Secure file paths (second part)
This commit is contained in:
parent
bad9918b98
commit
7f4b1fa9cc
@ -122,7 +122,7 @@ function check_files()
|
||||
fclose($fp);
|
||||
|
||||
foreach ($knownFiles as $file => $sum) {
|
||||
$relativeName = dirname(__FILE__) . "/../$file";
|
||||
$relativeName = dirname(dirname(__FILE__)) . "/$file";
|
||||
if (!is_readable($relativeName)) {
|
||||
if (file_exists($relativeName)) {
|
||||
$errors[] = getlocal2("install.cannot_read", array("$mibewroot/$file"));
|
||||
|
@ -78,7 +78,7 @@ Class PluginManager {
|
||||
// Add include path
|
||||
$include_path = get_include_path();
|
||||
$include_path .= empty($include_path) ? '' : PATH_SEPARATOR ;
|
||||
set_include_path($include_path . realpath(dirname(__FILE__) . "/../../plugins/"));
|
||||
set_include_path($include_path . realpath(dirname(dirname(dirname(__FILE__))) . "/plugins/"));
|
||||
|
||||
// Load plugins
|
||||
$loading_queue = array();
|
||||
|
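Review bot: The value returned by `realpath()` for the new plugins path is appended to the include path without being checked, so if it is `false` (for instance under an `open_basedir` restriction) the call silently installs an include path that lacks the plugins directory, and the plugin loading that starts a few lines below will fail with include errors that do not point at the real cause. Keep the result and only extend the include path when it is a string: `$plugins_dir = realpath(dirname(dirname(dirname(__FILE__))) . "/plugins/");` followed by `if ($plugins_dir !== false) { set_include_path($include_path . $plugins_dir); }`. The enclosing `PluginManager` method starts outside the hunk.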
@ -36,7 +36,7 @@ function read_config_file($file) {
|
||||
*/
|
||||
function get_core_style_config() {
|
||||
// Get root dir of mibew messanger
|
||||
$base_path = realpath(dirname(__FILE__) . '/../../');
|
||||
$base_path = realpath(dirname(dirname(dirname(__FILE__))));
|
||||
|
||||
// Load config
|
||||
$config = read_config_file($base_path.'/view/config.ini');
|
||||
@ -74,7 +74,7 @@ function get_core_style_config() {
|
||||
*/
|
||||
function get_dialogs_style_config($style) {
|
||||
// Get root dir of mibew messanger
|
||||
$base_path = realpath(dirname(__FILE__) . '/../../');
|
||||
$base_path = realpath(dirname(dirname(dirname(__FILE__))));
|
||||
|
||||
// Load config
|
||||
$config = read_config_file($base_path.'/styles/dialogs/'.$style.'/config.ini');
|
||||
|
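Review bot: `get_dialogs_style_config()` still concatenates `$style` into the config path (`'/styles/dialogs/'.$style.'/config.ini'`) with no check inside the function, so the absolute base path only helps as long as every caller has already validated the style name. The callers visible in this commit do pass it through `verifyparam()` with `/^\w*$/`, but a function that turns its argument into a filesystem path should enforce that itself, e.g. `if (!preg_match("/^\w+$/", $style)) { die("Invalid style name"); }` before the `read_config_file()` call, so a future caller cannot reintroduce `..` traversal. Both function bodies continue past the hunk.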
@ -46,7 +46,7 @@ function myiconv($in_enc, $out_enc, $string)
|
||||
|
||||
function locale_exists($locale)
|
||||
{
|
||||
return file_exists(dirname(__FILE__) . "/../../locales/$locale/properties");
|
||||
return file_exists(dirname(dirname(dirname(__FILE__)))."/locales/$locale/properties");
|
||||
}
|
||||
|
||||
function locale_pattern_check($locale)
|
||||
@ -58,7 +58,7 @@ function locale_pattern_check($locale)
|
||||
function get_available_locales()
|
||||
{
|
||||
$list = array();
|
||||
$folder = dirname(__FILE__) . "/../../locales";
|
||||
$folder = dirname(dirname(dirname(__FILE__))).'/locales';
|
||||
if ($handle = opendir($folder)) {
|
||||
while (false !== ($file = readdir($handle))) {
|
||||
if (locale_pattern_check($file) && is_dir("$folder/$file")) {
|
||||
@ -144,7 +144,7 @@ function load_messages($locale) {
|
||||
global $messages, $output_encoding;
|
||||
|
||||
// Load core localization
|
||||
$locale_file = dirname(__FILE__) . "/../../locales/{$locale}/properties";
|
||||
$locale_file = dirname(dirname(dirname(__FILE__))) . "/locales/{$locale}/properties";
|
||||
$locale_data = read_locale_file($locale_file);
|
||||
|
||||
if (! is_null($locale_data['output_encoding'])) {
|
||||
@ -157,8 +157,8 @@ function load_messages($locale) {
|
||||
$plugins_list = array_keys(PluginManager::getAllPlugins());
|
||||
|
||||
foreach($plugins_list as $plugin_name) {
|
||||
$locale_file = dirname(__FILE__) .
|
||||
"/../../plugins/{$plugin_name}/locales/{$locale}/properties";
|
||||
$locale_file = dirname(dirname(dirname(__FILE__))) .
|
||||
"/plugins/{$plugin_name}/locales/{$locale}/properties";
|
||||
if (is_readable($locale_file)) {
|
||||
$locale_data = read_locale_file($locale_file);
|
||||
// array_merge used to provide an ability for plugins to override
|
||||
|
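Review bot: `locale_exists()` and `load_messages()` still build the properties path directly from `$locale`, and in the lines shown neither calls `locale_pattern_check()`, which is defined in this same file immediately below `locale_exists()`. Making the existence check reject malformed names keeps `..` segments out of `file_exists()` regardless of the caller: `return locale_pattern_check($locale) && file_exists(dirname(dirname(dirname(__FILE__)))."/locales/$locale/properties");`. The same guard belongs at the top of `load_messages()` before `$locale_file` is assigned; that function's body extends beyond the hunk, so it may already be covered there.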
@ -55,7 +55,7 @@ if (!$op) {
|
||||
} elseif (!in_array($ext, $valid_types)) {
|
||||
$errors[] = failed_uploading_file($orig_filename, "errors.invalid.file.type");
|
||||
} else {
|
||||
$avatar_local_dir = "../images/avatar/";
|
||||
$avatar_local_dir = dirname(dirname(__FILE__)).'/images/avatar/';
|
||||
$full_file_path = $avatar_local_dir . $new_file_name;
|
||||
if (file_exists($full_file_path)) {
|
||||
unlink($full_file_path);
|
||||
|
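Review bot: `$full_file_path` is still `$avatar_local_dir . $new_file_name` and is handed to `unlink()` before the upload is stored, so whatever determines `$new_file_name` (assigned outside the hunk) determines which file under the install directory gets deleted. If that name is derived from anything the client sends, restricting it to a bare filename is the cheap guard: `$full_file_path = $avatar_local_dir . basename($new_file_name);`. The `in_array($ext, $valid_types)` test in the context line above also compares loosely; passing `true` as the third argument keeps it to exact string matches. The surrounding `if`/`elseif` chain begins outside the hunk.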
@ -24,7 +24,7 @@ require_once(dirname(dirname(__FILE__)).'/libs/styles.php');
|
||||
$operator = check_login();
|
||||
force_password($operator);
|
||||
|
||||
$imageLocales = get_image_locales_map("../locales");
|
||||
$imageLocales = get_image_locales_map(dirname(dirname(__FILE__)).'/locales');
|
||||
$image = verifyparam(isset($_GET['image']) ? "image" : "i", "/^\w+$/", "mibew");
|
||||
if (!isset($imageLocales[$image])) {
|
||||
$errors[] = "Unknown image: $image";
|
||||
@ -33,14 +33,14 @@ if (!isset($imageLocales[$image])) {
|
||||
}
|
||||
$image_locales = $imageLocales[$image];
|
||||
|
||||
$stylelist = get_style_list("../styles/dialogs");
|
||||
$stylelist = get_style_list(dirname(dirname(__FILE__)).'/styles/dialogs');
|
||||
$stylelist[""] = getlocal("page.preview.style_default");
|
||||
$style = verifyparam("style", "/^\w*$/", "");
|
||||
if ($style && !in_array($style, $stylelist)) {
|
||||
$style = "";
|
||||
}
|
||||
|
||||
$invitationstylelist = get_style_list("../styles/invitations");
|
||||
$invitationstylelist = get_style_list(dirname(dirname(__FILE__)).'/styles/invitations');
|
||||
$invitationstylelist[""] = getlocal("page.preview.style_default");
|
||||
$invitationstyle = verifyparam("invitationstyle", "/^\w*$/", "");
|
||||
if ($invitationstyle && !in_array($invitationstyle, $invitationstylelist)) {
|
||||
@ -59,7 +59,7 @@ $lang = verifyparam("lang", "/^[\w-]{2,5}$/", "");
|
||||
if (!$lang || !in_array($lang, $image_locales))
|
||||
$lang = in_array($current_locale, $image_locales) ? $current_locale : $image_locales[0];
|
||||
|
||||
$file = "../locales/${lang}/button/${image}_on.gif";
|
||||
$file = dirname(dirname(__FILE__)).'/locales/${lang}/button/${image}_on.gif';
|
||||
$size = get_gifimage_size($file);
|
||||
|
||||
$imagehref = get_app_location($showhost, $forcesecure) . "/b.php?i=$image&lang=$lang";
|
||||
|
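Review bot: The new `$file` assignment in the last hunk switched to single quotes, so `${lang}` and `${image}` are no longer interpolated and `get_gifimage_size()` receives the literal path `.../locales/${lang}/button/${image}_on.gif`, which cannot exist; the removed double-quoted line did interpolate them. Use double quotes for that segment, preferably in the brace form this commit already uses elsewhere: `$file = dirname(dirname(__FILE__))."/locales/{$lang}/button/{$image}_on.gif";`. The values are only safe in a path because `$lang` is checked against `$image_locales` and `$image` against `$imageLocales` earlier in the file, so keep those checks ahead of this line.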
@ -25,7 +25,7 @@ require_once(dirname(dirname(__FILE__)).'/libs/styles.php');
|
||||
|
||||
$operator = check_login();
|
||||
|
||||
$stylelist = get_style_list("../styles/invitations");
|
||||
$stylelist = get_style_list(dirname(dirname(__FILE__)).'/styles/invitations');
|
||||
|
||||
$preview = verifyparam("preview", "/^\w+$/", "default");
|
||||
if (!in_array($preview, $stylelist)) {
|
||||
|
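Review bot: `in_array($preview, $stylelist)` on the context line below the changed path still uses loose comparison, so the membership test that gates which style directory is read later does not require an exact string match; with numeric-looking style names, a value such as `1.0` would pass as `1`. Pass the strict flag: `if (!in_array($preview, $stylelist, true)) {`. The same applies to the identical check in the dialogs preview page and to the `$style`, `$invitationstyle` and `$lang` checks in the button page earlier in this commit.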
@ -28,7 +28,7 @@ csrfchecktoken();
|
||||
$page = array('agentId' => '');
|
||||
$errors = array();
|
||||
|
||||
$stylelist = get_style_list("../styles/dialogs");
|
||||
$stylelist = get_style_list(dirname(dirname(__FILE__)).'/styles/dialogs');
|
||||
|
||||
$options = array(
|
||||
'email', 'title', 'logo', 'hosturl', 'usernamepattern',
|
||||
@ -37,7 +37,7 @@ $options = array(
|
||||
|
||||
if (Settings::get('enabletracking')) {
|
||||
$options[] = 'invitationstyle';
|
||||
$invitationstylelist = get_style_list("../styles/invitations");
|
||||
$invitationstylelist = get_style_list(dirname(dirname(__FILE__)).'/styles/invitations');
|
||||
}
|
||||
|
||||
$params = array();
|
||||
|
@ -26,7 +26,7 @@ require_once(dirname(dirname(__FILE__)).'/libs/styles.php');
|
||||
|
||||
$operator = check_login();
|
||||
|
||||
$stylelist = get_style_list("../styles/dialogs");
|
||||
$stylelist = get_style_list(dirname(dirname(__FILE__)).'/styles/dialogs');
|
||||
|
||||
$preview = verifyparam("preview", "/^\w+$/", "default");
|
||||
if (!in_array($preview, $stylelist)) {
|
||||
|
@ -38,7 +38,7 @@ function compare_localization_by_id($a, $b)
|
||||
function load_idlist($name)
|
||||
{
|
||||
$result = array();
|
||||
$fp = @fopen(dirname(__FILE__) . "/../locales/names/$name", "r");
|
||||
$fp = @fopen(dirname(dirname(__FILE__))."/locales/names/$name", "r");
|
||||
if ($fp !== FALSE) {
|
||||
while (!feof($fp)) {
|
||||
$line = trim(fgets($fp, 4096));
|
||||
@ -57,7 +57,7 @@ function save_message($locale, $key, $value)
|
||||
$result = "";
|
||||
$added = false;
|
||||
$current_encoding = $mibew_encoding;
|
||||
$fp = fopen(dirname(__FILE__) . "/../locales/$locale/properties", "r");
|
||||
$fp = fopen(dirname(dirname(__FILE__))."/locales/$locale/properties", "r");
|
||||
while (!feof($fp)) {
|
||||
$line = fgets($fp, 4096);
|
||||
$keyval = preg_split("/=/", $line, 2);
|
||||
@ -75,14 +75,14 @@ function save_message($locale, $key, $value)
|
||||
if (!$added) {
|
||||
$result .= "$key=" . myiconv($mibew_encoding, $current_encoding, str_replace("\r", "", str_replace("\n", "\\n", trim($value)))) . "\n";
|
||||
}
|
||||
$fp = @fopen(dirname(__FILE__) . "/../locales/$locale/properties", "w");
|
||||
$fp = @fopen(dirname(dirname(__FILE__))."/locales/$locale/properties", "w");
|
||||
if ($fp !== FALSE) {
|
||||
fwrite($fp, $result);
|
||||
fclose($fp);
|
||||
} else {
|
||||
die("cannot write /locales/$locale/properties, please check file permissions on your server");
|
||||
}
|
||||
$fp = @fopen(dirname(__FILE__) . "/../locales/$locale/properties.log", "a");
|
||||
$fp = @fopen(dirname(dirname(__FILE__))."/locales/$locale/properties.log", "a");
|
||||
if ($fp !== FALSE) {
|
||||
$extAddr = $_SERVER['REMOTE_ADDR'];
|
||||
if (isset($_SERVER['HTTP_X_FORWARDED_FOR']) &&
|
||||
|
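Review bot: In `save_message()` the read-side `fopen()` of `/locales/$locale/properties` is the only one of the three opens in this function without a `!== FALSE` check; if the file is missing or unreadable, `$fp` is `false` and the following `while (!feof($fp))` loop runs on an invalid handle instead of failing cleanly. Mirror the write path: `if ($fp === false) { die("cannot read /locales/$locale/properties, please check file permissions on your server"); }` directly after that `fopen()`. `load_idlist($name)` and `save_message($locale, ...)` also interpolate their arguments into the path without a shape check; if they can be reached with request-derived values, rejecting names that fail `/^\w+$/` (or `locale_pattern_check()` for the locale, if it is available here) before the `fopen()` closes that off. The log writer reads `HTTP_X_FORWARDED_FOR`, a client-supplied header; what is written with it lies outside the hunk, but if it is appended verbatim, stripping line breaks first avoids forged log lines. Both function bodies extend beyond the hunks.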