
Revision 2015

Added by darkviper almost 11 years ago

  1. some fixes in upgrade-script and UpgradeHelper.
    ! update initialize.php for secure use of setup.ini.php


initialize.php
37 37
 * sanitize $_SERVER['HTTP_REFERER']
38 38
 * @param string $sWbUrl qualified startup URL of current application
39 39
 */
40
	function SanitizeHttpReferer($sWbUrl = WB_URL) {
40
	function initSanitizeHttpReferer($sWbUrl) {
41 41
		$sTmpReferer = '';
42 42
		if (isset($_SERVER['HTTP_REFERER']) && $_SERVER['HTTP_REFERER'] != '') {
43
			$sTmpReferer = $_SERVER['HTTP_REFERER'];
43 44
			$aRefUrl = parse_url($_SERVER['HTTP_REFERER']);
44 45
			if ($aRefUrl !== false) {
45 46
				$aRefUrl['host'] = isset($aRefUrl['host']) ? $aRefUrl['host'] : '';
46 47
				$aRefUrl['path'] = isset($aRefUrl['path']) ? $aRefUrl['path'] : '';
47 48
				$aRefUrl['fragment'] = isset($aRefUrl['fragment']) ? '#'.$aRefUrl['fragment'] : '';
48
				$aWbUrl = parse_url(WB_URL);
49
				$aWbUrl = parse_url($sWbUrl);
49 50
				if ($aWbUrl !== false) {
50 51
					$aWbUrl['host'] = isset($aWbUrl['host']) ? $aWbUrl['host'] : '';
51 52
					$aWbUrl['path'] = isset($aWbUrl['path']) ? $aWbUrl['path'] : '';
52 53
					if (strpos($aRefUrl['host'].$aRefUrl['path'],
53 54
							   $aWbUrl['host'].$aWbUrl['path']) !== false) {
54 55
						$aRefUrl['path'] = preg_replace('#^'.$aWbUrl['path'].'#i', '', $aRefUrl['path']);
55
						$sTmpReferer = WB_URL.$aRefUrl['path'].$aRefUrl['fragment'];
56
						$sTmpReferer = $sWbUrl.$aRefUrl['path'].$aRefUrl['fragment'];
56 57
					}
57 58
					unset($aWbUrl);
58 59
				}
......
65 66
 * Set constants for system/install values
66 67
 * @throws RuntimeException
67 68
 */
68
	function SetInstallPathConstants() {
69
	function initSetInstallPathConstants() {
69 70
		if(!defined('DEBUG')){ define('DEBUG', false); } // normaly set in config file
70 71
		if(!defined('ADMIN_DIRECTORY')){ define('ADMIN_DIRECTORY', 'admin'); }
71 72
		if(!preg_match('/xx[a-z0-9_][a-z0-9_\-\.]+/i', 'xx'.ADMIN_DIRECTORY)) {
72 73
			throw new RuntimeException('Invalid admin-directory: ' . ADMIN_DIRECTORY);
73 74
		}
74 75
		if(!defined('WB_PATH')){ define('WB_PATH', dirname(dirname(__FILE__))); }
75
		if(!defined('ADMIN_URL')){ define('ADMIN_URL', WB_URL.'/'.ADMIN_DIRECTORY); }
76
		if(!defined('ADMIN_URL')){ define('ADMIN_URL', rtrim(WB_URL, '/\\').'/'.ADMIN_DIRECTORY); }
76 77
		if(!defined('ADMIN_PATH')){ define('ADMIN_PATH', WB_PATH.'/'.ADMIN_DIRECTORY); }
77 78
		if(!defined('WB_REL')){
78 79
			$x1 = parse_url(WB_URL);
......
80 81
		}
81 82
		if(!defined('ADMIN_REL')){ define('ADMIN_REL', WB_REL.'/'.ADMIN_DIRECTORY); }
82 83
		if(!defined('DOCUMENT_ROOT')) {
83
            define('DOCUMENT_ROOT', preg_replace('/'.preg_quote(str_replace('\\', '/', WB_REL), '/').'$/', '', str_replace('\\', '/', WB_PATH)));			
84
            // creating $_SERVER['DOCUMENT_ROOT'] for Windows IIS Server
85
            $_SERVER['DOCUMENT_ROOT'] = DOCUMENT_ROOT;
84
			define('DOCUMENT_ROOT', preg_replace('/'.preg_quote(str_replace('\\', '/', WB_REL), '/').'$/', '', str_replace('\\', '/', WB_PATH)));
85
			$_SERVER['DOCUMENT_ROOT'] = DOCUMENT_ROOT;
86 86
		}
87 87
		if(!defined('TMP_PATH')){ define('TMP_PATH', WB_PATH.'/temp'); }
88 88
	}
89 89
/**
90
 * Read DB settings from configuration file
91
 * @return string
90
 * checkValidCaller
91
 * @param array $aCaller list of allowed scripts
92
 * @return true || Exception
92 93
 * @throws RuntimeException
93
 * 
94
 * @description test if acctual file is called from one of the given list
94 95
 */
95
	function readConfiguration($sRetvalType = 'url') {
96
		// check for valid file request. Becomes more stronger in next version
96
	function initCheckValidCaller(array $aCaller)
97
	{
97 98
		$x = debug_backtrace();
98
		$bValidRequest = false;
99
		if(sizeof($x) != 0) {
100
			foreach($x as $aStep) {
101
				// define the scripts which can read the configuration
102
				if(preg_match('/(save.php|index.php|config.php|upgrade-script.php)$/si', $aStep['file'])) {
103
					$bValidRequest = true;
104
					break;
105
				}
99
		if(sizeof($x) == 0) {
100
			return true;
101
		}
102
		$sPattern = '/('.str_replace('#', '|', preg_quote(implode('#', $aCaller), '/')).')$/si';
103
		foreach($x as $aStep) {
104
			// define the scripts which can read the configuration
105
			if(preg_match($sPattern, $aStep['file'])) {
106
				return true;
106 107
			}
107
		} else {
108
			$bValidRequest = true;
109 108
		}
110
		if(!$bValidRequest) {
111
			throw new RuntimeException('illegal function request!'); 
112
		}
113
		$aRetval = array();
109
		throw new RuntimeException('illegal file request!');
110
	}
111
/**
112
 * Read DB settings from configuration file
113
 * @return array
114
 * @throws RuntimeException
115
 * 
116
 */
117
	function initReadSetupFile()
118
	{
119
	// check for valid file request. Becomes more stronger in next version
120
		initCheckValidCaller(array('save.php','index.php','config.php','upgrade-script.php'));
121
		$aCfg = array();
122

  
114 123
		$sSetupFile = dirname(dirname(__FILE__)).'/setup.ini.php';
115 124
		if(is_readable($sSetupFile)) {
116 125
			$aCfg = parse_ini_file($sSetupFile, true);
......
120 129
						$value = filter_var($value, FILTER_VALIDATE_BOOLEAN);
121 130
						if(!defined('DEBUG')) { define('DEBUG', $value); }
122 131
						break;
123
					case 'WB_URL':
132
					case 'WB_URL': // << case is set deprecated
124 133
					case 'AppUrl':
125 134
						$value = trim(str_replace('\\', '/', $value), '/'); 
126 135
						if(!defined('WB_URL')) { define('WB_URL', $value); }
127 136
						break;
128
					case 'ADMIN_DIRECTORY':
137
					case 'ADMIN_DIRECTORY': // << case is set deprecated
129 138
					case 'AcpDir':
130 139
						$value = trim(str_replace('\\', '/', $value), '/'); 
131 140
						if(!defined('ADMIN_DIRECTORY')) { define('ADMIN_DIRECTORY', $value); }
......
135 144
						break;
136 145
				endswitch;
137 146
			}
138
			$db = $aCfg['DataBase'];
139
			$db['type'] = isset($db['type']) ? $db['type'] : 'mysql';
140
			$db['user'] = isset($db['user']) ? $db['user'] : 'foo';
141
			$db['pass'] = isset($db['pass']) ? $db['pass'] : 'bar';
142
			$db['host'] = isset($db['host']) ? $db['host'] : 'localhost';
143
			$db['port'] = isset($db['port']) ? $db['port'] : '3306';
144
			$db['port'] = ($db['port'] != '3306') ? $db['port'] : '';
145
			$db['name'] = isset($db['name']) ? $db['name'] : 'dummy';
146
			$db['charset'] = isset($db['charset']) ? trim($db['charset']) : '';
147
			$db['table_prefix'] = (isset($db['table_prefix']) ? $db['table_prefix'] : '');
148
			if(!defined('TABLE_PREFIX')) { define('TABLE_PREFIX', $db['table_prefix']); }
149
			if($sRetvalType == 'dsn') {
150
				$aRetval[0] = $db['type'].':dbname='.$db['name'].';host='.$db['host'].';'
151
				            . ($db['port'] != '' ? 'port='.(int)$db['port'].';' : '');
152
				$aRetval[1] = array('CHARSET' => $db['charset'], 'TABLE_PREFIX' => $db['table_prefix']);
153
				$aRetval[2] = array( 'user' => $db['user'], 'pass' => $db['pass']);
154
			}else { // $sRetvalType == 'url'
155
				$aRetval[0] = $db['type'].'://'.$db['user'].':'.$db['pass'].'@'
156
				            . $db['host'].($db['port'] != '' ? ':'.$db['port'] : '').'/'.$db['name']
157
				            . '?Charset='.$db['charset'].'&TablePrefix='.$db['table_prefix'];
158
			}
159
			unset($db, $aCfg);
160
			return $aRetval;
161 147
		}
162
		throw new RuntimeException('unable to read setup.ini.php');
148
		return $aCfg;
149
//		throw new RuntimeException('unable to read setup.ini.php');
163 150
	}
151
 /**
152
 * GetDbConnectData
153
 * @param array $aCfg
154
 * @param string $sDbConnectType  can be 'url' or 'dsn'
155
 * @return array
156
 *
157
 */
158
	function initGetDbConnectData(array $aCfg, $sDbConnectType = 'url')
159
	{
160
		if(defined('DB_TYPE'))
161
		{
162
		// import constants for compatibility reasons
163
			$db = array();
164
			if(defined('DB_TYPE'))      { $db['type']         = DB_TYPE; }
165
			if(defined('DB_USERNAME'))  { $db['user']         = DB_USERNAME; }
166
			if(defined('DB_PASSWORD'))  { $db['pass']         = DB_PASSWORD; }
167
			if(defined('DB_HOST'))      { $db['host']         = DB_HOST; }
168
			if(defined('DB_PORT'))      { $db['port']         = DB_PORT; }
169
			if(defined('DB_NAME'))      { $db['name']         = DB_NAME; }
170
			if(defined('DB_CHARSET'))   { $db['charset']      = DB_CHARSET; }
171
			if(defined('TABLE_PREFIX')) { $db['table_prefix'] = TABLE_PREFIX; }
172
			$aCfg['DataBase'] = $db;
173
		}
174
		// sanitize values
175
		$db = $aCfg['DataBase'];
176
		$db['type'] = isset($db['type']) ? $db['type'] : 'mysql';
177
		$db['user'] = isset($db['user']) ? $db['user'] : 'foo';
178
		$db['pass'] = isset($db['pass']) ? $db['pass'] : 'bar';
179
		$db['host'] = isset($db['host']) ? $db['host'] : 'localhost';
180
		$db['port'] = isset($db['port']) ? $db['port'] : '3306';
181
		$db['port'] = ($db['port'] != '3306') ? $db['port'] : '';
182
		$db['name'] = isset($db['name']) ? $db['name'] : 'dummy';
183
		$db['charset'] = isset($db['charset']) ? trim($db['charset']) : 'utf8';
184
		$db['table_prefix'] = (isset($db['table_prefix']) ? $db['table_prefix'] : '');
185
		if(!defined('TABLE_PREFIX')) { define('TABLE_PREFIX', $db['table_prefix']); }
186
		if($sDbConnectType == 'dsn') {
187
		// build dsn to connect
188
			$aRetval[0] = $db['type'].':dbname='.$db['name'].';host='.$db['host'].';'
189
						. ($db['port'] != '' ? 'port='.(int)$db['port'].';' : '');
190
			$aRetval[1] = array('CHARSET' => $db['charset'], 'TABLE_PREFIX' => $db['table_prefix']);
191
			$aRetval[2] = array( 'user' => $db['user'], 'pass' => $db['pass']);
192
		}else { 
193
		// build url to connect
194
			$aRetval[0] = $db['type'].'://'.$db['user'].':'.$db['pass'].'@'
195
						. $db['host'].($db['port'] != '' ? ':'.$db['port'] : '').'/'.$db['name']
196
						. '?Charset='.$db['charset'].'&TablePrefix='.$db['table_prefix'];
197
		}
198
		return $aRetval;
199
	}
200

  
164 201
/* ***************************************************************************************
165 202
 * Start initialization                                                                  *
166 203
 ****************************************************************************************/
167 204
// initialize debug evaluation values ---	
168
	$sDbConnectType = 'url'; // depending from class WbDatabase it can be 'url' or 'dsn'
169 205
	$starttime = array_sum(explode(" ",microtime()));
170 206
	$iPhpDeclaredClasses = sizeof(get_declared_classes());
207
	$sDbConnectType = 'url'; // depending from class WbDatabase it can be 'url' or 'dsn'
171 208
// disable all kind of magic_quotes in PHP versions before 5.4 ---
172 209
	if(version_compare(PHP_VERSION, '5.4.0', '<')) {
173
		if(get_magic_quotes_gpc() || get_magic_quotes_runtime()) {
174
			@ini_set('magic_quotes_sybase', 0);
175
			@ini_set('magic_quotes_gpc', 0);
176
			@ini_set('magic_quotes_runtime', 0);
177
		}
210
		@set_magic_quotes_runtime(0);
178 211
	}
179
// load db configuration ---
180
	if(defined('DB_TYPE')) {
181
		$sTmp = ($sTmp=((defined('DB_PORT') && DB_PORT !='') ? DB_PORT : '')) ? ':'.$sTmp : '';
182
		$sTmp = DB_TYPE.'://'.DB_USERNAME.':'.DB_PASSWORD.'@'.DB_HOST.$sTmp.'/'.DB_NAME.'?Charset=';
183
		$sTmp .= (defined('DB_CHARSET') ? DB_CHARSET : '').'&TablePrefix='.TABLE_PREFIX;
184
		$aSqlData = array( 0 => $sTmp);
185
	}else {
186
		$aSqlData = readConfiguration($sDbConnectType);
187
	}
188
	SetInstallPathConstants();
212
// load configuration ---
213
	$aCfg = initReadSetupFile();
189 214
// sanitize $_SERVER['HTTP_REFERER'] ---
190
	SanitizeHttpReferer(WB_URL); 
215
	initSetInstallPathConstants();
216
	initSanitizeHttpReferer(WB_URL);
191 217
// register WB basic autoloader ---
192 218
	$sTmp = dirname(__FILE__).'/WbAutoloader.php';
193 219
	if(!class_exists('WbAutoloader')){ 
194 220
		include($sTmp);
195 221
	}
196 222
	WbAutoloader::doRegister(array(ADMIN_DIRECTORY=>'a', 'modules'=>'m'));
223
// instantiate and initialize adaptor for temporary registry replacement ---
224
	WbAdaptor::getInstance()->getWbConstants();
197 225
// register TWIG autoloader ---
198 226
	$sTmp = dirname(dirname(__FILE__)).'/include/Sensio/Twig/lib/Twig/Autoloader.php';
199 227
	if(!class_exists('Twig_Autoloader')) { 
......
205 233
		include(dirname(__FILE__).'/globalExceptionHandler.php');
206 234
	}
207 235
// ---------------------------
236
// get Database connection data from configuration
237
	$aSqlData = initGetDbConnectData($aCfg, $sDbConnectType);
208 238
// Create global database instance ---
209
	$database = WbDatabase::getInstance();
239
	$oDb = $database = WbDatabase::getInstance();
210 240
	if($sDbConnectType == 'dsn') {
211
		$bTmp = $database->doConnect($aSqlData[0], $aSqlData[1]['user'], $aSqlData[1]['pass'], $aSqlData[2]);
241
		$bTmp = $oDb->doConnect($aSqlData[0], $aSqlData[1]['user'], $aSqlData[1]['pass'], $aSqlData[2]);
212 242
	}else {
213
		$bTmp = $database->doConnect($aSqlData[0]);
243
		$bTmp = $oDb->doConnect($aSqlData[0]);
214 244
	}
215
	unset($aSqlData);
245
// remove critical data from memory
246
	unset($aSqlData, $aCfg);
247

  
248
	if(!defined('TABLE_PREFIX')) { define('TABLE_PREFIX', $oDb->TablePrefix); }
249

  
216 250
// load global settings from database and define global consts from ---
217 251
	$sql = 'SELECT `name`, `value` FROM `'.TABLE_PREFIX.'settings`';
218 252
	if(($oSettings = $database->query($sql))) {
......
333 367
	}
334 368
/** end of deprecated part **/
335 369
// instantiate and initialize adaptor for temporary registry replacement ---
336
	if(class_exists('WbAdaptor')) {
337
		WbAdaptor::getInstance()->getWbConstants();
338
	}
370
	WbAdaptor::getInstance()->getWbConstants();
339 371
// load and activate new global translation table
340 372
	Translate::getInstance()->initialize('en',
341 373
										 (defined('DEFAULT_LANGUAGE') ? DEFAULT_LANGUAGE : ''), 
342 374
										 (defined('LANGUAGE') ? LANGUAGE : ''),
343 375
										 'WbOldStyle',
344
										 (DEBUG ? Translate::CACHE_DISABLED|Translate::KEEP_MISSING : 0)
376
										 (Translate::CACHE_DISABLED|Translate::KEEP_MISSING)
377
//										 (DEBUG ? Translate::CACHE_DISABLED|Translate::KEEP_MISSING : 0)
345 378
										);
346 379
	if(!class_exists('PasswordHash', false)) { include(WB_PATH.'/include/phpass/PasswordHash.php'); }
347 380
	$oPass = Password::getInstance(new PasswordHash(Password::CRYPT_LOOPS_DEFAULT, Password::HASH_TYPE_AUTO));
348 381
	if(defined('PASSWORD_CRYPT_LOOPS')) { $oPass->setIteration(PASSWORD_CRYPT_LOOPS); }
349 382
	if(defined('PASSWORD_HASH_TYPES'))  { $oPass->setHashType(PASSWORD_HASH_TYPES); }
350 383
// *** END OF FILE ***********************************************************************
351
 
384
 
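Review bot: The caller whitelist built in initCheckValidCaller (new lines 102-105) is a weak guard for setup.ini.php: the pattern is only an unanchored suffix match, so any script whose name ends in `index.php` or `config.php` anywhere in the call chain satisfies it, and a backtrace frame without a `file` entry (internal callbacks) triggers a notice on `$aStep['file']`. On PHP 7.3 and later `preg_quote()` also escapes `#`, so the `str_replace('#', '|', ...)` trick produces `\|` (a literal pipe) instead of alternation and every call would throw 'illegal file request!'; build the alternation per entry instead: `$sPattern = '/(' . implode('|', array_map(function ($s) { return preg_quote($s, '/'); }, $aCaller)) . ')$/si';` and guard each frame with `if (isset($aStep['file']) && preg_match($sPattern, $aStep['file']))`. Related, initReadSetupFile (new line 149) comments out the RuntimeException for an unreadable setup.ini.php and returns an empty array, so initGetDbConnectData silently falls back to the `foo`/`bar`/`dummy` defaults and a missing config only surfaces as a failed database connect; restore the throw or document the fallback. The docblock should also state that a debug_backtrace-based caller check is a development-time sanity check, not an authorization boundary.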
