gitlabFork/ISPConfig3.git - Solinfo Gitblit

- Added warning in the interface when a path for a shelluser is set that is...

Till Brehm

2014-08-14 9edea9976bd605071e0694a90d704266c0b7e0f9

commit \| author \| age
a172b7	1	<?php
T	2	/*
	3	Copyright (c) 2008, Till Brehm, projektfarm Gmbh
	4	All rights reserved.
	5
	6	Redistribution and use in source and binary forms, with or without modification,
	7	are permitted provided that the following conditions are met:
	8
	9	* Redistributions of source code must retain the above copyright notice,
	10	this list of conditions and the following disclaimer.
	11	* Redistributions in binary form must reproduce the above copyright notice,
	12	this list of conditions and the following disclaimer in the documentation
	13	and/or other materials provided with the distribution.
	14	* Neither the name of ISPConfig nor the names of its contributors
	15	may be used to endorse or promote products derived from this software without
	16	specific prior written permission.
	17
	18	THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
	19	ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
	20	WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
	21	IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
	22	INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
	23	BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
	24	DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
	25	OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
	26	NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
	27	EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	28	*/
	29
7fe908	30	require_once '../../lib/config.inc.php';
MC	31	require_once '../../lib/app.inc.php';
a172b7	32
992797	33	function normalize_string($string, $quote, $allow_special = false) {
7fe908	34	$escaped = false;
MC	35	$in_string = true;
	36	$new_string = '';
	37
	38	for($c = 0; $c < mb_strlen($string); $c++) {
	39	$char = $string{$c};
	40
	41	if($in_string === true && $escaped === false && $char === $quote) {
	42	// this marks a string end (e.g. for concatenation)
	43	$in_string = false;
	44	continue;
	45	} elseif($in_string === false) {
	46	if($escaped === false && $char === $quote) {
	47	$in_string = true;
	48	continue;
	49	} else {
	50	continue; // we strip everything from outside the string!
	51	}
	52	}
	53
	54	if($char === '"' && $escaped === true && $quote === '"') {
	55	// unescape this
	56	$new_string .= $char;
	57	$escaped = false;
	58	continue;
	59	} elseif($char === "'" && $escaped === false && $quote === '"') {
	60	// escape this
	61	$new_string .= '\\' . $char;
	62	continue;
	63	}
	64
	65	if($escaped === true) {
	66	// the next character is the escaped one.
	67	if($allow_special === true && ($char === 'n' \|\| $char === 'r' \|\| $char === 't')) {
	68	$new_string .= '\' . "\\' . $char . '" . \'';
	69	} else {
	70	$new_string .= '\\' . $char;
	71	}
	72	$escaped = false;
	73	} else {
	74	if($char === '\\') {
	75	$escaped = true;
	76	} else {
	77	$new_string .= $char;
	78	}
	79	}
	80	}
	81	return $new_string;
992797	82	}
MC	83
	84	function validate_line($line) {
7fe908	85	$line = trim($line);
MC	86	if($line === '' \|\| $line === '<?php' \|\| $line === '?>') return $line; // don't treat empty lines as malicious
992797	87
7fe908	88	$ok = preg_match('/^\s\$wb\[(["\'])(.?)\\1\]\s=\s(["\'])(.?)\\3\s;\s*$/', $line, $matches);
MC	89	if(!$ok) return false; // this line has invalid form and could lead to malfunction
	90
	91	$keyquote = $matches[1]; // ' or "
	92	$key = $matches[2];
	93	if(strpos($key, '"') !== false \|\| strpos($key, "'") !== false) return false;
	94
	95	$textquote = $matches[3]; // ' or "
	96	$text = $matches[4];
	97
	98	$new_line = '$wb[\'';
	99
	100	// validate the language key
	101	$key = normalize_string($key, $keyquote);
