'. t('Insufficient permissions:') .'
- ';
foreach ($errors as $error) {
$message .= '
- '.$error.' '; @@ -157,251 +175,64 @@ if (! is_file($conf->getConfigFileExt())) { } // Display the installation form if no existing config is found - install($conf); -} - -// a token depending of deployment salt, user password, and the current ip -define('STAY_SIGNED_IN_TOKEN', sha1($conf->get('credentials.hash') . $_SERVER['REMOTE_ADDR'] . $conf->get('credentials.salt'))); - -// Sniff browser language and set date format accordingly. -if (isset($_SERVER['HTTP_ACCEPT_LANGUAGE'])) { - autoLocale($_SERVER['HTTP_ACCEPT_LANGUAGE']); -} - -/** - * Checking session state (i.e. is the user still logged in) - * - * @param ConfigManager $conf The configuration manager. - * - * @return bool: true if the user is logged in, false otherwise. - */ -function setup_login_state($conf) -{ - if ($conf->get('security.open_shaarli')) { - return true; - } - $userIsLoggedIn = false; // By default, we do not consider the user as logged in; - $loginFailure = false; // If set to true, every attempt to authenticate the user will fail. This indicates that an important condition isn't met. - if (! $conf->exists('credentials.login')) { - $userIsLoggedIn = false; // Shaarli is not configured yet. - $loginFailure = true; - } - if (isset($_COOKIE['shaarli_staySignedIn']) && - $_COOKIE['shaarli_staySignedIn']===STAY_SIGNED_IN_TOKEN && - !$loginFailure) - { - fillSessionInfo($conf); - $userIsLoggedIn = true; - } - // If session does not exist on server side, or IP address has changed, or session has expired, logout. - if (empty($_SESSION['uid']) - || ($conf->get('security.session_protection_disabled') === false && $_SESSION['ip'] != allIPs()) - || time() >= $_SESSION['expires_on']) - { - logout(); - $userIsLoggedIn = false; - $loginFailure = true; - } - if (!empty($_SESSION['longlastingsession'])) { - $_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // In case of "Stay signed in" checked. - } - else { - $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Standard session expiration date. - } - if (!$loginFailure) { - $userIsLoggedIn = true; - } - - return $userIsLoggedIn; -} -$userIsLoggedIn = setup_login_state($conf); - -// ------------------------------------------------------------------------------------------ -// Session management - -// Returns the IP address of the client (Used to prevent session cookie hijacking.) -function allIPs() -{ - $ip = $_SERVER['REMOTE_ADDR']; - // Then we use more HTTP headers to prevent session hijacking from users behind the same proxy. - if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) { $ip=$ip.'_'.$_SERVER['HTTP_X_FORWARDED_FOR']; } - if (isset($_SERVER['HTTP_CLIENT_IP'])) { $ip=$ip.'_'.$_SERVER['HTTP_CLIENT_IP']; } - return $ip; + install($conf, $sessionManager, $loginManager); } -/** - * Load user session. - * - * @param ConfigManager $conf Configuration Manager instance. - */ -function fillSessionInfo($conf) -{ - $_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); // Generate unique random number (different than phpsessionid) - $_SESSION['ip']=allIPs(); // We store IP address(es) of the client to make sure session is not hijacked. - $_SESSION['username']= $conf->get('credentials.login'); - $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Set session expiration. -} +$loginManager->checkLoginState($_COOKIE, $clientIpId); /** - * Check that user/password is correct. + * Adapter function to ensure compatibility with third-party templates * - * @param string $login Username - * @param string $password User password - * @param ConfigManager $conf Configuration Manager instance. + * @see https://github.com/shaarli/Shaarli/pull/1086 * - * @return bool: authentication successful or not. + * @return bool true when the user is logged in, false otherwise */ -function check_auth($login, $password, $conf) -{ - $hash = sha1($password . $login . $conf->get('credentials.salt')); - if ($login == $conf->get('credentials.login') && $hash == $conf->get('credentials.hash')) - { // Login/password is correct. - fillSessionInfo($conf); - logm($conf->get('resource.log'), $_SERVER['REMOTE_ADDR'], 'Login successful'); - return true; - } - logm($conf->get('resource.log'), $_SERVER['REMOTE_ADDR'], 'Login failed for user '.$login); - return false; -} - -// Returns true if the user is logged in. function isLoggedIn() { - global $userIsLoggedIn; - return $userIsLoggedIn; -} - -// Force logout. -function logout() { - if (isset($_SESSION)) { - unset($_SESSION['uid']); - unset($_SESSION['ip']); - unset($_SESSION['username']); - unset($_SESSION['privateonly']); - unset($_SESSION['untaggedonly']); - } - setcookie('shaarli_staySignedIn', FALSE, 0, WEB_PATH); -} - - -// ------------------------------------------------------------------------------------------ -// Brute force protection system -// Several consecutive failed logins will ban the IP address for 30 minutes. -if (!is_file($conf->get('resource.ban_file', 'data/ipbans.php'))) { - // FIXME! globals - file_put_contents( - $conf->get('resource.ban_file', 'data/ipbans.php'), - "array(),'BANS'=>array()),true).";\n?>" - ); -} -include $conf->get('resource.ban_file', 'data/ipbans.php'); -/** - * Signal a failed login. Will ban the IP if too many failures: - * - * @param ConfigManager $conf Configuration Manager instance. - */ -function ban_loginFailed($conf) -{ - $ip = $_SERVER['REMOTE_ADDR']; - $trusted = $conf->get('security.trusted_proxies', array()); - if (in_array($ip, $trusted)) { - $ip = getIpAddressFromProxy($_SERVER, $trusted); - if (!