  1. <?php
  2. /**
  3. * @file index.php
  4. * Friendica
  5. */
  6. /**
  7. * Bootstrap the application
  8. */
  9. use Friendica\App;
  10. use Friendica\Content\Nav;
  11. use Friendica\Core\Addon;
  12. use Friendica\Core\Config;
  13. use Friendica\Core\L10n;
  14. use Friendica\Core\Session;
  15. use Friendica\Core\System;
  16. use Friendica\Core\Theme;
  17. use Friendica\Core\Worker;
  18. use Friendica\Database\DBA;
  19. use Friendica\Model\Profile;
  20. use Friendica\Module\Login;
  21. require_once 'boot.php';
  22. $a = new App(__DIR__);
  23. // We assume that the index.php is called by a frontend process
  24. // The value is set to "true" by default in boot.php
  25. $a->backend = false;
  26. /**
  27. * Try to open the database;
  28. */
  29. require_once "include/dba.php";
  30. // Missing DB connection: ERROR
  31. if ($a->getMode()->has(App\Mode::LOCALCONFIGPRESENT) && !$a->getMode()->has(App\Mode::DBAVAILABLE)) {
  32. System::httpExit(500, ['title' => 'Error 500 - Internal Server Error', 'description' => 'Apologies but the website is unavailable at the moment.']);
  33. }
  34. // Max Load Average reached: ERROR
  35. if ($a->isMaxProcessesReached() || $a->isMaxLoadReached()) {
  36. header('Retry-After: 120');
  37. header('Refresh: 120; url=' . System::baseUrl() . "/" . $a->query_string);
  38. System::httpExit(503, ['title' => 'Error 503 - Service Temporarily Unavailable', 'description' => 'System is currently overloaded. Please try again later.']);
  39. }
  40. if (!$a->getMode()->isInstall()) {
  41. if (Config::get('system', 'force_ssl') && ($a->get_scheme() == "http")
  42. && (intval(Config::get('system', 'ssl_policy')) == SSL_POLICY_FULL)
  43. && (substr(System::baseUrl(), 0, 8) == "https://")
  44. && ($_SERVER['REQUEST_METHOD'] == 'GET')) {
  45. header("HTTP/1.1 302 Moved Temporarily");
  46. header("Location: " . System::baseUrl() . "/" . $a->query_string);
  47. exit();
  48. }
  49. Config::init();
  50. Session::init();
  51. Addon::loadHooks();
  52. Addon::callHooks('init_1');
  53. }
  54. $lang = L10n::getBrowserLanguage();
  55. L10n::loadTranslationTable($lang);
  56. /**
  57. * Important stuff we always need to do.
  58. *
  59. * The order of these may be important so use caution if you think they're all
  60. * intertwingled with no logical order and decide to sort it out. Some of the
  61. * dependencies have changed, but at least at one time in the recent past - the
  62. * order was critical to everything working properly
  63. */
  64. // Exclude the backend processes from the session management
  65. if (!$a->is_backend()) {
  66. $stamp1 = microtime(true);
  67. session_start();
  68. $a->save_timestamp($stamp1, "parser");
  69. } else {
  70. $_SESSION = [];
  71. Worker::executeIfIdle();
  72. }
  73. /**
  74. * Language was set earlier, but we can over-ride it in the session.
  75. * We have to do it here because the session was just now opened.
