torrentpier/upload/misc.php
fly.dvorkin 5b718d4428 r474
Частичный откат к 471, с сохранением фиксов. git-svn-id: https://torrentpier2.googlecode.com/svn/trunk@474 a8ac35ab-4ca4-ca47-4c2d-a49a94f06293
2012-11-13 14:03:13 +00:00

145 lines
3.8 KiB
PHP

<?php
define('IN_PHPBB', true);
define('BB_SCRIPT', 'misc');
define('BB_ROOT', './');
require(BB_ROOT ."common.php");
// Start Session Management
$user->session_start();
$do = request_var('do', '');
if ($do == 'attach_rules')
{
if (!$forum_id = @intval(request_var('f', '')) OR !forum_exists($forum_id))
{
bb_die('invalid forum_id');
}
require(BB_ROOT .'attach_mod/attachment_mod.php');
// Display the allowed Extension Groups and Upload Size
$auth = auth(AUTH_ALL, $forum_id, $userdata);
$_max_filesize = $attach_config['max_filesize'];
if (!$auth['auth_attachments'] || !$auth['auth_view'])
{
bb_die('You are not allowed to call this file');
}
$sql = 'SELECT group_id, group_name, max_filesize, forum_permissions
FROM ' . BB_EXTENSION_GROUPS . '
WHERE allow_group = 1
ORDER BY group_name ASC';
if (!($result = DB()->sql_query($sql)))
{
message_die(GENERAL_ERROR, 'Could not query Extension Groups.', '', __LINE__, __FILE__, $sql);
}
$allowed_filesize = array();
$rows = DB()->sql_fetchrowset($result);
$num_rows = DB()->num_rows($result);
DB()->sql_freeresult($result);
// Ok, only process those Groups allowed within this forum
$nothing = true;
for ($i = 0; $i < $num_rows; $i++)
{
$auth_cache = trim($rows[$i]['forum_permissions']);
$permit = ((is_forum_authed($auth_cache, $forum_id)) || trim($rows[$i]['forum_permissions']) == '');
if ($permit)
{
$nothing = false;
$group_name = $rows[$i]['group_name'];
$f_size = intval(trim($rows[$i]['max_filesize']));
$det_filesize = (!$f_size) ? $_max_filesize : $f_size;
$max_filesize = (!$det_filesize) ? $lang['UNLIMITED'] : humn_size($det_filesize);
$template->assign_block_vars('group_row', array(
'GROUP_RULE_HEADER' => sprintf($lang['GROUP_RULE_HEADER'], $group_name, $max_filesize))
);
$sql = 'SELECT extension
FROM ' . BB_EXTENSIONS . "
WHERE group_id = " . (int) $rows[$i]['group_id'] . "
ORDER BY extension ASC";
if (!($result = DB()->sql_query($sql)))
{
message_die(GENERAL_ERROR, 'Could not query Extensions.', '', __LINE__, __FILE__, $sql);
}
$e_rows = DB()->sql_fetchrowset($result);
$e_num_rows = DB()->num_rows($result);
DB()->sql_freeresult($result);
for ($j = 0; $j < $e_num_rows; $j++)
{
$template->assign_block_vars('group_row.extension_row', array(
'EXTENSION' => $e_rows[$j]['extension'])
);
}
}
}
$template->assign_vars(array(
'PAGE_TITLE' => $lang['ATTACH_RULES_TITLE'])
);
if ($nothing)
{
$template->assign_block_vars('switch_nothing', array());
}
print_page('attach_rules.tpl', 'simple');
}
elseif ($do == 'info')
{
$req_mode = (string) request_var('show', 'not_found');
if(preg_match('/\//i', $req_mode))
{
die('Include detected!');
}
if(preg_match('/</i', $req_mode))
{
die('XSS detected!');
}
$req_mode = clean_filename(basename($req_mode));
$html_dir = $bb_cfg['html_path'];
$require = file_exists($html_dir . $req_mode .'.html') ? $html_dir . $req_mode .'.html' : $html_dir . 'not_found.html';
$in_info = true;
?><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta http-equiv="Content-Style-Type" content="text/css" />
<link rel="stylesheet" href="./templates/default/css/main.css" type="text/css">
</head>
<body>
<style type="text/css">
#infobox-wrap { width: 760px; }
#infobox-body {
background: #FFFFFF; color: #000000; padding: 1em;
height: 400px; overflow: auto; border: 1px inset #000000;
}
</style>
<br />
<?php require($require) ?>
</body>
</html>
<?php
}
else
{
message_die(GENERAL_ERROR, 'Invalid mode <br /> <a href="javascript:history.go(-1)">Go back</a>');
}