# HG changeset patch # User Dan # Date 1193244305 14400 # Node ID 861807631f70218bf8f1cfef0553a0d9cee518d6 # Parent 8e2fffc5c622b5665ed59e8d20d874daf3005577# Parent 996572e55dc94fecf0b46fd196bbb97b12d0f277 Merging in fixes from stable diff -r 996572e55dc9 -r 861807631f70 ajax.php --- a/ajax.php Wed Oct 24 09:34:19 2007 -0400 +++ b/ajax.php Wed Oct 24 12:45:05 2007 -0400 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.1 + * Version 1.0.2 (Coblynau) * Copyright (C) 2006-2007 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License @@ -116,7 +116,7 @@ } else { - echo 'Error saving the page: '.$e; + echo '

Error saving the page: '.$e.'

'; } break; case "protect": diff -r 996572e55dc9 -r 861807631f70 cron.php --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/cron.php Wed Oct 24 12:45:05 2007 -0400 @@ -0,0 +1,54 @@ + $tasks ) +{ + $last_run_threshold = time() - ( $interval * 3600 ); + if ( $last_run_threshold >= $last_run ) + { + foreach ( $tasks as $task ) + { + @call_user_func($task); + } + } +} + +header('Pragma: no-cache'); +header('Cache-control: no-cache'); +header('Expires: Thu, 1 Jan 1970 00:00:01 GMT'); +header('Content-type: image/gif'); + +echo ENANO_GIF_SPACER; + +?> diff -r 996572e55dc9 -r 861807631f70 includes/clientside/sbedit.js --- a/includes/clientside/sbedit.js Wed Oct 24 09:34:19 2007 -0400 +++ b/includes/clientside/sbedit.js Wed Oct 24 12:45:05 2007 -0400 @@ -123,3 +123,71 @@ }); } +function ajaxRenameSidebarStage1(parent, id) +{ + var oldname = parent.firstChild.nodeValue; + parent.removeChild(parent.firstChild); + parent.ondblclick = function() {}; + parent._idcache = id; + var input = document.createElement('input'); + input.type = 'text'; + input.sbedit_id = id; + input.oldvalue = oldname; + input.onkeyup = function(e) + { + if ( typeof(e) != 'object' ) + return false; + if ( !e.keyCode ) + return false; + if ( e.keyCode == 13 ) + { + ajaxRenameSidebarStage2(this); + } + if ( e.keyCode == 27 ) + { + ajaxRenameSidebarCancel(this); + } + }; + input.onblur = function() + { + ajaxRenameSidebarCancel(this); + }; + input.value = oldname; + input.style.fontSize = '7pt'; + parent.appendChild(input); + input.focus(); +} + +function ajaxRenameSidebarStage2(input) +{ + var newname = input.value; + var id = input.sbedit_id; + var parent = input.parentNode; + parent.removeChild(input); + parent.appendChild(document.createTextNode(( newname == '' ? '' : newname ))); + parent.ondblclick = function() { ajaxRenameSidebarStage1(this, this._idcache); return false; }; + var img = document.createElement('img'); + img.src = scriptPath + '/images/loading.gif'; + parent.appendChild(img); + newname = ajaxEscape(newname); + ajaxPost(makeUrlNS('Special', 'EditSidebar', 'ajax&noheaders&action=rename&id='+id), 'newname=' +newname, function() + { + if ( ajax.readyState == 4 ) + { + parent.removeChild(img); + if ( ajax.responseText != 'GOOD' ) + new messagebox(MB_OK|MB_ICONSTOP, 'Error renaming block', ajax.responseText); + } + }); +} + +function ajaxRenameSidebarCancel(input) +{ + var newname = input.oldvalue; + var id = input.sbedit_id; + var parent = input.parentNode; + parent.removeChild(input); + parent.appendChild(document.createTextNode(newname)); + parent.ondblclick = function() { ajaxRenameSidebarStage1(this, this._idcache); return false; }; +} + diff -r 996572e55dc9 -r 861807631f70 includes/clientside/static/enano-lib-basic.js --- a/includes/clientside/static/enano-lib-basic.js Wed Oct 24 09:34:19 2007 -0400 +++ b/includes/clientside/static/enano-lib-basic.js Wed Oct 24 12:45:05 2007 -0400 @@ -112,6 +112,7 @@ var startwidth = false; var startheight = false; var do_width = false; +var ajax_load_icon = scriptPath + '/images/loading.gif'; // You have an NSIS coder in your midst... var MB_OK = 1; diff -r 996572e55dc9 -r 861807631f70 includes/clientside/static/loader.js --- a/includes/clientside/static/loader.js Wed Oct 24 09:34:19 2007 -0400 +++ b/includes/clientside/static/loader.js Wed Oct 24 12:45:05 2007 -0400 @@ -1,27 +1,8 @@ // Some final stuff - loader routines, etc. -var __tmpEnanoStartup9843275; - -function enanoStartup(e) { - if ( !e ) - { - // Delay initting sliders until images are loaded - if ( typeof(window.onload) == 'function' ) - __tmpEnanoStartup9843275 = window.onload; - else - __tmpEnanoStartup9843275 = function(){}; - window.onload = function(e){__tmpEnanoStartup9843275(e);initSliders();}; - } - else - { - initSliders(); - } -} - function mdgInnerLoader(e) { jws.startup(); - enanoStartup(e); if(window.location.hash == '#comments') ajaxComments(); window.onkeydown=isKeyPressed; window.onkeyup=function(e) { isKeyPressed(e); }; @@ -34,6 +15,7 @@ { dbx_set_key(); } + initSliders(); runOnloadHooks(e); } if(window.onload) var ld = window.onload; diff -r 996572e55dc9 -r 861807631f70 includes/clientside/static/misc.js --- a/includes/clientside/static/misc.js Wed Oct 24 09:34:19 2007 -0400 +++ b/includes/clientside/static/misc.js Wed Oct 24 12:45:05 2007 -0400 @@ -196,7 +196,7 @@ { if ( document.getElementById('ajaxloadicon') ) { - document.getElementById('ajaxloadicon').src=scriptPath + '/images/loading.gif'; + document.getElementById('ajaxloadicon').src=ajax_load_icon; } } @@ -302,51 +302,6 @@ var ajax_auth_mb_cache = false; var ajax_auth_level_cache = false; var ajax_auth_error_string = false; -var ajax_auth_show_captcha = false; - -function ajaxAuthErrorToString($data) -{ - var $errstring = $data.error; - // this was literally copied straight from the PHP code. - switch($data.error) - { - case 'key_not_found': - $errstring = 'Enano couldn\'t look up the encryption key used to encrypt your password. This most often happens if a cache rotation occurred during your login attempt, or if you refreshed the login page.'; - break; - case 'key_wrong_length': - $errstring = 'The encryption key was the wrong length.'; - break; - case 'too_big_for_britches': - $errstring = 'You are trying to authenticate at a level that your user account does not permit.'; - break; - case 'invalid_credentials': - $errstring = 'You have entered an invalid username or password. Please enter your login details again.'; - if ( $data.lockout_policy == 'lockout' ) - { - $errstring += ' You have used up '+$data['lockout_fails']+' out of '+$data['lockout_threshold']+' login attempts. After you have used up all '+$data['lockout_threshold']+' login attempts, you will be locked out from logging in for '+$data['lockout_duration']+' minutes.'; - } - else if ( $data.lockout_policy == 'captcha' ) - { - $errstring += ' You have used up '+$data['lockout_fails']+' out of '+$data['lockout_threshold']+' login attempts. After you have used up all '+$data['lockout_threshold']+' login attempts, you will have to enter a visual confirmation code before logging in, effective for '+$data['lockout_duration']+' minutes.'; - } - break; - case 'backend_fail': - $errstring = 'You entered the right credentials and everything was validated, but for some reason Enano couldn\'t register your session. This is an internal problem with the site and you are encouraged to contact site administration.'; - break; - case 'locked_out': - $attempts = parseInt($data['lockout_fails']); - if ( $attempts > $data['lockout_threshold']) - $attempts = $data['lockout_threshold']; - $time_rem = $data.time_rem; - $s = ( $time_rem == 1 ) ? '' : 's'; - $errstring = "You have used up all "+$data['lockout_threshold']+" allowed login attempts. Please wait "+$time_rem+" minute"+$s+" before attempting to log in again"; - if ( $data['lockout_policy'] == 'captcha' ) - $errstring += ', or enter the visual confirmation code shown above in the appropriate box'; - $errstring += '.'; - break; - } - return $errstring; -} function ajaxPromptAdminAuth(call_on_ok, level) { @@ -365,17 +320,6 @@ var title = ( level > USER_LEVEL_MEMBER ) ? 'You are requesting a sensitive operation.' : 'Please enter your username and password to continue.'; ajax_auth_mb_cache = new messagebox(MB_OKCANCEL|MB_ICONLOCK, title, loading_win); ajax_auth_mb_cache.onbeforeclick['OK'] = ajaxValidateLogin; - ajax_auth_mb_cache.onbeforeclick['Cancel'] = function() - { - if ( document.getElementById('autoCaptcha') ) - { - var to = fly_out_top(document.getElementById('autoCaptcha'), false, true); - setTimeout(function() { - var d = document.getElementById('autoCaptcha'); - d.parentNode.removeChild(d); - }, to); - } - } ajaxAuthLoginInnerSetup(); } @@ -391,20 +335,6 @@ return false; } response = parseJSON(response); - var disable_controls = false; - if ( response.locked_out && !ajax_auth_error_string ) - { - response.error = 'locked_out'; - ajax_auth_error_string = ajaxAuthErrorToString(response); - if ( response.lockout_policy == 'captcha' ) - { - ajax_auth_show_captcha = response.captcha; - } - else - { - disable_controls = true; - } - } var level = ajax_auth_level_cache; var form_html = ''; var shown_error = false; @@ -418,28 +348,14 @@ { form_html += 'Please re-enter your login details, to verify your identity.

'; } - if ( ajax_auth_show_captcha ) - { - var captcha_html = ' \ - \ - Code in image: \ - \ - '; - } - else - { - var captcha_html = ''; - } - var disableme = ( disable_controls ) ? 'disabled="disabled" ' : ''; form_html += ' \ \ \ - \ \ - \ - ' + captcha_html + ' \ \ '."\n"; else echo ''; - if($ticker < $numrows) echo ''."\n"; else echo ''; + if($ticker > 1) echo ''."\n"; else echo ''; + if($ticker < $numrows) echo ''."\n"; else echo ''; // Date and time - echo ''."\n"; + echo ''."\n"; // User - if($session->get_permissions('mod_misc') && preg_match('#^([0-9]*){1,3}\.([0-9]*){1,3}\.([0-9]*){1,3}\.([0-9]*){1,3}$#', $r['author'])) $rc = ' style="cursor: pointer;" title="Click cell background for reverse DNS info" onclick="ajaxReverseDNS(this, \''.$r['author'].'\');"'; - else $rc = ''; - echo ''."\n"; + if ( $session->get_permissions('mod_misc') && is_valid_ip($r['author']) ) + { + $rc = ' style="cursor: pointer;" title="Click cell background for reverse DNS info" onclick="ajaxReverseDNS(this, \'' . $r['author'] . '\');"'; + } + else + { + $rc = ''; + } + echo ''."\n"; // Edit summary - echo ''."\n"; + echo ''."\n"; // Minor edit - echo ''."\n"; + echo ''."\n"; // Actions! - echo ''."\n"; - echo ''."\n"; - echo ''."\n"; + echo ''."\n"; + echo ''."\n"; + echo ''."\n"; echo ''."\n"."\n"; @@ -589,8 +628,8 @@ } $db->free_result(); echo '

Other changes:

