Index: branches/2.8.x/CHANGELOG
===================================================================
--- branches/2.8.x/CHANGELOG (revision 2014)
+++ branches/2.8.x/CHANGELOG (revision 2015)
@@ -11,6 +11,9 @@
! = Update/Change
===============================================================================
+04 Nov-2013 Build 2015 Manuela v.d.Decken(DarkViper)
+# some fixes in upgrade-script and UpgradeHelper.
+! update initialize.php for secure use of setup.ini.php
04 Nov-2013 Build 2014 Manuela v.d.Decken(DarkViper)
+ added new Interface usable to connect from WYSIWYG-Editor to all Modules with subitems like news or topics
04 Nov-2013 Build 2013 Manuela v.d.Decken(DarkViper)
Index: branches/2.8.x/wb/upgrade-script.php
===================================================================
--- branches/2.8.x/wb/upgrade-script.php (revision 2014)
+++ branches/2.8.x/wb/upgrade-script.php (revision 2015)
@@ -72,7 +72,7 @@
if (is_readable($config_file) && !defined('WB_URL')) {
require_once($config_file);
}
-UpgradeHelper::checkSetupFiles($config_file);
+UpgradeHelper::checkSetupFiles(dirname(__FILE__).'/');
if (!class_exists('admin', false)) {
include(WB_PATH.'/framework/class.admin.php');
Index: branches/2.8.x/wb/admin/interface/version.php
===================================================================
--- branches/2.8.x/wb/admin/interface/version.php (revision 2014)
+++ branches/2.8.x/wb/admin/interface/version.php (revision 2015)
@@ -51,5 +51,5 @@
// check if defined to avoid errors during installation (redirect to admin panel fails if PHP error/warnings are enabled)
if(!defined('VERSION')) define('VERSION', '2.8.3');
-if(!defined('REVISION')) define('REVISION', '2014');
+if(!defined('REVISION')) define('REVISION', '2015');
if(!defined('SP')) define('SP', '');
Index: branches/2.8.x/wb/framework/initialize.php
===================================================================
--- branches/2.8.x/wb/framework/initialize.php (revision 2014)
+++ branches/2.8.x/wb/framework/initialize.php (revision 2015)
@@ -37,15 +37,16 @@
* sanitize $_SERVER['HTTP_REFERER']
* @param string $sWbUrl qualified startup URL of current application
*/
- function SanitizeHttpReferer($sWbUrl = WB_URL) {
+ function initSanitizeHttpReferer($sWbUrl) {
$sTmpReferer = '';
if (isset($_SERVER['HTTP_REFERER']) && $_SERVER['HTTP_REFERER'] != '') {
+ $sTmpReferer = $_SERVER['HTTP_REFERER'];
$aRefUrl = parse_url($_SERVER['HTTP_REFERER']);
if ($aRefUrl !== false) {
$aRefUrl['host'] = isset($aRefUrl['host']) ? $aRefUrl['host'] : '';
$aRefUrl['path'] = isset($aRefUrl['path']) ? $aRefUrl['path'] : '';
$aRefUrl['fragment'] = isset($aRefUrl['fragment']) ? '#'.$aRefUrl['fragment'] : '';
- $aWbUrl = parse_url(WB_URL);
+ $aWbUrl = parse_url($sWbUrl);
if ($aWbUrl !== false) {
$aWbUrl['host'] = isset($aWbUrl['host']) ? $aWbUrl['host'] : '';
$aWbUrl['path'] = isset($aWbUrl['path']) ? $aWbUrl['path'] : '';
@@ -52,7 +53,7 @@
if (strpos($aRefUrl['host'].$aRefUrl['path'],
$aWbUrl['host'].$aWbUrl['path']) !== false) {
$aRefUrl['path'] = preg_replace('#^'.$aWbUrl['path'].'#i', '', $aRefUrl['path']);
- $sTmpReferer = WB_URL.$aRefUrl['path'].$aRefUrl['fragment'];
+ $sTmpReferer = $sWbUrl.$aRefUrl['path'].$aRefUrl['fragment'];
}
unset($aWbUrl);
}
@@ -65,7 +66,7 @@
* Set constants for system/install values
* @throws RuntimeException
*/
- function SetInstallPathConstants() {
+ function initSetInstallPathConstants() {
