1 files changed, 0 insertions, 346 deletions
diff --git a/inc/3rdparty/Session.class.php b/inc/3rdparty/Session.class.php
deleted file mode 100644
index b56e4c54..00000000
--- a/inc/3rdparty/Session.class.php
+++ /dev/null
@@ -1,346 +0,0 @@
-<?php
-/**
- * Session management class
- *
- * http://www.developpez.net/forums/d51943/php/langage/sessions/
- * http://sebsauvage.net/wiki/doku.php?id=php:session
- * http://sebsauvage.net/wiki/doku.php?id=php:shaarli
- * 
- * Features:
- * - Everything is stored on server-side (we do not trust client-side data,
- *   such as cookie expiration)
- * - IP addresses are checked on each access to prevent session cookie hijacking
- *   (such as Firesheep)
- * - Session expires on user inactivity (Session expiration date is
- *   automatically updated everytime the user accesses a page.)
- * - A unique secret key is generated on server-side for this session
- *   (and never sent over the wire) which can be used to sign forms (HMAC)
- *   (See $_SESSION['uid'])
- * - Token management to prevent XSRF attacks
- * - Brute force protection with ban management
- *
- * TODOs
- * - Replace globals with variables in Session class
- *
- * How to use:
- * - http://tontof.net/kriss/php5/session
- */
-class Session
-{
-    // Personnalize PHP session name
-    public static $sessionName = '';
-    // If the user does not access any page within this time,
-    // his/her session is considered expired (3600 sec. = 1 hour)
-    public static $inactivityTimeout = 3600;
-    // Extra timeout for long sessions (if enabled) (82800 sec. = 23 hours)
-    public static $longSessionTimeout = 7776000; // 7776000 = 90 days
-    // If you get disconnected often or if your IP address changes often.
-    // Let you disable session cookie hijacking protection
-    public static $disableSessionProtection = false;
-    // Ban IP after this many failures.
-    public static $banAfter = 4;
-    // Ban duration for IP address after login failures (in seconds).
-    // (1800 sec. = 30 minutes)
-    public static $banDuration = 1800;
-    // File storage for failures and bans. If empty, no ban management.
-    public static $banFile = '';
-    /**
-     * Initialize session
-     */
-    public static function init($longlastingsession = false)
-    {
-        //check if session name is correct
-        if ( (session_id() && !empty(self::$sessionName) && session_name()!=self::$sessionName) || $longlastingsession ) {
-            session_destroy();
-        }
-        // Force cookie path (but do not change lifetime)
-        $cookie = session_get_cookie_params();
-        // Default cookie expiration and path.
-        $cookiedir = '';
-        if (dirname($_SERVER['SCRIPT_NAME'])!='/') {
-            $cookiedir = dirname($_SERVER["SCRIPT_NAME"]).'/';
-        }
-        $ssl = false;
-        if (isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] == "on") {
-            $ssl = true;
-        }
-        if ( $longlastingsession ) {
-            session_set_cookie_params(self::$longSessionTimeout, $cookiedir, null, $ssl, true);
-        }
-        else {
-            session_set_cookie_params(0, $cookiedir, null, $ssl, true);
-        }
-        //set server side valid session timeout
-        //WARNING! this may not work in shared session environment. See http://www.php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime about min value: it can be set in any application
-        ini_set('session.gc_maxlifetime', self::$longSessionTimeout);
-        // Use cookies to store session.
-        ini_set('session.use_cookies', 1);
-        // Force cookies for session  (phpsessionID forbidden in URL)
-        ini_set('session.use_only_cookies', 1);
-        if ( !session_id() ) {
-            // Prevent php to use sessionID in URL if cookies are disabled.
-            ini_set('session.use_trans_sid', false);
-            if (!empty(self::$sessionName)) {
-                session_name(self::$sessionName);
-            }
-            session_start();
-        }
-    }
-    /**
-     * Returns the IP address
-     * (Used to prevent session cookie hijacking.)