	102
	103	$new_line .= $key . '\'] = \'';
	104
	105	// validate this text to avoid code injection
	106	$text = normalize_string($text, $textquote, true);
	107
	108	$new_line .= $text . '\';';
	109
	110	return $new_line;
992797	111	}
MC	112
910093	113	//* Check permissions for module
T	114	$app->auth->check_module_permissions('admin');
9edea9	115	$app->auth->check_security_permissions('admin_allow_langedit');
a172b7	116
T	117	//* This is only allowed for administrators
	118	if(!$app->auth->is_admin()) die('only allowed for administrators.');
91624b	119	if($conf['demo_mode'] == true) $app->error('This function is disabled in demo mode.');
992797	120
MC	121	if(!$conf['language_file_import_enabled']) $app->error('Languge import function is disabled in the interface config.inc.php file.');
a172b7	122
T	123	$app->uses('tpl');
	124
	125	$app->tpl->newTemplate('form.tpl.htm');
	126	$app->tpl->setInclude('content_tpl', 'templates/language_import.htm');
	127	$msg = '';
	128	$error = '';
	129
	130	// Export the language file
	131	if(isset($_FILES['file']['name']) && is_uploaded_file($_FILES['file']['tmp_name'])) {
	132	$lines = file($_FILES['file']['tmp_name']);
	133	// initial check
7fe908	134	$parts = explode('\|', $lines[0]);
a172b7	135	if($parts[0] == '---' && $parts[1] == 'ISPConfig Language File') {
1f16ae	136	if($_POST['ignore_version'] != 1 && $parts[2] != $conf["app_version"]) {
a172b7	137	$error .= 'Application version does not match. Appversion: '.$conf["app_version"].' Lanfile version: '.$parts[2];
T	138	} else {
	139	unset($lines[0]);
7fe908	140
a172b7	141	$buffer = '';
T	142	$langfile_path = '';
	143	// all other lines
7fe908	144	$ln = 1;
a172b7	145	foreach($lines as $line) {
7fe908	146	$ln++;
MC	147	$parts = explode('\|', $line);
a172b7	148	if(is_array($parts) && count($parts) > 0 && $parts[0] == '--') {
T	149	// Write language file, if its not the first file
	150	if($buffer != '' && $langfile_path != '') {
	151	if(@$_REQUEST['overwrite'] != 1 && @is_file($langfile_path)) {
	152	$error .= "File exists, not written: $langfile_path<br />";
	153	} else {
	154	$msg .= "File written: $langfile_path<br />";
7fe908	155	file_put_contents($langfile_path, $buffer);
a172b7	156	}
T	157	}
	158	// empty buffer and set variables
	159	$buffer = '';
09ee5b	160	$module_name = trim($parts[1]);
T	161	$selected_language = trim($parts[2]);
	162	$file_name = trim($parts[3]);
	163	if(!preg_match("/^[a-z]{2}$/i", $selected_language)) die("unallowed characters in selected language name: $selected_language");
a172b7	164	if(!preg_match("/^[a-z_]+$/i", $module_name)) die('unallowed characters in module name.');
7fe908	165	if(!preg_match("/^[a-z\._\-]+$/i", $file_name) \|\| stristr($file_name, '..')) die("unallowed characters in language file name: '$file_name'");
a172b7	166	if($module_name == 'global') {
T	167	$langfile_path = trim(ISPC_LIB_PATH."/lang/".$selected_language.".lng");
	168	} else {
	169	$langfile_path = trim(ISPC_WEB_PATH.'/'.$module_name.'/lib/lang/'.$file_name);
	170	}
992797	171	} elseif(is_array($parts) && count($parts) > 1 && $parts[0] == '---' && $parts[1] == 'EOF') {
7fe908	172	// EOF line, ignore it.
MC	173	} else {
	174	$line = validate_line($line);
	175	if($line === false) $error .= "Language file contains invalid language entry on line $ln.<br />";
992797	176	else $buffer .= $line."\n";
a172b7	177	}
T	178	}
	179	}
	180	}
	181	}
	182
7fe908	183	$app->tpl->setVar('msg', $msg);
MC	184	$app->tpl->setVar('error', $error);
a172b7	185
7fe908	186	//* load language file
a172b7	187	$lng_file = 'lib/lang/'.$_SESSION['s']['language'].'_language_import.lng';
7fe908	188	include $lng_file;
a172b7	189	$app->tpl->setVar($wb);
T	190
	191	$app->tpl_defaults();
	192	$app->tpl->pparse();
	193
	194
7fe908	195	?>