Difference between revisions for Users / Eo Ny / dev




← Previous edit
Revision 2 as of 05/05/2026 19:08
3 05/05/2026 19:10 EoNy 2 05/05/2026 19:08 EoNy 1 05/05/2026 19:06 EoNy

(4.4 KiB)
EoNy
 Next edit →
Revision 4 as of 05/05/2026 19:10
18 05/21/2026 16:12 WikiAdmin 17 05/18/2026 15:15 WikiAdmin 16 05/18/2026 05:05 WikiAdmin 15 05/18/2026 05:04 WikiAdmin 14 05/17/2026 21:10 WikiAdmin 13 05/05/2026 19:29 EoNy 12 05/05/2026 19:28 WikiAdmin 11 05/05/2026 19:28 WikiAdmin 10 05/05/2026 19:27 WikiAdmin 9 05/05/2026 19:25 WikiAdmin 8 05/05/2026 19:24 WikiAdmin 7 05/05/2026 19:23 WikiAdmin 6 05/05/2026 19:21 EoNy 5 05/05/2026 19:11 EoNy 4 05/05/2026 19:10 EoNy 3 05/05/2026 19:10 EoNy

(19.7 KiB) +15,742
EoNy

Merge of Version1 & Version2
32 || ##$lang## | string | Current language code ||
33 || ##$file## | string | Cache file path ||
34 || ##$caching## | int | Flag indicating if page should be cached (0 or 1) ||
35 || ---- ||
36 || === Constructor === ||
37 || %%php
38 public function __construct(&$db)
39 %% ||
40 || **Purpose:** Initializes the Http object and sets up HTTP session handling. ||
41 || **Parameters:** ||
42 || - ##$db## - Database object reference ||
43 || **Initialization Steps:** ||
44 || 1. Stores database reference ||
45 || 2. Extracts and normalizes REQUEST_URI ||
46 || 3. Detects TLS/HTTPS session status ||
47 || 4. Determines client's real IP address ||
48 || 5. Sets up TLS mark cookie name ||
49 || 6. Enforces TLS session upgrade if needed ||
50 || **Example:** ||
51 || %%php
52 $http = new Http($db);
53 %% ||
54 || ---- ||
55 || === Core Methods === ||
56 || ==== Session Management ==== ||
57 || ===== ##session($route): void## ===== ||
58 || Initializes the session handler (file-based or database-based). ||
59 || **Parameters:** ||
60 || - ##$route## (int) - Routing flag: ||
61 || - Bit 2 (##$route & 2##): Enable static mode for files/freecap (disables replay prevention and ID regeneration) ||
62 || **Features:** ||
63 || - Selects storage backend (file or database) ||
64 || - Configures cookie settings (security, path, httponly) ||
65 || - Binds IP and TLS validation ||
66 || - Recovers diagnostic logs from previous session ||
67 || **Example:** ||
68 || %%php
69 $http->session(0); // Normal session
70 $http->session(2); // Static file serving mode
71 %% ||
72 || ---- ||
73 || ==== Caching System ==== ||
74 || ===== ##check_cache($page, $method): void## ===== ||
75 || Determines if a page can be cached and prepares the cache check. ||
76 || **Parameters:** ||
77 || - ##$page## (string) - Page name to cache ||
78 || - ##$method## (string) - Request method/action (e.g., 'show', 'edit') ||
79 || **Caching Rules:** ||
80 || - ✅ Enabled for GET requests only ||
81 || - ✅ Disabled for POST requests ||
82 || - ❌ Never cached for 'edit' or 'watch' methods ||
83 || - ✅ Only cached for anonymous users (no logged-in users) ||
84 || **Example:** ||
85 || %%php
86 $http->check_cache('HomePage', 'show');
87 %% ||
88 || ---- ||
89 || ===== ##store_cache(): void## ===== ||
90 || Saves the generated page content to cache file. ||
91 || **Features:** ||
92 || - Retrieves output buffer content ||
93 || - Saves to cache file with proper permissions ||
94 || - Records cache metadata in database ||
95 || - Only executes if caching flag is set and user is anonymous ||
96 || **Example:** ||
97 || %%php
98 // Called at end of page rendering
99 $http->store_cache();
100 %% ||
101 || ---- ||
102 || ===== ##invalidate_page($page): int## ===== ||
103 || Invalidates all cached versions of a page. ||
104 || **Parameters:** ||
105 || - ##$page## (string) - Page name to invalidate ||
106 || **Returns:** ||
