X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=index.php;h=fdc4fbac8eecd350880ca9a92e5d2e4501a73703;hb=4ade7393a33e0ae3b40bb6a4dc8e051b0ed04169;hp=4068272c0b84f36f940dde37d95aad217aca1934;hpb=9e8209064db1e06b99b98ff3309d368d110b22b3;p=github%2Fshaarli%2FShaarli.git diff --git a/index.php b/index.php index 4068272c..fdc4fbac 100644 --- a/index.php +++ b/index.php @@ -1,9 +1,15 @@ '); // Suffix to encapsulate data in php code. +// http://server.com/x/shaarli --> /shaarli/ +define('WEB_PATH', substr($_SERVER["REQUEST_URI"], 0, 1+strrpos($_SERVER["REQUEST_URI"], '/', 0))); // Force cookie path (but do not change lifetime) $cookie=session_get_cookie_params(); $cookiedir = ''; if(dirname($_SERVER['SCRIPT_NAME'])!='/') $cookiedir=dirname($_SERVER["SCRIPT_NAME"]).'/'; -session_set_cookie_params($cookie['lifetime'],$cookiedir); // Set default cookie expiration and path. +session_set_cookie_params($cookie['lifetime'],$cookiedir,$_SERVER['HTTP_HOST']); // Set default cookie expiration and path. + +// Set session parameters on server side. +define('INACTIVITY_TIMEOUT',3600); // (in seconds). If the user does not access any page within this time, his/her session is considered expired. +ini_set('session.use_cookies', 1); // Use cookies to store session. +ini_set('session.use_only_cookies', 1); // Force cookies for session (phpsessionID forbidden in URL) +ini_set('session.use_trans_sid', false); // Prevent php to use sessionID in URL if cookies are disabled. +session_name('shaarli'); +if (session_id() == '') session_start(); // Start session if needed (Some server auto-start sessions). // PHP Settings ini_set('max_input_time','60'); // High execution time in case of problematic imports/exports. @@ -70,25 +86,34 @@ header("Cache-Control: post-check=0, pre-check=0", false); header("Pragma: no-cache"); // Directories creations (Note that your web host may require differents rights than 705.) +if (!is_writable(realpath(dirname(__FILE__)))) die('
ERROR: Shaarli does not have the right to write in its own directory ('.realpath(dirname(__FILE__)).').'); if (!is_dir($GLOBALS['config']['DATADIR'])) { mkdir($GLOBALS['config']['DATADIR'],0705); chmod($GLOBALS['config']['DATADIR'],0705); } if (!is_dir('tmp')) { mkdir('tmp',0705); chmod('tmp',0705); } // For RainTPL temporary files. if (!is_file($GLOBALS['config']['DATADIR'].'/.htaccess')) { file_put_contents($GLOBALS['config']['DATADIR'].'/.htaccess',"Allow from none\nDeny from all\n"); } // Protect data files. +// Second check to see if Shaarli can write in its directory, because on some hosts is_writable() is not reliable. +if (!is_file($GLOBALS['config']['DATADIR'].'/.htaccess')) die('
ERROR: Shaarli does not have the right to write in its data directory ('.realpath($GLOBALS['config']['DATADIR']).').'); if ($GLOBALS['config']['ENABLE_LOCALCACHE']) { if (!is_dir($GLOBALS['config']['CACHEDIR'])) { mkdir($GLOBALS['config']['CACHEDIR'],0705); chmod($GLOBALS['config']['CACHEDIR'],0705); } if (!is_file($GLOBALS['config']['CACHEDIR'].'/.htaccess')) { file_put_contents($GLOBALS['config']['CACHEDIR'].'