gitlabFork/ISPConfig3.git - Solinfo Gitblit

Fixed language file import problem: https://www.howtoforge.com/community/th...

Till Brehm

2015-06-17 24949e78caa699da0d6069ad266a5a331f5a366c

commit \| author \| age
a172b7	1	<?php
T	2	/*
	3	Copyright (c) 2008, Till Brehm, projektfarm Gmbh
	4	All rights reserved.
	5
	6	Redistribution and use in source and binary forms, with or without modification,
	7	are permitted provided that the following conditions are met:
	8
	9	* Redistributions of source code must retain the above copyright notice,
	10	this list of conditions and the following disclaimer.
	11	* Redistributions in binary form must reproduce the above copyright notice,
	12	this list of conditions and the following disclaimer in the documentation
	13	and/or other materials provided with the distribution.
	14	* Neither the name of ISPConfig nor the names of its contributors
	15	may be used to endorse or promote products derived from this software without
	16	specific prior written permission.
	17
	18	THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
	19	ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
	20	WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
	21	IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
	22	INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
	23	BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
	24	DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
	25	OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
	26	NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
	27	EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	28	*/
	29
7fe908	30	require_once '../../lib/config.inc.php';
MC	31	require_once '../../lib/app.inc.php';
a172b7	32
992797	33	function normalize_string($string, $quote, $allow_special = false) {
7fe908	34	$escaped = false;
MC	35	$in_string = true;
	36	$new_string = '';
	37
	38	for($c = 0; $c < mb_strlen($string); $c++) {
24949e	39	$char = mb_substr($string, $c, 1);
7fe908	40
MC	41	if($in_string === true && $escaped === false && $char === $quote) {
	42	// this marks a string end (e.g. for concatenation)
	43	$in_string = false;
	44	continue;
	45	} elseif($in_string === false) {
	46	if($escaped === false && $char === $quote) {
	47	$in_string = true;
	48	continue;
	49	} else {
	50	continue; // we strip everything from outside the string!
	51	}
	52	}
	53
	54	if($char === '"' && $escaped === true && $quote === '"') {
	55	// unescape this
	56	$new_string .= $char;
	57	$escaped = false;
	58	continue;
	59	} elseif($char === "'" && $escaped === false && $quote === '"') {
	60	// escape this
	61	$new_string .= '\\' . $char;
	62	continue;
	63	}
	64
	65	if($escaped === true) {
	66	// the next character is the escaped one.
	67	if($allow_special === true && ($char === 'n' \|\| $char === 'r' \|\| $char === 't')) {
	68	$new_string .= '\' . "\\' . $char . '" . \'';
	69	} else {
	70	$new_string .= '\\' . $char;
	71	}
	72	$escaped = false;
	73	} else {
	74	if($char === '\\') {
	75	$escaped = true;
	76	} else {
	77	$new_string .= $char;
	78	}
	79	}
	80	}
	81	return $new_string;
992797	82	}
MC	83
	84	function validate_line($line) {
7fe908	85	$line = trim($line);
MC	86	if($line === '' \|\| $line === '<?php' \|\| $line === '?>') return $line; // don't treat empty lines as malicious
992797	87
7fe908	88	$ok = preg_match('/^\s\$wb\[(["\'])(.?)\\1\]\s=\s(["\'])(.?)\\3\s;\s*$/', $line, $matches);
MC	89	if(!$ok) return false; // this line has invalid form and could lead to malfunction
	90
	91	$keyquote = $matches[1]; // ' or "
	92	$key = $matches[2];
	93	if(strpos($key, '"') !== false \|\| strpos($key, "'") !== false) return false;
	94
	95	$textquote = $matches[3]; // ' or "
	96	$text = $matches[4];
	97
	98	$new_line = '$wb[\'';
	99
	100	// validate the language key
	101	$key = normalize_string($key, $keyquote);
	102
	103	$new_line .= $key . '\'] = \'';
	104
	105	// validate this text to avoid code injection
