Merge branch 'hotfix/issue#16'

Dieser Commit ist enthalten in:
o.pinke 2021-05-06 12:59:54 +02:00
Commit 5175025b58
1 geänderte Dateien mit 106 neuen und 129 gelöschten Zeilen

Datei anzeigen

@ -1,4 +1,5 @@
<?php
/**
* Project:
* Contenido Content Management System
@ -28,54 +29,52 @@
* }}
*
*/
if(!defined('CON_FRAMEWORK')) {
die('Illegal call');
if (!defined('CON_FRAMEWORK')) {
die('Illegal call');
}
cInclude ("includes", "functions.tpl.php");
cInclude ("includes", "functions.con.php");
cInclude("includes", "functions.tpl.php");
cInclude("includes", "functions.con.php");
function modEditModule($idmod, $name, $description, $input, $output, $template, $type = "") {
global $db, $client, $cfgClient, $auth, $cfg, $sess, $area_tree, $perm, $frame;
$date = date("Y-m-d H:i:s");
$date = date("Y-m-d H:i:s");
$author = $auth->auth["uname"];
/**
* START TRACK VERSION
**/
$oVersion = new VersionModule($idmod, $cfg, $cfgClient, $db, $client, $area, $frame);
// Create new Module Version in cms/version/module/
$oVersion->createNewVersion();
* START TRACK VERSION
* */
$oVersion = new VersionModule($idmod, $cfg, $cfgClient, $db, $client, $area, $frame);
/**
* END TRACK VERSION
**/
if (!$idmod) {
$cApiModuleCollection = new cApiModuleCollection;
$cApiModule = $cApiModuleCollection->create($name);
// Create new Module Version in cms/version/module/
$oVersion->createNewVersion();
$idmod = $cApiModule->get("idmod");
cInclude ("includes", "functions.rights.php");
/**
* END TRACK VERSION
* */
if (!$idmod) {
$cApiModuleCollection = new cApiModuleCollection;
$cApiModule = $cApiModuleCollection->create($name);
$idmod = $cApiModule->get("idmod");
cInclude("includes", "functions.rights.php");
createRightsForElement("mod", $idmod);
} else {
$cApiModule = new cApiModule;
$cApiModule->loadByPrimaryKey($idmod);
}
} else {
$cApiModule = new cApiModule;
$cApiModule->loadByPrimaryKey($idmod);
}
/* dceModFileEdit (c)2009-2011 www.dceonline.de */
if ($cfg['dceModEdit']['use']
|| $cApiModule->get("name") != stripslashes($name)
|| $cApiModule->get("output") != stripslashes($output)
|| $cApiModule->get("template") != stripslashes($template)
|| $cApiModule->get("description") != stripslashes($description)
|| $cApiModule->get("input") != stripslashes($input)
|| $cApiModule->get("type") != stripslashes($type)) {
|| $cApiModule->get("output") != stripslashes($output)
|| $cApiModule->get("template") != stripslashes($template)
|| $cApiModule->get("description") != stripslashes($description)
|| $cApiModule->get("input") != stripslashes($input)
|| $cApiModule->get("type") != stripslashes($type)) {
$cApiModule->set("name", $name);
$cApiModule->set("output", $cApiModule->escape($output));
$cApiModule->set("template", $template);
@ -83,24 +82,22 @@ function modEditModule($idmod, $name, $description, $input, $output, $template,
$cApiModule->set("input", $cApiModule->escape($input));
$cApiModule->set("type", $type);
$cApiModule->set("lastmodified", $date);
$cApiModule->store();
}
}
return $idmod;
}
function modDeleteModule($idmod)
{
function modDeleteModule($idmod) {
# Global vars
global $db, $sess, $client, $cfg, $area_tree, $perm;
$sql = "DELETE FROM ".$cfg["tab"]["mod"]." WHERE idmod = '".Contenido_Security::toInteger($idmod)."' AND idclient = '".Contenido_Security::toInteger($client)."'";
$sql = "DELETE FROM " . $cfg["tab"]["mod"] . " WHERE idmod = '" . Contenido_Security::toInteger($idmod) . "' AND idclient = '" . Contenido_Security::toInteger($client) . "'";
$db->query($sql);
// delete rights for element
cInclude ("includes", "functions.rights.php");
deleteRightsForElement("mod", $idmod);
cInclude("includes", "functions.rights.php");
deleteRightsForElement("mod", $idmod);
}
// $code: Code to evaluate
@ -108,107 +105,87 @@ function modDeleteModule($idmod)
// $mode: true if start in php mode, otherwise false
// Returns true or false
function modTestModule ($code, $id, $output = false)
{
global $cfg, $modErrorMessage;
function modTestModule($code, $id, $output = false) {
global $cfg, $modErrorMessage;
$magicvalue = 0;
$db = new DB_ConLite();
$db = new DB_ConLite;
/* Put a $ in front of all CMS variables
to prevent PHP error messages */
$sql = "SELECT type FROM ".$cfg["tab"]["type"];
$sql = "SELECT type FROM " . $cfg["tab"]["type"];
$db->query($sql);
while ($db->next_record())
{
$code = str_replace($db->f("type").'[','$'.$db->f("type").'[', $code);
while ($db->next_record()) {
$code = str_replace($db->f("type") . '[', '$' . $db->f("type") . '[', $code);
}
$code = preg_replace(',\[(\d+)?CMS_VALUE\[(\d+)\](\d+)?\],i', '[\1\2\3]', $code);
$code = str_replace('CMS_VALUE','$CMS_VALUE', $code);
$code = str_replace('CMS_VAR','$CMS_VAR', $code);
