From 744946466fc2d92f145882ac1bd8a1259421eb37 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rn=20Schnottale?= Date: Fri, 17 Nov 2017 16:20:30 +0100 Subject: [PATCH 01/16] * fixed wrong mysqli in rewrite --- projekt01/index.php | 461 ++++++++++++++++++++++---------------------- 1 file changed, 230 insertions(+), 231 deletions(-) diff --git a/projekt01/index.php b/projekt01/index.php index 3c35219..973f982 100644 --- a/projekt01/index.php +++ b/projekt01/index.php @@ -43,24 +43,24 @@ $error_reporting = E_ALL & ~E_NOTICE; if (defined('E_DEPRECATED')) { - $error_reporting &= ~E_DEPRECATED; + $error_reporting &= ~E_DEPRECATED; } if (defined('E_STRICT')) { - $error_reporting &= ~E_STRICT; + $error_reporting &= ~E_STRICT; } error_reporting ($error_reporting); // alle GET, POST und COOKIE wegen Globals_off parsen $types_to_register = array('GET','POST','SERVER'); foreach ($types_to_register as $global_type) { - $arr = @${'HTTP_'.$global_type.'_VARS'}; - if (@count($arr) > 0) - extract($arr, EXTR_OVERWRITE); - else { - $arr = @${'_'.$global_type}; - if (@count($arr) > 0) extract($arr, EXTR_OVERWRITE); - } + $arr = @${'HTTP_'.$global_type.'_VARS'}; + if (@count($arr) > 0) + extract($arr, EXTR_OVERWRITE); + else { + $arr = @${'_'.$global_type}; + if (@count($arr) > 0) extract($arr, EXTR_OVERWRITE); + } } $cfg_cms = '';$cfg_client =''; @@ -69,15 +69,15 @@ // Session auslesen if (!empty($view)) { - $sefrengo = (empty($sefrengo)) ? $_COOKIE['sefrengo'] : $sefrengo; + $sefrengo = (empty($sefrengo)) ? $_COOKIE['sefrengo'] : $sefrengo; } else { - $sefrengo = (empty($sid)) ? $_COOKIE_VARS['sid'] : $sid; + $sefrengo = (empty($sid)) ? $_COOKIE_VARS['sid'] : $sid; } //Load API require_once ($cms_path.'API/inc.apiLoader.php'); // notwendige Dateien includen if (! is_file($cms_path.'inc/config.php')) { - die('NO CONFIGFILE FOUND'); + die('NO CONFIGFILE FOUND'); } require_once ($cms_path.'inc/config.php'); require_once ($cms_path.'inc/class.cms_debug.php'); @@ -124,29 +124,29 @@ $langarray = array(); while ($db->next_record()) { - $tmp_idlang = $db->f('idlang'); - $sf_lang_stack[$tmp_idlang]['idlang'] = $tmp_idlang; - $sf_lang_stack[$tmp_idlang]['charset'] = $db->f('charset'); - $sf_lang_stack[$tmp_idlang]['name'] = $db->f('name'); - $sf_lang_stack[$tmp_idlang]['iso_3166_code'] = $db->f('iso_3166_code'); - $sf_lang_stack[$tmp_idlang]['rewrite_key'] = $db->f('rewrite_key'); - $sf_lang_stack[$tmp_idlang]['rewrite_mapping'] = $db->f('rewrite_mapping'); - - if ($db->f('is_start') == 1) { - $lang_global_startlang = $tmp_idlang; - } - - if (strlen($sf_lang_stack[$tmp_idlang]['iso_3166_code']) >= 2 ) { - $langarray[ $sf_lang_stack[$tmp_idlang]['iso_3166_code'] ] = $tmp_idlang; - } + $tmp_idlang = $db->f('idlang'); + $sf_lang_stack[$tmp_idlang]['idlang'] = $tmp_idlang; + $sf_lang_stack[$tmp_idlang]['charset'] = $db->f('charset'); + $sf_lang_stack[$tmp_idlang]['name'] = $db->f('name'); + $sf_lang_stack[$tmp_idlang]['iso_3166_code'] = $db->f('iso_3166_code'); + $sf_lang_stack[$tmp_idlang]['rewrite_key'] = $db->f('rewrite_key'); + $sf_lang_stack[$tmp_idlang]['rewrite_mapping'] = $db->f('rewrite_mapping'); + + if ($db->f('is_start') == 1) { + $lang_global_startlang = $tmp_idlang; + } + + if (strlen($sf_lang_stack[$tmp_idlang]['iso_3166_code']) >= 2 ) { + $langarray[ $sf_lang_stack[$tmp_idlang]['iso_3166_code'] ] = $tmp_idlang; + } } $neg = negotiateLanguage($langarray, 'xx'); if ($neg != 'xx') { - $startlang = $langarray[$neg]; + $startlang = $langarray[$neg]; } else { - $startlang = $lang_global_startlang; + $startlang = $lang_global_startlang; } @@ -154,19 +154,18 @@ // REWRITE // if ($_REQUEST['sf_rewrite'] && $cfg_client['url_rewrite'] == '2' && ! isset($view)) { - include_once($cfg_cms['cms_path'].'inc/fnc.mod_rewrite.php'); - $sf_rewrite_raw = mysqli_escape_string($this->db->Link_ID, $_REQUEST['sf_rewrite']); - $sf_rw_pieces = explode('/', $sf_rewrite_raw); - - $_sf_rewrite_session = true; - if(preg_match('/^[0-9abcdef]{32}$/', $sf_rw_pieces['0'])) { - $_GET['sid'] = $_GET['sid'] = $_REQUEST['sid'] = $sf_rw_pieces['0']; - } - - - //echo " AA ".$lang; - //test of unique side - $sql = "SELECT + include_once($cfg_cms['cms_path'].'inc/fnc.mod_rewrite.php'); + $sf_rewrite_raw = mysqli_escape_string($GLOBALS['db']->Link_ID, $_REQUEST['sf_rewrite']); + $sf_rw_pieces = explode('/', $sf_rewrite_raw); + + $_sf_rewrite_session = true; + if(preg_match('/^[0-9abcdef]{32}$/', $sf_rw_pieces['0'])) { + $_GET['sid'] = $_REQUEST['sid'] = $sf_rw_pieces['0']; + } + + //echo " AA ".$lang; + //test of unique side + $sql = "SELECT CS.idcatside, CS.idcat, SL.idlang FROM ".$cms_db['cat_side']." CS @@ -176,59 +175,59 @@ CL.idclient = '$client' AND SL.rewrite_url = '".preg_replace('#^[0-9abcdef]{32}/#', '', $sf_rewrite_raw)."' AND SL.rewrite_use_automatic= '0'"; - $db->query($sql); - if ($db->next_record()) { - //remember exception langswitch - if (! is_numeric($_REQUEST['lang'])) { - $lang = $db->f('idlang'); - } else { - $lang = $_REQUEST['lang']; - } - - $idcatside = $db->f('idcatside'); - } else { - //sessionlookup and lang - $with_short_startlang = ($cfg_client['url_langid_in_defaultlang'] != '1') ? true: false; - if (preg_match('/^[0-9abcdef]{32}$/', $sf_rw_pieces['0']) ) { - $sf_rw_session = $sf_rw_pieces['0']; - $sf_rw_lang = mysqli_escape_string($this->db->Link_ID, $sf_rw_pieces['1']); - $sf_rw_pieces = array_slice($sf_rw_pieces, 2); - } else { - $sf_rw_session = ''; - $sf_rw_lang = mysqli_escape_string($this->db->Link_ID, $sf_rw_pieces['0']); - $sf_rw_pieces = array_slice($sf_rw_pieces, 1); - } - - //check lang - $lang_exists_in_url = false; - foreach ($sf_lang_stack AS $v) { - //echo "{$v['rewrite_key']} == $sf_rw_lang
"; - if($v['rewrite_key'] == $sf_rw_lang ) { - $lang_exists_in_url = true; - break; - } - } - if (! $lang_exists_in_url) { - //echo "IN"; - array_unshift($sf_rw_pieces, $sf_rw_lang); - $sf_rw_lang = $sf_lang_stack[$startlang]['rewrite_key']; - } - - // print_r($sf_rw_pieces); - - - //page or cat - $sf_rw_count = count($sf_rw_pieces); - $sf_rw_is_page = ($sf_rw_pieces[$sf_rw_count-1] != '') ? true : false; - if (! $sf_rw_is_page) { - array_pop($sf_rw_pieces); - } - - $sf_rw_pieces = array_reverse($sf_rw_pieces); - - - //figure out lang - not jump in, if user change language - $sql = 'SELECT + $db->query($sql); + if ($db->next_record()) { + //remember exception langswitch + if (! is_numeric($_REQUEST['lang'])) { + $lang = $db->f('idlang'); + } else { + $lang = $_REQUEST['lang']; + } + + $idcatside = $db->f('idcatside'); + } else { + //sessionlookup and lang + $with_short_startlang = ($cfg_client['url_langid_in_defaultlang'] != '1') ? true: false; + if (preg_match('/^[0-9abcdef]{32}$/', $sf_rw_pieces['0']) ) { + $sf_rw_session = $sf_rw_pieces['0']; + $sf_rw_lang = mysqli_escape_string($GLOBALS['db']->Link_ID, $sf_rw_pieces['1']); + $sf_rw_pieces = array_slice($sf_rw_pieces, 2); + } else { + $sf_rw_session = ''; + $sf_rw_lang = mysqli_escape_string($GLOBALS['db']->Link_ID, $sf_rw_pieces['0']); + $sf_rw_pieces = array_slice($sf_rw_pieces, 1); + } + + //check lang + $lang_exists_in_url = false; + foreach ($sf_lang_stack AS $v) { + //echo "{$v['rewrite_key']} == $sf_rw_lang
