예제 #1
0
 public static function loadAviary()
 {
     if (Config::inst()->get('Aviary', 'LocalProcessing') && Config::inst()->get('Aviary', 'UseLocalLibrary') && ($libary = self::fetchLocalAviaryLibrary())) {
         Requirements::javascript($libary);
     } elseif (Director::is_https()) {
         Requirements::javascript('https://dme0ih8comzn4.cloudfront.net/imaging/v3/editor.js');
     } else {
         Requirements::javascript('http://feather.aviary.com/imaging/v3/editor.js');
     }
     Requirements::javascript(AVIARY_DIR . '/javascript/aviary.js');
     Requirements::css(AVIARY_DIR . '/css/aviary.css');
 }
예제 #2
0
 /**
  * Returns an endpoint (a base Oembed URL) from first matching provider.
  *
  * @param $url Human-readable URL.
  * @returns string/bool URL of an endpoint, or false if no matching provider exists.
  */
 protected static function find_endpoint($url)
 {
     foreach (self::get_providers() as $scheme => $endpoint) {
         if (self::matches_scheme($url, $scheme)) {
             $protocol = Director::is_https() ? 'https' : 'http';
             if (is_array($endpoint)) {
                 if (array_key_exists($protocol, $endpoint)) {
                     $endpoint = $endpoint[$protocol];
                 } else {
                     $endpoint = reset($endpoint);
                 }
             }
             return $endpoint;
         }
     }
     return false;
 }
 /**
  * Show the "login" page
  *
  * @return string Returns the "login" page as HTML code.
  */
 public function login()
 {
     try {
         if (!defined('OPENSTACKID_ENABLED') || OPENSTACKID_ENABLED == false) {
             return parent::login();
         }
         $member = Member::currentUser();
         if ($member) {
             // user is already logged in
             return $this->redirect(OpenStackIdCommon::getRedirectBackUrl());
         }
         if (!Director::is_https()) {
             OpenStackIdCommon::redirectToSSL($_SERVER['REQUEST_URI']);
         }
         // Begin the OpenID authentication process.
         $auth_request = $this->consumer->begin(IDP_OPENSTACKID_URL);
         //remove jainrain nonce
         unset($auth_request->return_to_args['janrain_nonce']);
         // No auth request means we can't begin OpenID.
         if (!$auth_request) {
             throw new Exception("The OpenID authentication failed.");
         }
         if (Auth_OpenID_supportsSReg($auth_request->endpoint)) {
             //SREG
             $sreg_request = Auth_OpenID_SRegRequest::build(array('email', 'fullname'), array('country', 'language'));
             if ($sreg_request) {
                 $auth_request->addExtension($sreg_request);
             }
         } else {
             //AX
             // Create attribute request object
             // See http://code.google.com/apis/accounts/docs/OpenID.html#Parameters for parameters
             // Usage: make($type_uri, $count=1, $required=false, $alias=null)
             $attribute[] = Auth_OpenID_AX_AttrInfo::make('http://axschema.org/contact/email', 1, 1, 'email');
             $attribute[] = Auth_OpenID_AX_AttrInfo::make('http://axschema.org/namePerson/first', 1, 1, 'firstname');
             $attribute[] = Auth_OpenID_AX_AttrInfo::make('http://axschema.org/namePerson/last', 1, 1, 'lastname');
             $attribute[] = Auth_OpenID_AX_AttrInfo::make('http://axschema.org/namePerson', 1, 1, 'fullname');
             // Create AX fetch request
             $ax = new Auth_OpenID_AX_FetchRequest();
             // Add attributes to AX fetch request
             foreach ($attribute as $attr) {
                 $ax->add($attr);
             }
             // Add AX fetch request to authentication request
             $auth_request->addExtension($ax);
         }
         //Redirect the user to the OpenID server for authentication .
         // Store the token for this authentication so we can verify the
         // response.
         // For OpenID 1, send a redirect.  For OpenID 2, use a Javascript
         // form to send a POST request to the server.
         if ($auth_request->shouldSendRedirect()) {
             $redirect_url = $auth_request->redirectURL($this->getTrustRoot(), $this->getReturnTo());
             // If the redirect URL can't be built, display an error
             // message.
             if (Auth_OpenID::isFailure($redirect_url)) {
                 echo "Could not redirect to server: " . $redirect_url->message;
             } else {
                 // Send redirect.
                 header("Location: " . $redirect_url);
             }
         } else {
             // Generate form markup and render it.