$ip) { - return; - } - } - $gb = $GLOBALS['IPBANS']; - if (! isset($gb['FAILURES'][$ip])) { - $gb['FAILURES'][$ip]=0; - } - $gb['FAILURES'][$ip]++; - if ($gb['FAILURES'][$ip] > ($conf->get('security.ban_after') - 1)) - { - $gb['BANS'][$ip] = time() + $conf->get('security.ban_after', 1800); - logm($conf->get('resource.log'), $_SERVER['REMOTE_ADDR'], 'IP address banned from login'); - } - $GLOBALS['IPBANS'] = $gb; - file_put_contents( - $conf->get('resource.ban_file', 'data/ipbans.php'), - "" - ); -} - -/** - * Signals a successful login. Resets failed login counter. - * - * @param ConfigManager $conf Configuration Manager instance. - */ -function ban_loginOk($conf) -{ - $ip = $_SERVER['REMOTE_ADDR']; - $gb = $GLOBALS['IPBANS']; - unset($gb['FAILURES'][$ip]); unset($gb['BANS'][$ip]); - $GLOBALS['IPBANS'] = $gb; - file_put_contents( - $conf->get('resource.ban_file', 'data/ipbans.php'), - "" - ); + global $loginManager; + return $loginManager->isLoggedIn(); } -/** - * Checks if the user CAN login. If 'true', the user can try to login. - * - * @param ConfigManager $conf Configuration Manager instance. - * - * @return bool: true if the user is allowed to login. - */ -function ban_canLogin($conf) -{ - $ip=$_SERVER["REMOTE_ADDR"]; $gb=$GLOBALS['IPBANS']; - if (isset($gb['BANS'][$ip])) - { - // User is banned. Check if the ban has expired: - if ($gb['BANS'][$ip]<=time()) - { // Ban expired, user can try to login again. - logm($conf->get('resource.log'), $_SERVER['REMOTE_ADDR'], 'Ban lifted.'); - unset($gb['FAILURES'][$ip]); unset($gb['BANS'][$ip]); - file_put_contents( - $conf->get('resource.ban_file', 'data/ipbans.php'), - "" - ); - return true; // Ban has expired, user can login. - } - return false; // User is banned. - } - return true; // User is not banned. -} // ------------------------------------------------------------------------------------------ // Process login form: Check if login/password is correct. -if (isset($_POST['login'])) -{ - if (!ban_canLogin($conf)) die('I said: NO. You are banned for the moment. Go away.'); +if (isset($_POST['login'])) { + if (! $loginManager->canLogin($_SERVER)) { + die(t('I said: NO. You are banned for the moment. Go away.')); + } if (isset($_POST['password']) - && tokenOk($_POST['token']) - && (check_auth($_POST['login'], $_POST['password'], $conf)) - ) { // Login/password is OK. - ban_loginOk($conf); - // If user wants to keep the session cookie even after the browser closes: - if (!empty($_POST['longlastingsession'])) - { - $_SESSION['longlastingsession'] = 31536000; // (31536000 seconds = 1 year) - $expiration = time() + $_SESSION['longlastingsession']; // calculate relative cookie expiration (1 year from now) - setcookie('shaarli_staySignedIn', STAY_SIGNED_IN_TOKEN, $expiration, WEB_PATH); - $_SESSION['expires_on'] = $expiration; // Set session expiration on server-side. + && $sessionManager->checkToken($_POST['token']) + && $loginManager->checkCredentials($_SERVER['REMOTE_ADDR'], $clientIpId, $_POST['login'], $_POST['password']) + ) { + $loginManager->handleSuccessfulLogin($_SERVER); - $cookiedir = ''; if(dirname($_SERVER['SCRIPT_NAME'])!='/') $cookiedir=dirname($_SERVER["SCRIPT_NAME"]).'/'; - session_set_cookie_params($_SESSION['longlastingsession'],$cookiedir,$_SERVER['SERVER_NAME']); // Set session cookie expiration on client side + $cookiedir = ''; + if (dirname($_SERVER['SCRIPT_NAME']) != '/') { // Note: Never forget the trailing slash on the cookie path! - session_regenerate_id(true); // Send cookie with new expiration date to browser. + $cookiedir = dirname($_SERVER["SCRIPT_NAME"]) . '/'; } - else // Standard session expiration (=when browser closes) - { - $cookiedir = ''; if(dirname($_SERVER['SCRIPT_NAME'])!='/') $cookiedir=dirname($_SERVER["SCRIPT_NAME"]).'/'; - session_set_cookie_params(0,$cookiedir,$_SERVER['SERVER_NAME']); // 0 means "When browser closes" - session_regenerate_id(true); + + if (!empty($_POST['longlastingsession'])) { + // Keep the session cookie even after the browser closes + $sessionManager->setStaySignedIn(true); + $expirationTime = $sessionManager->extendSession(); + + setcookie( + $loginManager::$STAY_SIGNED_IN_COOKIE, + $loginManager->getStaySignedInToken(), + $expirationTime, + WEB_PATH + ); + + } else { + // Standard session expiration (=when browser closes) + $expirationTime = 0; } + // Send cookie with the new expiration date to the browser + session_set_cookie_params($expirationTime, $cookiedir, $_SERVER['SERVER_NAME']); + session_regenerate_id(true); + // Optional redirect after login: if (isset($_GET['post'])) { $uri = '?post='. urlencode($_GET['post']); @@ -427,11 +258,9 @@ if (isset($_POST['login'])) } } header('Location: ?'); exit; - } - else - { - ban_loginFailed($conf); - $redir = '&username='. $_POST['login']; + } else { + $loginManager->handleFailedLogin($_SERVER); + $redir = '&username='. urlencode($_POST['login']); if (isset($_GET['post'])) { $redir .= '&post=' . urlencode($_GET['post']); foreach (array('description', 'source', 'title', 'tags') as $param) { @@ -440,7 +269,8 @@ if (isset($_POST['login'])) } } } - echo ''; // Redirect to login screen. + // Redirect to login screen. + echo ''; exit; } } @@ -450,46 +280,21 @@ if (isset($_POST['login'])) // Token should be used in any form which acts on data (create,update,delete,import...). if (!isset($_SESSION['tokens'])) $_SESSION['tokens']=array(); // Token are attached to the session. -/** - * Returns a token. - * - * @param ConfigManager $conf Configuration Manager instance. - * - * @return string token. - */ -function getToken($conf) -{ - $rnd = sha1(uniqid('', true) .'_'. mt_rand() . $conf->get('credentials.salt')); // We generate a random string. - $_SESSION['tokens'][$rnd]=1; // Store it on the server side. - return $rnd; -} - -// Tells if a token is OK. Using this function will destroy the token. -// true=token is OK. -function tokenOk($token) -{ - if (isset($_SESSION['tokens'][$token])) - { - unset($_SESSION['tokens'][$token]); // Token is used: destroy it. - return true; // Token is OK. - } - return false; // Wrong token, or already used. -} - /** * Daily RSS feed: 1 RSS entry per day giving all the links on that day. * Gives the last 7 days (which have links). * This RSS feed cannot be filtered. * - * @param ConfigManager $conf Configuration Manager instance. + * @param ConfigManager $conf Configuration Manager instance + * @param LoginManager $loginManager LoginManager instance */ -function showDailyRSS($conf) { +function showDailyRSS($conf, $loginManager) { // Cache system $query = $_SERVER['QUERY_STRING']; $cache = new CachedPage( $conf->get('config.PAGE_CACHE'), page_url($_SERVER), - startsWith($query,'do=dailyrss') && !isLoggedIn() + startsWith($query,'do=dailyrss') && !