10 files changed, 263 insertions, 111 deletions
diff --git a/inc/3rdparty/FlattrItem.class.php b/inc/3rdparty/FlattrItem.class.php
new file mode 100644
index 00000000..c940fcd6
--- /dev/null
+++ b/inc/3rdparty/FlattrItem.class.php
@@ -0,0 +1,49 @@
+<?php
+/* 
+* Class for Flattr querying
+*/
+class FlattrItem {
+    public $status;
+    public $urltoflattr;
+    public $flattrItemURL;
+    public $numflattrs;
+    public function checkItem($urltoflattr) {
+        $this->cacheflattrfile($urltoflattr);
+        $flattrResponse = file_get_contents(CACHE . "/flattr/".base64_encode($urltoflattr).".cache");
+        if($flattrResponse != FALSE) {
+            $result = json_decode($flattrResponse);
+            if (isset($result->message)){
+                if ($result->message == "flattrable") {
+                    $this->status = FLATTRABLE;
+                }
+            } 
+            elseif ($result->link) {
+                $this->status = FLATTRED;
+                $this->flattrItemURL = $result->link;
+                $this->numflattrs = $result->flattrs;
+            }
+            else {
+                $this->status = NOT_FLATTRABLE;
+            }
+        }
+        else {
+            $this->status = "FLATTR_ERR_CONNECTION";
+        }
+    }
+    private function cacheflattrfile($urltoflattr) {
+        if (!is_dir(CACHE . '/flattr')) {
+            mkdir(CACHE . '/flattr', 0777);
+        }
+        // if a cache flattr file for this url already exists and it's been less than one day than it have been updated, see in /cache
+        if ((!file_exists(CACHE . "/flattr/".base64_encode($urltoflattr).".cache")) || (time() - filemtime(CACHE . "/flattr/".base64_encode($urltoflattr).".cache") > 86400)) {
+            $askForFlattr = Tools::getFile(FLATTR_API . $urltoflattr);
+            $flattrCacheFile = fopen(CACHE . "/flattr/".base64_encode($urltoflattr).".cache", 'w+');
+            fwrite($flattrCacheFile, $askForFlattr);
+            fclose($flattrCacheFile);
+        }
+    }
+}
+\ No newline at end of file
diff --git a/inc/3rdparty/Session.class.php b/inc/3rdparty/Session.class.php
index 3162f507..df913a06 100644
--- a/inc/3rdparty/Session.class.php
+++ b/inc/3rdparty/Session.class.php
@@ -1,136 +1,279 @@
 <?php
 /**
 * Session management class
+ *
 * http://www.developpez.net/forums/d51943/php/langage/sessions/
 * http://sebsauvage.net/wiki/doku.php?id=php:session
 * http://sebsauvage.net/wiki/doku.php?id=php:shaarli
- *
+ * 
 * Features:
 * - Everything is stored on server-side (we do not trust client-side data,
 *   such as cookie expiration)
- * - IP addresses + user agent are checked on each access to prevent session
+ * - IP addresses are checked on each access to prevent session cookie hijacking
- *   cookie hijacking (such as Firesheep)
+ *   (such as Firesheep)
 * - Session expires on user inactivity (Session expiration date is
 *   automatically updated everytime the user accesses a page.)
 * - A unique secret key is generated on server-side for this session
- *   (and never sent over the wire) which can be used
+ *   (and never sent over the wire) which can be used to sign forms (HMAC)
- *   to sign forms (HMAC) (See $_SESSION['uid'] )
+ *   (See $_SESSION['uid'])
- * - Token management to prevent XSRF attacks.
+ * - Token management to prevent XSRF attacks
+ * - Brute force protection with ban management
 *
- * TODO:
+ * TODOs
- * - log login fail
+ * - Replace globals with variables in Session class
- * - prevent brute force (ban IP)
 *
- * HOWTOUSE:
+ * How to use:
- * - Just call Session::init(); to initialize session and
+ * - http://tontof.net/kriss/php5/session
- *   check if connected with Session::isLogged()
 */
 class Session
 {
+    // Personnalize PHP session name
+    public static $sessionName = '';
    // If the user does not access any page within this time,
-    // his/her session is considered expired (in seconds).
+    // his/her session is considered expired (3600 sec. = 1 hour)
-    public static $inactivity_timeout = 3600;
+    public static $inactivityTimeout = 3600;
-    private static $_instance;
+    // If you get disconnected often or if your IP address changes often.
+    // Let you disable session cookie hijacking protection
+    public static $disableSessionProtection = false;
+    // Ban IP after this many failures.
+    public static $banAfter = 4;
+    // Ban duration for IP address after login failures (in seconds).
+    // (1800 sec. = 30 minutes)
+    public static $banDuration = 1800;
+    // File storage for failures and bans. If empty, no ban management.
+    public static $banFile = '';
-    // constructor
+    /**
-    private function __construct()
+     * Initialize session
+     */
+    public static function init()
    {
+        // Force cookie path (but do not change lifetime)
+        $cookie = session_get_cookie_params();
+        // Default cookie expiration and path.
