/**
 * Return the user avatar image URL.
 * In this first implementation, only gravatar.com avatars are supported.
 *
 * The e-mail address is trimmed and lower-cased before hashing, which is the
 * form Gravatar expects; the default-avatar setting is URL-encoded because it
 * may itself be a URL rather than one of Gravatar's keywords.
 *
 * @param int $p_user_id User ID
 * @param int $p_size    Pixel size of the (square) image; inserted into the
 *                       query string as given, so callers pass an integer
 * @return array|bool array( URL, width, height ), or false when avatars are disabled
 */
function user_get_avatar($p_user_id, $p_size = 80)
{
    $t_show_avatar = config_get('show_avatar');
    # Avatars are switched off site-wide: nothing to build
    if ($t_show_avatar === OFF) {
        return false;
    }
    # Legacy boolean configuration: ON maps to Gravatar's identicon default
    $t_default = ($t_show_avatar === ON) ? 'identicon' : $t_show_avatar;
    # Either a Gravatar keyword or a URL to a fallback image, so encode it
    $t_default = urlencode($t_default);
    $t_rating = 'G';
    $t_hash = md5(utf8_strtolower(trim(user_get_email($p_user_id))));
    # Pick the Gravatar host matching the scheme of the current request
    $t_base = http_is_protocol_https() ? 'https://secure.gravatar.com/' : 'http://www.gravatar.com/';
    $t_url = $t_base . 'avatar/' . $t_hash . '?d=' . $t_default . '&r=' . $t_rating . '&s=' . $p_size;
    return array($t_url, $p_size, $p_size);
}
/**
 * Return the user avatar image URL.
 * In this first implementation, only gravatar.com avatars are supported.
 *
 * Returns array( URL, width, height ), or an empty array when avatars are
 * disabled. An unknown user id still yields a URL, built from a fixed
 * placeholder hash, so callers always get a usable image reference.
 *
 * @param integer $p_user_id A valid user identifier.
 * @param integer $p_size    The required number of pixel in the image to retrieve the link for.
 * @return array
 */
function user_get_avatar($p_user_id, $p_size = 80)
{
    $t_show_avatar = config_get('show_avatar');
    # Avatars are switched off site-wide
    if ($t_show_avatar === OFF) {
        return array();
    }
    # Legacy boolean configuration: ON maps to Gravatar's identicon default
    $t_default = ($t_show_avatar === ON) ? 'identicon' : $t_show_avatar;
    # Either a Gravatar keyword or a URL to a fallback image, so encode it
    $t_default = urlencode($t_default);
    $t_rating = 'G';
    # Gravatar keys on the lower-cased, trimmed e-mail address; a missing
    # user gets a constant placeholder hash instead
    $t_hash = user_exists($p_user_id)
        ? md5(strtolower(trim(user_get_email($p_user_id))))
        : md5('generic-avatar-since-user-not-found');
    # Pick the Gravatar host matching the scheme of the current request
    $t_base = http_is_protocol_https() ? 'https://secure.gravatar.com/' : 'http://www.gravatar.com/';
    $t_url = "{$t_base}avatar/{$t_hash}?d={$t_default}&r={$t_rating}&s={$p_size}";
    return array($t_url, $p_size, $p_size);
}
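/**
 * Set security headers (frame busting, clickjacking/XSS/CSRF protection).
 *
 * Sends X-Frame-Options, a Content-Security-Policy assembled from the
 * directives below and, over HTTPS only, Strict-Transport-Security. Nothing
 * is sent once output has already started, because header() cannot add
 * headers at that point.
 * @return void
 */
function http_security_headers()
{
    if (headers_sent()) {
        return;
    }
    header('X-Frame-Options: DENY');
    # Define Content Security Policy: same-origin resources only, never framed
    $t_csp = array("default-src 'self'", "frame-ancestors 'none'");
    # Policy for images: allow the Gravatar host matching the current scheme
    if (config_get_global('show_avatar')) {
        if (http_is_protocol_https()) {
            $t_avatar_url = 'https://secure.gravatar.com:443';
        } else {
            $t_avatar_url = 'http://www.gravatar.com:80';
        }
        $t_csp[] = "img-src 'self' {$t_avatar_url}";
    }
    # Relaxing policy for roadmap page to allow inline styles
    # This is a workaround to fix the broken progress bars (see #19501)
    # SCRIPT_NAME is not set outside a web SAPI (e.g. CLI runs), so guard the
    # read instead of passing null to basename(), and compare strictly.
    $t_script = isset($_SERVER['SCRIPT_NAME']) ? basename($_SERVER['SCRIPT_NAME']) : '';
    if ('roadmap_page.php' === $t_script) {
        $t_csp[] = "style-src 'self' 'unsafe-inline'";
    }
    # Set CSP header
    header('Content-Security-Policy: ' . implode('; ', $t_csp));
    # HSTS only makes sense on a secure connection (browsers ignore it over http)
    if (http_is_protocol_https()) {
        header('Strict-Transport-Security: max-age=7776000');
    }
}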
        break;
}
# throw away output buffer contents (and disable it) to protect download
# ob_end_clean() returns false once no buffer is left, which ends the loop;
# the @ silences the notice that final call raises.
while (@ob_end_clean()) {
}
# Disable on-the-fly compression so the Content-Length sent below matches
# the bytes actually written to the client.
if (ini_get('zlib.output_compression') && function_exists('ini_set')) {
    ini_set('zlib.output_compression', false);
}
http_security_headers();
# Make sure that IE can download the attachments under https.
header('Pragma: public');
# To fix an IE bug which causes problems when downloading
# attached files via HTTPS, we disable the "Pragma: no-cache"
# command when IE is used over HTTPS.
# NOTE(review): at file scope this `global` is redundant — the variable is
# already in the global scope here.
global $g_allow_file_cache;
if (http_is_protocol_https() && is_browser_internet_explorer()) {
    # Suppress "Pragma: no-cache" header.
} else {
    # Only an explicit $g_allow_file_cache setting opts out of no-cache
    if (!isset($g_allow_file_cache)) {
        header('Pragma: no-cache');
    }
}
# Expires "now" (GMT), Last-Modified from the attachment's stored timestamp
header('Expires: ' . gmdate('D, d M Y H:i:s \\G\\M\\T', time()));
header('Last-Modified: ' . gmdate('D, d M Y H:i:s \\G\\M\\T', $v_date_added));
$t_filename = file_get_display_name($v_filename);
# For Internet Explorer 8 as per http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx
# Don't let IE second guess our content-type!
# Without nosniff a browser may treat an uploaded file as HTML/script
# regardless of the declared Content-Type.
header('X-Content-Type-Options: nosniff');
# Content-Disposition (inline vs. attachment presumably chosen by $f_show_inline — see helper)
http_content_disposition_header($t_filename, $f_show_inline);
header('Content-Length: ' . $v_filesize);
# If finfo is available (always true for PHP >= 5.3.0) we can use it to determine the MIME type of files
 * @link http://www.mantisbt.org
 *
 * @uses config_api.php
 * @uses constant_inc.php
 * @uses error_api.php
 * @uses http_api.php
 */
# APIs this file depends on; loaded before the global below is evaluated
require_api('config_api.php');
require_api('constant_inc.php');
require_api('error_api.php');
require_api('http_api.php');
# Determines (once-off) whether the client is accessing this script via a
# secure connection. If they are, we want to use the Secure cookie flag to
# prevent the cookie from being transmitted to other domains.
# Evaluated once at load time, so it reflects the scheme of the current request only.
# @global boolean $g_cookie_secure_flag_enabled
$g_cookie_secure_flag_enabled = http_is_protocol_https();
/**
 * Retrieve a GPC variable.
 * If the variable is not set, the default is returned.
 *
 *  You may pass in any variable as a default (including null) but if
 *  you pass in *no* default then an error will be triggered if the field
 *  cannot be found
 *
 * @param string $p_var_name Variable name.
 * @param mixed  $p_default  Default value.
 * @return null
 */
function gpc_get($p_var_name, $p_default = null)
{
    if (isset($_POST[$p_var_name])) {
/**
 * Return the user avatar image URL.
 * In this first implementation, only gravatar.com avatars are supported.
 *
 * The user's e-mail address is trimmed and lower-cased before hashing, as
 * Gravatar expects; a blank address yields no avatar.
 *
 * @param int $p_user_id User ID
 * @param int $p_size    Pixel size of the (square) image
 * @return array|bool an array( URL, width, height ) or false when the given user has no avatar
 */
function user_get_avatar($p_user_id, $p_size = 80)
{
    $t_email = utf8_strtolower(trim(user_get_email($p_user_id)));
    # Nothing to hash, hence nothing to show
    if (is_blank($t_email)) {
        return false;
    }
    # Pick the Gravatar host matching the scheme of the current request
    $t_base = http_is_protocol_https() ? 'https://secure.gravatar.com/' : 'http://www.gravatar.com/';
    $t_url = "{$t_base}avatar/" . md5($t_email) . "?d=identicon&r=G&s={$p_size}";
    return array($t_url, $p_size, $p_size);
}
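/**
 * Set security headers (frame busting, clickjacking/XSS/CSRF protection).
 *
 * Sends X-Frame-Options, the legacy (pre-standard) X-Content-Security-Policy
 * header built from the directives below and, over HTTPS only,
 * Strict-Transport-Security. Nothing is sent once output has started.
 * @return void
 */
function http_security_headers()
{
    if (!headers_sent()) {
        header('X-Frame-Options: DENY');
        # Same-origin resources only
        $t_directives = array("allow 'self'");
        # Policy for images: allow the Gravatar host matching the current scheme
        if (config_get_global('show_avatar')) {
            if (http_is_protocol_https()) {
                $t_directives[] = "img-src 'self' https://secure.gravatar.com:443";
            } else {
                $t_directives[] = "img-src 'self' http://www.gravatar.com:80";
            }
        }
        $t_directives[] = "frame-ancestors 'none'";
        # Join with a single separator; the previous string concatenation
        # emitted an empty directive ("allow 'self';;") before img-src.
        header('X-Content-Security-Policy: ' . implode('; ', $t_directives));
        # HSTS only makes sense on a secure connection
        if (http_is_protocol_https()) {
            header('Strict-Transport-Security: max-age=7776000');
        }
    }
}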
/**
 * Set security headers (frame busting, clickjacking/XSS/CSRF protection).
 *
 * Sends X-Frame-Options and the legacy (pre-standard) X-Content-Security-Policy
 * header assembled from the directives below. Nothing is sent once output has
 * already started.
 * @return void
 */
function http_security_headers()
{
    if (headers_sent()) {
        return;
    }
    header('X-Frame-Options: DENY');
    # "options inline-script eval-script" re-allows inline and eval'd script,
    # so this policy does not block injected script the way a strict CSP would;
    # it still restricts resource origins and framing.
    $t_directives = array(
        "allow 'self'",
        'options inline-script eval-script',
    );
    # Policy for images: allow the Gravatar host matching the current scheme
    if (config_get_global('show_avatar')) {
        $t_directives[] = http_is_protocol_https()
            ? "img-src 'self' https://secure.gravatar.com:443"
            : "img-src 'self' http://www.gravatar.com:80";
    }
    $t_directives[] = "frame-ancestors 'none'";
    header('X-Content-Security-Policy: ' . implode('; ', $t_directives));
}
 /**
  * Gets the gravatar base URL
  *
  * Picks the HTTPS endpoint when the current request is itself over HTTPS
  * (presumably to keep avatar images from loading as mixed content).
  *
  * @return string The gravatar URL.
  */
 private static function getAvatarUrl()
 {
     return http_is_protocol_https() ? self::GRAVATAR_URL_SECURE : self::GRAVATAR_URL;
 }