Commit 7d5d0a19 authored by Penny Leach's avatar Penny Leach
Browse files

ongoing (WORK IN PROGRESS) stuff = added more functions, basic smarty

and theme set up, parameter cleaning. This  is just being committed now
so I can pull, not to be considered complete
parent 8d6143a1
......@@ -52,8 +52,11 @@ if (!is_readable($CFG->docroot . 'config.php')) {
require('config.php');
$CFG = (object)array_merge((array)$cfg, (array)$CFG);
// core libraries
require('mahara.php');
require('dml.php');
require('constants.php');
require('web.php');
ensure_sanity();
// Database access functions
......@@ -94,4 +97,10 @@ catch (Exception $e) {
die;
}
load_config();
if (!get_config('theme')) {
set_config('theme','default');
}
?>
......@@ -2,4 +2,5 @@
$string['dbconnfailed'] = 'Failed to connect to database, error message was %s';
$string['registerglobals'] = 'You have dangerous PHP settings, register_globals is on. Mahara is trying to work around this, but you should really fix it';
$string['magicquotesgpc'] = 'You have dangerous PHP settings, magic_quotes_gpc is on. Mahara is trying to work around this, but you should really fix it';
$string['datarootnotwritable'] = 'Your defined data root directory, %s, is not writable. This means Mahara is not going to be fully functional.';
?>
\ No newline at end of file
<?php
/**
* This program is part of mahara
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*
* @package mahara
* @subpackage core
* @author Penny Leach <penny@catalyst.net.nz>
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL
* @copyright (C) 2006,2007 Catalyst IT Ltd http://catalyst.net.nz
* @copyright (C) portions from Moodle, (C) Martin Dougiamas http://dougiamas.com
*/
defined('INTERNAL') || die();
// PARAMETER CLEANING
/**
* PARAM_INT - integers only, use when expecting only numbers.
*/
define('PARAM_INT', 0x0002);
/**
* PARAM_INTEGER - an alias for PARAM_INT
*/
define('PARAM_INTEGER', 0x0002);
/**
* PARAM_ALPHA - contains only english letters.
*/
define('PARAM_ALPHA', 0x0004);
/**
* PARAM_ACTION - an alias for PARAM_ALPHA, use for various actions in formas and urls
* @TODO: should we alias it to PARAM_ALPHANUM ?
*/
define('PARAM_ACTION', 0x0004);
/**
* PARAM_FORMAT - an alias for PARAM_ALPHA, use for names of plugins, formats, etc.
* @TODO: should we alias it to PARAM_ALPHANUM ?
*/
define('PARAM_FORMAT', 0x0004);
/**
* PARAM_NOTAGS - all html tags are stripped from the text. Do not abuse this type.
*/
define('PARAM_NOTAGS', 0x0008);
/**
* PARAM_MULTILANG - general plain text compatible with multilang filter, no other html tags.
*/
define('PARAM_MULTILANG', 0x0009);
/**
* PARAM_FILE - safe file name, all dangerous chars are stripped, protects against XSS, SQL injections and directory traversals
*/
define('PARAM_FILE', 0x0010);
/**
* PARAM_PATH - safe relative path name, all dangerous chars are stripped, protects against XSS, SQL injections and directory traversals
* note: the leading slash is not removed, window drive letter is not allowed
*/
define('PARAM_PATH', 0x0020);
/**
* PARAM_HOST - expected fully qualified domain name (FQDN) or an IPv4 dotted quad (IP address)
*/
define('PARAM_HOST', 0x0040);
/**
* PARAM_URL - expected properly formatted URL.
*/
define('PARAM_URL', 0x0080);
/**
* PARAM_LOCALURL - expected properly formatted URL as well as one that refers to the local server itself. (NOT orthogonal to the others! Implies PARAM_URL!)
*/
define('PARAM_LOCALURL', 0x0180);
/**
* PARAM_CLEANFILE - safe file name, all dangerous and regional chars are removed,
* use when you want to store a new file submitted by students
*/
define('PARAM_CLEANFILE',0x0200);
/**
* PARAM_ALPHANUM - expected numbers and letters only.
*/
define('PARAM_ALPHANUM', 0x0400);
/**
* PARAM_BOOL - converts input into 0 or 1, use for switches in forms and urls.