107 || - Number of cache entries invalidated ||
108 || **Process:** ||
109 || 1. Finds all cached versions (different methods/languages) ||
110 || 2. Touches files to past timestamp (faster than deletion) ||
111 || 3. Removes entries from cache metadata table ||
112 || 4. Returns count of invalidated caches ||
113 || **Example:** ||
114 || %%php
115 $count = $http->invalidate_page('HomePage');
116 echo "Invalidated $count cache entries";
117 %% ||
118 || ---- ||
119 || ==== TLS/HTTPS Security ==== ||
120 || ===== ##secure_base_url(): void## ===== ||
121 || Switches base URL from HTTP to HTTPS. ||
122 || **Purpose:** ||
123 || - Ensures all subsequent URLs use HTTPS ||
124 || - Stores original HTTP URL for fallback ||
125 || - Called when TLS session is detected ||
126 || **Example:** ||
127 || %%php
128 $http->secure_base_url();
129 // $db->base_url now uses https://
130 %% ||
131 || ---- ||
132 || ===== ##ensure_tls($url): void## ===== ||
133 || Enforces HTTPS for a specific URL and redirects if necessary. ||
134 || **Parameters:** ||
135 || - ##$url## (string) - URL to secure ||
136 || **Behavior:** ||
137 || - If not already HTTPS and TLS is enabled, forces HTTPS redirect ||
138 || - Handles both relative and absolute URLs ||
139 || - Converts relative URLs using current server name ||
140 || **Example:** ||
141 || %%php
142 $http->ensure_tls('/secure/payment');
143 %% ||
144 || ---- ||
145 || ==== IP Address Detection ==== ||
146 || ===== ##real_ip(): string## (Private) ===== ||
147 || Detects client's real IP address accounting for proxies. ||
148 || **Proxy Headers Checked (in order):** ||
149 || 1. ##HTTP_X_CLUSTER_CLIENT_IP## ||
150 || 2. ##HTTP_X_FORWARDED_FOR## (or custom header) ||
151 || 3. ##HTTP_CLIENT_IP## ||
152 || 4. ##HTTP_X_REMOTE_ADDR## ||
153 || 5. ##REMOTE_ADDR## (fallback) ||
154 || **Features:** ||
155 || - Filters out private/reserved IP ranges ||
156 || - Respects configured reverse proxy addresses ||
157 || - Returns ##'0.0.0.0'## as fallback ||
158 || **Configuration in Database:** ||
159 || - ##reverse_proxy_addresses## - Comma/space-separated proxy IPs ||
160 || - ##reverse_proxy_header## - Custom header name (default: ##X-Forwarded-For##) ||
161 || **Example:** ||
162 || %%php
163 $client_ip = $http->ip; // e.g., "203.0.113.42"
164 %% ||
165 || ---- ||
166 || ==== HTTPS Detection ==== ||
167 || ===== ##tls_session(): bool## (Private) ===== ||
168 || Detects if current connection uses HTTPS/TLS. ||
169 || **Checks (any being true = HTTPS):** ||
170 || - ##$_SERVER['HTTPS']## is 'on' ||
171 || - ##$_SERVER['SERVER_PORT']## is 443 ||
172 || - ##$_SERVER['HTTP_X_FORWARDED_PROTO']## is 'https' ||
173 || - ##$_SERVER['HTTP_X_FORWARDED_SSL']## is 'on' ||
174 || - ##$_SERVER['HTTP_X_FORWARDED_PORT']## is 443 ||
175 || ---- ||
176 || ==== Security Headers ==== ||
177 || ===== ##http_security_headers(): void## ===== ||
178 || Sets security-related HTTP headers. ||
179 || **Headers Set:** ||
180 || Header | Purpose | Config Key ||
181 || -------- | --------- | ------------ ||
182 || Content-Security-Policy | XSS/injection protection | ##csp## ||
183 || Permissions-Policy | Control browser features | ##permissions_policy## ||
184 || Referrer-Policy | Control referrer information | ##referrer_policy## ||
185 || Strict-Transport-Security | Force HTTPS | Auto (TLS only) ||
186 || X-Frame-Options | Clickjacking protection | Hardcoded: ##SAMEORIGIN## ||
187 || X-Content-Type-Options | MIME sniffing prevention | Hardcoded: ##nosniff## ||
188 || **CSP Configuration Options:** ||
189 || - ##0## - Disabled ||
190 || - ##1## - Default policy (from ##csp.conf##) ||
191 || - ##2## - Custom policy (from ##csp_custom.conf##) ||
