This project does not seem to handle request data directly as such no vulnerable execution paths were found.
include
, or for example
via PHP's auto-loading mechanism.
1 | <?php |
||
2 | /** |
||
3 | * About |
||
4 | * |
||
5 | * You may not change or alter any portion of this comment or credits |
||
6 | * of supporting developers from this source code or any supporting source code |
||
7 | * which is considered copyrighted (c) material of the original comment or credit authors. |
||
8 | * This program is distributed in the hope that it will be useful, |
||
9 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
||
10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. |
||
11 | * |
||
12 | * @copyright The XOOPS Co.Ltd. http://www.xoops.com.cn |
||
13 | * @copyright XOOPS Project (https://xoops.org) |
||
14 | * @license GNU GPL 2 or later (https://www.gnu.org/licenses/gpl-2.0.html) |
||
15 | * @since 1.0.0 |
||
16 | * @author Mengjue Shao <[email protected]> |
||
17 | * @author Susheng Yang <[email protected]> |
||
18 | */ |
||
19 | |||
20 | use Xmf\Request; |
||
21 | use Xmf\Module\Admin; |
||
22 | use XoopsModules\About\Constants; |
||
23 | use XoopsModules\About\PageHandler; |
||
24 | /** @var \XoopsModules\About\PageHandler $pageHandler */ |
||
25 | /** @var Helper $helper */ |
||
26 | |||
27 | require_once __DIR__ . '/admin_header.php'; |
||
28 | |||
29 | xoops_cp_header(); |
||
30 | |||
31 | $adminObject = Xmf\Module\Admin::getInstance(); |
||
32 | $adminObject->displayNavigation(basename(__FILE__)); |
||
33 | |||
34 | $op = Request::getCmd('op', null); |
||
35 | $op = $op ?? (isset($_REQUEST['id']) ? 'edit' : 'list'); |
||
36 | $page_id = Request::getInt('id', null); |
||
37 | |||
38 | //$pageHandler = new About\PageHandler(); |
||
39 | |||
40 | switch ($op) { |
||
41 | default: |
||
42 | case 'list': |
||
43 | // Page order |
||
44 | if (Request::hasVar('page_order', 'POST')) { |
||
45 | $page_order = Request::getArray('page_order', [], 'POST'); //$_POST['page_order']; |
||
46 | foreach ($page_order as $page_id => $order) { |
||
47 | $pageObj = $pageHandler->get($page_id); |
||
48 | if ($page_order[$page_id] != $pageObj->getVar('page_order')) { |
||
49 | $pageObj->setVar('page_order', $page_order[$page_id]); |
||
50 | $pageHandler->insert($pageObj); |
||
51 | } |
||
52 | unset($pageObj); |
||
53 | } |
||
54 | } |
||
55 | // Set index |
||
56 | if (Request::hasVar('page_index', 'POST')) { |
||
57 | $page_index = Request::getInt('page_index', Constants::NOT_INDEX, 'POST'); |
||
58 | $pageObj = $pageHandler->get($page_index); |
||
59 | if ($page_index != $pageObj->getVar('page_index')) { |
||
60 | $pageObj = $pageHandler->get($page_index); |
||
61 | if (!$pageObj->getVar('page_title')) { |
||
62 | $helper->redirect('admin/admin.page.php', Constants::REDIRECT_DELAY_MEDIUM, _AM_ABOUT_PAGE_ORDER_ERROR); |
||
63 | } |
||
64 | $pageHandler->updateAll('page_index', Constants::NOT_INDEX, null); |
||
65 | unset($criteria); |
||
66 | $pageObj->setVar('page_index', Constants::DEFAULT_INDEX); |
||
