From 3e55043625a1900c759838547556acdf557f5a41 Mon Sep 17 00:00:00 2001
From: geekwright <richard@geekwright.com>
Date: Wed, 17 May 2017 16:12:43 -0500
Subject: [PATCH 1/2] Add token processing

---
 admin/item.php              | 13 +++----
 admin/mimetypes.php         | 76 ++++++++++++++++++++++++++-----------
 class/item.php              | 10 ++---
 language/english/admin.php  |  5 +++
 language/english/common.php |  2 +
 submit.php                  | 13 ++++++-
 6 files changed, 84 insertions(+), 35 deletions(-)

diff --git a/admin/item.php b/admin/item.php
index 780a71e2..3167057f 100644
--- a/admin/item.php
+++ b/admin/item.php
@@ -23,18 +23,17 @@
 
 require_once __DIR__ . '/admin_header.php';
 
+// all post requests should have a valid token
+if ('POST' === Request::getMethod() && !$GLOBALS['xoopsSecurity']->check()) {
+    redirect_header('item.php', 2, _CO_PUBLISHER_BAD_TOKEN);
+}
+
 $itemid = Request::getInt('itemid', Request::getInt('itemid', 0, 'POST'), 'GET');
 $op     = ($itemid > 0 || Request::getString('editor', '', 'POST')) ? 'mod' : '';
 //$op     = Request::getString('op', $op, 'GET');
 
 $op = Request::getString('op', Request::getString('op', $op, 'POST'), 'GET');
 
-//if (!empty(Request::getString('additem', '', 'POST'))) {
-//    $op = 'additem';
-//} elseif (!empty(Request::getString('del', '', 'POST'))) {
-//    $op = 'del';
-//}
-
 $op = Request::getString('additem', '', 'POST') ? 'additem' : (Request::getString('del', '', 'POST') ? 'del' : $op);
 
 // Where shall we start ?
@@ -146,7 +145,7 @@
 
     case 'del':
         $itemObj = $publisher->getHandler('item')->get($itemid);
-        $confirm = Request::getInt('confirm', '', 'POST');
+        $confirm = Request::getInt('confirm', 0, 'POST');
 
         if ($confirm) {
             if (!$publisher->getHandler('item')->delete($itemObj)) {
diff --git a/admin/mimetypes.php b/admin/mimetypes.php
index e4daa2e5..0acf417a 100644
--- a/admin/mimetypes.php
+++ b/admin/mimetypes.php
@@ -24,15 +24,6 @@
 require_once __DIR__ . '/admin_header.php';
 xoops_load('XoopsPagenav');
 
-//$start = $limit = 0;
-//if (isset($_GET['limit'])) {
-//    $limit = Request::getInt('limit', 0, 'GET');
-//} elseif (isset($_POST['limit'])) {
-//    $limit = Request::getInt('limit', 0, 'POST');
-//} else {
-//    $limit = 15;
-//}
-
 $start = Request::getInt('start', 0, 'GET');
 $limit = Request::getInt('limit', Request::getInt('limit', 15, 'GET'), 'POST');
 
@@ -51,6 +42,11 @@
 
 $op = Request::getString('op', 'default', 'GET');
 
+// all post requests should have a valid token
+if ('POST' === Request::getMethod() && !$GLOBALS['xoopsSecurity']->check()) {
+    redirect_header(PUBLISHER_ADMIN_URL . "/mimetypes.php?op=manage", 3, _CO_PUBLISHER_BAD_TOKEN);
+}
+
 switch ($op) {
     case 'add':
         PublisherMimetypesUtility::add();
@@ -72,6 +68,10 @@
         PublisherMimetypesUtility::updateMimeValue();
         break;
 
+    case 'confirmUpdateMimeValue':
+        PublisherMimetypesUtility::confirmUpdateMimeValue();
+        break;
+
     case 'clearAddSession':
         PublisherMimetypesUtility::clearAddSession();
         break;
@@ -127,6 +127,7 @@ public static function add()
 
             // Display add form
             echo "<form action='mimetypes.php?op=add' method='post'>";
+            echo $GLOBALS['xoopsSecurity']->getTokenHTML();
             echo "<table width='100%' cellspacing='1' class='outer'>";
             echo "<tr><th colspan='2'>" . _AM_PUBLISHER_MIME_CREATEF . '</th></tr>';
             echo "<tr valign='top'>
@@ -296,6 +297,7 @@ public static function edit()
 
