X-Git-Url: https://delta.frontaccounting.com/gitweb/?a=blobdiff_plain;f=includes%2Fsession.inc;h=d8a82f8bd0699087dae83f27ff70d1fc1bf3a6fb;hb=cfaa5cec1f5137bcc1599a4306879e3265d1dacd;hp=b5cb1e2ea3637ed5efe47a321cf8f6e8c2dc1549;hpb=5e63c6ace55729bbb5ee3b060035a25a4426eb0a;p=fa-stable.git
diff --git a/includes/session.inc b/includes/session.inc
index b5cb1e2e..d8a82f8b 100644
--- a/includes/session.inc
+++ b/includes/session.inc
@@ -240,7 +240,8 @@ function check_page_security($page_security)
 _("Security settings have not been defined for your user account.") . "
" . _("Please contact your system administrator.") : _("Please remove \$security_groups and \$security_headings arrays from config.php file!"); - } elseif (!$_SESSION['SysPrefs']->db_ok && !$_SESSION["wa_current_user"]->can_access('SA_SOFTWAREUPGRADE')) { + } elseif (!$SysPrefs->db_ok && !$_SESSION["wa_current_user"]->can_access('SA_SOFTWAREUPGRADE')) + { $msg = _('Access to application has been blocked until database upgrade is completed by system administrator.'); } @@ -261,7 +262,7 @@ function check_page_security($page_security) end_page(@$_REQUEST['popup']); exit; } - if (!$_SESSION['SysPrefs']->db_ok + if (!$SysPrefs->db_ok && !in_array($page_security, array('SA_SOFTWAREUPGRADE', 'SA_OPEN', 'SA_BACKUP'))) { display_error(_('System is blocked after source upgrade until database is updated on System/Software Upgrade page')); @@ -309,14 +310,25 @@ function strip_quotes($data) return $data; } +/* + htmlspecialchars does not support certain encodings. + ISO-8859-2 fortunately has the same special characters positions as + ISO-8859-1, so fix is easy. If any other unsupported encoding is used, + add workaround here. +*/ +function html_specials_encode($str) +{ + return htmlspecialchars($str, ENT_QUOTES, $_SESSION['language']->encoding=='iso-8859-2' ? + 'ISO-8859-1' : $_SESSION['language']->encoding); +} + function html_cleanup(&$parms) { foreach($parms as $name => $value) { -// $value = @html_entity_decode($value, ENT_QUOTES, $_SESSION['language']->encoding); if (is_array($value)) html_cleanup($parms[$name]); else - $parms[$name] = @htmlspecialchars($value, ENT_QUOTES, $_SESSION['language']->encoding=='iso-8859-2' ? 'ISO-8859-1' : $_SESSION['language']->encoding); + $parms[$name] = html_specials_encode($value); } reset($parms); // needed for direct key() usage later throughout the sources } 
@@ -342,16 +354,6 @@ if (!isset($path_to_root))
 $path_to_root = ".";
 }
-//----------------------------------------------------------------------------------------
-// set to reasonable values if not set in config file (pre-2.3.12 installations)
-
-if ((!isset($SysPrefs->login_delay)) || ($SysPrefs->login_delay < 0))
- $SysPrefs->login_delay = 10;
-
-if ((!isset($SysPrefs->login_max_attempts)) || ($SysPrefs->login_max_attempts < 0))
- $SysPrefs->login_max_attempts = 3;
-
-
 // Prevent register_globals vulnerability
 if (isset($_GET['path_to_root']) || isset($_POST['path_to_root']))
 die("Restricted access");
@@ -378,11 +380,22 @@ foreach ($installed_extensions as $ext)
 if (file_exists($path_to_root.'/'.$ext['path'].'/hooks.php'))
 include_once($path_to_root.'/'.$ext['path'].'/hooks.php');
 }
+$Session_manager = new SessionManager();
+$Session_manager->sessionStart('FA'.md5(dirname(__FILE__)));
 $_SESSION['SysPrefs'] = new sys_prefs();
 $SysPrefs = &$_SESSION['SysPrefs'];
+//----------------------------------------------------------------------------------------
+// set to reasonable values if not set in config file (pre-2.3.12 installations)
+
+if ((!isset($SysPrefs->login_delay)) || ($SysPrefs->login_delay < 0))
+ $SysPrefs->login_delay = 10;
+
+if ((!isset($SysPrefs->login_max_attempts)) || ($SysPrefs->login_max_attempts < 0))
+ $SysPrefs->login_max_attempts = 3;
+
 if ($SysPrefs->go_debug > 0)
 error_reporting(-1);
 else
@@ -407,9 +420,6 @@ ini_set('session.gc_maxlifetime', 36000); // 10hrs
 hook_session_start(@$_POST["company_login_name"]);
-$Session_manager = new SessionManager();
-$Session_manager->sessionStart('FA'.md5(dirname(__FILE__)));
-
 // this is to fix the "back-do-you-want-to-refresh" issue - thanx PHPFreaks
 header("Cache-control: private");
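Review bot: Starting the session at the two added `$Session_manager` lines places `sessionStart()` ahead of `ini_set('session.gc_maxlifetime', 36000)` and `hook_session_start(...)`, which on the new side remain at about line 420 (visible as context in the last hunk below, where the old sessionStart was removed), so neither can still influence the session that is already open for this request. The GC lifetime set after session_start() has no effect on the collection already run at start, and if extensions use hook_session_start to set a per-company save path or handler (its body is not in this diff, so this is inferred), those settings now land on a session that has already been opened with the defaults. If the move is needed so that `$_SESSION['SysPrefs']` can be assigned immediately afterwards, bring the `ini_set` and the `hook_session_start(@$_POST["company_login_name"]);` call up to just above the two added lines rather than leaving them at their old position. A comment such as `// session must be open before $_SESSION['SysPrefs'] is populated below; keep all session configuration above this line` would protect the ordering from the next refactor.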
@@ -504,8 +514,7 @@ if (!defined('FA_LOGOUT_PHP_FILE')){
 {
 // strip ajax marker from uri, to force synchronous page reload
 $_SESSION['timeout'] = array( 'uri'=>preg_replace('/JsHttpRequest=(?:(\d+)-)?([^&]+)/s',
- '', @htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES, $_SESSION['language']->encoding=='iso-8859-2'
- ? 'ISO-8859-1' : $_SESSION['language']->encoding)),
+ '', html_specials_encode($_SERVER['REQUEST_URI'])),
 'post' => $_POST);
 include($path_to_root . "/access/login.php");
@@ -544,18 +553,20 @@ if (!defined('FA_LOGOUT_PHP_FILE')){
 $lang->set_language($_SESSION['language']->code);
 }
 } else
- { set_global_connection();
- if (db_fixed())
- db_set_encoding($_SESSION['language']->encoding);
- }
+ {
+ set_global_connection();
+
+ if (db_fixed())
+ db_set_encoding($_SESSION['language']->encoding);
+ $SysPrefs->refresh();
+ }
 if (!isset($_SESSION["App"]))
 {
 $_SESSION["App"] = new front_accounting();
 $_SESSION["App"]->init();
 }
 }
-
 // POST vars cleanup needed for direct reuse.
 // We quote all values later with db_escape() before db update.
 $_POST = strip_quotes($_POST);
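Review bot: The `uri` kept for post-login replay is HTML-escaped at capture time via `html_specials_encode($_SERVER['REQUEST_URI'])`, which is only correct if the consumer (access/login.php is included on the next line but not shown) writes it into HTML; if it is ever used in a `Location:` header or as a raw URL, the `&amp;` produced here corrupts the query string, and if it is printed into HTML the escaping belongs at that output point. Because REQUEST_URI is supplied by the client, whatever consumes the stored value should also treat it as a path within this application and not as an arbitrary URL, e.g. `if (strncmp($uri, '/', 1) !== 0 || strncmp($uri, '//', 2) === 0) $uri = $path_to_root.'/index.php';` or an equivalent check before using it as a redirect target. `'post' => $_POST` copies every submitted field of the timed-out request into the session, so any sensitive field present at that moment is retained for the session's lifetime; dropping known-sensitive keys before storing is cheap. The enclosing `if` that opens with the `{` context line starts outside the hunk.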
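Review bot: `$SysPrefs->refresh()` is invoked right after `set_global_connection()` with no check that the connection was actually established and no visible error handling; if refresh() queries the database (its body is not in this diff) a failed connection will surface as an error from inside refresh rather than at the call that failed. The login-throttle fallbacks assigned to `$SysPrefs->login_delay` and `login_max_attempts` earlier in this file are set before this point, so please confirm that refresh() does not re-read the raw config and discard them, otherwise pre-2.3.12 installs would lose the login delay exactly once a company connection is open. A one-line comment such as `// reload company prefs now that the DB connection is open; must keep the login_* fallbacks set above` would make the dependency explicit. The `if (!defined('FA_LOGOUT_PHP_FILE'))` block and the `if` whose `else` branch this is both begin outside the hunk.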