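def _query_callback(match, init=False):
    """
    Helper function for db_query(): substitute one query placeholder.

    Works in two modes:

    * ``init`` true: ``match`` holds the query arguments. A copy is stored
      on the function object as ``_query_callback.args`` and nothing is
      returned.
    * ``init`` false: ``match[1]`` is the placeholder that was found. The
      next stored argument is consumed (except for ``%%``) and returned in
      a form intended to be safe for that placeholder.

    Placeholders handled: %d, %s, %n, %%, %f, %b. Any other placeholder
    falls through and returns None without consuming an argument.
    """
    php.static(_query_callback, 'args')
    if init:
        _query_callback.args = list(match)
        return
    placeholder = match[1]
    # We must use type casting to int to convert FALSE/NULL/(TRUE?)
    if placeholder == '%d':
        # We don't need db_escape_string as numbers are db-safe: int()
        # either yields an integer or raises, so no raw text gets through.
        # NOTE(review): int(None) raises TypeError in Python, whereas the
        # comment above expects NULL to be converted - confirm callers.
        return str(int(php.array_shift(_query_callback.args)))
    elif placeholder == '%s':
        # Escaping only protects a value placed inside a quoted SQL string;
        # presumably the query template supplies the quotes - verify.
        return db.escape_string(php.array_shift(_query_callback.args))
    elif placeholder == '%n':
        # Numeric values have arbitrary precision, so can't be treated as
        # float. is_numeric() allows hex values (0xFF), but they are not
        # valid.
        # The argument list lives on the function object; a bare ``args``
        # is not defined in this scope, so this branch could never
        # consume its argument.
        value = php.trim(php.array_shift(_query_callback.args))
        if php.is_numeric(value) and not php.stripos(value, 'x'):
            return value
        # Anything that is not a plain number is replaced, never passed on.
        return '0'
    elif placeholder == '%%':
        # Literal percent sign; no argument is consumed.
        return '%'
    elif placeholder == '%f':
        # NOTE(review): returns a float, not a str like the other branches;
        # confirm the caller converts it before building the query text.
        return float(php.array_shift(_query_callback.args))
    elif placeholder == '%b':
        # binary data
        return db.encode_blob(php.array_shift(_query_callback.args))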
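def conf_init():
    """
    Loads the configuration and sets the base URL, cookie domain,
    and session name correctly.

    Reads lib_appglobals.base_url and settings.cookie_domain. Writes
    lib_appglobals.base_url, base_root and base_path, may overwrite
    settings.cookie_domain, may set the session.cookie_domain ini value,
    and finally sets the session name through lib_session.name().
    """
    # These will come from settings
    # db_url, db_prefix, cookie_domain, conf, installed_profile,
    # update_free_access
    if lib_appglobals.base_url is not None:
        # Parse fixed base URL from settings.php.
        parts = php.parse_url(lib_appglobals.base_url)
        if not php.isset(parts, 'path'):
            parts['path'] = ''
        lib_appglobals.base_path = parts['path'] + '/'
        # Build base_root (everything until first slash after "scheme://").
        root_length = php.strlen(lib_appglobals.base_url) - \
            php.strlen(parts['path'])
        lib_appglobals.base_root = \
            php.substr(lib_appglobals.base_url, 0, root_length)
    else:
        # Create base URL
        lib_appglobals.base_root = \
            ('https' if (php.isset(php.SERVER, 'HTTPS') and
                         php.SERVER['HTTPS'] == 'on') else 'http')
        # As php.SERVER['HTTP_HOST'] is user input, ensure it only contains
        # characters allowed in hostnames.
        # This filter limits the character set only; it does not establish
        # that the host is one this site serves. Configuring base_url in
        # settings takes the branch above and avoids deriving URLs from
        # the request header at all.
        lib_appglobals.base_root += '://' + \
            php.preg_replace('/[^a-z0-9-:._]/i', '', php.SERVER['HTTP_HOST'])
        lib_appglobals.base_url = lib_appglobals.base_root
        # php.SERVER['SCRIPT_NAME'] can, in contrast to
        # php.SERVER['PHP_SELF'], not be modified by a visitor.
        # The trim set is backslash, comma and slash; the backslash is
        # written escaped so Python does not see an invalid '\,' escape.
        script_dir = php.trim(php.dirname(php.SERVER['SCRIPT_NAME']), '\\,/')
        if len(script_dir) > 0:
            # Use the directory value itself; the literal "/dir" was a
            # leftover of PHP string interpolation ("/$dir").
            lib_appglobals.base_path = '/' + script_dir
            lib_appglobals.base_url += lib_appglobals.base_path
            lib_appglobals.base_path += '/'
        else:
            lib_appglobals.base_path = '/'
    if settings.cookie_domain is not None:
        # If the user specifies the cookie domain, also use it for session
        # name.
        session_name_ = settings.cookie_domain
    else:
        # Otherwise use base_url as session name, without the protocol
        # to use the same session identifiers across http and https.
        session_name_ = php.explode('://', lib_appglobals.base_url, 2)[1]
        # We escape the hostname because it can be modified by a visitor.
        # Kept inside this branch so a configured cookie domain is never
        # replaced by the request's Host header.
        if not php.empty(php.SERVER['HTTP_HOST']):
            settings.cookie_domain = check_plain(php.SERVER['HTTP_HOST'])
    # To prevent session cookies from being hijacked, a user can configure
    # the SSL version of their website to only transfer session cookies via
    # SSL by using PHP's session.cookie_secure setting. The browser will
    # then use two separate session cookies for the HTTPS and HTTP versions
    # of the site. So we must use different session identifiers for HTTPS
    # and HTTP to prevent a cookie collision.
    if php.ini_get('session.cookie_secure'):
        session_name_ += 'SSL'
    # Strip leading periods, www., and port numbers from cookie domain.
    # NOTE(review): settings.cookie_domain is still None here when it was
    # not configured and HTTP_HOST is empty; confirm php.ltrim accepts that.
    settings.cookie_domain = php.ltrim(settings.cookie_domain, '.')
    # Only strip when 'www.' is really at offset 0. If php.strpos follows
    # PHP and returns False for "not found", a plain "== 0" would also
    # match, because False == 0 in Python.
    www_pos = php.strpos(settings.cookie_domain, 'www.')
    if www_pos is not False and www_pos == 0:
        settings.cookie_domain = php.substr(settings.cookie_domain, 4)
    settings.cookie_domain = php.explode(':', settings.cookie_domain)
    settings.cookie_domain = '.' + settings.cookie_domain[0]
    # Per RFC 2109, cookie domains must contain at least one dot other than
    # the first. For hosts such as 'localhost' or IP Addresses we don't set
    # a cookie domain.
    label_count = php.count(php.explode('.', settings.cookie_domain))
    digits_only = php.is_numeric(
        php.str_replace('.', '', settings.cookie_domain))
    if label_count > 2 and not digits_only:
        php.ini_set('session.cookie_domain', settings.cookie_domain)
    # The session name is 'SESS' plus the md5 of the value chosen above.
    lib_session.name('SESS' + php.md5(session_name_))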
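def conf_init():
    """
    Loads the configuration and sets the base URL, cookie domain,
    and session name correctly.

    Reads lib_appglobals.base_url and settings.cookie_domain. Writes
    lib_appglobals.base_url, base_root and base_path, may overwrite
    settings.cookie_domain, may set the session.cookie_domain ini value,
    and finally sets the session name through lib_session.name().
    """
    # These will come from settings
    # db_url, db_prefix, cookie_domain, conf, installed_profile,
    # update_free_access
    if lib_appglobals.base_url is not None:
        # Parse fixed base URL from settings.php.
        parts = php.parse_url(lib_appglobals.base_url)
        if not php.isset(parts, "path"):
            parts["path"] = ""
        lib_appglobals.base_path = parts["path"] + "/"
        # Build base_root (everything until first slash after "scheme://").
        lib_appglobals.base_root = php.substr(
            lib_appglobals.base_url,
            0,
            php.strlen(lib_appglobals.base_url) - php.strlen(parts["path"]),
        )
    else:
        # Create base URL
        lib_appglobals.base_root = (
            "https"
            if (php.isset(php.SERVER, "HTTPS") and php.SERVER["HTTPS"] == "on")
            else "http"
        )
        # As php.SERVER['HTTP_HOST'] is user input, ensure it only contains
        # characters allowed in hostnames.
        # The character filter does not prove the host belongs to this
        # site; it only removes unexpected characters. A base_url set in
        # settings is handled by the branch above, which never reads the
        # Host header for this purpose.
        lib_appglobals.base_root += "://" + php.preg_replace(
            "/[^a-z0-9-:._]/i", "", php.SERVER["HTTP_HOST"]
        )
        lib_appglobals.base_url = lib_appglobals.base_root
        # php.SERVER['SCRIPT_NAME'] can, in contrast to
        # php.SERVER['PHP_SELF'], not be modified by a visitor.
        # Characters trimmed: backslash, comma, slash. The backslash is
        # escaped so the literal is not an invalid Python escape sequence.
        script_dir = php.trim(php.dirname(php.SERVER["SCRIPT_NAME"]), "\\,/")
        if len(script_dir) > 0:
            # The path must be built from the directory value; "/dir" as a
            # fixed string came from PHP's "/$dir" interpolation.
            lib_appglobals.base_path = "/" + script_dir
            lib_appglobals.base_url += lib_appglobals.base_path
            lib_appglobals.base_path += "/"
        else:
            lib_appglobals.base_path = "/"
    if settings.cookie_domain is not None:
        # If the user specifies the cookie domain, also use it for session
        # name.
        session_name_ = settings.cookie_domain
    else:
        # Otherwise use base_url as session name, without the protocol
        # to use the same session identifiers across http and https.
        session_name_ = php.explode("://", lib_appglobals.base_url, 2)[1]
        # We escape the hostname because it can be modified by a visitor.
        # This stays in the else branch: the Host header must not override
        # a cookie domain that was set in the configuration.
        if not php.empty(php.SERVER["HTTP_HOST"]):
            settings.cookie_domain = check_plain(php.SERVER["HTTP_HOST"])
    # To prevent session cookies from being hijacked, a user can configure
    # the SSL version of their website to only transfer session cookies via
    # SSL by using PHP's session.cookie_secure setting. The browser will
    # then use two separate session cookies for the HTTPS and HTTP versions
    # of the site. So we must use different session identifiers for HTTPS
    # and HTTP to prevent a cookie collision.
    if php.ini_get("session.cookie_secure"):
        session_name_ += "SSL"
    # Strip leading periods, www., and port numbers from cookie domain.
    # NOTE(review): with no configured cookie_domain and an empty
    # HTTP_HOST, settings.cookie_domain is None at this point; confirm the
    # php helpers below tolerate that.
    settings.cookie_domain = php.ltrim(settings.cookie_domain, ".")
    # Compare against offset 0 explicitly. Should php.strpos return False
    # for "not found" (as PHP does), "False == 0" is true in Python and
    # would strip four characters from every domain.
    www_pos = php.strpos(settings.cookie_domain, "www.")
    if www_pos is not False and www_pos == 0:
        settings.cookie_domain = php.substr(settings.cookie_domain, 4)
    settings.cookie_domain = php.explode(":", settings.cookie_domain)
    settings.cookie_domain = "." + settings.cookie_domain[0]
    # Per RFC 2109, cookie domains must contain at least one dot other than
    # the first. For hosts such as 'localhost' or IP Addresses we don't set
    # a cookie domain.
    has_enough_labels = php.count(php.explode(".", settings.cookie_domain)) > 2
    looks_like_ip = php.is_numeric(
        php.str_replace(".", "", settings.cookie_domain)
    )
    if has_enough_labels and not looks_like_ip:
        php.ini_set("session.cookie_domain", settings.cookie_domain)
    # The session name is "SESS" followed by the md5 of the chosen value.
    lib_session.name("SESS" + php.md5(session_name_))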