+        $cookiedir = '';
+        if (dirname($_SERVER['SCRIPT_NAME'])!='/') {
+            $cookiedir = dirname($_SERVER["SCRIPT_NAME"]).'/';
+        }
+        $ssl = false;
+        if (isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] == "on") {
+            $ssl = true;
+        }
+        session_set_cookie_params($cookie['lifetime'], $cookiedir, $_SERVER['HTTP_HOST'], $ssl);
        // Use cookies to store session.
        ini_set('session.use_cookies', 1);
        // Force cookies for session  (phpsessionID forbidden in URL)
        ini_set('session.use_only_cookies', 1);
-        if (!session_id()){
+        if (!session_id()) {
            // Prevent php to use sessionID in URL if cookies are disabled.
            ini_set('session.use_trans_sid', false);
-            session_start('poche');
+            if (!empty(self::$sessionName)) {
+                session_name(self::$sessionName);
+            }
+            session_start();
        }
    }
-    // initialize session
+    /**
-    public static function init()
+     * Returns the IP address
+     * (Used to prevent session cookie hijacking.)
+     *
+     * @return string IP addresses
+     */
+    private static function _allIPs()
    {
-        if (!isset(self::$_instance)) {
+        $ip = $_SERVER["REMOTE_ADDR"];
-            self::$_instance = new Session();
+        $ip.= isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? '_'.$_SERVER['HTTP_X_FORWARDED_FOR'] : '';
-        }
+        $ip.= isset($_SERVER['HTTP_CLIENT_IP']) ? '_'.$_SERVER['HTTP_CLIENT_IP'] : '';
-    }
-    // Returns the IP address, user agent and language of the client
+        return $ip;
-    // (Used to prevent session cookie hijacking.)
-    private static function _allInfos()
-    {
-        $infos = $_SERVER["REMOTE_ADDR"];
-        if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
-            $infos.=$_SERVER['HTTP_X_FORWARDED_FOR'];
-        }
-        if (isset($_SERVER['HTTP_CLIENT_IP'])) {
-            $infos.='_'.$_SERVER['HTTP_CLIENT_IP'];
-        }
-        $infos.='_'.$_SERVER['HTTP_USER_AGENT'];
-        $infos.='_'.$_SERVER['HTTP_ACCEPT_LANGUAGE'];
-        return sha1($infos);
    }
-    // Check that user/password is correct and init some SESSION variables.
+    /**
-    public static function login($login,$password,$login_test,$password_test,
+     * Check that user/password is correct and then init some SESSION variables.
-                                 $pValues = array())
+     *
+     * @param string $login        Login reference
+     * @param string $password     Password reference
+     * @param string $loginTest    Login to compare with login reference
+     * @param string $passwordTest Password to compare with password reference
+     * @param array  $pValues      Array of variables to store in SESSION
+     *
+     * @return true|false          True if login and password are correct, false
+     *                             otherwise
+     */
+    public static function login (
+        $login,
+        $password,
+        $loginTest,
+        $passwordTest,
+        $pValues = array())
    {
-        foreach ($pValues as $key => $value) {
+        self::banInit();
-            $_SESSION[$key] = $value;
+        if (self::banCanLogin()) {
-        }
+            if ($login === $loginTest && $password === $passwordTest) {
-        if ($login==$login_test && $password==$password_test){
+                self::banLoginOk();
-            // generate unique random number to sign forms (HMAC)
+                // Generate unique random number to sign forms (HMAC)
-            $_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand());
+                $_SESSION['uid'] = sha1(uniqid('', true).'_'.mt_rand());
-            $_SESSION['info']=Session::_allInfos();
+                $_SESSION['ip'] = self::_allIPs();
-            $_SESSION['username']=$login;
+                $_SESSION['username'] = $login;
-            // Set session expiration.
+                // Set session expiration.
-            $_SESSION['expires_on']=time()+Session::$inactivity_timeout;
+                $_SESSION['expires_on'] = time() + self::$inactivityTimeout;
-            return true;
+                foreach ($pValues as $key => $value) {
+                    $_SESSION[$key] = $value;
+                }
+                return true;
+            }
+            self::banLoginFailed();
        }
        return false;
    }
-    // Force logout
+    /**
+     * Unset SESSION variable to force logout
+     */
    public static function logout()
    {
-        unset($_SESSION['uid'],$_SESSION['info'],$_SESSION['expires_on'],$_SESSION['tokens'], $_SESSION['login'], $_SESSION['pass'], $_SESSION['poche_user']);
+        unset($_SESSION['uid'],$_SESSION['ip'],$_SESSION['expires_on'],$_SESSION['tokens'], $_SESSION['login'], $_SESSION['pass'], $_SESSION['poche_user']);
    }
-    // Make sure user is logged in.
+    /**
+     * Make sure user is logged in.
+     *
+     * @return true|false True if user is logged in, false otherwise
+     */
    public static function isLogged()
    {
        if (!isset ($_SESSION['uid'])
-            || $_SESSION['info']!=Session::_allInfos()
+            || (self::$disableSessionProtection === false
-            || time()>=$_SESSION['expires_on']){
+                && $_SESSION['ip'] !== self::_allIPs())
-            Session::logout();
+            || time() >= $_SESSION['expires_on']) {
+            self::logout();
            return false;
        }
        // User accessed a page : Update his/her session expiration date.
