lib.urlhandlers.php @ 2770:2a2989b67bfb

Visit:

Revision 2770:2a2989b67bfb, 17.0 KB checked in by franck <carnet.franck.paul@…>, 11 years ago (diff)
Prevents integer conversion of "post_id" array key, fixes #1970

Line
1	<?php
2	# -- BEGIN LICENSE BLOCK ---------------------------------------
3	#
4	# This file is part of Dotclear 2.
5	#
6	# Copyright (c) 2003-2013 Olivier Meunier & Association Dotclear
7	# Licensed under the GPL version 2.0 license.
8	# See LICENSE file or
9	# http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
10	#
11	# -- END LICENSE BLOCK -----------------------------------------
12	if (!defined('DC_RC_PATH')) { return; }
13
14	class dcUrlHandlers extends urlHandler
15	{
16	public $args;
17
18	public function getURLFor($type,$value='') {
19	$core =& $GLOBALS['core'];
20	$url = $core->callBehavior("publicGetURLFor",$type,$value);
21	if (!$url) {
22	$url = $this->getBase($type);
23	if ($value) {
24	if ($url) {
25	$url .= '/';
26	}
27	$url .= $value;
28	}
29	}
30	return $url;
31	}
32
33	public function register($type,$url,$representation,$handler)
34	{
35	$core =& $GLOBALS['core'];
36	$t = new ArrayObject(array($type,$url,$representation,$handler));
37	$core->callBehavior("publicRegisterURL",$t);
38	parent::register($t[0],$t[1],$t[2],$t[3]);
39	}
40
41	public static function p404()
42	{
43	throw new Exception ("Page not found",404);
44	}
45
46	public static function default404($args,$type,$e)
47	{
48	if ($e->getCode() != 404) {
49	throw $e;
50	}
51	$_ctx =& $GLOBALS['_ctx'];
52	$core = $GLOBALS['core'];
53
54	header('Content-Type: text/html; charset=UTF-8');
55	http::head(404,'Not Found');
56	$core->url->type = '404';
57	$_ctx->current_tpl = '404.html';
58	$_ctx->content_type = 'text/html';
59
60	echo $core->tpl->getData($_ctx->current_tpl);
61
62	# --BEHAVIOR-- publicAfterDocument
63	$core->callBehavior('publicAfterDocument',$core);
64	exit;
65	}
66
67	protected static function getPageNumber(&$args)
68	{
69	if (preg_match('#(^\|/)page/([0-9]+)$#',$args,$m)) {
70	$n = (integer) $m[2];
71	if ($n > 0) {
72	$args = preg_replace('#(^\|/)page/([0-9]+)$#','',$args);
73	return $n;
74	}
75	}
76
77	return false;
78	}
79
80	protected static function serveDocument($tpl,$content_type='text/html',$http_cache=true,$http_etag=true)
81	{
82	$_ctx =& $GLOBALS['_ctx'];
83	$core =& $GLOBALS['core'];
84
85	if ($_ctx->nb_entry_per_page === null) {
86	$_ctx->nb_entry_per_page = $core->blog->settings->system->nb_post_per_page;
87	}
88	if ($_ctx->nb_entry_first_page === null) {
89	$_ctx->nb_entry_first_page = $_ctx->nb_entry_per_page;
90	}
91
92	$tpl_file = $core->tpl->getFilePath($tpl);
93
94	if (!$tpl_file) {
95	throw new Exception('Unable to find template ');
96	}
97
98	$result = new ArrayObject;
99
100	$_ctx->current_tpl = $tpl;
101	$_ctx->content_type = $content_type;
102	$_ctx->http_cache = $http_cache;
103	$_ctx->http_etag = $http_etag;
104	$core->callBehavior('urlHandlerBeforeGetData',$_ctx);
105
106	if ($_ctx->http_cache) {
107	$GLOBALS['mod_files'][] = $tpl_file;
108	http::cache($GLOBALS['mod_files'],$GLOBALS['mod_ts']);
109	}
110
111	header('Content-Type: '.$_ctx->content_type.'; charset=UTF-8');
112	$result['content'] = $core->tpl->getData($_ctx->current_tpl);
