3 files changed, 42 insertions, 78 deletions
diff --git a/application/Updater.php b/application/Updater.php
index 31630ff5..db2144fe 100644
--- a/application/Updater.php
+++ b/application/Updater.php
@@ -191,6 +191,29 @@ class Updater
            return false;
        }
    }
+    /**
+     * Escape settings which have been manually escaped in every request in previous versions:
+     *   - general.title
+     *   - general.header_link
+     *   - extras.redirector
+     *
+     * @return bool true if the update is successful, false otherwise.
+     */
+    public function escapeUnescapedConfig()
+    {
+        $conf = ConfigManager::getInstance();
+        try {
+            $conf->set('general.title', escape($conf->get('general.title')));
+            $conf->set('general.header_link', escape($conf->get('general.header_link')));
+            $conf->set('extras.redirector', escape($conf->get('extras.redirector')));
+            $conf->write($this->isLoggedIn);
+        } catch (Exception $e) {
+            error_log($e->getMessage());
+            return false;
+        }
+        return true;
+    }
 }
 /**
diff --git a/application/config/ConfigManager.php b/application/config/ConfigManager.php
index a663a071..c0482cf3 100644
--- a/application/config/ConfigManager.php
+++ b/application/config/ConfigManager.php
@@ -9,6 +9,9 @@ require_once 'ConfigJson.php';
 * Class ConfigManager
 *
 * Singleton, manages all Shaarli's settings.
+ * See the documentation for more information on settings:
+ *   - doc/Shaarli-configuration.html
+ *   - https://github.com/shaarli/Shaarli/wiki/Shaarli-configuration
 */
 class ConfigManager
 {
@@ -286,81 +289,40 @@ class ConfigManager
     */
    protected function setDefaultValues()
    {
-        // Data subdirectory
        $this->setEmpty('path.data_dir', 'data');
-        // Main configuration file
        $this->setEmpty('path.config', 'data/config.php');
-        // Link datastore
        $this->setEmpty('path.datastore', 'data/datastore.php');
-        // Banned IPs
        $this->setEmpty('path.ban_file', 'data/ipbans.php');
-        // Processed updates file.
        $this->setEmpty('path.updates', 'data/updates.txt');
-        // Access log
        $this->setEmpty('path.log', 'data/log.txt');
-        // For updates check of Shaarli
        $this->setEmpty('path.update_check', 'data/lastupdatecheck.txt');
-        // Set ENABLE_UPDATECHECK to disabled by default.
-        $this->setEmpty('general.check_updates', false);
-        // RainTPL cache directory (keep the trailing slash!)
-        $this->setEmpty('path.raintpl_tmp', 'tmp/');
-        // Raintpl template directory (keep the trailing slash!)
        $this->setEmpty('path.raintpl_tpl', 'tpl/');
+        $this->setEmpty('path.raintpl_tmp', 'tmp/');
-        // Thumbnail cache directory
        $this->setEmpty('path.thumbnails_cache', 'cache');
-        // Atom & RSS feed cache directory
        $this->setEmpty('path.page_cache', 'pagecache');
-        // Ban IP after this many failures
        $this->setEmpty('security.ban_after', 4);
-        // Ban duration for IP address after login failures (in seconds)
        $this->setEmpty('security.ban_after', 1800);
+        $this->setEmpty('security.session_protection_disabled', false);
-        // Feed options
+        $this->setEmpty('general.check_updates', false);
-        // Enable RSS permalinks by default.
-        // This corresponds to the default behavior of shaarli before this was added as an option.
        $this->setEmpty('general.rss_permalinks', true);
-        // If true, an extra "ATOM feed" button will be displayed in the toolbar
-        $this->setEmpty('extras.show_atom', false);
-        // Link display options
-        $this->setEmpty('extras.hide_public_links', false);
-        $this->setEmpty('extras.hide_timestamps', false);
        $this->setEmpty('general.links_per_page', 20);
-        // Private checkbox is checked by default
        $this->setEmpty('general.default_private_links', false);
-        // Open Shaarli (true): anyone can add/edit/delete links without having to login
-        $this->setEmpty('extras.open_shaarli', false);
-        // Thumbnails
-        // Display thumbnails in links
        $this->setEmpty('general.enable_thumbnails', true);
-        // Store thumbnails in a local cache
        $this->setEmpty('general.enable_localcache', true);
-        // Update check frequency for Shaarli. 86400 seconds=24 hours
        $this->setEmpty('general.check_updates_branch', 'stable');
        $this->setEmpty('general.check_updates_interval', 86400);
+        $this->setEmpty('general.header_link', '?');
+        $this->setEmpty('general.enabled_plugins', array('qrcode'));
+        $this->setEmpty('extras.show_atom', false);
+        $this->setEmpty('extras.hide_public_links', false);
+        $this->setEmpty('extras.hide_timestamps', false);
+        $this->setEmpty('extras.open_shaarli', false);
        $this->setEmpty('extras.redirector', '');
        $this->setEmpty('extras.redirector_encode_url', true);
-        // Enabled plugins.
