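<?php

/*
 * Copyright (c) 2010-2014 Tinyboard Development Group
 */

/*
 * Moderator front controller.
 *
 * The requested path is the (rawurldecoded) query string, e.g. "?/users/3"
 * routes "/users/3". It is matched against the $pages table below: each key is
 * a path pattern, each value a handler. Handler prefixes:
 *   'secure '      - the path may carry a trailing CSRF token segment
 *                    ("/" + 8 hex chars); the token is always verified, and a
 *                    request without one is sent to the confirmation page.
 *   'secure_POST ' - the token (URL segment or $_POST['token']) is verified
 *                    only for POST requests.
 *   ':'            - the rest of the string is a redirect target.
 * The '\%b' placeholder in a key expands to a named 'board' group built from
 * $config['board_path'] and $config['board_regex']; keys that already start
 * with '!' are used verbatim as complete regular expressions.
 *
 * error() (inc/functions.php, not visible here) is relied on not to return.
 */

require 'inc/functions.php';
require 'inc/mod/pages.php';
require 'inc/mod/auth.php';

if ($config['debug']) {
	$parse_start_time = microtime(true);
}

// Fix for magic quotes. The function was removed in PHP 8, so only call it
// where it exists.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
	/**
	 * Recursively undo the slashes added by magic_quotes_gpc.
	 *
	 * @param mixed $var a string or a (nested) array of strings
	 * @return mixed same shape as $var with stripslashes() applied to every leaf
	 */
	function strip_array($var) {
		return is_array($var) ? array_map('strip_array', $var) : stripslashes($var);
	}

	$_GET = strip_array($_GET);
	$_POST = strip_array($_POST);
}

// Whole query string is the routed path (decoded before matching).
$query = isset($_SERVER['QUERY_STRING']) ? rawurldecode($_SERVER['QUERY_STRING']) : '';

$pages = array(
	''	=> ':?/', // redirect to dashboard
	'/'	=> 'dashboard', // dashboard
	'/confirm/(.+)'	=> 'confirm', // confirm action (if javascript didn't work)
	'/logout'	=> 'secure logout', // logout

	'/users'	=> 'users', // manage users
	'/users/(\d+)/(promote|demote)'	=> 'secure user_promote', // promote/demote user
	'/users/(\d+)'	=> 'secure_POST user', // edit user
	'/users/new'	=> 'secure_POST user_new', // create a new user

	'/new_PM/([^/]+)'	=> 'secure_POST new_pm', // create a new pm
	'/PM/(\d+)(/reply)?'	=> 'pm', // read a pm
	'/inbox'	=> 'inbox', // pm inbox

	'/log'	=> 'log', // modlog
	'/log/(\d+)'	=> 'log', // modlog
	'/log:([^/]+)'	=> 'user_log', // modlog
	'/log:([^/]+)/(\d+)'	=> 'user_log', // modlog
	'/news'	=> 'secure_POST news', // view news
	'/news/(\d+)'	=> 'secure_POST news', // view news
	'/news/delete/(\d+)'	=> 'secure news_delete', // delete from news

	'/noticeboard'	=> 'secure_POST noticeboard', // view noticeboard
	'/noticeboard/(\d+)'	=> 'secure_POST noticeboard', // view noticeboard
	'/noticeboard/delete/(\d+)'	=> 'secure noticeboard_delete', // delete from noticeboard

	'/edit/(\%b)'	=> 'secure_POST edit_board', // edit board details
	'/new-board'	=> 'secure_POST new_board', // create a new board

	'/rebuild'	=> 'secure_POST rebuild', // rebuild static files

	// Report management
	// (global) denotes if the action is being carried out from the global dashboard,
	// and if the return address should also be the global dashboard.
	// Important to note that (?:global) will make no argument.
	// (global)? will make argument 0 either "global" or "".
	'/reports(?:/)?'	=> 'reports', // report queue
	'/reports/(global)?(?:/)?'	=> 'reports', // global report queue
	'/reports/(global)?(?:/)?(content)/(\%b)/(\d+)(?:/)?'	=> 'reports', // specific reported content (also historic)
	'/reports/(global)?(?:/)?(content)/(\%b)/(\d+)/dismiss(?:/)?'	=> 'secure report_dismiss', // dismiss all reports on content
	'/reports/(global)?(?:/)?(content)/(\%b)/(\d+)/demote(?:/)?'	=> 'secure report_demote', // demote all reports on content
	'/reports/(global)?(?:/)?(content)/(\%b)/(\d+)/promote(?:/)?'	=> 'secure report_promote', // promote all reports on content
	'/reports/(global)?(?:/)?(\d+)/dismiss(all)?(?:/)?'	=> 'secure report_dismiss', // dismiss a report
	'/reports/(global)?(?:/)?(\d+)/demote(?:/)?'	=> 'secure report_demote', // demote a global report to a local report
	'/reports/(global)?(?:/)?(\d+)/promote(?:/)?'	=> 'secure report_promote', // promote a local report to a global report
	'/reports/(global)?(?:/)?(\%b)/(un)?clean/(\d+)/(global)?(?:\+)?(local)?'	=> 'secure report_clean', // protect/unprotect from reports

	'/IP/([\w.:]+)'	=> 'secure_POST ip', // view ip address
	'/IP/([\w.:]+)/remove_note/(\d+)'	=> 'secure ip_remove_note', // remove note from ip address
	'/IP_less/(\%b)/(\d+)'	=> 'secure_POST ip_less', // view ip address (limited for user privacy)
	'/IP_less/([\w.:]+)/remove_note/(\d+)'	=> 'secure ip_remove_note', // remove note from ip address

	'/ban'	=> 'secure_POST ban', // new ban
	'/bans'	=> 'secure_POST bans', // ban list
	'/bans.json'	=> 'secure bans_json', // ban list JSON
	'/ban-appeals'	=> 'secure_POST ban_appeals', // view ban appeals

	'/recent/(\d+)'	=> 'recent_posts', // view recent posts

	'/search'	=> 'search_redirect', // search
	'/search/(posts|IP_notes|bans|log)/(.+)/(\d+)'	=> 'search', // search
	'/search/(posts|IP_notes|bans|log)/(.+)'	=> 'search', // search

	// Content management
	'/(\%b)/ban(&delete)?/(\d+)'	=> 'secure_POST ban_post', // ban poster
	'/(\%b)/move/(\d+)'	=> 'secure_POST move', // move thread
	'/(\%b)/move_reply/(\d+)'	=> 'secure_POST move_reply', // move reply
	'/(\%b)/edit(_raw)?/(\d+)'	=> 'secure_POST edit_post', // edit post
	'/(\%b)/delete/(\d+)'	=> 'secure delete', // delete post
	'/(\%b)/deletefile/(\d+)/(\d+)'	=> 'secure deletefile', // delete file from post
	'/(\%b+)/spoiler/(\d+)/(\d+)'	=> 'secure spoiler_image', // spoiler file
	'/(\%b)/deletebyip/(\d+)(/global)?'	=> 'secure deletebyip', // delete all posts by IP address
	'/(\%b)/(un)?lock/(\d+)'	=> 'secure lock', // lock thread
	'/(\%b)/(un)?sticky/(\d+)'	=> 'secure sticky', // sticky thread
	'/(\%b)/bump(un)?lock/(\d+)'	=> 'secure bumplock', // "bumplock" thread

	'/themes'	=> 'themes_list', // manage themes
	'/themes/(\w+)'	=> 'secure_POST theme_configure', // configure/reconfigure theme
	'/themes/(\w+)/rebuild'	=> 'secure theme_rebuild', // rebuild theme
	'/themes/(\w+)/uninstall'	=> 'secure theme_uninstall', // uninstall theme

	'/config'	=> 'secure_POST config', // config editor
	'/config/(\%b)'	=> 'secure_POST config', // config editor

	// these pages aren't listed in the dashboard without $config['debug']
	'/debug/antispam'	=> 'debug_antispam',
	'/debug/recent'	=> 'debug_recent_posts',
	'/debug/apc'	=> 'debug_apc',
	'/debug/sql'	=> 'secure_POST debug_sql',

	// This should always be at the end:
	'/(\%b)/?'	=> 'view_board',
	'/(\%b)/' . preg_quote($config['file_index'], '!')	=> 'view_board',
	'/(\%b)/' . str_replace('%d', '(\d+)', preg_quote($config['file_page'], '!'))	=> 'view_board',
	'/(\%b)/' . preg_quote($config['dir']['res'], '!') .
		str_replace('%d', '(\d+)', preg_quote($config['file_page50'], '!'))	=> 'view_thread50',
	'/(\%b)/' . preg_quote($config['dir']['res'], '!') .
		str_replace('%d', '(\d+)', preg_quote($config['file_page'], '!'))	=> 'view_thread',
);

if (!$mod) {
	// Not logged in: every path goes to the login page.
	$pages = array('!^(.+)?$!' => 'login');
} elseif (isset($_GET['status'], $_GET['r'])) {
	// NOTE(review): $_GET['r'] reaches the Location header unvalidated, so a
	// logged-in moderator following a crafted link can be redirected to an
	// arbitrary external URL (open redirect). The legitimate callers of this
	// status/r mechanism are not visible from this file; restricting 'r' to
	// relative / same-origin targets is recommended once they are known.
	header('Location: ' . $_GET['r'], true, (int)$_GET['status']);
	exit;
}

if (isset($config['mod']['custom_pages'])) {
	$pages = array_merge($pages, $config['mod']['custom_pages']);
}

// Compile the page table into complete, anchored regular expressions.
$new_pages = array();
foreach ($pages as $pattern => $callback) {
	if (is_string($callback) && preg_match('/^secure /', $callback)) {
		// 'secure' pages accept an optional trailing CSRF token segment.
		$pattern .= '(/(?P<token>[a-f0-9]{8}))?';
	}
	$pattern = str_replace('\%b', '?P<board>' . sprintf(substr($config['board_path'], 0, -1), $config['board_regex']), $pattern);
	if (isset($pattern[0]) && $pattern[0] === '!') {
		// Already a complete regex (e.g. the login catch-all): use it as-is.
		$new_pages[$pattern] = $callback;
	} else {
		// Anchor the path and tolerate trailing "&name=value" parameters.
		$new_pages['!^' . $pattern . '(?:&[^&=]+=[^&]*)*$!u'] = $callback;
	}
}
$pages = $new_pages;

foreach ($pages as $uri => $handler) {
	if (!preg_match($uri, $query, $matches)) {
		continue;
	}
	// Drop the whole-match entry; numeric keys are renumbered from 0, named
	// keys ('board', 'token') are kept.
	$matches = array_slice($matches, 1);

	if (isset($matches['board'])) {
		// The positional twin of the named 'board' group holds the board path
		// as matched; reduce it to the bare board name for the handler.
		$board_path = $matches['board'];
		unset($matches['board']);
		$index = array_search($board_path, $matches, true);
		if ($index !== false && preg_match('/^' . sprintf(substr($config['board_path'], 0, -1), '(' . $config['board_regex'] . ')') . '$/u', $matches[$index], $board_parts)) {
			$matches[$index] = $board_parts[1];
		}
	}

	if (is_string($handler) && preg_match('/^secure(_POST)? /', $handler, $m)) {
		$secure_post_only = isset($m[1]);
		$method = isset($_SERVER['REQUEST_METHOD']) ? $_SERVER['REQUEST_METHOD'] : '';
		if (!$secure_post_only || $method === 'POST') {
			$token = isset($matches['token']) ? $matches['token'] : (isset($_POST['token']) ? $_POST['token'] : false);

			if ($token === false) {
				if ($secure_post_only) {
					error($config['error']['csrf']);
				} else {
					// No token on a GET: ask the user to confirm the action.
					mod_confirm(substr($query, 1));
					exit;
				}
			}

			// CSRF-protected page; validate the token against the path without
			// its trailing token segment.
			$actual_query = preg_replace('!/([a-f0-9]{8})$!', '', $query);
			$expected_token = (string)make_secure_link_token(substr($actual_query, 1));
			// Type-strict, constant-time comparison. The previous loose "!="
			// compared numeric-looking strings numerically (e.g. "0e123456"
			// equalled "0"), and $_POST['token'] may not be a string at all.
			if (!is_string($token) || !hash_equals($expected_token, $token)) {
				error($config['error']['csrf']);
			}
		}
		$handler = preg_replace('/^secure(_POST)? /', '', $handler);
	}

	// Only positional captures are handed to the handler. Since PHP 8,
	// string-keyed entries passed through call_user_func_array become named
	// arguments, so a leftover 'token' key would make the call fail.
	foreach ($matches as $capture_key => $capture_value) {
		if (!is_int($capture_key)) {
			unset($matches[$capture_key]);
		}
	}

	if ($config['debug']) {
		$debug['mod_page'] = array(
			'req' => $query,
			'match' => $uri,
			'handler' => $handler,
		);
		$debug['time']['parse_mod_req'] = '~' . round((microtime(true) - $parse_start_time) * 1000, 2) . 'ms';
	}

	if (is_string($handler)) {
		if (isset($handler[0]) && $handler[0] === ':') {
			// ':target' handlers are plain redirects.
			header('Location: ' . substr($handler, 1), true, $config['redirect_http']);
		} elseif (is_callable("mod_page_$handler")) {
			call_user_func_array("mod_page_$handler", $matches);
		} elseif (is_callable("mod_$handler")) {
			call_user_func_array("mod_$handler", $matches);
		} else {
			error("Mod page '$handler' not found!");
		}
	} elseif (is_callable($handler)) {
		call_user_func_array($handler, $matches);
	} else {
		error("Mod page '$handler' not a string, and not callable!");
	}

	exit;
}

error($config['error']['404']);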