/////////////////////////////////////////////////
// PukiWiki - Yet another WikiWikiWeb clone.
//
-// $Id: init.php,v 1.77 2004/06/27 11:15:51 henoheno Exp $
+// $Id: init.php,v 1.92 2004/07/23 14:38:33 henoheno Exp $
//
/////////////////////////////////////////////////
// ½é´üÀßÄê (¥¨¥é¡¼½ÐÎÏ¥ì¥Ù¥ë)
-// (E_WARNING | E_NOTICE)¤ò½ü³°¤·¤Æ¤¤¤Þ¤¹¡£
-error_reporting(E_ERROR | E_PARSE);
+error_reporting(E_ERROR | E_PARSE); // (E_WARNING | E_NOTICE)¤ò½ü³°¤·¤Æ¤¤¤Þ¤¹
+//error_reporting(E_ALL);
/////////////////////////////////////////////////
// ½é´üÀßÄê (ʸ»ú¥¨¥ó¥³¡¼¥É¡¢¸À¸ì)
mb_http_output('pass');
mb_detect_order('auto');
-
/////////////////////////////////////////////////
// ½é´üÀßÄê(ÀßÄê¥Õ¥¡¥¤¥ë¤Î¾ì½ê)
-define('LANG_FILE', LANG.'.lng');
-define('INI_FILE','./pukiwiki.ini.php');
+define('LANG_FILE', DATA_HOME . LANG . '.lng');
+define('INI_FILE', DATA_HOME . './pukiwiki.ini.php');
/////////////////////////////////////////////////
// ½é´üÀßÄê (¥Ð¡¼¥¸¥ç¥ó/Ãøºî¸¢)
/////////////////////////////////////////////////
// ½é´üÀßÄê (¥µ¡¼¥ÐÊÑ¿ô)
-foreach (array('HTTP_USER_AGENT','PHP_SELF','SERVER_NAME','SERVER_SOFTWARE','SERVER_ADMIN') as $key) {
- define($key,array_key_exists($key,$_SERVER) ? $_SERVER[$key] : '');
+foreach (array('SCRIPT_NAME', 'SERVER_ADMIN', 'SERVER_NAME',
+ 'SERVER_PORT', 'SERVER_SOFTWARE') as $key) {
+ define($key, isset($_SERVER[$key]) ? $_SERVER[$key] : '');
+ unset(${$key}, $_SERVER[$key], $HTTP_SERVER_VARS[$key]);
}
/////////////////////////////////////////////////
// ½é´üÀßÄê (¥°¥í¡¼¥Ð¥ëÊÑ¿ô)
-// ¥µ¡¼¥Ð¤«¤éÍè¤ëÊÑ¿ô
-$vars = array();
+
// µÓÃí
$foot_explain = array();
// ´ØÏ¢¤¹¤ë¥Ú¡¼¥¸
/////////////////////////////////////////////////
// ¥Õ¥¡¥¤¥ëÆɤ߹þ¤ß
-$die = FALSE; $message = '';
+$die = '';
foreach(array('LANG_FILE', 'INI_FILE') as $file){
if (!file_exists(constant($file)) || !is_readable(constant($file))) {
- $die = TRUE;
- $message = "${message}File is not found. ($file)\n";
+ $die = "${die}File is not found. ($file)\n";
} else {
require(constant($file));
}
}
-if ($die) { die_message(nl2br("\n\n" . $message . "\n")); }
+if ($die) { die_message(nl2br("\n\n" . $die)); }
/////////////////////////////////////////////////
// INI_FILE: $script: ½é´üÀßÄê
if (!isset($script) or $script == '') {
$script = get_script_uri();
if ($script === FALSE or (php_sapi_name() == 'cgi' and !is_url($script,TRUE))) {
- die_message("get_script_uri() failed: Please set \$script at INI_FILE manually.");
+ die_message('get_script_uri() failed: Please set $script at INI_FILE manually.');
}
}
/////////////////////////////////////////////////
-// INI_FILE: $agents: UserAgentÊ̤ÎÀßÄê¥Õ¥¡¥¤¥ëÆɤ߹þ¤ß
+// INI_FILE: $agents: UserAgent¤Î¼±ÊÌ
+
+$ua = 'HTTP_USER_AGENT';
+$user_agent = $matches = array();
+
+$user_agent['agent'] = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
+unset(${$ua}, $_SERVER[$ua], $HTTP_SERVER_VARS[$ua], $ua); // safety
+
foreach ($agents as $agent) {
- if (preg_match($agent['pattern'],HTTP_USER_AGENT,$matches)) {
- $agent['matches'] = $matches;
- $user_agent = $agent;
+ if (preg_match($agent['pattern'], $user_agent['agent'], $matches)) {
+ $user_agent['profile'] = isset($agent['profile']) ? $agent['profile'] : '';
