Changeset 702 for trunk/forum/includes/session.php
- Timestamp:
- Mar 31, 2010, 6:32:40 PM (15 years ago)
- File:
-
- 1 edited
trunk/forum/includes/session.php
r400 r702 3 3 * 4 4 * @package phpBB3 5 * @version $Id : session.php 9170 2008-12-04 12:56:12Z toonarmy$5 * @version $Id$ 6 6 * @copyright (c) 2005 phpBB Group 7 7 * @license http://opensource.org/licenses/gpl-license.php GNU Public License … … 214 214 $this->browser = (!empty($_SERVER['HTTP_USER_AGENT'])) ? htmlspecialchars((string) $_SERVER['HTTP_USER_AGENT']) : ''; 215 215 $this->referer = (!empty($_SERVER['HTTP_REFERER'])) ? htmlspecialchars((string) $_SERVER['HTTP_REFERER']) : ''; 216 $this->forwarded_for = (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) ? (string) $_SERVER['HTTP_X_FORWARDED_FOR']: '';216 $this->forwarded_for = (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) ? htmlspecialchars((string) $_SERVER['HTTP_X_FORWARDED_FOR']) : ''; 217 217 218 218 $this->host = $this->extract_current_hostname(); … … 222 222 if ($config['forwarded_for_check']) 223 223 { 224 $this->forwarded_for = preg_replace('# , +#', ', ', $this->forwarded_for);224 $this->forwarded_for = preg_replace('#[ ]{2,}#', ' ', str_replace(array(',', ' '), ' ', $this->forwarded_for)); 225 225 226 226 // split the list of IPs 227 $ips = explode(' ,', $this->forwarded_for);227 $ips = explode(' ', $this->forwarded_for); 228 228 foreach ($ips as $ip) 229 229 { … … 268 268 // Why no forwarded_for et al? Well, too easily spoofed. With the results of my recent requests 269 269 // it's pretty clear that in the majority of cases you'll at least be left with a proxy/cache ip. 270 $this->ip = (!empty($_SERVER['REMOTE_ADDR'])) ? htmlspecialchars($_SERVER['REMOTE_ADDR']) : ''; 270 $this->ip = (!empty($_SERVER['REMOTE_ADDR'])) ? 
htmlspecialchars((string) $_SERVER['REMOTE_ADDR']) : ''; 271 $this->ip = preg_replace('#[ ]{2,}#', ' ', str_replace(array(',', ' '), ' ', $this->ip)); 272 273 // split the list of IPs 274 $ips = explode(' ', $this->ip); 275 276 // Default IP if REMOTE_ADDR is invalid 277 $this->ip = '127.0.0.1'; 278 279 foreach ($ips as $ip) 280 { 281 // check IPv4 first, the IPv6 is hopefully only going to be used very seldomly 282 if (!empty($ip) && !preg_match(get_preg_expression('ipv4'), $ip) && !preg_match(get_preg_expression('ipv6'), $ip)) 283 { 284 // Just break 285 break; 286 } 287 288 // Use the last in chain 289 $this->ip = $ip; 290 } 291 271 292 $this->load = false; 272 293 … … 397 418 $db->sql_query($sql); 398 419 } 420 421 if ($this->data['user_id'] != ANONYMOUS && !empty($config['new_member_post_limit']) && $this->data['user_new'] && $config['new_member_post_limit'] <= $this->data['user_posts']) 422 { 423 $this->leave_newly_registered(); 424 } 399 425 } 400 426 … … 481 507 foreach (explode(',', $row['bot_ip']) as $bot_ip) 482 508 { 509 $bot_ip = trim($bot_ip); 510 511 if (!$bot_ip) 512 { 513 continue; 514 } 515 483 516 if (strpos($this->ip, $bot_ip) === 0) 484 517 { … … 595 628 else 596 629 { 597 $ips = explode(' ,', $this->forwarded_for);630 $ips = explode(' ', $this->forwarded_for); 598 631 $ips[] = $this->ip; 599 632 $this->check_ban($this->data['user_id'], $ips); … … 720 753 // $db->sql_return_on_error(false); 721 754 755 // Something quite important: session_page always holds the *last* page visited, except for the *first* visit. 756 // We are not able to simply have an empty session_page btw, therefore we need to tell phpBB how to detect this special case. 757 // If the session id is empty, we have a completely new one and will set an "identifier" here. This identifier is able to be checked later. 
758 if (empty($this->data['session_id'])) 759 { 760 // This is a temporary variable, only set for the very first visit 761 $this->data['session_created'] = true; 762 } 763 722 764 $this->session_id = $this->data['session_id'] = md5(unique_id()); 723 765 … … 876 918 function session_gc() 877 919 { 878 global $db, $config ;920 global $db, $config, $phpbb_root_path, $phpEx; 879 921 880 922 $batch_size = 10; … … 934 976 $db->sql_query($sql); 935 977 } 936 $this->confirm_gc(); 978 979 // only called from CRON; should be a safe workaround until the infrastructure gets going 980 if (!class_exists('captcha_factory')) 981 { 982 include($phpbb_root_path . "includes/captcha/captcha_factory." . $phpEx); 983 } 984 phpbb_captcha_factory::garbage_collect($config['captcha_plugin']); 937 985 } 938 986 939 987 return; 940 988 } 941 942 function confirm_gc($type = 0)943 {944 global $db, $config;945 946 $sql = 'SELECT DISTINCT c.session_id947 FROM ' . CONFIRM_TABLE . ' c948 LEFT JOIN ' . SESSIONS_TABLE . ' s ON (c.session_id = s.session_id)949 WHERE s.session_id IS NULL' .950 ((empty($type)) ? '' : ' AND c.confirm_type = ' . (int) $type);951 $result = $db->sql_query($sql);952 953 if ($row = $db->sql_fetchrow($result))954 {955 $sql_in = array();956 do957 {958 $sql_in[] = (string) $row['session_id'];959 }960 while ($row = $db->sql_fetchrow($result));961 962 if (sizeof($sql_in))963 {964 $sql = 'DELETE FROM ' . CONFIRM_TABLE . '965 WHERE ' . $db->sql_in_set('session_id', $sql_in);966 $db->sql_query($sql);967 }968 }969 $db->sql_freeresult($result);970 }971 972 989 973 990 /** … … 1205 1222 1206 1223 $dnsbl_check = array( 1207 'sbl -xbl.spamhaus.org' => 'http://www.spamhaus.org/query/bl?ip=',1224 'sbl.spamhaus.org' => 'http://www.spamhaus.org/query/bl?ip=', 1208 1225 ); 1209 1226 … … 1339 1356 global $config, $db; 1340 1357 1341 $user_id = ($user_id === false) ? $this->data['user_id'] :$user_id;1358 $user_id = ($user_id === false) ? 
(int) $this->data['user_id'] : (int) $user_id; 1342 1359 1343 1360 $sql = 'DELETE FROM ' . SESSIONS_KEYS_TABLE . ' … … 1345 1362 $db->sql_query($sql); 1346 1363 1364 // If the user is logged in, update last visit info first before deleting sessions 1365 $sql = 'SELECT session_time, session_page 1366 FROM ' . SESSIONS_TABLE . ' 1367 WHERE session_user_id = ' . (int) $user_id . ' 1368 ORDER BY session_time DESC'; 1369 $result = $db->sql_query_limit($sql, 1); 1370 $row = $db->sql_fetchrow($result); 1371 $db->sql_freeresult($result); 1372 1373 if ($row) 1374 { 1375 $sql = 'UPDATE ' . USERS_TABLE . ' 1376 SET user_lastvisit = ' . (int) $row['session_time'] . ", user_lastpage = '" . $db->sql_escape($row['session_page']) . "' 1377 WHERE user_id = " . (int) $user_id; 1378 $db->sql_query($sql); 1379 } 1380 1347 1381 // Let's also clear any current sessions for the specified user_id 1348 1382 // If it's the current user then we'll leave this session intact 1349 1383 $sql_where = 'session_user_id = ' . (int) $user_id; 1350 $sql_where .= ($user_id === $this->data['user_id']) ? " AND session_id <> '" . $db->sql_escape($this->session_id) . "'" : '';1384 $sql_where .= ($user_id === (int) $this->data['user_id']) ? " AND session_id <> '" . $db->sql_escape($this->session_id) . "'" : ''; 1351 1385 1352 1386 $sql = 'DELETE FROM ' . SESSIONS_TABLE . 
" … … 1356 1390 // We're changing the password of the current user and they have a key 1357 1391 // Lets regenerate it to be safe 1358 if ($user_id === $this->data['user_id'] && $this->cookie_data['k'])1392 if ($user_id === (int) $this->data['user_id'] && $this->cookie_data['k']) 1359 1393 { 1360 1394 $this->set_login_key($user_id); … … 1369 1403 function validate_referer($check_script_path = false) 1370 1404 { 1405 global $config; 1406 1371 1407 // no referer - nothing to validate, user's fault for turning it off (we only check on POST; so meta can't be the reason) 1372 1408 if (empty($this->referer) || empty($this->host)) … … 1378 1414 $ref = substr($this->referer, strpos($this->referer, '://') + 3); 1379 1415 1380 if (!(stripos($ref, $host) === 0) )1416 if (!(stripos($ref, $host) === 0) && (!$config['force_server_vars'] || !(stripos($ref, $config['server_name']) === 0))) 1381 1417 { 1382 1418 return false; … … 1436 1472 var $img_array = array(); 1437 1473 1438 // Able to add new option (id 7)1439 var $keyoptions = array('viewimg' => 0, 'viewflash' => 1, 'viewsmilies' => 2, 'viewsigs' => 3, 'viewavatars' => 4, 'viewcensors' => 5, 'attachsig' => 6, 'bbcode' => 8, 'smilies' => 9, 'popuppm' => 10 );1474 // Able to add new options (up to id 31) 1475 var $keyoptions = array('viewimg' => 0, 'viewflash' => 1, 'viewsmilies' => 2, 'viewsigs' => 3, 'viewavatars' => 4, 'viewcensors' => 5, 'attachsig' => 6, 'bbcode' => 8, 'smilies' => 9, 'popuppm' => 10, 'sig_bbcode' => 15, 'sig_smilies' => 16, 'sig_links' => 17); 1440 1476 var $keyvalues = array(); 1441 1477 … … 1528 1564 $lang = &$this->lang; 1529 1565 1530 if ((@include $this->lang_path . $this->lang_name . "/common.$phpEx") === false) 1566 // Do not suppress error if in DEBUG_EXTRA mode 1567 $include_result = (defined('DEBUG_EXTRA')) ? (include $this->lang_path . $this->lang_name . "/common.$phpEx") : (@include $this->lang_path . $this->lang_name . 
"/common.$phpEx"); 1568 1569 if ($include_result === false) 1531 1570 { 1532 1571 die('Language file ' . $this->lang_path . $this->lang_name . "/common.$phpEx" . " couldn't be opened."); … … 1536 1575 unset($lang_set); 1537 1576 1538 if (!empty($_GET['style']) && $auth->acl_get('a_styles') )1577 if (!empty($_GET['style']) && $auth->acl_get('a_styles') && !defined('ADMIN_START')) 1539 1578 { 1540 1579 global $SID, $_EXTRA_URL; … … 1658 1697 $this->img_lang = (file_exists($phpbb_root_path . 'styles/' . $this->theme['imageset_path'] . '/imageset/' . $this->lang_name)) ? $this->lang_name : $config['default_lang']; 1659 1698 1660 $sql = 'SELECT image_name, image_filename, image_lang, image_height, image_width 1699 // Same query in style.php 1700 $sql = 'SELECT * 1661 1701 FROM ' . STYLES_IMAGESET_DATA_TABLE . ' 1662 1702 WHERE imageset_id = ' . $this->theme['imageset_id'] . " … … 1757 1797 // Disable board if the install/ directory is still present 1758 1798 // For the brave development army we do not care about this, else we need to comment out this everytime we develop locally 1759 if (!defined('DEBUG_EXTRA') && !defined('ADMIN_START') && !defined('IN_INSTALL') && !defined('IN_LOGIN') && file_exists($phpbb_root_path . 'install') )1799 if (!defined('DEBUG_EXTRA') && !defined('ADMIN_START') && !defined('IN_INSTALL') && !defined('IN_LOGIN') && file_exists($phpbb_root_path . 'install') && !is_file($phpbb_root_path . 'install')) 1760 1800 { 1761 1801 // Adjust the message slightly according to the permissions … … 1774 1814 if ($config['board_disable'] && !defined('IN_LOGIN') && !$auth->acl_gets('a_', 'm_') && !$auth->acl_getf_global('m_')) 1775 1815 { 1776 header('HTTP/1.1 503 Service Unavailable'); 1816 if ($this->data['is_bot']) 1817 { 1818 header('HTTP/1.1 503 Service Unavailable'); 1819 } 1777 1820 1778 1821 $message = (!empty($config['board_disable_msg'])) ? 
$config['board_disable_msg'] : 'BOARD_DISABLE'; … … 1790 1833 if (!$auth->acl_gets('a_', 'm_') && !$auth->acl_getf_global('m_')) 1791 1834 { 1792 header('HTTP/1.1 503 Service Unavailable'); 1835 if ($this->data['is_bot']) 1836 { 1837 header('HTTP/1.1 503 Service Unavailable'); 1838 } 1793 1839 trigger_error('BOARD_UNAVAILABLE'); 1794 1840 } … … 1828 1874 // Does the user need to change their password? If so, redirect to the 1829 1875 // ucp profile reg_details page ... of course do not redirect if we're already in the ucp 1830 if (!defined('IN_ADMIN') && !defined('ADMIN_START') && $config['chg_passforce'] && $this->data['is_registered']&& $auth->acl_get('u_chgpasswd') && $this->data['user_passchg'] < time() - ($config['chg_passforce'] * 86400))1876 if (!defined('IN_ADMIN') && !defined('ADMIN_START') && $config['chg_passforce'] && !empty($this->data['is_registered']) && $auth->acl_get('u_chgpasswd') && $this->data['user_passchg'] < time() - ($config['chg_passforce'] * 86400)) 1831 1877 { 1832 1878 if (strpos($this->page['query_string'], 'mode=reg_details') === false && $this->page['page_name'] != "ucp.$phpEx") … … 2001 2047 } 2002 2048 2003 if ((@include $language_filename) === false) 2049 if (!file_exists($language_filename)) 2050 { 2051 global $config; 2052 2053 if ($this->lang_name == 'en') 2054 { 2055 // The user's selected language is missing the file, the board default's language is missing the file, and the file doesn't exist in /en. 2056 $language_filename = str_replace($this->lang_path . 'en', $this->lang_path . $this->data['user_lang'], $language_filename); 2057 trigger_error('Language file ' . $language_filename . 
' couldn\'t be opened.', E_USER_ERROR); 2058 } 2059 else if ($this->lang_name == basename($config['default_lang'])) 2060 { 2061 // Fall back to the English Language 2062 $this->lang_name = 'en'; 2063 $this->set_lang($lang, $help, $lang_file, $use_db, $use_help); 2064 } 2065 else if ($this->lang_name == $this->data['user_lang']) 2066 { 2067 // Fall back to the board default language 2068 $this->lang_name = basename($config['default_lang']); 2069 $this->set_lang($lang, $help, $lang_file, $use_db, $use_help); 2070 } 2071 2072 // Reset the lang name 2073 $this->lang_name = (file_exists($this->lang_path . $this->data['user_lang'] . "/common.$phpEx")) ? $this->data['user_lang'] : basename($config['default_lang']); 2074 return; 2075 } 2076 2077 // Do not suppress error if in DEBUG_EXTRA mode 2078 $include_result = (defined('DEBUG_EXTRA')) ? (include $language_filename) : (@include $language_filename); 2079 2080 if ($include_result === false) 2004 2081 { 2005 2082 trigger_error('Language file ' . $language_filename . ' couldn\'t be opened.', E_USER_ERROR); … … 2037 2114 $date_cache[$format] = array( 2038 2115 'is_short' => strpos($format, '|'), 2039 'zone_offset' => $this->timezone + $this->dst,2040 2116 'format_short' => substr($format, 0, strpos($format, '|')) . '||' . 
substr(strrchr($format, '|'), 1), 2041 2117 'format_long' => str_replace('|', '', $format), … … 2050 2126 } 2051 2127 2128 // Zone offset 2129 $zone_offset = $this->timezone + $this->dst; 2130 2052 2131 // Show date <= 1 hour ago as 'xx min ago' 2053 // A small tolerence is given for times in the future and times in the futurebut in the same minute are displayed as '< than a minute ago'2132 // A small tolerence is given for times in the future but in the same minute are displayed as '< than a minute ago' 2054 2133 if ($delta <= 3600 && ($delta >= -5 || (($now / 60) % 60) == (($gmepoch / 60) % 60)) && $date_cache[$format]['is_short'] !== false && !$forcedate && isset($this->lang['datetime']['AGO'])) 2055 2134 { … … 2059 2138 if (!$midnight) 2060 2139 { 2061 list($d, $m, $y) = explode(' ', gmdate('j n Y', time() + $ date_cache[$format]['zone_offset']));2062 $midnight = gmmktime(0, 0, 0, $m, $d, $y) - $ date_cache[$format]['zone_offset'];2063 } 2064 2065 if ($date_cache[$format]['is_short'] !== false && !$forcedate )2140 list($d, $m, $y) = explode(' ', gmdate('j n Y', time() + $zone_offset)); 2141 $midnight = gmmktime(0, 0, 0, $m, $d, $y) - $zone_offset; 2142 } 2143 2144 if ($date_cache[$format]['is_short'] !== false && !$forcedate && !($gmepoch < $midnight - 86400 || $gmepoch > $midnight + 172800)) 2066 2145 { 2067 2146 $day = false; … … 2082 2161 if ($day !== false) 2083 2162 { 2084 return str_replace('||', $this->lang['datetime'][$day], strtr(@gmdate($date_cache[$format]['format_short'], $gmepoch + $ date_cache[$format]['zone_offset']), $date_cache[$format]['lang']));2085 } 2086 } 2087 2088 return strtr(@gmdate($date_cache[$format]['format_long'], $gmepoch + $ date_cache[$format]['zone_offset']), $date_cache[$format]['lang']);2163 return str_replace('||', $this->lang['datetime'][$day], strtr(@gmdate($date_cache[$format]['format_short'], $gmepoch + $zone_offset), $date_cache[$format]['lang'])); 2164 } 2165 } 2166 2167 return 
strtr(@gmdate($date_cache[$format]['format_long'], $gmepoch + $zone_offset), $date_cache[$format]['lang']); 2089 2168 } 2090 2169 … … 2156 2235 } 2157 2236 2158 $img_data['src'] = $phpbb_root_path . 'styles/' . $this->theme['imageset_path'] . '/imageset/' . ($this->img_array[$img]['image_lang'] ? $this->img_array[$img]['image_lang'] .'/' : '') . $this->img_array[$img]['image_filename']; 2237 // Use URL if told so 2238 $root_path = (defined('PHPBB_USE_BOARD_URL_PATH') && PHPBB_USE_BOARD_URL_PATH) ? generate_board_url() . '/' : $phpbb_root_path; 2239 2240 $img_data['src'] = $root_path . 'styles/' . rawurlencode($this->theme['imageset_path']) . '/imageset/' . ($this->img_array[$img]['image_lang'] ? $this->img_array[$img]['image_lang'] .'/' : '') . $this->img_array[$img]['image_filename']; 2159 2241 $img_data['width'] = $this->img_array[$img]['image_width']; 2160 2242 $img_data['height'] = $this->img_array[$img]['image_height']; … … 2229 2311 } 2230 2312 } 2313 2314 /** 2315 * Funtion to make the user leave the NEWLY_REGISTERED system group. 2316 * @access public 2317 */ 2318 function leave_newly_registered() 2319 { 2320 global $db; 2321 2322 if (empty($this->data['user_new'])) 2323 { 2324 return false; 2325 } 2326 2327 if (!function_exists('remove_newly_registered')) 2328 { 2329 global $phpbb_root_path, $phpEx; 2330 2331 include($phpbb_root_path . 'includes/functions_user.' . $phpEx); 2332 } 2333 if ($group = remove_newly_registered($this->data['user_id'], $this->data)) 2334 { 2335 $this->data['group_id'] = $group; 2336 2337 } 2338 $this->data['user_permissions'] = ''; 2339 $this->data['user_new'] = 0; 2340 2341 return true; 2342 } 2231 2343 } 2232 2344
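Review bot: The new `$config['server_name']` alternative on line 1416 keeps the prefix-only test `stripos($ref, ...) === 0`, so any referer whose host merely begins with the configured name (further labels or characters appended after it) still satisfies the check; the pre-existing `$host` comparison has the same shape, so the added branch widens rather than tightens what validate_referer accepts on POST. Compare the referer's host component as a whole instead: cut `$ref` at the first `/`, `:`, `?` or `#` and match it case-insensitively against `$host` and, only when `force_server_vars` is set, against `$config['server_name']`, e.g. `$ref_host = strtolower(preg_replace('~[/:?#].*$~', '', $ref));` followed by `if ($ref_host !== strtolower($host) && (!$config['force_server_vars'] || $ref_host !== strtolower($config['server_name'])))`. Whether `$host` or the referer may carry a port is not visible in this hunk; if it can, strip it the same way on both sides before comparing. validate_referer continues past the hunk and `$host` is assigned on lines outside it.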