if(!defined('DEBUG')){ define('DEBUG', false); } // normaly set in config file
if(!defined('ADMIN_DIRECTORY')){ define('ADMIN_DIRECTORY', 'admin'); }
if(!preg_match('/xx[a-z0-9_][a-z0-9_\-\.]+/i', 'xx'.ADMIN_DIRECTORY)) {
@@ -72,7 +73,7 @@
throw new RuntimeException('Invalid admin-directory: ' . ADMIN_DIRECTORY);
}
if(!defined('WB_PATH')){ define('WB_PATH', dirname(dirname(__FILE__))); }
- if(!defined('ADMIN_URL')){ define('ADMIN_URL', WB_URL.'/'.ADMIN_DIRECTORY); }
+ if(!defined('ADMIN_URL')){ define('ADMIN_URL', rtrim(WB_URL, '/\\').'/'.ADMIN_DIRECTORY); }
if(!defined('ADMIN_PATH')){ define('ADMIN_PATH', WB_PATH.'/'.ADMIN_DIRECTORY); }
if(!defined('WB_REL')){
$x1 = parse_url(WB_URL);
@@ -80,37 +81,45 @@
}
if(!defined('ADMIN_REL')){ define('ADMIN_REL', WB_REL.'/'.ADMIN_DIRECTORY); }
if(!defined('DOCUMENT_ROOT')) {
- define('DOCUMENT_ROOT', preg_replace('/'.preg_quote(str_replace('\\', '/', WB_REL), '/').'$/', '', str_replace('\\', '/', WB_PATH)));
- // creating $_SERVER['DOCUMENT_ROOT'] for Windows IIS Server
- $_SERVER['DOCUMENT_ROOT'] = DOCUMENT_ROOT;
+ define('DOCUMENT_ROOT', preg_replace('/'.preg_quote(str_replace('\\', '/', WB_REL), '/').'$/', '', str_replace('\\', '/', WB_PATH)));
+ $_SERVER['DOCUMENT_ROOT'] = DOCUMENT_ROOT;
}
if(!defined('TMP_PATH')){ define('TMP_PATH', WB_PATH.'/temp'); }
}
/**
- * Read DB settings from configuration file
- * @return string
+ * checkValidCaller
+ * @param array $aCaller list of allowed scripts
+ * @return true || Exception
* @throws RuntimeException
- *
+ * @description test if acctual file is called from one of the given list
*/
- function readConfiguration($sRetvalType = 'url') {
- // check for valid file request. Becomes more stronger in next version
+ function initCheckValidCaller(array $aCaller)
+ {
$x = debug_backtrace();
- $bValidRequest = false;
- if(sizeof($x) != 0) {
- foreach($x as $aStep) {
- // define the scripts which can read the configuration
- if(preg_match('/(save.php|index.php|config.php|upgrade-script.php)$/si', $aStep['file'])) {
- $bValidRequest = true;
- break;
- }
+ if(sizeof($x) == 0) {
+ return true;
+ }
+ $sPattern = '/('.str_replace('#', '|', preg_quote(implode('#', $aCaller), '/')).')$/si';
+ foreach($x as $aStep) {
+ // define the scripts which can read the configuration
+ if(preg_match($sPattern, $aStep['file'])) {
+ return true;
}
- } else {
- $bValidRequest = true;
}
- if(!$bValidRequest) {
- throw new RuntimeException('illegal function request!');
- }
- $aRetval = array();
+ throw new RuntimeException('illegal file request!');
+ }
+/**
+ * Read DB settings from configuration file
+ * @return array
+ * @throws RuntimeException
+ *
+ */
+ function initReadSetupFile()
+ {
+ // check for valid file request. Becomes more stronger in next version
+ initCheckValidCaller(array('save.php','index.php','config.php','upgrade-script.php'));
+ $aCfg = array();
+
$sSetupFile = dirname(dirname(__FILE__)).'/setup.ini.php';
if(is_readable($sSetupFile)) {
$aCfg = parse_ini_file($sSetupFile, true);
@@ -120,12 +129,12 @@
$value = filter_var($value, FILTER_VALIDATE_BOOLEAN);
if(!defined('DEBUG')) { define('DEBUG', $value); }
break;
- case 'WB_URL':
+ case 'WB_URL': // << case is set deprecated
case 'AppUrl':
$value = trim(str_replace('\\', '/', $value), '/');
if(!defined('WB_URL')) { define('WB_URL', $value); }
break;
- case 'ADMIN_DIRECTORY':
+ case 'ADMIN_DIRECTORY': // << case is set deprecated
case 'AcpDir':
