PageRenderTime 37ms CodeModel.GetById 13ms RepoModel.GetById 0ms app.codeStats 0ms

/mod.php

https://gitlab.com/potion/librechan
PHP | 216 lines | 166 code | 38 blank | 12 comment | 25 complexity | da044d0a153c35a5a4962952b1cce608 MD5 | raw file
    

  1. <?php
    2. 

  2. 

  3. /*
    4. 

  4.  *  Copyright (c) 2010-2014 Tinyboard Development Group
    5. 

  5.  */
    6. 

  6. 

  7. require 'inc/functions.php';
    8. 

  8. require 'inc/mod/pages.php';
    9. 

  9. 

  10. if ($config['debug'])
    11. 

  11. 	$parse_start_time = microtime(true);
    12. 

  12. 

  13. check_login(true);
    14. 

  14. 

  15. $query = isset($_SERVER['QUERY_STRING']) ? rawurldecode($_SERVER['QUERY_STRING']) : '';
    16. 

  16. 

  17. $pages = array(
    18. 

  18. 	''					=> ':?/',			// redirect to dashboard
    19. 

  19. 	'/'					=> 'dashboard',			// dashboard
    20. 

  20. 	'/confirm/(.+)'				=> 'confirm',			// confirm action (if javascript didn't work)
    21. 

  21. 	'/logout'				=> 'secure logout',		// logout
    22. 

  22. 	
    23. 

  23. 	'/users'				=> 'users',			// manage users
    24. 

  24. 	'/users/(\d+)/(promote|demote)'		=> 'secure user_promote',	// prmote/demote user
    25. 

  25. 	'/users/(\d+)'				=> 'secure_POST user',		// edit user
    26. 

  26. 	'/users/new'				=> 'secure_POST user_new',	// create a new user
    27. 

  27. 	
    28. 

  28. 	'/new_PM/([^/]+)'			=> 'secure_POST new_pm',	// create a new pm
    29. 

  29. 	'/PM/(\d+)(/reply)?'			=> 'pm',			// read a pm
    30. 

  30. 	'/inbox'				=> 'inbox',			// pm inbox
    31. 

  31. 	
    32. 

  32. 	'/log'					=> 'log',			// modlog
    33. 

  33. 	'/log/(\d+)'				=> 'log',			// modlog
    34. 

  34. 	'/log:([^/:]+)'				=> 'user_log',			// modlog
    35. 

  35. 	'/log:([^/:]+)/(\d+)'			=> 'user_log',			// modlog
    36. 

  36. 	'/log:b:([^/]+)'			=> 'board_log',			// modlog
    37. 

  37. 	'/log:b:([^/]+)/(\d+)'			=> 'board_log',			// modlog
    38. 

  38. 	'/edit_news'				=> 'secure_POST news',		// view news
    39. 

  39. 	'/edit_news/(\d+)'			=> 'secure_POST news',		// view news
    40. 

  40. 	'/edit_news/delete/(\d+)'		=> 'secure news_delete',	// delete from news
    41. 

  41. 

  42. 	'/edit_pages(?:/?(\%b)?)'		=> 'secure_POST pages',
    43. 

  43. 	'/edit_page/(\d+)'			=> 'secure_POST edit_page',
    44. 

  44. 	'/edit_pages/delete/([a-z0-9]+)'	=> 'secure delete_page',
    45. 

  45. 	'/edit_pages/delete/([a-z0-9]+)/(\%b)'	=> 'secure delete_page_board',
    46. 

  46. 	
    47. 

  47. 	'/noticeboard'				=> 'secure_POST noticeboard',	// view noticeboard
    48. 

  48. 	'/noticeboard/(\d+)'			=> 'secure_POST noticeboard',	// view noticeboard
    49. 

  49. 	'/noticeboard/delete/(\d+)'		=> 'secure noticeboard_delete',	// delete from noticeboard
    50. 

  50. 	
    51. 

  51. 	'/edit/(\%b)'				=> 'secure_POST edit_board',	// edit board details
    52. 

  52. 	'/new-board'				=> 'secure_POST new_board',	// create a new board
    53. 

  53. 	
    54. 

  54. 	'/rebuild'                     => 'secure_POST rebuild',   // rebuild static files
    55. 

