diff options
author | VirtualTam <virtualtam+github@flibidi.net> | 2017-08-27 13:10:05 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-08-27 13:10:05 +0200 |
commit | 5941c4216d804da5dfec9eeafa676105576bd0d1 (patch) | |
tree | a9a2ce57072e73e01dba47649fcc64150ee8b16b | |
parent | de901736a663934c1b67f09f1d586da665f0f036 (diff) | |
parent | a544b113f203d3359db51cf886f5aab98605624c (diff) | |
download | Shaarli-5941c4216d804da5dfec9eeafa676105576bd0d1.tar.gz Shaarli-5941c4216d804da5dfec9eeafa676105576bd0d1.tar.zst Shaarli-5941c4216d804da5dfec9eeafa676105576bd0d1.zip |
Merge pull request #946 from thewilli/clean
small code cleanup
-rw-r--r-- | doc/md/Security.md | 3 | ||||
-rw-r--r-- | index.php | 94 |
2 files changed, 43 insertions, 54 deletions
diff --git a/doc/md/Security.md b/doc/md/Security.md index 36f629af..65db4225 100644 --- a/doc/md/Security.md +++ b/doc/md/Security.md | |||
@@ -1,9 +1,6 @@ | |||
1 | ## Client browser | 1 | ## Client browser |
2 | - Shaarli relies on `HTTP_REFERER` for some functions (like redirects and clicking on tags). If you have disabled or masqueraded `HTTP_REFERER` in your browser, some features of Shaarli may not work | 2 | - Shaarli relies on `HTTP_REFERER` for some functions (like redirects and clicking on tags). If you have disabled or masqueraded `HTTP_REFERER` in your browser, some features of Shaarli may not work |
3 | 3 | ||
4 | ## PHP | ||
5 | - `magic_quotes` is an horrible option of PHP which is often activated on servers. No serious developer should rely on this horror to secure their code against SQL injections. You should disable it (and Shaarli expects this option to be disabled). Nevertheless, I have added code to cope with `magic_quotes` on, so you should not be bothered even on crappy hosts. | ||
6 | |||
7 | ## Server and sessions | 4 | ## Server and sessions |
8 | - Directories are protected using `.htaccess` files | 5 | - Directories are protected using `.htaccess` files |
9 | - Forms are protected against XSRF (Cross-site requests forgery): | 6 | - Forms are protected against XSRF (Cross-site requests forgery): |
@@ -133,15 +133,6 @@ date_default_timezone_set($conf->get('general.timezone', 'UTC')); | |||
133 | 133 | ||
134 | ob_start(); // Output buffering for the page cache. | 134 | ob_start(); // Output buffering for the page cache. |
135 | 135 | ||
136 | // In case stupid admin has left magic_quotes enabled in php.ini: | ||
137 | if (get_magic_quotes_gpc()) | ||
138 | { | ||
139 | function stripslashes_deep($value) { $value = is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value); return $value; } | ||
140 | $_POST = array_map('stripslashes_deep', $_POST); | ||
141 | $_GET = array_map('stripslashes_deep', $_GET); | ||
142 | $_COOKIE = array_map('stripslashes_deep', $_COOKIE); | ||
143 | } | ||
144 | |||
145 | // Prevent caching on client side or proxy: (yes, it's ugly) | 136 | // Prevent caching on client side or proxy: (yes, it's ugly) |
146 | header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT"); | 137 | header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT"); |
147 | header("Cache-Control: no-store, no-cache, must-revalidate"); | 138 | header("Cache-Control: no-store, no-cache, must-revalidate"); |
@@ -186,42 +177,42 @@ if (isset($_SERVER['HTTP_ACCEPT_LANGUAGE'])) { | |||
186 | */ | 177 | */ |
187 | function setup_login_state($conf) | 178 | function setup_login_state($conf) |
188 | { | 179 | { |
189 | if ($conf->get('security.open_shaarli')) { | 180 | if ($conf->get('security.open_shaarli')) { |
190 | return true; | 181 | return true; |
191 | } | 182 | } |
192 | $userIsLoggedIn = false; // By default, we do not consider the user as logged in; | 183 | $userIsLoggedIn = false; // By default, we do not consider the user as logged in; |
193 | $loginFailure = false; // If set to true, every attempt to authenticate the user will fail. This indicates that an important condition isn't met. | 184 | $loginFailure = false; // If set to true, every attempt to authenticate the user will fail. This indicates that an important condition isn't met. |
194 | if (! $conf->exists('credentials.login')) { | 185 | if (! $conf->exists('credentials.login')) { |
195 | $userIsLoggedIn = false; // Shaarli is not configured yet. | 186 | $userIsLoggedIn = false; // Shaarli is not configured yet. |
196 | $loginFailure = true; | 187 | $loginFailure = true; |
197 | } | 188 | } |
198 | if (isset($_COOKIE['shaarli_staySignedIn']) && | 189 | if (isset($_COOKIE['shaarli_staySignedIn']) && |
199 | $_COOKIE['shaarli_staySignedIn']===STAY_SIGNED_IN_TOKEN && | 190 | $_COOKIE['shaarli_staySignedIn']===STAY_SIGNED_IN_TOKEN && |
200 | !$loginFailure) | 191 | !$loginFailure) |
201 | { | 192 | { |
202 | fillSessionInfo($conf); | 193 | fillSessionInfo($conf); |
203 | $userIsLoggedIn = true; | 194 | $userIsLoggedIn = true; |
204 | } | 195 | } |
205 | // If session does not exist on server side, or IP address has changed, or session has expired, logout. | 196 | // If session does not exist on server side, or IP address has changed, or session has expired, logout. |
