karadav/www/_inc.php

<?php

namespace KaraDAV;

use KD2\ErrorManager;

spl_autoload_register(function ($class) {
    $class = str_replace('\\', '/', $class);
    require_once __DIR__ . '/../lib/' . $class . '.php';
});

ErrorManager::setLogFile(__DIR__ . '/../error.log');

$cfg_file = __DIR__ . '/../config.local.php';

if (!file_exists($cfg_file)) {
	die('This server is not configured yet. Please copy config.dist.php to config.local.php and edit it.');
}

require $cfg_file;

if (!defined('KaraDAV\ERRORS_SHOW')) {
	define('KaraDAV\ERRORS_SHOW', true);
}

if (!ERRORS_SHOW) {
	ErrorManager::enable(ErrorManager::PRODUCTION);
}
else {
	ErrorManager::enable(ErrorManager::DEVELOPMENT);
}

if (defined('KaraDAV\ERRORS_EMAIL') && ERRORS_EMAIL) {
	ErrorManager::setEmail(ERRORS_EMAIL);
}

if (defined('KaraDAV\ERRORS_LOG') && ERRORS_LOG) {
	ErrorManager::setLogFile(ERRORS_LOG);
}
elseif (is_writeable(__DIR__ . '/../error.log')) {
	ErrorManager::setLogFile(__DIR__ . '/../error.log');
}

if (defined('KaraDAV\ERRORS_REPORT_URL') && ERRORS_REPORT_URL) {
	ErrorManager::setRemoteReporting(ERRORS_REPORT_URL, true);
}

// Create random secret key
if (!defined('KaraDAV\SECRET_KEY')) {
	$cfg = file_get_contents($cfg_file);

	if (false == strpos($cfg, 'SECRET_KEY')) {
		$secret = base64_encode(random_bytes(16));

		$c = sprintf("\n\n// Randomly generated secret key, please change only if necessary\nconst SECRET_KEY = %s;\n\n",
			var_export($secret, true));

		if (!is_writeable($cfg_file)) {
			echo "<h2>Configuration missing</h2>";
			echo "<h4>KaraDAV cannot write to <tt>config.local.php</tt></h4>";
			echo "<p>Please append the following code to the <tt>config.local.php</tt> file:</p>";
			printf('<textarea onclick="this.select();" cols="70" rows="5">%s</textarea>', htmlspecialchars($c));
			exit(1);
		}

		$cfg = preg_replace('/\?>\s*$|$/', $c, $cfg, 1);

		file_put_contents($cfg_file, $cfg);
		define('KaraDAV\SECRET_KEY', $secret);
		unset($secret, $cfg_file, $cfg);
	}
}

if (!defined('KaraDAV\WWW_URL')) {
	$https = (!empty($_SERVER['HTTPS']) || $_SERVER['SERVER_PORT'] == 443) ? 's' : '';
	$name = $_SERVER['SERVER_NAME'];
	$port = !in_array($_SERVER['SERVER_PORT'], [80, 443]) ? ':' . $_SERVER['SERVER_PORT'] : '';
	$root = '/';

	define('KaraDAV\WWW_URL', sprintf('http%s://%s%s%s', $https, $name, $port, $root));
}

if (!defined('KaraDAV\DEFAULT_QUOTA')) {
	define('KaraDAV\DEFAULT_QUOTA', 200);
}

// Init database
if (!file_exists(DB_FILE)) {
	$db = DB::getInstance();
	$db->exec('BEGIN;');
	$db->exec(file_get_contents(__DIR__ . '/../schema.sql'));

	if (!LDAP::enabled()) {
		$users = new Users;
		$p = 'karadavdemo';
		$users->create('demo', $p, 10, true);
		$users->login('demo', $p);
		$_SESSION['install_password'] = $p;
	}

	$db->exec('END;');
}

function html_head(string $title): void
{
	$title = htmlspecialchars($title);

	echo <<<EOF
	<!DOCTYPE html>
	<html>
	<head>
		<meta charset="utf-8" />
		<meta name="viewport" content="width=device-width, initial-scale=1.0, target-densitydpi=device-dpi" />
		<title>{$title}</title>
		<link rel="stylesheet" type="text/css" href="/ui.css" />
	</head>
	<body>
	<h1>{$title}</h1>
	<main>
EOF;

	if (isset($_SESSION['install_password'])) {
		printf('<p class="info">Your server has been installed with a user named <tt>demo</tt> and the password <tt>%s</tt>, please change it.<br /><br />This message will disappear when you log out.</p>', htmlspecialchars($_SESSION['install_password']));
	}
}

function html_foot(): void
{
	echo '
	</main>
	<footer>
		Powered by <a href="https://github.com/kd2org/karadav/">KaraDAV</a>
	</footer>
	</body>
	</html>';
}

function format_bytes(int $bytes, string $unit = 'B'): string
{
	if ($bytes >= 1024*1024*1024) {
		return round($bytes / (1024*1024*1024), 1) . ' G' . $unit;
	}
	elseif ($bytes >= 1024*1024) {
		return round($bytes / (1024*1024), 1) . ' M' . $unit;
	}
	elseif ($bytes >= 1024) {
		return round($bytes / 1024, 1) . ' K' . $unit;
	}
	else {
		return $bytes . ' ' . $unit;
	}
}

function http_log(string $message, ...$params): void
{
	if (!LOG_FILE) {
		return;
	}

