Merge lp:~dangarner/xibo/396735 into lp:xibo/1.0

Proposed by Dan Garner
Status: Merged
Merged at revision: not available
Proposed branch: lp:~dangarner/xibo/396735
Merge into: lp:xibo/1.0
Diff against target: None lines
To merge this branch: bzr merge lp:~dangarner/xibo/396735
Reviewer Review Type Date Requested Status
Xibo Maintainters Pending
Review via email: mp+8784@code.launchpad.net


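--- a/server/lib/app/session.class.php
+++ b/server/lib/app/session.class.php
@@ -29,7 +29,8 @@
 
 public $isExpired = 1;
 
- function __construct(database $db) {
+ function __construct(database $db)
+ {
 $this->db =& $db;
 
 session_set_save_handler(array(&$this, 'open'),
@@ -64,38 +65,27 @@
 {
 $db =& $this->db;
 
- $userAgent = $_SERVER['HTTP_USER_AGENT'];
- $remoteAddr = $_SERVER['REMOTE_ADDR'];
+ $userAgent = Kit::GetParam('HTTP_USER_AGENT', $_SERVER, _STRING, 'No user agent');
+ $remoteAddr = Kit::GetParam('REMOTE_ADDR', $_SERVER, _STRING);
+ $securityToken = Kit::GetParam('SecurityToken', _POST, _STRING, null);
 
 $this->key = $key;
 $newExp = time() + $this->max_lifetime;
 
 $this->gc($this->max_lifetime);
 
- if(isset($_POST['SecurityToken']))
- {
- $securityToken = validate($_POST['SecurityToken']);
-
- if (!$securityToken)
- {
- log_entry($db, "error", "Invalid Security Token");
- $securityToken = null;
- }
- }
- else
- {
- $securityToken = null;
- }
-
+ // Get this session
 $SQL = " SELECT session_data, IsExpired, SecurityToken FROM session ";
- $SQL .= " WHERE session_id = '$key' ";
- $SQL .= " AND RemoteAddr = '$remoteAddr' ";
-
- if (!$result = $db->query($SQL));
+ $SQL .= " WHERE session_id = '%s' ";
+ $SQL .= " AND UserAgent = '%s' ";
+
+ $SQL = sprintf($SQL, $db->escape_string($key), $db->escape_string($userAgent));
+
+ $result = $db->query($SQL);
 
 if ($db->num_rows($result) != 0)
 {
-
+ // Get the row
 $row = $db->get_row($result);
 
 // We have the Key and the Remote Address.
@@ -109,10 +99,10 @@
 // We have a security token, so dont require a login
 $this->isExpired = 0;
 
- if (!$db->query("UPDATE session SET session_expiration = $newExp, isExpired = 0 WHERE session_id = '$key' "))
+ if (!$db->query(sprintf("UPDATE session SET session_expiration = $newExp, isExpired = 0 WHERE session_id = '%s' ", $db->escape_string($key))))
 {
 log_entry($db, "error", $db->error());
- }
+ }
 }
 else
 {
@@ -123,49 +113,55 @@
 }
 
 // Either way - update this SESSION so that the security token is NULL
- $db->query("UPDATE session SET SecurityToken = NULL WHERE session_id = '$key' ");
+ $db->query(sprintf("UPDATE session SET SecurityToken = NULL WHERE session_id = '%s' ", $db->escape_string($key)));
 
 return($row[0]);
 }
- else {
+ else
+ {
 $empty = '';
 return settype($empty, "string");
 }
 }
 
- function write($key, $val) {
-
- $db =& $this->db;
-
- $val = addslashes($val);
+ function write($key, $val)
+ {
+ $db =& $this->db;
 
 $newExp = time() + $this->max_lifetime;
 $lastaccessed = date("Y-m-d H:i:s");
- $userAgent = $_SERVER['HTTP_USER_AGENT'];
- $remoteAddr = $_SERVER['REMOTE_ADDR'];
+ $userAgent = Kit::GetParam('HTTP_USER_AGENT', $_SERVER, _STRING, 'No user agent');
+ $remoteAddr = Kit::GetParam('REMOTE_ADDR', $_SERVER, _STRING);
 
- $result = $db->query("SELECT session_id FROM session WHERE session_id = '$key'");
+ $result = $db->query(sprintf("SELECT session_id FROM session WHERE session_id = '%s'", $db->escape_string($key)));
 
 if ($db->num_rows($result) == 0)
 {
 //INSERT
 $SQL = "INSERT INTO session (session_id, session_data, session_expiration, LastAccessed, LastPage, userID, IsExpired, UserAgent, RemoteAddr)
- VALUES ('$key','$val',$newExp,'$lastaccessed','login', NULL, 0, '$userAgent', '$remoteAddr')";
+ VALUES ('%s', '%s', %d, '%s', 'login', NULL, 0, '%s', '%s')";
+
+ $SQL = sprintf($SQL, $db->escape_string($key), $db->escape_string($val), $newExp, $db->escape_string($lastaccessed), $db->escape_string($userAgent), $db->escape_string($remoteAddr));
 }
 else
 {
 //UPDATE
 $SQL = "UPDATE session SET ";
- $SQL .= " session_data = '$val', ";
- $SQL .= " session_expiration = '$newExp', ";
- $SQL .= " lastaccessed = '$lastaccessed' ";
- $SQL .= " WHERE session_id = '$key' ";
+ $SQL .= " session_data = '%s', ";
+ $SQL .= " session_expiration = %d, ";
+ $SQL .= " lastaccessed = '%s', ";
+ $SQL .= " RemoteAddr = '%s' ";
+ $SQL .= " WHERE session_id = '%s' ";
+
+ $SQL = sprintf($SQL, $db->escape_string($val), $newExp, $db->escape_string($lastaccessed), $db->escape_string($remoteAddr), $db->escape_string($key));
 }
 
- if(!$db->query($SQL)) {
+ if(!$db->query($SQL))
+ {
 log_entry($db, "error", $db->error());
 return(false);
 }
+
 return true;
 }
 
@@ -173,7 +169,7 @@
 {
 $db =& $this->db;
 
- $SQL = "UPDATE session SET IsExpired = 1 WHERE session_id = '$key'";
+ $SQL = sprintf("UPDATE session SET IsExpired = 1 WHERE session_id = '%s'", $db->escape_string($key));
 
 $result = $db->query("$SQL");
 
@@ -193,26 +189,32 @@
 {
 $db =& $this->db;
 
- $SQL = "UPDATE session SET userID = $userid WHERE session_id = '$key' ";
+ $SQL = sprintf("UPDATE session SET userID = %d WHERE session_id = '%s' ",$userid, $db->escape_string($key));
 
- if(!$db->query($SQL)) {
+ if(!$db->query($SQL))
+ {
 trigger_error($db->error(), E_USER_NOTICE);
 return(false);
 }
 return true;
 }
 
- // Update the session (after login)
- static function RegenerateSessionID()
+ /**
+ * Updates the session ID with a new one
+ * @return
+ */
+ public function RegenerateSessionID($oldSessionID)
 {
- $old_sess_id = session_id();
+ $db =& $this->db;
 
 session_regenerate_id(false);
 
 $new_sess_id = session_id();
+
+ $this->key = $new_sess_id;
 
- $query = "UPDATE `session` SET `session_id` = '$new_sess_id' WHERE session_id = '$old_sess_id'";
- mysql_query($query);
+ $query = sprintf("UPDATE session SET session_id = '%s' WHERE session_id = '%s'", $db->escape_string($new_sess_id), $db->escape_string($oldSessionID));
+ $db->query($query);
 }
 
 function set_page($key, $lastpage)
@@ -221,9 +223,10 @@
 
 $_SESSION['pagename'] = $lastpage;
 
- $SQL = "UPDATE session SET LastPage = '$lastpage' WHERE session_id = '$key' ";
+ $SQL = sprintf("UPDATE session SET LastPage = '%s' WHERE session_id = '%s' ", $db->escape_string($lastpage), $db->escape_string($key));
 
- if(!$db->query($SQL)) {
+ if(!$db->query($SQL))
+ {
 trigger_error($db->error(), E_USER_NOTICE);
 return(false);
 }
@@ -236,7 +239,7 @@
 
 $this->isExpired = $isExpired;
 
- $SQL = "UPDATE session SET IsExpired = $this->isExpired WHERE session_id = '$this->key'";
+ $SQL = sprintf("UPDATE session SET IsExpired = $this->isExpired WHERE session_id = '%s'", $db->escape_string($this->key));
 
 if (!$db->query($SQL))
 {
@@ -248,7 +251,7 @@
 {
 $db =& $this->db;
 
- $SQL = "UPDATE session SET securityToken = '$token' WHERE session_id = '$this->key'";
+ $SQL = sprintf("UPDATE session SET securityToken = '%s' WHERE session_id = '%s'", $db->escape_string($token), $db->escape_string($this->key));
 
 if (!$db->query($SQL))
 {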
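Review bot: The rewritten lookup in read() (`AND UserAgent = '%s'` in place of `AND RemoteAddr = '$remoteAddr'`) ties the session to the User-Agent header, a value the client chooses, while the remote address is now only recorded and is overwritten on every request by the `RemoteAddr = '%s'` assignment added to write()'s UPDATE — so a captured session ID is usable from any address as long as the sender copies the victim's User-Agent. If that relaxation is intended, the now-stale comment in the same hunk should say so: `// Matched on session key and User-Agent only; RemoteAddr is recorded but not enforced.`, and the `$remoteAddr` read at the top of read() can go, since nothing in the hunk uses it. The `SecurityToken` POST value is also taken as an arbitrary string where the old code ran it through `validate()` and logged failures; the comparison against the stored token lies outside the hunk, so check it still treats an empty string as "no token". In the setIsExpired hunk, `IsExpired = $this->isExpired` is still interpolated directly into the query rather than passed through `%d` like the other statements in this change.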
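--- a/server/lib/pages/report.class.php
+++ b/server/lib/pages/report.class.php
@@ -210,9 +210,7 @@
 <td>$ip</td>
 <td>$browser</td>
 <td>
- <div class="buttons">
- <a class="neutral" href="index.php?p=report&q=ConfirmLogout&userid=$userID" onclick="return init_button(this,'Logout User', exec_filter_callback, set_form_size(450,150))"><span>Logout</span></a>
- </div>
+ <button class="XiboFormButton" href="index.php?p=report&q=ConfirmLogout&userid=$userID"><span>Logout</span></a>
 </td>
 </tr>
 END;
@@ -234,14 +232,15 @@
 $userID = Kit::GetParam('userid', _GET, _INT);
 
 $form = <<<END
- <form class="dialog_form" method="post" action="index.php?p=report&q=LogoutUser">
+ <form class="XiboForm" method="post" action="index.php?p=report&q=LogoutUser">
 <input type="hidden" name="userid" value="userid" />
 <p>Are you sure you want to logout this user?</p>
 <input type="submit" value="Yes">
 <input type="submit" value="No" onclick="$('#div_dialog').dialog('close');return false; ">
 </form>
 END;
- $arh->SetFormSubmitResponse($form);
+
+ $arh->SetFormRequestResponse($form, 'Logout User', '450px', '300px');
 $arh->Respond();
 }
 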
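Review bot: The confirmation form in the second hunk posts the literal string `userid` — `<input type="hidden" name="userid" value="userid" />` — instead of the ID just read into `$userID` two lines above, so the LogoutUser handler never receives the user actually selected; it should be `<input type="hidden" name="userid" value="$userID" />`. In the first hunk the new `<button class="XiboFormButton" ...>` is closed with `</a>`; it needs `</button>`. No anti-forgery token is visible anywhere in the form, so unless the XiboForm machinery adds one elsewhere, a bare POST carrying a user ID is enough to log out any administrator. Both hunks are inside heredocs whose enclosing functions begin outside the hunk.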
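--- a/server/modules/module_user_general.php
+++ b/server/modules/module_user_general.php
@@ -89,8 +89,6 @@
 
 $sql = sprintf("SELECT UserID, UserName, UserPassword, usertypeid, groupID FROM user WHERE UserName = '%s' AND UserPassword = '%s'", $db->escape_string($username), $db->escape_string($password));
 
- Debug::LogEntry($db, 'audit', $sql);
-
 if(!$result = $db->query($sql)) trigger_error('A database error occurred while checking your login details.', E_USER_ERROR);
 
 if ($db->num_rows($result)==0)
@@ -122,6 +120,7 @@
 $db->query($SQL) or trigger_error("Can not write last accessed info.", E_USER_ERROR);
 
 $session->setIsExpired(0);
+$session->RegenerateSessionID(session_id());
 
 return true;
 }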
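Review bot: The login query at the top of the first hunk lets the database decide the credential match (`AND UserPassword = '%s'`), so the comparison is only as strict as the column's collation — under a case-insensitive MySQL collation the password check is case-insensitive too, and the submitted password is embedded in every query string (the reason the removed audit log was leaking it). Selecting by `WHERE UserName = '%s'` alone and then comparing in PHP, `if ($row['UserPassword'] !== $password) { /* treat as failed login */ }`, makes the check exact and keeps the password out of SQL text and logs entirely. Whether `$password` has already been hashed before this line cannot be seen here. The enclosing login function begins outside the hunk.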
