fix(lang): review language usage and controller access

centralnicgroup-opensource · Oct 8, 2019 · 5bd93d8 · 5bd93d8
1 parent 464d876
commit 5bd93d8
Show file tree

Hide file tree

Showing 6 changed files with 96 additions and 104 deletions.
diff --git a/controller/_language.php b/controller/_language.php
@@ -5,9 +5,9 @@
 if (!isset($language)) {
     $language = "english";
 }
-$file_backorder = dirname(__FILE__)."/../lang/".$language.".php";
+$file_backorder = dirname(__FILE__). DIRECTORY_SEPARATOR . ".." . DIRECTORY_SEPARATOR . "lang" . DIRECTORY_SEPARATOR . $language . ".php";
 if (file_exists($file_backorder)) {
     include($file_backorder);
 } else {
-    include(dirname(__FILE__)."/../lang/english.php");
+    include(dirname(__FILE__). DIRECTORY_SEPARATOR . ".." . DIRECTORY_SEPARATOR . "lang" . DIRECTORY_SEPARATOR . "english.php");
 }
diff --git a/controller/dropdomains.php b/controller/dropdomains.php
@@ -1,16 +1,16 @@
 <?php
 //inlude this _language file in all controllers
-include(dirname(__FILE__)."/_language.php");
+include(dirname(__FILE__). DIRECTORY_SEPARATOR . "_language.php");
 
-$statusheader = $_LANG['setallbackorder'];
+$statusheader = $_ADDONLANG['setallbackorder'];
 
 $fields = array(); //fieldname, apifieldname
 $fields[]=array ("fieldname" => "",     "apifieldname" => "BACKORDERTYPE");
-$fields[]=array ("fieldname" => $_LANG['domainname'],   "apifieldname" => "DOMAIN");
-$fields[]=array ("fieldname" => $_LANG['dropdate'],     "apifieldname" => "DROPDATE");
-$fields[]=array ("fieldname" => $_LANG['chars'],        "apifieldname" => "NUMBEROFCHARACTERS");
-$fields[]=array ("fieldname" => $_LANG['digits'],       "apifieldname" => "NUMBEROFDIGITS");
-$fields[]=array ("fieldname" => $_LANG['hyphens'],      "apifieldname" => "NUMBEROFHYPHENS");
+$fields[]=array ("fieldname" => $_ADDONLANG['domainname'],   "apifieldname" => "DOMAIN");
+$fields[]=array ("fieldname" => $_ADDONLANG['dropdate'],     "apifieldname" => "DROPDATE");
+$fields[]=array ("fieldname" => $_ADDONLANG['chars'],        "apifieldname" => "NUMBEROFCHARACTERS");
+$fields[]=array ("fieldname" => $_ADDONLANG['digits'],       "apifieldname" => "NUMBEROFDIGITS");
+$fields[]=array ("fieldname" => $_ADDONLANG['hyphens'],      "apifieldname" => "NUMBEROFHYPHENS");
 
 $vars["fields"] = $fields;
 
@@ -75,5 +75,5 @@
 }
 
 $vars["breadcrumb"][] = array("last" => false, "link" => "", "label" => "Backorder" );
-$vars["breadcrumb"][] = array("last" => true, "link" => "", "label" => $_LANG["domainheader"]);
-$vars["displayTitle"] = $_LANG["domainheader"];
+$vars["breadcrumb"][] = array("last" => true, "link" => "", "label" => $_ADDONLANG["domainheader"]);
+$vars["displayTitle"] = $_ADDONLANG["domainheader"];
diff --git a/controller/manage.php b/controller/manage.php
@@ -4,17 +4,17 @@
 include dirname(__FILE__) . DIRECTORY_SEPARATOR . "_language.php";
 
 $vars["breadcrumb"][] = array("last" => false, "link" => "", "label" => "Backorder" );
-$vars["breadcrumb"][] = array("last" => true, "link" => "", "label" => $_LANG["managebackorders"]);
-$vars["displayTitle"] = $_LANG["managebackorders"];
+$vars["breadcrumb"][] = array("last" => true, "link" => "", "label" => $_ADDONLANG["managebackorders"]);
+$vars["displayTitle"] = $_ADDONLANG["managebackorders"];
 
-$statusheader = $_LANG['setallbackorder'];
+$statusheader = $_ADDONLANG['setallbackorder'];
 
