Code Coverage for /data/phpBB/phpbb/session.php

	Code Coverage
	Lines			Functions and Methods				Classes and Traits
Total	70.22% covered (warning)	70.22%	474 / 675	30.43% covered (danger)	30.43%	7 / 23	CRAP	0.00% covered (danger)	0.00%	0 / 1
session	70.22% covered (warning)	70.22%	474 / 675	30.43% covered (danger)	30.43%	7 / 23	2365.92	0.00% covered (danger)	0.00%	0 / 1
extract_current_page	100.00% covered (success)	100.00%	57 / 57	100.00% covered (success)	100.00%	1 / 1	20
extract_current_hostname	94.12% covered (success)	94.12%	16 / 17	0.00% covered (danger)	0.00%	0 / 1	12.03
setup	0.00% covered (danger)	0.00%	0 / 1	0.00% covered (danger)	0.00%	0 / 1	2
session_begin	71.70% covered (warning)	71.70%	76 / 106	0.00% covered (danger)	0.00%	0 / 1	103.43
session_create	81.50% covered (warning)	81.50%	141 / 173	0.00% covered (danger)	0.00%	0 / 1	122.52
session_kill	55.81% covered (warning)	55.81%	24 / 43	0.00% covered (danger)	0.00%	0 / 1	7.16
session_gc	54.90% covered (warning)	54.90%	28 / 51	0.00% covered (danger)	0.00%	0 / 1	16.43
set_cookie	88.89% covered (warning)	88.89%	16 / 18	0.00% covered (danger)	0.00%	0 / 1	9.11
check_ban	69.44% covered (warning)	69.44%	25 / 36	0.00% covered (danger)	0.00%	0 / 1	23.30
check_ban_for_current_session	83.33% covered (warning)	83.33%	5 / 6	0.00% covered (danger)	0.00%	0 / 1	4.07
check_dnsbl_spamhaus	0.00% covered (danger)	0.00%	0 / 24	0.00% covered (danger)	0.00%	0 / 1	90
check_dnsbl_ipv4_generic	0.00% covered (danger)	0.00%	0 / 9	0.00% covered (danger)	0.00%	0 / 1	20
check_dnsbl	0.00% covered (danger)	0.00%	0 / 19	0.00% covered (danger)	0.00%	0 / 1	72
set_login_key	87.50% covered (warning)	87.50%	28 / 32	0.00% covered (danger)	0.00%	0 / 1	7.10
reset_login_keys	100.00% covered (success)	100.00%	24 / 24	100.00% covered (success)	100.00%	1 / 1	6
validate_referer	93.33% covered (success)	93.33%	14 / 15	0.00% covered (danger)	0.00%	0 / 1	12.04
unset_admin	100.00% covered (success)	100.00%	4 / 4	100.00% covered (success)	100.00%	1 / 1	1
update_session	0.00% covered (danger)	0.00%	0 / 7	0.00% covered (danger)	0.00%	0 / 1	6
update_session_infos	0.00% covered (danger)	0.00%	0 / 17	0.00% covered (danger)	0.00%	0 / 1	272
id	100.00% covered (success)	100.00%	1 / 1	100.00% covered (success)	100.00%	1 / 1	2
update_user_lastvisit	100.00% covered (success)	100.00%	7 / 7	100.00% covered (success)	100.00%	1 / 1	3
update_last_active_time	100.00% covered (success)	100.00%	6 / 6	100.00% covered (success)	100.00%	1 / 1	3
is_push_notification_request	100.00% covered (success)	100.00%	2 / 2	100.00% covered (success)	100.00%	1 / 1	2

1	<?php
2	/**
3	*
4	* This file is part of the phpBB Forum Software package.
5	*
6	* @copyright (c) phpBB Limited <https://www.phpbb.com>
7	* @license GNU General Public License, version 2 (GPL-2.0)
8	*
9	* For full copyright and license information, please see
10	* the docs/CREDITS.txt file.
11	*
12	*/
13
14	namespace phpbb;
15
16	use phpbb\filesystem\helper as filesystem_helper;
17
18	/**
19	* Session class
20	*/
21	class session
22	{
23	public $cookie_data = array();
24	public $page = array();
25	public $data = array();
26	public $browser = '';
27	public $referer = '';
28	public $forwarded_for = '';
29	public $host = '';
30	public $session_id = '';
31	public $ip = '';
32	public $load = 0;
33	public $time_now = 0;
34	public $update_session_page = true;
35
36	/**
37	* Extract current session page
38	*
39	* @param string $root_path current root path (phpbb_root_path)
40	* @return array
41	*/
42	static function extract_current_page($root_path)
43	{
44	global $request, $symfony_request;
45
46	$page_array = array();
47
48	// First of all, get the request uri...
49	$script_name = $request->escape($symfony_request->getScriptName(), true);
50	$args = $request->escape(explode('&', $symfony_request->getQueryString() ?? ''), true);
51
52	// If we are unable to get the script name we use REQUEST_URI as a failover and note it within the page array for easier support...
53	if (!$script_name)
54	{
55	$script_name = html_entity_decode($request->server('REQUEST_URI'), ENT_COMPAT);
56	$script_name = (($pos = strpos($script_name, '?')) !== false) ? substr($script_name, 0, $pos) : $script_name;
57	$page_array['failover'] = 1;
58	}
59
60	// Replace backslashes and doubled slashes (could happen on some proxy setups)
61	$script_name = str_replace(array('\\', '//'), '/', $script_name);
62
63	// Now, remove the sid and let us get a clean query string...
64	$use_args = [];
65
66	// Since some browser do not encode correctly we need to do this with some "special" characters...
67	// " -> %22, ' => %27, < -> %3C, > -> %3E
68	$find = ['"', "'", '<', '>', '"', '<', '>'];
69	$replace = ['%22', '%27', '%3C', '%3E', '%22', '%3C', '%3E'];
70
71	foreach ($args as $argument)
72	{
73	if (strpos($argument, 'sid=') === 0)
74	{
75	continue;
76	}
77
78	$use_args[] = (string) str_replace($find, $replace, $argument);
79	}
80	unset($args);
81
82	// The following examples given are for an request uri of {path to the phpbb directory}/adm/index.php?i=10&b=2
83
84	// The current query string
85	$query_string = trim(implode('&', $use_args));
86
87	// basenamed page name (for example: index.php)
88	$page_name = (substr($script_name, -1, 1) == '/') ? '' : basename($script_name);
89	$page_name = urlencode(htmlspecialchars($page_name, ENT_COMPAT));
90
91	$symfony_request_path = filesystem_helper::clean_path($symfony_request->getPathInfo());
92	if ($symfony_request_path !== '/')
93	{
94	$page_name .= str_replace('%2F', '/', urlencode($symfony_request_path));
95	}
96
97	if (substr($root_path, 0, 2) === './' && strpos($root_path, '..') === false)
98	{
99	$root_dirs = explode('/', str_replace('\\', '/', rtrim($root_path, '/')));
100	$page_dirs = explode('/', str_replace('\\', '/', '.'));
101	}
102	else
103	{
104	// current directory within the phpBB root (for example: adm)
105	$root_dirs = explode('/', str_replace('\\', '/', filesystem_helper::realpath($root_path)));
106	$page_dirs = explode('/', str_replace('\\', '/', filesystem_helper::realpath('./')));
107	}
108
109	$intersection = array_intersect_assoc($root_dirs, $page_dirs);
110
111	$root_dirs = array_diff_assoc($root_dirs, $intersection);
112	$page_dirs = array_diff_assoc($page_dirs, $intersection);
113
114	$page_dir = str_repeat('../', count($root_dirs)) . implode('/', $page_dirs);
115
116	if ($page_dir && substr($page_dir, -1, 1) == '/')
117	{
118	$page_dir = substr($page_dir, 0, -1);
119	}
120
121	// Current page from phpBB root (for example: adm/index.php?i=10&b=2)
122	$page = (($page_dir) ? $page_dir . '/' : '') . $page_name;
123	if ($query_string)
124	{
125	$page .= '?' . $query_string;
126	}
127
128	// The script path from the webroot to the current directory (for example: /phpBB/adm/) : always prefixed with / and ends in /
129	$script_path = $symfony_request->getBasePath();
130
131	// The script path from the webroot to the phpBB root (for example: /phpBB/)
132	$script_dirs = explode('/', $script_path);
133	array_splice($script_dirs, -count($page_dirs));
134	$root_script_path = implode('/', $script_dirs) . (count($root_dirs) ? '/' . implode('/', $root_dirs) : '');
135
136	// We are on the base level (phpBB root == webroot), lets adjust the variables a bit...
