Another year, another svn update.

Not all plugins are updated, because there are too many plugins and i can't test all of them.

This is a important update, please update your leechers as soon as possible.

[SECURITY] Fixed CRITICAL issue that may be exploited to download files on any dir.
Fixed some XSS.
[PLUGINS] Changed upload plugins for hosts with XFS to loaders for the generic XFS plugin.
Updated some of my plugins
[REMOVED] Deleted Plugins For Some Not Loading & Closed Hosts.
[FIX] DL stop at 99% with mega.co.nz plugin.
JS error in sorttable when there is no server files table.
"bw_save"'s checks where added to ftp downloads.
notes.php was saving the file always in files/
Download issues when protocol wasn't in lowercase
Better checks for "bw_save".
[CHANGE] Added a "init" file (rl_init.php) for load rapidleech's config and functions.
Added crc32 and sha1 options.
Renamed "disable_md5" setting to "disable_hashing".
Improvements on cURL function for reusing connections.
"use_curl" setting is now enabled by default at setup.
Added setting for disable referer checks at download.
Added "X-Frame-Options" header for disable framing from external pages.
Updated GetCookiesArr for delete "expired" cookies.
Setup now force no-cache for js.js and template's css.
Updated some .htaccess files.
Secretkey will be generated if no filled at setup.
Corrected some error msgs at ftp.php
Updated Youtube format selector in audl.
Error reporting for critical & parse error is now enforced when loading download plugins.
Protocol is now checked at download's redirects.
Disable automatic retry on "Connection lost" errors.
Removed references to $secretkey from accounts.php. ($secretkey is now at config.php)

.htaccess

@@ -1,6 +1,6 @@
 order deny,allow
 
-<files ~ "\.(?i:s?php.*|cgi|p[l|y]|sh|asp|[d|s|p]?html?)$">
+<files ~ "\.(?i:s?php.*|cgi|p[ly]|sh|asp|[dsp]?html?)$">
 deny from all
 </files>
 
@@ -29,10 +29,6 @@ allow from all
 allow from all
 </files>
 
-<files ~ "\.upload.html$">
-allow from all
-</files>
-
 <files auul.php>
 allow from all
 </files>
@@ -43,4 +39,12 @@ allow from all
 
 <files ~ "^\.">
 deny from all
-</files>
+</files>
+
+#CGI Auth Fix
+<IfModule mod_rewrite.c>
+	Options +SymLinksIfOwnerMatch
+	RewriteEngine on
+	RewriteCond %{HTTP:Authorization} !^$
+	RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
+</IfModule>

audl.php

@@ -1,33 +1,13 @@
 <?php
-define('RAPIDLEECH', 'yes');
-error_reporting(0);
-//ini_set('display_errors', 1);
-@set_time_limit(0);
-ini_alter('memory_limit', '1024M');
-if (ob_get_level()) ob_end_clean();
-ob_implicit_flush(true);
-ignore_user_abort(true);
-clearstatcache();
-$PHP_SELF = $_SERVER['SCRIPT_NAME'];
-$nn = "\r\n";
-define('HOST_DIR', 'hosts/');
-define('CLASS_DIR', 'classes/');
-define('CONFIG_DIR', 'configs/');
-define('ROOT_DIR', realpath('./'));
-define('PATH_SPLITTER', ((strpos(ROOT_DIR, '\\') !== false) ? '\\' : '/'));
-require_once(CONFIG_DIR . 'setup.php');
-if (substr($options['download_dir'], - 1) != '/') $options['download_dir'] .= '/';
-define('DOWNLOAD_DIR', (substr($options['download_dir'], 0, 6) == 'ftp://' ? '' : $options['download_dir']));
-
-require_once(CLASS_DIR . 'other.php');
-
-define('TEMPLATE_DIR', 'templates/' . $options['template_used'] . '/');
-define('IMAGE_DIR', TEMPLATE_DIR . 'images/');
 
+require_once('rl_init.php');
 if ($options['auto_download_disable']) {
 	require_once('deny.php');
 	exit();
 }
+error_reporting(0);
+ignore_user_abort(true);
+
 login_check();
 
 require(TEMPLATE_DIR . '/header.php');
@@ -80,6 +60,7 @@ function resetProgress() {
 
 			$LINK = $getlinks[$i];
 			$Url = parse_url($LINK);
+			$Url['scheme'] = strtolower($Url['scheme']);
 			$Url['path'] = (empty($Url['path'])) ? '/' :str_replace('%2F', '/', rawurlencode(rawurldecode($Url['path'])));
 
 			$Referer = $Url;
@@ -393,21 +374,16 @@ function HideAll() {
 											<label><input type="checkbox" name="ytube_mp4" onclick="javascript:var displ=this.checked?'':'none';document.getElementById('ytubeopt').style.display=displ;" checked="checked" />&nbsp;<?php echo lang(206); ?></label>
 											<table width="150" border="0" id="ytubeopt" style="display: none;">
 												<tr>
-													<td><small><?php echo lang(218); ?></small></td>
+													<td>&nbsp;<label><input type="checkbox" name="cleanname" checked="checked" /><small>&nbsp;Remove non-supported characters from filename</small></label></td>
+												</tr>
+												<tr>
 													<td>
 														<select name="yt_fmt" id="yt_fmt">
 															<option value="highest" selected="selected"><?php echo lang(219); ?></option>
-															<option value="38"><?php echo lang(377); ?></option>
-															<option value="37"><?php echo lang(228); ?></option>
-															<option value="22"><?php echo lang(227); ?></option>
-															<option value="45"><?php echo lang(225); ?></option>
-															<option value="35"><?php echo lang(223); ?></option>
-															<option value="44"><?php echo lang(389); ?></option>
-															<option value="34"><?php echo lang(222); ?></option>
-															<option value="43"><?php echo lang(224); ?></option>
-															<option value="18"><?php echo lang(226); ?></option>
-															<option value="5"><?php echo lang(221); ?></option>
-															<option value="17"><?php echo lang(220); ?></option>
+															<option value='22'>[22] Video: MP4 720p | Audio: AAC ~192 kbps</option>
+															<option value='43'>[43] Video: WebM 360p | Audio: Vorbis ~128 kbps</option>
+															<option value='18'>[18] Video: MP4 360p | Audio: AAC ~96 kbps</option>
+															<option value='5'>[5] Video: FLV 240p | Audio: MP3 ~64 kbps</option>
 														</select>
 													</td>
 												</tr>