-        $_SESSION['expires_on']=time()+Session::$inactivity_timeout;
+        $_SESSION['expires_on'] = time() + self::$inactivityTimeout;
+        if (!empty($_SESSION['longlastingsession'])) {
+                $_SESSION['expires_on'] += $_SESSION['longlastingsession'];
+        }
        return true;
    }
-    // Returns a token.
+    /**
-    public static function getToken()
+     * Create a token, store it in SESSION and return it
+     *
+     * @param string $salt to prevent birthday attack
+     *
+     * @return string Token created
+     */
+    public static function getToken($salt = '')
    {
-        if (!isset($_SESSION['tokens'])){
+        if (!isset($_SESSION['tokens'])) {
            $_SESSION['tokens']=array();
        }
        // We generate a random string and store it on the server side.
-        $rnd = sha1(uniqid('',true).'_'.mt_rand());
+        $rnd = sha1(uniqid('', true).'_'.mt_rand().$salt);
        $_SESSION['tokens'][$rnd]=1;
        return $rnd;
    }
-    // Tells if a token is ok. Using this function will destroy the token.
+    /**
-    // return true if token is ok.
+     * Tells if a token is ok. Using this function will destroy the token.
+     *
+     * @param string $token Token to test
+     *
+     * @return true|false   True if token is correct, false otherwise
+     */
    public static function isToken($token)
    {
-        if (isset($_SESSION['tokens'][$token]))
+        if (isset($_SESSION['tokens'][$token])) {
-        {
            unset($_SESSION['tokens'][$token]); // Token is used: destroy it.
            return true; // Token is ok.
        }
        return false; // Wrong token, or already used.
    }
-}
-\ No newline at end of file
+    /**
+     * Signal a failed login. Will ban the IP if too many failures:
+     */
+    public static function banLoginFailed()
+    {
+        if (self::$banFile !== '') {
+            $ip = $_SERVER["REMOTE_ADDR"];
+            $gb = $GLOBALS['IPBANS'];
+            if (!isset($gb['FAILURES'][$ip])) {
+                $gb['FAILURES'][$ip] = 0;
+            }
+            $gb['FAILURES'][$ip]++;
+            if ($gb['FAILURES'][$ip] > (self::$banAfter - 1)) {
+                $gb['BANS'][$ip]= time() + self::$banDuration;
+            }
+            $GLOBALS['IPBANS'] = $gb;
+            file_put_contents(self::$banFile, "<?php\n\$GLOBALS['IPBANS']=".var_export($gb, true).";\n?>");
+        }
+    }
+    /**
+     * Signals a successful login. Resets failed login counter.
+     */
+    public static function banLoginOk()
+    {
+        if (self::$banFile !== '') {
+            $ip = $_SERVER["REMOTE_ADDR"];
+            $gb = $GLOBALS['IPBANS'];
+            unset($gb['FAILURES'][$ip]); unset($gb['BANS'][$ip]);
+            $GLOBALS['IPBANS'] = $gb;
+            file_put_contents(self::$banFile, "<?php\n\$GLOBALS['IPBANS']=".var_export($gb, true).";\n?>");
+        }
+    }
+    /**
+     * Ban init
+     */
+    public static function banInit()
+    {
+        if (self::$banFile !== '') {
+            if (!is_file(self::$banFile)) {
+                file_put_contents(self::$banFile, "<?php\n\$GLOBALS['IPBANS']=".var_export(array('FAILURES'=>array(), 'BANS'=>array()), true).";\n?>");
+            }
+            include self::$banFile;
+        }
+    }
+    /**
+     * Checks if the user CAN login. If 'true', the user can try to login.
+     *
+     * @return boolean true if user is banned, false otherwise
+     */
+    public static function banCanLogin()
+    {
+        if (self::$banFile !== '') {
+            $ip = $_SERVER["REMOTE_ADDR"];
+            $gb = $GLOBALS['IPBANS'];
+            if (isset($gb['BANS'][$ip])) {
+                // User is banned. Check if the ban has expired:
+                if ($gb['BANS'][$ip] <= time()) {
+                    // Ban expired, user can try to login again.
+                    unset($gb['FAILURES'][$ip]);
+                    unset($gb['BANS'][$ip]);
+                    file_put_contents(self::$banFile, "<?php\n\$GLOBALS['IPBANS']=".var_export($gb, true).";\n?>");
+                    return true; // Ban has expired, user can login.
+                }
+                return false; // User is banned.
+            }
+        }
+        return true; // User is not banned.