             // Display edit form
             echo "<form action='mimetypes.php?op=edit&amp;id=" . $mimeId . "' method='post'>";
+            echo $GLOBALS['xoopsSecurity']->getTokenHTML();
             echo "<input type='hidden' name='limit' value='" . $limit . "' />";
             echo "<input type='hidden' name='start' value='" . $start . "' />";
             echo "<table width='100%' cellspacing='1' class='outer'>";
@@ -437,6 +439,7 @@ public static function manage()
         echo "<table width='100%' cellspacing='1' class='outer'>";
         echo "<tr><td colspan='6' align='right'>";
         echo "<form action='" . PUBLISHER_ADMIN_URL . "/mimetypes.php?op=search' style='margin:0; padding:0;' method='post'>";
+        echo $GLOBALS['xoopsSecurity']->getTokenHTML();
         echo '<table>';
         echo '<tr>';
         echo "<td align='right'>" . _AM_PUBLISHER_TEXT_SEARCH_BY . '</td>';
@@ -454,6 +457,7 @@ public static function manage()
 
         echo "<tr><td colspan='6'>";
         echo "<form action='" . PUBLISHER_ADMIN_URL . "/mimetypes.php?op=manage' style='margin:0; padding:0;' method='post'>";
+        echo $GLOBALS['xoopsSecurity']->getTokenHTML();
         echo "<table width='100%'>";
         echo "<tr><td align='right'>" . _AM_PUBLISHER_TEXT_SORT_BY . "
     <select name='sort'>";
@@ -614,8 +618,9 @@ public static function search()
 
         PublisherUtility::openCollapsableBar('mimemsearchtable', 'mimesearchicon', _AM_PUBLISHER_MIME_SEARCH);
 
-        if (!Request::getString('mime_search', '')) {
+        if (!Request::hasVar('mime_search')) {
             echo "<form action='mimetypes.php?op=search' method='post'>";
+            echo $GLOBALS['xoopsSecurity']->getTokenHTML();
             echo "<table width='100%' cellspacing='1' class='outer'>";
             echo "<tr><th colspan='2'>" . _AM_PUBLISHER_TEXT_SEARCH_MIME . '</th></tr>';
             echo "<tr><td class='head' width='20%'>" . _AM_PUBLISHER_TEXT_SEARCH_BY . "</td>
@@ -641,9 +646,10 @@ public static function search()
             echo '</table></form>';
         } else {
             $searchField = Request::getString('search_by', '');
+            $searchField = isset($aSearchBy[$searchField]) ? $searchField : 'mime_ext' ;
             $searchText  = Request::getString('search_text', '');
 
-            $crit = new Criteria($searchField, "%$searchText%", 'LIKE');
+            $crit = new Criteria($searchField, '%' . $GLOBALS['xoopsDB']->escape($searchText) . '%', 'LIKE');
             $crit->setSort($sort);
             $crit->setOrder($order);
             $crit->setLimit($limit);
@@ -659,6 +665,7 @@ public static function search()
             echo "<table width='100%' cellspacing='1' class='outer'>";
             echo "<tr><td colspan='6' align='right'>";
             echo "<form action='" . PUBLISHER_ADMIN_URL . "/mimetypes.php?op=search' style='margin:0; padding:0;' method='post'>";
+            echo $GLOBALS['xoopsSecurity']->getTokenHTML();
             echo '<table>';
             echo '<tr>';
             echo "<td align='right'>" . _AM_PUBLISHER_TEXT_SEARCH_BY . '</td>';
@@ -676,6 +683,7 @@ public static function search()
 
             echo "<tr><td colspan='6'>";
             echo "<form action='" . PUBLISHER_ADMIN_URL . "/mimetypes.php?op=search' style='margin:0; padding:0;' method='post'>";
+            echo $GLOBALS['xoopsSecurity']->getTokenHTML();
             echo "<table width='100%'>";
             echo "<tr><td align='right'>" . _AM_PUBLISHER_TEXT_SORT_BY . "
         <select name='sort'>";
@@ -815,29 +823,53 @@ public static function search()
         xoops_cp_footer();
     }
 
