Merge pull request #946 from thewilli/clean

small code cleanup
author: VirtualTam <virtualtam+github@flibidi.net> 2017-08-27 13:10:05 +0200
committer: GitHub <noreply@github.com> 2017-08-27 13:10:05 +0200
commit: 5941c4216d804da5dfec9eeafa676105576bd0d1 (patch)
tree: a9a2ce57072e73e01dba47649fcc64150ee8b16b /index.php
parent: de901736a663934c1b67f09f1d586da665f0f036 (diff)
parent: a544b113f203d3359db51cf886f5aab98605624c (diff)
download: Shaarli-5941c4216d804da5dfec9eeafa676105576bd0d1.tar.gz
Shaarli-5941c4216d804da5dfec9eeafa676105576bd0d1.tar.zst
Shaarli-5941c4216d804da5dfec9eeafa676105576bd0d1.zip
1 files changed, 43 insertions, 51 deletions
diff --git a/index.php b/index.php
index 76526bd5..1ed1ef26 100644
--- a/index.php
+++ b/index.php
@@ -133,15 +133,6 @@ date_default_timezone_set($conf->get('general.timezone', 'UTC'));
 ob_start();  // Output buffering for the page cache.
-// In case stupid admin has left magic_quotes enabled in php.ini:
-if (get_magic_quotes_gpc())
-{
-    function stripslashes_deep($value) { $value = is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value); return $value; }
-    $_POST = array_map('stripslashes_deep', $_POST);
-    $_GET = array_map('stripslashes_deep', $_GET);
-    $_COOKIE = array_map('stripslashes_deep', $_COOKIE);
-}
 // Prevent caching on client side or proxy: (yes, it's ugly)
 header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
 header("Cache-Control: no-store, no-cache, must-revalidate");
@@ -186,42 +177,42 @@ if (isset($_SERVER['HTTP_ACCEPT_LANGUAGE'])) {
 */
 function setup_login_state($conf)
 {
-        if ($conf->get('security.open_shaarli')) {
+    if ($conf->get('security.open_shaarli')) {
-            return true;
+        return true;
-        }
+    }
-        $userIsLoggedIn = false; // By default, we do not consider the user as logged in;
+    $userIsLoggedIn = false; // By default, we do not consider the user as logged in;
-        $loginFailure = false; // If set to true, every attempt to authenticate the user will fail. This indicates that an important condition isn't met.
+    $loginFailure = false; // If set to true, every attempt to authenticate the user will fail. This indicates that an important condition isn't met.
-        if (! $conf->exists('credentials.login')) {
+    if (! $conf->exists('credentials.login')) {
-            $userIsLoggedIn = false;  // Shaarli is not configured yet.
+        $userIsLoggedIn = false;  // Shaarli is not configured yet.
-            $loginFailure = true;
+        $loginFailure = true;
-        }
+    }
-        if (isset($_COOKIE['shaarli_staySignedIn']) &&
+    if (isset($_COOKIE['shaarli_staySignedIn']) &&
-            $_COOKIE['shaarli_staySignedIn']===STAY_SIGNED_IN_TOKEN &&
+        $_COOKIE['shaarli_staySignedIn']===STAY_SIGNED_IN_TOKEN &&
-            !$loginFailure)
+        !$loginFailure)
-        {
+    {
-            fillSessionInfo($conf);
+        fillSessionInfo($conf);
-            $userIsLoggedIn = true;
+        $userIsLoggedIn = true;
-        }
+    }
-        // If session does not exist on server side, or IP address has changed, or session has expired, logout.
+    // If session does not exist on server side, or IP address has changed, or session has expired, logout.
-        if (empty($_SESSION['uid'])
+    if (empty($_SESSION['uid'])
        || ($conf->get('security.session_protection_disabled') === false && $_SESSION['ip'] != allIPs())
        || time() >= $_SESSION['expires_on'])
-        {
+    {
-            logout();
+        logout();
-            $userIsLoggedIn = false;
+        $userIsLoggedIn = false;
-            $loginFailure = true;
+        $loginFailure = true;
-        }
+    }
-        if (!empty($_SESSION['longlastingsession'])) {
+    if (!empty($_SESSION['longlastingsession'])) {
-            $_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // In case of "Stay signed in" checked.
