--- a/includes/common.php Sun Mar 28 21:49:26 2010 -0400
+++ b/includes/common.php Sun Mar 28 23:10:46 2010 -0400
@@ -22,13 +22,13 @@
// Make sure we don't have an attempt to inject globals (register_globals on)
if ( isset($_REQUEST['GLOBALS']) )
{
- ?>
- <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html><head><title>Hacking Attempt</title><meta http-equiv="Content-type" content="text/html; charset=utf-8" /></head><style type="text/css">body{background-color:#000;color:#CCC;font-family:trebuchet ms,sans-serif;font-size:9pt;}a{color:#FFF;}</style><body><p>Hacking attempt using <a href="http://www.hardened-php.net/index.76.html">PHP $GLOBALS overwrite vulnerability</a> detected, reported to admin</p><p>You're worse than this guy! Unless you are this guy...</p><p id="billp"><img alt=" " src="about:blank" id="billi" /></p><script type="text/javascript">// <![CDATA[
- window.onload=function(){counter();setInterval('counter();', 1000);};var text=false;var cnt=10;function counter(){if(!text){text=document.createElement('span');text.id='billc';text.innerHTML=cnt;text.style.fontSize='96pt';text.style.color='#FF0000';p=document.getElementById('billp');p.appendChild(text);}else{if(cnt==1){document.getElementById('billi').src='http://upload.wikimedia.org/wikipedia/commons/7/7f/Bill_Gates_2004_cr.jpg';document.getElementById('billc').innerHTML='';return;}cnt--;document.getElementById('billc').innerHTML=cnt+' ';}}
- // ]]>
- </script><p><span style="color:black;">You been f***ed by Enano | valid XHTML 1.1</span></p></body></html>
- <?php
- exit;
+ ?>
+ <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html><head><title>Hacking Attempt</title><meta http-equiv="Content-type" content="text/html; charset=utf-8" /></head><style type="text/css">body{background-color:#000;color:#CCC;font-family:trebuchet ms,sans-serif;font-size:9pt;}a{color:#FFF;}</style><body><p>Hacking attempt using <a href="http://www.hardened-php.net/index.76.html">PHP $GLOBALS overwrite vulnerability</a> detected, reported to admin</p><p>You're worse than this guy! Unless you are this guy...</p><p id="billp"><img alt=" " src="about:blank" id="billi" /></p><script type="text/javascript">// <![CDATA[
+ window.onload=function(){counter();setInterval('counter();', 1000);};var text=false;var cnt=10;function counter(){if(!text){text=document.createElement('span');text.id='billc';text.innerHTML=cnt;text.style.fontSize='96pt';text.style.color='#FF0000';p=document.getElementById('billp');p.appendChild(text);}else{if(cnt==1){document.getElementById('billi').src='http://upload.wikimedia.org/wikipedia/commons/7/7f/Bill_Gates_2004_cr.jpg';document.getElementById('billc').innerHTML='';return;}cnt--;document.getElementById('billc').innerHTML=cnt+' ';}}
+ // ]]>
+ </script><p><span style="color:black;">You been f***ed by Enano | valid XHTML 1.1</span></p></body></html>
+ <?php
+ exit;
}
// only do this if it hasn't been done yet
@@ -54,11 +54,11 @@
// First check to see if something already declared this function.... it happens often.
if ( !function_exists('microtime_float') )
{
- function microtime_float()
- {
- list($usec, $sec) = explode(" ", microtime());
- return ((float)$usec + (float)$sec);
- }
+ function microtime_float()
+ {
+ list($usec, $sec) = explode(" ", microtime());
+ return ((float)$usec + (float)$sec);
+ }
}
// Determine starting time
@@ -68,13 +68,13 @@
// Verbose error reporting
if ( defined('E_STRICT') )
{
- // PHP5, PHP6
- error_reporting(E_ALL & ~E_STRICT);
+ // PHP5, PHP6
+ error_reporting(E_ALL & ~E_STRICT);
}
else
{
- // PHP4
- error_reporting(E_ALL);
+ // PHP4
+ error_reporting(E_ALL);
}
//
@@ -88,24 +88,24 @@
// .enanodev is found in the Enano root (not /repo/).
if ( strpos(__FILE__, '/repo/') && file_exists(dirname(__FILE__) . '/../../.enanodev') )
{
- // We have a development directory. Remove /repo/ from the picture.
