You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
330 lines
12 KiB
PHP
330 lines
12 KiB
PHP
<?php
|
|
|
|
# ***** BEGIN LICENSE BLOCK *****
|
|
# Version: MPL 1.1/GPL 2.0/LGPL 2.1
|
|
#
|
|
# The contents of this file are subject to the Mozilla Public License Version
|
|
# 1.1 (the "License"); you may not use this file except in compliance with
|
|
# the License. You may obtain a copy of the License at
|
|
# http://www.mozilla.org/MPL/
|
|
#
|
|
# Software distributed under the License is distributed on an "AS IS" basis,
|
|
# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
|
|
# for the specific language governing rights and limitations under the
|
|
# License.
|
|
#
|
|
# The Initial Developer of the Original Code is balu
|
|
#
|
|
# Portions created by the Initial Developer are Copyright (C) 2012
|
|
# the Initial Developer. All Rights Reserved.
|
|
#
|
|
# Contributor(s):
|
|
# Daniel Triendl <daniel@pew.cc>
|
|
# Mark Straver <moonchild@palemoon.org>
|
|
# Christian Wittmer <chris@computersalat.de>
|
|
#
|
|
# Alternatively, the contents of this file may be used under the terms of
|
|
# either the GNU General Public License Version 2 or later (the "GPL"), or
|
|
# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
|
|
# in which case the provisions of the GPL or the LGPL are applicable instead
|
|
# of those above. If you wish to allow use of your version of this file only
|
|
# under the terms of either the GPL or the LGPL, and not to allow others to
|
|
# use your version of this file under the terms of the MPL, indicate your
|
|
# decision by deleting the provisions above and replace them with the notice
|
|
# and other provisions required by the GPL or the LGPL. If you do not delete
|
|
# the provisions above, a recipient may use your version of this file under
|
|
# the terms of any one of the MPL, the GPL or the LGPL.
|
|
#
|
|
# ***** END LICENSE BLOCK *****
|
|
|
|
#Error constants
|
|
define ('WEAVE_ERROR_INVALID_PROTOCOL', 1);
|
|
define ('WEAVE_ERROR_INCORRECT_CAPTCHA', 2);
|
|
define ('WEAVE_ERROR_INVALID_USERNAME', 3);
|
|
define ('WEAVE_ERROR_NO_OVERWRITE', 4);
|
|
define ('WEAVE_ERROR_USERID_PATH_MISMATCH', 5);
|
|
define ('WEAVE_ERROR_JSON_PARSE', 6);
|
|
define ('WEAVE_ERROR_MISSING_PASSWORD', 7);
|
|
define ('WEAVE_ERROR_INVALID_WBO', 8);
|
|
define ('WEAVE_ERROR_BAD_PASSWORD_STRENGTH', 9);
|
|
define ('WEAVE_ERROR_INVALID_RESET_CODE', 10);
|
|
define ('WEAVE_ERROR_FUNCTION_NOT_SUPPORTED', 11);
|
|
define ('WEAVE_ERROR_NO_EMAIL', 12);
|
|
define ('WEAVE_ERROR_INVALID_COLLECTION', 13);
|
|
define ('WEAVE_ERROR_OVER_QUOTA', 14);
|
|
|
|
|
|
define ('LOG_THE_ERROR', 0);
|
|
define ('LOG_QUOTAS', 0);
|
|
|
|
function log_quota($msg)
|
|
{
|
|
if ( LOG_QUOTAS == 1 )
|
|
{
|
|
$datei = fopen("/tmp/FSyncMS-quota.log","a");
|
|
// $fmsg = sprintf("$msg\n");
|
|
fputs($datei,"$msg\n");
|
|
// fputs($datei,"Server ".print_r( $_SERVER, true));
|
|
fclose($datei);
|
|
}
|
|
}
|
|
|
|
function log_error($msg)
|
|
{
|
|
if ( LOG_THE_ERROR == 1 )
|
|
{
|
|
$datei = fopen("/tmp/FSyncMS-error.txt","a");
|
|
// $fmsg = sprintf("$msg\n");
|
|
fputs($datei,"$msg\n");
|
|
// fputs($datei,"Server ".print_r( $_SERVER, true));
|
|
fclose($datei);
|
|
}
|
|
}
|
|
|
|
function report_problem($message, $code = 503)
|
|
{
|
|
$headers = array('400' => '400 Bad Request',
|
|
'401' => '401 Unauthorized',
|
|
'403' => '403 Forbidden',
|
|
'404' => '404 Not Found',
|
|
'412' => '412 Precondition Failed',
|
|
'503' => '503 Service Unavailable');
|
|
header('HTTP/1.1 ' . $headers{$code},true,$code);
|
|
|
|
if ($code == 401)
|
|
{
|
|
header('WWW-Authenticate: Basic realm="Weave"');
|
|
}
|
|
log_error($message);
|
|
exit(json_encode($message));
|
|
}
|
|
|
|
|
|
function fix_utf8_encoding($string)
|
|
{
|
|
if(mb_detect_encoding($string . " ", 'UTF-8,ISO-8859-1') == 'UTF-8')
|
|
return $string;
|
|
else
|
|
return utf8_encode($string);
|
|
}
|
|
|
|
function get_phpinput()
|
|
{
|
|
#stupid php being helpful with input data...
