Merge pull request #217 from WBCE/1.1.x

1.1.11 Security issues Fixes

wbce/admin/addons/index.php

@@ -10,18 +10,20 @@
  * @license GNU GPL2 (or any later version)
  */
 
-require('../../config.php');
-require_once(WB_PATH.'/framework/class.admin.php');
-$admin = new admin('Addons', 'addons');
+// Include required files
+require '../../config.php';
+
+// Setup admin object, print header and check section permissions
+$admin = new admin('Addons', 'addons', true, true);
 
-// Setup template object, parse vars to it, then parse it
 // Create new template object
 $template = new Template(dirname($admin->correct_theme_source('addons.htt')));
 $template->set_file('page', 'addons.htt');
 $template->set_block('page', 'main_block', 'main');
 
 // Insert values into the template object
-$template->set_var(array(
+$template->set_var(
+	array(
 		'ADMIN_URL' => ADMIN_URL,
 		'THEME_URL' => THEME_URL,
 		'WB_URL' => WB_URL
@@ -41,7 +43,7 @@
  *	Obsolete as we are using blocks ... see "parsing the blocks" section
  */
 $display_none = "style=\"display: none;\"";
-if($admin->get_permission('modules') != true) 	$template->set_var('DISPLAY_MODULES', $display_none);	
+if($admin->get_permission('modules') != true) 	$template->set_var('DISPLAY_MODULES', $display_none);
 if($admin->get_permission('templates') != true)	$template->set_var('DISPLAY_TEMPLATES', $display_none);
 if($admin->get_permission('languages') != true)	$template->set_var('DISPLAY_LANGUAGES', $display_none);
 if($admin->get_permission('admintools') != true)	$template->set_var('DISPLAY_ADVANCED', $display_none);
@@ -64,8 +66,8 @@
 	'MESSAGE_RELOAD_ADDONS' => $MESSAGE['ADDON_RELOAD'],
 	'TEXT_RELOAD' => $TEXT['RELOAD'],
 	'RELOAD_URL' => ADMIN_URL . '/addons/reload.php',
-	'URL_ADVANCED' => $admin->get_permission('admintools')
-                ? '<a href="' . ADMIN_URL . '/addons/index.php?advanced">' . $TEXT['ADVANCED'] . '</a>' : '',
+	'URL_ADVANCED' => $admin->get_permission('admintools') ?
+		'<a href="' . ADMIN_URL . '/addons/index.php?advanced">' . $TEXT['ADVANCED'] . '</a>' : '',
 	'ADVANCED_URL' => $admin->get_permission('admintools') ? ADMIN_URL . '/addons/index.php' : '',
     'TEXT_ADVANCED' => $TEXT['ADVANCED'],
 	'FTAN'			=> $admin->getFTAN()

wbce/admin/addons/reload.php

@@ -10,55 +10,39 @@
  * @license GNU GPL2 (or any later version)
  */
 
-/**
- * check if there is anything to do
- */
+// Include required files
+require '../../config.php';
+require_once WB_PATH . '/framework/functions.php';	// for WBCE 1.1.x compatibility
+
+// limit advanced Addon settings to users with access to admintools
+$admin = new admin('Admintools', 'admintools', false, false);
+if ($admin->get_permission('admintools') == false) {
+	die(header('Location: index.php'));
+}
+
+// reload Addon overview page if not at least on advanced Addon setting was selected
 $post_check = array('reload_modules', 'reload_templates', 'reload_languages');
 foreach ($post_check as $index => $key) {
 	if (!isset($_POST[$key])) unset($post_check[$index]);
 }
-if (count($post_check) == 0) die(header('Location: index.php?advanced'));
-
-/**
- * check if user has permissions to access this file
- */
-// include WB configuration file and WB admin class
-require_once('../../config.php');
-require_once('../../framework/class.admin.php');
-
-// check user permissions for admintools (redirect users with wrong permissions)
-$admin = new admin('Admintools', 'admintools', false, false);
-
-if ($admin->get_permission('admintools') == false) die(header('Location: ../../index.php'));
-
-// check if the referer URL if available
-$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] :
-	(isset($HTTP_SERVER_VARS['HTTP_REFERER']) ? $HTTP_SERVER_VARS['HTTP_REFERER'] : '');
-$referer = '';
-// if referer is set, check if script was invoked from "admin/modules/index.php"
-$required_url = ADMIN_URL . '/addons/index.php';
-if ($referer != '' && (!(strpos($referer, $required_url) !== false || strpos($referer, $required_url) !== false)))
-	die(header('Location: ../../index.php'));
-
-// include WB functions file
-require_once(WB_PATH . '/framework/functions.php');
-
-// load WB language file
-require_once(WB_PATH . '/languages/' . LANGUAGE .'.php');
+if (count($post_check) == 0) {
+	die(header('Location: index.php?advanced'));
+}
 
