From 22630b849a759a8d0852afae4d771126d73a71cd Mon Sep 17 00:00:00 2001
From: Ralf Becker
Date: Sat, 13 Feb 2010 01:19:27 +0000
Subject: [PATCH] fixed problem pointed out by Nahuel Grisolia
---
 phpgwapi/inc/class.html.inc.php | 12 ----
 .../server-scripts/spellchecker.php | 56 ++++++++++++++-----
 2 files changed, 41 insertions(+), 27 deletions(-)
diff --git a/phpgwapi/inc/class.html.inc.php b/phpgwapi/inc/class.html.inc.php
index 2cfc523fd8..f90e6b03ec 100644
--- a/phpgwapi/inc/class.html.inc.php
+++ b/phpgwapi/inc/class.html.inc.php
@@ -622,18 +622,6 @@ class html
 $spell = '_spellcheck';
 $oFCKeditor->Config['SpellChecker'] = 'SpellerPages';
 $oFCKeditor->Config['SpellerPagesServerScript'] = 'server-scripts/spellchecker.php?enabled=1';
- if (isset($GLOBALS['egw_info']['server']['aspell_path']))
- {
- $oFCKeditor->Config['SpellerPagesServerScript'] .= '&aspell_path='.$GLOBALS['egw_info']['server']['aspell_path'];
- }
- if (isset($GLOBALS['egw_info']['user']['preferences']['common']['spellchecker_lang']))
- {
- $oFCKeditor->Config['SpellerPagesServerScript'] .= '&spellchecker_lang='.$GLOBALS['egw_info']['user']['preferences']['common']['spellchecker_lang'];
- }
- else
- {
- $oFCKeditor->Config['SpellerPagesServerScript'] .= '&spellchecker_lang='.$GLOBALS['egw_info']['user']['preferences']['common']['lang'];
- }
 $oFCKeditor->Config['FirefoxSpellChecker'] = false;
 }
 // Now setting the user preferences
diff --git a/phpgwapi/js/fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php b/phpgwapi/js/fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php
index 791c1ef9e8..cddd86a87a 100644
--- a/phpgwapi/js/fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php
+++ b/phpgwapi/js/fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php
@@ -5,24 +5,32 @@ header('Content-type: text/html; charset=utf-8');
 //$aspell_prog = '"C:\Program Files\Aspell\bin\aspell.exe"'; // by FredCK (for Windows)
 //$aspell_prog = 'aspell'; // by FredCK (for Linux)
-if ($_GET['aspell_path'])
+
+// This is to prevent abitrary access to FCK's spellchecker.php AND to supply the configured path and lang
+function deny_no_egw_session(&$account)
 {
- $aspell_prog = $_GET['aspell_path'];
+ die('Access denied, no EGroupware session!');
+}
+$GLOBALS['egw_info'] = array(
+ 'flags' => array(
+ 'currentapp' => 'home',
+ 'noheader' => true,
+ 'autocreate_session_callback' => 'deny_no_egw_session',
+ )
+);
+// will not continue, unless the header get's included and there is a valid eGW session
+require('../../../../../../../../header.inc.php');
+
+if (!empty($GLOBALS['egw_info']['user']['preferences']['common']['spellchecker_lang']))
+{
+ $lang = $GLOBALS['egw_info']['user']['preferences']['common']['spellchecker_lang'];
 }
 else
 {
- $aspell_prog = 'aspell';
+ $lang = $GLOBALS['egw_info']['user']['preferences']['common']['lang'];
 }
-
-if ($_GET['spellchecker_lang'])
-{
- $lang = $_GET['spellchecker_lang'];
-}
-else
-{
- $lang = 'en_US';
-}
-$aspell_opts = "-a --lang=$lang --encoding=utf-8 -H --rem-sgml-check=alt"; // by FredCK
+
+$aspell_opts = '-a '.escapeshellarg('--lang='.$lang).' --encoding=utf-8 -H --rem-sgml-check=alt'; // by FredCK
 $tempfiledir = "./";
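Review bot: `$lang` is now read from the session user's preferences and reaches the aspell command line shell-quoted but otherwise unvalidated, and the former `en_US` default is gone, so an empty or malformed preference produces `--lang=` or a value aspell has no dictionary for. `escapeshellarg()` closes the shell-metacharacter path; a format check before `$aspell_opts` is built would additionally restrict the value to a locale code, e.g. `if (!preg_match('/^[a-z]{2,3}([_-][A-Za-z]{2})?$/', (string)$lang)) $lang = 'en_US';`. The relative `require('../../../../../../../../header.inc.php')` is resolved against the working directory rather than this file's location; anchoring it with `dirname(__FILE__)` would make the session gate independent of how the script is invoked.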
@@ -84,14 +92,32 @@ function error_handler( $err ) {
 ## for each misspelled word, get suggestions and put in the javascript suggs array
 function print_checker_results() {
- global $aspell_prog;
 global $aspell_opts;
 global $tempfiledir;
 global $textinputs;
 global $input_separator;
 $aspell_err = "";
+
+ // check if admin enabled serverside (aspell based) spellchecker
+ if (!isset($GLOBALS['egw_info']['server']['enabled_spellcheck']))
+ {
+ error_handler('Spellchecker is NOT enabled in global EGroupware configuration (Admin >> Site configuration)!');
+ return;
+ }
+
+ if (!empty($GLOBALS['egw_info']['server']['aspell_path']) &&
+ is_executable($GLOBALS['egw_info']['server']['aspell_path']))
+ {
+ $aspell_prog = $GLOBALS['egw_info']['server']['aspell_path'];
+ }
+ else // little fallback that might save linux users
+ {
+ $aspell_prog = 'aspell';
+ }
+
 # create temp file
- $tempfile = tempnam( $tempfiledir, 'aspell_data_' );
+ // use EGroupware's temp_dir
+ $tempfile = tempnam( $GLOBALS['egw_info']['server']['temp_dir'], 'aspell_data_' );
 # open temp file, add the submitted text.
 if( $fh = fopen( $tempfile, 'w' )) {
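Review bot: `$aspell_prog` is assigned from the `aspell_path` setting unquoted after the `is_executable()` test; if it is interpolated into the shell command further down (outside this hunk, presumably together with `$aspell_opts` and `$tempfile`), a configured path containing spaces or shell metacharacters will not be passed as a single word. Quoting at assignment, `$aspell_prog = escapeshellarg($GLOBALS['egw_info']['server']['aspell_path']);`, keeps the admin-configured path one argument. The enable check uses `isset()`, which also passes for a stored empty string or `'0'`; `empty()` is the stricter test if the site configuration can hold such a value. The body of print_checker_results() continues past the end of the hunk.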