  76. */
  77. if (!empty($_SESSION['authenticated']) && empty($_SESSION['language'])) {
  78. $_SESSION['language'] = $lang;
  79. // we haven't loaded user data yet, but we need user language
  80. if (!empty($_SESSION['uid'])) {
  81. $user = DBA::selectFirst('user', ['language'], ['uid' => $_SESSION['uid']]);
  82. if (DBA::isResult($user)) {
  83. $_SESSION['language'] = $user['language'];
  84. }
  85. }
  86. }
  87. if (!empty($_SESSION['language']) && $_SESSION['language'] !== $lang) {
  88. $lang = $_SESSION['language'];
  89. L10n::loadTranslationTable($lang);
  90. }
  91. if (!empty($_GET['zrl']) && $a->getMode()->isNormal()) {
  92. $a->query_string = Profile::stripZrls($a->query_string);
  93. if (!local_user()) {
  94. // Only continue when the given profile link seems valid
  95. // Valid profile links contain a path with "/profile/" and no query parameters
  96. if ((parse_url($_GET['zrl'], PHP_URL_QUERY) == "") &&
  97. strstr(parse_url($_GET['zrl'], PHP_URL_PATH), "/profile/")) {
  98. if (defaults($_SESSION, "visitor_home", "") != $_GET["zrl"]) {
  99. $_SESSION['my_url'] = $_GET['zrl'];
  100. $_SESSION['authenticated'] = 0;
  101. }
  102. Profile::zrlInit($a);
  103. } else {
  104. // Someone came with an invalid parameter, maybe as a DDoS attempt
  105. // We simply stop processing here
  106. logger("Invalid ZRL parameter " . $_GET['zrl'], LOGGER_DEBUG);
  107. header('HTTP/1.1 403 Forbidden');
  108. echo "<h1>403 Forbidden</h1>";
  109. exit();
  110. }
  111. }
  112. }
  113. if (!empty($_GET['owt']) && $a->getMode()->isNormal()) {
  114. $token = $_GET['owt'];
  115. $a->query_string = Profile::stripQueryParam($a->query_string, 'owt');
  116. Profile::openWebAuthInit($token);
  117. }
  118. /**
  119. * For Mozilla auth manager - still needs sorting, and this might conflict with LRDD header.
  120. * Apache/PHP lumps the Link: headers into one - and other services might not be able to parse it
  121. * this way. There's a PHP flag to link the headers because by default this will over-write any other
  122. * link header.
  123. *
  124. * What we really need to do is output the raw headers ourselves so we can keep them separate.
  125. */
  126. // header('Link: <' . System::baseUrl() . '/amcd>; rel="acct-mgmt";');
  127. Login::sessionAuth();
  128. if (empty($_SESSION['authenticated'])) {
  129. header('X-Account-Management-Status: none');
  130. }
  131. $_SESSION['sysmsg'] = defaults($_SESSION, 'sysmsg' , []);
  132. $_SESSION['sysmsg_info'] = defaults($_SESSION, 'sysmsg_info' , []);
  133. $_SESSION['last_updated'] = defaults($_SESSION, 'last_updated', []);
  134. /*
  135. * check_config() is responsible for running update scripts. These automatically
  136. * update the DB schema whenever we push a new one out. It also checks to see if
  137. * any addons have been added or removed and reacts accordingly.
  138. */
  139. // in install mode, any url loads install module
  140. // but we need "view" module for stylesheet
  141. if ($a->getMode()->isInstall() && $a->module != 'view') {
  142. $a->module = 'install';
  143. } elseif (!$a->getMode()->has(App\Mode::MAINTENANCEDISABLED) && $a->module != 'view') {
  144. $a->module = 'maintenance';
  145. } else {
  146. check_url($a);
  147. check_db(false);
  148. Addon::check();
  149. }
  150. Nav::setSelected('nothing');
  151. //Don't populate apps_menu if apps are private
  152. $privateapps = Config::get('config', 'private_addons');
  153. if ((local_user()) || (! $privateapps === "1")) {
  154. $arr = ['app_menu' => $a->apps];
  155. Addon::callHooks('app_menu', $arr);
  156. $a->apps = $arr['app_menu'];
  157. }
  158. /**
  159. * We have already parsed the server path into $a->argc and $a->argv
  160. *
  161. * $a->argv[0] is our module name. We will load the file mod/{$a->argv[0]}.php
  162. * and use it for handling our URL request.
