getToken(); $_SESSION['token'] = $token; }
/* Per-request admin identifier; the isset/empty check that follows only catches a session value that could not be written. */
$_SESSION['admin-uuid'] = $cryptography->uniqueID();
if(!isset($_SESSION['admin-uuid']) || empty($_SESSION['admin-uuid'])) {
    echo 'Could not initialize a session. Possible reasons: session data might be full or not possible to create a session. For security reasons the administration panel cannot be loaded. Exiting.';
    exit;
}
// create a new admin token
/* Single-use form token: the upload handlers later in this script compare it with $_POST['token'] and
   unset it once a request has been handled. It is four uniqueID() values concatenated; whether that is
   unpredictable depends on $cryptography, which is not visible in this file. */
if(!isset($_SESSION['uuid'])) {
    $token = $cryptography->uniqueID();
    $token .= $cryptography->uniqueID();
    $token .= $cryptography->uniqueID();
    $token .= $cryptography->uniqueID();
    $_SESSION['uuid'] = $token;
} else {
    $token = $_SESSION['uuid'];
}
// configuration files are stored in the /server/ folder.
/* CSV uploads whose client-supplied name appears in this list (matched with a non-strict in_array in the
   CSV handler) are written under ../server/config/ instead of ../inventory/. */
$serverconfig_csv = [ 'currencies.conf.csv', 'messages.conf.csv', 'orders.conf.csv', 'shipping.conf.csv', 'shop.conf.csv', 'site.conf.csv', 'tax.conf.csv', 'payment.conf.csv'];
/* Not referenced anywhere in the visible part of this script. */
$serverconfig_json = [ 'currencies.conf.json', 'messages.conf.json', 'orders.conf.json', 'shipping.conf.json', 'shop.conf.json', 'site.conf.json', 'tax.conf.json', 'payment.conf.json']; ?>
Welcome to the administration panel. This part of the page should be placed behind a password-protected area. No warranty given, use at your own discretion.

Token is incorrect.'; exit; }
/* NOTE(review): the opening of this JSON upload handler (its isset($_POST[...]) test and the echo that
   started the string above) was lost in extraction, so the condition guarding it cannot be reviewed here. */
echo "
";
$j=1;
$count = count($_FILES['json_file']['name']);
for ($i = 0; $i < $count; $i++) {
    if($_FILES['json_file']['error'][$i] == UPLOAD_ERR_OK && is_uploaded_file($_FILES['json_file']['tmp_name'][$i])) {
        /* $_FILES[...]['type'] is the MIME type the client declared, not something derived from the file
           content; this rejects mislabelled uploads but does not validate what the file actually contains. */
        if($_FILES['json_file']['type'][$i] != 'application/json') {
            echo "
File is not a JSON file.
";
            exit;
        }
        // Sanitize filename and prevent directory traversal
        /* NOTE(review): despite the comment above, the visible code hands the raw client filename ($name)
           to the converter; sanitize() is applied to the name only when it is echoed. */
        $uploaded_file = $_FILES['json_file']['tmp_name'][$i];
        $file = file_get_contents($uploaded_file);
        $name = $_FILES['json_file']['name'][$i];
        $upload = $converter->convert($file,'json_to_csv_admin',$name,'../inventory/backups/');
        /* $upload is never inspected, so a failed conversion is still reported as a success below. */
        echo $j ."
Successfully upload ".$sanitizer->sanitize($_FILES['json_file']['name'][$i],'table')." JSON and converted to CSV.
";
    } else {
        /* Non-OK uploads only echo the numeric UPLOAD_ERR_* code. */
        echo $sanitizer->sanitize($_FILES['json_file']['error'][$i],'table');
    }
    $j++;
}
echo '
';
unset($_SESSION['uuid']);
}
/* CSV upload handler: converts each upload to JSON and stores both copies. */
if(isset($_POST['upload_csv'])) {
    /* NOTE(review): loose != between the session token and the posted one. If both happen to be numeric
       strings PHP compares them numerically, and the comparison is not constant-time;
       hash_equals((string)$_SESSION['uuid'], (string)($_POST['token'] ?? '')) is the usual form.
       The same pattern is used in the image handler further down. */
    if($_SESSION['uuid'] != $_POST['token']) {
        echo 'Token is incorrect.';
        exit;
    }
    echo "
";
    $count = count($_FILES['csv_file']['name']);
    $j=1;
    for ($i = 0; $i < $count; $i++) {
        if($_FILES['csv_file']['error'][$i] == UPLOAD_ERR_OK && is_uploaded_file($_FILES['csv_file']['tmp_name'][$i])) {
            /* Client-declared MIME type again; not a content check. */
            if($_FILES['csv_file']['type'][$i] != 'text/csv') {
                echo "
File is not a CSV! the mime type should be text/csv.