113	$result['content_type'] = $_ctx->content_type;
114	$result['tpl'] = $_ctx->current_tpl;
115	$result['blogupddt'] = $core->blog->upddt;
116
117	# --BEHAVIOR-- urlHandlerServeDocument
118	$core->callBehavior('urlHandlerServeDocument',$result);
119
120	if ($_ctx->http_cache && $_ctx->http_etag) {
121	http::etag($result['content'],http::getSelfURI());
122	}
123	echo $result['content'];
124	}
125
126	public function getDocument()
127	{
128	$core =& $GLOBALS['core'];
129
130	$type = $args = '';
131
132	if ($this->mode == 'path_info')
133	{
134	$part = substr($_SERVER['PATH_INFO'],1);
135	}
136	else
137	{
138	$part = '';
139
140	$qs = $this->parseQueryString();
141
142	# Recreates some _GET and _REQUEST pairs
143	if (!empty($qs))
144	{
145	foreach ($_GET as $k => $v) {
146	if (isset($_REQUEST[$k])) {
147	unset($_REQUEST[$k]);
148	}
149	}
150	$_GET = $qs;
151	$_REQUEST = array_merge($qs,$_REQUEST);
152
153	list($k,$v) = each($qs);
154	if ($v === null) {
155	$part = $k;
156	unset($_GET[$k]);
157	unset($_REQUEST[$k]);
158	}
159	}
160	}
161
162	$_SERVER['URL_REQUEST_PART'] = $part;
163
164	$this->getArgs($part,$type,$this->args);
165
166	# --BEHAVIOR-- urlHandlerGetArgsDocument
167	$core->callBehavior('urlHandlerGetArgsDocument',$this);
168
169	if (!$type)
170	{
171	$this->type = 'default';
172	$this->callDefaultHandler($this->args);
173	}
174	else
175	{
176	$this->type = $type;
177	$this->callHandler($type,$this->args);
178	}
179	}
180
181	public static function home($args)
182	{
183	$n = self::getPageNumber($args);
184
185	if ($args && !$n)
186	{
187	# "Then specified URL went unrecognized by all URL handlers and
188	# defaults to the home page, but is not a page number.
189	self::p404();
190	}
191	else
192	{
193	$_ctx =& $GLOBALS['_ctx'];
194	$core =& $GLOBALS['core'];
195
196	if ($n) {
197	$GLOBALS['_page_number'] = $n;
198	$core->url->type = $n > 1 ? 'default-page' : 'default';
199	}
200
201	if (empty($_GET['q'])) {
202	if ($core->blog->settings->system->nb_post_for_home !== null) {
203	$_ctx->nb_entry_first_page = $core->blog->settings->system->nb_post_for_home;
204	}
205	self::serveDocument('home.html');
206	$core->blog->publishScheduledEntries();
207	} else {
208	self::search();
209	}
210	}
211	}
212
213	public static function search()
214	{
215	$_ctx =& $GLOBALS['_ctx'];
216	$core =& $GLOBALS['core'];
217
218	$core->url->type='search';
219
220	$GLOBALS['_search'] = !empty($_GET['q']) ? rawurldecode($_GET['q']) : '';
221	if ($GLOBALS['_search']) {
222	$params = new ArrayObject(array('search' => $GLOBALS['_search']));
223	$core->callBehavior('publicBeforeSearchCount',$params);
224	$GLOBALS['_search_count'] = $core->blog->getPosts($params,true)->f(0);
225	}
226
227	self::serveDocument('search.html');
228	}
229
230	public static function lang($args)
231	{
232	$_ctx =& $GLOBALS['_ctx'];
233	$core =& $GLOBALS['core'];
234
235	$n = self::getPageNumber($args);
236	$params = new ArrayObject(array(
237	'lang' => $args));
238
239	$core->callBehavior('publicLangBeforeGetLangs',$params,$args);
240
241	$_ctx->langs = $core->blog->getLangs($params);
242
243	if ($_ctx->langs->isEmpty()) {
244	# The specified language does not exist.