  163. * The module file contains a few functions that we call in various circumstances
  164. * and in the following order:
  165. *
  166. * "module"_init
  167. * "module"_post (only called if there are $_POST variables)
  168. * "module"_afterpost
  169. * "module"_content - the string return of this function contains our page body
  170. *
  171. * Modules which emit other serialisations besides HTML (XML,JSON, etc.) should do
  172. * so within the module init and/or post functions and then invoke killme() to terminate
  173. * further processing.
  174. */
  175. if (strlen($a->module)) {
  176. /**
  177. * We will always have a module name.
  178. * First see if we have an addon which is masquerading as a module.
  179. */
  180. // Compatibility with the Android Diaspora client
  181. if ($a->module == 'stream') {
  182. goaway('network?f=&order=post');
  183. }
  184. if ($a->module == 'conversations') {
  185. goaway('message');
  186. }
  187. if ($a->module == 'commented') {
  188. goaway('network?f=&order=comment');
  189. }
  190. if ($a->module == 'liked') {
  191. goaway('network?f=&order=comment');
  192. }
  193. if ($a->module == 'activity') {
  194. goaway('network/?f=&conv=1');
  195. }
  196. if (($a->module == 'status_messages') && ($a->cmd == 'status_messages/new')) {
  197. goaway('bookmarklet');
  198. }
  199. if (($a->module == 'user') && ($a->cmd == 'user/edit')) {
  200. goaway('settings');
  201. }
  202. if (($a->module == 'tag_followings') && ($a->cmd == 'tag_followings/manage')) {
  203. goaway('search');
  204. }
  205. // Compatibility with the Firefox App
  206. if (($a->module == "users") && ($a->cmd == "users/sign_in")) {
  207. $a->module = "login";
  208. }
  209. $privateapps = Config::get('config', 'private_addons');
  210. if (is_array($a->addons) && in_array($a->module, $a->addons) && file_exists("addon/{$a->module}/{$a->module}.php")) {
  211. //Check if module is an app and if public access to apps is allowed or not
  212. if ((!local_user()) && Addon::isApp($a->module) && $privateapps === "1") {
  213. info(L10n::t("You must be logged in to use addons. "));
  214. } else {
  215. include_once "addon/{$a->module}/{$a->module}.php";
  216. if (function_exists($a->module . '_module')) {
  217. $a->module_loaded = true;
  218. }
  219. }
  220. }
  221. // Controller class routing
  222. if (! $a->module_loaded && class_exists('Friendica\\Module\\' . ucfirst($a->module))) {
  223. $a->module_class = 'Friendica\\Module\\' . ucfirst($a->module);
  224. $a->module_loaded = true;
  225. }
  226. /**
  227. * If not, next look for a 'standard' program module in the 'mod' directory
  228. */
  229. if (! $a->module_loaded && file_exists("mod/{$a->module}.php")) {
  230. include_once "mod/{$a->module}.php";
  231. $a->module_loaded = true;
  232. }
  233. /**
  234. * The URL provided does not resolve to a valid module.
  235. *
  236. * On Dreamhost sites, quite often things go wrong for no apparent reason and they send us to '/internal_error.html'.
  237. * We don't like doing this, but as it occasionally accounts for 10-20% or more of all site traffic -
  238. * we are going to trap this and redirect back to the requested page. As long as you don't have a critical error on your page
  239. * this will often succeed and eventually do the right thing.
  240. *
  241. * Otherwise we are going to emit a 404 not found.
  242. */
  243. if (! $a->module_loaded) {
  244. // Stupid browser tried to pre-fetch our Javascript img template. Don't log the event or return anything - just quietly exit.