'; - $q = 'SELECT time_id,action,date_string,page_id,namespace,author,edit_summary,minor_edit FROM '.table_prefix.'logs WHERE log_type=\'page\' AND action!=\'edit\' AND page_id=\''.$paths->cpage['urlname_nons'].'\' AND namespace=\''.$paths->namespace.'\' ORDER BY time_id DESC;'; - if(!$db->sql_query($q)) $db->_die('The history data for the page "'.$paths->cpage['name'].'" could not be selected.'); + $q = 'SELECT time_id,action,date_string,page_id,namespace,author,edit_summary,minor_edit FROM ' . table_prefix.'logs WHERE log_type=\'page\' AND action!=\'edit\' AND page_id=\'' . $paths->cpage['urlname_nons'] . '\' AND namespace=\'' . $paths->namespace . '\' ORDER BY time_id DESC;'; + if(!$db->sql_query($q)) $db->_die('The history data for the page "' . $paths->cpage['name'] . '" could not be selected.'); if($db->numrows() < 1) echo 'No history entries in this category.'; else { @@ -604,34 +643,34 @@ echo ''; // Date and time - echo ''; + echo ''; // User - echo ''; + echo '>' . $r['author'] . ''; // Minor edit - echo ''; + echo ''; // Action taken - echo ''; // Actions! - echo ''; - echo ''; + echo ''; + echo ''; - //echo '(rollback) '.$r['date_string'].' '.$r['author'].' (Userpage, Contrib): '; + //echo '(rollback) ' . $r['date_string'] . ' ' . $r['author'] . ' (Userpage, Contrib): '; if($r['minor_edit']) echo ' - minor edit'; echo '
'; @@ -663,7 +702,7 @@ { return('The value "id" on the query string must be an integer.'); } - $e = $db->sql_query('SELECT log_type,action,date_string,page_id,namespace,page_text,char_tag,author,edit_summary FROM '.table_prefix.'logs WHERE time_id='.$id.';'); + $e = $db->sql_query('SELECT log_type,action,date_string,page_id,namespace,page_text,char_tag,author,edit_summary FROM ' . table_prefix.'logs WHERE time_id=' . $id . ';'); if ( !$e ) { $db->_die('The rollback data could not be selected.'); @@ -719,56 +758,56 @@ if ( !$perms->get_permissions('edit_page') ) return "You don't have permission to edit pages, so rolling back edits can't be allowed either."; $t = $db->escape($rb['page_text']); - $e = $db->sql_query('UPDATE '.table_prefix.'page_text SET page_text=\''.$t.'\',char_tag=\''.$rb['char_tag'].'\' WHERE page_id=\''.$rb['page_id'].'\' AND namespace=\''.$rb['namespace'].'\''); + $e = $db->sql_query('UPDATE ' . table_prefix.'page_text SET page_text=\'' . $t . '\',char_tag=\'' . $rb['char_tag'] . '\' WHERE page_id=\'' . $rb['page_id'] . '\' AND namespace=\'' . $rb['namespace'] . '\''); if ( !$e ) { return("An error occurred during the rollback operation.\nMySQL said: ".mysql_error()."\n\nSQL backtrace:\n".$db->sql_backtrace()); } else { - return 'The page "'.$paths->pages[$paths->nslist[$rb['namespace']].$rb['page_id']]['name'].'" has been rolled back to the state it was in on '.$rb['date_string'].'.'; + return 'The page "' . $paths->pages[$paths->nslist[$rb['namespace']].$rb['page_id']]['name'].'" has been rolled back to the state it was in on ' . $rb['date_string'] . '.'; } break; case "rename": if ( !$perms->get_permissions('rename') ) return "You don't have permission to rename pages, so rolling back renames can't be allowed either."; $t = $db->escape($rb['edit_summary']); - $e = $db->sql_query('UPDATE '.table_prefix.'pages SET name=\''.$t.'\' WHERE urlname=\''.$rb['page_id'].'\' AND namespace=\''.$rb['namespace'].'\''); + $e = $db->sql_query('UPDATE ' . table_prefix.'pages SET name=\'' . $t . '\' WHERE urlname=\'' . $rb['page_id'] . '\' AND namespace=\'' . $rb['namespace'] . '\''); if ( !$e ) { return "An error occurred during the rollback operation.\nMySQL said: ".mysql_error()."\n\nSQL backtrace:\n".$db->sql_backtrace(); } else { - return 'The page "'.$paths->pages[$paths->nslist[$rb['namespace']].$rb['page_id']]['name'].'" has been rolled back to the name it had ("'.$rb['edit_summary'].'") before '.$rb['date_string'].'.'; + return 'The page "' . $paths->pages[$paths->nslist[$rb['namespace']].$rb['page_id']]['name'].'" has been rolled back to the name it had ("' . $rb['edit_summary'] . '") before ' . $rb['date_string'] . '.'; } break; case "prot": if ( !$perms->get_permissions('protect') ) return "You don't have permission to protect pages, so rolling back protection can't be allowed either."; - $e = $db->sql_query('UPDATE '.table_prefix.'pages SET protected=0 WHERE urlname=\''.$rb['page_id'].'\' AND namespace=\''.$rb['namespace'].'\''); + $e = $db->sql_query('UPDATE ' . table_prefix.'pages SET protected=0 WHERE urlname=\'' . $rb['page_id'] . '\' AND namespace=\'' . $rb['namespace'] . '\''); if ( !$e ) return "An error occurred during the rollback operation.\nMySQL said: ".mysql_error()."\n\nSQL backtrace:\n".$db->sql_backtrace(); else - return 'The page "'.$paths->pages[$paths->nslist[$rb['namespace']].$rb['page_id']]['name'].'" has been unprotected according to the log created at '.$rb['date_string'].'.'; + return 'The page "' . $paths->pages[$paths->nslist[$rb['namespace']].$rb['page_id']]['name'].'" has been unprotected according to the log created at ' . $rb['date_string'] . '.'; break; case "semiprot": if ( !$perms->get_permissions('protect') ) return "You don't have permission to protect pages, so rolling back protection can't be allowed either."; - $e = $db->sql_query('UPDATE '.table_prefix.'pages SET protected=0 WHERE urlname=\''.$rb['page_id'].'\' AND namespace=\''.$rb['namespace'].'\''); + $e = $db->sql_query('UPDATE ' . table_prefix.'pages SET protected=0 WHERE urlname=\'' . $rb['page_id'] . '\' AND namespace=\'' . $rb['namespace'] . '\''); if ( !$e ) return "An error occurred during the rollback operation.\nMySQL said: ".mysql_error()."\n\nSQL backtrace:\n".$db->sql_backtrace(); else - return 'The page "'.$paths->pages[$paths->nslist[$rb['namespace']].$rb['page_id']]['name'].'" has been unprotected according to the log created at '.$rb['date_string'].'.'; + return 'The page "' . $paths->pages[$paths->nslist[$rb['namespace']].$rb['page_id']]['name'].'" has been unprotected according to the log created at ' . $rb['date_string'] . '.'; break; case "unprot": if ( !$perms->get_permissions('protect') ) return "You don't have permission to protect pages, so rolling back protection can't be allowed either."; - $e = $db->sql_query('UPDATE '.table_prefix.'pages SET protected=1 WHERE urlname=\''.$rb['page_id'].'\' AND namespace=\''.$rb['namespace'].'\''); + $e = $db->sql_query('UPDATE ' . table_prefix.'pages SET protected=1 WHERE urlname=\'' . $rb['page_id'] . '\' AND namespace=\'' . $rb['namespace'] . '\''); if ( !$e ) return "An error occurred during the rollback operation.\nMySQL said: ".mysql_error()."\n\nSQL backtrace:\n".$db->sql_backtrace(); else - return 'The page "'.$paths->pages[$paths->nslist[$rb['namespace']].$rb['page_id']]['name'].'" has been protected according to the log created at '.$rb['date_string'].'.'; + return 'The page "' . $paths->pages[$paths->nslist[$rb['namespace']].$rb['page_id']]['name'].'" has been protected according to the log created at ' . $rb['date_string'] . '.'; break; case "delete": if ( !$perms->get_permissions('history_rollback_extra') ) @@ -776,11 +815,11 @@ if ( isset($paths->pages[$paths->cpage['urlname']]) ) return 'You cannot raise a dead page that is alive.'; $name = str_replace('_', ' ', $rb['page_id']); - $e = $db->sql_query('INSERT INTO '.table_prefix.'pages(name,urlname,namespace) VALUES( \''.$name.'\', \''.$rb['page_id'].'\',\''.$rb['namespace'].'\' )');if(!$e) return("An error occurred during the rollback operation.\nMySQL said: ".mysql_error()."\n\nSQL backtrace:\n".$db->sql_backtrace()); - $e = $db->sql_query('SELECT page_text,char_tag FROM '.table_prefix.'logs WHERE page_id=\''.$rb['page_id'].'\' AND namespace=\''.$rb['namespace'].'\' AND log_type=\'page\' AND action=\'edit\' ORDER BY time_id DESC;'); if(!$e) return("An error occurred during the rollback operation.\nMySQL said: ".mysql_error()."\n\nSQL backtrace:\n".$db->sql_backtrace()); + $e = $db->sql_query('INSERT INTO ' . table_prefix.'pages(name,urlname,namespace) VALUES( \'' . $name . '\', \'' . $rb['page_id'] . '\',\'' . $rb['namespace'] . '\' )');if(!$e) return("An error occurred during the rollback operation.\nMySQL said: ".mysql_error()."\n\nSQL backtrace:\n".$db->sql_backtrace()); + $e = $db->sql_query('SELECT page_text,char_tag FROM ' . table_prefix.'logs WHERE page_id=\'' . $rb['page_id'] . '\' AND namespace=\'' . $rb['namespace'] . '\' AND log_type=\'page\' AND action=\'edit\' ORDER BY time_id DESC;'); if(!$e) return("An error occurred during the rollback operation.\nMySQL said: ".mysql_error()."\n\nSQL backtrace:\n".$db->sql_backtrace()); $r = $db->fetchrow(); - $e = $db->sql_query('INSERT INTO '.table_prefix.'page_text(page_id,namespace,page_text,char_tag) VALUES(\''.$rb['page_id'].'\',\''.$rb['namespace'].'\',\''.$db->escape($r['page_text']).'\',\''.$r['char_tag'].'\')'); if(!$e) return("An error occurred during the rollback operation.\nMySQL said: ".mysql_error()."\n\nSQL backtrace:\n".$db->sql_backtrace()); - return 'The page "'.$name.'" has been undeleted according to the log created at '.$rb['date_string'].'.'; + $e = $db->sql_query('INSERT INTO ' . table_prefix.'page_text(page_id,namespace,page_text,char_tag) VALUES(\'' . $rb['page_id'] . '\',\'' . $rb['namespace'] . '\',\'' . $db->escape($r['page_text']) . '\',\'' . $r['char_tag'] . '\')'); if(!$e) return("An error occurred during the rollback operation.\nMySQL said: ".mysql_error()."\n\nSQL backtrace:\n".$db->sql_backtrace()); + return 'The page "' . $name . '" has been undeleted according to the log created at ' . $rb['date_string'] . '.'; break; case "reupload": if ( !$session->get_permissions('history_rollbacks_extra') ) @@ -789,23 +828,23 @@ } $newtime = time(); $newdate = date('d M Y h:i a'); - if(!$db->sql_query('UPDATE '.table_prefix.'logs SET time_id='.$newtime.',date_string=\''.$newdate.'\' WHERE time_id='.$id)) + if(!$db->sql_query('UPDATE ' . table_prefix.'logs SET time_id=' . $newtime . ',date_string=\'' . $newdate . '\' WHERE time_id=' . $id)) return 'Error during query: '.mysql_error(); - if(!$db->sql_query('UPDATE '.table_prefix.'files SET time_id='.$newtime.' WHERE time_id='.$id)) + if(!$db->sql_query('UPDATE ' . table_prefix.'files SET time_id=' . $newtime . ' WHERE time_id=' . $id)) return 'Error during query: '.mysql_error(); return 'The file has been rolled back to the version uploaded on '.date('d M Y h:i a', (int)$id).'.'; break; default: - return('Rollback of the action "'.$rb['action'].'" is not yet supported.'); + return('Rollback of the action "' . $rb['action'] . '" is not yet supported.'); break; } break; case "security": case "login": - return('A '.$rb['log_type'].'-related log entry cannot be rolled back.'); + return('A ' . $rb['log_type'] . '-related log entry cannot be rolled back.'); break; default: - return('Unknown log entry type: "'.$rb['log_type'].'"'); + return('Unknown log entry type: "' . $rb['log_type'] . '"'); } } @@ -836,9 +875,9 @@ $name = $session->user_logged_in ? RenderMan::preprocess_text($session->username) : RenderMan::preprocess_text($name); $subj = RenderMan::preprocess_text($subject); if(getConfig('approve_comments')=='1') $appr = '0'; else $appr = '1'; - $q = 'INSERT INTO '.table_prefix.'comments(page_id,namespace,subject,comment_data,name,user_id,approved,time) VALUES(\''.$page_id.'\',\''.$namespace.'\',\''.$subj.'\',\''.$text.'\',\''.$name.'\','.$session->user_id.','.$appr.','.time().')'; + $q = 'INSERT INTO ' . table_prefix.'comments(page_id,namespace,subject,comment_data,name,user_id,approved,time) VALUES(\'' . $page_id . '\',\'' . $namespace . '\',\'' . $subj . '\',\'' . $text . '\',\'' . $name . '\',' . $session->user_id . ',' . $appr . ','.time().')'; $e = $db->sql_query($q); - if(!$e) die('alert(unescape(\''.rawurlencode('Error inserting comment data: '.mysql_error().'\n\nQuery:\n'.$q).'\'))'); + if(!$e) die('alert(unescape(\''.rawurlencode('Error inserting comment data: '.mysql_error().'\n\nQuery:\n' . $q) . '\'))'); else $_ob .= '

Your comment has been posted.

'; return PageUtils::comments($page_id, $namespace, false, Array(), $_ob); } @@ -868,15 +907,15 @@ case "delete": if(isset($flags['id'])) { - $q = 'DELETE FROM '.table_prefix.'comments WHERE page_id=\''.$page_id.'\' AND namespace=\''.$namespace.'\' AND comment_id='.intval($flags['id']).' LIMIT 1;'; + $q = 'DELETE FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND comment_id='.intval($flags['id']).' LIMIT 1;'; } else { $n = $db->escape($flags['name']); $s = $db->escape($flags['subj']); $t = $db->escape($flags['text']); - $q = 'DELETE FROM '.table_prefix.'comments WHERE page_id=\''.$page_id.'\' AND namespace=\''.$namespace.'\' AND name=\''.$n.'\' AND subject=\''.$s.'\' AND comment_data=\''.$t.'\' LIMIT 1;'; + $q = 'DELETE FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND name=\'' . $n . '\' AND subject=\'' . $s . '\' AND comment_data=\'' . $t . '\' LIMIT 1;'; } $e=$db->sql_query($q); - if(!$e) die('alert(unesape(\''.rawurlencode('Error during query: '.mysql_error().'\n\nQuery:\n'.$q).'\'));'); + if(!$e) die('alert(unesape(\''.rawurlencode('Error during query: '.mysql_error().'\n\nQuery:\n' . $q) . '\'));'); break; case "approve": if(isset($flags['id'])) @@ -886,20 +925,20 @@ $n = $db->escape($flags['name']); $s = $db->escape($flags['subj']); $t = $db->escape($flags['text']); - $where = 'name=\''.$n.'\' AND subject=\''.$s.'\' AND comment_data=\''.$t.'\''; + $where = 'name=\'' . $n . '\' AND subject=\'' . $s . '\' AND comment_data=\'' . $t . '\''; } - $q = 'SELECT approved FROM '.table_prefix.'comments WHERE page_id=\''.$page_id.'\' AND namespace=\''.$namespace.'\' AND '.$where.' LIMIT 1;'; + $q = 'SELECT approved FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND ' . $where . ' LIMIT 1;'; $e = $db->sql_query($q); - if(!$e) die('alert(unesape(\''.rawurlencode('Error selecting approval status: '.mysql_error().'\n\nQuery:\n'.$q).'\'));'); + if(!$e) die('alert(unesape(\''.rawurlencode('Error selecting approval status: '.mysql_error().'\n\nQuery:\n' . $q) . '\'));'); $r = $db->fetchrow(); $db->free_result(); $a = ( $r['approved'] ) ? '0' : '1'; - $q = 'UPDATE '.table_prefix.'comments SET approved='.$a.' WHERE page_id=\''.$page_id.'\' AND namespace=\''.$namespace.'\' AND '.$where.';'; + $q = 'UPDATE ' . table_prefix.'comments SET approved=' . $a . ' WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND ' . $where . ';'; $e=$db->sql_query($q); - if(!$e) die('alert(unesape(\''.rawurlencode('Error during query: '.mysql_error().'\n\nQuery:\n'.$q).'\'));'); + if(!$e) die('alert(unesape(\''.rawurlencode('Error during query: '.mysql_error().'\n\nQuery:\n' . $q) . '\'));'); if($a=='1') $v = 'Unapprove'; else $v = 'Approve'; - echo 'document.getElementById("mdgApproveLink'.$_GET['id'].'").innerHTML="'.$v.'";'; + echo 'document.getElementById("mdgApproveLink'.intval($_GET['id']).'").innerHTML="' . $v . '";'; break; } } @@ -911,31 +950,31 @@ $tpl = $template->makeParser('comment.tpl'); - $e = $db->sql_query('SELECT * FROM '.table_prefix.'comments WHERE page_id=\''.$page_id.'\' AND namespace=\''.$namespace.'\' AND approved=0;'); + $e = $db->sql_query('SELECT * FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND approved=0;'); if(!$e) $db->_die('The comment text data could not be selected.'); $num_unapp = $db->numrows(); $db->free_result(); - $e = $db->sql_query('SELECT * FROM '.table_prefix.'comments WHERE page_id=\''.$page_id.'\' AND namespace=\''.$namespace.'\' AND approved=1;'); + $e = $db->sql_query('SELECT * FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND approved=1;'); if(!$e) $db->_die('The comment text data could not be selected.'); $num_app = $db->numrows(); $db->free_result(); $lq = $db->sql_query('SELECT c.comment_id,c.subject,c.name,c.comment_data,c.approved,c.time,c.user_id,u.user_level,u.signature - FROM '.table_prefix.'comments AS c - LEFT JOIN '.table_prefix.'users AS u + FROM ' . table_prefix.'comments AS c + LEFT JOIN ' . table_prefix.'users AS u ON c.user_id=u.user_id - WHERE page_id=\''.$page_id.'\' - AND namespace=\''.$namespace.'\' ORDER BY c.time ASC;'); + WHERE page_id=\'' . $page_id . '\' + AND namespace=\'' . $namespace . '\' ORDER BY c.time ASC;'); if(!$lq) _die('The comment text data could not be selected. '.mysql_error()); $_ob .= '

Article Comments

'; $n = ( $session->get_permissions('mod_comments')) ? $db->numrows() : $num_app; - if($n==1) $s = 'is '.$n.' comment'; else $s = 'are '.$n.' comments'; + if($n==1) $s = 'is ' . $n . ' comment'; else $s = 'are ' . $n . ' comments'; if($n < 1) { $_ob .= '

There are currently no comments on this '.strtolower($namespace).''; if($namespace != 'Article') $_ob .= ' page'; $_ob .= '.

'; - } else $_ob .= '

There '.$s.' on this article.'; - if($session->get_permissions('mod_comments') && $num_unapp > 0) $_ob .= ' '.$num_unapp.' of those are unapproved.'; + } else $_ob .= '

There ' . $s . ' on this article.'; + if($session->get_permissions('mod_comments') && $num_unapp > 0) $_ob .= ' ' . $num_unapp . ' of those are unapproved.'; elseif(!$session->get_permissions('mod_comments') && $num_unapp > 0) { $u = ($num_unapp == 1) ? "is $num_unapp comment" : "are $num_unapp comments"; $_ob .= ' However, there ' . $u . ' awating approval.'; } $_ob .= '

'; $list = 'list = { '; @@ -946,7 +985,8 @@ $i++; $strings = Array(); $bool = Array(); - if($session->get_permissions('mod_comments') || $row['approved']) { + if ( $session->get_permissions('mod_comments') || $row['approved'] ) + { $list .= $i . ' : { \'comment\' : unescape(\''.rawurlencode($row['comment_data']).'\'), \'name\' : unescape(\''.rawurlencode($row['name']).'\'), \'subject\' : unescape(\''.rawurlencode($row['subject']).'\'), }, '; // Comment ID (used in the Javascript apps) @@ -992,10 +1032,10 @@ if($session->get_permissions('edit_comments')) { // Edit link - $strings['EDIT_LINK'] = 'edit'; + $strings['EDIT_LINK'] = 'edit'; // Delete link - $strings['DELETE_LINK'] = 'delete'; + $strings['DELETE_LINK'] = 'delete'; } else { @@ -1007,19 +1047,19 @@ } // Send PM link - $strings['SEND_PM_LINK'] = ( $session->user_logged_in && $row['user_id'] > 0 ) ? 'Send private message
' : ''; + $strings['SEND_PM_LINK'] = ( $session->user_logged_in && $row['user_id'] > 0 ) ? 'Send private message
' : ''; // Add Buddy link - $strings['ADD_BUDDY_LINK'] = ( $session->user_logged_in && $row['user_id'] > 0 ) ? 'Add to buddy list' : ''; + $strings['ADD_BUDDY_LINK'] = ( $session->user_logged_in && $row['user_id'] > 0 ) ? 'Add to buddy list' : ''; // Mod links $applink = ''; - $applink .= ''; + $applink .= ''; if($row['approved']) $applink .= 'Unapprove'; else $applink .= 'Approve'; $applink .= ''; $strings['MOD_APPROVE_LINK'] = $applink; unset($applink); - $strings['MOD_DELETE_LINK'] = 'Delete'; + $strings['MOD_DELETE_LINK'] = 'Delete'; // Signature $strings['SIGNATURE'] = ''; @@ -1046,19 +1086,19 @@ $_ob .= '

Got something to say?

