fix issues with config.php conflicting with PEAR::Config on Windows systems (be explicit over which config.php we wish to load; possible local file disclosure fix in getfile.php (SECURITY)

git-svn-id: https://xerteonlinetoolkits.googlecode.com/svn/trunk@271 912cdd6b-5c7d-d5a7-a2ba-d0f0cdb91641
Dave Goodwin committed Mar 5, 2012
1 parent 5ec153c commit 89b7296
Showing 20 changed files with 623 additions and 631 deletions.
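--- a/demo.php
+++ b/demo.php
@@ -1,6 +1,6 @@
 <?php
 
-require_once("config.php");
+require_once(dirname(__FILE__) . "/config.php");
 
 _load_language_file("/index.inc");
 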
6 changes: 1 addition & 5 deletions edit.php
@@ -9,7 +9,7 @@
* @package
*/

require_once("config.php");
require_once(dirname(__FILE__) . "/config.php");

require $xerte_toolkits_site->php_library_path . "screen_size_library.php";
require $xerte_toolkits_site->php_library_path . "template_status.php";
@@ -18,19 +18,15 @@
require_once(dirname(__FILE__) . '/modules/xerte/module_functions.php');

/**
*
* Function update_access_time
* This function updates the time a template was last edited
* @param array $row_edit = an array returned from a mysql query
* @return bool True or False if two params match
* @version 1.0
* @author Patrick Lockley
*/

function update_access_time($row_edit){

global $xerte_toolkits_site;

return db_query("UPDATE {$xerte_toolkits_site->database_table_prefix}templatedetails SET date_accessed=? WHERE template_id = ?", array(date('Y-m-d'), $row_edit['template_id']));

}
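Review bot: The docblock kept above `update_access_time()` in the second hunk still says `@return bool True or False if two params match`, which does not describe the function: it returns whatever `db_query()` returns for the `UPDATE ... SET date_accessed=?` statement. Since the hunk already tidies this comment, I would correct it to something like `@return mixed result of db_query() for the UPDATE on templatedetails`, and state the failure value once it is confirmed from `db_query()`, which is not visible here. Callers that treat the result as a strict boolean should be checked against that.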
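--- a/example.php
+++ b/example.php
@@ -9,7 +9,7 @@
 * @package
 */
 
-require_once("config.php");
+require_once(dirname(__FILE__) . "/config.php");
 
 require $xerte_toolkits_site->php_library_path . "screen_size_library.php";
 require $xerte_toolkits_site->php_library_path . "template_status.php";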
180 changes: 90 additions & 90 deletions folderproperties.php
@@ -1,7 +1,7 @@
<?PHP
<?php

require("config.php");
_load_language_file("/folderproperties.inc");
require_once(dirname(__FILE__) . "/config.php");
_load_language_file("/folderproperties.inc");

?>

@@ -44,93 +44,93 @@

<body onload="javascript:folderproperties_template();tab_highlight('1');">
<div class="properties_main">
<div class="corner" style="background-image:url(website_code/images/MessBoxTL.gif); background-position:top left;">
</div>
<div class="central" style="background-image:url(website_code/images/MessBoxTop.gif);">
</div>
<div class="corner" style="background-image:url(website_code/images/MessBoxTR.gif); background-position:top right;">
</div>
<div class="main_area_holder_1">
<div class="main_area_holder_2">
<div class="main_area">
<div>
<span id="title">
<img src="website_code/images/Icon_Folder.gif" style="vertical-align:middle; padding-left:10px;" />
<?PHP echo FOLDERPROPERTIES_DISPLAY_TITLE; ?>
</span>
</div>
<div id="data_area">
<!--
Dynamic area is the DIV used by the AJAX queries (The right hand side area of the properties panel.
-->
<div id="dynamic_area">
</div>
<!--
Set up the three menu tabs
Structure
tab1-1 is the small part to the right of the main tab, this is used to deal with the border round the main section
tab1 is the actual tab with the text in it
-->
<div id="menu_tabs">
<div class="tab_spacer" style="height:35px;">
</div>
<div id="tab1-1" class="tab_right_pad" style="height:38px;">
</div>
<div id="tab1" class="tab" style="width:146px; height:38px;">
<p onclick="javascript:tab_highlight('1');folderproperties_template()">
<?PHP echo FOLDERPROPERTIES_TAB_FOLDER; ?>
</p>
</div>
<div class="tab_spacer">
</div>
<div id="tab2-1" class="tab_right_pad" style="height:38px;">
</div>
<div id="tab2" class="tab" style="width:146px; height:38px;">
<p onclick="javascript:tab_highlight('2'); folder_content_template()">
<?PHP echo FOLDERPROPERTIES_TAB_CONTENT; ?>
</p>
</div>
<div class="tab_spacer">
</div>
<div id="tab3-1" class="tab_right_pad" style="height:38px;">
</div>
<div id="tab3" class="tab" style="width:146px; height:38px;">
<p onclick="javascript:tab_highlight('3'); folder_rss_template()">
<?PHP echo FOLDERPROPERTIES_TAB_RSS; ?>
</p>
</div>
<div class="tab_spacer">
</div>
<!--
Last spacer given sufficient heigbt to fill the rest of the border for the right hand panel
-->
<div class="tab_spacer" style="height:357px;">
</div>
</div>
</div>
</div>
</div>
</div>
<div class="corner" style="background-image:url(website_code/images/MessBoxBL.gif); background-position:top left;">
</div>
<div class="central" style="background-image:url(website_code/images/MessBoxBottom.gif);">
</div>
<div class="corner" style="background-image:url(website_code/images/MessBoxBR.gif); background-position:top right;">
</div>
<div class="corner" style="background-image:url(website_code/images/MessBoxTL.gif); background-position:top left;">
</div>
<div class="central" style="background-image:url(website_code/images/MessBoxTop.gif);">
</div>
<div class="corner" style="background-image:url(website_code/images/MessBoxTR.gif); background-position:top right;">
</div>
<div class="main_area_holder_1">
<div class="main_area_holder_2">
<div class="main_area">
<div>
<span id="title">
<img src="website_code/images/Icon_Folder.gif" style="vertical-align:middle; padding-left:10px;" />
<?PHP echo FOLDERPROPERTIES_DISPLAY_TITLE; ?>
</span>
</div>
<div id="data_area">

<!--
Dynamic area is the DIV used by the AJAX queries (The right hand side area of the properties panel.
-->

<div id="dynamic_area">
</div>

<!--
Set up the three menu tabs
Structure
tab1-1 is the small part to the right of the main tab, this is used to deal with the border round the main section
tab1 is the actual tab with the text in it
-->

<div id="menu_tabs">
<div class="tab_spacer" style="height:35px;">
</div>
<div id="tab1-1" class="tab_right_pad" style="height:38px;">
</div>
<div id="tab1" class="tab" style="width:146px; height:38px;">
<p onclick="javascript:tab_highlight('1');folderproperties_template()">
<?PHP echo FOLDERPROPERTIES_TAB_FOLDER; ?>
</p>
</div>
<div class="tab_spacer">
</div>
<div id="tab2-1" class="tab_right_pad" style="height:38px;">
</div>
<div id="tab2" class="tab" style="width:146px; height:38px;">
<p onclick="javascript:tab_highlight('2'); folder_content_template()">
<?PHP echo FOLDERPROPERTIES_TAB_CONTENT; ?>
</p>
</div>
<div class="tab_spacer">
</div>
<div id="tab3-1" class="tab_right_pad" style="height:38px;">
</div>
<div id="tab3" class="tab" style="width:146px; height:38px;">
<p onclick="javascript:tab_highlight('3'); folder_rss_template()">
<?PHP echo FOLDERPROPERTIES_TAB_RSS; ?>
</p>
</div>
<div class="tab_spacer">
</div>
<!--
Last spacer given sufficient heigbt to fill the rest of the border for the right hand panel
-->

<div class="tab_spacer" style="height:357px;">
</div>
</div>
</div>
</div>
</div>
</div>
<div class="corner" style="background-image:url(website_code/images/MessBoxBL.gif); background-position:top left;">
</div>
<div class="central" style="background-image:url(website_code/images/MessBoxBottom.gif);">
</div>
<div class="corner" style="background-image:url(website_code/images/MessBoxBR.gif); background-position:top right;">
</div>
</div>

</body>
</html>
</html>
12 changes: 4 additions & 8 deletions getfile.php
@@ -1,19 +1,19 @@
<?php

require_once("config.php");
require_once(dirname(__FILE__) . "/config.php");

require $xerte_toolkits_site->php_library_path . "login_library.php";
require $xerte_toolkits_site->php_library_path . "user_library.php";
require $xerte_toolkits_site->php_library_path . "template_library.php";
require $xerte_toolkits_site->php_library_path . "template_status.php";

$mysql_id=database_connect("Successful database connect for play queries","Failed database connect for play queries");

/*
* Check the template ID is numeric
*/

$safe_file_path = mysql_real_escape_string($_GET['file']);
// for security, the file name should only contain alpha numeric chars or - _ .
// We definitely do not want a file path to contain a directory separator like ../ else this could be open to abuse.
$safe_file_path = preg_replace('/[^a-z0-9\-_\.]/i', '', $_GET['file']);

$data_from_file_name = explode("-",$safe_file_path);

@@ -53,8 +53,4 @@

echo file_get_contents($xerte_toolkits_site->website_code_path . "error_top") . " Sorry this resource does not exist </div></div></body></html>";
die();


}

?>
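Review bot: The new `preg_replace` in the first hunk strips disallowed characters from `$_GET['file']` instead of rejecting the request, and its allow-list still keeps `.`, so a name containing `..` or a leading dot is passed on in altered form rather than refused. Removing `/` and `\` covers the directory-separator case the added comment describes, but I would validate and fail closed instead: `if (!isset($_GET['file']) || !is_string($_GET['file']) || !preg_match('/^[a-z0-9_-]+(\.[a-z0-9_-]+)*$/i', $_GET['file'])) { /* send the existing "resource does not exist" response and die() */ }`. The `is_string` check matters because a request of the form `?file[]=x` makes `preg_replace` return an array, which the following `explode()` does not expect. The code that consumes `$data_from_file_name` lies between the two hunks and is not visible here, so whether the tighter pattern accepts every legitimate file name needs confirming.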
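--- a/integration.php
+++ b/integration.php
@@ -1,6 +1,6 @@
 <?php
 
-require_once("config.php");
+require_once(dirname(__FILE__) . "/config.php");
 
 /**
 *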
