From 5ca959fa688255a8de61f89fe2751eb4d24a6912 Mon Sep 17 00:00:00 2001
From: Florian Schaal <florian@schaal-24.de>
Date: Tue, 22 Mar 2016 09:22:07 -0400
Subject: [PATCH] fixed typo
---
interface/lib/classes/tform_base.inc.php | 233 ++++++++++++++++++++++++++++++++++++++-------------------
1 files changed, 154 insertions(+), 79 deletions(-)
diff --git a/interface/lib/classes/tform_base.inc.php b/interface/lib/classes/tform_base.inc.php
index f5ae05b..4405de4 100644
--- a/interface/lib/classes/tform_base.inc.php
+++ b/interface/lib/classes/tform_base.inc.php
@@ -98,6 +98,7 @@
var $errorMessage = '';
var $dateformat = "d.m.Y";
+ var $datetimeformat = 'd.m.Y H:i'; // is set to the correct value in loadFormDef
var $formDef = array();
var $wordbook;
var $module;
@@ -126,6 +127,7 @@
global $app, $conf;
include $file;
+ $app->plugin->raiseEvent($_SESSION['s']['module']['name'].':'.$form['name'] . ':on_before_formdef', $this);
$this->formDef = $form;
$this->module = $module;
@@ -149,10 +151,13 @@
$wb = $app->functions->array_merge($wb_global, $wb);
}
if(isset($wb_global)) unset($wb_global);
-
+
$this->wordbook = $wb;
+
+ $app->plugin->raiseEvent($_SESSION['s']['module']['name'].':'.$app->tform->formDef['name'] . ':on_after_formdef', $this);
$this->dateformat = $app->lng('conf_format_dateshort');
+ $this->datetimeformat = $app->lng('conf_format_datetime');
return true;
}
@@ -412,6 +417,28 @@
if(!is_array($this->formDef)) $app->error("No form definition found.");
if(!is_array($this->formDef['tabs'][$tab])) $app->error("The tab is empty or does not exist (TAB: $tab).");
+ /* CSRF PROTECTION */
+ // generate csrf protection id and key
+ $csrf_token = $app->auth->csrf_token_get($this->formDef['name']);
+ $_csrf_id = $csrf_token['csrf_id'];
+ $_csrf_value = $csrf_token['csrf_key'];
+
+ $this->formDef['tabs'][$tab]['fields']['_csrf_id'] = array(
+ 'datatype' => 'VARCHAR',
+ 'formtype' => 'TEXT',
+ 'default' => $_csrf_id,
+ 'value' => $_csrf_id
+ );
+ $this->formDef['tabs'][$tab]['fields']['_csrf_key'] = array(
+ 'datatype' => 'VARCHAR',
+ 'formtype' => 'TEXT',
+ 'default' => $_csrf_value,
+ 'value' => $_csrf_value
+ );
+ $record['_csrf_id'] = $_csrf_id;
+ $record['_csrf_key'] = $_csrf_value;
+ /* CSRF PROTECTION */
+
$new_record = array();
if($action == 'EDIT') {
$record = $this->decode($record, $tab);
@@ -445,7 +472,7 @@
if(is_array($field['value'])) {
foreach($field['value'] as $k => $v) {
$selected = ($k == $val)?' SELECTED':'';
- if(!empty($this->wordbook[$v]))
+ if(isset($this->wordbook[$v]))
$v = $this->wordbook[$v];
$out .= "<option value='$k'$selected>".$this->lng($v)."</option>\r\n";
}
@@ -667,8 +694,46 @@
*/
protected function _encode($record, $tab, $dbencode = true, $api = false) {
global $app;
- if($api == true) $fields = &$this->formDef['fields'];
- else $fields = &$this->formDef['tabs'][$tab]['fields'];
+ if($api == true) {
+ $fields = &$this->formDef['fields'];
+ } else {
+ $fields = &$this->formDef['tabs'][$tab]['fields'];
+ /* CSRF PROTECTION */
+ if(isset($_POST) && is_array($_POST)) {
+ $_csrf_valid = false;
+ if(isset($_POST['_csrf_id']) && isset($_POST['_csrf_key'])) {
+ $_csrf_id = trim($_POST['_csrf_id']);
+ $_csrf_key = trim($_POST['_csrf_key']);
+ if(isset($_SESSION['_csrf']) && isset($_SESSION['_csrf'][$_csrf_id]) && isset($_SESSION['_csrf_timeout']) && isset($_SESSION['_csrf_timeout'][$_csrf_id])) {