-        $this->setEmpty('general.enabled_plugins', array('qrcode'));
-        // Initialize plugin parameters array.
        $this->setEmpty('plugins', array());
    }
@@ -370,7 +332,7 @@ class ConfigManager
     * @param string $key   Setting key.
     * @param mixed  $value Setting value.
     */
-    protected function setEmpty($key, $value)
+    public function setEmpty($key, $value)
    {
        if (! $this->exists($key)) {
            $this->set($key, $value);
diff --git a/index.php b/index.php
index 9546ee15..ac4a680d 100644
--- a/index.php
+++ b/index.php
@@ -106,7 +106,8 @@ if (isset($_COOKIE['shaarli']) && !is_session_id_valid($_COOKIE['shaarli'])) {
 }
 $conf = ConfigManager::getInstance();
+$conf->setEmpty('general.timezone', date_default_timezone_get());
+$conf->setEmpty('general.title', 'Shared links on '. escape(index_url($_SERVER)));
 RainTPL::$tpl_dir = $conf->get('path.raintpl_tpl'); // template directory
 RainTPL::$cache_dir = $conf->get('path.raintpl_tmp'); // cache directory
@@ -132,23 +133,6 @@ header("Cache-Control: no-store, no-cache, must-revalidate");
 header("Cache-Control: post-check=0, pre-check=0", false);
 header("Pragma: no-cache");
-// Handling of old config file which do not have the new parameters.
-if (! $conf->exists('general.title')) {
-    $conf->set('general.title', 'Shared links on '. escape(index_url($_SERVER)));
-}
-if (! $conf->exists('general.timezone')) {
-    $conf->set('general.timezone', date_default_timezone_get());
-}
-if (! $conf->exists('security.session_protection_disabled')) {
-    $conf->set('security.session_protection_disabled', false);
-}
-if (! $conf->exists('general.default_private_links')) {
-    $conf->set('general.default_private_links', false);
-}
-if (! $conf->exists('general.header_link')) {
-    $conf->set('general.header_link', '?');
-}
 if (! is_file($conf->getConfigFile())) {
    // Ensure Shaarli has proper access to its resources
    $errors = ApplicationUtils::checkResourcePermissions();
@@ -170,11 +154,6 @@ if (! is_file($conf->getConfigFile())) {
    install();
 }
-// FIXME! Update these value with Updater and escpae it during the install/config save.
-$conf->set('general.title', escape($conf->get('general.title')));
-$conf->set('general.header_link', escape($conf->get('general.header_link')));
-$conf->set('extras.redirector', escape($conf->get('extras.redirector')));
 // a token depending of deployment salt, user password, and the current ip
 define('STAY_SIGNED_IN_TOKEN', sha1($conf->get('credentials.hash') . $_SERVER['REMOTE_ADDR'] . $conf->get('credentials.salt')));
@@ -1101,9 +1080,9 @@ function renderPage()
                $tz = $_POST['continent'] . '/' . $_POST['city'];
            }
            $conf->set('general.timezone', $tz);
-            $conf->set('general.title', $_POST['title']);
+            $conf->set('general.title', escape($_POST['title']));
-            $conf->set('general.header_link', $_POST['titleLink']);
+            $conf->set('general.header_link', escape($_POST['titleLink']));
-            $conf->set('extras.redirector', $_POST['redirector']);
+            $conf->set('extras.redirector', escape($_POST['redirector']));
            $conf->set('security.session_protection_disabled', !empty($_POST['disablesessionprotection']));
            $conf->set('general.default_private_links', !empty($_POST['privateLinkByDefault']));
            $conf->set('general.rss_permalinks', !empty($_POST['enableRssPermalinks']));
@@ -1951,7 +1930,7 @@ function install()
        $conf->set('credentials.salt', $salt);
        $conf->set('credentials.hash', sha1($_POST['setpassword'] . $login . $salt));
        if (!empty($_POST['title'])) {
-            $conf->set('general.title', $_POST['title']);
+            $conf->set('general.title', escape($_POST['title']));
        } else {
            $conf->set('general.title', 'Shared links on '.escape(index_url($_SERVER)));
        }

diff --git a/application/Updater.php b/application/Updater.php index 31630ff5..db2144fe 100644 --- a/application/Updater.php +++ b/application/Updater.php
@@ -191,6 +191,29 @@ class Updater
191	return false;	191	return false;
192	}	192	}
193	}	193	}
		194
		195	/**
		196	* Escape settings which have been manually escaped in every request in previous versions:
		197	* - general.title
		198	* - general.header_link
		199	* - extras.redirector
		200	*
		201	* @return bool true if the update is successful, false otherwise.