|
|
$putdata = fopen("php://input", "r");
|
|
$string = '';
|
|
while ($data = fread($putdata,2048)) {$string .= $data;} //hier will man ein limit einbauen
|
|
return $string;
|
|
}
|
|
function get_json()
|
|
{
|
|
$jsonstring = get_phpinput();
|
|
$json = json_decode(fix_utf8_encoding($jsonstring), true);
|
|
|
|
if ($json === null)
|
|
report_problem(WEAVE_ERROR_JSON_PARSE, 400);
|
|
|
|
return $json;
|
|
}
|
|
|
|
function validate_username($username)
|
|
{
|
|
if (!$username)
|
|
return false;
|
|
|
|
if (strlen($username) > 32)
|
|
return false;
|
|
|
|
return preg_match('/[^A-Z0-9._-]/i', $username) ? false : true;
|
|
}
|
|
|
|
function validate_collection($collection)
|
|
{
|
|
if (!$collection)
|
|
return false;
|
|
|
|
if (strlen($collection) > 32)
|
|
return false;
|
|
|
|
// allow characters '?' and '=' in the collection string which e.g.
|
|
// appear if the following request is send from firefox:
|
|
// http://<server>/weave/1.1/<user>/storage/clients?full=1
|
|
return preg_match('/[^A-Z0-9?=._-]/i', $collection) ? false : true;
|
|
}
|
|
|
|
#user exitsts
|
|
function exists_user( $db)
|
|
{
|
|
#$user = strtolower($user);
|
|
try{
|
|
|
|
if(!$db->exists_user())
|
|
return 0;
|
|
return 1;
|
|
}
|
|
catch(Exception $e)
|
|
{
|
|
header("X-Weave-Backoff: 1800");
|
|
report_problem($e->getMessage(), $e->getCode());
|
|
}
|
|
}
|
|
# Gets the username and password out of the http headers, and checks them against the auth
|
|
function verify_user($url_user, $db)
|
|
{
|
|
if (!$url_user || !preg_match('/^[A-Z0-9._-]+$/i', $url_user))
|
|
report_problem(WEAVE_ERROR_INVALID_USERNAME, 400);
|
|
|
|
$auth_user = array_key_exists('PHP_AUTH_USER', $_SERVER) ? $_SERVER['PHP_AUTH_USER'] : null;
|
|
$auth_pw = array_key_exists('PHP_AUTH_PW', $_SERVER) ? $_SERVER['PHP_AUTH_PW'] : null;
|
|
|
|
if (is_null($auth_user) || is_null($auth_pw))
|
|
{
|
|
/* CGI/FCGI auth workarounds */
|
|
$auth_str = null;
|
|
if (array_key_exists('Authorization', $_SERVER))
|
|
/* Standard fastcgi configuration */
|
|
$auth_str = $_SERVER['Authorization'];
|
|
else if (array_key_exists('AUTHORIZATION', $_SERVER))
|
|
/* Alternate fastcgi configuration */
|
|
$auth_str = $_SERVER['AUTHORIZATION'];
|
|
else if (array_key_exists('HTTP_AUTHORIZATION', $_SERVER))
|
|
