1 files changed, 49 insertions, 54 deletions
diff --git a/index.php b/index.php
index f2f3b93e..e0a7b416 100644
--- a/index.php
+++ b/index.php
@@ -48,8 +48,8 @@ if (! file_exists(__DIR__ . '/vendor/autoload.php')) {
        ."If you installed Shaarli through Git or using the development branch,\n"
        ."please refer to the installation documentation to install PHP"
        ." dependencies using Composer:\n"
-        ."- https://github.com/shaarli/Shaarli/wiki/Server-requirements\n"
+        ."- https://shaarli.readthedocs.io/en/master/Server-requirements/\n"
-        ."- https://github.com/shaarli/Shaarli/wiki/Download-and-Installation";
+        ."- https://shaarli.readthedocs.io/en/master/Download-and-Installation/";
    exit;
 }
 require_once 'inc/rain.tpl.class.php';
@@ -133,15 +133,6 @@ date_default_timezone_set($conf->get('general.timezone', 'UTC'));
 ob_start();  // Output buffering for the page cache.
-// In case stupid admin has left magic_quotes enabled in php.ini:
-if (get_magic_quotes_gpc())
-{
-    function stripslashes_deep($value) { $value = is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value); return $value; }
-    $_POST = array_map('stripslashes_deep', $_POST);
-    $_GET = array_map('stripslashes_deep', $_GET);
-    $_COOKIE = array_map('stripslashes_deep', $_COOKIE);
-}
 // Prevent caching on client side or proxy: (yes, it's ugly)
 header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
 header("Cache-Control: no-store, no-cache, must-revalidate");
@@ -186,42 +177,42 @@ if (isset($_SERVER['HTTP_ACCEPT_LANGUAGE'])) {
 */
 function setup_login_state($conf)
 {
-        if ($conf->get('security.open_shaarli')) {
+    if ($conf->get('security.open_shaarli')) {
-            return true;
+        return true;
-        }
+    }
-        $userIsLoggedIn = false; // By default, we do not consider the user as logged in;
+    $userIsLoggedIn = false; // By default, we do not consider the user as logged in;
-        $loginFailure = false; // If set to true, every attempt to authenticate the user will fail. This indicates that an important condition isn't met.
+    $loginFailure = false; // If set to true, every attempt to authenticate the user will fail. This indicates that an important condition isn't met.
-        if (! $conf->exists('credentials.login')) {
+    if (! $conf->exists('credentials.login')) {
-            $userIsLoggedIn = false;  // Shaarli is not configured yet.
+        $userIsLoggedIn = false;  // Shaarli is not configured yet.
-            $loginFailure = true;
+        $loginFailure = true;
-        }
+    }
-        if (isset($_COOKIE['shaarli_staySignedIn']) &&
+    if (isset($_COOKIE['shaarli_staySignedIn']) &&
-            $_COOKIE['shaarli_staySignedIn']===STAY_SIGNED_IN_TOKEN &&
+        $_COOKIE['shaarli_staySignedIn']===STAY_SIGNED_IN_TOKEN &&
-            !$loginFailure)
+        !$loginFailure)
-        {
+    {
-            fillSessionInfo($conf);
+        fillSessionInfo($conf);
-            $userIsLoggedIn = true;
+        $userIsLoggedIn = true;
-        }
+    }
-        // If session does not exist on server side, or IP address has changed, or session has expired, logout.
+    // If session does not exist on server side, or IP address has changed, or session has expired, logout.
-        if (empty($_SESSION['uid'])
+    if (empty($_SESSION['uid'])
        || ($conf->get('security.session_protection_disabled') === false && $_SESSION['ip'] != allIPs())
        || time() >= $_SESSION['expires_on'])
-        {
+    {
-            logout();
+        logout();
-            $userIsLoggedIn = false;
+        $userIsLoggedIn = false;
-            $loginFailure = true;
+        $loginFailure = true;
-        }
+    }
-        if (!empty($_SESSION['longlastingsession'])) {
+    if (!empty($_SESSION['longlastingsession'])) {
-            $_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // In case of "Stay signed in" checked.
+        $_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // In case of "Stay signed in" checked.
-        }
+    }
-        else {
+    else {
-            $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Standard session expiration date.
+        $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Standard session expiration date.
-        }
+    }
-        if (!$loginFailure) {
+    if (!$loginFailure) {
-            $userIsLoggedIn = true;
+        $userIsLoggedIn = true;
-        }
+    }
-        return $userIsLoggedIn;
+    return $userIsLoggedIn;
 }
 $userIsLoggedIn = setup_login_state($conf);
@@ -245,10 +236,10 @@ function allIPs()
 */
 function fillSessionInfo($conf)
 {
-        $_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); // Generate unique random number (different than phpsessionid)
+    $_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); // Generate unique random number (different than phpsessionid)
-        $_SESSION['ip']=allIPs();                // We store IP address(es) of the client to make sure session is not hijacked.
