
Author Topic: [MOD] Modified file inclusion function (sNews 1.4)  (Read 3757 times)

Mika

« on: June 06, 2006, 04:15:26 pm »

after dealing with some file inclusion problems here on forum, i came up with this modified file inclusion function

note: actually, there are three inclusion routines inside snews.php - they will be replaced with single one to simplify/optimize the code

- use with snews1.4

1. backup first - this is not a drill ;)

2. add this into //GLOBAL SETTINGS below $s['image_folder']
Quote
// GLOBAL SETTINGS
...
$s['image_folder'] = "img"; // Folder to save images
//**** for file inclusion mod ***
$s['includes_folder'] = "includes/"; // Folder to save include files
$s['file_prefix'] = "prefix_"; //File name prefix (prefix_myfile.txt) - works similar to database prefix above
//******************************

...
3. add this into // ADMINISTRATION LANGUAGE VARIABLES
Quote
// ADMINISTRATION LANGUAGE VARIABLES
...
//**** for file inclusion mod ***
$l['error_file_name'] = "forbidden file name"; //allowed characters in file name are: letters a-z, A-Z, numbers 0-9, character _ and a dot .
$l['error_file_exists'] = "file doesn't exist";// unable to locate file under given name and/or extension
$l['error_file_empty'] = "file is empty"; // no data found in file
//******************************

...
4. add this function below existing //DISPLAY MENU ITEMS FUNCTION
Quote
// DISPLAY MENU ITEMS
function menu_items() {
   ....
}

//SECURE INCLUDE
function secure_include($page)
{
   $path = s('includes_folder');
   if (preg_match("#^[a-z0-9_.]+$#i",$page))
   {
      $filename = $path.$page;
      file_exists($filename) ? include($filename) : print l('error_file_exists');
   }
   else
   {echo l('error_file_name');}
}
5. go fetch yourself a hot cup of coffee or whateva :)

6. add this function below //SECURE INCLUDE
Quote
//SECURE INCLUDE
function secure_include($page)
{
   $path = s('includes_folder');
   if (preg_match("#^[a-z0-9_.]+$#i",$page))
   {
      $filename = $path.$page;
      file_exists($filename) ? include($filename) : print l('error_file_exists');
   }
   else
   {echo l('error_file_name');}
}

// FILES INCLUSION
function inclusion($param_text, $param_size)
{
   $fulltext = $param_text;
   $findme = '[include]';
   $pos = strpos($fulltext, $findme);
   $findme = '[/include]';
   $pos2 = strpos($fulltext, $findme);
   $file = substr($fulltext, $pos + 9, $pos2 - 9);
   if ($pos2 > 0)
   {
      $text = str_replace('[include]', '|&|', $fulltext);
      $text = str_replace('[/include]', '|&|', $text);
      $text = explode('|&|', $text);
      $num = count($text);
      for ($i = 0; ; $i++)
      {
         if ($i == $num) {break;}
         if (strpos($text[$i], '.php') === false AND strpos($text[$i], '.txt') === false AND strpos($text[$i], '.inc') === false)
            {echo substr(stripslashes($text[$i]), 0, $param_size);}
         else
         {
            if (false !== (strpos($text[$i], s('file_prefix'), 0)) AND strpos($text[$i], '.txt'))
            {
               //basic html output formatting
               echo '
';
               if (file_exists(s('includes_folder').$text[$i]))
               {
                  $file_array = file(s('includes_folder').$text[$i]);
                  if (!empty($file_array))
                  {
                     for($j = 0; $j < count($file_array); $j++)
                        {echo htmlspecialchars($file_array[$j]).'
';}
                  }
                  else
                  {echo l('error_file_empty');}
               }
               else
                  {echo l('error_file_exists');}
               //basic html output formatting
               echo '
';
            }
            else
            {
               secure_include($text[$i]);
            }
         }
      }
   }
   else
   {echo substr(stripslashes($fulltext), 0, $param_size);}
}
quite small, isn't it? :lol:

7. (is it seven already?) as i previously mentioned, there are three inclusion routines inside function left(), function center() and function right()

8. find existing inclusion routine inside function left(), delete it (yes, delete that blue monster completely :D) and replace it with red code:
Quote
//LEFT
function left() {
....
// PHP files inclusion routine
// --- old routine (blue in the original post): delete it ---
         $fulltext = $r['text'];
         $findme  = "[include]";
         $pos = strpos($fulltext, $findme);
         $findme  = "[/include]";
         $pos2 = strpos($fulltext, $findme);
         $file = substr($fulltext, $pos + 9, $pos2 - 9);
         if ($pos2 > 0) {
            $text = str_replace("[include]", "|&|", $fulltext);
            $text = str_replace("[/include]", "|&|", $text);
            $text = explode("|&|", $text);
            $num = count($text);
            for ($i = 0; ; $i++) {
               if ($i == $num) {
                  break;
               }
               if (strpos($text[$i], '.php') === false AND strpos($text[$i], '.txt') === false AND strpos($text[$i], '.inc') === false) {
                  echo substr(stripslashes($text[$i]), 0, $textlimit);
               } else {
                  include $text[$i];
               }}} else {
                  echo substr(stripslashes($fulltext), 0, $textlimit);

// --- new call (red in the original post) ---
inclusion($r['text'], $textlimit);
....
now your //LEFT looks like this
Quote
//LEFT
function left() {
....
// PHP files inclusion routine
inclusion($r['text'], $textlimit);
...
9. function center is almost the same ;)
Quote
//CENTER
function center() {
...
// PHP files inclusion routine
//... large chunk of its code is the same (99%), but it ends slightly different
echo substr(stripslashes($fulltext), 0, $shorten);
//compare its ending with //LEFT to get a full picture
...
after deletion (of the same large chunk of code as //LEFT) and insertion of red piece, a new code is
Quote
//CENTER
function center() {
...
// PHP files inclusion routine
inclusion($r['text'], $shorten);
...
10. the //RIGHT function is exactly the same as //LEFT one, so feel free to proceed accordingly
Quote
//RIGHT
function right() {
....
// PHP files inclusion routine
inclusion($r['text'], $textlimit);
...
note: i have a functional snews1.4 on localhost with this mod installed, but because of its size and impact, this mod should be checked by Luka himself. if it passes his test, you'll have a fresh modded copy of snews1.4 to download

more info on how to use this mod can be found here
http://www.ni5ni6.com/ - Tutorials, Mods and How-To's about sNews CMS
sNews 1.6 Developers Edition - commented sNews 1.6 version
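
A stricter take on the same idea, as an added example that is not part of the original post or of sNews. In the posted inclusion(), every exploded segment containing `.php`, `.txt` or `.inc` is treated as a file name, and the `$` in the name pattern also matches before a trailing newline; the sketch below only looks between the tags and confirms the resolved path stays in the includes folder. The function names, the temporary folder and the sample files are assumptions, and the type hints need PHP 7.1 or later.

```php
<?php
// Added example, not sNews code: resolve_include() and render_includes() are hypothetical names.

// Return the canonical path of $name inside $base, or null when the name is rejected.
function resolve_include(string $base, string $name): ?string
{
    // \A...\z anchor the whole string ("$" also matches before a trailing newline).
    // One dot plus an allowlisted extension, so "..", "a.php.bak" and "x.phtml" never match.
    if (!preg_match('#\A[a-z0-9_]+\.(php|inc|txt)\z#i', $name)) {
        return null;
    }
    $root = realpath($base);
    $real = realpath($base . DIRECTORY_SEPARATOR . $name);
    // realpath() follows symlinks; the target must be a regular file directly in $base.
    if ($root === false || $real === false || !is_file($real) || dirname($real) !== $root) {
        return null;
    }
    return $real;
}

// Expand [include]name[/include] pairs; text outside a pair is never treated as a file name.
function render_includes(string $text, string $base): string
{
    return preg_replace_callback('#\[include\](.*?)\[/include\]#s', function ($m) use ($base) {
        $file = resolve_include($base, $m[1]);
        if ($file === null) {
            return 'forbidden file name';
        }
        if (strtolower(pathinfo($file, PATHINFO_EXTENSION)) === 'txt') {
            // Text files are data: escape them instead of letting markup through.
            return nl2br(htmlspecialchars(file_get_contents($file), ENT_QUOTES));
        }
        ob_start();          // capture what the included script prints
        include $file;
        return ob_get_clean();
    }, $text);
}

// Constructed sample files in a temporary folder.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'inc_demo_' . getmypid();
mkdir($base);
file_put_contents("$base/prefix_note.txt", "<b>plain</b> text\n");
file_put_contents("$base/hello.php", '<?php echo "hello from include";');

echo render_includes("See notes.txt: [include]prefix_note.txt[/include]\n", $base);
echo render_includes("[include]hello.php[/include]\n", $base);
echo render_includes("[include]../snews.php[/include]\n", $base);
echo render_includes("[include]hello.php\n[/include]\n", $base);
```

The first two calls expand the include, while the traversal attempt and the name with a trailing newline both come back as "forbidden file name".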

fallback

« Reply #1 on: June 17, 2006, 04:10:41 pm »

This is a great mod.

I have tried with the code before posting this, but how can you prevent files from being included in the category pages? I only want the [include] code to work in article pages and not category pages that have the article captions.

Mika

« Reply #2 on: June 17, 2006, 05:04:11 pm »

well...this might be a bug. can you post a link?

edit: i almost forgot, welcome fallback :) glad to have you around...

fallback

« Reply #3 on: June 18, 2006, 01:15:12 pm »

Thanks! I fixed it actually. I wanted to:

1. Include actual code (html form data & javascript) in the article via the include.

2. Ensure that the include only appears in the main article body itself and not the category view.

In the snews // CENTER section change the inclusion code to the following:
Code:
// PHP files inclusion routine


if ($article == "") {
$fulltext = $r['text'];

$r['text'] = str_replace("[include]", "|&|", $r['text']);
$r['text'] = str_replace("[/include]", "|&|", $r['text']);
inclusion($r['text'], $shorten);
}else{
inclusion($r['text'], $shorten);
}
Replace the code added to the "// FILES INCLUSION" section with the code below. Mainly what I did was to remove the htmlspecial characters output and the tags which prevented the html or other code from being parsed and rendered correctly when included.

Code:
// FILES INCLUSION


function inclusion($param_text, $param_size)
{
    $fulltext = $param_text;
    $findme = '[include]';
    $pos = strpos($fulltext, $findme);
    $findme = '[/include]';
    $pos2 = strpos($fulltext, $findme);
    $file = substr($fulltext, $pos + 9, $pos2 - 9);
    if ($pos2 > 0)
    {
        $text = str_replace('[include]', '|&|', $fulltext);
        $text = str_replace('[/include]', '|&|', $text);
        $text = explode('|&|', $text);
        $num = count($text);
        for ($i = 0; ; $i++)
        {
            if ($i == $num) {break;}
            if (strpos($text[$i], '.php') === false AND strpos($text[$i], '.txt') === false AND strpos($text[$i], '.inc') === false)
                {echo substr(stripslashes($text[$i]), 0, $param_size);}
            else
            {
                if (false !== (strpos($text[$i], s('file_prefix'), 0)) AND strpos($text[$i], '.txt'))
                {
                    //basic html output formatting
                    echo '
';
                    if (file_exists(s('includes_folder').$text[$i]))
                    {
                        $file_array = file(s('includes_folder').$text[$i]);
                        if (!empty($file_array))
                        {
                            for($j = 0; $j < count($file_array); $j++)
                                {
                               echo $file_array[$j];}
                        }
                        else
                        {echo l('error_file_empty');}
                    }
                    else
                        {echo l('error_file_exists');}
                    //basic html output formatting
                    echo '
';
                }
                else
                {
                    secure_include($text[$i]);
                }
            }
        }
    }
    else
    {echo substr(stripslashes($fulltext), 0, $param_size);}
}
It's a quick fix but it works...

Dom

« Reply #4 on: July 08, 2006, 01:53:02 pm »

fallback, or anybody who has implemented fallback's quick fix, could you please explain this to me a bit more... could you please show me the exact code which I should replace with your code snippets?

After "// PHP files inclusion routine" part in center function, I'm not sure where "the inclusion code" actually ends so I'm not able to replace it with your code.

Thanks!

Mika

« Reply #5 on: July 08, 2006, 02:07:39 pm »

Quote
//CENTER
function center() {
...
// PHP files inclusion routine
//... large chunk of its code is the same (99%), but it ends slightly different
echo substr(stripslashes($fulltext), 0, $shorten);
//compare its ending with //LEFT to get a full picture
...

Dom

« Reply #6 on: July 09, 2006, 01:14:09 pm »

I'm sorry mika, I guess I just misunderstood about this quick fix...

I thought I could just apply this fallback's code as a quick fix for what
I needed (ensure that the include only appears in the main article body
itself and not the category view) and didn't realize it was actually based
on your mod (which I haven't checked out as, hmm, I needed a really quick
fix :) )

Now that I had a bit more time on my hand, I read your whole post and
applied your mod and fallback's quick fix and everything works fine.

Thanks mika, thanks fallback.