$code = str_replace('CMS_VALUE', '$CMS_VALUE', $code);
$code = str_replace('CMS_VAR', '$CMS_VAR', $code);
/* If the module is an output module, escape PHP since
all output modules enter php mode */
if ($output == true)
{
$code = "?>\n" . $code . "\n<?php";
if ($output == true) {
$code = "?>\n" . $code . "\n<?php";
}
/* Looks ugly: Paste a function declarator
in front of the code */
$code = "function foo".$id." () {" . $code;
$code = "function foo" . $id . " () {" . $code;
$code .= "\n}\n";
if (defined('PHP_MAJOR_VERSION') && PHP_MAJOR_VERSION >= 5) {
try {
eval($code);
} catch (ParseError $err) {
$modErrorMessage = $err->getMessage() . " (line: " . ($err->getLine() - 1) . ")";
return false;
}
/* Set the magic value */
$code .= '$magicvalue = 941;';
/* To parse the error message, we prepend and
append a phperror tag in front of the output */
$sErs = ini_get("error_prepend_string"); // Save current setting (see below)
$sEas = ini_get("error_append_string"); // Save current setting (see below)
@ini_set("error_prepend_string","<phperror>");
@ini_set("error_append_string","</phperror>");
/* Turn off output buffering and error reporting, eval the code */
ob_start();
$display_errors = ini_get("display_errors");
@ini_set("display_errors", true);
$output = eval($code);
@ini_set("display_errors", $display_errors);
/* Get the buffer contents and turn it on again */
$output = ob_get_contents();
ob_end_clean();
/* Remove the prepend and append settings */
/* 19.09.2006: Following lines have been disabled, as ini_restore has been disabled
by some hosters as there is a security leak in PHP (PHP <= 5.1.6 & <= 4.4.4) */
//ini_restore("error_prepend_string");
//ini_restore("error_append_string");
@ini_set("error_prepend_string", $sErs); // Restoring settings (see above)
@ini_set("error_append_string", $sEas); // Restoring settings (see above)
/* Strip out the error message */
$start = strpos($output, "<phperror>");
$end = strpos($output, "</phperror>");
/* More stripping: Users shouldnt see where the file
is located, but they should see the error line */
if ($start !== false)
{
$start = strpos($output, "eval()");
$modErrorMessage = substr($output, $start, $end - $start);
/* Kill that HTML formatting */
$modErrorMessage = str_replace("<b>","",$modErrorMessage);
$modErrorMessage = str_replace("</b>","",$modErrorMessage);
$modErrorMessage = str_replace("<br>","",$modErrorMessage);
$modErrorMessage = str_replace("<br />","",$modErrorMessage);
}
/* check if there are any php short tags in code, and display error*/
$bHasShortTags = false;
if (preg_match('/<\?\s+/', $code) && $magicvalue == 941) {
$bHasShortTags = true;
$modErrorMessage = i18n('Please do not use short open Tags. (Use <?php instead of <?).');
}
/* Now, check if the magic value is 941. If not, the function
didn't compile */
if ($magicvalue != 941 || $bHasShortTags)
{
return false;
return true;
} else {
return true;
// To parse the error message, we prepend and append a phperror tag in front of the output
$sErs = ini_get("error_prepend_string"); // Save current setting (see below)
$sEas = ini_get("error_append_string"); // Save current setting (see below)
@ini_set("error_prepend_string", "<phperror>");
@ini_set("error_append_string", "</phperror>");
// Turn off output buffering and error reporting, eval the code
ob_start();
$display_errors = ini_get("display_errors");
@ini_set("display_errors", true);
$output = eval($code);
@ini_set("display_errors", $display_errors);
// Get the buffer contents and turn it on again
$output = ob_get_contents();
ob_end_clean();
@ini_set("error_prepend_string", $sErs); // Restoring settings (see above)
@ini_set("error_append_string", $sEas); // Restoring settings (see above)
// Strip out the error message
$start = strpos($output, "<phperror>");
$end = strpos($output, "</phperror>");
// More stripping: Users shouldnt see where the file is located, but they should see the error line
if ($start !== false) {
$start = strpos($output, "eval()");
$modErrorMessage = substr($output, $start, $end - $start);
// Kill that HTML formatting
$modErrorMessage = str_replace("<b>", "", $modErrorMessage);
$modErrorMessage = str_replace("</b>", "", $modErrorMessage);
$modErrorMessage = str_replace("<br>", "", $modErrorMessage);
$modErrorMessage = str_replace("<br />", "", $modErrorMessage);
}
// check if there are any php short tags in code, and display error
$bHasShortTags = false;
if (preg_match('/<\?\s+/', $code) && $magicvalue == 941) {
$bHasShortTags = true;
$modErrorMessage = i18n('Please do not use short open Tags. (Use <?php instead of <?).');
}
if ($bHasShortTags) {
return false;
} else {
return true;
}
}
}
?>