diff --git a/about.php b/about.php
index 6a5175d533..780af5ef14 100644
--- a/about.php
+++ b/about.php
@@ -11,21 +11,17 @@
 /* $Id$ */
- $GLOBALS['egw_info'] = array();
- $app = $_GET['app'];
- if(isset($app) && $_GET['app'] != 'eGroupWare')
- {
- $GLOBALS['egw_info']['flags']['currentapp'] = $app;
- }
- else
- {
- $GLOBALS['egw_info']['flags']['currentapp'] = 'about';
- }
-
- $GLOBALS['egw_info']['flags']['disable_Template_class'] = True;
- $GLOBALS['egw_info']['flags']['noheader'] = True;
+ $GLOBALS['egw_info'] = array(
+ 'flags' => array(
+ 'currentapp' => isset($_GET['app']) && $_GET['app'] != 'eGroupWare' ? $_GET['app'] : 'about',
+ 'disable_Template_class' => True,
+ 'noheader' => True,
+ )
+ );
 include('header.inc.php');
+ $app = isset($_GET['app']) && $_GET['app'] != 'eGroupWare' ? basename($_GET['app']) : 'about';
+
 if ($app)
 {
 if (!($included = $GLOBALS['egw']->hooks->single('about',$app)))
@@ -38,7 +34,7 @@
 $api_only = True;
 }
- $tpl = CreateObject('phpgwapi.Template',$GLOBALS['egw']->common->get_tpl_dir('phpgwapi'));
+ $tpl =& CreateObject('phpgwapi.Template',$GLOBALS['egw']->common->get_tpl_dir('phpgwapi'));
 $tpl->set_file(array(
 'phpgw_about' => 'about.tpl',
 'phpgw_about_unknown' => 'about_unknown.tpl'
@@ -46,7 +42,7 @@
 $title = isset($GLOBALS['egw_info']['apps'][$app]) ? $GLOBALS['egw_info']['apps'][$app]['title'] : 'eGroupWare';
 $GLOBALS['egw_info']['flags']['app_header'] = lang('About %1',$title);
- $GLOBALS['egw']->common->phpgw_header();
+ $GLOBALS['egw']->common->egw_header();
 $tpl->set_block('phpgw_about', 'egroupware','egroupware');
 $tpl->set_block('phpgw_about', 'application','application');
@@ -77,11 +73,11 @@
 }
 }
- $GLOBALS['egw']->common->phpgw_footer();
+ $GLOBALS['egw']->common->egw_footer();
 function about_app()
 {
- global $app;
+ $app = basename($_GET['app']);
 include(EGW_INCLUDE_ROOT . "/$app/setup/setup.inc.php");
 $info = $setup_info[$app];
 $info['icon'] = $GLOBALS['egw']->common->image($app,array('navbar','nonav'));
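Review bot: The `currentapp` flag in the new array literal at @@ -11 keeps the raw `$_GET['app']`, while the `$app` assigned after the header include is passed through `basename()`, so for the same request the flag and the variable can hold different values. Using the normalised form in both places keeps them consistent: `'currentapp' => isset($_GET['app']) && $_GET['app'] != 'eGroupWare' ? basename($_GET['app']) : 'about',`. The isset/compare expression is now evaluated twice on the new side; computing it once into a local before the array is built would avoid the duplication.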
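Review bot: `about_app()` at @@ -77 now includes `EGW_INCLUDE_ROOT . "/$app/setup/setup.inc.php"` with `$app` taken straight from `basename($_GET['app'])`; that stops directory traversal but still lets any single path component reach `include`, and a missing `app` parameter raises a notice. The caller already uses `isset($GLOBALS['egw_info']['apps'][$app])` as the validity test (hunk @@ -46), so the same check belongs here before the include, or the function can simply keep `global $app;` now that the top-level `$app` is normalised at @@ -11. I cannot see from the hunk what about_app() returns, so how it should bail out on an unknown app is left to the author; the body of about_app() continues past the end of the hunk.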
diff --git a/index.php b/index.php
index e0d6a00c04..dc008b309f 100755
--- a/index.php
+++ b/index.php
@@ -11,7 +11,6 @@
 /* $Id$ */
- $egw_info = array();
 if(!file_exists('header.inc.php'))
 {
 Header('Location: setup/index.php');
@@ -35,9 +34,9 @@
 /* This is the menuaction driver for the multi-layered design */
- if(isset($_GET['menuaction']))
+ if(isset($_GET['menuaction']) && preg_match('/^[A-Za-z0-9_]+\.[A-Za-z0-9_]+\.[A-Za-z0-9_]+$/',$_GET['menuaction']))
 {
- list($app,$class,$method) = explode('.',@$_GET['menuaction']);
+ list($app,$class,$method) = explode('.',$_GET['menuaction']);
 if(! $app || ! $class || ! $method)
 {
 $invalid_data = True;
@@ -45,9 +44,6 @@
 }
 else
 {
- //$egw->log->message('W-BadmenuactionVariable, menuaction missing or corrupt: %1',$menuaction);
- //$egw->log->commit();
-
- $app = 'home';
 $invalid_data = True;
 }
@@ -58,19 +54,21 @@
 $api_requested = True;
 }
- $GLOBALS['egw_info']['flags'] = array(
- 'noheader' => True,
- 'nonavbar' => True,
- 'enable_network_class' => True,
- 'enable_contacts_class' => True,
- 'enable_nextmatchs_class' => True,
- 'currentapp' => $app
+ $GLOBALS['egw_info'] = array(
+ 'flags' => array(
+ 'noheader' => True,
+ 'nonavbar' => True,
+ 'enable_network_class' => True,
+ 'enable_contacts_class' => True,
+ 'enable_nextmatchs_class' => True,
+ 'currentapp' => $app
+ )
 );
 include('./header.inc.php');
 // Check if we are using windows or normal webpage
 $windowed = false;
- $tpl_info = EGW_SERVER_ROOT . '/phpgwapi/templates/' . $GLOBALS['egw_info']['user']['preferences']['common']['template_set'] . '/setup/setup.inc.php';
+ $tpl_info = EGW_SERVER_ROOT . '/phpgwapi/templates/' . basename($GLOBALS['egw_info']['user']['preferences']['common']['template_set']) . '/setup/setup.inc.php';
 if(@file_exists($tpl_info))
 {
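Review bot: The new `preg_match` at @@ -35 anchors with `$`, which in PCRE also matches just before a final newline, so a `menuaction` ending in `\n` passes the pattern and the newline is carried into `$method` by the `explode`. Anchoring with `\z` closes that gap: `preg_match('/^[A-Za-z0-9_]+\.[A-Za-z0-9_]+\.[A-Za-z0-9_]+\z/',$_GET['menuaction'])`. The same pattern is introduced in xajax.php at @@ -91 and should be changed there as well.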
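Review bot: With `$app = 'home';` removed from the else branch at @@ -45, a request whose `menuaction` is absent or rejected by the new pattern reaches `'currentapp' => $app` at @@ -58 with `$app` still unassigned, unless the lines between the two hunks (old 49–57, not shown) set it; the flag would then be null when `header.inc.php` is included. If that is not intended, keep a default in the else branch alongside `$invalid_data = True;`, e.g. `$app = 'home';`, which the `|| $invalid_data` added at @@ -133 still rejects for dispatch.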
@@ -122,7 +120,7 @@
 }
 $GLOBALS[$class] = CreateObject($app.'.'.$class); // dont use =& with $GLOBALS, it does NOT behave as expected
- if((is_array($GLOBALS[$class]->public_functions) && $GLOBALS[$class]->public_functions[$method]) && ! $invalid_data)
+ if((is_array($GLOBALS[$class]->public_functions) && $GLOBALS[$class]->public_functions[$method]) && !$invalid_data)
 {
 execmethod($_GET['menuaction']);
 unset($app);
@@ -133,7 +131,7 @@
 }
 else
 {
- if(!$app || !$class || !$method)
+ if(!$app || !$class || !$method || $invalid_data)
 {
 if(@is_object($GLOBALS['egw']->log))
 {
@@ -146,7 +144,7 @@
 }
 }
- if(!is_array($GLOBALS[$class]->public_functions) || ! $$GLOBALS[$class]->public_functions[$method] && $method)
+ if(!is_array($GLOBALS[$class]->public_functions) || !$GLOBALS[$class]->public_functions[$method] && $method)
 {
 if(@is_object($GLOBALS['egw']->log))
 {
diff --git a/logout.php b/logout.php
index 681ac3fe9a..f9bc4f24fc 100755
--- a/logout.php
+++ b/logout.php
@@ -12,13 +12,14 @@
 /* $Id$ */
- $egw_info = array();
- $GLOBALS['egw_info']['flags'] = array(
- 'disable_Template_class' => True,
- 'currentapp' => 'logout',
- 'noheader' => True,
- 'nofooter' => True,
- 'nonavbar' => True
+ $GLOBALS['egw_info'] = array(
+ 'flags' => array(
+ 'disable_Template_class' => True,
+ 'currentapp' => 'logout',
+ 'noheader' => True,
+ 'nofooter' => True,
+ 'nonavbar' => True
+ )
 );
 include('./header.inc.php');
diff --git a/rpc.php b/rpc.php
index ed1d6b31d2..5ada3508c9 100644
--- a/rpc.php
+++ b/rpc.php
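Review bot: The dispatch at @@ -122 still writes the created object to `$GLOBALS[$class]` with `$class` taken from the request; the character allow-list added at @@ -35 validates the spelling but not that the name is safe to use as a key into `$GLOBALS`, so a `class` value that coincides with an existing global (for instance `egw` or `egw_info`) would replace it, assuming `CreateObject` returns something for that name. Refusing the collision before the assignment keeps the allow-list from being the only defence: `if (isset($GLOBALS[$class])) { $invalid_data = True; } else { $GLOBALS[$class] = CreateObject($app.'.'.$class); }`. Whether execmethod() depends on the global being set is not visible in the hunk.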
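Review bot: The rewritten condition at @@ -146 mixes `||` and `&&` without parentheses; since `&&` binds tighter it reads as `!is_array(...) || (!$GLOBALS[$class]->public_functions[$method] && $method)`, which is presumably the intended grouping now that the `$$GLOBALS` typo is gone, but it is easy to misread. Writing the parentheses out, `if(!is_array($GLOBALS[$class]->public_functions) || (!$GLOBALS[$class]->public_functions[$method] && $method))`, makes the precedence explicit. The two-line condition added in xajax.php at @@ -91 has the same shape and would benefit from the same parentheses.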
@@ -14,12 +14,13 @@
 error_reporting(E_ALL & ~E_NOTICE);
 require_once HORDE_BASE . '/lib/core.php';
 require_once 'Horde/RPC.php';
-$GLOBALS['egw_info'] = array();
-$GLOBALS['egw_info']['flags'] = array(
- 'currentapp' => 'login',
- 'noheader' => True,
- 'nonavbar' => True,
- 'disable_Template_class' => True
+$GLOBALS['egw_info'] = array(
+ 'flags' => array(
+ 'currentapp' => 'login',
+ 'noheader' => True,
+ 'nonavbar' => True,
+ 'disable_Template_class' => True
+ )
 );
 include('./header.inc.php');
diff --git a/set_box.php b/set_box.php
index 6aab59d324..c121dee7c0 100755
--- a/set_box.php
+++ b/set_box.php
@@ -12,10 +12,12 @@
 /* $Id$ */
- $GLOBALS['egw_info']['flags'] = Array(
- 'noheader' => True,
- 'nofooter' => True,
- 'currentapp' => 'home'
+ $GLOBALS['egw_info'] = array(
+ 'flags' => Array(
+ 'noheader' => True,
+ 'nofooter' => True,
+ 'currentapp' => 'home'
+ )
 );
 include('header.inc.php');
@@ -97,4 +99,3 @@
 }
 $GLOBALS['egw']->redirect_link('/home/index.php');
-?>
diff --git a/soap.php b/soap.php
index b2d3a23cae..be8f3193f5 100644
--- a/soap.php
+++ b/soap.php
@@ -12,12 +12,13 @@
 /* $Id$ */
- $egw_info = array();
- $GLOBALS['egw_info']['flags'] = array(
- 'disable_Template_class' => True,
- 'currentapp' => 'login',
- 'noheader' => True,
- 'disable_Template_class' => True
+ $GLOBALS['egw_info'] = array(
+ 'flags' => array(
+ 'disable_Template_class' => True,
+ 'currentapp' => 'login',
+ 'noheader' => True,
+ 'disable_Template_class' => True
+ )
 );
 include('./header.inc.php');
@@ -89,4 +90,3 @@
 }
 $GLOBALS['server']->service($HTTP_RAW_POST_DATA);
-?>
diff --git a/xajax.php b/xajax.php
index 4893325671..659696d5b9 100644
--- a/xajax.php
+++ b/xajax.php
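Review bot: The new `flags` literal in soap.php at @@ -12 repeats the key `'disable_Template_class' => True` as both its first and its last entry; PHP keeps the last value so it is harmless, but the duplicate was carried over from the old array rather than cleaned up while the block was being rewritten, and dropping one of the two lines leaves the same flags. The parallel rewrites in rpc.php and set_box.php on this line have no duplicate; set_box.php does keep the capitalised `Array(` beside the new lowercase `array(`, which is worth normalising while the literal is touched.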
@@ -71,9 +71,6 @@
 $GLOBALS['xajax']->setCharEncoding($GLOBALS['egw']->translation->charset());
 define('XAJAX_DEFAULT_CHAR_ENCODING',$GLOBALS['egw']->translation->charset());
- // now the header is included, we can set the charset
- $GLOBALS['xajax']->setCharEncoding($GLOBALS['egw']->translation->charset());
-
 switch($handler)
 {
 case '/etemplate/process_exec':
@@ -91,7 +88,8 @@
 error_log("xajax_doXMLHTTP() /etemplate/process_exec handler: arg0='$arg0', menuaction='$_GET[menuaction]'");
 break;
 }
- if(substr($className,0,4) != 'ajax' && $arg0 != 'etemplate.etemplate.process_exec' && substr($functionName,0,4) != 'ajax')
+ if(substr($className,0,4) != 'ajax' && $arg0 != 'etemplate.etemplate.process_exec' && substr($functionName,0,4) != 'ajax' ||
+ !preg_match('/^[A-Za-z0-9_]+\.[A-Za-z0-9_]+\.[A-Za-z0-9_]+$/',$arg0))
 {
 // stopped for security reasons
 error_log($_SERVER['PHP_SELF']. ' stopped for security reason. '.$arg0.' is not valid. class- or function-name must start with ajax!!!');
diff --git a/xmlrpc.php b/xmlrpc.php
index f09d1cc85c..d6f51251c1 100644
--- a/xmlrpc.php
+++ b/xmlrpc.php
@@ -15,11 +15,12 @@
 /*list($usec, $sec) = explode(" ", microtime());
 $GLOBALS['concisus']['script_start'] = ((float)$usec + (float)$sec);*/
- $GLOBALS['egw_info'] = array();
- $GLOBALS['egw_info']['flags'] = array(
- 'currentapp' => 'login',
- 'noheader' => True,
- 'disable_Template_class' => True
+ $GLOBALS['egw_info'] = array(
+ 'flags' => array(
+ 'currentapp' => 'login',
+ 'noheader' => True,
+ 'disable_Template_class' => True
+ )
 );
 include('header.inc.php');
@@ -84,4 +85,3 @@
 }
 $server->service($_SERVER['HTTP_RAW_POST_DATA']);
-?>
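Review bot: The `|| !preg_match(...)` clause added at @@ -91 is evaluated on `$arg0` regardless of the className/functionName checks, because `&&` binds tighter than `||`, so every call whose `$arg0` is not an `app.class.method` string is now stopped, including ones that previously passed on an `ajax`-prefixed class or function name; if `$arg0` can legitimately hold something else for those calls, which I cannot tell from the hunk, that is a behaviour change worth confirming. The log line below still says `class- or function-name must start with ajax!!!`, which no longer describes the pattern-rejection case; extending it, e.g. `' is not valid. class- or function-name must start with ajax, or menuaction is malformed!!!'`, keeps the log useful when triaging rejected requests. The `$` anchoring of the pattern is the same point raised on index.php @@ -35, and the `\z` fix applies here too.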