aboutsummaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
-rw-r--r--CHANGELOG.md2
-rw-r--r--CONTRIBUTING.md2
-rw-r--r--application/LinkDB.php2
-rw-r--r--application/config/ConfigManager.php4
-rw-r--r--composer.json2
-rw-r--r--doc/md/Plugin-System.md4
-rw-r--r--doc/md/Plugins.md2
-rw-r--r--doc/md/Security.md3
-rw-r--r--doc/md/index.md2
-rw-r--r--index.php103
-rw-r--r--plugins/playvideos/README.md2
11 files changed, 60 insertions, 68 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4b018cb4..60262d56 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -61,7 +61,7 @@ The documentation has been migrated to ReadTheDocs:
61This release introduces the REST API, and requires updating HTTP server 61This release introduces the REST API, and requires updating HTTP server
62configuration to enable URL rewriting, see: 62configuration to enable URL rewriting, see:
63- https://shaarli.github.io/api-documentation/ 63- https://shaarli.github.io/api-documentation/
64- https://github.com/shaarli/Shaarli/wiki/Server-configuration 64- https://shaarli.readthedocs.io/en/master/Server-configuration/
65 65
66**WARNING**: Shaarli now requires PHP 5.5+. 66**WARNING**: Shaarli now requires PHP 5.5+.
67 67
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index bb82951d..03564fd2 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -54,7 +54,7 @@ Please report any problem you might find.
54 * starting from branch ` master`, switch to a new branch (eg. `git checkout -b my-awesome-feature`) 54 * starting from branch ` master`, switch to a new branch (eg. `git checkout -b my-awesome-feature`)
55 * edit the required files (from the Github web interface or your text editor) 55 * edit the required files (from the Github web interface or your text editor)
56 * add and commit your changes with a meaningful commit message (eg `Cool new feature, fixes issue #1001`) 56 * add and commit your changes with a meaningful commit message (eg `Cool new feature, fixes issue #1001`)
57 * run unit tests against your patched version, see [Running unit tests](https://github.com/shaarli/Shaarli/wiki/Running-unit-tests) 57 * run unit tests against your patched version, see [Running unit tests](https://shaarli.readthedocs.io/en/master/Unit-tests/#run-unit-tests)
58 * Open your fork in the Github web interface and click the "Compare and Pull Request" button, enter required info and submit your Pull Request. 58 * Open your fork in the Github web interface and click the "Compare and Pull Request" button, enter required info and submit your Pull Request.
59 59
60All changes you will do on the `my-awesome-feature` in the future will be added to your Pull Request. Don't work directly on the master branch, don't do unrelated work on your `my-awesome-feature` branch. 60All changes you will do on the `my-awesome-feature` in the future will be added to your Pull Request. Don't work directly on the master branch, don't do unrelated work on your `my-awesome-feature` branch.
diff --git a/application/LinkDB.php b/application/LinkDB.php
index 9308164a..22c1f0ab 100644
--- a/application/LinkDB.php
+++ b/application/LinkDB.php
@@ -249,7 +249,7 @@ class LinkDB implements Iterator, Countable, ArrayAccess
249 $link = array( 249 $link = array(
250 'id' => 1, 250 'id' => 1,
251 'title'=>' Shaarli: the personal, minimalist, super-fast, no-database delicious clone', 251 'title'=>' Shaarli: the personal, minimalist, super-fast, no-database delicious clone',
252 'url'=>'https://github.com/shaarli/Shaarli/wiki', 252 'url'=>'https://shaarli.readthedocs.io',
253 'description'=>'Welcome to Shaarli! This is your first public bookmark. To edit or delete me, you must first login. 253 'description'=>'Welcome to Shaarli! This is your first public bookmark. To edit or delete me, you must first login.
