1
|
|
|
<?php |
|
|
|
|
2
|
|
|
// GIJOE's Ticket Class (based on Marijuana's Oreteki XOOPS) |
3
|
|
|
// nobunobu's suggestions are applied |
4
|
|
|
|
5
|
|
|
if (!class_exists('XoopsGTicket')) { |
6
|
|
|
|
7
|
|
|
class XoopsGTicket { |
|
|
|
|
8
|
|
|
|
9
|
|
|
var $_errors = array(); |
|
|
|
|
10
|
|
|
var $_latest_token = ''; |
|
|
|
|
11
|
|
|
var $messages = array(); |
|
|
|
|
12
|
|
|
|
13
|
|
|
function __construct() |
|
|
|
|
14
|
|
|
{ |
15
|
|
|
global $xoopsConfig; |
|
|
|
|
16
|
|
|
|
17
|
|
|
// language file |
18
|
|
|
if (defined('XOOPS_ROOT_PATH') && !empty($xoopsConfig['language']) && !strstr($xoopsConfig['language'], '/')) { |
19
|
|
|
if (file_exists(dirname(__DIR__) . '/language/' . $xoopsConfig['language'] . '/gticket_messages.phtml')) { |
20
|
|
|
include dirname(__DIR__) . '/language/' . $xoopsConfig['language'] . '/gticket_messages.phtml'; |
21
|
|
|
} |
22
|
|
|
} |
23
|
|
|
|
24
|
|
|
// default messages |
25
|
|
|
if(empty($this->messages)) $this->messages = array( |
26
|
|
|
'err_general' => 'GTicket Error' , |
27
|
|
|
'err_nostubs' => 'No stubs found' , |
28
|
|
|
'err_noticket' => 'No ticket found' , |
29
|
|
|
'err_nopair' => 'No valid ticket-stub pair found' , |
30
|
|
|
'err_timeout' => 'Time out' , |
31
|
|
|
'err_areaorref' => 'Invalid area or referer' , |
32
|
|
|
'fmt_prompt4repost' => 'error(s) found:<br><span style="background-color:red;font-weight:bold;color:white;">%s</span><br>Confirm it.<br>And do you want to post again?' , |
33
|
|
|
'btn_repost' => 'repost' , |
34
|
|
|
); |
35
|
|
|
} |
36
|
|
|
|
37
|
|
|
// render form as plain html |
38
|
|
|
function getTicketHtml($salt = '', $timeout = 1800, $area = '') |
|
|
|
|
39
|
|
|
{ |
40
|
|
|
return '<input type="hidden" name="XOOPS_G_TICKET" value="' . $this->issue($salt, $timeout, $area) . '">'; |
41
|
|
|
} |
42
|
|
|
|
43
|
|
|
// returns an object of XoopsFormHidden including theh ticket |
44
|
|
|
function getTicketXoopsForm($salt = '', $timeout = 1800, $area = '') |
|
|
|
|
45
|
|
|
{ |
46
|
|
|
return new XoopsFormHidden('XOOPS_G_TICKET', $this->issue($salt, $timeout, $area)); |
47
|
|
|
} |
48
|
|
|
|
49
|
|
|
// add a ticket as Hidden Element into XoopsForm |
50
|
|
|
function addTicketXoopsFormElement(&$form, $salt = '', $timeout = 1800, $area = '') |
|
|
|
|
51
|
|
|
{ |
52
|
|
|
$form->addElement(new XoopsFormHidden('XOOPS_G_TICKET', $this->issue($salt, $timeout, $area))); |
53
|
|
|
} |
54
|
|
|
|
55
|
|
|
// returns an array for xoops_confirm(); |
|
|
|
|
56
|
|
|
function getTicketArray($salt = '', $timeout = 1800, $area = '') |
|
|
|
|
57
|
|
|
{ |
58
|
|
|