*/
define('PARAM_BOOL', 0x0800);
/**
* PARAM_CLEANHTML - cleans submitted HTML code and removes slashes
* note: do not forget to addslashes() before storing into database!
*/
define('PARAM_CLEANHTML',0x1000);
/**
* PARAM_ALPHAEXT the same contents as PARAM_ALPHA plus the chars in quotes: "/-_" allowed,
* suitable for include() and require()
* @TODO: should we rename this function to PARAM_SAFEDIRS??
*/
define('PARAM_ALPHAEXT', 0x2000);
/**
* PARAM_SAFEDIR - safe directory name, suitable for include() and require()
*/
define('PARAM_SAFEDIR', 0x4000);
/**
* PARAM_SEQUENCE - expects a sequence of numbers like 8 to 1,5,6,4,6,8,9. Numbers and comma only.
*/
define('PARAM_SEQUENCE', 0x8000);
/**
* REQUEST_POST - retrieve from $_POST
*/
define('REQUEST_POST', 2);
/**
* REQUEST_GET - retrieve from $_GET
*/
define('REQUEST_GET', 1);
/**
* REQUEST_EITHER - retrieve from either $_POST or $_GET
* $_POST has preference.
*/
define('REQUEST_EITHER',0);
?>
\ No newline at end of file
<?php
/**
* Copyright 2006,2007 Catalyst IT Ltd (http://www.catalyst.net.nz)
* This program is part of mahara
*
* This file is part of maraha.
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* maraha is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
* maraha is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
* You should have received a copy of the GNU General Public License
* along with maraha; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*
* @package mahara
* @subpackage core
* @author Penny Leach <penny@catalyst.net.nz>
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL
* @copyright (C) 2006,2007 Catalyst IT Ltd http://catalyst.net.nz
* @copyright (C) portions from Moodle, (C) Martin Dougiamas http://dougiamas.com
*/
defined('INTERNAL') || die();
/**
* This function checks core and plugins
* for which need to be upgraded/installed
* @returns array of objects
*/
function check_upgrades() {
$toupgrade = array();
// check core first...
if (!$coreversion = get_config('version')) {
$core = new StdClass;
$core->install = true;
$toupgrade['core'] = $core;
// just return here, there's no point doing anything else right now...
return $toupgrade;
}
else {
require('version.php');
if ($config->version > $coreversion) {
$core = new StdClass;
$core->upgrade = true;
$core->from = $coreversion;
if ($corerelease = get_config('release')) {
$core->fromrelease = $corerelease;
}
$core->to = $config->version;
$core->torelease = $config->release;
$toupgrade['core'] = $core;
}
}
// artefact plugins next..
$dirhandle = opendir(get_config('docroot').'artefacts/');
while (false !== ($dir = readdir($dirhandle))) {
if (!$pluginversion = get_config_plugin('arfetact',$dir,'version')) {
$plugin = new StdClass;
$plugin->install = true;
$toupgrade['artefact'][$dir] = $plugin;
}
else {
require(get_config('docroot').'artefacts/'.$dir.'/version.php');
if ($config->version > $pluginversion) {
$plugin = new StdClass;
$plugin->upgrade = true;
$plugin->from = $pluginversion;
if ($pluginrelease = get_config_plugin('artefact',$dir,'release')) {
$plugin->fromrelease = $pluginrelease;
}
$plugin->to = $config->version;
if (!empty($config->release)) {
$plugin->torelease = $config->release;
}
}
}
}
return $toupgrade;
}
/**
* work around silly php settings
* and broken setup stuff about the install
......@@ -70,6 +137,14 @@ function ensure_sanity() {
trigger_error(get_string('datarootinsidedocroot','error'));
}
// dataroot not writable..
if (!check_dir_exists(get_config('dataroot')) || !is_writable(get_config('dataroot'))) {
trigger_error(get_string('datarootnotwritable','error',get_config('dataroot')));
}
check_dir_exists(get_config('dataroot').'smarty/compile');
check_dir_exists(get_config('dataroot').'smarty/cache');
// more later?
