Difference between revisions for Users / Eo Ny / dev




← Previous edit
Revision 4 as of 05/05/2026 19:10
6 05/05/2026 19:21 EoNy 5 05/05/2026 19:11 EoNy 4 05/05/2026 19:10 EoNy 3 05/05/2026 19:10 EoNy 2 05/05/2026 19:08 EoNy 1 05/05/2026 19:06 EoNy

(19.7 KiB)
EoNy
 Next edit →
Revision 7 as of 05/05/2026 19:23
18 05/21/2026 16:12 WikiAdmin 17 05/18/2026 15:15 WikiAdmin 16 05/18/2026 05:05 WikiAdmin 15 05/18/2026 05:04 WikiAdmin 14 05/17/2026 21:10 WikiAdmin 13 05/05/2026 19:29 EoNy 12 05/05/2026 19:28 WikiAdmin 11 05/05/2026 19:28 WikiAdmin 10 05/05/2026 19:27 WikiAdmin 9 05/05/2026 19:25 WikiAdmin 8 05/05/2026 19:24 WikiAdmin 7 05/05/2026 19:23 WikiAdmin 6 05/05/2026 19:21 EoNy 5 05/05/2026 19:11 EoNy

(14.8 KiB) -5,064
WikiAdmin

Additions:

Private Properties

Constructor

Purpose: Initializes the Http object and sets up HTTP session handling.
Parameters:
  • $db - Database object reference
Initialization Steps:
  1. Stores database reference
  2. Extracts and normalizes REQUEST_URI
  3. Detects TLS/HTTPS session status
  4. Determines client's real IP address
  5. Sets up TLS mark cookie name
  6. Enforces TLS session upgrade if needed
Example:

Core Methods

Session Management

session($route): void

Initializes the session handler (file-based or database-based).
Parameters:
  • $route (int) - Routing flag:
  • Bit 2 ($route & 2): Enable static mode for files/freecap (disables replay prevention and ID regeneration)
Features:
  • Selects storage backend (file or database)
  • Configures cookie settings (security, path, httponly)
  • Binds IP and TLS validation
  • Recovers diagnostic logs from previous session
Example:

Caching System

check_cache($page, $method): void

Determines if a page can be cached and prepares the cache check.
Parameters:
  • $page (string) - Page name to cache
  • $method (string) - Request method/action (e.g., 'show', 'edit')
Caching Rules:
  • ✅ Enabled for GET requests only
  • ✅ Disabled for POST requests
  • ❌ Never cached for 'edit' or 'watch' methods
  • ✅ Only cached for anonymous users (no logged-in users)
Example:

store_cache(): void

Saves the generated page content to cache file.
Features:
  • Retrieves output buffer content
  • Saves to cache file with proper permissions
  • Records cache metadata in database
  • Only executes if caching flag is set and user is anonymous
Example:

invalidate_page($page): int

Invalidates all cached versions of a page.
Parameters:
  • $page (string) - Page name to invalidate
Returns:
  • Number of cache entries invalidated
Process:
  1. Finds all cached versions (different methods/languages)
  2. Touches files to past timestamp (faster than deletion)
  3. Removes entries from cache metadata table
  4. Returns count of invalidated caches
Example:

TLS/HTTPS Security

secure_base_url(): void

Switches base URL from HTTP to HTTPS.
Purpose:
  • Ensures all subsequent URLs use HTTPS
  • Stores original HTTP URL for fallback
  • Called when TLS session is detected
Example:

ensure_tls($url): void

Enforces HTTPS for a specific URL and redirects if necessary.
Parameters:
  • $url (string) - URL to secure
Behavior:
  • If not already HTTPS and TLS is enabled, forces HTTPS redirect
  • Handles both relative and absolute URLs
  • Converts relative URLs using current server name
Example:

IP Address Detection

real_ip(): string (Private)

Detects client's real IP address accounting for proxies.
Proxy Headers Checked (in order):
  1. HTTP_X_CLUSTER_CLIENT_IP
  2. HTTP_X_FORWARDED_FOR (or custom header)
  3. HTTP_CLIENT_IP
  4. HTTP_X_REMOTE_ADDR
  5. REMOTE_ADDR (fallback)
Features:
  • Filters out private/reserved IP ranges
  • Respects configured reverse proxy addresses
  • Returns '0.0.0.0' as fallback
Configuration in Database:
  • reverse_proxy_addresses - Comma/space-separated proxy IPs
  • reverse_proxy_header - Custom header name (default: X-Forwarded-For)
Example:

HTTPS Detection

tls_session(): bool (Private)