137	if (!$root_script_path)
138	{
139	$root_script_path = ($page_dir) ? str_replace($page_dir, '', $script_path) : $script_path;
140	}
141
142	$script_path .= (substr($script_path, -1, 1) == '/') ? '' : '/';
143	$root_script_path .= (substr($root_script_path, -1, 1) == '/') ? '' : '/';
144
145	$forum_id = $request->variable('f', 0);
146	// maximum forum id value is maximum value of mediumint unsigned column
147	$forum_id = ($forum_id > 0 && $forum_id < 16777215) ? $forum_id : 0;
148
149	$page_array += array(
150	'page_name' => $page_name,
151	'page_dir' => $page_dir,
152
153	'query_string' => $query_string,
154	'script_path' => str_replace(' ', '%20', htmlspecialchars($script_path, ENT_COMPAT)),
155	'root_script_path' => str_replace(' ', '%20', htmlspecialchars($root_script_path, ENT_COMPAT)),
156
157	'page' => $page,
158	'forum' => $forum_id,
159	);
160
161	return $page_array;
162	}
163
164	/**
165	* Get valid hostname/port. HTTP_HOST is used, SERVER_NAME if HTTP_HOST not present.
166	*/
167	function extract_current_hostname()
168	{
169	global $config, $request;
170
171	// Get hostname
172	$host = html_entity_decode($request->header('Host', $request->server('SERVER_NAME')), ENT_COMPAT);
173
174	// Should be a string and lowered
175	$host = (string) strtolower($host);
176
177	// If host is equal the cookie domain or the server name (if config is set), then we assume it is valid
178	if ((isset($config['cookie_domain']) && $host === $config['cookie_domain']) \|\| (isset($config['server_name']) && $host === $config['server_name']))
179	{
180	return $host;
181	}
182
183	// Is the host actually a IP? If so, we use the IP... (IPv4)
184	if (long2ip(ip2long($host)) === $host)
185	{
186	return $host;
187	}
188
189	// Now return the hostname (this also removes any port definition). The http:// is prepended to construct a valid URL, hosts never have a scheme assigned
190	$host = @parse_url('http://' . $host);
191	$host = (!empty($host['host'])) ? $host['host'] : '';
192
193	// Remove any portions not removed by parse_url (#)
194	$host = str_replace('#', '', $host);
195
196	// If, by any means, the host is now empty, we will use a "best approach" way to guess one
197	if (empty($host))
198	{
199	if (!empty($config['server_name']))
200	{
201	$host = $config['server_name'];
202	}
203	else if (!empty($config['cookie_domain']))
204	{
205	$host = (strpos($config['cookie_domain'], '.') === 0) ? substr($config['cookie_domain'], 1) : $config['cookie_domain'];
206	}
207	else
208	{
209	// Set to OS hostname or localhost
210	$host = (function_exists('php_uname')) ? php_uname('n') : 'localhost';
211	}
212	}
213
214	// It may be still no valid host, but for sure only a hostname (we may further expand on the cookie domain... if set)
215	return $host;
216	}
217
218	/**
219	* Setup basic user-specific items (style, language, ...)
220	*
221	* @param array\|string\|false $lang_set Lang set(s) to include, false if none shall be included
222	* @param int\|false $style_id Style ID to load, false to load default style
223	*
224	* @throws \RuntimeException When called on session and not user instance
225	*
226	* @return void
227	*/
228	public function setup($lang_set = false, $style_id = false)
229	{
230	throw new \RuntimeException('Calling setup on session class is not supported.');
231	}
232
233	/**
234	* Start session management
235	*
236	* This is where all session activity begins. We gather various pieces of
237	* information from the client and server. We test to see if a session already
238	* exists. If it does, fine and dandy. If it doesn't we'll go on to create a
239	* new one ... pretty logical heh? We also examine the system load (if we're
240	* running on a system which makes such information readily available) and
241	* halt if it's above an admin definable limit.
242	*
243	* @param bool $update_session_page if true the session page gets updated.
244	* This can be set to circumvent certain scripts to update the users last visited page.
245	*/
246	function session_begin($update_session_page = true)
247	{
248	global $phpEx, $SID, $_SID, $_EXTRA_URL, $db, $config, $phpbb_root_path;
249	global $request, $phpbb_container, $user, $phpbb_log, $phpbb_dispatcher;
250
251	// Give us some basic information
252	$this->time_now = time();
253	$this->cookie_data = array('u' => 0, 'k' => '');
254	$this->update_session_page = $update_session_page;
255	$this->browser = $request->header('User-Agent');
256	$this->referer = $request->header('Referer');
257	$this->forwarded_for = $request->header('X-Forwarded-For');
258
259	$this->host = $this->extract_current_hostname();
260	$this->page = $this->extract_current_page($phpbb_root_path);
261
262	// if the forwarded for header shall be checked we have to validate its contents
263	if ($config['forwarded_for_check'])
264	{
265	$this->forwarded_for = preg_replace('# {2,}#', ' ', str_replace(',', ' ', $this->forwarded_for));
266
267	// split the list of IPs
268	$ips = explode(' ', $this->forwarded_for);
269	foreach ($ips as $ip)
270	{
271	if (!filter_var($ip, FILTER_VALIDATE_IP))
272	{
273	// contains invalid data, don't use the forwarded for header
274	$this->forwarded_for = '';
275	break;
276	}
277	}
278	}
279	else
280	{
281	$this->forwarded_for = '';
282	}
283
284	if ($request->is_set($config['cookie_name'] . '_sid', \phpbb\request\request_interface::COOKIE) \|\| $request->is_set($config['cookie_name'] . '_u', \phpbb\request\request_interface::COOKIE))
285	{
286	$this->cookie_data['u'] = $request->variable($config['cookie_name'] . '_u', 0, false, \phpbb\request\request_interface::COOKIE);
287	$this->cookie_data['k'] = $request->variable($config['cookie_name'] . '_k', '', false, \phpbb\request\request_interface::COOKIE);
288	$this->session_id = $request->variable($config['cookie_name'] . '_sid', '', false, \phpbb\request\request_interface::COOKIE);
289
290	$SID = '?sid=';
291	$_SID = '';
292
293	if (empty($this->session_id) && $phpbb_container->getParameter('session.force_sid'))
294	{
295	$this->session_id = $_SID = $request->variable('sid', '');
296	$SID = '?sid=' . $this->session_id;
297	$this->cookie_data = array('u' => 0, 'k' => '');
298	}
299	}
300	else
301	{
302	$this->session_id = $_SID = $phpbb_container->getParameter('session.force_sid') ? $request->variable('sid', '') : '';
303	$SID = '?sid=' . $this->session_id;
304	}
305
306	$_EXTRA_URL = array();
307
308	// Why no forwarded_for et al? Well, too easily spoofed. With the results of my recent requests
309	// it's pretty clear that in the majority of cases you'll at least be left with a proxy/cache ip.
310	$ip = html_entity_decode($request->server('REMOTE_ADDR'), ENT_COMPAT);
311	$ip = preg_replace('# {2,}#', ' ', str_replace(',', ' ', $ip));
312
313	/**
314	* Event to alter user IP address
315	*
316	* @event core.session_ip_after
317	* @var string ip REMOTE_ADDR
318	* @since 3.1.10-RC1
319	*/
320	$vars = array('ip');
321	extract($phpbb_dispatcher->trigger_event('core.session_ip_after', compact($vars)));
322
323	// split the list of IPs
324	$ips = explode(' ', trim($ip));
325
326	// Default IP if REMOTE_ADDR is invalid
327	$this->ip = '127.0.0.1';
328
329	foreach ($ips as $ip)
330	{
331	// Normalise IP address
332	$ip = phpbb_ip_normalise($ip);
333
334	if ($ip === false)
335	{
336	// IP address is invalid.
337	break;
338	}
339
340	// IP address is valid.
341	$this->ip = $ip;
342	}
343
344	$this->load = false;
345
346	// Load limit check (if applicable)
347	if ($config['limit_load'] \|\| $config['limit_search_load'])
348	{
349	if ((function_exists('sys_getloadavg') && $load = sys_getloadavg()) \|\| ($load = explode(' ', @file_get_contents('/proc/loadavg'))))
350	{
351	$this->load = array_slice($load, 0, 1);
352	$this->load = floatval($this->load[0]);
353	}
354	else
355	{
356	$config->set('limit_load', '0');
357	$config->set('limit_search_load', '0');
358	}
359	}
360
361	// if session id is set
362	if (!empty($this->session_id))
363	{
364	$sql = 'SELECT u., s.
365	FROM ' . SESSIONS_TABLE . ' s, ' . USERS_TABLE . " u
366	WHERE s.session_id = '" . $db->sql_escape($this->session_id) . "'
367	AND u.user_id = s.session_user_id";
368	$result = $db->sql_query($sql);
369	$this->data = $db->sql_fetchrow($result);
370	$db->sql_freeresult($result);
371
372	// Did the session exist in the DB?