-// create Admin object with admin header
-$admin = new admin('Addons', '', false, false);
+// Setup admin object, skip header for FTAN validation and check section permissions
+$admin = new admin('Addons', 'addons', false, true);
 $js_back = ADMIN_URL . '/addons/index.php?advanced';
-
-if (!$admin->checkFTAN())
-{
-	$admin->print_header();
-	$admin->print_error($MESSAGE['GENERIC_SECURITY_ACCESS'],$js_back);
+if(! $admin->checkFTAN()) {
+    $admin->print_header();
+    $admin->print_error($MESSAGE['GENERIC_SECURITY_ACCESS'], $js_back);
 }
+// Output admin backend header (this creates a new FTAN)
+$admin->print_header();
 
 /**
  * Reload all specified Addons
  */
+require_once WB_PATH . '/languages/' . LANGUAGE .'.php';
 $msg = array();
 $table = TABLE_PREFIX . 'addons';
 
@@ -85,7 +69,7 @@
 				$admin->print_error($MESSAGE['ADDON_ERROR_RELOAD'], $js_back);
 			}
 			break;
-			
+
 		case 'reload_templates':
 			if ($handle = opendir(WB_PATH . '/templates')) {
 				// delete templates from database
@@ -104,7 +88,6 @@
 
 			} else {
 				// provide error message and stop
-				$admin->print_header();
 				$admin->print_error($MESSAGE['ADDON_ERROR_RELOAD'], $js_back);
 			}
 			break;
@@ -114,7 +97,7 @@
 				// delete languages from database
 				$sql = "DELETE FROM `$table` WHERE `type` = 'language'";
 				$database->query($sql);
-			
+
 				// loop over all languages
 				while(false !== ($file = readdir($handle))) {
 					if ($file != '' && substr($file, 0, 1) != '.' && $file != 'index.php') {
@@ -124,17 +107,15 @@
 				closedir($handle);
 				// add success message
 				$msg[] = $MESSAGE['ADDON_LANGUAGES_RELOADED'];
-				
+
 			} else {
 				// provide error message and stop
-				$admin->print_header();
 				$admin->print_error($MESSAGE['ADDON_ERROR_RELOAD'], $js_back);
 			}
 			break;
 	}
 }
 
 // output success message
-$admin->print_header();
 $admin->print_success(implode($msg, '<br />'), $js_back);
 $admin->print_footer();

wbce/admin/interface/version.php

@@ -16,12 +16,12 @@
 }
 
 // set WBCE version and release tag
-define('NEW_WBCE_VERSION', '1.1.10');
+define('NEW_WBCE_VERSION', '1.1.11');
 if (!defined('WBCE_VERSION')) {
     define('WBCE_VERSION', NEW_WBCE_VERSION);
 }
 
-define('NEW_WBCE_TAG', '1.1.10');
+define('NEW_WBCE_TAG', '1.1.11');
 if (!defined('WBCE_TAG')) {
     define('WBCE_TAG', NEW_WBCE_TAG);
 }

wbce/admin/languages/details.php

@@ -1,95 +1,79 @@
 <?php
 /**
+ * WebsiteBaker Community Edition (WBCE)
+ * Way Better Content Editing.
+ * Visit http://wbce.org to learn more and to join the community.
  *
- * @category        admin
- * @package         languages
- * @author          WebsiteBaker Project
- * @copyright       Ryan Djurovich
- * @copyright       WebsiteBaker Org. e.V.
- * @link            http://websitebaker.org/
- * @license         http://www.gnu.org/licenses/gpl.html
- * @platform        WebsiteBaker 2.8.3
- * @requirements    PHP 5.3.6 and higher
- * @version         $Id: details.php 1625 2012-02-29 00:50:57Z Luisehahne $
- * @filesource      $HeadURL: svn://isteam.dynxs.de/wb_svn/wb280/branches/2.8.x/wb/admin/languages/details.php $
- * @lastmodified    $Date: 2012-02-29 01:50:57 +0100 (Mi, 29. Feb 2012) $
- * @description
- *
+ * @copyright Ryan Djurovich (2004-2009)
+ * @copyright WebsiteBaker Org. e.V. (2009-2015)
+ * @copyright WBCE Project (2015-)
+ * @license GNU GPL2 (or any later version)
  */
 
-// Include the config code
-require('../../config.php');
+// Include required files
+require '../../config.php';
+require_once WB_PATH . '/framework/functions.php';	// for WBCE 1.1.x compatibility
 