- $filename = str_replace('/repo/', '/', __FILE__);
+ // We have a development directory. Remove /repo/ from the picture.
+ $filename = str_replace('/repo/', '/', __FILE__);
}
else
{
- // Standard Enano installation
- $filename = __FILE__;
+ // Standard Enano installation
+ $filename = __FILE__;
}
// ENANO_ROOT is sometimes defined by plugins like AjIM that need the constant before the Enano API is initialized
if ( !defined('ENANO_ROOT') )
- define('ENANO_ROOT', dirname(dirname($filename)));
+ define('ENANO_ROOT', dirname(dirname($filename)));
// We deprecated debugConsole in 1.0.2 because it was never used and there were a lot of unneeded debugging points in the code.
// _nightly.php is used to tag non-Mercurial-generated nightly builds
if ( file_exists( ENANO_ROOT . '/_nightly.php') )
- require(ENANO_ROOT.'/_nightly.php');
+ require(ENANO_ROOT.'/_nightly.php');
// List of scheduled tasks (don't change this manually, use register_cron_task())
$cron_tasks = array();
@@ -113,11 +113,11 @@
} // check for ENANO_COMMON_ROOT_LOADED
else
{
- // loading a second time
- if ( !defined('ENANO_COMMON_ROOT_LOADED_MULTI') )
- {
- define('ENANO_COMMON_ROOT_LOADED_MULTI', 1);
- }
+ // loading a second time
+ if ( !defined('ENANO_COMMON_ROOT_LOADED_MULTI') )
+ {
+ define('ENANO_COMMON_ROOT_LOADED_MULTI', 1);
+ }
}
// If all we really need is the root directory, just leave now
@@ -125,7 +125,7 @@
// is included a second time, the rest of Enano will load.
if ( defined('ENANO_COMMON_ROOTONLY') && !defined('ENANO_COMMON_ROOT_LOADED_MULTI') )
{
- return true;
+ return true;
}
// Start including files. LOTS of files. Yeah!
@@ -160,7 +160,7 @@
global $db, $session, $paths, $template, $plugins; // Common objects
global $enano_config; // A global used to cache config information without making loads of queries ;-)
- // In addition, $enano_config is used to fetch config information if die_semicritical() is called.
+ // In addition, $enano_config is used to fetch config information if die_semicritical() is called.
// Jim Tucek's e-mail encryption code
global $email;
@@ -182,17 +182,17 @@
// Divert to CLI loader if running from CLI
if ( defined('ENANO_CLI') || ( isset($argc) && isset($argv) ) )
{
- if ( defined('ENANO_CLI') || ( is_int($argc) && is_array($argv) && !isset($_SERVER['REQUEST_URI']) ) )
- {
- require(ENANO_ROOT . '/includes/common_cli.php');
- return;
- }
+ if ( defined('ENANO_CLI') || ( is_int($argc) && is_array($argv) && !isset($_SERVER['REQUEST_URI']) ) )
+ {
+ require(ENANO_ROOT . '/includes/common_cli.php');
+ return;
+ }
}
// Because Enano sends out complete URLs in several occasions, we need to know what hostname the user is requesting the page from.
