X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=index.php;h=c94675a59ae65a887fe181c1350f714555d3e8d4;hb=d2dc61c246fcbb896f33f23698426893148b2f65;hp=639437017a09696a445045fbf2e511e8887fc7dc;hpb=fa3fa42d966e00534aa6cbf33d60ef438a8e3b97;p=friendica.git

diff --git a/index.php b/index.php
index 639437017a..c94675a59a 100644
--- a/index.php
+++ b/index.php
@@ -14,12 +14,15 @@
  */
 
 use Friendica\App;
+use Friendica\Core\System;
 use Friendica\Core\Config;
 
 require_once 'boot.php';
 require_once 'object/BaseObject.php';
 
-$a = new App(__DIR__);
+if (empty($a)) {
+	$a = new App(__DIR__);
+}
 BaseObject::set_app($a);
 
 // We assume that the index.php is called by a frontend process
@@ -50,7 +53,7 @@ if (!$install) {
 require_once "include/dba.php";
 
 if (!$install) {
-	$db = new dba($db_host, $db_user, $db_pass, $db_data, $install);
+	dba::connect($db_host, $db_user, $db_pass, $db_data, $install);
 	unset($db_host, $db_user, $db_pass, $db_data);
 
 	/**
@@ -59,18 +62,18 @@ if (!$install) {
 
 	Config::load();
 
-	if ($a->max_processes_reached() OR $a->maxload_reached()) {
+	if ($a->max_processes_reached() || $a->maxload_reached()) {
 		header($_SERVER["SERVER_PROTOCOL"] . ' 503 Service Temporarily Unavailable');
 		header('Retry-After: 120');
-		header('Refresh: 120; url=' . App::get_baseurl() . "/" . $a->query_string);
+		header('Refresh: 120; url=' . System::baseUrl() . "/" . $a->query_string);
 		die("System is currently unavailable. Please try again later");
 	}
 
-	if (get_config('system', 'force_ssl') AND ($a->get_scheme() == "http") AND
-		(intval(get_config('system', 'ssl_policy')) == SSL_POLICY_FULL) AND
-		(substr(App::get_baseurl(), 0, 8) == "https://")) {
+	if (get_config('system', 'force_ssl') && ($a->get_scheme() == "http") &&
+		(intval(get_config('system', 'ssl_policy')) == SSL_POLICY_FULL) &&
+		(substr(System::baseUrl(), 0, 8) == "https://")) {
 		header("HTTP/1.1 302 Moved Temporarily");
-		header("Location: " . App::get_baseurl() . "/" . $a->query_string);
+		header("Location: " . System::baseUrl() . "/" . $a->query_string);
 		exit();
 	}
 
@@ -113,9 +116,11 @@ if (!$a->is_backend()) {
  */
 if (x($_SESSION,'authenticated') && !x($_SESSION,'language')) {
 	// we didn't loaded user data yet, but we need user language
-	$r = q("SELECT language FROM user WHERE uid=%d", intval($_SESSION['uid']));
+	$r = dba::select('user', array('language'), array('uid' => $_SESSION['uid']), array('limit' => 1));
 	$_SESSION['language'] = $lang;
-	if (dbm::is_result($r)) $_SESSION['language'] = $r[0]['language'];
+	if (dbm::is_result($r)) {
+		$_SESSION['language'] = $r['language'];
+	}
 }
 
 if ((x($_SESSION,'language')) && ($_SESSION['language'] !== $lang)) {
@@ -126,7 +131,7 @@ if ((x($_SESSION,'language')) && ($_SESSION['language'] !== $lang)) {
 if ((x($_GET,'zrl')) && (!$install && !$maintenance)) {
 	// Only continue when the given profile link seems valid
 	// Valid profile links contain a path with "/profile/" and no query parameters
-	if ((parse_url($_GET['zrl'], PHP_URL_QUERY) == "") AND
+	if ((parse_url($_GET['zrl'], PHP_URL_QUERY) == "") &&
 		strstr(parse_url($_GET['zrl'], PHP_URL_PATH), "/profile/")) {
 		$_SESSION['my_url'] = $_GET['zrl'];
 		$a->query_string = preg_replace('/[\?&]zrl=(.*?)([\?&]|$)/is','',$a->query_string);
@@ -152,7 +157,7 @@ if ((x($_GET,'zrl')) && (!$install && !$maintenance)) {
  *
  */
 
