From c09f0eb1d9009ce0a7d2a12c41b125957604eff5 Mon Sep 17 00:00:00 2001 From: Gerrit Uitslag Date: Fri, 28 Feb 2014 17:13:42 +0100 Subject: define overridable constants for session properties FS#1913 --- inc/init.php | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) (limited to 'inc/init.php') diff --git a/inc/init.php b/inc/init.php index 3e422453d..08f4b45b9 100644 --- a/inc/init.php +++ b/inc/init.php @@ -140,18 +140,23 @@ if ($conf['gzip_output'] && } // init session -if (!headers_sent() && !defined('NOSESSION')){ - session_name("DokuWiki"); +if(!headers_sent() && !defined('NOSESSION')) { + if(!defined('DOKU_SESSION_NAME')) define ('DOKU_SESSION_NAME', "DokuWiki"); + if(!defined('DOKU_SESSION_LIFETIME')) define ('DOKU_SESSION_LIFETIME', 0); $cookieDir = empty($conf['cookiedir']) ? DOKU_REL : $conf['cookiedir']; - if (version_compare(PHP_VERSION, '5.2.0', '>')) { - session_set_cookie_params(0,$cookieDir,'',($conf['securecookie'] && is_ssl()),true); - }else{ - session_set_cookie_params(0,$cookieDir,'',($conf['securecookie'] && is_ssl())); + if(!defined('DOKU_SESSION_PATH')) define ('DOKU_SESSION_PATH', $cookieDir); + if(!defined('DOKU_SESSION_DOMAIN')) define ('DOKU_SESSION_DOMAIN', ''); + + session_name(DOKU_SESSION_NAME); + if(version_compare(PHP_VERSION, '5.2.0', '>')) { + session_set_cookie_params(DOKU_SESSION_LIFETIME, DOKU_SESSION_PATH, DOKU_SESSION_DOMAIN, ($conf['securecookie'] && is_ssl()), true); + } else { + session_set_cookie_params(DOKU_SESSION_LIFETIME, DOKU_SESSION_PATH, DOKU_SESSION_DOMAIN, ($conf['securecookie'] && is_ssl())); } session_start(); // load left over messages - if(isset($_SESSION[DOKU_COOKIE]['msg'])){ + if(isset($_SESSION[DOKU_COOKIE]['msg'])) { $MSG = $_SESSION[DOKU_COOKIE]['msg']; unset($_SESSION[DOKU_COOKIE]['msg']); } -- cgit v1.2.3 From 55a71a16cbfacd3836ca70e37e45f85bd44ceab1 Mon Sep 17 00:00:00 2001 
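Review bot: The `DOKU_SESSION_DOMAIN` and `DOKU_SESSION_PATH` values handed to `session_set_cookie_params(...)` widen the session cookie's scope whenever a deployment defines them broader than the defaults ('' and the cookiedir): a parent domain sends the cookie to every sibling host, and a '/' path exposes it to other applications on the same host, yet the new `define` lines carry no warning. I would add above the `if(!defined('DOKU_SESSION_NAME'))` line: `// Overrides must not be broader than the defaults: a parent domain or a '/' path delivers the session cookie to other hosts/applications`. Separately, `version_compare(PHP_VERSION, '5.2.0', '>')` excludes exactly 5.2.0 from the httponly branch although that parameter exists from 5.2.0 on, so `'>='` is the intended bound.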
From: Gerrit Uitslag Date: Tue, 4 Mar 2014 21:14:24 +0100 Subject: removed pre PHP 5.2 code wrt setcookie and session setting - moved cookiedir determination in the if-statement --- inc/init.php | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) (limited to 'inc/init.php') diff --git a/inc/init.php b/inc/init.php index 08f4b45b9..9b8465911 100644 --- a/inc/init.php +++ b/inc/init.php @@ -143,16 +143,14 @@ if ($conf['gzip_output'] && if(!headers_sent() && !defined('NOSESSION')) { if(!defined('DOKU_SESSION_NAME')) define ('DOKU_SESSION_NAME', "DokuWiki"); if(!defined('DOKU_SESSION_LIFETIME')) define ('DOKU_SESSION_LIFETIME', 0); - $cookieDir = empty($conf['cookiedir']) ? DOKU_REL : $conf['cookiedir']; - if(!defined('DOKU_SESSION_PATH')) define ('DOKU_SESSION_PATH', $cookieDir); + if(!defined('DOKU_SESSION_PATH')) { + $cookieDir = empty($conf['cookiedir']) ? DOKU_REL : $conf['cookiedir']; + define ('DOKU_SESSION_PATH', $cookieDir); + } if(!defined('DOKU_SESSION_DOMAIN')) define ('DOKU_SESSION_DOMAIN', ''); session_name(DOKU_SESSION_NAME); - if(version_compare(PHP_VERSION, '5.2.0', '>')) { - session_set_cookie_params(DOKU_SESSION_LIFETIME, DOKU_SESSION_PATH, DOKU_SESSION_DOMAIN, ($conf['securecookie'] && is_ssl()), true); - } else { - session_set_cookie_params(DOKU_SESSION_LIFETIME, DOKU_SESSION_PATH, DOKU_SESSION_DOMAIN, ($conf['securecookie'] && is_ssl())); - } + session_set_cookie_params(DOKU_SESSION_LIFETIME, DOKU_SESSION_PATH, DOKU_SESSION_DOMAIN, ($conf['securecookie'] && is_ssl()), true); session_start(); // load left over messages -- cgit v1.2.3 From 0e80bb5e347ff00c6f81627d8e39dafaaa923bc5 Mon Sep 17 00:00:00 2001 From: Christopher Smith Date: Wed, 5 Mar 2014 21:58:46 +0000 Subject: use empty() where array values might not be set --- inc/init.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'inc/init.php') diff --git a/inc/init.php b/inc/init.php index 9b8465911..6fb27bd2a 100644 --- a/inc/init.php +++ b/inc/init.php 
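Review bot: `$cookieDir` is now assigned only inside the new `if(!defined('DOKU_SESSION_PATH'))` branch, so when a deployment pre-defines `DOKU_SESSION_PATH` the variable is never set for the rest of init.php; if anything after this block still reads `$cookieDir` (not visible in this hunk) it silently gets null. Either keep the assignment unconditional or, if nothing else uses it, say so with a comment such as `// $cookieDir only feeds DOKU_SESSION_PATH; do not rely on it below`. It would also help a reader to note on the `session_set_cookie_params(...)` line that the Secure flag is recomputed from `is_ssl()` on every request, so the path/domain constants alone do not make the cookie HTTPS-only.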
@@ -176,7 +176,7 @@ if(function_exists('set_magic_quotes_runtime')) @set_magic_quotes_runtime(0); $_REQUEST = array_merge($_GET,$_POST); // we don't want a purge URL to be digged -if(isset($_REQUEST['purge']) && $_SERVER['HTTP_REFERER']) unset($_REQUEST['purge']); +if(isset($_REQUEST['purge']) && !empty($_SERVER['HTTP_REFERER'])) unset($_REQUEST['purge']); // disable gzip if not available if($conf['compression'] == 'bz2' && !function_exists('bzopen')){ -- cgit v1.2.3 From f87b5dbbbad408da775ac4c60ceb9f9666280527 Mon Sep 17 00:00:00 2001 From: Christopher Smith Date: Wed, 5 Mar 2014 22:04:14 +0000 Subject: use isset() + ?: or error suppression where value may not be set --- inc/init.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'inc/init.php') diff --git a/inc/init.php b/inc/init.php index 6fb27bd2a..bcd96e5e4 100644 --- a/inc/init.php +++ b/inc/init.php @@ -441,12 +441,12 @@ function getBaseURL($abs=null){ //split hostheader into host and port if(isset($_SERVER['HTTP_HOST'])){ $parsed_host = parse_url('http://'.$_SERVER['HTTP_HOST']); - $host = $parsed_host['host']; - $port = $parsed_host['port']; + $host = isset($parsed_host['host']) ? $parsed_host['host'] : null; + $port = isset($parsed_host['port']) ? $parsed_host['port'] : null; }elseif(isset($_SERVER['SERVER_NAME'])){ $parsed_host = parse_url('http://'.$_SERVER['SERVER_NAME']); - $host = $parsed_host['host']; - $port = $parsed_host['port']; + $host = isset($parsed_host['host']) ? $parsed_host['host'] : null; + $port = isset($parsed_host['port']) ? $parsed_host['port'] : null; }else{ $host = php_uname('n'); $port = ''; -- cgit v1.2.3 From 585bf44e2b756eac2e1cfce7035ef237bc02a788 Mon Sep 17 00:00:00 2001 From: Christopher Smith Date: Thu, 6 Mar 2014 19:55:56 +0000 Subject: amend $_SERVER to $INPUT->server --- inc/init.php | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'inc/init.php') diff --git a/inc/init.php b/inc/init.php index bcd96e5e4..4ff239787 100644 --- a/inc/init.php 
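Review bot: The `!empty($_SERVER['HTTP_REFERER'])` test on the new `if(isset($_REQUEST['purge']) ...)` line gates cache purging on a header the client chooses to send, so any caller can still force a purge by omitting Referer; the change fixes the notice, but the comment above should make clear this is crawler hygiene rather than a control. I would replace `// we don't want a purge URL to be digged` with `// drop ?purge when it arrives via a link (Referer set) so crawled/shared URLs do not bust the cache; clients can omit Referer, so this is not an access control`. If forced cache regeneration is a concern, that needs an authenticated or rate-limited path, which is outside this hunk.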
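Review bot: The new `$host = isset($parsed_host['host']) ? $parsed_host['host'] : null;` lines still take the host from the client-supplied `HTTP_HOST`, and the result of getBaseURL presumably ends up in absolute links and redirects; the function starts above this hunk, so I cannot see whether a configured base URL is preferred first, but if it is not, an attacker-chosen Host header flows into generated URLs (host-header injection / cache poisoning). In that case the `HTTP_HOST` branch should only be used when the header matches the configured site host, and the `if(isset($_SERVER['HTTP_HOST']))` line deserves a comment such as `// HTTP_HOST is client-controlled; only trusted when it matches the configured base URL`. Also worth noting inline: `parse_url()` returns `false` for a malformed header, and `isset()` on that yields `null` for both values without a notice, so `$port` relies on the later `is_null($port)` normalisation.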
+++ b/inc/init.php @@ -402,6 +402,10 @@ function remove_magic_quotes(&$array) { * Returns the full absolute URL to the directory where * DokuWiki is installed in (includes a trailing slash) * + * !! Can not access $_SERVER values through $INPUT + * !! here as this function is called before $INPUT is + * !! initialized. + * * @author Andreas Gohr */ function getBaseURL($abs=null){ -- cgit v1.2.3 From 19738e65138f2c83e73e0e8eedf259cd12fdf1c7 Mon Sep 17 00:00:00 2001 From: Enrico Tagliavini Date: Sat, 12 Jul 2014 23:26:45 +0200 Subject: adding X-Forwarded-Proto support in is_ssl() This commit adds support for X-Forwarded-Proto in case dokuwiki runs behind a reverse (SSL) proxy, but the connection between the proxy and the web server running dokuwki is plain HTTP. If an authenticated user is accidentaly dropped to HTTP from HTTPS the securecookie setting should be honored and the redirection when saving or canceling a page edit should point to the correct protocol. This happens every time a user hits cancel after editing a page, and likely even after saving. If the webserver doesn't enforce HTTPS the coockie might be sent in clear. --- inc/init.php | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) (limited to 'inc/init.php') diff --git a/inc/init.php b/inc/init.php index 4ff239787..d825b5250 100644 --- a/inc/init.php +++ b/inc/init.php @@ -456,10 +456,6 @@ function getBaseURL($abs=null){ $port = ''; } - if(!$port && isset($_SERVER['SERVER_PORT'])) { - $port = $_SERVER['SERVER_PORT']; - } - if(is_null($port)){ $port = ''; } @@ -490,6 +486,14 @@ function getBaseURL($abs=null){ * @returns bool true when SSL is active */ function is_ssl(){ + // check if we are behind a reverse proxy + if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])) { + if ($_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') { + return true; + } else { + return false; + } + } if (!isset($_SERVER['HTTPS']) || preg_match('/^(|off|false|disabled)$/i',$_SERVER['HTTPS'])){ return false; -- cgit v1.2.3
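Review bot: Dropping the `if(!$port && isset($_SERVER['SERVER_PORT']))` fallback means `$port` now comes only from the Host header (or SERVER_NAME), and the commit message does not say why; a later reader reaching the `if(is_null($port))` line will not know the port is ignored on purpose. A comment at the point of removal would capture the intent, e.g. `// SERVER_PORT is deliberately not consulted: behind a reverse proxy it is the backend port, while Host carries the public one`. That reasoning is my inference from the commit description, so please confirm it before writing it down. getBaseURL starts before and continues after this hunk.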
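Review bot: The new `if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']))` block trusts an ordinary request header from any client and returns before the `$_SERVER['HTTPS']` check, so a client on a genuine TLS connection can send `X-Forwarded-Proto: http` and make is_ssl() return false; the session cookie set in the init block above then goes out without the Secure flag even with `securecookie` on, and the post-edit redirect points at http://, while the reverse spoof (`https` over plain HTTP) poisons absolute URLs. The header should only be honored when the server-side connection is not already TLS and the request demonstrably came from the configured reverse proxy (a trusted-proxy option; none is visible in this hunk), and the comparison should tolerate case and the comma-separated lists chained proxies produce. The rewrite below moves the positive HTTPS check first so a forwarded header can never downgrade a TLS connection; is_ssl() continues past the end of the hunk.

```php
function is_ssl(){
    // A TLS connection to this server is authoritative; a forwarded header
    // must not be able to downgrade it (client-sent "X-Forwarded-Proto: http").
    if (isset($_SERVER['HTTPS']) && !preg_match('/^(|off|false|disabled)$/i', $_SERVER['HTTPS'])) {
        return true;
    }
    // X-Forwarded-Proto is a plain request header: honor it only when a reverse
    // proxy is configured and this request actually came from it.
    // NOTE(review): $conf['trustedproxy'] stands for whatever option holds the proxy address(es) — confirm
    global $conf;
    if (!empty($conf['trustedproxy']) && isset($_SERVER['REMOTE_ADDR'])
        && in_array($_SERVER['REMOTE_ADDR'], (array) $conf['trustedproxy'], true)
        && isset($_SERVER['HTTP_X_FORWARDED_PROTO'])) {
        // chained proxies append values; the first entry is the client-facing scheme
        $proto = strtolower(trim(strtok($_SERVER['HTTP_X_FORWARDED_PROTO'], ',')));
        return $proto === 'https';
    }
    // … unchanged: existing $_SERVER['HTTPS'] off/false/disabled check and the rest of is_ssl() …
```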