r31k
/
bludit
2
0
Fork 0
Code Issues 1 Pull Requests Releases Wiki Activity

Updates

This commit is contained in:
dignajar 2015-09-07 21:51:48 -03:00
parent 3120e7975a
commit 62196c1177
33 changed files with 240 additions and 97 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
admin/controllers/login.php
View File

@ -22,6 +22,9 @@ function checkPost($args)
// Verify User sanitize the input // Verify User sanitize the input
if( $Login->verifyUser($_POST['username'], $_POST['password']) ) if( $Login->verifyUser($_POST['username'], $_POST['password']) )
{ {
// Renew the token. This token will be the same inside the session for multiple forms.
$Security->generateToken();
Redirect::page('admin', 'dashboard'); Redirect::page('admin', 'dashboard');
return true; return true;
} }

6
admin/themes/default/css/default.css
View File

@ -32,7 +32,7 @@ span.label {
/* ----------- HEAD ----------- */ /* ----------- HEAD ----------- */
#head { #head {
overflow: auto; overflow: auto;
border-top: 10px #f1f1f1 solid; border-top: 10px #eee solid;
border-bottom: 1px solid #f1f1f1; border-bottom: 1px solid #f1f1f1;
padding: 10px 0; padding: 10px 0;
} }
@ -105,6 +105,10 @@ h2.title {
font-weight: normal; font-weight: normal;
} }
h2.title i.fa {
margin-right: 8px;
}
/* ----------- TABLE ----------- */ /* ----------- TABLE ----------- */
table { table {
background-color: #fff; background-color: #fff;

3
admin/views/add-user.php
View File

@ -3,6 +3,9 @@
<?php makeNavbar('users'); ?> <?php makeNavbar('users'); ?>
<form method="post" action="" class="forms" autocomplete="off"> <form method="post" action="" class="forms" autocomplete="off">
<input type="hidden" id="jstoken" name="token" value="<?php $Security->printToken() ?>">
<label> <label>
<?php $Language->p('Username') ?> <?php $Language->p('Username') ?>
<input type="text" name="username" class="width-50" value="<?php echo (isset($_POST['username'])?$_POST['username']:'') ?>"> <input type="text" name="username" class="width-50" value="<?php echo (isset($_POST['username'])?$_POST['username']:'') ?>">

1
admin/views/configure-plugin.php
View File

@ -2,6 +2,7 @@
<form id="jsformplugin" method="post" action="" class="forms"> <form id="jsformplugin" method="post" action="" class="forms">
<input type="hidden" id="jstoken" name="token" value="<?php $Security->printToken() ?>">
<input type="hidden" id="jskey" name="key" value=""> <input type="hidden" id="jskey" name="key" value="">
<?php <?php

1
admin/views/edit-page.php
View File

@ -2,6 +2,7 @@
<form id="jsform" method="post" action="" class="forms"> <form id="jsform" method="post" action="" class="forms">
<input type="hidden" id="jstoken" name="token" value="<?php $Security->printToken() ?>">
<input type="hidden" id="jskey" name="key" value="<?php echo $_Page->key() ?>"> <input type="hidden" id="jskey" name="key" value="<?php echo $_Page->key() ?>">
<label> <label>

1
admin/views/edit-post.php
View File

@ -2,6 +2,7 @@
<form method="post" action="" class="forms"> <form method="post" action="" class="forms">
<input type="hidden" id="jstoken" name="token" value="<?php $Security->printToken() ?>">
<input type="hidden" id="jskey" name="key" value="<?php echo $_Post->key() ?>"> <input type="hidden" id="jskey" name="key" value="<?php echo $_Post->key() ?>">
<label> <label>

2
admin/views/edit-user.php
View File

@ -18,6 +18,8 @@
<div id="profile"> <div id="profile">
<form method="post" action="" class="forms"> <form method="post" action="" class="forms">
<input type="hidden" id="jstoken" name="token" value="<?php $Security->printToken() ?>">
<input type="hidden" name="edit-user" value="true"> <input type="hidden" name="edit-user" value="true">
<input type="hidden" name="username" value="<?php echo $_user['username'] ?>"> <input type="hidden" name="username" value="<?php echo $_user['username'] ?>">

