| 37 |
37 |
* sanitize $_SERVER['HTTP_REFERER']
|
| 38 |
38 |
* @param string $sWbUrl qualified startup URL of current application
|
| 39 |
39 |
*/
|
| 40 |
|
function SanitizeHttpReferer($sWbUrl = WB_URL) {
|
|
40 |
function initSanitizeHttpReferer($sWbUrl) {
|
| 41 |
41 |
$sTmpReferer = '';
|
| 42 |
42 |
if (isset($_SERVER['HTTP_REFERER']) && $_SERVER['HTTP_REFERER'] != '') {
|
|
43 |
$sTmpReferer = $_SERVER['HTTP_REFERER'];
|
| 43 |
44 |
$aRefUrl = parse_url($_SERVER['HTTP_REFERER']);
|
| 44 |
45 |
if ($aRefUrl !== false) {
|
| 45 |
46 |
$aRefUrl['host'] = isset($aRefUrl['host']) ? $aRefUrl['host'] : '';
|
| 46 |
47 |
$aRefUrl['path'] = isset($aRefUrl['path']) ? $aRefUrl['path'] : '';
|
| 47 |
48 |
$aRefUrl['fragment'] = isset($aRefUrl['fragment']) ? '#'.$aRefUrl['fragment'] : '';
|
| 48 |
|
$aWbUrl = parse_url(WB_URL);
|
|
49 |
$aWbUrl = parse_url($sWbUrl);
|
| 49 |
50 |
if ($aWbUrl !== false) {
|
| 50 |
51 |
$aWbUrl['host'] = isset($aWbUrl['host']) ? $aWbUrl['host'] : '';
|
| 51 |
52 |
$aWbUrl['path'] = isset($aWbUrl['path']) ? $aWbUrl['path'] : '';
|
| 52 |
53 |
if (strpos($aRefUrl['host'].$aRefUrl['path'],
|
| 53 |
54 |
$aWbUrl['host'].$aWbUrl['path']) !== false) {
|
| 54 |
55 |
$aRefUrl['path'] = preg_replace('#^'.$aWbUrl['path'].'#i', '', $aRefUrl['path']);
|
| 55 |
|
$sTmpReferer = WB_URL.$aRefUrl['path'].$aRefUrl['fragment'];
|
|
56 |
$sTmpReferer = $sWbUrl.$aRefUrl['path'].$aRefUrl['fragment'];
|
| 56 |
57 |
}
|
| 57 |
58 |
unset($aWbUrl);
|
| 58 |
59 |
}
|
| ... | ... | |
| 65 |
66 |
* Set constants for system/install values
|
| 66 |
67 |
* @throws RuntimeException
|
| 67 |
68 |
*/
|
| 68 |
|
function SetInstallPathConstants() {
|
|
69 |
function initSetInstallPathConstants() {
|
| 69 |
70 |
if(!defined('DEBUG')){ define('DEBUG', false); } // normaly set in config file
|
| 70 |
71 |
if(!defined('ADMIN_DIRECTORY')){ define('ADMIN_DIRECTORY', 'admin'); }
|
| 71 |
72 |
if(!preg_match('/xx[a-z0-9_][a-z0-9_\-\.]+/i', 'xx'.ADMIN_DIRECTORY)) {
|
| 72 |
73 |
throw new RuntimeException('Invalid admin-directory: ' . ADMIN_DIRECTORY);
|
| 73 |
74 |
}
|
| 74 |
75 |
if(!defined('WB_PATH')){ define('WB_PATH', dirname(dirname(__FILE__))); }
|
| 75 |
|
if(!defined('ADMIN_URL')){ define('ADMIN_URL', WB_URL.'/'.ADMIN_DIRECTORY); }
|
|
76 |
if(!defined('ADMIN_URL')){ define('ADMIN_URL', rtrim(WB_URL, '/\\').'/'.ADMIN_DIRECTORY); }
|
| 76 |
77 |
if(!defined('ADMIN_PATH')){ define('ADMIN_PATH', WB_PATH.'/'.ADMIN_DIRECTORY); }
|
| 77 |
78 |
if(!defined('WB_REL')){
|
| 78 |
79 |
$x1 = parse_url(WB_URL);
|
| ... | ... | |
| 80 |
81 |
}
|
| 81 |
82 |
if(!defined('ADMIN_REL')){ define('ADMIN_REL', WB_REL.'/'.ADMIN_DIRECTORY); }