254 254
255To learn how to use Shaarli, consult the link "Help/documentation" at the bottom of this page. 255To learn how to use Shaarli, consult the link "Help/documentation" at the bottom of this page.
diff --git a/application/config/ConfigManager.php b/application/config/ConfigManager.php
index c94d92a8..fdd5b3d7 100644
--- a/application/config/ConfigManager.php
+++ b/application/config/ConfigManager.php
@@ -9,8 +9,8 @@ use Shaarli\Config\Exception\UnauthorizedConfigException;
9 * 9 *
10 * Manages all Shaarli's settings. 10 * Manages all Shaarli's settings.
11 * See the documentation for more information on settings: 11 * See the documentation for more information on settings:
12 * - doc/Shaarli-configuration.html 12 * - doc/md/Shaarli-configuration.md
13 * - https://github.com/shaarli/Shaarli/wiki/Shaarli-configuration 13 * - https://shaarli.readthedocs.io/en/master/Shaarli-configuration/#configuration
14 */ 14 */
15class ConfigManager 15class ConfigManager
16{ 16{
diff --git a/composer.json b/composer.json
index 756ea588..afb8aca4 100644
--- a/composer.json
+++ b/composer.json
@@ -6,7 +6,7 @@
6 "homepage": "https://github.com/shaarli/Shaarli", 6 "homepage": "https://github.com/shaarli/Shaarli",
7 "support": { 7 "support": {
8 "issues": "https://github.com/shaarli/Shaarli/issues", 8 "issues": "https://github.com/shaarli/Shaarli/issues",
9 "wiki": "https://github.com/shaarli/Shaarli/wiki" 9 "wiki": "https://shaarli.readthedocs.io"
10 }, 10 },
11 "keywords": ["bookmark", "link", "share", "web"], 11 "keywords": ["bookmark", "link", "share", "web"],
12 "config": { 12 "config": {
diff --git a/doc/md/Plugin-System.md b/doc/md/Plugin-System.md
index 30f0ae74..cbec04c0 100644
--- a/doc/md/Plugin-System.md
+++ b/doc/md/Plugin-System.md
@@ -49,10 +49,10 @@ hook_<plugin_name>_<hook_name>($data, $conf)
49 49
50Parameters: 50Parameters:
51 51
52- data: see [$data section](https://github.com/shaarli/Shaarli/wiki/Plugin-System#plugins-data) 52- data: see [$data section](https://shaarli.readthedocs.io/en/master/Plugin-System/#plugins-data)
53- conf: the `ConfigManager` instance. 53- conf: the `ConfigManager` instance.
54 54
55For exemple, if my plugin want to add data to the header, this function is needed: 55For example, if my plugin want to add data to the header, this function is needed:
56 56
57 hook_demo_plugin_render_header 57 hook_demo_plugin_render_header
58 58
diff --git a/doc/md/Plugins.md b/doc/md/Plugins.md
index 7d40637f..463dae17 100644
--- a/doc/md/Plugins.md
+++ b/doc/md/Plugins.md
@@ -72,4 +72,4 @@ Usage of each plugin is documented in it's README file:
72 72
73#### Third party plugins 73#### Third party plugins
74 74
75See [Community & related software](https://github.com/shaarli/Shaarli/wiki/Community-%26-Related-software#third-party-plugins) 75See [Community & related software](https://shaarli.readthedocs.io/en/master/Community-&-Related-software/)
diff --git a/doc/md/Security.md b/doc/md/Security.md
index 36f629af..65db4225 100644
--- a/doc/md/Security.md
+++ b/doc/md/Security.md
@@ -1,9 +1,6 @@
1## Client browser 1## Client browser
2- Shaarli relies on `HTTP_REFERER` for some functions (like redirects and clicking on tags). If you have disabled or masqueraded `HTTP_REFERER` in your browser, some features of Shaarli may not work 2- Shaarli relies on `HTTP_REFERER` for some functions (like redirects and clicking on tags). If you have disabled or masqueraded `HTTP_REFERER` in your browser, some features of Shaarli may not work
3 3
4## PHP
5- `magic_quotes` is an horrible option of PHP which is often activated on servers. No serious developer should rely on this horror to secure their code against SQL injections. You should disable it (and Shaarli expects this option to be disabled). Nevertheless, I have added code to cope with `magic_quotes` on, so you should not be bothered even on crappy hosts.