-// header('Link: <' . App::get_baseurl() . '/amcd>; rel="acct-mgmt";');
+// header('Link: <' . System::baseUrl() . '/amcd>; rel="acct-mgmt";');
 
 if (x($_COOKIE["Friendica"]) || (x($_SESSION,'authenticated')) || (x($_POST,'auth-params')) || ($a->module === 'login')) {
 	require("include/auth.php");
@@ -193,7 +198,7 @@ if ($install && $a->module!="view") {
 	$a->module = 'maintenance';
 } else {
 	check_url($a);
-	check_db();
+	check_db(false);
 	check_plugins($a);
 }
 
@@ -243,7 +248,7 @@ if (strlen($a->module)) {
 	}
 
 	// Compatibility with the Firefox App
-	if (($a->module == "users") AND ($a->cmd == "users/sign_in")) {
+	if (($a->module == "users") && ($a->cmd == "users/sign_in")) {
 		$a->module = "login";
 	}
 
@@ -292,7 +297,7 @@ if (strlen($a->module)) {
 
 		if ((x($_SERVER,'QUERY_STRING')) && ($_SERVER['QUERY_STRING'] === 'q=internal_error.html') && isset($dreamhost_error_hack)) {
 			logger('index.php: dreamhost_error_hack invoked. Original URI =' . $_SERVER['REQUEST_URI']);
-			goaway(App::get_baseurl() . $_SERVER['REQUEST_URI']);
+			goaway(System::baseUrl() . $_SERVER['REQUEST_URI']);
 		}
 
 		logger('index.php: page not found: ' . $_SERVER['REQUEST_URI'] . ' ADDRESS: ' . $_SERVER['REMOTE_ADDR'] . ' QUERY: ' . $_SERVER['QUERY_STRING'], LOGGER_DEBUG);
@@ -448,7 +453,7 @@ if (!$a->theme['stylesheet']) {
 $a->page['htmlhead'] = str_replace('{{$stylesheet}}',$stylesheet,$a->page['htmlhead']);
 //$a->page['htmlhead'] = replace_macros($a->page['htmlhead'], array('$stylesheet' => $stylesheet));
 
-if (isset($_GET["mode"]) AND (($_GET["mode"] == "raw") OR ($_GET["mode"] == "minimal"))) {
+if (isset($_GET["mode"]) && (($_GET["mode"] == "raw") || ($_GET["mode"] == "minimal"))) {
 	$doc = new DOMDocument();
 
 	$target = new DOMDocument();
@@ -471,7 +476,7 @@ if (isset($_GET["mode"]) AND (($_GET["mode"] == "raw") OR ($_GET["mode"] == "min
 	}
 }
 
-if (isset($_GET["mode"]) AND ($_GET["mode"] == "raw")) {
+if (isset($_GET["mode"]) && ($_GET["mode"] == "raw")) {
 
 	header("Content-type: text/html; charset=utf-8");
 
@@ -486,6 +491,19 @@ $profile = $a->profile;
 header("X-Friendica-Version: " . FRIENDICA_VERSION);
 header("Content-type: text/html; charset=utf-8");
 
+if (Config::get('system', 'hsts') && (Config::get('system', 'ssl_policy') == SSL_POLICY_FULL)) {
+	header("Strict-Transport-Security: max-age=31536000");
+}
+
+// Some security stuff
+header('X-Content-Type-Options: nosniff');
+header('X-XSS-Protection: 1; mode=block');
+header('X-Permitted-Cross-Domain-Policies: none');
+header('X-Frame-Options: sameorigin');
+
+// Things like embedded OSM maps don't work, when this is enabled
+// header("Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; img-src 'self' https: data:; media-src 'self' https:; child-src 'self' https:; object-src 'none'");
+
 /*
  * We use $_GET["mode"] for special page templates. So we will check if we have
  * to load another page template than the default one.
@@ -496,7 +514,7 @@ if (isset($_GET["mode"])) {
 }
 
 // If there is no page template use the default page template
-if (!$template) {
+if (empty($template)) {
 	$template = theme_include("default.php");
 }