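/**
 * Configure PHP's session cookie/ini settings from $SETTINGS['advanced'] and start the session.
 *
 * Runs at most once per request (guarded by the SESSION_STARTED constant). Dies with a
 * message when the custom session settings fail getCustomSessionErrors() or when
 * session_start() reports failure.
 *
 * Fix: the old failure check relied on $php_errormsg, which needs track_errors and was
 * removed in PHP 8.0, so a failed session_start() was silently ignored there. The return
 * value of session_start() (false on failure since PHP 5.3) is used instead, and the
 * suppressed warning text is recovered via error_get_last() (PHP 7.0+ for error_clear_last()).
 *
 * @return void
 */
function startSessionIfRequired()
{
    global $SETTINGS;

    // Run only once per request; later calls are a no-op.
    if (defined('SESSION_STARTED')) {
        return;
    }
    define('SESSION_STARTED', true);

    // Optional overrides from the settings file (null when not configured).
    $sessionCookieDomain = $SETTINGS['advanced']['session_cookie_domain'] ?? null;
    $sessionSavePath     = $SETTINGS['advanced']['session_save_path'] ?? null;

    // Refuse to start with a bad cookie domain / save path; the checker returns an
    // error string (falsy when the settings are acceptable).
    $customSessionErrors = getCustomSessionErrors($sessionCookieDomain, $sessionSavePath);
    if ($customSessionErrors) {
        $customSessionErrors .= sprintf(t('To change %1$s settings edit %2$s'), 'session', '/data/' . SETTINGS_FILENAME);
        die($customSessionErrors);
    }

    // Session/cookie configuration. Values are passed as strings: ini_set() takes a
    // string and passing null for cookie_domain is deprecated as of PHP 8.1.
    $sessionName = cookiePrefix() . 'PHPSESSID'; // unique session cookie per CMS installation
    ini_set('session.name', $sessionName);
    ini_set('session.cookie_secure', isHTTPS() ? '1' : '0'); // only send the cookie over HTTPS when the site is served over HTTPS
    ini_set('session.use_cookies', '1');
    ini_set('session.use_only_cookies', '1'); // never accept a session id from the URL
    ini_set('session.cookie_domain', (string) $sessionCookieDomain); // set to share logins between subdomains such as host1.example.com, host2.example.com, example.com
    ini_set('session.cookie_path', '/');
    ini_set('session.cookie_httponly', '1'); // cookie is not readable from document.cookie
    ini_set('session.cookie_lifetime', (string) (60 * 60 * 24 * 365 * 25)); // 25 years, so the cookie still works for users whose system clocks are set back; server-side expiry is gc_maxlifetime below
    ini_set('session.gc_maxlifetime', (string) (60 * 60 * 24)); // sessions idle for more than this many seconds become eligible for garbage collection
    ini_set('session.use_trans_sid', '0');
    // NOTE(review): session.cookie_samesite (PHP 7.3+) and session.use_strict_mode are not set here;
    // both are worth enabling as defence in depth (cross-site request and session-fixation
    // hardening) once it is confirmed that no cross-site flow depends on this cookie.

    if ($sessionSavePath) {
        ini_set('session.save_path', $sessionSavePath); // use this if your host imposes restrictive session removal timeouts
        // After gc_maxlifetime is met, old sessions are cleaned up on roughly (gc_probability / gc_divisor)
        // of requests. Not set by default because it causes errors on some server configs:
        // http://bugs.php.net/bug.php?id=20720
        ini_set('session.gc_probability', '1');
        ini_set('session.gc_divisor', '100');
    }

    // The warning session_start() emits on failure is suppressed and read back from
    // error_get_last(); clearing first avoids reporting an unrelated earlier error.
    error_clear_last();
    $started = @session_start();
    if (!$started) {
        $lastError    = error_get_last();
        $errorMessage = $lastError['message'] ?? 'session_start() returned false';
        die("Couldn't start session! '{$errorMessage}'!");
    }
}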
/**
 * Validate the submitted admin settings form and, when no alert was raised, copy the
 * submitted values into $SETTINGS and save them to the settings file.
 *
 * Every top-level key of $SETTINGS, plus every key of the 'advanced' and 'wysiwyg'
 * sections, is overwritten with the matching $_REQUEST value when one is present; keys
 * not present in the request are left untouched. On validation errors the form is
 * re-shown via showInterface('admin/general.php') and the function exits.
 *
 * NOTE(review): values are read from $_REQUEST, which (depending on request_order) also
 * contains cookie values, even though the POST/referer/CSRF checks below gate the request;
 * reading from $_POST would make the source of each value unambiguous — confirm before changing.
 *
 * @param string $savePagePath interface page to show after a successful save
 * @return void
 */
function admin_saveSettings($savePagePath) {
    global $SETTINGS, $APP; // NOTE(review): $APP is not used in this function body

    // error checking
    clearAlertsAndNotices(); // so previous alerts won't prevent saving of admin options

    // security checks: must be a POST form, from this site, with a valid CSRF token
    security_dieUnlessPostForm();
    security_dieUnlessInternalReferer();
    security_dieOnInvalidCsrfToken();
    // disableInDemoMode('settings', $savePagePath);

    # license error checking
    if (array_key_exists('licenseProductId', $_REQUEST)) {
        if (!isValidProductId($_REQUEST['licenseProductId'])) {
            alert("Invalid Product License ID!");
        }
        else {
            // Only re-register when the product id actually changed (loose != as in the original).
            if ($SETTINGS['licenseProductId'] != $_REQUEST['licenseProductId']) {
                $SETTINGS['licenseCompanyName'] = $_REQUEST['licenseCompanyName']; // update settings
                $SETTINGS['licenseDomainName']  = $_REQUEST['licenseDomainName'];  // ...
                $SETTINGS['licenseProductId']   = $_REQUEST['licenseProductId'];   // ...
                $isValid = register(); // validate productId (and save new settings)
                if (!$isValid) {
                    redirectBrowserToURL('?menu=admin', true);
                    exit;
                }
            }
        }
    }

    # program url / adminUrl
    if (array_key_exists('adminUrl', $_REQUEST)) {
        if (!preg_match('/^http/i', $_REQUEST['adminUrl'])) { alert("Program URL must start with http:// or https://<br/>\n"); }
        if (preg_match('/\\?/i', $_REQUEST['adminUrl']))    { alert("Program URL can not contain a ?<br/>\n"); }
    }

    # webPrefixUrl - v2.53
    // Optional "scheme:/" prefix, then must begin with "/" and must not end with "/".
    if (@$_REQUEST['webPrefixUrl'] != '') {
        if (!preg_match("|^(\\w+:/)?/|", $_REQUEST['webPrefixUrl'])) { alert(t("Website Prefix URL must start with /") . "<br/>\n"); }
        if (preg_match("|/\$|", $_REQUEST['webPrefixUrl']))          { alert(t("Website Prefix URL cannot end with /") . "<br/>\n"); }
    }

    # upload url/dir
    // NOTE(review): in the source as received the '#' marker and the following checks share a
    // line, so they read as commented out (consistent with the trailing-slash strip below for
    // uploadUrl); confirm against the canonical file before re-enabling them.
    if (array_key_exists('uploadDir', $_REQUEST)) {
        # if (!preg_match('/\/$/', $_REQUEST['uploadDir'])) { alert("Upload Directory must end with a slash! (eg: /www/htdocs/uploads/)<br/>\n"); }
    }
    if (array_key_exists('uploadUrl', $_REQUEST)) {
        # if (preg_match('/^\w+:\/\//', $_REQUEST['uploadUrl'])) { alert("Upload Folder Url must be the web path only without a domain (eg: /uploads/)<br/>\n"); }
        # else if (!preg_match('/^\//', $_REQUEST['uploadUrl'])) { alert("Upload Folder Url must start with a slash! (eg: /uploads/)<br/>\n"); }
        # if (!preg_match('/\/$/', $_REQUEST['uploadUrl'])) { alert("Upload Folder Url must end with a slash! (eg: /uploads/)<br/>\n"); }
        $_REQUEST['uploadUrl'] = chop($_REQUEST['uploadUrl'], '\\\\/'); // remove trailing slashes (and backslashes)
    }

    # admin email
    if (array_key_exists('adminEmail', $_REQUEST) && !isValidEmail($_REQUEST['adminEmail'])) {
        alert("Admin Email must be a valid email (example: user@example.com)<br/>\n");
    }

    // error checking - require HTTPS (refuse to enable it over plain HTTP, which would lock the admin out)
    if (@$_REQUEST['requireHTTPS'] && !isHTTPS()) {
        alert("Require HTTPS: You must be logged in with a secure HTTPS url to set this option!<br/>\n");
    }

    // error checking - restrict by IP (the submitting admin's own IP must be in the allowed list)
    if (@$_REQUEST['restrictByIP'] && !isIpAllowed(true, @$_REQUEST['restrictByIP_allowed'])) {
        alert(t("Restrict IP Access: You current IP address must be in the allowed IP list!") . "<br/>\n");
    }

    // error checking - session values (same checker startSessionIfRequired() uses at startup)
    $sessionErrors = getCustomSessionErrors(@$_REQUEST['session_cookie_domain'], @$_REQUEST['session_save_path']);
    if ($sessionErrors) { alert($sessionErrors); }

    # show errors
    if (alert()) {
        showInterface('admin/general.php');
        exit;
    }

    ### update global settings
    // Any top-level setting key present in the request overwrites the stored value.
    $globalSettings =& $SETTINGS;
    foreach (array_keys($globalSettings) as $key) {
        if (array_key_exists($key, $_REQUEST)) { $globalSettings[$key] = $_REQUEST[$key]; }
    }

    # update subsection settings
    $subsections = array('advanced', 'wysiwyg');
    foreach ($subsections as $subsection) {
        $sectionSettings =& $SETTINGS[$subsection];
        foreach (array_keys($sectionSettings) as $key) {
            if (array_key_exists($key, $_REQUEST)) { $sectionSettings[$key] = $_REQUEST[$key]; }
        }
    }

    # save to file
    saveSettings();

    # return to admin home
    notice('Settings have been saved.');
    showInterface($savePagePath);
}