Project

General

Profile

« Previous | Next » 

Revision 1777

Added by Dietmar about 12 years ago

+ add methode StripCodeFromText in class.wb to clean injection
! rebranding the admin/settings and security fixes
! a few new styling in backend wb_theme
! beginning aa lot of account changes like correction of $_SESSION indexe, security fixes
+ add head.load.min.js and head.min.js to /include/jquery/ to style HTML5 templates

View differences:

save.php
58 58
	}
59 59
}
60 60

  
61
if(isset($_POST['wbmailer_routine']) && ($_POST['wbmailer_routine']=='smtp')) {
61
if($admin->StripCodeFromText($admin->get_post('wbmailer_routine'))=='smtp') {
62 62

  
63
	$checkSmtpHost = (isset($_POST['wbmailer_smtp_host']) && ($_POST['wbmailer_smtp_host']=='') ? false : true);
64
	$checkSmtpUser = (isset($_POST['wbmailer_smtp_username']) && ($_POST['wbmailer_smtp_username']=='') ? false : true);
65
	$checkSmtpPassword = (isset($_POST['wbmailer_smtp_password']) && ($_POST['wbmailer_smtp_password']=='') ? false : true);
63
	$checkSmtpHost = (($admin->StripCodeFromText($admin->get_post('wbmailer_smtp_host'))=='') ? false : true);
64
//	$checkSmtpHost = (isset($_POST['wbmailer_smtp_host']) && ($_POST['wbmailer_smtp_host']=='') ? false : true);
65
	$checkSmtpUser = (($admin->StripCodeFromText($admin->get_post('wbmailer_smtp_username'))=='') ? false : true);
66
//	$checkSmtpUser = (isset($_POST['wbmailer_smtp_username']) && ($_POST['wbmailer_smtp_username']=='') ? false : true);
67
	$checkSmtpPassword = (($admin->StripCodeFromText($admin->get_post('wbmailer_smtp_password'))=='') ? false : true);
68
//	$checkSmtpPassword = (isset($_POST['wbmailer_smtp_password']) && ($_POST['wbmailer_smtp_password']=='') ? false : true);
69

  
66 70
	if(!$checkSmtpHost || !$checkSmtpUser || !$checkSmtpPassword) {
67 71
		$admin->print_error($TEXT['REQUIRED'].' '.$TEXT['WBMAILER_SMTP_AUTH'].
68 72
			'<br /><strong>'.$MESSAGE['GENERIC_FILL_IN_ALL'].'</strong>', $js_back);
......
73 77
// Work-out file mode
74 78
if($advanced == '')
75 79
{
80
	$file_mode = STRING_FILE_MODE;
81
	$dir_mode = STRING_DIR_MODE;
76 82
	// Check if should be set to 777 or left alone
77
	if(isset($_POST['world_writeable']) && $_POST['world_writeable'] == 'true')
78
    {
79
		$file_mode = '0777';
80
		$dir_mode = '0777';
81
	} else {
82
		$file_mode = STRING_FILE_MODE;
83
		$dir_mode = STRING_DIR_MODE;
84
	}
83
//	if(isset($_POST['world_writeable']) && $_POST['world_writeable'] == 'true')
84
//    {
85
//		$file_mode = '0777';
86
//		$dir_mode = '0777';
87
//	} else {
88
//		$file_mode = STRING_FILE_MODE;
89
//		$dir_mode = STRING_DIR_MODE;
90
//	}
85 91
} else {
86 92
	$file_mode = STRING_FILE_MODE;
87 93
	$dir_mode = STRING_DIR_MODE;
......
154 160
	}
155 161
}
156 162