373	if (isset($this->data['user_id']))
374	{
375	// Validate IP length according to admin ... enforces an IP
376	// check on bots if admin requires this
377	// $quadcheck = ($config['ip_check_bot'] && $this->data['user_type'] & USER_BOT) ? 4 : $config['ip_check'];
378
379	if (strpos($this->ip, ':') !== false && strpos($this->data['session_ip'], ':') !== false)
380	{
381	$s_ip = short_ipv6($this->data['session_ip'], $config['ip_check']);
382	$u_ip = short_ipv6($this->ip, $config['ip_check']);
383	}
384	else
385	{
386	$s_ip = implode('.', array_slice(explode('.', $this->data['session_ip']), 0, $config['ip_check']));
387	$u_ip = implode('.', array_slice(explode('.', $this->ip), 0, $config['ip_check']));
388	}
389
390	$s_browser = ($config['browser_check']) ? trim(strtolower(substr($this->data['session_browser'], 0, 149))) : '';
391	$u_browser = ($config['browser_check']) ? trim(strtolower(substr($this->browser, 0, 149))) : '';
392
393	$s_forwarded_for = ($config['forwarded_for_check']) ? substr($this->data['session_forwarded_for'], 0, 254) : '';
394	$u_forwarded_for = ($config['forwarded_for_check']) ? substr($this->forwarded_for, 0, 254) : '';
395
396	// referer checks
397	// The @ before $config['referer_validation'] suppresses notices present while running the updater
398	$check_referer_path = (@$config['referer_validation'] == REFERER_VALIDATE_PATH);
399	$referer_valid = true;
400
401	// we assume HEAD and TRACE to be foul play and thus only whitelist GET
402	if (@$config['referer_validation'] && strtolower($request->server('REQUEST_METHOD')) !== 'get')
403	{
404	$referer_valid = $this->validate_referer($check_referer_path);
405	}
406
407	if ($u_ip === $s_ip && $s_browser === $u_browser && $s_forwarded_for === $u_forwarded_for && $referer_valid)
408	{
409	$session_expired = false;
410
411	// Check whether the session is still valid if we have one
412	/* @var $provider_collection \phpbb\auth\provider_collection */
413	$provider_collection = $phpbb_container->get('auth.provider_collection');
414	$provider = $provider_collection->get_provider();
415
416	if (!($provider instanceof \phpbb\auth\provider\provider_interface))
417	{
418	throw new \RuntimeException($provider . ' must implement \phpbb\auth\provider\provider_interface');
419	}
420
421	$ret = $provider->validate_session($this->data);
422	if ($ret !== null && !$ret)
423	{
424	$session_expired = true;
425	}
426
427	if (!$session_expired)
428	{
429	// Check the session length timeframe if autologin is not enabled.
430	// Else check the autologin length... and also removing those having autologin enabled but no longer allowed board-wide.
431	if (!$this->data['session_autologin'])
432	{
433	if ($this->data['session_time'] < $this->time_now - ((int) $config['session_length'] + 60))
434	{
435	$session_expired = true;
436	}
437	}
438	else if (!$config['allow_autologin'] \|\| ($config['max_autologin_time'] && $this->data['session_time'] < $this->time_now - (86400 * (int) $config['max_autologin_time']) + 60))
439	{
440	$session_expired = true;
441	}
442	}
443
444	if (!$session_expired)
445	{
446	$this->data['is_registered'] = ($this->data['user_id'] != ANONYMOUS && ($this->data['user_type'] == USER_NORMAL \|\| $this->data['user_type'] == USER_FOUNDER)) ? true : false;
447	$this->data['is_bot'] = (!$this->data['is_registered'] && $this->data['user_id'] != ANONYMOUS) ? true : false;
448	$this->data['user_lang'] = basename($this->data['user_lang']);
449
450	// Is user banned? Are they excluded? Won't return on ban, exists within method
451	$this->check_ban_for_current_session($config);
452
453	// Update user last active time accordingly, but in a minute or so
454	if ($this->time_now - (int) $this->data['user_last_active'] > 60)
455	{
456	$this->update_last_active_time();
457	}
458
459	return true;
460	}
461	}
462	else
463	{
464	// Added logging temporarily to help debug bugs...
465	if ($phpbb_container->getParameter('session.log_errors') && $this->data['user_id'] != ANONYMOUS)
466	{
467	if ($referer_valid)
468	{
469	$phpbb_log->add('critical', $user->data['user_id'], $user->ip, 'LOG_IP_BROWSER_FORWARDED_CHECK', false, array(
470	$u_ip,
471	$s_ip,
472	$u_browser,
473	$s_browser,
474	htmlspecialchars($u_forwarded_for, ENT_COMPAT),
475	htmlspecialchars($s_forwarded_for, ENT_COMPAT)
476	));
477	}
478	else
479	{
480	$phpbb_log->add('critical', $user->data['user_id'], $user->ip, 'LOG_REFERER_INVALID', false, array($this->referer));
481	}
482	}
483	}
484	}
485	}
486
487	// If we reach here then no (valid) session exists. So we'll create a new one
488	return $this->session_create();
489	}
490
491	/**
492	* Create a new session
493	*
494	* If upon trying to start a session we discover there is nothing existing we
495	* jump here. Additionally this method is called directly during login to regenerate
496	* the session for the specific user. In this method we carry out a number of tasks;
497	* garbage collection, (search)bot checking, banned user comparison. Basically
498	* though this method will result in a new session for a specific user.
499	*/
500	function session_create($user_id = false, $set_admin = false, $persist_login = false, $viewonline = true)
501	{
502	global $SID, $_SID, $db, $config, $cache, $phpbb_container, $phpbb_dispatcher;
503
504	$this->data = array();
505
506	/* Garbage collection ... remove old sessions updating user information
507	// if necessary. It means (potentially) 11 queries but only infrequently
508	if ($this->time_now > $config['session_last_gc'] + $config['session_gc'])
509	{
510	$this->session_gc();
511	}*/
512
513	// Do we allow autologin on this board? No? Then override anything
514	// that may be requested here
515	if (!$config['allow_autologin'])
516	{
517	$this->cookie_data['k'] = $persist_login = false;
518	}
519
520	/**
521	* Here we do a bot check, oh er saucy! No, not that kind of bot
522	* check. We loop through the list of bots defined by the admin and
523	* see if we have any useragent and/or IP matches. If we do, this is a
524	* bot, act accordingly
525	*/
526	$bot = false;
527	$active_bots = $cache->obtain_bots();
528
529	foreach ($active_bots as $row)
530	{
531	if ($row['bot_agent'] && preg_match('#' . str_replace('\', '.?', preg_quote($row['bot_agent'], '#')) . '#i', $this->browser))
532	{
533	$bot = (int) $row['user_id'];
534	}
535
536	// If ip is supplied, we will make sure the ip is matching too...
537	if ($row['bot_ip'] && ($bot \|\| !$row['bot_agent']))
538	{
539	// Set bot to false, then we only have to set it to true if it is matching
540	$bot = false;
541
542	foreach (explode(',', $row['bot_ip']) as $bot_ip)
543	{
544	$bot_ip = trim($bot_ip);
545
546	if (!$bot_ip)
547	{
548	continue;
549	}
550
551	if (strpos($this->ip, $bot_ip) === 0)
552	{
553	$bot = (int) $row['user_id'];
554	break;
555	}
556	}
557	}
558
559	if ($bot)
560	{
561	break;
562	}
563	}
564
565	/* @var $provider_collection \phpbb\auth\provider_collection */
566	$provider_collection = $phpbb_container->get('auth.provider_collection');
567	$provider = $provider_collection->get_provider();
568	$this->data = $provider->autologin();
569
570	if ($user_id !== false && isset($this->data['user_id']) && $this->data['user_id'] != $user_id)
571	{
572	$this->data = array();
573	}
574
575	if (isset($this->data['user_id']))
576	{
577	$this->cookie_data['k'] = '';
578	$this->cookie_data['u'] = $this->data['user_id'];
579	}
580
581	// If we're presented with an autologin key we'll join against it.
582	// Else if we've been passed a user_id we'll grab data based on that
583	if (isset($this->cookie_data['k']) && $this->cookie_data['k'] && $this->cookie_data['u'] && empty($this->data))
584	{
585	$sql = 'SELECT u.*
586	FROM ' . USERS_TABLE . ' u, ' . SESSIONS_KEYS_TABLE . ' k
587	WHERE u.user_id = ' . (int) $this->cookie_data['u'] . '
588	AND u.user_type IN (' . USER_NORMAL . ', ' . USER_FOUNDER . ")
589	AND k.user_id = u.user_id
590	AND k.key_id = '" . $db->sql_escape(md5($this->cookie_data['k'])) . "'";
591	$result = $db->sql_query($sql);
592	$user_data = $db->sql_fetchrow($result);
593
594	if ($user_id === false \|\| (isset($user_data['user_id']) && $user_id == $user_data['user_id']))
595	{
596	$this->data = $user_data;
597	$bot = false;
598	}
599
600	$db->sql_freeresult($result);
601	}
602
603	if ($user_id !== false && empty($this->data))
604	{
605	$this->cookie_data['k'] = '';
606	$this->cookie_data['u'] = $user_id;
607
608	$sql = 'SELECT *
609	FROM ' . USERS_TABLE . '
610	WHERE user_id = ' . (int) $this->cookie_data['u'] . '
611	AND user_type IN (' . USER_NORMAL . ', ' . USER_FOUNDER . ')';
612	$result = $db->sql_query($sql);
613	$this->data = $db->sql_fetchrow($result);
614	$db->sql_freeresult($result);
615	$bot = false;
616	}
617
618	// Bot user, if they have a SID in the Request URI we need to get rid of it
619	// otherwise they'll index this page with the SID, duplicate content oh my!