If you have comments or suggestions on this article, you can shout it out here.'; if(getConfig('approve_comments')=='1') $_ob .= ' Before your comment will be visible to the public, a moderator will have to approve it.'; if(getConfig('comments_need_login') == '1' && !$session->user_logged_in) $_ob .= ' Because you are not logged in, you will need to enter a visual confirmation before your comment will be posted.'; - $sn = $session->user_logged_in ? $session->username . '' : ''; + $sn = $session->user_logged_in ? $session->username . '' : ''; $_ob .= '

Comment form

Username: \ + Username: \

Password: \ + Password: \

\
Trouble logging in? Try the full login form.
'; @@ -467,21 +383,8 @@ { $('ajaxlogin_user').object.focus(); } - if ( ajax_auth_show_captcha ) - { - $('ajaxlogin_captcha_code').object.onblur = function(e) { if ( !shift ) $('messageBox').object.nextSibling.firstChild.focus(); }; - $('ajaxlogin_captcha_code').object.onkeypress = function(e) { if ( !e && IE ) return true; if ( e.keyCode == 13 ) $('messageBox').object.nextSibling.firstChild.click(); }; - } - else - { - $('ajaxlogin_pass').object.onblur = function(e) { if ( !shift ) $('messageBox').object.nextSibling.firstChild.focus(); }; - $('ajaxlogin_pass').object.onkeypress = function(e) { if ( !e && IE ) return true; if ( e.keyCode == 13 ) $('messageBox').object.nextSibling.firstChild.click(); }; - } - if ( disable_controls ) - { - var panel = document.getElementById('messageBoxButtons'); - panel.firstChild.disabled = true; - } + $('ajaxlogin_pass').object.onblur = function(e) { if ( !shift ) $('messageBox').object.nextSibling.firstChild.focus(); }; + $('ajaxlogin_pass').object.onkeypress = function(e) { if ( !e && IE ) return true; if ( e.keyCode == 13 ) $('messageBox').object.nextSibling.firstChild.click(); }; /* ## This causes the background image to disappear under Fx 2 if ( shown_error ) @@ -495,11 +398,6 @@ fader.start(); } */ - if ( ajax_auth_show_captcha ) - { - ajaxShowCaptcha(ajax_auth_show_captcha); - ajax_auth_show_captcha = false; - } } }); } @@ -514,15 +412,6 @@ password = document.getElementById('ajaxlogin_pass').value; auth_enabled = false; - if ( document.getElementById('autoCaptcha') ) - { - var to = fly_out_top(document.getElementById('autoCaptcha'), false, true); - setTimeout(function() { - var d = document.getElementById('autoCaptcha'); - d.parentNode.removeChild(d); - }, to); - } - disableJSONExts(); // @@ -578,12 +467,6 @@ 'level' : ajax_auth_level_cache }; - if ( document.getElementById('ajaxlogin_captcha_hash') ) - { - json_data.captcha_hash = document.getElementById('ajaxlogin_captcha_hash').value; - json_data.captcha_code = document.getElementById('ajaxlogin_captcha_code').value; - } - json_data = toJSONString(json_data); json_data = encodeURIComponent(json_data); @@ -626,23 +509,18 @@ } break; case 'error': - if ( response.data.error == 'invalid_credentials' || response.data.error == 'locked_out' ) + if ( response.error == 'The username and/or password is incorrect.' ) { - ajax_auth_error_string = ajaxAuthErrorToString(response.data); + ajax_auth_error_string = response.error; mb_current_obj.updateContent(''); document.getElementById('messageBox').style.backgroundColor = '#C0C0C0'; var mb_parent = document.getElementById('messageBox').parentNode; new Spry.Effect.Shake(mb_parent, {duration: 1500}).start(); setTimeout("document.getElementById('messageBox').style.backgroundColor = '#FFF'; ajaxAuthLoginInnerSetup();", 2500); - - if ( response.data.lockout_policy == 'captcha' && response.data.error == 'locked_out' ) - { - ajax_auth_show_captcha = response.captcha; - } } else { - ajax_auth_error_string = ajaxAuthErrorToString(response.data); + alert(response.error); ajaxAuthLoginInnerSetup(); } break; diff -r 996572e55dc9 -r 861807631f70 includes/common.php --- a/includes/common.php Wed Oct 24 09:34:19 2007 -0400 +++ b/includes/common.php Wed Oct 24 12:45:05 2007 -0400 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.1 + * Version 1.0.2 (Coblynau) * Copyright (C) 2006-2007 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License @@ -23,7 +23,7 @@ exit; } -$version = '1.1.1'; +$version = '1.0.2'; function microtime_float() { @@ -68,6 +68,9 @@ if ( file_exists( ENANO_ROOT . '/_nightly.php') ) require(ENANO_ROOT.'/_nightly.php'); +// List of scheduled tasks +$cron_tasks = array(); + // Start including files. LOTS of files. Yeah! require_once(ENANO_ROOT.'/includes/constants.php'); dc_here('Enano CMS '.$version.' (dev) - debug window
Powered by debugConsole'); diff -r 996572e55dc9 -r 861807631f70 includes/functions.php --- a/includes/functions.php Wed Oct 24 09:34:19 2007 -0400 +++ b/includes/functions.php Wed Oct 24 12:45:05 2007 -0400 @@ -2796,7 +2796,7 @@ $strip_tags = implode('|', $strip_tags); // Strip out the tags and replace with placeholders - preg_match_all("#<($strip_tags)(.*?)>(.*?)#is", $html, $matches); + preg_match_all("#<($strip_tags)([ ]+.*?)?>(.*?)#is", $html, $matches); $seed = md5(microtime() . mt_rand()); // Random value used for placeholders for ($i = 0;$i < sizeof($matches[1]); $i++) { @@ -2804,7 +2804,7 @@ } // Optimize (but don't obfuscate) Javascript - preg_match_all('/(.+?)<\/script>/is', $html, $jscript); + preg_match_all('/(.*?)(\]\]>)?<\/script>/is', $html, $jscript); // list of Javascript reserved words - from about.com $reserved_words = array('abstract', 'as', 'boolean', 'break', 'byte', 'case', 'catch', 'char', 'class', 'continue', 'const', 'debugger', 'default', 'delete', 'do', @@ -2819,6 +2819,8 @@ { $js =& $jscript[2][$i]; + // echo('

' . "-----------------------------------------------------------------------------\n" . htmlspecialchars($js) . '

'); + // for line optimization, explode it $particles = explode("\n", $js); @@ -3166,6 +3168,20 @@ return $score; } +/** + * Registers a task that will be run every X hours. Scheduled tasks should always be scheduled at runtime - they are not stored in the DB. + * @param string Function name to call, or array(object, string method) + * @param int Interval between runs, in hours. Defaults to 24. + */ + +function register_cron_task($func, $hour_interval = 24) +{ + global $cron_tasks; + if ( !isset($cron_tasks[$hour_interval]) ) + $cron_tasks[$hour_interval] = array(); + $cron_tasks[$hour_interval][] = $func; +} + //die('

Original:  01010101010100101010100101010101011010'."\nProcessed: ".uncompress_bitfield(compress_bitfield('01010101010100101010100101010101011010')).'

'); ?> diff -r 996572e55dc9 -r 861807631f70 includes/pageutils.php --- a/includes/pageutils.php Wed Oct 24 09:34:19 2007 -0400 +++ b/includes/pageutils.php Wed Oct 24 12:45:05 2007 -0400 @@ -1,8 +1,7 @@ sql_query('SELECT username FROM '.table_prefix.'users WHERE username=\''.$db->escape(rawurldecode($name)).'\''); - if(!$q) die(mysql_error()); - if($db->numrows() < 1) { $db->free_result(); return('good'); } - else { $db->free_result(); return('bad'); } + $q = $db->sql_query('SELECT username FROM ' . table_prefix.'users WHERE username=\'' . $db->escape(rawurldecode($name)) . '\''); + if ( !$q ) + { + die(mysql_error()); + } + if ( $db->numrows() < 1) + { + $db->free_result(); return('good'); + } + else + { + $db->free_result(); return('bad'); + } } /** @@ -58,10 +66,10 @@ $pid = RenderMan::strToPageID($page); if($pid[1] == 'Special' || $pid[1] == 'Admin') { - die('This type of page ('.$paths->nslist[$pid[1]].') cannot be edited because the page source code is not stored in the database.'); + die('This type of page (' . $paths->nslist[$pid[1]] . ') cannot be edited because the page source code is not stored in the database.'); } - $e = $db->sql_query('SELECT page_text,char_tag FROM '.table_prefix.'page_text WHERE page_id=\''.$pid[0].'\' AND namespace=\''.$pid[1].'\''); + $e = $db->sql_query('SELECT page_text,char_tag FROM ' . table_prefix.'page_text WHERE page_id=\'' . $pid[0] . '\' AND namespace=\'' . $pid[1] . '\''); if ( !$e ) { $db->_die('The page text could not be selected.'); @@ -124,7 +132,7 @@ return $r; } - $fname = 'page_'.$pid[1].'_'.$paths->pages[$page]['urlname_nons']; + $fname = 'page_' . $pid[1] . '_' . $paths->pages[$page]['urlname_nons']; @call_user_func($fname); } @@ -148,7 +156,7 @@ return $r; } - $fname = 'page_'.$pid[1].'_'.$pid[0]; + $fname = 'page_' . $pid[1] . '_' . $pid[0]; if ( !function_exists($fname) ) { $title = 'Page backend not found'; @@ -191,12 +199,17 @@

You have requested a page that doesn\'t exist yet.'; if($session->get_permissions('create_page')) echo ' You can create this page, or return to the homepage.'; else echo ' Return to the homepage.

'; - if($session->get_permissions('history_rollback')) { - $e = $db->sql_query('SELECT * FROM '.table_prefix.'logs WHERE action=\'delete\' AND page_id=\''.$paths->cpage['urlname_nons'].'\' AND namespace=\''.$pid[1].'\' ORDER BY time_id DESC;'); - if(!$e) $db->_die('The deletion log could not be selected.'); - if($db->numrows() > 0) { + if ( $session->get_permissions('history_rollback') ) + { + $e = $db->sql_query('SELECT * FROM ' . table_prefix.'logs WHERE action=\'delete\' AND page_id=\'' . $paths->cpage['urlname_nons'] . '\' AND namespace=\'' . $pid[1] . '\' ORDER BY time_id DESC;'); + if ( !$e ) + { + $db->_die('The deletion log could not be selected.'); + } + if ($db->numrows() > 0 ) + { $r = $db->fetchrow(); - echo '

This page also appears to have some log entries in the database - it seems that it was deleted on '.$r['date_string'].'. You can probably roll back the deletion.

'; + echo '

This page also appears to have some log entries in the database - it seems that it was deleted on ' . $r['date_string'] . '. You can probably roll back the deletion.

'; } $db->free_result(); } @@ -234,15 +247,16 @@ return $text; } - if($hist_id) { - $e = $db->sql_query('SELECT page_text,date_string,char_tag FROM '.table_prefix.'logs WHERE page_id=\''.$paths->pages[$page]['urlname_nons'].'\' AND namespace=\''.$pid[1].'\' AND log_type=\'page\' AND action=\'edit\' AND time_id='.$db->escape($hist_id).''); + if ( $hist_id ) + { + $e = $db->sql_query('SELECT page_text,date_string,char_tag FROM ' . table_prefix.'logs WHERE page_id=\'' . $paths->pages[$page]['urlname_nons'] . '\' AND namespace=\'' . $pid[1] . '\' AND log_type=\'page\' AND action=\'edit\' AND time_id=' . $db->escape($hist_id) . ''); if($db->numrows() < 1) { $db->_die('There were no rows in the text table that matched the page text query.'); } $r = $db->fetchrow(); $db->free_result(); - $message = '

Notice:
The page you are viewing was archived on '.$r['date_string'].'.
View current version | Restore this version

'.RenderMan::render($r['page_text']); + $message = '

Notice:
The page you are viewing was archived on ' . $r['date_string'] . '.
View current version | Restore this version

'.RenderMan::render($r['page_text']); if( !$paths->pages[$page]['special'] ) { @@ -253,7 +267,7 @@ display_page_headers(); } - eval('?>'.$message); + eval('?>' . $message); if( !$paths->pages[$page]['special'] ) { @@ -287,7 +301,7 @@ // This is it, this is what all of Enano has been working up to... - eval('?>'.$message); + eval('?>' . $message); if( !$paths->pages[$page]['special'] ) { @@ -323,8 +337,9 @@ if(!isset($paths->pages[$pname])) { - if(!PageUtils::createPage($page_id, $namespace)) - return 'The page did not exist, and I was not able to create it. Permissions problem?'; + $create = PageUtils::createPage($page_id, $namespace); + if ( $create != 'good' ) + return 'The page did not exist, and I was not able to create it. The reported error was: ' . $create; $paths->page_exists = true; } @@ -338,10 +353,10 @@ $msg = $db->escape($message); $minor = $minor ? 'true' : 'false'; - $q='INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,page_id,namespace,page_text,char_tag,author,edit_summary,minor_edit) VALUES(\'page\', \'edit\', '.time().', \''.date('d M Y h:i a').'\', \''.$paths->cpage['urlname_nons'].'\', \''.$paths->namespace.'\', \''.$msg.'\', \''.$uid.'\', \''.$session->username.'\', \''.$db->escape(htmlspecialchars($summary)).'\', '.$minor.');'; + $q='INSERT INTO ' . table_prefix.'logs(log_type,action,time_id,date_string,page_id,namespace,page_text,char_tag,author,edit_summary,minor_edit) VALUES(\'page\', \'edit\', '.time().', \''.date('d M Y h:i a').'\', \'' . $paths->cpage['urlname_nons'] . '\', \'' . $paths->namespace . '\', \'' . $msg . '\', \'' . $uid . '\', \'' . $session->username . '\', \'' . $db->escape(htmlspecialchars($summary)) . '\', ' . $minor . ');'; if(!$db->sql_query($q)) $db->_die('The history (log) entry could not be inserted into the logs table.'); - $q = 'UPDATE '.table_prefix.'page_text SET page_text=\''.$msg.'\',char_tag=\''.$uid.'\' WHERE page_id=\''.$page_id.'\' AND namespace=\''.$namespace.'\';'; + $q = 'UPDATE ' . table_prefix.'page_text SET page_text=\'' . $msg . '\',char_tag=\'' . $uid . '\' WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\';'; $e = $db->sql_query($q); if(!$e) $db->_die('Enano was unable to save the page contents. Your changes have been lost :\'(.'); @@ -363,32 +378,38 @@ if(in_array($namespace, Array('Special', 'Admin'))) { // echo 'Notice: PageUtils::createPage: You can\'t create a special page in the database
'; - return false; // Can't create a special page + return 'You can\'t create a special page in the database'; } if(!isset($paths->nslist[$namespace])) { // echo 'Notice: PageUtils::createPage: Couldn\'t look up the namespace
'; - return false; // Couldn't look up namespace + return 'Couldn\'t look up the namespace'; } $pname = $paths->nslist[$namespace] . $page_id; if(isset($paths->pages[$pname])) { // echo 'Notice: PageUtils::createPage: Page already exists
'; - return false; // Page already exists + return 'Page already exists'; } if(!$session->get_permissions('create_page')) { // echo 'Notice: PageUtils::createPage: Not authorized to create pages
'; - return false; // Access denied + return 'Not authorized to create pages'; } if($session->user_level < USER_LEVEL_ADMIN && $namespace == 'System') { // echo 'Notice: PageUtils::createPage: Not authorized to create system messages
'; - return false; // Not authorized to create system messages + return 'Not authorized to create system messages'; + } + + if ( substr($page_id, 0, 8) == 'Project:' ) + { + // echo 'Notice: PageUtils::createPage: Prefix "Project:" is reserved
'; + return 'The prefix "Project:" is reserved for a parser shortcut; if a page was created using this prefix, it would not be possible to link to it.'; } $page_id = dirtify_page_id($page_id); @@ -399,7 +420,7 @@ if(!preg_match($regex, $page)) { //echo 'Notice: PageUtils::createPage: Name contains invalid characters
'; - return false; // Name contains invalid characters + return 'Name contains invalid characters'; } $page_id = sanitize_page_id( $page_id ); @@ -422,16 +443,15 @@ $paths->add_page($page_data); - $qa = $db->sql_query('INSERT INTO '.table_prefix.'pages(name,urlname,namespace,visible,protected,delvote_ips) VALUES(\''.$db->escape($name).'\', \''.$db->escape($page_id).'\', \''.$namespace.'\', '. ( $visible ? '1' : '0' ) .', '.$prot.', \'' . $db->escape(serialize($ips)) . '\');'); - $qb = $db->sql_query('INSERT INTO '.table_prefix.'page_text(page_id,namespace) VALUES(\''.$db->escape($page_id).'\', \''.$namespace.'\');'); - $qc = $db->sql_query('INSERT INTO '.table_prefix.'logs(time_id,date_string,log_type,action,author,page_id,namespace) VALUES('.time().', \''.date('d M Y h:i a').'\', \'page\', \'create\', \''.$session->username.'\', \''.$db->escape($page_id).'\', \''.$namespace.'\');'); + $qa = $db->sql_query('INSERT INTO ' . table_prefix.'pages(name,urlname,namespace,visible,protected,delvote_ips) VALUES(\'' . $db->escape($name) . '\', \'' . $db->escape($page_id) . '\', \'' . $namespace . '\', '. ( $visible ? '1' : '0' ) .', ' . $prot . ', \'' . $db->escape(serialize($ips)) . '\');'); + $qb = $db->sql_query('INSERT INTO ' . table_prefix.'page_text(page_id,namespace) VALUES(\'' . $db->escape($page_id) . '\', \'' . $namespace . '\');'); + $qc = $db->sql_query('INSERT INTO ' . table_prefix.'logs(time_id,date_string,log_type,action,author,page_id,namespace) VALUES('.time().', \''.date('d M Y h:i a').'\', \'page\', \'create\', \'' . $session->username . '\', \'' . $db->escape($page_id) . '\', \'' . $namespace . '\');'); if($qa && $qb && $qc) - return true; + return 'good'; else { - echo $db->get_error(); - return false; + return $db->get_error(); } } @@ -451,31 +471,41 @@ $wiki = ( ( $paths->pages[$pname]['wiki_mode'] == 2 && getConfig('wiki_mode') == '1') || $paths->pages[$pname]['wiki_mode'] == 1) ? true : false; $prot = ( ( $paths->pages[$pname]['protected'] == 2 && $session->user_logged_in && $session->reg_time + 60*60*24*4 < time() ) || $paths->pages[$pname]['protected'] == 1) ? true : false; - if(!$session->get_permissions('protect')) return('Insufficient access rights'); - if(!$wiki) return('Page protection only has an effect when Wiki Mode is enabled.'); - if(!preg_match('#^([0-9]+){1}$#', (string)$level)) return('Invalid $level parameter.'); - - if($reason!='NO_REASON') { - switch($level) - { - case 0: - $q = 'INSERT INTO '.table_prefix.'logs(time_id,date_string,log_type,action,author,page_id,namespace,edit_summary) VALUES('.time().', \''.date('d M Y h:i a').'\', \'page\', \'unprot\', \''.$session->username.'\', \''.$page_id.'\', \''.$namespace.'\', \''.$db->escape(htmlspecialchars($reason)).'\');'; - break; - case 1: - $q = 'INSERT INTO '.table_prefix.'logs(time_id,date_string,log_type,action,author,page_id,namespace,edit_summary) VALUES('.time().', \''.date('d M Y h:i a').'\', \'page\', \'prot\', \''.$session->username.'\', \''.$page_id.'\', \''.$namespace.'\', \''.$db->escape(htmlspecialchars($reason)).'\');'; - break; - case 2: - $q = 'INSERT INTO '.table_prefix.'logs(time_id,date_string,log_type,action,author,page_id,namespace,edit_summary) VALUES('.time().', \''.date('d M Y h:i a').'\', \'page\', \'semiprot\', \''.$session->username.'\', \''.$page_id.'\', \''.$namespace.'\', \''.$db->escape(htmlspecialchars($reason)).'\');'; - break; - default: - return 'PageUtils::protect(): Invalid value for $level'; - break; - } - if(!$db->sql_query($q)) $db->_die('The log entry for the page protection could not be inserted.'); + if ( !$session->get_permissions('protect') ) + { + return('Insufficient access rights'); + } + if ( !$wiki ) + { + return('Page protection only has an effect when Wiki Mode is enabled.'); + } + if ( !preg_match('#^([0-9]+){1}$#', (string)$level) ) + { + return('Invalid $level parameter.'); } - $q = $db->sql_query('UPDATE '.table_prefix.'pages SET protected='.$_POST['level'].' WHERE urlname=\''.$page_id.'\' AND namespace=\''.$namespace.'\';'); - if(!$q) $db->_die('The pages table was not updated.'); + switch($level) + { + case 0: + $q = 'INSERT INTO ' . table_prefix.'logs(time_id,date_string,log_type,action,author,page_id,namespace,edit_summary) VALUES('.time().', \''.date('d M Y h:i a').'\', \'page\', \'unprot\', \'' . $session->username . '\', \'' . $page_id . '\', \'' . $namespace . '\', \'' . $db->escape(htmlspecialchars($reason)) . '\');'; + break; + case 1: + $q = 'INSERT INTO ' . table_prefix.'logs(time_id,date_string,log_type,action,author,page_id,namespace,edit_summary) VALUES('.time().', \''.date('d M Y h:i a').'\', \'page\', \'prot\', \'' . $session->username . '\', \'' . $page_id . '\', \'' . $namespace . '\', \'' . $db->escape(htmlspecialchars($reason)) . '\');'; + break; + case 2: + $q = 'INSERT INTO ' . table_prefix.'logs(time_id,date_string,log_type,action,author,page_id,namespace,edit_summary) VALUES('.time().', \''.date('d M Y h:i a').'\', \'page\', \'semiprot\', \'' . $session->username . '\', \'' . $page_id . '\', \'' . $namespace . '\', \'' . $db->escape(htmlspecialchars($reason)) . '\');'; + break; + default: + return 'PageUtils::protect(): Invalid value for $level'; + break; + } + if(!$db->sql_query($q)) $db->_die('The log entry for the page protection could not be inserted.'); + + $q = $db->sql_query('UPDATE ' . table_prefix.'pages SET protected=' . $level . ' WHERE urlname=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\';'); + if ( !$q ) + { + $db->_die('The pages table was not updated.'); + } return('good'); } @@ -500,8 +530,8 @@ $wiki = ( ( $paths->pages[$pname]['wiki_mode'] == 2 && getConfig('wiki_mode') == '1') || $paths->pages[$pname]['wiki_mode'] == 1) ? true : false; $prot = ( ( $paths->pages[$pname]['protected'] == 2 && $session->user_logged_in && $session->reg_time + 60*60*24*4 < time() ) || $paths->pages[$pname]['protected'] == 1) ? true : false; - $q = 'SELECT time_id,date_string,page_id,namespace,author,edit_summary,minor_edit FROM '.table_prefix.'logs WHERE log_type=\'page\' AND action=\'edit\' AND page_id=\''.$page_id.'\' AND namespace=\''.$namespace.'\' ORDER BY time_id DESC;'; - if(!$db->sql_query($q)) $db->_die('The history data for the page "'.$paths->cpage['name'].'" could not be selected.'); + $q = 'SELECT time_id,date_string,page_id,namespace,author,edit_summary,minor_edit FROM ' . table_prefix.'logs WHERE log_type=\'page\' AND action=\'edit\' AND page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' ORDER BY time_id DESC;'; + if(!$db->sql_query($q)) $db->_die('The history data for the page "' . $paths->cpage['name'] . '" could not be selected.'); echo 'History of edits and actions