245	self::p404();
246	}
247	else
248	{
249	if ($n) {
250	$GLOBALS['_page_number'] = $n;
251	}
252	$_ctx->cur_lang = $args;
253	self::home(null);
254	}
255	}
256
257	public static function category($args)
258	{
259	$_ctx =& $GLOBALS['_ctx'];
260	$core =& $GLOBALS['core'];
261
262	$n = self::getPageNumber($args);
263
264	if ($args == '' && !$n) {
265	# No category was specified.
266	self::p404();
267	}
268	else
269	{
270	$params = new ArrayObject(array(
271	'cat_url' => $args,
272	'post_type' => 'post',
273	'without_empty' => false));
274
275	$core->callBehavior('publicCategoryBeforeGetCategories',$params,$args);
276
277	$_ctx->categories = $core->blog->getCategories($params);
278
279	if ($_ctx->categories->isEmpty()) {
280	# The specified category does no exist.
281	self::p404();
282	}
283	else
284	{
285	if ($n) {
286	$GLOBALS['_page_number'] = $n;
287	}
288	self::serveDocument('category.html');
289	}
290	}
291	}
292
293	public static function archive($args)
294	{
295	$_ctx =& $GLOBALS['_ctx'];
296	$core =& $GLOBALS['core'];
297
298	$year = $month = $cat_url = null;
299	# Nothing or year and month
300	if ($args == '')
301	{
302	self::serveDocument('archive.html');
303	}
304	elseif (preg_match('\|^/([0-9]{4})/([0-9]{2})$\|',$args,$m))
305	{
306	$params = new ArrayObject(array(
307	'year' => $m[1],
308	'month' => $m[2],
309	'type' => 'month'));
310
311	$core->callBehavior('publicArchiveBeforeGetDates',$params,$args);
312
313	$_ctx->archives = $core->blog->getDates($params);
314
315	if ($_ctx->archives->isEmpty()) {
316	# There is no entries for the specified period.
317	self::p404();
318	}
319	else
320	{
321	self::serveDocument('archive_month.html');
322	}
323	}
324	else {
325	# The specified URL is not a date.
326	self::p404();
327	}
328	}
329
330	public static function post($args)
331	{
332	if ($args == '') {
333	# No entry was specified.
334	self::p404();
335	}
336	else
337	{
338	$_ctx =& $GLOBALS['_ctx'];
339	$core =& $GLOBALS['core'];
340
341	$core->blog->withoutPassword(false);
342
343	$params = new ArrayObject(array(
344	'post_url' => $args));
345
346	$core->callBehavior('publicPostBeforeGetPosts',$params,$args);
347
348	$_ctx->posts = $core->blog->getPosts($params);
349
350	$_ctx->comment_preview = new ArrayObject();
351	$_ctx->comment_preview['content'] = '';
352	$_ctx->comment_preview['rawcontent'] = '';
353	$_ctx->comment_preview['name'] = '';
354	$_ctx->comment_preview['mail'] = '';
355	$_ctx->comment_preview['site'] = '';
356	$_ctx->comment_preview['preview'] = false;
357	$_ctx->comment_preview['remember'] = false;
358
359	$core->blog->withoutPassword(true);
360
361	if ($_ctx->posts->isEmpty())
362	{
363	# The specified entry does not exist.
