forked from icecoder/ICEcoder
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathsettings-common.php
More file actions
182 lines (158 loc) · 6.21 KB
/
settings-common.php
File metadata and controls
182 lines (158 loc) · 6.21 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
<?php
// Don't display, but log all errors
ini_set('display_errors', 0);
ini_set('log_errors', 1);
ini_set('error_log', dirname(__FILE__).'/../error-log.txt');
error_reporting(-1);
// Set our default timezone and supress warning with @
@date_default_timezone_set(date_default_timezone_get());
// Set a stream context timeout for file reading
$context = stream_context_create(array('http'=>
array(
'timeout' => 60 // secs
)
));
// Start a session if we haven't already
if(!isset($_SESSION)) {
ini_set('session.use_cookies','1'); // Use cookies not URL parameters
ini_set('session.use_only_cookies','1'); // Force use of cookies and nothing else
ini_set('session.name','ICEcoder_Cookie'); // Set a seperate cookie session name
ini_set('session.cookie_lifetime','0'); // Until the browser restarts by default
ini_set('session.cookie_domain',''); // This domain only
// ini_set('session.cookie_path',str_replace($_SERVER['DOCUMENT_ROOT'],'',dirname(dirname(__FILE__)))); // ICEcoder path only, fails ON IE
ini_set('session.use_trans_sid','0'); // Ensure this insecure feature is disabled
ini_set('session.hash_function','sha512'); // Use Sha512 for session
ini_set('session.hash_bits_per_character','6'); // Specify hash scheme of 0-9,a-v,A-Z,-,,
// ini_set('session.use_strict_mode','1'); // Reject any session ID that was user provided and not generated by the session (since PHP 5.5.2)
ini_set('session.httponly','1'); // Only allow http protocol (ie, not JS) access to the cookie (since PHP 5.2.0)
ini_set('session.save_path',dirname(__FILE__).'/../tmp'); // Localise the session files to /tmp
if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
ini_set('session.cookie_secure','1'); // Only allows access to session ID when protocol is HTTPS, switched on under 'if https' condition
}
@session_start(); // Finally, start the session!
if (!isset($_SESSION['csrf'])){
session_regenerate_id(true); // Create a new ID to help prevent fixation
}
}
// Set the language file, if now possible
if (isset($_SESSION['text'])) {
$text = $_SESSION['text'];
$t = $text['settings-common'];
}
// Logout if that's the action we're taking
if (isset($_GET['logout'])) {
include(dirname(__FILE__)."/../processes/on-user-logout.php");
$_SESSION['loggedIn']=false;
$_SESSION['username']=false;
session_destroy();
header("Location: .");
die("Logging you out...");
}
// If magic quotes are still on (attempted to switch off in php.ini)
if (get_magic_quotes_gpc ()) {
function stripslashes_deep($value) {
$value = is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value);
return $value;
}
$_POST = (isset($_POST) && !empty($_POST)) ? array_map('stripslashes_deep', $_POST) : array();
$_GET = (isset($_GET) && !empty($_GET)) ? array_map('stripslashes_deep', $_GET) : array();
$_COOKIE = (isset($_COOKIE) && !empty($_COOKIE)) ? array_map('stripslashes_deep', $_COOKIE) : array();
$_REQUEST = (isset($_REQUEST) && !empty($_REQUEST)) ? array_map('stripslashes_deep', $_REQUEST) : array();
}
// Function to handle salted hashing
define('SALT_LENGTH',12);
function generateHash($plainText,$salt=null) {
if ($salt === null) {
$salt = substr(md5(uniqid(rand(), true)),0,SALT_LENGTH);
} else {
$salt = substr($salt,0,SALT_LENGTH);
}
return $salt.sha1($salt.$plainText);
}
// returns converted entities which have HTML entity equivalents
function strClean($var) {
return preg_replace("/javascript\:/i","javascript:",htmlentities($var, ENT_QUOTES, "UTF-8"));
}
// returns a number, whole or decimal or null
function numClean($var) {
return is_numeric($var) ? floatval($var) : false;
}
// Clean XSS attempts using different contexts
function xssClean($data,$type) {
// === html ===
if ($type == "html") {
$bad = array("<", ">");
$good = array("<", ">");
}
// === style ===
if ($type == "style") {
$bad = array("<", ">", "\"", "'", "``", "(", ")", "&", "\\\\");
$good = array("<", ">", """, "'", "`", "(", ")", "&", "\");
}
// === attribute ===
if ($type == "attribute") {
$bad = array("\"", "'", "``");
$good = array(""", "'", "`");
}
// === script ===
if ($type == "script") {
$bad = array("<", ">", "\"", "'", "\\\\", "%", "&");
$good = array("<", ">", """, "'", "\", "%", "&");
}
// === url ===
if ($type == "url") {
if(preg_match("#^(?:(?:https?|ftp):{1})\/\/[^\"\s\\\\]*.[^\"\s\\\\]*$#iu",(string)$data,$match)) {
return $match[0];
} else {
return 'javascript:void(0)';
}
}
$output = str_replace($bad, $good, $data);
return $output;
}
// returns a UTF8 based string with any UFT8 BOM removed
function toUTF8noBOM($string,$message) {
// Attempt to detect encoding
if (function_exists('mb_detect_encoding')) {
$strictUTF8 = mb_detect_encoding($string, 'UTF-8', true);
// Get rid of any UTF-8 BOM
$string = preg_replace('/\x{EF}\x{BB}\x{BF}/','',$string);
// Test for any bad characters
$teststring = $string;
$teststringBroken = utf8_decode($teststring);
$teststringConverted = iconv("UTF-8", "UTF-8//IGNORE", $teststringBroken);
// If we have a matching length, UTF8 encode it
if (!$strictUTF8 && strlen($teststringConverted) == strlen($teststringBroken)) {
$string = utf8_encode($string);
if ($message) {
echo "top.ICEcoder.message('".$t['Your document does...'].".');";
}
}
}
return $string;
}
// Polyfill for array_replace_recursive, which is in PHP 5.3+
if (!function_exists('array_replace_recursive')) {
function array_replace_recursive($base, $replacements) {
foreach (array_slice(func_get_args(), 1) as $replacements) {
$bref_stack = array(&$base);
$head_stack = array($replacements);
do {
end($bref_stack);
$bref = &$bref_stack[key($bref_stack)];
$head = array_pop($head_stack);
unset($bref_stack[key($bref_stack)]);
foreach (array_keys($head) as $key) {
if (isset($key, $bref) && is_array($bref[$key]) && is_array($head[$key])) {
$bref_stack[] = &$bref[$key];
$head_stack[] = $head[$key];
} else {
$bref[$key] = $head[$key];
}
}
} while(count($head_stack));
}
return $base;
}
}
?>