	$msg = vsprintf($message, $params) . "\n\n";

	if (LOG_FILE) {
		file_put_contents(LOG_FILE, $msg, FILE_APPEND);
	}
}

function html_csrf()
{
	$expire = time() + 1800;
	$random = random_bytes(10);
	$action = $_SERVER['REQUEST_URI'];
	$token = hash_hmac('sha256', $expire . $random . $action, STORAGE_PATH . session_id());

	return sprintf('<input type="hidden" name="_c_" value="%s:%s:%s" />', $token, base64_encode($random), $expire);
}

function csrf_check(): bool
{
	if (empty($_POST['_c_'])) {
		return false;
	}

	$verify = strtok($_POST['_c_'], ':');
	$random = base64_decode(strtok(':'));
	$expire = strtok(false);

	if ($expire < time()) {
		return false;
	}

	$action = $_SERVER['REQUEST_URI'];

	$token = hash_hmac('sha256', $expire . $random . $action, STORAGE_PATH . session_id());

	return hash_equals($token, $verify);
}

function html_csrf_error()
{
	if (empty($_POST['_c_'])) {
		return;
	}

	if (!csrf_check()) {
		echo '<p class="error">Sorry, but the form expired, please submit it again.</p>';
	}
}
Initial release 2022-08-30 05:01:39 +00:00			`<?php`

			`namespace KaraDAV;`

			`use KD2\ErrorManager;`

Implement PROPPATCH custom properties 2022-08-31 06:06:27 +00:00			`spl_autoload_register(function ($class) {`
			`$class = str_replace('\\', '/', $class);`
			`require_once __DIR__ . '/../lib/' . $class . '.php';`
			`});`
Initial release 2022-08-30 05:01:39 +00:00
Implement PROPPATCH custom properties 2022-08-31 06:06:27 +00:00			`ErrorManager::setLogFile(__DIR__ . '/../error.log');`
Initial release 2022-08-30 05:01:39 +00:00
Various security enhancements: * forbid XML with DOCTYPE * use a common HMAC method for consistency * Generate a secret key and store it in local config if it does not exist 2022-10-29 22:52:35 +00:00			`$cfg_file = __DIR__ . '/../config.local.php';`

			`if (!file_exists($cfg_file)) {`
Initial release 2022-08-30 05:01:39 +00:00			`die('This server is not configured yet. Please copy config.dist.php to config.local.php and edit it.');`
			`}`

Various security enhancements: * forbid XML with DOCTYPE * use a common HMAC method for consistency * Generate a secret key and store it in local config if it does not exist 2022-10-29 22:52:35 +00:00			`require $cfg_file;`

Expose all ErrorManager options to configuration 2022-11-21 15:13:02 +00:00			`if (!defined('KaraDAV\ERRORS_SHOW')) {`
			`define('KaraDAV\ERRORS_SHOW', true);`
			`}`

			`if (!ERRORS_SHOW) {`
			`ErrorManager::enable(ErrorManager::PRODUCTION);`
Allow to disable error messages in production (was: Initialize ErrorManager based on RUN_MODE environment variable. (#17)) 2022-11-21 14:52:31 +00:00			`}`
			`else {`
Expose all ErrorManager options to configuration 2022-11-21 15:13:02 +00:00			`ErrorManager::enable(ErrorManager::DEVELOPMENT);`
			`}`

			`if (defined('KaraDAV\ERRORS_EMAIL') && ERRORS_EMAIL) {`
			`ErrorManager::setEmail(ERRORS_EMAIL);`
			`}`

			`if (defined('KaraDAV\ERRORS_LOG') && ERRORS_LOG) {`
			`ErrorManager::setLogFile(ERRORS_LOG);`
			`}`
Create error log if possible by default 2023-02-14 12:27:42 +00:00			`elseif (is_writeable(__DIR__ . '/../error.log')) {`
			`ErrorManager::setLogFile(__DIR__ . '/../error.log');`
			`}`
Expose all ErrorManager options to configuration 2022-11-21 15:13:02 +00:00
			`if (defined('KaraDAV\ERRORS_REPORT_URL') && ERRORS_REPORT_URL) {`
			`ErrorManager::setRemoteReporting(ERRORS_REPORT_URL, true);`
Allow to disable error messages in production (was: Initialize ErrorManager based on RUN_MODE environment variable. (#17)) 2022-11-21 14:52:31 +00:00			`}`

