Changeset 537613 for zingiri-web-shop
- Timestamp:
- 04/28/2012 08:03:18 AM (13 years ago)
- Location:
- zingiri-web-shop/trunk
- Files:
-
- 13 edited
-
fwkfor/classes/sub.select.class.php (modified) (1 diff)
-
fwkfor/embed.php (modified) (2 diffs)
-
fwkfor/includes/create.inc.php (modified) (2 diffs)
-
fwkfor/scripts/form.php (modified) (1 diff)
-
fwkfor/scripts/list.php (modified) (1 diff)
-
fwktec/functions/qs.inc.php (modified) (2 diffs)
-
fws/addons/timthumb/timthumb2.php (modified) (40 diffs)
-
fws/includes/checkout.inc.php (modified) (1 diff)
-
fws/pages-front/onecheckout.php (modified) (1 diff)
-
local/init.inc.php (modified) (1 diff)
-
readme.txt (modified) (2 diffs)
-
zing.inc.php (modified) (3 diffs)
-
zingiri_webshop.php (modified) (1 diff)
zingiri-web-shop/trunk/fwkfor/classes/sub.select.class.php
r453761 r537613 44 44 $e->populated_value['element_'.$e->id.'_'.$i] = $xmlf->fields->{'field'.$i}->default; 45 45 } 46 $field_markup.="<select id=\"element_{$e->id}_{$i}\" name=\"element_{$e->id}_{$i}\" class=\"element text\" style=\"width: {$xmlf->fields->{'field'.$i}->width}\" {$e->readonly} />";46 $field_markup.="<select id=\"element_{$e->id}_{$i}\" name=\"element_{$e->id}_{$i}\" class=\"element text\" style=\"width: {$xmlf->fields->{'field'.$i}->width}\" {$e->readonly}>"; 47 47 $option_markup=""; 48 48 if ($xmlf->fields->{'field'.$i}->values->attributes()->type=='multi') { -
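Review bot: The `<select>` tag now closes correctly, but the `style="width: {…->width}"` and `{$e->readonly}` attributes are still interpolated into the markup without attribute escaping; the width value comes from the `$xmlf` form definition, whose origin is outside this hunk, so if that definition can be authored by anyone other than trusted administrators this is an attribute-injection point. Escaping it once before the string is built keeps the line readable: `$width = htmlspecialchars($xmlf->fields->{'field'.$i}->width, ENT_QUOTES, 'UTF-8');` and then `style=\"width: {$width}\"` in the markup. The enclosing method starts and ends outside this hunk.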
zingiri-web-shop/trunk/fwkfor/embed.php
r529379 r537613 132 132 if (get_option('zing_apps_remote_url') == 'http://www.aphps.com') update_option('zing_apps_remote_url','http://forms.aphps.com'); 133 133 134 trigger_error('update version:'.ZING_APPS_PLAYER_VERSION); 134 135 if (!$zing_version) add_option("zing_apps_player_version",ZING_APPS_PLAYER_VERSION); 135 136 else update_option("zing_apps_player_version",ZING_APPS_PLAYER_VERSION); … … 290 291 if (strstr($file,".json")) { 291 292 $file_content = file_get_contents($dir.$file); 292 $a=zf_json_decode($file_content,true,false); 293 //zing_apps_error_handler(0,$file); 294 //zing_apps_error_handler(0,$file_content); 295 //zing_apps_error_handler(0,$a); 293 $a=zf_json_decode($file_content,true,false,false); 296 294 zfCreate($a['NAME'],$a['ELEMENTCOUNT'],$a['ENTITY'],$a['TYPE'],$a['DATA'],$a['LABEL'],$a['PROJECT'],$a['ID']); 297 295 } -
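Review bot: The new `trigger_error('update version:'.ZING_APPS_PLAYER_VERSION);` at line 134 looks like leftover debugging: with no level argument it raises E_USER_NOTICE on every run of this upgrade path, and on hosts with `display_errors` enabled the notice lands in the page output, disclosing the plugin version. The same changeset removes two equivalent `trigger_error` debug calls from `fwkfor/scripts/list.php`, so this one should be removed as well, or gated behind whatever debug flag the plugin already uses. In the second hunk, `$a=zf_json_decode($file_content,true,false,false);` is followed by `zfCreate($a['NAME'], …)` with no check that decoding succeeded; guarding the call with `if (is_array($a)) zfCreate(…);` would avoid index warnings on a malformed file. Both hunks sit inside functions that start outside this view.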
zingiri-web-shop/trunk/fwkfor/includes/create.inc.php
r491042 r537613 37 37 $newtable->update($query); 38 38 } 39 $jdata=zf_json_decode($data,true );39 $jdata=zf_json_decode($data,true,true); 40 40 foreach ($jdata as $element) { 41 41 if ($element['column']!='ID' && $element['column']!='DATE_CREATED' && $element['column']!='DATE_UPDATED') { … … 202 202 203 203 } 204 ?> -
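Review bot: `$jdata=zf_json_decode($data,true,true);` feeds `foreach ($jdata as $element)` on the next line without checking that decoding succeeded; if the helper returns `null` or `false` on malformed input, PHP warns and the loop is skipped, so the columns are silently never created. A guard such as `if (!is_array($jdata)) { return false; }`, adapted to the enclosing function's error convention (the function starts outside this hunk), would make the failure explicit. The added third boolean argument is also undocumented at the call site, and the sibling call in `fwkfor/embed.php` passes `false` in the same position, so a short comment stating what `true` selects here would help the next reader.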
zingiri-web-shop/trunk/fwkfor/scripts/form.php
r532831 r537613 180 180 if (!$noLabel && (is_admin() || ZING_CMS=='gn')) echo '<h2 class="zfaces-form-label">'.$zfform->label.'</h2>'; 181 181 echo '<div class="zfaces-form">'; 182 if (defined(" ZING_APPS_BUILDER") && ZingAppsIsAdmin()) {182 if (defined("APHPS_SHOW_EDIT_LINK") && APHPS_SHOW_EDIT_LINK) { 183 183 echo '<a href="'.zurl('?page=apps_edit&zfaces=edit&form='.$form).'" >'.z_('Edit form').'</a>'; 184 184 } -
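Review bot: The new condition drops the `ZingAppsIsAdmin()` check, so once `APHPS_SHOW_EDIT_LINK` is defined true the "Edit form" link, including the form name in its URL, is rendered for every visitor rather than only administrators. If the intent is to let sites opt in to showing the link to admins, keep both tests: `if (defined("APHPS_SHOW_EDIT_LINK") && APHPS_SHOW_EDIT_LINK && ZingAppsIsAdmin()) {`. If the link is meant to be public, the `apps_edit` page it points to must enforce authorization itself; that page is not part of this changeset, so confirm it does. The surrounding script continues outside this hunk.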
zingiri-web-shop/trunk/fwkfor/scripts/list.php
r529379 r537613 21 21 $search=$zflist->setSearch($_POST,$map); 22 22 } else $search=''; 23 trigger_error($action);24 trigger_error(print_r($search,true));25 23 26 24 $stack=new zfStack('list',$formname,$search); -
zingiri-web-shop/trunk/fwktec/functions/qs.inc.php
r430044 r537613 1 1 <?php 2 /*3 * //old version from webshop4 *5 if (!function_exists('qs')) {6 function qs($value) {7 return quote_smart($value);8 }9 }10 11 12 function quote_smart($value)13 {14 if( is_array($value) ) {15 return array_map("quote_smart", $value);16 } else {17 if( get_magic_quotes_gpc() ) {18 $value = stripslashes($value);19 }20 if( $value == '' ) {21 $value = '';22 }23 if( !is_numeric($value) || $value[0] == '0' ) {24 $value = "'".wsEscapeString($value)."'";25 }26 return $value;27 }28 }29 */30 31 2 function qs($value,$checknull = FALSE,$forcequotes = FALSE) 32 3 { … … 62 33 } 63 34 } 35 36 function aphpsSanitize($var,$type=null){ 37 $flags = NULL; 38 switch($type) 39 { 40 case 'url': 41 $filter = FILTER_SANITIZE_URL; 42 break; 43 case 'int': 44 $filter = FILTER_SANITIZE_NUMBER_INT; 45 break; 46 case 'float': 47 $filter = FILTER_SANITIZE_NUMBER_FLOAT; 48 $flags = FILTER_FLAG_ALLOW_FRACTION | FILTER_FLAG_ALLOW_THOUSAND; 49 break; 50 case 'email': 51 $var = substr($var, 0, 254); 52 $filter = FILTER_SANITIZE_EMAIL; 53 break; 54 case 'string': 55 default: 56 $filter = FILTER_SANITIZE_STRING; 57 $flags = FILTER_FLAG_NO_ENCODE_QUOTES; 58 break; 59 60 } 61 $output = filter_var($var, $filter, $flags); 62 return($output); 63 } -
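Review bot: In `aphpsSanitize`, the `'string'`/default branch uses `FILTER_SANITIZE_STRING` with `FILTER_FLAG_NO_ENCODE_QUOTES`, which strips tags but leaves quotes intact, so its output is not safe to place in an HTML attribute or a SQL string and callers must still escape per output context (`htmlspecialchars(..., ENT_QUOTES)`, prepared statements); `FILTER_SANITIZE_STRING` is also deprecated since PHP 8.1. `filter_var` returns `false` on failure and that value is returned unchanged, and `$flags = NULL` passed as the third argument is likewise deprecated in PHP 8.1 (null to an `array|int` parameter), so initialise it as `$flags = 0;`. The `'int'` and `'float'` cases only strip characters rather than validate (`'1a2'` becomes `'12'`); where a real number is required, `FILTER_VALIDATE_INT`/`FILTER_VALIDATE_FLOAT` is the appropriate filter. A short docblock stating that the return is the sanitised string or `false` on filter failure would help callers handle it.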
zingiri-web-shop/trunk/fws/addons/timthumb/timthumb2.php
r420616 r537613 4 4 * Based on work done by Tim McDaniels and Darren Hoyt 5 5 * http://code.google.com/p/timthumb/ 6 * 6 * 7 7 * GNU General Public License, version 2 8 8 * http://www.gnu.org/licenses/old-licenses/gpl-2.0.html … … 10 10 * Examples and documentation available on the project homepage 11 11 * http://www.binarymoon.co.uk/projects/timthumb/ 12 * 13 * $Rev$ 12 14 */ 13 15 14 //Main config vars 15 define ('VERSION', '2.4'); // Version of this script 16 define ('DEBUG_ON', false); // Enable debug logging to web server error log (STDERR) 17 define ('DEBUG_LEVEL', 1); // Debug level 1 is less noisy and 3 is the most noisy 18 define ('MEMORY_LIMIT', '30M'); // Set PHP memory limit 19 define ('BLOCK_EXTERNAL_LEECHERS', false); // If the image or webshot is being loaded on an external site, display a red "No Hotlinking" gif. 16 /* 17 * --- TimThumb CONFIGURATION --- 18 * To edit the configs it is best to create a file called timthumb-config.php 19 * and define variables you want to customize in there. It will automatically be 20 * loaded by timthumb. This will save you having to re-edit these variables 21 * everytime you download a new version 22 */ 23 define ('VERSION', '2.8.10'); // Version of this script 24 //Load a config file if it exists. Otherwise, use the values below 25 if( file_exists(dirname(__FILE__) . '/timthumb-config.php')) require_once('timthumb-config.php'); 26 if(! defined('DEBUG_ON') ) define ('DEBUG_ON', false); // Enable debug logging to web server error log (STDERR) 27 if(! defined('DEBUG_LEVEL') ) define ('DEBUG_LEVEL', 1); // Debug level 1 is less noisy and 3 is the most noisy 28 if(! defined('MEMORY_LIMIT') ) define ('MEMORY_LIMIT', '30M'); // Set PHP memory limit 29 if(! defined('BLOCK_EXTERNAL_LEECHERS') ) define ('BLOCK_EXTERNAL_LEECHERS', false); // If the image or webshot is being loaded on an external site, display a red "No Hotlinking" gif. 
20 30 21 31 //Image fetching and caching 22 define ('ALLOW_EXTERNAL', TRUE); // Allow image fetching from external websites. Will check against ALLOWED_SITES if ALLOW_ALL_EXTERNAL_SITES is false 23 define ('ALLOW_ALL_EXTERNAL_SITES', false); // Less secure. 24 define ('FILE_CACHE_ENABLED', TRUE); // Should we store resized/modified images on disk to speed things up? 25 define ('FILE_CACHE_TIME_BETWEEN_CLEANS', 86400); // How often the cache is cleaned 26 define ('FILE_CACHE_MAX_FILE_AGE', 86400); // How old does a file have to be to be deleted from the cache 27 define ('FILE_CACHE_SUFFIX', '.timthumb.txt'); // What to put at the end of all files in the cache directory so we can identify them 32 if(! defined('ALLOW_EXTERNAL') ) define ('ALLOW_EXTERNAL', TRUE); // Allow image fetching from external websites. Will check against ALLOWED_SITES if ALLOW_ALL_EXTERNAL_SITES is false 33 if(! defined('ALLOW_ALL_EXTERNAL_SITES') ) define ('ALLOW_ALL_EXTERNAL_SITES', false); // Less secure. 34 if(! defined('FILE_CACHE_ENABLED') ) define ('FILE_CACHE_ENABLED', TRUE); // Should we store resized/modified images on disk to speed things up? 35 if(! defined('FILE_CACHE_TIME_BETWEEN_CLEANS')) define ('FILE_CACHE_TIME_BETWEEN_CLEANS', 86400); // How often the cache is cleaned 36 37 if(! defined('FILE_CACHE_MAX_FILE_AGE') ) define ('FILE_CACHE_MAX_FILE_AGE', 86400); // How old does a file have to be to be deleted from the cache 38 if(! defined('FILE_CACHE_SUFFIX') ) define ('FILE_CACHE_SUFFIX', '.timthumb.txt'); // What to put at the end of all files in the cache directory so we can identify them 39 if(! defined('FILE_CACHE_PREFIX') ) define ('FILE_CACHE_PREFIX', 'timthumb'); // What to put at the beg of all files in the cache directory so we can identify them 28 40 define ('FILE_CACHE_DIRECTORY', isset($_REQUEST["dir"]) ? $_REQUEST["dir"] : './cache'); // Directory where images are cached. 
Left blank it will use the system temporary directory (which is better for security) 29 define ('MAX_FILE_SIZE', 10485760); // 10 Megs is 10485760. This is the max internal or external file size that we'll process. 30 define ('CURL_TIMEOUT', 20); // Timeout duration for Curl. This only applies if you have Curl installed and aren't using PHP's default URL fetching mechanism. 31 define ('WAIT_BETWEEN_FETCH_ERRORS', 3600); //Time to wait between errors fetching remote file 41 if(! defined('MAX_FILE_SIZE') ) define ('MAX_FILE_SIZE', 10485760); // 10 Megs is 10485760. This is the max internal or external file size that we'll process. 42 if(! defined('CURL_TIMEOUT') ) define ('CURL_TIMEOUT', 20); // Timeout duration for Curl. This only applies if you have Curl installed and aren't using PHP's default URL fetching mechanism. 43 if(! defined('WAIT_BETWEEN_FETCH_ERRORS') ) define ('WAIT_BETWEEN_FETCH_ERRORS', 3600); //Time to wait between errors fetching remote file 44 32 45 //Browser caching 33 define ('BROWSER_CACHE_MAX_AGE', 864000); // Time to cache in the browser 34 define ('BROWSER_CACHE_DISABLE', false); // Use for testing if you want to disable all browser caching 35 36 //Image size 37 define ('MAX_WIDTH', 1500); // Maximum image width 38 define ('MAX_HEIGHT', 1500); // Maximum image height 46 if(! defined('BROWSER_CACHE_MAX_AGE') ) define ('BROWSER_CACHE_MAX_AGE', 864000); // Time to cache in the browser 47 if(! defined('BROWSER_CACHE_DISABLE') ) define ('BROWSER_CACHE_DISABLE', false); // Use for testing if you want to disable all browser caching 48 49 //Image size and defaults 50 if(! defined('MAX_WIDTH') ) define ('MAX_WIDTH', 1500); // Maximum image width 51 if(! defined('MAX_HEIGHT') ) define ('MAX_HEIGHT', 1500); // Maximum image height 52 if(! defined('NOT_FOUND_IMAGE') ) define ('NOT_FOUND_IMAGE', ''); // Image to serve if any 404 occurs 53 if(! 
defined('ERROR_IMAGE') ) define ('ERROR_IMAGE', ''); // Image to serve if an error occurs instead of showing error message 54 if(! defined('PNG_IS_TRANSPARENT') ) define ('PNG_IS_TRANSPARENT', FALSE); //42 Define if a png image should have a transparent background color. Use False value if you want to display a custom coloured canvas_colour 55 if(! defined('DEFAULT_Q') ) define ('DEFAULT_Q', 90); // Default image quality. Allows overrid in timthumb-config.php 56 if(! defined('DEFAULT_ZC') ) define ('DEFAULT_ZC', 1); // Default zoom/crop setting. Allows overrid in timthumb-config.php 57 if(! defined('DEFAULT_F') ) define ('DEFAULT_F', ''); // Default image filters. Allows overrid in timthumb-config.php 58 if(! defined('DEFAULT_S') ) define ('DEFAULT_S', 0); // Default sharpen value. Allows overrid in timthumb-config.php 59 if(! defined('DEFAULT_CC') ) define ('DEFAULT_CC', 'ffffff'); // Default canvas colour. Allows overrid in timthumb-config.php 60 39 61 40 62 //Image compression is enabled if either of these point to valid paths 41 define ('OPTIPNG_PATH', '/usr/bin/optipng'); //This will run first because it gives better compression than pngcrush. 42 define ('PNGCRUSH_PATH', '/usr/bin/pngcrush'); //This will only run if OPTIPNG_PATH is not set or is not valid 63 64 //These are now disabled by default because the file sizes of PNGs (and GIFs) are much smaller than we used to generate. 65 //They only work for PNGs. GIFs and JPEGs are not affected. 66 if(! defined('OPTIPNG_ENABLED') ) define ('OPTIPNG_ENABLED', false); 67 if(! defined('OPTIPNG_PATH') ) define ('OPTIPNG_PATH', '/usr/bin/optipng'); //This will run first because it gives better compression than pngcrush. 68 if(! defined('PNGCRUSH_ENABLED') ) define ('PNGCRUSH_ENABLED', false); 69 if(! 
defined('PNGCRUSH_PATH') ) define ('PNGCRUSH_PATH', '/usr/bin/pngcrush'); //This will only run if OPTIPNG_PATH is not set or is not valid 43 70 44 71 /* 45 -------====Website Screenshots configuration - BETA====------- 46 47 If you just want image thumbnails and don't want website screenshots, you can safely leave this as is. 48 49 If you would like to get website screenshots set up, you will need root access to your own server. 50 51 Enable ALLOW_ALL_EXTERNAL_SITES so you can fetch any external web page. This is more secure now that we're using a non-web folder for cache. 52 Enable BLOCK_EXTERNAL_LEECHERS so that your site doesn't generate thumbnails for the whole Internet. 53 54 Instructions to get website screenshots enabled on Ubuntu Linux: 55 56 1. Install Xvfb with the following command: sudo apt-get install subversion libqt4-webkit libqt4-dev g++ xvfb 57 2. Go to a directory where you can download some code 58 3. Check-out the latest version of CutyCapt with the following command: svn co https://cutycapt.svn.sourceforge.net/svnroot/cutycapt 59 4. Compile CutyCapt by doing: cd cutycapt/CutyCapt 60 5. qmake 61 6. make 62 7. cp CutyCapt /usr/local/bin/ 63 8. Test it by running: xvfb-run --server-args="-screen 0, 1024x768x24" CutyCapt --url="http://markmaunder.com/" --out=test.png 64 9. If you get a file called test.png with something in it, it probably worked. Now test the script by accessing it as follows: 65 10. http://yoursite.com/path/to/timthumb.php?src=http://markmaunder.com/&webshot=1 66 67 Notes on performance: 68 The first time a webshot loads, it will take a few seconds. 69 From then on it uses the regular timthumb caching mechanism with the configurable options above 70 and loading will be very fast. 71 72 --ADVANCED USERS ONLY-- 73 If you'd like a slight speedup (about 25%) and you know Linux, you can run the following command which will keep Xvfb running in the background. 
74 nohup Xvfb :100 -ac -nolisten tcp -screen 0, 1024x768x24 > /dev/null 2>&1 & 75 Then set WEBSHOT_XVFB_RUNNING = true below. This will save your server having to fire off a new Xvfb server and shut it down every time a new shot is generated. 76 You will need to take responsibility for keeping Xvfb running in case it crashes. (It seems pretty stable) 77 You will also need to take responsibility for server security if you're running Xvfb as root. 78 79 80 */ 81 define ('WEBSHOT_ENABLED', false); //Beta feature. Adding webshot=1 to your query string will cause the script to return a browser screenshot rather than try to fetch an image. 82 define ('WEBSHOT_CUTYCAPT', '/usr/local/bin/CutyCapt'); //The path to CutyCapt. 83 define ('WEBSHOT_XVFB', '/usr/bin/xvfb-run'); //The path to the Xvfb server 84 define ('WEBSHOT_SCREEN_X', '1024'); //1024 works ok 85 define ('WEBSHOT_SCREEN_Y', '768'); //768 works ok 86 define ('WEBSHOT_COLOR_DEPTH', '24'); //I haven't tested anything besides 24 87 define ('WEBSHOT_IMAGE_FORMAT', 'png'); //png is about 2.5 times the size of jpg but is a LOT better quality 88 define ('WEBSHOT_TIMEOUT', '300'); //Seconds to wait for a webshot 89 define ('WEBSHOT_USER_AGENT', "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18"); //I hate to do this, but a non-browser robot user agent might not show what humans see. So we pretend to be Firefox 90 define ('WEBSHOT_JAVASCRIPT_ON', true); //Setting to false might give you a slight speedup and block ads. But it could cause other issues. 91 define ('WEBSHOT_JAVA_ON', false); //Have only tested this as fase 92 define ('WEBSHOT_PLUGINS_ON', true); //Enable flash and other plugins 93 define ('WEBSHOT_PROXY', ''); //In case you're behind a proxy server. 94 define ('WEBSHOT_XVFB_RUNNING', false); //ADVANCED: Enable this if you've got Xvfb running in the background. 
95 96 97 // If ALLOW_EXTERNAL is true and ALLOW_ALL_EXTERNAL_SITES is false, then external images will only be fetched from these domains and their subdomains. 98 $ALLOWED_SITES = array ( 72 -------====Website Screenshots configuration - BETA====------- 73 74 If you just want image thumbnails and don't want website screenshots, you can safely leave this as is. 75 76 If you would like to get website screenshots set up, you will need root access to your own server. 77 78 Enable ALLOW_ALL_EXTERNAL_SITES so you can fetch any external web page. This is more secure now that we're using a non-web folder for cache. 79 Enable BLOCK_EXTERNAL_LEECHERS so that your site doesn't generate thumbnails for the whole Internet. 80 81 Instructions to get website screenshots enabled on Ubuntu Linux: 82 83 1. Install Xvfb with the following command: sudo apt-get install subversion libqt4-webkit libqt4-dev g++ xvfb 84 2. Go to a directory where you can download some code 85 3. Check-out the latest version of CutyCapt with the following command: svn co https://cutycapt.svn.sourceforge.net/svnroot/cutycapt 86 4. Compile CutyCapt by doing: cd cutycapt/CutyCapt 87 5. qmake 88 6. make 89 7. cp CutyCapt /usr/local/bin/ 90 8. Test it by running: xvfb-run --server-args="-screen 0, 1024x768x24" CutyCapt --url="http://markmaunder.com/" --out=test.png 91 9. If you get a file called test.png with something in it, it probably worked. Now test the script by accessing it as follows: 92 10. http://yoursite.com/path/to/timthumb.php?src=http://markmaunder.com/&webshot=1 93 94 Notes on performance: 95 The first time a webshot loads, it will take a few seconds. 96 From then on it uses the regular timthumb caching mechanism with the configurable options above 97 and loading will be very fast. 98 99 --ADVANCED USERS ONLY-- 100 If you'd like a slight speedup (about 25%) and you know Linux, you can run the following command which will keep Xvfb running in the background. 
101 nohup Xvfb :100 -ac -nolisten tcp -screen 0, 1024x768x24 > /dev/null 2>&1 & 102 Then set WEBSHOT_XVFB_RUNNING = true below. This will save your server having to fire off a new Xvfb server and shut it down every time a new shot is generated. 103 You will need to take responsibility for keeping Xvfb running in case it crashes. (It seems pretty stable) 104 You will also need to take responsibility for server security if you're running Xvfb as root. 105 106 107 */ 108 if(! defined('WEBSHOT_ENABLED') ) define ('WEBSHOT_ENABLED', false); //Beta feature. Adding webshot=1 to your query string will cause the script to return a browser screenshot rather than try to fetch an image. 109 if(! defined('WEBSHOT_CUTYCAPT') ) define ('WEBSHOT_CUTYCAPT', '/usr/local/bin/CutyCapt'); //The path to CutyCapt. 110 if(! defined('WEBSHOT_XVFB') ) define ('WEBSHOT_XVFB', '/usr/bin/xvfb-run'); //The path to the Xvfb server 111 if(! defined('WEBSHOT_SCREEN_X') ) define ('WEBSHOT_SCREEN_X', '1024'); //1024 works ok 112 if(! defined('WEBSHOT_SCREEN_Y') ) define ('WEBSHOT_SCREEN_Y', '768'); //768 works ok 113 if(! defined('WEBSHOT_COLOR_DEPTH') ) define ('WEBSHOT_COLOR_DEPTH', '24'); //I haven't tested anything besides 24 114 if(! defined('WEBSHOT_IMAGE_FORMAT') ) define ('WEBSHOT_IMAGE_FORMAT', 'png'); //png is about 2.5 times the size of jpg but is a LOT better quality 115 if(! defined('WEBSHOT_TIMEOUT') ) define ('WEBSHOT_TIMEOUT', '20'); //Seconds to wait for a webshot 116 if(! defined('WEBSHOT_USER_AGENT') ) define ('WEBSHOT_USER_AGENT', "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18"); //I hate to do this, but a non-browser robot user agent might not show what humans see. So we pretend to be Firefox 117 if(! defined('WEBSHOT_JAVASCRIPT_ON') ) define ('WEBSHOT_JAVASCRIPT_ON', true); //Setting to false might give you a slight speedup and block ads. But it could cause other issues. 118 if(! 
defined('WEBSHOT_JAVA_ON') ) define ('WEBSHOT_JAVA_ON', false); //Have only tested this as fase 119 if(! defined('WEBSHOT_PLUGINS_ON') ) define ('WEBSHOT_PLUGINS_ON', true); //Enable flash and other plugins 120 if(! defined('WEBSHOT_PROXY') ) define ('WEBSHOT_PROXY', ''); //In case you're behind a proxy server. 121 if(! defined('WEBSHOT_XVFB_RUNNING') ) define ('WEBSHOT_XVFB_RUNNING', false); //ADVANCED: Enable this if you've got Xvfb running in the background. 122 123 124 // If ALLOW_EXTERNAL is true and ALLOW_ALL_EXTERNAL_SITES is false, then external images will only be fetched from these domains and their subdomains. 125 if(! isset($ALLOWED_SITES)){ 126 $ALLOWED_SITES = array ( 99 127 'flickr.com', 128 'staticflickr.com', 100 129 'picasa.com', 101 130 'img.youtube.com', … … 104 133 'imgur.com', 105 134 'imageshack.us', 106 'tinypic.com' 107 ); 135 'tinypic.com', 136 ); 137 } 108 138 // ------------------------------------------------------------- 109 139 // -------------- STOP EDITING CONFIGURATION HERE -------------- … … 114 144 class timthumb { 115 145 protected $src = ""; 146 protected $is404 = false; 116 147 protected $docRoot = ""; 117 148 protected $lastURLError = false; … … 127 158 protected $startTime = 0; 128 159 protected $lastBenchTime = 0; 129 protected $isOwnHost = false;130 160 protected $cropTop = false; 131 161 protected $salt = ""; … … 153 183 global $ALLOWED_SITES; 154 184 $this->startTime = microtime(true); 185 date_default_timezone_set('UTC'); 155 186 $this->debug(1, "Starting new request from " . $this->getIP() . " to " . $_SERVER['REQUEST_URI']); 156 187 $this->calcDocRoot(); … … 167 198 } 168 199 $this->cacheDirectory = FILE_CACHE_DIRECTORY; 169 touch($this->cacheDirectory . '/index.php'); 170 touch($this->cacheDirectory . '/index.html'); 200 if (!touch($this->cacheDirectory . 
'/index.html')) { 201 $this->error("Could not create the index.html file - to fix this create an empty file named index.html file in the cache directory."); 202 } 171 203 } else { 172 204 $this->cacheDirectory = sys_get_temp_dir(); 173 205 } 174 //Clean the cache before we do anything because we don't want the first visitor after FILE_CACHE_TIME_BETWEEN_CLEANS expires to get a stale image. 206 //Clean the cache before we do anything because we don't want the first visitor after FILE_CACHE_TIME_BETWEEN_CLEANS expires to get a stale image. 175 207 $this->cleanCache(); 176 208 177 209 $this->myHost = preg_replace('/^www\./i', '', $_SERVER['HTTP_HOST']); 178 210 $this->src = $this->param('src'); 179 211 $this->url = parse_url($this->src); 212 $this->src = preg_replace('/https?:\/\/(?:www\.)?' . $this->myHost . '/i', '', $this->src); 213 180 214 if(strlen($this->src) <= 3){ 181 215 $this->error("No image specified"); … … 183 217 } 184 218 if(BLOCK_EXTERNAL_LEECHERS && array_key_exists('HTTP_REFERER', $_SERVER) && (! preg_match('/^https?:\/\/(?:www\.)?' . $this->myHost . '(?:$|\/)/i', $_SERVER['HTTP_REFERER']))){ 219 // base64 encoded red image that says 'no hotlinkers' 220 // nothing to worry about! :) 185 221 $imgData = base64_decode("R0lGODlhUAAMAIAAAP8AAP///yH5BAAHAP8ALAAAAABQAAwAAAJpjI+py+0Po5y0OgAMjjv01YUZ\nOGplhWXfNa6JCLnWkXplrcBmW+spbwvaVr/cDyg7IoFC2KbYVC2NQ5MQ4ZNao9Ynzjl9ScNYpneb\nDULB3RP6JuPuaGfuuV4fumf8PuvqFyhYtjdoeFgAADs="); 186 222 header('Content-Type: image/gif'); … … 193 229 exit(0); 194 230 } 195 if(preg_match('/https?:\/\/(?:www\.)?' . $this->myHost . '(?:$|\/)/i', $this->src)){196 $this->isOwnHost = true;197 }198 231 if(preg_match('/^https?:\/\/[^\/]+/i', $this->src)){ 199 232 $this->debug(2, "Is a request for an external URL: " . 
$this->src); … … 207 240 } 208 241 if($this->isURL){ 209 if(ALLOW_ALL_EXTERNAL_SITES || $this->isOwnHost){210 $this->debug(2, "Fetching from all external sites is enabled or this is our own server.");242 if(ALLOW_ALL_EXTERNAL_SITES){ 243 $this->debug(2, "Fetching from all external sites is enabled."); 211 244 } else { 212 245 $this->debug(2, "Fetching only from selected external sites is enabled."); 213 246 $allowed = false; 214 247 foreach($ALLOWED_SITES as $site){ 215 if ( preg_match ('/(?:^|\.)' . $site . '$/i', $this->url['host'])) {248 if ((strtolower(substr($this->url['host'],-strlen($site)-1)) === strtolower(".$site")) || (strtolower($this->url['host'])===strtolower($site))) { 216 249 $this->debug(3, "URL hostname {$this->url['host']} matches $site so allowing."); 217 250 $allowed = true; … … 224 257 } 225 258 226 $cachePrefix = ($this->isURL ? ' timthumb_ext_' : 'timthumb_int_');259 $cachePrefix = ($this->isURL ? '_ext_' : '_int_'); 227 260 if($this->isURL){ 228 $this->cachefile = $this->cacheDirectory . '/' . $cachePrefix . md5($this->salt . $_SERVER ['QUERY_STRING'] . $this->fileCacheVersion) . FILE_CACHE_SUFFIX; 261 $arr = explode('&', $_SERVER ['QUERY_STRING']); 262 asort($arr); 263 $this->cachefile = $this->cacheDirectory . '/' . FILE_CACHE_PREFIX . $cachePrefix . md5($this->salt . implode('', $arr) . $this->fileCacheVersion) . FILE_CACHE_SUFFIX; 229 264 } else { 230 265 $this->localImage = $this->getLocalImagePath($this->src); 231 266 if(! $this->localImage){ 267 $this->debug(1, "Could not find the local image: {$this->localImage}"); 232 268 $this->error("Could not find the internal image you specified."); 269 $this->set404(); 233 270 return false; 234 271 } … … 236 273 $this->localImageMTime = @filemtime($this->localImage); 237 274 //We include the mtime of the local file in case in changes on disk. 238 $this->cachefile = $this->cacheDirectory . '/' . $cachePrefix . md5($this->salt . $this->localImageMTime . $_SERVER ['QUERY_STRING'] . 
$this->fileCacheVersion) . FILE_CACHE_SUFFIX;275 $this->cachefile = $this->cacheDirectory . '/' . FILE_CACHE_PREFIX . $cachePrefix . md5($this->salt . $this->localImageMTime . $_SERVER ['QUERY_STRING'] . $this->fileCacheVersion) . FILE_CACHE_SUFFIX; 239 276 } 240 277 $this->debug(2, "Cache file is: " . $this->cachefile); … … 266 303 $this->debug(3, "webshot is NOT set so we're going to try to fetch a regular image."); 267 304 $this->serveExternalImage(); 305 268 306 } 269 307 } else { … … 274 312 } 275 313 protected function handleErrors(){ 276 if($this->haveErrors()){ 277 $this->serveErrors(); 278 exit(0); 314 if($this->haveErrors()){ 315 if(NOT_FOUND_IMAGE && $this->is404()){ 316 if($this->serveImg(NOT_FOUND_IMAGE)){ 317 exit(0); 318 } else { 319 $this->error("Additionally, the 404 image that is configured could not be found or there was an error serving it."); 320 } 321 } 322 if(ERROR_IMAGE){ 323 if($this->serveImg(ERROR_IMAGE)){ 324 exit(0); 325 } else { 326 $this->error("Additionally, the error image that is configured could not be found or there was an error serving it."); 327 } 328 } 329 $this->serveErrors(); 330 exit(0); 279 331 } 280 332 return false; … … 310 362 } else { //Otherwise serve a 304 311 363 $this->debug(3, "File has not been modified since last get, so serving a 304."); 312 header ( 'HTTP/1.1304 Not Modified');364 header ($_SERVER['SERVER_PROTOCOL'] . ' 304 Not Modified'); 313 365 $this->debug(1, "Returning 304 not modified"); 314 366 return true; … … 332 384 } else { 333 385 $this->debug(3, "Empty cachefile is still fresh so returning message saying we had an error fetching this image from remote host."); 386 $this->set404(); 334 387 $this->error("An error occured fetching image."); 335 return false; 388 return false; 336 389 } 337 390 } … … 363 416 } 364 417 protected function serveErrors(){ 418 header ($_SERVER['SERVER_PROTOCOL'] . 
' 400 Bad Request'); 365 419 $html = '<ul>'; 366 420 foreach($this->errors as $err){ … … 368 422 } 369 423 $html .= '</ul>'; 370 header ('HTTP/1.1 400 Bad Request');371 424 echo '<h1>A TimThumb error has occured</h1>The following error(s) occured:<br />' . $html . '<br />'; 372 425 echo '<br />Query String : ' . htmlentities ($_SERVER['QUERY_STRING']); … … 392 445 $this->serveCacheFile(); 393 446 return true; 394 } else { 447 } else { 395 448 return false; 396 449 } 397 450 } 398 451 protected function cleanCache(){ 452 if (FILE_CACHE_TIME_BETWEEN_CLEANS < 0) { 453 return; 454 } 399 455 $this->debug(3, "cleanCache() called"); 400 456 $lastCleanFile = $this->cacheDirectory . '/timthumb_cacheLastCleanTime.touch'; 401 457 402 458 //If this is a new timthumb installation we need to create the file 403 459 if(! is_file($lastCleanFile)){ 404 460 $this->debug(1, "File tracking last clean doesn't exist. Creating $lastCleanFile"); 405 touch($lastCleanFile); 461 if (!touch($lastCleanFile)) { 462 $this->error("Could not create cache clean timestamp file."); 463 } 406 464 return; 407 465 } … … 409 467 $this->debug(1, "Cache was last cleaned more than " . FILE_CACHE_TIME_BETWEEN_CLEANS . " seconds ago. Cleaning now."); 410 468 // Very slight race condition here, but worst case we'll have 2 or 3 servers cleaning the cache simultaneously once a day. 411 touch($lastCleanFile); 469 if (!touch($lastCleanFile)) { 470 $this->error("Could not create cache clean timestamp file."); 471 } 412 472 $files = glob($this->cacheDirectory . '/*' . FILE_CACHE_SUFFIX); 413 $timeAgo = time() - FILE_CACHE_MAX_FILE_AGE; 414 foreach($files as $file){ 415 if(@filemtime($file) < $timeAgo){ 416 $this->debug(3, "Deleting cache file $file older than max age: " . FILE_CACHE_MAX_FILE_AGE . 
" seconds"); 417 @unlink($file); 473 if ($files) { 474 $timeAgo = time() - FILE_CACHE_MAX_FILE_AGE; 475 foreach($files as $file){ 476 if(@filemtime($file) < $timeAgo){ 477 $this->debug(3, "Deleting cache file $file older than max age: " . FILE_CACHE_MAX_FILE_AGE . " seconds"); 478 @unlink($file); 479 } 418 480 } 419 481 } … … 425 487 } 426 488 protected function processImageAndWriteToCache($localImage){ 427 $mimeType = $this->getMimeType($localImage); 489 $sData = getimagesize($localImage); 490 $origType = $sData[2]; 491 $mimeType = $sData['mime']; 492 428 493 $this->debug(3, "Mime type of image is $mimeType"); 429 494 if(! preg_match('/^image\/(?:gif|jpg|jpeg|png)$/i', $mimeType)){ … … 432 497 433 498 if (!function_exists ('imagecreatetruecolor')) { 434 return $this->error('GD Library Error: imagecreatetruecolor does not exist - please contact your webhost and ask them to install the GD library');499 return $this->error('GD Library Error: imagecreatetruecolor does not exist - please contact your webhost and ask them to install the GD library'); 435 500 } 436 501 437 502 if (function_exists ('imagefilter') && defined ('IMG_FILTER_NEGATE')) { 438 503 $imageFilters = array ( 439 1 => array (IMG_FILTER_NEGATE, 0),440 2 => array (IMG_FILTER_GRAYSCALE, 0),441 3 => array (IMG_FILTER_BRIGHTNESS, 1),442 4 => array (IMG_FILTER_CONTRAST, 1),443 5 => array (IMG_FILTER_COLORIZE, 4),444 6 => array (IMG_FILTER_EDGEDETECT, 0),445 7 => array (IMG_FILTER_EMBOSS, 0),446 8 => array (IMG_FILTER_GAUSSIAN_BLUR, 0),447 9 => array (IMG_FILTER_SELECTIVE_BLUR, 0),448 10 => array (IMG_FILTER_MEAN_REMOVAL, 0),449 11 => array (IMG_FILTER_SMOOTH, 0),504 1 => array (IMG_FILTER_NEGATE, 0), 505 2 => array (IMG_FILTER_GRAYSCALE, 0), 506 3 => array (IMG_FILTER_BRIGHTNESS, 1), 507 4 => array (IMG_FILTER_CONTRAST, 1), 508 5 => array (IMG_FILTER_COLORIZE, 4), 509 6 => array (IMG_FILTER_EDGEDETECT, 0), 510 7 => array (IMG_FILTER_EMBOSS, 0), 511 8 => array (IMG_FILTER_GAUSSIAN_BLUR, 0), 512 9 => array 
(IMG_FILTER_SELECTIVE_BLUR, 0), 513 10 => array (IMG_FILTER_MEAN_REMOVAL, 0), 514 11 => array (IMG_FILTER_SMOOTH, 0), 450 515 ); 451 516 } 452 517 453 // get standard input properties 518 // get standard input properties 454 519 $new_width = (int) abs ($this->param('w', 0)); 455 520 $new_height = (int) abs ($this->param('h', 0)); 456 $zoom_crop = (int) $this->param('zc', 1);457 $quality = (int) abs ($this->param('q', 90));521 $zoom_crop = (int) $this->param('zc', DEFAULT_ZC); 522 $quality = (int) abs ($this->param('q', DEFAULT_Q)); 458 523 $align = $this->cropTop ? 't' : $this->param('a', 'c'); 459 $filters = $this->param('f', ''); 460 $sharpen = (bool) $this->param('s', 0); 461 $canvas_color = $this->param('cc', 'ffffff'); 524 $filters = $this->param('f', DEFAULT_F); 525 $sharpen = (bool) $this->param('s', DEFAULT_S); 526 $canvas_color = $this->param('cc', DEFAULT_CC); 527 $canvas_trans = (bool) $this->param('ct', '1'); 462 528 463 529 // set default width and height if neither are set already 464 530 if ($new_width == 0 && $new_height == 0) { 465 $new_width = 100;466 $new_height = 100;531 $new_width = 100; 532 $new_height = 100; 467 533 } 468 534 … … 510 576 imagealphablending ($canvas, false); 511 577 512 if (strlen ($canvas_color) < 6) { 513 $canvas_color = 'ffffff'; 514 } 578 if (strlen($canvas_color) == 3) { //if is 3-char notation, edit string into 6-char notation 579 $canvas_color = str_repeat(substr($canvas_color, 0, 1), 2) . str_repeat(substr($canvas_color, 1, 1), 2) . 
str_repeat(substr($canvas_color, 2, 1), 2); 580 } else if (strlen($canvas_color) != 6) { 581 $canvas_color = DEFAULT_CC; // on error return default canvas color 582 } 515 583 516 584 $canvas_color_R = hexdec (substr ($canvas_color, 0, 2)); 517 585 $canvas_color_G = hexdec (substr ($canvas_color, 2, 2)); 518 $canvas_color_B = hexdec (substr ($canvas_color, 2, 2));586 $canvas_color_B = hexdec (substr ($canvas_color, 4, 2)); 519 587 520 588 // Create a new transparent color for image 521 $color = imagecolorallocatealpha ($canvas, $canvas_color_R, $canvas_color_G, $canvas_color_B, 127); 589 // If is a png and PNG_IS_TRANSPARENT is false then remove the alpha transparency 590 // (and if is set a canvas color show it in the background) 591 if(preg_match('/^image\/png$/i', $mimeType) && !PNG_IS_TRANSPARENT && $canvas_trans){ 592 $color = imagecolorallocatealpha ($canvas, $canvas_color_R, $canvas_color_G, $canvas_color_B, 127); 593 }else{ 594 $color = imagecolorallocatealpha ($canvas, $canvas_color_R, $canvas_color_G, $canvas_color_B, 0); 595 } 596 522 597 523 598 // Completely fill the background of the new image with allocated color. … … 647 722 648 723 $sharpenMatrix = array ( 649 array (-1,-1,-1),650 array (-1,16,-1),651 array (-1,-1,-1),652 );724 array (-1,-1,-1), 725 array (-1,16,-1), 726 array (-1,-1,-1), 727 ); 653 728 654 729 $divisor = 8; … … 658 733 659 734 } 735 //Straight from Wordpress core code. 
Reduces filesize by up to 70% for PNG's 736 if ( (IMAGETYPE_PNG == $origType || IMAGETYPE_GIF == $origType) && function_exists('imageistruecolor') && !imageistruecolor( $image ) && imagecolortransparent( $image ) > 0 ){ 737 imagetruecolortopalette( $canvas, false, imagecolorstotal( $image ) ); 738 } 739 660 740 $imgType = ""; 661 741 $tempfile = tempnam($this->cacheDirectory, 'timthumb_tmpimg_'); 662 if(preg_match('/^image\/(?:jpg|jpeg)$/i', $mimeType)){ 742 if(preg_match('/^image\/(?:jpg|jpeg)$/i', $mimeType)){ 663 743 $imgType = 'jpg'; 664 imagejpeg($canvas, $tempfile, $quality); 665 } else if(preg_match('/^image\/png$/i', $mimeType)){ 744 imagejpeg($canvas, $tempfile, $quality); 745 } else if(preg_match('/^image\/png$/i', $mimeType)){ 666 746 $imgType = 'png'; 667 747 imagepng($canvas, $tempfile, floor($quality * 0.09)); 668 748 } else if(preg_match('/^image\/gif$/i', $mimeType)){ 669 749 $imgType = 'gif'; 670 image png($canvas, $tempfile, floor($quality * 0.09));750 imagegif($canvas, $tempfile); 671 751 } else { 672 752 return $this->sanityFail("Could not match mime type after verifying it previously."); 673 753 } 674 754 675 if( OPTIPNG_PATH && @is_file(OPTIPNG_PATH)){755 if($imgType == 'png' && OPTIPNG_ENABLED && OPTIPNG_PATH && @is_file(OPTIPNG_PATH)){ 676 756 $exec = OPTIPNG_PATH; 677 757 $this->debug(3, "optipng'ing $tempfile"); … … 688 768 $this->debug(1, "optipng did not change image size."); 689 769 } 690 } else if( PNGCRUSH_PATH && @is_file(PNGCRUSH_PATH)){770 } else if($imgType == 'png' && PNGCRUSH_ENABLED && PNGCRUSH_PATH && @is_file(PNGCRUSH_PATH)){ 691 771 $exec = PNGCRUSH_PATH; 692 772 $tempfile2 = tempnam($this->cacheDirectory, 'timthumb_tmpimg_'); … … 715 795 $context = stream_context_create (); 716 796 $fp = fopen($tempfile,'r',0,$context); 717 file_put_contents($tempfile4, $this->filePrependSecurityBlock . $imgType . ' ?' . '>'); //6 extra bytes, first 3 being image type 797 file_put_contents($tempfile4, $this->filePrependSecurityBlock . 
$imgType . ' ?' . '>'); //6 extra bytes, first 3 being image type 718 798 file_put_contents($tempfile4, $fp, FILE_APPEND); 719 799 fclose($fp); … … 739 819 $this->debug(3, "Done image replace with security header. Cleaning up and running cleanCache()"); 740 820 imagedestroy($canvas); 821 imagedestroy($image); 741 822 return true; 742 823 } 743 824 protected function calcDocRoot(){ 744 825 $docRoot = @$_SERVER['DOCUMENT_ROOT']; 745 if(!isset($docRoot)){ 826 if (defined('LOCAL_FILE_BASE_DIRECTORY')) { 827 $docRoot = LOCAL_FILE_BASE_DIRECTORY; 828 } 829 if(!isset($docRoot)){ 746 830 $this->debug(3, "DOCUMENT_ROOT is not set. This is probably windows. Starting search 1."); 747 831 if(isset($_SERVER['SCRIPT_FILENAME'])){ 748 832 $docRoot = str_replace( '\\', '/', substr($_SERVER['SCRIPT_FILENAME'], 0, 0-strlen($_SERVER['PHP_SELF']))); 749 833 $this->debug(3, "Generated docRoot using SCRIPT_FILENAME and PHP_SELF as: $docRoot"); 750 } 751 } 752 if(!isset($docRoot)){ 834 } 835 } 836 if(!isset($docRoot)){ 753 837 $this->debug(3, "DOCUMENT_ROOT still is not set. Starting search 2."); 754 838 if(isset($_SERVER['PATH_TRANSLATED'])){ 755 839 $docRoot = str_replace( '\\', '/', substr(str_replace('\\\\', '\\', $_SERVER['PATH_TRANSLATED']), 0, 0-strlen($_SERVER['PHP_SELF']))); 756 840 $this->debug(3, "Generated docRoot using PATH_TRANSLATED and PHP_SELF as: $docRoot"); 757 } 758 } 759 if($docRoot ){ $docRoot = preg_replace('/\/$/', '', $docRoot); }841 } 842 } 843 if($docRoot && $_SERVER['DOCUMENT_ROOT'] != '/'){ $docRoot = preg_replace('/\/$/', '', $docRoot); } 760 844 $this->debug(3, "Doc root is: " . $docRoot); 761 845 $this->docRoot = $docRoot; … … 763 847 } 764 848 protected function getLocalImagePath($src){ 765 $src = preg_replace('/^\//', '', $src); //strip off the leading '/' 766 849 $src = ltrim($src, '/'); //strip off the leading '/' 767 850 if(! 
$this->docRoot){ 768 851 $this->debug(3, "We have no document root set, so as a last resort, lets check if the image is in the current dir and serve that."); … … 770 853 $file = preg_replace('/^.*?([^\/\\\\]+)$/', '$1', $src); //strip off any path info and just leave the filename. 771 854 if(is_file($file)){ 772 return realpath($file);855 return $this->realpath($file); 773 856 } 774 857 return $this->error("Could not find your website document root and the file specified doesn't exist in timthumbs directory. We don't support serving files outside timthumb's directory without a document root for security reasons."); 775 } 776 777 if (file_exists ($this->docRoot . '/' . $src)) { 858 } //Do not go past this point without docRoot set 859 860 //Try src under docRoot 861 if(file_exists ($this->docRoot . '/' . $src)) { 778 862 $this->debug(3, "Found file as " . $this->docRoot . '/' . $src); 779 $real = realpath($this->docRoot . '/' . $src); 780 if(strpos($real, $this->docRoot) !== 0){ 863 $real = $this->realpath($this->docRoot . '/' . $src); 864 if(stripos($real, $this->docRoot) === 0){ 865 return $real; 866 } else { 781 867 $this->debug(1, "Security block: The file specified occurs outside the document root."); 782 return false; 783 } 784 return $real; 785 } 868 //allow search to continue 869 } 870 } 871 //Check absolute paths and then verify the real path is under doc root 872 $absolute = $this->realpath('/' . $src); 873 if($absolute && file_exists($absolute)){ //realpath does file_exists check, so can probably skip the exists check here 874 $this->debug(3, "Found absolute path: $absolute"); 875 if(! 
$this->docRoot){ $this->sanityFail("docRoot not set when checking absolute path."); } 876 if(stripos($absolute, $this->docRoot) === 0){ 877 return $absolute; 878 } else { 879 $this->debug(1, "Security block: The file specified occurs outside the document root."); 880 //and continue search 881 } 882 } 883 786 884 $base = $this->docRoot; 787 foreach (explode('/', str_replace($this->docRoot, '', $_SERVER['SCRIPT_FILENAME'])) as $sub){ 885 886 // account for Windows directory structure 887 if (strstr($_SERVER['SCRIPT_FILENAME'],':')) { 888 $sub_directories = explode('\\', str_replace($this->docRoot, '', $_SERVER['SCRIPT_FILENAME'])); 889 } else { 890 $sub_directories = explode('/', str_replace($this->docRoot, '', $_SERVER['SCRIPT_FILENAME'])); 891 } 892 893 foreach ($sub_directories as $sub){ 788 894 $base .= $sub . '/'; 789 895 $this->debug(3, "Trying file as: " . $base . $src); 790 896 if(file_exists($base . $src)){ 791 897 $this->debug(3, "Found file as: " . $base . $src); 792 $real = realpath($base . $src); 793 if(strpos($real, $this->docRoot) !== 0){ 898 $real = $this->realpath($base . $src); 899 if(stripos($real, $this->realpath($this->docRoot)) === 0){ 900 return $real; 901 } else { 794 902 $this->debug(1, "Security block: The file specified occurs outside the document root."); 795 return false; 796 } 797 return $real; 903 //And continue search 904 } 798 905 } 799 906 } 800 907 return false; 908 } 909 protected function realpath($path){ 910 //try to remove any relative paths 911 $remove_relatives = '/\w+\/\.\.\//'; 912 while(preg_match($remove_relatives,$path)){ 913 $path = preg_replace($remove_relatives, '', $path); 914 } 915 //if any remain use PHP realpath to strip them out, otherwise return $path 916 //if using realpath, any symlinks will also be resolved 917 return preg_match('#^\.\./|/\.\./#', $path) ? 
realpath($path) : $path; 801 918 } 802 919 protected function toDelete($name){ … … 831 948 } 832 949 $url = preg_replace('/[^A-Za-z0-9\-\.\_\~:\/\?\#\[\]\@\!\$\&\'\(\)\*\+\,\;\=]+/', '', $url); //RFC 3986 833 //Very important we don't allow injection of shell commands here. URL is between quotes and we are only allowing through chars allowed by a the RFC 834 // which AFAIKT can't be used for shell injection. 950 //Very important we don't allow injection of shell commands here. URL is between quotes and we are only allowing through chars allowed by a the RFC 951 // which AFAIKT can't be used for shell injection. 835 952 if(WEBSHOT_XVFB_RUNNING){ 836 953 putenv('DISPLAY=:100.0'); … … 843 960 $this->debug(3, "Received output: $out"); 844 961 if(! is_file($tempfile)){ 962 $this->set404(); 845 963 return $this->error("The command to create a thumbnail failed."); 846 964 } … … 928 1046 } 929 1047 protected function sendImageHeaders($mimeType, $dataSize){ 1048 if(! preg_match('/^image\//i', $mimeType)){ 1049 $mimeType = 'image/' . $mimeType; 1050 } 1051 if(strtolower($mimeType) == 'image/jpg'){ 1052 $mimeType = 'image/jpeg'; 1053 } 930 1054 $gmdate_expires = gmdate ('D, d M Y H:i:s', strtotime ('now +10 days')) . ' GMT'; 931 1055 $gmdate_modified = gmdate ('D, d M Y H:i:s') . 
' GMT'; … … 958 1082 protected function openImage($mimeType, $src){ 959 1083 switch ($mimeType) { 960 case 'image/jpg':961 $image = imagecreatefromjpeg ($src);962 break;963 1084 case 'image/jpeg': 964 1085 $image = imagecreatefromjpeg ($src); … … 972 1093 $image = imagecreatefromgif ($src); 973 1094 break; 1095 1096 default: 1097 $this->error("Unrecognised mimeType"); 974 1098 } 975 1099 … … 980 1104 $ff = @$_SERVER["HTTP_X_FORWARDED_FOR"]; 981 1105 $ci = @$_SERVER["HTTP_CLIENT_IP"]; 982 if(preg_match('/^(?:192\.168|172\.16|10\.|127\.)/', $rem)){ 1106 if(preg_match('/^(?:192\.168|172\.16|10\.|127\.)/', $rem)){ 983 1107 if($ff){ return $ff; } 984 1108 if($ci){ return $ci; } … … 1003 1127 } 1004 1128 protected function sanityFail($msg){ 1005 return $this->error("There is a problem in the timthumb code. Message: $msg Please report this error at <a href='http://code.google.com/p/timthumb/issues/list'>timthumb's bug tracking page</a>.");1129 return $this->error("There is a problem in the timthumb code. 
Message: Please report this error at <a href='http://code.google.com/p/timthumb/issues/list'>timthumb's bug tracking page</a>: $msg"); 1006 1130 } 1007 1131 protected function getMimeType($file){ … … 1053 1177 @curl_setopt ($curl, CURLOPT_FOLLOWLOCATION, true); 1054 1178 @curl_setopt ($curl, CURLOPT_MAXREDIRS, 10); 1055 1179 1056 1180 $curlResult = curl_exec($curl); 1057 1181 fclose(self::$curlFH); 1058 1182 $httpStatus = curl_getinfo($curl, CURLINFO_HTTP_CODE); 1183 if($httpStatus == 404){ 1184 $this->set404(); 1185 } 1059 1186 if($curlResult){ 1060 1187 curl_close($curl); … … 1068 1195 $img = @file_get_contents ($url); 1069 1196 if($img === false){ 1070 $this->lastURLError = error_get_last(); 1197 $err = error_get_last(); 1198 if(is_array($err) && $err['message']){ 1199 $this->lastURLError = $err['message']; 1200 } else { 1201 $this->lastURLError = $err; 1202 } 1203 if(preg_match('/404/', $this->lastURLError)){ 1204 $this->set404(); 1205 } 1206 1071 1207 return false; 1072 1208 } … … 1079 1215 1080 1216 } 1217 protected function serveImg($file){ 1218 $s = getimagesize($file); 1219 if(! ($s && $s['mime'])){ 1220 return false; 1221 } 1222 header ('Content-Type: ' . $s['mime']); 1223 header ('Content-Length: ' . filesize($file) ); 1224 header ('Cache-Control: no-store, no-cache, must-revalidate, max-age=0'); 1225 header ("Pragma: no-cache"); 1226 $bytes = @readfile($file); 1227 if($bytes > 0){ 1228 return true; 1229 } 1230 $content = @file_get_contents ($file); 1231 if ($content != FALSE){ 1232 echo $content; 1233 return true; 1234 } 1235 return false; 1236 1237 } 1238 protected function set404(){ 1239 $this->is404 = true; 1240 } 1241 protected function is404(){ 1242 return $this->is404; 1243 } 1081 1244 } 1082 ?> -
zingiri-web-shop/trunk/fws/includes/checkout.inc.php
r394247 r537613 9 9 if (!empty($_POST['paymentid'])) { $paymentid=intval($_POST['paymentid']); } 10 10 elseif (!empty($_GET['paymentid'])) { $paymentid=intval($_GET['paymentid']); } 11 if (!empty($_POST['notes'])) { $notes= $_POST['notes']; }12 elseif (!empty($_GET['notes'])) { $notes= $_GET['notes']; }11 if (!empty($_POST['notes'])) { $notes=aphpsSanitize($_POST['notes']); } 12 elseif (!empty($_GET['notes'])) { $notes=aphpsSanitize($_GET['notes']); } 13 13 else { $notes = ""; } 14 14 if (!empty($_POST['discount_code'])) { $discount_code= stripslashes(htmlentities($_POST['discount_code'])); } -
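Review bot: The new `$notes=aphpsSanitize($_POST['notes'])` (and the `$_GET` twin on line 12) call the sanitiser without the mode argument that this same commit passes elsewhere (`aphpsSanitize($_GET['page'],'string')` in zing.inc.php), so which context the default mode targets for free-text `notes` is not visible here; the identical call in onecheckout.php line 28 has the same gap. If the default is an HTML-oriented filter the value is still raw when it reaches the database layer, and if it is a DB-oriented filter it gives no protection on later HTML output, so the safer pattern is to keep the raw text, bind it as a query parameter on write and escape per context when rendering. The adjacent `discount_code` line uses `stripslashes(htmlentities(...))`, a third approach in the same block; a one-line comment naming the intended context, `// notes: free text, sanitised with the default aphpsSanitize() mode — escape again at output`, would at least make the contract explicit until the call sites agree. The enclosing code continues outside the hunk.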
zingiri-web-shop/trunk/fws/pages-front/onecheckout.php
r473277 r537613 26 26 } 27 27 if (!empty($_POST['notes'])) { 28 $notes= $_POST['notes'];28 $notes=aphpsSanitize($_POST['notes']); 29 29 } else $notes=''; 30 30 if (!empty($_GET['prodid'])) { -
zingiri-web-shop/trunk/local/init.inc.php
r532831 r537613 5 5 define('ZING_WS_PRO',false); 6 6 } 7 if (!defined('ZING_VERSION')) define("ZING_VERSION","2.4.0"); 8 //if (!defined('APHPS_JSDIR')) define('APHPS_JSDIR','src'); 7 if (!defined('ZING_VERSION')) define("ZING_VERSION","2.4.2"); 9 8 global $aphps_projects; 10 9 $aphps_projects['fws']=array('label'=>'Web Shop','dir'=>ZING_LOC.'fws/apps/','url'=>ZING_URL.'fws/apps/'); -
zingiri-web-shop/trunk/readme.txt
r532831 r537613 5 5 Requires at least: 2.1.7 6 6 Tested up to: 3.3.1 7 Stable tag: 2.4. 07 Stable tag: 2.4.2 8 8 9 9 Zingiri Web Shop is a Wordpress plugin that adds fantastic ecommerce capabilities to a great content management system. … … 61 61 == Changelog == 62 62 63 = 2.4.2 = 64 * Fixed two security issues 65 66 = 2.4.1 = 67 * Updated timthumb to version 2.8.10 68 63 69 = 2.4.0 = 64 70 * Fixed issue with mandatory message showing on password field -
zingiri-web-shop/trunk/zing.inc.php
r531438 r537613 345 345 if (isset($post)) $cf=get_post_custom(); 346 346 if (isset($_GET['page'])) { 347 $page=$_GET['page']; 348 //do nothing, page already set 347 $page=aphpsSanitize($_GET['page'],'string'); 349 348 } elseif (isset($cf['zing_page'])) { 350 349 $page=$_GET['page']=$cf['zing_page'][0]; … … 367 366 $_GET['cat']=$cf['cat'][0]; 368 367 } 369 if (!$page) $page= $_GET['page'];368 if (!$page) $page=aphpsSanitize($_GET['page'],'string'); 370 369 $to_include="loadmain.php"; 371 370 break; … … 399 398 } elseif ($to_include) { 400 399 if (isset($prefix)) echo $prefix; 401 if ($process=='content' && $page!='ajax' && $page!='downldr') echo '<div class="zing_ws_page" id="zing_ws_'. $_GET['page'].'">';400 if ($process=='content' && $page!='ajax' && $page!='downldr') echo '<div class="zing_ws_page" id="zing_ws_'.aphpsSanitize($_GET['page'],'string').'">'; 402 401 $aphps->doAction('content_before'); 403 402 include($scripts_dir.$to_include); -
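Review bot: Line 400 re-reads and re-sanitises `$_GET['page']` for the `id` attribute instead of using `$page`, which lines 347 and 368 already derive (and which the `elseif` branch sets from the post's custom field rather than from the request), so the echoed value can differ from the one the surrounding logic acted on. Whether `aphpsSanitize(..., 'string')` escapes quotes for an HTML attribute context is not visible in this diff; since this is a WordPress plugin, escaping at the output point with `esc_attr($page)` makes the attribute-context escaping explicit: `echo '<div class="zing_ws_page" id="zing_ws_'.esc_attr($page).'">';`. Line 368 also reads `$_GET['page']` without an `isset` guard, which presumably emits a notice when neither the request nor the custom field supplied it — worth confirming. The enclosing function starts and ends outside these hunks.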
zingiri-web-shop/trunk/zingiri_webshop.php
r532831 r537613 5 5 Description: Zingiri Web Shop is a Wordpress plugin that adds fantastic ecommerce capabilities to a great content management system. 6 6 Author: Zingiri 7 Version: 2.4. 07 Version: 2.4.2 8 8 Author URI: http://www.zingiri.com/ 9 9 */