Fixed issues discovered by siph0n

includes/calendar.php

@@ -27,9 +27,15 @@
 require_once("$phpc_includes_path/html.php");
 require_once("$phpc_includes_path/util.php");
 
+// Displayed in admin
+$phpc_version = "2.0.8";
+
 function __($msg) {
 	global $phpc_gettext;
 
+	if (empty($phpc_gettext))
+		return $msg;
+
 	return $phpc_gettext->gettext($msg);
 }
 

includes/calendar_delete.php

@@ -30,41 +30,32 @@ function calendar_delete()
 		return $html;
 	}
 
-	if (is_array($vars["cid"])) {
-		$ids = $vars["cid"];
-	} else {
-		$ids = array($vars["cid"]);
-	}
+	$id = $vars["cid"];
+	$calendar = $phpcdb->get_calendar($id);
+
+	if(empty($calendar))
+		soft_error(__("Invalid calendar ID."));
 
 	if (empty($vars["confirm"])) {
-		$list = tag('ul');
-		foreach ($ids as $id) {
-			$calendar = $phpcdb->get_calendar($id);
-			$list->add(tag('li', "$id: ".$calendar->get_title()));
-		}
-		$html->add(tag('p', __('Confirm you want to delete:')));
-		$html->add($list);
+		$html->add(tag('p', __('Confirm you want to delete calendar:'). $calendar->get_title()));
 		$html->add(" [ ", create_action_link(__('Confirm'),
-					"calendar_delete", array("cid" => $ids,
+					"calendar_delete", array("cid" => $id,
 						"confirm" => "1")), " ] ");
 		$html->add(" [ ", create_action_link(__('Deny'),
 					"display_month"), " ] ");
 		return $html;
 	}
 
-	foreach($ids as $id) {
-		$calendar = $phpcdb->get_calendar($id);
-		if(!$calendar->can_admin()) {
-			$html->add(tag('p', __("You do not have permission to remove calendar") . ": $id"));
-			continue;
-		}
+	if(!$calendar->can_admin()) {
+		$html->add(tag('p', __("You do not have permission to remove calendar") . ": $id"));
+		return $html;
+	}
 
-		if($phpcdb->delete_calendar($id)) {
-			$html->add(tag('p', __("Removed calendar") . ": $id"));
-		} else {        
-			$html->add(tag('p', __("Could not remove calendar")
-						. ": $id"));
-		}
+	if($phpcdb->delete_calendar($id)) {
+		$html->add(tag('p', __("Removed calendar") . ": $id"));
+	} else {        
+		$html->add(tag('p', __("Could not remove calendar")
+					. ": $id"));
 	}
 
         return message_redirect($html, "$phpc_script?action=admin");

includes/display_week.php

@@ -38,8 +38,8 @@ function display_week()
 	if(!isset($vars['week']) || !isset($vars['year']))
 		soft_error(__('Invalid date.'));
 
-	$week_of_year = $vars['week'];
-	$year = $vars['year'];
+	$week_of_year = intval($vars['week']);
+	$year = intval($vars['year']);
 
 	$day_of_year = 1 + ($week_of_year - 1) * 7 - day_of_week(1, 1, $year);
 	$from_stamp = mktime(0, 0, 0, 1, $day_of_year, $year);

includes/login.php

@@ -57,7 +57,7 @@ function login_form()
                                 create_submit(__('Log in')));
 
         if(!empty($vars['lasturl'])) {
-		$lasturl = $vars['lasturl'];
+		$lasturl = urlencode($vars['lasturl']);
                 $submit_data->prepend(create_hidden('lasturl',
                                         $lasturl));
 	}

includes/setup.php

@@ -23,9 +23,6 @@
        die("Hacking attempt");
 }
 
-// Displayed in admin
-$phpc_version = "2.0.1";
-
 // Run the installer if we have no config file
 // This doesn't work when embedded from outside
 if(!file_exists($phpc_config_file)) {
@@ -96,7 +93,10 @@
 
 $vars = array_merge(real_escape_r($_GET), real_escape_r($_POST));
 
-if(!empty($vars['phpcid']) && is_numeric($vars['phpcid'])) {
+// Find an appropriate calendar id
+if(!empty($vars['phpcid'])) {
+	if(!is_numeric($vars['phpcid']))
+		soft_error(__("Invalid calendar ID."));
         $phpcid = $vars['phpcid'];
 } elseif(!empty($default_calendar_id)) {
 	$phpcid = $default_calendar_id;
@@ -106,6 +106,13 @@
 
 $phpc_cal = $phpcdb->get_calendar($phpcid);
 
+if(empty($phpc_cal)) {
+	$phpcid = 1;
+	$phpc_cal = $phpcdb->get_calendar($phpcid);
+	if(empty($phpc_cal))
+		soft_error(__("Could not find a calendar."));
+}
+
 //set action
 if(empty($vars['action'])) {
 	$action = 'display_month';