-// Print admin header
-require_once(WB_PATH.'/framework/class.admin.php');
-$admin = new admin('Addons', 'languages_view', false);
-if( !$admin->checkFTAN() )
-{
-	$admin->print_header();
-	$admin->print_error($MESSAGE['GENERIC_SECURITY_ACCESS']);
+// Setup admin object, skip header for FTAN validation and check section permissions
+$admin = new admin('Addons', 'languages_view', false, true);
+if(! $admin->checkFTAN()) {
+    $admin->print_header();
+    $admin->print_error($MESSAGE['GENERIC_SECURITY_ACCESS']);
 }
-// After check print the header
+// Output admin backend header (this creates a new FTAN)
 $admin->print_header();
 
-// Get language name
-if(!isset($_POST['code']) OR $_POST['code'] == "") {
-	$code = '';
-} else {
-	$code = $_POST['code'];
-}
-
-// fix secunia 2010-93-2
-if (!preg_match('/^[A-Z]{2}$/', $code)) {
-	header("Location: index.php");
-	exit(0);
+// Check if user selected a valid language file
+$lang_code = $admin->get_post('code');
+if (! preg_match('/^[A-Z]{2}$/', $lang_code)) {
+	// no valid WBCE language code defined (e.g. EN, DE ..)
+	$admin->print_error($MESSAGE['GENERIC_NOT_INSTALLED']);
 }
 
-// Check if the language exists
-if(!file_exists(WB_PATH.'/languages/'.$code.'.php')) {
-	header("Location: index.php");
-	exit(0);
+// Check if the language files exists
+if(! file_exists(WB_PATH . '/languages/' . $lang_code . '.php')) {
+	$admin->print_error($MESSAGE['GENERIC_NOT_INSTALLED']);
 }
 
-// Setup template object, parse vars to it, then parse it
 // Create new template object
 $template = new Template(dirname($admin->correct_theme_source('languages_details.htt')));
-// $template->debug = true;
 $template->set_file('page', 'languages_details.htt');
 $template->set_block('page', 'main_block', 'main');
 
 // Insert values
-require(WB_PATH.'/languages/'.$code.'.php');
-$template->set_var(array(
-								'CODE' => $language_code,
-								'NAME' => $language_name,
-								'AUTHOR' => $language_author,
-								'VERSION' => $language_version,
-								'DESIGNED_FOR' => $language_platform,
-								'ADMIN_URL' => ADMIN_URL,
-								'WB_URL' => WB_URL,
-								'THEME_URL' => THEME_URL
-								)
-						);
+require(WB_PATH.'/languages/'.$lang_code.'.php');
+$template->set_var(
+	array(
+		'CODE' => $language_code,
+		'NAME' => $language_name,
+		'AUTHOR' => $language_author,
+		'VERSION' => $language_version,
+		'DESIGNED_FOR' => $language_platform,
+		'ADMIN_URL' => ADMIN_URL,
+		'WB_URL' => WB_URL,
+		'THEME_URL' => THEME_URL
+		)
+);
 
 // Restore language to original code
 require(WB_PATH.'/languages/'.LANGUAGE.'.php');
 
 // Insert language headings
-$template->set_var(array(
-								'HEADING_LANGUAGE_DETAILS' => $HEADING['LANGUAGE_DETAILS']
-								)
-						);
-// Insert language text and messages
-$template->set_var(array(
-								'TEXT_CODE' => $TEXT['CODE'],
-								'TEXT_NAME' => $TEXT['NAME'],
-								'TEXT_TYPE' => $TEXT['TYPE'],
-								'TEXT_AUTHOR' => $TEXT['AUTHOR'],
-								'TEXT_VERSION' => $TEXT['VERSION'],
-								'TEXT_DESIGNED_FOR' => $TEXT['DESIGNED_FOR'],
-								'TEXT_BACK' => $TEXT['BACK']
-								)
-						);
+$template->set_var(
+	array(
+		// Headings
+		'HEADING_LANGUAGE_DETAILS' => $HEADING['LANGUAGE_DETAILS'],
+
+		// Text messages
+		'TEXT_CODE' => $TEXT['CODE'],
+		'TEXT_NAME' => $TEXT['NAME'],
+		'TEXT_TYPE' => $TEXT['TYPE'],
+		'TEXT_AUTHOR' => $TEXT['AUTHOR'],
+		'TEXT_VERSION' => $TEXT['VERSION'],
+		'TEXT_DESIGNED_FOR' => $TEXT['DESIGNED_FOR'],
+		'TEXT_BACK' => $TEXT['BACK']
+		)
+);
 
 // Parse language object
 $template->parse('main', 'main_block', false);