|
| 82 |
83 |
if(!defined('DOCUMENT_ROOT')) {
|
| 83 |
|
define('DOCUMENT_ROOT', preg_replace('/'.preg_quote(str_replace('\\', '/', WB_REL), '/').'$/', '', str_replace('\\', '/', WB_PATH)));
|
| 84 |
|
// creating $_SERVER['DOCUMENT_ROOT'] for Windows IIS Server
|
| 85 |
|
$_SERVER['DOCUMENT_ROOT'] = DOCUMENT_ROOT;
|
|
84 |
define('DOCUMENT_ROOT', preg_replace('/'.preg_quote(str_replace('\\', '/', WB_REL), '/').'$/', '', str_replace('\\', '/', WB_PATH)));
|
|
85 |
$_SERVER['DOCUMENT_ROOT'] = DOCUMENT_ROOT;
|
| 86 |
86 |
}
|
| 87 |
87 |
if(!defined('TMP_PATH')){ define('TMP_PATH', WB_PATH.'/temp'); }
|
| 88 |
88 |
}
|
| 89 |
89 |
/**
|
| 90 |
|
* Read DB settings from configuration file
|
| 91 |
|
* @return string
|
|
90 |
* checkValidCaller
|
|
91 |
* @param array $aCaller list of allowed scripts
|
|
92 |
* @return true || Exception
|
| 92 |
93 |
* @throws RuntimeException
|
| 93 |
|
*
|
|
94 |
* @description test if acctual file is called from one of the given list
|
| 94 |
95 |
*/
|
| 95 |
|
function readConfiguration($sRetvalType = 'url') {
|
| 96 |
|
// check for valid file request. Becomes more stronger in next version
|
|
96 |
function initCheckValidCaller(array $aCaller)
|
|
97 |
{
|
| 97 |
98 |
$x = debug_backtrace();
|
| 98 |
|
$bValidRequest = false;
|
| 99 |
|
if(sizeof($x) != 0) {
|
| 100 |
|
foreach($x as $aStep) {
|
| 101 |
|
// define the scripts which can read the configuration
|
| 102 |
|
if(preg_match('/(save.php|index.php|config.php|upgrade-script.php)$/si', $aStep['file'])) {
|
| 103 |
|
$bValidRequest = true;
|
| 104 |
|
break;
|
| 105 |
|
}
|
|
99 |
if(sizeof($x) == 0) {
|
|
100 |
return true;
|
|
101 |
}
|
|
102 |
$sPattern = '/('.str_replace('#', '|', preg_quote(implode('#', $aCaller), '/')).')$/si';
|
|
103 |
foreach($x as $aStep) {
|
|
104 |
// define the scripts which can read the configuration
|
|
105 |
if(preg_match($sPattern, $aStep['file'])) {
|
|
106 |
return true;
|
| 106 |
107 |
}
|
| 107 |
|
} else {
|
| 108 |
|
$bValidRequest = true;
|
| 109 |
108 |
}
|
| 110 |
|
if(!$bValidRequest) {
|
| 111 |
|
throw new RuntimeException('illegal function request!');
|
| 112 |
|
}
|
| 113 |
|
$aRetval = array();
|
|
109 |
throw new RuntimeException('illegal file request!');
|
|
110 |
}
|
|
111 |
/**
|
|
112 |
* Read DB settings from configuration file
|
|
113 |
* @return array
|
|
114 |
* @throws RuntimeException
|
|
115 |
*
|
|
116 |
*/
|
|
117 |
function initReadSetupFile()
|
|
118 |
{
|
|
119 |
// check for valid file request. Becomes more stronger in next version
|
|
120 |
initCheckValidCaller(array('save.php','index.php','config.php','upgrade-script.php'));
|
|