+ if($_SESSION['_csrf'][$_csrf_id] === $_csrf_key && $_SESSION['_csrf_timeout'] >= time()) $_csrf_valid = true;
+ }
+ }
+ if($_csrf_valid !== true) {
+ $app->log('CSRF attempt blocked. Referer: ' . (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : 'unknown'), LOGLEVEL_WARN);
+ $errmsg = 'err_csrf_attempt_blocked';
+ $this->errorMessage .= ($api == true ? $errmsg : $this->wordbook[$errmsg]."<br />") . "\r\n";
+ unset($_POST);
+ unset($record);
+ }
+
+ if(isset($_SESSION['_csrf_timeout']) && is_array($_SESSION['_csrf_timeout'])) {
+ $to_unset = array();
+ foreach($_SESSION['_csrf_timeout'] as $_csrf_id => $timeout) {
+ if($timeout < time()) $to_unset[] = $_csrf_id;
+ }
+ foreach($to_unset as $_csrf_id) {
+ $_SESSION['_csrf'][$_csrf_id] = null;
+ $_SESSION['_csrf_timeout'][$_csrf_id] = null;
+ unset($_SESSION['_csrf'][$_csrf_id]);
+ unset($_SESSION['_csrf_timeout'][$_csrf_id]);
+ }
+ unset($to_unset);
+ }
+ }
+ /* CSRF PROTECTION */
+ }
+
+ $new_record = array();
if(is_array($record)) {
foreach($fields as $key => $field) {
@@ -708,13 +773,8 @@
if($record[$key] != '' && $record[$key] != '0000-00-00') {
if(function_exists('date_parse_from_format')) {
$date_parts = date_parse_from_format($this->dateformat, $record[$key]);
- //list($tag,$monat,$jahr) = explode('.',$record[$key]);
- $new_record[$key] = $date_parts['year'].'-'.$date_parts['month'].'-'.$date_parts['day'];
- //$tmp = strptime($record[$key],$this->dateformat);
- //$new_record[$key] = ($tmp['tm_year']+1900).'-'.($tmp['tm_mon']+1).'-'.$tmp['tm_mday'];
+ $new_record[$key] = $date_parts['year'].'-'.str_pad($date_parts['month'], 2, "0", STR_PAD_LEFT).'-'.str_pad($date_parts['day'], 2, "0", STR_PAD_LEFT);
} else {
- //$tmp = strptime($record[$key],$this->dateformat);
- //$new_record[$key] = ($tmp['tm_year']+1900).'-'.($tmp['tm_mon']+1).'-'.$tmp['tm_mday'];
$tmp = strtotime($record[$key]);
$new_record[$key] = date('Y-m-d', $tmp);
}
@@ -724,8 +784,6 @@
break;
case 'INTEGER':
$new_record[$key] = (isset($record[$key]))?$app->functions->intval($record[$key]):0;
- //if($new_record[$key] != $record[$key]) $new_record[$key] = $field['default'];
- //if($key == 'refresh') die($record[$key]);
break;
case 'DOUBLE':
$new_record[$key] = $record[$key];
@@ -735,7 +793,7 @@
break;
case 'DATETIME':
- if (is_array($record[$key]))
+ /*if (is_array($record[$key]))
{
$filtered_values = array_map(create_function('$item', 'return (int)$item;'), $record[$key]);
extract($filtered_values, EXTR_PREFIX_ALL, '_dt');
@@ -743,7 +801,22 @@
if ($_dt_day != 0 && $_dt_month != 0 && $_dt_year != 0) {
$new_record[$key] = date( 'Y-m-d H:i:s', mktime($_dt_hour, $_dt_minute, $_dt_second, $_dt_month, $_dt_day, $_dt_year) );
}
- }
+ } else {*/
+ if($record[$key] != '' && $record[$key] != '0000-00-00 00:00:00') {
+ //$tmp = strtotime($record[$key]);
+ //$new_record[$key] = date($this->datetimeformat, $tmp);
+ $parsed_date = date_parse_from_format($this->datetimeformat,$record[$key]);
+ if($parsed_date['error_count'] > 0 || ($parsed_date['year'] == 1899 && $parsed_date['month'] == 12 && $parsed_date['day'] == 31)) {
+ // There was an error, set the date to 0
+ $new_record[$key] = '0000-00-00 00:00:00';
+ } else {
+ // Date parsed successfully. Convert it to database format
+ $new_record[$key] = date( 'Y-m-d H:i:s', mktime($parsed_date['hour'], $parsed_date['minute'], $parsed_date['second'], $parsed_date['month'], $parsed_date['day'], $parsed_date['year']) );