+        $_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // In case of "Stay signed in" checked.
-        }
+    }
-        else {
+    else {
-            $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Standard session expiration date.
+        $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Standard session expiration date.
-        }
+    }
-        if (!$loginFailure) {
+    if (!$loginFailure) {
-            $userIsLoggedIn = true;
+        $userIsLoggedIn = true;
-        }
+    }
-        return $userIsLoggedIn;
+    return $userIsLoggedIn;
 }
 $userIsLoggedIn = setup_login_state($conf);
@@ -245,10 +236,10 @@ function allIPs()
 */
 function fillSessionInfo($conf)
 {
-        $_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); // Generate unique random number (different than phpsessionid)
+    $_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); // Generate unique random number (different than phpsessionid)
-        $_SESSION['ip']=allIPs();                // We store IP address(es) of the client to make sure session is not hijacked.
+    $_SESSION['ip']=allIPs();                // We store IP address(es) of the client to make sure session is not hijacked.
-        $_SESSION['username']= $conf->get('credentials.login');
+    $_SESSION['username']= $conf->get('credentials.login');
-        $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT;  // Set session expiration.
+    $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT;  // Set session expiration.
 }
 /**
@@ -265,7 +256,7 @@ function check_auth($login, $password, $conf)
    $hash = sha1($password . $login . $conf->get('credentials.salt'));
    if ($login == $conf->get('credentials.login') && $hash == $conf->get('credentials.hash'))
    {   // Login/password is correct.
-                fillSessionInfo($conf);
+        fillSessionInfo($conf);
        logm($conf->get('resource.log'), $_SERVER['REMOTE_ADDR'], 'Login successful');
        return true;
    }
@@ -394,9 +385,10 @@ if (isset($_POST['login']))
        // If user wants to keep the session cookie even after the browser closes:
        if (!empty($_POST['longlastingsession']))
        {
-                        setcookie('shaarli_staySignedIn', STAY_SIGNED_IN_TOKEN, time()+31536000, WEB_PATH);
+            $_SESSION['longlastingsession'] = 31536000; // (31536000 seconds = 1 year)
-            $_SESSION['longlastingsession']=31536000;  // (31536000 seconds = 1 year)
+            $expiration = time() + $_SESSION['longlastingsession']; // calculate relative cookie expiration (1 year from now)
-            $_SESSION['expires_on']=time()+$_SESSION['longlastingsession'];  // Set session expiration on server-side.
+            setcookie('shaarli_staySignedIn', STAY_SIGNED_IN_TOKEN, $expiration, WEB_PATH);
+            $_SESSION['expires_on'] = $expiration;  // Set session expiration on server-side.
            $cookiedir = ''; if(dirname($_SERVER['SCRIPT_NAME'])!='/') $cookiedir=dirname($_SERVER["SCRIPT_NAME"]).'/';
            session_set_cookie_params($_SESSION['longlastingsession'],$cookiedir,$_SERVER['SERVER_NAME']); // Set session cookie expiration on client side
author	VirtualTam <virtualtam+github@flibidi.net>	2017-08-27 13:10:05 +0200
committer	GitHub <noreply@github.com>	2017-08-27 13:10:05 +0200
commit	5941c4216d804da5dfec9eeafa676105576bd0d1 (patch)
tree	a9a2ce57072e73e01dba47649fcc64150ee8b16b /index.php
parent	de901736a663934c1b67f09f1d586da665f0f036 (diff)
parent	a544b113f203d3359db51cf886f5aab98605624c (diff)
download	Shaarli-5941c4216d804da5dfec9eeafa676105576bd0d1.tar.gz Shaarli-5941c4216d804da5dfec9eeafa676105576bd0d1.tar.zst Shaarli-5941c4216d804da5dfec9eeafa676105576bd0d1.zip

diff --git a/index.php b/index.php index 76526bd5..1ed1ef26 100644 --- a/index.php +++ b/index.php
@@ -133,15 +133,6 @@ date_default_timezone_set($conf->get('general.timezone', 'UTC'));
133		133
134	ob_start(); // Output buffering for the page cache.	134	ob_start(); // Output buffering for the page cache.