";
                exit;
            }
            // $file = file_get_contents($_FILES['csv_file']['tmp_name'][$i]);
            /* The upload is assumed to be windows-1252. iconv() returns false when it cannot convert, and
               file_get_contents() returns false on failure; neither result is checked before being passed
               to convert()/storedata(). */
            $file = iconv('windows-1252', 'utf-8', file_get_contents($_FILES['csv_file']['tmp_name'][$i]));
            $showfile = $converter->convert($file,'csv_to_json',$_FILES['csv_file']['name'][$i],'../inventory/backups/');
            $f = str_replace('.csv','',$_FILES['csv_file']['name'][$i]);
            /* Non-strict in_array on the raw client filename; pass true as the third argument. */
            if(in_array($_FILES['csv_file']['name'][$i],$serverconfig_csv)) {
                $server_path = '../server/config/';
            } else {
                $server_path = '../inventory/';
            }
            /* The chmod targets are built from sanitize($f,'alphanum') and sanitize(<raw name>), while
               storedata() below writes sanitize($f,'table').'.json' / '.csv'. Whenever those sanitizers
               produce different strings the permission change lands on a path other than the file written.
               0777 leaves the files world-writable until the 0755 below, and @ hides any error. */
            @chmod($server_path.$sanitizer->sanitize($f,'alphanum').'.json',0777);
            @chmod($server_path.'/csv/'.$sanitizer->sanitize($_FILES['csv_file']['name'][$i]),0777);
            $json_upload = $storagecontainer->storedata($server_path.$sanitizer->sanitize($f,'table').'.json',$showfile,'json');
            $csv_upload = $storagecontainer->storedata($server_path.'/csv/'.$sanitizer->sanitize($f,'table').'.csv',$file,'csv');
            if($json_upload != true) {
                echo "
JSON file could not be stored. Please make sure the /inventory/ directory has adequate writing permissions.
";
            } elseif($csv_upload != true) {
                echo "
a CSV copy file could not be stored. Please make sure the /inventory/csv/ directory has adequate writing permissions.
";
            } else {
                echo "
".$j.": Successfully upload ".$sanitizer->sanitize(str_ireplace('.csv','',$_FILES['csv_file']['name'][$i]),'alphanum').".csv and converted to JSON.
";
                /* Restore 0755 on the same (possibly mismatched, see above) paths; errors suppressed. */
                @chmod($server_path.$sanitizer->sanitize($f,'alphanum').'.json',0755);
                @chmod($server_path.'/csv/'.$sanitizer->sanitize($_FILES['csv_file']['name'][$i]),0755);
            }
        } else {
            echo $sanitizer->sanitize($_FILES['csv_file']['error'][$i],'table');
        }
        $j++;
    }
    echo '
';
    unset($_SESSION['uuid']);
}
/* Image upload handler: optionally creates a category directory under ../resources/images/ and moves
   each uploaded file into it. */
if(isset($_POST['upload'])) {
    /* Same loose, non-constant-time token comparison as in the CSV handler. */
    if($_SESSION['uuid'] != $_POST['token']) {
        echo '
Token is incorrect.
';
        exit;
    }
    /* Loose ==, so both 1 and '1' are accepted. */
    if($_POST['upload'] == 1) {
        $createdir = true;
        if(isset($_POST['destination'])) {
            if($_POST['destination'] != '') {
                $destination = '../resources/images/';
                $catfolder = strtolower($sanitizer->sanitize($_POST['destination'],'dir'));
                /* Only '../' and './' are rejected, and only on the already-sanitized value; what the 'dir'
                   sanitizer itself removes is not visible in this file. Backslashes are not checked here. */
                if(strstr($catfolder,'../') || strstr($catfolder,'./')) {
                    echo "
Directory traversal is not allowed.
".PHP_EOL;
                    exit;
                } else {
                    $destination .= strtolower($sanitizer->sanitize($_POST['destination'],'dir'));
                    if (!is_dir($destination)) {
                        /* 0777 (subject to umask) creates a world-writable directory tree. */
                        $createdir = mkdir($destination, 0777, true);
                        if($createdir == true) {
                            echo "
Directory did not exist, OpenShop created the new directory. (Be mindful that OpenShop does not allow special characters in directory names, including spaces).
The new directory is named: ".$sanitizer->sanitize($destination,'encode')."
".PHP_EOL;
                            $createdir = true;
                        }
                    }
                }
                /* Patterns rejected in image names. NOTE(review): the loop that applies them lost its header
                   and the start of its echo in extraction (next statement), so that check cannot be reviewed
                   here; the fragment is kept as found. */
                $disallowed = ['./','\\','../',':',';'];
                $countimages = count($_FILES['files']['name']);
                if($countimages >=1) {
                    for($g=0;$g<$countimages;$g++) {
                        for($f=0;$fImage name contains illegal characters, directory traversal is not allowed.".PHP_EOL; exit; } }
                        /* Looks at the error code of the first file (index 0) rather than of file $g, and
                           only rejects code 1 (UPLOAD_ERR_INI_SIZE); every other error code falls through to
                           move_uploaded_file(), which then fails and hits the die() below. */
                        if($_FILES['files']['error'][0] != 1) {
                            if($createdir) {
                                move_uploaded_file($_FILES['files']['tmp_name'][$g], strtolower($destination).'/'.$sanitizer->sanitize($_FILES['files']['name'][$g],'image')) or die('error: could not upload image.');
                                echo "
Image successfully uploaded.
";
                            }
                        } else {
                        }
                    }
                }
            }
        }
    }
    unset($_SESSION['uuid']);
} ?>