+    }
+}
diff --git a/inc/3rdparty/class.messages.php b/inc/3rdparty/class.messages.php
index e60bd3a1..e60bd3a1 100755..100644
--- a/inc/3rdparty/class.messages.php
+++ b/inc/3rdparty/class.messages.php
diff --git a/inc/3rdparty/content-extractor/ContentExtractor.php b/inc/3rdparty/content-extractor/ContentExtractor.php
index db371c6a..26878392 100644
--- a/inc/3rdparty/content-extractor/ContentExtractor.php
+++ b/inc/3rdparty/content-extractor/ContentExtractor.php
@@ -138,7 +138,7 @@ class ContentExtractor
                }
                
                // load and parse html
-                $this->readability = new Readability($html, $url);              
+                $this->readability = new PocheReadability($html, $url);         
                
                // we use xpath to find elements in the given HTML document
                // see http://en.wikipedia.org/wiki/XPath_1.0
diff --git a/inc/3rdparty/site_config/README.txt b/inc/3rdparty/site_config/README.txt
deleted file mode 100644
index 0aff456b..00000000
--- a/inc/3rdparty/site_config/README.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Full-Text RSS Site Patterns
---------------------------
-Site patterns allow you to specify what should be extracted from specific sites.
-Please see http://help.fivefilters.org/customer/portal/articles/223153-site-patterns for more information.
-\ No newline at end of file
diff --git a/inc/3rdparty/site_config/custom/inthepoche.com.txt b/inc/3rdparty/site_config/custom/inthepoche.com.txt
deleted file mode 100644
index ede74b97..00000000
--- a/inc/3rdparty/site_config/custom/inthepoche.com.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-title: //title
-body: //div[@class='post-content']
-prune: no
-tidy: no
-test_url: http://www.inthepoche.com/?post/poche-hosting
-\ No newline at end of file
diff --git a/inc/3rdparty/site_config/index.php b/inc/3rdparty/site_config/index.php
deleted file mode 100644
index a3d5f739..00000000
--- a/inc/3rdparty/site_config/index.php
+++ /dev/null
@@ -1,3 +0,0 @@
-<?php
-// this is here to prevent directory listing over the web
-?>
-\ No newline at end of file
diff --git a/inc/3rdparty/site_config/standard/.wikipedia.org.txt b/inc/3rdparty/site_config/standard/.wikipedia.org.txt
deleted file mode 100644
index 8b98ae4b..00000000
--- a/inc/3rdparty/site_config/standard/.wikipedia.org.txt
+++ /dev/null
@@ -1,19 +0,0 @@
-title: //h1[@id='firstHeading']
-body: //div[@id = 'bodyContent']
-strip_id_or_class: editsection
-#strip_id_or_class: toc
-strip_id_or_class: vertical-navbox
-strip: //table[@id='toc']
-strip: //div[@id='catlinks']
-strip: //div[@id='jump-to-nav']
-strip: //div[@class='thumbcaption']//div[@class='magnify']
-strip: //table[@class='navbox']
-strip: //table[contains(@class, 'infobox')]
-strip: //div[@class='dablink']
-strip: //div[@id='contentSub']
-strip: //table[contains(@class, 'metadata')]
-strip: //*[contains(@class, 'noprint')]
-strip: //span[@title='pronunciation:']
-prune: no
-tidy: no
-test_url: http://en.wikipedia.org/wiki/Christopher_Lloyd
-\ No newline at end of file
diff --git a/inc/3rdparty/site_config/standard/index.php b/inc/3rdparty/site_config/standard/index.php
deleted file mode 100644
index a3d5f739..00000000
--- a/inc/3rdparty/site_config/standard/index.php
+++ /dev/null
@@ -1,3 +0,0 @@
-<?php
-// this is here to prevent directory listing over the web
-?>
-\ No newline at end of file
diff --git a/inc/3rdparty/site_config/standard/version.php b/inc/3rdparty/site_config/standard/version.php
deleted file mode 100644
index e61807ed..00000000
--- a/inc/3rdparty/site_config/standard/version.php
+++ /dev/null
@@ -1,2 +0,0 @@
-<?php 
-return 1;
-\ No newline at end of file

diff --git a/inc/3rdparty/FlattrItem.class.php b/inc/3rdparty/FlattrItem.class.php new file mode 100644 index 00000000..c940fcd6 --- /dev/null +++ b/inc/3rdparty/FlattrItem.class.php
@@ -0,0 +1,49 @@
		1	<?php
		2	/*
		3	* Class for Flattr querying
		4	*/
		5	class FlattrItem {
		6
		7	public $status;
		8	public $urltoflattr;
		9	public $flattrItemURL;
		10	public $numflattrs;
		11
		12	public function checkItem($urltoflattr) {
		13	$this->cacheflattrfile($urltoflattr);
		14	$flattrResponse = file_get_contents(CACHE . "/flattr/".base64_encode($urltoflattr).".cache");
		15	if($flattrResponse != FALSE) {
		16	$result = json_decode($flattrResponse);
		17	if (isset($result->message)){
		18	if ($result->message == "flattrable") {
		19	$this->status = FLATTRABLE;
		20	}
		21	}
		22	elseif ($result->link) {
		23	$this->status = FLATTRED;
		24	$this->flattrItemURL = $result->link;
		25	$this->numflattrs = $result->flattrs;
		26	}
		27	else {
		28	$this->status = NOT_FLATTRABLE;
		29	}
		30	}
		31	else {
