123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329 |
- <?php
- # ***** BEGIN LICENSE BLOCK *****
- # Version: MPL 1.1/GPL 2.0/LGPL 2.1
- #
- # The contents of this file are subject to the Mozilla Public License Version
- # 1.1 (the "License"); you may not use this file except in compliance with
- # the License. You may obtain a copy of the License at
- # http://www.mozilla.org/MPL/
- #
- # Software distributed under the License is distributed on an "AS IS" basis,
- # WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- # for the specific language governing rights and limitations under the
- # License.
- #
- # The Initial Developer of the Original Code is balu
- #
- # Portions created by the Initial Developer are Copyright (C) 2012
- # the Initial Developer. All Rights Reserved.
- #
- # Contributor(s):
- # Daniel Triendl <daniel@pew.cc>
- # Mark Straver <moonchild@palemoon.org>
- # Christian Wittmer <chris@computersalat.de>
- #
- # Alternatively, the contents of this file may be used under the terms of
- # either the GNU General Public License Version 2 or later (the "GPL"), or
- # the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- # in which case the provisions of the GPL or the LGPL are applicable instead
- # of those above. If you wish to allow use of your version of this file only
- # under the terms of either the GPL or the LGPL, and not to allow others to
- # use your version of this file under the terms of the MPL, indicate your
- # decision by deleting the provisions above and replace them with the notice
- # and other provisions required by the GPL or the LGPL. If you do not delete
- # the provisions above, a recipient may use your version of this file under
- # the terms of any one of the MPL, the GPL or the LGPL.
- #
- # ***** END LICENSE BLOCK *****
- #Error constants
- define ('WEAVE_ERROR_INVALID_PROTOCOL', 1);
- define ('WEAVE_ERROR_INCORRECT_CAPTCHA', 2);
- define ('WEAVE_ERROR_INVALID_USERNAME', 3);
- define ('WEAVE_ERROR_NO_OVERWRITE', 4);
- define ('WEAVE_ERROR_USERID_PATH_MISMATCH', 5);
- define ('WEAVE_ERROR_JSON_PARSE', 6);
- define ('WEAVE_ERROR_MISSING_PASSWORD', 7);
- define ('WEAVE_ERROR_INVALID_WBO', 8);
- define ('WEAVE_ERROR_BAD_PASSWORD_STRENGTH', 9);
- define ('WEAVE_ERROR_INVALID_RESET_CODE', 10);
- define ('WEAVE_ERROR_FUNCTION_NOT_SUPPORTED', 11);
- define ('WEAVE_ERROR_NO_EMAIL', 12);
- define ('WEAVE_ERROR_INVALID_COLLECTION', 13);
- define ('WEAVE_ERROR_OVER_QUOTA', 14);
- define ('LOG_THE_ERROR', 0);
- define ('LOG_QUOTAS', 0);
- function log_quota($msg)
- {
- if ( LOG_QUOTAS == 1 )
- {
- $datei = fopen("/tmp/FSyncMS-quota.log","a");
- // $fmsg = sprintf("$msg\n");
- fputs($datei,"$msg\n");
- // fputs($datei,"Server ".print_r( $_SERVER, true));
- fclose($datei);
- }
- }
- function log_error($msg)
- {
- if ( LOG_THE_ERROR == 1 )
- {
- $datei = fopen("/tmp/FSyncMS-error.txt","a");
- // $fmsg = sprintf("$msg\n");
- fputs($datei,"$msg\n");
- // fputs($datei,"Server ".print_r( $_SERVER, true));
- fclose($datei);
- }
- }
-
- function report_problem($message, $code = 503)
- {
- $headers = array('400' => '400 Bad Request',
- '401' => '401 Unauthorized',
- '403' => '403 Forbidden',
- '404' => '404 Not Found',
- '412' => '412 Precondition Failed',
- '503' => '503 Service Unavailable');
- header('HTTP/1.1 ' . $headers{$code},true,$code);
-
- if ($code == 401)
- {
- header('WWW-Authenticate: Basic realm="Weave"');
- }
- log_error($message);
- exit(json_encode($message));
- }
-
-
- function fix_utf8_encoding($string)
- {
- if(mb_detect_encoding($string . " ", 'UTF-8,ISO-8859-1') == 'UTF-8')
- return $string;
- else
- return utf8_encode($string);
- }
-
- function get_phpinput()
- {
- #stupid php being helpful with input data...
