diff --git a/admin/index.php b/admin/index.php index 3ef94c1..69c2e50 100755 --- a/admin/index.php +++ b/admin/index.php @@ -38,9 +38,9 @@ get_lang('acp'); //need to login again // if ( - (empty($_SESSION['ADMINLOGIN']) || $_SESSION['ADMINLOGIN'] != md5(sha1($config['h_key']) . $usrcp->name() . $config['siteurl'])) || - (empty($_SESSION['USER_SESS']) || $_SESSION['USER_SESS'] != session_id()) || - (empty($_SESSION['ADMINLOGIN_T']) || $_SESSION['ADMINLOGIN_T'] < time()) + (empty($_SESSION['ADMINLOGIN']) || $_SESSION['ADMINLOGIN'] != md5(sha1($config['h_key']) . $usrcp->name() . $config['siteurl'])) || + (empty($_SESSION['USER_SESS']) || $_SESSION['USER_SESS'] != KJ_SESSION) || + (empty($_SESSION['ADMINLOGIN_T']) || $_SESSION['ADMINLOGIN_T'] < time()) ) { if (ig('go') && g('go') == 'login') { @@ -48,7 +48,7 @@ if ( { //login $ERRORS = []; - $pass_field = 'lpass_' . preg_replace('/[^0-9]/', '', sha1($klj_session . sha1($config['h_key']) . p('kid'))); + $pass_field = 'lpass_' . preg_replace('/[^0-9]/', '', sha1(KJ_SESSION . sha1($config['h_key']) . p('kid'))); if (! empty($_SESSION['SHOW_CAPTCHA'])) @@ -79,7 +79,7 @@ if ( { if ($f = $usrcp->data(p('lname'), p($pass_field), false, 3600*6, true)) { - $_SESSION['USER_SESS'] = session_id(); + $_SESSION['USER_SESS'] = KJ_SESSION; $_SESSION['ADMINLOGIN'] = md5(sha1($config['h_key']) . $usrcp->name() . $config['siteurl']); //to make sure, sometime setting time from functions doesn't work $_SESSION['ADMINLOGIN_T'] = time() + 18000; @@ -115,7 +115,7 @@ if ( $action = './' . basename(ADMIN_PATH) . '?go=login&cp=' . $go_to; $H_FORM_KEYS = kleeja_add_form_key('admin_login'); $KEY_FOR_WEE = sha1(microtime() . sha1($config['h_key'])); - $KEY_FOR_PASS = preg_replace('/[^0-9]/', '', sha1($klj_session . sha1($config['h_key']) . $KEY_FOR_WEE)); + $KEY_FOR_PASS = preg_replace('/[^0-9]/', '', sha1(KJ_SESSION . sha1($config['h_key']) . $KEY_FOR_WEE)); $not_you = sprintf($lang['USERNAME_NOT_YOU'], '', ''); $show_captcha = ! empty($_SESSION['SHOW_CAPTCHA']); @@ -272,7 +272,7 @@ is_array($plugin_run_result = Plugins::getInstance()->run('begin_admin_page', ge /** * Exception of 406 ! dirty hosting * 'configs' word listed as dangrous requested word -* so we replaced this word with 'options' instead. +* so we replaced this word with 'options' instead. */ if ($go_to == 'options') { @@ -285,7 +285,7 @@ if (! $go_to || empty($go_to) || ! in_array($go_to, $adm_extensions)) $go_to = 'start'; } -//make array for menu +//make array for menu $adm_extensions_menu = $adm_topmenu = []; @@ -298,7 +298,7 @@ $cr_time = LAST_VISIT > 0 ? LAST_VISIT : time() - 3600*12; // check calls and reports numbers if (ig('check_msgs') || ! ig('_ajax_')): -//small bubble system +//small bubble system //any item can show what is inside it as unread messages $kbubbles = []; @@ -375,7 +375,7 @@ $assigned_klj_ver = preg_replace('!#([a-z0-9]+)!', '', KLEEJA_VERSION); //for plugins $styleePath = null; -//get it +//get it if (file_exists(ADM_FILES_PATH . '/' . $go_to . '.php')) { $include = true; diff --git a/includes/FetchFile.php b/includes/FetchFile.php index cdbf505..f760590 100644 --- a/includes/FetchFile.php +++ b/includes/FetchFile.php @@ -91,9 +91,10 @@ class FetchFile protected function finishUp() { - global $klj_session; - - session_id($klj_session); + if(defined('KJ_SESSION')) + { + session_id(constant('KJ_SESSION')); + } session_start(); } @@ -102,13 +103,15 @@ class FetchFile { $ch = curl_init($this->url); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); - curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0); - curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); + curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false); + curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_AUTOREFERER, true); - curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); + curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1); curl_setopt($ch, CURLOPT_TIMEOUT, $this->timeout); curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; Kleeja)'); - curl_setopt($ch, CURLOPT_FAILONERROR, true); + curl_setopt($ch, CURLOPT_FAILONERROR, false); + curl_setopt($ch, CURLOPT_VERBOSE, true); + if ($this->binary) { @@ -120,7 +123,13 @@ class FetchFile { $out = fopen($this->destinationPath, 'w'); curl_setopt($ch, CURLOPT_FILE, $out); - curl_exec($ch); + $result = curl_exec($ch); + + if ($result === false) + { + kleeja_log(sprintf("cUrl error (#%d): %s\n", curl_errno($ch), htmlspecialchars(curl_error($ch)))); + } + curl_close($ch); fclose($out); @@ -129,7 +138,12 @@ class FetchFile else { $data = curl_exec($ch); + if ($data === false) + { + kleeja_log(sprintf("FetchFile error (curl: #%d): %s\n", curl_errno($ch), htmlspecialchars(curl_error($ch)))); + } curl_close($ch); + return $data; } } diff --git a/includes/common.php b/includes/common.php index 64dc7c3..7cfae85 100755 --- a/includes/common.php +++ b/includes/common.php @@ -123,8 +123,6 @@ if (! is_bot() && ! isset($_SESSION)) } - - //no enough data if (empty($dbname) || empty($dbuser)) { @@ -188,6 +186,7 @@ while ($row=$SQL->fetch_array($result)) $config[$row['name']] = $row['value']; } + $SQL->freeresult($result); //check user or guest @@ -242,16 +241,10 @@ date_default_timezone_set('GMT'); //kleeja session id -$klj_session = $SQL->escape(session_id()); - +define('KJ_SESSION', preg_replace('/[^-,a-zA-Z0-9]/', '', session_id())); //site url must end with / -if ($config['siteurl']) -{ - $config['siteurl'] = $config['siteurl'][strlen($config['siteurl'])-1] != '/' - ? $config['siteurl'] . '/' - : $config['siteurl']; -} +$config['siteurl'] = rtrim($config['siteurl'], '/') . '/'; //check lang diff --git a/includes/usr.php b/includes/usr.php index 9963e88..b6053cf 100755 --- a/includes/usr.php +++ b/includes/usr.php @@ -17,10 +17,8 @@ if (! defined('IN_COMMON')) class usrcp { - public function data ($name, $pass, $hashed = false, $expire = 86400, $loginadm = false) + public function data($name, $pass, $hashed = false, $expire = 86400, $loginadm = false) { - global $config, $userinfo; - //expire $expire = time() + ((int) $expire ? intval($expire) : 86400); $name = trim($name); @@ -35,7 +33,6 @@ class usrcp return $login_status; } - //normal return $this->normal($name, $pass, $hashed, $expire, $loginadm); } @@ -43,8 +40,6 @@ class usrcp //get username by id public function usernamebyid($user_id) { - global $config; - $return_now = $auth_status = false; is_array($plugin_run_result = Plugins::getInstance()->run('auth_func_usr_class', get_defined_vars())) ? extract($plugin_run_result) : null; //run hook @@ -92,7 +87,8 @@ class usrcp while ($row=$SQL->fetch_array($result)) { if (empty($row['password'])) - { //more security + { + //more security return false; } @@ -208,7 +204,7 @@ class usrcp } // user ids - public function id () + public function id() { is_array($plugin_run_result = Plugins::getInstance()->run('id_func_usr_class', get_defined_vars())) ? extract($plugin_run_result) : null; //run hook @@ -429,9 +425,6 @@ class usrcp //if not expire if (($hashed_expire == sha1(md5($config['h_key'] . $hashed_password) . $expire_at)) && ($expire_at > time())) { - // For better performance we will take the risks - // !defined('IN_DOWNLOAD') - //exit(print_r( @explode('|', $this->en_de_crypt($this->kleeja_get_cookie('ulogu'), 2)))); if (user_can('enter_acp', $group_id)) { $user_data = $this->data($user_id, $hashed_password, true, $expire_at); diff --git a/ucp.php b/ucp.php index 6d74e41..54381ac 100755 --- a/ucp.php +++ b/ucp.php @@ -235,7 +235,7 @@ switch (g('go')) $user_salt = (string) substr(base64_encode(pack('H*', sha1(mt_rand()))), 0, 7); $pass = (string) $usrcp->kleeja_hash_password($SQL->escape(trim(p('lpass'))) . $user_salt); $mail = (string) strtolower(trim($SQL->escape(p('lmail')))); - $session_id = (string) session_id(); + $session_id = (string) constant('KJ_SESSION'); $clean_name = (string) $usrcp->cleanusername($name); $insert_query = [