language_import.php 6.95 KB
Newer Older
tbrehm's avatar
tbrehm committed
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29
<?php
/*
Copyright (c) 2008, Till Brehm, projektfarm Gmbh
All rights reserved.

Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:

    * Redistributions of source code must retain the above copyright notice,
      this list of conditions and the following disclaimer.
    * Redistributions in binary form must reproduce the above copyright notice,
      this list of conditions and the following disclaimer in the documentation
      and/or other materials provided with the distribution.
    * Neither the name of ISPConfig nor the names of its contributors
      may be used to endorse or promote products derived from this software without
      specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/

30 31
require_once '../../lib/config.inc.php';
require_once '../../lib/app.inc.php';
tbrehm's avatar
tbrehm committed
32

33
function normalize_string($string, $quote, $allow_special = false) {
34 35 36 37 38
	$escaped = false;
	$in_string = true;
	$new_string = '';

	for($c = 0; $c < mb_strlen($string); $c++) {
39
		$char = mb_substr($string, $c, 1);
40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81

		if($in_string === true && $escaped === false && $char === $quote) {
			// this marks a string end (e.g. for concatenation)
			$in_string = false;
			continue;
		} elseif($in_string === false) {
			if($escaped === false && $char === $quote) {
				$in_string = true;
				continue;
			} else {
				continue; // we strip everything from outside the string!
			}
		}

		if($char === '"' && $escaped === true && $quote === '"') {
			// unescape this
			$new_string .= $char;
			$escaped = false;
			continue;
		} elseif($char === "'" && $escaped === false && $quote === '"') {
			// escape this
			$new_string .= '\\' . $char;
			continue;
		}

		if($escaped === true) {
			// the next character is the escaped one.
			if($allow_special === true && ($char === 'n' || $char === 'r' || $char === 't')) {
				$new_string .= '\' . "\\' . $char . '" . \'';
			} else {
				$new_string .= '\\' . $char;
			}
			$escaped = false;
		} else {
			if($char === '\\') {
				$escaped = true;
			} else {
				$new_string .= $char;
			}
		}
	}
	return $new_string;
82 83 84
}

function validate_line($line) {
85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110
	$line = trim($line);
	if($line === '' || $line === '<?php' || $line === '?>') return $line; // don't treat empty lines as malicious

	$ok = preg_match('/^\s*\$wb\[(["\'])(.*?)\\1\]\s*=\s*(["\'])(.*?)\\3\s*;\s*$/', $line, $matches);
	if(!$ok) return false; // this line has invalid form and could lead to malfunction

	$keyquote = $matches[1]; // ' or "
	$key = $matches[2];
	if(strpos($key, '"') !== false || strpos($key, "'") !== false) return false;

	$textquote = $matches[3]; // ' or "
	$text = $matches[4];

	$new_line = '$wb[\'';

	// validate the language key
	$key = normalize_string($key, $keyquote);

	$new_line .= $key . '\'] = \'';

	// validate this text to avoid code injection
	$text = normalize_string($text, $textquote, true);

	$new_line .= $text . '\';';

	return $new_line;
111 112
}

113 114
//* Check permissions for module
$app->auth->check_module_permissions('admin');
115
$app->auth->check_security_permissions('admin_allow_langedit');
tbrehm's avatar
tbrehm committed
116 117 118

//* This is only allowed for administrators
if(!$app->auth->is_admin()) die('only allowed for administrators.');
119
if($conf['demo_mode'] == true) $app->error('This function is disabled in demo mode.');
tbrehm's avatar
tbrehm committed
120

121 122
if(!$conf['language_file_import_enabled']) $app->error('Languge import function is disabled in the interface config.inc.php file.');

tbrehm's avatar
tbrehm committed
123 124 125 126 127 128 129 130 131
$app->uses('tpl');

$app->tpl->newTemplate('form.tpl.htm');
$app->tpl->setInclude('content_tpl', 'templates/language_import.htm');
$msg = '';
$error = '';

// Export the language file
if(isset($_FILES['file']['name']) && is_uploaded_file($_FILES['file']['tmp_name'])) {
Till Brehm's avatar
Till Brehm committed
132 133 134 135
	
