0007461_v3.patch

Administrator Admin, 2009-09-30 18:48



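--- a/t3lib/config_default.php
+++ b/t3lib/config_default.php
@@ -62,6 +62,8 @@
 		'compat_version' => '3.8',				// Compatibility version. TYPO3 behavior will try to be compatible with the output from the TYPO3 version set here. It is recommended to change this setting with the Upgrade Wizard.
 		'encryptionKey' => '',					// This is a "salt" used for various kinds of encryption, CRC checksums and validations. You can enter any rubbish string here but try to keep it secret. You should notice that a change to this value might invalidate temporary information, URLs etc. At least, clear all cache if you change this so any such information can be rebuild with the new key.
 		'cookieDomain' => '',					// When setting the value to ".example.com" (replace example.com with your domain!), login sessions will be shared across subdomains. Alternatively, if you have more than one domain with sub-domains, you can set the value to a regular expression to match against the domain of the HTTP request. The result of the match is used as the domain for the cookie. eg. /\.(example1|example2)\.com$/ or /\.(example1\.com)|(example2\.net)$/
+		'cookieSecure' => 0,					// Integer (0, 1, 2): Indicates that the cookie should only be transmitted over a secure HTTPS connection from the client. If set to 1 (force HTTPS), the cookie will only be set if a secure (HTTPS) connection exists - use this in combination with lockSSL since otherwise the application will fail and throw an exception! If set to 2, the cookie will be set in each case, but uses the secure flag if a secure (HTTPS) connection exists.
+		'cookieHttpOnly' => 0,					// Boolean: When enabled the cookie will be made accessible only through the HTTP protocol. This means that the cookie won't be accessible by scripting languages, such as JavaScript. This setting can effectively help to reduce identity theft through XSS attacks (although it is not supported by all browsers).
 		'doNotCheckReferer' => 0,				// Boolean. If set, it's NOT checked numerous places that the refering host is the same as the current. This is an option you should set if you have problems with proxies not passing the HTTP_REFERER variable.
 		'recursiveDomainSearch' => 0,			// Boolean. If set, the search for domain records will be done recursively by stripping parts of the host name off until a matching domain record is found.
 		'devIPmask' => '127.0.0.1,::1',			// Defines a list of IP addresses which will allow development-output to display. The debug() function will use this as a filter. See the function t3lib_div::cmpIP() for details on syntax. Setting this to blank value will deny all. Setting to "*" will allow all.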
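Review bot: The new `'cookieHttpOnly' => 0` default leaves the XSS mitigation its own comment describes switched off for every installation that never edits the setting; a browser that does not implement the flag ignores the attribute rather than rejecting the cookie, so `'cookieHttpOnly' => 1,` looks like the safer default. If the default has to stay 0 for compatibility, the comment should at least say that enabling it is recommended. The `cookieSecure` comment could likewise state that value 1 makes session cookies depend on `TYPO3_SSL` being detected for the request, so an administrator can relate a failing login behind a TLS-terminating proxy to this option.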
t3lib/class.t3lib_userauth.php (Arbeitskopie)
274 274
		if ($this->writeDevLog && !is_array($this->user)) t3lib_div::devLog('No user session found.', 't3lib_userAuth', 2);
275 275

  
276 276
			// Setting cookies
277
		if ($TYPO3_CONF_VARS['SYS']['cookieDomain'])	{
278
			if ($TYPO3_CONF_VARS['SYS']['cookieDomain']{0} == '/')	{
279
				$matchCnt = @preg_match($TYPO3_CONF_VARS['SYS']['cookieDomain'], t3lib_div::getIndpEnv('TYPO3_HOST_ONLY'), $match);
280
				if ($matchCnt === FALSE)	{
281
					t3lib_div::sysLog('The regular expression of $TYPO3_CONF_VARS[SYS][cookieDomain] contains errors. The session is not shared across sub-domains.', 'Core', 3);
282
				} elseif ($matchCnt)	{
283
					$cookieDomain = $match[0];
284
				}
285
			} else {
286
				$cookieDomain = $TYPO3_CONF_VARS['SYS']['cookieDomain'];
287
			}
277
		if (!$this->dontSetCookie)	{
278
			$this->setSessionCookie();
288 279
		}
289 280

  
290
			// If new session and the cookie is a sessioncookie, we need to set it only once!
291
		if ($this->isSetSessionCookie())	{
292
			if (!$this->dontSetCookie)	{
293
				if ($cookieDomain)	{
294
					SetCookie($this->name, $id, 0, '/', $cookieDomain);
295
				} else {
296
					SetCookie($this->name, $id, 0, t3lib_div::getIndpEnv('TYPO3_SITE_PATH'));
297
				}
298
				if ($this->writeDevLog) 	t3lib_div::devLog('Set new Cookie: '.$id.($cookieDomain ? ', '.$cookieDomain : ''), 't3lib_userAuth');
299
			}
300
		}
301

  
302
			// If it is NOT a session-cookie, we need to refresh it.
303
		if ($this->isRefreshTimeBasedCookie())	{
304
			if (!$this->dontSetCookie)	{
305
				if ($cookieDomain)	{
306
					SetCookie($this->name, $id, $GLOBALS['EXEC_TIME'] + $this->lifetime, '/', $cookieDomain);
307
				} else {
308
					SetCookie($this->name, $id, $GLOBALS['EXEC_TIME'] + $this->lifetime, t3lib_div::getIndpEnv('TYPO3_SITE_PATH'));
309
				}
310
				if ($this->writeDevLog) 	t3lib_div::devLog('Update Cookie: '.$id.($cookieDomain ? ', '.$cookieDomain : ''), 't3lib_userAuth');
311
			}
312
		}
313

  
314 281
			// Hook for alternative ways of filling the $this->user array (is used by the "timtaw" extension)
315 282
		if (is_array($TYPO3_CONF_VARS['SC_OPTIONS']['t3lib/class.t3lib_userauth.php']['postUserLookUp']))	{
316 283
			foreach ($TYPO3_CONF_VARS['SC_OPTIONS']['t3lib/class.t3lib_userauth.php']['postUserLookUp'] as $funcName)	{
......
345 312
	}
346 313

  
347 314
	/**
315
	 * Sets the session cookie for the current disposal.
316
	 *
317
	 * @return	void
318
	 */
319
	protected function setSessionCookie() {
320
		$isSetSessionCookie = $this->isSetSessionCookie();
321
		$isRefreshTimeBasedCookie = $this->isRefreshTimeBasedCookie();
322

  
323
		if ($isSetSessionCookie || $isRefreshTimeBasedCookie) {
324
			$settings = $GLOBALS['TYPO3_CONF_VARS']['SYS'];
325

  
326
			// Get the domain to be used for the cookie (if any):
327
			$cookieDomain = $this->getCookieDomain();
328
			// If no cookie domain is set, use the base path:
329
			$cookiePath = ($cookieDomain ? '/' : t3lib_div::getIndpEnv('TYPO3_SITE_PATH'));
330
			// If the cookie lifetime is set, use it:
331
			$cookieExpire = ($isRefreshTimeBasedCookie ? $GLOBALS['EXEC_TIME'] + $this->lifetime : 0);
332
			// Use the secure option when the current request is served by a secure connection:
333
			$cookieSecure = (bool)$settings['cookieSecure'] && t3lib_div::getIndpEnv('TYPO3_SSL');
334
			// Deliver cookies only via HTTP and prevent possible XSS by JavaScript:
335
			$cookieHttpOnly = (bool)$settings['cookieHttpOnly'];
336

  
337
			// Do not set cookie if cookieSecure is set to "1" (force HTTPS) and no secure channel is used: 
338
			if ((int)$settings['cookieSecure'] !== 1 || t3lib_div::getIndpEnv('TYPO3_SSL')) {
339
				setcookie(
340
					$this->name,
341
					$this->id,
342
					$cookieExpire,
343
					$cookiePath,
344
					$cookieDomain,
345
					$cookieSecure,
346
					$cookieHttpOnly
347
				);
348
			} else {
349
				throw new t3lib_exception(
350
					'Cookie was not set since HTTPS was forced in $TYPO3_CONF_VARS[SYS][cookieSecure].',
351
					1254325546
352
				);
353
			}
354

  
355
			if ($this->writeDevLog) {
356
				$devLogMessage = ($isRefreshTimeBasedCookie ? 'Updated Cookie: ' : 'Set Cookie: ') . $this->id;
357
				t3lib_div::devLog($devLogMessage . ($cookieDomain ? ', '.$cookieDomain : ''), 't3lib_userAuth');
358
			}
359
		}
360
	}
361

  
362
	/**
363
	 * Gets the domain to be used on setting cookies.
364
	 * The information is taken from the value in $TYPO3_CONF_VARS[SYS][cookieDomain].
365
	 * 
366
	 * @return	string		The domain to be used on setting cookies
367
	 */
368
	protected function getCookieDomain() {
369
		$result = '';
370
		$cookieDomain = $GLOBALS['TYPO3_CONF_VARS']['SYS']['cookieDomain'];
371

  
372
		if ($cookieDomain) {
373
			if ($cookieDomain{0} == '/') {
374
				$matchCnt = @preg_match($cookieDomain, t3lib_div::getIndpEnv('TYPO3_HOST_ONLY'), $match);
375
				if ($matchCnt === FALSE) {
376
					t3lib_div::sysLog('The regular expression of $TYPO3_CONF_VARS[SYS][cookieDomain] contains errors. The session is not shared across sub-domains.', 'Core', 3);
377
				} elseif ($matchCnt) {
378
					$result = $match[0];
379
				}
380
			} else {
381
				$result = $TYPO3_CONF_VARS['SYS']['cookieDomain'];
382
			}
383
		}
384

  
385
		return $result;
386
	}
387

  
388
	/**
348 389
	 * Determine whether a session cookie needs to be set (lifetime=0)
349 390
	 *
350 391
	 * @return	boolean