Project

General

Profile

« Previous | Next » 

Revision 1448

Added by Dietmar over 13 years ago

secure fix edit_module_files.php
fix wb_wrapper_edit_area.php

View differences:

branches/2.8.x/CHANGELOG
11 11
! = Update/Change
12 12

  
13 13
------------------------------------- 2.8.2 -------------------------------------
14
07 May-2011 Build 1448 Dietmar Woellbrink (Luisehahne)
15
# secure fix edit_module_files.php
16
# fix wb_wrapper_edit_area.php
14 17
03 May-2011 Build 1447 Werner v.d.Decken(DarkViper)
15 18
! syncronice version (no data changes)
16 19
03 May-2011 Build 1446 Werner v.d.Decken(DarkViper)
branches/2.8.x/wb/include/editarea/wb_wrapper_edit_area.php
29 29
			script.type = "text/javascript";
30 30
			script.src  = url;
31 31
			script.charset= "UTF-8";
32
			head = document.getElementsByTagName("head");
32
			head = document.getElementsByTagName("head")[0];
33 33
			head[0].appendChild(script);
34 34
		}catch(e){
35 35
			document.write("<script type='text/javascript' src='" + url + "' charset=\"UTF-8\"><"+"/script>");
branches/2.8.x/wb/admin/interface/version.php
52 52

  
53 53
// check if defined to avoid errors during installation (redirect to admin panel fails if PHP error/warnings are enabled)
54 54
if(!defined('VERSION')) define('VERSION', '2.8.2.RC5');
55
if(!defined('REVISION')) define('REVISION', '1447');
55
if(!defined('REVISION')) define('REVISION', '1448');
56 56

  
57 57
?>
branches/2.8.x/wb/modules/edit_module_files.php
16 16
 *
17 17
 */
18 18

  
19
// prevent this file from being accessed directly
20
if(!(isset($_POST['page_id']) && isset($_POST['section_id']) && isset($_POST['action'])
21
	&& isset($_POST['mod_dir'])  && isset($_POST['edit_file']))) die(header('Location: index.php'));
19
// include required libraries
20
// include configuration file
21
	require('../config.php');
22
// include edit area wrapper script
23
	require_once(WB_PATH.'/include/editarea/wb_wrapper_edit_area.php');
24
// include the admin wrapper script
25
	require(WB_PATH.'/modules/admin.php');
26
// include functions to edit the optional module CSS files (frontend.css, backend.css)
27
	require_once(WB_PATH.'/framework/module.functions.php');
22 28

  
23
// include configuration file and admin wrapper script
24
require('../config.php');
29
	$page_id = (isset($_REQUEST['page_id']) ? intval($_REQUEST['page_id']) : 0  );
30
	$section_id = (isset($_POST['section_id']) ? intval($_POST['section_id']) : 0  );
31
	$_action = (isset($_POST['action']) ? strtolower($_POST['action']) : '');
32
	$_action = ($_action != 'save' ? 'edit' : 'save');
33
	$mod_dir = (isset($_POST['mod_dir']) ? $_POST['mod_dir'] : '');
34
	$_edit_file = (isset($_POST['edit_file']) ? $_POST['edit_file'] : '');
35
//check if given mod_dir + edit_file is valid path/file
36
	$_realpath = realpath(WB_PATH.'/modules/'.$mod_dir.'/'.$_edit_file);
37
	if($_realpath){
38
	// realpath is a valid path, now test if it's inside WB_PATH
39
		$_realpath = str_replace('\\','/', $_realpath);
40
		$_fileValid = (strpos($_realpath, (str_replace('\\','/', WB_PATH))) !== false);
41
	}
42
// check if all needed args are valid 
43
	if(!$page_id || !$section_id || !$_realpath || !$_fileValid) {
44
		die('Invalid arguments passed - script stopped.');
45
	}
25 46

  
26
require_once(WB_PATH . '/include/editarea/wb_wrapper_edit_area.php');
27

  
28
// include the and admin wrapper script
29
require(WB_PATH.'/modules/admin.php');
30