121 |
$aCfg = array();
|
|
122 |
|
| 114 |
123 |
$sSetupFile = dirname(dirname(__FILE__)).'/setup.ini.php';
|
| 115 |
124 |
if(is_readable($sSetupFile)) {
|
| 116 |
125 |
$aCfg = parse_ini_file($sSetupFile, true);
|
| ... | ... | |
| 120 |
129 |
$value = filter_var($value, FILTER_VALIDATE_BOOLEAN);
|
| 121 |
130 |
if(!defined('DEBUG')) { define('DEBUG', $value); }
|
| 122 |
131 |
break;
|
| 123 |
|
case 'WB_URL':
|
|
132 |
case 'WB_URL': // << case is set deprecated
|
| 124 |
133 |
case 'AppUrl':
|
| 125 |
134 |
$value = trim(str_replace('\\', '/', $value), '/');
|
| 126 |
135 |
if(!defined('WB_URL')) { define('WB_URL', $value); }
|
| 127 |
136 |
break;
|
| 128 |
|
case 'ADMIN_DIRECTORY':
|
|
137 |
case 'ADMIN_DIRECTORY': // << case is set deprecated
|
| 129 |
138 |
case 'AcpDir':
|
| 130 |
139 |
$value = trim(str_replace('\\', '/', $value), '/');
|
| 131 |
140 |
if(!defined('ADMIN_DIRECTORY')) { define('ADMIN_DIRECTORY', $value); }
|
| ... | ... | |
| 135 |
144 |
break;
|
| 136 |
145 |
endswitch;
|
| 137 |
146 |
}
|
| 138 |
|
$db = $aCfg['DataBase'];
|
| 139 |
|
$db['type'] = isset($db['type']) ? $db['type'] : 'mysql';
|
| 140 |
|
$db['user'] = isset($db['user']) ? $db['user'] : 'foo';
|
| 141 |
|
$db['pass'] = isset($db['pass']) ? $db['pass'] : 'bar';
|
| 142 |
|
$db['host'] = isset($db['host']) ? $db['host'] : 'localhost';
|
| 143 |
|
$db['port'] = isset($db['port']) ? $db['port'] : '3306';
|
| 144 |
|
$db['port'] = ($db['port'] != '3306') ? $db['port'] : '';
|
| 145 |
|
$db['name'] = isset($db['name']) ? $db['name'] : 'dummy';
|
| 146 |
|
$db['charset'] = isset($db['charset']) ? trim($db['charset']) : '';
|
| 147 |
|
$db['table_prefix'] = (isset($db['table_prefix']) ? $db['table_prefix'] : '');
|
| 148 |
|
if(!defined('TABLE_PREFIX')) { define('TABLE_PREFIX', $db['table_prefix']); }
|
| 149 |
|
if($sRetvalType == 'dsn') {
|
| 150 |
|
$aRetval[0] = $db['type'].':dbname='.$db['name'].';host='.$db['host'].';'
|
| 151 |
|
. ($db['port'] != '' ? 'port='.(int)$db['port'].';' : '');
|
| 152 |
|
$aRetval[1] = array('CHARSET' => $db['charset'], 'TABLE_PREFIX' => $db['table_prefix']);
|
| 153 |
|
$aRetval[2] = array( 'user' => $db['user'], 'pass' => $db['pass']);
|
| 154 |
|
}else { // $sRetvalType == 'url'
|
| 155 |
|
$aRetval[0] = $db['type'].'://'.$db['user'].':'.$db['pass'].'@'
|
| 156 |
|
. $db['host'].($db['port'] != '' ? ':'.$db['port'] : '').'/'.$db['name']
|
| 157 |
|
. '?Charset='.$db['charset'].'&TablePrefix='.$db['table_prefix'];
|
| 158 |
|
}
|
| 159 |
|
unset($db, $aCfg);
|
| 160 |
|
return $aRetval;
|
| 161 |
147 |
}
|
| 162 |
|
throw new RuntimeException('unable to read setup.ini.php');
|
|