/.htaccess',"Allow from none\nDeny from all\n"); } // Protect data files. } -// Run config screen if first run: -if (!is_file($GLOBALS['config']['CONFIG_FILE'])) install(); - -require $GLOBALS['config']['CONFIG_FILE']; // Read login/password hash into $GLOBALS. - // Handling of old config file which do not have the new parameters. if (empty($GLOBALS['title'])) $GLOBALS['title']='Shared links on '.htmlspecialchars(indexUrl()); if (empty($GLOBALS['timezone'])) $GLOBALS['timezone']=date_default_timezone_get(); +if (empty($GLOBALS['redirector'])) $GLOBALS['redirector']=''; if (empty($GLOBALS['disablesessionprotection'])) $GLOBALS['disablesessionprotection']=false; +if (empty($GLOBALS['disablejquery'])) $GLOBALS['disablejquery']=false; +if (empty($GLOBALS['privateLinkByDefault'])) $GLOBALS['privateLinkByDefault']=false; +// I really need to rewrite Shaarli with a proper configuation manager. + +// Run config screen if first run: +if (!is_file($GLOBALS['config']['CONFIG_FILE'])) install(); +require $GLOBALS['config']['CONFIG_FILE']; // Read login/password hash into $GLOBALS. + +// a token depending of deployment salt, user password, and the current ip +define('STAY_SIGNED_IN_TOKEN', sha1($GLOBALS['hash'].$_SERVER["REMOTE_ADDR"].$GLOBALS['salt'])); autoLocale(); // Sniff browser language and set date format accordingly. header('Content-Type: text/html; charset=utf-8'); // We use UTF-8 for proper international characters handling. @@ -137,7 +162,7 @@ class pageCache private $shouldBeCached; // boolean: Should this url be cached ? private $filename; // Name of the cache file for this url - /* + /* $url = url (typically the value returned by pageUrl()) $shouldBeCached = boolean. If false, the cache will be disabled. */ @@ -146,7 +171,7 @@ class pageCache $this->url = $url; $this->filename = $GLOBALS['config']['PAGECACHE'].'/'.sha1($url).'.cache'; $this->shouldBeCached = $shouldBeCached; - } + } // If the page should be cached and a cached version exists, // returns the cached version (otherwise, return null). @@ -174,7 +199,7 @@ class pageCache $handler = opendir($GLOBALS['config']['PAGECACHE']); if ($handler!==false) { - while (($filename = readdir($handler))!==false) + while (($filename = readdir($handler))!==false) { if (endsWith($filename,'.cache')) { unlink($GLOBALS['config']['PAGECACHE'].'/'.$filename); } } @@ -200,7 +225,7 @@ function nl2br_escaped($html) return str_replace('>','>',str_replace('<','<',nl2br($html))); } -/* Returns the small hash of a string +/* Returns the small hash of a string, using RFC 4648 base64url format eg. smallHash('20111006_131924') --> yZH23w Small hashes: - are unique (well, as unique as crc32, at last) @@ -212,10 +237,7 @@ function nl2br_escaped($html) function smallHash($text) { $t = rtrim(base64_encode(hash('crc32',$text,true)),'='); - $t = str_replace('+','-',$t); // Get rid of characters which need encoding in URLs. - $t = str_replace('/','_',$t); - $t = str_replace('=','@',$t); - return $t; + return strtr($t, '+/', '-_'); } // In a string, converts urls to clickable links. @@ -231,7 +253,7 @@ function text2clickable($url) function keepMultipleSpaces($text) { return str_replace(' ',' ',$text); - + } // ------------------------------------------------------------------------------------------ // Sniff browser language to display dates in the right format automatically. @@ -265,12 +287,6 @@ function pubsubhub() // ------------------------------------------------------------------------------------------ // Session management -define('INACTIVITY_TIMEOUT',3600); // (in seconds). If the user does not access any page within this time, his/her session is considered expired. -ini_set('session.use_cookies', 1); // Use cookies to store session. -ini_set('session.use_only_cookies', 1); // Force cookies for session (phpsessionID forbidden in URL) -ini_set('session.use_trans_sid', false); // Prevent php to use sessionID in URL if cookies are disabled. -session_name('shaarli'); -session_start(); // Returns the IP address of the