Cleared upload_data, commented out "gallery" feature, commented out jabber from...
authorniekt0 <niekt0@kyberia.cz>
Mon, 26 Sep 2011 15:31:57 +0000 (17:31 +0200)
committerniekt0 <niekt0@kyberia.cz>
Mon, 26 Sep 2011 15:31:57 +0000 (17:31 +0200)
wwwroot/inc/eventz/login.inc
wwwroot/inc/eventz/upload_data_file.inc
wwwroot/inc/filez.inc
wwwroot/inc/senate.inc

index 8f33e55e684b539d3cdcd0eb708b82577cd1eeb3..46252a3e05cdc50fe8a52b3b05f61f8461d10fcc 100644 (file)
@@ -12,22 +12,24 @@ function jabberctl($command, $args) { //XXXTODO Move to some .inc file...
 
 function login_check($login, $password, $login_type='id') {
 
-    global $db,$error,$node_id;
-               $login = db_escape_string($login); //Not SQLi in $password but be carefull
-    $password_hash_algos=array('sha256','sha1','md5'); //List of supported algos can be obtained using: php -r 'print_r(hash_algos());'
-
-    $hash_query='(';
-    foreach($password_hash_algos as $algo) {
-      $hash_query.="password='".hash($algo, $password)."' OR ";
-    }
-    $hash_query.='false )';
+       global $db,$error,$node_id;
+       $login = db_escape_string($login); 
+       //Not SQLi in $password but be carefull
+       $password_hash_algos=array('sha256','sha1','md5'); 
+       //List of supported algos can be obtained using: php -r 'print_r(hash_algos());'
+
+       $hash_query='(';
+       foreach($password_hash_algos as $algo) {
+               $hash_query.="password='".hash($algo, $password)."' OR ";
+       }
+       $hash_query.='false )';
 
-    $referer = $_SERVER['HTTP_REFERER'];
+       $referer = $_SERVER['HTTP_REFERER'];
 
-    if (!session_id()) {
-        $error='asi nemas zapnute cookies alebo co';
-        return false;
-    }
+       if (!session_id()) {
+               $error='asi nemas zapnute cookies alebo co';
+               return false;
+       }
 
        switch ($login_type) {
                case "name":
@@ -130,9 +132,12 @@ where node_access.user_id='$user_id' and node_bookmark='yes' order by node_name"
        $xmpp_pass=hash('md5', 'jabber:'.$_POST['password']);
        setcookie('jabber_password', $xmpp_pass, time()+60*60*24*10, '/'); //10days on whole domain
        $xmpp_domain='kyberia.cz'; //XXX TODO Hardcoded kyberia.cz jabber domain (NOT dev.kyberia.cz!!!!!)
-       jabberctl('register',           array($xmpp, $xmpp_domain, $xmpp_pass));
-       jabberctl('change_password',    array($xmpp, $xmpp_domain, $xmpp_pass));
-       jabberctl('push_alltoall',      array($xmpp_domain, $xmpp_domain));
+
+       # XXX dissabled, was causing 20+ sec. delay while logging in
+#      jabberctl('register',           array($xmpp, $xmpp_domain, $xmpp_pass));
+#      jabberctl('change_password',    array($xmpp, $xmpp_domain, $xmpp_pass));
+#      jabberctl('push_alltoall',      array($xmpp_domain, $xmpp_domain));
+
         if (!empty($cube_vector)) $_SESSION['cube_vector']=$cube_vector;
         if (empty($_SESSION['template_set'])) $_SESSION['template_set']=$set->getString('template_set');
         if (is_numeric($_POST['screen_width'])) $_SESSION['browser']['screen_width']=$_POST['screen_width'];
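Review bot: Disabling the three jabberctl calls leaves the `$xmpp_pass=hash('md5', 'jabber:'.$_POST['password'])` and `setcookie('jabber_password', …)` lines at the top of the hunk running on every login, so an unsalted MD5 of the submitted password is still sent to the browser as a ten-day, domain-wide cookie with no httponly or secure flag, and nothing left in this file consumes it. If the jabber sync is paused rather than dropped, pause the cookie with it (comment out the `$xmpp_pass=` and `setcookie(` lines as well), or better, gate the whole jabber section behind one configuration constant so it can be switched back on without editing code. The `#` comment style also differs from the `//` used elsewhere in this function; one style would read consistently. The enclosing login handler starts and ends outside the hunk.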
index 09aa33eae3bd99a0393b970edbb25205f79ca487..7c21f3ae8b83bd0e84ceba2dffbb3889e0e5fee6 100644 (file)
@@ -1,7 +1,5 @@
 <?php
 
-
-
 function upload_data_file() {
        // XXX sec. bug over sec. bug
 
@@ -17,7 +15,7 @@ function upload_data_file() {
 
        $node_id=$node['node_id'];
        
-       if ( !filez::filename_secure($_FILES['data_file']['name'])) {
+       if ( !filez::upload_filename_secure($_FILES['data_file']['name'])) {
                $error = 'bad, naughty file type. Cruise missile launched.';
                return false;
        }
@@ -50,8 +48,7 @@ function upload_data_file() {
 
                                $node_params['node_name']=$file;
                                $node_params['node_creator']=$_SESSION['user_id'];
-                               if ($_POST['gallery']) $node_params['template_id']="1041658";
-                               else $node_params['template_id']=12;
+                               $node_params['template_id']=DEF_DATA_TEMPLATE;
                                $node_params['node_parent']=$node['node_id'];
 
                                $node_params['node_content']=$file;
@@ -61,27 +58,30 @@ function upload_data_file() {
                                     FILE_DIR.$_SESSION['user_id'].'/'.$datanode_id.".$file_suffix");
                                symlink(FILE_DIR.$_SESSION['user_id'].'/'.$datanode_id.".$file_suffix",
                                        SYSTEM_ROOT.'/files/'.$datanode_id);
-                               if ($_POST['gallery']) {
-                                       $image=TMP."/".$_FILES['data_file']['name']."/".$file;
-                                       $image_name=$file;
-                                       $width=NODE_IMAGE_WIDTH;
-
-                                       if (stristr($image_name,".jpg") || 
-                                           stristr($image_name,".jpeg") ){
-                                               
-                                               /// XXX UTILZ_DIR is not set. remove?
-                                               $cmd=UTILZ_DIR."/jpegtopnm  $image |".UTILZ_DIR."/pnmscale -width=$width | ".UTILZ_DIR."ppmquant 256 |".UTILZ_DIR."ppmtogif >".SYSTEM_ROOT.SYSTEM_IMAGES.'/nodes/'.substr($datanode_id,0,1)."/".substr($datanode_id,1,1)."/".$datanode_id.".gif";
-                                       }
-                                       elseif (stristr($image_name,".gif")) {
-                                               $cmd=UTILZ_DIR."/gifsicle --resize ".$width."x_ $image > ".SYSTE_ROOT.SYSTEM_IMAGES.'/nodes/'.substr($datanode_id,0,1)."/".substr($datanode_id,1,1)."/".$datanode_id.".gif";
-                                       }
-                                       if ($cmd) {
-                                               shell_exec($cmd);
-                                       }
-                                       // XXX WTF
-                                       echo $cmd;
-                               }
 
+# Removed for now, need complete rewrite
+
+#                              if ($_POST['gallery']) {
+#                                      $node_params['template_id']=DEF_GALLERY_TEMPLATE;
+#                                      $image=TMP."/".$_FILES['data_file']['name']."/".$file;
+#                                      $image_name=$file;
+#                                      $width=NODE_IMAGE_WIDTH;
+#
+#                                      if (stristr($image_name,".jpg") || 
+#                                          stristr($image_name,".jpeg") ){
+#                                              
+#                                              /// XXX UTILZ_DIR is not set. remove?
+#                                              $cmd=UTILZ_DIR."/jpegtopnm  $image |".UTILZ_DIR."/pnmscale -width=$width | ".UTILZ_DIR."ppmquant 256 |".UTILZ_DIR."ppmtogif >".SYSTEM_ROOT.SYSTEM_IMAGES.'/nodes/'.substr($datanode_id,0,1)."/".substr($datanode_id,1,1)."/".$datanode_id.".gif";
+#                                      }
+#                                      elseif (stristr($image_name,".gif")) {
+#                                              $cmd=UTILZ_DIR."/gifsicle --resize ".$width."x_ $image > ".SYSTE_ROOT.SYSTEM_IMAGES.'/nodes/'.substr($datanode_id,0,1)."/".substr($datanode_id,1,1)."/".$datanode_id.".gif";
+#                                      }
+#                                      if ($cmd) {
+#                                              shell_exec($cmd);
+#                                      }
+#                                      // XXX WTF
+#                                      echo $cmd;
+#                              }
                        }
                }
                closedir($handle);
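Review bot: The block commented out here keeps `shell_exec($cmd)` with `$cmd` assembled from `$_FILES['data_file']['name']` and `$file` without escapeshellarg(), an `echo $cmd` that prints server paths, the `SYSTE_ROOT` typo, and a `$cmd` that is undefined when the name is neither jpg nor gif; leaving it as `#` lines invites it to be uncommented as-is. Since git history preserves it, delete the block and leave a short note stating what the rewrite must do, e.g. `# Gallery resize removed; a rewrite must pass filenames through escapeshellarg() (or avoid the shell entirely) and must not echo the command.` The `#` markers also sit in column 0 while the code keeps its tab indentation, which makes the disabled block hard to tell apart from the live `}` lines below it. upload_data_file starts and ends outside the hunk.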
@@ -94,8 +94,5 @@ function upload_data_file() {
                symlink(FILE_DIR.$_SESSION['user_id'].'/'.$node['node_id'].".$suffix",
                        SYSTEM_ROOT.'/files/'.$node['node_id']);
        }
-
-
 }
-
 ?>
index 5ca65c93c77d4bf06ac5c70f31d083b0727e60f5..a7fcd3943238e1abc73f0f3783461d187fd226f0 100644 (file)
@@ -1,27 +1,17 @@
 <?php
-class filez {
-
-//XXX function not used, remove?
 
-public static function files($id) {
-       global $db,$error;
-       if (!is_dir(FILE_DIR.$_SESSION['user_id'])) {
-               mkdir(FILE_DIR.$_SESSION['user_id']);
-       }
-       copy($_FILES['data_file']['tmp_name'],FILE_DIR.$_SESSION['user_id'].'/'.$_FILES['data_file']['name']);
-       return $_SESSION['user_id'].'/'.$_FILES['data_file']['name'];
-}
+class filez {
 
 // Function that check if given filename is "secure" (for uploading)
 // Dont use for reading files, directory traversal is not checked
 
-public static function filename_secure($name){
+public static function upload_filename_secure($name){
        $suffix = array_pop(explode('.', basename($name)));
        
        // This is unfornately blacklist
        // TODO extend for all possible server configuations
        // TODO: why js?
-       $preg_disallowed = '/([a-z]*)(php|htm|inc|js|vbs|cgi|asp|jsp|htaccess)([a-z]*)$/i';
+       $preg_disallowed = '/([a-z]*)(php|htm|inc|js|vbs|cgi|asp|jsp|htaccess|htpasswd|asmx)([a-z]*)$/i';
        if (preg_match($preg_disallowed, $suffix) > 0) {
                return false;
        }
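Review bot: `upload_filename_secure` still judges only the last dot-separated segment, so a name with several suffixes is decided by its final one alone, which is the server-configuration gap the TODO above the pattern already mentions; adding htpasswd and asmx to the blacklist does not change that. Cheapest hardening within the current design is to run the pattern over every segment, `foreach (explode('.', basename($name)) as $part) { if (preg_match($preg_disallowed, $part) > 0) return false; }`, and longer term to replace the blacklist with an allowlist of the suffixes the site actually serves. Separately, `array_pop(explode(...))` passes a temporary by reference, which PHP reports as a strict-standards notice; `$parts = explode('.', basename($name)); $suffix = end($parts);` avoids it. The method body continues past the hunk.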
@@ -29,36 +19,4 @@ public static function filename_secure($name){
 }
 
 }
-
-/*
-*  Returns disk usage in bytes of directory $d. Limit depth level with $depth.
-*  Updates, documentation and examples: http://daniel.lorch.cc/projects/disk_usage/
-*
-*  Revision: 1.00
-*/
-
-function disk_usage($d, $depth = NULL) {
-  if(is_file($d))
-    return filesize($d);
-
-  if(isset($depth) && $depth < 0)
-    return 0;
-
-  if($d[strlen($d)-1] != '\\' || $d[strlen($d)-1] != '/')
-    $d .= '/';
-
-  $dh=@opendir($d);
-  if(!$dh)
-    return 0;
-
-  while($e = readdir($dh))
-    if($e != '.' && $e != '..')
-      $usage += disk_usage($d.$e, isset($depth) ? $depth - 1 : NULL);
-
-  closedir($dh);
-
-  return $usage;
-}
-
-
 ?>
index 3dd497692639a07b14e5f46c6f234f57afab90ab..7fa7c8b74d8184258c7856d7fca7035aff3d4833 100644 (file)
@@ -10,6 +10,9 @@ define('REGISTRATION_TEXT_NODE',791946);
 define('REGISTRATION_REQUEST_NODE',2091448);
 define('UNVERIFIED_REGISTRATIONS_NODE',1836516);
 
+define('DEF_DATA_TEMPLATE',12);
+define('DEF_GALLERY_TEMPLATE',1041658);
+
 // 1961061 citizens?
 // 1061495 citizens?
 // 1961070 citizens?
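Review bot: `DEF_GALLERY_TEMPLATE` is added but its only reference in this commit is inside the block that wwwroot/inc/eventz/upload_data_file.inc comments out, so it is dead on arrival; either drop it until the gallery rewrite lands or mark it with `// unused until the gallery upload path is rewritten`. The two defines also sit among node-id constants without saying what they hold; a one-line comment such as `// template ids assigned to newly created data / gallery nodes` would help (presumably node ids like their neighbours, but that is not visible here and should be confirmed).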