WebSVN – MLAB – Rev 130 – Blame

130

kaklik

1

<?php

2

/***************************************************************************

3

* common.php

4

* -------------------

5

* begin : Saturday, Feb 23, 2001

6

7

* email : support@phpbb.com

8

*

9

* $Id: common.php,v 1.74.2.25 2006/05/26 17:46:59 grahamje Exp $

10

*

11

***************************************************************************/

12

13

/***************************************************************************

14

*

15

* This program is free software; you can redistribute it and/or modify

16

* it under the terms of the GNU General Public License as published by

17

* the Free Software Foundation; either version 2 of the License, or

18

* (at your option) any later version.

19

*

20

***************************************************************************/

21

22

if ( !defined('IN_PHPBB') )

23

{

24

die("Hacking attempt");

25

}

26

27

//

28

error_reporting (E_ERROR | E_WARNING | E_PARSE); // This will NOT report uninitialized variables

29

set_magic_quotes_runtime(0); // Disable magic_quotes_runtime

30

31

// The following code (unsetting globals)

32

// Thanks to Matt Kavanagh and Stefan Esser for providing feedback as well as patch files

33

34

// PHP5 with register_long_arrays off?

35

if (@phpversion() >= '5.0.0' && (!@ini_get('register_long_arrays') || @ini_get('register_long_arrays') == '0' || strtolower(@ini_get('register_long_arrays')) == 'off'))

36

{

37

$HTTP_POST_VARS = $_POST;

38

$HTTP_GET_VARS = $_GET;

39

$HTTP_SERVER_VARS = $_SERVER;

40

$HTTP_COOKIE_VARS = $_COOKIE;

41

$HTTP_ENV_VARS = $_ENV;

42

$HTTP_POST_FILES = $_FILES;

43

44

// _SESSION is the only superglobal which is conditionally set

45

if (isset($_SESSION))

46

{

47

$HTTP_SESSION_VARS = $_SESSION;

48

}

49

}

50

51

// Protect against GLOBALS tricks

52

if (isset($HTTP_POST_VARS['GLOBALS']) || isset($HTTP_POST_FILES['GLOBALS']) || isset($HTTP_GET_VARS['GLOBALS']) || isset($HTTP_COOKIE_VARS['GLOBALS']))

53

{

54

die("Hacking attempt");

55

}

56

57

// Protect against HTTP_SESSION_VARS tricks

58

if (isset($HTTP_SESSION_VARS) && !is_array($HTTP_SESSION_VARS))

59

{

60

die("Hacking attempt");

61

}

62

63

if (@ini_get('register_globals') == '1' || strtolower(@ini_get('register_globals')) == 'on')

64

{

65

// PHP4+ path

66

	$not_unset = array('HTTP_GET_VARS', 'HTTP_POST_VARS', 'HTTP_COOKIE_VARS', 'HTTP_SERVER_VARS', 'HTTP_SESSION_VARS', 'HTTP_ENV_VARS', 'HTTP_POST_FILES', 'phpEx', 'phpbb_root_path');

67

68

// Not only will array_merge give a warning if a parameter

69

// is not an array, it will actually fail. So we check if

70

// HTTP_SESSION_VARS has been initialised.

71

if (!isset($HTTP_SESSION_VARS) || !is_array($HTTP_SESSION_VARS))

72

{

73

$HTTP_SESSION_VARS = array();

74

}

75

76

// Merge all into one extremely huge array; unset

77

// this later

78

	$input = array_merge($HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_COOKIE_VARS, $HTTP_SERVER_VARS, $HTTP_SESSION_VARS, $HTTP_ENV_VARS, $HTTP_POST_FILES);

79

80

unset($input['input']);

81

unset($input['not_unset']);

82

83

while (list($var,) = @each($input))

84

{

85

if (in_array($var, $not_unset))

86

{

87

die('Hacking attempt!');

88

}

89

unset($$var);

90

}

91

92

unset($input);

93

}

94

95

//

96

// addslashes to vars if magic_quotes_gpc is off

97

// this is a security precaution to prevent someone

98

// trying to break out of a SQL statement.

