X-Git-Url: https://delta.frontaccounting.com/gitweb/?a=blobdiff_plain;f=includes%2Fsession.inc;h=d9fd8c305724cbabd3d34efa96a9f711ac164b58;hb=1ea749c4abfe081bd7f1b4b11c65a61b311a189e;hp=6e783373f94d7d8982767a2357e1de31b6c98864;hpb=e995fe17b02ab69e4223b0f643ec9ab365c58b87;p=fa-stable.git diff --git a/includes/session.inc b/includes/session.inc index 6e783373..d9fd8c30 100644 --- a/includes/session.inc +++ b/includes/session.inc @@ -175,11 +175,11 @@ function password_reset_success() function check_faillog() { - global $login_delay, $login_faillog, $login_max_attempts; + global $SysPrefs, $login_faillog; $user = $_SESSION["wa_current_user"]->user; - if (@$login_delay && (@$login_faillog[$user][$_SERVER['REMOTE_ADDR']] >= @$login_max_attempts) && (time() < $login_faillog[$user]['last'] + $login_delay)) + if (@$SysPrefs->login_delay && (@$login_faillog[$user][$_SERVER['REMOTE_ADDR']] >= @$SysPrefs->login_max_attempts) && (time() < $login_faillog[$user]['last'] + $SysPrefs->login_delay)) return true; return false; @@ -190,7 +190,7 @@ function check_faillog() */ function write_login_filelog($login, $result) { - global $login_faillog, $login_max_attempts, $path_to_root; + global $login_faillog, $SysPrefs, $path_to_root; $user = $_SESSION["wa_current_user"]->user; @@ -201,7 +201,7 @@ function write_login_filelog($login, $result) if (!$result) { - if ($login_faillog[$user][$ip] < @$login_max_attempts) { + if ($login_faillog[$user][$ip] < @$SysPrefs->login_max_attempts) { $login_faillog[$user][$ip]++; } else { @@ -219,7 +219,7 @@ function write_login_filelog($login, $result) $filename = $path_to_root."/tmp/faillog.php"; - if ((!file_exists($filename) && is_writable($path_to_root)) || is_writable($filename)) + if ((!file_exists($filename) && is_writable($path_to_root.'/tmp')) || is_writable($filename)) { file_put_contents($filename, $msg); } @@ -240,7 +240,8 @@ function check_page_security($page_security) _("Security settings have not been defined for your user account.") . "
" . _("Please contact your system administrator.") : _("Please remove \$security_groups and \$security_headings arrays from config.php file!"); - } elseif (!$_SESSION['SysPrefs']->db_ok && !$_SESSION["wa_current_user"]->can_access('SA_SOFTWAREUPGRADE')) { + } elseif (!$_SESSION['SysPrefs']->db_ok && !$_SESSION["wa_current_user"]->can_access('SA_SOFTWAREUPGRADE')) + { $msg = _('Access to application has been blocked until database upgrade is completed by system administrator.'); } @@ -309,14 +310,25 @@ function strip_quotes($data) return $data; } +/* + htmlspecialchars does not support certain encodings. + ISO-8859-2 fortunately has the same special characters positions as + ISO-8859-1, so fix is easy. If any other unsupported encoding is used, + add workaround here. +*/ +function html_specials_encode($str) +{ + return htmlspecialchars($str, ENT_QUOTES, $_SESSION['language']->encoding=='iso-8859-2' ? + 'ISO-8859-1' : $_SESSION['language']->encoding); +} + function html_cleanup(&$parms) { foreach($parms as $name => $value) { -// $value = @html_entity_decode($value, ENT_QUOTES, $_SESSION['language']->encoding); if (is_array($value)) html_cleanup($parms[$name]); else - $parms[$name] = @htmlspecialchars($value, ENT_QUOTES, $_SESSION['language']->encoding); + $parms[$name] = html_specials_encode($value); } reset($parms); // needed for direct key() usage later throughout the sources } @@ -342,16 +354,6 @@ if (!isset($path_to_root)) $path_to_root = "."; } -//---------------------------------------------------------------------------------------- -// set to reasonable values if not set in config file (pre-2.3.12 installations) - -if ((!isset($login_delay)) || ($login_delay < 0)) - $login_delay = 10; - -if ((!isset($login_max_attempts)) || ($login_max_attempts < 0)) - $login_max_attempts = 3; - - // Prevent register_globals vulnerability if (isset($_GET['path_to_root']) || isset($_POST['path_to_root'])) die("Restricted access"); @@ -363,7 +365,7 @@ set_error_handler('error_handler' /*, errtypes */); include_once($path_to_root . "/includes/current_user.inc"); include_once($path_to_root . "/frontaccounting.php"); include_once($path_to_root . "/admin/db/security_db.inc"); -include_once($path_to_root . "/includes/lang/language.php"); +include_once($path_to_root . "/includes/lang/language.inc"); include_once($path_to_root . "/config_db.php"); include_once($path_to_root . "/includes/ajax.inc"); include_once($path_to_root . "/includes/ui/ui_msgs.inc"); @@ -379,6 +381,32 @@ foreach ($installed_extensions as $ext) include_once($path_to_root.'