135		135
136	// In case stupid admin has left magic_quotes enabled in php.ini:
137	if (get_magic_quotes_gpc())
138	{
139	function stripslashes_deep($value) { $value = is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value); return $value; }
140	$_POST = array_map('stripslashes_deep', $_POST);
141	$_GET = array_map('stripslashes_deep', $_GET);
142	$_COOKIE = array_map('stripslashes_deep', $_COOKIE);
143	}
144
145	// Prevent caching on client side or proxy: (yes, it's ugly)	136	// Prevent caching on client side or proxy: (yes, it's ugly)
146	header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");	137	header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
147	header("Cache-Control: no-store, no-cache, must-revalidate");	138	header("Cache-Control: no-store, no-cache, must-revalidate");
@@ -186,42 +177,42 @@ if (isset($_SERVER['HTTP_ACCEPT_LANGUAGE'])) {
186	*/	177	*/
187	function setup_login_state($conf)	178	function setup_login_state($conf)
188	{	179	{
189	if ($conf->get('security.open_shaarli')) {	180	if ($conf->get('security.open_shaarli')) {
190	return true;	181	return true;
191	}	182	}
192	$userIsLoggedIn = false; // By default, we do not consider the user as logged in;	183	$userIsLoggedIn = false; // By default, we do not consider the user as logged in;
193	$loginFailure = false; // If set to true, every attempt to authenticate the user will fail. This indicates that an important condition isn't met.	184	$loginFailure = false; // If set to true, every attempt to authenticate the user will fail. This indicates that an important condition isn't met.
194	if (! $conf->exists('credentials.login')) {	185	if (! $conf->exists('credentials.login')) {
195	$userIsLoggedIn = false; // Shaarli is not configured yet.	186	$userIsLoggedIn = false; // Shaarli is not configured yet.
196	$loginFailure = true;	187	$loginFailure = true;
197	}	188	}
198	if (isset($_COOKIE['shaarli_staySignedIn']) &&	189	if (isset($_COOKIE['shaarli_staySignedIn']) &&
199	$_COOKIE['shaarli_staySignedIn']===STAY_SIGNED_IN_TOKEN &&	190	$_COOKIE['shaarli_staySignedIn']===STAY_SIGNED_IN_TOKEN &&
200	!$loginFailure)	191	!$loginFailure)
201	{	192	{
202	fillSessionInfo($conf);	193	fillSessionInfo($conf);
203	$userIsLoggedIn = true;	194	$userIsLoggedIn = true;
204	}	195	}
205	// If session does not exist on server side, or IP address has changed, or session has expired, logout.	196	// If session does not exist on server side, or IP address has changed, or session has expired, logout.
206	if (empty($_SESSION['uid'])	197	if (empty($_SESSION['uid'])
207	\|\| ($conf->get('security.session_protection_disabled') === false && $_SESSION['ip'] != allIPs())	198	\|\| ($conf->get('security.session_protection_disabled') === false && $_SESSION['ip'] != allIPs())
208	\|\| time() >= $_SESSION['expires_on'])	199	\|\| time() >= $_SESSION['expires_on'])
209	{	200	{
210	logout();	201	logout();
211	$userIsLoggedIn = false;	202	$userIsLoggedIn = false;
212	$loginFailure = true;	203	$loginFailure = true;
213	}	204	}
214	if (!empty($_SESSION['longlastingsession'])) {	205	if (!empty($_SESSION['longlastingsession'])) {
215	$_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // In case of "Stay signed in" checked.	206	$_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // In case of "Stay signed in" checked.
