X-Git-Url: http://git.harvie.cz/?a=blobdiff_plain;f=wwwroot%2Fnodes.php;h=6ea1ceb850fe5f1bfc0da74a117d1e317725d2fe;hb=cb4300b251c6ebccea24ac30af5121aab851cb4d;hp=586f81ecbb1d9bf4972d720eacf319038c64f732;hpb=2fb33507204ed8c25b7fb90238c9cc5b7af60fa2;p=mirrors%2FKyberia-bloodline.git

diff --git a/wwwroot/nodes.php b/wwwroot/nodes.php
index 586f81e..6ea1ceb 100644
--- a/wwwroot/nodes.php
+++ b/wwwroot/nodes.php
@@ -5,9 +5,6 @@ if (!empty($_POST['FORCE_OB']) && $_POST['FORCE_OB'] == 'true') ob_start();
 //header("Location: http://web.archive.org/web/20020925021139/http://kyberia.sk");
 //echo "je to uz uplne v pici. vsetky data su stratene, prajem pekny den :)";
 //exit;
-error_reporting(1);
-$_SESSION['debugging']=1;
-//exit;
 
 //starting timer for benchmarking purposes
 $timer_start=Time()+SubStr(MicroTime(),0,8);
@@ -15,6 +12,10 @@ $timer_start=Time()+SubStr(MicroTime(),0,8);
 //setting PHPSESSID cookie and starting user session
 session_start();
 
+error_reporting(1);
+//$_SESSION['debugging']=1;
+//exit;
+
 
 if ($_SESSION['debugging']) {
 
@@ -42,7 +43,6 @@ require(INCLUDE_DIR.'error_messages.inc');
 require(INCLUDE_DIR.'database.inc');
 
 $db = new CLASS_DATABASE();
-$logger = new logger; //XXX
 
 if (!empty($_GET['template_id'])) {
 	$template_id=$_GET['template_id'];
@@ -67,14 +67,15 @@ $smarty->template_dir = TEMPLATE_DIR;
 //echo TEMPLATE_DIR.TEMPLATE_SET;
 //echo $smarty->template_dir;
 $smarty->compile_dir = SYSTEM_DATA."templates_c/";
-$smarty->config_dir = SMARTY_DIR.'configs/'; #XXX neexistuje
+$smarty->config_dir = SMARTY_DIR.'configs/'; //XXX neexistuje
 $smarty->cache_dir = SMARTY_DIR.'cache/';
 $smarty->plugins_dir = SMARTY_PLUGIN_DIR ;
 if ($_SESSION['debugging']) $smarty->debugging=true;
 
-//initializing variables
+// initializing variables
+// preg_replace prevents LFI
 if (empty($_POST['event'])) $event=false;
-else $event=$_POST['event'];
+else $event= preg_replace( "![^a-zA-Z0-9_]+!", "", $_POST['event']);
 
 
 if ($_SESSION['debugging']) {
@@ -160,7 +161,7 @@ if ($template_id=='rss')
 	{
 	   require_once(INCLUDE_DIR.'/feedcreator.class.php');
 
-	   $rss =& new UniversalFeedCreator();
+	   $rss = new UniversalFeedCreator();
 	   $rss->title = "Kyberia mail";
 	   $rss->description = "";
 	   $rss->link = "https://". SYSTEM_URL . "/id/24";
@@ -181,7 +182,7 @@ if ($template_id=='rss')
 		   $m = $set->getRecord();
 		   if ($m['mail_to'] != $_SESSION['user_id'])
 			   continue;
-		   $item =& new FeedItem();
+		   $item = new FeedItem();
 		   $item->title = $m['mail_from_name'];
 		   $item->link = "https://".SYSTEM_URL."/id/24";
 		   $item->description = $m['mail_text'];
@@ -193,7 +194,7 @@ if ($template_id=='rss')
 	{
 		require_once(INCLUDE_DIR.'/feedcreator.class.php');
 
-		$rss =& new UniversalFeedCreator();
+		$rss = new UniversalFeedCreator();
 		$rss->title = "Kyberia bookmarks";
 		$rss->link = "http://".SYSTEM_URL."/id/19";
 
@@ -205,7 +206,7 @@ if ($template_id=='rss')
 			if (is_array($_item['children']))
 				foreach ($_item['children'] as $_b)
 				{
-					$item =& new FeedItem();
+					$item = new FeedItem();
 					$item->title = $_b['node_name'];
 					$item->link = "http://".SYSTEM_URL."/id/".$_b['node_id']."/rss";
 					$rss->addItem($item);
@@ -217,7 +218,7 @@ if ($template_id=='rss')
 	{
 		require_once(INCLUDE_DIR.'/feedcreator.class.php');
 
-		$rss =& new UniversalFeedCreator();
+		$rss = new UniversalFeedCreator();
 		$rss->title = $node['node_name'];
 		$rss->description = "";
 		$rss->link = "http://".SYSTEM_URL."/id/".$node['node_id'];
@@ -239,7 +240,7 @@ if ($template_id=='rss')
 
 		foreach ($_items as $_item)
 		{
-			$item =& new FeedItem();
+			$item = new FeedItem();
 			$item->title = $_item['node_name'];
 			$item->link = "http://".SYSTEM_URL."/id/".$_item['node_id'];
 			$item->description = $_item['node_content'];
@@ -283,7 +284,7 @@ if ($_SESSION['user_id']) {
 //if node is css
 if ($node['template_id']!='2019721'){
 
-	$logger->log('enter',$node['node_id'],'ok',$node['node_user_subchild_count']);
+	logger::log('enter',$node['node_id'],'ok',$node['node_user_subchild_count']);
 	if (!empty($_SESSION['user_id']) && is_numeric($node['node_id'])) {
 		$q="update node_access set visits=visits+1,node_user_subchild_count='0',last_visit=NOW() where node_id='".$node['node_id']."' and user_id='".$_SESSION['user_id']."'";
 //		echo $q;
@@ -330,7 +331,7 @@ elseif (!$permissions['r'] && $_GET['magic_word']) {
 
 
 else {
-	$logger->log('enter',$node['node_id'],'failed');
+	logger::log('enter',$node['node_id'],'failed');
 }
 
 
@@ -360,7 +361,7 @@ if ($user_id=$_SESSION['user_id']) {
 				$user_id);
 	$newmailset = $db->query($newmail_q);
 
-#	$newmailset=$db->query("select user_mail,user_mail_name,user_k,k_wallet from users where user_id='$user_id'");
+//$newmailset=$db->query("select user_mail,user_mail_name,user_k,k_wallet from users where user_id='$user_id'");
 
 	$newmailset->next();
 	$new_mail=$newmailset->getString('user_mail');