phpBB

Code Changes

File: phpbb/session.php

  Unmodified   Added   Modified   Removed
Line 49Line 49
		// If we are unable to get the script name we use REQUEST_URI as a failover and note it within the page array for easier support...
if (!$script_name)
{

		// If we are unable to get the script name we use REQUEST_URI as a failover and note it within the page array for easier support...
if (!$script_name)
{

			$script_name = htmlspecialchars_decode($request->server('REQUEST_URI'), ENT_COMPAT);

			$script_name = html_entity_decode($request->server('REQUEST_URI'), ENT_COMPAT);

			$script_name = (($pos = strpos($script_name, '?')) !== false) ? substr($script_name, 0, $pos) : $script_name;
$page_array['failover'] = 1;
}

			$script_name = (($pos = strpos($script_name, '?')) !== false) ? substr($script_name, 0, $pos) : $script_name;
$page_array['failover'] = 1;
}

Line 166Line 166
		global $config, $request;

// Get hostname

		global $config, $request;

// Get hostname

		$host = htmlspecialchars_decode($request->header('Host', $request->server('SERVER_NAME')), ENT_COMPAT);

		$host = html_entity_decode($request->header('Host', $request->server('SERVER_NAME')), ENT_COMPAT);


// Should be a string and lowered
$host = (string) strtolower($host);


// Should be a string and lowered
$host = (string) strtolower($host);

Line 289Line 289

// Why no forwarded_for et al? Well, too easily spoofed. With the results of my recent requests
// it's pretty clear that in the majority of cases you'll at least be left with a proxy/cache ip.


// Why no forwarded_for et al? Well, too easily spoofed. With the results of my recent requests
// it's pretty clear that in the majority of cases you'll at least be left with a proxy/cache ip.

		$ip = htmlspecialchars_decode($request->server('REMOTE_ADDR'), ENT_COMPAT);

		$ip = html_entity_decode($request->server('REMOTE_ADDR'), ENT_COMPAT);

		$ip = preg_replace('# {2,}#', ' ', str_replace(',', ' ', $ip));

/**

		$ip = preg_replace('# {2,}#', ' ', str_replace(',', ' ', $ip));

/**

Line 420Line 420
						// Else check the autologin length... and also removing those having autologin enabled but no longer allowed board-wide.
if (!$this->data['session_autologin'])
{

						// Else check the autologin length... and also removing those having autologin enabled but no longer allowed board-wide.
if (!$this->data['session_autologin'])
{

							if ($this->data['session_time'] < $this->time_now - ($config['session_length'] + 60))

							if ($this->data['session_time'] < $this->time_now - ((int) $config['session_length'] + 60))

							{
$session_expired = true;
}

							{
$session_expired = true;
}

Line 439Line 439

// Is user banned? Are they excluded? Won't return on ban, exists within method
$this->check_ban_for_current_session($config);


// Is user banned? Are they excluded? Won't return on ban, exists within method
$this->check_ban_for_current_session($config);

 

// Update user last active time accordingly, but in a minute or so
if ($this->time_now - (int) $this->data['user_last_active'] > 60)
{
$this->update_last_active_time();
}


return true;
}


return true;
}

Line 688Line 694
				if ($this->time_now - $this->data['session_time'] > 60 || ($this->update_session_page && $this->data['session_page'] != $this->page['page']))
{
// Update the last visit time

				if ($this->time_now - $this->data['session_time'] > 60 || ($this->update_session_page && $this->data['session_page'] != $this->page['page']))
{
// Update the last visit time

					$sql = 'UPDATE ' . USERS_TABLE . '
SET user_lastvisit = ' . (int) $this->data['session_time'] . '
WHERE user_id = ' . (int) $this->data['user_id'];
$db->sql_query($sql);

					$this->update_user_lastvisit();




				}

$SID = '?sid=';

				}

$SID = '?sid=';

Line 815Line 818
				$this->data['user_form_salt'] = unique_id();
// Update the form key
$sql = 'UPDATE ' . USERS_TABLE . '

				$this->data['user_form_salt'] = unique_id();
// Update the form key
$sql = 'UPDATE ' . USERS_TABLE . '

					SET user_form_salt = \'' . $db->sql_escape($this->data['user_form_salt']) . '\'


					SET user_form_salt = \'' . $db->sql_escape($this->data['user_form_salt']) . '\',
user_last_active = ' . (int) $this->time_now . '

					WHERE user_id = ' . (int) $this->data['user_id'];
$db->sql_query($sql);

					WHERE user_id = ' . (int) $this->data['user_id'];
$db->sql_query($sql);

 
			}
else
{
$this->update_last_active_time();

			}
}
else
{
$this->data['session_time'] = $this->data['session_last_visit'] = $this->time_now;


			}
}
else
{
$this->data['session_time'] = $this->data['session_last_visit'] = $this->time_now;


			// Update the last visit time
$sql = 'UPDATE ' . USERS_TABLE . '
SET user_lastvisit = ' . (int) $this->data['session_time'] . '
WHERE user_id = ' . (int) $this->data['user_id'];
$db->sql_query($sql);

			$this->update_user_lastvisit();






$SID = '?sid=';
$_SID = '';


$SID = '?sid=';
$_SID = '';