620	if ($bot && isset($_GET['sid']))
621	{
622	send_status_line(301, 'Moved Permanently');
623	redirect(build_url(array('sid')));
624	}
625
626	// If no data was returned one or more of the following occurred:
627	// Key didn't match one in the DB
628	// User does not exist
629	// User is inactive
630	// User is bot
631	if (!is_array($this->data) \|\| !count($this->data))
632	{
633	$this->cookie_data['k'] = '';
634	$this->cookie_data['u'] = ($bot) ? $bot : ANONYMOUS;
635
636	if (!$bot)
637	{
638	$sql = 'SELECT *
639	FROM ' . USERS_TABLE . '
640	WHERE user_id = ' . (int) $this->cookie_data['u'];
641	}
642	else
643	{
644	// We give bots always the same session if it is not yet expired.
645	$sql = 'SELECT u., s.
646	FROM ' . USERS_TABLE . ' u
647	LEFT JOIN ' . SESSIONS_TABLE . ' s ON (s.session_user_id = u.user_id)
648	WHERE u.user_id = ' . (int) $bot;
649	}
650
651	$result = $db->sql_query($sql);
652	$this->data = $db->sql_fetchrow($result);
653	$db->sql_freeresult($result);
654	}
655
656	if ($this->data['user_id'] != ANONYMOUS && !$bot)
657	{
658	$this->data['session_last_visit'] = (isset($this->data['session_time']) && $this->data['session_time']) ? $this->data['session_time'] : (($this->data['user_lastvisit']) ? $this->data['user_lastvisit'] : time());
659	}
660	else
661	{
662	$this->data['session_last_visit'] = $this->time_now;
663	}
664
665	// Force user id to be integer...
666	$this->data['user_id'] = (int) $this->data['user_id'];
667
668	// At this stage we should have a filled data array, defined cookie u and k data.
669	// data array should contain recent session info if we're a real user and a recent
670	// session exists in which case session_id will also be set
671
672	// Is user banned? Are they excluded? Won't return on ban, exists within method
673	$this->check_ban_for_current_session($config);
674
675	$this->data['is_registered'] = (!$bot && $this->data['user_id'] != ANONYMOUS && ($this->data['user_type'] == USER_NORMAL \|\| $this->data['user_type'] == USER_FOUNDER)) ? true : false;
676	$this->data['is_bot'] = ($bot) ? true : false;
677
678	// If our friend is a bot, we re-assign a previously assigned session
679	if ($this->data['is_bot'] && $bot == $this->data['user_id'] && $this->data['session_id'])
680	{
681	// Only assign the current session if the ip, browser and forwarded_for match...
682	if (strpos($this->ip, ':') !== false && strpos($this->data['session_ip'], ':') !== false)
683	{
684	$s_ip = short_ipv6($this->data['session_ip'], $config['ip_check']);
685	$u_ip = short_ipv6($this->ip, $config['ip_check']);
686	}
687	else
688	{
689	$s_ip = implode('.', array_slice(explode('.', $this->data['session_ip']), 0, $config['ip_check']));
690	$u_ip = implode('.', array_slice(explode('.', $this->ip), 0, $config['ip_check']));
691	}
692
693	$s_browser = ($config['browser_check']) ? trim(strtolower(substr($this->data['session_browser'], 0, 149))) : '';
694	$u_browser = ($config['browser_check']) ? trim(strtolower(substr($this->browser, 0, 149))) : '';
695
696	$s_forwarded_for = ($config['forwarded_for_check']) ? substr($this->data['session_forwarded_for'], 0, 254) : '';
697	$u_forwarded_for = ($config['forwarded_for_check']) ? substr($this->forwarded_for, 0, 254) : '';
698
699	if ($u_ip === $s_ip && $s_browser === $u_browser && $s_forwarded_for === $u_forwarded_for)
700	{
701	$this->session_id = $this->data['session_id'];
702
703	// Only update session DB a minute or so after last update or if page changes
704	if ($this->time_now - $this->data['session_time'] > 60 \|\| ($this->update_session_page && $this->data['session_page'] != $this->page['page']))
705	{
706	// Update the last visit time
707	$this->update_user_lastvisit();
708	}
709
710	$SID = '?sid=';
711	$_SID = '';
712	return true;
713	}
714	else
715	{
716	// If the ip and browser does not match make sure we only have one bot assigned to one session
717	$db->sql_query('DELETE FROM ' . SESSIONS_TABLE . ' WHERE session_user_id = ' . $this->data['user_id']);
718	}
719	}
720
721	$session_autologin = (($this->cookie_data['k'] \|\| $persist_login) && $this->data['is_registered']) ? true : false;
722	$set_admin = ($set_admin && $this->data['is_registered']) ? true : false;
723
724	// Create or update the session
725	$sql_ary = array(
726	'session_user_id' => (int) $this->data['user_id'],
727	'session_start' => (int) $this->time_now,
728	'session_last_visit' => (int) $this->data['session_last_visit'],
729	'session_time' => (int) $this->time_now,
730	'session_browser' => (string) trim(substr($this->browser, 0, 149)),
731	'session_forwarded_for' => (string) $this->forwarded_for,
732	'session_ip' => (string) $this->ip,
733	'session_autologin' => ($session_autologin) ? 1 : 0,
734	'session_admin' => ($set_admin) ? 1 : 0,
735	'session_viewonline' => ($viewonline) ? 1 : 0,
736	);
737
738	if ($this->update_session_page)
739	{
740	$sql_ary['session_page'] = (string) substr($this->page['page'], 0, 199);
741	$sql_ary['session_forum_id'] = $this->page['forum'];
742	}
743
744	$db->sql_return_on_error(true);
745
746	$sql = 'DELETE
747	FROM ' . SESSIONS_TABLE . '
748	WHERE session_id = \'' . $db->sql_escape($this->session_id) . '\'
749	AND session_user_id = ' . ANONYMOUS;
750
751	if (!defined('IN_ERROR_HANDLER') && (!$this->session_id \|\| !$db->sql_query($sql) \|\| !$db->sql_affectedrows()))
752	{
753	// Limit new sessions in 1 minute period (if required)
754	if (empty($this->data['session_time']) && $config['active_sessions'])
755	{
756	// $db->sql_return_on_error(false);
757
758	$sql = 'SELECT COUNT(session_id) AS sessions
759	FROM ' . SESSIONS_TABLE . '
760	WHERE session_time >= ' . ($this->time_now - 60);
761	$result = $db->sql_query($sql);
762	$row = $db->sql_fetchrow($result);
763	$db->sql_freeresult($result);
764
765	if ((int) $row['sessions'] > (int) $config['active_sessions'])
766	{
767	send_status_line(503, 'Service Unavailable');
768	trigger_error('BOARD_UNAVAILABLE');
769	}
770	}
771	}
772
773	// Since we re-create the session id here, the inserted row must be unique. Therefore, we display potential errors.
774	// Commented out because it will not allow forums to update correctly
775	// $db->sql_return_on_error(false);
776
777	// Something quite important: session_page always holds the last page visited, except for the first visit.
778	// We are not able to simply have an empty session_page btw, therefore we need to tell phpBB how to detect this special case.
779	// If the session id is empty, we have a completely new one and will set an "identifier" here. This identifier is able to be checked later.