5
admin/views/login.php
View File

@ -1,12 +1,17 @@
<h2 class="title"><?php $Language->p('Login') ?></h2> <h2 class="title"><?php $Language->p('Login') ?></h2>
<form method="post" action="<?php echo HTML_PATH_ADMIN_ROOT.'login' ?>" class="forms" autocomplete="off"> <form method="post" action="<?php echo HTML_PATH_ADMIN_ROOT.'login' ?>" class="forms" autocomplete="off">
<input type="hidden" id="jstoken" name="token" value="<?php $Security->printToken() ?>">
<label> <label>
<input type="text" name="username" placeholder="<?php $Language->p('Username') ?>" class="width-100" autocomplete="off"> <input type="text" name="username" placeholder="<?php $Language->p('Username') ?>" class="width-100" autocomplete="off">
</label> </label>
<label> <label>
<input type="password" name="password" placeholder="<?php $Language->p('Password') ?>" class="width-100" autocomplete="off"> <input type="password" name="password" placeholder="<?php $Language->p('Password') ?>" class="width-100" autocomplete="off">
</label> </label>
<p> <p>
<button class="btn btn-blue width-100"><?php $Language->p('Login') ?></button> <button class="btn btn-blue width-100"><?php $Language->p('Login') ?></button>
</p> </p>

2
admin/views/new-page.php
View File

@ -2,6 +2,8 @@
<form method="post" action="" class="forms"> <form method="post" action="" class="forms">
<input type="hidden" id="jstoken" name="token" value="<?php $Security->printToken() ?>">
<label> <label>
<?php $Language->p('Title') ?> <?php $Language->p('Title') ?>
<input id="jstitle" name="title" type="text" class="width-90"> <input id="jstitle" name="title" type="text" class="width-90">

2
admin/views/new-post.php
View File

@ -2,6 +2,8 @@
<form method="post" action="" class="forms"> <form method="post" action="" class="forms">
<input type="hidden" id="jstoken" name="token" value="<?php $Security->printToken() ?>">
<label> <label>
<?php $Language->p('Title') ?> <?php $Language->p('Title') ?>
<input id="jstitle" name="title" type="text" class="width-90"> <input id="jstitle" name="title" type="text" class="width-90">

9
admin/views/settings.php
View File

@ -15,6 +15,9 @@
<div id="general"> <div id="general">
<form method="post" action="" class="forms"> <form method="post" action="" class="forms">
<input type="hidden" id="jstoken" name="token" value="<?php $Security->printToken() ?>">
<label> <label>
<?php $Language->p('Site title') ?> <?php $Language->p('Site title') ?>
<input type="text" name="title" class="width-50" value="<?php echo $Site->title() ?>"> <input type="text" name="title" class="width-50" value="<?php echo $Site->title() ?>">
@ -50,6 +53,9 @@
<div id="advanced"> <div id="advanced">
<form method="post" action="" class="forms"> <form method="post" action="" class="forms">
<input type="hidden" id="jstoken" name="token" value="<?php $Security->printToken() ?>">
<label for="postsperpage"> <label for="postsperpage">
<?php $Language->p('Posts per page') ?> <?php $Language->p('Posts per page') ?>
<select name="postsperpage" class="width-50"> <select name="postsperpage" class="width-50">
@ -112,6 +118,9 @@
<div id="regional"> <div id="regional">
<form method="post" action="" class="forms" name="form-regional"> <form method="post" action="" class="forms" name="form-regional">
<input type="hidden" id="jstoken" name="token" value="<?php $Security->printToken() ?>">
<label for="jslanguage"> <label for="jslanguage">
<?php $Language->p('Language') ?> <?php $Language->p('Language') ?>
<select id="jslanguage" name="language" class="width-50"> <select id="jslanguage" name="language" class="width-50">

4
kernel/boot/admin.php
View File

@ -45,12 +45,16 @@ else
include(PATH_RULES.'99.header.php'); include(PATH_RULES.'99.header.php');
include(PATH_RULES.'99.paginator.php'); include(PATH_RULES.'99.paginator.php');
include(PATH_RULES.'99.themes.php'); include(PATH_RULES.'99.themes.php');
include(PATH_RULES.'99.security.php');
if($Url->notFound() || !$Login->isLogged() || ($Url->slug()==='login') ) if($Url->notFound() || !$Login->isLogged() || ($Url->slug()==='login') )
{ {
$layout['controller'] = 'login'; $layout['controller'] = 'login';
$layout['view'] = 'login'; $layout['view'] = 'login';
$layout['template'] = 'login.php'; $layout['template'] = 'login.php';
// Generate the token for the user not logged, when the user is loggued the token will be change.
$Security->generateToken();
} }
// Plugins before admin area loaded // Plugins before admin area loaded

