Index: branches/2.8.x/CHANGELOG
===================================================================
--- branches/2.8.x/CHANGELOG	(revision 1884)
+++ branches/2.8.x/CHANGELOG	(revision 1885)
@@ -11,6 +11,13 @@
 ! = Update/Change
 ===============================================================================
 
+11 Mar-2013 Build 1885 Dietmar Woellbrink (Luisehahne)
+# protect magic setter to fix security issue in WbDatabase
++ additional arguments for Charset and TablePrefix in WbDatabase::doConnect
++ WbDatabase now can activate SET NAMES by doConnect argument
++ WbDatabase now provide TablePrefix property also (WbDatabase::TablePrefix)
++ initialize.php now also support Charset and TablePrefix settings from setup.ini.php
+! in setup.ini.php some keys are renamed (WB_URL => AppUrl and ADMIN_DIRECTORY => AcpDir)
 10 Mar-2013 Build 1884 Dietmar Woellbrink (Luisehahne)
 ! from security reasons the new installation has changed 
   from the old config.php into new setup.ini.php without 
Index: branches/2.8.x/wb/admin/interface/version.php
===================================================================
--- branches/2.8.x/wb/admin/interface/version.php	(revision 1884)
+++ branches/2.8.x/wb/admin/interface/version.php	(revision 1885)
@@ -51,5 +51,5 @@
 
 // check if defined to avoid errors during installation (redirect to admin panel fails if PHP error/warnings are enabled)
 if(!defined('VERSION')) define('VERSION', '2.8.3');
-if(!defined('REVISION')) define('REVISION', '1884');
+if(!defined('REVISION')) define('REVISION', '1885');
 if(!defined('SP')) define('SP', '');
Index: branches/2.8.x/wb/framework/WbDatabase.php
===================================================================
--- branches/2.8.x/wb/framework/WbDatabase.php	(revision 1884)
+++ branches/2.8.x/wb/framework/WbDatabase.php	(revision 1885)
@@ -32,18 +32,20 @@
  */
 
 /* -------------------------------------------------------- */
-define('DATABASE_CLASS_LOADED', true);
+@define('DATABASE_CLASS_LOADED', true);
 
 class WbDatabase {
 
 	private static $_oInstances = array();
 
-	private $_db_handle = null; // readonly from outside
-	private $_db_name   = '';
-	private $connected  = false;
-	private $error      = '';
-	private $error_type = '';
-	private $iQueryCount= 0;
+	private $_db_handle  = null; // readonly from outside
+	private $_db_name    = '';
+	protected $sTablePrefix = '';
+	protected $sCharset     = 'utf8';
+	protected $connected    = false;
+	protected $error        = '';
+	protected $error_type   = '';
+	protected $iQueryCount  = 0;
 
 /* prevent from public instancing */
 	protected function  __construct() {}
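Review bot: The `@` added in front of `define('DATABASE_CLASS_LOADED', true)` only hides the "already defined" notice; if this file is included twice, the `class WbDatabase` declaration further down still fails with a fatal redeclaration error, so the suppression masks the symptom rather than preventing the double include. Guard it the way version.php does in this same revision, `if(!defined('DATABASE_CLASS_LOADED')) { define('DATABASE_CLASS_LOADED', true); }`, and rely on `require_once` at the include sites. The move of the flag and counter properties to `protected` is fine, but `$_db_handle` and `$_db_name` stay `private`, so a subclass can only reach them through `__get`; a one-line comment stating that split is intentional would save the next reader a guess.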
@@ -81,6 +83,7 @@
  * Example for SQL-Url:  'mysql://user:password@demo.de[:3306]/datenbank'
  */
 	public function doConnect($url = '') {
+		$this->connected = false;
 		if($url != '') {
 			$aIni = parse_url($url);
 			
@@ -91,22 +94,40 @@
 			$hostport = isset($aIni['port']) ? $aIni['port'] : '3306';
 			$hostport = $hostport == '3306' ? '' : ':'.$hostport;
 			$db_name  = ltrim(isset($aIni['path']) ? $aIni['path'] : '', '/\\');
+			$sTmp = isset($aIni['query']) ? $aIni['query'] : '';
+			$aQuery = explode('&', $sTmp);
+			foreach($aQuery as $sArgument) {
+				$aArg = explode('=', $sArgument);
+				switch(strtolower($aArg[0])) {
+					case 'charset':
+						$this->sCharset = strtolower(preg_replace('/[^a-z0-9]/i', '', $aArg[1]));
+						break;
+					case 'tableprefix':
+						$this->sTablePrefix = $aArg[1];
+						break;
+					default:
+						break;
+				}
+			}
 			$this->_db_name = $db_name;
 		}else {
-			throw new RuntimeException('Missing parameter: unable to connect database');
+			throw new WbDatabaseException('Missing parameter: unable to connect database');
 		}
-		$this->_db_handle = mysql_connect($hostname.$hostport,
+		$this->_db_handle = @mysql_connect($hostname.$hostport,
 		                                  $username,
 		                                  $password);
 		if(!$this->_db_handle) {
-			throw new RuntimeException('unable to connect \''.$scheme.'://'.
+			throw new WbDatabaseException('unable to connect \''.$scheme.'://'.
 			                           $hostname.$hostport.'\'');
 		} else {
-			if(!mysql_select_db($db_name)) {
-				throw new RuntimeException('unable to select database \''.$db_name.
+			if(!@mysql_select_db($db_name)) {
+				throw new WbDatabaseException('unable to select database \''.$db_name.
 				                           '\' on \''.$scheme.'://'.
 				                           $hostname.$hostport.'\'');
 			} else {
+				if($this->sCharset) {
+					@mysql_query('SET NAMES \''.$this->sCharset.'\'');
+				}
 				$this->connected = true;
 			}
 		}
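Review bot: The query-string loop in doConnect indexes `$aArg[1]` unconditionally, so an argument without `=` (for example `?charset` or a trailing `&`) raises an undefined-offset notice and stores `null`; split with a limit of 2 and skip valueless entries. The charset is then applied with `@mysql_query('SET NAMES ...')`, which changes the server-side session charset but not the charset the client library uses for `mysql_real_escape_string` (re-added in the escapeString hunk below); `mysql_set_charset($this->sCharset, $this->_db_handle)` updates both, which is the PHP-documented way to keep escaping and connection charset in step, and its failure should not be silently swallowed. The table prefix is stored without the character filtering the charset gets, although it is later exposed via `TablePrefix` for use in SQL identifiers; restricting it to `[A-Za-z0-9_]` keeps it safe for unquoted use. doConnect begins in the previous hunk and its tail is outside this one.
```php
			foreach($aQuery as $sArgument) {
				$aArg = explode('=', $sArgument, 2);
				if(count($aArg) < 2) { continue; } // empty or valueless argument
				switch(strtolower($aArg[0])) {
					case 'charset':
						$this->sCharset = strtolower(preg_replace('/[^a-z0-9]/i', '', $aArg[1]));
						break;
					case 'tableprefix':
						// same whitelist idea as charset: the prefix ends up in unquoted identifiers
						$this->sTablePrefix = preg_replace('/[^a-z0-9_]/i', '', $aArg[1]);
						break;
					default:
						break;
				}
			}
			// … unchanged: _db_name assignment, mysql_connect / mysql_select_db with WbDatabaseException …
				if($this->sCharset && !mysql_set_charset($this->sCharset, $this->_db_handle)) {
					throw new WbDatabaseException('unable to set charset \''.$this->sCharset.'\'');
				}
				$this->connected = true;
```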
@@ -170,17 +191,15 @@
 	public function get_error() {
 		return $this->error;
 	}
-
-	// Return escape_string
 /**
- * escape a string for use in DB
- * @param string 
- * @return string
+ * Protect class from property injections
+ * @param string name of property
+ * @param mixed value
+ * @throws WbDatabaseException
  */	
-	public function escapeString($string) {
-		return mysql_real_escape_string($string, $this->_db_handle);
+	public function __set($name, $value) {
+		throw new WbDatabaseException('tried to set a readonly or nonexisting property ['.$name.']!! ');
 	}
-
 /**
  * default Getter for some properties
  * @param string name of the Property
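Review bot: The new `__set` docblock should say when it fires: PHP only calls `__set` for writes to undeclared properties or to properties that are inaccessible from the caller's scope, so the protection relies on every property of this class staying non-public; document that invariant so a future `public` property does not silently reopen what this change closes. The `@param` tags also lack the variable names tooling expects: `@param string $name name of the property` and `@param mixed $value value the caller tried to assign`. The thrown message ends in `!! ` with a trailing space, which looks accidental.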
@@ -195,6 +214,7 @@
 				$retval = $this->_db_handle;
 				break;
 			case 'LastInsertId':
+			case 'getLastInsertId':
 				$retval = mysql_insert_id($this->_db_handle);
 				break;
 			case 'db_name':
@@ -202,6 +222,10 @@
 			case 'getDbName':
 				$retval = $this->_db_name;
 				break;
+			case 'TablePrefix':
+			case 'getTablePrefix':
+				$retval = $this->sTablePrefix;			
+				break;
 			case 'getQueryCount':
 				$retval = $this->iQueryCount;
 				break;
@@ -211,7 +235,23 @@
 		endswitch;
 		return $retval;
 	} // __get()
-
+/**
+ * Escapes special characters in a string for use in an SQL statement
+ * @param string $unescaped_string
+ * @return string
+ */
+	public function escapeString($unescaped_string)
+	{
+		return mysql_real_escape_string($unescaped_string, $this->_db_handle);
+	}
+/**
+ * Last inserted Id
+ * @return bool|int false on error, 0 if no record inserted
+ */	
+	public function getLastInsertId()
+	{
+		return mysql_insert_id($this->_db_handle);
+	}
 /*
  * @param string full name of the table (incl. TABLE_PREFIX)
  * @param string name of the field to seek for
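Review bot: escapeString documents `@return string`, but `mysql_real_escape_string` does not return a string when no valid link is available (`false` on error, and as far as I recall a warning plus `null` when `$this->_db_handle` is still `null`), and a caller that concatenates that into SQL ends up with an unescaped empty value. Guard on the connection state first, `if(!$this->connected) { throw new WbDatabaseException('escapeString called without a database connection'); }`, and add `@throws WbDatabaseException` to the docblock. Whether the escaping matches the session charset depends on how doConnect sets it, which is the charset point raised on that hunk. getLastInsertId has the same implicit dependency on the handle; its `@return bool|int` is accurate.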
@@ -223,7 +263,6 @@
 		$query = $this->query($sql, $this->_db_handle);
 		return ($query->numRows() != 0);
 	}
-
 /*
  * @param string full name of the table (incl. TABLE_PREFIX)
  * @param string name of the index to seek for
@@ -322,8 +361,7 @@
      public function index_add($table_name, $index_name, $field_list, $index_type = 'KEY')
      {
         $retval = false;
-        $field_list = str_replace(' ', '', $field_list);
-        $field_list = explode(',', $field_list);
+        $field_list = explode(',', (str_replace(' ', '', $field_list)));
         $number_fields = sizeof($field_list);
         $field_list = '`'.implode('`,`', $field_list).'`';
         $index_name = $index_type == 'PRIMARY' ? $index_type : $index_name;
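Review bot: The rewritten line in index_add wraps the `str_replace` call in a redundant pair of parentheses; `$field_list = explode(',', str_replace(' ', '', $field_list));` reads the same without them. Folding the two statements into one is otherwise a no-op, so this hunk is style only. index_add continues past the end of this hunk.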
@@ -421,6 +459,21 @@
 
 
 } /// end of class database
+// //////////////////////////////////////////////////////////////////////////////////// //
+/**
+ * WbDatabaseException
+ *
+ * @category     Core
+ * @package      Core_database
+ * @author       Werner v.d.Decken <wkl@isteam.de>
+ * @copyright    Werner v.d.Decken <wkl@isteam.de>
+ * @license      http://www.gnu.org/licenses/gpl.html   GPL License
+ * @version      2.9.0
+ * @revision     $Revision$
+ * @lastmodified $Date$
+ * @description  Exceptionhandler for the WbDatabase and depending classes
+ */
+class WbDatabaseException extends AppException {}
 
 define('MYSQL_SEEK_FIRST', 0);
 define('MYSQL_SEEK_LAST', -1);
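Review bot: `WbDatabaseException extends AppException`, but nothing in this file includes or declares AppException, so unless an autoloader or an earlier include provides it, the class line at the bottom of the file fails at load time with "Class 'AppException' not found" and the `throw new WbDatabaseException(...)` sites in doConnect never get to raise anything. Either `require_once` the file that defines AppException here or add a comment naming the loading-order requirement, e.g. `// requires AppException (framework) to be loaded before this file`. The docblock also carries `@version 2.9.0` inside the 2.8.x branch and a non-standard `@description` tag; the first description line of the docblock is the PHPDoc convention for that.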
@@ -469,7 +522,7 @@
 	}
 
 }
-
+// //////////////////////////////////////////////////////////////////////////////////// //
 /* this function is placed inside this file temporarely until a better place is found */
 /*  function to update a var/value-pair(s) in table ****************************
  *  nonexisting keys are inserted
Index: branches/2.8.x/wb/framework/initialize.php
===================================================================
--- branches/2.8.x/wb/framework/initialize.php	(revision 1884)
+++ branches/2.8.x/wb/framework/initialize.php	(revision 1885)
@@ -114,8 +114,24 @@
 		if(is_readable($sSetupFile)) {
 			$aCfg = parse_ini_file($sSetupFile, true);
 			foreach($aCfg['Constants'] as $key=>$value) {
-				if($key == 'debug') { $value = filter_var($value, FILTER_VALIDATE_BOOLEAN); }
-				if(!defined(strtoupper($key))) { define(strtoupper($key), $value); }
+				switch($key):
+					case 'DEBUG':
+						$value = filter_var($value, FILTER_VALIDATE_BOOLEAN);
+						break;
+					case 'WB_URL':
+					case 'AppUrl':
+						$value = trim(str_replace('\\', '/', $value), '/'); 
+						if(!defined('WB_URL')) { define('WB_URL', $value); }
+						break;
+					case 'ADMIN_DIRECTORY':
+					case 'AcpDir':
+						$value = trim(str_replace('\\', '/', $value), '/'); 
+						if(!defined('ADMIN_DIRECTORY')) { define('ADMIN_DIRECTORY', $value); }
+						break;
+					default:
+						if(!defined($key)) { define($key, $value); }
+						break;
+				endswitch;
 			}
 			$db = $aCfg['DataBase'];
 			$db['type'] = isset($db['type']) ? $db['type'] : 'mysql';
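Review bot: The `case 'DEBUG':` branch filters the value but never defines the constant, so a setup.ini.php that sets `DEBUG = false` leaves `DEBUG` undefined (the removed code defined it after filtering), and the `Translate::getInstance()->initialize(..., (DEBUG ? ...))` call in the last hunk of this file then reads an undefined constant — on PHP 5 that is a notice plus the truthy string `'DEBUG'`, which would disable the translation cache in every installation unless `DEBUG` is defined elsewhere first. Add `if(!defined('DEBUG')) { define('DEBUG', $value); }` before that `break;`. The `switch` also compares `$key` case-sensitively, while the previous code uppercased keys and the build 1884 installer wrote `debug`, `wb_url` and `admin_directory`; switching on `strtoupper($key)` with cases `'APPURL'` and `'ACPDIR'` (and `define(strtoupper($key), $value)` in the default branch) keeps those files working. The identical loop in install/save.php (its first hunk) has the same two problems, and since both copies must stay in sync a shared function would be better than duplicating it.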
@@ -135,7 +151,8 @@
 				$aRetval[2] = array( 'user' => $db['user'], 'pass' => $db['pass']);
 			}else { // $sRetvalType == 'url'
 				$aRetval[0] = $db['type'].'://'.$db['user'].':'.$db['pass'].'@'
-				            . $db['host'].($db['port'] != '' ? ':'.$db['port'] : '').'/'.$db['name'];
+				            . $db['host'].($db['port'] != '' ? ':'.$db['port'] : '').'/'.$db['name']
+				            . '?Charset='.$db['charset'].'&TablePrefix='.$db['table_prefix'];
 			}
 			unset($db, $aCfg);
 			return $aRetval;
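Review bot: The DSN now appends `$db['charset']` and `$db['table_prefix']`, but the only default visible is the one for `$db['type']` just above the previous hunk; if the lines between the two hunks do not default the other two keys, a setup.ini.php from build 1884 without them produces two notices and `?Charset=&TablePrefix=`. `$db['charset'] = isset($db['charset']) ? $db['charset'] : 'utf8';` and `$db['table_prefix'] = isset($db['table_prefix']) ? $db['table_prefix'] : '';` next to the `type` default cover it. doConnect splits the query on `&` and `=` without urldecoding, so a prefix or charset containing either character is truncated; a comment here stating that restriction would help. install/save.php carries the same hunk.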
@@ -159,7 +176,10 @@
 	}
 // load db configuration ---
 	if(defined('DB_TYPE')) {
-		$aSqlData = array( 0 => DB_TYPE.'://'.DB_USERNAME.':'.DB_PASSWORD.'@'.DB_HOST.'/'.DB_NAME);
+		$sTmp = ($sTmp=((defined('DB_PORT') && DB_PORT !='') ? DB_PORT : '')) ? ':'.$sTmp : '';
+		$sTmp = DB_TYPE.'://'.DB_USERNAME.':'.DB_PASSWORD.'@'.DB_HOST.$sTmp.'/'.DB_NAME.'?Charset=';
+		$sTmp .= (defined('DB_CHARSET') ? DB_CHARSET : '').'&TablePrefix='.TABLE_PREFIX;
+		$aSqlData = array( 0 => $sTmp);
 	}else {
 		$aSqlData = readConfiguration($sDbConnectType);
 	}
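Review bot: The new port line assigns inside its own condition, `$sTmp = ($sTmp=(...)) ? ':'.$sTmp : ''`, which is hard to read and easy to break on the next edit; `$sPort = (defined('DB_PORT') && DB_PORT != '') ? ':'.DB_PORT : '';` says the same thing. `DB_CHARSET` is guarded with `defined()` but `TABLE_PREFIX` is not, so a legacy config.php without it emits a notice and, on PHP 5, uses the literal string `TABLE_PREFIX` as the prefix; `(defined('TABLE_PREFIX') ? TABLE_PREFIX : '')` keeps the two consistent. The password is still concatenated into a URL that `parse_url` later splits, so a password containing `@`, `/` or `?` breaks the DSN — pre-existing, but the new query-string part adds `&` and `=` to the list of characters the prefix and charset may not contain, which deserves a comment.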
@@ -193,7 +213,7 @@
 	if($sDbConnectType == 'dsn') {
 		$bTmp = $database->doConnect($aSqlData[0], $aSqlData[1]['user'], $aSqlData[1]['pass'], $aSqlData[2]);
 	}else {
-		$bTmp = $database->doConnect($aSqlData[0], TABLE_PREFIX);
+		$bTmp = $database->doConnect($aSqlData[0]);
 	}
 	unset($aSqlData);
 // load global settings from database and define global consts from ---
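Review bot: The `dsn` branch still calls `doConnect($aSqlData[0], $aSqlData[1]['user'], $aSqlData[1]['pass'], $aSqlData[2])` while the WbDatabase hunk in this revision shows the signature as `doConnect($url = '')`, so the three extra arguments are silently discarded and a DSN-style connection carries no credentials unless they are already inside `$aSqlData[0]`. This is pre-existing, but the non-dsn branch was just trimmed to match the signature, so the dsn branch deserves the same treatment or a comment explaining the intended call. The visible parts of doConnect do not `return` anything, so `$bTmp` is presumably `null` on success and only exceptions signal failure — hedged, since the end of doConnect is not in this diff.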
@@ -316,7 +336,9 @@
 // load and activate new global translation table
 	Translate::getInstance()->initialize('en',
 										 (defined('DEFAULT_LANGUAGE') ? DEFAULT_LANGUAGE : ''), 
-										 (defined('LANGUAGE') ? LANGUAGE : '') 
+										 (defined('LANGUAGE') ? LANGUAGE : ''),
+										 'WbOldStyle',
+										 (DEBUG ? Translate::CACHE_DISABLED|Translate::KEEP_MISSING : 0)
 										);
 // *** END OF FILE ***********************************************************************
  
\ No newline at end of file
Index: branches/2.8.x/wb/install/save.php
===================================================================
--- branches/2.8.x/wb/install/save.php	(revision 1884)
+++ branches/2.8.x/wb/install/save.php	(revision 1885)
@@ -93,8 +93,24 @@
 		if(is_readable($sSetupFile)) {
 			$aCfg = parse_ini_file($sSetupFile, true);
 			foreach($aCfg['Constants'] as $key=>$value) {
-				if($key == 'debug') { $value = filter_var($value, FILTER_VALIDATE_BOOLEAN); }
-				if(!defined(strtoupper($key))) { define(strtoupper($key), $value); }
+				switch($key):
+					case 'DEBUG':
+						$value = filter_var($value, FILTER_VALIDATE_BOOLEAN);
+						break;
+					case 'WB_URL':
+					case 'AppUrl':
+						$value = trim(str_replace('\\', '/', $value), '/'); 
+						if(!defined('WB_URL')) { define('WB_URL', $value); }
+						break;
+					case 'ADMIN_DIRECTORY':
+					case 'AcpDir':
+						$value = trim(str_replace('\\', '/', $value), '/'); 
+						if(!defined('ADMIN_DIRECTORY')) { define('ADMIN_DIRECTORY', $value); }
+						break;
+					default:
+						if(!defined($key)) { define($key, $value); }
+						break;
+				endswitch;
 			}
 			$db = $aCfg['DataBase'];
 			$db['type'] = isset($db['type']) ? $db['type'] : 'mysql';
@@ -114,7 +130,8 @@
 				$aRetval[2] = array( 'user' => $db['user'], 'pass' => $db['pass']);
 			}else { // $sRetvalType == 'url'
 				$aRetval[0] = $db['type'].'://'.$db['user'].':'.$db['pass'].'@'
-				            . $db['host'].($db['port'] != '' ? ':'.$db['port'] : '').'/'.$db['name'];
+				            . $db['host'].($db['port'] != '' ? ':'.$db['port'] : '').'/'.$db['name']
+				            . '?Charset='.$db['charset'].'&TablePrefix='.$db['table_prefix'];
 			}
 			unset($db, $aCfg);
 			return $aRetval;
@@ -243,7 +260,7 @@
 	$wb_url = $_POST['wb_url'];
 }
 // Remove any slashes at the end of the URL
-$wb_url = rtrim($wb_url,'/\\');
+$wb_url = trim(str_replace('\\', '/', $wb_url), '/').'/';
 // Get the default time zone
 if(!isset($_POST['default_timezone']) OR !is_numeric($_POST['default_timezone'])) {
 	set_error('Please select a valid default timezone', 'default_timezone');
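Review bot: `$wb_url` is taken straight from `$_POST['wb_url']` a few lines above and, unless it is validated earlier in save.php, only has its slashes normalised before it is written into setup.ini.php as `AppUrl`; the timezone check right below shows the pattern to follow. A guard such as `if(filter_var($wb_url, FILTER_VALIDATE_URL) === false) { set_error('Please enter a valid URL', 'wb_url'); }` before the trim keeps non-URLs and ini-significant characters out of the configuration file. The new trailing `/` changes what `$wb_url` holds for the rest of save.php compared with the old `rtrim`, so any later concatenation that adds its own slash should be rechecked.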
@@ -378,9 +395,9 @@
 ."; auto generated ".date('Y-m-d h:i:s A e ')."\n"
 .";################################################\n"
 ."[Constants]\n"
-."debug     = false\n"
-."wb_url    = ".$wb_url."\n"
-."admin_directory = admin\n"
+."DEBUG   = false\n"
+."AppUrl  = ".$wb_url."\n"
+."AcpDir  = admin/\n"
 .";##########\n"
 ."[DataBase]\n"
 ."type    = \"mysql\"\n"
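Review bot: `AppUrl` and `AcpDir` are written as unquoted ini values while `type` on the next line is quoted; parse_ini_file treats `;` as a comment start and gives the characters `?{}|&~!()^"` special meaning in unquoted values, so a URL with a query string or a `;` in it would be cut or misread on the next load. Quoting them, `."AppUrl  = \"".$wb_url."\"\n"` and `."AcpDir  = \"admin/\"\n"`, makes the file round-trip; a `"` inside the value still needs rejecting at input time. Because the keys are renamed here (`DEBUG`, `AppUrl`, `AcpDir`), the loader in initialize.php must keep accepting the lowercase names that build 1884 wrote, otherwise existing installations lose these settings on upgrade.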
@@ -427,7 +444,7 @@
 	}else {
 		$bTmp = @$database->doConnect($aSqlData[0], TABLE_PREFIX);
 	}
-} catch (RuntimeException $e) {
+} catch (WbDatabaseException $e) {
 	if(!file_put_contents($sConfigFile,"<?php\n")) {
 		set_error("Cannot write to the configuration file ($sSetupFile)");
 	}
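Review bot: The fallback in the `catch (WbDatabaseException $e)` block writes to `$sConfigFile` but reports `$sSetupFile` in its error message, so a failed reset points the user at the wrong file; `set_error("Cannot write to the configuration file ($sConfigFile)");` matches the call it describes. Narrowing the catch from `RuntimeException` to `WbDatabaseException` is right for what doConnect now throws, but anything else in the try block (which starts outside this hunk) that still throws `RuntimeException` now escapes the installer's error handling. The `@` on the `doConnect` call is no longer needed, since connection problems arrive as exceptions and `mysql_connect` is already suppressed inside doConnect.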
Index: branches/2.8.x/wb/install/index.php
===================================================================
--- branches/2.8.x/wb/install/index.php	(revision 1884)
+++ branches/2.8.x/wb/install/index.php	(revision 1885)
@@ -103,7 +103,7 @@
 			if(is_writeable($sConfigFile))
 			{
 // already installed? it's not empty
-				if ( filesize($sConfigFile) > 128)
+				if ( filesize($sConfigFile) > 100)
 				{
 					$config = '<font class="bad">Already installed? Check!</font>';
 // try to open and to write
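Review bot: The "already installed" threshold was lowered from 128 to 100 bytes without a comment saying where the number comes from; since save.php resets the file to `"<?php\n"` on failure, the expected empty stub is a handful of bytes and any larger limit is a guess that will be retuned again. Define it once, e.g. `define('CONFIG_EMPTY_MAX_SIZE', 100); // well above the "<?php\n" stub written by install/save.php`, and use the constant here so the next change is traceable. A size check remains a weak signal for "installed"; parsing the file for the `[DataBase]` section would be more robust but is a larger change.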
@@ -277,7 +277,7 @@
 	} else {
 		$config = $sTmp;
 	}
-	$sConfigFile = preg_match('/(?:rename)/i',$config) ? $sConfigFile : 'setup.ini.php';
+	$sConfigFile = preg_match('/(?:rename)/i',$config) ? $sConfigFile : 'config.php';
 	$installFlag = $installFlag && ($sTmp == '');
 ?>
 		<tr>
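Review bot: The fallback file name in `$sConfigFile = preg_match('/(?:rename)/i',$config) ? $sConfigFile : 'config.php';` goes back to `config.php`, whereas the build 1884 changelog entry in this same diff says new installations moved to setup.ini.php; if this is the name shown when `$config` does not contain "rename", it now names the legacy file. Please confirm the intent and add a short comment either way, e.g. `// legacy file name is shown unless the rename hint applies`. The enclosing block starts before this hunk.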