780	if (empty($this->data['session_id']))
781	{
782	// This is a temporary variable, only set for the very first visit
783	$this->data['session_created'] = true;
784	}
785
786	$this->session_id = $this->data['session_id'] = md5(unique_id());
787
788	$sql_ary['session_id'] = (string) $this->session_id;
789	$sql_ary['session_page'] = (string) substr($this->page['page'], 0, 199);
790	$sql_ary['session_forum_id'] = $this->page['forum'];
791
792	$sql = 'INSERT INTO ' . SESSIONS_TABLE . ' ' . $db->sql_build_array('INSERT', $sql_ary);
793	$db->sql_query($sql);
794
795	$db->sql_return_on_error(false);
796
797	// Regenerate autologin/persistent login key
798	if ($session_autologin)
799	{
800	$this->set_login_key();
801	}
802
803	// refresh data
804	if ($phpbb_container->getParameter('session.force_sid'))
805	{
806	$SID = '?sid=' . $this->session_id;
807	$_SID = $this->session_id;
808	}
809	$this->data = array_merge($this->data, $sql_ary);
810
811	if (!$bot)
812	{
813	$cookie_expire = $this->time_now + (($config['max_autologin_time']) ? 86400 * (int) $config['max_autologin_time'] : 31536000);
814
815	$this->set_cookie('u', $this->cookie_data['u'], $cookie_expire);
816	$this->set_cookie('k', $this->cookie_data['k'], $cookie_expire);
817	$this->set_cookie('sid', $this->session_id, $cookie_expire);
818
819	unset($cookie_expire);
820
821	if ($this->data['user_id'] != ANONYMOUS)
822	{
823	$sql = 'SELECT COUNT(session_id) AS sessions
824	FROM ' . SESSIONS_TABLE . '
825	WHERE session_user_id = ' . (int) $this->data['user_id'] . '
826	AND session_time >= ' . (int) ($this->time_now - (max((int) $config['session_length'], (int) $config['form_token_lifetime'])));
827	$result = $db->sql_query($sql);
828	$row = $db->sql_fetchrow($result);
829	$db->sql_freeresult($result);
830
831	if ((int) $row['sessions'] <= 1 \|\| empty($this->data['user_form_salt']))
832	{
833	$this->data['user_form_salt'] = unique_id();
834	// Update the form key
835	$sql = 'UPDATE ' . USERS_TABLE . '
836	SET user_form_salt = \'' . $db->sql_escape($this->data['user_form_salt']) . '\',
837	user_last_active = ' . (int) $this->time_now . '
838	WHERE user_id = ' . (int) $this->data['user_id'];
839	$db->sql_query($sql);
840	}
841	}
842	else
843	{
844	$this->update_last_active_time();
845	}
846	}
847	else
848	{
849	$this->data['session_time'] = $this->data['session_last_visit'] = $this->time_now;
850
851	$this->update_user_lastvisit();
852
853	if ($phpbb_container->getParameter('session.force_sid'))
854	{
855	$SID = '?sid=';
856	$_SID = '';
857	}
858	}
859
860	$session_data = $sql_ary;
861	/**
862	* Event to send new session data to extension
863	* Read-only event
864	*
865	* @event core.session_create_after
866	* @var array session_data Associative array of session keys to be updated
867	* @since 3.1.6-RC1
868	*/
869	$vars = array('session_data');
870	extract($phpbb_dispatcher->trigger_event('core.session_create_after', compact($vars)));
871	unset($session_data);
872
873	return true;
874	}
875
876	/**
877	* Kills a session
878	*
879	* This method does what it says on the tin. It will delete a pre-existing session.
880	* It resets cookie information (destroying any autologin key within that cookie data)
881	* and update the users information from the relevant session data. It will then
882	* grab guest user information.
883	*/
884	function session_kill($new_session = true)
885	{
886	global $SID, $_SID, $db, $phpbb_container, $phpbb_dispatcher;
887
888	$sql = 'DELETE FROM ' . SESSIONS_TABLE . "
889	WHERE session_id = '" . $db->sql_escape($this->session_id) . "'
890	AND session_user_id = " . (int) $this->data['user_id'];
891	$db->sql_query($sql);
892
893	$user_id = (int) $this->data['user_id'];
894	$session_id = $this->session_id;
895	/**
896	* Event to send session kill information to extension
897	* Read-only event
898	*
899	* @event core.session_kill_after
900	* @var int user_id user_id of the session user.
901	* @var string session_id current user's session_id
902	* @var bool new_session should we create new session for user
903	* @since 3.1.6-RC1
904	*/
905	$vars = array('user_id', 'session_id', 'new_session');
906	extract($phpbb_dispatcher->trigger_event('core.session_kill_after', compact($vars)));
907	unset($user_id);
908	unset($session_id);
909
910	// Allow connecting logout with external auth method logout
911	/* @var $provider_collection \phpbb\auth\provider_collection */
912	$provider_collection = $phpbb_container->get('auth.provider_collection');
913	$provider = $provider_collection->get_provider();
914	$provider->logout($this->data, $new_session);
915
916	if ($this->data['user_id'] != ANONYMOUS)
917	{
918	// Delete existing session, update last visit info first!
919	if (!isset($this->data['session_time']))
920	{
921	$this->data['session_time'] = time();
922	}
923
924	$sql = 'UPDATE ' . USERS_TABLE . '
925	SET user_lastvisit = ' . (int) $this->data['session_time'] . '
926	WHERE user_id = ' . (int) $this->data['user_id'];
927	$db->sql_query($sql);
928
929	if ($this->cookie_data['k'])
930	{
931	$sql = 'DELETE FROM ' . SESSIONS_KEYS_TABLE . '
932	WHERE user_id = ' . (int) $this->data['user_id'] . "
933	AND key_id = '" . $db->sql_escape(md5($this->cookie_data['k'])) . "'";
934	$db->sql_query($sql);
935	}
936
937	// Reset the data array
938	$this->data = array();
939
940	$sql = 'SELECT *
941	FROM ' . USERS_TABLE . '
942	WHERE user_id = ' . ANONYMOUS;
943	$result = $db->sql_query($sql);
944	$this->data = $db->sql_fetchrow($result);
945	$db->sql_freeresult($result);
946	}
947
948	$cookie_expire = $this->time_now - 31536000;
949	$this->set_cookie('u', '', $cookie_expire);
950	$this->set_cookie('k', '', $cookie_expire);
951	$this->set_cookie('sid', '', $cookie_expire);
952	unset($cookie_expire);
953
954	$SID = '?sid=';
955	$this->session_id = $_SID = '';
956
957	// To make sure a valid session is created we create one for the anonymous user
958	if ($new_session)
959	{
960	$this->session_create(ANONYMOUS);
961	}
962
963	return true;
964	}
965
966	/**
967	* Session garbage collection
968	*
969	* This looks a lot more complex than it really is. Effectively we are
970	* deleting any sessions older than an admin definable limit. Due to the
971	* way in which we maintain session data we have to ensure we update user
972	* data before those sessions are destroyed. In addition this method
973	* removes autologin key information that is older than an admin defined
974	* limit.
975	*/
976	function session_gc()
977	{
978	global $db, $config, $phpbb_container, $phpbb_dispatcher;
979
980	if (!$this->time_now)
981	{
982	$this->time_now = time();
983	}
984
985	/**
986	* Get expired sessions for registered users, only most recent for each user
987	* Inner SELECT gets most recent expired sessions for unique session_user_id
988	* Outer SELECT gets data for them
989	*/
990	$sql_select = 'SELECT s1.session_page, s1.session_user_id, s1.session_time AS recent_time
991	FROM ' . SESSIONS_TABLE . ' AS s1
992	INNER JOIN (
993	SELECT session_user_id, MAX(session_time) AS recent_time
994	FROM ' . SESSIONS_TABLE . '
995	WHERE session_time < ' . ($this->time_now - (int) $config['session_length']) . '
996	AND session_user_id <> ' . ANONYMOUS . '
997	GROUP BY session_user_id
998	) AS s2
999	ON s1.session_user_id = s2.session_user_id
1000	AND s1.session_time = s2.recent_time';
1001
1002	switch ($db->get_sql_layer())
1003	{
1004	case 'sqlite3':
1005	if (phpbb_version_compare($db->sql_server_info(true), '3.8.3', '>='))
1006	{
1007	// For SQLite versions 3.8.3+ which support Common Table Expressions (CTE)
1008	$sql = "WITH s3 (session_page, session_user_id, session_time) AS ($sql_select)
1009	UPDATE " . USERS_TABLE . '
1010	SET (user_lastpage, user_lastvisit) = (SELECT session_page, session_time FROM s3 WHERE session_user_id = user_id)
1011	WHERE EXISTS (SELECT session_user_id FROM s3 WHERE session_user_id = user_id)';
1012	$db->sql_query($sql);
1013
1014	break;
1015	}
1016
1017	// No break, for SQLite versions prior to 3.8.3 and Oracle
1018	case 'oracle':
1019	$result = $db->sql_query($sql_select);
1020	while ($row = $db->sql_fetchrow($result))
1021	{
1022	$sql = 'UPDATE ' . USERS_TABLE . '
1023	SET user_lastvisit = ' . (int) $row['recent_time'] . ", user_lastpage = '" . $db->sql_escape($row['session_page']) . "'
1024	WHERE user_id = " . (int) $row['session_user_id'];
1025	$db->sql_query($sql);
1026	}
1027	$db->sql_freeresult($result);
1028	break;
1029
1030	case 'mysqli':
1031	$sql = 'UPDATE ' . USERS_TABLE . " u,
1032	($sql_select) s3
1033	SET u.user_lastvisit = s3.recent_time, u.user_lastpage = s3.session_page
1034	WHERE u.user_id = s3.session_user_id";
1035	$db->sql_query($sql);
1036	break;
1037
1038	default:
1039	$sql = 'UPDATE ' . USERS_TABLE . "
1040	SET user_lastvisit = s3.recent_time, user_lastpage = s3.session_page
1041	FROM ($sql_select) s3
1042	WHERE user_id = s3.session_user_id";
1043	$db->sql_query($sql);
1044	break;
1045	}
1046
1047	// Delete all expired sessions
1048	$sql = 'DELETE FROM ' . SESSIONS_TABLE . '
1049	WHERE session_time < ' . ($this->time_now - (int) $config['session_length']);
1050	$db->sql_query($sql);
1051
1052	// Update gc timer
1053	$config->set('session_last_gc', $this->time_now, false);
1054
1055	if ($config['max_autologin_time'])
1056	{
1057	$sql = 'DELETE FROM ' . SESSIONS_KEYS_TABLE . '
1058	WHERE last_login < ' . (time() - (86400 * (int) $config['max_autologin_time']));
1059	$db->sql_query($sql);
1060	}
1061
1062	// only called from CRON; should be a safe workaround until the infrastructure gets going
1063	/* @var \phpbb\captcha\factory $captcha_factory */
1064	$captcha_factory = $phpbb_container->get('captcha.factory');
1065	$captcha_factory->garbage_collect($config['captcha_plugin']);
1066
1067	$sql = 'DELETE FROM ' . LOGIN_ATTEMPT_TABLE . '
1068	WHERE attempt_time < ' . (time() - (int) $config['ip_login_limit_time']);
1069	$db->sql_query($sql);
1070
1071	/**
1072	* Event to trigger extension on session_gc
1073	*
1074	* @event core.session_gc_after
1075	* @since 3.1.6-RC1
1076	*/
1077	$phpbb_dispatcher->trigger_event('core.session_gc_after');
1078	}
1079
1080	/**
1081	* Sets a cookie
1082	*
1083	* Sets a cookie of the given name with the specified data for the given length of time. If no time is specified, a session cookie will be set.
