X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=application%2FUtils.php;h=925e1a22c909011a342b3dc3ced3c9f0f5d9a3da;hb=f211e417bf637b8a83988175c29ee072c69f7642;hp=120333c560c93c29cf33a6e6175f829ae26ca6a4;hpb=d01c234235411bafb97661d335fcb6ea1e67ffbc;p=github%2Fshaarli%2FShaarli.git diff --git a/application/Utils.php b/application/Utils.php old mode 100755 new mode 100644 index 120333c5..925e1a22 --- a/application/Utils.php +++ b/application/Utils.php @@ -3,6 +3,24 @@ * Shaarli utilities */ +/** + * Logs a message to a text file + * + * The log format is compatible with fail2ban. + * + * @param string $logFile where to write the logs + * @param string $clientIp the client's remote IPv4/IPv6 address + * @param string $message the message to log + */ +function logm($logFile, $clientIp, $message) +{ + file_put_contents( + $logFile, + date('Y/m/d H:i:s').' - '.$clientIp.' - '.strval($message).PHP_EOL, + FILE_APPEND + ); +} + /** * Returns the small hash of a string, using RFC 4648 base64url format * @@ -13,7 +31,15 @@ * - are NOT cryptographically secure (they CAN be forged) * * In Shaarli, they are used as a tinyurl-like link to individual entries, - * e.g. smallHash('20111006_131924') --> yZH23w + * built once with the combination of the date and item ID. + * e.g. smallHash('20111006_131924' . 142) --> eaWxtQ + * + * @warning before v0.8.1, smallhashes were built only with the date, + * and their value has been preserved. + * + * @param string $text Create a hash from this text. + * + * @return string generated small hash. */ function smallHash($text) { @@ -23,8 +49,14 @@ function smallHash($text) /** * Tells if a string start with a substring + * + * @param string $haystack Given string. + * @param string $needle String to search at the beginning of $haystack. + * @param bool $case Case sensitive. + * + * @return bool True if $haystack starts with $needle. */ -function startsWith($haystack, $needle, $case=true) +function startsWith($haystack, $needle, $case = true) { if ($case) { return (strcmp(substr($haystack, 0, strlen($needle)), $needle) === 0); @@ -34,8 +66,14 @@ function startsWith($haystack, $needle, $case=true) /** * Tells if a string ends with a substring + * + * @param string $haystack Given string. + * @param string $needle String to search at the end of $haystack. + * @param bool $case Case sensitive. + * + * @return bool True if $haystack ends with $needle. */ -function endsWith($haystack, $needle, $case=true) +function endsWith($haystack, $needle, $case = true) { if ($case) { return (strcmp(substr($haystack, strlen($haystack) - strlen($needle)), $needle) === 0); @@ -44,23 +82,45 @@ function endsWith($haystack, $needle, $case=true) } /** - * Same as nl2br(), but escapes < and > + * Htmlspecialchars wrapper + * Support multidimensional array of strings. + * + * @param mixed $input Data to escape: a single string or an array of strings. + * + * @return string escaped. */ -function nl2br_escaped($html) +function escape($input) { - return str_replace('>', '>', str_replace('<', '<', nl2br($html))); + if (is_bool($input)) { + return $input; + } + + if (is_array($input)) { + $out = array(); + foreach ($input as $key => $value) { + $out[$key] = escape($value); + } + return $out; + } + return htmlspecialchars($input, ENT_COMPAT, 'UTF-8', false); } /** - * htmlspecialchars wrapper + * Reverse the escape function. + * + * @param string $str the string to unescape. + * + * @return string unescaped string. */ -function escape($str) +function unescape($str) { - return htmlspecialchars($str, ENT_COMPAT, 'UTF-8', false); + return htmlspecialchars_decode($str); } /** - * Link sanitization before templating + * Sanitize link before rendering. + * + * @param array $link Link to escape. */ function sanitizeLink(&$link) { @@ -72,12 +132,14 @@ function sanitizeLink(&$link) /** * Checks if a string represents a valid date + + * @param string $format The expected DateTime format of the string + * @param string $string A string-formatted date * - * @param string a string-formatted date - * @param format the expected DateTime format of the string - * @return whether the string is a valid date - * @see http://php.net/manual/en/class.datetime.php - * @see http://php.net/manual/en/datetime.createfromformat.php + * @return bool whether the string is a valid date + * + * @see http://php.net/manual/en/class.datetime.php + * @see http://php.net/manual/en/datetime.createfromformat.php */ function checkDateFormat($format, $string) { @@ -120,51 +182,280 @@ function generateLocation($referer, $host, $loopTerms = array()) } /** - * Checks the PHP version to ensure Shaarli can run + * Sniff browser language to set the locale automatically. + * Note that is may not work on your server if the corresponding locale is not installed. * - * @param string $minVersion minimum PHP required version - * @param string $curVersion current PHP version (use PHP_VERSION) + * @param string $headerLocale Locale send in HTTP headers (e.g. "fr,fr-fr;q=0.8,en;q=0.5,en-us;q=0.3"). + **/ +function autoLocale($headerLocale) +{ + // Default if browser does not send HTTP_ACCEPT_LANGUAGE + $locales = array('en_US', 'en_US.utf8', 'en_US.UTF-8'); + if (! empty($headerLocale)) { + if (preg_match_all('/([a-z]{2,3})[-_]?([a-z]{2})?,?/i', $headerLocale, $matches, PREG_SET_ORDER)) { + $attempts = []; + foreach ($matches as $match) { + $first = [strtolower($match[1]), strtoupper($match[1])]; + $separators = ['_', '-']; + $encodings = ['utf8', 'UTF-8']; + if (!empty($match[2])) { + $second = [strtoupper($match[2]), strtolower($match[2])]; + $items = [$first, $separators, $second, ['.'], $encodings]; + } else { + $items = [$first, $separators, $first, ['.'], $encodings]; + } + $attempts = array_merge($attempts, iterator_to_array(cartesian_product_generator($items))); + } + + if (! empty($attempts)) { + $locales = array_merge(array_map('implode', $attempts), $locales); + } + } + } + + setlocale(LC_ALL, $locales); +} + +/** + * Build a Generator object representing the cartesian product from given $items. + * + * Example: + * [['a'], ['b', 'c']] + * will generate: + * [ + * ['a', 'b'], + * ['a', 'c'], + * ] + * + * @param array $items array of array of string + * + * @return Generator representing the cartesian product of given array. * - * @throws Exception the PHP version is not supported + * @see https://en.wikipedia.org/wiki/Cartesian_product */ -function checkPHPVersion($minVersion, $curVersion) +function cartesian_product_generator($items) { - if (version_compare($curVersion, $minVersion) < 0) { - throw new Exception( - 'Your PHP version is obsolete!' - .' Shaarli requires at least PHP '.$minVersion.', and thus cannot run.' - .' Your PHP version has known security vulnerabilities and should be' - .' updated as soon as possible.' - ); + if (empty($items)) { + yield []; + } + $subArray = array_pop($items); + if (empty($subArray)) { + return; + } + foreach (cartesian_product_generator($items) as $item) { + foreach ($subArray as $value) { + yield $item + [count($item) => $value]; + } } } /** - * Validate session ID to prevent Full Path Disclosure. - * - * See #298. - * The session ID's format depends on the hash algorithm set in PHP settings + * Generates a default API secret. * - * @param string $sessionId Session ID + * Note that the random-ish methods used in this function are predictable, + * which makes them NOT suitable for crypto. + * BUT the random string is salted with the salt and hashed with the username. + * It makes the generated API secret secured enough for Shaarli. * - * @return true if valid, false otherwise. + * PHP 7 provides random_int(), designed for cryptography. + * More info: http://stackoverflow.com/questions/4356289/php-random-string-generator + + * @param string $username Shaarli login username + * @param string $salt Shaarli password hash salt * - * @see http://php.net/manual/en/function.hash-algos.php - * @see http://php.net/manual/en/session.configuration.php + * @return string|bool Generated API secret, 12 char length. + * Or false if invalid parameters are provided (which will make the API unusable). */ -function is_session_id_valid($sessionId) +function generate_api_secret($username, $salt) { - if (empty($sessionId)) { + if (empty($username) || empty($salt)) { return false; } - if (!