3
kernel/boot/rules/70.posts.php
View File

@ -99,8 +99,7 @@ function buildPostsForPage($pageNumber=0, $amount=POSTS_PER_PAGE_ADMIN, $removeU
} }
// There are not posts for the page number then set the page notfound // There are not posts for the page number then set the page notfound
//if(empty($list) && $pageNumber>0) { if(empty($list) && $pageNumber>0) {
if(empty($list)) {
$Url->setNotFound(true); $Url->setNotFound(true);
} }

2
kernel/boot/rules/80.plugins.php
View File

@ -83,7 +83,7 @@ function build_plugins()
$Language->add($databaseArray); $Language->add($databaseArray);
// Push Plugin to array all plugins installed and not installed. // Push Plugin to array all plugins installed and not installed.
array_push($plugins['all'], $Plugin); $plugins['all'][$pluginClass] = $Plugin;
// If the plugin installed // If the plugin installed
if($Plugin->installed()) if($Plugin->installed())

41
kernel/boot/rules/99.security.php Normal file
View File

@ -0,0 +1,41 @@
<?php defined('BLUDIT') or die('Bludit CMS.');
// ============================================================================
// Variables
// ============================================================================
// ============================================================================
// Functions
// ============================================================================
// ============================================================================
// Main before POST
// ============================================================================
// ============================================================================
// POST Method
// ============================================================================
if( $_SERVER['REQUEST_METHOD'] == 'POST' )
{
$token = isset($_POST['token']) ? Sanitize::html($_POST['token']) : false;
if( !$Security->validateToken($token) )
{
Log::set(__METHOD__.LOG_SEP.'Error occurred when trying validate the token. Token ID: '.$token);
// Destroy the session.
Session::destroy();
// Redirect to login panel.
Redirect::page('admin', 'login');
}
else
{
unset($_POST['token']);
}
}
// ============================================================================
// Main after POST
// ============================================================================

3
kernel/boot/site.php
View File

@ -20,6 +20,9 @@ if( Sanitize::pathFile(PATH_THEMES, $Site->theme().DS.'init.php') ) {
if( Sanitize::pathFile(PATH_THEMES, $Site->theme().DS.'index.php') ) { if( Sanitize::pathFile(PATH_THEMES, $Site->theme().DS.'index.php') ) {
include(PATH_THEMES.$Site->theme().DS.'index.php'); include(PATH_THEMES.$Site->theme().DS.'index.php');
} }
else {
$Language->p('Please check your theme configuration');
}
// Plugins after site loaded // Plugins after site loaded
Theme::plugins('afterSiteLoad'); Theme::plugins('afterSiteLoad');

9
kernel/dbposts.class.php
View File

@ -112,6 +112,12 @@ class dbPosts extends dbJSON
$args['status'] = 'scheduled'; $args['status'] = 'scheduled';
} }
// Tags
if(Text::isNotEmpty($args['tags'])) {
$cleanTags = array_map('trim', explode(',', $args['tags']));
$args['tags'] = implode(',', $cleanTags);
}
// Verify arguments with the database fields. // Verify arguments with the database fields.
foreach($this->dbFields as $field=>$options) foreach($this->dbFields as $field=>$options)
{ {
@ -336,9 +342,6 @@ class dbPosts extends dbJSON
uasort($this->db, array($this, 'sortLowToHigh')); uasort($this->db, array($this, 'sortLowToHigh'));
} }
Log::set(__METHOD__.LOG_SEP.'Sorted.'.$HighToLow);
return true; return true;
} }

3
kernel/dbtags.class.php
View File

@ -65,7 +65,8 @@ class dbTags extends dbJSON
foreach($explode as $tagName) foreach($explode as $tagName)
{ {
$tagName = trim($tagName); $tagName = trim($tagName);
$tagKey = Text::cleanUrl($tagName); $tagKey = $tagName;
//$tagKey = Text::cleanUrl($tagName);
// If the tag is not empty. // If the tag is not empty.
if(Text::isNotEmpty($tagName)) if(Text::isNotEmpty($tagName))

3
kernel/helpers/session.class.php
View File

@ -25,7 +25,8 @@ class Session {
// Gets current cookies params. // Gets current cookies params.
$cookieParams = session_get_cookie_params(); $cookieParams = session_get_cookie_params();
session_set_cookie_params($cookieLifetime, session_set_cookie_params(
$cookieLifetime,
$cookieParams["path"], $cookieParams["path"],
$cookieParams["domain"], $cookieParams["domain"],
$secure, $secure,