+ $user_agent['name'] = isset($matches[1]) ? $matches[1] : ''; // device or browser name
+ $user_agent['vers'] = isset($matches[2]) ? $matches[2] : ''; // 's version
break;
}
}
+unset($agents, $matches);
+
+// Profile-related init and setting
+define('UA_PROFILE', isset($user_agent['profile']) ? $user_agent['profile'] : '');
-define('UA_INI_FILE' ,$user_agent['name'] . '.ini.php');
+//// Not needed now
+// define('INI_PRO_FILE', SUB_DIR . 'init.' . UA_PROFILE . '.php');
+// if (file_exists(INI_PRO_FILE) && is_readable(INI_PRO_FILE)) {
+// require(INI_PRO_FILE); // A chance to set or rewrite $user_agent['name'] and ['vers'] automatically
+// }
+
+define('UA_INI_FILE', UA_PROFILE . '.ini.php');
if (!file_exists(UA_INI_FILE) || !is_readable(UA_INI_FILE)) {
- die_message("UA_INI_FILE not found.");
+ die_message('UA_INI_FILE for "' . UA_PROFILE . '" not found.');
+} else {
+ require(UA_INI_FILE); // Also manually
}
-require(UA_INI_FILE);
+
+define('UA_NAME', isset($user_agent['name']) ? $user_agent['name'] : '');
+define('UA_VERS', isset($user_agent['vers']) ? $user_agent['vers'] : '');
+unset($user_agent); // Unset after reading UA_INI_FILE
/////////////////////////////////////////////////
// ¥Ç¥£¥ì¥¯¥È¥ê¤Î¥Á¥§¥Ã¥¯
-$die = FALSE; $message = $temp = '';
+$die = '';
foreach(array('DATA_DIR', 'DIFF_DIR', 'BACKUP_DIR', 'CACHE_DIR') as $dir){
if(!is_writable(constant($dir))) {
- $die = TRUE;
- $temp = "${temp}Directory is not found or not writable ($dir)\n";
+ $die = "${die}Directory is not found or not writable ($dir)\n";
}
}
-if ($temp) { $message = "$temp\n"; }
// ÀßÄê¥Õ¥¡¥¤¥ë¤ÎÊÑ¿ô¥Á¥§¥Ã¥¯
$temp = '';
if (!isset(${$var})) { $temp .= "\$$var\n"; }
}
if ($temp) {
- $die = TRUE;
- $message = "${message}Variable(s) not found: (Maybe the old *.ini.php?)\n" . $temp . "\n";
+ if ($die) { $die .= "\n"; } // A breath
+ $die = "${die}Variable(s) not found: (Maybe the old *.ini.php?)\n" . $temp;
}
$temp = '';
if (!defined($def)) $temp .= "$def\n";
}
if ($temp) {
- $die = TRUE;
- $message = "${message}Define(s) not found: (Maybe the old *.ini.php?)\n" . $temp . "\n";
+ if ($die) { $die .= "\n"; } // A breath
+ $die = "${die}Define(s) not found: (Maybe the old *.ini.php?)\n" . $temp;
}
-if($die){ die_message(nl2br("\n\n" . $message)); }
+if($die){ die_message(nl2br("\n\n" . $die)); }
+unset($die, $temp);
/////////////////////////////////////////////////
// ɬ¿Ü¤Î¥Ú¡¼¥¸¤¬Â¸ºß¤·¤Ê¤±¤ì¤Ð¡¢¶õ¤Î¥Õ¥¡¥¤¥ë¤òºîÀ®¤¹¤ë
-$pages = array($defaultpage, $whatsnew, $interwiki);
-foreach($pages as $page){
+
+foreach(array($defaultpage, $whatsnew, $interwiki) as $page){
if (!is_page($page)) { touch(get_filename($page)); }
}
/////////////////////////////////////////////////
-// ³°Éô¤«¤é¤¯¤ëÊÑ¿ô¤ò¥µ¥Ë¥¿¥¤¥º
-$get = sanitize($_GET);
-$post = sanitize($_POST);
-$cookie = sanitize($_COOKIE);
+// ³°Éô¤«¤é¤¯¤ëÊÑ¿ô¤ò¥Á¥§¥Ã¥¯
+
+// Prohibit $_GET attack
+foreach (array('msg', 'pass') as $key) {
+ if (isset($_GET[$key])) die_message("Sorry, already reserved: $key=");
+}
+
+$_GET = input_filter($_GET); $get = & $_GET;
+$_POST = input_filter($_POST); $post = & $_POST;
+$_COOKIE = input_filter($_COOKIE); $cookie = & $_COOKIE;
+
+// Expire risk
+unset($HTTP_GET_VARS, $HTTP_POST_VARS); //, 'SERVER', 'ENV', 'SESSION', ...
