summaryrefslogtreecommitdiff
path: root/includes/fix.inc.php
diff options
context:
space:
mode:
Diffstat (limited to 'includes/fix.inc.php')
-rw-r--r--includes/fix.inc.php205
1 files changed, 205 insertions, 0 deletions
diff --git a/includes/fix.inc.php b/includes/fix.inc.php
new file mode 100644
index 0000000..1ba5229
--- /dev/null
+++ b/includes/fix.inc.php
@@ -0,0 +1,205 @@
+<?php
+
+/*
+ * This file is meant to add every hack that is needed to fix default PHP
+ * behaviours, and to ensure that our PHP env will be able to run flyspray
+ * correctly.
+ *
+ */
+ini_set('display_errors', 1);
+
+// html errors will mess the layout
+ini_set('html_errors', 0);
+
+//error_reporting(E_ALL);
+if(version_compare(PHP_VERSION, '7.2.0') >= 0) {
+ # temporary for php7.2+ (2017-11-30)
+ # not all parts of Flyspray and 3rd party libs like ADODB 5.20.9 not yet 'since-php7.2-deprecated'-ready
+ error_reporting(E_ALL & ~E_STRICT & ~E_DEPRECATED);
+}else{
+ error_reporting(E_ALL & ~E_STRICT);
+}
+// our default charset
+
+ini_set('default_charset','utf-8');
+
+// This to stop PHP being retarded and using the '&' char for session id delimiters
+ini_set('arg_separator.output','&amp;');
+
+// no transparent session id improperly configured servers
+if (isset($_SERVER['REQUEST_URI']) && strpos($_SERVER['REQUEST_URI'], '/setup/') === false) // Skip installer, as it starts the session before calling fix.inc.php causing a warning as this can't be used when a session is already active
+ ini_set('session.use_trans_sid', 0);
+
+//see http://php.net/manual/en/ref.session.php#ini.session.use-only-cookies
+ini_set('session.use_only_cookies',1);
+
+//no session auto start
+ini_set('session.auto_start',0);
+
+/*this stops most cookie attacks via XSS at the interpreter level
+* see http://msdn.microsoft.com/workshop/author/dhtml/httponly_cookies.asp
+* supported by IE 6 SP1, Safari, Konqueror, Opera, silently ignored by others
+* ( sadly, including firefox) available since PHP 5.2.0
+ */
+
+ini_set('session.cookie_httponly',1);
+
+// use stronger entropy in sessions whenever possible
+ini_set('session.entropy_file', '/dev/urandom');
+ini_set('session.entropy_length', 16);
+// use sha-1 for sessions
+ini_set('session.hash_function',1);
+
+ini_set('auto_detect_line_endings', 0);
+
+# for using stronger blowfish hashing functions also with php5.3 < yourphpversion < php5.5
+# minimal php5.3.8 recommended, see https://github.com/ircmaxell/password_compat
+if(!function_exists('password_hash')){
+ require_once dirname(__FILE__).'/password_compat.php';
+}
+
+# for php < php.5.6
+if(!function_exists('hash_equals')) {
+ function hash_equals($str1, $str2) {
+ if(strlen($str1) != strlen($str2)) {
+ return false;
+ } else {
+ $res = $str1 ^ $str2;
+ $ret = 0;
+ for($i = strlen($res) - 1; $i >= 0; $i--) $ret |= ord($res[$i]);
+ return !$ret;
+ }
+ }
+}
+
+
+ini_set('include_path', join( PATH_SEPARATOR, array(
+ dirname(__FILE__) . '/external' ,
+ ini_get('include_path'))));
+
+
+if(count($_GET)) {
+ foreach ($_GET as $key => $value) {
+ if(is_array($value))
+ $_GET[$key] = filter_input(INPUT_GET, $key, FILTER_UNSAFE_RAW, FILTER_REQUIRE_ARRAY);
+ else
+ $_GET[$key] = filter_input(INPUT_GET, $key, FILTER_UNSAFE_RAW);
+ }
+}
+if(count($_POST)) {
