gauvain/san-reymoros
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Tentative de régler le bordel

Browse Source
This commit is contained in:
Gauvain Boiché
2020-03-31 15:58:31 +02:00
parent a1864c0414
commit 459b46df7b
345 changed files with 10758 additions and 4066 deletions
Download Patch File Download Diff File Expand all files Collapse all files

219
phpbb/session.php
View File

@@ -250,8 +250,7 @@ class session
$ips = explode(' ', $this->forwarded_for);
foreach ($ips as $ip)
{
// check IPv4 first, the IPv6 is hopefully only going to be used very seldomly
if (!empty($ip) && !preg_match(get_preg_expression('ipv4'), $ip) && !preg_match(get_preg_expression('ipv6'), $ip))
if (!filter_var($ip, FILTER_VALIDATE_IP))
{
// contains invalid data, don't use the forwarded for header
$this->forwarded_for = '';
@@ -311,49 +310,17 @@ class session
foreach ($ips as $ip)
{
if (function_exists('phpbb_ip_normalise'))
// Normalise IP address
$ip = phpbb_ip_normalise($ip);
if ($ip === false)
{
// Normalise IP address
$ip = phpbb_ip_normalise($ip);
if (empty($ip))
{
// IP address is invalid.
break;
}
// IP address is valid.
$this->ip = $ip;
// Skip legacy code.
continue;
}
if (preg_match(get_preg_expression('ipv4'), $ip))
{
$this->ip = $ip;
}
else if (preg_match(get_preg_expression('ipv6'), $ip))
{
// Quick check for IPv4-mapped address in IPv6
if (stripos($ip, '::ffff:') === 0)
{
$ipv4 = substr($ip, 7);
if (preg_match(get_preg_expression('ipv4'), $ipv4))
{
$ip = $ipv4;
}
}
$this->ip = $ip;
}
else
{
// We want to use the last valid address in the chain
// Leave foreach loop when address is invalid
// IP address is invalid.
break;
}
// IP address is valid.
$this->ip = $ip;
}
$this->load = false;
@@ -478,8 +445,8 @@ class session
}
else
{
// Added logging temporarly to help debug bugs...
if (defined('DEBUG') && $this->data['user_id'] != ANONYMOUS)
// Added logging temporarily to help debug bugs...
if ($phpbb_container->getParameter('session.log_errors') && $this->data['user_id'] != ANONYMOUS)
{
if ($referer_valid)
{
@@ -987,72 +954,96 @@ class session
{
global $db, $config, $phpbb_container, $phpbb_dispatcher;
$batch_size = 10;
if (!$this->time_now)
{
$this->time_now = time();
}
// Firstly, delete guest sessions
/**
* Get expired sessions for registered users, only most recent for each user
* Inner SELECT gets most recent expired sessions for unique session_user_id
* Outer SELECT gets data for them
*/
$sql_select = 'SELECT s1.session_page, s1.session_user_id, s1.session_time AS recent_time
FROM ' . SESSIONS_TABLE . ' AS s1
INNER JOIN (
SELECT session_user_id, MAX(session_time) AS recent_time
FROM ' . SESSIONS_TABLE . '
WHERE session_time < ' . ($this->time_now - (int) $config['session_length']) . '
AND session_user_id <> ' . ANONYMOUS . '
GROUP BY session_user_id
) AS s2
ON s1.session_user_id = s2.session_user_id
AND s1.session_time = s2.recent_time';
switch ($db->get_sql_layer())
{
case 'sqlite3':
if (phpbb_version_compare($db->sql_server_info(true), '3.8.3', '>='))
{
// For SQLite versions 3.8.3+ which support Common Table Expressions (CTE)
$sql = "WITH s3 (session_page, session_user_id, session_time) AS ($sql_select)
UPDATE " . USERS_TABLE . '
SET (user_lastpage, user_lastvisit) = (SELECT session_page, session_time FROM s3 WHERE session_user_id = user_id)
WHERE EXISTS (SELECT session_user_id FROM s3 WHERE session_user_id = user_id)';
$db->sql_query($sql);
break;
}
// No break, for SQLite versions prior to 3.8.3 and Oracle
case 'oracle':
$result = $db->sql_query($sql_select);
while ($row = $db->sql_fetchrow($result))
{
$sql = 'UPDATE ' . USERS_TABLE . '
SET user_lastvisit = ' . (int) $row['recent_time'] . ", user_lastpage = '" . $db->sql_escape($row['session_page']) . "'
WHERE user_id = " . (int) $row['session_user_id'];
$db->sql_query($sql);
}
$db->sql_freeresult($result);
break;
case 'mysqli':
$sql = 'UPDATE ' . USERS_TABLE . " u,
($sql_select) s3
SET u.user_lastvisit = s3.recent_time, u.user_lastpage = s3.session_page
WHERE u.user_id = s3.session_user_id";
$db->sql_query($sql);
break;
default:
$sql = 'UPDATE ' . USERS_TABLE . "
SET user_lastvisit = s3.recent_time, user_lastpage = s3.session_page
FROM ($sql_select) s3
WHERE user_id = s3.session_user_id";
$db->sql_query($sql);
break;
}
// Delete all expired sessions
$sql = 'DELETE FROM ' . SESSIONS_TABLE . '
WHERE session_user_id = ' . ANONYMOUS . '
AND session_time < ' . (int) ($this->time_now - $config['session_length']);
WHERE session_time < ' . ($this->time_now - (int) $config['session_length']);
$db->sql_query($sql);
// Get expired sessions, only most recent for each user
$sql = 'SELECT session_user_id, session_page, MAX(session_time) AS recent_time
FROM ' . SESSIONS_TABLE . '
WHERE session_time < ' . ($this->time_now - $config['session_length']) . '
GROUP BY session_user_id, session_page';