/////////////////////////////////////////////////
// ʸ»ú¥³¡¼¥É¤òÊÑ´¹
// <form> ¤ÇÁ÷¿®¤µ¤ì¤¿Ê¸»ú (¥Ö¥é¥¦¥¶¤¬¥¨¥ó¥³¡¼¥É¤·¤¿¥Ç¡¼¥¿) ¤Î¥³¡¼¥É¤òÊÑ´¹
// post ¤Ï¾ï¤Ë <form> ¤Ê¤Î¤Ç¡¢É¬¤ºÊÑ´¹
-if (array_key_exists('encode_hint',$post))
+if (isset($post['encode_hint']) && $post['encode_hint'] != '')
{
- // html.php ¤ÎÃæ¤Ç¡¢<form> ¤Ë encode_hint ¤ò»Å¹þ¤ó¤Ç¤¤¤ë¤Î¤Ç¡¢É¬¤º encode_hint ¤¬¤¢¤ë¤Ï¤º¡£
- // encode_hint ¤ΤߤòÍѤ¤¤Æ¥³¡¼¥É¸¡½Ð¤¹¤ë¡£
- // Á´ÂΤò¸«¤Æ¥³¡¼¥É¸¡½Ð¤¹¤ë¤È¡¢µ¡¼ï°Í¸ʸ»ú¤ä¡¢Ì¯¤Ê¥Ð¥¤¥Ê¥ê¥³¡¼¥É¤¬º®Æþ¤·¤¿¾ì¹ç¤Ë¡¢
- // ¥³¡¼¥É¸¡½Ð¤Ë¼ºÇÔ¤¹¤ë¶²¤ì¤¬¤¢¤ë¤¿¤á¡£
+ // html.php ¤ÎÃæ¤Ç¡¢<form> ¤Ë encode_hint ¤ò»Å¹þ¤ó¤Ç¤¤¤ë¤Î¤Ç¡¢
+ // encode_hint ¤òÍѤ¤¤Æ¥³¡¼¥É¸¡½Ð¤¹¤ë¡£
+ // Á´ÂΤò¸«¤Æ¥³¡¼¥É¸¡½Ð¤¹¤ë¤È¡¢µ¡¼ï°Í¸ʸ»ú¤ä¡¢Ì¯¤Ê¥Ð¥¤¥Ê¥ê
+ // ¥³¡¼¥É¤¬º®Æþ¤·¤¿¾ì¹ç¤Ë¡¢¥³¡¼¥É¸¡½Ð¤Ë¼ºÇÔ¤¹¤ë¶²¤ì¤¬¤¢¤ë¡£
$encode = mb_detect_encoding($post['encode_hint']);
- mb_convert_variables(SOURCE_ENCODING,$encode,$post);
+ mb_convert_variables(SOURCE_ENCODING, $encode, $post);
+ mb_convert_variables(SOURCE_ENCODING, $encode, $vars);
}
-else if (array_key_exists('charset',$post))
+else if (isset($post['charset']) && $post['charset'] != '')
{
// TrackBack Ping¤Ë´Þ¤Þ¤ì¤Æ¤¤¤ë¤³¤È¤¬¤¢¤ë
// »ØÄꤵ¤ì¤¿¾ì¹ç¤Ï¡¢¤½¤ÎÆâÍƤÇÊÑ´¹¤ò»î¤ß¤ë
- if (mb_convert_variables(SOURCE_ENCODING,$post['charset'],$post) !== $post['charset'])
- {
- // ¤¦¤Þ¤¯¤¤¤«¤Ê¤«¤Ã¤¿¾ì¹ç¤Ï¥³¡¼¥É¸¡½Ð¤ÎÀßÄê¤ÇÊÑ´¹¤·¤Ê¤ª¤·
- mb_convert_variables(SOURCE_ENCODING,'auto',$post);
- }
+ // ¤¦¤Þ¤¯¤¤¤«¤Ê¤«¤Ã¤¿¾ì¹ç¤Ï¥³¡¼¥É¸¡½Ð¤ÎÀßÄê¤ÇÊÑ´¹¤·¤Ê¤ª¤·
+ if (mb_convert_variables(SOURCE_ENCODING, $post['charset'], $post) !== $post['charset'])
+ mb_convert_variables(SOURCE_ENCODING, 'auto', $post);
+
+ if (mb_convert_variables(SOURCE_ENCODING, $vars['charset'], $vars) !== $vars['charset'])
+ mb_convert_variables(SOURCE_ENCODING, 'auto', $vars);
}
else if (count($post) > 0)
{
- // encode_hint ¤¬Ìµ¤¤¤È¤¤¤¦¤³¤È¤Ï¡¢Ìµ¤¤¤Ï¤º¡£
