Difference between revisions for Users / Eo Ny / dev




← Previous edit
Revision 4 as of 05/05/2026 19:10
7 05/05/2026 19:23 WikiAdmin 6 05/05/2026 19:21 EoNy 5 05/05/2026 19:11 EoNy 4 05/05/2026 19:10 EoNy 3 05/05/2026 19:10 EoNy 2 05/05/2026 19:08 EoNy 1 05/05/2026 19:06 EoNy

(19.7 KiB)
EoNy
 Next edit →
Revision 8 as of 05/05/2026 19:24
18 05/21/2026 16:12 WikiAdmin 17 05/18/2026 15:15 WikiAdmin 16 05/18/2026 05:05 WikiAdmin 15 05/18/2026 05:04 WikiAdmin 14 05/17/2026 21:10 WikiAdmin 13 05/05/2026 19:29 EoNy 12 05/05/2026 19:28 WikiAdmin 11 05/05/2026 19:28 WikiAdmin 10 05/05/2026 19:27 WikiAdmin 9 05/05/2026 19:25 WikiAdmin 8 05/05/2026 19:24 WikiAdmin 7 05/05/2026 19:23 WikiAdmin 6 05/05/2026 19:21 EoNy 5 05/05/2026 19:11 EoNy

(15.2 KiB) -4,648
WikiAdmin

Additions:

Public Properties

Private Properties

Constructor

Purpose: Initializes the Http object and sets up HTTP session handling.
Parameters:
  • $db - Database object reference
Initialization Steps:
  1. Stores database reference
  2. Extracts and normalizes REQUEST_URI
  3. Detects TLS/HTTPS session status
  4. Determines client's real IP address
  5. Sets up TLS mark cookie name
  6. Enforces TLS session upgrade if needed
Example:

Core Methods

Session Management

session($route): void

Initializes the session handler (file-based or database-based).
Parameters:
  • $route (int) - Routing flag:
  • Bit 2 ($route & 2): Enable static mode for files/freecap (disables replay prevention and ID regeneration)
Features:
  • Selects storage backend (file or database)
  • Configures cookie settings (security, path, httponly)
  • Binds IP and TLS validation
  • Recovers diagnostic logs from previous session
Example:

Caching System

check_cache($page, $method): void

Determines if a page can be cached and prepares the cache check.
Parameters:
  • $page (string) - Page name to cache
  • $method (string) - Request method/action (e.g., 'show', 'edit')
Caching Rules:
  • ✅ Enabled for GET requests only
  • ✅ Disabled for POST requests
  • ❌ Never cached for 'edit' or 'watch' methods
  • ✅ Only cached for anonymous users (no logged-in users)
Example:

store_cache(): void

Saves the generated page content to cache file.
Features:
  • Retrieves output buffer content
  • Saves to cache file with proper permissions
  • Records cache metadata in database
  • Only executes if caching flag is set and user is anonymous
Example:

invalidate_page($page): int

Invalidates all cached versions of a page.
Parameters:
  • $page (string) - Page name to invalidate
Returns:
  • Number of cache entries invalidated
Process:
  1. Finds all cached versions (different methods/languages)
  2. Touches files to past timestamp (faster than deletion)
  3. Removes entries from cache metadata table
  4. Returns count of invalidated caches
Example:

TLS/HTTPS Security

secure_base_url(): void

Switches base URL from HTTP to HTTPS.
Purpose:
  • Ensures all subsequent URLs use HTTPS
  • Stores original HTTP URL for fallback
  • Called when TLS session is detected
Example:

ensure_tls($url): void

Enforces HTTPS for a specific URL and redirects if necessary.
Parameters:
  • $url (string) - URL to secure
Behavior:
  • If not already HTTPS and TLS is enabled, forces HTTPS redirect
  • Handles both relative and absolute URLs
  • Converts relative URLs using current server name
Example:

IP Address Detection

real_ip(): string (Private)