		202	*/
		203	public function escapeUnescapedConfig()
		204	{
		205	$conf = ConfigManager::getInstance();
		206	try {
		207	$conf->set('general.title', escape($conf->get('general.title')));
		208	$conf->set('general.header_link', escape($conf->get('general.header_link')));
		209	$conf->set('extras.redirector', escape($conf->get('extras.redirector')));
		210	$conf->write($this->isLoggedIn);
		211	} catch (Exception $e) {
		212	error_log($e->getMessage());
		213	return false;
		214	}
		215	return true;
		216	}
194	}	217	}
195		218
196	/**	219	/**


diff --git a/application/config/ConfigManager.php b/application/config/ConfigManager.php index a663a071..c0482cf3 100644 --- a/application/config/ConfigManager.php +++ b/application/config/ConfigManager.php
@@ -9,6 +9,9 @@ require_once 'ConfigJson.php';
9	* Class ConfigManager	9	* Class ConfigManager
10	*	10	*
11	* Singleton, manages all Shaarli's settings.	11	* Singleton, manages all Shaarli's settings.
		12	* See the documentation for more information on settings:
		13	* - doc/Shaarli-configuration.html
		14	* - https://github.com/shaarli/Shaarli/wiki/Shaarli-configuration
12	*/	15	*/
13	class ConfigManager	16	class ConfigManager
14	{	17	{
@@ -286,81 +289,40 @@ class ConfigManager
286	*/	289	*/
287	protected function setDefaultValues()	290	protected function setDefaultValues()
288	{	291	{
289	// Data subdirectory
290	$this->setEmpty('path.data_dir', 'data');	292	$this->setEmpty('path.data_dir', 'data');
291
292	// Main configuration file
293	$this->setEmpty('path.config', 'data/config.php');	293	$this->setEmpty('path.config', 'data/config.php');
294
295	// Link datastore
296	$this->setEmpty('path.datastore', 'data/datastore.php');	294	$this->setEmpty('path.datastore', 'data/datastore.php');
297
298	// Banned IPs
299	$this->setEmpty('path.ban_file', 'data/ipbans.php');	295	$this->setEmpty('path.ban_file', 'data/ipbans.php');
300
301	// Processed updates file.
302	$this->setEmpty('path.updates', 'data/updates.txt');	296	$this->setEmpty('path.updates', 'data/updates.txt');
303
304	// Access log
305	$this->setEmpty('path.log', 'data/log.txt');	297	$this->setEmpty('path.log', 'data/log.txt');
306
307	// For updates check of Shaarli
308	$this->setEmpty('path.update_check', 'data/lastupdatecheck.txt');	298	$this->setEmpty('path.update_check', 'data/lastupdatecheck.txt');
309
310	// Set ENABLE_UPDATECHECK to disabled by default.
311	$this->setEmpty('general.check_updates', false);
312
313	// RainTPL cache directory (keep the trailing slash!)
314	$this->setEmpty('path.raintpl_tmp', 'tmp/');
315	// Raintpl template directory (keep the trailing slash!)
316	$this->setEmpty('path.raintpl_tpl', 'tpl/');	299	$this->setEmpty('path.raintpl_tpl', 'tpl/');
317		300	$this->setEmpty('path.raintpl_tmp', 'tmp/');
318	// Thumbnail cache directory
319	$this->setEmpty('path.thumbnails_cache', 'cache');	301	$this->setEmpty('path.thumbnails_cache', 'cache');
320
321	// Atom & RSS feed cache directory
322	$this->setEmpty('path.page_cache', 'pagecache');	302	$this->setEmpty('path.page_cache', 'pagecache');
323		303
324	// Ban IP after this many failures
325	$this->setEmpty('security.ban_after', 4);	304	$this->setEmpty('security.ban_after', 4);
326	// Ban duration for IP address after login failures (in seconds)
327	$this->setEmpty('security.ban_after', 1800);	305	$this->setEmpty('security.ban_after', 1800);
		306	$this->setEmpty('security.session_protection_disabled', false);
328		307
329	// Feed options	308	$this->setEmpty('general.check_updates', false);
330	// Enable RSS permalinks by default.