		32	$this->status = "FLATTR_ERR_CONNECTION";
		33	}
		34	}
		35
		36	private function cacheflattrfile($urltoflattr) {
		37	if (!is_dir(CACHE . '/flattr')) {
		38	mkdir(CACHE . '/flattr', 0777);
		39	}
		40
		41	// if a cache flattr file for this url already exists and it's been less than one day than it have been updated, see in /cache
		42	if ((!file_exists(CACHE . "/flattr/".base64_encode($urltoflattr).".cache")) \|\| (time() - filemtime(CACHE . "/flattr/".base64_encode($urltoflattr).".cache") > 86400)) {
		43	$askForFlattr = Tools::getFile(FLATTR_API . $urltoflattr);
		44	$flattrCacheFile = fopen(CACHE . "/flattr/".base64_encode($urltoflattr).".cache", 'w+');
		45	fwrite($flattrCacheFile, $askForFlattr);
		46	fclose($flattrCacheFile);
		47	}
		48	}
		49	} \ No newline at end of file


diff --git a/inc/3rdparty/Session.class.php b/inc/3rdparty/Session.class.php index 3162f507..df913a06 100644 --- a/inc/3rdparty/Session.class.php +++ b/inc/3rdparty/Session.class.php
@@ -1,136 +1,279 @@
1	<?php	1	<?php
2	/**	2	/**
3	* Session management class	3	* Session management class
		4	*
4	* http://www.developpez.net/forums/d51943/php/langage/sessions/	5	* http://www.developpez.net/forums/d51943/php/langage/sessions/
5	* http://sebsauvage.net/wiki/doku.php?id=php:session	6	* http://sebsauvage.net/wiki/doku.php?id=php:session
6	* http://sebsauvage.net/wiki/doku.php?id=php:shaarli	7	* http://sebsauvage.net/wiki/doku.php?id=php:shaarli
7	*	8	*
8	* Features:	9	* Features:
9	* - Everything is stored on server-side (we do not trust client-side data,	10	* - Everything is stored on server-side (we do not trust client-side data,
10	* such as cookie expiration)	11	* such as cookie expiration)
11	* - IP addresses + user agent are checked on each access to prevent session	12	* - IP addresses are checked on each access to prevent session cookie hijacking
12	* cookie hijacking (such as Firesheep)	13	* (such as Firesheep)
13	* - Session expires on user inactivity (Session expiration date is	14	* - Session expires on user inactivity (Session expiration date is
14	* automatically updated everytime the user accesses a page.)	15	* automatically updated everytime the user accesses a page.)
15	* - A unique secret key is generated on server-side for this session	16	* - A unique secret key is generated on server-side for this session
16	* (and never sent over the wire) which can be used	17	* (and never sent over the wire) which can be used to sign forms (HMAC)
17	* to sign forms (HMAC) (See $_SESSION['uid'] )	18	* (See $_SESSION['uid'])
18	* - Token management to prevent XSRF attacks.	19	* - Token management to prevent XSRF attacks
		20	* - Brute force protection with ban management
19	*	21	*
20	* TODO:	22	* TODOs
21	* - log login fail	23	* - Replace globals with variables in Session class
22	* - prevent brute force (ban IP)
23	*	24	*
24	* HOWTOUSE:	25	* How to use:
25	* - Just call Session::init(); to initialize session and	26	* - http://tontof.net/kriss/php5/session
26	* check if connected with Session::isLogged()
27	*/	27	*/
28
29	class Session	28	class Session
30	{	29	{
		30	// Personnalize PHP session name
		31	public static $sessionName = '';
31	// If the user does not access any page within this time,	32	// If the user does not access any page within this time,
32	// his/her session is considered expired (in seconds).	33	// his/her session is considered expired (3600 sec. = 1 hour)
33	public static $inactivity_timeout = 3600;	34	public static $inactivityTimeout = 3600;
34	private static $_instance;	35	// If you get disconnected often or if your IP address changes often.
		36	// Let you disable session cookie hijacking protection
		37	public static $disableSessionProtection = false;
		38	// Ban IP after this many failures.
		39	public static $banAfter = 4;
		40	// Ban duration for IP address after login failures (in seconds).
		41	// (1800 sec. = 30 minutes)
		42	public static $banDuration = 1800;
		43	// File storage for failures and bans. If empty, no ban management.
		44	public static $banFile = '';
35		45
36	// constructor	46	/**
37	private function __construct()	47	* Initialize session
		48	*/
		49	public static function init()
38	{	50	{
		51	// Force cookie path (but do not change lifetime)
		52	$cookie = session_get_cookie_params();
		53	// Default cookie expiration and path.
		54	$cookiedir = '';
		55	if (dirname($_SERVER['SCRIPT_NAME'])!='/') {
		56	$cookiedir = dirname($_SERVER["SCRIPT_NAME"]).'/';
		57	}
		58	$ssl = false;
		59	if (isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] == "on") {
		60	$ssl = true;
		61	}
		62	session_set_cookie_params($cookie['lifetime'], $cookiedir, $_SERVER['HTTP_HOST'], $ssl);
39	// Use cookies to store session.	63	// Use cookies to store session.