             $form_id = 'openid_message';
             $form_html = $auth_request->htmlMarkup(OpenStackIdCommon::getTrustRoot(), OpenStackIdCommon::getReturnTo(), false, array('id' => $form_id));
             // Display an error if the form markup couldn't be generated;
             // otherwise, render the HTML.
             if (Auth_OpenID::isFailure($form_html)) {
                 echo "Could not redirect to server: " . $form_html->message;
             } else {
                 print $form_html;
             }
         }
         exit;
     } catch (Exception $ex) {
         SS_Log::log($ex, SS_Log::WARN);
         Session::set("Security.Message.message", $ex->getMessage());
         Session::set("Security.Message.type", "bad");
         return $this->redirect("Security/badlogin");
     }
 }
예제 #4
0
 /**
  * Is there a session ID in the request?
  * @return bool
  */
 public static function request_contains_session_id()
 {
     $secure = Director::is_https() && Config::inst()->get('Session', 'cookie_secure');
     $name = $secure ? 'SECSESSID' : session_name();
     return isset($_COOKIE[$name]) || isset($_REQUEST[$name]);
 }
예제 #5
0
파일: HTTP.php 프로젝트: tcaiger/mSupplyNZ
 /**
  * Add the appropriate caching headers to the response, including If-Modified-Since / 304 handling.
  * Note that setting HTTP::$cache_age will overrule any cache headers set by PHP's
  * session_cache_limiter functionality. It is your responsibility to ensure only cacheable data
  * is in fact cached, and HTTP::$cache_age isn't set when the HTTP body contains session-specific content.
  *
  * @param SS_HTTPResponse $body The SS_HTTPResponse object to augment.  Omitted the argument or passing a string is
  *                            deprecated; in these cases, the headers are output directly.
  */
 public static function add_cache_headers($body = null)
 {
     $cacheAge = self::$cache_age;
     // Validate argument
     if ($body && !$body instanceof SS_HTTPResponse) {
         user_error("HTTP::add_cache_headers() must be passed an SS_HTTPResponse object", E_USER_WARNING);
         $body = null;
     }
     // Development sites have frequently changing templates; this can get stuffed up by the code
     // below.
     if (Director::isDev()) {
         $cacheAge = 0;
     }
     // The headers have been sent and we don't have an SS_HTTPResponse object to attach things to; no point in
     // us trying.
     if (headers_sent() && !$body) {
         return;
     }
     // Populate $responseHeaders with all the headers that we want to build
     $responseHeaders = array();
     $config = Config::inst();
     $cacheControlHeaders = Config::inst()->get('HTTP', 'cache_control');
     // currently using a config setting to cancel this, seems to be so that the CMS caches ajax requests
     if (function_exists('apache_request_headers') && $config->get(get_called_class(), 'cache_ajax_requests')) {
         $requestHeaders = array_change_key_case(apache_request_headers(), CASE_LOWER);
         if (isset($requestHeaders['x-requested-with']) && $requestHeaders['x-requested-with'] == 'XMLHttpRequest') {
             $cacheAge = 0;
         }
     }
     if ($cacheAge > 0) {
         $cacheControlHeaders['max-age'] = self::$cache_age;
         // Set empty pragma to avoid PHP's session_cache_limiter adding conflicting caching information,
         // defaulting to "nocache" on most PHP configurations (see http://php.net/session_cache_limiter).
         // Since it's a deprecated HTTP 1.0 option, all modern HTTP clients and proxies should
         // prefer the caching information indicated through the "Cache-Control" header.
         $responseHeaders["Pragma"] = "";
         // To do: User-Agent should only be added in situations where you *are* actually
         // varying according to user-agent.
         $responseHeaders['Vary'] = 'Cookie, X-Forwarded-Protocol, User-Agent, Accept';
     } else {
         if ($body) {
             // Grab header for checking. Unfortunately HTTPRequest uses a mistyped variant.
             $contentDisposition = $body->getHeader('Content-disposition');
             if (!$contentDisposition) {
                 $contentDisposition = $body->getHeader('Content-Disposition');
             }
         }
         if ($body && Director::is_https() && isset($_SERVER['HTTP_USER_AGENT']) && strstr($_SERVER['HTTP_USER_AGENT'], 'MSIE') == true && strstr($contentDisposition, 'attachment;') == true) {
             // IE6-IE8 have problems saving files when https and no-cache are used
             // (http://support.microsoft.com/kb/323308)
             // Note: this is also fixable by ticking "Do not save encrypted pages to disk" in advanced options.
