improved error-message on incorrect ownership of lib/userdata.inc.php; set correct copyright in hint-templates; beautify code in lib/init.php
Signed-off-by: Michael Kaufmann (d00p) <d00p@froxlor.org>
This commit is contained in:
Michael Kaufmann (d00p)
216
lib/init.php
216
lib/init.php
@@ -34,8 +34,7 @@ header("X-Content-Security-Policy: allow 'self'; frame-ancestors 'none'");
|
||||
header('X-Frame-Options: DENY');
|
||||
|
||||
// If Froxlor was called via HTTPS -> enforce it for the next time
|
||||
if(isset( $_SERVER['HTTPS']) && (strtolower($_SERVER['HTTPS']) != 'off' ))
|
||||
{
|
||||
if (isset($_SERVER['HTTPS']) && (strtolower($_SERVER['HTTPS']) != 'off')) {
|
||||
header('Strict-Transport-Security: max-age=500');
|
||||
}
|
||||
|
||||
@@ -44,8 +43,7 @@ if(isset( $_SERVER['HTTPS']) && (strtolower($_SERVER['HTTPS']) != 'off' ))
|
||||
header('X-Content-Type-Options: nosniff' );
|
||||
|
||||
// ensure that default timezone is set
|
||||
if(function_exists("date_default_timezone_set") && function_exists("date_default_timezone_get"))
|
||||
{
|
||||
if (function_exists("date_default_timezone_set") && function_exists("date_default_timezone_get")) {
|
||||
@date_default_timezone_set(@date_default_timezone_get());
|
||||
}
|
||||
|
||||
@@ -53,11 +51,8 @@ if(function_exists("date_default_timezone_set") && function_exists("date_default
|
||||
* Register Globals Security Fix
|
||||
* - unsetting every variable registered in $_REQUEST and as variable itself
|
||||
*/
|
||||
|
||||
foreach($_REQUEST as $key => $value)
|
||||
{
|
||||
if(isset($$key))
|
||||
{
|
||||
foreach ($_REQUEST as $key => $value) {
|
||||
if (isset($$key)) {
|
||||
unset($$key);
|
||||
}
|
||||
}
|
||||
@@ -65,39 +60,55 @@ foreach($_REQUEST as $key => $value)
|
||||
unset($_);
|
||||
unset($value);
|
||||
unset($key);
|
||||
|
||||
$filename = basename($_SERVER['PHP_SELF']);
|
||||
|
||||
// keep this for compatibility reasons
|
||||
$pathtophpfiles = dirname(dirname(__FILE__));
|
||||
|
||||
if(!file_exists('lib/userdata.inc.php'))
|
||||
{
|
||||
$config_hint = file_get_contents('templates/Froxlor/misc/configurehint.tpl');
|
||||
// define default theme for configurehint, etc.
|
||||
$_deftheme = 'Sparkle';
|
||||
|
||||
define('FROXLOR_INSTALL_DIR', dirname(dirname(__FILE__)));
|
||||
|
||||
// check whether the userdata file exists
|
||||
if (!file_exists(FROXLOR_INSTALL_DIR.'/lib/userdata.inc.php')) {
|
||||
$config_hint = file_get_contents(FROXLOR_INSTALL_DIR.'/templates/'.$_deftheme.'/misc/configurehint.tpl');
|
||||
die($config_hint);
|
||||
}
|
||||
|
||||
if(!is_readable('lib/userdata.inc.php'))
|
||||
{
|
||||
die('You have to make the file "lib/userdata.inc.php" readable for the http-process!');
|
||||
// check whether we can read the userdata file
|
||||
if (!is_readable(FROXLOR_INSTALL_DIR.'/lib/userdata.inc.php')) {
|
||||
// get possible owner
|
||||
$posixusername = posix_getpwuid(posix_getuid());
|
||||
$posixgroup = posix_getgrgid(posix_getgid());
|
||||
// get hint-template
|
||||
$owner_hint = file_get_contents(FROXLOR_INSTALL_DIR.'/templates/'.$_deftheme.'/misc/ownershiphint.tpl');
|
||||
// replace values
|
||||
$owner_hint = str_replace("<USER>", $posixusername['name'], $owner_hint);
|
||||
$owner_hint = str_replace("<GROUP>", $posixgroup['name'], $owner_hint);
|
||||
$owner_hint = str_replace("<FROXLOR_INSTALL_DIR>", FROXLOR_INSTALL_DIR, $owner_hint);
|
||||
// show
|
||||
die($owner_hint);
|
||||
}
|
||||
|
||||
define('FROXLOR_INSTALL_DIR', dirname(dirname(__FILE__)));
|
||||
|
||||
/**
|
||||
* Includes the Usersettings eg. MySQL-Username/Passwort etc.