}
......@@ -214,7 +289,35 @@ function ini_get_bool($ini_get_arg) {
return false;
}
/*
/**
* This function loads up the basic $CFG
* from the database table
* note that it doesn't load plugin config
* as not every page needs them
* @return boolean false if the assignment fails (generally if the databse is not installed)
*/
function load_config() {
global $CFG;
try {
$dbconfig = get_records('config');
}
catch (ADODB_Exception $e) {
return false;
}
foreach ($dbconfig as $cfg) {
if (isset($CFG->{$cfg->field}) && $CFG->{$cfg->field} != $CFG->value) {
// @todo warn that we're overriding db config with $CFG
continue;
}
$CFG->{$cfg->field} = $cfg->value;
}
return true;
}
/**
* This function returns a value from $CFG
* or null if it is not found
*
......@@ -229,6 +332,49 @@ function get_config($key) {
return null;
}
/**
* This function sets a config variable
* both in $CFG and in the database
*
* @param string $key config field to set
* @param string $value config value
*/
function set_config($key, $value) {
if (set_field('config',$key,$value,'field',$key)) {
$CFG->{$key} = $value;
return true;
}
return false;
}
/**
* This function returns a value for $CFG for a plugin
* or null if it is not found
* note that it may go and look in the database
*
* @param string $plugintype eg artefact
* @param string $pluginname eg blog
* @param string $key the config setting to look for
*/
function get_config_plugin($plugintype, $pluginname, $key) {
global $CFG;
if (array_key_exists('plugin',$CFG)
&& array_key_exists($plugintype,$CFG->plugin)
&& array_key_exists($pluginname,$CFG->plugin->{$plugintype})
&& array_key_exists($key,$CFG->plugin->{$plugintype}->{$pluginname})) {
return $CFG->plugin->{$plugintype}->{$pluginname}->{$key};
}
if (!$value = get_field('config_'.$plugintype,'value','plugin',$pluginname,'field',$key)) {
$value = null;
}
$CFG->plugin->{$plugintype}->{$pluginname}->{$key} = $value;
return $value;
}
/**
* This function prints an array or object
* wrapped inside <pre></pre>
......@@ -283,4 +429,181 @@ function is_hash($array) {
return !empty($diff);
}
/**
* clean the variables and/or cast to specific types, based on
* an options field.
*
* @uses PARAM_INT
* @uses PARAM_INTEGER
* @uses PARAM_ALPHA
* @uses PARAM_ALPHANUM
* @uses PARAM_NOTAGS
* @uses PARAM_ALPHAEXT
* @uses PARAM_BOOL
* @uses PARAM_SAFEDIR
* @uses PARAM_CLEANFILE
* @uses PARAM_FILE
* @uses PARAM_PATH
* @uses PARAM_HOST
* @uses PARAM_URL
* @uses PARAM_LOCALURL
* @uses PARAM_CLEANHTML
* @uses PARAM_SEQUENCE
* @param mixed $param the variable we are cleaning
* @param int $type expected format of param after cleaning.
* @return mixed
*/
function clean_param($key, $type, $from=REQUEST_EITHER) {
if (is_array($param)) { // Let's loop
$newparam = array();
foreach ($param as $key => $value) {
$newparam[$key] = clean_param($value, $type);
}
return $newparam;
}
switch ($type) {
case PARAM_CLEANHTML: // prepare html fragment for display, do not store it into db!!