// In future versions we may include a fallback "safety" host to use, but that's too much to worry about now
if ( !isset($_SERVER['HTTP_HOST']) )
- grinding_halt('Cannot get hostname', '<p>Your web browser did not provide the HTTP Host: field. This site requires a modern browser that supports the HTTP 1.1 standard.</p>');
+ grinding_halt('Cannot get hostname', '<p>Your web browser did not provide the HTTP Host: field. This site requires a modern browser that supports the HTTP 1.1 standard.</p>');
//
// END BACKGROUND AND ENVIRONMENT CHECKS
@@ -212,7 +212,7 @@
@include(ENANO_ROOT . $config_file);
unset($dbuser, $dbpasswd);
if ( !isset($dbdriver) )
- $dbdriver = 'mysql';
+ $dbdriver = 'mysql';
$db = new $dbdriver();
$db->connect();
@@ -229,18 +229,18 @@
// Build the list of system tables (this is mostly done in constants.php, but that's before table_prefix is known)
if ( defined('table_prefix') && !defined('ENANO_TABLELIST_PREFIXED') )
{
- define('ENANO_TABLELIST_PREFIXED', 1);
- foreach ( $system_table_list as $i => $_ )
- {
- $system_table_list[$i] = table_prefix . $system_table_list[$i];
- }
+ define('ENANO_TABLELIST_PREFIXED', 1);
+ foreach ( $system_table_list as $i => $_ )
+ {
+ $system_table_list[$i] = table_prefix . $system_table_list[$i];
+ }
}
// Select and fetch the site configuration
$e = $db->sql_query('SELECT config_name, config_value FROM '.table_prefix.'config;');
if ( !$e )
{
- $db->_die('Some critical configuration information could not be selected.');
+ $db->_die('Some critical configuration information could not be selected.');
}
// Used in die_semicritical to figure out whether to call getConfig() or not
define('ENANO_CONFIG_FETCHED', '');
@@ -249,7 +249,7 @@
$enano_config = Array();
while($r = $db->fetchrow())
{
- $enano_config[$r['config_name']] = $r['config_value'];
+ $enano_config[$r['config_name']] = $r['config_value'];
}
$db->free_result();
@@ -258,22 +258,22 @@
if ( defined('ENANO_EXIT_AFTER_CONFIG') )
{
- return true;
+ return true;
}
// Now that we have the config, check the Enano version.
if ( enano_version(false, true) != $version && !defined('IN_ENANO_UPGRADE') )
{
- grinding_halt('Version mismatch', '<p>It seems that the Enano release we\'re trying to run ('.$version.') is different from the version specified in your database ('.enano_version().'). Perhaps you need to <a href="'.scriptPath.'/install/index.php">upgrade</a>?</p>');
+ grinding_halt('Version mismatch', '<p>It seems that the Enano release we\'re trying to run ('.$version.') is different from the version specified in your database ('.enano_version().'). Perhaps you need to <a href="'.scriptPath.'/install/index.php">upgrade</a>?</p>');
}
// Set our CDN path
if ( !defined('cdnPath') )
{
- $cdnpath = getConfig('cdn_path', scriptPath);
- if ( empty($cdnpath) )
- $cdnpath = scriptPath;
- define('cdnPath', $cdnpath);
+ $cdnpath = getConfig('cdn_path', scriptPath);
+ if ( empty($cdnpath) )
+ $cdnpath = scriptPath;
+ define('cdnPath', $cdnpath);
}
//
@@ -283,47 +283,47 @@
// If the AES key size has been changed, bail out and fast
if ( !getConfig('aes_key_size') )
{
- setConfig('aes_key_size', AES_BITS);
+ setConfig('aes_key_size', AES_BITS);
}
else if ( $ks = getConfig('aes_key_size') )
{
- if ( intval($ks) != AES_BITS )
- {
- grinding_halt('AES key size changed', '<p>Enano has detected that the AES key size in constants.php has been changed. This change cannot be performed after installation, otherwise the private key would have to be re-generated and all passwords would have to be re-encrypted.</p><p>Please change the key size back to ' . $ks . ' bits and reload this page.</p>');
- }
+ if ( intval($ks) != AES_BITS )
+ {
+ grinding_halt('AES key size changed', '<p>Enano has detected that the AES key size in constants.php has been changed. This change cannot be performed after installation, otherwise the private key would have to be re-generated and all passwords would have to be re-encrypted.</p><p>Please change the key size back to ' . $ks . ' bits and reload this page.</p>');
+ }
}
// Same for AES block size
if ( !getConfig('aes_block_size') )
{
- setConfig('aes_block_size', AES_BLOCKSIZE);
+ setConfig('aes_block_size', AES_BLOCKSIZE);
}
else if ( $ks = getConfig('aes_block_size') )
{
- if ( intval($ks) != AES_BLOCKSIZE )
- {
- grinding_halt('AES block size changed', '<p>Enano has detected that the AES block size in constants.php has been changed. This change cannot be performed after installation, otherwise all passwords would have to be re-encrypted.</p><p>Please change the block size back to ' . $ks . ' bits and reload this page.</p>');
- }
+ if ( intval($ks) != AES_BLOCKSIZE )
+ {
+ grinding_halt('AES block size changed', '<p>Enano has detected that the AES block size in constants.php has been changed. This change cannot be performed after installation, otherwise all passwords would have to be re-encrypted.</p><p>Please change the block size back to ' . $ks . ' bits and reload this page.</p>');
+ }
}
// Is there no default language?