             $cacheControlHeaders['max-age'] = 3;
             // Set empty pragma to avoid PHP's session_cache_limiter adding conflicting caching information,
             // defaulting to "nocache" on most PHP configurations (see http://php.net/session_cache_limiter).
             // Since it's a deprecated HTTP 1.0 option, all modern HTTP clients and proxies should
             // prefer the caching information indicated through the "Cache-Control" header.
             $responseHeaders["Pragma"] = "";
         } else {
             $cacheControlHeaders['no-cache'] = "true";
         }
     }
     foreach ($cacheControlHeaders as $header => $value) {
         if (is_null($value)) {
             unset($cacheControlHeaders[$header]);
         } elseif (is_bool($value) && $value || $value === "true") {
             $cacheControlHeaders[$header] = $header;
         } else {
             $cacheControlHeaders[$header] = $header . "=" . $value;
         }
     }
     $responseHeaders['Cache-Control'] = implode(', ', $cacheControlHeaders);
     unset($cacheControlHeaders, $header, $value);
     if (self::$modification_date && $cacheAge > 0) {
         $responseHeaders["Last-Modified"] = self::gmt_date(self::$modification_date);
         // Chrome ignores Varies when redirecting back (http://code.google.com/p/chromium/issues/detail?id=79758)
         // which means that if you log out, you get redirected back to a page which Chrome then checks against
         // last-modified (which passes, getting a 304)
         // when it shouldn't be trying to use that page at all because it's the "logged in" version.
         // By also using and etag that includes both the modification date and all the varies
         // values which we also check against we can catch this and not return a 304
         $etagParts = array(self::$modification_date, serialize($_COOKIE));
         $etagParts[] = Director::is_https() ? 'https' : 'http';
         if (isset($_SERVER['HTTP_USER_AGENT'])) {
             $etagParts[] = $_SERVER['HTTP_USER_AGENT'];
         }
         if (isset($_SERVER['HTTP_ACCEPT'])) {
             $etagParts[] = $_SERVER['HTTP_ACCEPT'];
         }
         $etag = sha1(implode(':', $etagParts));
         $responseHeaders["ETag"] = $etag;
         // 304 response detection
         if (isset($_SERVER['HTTP_IF_MODIFIED_SINCE'])) {
             $ifModifiedSince = strtotime(stripslashes($_SERVER['HTTP_IF_MODIFIED_SINCE']));
             // As above, only 304 if the last request had all the same varies values
             // (or the etag isn't passed as part of the request - but with chrome it always is)
             $matchesEtag = !isset($_SERVER['HTTP_IF_NONE_MATCH']) || $_SERVER['HTTP_IF_NONE_MATCH'] == $etag;
             if ($ifModifiedSince >= self::$modification_date && $matchesEtag) {
                 if ($body) {
                     $body->setStatusCode(304);
                     $body->setBody('');
                 } else {
                     header('HTTP/1.0 304 Not Modified');
                     die;
                 }
             }
         }
         $expires = time() + $cacheAge;
         $responseHeaders["Expires"] = self::gmt_date($expires);
     }
     if (self::$etag) {
         $responseHeaders['ETag'] = self::$etag;
     }
     // Now that we've generated them, either output them or attach them to the SS_HTTPResponse as appropriate
     foreach ($responseHeaders as $k => $v) {
         if ($body) {
             // Set the header now if it's not already set.