+ foreach ($_POST as $key => $value) {
+ if(is_array($value))
+ $_POST[$key] = filter_input(INPUT_POST, $key, FILTER_UNSAFE_RAW, FILTER_REQUIRE_ARRAY);
+ else
+ $_POST[$key] = filter_input(INPUT_POST, $key, FILTER_UNSAFE_RAW);
+ }
+}
+if(count($_COOKIE)) {
+ foreach ($_COOKIE as $key => $value) {
+ if(is_array($value))
+ $_COOKIE[$key] = filter_input(INPUT_COOKIE, $key, FILTER_UNSAFE_RAW, FILTER_REQUIRE_ARRAY);
+ else
+ $_COOKIE[$key] = filter_input(INPUT_COOKIE, $key, FILTER_UNSAFE_RAW);
+ }
+}
+if(isset($_SESSION) && is_array($_SESSION) && count($_SESSION)) {
+ foreach ($_SESSION as $key => $value) {
+ if(is_array($value))
+ $_SESSION[$key] = filter_input(INPUT_SESSION, $key, FILTER_UNSAFE_RAW, FILTER_REQUIRE_ARRAY);
+ else
+ $_SESSION[$key] = filter_input(INPUT_SESSION, $key, FILTER_UNSAFE_RAW);
+ }
+}
+
+
+// This is for retarded Windows servers not having REQUEST_URI
+
+if (!isset($_SERVER['REQUEST_URI']))
+{
+ if (isset($_SERVER['SCRIPT_NAME'])) {
+ $_SERVER['REQUEST_URI'] = $_SERVER['SCRIPT_NAME'];
+ }
+ else {
+ // this is tained now.
+ $_SERVER['REQUEST_URI'] = $_SERVER['PHP_SELF'];
+ }
+
+ if (isset($_SERVER['QUERY_STRING'])) {
+ $_SERVER['REQUEST_URI'] .= '?'.$_SERVER['QUERY_STRING'];
+ }
+}
+
+if (!isset($_SERVER['QUERY_STRING']))
+{
+ $_SERVER['QUERY_STRING'] = '';
+}
+
+
+/**
+ * Replace glob() since this function is apparently
+ * disabled for no apparent reason ("security") on some systems
+ *
+ * @see glob()
+ * @require PHP 4.3.0 (fnmatch)
+ * @todo is this still required?
+ */
+function glob_compat($pattern, $flags = 0) {
+
+ $split = explode('/', $pattern);
+ $match = array_pop($split);
+ $path = implode('/', $split);
+ if (($dir = opendir($path)) !== false) {
+ $glob = array();
+ while (($file = readdir($dir)) !== false) {
+ if (fnmatch($match, $file)) {
+ if (is_dir("$path/$file") || !($flags & GLOB_ONLYDIR)) {
+ if ($flags & GLOB_MARK) $file .= '/';
+ $glob[] = $file;
+ }
+ }
+ }
+ closedir($dir);
+ if (!($flags & GLOB_NOSORT)) sort($glob);
+ return $glob;
+ }
+ return false;
+}
+
+// now for all those borked PHP installations...
+// TODO still required. Enabled by default since 4.2
+if (!function_exists('ctype_alnum')) {
+ function ctype_alnum($text) {
+ return is_string($text) && preg_match('/^[a-z0-9]+$/iD', $text);
+ }
+}
+if (!function_exists('ctype_digit')) {
+ function ctype_digit($text) {
+ return is_string($text) && preg_match('/^[0-9]+$/iD', $text);
+ }
+}
+
+if(!isset($_SERVER['SERVER_NAME']) && php_sapi_name() === 'cli') {
+ $_SERVER['SERVER_NAME'] = php_uname('n');
+}
+
+//for reasons outside flsypray, the PHP core may throw Exceptions in PHP5
+// for a good example see this article
+// http://ilia.ws/archives/107-Another-unserialize-abuse.html
+
+function flyspray_exception_handler($exception) {
+ // Sometimes it helps removing temporary comments from the following three lines.
+ // echo "<pre>";
+ // var_dump(debug_backtrace());
+ // echo "</pre>";
+ die("Completely unexpected exception: " .
+ htmlspecialchars($exception->getMessage(),ENT_QUOTES, 'utf-8') . "<br/>" .
+ "This should <strong> never </strong> happend, please inform Flyspray Developers");
+
+}
+
+set_exception_handler('flyspray_exception_handler');
+
+
+// We don't need session IDs in URLs
+output_reset_rewrite_vars();
+