define('shaarli_version','0.0.41 beta');
define('PHPPREFIX','<?php /* '); // Prefix to encapsulate data in php code.
define('PHPSUFFIX',' */ ?>'); // Suffix to encapsulate data in php code.
+// http://server.com/x/shaarli --> /shaarli/
+define('WEB_PATH', substr($_SERVER["REQUEST_URI"], 0, 1+strrpos($_SERVER["REQUEST_URI"], '/', 0)));
// Force cookie path (but do not change lifetime)
$cookie=session_get_cookie_params();
require $GLOBALS['config']['CONFIG_FILE']; // Read login/password hash into $GLOBALS.
+// a token depending of deployment salt, user password, and the current ip
+define('STAY_SIGNED_IN_TOKEN', sha1($GLOBALS['hash'].$_SERVER["REMOTE_ADDR"].$GLOBALS['salt']));
autoLocale(); // Sniff browser language and set date format accordingly.
header('Content-Type: text/html; charset=utf-8'); // We use UTF-8 for proper international characters handling.
return str_replace('>','>',str_replace('<','<',nl2br($html)));
}
-/* Returns the small hash of a string
+/* Returns the small hash of a string, using RFC 4648 base64url format
eg. smallHash('20111006_131924') --> yZH23w
Small hashes:
- are unique (well, as unique as crc32, at last)
function smallHash($text)
{
$t = rtrim(base64_encode(hash('crc32',$text,true)),'=');
- $t = str_replace('+','-',$t); // Get rid of characters which need encoding in URLs.
- $t = str_replace('/','_',$t);
- $t = str_replace('=','@',$t);
- return $t;
+ return strtr($t, '+/', '-_');
}
// In a string, converts urls to clickable links.
return $ip;
}
+function fillSessionInfo() {
+ $_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); // generate unique random number (different than phpsessionid)
+ $_SESSION['ip']=allIPs(); // We store IP address(es) of the client to make sure session is not hijacked.
+ $_SESSION['username']=$GLOBALS['login'];
+ $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Set session expiration.
+}
+
// Check that user/password is correct.
function check_auth($login,$password)
{
$hash = sha1($password.$login.$GLOBALS['salt']);
if ($login==$GLOBALS['login'] && $hash==$GLOBALS['hash'])
{ // Login/password is correct.
- $_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); // generate unique random number (different than phpsessionid)
- $_SESSION['ip']=allIPs(); // We store IP address(es) of the client to make sure session is not hijacked.
- $_SESSION['username']=$login;
- $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Set session expiration.
+ fillSessionInfo();
logm('Login successful');
return True;
}
if (!isset($GLOBALS['login'])) return false; // Shaarli is not configured yet.
+ if (@$_COOKIE['shaarli_staySignedIn']===STAY_SIGNED_IN_TOKEN)
+ {
+ fillSessionInfo();
+ return true;
+ }
// If session does not exist on server side, or IP address has changed, or session has expired, logout.
if (empty($_SESSION['uid']) || ($GLOBALS['disablesessionprotection']==false && $_SESSION['ip']!=allIPs()) || time()>=$_SESSION['expires_on'])
{
}
// Force logout.
-function logout() { if (isset($_SESSION)) { unset($_SESSION['uid']); unset($_SESSION['ip']); unset($_SESSION['username']); unset($_SESSION['privateonly']); } }
+function logout() { if (isset($_SESSION)) { unset($_SESSION['uid']); unset($_SESSION['ip']); unset($_SESSION['username']); unset($_SESSION['privateonly']); }
+setcookie('shaarli_staySignedIn', FALSE, 0, WEB_PATH);
+}
// ------------------------------------------------------------------------------------------
// If user wants to keep the session cookie even after the browser closes:
if (!empty($_POST['longlastingsession']))
{
+ setcookie('shaarli_staySignedIn', STAY_SIGNED_IN_TOKEN, time()+31536000, WEB_PATH);
$_SESSION['longlastingsession']=31536000; // (31536000 seconds = 1 year)
$_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // Set session expiration on server-side.
echo '<description><![CDATA['.nl2br(keepMultipleSpaces(text2clickable(htmlspecialchars($link['description'])))).$descriptionlink.']]></description>'."\n</item>\n";
$i++;
}
- echo '</channel></rss><!-- Cached version of '.pageUrl().' -->';
+ echo '</channel></rss><!-- Cached version of '.htmlspecialchars(pageUrl()).' -->';
$cache->cache(ob_get_contents());
ob_end_flush();
$feed.='<author><name>'.htmlspecialchars($pageaddr).'</name><uri>'.htmlspecialchars($pageaddr).'</uri></author>';
$feed.='<id>'.htmlspecialchars($pageaddr).'</id>'."\n\n"; // Yes, I know I should use a real IRI (RFC3987), but the site URL will do.
$feed.=$entries;
- $feed.='</feed><!-- Cached version of '.pageUrl().' -->';
+ $feed.='</feed><!-- Cached version of '.htmlspecialchars(pageUrl()).' -->';
echo $feed;
$cache->cache(ob_get_contents());
echo '<description><![CDATA['.$html.']]></description>'."\n</item>\n\n";
}
- echo '</channel></rss><!-- Cached version of '.pageUrl().' -->';
+ echo '</channel></rss><!-- Cached version of '.htmlspecialchars(pageUrl()).' -->';
$cache->cache(ob_get_contents());
ob_end_flush();
}
$LINKSDB->savedb();
- echo '<script language="JavaScript">alert("File '.$filename.' ('.$filesize.' bytes) was successfully processed: '.$import_count.' links imported.");document.location=\'?\';</script>';
+ echo '<script language="JavaScript">alert("File '.json_encode($filename).' ('.$filesize.' bytes) was successfully processed: '.$import_count.' links imported.");document.location=\'?\';</script>';
}
else
{
- echo '<script language="JavaScript">alert("File '.$filename.' ('.$filesize.' bytes) has an unknown file format. Nothing was imported.");document.location=\'?\';</script>';
+ echo '<script language="JavaScript">alert("File '.json_encode($filename).' ('.$filesize.' bytes) has an unknown file format. Nothing was imported.");document.location=\'?\';</script>';
}
}
projects / github / shaarli / Shaarli.git / blobdiff