148 |
return $aCfg;
|
|
149 |
// throw new RuntimeException('unable to read setup.ini.php');
|
| 163 |
150 |
}
|
|
151 |
/**
|
|
152 |
* GetDbConnectData
|
|
153 |
* @param array $aCfg
|
|
154 |
* @param string $sDbConnectType can be 'url' or 'dsn'
|
|
155 |
* @return array
|
|
156 |
*
|
|
157 |
*/
|
|
158 |
function initGetDbConnectData(array $aCfg, $sDbConnectType = 'url')
|
|
159 |
{
|
|
160 |
if(defined('DB_TYPE'))
|
|
161 |
{
|
|
162 |
// import constants for compatibility reasons
|
|
163 |
$db = array();
|
|
164 |
if(defined('DB_TYPE')) { $db['type'] = DB_TYPE; }
|
|
165 |
if(defined('DB_USERNAME')) { $db['user'] = DB_USERNAME; }
|
|
166 |
if(defined('DB_PASSWORD')) { $db['pass'] = DB_PASSWORD; }
|
|
167 |
if(defined('DB_HOST')) { $db['host'] = DB_HOST; }
|
|
168 |
if(defined('DB_PORT')) { $db['port'] = DB_PORT; }
|
|
169 |
if(defined('DB_NAME')) { $db['name'] = DB_NAME; }
|
|
170 |
if(defined('DB_CHARSET')) { $db['charset'] = DB_CHARSET; }
|
|
171 |
if(defined('TABLE_PREFIX')) { $db['table_prefix'] = TABLE_PREFIX; }
|
|
172 |
$aCfg['DataBase'] = $db;
|
|
173 |
}
|
|
174 |
// sanitize values
|
|
175 |
$db = $aCfg['DataBase'];
|
|
176 |
$db['type'] = isset($db['type']) ? $db['type'] : 'mysql';
|
|
177 |
$db['user'] = isset($db['user']) ? $db['user'] : 'foo';
|
|
178 |
$db['pass'] = isset($db['pass']) ? $db['pass'] : 'bar';
|
|
179 |
$db['host'] = isset($db['host']) ? $db['host'] : 'localhost';
|
|
180 |
$db['port'] = isset($db['port']) ? $db['port'] : '3306';
|
|
181 |
$db['port'] = ($db['port'] != '3306') ? $db['port'] : '';
|
|
182 |
$db['name'] = isset($db['name']) ? $db['name'] : 'dummy';
|
|
183 |
$db['charset'] = isset($db['charset']) ? trim($db['charset']) : 'utf8';
|
|
184 |
$db['table_prefix'] = (isset($db['table_prefix']) ? $db['table_prefix'] : '');
|
|
185 |
if(!defined('TABLE_PREFIX')) { define('TABLE_PREFIX', $db['table_prefix']); }
|
|
186 |
if($sDbConnectType == 'dsn') {
|
|
187 |
// build dsn to connect
|
|
188 |
$aRetval[0] = $db['type'].':dbname='.$db['name'].';host='.$db['host'].';'
|
|
189 |
. ($db['port'] != '' ? 'port='.(int)$db['port'].';' : '');
|
|
190 |
$aRetval[1] = array('CHARSET' => $db['charset'], 'TABLE_PREFIX' => $db['table_prefix']);
|
|
191 |
$aRetval[2] = array( 'user' => $db['user'], 'pass' => $db['pass']);
|
|
192 |
}else {
|
|
193 |
// build url to connect
|
|
194 |
$aRetval[0] = $db['type'].'://'.$db['user'].':'.$db['pass'].'@'
|
|
195 |
. $db['host'].($db['port'] != '' ? ':'.$db['port'] : '').'/'.$db['name']
|
|
196 |
. '?Charset='.$db['charset'].'&TablePrefix='.$db['table_prefix'];
|
|
197 |
}
|
|
198 |
return $aRetval;
|
|
199 |
}
|
|
200 |
|
| 164 |
201 |
