X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=index.php;h=c94675a59ae65a887fe181c1350f714555d3e8d4;hb=578dc6f9672ca81a21ff70363cb16fb7cd0aca7c;hp=d3310ba1aad256026e07f9b6b3f47a32d8dce15a;hpb=f173322539fe17eb151550db6f16b0f271e80f2d;p=friendica.git diff --git a/index.php b/index.php index d3310ba1aa..c94675a59a 100644 --- a/index.php +++ b/index.php @@ -13,12 +13,16 @@ * */ -use \Friendica\Core\Config; +use Friendica\App; +use Friendica\Core\System; +use Friendica\Core\Config; -require_once('boot.php'); -require_once('object/BaseObject.php'); +require_once 'boot.php'; +require_once 'object/BaseObject.php'; -$a = new App; +if (empty($a)) { + $a = new App(__DIR__); +} BaseObject::set_app($a); // We assume that the index.php is called by a frontend process @@ -37,7 +41,7 @@ $install = ((file_exists('.htconfig.php') && filesize('.htconfig.php')) ? false // Only load config if found, don't surpress errors if (!$install) { - include(".htconfig.php"); + include ".htconfig.php"; } /** @@ -46,11 +50,11 @@ if (!$install) { * */ -require_once("include/dba.php"); +require_once "include/dba.php"; if (!$install) { - $db = new dba($db_host, $db_user, $db_pass, $db_data, $install); - unset($db_host, $db_user, $db_pass, $db_data); + dba::connect($db_host, $db_user, $db_pass, $db_data, $install); + unset($db_host, $db_user, $db_pass, $db_data); /** * Load configs from db. Overwrite configs from .htconfig.php @@ -58,22 +62,22 @@ if (!$install) { Config::load(); - if ($a->max_processes_reached() OR $a->maxload_reached()) { - header($_SERVER["SERVER_PROTOCOL"].' 503 Service Temporarily Unavailable'); + if ($a->max_processes_reached() || $a->maxload_reached()) { + header($_SERVER["SERVER_PROTOCOL"] . ' 503 Service Temporarily Unavailable'); header('Retry-After: 120'); - header('Refresh: 120; url='.App::get_baseurl()."/".$a->query_string); + header('Refresh: 120; url=' . System::baseUrl() . "/" . $a->query_string); die("System is currently unavailable. Please try again later"); } - if (get_config('system','force_ssl') AND ($a->get_scheme() == "http") AND - (intval(get_config('system','ssl_policy')) == SSL_POLICY_FULL) AND - (substr(App::get_baseurl(), 0, 8) == "https://")) { + if (get_config('system', 'force_ssl') && ($a->get_scheme() == "http") && + (intval(get_config('system', 'ssl_policy')) == SSL_POLICY_FULL) && + (substr(System::baseUrl(), 0, 8) == "https://")) { header("HTTP/1.1 302 Moved Temporarily"); - header("Location: ".App::get_baseurl()."/".$a->query_string); + header("Location: " . System::baseUrl() . "/" . $a->query_string); exit(); } - require_once("include/session.php"); + require_once 'include/session.php'; load_hooks(); call_hooks('init_1'); @@ -112,9 +116,11 @@ if (!$a->is_backend()) { */ if (x($_SESSION,'authenticated') && !x($_SESSION,'language')) { // we didn't loaded user data yet, but we need user language - $r = q("SELECT language FROM user WHERE uid=%d", intval($_SESSION['uid'])); + $r = dba::select('user', array('language'), array('uid' => $_SESSION['uid']), array('limit' => 1)); $_SESSION['language'] = $lang; - if (dbm::is_result($r)) $_SESSION['language'] = $r[0]['language']; + if (dbm::is_result($r)) { + $_SESSION['language'] = $r['language']; + } } if ((x($_SESSION,'language')) && ($_SESSION['language'] !== $lang)) { @@ -125,7 +131,7 @@ if ((x($_SESSION,'language')) && ($_SESSION['language'] !== $lang)) { if ((x($_GET,'zrl')) && (!$install && !$maintenance)) { // Only continue when the given profile link seems valid // Valid profile links contain a path with "/profile/" and no query parameters - if ((parse_url($_GET['zrl'], PHP_URL_QUERY) == "") AND + if ((parse_url($_GET['zrl'], PHP_URL_QUERY) == "") && strstr(parse_url($_GET['zrl'], PHP_URL_PATH), "/profile/")) { $_SESSION['my_url'] = $_GET['zrl']; $a->query_string = preg_replace('/[\?&]zrl=(.*?)([\?&]|$)/is','',$a->query_string); @@ -151,7 +157,7 @@ if ((x($_GET,'zrl')) && (!