Edits:

'; $numrows = $db->numrows(); if($numrows < 1) echo 'No history entries in this category.'; @@ -552,29 +582,38 @@ $s1 = ''; $s2 = ''; } - if($ticker > 1) echo '

'.$r['date_string'].'

' . $r['date_string'] . '

nslist['User'] . $r['author'])) echo 'class="wikilink-nonexistent"'; - echo '>'.$r['author'].'

nslist['User'] . $r['author']) ) + { + echo 'class="wikilink-nonexistent"'; + } + echo '>' . $r['author'] . '

'.$r['edit_summary'].'

' . $r['edit_summary'] . '

'. (( $r['minor_edit'] ) ? 'M' : '' ) .'

View revision

View user contribs

Revert to this revision

View revision

View user contribs

Revert to this revision

'.$r['date_string'].' ' . $r['date_string'] . ' nslist['User'] . $r['author'])) echo 'class="wikilink-nonexistent"'; - echo '>'.$r['author'].' '. (( $r['minor_edit'] ) ? 'M' : '' ) .' '. (( $r['minor_edit'] ) ? 'M' : '' ) .' '; + echo ' '; // Some of these are sanitized at insert-time. Others follow the newer Enano policy of stripping HTML at runtime. - if ($r['action']=='prot') echo 'Protected page Reason: '.$r['edit_summary']; - elseif($r['action']=='unprot') echo 'Unprotected page Reason: '.$r['edit_summary']; - elseif($r['action']=='semiprot') echo 'Semi-protected page Reason: '.$r['edit_summary']; - elseif($r['action']=='rename') echo 'Renamed page Old title: '.htmlspecialchars($r['edit_summary']); - elseif($r['action']=='create') echo 'Created page '; - elseif($r['action']=='delete') echo 'Deleted page Reason: '.$r['edit_summary']; - elseif($r['action']=='reupload') echo 'Uploaded new file version Reason: '.htmlspecialchars($r['edit_summary']); + if ($r['action']=='prot') echo 'Protected page Reason: ' . $r['edit_summary']; + elseif($r['action']=='unprot') echo 'Unprotected page Reason: ' . $r['edit_summary']; + elseif($r['action']=='semiprot') echo 'Semi-protected page Reason: ' . $r['edit_summary']; + elseif($r['action']=='rename') echo 'Renamed page Old title: '.htmlspecialchars($r['edit_summary']); + elseif($r['action']=='create') echo 'Created page '; + elseif($r['action']=='delete') echo 'Deleted page Reason: ' . $r['edit_summary']; + elseif($r['action']=='reupload') echo 'Uploaded new file version Reason: '.htmlspecialchars($r['edit_summary']); echo ' View user contribs Revert action View user contribs Revert action

- + '; if(getConfig('comments_need_login') == '1' && !$session->user_logged_in) { $session->kill_captcha(); $captcha = $session->make_captcha(); - $_ob .= ''; + $_ob .= ''; } $_ob .= ' @@ -1068,7 +1108,7 @@ '; } } else { - $_ob .= '

Got something to say?

You need to be logged in to post comments. Log in

'; + $_ob .= '

Got something to say?

You need to be logged in to post comments. Log in

'; } $list .= '};'; echo 'document.getElementById(\'ajaxEditContainer\').innerHTML = unescape(\''. rawurlencode($_ob) .'\'); @@ -1139,7 +1179,7 @@ if(!$session->get_permissions('mod_comments')) // allow mods to edit comments { if(!$session->user_logged_in) _die('AJAX comment save safety check failed because you are not logged in. Sometimes this can happen because you are using a browser that does not send cookies as part of AJAX requests.

Please log in and try again.'); - $q = 'SELECT c.name FROM '.table_prefix.'comments c, '.table_prefix.'users u WHERE comment_data=\''.$old_text.'\' AND subject=\''.$old_subject.'\' AND page_id=\''.$page_id.'\' AND namespace=\''.$namespace.'\' AND u.user_id=c.user_id;'; + $q = 'SELECT c.name FROM ' . table_prefix.'comments c, ' . table_prefix.'users u WHERE comment_data=\'' . $old_text . '\' AND subject=\'' . $old_subject . '\' AND page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND u.user_id=c.user_id;'; $s = $db->sql_query($q); if(!$s) _die('SQL error during safety check: '.mysql_error().'

Attempted SQL:

'.htmlspecialchars($q).'

'); $r = $db->fetchrow($s); @@ -1148,13 +1188,13 @@ } $s = RenderMan::preprocess_text($subject); $t = RenderMan::preprocess_text($text); - $sql = 'UPDATE '.table_prefix.'comments SET subject=\''.$s.'\',comment_data=\''.$t.'\' WHERE comment_data=\''.$old_text.'\' AND subject=\''.$old_subject.'\' AND page_id=\''.$page_id.'\' AND namespace=\''.$namespace.'\''; + $sql = 'UPDATE ' . table_prefix.'comments SET subject=\'' . $s . '\',comment_data=\'' . $t . '\' WHERE comment_data=\'' . $old_text . '\' AND subject=\'' . $old_subject . '\' AND page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\''; $result = $db->sql_query($sql); if($result) { return 'result="GOOD"; - list['.$id.'][\'subject\'] = unescape(\''.str_replace('%5Cn', '%0A', rawurlencode(str_replace('{{EnAnO:Newline}}', '\\n', stripslashes(str_replace('\\n', '{{EnAnO:Newline}}', $s))))).'\'); - list['.$id.'][\'comment\'] = unescape(\''.str_replace('%5Cn', '%0A', rawurlencode(str_replace('{{EnAnO:Newline}}', '\\n', stripslashes(str_replace('\\n', '{{EnAnO:Newline}}', $t))))).'\'); id = '.$id.'; + list[' . $id . '][\'subject\'] = unescape(\''.str_replace('%5Cn', '%0A', rawurlencode(str_replace('{{EnAnO:Newline}}', '\\n', stripslashes(str_replace('\\n', '{{EnAnO:Newline}}', $s))))).'\'); + list[' . $id . '][\'comment\'] = unescape(\''.str_replace('%5Cn', '%0A', rawurlencode(str_replace('{{EnAnO:Newline}}', '\\n', stripslashes(str_replace('\\n', '{{EnAnO:Newline}}', $t))))).'\'); id = ' . $id . '; s = unescape(\''.rawurlencode($s).'\'); t = unescape(\''.str_replace('%5Cn', '
', rawurlencode(RenderMan::render(str_replace('{{EnAnO:Newline}}', "\n", stripslashes(str_replace('\\n', '{{EnAnO:Newline}}', $t)))))).'\');'; } @@ -1162,7 +1202,7 @@ { return 'result="BAD"; error=unescape("'.rawurlencode('Enano encountered a problem whilst saving the comment. Performed SQL: - '.$sql.' + ' . $sql . ' Error returned by MySQL: '.mysql_error()).'");'; } @@ -1188,7 +1228,7 @@ if(!$session->get_permissions('mod_comments')) // allow mods to edit comments { if(!$session->user_logged_in) _die('AJAX comment save safety check failed because you are not logged in. Sometimes this can happen because you are using a browser that does not send cookies as part of AJAX requests.

Please log in and try again.'); - $q = 'SELECT c.name FROM '.table_prefix.'comments c, '.table_prefix.'users u WHERE comment_id='.$id.' AND page_id=\''.$page_id.'\' AND namespace=\''.$namespace.'\' AND u.user_id=c.user_id;'; + $q = 'SELECT c.name FROM ' . table_prefix.'comments c, ' . table_prefix.'users u WHERE comment_id=' . $id . ' AND page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND u.user_id=c.user_id;'; $s = $db->sql_query($q); if(!$s) _die('SQL error during safety check: '.mysql_error().'

Attempted SQL:

'.htmlspecialchars($q).'

'); $r = $db->fetchrow($s); @@ -1197,13 +1237,13 @@ } $s = RenderMan::preprocess_text($subject); $t = RenderMan::preprocess_text($text); - $sql = 'UPDATE '.table_prefix.'comments SET subject=\''.$s.'\',comment_data=\''.$t.'\' WHERE comment_id='.$id.' AND page_id=\''.$page_id.'\' AND namespace=\''.$namespace.'\''; + $sql = 'UPDATE ' . table_prefix.'comments SET subject=\'' . $s . '\',comment_data=\'' . $t . '\' WHERE comment_id=' . $id . ' AND page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\''; $result = $db->sql_query($sql); if($result) return 'good'; else return 'Enano encountered a problem whilst saving the comment. Performed SQL: - '.$sql.' + ' . $sql . ' Error returned by MySQL: '.mysql_error(); } @@ -1235,16 +1275,16 @@ if(!$session->get_permissions('mod_comments')) // allows mods to delete comments { if(!$session->user_logged_in) _die('AJAX comment save safety check failed because you are not logged in. Sometimes this can happen because you are using a browser that does not send cookies as part of AJAX requests.

Please log in and try again.'); - $q = 'SELECT c.name FROM '.table_prefix.'comments c, '.table_prefix.'users u WHERE comment_data=\''.$t.'\' AND subject=\''.$s.'\' AND page_id=\''.$page_id.'\' AND namespace=\''.$namespace.'\' AND u.user_id=c.user_id;'; + $q = 'SELECT c.name FROM ' . table_prefix.'comments c, ' . table_prefix.'users u WHERE comment_data=\'' . $t . '\' AND subject=\'' . $s . '\' AND page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND u.user_id=c.user_id;'; $s = $db->sql_query($q); if(!$s) _die('SQL error during safety check: '.mysql_error().'

Attempted SQL:

'.htmlspecialchars($q).'

'.htmlspecialchars($q).'

'); $r = $db->fetchrow($s); if($db->numrows() < 1 || $r['name'] != $session->username) _die('Safety check failed, probably due to a hacking attempt.'); $db->free_result(); } - $q = 'DELETE FROM '.table_prefix.'comments WHERE page_id=\''.$page_id.'\' AND namespace=\''.$namespace.'\' AND comment_id='.$id.' LIMIT 1;'; + $q = 'DELETE FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND comment_id=' . $id . ' LIMIT 1;'; $e=$db->sql_query($q); - if(!$e) return('alert(unesape(\''.rawurlencode('Error during query: '.mysql_error().'\n\nQuery:\n'.$q).'\'));'); + if(!$e) return('alert(unesape(\''.rawurlencode('Error during query: '.mysql_error().'\n\nQuery:\n' . $q) . '\'));'); return('good'); } @@ -1305,19 +1345,19 @@ } if( ( $session->get_permissions('rename') && ( ( $prot && $session->get_permissions('even_when_protected') ) || !$prot ) ) && ( $paths->namespace != 'Special' && $paths->namespace != 'Admin' )) { - $e = $db->sql_query('INSERT INTO '.table_prefix.'logs(time_id,date_string,log_type,action,page_id,namespace,author,edit_summary) VALUES('.time().', \''.date('d M Y h:i a').'\', \'page\', \'rename\', \''.$db->escape($paths->cpage['urlname_nons']).'\', \''.$paths->namespace.'\', \''.$db->escape($session->username).'\', \''.$db->escape($paths->cpage['name']).'\')'); + $e = $db->sql_query('INSERT INTO ' . table_prefix.'logs(time_id,date_string,log_type,action,page_id,namespace,author,edit_summary) VALUES('.time().', \''.date('d M Y h:i a').'\', \'page\', \'rename\', \'' . $db->escape($paths->cpage['urlname_nons']) . '\', \'' . $paths->namespace . '\', \'' . $db->escape($session->username) . '\', \'' . $db->escape($paths->cpage['name']) . '\')'); if ( !$e ) { $db->_die('The page title could not be updated.'); } - $e = $db->sql_query('UPDATE '.table_prefix.'pages SET name=\''.$db->escape($name).'\' WHERE urlname=\''.$db->escape($page_id).'\' AND namespace=\''.$db->escape($namespace).'\';'); + $e = $db->sql_query('UPDATE ' . table_prefix.'pages SET name=\'' . $db->escape($name) . '\' WHERE urlname=\'' . $db->escape($page_id) . '\' AND namespace=\'' . $db->escape($namespace) . '\';'); if ( !$e ) { $db->_die('The page title could not be updated.'); } else { - return('The page "'.$paths->pages[$pname]['name'].'" has been renamed to "'.$name.'". You are encouraged to leave a comment explaining your action.' . "\n\n" . 'You will see the change take effect the next time you reload this page.'); + return('The page "' . $paths->pages[$pname]['name'] . '" has been renamed to "' . $name . '". You are encouraged to leave a comment explaining your action.' . "\n\n" . 'You will see the change take effect the next time you reload this page.'); } } else @@ -1337,18 +1377,18 @@ { global $db, $session, $paths, $template, $plugins; // Common objects if(!$session->get_permissions('clear_logs')) die('Administrative privileges are required to flush logs, you loser.'); - $e = $db->sql_query('DELETE FROM '.table_prefix.'logs WHERE page_id=\''.$db->escape($page_id).'\' AND namespace=\''.$db->escape($namespace).'\';'); + $e = $db->sql_query('DELETE FROM ' . table_prefix.'logs WHERE page_id=\'' . $db->escape($page_id) . '\' AND namespace=\'' . $db->escape($namespace) . '\';'); if(!$e) $db->_die('The log entries could not be deleted.'); // If the page exists, make a backup of it in case it gets spammed/vandalized // If not, the admin's probably deleting a trash page if ( isset($paths->pages[ $paths->nslist[$namespace] . $page_id ]) ) { - $e = $db->sql_query('SELECT page_text,char_tag FROM '.table_prefix.'page_text WHERE page_id=\''.$page_id.'\' AND namespace=\''.$namespace.'\';'); + $e = $db->sql_query('SELECT page_text,char_tag FROM ' . table_prefix.'page_text WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\';'); if(!$e) $db->_die('The current page text could not be selected; as a result, creating the backup of the page failed. Please make a backup copy of the page by clicking Edit this page and then clicking Save Changes.'); $row = $db->fetchrow(); $db->free_result(); - $q='INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,page_id,namespace,page_text,char_tag,author,edit_summary,minor_edit) VALUES(\'page\', \'edit\', '.time().', \''.date('d M Y h:i a').'\', \''.$page_id.'\', \''.$namespace.'\', \''.$db->escape($row['page_text']).'\', \''.$row['char_tag'].'\', \''.$session->username.'\', \''."Automatic backup created when logs were purged".'\', '.'false'.');'; + $q='INSERT INTO ' . table_prefix.'logs(log_type,action,time_id,date_string,page_id,namespace,page_text,char_tag,author,edit_summary,minor_edit) VALUES(\'page\', \'edit\', '.time().', \''.date('d M Y h:i a').'\', \'' . $page_id . '\', \'' . $namespace . '\', \'' . $db->escape($row['page_text']) . '\', \'' . $row['char_tag'] . '\', \'' . $session->username . '\', \''."Automatic backup created when logs were purged".'\', '.'false'.');'; if(!$db->sql_query($q)) $db->_die('The history (log) entry could not be inserted into the logs table.'); } return('The logs for this page have been cleared. A backup of this page has been added to the logs table so that this page can be restored in case of vandalism or spam later.'); @@ -1372,17 +1412,17 @@ return 'Invalid reason for deletion passed'; } if(!$perms->get_permissions('delete_page')) return('Administrative privileges are required to delete pages, you loser.'); - $e = $db->sql_query('INSERT INTO '.table_prefix.'logs(time_id,date_string,log_type,action,page_id,namespace,author,edit_summary) VALUES('.time().', \''.date('d M Y h:i a').'\', \'page\', \'delete\', \''.$page_id.'\', \''.$namespace.'\', \''.$session->username.'\', \'' . $db->escape(htmlspecialchars($reason)) . '\')'); + $e = $db->sql_query('INSERT INTO ' . table_prefix.'logs(time_id,date_string,log_type,action,page_id,namespace,author,edit_summary) VALUES('.time().', \''.date('d M Y h:i a').'\', \'page\', \'delete\', \'' . $page_id . '\', \'' . $namespace . '\', \'' . $session->username . '\', \'' . $db->escape(htmlspecialchars($reason)) . '\')'); if(!$e) $db->_die('The page log entry could not be inserted.'); - $e = $db->sql_query('DELETE FROM '.table_prefix.'categories WHERE page_id=\''.$page_id.'\' AND namespace=\''.$namespace.'\''); + $e = $db->sql_query('DELETE FROM ' . table_prefix.'categories WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\''); if(!$e) $db->_die('The page categorization entries could not be deleted.'); - $e = $db->sql_query('DELETE FROM '.table_prefix.'comments WHERE page_id=\''.$page_id.'\' AND namespace=\''.$namespace.'\''); + $e = $db->sql_query('DELETE FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\''); if(!$e) $db->_die('The page comments could not be deleted.'); - $e = $db->sql_query('DELETE FROM '.table_prefix.'page_text WHERE page_id=\''.$page_id.'\' AND namespace=\''.$namespace.'\''); + $e = $db->sql_query('DELETE FROM ' . table_prefix.'page_text WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\''); if(!$e) $db->_die('The page text entry could not be deleted.'); - $e = $db->sql_query('DELETE FROM '.table_prefix.'pages WHERE urlname=\''.$page_id.'\' AND namespace=\''.$namespace.'\''); + $e = $db->sql_query('DELETE FROM ' . table_prefix.'pages WHERE urlname=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\''); if(!$e) $db->_die('The page entry could not be deleted.'); - $e = $db->sql_query('DELETE FROM '.table_prefix.'files WHERE page_id=\''.$page_id.'\''); + $e = $db->sql_query('DELETE FROM ' . table_prefix.'files WHERE page_id=\'' . $page_id . '\''); if(!$e) $db->_die('The file entry could not be deleted.'); return('This page has been deleted. Note that there is still a log of edits and actions in the database, and anyone with admin rights can raise this page from the dead unless the log is cleared. If the deleted file is an image, there may still be cached thumbnails of it in the cache/ directory, which is inaccessible to users.'); } @@ -1447,7 +1487,7 @@ $cv++; - $q = 'UPDATE '.table_prefix.'pages SET delvotes='.$cv.',delvote_ips=\''.$ips.'\' WHERE urlname=\''.$page_id.'\' AND namespace=\''.$namespace.'\''; + $q = 'UPDATE ' . table_prefix.'pages SET delvotes=' . $cv . ',delvote_ips=\'' . $ips . '\' WHERE urlname=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\''; $w = $db->sql_query($q); return 'Your vote to have this page deleted has been cast.'."\nYou are encouraged to leave a comment explaining the reason for your vote."; @@ -1464,7 +1504,7 @@ { global $db, $session, $paths, $template, $plugins; // Common objects if(!$session->get_permissions('vote_reset')) die('You need moderator rights in order to do this, stinkin\' hacker.'); - $q = 'UPDATE '.table_prefix.'pages SET delvotes=0,delvote_ips=\'' . $db->escape(serialize(array('ip'=>array(),'u'=>array()))) . '\' WHERE urlname=\''.$page_id.'\' AND namespace=\''.$namespace.'\''; + $q = 'UPDATE ' . table_prefix.'pages SET delvotes=0,delvote_ips=\'' . $db->escape(serialize(array('ip'=>array(),'u'=>array()))) . '\' WHERE urlname=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\''; $e = $db->sql_query($q); if(!$e) $db->_die('The number of delete votes was not reset.'); else return('The number of votes for having this page deleted has been reset to zero.'); @@ -1480,14 +1520,17 @@ { $json = new Services_JSON(SERVICES_JSON_LOOSE_TYPE); - $dir = './themes/'.$_GET['id'].'/css/'; + if ( !preg_match('/^([a-z0-9_-]+)$/', $_GET['id']) ) + return $json->encode(false); + + $dir = './themes/' . $_GET['id'] . '/css/'; $list = Array(); // Open a known directory, and proceed to read its contents if (is_dir($dir)) { if ($dh = opendir($dir)) { while (($file = readdir($dh)) !== false) { - if(preg_match('#^(.*?)\.css$#is', $file) && $file != '_printable.css') { // _printable.css should be included with every theme - // it should be a copy of the original style, but + if ( preg_match('#^(.*?)\.css$#is', $file) && $file != '_printable.css' ) // _printable.css should be included with every theme + { // it should be a copy of the original style, but // mostly black and white // Note to self: document this $list[] = substr($file, 0, strlen($file)-4); @@ -1527,7 +1570,7 @@ global $db, $session, $paths, $template, $plugins; // Common objects ob_start(); $_ob = ''; - $e = $db->sql_query('SELECT category_id FROM '.table_prefix.'categories WHERE page_id=\''.$paths->cpage['urlname_nons'].'\' AND namespace=\''.$paths->namespace.'\''); + $e = $db->sql_query('SELECT category_id FROM ' . table_prefix.'categories WHERE page_id=\'' . $paths->cpage['urlname_nons'] . '\' AND namespace=\'' . $paths->namespace . '\''); if(!$e) jsdie('Error selecting category information for current page: '.mysql_error()); $cat_current = Array(); while($r = $db->fetchrow()) @@ -1579,10 +1622,10 @@ $is_prot = true; $prot = ( $is_prot ) ? ' disabled="disabled" ' : ''; $prottext = ( $is_prot ) ? '

' : ''; - echo 'catlist['.$i.'] = \''.$cat_info[$i]['urlname_nons'].'\';'; - $_ob .= ''.$cat_info[$i]['name'].$prottext.'
'; + $_ob .= '/> ' . $cat_info[$i]['name'].$prottext.'
'; } $disabled = ( sizeof($cat_info) < 1 ) ? 'disabled="disabled"' : ''; @@ -1637,9 +1680,9 @@ if(!$auth) { // Find out if the page is currently in the category - $q = $db->sql_query('SELECT * FROM '.table_prefix.'categories WHERE page_id=\''.$page_id.'\' AND namespace=\''.$namespace.'\';'); + $q = $db->sql_query('SELECT * FROM ' . table_prefix.'categories WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\';'); if(!$q) - return 'MySQL error: '.$db->get_error(); + return 'MySQL error: ' . $db->get_error(); if($db->numrows() > 0) { $auth = true; @@ -1647,13 +1690,13 @@ } $db->free_result(); } - if(isset($which_cats[$cat_all[$i]['urlname_nons']]) && $which_cats[$cat_all[$i]['urlname_nons']] == true /* for clarity ;-) */ && $auth ) $rowlist[] = '(\''.$page_id.'\', \''.$namespace.'\', \''.$cat_all[$i]['urlname_nons'].'\')'; + if(isset($which_cats[$cat_all[$i]['urlname_nons']]) && $which_cats[$cat_all[$i]['urlname_nons']] == true /* for clarity ;-) */ && $auth ) $rowlist[] = '(\'' . $page_id . '\', \'' . $namespace . '\', \'' . $cat_all[$i]['urlname_nons'] . '\')'; } if(sizeof($rowlist) > 0) { $val = implode(',', $rowlist); - $q = 'INSERT INTO '.table_prefix.'categories(page_id,namespace,category_id) VALUES' . $val . ';'; - $e = $db->sql_query('DELETE FROM '.table_prefix.'categories WHERE page_id=\''.$page_id.'\' AND namespace=\''.$namespace.'\';'); + $q = 'INSERT INTO ' . table_prefix.'categories(page_id,namespace,category_id) VALUES' . $val . ';'; + $e = $db->sql_query('DELETE FROM ' . table_prefix.'categories WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\';'); if(!$e) $db->_die('The old category data could not be deleted.'); $e = $db->sql_query($q); if(!$e) $db->_die('The new category data could not be inserted.'); @@ -1661,7 +1704,7 @@ } else { - $e = $db->sql_query('DELETE FROM '.table_prefix.'categories WHERE page_id=\''.$page_id.'\' AND namespace=\''.$namespace.'\';'); + $e = $db->sql_query('DELETE FROM ' . table_prefix.'categories WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\';'); if(!$e) $db->_die('The old category data could not be deleted.'); return('GOOD'); } @@ -1679,9 +1722,15 @@ { global $db, $session, $paths, $template, $plugins; // Common objects if(!$session->get_permissions('set_wiki_mode')) return('Insufficient access rights'); - if(!isset($level) || (isset($level) && !preg_match('#^([0-2]){1}$#', (string)$level))) return('Invalid mode string'); - $q = $db->sql_query('UPDATE '.table_prefix.'pages SET wiki_mode='.$level.' WHERE urlname=\''.$page_id.'\' AND namespace=\''.$namespace.'\';'); - if(!$q) return('Error during update query: '.mysql_error()."\n\nSQL Backtrace:\n".$db->sql_backtrace()); + if ( !isset($level) || ( isset($level) && !preg_match('#^([0-2]){1}$#', (string)$level) ) ) + { + return('Invalid mode string'); + } + $q = $db->sql_query('UPDATE ' . table_prefix.'pages SET wiki_mode=' . $level . ' WHERE urlname=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\';'); + if ( !$q ) + { + return('Error during update query: '.mysql_error()."\n\nSQL Backtrace:\n".$db->sql_backtrace()); + } return('GOOD'); } @@ -1705,11 +1754,23 @@ return 'Access is denied'; if(!isset($pass)) return('Password was not set on URL'); $p = $pass; - if(!preg_match('#([0-9a-f]){40,40}#', $p)) $p = sha1($p); - if($p=='da39a3ee5e6b4b0d3255bfef95601890afd80709') $p = ''; - $e = $db->sql_query('UPDATE '.table_prefix.'pages SET password=\''.$p.'\' WHERE urlname=\''.$page_id.'\' AND namespace=\''.$namespace.'\';'); - if(!$e) die('PageUtils::setpass(): Error during update query: '.mysql_error()."\n\nSQL Backtrace:\n".$db->sql_backtrace()); - if($p=='') return('The password for this page has been disabled.'); + if ( !preg_match('#([0-9a-f]){40,40}#', $p) ) + { + $p = sha1($p); + } + if ( $p == 'da39a3ee5e6b4b0d3255bfef95601890afd80709' ) + // sha1('') = da39a3ee5e6b4b0d3255bfef95601890afd80709 + $p = ''; + $e = $db->sql_query('UPDATE ' . table_prefix.'pages SET password=\'' . $p . '\' WHERE urlname=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\';'); + if ( !$e ) + { + die('PageUtils::setpass(): Error during update query: '.mysql_error()."\n\nSQL Backtrace:\n".$db->sql_backtrace()); + } + // Is the new password blank? + if ( $p == '' ) + { + return('The password for this page has been disabled.'); + } else return('The password for this page has been set.'); } @@ -1741,7 +1802,7 @@ function scrollBox($text, $height = 250) { - return '

'.$text.'

'; + return '

' . $text . '