67 | $pageHandler->insert($pageObj); |
||
68 | } |
||
69 | unset($pageObj); |
||
70 | } |
||
71 | $fields = [ |
||
72 | 'page_id', |
||
73 | 'page_pid', |
||
74 | 'page_menu_title', |
||
75 | 'page_author', |
||
76 | 'page_pushtime', |
||
77 | 'page_blank', |
||
78 | 'page_menu_status', |
||
79 | 'page_type', |
||
80 | 'page_status', |
||
81 | 'page_order', |
||
82 | 'page_index', |
||
83 | 'page_tpl', |
||
84 | ]; |
||
85 | |||
86 | $criteria = new \CriteriaCompo(); |
||
87 | $criteria->setSort('page_order'); |
||
88 | $criteria->order = 'ASC'; |
||
89 | $pages = $pageHandler->getTrees(0, '--', $fields); |
||
90 | /** @var \XoopsMemberHandler $memberHandler */ |
||
91 | $memberHandler = xoops_getHandler('member'); |
||
92 | |||
93 | foreach ($pages as $k => $v) { |
||
94 | $pages[$k]['page_menu_title'] = $v['prefix'] . $v['page_menu_title']; |
||
95 | $pages[$k]['page_pushtime'] = formatTimestamp($v['page_pushtime'], _DATESTRING); |
||
96 | $thisuser = $memberHandler->getUser($v['page_author']); |
||
97 | $pages[$k]['page_author'] = $thisuser->getVar('uname'); |
||
98 | unset($thisuser); |
||
99 | } |
||
100 | |||
101 | $xoopsTpl->assign('pages', $pages); |
||
102 | $xoopsTpl->display('db:about_admin_page.tpl'); |
||
103 | break; |
||
104 | case 'new': |
||
105 | $GLOBALS['xoTheme']->addStylesheet("modules/{$moduleDirName}/assets/css/admin_style.css"); |
||
106 | $pageObj = $pageHandler->create(); |
||
107 | $form = require $helper->path('include/form.page.php'); |
||
108 | $form->display(); |
||
109 | break; |
||
110 | case 'edit': |
||
111 | $GLOBALS['xoTheme']->addStylesheet("modules/{$moduleDirName}/assets/css/admin_style.css"); |
||
112 | $pageObj = $pageHandler->get($page_id); |
||
113 | $form = require $helper->path('include/form.page.php'); |
||
114 | $form->display(); |
||
115 | break; |
||
116 | case 'save': |
||
117 | if (!$GLOBALS['xoopsSecurity']->check()) { |
||
118 | $helper->redirect('admin/admin.page.php', Constants::REDIRECT_DELAY_MEDIUM, implode(',', $GLOBALS['xoopsSecurity']->getErrors())); |
||
119 | } |
||
120 | $pageObj = $pageHandler->get($page_id); // will get page_obj if $page_id is valid, create one if not |
||
121 | |||
122 | // Assign value to elements of objects |
||
123 | foreach (array_keys($pageObj->vars) as $key) { |
||
124 | if (isset($_POST[$key]) && $_POST[$key] != $pageObj->getVar($key)) { |
||
125 | $pageObj->setVar($key, $_POST[$key]); |
||
126 | } |
||
127 | } |
||
128 | // Assign menu title |
||
129 | if (empty($_POST['page_menu_title'])) { |
||
130 | $pageObj->setVar('page_menu_title', Request::getString('page_title', '')); |
||
131 | } |
||
132 | // Set index |
||
133 | if (!$pageHandler->getCount()) { |
||
134 | $pageObj->setVar('page_index', Constants::DEFAULT_INDEX); |
||
135 | } |
||
136 | |||
137 | // Set submitter |
||
138 | global $xoopsUser; |
||
139 | $pageObj->setVar('page_author', $xoopsUser->getVar('uid')); |
||
140 | $pageObj->setVar('page_pushtime', time()); |
||
141 | |||
142 | /* removed - this is now done during module install/update |
||