"; + if($v['rewrite_key'] == $sf_rw_lang ) { + $lang_exists_in_url = true; + break; + } + } + if (! $lang_exists_in_url) { + //echo "IN"; + array_unshift($sf_rw_pieces, $sf_rw_lang); + $sf_rw_lang = $sf_lang_stack[$startlang]['rewrite_key']; + } + + // print_r($sf_rw_pieces); + + + //page or cat + $sf_rw_count = count($sf_rw_pieces); + $sf_rw_is_page = ($sf_rw_pieces[$sf_rw_count-1] != '') ? true : false; + if (! $sf_rw_is_page) { + array_pop($sf_rw_pieces); + } + + $sf_rw_pieces = array_reverse($sf_rw_pieces); + + + //figure out lang - not jump in, if user change language + $sql = 'SELECT L.idlang FROM ' . $cms_db['lang'] . ' L @@ -236,26 +235,26 @@ WHERE CL.idclient = ' . $client .' AND L.rewrite_key="'.$sf_rw_lang.'"'; - $db->query($sql); - $db->next_record(); - $sf_rw_lang_id = $db->f('idlang'); - - if (! is_numeric($_REQUEST['lang'])) { - $lang = $sf_rw_lang_id; - } else { - $lang = $_REQUEST['lang']; - } - //echo " AA ".$lang; - - //get idcatside or idcat - if ($sf_rw_is_page) { - //echo "IN". $lang; - //page - $sf_rw_suffix = str_replace('.', '\.', $cfg_client['url_rewrite_suffix']); - - $v = preg_replace('#'.$sf_rw_suffix.'$#', '', $sf_rw_pieces['0']); - - $sql = "SELECT DISTINCT + $db->query($sql); + $db->next_record(); + $sf_rw_lang_id = $db->f('idlang'); + + if (! is_numeric($_REQUEST['lang'])) { + $lang = $sf_rw_lang_id; + } else { + $lang = $_REQUEST['lang']; + } + //echo " AA ".$lang; + + //get idcatside or idcat + if ($sf_rw_is_page) { + //echo "IN". $lang; + //page + $sf_rw_suffix = str_replace('.', '\.', $cfg_client['url_rewrite_suffix']); + + $v = preg_replace('#'.$sf_rw_suffix.'$#', '', $sf_rw_pieces['0']); + + $sql = "SELECT DISTINCT CS.idcatside, CS.idcat FROM ".$cms_db['cat_side']." CS @@ -263,35 +262,35 @@ WHERE CL.idlang= '$sf_rw_lang_id' AND CL.rewrite_url = '".$v."'"; - - $db->query($sql); - $db->num_rows() ; - //simple rewrite - allows shadow urls - //if ($db->num_rows() == 1) { - // $db->next_record(); - // $idcatside = $db->f('idcatside'); - //} else - if ($db->num_rows() > 0) { - while ($db->next_record()) { - $sf_rw_possibleidcats[$db->f('idcatside')] = $db->f('idcat'); - } - - array_shift($sf_rw_pieces); - //print_r($sf_rw_pieces);echo '
'; - foreach($sf_rw_possibleidcats AS $k=>$v) { - if(rewriteIdcatIsUniqueToPath($v, $sf_rw_lang_id, $sf_rw_pieces)) { - //echo "IN"; - $idcatside = $k; - //$idcat = $v; - break; - } - } - } - } else { - //cat - //$v = preg_replace('#/$#', '', mysql_escape_string($v)); - - $sql = "SELECT DISTINCT + + $db->query($sql); + $db->num_rows() ; + //simple rewrite - allows shadow urls + //if ($db->num_rows() == 1) { + // $db->next_record(); + // $idcatside = $db->f('idcatside'); + //} else + if ($db->num_rows() > 0) { + while ($db->next_record()) { + $sf_rw_possibleidcats[$db->f('idcatside')] = $db->f('idcat'); + } + + array_shift($sf_rw_pieces); + //print_r($sf_rw_pieces);echo '
'; + foreach($sf_rw_possibleidcats AS $k=>$v) { + if(rewriteIdcatIsUniqueToPath($v, $sf_rw_lang_id, $sf_rw_pieces)) { + //echo "IN"; + $idcatside = $k; + //$idcat = $v; + break; + } + } + } + } else { + //cat + //$v = preg_replace('#/$#', '', mysql_escape_string($v)); + + $sql = "SELECT DISTINCT C.idcat, C.parent FROM ".$cms_db['cat']." C @@ -299,62 +298,62 @@ WHERE CL.idlang = '$sf_rw_lang_id' AND rewrite_alias = '".$sf_rw_pieces['0']."'"; - $db->query($sql); - //if ($db->num_rows() == 1) { - // $db->next_record(); - // $idcat = $db->f('idcat'); - //} else - if ($db->num_rows() > 0) { - $sf_rw_possibleidcats = array(); - while ($db->next_record()) { - array_push($sf_rw_possibleidcats, $db->f('idcat') ); - } - - foreach ($sf_rw_possibleidcats AS $v) { - if(rewriteIdcatIsUniqueToPath($v, $lang, $sf_rw_pieces)) { - $idcat = $v; - break; - } - } - //echo $idcat; - //print_r($sf_rw_possibleidcats);exit; - } - - } - } + $db->query($sql); + //if ($db->num_rows() == 1) { + // $db->next_record(); + // $idcat = $db->f('idcat'); + //} else + if ($db->num_rows() > 0) { + $sf_rw_possibleidcats = array(); + while ($db->next_record()) { + array_push($sf_rw_possibleidcats, $db->f('idcat') ); + } + + foreach ($sf_rw_possibleidcats AS $v) { + if(rewriteIdcatIsUniqueToPath($v, $lang, $sf_rw_pieces)) { + $idcat = $v; + break; + } + } + //echo $idcat; + //print_r($sf_rw_possibleidcats);exit; + } + + } + } } else { - //var for manipulate session later - $_sf_rewrite_session = false; + //var for manipulate session later + $_sf_rewrite_session = false; } // no page found if (! $idcat && ! $idcatside && $_REQUEST['sf_rewrite'] && $cfg_client['url_rewrite'] == '2') { - //echo "! $idcat && ! $idcatside";exit; - // print_r($cfg_client); - //echo 'Location: '. $cfg_client['htmlpath'].'/error404.php'; - $url = ''; - //echo "XX".$cfg_client['url_rewrite_404'] . $idcatside; - if ($cfg_client['url_rewrite_404'] != '0' && $cfg_client['url_rewrite_404'] != (string) $idcatside) { - $url = str_replace(array('{%http_host}', '{%request_uri}'), array($_SERVER['SERVER_NAME'], base64_encode($_SERVER['REQUEST_URI'])), $cfg_client['url_rewrite_404']); - if ((int) $url > 0) { - //$querylang = ((int) $_REQUEST['lang'] > 0) ? 'lang='.$_REQUEST['lang'].'&': ''; - //$url = $cfg_client['htmlpath']. $cfg_client['contentfile'] . '?'. $querylang .'idcatside=' . $url; - $idcatside = $url; - $cfg_client['send_header_404'] = true; - } else { - //redirect - sf_header_redirect($url); - } - } else { - header("HTTP/1.1 404 Not Found"); - exit; - } + //echo "! $idcat && ! $idcatside";exit; + // print_r($cfg_client); + //echo 'Location: '. $cfg_client['htmlpath'].'/error404.php'; + $url = ''; + //echo "XX".$cfg_client['url_rewrite_404'] . $idcatside; + if ($cfg_client['url_rewrite_404'] != '0' && $cfg_client['url_rewrite_404'] != (string) $idcatside) { + $url = str_replace(array('{%http_host}', '{%request_uri}'), array($_SERVER['SERVER_NAME'], base64_encode($_SERVER['REQUEST_URI'])), $cfg_client['url_rewrite_404']); + if ((int) $url > 0) { + //$querylang = ((int) $_REQUEST['lang'] > 0) ? 'lang='.$_REQUEST['lang'].'&': ''; + //$url = $cfg_client['htmlpath']. $cfg_client['contentfile'] . '?'