  55. 	
    56. 

  56. 	// Report management
    57. 

  57. 	// (global) denotes if the action is being carried out from the global dashboard,
    58. 

  58. 	// and if the return address should also be the global dashboard.
    59. 

  59. 	// Important to note that (?:global) will make no argument.
    60. 

  60. 	// (global)? will make argument 0 either "global" or "".
    61. 

  61. 	'/reports(?:/)?'                                                          => 'reports',               // report queue
    62. 

  62. 	'/reports/(global)?(?:/)?(json)?'                                         => 'reports',               // global report queue
    63. 

  63. 	'/reports/(global)?(?:/)?(content)/(\%b)/(\d+)(?:/)?'                     => 'reports',               // specific reported content (also historic)
    64. 

  64. 	'/reports/(global)?(?:/)?(content)/(\%b)/(\d+)/dismiss(?:/)?'             => 'secure report_dismiss', // dismiss all reports on content
    65. 

  65. 	'/reports/(global)?(?:/)?(content)/(\%b)/(\d+)/demote(?:/)?'              => 'secure report_demote',  // demote all reports on content
    66. 

  66. 	'/reports/(global)?(?:/)?(content)/(\%b)/(\d+)/promote(?:/)?'             => 'secure report_promote', // demote all reports on content
    67. 

  67. 	'/reports/(global)?(?:/)?(\d+)/dismiss(all)?(?:/)?'                       => 'secure report_dismiss', // dismiss a report
    68. 

  68. 	'/reports/(global)?(?:/)?(\d+)/demote(?:/)?'                              => 'secure report_demote',  // demote a global report to a local report
    69. 

  69. 	'/reports/(global)?(?:/)?(\d+)/promote(?:/)?'                             => 'secure report_promote', // promote a local report to a global report
    70. 

  70. 	'/reports/(global)?(?:/)?(\%b)/(un)?clean/(\d+)/(global)?(?:\+)?(local)?' => 'secure report_clean',   // protect/unprotect from reports
    71. 

  71. 	
    72. 

  72. 	'/IP/([\w.:]+)'				=> 'secure_POST ip',		// view ip address
    73. 

  73. 	'/IP/([\w.:]+)/remove_note/(\d+)'	=> 'secure ip_remove_note',	// remove note from ip address
    74. 

  74. 	'/IP_less/(\%b)/(\d+)'				=> 'secure_POST ip_less',		// view ip address (limited for user privacy)
    75. 

  75. 	'/IP_less/([\w.:]+)/remove_note/(\d+)'	=> 'secure ip_remove_note',	// remove note from ip address
    76. 

  76. 	
    77. 

  77. 	'/ban'					=> 'secure_POST ban',		// new ban
    78. 

  78. 	'/bans'					=> 'secure_POST bans',		// ban list
    79. 

  79. 	'/bans.json'				=> 'secure bans_json',		// ban list JSON
    80. 

  80. 	'/ban-appeals'				=> 'secure_POST ban_appeals',	// view ban appeals
    81. 

  81. 	
    82. 

  82. 	'/recent/(\d+)'				=> 'recent_posts',		// view recent posts
    83. 

  83. 

  84. 	'/search'				=> 'search_redirect',		// search
    85. 

  85. 	'/search/(posts|IP_notes|bans|log)/(.+)/(\d+)'	=> 'search',		// search
    86. 

  86. 	'/search/(posts|IP_notes|bans|log)/(.+)'	=> 'search',		// search
    87. 

  87. 	
    88. 

  88. 	// Content management
    89. 

  89. 	'/(\%b)/ban(&delete)?/(\d+)'                      => 'secure_POST ban_post',   // ban poster
    90. 

  90. 	'/(\%b)/move/(\d+)'                               => 'secure_POST move',       // move thread
    91. 

  91. 	'/(\%b)/move_reply/(\d+)'                         => 'secure_POST move_reply', // move reply
    92. 

  92. 	'/(\%b)/edit(_raw)?/(\d+)'                        => 'secure_POST edit_post',  // edit post
    93. 

  93. 	'/(\%b)/delete/(\d+)'                             => 'secure delete',          // delete post
    94. 