$loginManager->isLoggedIn() ); $cached = $cache->cachedVersion(); if (!empty($cached)) { @@ -501,7 +306,7 @@ function showDailyRSS($conf) { // Read links from database (and filter private links if used it not logged in). $LINKSDB = new LinkDB( $conf->get('resource.datastore'), - isLoggedIn(), + $loginManager->isLoggedIn(), $conf->get('privacy.hide_public_links'), $conf->get('redirector.url'), $conf->get('redirector.encode_url') @@ -546,8 +351,11 @@ function showDailyRSS($conf) { // We pre-format some fields for proper output. foreach ($links as &$link) { - $link['formatedDescription'] = format_description($link['description'], $conf->get('redirector.url')); - $link['thumbnail'] = thumbnail($conf, $link['url']); + $link['formatedDescription'] = format_description( + $link['description'], + $conf->get('redirector.url'), + $conf->get('redirector.encode_url') + ); $link['timestamp'] = $link['created']->getTimestamp(); if (startsWith($link['url'], '?')) { $link['url'] = index_url($_SERVER) . $link['url']; // make permalink URL absolute @@ -562,6 +370,7 @@ function showDailyRSS($conf) { $tpl->assign('links', $links); $tpl->assign('rssdate', escape($dayDate->format(DateTime::RSS))); $tpl->assign('hide_timestamps', $conf->get('privacy.hide_timestamps', false)); + $tpl->assign('index_url', $pageaddr); $html = $tpl->draw('dailyrss', true); echo $html . PHP_EOL; @@ -579,9 +388,10 @@ function showDailyRSS($conf) { * @param PageBuilder $pageBuilder Template engine wrapper. * @param LinkDB $LINKSDB LinkDB instance. * @param ConfigManager $conf Configuration Manager instance. - * @param PluginManager $pluginManager Plugin Manager instane. + * @param PluginManager $pluginManager Plugin Manager instance. + * @param LoginManager $loginManager Login Manager instance */ -function showDaily($pageBuilder, $LINKSDB, $conf, $pluginManager) +function showDaily($pageBuilder, $LINKSDB, $conf, $pluginManager, $loginManager) { $day = date('Ymd', strtotime('-1 day')); // Yesterday, in format YYYYMMDD. if (isset($_GET['day'])) { @@ -618,11 +428,28 @@ function showDaily($pageBuilder, $LINKSDB, $conf, $pluginManager) $taglist = explode(' ',$link['tags']); uasort($taglist, 'strcasecmp'); $linksToDisplay[$key]['taglist']=$taglist; - $linksToDisplay[$key]['formatedDescription'] = format_description($link['description'], $conf->get('redirector.url')); - $linksToDisplay[$key]['thumbnail'] = thumbnail($conf, $link['url']); + $linksToDisplay[$key]['formatedDescription'] = format_description( + $link['description'], + $conf->get('redirector.url'), + $conf->get('redirector.encode_url') + ); $linksToDisplay[$key]['timestamp'] = $link['created']->getTimestamp(); } + $dayDate = DateTime::createFromFormat(LinkDB::LINK_DATE_FORMAT, $day.'_000000'); + $data = array( + 'pagetitle' => $conf->get('general.title') .' - '. format_date($dayDate, false), + 'linksToDisplay' => $linksToDisplay, + 'day' => $dayDate->getTimestamp(), + 'dayDate' => $dayDate, + 'previousday' => $previousday, + 'nextday' => $nextday, + ); + + /* Hook is called before column construction so that plugins don't have + to deal with columns. */ + $pluginManager->executeHooks('render_daily', $data, array('loggedin' => $loginManager->isLoggedIn())); + /* We need to spread the articles on 3 columns. I did not want to use a JavaScript lib like http://masonry.desandro.com/ so I manually spread entries with a simple method: I roughly evaluate the @@ -630,7 +457,7 @@ function showDaily($pageBuilder, $LINKSDB, $conf, $pluginManager) */ $columns = array(array(), array(), array()); // Entries to display, for each column. $fill = array(0, 0, 0); // Rough estimate of columns fill. - foreach($linksToDisplay as $key => $link) { + foreach($data['linksToDisplay'] as $key => $link) { // Roughly estimate length of entry (by counting characters) // Title: 30 chars = 1 line. 1 line is 30 pixels height. // Description: 836 characters gives roughly 342 pixel height. @@ -646,23 +473,13 @@ function showDaily($pageBuilder, $LINKSDB, $conf, $pluginManager) $fill[$index] += $length; } - $dayDate = DateTime::createFromFormat(LinkDB::LINK_DATE_FORMAT, $day.'_000000'); - $data = array( - 'pagetitle' => $conf->get('general.title') .' - '. format_date($dayDate, false), - 'linksToDisplay' => $linksToDisplay, - 'cols' => $columns, - 'day' => $dayDate->getTimestamp(), - 'dayDate' => $dayDate, - 'previousday' => $previousday, - 'nextday' => $nextday, - ); - - $pluginManager->executeHooks('render_daily', $data, array('loggedin' => isLoggedIn())); + $data['cols'] = $columns; foreach ($data as $key => $value) { $pageBuilder->assign($key, $value); } + $pageBuilder->assign('pagetitle', t('Daily') .' - '. $conf->get('general.title', 'Shaarli')); $pageBuilder->renderPage('daily'); exit; } @@ -675,26 +492,29 @@ function showDaily($pageBuilder, $LINKSDB, $conf, $pluginManager) * @param ConfigManager $conf Configuration Manager instance. * @param PluginManager $pluginManager Plugin Manager instance. */ -function showLinkList($PAGE, $LINKSDB, $conf, $pluginManager) { - buildLinkList($PAGE,$LINKSDB, $conf, $pluginManager); // Compute list of links to display +function showLinkList($PAGE, $LINKSDB, $conf, $pluginManager, $loginManager) { + buildLinkList($PAGE,$LINKSDB, $conf, $pluginManager, $loginManager); $PAGE->renderPage('linklist'); } /** * Render HTML page (according to URL parameters and user rights) * - * @param ConfigManager $conf Configuration Manager instance. - * @param PluginManager $pluginManager Plugin Manager instance, - * @param LinkDB $LINKSDB - * @param History $history instance + * @param ConfigManager $conf Configuration Manager instance. + * @param PluginManager $pluginManager Plugin Manager instance, + * @param LinkDB $LINKSDB + * @param History $history instance + * @param SessionManager $sessionManager SessionManager instance + * @param LoginManager $loginManager LoginManager instance */ -function renderPage($conf, $pluginManager, $LINKSDB, $history) +function renderPage($conf, $pluginManager, $LINKSDB, $history, $sessionManager, $loginManager) { $updater = new Updater( read_updates_file($conf->get('resource.updates')), $LINKSDB, $conf, - isLoggedIn() + $loginManager->isLoggedIn(), + $_SESSION ); try { $newUpdates = $updater->update(); @@ -709,14 +529,31 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history) die($e->getMessage()); } - $PAGE = new PageBuilder($conf, $LINKSDB); + $PAGE = new PageBuilder($conf, $_SESSION, $LINKSDB, $sessionManager->generateToken(), $loginManager->isLoggedIn()); $PAGE->assign('linkcount', count($LINKSDB)); $PAGE->assign('privateLinkcount', count_private($LINKSDB)); $PAGE->assign('plugin_errors', $pluginManager->getErrors()); // Determine which page will be rendered. $query = (isset($_SERVER['QUERY_STRING'])) ? $_SERVER['QUERY_STRING'] : ''; - $targetPage = Router::findPage($query, $_GET, isLoggedIn()); + $targetPage = Router::findPage($query, $_GET, $loginManager->isLoggedIn()); + + if ( + // if the user isn't logged in + !