Detects client's real IP address accounting for proxies.
Proxy Headers Checked (in order):
  1. HTTP_X_CLUSTER_CLIENT_IP
  2. HTTP_X_FORWARDED_FOR (or custom header)
  3. HTTP_CLIENT_IP
  4. HTTP_X_REMOTE_ADDR
  5. REMOTE_ADDR (fallback)
Features:
  • Filters out private/reserved IP ranges
  • Respects configured reverse proxy addresses
  • Returns '0.0.0.0' as fallback
Configuration in Database:
  • reverse_proxy_addresses - Comma/space-separated proxy IPs
  • reverse_proxy_header - Custom header name (default: X-Forwarded-For)
Example:

HTTPS Detection

tls_session(): bool (Private)

Detects if current connection uses HTTPS/TLS.
Checks (any being true = HTTPS):
  • $_SERVER['HTTPS'] is 'on'
  • $_SERVER['SERVER_PORT'] is 443
  • $_SERVER['HTTP_X_FORWARDED_PROTO'] is 'https'
  • $_SERVER['HTTP_X_FORWARDED_SSL'] is 'on'
  • $_SERVER['HTTP_X_FORWARDED_PORT'] is 443

Security Headers

http_security_headers(): void

HTTP Methods

redirect($url, $permanent = false): void

Performs an HTTP redirect.
Parameters:
  • $url (string) - Target URL
  • $permanent (bool) - Use 301 (permanent) vs 302 (temporary)
Features:
  • Decodes & entities to prevent broken redirects
  • Only works if headers not yet sent
  • Uses output buffering to work anywhere in page processing
Example:

terminate(): void

Safe exit/die with cleanup.
Cleanup Operations:
  • Saves diagnostic logs to session flash data
  • Ends script execution
Example:

status($code): void

Sets HTTP response status code.
Supported Status Codes:
Example:

Caching Control

no_cache($client_only = true): void

Disables caching of the current page.
Parameters:
  • $client_only (bool, default: TRUE)
  • TRUE: Disable browser cache only
  • FALSE: Disable both browser and server cache
Headers Set:
  • Last-Modified: <current-time> (always fresh)
  • Cache-Control: no-store
Example:

cache_promisc(): void

Marks page as publicly cacheable.
Headers Set:
  • Cache-Control: public
Example:

Language Negotiation

user_agent_language(): string

Determines best language based on browser preferences.
Features:
  • Follows RFC 9110 section 12.5.4 (HTTP Accept-Language)
  • Parses Accept-Language header with quality factors
  • Attempts exact match first, then language fallback
  • Falls back to default system language
Example Header:
Returns:
  • Language code (e.g., 'en', 'en-US', 'de')

available_languages($subset = true): array

Returns list of available language translations.
Parameters:
  • $subset (bool, default: TRUE)
  • TRUE: Only allowed languages
  • FALSE: All available languages
Features:
  • Scans LANG_DIR for language files
  • Filters by allowed_languages config if set
  • Caches result in session
  • System language always included
Returns:
  • Associative array: ['en' => 'en', 'de' => 'de', ...]
Example:

File Serving

sendfile($path, $filename = null, $age = null): void

Serves files with proper HTTP headers and caching.
Parameters:
  • $path (string) - File path (or HTTP_XXX constant for error pages)
  • $filename (string, optional) - Custom download filename
  • $age (int, optional) - Cache age in days
Features:
  • HTTP range request support (partial file downloads)
  • ETag and Last-Modified conditional requests
  • Proper MIME type detection
  • Content-Security-Policy for special file types
  • Streaming for large files
  • GZip compression for text files
Special Paths:
Example:

mime_type($path): string

Returns MIME type for a file.
Returns:
  • MIME type string (e.g., 'application/pdf')
  • Default: 'application/octet-stream'
Example:

mime_types(): array (Private)

Loads and caches MIME types from configuration.
Features:
  • Reads from config/mime.types
  • Caches to cache/config/mime.types
  • Reloads if config is updated

Compression

gzip(): void

Compresses HTTP response with gzip/x-gzip.
Features:
  • Manually implements gzip (not relying on zlib.output_compression)
  • Produces correct Content-Length header
  • Only compresses if:
  • 860 bytes < content < 1 MB
  • Client accepts compression
  • Headers not already sent
Example:

Utility Methods

parse_str($str): array (Private)

