mirror/php-typemill
1
0
Fork 0
mirror of https://github.com/typemill/typemill.git synced 2025-08-06 14:16:46 +02:00
Code Issues Releases Wiki Activity

Version 1.1.7 Removed session and improved security

Browse Source
This commit is contained in:
Sebastian
2018-05-29 21:50:51 +02:00
parent 96f595c05c
commit 6b7fac91a4
6 changed files with 73 additions and 42 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
cache/lastCache.txt vendored
View File

@@ -1 +1 @@
1527151147
1527608103

6
settings/settings.yaml.example
View File

@@ -1,6 +0,0 @@
title: MyWebsite
author: 'Your Name'
copyright: ©
year: '2018'
theme: typemill
startpage: true

4
system/Controllers/AuthController.php
View File

@@ -34,7 +34,7 @@ class AuthController extends Controller
*/
public function show(Request $request, Response $response, $args)
{
{
$data = array();
/* check previous login attemps */
@@ -63,7 +63,7 @@ class AuthController extends Controller
}
}
$this->c->view->render($response, '/auth/login.twig', $data);
$this->render($response, '/auth/login.twig', $data);
}
/**

12
system/Controllers/Controller.php
View File

@@ -18,9 +18,17 @@ abstract class Controller
protected function render($response, $route, $data)
{
$data = $this->c->dispatcher->dispatch('onPageReady', new OnPageReady($data))->getData();
unset($_SESSION['old']);
if(isset($_SESSION['old']))
{
unset($_SESSION['old']);
}
if($this->c->request->getUri()->getScheme() == 'https')
{
$response = $response->withAddedHeader('Strict-Transport-Security', 'max-age=63072000');
}
$response = $response->withAddedHeader('X-Content-Type-Options', 'nosniff');
$response = $response->withAddedHeader('X-Frame-Options', 'SAMEORIGIN');
$response = $response->withAddedHeader('X-XSS-Protection', '1;mode=block');

3
system/author/settings/system.twig
View File

@@ -57,6 +57,9 @@
{% if errors.settings.language %}
<span class="error">{{ errors.settings.language | first }}</span>
{% endif %}
</div><div class="medium">
<label for="settings[sitemap]">Google Sitemap <small>(Readonly)</small></label>
<input type="text" name="settings[sitemap]" id="sitemap" readonly value="{{ base_url }}cache/sitemap.xml" />
</div><div class="medium">
<span class="label">Startpage</span>
<label class="control-group">Startpage is designed as landing-page.

88
system/system.php
View File

@@ -3,14 +3,6 @@
use Typemill\Events\OnSettingsLoaded;
use Typemill\Events\OnPluginsLoaded;
/************************
* START SESSION *
************************/
ini_set( 'session.cookie_httponly', 1 );
session_name('typemill_session');
session_start();
/****************************
* CREATE EVENT DISPATCHER *
****************************/
@@ -35,17 +27,6 @@ $app = new \Slim\App($settings);
$container = $app->getContainer();
/************************
* ADD CSRF PROTECTION *
************************/
$container['csrf'] = function ($c) {
$guard = new \Slim\Csrf\Guard();
$guard->setPersistentTokenMode(true);
return $guard;
};
/************************
* LOAD PLUGINS *
************************/
@@ -117,14 +98,52 @@ $container['assets'] = function($c)
return new \Typemill\Assets($c['request']->getUri()->getBaseUrl());
};
/******************************
* ADD FLASH MESSAGES FOR TIWG *
******************************/
$container['flash'] = function ()
/************************
* DECIDE FOR SESSION *
************************/
$session_segments = array('setup/', 'tm/');
$path = $container['request']->getUri()->getPath();
$container['flash'] = false;
$container['csrf'] = false;
foreach($session_segments as $segment)
{
return new \Slim\Flash\Messages();
};
if(substr( $path, 0, strlen($segment) ) === $segment)
{
/* start a session */
ini_set( 'session.cookie_httponly', 1 );
ini_set('session.use_strict_mode', 1);
if($container['request']->getUri()->getScheme() == 'https')
{
ini_set('session.cookie_secure', 1);
session_name('__Secure-typemill-session');
}
else
{
session_name('typemill-session');
}
session_start();
/* add csrf-protection */
$container['csrf'] = function ($c)
{
$guard = new \Slim\Csrf\Guard();
$guard->setPersistentTokenMode(true);
return $guard;
};
/* add flash to container */
$container['flash'] = function ()
{
return new \Slim\Flash\Messages();
};
break;
}
}
/************************
* LOAD TWIG VIEW *
@@ -144,14 +163,17 @@ $container['view'] = function ($container)
$basePath = rtrim(str_ireplace('index.php', '', $container['request']->getUri()->getBasePath()), '/');
$view->addExtension(new Slim\Views\TwigExtension($container['router'], $basePath));
$view->addExtension(new Twig_Extension_Debug());
$view->addExtension(new Typemill\Extensions\TwigCsrfExtension($container['csrf']));
$view->addExtension(new Typemill\Extensions\TwigUserExtension());
/* use {{ base_url() }} in twig templates */
$view['base_url'] = $container['request']->getUri()->getBaseUrl();
/* add flash messages to all views */
$view->getEnvironment()->addGlobal('flash', $container->flash);
/* if session route, add flash messages and csrf-protection */
if($container['flash'])
{
$view->getEnvironment()->addGlobal('flash', $container->flash);
$view->addExtension(new Typemill\Extensions\TwigCsrfExtension($container['csrf']));
}
/* add asset-function to all views */
$view->getEnvironment()->addGlobal('assets', $container->assets);
@@ -183,9 +205,13 @@ foreach($middleware as $pluginMiddleware)
$app->add(new $middlewareClass($middlewareParams));
}
}
$app->add(new \Typemill\Middleware\ValidationErrorsMiddleware($container['view']));
$app->add(new \Typemill\Middleware\OldInputMiddleware($container['view']));
$app->add($container->get('csrf'));
if($container['flash'])
{
$app->add(new \Typemill\Middleware\ValidationErrorsMiddleware($container['view']));
$app->add(new \Typemill\Middleware\OldInputMiddleware($container['view']));
$app->add($container->get('csrf'));
}
/************************
* ADD ROUTES *