  94. 	'/(\%b)/deletefile/(\d+)/(\d+)'                   => 'secure deletefile',      // delete file from post
    95. 

  95. 	'/(\%b+)/spoiler/(\d+)/(\d+)'                     => 'secure spoiler_image',   // spoiler file
    96. 

  96. 	'/(\%b+)/spoiler_all/(\d+)'                       => 'secure spoiler_images',   // spoiler file
    97. 

  97. 	'/(\%b)/deletebyip/(\d+)(/global)?'               => 'secure deletebyip',      // delete all posts by IP address
    98. 

  98. 	'/(\%b)/(un)?lock/(\d+)'                          => 'secure lock',            // lock thread
    99. 

  99. 	'/(\%b)/(un)?sticky/(\d+)'                        => 'secure sticky',          // sticky thread
    100. 

  100. 	'/(\%b)/(un)?cycle/(\d+)'                         => 'secure cycle',          // cycle thread
    101. 

  101. 	'/(\%b)/bump(un)?lock/(\d+)'                      => 'secure bumplock',        // "bumplock" thread
    102. 

  102. 	
    103. 

  103. 	'/themes'				=> 'themes_list',		// manage themes
    104. 

  104. 	'/themes/(\w+)'				=> 'secure_POST theme_configure',		// configure/reconfigure theme
    105. 

  105. 	'/themes/(\w+)/rebuild'			=> 'secure theme_rebuild',		// rebuild theme
    106. 

  106. 	'/themes/(\w+)/uninstall'		=> 'secure theme_uninstall',		// uninstall theme
    107. 

  107. 	
    108. 

  108. 	'/config'				=> 'secure_POST config',	// config editor
    109. 

  109. 	'/config/(\%b)'				=> 'secure_POST config',	// config editor
    110. 

  110. 	
    111. 

  111. 	// these pages aren't listed in the dashboard without $config['debug']
    112. 

  112. 	'/debug/antispam'			=> 'debug_antispam',
    113. 

  113. 	'/debug/recent'				=> 'debug_recent_posts',
    114. 

  114. 	'/debug/apc'				=> 'debug_apc',
    115. 

  115. 	'/debug/sql'				=> 'secure_POST debug_sql',
    116. 

  116. 	
    117. 

  117. 	// This should always be at the end:
    118. 

  118. 	'/(\%b)/?'										=> 'view_board',
    119. 

  119. 	'/(\%b)/' . preg_quote($config['file_index'], '!')					=> 'view_board',
    120. 

  120. 	'/(\%b)/' . str_replace('%d', '(\d+)', preg_quote($config['file_page'], '!'))		=> 'view_board',
    121. 

  121. 	'/(\%b)/' . preg_quote($config['dir']['res'], '!') .
    122. 

  122. 			str_replace('%d', '(\d+)', preg_quote($config['file_page50'], '!'))	=> 'view_thread50',
    123. 

  123. 	'/(\%b)/' . preg_quote($config['dir']['res'], '!') .
    124. 

  124. 			str_replace('%d', '(\d+)', preg_quote($config['file_page'], '!'))	=> 'view_thread',
    125. 

  125. );
    126. 

  126. 

  127. 

  128. if (!$mod) {
    129. 

  129. 	$pages = array('!^(.+)?$!' => 'login');
    130. 

  130. } elseif (isset($_GET['status'], $_GET['r'])) {
    131. 

  131. 	header('Location: ' . $_GET['r'], true, (int)$_GET['status']);
    132. 

  132. 	exit;
    133. 

  133. }
    134. 

  134. 

  135. if (isset($config['mod']['custom_pages'])) {
    136. 

  136. 	$pages = array_merge($pages, $config['mod']['custom_pages']);
    137. 

  137. }
    138. 

  138. 

  139. $new_pages = array();
    140. 

  140. foreach ($pages as $key => $callback) {
    141. 

  141. 	if (is_string($callback) && preg_match('/^secure /', $callback))
    142. 

  142. 		$key .= '(/(?P<token>[a-f0-9]{8}))?';
    143. 

  143. 	$key = str_replace('\%b', '?P<board>' . sprintf(substr($config['board_path'], 0, -1), $config['board_regex']), $key);
    144. 