client (Used to prevent session cookie hijacking.) function allIPs() @@ -282,16 +298,20 @@ function allIPs() return $ip; } +function fillSessionInfo() { + $_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); // generate unique random number (different than phpsessionid) + $_SESSION['ip']=allIPs(); // We store IP address(es) of the client to make sure session is not hijacked. + $_SESSION['username']=$GLOBALS['login']; + $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Set session expiration. +} + // Check that user/password is correct. function check_auth($login,$password) { $hash = sha1($password.$login.$GLOBALS['salt']); if ($login==$GLOBALS['login'] && $hash==$GLOBALS['hash']) { // Login/password is correct. - $_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); // generate unique random number (different than phpsessionid) - $_SESSION['ip']=allIPs(); // We store IP address(es) of the client to make sure session is not hijacked. - $_SESSION['username']=$login; - $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Set session expiration. + fillSessionInfo(); logm('Login successful'); return True; } @@ -304,6 +324,13 @@ function isLoggedIn() { if ($GLOBALS['config']['OPEN_SHAARLI']) return true; + if (!isset($GLOBALS['login'])) return false; // Shaarli is not configured yet. + + if (@$_COOKIE['shaarli_staySignedIn']===STAY_SIGNED_IN_TOKEN) + { + fillSessionInfo(); + return true; + } // If session does not exist on server side, or IP address has changed, or session has expired, logout. if (empty($_SESSION['uid']) || ($GLOBALS['disablesessionprotection']==false && $_SESSION['ip']!=allIPs()) || time()>=$_SESSION['expires_on']) { @@ -317,7 +344,9 @@ function isLoggedIn() } // Force logout. -function logout() { if (isset($_SESSION)) { unset($_SESSION['uid']); unset($_SESSION['ip']); unset($_SESSION['username']);} } +function logout() { if (isset($_SESSION)) { unset($_SESSION['uid']); unset($_SESSION['ip']); unset($_SESSION['username']); unset($_SESSION['privateonly']); } +setcookie('shaarli_staySignedIn', FALSE, 0, WEB_PATH); +} // ------------------------------------------------------------------------------------------ @@ -379,18 +408,19 @@ if (isset($_POST['login'])) // If user wants to keep the session cookie even after the browser closes: if (!empty($_POST['longlastingsession'])) { + setcookie('shaarli_staySignedIn', STAY_SIGNED_IN_TOKEN, time()+31536000, WEB_PATH); $_SESSION['longlastingsession']=31536000; // (31536000 seconds = 1 year) $_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // Set session expiration on server-side. $cookiedir = ''; if(dirname($_SERVER['SCRIPT_NAME'])!='/') $cookiedir=dirname($_SERVER["SCRIPT_NAME"]).'/'; - session_set_cookie_params($_SESSION['longlastingsession'],$cookiedir); // Set session cookie expiration on client side + session_set_cookie_params($_SESSION['longlastingsession'],$cookiedir,$_SERVER['HTTP_HOST']); // Set session cookie expiration on client side // Note: Never forget the trailing slash on the cookie path ! session_regenerate_id(true); // Send cookie with new expiration date to browser. } else // Standard session expiration (=when browser closes) { $cookiedir = ''; if(dirname($_SERVER['SCRIPT_NAME'])!='/') $cookiedir=dirname($_SERVER["SCRIPT_NAME"]).'/'; - session_set_cookie_params(0,$cookiedir); // 0 means "When browser closes" + session_set_cookie_params(0,$cookiedir,$_SERVER['HTTP_HOST']); // 0 means "When browser closes" session_regenerate_id(true); } // Optional redirect after login: @@ -405,7 +435,9 @@ if (isset($_POST['login'])) else { ban_loginFailed(); - echo ''; // Redirect to login screen. + $redir = ''; + if (isset($_GET['post'])) { $redir = '&post='.urlencode($_GET['post']).