application/Utils.php

   1 <?php
   2 /**
   3  * Shaarli utilities
   4  */
   5
   6 /**
   7  *  Returns the small hash of a string, using RFC 4648 base64url format
   8  *
   9  *  Small hashes:
  10  *   - are unique (well, as unique as crc32, at last)
  11  *   - are always 6 characters long.
  12  *   - only use the following characters: a-z A-Z 0-9 - _ @
  13  *   - are NOT cryptographically secure (they CAN be forged)
  14  *
  15  *  In Shaarli, they are used as a tinyurl-like link to individual entries,
  16  *  e.g. smallHash('20111006_131924') --> yZH23w
  17  */
  18 function smallHash($text)
  19 {
  20     $t = rtrim(base64_encode(hash('crc32', $text, true)), '=');
  21     return strtr($t, '+/', '-_');
  22 }
  23
  24 /**
  25  * Tells if a string start with a substring
  26  */
  27 function startsWith($haystack, $needle, $case=true)
  28 {
  29     if ($case) {
  30         return (strcmp(substr($haystack, 0, strlen($needle)), $needle) === 0);
  31     }
  32     return (strcasecmp(substr($haystack, 0, strlen($needle)), $needle) === 0);
  33 }
  34
  35 /**
  36  * Tells if a string ends with a substring
  37  */
  38 function endsWith($haystack, $needle, $case=true)
  39 {
  40     if ($case) {
  41         return (strcmp(substr($haystack, strlen($haystack) - strlen($needle)), $needle) === 0);
  42     }
  43     return (strcasecmp(substr($haystack, strlen($haystack) - strlen($needle)), $needle) === 0);
  44 }
  45
  46 /**
  47  * Same as nl2br(), but escapes < and >
  48  */
  49 function nl2br_escaped($html)
  50 {
  51     return str_replace('>', '&gt;', str_replace('<', '&lt;', nl2br($html)));
  52 }
  53
  54 /**
  55  * htmlspecialchars wrapper
  56  */
  57 function escape($str)
  58 {
  59     return htmlspecialchars($str, ENT_COMPAT, 'UTF-8', false);
  60 }
  61
  62 /**
  63  * Link sanitization before templating
  64  */
  65 function sanitizeLink(&$link)
  66 {
  67     $link['url'] = escape($link['url']); // useful?
  68     $link['title'] = escape($link['title']);
  69     $link['description'] = escape($link['description']);
  70     $link['tags'] = escape($link['tags']);
  71 }
  72
  73 /**
  74  * Checks if a string represents a valid date
  75  *
  76  * @param string        a string-formatted date
  77  * @param format        the expected DateTime format of the string
  78  * @return              whether the string is a valid date
  79  * @see                 http://php.net/manual/en/class.datetime.php
  80  * @see                 http://php.net/manual/en/datetime.createfromformat.php
  81  */
  82 function checkDateFormat($format, $string)
  83 {
  84     $date = DateTime::createFromFormat($format, $string);
  85     return $date && $date->format($string) == $string;
  86 }
  87
  88 /**
  89  * Generate a header location from HTTP_REFERER.
  90  * Make sure the referer is Shaarli itself and prevent redirection loop.
  91  *
  92  * @param string $referer - HTTP_REFERER.
  93  * @param string $host - Server HOST.
  94  * @param array $loopTerms - Contains list of term to prevent redirection loop.
  95  *
  96  * @return string $referer - final referer.
  97  */
  98 function generateLocation($referer, $host, $loopTerms = array())
  99 {
 100     $finalReferer = '?';
 101
 102     // No referer if it contains any value in $loopCriteria.
 103     foreach ($loopTerms as $value) {
 104         if (strpos($referer, $value) !== false) {
 105             return $finalReferer;
 106         }
 107     }
 108
 109     // Remove port from HTTP_HOST
 110     if ($pos = strpos($host, ':')) {
 111         $host = substr($host, 0, $pos);
 112     }
 113
 114     $refererHost = parse_url($referer, PHP_URL_HOST);
 115     if (!empty($referer) && (strpos($refererHost, $host) !== false || startsWith('?', $refererHost))) {
 116         $finalReferer = $referer;
 117     }
 118
 119     return $finalReferer;
 120 }
 121
 122 /**
 123  * Checks the PHP version to ensure Shaarli can run
 124  *
 125  * @param string $minVersion minimum PHP required version
 126  * @param string $curVersion current PHP version (use PHP_VERSION)
 127  *
 128  * @throws Exception    the PHP version is not supported
 129  */
 130 function checkPHPVersion($minVersion, $curVersion)
 131 {
 132     if (version_compare($curVersion, $minVersion) < 0) {
 133         throw new Exception(
 134             'Your PHP version is obsolete!'
 135             .' Shaarli requires at least PHP '.$minVersion.', and thus cannot run.'
 136             .' Your PHP version has known security vulnerabilities and should be'
 137             .' updated as soon as possible.'
 138         );
 139     }
 140 }
 141
 142 /**
 143  * Validate session ID to prevent Full Path Disclosure.
 144  *
 145  * See #298.
 146  * The session ID's format depends on the hash algorithm set in PHP settings
 147  *
 148  * @param string $sessionId Session ID
 149  *
 150  * @return true if valid, false otherwise.
 151  *
 152  * @see http://php.net/manual/en/function.hash-algos.php
 153  * @see http://php.net/manual/en/session.configuration.php
 154  */
 155 function is_session_id_valid($sessionId)
 156 {
 157     if (empty($sessionId)) {
 158         return false;
 159     }
 160
 161     if (!$sessionId) {
 162         return false;
 163     }
 164
 165     if (!preg_match('/^[a-zA-Z0-9,-]{2,128}$/', $sessionId)) {
 166         return false;
 167     }
 168
 169     return true;
 170 }