- $putdata = fopen("php://input", "r");
- $string = '';
- while ($data = fread($putdata,2048)) {$string .= $data;} //hier will man ein limit einbauen
- return $string;
- }
- function get_json()
- {
- $jsonstring = get_phpinput();
- $json = json_decode(fix_utf8_encoding($jsonstring), true);
- if ($json === null)
- report_problem(WEAVE_ERROR_JSON_PARSE, 400);
-
- return $json;
- }
- function validate_username($username)
- {
- if (!$username)
- return false;
-
- if (strlen($username) > 32)
- return false;
-
- return preg_match('/[^A-Z0-9._-]/i', $username) ? false : true;
- }
-
- function validate_collection($collection)
- {
- if (!$collection)
- return false;
-
- if (strlen($collection) > 32)
- return false;
- // allow characters '?' and '=' in the collection string which e.g.
- // appear if the following request is send from firefox:
- // http://<server>/weave/1.1/<user>/storage/clients?full=1
- return preg_match('/[^A-Z0-9?=._-]/i', $collection) ? false : true;
- }
-
- #user exitsts
- function exists_user( $db)
- {
- #$user = strtolower($user);
- try{
- if(!$db->exists_user())
- return 0;
- return 1;
- }
- catch(Exception $e)
- {
- header("X-Weave-Backoff: 1800");
- report_problem($e->getMessage(), $e->getCode());
- }
- }
- # Gets the username and password out of the http headers, and checks them against the auth
- function verify_user($url_user, $db)
- {
- if (!$url_user || !preg_match('/^[A-Z0-9._-]+$/i', $url_user))
- report_problem(WEAVE_ERROR_INVALID_USERNAME, 400);
- $auth_user = array_key_exists('PHP_AUTH_USER', $_SERVER) ? $_SERVER['PHP_AUTH_USER'] : null;
- $auth_pw = array_key_exists('PHP_AUTH_PW', $_SERVER) ? $_SERVER['PHP_AUTH_PW'] : null;
- if (is_null($auth_user) || is_null($auth_pw))
- {
- /* CGI/FCGI auth workarounds */
- $auth_str = null;
- if (array_key_exists('Authorization', $_SERVER))
- /* Standard fastcgi configuration */
- $auth_str = $_SERVER['Authorization'];
- else if (array_key_exists('AUTHORIZATION', $_SERVER))
- /* Alternate fastcgi configuration */
- $auth_str = $_SERVER['AUTHORIZATION'];
- else if (array_key_exists('HTTP_AUTHORIZATION', $_SERVER))
- /* IIS/ISAPI and newer (yet to be released) fastcgi */
- $auth_str = $_SERVER['HTTP_AUTHORIZATION'];
- else if (array_key_exists('REDIRECT_HTTP_AUTHORIZATION', $_SERVER))
- /* mod_rewrite - per-directory internal redirect */
- $auth_str = $_SERVER['REDIRECT_HTTP_AUTHORIZATION'];
- if (!is_null($auth_str))
- {
- /* Basic base64 auth string */
- if (preg_match('/Basic\s+(.*)$/', $auth_str))
- {
- $auth_str = substr($auth_str, 6);
- $auth_str = base64_decode($auth_str, true);
- if ($auth_str != FALSE) {
- $tmp = explode(':', $auth_str);
- if (count($tmp) == 2)
- {
- $auth_user = $tmp[0];
- $auth_pw = $tmp[1];
- }
- }
- }
- }
- }
- if ( ! $auth_user || ! $auth_pw) #do this first to avoid the cryptic error message if auth is missing
- {
- log_error("Auth failed 1 {");
- log_error(" User pw: ". $auth_user ." | ". $auth_pw);
- log_error(" Url_user: ". $url_user);
- log_error("}");
- report_problem('Authentication failed', '401');
- }
- $url_user = strtolower($url_user);
- if (strtolower($auth_user) != $url_user)
- {
- log_error("(140) Missmatch:".strtolower($auth_user)."|".$url_user);
- report_problem(WEAVE_ERROR_USERID_PATH_MISMATCH, 400);
- }
- try
- {
- $existingHash = $db->get_password_hash();
- $hash = WeaveHashFactory::factory();
-
- if ( ! $hash->verify(fix_utf8_encoding($auth_pw), $existingHash) )
- {
- log_error("Auth failed 2 {");
- log_error(" User pw: ". $auth_user ."|".$auth_pw ."|md5:". md5($auth_pw) ."|fix:". fix_utf8_encoding($auth_pw) ."|fix md5 ". md5(fix_utf8_encoding($auth_pw)));
- log_error(" Url_user: ".$url_user);
- log_error(" Existing hash: ".$existingHash);
- log_error("}");
- report_problem('Authentication failed', '401');
- } else {
- if ( $hash->needsUpdate($existingHash) ) {
- $db->change_password($hash->hash(fix_utf8_encoding($auth_pw)));
- }
- }
- }
- catch(Exception $e)
- {
- header("X-Weave-Backoff: 1800");
- log_error($e->getMessage(), $e->getCode());
- report_problem($e->getMessage(), $e->getCode());
- }
- // Login success - record login time
- $db->store_user_login($auth_user);
- return true;
- }
- function check_quota(&$db)
- {
- // Checks the quota and if over limit, returns "over quota" to the user.