|
||||
*/
|
||||
require (FROXLOR_INSTALL_DIR.'/lib/userdata.inc.php');
|
||||
|
||||
require ('lib/userdata.inc.php');
|
||||
|
||||
if(!isset($sql)
|
||||
|| !is_array($sql))
|
||||
{
|
||||
$config_hint = file_get_contents('templates/Froxlor/misc/configurehint.tpl');
|
||||
if (!isset($sql)
|
||||
|| !is_array($sql)
|
||||
) {
|
||||
$config_hint = file_get_contents(FROXLOR_INSTALL_DIR.'/templates/'.$_deftheme.'/misc/configurehint.tpl');
|
||||
die($config_hint);
|
||||
}
|
||||
|
||||
// Legacy sql-root-information
|
||||
if(isset($sql['root_user']) && isset($sql['root_password']) && (!isset($sql_root) || !is_array($sql_root)))
|
||||
{
|
||||
if (isset($sql['root_user'])
|
||||
&& isset($sql['root_password'])
|
||||
&& (!isset($sql_root) || !is_array($sql_root))
|
||||
) {
|
||||
$sql_root = array(0 => array('caption' => 'Default', 'host' => $sql['host'], 'user' => $sql['root_user'], 'password' => $sql['root_password']));
|
||||
unset($sql['root_user']);
|
||||
unset($sql['root_password']);
|
||||
@@ -106,33 +117,27 @@ if(isset($sql['root_user']) && isset($sql['root_password']) && (!isset($sql_root
|
||||
/**
|
||||
* Includes the Functions
|
||||
*/
|
||||
|
||||
require ('lib/functions.php');
|
||||
require (FROXLOR_INSTALL_DIR.'/lib/functions.php');
|
||||
|
||||
/**
|
||||
* Includes the MySQL-Tabledefinitions etc.
|
||||
*/
|
||||
|
||||
require ('lib/tables.inc.php');
|
||||
require (FROXLOR_INSTALL_DIR.'/lib/tables.inc.php');
|
||||
|
||||
/**
|
||||
* Includes the MySQL-Connection-Class
|
||||
*/
|
||||
|
||||
$db = new db($sql['host'], $sql['user'], $sql['password'], $sql['db']);
|
||||
unset($sql['password']);
|
||||
|
||||
// we will try to unset most of the $sql information if they are not needed
|
||||
// by the calling script.
|
||||
|
||||
if(!isset($need_db_sql_data) || $need_db_sql_data !== true)
|
||||
{
|
||||
if (!isset($need_db_sql_data) || $need_db_sql_data !== true) {
|
||||
unset($sql);
|
||||
$sql = array();
|
||||
}
|
||||
|
||||
if(!isset($need_root_db_sql_data) || $need_root_db_sql_data !== true)
|
||||
{
|
||||
if (!isset($need_root_db_sql_data) || $need_root_db_sql_data !== true) {
|
||||
unset($sql_root);
|
||||
$sql_root = array();
|
||||
}
|
||||
@@ -140,14 +145,12 @@ if(!isset($need_root_db_sql_data) || $need_root_db_sql_data !== true)
|
||||
/**
|
||||
* Create a new idna converter
|
||||
*/
|
||||
|
||||
$idna_convert = new idna_convert_wrapper();
|
||||
|
||||
/**
|
||||
* disable magic_quotes_runtime if enabled
|
||||
*/
|
||||
if(get_magic_quotes_runtime())
|
||||
{
|
||||
if (get_magic_quotes_runtime()) {
|
||||
//Deactivate
|
||||
set_magic_quotes_runtime(false);
|
||||
}
|
||||
@@ -155,39 +158,30 @@ if(get_magic_quotes_runtime())
|
||||
/**
|
||||
* Reverse magic_quotes_gpc=on to have clean GPC data again
|
||||
*/
|
||||
|
||||
if(get_magic_quotes_gpc())
|
||||
{
|
||||
if (get_magic_quotes_gpc()) {
|
||||
$in = array(&$_GET, &$_POST, &$_COOKIE);
|
||||
|
||||
while(list($k, $v) = each($in))
|
||||
{
|
||||
foreach($v as $key => $val)