1084	*
1085	* @param string $name Name of the cookie, will be automatically prefixed with the phpBB cookie name. track becomes [cookie_name]_track then.
1086	* @param string $cookiedata The data to hold within the cookie
1087	* @param int $cookietime The expiration time as UNIX timestamp. If 0 is provided, a session cookie is set.
1088	* @param bool $httponly Use HttpOnly. Defaults to true. Use false to make cookie accessible by client-side scripts.
1089	*/
1090	function set_cookie($name, $cookiedata, $cookietime, $httponly = true)
1091	{
1092	global $config, $phpbb_dispatcher;
1093
1094	// If headers are already set, we just return
1095	if (headers_sent())
1096	{
1097	return;
1098	}
1099
1100	$disable_cookie = false;
1101	/**
1102	* Event to modify or disable setting cookies
1103	*
1104	* @event core.set_cookie
1105	* @var bool disable_cookie Set to true to disable setting this cookie
1106	* @var string name Name of the cookie
1107	* @var string cookiedata The data to hold within the cookie
1108	* @var int cookietime The expiration time as UNIX timestamp
1109	* @var bool httponly Use HttpOnly?
1110	* @since 3.2.9-RC1
1111	*/
1112	$vars = array(
1113	'disable_cookie',
1114	'name',
1115	'cookiedata',
1116	'cookietime',
1117	'httponly',
1118	);
1119	extract($phpbb_dispatcher->trigger_event('core.set_cookie', compact($vars)));
1120
1121	if ($disable_cookie)
1122	{
1123	return;
1124	}
1125
1126	$name_data = rawurlencode($config['cookie_name'] . '_' . $name) . '=' . rawurlencode($cookiedata);
1127	$expire = gmdate('D, d-M-Y H:i:s \\G\\M\\T', $cookietime);
1128	$domain = (!$config['cookie_domain'] \|\| $config['cookie_domain'] == '127.0.0.1' \|\| strpos($config['cookie_domain'], '.') === false) ? '' : '; domain=' . $config['cookie_domain'];
1129
1130	header('Set-Cookie: ' . $name_data . (($cookietime) ? '; expires=' . $expire : '') . '; path=' . $config['cookie_path'] . $domain . ((!$config['cookie_secure']) ? '' : '; secure') . ';' . (($httponly) ? ' HttpOnly' : ''), false);
1131	}
1132
1133	/**
1134	* Check for banned user
1135	*
1136	* Checks whether the supplied user is banned by id, ip or email. If no parameters
1137	* are passed to the method pre-existing session data is used.
1138	*
1139	* @param int\|false $user_id The user id
1140	* @param mixed $user_ips Can contain a string with one IP or an array of multiple IPs
1141	* @param string\|false $user_email The user email
1142	* @param bool $return If $return is false this routine does not return on finding a banned user,
1143	* it outputs a relevant message and stops execution.
1144	*/
1145	function check_ban($user_id = false, $user_ips = false, $user_email = false, $return = false)
1146	{
1147	global $phpbb_container, $phpbb_dispatcher;
1148
1149	if (defined('IN_CHECK_BAN') \|\| defined('SKIP_CHECK_BAN'))
1150	{
1151	return false;
1152	}
1153
1154	/** @var \phpbb\ban\manager $ban_manager */
1155	$ban_manager = $phpbb_container->get('ban.manager');
1156	$ban_row = $ban_manager->check(['user_id' => $user_id, 'user_email' => $user_email]);
1157	if (empty($ban_row))
1158	{
1159	return false;
1160	}
1161
1162	$banned = true;
1163	$ban_triggered_by = $ban_row['mode'];
1164
1165	/**
1166	* Event to set custom ban type
1167	*
1168	* @event core.session_set_custom_ban
1169	* @var bool return If $return is false this routine does not return on finding a banned user, it outputs a relevant message and stops execution
1170	* @var bool banned Check if user already banned
1171	* @var array\|false ban_row Ban data
1172	* @var string ban_triggered_by Method that caused ban, can be your custom method
1173	* @since 3.1.3-RC1
1174	*/
1175	$ban_row = isset($ban_row) ? $ban_row : false;
1176	$vars = array('return', 'banned', 'ban_row', 'ban_triggered_by');
1177	extract($phpbb_dispatcher->trigger_event('core.session_set_custom_ban', compact($vars)));
1178
1179	if ($banned && !$return)
1180	{
1181	global $config, $phpbb_root_path, $phpEx;
1182
1183	// Initiate environment ... since it won't be set at this stage
1184	$this->setup();
1185
1186	// Logout the user, banned users are unable to use the normal 'logout' link
1187	if ($this->data['user_id'] != ANONYMOUS)
1188	{
1189	$this->session_kill();
1190	}
1191
1192	// We show a login box here to allow founders accessing the board if banned by IP
1193	if (defined('IN_LOGIN') && $this->data['user_id'] == ANONYMOUS)
1194	{
1195	$this->setup('ucp');
1196	$this->data['is_registered'] = $this->data['is_bot'] = false;
1197
1198	// Set as a precaution to allow login_box() handling this case correctly as well as this function not being executed again.
1199	define('IN_CHECK_BAN', 1);
1200
1201	login_box("index.$phpEx");
1202
1203	// The false here is needed, else the user is able to circumvent the ban.
1204	$this->session_kill(false);
1205	}
1206
1207	// Ok, we catch the case of an empty session id for the anonymous user...
1208	// This can happen if the user is logging in, banned by username and the login_box() being called "again".
1209	if (empty($this->session_id) && defined('IN_CHECK_BAN'))
1210	{
1211	$this->session_create(ANONYMOUS);
1212	}
1213
1214	// Determine which message to output
1215	$contact_link = phpbb_get_board_contact_link($config, $phpbb_root_path, $phpEx);
1216	$message = $ban_manager->get_ban_message($ban_row, $ban_triggered_by, $contact_link);
1217
1218	// A very special case... we are within the cron script which is not supposed to print out the ban message... show blank page
1219	if (defined('IN_CRON'))
1220	{
1221	garbage_collection();
1222	exit_handler();
1223	exit;
1224	}
1225
1226	// To circumvent session_begin returning a valid value and the check_ban() not called on second page view, we kill the session again
1227	$this->session_kill(false);
1228
1229	trigger_error($message);
1230	}
1231
1232	if (!empty($ban_row))
1233	{
1234	$ban_row['ban_triggered_by'] = $ban_triggered_by;
1235	}
1236
1237	return ($banned && $ban_row) ? $ban_row : $banned;
1238	}
1239
1240	/**
1241	* Check the current session for bans
1242	*/
1243	protected function check_ban_for_current_session($config)
1244	{
1245	if (!defined('SKIP_CHECK_BAN') && $this->data['user_type'] != USER_FOUNDER)
1246	{
1247	if (!$config['forwarded_for_check'])
1248	{
1249	$this->check_ban($this->data['user_id'], $this->ip);
1250	}
1251	else
1252	{
1253	$ips = explode(' ', $this->forwarded_for);
1254	$ips[] = $this->ip;
1255	$this->check_ban($this->data['user_id'], $ips);
1256	}
1257	}
1258	}
1259
1260	/**
1261	* Check if ip is blacklisted by Spamhaus SBL
1262	*
1263	* Disables DNSBL setting if errors are returned by Spamhaus due to a policy violation.