return array('XOOPS_G_TICKET' => $this->issue($salt, $timeout, $area)); |
59
|
|
|
} |
60
|
|
|
|
61
|
|
|
// return GET parameter string. |
62
|
|
|
function getTicketParamString($salt = '', $noamp = false, $timeout=1800, $area = '') |
|
|
|
|
63
|
|
|
{ |
64
|
|
|
return ($noamp ? '' : '&') . 'XOOPS_G_TICKET=' . $this->issue($salt, $timeout, $area); |
65
|
|
|
} |
66
|
|
|
|
67
|
|
|
// issue a ticket |
68
|
|
|
function issue($salt = '', $timeout = 1800, $area = '') |
|
|
|
|
69
|
|
|
{ |
70
|
|
|
global $xoopsModule; |
|
|
|
|
71
|
|
|
|
72
|
|
|
// create a token |
73
|
|
|
list($usec, $sec) = explode(' ', microtime()); |
74
|
|
|
$appendix_salt = empty($_SERVER['PATH']) ? XOOPS_DB_NAME : $_SERVER['PATH']; |
75
|
|
|
$token = crypt( $salt . $usec . $appendix_salt . $sec ); |
76
|
|
|
$this->_latest_token = $token; |
77
|
|
|
|
78
|
|
|
if (empty($_SESSION['XOOPS_G_STUBS'])) { |
79
|
|
|
$_SESSION['XOOPS_G_STUBS'] = array(); |
80
|
|
|
} |
81
|
|
|
|
82
|
|
|
// limit max stubs 10 |
83
|
|
|
if (sizeof($_SESSION['XOOPS_G_STUBS']) > 10) { |
84
|
|
|
$_SESSION['XOOPS_G_STUBS'] = array_slice( $_SESSION['XOOPS_G_STUBS'] , -10 ); |
85
|
|
|
} |
86
|
|
|
|
87
|
|
|
// record referer if browser send it |
88
|
|
|
$referer = empty( $_SERVER['HTTP_REFERER'] ) ? '' : $_SERVER['REQUEST_URI']; |
89
|
|
|
|
90
|
|
|
// area as module's dirname |
91
|
|
|
if (!$area && is_object(@$xoopsModule)) { |
92
|
|
|
$area = $xoopsModule->getVar('dirname'); |
93
|
|
|
} |
94
|
|
|
|
95
|
|
|
// store stub |
96
|
|
|
$_SESSION['XOOPS_G_STUBS'][] = array( |
97
|
|
|
'expire' => time() + $timeout , |
98
|
|
|
'referer' => $referer , |
99
|
|
|
'area' => $area , |
100
|
|
|
'token' => $token |
101
|
|
|
); |
102
|
|
|
|
103
|
|
|
// paid md5ed token as a ticket |
104
|
|
|
return md5($token . XOOPS_DB_PREFIX); |
105
|
|
|
} |
106
|
|
|
|
107
|
|
|
// check a ticket |
108
|
|
|
function check($post = true, $area = '', $allow_repost = true) |
|
|
|
|
109
|
|
|
{ |
110
|
|
|
global $xoopsModule; |
|
|
|
|
111
|
|
|
|
112
|
|
|
$this->_errors = array(); |
113
|
|
|
|
114
|
|
|
// CHECK: stubs are not stored in session |
115
|
|
|
if (! is_array(@$_SESSION['XOOPS_G_STUBS'])) { |
116
|
|
|
$this->_errors[] = $this->messages['err_nostubs']; |
117
|
|
|
$_SESSION['XOOPS_G_STUBS'] = array(); |
118
|
|
|
} |
119
|
|
|
|
120
|
|
|
// get key&val of the ticket from a user's query |
121
|
|
|
$ticket = $post ? @$_POST['XOOPS_G_TICKET'] : @$_GET['XOOPS_G_TICKET']; |
122
|
|
|
|
123
|
|
|
// CHECK: no tickets found |
124
|
|
|
if (empty($ticket)) { |
125
|
|
|
$this->_errors[] = $this->messages['err_noticket']; |
126
|
|
|
} |
127
|
|
|
|
128
|
|
|