'; } /** @@ -1762,8 +1823,8 @@ !preg_match('#^([0-9]+)$#', (string)$id2 )) return 'SQL injection attempt'; // OK we made it through security // Safest way to make sure we don't end up with the revisions in wrong columns is to make 2 queries - if(!$q1 = $db->sql_query('SELECT page_text,char_tag,author,edit_summary FROM '.table_prefix.'logs WHERE time_id='.$id1.' AND log_type=\'page\' AND action=\'edit\' AND page_id=\''.$page_id.'\' AND namespace=\''.$namespace.'\';')) return 'MySQL error: '.mysql_error(); - if(!$q2 = $db->sql_query('SELECT page_text,char_tag,author,edit_summary FROM '.table_prefix.'logs WHERE time_id='.$id2.' AND log_type=\'page\' AND action=\'edit\' AND page_id=\''.$page_id.'\' AND namespace=\''.$namespace.'\';')) return 'MySQL error: '.mysql_error(); + if(!$q1 = $db->sql_query('SELECT page_text,char_tag,author,edit_summary FROM ' . table_prefix.'logs WHERE time_id=' . $id1 . ' AND log_type=\'page\' AND action=\'edit\' AND page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\';')) return 'MySQL error: '.mysql_error(); + if(!$q2 = $db->sql_query('SELECT page_text,char_tag,author,edit_summary FROM ' . table_prefix.'logs WHERE time_id=' . $id2 . ' AND log_type=\'page\' AND action=\'edit\' AND page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\';')) return 'MySQL error: '.mysql_error(); $row1 = $db->fetchrow($q1); $db->free_result($q1); $row2 = $db->fetchrow($q2); @@ -1805,8 +1866,8 @@ $parms['namespace'] = ( isset($parms['namespace']) ) ? $parms['namespace'] : false; $page_id =& $parms['page_id']; $namespace =& $parms['namespace']; - $page_where_clause = ( empty($page_id) || empty($namespace) ) ? 'AND a.page_id IS NULL AND a.namespace IS NULL' : 'AND a.page_id=\''.$db->escape($page_id).'\' AND a.namespace=\''.$db->escape($namespace).'\''; - $page_where_clause_lite = ( empty($page_id) || empty($namespace) ) ? 'AND page_id IS NULL AND namespace IS NULL' : 'AND page_id=\''.$db->escape($page_id).'\' AND namespace=\''.$db->escape($namespace).'\''; + $page_where_clause = ( empty($page_id) || empty($namespace) ) ? 'AND a.page_id IS NULL AND a.namespace IS NULL' : 'AND a.page_id=\'' . $db->escape($page_id) . '\' AND a.namespace=\'' . $db->escape($namespace) . '\''; + $page_where_clause_lite = ( empty($page_id) || empty($namespace) ) ? 'AND page_id IS NULL AND namespace IS NULL' : 'AND page_id=\'' . $db->escape($page_id) . '\' AND namespace=\'' . $db->escape($namespace) . '\''; //die(print_r($page_id,true)); $template->load_theme(); // $perms_obj = $session->fetch_page_acl($page_id, $namespace); @@ -1828,7 +1889,7 @@ { case 'listgroups': $return['groups'] = Array(); - $q = $db->sql_query('SELECT group_id,group_name FROM '.table_prefix.'groups ORDER BY group_name ASC;'); + $q = $db->sql_query('SELECT group_id,group_name FROM ' . table_prefix.'groups ORDER BY group_name ASC;'); while($row = $db->fetchrow()) { $return['groups'][] = Array( @@ -1838,7 +1899,7 @@ } $db->free_result(); $return['page_groups'] = Array(); - $q = $db->sql_query('SELECT pg_id,pg_name FROM '.table_prefix.'page_groups ORDER BY pg_name ASC;'); + $q = $db->sql_query('SELECT pg_id,pg_name FROM ' . table_prefix.'page_groups ORDER BY pg_name ASC;'); if ( !$q ) return Array( 'mode' => 'error', @@ -1862,18 +1923,18 @@ switch($parms['target_type']) { case ACL_TYPE_USER: - $q = $db->sql_query('SELECT a.rules,u.user_id FROM '.table_prefix.'users AS u - LEFT JOIN '.table_prefix.'acl AS a + $q = $db->sql_query('SELECT a.rules,u.user_id FROM ' . table_prefix.'users AS u + LEFT JOIN ' . table_prefix.'acl AS a ON a.target_id=u.user_id WHERE a.target_type='.ACL_TYPE_USER.' - AND u.username=\''.$db->escape($parms['target_id']).'\' - '.$page_where_clause.';'); + AND u.username=\'' . $db->escape($parms['target_id']) . '\' + ' . $page_where_clause . ';'); if(!$q) return(Array('mode'=>'error','error'=>mysql_error())); if($db->numrows() < 1) { $return['type'] = 'new'; - $q = $db->sql_query('SELECT user_id FROM '.table_prefix.'users WHERE username=\''.$db->escape($parms['target_id']).'\';'); + $q = $db->sql_query('SELECT user_id FROM ' . table_prefix.'users WHERE username=\'' . $db->escape($parms['target_id']) . '\';'); if(!$q) return(Array('mode'=>'error','error'=>mysql_error())); if($db->numrows() < 1) @@ -1909,18 +1970,18 @@ } break; case ACL_TYPE_GROUP: - $q = $db->sql_query('SELECT a.rules,g.group_name,g.group_id FROM '.table_prefix.'groups AS g - LEFT JOIN '.table_prefix.'acl AS a + $q = $db->sql_query('SELECT a.rules,g.group_name,g.group_id FROM ' . table_prefix.'groups AS g + LEFT JOIN ' . table_prefix.'acl AS a ON a.target_id=g.group_id WHERE a.target_type='.ACL_TYPE_GROUP.' AND g.group_id=\''.intval($parms['target_id']).'\' - '.$page_where_clause.';'); + ' . $page_where_clause . ';'); if(!$q) return(Array('mode'=>'error','error'=>mysql_error())); if($db->numrows() < 1) { $return['type'] = 'new'; - $q = $db->sql_query('SELECT group_id,group_name FROM '.table_prefix.'groups WHERE group_id=\''.intval($parms['target_id']).'\';'); + $q = $db->sql_query('SELECT group_id,group_name FROM ' . table_prefix.'groups WHERE group_id=\''.intval($parms['target_id']).'\';'); if(!$q) return(Array('mode'=>'error','error'=>mysql_error())); if($db->numrows() < 1) @@ -1968,8 +2029,8 @@ { return Array('mode'=>'error','error'=>'Editing access control lists is disabled in the administration demo.'); } - $q = $db->sql_query('DELETE FROM '.table_prefix.'acl WHERE target_type='.intval($parms['target_type']).' AND target_id='.intval($parms['target_id']).' - '.$page_where_clause_lite.';'); + $q = $db->sql_query('DELETE FROM ' . table_prefix.'acl WHERE target_type='.intval($parms['target_type']).' AND target_id='.intval($parms['target_id']).' + ' . $page_where_clause_lite . ';'); if(!$q) return Array('mode'=>'error','error'=>mysql_error()); $rules = $session->perm_to_string($parms['perms']); @@ -1980,10 +2041,10 @@ 'error' => 'Supplied rule list has a length of zero' ); } - $q = ($page_id && $namespace) ? 'INSERT INTO '.table_prefix.'acl ( target_type, target_id, page_id, namespace, rules ) - VALUES( '.intval($parms['target_type']).', '.intval($parms['target_id']).', \''.$db->escape($page_id).'\', \''.$db->escape($namespace).'\', \''.$db->escape($rules).'\' )' : - 'INSERT INTO '.table_prefix.'acl ( target_type, target_id, rules ) - VALUES( '.intval($parms['target_type']).', '.intval($parms['target_id']).', \''.$db->escape($rules).'\' )'; + $q = ($page_id && $namespace) ? 'INSERT INTO ' . table_prefix.'acl ( target_type, target_id, page_id, namespace, rules ) + VALUES( '.intval($parms['target_type']).', '.intval($parms['target_id']).', \'' . $db->escape($page_id) . '\', \'' . $db->escape($namespace) . '\', \'' . $db->escape($rules) . '\' )' : + 'INSERT INTO ' . table_prefix.'acl ( target_type, target_id, rules ) + VALUES( '.intval($parms['target_type']).', '.intval($parms['target_id']).', \'' . $db->escape($rules) . '\' )'; if(!$db->sql_query($q)) return Array('mode'=>'error','error'=>mysql_error()); return Array( 'mode' => 'success', @@ -1999,8 +2060,8 @@ { return Array('mode'=>'error','error'=>'Editing access control lists is disabled in the administration demo.'); } - $q = $db->sql_query('DELETE FROM '.table_prefix.'acl WHERE target_type='.intval($parms['target_type']).' AND target_id='.intval($parms['target_id']).' - '.$page_where_clause_lite.';'); + $q = $db->sql_query('DELETE FROM ' . table_prefix.'acl WHERE target_type='.intval($parms['target_type']).' AND target_id='.intval($parms['target_id']).' + ' . $page_where_clause_lite . ';'); if(!$q) return Array('mode'=>'error','error'=>mysql_error()); return Array( @@ -2144,7 +2205,7 @@ } $type = ( $response['target_type'] == ACL_TYPE_GROUP ) ? 'group' : 'user'; $scope = ( $response['page_id'] ) ? ( $response['namespace'] == '__PageGroup' ? 'this group of pages' : 'this page' ) : 'this entire site'; - echo 'This panel allows you to edit what the '.$type.' "'.$response['target_name'].'" can do on '.$scope.'. Unless you set a permission to "Deny", these permissions may be overridden by other rules.'; + echo 'This panel allows you to edit what the ' . $type . ' "' . $response['target_name'] . '" can do on ' . $scope . '. Unless you set a permission to "Deny", these permissions may be overridden by other rules.'; echo $formstart; $parser = $template->makeParserText( $response['template']['acl_field_begin'] ); echo $parser->run(); diff -r 996572e55dc9 -r 861807631f70 includes/render.php --- a/includes/render.php Wed Oct 24 09:34:19 2007 -0400 +++ b/includes/render.php Wed Oct 24 12:45:05 2007 -0400 @@ -708,6 +708,7 @@ ':-/' => 'face-plain.png', ':joke:' => 'face-plain.png', ']:->' => 'face-devil-grin.png', + ']:->' => 'face-devil-grin.png', ':kiss:' => 'face-kiss.png', ':-P' => 'face-tongue-out.png', ':P' => 'face-tongue-out.png', diff -r 996572e55dc9 -r 861807631f70 includes/sessions.php --- a/includes/sessions.php Wed Oct 24 09:34:19 2007 -0400 +++ b/includes/sessions.php Wed Oct 24 12:45:05 2007 -0400 @@ -547,55 +547,14 @@ * @param string $aes_key The MD5 hash of the encryption key, hex-encoded * @param string $challenge The 256-bit MD5 challenge string - first 128 bits should be the hash, the last 128 should be the challenge salt * @param int $level The privilege level we're authenticating for, defaults to 0 - * @param array $captcha_hash Optional. If we're locked out and the lockout policy is captcha, this should be the identifier for the code. - * @param array $captcha_code Optional. If we're locked out and the lockout policy is captcha, this should be the code the user entered. * @return string 'success' on success, or error string on failure */ - function login_with_crypto($username, $aes_data, $aes_key, $challenge, $level = USER_LEVEL_MEMBER, $captcha_hash = false, $captcha_code = false) + function login_with_crypto($username, $aes_data, $aes_key, $challenge, $level = USER_LEVEL_MEMBER) { global $db, $session, $paths, $template, $plugins; // Common objects $privcache = $this->private_key; - - if ( !defined('IN_ENANO_INSTALL') ) - { - // Lockout stuff - $threshold = ( $_ = getConfig('lockout_threshold') ) ? intval($_) : 5; - $duration = ( $_ = getConfig('lockout_duration') ) ? intval($_) : 15; - // convert to minutes - $duration = $duration * 60; - $policy = ( $x = getConfig('lockout_policy') && in_array(getConfig('lockout_policy'), array('lockout', 'disable', 'captcha')) ) ? getConfig('lockout_policy') : 'lockout'; - if ( $policy == 'captcha' && $captcha_hash && $captcha_code ) - { - // policy is captcha -- check if it's correct, and if so, bypass lockout check - $real_code = $this->get_captcha($captcha_hash); - } - if ( $policy != 'disable' && !( $policy == 'captcha' && isset($real_code) && $real_code == $captcha_code ) ) - { - $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']); - $timestamp_cutoff = time() - $duration; - $q = $this->sql('SELECT timestamp FROM '.table_prefix.'lockout WHERE timestamp > ' . $timestamp_cutoff . ' AND ipaddr = \'' . $ipaddr . '\' ORDER BY timestamp DESC;'); - $fails = $db->numrows(); - if ( $fails >= $threshold ) - { - // ooh boy, somebody's in trouble ;-) - $row = $db->fetchrow(); - $db->free_result(); - return array( - 'success' => false, - 'error' => 'locked_out', - 'lockout_threshold' => $threshold, - 'lockout_duration' => ( $duration / 60 ), - 'lockout_fails' => $fails, - 'lockout_policy' => $policy, - 'time_rem' => ( $duration / 60 ) - round( ( time() - $row['timestamp'] ) / 60 ), - 'lockout_last_time' => $row['timestamp'] - ); - } - $db->free_result(); - } - } // Instanciate the Rijndael encryption object $aes = new AESCrypt(AES_BITS, AES_BLOCKSIZE); @@ -604,19 +563,13 @@ $aes_key = $this->fetch_public_key($aes_key); if(!$aes_key) - return array( - 'success' => false, - 'error' => 'key_not_found' - ); + return 'Couldn\'t look up public key "'.$aes_key.'" for decryption'; // Convert the key to a binary string $bin_key = hexdecode($aes_key); if(strlen($bin_key) != AES_BITS / 8) - return array( - 'success' => false, - 'error' => 'key_wrong_length' - ); + return 'The decryption key is the wrong length'; // Decrypt our password $password = $aes->decrypt($aes_data, $bin_key, ENC_HEX); @@ -637,29 +590,7 @@ $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES(\'security\', \'admin_auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')'); else $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')'); - - if ( $policy != 'disable' && !defined('IN_ENANO_INSTALL') ) - { - $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']); - // increment fail count - $this->sql('INSERT INTO '.table_prefix.'lockout(ipaddr, timestamp, action) VALUES(\'' . $ipaddr . '\', UNIX_TIMESTAMP(), \'credential\');'); - $fails++; - // ooh boy, somebody's in trouble ;-) - return array( - 'success' => false, - 'error' => ( $fails >= $threshold ) ? 'locked_out' : 'invalid_credentials', - 'lockout_threshold' => $threshold, - 'lockout_duration' => ( $duration / 60 ), - 'lockout_fails' => $fails, - 'time_rem' => ( $duration / 60 ), - 'lockout_policy' => $policy - ); - } - - return array( - 'success' => false, - 'error' => 'invalid_credentials' - ); + return "The username and/or password is incorrect."; } $row = $db->fetchrow(); @@ -710,10 +641,7 @@ if($success) { if($level > $row['user_level']) - return array( - 'success' => false, - 'error' => 'too_big_for_britches' - ); + return 'You are not authorized for this level of access.'; $sess = $this->register_session(intval($row['user_id']), $username, $password, $level); if($sess) @@ -733,15 +661,10 @@ { eval($cmd); } - return array( - 'success' => true - ); + return 'success'; } else - return array( - 'success' => false, - 'error' => 'backend_fail' - ); + return 'Your login credentials were correct, but an internal error occurred while registering the session key in the database.'; } else { @@ -750,28 +673,7 @@ else $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')'); - // Do we also need to increment the lockout countdown? - if ( $policy != 'disable' && !defined('IN_ENANO_INSTALL') ) - { - $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']); - // increment fail count - $this->sql('INSERT INTO '.table_prefix.'lockout(ipaddr, timestamp, action) VALUES(\'' . $ipaddr . '\', UNIX_TIMESTAMP(), \'credential\');'); - $fails++; - return array( - 'success' => false, - 'error' => ( $fails >= $threshold ) ? 'locked_out' : 'invalid_credentials', - 'lockout_threshold' => $threshold, - 'lockout_duration' => ( $duration / 60 ), - 'lockout_fails' => $fails, - 'time_rem' => ( $duration / 60 ), - 'lockout_policy' => $policy - ); - } - - return array( - 'success' => false, - 'error' => 'invalid_credentials' - ); + return 'The username and/or password is incorrect.'; } } @@ -797,45 +699,6 @@ return $this->login_compat($username, $pass_hashed, $level); } - if ( !defined('IN_ENANO_INSTALL') ) - { - // Lockout stuff - $threshold = ( $_ = getConfig('lockout_threshold') ) ? intval($_) : 5; - $duration = ( $_ = getConfig('lockout_duration') ) ? intval($_) : 15; - // convert to minutes - $duration = $duration * 60; - $policy = ( $x = getConfig('lockout_policy') && in_array(getConfig('lockout_policy'), array('lockout', 'disable', 'captcha')) ) ? getConfig('lockout_policy') : 'lockout'; - if ( $policy == 'captcha' && $captcha_hash && $captcha_code ) - { - // policy is captcha -- check if it's correct, and if so, bypass lockout check - $real_code = $this->get_captcha($captcha_hash); - } - if ( $policy != 'disable' && !( $policy == 'captcha' && isset($real_code) && $real_code == $captcha_code ) ) - { - $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']); - $timestamp_cutoff = time() - $duration; - $q = $this->sql('SELECT timestamp FROM '.table_prefix.'lockout WHERE timestamp > ' . $timestamp_cutoff . ' AND ipaddr = \'' . $ipaddr . '\' ORDER BY timestamp DESC;'); - $fails = $db->numrows(); - if ( $fails > $threshold ) - { - // ooh boy, somebody's in trouble ;-) - $row = $db->fetchrow(); - $db->free_result(); - return array( - 'success' => false, - 'error' => 'locked_out', - 'lockout_threshold' => $threshold, - 'lockout_duration' => ( $duration / 60 ), - 'lockout_fails' => $fails, - 'lockout_policy' => $policy, - 'time_rem' => $duration - round( ( time() - $row['timestamp'] ) / 60 ), - 'lockout_last_time' => $row['timestamp'] - ); - } - $db->free_result(); - } - } - // Instanciate the Rijndael encryption object $aes = new AESCrypt(AES_BITS, AES_BLOCKSIZE); @@ -844,35 +707,14 @@ // Retrieve the real password from the database $this->sql('SELECT password,old_encryption,user_id,user_level,temp_password,temp_password_time FROM '.table_prefix.'users WHERE lcase(username)=\''.$this->prepare_text(strtolower($username)).'\';'); - if($db->numrows() < 1) + if ( $db->numrows() < 1 ) { // This wasn't logged in <1.0.2, dunno how it slipped through if($level > USER_LEVEL_MEMBER) $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES(\'security\', \'admin_auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')'); else $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')'); - - // Do we also need to increment the lockout countdown? - if ( $policy != 'disable' && !defined('IN_ENANO_INSTALL') ) - { - $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']); - // increment fail count - $this->sql('INSERT INTO '.table_prefix.'lockout(ipaddr, timestamp, action) VALUES(\'' . $ipaddr . '\', UNIX_TIMESTAMP(), \'credential\');'); - $fails++; - return array( - 'success' => false, - 'error' => ( $fails >= $threshold ) ? 'locked_out' : 'invalid_credentials', - 'lockout_threshold' => $threshold, - 'lockout_duration' => ( $duration / 60 ), - 'lockout_fails' => $fails, - 'lockout_policy' => $policy - ); - } - - return array( - 'success' => false, - 'error' => 'invalid_credentials' - ); + return "The username and/or password is incorrect."; } $row = $db->fetchrow(); @@ -922,10 +764,7 @@ if($success) { if((int)$level > (int)$row['user_level']) - return array( - 'success' => false, - 'error' => 'too_big_for_britches' - ); + return 'You are not authorized for this level of access.'; $sess = $this->register_session(intval($row['user_id']), $username, $real_pass, $level); if($sess) { @@ -940,15 +779,10 @@ eval($cmd); } - return array( - 'success' => true - ); + return 'success'; } else - return array( - 'success' => false, - 'error' => 'backend_fail' - ); + return 'Your login credentials were correct, but an internal error occured while registering the session key in the database.'; } else { @@ -957,27 +791,7 @@ else $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')'); - // Do we also need to increment the lockout countdown? - if ( $policy != 'disable' && !defined('IN_ENANO_INSTALL') ) - { - $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']); - // increment fail count - $this->sql('INSERT INTO '.table_prefix.'lockout(ipaddr, timestamp, action) VALUES(\'' . $ipaddr . '\', UNIX_TIMESTAMP(), \'credential\');'); - $fails++; - return array( - 'success' => false, - 'error' => ( $fails >= $threshold ) ? 'locked_out' : 'invalid_credentials', - 'lockout_threshold' => $threshold, - 'lockout_duration' => ( $duration / 60 ), - 'lockout_fails' => $fails, - 'lockout_policy' => $policy - ); - } - - return array( - 'success' => false, - 'error' => 'invalid_credentials' - ); + return 'The username and/or password is incorrect.'; } } @@ -1049,7 +863,7 @@ { // Stash it in a cookie // For now, make the cookie last forever, we can change this in 1.1.x - setcookie( 'sid', $session_key, time()+315360000, scriptPath.'/' ); + setcookie( 'sid', $session_key, time()+315360000, scriptPath.'/', null, ( isset($_SERVER['HTTPS']) ) ); $_COOKIE['sid'] = $session_key; } // $keyhash is stored in the database, this is for compatibility with the older DB structure diff -r 996572e55dc9 -r 861807631f70 includes/template.php --- a/includes/template.php Wed Oct 24 09:34:19 2007 -0400 +++ b/includes/template.php Wed Oct 24 12:45:05 2007 -0400 @@ -42,7 +42,7 @@ $this->plugin_blocks = Array(); $this->theme_loaded = false; - $this->fading_button = '

+ $this->fading_button = '