$loginManager->isLoggedIn() && + // and Shaarli doesn't have public content... + $conf->get('privacy.hide_public_links') && + // and is configured to enforce the login + $conf->get('privacy.force_login') && + // and the current page isn't already the login page + $targetPage !== Router::$PAGE_LOGIN && + // and the user is not requesting a feed (which would lead to a different content-type as expected) + $targetPage !== Router::$PAGE_FEED_ATOM && + $targetPage !== Router::$PAGE_FEED_RSS + ) { + // force current page to be the login page + $targetPage = Router::$PAGE_LOGIN; + } // Call plugin hooks for header, footer and includes, specifying which page will be rendered. // Then assign generated data to RainTPL. @@ -731,7 +568,7 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history) $pluginManager->executeHooks('render_' . $name, $plugin_data, array( 'target' => $targetPage, - 'loggedin' => isLoggedIn() + 'loggedin' => $loginManager->isLoggedIn() ) ); $PAGE->assign('plugins_' . $name, $plugin_data); @@ -745,6 +582,10 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history) $PAGE->assign('username', escape($_GET['username'])); } $PAGE->assign('returnurl',(isset($_SERVER['HTTP_REFERER']) ? escape($_SERVER['HTTP_REFERER']):'')); + // add default state of the 'remember me' checkbox + $PAGE->assign('remember_user_default', $conf->get('privacy.remember_user_default')); + $PAGE->assign('user_can_login', $loginManager->canLogin($_SERVER)); + $PAGE->assign('pagetitle', t('Login') .' - '. $conf->get('general.title', 'Shaarli')); $PAGE->renderPage('loginform'); exit; } @@ -752,7 +593,8 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history) if (isset($_SERVER['QUERY_STRING']) && startsWith($_SERVER['QUERY_STRING'], 'do=logout')) { invalidateCaches($conf->get('resource.page_cache')); - logout(); + $sessionManager->logout(); + setcookie(LoginManager::$STAY_SIGNED_IN_COOKIE, 'false', 0, WEB_PATH); header('Location: ?'); exit; } @@ -760,31 +602,36 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history) // -------- Picture wall if ($targetPage == Router::$PAGE_PICWALL) { + $PAGE->assign('pagetitle', t('Picture wall') .' - '. $conf->get('general.title', 'Shaarli')); + if (! $conf->get('thumbnails.mode', Thumbnailer::MODE_NONE) === Thumbnailer::MODE_NONE) { + $PAGE->assign('linksToDisplay', []); + $PAGE->renderPage('picwall'); + exit; + } + // Optionally filter the results: $links = $LINKSDB->filterSearch($_GET); $linksToDisplay = array(); // Get only links which have a thumbnail. - foreach($links as $link) + // Note: we do not retrieve thumbnails here, the request is too heavy. + foreach($links as $key => $link) { - $permalink='?'.$link['shorturl']; - $thumb=lazyThumbnail($conf, $link['url'],$permalink); - if ($thumb!='') // Only output links which have a thumbnail. - { - $link['thumbnail']=$thumb; // Thumbnail HTML code. - $linksToDisplay[]=$link; // Add to array. + if (isset($link['thumbnail']) && $link['thumbnail'] !== false) { + $linksToDisplay[] = $link; // Add to array. } } $data = array( 'linksToDisplay' => $linksToDisplay, ); - $pluginManager->executeHooks('render_picwall', $data, array('loggedin' => isLoggedIn())); + $pluginManager->executeHooks('render_picwall', $data, array('loggedin' => $loginManager->isLoggedIn())); foreach ($data as $key => $value) { $PAGE->assign($key, $value); } + $PAGE->renderPage('picwall'); exit; } @@ -792,7 +639,7 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history) // -------- Tag cloud if ($targetPage == Router::$PAGE_TAGCLOUD) { - $visibility = ! empty($_SESSION['privateonly']) ? 'private' : 'all'; + $visibility = ! empty($_SESSION['visibility']) ? $_SESSION['visibility'] : ''; $filteringTags = isset($_GET['searchtags']) ? explode(' ', $_GET['searchtags']) : []; $tags = $LINKSDB->linksCountPerTag($filteringTags, $visibility); @@ -820,16 +667,19 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history) ); } + $searchTags = implode(' ', escape($filteringTags)); $data = array( - 'search_tags' => implode(' ', $filteringTags), + 'search_tags' => $searchTags, 'tags' => $tagList, ); - $pluginManager->executeHooks('render_tagcloud', $data, array('loggedin' => isLoggedIn())); + $pluginManager->executeHooks('render_tagcloud', $data, array('loggedin' => $loginManager->isLoggedIn())); foreach ($data as $key => $value) { $PAGE->assign($key, $value); } + $searchTags = ! empty($searchTags) ? $searchTags .' - ' : ''; + $PAGE->assign('pagetitle', $searchTags. t('Tag cloud') .' - '. $conf->get('general.title', 'Shaarli')); $PAGE->renderPage('tag.cloud'); exit; } @@ -837,7 +687,7 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history) // -------- Tag list if ($targetPage == Router::$PAGE_TAGLIST) { - $visibility = ! empty($_SESSION['privateonly']) ? 'private' : 'all'; + $visibility = ! empty($_SESSION['visibility']) ? $_SESSION['visibility'] : ''; $filteringTags = isset($_GET['searchtags']) ? explode(' ', $_GET['searchtags']) : []; $tags = $LINKSDB->linksCountPerTag($filteringTags, $visibility); foreach ($filteringTags as $tag) { @@ -850,23 +700,26 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history) alphabetical_sort($tags, false, true); } + $searchTags = implode(' ', escape($filteringTags)); $data = [ - 'search_tags' => implode(' ', $filteringTags), + 'search_tags' => $searchTags, 'tags' => $tags, ]; - $pluginManager->executeHooks('render_taglist', $data, ['loggedin' => isLoggedIn()]); + $pluginManager->executeHooks('render_taglist', $data, ['loggedin' => $loginManager->isLoggedIn()]); foreach ($data as $key => $value) { $PAGE->assign($key, $value); } + $searchTags = ! empty($searchTags) ? $searchTags .' - ' : ''; + $PAGE->assign('pagetitle', $searchTags . t('Tag list') .' - '. $conf->get('general.title', 'Shaarli')); $PAGE->renderPage('tag.list'); exit; } // Daily page. if ($targetPage == Router::$PAGE_DAILY) { - showDaily($PAGE, $LINKSDB, $conf, $pluginManager); + showDaily($PAGE, $LINKSDB, $conf, $pluginManager, $loginManager); } // ATOM and RSS feed. @@ -879,7 +732,7 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history) $cache = new CachedPage( $conf->get('resource.page_cache'), page_url($_SERVER), - startsWith($query,'do='. $targetPage) && !isLoggedIn() + startsWith($query,'do='. $targetPage) && !