diff --git a/class2.php b/class2.php index e4c91be1b..7fe0878a7 100644 --- a/class2.php +++ b/class2.php @@ -223,6 +223,23 @@ $e107_paths = compact('ADMIN_DIRECTORY', 'FILES_DIRECTORY', 'IMAGES_DIRECTORY', $sql_info = compact('mySQLserver', 'mySQLuser', 'mySQLpassword', 'mySQLdefaultdb', 'mySQLprefix'); $e107 = e107::getInstance()->initCore($e107_paths, realpath(dirname(__FILE__)), $sql_info, varset($E107_CONFIG, array())); +/** + * NEW - system security levels + * Could be overridden by e107_config.php OR $CLASS2_INCLUDE script (if not set earlier) + * + * 0 disabled + * 5 safe mode (balanced) + * 7 high + * 9 paranoid + * 10 insane + * for more detailed info see e_session SECURITY_LEVEL_* constants + * default is e_session::SECURITY_LEVEL_BALANCED (5) + */ +if(!defined('e_SECURITY_LEVEL')) +{ + require_once(e_HANDLER.'session_handler.php'); + define('e_SECURITY_LEVEL', e_session::SECURITY_LEVEL_BALANCED); +} // MOVED TO $e107->set_request() //$inArray = array("'", ';', '/**/', '/UNION/', '/SELECT/', 'AS '); @@ -281,6 +298,7 @@ $tp = e107::getParser(); //TODO - find & replace $tp, $e107->tp // All debug objects and constants are defined in the debug handler // i.e. from here on you can use E107_DEBUG_LEVEL or any // E107_DBG_* constant for debug testing. +// TODO - rewrite the debug init phase, add e107 class getters // require_once(e_HANDLER.'debug_handler.php'); @@ -292,6 +310,7 @@ if(E107_DEBUG_LEVEL && isset($db_debug) && is_object($db_debug)) // // I: Sanity check on e107_config.php // e107_config.php upgrade check +// FIXME - obsolete check, rewrite it if (!$ADMIN_DIRECTORY && !$DOWNLOADS_DIRECTORY) { message_handler('CRITICAL_ERROR', 8, ': generic, ', 'e107_config.php'); 
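Review bot: The fallback `define('e_SECURITY_LEVEL', e_session::SECURITY_LEVEL_BALANCED)` references a class named `e_session`, while the autoload entry and `e107::getSession()` added in e107_handlers/e107_class.php register `e_core_session` from the same session_handler.php; if `e_session` is not a class declared in that file this define is a fatal error at boot, so the name is worth confirming before merge. The docblock says the level "could be overridden by e107_config.php", but since this block only runs when the constant is still undefined, stating that explicitly (`// only the default; a define() in e107_config.php or $CLASS2_INCLUDE wins`) would make the precedence clear. The value is later printed verbatim in the admin footer next to `LAN_SECURITYL_*`, so the level table in this docblock should be kept in step with those language strings.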
@@ -304,7 +323,7 @@ if (!$ADMIN_DIRECTORY && !$DOWNLOADS_DIRECTORY) e107::getSingleton('e107_traffic'); // We start traffic counting ASAP //$eTraffic->Calibrate($eTraffic); -e107_require_once(e_HANDLER.'mysql_class.php'); +// e107_require_once(e_HANDLER.'mysql_class.php'); //DEPRECATED, BC, $e107->sql caught by __get() $sql = e107::getDb(); //TODO - find & replace $sql, $e107->sql @@ -317,8 +336,7 @@ $merror=$sql->db_Connect($mySQLserver, $mySQLuser, $mySQLpassword, $mySQLdefault //DEPRECATED, BC, call the method only when needed $sql2 = e107::getDb('sql2'); //TODO find & replace all $sql2 calls -$sql->db_Mark_Time('Start: Prefs, misc tables'); - +$sql->db_Mark_Time('Start: Prefs, misc tables'); //DEPRECATED, BC, call the method only when needed, $e107->admin_log caught by __get() $admin_log = e107::getAdminLog(); //TODO - find & replace $admin_log, $e107->admin_log @@ -403,7 +421,7 @@ if(!e107::getConfig()->hasData()) } -//DEPRECATED, BC, call e107::getPref() instead +//DEPRECATED, BC, call e107::getPref/findPref() instead $pref = e107::getPref(); //this could be part of e107->init() method now, prefs will be auto-initialized @@ -426,7 +444,7 @@ e107::getLanguage()->detect(); // // if a cookie name pref isn't set, make one :) -// TODO - do we really need this? e107 method could do the job. +// e_COOKIE used as unique session cookie name now (see session handler) if (!$pref['cookie_name']) { $pref['cookie_name'] = 'e107cookie'; } define('e_COOKIE', $pref['cookie_name']); 
@@ -434,28 +452,6 @@ define('e_COOKIE', $pref['cookie_name']); //define('SITEURLBASE', ($pref['ssl_enabled'] == '1' ? 'https://' : 'http://').$_SERVER['HTTP_HOST']); //define('SITEURL', SITEURLBASE.e_HTTP); - - -// start a session if session based login is enabled -// if ($pref['user_tracking'] == 'session') -{ - session_start(); - - - - if (!isset($_SESSION['challenge'])) - { // New session - // Create a unique challenge string for CHAP login - $_SESSION['challenge'] = sha1(time().session_id()); - } - $ubrowser = md5('E107'.$_SERVER['HTTP_USER_AGENT']); - if (!isset($_SESSION['ubrowser'])) - { - $_SESSION['ubrowser'] = $ubrowser; - } -} - - // if the option to force users to use a particular url for the site is enabled, redirect users there as needed // Now matches RFC 2616 (sec 3.2): case insensitive, https/:443 and http/:80 are equivalent. // And, this is robust against hack attacks. Malignant users can put **anything** in HTTP_HOST! @@ -511,6 +507,12 @@ if($pref['redirectsiteurl'] && $pref['siteurl']) { * Set the User's Language */ $sql->db_Mark_Time('Start: Set User Language'); +// SESSION Needs to be started after: +// - Site preferences are available +// - Language detection (because of session.cookie_domain) +// to avoid multi-language 'access-denied' issues. +//session_start(); see e107::getSession() above +e107::getSession(); //init core _SESSION - actually here for reference only, it's done by language handler set() method e107::getLanguage()->set(); // set e_LANGUAGE, USERLAN, Language Session / Cookies etc. requires $pref; if(varset($pref['multilanguage']) && (e_LANGUAGE != $pref['sitelanguage'])) 
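Review bot: The comment `//session_start(); see e107::getSession() above` points upward, but the call that replaces session_start() is the line directly below it, and that line's own trailing comment says the session is "actually" opened by `e107::getLanguage()->set()`; a reader cannot tell which call is the real start point. If `e107::getSession()` is the opener, one comment such as `// Session is opened here, after prefs and language detection (session.cookie_domain depends on it)` is enough and the "for reference only" remark should go; if set() is the opener, the explicit `e107::getSession()` call is redundant and should be dropped so there is a single place where the session begins. Either way, the four-line rationale above it is good and should stay.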
@@ -523,10 +525,14 @@ if(varset($pref['multilanguage']) && (e_LANGUAGE != $pref['sitelanguage'])) e107_include_once(e_LANGUAGEDIR.e_LANGUAGE.'/'.e_LANGUAGE.'.php'); e107_include_once(e_LANGUAGEDIR.e_LANGUAGE."/".e_LANGUAGE.'_custom.php'); +e107::getSession() + ->challenge() // Create a unique challenge string for CHAP login + ->check(); // Token protection +// echo e_print($_SESSION, e107::getSession()->getSessionId(), e107::getSession()->getSessionName()); // // N: misc setups: online user tracking, cache // -$sql -> db_Mark_Time('Start: Misc resources. Online user tracking, cache'); +$sql->db_Mark_Time('Start: Misc resources. Online user tracking, cache'); //DEPRECATED, BC, call the method only when needed, $e107->ecache caught by __get() $e107cache = e107::getCache(); //TODO - find & replace $e107cache, $e107->ecache @@ -771,8 +777,8 @@ if (isset($_POST['userlogin']) || isset($_POST['userlogin_x'])) // $usr = new userlogin($_POST['username'], $_POST['userpass'], $_POST['autologin'], varset($_POST['hashchallenge'],'')); } - -if ((e_QUERY == 'logout') || (($pref['user_tracking'] == 'session') && isset($_SESSION['ubrowser']) && ($_SESSION['ubrowser'] != $ubrowser))) +// $_SESSION['ubrowser'] check not needed anymore - see session handler +if ((e_QUERY == 'logout')/* || (($pref['user_tracking'] == 'session') && isset($_SESSION['ubrowser']) && ($_SESSION['ubrowser'] != $ubrowser))*/) { if (USER) { @@ -784,6 +790,8 @@ if ((e_QUERY == 'logout') || (($pref['user_tracking'] == 'session') && isset($_S $ip = $e107->getip(); $udata = (USER === true ? USERID.'.'.USERNAME : '0'); + + // TODO - should be done inside online handler, more core areas need it (session handler for example) $sql->db_Update('online', "online_user_id = 0, online_pagecount=online_pagecount+1 WHERE online_user_id = '{$udata}' LIMIT 1"); if ($pref['user_tracking'] == 'session') 
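Review bot: The commented-out debug line `// echo e_print($_SESSION, e107::getSession()->getSessionId(), e107::getSession()->getSessionName());` added right after the new `->challenge()->check()` call would dump the entire session, including the CHAP challenge and the token, into the page if it is ever uncommented; delete it rather than ship it. The same goes for the old ubrowser condition kept as `/* ... */` inside the logout `if` in the `@@ -771` hunk below — the comment line above it already records why it was removed. What `check()` does on a token mismatch is not visible here; a short comment on that line, e.g. `// check(): rejects the request on token mismatch (see e_core_session) — confirm`, would help, since the older `__referer` check in init_session() is still active in parallel.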
@@ -1423,6 +1431,7 @@ function init_session() define('POST_REFERER', md5($user->getToken())); // Check for intruders - outside the model for now + // TODO replace __referer with e-token, remove the above if((isset($_POST['__referer']) && !$user->checkToken($_POST['__referer'])) || (isset($_GET['__referer']) && !$user->checkToken($_GET['__referer']))) { @@ -1691,6 +1700,16 @@ if(!isset($_E107['no_online']) && varset($pref['track_online'])) e107::getOnline()->goOnline($pref['track_online'], $pref['flood_protect']); } +/** + * Set Cookie + * @param string $name + * @param string $value + * @param integer $expire seconds + * @param string $path + * @param string $domain + * @param boolean $secure + * @return void + */ function cookie($name, $value, $expire=0, $path = e_HTTP, $domain = '', $secure = 0) { setcookie($name, $value, $expire, $path, $domain, $secure); diff --git a/e107_admin/auth.php b/e107_admin/auth.php index d6401f757..5f1efe169 100644 --- a/e107_admin/auth.php +++ b/e107_admin/auth.php @@ -115,11 +115,13 @@ else } $edata_li = array("user_id"=>$row['user_id'], "user_name"=>$row['user_name'], 'class_list'=>implode(',', $class_list), 'user_admin'=> $row['user_admin']); - - e107::getEvent()->trigger("login", $edata_li); - + + // Fix - set cookie before login trigger session_set(e_COOKIE, $cookieval, (time() + 3600 * 24 * 30)); - echo "\n"; + + e107::getEvent()->trigger("login", $edata_li); + e107::getRedirect()->redirect(e_ADMIN_ABS.'admin.php'); + //echo "\n"; } } @@ -166,9 +168,10 @@ class auth ".ADLAN_90." \n"; - if (isset($_SESSION['challenge']) && varset($pref['password_CHAP'], 0)) + $session = e107::getSession(); + if ($session->is('challenge') && varset($pref['password_CHAP'], 0)) - $text .= "\n\n"; + $text .= "\n\n"; $text .= "\n"; if ($use_imagecode) 
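Review bot: The new docblock on `cookie()` documents `@param integer $expire seconds`, but the value is handed straight to `setcookie()`, whose expire argument is an absolute Unix timestamp (0 = session cookie), and the auth.php hunk in this same diff passes `time() + 3600 * 24 * 30`; suggest `@param integer $expire Unix timestamp at which the cookie expires, 0 for a session cookie`. `$secure` is documented as `boolean` while its default is the integer `0`. The wrapper also never sets the HttpOnly flag (seventh `setcookie()` argument), so every cookie set through it stays readable from script; passing `true` there, or adding a trailing `$httponly = true` parameter, is the cheap hardening if this wrapper is used for the login cookie. The function body continues outside the hunk.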
@@ -210,7 +213,7 @@ class auth $tp = e107::getParser(); $sql_auth = e107::getDb('sql_auth'); - $user_info = e107::getSession(); + $user_info = e107::getUserSession(); $reason = ''; $authname = $tp->toDB(preg_replace("/\sOR\s|\=|\#/", "", trim($authname))); @@ -239,9 +242,10 @@ class auth } if (!$reason && ($row['user_id'])) // Can validate password { - if (($authresponse && isset($_SESSION['challenge'])) && ($authresponse != $_SESSION['challenge'])) + $session = e107::getSession(); + if (($authresponse && $session->is('challenge')) && ($authresponse != $session->get('challenge'))) { // Verify using CHAP (can't handle login by email address - only loginname - although with this code it does still work if the password is stored unsalted) - if (($pass_result = $user_info->CheckCHAP($_SESSION['challenge'], $authresponse, $authname, $row['user_password'])) !== PASSWORD_INVALID) + if (($pass_result = $user_info->CheckCHAP($session->get('challenge'), $authresponse, $authname, $row['user_password'])) !== PASSWORD_INVALID) { return $$row; } diff --git a/e107_admin/cron.php b/e107_admin/cron.php index 540b226d1..388908b02 100644 --- a/e107_admin/cron.php +++ b/e107_admin/cron.php @@ -291,7 +291,7 @@ function setCronPwd() { global $pref; - $userMethods = e107::getSession(); + $userMethods = e107::getUserSession(); $newpwd = $userMethods->generateRandomString('*^*#.**^*'); $newpwd = sha1($newpwd.time()); $pref['e_cron_pwd'] = $newpwd; diff --git a/e107_admin/footer.php b/e107_admin/footer.php index 322846ca2..56cacfe73 100644 --- a/e107_admin/footer.php +++ b/e107_admin/footer.php @@ -21,6 +21,9 @@ $In_e107_Footer = TRUE; // For registered shutdown function global $error_handler,$db_time,$ADMIN_FOOTER; +// Clean session shutdown +e107::getSession()->shutdown(); + // // SHUTDOWN SEQUENCE // 
@@ -287,6 +290,8 @@ e107::getJs()->renderJs('footer_inline', true); // This must be done as late as possible in page processing. $_serverTime = time(); $lastSet = isset($_COOKIE['e107_tdSetTime']) ? $_COOKIE['e107_tdSetTime'] : 0; +$_serverPath = e_HTTP; +$_serverDomain = deftrue('MULTILANG_SUBDOMAIN') ? '.'.e_DOMAIN : ''; if (abs($_serverTime - $lastSet) > 120) { /* update time delay every couple of minutes. @@ -294,7 +299,7 @@ if (abs($_serverTime - $lastSet) > 120) * Drawback: each update may cause all server times to display a bit different */ echo "\n"; } diff --git a/e107_admin/language.php b/e107_admin/language.php index 91d0d98be..10e0cae7f 100644 --- a/e107_admin/language.php +++ b/e107_admin/language.php @@ -25,10 +25,10 @@ $e_sub_cat = 'language'; require_once ("auth.php"); require_once (e_HANDLER."form_handler.php"); require_once (e_HANDLER."message_handler.php"); -$frm = new e_form(); -$emessage = &eMessage::getInstance(); +$frm = e107::getForm(); +$emessage = e107::getMessage(); $tabs = table_list(); // array("news","content","links"); -$lanlist = explode(",", e_LANLIST); +$lanlist = e107::getLanguage()->installed();// Bugfix - don't use e_LANLIST as it's cached (SESSION) $message = ''; if (e_QUERY) { diff --git a/e107_admin/links.php b/e107_admin/links.php index 031ea477b..b84961a8f 100644 --- a/e107_admin/links.php +++ b/e107_admin/links.php 
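Review bot: `$_serverPath = e_HTTP` and `$_serverDomain` are new values that the following `echo` writes into the inline `SyncWithServerTime(...)` call, but the echo's content is not visible in this chunk, so I cannot confirm they are quoted and escaped as JavaScript string literals. e_DOMAIN is presumably derived from the request host, which class2.php's own comment in this diff describes as attacker-controlled, so emit both with `json_encode($_serverPath)` / `json_encode($_serverDomain)` rather than string interpolation. Note also that this hunk tests the constant with `deftrue('MULTILANG_SUBDOMAIN')` while language_class.php's detect() uses `defset('MULTILANG_SUBDOMAIN') !== FALSE`; equivalent only if the constant is ever set to TRUE, which a one-line comment could state.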
@@ -1,21 +1,25 @@ array('title'=> '', 'width' => '3%','forced' => true,'thclass' => 'center first','class' => 'center first'), 'link_button' => array('title'=> LAN_ICON, 'type'=>'icon', 'width'=>'5%', 'thclass' => 'center', 'class'=>'center'), 'link_id' => array('title'=> ID, 'nolist'=>TRUE), - 'link_name' => array('title'=> LCLAN_15, 'width'=>'auto','type'=>'method'), + 'link_name' => array('title'=> LCLAN_15, 'width'=>'auto','type'=>'method', 'validate' => true), 'link_parent' => array('title'=> 'Sublink of', 'type' => 'dropdown', 'width' => 'auto', 'batch'=>true, 'filter'=>true, 'thclass' => 'left first'), - 'link_url' => array('title'=> LCLAN_93, 'width'=>'auto', 'type'=>'text'), + 'link_url' => array('title'=> LCLAN_93, 'width'=>'auto', 'type'=>'text', 'validate' => true), 'link_class' => array('title'=> LAN_USERCLASS, 'type' => 'userclass', 'batch'=>true, 'filter'=>true, 'width' => 'auto'), 'link_description' => array('title'=> LCLAN_17, 'type' => 'bbarea', 'method'=>'tinymce_plugins', 'width' => 'auto'), 'link_category' => array('title'=> LCLAN_12, 'type' => 'dropdown', 'batch'=>true, 'filter'=>true, 'width' => 'auto'), diff --git a/e107_admin/updateadmin.php b/e107_admin/updateadmin.php index 020b85f7a..3cd977408 100644 --- a/e107_admin/updateadmin.php +++ b/e107_admin/updateadmin.php @@ -23,10 +23,10 @@ $e_sub_cat = 'admin_pass'; require_once(e_ADMIN.'auth.php'); require_once(e_HANDLER.'message_handler.php'); -// require_once(e_HANDLER.'user_handler.php'); //use e107::getSession() instead. +// require_once(e_HANDLER.'user_handler.php'); //use e107::getUserSession() instead. require_once(e_HANDLER.'validator_class.php'); -$userMethods = e107::getSession(); -$emessage = &eMessage::getInstance(); +$userMethods = e107::getUserSession(); +$emessage = e107::getMessage(); if (isset($_POST['update_settings'])) { diff --git a/e107_admin/users.php b/e107_admin/users.php index 407619a19..52bad7999 100644 --- a/e107_admin/users.php +++ b/e107_admin/users.php 
@@ -89,7 +89,7 @@ require_once (e_HANDLER.'validator_class.php'); // $userMethods = new UserHandler; // $colList = $userMethods->getNiceNames(TRUE); $ue = new e107_user_extended; -$userMethods = e107::getSession(); +$userMethods = e107::getUserSession(); $user_data = array(); $frm = new e_form; $rs = new form; diff --git a/e107_core/shortcodes/batch/admin_shortcodes.php b/e107_core/shortcodes/batch/admin_shortcodes.php index c3bb6d487..42291d5ed 100644 --- a/e107_core/shortcodes/batch/admin_shortcodes.php +++ b/e107_core/shortcodes/batch/admin_shortcodes.php @@ -776,7 +776,7 @@ class admin_shortcodes $obj = e107::getDateConvert(); $install_date = $obj->convert_date($pref['install_date'], 'long'); - + $text = "".FOOTLAN_1."
". SITENAME." @@ -790,6 +790,10 @@ class admin_shortcodes
".FOOTLAN_3." ".$e107info['e107_version']."

+ ".FOOTLAN_20." +
+ [".e_SECURITY_LEVEL."] ".defset('LAN_SECURITYL_'.e_SECURITY_LEVEL, 'n/a')." +

".FOOTLAN_18."
".$pref['sitetheme']."

".FOOTLAN_5." diff --git a/e107_files/e107.js b/e107_files/e107.js index c5accdd6b..dbe630864 100644 --- a/e107_files/e107.js +++ b/e107_files/e107.js @@ -36,21 +36,24 @@ var localTime = Math.floor(nowLocal.getTime()/1000); /* time, in ms -- recorded * The value calculated in SyncWithServerTime is not known until after the * entire page has been processed. */ -function SyncWithServerTime(serverTime) +function SyncWithServerTime(serverTime, path, domain) { if (serverTime) { /* update time difference cookie */ var serverDelta=Math.floor(localTime-serverTime); - document.cookie = 'e107_tdOffset='+serverDelta+'; path=/'; - document.cookie = 'e107_tdSetTime='+(localTime-serverDelta)+'; path=/'; /* server time when set */ + if(!path) path = '/'; + if(!domain) domain = ''; + else domain = '; domain=' + domain; + document.cookie = 'e107_tdOffset='+serverDelta+'; path='+path+domain; + document.cookie = 'e107_tdSetTime='+(localTime-serverDelta)+'; path='+path+domain; /* server time when set */ } var tzCookie = 'e107_tzOffset='; // if (document.cookie.indexOf(tzCookie) < 0) { /* set if not already set */ var timezoneOffset = nowLocal.getTimezoneOffset(); /* client-to-GMT in minutes */ - document.cookie = tzCookie + timezoneOffset+'; path=/'; + document.cookie = tzCookie + timezoneOffset+'; path='+path+domain; // } } var ns6=0; diff --git a/e107_files/jslib/e107.js.php b/e107_files/jslib/e107.js.php index 435ec6690..4b76a971b 100644 --- a/e107_files/jslib/e107.js.php +++ b/e107_files/jslib/e107.js.php 
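Review bot: The new `path`/`domain` defaulting sits inside `if (serverTime)`, but both variables are also used for the `e107_tzOffset` cookie written after that block; when `SyncWithServerTime` is called with a falsy `serverTime` and no path/domain the cookie string becomes `path=undefinedundefined` and the browser drops or mis-scopes it. Move the three defaulting lines above the `if`: `if(!path) path = '/'; if(!domain) domain = ''; else domain = '; domain=' + domain;`. The same function is duplicated verbatim in e107_files/jslib/e107.js.php (next hunk) with the same defect; keeping a single copy would stop the two from drifting. Neither cookie carries an expiry, so they remain session-scoped, which looks intended.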
@@ -31,21 +31,24 @@ var localTime = Math.floor(nowLocal.getTime()/1000); /* time, in ms -- recorded * The value calculated in SyncWithServerTime is not known until after the * entire page has been processed. */ -function SyncWithServerTime(serverTime) +function SyncWithServerTime(serverTime, path, domain) { - if (serverTime) + if (serverTime) { /* update time difference cookie */ var serverDelta=Math.floor(localTime-serverTime); - document.cookie = 'e107_tdOffset='+serverDelta+'; path=/'; - document.cookie = 'e107_tdSetTime='+(localTime-serverDelta)+'; path=/'; /* server time when set */ + if(!path) path = '/'; + if(!domain) domain = ''; + else domain = '; domain=' + domain; + document.cookie = 'e107_tdOffset='+serverDelta+'; path='+path+domain; + document.cookie = 'e107_tdSetTime='+(localTime-serverDelta)+'; path='+path+domain; /* server time when set */ } var tzCookie = 'e107_tzOffset='; // if (document.cookie.indexOf(tzCookie) < 0) { /* set if not already set */ var timezoneOffset = nowLocal.getTimezoneOffset(); /* client-to-GMT in minutes */ - document.cookie = tzCookie + timezoneOffset+'; path=/'; + document.cookie = tzCookie + timezoneOffset+'; path='+path+domain; // } } diff --git a/e107_handlers/admin_log_class.php b/e107_handlers/admin_log_class.php index e2dbf8e31..b834777a0 100644 --- a/e107_handlers/admin_log_class.php +++ b/e107_handlers/admin_log_class.php @@ -88,7 +88,9 @@ class e_admin_log define('USER_AUDIT_TEMP_ACCOUNT', 24); // User temporary account // Init E_MESSAGE_* constants if not already done - e107::getMessage(); + // e107::getMessage(); - just include, message handler is creating session in construct + // it breaks stuff (see class2 - language detection and comments) + require_once(e_HANDLER.'message_handler.php'); $this->_messages = array(); } 
@@ -139,6 +141,11 @@ class e_admin_log $event_detail = implode("[!br!]\n", $tmp); unset($tmp); } + else + { + // auto-format long details - TODO - shrink details on administration log page, expand/show in DHTML window full details. + $event_detail = str_replace("\n", "[!br!]", $event_detail); + } if ($this->_options['backtrace'] == true) { diff --git a/e107_handlers/admin_ui.php b/e107_handlers/admin_ui.php index 2af7511b2..10e310fa6 100644 --- a/e107_handlers/admin_ui.php +++ b/e107_handlers/admin_ui.php @@ -2989,6 +2989,7 @@ class e_admin_controller_ui extends e_admin_controller { $this->$callbackAfter($model->getData(), $old_data, $model->getId()); } + $model->setMessages(true); //FIX - move messages (and session messages) to the default stack $this->doAfterSubmit($model->getId(), $noredirectAction); return true; } diff --git a/e107_handlers/core_functions.php b/e107_handlers/core_functions.php index 97f9b5bd0..fe7a423a2 100644 --- a/e107_handlers/core_functions.php +++ b/e107_handlers/core_functions.php @@ -152,6 +152,26 @@ function print_a($var, $return = FALSE) } } +function e_print($expr = null) +{ + $args = func_get_args(); + if(!$args) return; + foreach ($args as $arg) + { + print_a($arg); + } +} + +function e_dump($expr = null) +{ + $args = func_get_args(); + if(!$args) return; + + echo '
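Review bot: The new `else` branch replaces only `"\n"`, so details containing CRLF keep a stray `\r` before each `[!br!]`; use `str_replace(array("\r\n", "\r", "\n"), "[!br!]", $event_detail)`. The TODO could be replaced by a comment saying why `[!br!]` is used (it is the same marker the array branch above emits). The enclosing method continues outside the hunk.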
';
+	call_user_func_array('var_dump', $args);
+	echo '
'; +} + /** * Strips slashes from a var if magic_quotes_gqc is enabled * diff --git a/e107_handlers/e107_class.php b/e107_handlers/e107_class.php index ea9ea7dc2..7f89a9bc1 100644 --- a/e107_handlers/e107_class.php +++ b/e107_handlers/e107_class.php @@ -144,6 +144,7 @@ class e107 'e107_user_extended' => '{e_HANDLER}user_extended_class.php', 'e107plugin' => '{e_HANDLER}plugin_class.php', 'eURL' => '{e_HANDLER}e107Url.php', + 'e_core_session' => '{e_HANDLER}session_handler.php', 'e_admin_controller' => '{e_HANDLER}admin_ui.php', 'e_admin_controller_ui' => '{e_HANDLER}admin_ui.php', 'e_admin_dispatcher' => '{e_HANDLER}admin_ui.php', @@ -949,10 +950,27 @@ class e107 * * @return UserHandler */ - public static function getSession() + public static function getUserSession() { return self::getSingleton('UserHandler', true); } + + /** + * Retrieve core session singleton object(s) + * + * @return e_core_session + */ + public static function getSession($namespace = null) + { + $id = 'core/e107/session/'.(null === $namespace ? 'e107' : $namespace); + if(self::getRegistry($id)) + { + return self::getRegistry($id); + } + $session = self::getObject('e_core_session', array('namespace' => $namespace), true); + self::setRegistry($id, $session); + return $session; + } /** * Retrieve redirection singleton object diff --git a/e107_handlers/form_handler.php b/e107_handlers/form_handler.php index 2d5a9500a..8872d2551 100644 --- a/e107_handlers/form_handler.php +++ b/e107_handlers/form_handler.php @@ -660,9 +660,9 @@ class e_form * Generate hidden security field * @return string */ - function referer() + function token() { - return ""; + return ""; } function submit($name, $value, $options = array()) @@ -1724,7 +1724,7 @@ class e_form $text = "
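Review bot: `e_print()` and `e_dump()` carry no docblocks and write raw `print_a`/`var_dump` output of whatever they receive straight into the response; as global helpers they will reach production code paths (class2.php in this diff already carries a commented `e_print($_SESSION, ...)` call). Gate them on the existing debug switch, `if(!E107_DEBUG_LEVEL) return;`, so a forgotten call cannot leak session or configuration contents, and add a header such as `/** Debug helper: print_a() every argument. No output unless E107_DEBUG_LEVEL is set. */` to each. The `$expr = null` parameter is unused apart from being counted by `func_get_args()`; a comment noting that it exists only to document the signature would stop it being "fixed" away.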
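Review bot: `getSession()` keeps its name but now returns `e_core_session` instead of `UserHandler`, so any caller this commit did not rewrite (plugins, themes, files outside this diff) silently receives the wrong object and fails on its first method call; a tree-wide search for `getSession()` before merging, plus a docblock line on `getSession()` stating that the return type changed and user methods moved to `getUserSession()`, would make the break visible. Inside `getSession()` the registry is read twice; `if($session = self::getRegistry($id)) { return $session; }` avoids the double lookup. `getUserSession()` inherited the old docblock unchanged and should at least mention its former name.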
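Review bot: Renaming `referer()` to `token()` removes a public method of `e_form` that templates and plugins outside this diff may still call (the commit itself had to update three call sites); keep a BC shim `/** @deprecated use token() */ function referer() { return $this->token(); }` until callers are migrated. The docblock "Generate hidden security field" could also state which session value the hidden field now carries, since it is a token rather than a referer; the method body is not visible in this chunk.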
-
".$this->referer()." +
".$this->token()." ".vartrue($options['fieldset_pre'])."
".$options['legend']." @@ -1845,7 +1845,7 @@ class e_form $text .= "
- ".$this->referer()." + ".$this->token()." "; foreach ($form['fieldsets'] as $elid => $data) @@ -2119,7 +2119,7 @@ class form { $method = ($form_method ? "method='".$form_method."'" : ""); $target = ($form_target ? " target='".$form_target."'" : ""); $name = ($form_name ? " id='".$form_name."' " : " id='myform'"); - return "\n".e107::getForm()->referer(); + return "\n".e107::getForm()->token(); } function form_text($form_name, $form_size, $form_value, $form_maxlength = FALSE, $form_class = "tbox", $form_readonly = "", $form_tooltip = "", $form_js = "") { diff --git a/e107_handlers/language_class.php b/e107_handlers/language_class.php index 2f52dd75c..98dcb172f 100644 --- a/e107_handlers/language_class.php +++ b/e107_handlers/language_class.php @@ -1,14 +1,22 @@ * 5. $GLOBALS['elan'] eg. detect && !$foce) return $this->detect; + if(varsettrue($pref['multilanguage_subdomain']) && $this->isLangDomain(e_DOMAIN) && (defset('MULTILANG_SUBDOMAIN') !== FALSE)) { $detect_language = (e_SUBDOMAIN) ? $this->isValid(e_SUBDOMAIN) : $pref['sitelanguage']; - e107_ini_set("session.cookie_domain", ".".e_DOMAIN); // Must be before session_start() + // Done in session handler now, based on MULTILANG_SUBDOMAIN value + //e107_ini_set("session.cookie_domain", ".".e_DOMAIN); // Must be before session_start() define('MULTILANG_SUBDOMAIN',TRUE); } elseif(e_MENU && ($detect_language = $this->isValid(e_MENU))) // @@ -403,7 +418,8 @@ class language{ $detect_language = FALSE; // ie. No Change. } - e107_ini_set("session.cookie_path", e_HTTP); + // Done in session handler now + // e107_ini_set("session.cookie_path", e_HTTP); $this->detect = $detect_language; return $detect_language; 
@@ -417,14 +433,15 @@ class language{ */ function set() { - global $pref; + $pref = e107::getPref(); + $session = e107::getSession(); // default core session namespace if($this->detect) // Language-Change Trigger Detected. { - if(!varset($_SESSION['e_language']) || (($_SESSION['e_language'] != $this->detect) && $this->isValid($_SESSION['e_language']))) + // new - e_language moved to e107 namespace - $_SESSION['e107']['e_language'] + if(!$session->has('e_language') || (($session->get('e_language') != $this->detect) && $this->isValid($session->get('e_language')))) { - $_SESSION['e_language'] = $this->detect; - // echo "Assigning Session Language"; + $session->set('e_language', $this->detect); } if(varset($_COOKIE['e107_language'])!=$this->detect && (defset('MULTILANG_SUBDOMAIN') != TRUE)) @@ -444,21 +461,21 @@ class language{ } else // No Language-change Trigger Detected. { - if(varset($_SESSION['e_language'])!='') + if($session->has('e_language')) { - $user_language = $_SESSION['e_language']; + $user_language = $session->get('e_language'); } elseif(isset($_COOKIE['e107_language']) && ($user_language = $this->isValid($_COOKIE['e107_language']))) { - $_SESSION['e_language'] = $user_language; + $session->set('e_language', $user_language); } else { $user_language = $pref['sitelanguage']; - if(isset($_SESSION['e_language'])) + if($session->is('e_language')) { - unset($_SESSION['e_language']); + $session->clear('e_language'); } if(isset($_COOKIE['e107_language'])) 
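Review bot: Within `set()` the session language is tested with `$session->has('e_language')` in two places but with `$session->is('e_language')` just before `clear()`, and the later `@@ -485` hunk uses `is()` for `language-list`; unless has() and is() are synonyms in the session handler (not visible here) the three checks behave differently — presumably `has` means non-empty and `is` means isset. Pick one per intent and say so, e.g. `if($session->is('e_language')) // isset(); value may be empty`. `$session->get('e_language') != $this->detect` remains a loose comparison; `!==` is safer now that both sides are strings. `$_COOKIE['e107_language']` is still routed through `isValid()` before being stored, which is the right order.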
@@ -485,13 +502,14 @@ class language{ global $pref; $language = $this->e_language; + $session = e107::getSession(); - if(!isset($_SESSION['language-list'])) + if(!$session->is('language-list')) { - $_SESSION['language-list'] = implode(',',$this->installed()); + $session->set('language-list', implode(',',$this->installed())); } - define('e_LANLIST', $_SESSION['language-list']); + define('e_LANLIST', $session->get('language-list')); define('e_LANGUAGE', $language); define('USERLAN', $language); // Keep USERLAN for backward compatibility $iso = $this->convert($language); @@ -511,8 +529,3 @@ class language{ } - - - - -?> \ No newline at end of file diff --git a/e107_handlers/login.php b/e107_handlers/login.php index 12e6702ae..93e4dd046 100644 --- a/e107_handlers/login.php +++ b/e107_handlers/login.php @@ -345,7 +345,7 @@ class userlogin } // Now check password - $this->userMethods = e107::getSession(); + $this->userMethods = e107::getUserSession(); if ($forceLogin) { if (md5($this->userData['user_name'].$this->userData['user_password'].$this->userData['user_join']) != $userpass) 
@@ -355,17 +355,18 @@ class userlogin } else { - if ((($pref['password_CHAP'] > 0) && ($response && isset($_SESSION['challenge'])) && ($response != $_SESSION['challenge'])) || ($pref['password_CHAP'] == 2)) + $session = e107::getSession(); + if ((($pref['password_CHAP'] > 0) && ($response && $session->is('challenge')) && ($response != $session->get('challenge'))) || ($pref['password_CHAP'] == 2)) { // Verify using CHAP - // $this->e107->admin_log->e_log_event(4,__FILE__."|".__FUNCTION__."@".__LINE__,"DBG","CHAP login","U: {$username}, P: {$userpass}, C: {$_SESSION['challenge']} R:{$response} S: {$this->userData['user_password']}",FALSE,LOG_TO_ROLLING); - if (($pass_result = $this->userMethods->CheckCHAP($_SESSION['challenge'], $response, $username, $requiredPassword)) === PASSWORD_INVALID) + // $this->e107->admin_log->e_log_event(4,__FILE__."|".__FUNCTION__."@".__LINE__,"DBG","CHAP login","U: {$username}, P: {$userpass}, C: ".$session->get('challenge')." R:{$response} S: {$this->userData['user_password']}",FALSE,LOG_TO_ROLLING); + if (($pass_result = $this->userMethods->CheckCHAP($session->get('challenge'), $response, $username, $requiredPassword)) === PASSWORD_INVALID) { return $this->invalidLogin($username,LOGIN_CHAP_FAIL); } } else { // Plaintext password - // $this->e107->admin_log->e_log_event(4,__FILE__."|".__FUNCTION__."@".__LINE__,"DBG","Plaintext login","U: {$username}, P: {$userpass}, C: {$_SESSION['challenge']} R:{$response} S: {$this->userData['user_password']}",FALSE,LOG_TO_ROLLING); + // $this->e107->admin_log->e_log_event(4,__FILE__."|".__FUNCTION__."@".__LINE__,"DBG","Plaintext login","U: {$username}, P: {$userpass}, C: ".$session->get('challenge')." R:{$response} S: {$this->userData['user_password']}",FALSE,LOG_TO_ROLLING); if (($pass_result = $this->userMethods->CheckPassword($userpass,($this->lookEmail ? $this->userData['user_loginname'] : $username),$requiredPassword)) === PASSWORD_INVALID) { return $this->invalidLogin($username,LOGIN_BAD_PW); 
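Review bot: The two commented-out `e_log_event(...)` debug lines were rewritten by this commit to use `$session->get('challenge')`, yet they would write the plaintext password (`P: {$userpass}`) and the stored hash to the rolling log if anyone re-enabled them; delete them instead of maintaining them. `$response != $session->get('challenge')` is a loose comparison between a client-supplied value and a session string; `!==` avoids PHP's numeric-string coercion here. The same comparison pattern appears in e107_admin/auth.php's `@@ -239` hunk.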
diff --git a/e107_handlers/message_handler.php b/e107_handlers/message_handler.php index a94abeb9b..852257704 100644 --- a/e107_handlers/message_handler.php +++ b/e107_handlers/message_handler.php @@ -30,7 +30,7 @@ define('E_MESSAGE_DEBUG', 'debug'); * Handle system messages * * @package e107 - * @subpackage e107_handlers + * @subpackage e107_handlers * @version $Id$ * @author SecretR * @copyright Copyright (C) 2008-2010 e107 Inc (e107.org) @@ -52,6 +52,11 @@ class eMessage */ protected $_session_id; + /** + * @var e_core_session + */ + protected $_session_handler = null; + /** * Singleton instance * @@ -69,26 +74,10 @@ class eMessage */ protected function __construct() { - if(!session_id()) session_start(); + //if(!session_id()) session_start(); require_once(e_HANDLER.'e107_class.php'); - $this->_session_id = e107::getPref('cookie_name', 'e107').'_system_messages'; - - //clean up old not used sessions - $tmp = array_keys($_SESSION); - foreach ($tmp as $key) - { - if($key != $this->_session_id && strpos($key, '_system_messages')) - { - unset($_SESSION[$key]); - } - } - unset($tmp); - - if(!isset($_SESSION[$this->_session_id])) - { - $_SESSION[$this->_session_id] = array(); - } + $this->_session_id = '_system_messages'; $this->reset()->mergeWithSession(); } 
@@ -120,11 +109,36 @@ class eMessage * @param string $name * @return object $this */ - public function setSessionId($name) + public function setSessionId($name = '') { - $this->_session_id = $name.'_system_messages'; + $sid = $name.'_system_messages'; + if($this->_session_id != $sid) + { + if(session_id()) + { + $session = $this->getSessionHandler(); + $session->set($sid, $session->get($this->_session_id, true)); // move + if(!$session->has($sid)) $session->set($sid, array()); // be sure it's array + } + $this->_session_id = $sid; + } return $this; } + + /** + * Get session handler + * @return unknown_type + */ + public function getSessionHandler() + { + if(null === $this->_session_handler) + { + $session = e107::getSession(); + if(!$session->has($this->_session_id)) $session->set($this->_session_id, array()); + $this->_session_handler = $session; + } + return $this->_session_handler; + } /** * Add message to a type stack and default message stack @@ -258,7 +272,7 @@ class eMessage */ public function addSession($message, $type = E_MESSAGE_INFO) { - if(empty($message)) return $this; + if(empty($message) || !session_id()) return $this; $mstack = 'default'; if(is_array($message)) @@ -266,8 +280,13 @@ class eMessage $mstack = $message[1]; $message = $message[0]; } + $SESSION = $this->getSessionHandler()->get($this->_session_id); - if($this->isType($type)) $_SESSION[$this->_session_id][$type][$mstack][] = $message; + if($this->isType($type)) + { + $SESSION[$type][$mstack][] = $message; + $this->getSessionHandler()->set($this->_session_id, $SESSION); + } return $this; } 
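Review bot: `getSessionHandler()` is documented as `@return unknown_type` although the property it returns is declared `@var e_core_session` a few lines up; change it to `@return e_core_session`. In `setSessionId()` the move `$session->set($sid, $session->get($this->_session_id, true))` relies on the second argument of get() — presumably "remove after read" — which nothing here documents; a trailing comment `// get(..., true): read and unset the old key — confirm against session handler` would save the next reader a lookup. `addSession()` now returns silently when `session_id()` is empty, so a message queued before the session is opened is dropped; that behaviour change deserves a line in its docblock.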
@@ -362,7 +381,9 @@ class eMessage */ public function getSession($type, $mstack = 'default', $raw = false, $reset = true) { - $message = isset($_SESSION[$this->_session_id][$type][$mstack]) ? $_SESSION[$this->_session_id][$type][$mstack] : ''; + if(!session_id()) return null; + $SESSION = $this->getSessionHandler()->get($this->_session_id); + $message = isset($SESSION[$type][$mstack]) ? $SESSION[$type][$mstack] : ''; if($reset) $this->resetSession($type, $mstack); return (true === $raw ? $message : self::formatMessage($mstack, $type, $message)); @@ -378,6 +399,7 @@ class eMessage */ public function getAllSession($mstack = 'default', $raw = false, $reset = true) { + if(!session_id()) return array(); $ret = array(); foreach ($this->_get_types() as $type) { @@ -511,35 +533,37 @@ class eMessage */ public function resetSession($type = false, $mstack = false) { + if(!session_id()) return $this; + $SESSION = $this->getSessionHandler()->get($this->_session_id); if(false === $type) { if(false === $mstack) { - $_SESSION[$this->_session_id] = $this->_type_map(); + $SESSION = $this->_type_map(); } - elseif($_SESSION[$this->_session_id]) + elseif($SESSION) { - foreach ($_SESSION[$this->_session_id] as $t => $_mstack) + foreach ($SESSION as $t => $_mstack) { if(is_array($_mstack)) { - unset($_SESSION[$this->_session_id][$t][$mstack]); + unset($SESSION[$t][$mstack]); } } } } - elseif(isset($_SESSION[$this->_session_id][$type])) + elseif(isset($SESSION[$type])) { if(false === $mstack) { - $_SESSION[$this->_session_id][$type] = array(); + $SESSION[$type] = array(); } - elseif(is_array($_SESSION[$this->_session_id][$type])) + elseif(is_array($SESSION[$type])) { - unset($_SESSION[$this->_session_id][$type][$mstack]); + unset($SESSION[$type][$mstack]); } } - + $this->getSessionHandler()->set($this->_session_id, $SESSION); return $this; } 
@@ -551,27 +575,31 @@ class eMessage */ public function mergeWithSession($reset = true, $mstack = false) { - if(is_array($_SESSION[$this->_session_id])) + // do nothing if there is still no session + if(!session_id()) return $this; + $SESSION = $this->getSessionHandler()->get($this->_session_id); + + if(!empty($SESSION)) { - foreach (array_keys($_SESSION[$this->_session_id]) as $type) + foreach (array_keys($SESSION) as $type) { if(!$this->isType($type)) { - unset($_SESSION[$this->_session_id][$type]); + unset($SESSION[$type]); continue; } if(false === $mstack) { - $this->_sysmsg[$type] = array_merge_recursive($this->_sysmsg[$type], $_SESSION[$this->_session_id][$type]); + $this->_sysmsg[$type] = array_merge_recursive($this->_sysmsg[$type], $SESSION[$type]); continue; } - if(isset($_SESSION[$this->_session_id][$type][$mstack])) + if(isset($SESSION[$type][$mstack])) { - $this->_sysmsg[$type][$mstack] = $_SESSION[$this->_session_id][$type][$mstack]; + $this->_sysmsg[$type][$mstack] = $SESSION[$type][$mstack]; } - } + $this->getSessionHandler()->set($this->_session_id, $SESSION); } if($reset) $this->resetSession(false, $mstack); return $this; @@ -586,6 +614,10 @@ class eMessage */ public function moveToSession($mstack = false, $message_type = false) { + // do nothing if there is still no session + if(!session_id()) return $this; + $SESSION = $this->getSessionHandler()->get($this->_session_id); + foreach (array_keys($this->_sysmsg) as $type) { if(!$this->isType($type) || ($message_type && $message_type !== $type)) 
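Review bot: In the last lines of this hunk the removed `- }` was the foreach's closing brace and the added `$this->getSessionHandler()->set(...)` takes its place with no replacement brace, so as shown the remaining `}` now closes the foreach and the `if(!empty($SESSION))` block is never closed; the hunk's line counts (27 → 31) are consistent with that reading, so please verify the file still parses. If a brace was merely lost in this view, the write-back should still sit after the loop, as moveSessionStack does further down, so it runs once rather than once per type: close the isset block and the foreach with `}` `}` and then `$this->getSessionHandler()->set($this->_session_id, $SESSION);` inside the outer if.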
@@ -595,16 +627,16 @@ class eMessage } if(false === $mstack) { - $_SESSION[$this->_session_id][$type] = array_merge_recursive( $_SESSION[$this->_session_id][$type], $this->_sysmsg[$type]); + $SESSION[$type] = array_merge_recursive($SESSION[$type], $this->_sysmsg[$type]); continue; } if(isset($this->_sysmsg[$type][$mstack])) { - $_SESSION[$this->_session_id][$type][$mstack] = $this->_sysmsg[$type][$mstack]; + $SESSION[$type][$mstack] = $this->_sysmsg[$type][$mstack]; } } - + $this->getSessionHandler()->set($this->_session_id, $SESSION); $this->reset($message_type, $mstack, false); return $this; } @@ -656,8 +688,11 @@ class eMessage */ public function moveSessionStack($from_stack, $to_stack = 'default', $type = false) { - if($from_stack == $to_stack) return $this; - foreach ($_SESSION[$this->_session_id] as $_type => $stacks) + // do nothing if there is still no session + if(!session_id() || $from_stack == $to_stack) return $this; + $SESSION = $this->getSessionHandler()->get($this->_session_id); + + foreach ($SESSION as $_type => $stacks) { if($type && $type !== $_type) { @@ -665,14 +700,15 @@ class eMessage } if(isset($stacks[$from_stack])) { - if(!isset($_SESSION[$this->_session_id][$_type][$to_stack])) + if(!isset($SESSION[$_type][$to_stack])) { - $_SESSION[$this->_session_id][$_type][$to_stack] = array(); + $SESSION[$_type][$to_stack] = array(); } - $_SESSION[$this->_session_id][$_type][$to_stack] = array_merge($_SESSION[$this->_session_id][$_type][$to_stack], $this->_sysmsg[$_type][$from_stack]); - unset($_SESSION[$this->_session_id][$_type][$from_stack]); + $SESSION[$_type][$to_stack] = array_merge($SESSION[$_type][$to_stack], $this->_sysmsg[$_type][$from_stack]); + unset($SESSION[$_type][$from_stack]); } } + $this->getSessionHandler()->set($this->_session_id, $SESSION); return $this; } diff --git a/e107_handlers/user_model.php b/e107_handlers/user_model.php index f1c477c83..88219159d 100644 --- a/e107_handlers/user_model.php +++ b/e107_handlers/user_model.php 
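Review bot: `array_merge_recursive($SESSION[$type], $this->_sysmsg[$type])` reads `$SESSION[$type]` without checking it exists, and getSessionHandler() (first hunk of this file) seeds a new session with an empty array, so on the first move in a fresh session this is an undefined index and array_merge_recursive() receives a non-array (a warning on PHP 5, a TypeError on PHP 8). Guard it: `$SESSION[$type] = array_merge_recursive(isset($SESSION[$type]) ? $SESSION[$type] : array(), $this->_sysmsg[$type]);`. The old `$_SESSION`-based line had the same exposure, but the commit rewrites the line and is the natural place to close it.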
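Review bot: The merge on the new side still reads `$this->_sysmsg[$_type][$from_stack]` (the in-memory stack) while the following unset() removes `$SESSION[$_type][$from_stack]` (the session stack), so the session stack being "moved" is discarded rather than moved, and the in-memory source is an undefined index whenever only the session holds that stack. The method name and the `$stacks` loop variable suggest the session copy was intended: `$SESSION[$_type][$to_stack] = array_merge($SESSION[$_type][$to_stack], $stacks[$from_stack]);`. This was already wrong before the rewrite, but the line is rewritten here and the fix is a one-word change.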
@@ -183,13 +183,16 @@ class e_user_model extends e_front_model return ($this->isAdmin() ? $this->get('user_perms') : false); } + /** + * DEPRECATED - will be removed or changed soon (see e_session) + * @return string + */ public function getToken() { - if($this->isUser()) return ''; - if(null === $this->get('user_token')) { - $this->set('user_token', md5($this->get('user_password').$this->get('user_lastvisit').$this->get('user_pwchange').$this->get('user_class'))); + //$this->set('user_token', md5($this->get('user_password').$this->get('user_lastvisit').$this->get('user_pwchange').$this->get('user_class'))); + $this->set('user_token', e107::getSession()->getFormToken(false)); } return $this->get('user_token'); } @@ -307,6 +310,7 @@ class e_user_model extends e_front_model /** * Check passed value against current user token + * DEPRECATED - will be removed or changed soon (see e_core_session) * @param string $token md5 sum of e.g. posted token * @return boolean */ @@ -1286,6 +1290,7 @@ class e_user extends e_user_model { $this->_session_key = e107::getPref('cookie_name', 'e107cookie'); $this->_session_type = e107::getPref('user_tracking', 'cookie'); + if('session' == $this->_session_type && isset($_SESSION[$this->_session_key]) && !empty($_SESSION[$this->_session_key])) { $this->_session_data = &$_SESSION[$this->_session_key]; diff --git a/e107_languages/English/admin/lan_admin.php b/e107_languages/English/admin/lan_admin.php index 916f69af9..8da2eedec 100644 --- a/e107_languages/English/admin/lan_admin.php +++ b/e107_languages/English/admin/lan_admin.php @@ -315,7 +315,8 @@ define("LAN_DESCRIPTION", "Description"); define("LAN_VISIBILITY", "Visibility"); define("LAN_ICON", "Icon"); - - - - +define("LAN_SECURITYL_0", "Looking for troubles (none)"); +define("LAN_SECURITYL_5", "Balanced"); +define("LAN_SECURITYL_7", "High"); +define("LAN_SECURITYL_9", "Paranoid"); +define("LAN_SECURITYL_10", "Insane"); 
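Review bot: The commented-out `//$this->set('user_token', md5(...))` line should be deleted rather than left beside its replacement — version control keeps the history, and a dead line next to a token generator invites someone to re-enable the deterministic scheme derived from stored user fields. Mark the deprecation with a real tag so IDEs and static analysis surface it, `@deprecated Use e107::getSession()->getFormToken() (see e_core_session)`, here and in the checkToken docblock in the next hunk, instead of the prose "DEPRECATED" line. The `false` passed to getFormToken() also deserves a short inline comment saying what it selects, since its meaning is not visible at the call site, and the removed `if($this->isUser()) return '';` early return means getToken() now yields a token for every caller — worth a sentence in the docblock.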
diff --git a/e107_languages/English/admin/lan_footer.php b/e107_languages/English/admin/lan_footer.php index 988955677..6a8637a7f 100644 --- a/e107_languages/English/admin/lan_footer.php +++ b/e107_languages/English/admin/lan_footer.php @@ -28,4 +28,5 @@ define("FOOTLAN_16", "Database"); define("FOOTLAN_17", "Charset"); define("FOOTLAN_18", "Site Theme"); define("FOOTLAN_19", "Server Time"); +define("FOOTLAN_20", "Security level"); ?> \ No newline at end of file diff --git a/e107_plugins/login_menu/login_menu_shortcodes.php b/e107_plugins/login_menu/login_menu_shortcodes.php index 938a02ddc..8b8accbc8 100755 --- a/e107_plugins/login_menu/login_menu_shortcodes.php +++ b/e107_plugins/login_menu/login_menu_shortcodes.php @@ -55,7 +55,7 @@ SC_END SC_BEGIN LM_PASSWORD_INPUT global $pref; $t_password = "\n"; -if (!USER && isset($_SESSION['challenge']) && varset($pref['password_CHAP'],0)) $t_password .= "\n\n"; +if (!USER && e107::getSession()->is('challenge') && varset($pref['password_CHAP'],0)) $t_password .= "\n\n"; return $t_password; SC_END diff --git a/e107_themes/templates/footer_default.php b/e107_themes/templates/footer_default.php index e3bf1bc32..030cc6259 100644 --- a/e107_themes/templates/footer_default.php +++ b/e107_themes/templates/footer_default.php @@ -20,6 +20,9 @@ $In_e107_Footer = TRUE; // For registered shutdown function global $error_handler,$db_time,$FOOTER; +// Clean session shutdown +e107::getSession()->shutdown(); + // // SHUTDOWN SEQUENCE // @@ -267,6 +270,8 @@ e107::getJs()->renderJs('footer_inline', true); // This must be done as late as possible in page processing. $_serverTime = time(); $lastSet = isset($_COOKIE['e107_tdSetTime']) ? $_COOKIE['e107_tdSetTime'] : 0; +$_serverPath = e_HTTP; +$_serverDomain = deftrue('MULTILANG_SUBDOMAIN') ? '.'.e_DOMAIN : ''; if (abs($_serverTime - $lastSet) > 120) { /* update time delay every couple of minutes. 
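Review bot: `e107::getSession()->is('challenge')` replaces `isset($_SESSION['challenge'])`, and the two are only equivalent if is() tests key presence; if it tests truthiness (the name suggests it might), a challenge value of '0' or '' would now suppress the CHAP hidden fields. Please confirm against the session handler, or use the presence check `has('challenge')` that the message handler in this commit relies on. login.php further down makes the same substitution.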
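Review bot: `e107::getSession()->shutdown();` runs as the first statement of the footer, before the shutdown sequence, the traffic/debug output and the `e107_tdSetTime` cookie logic further down; if shutdown() writes and closes the session (the comment only says "clean"), any session write made later in this template or by the registered shutdown function is lost. State the contract in the comment, e.g. `// Write-close the session now; nothing below may write to it`, or move the call to the end of the footer if later writes are expected.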
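Review bot: `$_serverPath` and `$_serverDomain` are assigned in this hunk but not used in it, and `$_serverDomain` becomes `'.'.e_DOMAIN` whenever MULTILANG_SUBDOMAIN is defined, which presumably widens the cookie written by the script in the next hunk (not readable in this rendering) to every subdomain. A one-line comment saying that both feed the `e107_tdSetTime` cookie below, and that the wider domain is deliberate for that cookie only, would keep a later reader from reusing `$_serverDomain` for anything session-related.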
@@ -274,7 +279,7 @@ if (abs($_serverTime - $lastSet) > 120) * Drawback: each update may cause all server times to display a bit different */ echo "\n"; } diff --git a/fpw.php b/fpw.php index 5615ce2b5..2d5f405f5 100644 --- a/fpw.php +++ b/fpw.php @@ -44,7 +44,7 @@ if ($pref['membersonly_enabled']) $FOOTER = preg_replace("/\{(.*?)\}/e", '$\1', $FPW_TABLE_FOOTER); } -$user_info = e107::getSession(); +$user_info = e107::getUserSession(); require_once(HEADERF); diff --git a/install_.php b/install_.php index c67d62941..1d0ff4120 100644 --- a/install_.php +++ b/install_.php @@ -160,7 +160,13 @@ $e107_paths = array(); $e107 = e107::getInstance(); $e107->initInstall($e107_paths, realpath(dirname(__FILE__))); unset($e107_paths); -session_start(); + +// NEW - session handler +require_once(e_HANDLER.'session_handler.php'); +define('e_SECURITY_LEVEL', e_session::SECURITY_LEVEL_NONE); +define('e_COOKIE', 'e107install'); +e107::getSession(); // starts session, creates default namespace +// session_start(); function include_lan($path, $force = false) { @@ -199,7 +205,7 @@ class e_install var $required = ""; //TODO - use for highlighting required fields with css/js. var $logFile; // Name of log file, empty string if logging disabled var $dbLink = NULL; // DB link - needed for PHP5.3 bug - + var $session = null; // public function __construct() function e_install() @@ -208,6 +214,9 @@ class e_install define('USERID', 1); define('USER', true); define('ADMIN', true); + + // session instance + $this->session = e107::getSession(); $this->logFile = ''; if (MAKE_INSTALL_LOG) @@ -1357,7 +1366,7 @@ class e_install return nl2br(LANINS_060)."
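Review bot: `e107::getUserSession()` replaces `e107::getSession()` here, in signup.php and in usersettings.php, which means `getSession()` now returns a different object; any plugin or theme still calling `e107::getSession()` for the user-session API (`deleteExpired()` and friends) will fail at runtime rather than at load, so a grep of the tree for remaining callers and a BC note on getSession() belong in this commit. Unrelated to the rename but visible on the context line just above: `preg_replace()` with the `/e` modifier evaluates the captured template text as PHP and is removed in PHP 7; a follow-up should move it to preg_replace_callback().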
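Review bot: The installer pins `e_SECURITY_LEVEL` to `e_session::SECURITY_LEVEL_NONE` while class2.php defaults to `SECURITY_LEVEL_BALANCED`, and nothing says why the unauthenticated install flow should get the weakest setting; add the reason as a comment, `// TODO(review): document why NONE rather than the BALANCED default used by class2.php`, or use BALANCED unless a concrete install-time breakage is known. The commented-out `// session_start();` should be deleted now that `e107::getSession()` starts the session, as the comment on the line above it already says.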
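Review bot: The new `$this->session` property is declared as an untyped `var $session = null;` in the previous hunk and filled here with only `// session instance` as documentation; give the property a docblock naming the class it holds (`/** @var e_core_session */` if that is what e107::getSession() returns — the user_model docblock in this commit refers to that class) and say in the constructor comment what the installer uses it for, since nothing in these two hunks reads it.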

"; } - preg_match_all("/create(.*?)(?:myisam|innodb);/si", $sql_data, $result ); + preg_match_all("/create(.*?)(?:myisam|innodb);/si", $sql_data, $result ); // Force UTF-8 again $this->dbqry('SET NAMES `utf8`'); diff --git a/login.php b/login.php index ee7150f2e..f6dfde7eb 100644 --- a/login.php +++ b/login.php @@ -48,9 +48,9 @@ if (!USER) $LOGIN_TABLE_LOGINMESSAGE = LOGINMESSAGE; $LOGIN_TABLE_USERNAME = ""; $LOGIN_TABLE_PASSWORD = ""; - if (!USER && isset($_SESSION['challenge']) && varset($pref['password_CHAP'],0)) + if (!USER && e107::getSession()->is('challenge') && varset($pref['password_CHAP'],0)) { - $LOGIN_TABLE_PASSWORD .= "\n\n"; + $LOGIN_TABLE_PASSWORD .= "\n\n"; } if ($use_imagecode) { diff --git a/signup.php b/signup.php index 374ba9278..6db4aff54 100644 --- a/signup.php +++ b/signup.php @@ -36,7 +36,7 @@ require_once(e_HANDLER.'calendar/calendar_class.php'); $cal = new DHTML_Calendar(true); require_once(e_HANDLER.'validator_class.php'); // require_once(e_HANDLER.'user_handler.php'); -$userMethods = e107::getSession(); +$userMethods = e107::getUserSession(); $userMethods->deleteExpired(); // Delete time-expired partial registrations require_once(e107::coreTemplatePath('signup')); //correct way to load a core template. diff --git a/usersettings.php b/usersettings.php index 751685568..05c663982 100644 --- a/usersettings.php +++ b/usersettings.php @@ -53,7 +53,7 @@ require_once (e_HANDLER.'user_extended_class.php'); require_once(e_HANDLER.'validator_class.php'); $ue = new e107_user_extended; -$userMethods = e107::getSession(); +$userMethods = e107::getUserSession(); require_once (e_HANDLER.'ren_help.php'); include_once (e107::coreTemplatePath('usersettings')); //correct way to load a core template.