Security fix! Big thank you to Matthias <http://blog.yumdap.net/> for…

… spotting it!

* add static routes (to avoid 'file inclusion vulnerability')
* move routing to Router class

again, thanks Matthias!

README.md

@@ -9,6 +9,7 @@ You're welcome for contributing or testing though! :o)<br>
 
 
 ### ToDo:
+* archivate sent newsletters
 * admin UI:
   * protect admin dir with .htaccess/.htpasswd + add UI accordingly
     (not so sure this is practical, will be tied to Apache...)

admin/index.php

@@ -71,6 +71,14 @@
 
   }
 
+  if (isset($error)) {
+    $logTimeFormat = date("Y-m-d");
+    file_put_contents(
+      $cbNewsletter["basedir"] . "/admin/logs/debug_" . $logTimeFormat . ".log",
+      "\n\n=============================================================================================================================\n" . date("Y-m-d H:i:s") . "\n\n" . $Debugout->output(true),
+      FILE_APPEND | LOCK_EX
+    );
+  }
 
 
   $cbNewsletter_endTime = microtime();

admin/lib/routes.php

@@ -0,0 +1,13 @@
+<?php
+
+  return array(
+
+    ""                  => "/admin/actions/subscriptions.action.php",
+    "subscriptions"     => "/admin/actions/subscriptions.action.php",
+    "config"            => "/admin/actions/config.action.php",
+    "create_newsletter" => "/admin/actions/create_newsletter.action.php",
+    "send_newsletter"   => "/admin/actions/send_newsletter.action.php",
+
+  );
+
+?>

admin/lib/routing.php

@@ -57,19 +57,16 @@
 
 
 
-// ================  routing  ================
+// =================== Routing ===================
 
-  if (isset($_GET["view"]) and strlen($_GET["view"]) > 1 and $_GET["view"] != "subscriptions") {
 
-    include_once(checkout("/admin/actions/" . $_GET["view"] . ".action.php"));
+  include_once(checkout(
+    Router::load("/admin/lib/routes.php")
+      ->direct($cbNewsletter["config"]["view"])
+  ));
 
-  } else {
 
-    include_once(checkout("/admin/actions/subscriptions.action.php"));
-
-  }
-
-// ================  routing  ================
+// =================== Routing ===================
 
 
 

index.php

@@ -81,7 +81,7 @@
 
 
 
-  if ($debug and isset($error)) {
+  if (isset($error)) {
     cbNewsletter_showErrors($error);
   }
 
@@ -92,7 +92,7 @@
     $logTimeFormat = date("Y-m-d");
     file_put_contents(
       $cbNewsletter["basedir"] . "/admin/logs/debug_" . $logTimeFormat . ".log",
-      $Debugout->output(true),
+      "\n\n=============================================================================================================================\n" . date("Y-m-d H:i:s") . "\n\n" . $Debugout->output(true),
       FILE_APPEND | LOCK_EX
     );
   }

lib/bootstrap.common.php

@@ -10,6 +10,16 @@
 
 
 
+  include_once(checkout("/lib/classes/Router.class.php"));
+
+  include_once(checkout("/lib/classes/Request.class.php"));
+
+  $cbNewsletter["config"]["view"] = Request::view();
+
+  $Debugout->add("\$cbNewsletter[\"config\"][\"view\"] set to", $cbNewsletter["config"]["view"]);
+
+
+
   // General functions
   include_once(checkout("/lib/classes/HTML.class.php"));
   $HTML = new HTML;

lib/bootstrap.php

@@ -2,9 +2,7 @@
 
   $Debugout->add("<pre><b>[ bootstrap ]</b>");
 
-  if (isset($_GET["view"])) {
-    $cbNewsletter["config"]["view"] = $_GET["view"];
-  }
+
 
 
   // Other classes
@@ -15,6 +13,8 @@
 
 
 
+
+
   // common bootstrap
   include_once(checkout("/lib/bootstrap.common.php"));
 

lib/classes/Request.class.php

@@ -0,0 +1,25 @@
+<?php
+
+class Request {
+
+  public static function view() {
+
+    global $Debugout;
+
+    if (isset($_GET["view"])) {
+
+      $view = $_GET["view"];
+
+    } else {
+
+      $view = "";
+
+    }
+
+    return $view;
+
+  }
+
+}
+
+?>

lib/classes/Router.class.php

@@ -0,0 +1,52 @@
+<?php
+
+class Router {
+
+  protected $routes = array();
+
+
+
+  public static function load($file) {
+
+    $Router = new static;
+
+    $Router->routes = include_once(checkout($file));
+
+    return $Router;
+
+  }
+
+  public function direct($view) {
+
+    global $Debugout, $error;
+
+    if (array_key_exists($view, $this->routes)) {
+
+      $route = $this->routes[$view];
+
+      $Debugout->add(
+        "directing known view '" . $view . "' to",
+        $route
+      );
+
+      return $route;
+
+    } else {
+
+      $route = $this->routes[""];
+
+      $error["routing"]["invalid_route"] = $view;
+
+      $Debugout->add(
+        "directing unknown view '" . $view . "' to error page"
+      );
+
+      return "/views/error.view.php";
+
+    }
+
+  }
+
+}
+
+?>

lib/routes.php

@@ -0,0 +1,15 @@
+<?php
+
+
+  return array(
+
+    ""                      => "/views/subscription.form.php",
+    "enter_subscription"    => "/actions/enter_subscription.action.php",
+    "manage_subscription"   => "/actions/manage_subscription.action.php",
+    "verify_subscription"   => "/actions/verify_subscription.action.php",
+    "verify_unsubscription" => "/action/verify_unsubscription.action.php",
+
+  );
+
+
+?>

lib/routing.php

@@ -2,7 +2,6 @@
 
   $Debugout->add("<pre><b>[ routing ]</b>");
 
-// =================== Routing ===================
 
 // ================  pre display  ================
 
@@ -52,17 +51,16 @@
 
 
 
+// =================== Routing ===================
 
-  if (isset($cbNewsletter["config"]["view"]) and strlen($cbNewsletter["config"]["view"]) > 1) {
-
-    include_once(checkout("/actions/" . $_GET["view"] . ".action.php"));
-
-  } else {
 
-    include_once(checkout("/views/subscription.form.php"));
+  include_once(checkout(
+    Router::load("/lib/routes.php")
+      ->direct($cbNewsletter["config"]["view"])
+  ));
 
-  }
 
+// =================== Routing ===================
 
 
 
@@ -76,7 +74,7 @@
 
 // ===============  post display  ================
 
-// =================== Routing ===================
+
 
   $Debugout->add("</pre>");
 

views/error.view.php

@@ -0,0 +1,4 @@
+
+    <h1><?php echo gettext("Error") ?></h1>
+
+    <p><?php echo gettext("An error has occured. Most likely the link is broken. Please try again and make sure that you use the complete and correct link."); ?></p>