/'.$ext['path'].'/hooks.php'); } +$_SESSION['SysPrefs'] = new sys_prefs(); + +$SysPrefs = &$_SESSION['SysPrefs']; + +//---------------------------------------------------------------------------------------- +// set to reasonable values if not set in config file (pre-2.3.12 installations) + +if ((!isset($SysPrefs->login_delay)) || ($SysPrefs->login_delay < 0)) + $SysPrefs->login_delay = 10; + +if ((!isset($SysPrefs->login_max_attempts)) || ($SysPrefs->login_max_attempts < 0)) + $SysPrefs->login_max_attempts = 3; + +if ($SysPrefs->go_debug > 0) + error_reporting(-1); +else + error_reporting(E_USER_WARNING|E_USER_ERROR|E_USER_NOTICE); +ini_set("display_errors", "On"); + +if ($SysPrefs->error_logfile != '') { + ini_set("error_log", $SysPrefs->error_logfile); + ini_set("ignore_repeated_errors", "On"); + ini_set("log_errors", "On"); +} + + /* Uncomment the setting below when using FA on shared hosting to avoid unexpeced session timeouts. @@ -388,20 +416,22 @@ foreach ($installed_extensions as $ext) ini_set('session.gc_maxlifetime', 36000); // 10hrs +hook_session_start(@$_POST["company_login_name"]); + $Session_manager = new SessionManager(); $Session_manager->sessionStart('FA'.md5(dirname(__FILE__))); // this is to fix the "back-do-you-want-to-refresh" issue - thanx PHPFreaks header("Cache-control: private"); -include_once($path_to_root . "/config.php"); get_text_init(); -if ($login_delay > 0) +if ($SysPrefs->login_delay > 0) @include_once($path_to_root . "/tmp/faillog.php"); // Page Initialisation -if (!isset($_SESSION['language']) || !method_exists($_SESSION['language'], 'set_language')) +if (!isset($_SESSION['wa_current_user']) || !$_SESSION['wa_current_user']->logged_in() + || !isset($_SESSION['language']) || !method_exists($_SESSION['language'], 'set_language')) { $l = array_search_value($dflt_lang, $installed_languages, 'code'); $_SESSION['language'] = new language($l['name'], $l['code'], $l['encoding'], @@ -414,6 +444,7 @@ $_SESSION['language']->set_language($_SESSION['language']->code); include_once($path_to_root . "/includes/access_levels.inc"); include_once($path_to_root . "/version.php"); include_once($path_to_root . "/includes/main.inc"); +include_once($path_to_root . "/includes/app_entries.inc"); // Ajax communication object $Ajax = new Ajax(); @@ -452,7 +483,7 @@ if (!defined('FA_LOGOUT_PHP_FILE')){ if (!$_SESSION["wa_current_user"]->logged_in()) { - if (@$allow_password_reset && !$allow_demo_mode + if (@$SysPrefs->allow_password_reset && !$SysPrefs->allow_demo_mode && (isset($_GET['reset']) || isset($_POST['email_entry_field']))) { if (!isset($_POST["email_entry_field"])) { include($path_to_root . "/access/password_reset.php"); @@ -484,7 +515,7 @@ if (!defined('FA_LOGOUT_PHP_FILE')){ { // strip ajax marker from uri, to force synchronous page reload $_SESSION['timeout'] = array( 'uri'=>preg_replace('/JsHttpRequest=(?:(\d+)-)?([^&]+)/s', - '', @htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES, $_SESSION['language']->encoding)), + '', html_specials_encode($_SERVER['REQUEST_URI'])), 'post' => $_POST); include($path_to_root . "/access/login.php"); @@ -523,7 +554,10 @@ if (!defined('FA_LOGOUT_PHP_FILE')){ $lang->set_language($_SESSION['language']->code); } } else - set_global_connection(); + { set_global_connection(); + if (db_fixed()) + db_set_encoding($_SESSION['language']->encoding); + } if (!isset($_SESSION["App"])) { $_SESSION["App"] = new front_accounting(); @@ -531,10 +565,7 @@ if (!defined('FA_LOGOUT_PHP_FILE')){ } } -$SysPrefs = &$_SESSION['SysPrefs']; // POST vars cleanup needed for direct reuse. // We quote all values later with db_escape() before db update. $_POST = strip_quotes($_POST); - -?>