
Changeset 537613 for zingiri-web-shop


Timestamp:
04/28/2012 08:03:18 AM (13 years ago)
Author:
erikpbogaerts
Message:

2.4.2

Location:
zingiri-web-shop/trunk
Files:
13 edited

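--- a/zingiri-web-shop/trunk/fwkfor/classes/sub.select.class.php
+++ b/zingiri-web-shop/trunk/fwkfor/classes/sub.select.class.php
@@ -44,5 +44,5 @@
             $e->populated_value['element_'.$e->id.'_'.$i] = $xmlf->fields->{'field'.$i}->default;
         }
-        $field_markup.="<select id=\"element_{$e->id}_{$i}\" name=\"element_{$e->id}_{$i}\" class=\"element text\" style=\"width: {$xmlf->fields->{'field'.$i}->width}\" {$e->readonly}/>";
+        $field_markup.="<select id=\"element_{$e->id}_{$i}\" name=\"element_{$e->id}_{$i}\" class=\"element text\" style=\"width: {$xmlf->fields->{'field'.$i}->width}\" {$e->readonly}>";
         $option_markup="";
         if ($xmlf->fields->{'field'.$i}->values->attributes()->type=='multi') {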
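Review bot: The new line 46 interpolates `{$xmlf->fields->{'field'.$i}->width}` and `{$e->readonly}` into the select tag's attributes without any escaping, so a width value containing a double quote terminates the style attribute and the rest of the value lands in the tag; whether the field XML can be written by untrusted users is not visible here. Wrapping the value, e.g. `style=\"width: " . htmlspecialchars($xmlf->fields->{'field'.$i}->width, ENT_QUOTES) . "\"`, closes that gap at no cost to the fix the commit makes. The enclosing method starts and ends outside this hunk.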
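--- a/zingiri-web-shop/trunk/fwkfor/embed.php
+++ b/zingiri-web-shop/trunk/fwkfor/embed.php
@@ -132,4 +132,5 @@
     if (get_option('zing_apps_remote_url') == 'http://www.aphps.com') update_option('zing_apps_remote_url','http://forms.aphps.com');
 
+    trigger_error('update version:'.ZING_APPS_PLAYER_VERSION);
     if (!$zing_version) add_option("zing_apps_player_version",ZING_APPS_PLAYER_VERSION);
     else update_option("zing_apps_player_version",ZING_APPS_PLAYER_VERSION);
@@ -290,8 +291,5 @@
             if (strstr($file,".json")) {
                 $file_content = file_get_contents($dir.$file);
-                $a=zf_json_decode($file_content,true,false);
-                //zing_apps_error_handler(0,$file);
-                //zing_apps_error_handler(0,$file_content);
-                //zing_apps_error_handler(0,$a);
+                $a=zf_json_decode($file_content,true,false,false);
                 zfCreate($a['NAME'],$a['ELEMENTCOUNT'],$a['ENTITY'],$a['TYPE'],$a['DATA'],$a['LABEL'],$a['PROJECT'],$a['ID']);
             }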
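Review bot: The `trigger_error('update version:'.ZING_APPS_PLAYER_VERSION);` added at new line 134 raises an E_USER_NOTICE on every run of this upgrade path; when display_errors is enabled it is written into the response, which exposes the plugin version and can break output before headers are sent. It reads like leftover debugging, the same kind of call this changeset deletes from scripts/list.php, so either drop it or use `error_log('update version:'.ZING_APPS_PLAYER_VERSION);`. In the second hunk the decoded `$a` is passed straight to zfCreate() without checking that zf_json_decode() returned an array, so a malformed .json file produces index notices instead of a clear error, and the meaning of the new fourth `false` argument is not visible at the call site and deserves a short comment. Both hunks sit inside functions whose start and end lie outside this section.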
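--- a/zingiri-web-shop/trunk/fwkfor/includes/create.inc.php
+++ b/zingiri-web-shop/trunk/fwkfor/includes/create.inc.php
@@ -37,5 +37,5 @@
         $newtable->update($query);
     }
-    $jdata=zf_json_decode($data,true);
+    $jdata=zf_json_decode($data,true,true);
     foreach ($jdata as $element) {
         if ($element['column']!='ID' && $element['column']!='DATE_CREATED' && $element['column']!='DATE_UPDATED') {
@@ -202,3 +202,2 @@
 
 }
-?>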
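Review bot: `foreach ($jdata as $element)` on line 40 iterates directly over the result of the changed `zf_json_decode($data,true,true)` call at new line 39 with no check that decoding succeeded, so invalid input yields a PHP warning and a partially built table rather than a clear failure; a guard such as `if (!is_array($jdata)) return;` (or whatever failure signal this function's callers expect) before the loop would make that explicit. The third positional `true` is opaque at the call site; a trailing comment naming what it enables would help the next reader. The enclosing function begins before this hunk, and dropping the closing `?>` in the second hunk is a good change.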
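--- a/zingiri-web-shop/trunk/fwkfor/scripts/form.php
+++ b/zingiri-web-shop/trunk/fwkfor/scripts/form.php
@@ -180,5 +180,5 @@
     if (!$noLabel && (is_admin() || ZING_CMS=='gn')) echo '<h2 class="zfaces-form-label">'.$zfform->label.'</h2>';
     echo '<div class="zfaces-form">';
-    if (defined("ZING_APPS_BUILDER") && ZingAppsIsAdmin()) {
+    if (defined("APHPS_SHOW_EDIT_LINK") && APHPS_SHOW_EDIT_LINK) {
         echo '<a href="'.zurl('?page=apps_edit&zfaces=edit&form='.$form).'" >'.z_('Edit form').'</a>';
     }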
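Review bot: The new condition at line 182 gates the 'Edit form' link on the `APHPS_SHOW_EDIT_LINK` constant alone and drops the previous `ZingAppsIsAdmin()` check, so once the constant is set every visitor is shown the link; that is only harmless if the `apps_edit` page enforces the capability itself, which is not visible here. If the link is still meant for administrators, keep the capability test: `if (defined("APHPS_SHOW_EDIT_LINK") && APHPS_SHOW_EDIT_LINK && ZingAppsIsAdmin()) {`. On the following line `$form` is concatenated into the href unencoded; `urlencode($form)` inside the zurl() argument and `htmlspecialchars()` around the result would keep a form name containing `&` or `"` from altering the URL or the attribute.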
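--- a/zingiri-web-shop/trunk/fwkfor/scripts/list.php
+++ b/zingiri-web-shop/trunk/fwkfor/scripts/list.php
@@ -21,6 +21,4 @@
     $search=$zflist->setSearch($_POST,$map);
 } else $search='';
-trigger_error($action);
-trigger_error(print_r($search,true));
 
 $stack=new zfStack('list',$formname,$search);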
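--- a/zingiri-web-shop/trunk/fwktec/functions/qs.inc.php
+++ b/zingiri-web-shop/trunk/fwktec/functions/qs.inc.php
@@ -1,32 +1,3 @@
 <?php
-/*
- * //old version from webshop
- *
-if (!function_exists('qs')) {
-    function qs($value) {
-        return quote_smart($value);
-    }
-}
-
-
-function quote_smart($value)
-{
-    if( is_array($value) ) {
-        return array_map("quote_smart", $value);
-    } else {
-        if( get_magic_quotes_gpc() ) {
-            $value = stripslashes($value);
-        }
-        if( $value == '' ) {
-            $value = '';
-        }
-        if( !is_numeric($value) || $value[0] == '0' ) {
-            $value = "'".wsEscapeString($value)."'";
-        }
-        return $value;
-    }
-}
-*/
-
 function qs($value,$checknull = FALSE,$forcequotes = FALSE)
 {
@@ -62,2 +33,31 @@
     }
 }
+
+function aphpsSanitize($var,$type=null){
+    $flags = NULL;
+    switch($type)
+    {
+        case 'url':
+            $filter = FILTER_SANITIZE_URL;
+            break;
+        case 'int':
+            $filter = FILTER_SANITIZE_NUMBER_INT;
+            break;
+        case 'float':
+            $filter = FILTER_SANITIZE_NUMBER_FLOAT;
+            $flags = FILTER_FLAG_ALLOW_FRACTION | FILTER_FLAG_ALLOW_THOUSAND;
+            break;
+        case 'email':
+            $var = substr($var, 0, 254);
+            $filter = FILTER_SANITIZE_EMAIL;
+            break;
+        case 'string':
+        default:
+            $filter = FILTER_SANITIZE_STRING;
+            $flags = FILTER_FLAG_NO_ENCODE_QUOTES;
+            break;
+
+    }
+    $output = filter_var($var, $filter, $flags);
+    return($output);
+}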
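Review bot: `FILTER_SANITIZE_STRING`, used by the default case of aphpsSanitize() at new line 56, is deprecated since PHP 8.1, and combined with `FILTER_FLAG_NO_ENCODE_QUOTES` the result still contains single and double quotes, so it is not safe to place in HTML attributes or SQL without context-specific escaping at the point of use; the function also returns `false` when `$var` is an array and an empty string for `'int'`/`'float'` input that contains no digits. The function has no docblock; add one stating that it only strips tags or disallowed characters per `$type`, that callers must still escape for their output context, and that the return type is `string|false`. For the string case, `strip_tags()` or `FILTER_SANITIZE_FULL_SPECIAL_CHARS` is the forward-compatible choice depending on whether tag-stripping or entity-encoding is intended, and `return($output)` would read better as `return $output;`. The body of qs() in the first hunk lies outside this section, so only its signature is visible.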
  • zingiri-web-shop/trunk/fws/addons/timthumb/timthumb2.php

    r420616 r537613  
    44 * Based on work done by Tim McDaniels and Darren Hoyt
    55 * http://code.google.com/p/timthumb/
    6  *
     6 * 
    77 * GNU General Public License, version 2
    88 * http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
     
    1010 * Examples and documentation available on the project homepage
    1111 * http://www.binarymoon.co.uk/projects/timthumb/
     12 *
     13 * $Rev$
    1214 */
    1315
    14 //Main config vars
    15 define ('VERSION', '2.4');              // Version of this script
    16 define ('DEBUG_ON', false);             // Enable debug logging to web server error log (STDERR)
    17 define ('DEBUG_LEVEL', 1);              // Debug level 1 is less noisy and 3 is the most noisy
    18 define ('MEMORY_LIMIT', '30M');             // Set PHP memory limit
    19 define ('BLOCK_EXTERNAL_LEECHERS', false);      // If the image or webshot is being loaded on an external site, display a red "No Hotlinking" gif.
     16/*
     17 * --- TimThumb CONFIGURATION ---
     18 * To edit the configs it is best to create a file called timthumb-config.php
     19 * and define variables you want to customize in there. It will automatically be
     20 * loaded by timthumb. This will save you having to re-edit these variables
     21 * everytime you download a new version
     22*/
     23define ('VERSION', '2.8.10');                                                                       // Version of this script
     24//Load a config file if it exists. Otherwise, use the values below
     25if( file_exists(dirname(__FILE__) . '/timthumb-config.php'))    require_once('timthumb-config.php');
     26if(! defined('DEBUG_ON') )                  define ('DEBUG_ON', false);                             // Enable debug logging to web server error log (STDERR)
     27if(! defined('DEBUG_LEVEL') )               define ('DEBUG_LEVEL', 1);                              // Debug level 1 is less noisy and 3 is the most noisy
     28if(! defined('MEMORY_LIMIT') )              define ('MEMORY_LIMIT', '30M');                         // Set PHP memory limit
     29if(! defined('BLOCK_EXTERNAL_LEECHERS') )   define ('BLOCK_EXTERNAL_LEECHERS', false);              // If the image or webshot is being loaded on an external site, display a red "No Hotlinking" gif.
    2030
    2131//Image fetching and caching
    22 define ('ALLOW_EXTERNAL', TRUE);            // Allow image fetching from external websites. Will check against ALLOWED_SITES if ALLOW_ALL_EXTERNAL_SITES is false
    23 define ('ALLOW_ALL_EXTERNAL_SITES', false);     // Less secure.
    24 define ('FILE_CACHE_ENABLED', TRUE);            // Should we store resized/modified images on disk to speed things up?
    25 define ('FILE_CACHE_TIME_BETWEEN_CLEANS', 86400);   // How often the cache is cleaned
    26 define ('FILE_CACHE_MAX_FILE_AGE', 86400);      // How old does a file have to be to be deleted from the cache
    27 define ('FILE_CACHE_SUFFIX', '.timthumb.txt');      // What to put at the end of all files in the cache directory so we can identify them
     32if(! defined('ALLOW_EXTERNAL') )            define ('ALLOW_EXTERNAL', TRUE);                        // Allow image fetching from external websites. Will check against ALLOWED_SITES if ALLOW_ALL_EXTERNAL_SITES is false
     33if(! defined('ALLOW_ALL_EXTERNAL_SITES') )  define ('ALLOW_ALL_EXTERNAL_SITES', false);             // Less secure.
     34if(! defined('FILE_CACHE_ENABLED') )        define ('FILE_CACHE_ENABLED', TRUE);                    // Should we store resized/modified images on disk to speed things up?
     35if(! defined('FILE_CACHE_TIME_BETWEEN_CLEANS')) define ('FILE_CACHE_TIME_BETWEEN_CLEANS', 86400);   // How often the cache is cleaned
     36
     37if(! defined('FILE_CACHE_MAX_FILE_AGE') )   define ('FILE_CACHE_MAX_FILE_AGE', 86400);              // How old does a file have to be to be deleted from the cache
     38if(! defined('FILE_CACHE_SUFFIX') )         define ('FILE_CACHE_SUFFIX', '.timthumb.txt');          // What to put at the end of all files in the cache directory so we can identify them
     39if(! defined('FILE_CACHE_PREFIX') )         define ('FILE_CACHE_PREFIX', 'timthumb');               // What to put at the beg of all files in the cache directory so we can identify them
    2840define ('FILE_CACHE_DIRECTORY', isset($_REQUEST["dir"]) ? $_REQUEST["dir"] : './cache');        // Directory where images are cached. Left blank it will use the system temporary directory (which is better for security)
    29 define ('MAX_FILE_SIZE', 10485760);         // 10 Megs is 10485760. This is the max internal or external file size that we'll process.
    30 define ('CURL_TIMEOUT', 20);                // Timeout duration for Curl. This only applies if you have Curl installed and aren't using PHP's default URL fetching mechanism.
    31 define ('WAIT_BETWEEN_FETCH_ERRORS', 3600);     //Time to wait between errors fetching remote file
     41if(! defined('MAX_FILE_SIZE') )             define ('MAX_FILE_SIZE', 10485760);                     // 10 Megs is 10485760. This is the max internal or external file size that we'll process. 
     42if(! defined('CURL_TIMEOUT') )              define ('CURL_TIMEOUT', 20);                            // Timeout duration for Curl. This only applies if you have Curl installed and aren't using PHP's default URL fetching mechanism.
     43if(! defined('WAIT_BETWEEN_FETCH_ERRORS') ) define ('WAIT_BETWEEN_FETCH_ERRORS', 3600);             //Time to wait between errors fetching remote file
     44
    3245//Browser caching
    33 define ('BROWSER_CACHE_MAX_AGE', 864000);       // Time to cache in the browser
    34 define ('BROWSER_CACHE_DISABLE', false);            // Use for testing if you want to disable all browser caching
    35 
    36 //Image size
    37 define ('MAX_WIDTH', 1500);             // Maximum image width
    38 define ('MAX_HEIGHT', 1500);                // Maximum image height
     46if(! defined('BROWSER_CACHE_MAX_AGE') )     define ('BROWSER_CACHE_MAX_AGE', 864000);               // Time to cache in the browser
     47if(! defined('BROWSER_CACHE_DISABLE') )     define ('BROWSER_CACHE_DISABLE', false);                // Use for testing if you want to disable all browser caching
     48
     49//Image size and defaults
     50if(! defined('MAX_WIDTH') )             define ('MAX_WIDTH', 1500);                                 // Maximum image width
     51if(! defined('MAX_HEIGHT') )            define ('MAX_HEIGHT', 1500);                                // Maximum image height
     52if(! defined('NOT_FOUND_IMAGE') )       define ('NOT_FOUND_IMAGE', '');                             // Image to serve if any 404 occurs
     53if(! defined('ERROR_IMAGE') )           define ('ERROR_IMAGE', '');                                 // Image to serve if an error occurs instead of showing error message
     54if(! defined('PNG_IS_TRANSPARENT') )    define ('PNG_IS_TRANSPARENT', FALSE);  //42 Define if a png image should have a transparent background color. Use False value if you want to display a custom coloured canvas_colour
     55if(! defined('DEFAULT_Q') )             define ('DEFAULT_Q', 90);                                   // Default image quality. Allows overrid in timthumb-config.php
     56if(! defined('DEFAULT_ZC') )            define ('DEFAULT_ZC', 1);                                   // Default zoom/crop setting. Allows overrid in timthumb-config.php
     57if(! defined('DEFAULT_F') )             define ('DEFAULT_F', '');                                   // Default image filters. Allows overrid in timthumb-config.php
     58if(! defined('DEFAULT_S') )             define ('DEFAULT_S', 0);                                    // Default sharpen value. Allows overrid in timthumb-config.php
     59if(! defined('DEFAULT_CC') )            define ('DEFAULT_CC', 'ffffff');                            // Default canvas colour. Allows overrid in timthumb-config.php
     60
    3961
    4062//Image compression is enabled if either of these point to valid paths
    41 define ('OPTIPNG_PATH', '/usr/bin/optipng'); //This will run first because it gives better compression than pngcrush.
    42 define ('PNGCRUSH_PATH', '/usr/bin/pngcrush'); //This will only run if OPTIPNG_PATH is not set or is not valid
     63
     64//These are now disabled by default because the file sizes of PNGs (and GIFs) are much smaller than we used to generate.
     65//They only work for PNGs. GIFs and JPEGs are not affected.
     66if(! defined('OPTIPNG_ENABLED') )       define ('OPTIPNG_ENABLED', false); 
     67if(! defined('OPTIPNG_PATH') )          define ('OPTIPNG_PATH', '/usr/bin/optipng'); //This will run first because it gives better compression than pngcrush.
     68if(! defined('PNGCRUSH_ENABLED') )      define ('PNGCRUSH_ENABLED', false);
     69if(! defined('PNGCRUSH_PATH') )         define ('PNGCRUSH_PATH', '/usr/bin/pngcrush'); //This will only run if OPTIPNG_PATH is not set or is not valid
    4370
    4471/*
    45  -------====Website Screenshots configuration - BETA====-------
    46 
    47  If you just want image thumbnails and don't want website screenshots, you can safely leave this as is.
    48 
    49  If you would like to get website screenshots set up, you will need root access to your own server.
    50 
    51  Enable ALLOW_ALL_EXTERNAL_SITES so you can fetch any external web page. This is more secure now that we're using a non-web folder for cache.
    52  Enable BLOCK_EXTERNAL_LEECHERS so that your site doesn't generate thumbnails for the whole Internet.
    53 
    54  Instructions to get website screenshots enabled on Ubuntu Linux:
    55 
    56  1. Install Xvfb with the following command: sudo apt-get install subversion libqt4-webkit libqt4-dev g++ xvfb
    57  2. Go to a directory where you can download some code
    58  3. Check-out the latest version of CutyCapt with the following command: svn co https://cutycapt.svn.sourceforge.net/svnroot/cutycapt
    59  4. Compile CutyCapt by doing: cd cutycapt/CutyCapt
    60  5. qmake
    61  6. make
    62  7. cp CutyCapt /usr/local/bin/
    63  8. Test it by running: xvfb-run --server-args="-screen 0, 1024x768x24" CutyCapt --url="http://markmaunder.com/" --out=test.png
    64  9. If you get a file called test.png with something in it, it probably worked. Now test the script by accessing it as follows:
    65  10. http://yoursite.com/path/to/timthumb.php?src=http://markmaunder.com/&webshot=1
    66 
    67  Notes on performance:
    68  The first time a webshot loads, it will take a few seconds.
    69  From then on it uses the regular timthumb caching mechanism with the configurable options above
    70  and loading will be very fast.
    71 
    72  --ADVANCED USERS ONLY--
    73  If you'd like a slight speedup (about 25%) and you know Linux, you can run the following command which will keep Xvfb running in the background.
    74  nohup Xvfb :100 -ac -nolisten tcp -screen 0, 1024x768x24 > /dev/null 2>&1 &
    75  Then set WEBSHOT_XVFB_RUNNING = true below. This will save your server having to fire off a new Xvfb server and shut it down every time a new shot is generated.
    76  You will need to take responsibility for keeping Xvfb running in case it crashes. (It seems pretty stable)
    77  You will also need to take responsibility for server security if you're running Xvfb as root.
    78 
    79 
    80  */
    81 define ('WEBSHOT_ENABLED', false);          //Beta feature. Adding webshot=1 to your query string will cause the script to return a browser screenshot rather than try to fetch an image.
    82 define ('WEBSHOT_CUTYCAPT', '/usr/local/bin/CutyCapt'); //The path to CutyCapt.
    83 define ('WEBSHOT_XVFB', '/usr/bin/xvfb-run');       //The path to the Xvfb server
    84 define ('WEBSHOT_SCREEN_X', '1024');            //1024 works ok
    85 define ('WEBSHOT_SCREEN_Y', '768');         //768 works ok
    86 define ('WEBSHOT_COLOR_DEPTH', '24');           //I haven't tested anything besides 24
    87 define ('WEBSHOT_IMAGE_FORMAT', 'png');         //png is about 2.5 times the size of jpg but is a LOT better quality
    88 define ('WEBSHOT_TIMEOUT', '300');          //Seconds to wait for a webshot
    89 define ('WEBSHOT_USER_AGENT', "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18"); //I hate to do this, but a non-browser robot user agent might not show what humans see. So we pretend to be Firefox
    90 define ('WEBSHOT_JAVASCRIPT_ON', true);         //Setting to false might give you a slight speedup and block ads. But it could cause other issues.
    91 define ('WEBSHOT_JAVA_ON', false);          //Have only tested this as fase
    92 define ('WEBSHOT_PLUGINS_ON', true);            //Enable flash and other plugins
    93 define ('WEBSHOT_PROXY', '');               //In case you're behind a proxy server.
    94 define ('WEBSHOT_XVFB_RUNNING', false);         //ADVANCED: Enable this if you've got Xvfb running in the background.
    95 
    96 
    97 // If ALLOW_EXTERNAL is true and ALLOW_ALL_EXTERNAL_SITES is false, then external images will only be fetched from these domains and their subdomains.
    98 $ALLOWED_SITES = array (
     72    -------====Website Screenshots configuration - BETA====-------
     73   
     74    If you just want image thumbnails and don't want website screenshots, you can safely leave this as is. 
     75   
     76    If you would like to get website screenshots set up, you will need root access to your own server.
     77
     78    Enable ALLOW_ALL_EXTERNAL_SITES so you can fetch any external web page. This is more secure now that we're using a non-web folder for cache.
     79    Enable BLOCK_EXTERNAL_LEECHERS so that your site doesn't generate thumbnails for the whole Internet.
     80
     81    Instructions to get website screenshots enabled on Ubuntu Linux:
     82
     83    1. Install Xvfb with the following command: sudo apt-get install subversion libqt4-webkit libqt4-dev g++ xvfb
     84    2. Go to a directory where you can download some code
     85    3. Check-out the latest version of CutyCapt with the following command: svn co https://cutycapt.svn.sourceforge.net/svnroot/cutycapt
     86    4. Compile CutyCapt by doing: cd cutycapt/CutyCapt
     87    5. qmake
     88    6. make
     89    7. cp CutyCapt /usr/local/bin/
     90    8. Test it by running: xvfb-run --server-args="-screen 0, 1024x768x24" CutyCapt --url="http://markmaunder.com/" --out=test.png
     91    9. If you get a file called test.png with something in it, it probably worked. Now test the script by accessing it as follows:
     92    10. http://yoursite.com/path/to/timthumb.php?src=http://markmaunder.com/&webshot=1
     93
     94    Notes on performance:
     95    The first time a webshot loads, it will take a few seconds.
     96    From then on it uses the regular timthumb caching mechanism with the configurable options above
     97    and loading will be very fast.
     98
     99    --ADVANCED USERS ONLY--
     100    If you'd like a slight speedup (about 25%) and you know Linux, you can run the following command which will keep Xvfb running in the background.
     101    nohup Xvfb :100 -ac -nolisten tcp -screen 0, 1024x768x24 > /dev/null 2>&1 &
     102    Then set WEBSHOT_XVFB_RUNNING = true below. This will save your server having to fire off a new Xvfb server and shut it down every time a new shot is generated.
     103    You will need to take responsibility for keeping Xvfb running in case it crashes. (It seems pretty stable)
     104    You will also need to take responsibility for server security if you're running Xvfb as root.
     105
     106
     107*/
     108if(! defined('WEBSHOT_ENABLED') )   define ('WEBSHOT_ENABLED', false);          //Beta feature. Adding webshot=1 to your query string will cause the script to return a browser screenshot rather than try to fetch an image.
     109if(! defined('WEBSHOT_CUTYCAPT') )  define ('WEBSHOT_CUTYCAPT', '/usr/local/bin/CutyCapt'); //The path to CutyCapt.
     110if(! defined('WEBSHOT_XVFB') )      define ('WEBSHOT_XVFB', '/usr/bin/xvfb-run');       //The path to the Xvfb server
     111if(! defined('WEBSHOT_SCREEN_X') )  define ('WEBSHOT_SCREEN_X', '1024');            //1024 works ok
     112if(! defined('WEBSHOT_SCREEN_Y') )  define ('WEBSHOT_SCREEN_Y', '768');         //768 works ok
     113if(! defined('WEBSHOT_COLOR_DEPTH') )   define ('WEBSHOT_COLOR_DEPTH', '24');           //I haven't tested anything besides 24
     114if(! defined('WEBSHOT_IMAGE_FORMAT') )  define ('WEBSHOT_IMAGE_FORMAT', 'png');         //png is about 2.5 times the size of jpg but is a LOT better quality
     115if(! defined('WEBSHOT_TIMEOUT') )   define ('WEBSHOT_TIMEOUT', '20');           //Seconds to wait for a webshot
     116if(! defined('WEBSHOT_USER_AGENT') )    define ('WEBSHOT_USER_AGENT', "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18"); //I hate to do this, but a non-browser robot user agent might not show what humans see. So we pretend to be Firefox
     117if(! defined('WEBSHOT_JAVASCRIPT_ON') ) define ('WEBSHOT_JAVASCRIPT_ON', true);         //Setting to false might give you a slight speedup and block ads. But it could cause other issues.
     118if(! defined('WEBSHOT_JAVA_ON') )   define ('WEBSHOT_JAVA_ON', false);          //Have only tested this as fase
     119if(! defined('WEBSHOT_PLUGINS_ON') )    define ('WEBSHOT_PLUGINS_ON', true);            //Enable flash and other plugins
     120if(! defined('WEBSHOT_PROXY') )     define ('WEBSHOT_PROXY', '');               //In case you're behind a proxy server.
     121if(! defined('WEBSHOT_XVFB_RUNNING') )  define ('WEBSHOT_XVFB_RUNNING', false);         //ADVANCED: Enable this if you've got Xvfb running in the background.
     122
     123
     124// If ALLOW_EXTERNAL is true and ALLOW_ALL_EXTERNAL_SITES is false, then external images will only be fetched from these domains and their subdomains.
     125if(! isset($ALLOWED_SITES)){
     126    $ALLOWED_SITES = array (
    99127        'flickr.com',
     128        'staticflickr.com',
    100129        'picasa.com',
    101130        'img.youtube.com',
     
    104133        'imgur.com',
    105134        'imageshack.us',
    106         'tinypic.com'
    107 );
     135        'tinypic.com',
     136    );
     137}
    108138// -------------------------------------------------------------
    109139// -------------- STOP EDITING CONFIGURATION HERE --------------
     
    114144class timthumb {
    115145    protected $src = "";
     146    protected $is404 = false;
    116147    protected $docRoot = "";
    117148    protected $lastURLError = false;
     
    127158    protected $startTime = 0;
    128159    protected $lastBenchTime = 0;
    129     protected $isOwnHost = false;
    130160    protected $cropTop = false;
    131161    protected $salt = "";
     
    153183        global $ALLOWED_SITES;
    154184        $this->startTime = microtime(true);
     185        date_default_timezone_set('UTC');
    155186        $this->debug(1, "Starting new request from " . $this->getIP() . " to " . $_SERVER['REQUEST_URI']);
    156187        $this->calcDocRoot();
     
    167198            }
    168199            $this->cacheDirectory = FILE_CACHE_DIRECTORY;
    169             touch($this->cacheDirectory . '/index.php');
    170             touch($this->cacheDirectory . '/index.html');
     200            if (!touch($this->cacheDirectory . '/index.html')) {
     201                $this->error("Could not create the index.html file - to fix this create an empty file named index.html file in the cache directory.");
     202            }
    171203        } else {
    172204            $this->cacheDirectory = sys_get_temp_dir();
    173205        }
    174         //Clean the cache before we do anything because we don't want the first visitor after FILE_CACHE_TIME_BETWEEN_CLEANS expires to get a stale image.
     206        //Clean the cache before we do anything because we don't want the first visitor after FILE_CACHE_TIME_BETWEEN_CLEANS expires to get a stale image. 
    175207        $this->cleanCache();
    176 
     208       
    177209        $this->myHost = preg_replace('/^www\./i', '', $_SERVER['HTTP_HOST']);
    178210        $this->src = $this->param('src');
    179211        $this->url = parse_url($this->src);
     212        $this->src = preg_replace('/https?:\/\/(?:www\.)?' . $this->myHost . '/i', '', $this->src);
     213       
    180214        if(strlen($this->src) <= 3){
    181215            $this->error("No image specified");
     
    183217        }
    184218        if(BLOCK_EXTERNAL_LEECHERS && array_key_exists('HTTP_REFERER', $_SERVER) && (! preg_match('/^https?:\/\/(?:www\.)?' . $this->myHost . '(?:$|\/)/i', $_SERVER['HTTP_REFERER']))){
     219            // base64 encoded red image that says 'no hotlinkers'
     220            // nothing to worry about! :)
    185221            $imgData = base64_decode("R0lGODlhUAAMAIAAAP8AAP///yH5BAAHAP8ALAAAAABQAAwAAAJpjI+py+0Po5y0OgAMjjv01YUZ\nOGplhWXfNa6JCLnWkXplrcBmW+spbwvaVr/cDyg7IoFC2KbYVC2NQ5MQ4ZNao9Ynzjl9ScNYpneb\nDULB3RP6JuPuaGfuuV4fumf8PuvqFyhYtjdoeFgAADs=");
    186222            header('Content-Type: image/gif');
     
    193229            exit(0);
    194230        }
    195         if(preg_match('/https?:\/\/(?:www\.)?' . $this->myHost . '(?:$|\/)/i', $this->src)){
    196             $this->isOwnHost = true;
    197         }
    198231        if(preg_match('/^https?:\/\/[^\/]+/i', $this->src)){
    199232            $this->debug(2, "Is a request for an external URL: " . $this->src);
     
    207240        }
    208241        if($this->isURL){
    209             if(ALLOW_ALL_EXTERNAL_SITES || $this->isOwnHost){
    210                 $this->debug(2, "Fetching from all external sites is enabled or this is our own server.");
     242            if(ALLOW_ALL_EXTERNAL_SITES){
     243                $this->debug(2, "Fetching from all external sites is enabled.");
    211244            } else {
    212245                $this->debug(2, "Fetching only from selected external sites is enabled.");
    213246                $allowed = false;
    214247                foreach($ALLOWED_SITES as $site){
    215                     if (preg_match ('/(?:^|\.)' . $site . '$/i', $this->url['host'])) {
     248                    if ((strtolower(substr($this->url['host'],-strlen($site)-1)) === strtolower(".$site")) || (strtolower($this->url['host'])===strtolower($site))) {
    216249                        $this->debug(3, "URL hostname {$this->url['host']} matches $site so allowing.");
    217250                        $allowed = true;
     
    224257        }
    225258
    226         $cachePrefix = ($this->isURL ? 'timthumb_ext_' : 'timthumb_int_');
     259        $cachePrefix = ($this->isURL ? '_ext_' : '_int_');
    227260        if($this->isURL){
    228             $this->cachefile = $this->cacheDirectory . '/' . $cachePrefix . md5($this->salt . $_SERVER ['QUERY_STRING'] . $this->fileCacheVersion) . FILE_CACHE_SUFFIX;
     261            $arr = explode('&', $_SERVER ['QUERY_STRING']);
     262            asort($arr);
     263            $this->cachefile = $this->cacheDirectory . '/' . FILE_CACHE_PREFIX . $cachePrefix . md5($this->salt . implode('', $arr) . $this->fileCacheVersion) . FILE_CACHE_SUFFIX;
    229264        } else {
    230265            $this->localImage = $this->getLocalImagePath($this->src);
    231266            if(! $this->localImage){
     267                $this->debug(1, "Could not find the local image: {$this->localImage}");
    232268                $this->error("Could not find the internal image you specified.");
     269                $this->set404();
    233270                return false;
    234271            }
     
    236273            $this->localImageMTime = @filemtime($this->localImage);
    237274            //We include the mtime of the local file in case in changes on disk.
    238             $this->cachefile = $this->cacheDirectory . '/' . $cachePrefix . md5($this->salt . $this->localImageMTime . $_SERVER ['QUERY_STRING'] . $this->fileCacheVersion) . FILE_CACHE_SUFFIX;
     275            $this->cachefile = $this->cacheDirectory . '/' . FILE_CACHE_PREFIX . $cachePrefix . md5($this->salt . $this->localImageMTime . $_SERVER ['QUERY_STRING'] . $this->fileCacheVersion) . FILE_CACHE_SUFFIX;
    239276        }
    240277        $this->debug(2, "Cache file is: " . $this->cachefile);
     
    266303                $this->debug(3, "webshot is NOT set so we're going to try to fetch a regular image.");
    267304                $this->serveExternalImage();
     305
    268306            }
    269307        } else {
     
    274312    }
    275313    protected function handleErrors(){
    276         if($this->haveErrors()){
    277             $this->serveErrors();
    278             exit(0);
     314        if($this->haveErrors()){
     315            if(NOT_FOUND_IMAGE && $this->is404()){
     316                if($this->serveImg(NOT_FOUND_IMAGE)){
     317                    exit(0);
     318                } else {
     319                    $this->error("Additionally, the 404 image that is configured could not be found or there was an error serving it.");
     320                }
     321            }
     322            if(ERROR_IMAGE){
     323                if($this->serveImg(ERROR_IMAGE)){
     324                    exit(0);
     325                } else {
     326                    $this->error("Additionally, the error image that is configured could not be found or there was an error serving it.");
     327                }
     328            }
     329            $this->serveErrors();
     330            exit(0);
    279331        }
    280332        return false;
     
    310362            } else { //Otherwise serve a 304
    311363                $this->debug(3, "File has not been modified since last get, so serving a 304.");
    312                 header ('HTTP/1.1 304 Not Modified');
     364                header ($_SERVER['SERVER_PROTOCOL'] . ' 304 Not Modified');
    313365                $this->debug(1, "Returning 304 not modified");
    314366                return true;
     
    332384                    } else {
    333385                        $this->debug(3, "Empty cachefile is still fresh so returning message saying we had an error fetching this image from remote host.");
     386                        $this->set404();
    334387                        $this->error("An error occured fetching image.");
    335                         return false;
     388                        return false; 
    336389                    }
    337390                }
     
    363416    }
    364417    protected function serveErrors(){
     418        header ($_SERVER['SERVER_PROTOCOL'] . ' 400 Bad Request');
    365419        $html = '<ul>';
    366420        foreach($this->errors as $err){
     
    368422        }
    369423        $html .= '</ul>';
    370         header ('HTTP/1.1 400 Bad Request');
    371424        echo '<h1>A TimThumb error has occured</h1>The following error(s) occured:<br />' . $html . '<br />';
    372425        echo '<br />Query String : ' . htmlentities ($_SERVER['QUERY_STRING']);
     
    392445            $this->serveCacheFile();
    393446            return true;
    394         } else {
     447        } else { 
    395448            return false;
    396449        }
    397450    }
    398451    protected function cleanCache(){
     452        if (FILE_CACHE_TIME_BETWEEN_CLEANS < 0) {
     453            return;
     454        }
    399455        $this->debug(3, "cleanCache() called");
    400456        $lastCleanFile = $this->cacheDirectory . '/timthumb_cacheLastCleanTime.touch';
    401 
     457       
    402458        //If this is a new timthumb installation we need to create the file
    403459        if(! is_file($lastCleanFile)){
    404460            $this->debug(1, "File tracking last clean doesn't exist. Creating $lastCleanFile");
    405             touch($lastCleanFile);
     461            if (!touch($lastCleanFile)) {
     462                $this->error("Could not create cache clean timestamp file.");
     463            }
    406464            return;
    407465        }
     
    409467            $this->debug(1, "Cache was last cleaned more than " . FILE_CACHE_TIME_BETWEEN_CLEANS . " seconds ago. Cleaning now.");
    410468            // Very slight race condition here, but worst case we'll have 2 or 3 servers cleaning the cache simultaneously once a day.
    411             touch($lastCleanFile);
     469            if (!touch($lastCleanFile)) {
     470                $this->error("Could not create cache clean timestamp file.");
     471            }
    412472            $files = glob($this->cacheDirectory . '/*' . FILE_CACHE_SUFFIX);
    413             $timeAgo = time() - FILE_CACHE_MAX_FILE_AGE;
    414             foreach($files as $file){
    415                 if(@filemtime($file) < $timeAgo){
    416                     $this->debug(3, "Deleting cache file $file older than max age: " . FILE_CACHE_MAX_FILE_AGE . " seconds");
    417                     @unlink($file);
     473            if ($files) {
     474                $timeAgo = time() - FILE_CACHE_MAX_FILE_AGE;
     475                foreach($files as $file){
     476                    if(@filemtime($file) < $timeAgo){
     477                        $this->debug(3, "Deleting cache file $file older than max age: " . FILE_CACHE_MAX_FILE_AGE . " seconds");
     478                        @unlink($file);
     479                    }
    418480                }
    419481            }
     
    425487    }
    426488    protected function processImageAndWriteToCache($localImage){
    427         $mimeType = $this->getMimeType($localImage);
     489        $sData = getimagesize($localImage);
     490        $origType = $sData[2];
     491        $mimeType = $sData['mime'];
     492
    428493        $this->debug(3, "Mime type of image is $mimeType");
    429494        if(! preg_match('/^image\/(?:gif|jpg|jpeg|png)$/i', $mimeType)){
     
    432497
    433498        if (!function_exists ('imagecreatetruecolor')) {
    434             return $this->error('GD Library Error: imagecreatetruecolor does not exist - please contact your webhost and ask them to install the GD library');
     499            return $this->error('GD Library Error: imagecreatetruecolor does not exist - please contact your webhost and ask them to install the GD library');
    435500        }
    436501
    437502        if (function_exists ('imagefilter') && defined ('IMG_FILTER_NEGATE')) {
    438503            $imageFilters = array (
    439             1 => array (IMG_FILTER_NEGATE, 0),
    440             2 => array (IMG_FILTER_GRAYSCALE, 0),
    441             3 => array (IMG_FILTER_BRIGHTNESS, 1),
    442             4 => array (IMG_FILTER_CONTRAST, 1),
    443             5 => array (IMG_FILTER_COLORIZE, 4),
    444             6 => array (IMG_FILTER_EDGEDETECT, 0),
    445             7 => array (IMG_FILTER_EMBOSS, 0),
    446             8 => array (IMG_FILTER_GAUSSIAN_BLUR, 0),
    447             9 => array (IMG_FILTER_SELECTIVE_BLUR, 0),
    448             10 => array (IMG_FILTER_MEAN_REMOVAL, 0),
    449             11 => array (IMG_FILTER_SMOOTH, 0),
     504                1 => array (IMG_FILTER_NEGATE, 0),
     505                2 => array (IMG_FILTER_GRAYSCALE, 0),
     506                3 => array (IMG_FILTER_BRIGHTNESS, 1),
     507                4 => array (IMG_FILTER_CONTRAST, 1),
     508                5 => array (IMG_FILTER_COLORIZE, 4),
     509                6 => array (IMG_FILTER_EDGEDETECT, 0),
     510                7 => array (IMG_FILTER_EMBOSS, 0),
     511                8 => array (IMG_FILTER_GAUSSIAN_BLUR, 0),
     512                9 => array (IMG_FILTER_SELECTIVE_BLUR, 0),
     513                10 => array (IMG_FILTER_MEAN_REMOVAL, 0),
     514                11 => array (IMG_FILTER_SMOOTH, 0),
    450515            );
    451516        }
    452517
    453         // get standard input properties
     518        // get standard input properties       
    454519        $new_width =  (int) abs ($this->param('w', 0));
    455520        $new_height = (int) abs ($this->param('h', 0));
    456         $zoom_crop = (int) $this->param('zc', 1);
    457         $quality = (int) abs ($this->param('q', 90));
     521        $zoom_crop = (int) $this->param('zc', DEFAULT_ZC);
     522        $quality = (int) abs ($this->param('q', DEFAULT_Q));
    458523        $align = $this->cropTop ? 't' : $this->param('a', 'c');
    459         $filters = $this->param('f', '');
    460         $sharpen = (bool) $this->param('s', 0);
    461         $canvas_color = $this->param('cc', 'ffffff');
     524        $filters = $this->param('f', DEFAULT_F);
     525        $sharpen = (bool) $this->param('s', DEFAULT_S);
     526        $canvas_color = $this->param('cc', DEFAULT_CC);
     527        $canvas_trans = (bool) $this->param('ct', '1');
    462528
    463529        // set default width and height if neither are set already
    464530        if ($new_width == 0 && $new_height == 0) {
    465             $new_width = 100;
    466             $new_height = 100;
     531            $new_width = 100;
     532            $new_height = 100;
    467533        }
    468534
     
    510576        imagealphablending ($canvas, false);
    511577
    512         if (strlen ($canvas_color) < 6) {
    513             $canvas_color = 'ffffff';
    514         }
     578        if (strlen($canvas_color) == 3) { //if is 3-char notation, edit string into 6-char notation
     579            $canvas_color =  str_repeat(substr($canvas_color, 0, 1), 2) . str_repeat(substr($canvas_color, 1, 1), 2) . str_repeat(substr($canvas_color, 2, 1), 2);
     580        } else if (strlen($canvas_color) != 6) {
     581            $canvas_color = DEFAULT_CC; // on error return default canvas color
     582        }
    515583
    516584        $canvas_color_R = hexdec (substr ($canvas_color, 0, 2));
    517585        $canvas_color_G = hexdec (substr ($canvas_color, 2, 2));
    518         $canvas_color_B = hexdec (substr ($canvas_color, 2, 2));
     586        $canvas_color_B = hexdec (substr ($canvas_color, 4, 2));
    519587
    520588        // Create a new transparent color for image
    521         $color = imagecolorallocatealpha ($canvas, $canvas_color_R, $canvas_color_G, $canvas_color_B, 127);
     589        // If is a png and PNG_IS_TRANSPARENT is false then remove the alpha transparency
     590        // (and if is set a canvas color show it in the background)
     591        if(preg_match('/^image\/png$/i', $mimeType) && !PNG_IS_TRANSPARENT && $canvas_trans){
     592            $color = imagecolorallocatealpha ($canvas, $canvas_color_R, $canvas_color_G, $canvas_color_B, 127);     
     593        }else{
     594            $color = imagecolorallocatealpha ($canvas, $canvas_color_R, $canvas_color_G, $canvas_color_B, 0);
     595        }
     596
    522597
    523598        // Completely fill the background of the new image with allocated color.
     
    647722
    648723            $sharpenMatrix = array (
    649             array (-1,-1,-1),
    650             array (-1,16,-1),
    651             array (-1,-1,-1),
    652             );
     724                    array (-1,-1,-1),
     725                    array (-1,16,-1),
     726                    array (-1,-1,-1),
     727                    );
    653728
    654729            $divisor = 8;
     
    658733
    659734        }
     735        //Straight from Wordpress core code. Reduces filesize by up to 70% for PNG's
     736        if ( (IMAGETYPE_PNG == $origType || IMAGETYPE_GIF == $origType) && function_exists('imageistruecolor') && !imageistruecolor( $image ) && imagecolortransparent( $image ) > 0 ){
     737            imagetruecolortopalette( $canvas, false, imagecolorstotal( $image ) );
     738        }
     739
    660740        $imgType = "";
    661741        $tempfile = tempnam($this->cacheDirectory, 'timthumb_tmpimg_');
    662         if(preg_match('/^image\/(?:jpg|jpeg)$/i', $mimeType)){
     742        if(preg_match('/^image\/(?:jpg|jpeg)$/i', $mimeType)){ 
    663743            $imgType = 'jpg';
    664             imagejpeg($canvas, $tempfile, $quality);
    665         } else if(preg_match('/^image\/png$/i', $mimeType)){
     744            imagejpeg($canvas, $tempfile, $quality); 
     745        } else if(preg_match('/^image\/png$/i', $mimeType)){ 
    666746            $imgType = 'png';
    667747            imagepng($canvas, $tempfile, floor($quality * 0.09));
    668748        } else if(preg_match('/^image\/gif$/i', $mimeType)){
    669749            $imgType = 'gif';
    670             imagepng($canvas, $tempfile, floor($quality * 0.09));
     750            imagegif($canvas, $tempfile);
    671751        } else {
    672752            return $this->sanityFail("Could not match mime type after verifying it previously.");
    673753        }
    674754
    675         if( OPTIPNG_PATH && @is_file(OPTIPNG_PATH)){
     755        if($imgType == 'png' && OPTIPNG_ENABLED && OPTIPNG_PATH && @is_file(OPTIPNG_PATH)){
    676756            $exec = OPTIPNG_PATH;
    677757            $this->debug(3, "optipng'ing $tempfile");
     
    688768                $this->debug(1, "optipng did not change image size.");
    689769            }
    690         } else if(PNGCRUSH_PATH && @is_file(PNGCRUSH_PATH)){
     770        } else if($imgType == 'png' && PNGCRUSH_ENABLED && PNGCRUSH_PATH && @is_file(PNGCRUSH_PATH)){
    691771            $exec = PNGCRUSH_PATH;
    692772            $tempfile2 = tempnam($this->cacheDirectory, 'timthumb_tmpimg_');
     
    715795        $context = stream_context_create ();
    716796        $fp = fopen($tempfile,'r',0,$context);
    717         file_put_contents($tempfile4, $this->filePrependSecurityBlock . $imgType . ' ?' . '>'); //6 extra bytes, first 3 being image type
     797        file_put_contents($tempfile4, $this->filePrependSecurityBlock . $imgType . ' ?' . '>'); //6 extra bytes, first 3 being image type 
    718798        file_put_contents($tempfile4, $fp, FILE_APPEND);
    719799        fclose($fp);
     
    739819        $this->debug(3, "Done image replace with security header. Cleaning up and running cleanCache()");
    740820        imagedestroy($canvas);
     821        imagedestroy($image);
    741822        return true;
    742823    }
    743824    protected function calcDocRoot(){
    744825        $docRoot = @$_SERVER['DOCUMENT_ROOT'];
    745         if(!isset($docRoot)){
     826        if (defined('LOCAL_FILE_BASE_DIRECTORY')) {
     827            $docRoot = LOCAL_FILE_BASE_DIRECTORY;   
     828        }
     829        if(!isset($docRoot)){
    746830            $this->debug(3, "DOCUMENT_ROOT is not set. This is probably windows. Starting search 1.");
    747831            if(isset($_SERVER['SCRIPT_FILENAME'])){
    748832                $docRoot = str_replace( '\\', '/', substr($_SERVER['SCRIPT_FILENAME'], 0, 0-strlen($_SERVER['PHP_SELF'])));
    749833                $this->debug(3, "Generated docRoot using SCRIPT_FILENAME and PHP_SELF as: $docRoot");
    750             }
    751         }
    752         if(!isset($docRoot)){
     834            } 
     835        }
     836        if(!isset($docRoot)){ 
    753837            $this->debug(3, "DOCUMENT_ROOT still is not set. Starting search 2.");
    754838            if(isset($_SERVER['PATH_TRANSLATED'])){
    755839                $docRoot = str_replace( '\\', '/', substr(str_replace('\\\\', '\\', $_SERVER['PATH_TRANSLATED']), 0, 0-strlen($_SERVER['PHP_SELF'])));
    756840                $this->debug(3, "Generated docRoot using PATH_TRANSLATED and PHP_SELF as: $docRoot");
    757             }
    758         }
    759         if($docRoot){ $docRoot = preg_replace('/\/$/', '', $docRoot); }
     841            } 
     842        }
     843        if($docRoot && $_SERVER['DOCUMENT_ROOT'] != '/'){ $docRoot = preg_replace('/\/$/', '', $docRoot); }
    760844        $this->debug(3, "Doc root is: " . $docRoot);
    761845        $this->docRoot = $docRoot;
     
    763847    }
    764848    protected function getLocalImagePath($src){
    765         $src = preg_replace('/^\//', '', $src); //strip off the leading '/'
    766 
     849        $src = ltrim($src, '/'); //strip off the leading '/'
    767850        if(! $this->docRoot){
    768851            $this->debug(3, "We have no document root set, so as a last resort, lets check if the image is in the current dir and serve that.");
     
    770853            $file = preg_replace('/^.*?([^\/\\\\]+)$/', '$1', $src); //strip off any path info and just leave the filename.
    771854            if(is_file($file)){
    772                 return realpath($file);
     855                return $this->realpath($file);
    773856            }
    774857            return $this->error("Could not find your website document root and the file specified doesn't exist in timthumbs directory. We don't support serving files outside timthumb's directory without a document root for security reasons.");
    775         }
    776 
    777         if (file_exists ($this->docRoot . '/' . $src)) {
     858        } //Do not go past this point without docRoot set
     859
     860        //Try src under docRoot
     861        if(file_exists ($this->docRoot . '/' . $src)) {
    778862            $this->debug(3, "Found file as " . $this->docRoot . '/' . $src);
    779             $real = realpath($this->docRoot . '/' . $src);
    780             if(strpos($real, $this->docRoot) !== 0){
     863            $real = $this->realpath($this->docRoot . '/' . $src);
     864            if(stripos($real, $this->docRoot) === 0){
     865                return $real;
     866            } else {
    781867                $this->debug(1, "Security block: The file specified occurs outside the document root.");
    782                 return false;
    783             }
    784             return $real;
    785         }
     868                //allow search to continue
     869            }
     870        }
     871        //Check absolute paths and then verify the real path is under doc root
     872        $absolute = $this->realpath('/' . $src);
     873        if($absolute && file_exists($absolute)){ //realpath does file_exists check, so can probably skip the exists check here
     874            $this->debug(3, "Found absolute path: $absolute");
     875            if(! $this->docRoot){ $this->sanityFail("docRoot not set when checking absolute path."); }
     876            if(stripos($absolute, $this->docRoot) === 0){
     877                return $absolute;
     878            } else {
     879                $this->debug(1, "Security block: The file specified occurs outside the document root.");
     880                //and continue search
     881            }
     882        }
     883       
    786884        $base = $this->docRoot;
    787         foreach (explode('/', str_replace($this->docRoot, '', $_SERVER['SCRIPT_FILENAME'])) as $sub){
     885       
     886        // account for Windows directory structure
     887        if (strstr($_SERVER['SCRIPT_FILENAME'],':')) {
     888            $sub_directories = explode('\\', str_replace($this->docRoot, '', $_SERVER['SCRIPT_FILENAME']));
     889        } else {
     890            $sub_directories = explode('/', str_replace($this->docRoot, '', $_SERVER['SCRIPT_FILENAME']));
     891        }
     892
     893        foreach ($sub_directories as $sub){
    788894            $base .= $sub . '/';
    789895            $this->debug(3, "Trying file as: " . $base . $src);
    790896            if(file_exists($base . $src)){
    791897                $this->debug(3, "Found file as: " . $base . $src);
    792                 $real = realpath($base . $src);
    793                 if(strpos($real, $this->docRoot) !== 0){
     898                $real = $this->realpath($base . $src);
     899                if(stripos($real, $this->realpath($this->docRoot)) === 0){
     900                    return $real;
     901                } else {
    794902                    $this->debug(1, "Security block: The file specified occurs outside the document root.");
    795                     return false;
    796                 }
    797                 return $real;
     903                    //And continue search
     904                }
    798905            }
    799906        }
    800907        return false;
     908    }
     909    protected function realpath($path){
     910        //try to remove any relative paths
     911        $remove_relatives = '/\w+\/\.\.\//';
     912        while(preg_match($remove_relatives,$path)){
     913            $path = preg_replace($remove_relatives, '', $path);
     914        }
     915        //if any remain use PHP realpath to strip them out, otherwise return $path
     916        //if using realpath, any symlinks will also be resolved
     917        return preg_match('#^\.\./|/\.\./#', $path) ? realpath($path) : $path;
    801918    }
    802919    protected function toDelete($name){
     
    831948        }
    832949        $url = preg_replace('/[^A-Za-z0-9\-\.\_\~:\/\?\#\[\]\@\!\$\&\'\(\)\*\+\,\;\=]+/', '', $url); //RFC 3986
    833         //Very important we don't allow injection of shell commands here. URL is between quotes and we are only allowing through chars allowed by a the RFC
    834         // which AFAIKT can't be used for shell injection.
     950        //Very important we don't allow injection of shell commands here. URL is between quotes and we are only allowing through chars allowed by a the RFC 
     951        // which AFAIKT can't be used for shell injection. 
    835952        if(WEBSHOT_XVFB_RUNNING){
    836953            putenv('DISPLAY=:100.0');
     
    843960        $this->debug(3, "Received output: $out");
    844961        if(! is_file($tempfile)){
     962            $this->set404();
    845963            return $this->error("The command to create a thumbnail failed.");
    846964        }
     
    9281046    }
    9291047    protected function sendImageHeaders($mimeType, $dataSize){
     1048        if(! preg_match('/^image\//i', $mimeType)){
     1049            $mimeType = 'image/' . $mimeType;
     1050        }
     1051        if(strtolower($mimeType) == 'image/jpg'){
     1052            $mimeType = 'image/jpeg';
     1053        }
    9301054        $gmdate_expires = gmdate ('D, d M Y H:i:s', strtotime ('now +10 days')) . ' GMT';
    9311055        $gmdate_modified = gmdate ('D, d M Y H:i:s') . ' GMT';
     
    9581082    protected function openImage($mimeType, $src){
    9591083        switch ($mimeType) {
    960             case 'image/jpg':
    961                 $image = imagecreatefromjpeg ($src);
    962                 break;
    9631084            case 'image/jpeg':
    9641085                $image = imagecreatefromjpeg ($src);
     
    9721093                $image = imagecreatefromgif ($src);
    9731094                break;
     1095           
     1096            default:
     1097                $this->error("Unrecognised mimeType");
    9741098        }
    9751099
     
    9801104        $ff = @$_SERVER["HTTP_X_FORWARDED_FOR"];
    9811105        $ci = @$_SERVER["HTTP_CLIENT_IP"];
    982         if(preg_match('/^(?:192\.168|172\.16|10\.|127\.)/', $rem)){
     1106        if(preg_match('/^(?:192\.168|172\.16|10\.|127\.)/', $rem)){ 
    9831107            if($ff){ return $ff; }
    9841108            if($ci){ return $ci; }
     
    10031127    }
    10041128    protected function sanityFail($msg){
    1005         return $this->error("There is a problem in the timthumb code. Message: $msg Please report this error at <a href='http://code.google.com/p/timthumb/issues/list'>timthumb's bug tracking page</a>.");
     1129        return $this->error("There is a problem in the timthumb code. Message: Please report this error at <a href='http://code.google.com/p/timthumb/issues/list'>timthumb's bug tracking page</a>: $msg");
    10061130    }
    10071131    protected function getMimeType($file){
     
    10531177            @curl_setopt ($curl, CURLOPT_FOLLOWLOCATION, true);
    10541178            @curl_setopt ($curl, CURLOPT_MAXREDIRS, 10);
    1055                
     1179           
    10561180            $curlResult = curl_exec($curl);
    10571181            fclose(self::$curlFH);
    1058 
     1182            $httpStatus = curl_getinfo($curl, CURLINFO_HTTP_CODE);
     1183            if($httpStatus == 404){
     1184                $this->set404();
     1185            }
    10591186            if($curlResult){
    10601187                curl_close($curl);
     
    10681195            $img = @file_get_contents ($url);
    10691196            if($img === false){
    1070                 $this->lastURLError = error_get_last();
     1197                $err = error_get_last();
     1198                if(is_array($err) && $err['message']){
     1199                    $this->lastURLError = $err['message'];
     1200                } else {
     1201                    $this->lastURLError = $err;
     1202                }
     1203                if(preg_match('/404/', $this->lastURLError)){
     1204                    $this->set404();
     1205                }
     1206
    10711207                return false;
    10721208            }
     
    10791215
    10801216    }
     1217    protected function serveImg($file){
     1218        $s = getimagesize($file);
     1219        if(! ($s && $s['mime'])){
     1220            return false;
     1221        }
     1222        header ('Content-Type: ' . $s['mime']);
     1223        header ('Content-Length: ' . filesize($file) );
     1224        header ('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
     1225        header ("Pragma: no-cache");
     1226        $bytes = @readfile($file);
     1227        if($bytes > 0){
     1228            return true;
     1229        }
     1230        $content = @file_get_contents ($file);
     1231        if ($content != FALSE){
     1232            echo $content;
     1233            return true;
     1234        }
     1235        return false;
     1236
     1237    }
     1238    protected function set404(){
     1239        $this->is404 = true;
     1240    }
     1241    protected function is404(){
     1242        return $this->is404;
     1243    }
    10811244}
    1082 ?>
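--- a/zingiri-web-shop/trunk/fws/includes/checkout.inc.php
+++ b/zingiri-web-shop/trunk/fws/includes/checkout.inc.php
@@ -9,6 +9,6 @@
     if (!empty($_POST['paymentid'])) { $paymentid=intval($_POST['paymentid']); }
     elseif (!empty($_GET['paymentid'])) { $paymentid=intval($_GET['paymentid']); }
-    if (!empty($_POST['notes']))    { $notes=$_POST['notes']; }
-    elseif (!empty($_GET['notes']))    { $notes=$_GET['notes']; }
+    if (!empty($_POST['notes']))    { $notes=aphpsSanitize($_POST['notes']); }
+    elseif (!empty($_GET['notes']))    { $notes=aphpsSanitize($_GET['notes']); }
     else { $notes = ""; }
     if (!empty($_POST['discount_code']))    { $discount_code= stripslashes(htmlentities($_POST['discount_code'])); }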
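Review bot: The new `aphpsSanitize($_POST['notes'])` / `aphpsSanitize($_GET['notes'])` calls on lines 11–12 omit the type argument that the same commit passes elsewhere (`aphpsSanitize($_GET['page'],'string')` in zing.inc.php), so which filtering the default mode applies to a free-text field cannot be seen from this hunk; a one-line comment stating it would help, e.g. `// notes is free text: aphpsSanitize() default mode applies, escape again at each output/storage sink`. Input sanitisation does not replace context-specific handling where `$notes` is later echoed (htmlspecialchars with ENT_QUOTES) or stored (parameterised query), and the `discount_code` line directly below uses a different scheme (`stripslashes(htmlentities(...))`), so the two should be reconciled rather than left as two conventions side by side. The same default-mode call is made in fws/pages-front/onecheckout.php. The block enclosing this hunk begins and ends outside it.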
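--- a/zingiri-web-shop/trunk/fws/pages-front/onecheckout.php
+++ b/zingiri-web-shop/trunk/fws/pages-front/onecheckout.php
@@ -26,6 +26,6 @@
         }
         if (!empty($_POST['notes'])) {
-            $notes=$_POST['notes'];
+            $notes=aphpsSanitize($_POST['notes']);
         } else $notes='';
         if (!empty($_GET['prodid'])) {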
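--- a/zingiri-web-shop/trunk/local/init.inc.php
+++ b/zingiri-web-shop/trunk/local/init.inc.php
@@ -5,6 +5,5 @@
     define('ZING_WS_PRO',false);
 }
-if (!defined('ZING_VERSION')) define("ZING_VERSION","2.4.0");
-//if (!defined('APHPS_JSDIR')) define('APHPS_JSDIR','src');
+if (!defined('ZING_VERSION')) define("ZING_VERSION","2.4.2");
 global $aphps_projects;
 $aphps_projects['fws']=array('label'=>'Web Shop','dir'=>ZING_LOC.'fws/apps/','url'=>ZING_URL.'fws/apps/');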
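--- a/zingiri-web-shop/trunk/readme.txt
+++ b/zingiri-web-shop/trunk/readme.txt
@@ -5,5 +5,5 @@
 Requires at least: 2.1.7
 Tested up to: 3.3.1
-Stable tag: 2.4.0
+Stable tag: 2.4.2
 
 Zingiri Web Shop is a Wordpress plugin that adds fantastic ecommerce capabilities to a great content management system.
@@ -61,4 +61,10 @@
 == Changelog ==
 
+= 2.4.2 =
+* Fixed two security issues
+
+= 2.4.1 =
+* Updated timthumb to version 2.8.10
+
 = 2.4.0 =
 * Fixed issue with mandatory message showing on password field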
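--- a/zingiri-web-shop/trunk/zing.inc.php
+++ b/zingiri-web-shop/trunk/zing.inc.php
@@ -345,6 +345,5 @@
             if (isset($post)) $cf=get_post_custom();
             if (isset($_GET['page'])) {
-                $page=$_GET['page'];
-                //do nothing, page already set
+                $page=aphpsSanitize($_GET['page'],'string');
             }  elseif (isset($cf['zing_page'])) {
                 $page=$_GET['page']=$cf['zing_page'][0];
@@ -367,5 +366,5 @@
                 $_GET['cat']=$cf['cat'][0];
             }
-            if (!$page) $page=$_GET['page'];
+            if (!$page) $page=aphpsSanitize($_GET['page'],'string');
             $to_include="loadmain.php";
             break;
@@ -399,5 +398,5 @@
     } elseif ($to_include) {
         if (isset($prefix)) echo $prefix;
-        if ($process=='content' && $page!='ajax' && $page!='downldr') echo '<div class="zing_ws_page" id="zing_ws_'.$_GET['page'].'">';
+        if ($process=='content' && $page!='ajax' && $page!='downldr') echo '<div class="zing_ws_page" id="zing_ws_'.aphpsSanitize($_GET['page'],'string').'">';
         $aphps->doAction('content_before');
         include($scripts_dir.$to_include);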
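Review bot: New line 400 writes `$_GET['page']` into an HTML `id` attribute after `aphpsSanitize(...,'string')`, but whether that mode escapes quotes and angle brackets is not visible in this hunk; attribute context should be escaped at the output point regardless of what the input filter did, and `$page` (already sanitised on new lines 347 and 368) can be reused instead of reading the request a third time: `echo '<div class="zing_ws_page" id="zing_ws_'.htmlspecialchars($page, ENT_QUOTES, 'UTF-8').'">';`. The other source of `$page`, `$cf['zing_page'][0]` on line 349, is a post custom field that this change leaves as-is, which seems acceptable if custom fields are only editor-controlled but deserves a comment saying so. The switch and elseif structures these hunks sit in begin and end outside them.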
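--- a/zingiri-web-shop/trunk/zingiri_webshop.php
+++ b/zingiri-web-shop/trunk/zingiri_webshop.php
@@ -5,5 +5,5 @@
  Description: Zingiri Web Shop is a Wordpress plugin that adds fantastic ecommerce capabilities to a great content management system.
  Author: Zingiri
- Version: 2.4.0
+ Version: 2.4.2
  Author URI: http://www.zingiri.com/
  */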