. $querylang .'idcatside=' . $url; + $idcatside = $url; + $cfg_client['send_header_404'] = true; + } else { + //redirect + sf_header_redirect($url); + } + } else { + header("HTTP/1.1 404 Not Found"); + exit; + } } // END REWRITE if ($lang < 1) { - $lang = $startlang; + $lang = $startlang; } $lang_charset = $sf_lang_stack[$lang]['charset']; @@ -362,47 +361,47 @@ if (file_exists ($lang_dir.'lang_general.php')) { - require_once($lang_dir.'lang_general.php'); + require_once($lang_dir.'lang_general.php'); } else { - require_once($cms_path.'tpl/standard/lang/de/lang_general.php'); + require_once($cms_path.'tpl/standard/lang/de/lang_general.php'); } // idcatside suchen if ($idcatside < 1) { - if ($idcat > 0) { - $sql = 'SELECT idcatside '; - $sql .= 'FROM ' . $cms_db['cat_side'] . ' '; - $sql .= 'WHERE idcat = ' . $idcat; - $sql .= ' AND is_start = 1 '; - $sql .= 'LIMIT 0,1'; - } else { - $sql = 'SELECT idcatside '; - $sql .= 'FROM ' . $cms_db['cat_side'] . ' AS A LEFT JOIN '; - $sql .= $cms_db['cat'] . ' AS B USING(idcat) '; - $sql .= 'WHERE is_start = 1'; - $sql .= ' AND idclient = ' . $client . ' '; - $sql .= 'ORDER BY parent, B.sortindex LIMIT 0,1'; - } - $db->query($sql); - if ($db->next_record()) { - $idcatside = $db->f('idcatside'); - } else { - header("HTTP/1.1 404 Not Found"); - } + if ($idcat > 0) { + $sql = 'SELECT idcatside '; + $sql .= 'FROM ' . $cms_db['cat_side'] . ' '; + $sql .= 'WHERE idcat = ' . $idcat; + $sql .= ' AND is_start = 1 '; + $sql .= 'LIMIT 0,1'; + } else { + $sql = 'SELECT idcatside '; + $sql .= 'FROM ' . $cms_db['cat_side'] . ' AS A LEFT JOIN '; + $sql .= $cms_db['cat'] . ' AS B USING(idcat) '; + $sql .= 'WHERE is_start = 1'; + $sql .= ' AND idclient = ' . $client . ' '; + $sql .= 'ORDER BY parent, B.sortindex LIMIT 0,1'; + } + $db->query($sql); + if ($db->next_record()) { + $idcatside = $db->f('idcatside'); + } else { + header("HTTP/1.1 404 Not Found"); + } } $deb -> collect('File:' .__FILE__.' Line:' .__LINE__, 'mem'); // Backend, oder Frontend? if (isset($sefrengo) && (isset($view))){ - $is_backend = true; - $is_frontend = false; - if(isset($view)){ - include('cms/inc/backend.php'); - } + $is_backend = true; + $is_frontend = false; + if(isset($view)){ + include('cms/inc/backend.php'); + } } else { - $is_backend = false; - $is_frontend = true; - include ('cms/inc/frontend.php'); + $is_backend = false; + $is_frontend = true; + include ('cms/inc/frontend.php'); } $deb -> collect('File:' .__FILE__.' Line:' .__LINE__, 'mem'); @@ -412,19 +411,19 @@ // eventuelle autostarts ausführen: $a_location = ($is_frontend) ? 'frontend': 'backend'; if (is_array($cfg_cms['autostart'][$a_location])) { - foreach($cfg_cms['autostart'][$a_location] as $value) { - include_once $cfg_cms['cms_path'] .'plugins/'. $value; - } + foreach($cfg_cms['autostart'][$a_location] as $value) { + include_once $cfg_cms['cms_path'] .'plugins/'. $value; + } } if (is_array($cfg_client['autostart'][$a_location])) { - foreach($cfg_client['autostart'][$a_location] as $value) { - include_once $cfg_cms['cms_path'] .'plugins/'. $value; - } + foreach($cfg_client['autostart'][$a_location] as $value) { + include_once $cfg_cms['cms_path'] .'plugins/'. $value; + } } //handle charset - default is UTF-8 if ( $sf_lang_stack[$lang]['charset'] == 'iso-8859-1') { - $output = utf8_decode($output); + $output = utf8_decode($output); } //set Content-type header @@ -434,11 +433,11 @@ // Seite komprimieren und ausgeben if ($cfg_cms['gzip'] == '1') { - @ob_start('ob_gzhandler'); - eval($cfg_client['manipulate_output']); - @ob_end_flush(); + @ob_start('ob_gzhandler'); + eval($cfg_client['manipulate_output']); + @ob_end_flush(); } else { - eval($cfg_client['manipulate_output']); + eval($cfg_client['manipulate_output']); } $sf_factory->unloadAll(); From 2d88c3bb452de35e0b3a2d25d4e8109750caa5a2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rn=20Schnottale?= Date: Wed, 22 Nov 2017 17:40:10 +0100 Subject: [PATCH 02/16] * switched frontend session back to cookie --- backend/external/phplib/local.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/backend/external/phplib/local.php b/backend/external/phplib/local.php index 458b592..55b0390 100644 --- a/backend/external/phplib/local.php +++ b/backend/external/phplib/local.php @@ -594,8 +594,8 @@ class cms_Frontend_Session extends Session var $cookiename = 'sid'; // Name des Cookies var $name = 'sid'; var $magic = 'frontend_Session'; // beliebiger Name zur Verschl?sselung - var $mode = 'get'; // default Modus der Session-ID - var $fallback_mode = 'cookie'; // falls default Modus abgelehnt wird + var $mode = 'cookie'; // default Modus der Session-ID + var $fallback_mode = 'get'; // falls default Modus abgelehnt wird var $lifetime = '0'; // 0 = do session cookies, else minutes var $refresh = '0'; // 0 = no refresh, else minutes var $that_class = 'cms_CT_Sql'; // name of data storage container From d3ed75dafc9047274df4b144cebd04290309f398 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rn=20Schnottale?= Date: Thu, 30 Nov 2017 15:21:15 +0100 Subject: [PATCH 03/16] * fixed wrong mysqli links * fixed sql error in fnc.con -> con_create_site_meta_from_idcatside --- backend/inc/fnc.con.php | 8 ++++---- backend/inc/fnc.css.php | 2 +- backend/inc/fnc.general.php | 3 ++- backend/inc/fnc.group.php | 2 +- backend/inc/fnc.lang.php | 6 +++--- backend/main.php | 2 +- 6 files changed, 12 insertions(+), 11 deletions(-) diff --git a/backend/inc/fnc.con.php b/backend/inc/fnc.con.php index 798d497..c6200c8 100644 --- a/backend/inc/fnc.con.php +++ b/backend/inc/fnc.con.php @@ -730,7 +730,7 @@ function con_create_site_meta_from_idcatside($idclient, $idlang_current, $idcats //create idside $sql = "INSERT INTO ".$cms_db['side']." (idclient) VALUES ('$idclient')"; $db->query($sql); - $idside_to = mysqli_insert_id($this->db->Link_ID); + $idside_to = mysqli_insert_id($GLOBALS['db']->Link_ID); //create idcatside $sql = "INSERT INTO @@ -738,7 +738,7 @@ function con_create_site_meta_from_idcatside($idclient, $idlang_current, $idcats VALUES ('$idcat_to', '$idside_to', '0')"; $db->query($sql); - $idcatside_to = mysqli_insert_id($this->db->Link_ID); + $idcatside_to = mysqli_insert_id($GLOBALS['db']->Link_ID); //sortindex $db->query("SELECT MAX(sortindex) AS max FROM ".$cms_db['cat_side']." WHERE idcat='$idcat_to'"); @@ -836,7 +836,7 @@ function con_create_site_meta_from_idcatside($idclient, $idlang_current, $idcats meta_redirect, meta_redirect_url, author, created, lastmodified, user_protected, visited, edit_ttl, meta_author, meta_description, meta_robots, meta_redirect_time, - ,metasocial_title,metasocial_image,metasocial_description,metasocial_author + metasocial_title,metasocial_image,metasocial_description,metasocial_author, rewrite_use_automatic, rewrite_url, start, end) VALUES ('".$idside_to."', '$idlang', '0', '$title', '$meta_keywords', '$summary', '$online', '".$db3->f('meta_redirect')."', '$meta_redirect_url', '".$db3->f('author')."', @@ -921,7 +921,7 @@ function con_copy_tpl_from_idcatside($idclient, $idcatside_from, $idcatside_to) //echo $sql2 .'
