This project does not seem to handle request data directly, so no vulnerable execution paths were found.
include
, or for example
via PHP's auto-loading mechanism.
1 | <?php |
2 | // |
3 | // ------------------------------------------------------------------------ // |
4 | // XF Guestbook // |
5 | // ------------------------------------------------------------------------- // |
6 | // This program is free software; you can redistribute it and/or modify // |
7 | // it under the terms of the GNU General Public License as published by // |
8 | // the Free Software Foundation; either version 2 of the License, or // |
9 | // (at your option) any later version. // |
10 | // // |
11 | // You may not change or alter any portion of this comment or credits // |
12 | // of supporting developers from this source code or any supporting // |
13 | // source code which is considered copyrighted (c) material of the // |
14 | // original comment or credit authors. // |
15 | // // |
16 | // This program is distributed in the hope that it will be useful, // |
17 | // but WITHOUT ANY WARRANTY; without even the implied warranty of // |
18 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the // |
19 | // GNU General Public License for more details. // |
20 | // // |
21 | // You should have received a copy of the GNU General Public License // |
22 | // along with this program; if not, write to the Free Software // |
23 | // Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA // |
24 | // ------------------------------------------------------------------------ // |
25 | |||||||
26 | use Xmf\Module\Admin; |
27 | use Xmf\Request; |
28 | use XoopsModules\Xfguestbook; |
29 | use XoopsModules\Xfguestbook\Helper; |
30 | |||||||
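require_once __DIR__ . '/admin_header.php';
require_once dirname(__DIR__) . '/include/cp_functions.php';

/** @var Helper $helper */
$helper = Helper::getInstance();

// The 'flagdir' config option only exists once the module has been updated;
// send the admin to the module update page until that has happened.
if (null === $helper->getConfig('flagdir')) {
    redirect_header(XOOPS_URL . '/modules/system/admin.php?fct=modulesadmin&op=update&module=' . $xoopsModule->dirname(), 4, AM_XFGUESTBOOK_MUST_UPDATE);
}

// For both 'op' and 'msg_id' a GET value takes precedence over a POST value.
// 'op' is read through Request (like every other input in this file) instead
// of the raw superglobal, so a non-string value such as op[]=x reaches the
// dispatcher as a string rather than as an array.
$opSource = Request::hasVar('op', 'GET') ? 'GET' : 'POST';
$op       = Request::getString('op', 'show', $opSource);

$idSource = Request::hasVar('msg_id', 'GET') ? 'GET' : 'POST';
$msg_id   = Request::getInt('msg_id', 0, $idSource);

$msgHandler = $helper->getHandler('Message');
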
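/**
 * Deletes every message whose id was posted in msg_id[], removes the photo
 * file attached to each (if any) from the module's upload directory, and
 * redirects back to this script with a status message.
 *
 * Reads the globals $msgHandler (Message handler) and $xoopsModule.
 * Iterates the posted array directly, so it also works when msg_id[] does
 * not arrive as a 0..n-1 list.
 */
function delete()
{
    global $msgHandler, $xoopsModule;
    $ids = (!empty($_POST['msg_id']) && is_array($_POST['msg_id'])) ? $_POST['msg_id'] : [];
    if (count($ids) > 0) {
        $messagesent = AM_XFGUESTBOOK_MSGDELETED;
        $photoDir    = XOOPS_UPLOAD_PATH . '/' . $xoopsModule->getVar('dirname') . '/';
        foreach ($ids as $id) {
            // NOTE(review): assumes get() returns an object for any id (XOOPS
            // handlers hand back a fresh object for unknown ids) — confirm
            // against the module's Message handler.
            $msg   = $msgHandler->get((int) $id);
            $photo = (string) $msg->getVar('photo');
            if (!$msgHandler->delete($msg)) {
                $messagesent = AM_XFGUESTBOOK_ERRORDEL;
            }
            // basename() keeps the unlink inside the upload directory even if
            // a stored name ever contained a path component; is_file() avoids
            // the warning unlink() raises for a file that is already gone.
            if ('' !== $photo) {
                $filename = $photoDir . basename($photo);
                if (is_file($filename)) {
                    unlink($filename);
                }
            }
        }
    } else {
        $messagesent = AM_XFGUESTBOOK_NOMSG;
    }
    redirect_header($_SERVER['SCRIPT_NAME'], 2, $messagesent);
}
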
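/**
 * Publishes every message whose id was posted in msg_id[] by clearing its
 * 'moderate' flag, then redirects back to this script with a status message.
 *
 * Reads the global $msgHandler (Message handler). The posted array is
 * iterated directly, so non-sequential keys in msg_id[] are handled too.
 */
function approve()
{
    global $msgHandler;
    $ids = (!empty($_POST['msg_id']) && is_array($_POST['msg_id'])) ? $_POST['msg_id'] : [];
    if (count($ids) > 0) {
        $messagesent = AM_XFGUESTBOOK_VALIDATE;
        foreach ($ids as $id) {
            // NOTE(review): assumes get() returns an object for any id — confirm
            // against the module's Message handler.
            $msg = $msgHandler->get((int) $id);
            $msg->setVar('moderate', 0);
            if (!$msgHandler->insert($msg)) {
                $messagesent = AM_XFGUESTBOOK_ERRORVALID;
            }
        }
    } else {
        $messagesent = AM_XFGUESTBOOK_NOMSG;
    }
    redirect_header($_SERVER['SCRIPT_NAME'], 2, $messagesent);
}
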
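/**
 * Puts every message whose id was posted in msg_id[] back into moderation
 * and adds each distinct poster IP to the module's bad-IP table, then
 * redirects back to this script with a status message.
 *
 * Reads the globals $msgHandler (Message handler) and $xoopsDB.
 * The IP value comes from the database, but it was originally user-supplied,
 * so it is escaped before being placed in the INSERT statement.
 */
function banish()
{
    global $msgHandler, $xoopsDB;
    $ids = (!empty($_POST['msg_id']) && is_array($_POST['msg_id'])) ? $_POST['msg_id'] : [];
    if (count($ids) > 0) {
        $messagesent = AM_XFGUESTBOOK_BANISHED;
        $ips         = [];
        foreach ($ids as $id) {
            // NOTE(review): assumes get() returns an object for any id — confirm
            // against the module's Message handler.
            $msg   = $msgHandler->get((int) $id);
            $ips[] = $msg->getVar('poster_ip');
            $msg->setVar('moderate', 1);
            if (!$msgHandler->insert($msg)) {
                $messagesent = AM_XFGUESTBOOK_ERRORBANISHED;
            }
        }
        $badips = Xfguestbook\Utility::get_badips();
        foreach (array_unique($ips) as $oneip) {
            // Non-strict in_array kept on purpose: the element type returned by
            // get_badips() is not visible here — TODO confirm before tightening.
            if (!in_array($oneip, $badips)) {
                $sql = 'INSERT INTO ' . $xoopsDB->prefix('xfguestbook_badips')
                    . " (ip_value) VALUES ('" . $xoopsDB->escape($oneip) . "')";
                // A failed insert is reported instead of silently ignored.
                if (!$xoopsDB->query($sql)) {
                    $messagesent = AM_XFGUESTBOOK_ERRORBANISHED;
                }
            }
        }
    } else {
        $messagesent = AM_XFGUESTBOOK_NOMSG;
    }

    redirect_header($_SERVER['SCRIPT_NAME'], 2, $messagesent);
}
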
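/**
 * Renders the admin message list: a GET filter form (status / sort order),
 * a paginated table of messages with a POST action form (approve / delete /
 * banish, protected by a XOOPS security token) and a page navigator.
 *
 * Output is echoed directly. Reads the globals $msgHandler, $xoopsModule and
 * $pathIcon16. Inputs come from GET: start, sel_status (0 = all,
 * 1 = published, 2 = waiting), sel_order (1 = ascending, otherwise descending).
 *
 * Fixes versus the previous version: an out-of-range sel_status no longer
 * leaves $criteria undefined (it now falls back to "all messages"), and the
 * chosen sort order is actually applied to the listing instead of being
 * overridden by an unconditional DESC before getObjects().
 */
function show()
{
    global $msgHandler, $xoopsModule, $pathIcon16;
    $start      = Request::getInt('start', 0, 'GET');
    $sel_status = Request::getInt('sel_status', 0, 'GET');
    $sel_order  = Request::getInt('sel_order', 0, 'GET');
    $limit      = 10;

    // Which <option> of each filter carries the 'selected' attribute.
    $status_option0    = '';
    $status_option1    = '';
    $status_option2    = '';
    $order_option_asc  = '';
    $order_option_desc = '';

    // Any value other than 1 or 2 (including a tampered one) is treated as 0,
    // so $title and $criteria are always defined below.
    switch ($sel_status) {
        case 1:
            $status_option1 = 'selected';
            $title          = AM_XFGUESTBOOK_PUBMSG;
            $criteria       = new \Criteria('moderate', '0');
            break;
        case 2:
            $status_option2 = 'selected';
            $title          = AM_XFGUESTBOOK_WAITMSG;
            $criteria       = new \Criteria('moderate', '1');
            break;
        case 0:
        default:
            $sel_status     = 0;
            $status_option0 = 'selected';
            $title          = AM_XFGUESTBOOK_ALLMSG;
            $criteria       = new \Criteria('msg_id', 0, '>');
            break;
    }
    $criteria->setSort('post_time');

    // 1 = oldest first; anything else is normalised to 0 = newest first.
    if (1 === $sel_order) {
        $order_option_asc = 'selected';
        $criteria->setOrder('ASC');
    } else {
        $sel_order         = 0;
        $order_option_desc = 'selected';
        $criteria->setOrder('DESC');
    }

    $totalcount = $msgHandler->countMsg($criteria);
    $criteria->setLimit($limit);
    $criteria->setStart($start);
    $messages = $msgHandler->getObjects($criteria);

    $badips = Xfguestbook\Utility::get_badips();

    // SCRIPT_NAME is server-supplied, but it lands inside an HTML attribute,
    // so it is escaped for that context anyway.
    $action = htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    /* -- Code to show selected terms -- */
    echo "<form name='pick' id='pick' action='" . $action . "' method='GET' style='margin: 0;'>";

    echo "
<table width='100%' cellspacing='1' cellpadding='2' border='0' style='border-left: 1px solid #c0c0c0; border-top: 1px solid #c0c0c0; border-right: 1px solid #c0c0c0;'>
<tr>
<td><span style='font-weight: bold; font-size: 12px; font-variant: small-caps;'>" . $title . ' : ' . $totalcount . "</span></td>
<td align='right'>
" . AM_XFGUESTBOOK_DISPLAY . " :
<select name='sel_status' onchange='submit()'>
<option value = '0' $status_option0>" . AM_XFGUESTBOOK_ALLMSG . " </option>
<option value = '1' $status_option1>" . AM_XFGUESTBOOK_PUBMSG . " </option>
<option value = '2' $status_option2>" . AM_XFGUESTBOOK_WAITMSG . " </option>
</select>
" . AM_XFGUESTBOOK_SELECT_SORT . "
<select name='sel_order' onchange='submit()'>
<option value = '1' $order_option_asc>" . AM_XFGUESTBOOK_SORT_ASC . "</option>
<option value = '0' $order_option_desc>" . AM_XFGUESTBOOK_SORT_DESC . "</option>
</select>
</td>
</tr>
</table>
</form>";
    /* -- end code to show selected terms -- */

    echo "<table border='1' width='100%' cellpadding ='2' cellspacing='1'>";
    echo "<tr class='bg3'>";
    echo "<td align='center'></td>";
    echo "<td align='center'><b><input type='hidden' name='op' value='delete'></td>";
    echo "<td align='center'><b>" . AM_XFGUESTBOOK_NAME . '</td>';
    echo "<td align='center'><b>" . AM_XFGUESTBOOK_TITLE . '</td>';
    echo "<td align='center'><b>" . AM_XFGUESTBOOK_MESSAGE . '</td>';
    echo "<td align='center'><b>" . AM_XFGUESTBOOK_DATE . '</td>';
    echo "<td align='center'><b>" . AM_XFGUESTBOOK_ACTION . '</td>';
    echo '</tr>';

    if ($totalcount > 0) {
        echo "<form name='msglist' id='list' action='" . $action . "' method='POST' style='margin: 0;'>";

        // NOTE(review): HTML escaping of title/uname/message relies on getVar()'s
        // default output format — confirm against the Message class definition.
        /** @var \XoopsModules\Xfguestbook\Message $onemsg */
        foreach ($messages as $onemsg) {
            $msgId    = $onemsg->getVar('msg_id');
            $postTime = formatTimestamp($onemsg->getVar('post_time'));
            $user     = ($onemsg->getVar('user_id') > 0) ? \XoopsUser::getUnameFromId($onemsg->getVar('user_id')) : $onemsg->getVar('uname');
            $editLink = "<a href='main.php?op=edit&msg_id=" . $msgId . "'><img src='" . $pathIcon16 . "/edit.png'></a>";

            // Question mark while the message is still moderated, tick once published.
            $statusIcon = $onemsg->getVar('moderate') ? 'ic15_question.gif' : 'ic15_ok.gif';
            $img_status = "<img src='" . XOOPS_URL . '/modules/' . $xoopsModule->dirname() . '/assets/images/' . $statusIcon . "'>";

            $titleLink = "<a href='../index.php?op=show_one&msg_id=" . $msgId . "'>" . $onemsg->getVar('title') . '</a>';
            $message   = $onemsg->getVar('message');
            if ($onemsg->getVar('photo')) {
                $message = '<img src="' . XOOPS_UPLOAD_URL . '/' . $xoopsModule->getVar('dirname') . '/' . $onemsg->getVar('photo') . '" align = "left" hspace ="10">' . $message;
            }
            $posterIp = $onemsg->getVar('poster_ip');

            echo '<tr>';
            echo "<td align='center' class='even'><input type='checkbox' name='msg_id[]' id='msg_id[]' value='" . $msgId . "'></td>";
            echo "<td align='center' class = 'head'><b>" . $img_status . '</b></td>';
            echo "<td align='center' class = 'even'>" . $user . '</td>';
            echo "<td align='left' class = 'odd'>" . $titleLink . '</td>';
            echo "<td align='left' class = 'even'>" . $message . '</td>';
            echo "<td class='odd'>" . $postTime . '<br>';
            // Non-strict in_array kept on purpose: the element type returned by
            // get_badips() is not visible here — TODO confirm before tightening.
            if (in_array($posterIp, $badips)) {
                echo "<span style='color: #FF0000; '><b>" . $posterIp . '</b></span></td>';
            } else {
                echo $posterIp . '</td>';
            }
            echo "<td align='center' class='even'>" . $editLink . '</td>';
            echo '</tr>';
        }

        // Bulk-action selector; "approve" is pointless on the published-only view.
        echo "<tr class='foot'><td><select name='op'>";
        if (1 !== $sel_status) {
            echo "<option value='approve'>" . AM_XFGUESTBOOK_PUB . '</option>';
        }
        echo "<option value='delete'>" . _DELETE . '</option>';
        echo "<option value='banish'>" . AM_XFGUESTBOOK_BAN . '</option>';
        echo '</select> </td>';
        // The security token is what the dispatcher verifies before running a bulk action.
        echo "<td colspan='6'>" . $GLOBALS['xoopsSecurity']->getTokenHTML() . "<input type='submit' value='" . _GO . "'>";
        echo '</td></tr>';
        echo '</form>';
    } else {
        echo "<tr ><td align='center' colspan ='10' class = 'head'><b>" . AM_XFGUESTBOOK_NOMSG . '</b></td></tr>';
    }
    echo '</table><br>';

    if ($totalcount > $limit) {
        require_once XOOPS_ROOT_PATH . '/class/pagenav.php';
        $pagenav = new \XoopsPageNav($totalcount, $limit, $start, 'start', 'sel_status=' . $sel_status . '&sel_order=' . $sel_order);
        echo "<div class='center;' class = 'head'>" . $pagenav->renderNav() . '</div><br>';
    }
    echo '<br>';
}
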
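// Dispatch on the requested operation. Every state-changing branch verifies
// the XOOPS security token first: 'save' already did, and the bulk actions
// (approve / delete / banish) are posted from the form rendered by show(),
// which embeds the token via getTokenHTML(). The check is done here, once,
// because XoopsSecurity::check() consumes the token.
switch ($op) {
    case 'save':
        global $xoopsModule;
        if (!$GLOBALS['xoopsSecurity']->check()) {
            redirect_header('index.php', 2, implode('<br>', $GLOBALS['xoopsSecurity']->getErrors()));
        }
        $msgstop    = '';
        $msg        = $msgHandler->get($msg_id);
        $photos_dir = XOOPS_UPLOAD_PATH . '/' . $xoopsModule->getVar('dirname') . '/';
        $del_img    = Request::getInt('del_img', 0, 'POST');
        if ($del_img) {
            // Only unlink when a photo is recorded: the bare directory path is
            // not a file, and is_file() avoids a warning for a missing one.
            if ('' !== $msg->getVar('photo')) {
                $filename = $photos_dir . basename($msg->getVar('photo'));
                if (is_file($filename)) {
                    unlink($filename);
                }
            }
            $msg->setVar('photo', '');
        } elseif (!empty($_FILES['photo']['name'])) {
            // NOTE(review): $preview_name and $msgstop are not assigned in this
            // file; they appear to be populated by Utility::upload() — confirm.
            Xfguestbook\Utility::upload();
            $photo = str_replace('tmp_', 'msg_', $preview_name);
            rename($photos_dir . $preview_name, $photos_dir . $photo);
            if ('' !== $msg->getVar('photo')) {
                $filename = $photos_dir . basename($msg->getVar('photo'));
                if (is_file($filename)) {
                    unlink($filename);
                }
            }
            $msg->setVar('photo', $photo);
        }
        if (!empty($msgstop)) {
            redirect_header('main.php?op=edit&msg_id=' . $msg_id, 2, $msgstop);
        }
        $uname    = Request::getString('uname', '', 'POST');
        $email    = Request::getString('email', '', 'POST');
        $url      = Request::getString('url', '', 'POST');
        $title    = Request::getString('title', '', 'POST');
        $message  = Request::getString('message', '', 'POST');
        $note     = Request::getString('note', '', 'POST');
        $gender   = Request::getString('gender', '', 'POST');
        $country  = Request::getString('country', '', 'POST');
        $other    = Request::getString('other', '', 'POST');
        $moderate = Request::getInt('moderate', 0, 'POST');

        $msg->setVar('uname', $uname);
        $msg->setVar('email', $email);
        $msg->setVar('url', $url);
        $msg->setVar('title', $title);
        $msg->setVar('message', $message);
        $msg->setVar('note', $note);
        $msg->setVar('gender', $gender);
        // The flag directory is only meaningful together with a country.
        if ('' !== $country) {
            $msg->setVar('country', $country);
            $msg->setVar('flagdir', $helper->getConfig('flagdir'));
        }
        $msg->setVar('other', $other);
        $msg->setVar('moderate', $moderate);
        if ($msgHandler->insert($msg)) {
            redirect_header('main.php?op=show', 1, AM_XFGUESTBOOK_MSGMOD);
        } else {
            redirect_header('main.php?op=show', 2, AM_XFGUESTBOOK_MSGERROR);
        }
        break;
    case 'edit':
        xoops_cp_header();
        $adminObject = Admin::getInstance();
        $adminObject->displayNavigation(basename(__FILE__));
        $msg = $msgHandler->get($msg_id);
        // form_edit.inc.php builds $msg_form from $msg.
        require_once dirname(__DIR__) . '/include/form_edit.inc.php';
        $msg_form->display();
        require_once __DIR__ . '/admin_footer.php';
        break;
    case 'approve':
    case 'delete':
    case 'banish':
        if (!$GLOBALS['xoopsSecurity']->check()) {
            redirect_header('main.php?op=show', 2, implode('<br>', $GLOBALS['xoopsSecurity']->getErrors()));
        }
        if ('approve' === $op) {
            approve();
        } elseif ('delete' === $op) {
            delete();
        } else {
            banish();
        }
        break;
    case 'show':
    default:
        xoops_cp_header();
        $adminObject = Admin::getInstance();
        $adminObject->displayNavigation(basename(__FILE__));
        show();
        require_once __DIR__ . '/admin_footer.php';
        break;
}
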