40	ini_set('session.use_cookies', 1);	64	ini_set('session.use_cookies', 1);
41	// Force cookies for session (phpsessionID forbidden in URL)	65	// Force cookies for session (phpsessionID forbidden in URL)
42	ini_set('session.use_only_cookies', 1);	66	ini_set('session.use_only_cookies', 1);
43	if (!session_id()){	67	if (!session_id()) {
44	// Prevent php to use sessionID in URL if cookies are disabled.	68	// Prevent php to use sessionID in URL if cookies are disabled.
45	ini_set('session.use_trans_sid', false);	69	ini_set('session.use_trans_sid', false);
46	session_start('poche');	70	if (!empty(self::$sessionName)) {
		71	session_name(self::$sessionName);
		72	}
		73	session_start();
47	}	74	}
48	}	75	}
49		76
50	// initialize session	77	/**
51	public static function init()	78	* Returns the IP address
		79	* (Used to prevent session cookie hijacking.)
		80	*
		81	* @return string IP addresses
		82	*/
		83	private static function _allIPs()
52	{	84	{
53	if (!isset(self::$_instance)) {	85	$ip = $_SERVER["REMOTE_ADDR"];
54	self::$_instance = new Session();	86	$ip.= isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? '_'.$_SERVER['HTTP_X_FORWARDED_FOR'] : '';
55	}	87	$ip.= isset($_SERVER['HTTP_CLIENT_IP']) ? '_'.$_SERVER['HTTP_CLIENT_IP'] : '';
56	}
57		88
58	// Returns the IP address, user agent and language of the client	89	return $ip;
59	// (Used to prevent session cookie hijacking.)
60	private static function _allInfos()
61	{
62	$infos = $_SERVER["REMOTE_ADDR"];
63	if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
64	$infos.=$_SERVER['HTTP_X_FORWARDED_FOR'];
65	}
66	if (isset($_SERVER['HTTP_CLIENT_IP'])) {
67	$infos.='_'.$_SERVER['HTTP_CLIENT_IP'];
68	}
69	$infos.='_'.$_SERVER['HTTP_USER_AGENT'];
70	$infos.='_'.$_SERVER['HTTP_ACCEPT_LANGUAGE'];
71	return sha1($infos);
72	}	90	}
73		91
74	// Check that user/password is correct and init some SESSION variables.	92	/**
75	public static function login($login,$password,$login_test,$password_test,	93	* Check that user/password is correct and then init some SESSION variables.
76	$pValues = array())	94	*
		95	* @param string $login Login reference
		96	* @param string $password Password reference
		97	* @param string $loginTest Login to compare with login reference
		98	* @param string $passwordTest Password to compare with password reference
		99	* @param array $pValues Array of variables to store in SESSION
		100	*
		101	* @return true\|false True if login and password are correct, false
		102	* otherwise
		103	*/
		104	public static function login (
		105	$login,
		106	$password,
		107	$loginTest,
		108	$passwordTest,
		109	$pValues = array())
77	{	110	{
78	foreach ($pValues as $key => $value) {	111	self::banInit();
79	$_SESSION[$key] = $value;	112	if (self::banCanLogin()) {
80	}	113	if ($login === $loginTest && $password === $passwordTest) {
81	if ($login==$login_test && $password==$password_test){	114	self::banLoginOk();
82	// generate unique random number to sign forms (HMAC)	115	// Generate unique random number to sign forms (HMAC)
83	$_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand());	116	$_SESSION['uid'] = sha1(uniqid('', true).'_'.mt_rand());
84	$_SESSION['info']=Session::_allInfos();	117	$_SESSION['ip'] = self::_allIPs();
85	$_SESSION['username']=$login;	118	$_SESSION['username'] = $login;
86	// Set session expiration.	119	// Set session expiration.
87	$_SESSION['expires_on']=time()+Session::$inactivity_timeout;	120	$_SESSION['expires_on'] = time() + self::$inactivityTimeout;
88	return true;	121
		122	foreach ($pValues as $key => $value) {
		123	$_SESSION[$key] = $value;
		124	}
		125
		126	return true;
		127	}
		128	self::banLoginFailed();
89	}	129	}
		130
90	return false;	131	return false;
91	}	132	}
92		133
93	// Force logout	134	/**
		135	* Unset SESSION variable to force logout
		136	*/
94	public static function logout()	137	public static function logout()
95	{	138	{
96	unset($_SESSION['uid'],$_SESSION['info'],$_SESSION['expires_on'],$_SESSION['tokens'], $_SESSION['login'], $_SESSION['pass'], $_SESSION['poche_user']);	139	unset($_SESSION['uid'],$_SESSION['ip'],$_SESSION['expires_on'],$_SESSION['tokens'], $_SESSION['login'], $_SESSION['pass'], $_SESSION['poche_user']);
97	}	140	}
98		141
99	// Make sure user is logged in.	142	/**
		143	* Make sure user is logged in.
