continue
= FAIL => Abbruchmeldung und Schlußverarbeitung
+ Prüfung auf gültige Authentifizierung
= OK => continue
= FAIL => Abbruchmeldung und Schlußverarbeitung
+ Prüfung auf Wartungsstatus
= OK => continue
= FAIL => Abbruchmeldung und Schlußverarbeitung
+ Verarbeitung der Submit-Aktionen (POST), Anzeige der einzelnen Orga-Formulare
*/
// this script needs following additional server modules for PHP
// - (none)
// write HTTP header (anti-cache)
header('Expires: Sun, 31 Dec 1989 23:59:59 GMT');
header('Last-Modified: ' . gmdate('D, d M Y H:i:s') . ' GMT');
header('Cache-Control: no-store, no-cache, must-revalidate');
header('Cache-Control: post-check=0, pre-check=0');
header('Pragma: no-cache');
// define general server constants
define( "SERVER_SITE_MAINTENANCE", false ); // maintenance state, set to TRUE to lock this page temporarily
define( "SERVER_LOCALHOST_IP", "127.0.0.1" ); // localhost IP, which does not need authentication
define( "SERVER_PROTOCOL_HTTPS", "HTTPS" ); // HTTPS protocol name
// define server file constants
define( "SERVER_FILE_MYSELF", "announce.php" ); // submit target of forms = this file itself
define( "SERVER_FILE_ANNOUNCE", "index.shtml" ); // announcement file; e.g. index file
define( "SERVER_FILE_HEADER", "ssi_site_header.html" ); // SSI file for site header
define( "SERVER_FILE_INTRO", "ssi_site_intro.html" ); // SSI file for site intro
define( "SERVER_FILE_EXTRO", "ssi_site_extro.html" ); // SSI file for site extro
// define auth constants
define( "AUTH_SERVER_PASS", "Osterüberraschung" ); // auth password, [todo:] should be outsourced to an external, secured data file
// init references to $_POST variables ($pxxx)
$pstrauth = & $_POST['txtauth'];
$pstrtitle = & $_POST['txttitle'];
$pstrannouncement = & $_POST['txtannouncement'];
$pbolannouncement = & $_POST['cmdannouncement'];
// init post variables (only for mandatory variables, ignore variables submitted by special forms!)
if ( !isset($pstrauth) ) $pstrauth = '';
if ( !isset($pstrtitle) ) $pstrtitle = '';
if ( !isset($pstrannouncement) ) $pstrannouncement = '';
// init instance variables
$intnow = time();
$strmsg = ''; // (status/error/etc.) message to user
$strauth = '';
$strinput = '';
$stroutput = '';
$intfileid = 0;
$strtitle = '';
$strannouncement = '';
$strauth = '';
$bolannouncement = false;
$bolauthabort= false;
$bolok = false; // action feedback, triggers confirmation if true or warning if false
// function library
function addmsg ($straddmsg)
{
// adds $straddmsg to $strmsg
global $strmsg;
if ( $straddmsg != '' )
{
$strmsg = $strmsg . '
' . $straddmsg . '';
}
}
function showmsg ()
{
// shows messages in $strmsg if available
global $strmsg, $bolok;
if ( $strmsg != '' )
{
echo
'
';
$strmsg = '';
}
}
// check input variables
//$bolannouncement = isset( $pbolannouncement ); // does not work in IE when submitted from within a text field by pressing Return key, reason unknown
$bolannouncement = ( isset( $pbolannouncement ) || $pstrannouncement != '' ); //workaround for IE problem, see line above
$intwsid = $pintwsid;
$strtitle = $pstrtitle;
$strannouncement = $pstrannouncement;
$strauth = $pstrauth;
// defuse input variables
$strtitle = trim( htmlentities( $pstrtitle, ENT_QUOTES ));
// leave announcement html'ed
//$strannouncement = trim( htmlentities( $pstrannouncement, ENT_QUOTES ));
$strauth = trim( htmlentities( $pstrauth, ENT_QUOTES ));
// shorten input variables
if ( strlen( $strauth ) > 255 ) $strauth = substr( $strauth, 0, 4095 ); //cut it, do not modify
if ( strlen( $strtitle ) > 255 ) $strtitle = substr( $strtitle, 0, 252 ) . "...";
if ( strlen( $strannouncement ) > 4095 ) $strannouncement = substr( $strannouncement, 0, 4092 ) . "...";
if
(
// localhost access
(
// direkter Aufruf von localhost
htmlspecialchars( $_SERVER['HTTP_X_FORWARDED_FOR'], ENT_QUOTES ) == ''
&&
htmlspecialchars( $_SERVER['REMOTE_ADDR'], ENT_QUOTES ) == constant("SERVER_LOCALHOST_IP")
)
||
(
// indirekter Aufruf (z.B. transparenter SSL-Proxy) mit übergebenem localhost
htmlspecialchars( $_SERVER['HTTP_X_FORWARDED_FOR'], ENT_QUOTES ) == constant("SERVER_LOCALHOST_IP")
)
)
{
// localhost ist immer eingeloggt
// -> continue
}
else
{
// check protocol and timeout
// check secure connection
// possible results:
// - secure => continue
// - insecure => force logout ($bolauthlogoutnow), show error page and prepare message ($strmsg)
if
(
(
// direct connection without HTTPS
$_SERVER['HTTPS'] == ''
&&
$_SERVER['HTTP_X_FORWARDED_PROTO'] == ''
)
||
(
// indirect connection without local HTTPS proxy, e.g. orenosp
strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) != strtolower(constant("SERVER_PROTOCOL_HTTPS"))
&& $_SERVER['HTTP_X_FORWARDED_PROTO'] != ''
)
)
{
// insecure connection -> abort
addmsg ( 'Dein Verbindungsprotokoll ist HTTP. Bitte verwende für die Announce-Seite Verschlüsselung mittels HTTPS.' );
$bolauthabort = true;
}
}
// check maintenance state
if ( constant("SERVER_SITE_MAINTENANCE") )
{
// cancel because of maintenance
addmsg ( 'Die Announce-Seite ist zurzeit wegen Wartungsarbeiten deaktiviert. Bitte später wiederkommen. Danke.' );
$bolauthabort = true;
}
// prepare announce page
// assume that all ssi files are there. No, I won't check _that_ explicitely.