	//* CSRF Check
	$app->auth->csrf_token_check();
	
tbrehm's avatar
tbrehm committed
136 137
	$lines = file($_FILES['file']['tmp_name']);
	// initial check
138
	$parts = explode('|', $lines[0]);
tbrehm's avatar
tbrehm committed
139
	if($parts[0] == '---' && $parts[1] == 'ISPConfig Language File') {
tbrehm's avatar
tbrehm committed
140
		if($_POST['ignore_version'] != 1 && $parts[2] != $conf["app_version"]) {
tbrehm's avatar
tbrehm committed
141 142 143
			$error .= 'Application version does not match. Appversion: '.$conf["app_version"].' Lanfile version: '.$parts[2];
		} else {
			unset($lines[0]);
144

tbrehm's avatar
tbrehm committed
145 146 147
			$buffer = '';
			$langfile_path = '';
			// all other lines
148
			$ln = 1;
tbrehm's avatar
tbrehm committed
149
			foreach($lines as $line) {
150 151
				$ln++;
				$parts = explode('|', $line);
tbrehm's avatar
tbrehm committed
152 153 154
				if(is_array($parts) && count($parts) > 0 && $parts[0] == '--') {
					// Write language file, if its not the first file
					if($buffer != '' && $langfile_path != '') {
155
						$buffer = trim($buffer)."\n";
tbrehm's avatar
tbrehm committed
156 157 158 159
						if(@$_REQUEST['overwrite'] != 1 && @is_file($langfile_path)) {
							$error .= "File exists, not written: $langfile_path<br />";
						} else {
							$msg .= "File written: $langfile_path<br />";
160
							file_put_contents($langfile_path, $buffer);
tbrehm's avatar
tbrehm committed
161 162 163 164
						}
					}
					// empty buffer and set variables
					$buffer = '';
165 166 167 168
					$module_name = trim($parts[1]);
					$selected_language = trim($parts[2]);
					$file_name = trim($parts[3]);
					if(!preg_match("/^[a-z]{2}$/i", $selected_language)) die("unallowed characters in selected language name: $selected_language");
tbrehm's avatar
tbrehm committed
169
					if(!preg_match("/^[a-z_]+$/i", $module_name)) die('unallowed characters in module name.');
170
					if(!preg_match("/^[a-z\._\-]+$/i", $file_name) || stristr($file_name, '..')) die("unallowed characters in language file name: '$file_name'");
tbrehm's avatar
tbrehm committed
171 172 173 174 175
					if($module_name == 'global') {
						$langfile_path = trim(ISPC_LIB_PATH."/lang/".$selected_language.".lng");
					} else {
						$langfile_path = trim(ISPC_WEB_PATH.'/'.$module_name.'/lib/lang/'.$file_name);
					}
176
				} elseif(is_array($parts) && count($parts) > 1 && $parts[0] == '---' && $parts[1] == 'EOF') {
177 178 179 180
					// EOF line, ignore it.
				} else {
					$line = validate_line($line);
					if($line === false) $error .= "Language file contains invalid language entry on line $ln.<br />";
181
					else $buffer .= $line."\n";
tbrehm's avatar
tbrehm committed
182 183 184 185 186 187
				}
			}
		}
	}
}

188 189
$app->tpl->setVar('msg', $msg);
$app->tpl->setVar('error', $error);
tbrehm's avatar
tbrehm committed
190

Till Brehm's avatar
Till Brehm committed
191 192 193 194 195
//* SET csrf token
$csrf_token = $app->auth->csrf_token_get('language_import');
$app->tpl->setVar('_csrf_id',$csrf_token['csrf_id']);
$app->tpl->setVar('_csrf_key',$csrf_token['csrf_key']);

196
//* load language file
Till Brehm's avatar
Till Brehm committed
197
$lng_file = 'lib/lang/'.$app->functions->check_language($_SESSION['s']['language']).'_language_import.lng';
198
include $lng_file;
tbrehm's avatar
tbrehm committed
199 200 201 202 203 204
$app->tpl->setVar($wb);

$app->tpl_defaults();
$app->tpl->pparse();


205
?>