133 lines
5.3 KiB
PHP
133 lines
5.3 KiB
PHP
<?php declare(strict_types=1);
|
|
require 'init.php';
|
|
|
|
$pageAddress = substr($_SERVER['REQUEST_URI'], strlen(CONF['common']['prefix']) + 1);
|
|
if (strpos($pageAddress, '?') !== false) {
|
|
parse_str(substr($pageAddress, strpos($pageAddress, '?') + 1), $_GET);
|
|
$pageAddress = substr($pageAddress, 0, strpos($pageAddress, '?'));
|
|
}
|
|
define('PAGE_URL', $pageAddress);
|
|
define('PAGE_ADDRESS', $pageAddress . ((substr($pageAddress, -1) === '/' OR $pageAddress === '') ? 'index' : ''));
|
|
define('PAGE_LINEAGE', explode('/', PAGE_ADDRESS));
|
|
define('SERVICE', dirname(PAGE_ADDRESS));
|
|
|
|
if (PAGE_ADDRESS === 'config.ini') {
|
|
header('Content-Type: text/plain');
|
|
echo file_get_contents(ROOT_PATH . '/config.ini');
|
|
exit();
|
|
}
|
|
|
|
function pageNotFound(): never {
|
|
http_response_code(404);
|
|
exit(_('Page not found.'));
|
|
}
|
|
function getPageInformations(array $pages, array $pageElements): array { // Recursively retrieves page metadata from pages.php
|
|
if (!isset($pages['index']) OR $pageElements[0] === 'index') {
|
|
if (count($pageElements) !== 1)
|
|
pageNotFound();
|
|
return [
|
|
'titles_lineage' => [$pages[$pageElements[0]]['title'] ?? pageNotFound()],
|
|
'page_metadata' => $pages[$pageElements[0]],
|
|
'terminal' => $pageElements[0] !== 'index'
|
|
];
|
|
}
|
|
$result = $pages['index']['title'];
|
|
if (!isset($pageElements[1]))
|
|
unset($pages['index']);
|
|
else
|
|
$pages = $pages[array_shift($pageElements)] ?? [];
|
|
$results = getPageInformations($pages, $pageElements);
|
|
$results['titles_lineage'][] = $result;
|
|
return $results;
|
|
}
|
|
$pageInformations = getPageInformations(PAGES, PAGE_LINEAGE);
|
|
define('TITLES_LINEAGE', array_reverse($pageInformations['titles_lineage']));
|
|
define('PAGE_METADATA', $pageInformations['page_metadata']);
|
|
define('PAGE_TERMINAL', $pageInformations['terminal']);
|
|
|
|
if (isset($_SERVER['SERVER_NAME']) !== true)
|
|
exit('Missing <code>$_SERVER[\'SERVER_NAME\']</code>');
|
|
if (in_array($_SERVER['SERVER_NAME'], CONF['common']['public_domains'], true) !== true)
|
|
exit('The current <code>$_SERVER[\'SERVER_NAME\']</code> is not allowed in configuration.');
|
|
define('SERVER_NAME', $_SERVER['SERVER_NAME']);
|
|
|
|
const SESSION_COOKIE_NAME = 'servnest-session-key';
|
|
function startSession(): void {
|
|
session_start([
|
|
'name' => SESSION_COOKIE_NAME,
|
|
'sid_length' => 64,
|
|
'sid_bits_per_character' => 6,
|
|
'cookie_secure' => true,
|
|
'cookie_httponly' => true,
|
|
'cookie_samesite' => 'Strict',
|
|
'cookie_path' => CONF['common']['prefix'] . '/',
|
|
'cookie_lifetime' => 432000, // = 60*60*24*5 = 5 days
|
|
'gc_maxlifetime' => 10800,
|
|
'use_strict_mode' => true,
|
|
'use_cookies' => true,
|
|
'use_only_cookies' => true,
|
|
]);
|
|
}
|
|
if (isset($_COOKIE[SESSION_COOKIE_NAME]))
|
|
startSession(); // Resume session
|
|
|
|
if (isset($_SESSION['id'])) {
|
|
if (!isset(query('select', 'users', ['id' => $_SESSION['id']], ['id'])[0]))
|
|
logout();
|
|
|
|
// Decrypt display username
|
|
if (!isset($_COOKIE['display-username-decryption-key']))
|
|
output(403, 'The display username decryption key has not been sent.');
|
|
$decryption_result = sodium_crypto_aead_xchacha20poly1305_ietf_decrypt(
|
|
$_SESSION['display-username-cyphertext'],
|
|
'',
|
|
$_SESSION['display-username-nonce'],
|
|
base64_decode($_COOKIE['display-username-decryption-key'])
|
|
);
|
|
if ($decryption_result === false)
|
|
output(403, 'Unable to decrypt display username.');
|
|
define('DISPLAY_USERNAME', htmlspecialchars($decryption_result));
|
|
|
|
// Enable not already enabled services for this user
|
|
$user_services = array_filter(explode(',', query('select', 'users', ['id' => $_SESSION['id']], ['services'])[0]));
|
|
foreach (SERVICES_USER as $service)
|
|
if (!in_array($service, $user_services, true) AND CONF['common']['services'][$service] === 'enabled') {
|
|
$user_services[] = $service;
|
|
|
|
DB->prepare('UPDATE users SET services = :services WHERE id = :id')
|
|
->execute([':services' => implode(',', $user_services), ':id' => $_SESSION['id']]);
|
|
|
|
if ($service === 'ht')
|
|
htSetupUserFs($_SESSION['id']);
|
|
}
|
|
}
|
|
|
|
function displayFinalMessage(?array $data): void {
|
|
if (isset($data['final_message'])) {
|
|
echo $data['final_message'];
|
|
unset($data['final_message']);
|
|
}
|
|
}
|
|
|
|
if ($_POST !== []) {
|
|
if (!in_array(CONF['common']['services']['auth'], ['enabled', 'no-registration'], true) OR (in_array(SERVICE, SERVICES_USER, true) AND CONF['common']['services'][SERVICE] !== 'enabled'))
|
|
output(503, _('This service is currently under maintenance. No action can be taken on it until an administrator finishes repairing it.'));
|
|
|
|
// Protect against cross-site request forgery if a POST request is received
|
|
if (isset($_SERVER['HTTP_SEC_FETCH_SITE']) !== true)
|
|
output(403, 'The <code>Sec-Fetch-Site</code> HTTP header is required when submitting a POST request to prevent Cross-Site Request Forgery (<abbr>CSRF</abbr>).');
|
|
if (!in_array($_SERVER['HTTP_SEC_FETCH_SITE'], ['none', 'same-origin'], true))
|
|
output(403, 'The <code>Sec-Fetch-Site</code> HTTP header must be <code>same-origin</code> or <code>none</code> when submitting a POST request to prevent Cross-Site Request Forgery (<abbr>CSRF</abbr>).');
|
|
|
|
if (PAGE_METADATA['require-login'] ?? true AND !isset($_SESSION['id']))
|
|
output(403, _('You need to be logged in to do this.'));
|
|
|
|
if (file_exists(ROOT_PATH . '/pg-act/' . PAGE_ADDRESS . '.php'))
|
|
require ROOT_PATH . '/pg-act/' . PAGE_ADDRESS . '.php';
|
|
}
|
|
|
|
function displayPage(?array $data): never {
|
|
require ROOT_PATH . '/view.php';
|
|
exit();
|
|
}
|
|
displayPage($data ??= NULL);
|