Knah-Tsaeb/MyShaarli
Knah-Tsaeb/MyShaarli
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Merge pull request #946 from thewilli/clean

Browse source 
small code cleanup
This commit is contained in:
VirtualTam 2017-08-27 13:10:05 +02:00 committed by GitHub
commit 5941c4216d
2 changed files with 42 additions and 53 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
doc/md/Security.md
View file

@ -1,9 +1,6 @@
## Client browser ## Client browser
- Shaarli relies on `HTTP_REFERER` for some functions (like redirects and clicking on tags). If you have disabled or masqueraded `HTTP_REFERER` in your browser, some features of Shaarli may not work - Shaarli relies on `HTTP_REFERER` for some functions (like redirects and clicking on tags). If you have disabled or masqueraded `HTTP_REFERER` in your browser, some features of Shaarli may not work
## PHP
- `magic_quotes` is an horrible option of PHP which is often activated on servers. No serious developer should rely on this horror to secure their code against SQL injections. You should disable it (and Shaarli expects this option to be disabled). Nevertheless, I have added code to cope with `magic_quotes` on, so you should not be bothered even on crappy hosts.
## Server and sessions ## Server and sessions
- Directories are protected using `.htaccess` files - Directories are protected using `.htaccess` files
- Forms are protected against XSRF (Cross-site requests forgery): - Forms are protected against XSRF (Cross-site requests forgery):

14
index.php
View file

@ -133,15 +133,6 @@
ob_start(); // Output buffering for the page cache. ob_start(); // Output buffering for the page cache.
// In case stupid admin has left magic_quotes enabled in php.ini:
if (get_magic_quotes_gpc())
{
function stripslashes_deep($value) { $value = is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value); return $value; }
$_POST = array_map('stripslashes_deep', $_POST);
$_GET = array_map('stripslashes_deep', $_GET);
$_COOKIE = array_map('stripslashes_deep', $_COOKIE);
}
// Prevent caching on client side or proxy: (yes, it's ugly) // Prevent caching on client side or proxy: (yes, it's ugly)
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT"); header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
header("Cache-Control: no-store, no-cache, must-revalidate"); header("Cache-Control: no-store, no-cache, must-revalidate");
@ -394,9 +385,10 @@ function ban_canLogin($conf)
// If user wants to keep the session cookie even after the browser closes: // If user wants to keep the session cookie even after the browser closes:
if (!empty($_POST['longlastingsession'])) if (!empty($_POST['longlastingsession']))
{ {
setcookie('shaarli_staySignedIn', STAY_SIGNED_IN_TOKEN, time()+31536000, WEB_PATH);
$_SESSION['longlastingsession'] = 31536000; // (31536000 seconds = 1 year) $_SESSION['longlastingsession'] = 31536000; // (31536000 seconds = 1 year)
$_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // Set session expiration on server-side. $expiration = time() + $_SESSION['longlastingsession']; // calculate relative cookie expiration (1 year from now)
setcookie('shaarli_staySignedIn', STAY_SIGNED_IN_TOKEN, $expiration, WEB_PATH);
$_SESSION['expires_on'] = $expiration; // Set session expiration on server-side.
$cookiedir = ''; if(dirname($_SERVER['SCRIPT_NAME'])!='/') $cookiedir=dirname($_SERVER["SCRIPT_NAME"]).'/'; $cookiedir = ''; if(dirname($_SERVER['SCRIPT_NAME'])!='/') $cookiedir=dirname($_SERVER["SCRIPT_NAME"]).'/';
session_set_cookie_params($_SESSION['longlastingsession'],$cookiedir,$_SERVER['SERVER_NAME']); // Set session cookie expiration on client side session_set_cookie_params($_SESSION['longlastingsession'],$cookiedir,$_SERVER['SERVER_NAME']); // Set session cookie expiration on client side