  144. 	$new_pages[@$key[0] == '!' ? $key : '!^' . $key . '(?:&[^&=]+=[^&]*)*$!u'] = $callback;
    145. 

  145. }
    146. 

  146. $pages = $new_pages;
    147. 

  147. 

  148. $parse_start_time = microtime(true);
    149. 

  149. 

  150. foreach ($pages as $uri => $handler) {
    151. 

  151. 	if (preg_match($uri, $query, $matches)) {
    152. 

  152. 		$matches = array_slice($matches, 1);
    153. 

  153. 		
    154. 

  154. 		if (isset($matches['board'])) {
    155. 

  155. 			$board_match = $matches['board'];
    156. 

  156. 			unset($matches['board']);
    157. 

  157. 			$key = array_search($board_match, $matches);
    158. 

  158. 			if (preg_match('/^' . sprintf(substr($config['board_path'], 0, -1), '(' . $config['board_regex'] . ')') . '$/u', $matches[$key], $board_match)) {
    159. 

  159. 				$matches[$key] = $board_match[1];
    160. 

  160. 			}
    161. 

  161. 		}
    162. 

  162. 		
    163. 

  163. 		if (is_string($handler) && preg_match('/^secure(_POST)? /', $handler, $m)) {
    164. 

  164. 			$secure_post_only = isset($m[1]);
    165. 

  165. 			if (!$secure_post_only || $_SERVER['REQUEST_METHOD'] == 'POST') {
    166. 

  166. 				$token = isset($matches['token']) ? $matches['token'] : (isset($_POST['token']) ? $_POST['token'] : false);
    167. 

  167. 				
    168. 

  168. 				if ($token === false) {
    169. 

  169. 					if ($secure_post_only)
    170. 

  170. 						error($config['error']['csrf']);
    171. 

  171. 					else {
    172. 

  172. 						mod_confirm(substr($query, 1));
    173. 

  173. 						exit;
    174. 

  174. 					}
    175. 

  175. 				}
    176. 

  176. 			
    177. 

  177. 				// CSRF-protected page; validate security token
    178. 

  178. 				$actual_query = preg_replace('!/([a-f0-9]{8})$!', '', $query);
    179. 

  179. 				if ($token != make_secure_link_token(substr($actual_query, 1))) {
    180. 

  180. 					error($config['error']['csrf']);
    181. 

  181. 				}
    182. 

  182. 			}
    183. 

  183. 			$handler = preg_replace('/^secure(_POST)? /', '', $handler);
    184. 

  184. 		}
    185. 

  185. 		
    186. 

  186. 		if ($config['debug']) {
    187. 

  187. 			$debug['mod_page'] = array(
    188. 

  188. 				'req' => $query,
    189. 

  189. 				'match' => $uri,
    190. 

  190. 				'handler' => $handler,
    191. 

  191. 			);
    192. 

  192. 			$debug['time']['parse_mod_req'] = '~' . round((microtime(true) - $parse_start_time) * 1000, 2) . 'ms';
    193. 

  193. 		}
    194. 

  194. 		
    195. 

  195. 		if (is_string($handler)) {
    196. 

  196. 			if ($handler[0] == ':') {
    197. 

  197. 				header('Location: ' . substr($handler, 1),  true, $config['redirect_http']);
    198. 

  198. 			} elseif (is_callable("mod_page_$handler")) {
    199. 

  199. 				call_user_func_array("mod_page_$handler", $matches);
    200. 

  200. 			} elseif (is_callable("mod_$handler")) {
    201. 

  201. 				call_user_func_array("mod_$handler", $matches);
    202. 

  202. 			} else {
    203. 

  203. 				error("Mod page '$handler' not found!");
    204. 

  204. 			}
    205. 

  205. 		} elseif (is_callable($handler)) {
    206. 

  206. 			call_user_func_array($handler, $matches);
    207. 

  207. 		} else {
    208. 

  208. 			error("Mod page '$handler' not a string, and not callable!");
    209. 

  209. 		}
    210. 

  210. 		
    211. 

  211. 		exit;
    212. 

  212. 	}
    213. 

  213. }
    214. 

  214. 

  215. error($config['error']['404']);
    216. 

  216. 

  217.