authorrvelices <rv-github@modusoptimus.com>2008-09-12 02:17:35 +0000
committerrvelices <rv-github@modusoptimus.com>2008-09-12 02:17:35 +0000
commit4d86bb2234af3939f1e8add3633deaa425fe526e (patch)
treebfc5274c3fa9e427dc7407288173355e585a9080 /include
parent272113c4175992de5dee7fed77fa2ab9fdef2850 (diff)
- images.file categories.permalink old_permalinks.permalink - become binary
- session security improvement: now the sessions are valid only for the originating IP address (with mask 255.255.0.0 to allow users behind load balancing proxies) -> stealing the session cookie is almost a non-issue (with the exception of the 65536 machines in range) - metadata sync from the sync button does not overwrite valid data with empty metadata - other small fixes/enhancements: - added event get_category_image_orders - fix display issue with redirect.tpl (h1/h2 within h1) - fix known_script smarty function registration - query search form not submitted if q is empty - better admin css rules - some other minor changes (ws_core, rest_handler, functions_search...) git-svn-id: http://piwigo.org/svn/trunk@2521 68402e56-0260-453c-a942-63ccdbb3a9ee
Diffstat (limited to '')
-rw-r--r--include/functions.inc.php9
-rw-r--r--include/functions_category.inc.php9
-rw-r--r--include/functions_search.inc.php8
-rw-r--r--include/functions_session.inc.php13
-rw-r--r--include/page_header.php3
-rw-r--r--include/template.class.php2
-rw-r--r--include/ws_core.inc.php8
-rw-r--r--include/ws_protocols/rest_handler.php4
8 files changed, 32 insertions, 24 deletions
diff --git a/include/functions.inc.php b/include/functions.inc.php
index 5a22c475d..3dd62802e 100644
--- a/include/functions.inc.php
+++ b/include/functions.inc.php
@@ -747,13 +747,8 @@ function redirect_html( $url , $msg = '', $refresh_time = 0)
if (empty($msg))
{
- $redirect_msg = l10n('redirect_msg');
+ $msg = nl2br(l10n('redirect_msg'));
}
- else
- {
- $redirect_msg = $msg;
- }
- $redirect_msg = nl2br($redirect_msg);
$refresh = $refresh_time;
$url_link = $url;
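Review bot: `nl2br()` is now applied only to the fallback `l10n('redirect_msg')`, whereas the removed lines ran it over the caller-supplied `$msg` as well, so any caller that passes a multi-line message loses its line breaks in the new `$template->assign('REDIRECT_MSG', $msg)` of the next hunk. If that is not intended, the whole if/else collapses to `$msg = nl2br(empty($msg) ? l10n('redirect_msg') : $msg);`. Whether the template escapes `REDIRECT_MSG` or prints it raw cannot be seen here, so a one-line comment on the parameter saying that `$msg` is emitted as HTML would help callers; the body of redirect_html continues past this hunk.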
@@ -764,6 +759,8 @@ function redirect_html( $url , $msg = '', $refresh_time = 0)
include( PHPWG_ROOT_PATH.'include/page_header.php' );
$template->set_filenames( array( 'redirect' => 'redirect.tpl' ) );
+ $template->assign('REDIRECT_MSG', $msg);
+
$template->parse('redirect');
include( PHPWG_ROOT_PATH.'include/page_tail.php' );
diff --git a/include/functions_category.inc.php b/include/functions_category.inc.php
index 92e9cf229..77657b8b1 100644
--- a/include/functions_category.inc.php
+++ b/include/functions_category.inc.php
@@ -258,8 +258,9 @@ SELECT galleries_url
function get_category_preferred_image_orders()
{
global $conf, $page;
-
- return array(
+
+ return trigger_event('get_category_preferred_image_orders',
+ array(
array(l10n('default_sort'), '', true),
array(l10n('Average rate'), 'average_rate DESC', $conf['rate']),
array(l10n('most_visited_cat'), 'hit DESC', true),
@@ -269,9 +270,9 @@ function get_category_preferred_image_orders()
array(
l10n('Rank'),
'rank ASC',
- ('categories' == $page['section'] and !isset($page['flat']))
+ ('categories' == @$page['section'] and !isset($page['flat']))
)
- );
+ ));
}
function display_select_categories($categories,
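Review bot: `@$page['section']` on the changed line silences the undefined-index notice rather than testing for it, and the `@` also hides any other error raised while that expression is evaluated; `(isset($page['section']) and 'categories' == $page['section'] and !isset($page['flat']))` expresses the intent without suppression. The event fired in the first hunk is named `'get_category_preferred_image_orders'` while the commit message announces `get_category_image_orders` — one of the two should be corrected so plugin authors look for the right hook. A docblock on the function stating that event handlers receive, and must return, the list of `array(label, ORDER BY clause, enabled)` triples would make the contract explicit.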
diff --git a/include/functions_search.inc.php b/include/functions_search.inc.php
index a043f041c..2ec709936 100644
--- a/include/functions_search.inc.php
+++ b/include/functions_search.inc.php
@@ -352,6 +352,10 @@ function get_qsearch_like_clause($q, $field)
}
else
{
+ if ( strcspn($ch, '%_')==0)
+ {// escape LIKE specials %_
+ $ch = '\\'.$ch;
+ }
$crt_token .= $ch;
}
break;
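Review bot: The new escape tests `strcspn($ch, '%_')==0`, which is also true for an empty `$ch` and would then emit a lone backslash; `if ($ch == '%' or $ch == '_')` states the condition directly and cannot misfire that way. The same four lines are repeated in the second hunk of this file, so a tiny helper (e.g. `escape_like_char($ch)`) would keep both paths in step. The escaping relies on the database treating `\` as the LIKE escape character (MySQL's default unless NO_BACKSLASH_ESCAPES is in effect), so the clause that consumes `$crt_token` should ideally carry an explicit `ESCAPE '\\'`; whether a later string-escaping step doubles the backslash correctly cannot be judged from this hunk. get_qsearch_like_clause starts and ends outside the hunk.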
@@ -366,6 +370,10 @@ function get_qsearch_like_clause($q, $field)
$state=0;
break;
default:
+ if ( strcspn($ch, '%_')==0)
+ {// escape LIKE specials %_
+ $ch = '\\'.$ch;
+ }
$crt_token .= $ch;
}
break;
diff --git a/include/functions_session.inc.php b/include/functions_session.inc.php
index f17f2377a..dce1551ea 100644
--- a/include/functions_session.inc.php
+++ b/include/functions_session.inc.php
@@ -90,6 +90,11 @@ function pwg_session_close()
return true;
}
+function get_remote_addr_session_hash()
+{
+ return vsprintf( "%02X%02X", explode('.',$_SERVER['REMOTE_ADDR']) );
+}
+
/**
* this function returns
* a string corresponding to the value of the variable save in the session
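Review bot: `get_remote_addr_session_hash()` assumes a dotted IPv4 `REMOTE_ADDR`: for an IPv6 peer (no dots) or a missing or malformed value, `explode()` yields fewer than two elements and `vsprintf()` fails with a warning and returns false, so the prefix silently becomes empty for those clients while the id lookups in the four following hunks still build the key from it. Deriving the prefix with `ip2long()` produces the same four hex digits for IPv4 and a defined result otherwise; the constant fallback below means non-IPv4 clients get no address pinning at all, which is acceptable only as a deliberate choice and should be commented as such. A short docblock stating that only the first two octets (the /16 the commit message describes) take part would also help the next reader.

```php
/**
 * Returns the 4-hex-digit prefix that pins a session to the client's /16
 * (first two octets of REMOTE_ADDR); see the commit message for the rationale.
 */
function get_remote_addr_session_hash()
{
  $ip = isset($_SERVER['REMOTE_ADDR']) ? ip2long($_SERVER['REMOTE_ADDR']) : false;
  if ($ip === false)
  { // not IPv4 (e.g. IPv6) or no address: constant prefix, i.e. no pinning
    return '';
  }
  return sprintf('%04X', ($ip >> 16) & 0xFFFF);
}
```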
@@ -102,7 +107,7 @@ function pwg_session_read($session_id)
$query = '
SELECT data
FROM '.SESSIONS_TABLE.'
- WHERE id = \''.$session_id.'\'
+ WHERE id = \''.get_remote_addr_session_hash().$session_id.'\'
;';
$result = pwg_query($query);
if ($result)
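Review bot: The rewritten `WHERE id = \''.get_remote_addr_session_hash().$session_id.'\'` still interpolates `$session_id` into the query verbatim, and the same form appears in the write, insert and destroy hunks that follow; the id originates from the client cookie, so unless PHP's session layer or a caller already restricts it to the expected character set, validating it once at the top of each handler (`if (!preg_match('/^[a-zA-Z0-9,-]+$/', $session_id)) return false;` or equivalent) would close that gap. Also worth checking that the `id` column is wide enough for the four extra prefix characters, otherwise the stored and looked-up keys may be truncated differently. pwg_session_read continues outside the hunk.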
@@ -128,7 +133,7 @@ function pwg_session_write($session_id, $data)
UPDATE '.SESSIONS_TABLE.'
SET expiration = now(),
data = \''.$data.'\'
- WHERE id = \''.$session_id.'\'
+ WHERE id = \''.get_remote_addr_session_hash().$session_id.'\'
;';
pwg_query($query);
if ( mysql_affected_rows()>0 )
@@ -138,7 +143,7 @@ UPDATE '.SESSIONS_TABLE.'
$query = '
INSERT INTO '.SESSIONS_TABLE.'
(id,data,expiration)
- VALUES(\''.$session_id.'\',\''.$data.'\',now())
+ VALUES(\''.get_remote_addr_session_hash().$session_id.'\',\''.$data.'\',now())
;';
mysql_query($query);
return true;
@@ -154,7 +159,7 @@ function pwg_session_destroy($session_id)
$query = '
DELETE
FROM '.SESSIONS_TABLE.'
- WHERE id = \''.$session_id.'\'
+ WHERE id = \''.get_remote_addr_session_hash().$session_id.'\'
;';
pwg_query($query);
return true;
diff --git a/include/page_header.php b/include/page_header.php
index 102e2bdd8..629b45db3 100644
--- a/include/page_header.php
+++ b/include/page_header.php
@@ -69,11 +69,10 @@ if ( !empty($page['meta_robots']) )
// refresh
if ( isset( $refresh ) and intval($refresh) >= 0
- and isset( $url_link ) and isset( $redirect_msg ) )
+ and isset( $url_link ) )
{
$template->assign(
array(
- 'REDIRECT_MSG' => $redirect_msg,
'page_refresh' => array(
'TIME' => $refresh,
'U_REFRESH' => $url_link
diff --git a/include/template.class.php b/include/template.class.php
index 25389b8fa..777d4ddec 100644
--- a/include/template.class.php
+++ b/include/template.class.php
@@ -62,7 +62,7 @@ class Template {
$this->smarty->register_modifier( 'translate', array('Template', 'mod_translate') );
$this->smarty->register_modifier( 'explode', array('Template', 'mod_explode') );
$this->smarty->register_block('html_head', array(&$this, 'block_html_head') );
- $this->smarty->register_function('known_script', array(&$this, 'func_known_script'), false );
+ $this->smarty->register_function('known_script', array(&$this, 'func_known_script') );
$this->smarty->register_prefilter( array('Template', 'prefilter_white_space') );
if ( $conf['compiled_template_cache_language'] )
{
diff --git a/include/ws_core.inc.php b/include/ws_core.inc.php
index 0580d12d7..cc1c1c756 100644
--- a/include/ws_core.inc.php
+++ b/include/ws_core.inc.php
@@ -378,12 +378,10 @@ class PwgServer
{
if ( is_null($this->_responseEncoder) )
{
- set_status_header(500);
+ set_status_header(400);
@header("Content-Type: text/plain");
echo ("Cannot process your request. Unknown response format.
-Request format: ".@$this->_requestFormat." handler:".$this->_requestHandler."
-Response format: ".@$this->_responseFormat." encoder:".$this->_responseEncoder."
- ");
+Request format: ".@$this->_requestFormat." Response format: ".@$this->_responseFormat."\n");
var_export($this);
die(0);
}
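Review bot: The unknown-response-format branch still ends with `var_export($this);` after the new 400 status and message, which writes the whole PwgServer object — its `_requestHandler` and `_responseEncoder` members are visible in this hunk — into the client response; an unrecognised format is a client error, and that detail belongs in the server log rather than on the wire. Replacing the line with `error_log('ws: unknown response format '.@$this->_responseFormat);` keeps the diagnostic value without exposing internal state. The 500→400 change in the second hunk is consistent with this one. The enclosing method starts before the hunk.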
@@ -391,7 +389,7 @@ Response format: ".@$this->_responseFormat." encoder:".$this->_responseEncoder."
if ( is_null($this->_requestHandler) )
{
$this->sendResponse(
- new PwgError(500, 'Unknown request format')
+ new PwgError(400, 'Unknown request format')
);
return;
}
diff --git a/include/ws_protocols/rest_handler.php b/include/ws_protocols/rest_handler.php
index c9c8ad9b0..e22d0b9e2 100644
--- a/include/ws_protocols/rest_handler.php
+++ b/include/ws_protocols/rest_handler.php
@@ -30,7 +30,7 @@ class PwgRestRequestHandler
$param_array = $service->isPost() ? $_POST : $_GET;
foreach ($param_array as $name => $value)
{
- if ($name=='format' or $name=='partner')
+ if ($name=='format')
continue; // ignore - special keys
if ($name=='method')
{
@@ -45,7 +45,7 @@ class PwgRestRequestHandler
if ( empty($method) )
{
$service->sendResponse(
- new PwgError(400, 'Missing "method" name')
+ new PwgError(WS_ERR_INVALID_METHOD, 'Missing "method" name')
);
return;
}
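Review bot: `WS_ERR_INVALID_METHOD` replaces the literal 400 in the second hunk but is not defined in this file section, so it has to come from ws_core.inc.php or another include loaded before this handler; in PHP 5 an undefined constant silently evaluates to its own name, and PwgError would then receive a string where a numeric code is expected — worth confirming the definition site is part of this commit. In the first hunk `$name=='format'` is a loose comparison; because integer-like parameter names become int keys, `0 == 'format'` is true in PHP 5 and such a parameter would be skipped, so `$name === 'format'` is the safer form. The enclosing method starts before the hunk.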