'; @@ -958,6 +958,7 @@ function compile_tpl_code($text) { + global $db, $session, $paths, $template, $plugins; // Common objects // A random seed used to salt tags $seed = md5 ( microtime() . mt_rand() ); @@ -986,29 +987,88 @@ // Conditionals // - // If-else-end - $text = preg_replace('/(.*?)(.*?)/is', '\'; if ( $this->tpl_bool[\'\\1\'] ) { echo \'\\2\'; } else { echo \'\\3\'; } echo \'', $text); - - // If-end - $text = preg_replace('/(.*?)/is', '\'; if ( $this->tpl_bool[\'\\1\'] ) { echo \'\\2\'; } echo \'', $text); + $keywords = array('BEGIN', 'BEGINNOT', 'IFSET', 'IFPLUGIN'); + $code = $plugins->setHook('template_compile_logic_keyword'); + foreach ( $code as $cmd ) + { + eval($cmd); + } - // If not-else-end - $text = preg_replace('/(.*?)(.*?)/is', '\'; if ( !$this->tpl_bool[\'\\1\'] ) { echo \'\\2\'; } else { echo \'\\3\'; } echo \'', $text); + $keywords = implode('|', $keywords); - // If not-end - $text = preg_replace('/(.*?)/is', '\'; if ( !$this->tpl_bool[\'\\1\'] ) { echo \'\\2\'; } echo \'', $text); + // Matches + // 1 2 3 4 56 7 8 + $regexp = '/()(.*)(()(.*))?()/isU'; + + /* + The way this works is: match all blocks using the standard form with a different keyword in the block each time, + and replace them with appropriate PHP logic. Plugin-extensible now. :-) - // If set-else-end - $text = preg_replace('/(.*?)(.*?)/is', '\'; if ( isset($this->tpl_strings[\'\\1\']) ) { echo \'\\2\'; } else { echo \'\\3\'; } echo \'', $text); - - // If set-end - $text = preg_replace('/(.*?)/is', '\'; if ( isset($this->tpl_strings[\'\\1\']) ) { echo \'\\2\'; } echo \'', $text); + The while-loop is to bypass what is apparently a PCRE bug. It's hackish but it works. Properly written plugins should only need + to compile templates (using this method) once for each time the template file is changed. + */ + while ( preg_match($regexp, $text) ) + { + preg_match_all($regexp, $text, $matches); + for ( $i = 0; $i < count($matches[0]); $i++ ) + { + $start_tag =& $matches[1][$i]; + $type =& $matches[2][$i]; + $test =& $matches[3][$i]; + $particle_true =& $matches[4][$i]; + $else_tag =& $matches[6][$i]; + $particle_else =& $matches[7][$i]; + $end_tag =& $matches[8][$i]; + + switch($type) + { + case 'BEGIN': + $cond = "isset(\$this->tpl_bool['$test']) && \$this->tpl_bool['$test']"; + break; + case 'BEGINNOT': + $cond = "!isset(\$this->tpl_bool['$test']) || ( isset(\$this->tpl_bool['$test']) && !\$this->tpl_bool['$test'] )"; + break; + case 'IFPLUGIN': + $cond = "getConfig('plugin_$test') == '1'"; + break; + case 'IFSET': + $cond = "isset(\$this->tpl_strings['$test'])"; + break; + default: + $code = $plugins->setHook('template_compile_logic_cond'); + foreach ( $code as $cmd ) + { + eval($cmd); + } + break; + } + + if ( !isset($cond) || ( isset($cond) && !is_string($cond) ) ) + continue; + + $tag_complete = <<(.*?)(.*?)/is', '\'; if ( getConfig(\'plugin_\\1\') == \'1\' ) { echo \'\\2\'; } else { echo \'\\3\'; } echo \'', $text); - - // If plugin loaded-end - $text = preg_replace('/(.*?)/is', '\'; if ( getConfig(\'plugin_\\1\') == \'1\' ) { echo \'\\2\'; } echo \'', $text); + // For debugging ;-) + // die("

<?php\n" . htmlspecialchars($text."\n\n".print_r($matches,true)) . "\n\n?>

"); // // Data substitution/variables @@ -1029,6 +1089,8 @@ $text = str_replace_once($tag, "'; $match echo '", $text); } + // echo('

' . htmlspecialchars($text) . '

'); + return $text; } @@ -1411,7 +1473,7 @@ function username_field($name, $value = false) { $randomid = md5( time() . microtime() . mt_rand() ); - $text = 'user_level >= USER_LEVEL_ADMIN ) ? 'title="You may disable this button in the admin panel under General Configuration."' : ''; if(getConfig('sflogo_enabled')=='1') { - $ob[] = '

'; + $sflogo_secure = ( isset($_SERVER['HTTPS']) ) ? 'https' : 'http'; + $ob[] = '

'; } if(getConfig('w3c_v32') =='1') $ob[] = '

'; if(getConfig('w3c_v40') =='1') $ob[] = '

'; diff -r 996572e55dc9 -r 861807631f70 install.php --- a/install.php Wed Oct 24 09:34:19 2007 -0400 +++ b/install.php Wed Oct 24 12:45:05 2007 -0400 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.1 + * Version 1.0.2 (Coblynau) * Copyright (C) 2006-2007 Dan Fuhry * install.php - handles everything related to installation and initial configuration * @@ -14,7 +14,8 @@ */ @include('config.php'); -if( ( defined('ENANO_INSTALLED') || defined('MIDGET_INSTALLED') ) && ((isset($_GET['mode']) && ($_GET['mode']!='finish' && $_GET['mode']!='css')) || !isset($_GET['mode']))) { +if( ( defined('ENANO_INSTALLED') || defined('MIDGET_INSTALLED') ) && ((isset($_GET['mode']) && ($_GET['mode']!='finish' && $_GET['mode']!='css')) || !isset($_GET['mode']))) +{ $_GET['title'] = 'Enano:Installation_locked'; require('includes/common.php'); die_friendly('Installation locked', '

The Enano installer has found a Enano installation in this directory. You MUST delete config.php if you want to re-install Enano.

If you wish to upgrade an older Enano installation to this version, please use the upgrade script.

'); @@ -23,7 +24,7 @@ define('IN_ENANO_INSTALL', 'true'); -define('ENANO_VERSION', '1.1.1'); +define('ENANO_VERSION', '1.0.2'); // In beta versions, define ENANO_BETA_VERSION here if(!defined('scriptPath')) { @@ -260,7 +261,7 @@ } $template = new template_nodb(); -$template->load_theme('stpatty', 'shamrock', false); +$template->load_theme('oxygen', 'bleu', false); $modestrings = Array( 'welcome' => 'Welcome', @@ -313,9 +314,10 @@ case 'welcome': ?>

Welcome to Enano

version 1.1.1 – unstable

version 1.0.2 – stable
+ also affectionately known as "coblynau" `:)`

Your changes to the site configuration have been saved.

'; } @@ -361,43 +351,6 @@ - - -

- - - - - - - - - - - - - - - - - - - - @@ -2732,7 +2685,7 @@ } else { - echo ''; + echo '

Please wait while the administration panel loads. You need to be using a recent browser with AJAX support in order to use Runt.

'; } ?> @@ -3026,7 +2979,7 @@ echo '

$_GET[\'side\'] contained an SQL injection attempt

'; break; } - $query = $db->sql_query('UPDATE '.table_prefix.'sidebar SET sidebar_id=' . $db->escape($_GET['side']) . ' WHERE item_id=' . $db->escape($_GET['id']) . ';'); + $query = $db->sql_query('UPDATE '.table_prefix.'sidebar SET sidebar_id=' . $db->escape($_GET['side']) . ' WHERE item_id=' . intval($_GET['id']) . ';'); if(!$query) { echo $db->get_error(); @@ -3036,7 +2989,7 @@ echo '

Item moved.

'; break; case 'delete': - $query = $db->sql_query('DELETE FROM '.table_prefix.'sidebar WHERE item_id=' . $db->escape($_GET['id']) . ';'); // Already checked for injection attempts ;-) + $query = $db->sql_query('DELETE FROM '.table_prefix.'sidebar WHERE item_id=' . intval($_GET['id']) . ';'); // Already checked for injection attempts ;-) if(!$query) { echo $db->get_error(); @@ -3051,7 +3004,7 @@ echo '

Item deleted.

'; break; case 'disenable'; - $q = $db->sql_query('SELECT item_enabled FROM '.table_prefix.'sidebar WHERE item_id=' . $db->escape($_GET['id']) . ';'); + $q = $db->sql_query('SELECT item_enabled FROM '.table_prefix.'sidebar WHERE item_id=' . intval($_GET['id']) . ';'); if(!$q) { echo $db->get_error(); @@ -3061,7 +3014,22 @@ $r = $db->fetchrow(); $db->free_result(); $e = ( $r['item_enabled'] == 1 ) ? '0' : '1'; - $q = $db->sql_query('UPDATE '.table_prefix.'sidebar SET item_enabled='.$e.' WHERE item_id=' . $db->escape($_GET['id']) . ';'); + $q = $db->sql_query('UPDATE '.table_prefix.'sidebar SET item_enabled='.$e.' WHERE item_id=' . intval($_GET['id']) . ';'); + if(!$q) + { + echo $db->get_error(); + $template->footer(); + exit; + } + if(isset($_GET['ajax'])) + { + ob_end_clean(); + die('GOOD'); + } + break; + case 'rename'; + $newname = $db->escape($_POST['newname']); + $q = $db->sql_query('UPDATE '.table_prefix.'sidebar SET block_name=\''.$newname.'\' WHERE item_id=' . intval($_GET['id']) . ';'); if(!$q) { echo $db->get_error(); @@ -3075,7 +3043,7 @@ } break; case 'getsource': - $q = $db->sql_query('SELECT block_content,block_type FROM '.table_prefix.'sidebar WHERE item_id=' . $db->escape($_GET['id']) . ';'); + $q = $db->sql_query('SELECT block_content,block_type FROM '.table_prefix.'sidebar WHERE item_id=' . intval($_GET['id']) . ';'); if(!$q) { echo $db->get_error(); @@ -3091,7 +3059,7 @@ case 'save': if ( defined('ENANO_DEMO_MODE') ) { - $q = $db->sql_query('SELECT block_type FROM '.table_prefix.'sidebar WHERE item_id=' . $db->escape($_GET['id']) . ';'); + $q = $db->sql_query('SELECT block_type FROM '.table_prefix.'sidebar WHERE item_id=' . intval($_GET['id']) . ';'); if(!$q) { echo 'var status=unescape(\''.hexencode($db->get_error()).'\');'; @@ -3107,13 +3075,13 @@ $_POST['content'] = sanitize_html($_POST['content'], true); } } - $q = $db->sql_query('UPDATE '.table_prefix.'sidebar SET block_content=\''.$db->escape(rawurldecode($_POST['content'])).'\' WHERE item_id=' . $db->escape($_GET['id']) . ';'); + $q = $db->sql_query('UPDATE '.table_prefix.'sidebar SET block_content=\''.$db->escape(rawurldecode($_POST['content'])).'\' WHERE item_id=' . intval($_GET['id']) . ';'); if(!$q) { echo 'var status=unescape(\''.hexencode($db->get_error()).'\');'; exit; } - $q = $db->sql_query('SELECT block_type,block_content FROM '.table_prefix.'sidebar WHERE item_id=' . $db->escape($_GET['id']) . ';'); + $q = $db->sql_query('SELECT block_type,block_content FROM '.table_prefix.'sidebar WHERE item_id=' . intval($_GET['id']) . ';'); if(!$q) { echo 'var status=unescape(\''.hexencode($db->get_error()).'\');'; @@ -3205,6 +3173,8 @@ $parser = $template->makeParserText($vars['sidebar_section']); $c = $template->tplWikiFormat($row['block_content'], false, 'sidebar-editor.tpl'); $c = preg_replace('#(.*?)#is', '\\2', $c); + // fix for the "Administration" link that somehow didn't get rendered properly + $c = preg_replace("/(^|\n)([ ]*)(.+)<\/a>()([\r\n]+|$)/isU", '\\1\\2

\\4

\\7', $c); break; case BLOCK_HTML: $parser = $template->makeParserText($vars['sidebar_section_raw']); @@ -3224,7 +3194,10 @@ $c = ($template->fetch_block($row['block_content'])) ? $template->fetch_block($row['block_content']) : 'Can\'t find plugin block'; break; } - $t = $template->tplWikiFormat($row['block_name']); + $block_name = $template->tplWikiFormat($row['block_name']); + if ( empty($block_name) ) + $block_name = '<Unnamed>'; + $t = '' . $block_name . ''; if($row['item_enabled'] == 0) $t .= ' (disabled)'; else $t .= ' '; $side = ( $row['sidebar_id'] == SIDEBAR_LEFT ) ? SIDEBAR_RIGHT : SIDEBAR_LEFT; diff -r 996572e55dc9 -r 861807631f70 plugins/SpecialCSS.php --- a/plugins/SpecialCSS.php Wed Oct 24 09:34:19 2007 -0400 +++ b/plugins/SpecialCSS.php Wed Oct 24 12:45:05 2007 -0400 @@ -4,13 +4,13 @@ Plugin URI: http://enanocms.org/ Description: Provides the page Special:CSS, which is used in template files to reference the style sheet. Disabling or deleting this plugin will result in site instability. Author: Dan Fuhry -Version: 1.0.1 +Version: 1.0.2 Author URI: http://enanocms.org/ */ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.0 release candidate 2 + * Version 1.0.2 * Copyright (C) 2006-2007 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License diff -r 996572e55dc9 -r 861807631f70 plugins/SpecialGroups.php --- a/plugins/SpecialGroups.php Wed Oct 24 09:34:19 2007 -0400 +++ b/plugins/SpecialGroups.php Wed Oct 24 12:45:05 2007 -0400 @@ -4,13 +4,13 @@ Plugin URI: http://enanocms.org/ Description: Provides group moderators and site administrators with the ability to control who is part of their groups. Author: Dan Fuhry -Version: 1.0.1 +Version: 1.0.2 Author URI: http://enanocms.org/ */ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.0 release candidate 2 + * Version 1.0.2 * Copyright (C) 2007 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License @@ -50,10 +50,10 @@ { die_friendly('Error', '

Hacking attempt

'); } - $q = $db->sql_query('SELECT group_name,group_type FROM '.table_prefix.'groups WHERE group_id=' . $gid . ';'); + $q = $db->sql_query('SELECT group_name,group_type,system_group FROM '.table_prefix.'groups WHERE group_id=' . $gid . ';'); if ( !$q ) { - $db->_die(); + $db->_die('SpecialGroups.php, line ' . __LINE__); } $row = $db->fetchrow(); $db->free_result(); @@ -70,7 +70,7 @@ ORDER BY m.is_mod DESC,u.username ASC;'); if ( !$q ) { - $db->_die(); + $db->_die('SpecialGroups.php, line ' . __LINE__); } $is_member = false; @@ -127,11 +127,29 @@ { die_friendly('ERROR', '

Hacking attempt

'); } - $q = $db->sql_query('UPDATE '.table_prefix.'groups SET group_type=' . intval($_POST['group_state']) . ' WHERE group_id=' . intval( $_POST['group_id']) . ';'); - if (!$q) - $db->_die(); - $row['group_type'] = $_POST['group_state']; - echo '

The group state was updated.

'; + $q = $db->sql_query('SELECT group_type, system_group FROM '.table_prefix.'groups WHERE group_id=' . intval( $_POST['group_id']) . ';'); + if ( !$q ) + $db->_die('SpecialGroups.php, line ' . __LINE__); + $error = false; + if ( $db->numrows() < 1 ) + { + echo '

The group you selected does not exist.

'; + $error = true; + } + $r = $db->fetchrow(); + if ( $r['system_group'] == 1 && ( intval($_POST['group_state']) == GROUP_OPEN || intval($_POST['group_state']) == GROUP_REQUEST ) ) + { + echo '

Because this is a system group, you can\'t make it open or allow membership requests.

'; + $error = true; + } + if ( !$error ) + { + $q = $db->sql_query('UPDATE '.table_prefix.'groups SET group_type=' . intval($_POST['group_state']) . ' WHERE group_id=' . intval( $_POST['group_id']) . ';'); + if (!$q) + $db->_die('SpecialGroups.php, line ' . __LINE__); + $row['group_type'] = $_POST['group_state']; + echo '

The group state was updated.

'; + } break; case 'adduser': $username = $_POST['add_username']; @@ -139,7 +157,7 @@ $q = $db->sql_query('SELECT user_id FROM '.table_prefix.'users WHERE username=\'' . $db->escape($username) . '\';'); if (!$q) - $db->_die(); + $db->_die('SpecialGroups.php, line ' . __LINE__); if ($db->numrows() < 1) { echo '

The username you entered could not be found.

'; @@ -152,7 +170,7 @@ // Check if the user is already in the group, and if so, only update modship $q = $db->sql_query('SELECT member_id,is_mod FROM '.table_prefix.'group_members WHERE user_id=' . $uid . ' AND group_id=' . intval($_POST['group_id']) . ';'); if ( !$q ) - $db->_die(); + $db->_die('SpecialGroups.php, line ' . __LINE__); if ( $db->numrows() > 0 ) { $r = $db->fetchrow(); @@ -160,7 +178,7 @@ { $q = $db->sql_query('UPDATE '.table_prefix.'group_members SET is_mod=' . $mod . ' WHERE member_id=' . $r['member_id'] . ';'); if ( !$q ) - $db->_die(); + $db->_die('SpecialGroups.php, line ' . __LINE__); foreach ( $members as $i => $member ) { if ( $member['member_id'] == $r['member_id'] ) @@ -179,7 +197,7 @@ $q = $db->sql_query('INSERT INTO '.table_prefix.'group_members(group_id,user_id,is_mod) VALUES(' . intval($_POST['group_id']) . ', ' . $uid . ', ' . $mod . ');'); if (!$q) - $db->_die(); + $db->_die('SpecialGroups.php, line ' . __LINE__); echo '

The user "' . $username . '" has been added to this usergroup.