+    $_SESSION['ip']=allIPs();                // We store IP address(es) of the client to make sure session is not hijacked.
-        $_SESSION['username']= $conf->get('credentials.login');
+    $_SESSION['username']= $conf->get('credentials.login');
-        $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT;  // Set session expiration.
+    $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT;  // Set session expiration.
 }
 /**
@@ -265,7 +256,7 @@ function check_auth($login, $password, $conf)
    $hash = sha1($password . $login . $conf->get('credentials.salt'));
    if ($login == $conf->get('credentials.login') && $hash == $conf->get('credentials.hash'))
    {   // Login/password is correct.
-                fillSessionInfo($conf);
+        fillSessionInfo($conf);
        logm($conf->get('resource.log'), $_SERVER['REMOTE_ADDR'], 'Login successful');
        return true;
    }
@@ -394,9 +385,10 @@ if (isset($_POST['login']))
        // If user wants to keep the session cookie even after the browser closes:
        if (!empty($_POST['longlastingsession']))
        {
-                        setcookie('shaarli_staySignedIn', STAY_SIGNED_IN_TOKEN, time()+31536000, WEB_PATH);
+            $_SESSION['longlastingsession'] = 31536000; // (31536000 seconds = 1 year)
-            $_SESSION['longlastingsession']=31536000;  // (31536000 seconds = 1 year)
+            $expiration = time() + $_SESSION['longlastingsession']; // calculate relative cookie expiration (1 year from now)
-            $_SESSION['expires_on']=time()+$_SESSION['longlastingsession'];  // Set session expiration on server-side.
+            setcookie('shaarli_staySignedIn', STAY_SIGNED_IN_TOKEN, $expiration, WEB_PATH);
+            $_SESSION['expires_on'] = $expiration;  // Set session expiration on server-side.
            $cookiedir = ''; if(dirname($_SERVER['SCRIPT_NAME'])!='/') $cookiedir=dirname($_SERVER["SCRIPT_NAME"]).'/';
            session_set_cookie_params($_SESSION['longlastingsession'],$cookiedir,$_SERVER['SERVER_NAME']); // Set session cookie expiration on client side
@@ -1235,7 +1227,7 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history)
        // Linkdate is kept here to:
        //   - use the same permalink for notes as they're displayed when creating them
        //   - let users hack creation date of their posts
-        //     See: https://github.com/shaarli/Shaarli/wiki/Datastore-hacks#changing-the-timestamp-for-a-link
+        //     See: https://shaarli.readthedocs.io/en/master/Various-hacks/#changing-the-timestamp-for-a-shaare
        $linkdate = escape($_POST['lf_linkdate']);
        if (isset($LINKSDB[$id])) {
            // Edit
@@ -1258,6 +1250,9 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history)
        // Remove duplicates.
        $tags = implode(' ', array_unique(explode(' ', $tags)));
+        if (empty(trim($_POST['lf_url']))) {
+            $_POST['lf_url'] = '?' . smallHash($linkdate . $id);
+        }
        $url = whitelist_protocols(trim($_POST['lf_url']), $conf->get('security.allowed_protocols'));
        $link = array(

diff --git a/index.php b/index.php index f2f3b93e..e0a7b416 100644 --- a/index.php +++ b/index.php
@@ -48,8 +48,8 @@ if (! file_exists(__DIR__ . '/vendor/autoload.php')) {
48	."If you installed Shaarli through Git or using the development branch,\n"	48	."If you installed Shaarli through Git or using the development branch,\n"
49	."please refer to the installation documentation to install PHP"	49	."please refer to the installation documentation to install PHP"
50	." dependencies using Composer:\n"	50	." dependencies using Composer:\n"
51	."- https://github.com/shaarli/Shaarli/wiki/Server-requirements\n"	51	."- https://shaarli.readthedocs.io/en/master/Server-requirements/\n"
52	."- https://github.com/shaarli/Shaarli/wiki/Download-and-Installation";	52	."- https://shaarli.readthedocs.io/en/master/Download-and-Installation/";
53	exit;	53	exit;
54	}	54	}
55	require_once 'inc/rain.tpl.class.php';	55	require_once 'inc/rain.tpl.class.php';
@@ -133,15 +133,6 @@ date_default_timezone_set($conf->get('general.timezone', 'UTC'));
133		133
134	ob_start(); // Output buffering for the page cache.	134	ob_start(); // Output buffering for the page cache.
