/** * Checks if the current host is valid and sets variables on the given view, including: * * - **isValidHost** - true if host is valid, false if otherwise * - **invalidHostMessage** - message to display if host is invalid (only set if host is invalid) * - **invalidHost** - the invalid hostname (only set if host is invalid) * - **mailLinkStart** - the open tag of a link to email the Super User of this problem (only set * if host is invalid) * * @param View $view * @api */ public static function setHostValidationVariablesView($view) { // check if host is valid $view->isValidHost = Url::isValidHost(); if (!$view->isValidHost) { // invalid host, so display warning to user $validHosts = Url::getTrustedHostsFromConfig(); $validHost = $validHosts[0]; $invalidHost = Common::sanitizeInputValue($_SERVER['HTTP_HOST']); $emailSubject = rawurlencode(Piwik::translate('CoreHome_InjectedHostEmailSubject', $invalidHost)); $emailBody = rawurlencode(Piwik::translate('CoreHome_InjectedHostEmailBody')); $superUserEmail = implode(',', Piwik::getAllSuperUserAccessEmailAddresses()); $mailToUrl = "mailto:{$superUserEmail}?subject={$emailSubject}&body={$emailBody}"; $mailLinkStart = "<a href=\"{$mailToUrl}\">"; $invalidUrl = Url::getCurrentUrlWithoutQueryString($checkIfTrusted = false); $validUrl = Url::getCurrentScheme() . '://' . $validHost . Url::getCurrentScriptName(); $invalidUrl = Common::sanitizeInputValue($invalidUrl); $validUrl = Common::sanitizeInputValue($validUrl); $changeTrustedHostsUrl = "index.php" . Url::getCurrentQueryStringWithParametersModified(array('module' => 'CoreAdminHome', 'action' => 'generalSettings')) . "#trustedHostsSection"; $warningStart = Piwik::translate('CoreHome_InjectedHostWarningIntro', array('<strong>' . $invalidUrl . '</strong>', '<strong>' . $validUrl . '</strong>')) . ' <br/>'; if (Piwik::hasUserSuperUserAccess()) { $view->invalidHostMessage = $warningStart . ' ' . Piwik::translate('CoreHome_InjectedHostSuperUserWarning', array("<a href=\"{$changeTrustedHostsUrl}\">", $invalidHost, '</a>', "<br/><a href=\"{$validUrl}\">", $validHost, '</a>')); } else { if (Piwik::isUserIsAnonymous()) { $view->invalidHostMessage = $warningStart . ' ' . Piwik::translate('CoreHome_InjectedHostNonSuperUserWarning', array("<br/><a href=\"{$validUrl}\">", '</a>', '<span style="display:none">', '</span>')); } else { $view->invalidHostMessage = $warningStart . ' ' . Piwik::translate('CoreHome_InjectedHostNonSuperUserWarning', array("<br/><a href=\"{$validUrl}\">", '</a>', $mailLinkStart, '</a>')); } } $view->invalidHostMessageHowToFix = '<p><b>How do I fix this problem and how do I login again?</b><br/> The Piwik Super User can manually edit the file piwik/config/config.ini.php and add the following lines: <pre>[General]' . "\n" . 'trusted_hosts[] = "' . $invalidHost . '"</pre>After making the change, you will be able to login again.</p> <p>You may also <i>disable this security feature (not recommended)</i>. To do so edit config/config.ini.php and add: <pre>[General]' . "\n" . 'enable_trusted_host_check=0</pre>'; $view->invalidHost = $invalidHost; // for UserSettings warning $view->invalidHostMailLinkStart = $mailLinkStart; } }
/** * @group Core */ public function test_getCurrentScriptName() { $names = array('PATH_INFO', 'REQUEST_URI', 'SCRIPT_NAME', 'SCRIPT_FILENAME', 'argv', 'HTTPS', 'HTTP_HOST', 'QUERY_STRING', 'HTTP_REFERER'); foreach ($names as $name) { unset($_SERVER[$name]); } $tests = array(array('/', 'http://example.com/', null), array('/', '/', null), array('/index.php', '/index.php', null), array('/index.php', '/index.php?module=Foo', null), array('/index.php', '/index.php/route/1', '/route/1'), array('/index.php', '/index.php/route/2?module=Bar', '/route/2'), array('/path/index.php', '/path/index.php/route/3/?module=Fu&action=Bar#Hash', '/route/3/')); foreach ($tests as $test) { list($expected, $uri, $pathInfo) = $test; $_SERVER['REQUEST_URI'] = $uri; $_SERVER['PATH_INFO'] = $pathInfo; $scriptPathName = Url::getCurrentScriptName(); $this->assertEquals($expected, $scriptPathName); } }
/** * @group Core */ public function test_getCurrentScriptName() { $this->resetGlobalVariables(); $tests = array(array('/', 'http://example.com/', null), array('/', '/', null), array('/index.php', '/index.php', null), array('/index.php', '/index.php?module=Foo', null), array('/index.php', '/index.php/route/1', '/route/1'), array('/index.php', '/index.php/route/2?module=Bar', '/route/2'), array('/path/index.php', '/path/index.php/route/3/?module=Fu&action=Bar#Hash', '/route/3/')); foreach ($tests as $test) { list($expected, $uri, $pathInfo) = $test; $_SERVER['REQUEST_URI'] = $uri; $_SERVER['PATH_INFO'] = $pathInfo; $scriptPathName = Url::getCurrentScriptName(); $this->assertEquals($expected, $scriptPathName); } }
/** * Check force_ssl_login and redirect if connection isn't secure and not using a reverse proxy * * @param none * @return void */ protected function checkForceSslLogin() { $forceSslLogin = Config::getInstance()->General['force_ssl_login']; if ($forceSslLogin && !ProxyHttp::isHttps()) { $url = 'https://' . Url::getCurrentHost() . Url::getCurrentScriptName() . Url::getCurrentQueryString(); Url::redirectToUrl($url); } }