$value = trim(str_replace('\\', '/', $value), '/');
if(!defined('ADMIN_DIRECTORY')) { define('ADMIN_DIRECTORY', $value); }
@@ -135,59 +144,76 @@
break;
endswitch;
}
- $db = $aCfg['DataBase'];
- $db['type'] = isset($db['type']) ? $db['type'] : 'mysql';
- $db['user'] = isset($db['user']) ? $db['user'] : 'foo';
- $db['pass'] = isset($db['pass']) ? $db['pass'] : 'bar';
- $db['host'] = isset($db['host']) ? $db['host'] : 'localhost';
- $db['port'] = isset($db['port']) ? $db['port'] : '3306';
- $db['port'] = ($db['port'] != '3306') ? $db['port'] : '';
- $db['name'] = isset($db['name']) ? $db['name'] : 'dummy';
- $db['charset'] = isset($db['charset']) ? trim($db['charset']) : '';
- $db['table_prefix'] = (isset($db['table_prefix']) ? $db['table_prefix'] : '');
- if(!defined('TABLE_PREFIX')) { define('TABLE_PREFIX', $db['table_prefix']); }
- if($sRetvalType == 'dsn') {
- $aRetval[0] = $db['type'].':dbname='.$db['name'].';host='.$db['host'].';'
- . ($db['port'] != '' ? 'port='.(int)$db['port'].';' : '');
- $aRetval[1] = array('CHARSET' => $db['charset'], 'TABLE_PREFIX' => $db['table_prefix']);
- $aRetval[2] = array( 'user' => $db['user'], 'pass' => $db['pass']);
- }else { // $sRetvalType == 'url'
- $aRetval[0] = $db['type'].'://'.$db['user'].':'.$db['pass'].'@'
- . $db['host'].($db['port'] != '' ? ':'.$db['port'] : '').'/'.$db['name']
- . '?Charset='.$db['charset'].'&TablePrefix='.$db['table_prefix'];
- }
- unset($db, $aCfg);
- return $aRetval;
}
- throw new RuntimeException('unable to read setup.ini.php');
+ return $aCfg;
+// throw new RuntimeException('unable to read setup.ini.php');
}
+ /**
+ * GetDbConnectData
+ * @param array $aCfg
+ * @param string $sDbConnectType can be 'url' or 'dsn'
+ * @return array
+ *
+ */
+ function initGetDbConnectData(array $aCfg, $sDbConnectType = 'url')
+ {
+ if(defined('DB_TYPE'))
+ {
+ // import constants for compatibility reasons
+ $db = array();
+ if(defined('DB_TYPE')) { $db['type'] = DB_TYPE; }
+ if(defined('DB_USERNAME')) { $db['user'] = DB_USERNAME; }
+ if(defined('DB_PASSWORD')) { $db['pass'] = DB_PASSWORD; }
+ if(defined('DB_HOST')) { $db['host'] = DB_HOST; }
+ if(defined('DB_PORT')) { $db['port'] = DB_PORT; }
+ if(defined('DB_NAME')) { $db['name'] = DB_NAME; }
+ if(defined('DB_CHARSET')) { $db['charset'] = DB_CHARSET; }
+ if(defined('TABLE_PREFIX')) { $db['table_prefix'] = TABLE_PREFIX; }
+ $aCfg['DataBase'] = $db;
+ }
+ // sanitize values
+ $db = $aCfg['DataBase'];
+ $db['type'] = isset($db['type']) ? $db['type'] : 'mysql';
+ $db['user'] = isset($db['user']) ? $db['user'] : 'foo';
+ $db['pass'] = isset($db['pass']) ? $db['pass'] : 'bar';
+ $db['host'] = isset($db['host']) ? $db['host'] : 'localhost';
+ $db['port'] = isset($db['port']) ? $db['port'] : '3306';
+ $db['port'] = ($db['port'] != '3306') ? $db['port'] : '';
+ $db['name'] = isset($db['name']) ? $db['name'] : 'dummy';
+ $db['charset'] = isset($db['charset']) ? trim($db['charset']) : 'utf8';
+ $db['table_prefix'] = (isset($db['table_prefix']) ? $db['table_prefix'] : '');
+ if(!defined('TABLE_PREFIX')) { define('TABLE_PREFIX', $db['table_prefix']); }
+ if($sDbConnectType == 'dsn') {
+ // build dsn to connect
+ $aRetval[0] = $db['type'].':dbname='.$db['name'].';host='.$db['host'].';'
+ . ($db['port'] != '' ? 'port='.(int)$db['port'].';' : '');
+ $aRetval[1] = array('CHARSET' => $db['charset'], 'TABLE_PREFIX' => $db['table_prefix']);
+ $aRetval[2] = array( 'user' => $db['user'], 'pass' => $db['pass']);