Parses URL-encoded strings with special character handling.
Purpose:
  • Safely handles special characters in query/form data
  • Converts encoding properly
Example:

request_uri(): string (Private)

Extracts and normalizes REQUEST_URI from server.
Normalization:
  • Removes base URL prefix
  • Removes spaces
  • Collapses multiple slashes
  • Removes .. path traversal attempts
  • Removes leading/trailing slashes

cut_prefix($prefix, $path): string (Private)

Removes prefix from path (case-insensitive).

get_header_conf($file_name): string (Private)

Loads security header configuration from files.
Files Supported:
  • csp.conf / csp_custom.conf
  • permissions_policy.conf / permissions_policy_custom.conf

Configuration Dependencies

Constants Used


Deletions:

Public Properties

|| ==== Private Properties ==== ||
|| Property | Type | Description ||
|| ---------- | ------ | ------------- ||
|| ##$db## | object | Database connection reference ||
|| ##$tls_mark## | string | Cookie name for TLS session marking ||
|| ##$page## | string | Current page name being processed ||
|| ##$hash## | string | SHA1 hash of the page name ||
|| ##$query## | string | Encoded query string ||
|| ##$lang## | string | Current language code ||
|| ##$file## | string | Cache file path ||
|| ##$caching## | int | Flag indicating if page should be cached (0 or 1) ||
|| ---- ||
|| === Constructor === ||
|| 
php
||
|| **Purpose:** Initializes the Http object and sets up HTTP session handling. ||
|| **Parameters:** ||
|| - ##$db## - Database object reference ||
|| **Initialization Steps:** ||
|| 1. Stores database reference ||
|| 2. Extracts and normalizes REQUEST_URI ||
|| 3. Detects TLS/HTTPS session status ||
|| 4. Determines client's real IP address ||
|| 5. Sets up TLS mark cookie name ||
|| 6. Enforces TLS session upgrade if needed ||
|| **Example:** ||
|| 
php
||
|| ---- ||
|| === Core Methods === ||
|| ==== Session Management ==== ||
|| ===== ##session($route): void## ===== ||
|| Initializes the session handler (file-based or database-based). ||
|| **Parameters:** ||
|| - ##$route## (int) - Routing flag: ||
|| - Bit 2 (##$route & 2##): Enable static mode for files/freecap (disables replay prevention and ID regeneration) ||
|| **Features:** ||
|| - Selects storage backend (file or database) ||
|| - Configures cookie settings (security, path, httponly) ||
|| - Binds IP and TLS validation ||
|| - Recovers diagnostic logs from previous session ||
|| **Example:** ||
|| 
php
||
|| ---- ||
|| ==== Caching System ==== ||
|| ===== ##check_cache($page, $method): void## ===== ||
|| Determines if a page can be cached and prepares the cache check. ||
|| **Parameters:** ||
|| - ##$page## (string) - Page name to cache ||
|| - ##$method## (string) - Request method/action (e.g., 'show', 'edit') ||
|| **Caching Rules:** ||
|| - ✅ Enabled for GET requests only ||
|| - ✅ Disabled for POST requests ||
|| - ❌ Never cached for 'edit' or 'watch' methods ||
|| - ✅ Only cached for anonymous users (no logged-in users) ||
|| **Example:** ||
|| 
php
||
|| ---- ||
|| ===== ##store_cache(): void## ===== ||
|| Saves the generated page content to cache file. ||
|| **Features:** ||
|| - Retrieves output buffer content ||
|| - Saves to cache file with proper permissions ||
|| - Records cache metadata in database ||
|| - Only executes if caching flag is set and user is anonymous ||
|| **Example:** ||
|| 
php
||
|| ---- ||
|| ===== ##invalidate_page($page): int## ===== ||
|| Invalidates all cached versions of a page. ||
|| **Parameters:** ||