$param = stripslashes($param); // Remove any slashes
$param = clean_text($param); // Sweep for scripts, etc
return trim($param);
case PARAM_INT:
return (int)$param; // Convert to integer
case PARAM_ALPHA: // Remove everything not a-z
return eregi_replace('[^a-zA-Z]', '', $param);
case PARAM_ALPHANUM: // Remove everything not a-zA-Z0-9
return eregi_replace('[^A-Za-z0-9]', '', $param);
case PARAM_ALPHAEXT: // Remove everything not a-zA-Z/_-
return eregi_replace('[^a-zA-Z/_-]', '', $param);
case PARAM_SEQUENCE: // Remove everything not 0-9,
return eregi_replace('[^0-9,]', '', $param);
case PARAM_BOOL: // Convert to 1 or 0
$tempstr = strtolower($param);
if ($tempstr == 'on' or $tempstr == 'yes' ) {
$param = 1;
} else if ($tempstr == 'off' or $tempstr == 'no') {
$param = 0;
} else {
$param = empty($param) ? 0 : 1;
}
return $param;
case PARAM_NOTAGS: // Strip all tags
return strip_tags($param);
case PARAM_MULTILANG: // leave only tags needed for multilang
return clean_param(strip_tags($param, '<lang><span>'), PARAM_CLEAN);
case PARAM_SAFEDIR: // Remove everything not a-zA-Z0-9_-
return eregi_replace('[^a-zA-Z0-9_-]', '', $param);
case PARAM_CLEANFILE: // allow only safe characters
return clean_filename($param);
case PARAM_FILE: // Strip all suspicious characters from filename
$param = ereg_replace('[[:cntrl:]]|[<>"`\|\':\\/]', '', $param);
$param = ereg_replace('\.\.+', '', $param);
if($param == '.') {
$param = '';
}
return $param;
case PARAM_PATH: // Strip all suspicious characters from file path
$param = str_replace('\\\'', '\'', $param);
$param = str_replace('\\"', '"', $param);
$param = str_replace('\\', '/', $param);
$param = ereg_replace('[[:cntrl:]]|[<>"`\|\':]', '', $param);
$param = ereg_replace('\.\.+', '', $param);
$param = ereg_replace('//+', '/', $param);
return ereg_replace('/(\./)+', '/', $param);
case PARAM_HOST: // allow FQDN or IPv4 dotted quad
preg_replace('/[^\.\d\w-]/','', $param ); // only allowed chars
// match ipv4 dotted quad
if (preg_match('/(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/',$param, $match)){
// confirm values are ok
if ( $match[0] > 255
|| $match[1] > 255
|| $match[3] > 255
|| $match[4] > 255 ) {
// hmmm, what kind of dotted quad is this?
$param = '';
}
} elseif ( preg_match('/^[\w\d\.-]+$/', $param) // dots, hyphens, numbers
&& !preg_match('/^[\.-]/', $param) // no leading dots/hyphens
&& !preg_match('/[\.-]$/', $param) // no trailing dots/hyphens
) {
// all is ok - $param is respected
} else {
// all is not ok...
$param='';
}
return $param;
case PARAM_URL: // allow safe ftp, http, mailto urls
include_once(get_config('libroot').'validateurlsyntax.php');
if (!empty($param) && validateUrlSyntax($param, 's?H?S?F?E?u-P-a?I?p-f?q?r?')) {
// all is ok, param is respected
} else {
$param =''; // not really ok
}
return $param;
case PARAM_LOCALURL: // allow http absolute, root relative and relative URLs within wwwroot
clean_param($param, PARAM_URL);
if (!empty($param)) {
if (preg_match(':^/:', $param)) {
// root-relative, ok!
} elseif (preg_match('/^'.preg_quote(get_config('wwwroot')).'/i',$param)) {
// absolute, and matches our wwwroot
} else {
// relative - let's make sure there are no tricks
if (validateUrlSyntax($param, 's-u-P-a-p-f+q?r?')) {
// looks ok.
} else {
$param = '';
}
}
}
return $param;
default: // throw error, switched parameters in optional_param or another serious problem
// @todo nigel hissy fit
error("Unknown parameter type: $type");
}
}
/**
* Function to check if a directory exists and optionally create it.
*
* @param string absolute directory path
* @param boolean create directory if does not exist
* @param boolean create directory recursively
*
* @return boolean true if directory exists or created
*/
function check_dir_exists($dir, $create=true, $recursive=true) {
error_log("checking $dir");
$status = true;
if(!is_dir($dir)) {
if (!$create) {
$status = false;
} else {
umask(0000);
$status = mkdir($dir, 0777, true);
}
}
return $status;
}
?>
\ No newline at end of file
This diff is collapsed.
<?php
/**
* This program is part of mahara
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*
* @package mahara
* @subpackage core or plugintype/pluginname
* @author Your Name <you@example.org>
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL
* @copyright (C) 2006,2007 Catalyst IT Ltd http://catalyst.net.nz
*
*/
defined('INTERNAL') || die();
$config = new StdClass;
$config->version = 2006100500;
$config->release = '0.1';
?>
\ No newline at end of file
<?php
/**
* This program is part of mahara
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*
* @package mahara
* @subpackage core
* @author Penny Leach <penny@catalyst.net.nz>
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL