index.php

  1. 7.x index.php
  2. 6.x index.php
  3. 5.x index.php

The primary entry point for FlightPath.

This script will determine which page the user is trying to view, and display it for them.

File

index.php
View source
  1. <?php

  2. /**

  3.  * @file

  4.  * The primary entry point for FlightPath.

  5.  * 

  6.  * This script will determine which page the user is trying to view, 

  7.  * and display it for them.

  8. */

  9. 

  10. 

  11. 

  12. // First, let's check to see if we are banning any IPs from our site...

  13. $remote_ip = $_SERVER['REMOTE_ADDR'];

  14. $blocklist_file = __DIR__ . '/custom/files/private/banned_ips.txt';

  15. $cache_key = 'banned_ips';

  16. 

  17. // Load banned IPs

  18. if (function_exists('apcu_fetch')) {

  19.   $blocked_ips_assoc = apcu_fetch($cache_key);

  20.   if ($blocked_ips_assoc === FALSE) {

  21.     // Not in cache, load from file, then store in cache

  22.     $blocked_ips_assoc = array();

  23.     if (file_exists($blocklist_file)) {

  24.       $lines = file($blocklist_file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);

  25.       $lines = array_map('trim', $lines);

  26.       $blocked_ips_assoc = array_flip($lines); // fast lookup

  27.       apcu_store($cache_key, $blocked_ips_assoc, 60); // cache X seconds

  28.     }

  29.   }

  30. } // if apcu is installed 

  31. else {

  32.   // APCu not installed or we are instructed to look at the blocklist file directly

  33.   // fallback to reading file every request

  34.   $blocked_ips_assoc = array();

  35.   if (file_exists($blocklist_file)) {

  36.     $lines = file($blocklist_file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);

  37.     $lines = array_map('trim', $lines);

  38.     $blocked_ips_assoc = array_flip($lines);

  39.   }

  40. }

  41. 

  42. /*

  43. // Check if IP is blocked

  44. if (isset($blocked_ips_assoc[$remote_ip])) {

  45.   

  46.   // TODO: If banned, give the user a chance to remove ban by visiting a page and answering

  47.   //       a CAPTCHA or some other challenge?

  48.   

  49.   error_log("Banned IP: $remote_ip tried to access " . $_SERVER['REQUEST_URI']); // optional

  50.   header('HTTP/1.1 403 Forbidden');

  51.   echo "403: Access denied";

  52.   exit;

  53. }

  54. */

  55. 

  56. 

  57. 

  58. //////////////////////

  59. // If we are here, we can now proceed with loading the FlightPath page.

  60. 

  61. 

  62. 

  63. // Load all of the classes, as well as the custom classes.

  64. require_once("classes/all_classes.php");

  65.   

  66. // Make sure our cookies are the most secure possible:

  67. ini_set('session.cookie_httponly', 'On');

  68. if( (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off') || $_SERVER['SERVER_PORT'] == 443 ){

  69.   //enable secure cookies, since we are on HTTPS.  

  70.   ini_set('session.cookie_secure', 'On');    

  71. }

  72. 

  73. 

  74. 

  75.  

  76. // Should we init the session using a specific session_id?

  77. if (@$_GET['fp_session_str'] != '') {

  78.   

  79.   // For security, the fp_session_str is made of several pieces so we can be sure it is authentic

  80.   // and not a hacker trying to imitate a known user's session_id.

  81.   

  82.   require_once("includes/misc.inc"); // Bring in the functions we need so we can validate the fp_session_str

  83.   

  84.   // We will validate now and retrieve the PHP session_id from it, or FALSE.

  85.   $session_id = fp_get_session_id_from_str($_GET['fp_session_str']);

  86.   if ($session_id) {

  87.     session_id($session_id);

  88.   }

  89.   else {

  90.     // The session did not validate.  This might be a hacking attempt.  Kill the script.

  91.     die("Security Error: Session could not be validated by FlightPath (index.php). This is a security

  92.          feature to protect data privacy.  

  93.         <br><br>

  94.         This can happen for a number of reasons. For example, if you followed a link provided by another

  95.         user that contained sensitive session information.  Or, if you changed networks or turned a VPN

  96.         off or on.

  97.         <br><br>

  98.         Visit the base URL for this site to log in securely. Ex: https://flightpath.example.com/

  99.         <br><br>

  100.         If this error continues, contact your IT administrator.");

  101.   }  

  102. }

  103. 

  104. session_start();

  105. 

  106. // Set headers for maximum security

  107. header("Cache-control: no-cache, no-store, must-revalidate");  // HTTP 1.1

  108. header("Pragma: no-cache");  // HTTP 1.0

  109. header("X-XSS-Protection: 1");

  110. header("Expires: Sat, 26 Jul 1997 05:00:00 GMT");  // Date in the past, to ensure it expires when we close the browser.

  111. header('X-Frame-Options: SAMEORIGIN');  // No iframes except from the same website origins.

  112. 

  113. 

  114. // If the user is requesting a "clean URLs" check, display a simple success message.

  115. if (isset($_REQUEST["q"]) && $_REQUEST["q"] == "test-clean-urls/check") {

  116.   print "CLEAN URLS CHECK SUCCESSFUL";

  117.   die;

  118. }

  119. 

  120. 

  121. // If the settings.php file doesn't exist, then FlightPath must not be installed,

  122. // and we should redirect to install.php.

  123. if (!file_exists("custom/settings.php")) {

  124.   header ("Location: install.php");

  125.   die;

  126. }

  127. 

  128. 

  129. require_once("bootstrap.inc");

  130. 

  131. 

  132. // For development reasons only:

  133. // To rebuild the cache on every page load, un-comment the following line

  134. // menu_rebuild_cache();

  135. 

  136. // FlightPath will now look at the request in the query to decide what page we are going to display.

  137. $page = menu_execute_page_request();

  138. 

  139. if (!is_int($page)) {

  140.   // Display the page!

  141.   fp_display_page($page);

  142. }

  143. else {  

  144.   if ($page == MENU_NOT_FOUND) {

  145.     display_not_found();

  146.   }

  147.   else if ($page == MENU_ACCESS_DENIED) {

  148.     

  149.     display_access_denied();

  150.   }

  151. }

  152. 

  153. // Call hook_exit as we leave the page.

  154. invoke_hook("exit"); 

  155.  

  156.  

  157.  

  158.  

  159.  

  160. 

  161.