From 1ed92e187ae2dfb51f5f2d62c290a85f93b6dc21 Mon Sep 17 00:00:00 2001
From: Till Brehm <tbrehm@ispconfig.org>
Date: Thu, 14 Aug 2014 13:54:00 -0400
Subject: [PATCH] - Added security check script. - Create md5 sums of all files at install and update.

---
 interface/lib/app.inc.php |   60 +++++++++++++++++++++++++++++++++++++++++++++++++++++-------
 1 files changed, 53 insertions(+), 7 deletions(-)

diff --git a/interface/lib/app.inc.php b/interface/lib/app.inc.php
index fc56bd0..8832f45 100755
--- a/interface/lib/app.inc.php
+++ b/interface/lib/app.inc.php
@@ -48,6 +48,8 @@
 	private $_wb;
 	private $_loaded_classes = array();
 	private $_conf;
+	
+	public $loaded_plugins = array();
 
 	public function __construct() {
 		global $conf;
@@ -55,7 +57,7 @@
 		if (isset($_REQUEST['GLOBALS']) || isset($_FILES['GLOBALS']) || isset($_REQUEST['s']) || isset($_REQUEST['s_old']) || isset($_REQUEST['conf'])) {
 			die('Internal Error: var override attempt detected');
 		}
-
+		
 		$this->_conf = $conf;
 		if($this->_conf['start_db'] == true) {
 			$this->load('db_'.$this->_conf['db_type']);
@@ -65,10 +67,30 @@
 		//* Start the session
 		if($this->_conf['start_session'] == true) {
 
-			$this->uses('session,ini_parser');
-			$tmp = $this->db->queryOneRecord("SELECT value FROM sys_config WHERE config_id = 2 AND group = 'interface' AND name = 'session_timeout'");
-			if($tmp && $tmp['value'] > 0) {
-				$this->session->set_timeout($tmp['value']);
+			$this->uses('session');
+			$sess_timeout = $this->conf('interface', 'session_timeout');
+			if($sess_timeout) {
+				/* check if user wants to stay logged in */
+				if(isset($_POST['s_mod']) && isset($_POST['s_pg']) && $_POST['s_mod'] == 'login' && $_POST['s_pg'] == 'index' && isset($_POST['stay']) && $_POST['stay'] == '1') {
+					/* check if staying logged in is allowed */
+					$this->uses('ini_parser');
+					$tmp = $this->db->queryOneRecord('SELECT config FROM sys_ini WHERE sysini_id = 1');
+					$tmp = $this->ini_parser->parse_ini_string(stripslashes($tmp['config']));
+					if(!isset($tmp['misc']['session_allow_endless']) || $tmp['misc']['session_allow_endless'] != 'y') {
+						$this->session->set_timeout($sess_timeout);
+						session_set_cookie_params(3600 * 24 * 365); // cookie timeout is never updated, so it must not be short
+					} else {
+						// we are doing login here, so we need to set the session data
+						$this->session->set_permanent(true);
+						$this->session->set_timeout(365 * 24 * 3600); // one year
+						session_set_cookie_params(3600 * 24 * 365); // cookie timeout is never updated, so it must not be short
+					}
+				} else {
+					$this->session->set_timeout($sess_timeout);
+					session_set_cookie_params(3600 * 24 * 365); // cookie timeout is never updated, so it must not be short
+				}
+			} else {
+				session_set_cookie_params(0); // until browser is closed
 			}
 			
 			session_set_save_handler( array($this->session, 'open'),
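Review bot: Each `session_set_cookie_params(3600 * 24 * 365)` call in the added branches passes only the lifetime, so the secure and httponly attributes of a session cookie that now lives for a year are whatever php.ini provides. Passing them explicitly, e.g. `session_set_cookie_params(3600 * 24 * 365, '/', '', $is_https, true);` with `$is_https` derived from the request scheme, keeps the long-lived cookie off plain HTTP and away from script access. In the same block `$tmp['config']` is read without checking that `queryOneRecord()` returned a row. The branch that refuses `session_allow_endless` also repeats the outer `else` line for line, so the two could be merged. The constructor starts and ends outside this hunk.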
@@ -79,7 +101,7 @@
 				array($this->session, 'gc'));
 
 			session_start();
-
+			
 			//* Initialize session variables
 			if(!isset($_SESSION['s']['id']) ) $_SESSION['s']['id'] = session_id();
 			if(empty($_SESSION['s']['theme'])) $_SESSION['s']['theme'] = $conf['theme'];
@@ -90,6 +112,14 @@
 		$this->uses('auth,plugin');
 	}
 
+	public function __get($prop) {
+		if(property_exists($this, $prop)) return $this->{$prop};
+		
+		$this->uses($prop);
+		if(property_exists($this, $prop)) return $this->{$prop};
+		else return null;
+	}
+	
 	public function __destruct() {
 		session_write_close();
 	}
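Review bot: The first `property_exists($this, $prop)` check in `__get()` is true for the private members `_wb`, `_loaded_classes` and `_conf` declared at the top of the class, so code outside the class can now read them through the magic getter despite the `private` keyword. The second check has the same effect whenever `uses($prop)` loads nothing. Since `uses()` records every class it instantiates in `_loaded_classes`, the getter can be limited to those: `$this->uses($prop);` followed by `return isset($this->_loaded_classes[$prop]) ? $this->{$prop} : null;`. A short docblock saying that `__get()` lazy-loads library classes by property name would also help the next reader.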
@@ -100,7 +130,7 @@
 			foreach($cl as $classname) {
 				$classname = trim($classname);
 				//* Class is not loaded so load it
-				if(!array_key_exists($classname, $this->_loaded_classes)) {
+				if(!array_key_exists($classname, $this->_loaded_classes) && is_file(ISPC_CLASS_PATH."/$classname.inc.php")) {
 					include_once ISPC_CLASS_PATH."/$classname.inc.php";
 					$this->$classname = new $classname();
 					$this->_loaded_classes[$classname] = true;
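Review bot: `is_file()` confirms that the path exists but does not constrain `$classname`, which is interpolated into the `include_once` path and then used in `new $classname()`. With `__get()` in this commit forwarding any undefined property name to `uses()`, more strings can reach this line than before. Validating the name before the file check, e.g. `if(!preg_match('/^[a-zA-Z0-9_]+$/', $classname)) continue;`, keeps the include inside `ISPC_CLASS_PATH`. The new condition also turns a missing class file into a silent no-op, so a typo in a `uses()` call shows up later as a null property rather than at load time, and logging that case would make it visible. The `foreach` body continues outside the hunk.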
@@ -118,6 +148,22 @@
 			}
 		}
 	}
+	
+	public function conf($plugin, $key, $value = null) {
+		if(is_null($value)) {
+			$tmpconf = $this->db->queryOneRecord("SELECT `value` FROM `sys_config` WHERE `group` = '" . $this->db->quote($plugin) . "' AND `name` = '" . $this->db->quote($key) . "'");
+			if($tmpconf) return $tmpconf['value'];
+			else return null;
+		} else {
+			if($value === false) {
+				$this->db->query("DELETE FROM `sys_config` WHERE `group` = '" . $this->db->quote($plugin) . "' AND `name` = '" . $this->db->quote($key) . "'");
+				return null;
+			} else {
+				$this->db->query("REPLACE INTO `sys_config` (`group`, `name`, `value`) VALUES ('" . $this->db->quote($plugin) . "', '" . $this->db->quote($key) . "', '" . $this->db->quote($value) . "')");
+				return $value;
+			}
+		}
+	}
 
 	/** Priority values are: 0 = DEBUG, 1 = WARNING,  2 = ERROR */
 
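Review bot: `conf()` builds all three statements by string concatenation, so their safety rests entirely on `$this->db->quote()`, whose implementation is not part of this diff. If the db class offers bound parameters they would be preferable; otherwise the dependency on `quote()` should be stated in a comment. The method also has no docblock although `$value` selects the operation: `null` reads, `false` deletes and anything else writes, which means `null` and `false` can never be stored. `REPLACE INTO` only acts as an upsert if `sys_config` has a unique key covering `group` and `name`, which is not visible here and worth confirming, since the query removed from the constructor also filtered on `config_id`. I would add a docblock describing the three modes and what each returns.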

--
Gitblit v1.9.1