$result = $db->sql_query_limit($sql, $batch_size);
// Update gc timer
$config->set('session_last_gc', $this->time_now, false);
$del_user_id = array();
$del_sessions = 0;
while ($row = $db->sql_fetchrow($result))
if ($config['max_autologin_time'])
{
$sql = 'UPDATE ' . USERS_TABLE . '
SET user_lastvisit = ' . (int) $row['recent_time'] . ", user_lastpage = '" . $db->sql_escape($row['session_page']) . "'
WHERE user_id = " . (int) $row['session_user_id'];
$db->sql_query($sql);
$del_user_id[] = (int) $row['session_user_id'];
$del_sessions++;
}
$db->sql_freeresult($result);
if (count($del_user_id))
{
// Delete expired sessions
$sql = 'DELETE FROM ' . SESSIONS_TABLE . '
WHERE ' . $db->sql_in_set('session_user_id', $del_user_id) . '
AND session_time < ' . ($this->time_now - $config['session_length']);
$sql = 'DELETE FROM ' . SESSIONS_KEYS_TABLE . '
WHERE last_login < ' . (time() - (86400 * (int) $config['max_autologin_time']));
$db->sql_query($sql);
}
if ($del_sessions < $batch_size)
{
// Less than 10 users, update gc timer ... else we want gc
// called again to delete other sessions
$config->set('session_last_gc', $this->time_now, false);
// only called from CRON; should be a safe workaround until the infrastructure gets going
/* @var \phpbb\captcha\factory $captcha_factory */
$captcha_factory = $phpbb_container->get('captcha.factory');
$captcha_factory->garbage_collect($config['captcha_plugin']);
if ($config['max_autologin_time'])
{
$sql = 'DELETE FROM ' . SESSIONS_KEYS_TABLE . '
WHERE last_login < ' . (time() - (86400 * (int) $config['max_autologin_time']));
$db->sql_query($sql);
}
// only called from CRON; should be a safe workaround until the infrastructure gets going
/* @var $captcha_factory \phpbb\captcha\factory */
$captcha_factory = $phpbb_container->get('captcha.factory');
$captcha_factory->garbage_collect($config['captcha_plugin']);
$sql = 'DELETE FROM ' . LOGIN_ATTEMPT_TABLE . '
WHERE attempt_time < ' . (time() - (int) $config['ip_login_limit_time']);
$db->sql_query($sql);
}
$sql = 'DELETE FROM ' . LOGIN_ATTEMPT_TABLE . '
WHERE attempt_time < ' . (time() - (int) $config['ip_login_limit_time']);
$db->sql_query($sql);
/**
* Event to trigger extension on session_gc
@@ -1077,7 +1068,7 @@ class session
*/
function set_cookie($name, $cookiedata, $cookietime, $httponly = true)
{
global $config;
global $config, $phpbb_dispatcher;
// If headers are already set, we just return
if (headers_sent())
@@ -1085,6 +1076,32 @@ class session
return;
}
$disable_cookie = false;
/**
* Event to modify or disable setting cookies
*
* @event core.set_cookie
* @var bool disable_cookie Set to true to disable setting this cookie
* @var string name Name of the cookie
* @var string cookiedata The data to hold within the cookie
* @var int cookietime The expiration time as UNIX timestamp
* @var bool httponly Use HttpOnly?
* @since 3.2.9-RC1
*/
$vars = array(
'disable_cookie',
'name',
'cookiedata',
'cookietime',
'httponly',
);
extract($phpbb_dispatcher->trigger_event('core.set_cookie', compact($vars)));
if ($disable_cookie)
{
return;
}
$name_data = rawurlencode($config['cookie_name'] . '_' . $name) . '=' . rawurlencode($cookiedata);
$expire = gmdate('D, d-M-Y H:i:s \\G\\M\\T', $cookietime);
$domain = (!$config['cookie_domain'] || $config['cookie_domain'] == '127.0.0.1' || strpos($config['cookie_domain'], '.') === false) ? '' : '; domain=' . $config['cookie_domain'];
@@ -1336,7 +1353,7 @@ class session
* Only IPv4 (rbldns does not support AAAA records/IPv6 lookups)
*
* @author satmd (from the php manual)
* @param string $mode register/post - spamcop for example is ommitted for posting
* @param string $mode register/post - spamcop for example is omitted for posting
* @param string|false $ip the IPv4 address to check
*
* @return false if ip is not blacklisted, else an array([checked server], [lookup])
@@ -1374,7 +1391,7 @@ class session
foreach ($dnsbl_check as $dnsbl => $lookup)
{
if (phpbb_checkdnsrr($reverse_ip . '.' . $dnsbl . '.', 'A') === true)
if (checkdnsrr($reverse_ip . '.' . $dnsbl . '.', 'A') === true)
{
$info = array($dnsbl, $lookup . $ip);
}
@@ -1395,7 +1412,7 @@ class session
/**
* Check if URI is blacklisted
* This should be called only where absolutly necessary, for example on the submitted website field
* This should be called only where absolutely necessary, for example on the submitted website field
* This function is not in use at the moment and is only included for testing purposes, it may not work at all!
* This means it is untested at the moment and therefore commented out
*
@@ -1418,7 +1435,7 @@ class session
{
// One problem here... the return parameter for the "windows" method is different from what
// we expect... this may render this check useless...
if (phpbb_checkdnsrr($uri . '.multi.uribl.com.', 'A') === true)
if (checkdnsrr($uri . '.multi.uribl.com.', 'A') === true)
{
return true;
}