// ¥Ç¥Ð¥Ã¥°ÍѤˡ¢¼è¤ê¤¢¤¨¤º¡¢·Ù¹ð¥á¥Ã¥»¡¼¥¸¤ò½Ð¤·¤Æ¤ª¤¤Þ¤¹¡£
-// echo "<p>Warning: 'encode_hint' field is not found in the posted data.</p>\n";
+ // echo "<p>Warning: 'encode_hint' field is not found in the posted data.</p>\n";
+
// Á´Éô¤Þ¤È¤á¤Æ¡¢¥³¡¼¥É¸¡½Ð¡¢ÊÑ´¹
- mb_convert_variables(SOURCE_ENCODING,'auto',$post);
+ mb_convert_variables(SOURCE_ENCODING, 'auto', $post);
+ mb_convert_variables(SOURCE_ENCODING, 'auto', $vars);
}
// get ¤Ï <form> ¤«¤é¤Î¾ì¹ç¤È¡¢<a href="http;//script/?query> ¤Î¾ì¹ç¤¬¤¢¤ë
-if (array_key_exists('encode_hint',$get))
+if (isset($get['encode_hint']) && $get['encode_hint'] != '')
{
// <form> ¤Î¾ì¹ç¤Ï¡¢¥Ö¥é¥¦¥¶¤¬¥¨¥ó¥³¡¼¥É¤·¤Æ¤¤¤ë¤Î¤Ç¡¢¥³¡¼¥É¸¡½Ð¡¦ÊÑ´¹¤¬É¬Íס£
// encode_hint ¤¬´Þ¤Þ¤ì¤Æ¤¤¤ë¤Ï¤º¤Ê¤Î¤Ç¡¢¤½¤ì¤ò¸«¤Æ¡¢¥³¡¼¥É¸¡½Ð¤·¤¿¸å¡¢ÊÑ´¹¤¹¤ë¡£
// Íýͳ¤Ï¡¢post ¤ÈƱÍÍ
$encode = mb_detect_encoding($get['encode_hint']);
- mb_convert_variables(SOURCE_ENCODING,$encode,$get);
+ mb_convert_variables(SOURCE_ENCODING, $encode, $get);
}
// <a href...> ¤Î¾ì¹ç¤Ï¡¢¥µ¡¼¥Ð¡¼¤¬ rawurlencode ¤·¤Æ¤¤¤ë¤Î¤Ç¡¢¥³¡¼¥ÉÊÑ´¹¤ÏÉÔÍ×
// cmd¤âplugin¤â»ØÄꤵ¤ì¤Æ¤¤¤Ê¤¤¾ì¹ç¤Ï¡¢QUERY_STRING¤ò¥Ú¡¼¥¸Ì¾¤«InterWikiName¤Ç¤¢¤ë¤È¤ß¤Ê¤¹°Ù
// ¤Þ¤¿¡¢URI ¤ò urlencode ¤»¤º¤Ë¼êÂǤÁ¤ÇÆþÎϤ·¤¿¾ì¹ç¤ËÂн褹¤ë°Ù
$arg = '';
-if (array_key_exists('QUERY_STRING',$_SERVER) and $_SERVER['QUERY_STRING'] != '')
-{
+if (isset($_SERVER['QUERY_STRING']) && $_SERVER['QUERY_STRING']) {
$arg = $_SERVER['QUERY_STRING'];
-}
-else if (array_key_exists('argv',$_SERVER) and count($_SERVER['argv']))
-{
+} else if (isset($_SERVER['argv']) && count($_SERVER['argv'])) {
$arg = $_SERVER['argv'][0];
}
+// \0 ½üµî
+$arg = input_filter($arg);
-// ¥µ¥Ë¥¿¥¤¥º (\0 ½üµî)
-$arg = sanitize($arg);
+// unset QUERY_STRINGs
+foreach (array('QUERY_STRING', 'argv', 'argc') as $key) {
+ unset(${$key}, $_SERVER[$key], $HTTP_SERVER_VARS[$key]);
+}
+// $_SERVER['REQUEST_URI'] is used by func.php NOW