             if ($body->getHeader($k) === null) {
                 $body->addHeader($k, $v);
             }
         } elseif (!headers_sent()) {
             header("{$k}: {$v}");
         }
     }
 }
예제 #6
0
 public function testIsHttps()
 {
     if (!TRUSTED_PROXY) {
         $this->markTestSkipped('Test cannot be run without trusted proxy');
     }
     // nothing available
     $headers = array('HTTP_X_FORWARDED_PROTOCOL', 'HTTPS', 'SSL');
     $origServer = $_SERVER;
     foreach ($headers as $header) {
         if (isset($_SERVER[$header])) {
             unset($_SERVER['HTTP_X_FORWARDED_PROTOCOL']);
         }
     }
     $this->assertFalse(Director::is_https());
     $_SERVER['HTTP_X_FORWARDED_PROTOCOL'] = 'https';
     $this->assertTrue(Director::is_https());
     $_SERVER['HTTP_X_FORWARDED_PROTOCOL'] = 'http';
     $this->assertFalse(Director::is_https());
     $_SERVER['HTTP_X_FORWARDED_PROTOCOL'] = 'ftp';
     $this->assertFalse(Director::is_https());
     $_SERVER['HTTP_X_FORWARDED_PROTO'] = 'https';
     $this->assertTrue(Director::is_https());
     $_SERVER['HTTP_X_FORWARDED_PROTO'] = 'http';
     $this->assertFalse(Director::is_https());
     $_SERVER['HTTP_X_FORWARDED_PROTO'] = 'ftp';
     $this->assertFalse(Director::is_https());
     $_SERVER['HTTP_FRONT_END_HTTPS'] = 'On';
     $this->assertTrue(Director::is_https());
     $_SERVER['HTTP_FRONT_END_HTTPS'] = 'Off';
     $this->assertFalse(Director::is_https());
     // https via HTTPS
     $_SERVER['HTTPS'] = 'true';
     $this->assertTrue(Director::is_https());
     $_SERVER['HTTPS'] = '1';
     $this->assertTrue(Director::is_https());
     $_SERVER['HTTPS'] = 'off';
     $this->assertFalse(Director::is_https());
     // https via SSL
     $_SERVER['SSL'] = '';
     $this->assertTrue(Director::is_https());
     $_SERVER = $origServer;
 }
 /**
  * @param File|string $f - the string should be the Filename field of a File
  * @param int $linkType [optional]
  * @return string
  */
 public function getLinkFor($f, $linkType = self::LINK_SMART)
 {
     switch ($linkType) {
         case self::LINK_HTTP:
             $field = 'baseURL';
             break;
         case self::LINK_HTTPS:
             $field = 'secureURL';
             break;
         default:
             $ssl = Director::is_https() && !empty($this->secureURL);
             $field = $ssl ? 'secureURL' : 'baseURL';
     }
     $base = null;
     if (count($this->{$field}) > 1 && is_object($f)) {
         // If there are multiple urls, use cloud meta to remember
         // which one we used so the url stays the same for any
         // given image, allowing the image to still be cached
         $base = $f->getCloudMeta($field);
         if (!$base) {
             $base = $this->roundRobinGet($field);
             $f->setCloudMeta($field, $base);
             $f->write();
         }
     } else {
         // If there's only one, don't touch meta data
         $base = $this->roundRobinGet($field);
     }
     return $base . $this->getRelativeLinkFor($f);
 }
 /**
  * 
  * @param File $file
  * @return void
  */
 public function sendFileToBrowser($file)
 {
     $path = $file->getFullPath();
     if (SapphireTest::is_running_test()) {
         return file_get_contents($path);
     }
     $basename = basename($path);
     $length = $file->getAbsoluteSize();
     $type = HTTP::get_mime_type($file->getRelativePath());
     //handling time limitation
     if ($threshold = $this->config()->bandwidth_threshold) {
         increase_time_limit_to((int) ($length / $threshold));
     } else {
         increase_time_limit_to();
     }
     // send header
     header('Content-Description: File Transfer');
     /*
      * allow inline 'save as' popup, double quotation is present to prevent browser (eg. Firefox) from handling
      * wrongly a file with a name with whitespace, through a file in SilverStripe should not contain any whitespace
      * if the file is uploaded through SS interface
      * http://kb.mozillazine.org/Filenames_with_spaces_are_truncated_upon_download
      */
     header('Content-Type: ' . $type);
     header('Content-Disposition: inline; filename=' . $basename);
     header('Content-Transfer-Encoding: binary');
     header('Content-Length: ' . $length);
     /**
      * issue fixes for IE6,7,8  when downloading a file over HTTPS (http://support.microsoft.com/kb/812935)
      * http://www.dotvoid.com/2009/10/problem-with-downloading-files-with-internet-explorer-over-https/
      */
     if (Director::is_https()) {
         header('Pragma: ');
     }
     header('Expires: 0');
     header('Cache-Control: must-revalidate');
     /**
      * unload the php session file
      * see http://konrness.com/php5/how-to-prevent-blocking-php-requests
      */
     session_write_close();
     // if output buffering is active, we clear it to prevent the script from trying to to allocate memory for entire file.
     while (ob_get_level() > 0) {
         ob_end_clean();
     }
     flush();
     readfile($path);
     exit(0);
 }
예제 #9
0
 /**
  * Add the appropriate caching headers to the response, including If-Modified-Since / 304 handling.