|| - ##$page## (string) - Page name to invalidate ||
|| **Returns:** ||
|| - Number of cache entries invalidated ||
|| **Process:** ||
|| 1. Finds all cached versions (different methods/languages) ||
|| 2. Touches files to past timestamp (faster than deletion) ||
|| 3. Removes entries from cache metadata table ||
|| 4. Returns count of invalidated caches ||
|| **Example:** ||
|| 
php
||
|| ---- ||
|| ==== TLS/HTTPS Security ==== ||
|| ===== ##secure_base_url(): void## ===== ||
|| Switches base URL from HTTP to HTTPS. ||
|| **Purpose:** ||
|| - Ensures all subsequent URLs use HTTPS ||
|| - Stores original HTTP URL for fallback ||
|| - Called when TLS session is detected ||
|| **Example:** ||
|| 
php
||
|| ---- ||
|| ===== ##ensure_tls($url): void## ===== ||
|| Enforces HTTPS for a specific URL and redirects if necessary. ||
|| **Parameters:** ||
|| - ##$url## (string) - URL to secure ||
|| **Behavior:** ||
|| - If not already HTTPS and TLS is enabled, forces HTTPS redirect ||
|| - Handles both relative and absolute URLs ||
|| - Converts relative URLs using current server name ||
|| **Example:** ||
|| 
php
||
|| ---- ||
|| ==== IP Address Detection ==== ||
|| ===== ##real_ip(): string## (Private) ===== ||
|| Detects client's real IP address accounting for proxies. ||
|| **Proxy Headers Checked (in order):** ||
|| 1. ##HTTP_X_CLUSTER_CLIENT_IP## ||
|| 2. ##HTTP_X_FORWARDED_FOR## (or custom header) ||
|| 3. ##HTTP_CLIENT_IP## ||
|| 4. ##HTTP_X_REMOTE_ADDR## ||
|| 5. ##REMOTE_ADDR## (fallback) ||
|| **Features:** ||
|| - Filters out private/reserved IP ranges ||
|| - Respects configured reverse proxy addresses ||
|| - Returns ##'0.0.0.0'## as fallback ||
|| **Configuration in Database:** ||
|| - ##reverse_proxy_addresses## - Comma/space-separated proxy IPs ||
|| - ##reverse_proxy_header## - Custom header name (default: ##X-Forwarded-For##) ||
|| **Example:** ||
|| 
php
||
|| ---- ||
|| ==== HTTPS Detection ==== ||
|| ===== ##tls_session(): bool## (Private) ===== ||
|| Detects if current connection uses HTTPS/TLS. ||
|| **Checks (any being true = HTTPS):** ||
|| - ##$_SERVER['HTTPS']## is 'on' ||
|| - ##$_SERVER['SERVER_PORT']## is 443 ||
|| - ##$_SERVER['HTTP_X_FORWARDED_PROTO']## is 'https' ||
|| - ##$_SERVER['HTTP_X_FORWARDED_SSL']## is 'on' ||
|| - ##$_SERVER['HTTP_X_FORWARDED_PORT']## is 443 ||
|| ---- ||
|| ==== Security Headers ==== ||
|| ===== ##http_security_headers(): void## ===== ||
|| Sets security-related HTTP headers. ||
|| **Headers Set:** ||
|| Header | Purpose | Config Key ||
|| -------- | --------- | ------------ ||
|| Content-Security-Policy | XSS/injection protection | ##csp## ||
|| Permissions-Policy | Control browser features | ##permissions_policy## ||
|| Referrer-Policy | Control referrer information | ##referrer_policy## ||
|| Strict-Transport-Security | Force HTTPS | Auto (TLS only) ||
|| X-Frame-Options | Clickjacking protection | Hardcoded: ##SAMEORIGIN## ||
|| X-Content-Type-Options | MIME sniffing prevention | Hardcoded: ##nosniff## ||
|| **CSP Configuration Options:** ||
|| - ##0## - Disabled ||
|| - ##1## - Default policy (from ##csp.conf##) ||
|| - ##2## - Custom policy (from ##csp_custom.conf##) ||
|| **Example:** ||
|| 
php
||
|| ---- ||
|| ==== HTTP Methods ==== ||
|| ===== ##redirect($url, $permanent = false): void## ===== ||
|| Performs an HTTP redirect. ||
|| **Parameters:** ||
|| - ##$url## (string) - Target URL ||
|| - ##$permanent## (bool) - Use 301 (permanent) vs 302 (temporary) ||
|| **Features:** ||