364	self::p404();
365	}
366	else
367	{
368	$post_id = $_ctx->posts->post_id;
369	$post_password = $_ctx->posts->post_password;
370
371	# Password protected entry
372	if ($post_password != '' && !$_ctx->preview)
373	{
374	# Get passwords cookie
375	if (isset($_COOKIE['dc_passwd'])) {
376	$pwd_cookie = json_decode($_COOKIE['dc_passwd']);
377	if ($pwd_cookie === NULL) {
378	$pwd_cookie = array();
379	} else {
380	$pwd_cookie = (array) $pwd_cookie;
381	}
382	} else {
383	$pwd_cookie = array();
384	}
385
386	# Check for match
387	# Note: We must prefix post_id key with '#'' in pwd_cookie array in order to avoid integer conversion
388	# because MyArray["12345"] is treated as MyArray[12345]
389	if ((!empty($_POST['password']) && $_POST['password'] == $post_password)
390	\|\| (isset($pwd_cookie['#'.$post_id]) && $pwd_cookie['#'.$post_id] == $post_password))
391	{
392	$pwd_cookie['#'.$post_id] = $post_password;
393	setcookie('dc_passwd',json_encode($pwd_cookie),0,'/');
394	}
395	else
396	{
397	self::serveDocument('password-form.html','text/html',false);
398	return;
399	}
400	}
401
402	$post_comment =
403	isset($_POST['c_name']) && isset($_POST['c_mail']) &&
404	isset($_POST['c_site']) && isset($_POST['c_content']) &&
405	$_ctx->posts->commentsActive();
406
407	# Posting a comment
408	if ($post_comment)
409	{
410	# Spam trap
411	if (!empty($_POST['f_mail'])) {
412	http::head(412,'Precondition Failed');
413	header('Content-Type: text/plain');
414	echo "So Long, and Thanks For All the Fish";
415	# Exits immediately the application to preserve the server.
416	exit;
417	}
418
419	$name = $_POST['c_name'];
420	$mail = $_POST['c_mail'];
421	$site = $_POST['c_site'];
422	$content = $_POST['c_content'];
423	$preview = !empty($_POST['preview']);
424
425	if ($content != '')
426	{
427	# --BEHAVIOR-- publicBeforeCommentTransform
428	$buffer = $core->callBehavior('publicBeforeCommentTransform',$content);
429	if ($buffer != '') {
430	$content = $buffer;
431	} else {
432	if ($core->blog->settings->system->wiki_comments) {
433	$core->initWikiComment();
434	} else {
435	$core->initWikiSimpleComment();
436	}
437	$content = $core->wikiTransform($content);
438	}
439	$content = $core->HTMLfilter($content);
440	}
441
442	$_ctx->comment_preview['content'] = $content;
443	$_ctx->comment_preview['rawcontent'] = $_POST['c_content'];
444	$_ctx->comment_preview['name'] = $name;
445	$_ctx->comment_preview['mail'] = $mail;
446	$_ctx->comment_preview['site'] = $site;
447
448	if ($preview)
449	{
450	# --BEHAVIOR-- publicBeforeCommentPreview
451	$core->callBehavior('publicBeforeCommentPreview',$_ctx->comment_preview);
452
453	$_ctx->comment_preview['preview'] = true;
454	}
455	else
456	{
457	# Post the comment
458	$cur = $core->con->openCursor($core->prefix.'comment');
459	$cur->comment_author = $name;
460	$cur->comment_site = html::clean($site);
461	$cur->comment_email = html::clean($mail);
462	$cur->comment_content = $content;
463	$cur->post_id = $_ctx->posts->post_id;
464	$cur->comment_status = $core->blog->settings->system->comments_pub ? 1 : -1;
465	$cur->comment_ip = http::realIP();
466
467	$redir = $_ctx->posts->getURL();
468	$redir .= $core->blog->settings->system->url_scan == 'query_string' ? '&' : '?';