192 || **Example:** ||
193 || %%php
194 $http->http_security_headers();
195 %% ||
196 || ---- ||
197 || ==== HTTP Methods ==== ||
198 || ===== ##redirect($url, $permanent = false): void## ===== ||
199 || Performs an HTTP redirect. ||
200 || **Parameters:** ||
201 || - ##$url## (string) - Target URL ||
202 || - ##$permanent## (bool) - Use 301 (permanent) vs 302 (temporary) ||
203 || **Features:** ||
204 || - Decodes ##&## entities to prevent broken redirects ||
205 || - Only works if headers not yet sent ||
206 || - Uses output buffering to work anywhere in page processing ||
207 || **Example:** ||
208 || %%php
209 $http->redirect('http://example.com/new-page', true); // 301
210 $http->redirect('/wiki/HomePage'); // 302
211 %% ||
212 || ---- ||
213 || ===== ##terminate(): void## ===== ||
214 || Safe exit/die with cleanup. ||
215 || **Cleanup Operations:** ||
216 || - Saves diagnostic logs to session flash data ||
217 || - Ends script execution ||
218 || **Example:** ||
219 || %%php
220 $http->terminate();
221 %% ||
222 || ---- ||
223 || ===== ##status($code): void## ===== ||
224 || Sets HTTP response status code. ||
225 || **Supported Status Codes:** ||
226 || %%php
227 200 => 'OK'
228 206 => 'Partial Content'
229 301 => 'Moved Permanently'
230 302 => 'Moved Temporarily'
231 304 => 'Not Modified'
232 400 => 'Bad Request'
233 401 => 'Unauthorized'
234 403 => 'Forbidden'
235 404 => 'Not Found'
236 405 => 'Method Not Allowed'
237 409 => 'Conflict'
238 410 => 'Gone'
239 416 => 'Requested Range Not Satisfiable'
240 500 => 'Internal Server Error'
241 501 => 'Not Implemented'
242 503 => 'Service Unavailable'
243 %% ||
244 || **Example:** ||
245 || %%php
246 $http->status(404); // Send 404 Not Found
247 %% ||
248 || ---- ||
249 || ==== Caching Control ==== ||
250 || ===== ##no_cache($client_only = true): void## ===== ||
251 || Disables caching of the current page. ||
252 || **Parameters:** ||
253 || - ##$client_only## (bool, default: TRUE) ||
254 || - ##TRUE##: Disable browser cache only ||
255 || - ##FALSE##: Disable both browser and server cache ||
256 || **Headers Set:** ||
257 || - ##Last-Modified: <current-time>## (always fresh) ||
258 || - ##Cache-Control: no-store## ||
259 || **Example:** ||
260 || %%php
261 $http->no_cache(); // Client-side only
262 $http->no_cache(false); // Both client & server
263 %% ||
264 || ---- ||
265 || ===== ##cache_promisc(): void## ===== ||
266 || Marks page as publicly cacheable. ||
267 || **Headers Set:** ||
268 || - ##Cache-Control: public## ||
269 || **Example:** ||
270 || %%php
271 $http->cache_promisc();
272 %% ||
273 || ---- ||
274 || ==== Language Negotiation ==== ||
275 || ===== ##user_agent_language(): string## ===== ||
276 || Determines best language based on browser preferences. ||
277 || **Features:** ||
278 || - Follows RFC 9110 section 12.5.4 (HTTP Accept-Language) ||
279 || - Parses ##Accept-Language## header with quality factors ||
280 || - Attempts exact match first, then language fallback ||
281 || - Falls back to default system language ||
282 || **Example Header:** ||
283 || %%
284 Accept-Language: en-US,en;q=0.9,de;q=0.8
285 %% ||
286 || **Returns:** ||
287 || - Language code (e.g., 'en', 'en-US', 'de') ||
288 || ---- ||
289 || ===== ##available_languages($subset = true): array## ===== ||
290 || Returns list of available language translations. ||
291 || **Parameters:** ||
292 || - ##$subset## (bool, default: TRUE) ||
293 || - ##TRUE##: Only allowed languages ||
294 || - ##FALSE##: All available languages ||
295 || **Features:** ||
296 || - Scans ##LANG_DIR## for language files ||
297 || - Filters by ##allowed_languages## config if set ||
298 || - Caches result in session ||