|| - Decodes ##&amp;## entities to prevent broken redirects ||
|| - Only works if headers not yet sent ||
|| - Uses output buffering to work anywhere in page processing ||
|| **Example:** ||
|| 
php
||
|| ---- ||
|| ===== ##terminate(): void## ===== ||
|| Safe exit/die with cleanup. ||
|| **Cleanup Operations:** ||
|| - Saves diagnostic logs to session flash data ||
|| - Ends script execution ||
|| **Example:** ||
|| 
php
||
|| ---- ||
|| ===== ##status($code): void## ===== ||
|| Sets HTTP response status code. ||
|| **Supported Status Codes:** ||
|| 
php
||
|| **Example:** ||
|| 
php
||
|| ---- ||
|| ==== Caching Control ==== ||
|| ===== ##no_cache($client_only = true): void## ===== ||
|| Disables caching of the current page. ||
|| **Parameters:** ||
|| - ##$client_only## (bool, default: TRUE) ||
|| - ##TRUE##: Disable browser cache only ||
|| - ##FALSE##: Disable both browser and server cache ||
|| **Headers Set:** ||
|| - ##Last-Modified: <current-time>## (always fresh) ||
|| - ##Cache-Control: no-store## ||
|| **Example:** ||
|| 
php
||
|| ---- ||
|| ===== ##cache_promisc(): void## ===== ||
|| Marks page as publicly cacheable. ||
|| **Headers Set:** ||
|| - ##Cache-Control: public## ||
|| **Example:** ||
|| 
php
||
|| ---- ||
|| ==== Language Negotiation ==== ||
|| ===== ##user_agent_language(): string## ===== ||
|| Determines best language based on browser preferences. ||
|| **Features:** ||
|| - Follows RFC 9110 section 12.5.4 (HTTP Accept-Language) ||
|| - Parses ##Accept-Language## header with quality factors ||
|| - Attempts exact match first, then language fallback ||
|| - Falls back to default system language ||
|| **Example Header:** ||
||
||
|| **Returns:** ||
|| - Language code (e.g., 'en', 'en-US', 'de') ||
|| ---- ||
|| ===== ##available_languages($subset = true): array## ===== ||
|| Returns list of available language translations. ||
|| **Parameters:** ||
|| - ##$subset## (bool, default: TRUE) ||
|| - ##TRUE##: Only allowed languages ||
|| - ##FALSE##: All available languages ||
|| **Features:** ||
|| - Scans ##LANG_DIR## for language files ||
|| - Filters by ##allowed_languages## config if set ||
|| - Caches result in session ||
|| - System language always included ||
|| **Returns:** ||
|| - Associative array: ##['en' => 'en', 'de' => 'de', ...]## ||
|| **Example:** ||
|| 
php
||
|| ---- ||
|| ==== File Serving ==== ||
|| ===== ##sendfile($path, $filename = null, $age = null): void## ===== ||
|| Serves files with proper HTTP headers and caching. ||
|| **Parameters:** ||
|| - ##$path## (string) - File path (or HTTP_XXX constant for error pages) ||
|| - ##$filename## (string, optional) - Custom download filename ||
|| - ##$age## (int, optional) - Cache age in days ||
|| **Features:** ||
|| - HTTP range request support (partial file downloads) ||
|| - ETag and Last-Modified conditional requests ||
|| - Proper MIME type detection ||
|| - Content-Security-Policy for special file types ||
|| - Streaming for large files ||
|| - GZip compression for text files ||
|| **Special Paths:** ||
|| 
php
||
|| **Example:** ||
|| 
php
||
|| ---- ||
|| ===== ##mime_type($path): string## ===== ||
|| Returns MIME type for a file. ||
|| **Returns:** ||
|| - MIME type string (e.g., 'application/pdf') ||
|| - Default: ##'application/octet-stream'## ||
|| **Example:** ||
|| 
php
||
|| ---- ||
|| ===== ##mime_types(): array## (Private) ===== ||
|| Loads and caches MIME types from configuration. ||
|| **Features:** ||
|| - Reads from ##config/mime.types## ||
|| - Caches to ##cache/config/mime.types## ||
