authorArthurHoaro <arthur@hoa.ro>2015-07-25 13:15:47 +0200
committerArthurHoaro <arthur@hoa.ro>2015-08-22 10:10:55 +0200
commit06b6660a7e8891c6e1c47815cf50ee5b2ef5f270 (patch)
treeb496ead047ccedb898c1917ee98d95c9cbde179c /index.php
parentd7efade5d651ec60a05a86baa53f99188ad5d72c (diff)
Avoid Full Path Disclosure error on session error.
* Add a function to validate session ID. * Generate a new session ID if an invalid token is passed.
Diffstat (limited to 'index.php')
-rwxr-xr-xindex.php41
1 files changed, 28 insertions, 13 deletions
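--- a/index.php
+++ b/index.php
@@ -43,19 +43,6 @@ define('shaarli_version','0.5.1');
 // http://server.com/x/shaarli --> /shaarli/
 define('WEB_PATH', substr($_SERVER["REQUEST_URI"], 0, 1+strrpos($_SERVER["REQUEST_URI"], '/', 0)));
 
-// Force cookie path (but do not change lifetime)
-$cookie=session_get_cookie_params();
-$cookiedir = ''; if(dirname($_SERVER['SCRIPT_NAME'])!='/') $cookiedir=dirname($_SERVER["SCRIPT_NAME"]).'/';
-session_set_cookie_params($cookie['lifetime'],$cookiedir,$_SERVER['SERVER_NAME']); // Set default cookie expiration and path.
-
-// Set session parameters on server side.
-define('INACTIVITY_TIMEOUT',3600); // (in seconds). If the user does not access any page within this time, his/her session is considered expired.
-ini_set('session.use_cookies', 1); // Use cookies to store session.
-ini_set('session.use_only_cookies', 1); // Force cookies for session (phpsessionID forbidden in URL).
-ini_set('session.use_trans_sid', false); // Prevent PHP form using sessionID in URL if cookies are disabled.
-session_name('shaarli');
-if (session_id() == '') session_start(); // Start session if needed (Some server auto-start sessions).
-
 // PHP Settings
 ini_set('max_input_time','60'); // High execution time in case of problematic imports/exports.
 ini_set('memory_limit', '128M'); // Try to set max upload file size and read (May not work on some hosts).
@@ -87,6 +74,34 @@ try {
     exit;
 }
 
+// Force cookie path (but do not change lifetime)
+$cookie = session_get_cookie_params();
+$cookiedir = '';
+if (dirname($_SERVER['SCRIPT_NAME']) != '/') {
+    $cookiedir = dirname($_SERVER["SCRIPT_NAME"]).'/';
+}
+// Set default cookie expiration and path.
+session_set_cookie_params($cookie['lifetime'], $cookiedir, $_SERVER['SERVER_NAME']);
+// Set session parameters on server side.
+// If the user does not access any page within this time, his/her session is considered expired.
+define('INACTIVITY_TIMEOUT', 3600); // in seconds.
+// Use cookies to store session.
+ini_set('session.use_cookies', 1);
+// Force cookies for session (phpsessionID forbidden in URL).
+ini_set('session.use_only_cookies', 1);
+// Prevent PHP form using sessionID in URL if cookies are disabled.
+ini_set('session.use_trans_sid', false);
+
+// Regenerate session id if invalid or not defined in cookie.
+if (isset($_COOKIE['shaarli']) && !is_session_id_valid($_COOKIE['shaarli'])) {
+    $_COOKIE['shaarli'] = uniqid();
+}
+session_name('shaarli');
+// Start session if needed (Some server auto-start sessions).
+if (session_id() == '') {
+    session_start();
+}
+
 include "inc/rain.tpl.class.php"; //include Rain TPL
 raintpl::$tpl_dir = $GLOBALS['config']['RAINTPL_TPL']; // template directory
 raintpl::$cache_dir = $GLOBALS['config']['RAINTPL_TMP']; // cache directory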
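Review bot: The replacement session id assigned at `$_COOKIE['shaarli'] = uniqid();` in the second hunk is time-based rather than cryptographically random, and because it is written back into $_COOKIE, session_start() will (if I read the session extension correctly) treat it as a client-supplied id and not emit a Set-Cookie, so a browser holding the rejected cookie keeps resending it and receives a fresh uniqid() session on every request. Dropping the bad cookie instead, `unset($_COOKIE['shaarli']);`, lets the engine generate its own random id and send it to the client; on PHP 5.5.2 and later the same protection with less hand-rolled logic is `ini_set('session.use_strict_mode', 1);`, which rejects uninitialized ids at the engine level. is_session_id_valid() is not defined in this hunk, so the character set it accepts cannot be reviewed here; a one-line comment above the call pointing at where it is defined and what it checks would help the next reader. Note also that the check uses the literal cookie name 'shaarli' while session_name('shaarli') is only set two lines later, so the two must stay in sync if the name is ever changed.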