469
470	try
471	{
472	if (!text::isEmail($cur->comment_email)) {
473	throw new Exception(__('You must provide a valid email address.'));
474	}
475
476	# --BEHAVIOR-- publicBeforeCommentCreate
477	$core->callBehavior('publicBeforeCommentCreate',$cur);
478	if ($cur->post_id) {
479	$comment_id = $core->blog->addComment($cur);
480
481	# --BEHAVIOR-- publicAfterCommentCreate
482	$core->callBehavior('publicAfterCommentCreate',$cur,$comment_id);
483	}
484
485	if ($cur->comment_status == 1) {
486	$redir_arg = 'pub=1';
487	} else {
488	$redir_arg = 'pub=0';
489	}
490
491	header('Location: '.$redir.$redir_arg);
492	}
493	catch (Exception $e)
494	{
495	$_ctx->form_error = $e->getMessage();
496	$_ctx->form_error;
497	}
498	}
499	}
500
501	# The entry
502	if ($_ctx->posts->trackbacksActive()) {
503	header('X-Pingback: '.$core->blog->url.$core->url->getURLFor("xmlrpc",$core->blog->id));
504	}
505	self::serveDocument('post.html');
506	}
507	}
508	}
509
510	public static function preview($args)
511	{
512	$core = $GLOBALS['core'];
513	$_ctx = $GLOBALS['_ctx'];
514
515	if (!preg_match('#^(.+?)/([0-9a-z]{40})/(.+?)$#',$args,$m)) {
516	# The specified Preview URL is malformed.
517	self::p404();
518	}
519	else
520	{
521	$user_id = $m[1];
522	$user_key = $m[2];
523	$post_url = $m[3];
524	if (!$core->auth->checkUser($user_id,null,$user_key)) {
525	# The user has no access to the entry.
526	self::p404();
527	}
528	else
529	{
530	$_ctx->preview = true;
531	self::post($post_url);
532	}
533	}
534	}
535
536	public static function feed($args)
537	{
538	$type = null;
539	$comments = false;
540	$cat_url = false;
541	$post_id = null;
542	$subtitle = '';
543
544	$mime = 'application/xml';
545
546	$_ctx =& $GLOBALS['_ctx'];
547	$core =& $GLOBALS['core'];
548
549	if (preg_match('!^([a-z]{2}(-[a-z]{2})?)/(.*)$!',$args,$m)) {
550	$params = new ArrayObject(array('lang' => $m[1]));
551
552	$args = $m[3];
553
554	$core->callBehavior('publicFeedBeforeGetLangs',$params,$args);
555
556	$_ctx->langs = $core->blog->getLangs($params);
557
558	if ($_ctx->langs->isEmpty()) {
559	# The specified language does not exist.
560	self::p404();
561	return;
562	} else {
563	$_ctx->cur_lang = $m[1];
564	}
565	}
566
567	if (preg_match('#^rss2/xslt$#',$args,$m))
568	{
569	# RSS XSLT stylesheet
570	self::serveDocument('rss2.xsl','text/xml');
571	return;
572	}
573	elseif (preg_match('#^(atom\|rss2)/comments/([0-9]+)$#',$args,$m))
574	{
575	# Post comments feed
576	$type = $m[1];
577	$comments = true;
578	$post_id = (integer) $m[2];
579	}
580	elseif (preg_match('#^(?:category/(.+)/)?(atom\|rss2)(/comments)?$#',$args,$m))
581	{
582	# All posts or comments feed
583	$type = $m[2];
584	$comments = !empty($m[3]);
585	if (!empty($m[1])) {
586	$cat_url = $m[1];
587	}
588	}
589	else
590	{
591	# The specified Feed URL is malformed.
592	self::p404();
593	return;
594	}
595
596	if ($cat_url)
597	{
598	$params = new ArrayObject(array(
599	'cat_url' => $cat_url,
600	'post_type' => 'post'));
601
602	$core->callBehavior('publicFeedBeforeGetCategories',$params,$args);
603
604	$_ctx->categories = $core->blog->getCategories($params);
605
606	if ($_ctx->categories->isEmpty()) {
607	# The specified category does no exist.