Detects if current connection uses HTTPS/TLS.
Checks (any being true = HTTPS):
  • $_SERVER['HTTPS'] is 'on'
  • $_SERVER['SERVER_PORT'] is 443
  • $_SERVER['HTTP_X_FORWARDED_PROTO'] is 'https'
  • $_SERVER['HTTP_X_FORWARDED_SSL'] is 'on'
  • $_SERVER['HTTP_X_FORWARDED_PORT'] is 443

Security Headers

http_security_headers(): void

HTTP Methods

redirect($url, $permanent = false): void

Performs an HTTP redirect.
Parameters:
  • $url (string) - Target URL
  • $permanent (bool) - Use 301 (permanent) vs 302 (temporary)
Features:
  • Decodes & entities to prevent broken redirects
  • Only works if headers not yet sent
  • Uses output buffering to work anywhere in page processing
Example:

terminate(): void

Safe exit/die with cleanup.
Cleanup Operations:
  • Saves diagnostic logs to session flash data
  • Ends script execution
Example:

status($code): void

Sets HTTP response status code.
Supported Status Codes:
Example:

Caching Control

no_cache($client_only = true): void

Disables caching of the current page.
Parameters:
  • $client_only (bool, default: TRUE)
  • TRUE: Disable browser cache only
  • FALSE: Disable both browser and server cache
Headers Set:
  • Last-Modified: <current-time> (always fresh)
  • Cache-Control: no-store
Example:

cache_promisc(): void

Marks page as publicly cacheable.
Headers Set:
  • Cache-Control: public
Example:

Language Negotiation

user_agent_language(): string

Determines best language based on browser preferences.
Features:
  • Follows RFC 9110 section 12.5.4 (HTTP Accept-Language)
  • Parses Accept-Language header with quality factors
  • Attempts exact match first, then language fallback
  • Falls back to default system language
Example Header:
Returns:
  • Language code (e.g., 'en', 'en-US', 'de')

available_languages($subset = true): array

Returns list of available language translations.
Parameters:
  • $subset (bool, default: TRUE)
  • TRUE: Only allowed languages
  • FALSE: All available languages
Features:
  • Scans LANG_DIR for language files
  • Filters by allowed_languages config if set
  • Caches result in session
  • System language always included
Returns:
  • Associative array: ['en' => 'en', 'de' => 'de', ...]
Example:

File Serving

sendfile($path, $filename = null, $age = null): void

Serves files with proper HTTP headers and caching.
Parameters:
  • $path (string) - File path (or HTTP_XXX constant for error pages)
  • $filename (string, optional) - Custom download filename
  • $age (int, optional) - Cache age in days
Features:
  • HTTP range request support (partial file downloads)
  • ETag and Last-Modified conditional requests
  • Proper MIME type detection
  • Content-Security-Policy for special file types
  • Streaming for large files
  • GZip compression for text files
Special Paths:
Example:

mime_type($path): string

Returns MIME type for a file.
Returns:
  • MIME type string (e.g., 'application/pdf')
  • Default: 'application/octet-stream'
Example:

mime_types(): array (Private)

Loads and caches MIME types from configuration.
Features:
  • Reads from config/mime.types
  • Caches to cache/config/mime.types
  • Reloads if config is updated

Compression

gzip(): void

Compresses HTTP response with gzip/x-gzip.
Features:
  • Manually implements gzip (not relying on zlib.output_compression)
  • Produces correct Content-Length header
  • Only compresses if:
  • 860 bytes < content < 1 MB
  • Client accepts compression
  • Headers not already sent
Example:

Utility Methods

parse_str($str): array (Private)

Parses URL-encoded strings with special character handling.
Purpose:
  • Safely handles special characters in query/form data
  • Converts encoding properly
Example:

request_uri(): string (Private)

Extracts and normalizes REQUEST_URI from server.
Normalization:
  • Removes base URL prefix
  • Removes spaces
  • Collapses multiple slashes
  • Removes .. path traversal attempts
  • Removes leading/trailing slashes

cut_prefix($prefix, $path): string (Private)

Removes prefix from path (case-insensitive).

get_header_conf($file_name): string (Private)

Loads security header configuration from files.
Files Supported:
  • csp.conf / csp_custom.conf
  • permissions_policy.conf / permissions_policy_custom.conf

Configuration Dependencies

Constants Used


Deletions:
Property Type Description
$tls_session bool Indicates if the current session uses HTTPS/TLS encryption
$request_uri string Normalized REQUEST_URI (e.g., 'PageOfNoReturn/show?a=1')
$ip string Client's real IP address (accounts for proxies)
$sess Session Reference to the Session object
$method string Current HTTP method/request type

Private Properties

Property Type Description
$db object Database connection reference
$tls_mark string Cookie name for TLS session marking
$page string Current page name being processed
$hash string SHA1 hash of the page name
$query string Encoded query string
$lang string Current language code
$file string Cache file path
$caching int Flag indicating if page should be cached (0 or 1)

