-
Notifications
You must be signed in to change notification settings - Fork 581
/
index.php
122 lines (103 loc) · 3.54 KB
/
index.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
<?php
/**
* TestLink Open Source Project - http://testlink.sourceforge.net/
* This script is distributed under the GNU General Public License 2 or later.
*
* @filesource index.php
* @package TestLink
* @copyright 2006-2017, TestLink community
* @link http://www.testlink.org
*
*
**/
require_once('lib/functions/configCheck.php');
checkConfiguration();
require_once('config.inc.php');
require_once('common.php');
doSessionStart();
// will be very interesting understand why we do this
unset($_SESSION['basehref']);
setPaths();
list($args,$gui) = initEnv();
// verify the session during a work
$redir2login = true;
if( isset($_SESSION['currentUser']) ) {
// Session exists we need to do other checks.
// we use/copy Mantisbt approach
$securityCookie = tlUser::auth_get_current_user_cookie();
$redir2login = is_null($securityCookie);
if(!$redir2login) {
// need to get fresh info from db, before asking for securityCookie
doDBConnect($db,database::ONERROREXIT);
$user = new tlUser();
$user->dbID = $_SESSION['currentUser']->dbID;
$user->readFromDB($db);
$dbSecurityCookie = $user->getSecurityCookie();
$redir2login = ( $securityCookie != $dbSecurityCookie );
}
}
if($redir2login) {
// destroy user in session as security measure
unset($_SESSION['currentUser']);
// If session does not exists I think is better in order to
// manage other type of authentication method/schemas
// to understand that this is a sort of FIRST Access.
//
// When TL undertand that session exists but has expired
// is OK to call login with expired indication, but is not this case
//
// Dev Notes:
// may be we are going to login.php and it will call us again!
$urlo = TL_BASE_HREF . "login.php" . ($args->ssodisable ? '?ssodisable' : '');
redirect($urlo);
exit;
}
// We arrive to these lines only if we are logged in
//
// Calling testlinkInitPage() I'm doing what we do on navBar.php
// navBar.php is called via main.tpl
// testlinkInitPage($db,('initProject' == 'initProject'));
$tplEngine = new TLSmarty();
$tplEngine->assign('gui', $gui);
$tplEngine->display('main.tpl');
/**
*
*
*/
function initEnv() {
$iParams = array("reqURI" => array(tlInputParameter::STRING_N,0,4000));
$pParams = G_PARAMS($iParams);
$args = new stdClass();
$args->ssodisable = getSSODisable();
// CWE-79:
// Improper Neutralization of Input
// During Web Page Generation ('Cross-site Scripting')
//
// https://cxsecurity.com/issue/WLB-2019110139
$args->reqURI = '';
if ($pParams["reqURI"] != '') {
$args->reqURI = $pParams["reqURI"];
// some sanity checks
// strpos ( string $haystack , mixed $needle
if (stripos($args->reqURI,'javascript') !== false) {
$args->reqURI = null;
}
}
if (null == $args->reqURI) {
$args->reqURI = 'lib/general/mainPage.php';
}
$args->reqURI = $_SESSION['basehref'] . $args->reqURI;
$args->tproject_id = isset($_REQUEST['tproject_id']) ? intval($_REQUEST['tproject_id']) : 0;
$args->tplan_id = isset($_REQUEST['tplan_id']) ? intval($_REQUEST['tplan_id']) : 0;
$gui = new stdClass();
$gui->title = lang_get('main_page_title');
$gui->mainframe = $args->reqURI;
$gui->navbar_height = config_get('navbar_height');
$sso = ($args->ssodisable ? '&ssodisable' : '');
$gui->titleframe = "lib/general/navBar.php?" .
"tproject_id={$args->tproject_id}&" .
"tplan_id={$args->tplan_id}&" .
"updateMainPage=1" . $sso;
$gui->logout = 'logout.php?viewer=' . $sso;
return array($args,$gui);
}