143 | require_once $helper->path("include/functions.php"); |
||
144 | if (aboutmkdirs(XOOPS_UPLOAD_PATH . "/{$moduleDirName}")) { |
||
145 | $upload_path = XOOPS_UPLOAD_PATH . "/{$moduleDirName}"; |
||
146 | } |
||
147 | */ |
||
148 | |||
149 | $upload_path = XOOPS_UPLOAD_PATH . "/{$moduleDirName}"; |
||
150 | |||
151 | // Upload image |
||
152 | if (!empty($_FILES['userfile']['name'])) { |
||
153 | require_once XOOPS_ROOT_PATH . '/class/uploader.php'; |
||
154 | $allowed_mimetypes = ['image/gif', 'image/jpeg', 'image/jpg', 'image/png', 'image/x-png']; |
||
155 | $maxfilesize = 500000; |
||
156 | $maxfilewidth = 1200; |
||
157 | $maxfileheight = 1200; |
||
158 | $uploader = new \XoopsMediaUploader($upload_path, $allowed_mimetypes, $maxfilesize, $maxfilewidth, $maxfileheight); |
||
159 | if ($uploader->fetchMedia($_POST['xoops_upload_file'][0])) { |
||
160 | $uploader->setPrefix('attch_'); |
||
161 | if (!$uploader->upload()) { |
||
162 | $error_upload = $uploader->getErrors(); |
||
163 | } elseif (file_exists($uploader->getSavedDestination())) { |
||
164 | if ($pageObj->getVar('page_image')) { |
||
165 | @unlink($upload_path . '/' . $pageObj->getVar('page_image')); |
||
0 ignored issues
–
show
|
|||
166 | } |
||
167 | $pageObj->setVar('page_image', $uploader->getSavedFileName()); |
||
168 | } |
||
169 | } |
||
170 | } |
||
171 | |||
172 | // Delete image |
||
173 | if (Request::hasVar('delete_image', 'POST') && empty($_FILES['userfile']['name'])) { |
||
174 | @unlink($upload_path . '/' . $pageObj->getVar('page_image')); |
||
175 | $pageObj->setVar('page_image', ''); |
||
176 | } |
||
177 | |||
178 | // Insert object |
||
179 | if ($pageHandler->insert($pageObj)) { |
||
180 | $helper->redirect('admin/admin.page.php', Constants::REDIRECT_DELAY_MEDIUM, sprintf(_AM_ABOUT_SAVEDSUCCESS, _AM_ABOUT_PAGE_INSERT)); |
||
181 | } |
||
182 | |||
183 | echo $pageObj->getHtmlErrors(); |
||
184 | $format = 'p'; |
||
185 | $form = require $helper->path('include/form.page.php'); |
||
186 | $form->display(); |
||
187 | |||
188 | break; |
||
189 | case 'delete': |
||
190 | $pageObj = $pageHandler->get($page_id); |
||
191 | $image = XOOPS_UPLOAD_PATH . "/{$moduleDirName}/" . $pageObj->getVar('page_image'); |
||
192 | if (Request::hasVar('ok', 'REQUEST') && Constants::CONFIRM_OK == $_REQUEST['ok']) { |
||
193 | if ($pageHandler->delete($pageObj)) { |
||
194 | if (file_exists($image)) { |
||
195 | @unlink($image); |
||
196 | } |
||
197 | $helper->redirect('admin/admin.page.php', Constants::REDIRECT_DELAY_MEDIUM, _AM_ABOUT_DELETESUCCESS); |
||
198 | } else { |
||
199 | echo $pageObj->getHtmlErrors(); |
||
200 | } |
||
201 | } else { |
||
202 | xoops_confirm(['ok' => Constants::CONFIRM_OK, 'id' => $pageObj->getVar('page_id'), 'op' => 'delete'], $_SERVER['REQUEST_URI'], sprintf(_AM_ABOUT_RUSUREDEL, $pageObj->getVar('page_menu_title'))); |
||
203 | } |
||
204 | break; |
||
205 | } |
||
206 | |||
207 | require_once __DIR__ . '/admin_footer.php'; |
||
208 |
If you suppress an error, we recommend checking for the error condition explicitly: