';
-}
-
-function helplink($id) {
- return '' . _ERROR_BADTICKET . "
\n"; - - /* Show the form to confirm action */ - // PHP 4.0.x support - $get= (isset($_GET)) ? $_GET : $HTTP_GET_VARS; - $post= (isset($_POST)) ? $_POST : $HTTP_POST_VARS; - // Resolve URI and QUERY_STRING - if ($uri=serverVar('REQUEST_URI')) { - list($uri,$qstring)=explode('?',$uri); - } else { - if ( !($uri=serverVar('PHP_SELF')) ) $uri=serverVar('SCRIPT_NAME'); - $qstring=serverVar('QUERY_STRING'); - } - if ($qstring) $qstring='?'.$qstring; - echo ''._SETTINGS_UPDATE.' : '._QMENU_PLUGINS.' '. - htmlspecialchars($plugin_name)." ?
\n"; - switch(strtoupper(serverVar('REQUEST_METHOD'))){ - case 'POST': - echo '\n"; - - $oPluginAdmin->end(); - exit; - } - - /* Create new ticket */ - $ticket=$manager->addTicketToUrl(''); - $ticketforplugin['ticket']=substr($ticket,strpos($ticket,'ticket=')+7); -} -function _addInputTags(&$keys,$prefix=''){ - foreach($keys as $key=>$value){ - if ($prefix) $key=$prefix.'['.$key.']'; - if (is_array($value)) _addInputTags($value,$key); - else { - if (get_magic_quotes_gpc()) $value=stripslashes($value); - if ($key=='ticket') continue; - echo ''."\n"; - } - } -} - -/** - * Convert the server string such as $_SERVER['REQUEST_URI'] - * to arry like arry['blogid']=1 and array['page']=2 etc. - */ -function serverStringToArray($str, &$array, &$frontParam) -{ - // init param - $array = array(); - $fronParam = ""; - - // split front param, e.g. /index.php, and others, e.g. blogid=1&page=2 - if (strstr($str, "?")){ - list($frontParam, $args) = preg_split("/\?/", $str, 2); - } - else { - $args = $str; - $frontParam = ""; - } - - // If there is no args like blogid=1&page=2, return - if (!strstr($str, "=") && !strlen($frontParam)) { - $frontParam = $str; - return; - } - - $array = explode("&", $args); -} - -/** - * Convert array like array['blogid'] to server string - * such as $_SERVER['REQUEST_URI'] - */ -function arrayToServerString($array, $frontParam, &$str) -{ - if (strstr($str, "?")) { - $str = $frontParam . "?"; - } else { - $str = $frontParam; - } - if (count($array)) { - $str .= implode("&", $array); - } -} - -/** - * Sanitize array parameters. - * This function checks both key and value. - * - check key if it inclues " (double quote), remove from array - * - check value if it includes \ (escape sequece), remove remaining string - */ -function sanitizeArray(&$array) -{ - $excludeListForSanitization = array('query'); -// $excludeListForSanitization = array(); - - foreach ($array as $k => $v) { - - // split to key and value - list($key, $val) = preg_split("/=/", $v, 2); - if (!isset($val)) { - continue; - } - - // when magic quotes is on, need to use stripslashes, - // and then addslashes - if (get_magic_quotes_gpc()) { - $val = stripslashes($val); - } - $val = addslashes($val); - - // if $key is included in exclude list, skip this param - if (!in_array($key, $excludeListForSanitization)) { - - // check value - list($val, $tmp) = explode('\\', $val); - - // remove control code etc. - $val = strtr($val, "\0\r\n<>'\"", " "); - - // check key - if (preg_match('/\"/i', $key)) { - unset($array[$k]); - continue; - } - - // set sanitized info - $array[$k] = sprintf("%s=%s", $key, $val); - } - } -} - -/** - * Convert array for sanitizeArray function - */ -function convArrayForSanitizing($src, &$array) -{ - $array = array(); - foreach ($src as $key => $val) { - if (key_exists($key, $_GET)) { - array_push($array, sprintf("%s=%s", $key, $val)); - } - } -} - -/** - * Revert array after sanitizeArray function - */ -function revertArrayForSanitizing($array, &$dst) -{ - foreach ($array as $v) { - list($key, $val) = preg_split("/=/", $v, 2); - $dst[$key] = $val; - } -} - -/** - * Stops processing the request and redirects to the given URL. - * - no actual contents should have been sent to the output yet - * - the URL will be stripped of illegal or dangerous characters - */ -function redirect($url) { - $url = preg_replace('|[^a-z0-9-~+_.?#=&;,/:@%]|i', '', $url); - header('Location: ' . $url); - exit; -} - -/** - * Strip HTML tags from a string - * This function is a bit more intelligent than a regular call to strip_tags(), - * because it also deletes the contents of certain tags and cleans up any - * unneeded whitespace. - */ -function stringStripTags ($string) { - $string = preg_replace("/','\n',$data); //hack - $data = strtr($data,$from_entities); - $data = strtr($data,$to_entities); - $data = str_replace('\n','
