/**
 * Redirects the user to the requested page under the specified
 * security context (https or http).
 *
 * If the current context already matches the requested one, nothing is
 * done and processing continues as normal.
 *
 * @param bool $ssl
 *   true to switch to https, false to switch to http.
 *
 * @throws InvalidArgumentException when $ssl is not a boolean.
 *
 * @return void
 */
public static function ssl($ssl = true)
{
    if (is_bool($ssl) === false) {
        throw new InvalidArgumentException('Invalid argument passed to go::ssl(). Must be a boolean value.');
    }
    // Only redirect when the current context differs from the requested one.
    if (is::ssl() != $ssl) {
        go::url(get::url($ssl));
    }
}
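/**
 * Attempts to construct the full URL for the given file.
 *
 * Files that match a url (begin with http, ftp, or https followed by
 * ://) will be returned as is.
 * Files that appear to be a url (start with www.) will have the
 * current scheme prepended to them.
 *
 * All others will be checked to see if the file exists relative to
 * the current URL directory and the document root (request came from
 * http://www.mysite.com/path/two/otherfile.php then it would check
 * both relative to http://www.mysite.com/path/two/ and http://www.mysite.com/).
 * If the file exists and its resolved path is within the document root
 * (so ../../ patterns cannot expose system files) the url to the file
 * is returned.
 *
 * If it cannot match as a URL or a valid file, it returns the passed
 * file exactly as it is.
 *
 * Example:
 *   Called from - http://www.mysite.com/path/file.php
 *   File exists - http://www.mysite.com/css/layout.css
 *   File exists - /var/systemfile (/var/www being the document root)
 *   $file -> $return
 *   css/layout.css -> http://www.mysite.com/css/layout.css
 *   ../css/layout.css -> http://www.mysite.com/css/layout.css
 *   http://www.othersite.com/file.pdf -> http://www.othersite.com/file.pdf
 *   www.othersite.com/file.pdf -> http://www.othersite.com/file.pdf
 *   ../../systemfile -> systemfile (would result in a broken link)
 *   css/notthere.css -> css/notthere.css
 *
 * @param string $file
 *   The file to create the URL for.
 *
 * @return string
 *   The full URL of the file specified or the filename as given.
 *   If the resolved file is outside the server document root, the base
 *   filename only. If the current URL cannot be determined, the filename
 *   as given.
 */
public static function cache_file_url($file)
{
    // Absolute URLs are returned untouched (scheme match is case-sensitive, as before).
    if (preg_match('/^(http|ftp|https):\\/\\//', $file)) {
        return $file;
    }
    // "www." prefixed values are treated as host names; prepend the current scheme.
    if (strlen($file) > 4 && strtolower(substr($file, 0, 4)) == 'www.') {
        return 'http' . (is::ssl() ? 's' : '') . '://' . $file;
    }

    // Normalise the document root and script path to forward slashes, with a
    // trailing slash on the root so prefix checks below cannot match a sibling
    // directory that merely shares the root's name as a prefix.
    $docroot = strtr($_SERVER['DOCUMENT_ROOT'], '\\', '/');
    $self = strtr($_SERVER['PHP_SELF'], '\\', '/');
    if (substr($docroot, -1) != '/') {
        $docroot .= '/';
    }
    if (substr($self, 0, 1) == '/') {
        $self = substr($self, 1);
    }
    $base_dir = get::dirname($docroot . $self);
    if (substr($base_dir, -1) != '/') {
        $base_dir .= '/';
    }
    $docroot_len = strlen($docroot);

    // A path already rooted at the document root is made relative to it.
    if (strlen($file) > $docroot_len && strtolower(substr($file, 0, $docroot_len)) == strtolower($docroot)) {
        $file = substr($file, $docroot_len);
    }

    // Try relative to the current script's directory first, then the document root.
    $candidate = null;
    if (file_exists($base_dir . $file)) {
        $candidate = $base_dir . $file;
    } elseif (file_exists($docroot . $file)) {
        $candidate = $docroot . $file;
    }
    if ($candidate === null) {
        return $file;
    }

    // Canonicalise (symlinks, ../ segments) before the containment check so an
    // escape from the document root is detected on the resolved path.
    $path = get::realpath($candidate);
    if ($path === false || strtolower(substr($path, 0, $docroot_len)) != strtolower($docroot)) {
        // Resolved file is outside the website - traversal attempt; never expose the path.
        return basename($file);
    }

    $self_url = self::url();
    if ($self_url == null) {
        // Retry with URL debugging enabled. The defines are guarded so a second
        // failing call does not raise "constant already defined" warnings.
        if (!defined('DEBUG_URL')) {
            define('DEBUG_URL', true);
        }
        $self_url = self::url();
        log::debug($self_url);
        if (!defined('URL_DEBUGGED')) {
            define('URL_DEBUGGED', true);
        }
    }
    $current = parse_url((string) $self_url);
    if (!is_array($current) || !isset($current['scheme'], $current['host'])) {
        // The current URL could not be parsed; without scheme and host no
        // absolute URL can be built, so fall back to the filename as given.
        return $file;
    }

    // Rebuild the authority of the current URL; credentials present in it are
    // carried over so the generated link stays on the same authority.
    $authority = '';
    if (isset($current['user'], $current['pass'])) {
        $authority .= sprintf('%s:%s@', $current['user'], $current['pass']);
    }
    $authority .= $current['host'];
    if (isset($current['port'])) {
        $authority .= ':' . $current['port'];
    }
    return $current['scheme'] . '://' . str_replace('//', '/', $authority . '/' . substr($path, $docroot_len));
}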
/**
 * Starts the application.
 *
 * Bootstraps error reporting, the session (optionally isolated per
 * subdomain), the single-use store and the user wrapper, then resolves the
 * route to a controller action, renders the resulting view and persists
 * per-request session state. Handles the csrf/keepalive route inline and
 * exits without rendering.
 *
 * @return void
 */
public static function run() {
    self::$starttime = microtime(true);
    error_reporting(config::ERROR_LEVEL);
    if (isset(config::$session_cookie_domain)) {
        ini_set('session.cookie_domain', config::$session_cookie_domain);
    }
    // Optional helpers: only wired in when the class is loaded.
    if (class_exists('formHelper')) {
        formHelper::fixArrays();
    }
    if (class_exists('csrfHelper')) {
        injector::register(array('csrfHelper', 'injector'));
    }
    // Derive the http domain from the request when only an https domain is configured.
    // NOTE(review): r_domain is request-controlled; confirm get::fulldomain() restricts
    // the result to this site's domain before it is used for redirects or cookies.
    if (is::ssl() && isset(config::$https_domain) && !isset(config::$http_domain)) {
        if (is::existset($_GET, 'r_domain')) {
            config::$http_domain = get::fulldomain($_GET['r_domain']);
        } else {
            config::$http_domain = get::fulldomain('www');
        }
    }
    session_start();
    if (config::$isolated_subdomains) {
        // find the domain
        $domain = isset(config::$http_domain) ? config::$http_domain : get::fulldomain();
        // kill any subdomain sessions that have been transferred to another subdomain
        $existing = array_keys($_SESSION);
        foreach ($existing as $d) {
            if (!is_array($_SESSION[$d])) {
                continue;
            }
            if (array_key_exists('kill_munla_session', $_SESSION[$d]) && $_SESSION[$d]['kill_munla_session']) {
                unset($_SESSION[$d]);
            }
        }
        // initialize and setup the session for this subdomain
        if (!array_key_exists($domain, $_SESSION)) {
            $_SESSION[$domain] = array();
        }
        // Bound by reference so writes through munla::$session land in $_SESSION.
        munla::$session =& $_SESSION[$domain];
    } else {
        munla::$session =& $_SESSION;
    }
    if (class_exists('singleUseArray')) {
        if (!is::existset(munla::$session, 'MUNLA_SINGLE_USE')) {
            munla::$singleUse = new singleUseArray();
        } else {
            // Restores the store serialized at the end of the previous request (see bottom of run()).
            // NOTE(review): unserialize() of session data is safe only while the session
            // store itself is trusted; consider an allowed_classes list here.
            munla::$singleUse = unserialize(munla::$session['MUNLA_SINGLE_USE']);
        }
    }
    $route = get::route();
    // csrf/keepalive/<token-id> is answered directly and terminates the request.
    if (is_array($route) && $route['controller'] == 'csrf' && $route['action'] == 'keepalive' && class_exists('csrfHelper') && is::existset($route, 'params') && count($route['params']) > 0) {
        if (isset($_POST['token'])) {
            echo csrfHelper::keepAlive($route['params'][0], $_POST['token']);
        }
        exit;
    }
    // Create the session-held user wrapper the first time an app 'user' class is seen.
    if (class_exists('user') && is_subclass_of('user', 'userBase')) {
        if (!is::existset(munla::$session, 'MUNLA_USER')) {
            munla::$session['MUNLA_USER'] = new userWrapper(new user());
        }
    }
    injector::start();
    if (class_exists('app') && is_callable(array('app', 'setup'))) {
        app::setup();
    }
    // app::setup() may have set munla::$user itself; otherwise bind it to the session copy.
    if (!isset(munla::$user) && is::existset(munla::$session, 'MUNLA_USER')) {
        munla::$user =& munla::$session['MUNLA_USER'];
    }
    // NOTE(review): formHelper is not guarded by class_exists() here, unlike above — confirm it is always loaded.
    if (!is::ajax()) {
        $submittedForm = formHelper::process();
        if (isset($submittedForm)) {
            formHelper::process($submittedForm);
        }
    }
    if (class_exists('app') && is_callable(array('app', 'start'))) {
        $route = app::start($route);
    }
    if ($route === null) {
        $route = array('controller' => 'index', 'action' => 'index', 'params' => null);
    }
    $controller = get::controller($route['controller']);
    if (!isset($controller) && $route['controller'] != 'index') {
        //push action to params, controller to action, and set controller to index and try again.
        if ($route['action'] != 'index') {
            if (!isset($route['params'])) {
                $route['params'] = array();
            }
            array_unshift($route['params'], $route['action']);
        }
        $route['action'] = $route['controller'];
        $route['controller'] = 'index';
        $controller = get::controller('index');
    }
    $view = null;
    if (isset($controller)) {
        $action = $controller->getAction(array($route['action'], $route['params']));
        if (isset($action)) {
            try {
                $viewParams = call_user_func_array(array($controller, $action['action']), $action['params']);
                //various things could happen here...
                // Normalise the action's return value to an array of view parameters.
                if (!isset($viewParams)) {
                    $viewParams = array();
                } elseif (!is_array($viewParams)) {
                    $viewParams = array($viewParams);
                }
                $view = get::view($route, $controller, $viewParams);
            } catch (SSLException $e) {
                // Wrong scheme for this action: redirect to the other context.
                go::ssl(!is::ssl());
            } catch (PermissionException $e) {
                munla::$nohistory = true;
                // Anonymous users are sent to the login view when the user class provides one.
                if (isset(munla::$user) && !munla::$user->is_logged_in() && munla::$user->getLoginView()) {
                    $view = munla::$user->getLoginView();
                } else {
                    $view = get::view('errors/generic', 'default', array('error_msg' => $e->getMessage()));
                }
            } catch (Exception $e) {
                munla::$nohistory = true;
                // NOTE(review): the raw exception message is passed to the error view;
                // confirm the view does not expose internal details to end users.
                $view = get::view('errors/generic', 'default', array('error_msg' => $e->getMessage()));
            }
        } else {
            $view = get::view($route, $controller);
        }
    } else {
        $view = get::view($route);
    }
    if ($view != null) {
        $view->render();
    } else {
        throw new Exception('View not found!');
    }
    // class_exists(..., false) deliberately avoids triggering the autoloader here.
    if (class_exists('app', false)) {
        munla::$nohistory = app::finish(munla::$nohistory);
    }
    if (munla::$nohistory === false) {
        munla::$session['lastpage'] = get::url();
    }
    // Persist the single-use store for the next request (restored above).
    if (isset(munla::$singleUse)) {
        munla::$session['MUNLA_SINGLE_USE'] = serialize(munla::$singleUse);
    }
}
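/**
 * Checks the access permission for the given method name. Checks SSL context, and user permission.
 *
 * @param string $name The method to check.
 *
 * @throws SSLException when the request is not in the SSL context the method requires.
 * @throws PermissionException when the current user lacks (or there is no user to hold)
 *   the permission the method requires.
 *
 * @return void
 */
public function check_permission($name)
{
    // Controllers may always resolve their actions; no context or permission check applies.
    if (is_subclass_of($this->internal, 'controller') && $name == 'getAction') {
        return;
    }

    // --- SSL context ---
    // getSSL() may return one bool that applies to every method, or a map of
    // method name => bool. Anything else means "no requirement".
    $ssl = $this->internal->getSSL();
    $required = null;
    if (is_bool($ssl)) {
        $required = $ssl;
    } elseif (is_array($ssl) && array_key_exists($name, $ssl) && is_bool($ssl[$name])) {
        $required = $ssl[$name];
    }
    if ($required !== null && $required != is::ssl()) {
        // Report the context this method requires; previously the truthiness of the
        // whole map was used, which always read "ssl" for a non-empty array.
        throw new SSLException(sprintf('Invalid context to run "%s" on %s. Must be %sssl.', $name, get_class($this->internal), $required ? '' : 'non-'));
    }

    // --- user permission ---
    // isset() covers both "key present" and "value not null".
    $access = $this->internal->getAccess();
    if (is_array($access) && isset($access[$name])) {
        if (!isset(munla::$user)) {
            // No user object to consult: fail closed instead of calling a method on null.
            throw new PermissionException(sprintf('Invalid permissions to run "%s" on %s.', $name, get_class($this->internal)));
        }
        $ret = munla::$user->hasPermission($access[$name]);
        if (is_string($ret)) {
            // A string result is an explanatory denial message.
            throw new PermissionException($ret);
        }
        if ($ret === false) {
            throw new PermissionException(sprintf('Invalid permissions to run "%s" on %s.', $name, get_class($this->internal)));
        }
        // NOTE(review): any other result (true, null, ...) is treated as granted;
        // hasPermission()'s contract is not visible here - confirm it never returns null.
    }
}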