Various security enhancements: * forbid XML with DOCTYPE * use a common HMAC method for consistency * Generate a secret key and store it in local config if it does not exist 2022-10-29 22:52:35 +00:00			`// Create random secret key`
			`if (!defined('KaraDAV\SECRET_KEY')) {`
			`$cfg = file_get_contents($cfg_file);`

			`if (false == strpos($cfg, 'SECRET_KEY')) {`
			`$secret = base64_encode(random_bytes(16));`

			`$c = sprintf("\n\n// Randomly generated secret key, please change only if necessary\nconst SECRET_KEY = %s;\n\n",`
			`var_export($secret, true));`

If config.local.php cannot be written to, then ask the user to do it 2022-10-29 23:07:42 +00:00			`if (!is_writeable($cfg_file)) {`
			`echo "<h2>Configuration missing</h2>";`
			`echo "<h4>KaraDAV cannot write to <tt>config.local.php</tt></h4>";`
			`echo "<p>Please append the following code to the <tt>config.local.php</tt> file:</p>";`
			`printf('<textarea onclick="this.select();" cols="70" rows="5">%s</textarea>', htmlspecialchars($c));`
			`exit(1);`
			`}`

Various security enhancements: * forbid XML with DOCTYPE * use a common HMAC method for consistency * Generate a secret key and store it in local config if it does not exist 2022-10-29 22:52:35 +00:00			`$cfg = preg_replace('/\?>\s*$\|$/', $c, $cfg, 1);`

			`file_put_contents($cfg_file, $cfg);`
If config.local.php cannot be written to, then ask the user to do it 2022-10-29 23:07:42 +00:00			`define('KaraDAV\SECRET_KEY', $secret);`
Various security enhancements: * forbid XML with DOCTYPE * use a common HMAC method for consistency * Generate a secret key and store it in local config if it does not exist 2022-10-29 22:52:35 +00:00			`unset($secret, $cfg_file, $cfg);`
			`}`
			`}`
Implement PROPPATCH custom properties 2022-08-31 06:06:27 +00:00
Fix issue with Cyberduck, move WWW_URL auto-detection outside of config file, add CHANGES log 2022-11-13 17:35:31 +00:00			`if (!defined('KaraDAV\WWW_URL')) {`
			`$https = (!empty($_SERVER['HTTPS']) \|\| $_SERVER['SERVER_PORT'] == 443) ? 's' : '';`
			`$name = $_SERVER['SERVER_NAME'];`
			`$port = !in_array($_SERVER['SERVER_PORT'], [80, 443]) ? ':' . $_SERVER['SERVER_PORT'] : '';`
			`$root = '/';`

			`define('KaraDAV\WWW_URL', sprintf('http%s://%s%s%s', $https, $name, $port, $root));`
			`}`

* Change methods to get recursive directory size and to delete a directory recursively * Allow "unlimited" disk quota 2023-02-14 11:15:15 +00:00			`if (!defined('KaraDAV\DEFAULT_QUOTA')) {`
			`define('KaraDAV\DEFAULT_QUOTA', 200);`
			`}`

Implement PROPPATCH custom properties 2022-08-31 06:06:27 +00:00			`// Init database`
			`if (!file_exists(DB_FILE)) {`
			`$db = DB::getInstance();`
			`$db->exec('BEGIN;');`
			`$db->exec(file_get_contents(__DIR__ . '/../schema.sql'));`

Add LDAP support 2022-10-24 22:35:52 +00:00			`if (!LDAP::enabled()) {`
			`$users = new Users;`
			`$p = 'karadavdemo';`
			`$users->create('demo', $p, 10, true);`
			`$users->login('demo', $p);`
Add CSRF stateless protection to forms 2022-10-28 21:42:55 +00:00			`$_SESSION['install_password'] = $p;`
Add LDAP support 2022-10-24 22:35:52 +00:00			`}`
Implement PROPPATCH custom properties 2022-08-31 06:06:27 +00:00
			`$db->exec('END;');`
			`}`

Add NextCloud login 2022-08-31 07:57:49 +00:00			`function html_head(string $title): void`
Implement PROPPATCH custom properties 2022-08-31 06:06:27 +00:00			`{`
			`$title = htmlspecialchars($title);`