-     *
-     * @return string IP addresses
-     */
-    private static function _allIPs()
-    {
-        $ip = $_SERVER["REMOTE_ADDR"];
-        $ip.= isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? '_'.$_SERVER['HTTP_X_FORWARDED_FOR'] : '';
-        $ip.= isset($_SERVER['HTTP_CLIENT_IP']) ? '_'.$_SERVER['HTTP_CLIENT_IP'] : '';
-        return $ip;
-    }
-    /**
-     * Check that user/password is correct and then init some SESSION variables.
-     *
-     * @param string $login        Login reference
-     * @param string $password     Password reference
-     * @param string $loginTest    Login to compare with login reference
-     * @param string $passwordTest Password to compare with password reference
-     * @param array  $pValues      Array of variables to store in SESSION
-     *
-     * @return true|false          True if login and password are correct, false
-     *                             otherwise
-     */
-    public static function login (
-        $login,
-        $password,
-        $loginTest,
-        $passwordTest,
-        $longlastingsession,
-        $pValues = array())
-    {
-        self::banInit();
-        if (self::banCanLogin()) {
-            if ($login === $loginTest && $password === $passwordTest) {
-                self::banLoginOk();
-                self::init($longlastingsession);
-                // Generate unique random number to sign forms (HMAC)
-                $_SESSION['uid'] = sha1(uniqid('', true).'_'.mt_rand());
-                $_SESSION['ip'] = self::_allIPs();
-                $_SESSION['username'] = $login;
-                // Set session expiration.
-                $_SESSION['expires_on'] = time() + self::$inactivityTimeout;
-                if ($longlastingsession) {
-                        $_SESSION['longlastingsession'] = self::$longSessionTimeout;
-                        $_SESSION['expires_on'] += $_SESSION['longlastingsession'];
-                }
-                
-                foreach ($pValues as $key => $value) {
-                    $_SESSION[$key] = $value;
-                }
-                return true;
-            }
-            self::banLoginFailed();
-        }
-        self::init();
-        return false;
-    }
-    /**
-     * Unset SESSION variable to force logout
-     */
-    public static function logout()
-    {
-        // unset($_SESSION['uid'],$_SESSION['ip'],$_SESSION['expires_on'],$_SESSION['tokens'], $_SESSION['login'], $_SESSION['pass'], $_SESSION['longlastingsession'], $_SESSION['poche_user']);
-        
-        // Destruction du cookie (le code peut paraître complexe mais c'est pour être certain de reprendre les mêmes paramètres)
-        $args = array_merge(array(session_name(), ''), array_values(session_get_cookie_params()));
-        $args[2] = time() - 3600;
-        call_user_func_array('setcookie', $args);
-        // Suppression physique de la session
-        session_destroy();
-    }
-    /**
-     * Make sure user is logged in.
-     *
-     * @return true|false True if user is logged in, false otherwise
-     */
-    public static function isLogged()
-    {
-        if (!isset ($_SESSION['uid'])
-            || (self::$disableSessionProtection === false
-                && $_SESSION['ip'] !== self::_allIPs())
-            || time() >= $_SESSION['expires_on']) {
-            //self::logout();
-            return false;
-        }
-        // User accessed a page : Update his/her session expiration date.
-        $_SESSION['expires_on'] = time() + self::$inactivityTimeout;
-        if (!empty($_SESSION['longlastingsession'])) {
-                $_SESSION['expires_on'] += $_SESSION['longlastingsession'];
-        }
-        return true;
-    }
-    /**
-     * Create a token, store it in SESSION and return it
-     *
-     * @param string $salt to prevent birthday attack
-     *
-     * @return string Token created
-     */
-    public static function getToken($salt = '')
-    {
-        if (!isset($_SESSION['tokens'])) {
-            $_SESSION['tokens']=array();
-        }
-        // We generate a random string and store it on the server side.
-        $rnd = sha1(uniqid('', true).'_'.mt_rand().$salt);
-        $_SESSION['tokens'][$rnd]=1;
-        return $rnd;
-    }
-    /**
-     * Tells if a token is ok. Using this function will destroy the token.
