Complex classes like AlixarController often do a lot of different things. To break such a class down, we need to identify a cohesive component within that class. A common approach to find such a component is to look for fields/methods that share the same prefixes, or suffixes.
Once you have determined the fields that belong together, you can apply the Extract Class refactoring. If the component makes sense as a sub-class, Extract Subclass is also a candidate, and is often faster.
While breaking up the class, it is a good idea to analyze how other classes use AlixarController, and based on these observations, apply Extract Interface, too.
1 | <?php |
||
34 | class AlixarController extends \Alxarafe\Base\Controller |
||
35 | { |
||
36 | |||
37 | public $authmode; |
||
38 | public $dol_authmode; |
||
39 | public $sessionname; |
||
40 | |||
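/**
 * Bootstraps a request the way Dolibarr's main.inc.php does, in this order:
 * session, browser detection, HTTPS enforcement, IP restriction, optional
 * presentation includes, install/upgrade redirect, CSRF token rotation and
 * check, module disabling, login (testLogin()), UI options from the request,
 * user language, login/active checks, translations, textarea constants and
 * the menu manager. The order matters: the CSRF check needs the started
 * session, the UI/language/access steps need the user loaded by testLogin().
 *
 * Review notes on this port of main.inc.php into a method:
 *  - $dolibarr_main_restrict_ip and $dolibarr_nocsrfcheck are set by conf.php as
 *    globals; inside a method they must be imported with `global`, otherwise
 *    they are always empty and the IP restriction silently never applies.
 *  - The `echo $newurl; throw Exception('x');` debug stops that preceded every
 *    redirect were removed: `Exception('x')` is a call to an undefined function,
 *    so each of those paths was a fatal error instead of a redirect.
 *  - The `$bc`, `$mesg`, `$heightforframes`... locals that main.inc.php exposed
 *    as globals were dead inside this method and are no longer assigned.
 *
 * @throws type propagated from parent::__construct() / testLogin() (see testLogin()).
 */
function __construct()
{
    parent::__construct();

    $this->checkRequires();

    // Include the conf.php and functions.lib.php
    // require_once DOL_BASE_PATH . '/filefunc.inc.php';
    Globals::initGlobals();

    $this->startSession();
    $this->detectBrowser();
    $this->forceHttpsIfRequired();
    $this->enforceIpRestriction();

    // Loading of additional presentation includes
    if (!defined('NOREQUIREHTML')) {
        require_once DOL_BASE_PATH . '/core/class/html.form.class.php'; // Need 660ko memory (800ko in 2.2)
    }
    if (!defined('NOREQUIREAJAX') && Globals::$conf->use_javascript_ajax) {
        require_once DOL_BASE_PATH . '/core/lib/ajax.lib.php'; // Need 22ko memory
    }

    $this->redirectToInstallIfRequired();
    $this->rotateAndCheckCsrfToken();
    $this->applyDisabledModules();

    $this->testLogin();

    $this->applyUiOptionsFromRequest();
    $this->applyUserLanguage();
    $this->checkUserCanAccess();

    $phpSelf = isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : '';
    DolUtils::dol_syslog("--- Access to " . $phpSelf . ' - action=' . DolUtils::GETPOST('action', 'az09') . ', massaction=' . DolUtils::GETPOST('massaction', 'az09'));
    //Another call for easy debugg
    //dol_syslog("Access to ".$_SERVER["PHP_SELF"].' GET='.join(',',array_keys($_GET)).'->'.join(',',$_GET).' POST:'.join(',',array_keys($_POST)).'->'.join(',',$_POST));

    // Load main languages files
    if (!defined('NOREQUIRETRAN')) {
        // Load translation files required by page
        Globals::$langs->loadLangs(array('main', 'dict'));
    }

    $this->defineTextareaRowConstants();
    $this->initMenuManager();
}

/**
 * Names the session after this Dolibarr instance and starts it unless NOSESSION is defined.
 * Sets $this->sessionname.
 */
private function startSession()
{
    // Note: the function dol_getprefix may have been redefined to return a different key to manage another area to protect.
    $prefix = DolUtils::dol_getprefix('');
    $this->sessionname = 'DOLSESSID_' . $prefix;

    // A client may request a longer gc lifetime through a cookie. The cookie is
    // attacker-controlled, so only a plain positive integer is accepted as ini value.
    $sessiontimeout = 'DOLSESSTIMEOUT_' . $prefix;
    if (!empty($_COOKIE[$sessiontimeout]) && ctype_digit((string) $_COOKIE[$sessiontimeout])) {
        ini_set('session.gc_maxlifetime', $_COOKIE[$sessiontimeout]);
    }

    session_name($this->sessionname);
    // httponly flag on the session cookie (same as session.cookie_httponly in php.ini). Must be called before session_start().
    // NOTE(review): the `secure` flag (4th argument) is left false as in the original; consider
    // setting it when main_force_https is on so the session cookie never travels over plain HTTP.
    session_set_cookie_params(0, '/', null, false, true);

    // session_start() takes a lock released by session_write_close() or at end of page.
    // The lock is needed as long as $_SESSION['vars'] are read/written.
    if (!defined('NOSESSION')) {
        session_start();
    }
}

/**
 * Fills Globals::$conf->browser from the User-Agent header and applies the
 * phone-layout defaults (no mouse hover, test menu hider).
 */
private function detectBrowser()
{
    if (!isset($_SERVER["HTTP_USER_AGENT"])) {
        return;
    }
    $tmp = DolUtils::getBrowserInfo($_SERVER["HTTP_USER_AGENT"]);
    Globals::$conf->browser->name = $tmp['browsername'];
    Globals::$conf->browser->os = $tmp['browseros'];
    Globals::$conf->browser->version = $tmp['browserversion'];
    Globals::$conf->browser->layout = $tmp['layout']; // 'classic', 'phone', 'tablet'

    if (Globals::$conf->browser->layout == 'phone') {
        Globals::$conf->dol_no_mouse_hover = 1;
        Globals::$conf->global->MAIN_TESTMENUHIDER = 1;
    }
}

/**
 * Redirects to HTTPS when Globals::$conf->file->main_force_https is set
 * (0/1 or the https root url of the instance) and the request is not already HTTPS.
 * $_SERVER["HTTPS"] is 'on' for an https link, otherwise empty or 'off'.
 */
private function forceHttpsIfRequired()
{
    $force = Globals::$conf->file->main_force_https;
    $alreadyHttps = !empty($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] == 'on';
    if (empty($force) || $alreadyHttps) {
        return;
    }

    $requestUri = isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : '';
    $newurl = '';
    if (is_numeric($force)) {
        if ($force == '1' && !empty($_SERVER["SCRIPT_URI"])) { // If SCRIPT_URI supported by server
            if (preg_match('/^http:/i', $_SERVER["SCRIPT_URI"]) && !preg_match('/^https:/i', $_SERVER["SCRIPT_URI"])) { // If link is http
                $newurl = preg_replace('/^http:/i', 'https:', $_SERVER["SCRIPT_URI"]);
            }
        } else { // Check HTTPS environment variable (Apache/mod_ssl only)
            $newurl = preg_replace('/^http:/i', 'https:', DOL_MAIN_URL_ROOT) . $requestUri;
        }
    } else {
        // main_force_https holds the https root url itself
        $newurl = $force . $requestUri;
    }

    if ($newurl) {
        DolUtils::dol_syslog("main.inc: dolibarr_main_force_https is on, we make a redirect to " . $newurl);
        header("Location: " . $newurl);
        exit;
    }
    DolUtils::dol_syslog("main.inc: dolibarr_main_force_https is on but we failed to forge new https url so no redirect is done", LOG_WARNING);
}

/**
 * Refuses the request when conf.php's $dolibarr_main_restrict_ip (comma separated
 * list of IPs) is set and REMOTE_ADDR is not in it. Skipped under NOLOGIN / NOIPCHECK.
 */
private function enforceIpRestriction()
{
    // Set by conf.php at file scope; without `global` this was always empty inside the method.
    global $dolibarr_main_restrict_ip;

    if (defined('NOLOGIN') || defined('NOIPCHECK') || empty($dolibarr_main_restrict_ip)) {
        return;
    }

    $remote = isset($_SERVER['REMOTE_ADDR']) ? (string) $_SERVER['REMOTE_ADDR'] : '';
    // Empty entries (trailing comma) are dropped so they cannot match an empty REMOTE_ADDR.
    $allowed = array_filter(array_map('trim', explode(',', $dolibarr_main_restrict_ip)), 'strlen');
    if ($remote === '' || !in_array($remote, $allowed, true)) {
        print 'Access refused by IP protection';
        exit;
    }
}

/**
 * Sends the browser to the install page when a previous install/upgrade did not
 * complete, or when the program version is higher than the database version.
 */
private function redirectToInstallIfRequired()
{
    $g = Globals::$conf->global;

    // If install or upgrade process not done or not completely finished, we call the install page.
    if (!empty($g->MAIN_NOT_INSTALLED) || !empty($g->MAIN_NOT_UPGRADED)) {
        DolUtils::dol_syslog("main.inc: A previous install or upgrade was not complete. Redirect to install page.", LOG_WARNING);
        header("Location: " . DOL_BASE_URI . "/install/index.php");
        exit;
    }

    // If an upgrade process is required, we call the install page.
    $lastUpgrade = empty($g->MAIN_VERSION_LAST_UPGRADE) ? '' : $g->MAIN_VERSION_LAST_UPGRADE;
    $lastInstall = empty($g->MAIN_VERSION_LAST_INSTALL) ? '' : $g->MAIN_VERSION_LAST_INSTALL;
    $mustCompare = ($lastUpgrade !== '' && $lastUpgrade != DOL_VERSION)
        || ($lastUpgrade === '' && $lastInstall !== '' && $lastInstall != DOL_VERSION);
    if (!$mustCompare) {
        return;
    }

    $versiontocompare = ($lastUpgrade === '') ? $lastInstall : $lastUpgrade;
    require_once DOL_BASE_PATH . '/core/lib/admin.lib.php';
    $dolibarrversionlastupgrade = preg_split('/[.-]/', $versiontocompare);
    $dolibarrversionprogram = preg_split('/[.-]/', DOL_VERSION);
    $rescomp = versioncompare($dolibarrversionprogram, $dolibarrversionlastupgrade);
    // Programs have a version higher than database. No "&& $rescomp < 3" because we want upgrade process for build upgrades
    if ($rescomp > 0) {
        DolUtils::dol_syslog("main.inc: database version " . $versiontocompare . " is lower than programs version " . DOL_VERSION . ". Redirect to install page.", LOG_WARNING);
        header("Location: " . DOL_BASE_URI . "/install/index.php");
        exit;
    }
}

/**
 * CSRF protection: rotates the per-request token (unless NOTOKENRENEWAL) and, when
 * MAIN_SECURITY_CSRF_WITH_TOKEN / CSRFCHECK_WITH_TOKEN enable it, validates the
 * token of POST requests. A POST without token is refused; a POST with a wrong
 * token has its $_POST emptied (no output, so the browser BACK button keeps working).
 */
private function rotateAndCheckCsrfToken()
{
    // Set by conf.php at file scope (documented escape hatch for proxies that drop headers).
    global $dolibarr_nocsrfcheck;

    // Creation of a token against CSRF vulnerabilities
    if (!defined('NOTOKENRENEWAL')) {
        // Token rotation: the token issued on the previous request becomes the one accepted now.
        if (isset($_SESSION['newtoken'])) {
            $_SESSION['token'] = $_SESSION['newtoken'];
        }
        // Save in $_SESSION['newtoken'] what will be next token. Into forms, we will add param token = $_SESSION['newtoken']
        // Seeded from the CSPRNG: uniqid(mt_rand()) is predictable and must not feed a security token.
        $_SESSION['newtoken'] = Security::dol_hash(bin2hex(random_bytes(32)));
    }

    // Check validity of token, only if option MAIN_SECURITY_CSRF_WITH_TOKEN enabled or if constant CSRFCHECK_WITH_TOKEN is set
    $checkEnabled = (!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && !empty(Globals::$conf->global->MAIN_SECURITY_CSRF_WITH_TOKEN))
        || defined('CSRFCHECK_WITH_TOKEN');
    $method = isset($_SERVER['REQUEST_METHOD']) ? $_SERVER['REQUEST_METHOD'] : '';
    if (!$checkEnabled || $method !== 'POST') { // Note, offender can still send request by GET
        return;
    }

    if (!DolUtils::GETPOST('token', 'alpha')) {
        print "Access refused by CSRF protection in main.inc.php. Token not provided.\n";
        print "If you access your server behind a proxy using url rewriting, you might check that all HTTP header is propagated (or add the line \$dolibarr_nocsrfcheck=1 into your conf.php file).\n";
        die;
    }

    // This test must be after loading $_SESSION['token'].
    $expected = isset($_SESSION['token']) ? (string) $_SESSION['token'] : '';
    $posted = (string) DolUtils::GETPOST('token', 'alpha');
    if (!hash_equals($expected, $posted)) { // constant-time compare, no == type juggling
        // Referer is attacker-controlled: strip line breaks so it cannot forge extra log lines.
        // The valid session token is deliberately not written to the log.
        $referer = isset($_SERVER['HTTP_REFERER']) ? str_replace(array("\r", "\n"), ' ', $_SERVER['HTTP_REFERER']) : '';
        DolUtils::dol_syslog("Invalid token in " . $referer . ", action=" . DolUtils::GETPOST('action', 'aZ09') . ", _POST['token']=" . $posted, LOG_WARNING);
        //print 'Unset POST by CSRF protection in main.inc.php.'; // Do not output anything because this create problems when using the BACK button on browsers.
        // Empty rather than unset(): unset() inside a method only drops the local binding.
        $_POST = array();
    }
}

/**
 * Disables modules listed in ?disablemodules=a,b (remembered in the session) by
 * setting Globals::$conf->{module}->enabled = false. Must run after session_start
 * and after conf has been loaded.
 */
private function applyDisabledModules()
{
    if (DolUtils::GETPOST('disablemodules', 'alpha')) {
        $_SESSION["disablemodules"] = DolUtils::GETPOST('disablemodules', 'alpha');
    }
    if (empty($_SESSION["disablemodules"])) {
        return;
    }
    foreach (explode(',', $_SESSION["disablemodules"]) as $module) {
        // The name becomes a property name on $conf and comes from the request: only accept identifiers.
        if (!$module || !preg_match('/^[A-Za-z0-9_]+$/', $module)) {
            continue;
        }
        if (empty(Globals::$conf->$module)) {
            Globals::$conf->$module = new stdClass();
        }
        Globals::$conf->$module->enabled = false;
        if ($module == 'fournisseur') { // Special case: the supplier module also owns these two
            Globals::$conf->supplier_order->enabled = 0;
            Globals::$conf->supplier_invoice->enabled = 0;
        }
    }
}

/**
 * Applies presentation options coming from the URL, the session and the user
 * conf: theme, javascript on/off, text-browser mode, hidden menus, small
 * screen, jmobile. Needs Globals::$user, i.e. must run after testLogin().
 */
private function applyUiOptionsFromRequest()
{
    $conf = Globals::$conf;
    $userconf = Globals::$user->conf;

    // Case forcing style from url
    if (DolUtils::GETPOST('theme', 'alpha')) {
        $conf->theme = DolUtils::GETPOST('theme', 'alpha', 1);
        // $conf->css = "/theme/" . $conf->theme . "/style.css.php";
        $conf->css = '?controller=theme/' . $conf->theme . '&method=style.css';
    }

    // Set javascript option
    if (!DolUtils::GETPOST('nojs', 'int')) { // If javascript was not disabled on URL
        if (!empty($userconf->MAIN_DISABLE_JAVASCRIPT)) {
            // The original read an undefined local $user here; Globals::$user is the loaded user.
            $conf->use_javascript_ajax = !$userconf->MAIN_DISABLE_JAVASCRIPT;
        }
    } else {
        $conf->use_javascript_ajax = 0;
    }

    // Set MAIN_OPTIMIZEFORTEXTBROWSER (the user-conf value was a dead `elseif` in the
    // original: the first condition already covered it)
    if (DolUtils::GETPOST('textbrowser', 'int') || (!empty($conf->browser->name) && $conf->browser->name == 'lynxlinks') || !empty($userconf->MAIN_OPTIMIZEFORTEXTBROWSER)) {
        $conf->global->MAIN_OPTIMIZEFORTEXTBROWSER = 1;
    }

    // Set terminal output options: each flag can be forced by URL or remembered in the session.
    $flags = array('dol_hide_leftmenu', 'dol_hide_topmenu', 'dol_optimize_smallscreen', 'dol_no_mouse_hover', 'dol_use_jmobile');
    foreach ($flags as $flag) {
        if (DolUtils::GETPOST($flag, 'int') || !empty($_SESSION[$flag])) {
            $conf->$flag = 1;
        }
    }

    $layout = empty($conf->browser->layout) ? '' : $conf->browser->layout;
    if ($layout !== '' && $layout != 'classic') {
        $conf->dol_no_mouse_hover = 1;
    }
    $smallWidth = !empty($_SESSION['dol_screenwidth']) && $_SESSION['dol_screenwidth'] < 400;
    $smallHeight = !empty($_SESSION['dol_screenheight']) && $_SESSION['dol_screenheight'] < 400;
    if ($layout == 'phone' || $smallWidth || $smallHeight) {
        $conf->dol_optimize_smallscreen = 1;
    }

    // If we force to use jmobile, then we reenable javascript
    if (!empty($conf->dol_use_jmobile)) {
        $conf->use_javascript_ajax = 1;
        // Replace themes bugged with jmobile with eldy
        if (in_array($conf->theme, array('bureau2crea', 'cameleo', 'amarok'), true)) {
            $conf->theme = 'eldy';
            // $conf->css = "/theme/" . $conf->theme . "/style.css.php";
            $conf->css = '?controller=theme/' . $conf->theme . '&method=style.css';
        }
    }
}

/**
 * Switches Globals::$langs to the user's MAIN_LANG_DEFAULT when no language was
 * forced on the URL (?lang=) and translations are required.
 */
private function applyUserLanguage()
{
    if (defined('NOREQUIRETRAN') || DolUtils::GETPOST('lang', 'aZ09')) {
        return;
    }
    $userLang = empty(Globals::$user->conf->MAIN_LANG_DEFAULT) ? '' : Globals::$user->conf->MAIN_LANG_DEFAULT;
    // If user has chosen its own language and it differs from the current one
    if ($userLang !== '' && Globals::$langs->getDefaultLang() != $userLang) {
        Globals::$langs->setDefaultLang($userLang);
    }
}

/**
 * Refuses users without a login (account does not exist: hacking attempt?) or
 * not active, then loads their permissions. Skipped when NOLOGIN is defined.
 */
private function checkUserCanAccess()
{
    if (defined('NOLOGIN')) {
        return;
    }

    if (!Globals::$user->login) {
        accessforbidden();
        exit; // defence in depth: never continue if accessforbidden() returns
    }

    // Check if user is active
    if (Globals::$user->statut < 1) {
        Globals::$langs->load("other");
        DolUtils::dol_syslog("Authentification ko as login is disabled");
        accessforbidden(Globals::$langs->trans("ErrorLoginDisabled"));
        exit;
    }

    // Load permissions
    Globals::$user->getrights();
}

/**
 * Defines ROWS_1..ROWS_9, the number of lines used for textareas:
 * n for most browsers, n-1 for Firefox (Globals::$conf->browser->firefox).
 */
private function defineTextareaRowConstants()
{
    $offset = empty(Globals::$conf->browser->firefox) ? 0 : 1;
    for ($i = 1; $i <= 9; $i++) {
        if (!defined('ROWS_' . $i)) {
            define('ROWS_' . $i, $i - $offset);
        }
    }
}

/**
 * Chooses the menu manager file (MAIN_MENU[FRONT]_STANDARD[_FORCED], default
 * eldy_menu.php, overridable by ?menu=) and instantiates Globals::$menuManager.
 * Skipped when NOREQUIREMENU is defined.
 */
private function initMenuManager()
{
    if (defined('NOREQUIREMENU')) {
        return;
    }
    $g = Globals::$conf->global;
    $isExternalUser = !empty(Globals::$user->societe_id);

    if (!$isExternalUser) { // If internal user or not defined
        Globals::$conf->standard_menu = !empty($g->MAIN_MENU_STANDARD_FORCED)
            ? $g->MAIN_MENU_STANDARD_FORCED
            : (empty($g->MAIN_MENU_STANDARD) ? 'eldy_menu.php' : $g->MAIN_MENU_STANDARD);
    } else {
        Globals::$conf->standard_menu = !empty($g->MAIN_MENUFRONT_STANDARD_FORCED)
            ? $g->MAIN_MENUFRONT_STANDARD_FORCED
            : (empty($g->MAIN_MENUFRONT_STANDARD) ? 'eldy_menu.php' : $g->MAIN_MENUFRONT_STANDARD);
    }

    // Load the menu manager (only if not already done)
    $file_menu = Globals::$conf->standard_menu;
    $requested = DolUtils::GETPOST('menu', 'alpha'); // example: menu=eldy_menu.php
    // This value ends up in an include path once the include below is re-enabled:
    // accept only a bare file name, never a path.
    if ($requested && preg_match('/^[A-Za-z0-9_]+\.php$/', $requested)) {
        $file_menu = $requested;
    }

    if (!class_exists('MenuManager')) {
        // NOTE(review): the dol_include_once() of $file_menu is commented out in this port, so this
        // loop loads nothing; the class must already be autoloadable for `new MenuManager` below.
        $moduleMenuDirs = isset(Globals::$conf->modules_parts['menus']) ? (array) Globals::$conf->modules_parts['menus'] : array();
        $dirmenus = array_merge(array("/core/menus/"), $moduleMenuDirs);
        foreach ($dirmenus as $dirmenu) {
            // $menufound = dol_include_once($dirmenu . "standard/" . $file_menu);
            if (class_exists('MenuManager')) {
                break;
            }
        }
        if (!class_exists('MenuManager')) { // If failed to include, we try with standard eldy_menu.php
            DolUtils::dol_syslog("You define a menu manager '" . $file_menu . "' that can not be loaded.", LOG_WARNING);
            $file_menu = 'eldy_menu.php';
            // include_once DOL_DOCUMENT_ROOT . "/core/menus/standard/" . $file_menu;
        }
    }

    Globals::$menuManager = new MenuManager($isExternalUser ? 1 : 0);
    Globals::$menuManager->loadMenu();
}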
||
388 | |||
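/**
 * Pre-bootstrap checks, run before globals and session exist:
 *  - consistency of the NOREQUIREXXX defines,
 *  - injection scan of PHP_SELF, QUERY_STRING and $_POST through
 *    analyseVarsForSqlAndScriptsInjection() (which stops the request on a hit),
 *  - include_path workaround for Plesk layouts,
 *  - DOL_AUTOSET_COOKIE: persist selected POST values into one JSON cookie.
 *
 * The old magic_quotes / stripslashes_deep handling is intentionally gone
 * (magic quotes were removed in PHP 5.4).
 */
function checkRequires()
{
    // Check consistency of NOREQUIREXXX DEFINES
    if ((defined('NOREQUIREDB') || defined('NOREQUIRETRAN')) && !defined('NOREQUIREMENU')) {
        print 'If define NOREQUIREDB or NOREQUIRETRAN are set, you must also set NOREQUIREMENU or not set them';
        exit;
    }

    // Sanity check on URL (type 2 = PHP_SELF rules)
    if (!empty($_SERVER["PHP_SELF"])) {
        $morevaltochecklikepost = array($_SERVER["PHP_SELF"]);
        $this->analyseVarsForSqlAndScriptsInjection($morevaltochecklikepost, 2);
    }

    // Sanity check on GET parameters (type 1 = GET rules, the stricter set)
    if (!defined('NOSCANGETFORINJECTION') && !empty($_SERVER["QUERY_STRING"])) {
        $morevaltochecklikeget = array($_SERVER["QUERY_STRING"]);
        $this->analyseVarsForSqlAndScriptsInjection($morevaltochecklikeget, 1);
    }

    // Sanity check on POST (type 0 = POST rules)
    if (!defined('NOSCANPOSTFORINJECTION')) {
        $this->analyseVarsForSqlAndScriptsInjection($_POST, 0);
    }

    // This is to make Dolibarr working with Plesk
    if (!empty($_SERVER['DOCUMENT_ROOT']) && substr($_SERVER['DOCUMENT_ROOT'], -6) !== 'htdocs') {
        set_include_path($_SERVER['DOCUMENT_ROOT'] . '/htdocs');
    }

    $this->autosetCookieFromPost();
}

/**
 * DOL_AUTOSET_COOKIE=cookiename:val1,val2 together with POST fields
 * cookiename_val1=aaa and cookiename_val2=bbb stores
 * json_encode(array('val1' => 'aaa', 'val2' => 'bbb')) in cookie "cookiename"
 * (httponly, kept about one year). When no listed field is posted the cookie
 * is deleted. Used for example by the forms of boxes to save personalization
 * of some options.
 */
private function autosetCookieFromPost()
{
    if (empty($_POST["DOL_AUTOSET_COOKIE"]) || !is_string($_POST["DOL_AUTOSET_COOKIE"])) {
        return;
    }

    $tmpautoset = explode(':', $_POST["DOL_AUTOSET_COOKIE"], 2);
    $cookiename = $tmpautoset[0];
    // The cookie name is request-controlled: require the "name:list" shape and restrict
    // the name to an identifier so setcookie() never sees characters it rejects.
    if (count($tmpautoset) < 2 || !preg_match('/^[A-Za-z0-9_]+$/', $cookiename)) {
        return;
    }

    $cookiearrayvalue = array();
    foreach (explode(',', $tmpautoset[1]) as $tmpkey) {
        $postkey = $cookiename . '_' . $tmpkey;
        if (!empty($_POST[$postkey])) {
            $cookiearrayvalue[$tmpkey] = $_POST[$postkey];
        }
    }

    // An empty array must delete the cookie; json_encode(array()) is "[]", which is not
    // empty(), so the original never took the delete branch.
    $cookievalue = empty($cookiearrayvalue) ? '' : json_encode($cookiearrayvalue);
    if ($cookievalue === '' || $cookievalue === false) {
        setcookie($cookiename, '', 0, '/', null, false, true);
        unset($_COOKIE[$cookiename]);
        return;
    }
    setcookie($cookiename, $cookievalue, time() + (86400 * 354), '/', null, false, true); // keep cookie ~1 year (354 days) and add tag httponly
}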
||
449 | |||
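/**
 * DEPRECATED? Helper from the magic_quotes_gpc era: recursively strips
 * slashes from a string or from every leaf of a (nested) array.
 * Off mode recommended (just do Config::$dbEngine->escape for insert / update).
 *
 * @param string|array $value Value to clean
 * @return string|array Same structure with stripslashes() applied to every string
 */
function stripslashes_deep($value)
{
    if (!is_array($value)) {
        return stripslashes($value);
    }
    // Recurse through this method. The original passed the bare string 'stripslashes_deep'
    // to array_map, which names a global function, not this method, so nested arrays
    // failed unless such a global happened to exist.
    $self = $this;
    return array_map(function ($item) use ($self) {
        return $self->stripslashes_deep($item);
    }, $value);
}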
||
462 | |||
463 | /** |
||
464 | * Security: SQL Injection and XSS Injection (scripts) protection (Filters on GET, POST, PHP_SELF). |
||
465 | * |
||
466 | * @param string $val Value |
||
467 | * @param string $type 1=GET, 0=POST, 2=PHP_SELF, 3=GET without sql reserved keywords (the less tolerant test) |
||
468 | * @return int >0 if there is an injection, 0 if none |
||
469 | * @deprecated use $this->testSqlAndScriptInject |
||
470 | * @see $this->testSqlAndScriptInject($val, $type) |
||
471 | */ |
||
472 | function test_sql_and_script_inject($val, $type) |
||
476 | } |
||
477 | |||
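/**
 * Security: SQL Injection and XSS Injection (scripts) protection (Filters on GET, POST, PHP_SELF).
 *
 * This is a blacklist of known-bad substrings, not a parser: it catches the
 * common payloads and nothing more. Output escaping and parameterised SQL
 * remain mandatory elsewhere; do not treat a 0 here as "safe".
 *
 * @param string $val  Value to scan
 * @param int    $type 1=GET, 0=POST, 2=PHP_SELF, 3=GET without sql reserved keywords (the less tolerant test)
 * @return int >0 if there is an injection (number of patterns matched), 0 if none
 */
function testSqlAndScriptInject($val, $type)
{
    $type = (int) $type; // callers pass ints or numeric strings; normalise once, compare strictly below
    $inj = 0;

    // For SQL Injection (only GET are used to be included into bad escaped SQL requests)
    if ($type === 1 || $type === 3) {
        $inj += preg_match('/delete\s+from/i', $val);
        $inj += preg_match('/create\s+table/i', $val);
        $inj += preg_match('/insert\s+into/i', $val);
        $inj += preg_match('/select\s+from/i', $val);
        $inj += preg_match('/into\s+(outfile|dumpfile)/i', $val);
        $inj += preg_match('/user\s*\(/i', $val); // avoid to use function user() that return current database login
        $inj += preg_match('/information_schema/i', $val); // avoid to use request that read information_schema database
    }
    if ($type === 3) {
        $inj += preg_match('/select|update|delete|replace|group\s+by|concat|count|from/i', $val);
    }
    if ($type !== 2) { // Not common key strings, so we can check them both on GET and POST
        $inj += preg_match('/updatexml\(/i', $val);
        $inj += preg_match('/update.+set.+=/i', $val);
        $inj += preg_match('/union.+select/i', $val);
        $inj += preg_match('/(\.\.%2f)+/i', $val);
    }

    // For XSS Injection done by adding javascript with script
    // This is all cases a browser consider text is javascript:
    // When it found '<script', 'javascript:', '<style', 'onload\s=' on body tag, '="&' on a tag size with old browsers
    // All examples on page: http://ha.ckers.org/xss.html#XSScalc
    // More on https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
    $inj += preg_match('/<script/i', $val);
    $inj += preg_match('/<iframe/i', $val);
    $inj += preg_match('/<audio/i', $val);
    $inj += preg_match('/Set\.constructor/i', $val); // ECMA script 6
    if (!defined('NOSTYLECHECK')) {
        $inj += preg_match('/<style/i', $val);
    }
    $inj += preg_match('/base[\s]+href/si', $val);
    $inj += preg_match('/<.*onmouse/si', $val); // onmousexxx can be set on img or any html tag like <img title='...' onmouseover=alert(1)>
    $inj += preg_match('/onerror\s*=/i', $val); // onerror can be set on img or any html tag like <img title='...' onerror = alert(1)>
    $inj += preg_match('/onfocus\s*=/i', $val); // onfocus can be set on input text html tag like <input type='text' value='...' onfocus = alert(1)>
    $inj += preg_match('/onload\s*=/i', $val); // onload can be set on svg tag <svg/onload=alert(1)> or other tag like body <body onload=alert(1)>
    $inj += preg_match('/onloadstart\s*=/i', $val); // onloadstart can be set on audio tag <audio onloadstart=alert(1)>
    $inj += preg_match('/onclick\s*=/i', $val); // onclick can be set on img text html tag like <img onclick = alert(1)>
    $inj += preg_match('/onscroll\s*=/i', $val); // onscroll can be on textarea
    //$inj += preg_match('/on[A-Z][a-z]+\*=/', $val); // To lock event handlers onAbort(), ...

    // Refuse ':' in its HTML-entity encodings (decimal &#58 with optional zero padding, hex &#x3A):
    // there is no reason to send it encoded, and it is the usual way to smuggle 'javascript:'
    // past the literal check below. The listing this came from showed the entities already
    // decoded ('/:|:|:/'), which would have rejected every plain colon (times, URLs, ...).
    $inj += preg_match('/&#0*58;?|&#x0*3a;?/i', $val);
    $inj += preg_match('/javascript:/i', $val);
    $inj += preg_match('/vbscript:/i', $val);

    // For XSS Injection done by adding javascript closing html tags like with onmousemove, etc... (closing a src or href tag with not cleaned param)
    if ($type === 1) {
        $inj += preg_match('/"/i', $val); // We refused " in GET parameters value
    }
    if ($type === 2) {
        $inj += preg_match('/[;"]/', $val); // PHP_SELF is a file system path. It can contains spaces.
    }
    return $inj;
}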
||
543 | |||
544 | /** |
||
545 | * Return true if security check on parameters are OK, false otherwise. |
||
546 | * |
||
547 | * @param string $var Variable name |
||
548 | * @param string $type 1=GET, 0=POST, 2=PHP_SELF |
||
549 | * @return boolean|null true if there is no injection. Stop code if injection found. |
||
550 | */ |
||
551 | function analyseVarsForSqlAndScriptsInjection(&$var, $type) |
||
565 | } |
||
566 | } |
||
567 | |||
568 | /** |
||
569 | * Phase authentication / login |
||
570 | * |
||
571 | * @return string |
||
572 | * @throws type |
||
573 | */ |
||
574 | function testLogin() |
||
1069 | } |
||
1070 | } |
||
1071 | } |
||
1072 |