  *
  * @param SS_HTTPResponse The SS_HTTPResponse object to augment.  Omitted the argument or passing a string is
  *                            deprecated; in these cases, the headers are output directly.
  */
 public static function add_cache_headers($body = null)
 {
     $cacheAge = self::$cache_age;
     // Validate argument
     if ($body && !$body instanceof SS_HTTPResponse) {
         user_error("HTTP::add_cache_headers() must be passed an SS_HTTPResponse object", E_USER_WARNING);
         $body = null;
     }
     // Development sites have frequently changing templates; this can get stuffed up by the code
     // below.
     if (Director::isDev()) {
         $cacheAge = 0;
     }
     // The headers have been sent and we don't have an SS_HTTPResponse object to attach things to; no point in
     // us trying.
     if (headers_sent() && !$body) {
         return;
     }
     // Popuplate $responseHeaders with all the headers that we want to build
     $responseHeaders = array();
     if (function_exists('apache_request_headers')) {
         $requestHeaders = apache_request_headers();
         if (isset($requestHeaders['X-Requested-With']) && $requestHeaders['X-Requested-With'] == 'XMLHttpRequest') {
             $cacheAge = 0;
         }
         // bdc: now we must check for DUMB IE6:
         if (isset($requestHeaders['x-requested-with']) && $requestHeaders['x-requested-with'] == 'XMLHttpRequest') {
             $cacheAge = 0;
         }
     }
     if ($cacheAge > 0) {
         $responseHeaders["Cache-Control"] = "max-age={$cacheAge}, must-revalidate, no-transform";
         $responseHeaders["Pragma"] = "";
         // To do: User-Agent should only be added in situations where you *are* actually
         // varying according to user-agent.
         $responseHeaders['Vary'] = 'Cookie, X-Forwarded-Protocol, User-Agent, Accept';
     } else {
         if ($body) {
             // Grab header for checking. Unfortunately HTTPRequest uses a mistyped variant.
             $contentDisposition = $body->getHeader('Content-disposition');
             if (!$contentDisposition) {
                 $contentDisposition = $body->getHeader('Content-Disposition');
             }
         }
         if ($body && Director::is_https() && strstr($_SERVER["HTTP_USER_AGENT"], 'MSIE') == true && strstr($contentDisposition, 'attachment;') == true) {
             // IE6-IE8 have problems saving files when https and no-cache are used
             // (http://support.microsoft.com/kb/323308)
             // Note: this is also fixable by ticking "Do not save encrypted pages to disk" in advanced options.
             $responseHeaders["Cache-Control"] = "max-age=3, must-revalidate, no-transform";
             $responseHeaders["Pragma"] = "";
         } else {
             $responseHeaders["Cache-Control"] = "no-cache, max-age=0, must-revalidate, no-transform";
         }
     }
     if (self::$modification_date && $cacheAge > 0) {
         $responseHeaders["Last-Modified"] = self::gmt_date(self::$modification_date);
         // Chrome ignores Varies when redirecting back (http://code.google.com/p/chromium/issues/detail?id=79758)
         // which means that if you log out, you get redirected back to a page which Chrome then checks against
         // last-modified (which passes, getting a 304)
         // when it shouldn't be trying to use that page at all because it's the "logged in" version.
