hedera-web-mindshore/usr/share/hedera-web/php/web/hedera.php

<?php

$homeConf = $_SERVER['CONTEXT_DOCUMENT_ROOT'].'/../.config/hedera-web/config.php';

if (file_exists ($homeConf))
	require_once ($homeConf);
else
	require_once ('/etc/hedera-web/config.php');

require_once ('php/db/db.php');
require_once ('php/web/auth.php');

function checkToken ($token)
{
	return preg_match ('/^[\w\-]+$/', $token);
}

function ifNull ($map, $key)
{
	return isset ($map[$key]) ? $map[$key] : NULL;
}

class Hedera
{
	static $sysConn;
	static $conn;
	static $newAccess = FALSE;

	static function init ()
	{
		global $conf;
	
		session_start ();

		$sysConn = new DbConn ();
		$sysConn->open (
			 'p:'. $conf['db']['host']
			,$conf['db']['user']
			,base64_decode ($conf['db']['pass'])
			,$conf['db']['name']
		);


		self::$sysConn = $sysConn;
		self::$conn = new DbConn ();
		
		// Setting the locale

		if (!isset ($_COOKIE['hedera_lang']) || $_COOKIE['hedera_lang'] == '')
		{
			if ($sysConn->isOpen () && isset ($_SERVER['HTTP_ACCEPT_LANGUAGE']))
			{
				$query = 'SELECT COUNT(*) FROM language WHERE code = %s AND active != FALSE';
				$regexp = '/([a-z]{1,4})(?:-[a-z]{1,4})?\s*(?:;\s*q\s*=\s*(?:1|0\.[0-9]+))?,?/i';

				preg_match_all ($regexp, $_SERVER['HTTP_ACCEPT_LANGUAGE'], $languages);

				foreach ($languages[1] as $lang)
				if ($sysConn->getValue ($query, $lang))
				{
					$_SESSION['lang'] = $lang;
					break;
				}
			}

			if (!isset ($_SESSION['lang']))
				$_SESSION['lang'] = $conf['defaultLang'];

			setcookie ('hedera_lang', $_SESSION['lang']);
		}
		else
			$_SESSION['lang'] = $_COOKIE['hedera_lang'];

		if (!$sysConn->isOpen ())
			return;

		// Setting the version

		$_SESSION['version'] = $sysConn->getValue ('SELECT version FROM version LIMIT 1');
		
		// Registering the visit

		if (!isset ($_COOKIE['PHPSESSID'])
		|| isset ($_SESSION['access'])
		|| isset ($_SESSION['skipVisit']))
			return;

		$agent = $_SERVER['HTTP_USER_AGENT'];
		$browser = get_browser ($agent, TRUE);
		
		if (isset ($browser['crawler']) && $browser['crawler'])
		{
			$_SESSION['skipVisit'] = TRUE;
			return;
		}

		if (isset ($_SERVER['REMOTE_ADDR']))
			$ip = ip2long ($_SERVER['REMOTE_ADDR']);

		$row = $sysConn->getRow (
			'CALL visit_register (%s, %s, %s, %s, %s, %s, %s, %s, %s)'
			,ifNull ($_COOKIE, 'hedera_visit')
			,ifNull ($browser, 'platform')
			,ifNull ($browser, 'browser') 
			,ifNull ($browser, 'version')
			,ifNull ($browser, 'javascript')
			,ifNull ($browser, 'cookies')
			,isset ($agent) ? $agent : NULL
			,isset ($ip) ? $ip : NULL
			,ifNull ($_SERVER, 'HTTP_REFERER')
		);

		if (isset ($row['access']))
		{
			setcookie ('hedera_visit', $row['visit'], time () + 365*60*60*24);
			$_SESSION['access'] = $row['access'];
			self::$newAccess = TRUE;
		}
		else
			$_SESSION['skipVisit'] = TRUE;
	}

	static function deinit ()
	{
		self::$sysConn->query (
			'UPDATE user_session SET connection_id = NULL WHERE ssid = %s'
			,session_id ()
		);
	}

	static function login ()
	{
		$wasLoged = isset ($_SESSION['user']);
		$success = Auth::login (self::$conn);
		
		if ($success)
		{
			$row = self::$conn->getRow (
				'SELECT account.user_get_id () user, CONNECTION_ID() conn');
			
			if (!$wasLoged)
				unset ($_SESSION['visitUser']);
		}
		else
			$row = NULL;

