From 03dca2fcae3026d049d4579bc31cc453bcd66dc1 Mon Sep 17 00:00:00 2001
From: Stefan Frech
Date: Sun, 20 Apr 2008 13:31:29 +0000
Subject: [PATCH] sending lib to the repos
---
lib/auth.php | 154 ++++++++++++++++
lib/lib.js | 112 ++++++++++++
lib/lib.php | 443 +++++++++++++++++++++++++++++++++++++++++++++++
lib/login.php | 99 +++++++++++
lib/mysql.php | 35 ++++
lib/pngfix.js | 39 +++++
lib/webstart.php | 55 ++++++
7 files changed, 937 insertions(+)
create mode 100644 lib/auth.php
create mode 100644 lib/lib.js
create mode 100644 lib/lib.php
create mode 100644 lib/login.php
create mode 100644 lib/mysql.php
create mode 100644 lib/pngfix.js
create mode 100644 lib/webstart.php
diff --git a/lib/auth.php b/lib/auth.php
new file mode 100644
index 0000000..e1e3e4b
--- /dev/null
+++ b/lib/auth.php
@@ -0,0 +1,154 @@
+check_auth ()) {
+ $_SESSION['logged_in'] = true;
+ }
+ else {
+ $_SESSION['logged_in'] = false;
+ }
+ }
+
+ function check_auth () {
+ if (session_id ()
+ && isset ($_SESSION['challengekey'])
+ && strlen ($_SESSION['challengekey']) === 32
+ && isset ($_SESSION['username'])
+ && $_SESSION['username'] != ''
+ && isset ($_SESSION['logged_in'])
+ && $_SESSION['logged_in']) {
+ return true;
+ }
+ else if ($this->check_cookie ()) {
+ return true;
+ }
+ return false;
+ }
+
+ function assign_data () {
+ if ( isset($_POST['username'])
+ && isset($_POST['password'])
+ && $_POST['username'] != ''
+ && $_POST['password'] != '') {
+ $this->username = $_POST['username'];
+ $this->password = $_POST['password'];
+ return true;
+ }
+ return false;
+ }
+
+ function login () {
+ $_SESSION['logged_in'] = false;
+ if ($this->assign_data ()) {
+ global $mysql;
+ $query = sprintf("SELECT COUNT(*) FROM user WHERE md5(username)=md5('%s') AND password=md5('%s')",
+ $mysql->escape ($this->username),
+ $mysql->escape ($this->password));
+ if ($mysql->query ($query) && mysql_result ($mysql->result, 0) === "1") {
+ if (isset ($_POST['remember'])) {
+ global $cookie;
+ $cookie['data'] = serialize (array ($this->username, md5 ($cookie['seed'] . md5 ($this->password))));
+ @setcookie ($cookie['name'],
+ $cookie['data'],
+ $cookie['expire'],
+ $cookie['path'],
+ $cookie['domain']);
+ }
+ $this->set_login_data ($this->username);
+ }
+ else {
+ $this->logout ();
+ }
+ }
+ unset ($_POST['password']);
+ unset ($this->password);
+ }
+
+ function logout () {
+ global $cookie;
+ unset ($_SESSION['challengekey']);
+ unset ($_SESSION['username']);
+ @setcookie ($cookie['name'], "", time() - 1, $cookie['path'], $cookie['domain']);
+ $_SESSION['logged_in'] = false;
+ }
+
+ function set_login_data ($username) {
+ $_SESSION['challengekey'] = md5 ($username . microtime ());
+ $_SESSION['username'] = $username;
+ $_SESSION['logged_in'] = true;
+ }
+
+ function check_cookie () {
+ global $cookie, $mysql;
+ if ( isset ($cookie['name'])
+ && $cookie['name'] != ''
+ && isset ($_COOKIE[$cookie['name']])) {
+ list ($cookie['username'], $cookie['password_hash']) = @unserialize ($_COOKIE[$cookie['name']]);
+ $query = sprintf("SELECT COUNT(*) FROM user WHERE username='%s' AND MD5(CONCAT('%s', password))='%s'",
+ $mysql->escape ($cookie['username']),
+ $mysql->escape ($cookie['seed']),
+ $mysql->escape ($cookie['password_hash']));
+ if ($mysql->query ($query) && mysql_result ($mysql->result, 0) === "1") {
+ $this->set_login_data ($cookie['username']);
+ return true;
+ }
+ else {
+ $this->logout ();
+ return false;
+ }
+ }
+ return false;
+ }
+
+ function display_login_form () {
+ ?>
+
+
+
+
+
+
+
\ No newline at end of file
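Review bot: `check_cookie` hands the raw cookie value to `unserialize` (`list ($cookie['username'], $cookie['password_hash']) = @unserialize ($_COOKIE[$cookie['name']]);`), so a client-controlled string decides which classes get instantiated on the server; since the payload is only two strings, a plain delimited format (`$cookie['username'] . '|' . $hash` with `explode ('|', ...)` or `json_encode`/`json_decode`) avoids that class of issue, and dropping the `@` lets a malformed cookie show up in the logs. Separately, `set_login_data` marks the session as authenticated without calling `session_regenerate_id (true)` first, so a session id established before login keeps working afterwards. The remember-me token `md5 ($cookie['seed'] . md5 ($this->password))` is deterministic per user and cannot be revoked without changing the password; a random per-login token stored in the `user` table would be the usual replacement. The class holding these methods begins before the hunk's first visible line, which looks truncated.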
diff --git a/lib/lib.js b/lib/lib.js
new file mode 100644
index 0000000..ca95bf1
--- /dev/null
+++ b/lib/lib.js
@@ -0,0 +1,112 @@
+function reloadclose(){
+ window.opener.location.reload();
+ self.close();
+}
+
+function bookmarknew(folderid) {
+ bookmark_new = window.open("./bookmark_new.php?folderid=" + folderid, "bookmarknew","toolbar=no,location=no,status=no,scrollbars=yes,resizable=yes,width=500,height=500");
+}
+
+function bookmarkedit(bmlist) {
+ if (bmlist==""){
+ alert("No Bookmarks selected.");
+ }
+ else {
+ bookmark_edit = window.open("./bookmark_edit.php?bmlist=" + bmlist, "bookmarkedit","toolbar=no,location=no,status=no,scrollbars=yes,resizable=yes,width=500,height=500");
+ }
+}
+
+function bookmarkmove(bmlist) {
+ if (bmlist==""){
+ alert("No Bookmarks selected.");
+ }
+ else {
+ bookmark_move = window.open("./bookmark_move.php", bmlist, "toolbar=no,location=no,status=no,scrollbars=yes,resizable=yes,width=500,height=450");
+ }
+}
+
+function bookmarkdelete(bmlist) {
+ if (bmlist==""){
+ alert("No Bookmarks selected.");
+ }
+ else {
+ bookmark_delete = window.open("./bookmark_delete.php?bmlist=" + bmlist, "bookmarkdelete", "toolbar=no,location=no,status=no,scrollbars=yes,resizable=yes,width=500,height=450");
+ }
+}
+
+function foldernew(folderid) {
+ folder_new = window.open("./folder_new.php?folderid=" + folderid, "foldernew", "toolbar=no,location=no,status=no,scrollbars=yes,resizable=yes,width=500,height=200");
+}
+
+function folderedit(folderid) {
+ if (folderid=="" || folderid=='0'){
+ alert("No Folder selected.");
+ }
+ else {
+ folder_edit = window.open("./folder_edit.php?folderid=" + folderid, "folderedit", "toolbar=no,location=no,status=no,scrollbars=yes,resizable=yes,width=500,height=220");
+ }
+}
+
+function foldermove(folderid) {
+ if (folderid=="" || folderid=='0'){
+ alert("No Folder selected.");
+ }
+ else {
+ folder_move = window.open("./folder_move.php", folderid, "toolbar=no,location=no,status=no,scrollbars=yes,resizable=yes,width=500,height=450");
+ }
+}
+
+function folderdelete(folderid) {
+ if (folderid=="" || folderid=="0"){
+ alert("No Folder selected.");
+ }
+ else {
+ folder_delete= window.open("./folder_delete.php?folderid=" + folderid, "folderdelete", "toolbar=no,location=no,status=no,scrollbars=yes,resizable=yes,width=500,height=200");
+ }
+}
+
+function selectfolder(url) {
+ select_folder = window.open("./select_folder.php" + url, "selectfolder", "toolbar=no,location=no,status=no,scrollbars=yes,resizable=yes,width=500,height=450");
+}
+
+function chpw() {
+ chpw_window = window.open("./change_password.php", "chpw", "toolbar=no,location=no,status=no,scrollbars=yes,resizable=yes,width=500,height=200");
+}
+
+function checkselected(){
+var i;
+var parameter='';
+ for ( i = 0; i < window.document.forms['bookmarks'].elements.length; i++) {
+ if (window.document.forms['bookmarks'].elements[i].checked == true) {
+ parameter = parameter + window.document.forms['bookmarks'].elements[i].name + "_";
+ }
+ }
+ result=parameter.replace(/_$/,"");
+ return result
+}
+
+/* This function is from the following location:
+ http://www.squarefree.com/bookmarklets/
+*/
+
+function selection(boxes){
+ var x,k,f,j;
+ x=document.forms;
+
+ for (k = 0; k < x.length; ++k){
+ f = x[k];
+ for (j = 0; j < f.length; ++j){
+ if (f[j].type.toLowerCase() == "checkbox"){
+ if (boxes == "all"){
+ f[j].checked = true ;
+ }
+ else if (boxes == "none"){
+ f[j].checked = false ;
+ }
+ else if (boxes == "toggle") {
+ f[j].checked = !f[j].checked ;
+ }
+ }
+ }
+ }
+}
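Review bot: `checkselected` assigns `result` without `var`, and every `window.open` handle (`bookmark_new`, `folder_edit`, and so on) is likewise an implicit global; `var result = parameter.replace(/_$/, "");` followed by `return result;` keeps them out of `window` and adds the missing semicolon. The ids spliced into query strings (`"?folderid=" + folderid`, `"?bmlist=" + bmlist`) are not encoded, so `encodeURIComponent(folderid)` is needed for a value containing `&` or `#` not to truncate or alter the request. `bookmarkmove` and `foldermove` pass the id list as the window name rather than as a query parameter, unlike their siblings — presumably the target pages read `window.name`, but if they do not this reads like a copy-paste slip.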
diff --git a/lib/lib.php b/lib/lib.php
new file mode 100644
index 0000000..f6d81b2
--- /dev/null
+++ b/lib/lib.php
@@ -0,0 +1,443 @@
+" . $message . "
";
+ }
+ require_once (ABSOLUTE_PATH . "footer.php");
+}
+
+/*
+ * Checks whether the user is logged in.
+ * Displays a link to login if not and exit application.
+ */
+function logged_in_only () {
+ if (! isset ($_SESSION['logged_in']) || ! $_SESSION['logged_in']) {
+ global $auth;
+ $auth->display_login_form ();
+ require_once (ABSOLUTE_PATH . "footer.php");
+ }
+}
+
+function input_validation ($data, $charset = 'UTF-8') {
+ if (is_array ($data)) {
+ foreach ($data as $key => $value) {
+ $data[$key] = input_validation ($value);
+ }
+ }
+ else {
+ $data = htmlentities (trim ($data), ENT_QUOTES, $charset);
+ }
+ return $data;
+}
+
+/*
+ * Verify some GET variables
+ */
+###
+### Setting the expand variable. If empty in _GET we use the one from _SESSION if available.
+### Call this function only once, otherwise some strange things will happen.
+###
+function set_get_expand () {
+ if (!isset ($_GET['expand'])) {
+ if (isset ($_SESSION['expand']) && is_array ($_SESSION['expand'])) {
+ $return = set_num_array ($_SESSION['expand']);
+ }
+ else {
+ $return = array();
+ }
+ }
+ else if ($_GET['expand'] == '') {
+ $return = array();
+ }
+ else {
+ $return = explode (",", $_GET['expand']);
+ $return = set_num_array ($return);
+ }
+ $return = input_validation ($return);
+ $_SESSION['expand'] = $return;
+ return ($return);
+}
+
+function set_get_folderid () {
+ if (!isset ($_GET['folderid']) || $_GET['folderid'] == '' || !is_numeric ($_GET['folderid'])) {
+ if (isset ($_SESSION['folderid'])) {
+ $return = $_SESSION['folderid'];
+ }
+ else {
+ $return = 0;
+ }
+ }
+ else {
+ $return = $_GET['folderid'];
+ }
+ $return = input_validation ($return);
+ $_SESSION['folderid'] = $return;
+ return ($return);
+}
+
+
+
+
+################## GET title and url are handled a bit special
+
+function set_get_title () {
+ if (!isset ($_GET['title']) || $_GET['title'] == '') {
+ $return = '';
+ }
+ else {
+ $return = $_GET['title'];
+ }
+ return input_validation ($return);
+}
+
+function set_get_url () {
+ if (!isset ($_GET['url']) || $_GET['url'] == '') {
+ $return = '';
+ }
+ else {
+ $return = $_GET['url'];
+ }
+ return input_validation ($return);
+}
+
+function set_session_title () {
+ if (!isset ($_SESSION['title']) || $_SESSION['title'] == '') {
+ $return = '';
+ }
+ else {
+ $return = $_SESSION['title'];
+ }
+ return $return;
+}
+
+function set_session_url () {
+ if (!isset ($_SESSION['url']) || $_SESSION['url'] == '') {
+ $return = '';
+ }
+ else {
+ $return = $_SESSION['url'];
+ }
+ return $return;
+}
+
+function set_title () {
+ $get_title = set_get_title ();
+ $session_title = set_session_title ();
+
+ if ($get_title == '' && $session_title == '') {
+ $return = '';
+ }
+ else if ($get_title != '') {
+ $_SESSION['title'] = $get_title;
+ $return = $get_title;
+ }
+ else if ($session_title != '') {
+ $_SESSION['title'] = $session_title;
+ $return = $session_title;
+ }
+ return $return;
+}
+
+function set_url () {
+ $get_url = set_get_url ();
+ $session_url = set_session_url ();
+
+ if ($get_url == '' && $session_url == '') {
+ $return = '';
+ }
+ else if ($get_url != '') {
+ $_SESSION['url'] = $get_url;
+ $return = $get_url;
+ }
+ else if ($session_url != '') {
+ $_SESSION['url'] = $session_url;
+ $return = $session_url;
+ }
+ return $return;
+}
+
+#############################################
+
+function set_get_noconfirm () {
+ if (!isset ($_GET['noconfirm']) || $_GET['noconfirm'] == '') {
+ $return = false;
+ }
+ else {
+ $return = true;
+ }
+ return $return;
+}
+
+/*
+ * Verify some POST variables
+ */
+
+function set_post_childof () {
+ if (!isset ($_POST['childof']) || $_POST['childof'] == '' || !is_numeric($_POST['childof'])) {
+ $return = 0;
+ }
+ else {
+ $return = $_POST['childof'];
+ }
+ return input_validation ($return);
+}
+
+function set_post_title () {
+ if (!isset ($_POST['title']) || $_POST['title'] == '') {
+ $return = '';
+ }
+ else {
+ $return = $_POST['title'];
+ }
+ return input_validation ($return);
+}
+
+function set_post_url () {
+ if (!isset ($_POST['url']) || $_POST['url'] == '') {
+ $return = '';
+ }
+ else {
+ $return = $_POST['url'];
+ }
+ return input_validation ($return);
+}
+
+function set_post_description () {
+ if (!isset ($_POST['description']) || $_POST['description'] == '') {
+ $return = '';
+ }
+ else {
+ $return = $_POST['description'];
+ }
+ return input_validation ($return);
+}
+
+function set_post_foldername () {
+ if (!isset ($_POST['foldername']) || $_POST['foldername'] == '') {
+ $return = '';
+ }
+ else {
+ $return = $_POST['foldername'];
+ }
+ return input_validation ($return);
+}
+
+function set_post_sourcefolder () {
+ if (!isset ($_POST['sourcefolder']) || $_POST['sourcefolder'] == '' || !is_numeric ($_POST['sourcefolder'])) {
+ $return = '';
+ }
+ else {
+ $return = $_POST['sourcefolder'];
+ }
+ return input_validation ($return);
+}
+
+function set_post_parentfolder () {
+ if (!isset ($_POST['parentfolder']) || $_POST['parentfolder'] == '' || !is_numeric ($_POST['parentfolder'])) {
+ $return = 0;
+ }
+ else {
+ $return = $_POST['parentfolder'];
+ }
+ return input_validation ($return);
+}
+
+function set_post_browser () {
+ if (!isset ($_POST['browser'])) {
+ $return = '';
+ }
+ else if ($_POST['browser'] == 'opera') {
+ $return = 'opera';
+ }
+ else if ($_POST['browser'] == 'netscape') {
+ $return = 'netscape';
+ }
+ else if ($_POST['browser'] == 'IE') {
+ $return = 'IE';
+ }
+ else {
+ $return = '';
+ }
+ return input_validation ($return);
+}
+
+
+
+#########################################################
+
+###
+###
+###
+
+function return_charsets () {
+ $charsets = array (
+ 'ISO-8859-1',
+ 'ISO-8859-15',
+ 'UTF-8',
+ 'cp866',
+ 'cp1251',
+ 'cp1252',
+ 'KOI8-R',
+ 'BIG5',
+ 'GB2312',
+ 'BIG5-HKSCS',
+ 'Shift_JIS',
+ 'EUC-JP',
+ );
+ return $charsets;
+}
+
+function set_post_charset () {
+ $charsets = return_charsets ();
+
+ if (!isset ($_POST['charset']) || $_POST['charset'] == '') {
+ $return = 'UTF-8';
+ }
+ else if (in_array ($_POST['charset'], $charsets)) {
+ $return = $_POST['charset'];
+ }
+ else {
+ $return = 'UTF-8';
+ }
+ return $return;
+}
+
+function check_username ($username) {
+ $return = false;
+ if (isset ($username) || $username == '') {
+ global $mysql;
+ $query = sprintf ("SELECT COUNT(*) FROM user WHERE md5(username)=md5('%s')",
+ $mysql->escape ($username));
+ if ($mysql->query ($query)) {
+ if (mysql_result ($mysql->result, 0) == 1) {
+ $return = true;
+ }
+ }
+ }
+ return input_validation ($return);
+}
+
+function admin_only () {
+ $return = false;
+ global $mysql, $username;
+ $query = sprintf ("SELECT COUNT(*) FROM user WHERE admin='1'
+ AND username='%s'",
+ $mysql->escape ($username));
+ if ($mysql->query ($query)) {
+ if (mysql_result ($mysql->result, 0) == "1") {
+ $return = true;
+ }
+ }
+ return input_validation ($return);
+}
+
+function set_get_string_var ($varname, $default = '') {
+ if (! isset ($_GET[$varname]) || $_GET[$varname] == '') {
+ $return = $default;
+ }
+ else {
+ $return = $_GET[$varname];
+ }
+ return input_validation ($return);
+}
+
+function set_post_string_var ($varname, $default = '') {
+ if (! isset ($_POST[$varname]) || $_POST[$varname] == '') {
+ $return = $default;
+ }
+ else {
+ $return = $_POST[$varname];
+ }
+ return input_validation ($return);
+}
+
+function set_post_num_var ($varname, $default = 0) {
+ if (! isset ($_POST[$varname]) || $_POST[$varname] == '' || !is_numeric ($_POST[$varname])) {
+ $return = $default;
+ }
+ else {
+ $return = intval ($_POST[$varname]);
+ }
+ return input_validation ($return);
+}
+
+function set_post_bool_var ($varname, $default = true) {
+ if (! isset ($_POST[$varname])) {
+ $return = $default;
+ }
+ else if (! $_POST[$varname] ) {
+ $return = false;
+ }
+ else if ($_POST[$varname] ) {
+ $return = true;
+ }
+ else {
+ $return = $default;
+ }
+ return $return;
+}
+
+function set_get_num_list ($varname) {
+ if (!isset ($_GET[$varname]) || $_GET[$varname] == '') {
+ $return = array ();
+ }
+ else {
+ $return = set_num_array (explode ("_", $_GET[$varname]));
+ }
+ return input_validation ($return);
+}
+
+function set_post_num_list ($varname) {
+ if (!isset ($_POST[$varname]) || $_POST[$varname] == '') {
+ $return = array ();
+ }
+ else {
+ $return = set_num_array (explode ("_", $_POST[$varname]));
+ }
+ return input_validation ($return);
+}
+
+/*
+ * This function checks the values of each entry in an array.
+ * It returns an array with unique and only numeric entries.
+ */
+function set_num_array ($array){
+ foreach ($array as $key => $value) {
+ if ($value == '' || !is_numeric ($value)) {
+ unset ($array[$key]);
+ }
+ }
+ return array_unique ($array);
+}
+
+function print_footer () {
+ echo 'Online-Bookmarks' . "\n";
+ @readfile (ABSOLUTE_PATH . "VERSION");
+ echo ' by Stefan Frech';
+}
+
+function object_count () {
+ global $mysql, $username;
+ $return = '';
+ $query = sprintf ("SELECT (SELECT COUNT(*) FROM bookmark WHERE user='%s') AS bookmarks,
+ (SELECT COUNT(*) FROM folder WHERE user='%s') AS folders",
+ $mysql->escape ($username),
+ $mysql->escape ($username));
+
+ if ($mysql->query ($query)) {
+ if (mysql_num_rows ($mysql->result) == "1") {
+ $row = mysql_fetch_object ($mysql->result);
+ $return = "You have $row->bookmarks Bookmarks and $row->folders Folders";
+ }
+ }
+ else {
+ $return = $mysql->error;
+ }
+ echo $return;
+}
+
+?>
\ No newline at end of file
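Review bot: `check_username` tests `isset ($username) || $username == ''`, which is true for every non-null argument including the empty string, so the guard never short-circuits and an empty name still hits the database; `isset ($username) && $username != ''` matches what the surrounding `set_post_*` helpers do. The recursive call in `input_validation` drops the `$charset` argument (`$data[$key] = input_validation ($value);`), so nested arrays are always encoded as UTF-8 whatever the caller asked for — pass `$charset` through. Note also that `input_validation` turns the boolean results of `check_username` and `admin_only` into `'1'`/`''` through `htmlentities`, which happens to work with `!` but breaks a `=== true` comparison; returning the bool directly is clearer. The function containing the first visible lines (`" . $message . "`) begins before this hunk.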
diff --git a/lib/login.php b/lib/login.php
new file mode 100644
index 0000000..576fe74
--- /dev/null
+++ b/lib/login.php
@@ -0,0 +1,99 @@
+login ();
+ }
+ if (isset ($_GET['login']) && $_GET['login'] && ! $_SESSION['logged_in']) {
+ $display_login_form = true;
+ }
+ if (isset ($_GET['logout']) && $_GET['logout'] && $_SESSION['logged_in']) {
+ $auth->logout ();
+ }
+ if (isset ($_SESSION['username']) && ! check_username ($_SESSION['username'])) { # XXX hoffe das ist ok so.
+ $auth->logout ();
+ }
+
+ if (isset ($_SESSION['logged_in']) && $_SESSION['logged_in']) {
+ if (isset ($_SESSION['username']) && $_SESSION['username'] != '') {
+ $username = $_SESSION['username'];
+ $query = sprintf ("SELECT * FROM user WHERE username='%s'",
+ $mysql->escape ($username));
+
+ # now get the settings.
+ if ($mysql->query ($query)) {
+ $settings = mysql_fetch_assoc ($mysql->result);
+ }
+ else {
+ message ($mysql->error);
+ }
+
+ unset ($settings['password']);
+ }
+ else {
+ # instead of user preferences, set default settings.
+ $settings = default_settings ();
+ $username = '';
+ $auth->logout ();
+ }
+ }
+ else {
+ $settings = default_settings ();
+ $username = '';
+ $auth->logout ();
+ }
+}
+else {
+ $settings = default_settings ();
+ $username = '';
+ $auth->logout ();
+}
+
+function default_settings () {
+ $settings = array (
+ 'root_folder_name' => '',
+ 'column_width_folder' => 400,
+ 'column_width_bookmark' => 0,
+ 'table_height' => 400,
+ 'confirm_delete' => true,
+ 'open_new_window' => true,
+ 'show_bookmark_description' => true,
+ 'show_bookmark_icon' => true,
+ 'show_column_date' => true,
+ 'date_format' => '0',
+ 'show_column_edit' => false,
+ 'show_column_move' => false,
+ 'show_column_delete' => false,
+ 'fast_folder_minus' => true,
+ 'fast_folder_plus' => true,
+ 'fast_symbol' => true,
+ 'simple_tree_mode' => false,
+ );
+ return $settings;
+}
+
+# adjust some settings
+if ($settings['column_width_bookmark'] == 0 || ! is_numeric ($settings['column_width_bookmark'])) {
+ $column_width_bookmark = "100%";
+}
+else {
+ $column_width_bookmark = $settings['column_width_bookmark'] . "px";
+}
+
+$column_width_folder = $settings['column_width_folder'] . "px";
+$table_height = $settings['table_height'] . "px";
+
+if ( ! is_numeric ($settings['date_format'])) {
+ $settings['date_format'] = 0;
+}
+
+# set some often used vars
+$folderid = set_get_folderid ();
+$expand = set_get_expand ();
+
+?>
\ No newline at end of file
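Review bot: `$_SESSION['logged_in']` is read unguarded in the login/logout conditions (`&& ! $_SESSION['logged_in']`, `&& $_SESSION['logged_in']`) while the block a few lines later checks `isset` first; on a fresh session this raises a notice and relies on `null` happening to be falsy — `empty ($_SESSION['logged_in'])` and `! empty ($_SESSION['logged_in'])` express the intent. The settings query `SELECT * FROM user WHERE username='%s'` pulls the password hash into `$settings` only to `unset` it afterwards; naming the needed columns keeps the hash out of the array that is passed around the page. Logout fires on a bare `?logout=1` GET, so any third-party page can log the user out; a POST carrying a session-bound token is the usual fix. The enclosing `if` begins before the hunk.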
diff --git a/lib/mysql.php b/lib/mysql.php
new file mode 100644
index 0000000..0f2bced
--- /dev/null
+++ b/lib/mysql.php
@@ -0,0 +1,35 @@
+error = mysql_error ();
+ }
+ if ( ! @mysql_select_db ($dsn['database'])) {
+ $this->error = mysql_error ();
+ }
+ }
+
+ function query ($query) {
+ if ($this->result = mysql_query ($query)) {
+ return true;
+ }
+ else{
+ $this->error = mysql_error ();
+ return false;
+ }
+ }
+
+ function escape ($string) {
+ return mysql_real_escape_string ($string);
+ }
+
+
+}
+
+?>
\ No newline at end of file
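Review bot: `escape` calls `mysql_real_escape_string ($string)` without a link argument, so it uses whichever connection was opened last; if the connect failed it returns `false`, `sprintf` renders that as an empty string and the callers in lib.php run their query against `''` with no error raised. Storing the link in the constructor and passing it (`mysql_real_escape_string ($string, $this->link)`), and returning early once `$this->error` is set, makes the failure visible; the connect call itself is above the hunk so I cannot see whether the link is kept. Likewise the visible constructor tail still calls `mysql_select_db` after the previous branch recorded a connect error, which overwrites the first error message with a less useful one.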
diff --git a/lib/pngfix.js b/lib/pngfix.js
new file mode 100644
index 0000000..9b9d5ca
--- /dev/null
+++ b/lib/pngfix.js
@@ -0,0 +1,39 @@
+/*
+
+Correctly handle PNG transparency in Win IE 5.5 & 6.
+http://homepage.ntlworld.com/bobosola. Updated 18-Jan-2006.
+
+Use in with DEFER keyword wrapped in conditional comments:
+
+
+*/
+
+var arVersion = navigator.appVersion.split("MSIE")
+var version = parseFloat(arVersion[1])
+
+if ((version >= 5.5) && (document.body.filters))
+{
+ for(var i=0; i"
+ img.outerHTML = strNewHTML
+ i = i-1
+ }
+ }
+}
\ No newline at end of file
diff --git a/lib/webstart.php b/lib/webstart.php
new file mode 100644
index 0000000..0aeba8f
--- /dev/null
+++ b/lib/webstart.php
@@ -0,0 +1,55 @@
+$GLOBALS overwrite vulnerability');
+ }
+ $verboten = array(
+ 'GLOBALS',
+ '_SERVER',
+ 'HTTP_SERVER_VARS',
+ '_GET',
+ 'HTTP_GET_VARS',
+ '_POST',
+ 'HTTP_POST_VARS',
+ '_COOKIE',
+ 'HTTP_COOKIE_VARS',
+ '_FILES',
+ 'HTTP_POST_FILES',
+ '_ENV',
+ 'HTTP_ENV_VARS',
+ '_REQUEST',
+ '_SESSION',
+ 'HTTP_SESSION_VARS'
+ );
+ foreach ( $_REQUEST as $name => $value ) {
+ if( in_array( $name, $verboten ) ) {
+ header( "HTTP/1.x 500 Internal Server Error" );
+ echo "register_globals security paranoia: trying to overwrite superglobals, aborting.";
+ die( -1 );
+ }
+ unset( $GLOBALS[$name] );
+ }
+}
+
+function &fix_magic_quotes( &$arr ) {
+ if ( get_magic_quotes_gpc() ) {
+ foreach( $arr as $key => $val ) {
+ if( is_array( $val ) ) {
+ fix_magic_quotes( $arr[$key] );
+ } else {
+ $arr[$key] = stripslashes( $val );
+ }
+ }
+ }
+ return $arr;
+}
+
+fix_magic_quotes( $_COOKIE );
+fix_magic_quotes( $_ENV );
+fix_magic_quotes( $_GET );
+fix_magic_quotes( $_POST );
+fix_magic_quotes( $_REQUEST );
+
+
+?>
\ No newline at end of file
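Review bot: The register_globals guard only iterates `$_REQUEST`; whether cookie keys appear in it depends on the `variables_order` setting, so a deployment that omits `C` would leave names arriving via `$_COOKIE` unchecked — iterating `$_GET`, `$_POST` and `$_COOKIE` explicitly (or `array_merge`-ing them) removes that dependence. `header ("HTTP/1.x 500 Internal Server Error")` uses an invalid version token that some SAPIs may pass through verbatim; `HTTP/1.1 500 Internal Server Error` is the conventional form. `fix_magic_quotes` returns `&$arr` by reference but every call site discards the result, so the `&` on the declaration can go. The function whose body opens with `$GLOBALS overwrite vulnerability')` begins before this hunk.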