135		135
136	// In case stupid admin has left magic_quotes enabled in php.ini:
137	if (get_magic_quotes_gpc())
138	{
139	function stripslashes_deep($value) { $value = is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value); return $value; }
140	$_POST = array_map('stripslashes_deep', $_POST);
141	$_GET = array_map('stripslashes_deep', $_GET);
142	$_COOKIE = array_map('stripslashes_deep', $_COOKIE);
143	}
144
145	// Prevent caching on client side or proxy: (yes, it's ugly)	136	// Prevent caching on client side or proxy: (yes, it's ugly)
146	header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");	137	header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
147	header("Cache-Control: no-store, no-cache, must-revalidate");	138	header("Cache-Control: no-store, no-cache, must-revalidate");
@@ -186,42 +177,42 @@ if (isset($_SERVER['HTTP_ACCEPT_LANGUAGE'])) {
186	*/	177	*/
187	function setup_login_state($conf)	178	function setup_login_state($conf)
188	{	179	{
189	if ($conf->get('security.open_shaarli')) {	180	if ($conf->get('security.open_shaarli')) {
190	return true;	181	return true;
191	}	182	}
192	$userIsLoggedIn = false; // By default, we do not consider the user as logged in;	183	$userIsLoggedIn = false; // By default, we do not consider the user as logged in;
193	$loginFailure = false; // If set to true, every attempt to authenticate the user will fail. This indicates that an important condition isn't met.	184	$loginFailure = false; // If set to true, every attempt to authenticate the user will fail. This indicates that an important condition isn't met.
194	if (! $conf->exists('credentials.login')) {	185	if (! $conf->exists('credentials.login')) {
195	$userIsLoggedIn = false; // Shaarli is not configured yet.	186	$userIsLoggedIn = false; // Shaarli is not configured yet.
196	$loginFailure = true;	187	$loginFailure = true;
197	}	188	}
198	if (isset($_COOKIE['shaarli_staySignedIn']) &&	189	if (isset($_COOKIE['shaarli_staySignedIn']) &&
199	$_COOKIE['shaarli_staySignedIn']===STAY_SIGNED_IN_TOKEN &&	190	$_COOKIE['shaarli_staySignedIn']===STAY_SIGNED_IN_TOKEN &&
200	!$loginFailure)	191	!$loginFailure)
201	{	192	{
202	fillSessionInfo($conf);	193	fillSessionInfo($conf);
203	$userIsLoggedIn = true;	194	$userIsLoggedIn = true;
204	}	195	}
205	// If session does not exist on server side, or IP address has changed, or session has expired, logout.	196	// If session does not exist on server side, or IP address has changed, or session has expired, logout.
206	if (empty($_SESSION['uid'])	197	if (empty($_SESSION['uid'])
207	\|\| ($conf->get('security.session_protection_disabled') === false && $_SESSION['ip'] != allIPs())	198	\|\| ($conf->get('security.session_protection_disabled') === false && $_SESSION['ip'] != allIPs())
208	\|\| time() >= $_SESSION['expires_on'])	199	\|\| time() >= $_SESSION['expires_on'])
209	{	200	{
210	logout();	201	logout();
211	$userIsLoggedIn = false;	202	$userIsLoggedIn = false;
212	$loginFailure = true;	203	$loginFailure = true;
213	}	204	}
214	if (!empty($_SESSION['longlastingsession'])) {	205	if (!empty($_SESSION['longlastingsession'])) {
215	$_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // In case of "Stay signed in" checked.	206	$_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // In case of "Stay signed in" checked.
216	}	207	}
217	else {	208	else {
218	$_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Standard session expiration date.	209	$_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Standard session expiration date.
219	}	210	}
220	if (!$loginFailure) {	211	if (!$loginFailure) {
221	$userIsLoggedIn = true;	212	$userIsLoggedIn = true;
222	}	213	}
223		214
224	return $userIsLoggedIn;	215	return $userIsLoggedIn;
225	}	216	}
226	$userIsLoggedIn = setup_login_state($conf);	217	$userIsLoggedIn = setup_login_state($conf);
227		218
@@ -245,10 +236,10 @@ function allIPs()
245	*/	236	*/
246	function fillSessionInfo($conf)	237	function fillSessionInfo($conf)
247	{	238	{
248	$_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); // Generate unique random number (different than phpsessionid)	239	$_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); // Generate unique random number (different than phpsessionid)
249	$_SESSION['ip']=allIPs(); // We store IP address(es) of the client to make sure session is not hijacked.	240	$_SESSION['ip']=allIPs(); // We store IP address(es) of the client to make sure session is not hijacked.