|
||||
{
|
||||
if(!is_array($val))
|
||||
{
|
||||
while (list($k, $v) = each($in)) {
|
||||
foreach ($v as $key => $val) {
|
||||
if (!is_array($val)) {
|
||||
$in[$k][$key] = stripslashes($val);
|
||||
continue;
|
||||
}
|
||||
|
||||
$in[] = & $in[$k][$key];
|
||||
}
|
||||
}
|
||||
|
||||
unset($in);
|
||||
}
|
||||
|
||||
/**
|
||||
* Selects settings from MySQL-Table
|
||||
*/
|
||||
|
||||
$settings_data = loadConfigArrayDir('actions/admin/settings/');
|
||||
$settings = loadSettings($settings_data, $db);
|
||||
|
||||
/**
|
||||
* SESSION MANAGEMENT
|
||||
*/
|
||||
|
||||
$remote_addr = $_SERVER['REMOTE_ADDR'];
|
||||
|
||||
if (empty($_SERVER['HTTP_USER_AGENT'])) {
|
||||
@@ -201,30 +195,25 @@ unset($customerid);
|
||||
unset($adminid);
|
||||
unset($s);
|
||||
|
||||
if(isset($_POST['s']))
|
||||
{
|
||||
if (isset($_POST['s'])) {
|
||||
$s = $_POST['s'];
|
||||
$nosession = 0;
|
||||
}
|
||||
elseif(isset($_GET['s']))
|
||||
{
|
||||
} elseif (isset($_GET['s'])) {
|
||||
$s = $_GET['s'];
|
||||
$nosession = 0;
|
||||
}
|
||||
else
|
||||
{
|
||||
} else {
|
||||
$s = '';
|
||||
$nosession = 1;
|
||||
}
|
||||
|
||||
$timediff = time() - $settings['session']['sessiontimeout'];
|
||||
$db->query('DELETE FROM `' . TABLE_PANEL_SESSIONS . '` WHERE `lastactivity` < "' . (int)$timediff . '"');
|
||||
$userinfo = Array();
|
||||
$userinfo = array();
|
||||
|
||||
if(isset($s)
|
||||
if (isset($s)
|
||||
&& $s != ""
|
||||
&& $nosession != 1)
|
||||
{
|
||||
&& $nosession != 1
|
||||
) {
|
||||
ini_set("session.name", "s");
|
||||
ini_set("url_rewriter.tags", "");
|
||||
ini_set("session.use_cookies", false);
|
||||
@@ -232,13 +221,10 @@ if(isset($s)
|
||||
session_start();
|
||||
$query = 'SELECT `s`.*, `u`.* FROM `' . TABLE_PANEL_SESSIONS . '` `s` LEFT JOIN `';
|
||||
|
||||
if(AREA == 'admin')
|
||||
{
|
||||
if (AREA == 'admin') {
|
||||
$query.= TABLE_PANEL_ADMINS . '` `u` ON (`s`.`userid` = `u`.`adminid`)';
|
||||
$adminsession = '1';
|
||||
}
|
||||
else
|
||||
{
|
||||
} else {
|
||||
$query.= TABLE_PANEL_CUSTOMERS . '` `u` ON (`s`.`userid` = `u`.`customerid`)';
|
||||
$adminsession = '0';
|
||||
}
|
||||
@@ -246,28 +232,23 @@ if(isset($s)
|
||||
$query.= 'WHERE `s`.`hash`="' . $db->escape($s) . '" AND `s`.`ipaddress`="' . $db->escape($remote_addr) . '" AND `s`.`useragent`="' . $db->escape($http_user_agent) . '" AND `s`.`lastactivity` > "' . (int)$timediff . '" AND `s`.`adminsession` = "' . $db->escape($adminsession) . '"';
|
||||
$userinfo = $db->query_first($query);
|
||||
|
||||
if((($userinfo['adminsession'] == '1' && AREA == 'admin' && isset($userinfo['adminid'])) || ($userinfo['adminsession'] == '0' && (AREA == 'customer' || AREA == 'login') && isset($userinfo['customerid'])))
|
||||
&& (!isset($userinfo['deactivated']) || $userinfo['deactivated'] != '1'))
|
||||
{
|
||||
if ((($userinfo['adminsession'] == '1' && AREA == 'admin' && isset($userinfo['adminid'])) || ($userinfo['adminsession'] == '0' && (AREA == 'customer' || AREA == 'login') && isset($userinfo['customerid'])))
