From 7f179985b497053c59338667fe49c390aa626ab7 Mon Sep 17 00:00:00 2001
From: ArthurHoaro <arthur@hoa.ro>
Date: Mon, 30 May 2016 20:15:36 +0200
Subject: [PATCH] Remove remaining settings initialization in index.php

Except for those which require external data (timezone and $_SERVER).
---
 application/Updater.php              | 23 ++++++++++
 application/config/ConfigManager.php | 64 ++++++----------------------
 index.php                            | 33 +++-----------
 3 files changed, 42 insertions(+), 78 deletions(-)

diff --git a/application/Updater.php b/application/Updater.php
index 31630ff..db2144f 100644
--- a/application/Updater.php
+++ b/application/Updater.php
@@ -191,6 +191,29 @@ class Updater
             return false;
         }
     }
+
+    /**
+     * Escape settings which have been manually escaped in every request in previous versions:
+     *   - general.title
+     *   - general.header_link
+     *   - extras.redirector
+     *
+     * @return bool true if the update is successful, false otherwise.
+     */
+    public function escapeUnescapedConfig()
+    {
+        $conf = ConfigManager::getInstance();
+        try {
+            $conf->set('general.title', escape($conf->get('general.title')));
+            $conf->set('general.header_link', escape($conf->get('general.header_link')));
+            $conf->set('extras.redirector', escape($conf->get('extras.redirector')));
+            $conf->write($this->isLoggedIn);
+        } catch (Exception $e) {
+            error_log($e->getMessage());
+            return false;
+        }
+        return true;
+    }
 }
 
 /**
diff --git a/application/config/ConfigManager.php b/application/config/ConfigManager.php
index a663a07..c0482cf 100644
--- a/application/config/ConfigManager.php
+++ b/application/config/ConfigManager.php
@@ -9,6 +9,9 @@ require_once 'ConfigJson.php';
  * Class ConfigManager
  *
  * Singleton, manages all Shaarli's settings.
+ * See the documentation for more information on settings:
+ *   - doc/Shaarli-configuration.html
+ *   - https://github.com/shaarli/Shaarli/wiki/Shaarli-configuration
  */
 class ConfigManager
 {
@@ -286,81 +289,40 @@ class ConfigManager
      */
     protected function setDefaultValues()
     {
-        // Data subdirectory
         $this->setEmpty('path.data_dir', 'data');
-
-        // Main configuration file
         $this->setEmpty('path.config', 'data/config.php');
-
-        // Link datastore
         $this->setEmpty('path.datastore', 'data/datastore.php');
-
-        // Banned IPs
         $this->setEmpty('path.ban_file', 'data/ipbans.php');
-
-        // Processed updates file.
         $this->setEmpty('path.updates', 'data/updates.txt');
-
-        // Access log
         $this->setEmpty('path.log', 'data/log.txt');
-
-        // For updates check of Shaarli
         $this->setEmpty('path.update_check', 'data/lastupdatecheck.txt');
-
-        // Set ENABLE_UPDATECHECK to disabled by default.
-        $this->setEmpty('general.check_updates', false);
-
-        // RainTPL cache directory (keep the trailing slash!)
-        $this->setEmpty('path.raintpl_tmp', 'tmp/');
-        // Raintpl template directory (keep the trailing slash!)
         $this->setEmpty('path.raintpl_tpl', 'tpl/');
-
-        // Thumbnail cache directory
+        $this->setEmpty('path.raintpl_tmp', 'tmp/');
         $this->setEmpty('path.thumbnails_cache', 'cache');
-
-        // Atom & RSS feed cache directory
         $this->setEmpty('path.page_cache', 'pagecache');
 
-        // Ban IP after this many failures
         $this->setEmpty('security.ban_after', 4);
-        // Ban duration for IP address after login failures (in seconds)
         $this->setEmpty('security.ban_after', 1800);
+        $this->setEmpty('security.session_protection_disabled', false);
 
-        // Feed options
-        // Enable RSS permalinks by default.
-        // This corresponds to the default behavior of shaarli before this was added as an option.
+        $this->setEmpty('general.check_updates', false);
         $this->setEmpty('general.rss_permalinks', true);
-        // If true, an extra "ATOM feed" button will be displayed in the toolbar
-        $this->setEmpty('extras.show_atom', false);
-
-        // Link display options
-        $this->setEmpty('extras.hide_public_links', false);
-        $this->setEmpty('extras.hide_timestamps', false);
         $this->setEmpty('general.links_per_page', 20);
-
-        // Private checkbox is checked by default
         $this->setEmpty('general.default_private_links', false);
-
-        // Open Shaarli (true): anyone can add/edit/delete links without having to login
-        $this->setEmpty('extras.open_shaarli', false);
-
-        // Thumbnails
-        // Display thumbnails in links
         $this->setEmpty('general.enable_thumbnails', true);
-        // Store thumbnails in a local cache
         $this->setEmpty('general.enable_localcache', true);
-
-        // Update check frequency for Shaarli. 86400 seconds=24 hours
         $this->setEmpty('general.check_updates_branch', 'stable');
         $this->setEmpty('general.check_updates_interval', 86400);
+        $this->setEmpty('general.header_link', '?');
+        $this->setEmpty('general.enabled_plugins', array('qrcode'));
 