+ }else {
+ // build url to connect
+ $aRetval[0] = $db['type'].'://'.$db['user'].':'.$db['pass'].'@'
+ . $db['host'].($db['port'] != '' ? ':'.$db['port'] : '').'/'.$db['name']
+ . '?Charset='.$db['charset'].'&TablePrefix='.$db['table_prefix'];
+ }
+ return $aRetval;
+ }
+
/* ***************************************************************************************
* Start initialization *
****************************************************************************************/
// initialize debug evaluation values ---
- $sDbConnectType = 'url'; // depending from class WbDatabase it can be 'url' or 'dsn'
$starttime = array_sum(explode(" ",microtime()));
$iPhpDeclaredClasses = sizeof(get_declared_classes());
+ $sDbConnectType = 'url'; // depending from class WbDatabase it can be 'url' or 'dsn'
// disable all kind of magic_quotes in PHP versions before 5.4 ---
if(version_compare(PHP_VERSION, '5.4.0', '<')) {
- if(get_magic_quotes_gpc() || get_magic_quotes_runtime()) {
- @ini_set('magic_quotes_sybase', 0);
- @ini_set('magic_quotes_gpc', 0);
- @ini_set('magic_quotes_runtime', 0);
- }
+ @set_magic_quotes_runtime(0);
}
-// load db configuration ---
- if(defined('DB_TYPE')) {
- $sTmp = ($sTmp=((defined('DB_PORT') && DB_PORT !='') ? DB_PORT : '')) ? ':'.$sTmp : '';
- $sTmp = DB_TYPE.'://'.DB_USERNAME.':'.DB_PASSWORD.'@'.DB_HOST.$sTmp.'/'.DB_NAME.'?Charset=';
- $sTmp .= (defined('DB_CHARSET') ? DB_CHARSET : '').'&TablePrefix='.TABLE_PREFIX;
- $aSqlData = array( 0 => $sTmp);
- }else {
- $aSqlData = readConfiguration($sDbConnectType);
- }
- SetInstallPathConstants();
+// load configuration ---
+ $aCfg = initReadSetupFile();
// sanitize $_SERVER['HTTP_REFERER'] ---
- SanitizeHttpReferer(WB_URL);
+ initSetInstallPathConstants();
+ initSanitizeHttpReferer(WB_URL);
// register WB basic autoloader ---
$sTmp = dirname(__FILE__).'/WbAutoloader.php';
if(!class_exists('WbAutoloader')){
@@ -194,6 +220,8 @@
include($sTmp);
}
WbAutoloader::doRegister(array(ADMIN_DIRECTORY=>'a', 'modules'=>'m'));
+// instantiate and initialize adaptor for temporary registry replacement ---
+ WbAdaptor::getInstance()->getWbConstants();
// register TWIG autoloader ---
$sTmp = dirname(dirname(__FILE__)).'/include/Sensio/Twig/lib/Twig/Autoloader.php';
if(!class_exists('Twig_Autoloader')) {
@@ -205,14 +233,20 @@
include(dirname(__FILE__).'/globalExceptionHandler.php');
}
// ---------------------------
+// get Database connection data from configuration
+ $aSqlData = initGetDbConnectData($aCfg, $sDbConnectType);
// Create global database instance ---
- $database = WbDatabase::getInstance();
+ $oDb = $database = WbDatabase::getInstance();
if($sDbConnectType == 'dsn') {
- $bTmp = $database->doConnect($aSqlData[0], $aSqlData[1]['user'], $aSqlData[1]['pass'], $aSqlData[2]);
+ $bTmp = $oDb->doConnect($aSqlData[0], $aSqlData[1]['user'], $aSqlData[1]['pass'], $aSqlData[2]);
}else {
- $bTmp = $database->doConnect($aSqlData[0]);
+ $bTmp = $oDb->doConnect($aSqlData[0]);
}
- unset($aSqlData);
+// remove critical data from memory
+ unset($aSqlData, $aCfg);
+
+ if(!defined('TABLE_PREFIX')) { define('TABLE_PREFIX', $oDb->TablePrefix); }
+
// load global settings from database and define global consts from ---
$sql = 'SELECT `name`, `value` FROM `'.TABLE_PREFIX.'settings`';
if(($oSettings = $database->query($sql))) {
@@ -333,15 +367,14 @@
}
/** end of deprecated part **/