// gargage collection & find a right stub |
129
|
|
|
$stubs_tmp = $_SESSION['XOOPS_G_STUBS']; |
130
|
|
|
$_SESSION['XOOPS_G_STUBS'] = array(); |
131
|
|
|
foreach ($stubs_tmp as $stub) { |
132
|
|
|
// default lifetime 30min |
133
|
|
|
if ($stub['expire'] >= time()) { |
134
|
|
|
if (md5($stub['token'] . XOOPS_DB_PREFIX) === $ticket) { |
135
|
|
|
$found_stub = $stub; |
136
|
|
|
} else { |
137
|
|
|
// store the other valid stubs into session |
138
|
|
|
$_SESSION['XOOPS_G_STUBS'][] = $stub; |
139
|
|
|
} |
140
|
|
|
} else { |
141
|
|
|
if (md5($stub['token'] . XOOPS_DB_PREFIX) === $ticket) { |
142
|
|
|
// not CSRF but Time-Out |
143
|
|
|
$timeout_flag = true; |
144
|
|
|
} |
145
|
|
|
} |
146
|
|
|
} |
147
|
|
|
|
148
|
|
|
// CHECK: the right stub found or not |
149
|
|
|
if (empty($found_stub)) { |
150
|
|
|
if (empty($timeout_flag)) { |
151
|
|
|
$this->_errors[] = $this->messages['err_nopair']; |
152
|
|
|
} else { |
153
|
|
|
$this->_errors[] = $this->messages['err_timeout']; |
154
|
|
|
} |
155
|
|
|
} else { |
156
|
|
|
|
157
|
|
|
// set area if necessary |
158
|
|
|
// area as module's dirname |
159
|
|
|
if (!$area && is_object(@$xoopsModule)) { |
160
|
|
|
$area = $xoopsModule->getVar('dirname'); |
161
|
|
|
} |
162
|
|
|
|
163
|
|
|
// check area or referer |
164
|
|
|
if (@$found_stub['area'] == $area) { |
165
|
|
|
$area_check = true; |
166
|
|
|
} |
167
|
|
|
if (!empty($found_stub['referer'] ) && strstr(@$_SERVER['HTTP_REFERER'], $found_stub['referer'])) { |
168
|
|
|
$referer_check = true; |
169
|
|
|
} |
170
|
|
|
|
171
|
|
|
if (empty($area_check) && empty($referer_check)) { // loose |
172
|
|
|
$this->_errors[] = $this->messages['err_areaorref']; |
173
|
|
|
} |
174
|
|
|
} |
175
|
|
|
|
176
|
|
|
if (!empty($this->_errors)) { |
177
|
|
|
if ($allow_repost) { |
178
|
|
|
// repost form |
179
|
|
|
$this->draw_repost_form( $area ); |
180
|
|
|
exit; |
|
|
|
|
181
|
|
|
} else { |
182
|
|
|
// failed |
183
|
|
|
$this->clear(); |
184
|
|
|
return false; |
185
|
|
|
} |
186
|
|
|
} else { |
187
|
|
|
// all green |
188
|
|
|
return true; |
189
|
|
|
} |
190
|
|
|
} |
191
|
|
|
|
192
|
|
|
// draw form for repost |
193
|
|
|
function draw_repost_form($area = '') |
|
|
|
|
194
|
|
|
{ |
195
|
|
|
// Notify which file is broken |
196
|
|
|
if (headers_sent()) { |
197
|
|
|
restore_error_handler(); |
198
|
|
|
set_error_handler('GTicket_ErrorHandler4FindOutput'); |
199
|
|
|
header('Dummy: for warning'); |
200
|
|
|
restore_error_handler(); |
201
|
|
|
exit; |
|
|
|
|
202
|
|
|
} |
203
|
|
|
|
204
|
|
|
error_reporting( 0 ); |
205
|
|
|
while (ob_get_level()) { |
206
|
|
|
ob_end_clean(); |