206 | if (empty($_SESSION['uid']) | 197 | if (empty($_SESSION['uid']) |
207 | || ($conf->get('security.session_protection_disabled') === false && $_SESSION['ip'] != allIPs()) | 198 | || ($conf->get('security.session_protection_disabled') === false && $_SESSION['ip'] != allIPs()) |
208 | || time() >= $_SESSION['expires_on']) | 199 | || time() >= $_SESSION['expires_on']) |
209 | { | 200 | { |
210 | logout(); | 201 | logout(); |
211 | $userIsLoggedIn = false; | 202 | $userIsLoggedIn = false; |
212 | $loginFailure = true; | 203 | $loginFailure = true; |
213 | } | 204 | } |
214 | if (!empty($_SESSION['longlastingsession'])) { | 205 | if (!empty($_SESSION['longlastingsession'])) { |
215 | $_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // In case of "Stay signed in" checked. | 206 | $_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // In case of "Stay signed in" checked. |
216 | } | 207 | } |
217 | else { | 208 | else { |
218 | $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Standard session expiration date. | 209 | $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Standard session expiration date. |
219 | } | 210 | } |
220 | if (!$loginFailure) { | 211 | if (!$loginFailure) { |
221 | $userIsLoggedIn = true; | 212 | $userIsLoggedIn = true; |
222 | } | 213 | } |
223 | 214 | ||
224 | return $userIsLoggedIn; | 215 | return $userIsLoggedIn; |
225 | } | 216 | } |
226 | $userIsLoggedIn = setup_login_state($conf); | 217 | $userIsLoggedIn = setup_login_state($conf); |
227 | 218 | ||
@@ -245,10 +236,10 @@ function allIPs() | |||
245 | */ | 236 | */ |
246 | function fillSessionInfo($conf) | 237 | function fillSessionInfo($conf) |
247 | { | 238 | { |
248 | $_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); // Generate unique random number (different than phpsessionid) | 239 | $_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); // Generate unique random number (different than phpsessionid) |
249 | $_SESSION['ip']=allIPs(); // We store IP address(es) of the client to make sure session is not hijacked. | 240 | $_SESSION['ip']=allIPs(); // We store IP address(es) of the client to make sure session is not hijacked. |
250 | $_SESSION['username']= $conf->get('credentials.login'); | 241 | $_SESSION['username']= $conf->get('credentials.login'); |
251 | $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Set session expiration. | 242 | $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Set session expiration. |
252 | } | 243 | } |
253 | 244 | ||
254 | /** | 245 | /** |
@@ -265,7 +256,7 @@ function check_auth($login, $password, $conf) | |||
265 | $hash = sha1($password . $login . $conf->get('credentials.salt')); | 256 | $hash = sha1($password . $login . $conf->get('credentials.salt')); |
266 | if ($login == $conf->get('credentials.login') && $hash == $conf->get('credentials.hash')) | 257 | if ($login == $conf->get('credentials.login') && $hash == $conf->get('credentials.hash')) |
267 | { // Login/password is correct. | 258 | { // Login/password is correct. |
268 | fillSessionInfo($conf); | 259 | fillSessionInfo($conf); |
269 | logm($conf->get('resource.log'), $_SERVER['REMOTE_ADDR'], 'Login successful'); | 260 | logm($conf->get('resource.log'), $_SERVER['REMOTE_ADDR'], 'Login successful'); |
270 | return true; | 261 | return true; |
271 | } | 262 | } |
@@ -394,9 +385,10 @@ if (isset($_POST['login'])) | |||
394 | // If user wants to keep the session cookie even after the browser closes: | 385 | // If user wants to keep the session cookie even after the browser closes: |
395 | if (!empty($_POST['longlastingsession'])) | 386 | if (!empty($_POST['longlastingsession'])) |
396 | { | 387 | { |
397 | setcookie('shaarli_staySignedIn', STAY_SIGNED_IN_TOKEN, time()+31536000, WEB_PATH); | 388 | $_SESSION['longlastingsession'] = 31536000; // (31536000 seconds = 1 year) |
398 | $_SESSION['longlastingsession']=31536000; // (31536000 seconds = 1 year) | 389 | $expiration = time() + $_SESSION['longlastingsession']; // calculate relative cookie expiration (1 year from now) |
399 | $_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // Set session expiration on server-side. | 390 | setcookie('shaarli_staySignedIn', STAY_SIGNED_IN_TOKEN, $expiration, WEB_PATH); |
391 | $_SESSION['expires_on'] = $expiration; // Set session expiration on server-side. | ||
400 | 392 | ||
401 | $cookiedir = ''; if(dirname($_SERVER['SCRIPT_NAME'])!='/') $cookiedir=dirname($_SERVER["SCRIPT_NAME"]).'/'; | 393 | $cookiedir = ''; if(dirname($_SERVER['SCRIPT_NAME'])!='/') $cookiedir=dirname($_SERVER["SCRIPT_NAME"]).'/'; |
402 | session_set_cookie_params($_SESSION['longlastingsession'],$cookiedir,$_SERVER['SERVER_NAME']); // Set session cookie expiration on client side | 394 | session_set_cookie_params($_SESSION['longlastingsession'],$cookiedir,$_SERVER['SERVER_NAME']); // Set session cookie expiration on client side |