X-Git-Url: https://delta.frontaccounting.com/gitweb/?a=blobdiff_plain;ds=sidebyside;f=includes%2Fsession.inc;h=d9fd8c305724cbabd3d34efa96a9f711ac164b58;hb=1ea749c4abfe081bd7f1b4b11c65a61b311a189e;hp=b5cb1e2ea3637ed5efe47a321cf8f6e8c2dc1549;hpb=5e63c6ace55729bbb5ee3b060035a25a4426eb0a;p=fa-stable.git
diff --git a/includes/session.inc b/includes/session.inc
index b5cb1e2e..d9fd8c30 100644
--- a/includes/session.inc
+++ b/includes/session.inc
@@ -240,7 +240,8 @@ function check_page_security($page_security)
 _("Security settings have not been defined for your user account.") . "
" . _("Please contact your system administrator.") : _("Please remove \$security_groups and \$security_headings arrays from config.php file!");
- } elseif (!$_SESSION['SysPrefs']->db_ok && !$_SESSION["wa_current_user"]->can_access('SA_SOFTWAREUPGRADE')) {
+ } elseif (!$_SESSION['SysPrefs']->db_ok && !$_SESSION["wa_current_user"]->can_access('SA_SOFTWAREUPGRADE'))
+ {
 $msg = _('Access to application has been blocked until database upgrade is completed by system administrator.');
 }
@@ -309,14 +310,25 @@ function strip_quotes($data)
 return $data;
 }
+/*
+ htmlspecialchars does not support certain encodings.
+ ISO-8859-2 fortunately has the same special characters positions as
+ ISO-8859-1, so fix is easy. If any other unsupported encoding is used,
+ add workaround here.
+*/
+function html_specials_encode($str)
+{
+ return htmlspecialchars($str, ENT_QUOTES, $_SESSION['language']->encoding=='iso-8859-2' ?
+ 'ISO-8859-1' : $_SESSION['language']->encoding);
+}
+
 function html_cleanup(&$parms)
 {
 foreach($parms as $name => $value) {
-// $value = @html_entity_decode($value, ENT_QUOTES, $_SESSION['language']->encoding);
 if (is_array($value))
 html_cleanup($parms[$name]);
 else
- $parms[$name] = @htmlspecialchars($value, ENT_QUOTES, $_SESSION['language']->encoding=='iso-8859-2' ? 'ISO-8859-1' : $_SESSION['language']->encoding);
+ $parms[$name] = html_specials_encode($value);
 }
 reset($parms); // needed for direct key() usage later throughout the sources
 }
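Review bot: The new `html_specials_encode()` (defined right after `strip_quotes()`) gives no hint that `htmlspecialchars()` called with only `ENT_QUOTES` returns an empty string when `$str` is not a valid byte sequence in the selected charset, so through `html_cleanup()` a single malformed byte silently empties the whole request value; a docblock such as `/** Entity-encode $str for HTML output in the session language's charset; returns '' when $str is not valid in that charset (ENT_QUOTES only, no ENT_SUBSTITUTE). */` would make that contract visible to callers. The `=='iso-8859-2'` comparison is also case-sensitive, so a language pack declaring `ISO-8859-2` skips the workaround and hands `htmlspecialchars()` the very charset the header comment says it cannot handle; `strcasecmp($_SESSION['language']->encoding, 'iso-8859-2') == 0 ? 'ISO-8859-1' : $_SESSION['language']->encoding` closes that gap. Dropping the `@` that the old call had, here and in the `@@ -504,8 +515,7 @@` hunk, means an encoding `htmlspecialchars()` does not recognise now raises a warning on every call; if that is intended it deserves one line in the header comment so nobody re-adds the suppression.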
@@ -342,16 +354,6 @@ if (!isset($path_to_root))
 $path_to_root = ".";
 }
-//----------------------------------------------------------------------------------------
-// set to reasonable values if not set in config file (pre-2.3.12 installations)
-
-if ((!isset($SysPrefs->login_delay)) || ($SysPrefs->login_delay < 0))
- $SysPrefs->login_delay = 10;
-
-if ((!isset($SysPrefs->login_max_attempts)) || ($SysPrefs->login_max_attempts < 0))
- $SysPrefs->login_max_attempts = 3;
-
-
 // Prevent register_globals vulnerability
 if (isset($_GET['path_to_root']) || isset($_POST['path_to_root']))
 die("Restricted access");
@@ -383,6 +385,15 @@ $_SESSION['SysPrefs'] = new sys_prefs();
 $SysPrefs = &$_SESSION['SysPrefs'];
+//----------------------------------------------------------------------------------------
+// set to reasonable values if not set in config file (pre-2.3.12 installations)
+
+if ((!isset($SysPrefs->login_delay)) || ($SysPrefs->login_delay < 0))
+ $SysPrefs->login_delay = 10;
+
+if ((!isset($SysPrefs->login_max_attempts)) || ($SysPrefs->login_max_attempts < 0))
+ $SysPrefs->login_max_attempts = 3;
+
 if ($SysPrefs->go_debug > 0)
 error_reporting(-1);
 else
@@ -504,8 +515,7 @@ if (!defined('FA_LOGOUT_PHP_FILE')){
 { // strip ajax marker from uri, to force synchronous page reload
 $_SESSION['timeout'] = array( 'uri'=>preg_replace('/JsHttpRequest=(?:(\d+)-)?([^&]+)/s',
- '', @htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES, $_SESSION['language']->encoding=='iso-8859-2'
- ? 'ISO-8859-1' : $_SESSION['language']->encoding)),
+ '', html_specials_encode($_SERVER['REQUEST_URI'])),
 'post' => $_POST);
 include($path_to_root . "/access/login.php");
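Review bot: In the `@@ -504,8 +515,7 @@` hunk `html_specials_encode()` applies HTML-context escaping to `$_SERVER['REQUEST_URI']` before the value is parked in `$_SESSION['timeout']['uri']`, so the stored string is only correct to reuse where it is emitted as HTML (a form action or body text); if `access/login.php`, or whatever later replays the saved request, also places it in a `Location:` header or compares it against a raw URI, the `&amp;` and `&#039;` forms are wrong for that context, which cannot be confirmed from this hunk. A short comment at the assignment, such as `// uri is stored HTML-escaped (presumably for re-emission in the login form); do not reuse it for redirects or raw comparisons`, would pin the intended use and stop the escaped value from drifting into a header. The enclosing block and the function that contains this `array(...)` assignment start outside the hunk.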