-     *
-     * @param string $token Token to test
-     *
-     * @return true|false   True if token is correct, false otherwise
-     */
-    public static function isToken($token)
-    {
-        if (isset($_SESSION['tokens'][$token])) {
-            unset($_SESSION['tokens'][$token]); // Token is used: destroy it.
-            return true; // Token is ok.
-        }
-        return false; // Wrong token, or already used.
-    }
-    /**
-     * Signal a failed login. Will ban the IP if too many failures:
-     */
-    public static function banLoginFailed()
-    {
-        if (self::$banFile !== '') {
-            $ip = $_SERVER["REMOTE_ADDR"];
-            $gb = $GLOBALS['IPBANS'];
-            if (!isset($gb['FAILURES'][$ip])) {
-                $gb['FAILURES'][$ip] = 0;
-            }
-            $gb['FAILURES'][$ip]++;
-            if ($gb['FAILURES'][$ip] > (self::$banAfter - 1)) {
-                $gb['BANS'][$ip]= time() + self::$banDuration;
-            }
-            $GLOBALS['IPBANS'] = $gb;
-            file_put_contents(self::$banFile, "<?php\n\$GLOBALS['IPBANS']=".var_export($gb, true).";\n?>");
-        }
-    }
-    /**
-     * Signals a successful login. Resets failed login counter.
-     */
-    public static function banLoginOk()
-    {
-        if (self::$banFile !== '') {
-            $ip = $_SERVER["REMOTE_ADDR"];
-            $gb = $GLOBALS['IPBANS'];
-            unset($gb['FAILURES'][$ip]); unset($gb['BANS'][$ip]);
-            $GLOBALS['IPBANS'] = $gb;
-            file_put_contents(self::$banFile, "<?php\n\$GLOBALS['IPBANS']=".var_export($gb, true).";\n?>");
-        }
-    }
-    /**
-     * Ban init
-     */
-    public static function banInit()
-    {
-        if (self::$banFile !== '') {
-            if (!is_file(self::$banFile)) {
-                file_put_contents(self::$banFile, "<?php\n\$GLOBALS['IPBANS']=".var_export(array('FAILURES'=>array(), 'BANS'=>array()), true).";\n?>");
-            }
-            include self::$banFile;
-        }
-    }
-    /**
-     * Checks if the user CAN login. If 'true', the user can try to login.
-     *
-     * @return boolean true if user is banned, false otherwise
-     */
-    public static function banCanLogin()
-    {
-        if (self::$banFile !== '') {
-            $ip = $_SERVER["REMOTE_ADDR"];
-            $gb = $GLOBALS['IPBANS'];
-            if (isset($gb['BANS'][$ip])) {
-                // User is banned. Check if the ban has expired:
-                if ($gb['BANS'][$ip] <= time()) {
-                    // Ban expired, user can try to login again.
-                    unset($gb['FAILURES'][$ip]);
-                    unset($gb['BANS'][$ip]);
-                    file_put_contents(self::$banFile, "<?php\n\$GLOBALS['IPBANS']=".var_export($gb, true).";\n?>");
-                    return true; // Ban has expired, user can login.
-                }
-                return false; // User is banned.
-            }
-        }
-        return true; // User is not banned.
-    }
-    /**
-     * Tells if a param exists in session
-     *
-     * @param $name name of the param to test
-     * @return bool
-     */
-    public static function isInSession($name)
-    {
-        return (isset($_SESSION[$name]) ? : FALSE);
-    }
-    /**
-     * Returns param in session
-     *
-     * @param $name name of the param to return
-     * @return mixed param or null
-     */
-    public static function getParam($name)
-    {
-        return (self::isInSession($name) ? $_SESSION[$name] : NULL);
-    }
-    /**
-     * Store value in session
-     *
-     * @param $name     name of the variable to store
-     * @param $value    value to store
-     */
-    public static function setParam($name, $value)
-    {
-        $_SESSION[$name] = $value;
-    }
-}

diff --git a/inc/3rdparty/Session.class.php b/inc/3rdparty/Session.class.php deleted file mode 100644 index b56e4c54..00000000 --- a/inc/3rdparty/Session.class.php +++ /dev/null
@@ -1,346 +0,0 @@
1	<?php
2	/**
3	* Session management class
4	*
5	* http://www.developpez.net/forums/d51943/php/langage/sessions/
6	* http://sebsauvage.net/wiki/doku.php?id=php:session
7	* http://sebsauvage.net/wiki/doku.php?id=php:shaarli
8	*
9	* Features:
10	* - Everything is stored on server-side (we do not trust client-side data,
11	* such as cookie expiration)
12	* - IP addresses are checked on each access to prevent session cookie hijacking
13	* (such as Firesheep)
14	* - Session expires on user inactivity (Session expiration date is
15	* automatically updated everytime the user accesses a page.)
