diff options
Diffstat (limited to 'phpBB/phpbb/session.php')
| -rw-r--r-- | phpBB/phpbb/session.php | 185 | 
1 files changed, 88 insertions, 97 deletions
| diff --git a/phpBB/phpbb/session.php b/phpBB/phpbb/session.php index cc5a1b8f8f..6851bc8188 100644 --- a/phpBB/phpbb/session.php +++ b/phpBB/phpbb/session.php @@ -250,8 +250,7 @@ class session  			$ips = explode(' ', $this->forwarded_for);  			foreach ($ips as $ip)  			{ -				// check IPv4 first, the IPv6 is hopefully only going to be used very seldomly -				if (!empty($ip) && !preg_match(get_preg_expression('ipv4'), $ip) && !preg_match(get_preg_expression('ipv6'), $ip)) +				if (!filter_var($ip, FILTER_VALIDATE_IP))  				{  					// contains invalid data, don't use the forwarded for header  					$this->forwarded_for = ''; @@ -311,49 +310,17 @@ class session  		foreach ($ips as $ip)  		{ -			if (function_exists('phpbb_ip_normalise')) -			{ -				// Normalise IP address -				$ip = phpbb_ip_normalise($ip); - -				if (empty($ip)) -				{ -					// IP address is invalid. -					break; -				} - -				// IP address is valid. -				$this->ip = $ip; - -				// Skip legacy code. -				continue; -			} - -			if (preg_match(get_preg_expression('ipv4'), $ip)) -			{ -				$this->ip = $ip; -			} -			else if (preg_match(get_preg_expression('ipv6'), $ip)) -			{ -				// Quick check for IPv4-mapped address in IPv6 -				if (stripos($ip, '::ffff:') === 0) -				{ -					$ipv4 = substr($ip, 7); +			// Normalise IP address +			$ip = phpbb_ip_normalise($ip); -					if (preg_match(get_preg_expression('ipv4'), $ipv4)) -					{ -						$ip = $ipv4; -					} -				} - -				$this->ip = $ip; -			} -			else +			if ($ip === false)  			{ -				// We want to use the last valid address in the chain -				// Leave foreach loop when address is invalid +				// IP address is invalid.  				break;  			} + +			// IP address is valid. +			$this->ip = $ip;  		}  		$this->load = false; @@ -478,8 +445,8 @@ class session  				}  				else  				{ -					// Added logging temporarly to help debug bugs... -					if (defined('DEBUG') && $this->data['user_id'] != ANONYMOUS) +					// Added logging temporarily to help debug bugs... +					if ($phpbb_container->getParameter('session.log_errors') && $this->data['user_id'] != ANONYMOUS)  					{  						if ($referer_valid)  						{ @@ -987,72 +954,96 @@ class session  	{  		global $db, $config, $phpbb_container, $phpbb_dispatcher; -		$batch_size = 10; -  		if (!$this->time_now)  		{  			$this->time_now = time();  		} -		// Firstly, delete guest sessions -		$sql = 'DELETE FROM ' . SESSIONS_TABLE . ' -			WHERE session_user_id = ' . ANONYMOUS . ' -				AND session_time < ' . (int) ($this->time_now - $config['session_length']); -		$db->sql_query($sql); +		/** +		 * Get expired sessions for registered users, only most recent for each user +		 * Inner SELECT gets most recent expired sessions for unique session_user_id +		 * Outer SELECT gets data for them +		 */ +		$sql_select = 'SELECT s1.session_page, s1.session_user_id, s1.session_time AS recent_time +			FROM ' . SESSIONS_TABLE . ' AS s1 +			INNER JOIN ( +				SELECT session_user_id, MAX(session_time) AS recent_time +				FROM ' . SESSIONS_TABLE . ' +				WHERE session_time < ' . ($this->time_now - (int) $config['session_length']) . ' +					AND session_user_id <> ' . ANONYMOUS . ' +				GROUP BY session_user_id +			) AS s2 +			ON s1.session_user_id = s2.session_user_id +				AND s1.session_time = s2.recent_time'; + +		switch ($db->get_sql_layer()) +		{ +			case 'sqlite3': +				if (phpbb_version_compare($db->sql_server_info(true), '3.8.3', '>=')) +				{ +					// For SQLite versions 3.8.3+ which support Common Table Expressions (CTE) +					$sql = "WITH s3 (session_page, session_user_id, session_time) AS ($sql_select) +						UPDATE " . USERS_TABLE . ' +						SET (user_lastpage, user_lastvisit) = (SELECT session_page, session_time FROM s3 WHERE session_user_id = user_id) +						WHERE EXISTS (SELECT session_user_id FROM s3 WHERE session_user_id = user_id)'; +					$db->sql_query($sql); -		// Get expired sessions, only most recent for each user -		$sql = 'SELECT session_user_id, session_page, MAX(session_time) AS recent_time -			FROM ' . SESSIONS_TABLE . ' -			WHERE session_time < ' . ($this->time_now - $config['session_length']) . ' -			GROUP BY session_user_id, session_page'; -		$result = $db->sql_query_limit($sql, $batch_size); +					break; +				} -		$del_user_id = array(); -		$del_sessions = 0; +			// No break, for SQLite versions prior to 3.8.3 and Oracle +			case 'oracle': +				$result = $db->sql_query($sql_select); +				while ($row = $db->sql_fetchrow($result)) +				{ +					$sql = 'UPDATE ' . USERS_TABLE . ' +						SET user_lastvisit = ' . (int) $row['recent_time'] . ", user_lastpage = '" . $db->sql_escape($row['session_page']) . "' +						WHERE user_id = " . (int) $row['session_user_id']; +					$db->sql_query($sql); +				} +				$db->sql_freeresult($result); +			break; -		while ($row = $db->sql_fetchrow($result)) -		{ -			$sql = 'UPDATE ' . USERS_TABLE . ' -				SET user_lastvisit = ' . (int) $row['recent_time'] . ", user_lastpage = '" . $db->sql_escape($row['session_page']) . "' -				WHERE user_id = " . (int) $row['session_user_id']; -			$db->sql_query($sql); +			case 'mysqli': +				$sql = 'UPDATE ' . USERS_TABLE . " u, +					($sql_select) s3 +					SET u.user_lastvisit = s3.recent_time, u.user_lastpage = s3.session_page +					WHERE u.user_id = s3.session_user_id"; +				$db->sql_query($sql); +			break; -			$del_user_id[] = (int) $row['session_user_id']; -			$del_sessions++; +			default: +				$sql = 'UPDATE ' . USERS_TABLE . " +					SET user_lastvisit = s3.recent_time, user_lastpage = s3.session_page +					FROM ($sql_select) s3 +					WHERE user_id = s3.session_user_id"; +				$db->sql_query($sql); +			break;  		} -		$db->sql_freeresult($result); -		if (count($del_user_id)) +		// Delete all expired sessions +		$sql = 'DELETE FROM ' . SESSIONS_TABLE . ' +			WHERE session_time < ' . ($this->time_now - (int) $config['session_length']); +		$db->sql_query($sql); + +		// Update gc timer +		$config->set('session_last_gc', $this->time_now, false); + +		if ($config['max_autologin_time'])  		{ -			// Delete expired sessions -			$sql = 'DELETE FROM ' . SESSIONS_TABLE . ' -				WHERE ' . $db->sql_in_set('session_user_id', $del_user_id) . ' -					AND session_time < ' . ($this->time_now - $config['session_length']); +			$sql = 'DELETE FROM ' . SESSIONS_KEYS_TABLE . ' +				WHERE last_login < ' . (time() - (86400 * (int) $config['max_autologin_time']));  			$db->sql_query($sql);  		} -		if ($del_sessions < $batch_size) -		{ -			// Less than 10 users, update gc timer ... else we want gc -			// called again to delete other sessions -			$config->set('session_last_gc', $this->time_now, false); - -			if ($config['max_autologin_time']) -			{ -				$sql = 'DELETE FROM ' . SESSIONS_KEYS_TABLE . ' -					WHERE last_login < ' . (time() - (86400 * (int) $config['max_autologin_time'])); -				$db->sql_query($sql); -			} - -			// only called from CRON; should be a safe workaround until the infrastructure gets going -			/* @var $captcha_factory \phpbb\captcha\factory */ -			$captcha_factory = $phpbb_container->get('captcha.factory'); -			$captcha_factory->garbage_collect($config['captcha_plugin']); +		// only called from CRON; should be a safe workaround until the infrastructure gets going +		/* @var \phpbb\captcha\factory $captcha_factory */ +		$captcha_factory = $phpbb_container->get('captcha.factory'); +		$captcha_factory->garbage_collect($config['captcha_plugin']); -			$sql = 'DELETE FROM ' . LOGIN_ATTEMPT_TABLE . ' -				WHERE attempt_time < ' . (time() - (int) $config['ip_login_limit_time']); -			$db->sql_query($sql); -		} +		$sql = 'DELETE FROM ' . LOGIN_ATTEMPT_TABLE . ' +			WHERE attempt_time < ' . (time() - (int) $config['ip_login_limit_time']); +		$db->sql_query($sql);  		/**  		* Event to trigger extension on session_gc @@ -1362,7 +1353,7 @@ class session  	* Only IPv4 (rbldns does not support AAAA records/IPv6 lookups)  	*  	* @author satmd (from the php manual) -	* @param string 		$mode	register/post - spamcop for example is ommitted for posting +	* @param string 		$mode	register/post - spamcop for example is omitted for posting  	* @param string|false	$ip		the IPv4 address to check  	*  	* @return false if ip is not blacklisted, else an array([checked server], [lookup]) @@ -1400,7 +1391,7 @@ class session  			foreach ($dnsbl_check as $dnsbl => $lookup)  			{ -				if (phpbb_checkdnsrr($reverse_ip . '.' . $dnsbl . '.', 'A') === true) +				if (checkdnsrr($reverse_ip . '.' . $dnsbl . '.', 'A') === true)  				{  					$info = array($dnsbl, $lookup . $ip);  				} @@ -1421,7 +1412,7 @@ class session  	/**  	* Check if URI is blacklisted -	* This should be called only where absolutly necessary, for example on the submitted website field +	* This should be called only where absolutely necessary, for example on the submitted website field  	* This function is not in use at the moment and is only included for testing purposes, it may not work at all!  	* This means it is untested at the moment and therefore commented out  	* @@ -1444,7 +1435,7 @@ class session  		{  			// One problem here... the return parameter for the "windows" method is different from what  			// we expect... this may render this check useless... -			if (phpbb_checkdnsrr($uri . '.multi.uribl.com.', 'A') === true) +			if (checkdnsrr($uri . '.multi.uribl.com.', 'A') === true)  			{  				return true;  			} | 
