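<?php

/*
 * Nucleus: PHP/MySQL Weblog CMS (http://nucleuscms.org/)
 * Copyright (C) 2002-2007 The Nucleus Group
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version 2
 * of the License, or (at your option) any later version.
 * (see nucleus/documentation/index.html#license for more info)
 */
/**
 * code to make it easier to create plugin admin areas
 *
 * @license http://nucleuscms.org/license.txt GNU General Public License
 * @copyright Copyright (C) 2002-2007 The Nucleus Group
 * @version $Id: PLUGINADMIN.php 1151 2007-05-19 23:38:50Z kaigreve $
 */

// Guard against variable poisoning under register_globals: if the request
// (GET, POST, cookie, env, session or uploaded files) carries a variable named
// like one of the superglobals, the old $HTTP_*_VARS arrays, or $DIR_LIBS
// (used below to build an include path), refuse to run at all.
global $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_COOKIE_VARS, $HTTP_ENV_VARS, $HTTP_POST_FILES, $HTTP_SESSION_VARS;
$aVarsToCheck = array('HTTP_GET_VARS', 'HTTP_POST_VARS', 'HTTP_COOKIE_VARS', 'HTTP_ENV_VARS', 'HTTP_SESSION_VARS', 'HTTP_POST_FILES', 'HTTP_SERVER_VARS', 'GLOBALS', 'argv', 'argc', '_GET', '_POST', '_COOKIE', '_ENV', '_SESSION', '_SERVER', '_FILES', 'DIR_LIBS');

foreach ($aVarsToCheck as $varName)
{
	// $_GET/$_POST/... exist since PHP 4.1.0; older versions only have the
	// $HTTP_*_VARS arrays. version_compare() is used rather than a plain
	// string comparison, which orders version strings lexicographically.
	if (version_compare(PHP_VERSION, '4.1.0', '>='))
	{
		if ( isset($_GET[$varName])
		  || isset($_POST[$varName])
		  || isset($_COOKIE[$varName])
		  || isset($_ENV[$varName])
		  || isset($_SESSION[$varName])
		  || isset($_FILES[$varName])
		){
			die('Sorry. An error occurred.');
		}
	} else {
		if ( isset($HTTP_GET_VARS[$varName])
		  || isset($HTTP_POST_VARS[$varName])
		  || isset($HTTP_COOKIE_VARS[$varName])
		  || isset($HTTP_ENV_VARS[$varName])
		  || isset($HTTP_SESSION_VARS[$varName])
		  || isset($HTTP_POST_FILES[$varName])
		){
			die('Sorry. An error occurred.');
		}
	}
}

// $DIR_LIBS must come from the including configuration, never from the request
// (it was rejected above if it appeared there); without it we cannot locate ADMIN.php.
if (!isset($DIR_LIBS)) {
	die('Sorry.');
}

include ($DIR_LIBS . 'ADMIN.php');

/**
 * Helper for plugin admin pages: wraps the ADMIN page head/foot output and,
 * on end(), emits a script that adds the CSRF ticket to links and forms the
 * page produced without one.
 *
 * Usage: construct with the plugin name without the 'NP_' prefix, call
 * start() before the page content and end() after it.
 */
class PluginAdmin {

	var $strFullName;	// NP_SomeThing
	var $plugin;		// ref. to plugin object
	var $bValid;		// evaluates to true when object is considered valid
	var $admin;			// ref to an admin object

	/**
	 * Look up the plugin and prepare an ADMIN object whose action is
	 * 'plugin_' . $pluginName.
	 *
	 * @param string $pluginName plugin name without the 'NP_' prefix
	 *
	 * doError() is called when the plugin is not installed or could not be
	 * loaded; it is expected to end the request (TODO confirm in ADMIN.php —
	 * if it returned, the code after it would run for an unknown plugin).
	 */
	function __construct($pluginName)
	{
		global $manager;

		$this->strFullName = 'NP_' . $pluginName;

		// check if plugin exists and is installed
		if (!$manager->pluginInstalled($this->strFullName))
			doError('Invalid plugin');

		$this->plugin =& $manager->getPlugin($this->strFullName);
		$this->bValid = $this->plugin;

		if (!$this->bValid)
			doError('Invalid plugin');

		$this->admin = new ADMIN();
		$this->admin->action = 'plugin_' . $pluginName;
	}

	/**
	 * PHP 4 style constructor, kept so that code calling it by name (and
	 * PHP 4 itself, where __construct() has no special meaning) keeps working.
	 * On PHP 5 and later `new PluginAdmin()` goes through __construct().
	 *
	 * @param string $pluginName plugin name without the 'NP_' prefix
	 */
	function PluginAdmin($pluginName)
	{
		$this->__construct($pluginName);
	}

	/**
	 * Output the admin page head.
	 *
	 * A <base href> pointing at $CONF['AdminURL'] is appended to $extraHead
	 * so relative links on the plugin page resolve within the admin area.
	 *
	 * @param string $extraHead extra markup for the <head> section
	 */
	function start($extraHead = '')
	{
		global $CONF;
		$strBaseHref = '<base href="' . htmlspecialchars($CONF['AdminURL']) . '" />';
		$extraHead .= $strBaseHref;

		$this->admin->pagehead($extraHead);
	}

	/**
	 * Output the ticket script (see _AddTicketByJS()) followed by the admin
	 * page foot.
	 */
	function end()
	{
		$this->_AddTicketByJS();
		$this->admin->pagefoot();
	}

	/**
	 * Add ticket when not used in plugin's admin page
	 * to avoid CSRF.
	 *
	 * Emits a script that appends ticket=... to every link with a query
	 * string that lacks one, and a hidden "ticket" input to every form that
	 * has none. Links and form actions that are absolute URLs not under
	 * $CONF['PluginURL'] are skipped so the ticket is not sent to other hosts.
	 *
	 * Does nothing when $ticketforplugin['ticket'] is unset or empty.
	 */
	function _AddTicketByJS(){
		global $CONF,$ticketforplugin;
		// empty() also covers $ticketforplugin not being set at all, which
		// would otherwise raise an undefined-variable/index notice.
		if (empty($ticketforplugin['ticket'])) {
			//echo "\n<!--TicketForPlugin skipped-->\n";
			return;
		}
		// The ticket is written into JS string literals and an HTML attribute
		// value below; ENT_QUOTES covers the single-quoted JS strings too.
		$ticket=htmlspecialchars($ticketforplugin['ticket'],ENT_QUOTES);

		// NOTE(review): $CONF['PluginURL'] is written into JS string literals
		// below without escaping; this assumes it is trusted admin
		// configuration (no quote or "</script>" in it) — confirm where it is set.
		?><script type="text/javascript">
		/*<![CDATA[*/
		/* Add tickets for available links (outside blog excluded) */
		for (i=0;document.links[i];i++){
			if (document.links[i].href.indexOf('<?php echo $CONF['PluginURL']; ?>',0)<0
			 && !(document.links[i].href.indexOf('//',0)<0)) continue;
			if ((j=document.links[i].href.indexOf('?',0))<0) continue;
			if (document.links[i].href.indexOf('ticket=',j)>=0) continue;
			document.links[i].href=document.links[i].href.substring(0,j+1)+'ticket=<?php echo $ticket; ?>&'+document.links[i].href.substring(j+1);
		}
		/* Add tickets for forms (outside blog excluded) */
		for (i=0;document.forms[i];i++){
			/* check if ticket is already used */
			for (j=0;document.forms[i].elements[j];j++) {
				if (document.forms[i].elements[j].name=='ticket') {
					j=-1;
					break;
				}
			}
			if (j==-1) continue;

			/* check if the modification works */
			try{document.forms[i].innerHTML+='';}catch(e){
				/* Modification failed: this sometimes happens on IE */
				if (!document.forms[i].action.name && document.forms[i].method.toUpperCase()=="POST") {
					/* <input name="action"/> is not used for POST method*/
					if (document.forms[i].action.indexOf('<?php echo $CONF['PluginURL']; ?>',0)<0
					 && !(document.forms[i].action.indexOf('//',0)<0)) continue;
					if (0<(j=document.forms[i].action.indexOf('?',0))) if (0<document.forms[i].action.indexOf('ticket=',j)) continue;
					if (j<0) document.forms[i].action+='?'+'ticket=<?php echo $ticket; ?>';
					else document.forms[i].action+='&'+'ticket=<?php echo $ticket; ?>';
					continue;
				}
				document.write('<p><b>Error occured druing automatic addition of tickets.</b></p>');
				j=document.forms[i].outerHTML;
				/* escape '<' so the form markup is shown as text instead of being re-parsed
				   (replacing '<' with itself, as before, never changed anything) */
				while (j!=j.replace('<','&lt;')) j=j.replace('<','&lt;');
				document.write('<p>'+j+'</p>');
				continue;
			}
			/* check the action parameter in form tag */
			/* note that <input name="action"/> may be used here */
			j=document.forms[i].innerHTML;
			document.forms[i].innerHTML='';
			if ((document.forms[i].action+'').indexOf('<?php echo $CONF['PluginURL']; ?>',0)<0
			 && !((document.forms[i].action+'').indexOf('//',0)<0)) {
				document.forms[i].innerHTML=j;
				continue;
			}
			/* add ticket */
			document.forms[i].innerHTML=j+'<input type="hidden" name="ticket" value="<?php echo $ticket; ?>"/>';
		}
		/*]]>*/
		</script><?php

	}
}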