From 1d42d1b9817050974c8bc8b91bc34a6c3cfbfef8 Mon Sep 17 00:00:00 2001
From: Meik Sievertsen
Date: Tue, 22 Aug 2006 21:26:06 +0000
Subject: some updates. Also adjusted the utf tools and normalizer more to our coding guidelines.
git-svn-id: file:///svn/phpbb/trunk@6312 89ea8834-ac86-4346-8a33-228a782c2dd0
---
 phpBB/includes/session.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'phpBB/includes/session.php')
diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php
index 64a203e0bf..0e934edb8a 100644
--- a/phpBB/includes/session.php
+++ b/phpBB/includes/session.php
@@ -588,6 +588,9 @@ class session
 $SID = '?sid=';
 $this->session_id = $_SID = '';
+ // To make sure a valid session is created we create one for the anonymous user
+ $this->session_create(ANONYMOUS);
+
 return true;
 }
@@ -1207,7 +1210,7 @@ class user extends session
 /**
 * Set language entry (called by add_lang)
- @access: private
+ @access private
 */
 function set_lang(&$lang, &$help, $lang_file, $use_db = false, $use_help = false)
 {
-- cgit v1.2.1
From c0a880b6652d330b760b7da7cdde8076f854d836 Mon Sep 17 00:00:00 2001
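Review bot: The new `$this->session_create(ANONYMOUS);` call discards its result, so the function still returns `true` unconditionally even if no anonymous session was created, which is the opposite of what the added comment promises. Later hunks on this page show `session_create()` ending in `return true;`, so whether a failure path exists is not visible here; if one does, `return $this->session_create(ANONYMOUS);` would make the outcome visible to callers instead of masking it. The enclosing function starts before this hunk, so whatever removed the old session row and cookies above is not shown.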
From: Nils Adermann Date: Mon, 28 Aug 2006 17:20:21 +0000 Subject: - birthdays/age in user's timezone and not server's local time - parse bbcode in posts with fewer characters than selected maximum on search results page - retrieve search word context in posts which are longer than maximum characters (no raw BBCode anymore) - formatted text is processed in the same order everywhere now: censor_text, replace newlines, bbcode, smileys, attachments, highlighting [including Bug #2048] - highlighting pattern updated to exclude style and script (e.g custom BBCode) [Bug #3856] - fixed a style problem in Opera [Bug #3770] - performance increase for user::img() - slight adjustments to search git-svn-id: file:///svn/phpbb/trunk@6321 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/session.php | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) (limited to 'phpBB/includes/session.php') diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php index 0e934edb8a..5441f7e556 100644 --- a/phpBB/includes/session.php +++ b/phpBB/includes/session.php @@ -1340,13 +1340,15 @@ class user extends session static $imgs; global $phpbb_root_path; - if (empty($imgs[$img . $suffix]) || $width !== false) + $img_data = $imgs[$img . $suffix]; + + if (empty($img_data) || $width !== false) { if (!isset($this->theme[$img]) || !$this->theme[$img]) { // Do not fill the image to let designers decide what to do if the image is empty - $imgs[$img . $suffix] = ''; - return $imgs[$img . $suffix]; + $img_data = ''; + return $img_data; } // Do not include dimensions? 
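Review bot: `$img_data = $imgs[$img . $suffix];` copies the cache slot, so the `src`/`width`/`height` written into `$img_data` further down never reach the static `$imgs` array and the memoisation this commit is meant to add has no effect; reading an index that is not yet set also raises an E_NOTICE on every first call. Taking a reference instead, `$img_data = &$imgs[$img . $suffix];`, both writes through to the cache and creates the slot silently. The `img()` method begins before this hunk and its remaining branches continue in the next one.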
@@ -1372,9 +1374,9 @@ class user extends session $imgsrc = str_replace('{SUFFIX}', $suffix, $imgsrc); } - $imgs[$img . $suffix]['src'] = $phpbb_root_path . 'styles/' . $this->theme['imageset_path'] . '/imageset/' . str_replace('{LANG}', $this->img_lang, $imgsrc); - $imgs[$img . $suffix]['width'] = $width; - $imgs[$img . $suffix]['height'] = $height; + $img_data['src'] = $phpbb_root_path . 'styles/' . $this->theme['imageset_path'] . '/imageset/' . str_replace('{LANG}', $this->img_lang, $imgsrc); + $img_data['width'] = $width; + $img_data['height'] = $height; } $alt = (!empty($this->lang[$alt])) ? $this->lang[$alt] : $alt; @@ -1382,19 +1384,19 @@ class user extends session switch ($type) { case 'src': - return $imgs[$img . $suffix]['src']; + return $img_data['src']; break; case 'width': - return $imgs[$img . $suffix]['width']; + return $img_data['width']; break; case 'height': - return $imgs[$img . $suffix]['height']; + return $img_data['height']; break; default: - return '' . $alt . ''; + return '' . $alt . ''; break; } } -- cgit v1.2.1 From 8799d8d65c3543d37375dcaebac11d2aca0eb6f4 Mon Sep 17 00:00:00 2001 From: Nils Adermann Date: Wed, 6 Sep 2006 20:58:53 +0000 Subject: oops git-svn-id: file:///svn/phpbb/trunk@6356 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/session.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'phpBB/includes/session.php') diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php index 5441f7e556..5549606bcc 100644 --- a/phpBB/includes/session.php +++ b/phpBB/includes/session.php @@ -1340,7 +1340,7 @@ class user extends session static $imgs; global $phpbb_root_path; - $img_data = $imgs[$img . $suffix]; + $img_data = &$imgs[$img . $suffix]; if (empty($img_data) || $width !== false) { -- cgit v1.2.1 From b76222cb6e9ed69ee8ed0c09f0196eaaafd33fad Mon Sep 17 00:00:00 2001 
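Review bot: In the `default:` branch `$alt` is interpolated straight into the returned markup (the tag attributes are stripped in this rendering, so only `'' . $alt . ''` survives), and the line above it falls back to the raw `$alt` argument whenever no language entry exists for that key. If every caller passes a language key this is harmless; if any caller can pass free text, wrap it with `htmlspecialchars($alt)` before building the tag, and consider the same for `$img_data['src']`, which is assembled from `$this->theme['imageset_path']` and the imageset value. The method begins in the previous hunk.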
From: Meik Sievertsen
Date: Wed, 13 Sep 2006 16:08:36 +0000
Subject: - fixed some bugs - changed attachment handling a bit - tried to remove target tags out of the code - do not add session ids to urls for bots as well as not creating a new session on each page view for them I bet i introduced some bugs too. ;)
git-svn-id: file:///svn/phpbb/trunk@6364 89ea8834-ac86-4346-8a33-228a782c2dd0
---
 phpBB/includes/session.php | 64 +++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 61 insertions(+), 3 deletions(-)
(limited to 'phpBB/includes/session.php')
diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php
index 5549606bcc..458eb44b40 100644
--- a/phpBB/includes/session.php
+++ b/phpBB/includes/session.php
@@ -405,9 +405,21 @@ class session
 $this->cookie_data['k'] = '';
 $this->cookie_data['u'] = ($bot) ? $bot : ANONYMOUS;
- $sql = 'SELECT *
- FROM ' . USERS_TABLE . '
- WHERE user_id = ' . (int) $this->cookie_data['u'];
+ if (!$bot)
+ {
+ $sql = 'SELECT *
+ FROM ' . USERS_TABLE . '
+ WHERE user_id = ' . (int) $this->cookie_data['u'];
+ }
+ else
+ {
+ // We give bots always the same session if it is not yet expired.
+ $sql = 'SELECT u.*, s.*
+ FROM ' . USERS_TABLE . ' u
+ LEFT JOIN ' . SESSIONS_TABLE . ' s ON (s.session_user_id = u.user_id)
+ WHERE u.user_id = ' . (int) $bot;
+ }
+
 $result = $db->sql_query($sql);
 $this->data = $db->sql_fetchrow($result);
 $db->sql_freeresult($result);
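Review bot: The bot branch LEFT JOINs `SESSIONS_TABLE` without an ORDER BY, so a bot that has more than one session row (possible until the mismatch branch in the next hunk deletes them) gets whichever row the database returns first, and the `session_id`/`session_ip`/`session_browser` that the next hunk compares against are then arbitrary. Adding `ORDER BY s.session_time DESC` to that query makes the re-used session deterministic (the most recent one); since both branches share the `$result = $db->sql_query($sql);` that follows, the ORDER BY is the smaller change compared with switching to `sql_query_limit()`. `session_create()` begins before this hunk.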
@@ -440,6 +452,47 @@ class session // // + // If our friend is a bot, we re-assign a previously assigned session + if ($this->data['is_bot'] && $bot === $this->data['user_id'] && $this->data['session_id']) + { + // Only assign the current session if the ip and browser match... + $s_ip = implode('.', array_slice(explode('.', $this->data['session_ip']), 0, $config['ip_check'])); + $u_ip = implode('.', array_slice(explode('.', $this->ip), 0, $config['ip_check'])); + + $s_browser = ($config['browser_check']) ? strtolower(substr($this->data['session_browser'], 0, 149)) : ''; + $u_browser = ($config['browser_check']) ? strtolower(substr($this->browser, 0, 149)) : ''; + + if ($u_ip === $s_ip && $s_browser === $u_browser) + { + $this->session_id = $this->data['session_id']; + + // Only update session DB a minute or so after last update or if page changes + if ($this->time_now - $this->data['session_time'] > 60 || ($this->update_session_page && $this->data['session_page'] != $this->page['page'])) + { + $sql_ary = array('session_time' => $this->time_now, 'session_last_visit' => $this->time_now, 'session_admin' => 0); + + if ($this->update_session_page) + { + $sql_ary['session_page'] = substr($this->page['page'], 0, 199); + } + + $sql = 'UPDATE ' . SESSIONS_TABLE . ' SET ' . $db->sql_build_array('UPDATE', $sql_ary) . " + WHERE session_id = '" . $db->sql_escape($this->session_id) . "'"; + $db->sql_query($sql); + } + + $SID = '?sid='; + $_SID = ''; + + return true; + } + else + { + // If the ip and browser does not match make sure we only have one bot assigned to one session + $db->sql_query('DELETE FROM ' . SESSIONS_TABLE . ' WHERE session_user_id = ' . $this->data['user_id']); + } + } + // @todo Change this ... check for "... && user_type & USER_NORMAL" ? $session_autologin = (($this->cookie_data['k'] || $persist_login) && $this->data['is_registered']) ? true : false; 
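Review bot: The mismatch branch deletes every session row for the bot user, so any client that the bot detection (outside this hunk, presumably keyed on request headers) identifies as that bot but arrives from a different IP or browser string evicts the genuine crawler's session on every request, while a client that does match simply inherits the existing session. Because a bot's identity is derived from client-supplied data, that is a cheap way to disrupt crawler session tracking; scoping the delete to the row just examined, `WHERE session_id = '" . $db->sql_escape($this->data['session_id']) . "'`, and casting the id, `(int) $this->data['user_id']`, would limit the blast radius. `$bot === $this->data['user_id']` also compares against a value fetched from the database, which a later commit on this page has to relax to `==` because it arrives as a string — casting at fetch time would keep the strict comparison. `session_create()` continues outside this hunk on both sides.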
@@ -516,6 +569,11 @@ class session unset($cookie_expire); } + else + { + $SID = '?sid='; + $_SID = ''; + } return true; } -- cgit v1.2.1 From 1d7e3e0fd95fb5baf92937d1f911649cb1a665e9 Mon Sep 17 00:00:00 2001 From: Meik Sievertsen Date: Fri, 22 Sep 2006 22:14:05 +0000 Subject: some tiny fixes here and there git-svn-id: file:///svn/phpbb/trunk@6383 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/session.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'phpBB/includes/session.php') diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php index 458eb44b40..9af770e240 100644 --- a/phpBB/includes/session.php +++ b/phpBB/includes/session.php @@ -1202,7 +1202,7 @@ class user extends session // Does the user need to change their password? If so, redirect to the // ucp profile reg_details page ... of course do not redirect if we're already in the ucp - if (!defined('IN_ADMIN') && $config['chg_passforce'] && $this->data['is_registered'] && $this->data['user_passchg'] < time() - ($config['chg_passforce'] * 86400)) + if (!defined('IN_ADMIN') && !defined('ADMIN_START') && $config['chg_passforce'] && $this->data['is_registered'] && $this->data['user_passchg'] < time() - ($config['chg_passforce'] * 86400)) { if (strpos($this->page['query_string'], 'mode=reg_details') === false && $this->page['page_name'] != "ucp.$phpEx") { -- cgit v1.2.1 From 12f2fbc4158515713c0b1b1d99f5d43c6c7eacf9 Mon Sep 17 00:00:00 2001 From: Meik Sievertsen Date: Mon, 25 Sep 2006 14:32:05 +0000 Subject: use the "old" approach git-svn-id: file:///svn/phpbb/trunk@6407 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/session.php | 112 +++++++++++++++------------------------------ 1 file changed, 36 insertions(+), 76 deletions(-) (limited to 'phpBB/includes/session.php') diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php index 9af770e240..8cef9c3806 100644 --- a/phpBB/includes/session.php +++ b/phpBB/includes/session.php 
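Review bot: Adding `!defined('ADMIN_START')` to the condition exempts the whole administration control panel from the forced password change, so an administrator whose password is older than `chg_passforce` days can keep working in the most privileged area indefinitely while ordinary pages would redirect them. If the intent is only to avoid a redirect loop out of the ACP, a narrower fix is to redirect to the UCP `reg_details` page from the ACP as well, or at least to surface a warning there; otherwise the exemption deserves a comment such as `// ACP entry points are exempt from the forced password change; see chg_passforce` so the widening is deliberate rather than accidental. The enclosing method begins and ends outside this hunk.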
@@ -671,88 +671,48 @@ class session $this->time_now = time(); } - switch (SQL_LAYER) - { - case 'mysql4': - case 'mysqli': - // Firstly, delete guest sessions - $sql = 'DELETE FROM ' . SESSIONS_TABLE . ' - WHERE session_user_id = ' . ANONYMOUS . ' - AND session_time < ' . (int) ($this->time_now - $config['session_length']); - $db->sql_query($sql); - - // Keep only the most recent session for each user - // Note: if the user is currently browsing the board, his - // last_visit field won't be updated, which I believe should be - // the normal behavior anyway - $db->sql_return_on_error(true); - - $sql = 'DELETE FROM ' . SESSIONS_TABLE . ' - USING ' . SESSIONS_TABLE . ' s1, ' . SESSIONS_TABLE . ' s2 - WHERE s1.session_user_id = s2.session_user_id - AND s1.session_time < s2.session_time'; - $db->sql_query($sql); - - $db->sql_return_on_error(false); - - // Update last visit time - $sql = 'UPDATE ' . USERS_TABLE. ' u, ' . SESSIONS_TABLE . ' s - SET u.user_lastvisit = s.session_time, u.user_lastpage = s.session_page - WHERE s.session_time < ' . (int) ($this->time_now - $config['session_length']) . ' - AND u.user_id = s.session_user_id'; - $db->sql_query($sql); - - // Delete everything else now - $sql = 'DELETE FROM ' . SESSIONS_TABLE . ' - WHERE session_time < ' . (int) ($this->time_now - $config['session_length']); - $db->sql_query($sql); - - set_config('session_last_gc', $this->time_now, true); - break; - - default: + // Firstly, delete guest sessions + $sql = 'DELETE FROM ' . SESSIONS_TABLE . ' + WHERE session_user_id = ' . ANONYMOUS . ' + AND session_time < ' . (int) ($this->time_now - $config['session_length']); + $db->sql_query($sql); - // Get expired sessions, only most recent for each user - $sql = 'SELECT session_user_id, session_page, MAX(session_time) AS recent_time - FROM ' . SESSIONS_TABLE . ' - WHERE session_time < ' . ($this->time_now - $config['session_length']) . 
' - GROUP BY session_user_id, session_page'; - $result = $db->sql_query_limit($sql, 5); + // Get expired sessions, only most recent for each user + $sql = 'SELECT session_user_id, session_page, MAX(session_time) AS recent_time + FROM ' . SESSIONS_TABLE . ' + WHERE session_time < ' . ($this->time_now - $config['session_length']) . ' + GROUP BY session_user_id, session_page'; + $result = $db->sql_query_limit($sql, 10); - $del_user_id = array(); - $del_sessions = 0; + $del_user_id = array(); + $del_sessions = 0; - while ($row = $db->sql_fetchrow($result)); - { - if ($row['session_user_id'] != ANONYMOUS) - { - $sql = 'UPDATE ' . USERS_TABLE . ' - SET user_lastvisit = ' . (int) $row['recent_time'] . ", user_lastpage = '" . $db->sql_escape($row['session_page']) . "' - WHERE user_id = " . (int) $row['session_user_id']; - $db->sql_query($sql); - } + while ($row = $db->sql_fetchrow($result)); + { + $sql = 'UPDATE ' . USERS_TABLE . ' + SET user_lastvisit = ' . (int) $row['recent_time'] . ", user_lastpage = '" . $db->sql_escape($row['session_page']) . "' + WHERE user_id = " . (int) $row['session_user_id']; + $db->sql_query($sql); - $del_user_id[] = (int) $row['session_user_id']; - $del_sessions++; - } - $db->sql_freeresult($result); + $del_user_id[] = (int) $row['session_user_id']; + $del_sessions++; + } + $db->sql_freeresult($result); - if (sizeof($del_user_id)) - { - // Delete expired sessions - $sql = 'DELETE FROM ' . SESSIONS_TABLE . ' - WHERE ' . $db->sql_in_set('session_user_id', $del_user_id) . ' - AND session_time < ' . ($this->time_now - $config['session_length']); - $db->sql_query($sql); - } + if (sizeof($del_user_id)) + { + // Delete expired sessions + $sql = 'DELETE FROM ' . SESSIONS_TABLE . ' + WHERE ' . $db->sql_in_set('session_user_id', $del_user_id) . ' + AND session_time < ' . ($this->time_now - $config['session_length']); + $db->sql_query($sql); + } - if ($del_sessions < 5) - { - // Less than 5 sessions, update gc timer ... 
else we want gc - // called again to delete other sessions - set_config('session_last_gc', $this->time_now, true); - } - break; + if ($del_sessions < 10) + { + // Less than 10 sessions, update gc timer ... else we want gc + // called again to delete other sessions + set_config('session_last_gc', $this->time_now, true); } if ($config['max_autologin_time']) -- cgit v1.2.1 From 26befa094147b542e48e36867eb41eaf424225f7 Mon Sep 17 00:00:00 2001 From: Meik Sievertsen Date: Thu, 28 Sep 2006 15:04:59 +0000 Subject: - added confirmation to removing bbcodes - added optional MX and DNSBL checks - added backtrace (triggering sql error) on error within sql_in_set as well as making sure it is handling an array - let users having f_list access to a forum actually see the forum without a topic list and not displaying an error message - this allows for giving people access to subforums but not the parent forum without the need to add the (sub-)forum to the index. - some additional bugfixes git-svn-id: file:///svn/phpbb/trunk@6414 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/session.php | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) (limited to 'phpBB/includes/session.php') diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php index 8cef9c3806..b61643dea5 100644 --- a/phpBB/includes/session.php +++ b/phpBB/includes/session.php 
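Review bot: The new side keeps the stray semicolon in `while ($row = $db->sql_fetchrow($result));`, so the loop body is empty and the block below runs once with `$row === false`: it issues `UPDATE ... SET user_lastvisit = 0, user_lastpage = '' WHERE user_id = 0`, pushes `0` into `$del_user_id`, and the DELETE that follows matches no real user. `$del_sessions` is therefore always 1, the `< 10` test always refreshes `session_last_gc`, and expired non-guest sessions are never purged by this function; the fix is `while ($row = $db->sql_fetchrow($result))`. Two smaller points: the comment promises one row per user but `GROUP BY session_user_id, session_page` yields one per user-and-page, and the `(int)` cast applied to the guest DELETE at the top is missing from the two later `session_time <` comparisons. The enclosing garbage-collection method begins before this hunk and continues after it.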
@@ -846,6 +846,45 @@ class session return ($banned) ? true : false; } + /** + * Check if ip is blacklisted + * This should be called only where absolutly necessary + * + * Only IPv4 (rbldns does not support AAAA records/IPv6 lookups) + * + * @author satmd (from the php manual) + * @return false if ip is not blacklisted, else an array([checked server], [lookup]) + */ + function check_dnsbl($ip = false) + { + if ($ip === false) + { + $ip = $this->ip; + } + + $dnsbl_check = array( + 'bl.spamcop.net' => 'http://spamcop.net/bl.shtml?', + 'list.dsbl.org' => 'http://dsbl.org/listing?', + 'sbl-xbl.spamhaus.org' => 'http://www.spamhaus.org/query/bl?ip=', + ); + + if ($ip) + { + $quads = explode('.', $ip); + $reverse_ip = $quads[3] . '.' . $quads[2] . '.' . $quads[1] . '.' . $quads[0]; + + foreach ($dnsbl_check as $dnsbl => $lookup) + { + if (phpbb_checkdnsrr($reverse_ip . '.' . $dnsbl . '.', 'A') === true) + { + return array($dnsbl, $lookup . $ip); + } + } + } + + return false; + } + /** * Set/Update a persistent login key * -- cgit v1.2.1 From c42b75d1bc1154c849b5f55becfc42452242c86d Mon Sep 17 00:00:00 2001 From: Graham Eames Date: Sun, 1 Oct 2006 11:10:15 +0000 Subject: Prevent cookies from other applications interfering with our forms git-svn-id: file:///svn/phpbb/trunk@6423 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/session.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'phpBB/includes/session.php') diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php index b61643dea5..9c720bbb52 100644 --- a/phpBB/includes/session.php +++ b/phpBB/includes/session.php 
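Review bot: `check_dnsbl()` splits `$ip` on `.` and reads `$quads[3]` without checking that four quads came back, so an IPv6 `$this->ip` or any other non-dotted-quad value raises undefined-offset notices and then queries the DNSBLs with a garbage name; the docblock already declares the function IPv4-only, so enforce it by replacing `if ($ip)` with `if ($ip && preg_match('#^\d{1,3}(?:\.\d{1,3}){3}$#', $ip))`. Each `phpbb_checkdnsrr()` call is a blocking DNS query performed serially for up to three lists, so a slow or unreachable resolver stalls the request for whatever timeout that helper uses — worth stating in the docblock next to the "only where absolutely necessary" warning (and fixing the `absolutly` typo while there). The returned `$lookup . $ip` is display data; whoever renders it is responsible for escaping.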
@@ -151,9 +151,9 @@ class session
 // Switch to request_var ... can this cause issues, can a _GET/_POST param
 // be used to poison this? Not sure that it makes any difference in terms of
 // the end result, be it a cookie or param.
- $this->cookie_data['u'] = request_var($config['cookie_name'] . '_u', 0);
- $this->cookie_data['k'] = request_var($config['cookie_name'] . '_k', '');
- $this->session_id = request_var($config['cookie_name'] . '_sid', '');
+ $this->cookie_data['u'] = request_var($config['cookie_name'] . '_u', 0, false, true);
+ $this->cookie_data['k'] = request_var($config['cookie_name'] . '_k', '', false, true);
+ $this->session_id = request_var($config['cookie_name'] . '_sid', '', false, true);
 $SID = (defined('NEED_SID')) ? '?sid=' . $this->session_id : '?sid=';
 $_SID = (defined('NEED_SID')) ? $this->session_id : '';
-- cgit v1.2.1
From 17989aba24faf1b63c7f5b9c35836fa6a2cc8afa Mon Sep 17 00:00:00 2001
From: Graham Eames
Date: Sun, 1 Oct 2006 17:18:37 +0000
Subject: Allow for tomorrow in relative dates
git-svn-id: file:///svn/phpbb/trunk@6426 89ea8834-ac86-4346-8a33-228a782c2dd0
---
 phpBB/includes/session.php | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
(limited to 'phpBB/includes/session.php')
diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php
index 9c720bbb52..b0237c2f3f 100644
--- a/phpBB/includes/session.php
+++ b/phpBB/includes/session.php
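Review bot: The comment that still precedes the changed lines asks whether a `_GET`/`_POST` parameter can poison these values, and the new fourth argument is (per the commit title) the answer to that question, so the comment is now stale and should record the decision. Assuming that argument makes `request_var()` read `$_COOKIE` only, a replacement is `// Cookie values only: a ?<cookie_name>_sid= query or form parameter must not be able to override the cookie, otherwise a crafted link could dictate the session values a victim presents` — confirm the argument's semantics against `request_var()` before relying on that wording. `session_begin()` starts before this hunk.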
@@ -1323,12 +1323,17 @@ class user extends session $midnight = gmmktime(0, 0, 0, $m, $d, $y) - $this->timezone - $this->dst; } - if (strpos($format, '|') === false || (!($gmepoch > $midnight && !$forcedate) && !($gmepoch > $midnight - 86400 && !$forcedate))) + if (strpos($format, '|') === false || ($gmepoch < $midnight - 86400 && !$forcedate) || ($gmepoch > $midnight + 172800 && !$forcedate)) { return strtr(@gmdate(str_replace('|', '', $format), $gmepoch + $this->timezone + $this->dst), $lang_dates); } - if ($gmepoch > $midnight && !$forcedate) + if ($gmepoch > $midnight + 86400 && !$forcedate) + { + $format = substr($format, 0, strpos($format, '|')) . '||' . substr(strrchr($format, '|'), 1); + return str_replace('||', $this->lang['datetime']['TOMORROW'], strtr(@gmdate($format, $gmepoch + $this->timezone + $this->dst), $lang_dates)); + } + else if ($gmepoch > $midnight && !$forcedate) { $format = substr($format, 0, strpos($format, '|')) . '||' . substr(strrchr($format, '|'), 1); return str_replace('||', $this->lang['datetime']['TODAY'], strtr(@gmdate($format, $gmepoch + $this->timezone + $this->dst), $lang_dates)); -- cgit v1.2.1 From 5284f321789b5d0456b48a529ed59a99956020e8 Mon Sep 17 00:00:00 2001 
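Review bot: The new comparisons use strict `<`/`>`, so timestamps that fall exactly on a day boundary are mislabelled: `$gmepoch == $midnight + 86400` (00:00:00 tomorrow) is not `> $midnight + 86400` and drops into the TODAY branch, exactly `$midnight + 172800` is still reported as TOMORROW, and exactly `$midnight` falls through to whatever follows. Using `>=` in the two new-side branches, `if ($gmepoch >= $midnight + 86400 && !$forcedate)` and `else if ($gmepoch >= $midnight && !$forcedate)`, together with `$gmepoch >= $midnight + 172800` in the outer test, puts each edge on the right day. The enclosing method continues outside this hunk on both sides.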
From: Meik Sievertsen Date: Tue, 3 Oct 2006 18:35:59 +0000 Subject: - extend config checking to include check for writeable path - removed not utilized user_allow_email column from schema - removed inactive groups (they had no use at all, since inactive users are not able to login) The only benefit those brought are distinguish users - but this is no longer needed too due to the inactive code present. This also allows us to retain group memberships as well as default settings for users being set inactive due to profile changes. - rewrote user_active_flip to support multiple users and a mode, as well as coping with the aforementioned changes - implemented updated jabber class to support SRV server records and for better jabberd2 support. - jabber errors now logged to the error log with a full transaction - fixed user_delete calls to include usernames where possible and also update last post information correctly - implemented additional checks to user management to cope with common mistakes - On installation, guess the required mysql schema as best as possible. Users now only need to decide if they want to use the mysqli extension or not (mysqli selected by default) and no longer need to know their mysql version. - founders do not need to re-activate their account on profile changes - remove older session if re-authentication was successful (re-authentication always assigns a new session id) - set the cookie directly instead of using php's function - added inactive_remind to see which users got deactivated because of reminders (or re-activation) sent out hopefully not introduced too many bugs - those testing with CVS releases, please concentrate on user registration, activation, profile changes (email/password)... git-svn-id: file:///svn/phpbb/trunk@6436 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/session.php | 54 +++++++++++++++++++--------------------------- 1 file changed, 22 insertions(+), 32 deletions(-) (limited to 'phpBB/includes/session.php')
diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php index b0237c2f3f..41708d19ab 100644 --- a/phpBB/includes/session.php +++ b/phpBB/includes/session.php @@ -127,9 +127,6 @@ class session * * @param bool $update_session_page if true the session page gets updated. * This can be set to circumvent certain scripts to update the users last visited page. - * - * @todo Introduce further user types, bot, guest - * @todo Change user_type (as above) to a bitfield? user_type & USER_FOUNDER for example */ function session_begin($update_session_page = true) { @@ -148,9 +145,6 @@ class session if (isset($_COOKIE[$config['cookie_name'] . '_sid']) || isset($_COOKIE[$config['cookie_name'] . '_u'])) { - // Switch to request_var ... can this cause issues, can a _GET/_POST param - // be used to poison this? Not sure that it makes any difference in terms of - // the end result, be it a cookie or param. $this->cookie_data['u'] = request_var($config['cookie_name'] . '_u', 0, false, true); $this->cookie_data['k'] = request_var($config['cookie_name'] . '_k', '', false, true); $this->session_id = request_var($config['cookie_name'] . '_sid', '', false, true); @@ -265,7 +259,6 @@ class session $db->sql_query($sql); } - // Ultimately to be removed $this->data['is_registered'] = ($this->data['user_id'] != ANONYMOUS && ($this->data['user_type'] == USER_NORMAL || $this->data['user_type'] == USER_FOUNDER)) ? true : false; $this->data['is_bot'] = (!$this->data['is_registered'] && $this->data['user_id'] != ANONYMOUS) ? true : false; @@ -275,7 +268,10 @@ class session else { // Added logging temporarly to help debug bugs... - add_log('critical', 'LOG_IP_BROWSER_CHECK', $u_ip, $s_ip, $u_browser, $s_browser); + if (defined('DEBUG_EXTRA')) + { + add_log('critical', 'LOG_IP_BROWSER_CHECK', $u_ip, $s_ip, $u_browser, $s_browser); + } } } } 
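Review bot: Gating `add_log('critical', 'LOG_IP_BROWSER_CHECK', ...)` behind `DEBUG_EXTRA` removes the only record of a session id being presented from a different IP or browser than it was created with, which is precisely the signal a hijacked or replayed session produces, so production boards lose that audit trail entirely. If the concern was volume, a lower-severity log level or logging only the session id and the two IPs would keep the trail without flooding the critical log; at minimum the comment should explain the choice, e.g. `// Mismatches are logged only under DEBUG_EXTRA: they are common for clients behind rotating proxies and would flood the critical log`. The enclosing method starts and ends outside this hunk.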
@@ -374,7 +370,7 @@ class session $sql = 'SELECT u.* FROM ' . USERS_TABLE . ' u, ' . SESSIONS_KEYS_TABLE . ' k WHERE u.user_id = ' . (int) $this->cookie_data['u'] . ' - AND u.user_type <> ' . USER_INACTIVE . " + AND u.user_type IN (' . USER_NORMAL . ', ' . USER_FOUNDER . ") AND k.user_id = u.user_id AND k.key_id = '" . $db->sql_escape(md5($this->cookie_data['k'])) . "'"; $result = $db->sql_query($sql); @@ -389,7 +385,7 @@ class session $sql = 'SELECT * FROM ' . USERS_TABLE . ' WHERE user_id = ' . (int) $this->cookie_data['u'] . ' - AND user_type <> ' . USER_INACTIVE; + AND user_type IN (' . USER_NORMAL . ', ' . USER_FOUNDER . ')'; $result = $db->sql_query($sql); $this->data = $db->sql_fetchrow($result); $db->sql_freeresult($result); @@ -439,18 +435,14 @@ class session // session exists in which case session_id will also be set // Is user banned? Are they excluded? Won't return on ban, exists within method - // @todo Change to !$this->data['user_type'] & USER_FOUNDER && !$this->data['user_type'] & USER_BOT in time if ($this->data['user_type'] != USER_FOUNDER) { $this->check_ban($this->data['user_id'], $this->ip); } - // - // Do away with ultimately? - $this->data['is_registered'] = (!$bot && $this->data['user_id'] != ANONYMOUS) ? true : false; + + $this->data['is_registered'] = (!$bot && $this->data['user_id'] != ANONYMOUS && ($this->data['user_type'] == USER_NORMAL || $this->data['user_type'] == USER_FOUNDER)) ? true : false; $this->data['is_bot'] = ($bot) ? true : false; - // - // // If our friend is a bot, we re-assign a previously assigned session if ($this->data['is_bot'] && $bot === $this->data['user_id'] && $this->data['session_id']) 
@@ -493,8 +485,8 @@ class session } } - // @todo Change this ... check for "... && user_type & USER_NORMAL" ? $session_autologin = (($this->cookie_data['k'] || $persist_login) && $this->data['is_registered']) ? true : false; + $set_admin = ($set_admin && $this->data['is_registered']) ? true : false; // Create or update the session $sql_ary = array( @@ -734,20 +726,11 @@ class session { global $config; - if (!$config['cookie_domain'] || $config['cookie_domain'] == 'localhost' || $config['cookie_domain'] == '127.0.0.1') - { - @setcookie($config['cookie_name'] . '_' . $name, $cookiedata, $cookietime, $config['cookie_path']); - } - else - { - // Firefox does not allow setting cookies with a domain containing no periods. - if (strpos($config['cookie_domain'], '.') === false) - { - $config['cookie_domain'] = '.' . $config['cookie_domain']; - } + $name_data = rawurlencode($config['cookie_name'] . '_' . $name) . '=' . rawurlencode($cookiedata); + $expire = gmdate('D, d-M-Y H:i:s \\G\\M\\T', $cookietime); + $domain = (!$config['cookie_domain'] || $config['cookie_domain'] == 'localhost' || $config['cookie_domain'] == '127.0.0.1') ? '' : '; domain=' . $config['cookie_domain']; - @setcookie($config['cookie_name'] . '_' . $name, $cookiedata, $cookietime, $config['cookie_path'], $config['cookie_domain'], $config['cookie_secure']); - } + header('Set-Cookie: ' . $name_data . '; expires=' . $expire . '; path=' . $config['cookie_path'] . $domain . ((!$config['cookie_secure']) ? '' : '; secure') . '; HttpOnly', false); } /** 
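Review bot: `gmdate(...)` is applied to `$cookietime` unconditionally, so a caller that passes `0` — which under the removed `setcookie()` path meant a browser-session cookie — now gets `expires=Thu, 01-Jan-1970 00:00:00 GMT` and the browser discards the cookie immediately; if any caller relies on that (none is visible here), emit the attribute only when a time is given, `$expire = ($cookietime) ? '; expires=' . gmdate('D, d-M-Y H:i:s \\G\\M\\T', $cookietime) : '';`, and drop the literal `'; expires=' .` from the header line. The rewrite also loses the leading-dot normalisation the old branch applied to `cookie_domain` values without a period (the Firefox note in the removed code), and `cookie_path`/`cookie_domain` go into the header unencoded, so a `;` in either admin-set value would inject further attributes — `header()` rejects CR/LF but not semicolons. Adding `HttpOnly` is the right call and deserves a one-line comment saying it is the reason for bypassing `setcookie()`, which presumably lacks that flag on the PHP baseline this code supports — confirm against the minimum version.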
@@ -1020,15 +1003,20 @@ class user extends session $this->timezone = $config['board_timezone'] * 3600; $this->dst = $config['board_dst'] * 3600; -/* Browser-specific language setting removed - might re-appear later + /** + * If a guest user is surfing, we try to guess his/her language first by obtaining the browser language + * @todo if re-enabled we need to make sure only those languages installed are checked if (isset($_SERVER['HTTP_ACCEPT_LANGUAGE'])) { $accept_lang_ary = explode(',', $_SERVER['HTTP_ACCEPT_LANGUAGE']); + foreach ($accept_lang_ary as $accept_lang) { // Set correct format ... guess full xx_YY form $accept_lang = substr($accept_lang, 0, 2) . '_' . strtoupper(substr($accept_lang, 3, 2)); + $accept_lang = basename($accept_lang); + if (file_exists($phpbb_root_path . 'language/' . $accept_lang . "/common.$phpEx")) { $this->lang_name = $config['default_lang'] = $accept_lang; @@ -1039,6 +1027,8 @@ class user extends session { // No match on xx_YY so try xx $accept_lang = substr($accept_lang, 0, 2); + $accept_lang = basename($accept_lang); + if (file_exists($phpbb_root_path . 'language/' . $accept_lang . "/common.$phpEx")) { $this->lang_name = $config['default_lang'] = $accept_lang; @@ -1048,7 +1038,7 @@ class user extends session } } } -*/ + */ } // We include common language file here to not load it every time a custom language file is included -- cgit v1.2.1 From 0f0d160ded7fd129d40a4ec0372cab11d7ce7a88 Mon Sep 17 00:00:00 2001 From: Meik Sievertsen Date: Fri, 6 Oct 2006 18:43:55 +0000 Subject: - support re-caching of theme data if stylesheet.css changed and load_tplcompile enabled - mcp fixes - fixed some usability issues git-svn-id: file:///svn/phpbb/trunk@6447 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/session.php | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) (limited to 'phpBB/includes/session.php') diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php index 41708d19ab..0489bdba38 100644 
--- a/phpBB/includes/session.php +++ b/phpBB/includes/session.php @@ -785,6 +785,7 @@ class session $result = $db->sql_query($sql); + $ban_triggered_by = 'user'; while ($row = $db->sql_fetchrow($result)) { if ((!empty($row['ban_userid']) && intval($row['ban_userid']) == $user_id) || @@ -800,6 +801,20 @@ class session { $banned = true; $ban_row = $row; + + if (!empty($row['ban_userid']) && intval($row['ban_userid']) == $user_id) + { + $ban_triggered_by = 'user'; + } + else if (!empty($row['ban_ip']) && preg_match('#^' . str_replace('*', '.*?', $row['ban_ip']) . '$#i', $user_ip)) + { + $ban_triggered_by = 'ip'; + } + else + { + $ban_triggered_by = 'email'; + } + // Don't break. Check if there is an exclude rule for this user } } @@ -823,6 +838,8 @@ class session $message = sprintf($this->lang[$message], $till_date, '', ''); $message .= ($ban_row['ban_give_reason']) ? '
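Review bot: `str_replace('*', '.*?', $row['ban_ip'])` drops the ban entry into a regex with only the wildcard translated, so the dots of a plain IP ban match any character (`1.2.3.4` also matches `1x2y3z4`) and a `#`, `(`, `+` or `$` in a stored entry breaks or widens the pattern; the same expression is already used in the context line above this hunk, so both occurrences should become `preg_match('#^' . str_replace('\*', '.*?', preg_quote($row['ban_ip'], '#')) . '$#i', $user_ip)`. Because the outer condition has already decided `$banned`, the new `if`/`else if` chain re-runs the same three tests only to name the trigger, so the regex executes twice per row; computing `$ban_triggered_by` inside a single combined branch would avoid that. `check_ban()` begins before this hunk and the message assembly follows in the next one.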

' . sprintf($this->lang['BOARD_BAN_REASON'], $ban_row['ban_give_reason']) : ''; + $message .= '

' . $user->lang['BAN_TRIGGERED_BY_' . strtoupper($ban_triggered_by)] . ''; + trigger_error($message); } -- cgit v1.2.1 From e168cd2793e975e12e9f13d916d99816571359bb Mon Sep 17 00:00:00 2001 From: Meik Sievertsen Date: Tue, 10 Oct 2006 13:59:02 +0000 Subject: ok, i do not why the db is setting the type for user id to string - but with this change bots should no longer "spawn" sessions. ;) git-svn-id: file:///svn/phpbb/trunk@6475 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/session.php | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'phpBB/includes/session.php') diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php index 0489bdba38..09a52feb1f 100644 --- a/phpBB/includes/session.php +++ b/phpBB/includes/session.php @@ -430,6 +430,9 @@ class session $this->data['session_last_visit'] = $this->time_now; } + // Force user id to be integer... + $this->data['user_id'] = (int) $this->data['user_id']; + // At this stage we should have a filled data array, defined cookie u and k data. // data array should contain recent session info if we're a real user and a recent // session exists in which case session_id will also be set @@ -445,7 +448,7 @@ class session $this->data['is_bot'] = ($bot) ? true : false; // If our friend is a bot, we re-assign a previously assigned session - if ($this->data['is_bot'] && $bot === $this->data['user_id'] && $this->data['session_id']) + if ($this->data['is_bot'] && $bot == $this->data['user_id'] && $this->data['session_id']) { // Only assign the current session if the ip and browser match... $s_ip = implode('.', array_slice(explode('.', $this->data['session_ip']), 0, $config['ip_check'])); -- cgit v1.2.1 From 23ef85fa74c07093a9f7de6879fabebc0aeed18f Mon Sep 17 00:00:00 2001 
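Review bot: `$user->lang[...]` is used inside a method that never declares `$user` as a global, so the variable is undefined here (notice) and the appended trigger text comes out empty; the preceding lines already use `$this->lang[$message]` and `$this->lang['BOARD_BAN_REASON']`, so this should be `$this->lang['BAN_TRIGGERED_BY_' . strtoupper($ban_triggered_by)]` as well. The tail of `check_ban()` shown here also passes the raw `$ban_row['ban_give_reason']` into the message; whether that value is escaped on storage is not visible on this page and is worth confirming before it reaches `trigger_error()`. `check_ban()` begins before this hunk.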
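Review bot: Loosening `===` to `==` is the wrong side to change: the `(int)` cast added at `@@ -430` already makes `$this->data['user_id']` an integer, so the remaining string operand is `$bot`, which is assigned before this hunk (from the cached bot list, by the look of the last commit on this page); casting `$bot` where it is assigned and keeping `$bot === $this->data['user_id']` avoids PHP's numeric-string loose comparison. Casting `$this->data['user_id']` before anything checks that the row exists also turns a failed fetch (`false`) into `user_id = 0`, which downstream code may treat as a real id — if the lookup can come back empty, handle that case before the cast. `session_create()` begins before these hunks.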
From: Meik Sievertsen Date: Thu, 12 Oct 2006 15:20:33 +0000 Subject: some test code, hopefully working for all occassions where we are using the functions... git-svn-id: file:///svn/phpbb/trunk@6487 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/session.php | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'phpBB/includes/session.php') diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php index 09a52feb1f..079d7b9f07 100644 --- a/phpBB/includes/session.php +++ b/phpBB/includes/session.php @@ -64,7 +64,8 @@ class session $query_string = trim(implode('&', $args)); // basenamed page name (for example: index.php) - $page_name = htmlspecialchars(basename($script_name)); + $page_name = basename($script_name); + $page_name = urlencode(htmlspecialchars($page_name)); // current directory within the phpBB root (for example: adm) $root_dirs = explode('/', str_replace('\\', '/', phpbb_realpath($root_path))); @@ -112,6 +113,11 @@ class session 'page' => $page ); + if (!file_exists($page_name)) + { + trigger_error('You are on a page that does not exist!', E_USER_ERROR); + } + return $page_array; } -- cgit v1.2.1 From f373eba5a49982506653f391c10873b03ad6a748 Mon Sep 17 00:00:00 2001 From: Meik Sievertsen Date: Thu, 12 Oct 2006 15:33:24 +0000 Subject: comment out for the moment - it may be not fair to disallow "virtual" urls. :) git-svn-id: file:///svn/phpbb/trunk@6488 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/session.php | 2 ++ 1 file changed, 2 insertions(+) (limited to 'phpBB/includes/session.php') diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php index 079d7b9f07..40ed6b98ae 100644 --- a/phpBB/includes/session.php +++ b/phpBB/includes/session.php @@ -113,10 +113,12 @@ class session 'page' => $page ); +/* if (!file_exists($page_name)) { trigger_error('You are on a page that does not exist!', E_USER_ERROR); } +*/ return $page_array; } -- cgit v1.2.1 
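Review bot: `urlencode(htmlspecialchars($page_name))` encodes for two contexts at once and is correct for neither: a name containing `&` becomes `%26amp%3B`, so `$this->page['page_name']` no longer equals the on-disk basename, and comparisons such as `$this->page['page_name'] != "ucp.$phpEx"` elsewhere in this file only keep working because plain names contain no special characters. Store the raw `basename()` result and escape at the point of use (`htmlspecialchars` into HTML, `urlencode` into a URL), or add a comment naming the consumer that needs the double encoding. The `file_exists($page_name)` check added and then commented out on this line resolves relative to the working directory rather than `$root_path`, so even if re-enabled it would test the wrong file; the enclosing method begins before this hunk.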
From cd3eaf0e178a5b1cc9e45f8df2d1648e63a965c2 Mon Sep 17 00:00:00 2001 From: Meik Sievertsen Date: Thu, 26 Oct 2006 10:58:58 +0000 Subject: some bugfixes git-svn-id: file:///svn/phpbb/trunk@6527 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/session.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'phpBB/includes/session.php') diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php index 40ed6b98ae..1ac5d8fde7 100644 --- a/phpBB/includes/session.php +++ b/phpBB/includes/session.php @@ -690,7 +690,7 @@ class session $del_user_id = array(); $del_sessions = 0; - while ($row = $db->sql_fetchrow($result)); + while ($row = $db->sql_fetchrow($result)) { $sql = 'UPDATE ' . USERS_TABLE . ' SET user_lastvisit = ' . (int) $row['recent_time'] . ", user_lastpage = '" . $db->sql_escape($row['session_page']) . "' -- cgit v1.2.1 From 8b90d5998b944c055c24fd0d17dba25e2de9860c Mon Sep 17 00:00:00 2001 From: David M Date: Sat, 4 Nov 2006 16:30:51 +0000 Subject: #5094 git-svn-id: file:///svn/phpbb/trunk@6551 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/session.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'phpBB/includes/session.php') diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php index 1ac5d8fde7..6a8d3142d8 100644 --- a/phpBB/includes/session.php +++ b/phpBB/includes/session.php @@ -849,7 +849,7 @@ class session $message = sprintf($this->lang[$message], $till_date, '', ''); $message .= ($ban_row['ban_give_reason']) ? '

' . sprintf($this->lang['BOARD_BAN_REASON'], $ban_row['ban_give_reason']) : ''; - $message .= '

' . $user->lang['BAN_TRIGGERED_BY_' . strtoupper($ban_triggered_by)] . ''; + $message .= '

' . $this->lang['BAN_TRIGGERED_BY_' . strtoupper($ban_triggered_by)] . ''; trigger_error($message); } -- cgit v1.2.1 From d89f60f182afa07e28d4e58f59b90dd25555e3a6 Mon Sep 17 00:00:00 2001 From: Meik Sievertsen Date: Sun, 12 Nov 2006 15:35:43 +0000 Subject: consistant obtain_* functions git-svn-id: file:///svn/phpbb/trunk@6572 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/session.php | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'phpBB/includes/session.php') diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php index 6a8d3142d8..b69bcc5f44 100644 --- a/phpBB/includes/session.php +++ b/phpBB/includes/session.php @@ -324,8 +324,7 @@ class session * bot, act accordingly */ $bot = false; - $active_bots = array(); - $cache->obtain_bots($active_bots); + $active_bots = $cache->obtain_bots(); foreach ($active_bots as $row) { -- cgit v1.2.1