+ }
+ } else {
+ $new_record[$key] = '0000-00-00 00:00:00';
+ }
+ /*}*/
break;
}
@@ -809,6 +882,12 @@
break;
case 'IDNTOUTF8':
$returnval = $app->functions->idn_decode($returnval);
+ break;
+ case 'TRIM':
+ $returnval = trim($returnval);
+ break;
+ case 'NOWHITESPACE':
+ $returnval = preg_replace('/\s+/', '', $returnval);
break;
default:
$this->errorMessage .= "Unknown Filter: ".$filter['type'];
@@ -876,7 +955,7 @@
}
break;
case 'NOTEMPTY':
- if(empty($field_value)) {
+ if(!isset($field_value) || $field_value === '') {
$errmsg = $validator['errmsg'];
if(isset($this->wordbook[$errmsg])) {
$this->errorMessage .= $this->wordbook[$errmsg]."<br />\r\n";
@@ -895,28 +974,25 @@
}
}
case 'ISEMAIL':
- if(function_exists('filter_var')) {
- if(filter_var($field_value, FILTER_VALIDATE_EMAIL) === false) {
- $errmsg = $validator['errmsg'];
- if(isset($this->wordbook[$errmsg])) {
- $this->errorMessage .= $this->wordbook[$errmsg]."<br />\r\n";
- } else {
- $this->errorMessage .= $errmsg."<br />\r\n";
- }
- }
+ if($validator['allowempty'] != 'y') $validator['allowempty'] = 'n';
+ if($validator['allowempty'] == 'y' && $field_value == '') {
+ //* Do nothing
} else {
- if(!preg_match("/^\w+[\w\.\-\+]*\w{0,}@\w+[\w.-]*\w+\.[a-zA-Z0-9\-]{2,30}$/i", $field_value)) {
- $errmsg = $validator['errmsg'];
- if(isset($this->wordbook[$errmsg])) {
- $this->errorMessage .= $this->wordbook[$errmsg]."<br />\r\n";
- } else {
- $this->errorMessage .= $errmsg."<br />\r\n";
+ if(function_exists('filter_var')) {
+ if(filter_var($field_value, FILTER_VALIDATE_EMAIL) === false) {
+ $errmsg = $validator['errmsg'];
+ if(isset($this->wordbook[$errmsg])) {
+ $this->errorMessage .= $this->wordbook[$errmsg]."<br />\r\n";
+ } else {
+ $this->errorMessage .= $errmsg."<br />\r\n";
+ }
}
- }
+ } else $this->errorMessage .= "function filter_var missing <br />\r\n";
}
break;
case 'ISINT':
if(function_exists('filter_var') && $field_value < 2147483647) {
+ //if($field_value != '' && filter_var($field_value, FILTER_VALIDATE_INT, array("options" => array('min_range'=>0))) === false) {
if($field_value != '' && filter_var($field_value, FILTER_VALIDATE_INT) === false) {
$errmsg = $validator['errmsg'];
if(isset($this->wordbook[$errmsg])) {
@@ -925,9 +1001,11 @@
$this->errorMessage .= $errmsg."<br />\r\n";
}
}
- } else {
- $tmpval = $app->functions->intval($field_value);
- if($tmpval === 0 and !empty($field_value)) {
+ } else $this->errorMessage .= "function filter_var missing <br />\r\n";
+ break;
+ case 'ISPOSITIVE':
+ if(function_exists('filter_var')) {
+ if($field_value != '' && filter_var($field_value, FILTER_VALIDATE_INT, array("options" => array('min_range'=>1))) === false) {
$errmsg = $validator['errmsg'];
if(isset($this->wordbook[$errmsg])) {
$this->errorMessage .= $this->wordbook[$errmsg]."<br />\r\n";
@@ -935,21 +1013,10 @@
$this->errorMessage .= $errmsg."<br />\r\n";
}
}
- }
- break;
- case 'ISPOSITIVE':
- if(!is_numeric($field_value) || $field_value <= 0){
- $errmsg = $validator['errmsg'];
- if(isset($this->wordbook[$errmsg])) {
- $this->errorMessage .= $this->wordbook[$errmsg]."<br />\r\n";
- } else {
- $this->errorMessage .= $errmsg."<br />\r\n";
- }
- }
+ } else $this->errorMessage .= "function filter_var missing <br />\r\n";
break;
case 'V6PREFIXEND':
$explode_field_value = explode(':',$field_value);