// If they ain't there, the user gets a partial page. ...so what? ;o)
readfile( constant("SERVER_FILE_HEADER") );
echo
'
Easterhegg 2005 - Announce
';
readfile( constant("SERVER_FILE_INTRO") );
echo
'
';
// show msg, if available
if ( $strmsg != '' )
{
echo
'
Authentifizierungshinweis:
';
$strmsg = '';
$bolauthabort = true;
}
showmsg();
if ( $bolauthabort )
{
// close page and stoprun.
echo
'
';
readfile( constant("SERVER_FILE_EXTRO") );
die();
}
// Well, Checkpoint.
// Now a defined and normal state of checking has been reached.
// Possible states are now:
// - $bolauthabort = false: user is authenticated to see this page
// - $bolauthabort = true: user is not authenticated to see this page
// If there were any messages on the way up to here, they are stored as list items () in variable $strmsg.
// check auth phrase if user tries to login
if ( $bolannouncement )
{
if ( $strauth == htmlentities( constant("AUTH_SERVER_PASS") , ENT_QUOTES ))
{
// auth accepted
if ( $strannouncement != '' )
{
// announcement accepted
if ( $strtitle != '' )
{
// title accepted
// -> continue
$bolok = true;
// this feature has been deactivated on the production machine due to security reasons
// to use it on your own machine just delete or uncomment the following lines
//addmsg ( 'Diese Funktion wurde aus Sicherheitsgründen deaktiviert.
Um sie auf Deiner Umgebung zu reaktivieren, entferne die Sperre in der Datei "announce.php".' );
//$bolok = false;
}
else
{
// title empty
addmsg ( 'Bitte gib noch einen griffigen Titel an! Danke :-)' );
}
}
else
{
// announcement empty
addmsg ( 'Das Announcement funktioniert besser, wenn Du etwas zum Announcen einträgst... ;-)' );
}
}
else
{
// auth failed
addmsg ( 'Das klappt so nicht. Vermutlich hast Du Dich beim Passwort vertippt.' );
}
}
echo
'
Announce
';
if ( $bolok && $bolannouncement )
{
$bolok = false;
//announce it now
$strinput = file_get_contents( constant("SERVER_FILE_ANNOUNCE") );
$stroutput =
'
' . $strtitle . '
' . date( "d.m.Y", $intnow ) . '
' . $strannouncement . '
';
$stroutput = str_replace( " [%announcement%] !-->", ' [%announcement%] !-->' . $stroutput, $strinput );
if ( is_writable( constant("SERVER_FILE_ANNOUNCE") ))
{
// file_put_contents does not work with PHP 4.x, so use instead: fopen, fwrite, fclose
// file_put_contents( constant("SERVER_FILE_ANNOUNCE"), $stroutput );
$intfileid = fopen( constant("SERVER_FILE_ANNOUNCE"), "w" );
fwrite( $intfileid, $stroutput );
fclose( $intfileid );
$bolok = true;
}
else
{
addmsg ( 'Die Workshopdatei "' . constant("SERVER_FILE_ANNOUNCE") . '" konnte nicht geschrieben werden. (Rechteproblem?)');
$bolok = false;
}
}
if ( $bolannouncement )
{
if ( $bolok )
{
addmsg ( 'Das Announcement wurde gesetzt.' );
}
else
{
addmsg ( 'Das Announcement wurde nicht gesetzt.' );
}
}
showmsg();
// show announce page
echo
'
Startseiten-Announcement
';
// close page and stoprun.
echo
'
';
readfile( constant("SERVER_FILE_EXTRO") );
die();
?>