/* IIS/ISAPI and newer (yet to be released) fastcgi */
|
|
$auth_str = $_SERVER['HTTP_AUTHORIZATION'];
|
|
else if (array_key_exists('REDIRECT_HTTP_AUTHORIZATION', $_SERVER))
|
|
/* mod_rewrite - per-directory internal redirect */
|
|
$auth_str = $_SERVER['REDIRECT_HTTP_AUTHORIZATION'];
|
|
if (!is_null($auth_str))
|
|
{
|
|
/* Basic base64 auth string */
|
|
if (preg_match('/Basic\s+(.*)$/', $auth_str))
|
|
{
|
|
$auth_str = substr($auth_str, 6);
|
|
$auth_str = base64_decode($auth_str, true);
|
|
if ($auth_str != FALSE) {
|
|
$tmp = explode(':', $auth_str);
|
|
if (count($tmp) == 2)
|
|
{
|
|
$auth_user = $tmp[0];
|
|
$auth_pw = $tmp[1];
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
if ( ! $auth_user || ! $auth_pw) #do this first to avoid the cryptic error message if auth is missing
|
|
{
|
|
log_error("Auth failed 1 {");
|
|
log_error(" User pw: ". $auth_user ." | ". $auth_pw);
|
|
log_error(" Url_user: ". $url_user);
|
|
log_error("}");
|
|
report_problem('Authentication failed', '401');
|
|
}
|
|
$url_user = strtolower($url_user);
|
|
if (strtolower($auth_user) != $url_user)
|
|
{
|
|
log_error("(140) Missmatch:".strtolower($auth_user)."|".$url_user);
|
|
report_problem(WEAVE_ERROR_USERID_PATH_MISMATCH, 400);
|
|
}
|
|
|
|
try
|
|
{
|
|
$existingHash = $db->get_password_hash();
|
|
$hash = WeaveHashFactory::factory();
|
|
|
|
if ( ! $hash->verify(fix_utf8_encoding($auth_pw), $existingHash) )
|
|
{
|
|
log_error("Auth failed 2 {");
|
|
log_error(" User pw: ". $auth_user ."|".$auth_pw ."|md5:". md5($auth_pw) ."|fix:". fix_utf8_encoding($auth_pw) ."|fix md5 ". md5(fix_utf8_encoding($auth_pw)));
|
|
log_error(" Url_user: ".$url_user);
|
|
log_error(" Existing hash: ".$existingHash);
|
|
log_error("}");
|
|
report_problem('Authentication failed', '401');
|
|
} else {
|
|
if ( $hash->needsUpdate($existingHash) ) {
|
|
$db->change_password($hash->hash(fix_utf8_encoding($auth_pw)));
|
|
}
|
|
}
|
|
}
|
|
catch(Exception $e)
|
|
{
|
|
header("X-Weave-Backoff: 1800");
|
|
log_error($e->getMessage(), $e->getCode());
|
|
report_problem($e->getMessage(), $e->getCode());
|
|
}
|
|
// Login success - record login time
|
|
$db->store_user_login($auth_user);
|
|
return true;
|
|
}
|
|
|
|
function check_quota(&$db)
|
|
{
|
|
// Checks the quota and if over limit, returns "over quota" to the user.