+unset($REQUEST_URI, $HTTP_SERVER_VARS['REQUEST_URI']);
// URI ¼êÂǤξì¹ç¡¢¥³¡¼¥ÉÊÑ´¹¤·¡¢get[] ¤Ë¾å½ñ¤
// mb_convert_variables¤Î¥Ð¥°(?)Âкö ÇÛÎó¤ÇÅϤµ¤Ê¤¤¤ÈÍî¤Á¤ë
$arg = array($arg);
-mb_convert_variables(SOURCE_ENCODING,'auto',$arg);
+mb_convert_variables(SOURCE_ENCODING, 'auto', $arg);
$arg = $arg[0];
-foreach (explode('&',$arg) as $tmp_string)
+$matches = array();
+foreach (explode('&', $arg) as $tmp_string)
{
- if (preg_match('/^([^=]+)=(.+)/',$tmp_string,$matches)
+ if (preg_match('/^([^=]+)=(.+)/', $tmp_string, $matches)
and mb_detect_encoding($matches[2]) != 'ASCII')
{
$get[$matches[1]] = $matches[2];
}
}
+unset($matches);
/////////////////////////////////////////////////
// GET + POST = $vars
-$vars = array_merge($post,$get);
+$_REQUEST = input_filter($_REQUEST);
+$vars = & $_REQUEST;
// ÆþÎÏ¥Á¥§¥Ã¥¯: cmd, plugin ¤Îʸ»úÎó¤Ï±Ñ¿ô»ú°Ê³°¤¢¤ê¤¨¤Ê¤¤
foreach(array('cmd', 'plugin') as $var){
}
// À°·Á: msg, ²þ¹Ô¤ò¼è¤ê½ü¤¯
-if (!empty($vars['msg'])) {
+if (isset($vars['msg'])) {
$get['msg'] = $post['msg'] = $vars['msg'] = str_replace("\r",'',$vars['msg']);
}
}
$arg = rawurldecode($arg);
$arg = strip_bracket($arg);
- $arg = sanitize($arg);
+ $arg = input_filter($arg);
$get['cmd'] = $post['cmd'] = $vars['cmd'] = 'read';
$get['page'] = $post['page'] = $vars['page'] = $arg;
}
+// ÆþÎÏ¥Á¥§¥Ã¥¯: 'cmd=' prohibits nasty 'plugin='
+if (isset($vars['cmd']) && isset($vars['plugin']))
+ unset($get['plugin'], $post['plugin'], $vars['plugin']);
+
+
/////////////////////////////////////////////////
// ½é´üÀßÄê($WikiName,$BracketName¤Ê¤É)
// $WikiName = '[A-Z][a-z]+(?:[A-Z][a-z]+)+';
/////////////////////////////////////////////////
// ½é´üÀßÄê(¥æ¡¼¥¶ÄêµÁ¥ë¡¼¥ëÆɤ߹þ¤ß)
-require('rules.ini.php');
+require(DATA_HOME . 'rules.ini.php');
/////////////////////////////////////////////////
// ½é´üÀßÄê(¤½¤Î¾¤Î¥°¥í¡¼¥Ð¥ëÊÑ¿ô)