From e1ceb050e19c7574bca146a8da7047ee4ff456b5 Mon Sep 17 00:00:00 2001
From: Marius Burkard <m.burkard@pixcept.de>
Date: Sun, 10 Jul 2016 05:02:35 -0400
Subject: [PATCH] Merge branch 'stable-3.1'
---
interface/lib/app.inc.php | 85 +++++++++++++++++++++++++++++++++++++-----
1 files changed, 74 insertions(+), 11 deletions(-)
diff --git a/interface/lib/app.inc.php b/interface/lib/app.inc.php
index 6c19f57..f9ef167 100755
--- a/interface/lib/app.inc.php
+++ b/interface/lib/app.inc.php
@@ -48,6 +48,9 @@
private $_wb;
private $_loaded_classes = array();
private $_conf;
+ private $_security_config;
+
+ public $loaded_plugins = array();
public function __construct() {
global $conf;
@@ -55,7 +58,7 @@
if (isset($_REQUEST['GLOBALS']) || isset($_FILES['GLOBALS']) || isset($_REQUEST['s']) || isset($_REQUEST['s_old']) || isset($_REQUEST['conf'])) {
die('Internal Error: var override attempt detected');
}
-
+
$this->_conf = $conf;
if($this->_conf['start_db'] == true) {
$this->load('db_'.$this->_conf['db_type']);
@@ -66,12 +69,38 @@
if($this->_conf['start_session'] == true) {
$this->uses('session');
- $tmp = $this->db->queryOneRecord("SELECT `value` FROM sys_config WHERE `config_id` = 2 AND `group` = 'interface' AND `name` = 'session_timeout'");
- if($tmp && $tmp['value'] > 0) {
- $this->session->set_timeout($tmp['value']);
- session_set_cookie_params(($tmp['value'] * 60) + 300); // make the cookie live 5 minutes longer
+ $sess_timeout = $this->conf('interface', 'session_timeout');
+ $cookie_domain = (isset($_SERVER['SERVER_NAME']) ? $_SERVER['SERVER_NAME'] : $_SERVER['HTTP_HOST']);
+
+ // Workaround for Nginx servers
+ if($cookie_domain == '_') {
+ $tmp = explode(':',$_SERVER["HTTP_HOST"]);
+ $cookie_domain = $tmp[0];
+ unset($tmp);
+ }
+ $cookie_secure = ($_SERVER["HTTPS"] == 'on')?true:false;
+ if($sess_timeout) {
+ /* check if user wants to stay logged in */
+ if(isset($_POST['s_mod']) && isset($_POST['s_pg']) && $_POST['s_mod'] == 'login' && $_POST['s_pg'] == 'index' && isset($_POST['stay']) && $_POST['stay'] == '1') {
+ /* check if staying logged in is allowed */
+ $this->uses('ini_parser');
+ $tmp = $this->db->queryOneRecord('SELECT config FROM sys_ini WHERE sysini_id = 1');
+ $tmp = $this->ini_parser->parse_ini_string(stripslashes($tmp['config']));
+ if(!isset($tmp['misc']['session_allow_endless']) || $tmp['misc']['session_allow_endless'] != 'y') {
+ $this->session->set_timeout($sess_timeout);
+ session_set_cookie_params(3600 * 24 * 365,'/',$cookie_domain,$cookie_secure,true); // cookie timeout is never updated, so it must not be short
+ } else {
+ // we are doing login here, so we need to set the session data
+ $this->session->set_permanent(true);
+ $this->session->set_timeout(365 * 24 * 3600,'/',$cookie_domain,$cookie_secure,true); // one year
+ session_set_cookie_params(3600 * 24 * 365,'/',$cookie_domain,$cookie_secure,true); // cookie timeout is never updated, so it must not be short
+ }
+ } else {
+ $this->session->set_timeout($sess_timeout);
+ session_set_cookie_params(3600 * 24 * 365,'/',$cookie_domain,$cookie_secure,true); // cookie timeout is never updated, so it must not be short
+ }
} else {
- session_set_cookie_params(0); // until browser is closed
+ session_set_cookie_params(0,'/',$cookie_domain,$cookie_secure,true); // until browser is closed
}
session_set_save_handler( array($this->session, 'open'),
@@ -90,9 +119,18 @@
}
$this->uses('functions'); // we need this before all others!
- $this->uses('auth,plugin');
+ $this->uses('auth,plugin,ini_parser,getconf');
+
}
+ public function __get($prop) {
+ if(property_exists($this, $prop)) return $this->{$prop};
+
+ $this->uses($prop);
+ if(property_exists($this, $prop)) return $this->{$prop};
+ else return null;
+ }
+
public function __destruct() {
session_write_close();
}
@@ -103,7 +141,7 @@
foreach($cl as $classname) {
$classname = trim($classname);
//* Class is not loaded so load it
- if(!array_key_exists($classname, $this->_loaded_classes)) {
+ if(!array_key_exists($classname, $this->_loaded_classes) && is_file(ISPC_CLASS_PATH."/$classname.inc.php")) {
include_once ISPC_CLASS_PATH."/$classname.inc.php";
$this->$classname = new $classname();
$this->_loaded_classes[$classname] = true;
@@ -121,6 +159,22 @@
}
}
}
+
+ public function conf($plugin, $key, $value = null) {
+ if(is_null($value)) {
+ $tmpconf = $this->db->queryOneRecord("SELECT `value` FROM `sys_config` WHERE `group` = ? AND `name` = ?", $plugin, $key);
+ if($tmpconf) return $tmpconf['value'];
+ else return null;
+ } else {
+ if($value === false) {
+ $this->db->query("DELETE FROM `sys_config` WHERE `group` = ? AND `name` = ?", $plugin, $key);
+ return null;
+ } else {
+ $this->db->query("REPLACE INTO `sys_config` (`group`, `name`, `value`) VALUES (?, ?, ?)", $plugin, $key, $value);
+ return $value;
+ }
+ }
+ }
/** Priority values are: 0 = DEBUG, 1 = WARNING, 2 = ERROR */
@@ -132,8 +186,8 @@
$server_id = 0;
$priority = $this->functions->intval($priority);
$tstamp = time();
- $msg = $this->db->quote('[INTERFACE]: '.$msg);
- $this->db->query("INSERT INTO sys_log (server_id,datalog_id,loglevel,tstamp,message) VALUES ($server_id,0,$priority,$tstamp,'$msg')");
+ $msg = '[INTERFACE]: '.$msg;
+ $this->db->query("INSERT INTO sys_log (server_id,datalog_id,loglevel,tstamp,message) VALUES (?, 0, ?, ?, ?)", $server_id, $priority,$tstamp,$msg);
/*
if (is_writable($this->_conf['log_file'])) {
if (!$fp = fopen ($this->_conf['log_file'], 'a')) {
@@ -193,7 +247,7 @@
}
$this->_language_inc = 1;
}
- if(!empty($this->_wb[$text])) {
+ if(isset($this->_wb[$text]) && $this->wb[$text] !== '') {
$text = $this->_wb[$text];
} else {
if($this->_conf['debug_language']) {
@@ -284,4 +338,13 @@
//* possible future = new app($conf);
$app = new app();
+// load and enable PHP Intrusion Detection System (PHPIDS)
+$ids_security_config = $app->getconf->get_security_config('ids');
+
+if(is_dir(ISPC_CLASS_PATH.'/IDS') && $ids_security_config['ids_enabled'] == 'yes') {
+ $app->uses('ids');
+ $app->ids->start();
+}
+unset($ids_security_config);
+
?>
--
Gitblit v1.9.1