auul.php

@@ -1,37 +1,19 @@
 <?php
-$id=1;
-// A work of Chaza and TheOnly92!
-// Presents auto-upload script!
-// We define some constants here, essential for some parts in rapidleech
-define('RAPIDLEECH', 'yes');
-define('HOST_DIR', 'hosts/');
-define('CLASS_DIR', 'classes/');
-define('CONFIG_DIR', 'configs/');
-// Some configuration
-error_reporting(0);	// This sets error reporting to none, which means no errors will be reported
-//ini_set('display_errors', 1);	// This sets error reporting to all, all errors will be reported
-set_time_limit(0);	// Removes the time limit, so it can upload as many as possible
-ini_alter("memory_limit", "1024M");	// Set memory limit, in case it runs out when processing large files
-ob_end_clean();	// Cleans any previous outputs
-ob_implicit_flush(TRUE);	// Sets so that we can update the page without refreshing
-ignore_user_abort(1);	// Continue executing the script even if the page was stopped or closed
-clearstatcache();	// Clear caches created by PHP
-require_once(CONFIG_DIR.'setup.php');	// Reads the configuration file, so we can pick up any accounts needed to use
-define('DOWNLOAD_DIR', (substr($options['download_dir'], 0, 6) == "ftp://" ? '' : $options['download_dir']));	// Set the download directory constant
-define ( 'TEMPLATE_DIR', 'templates/'.$options['template_used'].'/' );
-define('IMAGE_DIR', TEMPLATE_DIR . 'images/');
 
-// Include other useful functions
-require_once(CLASS_DIR.'other.php');
-require_once(HOST_DIR.'download/hosts.php');
-require_once(CLASS_DIR.'http.php');
+require_once('rl_init.php');
 
 if ($options['auto_upload_disable']) {
 	require_once('deny.php');
 	exit();
 }
+error_reporting(0);
+ignore_user_abort(true);
+
 login_check();
 
+$id = 1;
+require_once(HOST_DIR.'download/hosts.php');
+require_once(CLASS_DIR.'http.php');
 include(TEMPLATE_DIR.'header.php');
 ?>
 <br />

classes/.htaccess

@@ -1,13 +1,10 @@
 order deny,allow
-
-<files ~ "\.(?i:s?php.*|cgi|p[l|y]|sh|asp|[d|s|p]?html?)$">
 deny from all
-</files>
 
-<files ~ "^\.">
-deny from all
+<files ~ "\.(?i:js)$">
+allow from all
 </files>
 
 <files bar.php>
 allow from all
-</files>
+</files>

classes/ftp.php

@@ -20,17 +20,17 @@ function getftpurl($host, $port, $url, $saveToFile = 0) {
 	$server = "$host:$port";
 	if (empty($host) || empty($port) || !$ftp->SetServer($host, (int) $port)) {
 		$ftp->quit();
-		$lastError = sprintf(lang(79), $server) . '<br /><a href="javascript:history.back(-1);">' . lang(78) . '</a><br /><br />';
+		$lastError = sprintf(lang(79), $server);
 		return FALSE;
 	} else {
 		if (!$ftp->connect()) {
 			$ftp->quit();
-			$lastError = sprintf(lang(79), $server) . '<br /><a href="javascript:history.back(-1);">' . lang(78) . '</a><br /><br />';
+			$lastError = sprintf(lang(79), $server);
 			return FALSE;
 		} else {
 			if (!$ftp->login()) {
 				$ftp->quit();
-				$lastError = lang(80) . '<br /><a href="javascript:history.back(-1);">' . lang(78) . '</a><br /><br />';
+				$lastError = lang(80);
 				return FALSE;
 			} else {
 				echo('<p>');
@@ -74,7 +74,11 @@ function getftpurl($host, $port, $url, $saveToFile = 0) {
 					$saveToFile = str_replace($filetype, $options['rename_these_filetypes_to'], $saveToFile);
 				}
 
-				if (file_exists($saveToFile)) $saveToFile = dirname($saveToFile) . PATH_SPLITTER . time() . '_' . basename($saveToFile);
+				if (@file_exists($saveToFile) && $options['bw_save']) {
+					// Skip in audl.
+					if (isset($_GET['audl'])) echo '<script type="text/javascript">parent.nextlink();</script>';
+					html_error(lang(99) . ': ' . link_for_file($saveToFile), 0);
+				} elseif (@file_exists($saveToFile)) $saveToFile = dirname($saveToFile) . PATH_SPLITTER . time() . '_' . basename($saveToFile);
 				printf(lang(83), basename($saveToFile), bytesToKbOrMbOrGb($fileSize));
 				echo "<br />";
 				require_once(TEMPLATE_DIR . '/transloadui.php');