
Mass changes (work in progress - related beta testing and feedback highly appreciated)

- New session handler - appropriate changes made at important core areas (language handler, chap login related)
- Overall better COOKIE handling (on both server and client side) - cookies respect now installation path, domain (based on language settings)
- Introduced Security Levels (see session handler constants/docs), security level option could be added to install routine now
- Security level printed on Administration info panel, appropriate lans added (subject of discussion)
- e_TOKEN security part of session handling now - logic depends on security level (TODO - POST_REFERER removal)
- e_print, e_dump debug functions added (for quick and nice debug view via site output), native overall FirePhp support planned
- a lot of minor bugfixes
This commit is contained in:
secretr 2010-10-26 07:41:20 +00:00
parent 6196a3e425
commit 645d2dda6d
29 changed files with 342 additions and 183 deletions


@ -223,6 +223,23 @@ $e107_paths = compact('ADMIN_DIRECTORY', 'FILES_DIRECTORY', 'IMAGES_DIRECTORY',
$sql_info = compact('mySQLserver', 'mySQLuser', 'mySQLpassword', 'mySQLdefaultdb', 'mySQLprefix');
$e107 = e107::getInstance()->initCore($e107_paths, realpath(dirname(__FILE__)), $sql_info, varset($E107_CONFIG, array()));
/**
* NEW - system security levels
* Could be overridden by e107_config.php OR $CLASS2_INCLUDE script (if not set earlier)
*
* 0 disabled
* 5 safe mode (balanced)
* 7 high
* 9 paranoid
* 10 insane
* for more detailed info see e_session SECURITY_LEVEL_* constants
* default is e_session::SECURITY_LEVEL_BALANCED (5)
*/
if(!defined('e_SECURITY_LEVEL'))
{
require_once(e_HANDLER.'session_handler.php');
define('e_SECURITY_LEVEL', e_session::SECURITY_LEVEL_BALANCED);
}
// MOVED TO $e107->set_request()
//$inArray = array("'", ';', '/**/', '/UNION/', '/SELECT/', 'AS ');
@ -281,6 +298,7 @@ $tp = e107::getParser(); //TODO - find & replace $tp, $e107->tp
// All debug objects and constants are defined in the debug handler
// i.e. from here on you can use E107_DEBUG_LEVEL or any
// E107_DBG_* constant for debug testing.
// TODO - rewrite the debug init phase, add e107 class getters
//
require_once(e_HANDLER.'debug_handler.php');
@ -292,6 +310,7 @@ if(E107_DEBUG_LEVEL && isset($db_debug) && is_object($db_debug))
//
// I: Sanity check on e107_config.php
// e107_config.php upgrade check
// FIXME - obsolete check, rewrite it
if (!$ADMIN_DIRECTORY && !$DOWNLOADS_DIRECTORY)
{
message_handler('CRITICAL_ERROR', 8, ': generic, ', 'e107_config.php');
@ -304,7 +323,7 @@ if (!$ADMIN_DIRECTORY && !$DOWNLOADS_DIRECTORY)
e107::getSingleton('e107_traffic'); // We start traffic counting ASAP
//$eTraffic->Calibrate($eTraffic);
e107_require_once(e_HANDLER.'mysql_class.php');
// e107_require_once(e_HANDLER.'mysql_class.php');
//DEPRECATED, BC, $e107->sql caught by __get()
$sql = e107::getDb(); //TODO - find & replace $sql, $e107->sql
@ -317,8 +336,7 @@ $merror=$sql->db_Connect($mySQLserver, $mySQLuser, $mySQLpassword, $mySQLdefault
//DEPRECATED, BC, call the method only when needed
$sql2 = e107::getDb('sql2'); //TODO find & replace all $sql2 calls
$sql->db_Mark_Time('Start: Prefs, misc tables');
$sql->db_Mark_Time('Start: Prefs, misc tables');
//DEPRECATED, BC, call the method only when needed, $e107->admin_log caught by __get()
$admin_log = e107::getAdminLog(); //TODO - find & replace $admin_log, $e107->admin_log
@ -403,7 +421,7 @@ if(!e107::getConfig()->hasData())
}
//DEPRECATED, BC, call e107::getPref() instead
//DEPRECATED, BC, call e107::getPref/findPref() instead
$pref = e107::getPref();
//this could be part of e107->init() method now, prefs will be auto-initialized
@ -426,7 +444,7 @@ e107::getLanguage()->detect();
//
// if a cookie name pref isn't set, make one :)
// TODO - do we really need this? e107 method could do the job.
// e_COOKIE used as unique session cookie name now (see session handler)
if (!$pref['cookie_name']) { $pref['cookie_name'] = 'e107cookie'; }
define('e_COOKIE', $pref['cookie_name']);
@ -434,28 +452,6 @@ define('e_COOKIE', $pref['cookie_name']);
//define('SITEURLBASE', ($pref['ssl_enabled'] == '1' ? 'https://' : 'http://').$_SERVER['HTTP_HOST']);
//define('SITEURL', SITEURLBASE.e_HTTP);
// start a session if session based login is enabled
// if ($pref['user_tracking'] == 'session')
{
session_start();
if (!isset($_SESSION['challenge']))
{ // New session
// Create a unique challenge string for CHAP login
$_SESSION['challenge'] = sha1(time().session_id());
}
$ubrowser = md5('E107'.$_SERVER['HTTP_USER_AGENT']);
if (!isset($_SESSION['ubrowser']))
{
$_SESSION['ubrowser'] = $ubrowser;
}
}
// if the option to force users to use a particular url for the site is enabled, redirect users there as needed
// Now matches RFC 2616 (sec 3.2): case insensitive, https/:443 and http/:80 are equivalent.
// And, this is robust against hack attacks. Malignant users can put **anything** in HTTP_HOST!
@ -511,6 +507,12 @@ if($pref['redirectsiteurl'] && $pref['siteurl']) {
* Set the User's Language
*/
$sql->db_Mark_Time('Start: Set User Language');
// SESSION Needs to be started after:
// - Site preferences are available
// - Language detection (because of session.cookie_domain)
// to avoid multi-language 'access-denied' issues.
//session_start(); see e107::getSession() above
e107::getSession(); //init core _SESSION - actually here for reference only, it's done by language handler set() method
e107::getLanguage()->set(); // set e_LANGUAGE, USERLAN, Language Session / Cookies etc. requires $pref;
if(varset($pref['multilanguage']) && (e_LANGUAGE != $pref['sitelanguage']))
@ -523,10 +525,14 @@ if(varset($pref['multilanguage']) && (e_LANGUAGE != $pref['sitelanguage']))
e107_include_once(e_LANGUAGEDIR.e_LANGUAGE.'/'.e_LANGUAGE.'.php');
e107_include_once(e_LANGUAGEDIR.e_LANGUAGE."/".e_LANGUAGE.'_custom.php');
e107::getSession()
->challenge() // Create a unique challenge string for CHAP login
->check(); // Token protection
// echo e_print($_SESSION, e107::getSession()->getSessionId(), e107::getSession()->getSessionName());
//
// N: misc setups: online user tracking, cache
//
$sql -> db_Mark_Time('Start: Misc resources. Online user tracking, cache');
$sql->db_Mark_Time('Start: Misc resources. Online user tracking, cache');
//DEPRECATED, BC, call the method only when needed, $e107->ecache caught by __get()
$e107cache = e107::getCache(); //TODO - find & replace $e107cache, $e107->ecache
@ -771,8 +777,8 @@ if (isset($_POST['userlogin']) || isset($_POST['userlogin_x']))
// $usr = new userlogin($_POST['username'], $_POST['userpass'], $_POST['autologin'], varset($_POST['hashchallenge'],''));
}
if ((e_QUERY == 'logout') || (($pref['user_tracking'] == 'session') && isset($_SESSION['ubrowser']) && ($_SESSION['ubrowser'] != $ubrowser)))
// $_SESSION['ubrowser'] check not needed anymore - see session handler
if ((e_QUERY == 'logout')/* || (($pref['user_tracking'] == 'session') && isset($_SESSION['ubrowser']) && ($_SESSION['ubrowser'] != $ubrowser))*/)
{
if (USER)
{
@ -784,6 +790,8 @@ if ((e_QUERY == 'logout') || (($pref['user_tracking'] == 'session') && isset($_S
$ip = $e107->getip();
$udata = (USER === true ? USERID.'.'.USERNAME : '0');
// TODO - should be done inside online handler, more core areas need it (session handler for example)
$sql->db_Update('online', "online_user_id = 0, online_pagecount=online_pagecount+1 WHERE online_user_id = '{$udata}' LIMIT 1");
if ($pref['user_tracking'] == 'session')
@ -1423,6 +1431,7 @@ function init_session()
define('POST_REFERER', md5($user->getToken()));
// Check for intruders - outside the model for now
// TODO replace __referer with e-token, remove the above
if((isset($_POST['__referer']) && !$user->checkToken($_POST['__referer']))
|| (isset($_GET['__referer']) && !$user->checkToken($_GET['__referer'])))
{
@ -1691,6 +1700,16 @@ if(!isset($_E107['no_online']) && varset($pref['track_online']))
e107::getOnline()->goOnline($pref['track_online'], $pref['flood_protect']);
}
/**
* Set Cookie
* @param string $name
* @param string $value
* @param integer $expire seconds
* @param string $path
* @param string $domain
* @param boolean $secure
* @return void
*/
function cookie($name, $value, $expire=0, $path = e_HTTP, $domain = '', $secure = 0)
{
setcookie($name, $value, $expire, $path, $domain, $secure);
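Review bot: The docblock on the new `cookie()` helper describes `$expire` as "seconds", but `setcookie()` takes an absolute Unix timestamp (the admin auth.php hunk in this commit passes `time() + 3600 * 24 * 30` through `session_set()`, presumably ending up here), so the tag should read `@param integer $expire Unix timestamp; 0 = session cookie`. The wrapper also never forwards setcookie's `$httponly` argument (available since PHP 5.2), so a login cookie set through it stays readable by client-side script; consider `function cookie($name, $value, $expire=0, $path = e_HTTP, $domain = '', $secure = 0, $httponly = false)` with `setcookie($name, $value, $expire, $path, $domain, $secure, $httponly);`, keeping the default at `false` so cookies that JavaScript reads are unaffected and letting session/login callers opt in. The function body continues past the end of the hunk.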


@ -115,11 +115,13 @@ else
}
$edata_li = array("user_id"=>$row['user_id'], "user_name"=>$row['user_name'], 'class_list'=>implode(',', $class_list), 'user_admin'=> $row['user_admin']);
e107::getEvent()->trigger("login", $edata_li);
// Fix - set cookie before login trigger
session_set(e_COOKIE, $cookieval, (time() + 3600 * 24 * 30));
echo "<script type='text/javascript'>document.location.href='admin.php'</script>\n";
e107::getEvent()->trigger("login", $edata_li);
e107::getRedirect()->redirect(e_ADMIN_ABS.'admin.php');
//echo "<script type='text/javascript'>document.location.href='admin.php'</script>\n";
}
}
@ -166,9 +168,10 @@ class auth
<td style='width:35%' class='forumheader3'>".ADLAN_90."</td>
<td class='forumheader3' style='text-align:center'><input class='tbox' type='password' name='authpass' id='userpass' size='30' value='' maxlength='30' />\n";
if (isset($_SESSION['challenge']) && varset($pref['password_CHAP'], 0))
$session = e107::getSession();
if ($session->is('challenge') && varset($pref['password_CHAP'], 0))
$text .= "<input type='hidden' name='hashchallenge' id='hashchallenge' value='{$_SESSION['challenge']}' />\n\n";
$text .= "<input type='hidden' name='hashchallenge' id='hashchallenge' value='".$session->get('challenge')."' />\n\n";
$text .= "</td></tr>\n";
if ($use_imagecode)
@ -210,7 +213,7 @@ class auth
$tp = e107::getParser();
$sql_auth = e107::getDb('sql_auth');
$user_info = e107::getSession();
$user_info = e107::getUserSession();
$reason = '';
$authname = $tp->toDB(preg_replace("/\sOR\s|\=|\#/", "", trim($authname)));
@ -239,9 +242,10 @@ class auth
}
if (!$reason && ($row['user_id'])) // Can validate password
{
if (($authresponse && isset($_SESSION['challenge'])) && ($authresponse != $_SESSION['challenge']))
$session = e107::getSession();
if (($authresponse && $session->is('challenge')) && ($authresponse != $session->get('challenge')))
{ // Verify using CHAP (can't handle login by email address - only loginname - although with this code it does still work if the password is stored unsalted)
if (($pass_result = $user_info->CheckCHAP($_SESSION['challenge'], $authresponse, $authname, $row['user_password'])) !== PASSWORD_INVALID)
if (($pass_result = $user_info->CheckCHAP($session->get('challenge'), $authresponse, $authname, $row['user_password'])) !== PASSWORD_INVALID)
{
return $$row;
}
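Review bot: The CHAP guard `if (($authresponse && $session->is('challenge')) && ($authresponse != $session->get('challenge')))` compares two strings with loose `!=`; PHP treats numeric-looking strings (two hex digests of the form `0e…` for instance) as equal under `==`, so `!==` is the safer comparison here, and the same applies to the equivalent line rewritten in userlogin (login.php hunk `@ -355,17 +355,18`). A few lines below, `return $$row;` is a variable-variable applied to an array — if that line is reached it would not return the user row; confirm it is meant to be `return $row;`. The enclosing method of class auth starts and ends outside the hunk.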


@ -291,7 +291,7 @@ function setCronPwd()
{
global $pref;
$userMethods = e107::getSession();
$userMethods = e107::getUserSession();
$newpwd = $userMethods->generateRandomString('*^*#.**^*');
$newpwd = sha1($newpwd.time());
$pref['e_cron_pwd'] = $newpwd;


@ -21,6 +21,9 @@ $In_e107_Footer = TRUE; // For registered shutdown function
global $error_handler,$db_time,$ADMIN_FOOTER;
// Clean session shutdown
e107::getSession()->shutdown();
//
// SHUTDOWN SEQUENCE
//
@ -287,6 +290,8 @@ e107::getJs()->renderJs('footer_inline', true);
// This must be done as late as possible in page processing.
$_serverTime = time();
$lastSet = isset($_COOKIE['e107_tdSetTime']) ? $_COOKIE['e107_tdSetTime'] : 0;
$_serverPath = e_HTTP;
$_serverDomain = deftrue('MULTILANG_SUBDOMAIN') ? '.'.e_DOMAIN : '';
if (abs($_serverTime - $lastSet) > 120)
{
/* update time delay every couple of minutes.
@ -294,7 +299,7 @@ if (abs($_serverTime - $lastSet) > 120)
* Drawback: each update may cause all server times to display a bit different
*/
echo "<script type='text/javascript'>\n";
echo "SyncWithServerTime('{$_serverTime}');
echo "SyncWithServerTime('{$_serverTime}', '{$_serverPath}', '{$_serverDomain}');
</script>\n";
}
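Review bot: `$_serverPath` and `$_serverDomain` are interpolated straight into a JavaScript string literal in `echo "SyncWithServerTime('{$_serverTime}', '{$_serverPath}', '{$_serverDomain}');` with no escaping for the JS context. If e_DOMAIN is derived from HTTP_HOST (the class2.php comment in this same commit notes that header can hold anything), a value containing a quote would break out of the literal. Emit the three values as JSON instead: `echo "SyncWithServerTime(".json_encode($_serverTime).", ".json_encode($_serverPath).", ".json_encode($_serverDomain).");`.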


@ -25,10 +25,10 @@ $e_sub_cat = 'language';
require_once ("auth.php");
require_once (e_HANDLER."form_handler.php");
require_once (e_HANDLER."message_handler.php");
$frm = new e_form();
$emessage = &eMessage::getInstance();
$frm = e107::getForm();
$emessage = e107::getMessage();
$tabs = table_list(); // array("news","content","links");
$lanlist = explode(",", e_LANLIST);
$lanlist = e107::getLanguage()->installed();// Bugfix - don't use e_LANLIST as it's cached (SESSION)
$message = '';
if (e_QUERY)
{


@ -1,21 +1,25 @@
<?php
/*
+ ----------------------------------------------------------------------------+
| e107 website system
|
| Copyright (C) 2008-2009 e107 Inc (e107.org)
| http://e107.org
|
|
| Released under the terms and conditions of the
| GNU General Public License (http://gnu.org).
|
| $Source: /cvs_backup/e107_0.8/e107_admin/links.php,v $
| $Revision$
| $Date$
| $Author$
+----------------------------------------------------------------------------+
*/
* e107 website system
*
* Copyright (C) 2008-2010 e107 Inc (e107.org)
* Released under the terms and conditions of the
* GNU General Public License (http://www.gnu.org/licenses/gpl.txt)
*
* Site navigation administration
*
* $URL$
* $Id$
*/
/**
* @package e107
* @subpackage admin
* @version $Id$
*
* Manage site navigation links
*/
require_once("../class2.php");
if (!getperms("I"))
{
@ -66,9 +70,9 @@ class links_admin_ui extends e_admin_ui
'checkboxes' => array('title'=> '', 'width' => '3%','forced' => true,'thclass' => 'center first','class' => 'center first'),
'link_button' => array('title'=> LAN_ICON, 'type'=>'icon', 'width'=>'5%', 'thclass' => 'center', 'class'=>'center'),
'link_id' => array('title'=> ID, 'nolist'=>TRUE),
'link_name' => array('title'=> LCLAN_15, 'width'=>'auto','type'=>'method'),
'link_name' => array('title'=> LCLAN_15, 'width'=>'auto','type'=>'method', 'validate' => true),
'link_parent' => array('title'=> 'Sublink of', 'type' => 'dropdown', 'width' => 'auto', 'batch'=>true, 'filter'=>true, 'thclass' => 'left first'),
'link_url' => array('title'=> LCLAN_93, 'width'=>'auto', 'type'=>'text'),
'link_url' => array('title'=> LCLAN_93, 'width'=>'auto', 'type'=>'text', 'validate' => true),
'link_class' => array('title'=> LAN_USERCLASS, 'type' => 'userclass', 'batch'=>true, 'filter'=>true, 'width' => 'auto'),
'link_description' => array('title'=> LCLAN_17, 'type' => 'bbarea', 'method'=>'tinymce_plugins', 'width' => 'auto'),
'link_category' => array('title'=> LCLAN_12, 'type' => 'dropdown', 'batch'=>true, 'filter'=>true, 'width' => 'auto'),


@ -23,10 +23,10 @@ $e_sub_cat = 'admin_pass';
require_once(e_ADMIN.'auth.php');
require_once(e_HANDLER.'message_handler.php');
// require_once(e_HANDLER.'user_handler.php'); //use e107::getSession() instead.
// require_once(e_HANDLER.'user_handler.php'); //use e107::getUserSession() instead.
require_once(e_HANDLER.'validator_class.php');
$userMethods = e107::getSession();
$emessage = &eMessage::getInstance();
$userMethods = e107::getUserSession();
$emessage = e107::getMessage();
if (isset($_POST['update_settings']))
{


@ -89,7 +89,7 @@ require_once (e_HANDLER.'validator_class.php');
// $userMethods = new UserHandler;
// $colList = $userMethods->getNiceNames(TRUE);
$ue = new e107_user_extended;
$userMethods = e107::getSession();
$userMethods = e107::getUserSession();
$user_data = array();
$frm = new e_form;
$rs = new form;


@ -776,7 +776,7 @@ class admin_shortcodes
$obj = e107::getDateConvert();
$install_date = $obj->convert_date($pref['install_date'], 'long');
$text = "<b>".FOOTLAN_1."</b>
<br />".
SITENAME."
@ -790,6 +790,10 @@ class admin_shortcodes
<br />
".FOOTLAN_3." ".$e107info['e107_version']."
<br /><br />
<b>".FOOTLAN_20."</b>
<br />
[".e_SECURITY_LEVEL."] ".defset('LAN_SECURITYL_'.e_SECURITY_LEVEL, 'n/a')."
<br /><br />
<b>".FOOTLAN_18."</b>
<br />".$pref['sitetheme']."<br /><br />
<b>".FOOTLAN_5."</b>


@ -36,21 +36,24 @@ var localTime = Math.floor(nowLocal.getTime()/1000); /* time, in ms -- recorded
* The value calculated in SyncWithServerTime is not known until after the
* entire page has been processed.
*/
function SyncWithServerTime(serverTime)
function SyncWithServerTime(serverTime, path, domain)
{
if (serverTime)
{
/* update time difference cookie */
var serverDelta=Math.floor(localTime-serverTime);
document.cookie = 'e107_tdOffset='+serverDelta+'; path=/';
document.cookie = 'e107_tdSetTime='+(localTime-serverDelta)+'; path=/'; /* server time when set */
if(!path) path = '/';
if(!domain) domain = '';
else domain = '; domain=' + domain;
document.cookie = 'e107_tdOffset='+serverDelta+'; path='+path+domain;
document.cookie = 'e107_tdSetTime='+(localTime-serverDelta)+'; path='+path+domain; /* server time when set */
}
var tzCookie = 'e107_tzOffset=';
// if (document.cookie.indexOf(tzCookie) < 0) {
/* set if not already set */
var timezoneOffset = nowLocal.getTimezoneOffset(); /* client-to-GMT in minutes */
document.cookie = tzCookie + timezoneOffset+'; path=/';
document.cookie = tzCookie + timezoneOffset+'; path='+path+domain;
// }
}
var ns6=0;
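Review bot: `SyncWithServerTime` overwrites its `domain` parameter with the `'; domain=…'` attribute fragment and then appends `path` and `domain` in three places, which reads as if `domain` were still a host name; the copy of this function in the second JS file (hunk `@ -31,21 +31,24`) has the same shape. Build the attribute suffix once, `var cookieAttrs = '; path=' + (path || '/') + (domain ? '; domain=' + domain : '');`, and append `cookieAttrs` in each of the three `document.cookie` assignments. The three cookies still carry no `expires`, so they remain session cookies as before. Keeping two identical copies of the function means every future fix must be applied twice.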


@ -31,21 +31,24 @@ var localTime = Math.floor(nowLocal.getTime()/1000); /* time, in ms -- recorded
* The value calculated in SyncWithServerTime is not known until after the
* entire page has been processed.
*/
function SyncWithServerTime(serverTime)
function SyncWithServerTime(serverTime, path, domain)
{
if (serverTime)
if (serverTime)
{
/* update time difference cookie */
var serverDelta=Math.floor(localTime-serverTime);
document.cookie = 'e107_tdOffset='+serverDelta+'; path=/';
document.cookie = 'e107_tdSetTime='+(localTime-serverDelta)+'; path=/'; /* server time when set */
if(!path) path = '/';
if(!domain) domain = '';
else domain = '; domain=' + domain;
document.cookie = 'e107_tdOffset='+serverDelta+'; path='+path+domain;
document.cookie = 'e107_tdSetTime='+(localTime-serverDelta)+'; path='+path+domain; /* server time when set */
}
var tzCookie = 'e107_tzOffset=';
// if (document.cookie.indexOf(tzCookie) < 0) {
/* set if not already set */
var timezoneOffset = nowLocal.getTimezoneOffset(); /* client-to-GMT in minutes */
document.cookie = tzCookie + timezoneOffset+'; path=/';
document.cookie = tzCookie + timezoneOffset+'; path='+path+domain;
// }
}


@ -88,7 +88,9 @@ class e_admin_log
define('USER_AUDIT_TEMP_ACCOUNT', 24); // User temporary account
// Init E_MESSAGE_* constants if not already done
e107::getMessage();
// e107::getMessage(); - just include, message handler is creating session in construct
// it breaks stuff (see class2 - language detection and comments)
require_once(e_HANDLER.'message_handler.php');
$this->_messages = array();
}
@ -139,6 +141,11 @@ class e_admin_log
$event_detail = implode("[!br!]\n", $tmp);
unset($tmp);
}
else
{
// auto-format long details - TODO - shrink details on administration log page, expand/show in DHTML window full details.
$event_detail = str_replace("\n", "[!br!]", $event_detail);
}
if ($this->_options['backtrace'] == true)
{
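Review bot: The new else branch converts only `"\n"` in `$event_detail`, so details with CRLF line endings keep a stray `"\r"` in front of every `[!br!]` marker; `$event_detail = str_replace(array("\r\n", "\r", "\n"), "[!br!]", $event_detail);` covers all three. The array branch just above joins with `"[!br!]\n"` while this branch drops the newline entirely, so the stored shape now depends on whether an array or a string was passed — worth settling on one separator. The enclosing method's signature and the rest of its body are outside the hunk.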


@ -2989,6 +2989,7 @@ class e_admin_controller_ui extends e_admin_controller
{
$this->$callbackAfter($model->getData(), $old_data, $model->getId());
}
$model->setMessages(true); //FIX - move messages (and session messages) to the default stack
$this->doAfterSubmit($model->getId(), $noredirectAction);
return true;
}


@ -152,6 +152,26 @@ function print_a($var, $return = FALSE)
}
}
function e_print($expr = null)
{
$args = func_get_args();
if(!$args) return;
foreach ($args as $arg)
{
print_a($arg);
}
}
function e_dump($expr = null)
{
$args = func_get_args();
if(!$args) return;
echo '<pre>';
call_user_func_array('var_dump', $args);
echo '</pre>';
}
/**
* Strips slashes from a var if magic_quotes_gqc is enabled
*
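Review bot: `e_dump()` writes raw `var_dump` output into the page, so any dumped string that contains markup is rendered rather than displayed — the `<pre>` wrapper does not escape it. Capture and escape between the two `echo` calls instead: `ob_start();`, `call_user_func_array('var_dump', $args);`, `echo htmlspecialchars(ob_get_clean(), ENT_QUOTES, 'UTF-8');`. Neither helper is gated on `E107_DEBUG_LEVEL`, so a stray call left in committed code emits internal state to every visitor; a docblock on each reading `Debug helper - writes to the response unconditionally; do not leave calls in committed code.` would make that explicit. The unused `$expr` parameter appears to exist only to document the first argument, which a `@param mixed $expr one or more values to dump` tag would say more clearly.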


@ -144,6 +144,7 @@ class e107
'e107_user_extended' => '{e_HANDLER}user_extended_class.php',
'e107plugin' => '{e_HANDLER}plugin_class.php',
'eURL' => '{e_HANDLER}e107Url.php',
'e_core_session' => '{e_HANDLER}session_handler.php',
'e_admin_controller' => '{e_HANDLER}admin_ui.php',
'e_admin_controller_ui' => '{e_HANDLER}admin_ui.php',
'e_admin_dispatcher' => '{e_HANDLER}admin_ui.php',
@ -949,10 +950,27 @@ class e107
*
* @return UserHandler
*/
public static function getSession()
public static function getUserSession()
{
return self::getSingleton('UserHandler', true);
}
/**
* Retrieve core session singleton object(s)
*
* @return e_core_session
*/
public static function getSession($namespace = null)
{
$id = 'core/e107/session/'.(null === $namespace ? 'e107' : $namespace);
if(self::getRegistry($id))
{
return self::getRegistry($id);
}
$session = self::getObject('e_core_session', array('namespace' => $namespace), true);
self::setRegistry($id, $session);
return $session;
}
/**
* Retrieve redirection singleton object
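Review bot: Reusing the name `getSession()` for a different return type is a silent API break: any plugin still calling `e107::getSession()` and expecting a `UserHandler` now receives an `e_core_session` and fails only when it invokes a user method, with nothing flagging the change. Since both names must exist, document it on the new method with `@param string|null $namespace session namespace; null selects the default 'e107' namespace` and a line such as `NOTE: getSession() returned UserHandler before this change - see getUserSession()`, and consider a changelog note for third-party code. Minor: `self::getRegistry($id)` is evaluated twice on a cache hit; `if(($session = self::getRegistry($id))) return $session;` does it once.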


@ -660,9 +660,9 @@ class e_form
* Generate hidden security field
* @return string
*/
function referer()
function token()
{
return "<input type='hidden' name='__referer' value='".defset('POST_REFERER', '')."' id='e-form-referer' />";
return "<input type='hidden' name='e-token' value='".defset('e_TOKEN', '')."' />";
}
function submit($name, $value, $options = array())
@ -1724,7 +1724,7 @@ class e_form
$text = "
<form method='post' action='{$formurl}' id='{$elid}-list-form'>
<div>".$this->referer()."
<div>".$this->token()."
".vartrue($options['fieldset_pre'])."
<fieldset id='{$elid}-list'>
<legend class='e-hideme'>".$options['legend']."</legend>
@ -1845,7 +1845,7 @@ class e_form
$text .= "
<form method='post' action='".$url."' id='{$form['id']}-form' enctype='multipart/form-data'>
<div>
".$this->referer()."
".$this->token()."
";
foreach ($form['fieldsets'] as $elid => $data)
@ -2119,7 +2119,7 @@ class form {
$method = ($form_method ? "method='".$form_method."'" : "");
$target = ($form_target ? " target='".$form_target."'" : "");
$name = ($form_name ? " id='".$form_name."' " : " id='myform'");
return "\n<form action='".$form_action."' ".$method.$target.$name.$form_enctype.$form_js.">".e107::getForm()->referer();
return "\n<form action='".$form_action."' ".$method.$target.$name.$form_enctype.$form_js.">".e107::getForm()->token();
}
function form_text($form_name, $form_size, $form_value, $form_maxlength = FALSE, $form_class = "tbox", $form_readonly = "", $form_tooltip = "", $form_js = "") {
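Review bot: Renaming `referer()` to `token()` on class e_form removes a public method without a fallback, so templates or plugins that open forms with `$frm->referer()` will fatal at runtime; keep `/** @deprecated use token() */ function referer() { return $this->token(); }` next to it. The new hidden field also drops the `id='e-form-referer'` attribute, so any client-side code that located the field by that id needs checking. The docblock above `token()` still reads "Generate hidden security field"; it should name what it emits: `Generate the hidden e-token security field; value comes from the e_TOKEN constant ('' if undefined)`.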


@ -1,14 +1,22 @@
<?php
/*
+ ----------------------------------------------------------------------------+
| e107 website system - Language Class.
|
| $URL$
| $Revision$
| $Id$
| $Author$
+----------------------------------------------------------------------------+
*/
* e107 website system
*
* Copyright (C) 2008-2010 e107 Inc (e107.org)
* Released under the terms and conditions of the
* GNU General Public License (http://www.gnu.org/licenses/gpl.txt)
*
* Language handler
*
* $URL$
* $Id$
*/
/**
* @package e107
* @subpackage e107_handlers
* @version $Id$
*/
class language{
@ -370,14 +378,21 @@ class language{
* 3. $_GET['elan'] eg. /index.php?elan=es
* 4. $_POST['sitelanguage'] eg. <input type='hidden' name='sitelanguage' value='Spanish' />
* 5. $GLOBALS['elan'] eg. <?php $GLOBALS['elan']='es' (deprecated)
*
* @param boolean $force force detection, don't use cached value
*/
function detect()
function detect($force = false)
{
global $pref;
if(false !== $this->detect && !$foce) return $this->detect;
if(varsettrue($pref['multilanguage_subdomain']) && $this->isLangDomain(e_DOMAIN) && (defset('MULTILANG_SUBDOMAIN') !== FALSE))
{
$detect_language = (e_SUBDOMAIN) ? $this->isValid(e_SUBDOMAIN) : $pref['sitelanguage'];
e107_ini_set("session.cookie_domain", ".".e_DOMAIN); // Must be before session_start()
// Done in session handler now, based on MULTILANG_SUBDOMAIN value
//e107_ini_set("session.cookie_domain", ".".e_DOMAIN); // Must be before session_start()
define('MULTILANG_SUBDOMAIN',TRUE);
}
elseif(e_MENU && ($detect_language = $this->isValid(e_MENU))) //
@ -403,7 +418,8 @@ class language{
$detect_language = FALSE; // ie. No Change.
}
e107_ini_set("session.cookie_path", e_HTTP);
// Done in session handler now
// e107_ini_set("session.cookie_path", e_HTTP);
$this->detect = $detect_language;
return $detect_language;
@ -417,14 +433,15 @@ class language{
*/
function set()
{
global $pref;
$pref = e107::getPref();
$session = e107::getSession(); // default core session namespace
if($this->detect) // Language-Change Trigger Detected.
{
if(!varset($_SESSION['e_language']) || (($_SESSION['e_language'] != $this->detect) && $this->isValid($_SESSION['e_language'])))
// new - e_language moved to e107 namespace - $_SESSION['e107']['e_language']
if(!$session->has('e_language') || (($session->get('e_language') != $this->detect) && $this->isValid($session->get('e_language'))))
{
$_SESSION['e_language'] = $this->detect;
// echo "Assigning Session Language";
$session->set('e_language', $this->detect);
}
if(varset($_COOKIE['e107_language'])!=$this->detect && (defset('MULTILANG_SUBDOMAIN') != TRUE))
@ -444,21 +461,21 @@ class language{
}
else // No Language-change Trigger Detected.
{
if(varset($_SESSION['e_language'])!='')
if($session->has('e_language'))
{
$user_language = $_SESSION['e_language'];
$user_language = $session->get('e_language');
}
elseif(isset($_COOKIE['e107_language']) && ($user_language = $this->isValid($_COOKIE['e107_language'])))
{
$_SESSION['e_language'] = $user_language;
$session->set('e_language', $user_language);
}
else
{
$user_language = $pref['sitelanguage'];
if(isset($_SESSION['e_language']))
if($session->is('e_language'))
{
unset($_SESSION['e_language']);
$session->clear('e_language');
}
if(isset($_COOKIE['e107_language']))
@ -485,13 +502,14 @@ class language{
global $pref;
$language = $this->e_language;
$session = e107::getSession();
if(!isset($_SESSION['language-list']))
if(!$session->is('language-list'))
{
$_SESSION['language-list'] = implode(',',$this->installed());
$session->set('language-list', implode(',',$this->installed()));
}
define('e_LANLIST', $_SESSION['language-list']);
define('e_LANLIST', $session->get('language-list'));
define('e_LANGUAGE', $language);
define('USERLAN', $language); // Keep USERLAN for backward compatibility
$iso = $this->convert($language);
@ -511,8 +529,3 @@ class language{
}
?>
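Review bot: The early return added to `detect()` tests `$foce`, which is never defined, so `if(false !== $this->detect && !$foce) return $this->detect;` ignores the new `$force` parameter (the cached value is always returned) and raises an undefined-variable notice; it should read `if(false !== $this->detect && !$force) return $this->detect;`. The cache also relies on `$this->detect` being initialised to `false` — its declaration is outside the hunk, so confirm. The commented-out `session.cookie_domain` / `session.cookie_path` calls are now dead; since the adjacent comments already say the session handler owns them, the commented code can be removed rather than kept.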


@ -345,7 +345,7 @@ class userlogin
}
// Now check password
$this->userMethods = e107::getSession();
$this->userMethods = e107::getUserSession();
if ($forceLogin)
{
if (md5($this->userData['user_name'].$this->userData['user_password'].$this->userData['user_join']) != $userpass)
@ -355,17 +355,18 @@ class userlogin
}
else
{
if ((($pref['password_CHAP'] > 0) && ($response && isset($_SESSION['challenge'])) && ($response != $_SESSION['challenge'])) || ($pref['password_CHAP'] == 2))
$session = e107::getSession();
if ((($pref['password_CHAP'] > 0) && ($response && $session->is('challenge')) && ($response != $session->get('challenge'))) || ($pref['password_CHAP'] == 2))
{ // Verify using CHAP
// $this->e107->admin_log->e_log_event(4,__FILE__."|".__FUNCTION__."@".__LINE__,"DBG","CHAP login","U: {$username}, P: {$userpass}, C: {$_SESSION['challenge']} R:{$response} S: {$this->userData['user_password']}",FALSE,LOG_TO_ROLLING);
if (($pass_result = $this->userMethods->CheckCHAP($_SESSION['challenge'], $response, $username, $requiredPassword)) === PASSWORD_INVALID)
// $this->e107->admin_log->e_log_event(4,__FILE__."|".__FUNCTION__."@".__LINE__,"DBG","CHAP login","U: {$username}, P: {$userpass}, C: ".$session->get('challenge')." R:{$response} S: {$this->userData['user_password']}",FALSE,LOG_TO_ROLLING);
if (($pass_result = $this->userMethods->CheckCHAP($session->get('challenge'), $response, $username, $requiredPassword)) === PASSWORD_INVALID)
{
return $this->invalidLogin($username,LOGIN_CHAP_FAIL);
}
}
else
{ // Plaintext password
// $this->e107->admin_log->e_log_event(4,__FILE__."|".__FUNCTION__."@".__LINE__,"DBG","Plaintext login","U: {$username}, P: {$userpass}, C: {$_SESSION['challenge']} R:{$response} S: {$this->userData['user_password']}",FALSE,LOG_TO_ROLLING);
// $this->e107->admin_log->e_log_event(4,__FILE__."|".__FUNCTION__."@".__LINE__,"DBG","Plaintext login","U: {$username}, P: {$userpass}, C: ".$session->get('challenge')." R:{$response} S: {$this->userData['user_password']}",FALSE,LOG_TO_ROLLING);
if (($pass_result = $this->userMethods->CheckPassword($userpass,($this->lookEmail ? $this->userData['user_loginname'] : $username),$requiredPassword)) === PASSWORD_INVALID)
{
return $this->invalidLogin($username,LOGIN_BAD_PW);
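Review bot: The two commented-out `admin_log` debug calls were updated to the new `$session->get('challenge')` API instead of being deleted, which keeps alive log statements that would write the submitted plaintext password (`P: {$userpass}`) and the stored password hash to the rolling log if anyone ever uncomments them. Remove both commented lines rather than maintaining them. The enclosing method continues beyond the hunk.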


@ -30,7 +30,7 @@ define('E_MESSAGE_DEBUG', 'debug');
* Handle system messages
*
* @package e107
* @subpackage e107_handlers
* @subpackage e107_handlers
* @version $Id$
* @author SecretR
* @copyright Copyright (C) 2008-2010 e107 Inc (e107.org)
@ -52,6 +52,11 @@ class eMessage
*/
protected $_session_id;
/**
* @var e_core_session
*/
protected $_session_handler = null;
/**
* Singleton instance
*
@ -69,26 +74,10 @@ class eMessage
*/
protected function __construct()
{
if(!session_id()) session_start();
//if(!session_id()) session_start();
require_once(e_HANDLER.'e107_class.php');
$this->_session_id = e107::getPref('cookie_name', 'e107').'_system_messages';
//clean up old not used sessions
$tmp = array_keys($_SESSION);
foreach ($tmp as $key)
{
if($key != $this->_session_id && strpos($key, '_system_messages'))
{
unset($_SESSION[$key]);
}
}
unset($tmp);
if(!isset($_SESSION[$this->_session_id]))
{
$_SESSION[$this->_session_id] = array();
}
$this->_session_id = '_system_messages';
$this->reset()->mergeWithSession();
}
@ -120,11 +109,36 @@ class eMessage
* @param string $name
* @return object $this
*/
public function setSessionId($name)
public function setSessionId($name = '')
{
$this->_session_id = $name.'_system_messages';
$sid = $name.'_system_messages';
if($this->_session_id != $sid)
{
if(session_id())
{
$session = $this->getSessionHandler();
$session->set($sid, $session->get($this->_session_id, true)); // move
if(!$session->has($sid)) $session->set($sid, array()); // be sure it's array
}
$this->_session_id = $sid;
}
return $this;
}
/**
* Get session handler
* @return unknown_type
*/
public function getSessionHandler()
{
if(null === $this->_session_handler)
{
$session = e107::getSession();
if(!$session->has($this->_session_id)) $session->set($this->_session_id, array());
$this->_session_handler = $session;
}
return $this->_session_handler;
}
/**
* Add message to a type stack and default message stack
@ -258,7 +272,7 @@ class eMessage
*/
public function addSession($message, $type = E_MESSAGE_INFO)
{
if(empty($message)) return $this;
if(empty($message) || !session_id()) return $this;
$mstack = 'default';
if(is_array($message))
@ -266,8 +280,13 @@ class eMessage
$mstack = $message[1];
$message = $message[0];
}
$SESSION = $this->getSessionHandler()->get($this->_session_id);
if($this->isType($type)) $_SESSION[$this->_session_id][$type][$mstack][] = $message;
if($this->isType($type))
{
$SESSION[$type][$mstack][] = $message;
$this->getSessionHandler()->set($this->_session_id, $SESSION);
}
return $this;
}
@ -362,7 +381,9 @@ class eMessage
*/
public function getSession($type, $mstack = 'default', $raw = false, $reset = true)
{
$message = isset($_SESSION[$this->_session_id][$type][$mstack]) ? $_SESSION[$this->_session_id][$type][$mstack] : '';
if(!session_id()) return null;
$SESSION = $this->getSessionHandler()->get($this->_session_id);
$message = isset($SESSION[$type][$mstack]) ? $SESSION[$type][$mstack] : '';
if($reset) $this->resetSession($type, $mstack);
return (true === $raw ? $message : self::formatMessage($mstack, $type, $message));
@ -378,6 +399,7 @@ class eMessage
*/
public function getAllSession($mstack = 'default', $raw = false, $reset = true)
{
if(!session_id()) return array();
$ret = array();
foreach ($this->_get_types() as $type)
{
@ -511,35 +533,37 @@ class eMessage
*/
public function resetSession($type = false, $mstack = false)
{
if(!session_id()) return $this;
$SESSION = $this->getSessionHandler()->get($this->_session_id);
if(false === $type)
{
if(false === $mstack)
{
$_SESSION[$this->_session_id] = $this->_type_map();
$SESSION = $this->_type_map();
}
elseif($_SESSION[$this->_session_id])
elseif($SESSION)
{
foreach ($_SESSION[$this->_session_id] as $t => $_mstack)
foreach ($SESSION as $t => $_mstack)
{
if(is_array($_mstack))
{
unset($_SESSION[$this->_session_id][$t][$mstack]);
unset($SESSION[$t][$mstack]);
}
}
}
}
elseif(isset($_SESSION[$this->_session_id][$type]))
elseif(isset($SESSION[$type]))
{
if(false === $mstack)
{
$_SESSION[$this->_session_id][$type] = array();
$SESSION[$type] = array();
}
elseif(is_array($_SESSION[$this->_session_id][$type]))
elseif(is_array($SESSION[$type]))
{
unset($_SESSION[$this->_session_id][$type][$mstack]);
unset($SESSION[$type][$mstack]);
}
}
$this->getSessionHandler()->set($this->_session_id, $SESSION);
return $this;
}
@ -551,27 +575,31 @@ class eMessage
*/
public function mergeWithSession($reset = true, $mstack = false)
{
if(is_array($_SESSION[$this->_session_id]))
// do nothing if there is still no session
if(!session_id()) return $this;
$SESSION = $this->getSessionHandler()->get($this->_session_id);
if(!empty($SESSION))
{
foreach (array_keys($_SESSION[$this->_session_id]) as $type)
foreach (array_keys($SESSION) as $type)
{
if(!$this->isType($type))
{
unset($_SESSION[$this->_session_id][$type]);
unset($SESSION[$type]);
continue;
}
if(false === $mstack)
{
$this->_sysmsg[$type] = array_merge_recursive($this->_sysmsg[$type], $_SESSION[$this->_session_id][$type]);
$this->_sysmsg[$type] = array_merge_recursive($this->_sysmsg[$type], $SESSION[$type]);
continue;
}
if(isset($_SESSION[$this->_session_id][$type][$mstack]))
if(isset($SESSION[$type][$mstack]))
{
$this->_sysmsg[$type][$mstack] = $_SESSION[$this->_session_id][$type][$mstack];
$this->_sysmsg[$type][$mstack] = $SESSION[$type][$mstack];
}
}
$this->getSessionHandler()->set($this->_session_id, $SESSION);
}
if($reset) $this->resetSession(false, $mstack);
return $this;
@ -586,6 +614,10 @@ class eMessage
*/
public function moveToSession($mstack = false, $message_type = false)
{
// do nothing if there is still no session
if(!session_id()) return $this;
$SESSION = $this->getSessionHandler()->get($this->_session_id);
foreach (array_keys($this->_sysmsg) as $type)
{
if(!$this->isType($type) || ($message_type && $message_type !== $type))
@ -595,16 +627,16 @@ class eMessage
}
if(false === $mstack)
{
$_SESSION[$this->_session_id][$type] = array_merge_recursive( $_SESSION[$this->_session_id][$type], $this->_sysmsg[$type]);
$SESSION[$type] = array_merge_recursive($SESSION[$type], $this->_sysmsg[$type]);
continue;
}
if(isset($this->_sysmsg[$type][$mstack]))
{
$_SESSION[$this->_session_id][$type][$mstack] = $this->_sysmsg[$type][$mstack];
$SESSION[$type][$mstack] = $this->_sysmsg[$type][$mstack];
}
}
$this->getSessionHandler()->set($this->_session_id, $SESSION);
$this->reset($message_type, $mstack, false);
return $this;
}
@ -656,8 +688,11 @@ class eMessage
*/
public function moveSessionStack($from_stack, $to_stack = 'default', $type = false)
{
if($from_stack == $to_stack) return $this;
foreach ($_SESSION[$this->_session_id] as $_type => $stacks)
// do nothing if there is still no session
if(!session_id() || $from_stack == $to_stack) return $this;
$SESSION = $this->getSessionHandler()->get($this->_session_id);
foreach ($SESSION as $_type => $stacks)
{
if($type && $type !== $_type)
{
@ -665,14 +700,15 @@ class eMessage
}
if(isset($stacks[$from_stack]))
{
if(!isset($_SESSION[$this->_session_id][$_type][$to_stack]))
if(!isset($SESSION[$_type][$to_stack]))
{
$_SESSION[$this->_session_id][$_type][$to_stack] = array();
$SESSION[$_type][$to_stack] = array();
}
$_SESSION[$this->_session_id][$_type][$to_stack] = array_merge($_SESSION[$this->_session_id][$_type][$to_stack], $this->_sysmsg[$_type][$from_stack]);
unset($_SESSION[$this->_session_id][$_type][$from_stack]);
$SESSION[$_type][$to_stack] = array_merge($SESSION[$_type][$to_stack], $this->_sysmsg[$_type][$from_stack]);
unset($SESSION[$_type][$from_stack]);
}
}
$this->getSessionHandler()->set($this->_session_id, $SESSION);
return $this;
}


@ -183,13 +183,16 @@ class e_user_model extends e_front_model
return ($this->isAdmin() ? $this->get('user_perms') : false);
}
/**
* DEPRECATED - will be removed or changed soon (see e_session)
* @return string
*/
public function getToken()
{
if($this->isUser()) return '';
if(null === $this->get('user_token'))
{
$this->set('user_token', md5($this->get('user_password').$this->get('user_lastvisit').$this->get('user_pwchange').$this->get('user_class')));
//$this->set('user_token', md5($this->get('user_password').$this->get('user_lastvisit').$this->get('user_pwchange').$this->get('user_class')));
$this->set('user_token', e107::getSession()->getFormToken(false));
}
return $this->get('user_token');
}
@ -307,6 +310,7 @@ class e_user_model extends e_front_model
/**
* Check passed value against current user token
* DEPRECATED - will be removed or changed soon (see e_core_session)
* @param string $token md5 sum of e.g. posted token
* @return boolean
*/
@ -1286,6 +1290,7 @@ class e_user extends e_user_model
{
$this->_session_key = e107::getPref('cookie_name', 'e107cookie');
$this->_session_type = e107::getPref('user_tracking', 'cookie');
if('session' == $this->_session_type && isset($_SESSION[$this->_session_key]) && !empty($_SESSION[$this->_session_key]))
{
$this->_session_data = &$_SESSION[$this->_session_key];
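Review bot: The `session` tracking branch at the end of this section still reads `$_SESSION[$this->_session_key]` directly and takes a reference into it, while getToken() above and the rest of the commit route session access through e107::getSession(); if the new handler now owns the session array, a raw reference can bypass it, so either convert this branch too or leave a comment saying the user-tracking storage is intentionally not migrated yet. The two DEPRECATED notes name different replacements (`e_session` on getToken, `e_core_session` on the checkToken docblock); pick one so readers find the right class. Since `user_token` now caches a per-session form token rather than a digest of user-row fields, the getToken docblock should say so: `@return string form token from e107::getSession()->getFormToken(), cached in user_token for the request`. The enclosing class continues outside the visible hunks.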


@ -315,7 +315,8 @@ define("LAN_DESCRIPTION", "Description");
define("LAN_VISIBILITY", "Visibility");
define("LAN_ICON", "Icon");
define("LAN_SECURITYL_0", "Looking for troubles (none)");
define("LAN_SECURITYL_5", "Balanced");
define("LAN_SECURITYL_7", "High");
define("LAN_SECURITYL_9", "Paranoid");
define("LAN_SECURITYL_10", "Insane");


@ -28,4 +28,5 @@ define("FOOTLAN_16", "Database");
define("FOOTLAN_17", "Charset");
define("FOOTLAN_18", "Site Theme");
define("FOOTLAN_19", "Server Time");
define("FOOTLAN_20", "Security level");
?>


@ -55,7 +55,7 @@ SC_END
SC_BEGIN LM_PASSWORD_INPUT
global $pref;
$t_password = "<input class='tbox login pass' type='password' name='userpass' id='userpass' size='15' value='' maxlength='30' />\n";
if (!USER && isset($_SESSION['challenge']) && varset($pref['password_CHAP'],0)) $t_password .= "<input type='hidden' name='hashchallenge' id='hashchallenge' value='{$_SESSION['challenge']}' />\n\n";
if (!USER && e107::getSession()->is('challenge') && varset($pref['password_CHAP'],0)) $t_password .= "<input type='hidden' name='hashchallenge' id='hashchallenge' value='".e107::getSession()->get('challenge')."' />\n\n";
return $t_password;
SC_END
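Review bot: The challenge value read from the session is concatenated straight into the `value` attribute of the hidden input; the old line had the same pattern with `$_SESSION['challenge']`, and the rewrite keeps it. Even if the challenge is always a hex digest today, escaping it at the output boundary keeps the markup correct should the way it is generated ever change: `value='".htmlspecialchars(e107::getSession()->get('challenge'), ENT_QUOTES, 'UTF-8')."'`. Calling e107::getSession() twice in one condition could also be hoisted into a local `$ses = e107::getSession();`. The identical line appears in the login template section below (`$LOGIN_TABLE_PASSWORD .= ...`) and should get the same treatment.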


@ -20,6 +20,9 @@ $In_e107_Footer = TRUE; // For registered shutdown function
global $error_handler,$db_time,$FOOTER;
// Clean session shutdown
e107::getSession()->shutdown();
//
// SHUTDOWN SEQUENCE
//
@ -267,6 +270,8 @@ e107::getJs()->renderJs('footer_inline', true);
// This must be done as late as possible in page processing.
$_serverTime = time();
$lastSet = isset($_COOKIE['e107_tdSetTime']) ? $_COOKIE['e107_tdSetTime'] : 0;
$_serverPath = e_HTTP;
$_serverDomain = deftrue('MULTILANG_SUBDOMAIN') ? '.'.e_DOMAIN : '';
if (abs($_serverTime - $lastSet) > 120)
{
/* update time delay every couple of minutes.
@ -274,7 +279,7 @@ if (abs($_serverTime - $lastSet) > 120)
* Drawback: each update may cause all server times to display a bit different
*/
echo "<script type='text/javascript'>\n";
echo "SyncWithServerTime('{$_serverTime}');
echo "SyncWithServerTime('{$_serverTime}', '{$_serverPath}', '{$_serverDomain}');
</script>\n";
}
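Review bot: `$_serverPath` and `$_serverDomain` are interpolated into a JavaScript string literal inside the inline `<script>` with no escaping; e_HTTP and e_DOMAIN are presumably configuration-derived, but a quote or backslash in either would break or alter the emitted script. Emitting all three arguments through `json_encode()` makes the call robust regardless of their content, e.g. `echo "SyncWithServerTime(".json_encode((string)$_serverTime).", ".json_encode($_serverPath).", ".json_encode($_serverDomain).");\n</script>\n";`. Also, `e107::getSession()->shutdown()` now runs at the very top of the footer while the rest of the shutdown sequence follows it; a comment stating that no session writes are allowed after this call would prevent later footer code from silently losing data — I cannot see from here whether shutdown() tolerates late writes.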


@ -44,7 +44,7 @@ if ($pref['membersonly_enabled'])
$FOOTER = preg_replace("/\{(.*?)\}/e", '$\1', $FPW_TABLE_FOOTER);
}
$user_info = e107::getSession();
$user_info = e107::getUserSession();
require_once(HEADERF);


@ -160,7 +160,13 @@ $e107_paths = array();
$e107 = e107::getInstance();
$e107->initInstall($e107_paths, realpath(dirname(__FILE__)));
unset($e107_paths);
session_start();
// NEW - session handler
require_once(e_HANDLER.'session_handler.php');
define('e_SECURITY_LEVEL', e_session::SECURITY_LEVEL_NONE);
define('e_COOKIE', 'e107install');
e107::getSession(); // starts session, creates default namespace
// session_start();
function include_lan($path, $force = false)
{
@ -199,7 +205,7 @@ class e_install
var $required = ""; //TODO - use for highlighting required fields with css/js.
var $logFile; // Name of log file, empty string if logging disabled
var $dbLink = NULL; // DB link - needed for PHP5.3 bug
var $session = null;
// public function __construct()
function e_install()
@ -208,6 +214,9 @@ class e_install
define('USERID', 1);
define('USER', true);
define('ADMIN', true);
// session instance
$this->session = e107::getSession();
$this->logFile = '';
if (MAKE_INSTALL_LOG)
@ -1357,7 +1366,7 @@ class e_install
return nl2br(LANINS_060)."<br /><br />";
}
preg_match_all("/create(.*?)(?:myisam|innodb);/si", $sql_data, $result );
preg_match_all("/create(.*?)(?:myisam|innodb);/si", $sql_data, $result );
// Force UTF-8 again
$this->dbqry('SET NAMES `utf8`');
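Review bot: `e_SECURITY_LEVEL` is hard-coded to `e_session::SECURITY_LEVEL_NONE` at the top of this section with no explanation, which is the weakest setting the new session handler offers; a short comment would stop it being copied into site code and record the intent, e.g. `// Installer only: no e107_config.php yet, so session security checks are disabled here; TODO expose the level as an install option`. The commented-out `// session_start();` left next to the new `e107::getSession();` call is dead code and can be dropped. The new `var $session = null;` property has no docblock; `/** @var e_session */` would tell readers what the constructor assigns into it. The two `preg_match_all` lines near the end of the section render identically, so I cannot tell what changed there; if it is whitespace only, it is fine as-is.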


@ -48,9 +48,9 @@ if (!USER)
$LOGIN_TABLE_LOGINMESSAGE = LOGINMESSAGE;
$LOGIN_TABLE_USERNAME = "<input class='tbox' type='text' name='username' id='username' size='40' maxlength='100' />";
$LOGIN_TABLE_PASSWORD = "<input class='tbox' type='password' name='userpass' id='userpass' size='40' maxlength='100' />";
if (!USER && isset($_SESSION['challenge']) && varset($pref['password_CHAP'],0))
if (!USER && e107::getSession()->is('challenge') && varset($pref['password_CHAP'],0))
{
$LOGIN_TABLE_PASSWORD .= "<input type='hidden' name='hashchallenge' id='hashchallenge' value='{$_SESSION['challenge']}' />\n\n";
$LOGIN_TABLE_PASSWORD .= "<input type='hidden' name='hashchallenge' id='hashchallenge' value='".e107::getSession()->get('challenge')."' />\n\n";
}
if ($use_imagecode)
{


@ -36,7 +36,7 @@ require_once(e_HANDLER.'calendar/calendar_class.php');
$cal = new DHTML_Calendar(true);
require_once(e_HANDLER.'validator_class.php');
// require_once(e_HANDLER.'user_handler.php');
$userMethods = e107::getSession();
$userMethods = e107::getUserSession();
$userMethods->deleteExpired(); // Delete time-expired partial registrations
require_once(e107::coreTemplatePath('signup')); //correct way to load a core template.


@ -53,7 +53,7 @@ require_once (e_HANDLER.'user_extended_class.php');
require_once(e_HANDLER.'validator_class.php');
$ue = new e107_user_extended;
$userMethods = e107::getSession();
$userMethods = e107::getUserSession();
require_once (e_HANDLER.'ren_help.php');
include_once (e107::coreTemplatePath('usersettings')); //correct way to load a core template.