1264	* https://www.spamhaus.com/product/help-for-spamhaus-public-mirror-users/
1265	*
1266	* @param string $dnsbl the blacklist to check against
1267	* @param string\|false $ip the IPv4 address to check
1268	*
1269	* @return bool true if listed in spamhaus database, false if not
1270	*/
1271	function check_dnsbl_spamhaus($dnsbl, $ip = false)
1272	{
1273	global $config, $phpbb_log;
1274
1275	if ($ip === false)
1276	{
1277	$ip = $this->ip;
1278	}
1279
1280	// Spamhaus does not support IPv6 addresses.
1281	if (strpos($ip, ':') !== false)
1282	{
1283	return false;
1284	}
1285
1286	if ($ip)
1287	{
1288	$quads = explode('.', $ip);
1289	$reverse_ip = $quads[3] . '.' . $quads[2] . '.' . $quads[1] . '.' . $quads[0];
1290
1291	$records = dns_get_record($reverse_ip . '.' . $dnsbl . '.', DNS_A);
1292	if (empty($records))
1293	{
1294	return false;
1295	}
1296	else
1297	{
1298	$error = false;
1299	foreach ($records as $record)
1300	{
1301	if ($record['ip'] == '127.255.255.254')
1302	{
1303	$error = 'LOG_SPAMHAUS_OPEN_RESOLVER';
1304	break;
1305	}
1306	else if ($record['ip'] == '127.255.255.255')
1307	{
1308	$error = 'LOG_SPAMHAUS_VOLUME_LIMIT';
1309	break;
1310	}
1311	}
1312
1313	if ($error !== false)
1314	{
1315	$config->set('check_dnsbl', 0);
1316	$phpbb_log->add('critical', $this->data['user_id'], $ip, $error);
1317	}
1318	else
1319	{
1320	// The existence of a non-error A record means it's a hit
1321	return true;
1322	}
1323	}
1324	}
1325
1326	return false;
1327	}
1328
1329	/**
1330	* Checks if an IPv4 address is in a specified DNS blacklist
1331	*
1332	* Only checks if a record is returned or not.
1333	*
1334	* @param string $dnsbl the blacklist to check against
1335	* @param string\|false $ip the IPv4 address to check
1336	*
1337	* @return bool true if record is returned, false if not
1338	*/
1339	function check_dnsbl_ipv4_generic($dnsbl, $ip = false)
1340	{
1341	if ($ip === false)
1342	{
1343	$ip = $this->ip;
1344	}
1345
1346	// This function does not support IPv6 addresses.
1347	if (strpos($ip, ':') !== false)
1348	{
1349	return false;
1350	}
1351
1352	$quads = explode('.', $ip);
1353	$reverse_ip = $quads[3] . '.' . $quads[2] . '.' . $quads[1] . '.' . $quads[0];
1354
1355	if (checkdnsrr($reverse_ip . '.' . $dnsbl . '.', 'A') === true)
1356	{
1357	return true;
1358	}
1359
1360	return false;
1361	}
1362
1363	/**
1364	* Check if ip is blacklisted
1365	* This should be called only where absolutely necessary
1366	*
1367	* Only IPv4 (rbldns does not support AAAA records/IPv6 lookups)
1368	*
1369	* @author satmd (from the php manual)
1370	* @param string $mode register/post - spamcop for example is omitted for posting
1371	* @param string\|false $ip the IPv4 address to check
1372	*
1373	* @return array\|false false if ip is not blacklisted, else an array([checked server], [lookup])
1374	*/
1375	function check_dnsbl($mode, $ip = false)
1376	{
1377	if ($ip === false)
1378	{
1379	$ip = $this->ip;
1380	}
1381
1382	// Neither Spamhaus nor Spamcop supports IPv6 addresses.
1383	if (strpos($ip, ':') !== false)
1384	{
1385	return false;
1386	}
1387
1388	$dnsbl_check = array(
1389	'sbl.spamhaus.org' => ['https://check.spamhaus.org/listed/?searchterm=', 'check_dnsbl_spamhaus'],
1390	);
1391
1392	if ($mode == 'register')
1393	{
1394	$dnsbl_check['bl.spamcop.net'] = ['https://www.spamcop.net/bl.shtml?', 'check_dnsbl_ipv4_generic'];
1395	}
1396
1397	if ($ip)
1398	{
1399	// Need to be listed on all servers...
1400	$listed = true;
1401	$info = array();
1402
1403	foreach ($dnsbl_check as $dnsbl => $lookup)
1404	{
1405	if (call_user_func(array($this, $lookup[1]), $dnsbl, $ip) === true)
1406	{
1407	$info = array($dnsbl, $lookup[0] . $ip);
1408	}
1409	else
1410	{
1411	$listed = false;
1412	}
1413	}
1414
1415	if ($listed)
1416	{
1417	return $info;
1418	}
1419	}
1420
1421	return false;
1422	}
1423
1424	/**
1425	* Check if URI is blacklisted
1426	* This should be called only where absolutely necessary, for example on the submitted website field
1427	* This function is not in use at the moment and is only included for testing purposes, it may not work at all!
1428	* This means it is untested at the moment and therefore commented out
1429	*
1430	* @param string $uri URI to check
1431	* @return true if uri is on blacklist, else false. Only blacklist is checked (~zero FP), no grey lists
1432	function check_uribl($uri)
1433	{
1434	// Normally parse_url() is not intended to parse uris
1435	// We need to get the top-level domain name anyway... change.
1436	$uri = parse_url($uri);
1437
1438	if ($uri === false \|\| empty($uri['host']))
1439	{
1440	return false;
1441	}
1442
1443	$uri = trim($uri['host']);
1444
1445	if ($uri)
1446	{
1447	// One problem here... the return parameter for the "windows" method is different from what
1448	// we expect... this may render this check useless...
1449	if (checkdnsrr($uri . '.multi.uribl.com.', 'A') === true)
1450	{
1451	return true;
1452	}
1453	}
1454
1455	return false;
1456	}
1457	*/
1458
1459	/**
1460	* Set/Update a persistent login key
1461	*
1462	* This method creates or updates a persistent session key. When a user makes
1463	* use of persistent (formerly auto-) logins a key is generated and stored in the
1464	* DB. When they revisit with the same key it's automatically updated in both the
1465	* DB and cookie. Multiple keys may exist for each user representing different
1466	* browsers or locations. As with _any_ non-secure-socket no passphrase login this
1467	* remains vulnerable to exploit.