  245. if (!empty($_SERVER['QUERY_STRING']) && preg_match('/{[0-9]}/', $_SERVER['QUERY_STRING']) !== 0) {
  246. killme();
  247. }
  248. if (!empty($_SERVER['QUERY_STRING']) && ($_SERVER['QUERY_STRING'] === 'q=internal_error.html') && isset($dreamhost_error_hack)) {
  249. logger('index.php: dreamhost_error_hack invoked. Original URI =' . $_SERVER['REQUEST_URI']);
  250. goaway(System::baseUrl() . $_SERVER['REQUEST_URI']);
  251. }
  252. logger('index.php: page not found: ' . $_SERVER['REQUEST_URI'] . ' ADDRESS: ' . $_SERVER['REMOTE_ADDR'] . ' QUERY: ' . $_SERVER['QUERY_STRING'], LOGGER_DEBUG);
  253. header($_SERVER["SERVER_PROTOCOL"] . ' 404 ' . L10n::t('Not Found'));
  254. $tpl = get_markup_template("404.tpl");
  255. $a->page['content'] = replace_macros($tpl, [
  256. '$message' => L10n::t('Page not found.')
  257. ]);
  258. }
  259. }
  260. /**
  261. * Load current theme info
  262. */
  263. $theme_info_file = 'view/theme/' . $a->getCurrentTheme() . '/theme.php';
  264. if (file_exists($theme_info_file)) {
  265. require_once $theme_info_file;
  266. }
  267. /* initialise content region */
  268. if ($a->getMode()->isNormal()) {
  269. Addon::callHooks('page_content_top', $a->page['content']);
  270. }
  271. /**
  272. * Call module functions
  273. */
  274. if ($a->module_loaded) {
  275. $a->page['page_title'] = $a->module;
  276. $placeholder = '';
  277. Addon::callHooks($a->module . '_mod_init', $placeholder);
  278. if ($a->module_class) {
  279. call_user_func([$a->module_class, 'init']);
  280. } else if (function_exists($a->module . '_init')) {
  281. $func = $a->module . '_init';
  282. $func($a);
  283. }
  284. // "rawContent" is especially meant for technical endpoints.
  285. // This endpoint doesn't need any theme initialization or other comparable stuff.
  286. if (!$a->error && $a->module_class) {
  287. call_user_func([$a->module_class, 'rawContent']);
  288. }
  289. if (function_exists(str_replace('-', '_', $a->getCurrentTheme()) . '_init')) {
  290. $func = str_replace('-', '_', $a->getCurrentTheme()) . '_init';
  291. $func($a);
  292. }
  293. if (! $a->error && $_SERVER['REQUEST_METHOD'] === 'POST') {
  294. Addon::callHooks($a->module . '_mod_post', $_POST);
  295. if ($a->module_class) {
  296. call_user_func([$a->module_class, 'post']);
  297. } else if (function_exists($a->module . '_post')) {
  298. $func = $a->module . '_post';
  299. $func($a);
  300. }
  301. }
  302. if (! $a->error) {
  303. Addon::callHooks($a->module . '_mod_afterpost', $placeholder);
  304. if ($a->module_class) {
  305. call_user_func([$a->module_class, 'afterpost']);
  306. } else if (function_exists($a->module . '_afterpost')) {
  307. $func = $a->module . '_afterpost';
  308. $func($a);
  309. }
  310. }
  311. if (! $a->error) {
  312. $arr = ['content' => $a->page['content']];
  313. Addon::callHooks($a->module . '_mod_content', $arr);
  314. $a->page['content'] = $arr['content'];
  315. if ($a->module_class) {
  316. $arr = ['content' => call_user_func([$a->module_class, 'content'])];
  317. } else if (function_exists($a->module . '_content')) {
  318. $func = $a->module . '_content';
  319. $arr = ['content' => $func($a)];
  320. }
  321. Addon::callHooks($a->module . '_mod_aftercontent', $arr);
  322. $a->page['content'] .= $arr['content'];
  323. }
  324. if (function_exists(str_replace('-', '_', $a->getCurrentTheme()) . '_content_loaded')) {
  325. $func = str_replace('-', '_', $a->getCurrentTheme()) . '_content_loaded';
  326. $func($a);
  327. }
  328. }
  329. /*
  330. * Create the page head after setting the language
  331. * and getting any auth credentials.