2
kernel/helpers/text.class.php
View File

@ -148,7 +148,7 @@ class Text {
public static function imgRel2Abs($string, $base) public static function imgRel2Abs($string, $base)
{ {
return preg_replace('/(?!code).(src)="([^:"]*)(?:")/', "$1=\"$base$2\"", $string); return preg_replace('/(src)="([^:"]*)(?:")/', "$1=\"$base$2\"", $string);
} }
public static function pre2htmlentities($string) public static function pre2htmlentities($string)

13
kernel/post.class.php
View File

@ -111,9 +111,18 @@ class Post extends fileContent
return $date; return $date;
} }
public function tags() public function tags($returnsArray=false)
{ {
return $this->getField('tags'); global $Url;
$tags = $this->getField('tags');
if($returnsArray) {
return explode(',', $tags);
}
else {
return $tags;
}
} }
public function slug() public function slug()

36
kernel/security.class.php
View File

@ -13,6 +13,42 @@ class Security extends dbJSON
parent::__construct(PATH_DATABASES.'security.php'); parent::__construct(PATH_DATABASES.'security.php');
} }
// ====================================================
// TOKEN FOR CSRF
// ====================================================
// Generate and save the token in Session.
public function generateToken()
{
$token = Text::randomText(8);
$token = sha1($token);
Session::set('token', $token);
}
// Validate the token.
public function validateToken($token)
{
$sessionToken = Session::get('token');
return ( !empty($sessionToken) && ($sessionToken===$token) );
}
// Returns the token.
public function getToken()
{
return Session::get('token');
}
public function printToken()
{
echo Session::get('token');
}
// ====================================================
// BRUTE FORCE PROTECTION
// ====================================================
public function isBlocked() public function isBlocked()
{ {
$ip = $this->getUserIp(); $ip = $this->getUserIp();

10
kernel/url.class.php
View File

@ -100,9 +100,15 @@ class Url
} }
// Return the filter used // Return the filter used
public function filters($type) public function filters($type, $trim=true)
{ {
return $this->filters[$type]; $filter = $this->filters[$type];
if($trim) {
$filter = trim($filter, '/');
}
return $filter;
} }
// Return: home, tag, post // Return: home, tag, post

3
languages/en_US.json
View File

@ -161,5 +161,6 @@
"date": "Date", "date": "Date",
"you-can-schedule-the-post-just-select-the-date-and-time": "You can schedule the post, just select the date and time.", "you-can-schedule-the-post-just-select-the-date-and-time": "You can schedule the post, just select the date and time.",
"scheduled": "Scheduled", "scheduled": "Scheduled",
"publish": "Publish" "publish": "Publish",
"please-check-your-theme-configuration": "Please check your theme configuration."
} }

8
plugins/pages/plugin.php
View File

@ -34,7 +34,13 @@ class pluginPages extends Plugin {
global $Site; global $Site;
$html = '<div class="plugin plugin-pages">'; $html = '<div class="plugin plugin-pages">';
$html .= '<h2>'.$this->getDbField('label').'</h2>';
// If the label is not empty, print it.
$label = $this->getDbField('label');
if( !empty($label) ) {
$html .= '<h2>'.$label.'</h2>';
}
$html .= '<div class="plugin-content">'; $html .= '<div class="plugin-content">';
$parents = $pagesParents[NO_PARENT_CHAR]; $parents = $pagesParents[NO_PARENT_CHAR];

2
plugins/simplemde/plugin.php
View File

@ -82,7 +82,7 @@ class pluginsimpleMDE extends Plugin {
toolbarTips: true, toolbarTips: true,
toolbarGuideIcon: true, toolbarGuideIcon: true,
autofocus: false, autofocus: false,
lineWrapping: false, lineWrapping: true,
indentWithTabs: true, indentWithTabs: true,
tabSize: '.$this->getDbField('tabSize').', tabSize: '.$this->getDbField('tabSize').',
spellChecker: false, spellChecker: false,

2
plugins/tags/plugin.php
View File

@ -28,7 +28,7 @@ class pluginTags extends Plugin {
global $Url; global $Url;
$db = $dbTags->db['postsIndex']; $db = $dbTags->db['postsIndex'];
$filter = trim($Url->filters('tag'), '/'); $filter = $Url->filters('tag');
$html = '<div class="plugin plugin-tags">'; $html = '<div class="plugin plugin-tags">';
$html .= '<h2>'.$this->getDbField('label').'</h2>'; $html .= '<h2>'.$this->getDbField('label').'</h2>';