         // By also using and etag that includes both the modification date and all the varies
         // values which we also check against we can catch this and not return a 304
         $etagParts = array(self::$modification_date, serialize($_COOKIE));
         $etagParts[] = Director::is_https() ? 'https' : 'http';
         if (isset($_SERVER['HTTP_USER_AGENT'])) {
             $etagParts[] = $_SERVER['HTTP_USER_AGENT'];
         }
         if (isset($_SERVER['HTTP_ACCEPT'])) {
             $etagParts[] = $_SERVER['HTTP_ACCEPT'];
         }
         $etag = sha1(implode(':', $etagParts));
         $responseHeaders["ETag"] = $etag;
         // 304 response detection
         if (isset($_SERVER['HTTP_IF_MODIFIED_SINCE'])) {
             $ifModifiedSince = strtotime(stripslashes($_SERVER['HTTP_IF_MODIFIED_SINCE']));
             // As above, only 304 if the last request had all the same varies values
             // (or the etag isn't passed as part of the request - but with chrome it always is)
             $matchesEtag = !isset($_SERVER['HTTP_IF_NONE_MATCH']) || $_SERVER['HTTP_IF_NONE_MATCH'] == $etag;
             if ($ifModifiedSince >= self::$modification_date && $matchesEtag) {
                 if ($body) {
                     $body->setStatusCode(304);
                     $body->setBody('');
                 } else {
                     header('HTTP/1.0 304 Not Modified');
                     die;
                 }
             }
         }
         $expires = time() + $cacheAge;
         $responseHeaders["Expires"] = self::gmt_date($expires);
     }
     if (self::$etag) {
         $responseHeaders['ETag'] = self::$etag;
     }
     // Now that we've generated them, either output them or attach them to the SS_HTTPResponse as appropriate
     foreach ($responseHeaders as $k => $v) {
         if ($body) {
             $body->addHeader($k, $v);
         } else {
             if (!headers_sent()) {
                 header("{$k}: {$v}");
             }
         }
     }
 }
예제 #10
0
 /**
  * @param Object $originator
  * @param SS_HTTPRequest $request
  * @param SS_HTTPResponse $response
  * @param DataModel $model
  */
 public function applyToResponse($originator, SS_HTTPRequest $request, SS_HTTPResponse $response, DataModel $model)
 {
     $cacheAge = $this->cacheAge;
     $vary = $this->vary;
     $responseHeaders = array();
     // Allow overriding max-age from the object hooked up to the policed controller.
     if ($originator->hasMethod('getCacheAge')) {
         $extendedCacheAge = $originator->getCacheAge($cacheAge);
         if ($extendedCacheAge !== null) {
             $cacheAge = $extendedCacheAge;
         }
     }
     // Same for vary, but probably less useful.
     if ($originator->hasMethod('getVary')) {
         $extendedVary = $originator->getVary($vary);
         if ($extendedVary !== null) {
             $vary = $extendedVary;
         }
     }
     if ($cacheAge > 0) {
         // Note: must-revalidate means that the cache must revalidate AFTER the entry has gone stale.
         $responseHeaders["Cache-Control"] = "max-age=" . $cacheAge . ", must-revalidate, no-transform";
         $responseHeaders["Pragma"] = "";
         $responseHeaders['Vary'] = $vary;
         // Find out when the URI was last modified. Allows customisation, but fall back HTTP timestamp collector.
         if ($originator->hasMethod('getModificationTimestamp')) {
             $timestamp = $originator->getModificationTimestamp();
         } else {
             $timestamp = HTTP::$modification_date;
         }
         if ($timestamp) {
             $responseHeaders["Last-Modified"] = self::gmt_date($timestamp);
             // Chrome ignores Varies when redirecting back (http://code.google.com/p/chromium/issues/detail?id=79758)
             // which means that if you log out, you get redirected back to a page which Chrome then checks against
             // last-modified (which passes, getting a 304)
             // when it shouldn't be trying to use that page at all because it's the "logged in" version.
             // By also using and etag that includes both the modification date and all the varies
             // values which we also check against we can catch this and not return a 304
             $etagParts = array($timestamp, serialize($_COOKIE));
             $etagParts[] = Director::is_https() ? 'https' : 'http';
             if (isset($_SERVER['HTTP_USER_AGENT'])) {
                 $etagParts[] = $_SERVER['HTTP_USER_AGENT'];
             }
             if (isset($_SERVER['HTTP_ACCEPT'])) {
                 $etagParts[] = $_SERVER['HTTP_ACCEPT'];
             }
             $etag = sha1(implode(':', $etagParts));
             $responseHeaders['ETag'] = $etag;
             // 304 response detection
             if (isset($_SERVER['HTTP_IF_MODIFIED_SINCE'])) {
                 $ifModifiedSince = strtotime(stripslashes($_SERVER['HTTP_IF_MODIFIED_SINCE']));
                 // As above, only 304 if the last request had all the same varies values
                 // (or the etag isn't passed as part of the request - but with chrome it always is)
                 $matchesEtag = !isset($_SERVER['HTTP_IF_NONE_MATCH']) || $_SERVER['HTTP_IF_NONE_MATCH'] == $etag;
                 if ($ifModifiedSince >= $timestamp && $matchesEtag) {
                     $response->setStatusCode(304);
                     $response->setBody('');
                 }
             }
             $expires = time() + $cacheAge;
             $responseHeaders['Expires'] = self::gmt_date($expires);
         }
     }
     if (self::$etag) {
         $responseHeaders['ETag'] = self::$etag;
     }
     // Now that we've generated them, either output them or attach them to the SS_HTTPResponse as appropriate
     foreach ($responseHeaders as $k => $v) {
         $response->addHeader($k, $v);
     }
 }
예제 #11
0
 /**
  * Initialize session.