'; $q = $db->sql_query('SELECT u.username,u.email,u.reg_time,m.member_id,m.user_id,m.is_mod,COUNT(c.comment_id) @@ -195,7 +213,7 @@ ORDER BY m.is_mod DESC,u.username ASC LIMIT 1;'); if ( !$q ) - $db->_die(); + $db->_die('SpecialGroups.php, line ' . __LINE__); $r = $db->fetchrow(); $members[] = $r; @@ -209,7 +227,7 @@ { $q = $db->sql_query('DELETE FROM '.table_prefix.'group_members WHERE member_id=' . $member['member_id'] . ';'); if (!$q) - $db->_die(); + $db->_die('SpecialGroups.php, line ' . __LINE__); unset($members[$i]); } } @@ -223,7 +241,7 @@ { $q = $db->sql_query('UPDATE '.table_prefix.'group_members SET pending=0 WHERE member_id=' . $member['member_id'] . ';'); if (!$q) - $db->_die(); + $db->_die('SpecialGroups.php, line ' . __LINE__); $members[] = $member; unset($pending[$i]); continue; @@ -232,7 +250,7 @@ { $q = $db->sql_query('DELETE FROM '.table_prefix.'group_members WHERE member_id=' . $member['member_id'] . ';'); if (!$q) - $db->_die(); + $db->_die('SpecialGroups.php, line ' . __LINE__); unset($pending[$i]); } } @@ -246,7 +264,7 @@ { $q = $db->sql_query('INSERT INTO '.table_prefix.'group_members(group_id,user_id) VALUES(' . $gid . ', ' . $session->user_id . ');'); if (!$q) - $db->_die(); + $db->_die('SpecialGroups.php, line ' . __LINE__); echo '

You have been added to this group.

'; $q = $db->sql_query('SELECT u.username,u.email,u.reg_time,m.member_id,m.user_id,m.is_mod,COUNT(c.comment_id) @@ -262,7 +280,7 @@ ORDER BY m.is_mod DESC,u.username ASC LIMIT 1;'); if ( !$q ) - $db->_die(); + $db->_die('SpecialGroups.php, line ' . __LINE__); $r = $db->fetchrow(); $members[] = $r; @@ -274,7 +292,7 @@ { $q = $db->sql_query('INSERT INTO '.table_prefix.'group_members(group_id,user_id,pending) VALUES(' . $gid . ', ' . $session->user_id . ', 1);'); if (!$q) - $db->_die(); + $db->_die('SpecialGroups.php, line ' . __LINE__); echo '

A request has been sent to the moderator(s) of this group to add you.

'; } @@ -305,7 +323,7 @@ - + diff -r 996572e55dc9 -r 861807631f70 plugins/SpecialPageFuncs.php --- a/plugins/SpecialPageFuncs.php Wed Oct 24 09:34:19 2007 -0400 +++ b/plugins/SpecialPageFuncs.php Wed Oct 24 12:45:05 2007 -0400 @@ -4,13 +4,13 @@ Plugin URI: http://enanocms.org/ Description: Provides the page Special:CreatePage, which can be used to create new pages. Also adds the About Enano and GNU General Public License pages. Author: Dan Fuhry -Version: 1.0.1 +Version: 1.0.2 Author URI: http://enanocms.org/ */ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.0 release candidate 2 + * Version 1.0.2 * Copyright (C) 2006-2007 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License @@ -109,6 +109,17 @@ exit; } + if ( substr($urlname, 0, 8) == 'Project:' ) + { + $template->header(); + + echo '

The page could not be created.

The page title can\'t start with "Project:" because this prefix is reserved for a parser shortcut.

'; + + $template->footer(); + $db->close(); + + exit; + } $tn = $paths->nslist[$_POST['namespace']] . $urlname; if ( isset($paths->pages[$tn]) ) diff -r 996572e55dc9 -r 861807631f70 plugins/SpecialSearch.php --- a/plugins/SpecialSearch.php Wed Oct 24 09:34:19 2007 -0400 +++ b/plugins/SpecialSearch.php Wed Oct 24 12:45:05 2007 -0400 @@ -4,13 +4,13 @@ Plugin URI: http://enanocms.org/ Description: Provides the page Special:Search, which is a frontend to the Enano search engine. Author: Dan Fuhry -Version: 1.0.1 +Version: 1.0.2 Author URI: http://enanocms.org/ */ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.0 release candidate 2 + * Version 1.0.2 * Copyright (C) 2006-2007 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License diff -r 996572e55dc9 -r 861807631f70 plugins/SpecialUpdownload.php --- a/plugins/SpecialUpdownload.php Wed Oct 24 09:34:19 2007 -0400 +++ b/plugins/SpecialUpdownload.php Wed Oct 24 12:45:05 2007 -0400 @@ -4,13 +4,13 @@ Plugin URI: http://enanocms.org/ Description: Provides the pages Special:UploadFile and Special:DownloadFile. UploadFile is used to upload files to the site, and DownloadFile fetches the file from the database, creates thumbnails if necessary, and sends the file to the user. Author: Dan Fuhry -Version: 1.0.1 +Version: 1.0.2 Author URI: http://enanocms.org/ */ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.0 release candidate 2 + * Version 1.0.2 * Copyright (C) 2006-2007 Dan Fuhry * SpecialUpdownload.php - handles uploading and downloading of user-uploaded files - possibly the most rigorously security-enforcing script in all of Enano, although sessions.php comes in a close second * @@ -59,8 +59,14 @@ { $file = false; } - if(!is_array($file)) die_friendly('Upload failed', '

The server could not retrieve the array $_FILES[\'data\'].

'); - if($file['size'] == 0 || $file['size'] > (int)getConfig('max_file_size')) die_friendly('Upload failed', '

The file you uploaded is either too large or 0 bytes in length.

'); + if ( !is_array($file) ) + { + die_friendly('Upload failed', '

The server could not retrieve the array $_FILES[\'data\'].

'); + } + if ( $file['size'] == 0 || $file['size'] > (int)getConfig('max_file_size') ) + { + die_friendly('Upload failed', '

The file you uploaded is either too large or 0 bytes in length.

'); + } /* $allowed_mime_types = Array( 'text/plain', @@ -88,7 +94,7 @@ */ $types = fetch_allowed_extensions(); $ext = substr($file['name'], strrpos($file['name'], '.')+1, strlen($file['name'])); - if(!isset($types[$ext]) || ( isset($types[$ext]) && !$types[$ext] ) ) + if ( !isset($types[$ext]) || ( isset($types[$ext]) && !$types[$ext] ) ) { die_friendly('Upload failed', '

The file type ".'.$ext.'" is not allowed.

'); } diff -r 996572e55dc9 -r 861807631f70 plugins/SpecialUserFuncs.php --- a/plugins/SpecialUserFuncs.php Wed Oct 24 09:34:19 2007 -0400 +++ b/plugins/SpecialUserFuncs.php Wed Oct 24 12:45:05 2007 -0400 @@ -4,13 +4,13 @@ Plugin URI: http://enanocms.org/ Description: Provides the pages Special:Login, Special:Logout, Special:Register, and Special:Preferences. Author: Dan Fuhry -Version: 1.0.1 +Version: 1.0.2 Author URI: http://enanocms.org/ */ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.0 release candidate 2 + * Version 1.0.2 * Copyright (C) 2006-2007 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License @@ -104,60 +104,14 @@ $pubkey = $session->rijndael_genkey(); $challenge = $session->dss_rand(); - $locked_out = false; - // are we locked out? - $threshold = ( $_ = getConfig('lockout_threshold') ) ? intval($_) : 5; - $duration = ( $_ = getConfig('lockout_duration') ) ? intval($_) : 15; - // convert to minutes - $duration = $duration * 60; - $policy = ( $x = getConfig('lockout_policy') && in_array(getConfig('lockout_policy'), array('lockout', 'disable', 'captcha')) ) ? getConfig('lockout_policy') : 'lockout'; - if ( $policy != 'disable' ) - { - $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']); - $timestamp_cutoff = time() - $duration; - $q = $session->sql('SELECT timestamp FROM '.table_prefix.'lockout WHERE timestamp > ' . $timestamp_cutoff . ' AND ipaddr = \'' . $ipaddr . '\' ORDER BY timestamp DESC;'); - $fails = $db->numrows(); - if ( $fails >= $threshold ) - { - $row = $db->fetchrow(); - $locked_out = true; - $lockdata = array( - 'locked_out' => true, - 'lockout_threshold' => $threshold, - 'lockout_duration' => ( $duration / 60 ), - 'lockout_fails' => $fails, - 'lockout_policy' => $policy, - 'lockout_last_time' => $row['timestamp'], - 'time_rem' => ( $duration / 60 ) - round( ( time() - $row['timestamp'] ) / 60 ), - 'captcha' => '' - ); - if ( $policy == 'captcha' ) - { - $lockdata['captcha'] = $session->make_captcha(); - } - } - $db->free_result(); - } - if ( isset($_GET['act']) && $_GET['act'] == 'getkey' ) { $username = ( $session->user_logged_in ) ? $session->username : false; $response = Array( 'username' => $username, 'key' => $pubkey, - 'challenge' => $challenge, - 'locked_out' => false + 'challenge' => $challenge ); - - if ( $locked_out ) - { - foreach ( $lockdata as $x => $y ) - { - $response[$x] = $y; - } - unset($x, $y); - } - $json = new Services_JSON(SERVICES_JSON_LOOSE_TYPE); $response = $json->encode($response); echo $response; @@ -184,48 +138,7 @@ $header = ( $level > USER_LEVEL_MEMBER ) ? 'Please re-enter your login details' : 'Please enter your username and password to log in.'; if ( isset($_POST['login']) ) { - $errstring = $__login_status['error']; - switch($__login_status['error']) - { - case 'key_not_found': - $errstring = 'Enano couldn\'t look up the encryption key used to encrypt your password. This most often happens if a cache rotation occurred during your login attempt, or if you refreshed the login page.'; - break; - case 'key_wrong_length': - $errstring = 'The encryption key was the wrong length.'; - break; - case 'too_big_for_britches': - $errstring = 'You are trying to authenticate at a level that your user account does not permit.'; - break; - case 'invalid_credentials': - $errstring = 'You have entered an invalid username or password. Please enter your login details again.'; - if ( $__login_status['lockout_policy'] == 'lockout' ) - { - $errstring .= ' You have used up '.$__login_status['lockout_fails'].' out of '.$__login_status['lockout_threshold'].' login attempts. After you have used up all '.$data['lockout_threshold'].' login attempts, you will be locked out from logging in for '.$__login_status['lockout_duration'].' minutes.'; - } - else if ( $__login_status['lockout_policy'] == 'captcha' ) - { - $errstring .= ' You have used up '.$__login_status['lockout_fails'].' out of '.$__login_status['lockout_threshold'].' login attempts. After you have used up all '.$data['lockout_threshold'].' login attempts, you will have to enter a visual confirmation code before logging in, effective for '.$__login_status['lockout_duration'].' minutes.'; - } - break; - case 'backend_fail': - $errstring = 'You entered the right credentials and everything was validated, but for some reason Enano couldn\'t register your session. This is an internal problem with the site and you are encouraged to contact site administration.'; - break; - case 'locked_out': - $attempts = intval($__login_status['lockout_fails']); - if ( $attempts > $__login_status['lockout_threshold']) - $attempts = $__login_status['lockout_threshold']; - - $server_time = time(); - $time_rem = $__login_status['lockout_duration'] - round( ( $server_time - $__login_status['lockout_last_time'] ) / 60 ); - - $s = ( $time_rem == 1 ) ? '' : 's'; - $errstring = "You have used up all {$__login_status['lockout_threshold']} allowed login attempts. Please wait {$time_rem} minute$s before attempting to log in again"; - if ( $__login_status['lockout_policy'] == 'captcha' ) - $errstring .= ', or enter the visual confirmation code shown above in the appropriate box'; - $errstring .= '.'; - break; - } - echo '

'.$errstring.'

'; + echo '

'.$__login_status.'

'; } if ( $p = $paths->getAllParams() ) { @@ -276,7 +189,7 @@ ?> /> - @@ -285,21 +198,6 @@ - - - - - - - - diff -r 996572e55dc9 -r 861807631f70 themes/stpatty/footer.tpl --- a/themes/stpatty/footer.tpl Wed Oct 24 09:34:19 2007 -0400 +++ b/themes/stpatty/footer.tpl Wed Oct 24 12:45:05 2007 -0400 @@ -11,6 +11,8 @@ --> {COPYRIGHT}
Powered by Enano | Valid XHTML 1.1 | Valid CSS | [[Stats]] + +

Account lockouts
Your name or screen name:	'.$sn.'
Your name or screen name:	' . $sn . '
Comment subject:
Visual confirmation: Please enter the code you see on the right.	Code:
Visual confirmation: Please enter the code you see on the right.	Code:
Comment text: (most HTML will be stripped)
Configure Enano to prevent or restrict logins for a specified period of time if a user enters an incorrect password a specific number of times.
Lockout threshold: - How many times can a user enter wrong credentials before a lockout goes into effect? -	- -
Lockout duration: - This is how long an account lockout should last, in minutes. -	- -
Lockout policy: - What should be done when a lockout goes into effect? -	- /> Don't do anything - /> Require visual confirmation - /> Prevent all login attempts -
Password strength
Group name:	' . $row['group_name'] . '	' . $row['group_name'] . ( $row['system_group'] == 1 ? ' (system group)' : '' ) . '
Membership status:	+	Forgot your password? No problem. Maybe you need to create an account.
Password:
Code in image:
Code in image:	- -
@@ -344,12 +242,12 @@ $plugins->attachHook('login_password_reset', 'SpecialLogin_SendResponse_PasswordReset($row[\'user_id\'], $row[\'temp_password\']);'); $json = new Services_JSON(SERVICES_JSON_LOOSE_TYPE); $data = $json->decode($_POST['params']); - $captcha_hash = ( isset($data['captcha_hash']) ) ? $data['captcha_hash'] : false; - $captcha_code = ( isset($data['captcha_code']) ) ? $data['captcha_code'] : false; $level = ( isset($data['level']) ) ? intval($data['level']) : USER_LEVEL_MEMBER; - $result = $session->login_with_crypto($data['username'], $data['crypt_data'], $data['crypt_key'], $data['challenge'], $level, $captcha_hash, $captcha_code); + $result = $session->login_with_crypto($data['username'], $data['crypt_data'], $data['crypt_key'], $data['challenge'], $level); $session->start(); - if ( $result['success'] ) + //echo "$result\n$session->sid_super"; + //exit; + if ( $result == 'success' ) { $response = Array( 'result' => 'success', @@ -358,16 +256,9 @@ } else { - $captcha = ''; - if ( $result['error'] == 'locked_out' && $result['lockout_policy'] == 'captcha' ) - { - $session->kill_captcha(); - $captcha = $session->make_captcha(); - } $response = Array( 'result' => 'error', - 'data' => $result, - 'captcha' => $captcha + 'error' => $result ); } $response = $json->encode($response); @@ -376,19 +267,17 @@ exit; } if(isset($_POST['login'])) { - $captcha_hash = ( isset($_POST['captcha_hash']) ) ? $_POST['captcha_hash'] : false; - $captcha_code = ( isset($_POST['captcha_code']) ) ? $_POST['captcha_code'] : false; if($_POST['use_crypt'] == 'yes') { - $result = $session->login_with_crypto($_POST['username'], $_POST['crypt_data'], $_POST['crypt_key'], $_POST['challenge_data'], intval($_POST['auth_level']), $captcha_hash, $captcha_code); + $result = $session->login_with_crypto($_POST['username'], $_POST['crypt_data'], $_POST['crypt_key'], $_POST['challenge_data'], intval($_POST['auth_level'])); } else { - $result = $session->login_without_crypto($_POST['username'], $_POST['pass'], false, intval($_POST['auth_level']), $captcha_hash, $captcha_code); + $result = $session->login_without_crypto($_POST['username'], $_POST['pass'], false, intval($_POST['auth_level'])); } $session->start(); $paths->init(); - if($result['success']) + if($result == 'success') { $template->load_theme($session->theme, $session->style); if(isset($_POST['return_to'])) diff -r 996572e55dc9 -r 861807631f70 plugins/SpecialUserPrefs.php --- a/plugins/SpecialUserPrefs.php Wed Oct 24 09:34:19 2007 -0400 +++ b/plugins/SpecialUserPrefs.php Wed Oct 24 12:45:05 2007 -0400 @@ -4,13 +4,13 @@ Plugin URI: http://enanocms.org/ Description: Provides the page Special:Preferences. Author: Dan Fuhry -Version: 1.0.1 +Version: 1.0.2 Author URI: http://enanocms.org/ / / * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.0 release candidate 2 + * Version 1.0.2 * Copyright (C) 2006-2007 Dan Fuhry * * This program is Free Software; you can redistribute it and/or modify it under the terms of the GNU General Public License diff -r 996572e55dc9 -r 861807631f70 themes/oxygen/footer.tpl --- a/themes/oxygen/footer.tpl Wed Oct 24 09:34:19 2007 -0400 +++ b/themes/oxygen/footer.tpl Wed Oct 24 12:45:05 2007 -0400 @@ -13,6 +13,8 @@ {COPYRIGHT} Website engine powered by Enano \| Valid XHTML 1.1 \| Valid CSS \| Generated in [[GenTime]]sec + +

Edits:

Other changes:

Article Comments

Got something to say?

Comment form

Got something to say?

Got something to say?

Welcome to Enano

version 1.1.1 – unstable

version 1.0.2 – stable + also affectionately known as "coblynau" :)

The page could not be created.

version 1.0.2 – stable
+ also affectionately known as "coblynau" `:)`