'; $db2->query($sql2); - $current_idtplconf = mysqli_insert_id($this->db->Link_ID); + $current_idtplconf = mysqli_insert_id($GLOBALS['db']->Link_ID); $sql2 = "UPDATE ".$cms_db['side_lang']." diff --git a/backend/inc/fnc.css.php b/backend/inc/fnc.css.php index 27363a6..9471f3c 100644 --- a/backend/inc/fnc.css.php +++ b/backend/inc/fnc.css.php @@ -938,7 +938,7 @@ function insert_cssrelation( $idcss, $idcssfile ) { $sql = 'INSERT INTO ' . $cms_db['css_upl'] . ' (idcss, idupl) VALUES '; $sql .= '(' . $idcss . ', ' . $idcssfile . ')'; $db->query($sql); - return mysqli_insert_id($this->db->Link_ID); + return mysqli_insert_id($GLOBALS['db']->Link_ID); } // diff --git a/backend/inc/fnc.general.php b/backend/inc/fnc.general.php index deb0833..95a04cd 100644 --- a/backend/inc/fnc.general.php +++ b/backend/inc/fnc.general.php @@ -297,7 +297,7 @@ function set_magic_quotes_gpc(&$code) { $code = str_replace("'", "\'", $code); $code = str_replace('"', '\"', $code); } else { - $code = mysqli_real_escape_string($this->db->Link_ID, $code); + $code = mysqli_real_escape_string($GLOBALS['db']->Link_ID, $code); } } @@ -347,6 +347,7 @@ function make_array_to_urlstring($in) { ksort($in); $tmp[] = ''; + $out = ''; // $tmp[] = 0; $in = array_diff($in, $tmp); foreach($in as $key => $value) { diff --git a/backend/inc/fnc.group.php b/backend/inc/fnc.group.php index 4a1a9b7..13342e9 100644 --- a/backend/inc/fnc.group.php +++ b/backend/inc/fnc.group.php @@ -74,7 +74,7 @@ function group_save() { else { $sql = "INSERT INTO ". $cms_db['groups'] ." VALUES ('', '$name', '$description', '0', '1', '1')"; $db->query($sql); - $idgroup = mysqli_insert_id($this->db->Link_ID); + $idgroup = mysqli_insert_id($GLOBALS['db']->Link_ID); } } diff --git a/backend/inc/fnc.lang.php b/backend/inc/fnc.lang.php index b78b862..7d1ff5c 100644 --- a/backend/inc/fnc.lang.php +++ b/backend/inc/fnc.lang.php @@ -49,7 +49,7 @@ function lang_new_language($idclient, $name, $desc, $charset, $rewrite_key, $rew ('$name', '$desc', '".$auth->auth['uid']."', '".$charset."', '".$iso_3166_code."', '".$rewrite_key."', '".$rewrite_mapping."', '".$is_start."', '".time()."', '".time()."')"; $db->query($sql); - $lang = mysqli_insert_id($this->db->Link_ID); + $lang = mysqli_insert_id($GLOBALS['db']->Link_ID); // Eintrag in 'clients_lang' Tabelle $sql = "INSERT INTO @@ -152,7 +152,7 @@ function lang_new_language($idclient, $name, $desc, $charset, $rewrite_key, $rew //echo $sql2 .'
'; $db2->query($sql2); - $current_idtplconf = mysqli_insert_id($this->db->Link_ID); + $current_idtplconf = mysqli_insert_id($GLOBALS['db']->Link_ID); $sql2 = "UPDATE ".$cms_db['cat_lang']." @@ -203,7 +203,7 @@ function lang_new_language($idclient, $name, $desc, $charset, $rewrite_key, $rew //echo $sql2 .'
'; $db2->query($sql2); - $current_idtplconf = mysqli_insert_id($this->db->Link_ID); + $current_idtplconf = mysqli_insert_id($GLOBALS['db']->Link_ID); $sql2 = "UPDATE ".$cms_db['side_lang']." diff --git a/backend/main.php b/backend/main.php index aadfe44..1920870 100644 --- a/backend/main.php +++ b/backend/main.php @@ -208,7 +208,7 @@ if ( $cfg_rep['repository_init_plugins'] ) $rep->init_plugins(); // Area wählen -if(@!include("inc/inc.".preg_replace('/[^a-zA-Z0-9_-]/','',$area).".php")){ +if(!include("inc/inc.".preg_replace('/[^a-zA-Z0-9_-]/','',$area).".php")){ die("Stop. Maybe XSS?"); }; From a9453c5741a460d8b0a9ec60d41913dd42dc070f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rn=20Schnottale?= Date: Thu, 30 Nov 2017 17:50:51 +0100 Subject: [PATCH 04/16] * fixed wrong mysqli links --- backend/API/PAGE/class.SF_PAGE_Cat.php | 2 +- backend/inc/fnc.con.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/backend/API/PAGE/class.SF_PAGE_Cat.php b/backend/API/PAGE/class.SF_PAGE_Cat.php index 30374c4..4d23b73 100644 --- a/backend/API/PAGE/class.SF_PAGE_Cat.php +++ b/backend/API/PAGE/class.SF_PAGE_Cat.php @@ -533,7 +533,7 @@ function _copyTemplateConfig($idcat_from, $idcat_to) { //echo $sql2 .'
'; $db2->query($sql2); - $current_idtplconf = mysqli_insert_id($this->db->Link_ID); + $current_idtplconf = mysqli_insert_id($db2->Link_ID); $sql2 = "UPDATE ".$cms_db['cat_lang']." diff --git a/backend/inc/fnc.con.php b/backend/inc/fnc.con.php index c6200c8..bb69c50 100644 --- a/backend/inc/fnc.con.php +++ b/backend/inc/fnc.con.php @@ -921,7 +921,7 @@ function con_copy_tpl_from_idcatside($idclient, $idcatside_from, $idcatside_to) //echo $sql2 .'