',$data); //hack - return $data; - } - -/** - * Returns the Javascript code for a bookmarklet that works on most modern browsers - * - * @param blogid - */ -function getBookmarklet($blogid) { - global $CONF; - - // normal - $document = 'document'; - $bookmarkletline = "javascript:Q='';x=".$document.";y=window;if(x.selection){Q=x.selection.createRange().text;}else if(y.getSelection){Q=y.getSelection();}else if(x.getSelection){Q=x.getSelection();}wingm=window.open('"; - $bookmarkletline .= $CONF['AdminURL'] . "bookmarklet.php?blogid=$blogid"; - $bookmarkletline .="&logtext='+escape(Q)+'&loglink='+escape(x.location.href)+'&loglinktitle='+escape(x.title),'nucleusbm','scrollbars=yes,width=600,height=500,left=10,top=10,status=yes,resizable=yes');wingm.focus();"; - - return $bookmarkletline; -} -// END: functions from the end of file ADMIN.php - -/** - * Returns a variable or null if not set - * - * @param mixed Variable - * @return mixed Variable - */ -function ifset(&$var) { - if (isset($var)) { - return $var; - } - - return null; -} - -?> + 0) { + $nucleus['version'] .= '/' . getNucleusPatchLevel(); +} + +// Avoid notices +if (!isset($CONF['installscript'])) { + $CONF['installscript'] = 0; +} + +/* + * Include multibyte function if some functions related to mbstring are not loaded. + * By Japanese Packaging Team, Jan.31, 2011 + */ +if (!function_exists('mb_convert_encoding')){ + global $mbemu_internals; + include_once($DIR_LIBS.'mb_emulator/mb-emulator.php'); +} + +// we will use postVar, getVar, ... methods instead of HTTP_GET_VARS or _GET +if ($CONF['installscript'] != 1) { // vars were already included in install.php + if (phpversion() >= '4.1.0') { + include_once($DIR_LIBS . 'vars4.1.0.php'); + } else { + include_once($DIR_LIBS . 'vars4.0.6.php'); + } +} + +// sanitize option +$bLoggingSanitizedResult=0; +$bSanitizeAndContinue=0; + +$orgRequestURI = serverVar('REQUEST_URI'); +sanitizeParams(); + +// get all variables that can come from the request and put them in the global scope +$blogid = requestVar('blogid'); +$itemid = intRequestVar('itemid'); +$catid = intRequestVar('catid'); +$skinid = requestVar('skinid'); +$memberid = requestVar('memberid'); +$archivelist = requestVar('archivelist'); +$imagepopup = requestVar('imagepopup'); +$archive = requestVar('archive'); +$query = requestVar('query'); +$highlight = requestVar('highlight'); +$amount = requestVar('amount'); +$action = requestVar('action'); +$nextaction = requestVar('nextaction'); +$maxresults = requestVar('maxresults'); +$startpos = intRequestVar('startpos'); +$errormessage = ''; +$error = ''; +$special = requestVar('special'); +$virtualpath = ((getVar('virtualpath') != null) ? getVar('virtualpath') : serverVar('PATH_INFO')); + +if (!headers_sent() ) { + header('Generator: Nucleus CMS ' . $nucleus['version']); +} + +// include core classes that are needed for login & plugin handling +include_once($DIR_LIBS . 'mysql.php'); +// added for 3.5 sql_* wrapper +global $MYSQL_HANDLER; +if (!isset($MYSQL_HANDLER)) + $MYSQL_HANDLER = array('mysql',''); +if ($MYSQL_HANDLER[0] == '') + $MYSQL_HANDLER[0] = 'mysql'; +include_once($DIR_LIBS . 'sql/'.$MYSQL_HANDLER[0].'.php'); +// end new for 3.5 sql_* wrapper +include($DIR_LIBS . 'MEMBER.php'); +include($DIR_LIBS . 'ACTIONLOG.php'); +include($DIR_LIBS . 'MANAGER.php'); +include($DIR_LIBS . 'PLUGIN.php'); + +$manager =& MANAGER::instance(); + +// make sure there's no unnecessary escaping: +//set_magic_quotes_runtime(0); +if (version_compare(PHP_VERSION, '5.3.0', '<')) { + ini_set('magic_quotes_runtime', '0'); +} + +// Avoid notices +if (!isset($CONF['UsingAdminArea'])) { + $CONF['UsingAdminArea'] = 0; +} + +// only needed when updating logs +if ($CONF['UsingAdminArea']) { + include($DIR_LIBS . 'xmlrpc.inc.php'); // XML-RPC client classes + include_once($DIR_LIBS . 'ADMIN.php'); +} + +// connect to database +sql_connect(); +$SQLCount = 0; + +// logs sanitized result if need +if ($orgRequestURI!==serverVar('REQUEST_URI')) { + $msg = "Sanitized [" . serverVar('REMOTE_ADDR') . "] "; + $msg .= $orgRequestURI . " -> " . serverVar('REQUEST_URI'); + if ($bLoggingSanitizedResult) { + addToLog(WARNING, $msg); + } + if (!$bSanitizeAndContinue) { + die(""); + } +} + +// makes sure database connection gets closed on script termination +register_shutdown_function('sql_disconnect'); + +// read config +getConfig(); + +// Properly set $CONF['Self'] and others if it's not set... usually when we are access from admin menu +if (!isset($CONF['Self'])) { + $CONF['Self'] = $CONF['IndexURL']; + // strip trailing / + if ($CONF['Self'][strlen($CONF['Self']) -1] == "/") { + $CONF['Self'] = substr($CONF['Self'], 0, strlen($CONF['Self']) -1); + } + +/* $CONF['ItemURL'] = $CONF['Self']; + $CONF['ArchiveURL'] = $CONF['Self']; + $CONF['ArchiveListURL'] = $CONF['Self']; + $CONF['MemberURL'] = $CONF['Self']; + $CONF['SearchURL'] = $CONF['Self']; + $CONF['BlogURL'] = $CONF['Self']; + $CONF['CategoryURL'] = $CONF['Self'];*/ +} + +$CONF['ItemURL'] = $CONF['Self']; +$CONF['ArchiveURL'] = $CONF['Self']; +$CONF['ArchiveListURL'] = $CONF['Self']; +$CONF['MemberURL'] = $CONF['Self']; +$CONF['SearchURL'] = $CONF['Self']; +$CONF['BlogURL'] = $CONF['Self']; +$CONF['CategoryURL'] = $CONF['Self']; + +// switch URLMode back to normal when $CONF['Self'] ends in .php +// this avoids urls like index.php/item/13/index.php/item/15 +if (!isset($CONF['URLMode']) || (($CONF['URLMode'] == 'pathinfo') && (substr($CONF['Self'], strlen($CONF['Self']) - 4) == '.php'))) { + $CONF['URLMode'] = 'normal'; +} + +// automatically use simpler toolbar for mozilla +if (($CONF['DisableJsTools'] == 0) && strstr(serverVar('HTTP_USER_AGENT'), 'Mozilla/5.0') && strstr(serverVar('HTTP_USER_AGENT'), 'Gecko') ) { + $CONF['DisableJsTools'] = 2; +} + +// login if cookies set +$member = new MEMBER(); + +// secure cookie key settings (either 'none', 0, 8, 16, 24, or 32) +if (!isset($CONF['secureCookieKey'])) $CONF['secureCookieKey']=24; +switch($CONF['secureCookieKey']){ +case 8: + $CONF['secureCookieKeyIP']=preg_replace('/\.