608	self::p404();
609	return;
610	}
611
612	$subtitle = ' - '.$_ctx->categories->cat_title;
613	}
614	elseif ($post_id)
615	{
616	$params = new ArrayObject(array(
617	'post_id' => $post_id,
618	'post_type' => ''));
619
620	$core->callBehavior('publicFeedBeforeGetPosts',$params,$args);
621
622	$_ctx->posts = $core->blog->getPosts($params);
623
624	if ($_ctx->posts->isEmpty()) {
625	# The specified post does not exist.
626	self::p404();
627	return;
628	}
629
630	$subtitle = ' - '.$_ctx->posts->post_title;
631	}
632
633	$tpl = $type;
634	if ($comments) {
635	$tpl .= '-comments';
636	$_ctx->nb_comment_per_page = $core->blog->settings->system->nb_comment_per_feed;
637	} else {
638	$_ctx->nb_entry_per_page = $core->blog->settings->system->nb_post_per_feed;
639	$_ctx->short_feed_items = $core->blog->settings->system->short_feed_items;
640	}
641	$tpl .= '.xml';
642
643	if ($type == 'atom') {
644	$mime = 'application/atom+xml';
645	}
646
647	$_ctx->feed_subtitle = $subtitle;
648
649	header('X-Robots-Tag: '.context::robotsPolicy($core->blog->settings->system->robots_policy,''));
650	self::serveDocument($tpl,$mime);
651	if (!$comments && !$cat_url) {
652	$core->blog->publishScheduledEntries();
653	}
654	}
655
656	public static function trackback($args)
657	{
658	if (!preg_match('/^[0-9]+$/',$args)) {
659	# The specified trackback URL is not an number
660	self::p404();
661	} else {
662	$tb = new dcTrackback($GLOBALS['core']);
663	$tb->receive($args);
664	}
665	}
666
667	public static function rsd($args)
668	{
669	$core =& $GLOBALS['core'];
670	http::cache($GLOBALS['mod_files'],$GLOBALS['mod_ts']);
671
672	header('Content-Type: text/xml; charset=UTF-8');
673	echo
674	'<?xml version="1.0" encoding="UTF-8"?>'."\n".
675	'<rsd version="1.0" xmlns="http://archipelago.phrasewise.com/rsd">'."\n".
676	"<service>\n".
677	" <engineName>Dotclear</engineName>\n".
678	" <engineLink>http://www.dotclear.org/</engineLink>\n".
679	' <homePageLink>'.html::escapeHTML($core->blog->url)."</homePageLink>\n";
680
681	if ($core->blog->settings->system->enable_xmlrpc)
682	{
683	$u = sprintf(DC_XMLRPC_URL,$core->blog->url,$core->blog->id);
684
685	echo
686	" <apis>\n".
687	' <api name="WordPress" blogID="1" preferred="true" apiLink="'.$u.'"/>'."\n".
688	' <api name="Movable Type" blogID="1" preferred="false" apiLink="'.$u.'"/>'."\n".
689	' <api name="MetaWeblog" blogID="1" preferred="false" apiLink="'.$u.'"/>'."\n".
690	' <api name="Blogger" blogID="1" preferred="false" apiLink="'.$u.'"/>'."\n".
691	" </apis>\n";
692	}
693
694	echo
695	"</service>\n".
696	"</rsd>\n";
697	}
698
699	public static function xmlrpc($args)
700	{
701	$core =& $GLOBALS['core'];
702	$blog_id = preg_replace('#^([^/]).#','$1',$args);
703	$server = new dcXmlRpc($core,$blog_id);
704	$server->serve();
705	}
706	}

Note: See TracBrowser for help on using the repository browser.

Dotclear

Context Navigation

source: inc/public/lib.urlhandlers.php @ 2770:2a2989b67bfb

Download in other formats:

Sites map