  
31
// leave if the required module.functions.php file does not exist
32
if(!file_exists(WB_PATH .'/framework/module.functions.php')) {
33
	echo 'The required file: /framework/module.functions.php is missing - script stopped.';
34
	die;
35
}
36
echo (function_exists('registerEditArea')) ? registerEditArea('code_area', 'css') : 'none';
47
	// echo registerEditArea('code_area', 'css');
48
	echo (function_exists('registerEditArea')) ? registerEditArea('code_area', 'css') : 'none';
37 49
// set default text output if varibles are not defined in the global WB language files
38
$HEADING_CSS_FILE = (isset($GLOBALS['TEXT']['HEADING_CSS_FILE'])) ?$GLOBALS['TEXT']['HEADING_CSS_FILE'] :'Actual module file: ';
39
$TXT_EDIT_CSS_FILE = (isset($GLOBALS['TEXT']['TXT_EDIT_CSS_FILE'])) ?$GLOBALS['TEXT']['TXT_EDIT_CSS_FILE'] :'Edit the CSS definitions in the textarea below.';
50
	if(!isset($TEXT['HEADING_CSS_FILE'])) { $TEXT['HEADING_CSS_FILE'] = 'Actual module file: '; }
51
	if(!isset($TEXT['TXT_EDIT_CSS_FILE'])) { $TEXT['TXT_EDIT_CSS_FILE'] = 'Edit the CSS definitions in the textarea below.'; }
40 52

  
41
// include functions to edit the optional module CSS files (frontend.css, backend.css)
42
require_once(WB_PATH .'/framework/module.functions.php');
43

  
44
// check if the module directory is valid
45
$mod_dir = check_module_dir($_POST['mod_dir']);
46
if($mod_dir == '')
47
{
48
	echo 'The specified module directory is invalid - script stopped.';
49
	die;
50
};
51

  
52 53
// check if action is: save or edit
53
if($_POST['action'] == 'save' && mod_file_exists($mod_dir, $_POST['edit_file'])) {
54
	/** 
55
		SAVE THE UPDATED CONTENTS TO THE CSS FILE
56
	*/
57
	$css_content = '';
58
	if (isset($_POST['css_data']) && strlen($_POST['css_data']) > 0) {
59
		$css_content = stripslashes($_POST['css_data']);
60
	}
61

  
62
	$bytes = 0;
63
	if ($css_content != '')
64
    {
54
	if($_action == 'save' && mod_file_exists($mod_dir, $_edit_file)) {
55
	// SAVE THE UPDATED CONTENTS TO THE CSS FILE
56
		$css_content = '';
57
		if (isset($_POST['css_data']) && strlen($_POST['css_data']) > 0) {
58
			$css_content = stripslashes($_POST['css_data']);
59
		}
60
		$bytes = 0;
61
		if ($css_content != '') {
65 62
		// open the module CSS file for writting
66
		$mod_file = @fopen(WB_PATH .'/modules/' .$mod_dir .'/' .$_POST['edit_file'], 'wb');
63
			$mod_file = @fopen(WB_PATH .'/modules/' .$mod_dir .'/' .$_edit_file, 'wb');
67 64
		// write new content to the module CSS file
68
		$bytes = @fwrite($mod_file, $css_content);
65
			$bytes = @fwrite($mod_file, $css_content);
69 66
		// close the file
70
		@fclose($mod_file);
71
	}
72

  
73
	// write out status message
74
	if($bytes == 0 )
75
    {
76
		$admin->print_error($TEXT['ERROR'], ADMIN_URL.'/pages/modify.php?page_id='.$page_id);
67
			@fclose($mod_file);
68
		}
69
		// write out status message
70
		if($bytes == 0 ) {
71
			$admin->print_error($TEXT['ERROR'], ADMIN_URL.'/pages/modify.php?page_id='.$page_id);
72
		} else {
73
			$admin->print_success($TEXT['SUCCESS'], ADMIN_URL.'/pages/modify.php?page_id='.$page_id);
74
		}
77 75
	} else {
78
		$admin->print_success($TEXT['SUCCESS'], ADMIN_URL.'/pages/modify.php?page_id='.$page_id);
79
	}
80

  
81

  
82
} else {
83
	/** 
84
		MODIFY CONTENTS OF THE CSS FILE VIA TEXT AREA 
85
	*/
76
	// MODIFY CONTENTS OF THE CSS FILE VIA TEXT AREA
86 77
	// check if module backend.css file needs to be included into the <body>
87
	if((!method_exists($admin, 'register_backend_modfiles') || !isset($_GET['page_id']))
88
			&& file_exists(WB_PATH .'/modules/'.$mod_dir.'/backend.css')) {
89
		echo '<style type="text/css">';
90
		include(WB_PATH .'/modules/' .$mod_dir .'/backend.css');
91
		echo "\n</style>\n";
92
	}
93

  
78
		if((!method_exists($admin, 'register_backend_modfiles') || !$page_id)
79
				&& file_exists(WB_PATH .'/modules/'.$mod_dir.'/backend.css')) {
80
			echo '<style type="text/css">';
81
			include(WB_PATH .'/modules/' .$mod_dir .'/backend.css');
82
			echo "\n</style>\n";
83
		}
94 84
	// check which module file to edit (frontend.css, backend.css or '')
95
	$css_file = (in_array($_POST['edit_file'], array('frontend.css', 'backend.css'))) ? $_POST['edit_file'] : '';
85
		$css_file = (in_array($_edit_file, array('frontend.css', 'backend.css'))) ? $_edit_file : '';
96 86

  
97 87
	// display output
98
	if($css_file == '')
99
    {
88
		if($css_file == '')	{
100 89
		// no valid module file to edit; display error message and backlink to modify.php
101
		echo "<h2>Nothing to edit</h2>";
102
		echo "<p>No valid module file exists for this module.</p>";
103
		$output  = "<a href=\"#\" onclick=\"javascript: window.location = '";
104
		$output .= ADMIN_URL ."/pages/modify.php?page_id=" .$page_id ."'\">back</a>";
105
		echo $output;
106
	
107
	} else {
90
			echo "<h2>Nothing to edit</h2>";
91
			echo "<p>No valid module file exists for this module.</p>";
92
			$output  = "<a href=\"#\" onclick=\"javascript: window.location = '";
93
			$output .= ADMIN_URL ."/pages/modify.php?page_id=" .$page_id ."'\">back</a>";
94
			echo $output;
95
		} else {
108 96
		// store content of the module file in variable
109 97
		$css_content = @file_get_contents(WB_PATH .'/modules/' .$mod_dir .'/' .$css_file);
110 98
		// write out heading
111
		echo '<h2>' .$HEADING_CSS_FILE .'"' .$css_file .'"</h2>';
99
		echo '<h2>' .$TEXT['HEADING_CSS_FILE'] .'"' .$css_file .'"</h2>';
112 100
		// include button to switch between frontend.css and backend.css (only shown if both files exists)
113 101
		toggle_css_file($mod_dir, $css_file);
114
		echo '<p>' .$TXT_EDIT_CSS_FILE .'</p>';
102
		echo '<p>'.$TEXT['TXT_EDIT_CSS_FILE'].'</p>';
115 103

  
116 104
		// output content of module file to textareas
117
	?>
118
		<form name="edit_module_file" action="<?php echo $_SERVER['SCRIPT_NAME'];?>" method="post" style="margin: 0;">
105
	  ?><form name="edit_module_file" action="<?php echo $_SERVER['SCRIPT_NAME'];?>" method="post" style="margin: 0;">
119 106
	  	<input type="hidden" name="page_id" value="<?php echo $page_id; ?>" />
120 107
	  	<input type="hidden" name="section_id" value="<?php echo $section_id; ?>" />
121 108
	  	<input type="hidden" name="mod_dir" value="<?php echo $mod_dir; ?>" />
......
137 124
  			</tr>
138 125
  			</table>
139 126
		</form>
140
		<?php 
127
<?php 
141 128
	}
142 129
}
143

  
144 130
// Print admin footer
145 131
$admin->print_footer();
146

  
147
?>

Also available in: Unified diff