[0-9]+\.[0-9]+\.[0-9]+$/','',serverVar('REMOTE_ADDR')); + break; +case 16: + $CONF['secureCookieKeyIP']=preg_replace('/\.[0-9]+\.[0-9]+$/','',serverVar('REMOTE_ADDR')); + break; +case 24: + $CONF['secureCookieKeyIP']=preg_replace('/\.[0-9]+$/','',serverVar('REMOTE_ADDR')); + break; +case 32: + $CONF['secureCookieKeyIP']=serverVar('REMOTE_ADDR'); + break; +default: + $CONF['secureCookieKeyIP']=''; +} + +// login/logout when required or renew cookies +if ($action == 'login') { + // Form Authentication + $login = postVar('login'); + $pw = postVar('password'); + $shared = intPostVar('shared'); // shared computer or not + + $pw=substr($pw,0,40); // avoid md5 collision by using a long key + + if ($member->login($login, $pw) ) { + + $member->newCookieKey(); + $member->setCookies($shared); + + if ($CONF['secureCookieKey']!=='none') { + // secure cookie key + $member->setCookieKey(md5($member->getCookieKey().$CONF['secureCookieKeyIP'])); + $member->write(); + } + + // allows direct access to parts of the admin area after logging in + if ($nextaction) { + $action = $nextaction; + } + + $manager->notify('LoginSuccess', array('member' => &$member, 'username' => $login) ); + $errormessage = ''; + ACTIONLOG::add(INFO, "Login successful for $login (sharedpc=$shared)"); + } else { + // errormessage for [%errordiv%] + $trimlogin = trim($login); + if (empty($trimlogin)) + { + $errormessage = "Please enter a username."; + } + else + { + $errormessage = 'Login failed for ' . $login; + } + $manager->notify('LoginFailed', array('username' => $login) ); + ACTIONLOG::add(INFO, $errormessage); + } +/* + +Backed out for now: See http://forum.nucleuscms.org/viewtopic.php?t=3684 for details + +} elseif (serverVar('PHP_AUTH_USER') && serverVar('PHP_AUTH_PW')) { + // HTTP Authentication + $login = serverVar('PHP_AUTH_USER'); + $pw = serverVar('PHP_AUTH_PW'); + + if ($member->login($login, $pw) ) { + $manager->notify('LoginSuccess',array('member' => &$member)); + ACTIONLOG::add(INFO, "HTTP authentication successful for $login"); + } else { + $manager->notify('LoginFailed',array('username' => $login)); + ACTIONLOG::add(INFO, 'HTTP authentication failed for ' . $login); + + //Since bad credentials, generate an apropriate error page + header("WWW-Authenticate: Basic realm=\"Nucleus CMS {$nucleus['version']}\""); + header('HTTP/1.0 401 Unauthorized'); + echo 'Invalid username or password'; + exit; + } +*/ + +} elseif (($action == 'logout') && (!headers_sent() ) && cookieVar($CONF['CookiePrefix'] . 'user') ) { + // remove cookies on logout + setcookie($CONF['CookiePrefix'] . 'user', '', (time() - 2592000), $CONF['CookiePath'], $CONF['CookieDomain'], $CONF['CookieSecure']); + setcookie($CONF['CookiePrefix'] . 'loginkey', '', (time() - 2592000), $CONF['CookiePath'], $CONF['CookieDomain'], $CONF['CookieSecure']); + $manager->notify('Logout', array('username' => cookieVar($CONF['CookiePrefix'] . 'user') ) ); +} elseif (cookieVar($CONF['CookiePrefix'] . 'user') ) { + // Cookie Authentication + $ck=cookieVar($CONF['CookiePrefix'] . 'loginkey'); + // secure cookie key + $ck=substr($ck,0,32); // avoid md5 collision by using a long key + if ($CONF['secureCookieKey']!=='none') $ck=md5($ck.$CONF['secureCookieKeyIP']); + $res = $member->cookielogin(cookieVar($CONF['CookiePrefix'] . 'user'), $ck ); + unset($ck); + + // renew cookies when not on a shared computer + if ($res && (cookieVar($CONF['CookiePrefix'] . 'sharedpc') != 1) && (!headers_sent() ) ) { + $member->setCookieKey(cookieVar($CONF['CookiePrefix'] . 'loginkey')); + $member->setCookies(); + } +} + +// login completed +$manager->notify('PostAuthentication', array('loggedIn' => $member->isLoggedIn() ) ); +ticketForPlugin(); + +// first, let's see if the site is disabled or not. always allow admin area access. +if ($CONF['DisableSite'] && !$member->isAdmin() && !$CONF['UsingAdminArea']) { + redirect($CONF['DisableSiteURL']); + exit; +} + +// load other classes +include($DIR_LIBS . 'PARSER.php'); +include($DIR_LIBS . 'SKIN.php'); +include($DIR_LIBS . 'TEMPLATE.php'); +include($DIR_LIBS . 'BLOG.php'); +include($DIR_LIBS . 'BODYACTIONS.php'); +include($DIR_LIBS . 'COMMENTS.php'); +include($DIR_LIBS . 'COMMENT.php'); +//include($DIR_LIBS . 'ITEM.php'); +include($DIR_LIBS . 'NOTIFICATION.php'); +include($DIR_LIBS . 'BAN.php'); +include($DIR_LIBS . 'PAGEFACTORY.php'); +include($DIR_LIBS . 'SEARCH.php'); +include($DIR_LIBS . 'entity.php'); + + +// set lastVisit cookie (if allowed) +if (!headers_sent() ) { + if ($CONF['LastVisit']) { + setcookie($CONF['CookiePrefix'] . 