99

//

100

if( !get_magic_quotes_gpc() )

101

{

102

if( is_array($HTTP_GET_VARS) )

103

{

104

while( list($k, $v) = each($HTTP_GET_VARS) )

105

{

106

if( is_array($HTTP_GET_VARS[$k]) )

107

{

108

while( list($k2, $v2) = each($HTTP_GET_VARS[$k]) )

109

{

110

$HTTP_GET_VARS[$k][$k2] = addslashes($v2);

111

}

112

@reset($HTTP_GET_VARS[$k]);

113

}

114

else

115

{

116

$HTTP_GET_VARS[$k] = addslashes($v);

117

}

118

}

119

@reset($HTTP_GET_VARS);

120

}

121

122

if( is_array($HTTP_POST_VARS) )

123

{

124

while( list($k, $v) = each($HTTP_POST_VARS) )

125

{

126

if( is_array($HTTP_POST_VARS[$k]) )

127

{

128

while( list($k2, $v2) = each($HTTP_POST_VARS[$k]) )

129

{

130

$HTTP_POST_VARS[$k][$k2] = addslashes($v2);

131

}

132

@reset($HTTP_POST_VARS[$k]);

133

}

134

else

135

{

136

$HTTP_POST_VARS[$k] = addslashes($v);

137

}

138

}

139

@reset($HTTP_POST_VARS);

140

}

141

142

if( is_array($HTTP_COOKIE_VARS) )

143

{

144

while( list($k, $v) = each($HTTP_COOKIE_VARS) )

145

{

146

if( is_array($HTTP_COOKIE_VARS[$k]) )

147

{

148

while( list($k2, $v2) = each($HTTP_COOKIE_VARS[$k]) )

149

{

150

$HTTP_COOKIE_VARS[$k][$k2] = addslashes($v2);

151

}

152

@reset($HTTP_COOKIE_VARS[$k]);

153

}

154

else

155

{

156

$HTTP_COOKIE_VARS[$k] = addslashes($v);

157

}

158

}

159

@reset($HTTP_COOKIE_VARS);

160

}

161

}

162

163

//

164

// Define some basic configuration arrays this also prevents

165

// malicious rewriting of language and otherarray values via

166

// URI params

167

//

168

$board_config = array();

169

$userdata = array();

170

$theme = array();

171

$images = array();

172

$lang = array();

173

$nav_links = array();

174

$dss_seeded = false;

175

$gen_simple_header = FALSE;

176

177

include($phpbb_root_path . 'config.'.$phpEx);

178

179

if( !defined("PHPBB_INSTALLED") )

180

{

181

header('Location: ' . $phpbb_root_path . 'install/install.' . $phpEx);

182

exit;

183

}

184

185

include($phpbb_root_path . 'includes/constants.'.$phpEx);

186

include($phpbb_root_path . 'includes/template.'.$phpEx);

187

include($phpbb_root_path . 'includes/sessions.'.$phpEx);

188

include($phpbb_root_path . 'includes/auth.'.$phpEx);

189

include($phpbb_root_path . 'includes/functions.'.$phpEx);

190

include($phpbb_root_path . 'includes/db.'.$phpEx);

191

192

// We do not need this any longer, unset for safety purposes

193

unset($dbpasswd);

194

195

//

196

// Obtain and encode users IP

197

//

198

// I'm removing HTTP_X_FORWARDED_FOR ... this may well cause other problems such as

199

// private range IP's appearing instead of the guilty routable IP, tough, don't

200

// even bother complaining ... go scream and shout at the idiots out there who feel

201

// "clever" is doing harm rather than good ... karma is a great thing ... :)

202

//

203

$client_ip = ( !empty($HTTP_SERVER_VARS['REMOTE_ADDR']) ) ? $HTTP_SERVER_VARS['REMOTE_ADDR'] : ( ( !empty($HTTP_ENV_VARS['REMOTE_ADDR']) ) ? $HTTP_ENV_VARS['REMOTE_ADDR'] : getenv('REMOTE_ADDR') );

204

$user_ip = encode_ip($client_ip);

205

206

//

207

// Setup forum wide options, if this fails

208

// then we output a CRITICAL_ERROR since

209

// basic forum information is not available

210

//

211

$sql = "SELECT *

212

FROM " . CONFIG_TABLE;

213

if( !($result = $db->sql_query($sql)) )

214

{

215

message_die(CRITICAL_ERROR, "Could not query config information", "", __LINE__, __FILE__, $sql);

216

}

217

218

while ( $row = $db->sql_fetchrow($result) )

219

{

220

$board_config[$row['config_name']] = $row['config_value'];

221

}

222

223

if (file_exists('install') || file_exists('contrib'))

224

{

225

message_die(GENERAL_MESSAGE, 'Please_remove_install_contrib');

226

}

227

228

//

229

// Show 'Board is disabled' message if needed.

230

//

231

if( $board_config['board_disable'] && !defined("IN_ADMIN") && !defined("IN_LOGIN") )

232

{

233

message_die(GENERAL_MESSAGE, 'Board_disable', 'Information');

234

}

235

236

?>

Subversion Repositories – MLAB

(root)/Forum/common.php @ 374

Rev 130