$loginManager->isLoggedIn() ); $cached = $cache->cachedVersion(); if (!empty($cached)) { @@ -888,15 +741,15 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history) } // Generate data. - $feedGenerator = new FeedBuilder($LINKSDB, $feedType, $_SERVER, $_GET, isLoggedIn()); + $feedGenerator = new FeedBuilder($LINKSDB, $feedType, $_SERVER, $_GET, $loginManager->isLoggedIn()); $feedGenerator->setLocale(strtolower(setlocale(LC_COLLATE, 0))); - $feedGenerator->setHideDates($conf->get('privacy.hide_timestamps') && !isLoggedIn()); + $feedGenerator->setHideDates($conf->get('privacy.hide_timestamps') && !$loginManager->isLoggedIn()); $feedGenerator->setUsePermalinks(isset($_GET['permalinks']) || !$conf->get('feed.rss_permalinks')); $data = $feedGenerator->buildData(); // Process plugin hook. $pluginManager->executeHooks('render_feed', $data, array( - 'loggedin' => isLoggedIn(), + 'loggedin' => $loginManager->isLoggedIn(), 'target' => $targetPage, )); @@ -946,7 +799,7 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history) if (empty($params['searchtags'])) { $params['searchtags'] = trim($_GET['addtag']); } - else if ($addtag) { + elseif ($addtag) { $params['searchtags'] = trim($params['searchtags']).' '.trim($_GET['addtag']); } @@ -1003,15 +856,26 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history) } // -------- User wants to see only private links (toggle) - if (isset($_GET['privateonly'])) { - if (empty($_SESSION['privateonly'])) { - $_SESSION['privateonly'] = 1; // See only private links - } else { - unset($_SESSION['privateonly']); // See all links + if (isset($_GET['visibility'])) { + if ($_GET['visibility'] === 'private') { + // Visibility not set or not already private, set private, otherwise reset it + if (empty($_SESSION['visibility']) || $_SESSION['visibility'] !== 'private') { + // See only private links + $_SESSION['visibility'] = 'private'; + } else { + unset($_SESSION['visibility']); + } + } elseif ($_GET['visibility'] === 'public') { + if (empty($_SESSION['visibility']) || $_SESSION['visibility'] !== 'public') { + // See only public links + $_SESSION['visibility'] = 'public'; + } else { + unset($_SESSION['visibility']); + } } if (! empty($_SERVER['HTTP_REFERER'])) { - $location = generateLocation($_SERVER['HTTP_REFERER'], $_SERVER['HTTP_HOST'], array('privateonly')); + $location = generateLocation($_SERVER['HTTP_REFERER'], $_SERVER['HTTP_HOST'], array('visibility')); } else { $location = '?'; } @@ -1033,7 +897,7 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history) } // -------- Handle other actions allowed for non-logged in users: - if (!isLoggedIn()) + if (!$loginManager->isLoggedIn()) { // User tries to post new link but is not logged in: // Show login screen, then redirect to ?post=... @@ -1049,7 +913,7 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history) exit; } - showLinkList($PAGE, $LINKSDB, $conf, $pluginManager); + showLinkList($PAGE, $LINKSDB, $conf, $pluginManager, $loginManager); if (isset($_GET['edit_link'])) { header('Location: ?do=login&edit_link='. escape($_GET['edit_link'])); exit; @@ -1063,16 +927,17 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history) // -------- Display the Tools menu if requested (import/export/bookmarklet...) if ($targetPage == Router::$PAGE_TOOLS) { - $data = array( + $data = [ 'pageabsaddr' => index_url($_SERVER), - 'sslenabled' => !empty($_SERVER['HTTPS']) - ); + 'sslenabled' => is_https($_SERVER), + ]; $pluginManager->executeHooks('render_tools', $data); foreach ($data as $key => $value) { $PAGE->assign($key, $value); } + $PAGE->assign('pagetitle', t('Tools') .' - '. $conf->get('general.title', 'Shaarli')); $PAGE->renderPage('tools'); exit; } @@ -1081,22 +946,25 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history) if ($targetPage == Router::$PAGE_CHANGEPASSWORD) { if ($conf->get('security.open_shaarli')) { - die('You are not supposed to change a password on an Open Shaarli.'); + die(t('You are not supposed to change a password on an Open Shaarli.')); } if (!empty($_POST['setpassword']) && !empty($_POST['oldpassword'])) { - if (!tokenOk($_POST['token'])) die('Wrong token.'); // Go away! + if (!$sessionManager->checkToken($_POST['token'])) die(t('Wrong token.')); // Go away! // Make sure old password is correct. $oldhash = sha1($_POST['oldpassword'].$conf->get('credentials.login').$conf->get('credentials.salt')); - if ($oldhash!= $conf->get('credentials.hash')) { echo ''; exit; } + if ($oldhash!= $conf->get('credentials.hash')) { + echo ''; + exit; + } // Save new password // Salt renders rainbow-tables attacks useless. $conf->set('credentials.salt', sha1(uniqid('', true) .'_'. mt_rand())); $conf->set('credentials.hash', sha1($_POST['setpassword'] . $conf->get('credentials.login') . $conf->get('credentials.salt'))); try { - $conf->write(isLoggedIn()); + $conf->write($loginManager->isLoggedIn()); } catch(Exception $e) { error_log( @@ -1108,11 +976,12 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history) echo ''; exit; } - echo ''; + echo ''; exit; } else // show the change password form. { + $PAGE->assign('pagetitle', t('Change password') .' - '. $conf->get('general.title', 'Shaarli')); $PAGE->renderPage('changepassword'); exit; } @@ -1123,8 +992,8 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history) { if (!empty($_POST['title']) ) { - if (!tokenOk($_POST['token'])) { - die('Wrong token.'); // Go away! + if (!$sessionManager->checkToken($_POST['token'])) { + die(t('Wrong token.')); // Go away! } $tz = 'UTC'; if (!empty($_POST['continent']) && !empty($_POST['city']) @@ -1136,7 +1005,6 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history) $conf->set('general.title', escape($_POST['title'])); $conf->set('general.header_link', escape($_POST['titleLink'])); $conf->set('resource.theme', escape($_POST['theme'])); - $conf->set('redirector.url', escape($_POST['redirector'])); $conf->set('security.session_protection_disabled', !empty($_POST['disablesessionprotection'])); $conf->set('privacy.default_private_links', !empty($_POST['privateLinkByDefault'])); $conf->set('feed.rss_permalinks', !empty($_POST['enableRssPermalinks'])); @@ -1144,8 +1012,20 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history) $conf->set('privacy.hide_public_links', !empty($_POST['hidePublicLinks'])); $conf->set('api.enabled', !empty($_POST['enableApi'])); $conf->set('api.secret', escape($_POST['apiSecret'])); + $conf->set('translation.language', escape($_POST['language'])); + + $thumbnailsMode = extension_loaded('gd') ? $_POST['enableThumbnails'] : Thumbnailer::MODE_NONE; + if ($thumbnailsMode !