6
7## Server and sessions 4## Server and sessions
8- Directories are protected using `.htaccess` files 5- Directories are protected using `.htaccess` files
9- Forms are protected against XSRF (Cross-site requests forgery): 6- Forms are protected against XSRF (Cross-site requests forgery):
diff --git a/doc/md/index.md b/doc/md/index.md
index b10e3cf4..24ada6c7 100644
--- a/doc/md/index.md
+++ b/doc/md/index.md
@@ -37,7 +37,7 @@ Login: `demo`; Password: `demo`
37 - daily RSS feed 37 - daily RSS feed
38- permalinks for easy reference 38- permalinks for easy reference
39- links can be public or private 39- links can be public or private
40- extensible through [plugins](https://github.com/shaarli/Shaarli/wiki/Plugins#plugin-usage) 40- extensible through [plugins](https://shaarli.readthedocs.io/en/master/Plugins/#plugin-usage)
41 41
42### Tag, view and search your links! 42### Tag, view and search your links!
43- add a custom title and description to archived links 43- add a custom title and description to archived links
diff --git a/index.php b/index.php
index f2f3b93e..e0a7b416 100644
--- a/index.php
+++ b/index.php
@@ -48,8 +48,8 @@ if (! file_exists(__DIR__ . '/vendor/autoload.php')) {
48 ."If you installed Shaarli through Git or using the development branch,\n" 48 ."If you installed Shaarli through Git or using the development branch,\n"
49 ."please refer to the installation documentation to install PHP" 49 ."please refer to the installation documentation to install PHP"
50 ." dependencies using Composer:\n" 50 ." dependencies using Composer:\n"
51 ."- https://github.com/shaarli/Shaarli/wiki/Server-requirements\n" 51 ."- https://shaarli.readthedocs.io/en/master/Server-requirements/\n"
52 ."- https://github.com/shaarli/Shaarli/wiki/Download-and-Installation"; 52 ."- https://shaarli.readthedocs.io/en/master/Download-and-Installation/";
53 exit; 53 exit;
54} 54}
55require_once 'inc/rain.tpl.class.php'; 55require_once 'inc/rain.tpl.class.php';
@@ -133,15 +133,6 @@ date_default_timezone_set($conf->get('general.timezone', 'UTC'));
133 133
134ob_start(); // Output buffering for the page cache. 134ob_start(); // Output buffering for the page cache.
135 135
136// In case stupid admin has left magic_quotes enabled in php.ini:
137if (get_magic_quotes_gpc())
138{
139 function stripslashes_deep($value) { $value = is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value); return $value; }
140 $_POST = array_map('stripslashes_deep', $_POST);
141 $_GET = array_map('stripslashes_deep', $_GET);
142 $_COOKIE = array_map('stripslashes_deep', $_COOKIE);
143}
144
145// Prevent caching on client side or proxy: (yes, it's ugly) 136// Prevent caching on client side or proxy: (yes, it's ugly)
146header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT"); 137header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
147header("Cache-Control: no-store, no-cache, must-revalidate"); 138header("Cache-Control: no-store, no-cache, must-revalidate");
@@ -186,42 +177,42 @@ if (isset($_SERVER['HTTP_ACCEPT_LANGUAGE'])) {
186 */ 177 */
187function setup_login_state($conf) 178function setup_login_state($conf)
188{ 179{
189 if ($conf->get('security.open_shaarli')) { 180 if ($conf->get('security.open_shaarli')) {
190 return true; 181 return true;
191 } 182 }
192 $userIsLoggedIn = false; // By default, we do not consider the user as logged in; 183 $userIsLoggedIn = false; // By default, we do not consider the user as logged in;
193 $loginFailure = false; // If set to true, every attempt to authenticate the user will fail. This indicates that an important condition isn't met. 184 $loginFailure = false; // If set to true, every attempt to authenticate the user will fail. This indicates that an important condition isn't met.