$install && !$maintenance)) { * */ -// header('Link: <' . App::get_baseurl() . '/amcd>; rel="acct-mgmt";'); +// header('Link: <' . System::baseUrl() . '/amcd>; rel="acct-mgmt";'); if (x($_COOKIE["Friendica"]) || (x($_SESSION,'authenticated')) || (x($_POST,'auth-params')) || ($a->module === 'login')) { require("include/auth.php"); @@ -174,6 +180,10 @@ if (! x($_SESSION,'sysmsg_info')) { $_SESSION['sysmsg_info'] = array(); } +// Array for informations about last received items +if (! x($_SESSION,'last_updated')) { + $_SESSION['last_updated'] = array(); +} /* * check_config() is responsible for running update scripts. These automatically * update the DB schema whenever we push a new one out. It also checks to see if @@ -188,7 +198,7 @@ if ($install && $a->module!="view") { $a->module = 'maintenance'; } else { check_url($a); - check_db(); + check_db(false); check_plugins($a); } @@ -238,7 +248,7 @@ if (strlen($a->module)) { } // Compatibility with the Firefox App - if (($a->module == "users") AND ($a->cmd == "users/sign_in")) { + if (($a->module == "users") && ($a->cmd == "users/sign_in")) { $a->module = "login"; } @@ -287,7 +297,7 @@ if (strlen($a->module)) { if ((x($_SERVER,'QUERY_STRING')) && ($_SERVER['QUERY_STRING'] === 'q=internal_error.html') && isset($dreamhost_error_hack)) { logger('index.php: dreamhost_error_hack invoked. Original URI =' . $_SERVER['REQUEST_URI']); - goaway(App::get_baseurl() . $_SERVER['REQUEST_URI']); + goaway(System::baseUrl() . $_SERVER['REQUEST_URI']); } logger('index.php: page not found: ' . $_SERVER['REQUEST_URI'] . ' ADDRESS: ' . $_SERVER['REMOTE_ADDR'] . ' QUERY: ' . $_SERVER['QUERY_STRING'], LOGGER_DEBUG); @@ -336,13 +346,6 @@ if ($a->module_loaded) { $func = str_replace('-','_',current_theme()) . '_init'; $func($a); } -// elseif (x($a->theme_info,"extends") && file_exists("view/theme/".$a->theme_info["extends"]."/theme.php")) { -// require_once("view/theme/".$a->theme_info["extends"]."/theme.php"); -// if (function_exists(str_replace('-','_',$a->theme_info["extends"]) . '_init')) { -// $func = str_replace('-','_',$a->theme_info["extends"]) . '_init'; -// $func($a); -// } -// } if (($_SERVER['REQUEST_METHOD'] === 'POST') && (! $a->error) && (function_exists($a->module . '_post')) @@ -376,25 +379,23 @@ if ($a->module_loaded) { /* * Create the page head after setting the language - * and getting any auth credentials + * and getting any auth credentials. * * Moved init_pagehead() and init_page_end() to after * all the module functions have executed so that all - * theme choices made by the modules can take effect + * theme choices made by the modules can take effect. */ $a->init_pagehead(); -/** +/* * Build the page ending -- this is stuff that goes right before * the closing tag */ - $a->init_page_end(); // If you're just visiting, let javascript take you home - -if (x($_SESSION,'visitor_home')) { +if (x($_SESSION, 'visitor_home')) { $homebase = $_SESSION['visitor_home']; } elseif (local_user()) { $homebase = 'profile/' . $a->user['nickname']; @@ -404,51 +405,29 @@ if (isset($homebase)) { $a->page['content'] .= ''; } -// now that we've been through the module content, see if the page reported -// a permission problem and if so, a 403 response would seem to be in order. - -if (stristr( implode("",$_SESSION['sysmsg']), t('Permission denied'))) { +/* + * now that we've been through the module content, see if the page reported + * a permission problem and if so, a 403 response would seem to be in order. + */ +if (stristr(implode("", $_SESSION['sysmsg']), t('Permission denied'))) { header($_SERVER["SERVER_PROTOCOL"] . ' 403 ' . t('Permission denied.')); } -/** - * +/* * Report anything which needs to be communicated in the notification area (before the main body) - * */ - -/*if (x($_SESSION,'sysmsg')) { - $a->page['content'] = "
{$_SESSION['sysmsg']}