+    /**
+     * confirm update to mime access, resubmit as POST, including TOKEN
+     */
     public static function updateMimeValue()
     {
-        $mimeId    = 0;
+        // op=updateMimeValue&id=65&mime_admin=0&limit=15&start=0
+        PublisherUtility::cpHeader();
+        $hiddens = array(
+            'id'    => Request::getInt('id', 0, 'GET'),
+            'start' =>  Request::getInt('start', 0, 'GET'),
+            'limit' =>  Request::getInt('limit', 15, 'GET'),
+        );
+
         $publisher = PublisherPublisher::getInstance();
+        $mimeTypeObj = $publisher->getHandler('mimetype')->get($hiddens['id']);
+        if (Request::hasVar('mime_admin')) {
+            $hiddens['mime_admin'] = Request::getInt('mime_admin', 0, 'GET');
+            $msg = sprintf(_AM_PUBLISHER_MIME_ACCESS_CONFIRM_ADMIN, $mimeTypeObj->getVar('mime_name'));
+        } else {
+            $hiddens['mime_user'] = Request::getInt('mime_user', 0, 'GET');
+            $msg = sprintf(_AM_PUBLISHER_MIME_ACCESS_CONFIRM_USER, $mimeTypeObj->getVar('mime_name'));
+        }
+
+        $action = PUBLISHER_ADMIN_URL . '/mimetypes.php?op=confirmUpdateMimeValue';
+        $submit = _AM_PUBLISHER_MIME_ACCESS_CONFIRM;
+
+        xoops_confirm($hiddens, $action, $msg, $submit, true);
+        xoops_cp_footer();
+    }
 
-        $limit = Request::getInt('limit', 0, 'GET');
-        $start = Request::getInt('start', 0, 'GET');
+    public static function confirmUpdateMimeValue()
+    {
+        $publisher = PublisherPublisher::getInstance();
 
-        if (!Request::getString('id', '', 'GET')) {
+        $limit = Request::getInt('limit', 0, 'POST');
+        $start = Request::getInt('start', 0, 'POST');
+        $mimeId = Request::getInt('id', 0, 'POST');
+        if (0 === $mimeId) {
             redirect_header(PUBLISHER_ADMIN_URL . '/mimetypes.php', 3, _AM_PUBLISHER_MESSAGE_NO_ID);
-        } else {
-            $mimeId = Request::getInt('id', 0, 'GET');
         }
 
         $mimeTypeObj = $publisher->getHandler('mimetype')->get($mimeId);
 
-        if ('' !== ($mimeAdmin = Request::getString('mime_admin', '', 'GET'))) {
-            //            $mimeAdmin = Request::getInt('mime_admin', 0, 'GET');
+        if (-1 !== ($mimeAdmin = Request::getInt('mime_admin', -1, 'POST'))) {
             $mimeAdmin = self::changeMimeValue($mimeAdmin);
             $mimeTypeObj->setVar('mime_admin', $mimeAdmin);
-        }
-        if ('' !== ($mimeUser = Request::getString('mime_user', '', 'GET'))) {
-            //            $mimeUser = Request::getInt('mime_user', 0, 'GET');
+        } elseif (-1 !== ($mimeUser = Request::getInt('mime_user', -1, 'POST'))) {
             $mimeUser = self::changeMimeValue($mimeUser);
             $mimeTypeObj->setVar('mime_user', $mimeUser);
         }
diff --git a/class/item.php b/class/item.php
index 3e5cb799..75f6cb8b 100644
--- a/class/item.php
+++ b/class/item.php
@@ -994,7 +994,7 @@ protected function convertForJapanese($str)
     public function getForm($title = 'default', $checkperm = true)
     {
         include_once $GLOBALS['xoops']->path('modules/' . PUBLISHER_DIRNAME . '/class/form/item.php');
-        $form = new PublisherItemForm($title, 'form', xoops_getenv('PHP_SELF'));
+        $form = new PublisherItemForm($title, 'form', xoops_getenv('PHP_SELF'), 'post', true);
         $form->setCheckPermissions($checkperm);
         $form->createElements($this);
 
@@ -1043,7 +1043,7 @@ public function setVarsFromRequest()
         $this->setVar('subtitle', Request::getString('subtitle', '', 'POST'));
         $this->setVar('item_tag', Request::getString('item_tag', '', 'POST'));
 
-        if (false !== ($imageFeatured = Request::getString('image_featured', '', 'POST'))) {
+        if ('' !== ($imageFeatured = Request::getString('image_featured', '', 'POST'))) {
             $imageItem = Request::getArray('image_item', array(), 'POST');
             //            $imageFeatured = Request::getString('image_featured', '', 'POST');
             //Todo: get a better image class for xoops!
@@ -1078,14 +1078,14 @@ public function setVarsFromRequest()
         //mb TODO check on version
         //check if date is set and convert it to GMT date
         //        if (($datesub = Request::getString('datesub', '', 'POST'))) {
-        if ('' !== Request::getString('datesub', '', 'POST')) {
+        if (Request::hasVar('datesub', 'POST')) {
             //            if (version_compare(PHP_VERSION, '5.4.0') >= 0) {
             //                $this->setVar('datesub', strtotime(Request::getArray('datesub', array(), 'POST')['date']) + Request::getArray('datesub', array(), 'POST')['time']);
             //            } else {
             $resDate = Request::getArray('datesub', array(), 'POST');
-            $resTime = Request::getArray('datesub', array(), 'POST');
+            //$resTime = Request::getArray('datesub', array(), 'POST');
             //            $this->setVar('datesub', strtotime($resDate['date']) + $resTime['time']);
-            $localTimestamp = strtotime($resDate['date']) + $resTime['time'];
+            $localTimestamp = strtotime($resDate['date']) + $resDate['time'];
 