'; $db2->query($sql2); - $current_idtplconf = mysqli_insert_id($GLOBALS['db']->Link_ID); + $current_idtplconf = mysqli_insert_id($db2->Link_ID); $sql2 = "UPDATE ".$cms_db['side_lang']." From 7b25070d134112619a93ff94c5ff3a2d8221ecb7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rn=20Schnottale?= Date: Fri, 8 Dec 2017 18:12:12 +0100 Subject: [PATCH 05/16] * php7 adaptions --- .../GUI/class.SF_GUI_ContentStylerPlain.php | 26 +++++++++---------- backend/external/pear.php.net/Mail/RFC822.php | 2 +- .../external/pear.php.net/Pager/Sliding.php | 2 +- backend/inc/class.fileaccess.php | 8 +++--- backend/inc/class.filemanager.php | 4 +-- backend/inc/class.repository.php | 4 +-- backend/inc/class.user_perms.php | 2 +- backend/inc/class.values_ct_edit.php | 2 +- backend/inc/fnc.mipforms_core.php | 3 +++ backend/inc/inc.mod_config.php | 1 + 10 files changed, 29 insertions(+), 25 deletions(-) diff --git a/backend/API/GUI/class.SF_GUI_ContentStylerPlain.php b/backend/API/GUI/class.SF_GUI_ContentStylerPlain.php index fbb64bd..05c688b 100644 --- a/backend/API/GUI/class.SF_GUI_ContentStylerPlain.php +++ b/backend/API/GUI/class.SF_GUI_ContentStylerPlain.php @@ -146,7 +146,7 @@ function _getDynamicValString($type_config) * @Return String Content * @Access public */ - function getText($mod_content, $type_config = "") { + function getText($mod_content, $type_config = []) { return $mod_content; } @@ -162,7 +162,7 @@ function getText($mod_content, $type_config = "") { * @Return String Content * @Access public */ - function getTextarea($mod_content, $type_config = "") { + function getTextarea($mod_content, $type_config = []) { return $mod_content; } @@ -178,7 +178,7 @@ function getTextarea($mod_content, $type_config = "") { * @Return String Content * @Access public */ - function getWysiwyg2($mod_content, $type_config = "") + function getWysiwyg2($mod_content, $type_config = []) { return $mod_content; } @@ -195,7 +195,7 @@ function getWysiwyg2($mod_content, $type_config = "") * @Return String Content * @Access public */ - function getWysiwyg($mod_content, $type_config = "") + function getWysiwyg($mod_content, $type_config = []) { return $mod_content; } @@ -212,7 +212,7 @@ function getWysiwyg($mod_content, $type_config = "") * @Return String Content * @Access public */ - function getImage($mod_content, $mod_descr, $type_config = "") { + function getImage($mod_content, $mod_descr, $type_config = []) { return $mod_content; } @@ -228,7 +228,7 @@ function getImage($mod_content, $mod_descr, $type_config = "") { * @Return String Content * @Access public */ - function getLink($link_url, $link_desc, $link_target, $type_config = "") + function getLink($link_url, $link_desc, $link_target, $type_config = []) { return $mod_content; } @@ -245,7 +245,7 @@ function getLink($link_url, $link_desc, $link_target, $type_config = "") * @Return String Content * @Access public */ - function getFile($file_id, $file_desc, $file_target, $type_config = "") + function getFile($file_id, $file_desc, $file_target, $type_config = []) { return $mod_content; } @@ -262,7 +262,7 @@ function getFile($file_id, $file_desc, $file_target, $type_config = "") * @Return String Content * @Access public */ - function getSourcecode($mod_content, $type_config = "") + function getSourcecode($mod_content, $type_config = []) { return $mod_content; } @@ -279,7 +279,7 @@ function getSourcecode($mod_content, $type_config = "") * @Return String Content * @Access public */ - function getSelect($mod_content, $type_config = "") { + function getSelect($mod_content, $type_config = []) { return $mod_content; } @@ -295,7 +295,7 @@ function getSelect($mod_content, $type_config = "") { * @Return String Content * @Access public */ - function getHidden($mod_content, $type_config = "") + function getHidden($mod_content, $type_config = []) { return $mod_content; } @@ -312,7 +312,7 @@ function getHidden($mod_content, $type_config = "") * @Return String Content * @Access public */ - function getCheckbox($mod_content, $type_config = "") { + function getCheckbox($mod_content, $type_config = []) { return $mod_content; } @@ -328,7 +328,7 @@ function getCheckbox($mod_content, $type_config = "") { * @Return String Content * @Access public */ - function getRadio($mod_content, $type_config = "") { + function getRadio($mod_content, $type_config = []) { return $mod_content; } @@ -344,7 +344,7 @@ function getRadio($mod_content, $type_config = "") { * @Return String Content * @Access public */ - function getDate($mod_content, $type_config = "") { + function getDate($mod_content, $type_config = []) { return $mod_content; } diff --git a/backend/external/pear.php.net/Mail/RFC822.php b/backend/external/pear.php.net/Mail/RFC822.php index 46c935f..8074326 100644 --- a/backend/external/pear.php.net/Mail/RFC822.php +++ b/backend/external/pear.php.net/Mail/RFC822.php @@ -411,7 +411,7 @@ function _hasUnclosedBracketsSub($string, &$num, $char) * Function to begin checking the address. * * @access private - * @param string $address The address to validate. + * @param array $address The address to validate. * @return mixed False on failure, or a structured array of address information on success. */ function _validateAddress($address) diff --git a/backend/external/pear.php.net/Pager/Sliding.php b/backend/external/pear.php.net/Pager/Sliding.php index 014fe9d..73ee9a4 100644 --- a/backend/external/pear.php.net/Pager/Sliding.php +++ b/backend/external/pear.php.net/Pager/Sliding.php @@ -178,7 +178,7 @@ function getPageRangeByPageId($pageid = null) * @return array back/pages/next/first/last/all links * @access public */ - function getLinks($pageID = null) + function getLinks($pageID=null, $next_html='') { if ($pageID != null) { $_sav = $this->_currentPage; diff --git a/backend/inc/class.fileaccess.php b/backend/inc/class.fileaccess.php index 27c9a97..814374b 100644 --- a/backend/inc/class.fileaccess.php +++ b/backend/inc/class.fileaccess.php @@ -229,7 +229,7 @@ function get_directory_name($iddirectory) { // -> else: only $directory is used as ID // function get_directory($directory, $idclient = '', $type = 1 ) { - if (empty($directory)) return ''; // missing directory information + if (empty($directory)) return []; // missing directory information if ($this->use_cache && $this->tmp_directorydata[$directory]) return $this->tmp_directorydata[$directory]; // set variables $tmp_dir = array( 'dirname', 'iddirectory', 'str', 'num'); @@ -254,7 +254,7 @@ function get_directory($directory, $idclient = '', $type = 1 ) { // save data in cache $tmp = $this->db->select_record($table, $parameter, $type); if ($this->use_cache && $tmp) $this->tmp_directorydata[(int)$tmp['iddirectory']] = $tmp; - return ((!empty($tmp)) ? $tmp: ''); + return ((!empty($tmp)) ? $tmp: []); } // @@ -356,7 +356,7 @@ function get_parent_directories($iddirectory, $idclient) { // -> else: only $file is used as ID // function get_file($file, $idclient = '', $iddirectory = '', $type = 1) { - if (empty($file)) return ''; // missing fileid + if (empty($file)) return array(); // missing fileid if ($this->use_cache && $this->tmp_filedata[$file]) return $this->tmp_filedata[$file]; // get data for a single file $tmp_file = array( 'filename', 'idupl', 'str', 'num'); @@ -386,7 +386,7 @@ function get_file($file, $idclient = '', $iddirectory = '', $type = 1) { // save data in cache $tmp = $this->db->select_record($table, $parameter, $type); if ($this->use_cache && $tmp) $this->tmp_filedata[$tmp['idupl']] = $tmp; - return ((!empty($tmp)) ? $tmp: ''); + return ((!empty($tmp)) ? $tmp: array()); } // diff --git a/backend/inc/class.filemanager.php b/backend/inc/class.filemanager.php index 2219ef2..2009a8b 100644 --- a/backend/inc/class.filemanager.php +++ b/backend/inc/class.filemanager.php @@ -389,7 +389,7 @@ function scan_directory( $iddirectory, $nosubdirscan ) { $newdirs2scan = array(); $this->edit_dirs = array(); $content_found = false; - $currentdir = ''; + $currentdir = []; $scandir = ''; // get scan directory @@ -1109,7 +1109,7 @@ function scan_files( $iddirectory, $updatethumbs = 0 ) { // scan files in directory $found_files_id = array(); $this->edit_files = array(); - $currentdir = ''; + $currentdir = []; $scandir = ''; // get scan dir diff --git a/backend/inc/class.repository.php b/backend/inc/class.repository.php index abdaecc..dc83e30 100644 --- a/backend/inc/class.repository.php +++ b/backend/inc/class.repository.php @@ -1086,7 +1086,7 @@ function gen_new_plug($name, $force = false) { * { Description } * */ - var $_rep_var = ''; + var $_rep_var = []; /** * repository::$_cms_var * @@ -1100,7 +1100,7 @@ function gen_new_plug($name, $force = false) { * { Description } * */ - var $_lang_var = ''; + var $_lang_var = []; /** * repository::$_service * diff --git a/backend/inc/class.user_perms.php b/backend/inc/class.user_perms.php index e983c67..28846d7 100644 --- a/backend/inc/class.user_perms.php +++ b/backend/inc/class.user_perms.php @@ -1793,7 +1793,7 @@ function _get_mask($permission) { * Rechtewerte. * * @param string $type Anzuzeigender Rechtetyp - * @param string $rights Array mit Gruppennamen, Gruppenids und Gruppenrechte + * @param array $rights Array mit Gruppennamen, Gruppenids und Gruppenrechte * @param string $countRights Referenz zur Aufnahme der Anzahl der ausgelesenen Rechte * @param string $prefix Prefix für Formularvariablen, damit mehrere Formulare auf einer Seite dargestellt werden können * diff --git a/backend/inc/class.values_ct_edit.php b/backend/inc/class.values_ct_edit.php index 62a0e55..dee43d6 100644 --- a/backend/inc/class.values_ct_edit.php +++ b/backend/inc/class.values_ct_edit.php @@ -54,7 +54,7 @@ class values_ct_edit extends values_ct * KONSTRUKTOR - Konfiguration * */ - function __construct($mixed = '') + function __construct($mixed = []) { global $cms_lang, $vid; diff --git a/backend/inc/fnc.mipforms_core.php b/backend/inc/fnc.mipforms_core.php index 4497a44..788592a 100644 --- a/backend/inc/fnc.mipforms_core.php +++ b/backend/inc/fnc.mipforms_core.php @@ -172,6 +172,9 @@ function mip_forms_abstrakt($in, $input) $spaces .= sprintf($mip_forms_tab['tab'], ' '); } + $mip_forms_tab['left_width'] = empty($mip_forms_tab['left_width']) ? 0 : $mip_forms_tab['left_width']; + $in['tab'] = empty($in['tab']) ? 0 : $in['tab']; + $left_width = $mip_forms_tab['left_width'] - ($in['tab'] * 20); $cont_left = sprintf($mip_forms_tab['left'], $left_width, $in['desc']); $cont_left = $spaces .$cont_left; diff --git a/backend/inc/inc.mod_config.php b/backend/inc/inc.mod_config.php index b0a3be3..8740d37 100644 --- a/backend/inc/inc.mod_config.php +++ b/backend/inc/inc.mod_config.php @@ -80,6 +80,7 @@ mip_forms_ob_start(); eval(' ?>' . $default); $default_arr = mip_forms_get_array(); +//$cms_mod = empty($cms_mod) ? : $cms_mod; $default_arr = array_merge ($cms_mod, $default_arr); mip_forms_ob_end(); $trans_html = get_html_translation_table(HTML_ENTITIES); From 3cfedcb81fe7876068e280a02753e5022a2d35c3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rn=20Schnottale?= Date: Fri, 15 Dec 2017 11:00:33 +0100 Subject: [PATCH 06/16] * switched backend session to cookie because of problems with diverse plugins --- backend/external/phplib/local.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/backend/external/phplib/local.php b/backend/external/phplib/local.php index 55b0390..b732a93 100644 --- a/backend/external/phplib/local.php +++ b/backend/external/phplib/local.php @@ -569,8 +569,8 @@ class cms_Backend_Session extends Session var $cookiename = 'sefrengo'; // Name des Cookies var $name = 'cms'; var $magic = 'backend_Session'; // beliebiger Name zur Verschl?sselung - var $mode = 'get'; // default Modus der Session-ID - var $fallback_mode = 'cookie'; // falls default Modus abgelehnt wird + var $mode = 'cookie'; // default Modus der Session-ID + var $fallback_mode = 'get'; // falls default Modus abgelehnt wird var $lifetime = '0'; // 0 = do session cookies, else minutes var $refresh = '0'; // 0 = no refresh, else minutes var $that_class = 'cms_CT_Sql'; // name of data storage container From aae6c4e2c5c0221283afd2222c1ea7a810e24fb9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rn=20Schnottale?= Date: Fri, 5 Jan 2018 17:38:58 +0100 Subject: [PATCH 07/16] * fixed mod_test function for php7 --- backend/inc/class.repository.php | 27 ++++++++++++--------------- 1 file changed, 12 insertions(+), 15 deletions(-) diff --git a/backend/inc/class.repository.php b/backend/inc/class.repository.php index dc83e30..4ed34fb 100644 --- a/backend/inc/class.repository.php +++ b/backend/inc/class.repository.php @@ -941,30 +941,27 @@ function mod_test ($code, $id) { @ini_set("error_prepend_string", ""); @ini_set("error_append_string", ""); // Debug Me! print_r($code); + // Run the code in a Box - ob_start(); - eval(' ?>' . $code); - $output = ob_get_contents(); - // Later Parse! call_user_func("function mod_test_" . $id,''); - ob_end_clean(); + ob_start(); + try { + eval( ' ?>' . $code ); + } catch(ParseError $e) { + $error_line = $e->getLine(); + } + ob_end_clean(); + // Ini Restore @ini_restore("error_prepend_string"); @ini_restore("error_append_string"); - // Strip - $start = strpos($output, ""); - $end = strpos($output, ""); - if ($start !== false) { - $start = strpos($output, "eval()"); - $error = substr($output, $start, $end - $start); - preg_match ('/(\d+)<\/b>/i', $error, $match); - $error_line = (int) $match['1'] - 1; - } - if ($mod_test_var != $id) { + + if (!empty($error_line)) { return $error_line; } else { return false; } } + /** * repository::gen_new_mod() * From c02cc5b9069be9547c50da795d94b2db371967d7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rn=20Schnottale?= Date: Sun, 7 Jan 2018 11:32:12 +0100 Subject: [PATCH 08/16] * fixed escaping bug in session --- backend/external/phplib/session.inc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/backend/external/phplib/session.inc b/backend/external/phplib/session.inc index 3c2b0ed..4b912e6 100644 --- a/backend/external/phplib/session.inc +++ b/backend/external/phplib/session.inc @@ -329,7 +329,7 @@ class Session { $str .= "\$$var = array(); "; while ( "array" == $l ) { // Structural recursion - $this->serialize( $var . "['" . preg_replace( "#([\\'])#", "\\\\1", $k ) . "']", $str ); + $this->serialize( $var . "['" . preg_replace( "#([\\'])#", "\\\\$1", $k ) . "']", $str ); eval( "\$l = gettype(list(\$k)=each(\$$var));" ); } @@ -348,7 +348,7 @@ class Session { default: // $$var is an atom. Extract it to $l, then generate code. eval( "\$l = \$$var;" ); - $str .= "\$$var = '" . preg_replace( "#([\\'])#", "\\\\1", $l ) . "'; "; + $str .= "\$$var = '" . preg_replace( "#([\\'])#", "\\\\$1", $l ) . "'; "; break; } } From fb234e6acebb17b1f51bd0040b2980bb8919cc79 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rn=20Schnottale?= Date: Sun, 7 Jan 2018 11:33:59 +0100 Subject: [PATCH 09/16] * added CMSPHP:CACHE to mod_test --- backend/inc/class.repository.php | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/backend/inc/class.repository.php b/backend/inc/class.repository.php index 4ed34fb..93c490b 100644 --- a/backend/inc/class.repository.php +++ b/backend/inc/class.repository.php @@ -924,11 +924,13 @@ function mod_test ($code, $id) { // add constant __cmsMODTEST $code .= ''; // replaces - $code = str_replace('', '', $code); - $code = str_replace('', '', $code); + $code = str_replace('', '', '?>', $code); + $code = str_replace('', '', '?>', $code); //todo: 2remove - $code = str_replace('', '', $code); - $code = str_replace('', '', $code); + $code = str_replace('', '', '?>', $code); // replaces $code = str_replace('MOD_VALUE', '$MOD_VALUE', $code); $code = str_replace('MOD_VAR', '$MOD_VAR', $code); From d10d2d371e36d68266c17cd729645e1acf13a3aa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rn=20Schnottale?