	106	$text = normalize_string($text, $textquote, true);
	107
	108	$new_line .= $text . '\';';
	109
	110	return $new_line;
992797	111	}
MC	112
910093	113	//* Check permissions for module
T	114	$app->auth->check_module_permissions('admin');
9edea9	115	$app->auth->check_security_permissions('admin_allow_langedit');
a172b7	116
T	117	//* This is only allowed for administrators
	118	if(!$app->auth->is_admin()) die('only allowed for administrators.');
91624b	119	if($conf['demo_mode'] == true) $app->error('This function is disabled in demo mode.');
992797	120
MC	121	if(!$conf['language_file_import_enabled']) $app->error('Languge import function is disabled in the interface config.inc.php file.');
a172b7	122
T	123	$app->uses('tpl');
	124
	125	$app->tpl->newTemplate('form.tpl.htm');
	126	$app->tpl->setInclude('content_tpl', 'templates/language_import.htm');
	127	$msg = '';
	128	$error = '';
	129
	130	// Export the language file
	131	if(isset($_FILES['file']['name']) && is_uploaded_file($_FILES['file']['tmp_name'])) {
5af0cf	132
TB	133	//* CSRF Check
	134	$app->auth->csrf_token_check();
	135
a172b7	136	$lines = file($_FILES['file']['tmp_name']);
T	137	// initial check
7fe908	138	$parts = explode('\|', $lines[0]);
a172b7	139	if($parts[0] == '---' && $parts[1] == 'ISPConfig Language File') {
1f16ae	140	if($_POST['ignore_version'] != 1 && $parts[2] != $conf["app_version"]) {
a172b7	141	$error .= 'Application version does not match. Appversion: '.$conf["app_version"].' Lanfile version: '.$parts[2];
T	142	} else {
	143	unset($lines[0]);
7fe908	144
a172b7	145	$buffer = '';
T	146	$langfile_path = '';
	147	// all other lines
7fe908	148	$ln = 1;
a172b7	149	foreach($lines as $line) {
7fe908	150	$ln++;
MC	151	$parts = explode('\|', $line);
a172b7	152	if(is_array($parts) && count($parts) > 0 && $parts[0] == '--') {
T	153	// Write language file, if its not the first file
	154	if($buffer != '' && $langfile_path != '') {
	155	if(@$_REQUEST['overwrite'] != 1 && @is_file($langfile_path)) {
	156	$error .= "File exists, not written: $langfile_path<br />";
	157	} else {
	158	$msg .= "File written: $langfile_path<br />";
7fe908	159	file_put_contents($langfile_path, $buffer);
a172b7	160	}
T	161	}
	162	// empty buffer and set variables
	163	$buffer = '';
09ee5b	164	$module_name = trim($parts[1]);
T	165	$selected_language = trim($parts[2]);
	166	$file_name = trim($parts[3]);
	167	if(!preg_match("/^[a-z]{2}$/i", $selected_language)) die("unallowed characters in selected language name: $selected_language");
a172b7	168	if(!preg_match("/^[a-z_]+$/i", $module_name)) die('unallowed characters in module name.');
7fe908	169	if(!preg_match("/^[a-z\._\-]+$/i", $file_name) \|\| stristr($file_name, '..')) die("unallowed characters in language file name: '$file_name'");
a172b7	170	if($module_name == 'global') {
T	171	$langfile_path = trim(ISPC_LIB_PATH."/lang/".$selected_language.".lng");
	172	} else {
	173	$langfile_path = trim(ISPC_WEB_PATH.'/'.$module_name.'/lib/lang/'.$file_name);
	174	}
992797	175	} elseif(is_array($parts) && count($parts) > 1 && $parts[0] == '---' && $parts[1] == 'EOF') {
7fe908	176	// EOF line, ignore it.
MC	177	} else {
	178	$line = validate_line($line);
	179	if($line === false) $error .= "Language file contains invalid language entry on line $ln.<br />";
992797	180	else $buffer .= $line."\n";
a172b7	181	}
T	182	}
	183	}
	184	}
	185	}
	186
7fe908	187	$app->tpl->setVar('msg', $msg);
MC	188	$app->tpl->setVar('error', $error);
a172b7	189
5af0cf	190	//* SET csrf token
TB	191	$csrf_token = $app->auth->csrf_token_get('language_import');
	192	$app->tpl->setVar('_csrf_id',$csrf_token['csrf_id']);
	193	$app->tpl->setVar('_csrf_key',$csrf_token['csrf_key']);
	194
7fe908	195	//* load language file
a172b7	196	$lng_file = 'lib/lang/'.$_SESSION['s']['language'].'_language_import.lng';
7fe908	197	include $lng_file;
a172b7	198	$app->tpl->setVar($wb);
T	199
	200	$app->tpl_defaults();
	201	$app->tpl->pparse();
	202
	203
7fe908	204	?>