			`echo <<<EOF`
Add NextCloud login 2022-08-31 07:57:49 +00:00			`<!DOCTYPE html>`
			`<html>`
			`<head>`
			`<meta charset="utf-8" />`
Add screenshots, nicer UI, users management 2022-10-24 17:06:00 +00:00			`<meta name="viewport" content="width=device-width, initial-scale=1.0, target-densitydpi=device-dpi" />`
Add NextCloud login 2022-08-31 07:57:49 +00:00			`<title>{$title}</title>`
Add screenshots, nicer UI, users management 2022-10-24 17:06:00 +00:00			`<link rel="stylesheet" type="text/css" href="/ui.css" />`
Add NextCloud login 2022-08-31 07:57:49 +00:00			`</head>`
			`<body>`
			`<h1>{$title}</h1>`
Add screenshots, nicer UI, users management 2022-10-24 17:06:00 +00:00			`<main>`
Implement PROPPATCH custom properties 2022-08-31 06:06:27 +00:00			`EOF;`
Add screenshots, nicer UI, users management 2022-10-24 17:06:00 +00:00
			`if (isset($_SESSION['install_password'])) {`
			`printf('<p class="info">Your server has been installed with a user named <tt>demo</tt> and the password <tt>%s</tt>, please change it.<br /><br />This message will disappear when you log out.</p>', htmlspecialchars($_SESSION['install_password']));`
			`}`
Add NextCloud login 2022-08-31 07:57:49 +00:00			`}`
Implement PROPPATCH custom properties 2022-08-31 06:06:27 +00:00
Add NextCloud login 2022-08-31 07:57:49 +00:00			`function html_foot(): void`
			`{`
			`echo '`
Add screenshots, nicer UI, users management 2022-10-24 17:06:00 +00:00			`</main>`
Add NextCloud login 2022-08-31 07:57:49 +00:00			`<footer>`
Implement chunk upload 2022-09-30 13:17:47 +00:00			`Powered by <a href="https://github.com/kd2org/karadav/">KaraDAV</a>`
Add NextCloud login 2022-08-31 07:57:49 +00:00			`</footer>`
			`</body>`
			`</html>';`
Implement PROPPATCH custom properties 2022-08-31 06:06:27 +00:00			`}`
format_bytes has moved 2022-10-10 13:20:41 +00:00
			`function format_bytes(int $bytes, string $unit = 'B'): string`
			`{`
			`if ($bytes >= 102410241024) {`
			`return round($bytes / (102410241024), 1) . ' G' . $unit;`
			`}`
			`elseif ($bytes >= 1024*1024) {`
			`return round($bytes / (1024*1024), 1) . ' M' . $unit;`
			`}`
			`elseif ($bytes >= 1024) {`
			`return round($bytes / 1024, 1) . ' K' . $unit;`
			`}`
			`else {`
			`return $bytes . ' ' . $unit;`
			`}`
			`}`
Log HTTP requests and responses 2022-10-21 16:21:38 +00:00
			`function http_log(string $message, ...$params): void`
			`{`
Remove logging to console with PHP server 2022-10-24 18:02:24 +00:00			`if (!LOG_FILE) {`
Log HTTP requests and responses 2022-10-21 16:21:38 +00:00			`return;`
			`}`

			`$msg = vsprintf($message, $params) . "\n\n";`

			`if (LOG_FILE) {`
			`file_put_contents(LOG_FILE, $msg, FILE_APPEND);`
			`}`
			`}`
Add CSRF stateless protection to forms 2022-10-28 21:42:55 +00:00
			`function html_csrf()`
			`{`
			`$expire = time() + 1800;`
			`$random = random_bytes(10);`
			`$action = $_SERVER['REQUEST_URI'];`
			`$token = hash_hmac('sha256', $expire . $random . $action, STORAGE_PATH . session_id());`

			`return sprintf('<input type="hidden" name="_c_" value="%s:%s:%s" />', $token, base64_encode($random), $expire);`
			`}`

			`function csrf_check(): bool`
			`{`
			`if (empty($_POST['_c_'])) {`
			`return false;`
			`}`

			`$verify = strtok($_POST['_c_'], ':');`
			`$random = base64_decode(strtok(':'));`
			`$expire = strtok(false);`

			`if ($expire < time()) {`
			`return false;`
			`}`

			`$action = $_SERVER['REQUEST_URI'];`

			`$token = hash_hmac('sha256', $expire . $random . $action, STORAGE_PATH . session_id());`

			`return hash_equals($token, $verify);`
			`}`

			`function html_csrf_error()`
			`{`
			`if (empty($_POST['_c_'])) {`
			`return;`
			`}`

			`if (!csrf_check()) {`
			`echo '<p class="error">Sorry, but the form expired, please submit it again.</p>';`
			`}`
			`}`