- $auth_user = array_key_exists('PHP_AUTH_USER', $_SERVER) ? $_SERVER['PHP_AUTH_USER'] : null;
- try {
- $quota_used = $db->get_storage_total();
- // log_quota("Debug quota: ".$auth_user." @ ".$quota_used." KB.");
- } catch (Exception $e) {
- log_error($e->getMessage(), $e->getCode());
- }
- if ((defined("MINQUOTA") && MINQUOTA) && (defined("MAXQUOTA") && MAXQUOTA)) {
- if ($quota_used > MINQUOTA && $quota_used <= MAXQUOTA) {
- // Inform the sync client they are nearing the quota
- $quota_remaining = (MAXQUOTA - $quota_used);
- $quota_remaining_bytes = $quota_remaining * 1024;
- header("X-Weave-Quota-Remaining: ".$quota_remaining_bytes);
-
- log_quota(date("Y-m-d H:i:s")." Nearing quota: ".$auth_user." - ".$quota_remaining." KB remaining.");
- if (defined(MINQUOTA_LOG_ERROR_OVER_QUOTA_ENABLE) && MINQUOTA_LOG_ERROR_OVER_QUOTA_ENABLE) {
- log_error("Quota warning issued: ".$quota_used."/".MAXQUOTA." KB used.");
- }
- }
- if ($quota_used > MAXQUOTA) {
- log_quota(date("Y-m-d H:i:s")." [!!] Over quota: ".$auth_user." @ ".$quota_used." KB.");
- // HTTP 400 with body error code 14 means over quota.
- report_problem(WEAVE_ERROR_OVER_QUOTA, 400);
- }
- }
- }
-
- function check_timestamp($collection, &$db)
- {
- if (array_key_exists('HTTP_X_IF_UNMODIFIED_SINCE', $_SERVER)
- && $db->get_max_timestamp($collection) > $_SERVER['HTTP_X_IF_UNMODIFIED_SINCE'])
- report_problem(WEAVE_ERROR_NO_OVERWRITE, 412);
- }
- function validate_search_params()
- {
- $params = array();
- $params['parentid'] = (array_key_exists('parentid', $_GET) && mb_strlen($_GET['parentid'], '8bit') <= 64 && strpos($_GET['parentid'], '/') === false) ? $_GET['parentid'] : null;
- $params['predecessorid'] = (array_key_exists('predecessorid', $_GET) && mb_strlen($_GET['predecessorid'], '8bit') <= 64 && strpos($_GET['predecessorid'], '/') === false) ? $_GET['predecessorid'] : null;
-
- $params['newer'] = (array_key_exists('newer', $_GET) && is_numeric($_GET['newer'])) ? round($_GET['newer'],2) : null;
- $params['older'] = (array_key_exists('older', $_GET) && is_numeric($_GET['older'])) ? round($_GET['older'],2) : null;
-
- $params['sort'] = (array_key_exists('sort', $_GET) && ($_GET['sort'] == 'oldest' || $_GET['sort'] == 'newest' || $_GET['sort'] == 'index')) ? $_GET['sort'] : null;
- $params['limit'] = (array_key_exists('limit', $_GET) && is_numeric($_GET['limit']) && $_GET['limit'] > 0) ? (int)$_GET['limit'] : null;
- $params['offset'] = (array_key_exists('offset', $_GET) && is_numeric($_GET['offset']) && $_GET['offset'] > 0) ? (int)$_GET['offset'] : null;
-
- $params['ids'] = null;
- if (array_key_exists('ids', $_GET))
- {
- $params['ids'] = array();
- foreach(explode(',', $_GET['ids']) as $id)
- {
- if (mb_strlen($id, '8bit') <= 64 && strpos($id, '/') === false)
- $params['ids'][] = $id;
- }
- }
-
- $params['index_above'] = (array_key_exists('index_above', $_GET) && is_numeric($_GET['index_above']) && $_GET['index_above'] > 0) ? (int)$_GET['index_above'] : null;
- $params['index_below'] = (array_key_exists('index_below', $_GET) && is_numeric($_GET['index_below']) && $_GET['index_below'] > 0) ? (int)$_GET['index_below'] : null;
- $params['depth'] = (array_key_exists('depth', $_GET) && is_numeric($_GET['depth']) && $_GET['depth'] > 0) ? (int)$_GET['depth'] : null;
-
- return $params;
- }
-
- ?>
|