diff options
Diffstat (limited to 'index.php')
-rw-r--r-- | index.php | 102 |
1 files changed, 47 insertions, 55 deletions
@@ -48,8 +48,8 @@ if (! file_exists(__DIR__ . '/vendor/autoload.php')) { | |||
48 | ."If you installed Shaarli through Git or using the development branch,\n" | 48 | ."If you installed Shaarli through Git or using the development branch,\n" |
49 | ."please refer to the installation documentation to install PHP" | 49 | ."please refer to the installation documentation to install PHP" |
50 | ." dependencies using Composer:\n" | 50 | ." dependencies using Composer:\n" |
51 | ."- https://github.com/shaarli/Shaarli/wiki/Server-requirements\n" | 51 | ."- https://shaarli.readthedocs.io/en/master/Server-requirements/\n" |
52 | ."- https://github.com/shaarli/Shaarli/wiki/Download-and-Installation"; | 52 | ."- https://shaarli.readthedocs.io/en/master/Download-and-Installation/"; |
53 | exit; | 53 | exit; |
54 | } | 54 | } |
55 | require_once 'inc/rain.tpl.class.php'; | 55 | require_once 'inc/rain.tpl.class.php'; |
@@ -133,15 +133,6 @@ date_default_timezone_set($conf->get('general.timezone', 'UTC')); | |||
133 | 133 | ||
134 | ob_start(); // Output buffering for the page cache. | 134 | ob_start(); // Output buffering for the page cache. |
135 | 135 | ||
136 | // In case stupid admin has left magic_quotes enabled in php.ini: | ||
137 | if (get_magic_quotes_gpc()) | ||
138 | { | ||
139 | function stripslashes_deep($value) { $value = is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value); return $value; } | ||
140 | $_POST = array_map('stripslashes_deep', $_POST); | ||
141 | $_GET = array_map('stripslashes_deep', $_GET); | ||
142 | $_COOKIE = array_map('stripslashes_deep', $_COOKIE); | ||
143 | } | ||
144 | |||
145 | // Prevent caching on client side or proxy: (yes, it's ugly) | 136 | // Prevent caching on client side or proxy: (yes, it's ugly) |
146 | header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT"); | 137 | header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT"); |
147 | header("Cache-Control: no-store, no-cache, must-revalidate"); | 138 | header("Cache-Control: no-store, no-cache, must-revalidate"); |
@@ -186,42 +177,42 @@ if (isset($_SERVER['HTTP_ACCEPT_LANGUAGE'])) { | |||
186 | */ | 177 | */ |
187 | function setup_login_state($conf) | 178 | function setup_login_state($conf) |
188 | { | 179 | { |
189 | if ($conf->get('security.open_shaarli')) { | 180 | if ($conf->get('security.open_shaarli')) { |
190 | return true; | 181 | return true; |
191 | } | 182 | } |
192 | $userIsLoggedIn = false; // By default, we do not consider the user as logged in; | 183 | $userIsLoggedIn = false; // By default, we do not consider the user as logged in; |
193 | $loginFailure = false; // If set to true, every attempt to authenticate the user will fail. This indicates that an important condition isn't met. | 184 | $loginFailure = false; // If set to true, every attempt to authenticate the user will fail. This indicates that an important condition isn't met. |
194 | if (! $conf->exists('credentials.login')) { | 185 | if (! $conf->exists('credentials.login')) { |
195 | $userIsLoggedIn = false; // Shaarli is not configured yet. | 186 | $userIsLoggedIn = false; // Shaarli is not configured yet. |
196 | $loginFailure = true; | 187 | $loginFailure = true; |
197 | } | 188 | } |
198 | if (isset($_COOKIE['shaarli_staySignedIn']) && | 189 | if (isset($_COOKIE['shaarli_staySignedIn']) && |
199 | $_COOKIE['shaarli_staySignedIn']===STAY_SIGNED_IN_TOKEN && | 190 | $_COOKIE['shaarli_staySignedIn']===STAY_SIGNED_IN_TOKEN && |
200 | !$loginFailure) | 191 | !$loginFailure) |
201 | { | 192 | { |
202 | fillSessionInfo($conf); | 193 | fillSessionInfo($conf); |
203 | $userIsLoggedIn = true; | 194 | $userIsLoggedIn = true; |
204 | } | 195 | } |
205 | // If session does not exist on server side, or IP address has changed, or session has expired, logout. | 196 | // If session does not exist on server side, or IP address has changed, or session has expired, logout. |
206 | if (empty($_SESSION['uid']) | 197 | if (empty($_SESSION['uid']) |
207 | || ($conf->get('security.session_protection_disabled') === false && $_SESSION['ip'] != allIPs()) | 198 | || ($conf->get('security.session_protection_disabled') === false && $_SESSION['ip'] != allIPs()) |
208 | || time() >= $_SESSION['expires_on']) | 199 | || time() >= $_SESSION['expires_on']) |
209 | { | 200 | { |
210 | logout(); | 201 | logout(); |
211 | $userIsLoggedIn = false; | 202 | $userIsLoggedIn = false; |
212 | $loginFailure = true; | 203 | $loginFailure = true; |
213 | } | 204 | } |
214 | if (!empty($_SESSION['longlastingsession'])) { | 205 | if (!empty($_SESSION['longlastingsession'])) { |
215 | $_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // In case of "Stay signed in" checked. | 206 | $_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // In case of "Stay signed in" checked. |
216 | } | 207 | } |
217 | else { | 208 | else { |
218 | $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Standard session expiration date. | 209 | $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Standard session expiration date. |
219 | } | 210 | } |
220 | if (!$loginFailure) { | 211 | if (!$loginFailure) { |
221 | $userIsLoggedIn = true; | 212 | $userIsLoggedIn = true; |
222 | } | 213 | } |
223 | 214 | ||
224 | return $userIsLoggedIn; | 215 | return $userIsLoggedIn; |
225 | } | 216 | } |
226 | $userIsLoggedIn = setup_login_state($conf); | 217 | $userIsLoggedIn = setup_login_state($conf); |
227 | 218 | ||
@@ -245,10 +236,10 @@ function allIPs() | |||
245 | */ | 236 | */ |
246 | function fillSessionInfo($conf) | 237 | function fillSessionInfo($conf) |
247 | { | 238 | { |
248 | $_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); // Generate unique random number (different than phpsessionid) | 239 | $_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); // Generate unique random number (different than phpsessionid) |
249 | $_SESSION['ip']=allIPs(); // We store IP address(es) of the client to make sure session is not hijacked. | 240 | $_SESSION['ip']=allIPs(); // We store IP address(es) of the client to make sure session is not hijacked. |
250 | $_SESSION['username']= $conf->get('credentials.login'); | 241 | $_SESSION['username']= $conf->get('credentials.login'); |
251 | $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Set session expiration. | 242 | $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Set session expiration. |
252 | } | 243 | } |
253 | 244 | ||
254 | /** | 245 | /** |
@@ -265,7 +256,7 @@ function check_auth($login, $password, $conf) | |||
265 | $hash = sha1($password . $login . $conf->get('credentials.salt')); | 256 | $hash = sha1($password . $login . $conf->get('credentials.salt')); |
266 | if ($login == $conf->get('credentials.login') && $hash == $conf->get('credentials.hash')) | 257 | if ($login == $conf->get('credentials.login') && $hash == $conf->get('credentials.hash')) |
267 | { // Login/password is correct. | 258 | { // Login/password is correct. |
268 | fillSessionInfo($conf); | 259 | fillSessionInfo($conf); |
269 | logm($conf->get('resource.log'), $_SERVER['REMOTE_ADDR'], 'Login successful'); | 260 | logm($conf->get('resource.log'), $_SERVER['REMOTE_ADDR'], 'Login successful'); |
270 | return true; | 261 | return true; |
271 | } | 262 | } |
@@ -394,9 +385,10 @@ if (isset($_POST['login'])) | |||
394 | // If user wants to keep the session cookie even after the browser closes: | 385 | // If user wants to keep the session cookie even after the browser closes: |
395 | if (!empty($_POST['longlastingsession'])) | 386 | if (!empty($_POST['longlastingsession'])) |
396 | { | 387 | { |
397 | setcookie('shaarli_staySignedIn', STAY_SIGNED_IN_TOKEN, time()+31536000, WEB_PATH); | 388 | $_SESSION['longlastingsession'] = 31536000; // (31536000 seconds = 1 year) |
398 | $_SESSION['longlastingsession']=31536000; // (31536000 seconds = 1 year) | 389 | $expiration = time() + $_SESSION['longlastingsession']; // calculate relative cookie expiration (1 year from now) |
399 | $_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // Set session expiration on server-side. | 390 | setcookie('shaarli_staySignedIn', STAY_SIGNED_IN_TOKEN, $expiration, WEB_PATH); |
391 | $_SESSION['expires_on'] = $expiration; // Set session expiration on server-side. | ||
400 | 392 | ||
401 | $cookiedir = ''; if(dirname($_SERVER['SCRIPT_NAME'])!='/') $cookiedir=dirname($_SERVER["SCRIPT_NAME"]).'/'; | 393 | $cookiedir = ''; if(dirname($_SERVER['SCRIPT_NAME'])!='/') $cookiedir=dirname($_SERVER["SCRIPT_NAME"]).'/'; |
402 | session_set_cookie_params($_SESSION['longlastingsession'],$cookiedir,$_SERVER['SERVER_NAME']); // Set session cookie expiration on client side | 394 | session_set_cookie_params($_SESSION['longlastingsession'],$cookiedir,$_SERVER['SERVER_NAME']); // Set session cookie expiration on client side |
@@ -803,7 +795,7 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history) | |||
803 | $maxcount = max($maxcount, $value); | 795 | $maxcount = max($maxcount, $value); |
804 | } | 796 | } |
805 | 797 | ||
806 | alphabetical_sort($tags, true, true); | 798 | alphabetical_sort($tags, false, true); |
807 | 799 | ||
808 | $tagList = array(); | 800 | $tagList = array(); |
809 | foreach($tags as $key => $value) { | 801 | foreach($tags as $key => $value) { |
@@ -1233,7 +1225,7 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history) | |||
1233 | // Linkdate is kept here to: | 1225 | // Linkdate is kept here to: |
1234 | // - use the same permalink for notes as they're displayed when creating them | 1226 | // - use the same permalink for notes as they're displayed when creating them |
1235 | // - let users hack creation date of their posts | 1227 | // - let users hack creation date of their posts |
1236 | // See: https://github.com/shaarli/Shaarli/wiki/Datastore-hacks#changing-the-timestamp-for-a-link | 1228 | // See: https://shaarli.readthedocs.io/en/master/Various-hacks/#changing-the-timestamp-for-a-shaare |
1237 | $linkdate = escape($_POST['lf_linkdate']); | 1229 | $linkdate = escape($_POST['lf_linkdate']); |
1238 | if (isset($LINKSDB[$id])) { | 1230 | if (isset($LINKSDB[$id])) { |
1239 | // Edit | 1231 | // Edit |