Constructor 

php
Purpose: Initializes the Http object and sets up HTTP session handling.
Parameters:
- $db - Database object reference
Initialization Steps:
1. Stores database reference
2. Extracts and normalizes REQUEST_URI
3. Detects TLS/HTTPS session status
4. Determines client's real IP address
5. Sets up TLS mark cookie name
6. Enforces TLS session upgrade if needed
Example: 
php

Core Methods

Session Management

session($route): void

Initializes the session handler (file-based or database-based).
Parameters:
- $route (int) - Routing flag:
- Bit 2 ($route & 2): Enable static mode for files/freecap (disables replay prevention and ID regeneration)
Features:
- Selects storage backend (file or database)
- Configures cookie settings (security, path, httponly)
- Binds IP and TLS validation
- Recovers diagnostic logs from previous session
Example: 
php

Caching System

check_cache($page, $method): void

Determines if a page can be cached and prepares the cache check.
Parameters:
- $page (string) - Page name to cache
- $method (string) - Request method/action (e.g., 'show', 'edit')
Caching Rules:
- ✅ Enabled for GET requests only
- ✅ Disabled for POST requests
- ❌ Never cached for 'edit' or 'watch' methods
- ✅ Only cached for anonymous users (no logged-in users)
Example: 
php

store_cache(): void

Saves the generated page content to cache file.
Features:
- Retrieves output buffer content
- Saves to cache file with proper permissions
- Records cache metadata in database
- Only executes if caching flag is set and user is anonymous
Example: 
php

invalidate_page($page): int

Invalidates all cached versions of a page.
Parameters:
- $page (string) - Page name to invalidate
Returns:
- Number of cache entries invalidated
Process:
1. Finds all cached versions (different methods/languages)
2. Touches files to past timestamp (faster than deletion)
3. Removes entries from cache metadata table
4. Returns count of invalidated caches
Example: 
php

TLS/HTTPS Security

secure_base_url(): void

Switches base URL from HTTP to HTTPS.
Purpose:
- Ensures all subsequent URLs use HTTPS
- Stores original HTTP URL for fallback
- Called when TLS session is detected
Example: 
php

ensure_tls($url): void

Enforces HTTPS for a specific URL and redirects if necessary.
Parameters:
- $url (string) - URL to secure
Behavior:
- If not already HTTPS and TLS is enabled, forces HTTPS redirect
- Handles both relative and absolute URLs
- Converts relative URLs using current server name
Example: 
php

IP Address Detection

real_ip(): string (Private)

Detects client's real IP address accounting for proxies.
Proxy Headers Checked (in order):
1. HTTP_X_CLUSTER_CLIENT_IP
2. HTTP_X_FORWARDED_FOR (or custom header)
3. HTTP_CLIENT_IP
4. HTTP_X_REMOTE_ADDR
5. REMOTE_ADDR (fallback)
Features:
- Filters out private/reserved IP ranges
- Respects configured reverse proxy addresses
- Returns '0.0.0.0' as fallback
Configuration in Database:
- reverse_proxy_addresses - Comma/space-separated proxy IPs
- reverse_proxy_header - Custom header name (default: X-Forwarded-For)
Example: 
php

HTTPS Detection

tls_session(): bool (Private)

Detects if current connection uses HTTPS/TLS.
Checks (any being true = HTTPS):
- $_SERVER['HTTPS'] is 'on'
- $_SERVER['SERVER_PORT'] is 443
- $_SERVER['HTTP_X_FORWARDED_PROTO'] is 'https'
- $_SERVER['HTTP_X_FORWARDED_SSL'] is 'on'
- $_SERVER['HTTP_X_FORWARDED_PORT'] is 443

Security Headers

http_security_headers(): void

Sets security-related HTTP headers.
Headers Set:
Header Purpose Config Key
Content-Security-Policy XSS/injection protection csp
Permissions-Policy Control browser features permissions_policy
Referrer-Policy Control referrer information referrer_policy
Strict-Transport-Security Force HTTPS Auto (TLS only)
X-Frame-Options Clickjacking protection Hardcoded: SAMEORIGIN
X-Content-Type-Options MIME sniffing prevention Hardcoded: nosniff
CSP Configuration Options:
- 0 - Disabled
- 1 - Default policy (from csp.conf)
- 2 - Custom policy (from csp_custom.conf)
Example: 
php