16	* - A unique secret key is generated on server-side for this session
17	* (and never sent over the wire) which can be used to sign forms (HMAC)
18	* (See $_SESSION['uid'])
19	* - Token management to prevent XSRF attacks
20	* - Brute force protection with ban management
21	*
22	* TODOs
23	* - Replace globals with variables in Session class
24	*
25	* How to use:
26	* - http://tontof.net/kriss/php5/session
27	*/
28	class Session
29	{
30	// Personnalize PHP session name
31	public static $sessionName = '';
32	// If the user does not access any page within this time,
33	// his/her session is considered expired (3600 sec. = 1 hour)
34	public static $inactivityTimeout = 3600;
35	// Extra timeout for long sessions (if enabled) (82800 sec. = 23 hours)
36	public static $longSessionTimeout = 7776000; // 7776000 = 90 days
37	// If you get disconnected often or if your IP address changes often.
38	// Let you disable session cookie hijacking protection
39	public static $disableSessionProtection = false;
40	// Ban IP after this many failures.
41	public static $banAfter = 4;
42	// Ban duration for IP address after login failures (in seconds).
43	// (1800 sec. = 30 minutes)
44	public static $banDuration = 1800;
45	// File storage for failures and bans. If empty, no ban management.
46	public static $banFile = '';
47
48	/**
49	* Initialize session
50	*/
51	public static function init($longlastingsession = false)
52	{
53	//check if session name is correct
54	if ( (session_id() && !empty(self::$sessionName) && session_name()!=self::$sessionName) \|\| $longlastingsession ) {
55	session_destroy();
56	}
57
58	// Force cookie path (but do not change lifetime)
59	$cookie = session_get_cookie_params();
60	// Default cookie expiration and path.
61	$cookiedir = '';
62	if (dirname($_SERVER['SCRIPT_NAME'])!='/') {
63	$cookiedir = dirname($_SERVER["SCRIPT_NAME"]).'/';
64	}
65	$ssl = false;
66	if (isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] == "on") {
67	$ssl = true;
68	}
69
70	if ( $longlastingsession ) {
71	session_set_cookie_params(self::$longSessionTimeout, $cookiedir, null, $ssl, true);
72	}
73	else {
74	session_set_cookie_params(0, $cookiedir, null, $ssl, true);
75	}
76	//set server side valid session timeout
77	//WARNING! this may not work in shared session environment. See http://www.php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime about min value: it can be set in any application
78	ini_set('session.gc_maxlifetime', self::$longSessionTimeout);
79
80	// Use cookies to store session.
81	ini_set('session.use_cookies', 1);
82	// Force cookies for session (phpsessionID forbidden in URL)
83	ini_set('session.use_only_cookies', 1);
84	if ( !session_id() ) {
85	// Prevent php to use sessionID in URL if cookies are disabled.
86	ini_set('session.use_trans_sid', false);
87	if (!empty(self::$sessionName)) {
88	session_name(self::$sessionName);
89	}
90	session_start();
91	}
92	}
93
94	/**
95	* Returns the IP address
96	* (Used to prevent session cookie hijacking.)