299 || - System language always included ||
300 || **Returns:** ||
301 || - Associative array: ##['en' => 'en', 'de' => 'de', ...]## ||
302 || **Example:** ||
303 || %%php
304 $all_langs = $http->available_languages(false);
305 $allowed = $http->available_languages(true);
306 %% ||
307 || ---- ||
308 || ==== File Serving ==== ||
309 || ===== ##sendfile($path, $filename = null, $age = null): void## ===== ||
310 || Serves files with proper HTTP headers and caching. ||
311 || **Parameters:** ||
312 || - ##$path## (string) - File path (or HTTP_XXX constant for error pages) ||
313 || - ##$filename## (string, optional) - Custom download filename ||
314 || - ##$age## (int, optional) - Cache age in days ||
315 || **Features:** ||
316 || - HTTP range request support (partial file downloads) ||
317 || - ETag and Last-Modified conditional requests ||
318 || - Proper MIME type detection ||
319 || - Content-Security-Policy for special file types ||
320 || - Streaming for large files ||
321 || - GZip compression for text files ||
322 || **Special Paths:** ||
323 || %%php
324 $http->sendfile(404); // Serves file defined by HTTP_404 constant
325 $http->sendfile(403); // Serves file defined by HTTP_403 constant
326 %% ||
327 || **Example:** ||
328 || %%php
329 $http->sendfile('uploads/document.pdf', 'my-document.pdf', 30);
330 %% ||
331 || ---- ||
332 || ===== ##mime_type($path): string## ===== ||
333 || Returns MIME type for a file. ||
334 || **Returns:** ||
335 || - MIME type string (e.g., 'application/pdf') ||
336 || - Default: ##'application/octet-stream'## ||
337 || **Example:** ||
338 || %%php
339 $mime = $http->mime_type('file.pdf'); // 'application/pdf'
340 %% ||
341 || ---- ||
342 || ===== ##mime_types(): array## (Private) ===== ||
343 || Loads and caches MIME types from configuration. ||
344 || **Features:** ||
345 || - Reads from ##config/mime.types## ||
346 || - Caches to ##cache/config/mime.types## ||
347 || - Reloads if config is updated ||
348 || ---- ||
349 || ==== Compression ==== ||
350 || ===== ##gzip(): void## ===== ||
351 || Compresses HTTP response with gzip/x-gzip. ||
352 || **Features:** ||
353 || - Manually implements gzip (not relying on zlib.output_compression) ||
354 || - Produces correct ##Content-Length## header ||
355 || - Only compresses if: ||
356 || - 860 bytes < content < 1 MB ||
357 || - Client accepts compression ||
358 || - Headers not already sent ||
359 || **Example:** ||
360 || %%php
361 $http->gzip();
362 %% ||
363 || ---- ||
364 || ==== Utility Methods ==== ||
365 || ===== ##parse_str($str): array## (Private) ===== ||
366 || Parses URL-encoded strings with special character handling. ||
367 || **Purpose:** ||
368 || - Safely handles special characters in query/form data ||
369 || - Converts encoding properly ||
370 || **Example:** ||
371 || %%php
372 $data = $http->parse_str('name=John&age=30');
373 %% ||
374 || ---- ||
375 || ===== ##request_uri(): string## (Private) ===== ||
376 || Extracts and normalizes REQUEST_URI from server. ||
377 || **Normalization:** ||
378 || - Removes base URL prefix ||
379 || - Removes spaces ||
380 || - Collapses multiple slashes ||
381 || - Removes ##..## path traversal attempts ||
382 || - Removes leading/trailing slashes ||
383 || ---- ||
384 || ===== ##cut_prefix($prefix, $path): string## (Private) ===== ||
385 || Removes prefix from path (case-insensitive). ||
386 || ---- ||
387 || ===== ##get_header_conf($file_name): string## (Private) ===== ||
388 || Loads security header configuration from files. ||
389 || **Files Supported:** ||
390 || - ##csp.conf## / ##csp_custom.conf## ||
391 || - ##permissions_policy.conf## / ##permissions_policy_custom.conf## ||