 $fields = array(); //fieldname, apifieldname
 $fields[]=array ("fieldname" => "",     "apifieldname" => "BACKORDERTYPE");
 $fields[]=array ("fieldname" => "ID",   "apifieldname" => "ID");
-$fields[]=array ("fieldname" => $_LANG["domainname"],   "apifieldname" => "DOMAIN");
-$fields[]=array ("fieldname" => $_LANG["dropdate"],     "apifieldname" => "DROPDATE");
-$fields[]=array ("fieldname" => $_LANG["status"],       "apifieldname" => "STATUS");
+$fields[]=array ("fieldname" => $_ADDONLANG["domainname"],   "apifieldname" => "DOMAIN");
+$fields[]=array ("fieldname" => $_ADDONLANG["dropdate"],     "apifieldname" => "DROPDATE");
+$fields[]=array ("fieldname" => $_ADDONLANG["status"],       "apifieldname" => "STATUS");
 
 $vars["fields"] = $fields;
 
@@ -57,7 +57,7 @@
                     $tmpfield = '<div class="btn-group btn-group">';
                     //DISPLAY DELETE BUTTON ONLY FOR: "PENDING-PAYMENT", "AUCTION-PENDING", "PROCESSING"
                     if (!in_array($item['STATUS'], array("PENDING-PAYMENT", "AUCTION-PENDING", "PROCESSING"))) {
-                        $tmpfield .= '<button placeholder2="'.$item['DROPDATE'].'" placeholder="'.$cnt.'" value="'.$item['DOMAIN'].'" class="line'.$cnt.' setbackorder btn btn-default btn-sm active">'.$_LANG['deletebutton'].'</button>';
+                        $tmpfield .= '<button placeholder2="'.$item['DROPDATE'].'" placeholder="'.$cnt.'" value="'.$item['DOMAIN'].'" class="line'.$cnt.' setbackorder btn btn-default btn-sm active">'.$_ADDONLANG['deletebutton'].'</button>';
                     }
                     $tmpfield .= '</div>';
                     $newitem[] = $tmpfield;

diff --git a/ispapibackorder.php b/ispapibackorder.php
@@ -165,7 +165,7 @@ function ispapibackorder_clientarea($vars)
         $key = "ispapibackorder";
         $language = (isset($_SESSION["language"]) ? $_SESSION["language"] : "english");
         $file = getcwd() . DIRECTORY_SEPARATOR . "modules" . DIRECTORY_SEPARATOR . "addons" . DIRECTORY_SEPARATOR . $key . DIRECTORY_SEPARATOR . "lang" . DIRECTORY_SEPARATOR . $language . ".php";
-        if (file_exists($file)){
+        if (file_exists($file)) {
             include($file);
         }
 
@@ -191,35 +191,27 @@ function ispapibackorder_clientarea($vars)
     });
 
     $modulename = "ispapibackorder";
-    $modulepath = "modules/addons/".$modulename;
+    $modulepath = "modules" . DIRECTORY_SEPARATOR . "addons" . DIRECTORY_SEPARATOR . $modulename;
 
-    //include language files
-    $language = $_SESSION["Language"];
-    if (!isset($language)) {
-        $language = "english";
+    if (!preg_match("/^(manage|dropdomains)$/", $_GET["p"])) {
+        //just to ensure %00 attacks are not working - WHMCS filters it out, but still white-listing is more secure
+        die("not allowed");
     }
-    $file = getcwd()."/lang/".$language.".php";
-    $file_backorder = getcwd()."/modules/addons/ispapibackorder/lang/".$language.".php";
-    include($file);
-    if (file_exists($file_backorder)) {
-        include($file_backorder);
-    }
-
-    //include controller file
-    $vars = array();
-    $controller = getcwd()."/modules/addons/".$modulename."/controller/".$_GET["p"].".php";
+    $controller = getcwd() . DIRECTORY_SEPARATOR . $modulepath . DIRECTORY_SEPARATOR . "controller"  . DIRECTORY_SEPARATOR . $_GET["p"] . ".php";
     if (file_exists($controller)) {
-        include  $controller;
+        include $controller;
+    } else {
+        die("controller not found");
     }
+
+    $vars["moduletemplatepath"] = $modulepath . DIRECTORY_SEPARATOR . "templates";
+    $vars["modulepath"] = $modulepath . DIRECTORY_SEPARATOR;
 
     return array(
-            'pagetitle' => "Backorder",
-            'breadcrumb' => array('index.php?m=ispapibackorder'=>'Backorder'),
-            'templatefile' => "templates/".$_GET["p"],
-            'requirelogin' => true,
-            'vars' => array_merge($vars, array(
-                    'moduletemplatepath' => $modulepath."/templates",
-                    'modulepath' => $modulepath."/"
-            )),
+        'pagetitle' => "Backorder",
+        'breadcrumb' => array('index.php?m=ispapibackorder'=>'Backorder'),
+        'templatefile' => "templates/" . $_GET["p"],
+        'requirelogin' => true,
+        'vars' => $vars
     );
 }