|
|
$auth_user = array_key_exists('PHP_AUTH_USER', $_SERVER) ? $_SERVER['PHP_AUTH_USER'] : null;
|
|
try {
|
|
$quota_used = $db->get_storage_total();
|
|
// log_quota("Debug quota: ".$auth_user." @ ".$quota_used." KB.");
|
|
} catch (Exception $e) {
|
|
log_error($e->getMessage(), $e->getCode());
|
|
}
|
|
|
|
if ((defined("MINQUOTA") && MINQUOTA) && (defined("MAXQUOTA") && MAXQUOTA)) {
|
|
if ($quota_used > MINQUOTA && $quota_used <= MAXQUOTA) {
|
|
// Inform the sync client they are nearing the quota
|
|
$quota_remaining = (MAXQUOTA - $quota_used);
|
|
$quota_remaining_bytes = $quota_remaining * 1024;
|
|
header("X-Weave-Quota-Remaining: ".$quota_remaining_bytes);
|
|
|
|
log_quota(date("Y-m-d H:i:s")." Nearing quota: ".$auth_user." - ".$quota_remaining." KB remaining.");
|
|
if (defined(MINQUOTA_LOG_ERROR_OVER_QUOTA_ENABLE) && MINQUOTA_LOG_ERROR_OVER_QUOTA_ENABLE) {
|
|
log_error("Quota warning issued: ".$quota_used."/".MAXQUOTA." KB used.");
|
|
}
|
|
}
|
|
if ($quota_used > MAXQUOTA) {
|
|
log_quota(date("Y-m-d H:i:s")." [!!] Over quota: ".$auth_user." @ ".$quota_used." KB.");
|
|
// HTTP 400 with body error code 14 means over quota.
|
|
report_problem(WEAVE_ERROR_OVER_QUOTA, 400);
|
|
}
|
|
}
|
|
}
|
|
|
|
function check_timestamp($collection, &$db)
|
|
{
|
|
if (array_key_exists('HTTP_X_IF_UNMODIFIED_SINCE', $_SERVER)
|
|
&& $db->get_max_timestamp($collection) > $_SERVER['HTTP_X_IF_UNMODIFIED_SINCE'])
|
|
report_problem(WEAVE_ERROR_NO_OVERWRITE, 412);
|
|
}
|
|
|
|
function validate_search_params()
|
|
{
|
|
$params = array();
|
|
$params['parentid'] = (array_key_exists('parentid', $_GET) && mb_strlen($_GET['parentid'], '8bit') <= 64 && strpos($_GET['parentid'], '/') === false) ? $_GET['parentid'] : null;
|
|
$params['predecessorid'] = (array_key_exists('predecessorid', $_GET) && mb_strlen($_GET['predecessorid'], '8bit') <= 64 && strpos($_GET['predecessorid'], '/') === false) ? $_GET['predecessorid'] : null;
|
|
|
|
$params['newer'] = (array_key_exists('newer', $_GET) && is_numeric($_GET['newer'])) ? round($_GET['newer'],2) : null;
|
|
$params['older'] = (array_key_exists('older', $_GET) && is_numeric($_GET['older'])) ? round($_GET['older'],2) : null;
|
|
|
|
$params['sort'] = (array_key_exists('sort', $_GET) && ($_GET['sort'] == 'oldest' || $_GET['sort'] == 'newest' || $_GET['sort'] == 'index')) ? $_GET['sort'] : null;
|
|
$params['limit'] = (array_key_exists('limit', $_GET) && is_numeric($_GET['limit']) && $_GET['limit'] > 0) ? (int)$_GET['limit'] : null;
|
|
$params['offset'] = (array_key_exists('offset', $_GET) && is_numeric($_GET['offset']) && $_GET['offset'] > 0) ? (int)$_GET['offset'] : null;
|
|
|
|
$params['ids'] = null;
|
|
if (array_key_exists('ids', $_GET))
|
|
{
|
|
$params['ids'] = array();
|
|
foreach(explode(',', $_GET['ids']) as $id)
|
|
{
|
|
if (mb_strlen($id, '8bit') <= 64 && strpos($id, '/') === false)
|
|
$params['ids'][] = $id;
|
|
}
|
|
}
|
|
|
|
$params['index_above'] = (array_key_exists('index_above', $_GET) && is_numeric($_GET['index_above']) && $_GET['index_above'] > 0) ? (int)$_GET['index_above'] : null;
|
|
$params['index_below'] = (array_key_exists('index_below', $_GET) && is_numeric($_GET['index_below']) && $_GET['index_below'] > 0) ? (int)$_GET['index_below'] : null;
|
|
$params['depth'] = (array_key_exists('depth', $_GET) && is_numeric($_GET['depth']) && $_GET['depth'] > 0) ? (int)$_GET['depth'] : null;
|
|
|
|
return $params;
|
|
}
|
|
|
|
?>
|