(!empty($_GET['title'])?'&title='.urlencode($_GET['title']):'').(!empty($_GET['source'])?'&source='.urlencode($_GET['source']):''); } + echo ''; // Redirect to login screen. exit; } } @@ -420,7 +452,7 @@ function serverUrl() { $https = (!empty($_SERVER['HTTPS']) && (strtolower($_SERVER['HTTPS'])=='on')) || $_SERVER["SERVER_PORT"]=='443'; // HTTPS detection. $serverport = ($_SERVER["SERVER_PORT"]=='80' || ($https && $_SERVER["SERVER_PORT"]=='443') ? '' : ':'.$_SERVER["SERVER_PORT"]); - return 'http'.($https?'s':'').'://'.$_SERVER["SERVER_NAME"].$serverport; + return 'http'.($https?'s':'').'://'.$_SERVER['HTTP_HOST'].$serverport; } // Returns the absolute URL of current script, without the query. @@ -547,7 +579,7 @@ function getHTTP($url,$timeout=30) { try { - $options = array('http'=>array('method'=>'GET','timeout' => $timeout)); // Force network timeout + $options = array('http'=>array('method'=>'GET','timeout' => $timeout, 'user_agent' => 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:23.0) Gecko/20100101 Firefox/23.0')); // Force network timeout $context = stream_context_create($options); $data=file_get_contents($url,false,$context,-1, 4000000); // We download at most 4 Mb from source. if (!$data) { return array('HTTP Error',array(),''); } @@ -576,7 +608,7 @@ if (!isset($_SESSION['tokens'])) $_SESSION['tokens']=array(); // Token are atta // Returns a token. function getToken() { - $rnd = sha1(uniqid('',true).'_'.mt_rand()); // We generate a random string. + $rnd = sha1(uniqid('',true).'_'.mt_rand().$GLOBALS['salt']); // We generate a random string. $_SESSION['tokens'][$rnd]=1; // Store it on the server side. return $rnd; } @@ -599,7 +631,7 @@ function tokenOk($token) p = new pageBuilder; p.assign('myfield','myvalue'); p.renderPage('mytemplate'); - + */ class pageBuilder { @@ -608,11 +640,11 @@ class pageBuilder function __construct() { $this->tpl=false; - } + } private function initialize() - { - $this->tpl = new RainTPL; + { + $this->tpl = new RainTPL; $this->tpl->assign('newversion',checkUpdate()); $this->tpl->assign('feedurl',htmlspecialchars(indexUrl())); $searchcrits=''; // Search criteria @@ -627,16 +659,16 @@ class pageBuilder if (!empty($GLOBALS['title'])) $this->tpl->assign('pagetitle',$GLOBALS['title']); if (!empty($GLOBALS['pagetitle'])) $this->tpl->assign('pagetitle',$GLOBALS['pagetitle']); $this->tpl->assign('shaarlititle',empty($GLOBALS['title']) ? 'Shaarli': $GLOBALS['title'] ); - return; + return; } - + // The following assign() method is basically the same as RainTPL (except that it's lazy) public function assign($what,$where) { if ($this->tpl===false) $this->initialize(); // Lazy initialization $this->tpl->assign($what,$where); } - + // Render a specific page (using a template). // eg. pb.renderPage('picwall') public function renderPage($page) @@ -654,14 +686,14 @@ class pageBuilder echo $mylinks['20110826_161819']['title']; foreach($mylinks as $link) echo $link['title'].' at url '.$link['url'].' ; description:'.$link['description']; - + Available keys: title : Title of the link url : URL of the link. Can be absolute or relative. Relative URLs are permalinks (eg.'?m-ukcw') description : description of the entry private : Is this link private ? 