331	// This corresponds to the default behavior of shaarli before this was added as an option.
332	$this->setEmpty('general.rss_permalinks', true);	309	$this->setEmpty('general.rss_permalinks', true);
333	// If true, an extra "ATOM feed" button will be displayed in the toolbar
334	$this->setEmpty('extras.show_atom', false);
335
336	// Link display options
337	$this->setEmpty('extras.hide_public_links', false);
338	$this->setEmpty('extras.hide_timestamps', false);
339	$this->setEmpty('general.links_per_page', 20);	310	$this->setEmpty('general.links_per_page', 20);
340
341	// Private checkbox is checked by default
342	$this->setEmpty('general.default_private_links', false);	311	$this->setEmpty('general.default_private_links', false);
343
344	// Open Shaarli (true): anyone can add/edit/delete links without having to login
345	$this->setEmpty('extras.open_shaarli', false);
346
347	// Thumbnails
348	// Display thumbnails in links
349	$this->setEmpty('general.enable_thumbnails', true);	312	$this->setEmpty('general.enable_thumbnails', true);
350	// Store thumbnails in a local cache
351	$this->setEmpty('general.enable_localcache', true);	313	$this->setEmpty('general.enable_localcache', true);
352
353	// Update check frequency for Shaarli. 86400 seconds=24 hours
354	$this->setEmpty('general.check_updates_branch', 'stable');	314	$this->setEmpty('general.check_updates_branch', 'stable');
355	$this->setEmpty('general.check_updates_interval', 86400);	315	$this->setEmpty('general.check_updates_interval', 86400);
		316	$this->setEmpty('general.header_link', '?');
		317	$this->setEmpty('general.enabled_plugins', array('qrcode'));
356		318
		319	$this->setEmpty('extras.show_atom', false);
		320	$this->setEmpty('extras.hide_public_links', false);
		321	$this->setEmpty('extras.hide_timestamps', false);
		322	$this->setEmpty('extras.open_shaarli', false);
357	$this->setEmpty('extras.redirector', '');	323	$this->setEmpty('extras.redirector', '');
358	$this->setEmpty('extras.redirector_encode_url', true);	324	$this->setEmpty('extras.redirector_encode_url', true);
359		325
360	// Enabled plugins.
361	$this->setEmpty('general.enabled_plugins', array('qrcode'));
362
363	// Initialize plugin parameters array.
364	$this->setEmpty('plugins', array());	326	$this->setEmpty('plugins', array());
365	}	327	}
366		328
@@ -370,7 +332,7 @@ class ConfigManager
370	* @param string $key Setting key.	332	* @param string $key Setting key.
371	* @param mixed $value Setting value.	333	* @param mixed $value Setting value.
372	*/	334	*/
373	protected function setEmpty($key, $value)	335	public function setEmpty($key, $value)
374	{	336	{
375	if (! $this->exists($key)) {	337	if (! $this->exists($key)) {
376	$this->set($key, $value);	338	$this->set($key, $value);


diff --git a/index.php b/index.php index 9546ee15..ac4a680d 100644 --- a/index.php +++ b/index.php
@@ -106,7 +106,8 @@ if (isset($_COOKIE['shaarli']) && !is_session_id_valid($_COOKIE['shaarli'])) {
106	}	106	}
107		107
108	$conf = ConfigManager::getInstance();	108	$conf = ConfigManager::getInstance();
109		109	$conf->setEmpty('general.timezone', date_default_timezone_get());
		110	$conf->setEmpty('general.title', 'Shared links on '. escape(index_url($_SERVER)));
110	RainTPL::$tpl_dir = $conf->get('path.raintpl_tpl'); // template directory	111	RainTPL::$tpl_dir = $conf->get('path.raintpl_tpl'); // template directory
111	RainTPL::$cache_dir = $conf->get('path.raintpl_tmp'); // cache directory	112	RainTPL::$cache_dir = $conf->get('path.raintpl_tmp'); // cache directory
112		113
@@ -132,23 +133,6 @@ header("Cache-Control: no-store, no-cache, must-revalidate");
132	header("Cache-Control: post-check=0, pre-check=0", false);	133	header("Cache-Control: post-check=0, pre-check=0", false);
133	header("Pragma: no-cache");	134	header("Pragma: no-cache");
134		135
135	// Handling of old config file which do not have the new parameters.