             // get user Timezone offset and use it to find out the Timezone, needed for PHP DataTime
             $userTimeoffset = $GLOBALS['xoopsUser']->getVar('timezone_offset');
diff --git a/language/english/admin.php b/language/english/admin.php
index 0d71b47b..480330b5 100644
--- a/language/english/admin.php
+++ b/language/english/admin.php
@@ -381,3 +381,8 @@
 //1.05 Beta 1
 define('_AM_PUBLISHER_AUTHOR', 'Author');
 define('_AM_PUBLISHER_SAMPLEDATA_SUCCESS', 'Sample Date uploaded successfully');
+
+//added 16/05/2017
+define('_AM_PUBLISHER_MIME_ACCESS_CONFIRM', 'Confirm');
+define('_AM_PUBLISHER_MIME_ACCESS_CONFIRM_ADMIN', 'Confirm change to admin access for %s');
+define('_AM_PUBLISHER_MIME_ACCESS_CONFIRM_USER', 'Confirm change to user access for %s');
diff --git a/language/english/common.php b/language/english/common.php
index f6917916..b4d97a8a 100644
--- a/language/english/common.php
+++ b/language/english/common.php
@@ -108,3 +108,5 @@
 //Added 30/05/2012
 define('_CO_PUBLISHER_EDITFILE', 'Edit file');
 define('_CO_PUBLISHER_DELETEFILE', 'Delete file');
+// added 15/05/2017
+define('_CO_PUBLISHER_BAD_TOKEN', 'Invalid token, please try again');
diff --git a/submit.php b/submit.php
index f4bd47d5..935f134f 100644
--- a/submit.php
+++ b/submit.php
@@ -85,6 +85,14 @@
     $op = 'preview';
 }
 
+$tokenError = false;
+if ('POST' === Request::getMethod() && !$GLOBALS['xoopsSecurity']->check()) {
+    if ($op !== 'preview') {
+        $op = 'preview';
+        $tokenError = true;
+    }
+}
+
 $op = Request::getString('op', Request::getString('op', $op, 'POST'), 'GET');
 
 $allowedEditors = PublisherUtility::getEditors($gpermHandler->getItemIds('editors', $groups, $moduleId));
@@ -115,7 +123,7 @@
     'author_alias'
 );
 foreach ($elements as $element) {
-    if (Request::getString('element', '', 'POST') && !in_array(constant('PublisherConstants::PUBLISHER_' . strtoupper($element)), $formView)) {
+    if (Request::hasVar('element','POST') && !in_array(constant('PublisherConstants::PUBLISHER_' . strtoupper($element)), $formView)) {
         redirect_header('index.php', 1, _MD_PUBLISHER_SUBMIT_ERROR);
         //        exit();
     }
@@ -175,6 +183,9 @@
             $xoopsTpl->assign('langIntroTitle', sprintf(_MD_PUBLISHER_SUB_SNEWNAME, ucwords($publisher->getModule()->name())));
             $xoopsTpl->assign('langIntroText', $publisher->getConfig('submit_intro_msg'));
         }
+        if ($tokenError) {
+            $xoopsTpl->assign('langIntroText', _CO_PUBLISHER_BAD_TOKEN);
+        }
 
         $sform = $itemObj->getForm($formtitle, true);
         $sform->assign($xoopsTpl);

From 014132852b25edb5dcc584ece5ae2c4d7047ccfb Mon Sep 17 00:00:00 2001
From: geekwright <richard@geekwright.com>
Date: Wed, 17 May 2017 17:42:42 -0500
Subject: [PATCH 2/2] Fix corrupted filename

---
 class/file.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/class/file.php b/class/file.php
index f2a1532b..b7bd0132 100644
--- a/class/file.php
+++ b/class/file.php
@@ -259,7 +259,7 @@ public function getNameFromFilename()
     {
         $ret    = $this->filename();
         $sepPos = strpos($ret, '_');
-        $ret    = substr($ret, $sepPos + 1, -$sepPos);
+        $ret    = substr($ret, $sepPos + 1);
 
         return $ret;
     }