		// Registering the user access

		if (isset ($_SESSION['access']))
		{
			$_SESSION['visitUser'] = self::$sysConn->getValue (
				'CALL visit_user (%s, %s, %s, %s, %s)'
				,$_SESSION['access']
				,ifNull ($_SESSION, 'visitUser')
				,ifNull ($row, 'user')
				,ifNull ($row, 'conn')
				,session_id ()
			);
		
			if (!isset ($_SESSION['visitUnknown']) && !$success)
				$_SESSION['visitUnknown'] = $_SESSION['visitUser'];
		}

		return $success;
	}
	
	static function logout ()
	{
		self::$sysConn->query (
			'DELETE FROM user_session WHERE ssid = %s'
			,session_id ()
		);

		$_SESSION['visitUser'] = ifNull ($_SESSION, 'visitUnknown');
		Auth::logout (self::$conn);
	}
}

?>
Initial commit 2014-05-09 12:19:53 +00:00			`<?php`

Solucionados fallos de seguridad en la configuracion y en inyeccion php 2014-05-10 10:47:57 +00:00			`$homeConf = $_SERVER['CONTEXT_DOCUMENT_ROOT'].'/../.config/hedera-web/config.php';`

			`if (file_exists ($homeConf))`
			`require_once ($homeConf);`
			`else`
			`require_once ('/etc/hedera-web/config.php');`

Initial commit 2014-05-09 12:19:53 +00:00			`require_once ('php/db/db.php');`
			`require_once ('php/web/auth.php');`

Solucionados fallos de seguridad en la configuracion y en inyeccion php 2014-05-10 10:47:57 +00:00			`function checkToken ($token)`
			`{`
			`return preg_match ('/^[\w\-]+$/', $token);`
			`}`

Initial commit 2014-05-09 12:19:53 +00:00			`function ifNull ($map, $key)`
			`{`
			`return isset ($map[$key]) ? $map[$key] : NULL;`
			`}`

			`class Hedera`
			`{`
			`static $sysConn;`
			`static $conn;`
			`static $newAccess = FALSE;`

			`static function init ()`
			`{`
			`global $conf;`

			`session_start ();`

			`$sysConn = new DbConn ();`
			`$sysConn->open (`
			`'p:'. $conf['db']['host']`
			`,$conf['db']['user']`
			`,base64_decode ($conf['db']['pass'])`
			`,$conf['db']['name']`
			`);`


			`self::$sysConn = $sysConn;`
			`self::$conn = new DbConn ();`

			`// Setting the locale`

			`if (!isset ($_COOKIE['hedera_lang']) \|\| $_COOKIE['hedera_lang'] == '')`
			`{`
			`if ($sysConn->isOpen () && isset ($_SERVER['HTTP_ACCEPT_LANGUAGE']))`
			`{`
			`$query = 'SELECT COUNT(*) FROM language WHERE code = %s AND active != FALSE';`
			`$regexp = '/([a-z]{1,4})(?:-[a-z]{1,4})?\s(?:;\sq\s=\s(?:1\|0\.[0-9]+))?,?/i';`

			`preg_match_all ($regexp, $_SERVER['HTTP_ACCEPT_LANGUAGE'], $languages);`

			`foreach ($languages[1] as $lang)`
			`if ($sysConn->getValue ($query, $lang))`
			`{`
			`$_SESSION['lang'] = $lang;`
			`break;`
			`}`
			`}`