'lastVisit', time(), time() + 2592000, $CONF['CookiePath'], $CONF['CookieDomain'], $CONF['CookieSecure']); + } else { + setcookie($CONF['CookiePrefix'] . 'lastVisit', '', (time() - 2592000), $CONF['CookiePath'], $CONF['CookieDomain'], $CONF['CookieSecure']); + } +} + +// read language file, only after user has been initialized +$language = getLanguageName(); + +# replaced ereg_replace() below with preg_replace(). ereg* functions are deprecated in PHP 5.3.0 +# original ereg_replace: ereg_replace( '[\\|/]', '', $language) . '.php') +# important note that '\' must be matched with '\\\\' in preg* expressions +include($DIR_LANG . preg_replace('#[\\\\|/]#', '', $language) . '.php'); + +// check if valid charset +if (!encoding_check(false, false, _CHARSET)) { + foreach(array($_GET, $_POST) as $input) { + array_walk($input, 'encoding_check'); + } +} + +/* + * for preventing I/O strings from auto-detecting the charactor encodings by MySQL + * since 3.62_beta-jp + * Jan.20, 2011 by kotorisan and cacher + * refering to their conversation below, + * http://japan.nucleuscms.org/bb/viewtopic.php?p=26581 + * + * NOTE: shift_jis is only supported for output. Using shift_jis in DB is prohibited. + * NOTE: iso-8859-x,windows-125x if _CHARSET is unset. + */ +if (in_array('mysql',$MYSQL_HANDLER)) { + switch(strtolower(_CHARSET)){ + case 'utf-8': + $charset = 'utf8'; + break; + case 'euc-jp': + $charset = 'ujis'; + break; + case 'gb2312': + $charset = 'gb2312'; + break; + case 'shift_jis': + $charset = 'sjis'; + break; + default: + $resource = sql_query("show variables LIKE 'character_set_database'"); + $fetchDat = sql_fetch_assoc($resource); + $charset = $fetchDat['Value']; + break; + } + $mySqlVer = implode('.', array_map('intval', explode('.', sql_get_server_info($MYSQL_CONN)))); + if ($mySqlVer >= '5.0.7' && function_exists('mysql_set_charset')) { + mysql_set_charset($charset); + } elseif ($mySqlVer >= '4.1.0') { + sql_query("SET CHARACTER SET " . $charset); + } +} + +/* + Backed out for now: See http://forum.nucleuscms.org/viewtopic.php?t=3684 for details + +// To remove after v2.5 is released and language files have been updated. +// Including this makes sure that language files for v2.5beta can still be used for v2.5final +// without having weird _SETTINGS_EXTAUTH string showing up in the admin area. +if (!defined('_MEMBERS_BYPASS')) +{ + define('_SETTINGS_EXTAUTH', 'Enable External Authentication'); + define('_WARNING_EXTAUTH', 'Warning: Enable only if needed.'); + define('_MEMBERS_BYPASS', 'Use External Authentication'); +} + +*/ + +// make sure the archivetype skinvar keeps working when _ARCHIVETYPE_XXX not defined +if (!defined('_ARCHIVETYPE_MONTH') ) +{ + define('_ARCHIVETYPE_DAY', 'day'); + define('_ARCHIVETYPE_MONTH', 'month'); + define('_ARCHIVETYPE_YEAR', 'year'); +} + +// decode path_info +if ($CONF['URLMode'] == 'pathinfo') { + // initialize keywords if this hasn't been done before + if (!isset($CONF['ItemKey']) || $CONF['ItemKey'] == '') { + $CONF['ItemKey'] = 'item'; + } + + if (!isset($CONF['ArchiveKey']) || $CONF['ArchiveKey'] == '') { + $CONF['ArchiveKey'] = 'archive'; + } + + if (!isset($CONF['ArchivesKey']) || $CONF['ArchivesKey'] == '') { + $CONF['ArchivesKey'] = 'archives'; + } + + if (!isset($CONF['MemberKey']) || $CONF['MemberKey'] == '') { + $CONF['MemberKey'] = 'member'; + } + + if (!isset($CONF['BlogKey']) || $CONF['BlogKey'] == '') { + $CONF['BlogKey'] = 'blog'; + } + + if (!isset($CONF['CategoryKey']) || $CONF['CategoryKey'] == '') { + $CONF['CategoryKey'] = 'category'; + } + + if (!isset($CONF['SpecialskinKey']) || $CONF['SpecialskinKey'] == '') { + $CONF['SpecialskinKey'] = 'special'; + } + + $parsed = false; + $manager->notify( + 'ParseURL', + array( + 'type' => basename(serverVar('SCRIPT_NAME') ), // e.g. item, blog, ... + 'info' => $virtualpath, + 'complete' => &$parsed + ) + ); + + if (!$parsed) { + // default implementation + $data = explode("/", $virtualpath ); + for ($i = 0; $i < sizeof($data); $i++) { + switch ($data[$i]) { + case $CONF['ItemKey']: // item/1 (blogid) + $i++; + + if ($i < sizeof($data) ) { + $itemid = intval($data[$i]); + } + break; + + case $CONF['ArchivesKey']: // archives/1 (blogid) + $i++; + + if ($i < sizeof($data) ) { + $archivelist = intval($data[$i]); + } + break; + + case $CONF['ArchiveKey']: // two possibilities: archive/yyyy-mm or archive/1/yyyy-mm (with blogid) + if ((($i + 1) < sizeof($data) ) && (!strstr($data[$i + 1], '-') ) ) { + $blogid = intval($data[++$i]); + } + + $i++; + + if ($i < sizeof($data) ) { + $archive = $data[$i]; + } + break; + + case 'blogid': // blogid/1 + case $CONF['BlogKey']: // blog/1 + $i++; + + if ($i < sizeof($data) ) { + $blogid = intval($data[$i]); + } + break; + + case $CONF['CategoryKey']: // category/1 (catid) + case 'catid': + $i++; + + if ($i < sizeof($data) ) { + $catid = intval($data[$i]); + } + break; + + case $CONF['MemberKey']: + $i++; + + if ($i < sizeof($data) ) { + $memberid = intval($data[$i]); + } + break; + + case $CONF['SpecialskinKey']: + $i++; + + if ($i < sizeof($data) ) { + $special = $data[$i]; + $_REQUEST['special'] = $special; + } + break; + + default: + // skip... + } + } + } +} +/* PostParseURL is a place to cleanup any of the path-related global variables before the selector function is run. + It has 2 values in the data in case the original virtualpath is needed, but most the use will be in tweaking + global variables to clean up (scrub out catid or add catid) or to set someother global variable based on + the values of something like catid or itemid + New in 3.60 +*/ +$manager->notify( + 'PostParseURL', + array( + 'type' => basename(serverVar('SCRIPT_NAME') ), // e.g. item, blog, ... + 'info' => $virtualpath + ) +); + +function include_libs($file,$once=true,$require=true){ + global $DIR_LIBS; + if (!is_dir($DIR_LIBS)) exit; + if ($once && $require) require_once($DIR_LIBS.$file); + elseif ($once && !$require) include_once($DIR_LIBS.$file); + elseif ($require) require($DIR_LIBS.$file); + else include($DIR_LIBS.$file); +} + +function include_plugins($file,$once=true,$require=true){ + global $DIR_PLUGINS; + if (!is_dir($DIR_PLUGINS)) exit; + if ($once && $require) require_once($DIR_PLUGINS.$file); + elseif ($once && !$require) include_once($DIR_PLUGINS.$file); + elseif ($require) require($DIR_PLUGINS.$file); + else include($DIR_PLUGINS.$file); +} + +function intPostVar($name) { + return intval(postVar($name) ); +} + +function intGetVar($name) { + return intval(getVar($name) ); +} + +function intRequestVar($name) { + return intval(requestVar($name) ); +} + +function intCookieVar($name) { + return intval(cookieVar($name) ); +} + +/** + * returns the currently used version (100 = 1.00, 101 = 1.01, etc...) + */ +function getNucleusVersion() { + return 362; +} + +/** + * power users can install patches in between nucleus releases. These patches + * usually add new functionality in the plugin API and allow those to + * be tested without having to install CVS. + */ +function getNucleusPatchLevel() { + return 0; +} + +/** + * returns the latest version available for download from nucleuscms.org + * or false if unable to attain data + * format will be major.minor/patachlevel + * e.g. 3.41 or 3.41/02 + */ +function getLatestVersion() { + if (!function_exists('curl_init')) return false; + $crl = curl_init(); + $timeout = 5; + curl_setopt ($crl, CURLOPT_URL,'http://nucleuscms.org/version_check.php'); + curl_setopt ($crl, CURLOPT_RETURNTRANSFER, 1); + curl_setopt ($crl, CURLOPT_CONNECTTIMEOUT, $timeout); + $ret = curl_exec($crl); + curl_close($crl); + return $ret; + +} + +/** + * Connects to mysql server + */ +/* moved to $DIR_LIBS/sql/*.php handler files +function sql_connect() { + global $MYSQL_HOST, $MYSQL_USER, $MYSQL_PASSWORD, $MYSQL_DATABASE, $MYSQL_CONN; + + $MYSQL_CONN = @mysql_connect($MYSQL_HOST, $MYSQL_USER, $MYSQL_PASSWORD) or startUpError('
Could not connect to MySQL database.
', 'Connect Error'); + mysql_select_db($MYSQL_DATABASE) or startUpError('Could not select database: ' . mysql_error() . '
', 'Connect Error'); + + return $MYSQL_CONN; +}*/ + +/** + * returns a prefixed nucleus table name + */ +function sql_table($name) { + global $MYSQL_PREFIX; + + if ($MYSQL_PREFIX) { + return $MYSQL_PREFIX . 'nucleus_' . $name; + } else { + return 'nucleus_' . $name; + } +} + +function sendContentType($contenttype, $pagetype = '', $charset = _CHARSET) { + global $manager, $CONF; + + if (!headers_sent() ) { + // if content type is application/xhtml+xml, only send it to browsers + // that can handle it (IE6 cannot). Otherwise, send text/html + + // v2.5: For admin area pages, keep sending text/html (unless it's a debug version) + // application/xhtml+xml still causes too much problems with the javascript implementations + + // v3.3: ($CONF['UsingAdminArea'] && !$CONF['debug']) gets removed, + // application/xhtml+xml seems to be working, so we're going to use it if we can. + // + // Note: reverted the following function in JP version + // + /* + // v3.3 code + if ( + ($contenttype == 'application/xhtml+xml') + && (!stristr(serverVar('HTTP_ACCEPT'), 'application/xhtml+xml') ) + ) { + $contenttype = 'text/html'; + } + */ + // v3.2x code + if ( + ($contenttype == 'application/xhtml+xml') + && (($CONF['UsingAdminArea'] && !$CONF['debug']) || !stristr(serverVar('HTTP_ACCEPT'),'application/xhtml+xml')) + ) + { + $contenttype = 'text/html'; + } + + $manager->notify( + 'PreSendContentType', + array( + 'contentType' => &$contenttype, + 'charset' => &$charset, + 'pageType' => $pagetype + ) + ); + + // strip strange characters + $contenttype = preg_replace('|[^a-z0-9-+./]|i', '', $contenttype); + $charset = preg_replace('|[^a-z0-9-_]|i', '', $charset); + + if ($charset != '') { + header('Content-Type: ' . $contenttype . '; charset=' . $charset); + } else { + header('Content-Type: ' . $contenttype); + } + + // check if valid charset + if (!encoding_check(false,false,$charset)) { + foreach(array($_GET, $_POST) as $input) { + array_walk($input, 'encoding_check'); + } + } + } +} + +/** + * Errors before the database connection has been made - moved to + */ +/* moved to $DIR_LIBS/sql/*.php handler files +function startUpError($msg, $title) { + if (!defined('_CHARSET')) define('_CHARSET', 'iso-8859-1'); + header('Content-Type: text/html; charset=' . _CHARSET); + ?