|| - Reloads if config is updated ||
|| ---- ||
|| ==== Compression ==== ||
|| ===== ##gzip(): void## ===== ||
|| Compresses HTTP response with gzip/x-gzip. ||
|| **Features:** ||
|| - Manually implements gzip (not relying on zlib.output_compression) ||
|| - Produces correct ##Content-Length## header ||
|| - Only compresses if: ||
|| - 860 bytes < content < 1 MB ||
|| - Client accepts compression ||
|| - Headers not already sent ||
|| **Example:** ||
|| 
php
||
|| ---- ||
|| ==== Utility Methods ==== ||
|| ===== ##parse_str($str): array## (Private) ===== ||
|| Parses URL-encoded strings with special character handling. ||
|| **Purpose:** ||
|| - Safely handles special characters in query/form data ||
|| - Converts encoding properly ||
|| **Example:** ||
|| 
php
||
|| ---- ||
|| ===== ##request_uri(): string## (Private) ===== ||
|| Extracts and normalizes REQUEST_URI from server. ||
|| **Normalization:** ||
|| - Removes base URL prefix ||
|| - Removes spaces ||
|| - Collapses multiple slashes ||
|| - Removes ##..## path traversal attempts ||
|| - Removes leading/trailing slashes ||
|| ---- ||
|| ===== ##cut_prefix($prefix, $path): string## (Private) ===== ||
|| Removes prefix from path (case-insensitive). ||
|| ---- ||
|| ===== ##get_header_conf($file_name): string## (Private) ===== ||
|| Loads security header configuration from files. ||
|| **Files Supported:** ||
|| - ##csp.conf## / ##csp_custom.conf## ||
|| - ##permissions_policy.conf## / ##permissions_policy_custom.conf## ||
|| ---- ||
|| === Configuration Dependencies === ||
|| The class relies on these database configuration settings: ||
|| Setting | Type | Purpose ||
|| --------- | ------ | --------- ||
|| ##base_url## | string | Wiki's base URL ||
|| ##tls## | bool | Enable HTTPS enforcement ||
|| ##cache## | bool | Enable page caching ||
|| ##cache_ttl## | int | Cache lifetime in seconds ||
|| ##session_store## | int | 1=File, 0=Database ||
|| ##system_seed_hash## | string | Session encryption seed ||
|| ##cookie_prefix## | string | Session cookie prefix ||
|| ##cookie_path## | string | Cookie path ||
|| ##allow_persistent_cookie## | bool | Allow persistent login ||
|| ##session_length## | int | Session lifetime in seconds ||
|| ##reverse_proxy_addresses## | string | Comma/space-separated proxy IPs ||
|| ##reverse_proxy_header## | string | Custom X-Forwarded header ||
|| ##language## | string | Default language code ||
|| ##multilanguage## | bool | Enable language negotiation ||
|| ##allowed_languages## | string | Comma/space-separated allowed langs ||
|| ##enable_security_headers## | bool | Send security headers ||
|| ##csp## | int | CSP setting (0/1/2) ||
|| ##permissions_policy## | int | Permissions-Policy setting (0/1/2) ||
|| ##referrer_policy## | int | Referrer-Policy setting (0-8) ||
|| ---- ||
|| === Constants Used === ||
|| Constant | Type | Purpose ||
|| ---------- | ------ | --------- ||
|| ##IN_WACKO## | bool | Security check (exit if not defined) ||
|| ##CHMOD_SAFE## | int | File permissions for cache files ||
|| ##CHMOD_FILE## | int | File permissions for config cache ||
|| ##CACHE_PAGE_DIR## | string | Page cache directory ||
|| ##CACHE_SESSION_DIR## | string | Session cache directory ||
|| ##CACHE_CONFIG_DIR## | string | Config cache directory ||
|| ##CONFIG_DIR## | string | Configuration directory ||
|| ##LANG_DIR## | string | Language files directory ||
|| ##DAYSECS## | int | Seconds in a day (86400) ||
|| ##HTTP_404## | string | Path to 404 error page ||
|| ##HTTP_403## | string | Path to 403 error page ||