194 if (! $conf->exists('credentials.login')) { 185 if (! $conf->exists('credentials.login')) {
195 $userIsLoggedIn = false; // Shaarli is not configured yet. 186 $userIsLoggedIn = false; // Shaarli is not configured yet.
196 $loginFailure = true; 187 $loginFailure = true;
197 } 188 }
198 if (isset($_COOKIE['shaarli_staySignedIn']) && 189 if (isset($_COOKIE['shaarli_staySignedIn']) &&
199 $_COOKIE['shaarli_staySignedIn']===STAY_SIGNED_IN_TOKEN && 190 $_COOKIE['shaarli_staySignedIn']===STAY_SIGNED_IN_TOKEN &&
200 !$loginFailure) 191 !$loginFailure)
201 { 192 {
202 fillSessionInfo($conf); 193 fillSessionInfo($conf);
203 $userIsLoggedIn = true; 194 $userIsLoggedIn = true;
204 } 195 }
205 // If session does not exist on server side, or IP address has changed, or session has expired, logout. 196 // If session does not exist on server side, or IP address has changed, or session has expired, logout.
206 if (empty($_SESSION['uid']) 197 if (empty($_SESSION['uid'])
207 || ($conf->get('security.session_protection_disabled') === false && $_SESSION['ip'] != allIPs()) 198 || ($conf->get('security.session_protection_disabled') === false && $_SESSION['ip'] != allIPs())
208 || time() >= $_SESSION['expires_on']) 199 || time() >= $_SESSION['expires_on'])
209 { 200 {
210 logout(); 201 logout();
211 $userIsLoggedIn = false; 202 $userIsLoggedIn = false;
212 $loginFailure = true; 203 $loginFailure = true;
213 } 204 }
214 if (!empty($_SESSION['longlastingsession'])) { 205 if (!empty($_SESSION['longlastingsession'])) {
215 $_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // In case of "Stay signed in" checked. 206 $_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // In case of "Stay signed in" checked.
216 } 207 }
217 else { 208 else {
218 $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Standard session expiration date. 209 $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Standard session expiration date.
219 } 210 }
220 if (!$loginFailure) { 211 if (!$loginFailure) {
221 $userIsLoggedIn = true; 212 $userIsLoggedIn = true;
222 } 213 }
223 214
224 return $userIsLoggedIn; 215 return $userIsLoggedIn;
225} 216}
226$userIsLoggedIn = setup_login_state($conf); 217$userIsLoggedIn = setup_login_state($conf);
227 218
@@ -245,10 +236,10 @@ function allIPs()
245 */ 236 */
246function fillSessionInfo($conf) 237function fillSessionInfo($conf)
247{ 238{
248 $_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); // Generate unique random number (different than phpsessionid) 239 $_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); // Generate unique random number (different than phpsessionid)
249 $_SESSION['ip']=allIPs(); // We store IP address(es) of the client to make sure session is not hijacked. 240 $_SESSION['ip']=allIPs(); // We store IP address(es) of the client to make sure session is not hijacked.
250 $_SESSION['username']= $conf->get('credentials.login'); 241 $_SESSION['username']= $conf->get('credentials.login');
251 $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Set session expiration. 242 $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Set session expiration.
252} 243}
253 244
254/** 245/**
@@ -265,7 +256,7 @@ function check_auth($login, $password, $conf)
265 $hash = sha1($password . $login . $conf->get('credentials.salt')); 256 $hash = sha1($password . $login . $conf->get('credentials.salt'));
266 if ($login == $conf->get('credentials.login') && $hash == $conf->get('credentials.hash')) 257 if ($login == $conf->get('credentials.login') && $hash == $conf->get('credentials.hash'))
267 { // Login/password is correct. 258 { // Login/password is correct.
