This project does not seem to handle request data directly, so no vulnerable execution paths were found.
include
, or for example
via PHP's auto-loading mechanism.
1 | <?php |
||
2 | // |
||
3 | // ------------------------------------------------------------------------ // |
||
4 | // XF Guestbook // |
||
5 | // ------------------------------------------------------------------------- // |
||
6 | // This program is free software; you can redistribute it and/or modify // |
||
7 | // it under the terms of the GNU General Public License as published by // |
||
8 | // the Free Software Foundation; either version 2 of the License, or // |
||
9 | // (at your option) any later version. // |
||
10 | // // |
||
11 | // You may not change or alter any portion of this comment or credits // |
||
12 | // of supporting developers from this source code or any supporting // |
||
13 | // source code which is considered copyrighted (c) material of the // |
||
14 | // original comment or credit authors. // |
||
15 | // // |
||
16 | // This program is distributed in the hope that it will be useful, // |
||
17 | // but WITHOUT ANY WARRANTY; without even the implied warranty of // |
||
18 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the // |
||
19 | // GNU General Public License for more details. // |
||
20 | // // |
||
21 | // You should have received a copy of the GNU General Public License // |
||
22 | // along with this program; if not, write to the Free Software // |
||
23 | // Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA // |
||
24 | // ------------------------------------------------------------------------ // |
||
25 | |||
26 | use Xmf\Module\Admin; |
||
27 | use Xmf\Request; |
||
28 | use XoopsModules\Xfguestbook; |
||
29 | use XoopsModules\Xfguestbook\Helper; |
||
30 | |||
require_once __DIR__ . '/admin_header.php';
require_once dirname(__DIR__) . '/include/cp_functions.php';

/** @var Helper $helper */
$helper = Helper::getInstance();

// The redirect target is the module update screen, so a missing 'flagdir'
// config is treated as an outdated module install and the admin is sent there.
if (null === $helper->getConfig('flagdir')) {
    redirect_header(XOOPS_URL . '/modules/system/admin.php?fct=modulesadmin&op=update&module=' . $xoopsModule->dirname(), 4, AM_XFGUESTBOOK_MUST_UPDATE);
}

// Operation selector: GET takes precedence over POST, 'show' when neither is set.
// The raw value is only ever compared against the fixed case labels of the
// dispatch switch at the bottom of this file, whose default branch is 'show'.
$op = 'show';
if (Request::hasVar('op', 'GET')) {
    $op = $_GET['op'];
} elseif (Request::hasVar('op', 'POST')) {
    $op = $_POST['op'];
}

// Message id with the same GET-before-POST precedence; 0 when absent or non-numeric.
$msg_id = Request::getInt('msg_id', 0, Request::hasVar('msg_id', 'GET') ? 'GET' : 'POST');

$msgHandler = $helper->getHandler('Message');
||
56 | |||
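/**
 * Delete the messages whose ids were posted as msg_id[] and remove their photo
 * files from the module's upload directory, then redirect back to this script
 * with a status message.
 *
 * Reads the globals $msgHandler and $xoopsModule and the POST array msg_id[].
 * A XOOPS security token is required: the msglist form emitted by show()
 * includes one, and a request without a valid token is redirected away before
 * anything is touched.
 */
function delete()
{
    global $msgHandler, $xoopsModule;
    // State-changing admin action: refuse it without the form's security token.
    if (!$GLOBALS['xoopsSecurity']->check()) {
        redirect_header($_SERVER['SCRIPT_NAME'], 2, implode('<br>', $GLOBALS['xoopsSecurity']->getErrors()));
    }
    $ids = (!empty($_POST['msg_id']) && is_array($_POST['msg_id'])) ? $_POST['msg_id'] : [];
    if (count($ids) > 0) {
        $messagesent = AM_XFGUESTBOOK_MSGDELETED;
        $photosDir   = XOOPS_UPLOAD_PATH . '/' . $xoopsModule->getVar('dirname') . '/';
        foreach ($ids as $id) {
            $msg = $msgHandler->get((int)$id);
            if (null === $msg) {
                // Guard in case the handler reports an unknown id as null; report and continue.
                $messagesent = AM_XFGUESTBOOK_ERRORDEL;
                continue;
            }
            $filename = (string)$msg->getVar('photo');
            if (!$msgHandler->delete($msg)) {
                $messagesent = AM_XFGUESTBOOK_ERRORDEL;
            }
            // basename() keeps the unlink inside the upload directory even if the
            // stored name ever contained path separators; is_file() avoids a warning
            // when the photo is already gone.
            if ('' !== $filename) {
                $path = $photosDir . basename($filename);
                if (is_file($path)) {
                    unlink($path);
                }
            }
        }
    } else {
        $messagesent = AM_XFGUESTBOOK_NOMSG;
    }
    redirect_header($_SERVER['SCRIPT_NAME'], 2, $messagesent);
}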
||
80 | |||
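/**
 * Publish the messages posted as msg_id[] by clearing their 'moderate' flag,
 * then redirect back to this script with a status message.
 *
 * Reads the global $msgHandler and the POST array msg_id[]. Requires the XOOPS
 * security token carried by the msglist form emitted by show().
 */
function approve()
{
    global $msgHandler;
    // State-changing admin action: refuse it without the form's security token.
    if (!$GLOBALS['xoopsSecurity']->check()) {
        redirect_header($_SERVER['SCRIPT_NAME'], 2, implode('<br>', $GLOBALS['xoopsSecurity']->getErrors()));
    }
    $ids = (!empty($_POST['msg_id']) && is_array($_POST['msg_id'])) ? $_POST['msg_id'] : [];
    if (count($ids) > 0) {
        $messagesent = AM_XFGUESTBOOK_VALIDATE;
        foreach ($ids as $id) {
            $msg = $msgHandler->get((int)$id);
            if (null === $msg) {
                // Guard in case the handler reports an unknown id as null; report and continue.
                $messagesent = AM_XFGUESTBOOK_ERRORVALID;
                continue;
            }
            $msg->setVar('moderate', 0);
            if (!$msgHandler->insert($msg)) {
                $messagesent = AM_XFGUESTBOOK_ERRORVALID;
            }
        }
    } else {
        $messagesent = AM_XFGUESTBOOK_NOMSG;
    }
    redirect_header($_SERVER['SCRIPT_NAME'], 2, $messagesent);
}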
||
99 | |||
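/**
 * Hide the messages posted as msg_id[] (set 'moderate' to 1) and add each
 * distinct poster IP to the xfguestbook_badips table when it is not listed
 * yet, then redirect back to this script with a status message.
 *
 * Reads the globals $msgHandler and $xoopsDB and the POST array msg_id[].
 * Requires the XOOPS security token carried by the msglist form emitted by show().
 */
function banish()
{
    global $msgHandler, $xoopsDB;
    // State-changing admin action: refuse it without the form's security token.
    if (!$GLOBALS['xoopsSecurity']->check()) {
        redirect_header($_SERVER['SCRIPT_NAME'], 2, implode('<br>', $GLOBALS['xoopsSecurity']->getErrors()));
    }
    $ids = (!empty($_POST['msg_id']) && is_array($_POST['msg_id'])) ? $_POST['msg_id'] : [];
    if (count($ids) > 0) {
        $messagesent = AM_XFGUESTBOOK_BANISHED;
        $ips         = [];
        foreach ($ids as $id) {
            $msg = $msgHandler->get((int)$id);
            if (null === $msg) {
                // Guard in case the handler reports an unknown id as null; report and continue.
                $messagesent = AM_XFGUESTBOOK_ERRORBANISHED;
                continue;
            }
            $ips[] = $msg->getVar('poster_ip');
            $msg->setVar('moderate', 1);
            if (!$msgHandler->insert($msg)) {
                $messagesent = AM_XFGUESTBOOK_ERRORBANISHED;
            }
        }
        $badips = Xfguestbook\Utility::get_badips();
        foreach (array_unique($ips) as $oneip) {
            if (in_array($oneip, $badips, true)) {
                continue;
            }
            // poster_ip is stored data that originated from a request, not a literal:
            // quote it through the database layer instead of interpolating it.
            $sql = 'INSERT INTO ' . $xoopsDB->prefix('xfguestbook_badips') . ' (ip_value) VALUES (' . $xoopsDB->quoteString($oneip) . ')';
            if (!$xoopsDB->query($sql)) {
                $messagesent = AM_XFGUESTBOOK_ERRORBANISHED;
            }
        }
    } else {
        $messagesent = AM_XFGUESTBOOK_NOMSG;
    }

    redirect_header($_SERVER['SCRIPT_NAME'], 2, $messagesent);
}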
||
128 | |||
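/**
 * Render the admin message list.
 *
 * Outputs a GET filter form (status and sort-order selectors), a table with the
 * messages of the current page wrapped in a POST form whose footer offers the
 * approve / delete / banish actions and carries a XOOPS security token, and the
 * page navigation when there is more than one page.
 *
 * Reads the globals $msgHandler, $xoopsModule and $pathIcon16 and the GET
 * parameters start, sel_status and sel_order.
 */
function show()
{
    global $msgHandler, $xoopsModule, $pathIcon16;
    $start      = Request::getInt('start', 0, 'GET');
    $sel_status = Request::getInt('sel_status', 0, 'GET');
    $sel_order  = Request::getInt('sel_order', 0, 'GET');
    $limit      = 10;

    // Clamp both selectors to the values handled below: previously any other
    // sel_status left $criteria undefined and the page failed on setOrder().
    if (!in_array($sel_status, [0, 1, 2], true)) {
        $sel_status = 0;
    }
    $sel_order = (1 === $sel_order) ? 1 : 0;

    $status_option0    = '';
    $status_option1    = '';
    $status_option2    = '';
    $order_option_asc  = '';
    $order_option_desc = '';

    switch ($sel_status) {
        case 1:
            $status_option1 = 'selected';
            $title          = AM_XFGUESTBOOK_PUBMSG;
            $criteria       = new \Criteria('moderate', '0');
            break;
        case 2:
            $status_option2 = 'selected';
            $title          = AM_XFGUESTBOOK_WAITMSG;
            $criteria       = new \Criteria('moderate', '1');
            break;
        case 0:
        default:
            $status_option0 = 'selected';
            $title          = AM_XFGUESTBOOK_ALLMSG;
            $criteria       = new \Criteria('msg_id', 0, '>');
            break;
    }
    $criteria->setSort('post_time');

    // Keep the chosen direction all the way to getObjects(): the old code reset it
    // to DESC after counting, which made the ascending option a no-op.
    if (1 === $sel_order) {
        $order_option_asc = 'selected';
        $criteria->setOrder('ASC');
    } else {
        $order_option_desc = 'selected';
        $criteria->setOrder('DESC');
    }

    $totalcount = $msgHandler->countMsg($criteria);
    $criteria->setLimit($limit);
    $criteria->setStart($start);
    $msg = $msgHandler->getObjects($criteria);

    $badips = Xfguestbook\Utility::get_badips();

    // Server-supplied, but it is emitted inside an HTML attribute: escape for that context.
    $scriptName = htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $imagesUrl  = XOOPS_URL . '/modules/' . $xoopsModule->dirname() . '/assets/images/';
    $photosUrl  = XOOPS_UPLOAD_URL . '/' . $xoopsModule->getVar('dirname') . '/';

    /* -- Code to show selected terms -- */
    echo "<form name='pick' id='pick' action='" . $scriptName . "' method='GET' style='margin: 0;'>";
    echo "
    <table width='100%' cellspacing='1' cellpadding='2' border='0' style='border-left: 1px solid #c0c0c0; border-top: 1px solid #c0c0c0; border-right: 1px solid #c0c0c0;'>
        <tr>
            <td><span style='font-weight: bold; font-size: 12px; font-variant: small-caps;'>" . $title . ' : ' . $totalcount . "</span></td>
            <td align='right'>
                " . AM_XFGUESTBOOK_DISPLAY . " :
                <select name='sel_status' onchange='submit()'>
                    <option value = '0' $status_option0>" . AM_XFGUESTBOOK_ALLMSG . " </option>
                    <option value = '1' $status_option1>" . AM_XFGUESTBOOK_PUBMSG . " </option>
                    <option value = '2' $status_option2>" . AM_XFGUESTBOOK_WAITMSG . " </option>
                </select>
                " . AM_XFGUESTBOOK_SELECT_SORT . "
                <select name='sel_order' onchange='submit()'>
                    <option value = '1' $order_option_asc>" . AM_XFGUESTBOOK_SORT_ASC . "</option>
                    <option value = '0' $order_option_desc>" . AM_XFGUESTBOOK_SORT_DESC . "</option>
                </select>
            </td>
        </tr>
    </table>
    </form>";
    /* -- end code to show selected terms -- */

    echo "<table border='1' width='100%' cellpadding ='2' cellspacing='1'>";
    echo "<tr class='bg3'>";
    echo "<td align='center'></td>";
    echo "<td align='center'><b><input type='hidden' name='op' value='delete'></td>";
    echo "<td align='center'><b>" . AM_XFGUESTBOOK_NAME . '</td>';
    echo "<td align='center'><b>" . AM_XFGUESTBOOK_TITLE . '</td>';
    echo "<td align='center'><b>" . AM_XFGUESTBOOK_MESSAGE . '</td>';
    echo "<td align='center'><b>" . AM_XFGUESTBOOK_DATE . '</td>';
    echo "<td align='center'><b>" . AM_XFGUESTBOOK_ACTION . '</td>';
    echo '</tr>';

    if ($totalcount > 0) {
        echo "<form name='msglist' id='list' action='" . $scriptName . "' method='POST' style='margin: 0;'>";

        /** @var \XoopsModules\Xfguestbook\Message $onemsg */
        foreach ($msg as $onemsg) {
            $msgId     = $onemsg->getVar('msg_id');
            $userId    = $onemsg->getVar('user_id');
            $poster    = ($userId > 0) ? \XoopsUser::getUnameFromId($userId) : $onemsg->getVar('uname');
            $posted    = formatTimestamp($onemsg->getVar('post_time'));
            $action    = "<a href='main.php?op=edit&msg_id=" . $msgId . "'><img src='" . $pathIcon16 . "/edit.png'></a>";
            $titleLink = "<a href='../index.php?op=show_one&msg_id=" . $msgId . "'>" . $onemsg->getVar('title') . '</a>';
            // Status icon: question mark while the message awaits moderation, tick once published.
            $img_status = "<img src='" . $imagesUrl . ($onemsg->getVar('moderate') ? 'ic15_question.gif' : 'ic15_ok.gif') . "'>";
            // NOTE(review): user-entered fields (title, message, uname, poster_ip) are
            // echoed as returned by getVar(); this relies on the object's output
            // formatting for HTML escaping — confirm against the Message class.
            $message = $onemsg->getVar('message');
            if ($onemsg->getVar('photo')) {
                $message = '<img src="' . $photosUrl . $onemsg->getVar('photo') . '" align = "left" hspace ="10">' . $message;
            }
            $posterIp = $onemsg->getVar('poster_ip');

            echo '<tr>';
            echo "<td align='center' class='even'><input type='checkbox' name='msg_id[]' id='msg_id[]' value='" . $msgId . "'></td>";
            echo "<td align='center' class = 'head'><b>" . $img_status . '</b></td>';
            echo "<td align='center' class = 'even'>" . $poster . '</td>';
            echo "<td align='left' class = 'odd'>" . $titleLink . '</td>';
            echo "<td align='left' class = 'even'>" . $message . '</td>';
            echo "<td class='odd'>" . $posted . '<br>';
            // Banned poster IPs are highlighted in red.
            if (in_array($posterIp, $badips, true)) {
                echo "<span style='color: #FF0000; '><b>" . $posterIp . '</b></span></td>';
            } else {
                echo $posterIp . '</td>';
            }
            echo "<td align='center' class='even'>" . $action . '</td>';
            echo '</tr>';
        }
        echo "<tr class='foot'><td><select name='op'>";
        // "Approve" makes no sense when only published messages are listed.
        if (1 !== $sel_status) {
            echo "<option value='approve'>" . AM_XFGUESTBOOK_PUB . '</option>';
        }
        echo "<option value='delete'>" . _DELETE . '</option>';
        echo "<option value='banish'>" . AM_XFGUESTBOOK_BAN . '</option>';
        echo '</select> </td>';
        // Security token for the POST actions submitted from this form.
        echo "<td colspan='6'>" . $GLOBALS['xoopsSecurity']->getTokenHTML() . "<input type='submit' value='" . _GO . "'>";
        echo '</td></tr>';
        echo '</form>';
    } else {
        echo "<tr ><td align='center' colspan ='10' class = 'head'><b>" . AM_XFGUESTBOOK_NOMSG . '</b></td></tr>';
    }
    echo '</table><br>';
    if ($totalcount > $limit) {
        require_once XOOPS_ROOT_PATH . '/class/pagenav.php';
        $pagenav = new \XoopsPageNav($totalcount, $limit, $start, 'start', 'sel_status=' . $sel_status . '&sel_order=' . $sel_order);
        echo "<div class='center;' class = 'head'>" . $pagenav->renderNav() . '</div><br>';
    }
    echo '<br>';
}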
||
283 | |||
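// Dispatch on the requested operation ($op is selected near the top of this file).
switch ($op) {
    case 'save':
        // The edit form carries a XOOPS security token; refuse the update without a valid one.
        if (!$GLOBALS['xoopsSecurity']->check()) {
            redirect_header('index.php', 2, implode('<br>', $GLOBALS['xoopsSecurity']->getErrors()));
        }
        $msgstop = '';
        $msg     = $msgHandler->get($msg_id);
        if (null === $msg) {
            // Guard in case the handler reports an unknown msg_id as null.
            redirect_header('main.php?op=show', 2, AM_XFGUESTBOOK_MSGERROR);
        }
        $photos_dir = XOOPS_UPLOAD_PATH . '/' . $xoopsModule->getVar('dirname') . '/';
        $del_img    = Request::getInt('del_img', 0, 'POST');
        if ($del_img) {
            // Remove the stored photo. basename() keeps the path inside the upload
            // directory; the empty-name and is_file() checks avoid calling unlink()
            // on the directory itself or on a file that is already gone.
            $oldPhoto = basename((string)$msg->getVar('photo'));
            if ('' !== $oldPhoto && is_file($photos_dir . $oldPhoto)) {
                unlink($photos_dir . $oldPhoto);
            }
            $msg->setVar('photo', '');
        } elseif (!empty($_FILES['photo']['name'])) {
            Xfguestbook\Utility::upload();
            // NOTE(review): $preview_name and $msgstop are never assigned in this
            // file; presumably Utility::upload() sets them (as globals?) — confirm.
            // If $preview_name is unset, $photo ends up empty and the rename is useless.
            $photo = str_replace('tmp_', 'msg_', $preview_name);
            rename($photos_dir . $preview_name, $photos_dir . $photo);
            $oldPhoto = basename((string)$msg->getVar('photo'));
            if ('' !== $oldPhoto && is_file($photos_dir . $oldPhoto)) {
                unlink($photos_dir . $oldPhoto);
            }
            $msg->setVar('photo', $photo);
        }
        if (!empty($msgstop)) {
            redirect_header('main.php?op=edit&msg_id=' . $msg_id, 2, $msgstop);
        }
        // Plain text fields are copied one-to-one from the POST body.
        foreach (['uname', 'email', 'url', 'title', 'message', 'note', 'gender'] as $field) {
            $msg->setVar($field, Request::getString($field, '', 'POST'));
        }
        // The flag directory is only meaningful together with a country.
        $country = Request::getString('country', '', 'POST');
        if ('' !== $country) {
            $msg->setVar('country', $country);
            $msg->setVar('flagdir', $helper->getConfig('flagdir'));
        }
        $msg->setVar('other', Request::getString('other', '', 'POST'));
        $msg->setVar('moderate', Request::getInt('moderate', 0, 'POST'));
        if ($msgHandler->insert($msg)) {
            redirect_header('main.php?op=show', 1, AM_XFGUESTBOOK_MSGMOD);
        } else {
            redirect_header('main.php?op=show', 2, AM_XFGUESTBOOK_MSGERROR);
        }
        break;
    case 'edit':
        $msg = $msgHandler->get($msg_id);
        if (null === $msg) {
            // Guard in case the handler reports an unknown msg_id as null; checked
            // before any output so the redirect page is emitted cleanly.
            redirect_header('main.php?op=show', 2, AM_XFGUESTBOOK_MSGERROR);
        }
        xoops_cp_header();
        $adminObject = Admin::getInstance();
        $adminObject->displayNavigation(basename(__FILE__));
        // form_edit.inc.php builds $msg_form from $msg.
        require_once dirname(__DIR__) . '/include/form_edit.inc.php';
        $msg_form->display();
        require_once __DIR__ . '/admin_footer.php';
        break;
    case 'approve':
        approve();
        break;
    case 'delete':
        delete();
        break;
    case 'banish':
        banish();
        break;
    case 'show':
    default:
        xoops_cp_header();
        $adminObject = Admin::getInstance();
        $adminObject->displayNavigation(basename(__FILE__));
        show();
        require_once __DIR__ . '/admin_footer.php';
        break;
}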
||
372 |