/* ***************************************************************************************
|
| 165 |
202 |
* Start initialization *
|
| 166 |
203 |
****************************************************************************************/
|
| 167 |
204 |
// initialize debug evaluation values ---
|
| 168 |
|
$sDbConnectType = 'url'; // depending from class WbDatabase it can be 'url' or 'dsn'
|
| 169 |
205 |
$starttime = array_sum(explode(" ",microtime()));
|
| 170 |
206 |
$iPhpDeclaredClasses = sizeof(get_declared_classes());
|
|
207 |
$sDbConnectType = 'url'; // depending from class WbDatabase it can be 'url' or 'dsn'
|
| 171 |
208 |
// disable all kind of magic_quotes in PHP versions before 5.4 ---
|
| 172 |
209 |
if(version_compare(PHP_VERSION, '5.4.0', '<')) {
|
| 173 |
|
if(get_magic_quotes_gpc() || get_magic_quotes_runtime()) {
|
| 174 |
|
@ini_set('magic_quotes_sybase', 0);
|
| 175 |
|
@ini_set('magic_quotes_gpc', 0);
|
| 176 |
|
@ini_set('magic_quotes_runtime', 0);
|
| 177 |
|
}
|
|
210 |
@set_magic_quotes_runtime(0);
|
| 178 |
211 |
}
|
| 179 |
|
// load db configuration ---
|
| 180 |
|
if(defined('DB_TYPE')) {
|
| 181 |
|
$sTmp = ($sTmp=((defined('DB_PORT') && DB_PORT !='') ? DB_PORT : '')) ? ':'.$sTmp : '';
|
| 182 |
|
$sTmp = DB_TYPE.'://'.DB_USERNAME.':'.DB_PASSWORD.'@'.DB_HOST.$sTmp.'/'.DB_NAME.'?Charset=';
|
| 183 |
|
$sTmp .= (defined('DB_CHARSET') ? DB_CHARSET : '').'&TablePrefix='.TABLE_PREFIX;
|
| 184 |
|
$aSqlData = array( 0 => $sTmp);
|
| 185 |
|
}else {
|
| 186 |
|
$aSqlData = readConfiguration($sDbConnectType);
|
| 187 |
|
}
|
| 188 |
|
SetInstallPathConstants();
|
|
212 |
// load configuration ---
|
|
213 |
$aCfg = initReadSetupFile();
|
| 189 |
214 |
// sanitize $_SERVER['HTTP_REFERER'] ---
|
| 190 |
|
SanitizeHttpReferer(WB_URL);
|
|
215 |
initSetInstallPathConstants();
|
|
216 |
initSanitizeHttpReferer(WB_URL);
|
| 191 |
217 |
// register WB basic autoloader ---
|
| 192 |
218 |
$sTmp = dirname(__FILE__).'/WbAutoloader.php';
|
| 193 |
219 |
if(!class_exists('WbAutoloader')){
|
| 194 |
220 |
include($sTmp);
|
| 195 |
221 |
}
|
| 196 |
222 |
WbAutoloader::doRegister(array(ADMIN_DIRECTORY=>'a', 'modules'=>'m'));
|
|
223 |
// instantiate and initialize adaptor for temporary registry replacement ---
|
|
224 |
WbAdaptor::getInstance()->getWbConstants();
|
| 197 |
225 |
// register TWIG autoloader ---
|
| 198 |
226 |
$sTmp = dirname(dirname(__FILE__)).'/include/Sensio/Twig/lib/Twig/Autoloader.php';
|
| 199 |
227 |
if(!class_exists('Twig_Autoloader')) {
|
| ... | ... | |
| 205 |
233 |
include(dirname(__FILE__).'/globalExceptionHandler.php');
|
| 206 |
234 |
}
|
| 207 |
235 |