if ( getConfig('default_language') === false && !defined('IN_ENANO_MIGRATION') )
{
- $q = $db->sql_query('SELECT lang_id FROM '.table_prefix.'language LIMIT 1;');
- if ( !$q )
- $db->_die('common.php - setting default language');
- if ( $db->numrows() < 1 && !defined('ENANO_ALLOW_LOAD_NOLANG') )
- {
- grinding_halt('No languages', '<p>There are no languages installed on this site.</p>
- <p>If you are the website administrator, you may install a language by writing and executing a simple PHP script to install it:</p>
- <pre>
+ $q = $db->sql_query('SELECT lang_id FROM '.table_prefix.'language LIMIT 1;');
+ if ( !$q )
+ $db->_die('common.php - setting default language');
+ if ( $db->numrows() < 1 && !defined('ENANO_ALLOW_LOAD_NOLANG') )
+ {
+ grinding_halt('No languages', '<p>There are no languages installed on this site.</p>
+ <p>If you are the website administrator, you may install a language by writing and executing a simple PHP script to install it:</p>
+ <pre>
<?php
define("ENANO_ALLOW_LOAD_NOLANG", 1);
require("includes/common.php");
install_language("eng", "English", "English", ENANO_ROOT . "/language/english/enano.json");</pre>');
- }
- $row = $db->fetchrow();
- setConfig('default_language', $row['lang_id']);
+ }
+ $row = $db->fetchrow();
+ setConfig('default_language', $row['lang_id']);
}
profiler_log('Ran checks');
@@ -348,8 +348,8 @@
// Load plugins from common because we can't give plugins full abilities in object context
foreach ( $plugins->load_list as $f )
{
- if ( file_exists(ENANO_ROOT . '/plugins/' . $f) )
- include_once ENANO_ROOT . '/plugins/' . $f;
+ if ( file_exists(ENANO_ROOT . '/plugins/' . $f) )
+ include_once ENANO_ROOT . '/plugins/' . $f;
}
profiler_log('Loaded plugins');
@@ -371,125 +371,125 @@
// script though, because that will make the DBAL look in the wrong place for the config file.
if ( !defined('IN_ENANO_INSTALL') )
{
- // And here you have it, the de facto way to place a hook. Plugins can place hooks and hook
- // into other plugins. You just never know.
- $code = $plugins->setHook('base_classes_initted');
- foreach ( $code as $cmd )
- {
- eval($cmd);
- }
-
- profiler_log('Finished base_classes_initted hook');
-
- // One quick security check...
- if ( !is_valid_ip($_SERVER['REMOTE_ADDR']) )
- {
- die('SECURITY: spoofed IP address: ' . htmlspecialchars($_SERVER['REMOTE_ADDR']));
- }
-
- // For special and administration pages, sometimes there is a "preloader" function that must be run
- // before the session manager and/or path manager get the init signal. Call it here.