\r\n" - . ((x($a->page,'content')) ? $a->page['content'] : ''); - $_SESSION['sysmsg']=""; - unset($_SESSION['sysmsg']); -} -if (x($_SESSION,'sysmsg_info')) { - $a->page['content'] = "
{$_SESSION['sysmsg_info']}
\r\n" - . ((x($a->page,'content')) ? $a->page['content'] : ''); - $_SESSION['sysmsg_info']=""; - unset($_SESSION['sysmsg_info']); -}*/ - - - call_hooks('page_end', $a->page['content']); - -/** - * +/* * Add the navigation (menu) template - * */ - if ($a->module != 'install' && $a->module != 'maintenance') { nav($a); } -/** +/* * Add a "toggle mobile" link if we're using a mobile device */ - if ($a->is_mobile || $a->is_tablet) { if (isset($_SESSION['show-mobile']) && !$_SESSION['show-mobile']) { $link = 'toggle_mobile?address=' . curPageURL(); @@ -474,7 +453,7 @@ if (!$a->theme['stylesheet']) { $a->page['htmlhead'] = str_replace('{{$stylesheet}}',$stylesheet,$a->page['htmlhead']); //$a->page['htmlhead'] = replace_macros($a->page['htmlhead'], array('$stylesheet' => $stylesheet)); -if (isset($_GET["mode"]) AND (($_GET["mode"] == "raw") OR ($_GET["mode"] == "minimal"))) { +if (isset($_GET["mode"]) && (($_GET["mode"] == "raw") || ($_GET["mode"] == "minimal"))) { $doc = new DOMDocument(); $target = new DOMDocument(); @@ -482,6 +461,7 @@ if (isset($_GET["mode"]) AND (($_GET["mode"] == "raw") OR ($_GET["mode"] == "min $content = mb_convert_encoding($a->page["content"], 'HTML-ENTITIES', "UTF-8"); + /// @TODO one day, kill those error-surpressing @ stuff, or PHP should ban it @$doc->loadHTML($content); $xpath = new DomXPath($doc); @@ -489,7 +469,6 @@ if (isset($_GET["mode"]) AND (($_GET["mode"] == "raw") OR ($_GET["mode"] == "min $list = $xpath->query("//*[contains(@id,'tread-wrapper-')]"); /* */ foreach ($list as $item) { - $item = $target->importNode($item, true); // And then append it to the target @@ -497,39 +476,49 @@ if (isset($_GET["mode"]) AND (($_GET["mode"] == "raw") OR ($_GET["mode"] == "min } } -if (isset($_GET["mode"]) AND ($_GET["mode"] == "raw")) { +if (isset($_GET["mode"]) && ($_GET["mode"] == "raw")) { header("Content-type: text/html; charset=utf-8"); echo substr($target->saveHTML(), 6, -8); - if (!$a->is_backend()) { - session_write_close(); - } - exit; - + killme(); } $page = $a->page; $profile = $a->profile; -header("X-Friendica-Version: ".FRIENDICA_VERSION); +header("X-Friendica-Version: " . FRIENDICA_VERSION); header("Content-type: text/html; charset=utf-8"); -// We use $_GET["mode"] for special page templates. So we will check if we have -// to load another page template than the default one -// The page templates are located in /view/php/ or in the theme directory +if (Config::get('system', 'hsts') && (Config::get('system', 'ssl_policy') == SSL_POLICY_FULL)) { + header("Strict-Transport-Security: max-age=31536000"); +} + +// Some security stuff +header('X-Content-Type-Options: nosniff'); +header('X-XSS-Protection: 1; mode=block'); +header('X-Permitted-Cross-Domain-Policies: none'); +header('X-Frame-Options: sameorigin'); + +// Things like embedded OSM maps don't work, when this is enabled +// header("Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; img-src 'self' https: data:; media-src 'self' https:; child-src 'self' https:; object-src 'none'"); + +/* + * We use $_GET["mode"] for special page templates. So we will check if we have + * to load another page template than the default one. + * The page templates are located in /view/php/ or in the theme directory. + */ if (isset($_GET["mode"])) { - $template = theme_include($_GET["mode"].'.php'); + $template = theme_include($_GET["mode"] . '.php'); } // If there is no page template use the default page template -if (!$template) { +if (empty($template)) { $template = theme_include("default.php"); } -require_once($template); +/// @TODO Looks unsafe (remote-inclusion), is maybe not but theme_include() uses file_exists() but does not escape anything +require_once $template; -if (!$a->is_backend()) - session_write_close(); -exit; +killme();