-
Notifications
You must be signed in to change notification settings - Fork 8
/
uno.php
250 lines (242 loc) · 11.7 KB
/
uno.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
<!DOCTYPE html>
<?php
// **********************************
// CMSUno
$version = '1.9.6';
$previousVersion = '1.9.5';
// **********************************
// *** DEBUG MODE ***
// error_reporting(E_ALL); ini_set('display_errors',1);
// ******************
$lang = 'en';
$Urawgit = 'https://cdn.jsdelivr.net/gh/boiteasite/cmsuno@';
$Udep = 'uno/';
session_set_cookie_params(['path'=>'/;SameSite=Strict', 'samesite'=>'Strict']);
ini_set('session.use_trans_sid', 0);
session_start();
if(is_writable(dirname(__FILE__).'/uno')) {
if(file_exists('uno/config.php')) include('uno/config.php');
if(empty($Uversion) || $Uversion!=$version || empty($sdata) || empty($Ukey)) {
if(empty($sdata)) $sdata = f_setKey('Sdata');
if(empty($Ukey)) $Ukey = f_setKey('Ukey');
$out = '<?php $lang = "'.$lang.'"; $sdata = "'.$sdata.'"; $Ukey = "'.$Ukey.'"; $Uversion = "'.(isset($version)?$version:'1.0').'"; ?>';
file_put_contents('uno/config.php', $out);
$Uversion = (isset($version)?$version:'1.0');
}
if(file_exists('uno/patch.php')) include('uno/patch.php');
}
include('uno/includes/lang/lang.php');
if(!is_dir('uno/includes/js/ckeditor/')) $Udep = $Urawgit.$Uversion."/uno/"; // LIGHT HOSTED VERSION
session_regenerate_id();
define('CMSUNO', 'cmsuno');
require('uno/password.php');
if(!empty($_POST['user']) && !empty($_POST['pass']) && !empty($_POST['unox']) && !empty($_SESSION) && empty($_POST['newpass'])) {
if(is_writable(dirname(__FILE__)) && $_POST['user']===$user && f_check_pass($_POST['pass'],$pass,$user) && $_SESSION['unox']===$_POST['unox']) {
$hta = '# CMSUno - HTACCESS auto'."\r\n".
'Options -Indexes'."\r\n".
'Allow from all'."\r\n\r\n".
'<IfModule mod_deflate.c>'."\r\n".
"\t".'SetOutputFilter DEFLATE'."\r\n".
"\t".'SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip'."\r\n".
'</IfModule>'."\r\n\r\n".
'<IfModule mod_expires.c>'."\r\n".
"\t".'ExpiresActive On'."\r\n".
"\t".'ExpiresDefault "access plus 7200 seconds"'."\r\n".
"\t".'ExpiresByType image/jpg "access plus 1 week"'."\r\n".
"\t".'ExpiresByType image/jpeg "access plus 1 week"'."\r\n".
"\t".'ExpiresByType image/png "access plus 1 week"'."\r\n".
"\t".'ExpiresByType text/javascript "access plus 7200 seconds"'."\r\n".
"\t".'ExpiresByType application/x-javascript "access plus 7200 seconds"'."\r\n".
"\t".'ExpiresByType application/javascript "access plus 7200 seconds"'."\r\n".
'</IfModule>'."\r\n";
$_SESSION['cmsuno']=true;
if(!is_dir('uno/data')) mkdir('uno/data');
if(!is_dir('uno/data/_sdata-'.$sdata)) mkdir('uno/data/_sdata-'.$sdata,0711);
if(!is_dir('files')) mkdir('files');
if(!is_dir('uno/data/_sdata-'.$sdata.'/_unosave')) mkdir('uno/data/_sdata-'.$sdata.'/_unosave',0711);
if(!file_exists('.htaccess')) file_put_contents('.htaccess', $hta);
if(!file_exists('uno/.htaccess')) file_put_contents('uno/.htaccess', $hta);
if(!file_exists('uno/data/.htaccess')) file_put_contents('uno/data/.htaccess', 'Options -Indexes'."\r\n".'Allow from all');
if(!file_exists('uno/data/index.html')) file_put_contents('uno/data/index.html', '<html></html>');
if(!file_exists('uno/data/_sdata-'.$sdata.'/.htaccess')) file_put_contents('uno/data/_sdata-'.$sdata.'/.htaccess', 'Order Allow,Deny'."\r\n".'Deny from all');
f_chmodR('uno/data/_sdata-'.$sdata,0600,0711);
if(!is_readable('files') || !is_writable('files')) f_chmodR('files',0644,0755);
if(!file_exists('uno/data/busy.json')) file_put_contents('uno/data/busy.json', '{"nom":"index"}');
if(is_dir('files/.tmb')) { // clean up - free space
if($h=opendir('files/.tmb')) {
while(false!==($f=readdir($h))) if(is_file('files/.tmb/'.$f)) unlink('files/.tmb/'.$f);
closedir($h);
}
}
if(is_dir('uno/includes/elfinder/.tmb')) { // clean up - free space
