/**
 * Return the user avatar image URL.
 * Only gravatar.com avatars are supported by this implementation.
 *
 * @param int $p_user_id User ID
 * @param int $p_size    Pixel size of the image (default 80)
 * @return array|bool array( URL, width, height ), or false when avatars are
 *                    disabled (config 'show_avatar' is OFF)
 */
function user_get_avatar($p_user_id, $p_size = 80) {
    $t_avatar_setting = config_get('show_avatar');

    # Avatar support is switched off entirely
    if (OFF === $t_avatar_setting) {
        return false;
    }

    # Legacy configuration: a bare ON means "use Gravatar's identicon fallback"
    $t_fallback = (ON === $t_avatar_setting) ? 'identicon' : $t_avatar_setting;

    # The fallback is either one of Gravatar's keywords or an URL to a default
    # image; it is sent as a query parameter, hence the URL-encoding
    $t_fallback = urlencode($t_fallback);

    # Gravatar identifies the account by the MD5 of the trimmed, lowercased e-mail
    $t_hash = md5(utf8_strtolower(trim(user_get_email($p_user_id))));

    $t_base = http_is_protocol_https()
        ? 'https://secure.gravatar.com/'
        : 'http://www.gravatar.com/';

    # r=G restricts the returned image to the "G" content rating
    $t_url = $t_base . 'avatar/' . $t_hash . '?d=' . $t_fallback . '&r=G&s=' . $p_size;

    return array($t_url, $p_size, $p_size);
}
/**
 * Return the user avatar image URL.
 * Only gravatar.com avatars are supported by this implementation.
 *
 * Returns array( URL, width, height ), or an empty array when avatars are
 * disabled (config 'show_avatar' is OFF). An unknown user id still yields a
 * URL, built from a fixed placeholder hash rather than an e-mail address.
 *
 * @param integer $p_user_id A valid user identifier.
 * @param integer $p_size    Requested image size in pixels (default 80).
 * @return array
 */
function user_get_avatar($p_user_id, $p_size = 80) {
    $t_avatar_setting = config_get('show_avatar');

    # Avatar support is switched off entirely
    if (OFF === $t_avatar_setting) {
        return array();
    }

    # Legacy configuration: a bare ON means "use Gravatar's identicon fallback"
    $t_fallback = (ON === $t_avatar_setting) ? 'identicon' : $t_avatar_setting;

    # The fallback is either one of Gravatar's keywords or an URL to a default
    # image; it is sent as a query parameter, hence the URL-encoding
    $t_fallback = urlencode($t_fallback);

    # Gravatar identifies the account by the MD5 of the trimmed, lowercased
    # e-mail; a missing user gets a constant placeholder so no lookup fails
    $t_hash = user_exists($p_user_id)
        ? md5(strtolower(trim(user_get_email($p_user_id))))
        : md5('generic-avatar-since-user-not-found');

    $t_base = http_is_protocol_https()
        ? 'https://secure.gravatar.com/'
        : 'http://www.gravatar.com/';

    # r=G restricts the returned image to the "G" content rating
    $t_url = $t_base . 'avatar/' . $t_hash . '?d=' . $t_fallback . '&r=G&s=' . $p_size;

    return array($t_url, $p_size, $p_size);
}
/**
 * Set security headers (frame busting, clickjacking/XSS/CSRF protection).
 *
 * Emits X-Frame-Options, a Content-Security-Policy assembled from a list of
 * directives and, over HTTPS only, Strict-Transport-Security. Nothing is sent
 * once headers have already gone out.
 *
 * @return void
 */
function http_security_headers() {
    if (headers_sent()) {
        return;
    }

    header('X-Frame-Options: DENY');

    # Content Security Policy, one directive per entry, joined below
    $t_directives = array(
        "default-src 'self'",
        "frame-ancestors 'none'",
    );

    # Images: additionally allow the Gravatar host when avatars are enabled
    if (config_get_global('show_avatar')) {
        $t_gravatar = http_is_protocol_https()
            ? 'https://secure.gravatar.com:443'
            : 'http://www.gravatar.com:80';
        $t_directives[] = "img-src 'self' " . $t_gravatar;
    }

    # The roadmap page needs inline styles for its progress bars (see #19501).
    # 'unsafe-inline' on style-src loosens the policy, so it is scoped to that
    # page only
    if (basename($_SERVER['SCRIPT_NAME']) == 'roadmap_page.php') {
        $t_directives[] = "style-src 'self' 'unsafe-inline'";
    }

    header('Content-Security-Policy: ' . implode('; ', $t_directives));

    # HSTS: 7776000 seconds = 90 days; only meaningful on an HTTPS response
    if (http_is_protocol_https()) {
        header('Strict-Transport-Security: max-age=7776000');
    }
}
break; } # throw away output buffer contents (and disable it) to protect download while (@ob_end_clean()) { } if (ini_get('zlib.output_compression') && function_exists('ini_set')) { ini_set('zlib.output_compression', false); } http_security_headers(); # Make sure that IE can download the attachments under https. header('Pragma: public'); # To fix an IE bug which causes problems when downloading # attached files via HTTPS, we disable the "Pragma: no-cache" # command when IE is used over HTTPS. global $g_allow_file_cache; if (http_is_protocol_https() && is_browser_internet_explorer()) { # Suppress "Pragma: no-cache" header. } else { if (!isset($g_allow_file_cache)) { header('Pragma: no-cache'); } } header('Expires: ' . gmdate('D, d M Y H:i:s \\G\\M\\T', time())); header('Last-Modified: ' . gmdate('D, d M Y H:i:s \\G\\M\\T', $v_date_added)); $t_filename = file_get_display_name($v_filename); # For Internet Explorer 8 as per http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx # Don't let IE second guess our content-type! header('X-Content-Type-Options: nosniff'); http_content_disposition_header($t_filename, $f_show_inline); header('Content-Length: ' . $v_filesize); # If finfo is available (always true for PHP >= 5.3.0) we can use it to determine the MIME type of files
* @link http://www.mantisbt.org * * @uses config_api.php * @uses constant_inc.php * @uses error_api.php * @uses http_api.php */ require_api('config_api.php'); require_api('constant_inc.php'); require_api('error_api.php'); require_api('http_api.php'); # Determines (once-off) whether the client is accessing this script via a # secure connection. If they are, we want to use the Secure cookie flag to # prevent the cookie from being transmitted to other domains. # @global boolean $g_cookie_secure_flag_enabled $g_cookie_secure_flag_enabled = http_is_protocol_https(); /** * Retrieve a GPC variable. * If the variable is not set, the default is returned. * * You may pass in any variable as a default (including null) but if * you pass in *no* default then an error will be triggered if the field * cannot be found * * @param string $p_var_name Variable name. * @param mixed $p_default Default value. * @return null */ function gpc_get($p_var_name, $p_default = null) { if (isset($_POST[$p_var_name])) {
/**
 * Return the user avatar image URL.
 * Only gravatar.com avatars are supported by this implementation.
 *
 * @param int $p_user_id User ID
 * @param int $p_size    Pixel size of the image (default 80)
 * @return array|bool array( URL, width, height ), or false when the user has
 *                    no e-mail address on file
 */
function user_get_avatar($p_user_id, $p_size = 80) {
    # Gravatar identifies the account by the trimmed, lowercased e-mail
    $t_address = utf8_strtolower(trim(user_get_email($p_user_id)));

    # Nothing to hash: the user cannot have a Gravatar
    if (is_blank($t_address)) {
        return false;
    }

    $t_base = http_is_protocol_https()
        ? 'https://secure.gravatar.com/'
        : 'http://www.gravatar.com/';

    # d=identicon: generated fallback image; r=G: "G" content rating only
    $t_url = $t_base . 'avatar/' . md5($t_address) . '?d=identicon&r=G&s=' . $p_size;

    return array($t_url, $p_size, $p_size);
}
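/**
 * Set security headers (frame busting, clickjacking/XSS/CSRF protection).
 *
 * Sends X-Frame-Options, the legacy X-Content-Security-Policy header and,
 * over HTTPS only, Strict-Transport-Security. Nothing is sent once headers
 * have already gone out.
 *
 * @return void
 */
function http_security_headers() {
    if (headers_sent()) {
        return;
    }

    header('X-Frame-Options: DENY');

    # Legacy (pre-standard) CSP syntax. The directives are collected in a list
    # and joined once; the previous string concatenation always produced an
    # empty directive ("allow 'self';; ...") before the optional img-src part.
    $t_directives = array("allow 'self'");

    # Images: additionally allow the Gravatar host when avatars are enabled
    if (config_get_global('show_avatar')) {
        $t_gravatar = http_is_protocol_https()
            ? 'https://secure.gravatar.com:443'
            : 'http://www.gravatar.com:80';
        $t_directives[] = "img-src 'self' " . $t_gravatar;
    }

    $t_directives[] = "frame-ancestors 'none'";

    header('X-Content-Security-Policy: ' . implode('; ', $t_directives));

    # HSTS: 7776000 seconds = 90 days; only meaningful on an HTTPS response
    if (http_is_protocol_https()) {
        header('Strict-Transport-Security: max-age=7776000');
    }
}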
/**
 * Set security headers (frame busting, clickjacking/XSS/CSRF protection).
 *
 * Sends X-Frame-Options and the legacy X-Content-Security-Policy header.
 * Nothing is sent once headers have already gone out.
 *
 * @return void
 */
function http_security_headers() {
    if (headers_sent()) {
        return;
    }

    header('X-Frame-Options: DENY');

    # Legacy (pre-standard) CSP syntax, directives joined with '; '.
    # "options inline-script eval-script" re-enables inline scripts and eval(),
    # which gives up most of the script-injection protection a CSP offers.
    $t_directives = array(
        "allow 'self'",
        'options inline-script eval-script',
    );

    # Images: additionally allow the Gravatar host when avatars are enabled
    if (config_get_global('show_avatar')) {
        $t_gravatar = http_is_protocol_https()
            ? 'https://secure.gravatar.com:443'
            : 'http://www.gravatar.com:80';
        $t_directives[] = "img-src 'self' " . $t_gravatar;
    }

    $t_directives[] = "frame-ancestors 'none'";

    header('X-Content-Security-Policy: ' . implode('; ', $t_directives));
}
/**
 * Gets the gravatar base URL, picking the HTTPS endpoint whenever the current
 * request itself is served over HTTPS.
 *
 * @return string The gravatar URL.
 */
private static function getAvatarUrl() {
    return http_is_protocol_https()
        ? self::GRAVATAR_URL_SECURE
        : self::GRAVATAR_URL;
}