// ---------------------------
|
|
236 |
// get Database connection data from configuration
|
|
237 |
$aSqlData = initGetDbConnectData($aCfg, $sDbConnectType);
|
| 208 |
238 |
// Create global database instance ---
|
| 209 |
|
$database = WbDatabase::getInstance();
|
|
239 |
$oDb = $database = WbDatabase::getInstance();
|
| 210 |
240 |
if($sDbConnectType == 'dsn') {
|
| 211 |
|
$bTmp = $database->doConnect($aSqlData[0], $aSqlData[1]['user'], $aSqlData[1]['pass'], $aSqlData[2]);
|
|
241 |
$bTmp = $oDb->doConnect($aSqlData[0], $aSqlData[1]['user'], $aSqlData[1]['pass'], $aSqlData[2]);
|
| 212 |
242 |
}else {
|
| 213 |
|
$bTmp = $database->doConnect($aSqlData[0]);
|
|
243 |
$bTmp = $oDb->doConnect($aSqlData[0]);
|
| 214 |
244 |
}
|
| 215 |
|
unset($aSqlData);
|
|
245 |
// remove critical data from memory
|
|
246 |
unset($aSqlData, $aCfg);
|
|
247 |
|
|
248 |
if(!defined('TABLE_PREFIX')) { define('TABLE_PREFIX', $oDb->TablePrefix); }
|
|
249 |
|
| 216 |
250 |
// load global settings from database and define global consts from ---
|
| 217 |
251 |
$sql = 'SELECT `name`, `value` FROM `'.TABLE_PREFIX.'settings`';
|
| 218 |
252 |
if(($oSettings = $database->query($sql))) {
|
| ... | ... | |
| 333 |
367 |
}
|
| 334 |
368 |
/** end of deprecated part **/
|
| 335 |
369 |
// instantiate and initialize adaptor for temporary registry replacement ---
|
| 336 |
|
if(class_exists('WbAdaptor')) {
|
| 337 |
|
WbAdaptor::getInstance()->getWbConstants();
|
| 338 |
|
}
|
|
370 |
WbAdaptor::getInstance()->getWbConstants();
|
| 339 |
371 |
// load and activate new global translation table
|
| 340 |
372 |
Translate::getInstance()->initialize('en',
|
| 341 |
373 |
(defined('DEFAULT_LANGUAGE') ? DEFAULT_LANGUAGE : ''),
|
| 342 |
374 |
(defined('LANGUAGE') ? LANGUAGE : ''),
|
| 343 |
375 |
'WbOldStyle',
|
| 344 |
|
(DEBUG ? Translate::CACHE_DISABLED|Translate::KEEP_MISSING : 0)
|
|
376 |
(Translate::CACHE_DISABLED|Translate::KEEP_MISSING)
|
|
377 |
// (DEBUG ? Translate::CACHE_DISABLED|Translate::KEEP_MISSING : 0)
|
| 345 |
378 |
);
|
| 346 |
379 |
if(!class_exists('PasswordHash', false)) { include(WB_PATH.'/include/phpass/PasswordHash.php'); }
|
| 347 |
380 |
$oPass = Password::getInstance(new PasswordHash(Password::CRYPT_LOOPS_DEFAULT, Password::HASH_TYPE_AUTO));
|
| 348 |
381 |
if(defined('PASSWORD_CRYPT_LOOPS')) { $oPass->setIteration(PASSWORD_CRYPT_LOOPS); }
|
| 349 |
382 |
if(defined('PASSWORD_HASH_TYPES')) { $oPass->setHashType(PASSWORD_HASH_TYPES); }
|
| 350 |
383 |
// *** END OF FILE ***********************************************************************
|
| 351 |
|
|
|
384 |
|
! update initialize.php for secure use of setup.ini.php