== Thumbnailer::MODE_NONE + && $thumbnailsMode !== $conf->get('thumbnails.mode', Thumbnailer::MODE_NONE) + ) { + $_SESSION['warnings'][] = t( + 'You have enabled or changed thumbnails mode. Please synchronize them.' + ); + } + $conf->set('thumbnails.mode', $thumbnailsMode); + try { - $conf->write(isLoggedIn()); + $conf->write($loginManager->isLoggedIn()); $history->updateSettings(); invalidateCaches($conf->get('resource.page_cache')); } @@ -1159,7 +1039,7 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history) echo ''; exit; } - echo ''; + echo ''; exit; } else // Show the configuration form. @@ -1167,7 +1047,6 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history) $PAGE->assign('title', $conf->get('general.title')); $PAGE->assign('theme', $conf->get('resource.theme')); $PAGE->assign('theme_available', ThemeUtils::getThemes($conf->get('resource.raintpl_tpl'))); - $PAGE->assign('redirector', $conf->get('redirector.url')); list($continents, $cities) = generateTimeZoneData( timezone_identifiers_list(), $conf->get('general.timezone') @@ -1181,6 +1060,11 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history) $PAGE->assign('hide_public_links', $conf->get('privacy.hide_public_links', false)); $PAGE->assign('api_enabled', $conf->get('api.enabled', true)); $PAGE->assign('api_secret', $conf->get('api.secret')); + $PAGE->assign('languages', Languages::getAvailableLanguages()); + $PAGE->assign('language', $conf->get('translation.language')); + $PAGE->assign('gd_enabled', extension_loaded('gd')); + $PAGE->assign('thumbnails_mode', $conf->get('thumbnails.mode', Thumbnailer::MODE_NONE)); + $PAGE->assign('pagetitle', t('Configure') .' - '. $conf->get('general.title', 'Shaarli')); $PAGE->renderPage('configure'); exit; } @@ -1191,12 +1075,13 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history) { if (empty($_POST['fromtag']) || (empty($_POST['totag']) && isset($_POST['renametag']))) { $PAGE->assign('fromtag', ! empty($_GET['fromtag']) ? escape($_GET['fromtag']) : ''); + $PAGE->assign('pagetitle', t('Manage tags') .' - '. $conf->get('general.title', 'Shaarli')); $PAGE->renderPage('changetag'); exit; } - if (!tokenOk($_POST['token'])) { - die('Wrong token.'); + if (!$sessionManager->checkToken($_POST['token'])) { + die(t('Wrong token.')); } $alteredLinks = $LINKSDB->renameTag(escape($_POST['fromtag']), escape($_POST['totag'])); @@ -1206,9 +1091,10 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history) } $delete = empty($_POST['totag']); $redirect = $delete ? 'do=changetag' : 'searchtags='. urlencode(escape($_POST['totag'])); + $count = count($alteredLinks); $alert = $delete - ? sprintf(t('The tag was removed from %d links.'), count($alteredLinks)) - : sprintf(t('The tag was renamed in %d links.'), count($alteredLinks)); + ? sprintf(t('The tag was removed from %d link.', 'The tag was removed from %d links.', $count), $count) + : sprintf(t('The tag was renamed in %d link.', 'The tag was renamed in %d links.', $count), $count); echo ''; exit; } @@ -1216,6 +1102,7 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history) // -------- User wants to add a link without using the bookmarklet: Show form. if ($targetPage == Router::$PAGE_ADDLINK) { + $PAGE->assign('pagetitle', t('Shaare a new link') .' - '. $conf->get('general.title', 'Shaarli')); $PAGE->renderPage('addlink'); exit; } @@ -1224,8 +1111,8 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history) if (isset($_POST['save_edit'])) { // Go away! - if (! tokenOk($_POST['token'])) { - die('Wrong token.'); + if (! $sessionManager->checkToken($_POST['token'])) { + die(t('Wrong token.')); } // lf_id should only be present if the link exists. @@ -1233,7 +1120,7 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history) // Linkdate is kept here to: // - use the same permalink for notes as they're displayed when creating them // - let users hack creation date of their posts - // See: https://shaarli.readthedocs.io/en/master/Various-hacks/#changing-the-timestamp-for-a-shaare + // See: https://shaarli.readthedocs.io/en/master/guides/various-hacks/#changing-the-timestamp-for-a-shaare $linkdate = escape($_POST['lf_linkdate']); if (isset($LINKSDB[$id])) { // Edit @@ -1278,6 +1165,11 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history) $link['title'] = $link['url']; } + if ($conf->get('thumbnails.mode', Thumbnailer::MODE_NONE) !== Thumbnailer::MODE_NONE) { + $thumbnailer = new Thumbnailer($conf); + $link['thumbnail'] = $thumbnailer->get($url); + } + $pluginManager->executeHooks('save_link', $link); $LINKSDB[$id] = $link; @@ -1324,14 +1216,21 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history) // -------- User clicked the "Delete" button when editing a link: Delete link from database. if ($targetPage == Router::$PAGE_DELETELINK) { - if (! tokenOk($_GET['token'])) { - die('Wrong token.'); + if (! $sessionManager->checkToken($_GET['token'])) { + die(t('Wrong token.')); } - if (strpos($_GET['lf_linkdate'], ' ') !== false) { - $ids = array_values(array_filter(preg_split('/\s+/', escape($_GET['lf_linkdate'])))); + $ids = trim($_GET['lf_linkdate']); + if (strpos($ids, ' ') !== false) { + // multiple, space-separated ids provided + $ids = array_values(array_filter(preg_split('/\s+/', escape($ids)))); } else { - $ids = [$_GET['lf_linkdate']]; + // only a single id provided + $ids = [$ids]; + } + // assert at least one id is given + if(!count($ids)){ + die('no id provided'); } foreach ($ids as $id) { $id = (int) escape($id); @@ -1378,6 +1277,7 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history) $PAGE->assign($key, $value); } + $PAGE->assign('pagetitle', t('Edit') .' '. t('Shaare') .' - '. $conf->get('general.title', 'Shaarli')); $PAGE->renderPage('editlink'); exit; } @@ -1402,22 +1302,21 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history) // If this is an HTTP(S) link, we try go get the page to extract the title (otherwise we will to straight to the edit form.) if (empty($title) && strpos(get_url_scheme($url), 'http') !== false) { // Short timeout to keep the application responsive - list($headers, $content) = get_http_response($url, 4); - if (strpos($headers[0], '200 OK') !== false) { - // Retrieve charset. - $charset = get_charset($headers, $content); - // Extract title. - $title = html_extract_title($content); - // Re-encode title in utf-8 if necessary. - if (! empty($title) && strtolower($charset) != 'utf-8') { - $title = mb_convert_encoding($title, 'utf-8', $charset); - } + // The callback will fill $charset and $title with data from the downloaded page. + get_http_response( + $url, + $conf->get('general.download_timeout', 30), + $conf->get('general.download_max_size', 4194304), + get_curl_download_callback($charset, $title) + ); + if (! empty($title) && strtolower($charset) != 'utf-8') { + $title = mb_convert_encoding($title, 'utf-8', $charset); } } if ($url == '') { $url = '?' . smallHash($linkdate . $LINKSDB->getNextId()); - $title = 'Note: '; + $title = $conf->get('general.default_note_title', t('Note: ')); } $url = escape($url); $title = escape($title); @@ -1448,6 +1347,7 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history) $PAGE->assign($key, $value); } + $PAGE->assign('pagetitle', t('Shaare') .' - '. $conf->get('general.title', 'Shaarli')); $PAGE->renderPage('editlink'); exit; } @@ -1456,6 +1356,7 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history) // Export links as a Netscape Bookmarks file if (empty($_GET['selection'])) { + $PAGE->assign('pagetitle', t('Export') .' - '. $conf->get('general.title', 'Shaarli')); $PAGE->renderPage('export'); exit; } @@ -1517,6 +1418,7 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history) true ) ); + $PAGE->assign('pagetitle', t('Import') .' - '. $conf->get('general.title', 'Shaarli')); $PAGE->renderPage('import'); exit; } @@ -1524,14 +1426,17 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history) // Import bookmarks from an uploaded file if (isset($_FILES['filetoupload']['size']) && $_FILES['filetoupload']['size'] == 0) { // The file is too big or some form field may be missing. - echo ''; + $msg = sprintf( + t( + 'The file you are trying to upload is probably bigger than what this webserver can accept' + .' (%s). Please upload in smaller chunks.' + ), + get_max_upload_size(ini_get('post_max_size'), ini_get('upload_max_filesize')) + ); + echo ''; exit; } - if (! tokenOk($_POST['token'])) { + if (! $sessionManager->checkToken($_POST['token'])) { die('Wrong token.'); } $status = NetscapeBookmarkUtils::import( @@ -1562,6 +1467,7 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history) $PAGE->assign('enabledPlugins', $enabledPlugins); $PAGE->assign('disabledPlugins', $disabledPlugins); + $PAGE->assign('pagetitle', t('Plugin administration') .' - '. $conf->get('general.title', 'Shaarli')); $PAGE->renderPage('pluginsadmin'); exit; } @@ -1578,7 +1484,7 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history) else { $conf->set('general.enabled_plugins', save_plugin_config($_POST)); } - $conf->write(isLoggedIn()); + $conf->write($loginManager->isLoggedIn()); $history->updateSettings(); } catch (Exception $e) { @@ -1598,12 +1504,49 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history) // Get a fresh token if ($targetPage == Router::$GET_TOKEN) { header('Content-Type:text/plain'); - echo getToken($conf); + echo $sessionManager->generateToken($conf); + exit; + } + + // -------- Thumbnails Update + if ($targetPage == Router::$PAGE_THUMBS_UPDATE) { + $ids = []; + foreach ($LINKSDB as $link) { + // A note or not HTTP(S) + if ($link['url'][0] === '?' || ! startsWith(strtolower($link['url']), 'http')) { + continue; + } + $ids[] = $link['id']; + } + $PAGE->assign('ids', $ids); + $PAGE->assign('pagetitle', t('Thumbnails update') .' - '. $conf->get('general.title', 'Shaarli')); + $PAGE->renderPage('thumbnails'); + exit; + } + + // -------- Single Thumbnail Update + if ($targetPage == Router::$AJAX_THUMB_UPDATE) { + if (! isset($_POST['id']) || ! ctype_digit($_POST['id'])) { + http_response_code(400); + exit; + } + $id = (int) $_POST['id']; + if (empty($LINKSDB[$id])) { + http_response_code(404); + exit; + } + $thumbnailer = new Thumbnailer($conf); + $link = $LINKSDB[$id]; + $link['thumbnail'] = $thumbnailer->get($link['url']); + $LINKSDB[$id] = $link; + $LINKSDB->save($conf->get('resource.page_cache')); + + echo json_encode($link); exit; } // -------- Otherwise, simply display search form and links: - showLinkList($PAGE, $LINKSDB, $conf, $pluginManager); + showLinkList($PAGE, $LINKSDB, $conf, $pluginManager, $loginManager); exit; } @@ -1615,8 +1558,9 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history) * @param LinkDB $LINKSDB LinkDB instance. * @param ConfigManager $conf Configuration Manager instance. * @param PluginManager $pluginManager Plugin Manager instance. + * @param LoginManager $loginManager LoginManager instance */ -function buildLinkList($PAGE,$LINKSDB, $conf, $pluginManager) +function buildLinkList($PAGE, $LINKSDB, $conf, $pluginManager, $loginManager) { // Used in templates if (isset($_GET['searchtags'])) { @@ -1641,7 +1585,7 @@ function buildLinkList($PAGE,$LINKSDB, $conf, $pluginManager) } } else { // Filter links according search parameters. - $visibility = ! empty($_SESSION['privateonly']) ? 'private' : 'all'; + $visibility = ! empty($_SESSION['visibility']) ? $_SESSION['visibility'] : ''; $request = [ 'searchtags' => $searchtags, 'searchterm' => $searchterm, @@ -1655,8 +1599,6 @@ function buildLinkList($PAGE,$LINKSDB, $conf, $pluginManager) $keys[] = $key; } - - // Select articles according to paging. $pagecount = ceil(count($keys) / $_SESSION['LINKS_PER_PAGE']); $pagecount = $pagecount == 0 ? 1 : $pagecount; @@ -1666,11 +1608,21 @@ function buildLinkList($PAGE,$LINKSDB, $conf, $pluginManager) // Start index. $i = ($page-1) * $_SESSION['LINKS_PER_PAGE']; $end = $i + $_SESSION['LINKS_PER_PAGE']; + + $thumbnailsEnabled = $conf->get('thumbnails.mode', Thumbnailer::MODE_NONE) !== Thumbnailer::MODE_NONE; + if ($thumbnailsEnabled) { + $thumbnailer = new Thumbnailer($conf); + } + $linkDisp = array(); while ($i<$end && $i
'; - echo 'Make sure the variable session.save_path is set correctly in your php config, and that you have write access to it.