|
||||
&& (!isset($userinfo['deactivated']) || $userinfo['deactivated'] != '1')
|
||||
) {
|
||||
$userinfo['newformtoken'] = strtolower(md5(uniqid(microtime(), 1)));
|
||||
$query = 'UPDATE `' . TABLE_PANEL_SESSIONS . '` SET `lastactivity`="' . time() . '", `formtoken`="' . $userinfo['newformtoken'] . '" WHERE `hash`="' . $db->escape($s) . '" AND `adminsession` = "' . $db->escape($adminsession) . '"';
|
||||
$db->query($query);
|
||||
$nosession = 0;
|
||||
}
|
||||
else
|
||||
{
|
||||
} else {
|
||||
$nosession = 1;
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
} else {
|
||||
$nosession = 1;
|
||||
}
|
||||
|
||||
/**
|
||||
* Language Managament
|
||||
*/
|
||||
|
||||
$langs = array();
|
||||
$languages = array();
|
||||
$iso = array();
|
||||
@@ -277,8 +258,7 @@ $query = 'SELECT * FROM `' . TABLE_PANEL_LANGUAGE . '` ';
|
||||
$result = $db->query($query);
|
||||
|
||||
// presort languages
|
||||
while($row = $db->fetch_array($result))
|
||||
{
|
||||
while ($row = $db->fetch_array($result)) {
|
||||
$langs[$row['language']][] = $row;
|
||||
// check for row[iso] cause older froxlor
|
||||
// versions didn't have that and it will
|
||||
@@ -290,8 +270,7 @@ while($row = $db->fetch_array($result))
|
||||
}
|
||||
|
||||
// buildup $languages for the login screen
|
||||
foreach($langs as $key => $value)
|
||||
{
|
||||
foreach ($langs as $key => $value) {
|
||||
$languages[$key] = $key;
|
||||
}
|
||||
|
||||
@@ -335,19 +314,14 @@ if (isset($userinfo['language']) && isset($languages[$userinfo['language']])) {
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
// include every english language file we can get
|
||||
foreach($langs['English'] as $key => $value)
|
||||
{
|
||||
foreach ($langs['English'] as $key => $value) {
|
||||
include_once makeSecurePath($value['file']);
|
||||
}
|
||||
|
||||
// now include the selected language if its not english
|
||||
|
||||
if($language != 'English')
|
||||
{
|
||||
foreach($langs[$language] as $key => $value)
|
||||
{
|
||||
if ($language != 'English') {
|
||||
foreach ($langs[$language] as $key => $value) {
|
||||
include_once makeSecurePath($value['file']);
|
||||
}
|
||||
}
|
||||
@@ -356,7 +330,6 @@ if($language != 'English')
|
||||
include_once makeSecurePath('lng/lng_references.php');
|
||||
|
||||
// Initialize our new link - class
|
||||
|
||||
$linker = new linker('index.php', $s);
|
||||
|
||||
/**
|
||||
@@ -383,17 +356,14 @@ if (!file_exists('templates/'.$theme.'/index.tpl')) {
|
||||
$hl_path = 'templates/'.$theme.'/assets/img';
|
||||
$header_logo = $hl_path.'/logo.png';
|
||||
|
||||
if(file_exists($hl_path.'/logo_custom.png')) {
|
||||
if (file_exists($hl_path.'/logo_custom.png')) {
|
||||
$header_logo = $hl_path.'/logo_custom.png';
|
||||
}
|
||||
|
||||
/**
|
||||
* Redirects to index.php (login page) if no session exists
|
||||
*/
|
||||
|
||||
if($nosession == 1
|
||||
&& AREA != 'login')
|
||||
{
|
||||
if ($nosession == 1 && AREA != 'login') {
|
||||
unset($userinfo);
|
||||
