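#! /usr/bin/perl -T
#######################################################################################
#                                                                                     #
#  Commerce.cgi                                                                       #
#  http://commerce-cgi.com                                                            #
#                                                                                     #
#  Copyright 2007 Internet Express Products                                           #
#                                                                                     #
#  Last Modified 10/22/2006                                                           #
#                                                                                     #
#######################################################################################
$version = '4.6.2';
#######################################################################################
#
# The entire package as distributed here is Copyright 2008
# Internet Express Products and is distributed free of charge
# consistent with the CommerceCGI Artistic License that must
# be included with this package, and can also be fould at the
# CommerceCGI web site at http://commerce-cgi.com.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# Pursuant to the License Agreement, this copyright notice may not be
# removed or altered in any way.
#
#######################################################################################
#
# Front controller for the store.  Flow: redirect STDERR, check the request
# URI, parse the form, load the library files, run the per-request checks
# (gateway, cookie, page, cart id, add-ons) and dispatch on whichever submit
# button or parameter is present.  The script runs without 'use strict':
# most state lives in package globals ($Path, the $sc_* paths, %form_data,
# %cookie, $gateway, $page, ...) that the required library files read and
# write, so those names are left as globals on purpose.
#
# print "Content-type: text/html\n\n";

# Warnings and die() text go to a file beside the script rather than the web
# server log.  Three-arg open so the mode can never be read from the path.
BEGIN {
    open(STDERR, '>', './commerce.err');
}

# NOTE(review): fatalsToBrowser echoes die() messages, including server-side
# paths, to the client.  CGI::Carp::set_message() with a generic text is the
# usual production setting.
use CGI::Carp qw(fatalsToBrowser);

$benchmark = 0;
if ($benchmark == 1) {
    use Benchmark;                  # 'use' runs at compile time regardless of the if
    $t0 = Benchmark->new;
}
$| = 1;
$ENV{"PATH"} = "";                  # taint mode (-T) refuses system()/backticks otherwise
$time = time;
$OS   = $^O;
if ($OS =~ /Win/i) {
    # $Path = "C:/Inetpub/Commerce401";
    $Path = ".";
}
else {
    $Path = ".";
}
&set_paths;
&hack_logging;                      # exits the request if the URI looks like traversal
#%form_data = &get_data();
%form_data = &get_data();
#After litespeed upgrade - to fix form data:
#require "$sc_library_directory_path/cgi_lib.pl" || &errorcode(__FILE__, __LINE__, "$sc_library_directory_path/cgi_lib.pl", "$!", "die", "FILE REQUIRE ERROR", "8");
#&ReadParse(*form_data);
# UPDATE Chris Costa - edite sub get_data to replace all instances of $_[0] which fixed problem

# Trace the submitted field *names* only.  The values are deliberately not
# written: this script receives card-number fields (see the debug block
# below) and commerce.err is a plain file next to the script.
foreach my $key (keys %form_data) {
    print STDERR "field: $key\n";
}

if ($form_data{'version'}) {
    print "Content-type: text/html\n\n";
    print "VERSION: $version";
    exit;
}

# require() dies by itself when a file is missing, fails to compile or does
# not return true, so the '|| &errorcode(...)' branches below are never
# reached; they are kept for the error numbers they document.
require "$sc_library_directory_path/cookie_lib.pl" || &errorcode(__FILE__, __LINE__, "$sc_library_directory_path/cookie_lib.pl", "$!", "die", "FILE REQUIRE ERROR", "8");
require "$sc_configuration_directory_path/commerce_user_lib.pl" || &errorcode(__FILE__, __LINE__, "$sc_configuration_directory_path/commerce_user_lib.pl", "$!", "die", "FILE REQUIRE ERROR", "8");
require "$sc_library_directory_path/db_setup_lib.pl" || &errorcode(__FILE__, __LINE__, "$sc_library_directory_path/db_setup_lib.pl", "$!", "die", "FILE REQUIRE ERROR", "8");
require "$sc_library_directory_path/order_lib.pl" || &errorcode(__FILE__, __LINE__, "$sc_library_directory_path/order_lib.pl", "$!", "die", "FILE REQUIRE ERROR", "8");
require "$sc_library_directory_path/html_lib.pl" || &errorcode(__FILE__, __LINE__, "$sc_library_directory_path/html_lib.pl", "$!", "die", "FILE REQUIRE ERROR", "8");
require "$sc_library_directory_path/cart_lib.pl" || &errorcode(__FILE__, __LINE__, "$sc_library_directory_path/cart_lib.pl", "$!", "die", "FILE REQUIRE ERROR", "8");
require "$sc_library_directory_path/file_lock_lib.pl" || &errorcode(__FILE__, __LINE__, "$sc_library_directory_path/file_lock_lib.pl", "$!", "die", "FILE REQUIRE ERROR", "8");
require "$sc_library_directory_path/encode_lib.pl" || &errorcode(__FILE__, __LINE__, "$sc_library_directory_path/encode_lib.pl", "$!", "die", "FILE REQUIRE ERROR", "8");

&gateway_check;
$time = time + (3600 * $time_dif);  # $time_dif comes from commerce_user_lib.pl
# &proper_url;
&get_cookie;
&valid_page;
&set_cart_id;
&require_addons;
#for affiliate codes
if ($affiliate_landing_loaded) { &af_cookie; }

&send_http_headers;

#print " cjset is $cjset form is $form_data{\"cart_id\"} cookie is $cookie{'cart_id'} and variable is $cart_id";

# NOTE(review): debug=yes is an unauthenticated switch that echoes every
# cookie back to the client; the two card-number triggers are test numbers.
# Gate this on a configuration flag before the script faces the public.
if (($form_data{'debug'} eq "yes") || ($form_data{'Ecom_Payment_Card_Number'} eq "6011000000000012") || ($form_data{'CARDNUM'} eq "6011000000000012")) {
    foreach my $key (keys %cookie) {
        $cookie{$key} =~ s/ /+/g;
        $debug_message .= "$key\=$cookie{$key}
";
    }
    print qq~
DEBUGGING

$debug_message
~;
}

# A database query is requested when any of the configured criteria fields
# (name|... entries in @sc_db_query_criteria) arrived non-empty.
$are_any_query_fields_filled_in = "no";
foreach my $query_field (@sc_db_query_criteria) {
    @criteria = split(/\|/, $query_field);
    if ($form_data{$criteria[0]} ne "") {
        $are_any_query_fields_filled_in = "yes";
    }
}

# Items per page is accepted only as a positive integer, so a non-numeric or
# zero value from the client never reaches the paging arithmetic.
if ($form_data{'per'} =~ /\A([1-9]\d*)\z/) {
    $items_per_page = $1;
}

#######################################################################
# Main Code                                                           #
#######################################################################
# Image submit buttons arrive as NAME.x / NAME.y, hence the paired tests.
if ($form_data{'add_to_cart_button'} || $form_data{'add_to_cart_button.x'}) {
    &add_to_the_cart;
}
elsif ($form_data{'viewOrder'} || $form_data{'viewOrder.x'}) {
    &display_cart_table("");
    &cart_footer;
}
elsif ($form_data{'submit_change_quantity_button'} || $form_data{'submit_change_quantity_button.x'}) {
    &modify_quantity_of_items_in_cart;
}
elsif ($form_data{'submit_change_recipient_button'} || $form_data{'submit_change_recipient_button.x'}) {
    &modify_extra_variables_in_cart;
}
elsif ($form_data{'submit_change_message_button'} || $form_data{'submit_change_message_button.x'}) {
    &modify_extra_variables_in_cart;
}
elsif ($form_data{'submit_deletion_button'} || $form_data{'submit_deletion_button.x'}) {
    &delete_from_cart;
}
elsif ($form_data{'order_form_button'} || $form_data{'order_form_button.x'}) {
    require "$Path/configuration/rand_key.pl" || &errorcode(__FILE__, __LINE__, "$Path/configuration/rand_key.pl", "$!", "die", "FILE REQUIRE ERROR", "8");
    # Symbolic call: $gateway is limited to word characters and its
    # <gateway>-order_lib.pl was already required by gateway_check.
    &{$gateway . "_display_order_form"};
}
elsif ($form_data{'submit_order_form_button'} || $form_data{'submit_order_form_button.x'}) {
    require "$Path/configuration/rand_key.pl" || &errorcode(__FILE__, __LINE__, "$Path/configuration/rand_key.pl", "$!", "die", "FILE REQUIRE ERROR", "8");
    &process_order_form;
}
elsif ($are_any_query_fields_filled_in =~ /yes/i) {
    &create_html_page_from_db;
}
elsif ($gateway && $form_data{$process_variable{$gateway}}) {
    &{$gateway . "_processOrder"};
}
elsif ($page ne "") {
    &display_page("$sc_pages_directory_path/$page", "sub create_html_page_from_db", __FILE__, __LINE__);
    ##################################################################
    # Add custom actions here!
    ##################################################################
}
elsif ($form_data{'custom_action'} eq "view_reviews") {
    &view_reviews;
}
elsif ($form_data{'custom_action'} eq "review") {
    &review;
}
elsif ($form_data{'custom_action'} eq "post_review") {
    &post_review;
}
elsif ($form_data{'af'}) {
    # The affiliate code becomes part of a file path: restrict it to a single
    # path component (word characters and dashes) so "../" cannot leave
    # pages/af/.  Anything else falls through to the front page.
    my ($af_code) = ($form_data{'af'} =~ /\A([\w\-]+)\z/);
    if (defined $af_code) {
        &affiliate_landing_page("$sc_pages_directory_path/af/$af_code\.htm", "sub affiliate_landing_page", __FILE__, __LINE__);
    }
    else {
        &display_page("$sc_pages_directory_path/Home.htm", "Output Frontpage", __FILE__, __LINE__);
    }
    ##################################################################
}
else {
    &display_page("$sc_pages_directory_path/Home.htm", "Output Frontpage", __FILE__, __LINE__);
}

if ($benchmark == 1) {
    $t1 = Benchmark->new;
    $td = timediff($t1, $t0);
    print 'Overall Benchmark: ' . timestr($td) . '';
}
exit;

#######################################################################
# Send HTTP headers once                                              #
#######################################################################
# Prints the text/html + no-cache headers unless $http_headers says they
# were already sent (by this script or by a library file).
sub send_http_headers {
    unless ($http_headers) {
        print "Content-type: text/html\n";
        print "Cache-Control: no-cache\n";
        print "Pragma: no-cache\n\n";
        $http_headers = 1;
    }
    return;
}

#################################################################
# get_date Subroutine                                           #
#################################################################
# Returns the global $time formatted as e.g.
# "Sunday, January 1, 2006 at 09:05:07" (local time zone).
sub get_date {
    my @days   = ('Sunday', 'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday', 'Saturday');
    my @months = ('January', 'February', 'March', 'April', 'May', 'June', 'July', 'August', 'September', 'October', 'November', 'December');
    my ($sec, $min, $hour, $mday, $mon, $year, $wday, $yday, $isdst) = localtime($time);
    $hour = sprintf("%02d", $hour);
    $min  = sprintf("%02d", $min);
    $sec  = sprintf("%02d", $sec);
    $year += 1900;
    return "$days[$wday], $months[$mon] $mday, $year at $hour\:$min\:$sec";
}

#######################################################################
# format_price                                                        #
#######################################################################
# Formats a number with two decimals ("12.5" -> "12.50").  Uncomment the
# substitution to print a comma as the decimal separator instead.
sub format_price {
    my ($unformatted_price) = @_;
    my $formatted_price = sprintf("%.2f", $unformatted_price);
    # $formatted_price =~ s/\./\,/;
    return $formatted_price;
}

############################################################
# Get form input
############################################################
# Parses the query string (GET) or the request body (everything else) into
# a name => value hash and returns it as a list.  Names and values are
# '+' and %XX decoded; a value may contain '=' and a bare '&' is glued back
# onto the previous value.
sub get_data {
    my $max_post_bytes = 1_048_576;   # cap so a bogus Content-Length cannot make read() allocate gigabytes
    my $string;
    my $prev = '';
    my %data;
    if ($ENV{'REQUEST_METHOD'} eq 'GET') {
        $string = $ENV{'QUERY_STRING'};
    }
    else {
        my $length = ($ENV{'CONTENT_LENGTH'} =~ /\A(\d+)\z/) ? $1 : 0;
        $length = $max_post_bytes if $length > $max_post_bytes;
        read(STDIN, $string, $length);
    }
    $string = '' unless defined $string;
    # Defuse the characters that would break the qq~...~ page templates this
    # script prints.  This runs before percent-decoding, so it only catches
    # literal ", ~ and ; in the raw request; their %XX forms pass through.
    $string =~ tr/\"~;/_/;
    foreach my $pair (split(/&/, $string)) {
        if ($pair =~ /=/) {
            # Limit 2: split on the first '=' only, values may contain '='.
            my ($name, $value) = split(/=/, $pair, 2);
            $name =~ s/\+/ /g;
            $name =~ s/%(..)/pack("c", hex($1))/ge;
            $prev = $name;
            $data{$name} = $value;
        }
        else {
            # Fragment without '=': part of the previous value after a bare '&'.
            $data{$prev} .= "\&$pair";
        }
    }
    foreach my $name (keys %data) {
        $data{$name} =~ s/\+/ /g;
        $data{$name} =~ s/%(..)/pack("c", hex($1))/ge;
    }
    return %data;
}

#######################################################################
# Error Code
#######################################################################
# &errorcode(__FILE__, __LINE__, "$bad_file", "$!", "print", "FILE OPEN ERROR", "0");
#
# Reports an error on the page (unless $action matches ignore/noprint),
# appends it to error.log when $sc_shall_i_log_errors is "yes" (unless
# $action matches nolog), mails it to $sc_admin_email when
# $sc_shall_i_email_if_error is "yes" (unless $action matches nomail),
# and finally dies when $action matches "die".  $error_number selects one
# of the explanatory texts below.
sub errorcode {
    my ($this_file, $line, $bad_file, $error, $action, $type, $error_number) = @_;
    my ($log_entry, $email_body);
    my %errors;
    $errors{'0'} = qq~There was an error opening up a file. First make sure that this file exists, then make sure that you have the permissions set properly on this file. Then also make sure that this file has been uploaded in the proper format, i.e. ASCII or BINARY. The last thing that also occurs is that when FTPing files sometime it will change the case on the files. Make sure that they match up because Unix is case sensitive.~;
    $errors{'1'} = qq~There was an error opening up a file. First make sure that this file exists, then make sure that you have the permissions set properly on this file. Then also make sure that this file has been uploaded in the proper format, i.e. ASCII or BINARY. 
The last thing that also occurs is that when FTPing files sometime it will change the case on the files. Make sure that they match up because Unix is case sensitive.~;
    $errors{'2'} = qq~Error creating lock file. Lock file errors are usually caused because you do not have permissions to write to the specified folder.~;
    $errors{'3'} = qq~There was an error opening the specified directory. Either this directory does not exist for some strange reason or the path to this directory is wrong. The last option would be that you have the permissions on this folder incorrect.~;
    $errors{'4'} = qq~There was an error writing your order to the server! Please contact the store owner regarding your order to get this problem resolved and insure that you order has been recieved.~;
    $errors{'5'} = qq~There must be something wrong because the script cannot get a unique number for your shopping cart. Please check the code in the Assign a Shopping Cart routine.~;
    $errors{'6'} = qq~I am sorry, but you may only use this program to view HTML pages.~;
    $errors{'7'} = qq~I was unable to require this file because it does not exist or the file is corrupt. One thing to check it that the file name is in the proper case as was the program is trying to use.~;
    $errors{'8'} = qq~I was unable to require this file because the path or permissions maybe wrong.~;
    $errors{'9'} = qq~We use encrypted control numbers in several places in the program to insure that the data on the page has not been changed. This will prevent someone from downloading the source code of the page and then editing the code and then submitting it from there local computer.~;
    $errors{'10'} = qq~Invalid cart_id! The cart_id used is not a number. 
This is ussually cause by having %%cart_id%% in the link and for some reason the program is not replacing it with the value~;
    my $description = $errors{$error_number};

    # '!~' (was '!=~', which Perl parses as '!= ~...' and therefore never
    # matched, silently disabling the page, log and mail below).
    if ($action !~ /ignore/ && $action !~ /noprint/) {
        &send_http_headers;
        print qq~

An Error Has Occurred!

ERROR IN THIS FILE:
FILE: $this_file
LINE: $line
ERROR:
TYPE: $type
FILE: $bad_file
ERROR: $error
$description ~;
    }

    $date = &get_date;   # global on purpose; library code reads $date
    if ($sc_shall_i_log_errors eq "yes" && $action !~ /nolog/) {
        $log_entry = qq~ DATE: $date
FILE: $this_file
LINE: $line
ERROR TYPE: $type
ERROR FILE: $bad_file
ERROR: $error METHOD: $ENV{'REQUEST_METHOD'} FILE: $ENV{'SCRIPT_FILENAME'} IP: $ENV{'REMOTE_ADDR'} USER-AGENT: $ENV{'HTTP_USER_AGENT'} REFERER: $ENV{'HTTP_REFERER'}

$description

~;
        &get_file_lock("$sc_log_file_directory_path/error.log.lockfile");
        my $opened = open(ERROR_LOG, '>>', "$sc_log_file_directory_path/error.log");
        unless ($opened) {
            # Release the lock before dying, otherwise the lockfile stays behind.
            &release_file_lock("$sc_log_file_directory_path/error.log.lockfile");
            die "There was an error, but I was unable to open the error log!";
        }
        print ERROR_LOG "$log_entry";
        close(ERROR_LOG);
        &release_file_lock("$sc_log_file_directory_path/error.log.lockfile");
    }

    if ($sc_shall_i_email_if_error eq "yes" && $action !~ /nomail/) {
        $email_body .= qq~ An Error Has Occurred! SERVER: $ENV{SERVER_NAME} METHOD: $ENV{'REQUEST_METHOD'} FILE: $ENV{'SCRIPT_FILENAME'} ERROR IN THIS FILE: FILE: $this_file LINE: $line ERROR: TYPE: $type FILE: $bad_file ERROR: $error IP: $ENV{'REMOTE_ADDR'} USER-AGENT: $ENV{'HTTP_USER_AGENT'} REFERER: $ENV{'HTTP_REFERER'} $description ~;
        # NOTE(review): the full environment (HTTP_COOKIE, QUERY_STRING, ...)
        # is mailed in clear text; trim it if the admin mailbox is shared.
        while (my ($key, $value) = each %ENV) {
            $email_body .= "$key = $value\n";
        }
        if (!($sc_mail_lib_was_loaded =~ /yes/i)) {
            require "$sc_mail_lib_path" || &errorcode(__FILE__, __LINE__, "$sc_mail_lib_path", "$!", "die", "FILE REQUIRE ERROR", "8");
        }
        &send_mail("$sc_admin_email", "$sc_admin_email", "Web Store Error", "$email_body");
    }

    if ($action =~ /die/) {
        die;
    }
}

#######################################################################
# Hack Logging
#######################################################################
# Rejects any request whose URI contains ".." or a "%" escape: records the
# client in hack.log, prints a notice and exits.  Runs before the form is
# parsed.  Reverse DNS is attempted for dotted-quad addresses only.
sub hack_logging {
    my ($ipnum, $address, $host, $date);
    if ($ENV{'REQUEST_URI'} =~ /\.\./i || $ENV{'REQUEST_URI'} =~ /\%/i) {
        $ipnum = $ENV{'REMOTE_ADDR'};
        if ($ipnum =~ /\A(\d+)\.(\d+)\.(\d+)\.(\d+)\z/) {
            $address = pack("C4", $1, $2, $3, $4);
            $host = gethostbyaddr($address, 2);
        }
        $host = '' unless defined $host;
        $date = &get_date;
        open(HACK_LOG, '+>>', "$sc_log_file_directory_path/hack.log") || &errorcode(__FILE__, __LINE__, "$sc_log_file_directory_path/hack.log", "$!", "ignore", "FILE OPEN ERROR", "0");
        print HACK_LOG "$ENV{'REMOTE_ADDR'}\|$ENV{'REMOTE_PORT'}\|$host\|$date\|$ENV{'REQUEST_URI'}\n";
        close HACK_LOG;
        # The reverse-DNS name is third-party data; escape it before it goes
        # into an HTML response.
        my $host_html = $host;
        $host_html =~ s/&/&amp;/g;
        $host_html =~ s/</&lt;/g;
        $host_html =~ s/>/&gt;/g;
        print "Content-type: text/html\n\n";
        print qq~ Hack Attempt

Hack attempt logged and will be reported to your ISP!

IP: $ENV{'REMOTE_ADDR'}
Remote port: $ENV{'REMOTE_PORT'}
Host: $host_html
~;
        exit;
    }
}

#######################################################################
# Set Global Folder Paths
#######################################################################
# Derives every $sc_*_directory_path global from $Path and picks the mail
# library for the platform.
sub set_paths {
    $sc_extra_directory_path         = "$Path/add-on";
    $sc_configuration_directory_path = "$Path/configuration";
    $sc_log_file_directory_path      = "$Path/data_files";
    $sc_gateway_directory_path       = "$Path/gateway";
    $sc_library_directory_path       = "$Path/library";
    $sc_options_directory_path       = "$Path/options";
    $sc_pages_directory_path         = "$Path/pages";
    $sc_carts_directory_path         = "$Path/shopping_carts";
    $sc_template_directory_path      = "$Path/templates";
    $sc_order_directory_path         = "$Path/manager/orders";
    if ($OS =~ /Win/i) {
        $sc_mail_lib_path = "$sc_library_directory_path/nt_mail-lib.pl";
    }
    else {
        $sc_mail_lib_path = "$sc_library_directory_path/mail-lib.pl";
    }
}

#######################################################################
# Gateway Check
#######################################################################
# With a 'gateway' form field: untaint it to word characters and require
# gateway/<name>-order_lib.pl.  Without one: require every *order_lib.pl
# in the gateway directory, build $gateway_checkout_buttons (three per
# row, padded to a full row) and select $gateway from whichever gateway's
# process variable is present in the form.
sub gateway_check {
    my ($gateway_name, $gateway_count, $remain);
    if ($form_data{'gateway'}) {
        # Untaint: keep the first run of word characters.  A non-match leaves
        # $gateway empty rather than picking up a stale $1 from an earlier regex.
        if ($form_data{'gateway'} =~ /([\w]+)/) {
            $gateway = "$1";
        }
        else {
            $gateway = "";
        }
        $gateway = "" if ($gateway eq ".");
        if ($OS !~ /Win/i) {
            $gateway =~ s/^\/+//;    # Get rid of any residual / prefix
        }
        require "$sc_gateway_directory_path/$gateway-order_lib.pl" || &errorcode(__FILE__, __LINE__, "$sc_gateway_directory_path/$gateway-order_lib.pl", "$!", "die", "FILE REQUIRE ERROR", "8");
    }
    else {
        opendir(GATEWAY, "$sc_gateway_directory_path") || &errorcode(__FILE__, __LINE__, "$sc_gateway_directory_path", "$!", "die", "DIRECTORY OPEN ERROR", "Unable to open the directory listed. Make sure that it exists and that it has read permissions");
        @gateways = readdir(GATEWAY);
        # $gateway_name aliases the @gateways entry, so the list ends up
        # holding the bare gateway names.
        for $gateway_name (@gateways) {
            if ($gateway_name =~ /order_lib.pl$/i) {
                if ($gateway_name =~ /([\w]+)\-(\w+)/) {
                    $gateway_name = "$1";
                }
                else {
                    $gateway_name = "";
                }
                $gateway_name = "" if ($gateway_name eq ".");
                if ($OS !~ /Win/i) {
                    $gateway_name =~ s/^\/+//;    # Get rid of any residual / prefix
                }
                require "$sc_gateway_directory_path/$gateway_name-order_lib.pl" || &errorcode(__FILE__, __LINE__, "$sc_gateway_directory_path/$gateway_name-order_lib.pl", "$!", "die", "FILE REQUIRE ERROR", "8");
                $gateway_count++;
                if ($check_out_image{$gateway_name} =~ /^http/) {
                    $checkout_image = "$check_out_image{$gateway_name}";
                }
                else {
                    $checkout_image = "$URL_of_images_directory/$check_out_image{$gateway_name}";
                }
                $gateway_checkout_buttons .= qq~

$check_out_detail{$gateway_name}
~;
                $remain = $gateway_count % 3;    # This gets the remainder after division.
                if (!($remain)) {
                    $gateway_checkout_buttons .= qq~ ~;
                }
                if ($form_data{$process_variable{$gateway_name}} && $form_data{'gateway'} eq "") {
                    $gateway = $gateway_name;
                }
            }
        }
        closedir(GATEWAY);
        if ($gateway_count > 3) {
            while ($remain) {
                $gateway_count++;
                $remain = $gateway_count % 3;
                $gateway_checkout_buttons .= qq~   ~;
            }
        }
    }
}

#######################################################################
# Require Add On Modules
#######################################################################
# Requires every *.pl file found in the add-on directory.  Only names that
# end in .pl are considered (editor backups such as foo.pl~ or foo.pl.bak
# are skipped instead of triggering a require of the base name).
sub require_addons {
    my ($extra_lib);
    opendir(ADDON, "$sc_extra_directory_path") || &errorcode(__FILE__, __LINE__, "$sc_extra_directory_path", "$!", "print", "OPENDIR ERROR", "3");
    @extra_libs = readdir(ADDON);
    for $extra_lib (@extra_libs) {
        if ($extra_lib =~ /\.pl\z/i) {
            # Untaint; a non-match yields "" rather than a stale capture.
            if ($extra_lib =~ /([\w]+)(\.pl)\z/i) {
                $extra_lib = "$1$2";
            }
            else {
                $extra_lib = "";
            }
            $extra_lib = "" if ($extra_lib eq ".");
            if ($OS !~ /Win/i) {
                $extra_lib =~ s/^\/+//;    # Get rid of any residual / prefix
            }
            require "$sc_extra_directory_path/$extra_lib" || &errorcode(__FILE__, __LINE__, "$sc_extra_directory_path/$extra_lib", "$!", "print", "FILE REQUIRE ERROR", "8");
        }
    }
    closedir(ADDON);
}

#######################################################################
# Check for use of proper URL.
#######################################################################
# Redirects to $sc_store_url when the request came in on a host other than
# the cookie domain, except during checkout.  Currently not called (see the
# commented '&proper_url' above).
sub proper_url {
    if (("$sc_domain_name_for_cookie" ne $ENV{'HTTP_HOST'}) && ($form_data{$process_variable{$gateway}} eq "") && ($form_data{'submit_order_form_button'} eq "") && ($form_data{'order_form_button'} eq "") && ($form_data{'order_form_button.x'} eq "")) {
        print "Location: $sc_store_url\n\n";
        exit;
    }
}

#######################################################################
# Untaint page value and check for valid extension.
#######################################################################
# Sets the global $page from the 'page' form field: reduced to a single
# "name.ext" component (so "../" never survives), and accepted only with
# a .html/.htm extension at the end of the name; otherwise error 6 and exit.
sub valid_page {
    my ($file_extension);
    if ($form_data{'page'} =~ /([\w\'\-\_]+)\.(\w+)/) {
        $page = "$1.$2";
    }
    else {
        $page = "";    # no match: do not reuse a stale $1/$2 from a previous regex
    }
    $page = "" if ($page eq ".");
    if ($OS !~ /Win/i) {
        $page =~ s/^\/+//;    # Get rid of any residual / prefix
    }
    @acceptable_file_extensions_to_display = (".html", ".htm");
    $valid_extension = "";
    foreach $file_extension (@acceptable_file_extensions_to_display) {
        # Anchored and quoted: ".htm" must be the whole suffix, not a substring.
        if ($page eq "" || $page =~ /\Q$file_extension\E\z/) {
            $valid_extension = "yes";
        }
    }
    if ($valid_extension ne "yes") {
        &errorcode(__FILE__, __LINE__, "$page", "$!", "print", "PAGE LOAD WARNING", "6");
        exit;
    }
}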