Files
@ 8d55669e05c2
Branch filter:
Location: SlatePermutate/admin.php
8d55669e05c2
5.8 KiB
text/x-php
Add some hacks to support pure HTTPS for WebAdvisor XSS automatic registration hack.
Instead of using a JSONP callback and PHP sessions to store the
TOKENIDX, the XSS script now just updates the URL parameter for the
WebAdvisor login page so that the TOKENIDX will be transferred to
webadvisor.php by a GET variable right when it is needed instead of
asynchronously.
A separate hack to help support HTTPS is that automatic uploading of
assets to Amazon S3 (which has HTTPS access) allows the XSS script to
be served over HTTPS. This eliminates the browser warnings about
accessing mixed secure/insecure content and, thus, hopefully supports
browsers which automatically block insecure content on secure pages.
Instead of using a JSONP callback and PHP sessions to store the
TOKENIDX, the XSS script now just updates the URL parameter for the
WebAdvisor login page so that the TOKENIDX will be transferred to
webadvisor.php by a GET variable right when it is needed instead of
asynchronously.
A separate hack to help support HTTPS is that automatic uploading of
assets to Amazon S3 (which has HTTPS access) allows the XSS script to
be served over HTTPS. This eliminates the browser warnings about
accessing mixed secure/insecure content and, thus, hopefully supports
browsers which automatically block insecure content on secure pages.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 | <?php /* -*- mode: php; -*- */
/*
* Copyright 2010 Nathan Gelderloos, Ethan Zonca, Nathan Phillip Brink
*
* This file is part of SlatePermutate.
*
* SlatePermutate is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* SlatePermutate is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with SlatePermutate. If not, see <http://www.gnu.org/licenses/>.
*/
require_once('inc/class.page.php');
require_once('inc/admin.inc');
$scripts = array('jQuery','jQueryUI');
$adminpage = page::page_create('Administration', $scripts);
$datepicker = '$(function() {
$( "#datepicker" ).datepicker();
$( "#datepicker" ).datepicker( "option", "dateFormat", "yy-mm-dd" );
});';
$adminpage->headcode_add('datePicker', $adminpage->script_wrap($datepicker), TRUE);
$adminpage->head();
if(!isset($admin_pass) || !isset($admin_enable) || $admin_enable !== true) {
echo "<p>The administration interface is not enabled or is improperly configured. See config.inc for more information.</p>";
$adminpage->foot();
exit;
}
// Force authentication
else if (!isset($_SERVER['PHP_AUTH_USER']) || (!isset($_SERVER['PHP_AUTH_PW'])) || $_SERVER['PHP_AUTH_PW'] != $admin_pass) {
header('WWW-Authenticate: Basic realm="My Realm"');
header('HTTP/1.0 401 Unauthorized');
echo '<p>You must authenticate to access the administration interface.</p>';
$adminpage->foot();
exit;
}
function isBeforeDate($toCheck, $reference) {
$formatted = date("Y-m-d", $toCheck);
$refUnix = strtotime($reference);
if($toCheck < $refUnix) {
return true;
}
return false;
}
function checkAction() {
$result = '';
if(isset($_GET['rehash'])) {
// Run the rehash
$crawl_schools = NULL;
if (isset($_REQUEST['rehash_school']))
$crawl_schools = array($_REQUEST['rehash_school']);
ob_start();
if (school_cache_recreate($crawl_schools))
$result = 'Rehash Failed';
else
$result = 'Rehash Successful';
$hashresult = htmlentities(ob_get_contents());
ob_end_clean();
if ($crawl_schools !== NULL)
$result .= ': ' . implode(', ', $crawl_schools);
// Prepend rehash output
$result = nl2br($hashresult) . '<br />' . $result;
}
else if(isset($_GET['purge']))
{
$purge_date = NULL;
if(isset($_GET['purgetodate']))
{
$t = strptime($_REQUEST['purgetodate'], '%Y-%m-%d');
$purge_date = mktime($t['tm_hour'], $t['tm_min'], $t['tm_sec'], $t['tm_mon'], $t['tm_mday'], $t['tm_year'] + 1900);
}
$schedule_store = schedule_store_init();
if (!$schedule_store)
return 'Purging saved schedules failed: unable to initialize schedule_store handle.';
$num_purged = schedule_store_purge_range($schedule_store, 0, $purge_date);
if ($num_purged === FALSE)
{
$result = 'Purging saved scheduled failed.';
if (!$admin_enable_purge)
$result .= ' Purging is disabled. To enable purging, set $admin_enable_purge = TRUE in config.inc.';
}
else
{
$result .= 'Purged ' . $num_purged . ' schedules';
if ($purge_date !== NULL)
$result .= ' up to ' . $purge_date;
}
}
return $result;
}
function getLastRehash(){
$schoollist_filename = 'cache/schools';
if (!file_exists($schoollist_filename))
return FALSE;
$stats = stat($schoollist_filename);
if(!$stats){
return FALSE;
}
return date('F j, Y, g:i a', $stats[9]);
}
function schoolsDropList()
{
$school_ids = school_list();
echo '<select name="rehash_school">';
foreach($school_ids as $school_id)
{
$school = school_load($school_id);
echo ' <option value="' . $school_id . '">' . $school['name'] . '</option>' . "\n";
}
echo "</select>";
}
function getMaxSaved()
{
$schedule_store = schedule_store_init();
if (empty($schedule_store))
return -1;
return schedule_store_getmaxid($schedule_store);
}
?>
<?php /* Check if authorized */
$res = checkAction();
if($res != '') {
echo '<p><em>' . $res . '</em> <a href="admin.php">(x)</a></p>';
}
?>
<h3>Stats</h3>
<img src="statsGraph.php" />
<h3>Update</h3>
<p>You are currently running version <?php echo SP_PACKAGE_VERSION; ?>. The latest available release is VERSION.</p>
<h3>Rehash</h3>
<?php $lastRehash = getLastRehash();
if($lastRehash) {
echo "<p>Last rehash ocurred on $lastRehash.</p>";
}
else {
echo "<p>This installation has not been rehashed. Please <a href=\"admin.php?rehash\">rehash now</a> to download school scheduling metadata.</p>";
}
?>
<ul>
<li>
<a href="admin.php?rehash">Rehash All Institutions</a>
</li>
<li>
<form action="admin.php">Rehash schedules for <?php schoolsDropList(); ?>
<input type="hidden" name="rehash" value="1" />
<input type="submit" value="Go »" />
</form>
</li>
</ul>
<h3>Purge</h3>
<p>The highest saved_schedule id is <a href="<?php $max_saved = getMaxSaved(); echo htmlentities(Schedule::url($max_saved)); ?>"><?php echo $max_saved;?></a>.</p>
<ul>
<li><a href="admin.php?purge">Purge Entire Cache</a></li>
<li>
<form action="admin.php">Purge cache up to
<input type="text" name="purgetodate" size="8" id="datepicker"/>
<input type="submit" value="Go »" />
<input type="hidden" name="purge" value="1" /> <!-- simplify our server-side code -->
</form>
</li>
</ul>
<?php
$adminpage->foot();
|