= Date: Sun, 7 Jan 2018 21:32:55 +0100 Subject: [PATCH 10/16] * base64 encode modules in session to prevent problems with complex quoting escapes. --- backend/inc/inc.mod.php | 10 ++++++---- backend/inc/inc.mod_config.php | 1 - backend/inc/inc.mod_edit.php | 6 ++++++ backend/main.php | 2 +- 4 files changed, 13 insertions(+), 6 deletions(-) diff --git a/backend/inc/inc.mod.php b/backend/inc/inc.mod.php index ceaaac2..aece765 100644 --- a/backend/inc/inc.mod.php +++ b/backend/inc/inc.mod.php @@ -72,14 +72,15 @@ $install_sql, $uninstall_sql, $update_sql, $mod_rebuild_sql, $source, $mod_no_wedding, false, $mod_config_takeover)) ) { if (empty($modname) || $modname == '') $modname = $cms_lang['mod_defaultname']; if (empty($modversion) || $modversion == '') $modversion = '1.0'; - $s_modul = array( + // base64_encode before writing to the session. There are problems with correct quote escape in complex statements + $s_modul = base64_encode(serialize(array( 'name' => $modname2, 'verbose' => $modverbose2, 'description' => $description2, 'version' => $modversion2, 'cat' => $modcat2, 'input' => $input2, - 'output' => $output2); + 'output' => $output2))); $sess->register('s_modul'); // merke:erst ein value kann gespeichert werden ;) $sess->freeze(); header ('Location:' . $sess->urlRaw("main.php?area=mod_edit&idmod=" . $idmod . "&idclient=" . $idclient . "&errno=" . $errno)); @@ -87,14 +88,15 @@ } else if(isset($_REQUEST['sf_apply'])) { if (empty($modname) || $modname == '') $modname = $cms_lang['mod_defaultname']; if (empty($modversion) || $modversion == '') $modversion = '1.0'; - $s_modul = array( + // base64_encode before writing to the session. There are problems with correct quote escape in complex statements + $s_modul = base64_encode(serialize(array( 'name' => $modname2, 'verbose' => $modverbose2, 'description' => $description2, 'version' => $modversion2, 'cat' => $modcat2, 'input' => $input2, - 'output' => $output2); + 'output' => $output2))); $sess->register('s_modul'); // merke:erst ein value kann gespeichert werden ;) $sess->freeze(); header ('Location:' . $sess->urlRaw("main.php?area=mod_edit&idmod=" . $idmod . "&idclient=" . $idclient )); diff --git a/backend/inc/inc.mod_config.php b/backend/inc/inc.mod_config.php index 8740d37..b0a3be3 100644 --- a/backend/inc/inc.mod_config.php +++ b/backend/inc/inc.mod_config.php @@ -80,7 +80,6 @@ mip_forms_ob_start(); eval(' ?>' . $default); $default_arr = mip_forms_get_array(); -//$cms_mod = empty($cms_mod) ? : $cms_mod; $default_arr = array_merge ($cms_mod, $default_arr); mip_forms_ob_end(); $trans_html = get_html_translation_table(HTML_ENTITIES); diff --git a/backend/inc/inc.mod_edit.php b/backend/inc/inc.mod_edit.php index f8c5f17..2dd493e 100644 --- a/backend/inc/inc.mod_edit.php +++ b/backend/inc/inc.mod_edit.php @@ -57,6 +57,12 @@ if (is_numeric($idmod)) { $modul = $rep->mod_data($idmod, $idclient); } + +// s_modul is base64 encoded because of problems with quote escaping in the session. Decode it here. +if (!empty($s_modul)) { + $s_modul = unserialize(base64_decode($s_modul)); +} + if (is_array($s_modul)) { $modul = ( is_array($modul) ) ? array_merge($modul, $s_modul) : $s_modul; if ($sess->is_registered('s_modul')) $sess->unregister('s_modul'); diff --git a/backend/main.php b/backend/main.php index 1920870..aadfe44 100644 --- a/backend/main.php +++ b/backend/main.php @@ -208,7 +208,7 @@ if ( $cfg_rep['repository_init_plugins'] ) $rep->init_plugins(); // Area wählen -if(!include("inc/inc.".preg_replace('/[^a-zA-Z0-9_-]/','',$area).".php")){ +if(@!include("inc/inc.".preg_replace('/[^a-zA-Z0-9_-]/','',$area).".php")){ die("Stop. Maybe XSS?"); }; From 7a15504aac1f28ad99026c533c506adf7c915a29 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rn=20Schnottale?= Date: Sun, 7 Jan 2018 22:04:38 +0100 Subject: [PATCH 11/16] * test module code in anonymous function. Prevents function already exist error. --- backend/inc/class.repository.php | 19 +++++-------------- 1 file changed, 5 insertions(+), 14 deletions(-) diff --git a/backend/inc/class.repository.php b/backend/inc/class.repository.php index 93c490b..8c523ec 100644 --- a/backend/inc/class.repository.php +++ b/backend/inc/class.repository.php @@ -918,7 +918,7 @@ function mod_test ($code, $id) { $idcatside = 1; // include the Mipforms include_once('inc/fnc.mipforms.php'); - $mod_test_var = 0; + // spezial for 'Druckmodul' $list['id'][] = 1; // add constant __cmsMODTEST @@ -936,29 +936,20 @@ function mod_test ($code, $id) { $code = str_replace('MOD_VAR', '$MOD_VAR', $code); $code = preg_replace ('/(<(cms|dedi):[\/\!]*?[^<>]*?>)/si', '""', $code); // Init the Box - $code = "function mod_test_" . $id . " () {" . $code; - $code .= "\n}\n"; - $code .= '$mod_test_var = $id;'; - // Ini Set - @ini_set("error_prepend_string", ""); - @ini_set("error_append_string", ""); - // Debug Me! print_r($code); + $code = "\$_testFunction = function () { ?>" . $code . "\n' . $code ); + eval( $code ); } catch(ParseError $e) { $error_line = $e->getLine(); } + unset($_testFunction); ob_end_clean(); - // Ini Restore - @ini_restore("error_prepend_string"); - @ini_restore("error_append_string"); - if (!empty($error_line)) { - return $error_line; + return $error_line - 2; } else { return false; } From 8c6bf852d27296304842c727a2d4580843fc6475 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rn=20Schnottale?= Date: Thu, 8 Feb 2018 11:12:33 +0100 Subject: [PATCH 12/16] * changed modul config fron text to medium text because text is to small for some configurations. --- setup/index.php | 3 ++- setup/sql/updates_from.01.06.06.sql | 5 +++++ 2 files changed, 7 insertions(+), 1 deletion(-) create mode 100644 setup/sql/updates_from.01.06.06.sql diff --git a/setup/index.php b/setup/index.php index ed90c1d..af0be5e 100644 --- a/setup/index.php +++ b/setup/index.php @@ -135,7 +135,8 @@ class setup { 'updates_from.01.06.02.sql', 'updates_from.01.06.03.sql', 'updates_from.01.06.04.sql', - 'updates_from.01.06.05.sql' + 'updates_from.01.06.05.sql', + 'updates_from.01.06.06.sql' ); /** diff --git a/setup/sql/updates_from.01.06.06.sql b/setup/sql/updates_from.01.06.06.sql new file mode 100644 index 0000000..70f6780 --- /dev/null +++ b/setup/sql/updates_from.01.06.06.sql @@ -0,0 +1,5 @@ +# xx.03.2015 set new versionnumber - Sefrengo 1.6.5 +UPDATE cms_values SET value = '01.06.05' WHERE group_name = 'cfg' AND key1 = 'version'; + +ALTER TABLE `cms_container_conf` CHANGE `config` `config` MEDIUMTEXT CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL; +ALTER TABLE `cms_mod` CHANGE `config` `config` MEDIUMTEXT CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL; From 088a23e7f5f6d864f35f33167adf592677a4a871 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rn=20Schnottale?= Date: Thu, 8 Feb 2018 11:38:17 +0100 Subject: [PATCH 13/16] * changed modul config fron text to medium text because text is to small for some configurations. --- setup/sql/updates_from.01.06.06.sql | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/setup/sql/updates_from.01.06.06.sql b/setup/sql/updates_from.01.06.06.sql index 70f6780..c9c319c 100644 --- a/setup/sql/updates_from.01.06.06.sql +++ b/setup/sql/updates_from.01.06.06.sql @@ -1,5 +1,5 @@ -# xx.03.2015 set new versionnumber - Sefrengo 1.6.5 -UPDATE cms_values SET value = '01.06.05' WHERE group_name = 'cfg' AND key1 = 'version'; +# xx.03.2015 set new versionnumber - Sefrengo 1.6.6 +UPDATE cms_values SET value = '01.06.06' WHERE group_name = 'cfg' AND key1 = 'version'; ALTER TABLE `cms_container_conf` CHANGE `config` `config` MEDIUMTEXT CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL; ALTER TABLE `cms_mod` CHANGE `config` `config` MEDIUMTEXT CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL; From ecec2676aa30a5dd89c361b5a8a7a29e0617d91a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rn=20Schnottale?= Date: Mon, 2 Apr 2018 11:22:12 +0200 Subject: [PATCH 14/16] * BUGFIX: No SQL Encoding of metasocial fields ins insert statements --- backend/inc/fnc.con.php | 2 +- backend/inc/fnc.lang.php | 4 ++-- changelog.md | 29 ++++++++++++++++++++++++++++- setup/sql/updates_from.01.06.07.sql | 3 +++ 4 files changed, 34 insertions(+), 4 deletions(-) create mode 100644 setup/sql/updates_from.01.06.07.sql diff --git a/backend/inc/fnc.con.php b/backend/inc/fnc.con.php index bb69c50..038201f 100644 --- a/backend/inc/fnc.con.php +++ b/backend/inc/fnc.con.php @@ -842,7 +842,7 @@ function con_create_site_meta_from_idcatside($idclient, $idlang_current, $idcats '".$db3->f('meta_redirect')."', '$meta_redirect_url', '".$db3->f('author')."', '".time()."', '".time()."', '".$db3->f('user_protected')."', '".$db3->f('visited')."', '".