1468	*/
1469	function set_login_key($user_id = false, $key = false, $user_ip = false)
1470	{
1471	global $db, $phpbb_dispatcher;
1472
1473	$user_id = ($user_id === false) ? $this->data['user_id'] : $user_id;
1474	$user_ip = ($user_ip === false) ? $this->ip : $user_ip;
1475	$key = ($key === false) ? (($this->cookie_data['k']) ? $this->cookie_data['k'] : false) : $key;
1476
1477	$key_id = unique_id();
1478
1479	$sql_ary = array(
1480	'key_id' => (string) md5($key_id),
1481	'last_ip' => (string) $user_ip,
1482	'last_login' => (int) time()
1483	);
1484
1485	if (!$key)
1486	{
1487	$sql_ary += array(
1488	'user_id' => (int) $user_id
1489	);
1490	}
1491
1492	if ($key)
1493	{
1494	$sql = 'UPDATE ' . SESSIONS_KEYS_TABLE . '
1495	SET ' . $db->sql_build_array('UPDATE', $sql_ary) . '
1496	WHERE user_id = ' . (int) $user_id . "
1497	AND key_id = '" . $db->sql_escape(md5($key)) . "'";
1498	}
1499	else
1500	{
1501	$sql = 'INSERT INTO ' . SESSIONS_KEYS_TABLE . ' ' . $db->sql_build_array('INSERT', $sql_ary);
1502	}
1503
1504	/**
1505	* Event to adjust autologin keys process
1506	*
1507	* @event core.set_login_key
1508	* @var string\|false key Current autologin key if exists, false otherwise
1509	* @var string key_id New autologin key
1510	* @var string sql SQL query to update/insert autologin key
1511	* @var array sql_ary Aray with autologin key data
1512	* @var int user_id Current user's ID
1513	* @var string user_ip Current user's IP address
1514	* @since 3.3.2-RC1
1515	*/
1516	$vars = [
1517	'key',
1518	'key_id',
1519	'sql',
1520	'sql_ary',
1521	'user_id',
1522	'user_ip',
1523	];
1524	extract($phpbb_dispatcher->trigger_event('core.set_login_key', compact($vars)));
1525
1526	$db->sql_query($sql);
1527
1528	$this->cookie_data['k'] = $key_id;
1529
1530	return false;
1531	}
1532
1533	/**
1534	* Reset all login keys for the specified user
1535	*
1536	* This method removes all current login keys for a specified (or the current)
1537	* user. It will be called on password change to render old keys unusable
1538	*/
1539	function reset_login_keys($user_id = false)
1540	{
1541	global $db;
1542
1543	$user_id = ($user_id === false) ? (int) $this->data['user_id'] : (int) $user_id;
1544
1545	$sql = 'DELETE FROM ' . SESSIONS_KEYS_TABLE . '
1546	WHERE user_id = ' . (int) $user_id;
1547	$db->sql_query($sql);
1548
1549	// If the user is logged in, update last visit info first before deleting sessions
1550	$sql = 'SELECT session_time, session_page
1551	FROM ' . SESSIONS_TABLE . '
1552	WHERE session_user_id = ' . (int) $user_id . '
1553	ORDER BY session_time DESC';
1554	$result = $db->sql_query_limit($sql, 1);
1555	$row = $db->sql_fetchrow($result);
1556	$db->sql_freeresult($result);
1557
1558	if ($row)
1559	{
1560	$sql = 'UPDATE ' . USERS_TABLE . '
1561	SET user_lastvisit = ' . (int) $row['session_time'] . ", user_lastpage = '" . $db->sql_escape($row['session_page']) . "'
1562	WHERE user_id = " . (int) $user_id;
1563	$db->sql_query($sql);
1564	}
1565
1566	// Let's also clear any current sessions for the specified user_id
1567	// If it's the current user then we'll leave this session intact
1568	$sql_where = 'session_user_id = ' . (int) $user_id;
1569	$sql_where .= ($user_id === (int) $this->data['user_id']) ? " AND session_id <> '" . $db->sql_escape($this->session_id) . "'" : '';
1570
1571	$sql = 'DELETE FROM ' . SESSIONS_TABLE . "
1572	WHERE $sql_where";
1573	$db->sql_query($sql);
1574
1575	// We're changing the password of the current user and they have a key
1576	// Lets regenerate it to be safe
1577	if ($user_id === (int) $this->data['user_id'] && $this->cookie_data['k'])
1578	{
1579	$this->set_login_key($user_id);
1580	}
1581	}
1582
1583
1584	/**
1585	* Check if the request originated from the same page.
1586	* @param bool $check_script_path If true, the path will be checked as well
1587	*/
1588	function validate_referer($check_script_path = false)
1589	{
1590	global $config, $request;
1591
1592	// no referer - nothing to validate, user's fault for turning it off (we only check on POST; so meta can't be the reason)
1593	if (empty($this->referer) \|\| empty($this->host))
1594	{
1595	return true;
1596	}
1597
1598	$host = htmlspecialchars($this->host, ENT_COMPAT);
1599	$ref = substr($this->referer, strpos($this->referer, '://') + 3);
1600
1601	if (!(stripos($ref, $host) === 0) && (!$config['force_server_vars'] \|\| !(stripos($ref, $config['server_name']) === 0)))
1602	{
1603	return false;
1604	}
1605	else if ($check_script_path && rtrim($this->page['root_script_path'], '/') !== '')
1606	{
1607	$ref = substr($ref, strlen($host));
1608	$server_port = $request->server('SERVER_PORT', 0);
1609
1610	if ($server_port !== 80 && $server_port !== 443 && stripos($ref, ":$server_port") === 0)
1611	{
1612	$ref = substr($ref, strlen(":$server_port"));
1613	}
1614
1615	if (!(stripos(rtrim($ref, '/'), rtrim($this->page['root_script_path'], '/')) === 0))
1616	{
1617	return false;
1618	}
1619	}
1620
1621	return true;
1622	}
1623
1624
1625	function unset_admin()
1626	{
1627	global $db;
1628	$sql = 'UPDATE ' . SESSIONS_TABLE . '
1629	SET session_admin = 0
1630	WHERE session_id = \'' . $db->sql_escape($this->session_id) . '\'';
1631	$db->sql_query($sql);
1632	}
1633
1634	/**
1635	* Update the session data
1636	*
1637	* @param array $session_data associative array of session keys to be updated
1638	* @param string $session_id optional session_id, defaults to current user's session_id
1639	*/
1640	public function update_session($session_data, $session_id = null)
1641	{
1642	global $db, $phpbb_dispatcher;
1643
1644	$session_id = ($session_id) ? $session_id : $this->session_id;
1645
1646	$sql = 'UPDATE ' . SESSIONS_TABLE . ' SET ' . $db->sql_build_array('UPDATE', $session_data) . "
1647	WHERE session_id = '" . $db->sql_escape($session_id) . "'";
1648	$db->sql_query($sql);
1649
1650	/**
1651	* Event to send update session information to extension
1652	* Read-only event
1653	*
1654	* @event core.update_session_after
1655	* @var array session_data Associative array of session keys to be updated
1656	* @var string session_id current user's session_id
1657	* @since 3.1.6-RC1
1658	*/
1659	$vars = array('session_data', 'session_id');
1660	extract($phpbb_dispatcher->trigger_event('core.update_session_after', compact($vars)));
1661	}
1662
1663	public function update_session_infos()
1664	{
1665	global $config, $db, $request;
1666
1667	// No need to update if it's a new session. Informations are already inserted by session_create()
1668	if (isset($this->data['session_created']) && $this->data['session_created'])
1669	{
1670	return;
1671	}
1672
1673	// Do not update the session page for ajax requests, so the view online still works as intended
1674	$page_changed = $this->update_session_page && (!isset($this->data['session_page']) \|\| $this->data['session_page'] != $this->page['page'] \|\| $this->data['session_forum_id'] != $this->page['forum']) && !$request->is_ajax();
1675
1676	// Only update session DB a minute or so after last update or if page changes
1677	if ($this->time_now - (isset($this->data['session_time']) ? $this->data['session_time'] : 0) > 60 \|\| $page_changed)
1678	{
1679	$sql_ary = array('session_time' => $this->time_now);
1680
1681	if ($page_changed)
1682	{
1683	$sql_ary['session_page'] = substr($this->page['page'], 0, 199);
1684	$sql_ary['session_forum_id'] = $this->page['forum'];
1685	}
1686
1687	$db->sql_return_on_error(true);
1688
1689	$this->update_session($sql_ary);
1690
1691	$db->sql_return_on_error(false);
1692
1693	$this->data = array_merge($this->data, $sql_ary);
1694
1695	if ($this->data['user_id'] != ANONYMOUS && isset($config['new_member_post_limit'])
1696	&& $this->data['user_new'] && $config['new_member_post_limit'] <= $this->data['user_posts']
1697	&& $this instanceof user)
1698	{
1699	$this->leave_newly_registered();
1700	}
1701	}
1702	}
1703
1704	/**
1705	* Get user ID
1706	*
1707	* @return int User ID
1708	*/
1709	public function id() : int
1710	{
1711	return isset($this->data['user_id']) ? (int) $this->data['user_id'] : ANONYMOUS;
1712	}
1713
1714	/**
1715	* Update user last visit time
1716	*/
1717	public function update_user_lastvisit()
1718	{
1719	global $db;
1720
1721	if (isset($this->data['session_time'], $this->data['user_id']) && !$this->is_push_notification_request())
1722	{
1723	$sql = 'UPDATE ' . USERS_TABLE . '
1724	SET user_lastvisit = ' . (int) $this->data['session_time'] . ',
1725	user_last_active = ' . $this->time_now . '
1726	WHERE user_id = ' . (int) $this->data['user_id'];
1727	$db->sql_query($sql);
1728	}
1729	}
1730
1731	/**
1732	* Update user's last active time
1733	*
1734	* @return void
1735	*/
1736	public function update_last_active_time()
1737	{
1738	global $db;
1739
1740	if (isset($this->time_now, $this->data['user_id']) && !$this->is_push_notification_request())
1741	{
1742	$sql = 'UPDATE ' . USERS_TABLE . '
1743	SET user_last_active = ' . $this->time_now . '
1744	WHERE user_id = ' . (int) $this->data['user_id'];
1745	$db->sql_query($sql);
1746	}
1747	}
1748
1749	/**
1750	* Determine if the request is an Ajax request from the web push service worker
1751	*
1752	* @return bool True if the request is an Ajax request and the page URL contains '/push/notification', otherwise false
1753	*/
1754	protected function is_push_notification_request(): bool
1755	{
1756	global $request;
1757
1758	return $request->is_ajax() && str_contains($this->page['page'], '/push/notification');
1759	}
1760	}