> + > + +([\r\n])/", "$1", $var); +} + +// shortens a text string to maxlength ($toadd) is what needs to be added +// at the end (end length is <= $maxlength) +function shorten($text, $maxlength, $toadd) { + // 1. remove entities... +// $trans = get_html_translation_table(HTML_ENTITIES); + $trans = get_html_translation_table(HTML_SPECIALCHARS); // for Japanese + $trans = array_flip($trans); + $text = strtr($text, $trans); + + // 2. the actual shortening + if (strlen($text) > $maxlength) { +// $text = substr($text, 0, $maxlength - strlen($toadd) ) . $toadd; + $text = mb_strimwidth($text, 0, $maxlength, $toadd, _CHARSET); // for Japanese + } + + return $text; +} + +/** + * Converts a unix timestamp to a mysql DATETIME format, and places + * quotes around it. + */ +function mysqldate($timestamp) { + return '"' . date('Y-m-d H:i:s', $timestamp) . '"'; +} + +/** + * functions for use in index.php + */ +function selectBlog($shortname) { + global $blogid, $archivelist; + if (!$blogid) { + $blogid = getBlogIDFromName($shortname); + } + + // also force archivelist variable, if it is set + if ($archivelist) { + $archivelist = $blogid; + } +} + +function selectSkin($skinname) { + global $skinid; + if (!$skinid) { + $skinid = SKIN::getIdFromName($skinname); + } +} + +/** + * Can take either a category ID or a category name (be aware that + * multiple categories can have the same name) + */ +function selectCategory($cat) { + global $catid; + if (!$catid) { + if (is_numeric($cat) ) { + $catid = intval($cat); + } else { + $catid = getCatIDFromName($cat); + } + } +} + +function selectItem($id) { + global $itemid; + if (!$itemid) { + $itemid = intval($id); + } +} + +// force the use of a language file (warning: can cause warnings) +function selectLanguage($language) { + + global $DIR_LANG; + + # replaced ereg_replace() below with preg_replace(). ereg* functions are deprecated in PHP 5.3.0 + # original ereg_replace: preg_replace( '@\\|/@', '', $language) . '.php') + # important note that '\' must be matched with '\\\\' in preg* expressions + + include($DIR_LANG . preg_replace('#[\\\\|/]#', '', $language) . '.php'); + +} + +function parseFile($filename, $includeMode = 'normal', $includePrefix = '') { + $handler = new ACTIONS('fileparser'); + $parser = new PARSER(SKIN::getAllowedActionsForType('fileparser'), $handler); + $handler->parser =& $parser; + + // set IncludeMode properties of parser + PARSER::setProperty('IncludeMode', $includeMode); + PARSER::setProperty('IncludePrefix', $includePrefix); + + if (!file_exists($filename) ) { + doError(_GFUNCTIONS_PARSEFILE_FILEMISSING); + } + + $fsize = filesize($filename); + + if ($fsize <= 0) { + return; + } + + // read file + $fd = fopen ($filename, 'r'); + $contents = fread ($fd, $fsize); + fclose ($fd); + + // parse file contents + $parser->parse($contents); +} + +/** + * Outputs a debug message + */ +function debug($msg) { + echo '
' . $msg . "
\n"; +} + +// shortcut +function addToLog($level, $msg) { + ACTIONLOG::add($level, $msg); +} + +// shows a link to help file +function help($id) { + echo helpHtml($id); +} + +function helpHtml($id) { + global $CONF; + return helplink($id) . '
Unknown or non-supported encoding.
', 'Encoding Error'); + exit; + } + if (isset($checked[$encoding])) return true; // Already checked. + $checked[$encoding]=true; + } + if ($key===false) return false; // Not yet checked. + if ($search===false) return true; // non-multibyte encoding + if (isset($excludes[$key])) return true; // This key isn't checked. + if (is_array($val)) { + array_walk($val, 'encoding_check'); + } else { + $result=preg_replace($search,'',$val); + if (strlen($result)!=0) { + startUpError('Invalid input.
', 'Input Error'); + exit; + } + } + $result=preg_replace($search,'',$key); + if (strlen($result)!=0) { + startUpError('Invalid input.
', 'Input Error'); + exit; + } + return true; +} + +function checkVars($aVars) { + global $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_COOKIE_VARS, $HTTP_ENV_VARS, $HTTP_POST_FILES, $HTTP_SESSION_VARS; + + foreach ($aVars as $varName) { + + if (phpversion() >= '4.1.0') { + + if ( isset($_GET[$varName]) + || isset($_POST[$varName]) + || isset($_COOKIE[$varName]) + || isset($_ENV[$varName]) + || isset($_SESSION[$varName]) + || isset($_FILES[$varName]) + ) { + die('Sorry. An error occurred.'); + } + + } else { + + if ( isset($HTTP_GET_VARS[$varName]) + || isset($HTTP_POST_VARS[$varName]) + || isset($HTTP_COOKIE_VARS[$varName]) + || isset($HTTP_ENV_VARS[$varName]) + || isset($HTTP_SESSION_VARS[$varName]) + || isset($HTTP_POST_FILES[$varName]) + ) { + die('Sorry. An error occurred.'); + } + + } + } +} + + +/** + * Sanitize parameters such as $_GET and $_SERVER['REQUEST_URI'] etc. + * to avoid XSS + */ +function sanitizeParams() +{ + global $HTTP_SERVER_VARS; + + $array = array(); + $str = ''; + $frontParam = ''; + + // REQUEST_URI of $HTTP_SERVER_VARS + $str =& $HTTP_SERVER_VARS["REQUEST_URI"]; + serverStringToArray($str, $array, $frontParam); + sanitizeArray($array); + arrayToServerString($array, $frontParam, $str); + + // QUERY_STRING of $HTTP_SERVER_VARS + $str =& $HTTP_SERVER_VARS["QUERY_STRING"]; + serverStringToArray($str, $array, $frontParam); + sanitizeArray($array); + arrayToServerString($array, $frontParam, $str); + + if (phpversion() >= '4.1.0') { + // REQUEST_URI of $_SERVER + $str =& $_SERVER["REQUEST_URI"]; + serverStringToArray($str, $array, $frontParam); + sanitizeArray($array); + arrayToServerString($array, $frontParam, $str); + + // QUERY_STRING of $_SERVER + $str =& $_SERVER["QUERY_STRING"]; + serverStringToArray($str, $array, $frontParam); + sanitizeArray($array); + arrayToServerString($array, $frontParam, $str); + } + + // $_GET + convArrayForSanitizing($_GET, $array); + sanitizeArray($array); + revertArrayForSanitizing($array, $_GET); + + // $_REQUEST (only GET param) + convArrayForSanitizing($_REQUEST, $array); + sanitizeArray($array); + revertArrayForSanitizing($array, $_REQUEST); +} + +/** + * Check ticket when not checked in plugin's admin page + * to avoid CSRF. + * Also avoid the access to plugin/index.php by guest user. + */ +function ticketForPlugin(){ + global $CONF,$DIR_PLUGINS,$member,$ticketforplugin; + + /* initialize */ + $ticketforplugin=array(); + $ticketforplugin['ticket'] = FALSE; + + /* Check if using plugin's php file. */ + if ($p_translated = serverVar('PATH_TRANSLATED') ) + { + if (!file_exists($p_translated) ) + { + $p_translated = ''; + } + } + + if (!$p_translated) + { + $p_translated = serverVar('SCRIPT_FILENAME'); + if (!file_exists($p_translated) ) + { + header("HTTP/1.0 404 Not Found"); + exit(''); + } + } + + $p_translated=str_replace('\\','/',$p_translated); + $d_plugins=str_replace('\\','/',$DIR_PLUGINS); + + if (strpos($p_translated, $d_plugins) !== 0) + { + return;// This isn't plugin php file. + } + + /* Solve the plugin php file or admin directory */ + $phppath=substr($p_translated,strlen($d_plugins)); + $phppath=preg_replace('#^/#','',$phppath);// Remove the first "/" if exists. + $path=preg_replace('#^NP_(.*)\.php$#','$1',$phppath); // Remove the first "NP_" and the last ".php" if exists. + $path=preg_replace('#^([^/]*)/(.*)$#','$1',$path); // Remove the "/" and beyond. + + /* Solve the plugin name. */ + $plugins=array(); + $query='SELECT `pfile` FROM '.sql_table('plugin'); + $res=sql_query($query); + while($row=sql_fetch_row($res)) + { + $name=substr($row[0],3); + $plugins[strtolower($name)]=$name; + } + sql_free_result($res); + + if ($plugins[$path]) + { + $plugin_name = $plugins[$path]; + } + else if (in_array($path, $plugins)) + { + $plugin_name = $path; + } + else + { + header("HTTP/1.0 404 Not Found"); + exit(''); + } + + /* Return if not index.php */ + if ( ($phppath != strtolower($plugin_name) . '/') && ($phppath != strtolower($plugin_name) . '/index.php') ) + { + return; + } + + /* Exit if not logged in. */ + if ( !$member->isLoggedIn() ) + { + exit(_GFUNCTIONS_YOU_AERNT_LOGGEDIN); + } + + global $manager,$DIR_LIBS,$DIR_LANG,$HTTP_GET_VARS,$HTTP_POST_VARS; + + /* Check if this feature is needed (ie, if "$manager->checkTicket()" is not included in the script). */ + if (!($p_translated=serverVar('PATH_TRANSLATED'))) + { + $p_translated=serverVar('SCRIPT_FILENAME'); + } + if ($file=@file($p_translated)) + { + $prevline=''; + foreach($file as $line) + { + if (preg_match('/[\$]manager([\s]*)[\-]>([\s]*)checkTicket([\s]*)[\(]/i',$prevline.$line)) + { + return; + } + $prevline=$line; + } + } + + /* Show a form if not valid ticket */ + if ( ( strstr(serverVar('REQUEST_URI'),'?') || serverVar('QUERY_STRING') + || strtoupper(serverVar('REQUEST_METHOD'))=='POST' ) + && (!$manager->checkTicket()) ) + { + if (!class_exists('PluginAdmin')) + { + $language = getLanguageName(); + + # replaced ereg_replace() below with preg_replace(). ereg* functions are deprecated in PHP 5.3.0 + # original ereg_replace: ereg_replace( '[\\|/]', '', $language) . '.php') + # important note that '\' must be matched with '\\\\' in preg* expressions + include($DIR_LANG . preg_replace('#[\\\\|/]#', '', $language) . '.php'); + include($DIR_LIBS . 'PLUGINADMIN.php'); + } + + $oPluginAdmin = new PluginAdmin($plugin_name); + $oPluginAdmin->start(); + echo '' . _ERROR_BADTICKET . "
\n"; + + /* Show the form to confirm action */ + // PHP 4.0.x support + $get= (isset($_GET)) ? $_GET : $HTTP_GET_VARS; + $post= (isset($_POST)) ? $_POST : $HTTP_POST_VARS; + // Resolve URI and QUERY_STRING + if ($uri=serverVar('REQUEST_URI')) + { + list($uri,$qstring)=explode('?',$uri); + } + else + { + if ( !($uri=serverVar('PHP_SELF')) ) + { + $uri=serverVar('SCRIPT_NAME'); + } + $qstring=serverVar('QUERY_STRING'); + } + if ($qstring) + { + $qstring='?'.$qstring; + } + echo ''._SETTINGS_UPDATE.' : '._QMENU_PLUGINS.' '.htmlspecialchars($plugin_name)." ?