Line 1344Line 1348
				$this->check_ban($this->data['user_id'], $ips);
}
}

				$this->check_ban($this->data['user_id'], $ips);
}
}

 
	}

/**
* Check if ip is blacklisted by Spamhaus SBL
*
* Disables DNSBL setting if errors are returned by Spamhaus due to a policy violation.
* https://www.spamhaus.com/product/help-for-spamhaus-public-mirror-users/
*
* @param string $dnsbl the blacklist to check against
* @param string|false $ip the IPv4 address to check
*
* @return bool true if listed in spamhaus database, false if not
*/
function check_dnsbl_spamhaus($dnsbl, $ip = false)
{
global $config, $phpbb_log;

if ($ip === false)
{
$ip = $this->ip;
}

// Spamhaus does not support IPv6 addresses.
if (strpos($ip, ':') !== false)
{
return false;
}

if ($ip)
{
$quads = explode('.', $ip);
$reverse_ip = $quads[3] . '.' . $quads[2] . '.' . $quads[1] . '.' . $quads[0];

$records = dns_get_record($reverse_ip . '.' . $dnsbl . '.', DNS_A);
if (empty($records))
{
return false;
}
else
{
$error = false;
foreach ($records as $record)
{
if ($record['ip'] == '127.255.255.254')
{
$error = 'LOG_SPAMHAUS_OPEN_RESOLVER';
break;
}
else if ($record['ip'] == '127.255.255.255')
{
$error = 'LOG_SPAMHAUS_VOLUME_LIMIT';
break;
}
}

if ($error !== false)
{
$config->set('check_dnsbl', 0);
$phpbb_log->add('critical', $this->data['user_id'], $ip, $error);
}
else
{
// The existence of a non-error A record means it's a hit
return true;
}
}
}

return false;
}

/**
* Checks if an IPv4 address is in a specified DNS blacklist
*
* Only checks if a record is returned or not.
*
* @param string $dnsbl the blacklist to check against
* @param string|false $ip the IPv4 address to check
*
* @return bool true if record is returned, false if not
*/
function check_dnsbl_ipv4_generic($dnsbl, $ip = false)
{
if ($ip === false)
{
$ip = $this->ip;
}

// This function does not support IPv6 addresses.
if (strpos($ip, ':') !== false)
{
return false;
}

$quads = explode('.', $ip);
$reverse_ip = $quads[3] . '.' . $quads[2] . '.' . $quads[1] . '.' . $quads[0];

if (checkdnsrr($reverse_ip . '.' . $dnsbl . '.', 'A') === true)
{
return true;
}

return false;

	}

/**

	}

/**

Line 1372Line 1479
		}

$dnsbl_check = array(

		}

$dnsbl_check = array(

			'sbl.spamhaus.org'	=> 'http://www.spamhaus.org/query/bl?ip=',

			'sbl.spamhaus.org'	=> ['https://check.spamhaus.org/listed/?searchterm=', 'check_dnsbl_spamhaus'],

		);

if ($mode == 'register')
{

		);

if ($mode == 'register')
{

			$dnsbl_check['bl.spamcop.net'] = 'http://spamcop.net/bl.shtml?';

			$dnsbl_check['bl.spamcop.net'] = ['https://www.spamcop.net/bl.shtml?', 'check_dnsbl_ipv4_generic'];

		}

if ($ip)
{

		}

if ($ip)
{

			$quads = explode('.', $ip);
$reverse_ip = $quads[3] . '.' . $quads[2] . '.' . $quads[1] . '.' . $quads[0];


 
			// Need to be listed on all servers...
$listed = true;
$info = array();

foreach ($dnsbl_check as $dnsbl => $lookup)
{

			// Need to be listed on all servers...
$listed = true;
$info = array();

foreach ($dnsbl_check as $dnsbl => $lookup)
{

				if (checkdnsrr($reverse_ip . '.' . $dnsbl . '.', 'A') === true)

				if (call_user_func(array($this, $lookup[1]), $dnsbl, $ip) === true)

				{

				{

					$info = array($dnsbl, $lookup . $ip);

					$info = array($dnsbl, $lookup[0] . $ip);

				}
else
{

				}
else
{

Line 1660Line 1764
		}

// Do not update the session page for ajax requests, so the view online still works as intended

		}

// Do not update the session page for ajax requests, so the view online still works as intended

		$page_changed = $this->update_session_page && (!isset($this->data['session_page']) || $this->data['session_page'] != $this->page['page']) && !$request->is_ajax();

		$page_changed = $this->update_session_page && (!isset($this->data['session_page']) || $this->data['session_page'] != $this->page['page'] || $this->data['session_forum_id'] != $this->page['forum']) && !$request->is_ajax();


// Only update session DB a minute or so after last update or if page changes
if ($this->time_now - (isset($this->data['session_time']) ? $this->data['session_time'] : 0) > 60 || $page_changed)


// Only update session DB a minute or so after last update or if page changes
if ($this->time_now - (isset($this->data['session_time']) ? $this->data['session_time'] : 0) > 60 || $page_changed)

Line 1696Line 1800
	public function id() : int
{
return isset($this->data['user_id']) ? (int) $this->data['user_id'] : ANONYMOUS;

	public function id() : int
{
return isset($this->data['user_id']) ? (int) $this->data['user_id'] : ANONYMOUS;

 
	}

/**
* Update user last visit time
*/
public function update_user_lastvisit()
{
global $db;

if (isset($this->data['session_time'], $this->data['user_id']))
{
$sql = 'UPDATE ' . USERS_TABLE . '
SET user_lastvisit = ' . (int) $this->data['session_time'] . ',
user_last_active = ' . $this->time_now . '
WHERE user_id = ' . (int) $this->data['user_id'];
$db->sql_query($sql);
}
}

/**
* Update user's last active time
*
* @return void
*/
public function update_last_active_time()
{
global $db;

if (isset($this->time_now, $this->data['user_id']))
{
$sql = 'UPDATE ' . USERS_TABLE . '
SET user_last_active = ' . $this->time_now . '
WHERE user_id = ' . (int) $this->data['user_id'];
$db->sql_query($sql);
}

	}
}


	}
}