  332. *
  333. * Moved init_pagehead() and init_page_end() to after
  334. * all the module functions have executed so that all
  335. * theme choices made by the modules can take effect.
  336. */
  337. $a->initHead();
  338. /*
  339. * Build the page ending -- this is stuff that goes right before
  340. * the closing </body> tag
  341. */
  342. $a->initFooter();
  343. /*
  344. * now that we've been through the module content, see if the page reported
  345. * a permission problem and if so, a 403 response would seem to be in order.
  346. */
  347. if (stristr(implode("", $_SESSION['sysmsg']), L10n::t('Permission denied'))) {
  348. header($_SERVER["SERVER_PROTOCOL"] . ' 403 ' . L10n::t('Permission denied.'));
  349. }
  350. /*
  351. * Report anything which needs to be communicated in the notification area (before the main body)
  352. */
  353. Addon::callHooks('page_end', $a->page['content']);
  354. /*
  355. * Add the navigation (menu) template
  356. */
  357. if ($a->module != 'install' && $a->module != 'maintenance') {
  358. Nav::build($a);
  359. }
  360. /**
  361. * Build the page - now that we have all the components
  362. */
  363. if (isset($_GET["mode"]) && (($_GET["mode"] == "raw") || ($_GET["mode"] == "minimal"))) {
  364. $doc = new DOMDocument();
  365. $target = new DOMDocument();
  366. $target->loadXML("<root></root>");
  367. $content = mb_convert_encoding($a->page["content"], 'HTML-ENTITIES', "UTF-8");
  368. /// @TODO one day, kill those error-surpressing @ stuff, or PHP should ban it
  369. @$doc->loadHTML($content);
  370. $xpath = new DOMXPath($doc);
  371. $list = $xpath->query("//*[contains(@id,'tread-wrapper-')]"); /* */
  372. foreach ($list as $item) {
  373. $item = $target->importNode($item, true);
  374. // And then append it to the target
  375. $target->documentElement->appendChild($item);
  376. }
  377. }
  378. if (isset($_GET["mode"]) && ($_GET["mode"] == "raw")) {
  379. header("Content-type: text/html; charset=utf-8");
  380. echo substr($target->saveHTML(), 6, -8);
  381. exit();
  382. }
  383. $page = $a->page;
  384. $profile = $a->profile;
  385. header("X-Friendica-Version: " . FRIENDICA_VERSION);
  386. header("Content-type: text/html; charset=utf-8");
  387. if (Config::get('system', 'hsts') && (Config::get('system', 'ssl_policy') == SSL_POLICY_FULL)) {
  388. header("Strict-Transport-Security: max-age=31536000");
  389. }
  390. // Some security stuff
  391. header('X-Content-Type-Options: nosniff');
  392. header('X-XSS-Protection: 1; mode=block');
  393. header('X-Permitted-Cross-Domain-Policies: none');
  394. header('X-Frame-Options: sameorigin');
  395. // Things like embedded OSM maps don't work, when this is enabled
  396. // header("Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; img-src 'self' https: data:; media-src 'self' https:; child-src 'self' https:; object-src 'none'");
  397. /*
  398. * We use $_GET["mode"] for special page templates. So we will check if we have
  399. * to load another page template than the default one.
  400. * The page templates are located in /view/php/ or in the theme directory.
  401. */
  402. if (isset($_GET["mode"])) {
  403. $template = Theme::getPathForFile($_GET["mode"] . '.php');
  404. }
  405. // If there is no page template use the default page template
  406. if (empty($template)) {
  407. $template = Theme::getPathForFile("default.php");
  408. }
  409. /// @TODO Looks unsafe (remote-inclusion), is maybe not but Theme::getPathForFile() uses file_exists() but does not escape anything
  410. require_once $template;