  *
  * @param string $sid Start the session with a specific ID
  */
 public static function start($sid = null)
 {
     $path = Config::inst()->get('Session', 'cookie_path');
     if (!$path) {
         $path = Director::baseURL();
     }
     $domain = Config::inst()->get('Session', 'cookie_domain');
     $secure = Director::is_https() && Config::inst()->get('Session', 'cookie_secure');
     $session_path = Config::inst()->get('Session', 'session_store_path');
     $timeout = Config::inst()->get('Session', 'timeout');
     if (!session_id() && !headers_sent()) {
         if ($domain) {
             session_set_cookie_params($timeout, $path, $domain, $secure, true);
         } else {
             session_set_cookie_params($timeout, $path, null, $secure, true);
         }
         // Allow storing the session in a non standard location
         if ($session_path) {
             session_save_path($session_path);
         }
         // If we want a secure cookie for HTTPS, use a seperate session name. This lets us have a
         // seperate (less secure) session for non-HTTPS requests
         if ($secure) {
             session_name('SECSESSID');
         }
         // @ is to supress win32 warnings/notices when session wasn't cleaned up properly
         // There's nothing we can do about this, because it's an operating system function!
         if ($sid) {
             session_id($sid);
         }
         @session_start();
     }
     // Modify the timeout behaviour so it's the *inactive* time before the session expires.
     // By default it's the total session lifetime
     if ($timeout && !headers_sent()) {
         Cookie::set(session_name(), session_id(), $timeout / 86400, $path, $domain ? $domain : null, $secure, true);
     }
 }
 /**
  * Return the Field that we will use in this protector
  *
  * @return string
  */
 public function getFormField($name = "RecaptchaField", $title = "Captcha", $value = null)
 {
     $field = new RecaptchaField($name, $title, $value);
     $field->useSSL = Director::is_https();
     return $field;
 }
 /**
  * Redirect users if found on incorrect domain
  * Detects if $_GET['session'] is present, sets session
  * and redirects back to "clean URL"
  * Both _SECURE_URL and _STANDARD_URL must be defined,
  * and include protocol (http(s)://mydomain.com) with no trailing slash
  * @return null
  */
 protected function secureHostSwitcher()
 {
     if (!DEFINED('_SECURE_URL') || !DEFINED('_STANDARD_URL')) {
         return false;
     }
     $protocol = Director::is_https() ? 'https://' : 'http://';
     $currentUrlFull = $protocol . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
     list($currentUrlFull) = explode('#', $currentUrlFull);
     $currentUrlWithoutHost = $_SERVER['REQUEST_URI'];
     //remove fragment...just to keep it simple...
     list($currentUrlWithoutHost) = explode('#', $currentUrlWithoutHost);
     $sessionPartOfURL = "";
     $sessionID = session_id();
     if ($sessionID) {
         if (strpos($currentUrlWithoutHost, "?")) {
             $sessionPartOfURL .= "&";
         } else {
             $sessionPartOfURL = "?";
         }
         $sessionPartOfURL .= "session=" . $sessionID;
         $currentUrlWithoutHost .= $sessionPartOfURL;
     }
     $isSecure = $this->owner->isSecurePage();
     if ($isSecure && !preg_match('/^' . preg_quote(_SECURE_URL, '/') . '/', $currentUrlFull)) {
         return $this->owner->redirect(_SECURE_URL . $currentUrlWithoutHost);
     } else {
         if (!$isSecure && !preg_match('/^' . preg_quote(_STANDARD_URL, '/') . '/', $currentUrlFull)) {
             return $this->owner->redirect(_STANDARD_URL . $currentUrlWithoutHost);
         }
     }
     if ($sessionID = $this->owner->request->getVar('session')) {
         $currentUrlFull = str_replace("?session=" . $sessionID, "", $currentUrlFull);
         $currentUrlFull = str_replace("&session=" . $sessionID, "", $currentUrlFull);
         /* force hard-coded session setting */
         @session_write_close();
         @session_id($sessionID);
         @session_start();
         header("location: " . $currentUrlFull, 302);
         exit;
     }
 }