207
|
|
|
} |
208
|
|
|
|
209
|
|
|
$table = '<table>'; |
210
|
|
|
$form = '<form action="?' . htmlspecialchars(@$_SERVER['QUERY_STRING'],ENT_QUOTES) . '" method="post" >'; |
211
|
|
|
foreach ($_POST as $key => $val) { |
212
|
|
|
if ($key == 'XOOPS_G_TICKET') { |
213
|
|
|
continue; |
214
|
|
|
} |
215
|
|
|
if (get_magic_quotes_gpc()) { |
216
|
|
|
$key = stripslashes($key); |
217
|
|
|
} |
218
|
|
|
if (is_array($val)) { |
219
|
|
|
list($tmp_table, $tmp_form) = $this->extract_post_recursive( htmlspecialchars($key,ENT_QUOTES), $val); |
220
|
|
|
$table .= $tmp_table; |
221
|
|
|
$form .= $tmp_form; |
222
|
|
|
} else { |
223
|
|
|
if (get_magic_quotes_gpc()) { |
224
|
|
|
$val = stripslashes($val); |
225
|
|
|
} |
226
|
|
|
$table .= '<tr><th>' . htmlspecialchars($key, ENT_QUOTES) . '</th><td>' . htmlspecialchars($val, ENT_QUOTES) . '</td></tr>'."\n"; |
227
|
|
|
$form .= '<input type="hidden" name="' . htmlspecialchars($key, ENT_QUOTES) . '" value="'.htmlspecialchars($val, ENT_QUOTES) . '">'."\n"; |
228
|
|
|
} |
229
|
|
|
} |
230
|
|
|
$table .= '</table>'; |
231
|
|
|
$form .= $this->getTicketHtml(__LINE__, 300, $area) . '<input type="submit" value="' . $this->messages['btn_repost'] . '"></form>'; |
232
|
|
|
|
233
|
|
|
echo '<html><head><title>' . $this->messages['err_general'] . '</title><style>table,td,th {border:solid black 1px; border-collapse:collapse;}</style></head><body>' . sprintf($this->messages['fmt_prompt4repost'], $this->getErrors()) . $table . $form . '</body></html>'; |
234
|
|
|
} |
235
|
|
|
|
236
|
|
|
function extract_post_recursive($key_name, $tmp_array) { |
|
|
|
|
237
|
|
|
$table = ''; |
238
|
|
|
$form = ''; |
239
|
|
|
foreach ($tmp_array as $key => $val) { |
240
|
|
|
if (get_magic_quotes_gpc()) { |
241
|
|
|
$key = stripslashes($key); |
242
|
|
|
} |
243
|
|
|
if (is_array($val)) { |
244
|
|
|
list($tmp_table, $tmp_form) = $this->extract_post_recursive($key_name . '[' . htmlspecialchars($key, ENT_QUOTES) . ']', $val); |
245
|
|
|
$table .= $tmp_table; |
246
|
|
|
$form .= $tmp_form; |
247
|
|
|
} else { |
248
|
|
|
if (get_magic_quotes_gpc()) { |
249
|
|
|
$val = stripslashes($val); |
250
|
|
|
} |
251
|
|
|
$table .= '<tr><th>' . $key_name . '[' . htmlspecialchars($key, ENT_QUOTES) . ']</th><td>' . htmlspecialchars($val, ENT_QUOTES) . '</td></tr>' . "\n"; |
252
|
|
|
$form .= '<input type="hidden" name="'.$key_name.'['.htmlspecialchars($key,ENT_QUOTES).']" value="'.htmlspecialchars($val,ENT_QUOTES).'">'."\n"; |
253
|
|
|
} |
254
|
|
|
} |
255
|
|
|
return array($table, $form); |
256
|
|
|
} |
257
|
|
|
|
258
|
|
|
|
259
|
|
|
// clear all stubs |
260
|
|
|
