--- SiteBar-3.3.8/translator.php +++ SiteBar-3.3.8/translator.php @@ -489,12 +489,19 @@ if ($update && !$this->parts[$part]['inl [Back to Translation List]

parts[$part])) + { + die("Unknown part in edit param!"); + } + + if (!preg_match('/^\w+$/',$lang)) + { + die("Not allowed characters in lang param!"); + } + $param = $this->parts[$part]; $file = sprintf($this->fmt,$lang,$param['file']); - mkdir($this->dir.'/locale/'.$lang, 0777); - chmod($this->dir.'/locale/'.$lang, 0777); - include($file); eval('$data = $'.$part.';'); eval('$'.$part.'=array();'); @@ -518,7 +525,8 @@ if ($update && !$this->parts[$part]['inl if (!$fh = fopen($file,'w')) { - echo "Cannot write results to file: $file" . + echo "Cannot write results to file: $file
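Review bot: The new lang check `preg_match('/^\w+$/',$lang)` still lets a value with a trailing newline through, because `$` in PCRE also matches just before a final `\n`, so `lang=en%0A` passes and the newline ends up in the path built by `sprintf($this->fmt,$lang,...)` and handed to `include($file)` a few lines later. Anchor the end of the string instead: `if (!preg_match('/^\w+\z/',$lang))`. Apart from that the check is a good fit for a value used in a file path, since with only word characters allowed neither `..` nor `/` can reach the include any more. The function containing this hunk, and the place where `$part` and `$lang` are read from the request (as the die() messages suggest), lie outside the hunk, so it is worth confirming that this check sits on every path that reaches `include($file)`.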
\n"; + echo "Sorry for inconvinience, if possible keep this page open and inform admin. When the problem is fixed you could just reload this page and post the data once again.
\n"; exit; } @@ -572,9 +580,17 @@ if ($update && !$this->parts[$part]['inl else { $value = str_replace("\r\n","\n", $value); - fwrite( $fh, "\$".$part."['".$label."'] = <<<_P\n"); + fwrite( $fh, "\$".$part."['".$label."'] = <<<_SBHD\n"); + + // Do not allow here doc to be included in the string, + // otherwise any php code would be executed. + if (strstr($value,"_SBHD")) + { + die("Value must not contain _SBHD pattern!"); + } + fwrite( $fh, $value); - fwrite( $fh, "\n_P;\n\n"); + fwrite( $fh, "\n_SBHD;\n\n"); } } }
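Review bot: The rewritten error output still echoes `$file`, the full on-disk path assembled from `$this->fmt`, straight into the page, which discloses the server's directory layout to whoever triggers a write failure; showing only the file name and logging the full path server-side is enough for the user to report the problem. The text is also emitted without `htmlspecialchars()`; with `$lang` limited to word characters the path is not attacker-controlled, but escaping output is cheap insurance, e.g. replace `$file` in the first echo with `".htmlspecialchars(basename($file))."`. Minor: "inconvinience" in the second echo should read "inconvenience".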
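Review bot: The `_SBHD` check does not close the code-execution hole it is aimed at, because `<<<_SBHD` is an interpolating heredoc: a value containing `{${system('id')}}` or a plain `$data` is evaluated when the generated file is later `include`d, even though it contains no terminator at all. The check also runs after the first `fwrite()` of the `<<<_SBHD` line, so `die()` leaves the file that `fopen($file,'w')` already truncated ending in an unterminated heredoc, which breaks every later include of that translation. Both problems disappear if the entry is written as a properly escaped literal instead of a heredoc, which also covers `$label` (its origin is outside the hunk, so it should be treated as untrusted as well): `fwrite($fh, '$'.$part.'['.var_export($label, true).'] = '.var_export($value, true).";\n\n");` in place of the three fwrite calls and the strstr guard. If the heredoc is kept, switch to a nowdoc (`<<<'_SBHD'`) where the supported PHP version allows it, and move the `_SBHD` check ahead of the `fopen()`.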