97	*
98	* @return string IP addresses
99	*/
100	private static function _allIPs()
101	{
102	$ip = $_SERVER["REMOTE_ADDR"];
103	$ip.= isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? '_'.$_SERVER['HTTP_X_FORWARDED_FOR'] : '';
104	$ip.= isset($_SERVER['HTTP_CLIENT_IP']) ? '_'.$_SERVER['HTTP_CLIENT_IP'] : '';
105
106	return $ip;
107	}
108
109	/**
110	* Check that user/password is correct and then init some SESSION variables.
111	*
112	* @param string $login Login reference
113	* @param string $password Password reference
114	* @param string $loginTest Login to compare with login reference
115	* @param string $passwordTest Password to compare with password reference
116	* @param array $pValues Array of variables to store in SESSION
117	*
118	* @return true\|false True if login and password are correct, false
119	* otherwise
120	*/
121	public static function login (
122	$login,
123	$password,
124	$loginTest,
125	$passwordTest,
126	$longlastingsession,
127	$pValues = array())
128	{
129	self::banInit();
130	if (self::banCanLogin()) {
131	if ($login === $loginTest && $password === $passwordTest) {
132	self::banLoginOk();
133
134	self::init($longlastingsession);
135
136	// Generate unique random number to sign forms (HMAC)
137	$_SESSION['uid'] = sha1(uniqid('', true).'_'.mt_rand());
138	$_SESSION['ip'] = self::_allIPs();
139	$_SESSION['username'] = $login;
140	// Set session expiration.
141	$_SESSION['expires_on'] = time() + self::$inactivityTimeout;
142	if ($longlastingsession) {
143	$_SESSION['longlastingsession'] = self::$longSessionTimeout;
144	$_SESSION['expires_on'] += $_SESSION['longlastingsession'];
145	}
146
147	foreach ($pValues as $key => $value) {
148	$_SESSION[$key] = $value;
149	}
150
151	return true;
152	}
153	self::banLoginFailed();
154	}
155
156	self::init();
157	return false;
158	}
159
160	/**
161	* Unset SESSION variable to force logout
162	*/
163	public static function logout()
164	{
165	// unset($_SESSION['uid'],$_SESSION['ip'],$_SESSION['expires_on'],$_SESSION['tokens'], $_SESSION['login'], $_SESSION['pass'], $_SESSION['longlastingsession'], $_SESSION['poche_user']);
166
167	// Destruction du cookie (le code peut paraître complexe mais c'est pour être certain de reprendre les mêmes paramètres)
168	$args = array_merge(array(session_name(), ''), array_values(session_get_cookie_params()));
169	$args[2] = time() - 3600;
170	call_user_func_array('setcookie', $args);
171	// Suppression physique de la session
172	session_destroy();
173	}
174
175	/**
176	* Make sure user is logged in.
177	*
178	* @return true\|false True if user is logged in, false otherwise
179	*/
180	public static function isLogged()
181	{
182	if (!isset ($_SESSION['uid'])
183	\|\| (self::$disableSessionProtection === false
184	&& $_SESSION['ip'] !== self::_allIPs())
185	\|\| time() >= $_SESSION['expires_on']) {
186	//self::logout();
187
188	return false;
189	}
190	// User accessed a page : Update his/her session expiration date.
191	$_SESSION['expires_on'] = time() + self::$inactivityTimeout;
192	if (!empty($_SESSION['longlastingsession'])) {
193	$_SESSION['expires_on'] += $_SESSION['longlastingsession'];
194	}
195
196	return true;
197	}
198
199	/**
200	* Create a token, store it in SESSION and return it
201	*
202	* @param string $salt to prevent birthday attack
203	*
204	* @return string Token created
205	*/
206	public static function getToken($salt = '')
207	{
208	if (!isset($_SESSION['tokens'])) {
209	$_SESSION['tokens']=array();
210	}
211	// We generate a random string and store it on the server side.
212	$rnd = sha1(uniqid('', true).'_'.mt_rand().$salt);
213	$_SESSION['tokens'][$rnd]=1;
214
215	return $rnd;
216	}
217
218	/**
219	* Tells if a token is ok. Using this function will destroy the token.