$sessionId) { + return str_shuffle(substr(hash_hmac('sha512', uniqid($salt), $username), 10, 12)); +} + +/** + * Trim string, replace sequences of whitespaces by a single space. + * PHP equivalent to `normalize-space` XSLT function. + * + * @param string $string Input string. + * + * @return mixed Normalized string. + */ +function normalize_spaces($string) +{ + return preg_replace('/\s{2,}/', ' ', trim($string)); +} + +/** + * Format the date according to the locale. + * + * Requires php-intl to display international datetimes, + * otherwise default format '%c' will be returned. + * + * @param DateTime $date to format. + * @param bool $time Displays time if true. + * @param bool $intl Use international format if true. + * + * @return bool|string Formatted date, or false if the input is invalid. + */ +function format_date($date, $time = true, $intl = true) +{ + if (! $date instanceof DateTime) { return false; } - if (!preg_match('/^[a-zA-Z0-9,-]{2,128}$/', $sessionId)) { + if (! $intl || ! class_exists('IntlDateFormatter')) { + $format = $time ? '%c' : '%x'; + return strftime($format, $date->getTimestamp()); + } + + $formatter = new IntlDateFormatter( + setlocale(LC_TIME, 0), + IntlDateFormatter::LONG, + $time ? IntlDateFormatter::LONG : IntlDateFormatter::NONE + ); + + return $formatter->format($date); +} + +/** + * Check if the input is an integer, no matter its real type. + * + * PHP is a bit messy regarding this: + * - is_int returns false if the input is a string + * - ctype_digit returns false if the input is an integer or negative + * + * @param mixed $input value + * + * @return bool true if the input is an integer, false otherwise + */ +function is_integer_mixed($input) +{ + if (is_array($input) || is_bool($input) || is_object($input)) { return false; } + $input = strval($input); + return ctype_digit($input) || (startsWith($input, '-') && ctype_digit(substr($input, 1))); +} + +/** + * Convert post_max_size/upload_max_filesize (e.g. '16M') parameters to bytes. + * + * @param string $val Size expressed in string. + * + * @return int Size expressed in bytes. + */ +function return_bytes($val) +{ + if (is_integer_mixed($val) || $val === '0' || empty($val)) { + return $val; + } + $val = trim($val); + $last = strtolower($val[strlen($val)-1]); + $val = intval(substr($val, 0, -1)); + switch ($last) { + case 'g': + $val *= 1024; + case 'm': + $val *= 1024; + case 'k': + $val *= 1024; + } + return $val; +} + +/** + * Return a human readable size from bytes. + * + * @param int $bytes value + * + * @return string Human readable size + */ +function human_bytes($bytes) +{ + if ($bytes === '') { + return t('Setting not set'); + } + if (! is_integer_mixed($bytes)) { + return $bytes; + } + $bytes = intval($bytes); + if ($bytes === 0) { + return t('Unlimited'); + } + + $units = [t('B'), t('kiB'), t('MiB'), t('GiB')]; + for ($i = 0; $i < count($units) && $bytes >= 1024; ++$i) { + $bytes /= 1024; + } + + return round($bytes) . $units[$i]; +} + +/** + * Try to determine max file size for uploads (POST). + * Returns an integer (in bytes) or formatted depending on $format. + * + * @param mixed $limitPost post_max_size PHP setting + * @param mixed $limitUpload upload_max_filesize PHP setting + * @param bool $format Format max upload size to human readable size + * + * @return int|string max upload file size + */ +function get_max_upload_size($limitPost, $limitUpload, $format = true) +{ + $size1 = return_bytes($limitPost); + $size2 = return_bytes($limitUpload); + // Return the smaller of two: + $maxsize = min($size1, $size2); + return $format ? human_bytes($maxsize) : $maxsize; +} + +/** + * Sort the given array alphabetically using php-intl if available. + * Case sensitive. + * + * Note: doesn't support multidimensional arrays + * + * @param array $data Input array, passed by reference + * @param bool $reverse Reverse sort if set to true + * @param bool $byKeys Sort the array by keys if set to true, by value otherwise. + */ +function alphabetical_sort(&$data, $reverse = false, $byKeys = false) +{ + $callback = function ($a, $b) use ($reverse) { + // Collator is part of PHP intl. + if (class_exists('Collator')) { + $collator = new Collator(setlocale(LC_COLLATE, 0)); + if (!intl_is_failure(intl_get_error_code())) { + return $collator->compare($a, $b) * ($reverse ? -1 : 1); + } + } + + return strcasecmp($a, $b) * ($reverse ? -1 : 1); + }; + + if ($byKeys) { + uksort($data, $callback); + } else { + usort($data, $callback); + } +} - return true; +/** + * Wrapper function for translation which match the API + * of gettext()/_() and ngettext(). + * + * @param string $text Text to translate. + * @param string $nText The plural message ID. + * @param int $nb The number of items for plural forms. + * @param string $domain The domain where the translation is stored (default: shaarli). + * + * @return string Text translated. + */ +function t($text, $nText = '', $nb = 1, $domain = 'shaarli') +{ + return dn__($domain, $text, $nText, $nb); }