// instantiate and initialize adaptor for temporary registry replacement ---
- if(class_exists('WbAdaptor')) {
- WbAdaptor::getInstance()->getWbConstants();
- }
+ WbAdaptor::getInstance()->getWbConstants();
// load and activate new global translation table
Translate::getInstance()->initialize('en',
(defined('DEFAULT_LANGUAGE') ? DEFAULT_LANGUAGE : ''),
(defined('LANGUAGE') ? LANGUAGE : ''),
'WbOldStyle',
- (DEBUG ? Translate::CACHE_DISABLED|Translate::KEEP_MISSING : 0)
+ (Translate::CACHE_DISABLED|Translate::KEEP_MISSING)
+// (DEBUG ? Translate::CACHE_DISABLED|Translate::KEEP_MISSING : 0)
);
if(!class_exists('PasswordHash', false)) { include(WB_PATH.'/include/phpass/PasswordHash.php'); }
$oPass = Password::getInstance(new PasswordHash(Password::CRYPT_LOOPS_DEFAULT, Password::HASH_TYPE_AUTO));
@@ -348,4 +381,4 @@
if(defined('PASSWORD_CRYPT_LOOPS')) { $oPass->setIteration(PASSWORD_CRYPT_LOOPS); }
if(defined('PASSWORD_HASH_TYPES')) { $oPass->setHashType(PASSWORD_HASH_TYPES); }
// *** END OF FILE ***********************************************************************
-
\ No newline at end of file
+
Index: branches/2.8.x/wb/framework/UpgradeHelper.php
===================================================================
--- branches/2.8.x/wb/framework/UpgradeHelper.php (revision 2014)
+++ branches/2.8.x/wb/framework/UpgradeHelper.php (revision 2015)
@@ -137,9 +137,9 @@
. 'setup.ini.php.new';
self::dieWithMessage($sMsg);
} else { // ok, let's change the files now!
- if (file_exists($aAppPath.'setup.ini.php')) {
+ if (file_exists($sAppPath.'setup.ini.php')) {
// if 'setup.ini.php' exists
- if (!is_writeable($aAppPath.'setup.ini.php')) {
+ if (!is_writeable($sAppPath.'setup.ini.php')) {
// but it's not writable
$sMsg = 'The file \'setup.ini.php\' already exists but is not writeable!';
self::dieWithMessage($sMsg);
@@ -146,9 +146,9 @@
}
} else {
// try to rename 'setup.ini.php.new' into 'setup.ini.php'
- if (!rename($aAppPath.'setup.ini.php.new', $aAppPath.'setup.ini.php')) {
- $sMsg = 'Can not rename \''.$aAppPath.'setup.ini.php.new\' into \''.$aAppPath.'setup.ini.php\' !!
'
- . 'Create an empty file \''.$aAppPath.'setup.ini.php\' and make it writeable for the server!';
+ if (!rename($sAppPath.'setup.ini.php.new', $sAppPath.'setup.ini.php')) {
+ $sMsg = 'Can not rename \''.$sAppPath.'setup.ini.php.new\' into \''.$sAppPath.'setup.ini.php\' !!
'
+ . 'Create an empty file \''.$sAppPath.'setup.ini.php\' and make it writeable for the server!';
self::dieWithMessage($sMsg);
}
}
@@ -172,8 +172,8 @@
$aSetupConsts['ADMIN_DIRECTORY'] = trim(str_replace('\\', '/', preg_replace('/^'.preg_quote(WB_PATH, '/').'/', '', ADMIN_PATH)), '/').'/';
$aSetupConsts['WB_URL'] = rtrim(str_replace('\\', '/', WB_URL), '/').'/';
// Try and write settings to config file
- if (writeSetupIni($sAppPath, $aSetupConsts)) {
- if (writeConfig($sAppPath)) {
+ if (self::writeSetupIni($sAppPath, $aSetupConsts)) {
+ if (self::writeConfig($sAppPath)) {
return true;
} else {
$sMsg ='Error writing \''.$sAppPath.'config.php\'!';
@@ -228,7 +228,7 @@
."user = \"".$aSetupValues['DB_USERNAME']."\"\n"
."pass = \"".$aSetupValues['DB_PASSWORD']."\"\n"
."host = \"".$aSetupValues['DB_HOST']."\"\n"
- ."port = \"".$aSetupValues['DB_PORT']."3306\"\n"
+ ."port = \"".$aSetupValues['DB_PORT']."\"\n"
."name = \"".$aSetupValues['DB_NAME']."\"\n"
."charset = \"".$aSetupValues['DB_CHARSET']."\"\n"
."table_prefix = \"".$aSetupValues['TABLE_PREFIX']."\"\n"