'; - echo 'It currently points to '.session_save_path().'
'; - echo 'Check that the hostname used to access Shaarli contains a dot. On some browsers, accessing your server via a hostname like \'localhost\' or any custom hostname without a dot causes cookie storage to fail. We recommend accessing your server via it\'s IP address or Fully Qualified Domain Name.
'; - echo '
Click to try again.'; + { + // Step 2: Check if data in session is correct. + $msg = t( + '
Sessions do not seem to work correctly on your server.'; die; } if (!isset($_SESSION['session_tested'])) @@ -1974,6 +1774,7 @@ function install($conf) } else { $conf->set('general.title', 'Shared links on '.escape(index_url($_SERVER))); } + $conf->set('translation.language', escape($_POST['language'])); $conf->set('updates.check_updates', !empty($_POST['updateCheck'])); $conf->set('api.enabled', !empty($_POST['enableApi'])); $conf->set( @@ -1985,7 +1786,7 @@ function install($conf) ); try { // Everything is ok, let's create config file. - $conf->write(isLoggedIn()); + $conf->write($loginManager->isLoggedIn()); } catch(Exception $e) { error_log( @@ -2001,241 +1802,20 @@ function install($conf) exit; } - $PAGE = new PageBuilder($conf); + $PAGE = new PageBuilder($conf, $_SESSION, null, $sessionManager->generateToken()); list($continents, $cities) = generateTimeZoneData(timezone_identifiers_list(), date_default_timezone_get()); $PAGE->assign('continents', $continents); $PAGE->assign('cities', $cities); + $PAGE->assign('languages', Languages::getAvailableLanguages()); $PAGE->renderPage('install'); exit; } -/** - * Because some f*cking services like flickr require an extra HTTP request to get the thumbnail URL, - * I have deported the thumbnail URL code generation here, otherwise this would slow down page generation. - * The following function takes the URL a link (e.g. a flickr page) and return the proper thumbnail. - * This function is called by passing the URL: - * http://mywebsite.com/shaarli/?do=genthumbnail&hmac=[HMAC]&url=[URL] - * [URL] is the URL of the link (e.g. a flickr page) - * [HMAC] is the signature for the [URL] (so that these URL cannot be forged). - * The function below will fetch the image from the webservice and store it in the cache. - * - * @param ConfigManager $conf Configuration Manager instance, - */ -function genThumbnail($conf) -{ - // Make sure the parameters in the URL were generated by us. - $sign = hash_hmac('sha256', $_GET['url'], $conf->get('credentials.salt')); - if ($sign!=$_GET['hmac']) die('Naughty boy!'); - - $cacheDir = $conf->get('resource.thumbnails_cache', 'cache'); - // Let's see if we don't already have the image for this URL in the cache. - $thumbname=hash('sha1',$_GET['url']).'.jpg'; - if (is_file($cacheDir .'/'. $thumbname)) - { // We have the thumbnail, just serve it: - header('Content-Type: image/jpeg'); - echo file_get_contents($cacheDir .'/'. $thumbname); - return; - } - // We may also serve a blank image (if service did not respond) - $blankname=hash('sha1',$_GET['url']).'.gif'; - if (is_file($cacheDir .'/'. $blankname)) - { - header('Content-Type: image/gif'); - echo file_get_contents($cacheDir .'/'. $blankname); - return; - } - - // Otherwise, generate the thumbnail. - $url = $_GET['url']; - $domain = parse_url($url,PHP_URL_HOST); - - if ($domain=='flickr.com' || endsWith($domain,'.flickr.com')) - { - // Crude replacement to handle new flickr domain policy (They prefer www. now) - $url = str_replace('http://flickr.com/','http://www.flickr.com/',$url); - - // Is this a link to an image, or to a flickr page ? - $imageurl=''; - if (endsWith(parse_url($url, PHP_URL_PATH), '.jpg')) - { // This is a direct link to an image. e.g. http://farm1.staticflickr.com/5/5921913_ac83ed27bd_o.jpg - preg_match('!(http://farm\d+\.staticflickr\.com/\d+/\d+_\w+_)\w.jpg!',$url,$matches); - if (!empty($matches[1])) $imageurl=$matches[1].'m.jpg'; - } - else // This is a flickr page (html) - { - // Get the flickr html page. - list($headers, $content) = get_http_response($url, 20); - if (strpos($headers[0], '200 OK') !== false) - { - // flickr now nicely provides the URL of the thumbnail in each flickr page. - preg_match('! - if ($imageurl=='') - { - preg_match('! tag on that page - // http://www.ted.com/talks/mikko_hypponen_fighting_viruses_defending_the_net.html - // - list($headers, $content) = get_http_response($url, 5); - if (strpos($headers[0], '200 OK') !== false) { - // Extract the link to the thumbnail - preg_match('!link rel="image_src" href="(http://images.ted.com/images/ted/.+_\d+x\d+\.jpg)"!', $content, $matches); - if (!empty($matches[1])) - { // Let's download the image. - $imageurl=$matches[1]; - // No control on image size, so wait long enough - list($headers, $content) = get_http_response($imageurl, 20); - if (strpos($headers[0], '200 OK') !== false) { - $filepath = $cacheDir .'/'. $thumbname; - file_put_contents($filepath, $content); // Save image to cache. - if (resizeImage($filepath)) - { - header('Content-Type: image/jpeg'); - echo file_get_contents($filepath); - return; - } - } - } - } - } - - elseif ($domain=='xkcd.com' || endsWith($domain,'.xkcd.com')) - { - // There is no thumbnail available for xkcd comics, so download the whole image and resize it. - // http://xkcd.com/327/ - //
'. + 'Make sure the variable "session.save_path" is set correctly in your PHP config, '. + 'and that you have write access to it.
'. + 'It currently points to %s.
'. + 'On some browsers, accessing your server via a hostname like \'localhost\' '. + 'or any custom hostname without a dot causes cookie storage to fail. '. + 'We recommend accessing your server via it\'s IP address or Fully Qualified Domain Name.
' + ); + $msg = sprintf($msg, session_save_path()); + echo $msg; + echo '
'. t('Click to try again.') .'
- list($headers, $content) = get_http_response($url, 5);
- if (strpos($headers[0], '200 OK') !== false) {
- // Extract the link to the thumbnail
- preg_match('!