		144	*
		145	* @return true\|false True if user is logged in, false otherwise
		146	*/
100	public static function isLogged()	147	public static function isLogged()
101	{	148	{
102	if (!isset ($_SESSION['uid'])	149	if (!isset ($_SESSION['uid'])
103	\|\| $_SESSION['info']!=Session::_allInfos()	150	\|\| (self::$disableSessionProtection === false
104	\|\| time()>=$_SESSION['expires_on']){	151	&& $_SESSION['ip'] !== self::_allIPs())
105	Session::logout();	152	\|\| time() >= $_SESSION['expires_on']) {
		153	self::logout();
		154
106	return false;	155	return false;
107	}	156	}
108	// User accessed a page : Update his/her session expiration date.	157	// User accessed a page : Update his/her session expiration date.
109	$_SESSION['expires_on']=time()+Session::$inactivity_timeout;	158	$_SESSION['expires_on'] = time() + self::$inactivityTimeout;
		159	if (!empty($_SESSION['longlastingsession'])) {
		160	$_SESSION['expires_on'] += $_SESSION['longlastingsession'];
		161	}
		162
110	return true;	163	return true;
111	}	164	}
112		165
113	// Returns a token.	166	/**
114	public static function getToken()	167	* Create a token, store it in SESSION and return it
		168	*
		169	* @param string $salt to prevent birthday attack
		170	*
		171	* @return string Token created
		172	*/
		173	public static function getToken($salt = '')
115	{	174	{
116	if (!isset($_SESSION['tokens'])){	175	if (!isset($_SESSION['tokens'])) {
117	$_SESSION['tokens']=array();	176	$_SESSION['tokens']=array();
118	}	177	}
119	// We generate a random string and store it on the server side.	178	// We generate a random string and store it on the server side.
120	$rnd = sha1(uniqid('',true).'_'.mt_rand());	179	$rnd = sha1(uniqid('', true).'_'.mt_rand().$salt);
121	$_SESSION['tokens'][$rnd]=1;	180	$_SESSION['tokens'][$rnd]=1;
		181
122	return $rnd;	182	return $rnd;
123	}	183	}
124		184
125	// Tells if a token is ok. Using this function will destroy the token.	185	/**
126	// return true if token is ok.	186	* Tells if a token is ok. Using this function will destroy the token.
		187	*
		188	* @param string $token Token to test
		189	*
		190	* @return true\|false True if token is correct, false otherwise
		191	*/
127	public static function isToken($token)	192	public static function isToken($token)
128	{	193	{
129	if (isset($_SESSION['tokens'][$token]))	194	if (isset($_SESSION['tokens'][$token])) {
130	{
131	unset($_SESSION['tokens'][$token]); // Token is used: destroy it.	195	unset($_SESSION['tokens'][$token]); // Token is used: destroy it.
		196
132	return true; // Token is ok.	197	return true; // Token is ok.
133	}	198	}
		199
134	return false; // Wrong token, or already used.	200	return false; // Wrong token, or already used.
135	}	201	}
136	} \ No newline at end of file	202
		203	/**
		204	* Signal a failed login. Will ban the IP if too many failures:
		205	*/
		206	public static function banLoginFailed()
		207	{
		208	if (self::$banFile !== '') {
		209	$ip = $_SERVER["REMOTE_ADDR"];
		210	$gb = $GLOBALS['IPBANS'];
		211
		212	if (!isset($gb['FAILURES'][$ip])) {
		213	$gb['FAILURES'][$ip] = 0;
		214	}
		215	$gb['FAILURES'][$ip]++;
		216	if ($gb['FAILURES'][$ip] > (self::$banAfter - 1)) {
		217	$gb['BANS'][$ip]= time() + self::$banDuration;
		218	}
		219
		220	$GLOBALS['IPBANS'] = $gb;
		221	file_put_contents(self::$banFile, "<?php\n\$GLOBALS['IPBANS']=".var_export($gb, true).";\n?>");
		222	}
		223	}
		224
		225	/**
		226	* Signals a successful login. Resets failed login counter.
		227	*/
		228	public static function banLoginOk()
		229	{
		230	if (self::$banFile !== '') {
		231	$ip = $_SERVER["REMOTE_ADDR"];
		232	$gb = $GLOBALS['IPBANS'];
		233	unset($gb['FAILURES'][$ip]); unset($gb['BANS'][$ip]);
		234	$GLOBALS['IPBANS'] = $gb;
		235	file_put_contents(self::$banFile, "<?php\n\$GLOBALS['IPBANS']=".var_export($gb, true).";\n?>");
		236	}
		237	}
		238
		239	/**
		240	* Ban init
		241	*/
		242	public static function banInit()
		243	{
		244	if (self::$banFile !== '') {
		245	if (!is_file(self::$banFile)) {
		246	file_put_contents(self::$banFile, "<?php\n\$GLOBALS['IPBANS']=".var_export(array('FAILURES'=>array(), 'BANS'=>array()), true).";\n?>");
		247	}
		248	include self::$banFile;
		249	}
		250	}
		251
		252	/**
		253	* Checks if the user CAN login. If 'true', the user can try to login.
		254	*
		255	* @return boolean true if user is banned, false otherwise
		256	*/
		257	public static function banCanLogin()
		258	{
		259	if (self::$banFile !== '') {
		260	$ip = $_SERVER["REMOTE_ADDR"];
		261	$gb = $GLOBALS['IPBANS'];
		262	if (isset($gb['BANS'][$ip])) {
		263	// User is banned. Check if the ban has expired:
		264	if ($gb['BANS'][$ip] <= time()) {
		265	// Ban expired, user can try to login again.