- $urlname = get_title(true);
- list($page_id, $namespace) = RenderMan::strToPageID($urlname);
- list($page_id_top) = explode('/', $page_id);
- $fname = "page_{$namespace}_{$page_id_top}_preloader";
- if( ( $namespace == 'Admin' || $namespace == 'Special' ) && function_exists($fname))
- {
- call_user_func($fname);
- }
-
- profiler_log('Checked for (and ran, if applicable) preloader');
-
- // Add all of our built in special pages
- foreach ( array('SpecialUserFuncs', 'SpecialPageFuncs', 'SpecialAdmin', 'SpecialCSS', 'SpecialUpDownload', 'SpecialSearch', 'PrivateMessages', 'SpecialGroups', 'SpecialLog') as $plugin )
- {
- $funcname = "{$plugin}_paths_init";
- if ( function_exists($funcname) )
- {
- $funcname();
- }
- }
- profiler_log('Added special pages');
-
- // All checks passed! Start the main components up.
- $session->start();
-
- // This is where plugins will want to add pages from 1.1.x on out. You can still add
- // pages at base_classes_initted but the titles won't be localized. This is because
- // the session manager has to be started before localization will work in the user's
- // preferred language.
- $code = $plugins->setHook('session_started');
- foreach ( $code as $cmd )
- {
- eval($cmd);
- }
-
- profiler_log('Ran session_started hook');
-
- $paths->init($urlname);
-
- // setup output format
- if ( defined('ENANO_OUTPUT_FORMAT') )
- $class = 'Output_' . ENANO_OUTPUT_FORMAT;
- else
- $class = ( isset($_GET['noheaders']) ) ? 'Output_Naked' : 'Output_HTML';
-
- $output = new $class();
-
- // Are we running from the API? If so, did the page set a title?
- if ( !defined('ENANO_INTERFACE_INDEX') && !defined('ENANO_INTERFACE_AJAX') && isset($title) )
- {
- $output->set_title($title);
- }
-
- // We're ready for whatever life throws us now, at least from an API point of view.
- define('ENANO_MAINSTREAM', '');
-
- // If the site is disabled, bail out, unless we're trying to log in or administer the site
- if(getConfig('site_disabled') == '1' && $session->user_level < USER_LEVEL_ADMIN)
- {
- // is this one of the more critical special pages?
- if ( $paths->namespace == 'Admin' || ( $paths->namespace == 'Special' && ( $paths->page_id == 'CSS' || $paths->page_id == 'Administration' || $paths->page_id == 'Login' ) ) )
- {
- // yeah, we need to keep this page available. do nothing; allow execution to continue
- }
- else
- {
- if(!$n = getConfig('site_disabled_notice'))
- {
- $n = 'The administrator has disabled the site. Please check back later.';
- }
-
- $text = RenderMan::render($n) . '
- <div class="info-box">
- If you have an administrative account, you may <a href="'.makeUrlNS('Special', 'Login').'">log in</a> to the site.
- </div>';
- $paths->wiki_mode = 0;
- die_semicritical('Site disabled', $text);
- }
- }
- else if ( getConfig('site_disabled') == '1' && $session->user_level >= USER_LEVEL_ADMIN )
- {
- // If the site is disabled but the user has admin rights, allow browsing
- // and stuff, but display the orange box notifying the admin.
- $template->site_disabled = true;
- }
-
- // At this point all of Enano is fully initialized and running and you're ready to do whatever you want.
- $code = $plugins->setHook('common_post');
- foreach ( $code as $cmd )
- {
- eval($cmd);
- }
-
- profiler_log('Ran disabled-site checks and common_post');
-
- load_rank_data();
-
- profiler_log('Loaded user rank data');
-
- if ( isset($_GET['noheaders']) )
- $template->no_headers = true;
+ // And here you have it, the de facto way to place a hook. Plugins can place hooks and hook
+ // into other plugins. You just never know.
+ $code = $plugins->setHook('base_classes_initted');
+ foreach ( $code as $cmd )
+ {
+ eval($cmd);
+ }
+
+ profiler_log('Finished base_classes_initted hook');
+
+ // One quick security check...
+ if ( !is_valid_ip($_SERVER['REMOTE_ADDR']) )
+ {
+ die('SECURITY: spoofed IP address: ' . htmlspecialchars($_SERVER['REMOTE_ADDR']));
+ }
+
+ // For special and administration pages, sometimes there is a "preloader" function that must be run
+ // before the session manager and/or path manager get the init signal. Call it here.
