

File: phpbb/session.php

Line 91Line 91
			$page_name .= str_replace('%2F', '/', urlencode($symfony_request_path));
}


			$page_name .= str_replace('%2F', '/', urlencode($symfony_request_path));
}


 
		if (substr($root_path, 0, 2) === './' && strpos($root_path, '..') === false)
{
$root_dirs = explode('/', str_replace('\\', '/', rtrim($root_path, '/')));
$page_dirs = explode('/', str_replace('\\', '/', '.'));
}
else
{

		// current directory within the phpBB root (for example: adm)
$root_dirs = explode('/', str_replace('\\', '/', $phpbb_filesystem->realpath($root_path)));
$page_dirs = explode('/', str_replace('\\', '/', $phpbb_filesystem->realpath('./')));

		// current directory within the phpBB root (for example: adm)
$root_dirs = explode('/', str_replace('\\', '/', $phpbb_filesystem->realpath($root_path)));
$page_dirs = explode('/', str_replace('\\', '/', $phpbb_filesystem->realpath('./')));

 
		}


		$intersection = array_intersect_assoc($root_dirs, $page_dirs);

$root_dirs = array_diff_assoc($root_dirs, $intersection);
$page_dirs = array_diff_assoc($page_dirs, $intersection);


		$intersection = array_intersect_assoc($root_dirs, $page_dirs);

$root_dirs = array_diff_assoc($root_dirs, $intersection);
$page_dirs = array_diff_assoc($page_dirs, $intersection);


		$page_dir = str_repeat('../', sizeof($root_dirs)) . implode('/', $page_dirs);

		$page_dir = str_repeat('../', count($root_dirs)) . implode('/', $page_dirs);


if ($page_dir && substr($page_dir, -1, 1) == '/')
{


if ($page_dir && substr($page_dir, -1, 1) == '/')
{

Line 118Line 127

// The script path from the webroot to the phpBB root (for example: /phpBB3/)
$script_dirs = explode('/', $script_path);


// The script path from the webroot to the phpBB root (for example: /phpBB3/)
$script_dirs = explode('/', $script_path);

		array_splice($script_dirs, -sizeof($page_dirs));
$root_script_path = implode('/', $script_dirs) . (sizeof($root_dirs) ? '/' . implode('/', $root_dirs) : '');

		array_splice($script_dirs, -count($page_dirs));
$root_script_path = implode('/', $script_dirs) . (count($root_dirs) ? '/' . implode('/', $root_dirs) : '');


// We are on the base level (phpBB root == webroot), lets adjust the variables a bit...
if (!$root_script_path)


// We are on the base level (phpBB root == webroot), lets adjust the variables a bit...
if (!$root_script_path)

Line 460Line 469
						$this->data['is_registered'] = ($this->data['user_id'] != ANONYMOUS && ($this->data['user_type'] == USER_NORMAL || $this->data['user_type'] == USER_FOUNDER)) ? true : false;
$this->data['is_bot'] = (!$this->data['is_registered'] && $this->data['user_id'] != ANONYMOUS) ? true : false;
$this->data['user_lang'] = basename($this->data['user_lang']);

						$this->data['is_registered'] = ($this->data['user_id'] != ANONYMOUS && ($this->data['user_type'] == USER_NORMAL || $this->data['user_type'] == USER_FOUNDER)) ? true : false;
$this->data['is_bot'] = (!$this->data['is_registered'] && $this->data['user_id'] != ANONYMOUS) ? true : false;
$this->data['user_lang'] = basename($this->data['user_lang']);

 

// Is user banned? Are they excluded? Won't return on ban, exists within method
$this->check_ban_for_current_session($config);


return true;
}


return true;
}

Line 572Line 584
		$provider = $provider_collection->get_provider();
$this->data = $provider->autologin();


		$provider = $provider_collection->get_provider();
$this->data = $provider->autologin();


		if ($user_id !== false && sizeof($this->data) && $this->data['user_id'] != $user_id)

		if ($user_id !== false && isset($this->data['user_id']) && $this->data['user_id'] != $user_id)

		{
$this->data = array();
}


		{
$this->data = array();
}


		if (sizeof($this->data))

		if (isset($this->data['user_id']))

		{
$this->cookie_data['k'] = '';
$this->cookie_data['u'] = $this->data['user_id'];

		{
$this->cookie_data['k'] = '';
$this->cookie_data['u'] = $this->data['user_id'];

Line 585Line 597

// If we're presented with an autologin key we'll join against it.
// Else if we've been passed a user_id we'll grab data based on that


// If we're presented with an autologin key we'll join against it.
// Else if we've been passed a user_id we'll grab data based on that

		if (isset($this->cookie_data['k']) && $this->cookie_data['k'] && $this->cookie_data['u'] && !sizeof($this->data))

		if (isset($this->cookie_data['k']) && $this->cookie_data['k'] && $this->cookie_data['u'] && empty($this->data))

		{
$sql = 'SELECT u.*
FROM ' . USERS_TABLE . ' u, ' . SESSIONS_KEYS_TABLE . ' k

		{
$sql = 'SELECT u.*
FROM ' . USERS_TABLE . ' u, ' . SESSIONS_KEYS_TABLE . ' k

Line 605Line 617
			$db->sql_freeresult($result);
}


			$db->sql_freeresult($result);
}


		if ($user_id !== false && !sizeof($this->data))

		if ($user_id !== false && empty($this->data))

		{
$this->cookie_data['k'] = '';
$this->cookie_data['u'] = $user_id;

		{
$this->cookie_data['k'] = '';
$this->cookie_data['u'] = $user_id;

Line 633Line 645
		// User does not exist
// User is inactive
// User is bot

		// User does not exist
// User is inactive
// User is bot

		if (!sizeof($this->data) || !is_array($this->data))

		if (!is_array($this->data) || !count($this->data))

		{
$this->cookie_data['k'] = '';
$this->cookie_data['u'] = ($bot) ? $bot : ANONYMOUS;

		{
$this->cookie_data['k'] = '';
$this->cookie_data['u'] = ($bot) ? $bot : ANONYMOUS;

Line 675Line 687
		// session exists in which case session_id will also be set

// Is user banned? Are they excluded? Won't return on ban, exists within method

		// session exists in which case session_id will also be set

// Is user banned? Are they excluded? Won't return on ban, exists within method

		if ($this->data['user_type'] != USER_FOUNDER)
{
if (!$config['forwarded_for_check'])
{
$this->check_ban($this->data['user_id'], $this->ip);
}
else
{
$ips = explode(' ', $this->forwarded_for);
$ips[] = $this->ip;
$this->check_ban($this->data['user_id'], $ips);
}
}

		$this->check_ban_for_current_session($config);














$this->data['is_registered'] = (!$bot && $this->data['user_id'] != ANONYMOUS && ($this->data['user_type'] == USER_NORMAL || $this->data['user_type'] == USER_FOUNDER)) ? true : false;
$this->data['is_bot'] = ($bot) ? true : false;


$this->data['is_registered'] = (!$bot && $this->data['user_id'] != ANONYMOUS && ($this->data['user_type'] == USER_NORMAL || $this->data['user_type'] == USER_FOUNDER)) ? true : false;
$this->data['is_bot'] = ($bot) ? true : false;

Line 1022Line 1022
		}
$db->sql_freeresult($result);


		}
$db->sql_freeresult($result);


		if (sizeof($del_user_id))

		if (count($del_user_id))

		{
// Delete expired sessions
$sql = 'DELETE FROM ' . SESSIONS_TABLE . '

		{
// Delete expired sessions
$sql = 'DELETE FROM ' . SESSIONS_TABLE . '

Line 1077Line 1077
	*/
function set_cookie($name, $cookiedata, $cookietime, $httponly = true)
{

	*/
function set_cookie($name, $cookiedata, $cookietime, $httponly = true)
{

		global $config;

		global $config, $phpbb_dispatcher;


// If headers are already set, we just return
if (headers_sent())


// If headers are already set, we just return
if (headers_sent())

 
		{
return;
}

$disable_cookie = false;
/**
* Event to modify or disable setting cookies
*
* @event core.set_cookie
* @var bool disable_cookie Set to true to disable setting this cookie
* @var string name Name of the cookie
* @var string cookiedata The data to hold within the cookie
* @var int cookietime The expiration time as UNIX timestamp
* @var bool httponly Use HttpOnly?
* @since 3.2.9-RC1
*/
$vars = array(
'disable_cookie',
'name',
'cookiedata',
'cookietime',
'httponly',
);
extract($phpbb_dispatcher->trigger_event('core.set_cookie', compact($vars)));

if ($disable_cookie)

		{
return;
}

		{
return;
}

Line 1156Line 1182
			$where_sql[] = $_sql;
}


			$where_sql[] = $_sql;
}


		$sql .= (sizeof($where_sql)) ? implode(' AND ', $where_sql) : '';

		$sql .= (count($where_sql)) ? implode(' AND ', $where_sql) : '';

		$result = $db->sql_query($sql, $cache_ttl);

$ban_triggered_by = 'user';

		$result = $db->sql_query($sql, $cache_ttl);

$ban_triggered_by = 'user';

Line 1284Line 1310
			$message = sprintf($this->lang[$message], $till_date, '<a href="' . $contact_link . '">', '</a>');
$message .= ($ban_row['ban_give_reason']) ? '<br /><br />' . sprintf($this->lang['BOARD_BAN_REASON'], $ban_row['ban_give_reason']) : '';
$message .= '<br /><br /><em>' . $this->lang['BAN_TRIGGERED_BY_' . strtoupper($ban_triggered_by)] . '</em>';

			$message = sprintf($this->lang[$message], $till_date, '<a href="' . $contact_link . '">', '</a>');
$message .= ($ban_row['ban_give_reason']) ? '<br /><br />' . sprintf($this->lang['BOARD_BAN_REASON'], $ban_row['ban_give_reason']) : '';
$message .= '<br /><br /><em>' . $this->lang['BAN_TRIGGERED_BY_' . strtoupper($ban_triggered_by)] . '</em>';


// To circumvent session_begin returning a valid value and the check_ban() not called on second page view, we kill the session again
$this->session_kill(false);

 

// A very special case... we are within the cron script which is not supposed to print out the ban message... show blank page
if (defined('IN_CRON'))


// A very special case... we are within the cron script which is not supposed to print out the ban message... show blank page
if (defined('IN_CRON'))

Line 1295Line 1318
				exit_handler();
exit;
}

				exit_handler();
exit;
}

 

// To circumvent session_begin returning a valid value and the check_ban() not called on second page view, we kill the session again
$this->session_kill(false);


trigger_error($message);
}



trigger_error($message);
}


		return ($banned && $ban_row['ban_give_reason']) ? $ban_row['ban_give_reason'] : $banned;




























		if (!empty($ban_row))
{
$ban_row['ban_triggered_by'] = $ban_triggered_by;
}

return ($banned && $ban_row) ? $ban_row : $banned;
}

/**
* Check the current session for bans
*
* @return true if session user is banned.
*/
protected function check_ban_for_current_session($config)
{
if (!defined('SKIP_CHECK_BAN') && $this->data['user_type'] != USER_FOUNDER)
{
if (!$config['forwarded_for_check'])
{
$this->check_ban($this->data['user_id'], $this->ip);
}
else
{
$ips = explode(' ', $this->forwarded_for);
$ips[] = $this->ip;
$this->check_ban($this->data['user_id'], $ips);
}
}

	}

/**

	}

/**

Line 1591Line 1644
		{
return;
}

		{
return;
}

 

// Do not update the session page for ajax requests, so the view online still works as intended
$page_changed = $this->update_session_page && $this->data['session_page'] != $this->page['page'] && !$request->is_ajax();


// Only update session DB a minute or so after last update or if page changes


// Only update session DB a minute or so after last update or if page changes

		if ($this->time_now - $this->data['session_time'] > 60 || ($this->update_session_page && $this->data['session_page'] != $this->page['page']))

		if ($this->time_now - (isset($this->data['session_time']) ? $this->data['session_time'] : 0) > 60 || $page_changed)

		{
$sql_ary = array('session_time' => $this->time_now);


		{
$sql_ary = array('session_time' => $this->time_now);


			// Do not update the session page for ajax requests, so the view online still works as intended
if ($this->update_session_page && !$request->is_ajax())

			if ($page_changed)


			{
$sql_ary['session_page'] = substr($this->page['page'], 0, 199);
$sql_ary['session_forum_id'] = $this->page['forum'];

			{
$sql_ary['session_page'] = substr($this->page['page'], 0, 199);
$sql_ary['session_forum_id'] = $this->page['forum'];
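Review bot: The docblock on the new check_ban_for_current_session() promises `@return true if session user is banned`, but the method body has no return statement and, on a ban, check_ban() never returns at all (it ends in trigger_error(), or exit_handler()/exit under IN_CRON), so a caller written to that contract would be wrong. I would replace that line with `@return void  Does not return when the user is banned: check_ban() terminates the request` and add `@param mixed $config Board config; 'forwarded_for_check' decides whether the X-Forwarded-For addresses are checked alongside $this->ip`. The `SKIP_CHECK_BAN` constant introduced here silently disables ban enforcement for the whole request, so the docblock should name it explicitly so that anyone defining it elsewhere understands they are bypassing bans, not just skipping a lookup. The method also dereferences `$this->data['user_type']` and `$this->data['user_id']` unconditionally, which is fine at both call sites shown (user data has been loaded first) but worth stating as a precondition since the method is now callable from anywhere in the class. Separately, check_ban()'s return changed from the reason string to the `$ban_row` array; callers outside this diff that used the old string value (if any) would need to be checked.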