripslashes($_POST['css_data']);
+    	}
     	$bytes = 0;
     	if ($css_content != '')
+        {
     	if($_action == 'save' && mod_file_exists($mod_dir, $_edit_file)) {
     	// SAVE THE UPDATED CONTENTS TO THE CSS FILE
     		$css_content = '';
     		if (isset($_POST['css_data']) && strlen($_POST['css_data']) > 0) {
     			$css_content = stripslashes($_POST['css_data']);
+    		}
     		$bytes = 0;
     		if ($css_content != '') {
     		// open the module CSS file for writting
     		$mod_file = @fopen(WB_PATH .'/modules/' .$mod_dir .'/' .$_POST['edit_file'], 'wb');
     			$mod_file = @fopen(WB_PATH .'/modules/' .$mod_dir .'/' .$_edit_file, 'wb');
     		// write new content to the module CSS file
     		$bytes = @fwrite($mod_file, $css_content);
     			$bytes = @fwrite($mod_file, $css_content);
     		// close the file
     		@fclose($mod_file);
+    	}
     	// write out status message
     	if($bytes == 0 )
+        {
     		$admin->print_error($TEXT['ERROR'], ADMIN_URL.'/pages/modify.php?page_id='.$page_id);
     			@fclose($mod_file);
+    		}
     		// write out status message
     		if($bytes == 0 ) {
     			$admin->print_error($TEXT['ERROR'], ADMIN_URL.'/pages/modify.php?page_id='.$page_id);
     		} else {
     			$admin->print_success($TEXT['SUCCESS'], ADMIN_URL.'/pages/modify.php?page_id='.$page_id);
+    		}
     	} else {
     		$admin->print_success($TEXT['SUCCESS'], ADMIN_URL.'/pages/modify.php?page_id='.$page_id);
+    	}
     } else {
     	/**
     		MODIFY CONTENTS OF THE CSS FILE VIA TEXT AREA
     	*/
     	// MODIFY CONTENTS OF THE CSS FILE VIA TEXT AREA
     	// check if module backend.css file needs to be included into the <body>
     	if((!method_exists($admin, 'register_backend_modfiles') || !isset($_GET['page_id']))
     			&& file_exists(WB_PATH .'/modules/'.$mod_dir.'/backend.css')) {
     		echo '<style type="text/css">';
     		include(WB_PATH .'/modules/' .$mod_dir .'/backend.css');
     		echo "\n</style>\n";
+    	}
     		if((!method_exists($admin, 'register_backend_modfiles') || !$page_id)
     				&& file_exists(WB_PATH .'/modules/'.$mod_dir.'/backend.css')) {
     			echo '<style type="text/css">';
     			include(WB_PATH .'/modules/' .$mod_dir .'/backend.css');
     			echo "\n</style>\n";
+    		}
     	// check which module file to edit (frontend.css, backend.css or '')
     	$css_file = (in_array($_POST['edit_file'], array('frontend.css', 'backend.css'))) ? $_POST['edit_file'] : '';
     		$css_file = (in_array($_edit_file, array('frontend.css', 'backend.css'))) ? $_edit_file : '';
     	// display output
     	if($css_file == '')
+        {
     		if($css_file == '')	{
     		// no valid module file to edit; display error message and backlink to modify.php
     		echo "<h2>Nothing to edit</h2>";
     		echo "<p>No valid module file exists for this module.</p>";
     		$output  = "<a href=\"#\" onclick=\"javascript: window.location = '";
     		$output .= ADMIN_URL ."/pages/modify.php?page_id=" .$page_id ."'\">back</a>";
     		echo $output;
     	} else {
     			echo "<h2>Nothing to edit</h2>";
     			echo "<p>No valid module file exists for this module.</p>";
     			$output  = "<a href=\"#\" onclick=\"javascript: window.location = '";
     			$output .= ADMIN_URL ."/pages/modify.php?page_id=" .$page_id ."'\">back</a>";
     			echo $output;
     		} else {
     		// store content of the module file in variable
     		$css_content = @file_get_contents(WB_PATH .'/modules/' .$mod_dir .'/' .$css_file);
     		// write out heading
     		echo '<h2>' .$HEADING_CSS_FILE .'"' .$css_file .'"</h2>';
     		echo '<h2>' .$TEXT['HEADING_CSS_FILE'] .'"' .$css_file .'"</h2>';
     		// include button to switch between frontend.css and backend.css (only shown if both files exists)
     		toggle_css_file($mod_dir, $css_file);
     		echo '<p>' .$TXT_EDIT_CSS_FILE .'</p>';
     		echo '<p>'.$TEXT['TXT_EDIT_CSS_FILE'].'</p>';
     		// output content of module file to textareas
     	?>
     		<form name="edit_module_file" action="<?php echo $_SERVER['SCRIPT_NAME'];?>" method="post" style="margin: 0;">
     	  ?><form name="edit_module_file" action="<?php echo $_SERVER['SCRIPT_NAME'];?>" method="post" style="margin: 0;">
     	  	<input type="hidden" name="page_id" value="<?php echo $page_id; ?>" />
     	  	<input type="hidden" name="section_id" value="<?php echo $section_id; ?>" />
     	  	<input type="hidden" name="mod_dir" value="<?php echo $mod_dir; ?>" />
-...
       			</tr>
       			</table>
     		</form>
     		<?php
     <?php
+    	}
+    }
     // Print admin footer
     $admin->print_footer();
     ?>

Also available in: Unified diff

Project

General

Profile

WB 2.08.x

Revision 1448

Added by Dietmar over 13 years ago