216	}	207	}
217	else {	208	else {
218	$_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Standard session expiration date.	209	$_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Standard session expiration date.
219	}	210	}
220	if (!$loginFailure) {	211	if (!$loginFailure) {
221	$userIsLoggedIn = true;	212	$userIsLoggedIn = true;
222	}	213	}
223		214
224	return $userIsLoggedIn;	215	return $userIsLoggedIn;
225	}	216	}
226	$userIsLoggedIn = setup_login_state($conf);	217	$userIsLoggedIn = setup_login_state($conf);
227		218
@@ -245,10 +236,10 @@ function allIPs()
245	*/	236	*/
246	function fillSessionInfo($conf)	237	function fillSessionInfo($conf)
247	{	238	{
248	$_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); // Generate unique random number (different than phpsessionid)	239	$_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); // Generate unique random number (different than phpsessionid)
249	$_SESSION['ip']=allIPs(); // We store IP address(es) of the client to make sure session is not hijacked.	240	$_SESSION['ip']=allIPs(); // We store IP address(es) of the client to make sure session is not hijacked.
250	$_SESSION['username']= $conf->get('credentials.login');	241	$_SESSION['username']= $conf->get('credentials.login');
251	$_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Set session expiration.	242	$_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Set session expiration.
252	}	243	}
253		244
254	/**	245	/**
@@ -265,7 +256,7 @@ function check_auth($login, $password, $conf)
265	$hash = sha1($password . $login . $conf->get('credentials.salt'));	256	$hash = sha1($password . $login . $conf->get('credentials.salt'));
266	if ($login == $conf->get('credentials.login') && $hash == $conf->get('credentials.hash'))	257	if ($login == $conf->get('credentials.login') && $hash == $conf->get('credentials.hash'))
267	{ // Login/password is correct.	258	{ // Login/password is correct.
268	fillSessionInfo($conf);	259	fillSessionInfo($conf);
269	logm($conf->get('resource.log'), $_SERVER['REMOTE_ADDR'], 'Login successful');	260	logm($conf->get('resource.log'), $_SERVER['REMOTE_ADDR'], 'Login successful');
270	return true;	261	return true;
271	}	262	}
@@ -394,9 +385,10 @@ if (isset($_POST['login']))
394	// If user wants to keep the session cookie even after the browser closes:	385	// If user wants to keep the session cookie even after the browser closes:
395	if (!empty($_POST['longlastingsession']))	386	if (!empty($_POST['longlastingsession']))
396	{	387	{
397	setcookie('shaarli_staySignedIn', STAY_SIGNED_IN_TOKEN, time()+31536000, WEB_PATH);	388	$_SESSION['longlastingsession'] = 31536000; // (31536000 seconds = 1 year)
398	$_SESSION['longlastingsession']=31536000; // (31536000 seconds = 1 year)	389	$expiration = time() + $_SESSION['longlastingsession']; // calculate relative cookie expiration (1 year from now)
399	$_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // Set session expiration on server-side.	390	setcookie('shaarli_staySignedIn', STAY_SIGNED_IN_TOKEN, $expiration, WEB_PATH);
		391	$_SESSION['expires_on'] = $expiration; // Set session expiration on server-side.
400		392
401	$cookiedir = ''; if(dirname($_SERVER['SCRIPT_NAME'])!='/') $cookiedir=dirname($_SERVER["SCRIPT_NAME"]).'/';	393	$cookiedir = ''; if(dirname($_SERVER['SCRIPT_NAME'])!='/') $cookiedir=dirname($_SERVER["SCRIPT_NAME"]).'/';
402	session_set_cookie_params($_SESSION['longlastingsession'],$cookiedir,$_SERVER['SERVER_NAME']); // Set session cookie expiration on client side	394	session_set_cookie_params($_SESSION['longlastingsession'],$cookiedir,$_SERVER['SERVER_NAME']); // Set session cookie expiration on client side