aboutsummaryrefslogtreecommitdiffstats
path: root/phpBB/includes/session.php
diff options
context:
space:
mode:
Diffstat (limited to 'phpBB/includes/session.php')
-rw-r--r--phpBB/includes/session.php89
1 files changed, 70 insertions, 19 deletions
diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php
index 893ec2c0cc..e36f44ddfa 100644
--- a/phpBB/includes/session.php
+++ b/phpBB/includes/session.php
@@ -222,7 +222,7 @@ class session
// if the forwarded for header shall be checked we have to validate its contents
if ($config['forwarded_for_check'])
{
- $this->forwarded_for = preg_replace('#[ ]{2,}#', ' ', str_replace(array(',', ' '), ' ', $this->forwarded_for));
+ $this->forwarded_for = preg_replace('# {2,}#', ' ', str_replace(',', ' ', $this->forwarded_for));
// split the list of IPs
$ips = explode(' ', $this->forwarded_for);
@@ -268,11 +268,11 @@ class session
// Why no forwarded_for et al? Well, too easily spoofed. With the results of my recent requests
// it's pretty clear that in the majority of cases you'll at least be left with a proxy/cache ip.
- $this->ip = (!empty($_SERVER['REMOTE_ADDR'])) ? htmlspecialchars((string) $_SERVER['REMOTE_ADDR']) : '';
- $this->ip = preg_replace('#[ ]{2,}#', ' ', str_replace(array(',', ' '), ' ', $this->ip));
+ $this->ip = (!empty($_SERVER['REMOTE_ADDR'])) ? (string) $_SERVER['REMOTE_ADDR'] : '';
+ $this->ip = preg_replace('# {2,}#', ' ', str_replace(',', ' ', $this->ip));
// split the list of IPs
- $ips = explode(' ', $this->ip);
+ $ips = explode(' ', trim($this->ip));
// Default IP if REMOTE_ADDR is invalid
$this->ip = '127.0.0.1';
@@ -297,26 +297,31 @@ class session
continue;
}
- // check IPv4 first, the IPv6 is hopefully only going to be used very seldomly
- if (!empty($ip) && !preg_match(get_preg_expression('ipv4'), $ip) && !preg_match(get_preg_expression('ipv6'), $ip))
+ if (preg_match(get_preg_expression('ipv4'), $ip))
{
- // Just break
- break;
+ $this->ip = $ip;
}
-
- // Quick check for IPv4-mapped address in IPv6
- if (stripos($ip, '::ffff:') === 0)
+ else if (preg_match(get_preg_expression('ipv6'), $ip))
{
- $ipv4 = substr($ip, 7);
-
- if (preg_match(get_preg_expression('ipv4'), $ipv4))
+ // Quick check for IPv4-mapped address in IPv6
+ if (stripos($ip, '::ffff:') === 0)
{
- $ip = $ipv4;
+ $ipv4 = substr($ip, 7);
+
+ if (preg_match(get_preg_expression('ipv4'), $ipv4))
+ {
+ $ip = $ipv4;
+ }
}
- }
- // Use the last in chain
- $this->ip = $ip;
+ $this->ip = $ip;
+ }
+ else
+ {
+ // We want to use the last valid address in the chain
+ // Leave foreach loop when address is invalid
+ break;
+ }
}
$this->load = false;
@@ -602,6 +607,7 @@ class session
// otherwise they'll index this page with the SID, duplicate content oh my!
if ($bot && isset($_GET['sid']))
{
+ send_status_line(301, 'Moved Permanently');
redirect(build_url(array('sid')));
}
@@ -1013,6 +1019,10 @@ class session
include($phpbb_root_path . "includes/captcha/captcha_factory." . $phpEx);
}
phpbb_captcha_factory::garbage_collect($config['captcha_plugin']);
+
+ $sql = 'DELETE FROM ' . LOGIN_ATTEMPT_TABLE . '
+ WHERE attempt_time < ' . (time() - (int) $config['ip_login_limit_time']);
+ $db->sql_query($sql);
}
return;
@@ -1251,6 +1261,12 @@ class session
$ip = $this->ip;
}
+ // Neither Spamhaus nor Spamcop supports IPv6 addresses.
+ if (strpos($ip, ':') !== false)
+ {
+ return false;
+ }
+
$dnsbl_check = array(
'sbl.spamhaus.org' => 'http://www.spamhaus.org/query/bl?ip=',
);
@@ -2287,9 +2303,44 @@ class user extends session
// Use URL if told so
$root_path = (defined('PHPBB_USE_BOARD_URL_PATH') && PHPBB_USE_BOARD_URL_PATH) ? generate_board_url() . '/' : $phpbb_root_path;
- $img_data['src'] = $root_path . 'styles/' . rawurlencode($this->theme['imageset_path']) . '/imageset/' . ($this->img_array[$img]['image_lang'] ? $this->img_array[$img]['image_lang'] .'/' : '') . $this->img_array[$img]['image_filename'];
+ $path = 'styles/' . rawurlencode($this->theme['imageset_path']) . '/imageset/' . ($this->img_array[$img]['image_lang'] ? $this->img_array[$img]['image_lang'] .'/' : '') . $this->img_array[$img]['image_filename'];
+
+ $img_data['src'] = $root_path . $path;
$img_data['width'] = $this->img_array[$img]['image_width'];
$img_data['height'] = $this->img_array[$img]['image_height'];
+
+ // We overwrite the width and height to the phpbb logo's width
+ // and height here if the contents of the site_logo file are
+ // really equal to the phpbb_logo
+ // This allows us to change the dimensions of the phpbb_logo without
+ // modifying the imageset.cfg and causing a conflict for everyone
+ // who modified it for their custom logo on updating
+ if ($img == 'site_logo' && file_exists($phpbb_root_path . $path))
+ {
+ global $cache;
+
+ $img_file_hashes = $cache->get('imageset_site_logo_md5');
+
+ if ($img_file_hashes === false)
+ {
+ $img_file_hashes = array();
+ }
+
+ $key = $this->theme['imageset_path'] . '::' . $this->img_array[$img]['image_lang'];
+ if (!isset($img_file_hashes[$key]))
+ {
+ $img_file_hashes[$key] = md5(file_get_contents($phpbb_root_path . $path));
+ $cache->put('imageset_site_logo_md5', $img_file_hashes);
+ }
+
+ $phpbb_logo_hash = '0c461a32cd3621643105f0d02a772c10';
+
+ if ($phpbb_logo_hash == $img_file_hashes[$key])
+ {
+ $img_data['width'] = '149';
+ $img_data['height'] = '52';
+ }
+ }
}
$alt = (!empty($this->lang[$alt])) ? $this->lang[$alt] : $alt;