$db3->f('edit_ttl')."', '$meta_author', '$meta_description', '$meta_robots', '".$db3->f('meta_redirect_time')."', - '".$db->f('metasocial_title')."', '".$db->f('metasocial_image')."', '".$db->f('metasocial_description')."', '".$db->f('metasocial_author')."', + '".$metasocial_title."', '".$metasocial_image."', '".$metasocial_description."', '".$metasocial_author."', '1', '$rewrite_url', ".time().", ".time().")"; $db2->query($sql2); } diff --git a/backend/inc/fnc.lang.php b/backend/inc/fnc.lang.php index 7d1ff5c..7143910 100644 --- a/backend/inc/fnc.lang.php +++ b/backend/inc/fnc.lang.php @@ -119,8 +119,8 @@ function lang_new_language($idclient, $name, $desc, $charset, $rewrite_key, $rew ('".$db->f('idside')."', '$lang', '0', '$title', '$meta_keywords', '$summary', '$online', '".$db->f('meta_redirect')."', '$meta_redirect_url', '".$db->f('author')."', '".time()."', '".time()."', '".$db->f('user_protected')."', '".$db->f('visited')."', '".$db->f('edit_ttl')."', '$meta_author', - '$meta_description', '$meta_robots', '".$db->f('meta_redirect_time')."' - , '".$db->f('metasocial_title')."', '".$db->f('metasocial_image')."', '".$db->f('metasocial_description')."', '".$db->f('metasocial_author')."')"; + '$meta_description', '$meta_robots', '".make_string_dump($db->f('meta_redirect_time'))."' + , '".make_string_dump($db->f('metasocial_title'))."', '".make_string_dump($db->f('metasocial_image'))."', '".make_string_dump($db->f('metasocial_description'))."', '".make_string_dump($db->f('metasocial_author'))."')"; // change JB $db2->query($sql2); } diff --git a/changelog.md b/changelog.md index 65c1c9f..df03c2f 100644 --- a/changelog.md +++ b/changelog.md @@ -1,5 +1,32 @@ Changelog - ================================================================================================ +================================================================================================ + +Sefrengo v1.6.7 +------------------------------------------------------------------------------------------------ +Internal versionnumber: 01.06.07
+Release: xx.xx.xxxx + +Commits are contributed by left4web +* FIXED: No sql escaping of metasocial fields in in fnc.con.php and fnc.lang.php + + +Sefrengo v1.6.6 +------------------------------------------------------------------------------------------------ +Internal versionnumber: 01.06.06
+Release: xx.xx.xxxx + +Commits are contributed by left4web +* FIXED: Bugfixing for PHP7 Compatiblity +* CHANGE: set config in cms_container and cms_mod to mediumtext + + +Sefrengo v1.6.5 +------------------------------------------------------------------------------------------------ +Internal versionnumber: 01.06.05
+Release: xx.xx.xxxx + +Commits are contributed by left4web +* ADDED: Compatibility to PHP7 Sefrengo v1.6.4 ------------------------------------------------------------------------------------------------ diff --git a/setup/sql/updates_from.01.06.07.sql b/setup/sql/updates_from.01.06.07.sql new file mode 100644 index 0000000..23eb34a --- /dev/null +++ b/setup/sql/updates_from.01.06.07.sql @@ -0,0 +1,3 @@ +# xx.03.2018 set new versionnumber - Sefrengo 1.6.7 +UPDATE cms_values SET value = '01.06.07' WHERE group_name = 'cfg' AND key1 = 'version'; + From 0437154dbf89b0e9189fcd0dde75171737765cca Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rn=20Schnottale?= Date: Mon, 2 Apr 2018 11:30:56 +0200 Subject: [PATCH 15/16] * BUGFIX: No SQL Encoding of metasocial fields ins insert statements --- setup/index.php | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/setup/index.php b/setup/index.php index af0be5e..e56e19f 100644 --- a/setup/index.php +++ b/setup/index.php @@ -136,7 +136,8 @@ class setup { 'updates_from.01.06.03.sql', 'updates_from.01.06.04.sql', 'updates_from.01.06.05.sql', - 'updates_from.01.06.06.sql' + 'updates_from.01.06.06.sql', + 'updates_from.01.06.07.sql' ); /** @@ -147,7 +148,7 @@ function __construct() $this -> catch_globals(); $this -> version['prior'] = '01'; $this -> version['minor'] = '06'; - $this -> version['fix'] = '06'; + $this -> version['fix'] = '07'; $this -> version_text = $this -> version['prior']; $this -> version_text .= '.'; $this -> version_text .= $this -> version['minor']; From 1678095b41d515a18e452bf5951f930fbab86449 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rn=20Schnottale?= Date: Wed, 18 Apr 2018 08:40:44 +0200 Subject: [PATCH 16/16] * CHANGE: Disabled function mod_test in class.repository.php because it produces more problems than it solved * CHANGE: Removed Session fallback in local.php. Prevents showing session ids in Search engines. --- backend/external/phplib/local.php | 2 +- backend/inc/class.repository.php | 3 +++ changelog.md | 13 ++++++++++++- setup/index.php | 5 +++-- setup/sql/updates_from.01.06.08.sql | 3 +++ 5 files changed, 22 insertions(+), 4 deletions(-) create mode 100644 setup/sql/updates_from.01.06.08.sql diff --git a/backend/external/phplib/local.php b/backend/external/phplib/local.php index b732a93..2e995fd 100644 --- a/backend/external/phplib/local.php +++ b/backend/external/phplib/local.php @@ -595,7 +595,7 @@ class cms_Frontend_Session extends Session var $name = 'sid'; var $magic = 'frontend_Session'; // beliebiger Name zur Verschl?sselung var $mode = 'cookie'; // default Modus der Session-ID - var $fallback_mode = 'get'; // falls default Modus abgelehnt wird + var $fallback_mode = ''; // falls default Modus abgelehnt wird var $lifetime = '0'; // 0 = do session cookies, else minutes var $refresh = '0'; // 0 = no refresh, else minutes var $that_class = 'cms_CT_Sql'; // name of data storage container diff --git a/backend/inc/class.repository.php b/backend/inc/class.repository.php index 8c523ec..04067ea 100644 --- a/backend/inc/class.repository.php +++ b/backend/inc/class.repository.php @@ -909,6 +909,9 @@ function run_php($code) { * */ function mod_test ($code, $id) { + // js@left4web.de - disabled mod_test because it produces more trouble than it helps + return false; + global $db, $auth, $cms_db, $cfg_cms, $rep, $mod, $perm, $client, $lang, $con_tree, $con_side; static $_id; $_strict = explode(',',($_dis = @ini_get('disable_functions'))); diff --git a/changelog.md b/changelog.md index df03c2f..d2b37cc 100644 --- a/changelog.md +++ b/changelog.md @@ -1,6 +1,17 @@ Changelog ================================================================================================ +Sefrengo v1.6.8 +------------------------------------------------------------------------------------------------ +Internal versionnumber: 01.06.08
+Release: xx.xx.xxxx + +Commits are contributed by left4web +* CHANGE: Disabled function mod_test in class.repository.php because it produces more problems + than it solved +* CHANGE: Removed Session fallback in local.php. Prevents showing session ids in Search engines. + + Sefrengo v1.6.7 ------------------------------------------------------------------------------------------------ Internal versionnumber: 01.06.07
@@ -25,7 +36,7 @@ Sefrengo v1.6.5 Internal versionnumber: 01.06.05
Release: xx.xx.xxxx -Commits are contributed by left4web +Commits are contributed by left4web * ADDED: Compatibility to PHP7 Sefrengo v1.6.4 diff --git a/setup/index.php b/setup/index.php index e56e19f..c737b54 100644 --- a/setup/index.php +++ b/setup/index.php @@ -137,7 +137,8 @@ class setup { 'updates_from.01.06.04.sql', 'updates_from.01.06.05.sql', 'updates_from.01.06.06.sql', - 'updates_from.01.06.07.sql' + 'updates_from.01.06.07.sql', + 'updates_from.01.06.08.sql' ); /** @@ -148,7 +149,7 @@ function __construct() $this -> catch_globals(); $this -> version['prior'] = '01'; $this -> version['minor'] = '06'; - $this -> version['fix'] = '07'; + $this -> version['fix'] = '08'; $this -> version_text = $this -> version['prior']; $this -> version_text .= '.'; $this -> version_text .= $this -> version['minor']; diff --git a/setup/sql/updates_from.01.06.08.sql b/setup/sql/updates_from.01.06.08.sql new file mode 100644 index 0000000..fc2f722 --- /dev/null +++ b/setup/sql/updates_from.01.06.08.sql @@ -0,0 +1,3 @@ +# xx.03.2018 set new versionnumber - Sefrengo 1.6.7 +UPDATE cms_values SET value = '01.06.08' WHERE group_name = 'cfg' AND key1 = 'version'; +