  
157
$allow_tags_in_fields = array('website_header', 'website_footer','website_signature');
158
$allow_empty_values = array('website_header','website_footer','pages_directory','page_spacer','website_signature,page_icon_dir','modules_upgrade_list');
159
$disallow_in_fields = array('pages_directory', 'media_directory','wb_version');
163
$allow_tags_in_fields = array(
164
    'website_header',
165
    'website_footer',
166
    'website_signature'
167
    );
168
$allow_empty_values = array(
169
    'website_header',
170
    'website_footer',
171
    'website_signature',
172
    'wysiwyg_style',
173
    'pages_directory',
174
    'page_icon_dir',
175
    'rename_files_on_upload',
176
    'page_spacer',
177
    'website_signature',
178
    'page_icon_dir',
179
    'modules_upgrade_list'
180
    );
181
$disallow_in_fields = array(
182
    'pages_directory',
183
    'media_directory',
184
    'wb_version'
185
    );
186
$StripCodeFromInput = array(
187
    'website_title',
188
    'website_description',
189
    'website_keywords',
190
    'wysiwyg_style',
191
    'search_module_order',
192
    'search_max_excerpt',
193
    'search_time_limit',
194
    'pages_directory',
195
    'page_icon_dir',
196
    'media_directory',
197
    'page_extension',
198
    'rename_files_on_upload',
199
    'page_spacer',
200
    'page_icon_dir',
201
    'modules_upgrade_list'
202
    );
160 203

  
161 204
$bRebuildAccessFiles = ( (isset( $_POST['rebuild_access_files']) && ( $_POST['rebuild_access_files'] == true )) ? true : false ) ;
162 205

  
......
189 232
	 			$passed = true;
190 233
    			break;
191 234
			case 'sec_anchor':
235
                $value = $admin->StripCodeFromText($value);
192 236
				$value=(($value=='') ? 'section_' : $value);
193 237
	 			$passed = true;
194 238
				break;
195 239
			case 'pages_directory':
240
                $value = $admin->StripCodeFromText($value);
196 241
                $bNewPageFile = ( ( $value!= $old_settings['pages_directory'] ) ? true :  false );
197 242
	 			$passed = $bNewPageFile;
198 243
                $sGetId = '&amp;id='.$bNewPageFile;
......
208 253
	 			$passed = true;
209 254
				break;
210 255
			default :
211
			    $passed = in_array($setting_name, $allow_empty_values);
256
                $passed = in_array($setting_name, $allow_empty_values);
257
                if(in_array($setting_name, $StripCodeFromInput) ) {
258
                    $value = $admin->StripCodeFromText($value);
259
                }
212 260
				break;
213 261
		}
214 262

  
215

  
216 263
	    if (!in_array($setting_name, $allow_tags_in_fields))
217 264
	    {
218 265
	        $value = strip_tags($value);
......
222 269
	    {
223 270
	        $value = trim($admin->add_slashes($value));
224 271
	        $sql = 'UPDATE `'.TABLE_PREFIX.'settings` ';
225
	        $sql .= 'SET `value` = \''.$value.'\' ';
272
	        $sql .= 'SET `value` = \''.($value).'\' '; // mysql_escape_string
226 273
	        $sql .= 'WHERE `name` != \'wb_version\' ';
227 274
	        $sql .= 'AND `name` = \''.$setting_name.'\' ';
228 275
	        if (!$database->query($sql))
......
241 288
    }
242 289

  
243 290
}
291
$StripCodeFromISearch = array(
292
    'search_module_order',
293
    'search_max_excerpt',
294
    'search_time_limit',
295
    );
244 296

  
245 297
// Query current search settings in the db, then loop through them and update the db with the new value
246 298
$sql  = 'SELECT `name`, `value` FROM `'.TABLE_PREFIX.'search` ';
......
255 307
{
256 308
	$old_value = $search_setting['value'];
257 309
	$setting_name = $search_setting['name'];
258
	$post_name = 'search_'.$search_setting['name'];
310
	$post_name = 'search_'.$setting_name;
259 311

  
260 312
    // hold old value if post is empty
261 313
    // check search template
262
    $value = ( ($admin->get_post($post_name) == '') && ($setting_name != 'template') ) ? $old_value : $admin->get_post($post_name);
314
    $value = ($admin->get_post($post_name));
315
    if(in_array($post_name, $StripCodeFromISearch) ) {
316
        $value = $admin->StripCodeFromText($value);
317
    }
318
    $value = ( ($value == '') && ($setting_name != 'template') ) ? $old_value : $value;
263 319
    // $value =  ( ($admin->get_post($post_name) == '') && ($setting_name == 'template') ) ? DEFAULT_TEMPLATE : $admin->get_post($post_name);
264 320
    if(isset($value))
265 321
	{

Also available in: Unified diff