HTTP Methods

redirect($url, $permanent = false): void

Performs an HTTP redirect.
Parameters:
- $url (string) - Target URL
- $permanent (bool) - Use 301 (permanent) vs 302 (temporary)
Features:
- Decodes & entities to prevent broken redirects
- Only works if headers not yet sent
- Uses output buffering to work anywhere in page processing
Example: 
php

terminate(): void

Safe exit/die with cleanup.
Cleanup Operations:
- Saves diagnostic logs to session flash data
- Ends script execution
Example: 
php

status($code): void

Sets HTTP response status code.
Supported Status Codes: 
php
Example: 
php

Caching Control

no_cache($client_only = true): void

Disables caching of the current page.
Parameters:
- $client_only (bool, default: TRUE)
- TRUE: Disable browser cache only
- FALSE: Disable both browser and server cache
Headers Set:
- Last-Modified: <current-time> (always fresh)
- Cache-Control: no-store
Example: 
php

cache_promisc(): void

Marks page as publicly cacheable.
Headers Set:
- Cache-Control: public
Example: 
php

Language Negotiation

user_agent_language(): string

Determines best language based on browser preferences.
Features:
- Follows RFC 9110 section 12.5.4 (HTTP Accept-Language)
- Parses Accept-Language header with quality factors
- Attempts exact match first, then language fallback
- Falls back to default system language
Example Header:
Returns:
- Language code (e.g., 'en', 'en-US', 'de')

available_languages($subset = true): array

Returns list of available language translations.
Parameters:
- $subset (bool, default: TRUE)
- TRUE: Only allowed languages
- FALSE: All available languages
Features:
- Scans LANG_DIR for language files
- Filters by allowed_languages config if set
- Caches result in session
- System language always included
Returns:
- Associative array: ['en' => 'en', 'de' => 'de', ...]
Example: 
php

File Serving

sendfile($path, $filename = null, $age = null): void

Serves files with proper HTTP headers and caching.
Parameters:
- $path (string) - File path (or HTTP_XXX constant for error pages)
- $filename (string, optional) - Custom download filename
- $age (int, optional) - Cache age in days
Features:
- HTTP range request support (partial file downloads)
- ETag and Last-Modified conditional requests
- Proper MIME type detection
- Content-Security-Policy for special file types
- Streaming for large files
- GZip compression for text files
Special Paths: 
php
Example: 
php

mime_type($path): string

Returns MIME type for a file.
Returns:
- MIME type string (e.g., 'application/pdf')
- Default: 'application/octet-stream'
Example: 
php

mime_types(): array (Private)

Loads and caches MIME types from configuration.
Features:
- Reads from config/mime.types
- Caches to cache/config/mime.types
- Reloads if config is updated

Compression

gzip(): void

Compresses HTTP response with gzip/x-gzip.
Features:
- Manually implements gzip (not relying on zlib.output_compression)
- Produces correct Content-Length header
- Only compresses if:
- 860 bytes < content < 1 MB
- Client accepts compression
- Headers not already sent
Example: 
php

Utility Methods

parse_str($str): array (Private)

Parses URL-encoded strings with special character handling.
Purpose:
- Safely handles special characters in query/form data
- Converts encoding properly
Example: 
php

request_uri(): string (Private)

Extracts and normalizes REQUEST_URI from server.
Normalization:
- Removes base URL prefix
- Removes spaces
- Collapses multiple slashes
- Removes .. path traversal attempts
- Removes leading/trailing slashes

cut_prefix($prefix, $path): string (Private)

Removes prefix from path (case-insensitive).

get_header_conf($file_name): string (Private)

Loads security header configuration from files.
Files Supported:
- csp.conf / csp_custom.conf
- permissions_policy.conf / permissions_policy_custom.conf

Configuration Dependencies

The class relies on these database configuration settings:
Setting Type Purpose
base_url string Wiki's base URL
tls bool Enable HTTPS enforcement
cache bool Enable page caching
cache_ttl int Cache lifetime in seconds
session_store int 1=File, 0=Database
system_seed_hash string Session encryption seed
cookie_prefix string Session cookie prefix
cookie_path string Cookie path
allow_persistent_cookie bool Allow persistent login
session_length int Session lifetime in seconds
reverse_proxy_addresses string Comma/space-separated proxy IPs
reverse_proxy_header string Custom X-Forwarded header
language string Default language code
multilanguage bool Enable language negotiation
allowed_languages string Comma/space-separated allowed langs
enable_security_headers bool Send security headers
csp int CSP setting (0/1/2)
permissions_policy int Permissions-Policy setting (0/1/2)
referrer_policy int Referrer-Policy setting (0-8)

Constants Used

Constant Type Purpose
IN_WACKO bool Security check (exit if not defined)
CHMOD_SAFE int File permissions for cache files
CHMOD_FILE int File permissions for config cache
CACHE_PAGE_DIR string Page cache directory
CACHE_SESSION_DIR string Session cache directory
CACHE_CONFIG_DIR string Config cache directory
CONFIG_DIR string Configuration directory
LANG_DIR string Language files directory
DAYSECS int Seconds in a day (86400)
HTTP_404 string Path to 404 error page
HTTP_403 string Path to 403 error page