		266	unset($gb['FAILURES'][$ip]);
		267	unset($gb['BANS'][$ip]);
		268	file_put_contents(self::$banFile, "<?php\n\$GLOBALS['IPBANS']=".var_export($gb, true).";\n?>");
		269
		270	return true; // Ban has expired, user can login.
		271	}
		272
		273	return false; // User is banned.
		274	}
		275	}
		276
		277	return true; // User is not banned.
		278	}
		279	}


diff --git a/inc/3rdparty/class.messages.php b/inc/3rdparty/class.messages.php index e60bd3a1..e60bd3a1 100755..100644 --- a/inc/3rdparty/class.messages.php +++ b/inc/3rdparty/class.messages.php


diff --git a/inc/3rdparty/content-extractor/ContentExtractor.php b/inc/3rdparty/content-extractor/ContentExtractor.php index db371c6a..26878392 100644 --- a/inc/3rdparty/content-extractor/ContentExtractor.php +++ b/inc/3rdparty/content-extractor/ContentExtractor.php
@@ -138,7 +138,7 @@ class ContentExtractor
138	}	138	}
139		139
140	// load and parse html	140	// load and parse html
141	$this->readability = new Readability($html, $url);	141	$this->readability = new PocheReadability($html, $url);
142		142
143	// we use xpath to find elements in the given HTML document	143	// we use xpath to find elements in the given HTML document
144	// see http://en.wikipedia.org/wiki/XPath_1.0	144	// see http://en.wikipedia.org/wiki/XPath_1.0


diff --git a/inc/3rdparty/site_config/README.txt b/inc/3rdparty/site_config/README.txt deleted file mode 100644 index 0aff456b..00000000 --- a/inc/3rdparty/site_config/README.txt +++ /dev/null
@@ -1,6 +0,0 @@
1	Full-Text RSS Site Patterns
2	---------------------------
3
4	Site patterns allow you to specify what should be extracted from specific sites.
5
6	Please see http://help.fivefilters.org/customer/portal/articles/223153-site-patterns for more information. \ No newline at end of file


diff --git a/inc/3rdparty/site_config/custom/inthepoche.com.txt b/inc/3rdparty/site_config/custom/inthepoche.com.txt deleted file mode 100644 index ede74b97..00000000 --- a/inc/3rdparty/site_config/custom/inthepoche.com.txt +++ /dev/null
@@ -1,7 +0,0 @@
1	title: //title
2	body: //div[@class='post-content']
3
4	prune: no
5	tidy: no
6
7	test_url: http://www.inthepoche.com/?post/poche-hosting \ No newline at end of file


diff --git a/inc/3rdparty/site_config/index.php b/inc/3rdparty/site_config/index.php deleted file mode 100644 index a3d5f739..00000000 --- a/inc/3rdparty/site_config/index.php +++ /dev/null
@@ -1,3 +0,0 @@
1	<?php
2	// this is here to prevent directory listing over the web
3	?> \ No newline at end of file


diff --git a/inc/3rdparty/site_config/standard/.wikipedia.org.txt b/inc/3rdparty/site_config/standard/.wikipedia.org.txt deleted file mode 100644 index 8b98ae4b..00000000 --- a/inc/3rdparty/site_config/standard/.wikipedia.org.txt +++ /dev/null
@@ -1,19 +0,0 @@
1	title: //h1[@id='firstHeading']
2	body: //div[@id = 'bodyContent']
3	strip_id_or_class: editsection
4	#strip_id_or_class: toc
5	strip_id_or_class: vertical-navbox
6	strip: //table[@id='toc']
7	strip: //div[@id='catlinks']
8	strip: //div[@id='jump-to-nav']
9	strip: //div[@class='thumbcaption']//div[@class='magnify']
10	strip: //table[@class='navbox']
11	strip: //table[contains(@class, 'infobox')]
12	strip: //div[@class='dablink']
13	strip: //div[@id='contentSub']
14	strip: //table[contains(@class, 'metadata')]
15	strip: //*[contains(@class, 'noprint')]
16	strip: //span[@title='pronunciation:']
17	prune: no
18	tidy: no
19	test_url: http://en.wikipedia.org/wiki/Christopher_Lloyd \ No newline at end of file


diff --git a/inc/3rdparty/site_config/standard/index.php b/inc/3rdparty/site_config/standard/index.php deleted file mode 100644 index a3d5f739..00000000 --- a/inc/3rdparty/site_config/standard/index.php +++ /dev/null
@@ -1,3 +0,0 @@
1	<?php
2	// this is here to prevent directory listing over the web
3	?> \ No newline at end of file


diff --git a/inc/3rdparty/site_config/standard/version.php b/inc/3rdparty/site_config/standard/version.php deleted file mode 100644 index e61807ed..00000000 --- a/inc/3rdparty/site_config/standard/version.php +++ /dev/null
@@ -1,2 +0,0 @@
1	<?php
2	return 1; \ No newline at end of file