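This project does not seem to handle request data directly; as such, no vulnerable execution paths were found. Note, however, that the listing below reads `$_GET` and `$_POST` directly, so this result is limited to the execution paths the analyzer was able to trace.
`include`, or for example via PHP's auto-loading mechanism.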
1 | <?php |
||||||
2 | /* |
||||||
3 | * You may not change or alter any portion of this comment or credits |
||||||
4 | * of supporting developers from this source code or any supporting source code |
||||||
5 | * which is considered copyrighted (c) material of the original comment or credit authors. |
||||||
6 | * |
||||||
7 | * This program is distributed in the hope that it will be useful, |
||||||
8 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
||||||
9 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. |
||||||
10 | */ |
||||||
11 | |||||||
12 | /** |
||||||
13 | * @copyright XOOPS Project https://xoops.org/ |
||||||
14 | * @license GNU GPL 2 or later (http://www.gnu.org/licenses/gpl-2.0.html) |
||||||
15 | * @package |
||||||
16 | * @since |
||||||
17 | * @author XOOPS Development Team, Kazumi Ono (AKA onokazu) |
||||||
18 | */ |
||||||
19 | |||||||
20 | use XoopsModules\Soapbox; |
||||||
21 | |||||||
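// Gate: only an administrator of the current module may go any further.
// $xoopsUser and $xoopsModule are not defined in this file; presumably the
// including admin script provides them (confirm against the caller).
if (!is_object($xoopsUser) || !is_object($xoopsModule) || !$xoopsUser->isAdmin($xoopsModule->mid())) {
    exit('Access Denied');
}

// Requested operation. A GET value still takes precedence over a POST value.
// The value is read through the request filter instead of the raw superglobals,
// so an array-valued "op" can no longer reach trim() and unexpected characters
// are stripped before the strict comparisons further down.
$op = 'list';
if (\Xmf\Request::hasVar('op', 'POST')) {
    $op = \Xmf\Request::getCmd('op', 'list', 'POST');
}
if (\Xmf\Request::hasVar('op', 'GET')) {
    $op = \Xmf\Request::getCmd('op', 'list', 'GET');
}

// Optional category id; it stays undefined when the parameter is absent.
if (\Xmf\Request::hasVar('confcat_id', 'GET')) {
    $confcat_id = \Xmf\Request::getInt('confcat_id', 0, 'GET');
}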
||||||
35 | |||||||
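if ('showmod' === $op) {
    // Renders the preferences form for the module whose id arrives in ?mod=.
    // The static analyzer reported getConfigOptions() as missing on XoopsObjectHandler;
    // the annotation below names the concrete handler type this code relies on.
    /** @var \XoopsConfigHandler $configHandler */
    $configHandler = xoops_getHandler('config');
    $mod = \Xmf\Request::getInt('mod', 0, 'GET');
    if (empty($mod)) {
        header('Location: admin.php?fct=preferences');
        exit();
    }
    // NOTE(review): $mod comes from the query string and is never compared with
    // $xoopsModule->mid(); confirm whether an administrator of this module is
    // meant to view the settings of other modules.
    $config = $configHandler->getConfigs(new \Criteria('conf_modid', $mod));
    $count  = count($config);
    if ($count < 1) {
        redirect_header('admin.php?fct=preferences', 1);
    }
    require_once XOOPS_ROOT_PATH . '/class/xoopsformloader.php';
    // The fifth argument asks the form to embed the security token that the
    // 'save' branch verifies with $GLOBALS['xoopsSecurity']->check(). The ticket
    // call that used to precede the submit button is commented out, so without
    // this the form would post no token.
    // NOTE(review): confirm against the XoopsForm constructor of the targeted XOOPS version.
    $form = new \XoopsThemeForm(_MD_AM_MODCONFIG, 'pref_form', 'admin.php?fct=preferences', 'post', true);
    /** @var \XoopsModuleHandler $moduleHandler */
    $moduleHandler = xoops_getHandler('module');
    $module        = $moduleHandler->get($mod);
    if (!is_object($module)) {
        // Configuration rows without a matching module: nothing sensible to render.
        redirect_header('admin.php?fct=preferences', 1);
        exit();
    }

    /** @var Soapbox\Helper $helper */
    $helper = Soapbox\Helper::getInstance();
    $helper->loadLanguage('modinfo');

    // NOTE(review): $xoopsConfig['language'] becomes part of an include path below.
    // It is a stored configuration value; make sure whatever writes it only accepts
    // a plain directory name.
    // if has comments feature, need comment lang file
    if (1 == $module->getVar('hascomments')) {
        require_once XOOPS_ROOT_PATH . '/language/' . $xoopsConfig['language'] . '/comment.php';
    }
    // RMV-NOTIFY
    // if has notification feature, need notification lang file
    if (1 == $module->getVar('hasnotification')) {
        require_once XOOPS_ROOT_PATH . '/language/' . $xoopsConfig['language'] . '/notification.php';
    }

    // Resolves a language-constant name to its text; falls back to the raw name
    // when the constant is not defined, so a missing language entry no longer
    // aborts the page inside constant().
    $resolveConstant = static function ($name) {
        return defined($name) ? constant($name) : $name;
    };

    $modname    = $module->getVar('name');
    $buttonTray = new \XoopsFormElementTray('');
    if ($module->getInfo('adminindex')) {
        // GIJ Patch: come back to this module's own preferences page after saving.
        $buttonTray->addElement(new \XoopsFormHidden('redirect', XOOPS_URL . '/modules/' . $module->getVar('dirname') . '/admin/admin.php?fct=preferences&op=showmod&mod=' . $module->getVar('mid')));
    }

    foreach ($config as $item) {
        // Caption: the title, plus the description in normal weight when one exists (GIJ).
        $confTitle  = $resolveConstant($item->getVar('conf_title'));
        $descName   = $item->getVar('conf_desc');
        $confDesc   = defined($descName) ? constant($descName) : '';
        $title4tray = ('' == $confDesc) ? $confTitle : $confTitle . '<br><br><span style="font-weight:normal;">' . $confDesc . '</span>';
        $title      = ''; // GIJ
        $confName   = $item->getVar('conf_name');
        $formType   = $item->getVar('conf_formtype');

        switch ($formType) {
            case 'textarea':
                $myts = \MyTextSanitizer::getInstance();
                if ('array' === $item->getVar('conf_valuetype')) {
                    // Array values are edited as one pipe-separated string.
                    $text = ('' != $item->getVar('conf_value')) ? $myts->htmlSpecialChars(implode('|', $item->getConfValueForOutput())) : '';
                } else {
                    $text = $myts->htmlSpecialChars($item->getConfValueForOutput());
                }
                $ele = new \XoopsFormTextArea($title, $confName, $text, 5, 50);
                break;
            case 'select':
            case 'select_multi':
                $ele = ('select_multi' === $formType)
                    ? new \XoopsFormSelect($title, $confName, $item->getConfValueForOutput(), 5, true)
                    : new \XoopsFormSelect($title, $confName, $item->getConfValueForOutput());
                $options = $configHandler->getConfigOptions(new \Criteria('conf_id', $item->getVar('conf_id')));
                foreach ($options as $option) {
                    // Option values and labels may themselves be language-constant names.
                    $ele->addOption($resolveConstant($option->getVar('confop_value')), $resolveConstant($option->getVar('confop_name')));
                }
                break;
            case 'yesno':
                $ele = new \XoopsFormRadioYN($title, $confName, $item->getConfValueForOutput(), _YES, _NO);
                break;
            case 'group':
                require_once XOOPS_ROOT_PATH . '/class/xoopslists.php';
                $ele = new \XoopsFormSelectGroup($title, $confName, false, $item->getConfValueForOutput(), 1, false);
                break;
            case 'group_multi':
                require_once XOOPS_ROOT_PATH . '/class/xoopslists.php';
                $ele = new \XoopsFormSelectGroup($title, $confName, false, $item->getConfValueForOutput(), 5, true);
                break;
            // RMV-NOTIFY: added 'user' and 'user_multi'
            case 'user':
                require_once XOOPS_ROOT_PATH . '/class/xoopslists.php';
                $ele = new \XoopsFormSelectUser($title, $confName, false, $item->getConfValueForOutput(), 1, false);
                break;
            case 'user_multi':
                require_once XOOPS_ROOT_PATH . '/class/xoopslists.php';
                $ele = new \XoopsFormSelectUser($title, $confName, false, $item->getConfValueForOutput(), 5, true);
                break;
            case 'password':
                // NOTE(review): the stored value is written into the field's value
                // attribute, so the secret is present in the page source. Consider
                // rendering the field empty and keeping the stored value when
                // nothing is submitted.
                $myts = \MyTextSanitizer::getInstance();
                $ele  = new \XoopsFormPassword($title, $confName, 50, 255, $myts->htmlSpecialChars($item->getConfValueForOutput()));
                break;
            case 'textbox':
            default:
                $myts = \MyTextSanitizer::getInstance();
                $ele  = new \XoopsFormText($title, $confName, 50, 255, $myts->htmlSpecialChars($item->getConfValueForOutput()));
                break;
        }

        // Each setting travels with its id so the 'save' branch knows what was submitted.
        $hidden   = new \XoopsFormHidden('conf_ids[]', $item->getVar('conf_id'));
        $ele_tray = new \XoopsFormElementTray($title4tray, '');
        $ele_tray->addElement($ele);
        $ele_tray->addElement($hidden);
        $form->addElement($ele_tray);
        unset($ele_tray, $ele, $hidden);
    }

    $buttonTray->addElement(new \XoopsFormHidden('op', 'save'));
    $buttonTray->addElement(new \XoopsFormButton('', 'button', _GO, 'submit'));
    $form->addElement($buttonTray);
    xoops_cp_header();
    // GIJ patch start
    require_once __DIR__ . '/mymenu.php';
    echo "<h3 style='text-align:left;'>" . $module->getVar('name') . ' ' . _PREFERENCES . "</h3>\n";
    // GIJ patch end
    $form->display();
    xoops_cp_footer();
    exit();
}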
||||||
158 | |||||||
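if ('save' === $op) {
    // Persists the posted preference values.
    // The request must carry a valid security token. The explicit exit() keeps
    // this check fail-closed even if redirect_header() were to return, and the
    // error list is joined because the message argument is used as a string.
    if (!$GLOBALS['xoopsSecurity']->check()) {
        redirect_header(XOOPS_URL . '/', 3, implode('<br>', $GLOBALS['xoopsSecurity']->getErrors()));
        exit();
    }
    require_once XOOPS_ROOT_PATH . '/class/template.php';
    $xoopsTpl = new \XoopsTpl();
    $xoopsTpl->clear_all_cache();

    // The handler was previously only created in the 'showmod' branch, which
    // exits before this code can run.
    /** @var \XoopsConfigHandler $configHandler */
    $configHandler = xoops_getHandler('config');

    // Submitted setting ids, reduced to integers; anything that is not a scalar is dropped.
    $conf_ids = [];
    if (\Xmf\Request::hasVar('conf_ids', 'POST') && is_array($_POST['conf_ids'])) {
        foreach ($_POST['conf_ids'] as $postedId) {
            if (is_scalar($postedId)) {
                $conf_ids[] = (int)$postedId;
            }
        }
    }

    // True for a single path component: no directory separators, not '.' or '..'.
    $isPlainName = static function ($value) {
        return is_string($value) && '' !== $value && '.' !== $value && '..' !== $value && basename($value) === $value;
    };

    $tpl_updated      = false;
    $theme_updated    = false;
    $startmod_updated = false;
    $lang_updated     = false;

    // NOTE(review): the ids are taken from the request and are not restricted to
    // settings owned by $xoopsModule, while the gate at the top of the file only
    // requires administration rights on that module. Confirm whether a module
    // administrator is meant to be able to change settings in the XOOPS_CONF category.
    foreach ($conf_ids as $confId) {
        $config = $configHandler->getConfig($confId);
        if (!is_object($config)) {
            continue; // unknown id
        }
        $confName   = $config->getVar('conf_name');
        $new_value  = isset($_POST[$confName]) ? $_POST[$confName] : null;
        $isCoreConf = XOOPS_CONF == $config->getVar('conf_catid');

        if (is_array($new_value) || $new_value != $config->getVar('conf_value')) {
            // Language and template set names end up in file system paths, so
            // only a plain name is accepted for them.
            if ($isCoreConf && in_array($confName, ['language', 'template_set'], true) && !$isPlainName($new_value)) {
                continue;
            }

            // if language has been changed
            if (!$lang_updated && $isCoreConf && 'language' === $confName) {
                $xoopsConfig['language'] = $new_value;
                $lang_updated            = true;
            }

            // if default theme has been changed
            if (!$theme_updated && $isCoreConf && 'theme_set' === $confName) {
                /** @var \XoopsMemberHandler $memberHandler */
                $memberHandler = xoops_getHandler('member');
                $memberHandler->updateUsersByField('theme', $new_value);
                $theme_updated = true;
            }

            // if default template set has been changed
            if (!$tpl_updated && $isCoreConf && 'template_set' === $confName) {
                // clear cached/compiled files and regenerate them if the template set has been changed
                if ($xoopsConfig['template_set'] != $new_value) {
                    $newtplset = $new_value;

                    // clear all compiled and cached files
                    $xoopsTpl->clear_compiled_tpl();

                    // generate compiled files for the new set
                    // block files only for now..
                    /** @var \XoopsTplfileHandler $tplfileHandler */
                    $tplfileHandler = xoops_getHandler('tplfile');
                    $dtemplates     = $tplfileHandler->find('default', 'block');

                    // need to do this to pass to xoops_template_touch function
                    $GLOBALS['xoopsConfig']['template_set'] = $newtplset;

                    foreach ($dtemplates as $defaultTpl) {
                        $found = $tplfileHandler->find($newtplset, 'block', $defaultTpl->getVar('tpl_refid'), null);
                        if (count($found) > 0) {
                            // template for the new set found, compile it
                            xoops_template_touch($found[0]->getVar('tpl_id'));
                        } else {
                            // not found, so compile 'default' template file
                            xoops_template_touch($defaultTpl->getVar('tpl_id'));
                        }
                    }

                    // generate image cache files from image binary data, save them under cache/
                    /** @var \XoopsImagesetimgHandler $imageHandler */
                    $imageHandler = xoops_getHandler('imagesetimg');
                    $imageFiles   = $imageHandler->getObjects(new \Criteria('tplset_name', $newtplset), true);
                    // A dedicated loop variable: the original reused $i here and
                    // thereby overwrote the counter of the surrounding loop.
                    foreach ($imageFiles as $imageFile) {
                        // basename() keeps the written file inside the cache directory
                        // whatever the stored file name contains.
                        $cacheFile = XOOPS_CACHE_PATH . '/' . basename($newtplset . '_' . $imageFile->getVar('imgsetimg_file'));
                        $fp        = fopen($cacheFile, 'wb');
                        if ($fp) {
                            fwrite($fp, $imageFile->getVar('imgsetimg_body'));
                            fclose($fp);
                        }
                        // A file that cannot be opened is skipped, as before.
                    }
                }
                $tpl_updated = true;
            }

            // add read permission for the start module to all groups
            if (!$startmod_updated && '--' != $new_value && $isCoreConf && 'startpage' === $confName) {
                // The analyzer reported getGroupList() as missing on XoopsObjectHandler;
                // the annotation names the concrete handler type.
                /** @var \XoopsMemberHandler $memberHandler */
                $memberHandler = xoops_getHandler('member');
                $groups        = $memberHandler->getGroupList();
                /** @var \XoopsGroupPermHandler $grouppermHandler */
                $grouppermHandler = xoops_getHandler('groupperm');
                /** @var \XoopsModuleHandler $moduleHandler */
                $moduleHandler = xoops_getHandler('module');
                $module        = is_string($new_value) ? $moduleHandler->getByDirname($new_value) : null;
                if (is_object($module)) {
                    foreach ($groups as $groupid => $groupname) {
                        if (!$grouppermHandler->checkRight('module_read', $module->getVar('mid'), $groupid)) {
                            $grouppermHandler->addRight('module_read', $module->getVar('mid'), $groupid);
                        }
                    }
                }
                $startmod_updated = true;
            }

            $config->setConfValueForInput($new_value);
            $configHandler->insertConfig($config);
        }
        unset($new_value);
    }

    // NOTE(review): $use_mysession, $session_name and $session_expire are not
    // assigned anywhere in this file, so this only runs if the including script
    // defines them. The last argument leaves the cookie's secure flag off.
    if (!empty($use_mysession) && 0 == $xoopsConfig['use_mysession'] && '' != $session_name) {
        setcookie($session_name, session_id(), time() + (60 * (int)$session_expire), '/', '', 0);
    }

    // The return address is request data. It is only followed when it points
    // into this site; the form itself always submits an address that starts
    // with XOOPS_URL . '/modules/'.
    $redirect = 'admin.php?fct=preferences';
    if (\Xmf\Request::hasVar('redirect', 'POST') && is_string($_POST['redirect']) && 0 === strpos($_POST['redirect'], XOOPS_URL . '/')) {
        $redirect = $_POST['redirect'];
    }
    redirect_header($redirect, 2, _MD_AM_DBUPDATED);
}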
||||||
281 |