\n"; + switch(strtoupper(serverVar('REQUEST_METHOD'))) + { + case 'POST': + echo '\n"; + + $oPluginAdmin->end(); + exit; + } + + /* Create new ticket */ + $ticket=$manager->addTicketToUrl(''); + $ticketforplugin['ticket']=substr($ticket,strpos($ticket,'ticket=')+7); +} +function _addInputTags(&$keys,$prefix=''){ + foreach($keys as $key=>$value){ + if ($prefix) $key=$prefix.'['.$key.']'; + if (is_array($value)) _addInputTags($value,$key); + else { + if (get_magic_quotes_gpc()) $value=stripslashes($value); + if ($key=='ticket') continue; + echo ''."\n"; + } + } +} + +/** + * Convert the server string such as $_SERVER['REQUEST_URI'] + * to arry like arry['blogid']=1 and array['page']=2 etc. + */ +function serverStringToArray($str, &$array, &$frontParam) +{ + // init param + $array = array(); + $fronParam = ""; + + // split front param, e.g. /index.php, and others, e.g. blogid=1&page=2 + if (strstr($str, "?")){ + list($frontParam, $args) = preg_split("/\?/", $str, 2); + } + else { + $args = $str; + $frontParam = ""; + } + + // If there is no args like blogid=1&page=2, return + if (!strstr($str, "=") && !strlen($frontParam)) { + $frontParam = $str; + return; + } + + $array = explode("&", $args); +} + +/** + * Convert array like array['blogid'] to server string + * such as $_SERVER['REQUEST_URI'] + */ +function arrayToServerString($array, $frontParam, &$str) +{ + if (strstr($str, "?")) { + $str = $frontParam . "?"; + } else { + $str = $frontParam; + } + if (count($array)) { + $str .= implode("&", $array); + } +} + +/** + * Sanitize array parameters. + * This function checks both key and value. + * - check key if it inclues " (double quote), remove from array + * - check value if it includes \ (escape sequece), remove remaining string + */ +function sanitizeArray(&$array) +{ + $excludeListForSanitization = array('query'); +// $excludeListForSanitization = array(); + + foreach ($array as $k => $v) { + + // split to key and value + list($key, $val) = preg_split("/=/", $v, 2); + if (!isset($val)) { + continue; + } + + // when magic quotes is on, need to use stripslashes, + // and then addslashes + if (get_magic_quotes_gpc()) { + $val = stripslashes($val); + } + // note that we must use addslashes here because this function is called before the db connection is made + // and sql_real_escape_string needs a db connection + $val = addslashes($val); + + // if $key is included in exclude list, skip this param + if (!in_array($key, $excludeListForSanitization)) { + + // check value + if (strpos($val, '\\')) { + list($val, $tmp) = explode('\\', $val); + } + + // remove control code etc. + $val = strtr($val, "\0\r\n<>'\"", " "); + + // check key + if (preg_match('/\"/i', $key)) { + unset($array[$k]); + continue; + } + + // set sanitized info + $array[$k] = sprintf("%s=%s", $key, $val); + } + } +} + +/** + * Convert array for sanitizeArray function + */ +function convArrayForSanitizing($src, &$array) +{ + $array = array(); + foreach ($src as $key => $val) { + if (key_exists($key, $_GET)) { + array_push($array, sprintf("%s=%s", $key, $val)); + } + } +} + +/** + * Revert array after sanitizeArray function + */ +function revertArrayForSanitizing($array, &$dst) +{ + foreach ($array as $v) { + list($key, $val) = preg_split("/=/", $v, 2); + $dst[$key] = $val; + } +} + +/** + * Stops processing the request and redirects to the given URL. + * - no actual contents should have been sent to the output yet + * - the URL will be stripped of illegal or dangerous characters + */ +function redirect($url) { + $url = preg_replace('|[^a-z0-9-~+_.?#=&;,/:@%*]|i', '', $url); + header('Location: ' . $url); + exit; +} + +/** + * Strip HTML tags from a string + * This function is a bit more intelligent than a regular call to strip_tags(), + * because it also deletes the contents of certain tags and cleans up any + * unneeded whitespace. + */ +function stringStripTags ($string) { + $string = preg_replace("/', '\n', $data); //hack + $data = strtr($data,$from_entities); + $data = strtr($data,$to_entities); + $data = str_replace('\n', '
', $data); //hack + return $data; +} + +/** + * Returns the Javascript code for a bookmarklet that works on most modern browsers + * + * @param blogid + */ +function getBookmarklet($blogid) { + global $CONF; + + // normal + $document = 'document'; + $bookmarkletline = "javascript:Q='';x=".$document.";y=window;if(x.selection){Q=x.selection.createRange().text;}else if(y.getSelection){Q=y.getSelection();}else if(x.getSelection){Q=x.getSelection();}wingm=window.open('"; + $bookmarkletline .= $CONF['AdminURL'] . "bookmarklet.php?blogid=$blogid"; + $bookmarkletline .="&logtext='+escape(Q)+'&loglink='+encodeURIComponent(x.location.href)+'&loglinktitle='+escape(x.title),'nucleusbm','toolbar=no,scrollbars=no,width=600,height=550,left=10,top=10,status=no,resizable=yes');wingm.focus();"; + + return $bookmarkletline; +} +// END: functions from the end of file ADMIN.php + +/** + * Returns a variable or null if not set + * + * @param mixed Variable + * @return mixed Variable + */ +function ifset(&$var) { + if (isset($var)) { + return $var; + } + + return null; +} + +/** + * Returns number of subscriber to an event + * + * @param event + * @return number of subscriber(s) + */ +function numberOfEventSubscriber($event) { + $query = 'SELECT COUNT(*) as count FROM ' . sql_table('plugin_event') . ' WHERE event=\'' . $event . '\''; + $res = sql_query($query); + $obj = sql_fetch_object($res); + return $obj->count; +} + +/** + * sets $special global variable for use in index.php before selector() + * + * @param String id + * @return nothing + */ +function selectSpecialSkinType($id) { + global $special; + $special = strtolower($id); +} + +/** + * cleans filename of uploaded file for writing to file system + * + * @param String str + * @return String cleaned filename ready for use + */ +function cleanFileName($str) { + $cleaner = array(); + $cleaner[] = array('expression'=>"/[à áäãâª]/",'replace'=>"a"); + $cleaner[] = array('expression'=>"/[èéêë]/",'replace'=>"e"); + $cleaner[] = array('expression'=>"/[ìÃîï]/",'replace'=>"i"); + $cleaner[] = array('expression'=>"/[òóõôö]/",'replace'=>"o"); + $cleaner[] = array('expression'=>"/[ùúûü]/",'replace'=>"u"); + $cleaner[] = array('expression'=>"/[ñ]/",'replace'=>"n"); + $cleaner[] = array('expression'=>"/[ç]/",'replace'=>"c"); + + $str = strtolower($str); + $ext_point = strrpos($str,"."); + if ($ext_point===false) return false; + $ext = substr($str,$ext_point,strlen($str)); + $str = substr($str,0,$ext_point); + + //foreach( $cleaner as $cv ) $str = preg_replace($cv["expression"],$cv["replace"],$str); + + return preg_replace("/[^a-z0-9-]/","_",$str).$ext; +} + +/** + * generate correct timecode with the format includes Japanese charactors + * + * @param String $format standard format string. Allowd to include Japanese charactors + * @param Integer $timestamp Unix Timestamp formated integer + * @return String Formatted timestamp + */ +function strftimejp($format,$timestamp = ''){ + return (setlocale(LC_CTYPE, 0) == 'Japanese_Japan.932') + ? iconv('CP932', _CHARSET, strftime(iconv(_CHARSET, 'CP932', $format),$timestamp)) + : strftime($format,$timestamp) + ; +} +?> \ No newline at end of file