diff --git a/app/Controller/AppController.php b/app/Controller/AppController.php
index 6aae8f8c..2c3f8a35 100755
--- a/app/Controller/AppController.php
+++ b/app/Controller/AppController.php
@@ -48,7 +48,7 @@ public function beforeFilter()
 {
 // find any xss vulnability on request data
 $datas = $this->request->data;
- $this->request->data = $this->xssProtection($datas);
+ $this->request->data = $this->xssProtection($datas, ['command', 'cmd', 'order', 'broadcast']);
 $this->request->data["xss"] = $datas;
 // lowercase to avoid errors when the controller is called with uppercase
 $this->params['controller'] = strtolower($this->params['controller']);
@@ -57,7 +57,7 @@ public function beforeFilter()
 $LoginCondition = $this->here != "/login" || !$this->EyPlugin->isInstalled('phpierre.signinup');
 $this->loadModel("Maintenance");
- if ($this->params['controller'] != "user" and $this->params['controller'] != "maintenance" and !$this->Permissions->can("BYPASS_MAINTENANCE") and $maintenance = $this->Maintenance->checkMaintenance($this->here) and $LoginCondition) {
+ if ($this->params['controller'] != "user" and $this->params['controller'] != "maintenance" and !$this->Permissions->can("BYPASS_MAINTENANCE") and $maintenance = $this->Maintenance->checkMaintenance($this->here, $this->Util) and $LoginCondition) {
 $this->redirect([
 'controller' => 'maintenance',
 'action' => $maintenance['url'],
@@ -113,10 +113,13 @@ public function beforeFilter()
 }
- public function xssProtection($array)
+ public function xssProtection($array, $excluded = [])
 {
 foreach ($array as $key => $value) {
- $array[$key] = is_array($value) ? $this->xssProtection($value) : $this->EySecurity->xssProtection($value);
+ if (strlen(str_replace($excluded, '', $key)) !== strlen($key))
+ $array[$key] = $value;
+ else
+ $array[$key] = is_array($value) ? $this->xssProtection($value) : $this->EySecurity->xssProtection($value);
 }
 return $array;
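Review bot: The keys listed on the new `xssProtection($datas, [...])` call — and, because the helper matches by substring rather than by exact name, every key that merely contains `command`, `cmd`, `order` or `broadcast` — now reach `$this->request->data` unescaped, so each consumer of those fields must escape them at output and bind them in SQL itself. The very next context line already keeps the raw request under `$this->request->data["xss"]`, so consumers that need unfiltered values could read them from there instead of widening the unfiltered surface; presumably the list exists for plugin fields that carry markup, which the hunk does not document. A comment at the call site would make the contract visible: `// these keys (and any key containing them) stay unescaped: escape them where they are rendered or stored`.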
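Review bot: The new exclusion test in `xssProtection`, `strlen(str_replace($excluded, '', $key)) !== strlen($key)`, skips sanitisation for any key that contains one of the excluded words anywhere, so unrelated fields such as `border` or `reorder` are silently left unfiltered, and the exemption is invisible at the field's definition. Compare keys exactly instead, `if (in_array($key, $excluded, true))`, and add the field names that currently rely on the substring behaviour (NavbarController reads `navbar_order`, which only passes because it contains `order`) to the list at the call site. The recursive call `$this->xssProtection($value)` also drops `$excluded`, so nested arrays under a non-excluded key are always filtered while top-level keys are not; if that asymmetry is intended it deserves a comment, otherwise pass `$excluded` through. The method's closing brace is outside the hunk.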
@@ -550,9 +553,17 @@ public function __initSeoConfiguration()
 $default = $this->Seo->find('first', ["conditions" => ['page' => null]])['Seo'];
 $current_url = $this->here;
 $get_page = [];
- $check = max($this->Seo->find('all', ['conditions' => ["'" . $current_url . "' LIKE CONCAT(page, '%')"]]));
- if ($check && ($check['Seo']["page"] == $current_url || $current_url != "/"))
+ $condition = ["'" . $current_url . "' LIKE CONCAT(page, '%')"];
+
+ $use_sqlite = $this->Util->useSqlite();
+
+ if ($use_sqlite)
+ $condition = ["'" . $current_url . "' LIKE 'page' || '%' "];
+ $check = $this->Seo->find('all', ['conditions' => $condition]);
+
+ if ($check && ($check = max($check)) && ($check['Seo']["page"] == $current_url || $current_url != "/"))
 $get_page = $check['Seo'];
+
 $seo_config['title'] = (!empty($default['title']) ? $default['title'] : "{TITLE} - {WEBSITE_NAME}");
 $seo_config['title'] = (!empty($get_page['title']) ? $get_page['title'] : $seo_config['title']);
 $seo_config['description'] = (!empty($get_page['description']) ? $get_page['description'] : (!empty($default['description']) ? $default['description'] : ""));
diff --git a/app/Controller/Component/UtilComponent.php b/app/Controller/Component/UtilComponent.php
index 27aba45d..5c6cf39d 100755
--- a/app/Controller/Component/UtilComponent.php
+++ b/app/Controller/Component/UtilComponent.php
@@ -1,5 +1,6 @@ controller->Configuration === null) { $this->controller->Configuration = ClassRegistry::init('Configuration'); } + } function startup($controller) { + $this->db_type = ConnectionManager::$config->default['datasource']; } // Get ip (support cloudfare)
@@ -346,5 +351,16 @@ public function random($list, $probabilityTotal)
 return $item;
 }
+ public function getDBType()
+ {
+ return $this->db_type;
+ }
+
+ public function useSqlite() {
+ if (strpos(strtolower($this->getDBType()), "sqlite"))
+ return true;
+ return false;
+ }
+
 }
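Review bot: The SQLite condition `"' LIKE 'page' || '%' "` quotes the column name as a string literal, so the comparison is against the text `page%` and never against the stored page column; the same mistake is in the new Maintenance.php condition (`'Maintenance.url' || '%'`). The column must be unquoted: `$condition = ["'" . $current_url . "' LIKE page || '%'"];`. Both branches also concatenate `$current_url` (taken from `$this->here`, i.e. the request path) straight into SQL, and the commit now does so in two places per file; quoting it through the datasource (e.g. `$this->Seo->getDataSource()->value($current_url)`) or a bound value keeps a path containing a quote from altering the query, in __initSeoConfiguration and in Maintenance::checkMaintenance alike.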
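Review bot: `useSqlite()` tests `strpos(...)` for truthiness, so a datasource string that starts with "sqlite" (offset 0) reports false; it also passes `null` to `strtolower` if it runs before `startup()` has set `$this->db_type`, and the property declaration itself is not visible in the hunk. The method body can be a single explicit comparison: `return stripos((string) $this->getDBType(), 'sqlite') !== false;`. Note that `db_type` is read from `ConnectionManager::$config->default` only, so a model bound to another connection would be misreported — presumably acceptable for this project, but worth a comment on `getDBType()` saying it reflects the `default` connection.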
diff --git a/app/Controller/ConfigurationController.php b/app/Controller/ConfigurationController.php
index 0ce3f542..fc7bdb0b 100755
--- a/app/Controller/ConfigurationController.php
+++ b/app/Controller/ConfigurationController.php
@@ -14,51 +14,11 @@ public function admin_index()
 if ($this->request->is('post')) {
 foreach ($this->request->data as $key => $value) {
- if ($key != "version" && $key != "social_btn" && $key != "social_btn_edited" && $key != "social_btn_added") {
+ if ($key != "version") {
 if ($key == "banner_server") {
 $value = serialize($value);
 }
 $data[$key] = $value;
- } else if ($key == "social_btn") { // si c'est pour les boutons sociaux personnalisés
-
- $this->loadModel('SocialButton');
- foreach ($value as $k => $v) { // on enregistre le tout
- if (!empty($v['color']) && !empty($v['url']) && (!empty($v['title']) || !empty($v['img']))) {
- $this->SocialButton->create();
- $this->SocialButton->set([
- 'title' => $v['title'],
- 'img' => $v['img'],
- 'color' => $v['color'],
- 'url' => $v['url']
- ]);
- $this->SocialButton->save();
- }
- }
-
- } else if ($key == "social_btn_edited") { // si c'est pour les boutons sociaux personnalisés
-
- $this->loadModel('SocialButton');
- foreach ($value as $k => $v) { // on enregistre le tout
- if (!empty($v['color']) && !empty($v['url']) && (!empty($v['title']) || !empty($v['img']))) {
- $this->SocialButton->read(null, $v['id']);
- $this->SocialButton->set([
- 'title' => $v['title'],
- 'img' => $v['img'],
- 'color' => $v['color'],
- 'url' => $v['url']
- ]);
- $this->SocialButton->save();
- }
- }
-
- } else if ($key == "social_btn_added") {
- $this->loadModel('SocialButton');
- foreach ($value['deleted'] as $k => $v) { // on enregistre le tout
- $find = $this->SocialButton->findById($v);
- if (!empty($find)) {
- $this->SocialButton->delete($v);
- }
- }
 }
 }
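Review bot: With the `social_btn*` branches gone, the remaining `if ($key != "version")` copies every posted key except `version` into `$data`, so a stale form or hand-crafted POST that still sends `social_btn`, `social_btn_edited` or `social_btn_added` (or any other name) is now passed on as a configuration value instead of being routed elsewhere or dropped. Where `$data` is saved is outside the hunk, so whether unknown keys are rejected there cannot be confirmed from this diff. A deny-list of one key is fragile for admin-writable settings; checking `$key` against the set of configuration keys the page actually edits, and skipping anything else, would make the behaviour explicit. The `$key == "banner_server"` / `serialize` special case is untouched by the change.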
@@ -98,8 +58,6 @@ public function admin_index()
 $this->set('shopIsInstalled', $this->EyPlugin->isInstalled('eywek.shop'));
- $this->loadModel('SocialButton');
- $this->set('social_buttons', $this->SocialButton->find('all', ['order' => 'id desc']));
 } else {
 $this->redirect('/');
 }
diff --git a/app/Controller/NavbarController.php b/app/Controller/NavbarController.php
index 8617f6a9..12262cd8 100755
--- a/app/Controller/NavbarController.php
+++ b/app/Controller/NavbarController.php
@@ -54,7 +54,7 @@ public function admin_save_ajax()
 if ($this->isConnected and $this->Permissions->can('MANAGE_NAV')) {
 if ($this->request->is('post')) {
 if (!empty($this->request->data)) {
- $data = $this->request->data['xss']['nav'];
+ $data = $this->request->data['navbar_order'];
 $data = explode('&', $data);
 $i = 1;
 foreach ($data as $key => $value) {
diff --git a/app/Model/Maintenance.php b/app/Model/Maintenance.php
index b7a83842..e711b868 100644
--- a/app/Model/Maintenance.php
+++ b/app/Model/Maintenance.php
@@ -2,9 +2,16 @@ class Maintenance extends AppModel
 {
- function checkMaintenance($url = "")
+ function checkMaintenance($url, $utilComponent)
 {
- $check = $this->find("first", ["conditions" => ["'" . $url . "' LIKE CONCAT(Maintenance.url, '%')", "active" => 1]]);
+ $use_sqlite = $utilComponent->useSqlite();
+
+ $condition = ["'" . $url . "' LIKE CONCAT(Maintenance.url, '%')", "active" => 1];
+
+ if ($use_sqlite)
+ $condition = ["'" . $url . "' LIKE 'Maintenance.url' || '%')", "active" => 1];
+
+ $check = $this->find("first", ["conditions" => $condition]);
 if (isset($check["Maintenance"])) $check = $check["Maintenance"];
 if ($check && (($check["url"] == $url) || ($check["sub_url"] && $url != "/")))
diff --git a/app/View/Navbar/admin_index.ctp b/app/View/Navbar/admin_index.ctp
index 051deefb..42122fc3 100755
--- a/app/View/Navbar/admin_index.ctp
+++ b/app/View/Navbar/admin_index.ctp
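Review bot: The new `$this->request->data['navbar_order']` read works unescaped only because the key happens to contain `order`, which the substring-based exclusion in AppController::xssProtection skips; nothing on this line records that, so a rename of the form field would silently start HTML-escaping the serialized `id[]=…&id[]=…` string before `explode('&', $data)`. Add the dependency as a comment, `// 'navbar_order' is exempt from xssProtection (see AppController::beforeFilter); it is a sortable() serialize string, not markup`, and read it defensively since a POST without the field would otherwise pass `null` to `explode`: `$data = isset($this->request->data['navbar_order']) ? $this->request->data['navbar_order'] : '';`. How the exploded values are used further down is outside the hunk.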
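Review bot: The new SQLite condition string in `checkMaintenance` ends with an unbalanced `)` (`'%')"`), so the query is syntactically invalid on SQLite and the maintenance check would fail there rather than match; the line should read `$condition = ["'" . $url . "' LIKE Maintenance.url || '%'", "active" => 1];`. The signature also drops the `$url = ""` default and adds a mandatory `$utilComponent`, which makes the model depend on a controller component; any other caller of `checkMaintenance` (none visible here) now breaks. The model can determine its own driver without that coupling, e.g. from `$this->getDataSource()->config['datasource']`, which would let the second parameter stay optional. The rest of the method is outside the hunk.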
@@ -73,10 +73,8 @@
 axis: 'y',
 stop: function (event, ui) {
 $('#save').empty().html('get('NAVBAR__SAVE_IN_PROGRESS') ?>');
- var inputs = {};
- var nav = $(this).sortable('serialize');
- inputs['nav'] = nav;
- $('#yolo').text(nav);
+ let inputs = {};
+ inputs['navbar_order'] = $(this).sortable('serialize');
 inputs['data[_Token][key]'] = '';
 $.post("Html->url(['controller' => 'navbar', 'action' => 'save_ajax', 'admin' => true]) ?>", inputs, function (data) {
 if (data.statut) {