redirectTo('index.php');
|
||||
exit;
|
||||
@@ -402,33 +372,24 @@ if($nosession == 1
|
||||
/**
|
||||
* Initialize Template Engine
|
||||
*/
|
||||
|
||||
$templatecache = array();
|
||||
|
||||
/**
|
||||
* Logic moved out of lng-file
|
||||
*/
|
||||
|
||||
if(isset($userinfo['loginname'])
|
||||
&& $userinfo['loginname'] != '')
|
||||
{
|
||||
if (isset($userinfo['loginname'])
|
||||
&& $userinfo['loginname'] != ''
|
||||
) {
|
||||
$lng['menue']['main']['username'].= $userinfo['loginname'];
|
||||
|
||||
/**
|
||||
* Initialize logging
|
||||
*/
|
||||
|
||||
//Initialize logging
|
||||
$log = FroxlorLogger::getInstanceOf($userinfo, $db, $settings);
|
||||
}
|
||||
|
||||
/**
|
||||
* Fills variables for navigation, header and footer
|
||||
*/
|
||||
|
||||
if(AREA == 'admin' || AREA == 'customer')
|
||||
{
|
||||
if(hasUpdates($version))
|
||||
{
|
||||
if (AREA == 'admin' || AREA == 'customer') {
|
||||
if (hasUpdates($version)) {
|
||||
/*
|
||||
* if froxlor-files have been updated
|
||||
* but not yet configured by the admin
|
||||
@@ -463,9 +424,7 @@ if(AREA == 'admin' || AREA == 'customer')
|
||||
),
|
||||
);
|
||||
$navigation = buildNavigation($navigation_data['admin'], $userinfo);
|
||||
}
|
||||
else
|
||||
{
|
||||
} else {
|
||||
$navigation_data = loadConfigArrayDir('lib/navigation/');
|
||||
$navigation = buildNavigation($navigation_data[AREA], $userinfo);
|
||||
}
|
||||
@@ -478,39 +437,27 @@ eval("\$header = \"" . getTemplate('header', '1') . "\";");
|
||||
$current_year = date('Y', time());
|
||||
eval("\$footer = \"" . getTemplate('footer', '1') . "\";");
|
||||
|
||||
if(isset($_POST['action']))
|
||||
{
|
||||
if (isset($_POST['action'])) {
|
||||
$action = $_POST['action'];
|
||||
}
|
||||
elseif(isset($_GET['action']))
|
||||
{
|
||||
} elseif(isset($_GET['action'])) {
|
||||
$action = $_GET['action'];
|
||||
}
|
||||
else
|
||||
{
|
||||
} else {
|
||||
$action = '';
|
||||
|
||||
// clear request data
|
||||
if (isset($_SESSION)) {
|
||||
unset($_SESSION['requestData']);
|
||||
}
|
||||
}
|
||||
|
||||
if(isset($_POST['page']))
|
||||
{
|
||||
if (isset($_POST['page'])) {
|
||||
$page = $_POST['page'];
|
||||
}
|
||||
elseif(isset($_GET['page']))
|
||||
{
|
||||
} elseif(isset($_GET['page'])) {
|
||||
$page = $_GET['page'];
|
||||
}
|
||||
else
|
||||
{
|
||||
} else {
|
||||
$page = '';
|
||||
}
|
||||
|
||||
if($page == '')
|
||||
{
|
||||
if ($page == '') {
|
||||
$page = 'overview';
|
||||
}
|
||||
|
||||
@@ -520,8 +467,7 @@ if($page == '')
|
||||
$mail = new PHPMailer(true);
|
||||
$mail->CharSet = "UTF-8";
|
||||
|
||||
if(PHPMailer::ValidateAddress($settings['panel']['adminmail']) !== false)
|
||||
{
|
||||
if (PHPMailer::ValidateAddress($settings['panel']['adminmail']) !== false) {
|
||||
// set return-to address and custom sender-name, see #76
|
||||
$mail->SetFrom($settings['panel']['adminmail'], $settings['panel']['adminmail_defname']);
|
||||
if ($settings['panel']['adminmail_return'] != '') {
|
||||
|
||||
Reference in New Issue
Block a user