+ $urlname = get_title(true);
+ list($page_id, $namespace) = RenderMan::strToPageID($urlname);
+ list($page_id_top) = explode('/', $page_id);
+ $fname = "page_{$namespace}_{$page_id_top}_preloader";
+ if( ( $namespace == 'Admin' || $namespace == 'Special' ) && function_exists($fname))
+ {
+ call_user_func($fname);
+ }
+
+ profiler_log('Checked for (and ran, if applicable) preloader');
+
+ // Add all of our built in special pages
+ foreach ( array('SpecialUserFuncs', 'SpecialPageFuncs', 'SpecialAdmin', 'SpecialCSS', 'SpecialUpDownload', 'SpecialSearch', 'PrivateMessages', 'SpecialGroups', 'SpecialLog') as $plugin )
+ {
+ $funcname = "{$plugin}_paths_init";
+ if ( function_exists($funcname) )
+ {
+ $funcname();
+ }
+ }
+ profiler_log('Added special pages');
+
+ // All checks passed! Start the main components up.
+ $session->start();
+
+ // This is where plugins will want to add pages from 1.1.x on out. You can still add
+ // pages at base_classes_initted but the titles won't be localized. This is because
+ // the session manager has to be started before localization will work in the user's
+ // preferred language.
+ $code = $plugins->setHook('session_started');
+ foreach ( $code as $cmd )
+ {
+ eval($cmd);
+ }
+
+ profiler_log('Ran session_started hook');
+
+ $paths->init($urlname);
+
+ // setup output format
+ if ( defined('ENANO_OUTPUT_FORMAT') )
+ $class = 'Output_' . ENANO_OUTPUT_FORMAT;
+ else
+ $class = ( isset($_GET['noheaders']) ) ? 'Output_Naked' : 'Output_HTML';
+
+ $output = new $class();
+
+ // Are we running from the API? If so, did the page set a title?
+ if ( !defined('ENANO_INTERFACE_INDEX') && !defined('ENANO_INTERFACE_AJAX') && isset($title) )
+ {
+ $output->set_title($title);
+ }
+
+ // We're ready for whatever life throws us now, at least from an API point of view.
+ define('ENANO_MAINSTREAM', '');
+
+ // If the site is disabled, bail out, unless we're trying to log in or administer the site
+ if(getConfig('site_disabled') == '1' && $session->user_level < USER_LEVEL_ADMIN)
+ {
+ // is this one of the more critical special pages?
+ if ( $paths->namespace == 'Admin' || ( $paths->namespace == 'Special' && ( $paths->page_id == 'CSS' || $paths->page_id == 'Administration' || $paths->page_id == 'Login' ) ) )
+ {
+ // yeah, we need to keep this page available. do nothing; allow execution to continue
+ }
+ else
+ {
+ if(!$n = getConfig('site_disabled_notice'))
+ {
+ $n = 'The administrator has disabled the site. Please check back later.';
+ }
+
+ $text = RenderMan::render($n) . '
+ <div class="info-box">
+ If you have an administrative account, you may <a href="'.makeUrlNS('Special', 'Login').'">log in</a> to the site.
+ </div>';
+ $paths->wiki_mode = 0;
+ die_semicritical('Site disabled', $text);
+ }
+ }
+ else if ( getConfig('site_disabled') == '1' && $session->user_level >= USER_LEVEL_ADMIN )
+ {
+ // If the site is disabled but the user has admin rights, allow browsing
+ // and stuff, but display the orange box notifying the admin.
+ $template->site_disabled = true;
+ }
+
+ // At this point all of Enano is fully initialized and running and you're ready to do whatever you want.
+ $code = $plugins->setHook('common_post');
+ foreach ( $code as $cmd )
+ {
+ eval($cmd);
+ }
+
+ profiler_log('Ran disabled-site checks and common_post');
+
+ load_rank_data();
+
+ profiler_log('Loaded user rank data');
+
+ if ( isset($_GET['noheaders']) )
+ $template->no_headers = true;
}
profiler_log('common finished');