+        $this->setEmpty('extras.show_atom', false);
+        $this->setEmpty('extras.hide_public_links', false);
+        $this->setEmpty('extras.hide_timestamps', false);
+        $this->setEmpty('extras.open_shaarli', false);
         $this->setEmpty('extras.redirector', '');
         $this->setEmpty('extras.redirector_encode_url', true);
 
-        // Enabled plugins.
-        $this->setEmpty('general.enabled_plugins', array('qrcode'));
-
-        // Initialize plugin parameters array.
         $this->setEmpty('plugins', array());
     }
 
@@ -370,7 +332,7 @@ class ConfigManager
      * @param string $key   Setting key.
      * @param mixed  $value Setting value.
      */
-    protected function setEmpty($key, $value)
+    public function setEmpty($key, $value)
     {
         if (! $this->exists($key)) {
             $this->set($key, $value);
diff --git a/index.php b/index.php
index 9546ee1..ac4a680 100644
--- a/index.php
+++ b/index.php
@@ -106,7 +106,8 @@ if (isset($_COOKIE['shaarli']) && !is_session_id_valid($_COOKIE['shaarli'])) {
 }
 
 $conf = ConfigManager::getInstance();
-
+$conf->setEmpty('general.timezone', date_default_timezone_get());
+$conf->setEmpty('general.title', 'Shared links on '. escape(index_url($_SERVER)));
 RainTPL::$tpl_dir = $conf->get('path.raintpl_tpl'); // template directory
 RainTPL::$cache_dir = $conf->get('path.raintpl_tmp'); // cache directory
 
@@ -132,23 +133,6 @@ header("Cache-Control: no-store, no-cache, must-revalidate");
 header("Cache-Control: post-check=0, pre-check=0", false);
 header("Pragma: no-cache");
 
-// Handling of old config file which do not have the new parameters.
-if (! $conf->exists('general.title')) {
-    $conf->set('general.title', 'Shared links on '. escape(index_url($_SERVER)));
-}
-if (! $conf->exists('general.timezone')) {
-    $conf->set('general.timezone', date_default_timezone_get());
-}
-if (! $conf->exists('security.session_protection_disabled')) {
-    $conf->set('security.session_protection_disabled', false);
-}
-if (! $conf->exists('general.default_private_links')) {
-    $conf->set('general.default_private_links', false);
-}
-if (! $conf->exists('general.header_link')) {
-    $conf->set('general.header_link', '?');
-}
-
 if (! is_file($conf->getConfigFile())) {
     // Ensure Shaarli has proper access to its resources
     $errors = ApplicationUtils::checkResourcePermissions();
@@ -170,11 +154,6 @@ if (! is_file($conf->getConfigFile())) {
     install();
 }
 
-// FIXME! Update these value with Updater and escpae it during the install/config save.
-$conf->set('general.title', escape($conf->get('general.title')));
-$conf->set('general.header_link', escape($conf->get('general.header_link')));
-$conf->set('extras.redirector', escape($conf->get('extras.redirector')));
-
 // a token depending of deployment salt, user password, and the current ip
 define('STAY_SIGNED_IN_TOKEN', sha1($conf->get('credentials.hash') . $_SERVER['REMOTE_ADDR'] . $conf->get('credentials.salt')));
 
@@ -1101,9 +1080,9 @@ function renderPage()
                 $tz = $_POST['continent'] . '/' . $_POST['city'];
             }
             $conf->set('general.timezone', $tz);
-            $conf->set('general.title', $_POST['title']);
-            $conf->set('general.header_link', $_POST['titleLink']);
-            $conf->set('extras.redirector', $_POST['redirector']);
+            $conf->set('general.title', escape($_POST['title']));
+            $conf->set('general.header_link', escape($_POST['titleLink']));
+            $conf->set('extras.redirector', escape($_POST['redirector']));
             $conf->set('security.session_protection_disabled', !empty($_POST['disablesessionprotection']));
             $conf->set('general.default_private_links', !empty($_POST['privateLinkByDefault']));
             $conf->set('general.rss_permalinks', !empty($_POST['enableRssPermalinks']));
@@ -1951,7 +1930,7 @@ function install()
         $conf->set('credentials.salt', $salt);
         $conf->set('credentials.hash', sha1($_POST['setpassword'] . $login . $salt));
         if (!empty($_POST['title'])) {
-            $conf->set('general.title', $_POST['title']);
+            $conf->set('general.title', escape($_POST['title']));
         } else {
             $conf->set('general.title', 'Shared links on '.escape(index_url($_SERVER)));
         }