if($h=opendir('uno/includes/elfinder/.tmb')) {
while(false!==($f=readdir($h))) if(is_file('uno/includes/elfinder/.tmb/'.$f)) unlink('uno/includes/elfinder/.tmb/'.$f);
closedir($h);
}
}
if(file_exists('uno/data/_sdata-'.$sdata.'/restore.txt')) unlink('uno/data/_sdata-'.$sdata.'/restore.txt');
}
else sleep(2);
if(!is_writable(dirname(__FILE__))) echo '<div style="clear:both;text-align:center;color:red;font-weight:700;padding-top:20px;"><span style="color:#000;">'.dirname(__FILE__).'</span> '.T_("must writable recursively !").'</div>';
else if(!is_writable(dirname(__FILE__).'/uno')) echo '<div style="clear:both;text-align:center;color:red;font-weight:700;padding-top:20px;"><span style="color:#000;">'.dirname(__FILE__).'/uno</span> '.T_("must writable recursively !").'</div>';
else echo '<script type="text/javascript">window.location=document.URL; </script>';
}
//
else if(isset($_POST['logout']) && $_POST['logout']==1) {
session_unset();
session_destroy();
echo '<script type="text/javascript">window.location=document.URL; </script>';
}
//
else if(isset($_SESSION['cmsuno'])) {
$unox = md5(mt_rand().mt_rand());
$_SESSION['unox'] = $unox; // ajax security
include('uno/edition.php');
}
//
else {
$a = explode("?", $_SERVER['REQUEST_URI']);
$home = $a[0];
if(!empty($_POST['lost'])) {
if(file_exists('uno/data/_sdata-'.$sdata.'/ssite.json')) $qs = @file_get_contents('uno/data/_sdata-'.$sdata.'/ssite.json');
if(!empty($qs)) {
$a = json_decode($qs,true);
$mel = (isset($a['mel'])?$a['mel']:'');
$header = 'MIME-Version: 1.0'."\r\n".'Content-type: text/html; charset=iso-8859-1'."\r\n";
$res = md5(mt_rand().mt_rand());
file_put_contents('uno/data/_sdata-'.$sdata.'/restore.txt',$res);
$link = strtok((isset($_SERVER['HTTPS'])&&$_SERVER['HTTPS']==='on'?"https":"http")."://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'], "?") .'?res='.$res;
$msg = '<html><body><p>USER : '.$user.'</p><a href="'.$link.'">'.$link.'</a></body></html>';
if(filter_var($mel, FILTER_VALIDATE_EMAIL)) {
mail($mel, T_("Lost password"), $msg, $header);
$lost = 1;
}
}
}
else if(!empty($_GET['res'])) {
if(file_exists('uno/data/_sdata-'.$sdata.'/restore.txt')) $res = file_get_contents('uno/data/_sdata-'.$sdata.'/restore.txt');
if(!empty($res) && strlen($res)===32 && $res===$_GET['res']) {
if(isset($user) && !empty($_POST['user']) && !empty($_POST['newpass']) && !empty($_POST['unox']) && !empty($_SESSION['unox']) && $_SESSION['unox']===$_POST['unox']) {
$b = filter_var(strip_tags($_POST['newpass']),FILTER_SANITIZE_URL);
if($b!==$_POST['newpass'] || strlen($b)<6 || $_POST['user']!==$user) $errpass = T_('Wrong current elements');
else {
$password = '<?php if(!defined(\'CMSUNO\')) exit(); $user = "'.$user.'"; $pass = \''.password_hash($b, PASSWORD_BCRYPT).'\'; ?>';
if(file_put_contents('uno/password.php', $password)) {
if(file_exists('uno/data/_sdata-'.$sdata.'/restore.txt')) unlink('uno/data/_sdata-'.$sdata.'/restore.txt');
}
else $errpass = T_('Impossible backup');
}
if(empty($errpass)) echo '<script type="text/javascript">let u=document.URL.split("?")[0];window.location=u;</script>';
else {
echo '<script type="text/javascript">alert("'.$errpass.'");</script>';
$restore = 1;
}
}
else $restore = 1; // password Form Field
}
}
$unox = md5(mt_rand().mt_rand());
$_SESSION['unox'] = $unox; // secure connection (CSRF)
?>
<html lang="<?php echo $lang; ?>">
<head>
<meta charset="utf-8" />
<meta name="robots" content="noindex" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>CMSUno - <?php echo T_("Login");?></title>
<link rel="icon" type="image/png" href="<?php echo $Udep; ?>includes/img/favicon.png" />
<link rel="stylesheet" href="<?php echo $Udep; ?>includes/css/uno.css" />
</head>
<body>
<div class="blocTop bgNoir">
<div class="container">
<span class="titre"><a href="https://github.com/boiteasite/cmsuno" title="<?php echo T_("CMSUno on GitHub");?>" target="_blank">CMSUno<?php if(isset($Uversion)) echo ' <em>'.$Uversion.'</em>'; ?></a></span>