250	$_SESSION['username']= $conf->get('credentials.login');	241	$_SESSION['username']= $conf->get('credentials.login');
251	$_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Set session expiration.	242	$_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Set session expiration.
252	}	243	}
253		244
254	/**	245	/**
@@ -265,7 +256,7 @@ function check_auth($login, $password, $conf)
265	$hash = sha1($password . $login . $conf->get('credentials.salt'));	256	$hash = sha1($password . $login . $conf->get('credentials.salt'));
266	if ($login == $conf->get('credentials.login') && $hash == $conf->get('credentials.hash'))	257	if ($login == $conf->get('credentials.login') && $hash == $conf->get('credentials.hash'))
267	{ // Login/password is correct.	258	{ // Login/password is correct.
268	fillSessionInfo($conf);	259	fillSessionInfo($conf);
269	logm($conf->get('resource.log'), $_SERVER['REMOTE_ADDR'], 'Login successful');	260	logm($conf->get('resource.log'), $_SERVER['REMOTE_ADDR'], 'Login successful');
270	return true;	261	return true;
271	}	262	}
@@ -394,9 +385,10 @@ if (isset($_POST['login']))
394	// If user wants to keep the session cookie even after the browser closes:	385	// If user wants to keep the session cookie even after the browser closes:
395	if (!empty($_POST['longlastingsession']))	386	if (!empty($_POST['longlastingsession']))
396	{	387	{
397	setcookie('shaarli_staySignedIn', STAY_SIGNED_IN_TOKEN, time()+31536000, WEB_PATH);	388	$_SESSION['longlastingsession'] = 31536000; // (31536000 seconds = 1 year)
398	$_SESSION['longlastingsession']=31536000; // (31536000 seconds = 1 year)	389	$expiration = time() + $_SESSION['longlastingsession']; // calculate relative cookie expiration (1 year from now)
399	$_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // Set session expiration on server-side.	390	setcookie('shaarli_staySignedIn', STAY_SIGNED_IN_TOKEN, $expiration, WEB_PATH);
		391	$_SESSION['expires_on'] = $expiration; // Set session expiration on server-side.
400		392
401	$cookiedir = ''; if(dirname($_SERVER['SCRIPT_NAME'])!='/') $cookiedir=dirname($_SERVER["SCRIPT_NAME"]).'/';	393	$cookiedir = ''; if(dirname($_SERVER['SCRIPT_NAME'])!='/') $cookiedir=dirname($_SERVER["SCRIPT_NAME"]).'/';
402	session_set_cookie_params($_SESSION['longlastingsession'],$cookiedir,$_SERVER['SERVER_NAME']); // Set session cookie expiration on client side	394	session_set_cookie_params($_SESSION['longlastingsession'],$cookiedir,$_SERVER['SERVER_NAME']); // Set session cookie expiration on client side
@@ -1235,7 +1227,7 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history)
1235	// Linkdate is kept here to:	1227	// Linkdate is kept here to:
1236	// - use the same permalink for notes as they're displayed when creating them	1228	// - use the same permalink for notes as they're displayed when creating them
1237	// - let users hack creation date of their posts	1229	// - let users hack creation date of their posts
1238	// See: https://github.com/shaarli/Shaarli/wiki/Datastore-hacks#changing-the-timestamp-for-a-link	1230	// See: https://shaarli.readthedocs.io/en/master/Various-hacks/#changing-the-timestamp-for-a-shaare
1239	$linkdate = escape($_POST['lf_linkdate']);	1231	$linkdate = escape($_POST['lf_linkdate']);
1240	if (isset($LINKSDB[$id])) {	1232	if (isset($LINKSDB[$id])) {
1241	// Edit	1233	// Edit
@@ -1258,6 +1250,9 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history)
1258	// Remove duplicates.	1250	// Remove duplicates.
1259	$tags = implode(' ', array_unique(explode(' ', $tags)));	1251	$tags = implode(' ', array_unique(explode(' ', $tags)));
1260		1252
		1253	if (empty(trim($_POST['lf_url']))) {
		1254	$_POST['lf_url'] = '?' . smallHash($linkdate . $id);
		1255	}
1261	$url = whitelist_protocols(trim($_POST['lf_url']), $conf->get('security.allowed_protocols'));	1256	$url = whitelist_protocols(trim($_POST['lf_url']), $conf->get('security.allowed_protocols'));
1262		1257
1263	$link = array(	1258	$link = array(