From cabd6f6205756a51064fb856aca2ed94d28b1cf7 Mon Sep 17 00:00:00 2001
From: tbrehm <t.brehm@ispconfig.org>
Date: Fri, 12 Sep 2008 11:31:19 -0400
Subject: [PATCH] Disabled suphp_UserGroup directive by default to make the setup compatible with the suphp compile options from most linux distributions. If you want some extra security, enable this directive again and recompile mod_suphp with the option --with-setid-mode=paranoid

---
 interface/web/designer/module_nav_edit.php |  107 ++++++++++++++++++++++++-----------------------------
 1 files changed, 49 insertions(+), 58 deletions(-)

diff --git a/interface/web/designer/module_nav_edit.php b/interface/web/designer/module_nav_edit.php
index 973692c..73c010e 100644
--- a/interface/web/designer/module_nav_edit.php
+++ b/interface/web/designer/module_nav_edit.php
@@ -30,126 +30,117 @@
 require_once('../../lib/config.inc.php');
 require_once('../../lib/app.inc.php');
 
-if($_SESSION["s"]["user"]["typ"] != "admin") die("Admin permissions required.");
-
-// Checke Berechtigungen f�r Modul
-if(!stristr($_SESSION["s"]["user"]["modules"],$_SESSION["s"]["module"]["name"])) {
-	header("Location: ../index.php");
-	exit;
+//* Security checkpoint
+if($_SESSION['s']['user']['typ'] != 'admin'){
+    die('Admin permissions required.');
 }
 
-// Lade Template
+//* Check permissions for module
+$app->auth->check_module_permissions('designer');
+
+//* Load template
 $app->uses('tpl');
-$app->tpl->newTemplate("form.tpl.htm");
-$app->tpl->setInclude('content_tpl','templates/module_nav_edit.htm');
+$app->tpl->newTemplate('form.tpl.htm');
+$app->tpl->setInclude('content_tpl', 'templates/module_nav_edit.htm');
 
 // TODO: Check module and nav_id for malicius chars, nav_id can be empty or any number, even 0
-$module_name = $_REQUEST["module_name"];
-$nav_id = $_REQUEST["nav_id"];
+$module_name = $_REQUEST['module_name'];
+$nav_id = $_REQUEST['nav_id'];
 
-if(!preg_match('/^[A-Za-z0-9_]{1,50}$/',$module_name)) die("module_name contains invalid chars.");
-if(!preg_match('/^[A-Za-z0-9_]{0,50}$/',$nav_id)) die("nav_id contains invalid chars.");
-
-if(empty($module_name)) die("module is empty.");
+//** Sanity checks of module
+if(!preg_match('/^[A-Za-z0-9_]{1,50}$/', $module_name)){
+    die('module_name contains invalid chars.');
+}
+if(!preg_match('/^[A-Za-z0-9_]{0,50}$/', $nav_id)){
+    die('nav_id contains invalid chars.');
+}
+if(empty($module_name)){
+    die('module is empty.');
+}
 
 if(count($_POST) > 0) {
-	// Bestimme aktion
-	if($nav_id != '') {
-		$action = 'UPDATE';
-	} else {
-		$action = 'INSERT';
-	}
-	
+	//* Determine Action
+	$action = ($nav_id != '') ? 'UPDATE' : 'INSERT';
 	$error = '';
 	
 	// TODO: Check variables
-
 	
 	if($error == '') {
 	
-		$filename = "../".$module_name."/lib/module.conf.php";
+		$filename = '../'.$module_name.'/lib/module.conf.php';
 		
-		if(!@is_file($filename)) die("File not found: $filename");
+		if(!@is_file($filename)){
+            die("File not found: $filename");
+        }
 		include_once($filename);
 		
-		if($action == 'UPDATE') {
-			$items = $module["nav"][$nav_id]["items"];
-		} else {
-			$items = array();
-		}
+        $items = ($action == 'UPDATE') ?  $module['nav'][$nav_id]['items'] : array();
 		
-		$tmp = array('title' =>$_POST["nav"]["title"],
-					 'open' => 1,
+		$tmp = array('title' => $_POST['nav']['title'],
+					 'open' =>  1,
 					 'items' => $items);
-		
+        
 		if($action == 'UPDATE') {
-			$module["nav"][$nav_id] = $tmp;
+			$module['nav'][$nav_id] = $tmp;
 		} else {
-			$module["nav"][] = $tmp;
+			$module['nav'][] = $tmp;
 		}
 		
 		$m = "<?php\r\n".'$module = '.var_export($module,true)."\r\n?>";
 				
-		// writing module.conf
+		//* writing module.conf
 		if (!$handle = fopen($filename, 'w')) { 
-			print "Cannot open file ($filename)"; 
-			exit; 
+			die("Cannot open file ($filename)"); 
 		} 
 
 		if (!fwrite($handle, $m)) { 
-			print "Cannot write to file ($filename)"; 
-			exit; 
+			die("Cannot write to file ($filename)"); 
 		} 
     
 		fclose($handle);
 		
 		
-		// zu Liste springen
-    	header("Location: module_show.php?id=$module_name");
+		//* Jump to list
+    	header('Location: module_show.php?id='.urlencode($module_name));
         exit;
 			
 	} else {
-		$app->tpl->setVar("error","<b>Fehler:</b><br>".$error);
+		$app->tpl->setVar('error', '<b>Fehler:</b><br>'.$error);
 		$app->tpl->setVar($_POST);
 	}
 }
 
 if($nav_id != '') {
-// Datensatz besteht bereits
-	// bestehenden Datensatz anzeigen
+    //* Data record exists
 	if($error == '') {
-		// es liegt ein Fehler vor
-		include_once("../".$module_name."/lib/module.conf.php");
-		$record = $module["nav"][$nav_id];
+		include_once('../'.$module_name.'/lib/module.conf.php');
+		$record = $module['nav'][$nav_id];
 	} else {
-		// ein Fehler
+		//* error
 		$record = $_POST;
 	}
 	//$record["readonly"] = 'style="background-color: #EEEEEE;" readonly';
 } else {
-// neuer datensatz
+    //* New data record
 	if($error == '') {
-		// es liegt kein Fehler vor
+		//* es liegt kein Fehler vor
 	} else {
-		// ein Fehler
+		//* error
 		$record = $_POST;
 		
 	}
 	//$record["readonly"] = '';
 }
 
-$record["nav_id"] = $nav_id;
-$record["module_name"] = $module_name;
+$record['nav_id'] = $nav_id;
+$record['module_name'] = $module_name;
 
 $app->tpl->setVar($record);
 
-include_once("lib/lang/".$_SESSION["s"]["language"]."_module_nav_edit.lng");
+include_once('lib/lang/'.$_SESSION['s']['language'].'_module_nav_edit.lng');
 $app->tpl->setVar($wb);
 
-// Defaultwerte setzen
 $app->tpl_defaults();
-
-// Template parsen
 $app->tpl->pparse();
 
 ?>
\ No newline at end of file
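Review bot: The UPDATE branch at `$items = ($action == 'UPDATE') ?  $module['nav'][$nav_id]['items'] : array();` reads an index that has only been validated for its character set, so a nav_id matching `[A-Za-z0-9_]{0,50}` but not present in `$module['nav']` raises an undefined-index notice, stores `'items' => null`, and the following `$module['nav'][$nav_id] = $tmp;` then creates a new entry under an arbitrary string key instead of rejecting the request. A guard right after `include_once($filename);` closes this: `if($action == 'UPDATE' && !isset($module['nav'][$nav_id])) die('nav_id not found.');`. Separately, the write-back still uses `fopen($filename, 'w')` followed by `fwrite`, so module.conf.php is truncated before the new content is written and a failed write leaves the module's config empty; writing to a temporary file in the same directory and `rename()`-ing it over the original (or at least `file_put_contents($filename, $m, LOCK_EX)`) would keep the module loadable on failure. Note also that on a GET request `$error` is never assigned before the `if($error == '')` checks in the display section, which relies on an undefined variable comparing equal to the empty string.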

--
Gitblit v1.9.1