392 || ---- ||
393 || === Configuration Dependencies === ||
394 || The class relies on these database configuration settings: ||
395 || Setting | Type | Purpose ||
396 || --------- | ------ | --------- ||
397 || ##base_url## | string | Wiki's base URL ||
398 || ##tls## | bool | Enable HTTPS enforcement ||
399 || ##cache## | bool | Enable page caching ||
400 || ##cache_ttl## | int | Cache lifetime in seconds ||
401 || ##session_store## | int | 1=File, 0=Database ||
402 || ##system_seed_hash## | string | Session encryption seed ||
403 || ##cookie_prefix## | string | Session cookie prefix ||
404 || ##cookie_path## | string | Cookie path ||
405 || ##allow_persistent_cookie## | bool | Allow persistent login ||
406 || ##session_length## | int | Session lifetime in seconds ||
407 || ##reverse_proxy_addresses## | string | Comma/space-separated proxy IPs ||
408 || ##reverse_proxy_header## | string | Custom X-Forwarded header ||
409 || ##language## | string | Default language code ||
410 || ##multilanguage## | bool | Enable language negotiation ||
411 || ##allowed_languages## | string | Comma/space-separated allowed langs ||
412 || ##enable_security_headers## | bool | Send security headers ||
413 || ##csp## | int | CSP setting (0/1/2) ||
414 || ##permissions_policy## | int | Permissions-Policy setting (0/1/2) ||
415 || ##referrer_policy## | int | Referrer-Policy setting (0-8) ||
416 || ---- ||
417 || === Constants Used === ||
418 || Constant | Type | Purpose ||
419 || ---------- | ------ | --------- ||
420 || ##IN_WACKO## | bool | Security check (exit if not defined) ||
421 || ##CHMOD_SAFE## | int | File permissions for cache files ||
422 || ##CHMOD_FILE## | int | File permissions for config cache ||
423 || ##CACHE_PAGE_DIR## | string | Page cache directory ||
424 || ##CACHE_SESSION_DIR## | string | Session cache directory ||
425 || ##CACHE_CONFIG_DIR## | string | Config cache directory ||
426 || ##CONFIG_DIR## | string | Configuration directory ||
427 || ##LANG_DIR## | string | Language files directory ||
428 || ##DAYSECS## | int | Seconds in a day (86400) ||
429 || ##HTTP_404## | string | Path to 404 error page ||
430 || ##HTTP_403## | string | Path to 403 error page ||
431 |#
432
433 ----
434
435 === Workflow Examples ===
436
437 ==== Example 1: Handling a GET Request ====
438
439 %%php
440 // In main wiki entry point
441 $http = new Http($db);
442 $http->session(0); // Start session
443
444 // Check if page can be served from cache
445 $http->check_cache('HomePage', 'show');
446
447 // ... render page content ...
448
449 // Store rendered page in cache if applicable
450 $http->store_cache();
451
452 // Send security headers
453 $http->http_security_headers();
454
455 // Possibly compress output
456 $http->gzip();
457 %%
458
459 ==== Example 2: Handling TLS/HTTPS Upgrade ====
460
461 %%php
462 $http = new Http($db); // Constructor detects TLS requirement
463 // If TLS is enabled and user wasn't in TLS before:
464 // - Sets TLS session flag
465 // - Marks session with TLS cookie
466 // - Redirects to HTTPS version
467 %%
468
469 ==== Example 3: Invalidating Cache After Page Edit ====
470
471 %%php
472 // User edits a page
473 $http = new Http($db);
474 $count = $http->invalidate_page('HomePage');
475 // All cached versions (different languages, methods) are invalidated
476 %%
477
478 ==== Example 4: Serving a File ====
479
480 %%php
481 $http = new Http($db);
482 $http->session(2); // Static file mode - no session replay prevention
483
484 // Serve with 30-day cache
485 $http->sendfile('uploads/manual.pdf', 'user-manual.pdf', 30);
486 %%
487
488 ----
489
490 === Security Considerations ===
491
492 ==== 1. **IP Address Spoofing** ====