--- a/includes/template.php Wed Jan 23 19:36:16 2008 -0500
+++ b/includes/template.php Wed Jan 23 19:36:42 2008 -0500
@@ -297,7 +297,7 @@
$tb .= $button->run();
}
// Edit button
- if($session->get_permissions('read') && ($paths->namespace != 'Special' && $paths->namespace != 'Admin') && ( $session->get_permissions('edit_page') && ( ( $paths->page_protected && $session->get_permissions('even_when_protected') ) || !$paths->page_protected ) ) )
+ if($session->get_permissions('read') && ($paths->namespace != 'Special' && $paths->namespace != 'Admin' && $paths->namespace != 'Anonymous') && ( $session->get_permissions('edit_page') && ( ( $paths->page_protected && $session->get_permissions('even_when_protected') ) || !$paths->page_protected ) ) )
{
$button->assign_vars(array(
'FLAGS' => 'onclick="if ( !KILL_SWITCH ) { void(ajaxEditor()); return false; }" title="Edit the contents of this page (alt-e)" accesskey="e"',
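Review bot: The namespace exclusion on the added line is now a third chained `!=` comparison against a string; `!in_array($paths->namespace, array('Special', 'Admin', 'Anonymous'), true)` keeps the excluded namespaces in one list and compares strictly, so the next addition does not have to touch the long boolean expression. This test only decides whether the edit button is rendered; the server-side handler behind `ajaxEditor()` presumably enforces the same restriction for the Anonymous namespace, which is not visible here and is worth confirming. The enclosing block starts and ends outside the hunk.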
--- a/includes/wikiengine/Tables.php Wed Jan 23 19:36:16 2008 -0500
+++ b/includes/wikiengine/Tables.php Wed Jan 23 19:36:42 2008 -0500
@@ -280,11 +280,24 @@
// In Enano 1.0.3, added this cheapo hack to keep ampersands
// from being double-sanitized. Thanks to markybob from #deluge.
+
+ // htmlspecialchars() the "manual" way
$encValue = strtr( $text, array(
- '&' => '&'
+ '&' => '&',
+ '"' => '"',
+ '<' => '<',
+ '>' => '>',
+ ''' => "'"
) );
- $encValue = htmlspecialchars( $text );
+ $encValue = strtr( $text, array(
+ '&' => '&',
+ '"' => '"',
+ '<' => '<',
+ '>' => '>',
+ "'" => '''
+ ) );
+
// Whitespace is normalized during attribute decoding,
// so if we've been passed non-spaces we must encode them
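Review bot: The second `strtr()` call (the added block beginning `$encValue = strtr( $text, array(`) reads `$text` rather than `$encValue`, so the decode pass immediately above it is dead and any entity already present in `$text` is encoded a second time, which is the double-sanitizing the comment above says this code exists to prevent. Changing the input of the second call to `$encValue = strtr( $encValue, array(` restores the intended decode-then-encode sequence. The rendered diff appears to have lost the literal entity names inside the string keys and values (both arrays show the raw character on both sides of each pair), so the mapping should be checked against the actual file. The enclosing function starts and ends outside the hunk.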
--- a/install.php Wed Jan 23 19:36:16 2008 -0500
+++ b/install.php Wed Jan 23 19:36:42 2008 -0500
@@ -495,20 +495,7 @@
$admin_user = str_replace('_', ' ', $admin_user);
$admin_user = $db->escape($admin_user);
- switch ( $_POST['db_driver'] )
- {
- case 'mysql':
- $schema_file = 'schema.sql';
- break;
- case 'postgresql':
- $schema_file = 'schema-pg.sql';
- break;
- }
-
- if ( !isset($schema_file) )
- die('insanity');
-
- $schema = file_get_contents($schema_file);
+ $schema = file_get_contents('schema.sql');
$schema = str_replace('{{SITE_NAME}}', $db->escape($_POST['sitename'] ), $schema);
$schema = str_replace('{{SITE_DESC}}', $db->escape($_POST['sitedesc'] ), $schema);
$schema = str_replace('{{COPYRIGHT}}', $db->escape($_POST['copyright'] ), $schema);
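Review bot: `file_get_contents('schema.sql')` on the new line is no longer guarded; the removed code at least stopped with `die('insanity')` when no schema file had been selected, whereas now a missing or unreadable file leaves `$schema` as `false` and the `str_replace()` calls below silently turn it into an empty string. Keeping the file's existing idiom, `if ( ($schema = file_get_contents('schema.sql')) === false ) die('Could not read schema.sql');` preserves a hard stop. The enclosing block starts and ends outside the hunk.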
@@ -1249,76 +1236,6 @@
<?php
break;
case "database":
- echo '<h3>Choose a database driver</h3>';
- echo '<p>The next step is to choose the database driver that Enano will use. In most cases this is MySQL, but there are certain
- advantages to PostgreSQL, which is made available only experimentally.</p>';
- if ( @file_exists('/etc/enano-is-virt-appliance') )
- {
- echo '<p><b>You\'re using the Enano virtual appliance.</b><br />Unless you configured the appliance manually, PostgreSQL support is not available. In 99% of cases you\'ll want to click MySQL below.</p>';
- }
-
- $mysql_disable_reason = '';
- $pgsql_disable_reason = '';
- $mysql_disable = '';
- $pgsql_disable = '';
- if ( !function_exists('mysql_connect') )
- {
- $mysql_disable = ' disabled="disabled"';
- $mysql_disable_reason = 'You don\'t have the MySQL PHP extension installed.';
- }
- if ( !function_exists('pg_connect') )
- {
- $pgsql_disable = ' disabled="disabled"';
- $pgsql_disable_reason = 'You don\'t have the PostgreSQL PHP extensnion installed.';
- }
- if ( function_exists('pg_connect') && version_compare(PHP_VERSION, '5.0.0', '<') )
- {
- $pgsql_disable = ' disabled="disabled"';
- $pgsql_disable_reason = 'You need to have at least PHP 5 to use the PostgreSQL database driver.';
- }
-
- echo '<form action="install.php" method="get">';
- ?>
- <table border="0" cellspacing="5">
- <tr>
- <td>
- <input type="image" name="mode" value="database_mysql" src="images/about-powered-mysql.png"<?php echo $mysql_disable; ?>/>
- </td>
- <td<?php if ( $mysql_disable ) echo ' style="opacity: 0.5; filter: alpha(opacity=50);"'; ?>>
- <b>MySQL</b><br />
- Click this button to use MySQL as the database backend for your site. Most web hosts support MySQL, and if you have
- administrative access to your MySQL server, you can create a new database and user during this installation process if you
- haven't done so already.
- <?php
- if ( $mysql_disable )
- {
- echo "<br /><br /><b>$mysql_disable_reason</b>";
- }
- ?>
- </td>
- </tr>
- <tr>
- <td>
- <input type="image" name="mode" value="database_pgsql" src="images/about-powered-pgsql.png"<?php echo $pgsql_disable; ?> />
- </td>
- <td<?php if ( $pgsql_disable ) echo ' style="opacity: 0.5; filter: alpha(opacity=50);"'; ?>>
- <b>PostgreSQL</b><br />
- Click this button to use PostgreSQL as the database backend for your site. While not as widely supported, PostgreSQL has more
- liberal licensing conditions and when properly configured is faster than MySQL. Some plugins may not work with the PostgreSQL
- driver.
- <?php
- if ( $pgsql_disable )
- {
- echo "<br /><br /><b>$pgsql_disable_reason</b>";
- }
- ?>
- </td>
- </tr>
- </table>
- <?php
- echo '</form>';
- break;
- case "database_mysql":
?>
<script type="text/javascript">
function ajaxGet(uri, f) {
@@ -1526,7 +1443,6 @@
}
?>
<form name="dbinfo" action="install.php?mode=website" method="post">
- <input type="hidden" name="db_driver" value="mysql" />
<table border="0">
<tr><td colspan="3" style="text-align: center"><h3>Database information</h3></td></tr>
<tr><td><b>Database hostname</b><br />This is the hostname (or sometimes the IP address) of your MySQL server. In many cases, this is "localhost".<br /><span style="color: #993300" id="e_db_host"></span></td><td><input onkeyup="verify();" name="db_host" size="30" type="text" /></td><td><img id="s_db_host" alt="Good/bad icon" src="images/bad.gif" /></td></tr>
@@ -1551,231 +1467,6 @@
</form>
<?php
break;
- case "database_pgsql":
- ?>
- <script type="text/javascript">
- function ajaxGet(uri, f) {
- if (window.XMLHttpRequest) {
- ajax = new XMLHttpRequest();
- } else {
- if (window.ActiveXObject) {
- ajax = new ActiveXObject("Microsoft.XMLHTTP");
- } else {
- alert('Enano client-side runtime error: No AJAX support, unable to continue');
- return;
- }
- }
- ajax.onreadystatechange = f;
- ajax.open('GET', uri, true);
- ajax.send(null);
- }
-
- function ajaxPost(uri, parms, f) {
- if (window.XMLHttpRequest) {
- ajax = new XMLHttpRequest();
- } else {
- if (window.ActiveXObject) {
- ajax = new ActiveXObject("Microsoft.XMLHTTP");
- } else {
- alert('Enano client-side runtime error: No AJAX support, unable to continue');
- return;
- }
- }
- ajax.onreadystatechange = f;
- ajax.open('POST', uri, true);
- ajax.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
- ajax.setRequestHeader("Content-length", parms.length);
- ajax.setRequestHeader("Connection", "close");
- ajax.send(parms);
- }
- function ajaxTestConnection()
- {
- v = verify();
- if(!v)
- {
- alert('One or more of the form fields is incorrect. Please correct any information in the form that has an "X" next to it.');
- return false;
- }
- var frm = document.forms.dbinfo;
- db_host = escape(frm.db_host.value.replace('+', '%2B'));
- db_name = escape(frm.db_name.value.replace('+', '%2B'));
- db_user = escape(frm.db_user.value.replace('+', '%2B'));
- db_pass = escape(frm.db_pass.value.replace('+', '%2B'));
- db_root_user = escape(frm.db_root_user.value.replace('+', '%2B'));
- db_root_pass = escape(frm.db_root_pass.value.replace('+', '%2B'));
-
- parms = 'host='+db_host+'&name='+db_name+'&user='+db_user+'&pass='+db_pass+'&root_user='+db_root_user+'&root_pass='+db_root_pass;
- ajaxPost('<?php echo scriptPath; ?>/install.php?mode=pgsql_test', parms, function() {
- if(ajax.readyState==4)
- {
- s = ajax.responseText.substr(0, 4);
- t = ajax.responseText.substr(4, ajax.responseText.length);
- if(s.substr(0, 4)=='good')
- {
- document.getElementById('s_db_host').src='images/good.gif';
- document.getElementById('s_db_name').src='images/good.gif';
- document.getElementById('s_db_auth').src='images/good.gif';
- document.getElementById('s_db_root').src='images/good.gif';
- if(t.match(/_creating_db/)) document.getElementById('e_db_name').innerHTML = '<b>Warning:<\/b> The database you specified does not exist. It will be created during installation.';
- if(t.match(/_creating_user/)) document.getElementById('e_db_auth').innerHTML = '<b>Warning:<\/b> The specified regular user does not exist or the password is incorrect. The user will be created during installation. If the user already exists, the password will be reset.';
- document.getElementById('s_mysql_version').src='images/good.gif';
- document.getElementById('e_mysql_version').innerHTML = 'Your version of PostgreSQL meets Enano requirements.';
- }
- else
- {
- switch(s)
- {
- case 'host':
- document.getElementById('s_db_host').src='images/bad.gif';
- document.getElementById('s_db_name').src='images/unknown.gif';
- document.getElementById('s_db_auth').src='images/unknown.gif';
- document.getElementById('s_db_root').src='images/unknown.gif';
- document.getElementById('e_db_host').innerHTML = '<b>Error:<\/b> The database server "'+document.forms.dbinfo.db_host.value+'" couldn\'t be contacted.<br \/>'+t;
- document.getElementById('e_mysql_version').innerHTML = 'The MySQL version that your server is running could not be determined.';
- break;
- case 'auth':
- document.getElementById('s_db_host').src='images/good.gif';
- document.getElementById('s_db_name').src='images/unknown.gif';
- document.getElementById('s_db_auth').src='images/bad.gif';
- document.getElementById('s_db_root').src='images/unknown.gif';
- document.getElementById('e_db_auth').innerHTML = '<b>Error:<\/b> Access to MySQL under the specified credentials was denied.<br \/>'+t;
- document.getElementById('e_mysql_version').innerHTML = 'The MySQL version that your server is running could not be determined.';
- break;
- case 'perm':
- document.getElementById('s_db_host').src='images/good.gif';
- document.getElementById('s_db_name').src='images/bad.gif';
- document.getElementById('s_db_auth').src='images/good.gif';
- document.getElementById('s_db_root').src='images/unknown.gif';
- document.getElementById('e_db_name').innerHTML = '<b>Error:<\/b> Access to the specified database using those login credentials was denied.<br \/>'+t;
- document.getElementById('e_mysql_version').innerHTML = 'The MySQL version that your server is running could not be determined.';
- break;
- case 'name':
- document.getElementById('s_db_host').src='images/good.gif';
- document.getElementById('s_db_name').src='images/bad.gif';
- document.getElementById('s_db_auth').src='images/good.gif';
- document.getElementById('s_db_root').src='images/unknown.gif';
- document.getElementById('e_db_name').innerHTML = '<b>Error:<\/b> The specified database does not exist<br \/>'+t;
- document.getElementById('e_mysql_version').innerHTML = 'The MySQL version that your server is running could not be determined.';
- break;
- case 'root':
- document.getElementById('s_db_host').src='images/good.gif';
- document.getElementById('s_db_name').src='images/unknown.gif';
- document.getElementById('s_db_auth').src='images/unknown.gif';
- document.getElementById('s_db_root').src='images/bad.gif';
- document.getElementById('e_db_root').innerHTML = '<b>Error:<\/b> Access to MySQL under the specified credentials was denied.<br \/>'+t;
- document.getElementById('e_mysql_version').innerHTML = 'The MySQL version that your server is running could not be determined.';
- break;
- case 'vers':
- document.getElementById('s_db_host').src='images/good.gif';
- document.getElementById('s_db_name').src='images/good.gif';
- document.getElementById('s_db_auth').src='images/good.gif';
- document.getElementById('s_db_root').src='images/good.gif';
- if(t.match(/_creating_db/)) document.getElementById('e_db_name').innerHTML = '<b>Warning:<\/b> The database you specified does not exist. It will be created during installation.';
- if(t.match(/_creating_user/)) document.getElementById('e_db_auth').innerHTML = '<b>Warning:<\/b> The specified regular user does not exist or the password is incorrect. The user will be created during installation. If the user already exists, the password will be reset.';
-
- document.getElementById('e_mysql_version').innerHTML = '<b>Error:<\/b> Your version of MySQL ('+t+') is older than 4.1.17. Enano will still work, but there is a known bug with the comment system and MySQL 4.1.11 that involves some comments not being displayed, due to an issue with the PHP function mysql_fetch_row().';
- document.getElementById('s_mysql_version').src='images/bad.gif';
- default:
- alert(t);
- break;
- }
- }
- }
- });
- }
- function verify()
- {
- document.getElementById('e_db_host').innerHTML = '';
- document.getElementById('e_db_auth').innerHTML = '';
- document.getElementById('e_db_name').innerHTML = '';
- document.getElementById('e_db_root').innerHTML = '';
- var frm = document.forms.dbinfo;
- ret = true;
- if(frm.db_host.value != '')
- {
- document.getElementById('s_db_host').src='images/unknown.gif';
- }
- else
- {
- document.getElementById('s_db_host').src='images/bad.gif';
- ret = false;
- }
- if(frm.db_name.value.match(/^([a-z0-9_-]+)$/g))
- {
- document.getElementById('s_db_name').src='images/unknown.gif';
- }
- else
- {
- document.getElementById('s_db_name').src='images/bad.gif';
- ret = false;
- }
- if(frm.db_user.value != '')
- {
- document.getElementById('s_db_auth').src='images/unknown.gif';
- }
- else
- {
- document.getElementById('s_db_auth').src='images/bad.gif';
- ret = false;
- }
- if(frm.table_prefix.value.match(/^([a-z0-9_]*)$/g))
- {
- document.getElementById('s_table_prefix').src='images/good.gif';
- }
- else
- {
- document.getElementById('s_table_prefix').src='images/bad.gif';
- ret = false;
- }
- if(frm.db_root_user.value == '')
- {
- document.getElementById('s_db_root').src='images/good.gif';
- }
- else if(frm.db_root_user.value != '' && frm.db_root_pass.value == '')
- {
- document.getElementById('s_db_root').src='images/bad.gif';
- ret = false;
- }
- else
- {
- document.getElementById('s_db_root').src='images/unknown.gif';
- }
- if(ret) frm._cont.disabled = false;
- else frm._cont.disabled = true;
- return ret;
- }
- window.onload = verify;
- </script>
- <p>Now we need some information that will allow Enano to contact your database server. Enano uses PostgreSQL as a data storage backend,
- and we need to have access to a PostgreSQL server in order to continue.</p>
- <p>If you do not have access to a PostgreSQL server, and you are using your own server, you can download PostgreSQL for free from
- <a href="http://www.postgresql.org/">PostgreSQL.org</a>.</p>
- <form name="dbinfo" action="install.php?mode=website" method="post">
- <input type="hidden" name="db_driver" value="postgresql" />
- <table border="0">
- <tr><td colspan="3" style="text-align: center"><h3>Database information</h3></td></tr>
- <tr><td><b>Database hostname</b><br />This is the hostname (or sometimes the IP address) of your Postgres server. In many cases, this is "localhost".<br /><span style="color: #993300" id="e_db_host"></span></td><td><input onkeyup="verify();" name="db_host" size="30" type="text" /></td><td><img id="s_db_host" alt="Good/bad icon" src="images/bad.gif" /></td></tr>
- <tr><td><b>Database name</b><br />The name of the actual database. If you don't already have a database, you can create one here, if you have the username and password of a PostgreSQL superuser.<br /><span style="color: #993300" id="e_db_name"></span></td><td><input onkeyup="verify();" name="db_name" size="30" type="text" /></td><td><img id="s_db_name" alt="Good/bad icon" src="images/bad.gif" /></td></tr>
- <tr><td rowspan="2"><b>Database login</b><br />These fields should be the username and password for a role that has permission to create and alter tables, select data, insert data, update data, and delete data. You may or may not choose to allow dropping tables.<br /><span style="color: #993300" id="e_db_auth"></span></td><td><input onkeyup="verify();" name="db_user" size="30" type="text" /></td><td rowspan="2"><img id="s_db_auth" alt="Good/bad icon" src="images/bad.gif" /></td></tr>
- <tr><td><input name="db_pass" size="30" type="password" /></td></tr>
- <tr><td colspan="3" style="text-align: center"><h3>Optional information</h3></td></tr>
- <tr><td><b>Table prefix</b><br />The value that you enter here will be added to the beginning of the name of each Enano table. You may use lowercase letters (a-z), numbers (0-9), and underscores (_).</td><td><input onkeyup="verify();" name="table_prefix" size="30" type="text" /></td><td><img id="s_table_prefix" alt="Good/bad icon" src="images/good.gif" /></td></tr>
- <tr><td rowspan="2"><b>Database administrative login</b><br />If the Postgres database or role that you entered above does not exist yet, you can create them here, assuming that you have the login information for a PostgreSQL superuser. Leave these fields blank unless you need to use them.<br /><span style="color: #993300" id="e_db_root"></span></td><td><input onkeyup="verify();" name="db_root_user" size="30" type="text" /></td><td rowspan="2"><img id="s_db_root" alt="Good/bad icon" src="images/good.gif" /></td></tr>
- <tr><td><input onkeyup="verify();" name="db_root_pass" size="30" type="password" /></td></tr>
- <tr><td><b>PostgreSQL version</b></td><td id="e_mysql_version">PostgreSQL version information will<br />be checked when you click "Test<br />Connection". You need to have at<br />least PostgreSQL 8.2.0 to install Enano.</td><td><img id="s_mysql_version" alt="Good/bad icon" src="images/unknown.gif" /></td></tr>
- <tr><td><b>Delete existing tables?</b><br />If this option is checked, all the tables that will be used by Enano will be dropped (deleted) before the schema is executed. Do NOT use this option unless specifically instructed to.</td><td><input type="checkbox" name="drop_tables" id="dtcheck" /> <label for="dtcheck">Drop existing tables</label></td></tr>
- <tr><td colspan="3" style="text-align: center"><input type="button" value="Test connection" onclick="ajaxTestConnection();" /></td></tr>
- </table>
- <div class="pagenav">
- <table border="0">
- <tr>
- <td><input type="submit" value="Continue" onclick="return verify();" name="_cont" /></td><td><p><span style="font-weight: bold;">Before clicking continue:</span><br />• Check your PostgreSQL connection using the "Test Connection" button.<br />• Be aware that your database information will be transmitted unencrypted several times.</p></td>
- </tr>
- </table>
- </div>
- </form>
- <?php
- break;
case "website":
if(!isset($_POST['_cont'])) {
echo 'No POST data signature found. Please <a href="install.php?mode=sysreqs">restart the installation</a>.';
@@ -2078,7 +1769,6 @@
!isset($_POST['db_name']) ||
!isset($_POST['db_user']) ||
!isset($_POST['db_pass']) ||
- !isset($_POST['db_driver']) ||
!isset($_POST['sitename']) ||
!isset($_POST['sitedesc']) ||
!isset($_POST['copyright']) ||
@@ -2092,12 +1782,6 @@
$template->footer();
exit;
}
- if ( !in_array($_POST['db_driver'], array('mysql', 'postgresql')) )
- {
- echo 'Invalid database driver.';
- $template->footer();
- exit;
- }
switch($_POST['urlscheme'])
{
case "ugly":
--- a/plugins/SpecialGroups.php Wed Jan 23 19:36:16 2008 -0500
+++ b/plugins/SpecialGroups.php Wed Jan 23 19:36:42 2008 -0500
@@ -502,7 +502,8 @@
echo '<select name="group_id">';
foreach ( $session->groups as $id => $group )
{
- $taboo[] = $group;
+ $taboo[] = $db->escape($group);
+ $group = htmlspecialchars($group);
if ( $group != 'Everyone' )
{
echo '<option value="' . $id . '">' . $group . '</option>';
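Review bot: The added `htmlspecialchars($group)` escapes the option text, but the same `echo` still emits `$id` into the `value` attribute unescaped; if `$session->groups` is keyed by integer group ids this is harmless, but `(int) $id` or `htmlspecialchars($id)` would make that explicit instead of relying on an array shape that is not visible here. The added `$taboo[] = $db->escape($group);` also stores the SQL-escaped name at collection time, which couples this loop to whichever query later consumes `$taboo`; escaping where the query is built, or at least a comment such as `// $taboo entries are already $db->escape()d`, would make that contract visible. The enclosing function starts and ends outside the hunk.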
--- a/plugins/SpecialUserFuncs.php Wed Jan 23 19:36:16 2008 -0500
+++ b/plugins/SpecialUserFuncs.php Wed Jan 23 19:36:42 2008 -0500
@@ -755,6 +755,7 @@
}
function regenCaptcha()
{
+ var frm = document.forms.regform;
document.getElementById('captchaimg').src = '<?php echo makeUrlNS("Special", "Captcha/"); ?>'+frm.captchahash.value+'/'+Math.floor(Math.random() * 100000);
return false;
}
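Review bot: `frm.captchahash.value` is concatenated into the image URL as-is on the line after the added `var frm`; `encodeURIComponent(frm.captchahash.value)` would keep the path segment well-formed if the hash value ever contains characters that are not URL-safe. The fix assumes a form named `regform` exists in the surrounding markup, which is outside the hunk. The enclosing `<script>` block starts and ends outside the hunk.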