220	*
221	* @param string $token Token to test
222	*
223	* @return true\|false True if token is correct, false otherwise
224	*/
225	public static function isToken($token)
226	{
227	if (isset($_SESSION['tokens'][$token])) {
228	unset($_SESSION['tokens'][$token]); // Token is used: destroy it.
229
230	return true; // Token is ok.
231	}
232
233	return false; // Wrong token, or already used.
234	}
235
236	/**
237	* Signal a failed login. Will ban the IP if too many failures:
238	*/
239	public static function banLoginFailed()
240	{
241	if (self::$banFile !== '') {
242	$ip = $_SERVER["REMOTE_ADDR"];
243	$gb = $GLOBALS['IPBANS'];
244
245	if (!isset($gb['FAILURES'][$ip])) {
246	$gb['FAILURES'][$ip] = 0;
247	}
248	$gb['FAILURES'][$ip]++;
249	if ($gb['FAILURES'][$ip] > (self::$banAfter - 1)) {
250	$gb['BANS'][$ip]= time() + self::$banDuration;
251	}
252
253	$GLOBALS['IPBANS'] = $gb;
254	file_put_contents(self::$banFile, "<?php\n\$GLOBALS['IPBANS']=".var_export($gb, true).";\n?>");
255	}
256	}
257
258	/**
259	* Signals a successful login. Resets failed login counter.
260	*/
261	public static function banLoginOk()
262	{
263	if (self::$banFile !== '') {
264	$ip = $_SERVER["REMOTE_ADDR"];
265	$gb = $GLOBALS['IPBANS'];
266	unset($gb['FAILURES'][$ip]); unset($gb['BANS'][$ip]);
267	$GLOBALS['IPBANS'] = $gb;
268	file_put_contents(self::$banFile, "<?php\n\$GLOBALS['IPBANS']=".var_export($gb, true).";\n?>");
269	}
270	}
271
272	/**
273	* Ban init
274	*/
275	public static function banInit()
276	{
277	if (self::$banFile !== '') {
278	if (!is_file(self::$banFile)) {
279	file_put_contents(self::$banFile, "<?php\n\$GLOBALS['IPBANS']=".var_export(array('FAILURES'=>array(), 'BANS'=>array()), true).";\n?>");
280	}
281	include self::$banFile;
282	}
283	}
284
285	/**
286	* Checks if the user CAN login. If 'true', the user can try to login.
287	*
288	* @return boolean true if user is banned, false otherwise
289	*/
290	public static function banCanLogin()
291	{
292	if (self::$banFile !== '') {
293	$ip = $_SERVER["REMOTE_ADDR"];
294	$gb = $GLOBALS['IPBANS'];
295	if (isset($gb['BANS'][$ip])) {
296	// User is banned. Check if the ban has expired:
297	if ($gb['BANS'][$ip] <= time()) {
298	// Ban expired, user can try to login again.
299	unset($gb['FAILURES'][$ip]);
300	unset($gb['BANS'][$ip]);
301	file_put_contents(self::$banFile, "<?php\n\$GLOBALS['IPBANS']=".var_export($gb, true).";\n?>");
302
303	return true; // Ban has expired, user can login.
304	}
305
306	return false; // User is banned.
307	}
308	}
309
310	return true; // User is not banned.
311	}
312
313
314	/**
315	* Tells if a param exists in session
316	*
317	* @param $name name of the param to test
318	* @return bool
319	*/
320	public static function isInSession($name)
321	{
322	return (isset($_SESSION[$name]) ? : FALSE);
323	}
324
325	/**
326	* Returns param in session
327	*
328	* @param $name name of the param to return
329	* @return mixed param or null
330	*/
331	public static function getParam($name)
332	{
333	return (self::isInSession($name) ? $_SESSION[$name] : NULL);
334	}
335
336	/**
337	* Store value in session
338	*
339	* @param $name name of the variable to store
340	* @param $value value to store
341	*/
342	public static function setParam($name, $value)
343	{
344	$_SESSION[$name] = $value;
345	}
346	}