268 fillSessionInfo($conf); 259 fillSessionInfo($conf);
269 logm($conf->get('resource.log'), $_SERVER['REMOTE_ADDR'], 'Login successful'); 260 logm($conf->get('resource.log'), $_SERVER['REMOTE_ADDR'], 'Login successful');
270 return true; 261 return true;
271 } 262 }
@@ -394,9 +385,10 @@ if (isset($_POST['login']))
394 // If user wants to keep the session cookie even after the browser closes: 385 // If user wants to keep the session cookie even after the browser closes:
395 if (!empty($_POST['longlastingsession'])) 386 if (!empty($_POST['longlastingsession']))
396 { 387 {
397 setcookie('shaarli_staySignedIn', STAY_SIGNED_IN_TOKEN, time()+31536000, WEB_PATH); 388 $_SESSION['longlastingsession'] = 31536000; // (31536000 seconds = 1 year)
398 $_SESSION['longlastingsession']=31536000; // (31536000 seconds = 1 year) 389 $expiration = time() + $_SESSION['longlastingsession']; // calculate relative cookie expiration (1 year from now)
399 $_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // Set session expiration on server-side. 390 setcookie('shaarli_staySignedIn', STAY_SIGNED_IN_TOKEN, $expiration, WEB_PATH);
391 $_SESSION['expires_on'] = $expiration; // Set session expiration on server-side.
400 392
401 $cookiedir = ''; if(dirname($_SERVER['SCRIPT_NAME'])!='/') $cookiedir=dirname($_SERVER["SCRIPT_NAME"]).'/'; 393 $cookiedir = ''; if(dirname($_SERVER['SCRIPT_NAME'])!='/') $cookiedir=dirname($_SERVER["SCRIPT_NAME"]).'/';
402 session_set_cookie_params($_SESSION['longlastingsession'],$cookiedir,$_SERVER['SERVER_NAME']); // Set session cookie expiration on client side 394 session_set_cookie_params($_SESSION['longlastingsession'],$cookiedir,$_SERVER['SERVER_NAME']); // Set session cookie expiration on client side
@@ -1235,7 +1227,7 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history)
1235 // Linkdate is kept here to: 1227 // Linkdate is kept here to:
1236 // - use the same permalink for notes as they're displayed when creating them 1228 // - use the same permalink for notes as they're displayed when creating them
1237 // - let users hack creation date of their posts 1229 // - let users hack creation date of their posts
1238 // See: https://github.com/shaarli/Shaarli/wiki/Datastore-hacks#changing-the-timestamp-for-a-link 1230 // See: https://shaarli.readthedocs.io/en/master/Various-hacks/#changing-the-timestamp-for-a-shaare
1239 $linkdate = escape($_POST['lf_linkdate']); 1231 $linkdate = escape($_POST['lf_linkdate']);
1240 if (isset($LINKSDB[$id])) { 1232 if (isset($LINKSDB[$id])) {
1241 // Edit 1233 // Edit
@@ -1258,6 +1250,9 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history)
1258 // Remove duplicates. 1250 // Remove duplicates.
1259 $tags = implode(' ', array_unique(explode(' ', $tags))); 1251 $tags = implode(' ', array_unique(explode(' ', $tags)));
1260 1252
1253 if (empty(trim($_POST['lf_url']))) {
1254 $_POST['lf_url'] = '?' . smallHash($linkdate . $id);
1255 }
1261 $url = whitelist_protocols(trim($_POST['lf_url']), $conf->get('security.allowed_protocols')); 1256 $url = whitelist_protocols(trim($_POST['lf_url']), $conf->get('security.allowed_protocols'));
1262 1257
1263 $link = array( 1258 $link = array(
diff --git a/plugins/playvideos/README.md b/plugins/playvideos/README.md
index b1698470..ab4be22a 100644
--- a/plugins/playvideos/README.md
+++ b/plugins/playvideos/README.md
@@ -8,7 +8,7 @@ This uses code from https://zaius.github.io/youtube_playlist/ and is currently o
8 8
9#### Installation and setup 9#### Installation and setup
10 10
11This is a default Shaarli plugin, you just have to enable it. See https://github.com/shaarli/Shaarli/wiki/Shaarli-configuration/ 11This is a default Shaarli plugin, you just have to enable it. See https://shaarli.readthedocs.io/en/master/Shaarli-configuration/
12 12
13 13
14#### Troubleshooting 14#### Troubleshooting