Fix bad prev/next permalinks when using wrapper.php embedding

2007-04-05 09:33:48 +00:00 · 2007-04-05 09:33:48 +00:00 · 86c65016bc
commit 86c65016bc
parent e44a22cf06
4 changed files with 24 additions and 1 deletions
--- a/docs/NEWS
+++ b/docs/NEWS
@ -3,6 +3,12 @@
 Version 1.2 ()
 ------------------------------------------------------------------------

+    * Fix wrong next/previous page links when using wrapper.php indexFile
+      option. (garvinhicking)
+
+    * Prevent cookie-based session fixation by regenerationg server-side
+      session ID. Major thanks to David Vieira-Kurz.
+
    * Display theme's preview_fullsize.jpg image when existing. Added
      screenshots by williamts99.

--- a/include/functions_permalinks.inc.php
+++ b/include/functions_permalinks.inc.php
@ -753,12 +753,18 @@ function serendipity_currentURL($strict = false) {
 */
 function serendipity_getUriArguments($uri, $wildcard = false) {
 global $serendipity;
+static $indexFile = null;
+
+    if ($indexFile === null) {
+        $_indexFile = explode('.', $serendipity['indexFile']);
+        $indexFile = $_indexFile[0];
+    }

    /* Explode the path into sections, to later be able to check for arguments and add our own */
    preg_match('/^'. preg_quote($serendipity['serendipityHTTPPath'], '/') . '(' . preg_quote($serendipity['indexFile'], '/') . '\?\/)?(' . ($wildcard ? '.+' : '[;,_a-z0-9\-*\/%\+]+') . ')/i', $uri, $_res);
    if (strlen($_res[2]) != 0) {
        $args = explode('/', $_res[2]);
-        if ($args[0] == 'index') {
+        if ($args[0] == $indexFile || $args[0] == $serendipity['indexFile']) {
            unset($args[0]);
        }
        return $args;
--- a/index.php
+++ b/index.php
@ -3,6 +3,7 @@
 # All rights reserved.  See LICENSE file for licensing details

 $global_debug = false;
+
 if ($global_debug) {
    #apd_set_pprof_trace();

--- a/serendipity_config.inc.php
+++ b/serendipity_config.inc.php
@ -10,6 +10,16 @@ if (defined('S9Y_FRAMEWORK')) {

 if (!headers_sent()) {
    session_start();
+    
+    // Prevent session fixation by only allowing sessions that have been sent by the server.
+    // Any session that does not contain our unique token will be regarded as foreign/fixated
+    // and be regenerated with a system-generated SID.
+    // Patch by David Vieira-Kurz of majorsecurity.de
+    if (!isset($_SESSION['SERVER_GENERATED_SID'])) {
+        session_destroy();
+        session_regenerate_id();
+        $_SESSION['SERVER_GENERATED_SID'] = true;
+    }
 }

 if (!defined('S9Y_INCLUDE_PATH')) {