diff --git a/application/Updater.php b/application/Updater.php index 31630ff5..db2144fe 100644 --- a/application/Updater.php +++ b/application/Updater.php @@ -191,6 +191,29 @@ public function updateMethodConfigToJson() return false; } } + + /** + * Escape settings which have been manually escaped in every request in previous versions: + * - general.title + * - general.header_link + * - extras.redirector + * + * @return bool true if the update is successful, false otherwise. + */ + public function escapeUnescapedConfig() + { + $conf = ConfigManager::getInstance(); + try { + $conf->set('general.title', escape($conf->get('general.title'))); + $conf->set('general.header_link', escape($conf->get('general.header_link'))); + $conf->set('extras.redirector', escape($conf->get('extras.redirector'))); + $conf->write($this->isLoggedIn); + } catch (Exception $e) { + error_log($e->getMessage()); + return false; + } + return true; + } } /** diff --git a/application/config/ConfigManager.php b/application/config/ConfigManager.php index a663a071..c0482cf3 100644 --- a/application/config/ConfigManager.php +++ b/application/config/ConfigManager.php @@ -9,6 +9,9 @@ * Class ConfigManager * * Singleton, manages all Shaarli's settings. + * See the documentation for more information on settings: + * - doc/Shaarli-configuration.html + * - https://github.com/shaarli/Shaarli/wiki/Shaarli-configuration */ class ConfigManager { 
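Review bot: escapeUnescapedConfig() is not idempotent — each call runs `escape()` over whatever is already stored, so if any of the three settings was persisted in escaped form (a `$conf->write()` that ran after the per-request escaping this commit removes from index.php would have done exactly that), or if the update is ever re-applied, `&` becomes `&amp;amp;`. Assuming `escape()` wraps htmlspecialchars(), normalise before re-encoding, e.g. `$conf->set('general.title', escape(htmlspecialchars_decode($conf->get('general.title'))));` for each of the three keys, or have escape() pass `false` as the `$double_encode` argument of htmlspecialchars(). The docblock should also say that on failure the method logs and returns false, so a write refused for a not-logged-in request (`$conf->write($this->isLoggedIn)`) leaves the settings unescaped until a later run — confirm what write() does with that flag.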
@@ -286,81 +289,40 @@ protected static function setConfig($settings, $value, &$conf) */ protected function setDefaultValues() { - // Data subdirectory $this->setEmpty('path.data_dir', 'data'); - - // Main configuration file $this->setEmpty('path.config', 'data/config.php'); - - // Link datastore $this->setEmpty('path.datastore', 'data/datastore.php'); - - // Banned IPs $this->setEmpty('path.ban_file', 'data/ipbans.php'); - - // Processed updates file. $this->setEmpty('path.updates', 'data/updates.txt'); - - // Access log $this->setEmpty('path.log', 'data/log.txt'); - - // For updates check of Shaarli $this->setEmpty('path.update_check', 'data/lastupdatecheck.txt'); - - // Set ENABLE_UPDATECHECK to disabled by default. - $this->setEmpty('general.check_updates', false); - - // RainTPL cache directory (keep the trailing slash!) - $this->setEmpty('path.raintpl_tmp', 'tmp/'); - // Raintpl template directory (keep the trailing slash!) $this->setEmpty('path.raintpl_tpl', 'tpl/'); - - // Thumbnail cache directory + $this->setEmpty('path.raintpl_tmp', 'tmp/'); $this->setEmpty('path.thumbnails_cache', 'cache'); - - // Atom & RSS feed cache directory $this->setEmpty('path.page_cache', 'pagecache'); - // Ban IP after this many failures $this->setEmpty('security.ban_after', 4); - // Ban duration for IP address after login failures (in seconds) $this->setEmpty('security.ban_after', 1800); + $this->setEmpty('security.session_protection_disabled', false); - // Feed options - // Enable RSS permalinks by default. - // This corresponds to the default behavior of shaarli before this was added as an option. 
+ $this->setEmpty('general.check_updates', false); $this->setEmpty('general.rss_permalinks', true); - // If true, an extra "ATOM feed" button will be displayed in the toolbar - $this->setEmpty('extras.show_atom', false); - - // Link display options - $this->setEmpty('extras.hide_public_links', false); - $this->setEmpty('extras.hide_timestamps', false); $this->setEmpty('general.links_per_page', 20); - - // Private checkbox is checked by default $this->setEmpty('general.default_private_links', false); - - // Open Shaarli (true): anyone can add/edit/delete links without having to login - $this->setEmpty('extras.open_shaarli', false); - - // Thumbnails - // Display thumbnails in links $this->setEmpty('general.enable_thumbnails', true); - // Store thumbnails in a local cache $this->setEmpty('general.enable_localcache', true); - - // Update check frequency for Shaarli. 86400 seconds=24 hours $this->setEmpty('general.check_updates_branch', 'stable'); $this->setEmpty('general.check_updates_interval', 86400); + $this->setEmpty('general.header_link', '?'); + $this->setEmpty('general.enabled_plugins', array('qrcode')); + $this->setEmpty('extras.show_atom', false); + $this->setEmpty('extras.hide_public_links', false); + $this->setEmpty('extras.hide_timestamps', false); + $this->setEmpty('extras.open_shaarli', false); $this->setEmpty('extras.redirector', ''); $this->setEmpty('extras.redirector_encode_url', true); - // Enabled plugins. - $this->setEmpty('general.enabled_plugins', array('qrcode')); - - // Initialize plugin parameters array. $this->setEmpty('plugins', array()); } @@ -370,7 +332,7 @@ protected function setDefaultValues() * @param string $key Setting key. * @param mixed $value Setting value. */ - protected function setEmpty($key, $value) + public function setEmpty($key, $value) { if (! $this->exists($key)) { $this->set($key, $value); diff --git a/index.php b/index.php index 9546ee15..ac4a680d 100644 --- a/index.php +++ b/index.php 
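Review bot: `security.ban_after` is set twice on the new side (`$this->setEmpty('security.ban_after', 4);` followed by `$this->setEmpty('security.ban_after', 1800);`); because setEmpty() only writes when the key is missing, the second call is a dead no-op, and the comment this hunk deletes ("Ban duration for IP address after login failures (in seconds)") was the only hint that 1800 belongs to a different key — presumably the duration setting the lockout code reads (`security.ban_duration` is a guess; confirm against that code). Fix the key rather than just restoring the comment, otherwise the ban-duration default never applies. The per-key comments dropped here carried constraints the new docblock link cannot convey — "keep the trailing slash!" on `path.raintpl_tpl` and `path.raintpl_tmp` in particular — so keep a one-line comment on those two keys.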
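Review bot: setEmpty() becomes public API (index.php now calls it for `general.timezone` and `general.title`) but the docblock visible in the context lines still only lists the parameters; state the contract callers now rely on, e.g. `Set $value for $key only if the key is not defined yet; an existing value is never overwritten, and like set() this does not persist anything by itself (write() does).` The persistence part is inferred from Updater pairing set() with write() — confirm against the implementation. The method body continues outside the hunk.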
@@ -106,7 +106,8 @@ } $conf = ConfigManager::getInstance(); - +$conf->setEmpty('general.timezone', date_default_timezone_get()); +$conf->setEmpty('general.title', 'Shared links on '. escape(index_url($_SERVER))); RainTPL::$tpl_dir = $conf->get('path.raintpl_tpl'); // template directory RainTPL::$cache_dir = $conf->get('path.raintpl_tmp'); // cache directory @@ -132,23 +133,6 @@ function stripslashes_deep($value) { $value = is_array($value) ? array_map('stri header("Cache-Control: post-check=0, pre-check=0", false); header("Pragma: no-cache"); -// Handling of old config file which do not have the new parameters. -if (! $conf->exists('general.title')) { - $conf->set('general.title', 'Shared links on '. escape(index_url($_SERVER))); -} -if (! $conf->exists('general.timezone')) { - $conf->set('general.timezone', date_default_timezone_get()); -} -if (! $conf->exists('security.session_protection_disabled')) { - $conf->set('security.session_protection_disabled', false); -} -if (! $conf->exists('general.default_private_links')) { - $conf->set('general.default_private_links', false); -} -if (! $conf->exists('general.header_link')) { - $conf->set('general.header_link', '?'); -} - if (! is_file($conf->getConfigFile())) { // Ensure Shaarli has proper access to its resources $errors = ApplicationUtils::checkResourcePermissions(); @@ -170,11 +154,6 @@ function stripslashes_deep($value) { $value = is_array($value) ? array_map('stri install(); } -// FIXME! Update these value with Updater and escpae it during the install/config save. -$conf->set('general.title', escape($conf->get('general.title'))); -$conf->set('general.header_link', escape($conf->get('general.header_link'))); -$conf->set('extras.redirector', escape($conf->get('extras.redirector'))); - // a token depending of deployment salt, user password, and the current ip define('STAY_SIGNED_IN_TOKEN', sha1($conf->get('credentials.hash') . $_SERVER['REMOTE_ADDR'] . $conf->get('credentials.salt'))); 
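Review bot: the default-title expression `'Shared links on '. escape(index_url($_SERVER))` now lives here and again in install() (hunk `@@ -1951`), differing only in spacing; a single helper or constant would keep the two from drifting. Since setEmpty() is a no-op once the key exists, the `escape(index_url($_SERVER))` call is evaluated on every request only to be discarded — cheap, but a comment such as `// lazy defaults for config files written before these keys existed` would explain why these two lines sit here rather than in ConfigManager::setDefaultValues().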
@@ -1101,9 +1080,9 @@ function renderPage() $tz = $_POST['continent'] . '/' . $_POST['city']; } $conf->set('general.timezone', $tz); - $conf->set('general.title', $_POST['title']); - $conf->set('general.header_link', $_POST['titleLink']); - $conf->set('extras.redirector', $_POST['redirector']); + $conf->set('general.title', escape($_POST['title'])); + $conf->set('general.header_link', escape($_POST['titleLink'])); + $conf->set('extras.redirector', escape($_POST['redirector'])); $conf->set('security.session_protection_disabled', !empty($_POST['disablesessionprotection'])); $conf->set('general.default_private_links', !empty($_POST['privateLinkByDefault'])); $conf->set('general.rss_permalinks', !empty($_POST['enableRssPermalinks'])); @@ -1951,7 +1930,7 @@ function install() $conf->set('credentials.salt', $salt); $conf->set('credentials.hash', sha1($_POST['setpassword'] . $login . $salt)); if (!empty($_POST['title'])) { - $conf->set('general.title', $_POST['title']); + $conf->set('general.title', escape($_POST['title'])); } else { $conf->set('general.title', 'Shared links on '.escape(index_url($_SERVER))); }
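Review bot: the configure handler now stores HTML-escaped values (`escape($_POST['title'])`, likewise for `titleLink` and `redirector`), so from this commit on the persisted setting is already output-encoded and no reader may escape it again — any template or code path that applies `escape()` on output will emit `&amp;amp;`; the same holds for install() in hunk `@@ -1951`. `extras.redirector` is a URL prefix rather than display text: storing it HTML-escaped turns `&` into `&amp;`, which is only correct if the value is exclusively emitted inside HTML (inferred from `extras.redirector_encode_url` — confirm); if it is ever used in a Location header or plain-text context it will break there. Consider validating it as an http(s) URL at this point, e.g. `filter_var($_POST['redirector'], FILTER_VALIDATE_URL)`, instead of or in addition to escaping, and add `// Stored already escaped: do not re-escape on output.` above these three lines. renderPage() starts and ends outside this hunk.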
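Review bot: `if (!empty($_POST['title']))` treats the string `'0'` as absent, so a site titled "0" silently falls back to the default; the explicit check `if (isset($_POST['title']) && $_POST['title'] !== '')` preserves the intent. The escape() added here and the `escape(...)` already present in the else branch mean both branches now store an encoded value, which is worth a short comment since the surrounding install() code (outside this hunk) cannot tell the two apart. install() starts and ends outside the hunk.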