-// if ($explode_field_value[count($explode_field_value)-1]=='' && $explode_field_value[count($explode_field_value)-2]=='' ){ }
if (!$explode_field_value[count($explode_field_value)-1]=='' && $explode_field_value[count($explode_field_value)-2]!='' ) {
$errmsg = $validator['errmsg'];
if(isset($this->wordbook[$errmsg])) {
@@ -993,26 +1060,32 @@
}
break;
-
-
case 'ISIPV4':
- $vip=1;
- if(preg_match("/^[0-9]{1,3}(\.)[0-9]{1,3}(\.)[0-9]{1,3}(\.)[0-9]{1,3}$/", $field_value)){
- $groups=explode(".", $field_value);
- foreach($groups as $group){
- if($group<0 or $group>255)
- $vip=0;
+ if(function_exists('filter_var')) {
+ if(!filter_var($field_value, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
+ $errmsg = $validator['errmsg'];
+ if(isset($this->wordbook[$errmsg])) {
+ $this->errorMessage .= $this->wordbook[$errmsg]."<br />\r\n";
+ } else {
+ $this->errorMessage .= $errmsg."<br />\r\n";
+ }
}
- }else{$vip=0;}
- if($vip==0) {
- $errmsg = $validator['errmsg'];
- if(isset($this->wordbook[$errmsg])) {
- $this->errorMessage .= $this->wordbook[$errmsg]."<br />\r\n";
- } else {
- $this->errorMessage .= $errmsg."<br />\r\n";
- }
- }
+ } else $this->errorMessage .= "function filter_var missing <br />\r\n";
break;
+
+ case 'ISIPV6':
+ if(function_exists('filter_var')) {
+ if(!filter_var($field_value, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
+ $errmsg = $validator['errmsg'];
+ if(isset($this->wordbook[$errmsg])) {
+ $this->errorMessage .= $this->wordbook[$errmsg]."<br />\r\n";
+ } else {
+ $this->errorMessage .= $errmsg."<br />\r\n";
+ }
+ }
+ } else $this->errorMessage .= "function filter_var missing <br />\r\n";
+ break;
+
case 'ISIP':
if($validator['allowempty'] != 'y') $validator['allowempty'] = 'n';
if($validator['allowempty'] == 'y' && $field_value == '') {
@@ -1036,27 +1109,29 @@
$this->errorMessage .= $errmsg."<br />\r\n";
}
}
+ } else $this->errorMessage .= "function filter_var missing <br />\r\n";
+ }
+ }
+ break;
+
+ case 'ISDATETIME':
+ /* Checks a datetime value against the date format of the current language */
+ if($validator['allowempty'] != 'y') $validator['allowempty'] = 'n';
+ if($validator['allowempty'] == 'y' && $field_value == '') {
+ //* Do nothing
+ } else {
+ $parsed_date = date_parse_from_format($this->datetimeformat,$field_value);
+ if($parsed_date['error_count'] > 0 || ($parsed_date['year'] == 1899 && $parsed_date['month'] == 12 && $parsed_date['day'] == 31)) {
+ $errmsg = $validator['errmsg'];
+ if(isset($this->wordbook[$errmsg])) {
+ $this->errorMessage .= $this->wordbook[$errmsg]."<br />\r\n";
} else {
- //* Check content with regex, if we use php < 5.2
- $ip_ok = 0;
- if(preg_match("/^(\:\:([a-f0-9]{1,4}\:){0,6}?[a-f0-9]{0,4}|[a-f0-9]{1,4}(\:[a-f0-9]{1,4}){0,6}?\:\:|[a-f0-9]{1,4}(\:[a-f0-9]{1,4}){1,6}?\:\:([a-f0-9]{1,4}\:){1,6}?[a-f0-9]{1,4})(\/\d{1,3})?$/i", $field_value)){
- $ip_ok = 1;
- }
- if(preg_match("/^[0-9]{1,3}(\.)[0-9]{1,3}(\.)[0-9]{1,3}(\.)[0-9]{1,3}$/", $field_value)){
- $ip_ok = 1;
- }
- if($ip_ok == 0) {
- $errmsg = $validator['errmsg'];
- if(isset($this->wordbook[$errmsg])) {
- $this->errorMessage .= $this->wordbook[$errmsg]."<br />\r\n";
- } else {
- $this->errorMessage .= $errmsg."<br />\r\n";
- }
- }
+ $this->errorMessage .= $errmsg."<br />\r\n";
}
}
}
break;
+
case 'RANGE':
//* Checks if the value is within the given range or above / below a value
//* Range examples: < 10 = ":10", between 2 and 10 = "2:10", above 5 = "5:".
--
Gitblit v1.9.1