merge with 1.4.5 branch(1.4.5.10)
git-svn-id: http://xe-core.googlecode.com/svn/trunk@9269 201d5d3c-b55e-5fd7-737f-ddc643e51545
This commit is contained in:
parent
92332c8ebb
commit
a0d57a320f
98 changed files with 970 additions and 432 deletions
|
|
@ -701,6 +701,7 @@
|
|||
function _filterNumber(&$value)
|
||||
{
|
||||
$value = preg_replace('/[^\d\w\+\-\*\/\.\(\)]/', '', $value);
|
||||
$value = preg_replace('@\b(?:select|update|delete)\b|[/+\*]{2,}|(-){2,}@i', '$1', $value);
|
||||
if(!$value) $value = 0;
|
||||
}
|
||||
}
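Review bot: The added `preg_replace` on the line after the character filter turns `_filterNumber` into a keyword denylist, which is a weak fit for a function whose contract is "the value is a number": the first pattern still admits `\w`, so letters and underscores survive, and stripping three keywords does not change that. A numeric sanitizer is safer as an allowlist that rejects rather than repairs, e.g. `if(!preg_match('/^[\d\+\-\*\/\.\(\)\s]*$/', $value)) { $value = 0; return; }` placed before the existing `if(!$value)`; if identifiers are intentionally allowed so the value can be an expression, that should be stated in a comment on the function. Note also that the `'$1'` replacement only preserves a character for the `(-){2,}` alternative and is empty for the other two, which a comment such as `// collapse runs of "-" to one "-"; drop keywords and runs of / + *` would make explicit. The function and the class closing brace are both complete within this hunk.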
|
||||
|
|
|
|||
|
|
@ -26,7 +26,7 @@
|
|||
var $column_type = array(
|
||||
'bignumber' => 'INTEGER',
|
||||
'number' => 'INTEGER',
|
||||
'varchar' => 'VARHAR',
|
||||
'varchar' => 'VARCHAR',
|
||||
'char' => 'CHAR',
|
||||
'text' => 'TEXT',
|
||||
'bigtext' => 'TEXT',
|
||||
|
|
|
|||
|
|
@ -32,7 +32,7 @@
|
|||
var $column_type = array(
|
||||
'bignumber' => 'INTEGER',
|
||||
'number' => 'INTEGER',
|
||||
'varchar' => 'VARHAR',
|
||||
'varchar' => 'VARCHAR',
|
||||
'char' => 'CHAR',
|
||||
'text' => 'TEXT',
|
||||
'bigtext' => 'TEXT',
|
||||
|
|
|
|||
|
|
@ -266,16 +266,36 @@
|
|||
$oModule = &$this->getModuleInstance($forward->module, $type, $kind);
|
||||
}
|
||||
$xml_info = $oModuleModel->getModuleActionXml($forward->module);
|
||||
$oMemberModel = &getModel('member');
|
||||
$logged_info = $oMemberModel->getLoggedInfo();
|
||||
|
||||
if($this->module == "admin" && $type == "view")
|
||||
{
|
||||
$oMemberModel = &getModel('member');
|
||||
|
||||
$logged_info = $oMemberModel->getLoggedInfo();
|
||||
if($logged_info->is_admin=='Y') {
|
||||
$orig_module->loadSideBar();
|
||||
$oModule->setLayoutPath("./modules/admin/tpl");
|
||||
$oModule->setLayoutFile("layout.html");
|
||||
}
|
||||
else{
|
||||
$this->error = 'msg_is_not_administrator';
|
||||
$oMessageObject = &ModuleHandler::getModuleInstance('message',$type);
|
||||
$oMessageObject->setError(-1);
|
||||
$oMessageObject->setMessage($this->error);
|
||||
$oMessageObject->dispMessage();
|
||||
return $oMessageObject;
|
||||
}
|
||||
}
|
||||
if ($kind == 'admin'){
|
||||
$grant = $oModuleModel->getGrant($this->module_info, $logged_info);
|
||||
if(!$grant->is_admin && !$grant->manager) {
|
||||
$this->error = 'msg_is_not_manager';
|
||||
$oMessageObject = &ModuleHandler::getModuleInstance('message',$type);
|
||||
$oMessageObject->setError(-1);
|
||||
$oMessageObject->setMessage($this->error);
|
||||
$oMessageObject->dispMessage();
|
||||
return $oMessageObject;
|
||||
}
|
||||
|
||||
}
|
||||
}
|
||||
else if($xml_info->default_index_act && method_exists($oModule, $xml_info->default_index_act))
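Review bot: The new `if ($kind == 'admin')` block repeats the deny sequence already present in the `else{` branch above it (set `$this->error`, fetch the message module, `setError(-1)`, `setMessage`, `dispMessage`, return), so the two refusal paths will drift apart if one is edited; a private helper that builds and returns the message object keeps them identical. The grant check also runs `getGrant($this->module_info, $logged_info)` for every admin-kind request, including anonymous ones, so whatever `getLoggedInfo()` returns when nobody is logged in must be acceptable to `getGrant` — this cannot be verified from the hunk and is worth confirming. The enclosing `if` branch that the final `}` closes starts before this hunk.
```php
// … unchanged: module instance, xml_info, logged_info setup …
if($this->module == "admin" && $type == "view")
{
    // … unchanged: is_admin == 'Y' branch …
    else{
        return $this->_denyWithMessage('msg_is_not_administrator', $type);
    }
}
if ($kind == 'admin'){
    $grant = $oModuleModel->getGrant($this->module_info, $logged_info);
    if(!$grant->is_admin && !$grant->manager) {
        return $this->_denyWithMessage('msg_is_not_manager', $type);
    }
}
// … unchanged: closing brace of the enclosing branch, default_index_act else-if …

/**
 * Records $msg_code in $this->error and returns a message module instance that displays it.
 * Shared by every access-denied path in procModule so the refusal behaviour stays uniform.
 */
function _denyWithMessage($msg_code, $type)
{
    $this->error = $msg_code;
    $oMessageObject = &ModuleHandler::getModuleInstance('message',$type);
    $oMessageObject->setError(-1);
    $oMessageObject->setMessage($this->error);
    $oMessageObject->dispMessage();
    return $oMessageObject;
}
```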
|
||||
|
|
|
|||
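--- /dev/null
+++ b/classes/security/Security.class.php
@@ -0,0 +1,111 @@
+<?php
+/**
+* @class Security
+* @brief This class helps to solve security problems.
+* @author NHN (developers@xpressengine.com)
+**/
+class Security
+{
+/**
+* @brief Action target variable. If this value is null, the method will use Context variables
+* @protected
+**/
+var $_targetVar = null;
+
+/**
+* @constructor
+* @param $var Target context
+*/
+function Security($var = null)
+{
+$this->_targetVar = $var;
+}
+
+/**
+* @brief Convert special characters to HTML entities for the target variables.
+* The results of conversion are equivalent to the results of htmlspecialchars() which is a native function of PHP.
+* @params string $varName
+* A variable's name to convert
+* To process properties of an object or elements of an array,
+* separate the owner(object or array) and the item(property or element) using a dot(.)
+* @public
+*/
+function encodeHTML(/*, $varName1, $varName2, ... */)
+{
+$varNames = func_get_args();
+if(count($varNames) < 0) return false;
+
+$use_context = is_null($this->_targetVar);
+if(!$use_context) {
+if(!count($varNames) || (!is_object($this->_targetVar) && !is_array($this->_targetVar)) ) return $this->_encodeHTML($this->_targetVar);
+
+$is_object = is_object($this->_targetVar);
+}
+
+foreach($varNames as $varName) {
+$varName = explode('.', $varName);
+$varName0 = array_shift($varName);
+if($use_context) {
+$var = Context::get($varName0);
+} else {
+$var = $is_object ? $this->_targetVar->{$varName0} : $this->_targetVar[$varName0];
+}
+$var = $this->_encodeHTML($var, $varName);
+
+if($var !== false) {
+if($use_context) {
+Context::set($varName0, $var);
+} elseif($is_object) {
+$this->_targetVar->{$varName0} = $var;
+} else {
+$this->_targetVar[$varName0] = $var;
+}
+}
+}
+
+if (!$use_context) return $this->_targetVar;
+}
+
+/**
+* @protected
+*/
+function _encodeHTML($var, $name=array())
+{
+if(is_string($var)) {
+if (!preg_match('/^\$user_lang->/', $var)) $var = htmlspecialchars($var);
+return $var;
+}
+
+if(!count($name) || (!is_array($var) && !is_object($var)) ) return false;
+
+$is_object = is_object($var);
+$name0 = array_shift($name);
+
+if(strlen($name0)) {
+$target = $is_object ? $var->{$name0} : $var[$name0];
+$target = $this->_encodeHTML($target, $name);
+
+if($target === false) return $var;
+
+if($is_object) $var->{$name0} = $target;
+else $var[$name0] = $target;
+
+return $var;
+}
+
+foreach($var as $key=>$target) {
+$cloned_name = array_slice($name, 0);
+$target = $this->_encodeHTML($target, $name);
+$name = $cloned_name;
+
+if($target === false) continue;
+
+if($is_object) $var->{$key} = $target;
+else $var[$key] = $target;
+}
+
+return $var;
+}
+}
+
+/* End of file : Security.class.php */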
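Review bot: `htmlspecialchars($var)` in `_encodeHTML` is called with default flags, which on the PHP releases this code targets (ENT_COMPAT) leave the single quote unencoded, so a value this class reports as encoded is still unsafe inside a single-quoted HTML attribute; pass the flags explicitly, `$var = htmlspecialchars($var, ENT_QUOTES, 'UTF-8');`, and reflect that in the `@brief` of `encodeHTML`, which currently promises equivalence with plain `htmlspecialchars()`. The exemption `preg_match('/^\$user_lang->/', $var)` is decided by the value's own prefix, and when `_targetVar` is null the values come from `Context::get`, i.e. from the request — so the check lets input declare itself a language reference and skip encoding; resolve the exemption against the known language keys, or restrict it to values that did not originate from the request. `if(count($varNames) < 0) return false;` in `encodeHTML` can never be true because `count()` is non-negative; `if(!count($varNames)) return false;` is presumably what was meant. Both methods also lack a `@return` line: `encodeHTML` returns the modified target, or nothing when working on Context, and `_encodeHTML` returns the encoded value or `false` when `$var` is neither a string, array nor object.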
@ -258,11 +258,18 @@
|
|||
$pre_pos = strrpos($pre, '<');
|
||||
|
||||
preg_match('/^ loop="([^"]+)"/i',$next,$m);
|
||||
$tag = substr($next,0,strlen($m[0]));
|
||||
$orgTag = $tag = substr($next,0,strlen($m[0]));
|
||||
$next = substr($next,strlen($m[0]));
|
||||
$next_pos = strpos($next, '<');
|
||||
|
||||
$tag = substr($pre, $pre_pos). $tag. substr($next, 0, $next_pos);
|
||||
// search end tag
|
||||
/* tag as '<br cond="condition"/>blahblah' to be '<br cond="condition"/>' */
|
||||
preg_match('/\/>(\w+)/',$tag, $mm);
|
||||
if ($mm[1]){
|
||||
$next_pos = strpos($next, $mm[1]);
|
||||
$tag = substr($pre, $pre_pos). $orgTag. substr($next, 0, $next_pos);
|
||||
}
|
||||
$pre = substr($pre, 0, $pre_pos);
|
||||
$next = substr($next, $next_pos);
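Review bot: `if ($mm[1])` reads the capture without checking that the `preg_match('/\/>(\w+)/',$tag, $mm)` above it matched, so on the common no-match path `$mm` is empty and the index access raises a notice; guard on the return value instead, `if(preg_match('/\/>(\w+)/',$tag, $mm)) {`. The following `strpos($next, $mm[1])` can also return `false` when the word is not found in `$next`, which `substr($next, 0, false)` then turns into an empty `$tag`; check the `strpos` result before it replaces `$next_pos`. The same two issues appear in the later hunk `@ -362,6 +380,14 @@`. The enclosing method starts before this hunk and continues after it.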
|
||||
|
||||
|
|
@ -285,21 +292,30 @@
|
|||
if(false!== $fpos = strpos($loop,'=>'))
|
||||
{
|
||||
$target = trim(substr($loop,0,$fpos));
|
||||
if(substr($target, 0, 1) == '$') $target = sprintf('$__Context->%s ', substr($target, 1));
|
||||
|
||||
$vars = trim(substr($loop,$fpos+2));
|
||||
if(false===strpos($vars,','))
|
||||
{
|
||||
if(substr($vars, 0, 1) == '$') $vars = sprintf('$__Context->%s ', substr($vars, 1));
|
||||
|
||||
$tag_head .= '<?php if(count('.$target.')) { foreach('.$target.' as '.$vars.') { ?>';
|
||||
$tag_tail .= '<?php } } ?>';
|
||||
}
|
||||
else
|
||||
{
|
||||
$t = explode(',',$vars);
|
||||
foreach($t as $key => $val){
|
||||
if(substr(trim($val), 0, 1) == '$') $val = sprintf('$__Context->%s ', substr(trim($val), 1));
|
||||
$t[$key] = trim($val);
|
||||
}
|
||||
$tag_head .= '<?php if(count('.$target.')) { foreach('.$target.' as '.trim($t[0]).' => '.trim($t[1]).') { ?>';
|
||||
$tag_tail .= '<?php } } ?>';
|
||||
}
|
||||
}
|
||||
elseif(false!==strpos($loop,';'))
|
||||
{
|
||||
$loop = preg_replace('/\$(\w+)/', '$__Context->$1', $loop);
|
||||
$tag_head .= '<?php for('.$loop.'){ ?>';
|
||||
$tag_tail .= '<?php } ?>';
|
||||
}
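Review bot: In the new comma branch, `$t[$key] = trim($val)` already trims every element, so the `trim($t[0])` and `trim($t[1])` in the `$tag_head` concatenation are redundant and obscure that the loop's output is what is emitted; `.$t[0].' => '.$t[1].` reads more directly. The branch also silently ignores anything after the second comma-separated name, and an empty name (a trailing comma) would be emitted into the generated `foreach` unchanged, which would likely make the compiled template fail to parse; a one-line comment such as `// expects exactly two names: "$key, $val"` would document the contract, and rejecting `count($t) != 2` would enforce it. The enclosing method starts and ends outside this hunk.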
|
||||
|
|
@ -337,8 +353,10 @@
|
|||
{
|
||||
if(strpos($matches[0],'|cond')!==false) {
|
||||
while(strpos($matches[0],'|cond="')!==false) {
|
||||
if(preg_match('/ (\w+)=\"([^\"]+)\"\|cond=\"([^\"]+)\"/is', $matches[0], $m))
|
||||
if(preg_match('/ (\w+)=\"([^\"]+)\"\|cond=\"([^\"]+)\"/is', $matches[0], $m)){
|
||||
$m[3] = preg_replace('/^\$(\w+)/', '$__Context->$1', $m[3]);
|
||||
$matches[0] = str_replace($m[0], sprintf('<?php if(%s) {?> %s="%s"<?php }?>', $m[3], $m[1], $m[2]), $matches[0]);
|
||||
}
|
||||
}
|
||||
}
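Review bot: The `while(strpos($matches[0],'|cond="')!==false)` loop only makes progress when the `preg_match` inside it succeeds and the `str_replace` removes the matched `|cond="` text; if the substring is present but does not fit the pattern (an empty `|cond=""`, for instance, which `[^\"]+` rejects), the loop never terminates. An `else { break; }` after the new `if(preg_match(...)){ ... }` block, or rewriting the loop as a single `preg_replace_callback`, removes that hazard. The new `preg_replace('/^\$(\w+)/', ...)` on `$m[3]` rewrites only a leading variable, consistent with the other cond handling in this commit, but it means a condition such as `$a && $b` leaves `$b` unqualified — worth a comment if that is intentional. The enclosing method starts and ends outside this hunk.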
|
||||
|
||||
|
|
@ -362,6 +380,14 @@
|
|||
$next_pos = strpos($next, $m[0]);
|
||||
|
||||
$tag = substr($pre, $pre_pos). substr($next, 0, $next_pos);
|
||||
|
||||
// search end tag
|
||||
/* tag as '<br cond="condition"/>blahblah' to be '<br cond="condition"/>' */
|
||||
preg_match('/\/>(\w+)/',$tag, $mm);
|
||||
if ($mm[1]){
|
||||
$next_pos = strpos($next, $mm[1]);
|
||||
$tag = substr($pre, $pre_pos). substr($next, 0, $next_pos);
|
||||
}
|
||||
$pre = substr($pre, 0, $pre_pos);
|
||||
$next = substr($next, $next_pos);
|
||||
$tag_name = trim(substr($tag,1,strpos($tag,' ')));
|
||||
|
|
@ -371,6 +397,7 @@
|
|||
{
|
||||
for($i=0,$c=count($m[0]);$i<$c;$i++)
|
||||
{
|
||||
$m[1][$i] = preg_replace('/^\$(\w+)/', '$__Context->$1', $m[1][$i]);
|
||||
$tag_head .= '<?php if('.$m[1][$i].') { ?>';
|
||||
$tag_tail .= '<?php } ?>';
|
||||
}
|
||||
|
|
@ -478,9 +505,11 @@
|
|||
|
||||
// otherwise try to load xml, css, js file
|
||||
} else {
|
||||
if(substr($target,0,1)!='/') $source_filename = $base_path.$target;
|
||||
if(substr($target,0,1)!='/' && !preg_match('/^(http|https)/i',$target)) $source_filename = $base_path.$target;
|
||||
else $source_filename = $target;
|
||||
$source_filename = str_replace(array('/./','//'),'/',$source_filename);
|
||||
|
||||
if(!preg_match('/^(http|https)/i',$source_filename))
|
||||
$source_filename = str_replace(array('/./','//'),'/',$source_filename);
|
||||
|
||||
// get filename and path
|
||||
$tmp_arr = explode("/",$source_filename);
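Review bot: The remote-URL test `preg_match('/^(http|https)/i',$target)` is anchored only at the start of the string and not at the scheme separator, so a relative path whose first segment merely begins with those letters (a directory named `httpd`, for instance) is treated as absolute, skips the `$base_path` prefix and the `/./`, `//` normalisation, and is loaded from the wrong location. Anchor on the scheme and compute the result once — `$is_remote = preg_match('/^https?:\/\//i', $target);` — then use `$is_remote` both in the `$source_filename` assignment and in the `if(!preg_match(...))` that follows, rather than repeating the pattern against `$source_filename`. The enclosing method starts and ends outside this hunk.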
|
||||
|
|
|
|||