0=no, other value=yes linkdate : date of the creation of this entry, in the form YYYYMMDD_HHMMSS (eg.'20110914_192317') - tags : tags attached to this entry (separated by spaces) + tags : tags attached to this entry (separated by spaces) We implement 3 interfaces: - ArrayAccess so that this object behaves like an associative array. @@ -721,7 +753,7 @@ class linkdb implements Iterator, Countable, ArrayAccess $this->links = array(); $link = array('title'=>'Shaarli - sebsauvage.net','url'=>'http://sebsauvage.net/wiki/doku.php?id=php:shaarli','description'=>'Welcome to Shaarli ! This is a bookmark. To edit or delete me, you must first login.','private'=>0,'linkdate'=>'20110914_190000','tags'=>'opensource software'); $this->links[$link['linkdate']] = $link; - $link = array('title'=>'My secret stuff... - Pastebin.com','url'=>'http://pastebin.com/smCEEeSn','description'=>'SShhhh!! I\'m a private link only YOU can see. You can delete me too.','private'=>1,'linkdate'=>'20110914_074522','tags'=>'secretstuff'); + $link = array('title'=>'My secret stuff... - Pastebin.com','url'=>'http://sebsauvage.net/paste/?8434b27936c09649#bR7XsXhoTiLcqCpQbmOpBi3rq2zzQUC5hBI7ZT1O3x8=','description'=>'SShhhh!! I\'m a private link only YOU can see. You can delete me too.','private'=>1,'linkdate'=>'20110914_074522','tags'=>'secretstuff'); $this->links[$link['linkdate']] = $link; file_put_contents($GLOBALS['config']['DATASTORE'], PHPPREFIX.base64_encode(gzdeflate(serialize($this->links))).PHPSUFFIX); // Write database to disk } @@ -840,7 +872,7 @@ class linkdb implements Iterator, Countable, ArrayAccess arsort($tags); // Sort tags by usage (most used tag first) return $tags; } - + // Returns the list of days containing articles (oldest first) // Output: An array containing days (in format YYYYMMDD). public function days() @@ -857,7 +889,7 @@ class linkdb implements Iterator, Countable, ArrayAccess } // ------------------------------------------------------------------------------------------ -// Ouput the last 50 links in RSS 2.0 format. +// Ouput the last N links in RSS 2.0 format. function showRSS() { header('Content-Type: application/rss+xml; charset=utf-8'); @@ -879,6 +911,11 @@ function showRSS() if (!empty($_GET['searchterm'])) $linksToDisplay = $LINKSDB->filterFulltext($_GET['searchterm']); elseif (!empty($_GET['searchtags'])) $linksToDisplay = $LINKSDB->filterTags(trim($_GET['searchtags'])); else $linksToDisplay = $LINKSDB; + $nblinksToDisplay = 50; // Number of links to display. + if (!empty($_GET['nb'])) // In URL, you can specificy the number of links. Example: nb=200 or nb=all for all links. + { + $nblinksToDisplay = $_GET['nb']=='all' ? count($linksToDisplay) : max($_GET['nb']+0,1) ; + } $pageaddr=htmlspecialchars(indexUrl()); echo '
Sessions do not seem to work correctly on your server.'; + die; + } + if (!isset($_SESSION['session_tested'])) + { // Step 1 : Try to store data in session and reload page. + $_SESSION['session_tested'] = 'Working'; // Try to set a variable in session. + header('Location: '.indexUrl().'?test_session'); // Redirect to check stored data. + } + if (isset($_GET['test_session'])) + { // Step 3: Sessions are ok. Remove test parameter from URL. + header('Location: '.indexUrl()); + } + if (!empty($_POST['setlogin']) && !empty($_POST['setpassword'])) { @@ -1991,7 +2103,7 @@ function install() // Display config form: list($timezone_form,$timezone_js) = templateTZform(); $timezone_html=''; if ($timezone_form!='') $timezone_html='
'; + echo 'Make sure the variable session.save_path is set correctly in your php config, and that you have write access to it.
'; + echo 'It currently points to '.session_save_path().'
Click to try again.