<ul id="topMenu" class="topMenu topMenuUno">
<?php
if(file_exists('uno/data/busy.json')) { $q = file_get_contents('uno/data/busy.json'); $a = json_decode($q,true); $Ubusy = $a['nom']; }
else $Ubusy = 'index';
?>
<li id="wait"><img style="margin:2px 6px 0 0;display:none;" src="<?php echo $Udep; ?>includes/img/wait.gif" /></li>
<li><a href="<?php echo $Ubusy; ?>.html" target="_blank"><?php echo T_("See the website");?></a></li>
</ul>
</div>
</div><!-- .blocTop-->
<?php $init = (!file_exists('uno/data/busy.json')?1:0); ?>
<div class="container">
<form name="login" class="blocLogin" method="POST" action="<?php if(empty($restore)) echo $home; ?>">
<input type="hidden" name="unox" value="<?php echo $unox; ?>" />
<input type="hidden" name="lost" value="0" />
<img style="margin-bottom:20px;" src="<?php echo $Udep; ?>includes/img/logo-uno220.png" alt="cms uno" />
<div class="clearfix">
<label><?php echo T_("Administrator");?></label>
<div>
<input type="text" class="input" name="user" id="username"<?php if(!empty($init)) echo ' placeholder="cmsuno"'; ?> />
</div>
</div>
<?php if(empty($restore)) { ?>
<div class="clearfix">
<label><?php echo T_("Password");?></label>
<div>
<input type="password" class="input" name="pass" id="password"<?php if(!empty($init)) echo ' placeholder="654321"'; ?> />
</div>
</div>
<div>
<?php if(empty($lost)) { ?>
<a onClick="document.forms['login'].elements['lost'].value=1;document.forms['login'].submit();" href="javascript:void(0)" style="display:inline-block;margin-top:10px;">
<i><?php echo T_("Lost password");?></i>
</a>
<?php } ?>
<input type="submit" class="bouton fr" value="<?php echo T_("Login");?>" />
<?php } else { ?>
<div class="clearfix">
<label><?php echo T_("New password");?></label>
<div>
<input type="password" class="input" name="newpass" id="newpassword" />
</div>
</div>
<div>
<input type="submit" class="bouton fr" value="<?php echo T_("Save password");?>" />
<?php } ?>
</div>
</form>
<div style="clear:both;text-align:center;color:red;font-weight:700;padding-top:20px;">
<?php
if(!is_writable(dirname(__FILE__))) echo '<span style="color:#000;">'.dirname(__FILE__).'</span> '.T_("must writable recursively !");
else if(!is_writable(dirname(__FILE__).'/uno')) echo '<br /><span style="color:#000;">'.dirname(__FILE__).'/uno</span> '.T_("must writable recursively !");
else if(!empty($lost)) echo '<span style="color:#000;">'.T_("A recovery link has been sent by email").'</span>';
if(defined('PHP_VERSION') && version_compare(PHP_VERSION,'5.5.0')<0) echo '<span style="color:#000;">'.T_("Your PHP is too old. CMSUno requires at least PHP 5.5. Your version :").' </span>'.PHP_VERSION;
?>
</div>
</div><!-- .container -->
<script type="text/javascript" src="<?php echo $Udep; ?>includes/js/ckeditor/ckeditor.js"></script>
</body>
</html>
<?php }
//
function f_chmodR($path, $fr=0644, $dr=0755) {
if(!file_exists($path)) return(false);
if(is_file($path)) @chmod($path, $fr);
else if(is_dir($path)) {
$re = scandir($path);
$q = array_slice($re, 2);
foreach($q as $r) f_chmodR($path.'/'.$r, $fr, $dr);
@chmod($path, $dr);
}
return(true);
}
function f_check_pass($a,$b,$user) {
if(substr($b,0,1)=='$' && strlen($b)==60 && password_verify($a,$b)) return true;
else if($b===$a) {
$pass = password_hash($b, PASSWORD_BCRYPT);
file_put_contents('uno/password.php', '<?php if(!defined(\'CMSUNO\')) exit(); $user = "'.$user.'"; $pass = \''.$pass.'\';'."\r\n".'// Lost password? Enter the new one in clear text here in $pass and log in again. ?>');
return true;
}
return false;
}
function f_setKey($f) {
$b = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ123456789';$a = '';
if($f=='Sdata') for($v=0;$v<15;++$v) $a .= $b[mt_rand(0, strlen($b)-1)];
else for($v=0;$v<63;++$v) $a .= $b[mt_rand(0, strlen($b)-1)];
return $a;
}
?>