			`if (!isset ($_SESSION['lang']))`
			`$_SESSION['lang'] = $conf['defaultLang'];`

			`setcookie ('hedera_lang', $_SESSION['lang']);`
			`}`
			`else`
			`$_SESSION['lang'] = $_COOKIE['hedera_lang'];`

			`if (!$sysConn->isOpen ())`
			`return;`

			`// Setting the version`

			`$_SESSION['version'] = $sysConn->getValue ('SELECT version FROM version LIMIT 1');`

			`// Registering the visit`

			`if (!isset ($_COOKIE['PHPSESSID'])`
			`\|\| isset ($_SESSION['access'])`
			`\|\| isset ($_SESSION['skipVisit']))`
			`return;`

			`$agent = $_SERVER['HTTP_USER_AGENT'];`
			`$browser = get_browser ($agent, TRUE);`

			`if (isset ($browser['crawler']) && $browser['crawler'])`
			`{`
			`$_SESSION['skipVisit'] = TRUE;`
			`return;`
			`}`

			`if (isset ($_SERVER['REMOTE_ADDR']))`
			`$ip = ip2long ($_SERVER['REMOTE_ADDR']);`

			`$row = $sysConn->getRow (`
			`'CALL visit_register (%s, %s, %s, %s, %s, %s, %s, %s, %s)'`
			`,ifNull ($_COOKIE, 'hedera_visit')`
			`,ifNull ($browser, 'platform')`
			`,ifNull ($browser, 'browser')`
			`,ifNull ($browser, 'version')`
			`,ifNull ($browser, 'javascript')`
			`,ifNull ($browser, 'cookies')`
			`,isset ($agent) ? $agent : NULL`
			`,isset ($ip) ? $ip : NULL`
			`,ifNull ($_SERVER, 'HTTP_REFERER')`
			`);`

			`if (isset ($row['access']))`
			`{`
			`setcookie ('hedera_visit', $row['visit'], time () + 3656060*24);`
			`$_SESSION['access'] = $row['access'];`
			`self::$newAccess = TRUE;`
			`}`
			`else`
			`$_SESSION['skipVisit'] = TRUE;`
			`}`

			`static function deinit ()`
			`{`
			`self::$sysConn->query (`
			`'UPDATE user_session SET connection_id = NULL WHERE ssid = %s'`
			`,session_id ()`
			`);`
			`}`

			`static function login ()`
			`{`
			`$wasLoged = isset ($_SESSION['user']);`
			`$success = Auth::login (self::$conn);`

			`if ($success)`
			`{`
			`$row = self::$conn->getRow (`
			`'SELECT account.user_get_id () user, CONNECTION_ID() conn');`

			`if (!$wasLoged)`
			`unset ($_SESSION['visitUser']);`
			`}`
			`else`
			`$row = NULL;`

			`// Registering the user access`

			`if (isset ($_SESSION['access']))`
			`{`
			`$_SESSION['visitUser'] = self::$sysConn->getValue (`
			`'CALL visit_user (%s, %s, %s, %s, %s)'`
			`,$_SESSION['access']`
			`,ifNull ($_SESSION, 'visitUser')`
			`,ifNull ($row, 'user')`
			`,ifNull ($row, 'conn')`
			`,session_id ()`
			`);`

			`if (!isset ($_SESSION['visitUnknown']) && !$success)`
			`$_SESSION['visitUnknown'] = $_SESSION['visitUser'];`
			`}`

			`return $success;`
			`}`

			`static function logout ()`
			`{`
			`self::$sysConn->query (`
			`'DELETE FROM user_session WHERE ssid = %s'`
			`,session_id ()`
			`);`

			`$_SESSION['visitUser'] = ifNull ($_SESSION, 'visitUnknown');`
			`Auth::logout (self::$conn);`
			`}`
			`}`

			`?>`