function clear() |
|
|
|
|
261
|
|
|
{ |
262
|
|
|
$_SESSION['XOOPS_G_STUBS'] = array(); |
263
|
|
|
} |
264
|
|
|
|
265
|
|
|
|
266
|
|
|
// Ticket Using |
267
|
|
|
function using() |
|
|
|
|
268
|
|
|
{ |
269
|
|
|
if (!empty($_SESSION['XOOPS_G_STUBS'])) { |
270
|
|
|
return true; |
271
|
|
|
} else { |
272
|
|
|
return false; |
273
|
|
|
} |
274
|
|
|
} |
275
|
|
|
|
276
|
|
|
|
277
|
|
|
// return errors |
278
|
|
|
function getErrors($ashtml = true) |
|
|
|
|
279
|
|
|
{ |
280
|
|
|
if ($ashtml) { |
281
|
|
|
$ret = ''; |
282
|
|
|
foreach ($this->_errors as $msg) { |
283
|
|
|
$ret .= "{$msg}<br>\n"; |
284
|
|
|
} |
285
|
|
|
} else { |
286
|
|
|
$ret = $this->_errors; |
287
|
|
|
} |
288
|
|
|
return $ret; |
289
|
|
|
} |
290
|
|
|
|
291
|
|
|
// end of class |
292
|
|
|
} |
293
|
|
|
|
294
|
|
|
// create a instance in global scope |
295
|
|
|
$GLOBALS['xoopsGTicket'] = new XoopsGTicket(); |
296
|
|
|
|
297
|
|
|
} |
298
|
|
|
|
299
|
|
|
if (!function_exists('admin_refcheck')) { |
300
|
|
|
|
301
|
|
|
//Admin Referer Check By Marijuana(Rev.011) |
302
|
|
|
function admin_refcheck($chkref = '') { |
|
|
|
|
303
|
|
|
if (empty($_SERVER['HTTP_REFERER'])) { |
304
|
|
|
return true; |
305
|
|
|
} else { |
306
|
|
|
$ref = $_SERVER['HTTP_REFERER']; |
307
|
|
|
} |
308
|
|
|
$cr = XOOPS_URL; |
309
|
|
|
if ($chkref != '') { |
310
|
|
|
$cr .= $chkref; |
311
|
|
|
} |
312
|
|
|
if (strpos($ref, $cr) !== 0) { |
313
|
|
|
return false; |
314
|
|
|
} |
315
|
|
|
return true; |
316
|
|
|
} |
317
|
|
|
} |
318
|
|
|
|
319
|
|
|
function GTicket_ErrorHandler4FindOutput($errNo, $errStr, $errFile, $errLine) |
|
|
|
|
320
|
|
|
{ |
321
|
|
|
if (preg_match('?' . preg_quote(XOOPS_ROOT_PATH) . '([^:]+)\:(\d+)?', $errStr, $regs)) { |
322
|
|
|
echo 'Irregular output! check the file ' . htmlspecialchars($regs[1]) . ' line ' . htmlspecialchars($regs[2]); |
323
|
|
|
} else { |
324
|
|
|
echo 'Irregular output! check language files etc.'; |
325
|
|
|
} |
326
|
|
|
return; |
327
|
|
|
} |
328
|
|
|
|
The PSR-1: Basic Coding Standard recommends that a file should either introduce new symbols, that is classes, functions, constants or similar, or have side effects. Side effects are anything that executes logic, like for example printing output, changing ini settings or writing to a file.
The idea behind this recommendation is that merely auto-loading a class should not change the state of an application. It also promotes a cleaner style of programming and makes your code less prone to errors, because the logic is not spread out all over the place.
To learn more about the PSR-1, please see the PHP-FIG site on the PSR-1.