136	if (! $conf->exists('general.title')) {
137	$conf->set('general.title', 'Shared links on '. escape(index_url($_SERVER)));
138	}
139	if (! $conf->exists('general.timezone')) {
140	$conf->set('general.timezone', date_default_timezone_get());
141	}
142	if (! $conf->exists('security.session_protection_disabled')) {
143	$conf->set('security.session_protection_disabled', false);
144	}
145	if (! $conf->exists('general.default_private_links')) {
146	$conf->set('general.default_private_links', false);
147	}
148	if (! $conf->exists('general.header_link')) {
149	$conf->set('general.header_link', '?');
150	}
151
152	if (! is_file($conf->getConfigFile())) {	136	if (! is_file($conf->getConfigFile())) {
153	// Ensure Shaarli has proper access to its resources	137	// Ensure Shaarli has proper access to its resources
154	$errors = ApplicationUtils::checkResourcePermissions();	138	$errors = ApplicationUtils::checkResourcePermissions();
@@ -170,11 +154,6 @@ if (! is_file($conf->getConfigFile())) {
170	install();	154	install();
171	}	155	}
172		156
173	// FIXME! Update these value with Updater and escpae it during the install/config save.
174	$conf->set('general.title', escape($conf->get('general.title')));
175	$conf->set('general.header_link', escape($conf->get('general.header_link')));
176	$conf->set('extras.redirector', escape($conf->get('extras.redirector')));
177
178	// a token depending of deployment salt, user password, and the current ip	157	// a token depending of deployment salt, user password, and the current ip
179	define('STAY_SIGNED_IN_TOKEN', sha1($conf->get('credentials.hash') . $_SERVER['REMOTE_ADDR'] . $conf->get('credentials.salt')));	158	define('STAY_SIGNED_IN_TOKEN', sha1($conf->get('credentials.hash') . $_SERVER['REMOTE_ADDR'] . $conf->get('credentials.salt')));
180		159
@@ -1101,9 +1080,9 @@ function renderPage()
1101	$tz = $_POST['continent'] . '/' . $_POST['city'];	1080	$tz = $_POST['continent'] . '/' . $_POST['city'];
1102	}	1081	}
1103	$conf->set('general.timezone', $tz);	1082	$conf->set('general.timezone', $tz);
1104	$conf->set('general.title', $_POST['title']);	1083	$conf->set('general.title', escape($_POST['title']));
1105	$conf->set('general.header_link', $_POST['titleLink']);	1084	$conf->set('general.header_link', escape($_POST['titleLink']));
1106	$conf->set('extras.redirector', $_POST['redirector']);	1085	$conf->set('extras.redirector', escape($_POST['redirector']));
1107	$conf->set('security.session_protection_disabled', !empty($_POST['disablesessionprotection']));	1086	$conf->set('security.session_protection_disabled', !empty($_POST['disablesessionprotection']));
1108	$conf->set('general.default_private_links', !empty($_POST['privateLinkByDefault']));	1087	$conf->set('general.default_private_links', !empty($_POST['privateLinkByDefault']));
1109	$conf->set('general.rss_permalinks', !empty($_POST['enableRssPermalinks']));	1088	$conf->set('general.rss_permalinks', !empty($_POST['enableRssPermalinks']));
@@ -1951,7 +1930,7 @@ function install()
1951	$conf->set('credentials.salt', $salt);	1930	$conf->set('credentials.salt', $salt);
1952	$conf->set('credentials.hash', sha1($_POST['setpassword'] . $login . $salt));	1931	$conf->set('credentials.hash', sha1($_POST['setpassword'] . $login . $salt));
1953	if (!empty($_POST['title'])) {	1932	if (!empty($_POST['title'])) {
1954	$conf->set('general.title', $_POST['title']);	1933	$conf->set('general.title', escape($_POST['title']));
1955	} else {	1934	} else {
1956	$conf->set('general.title', 'Shared links on '.escape(index_url($_SERVER)));	1935	$conf->set('general.title', 'Shared links on '.escape(index_url($_SERVER)));
1957	}	1936	}