website.inc.php 12 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265
  1. <?php
  2. /* Copyright (C) 2017-2019 Laurent Destailleur <eldy@users.sourceforge.net>
  3. *
  4. * This program is free software; you can redistribute it and/or modify
  5. * it under the terms of the GNU General Public License as published by
  6. * the Free Software Foundation; either version 3 of the License, or
  7. * (at your option) any later version.
  8. *
  9. * This program is distributed in the hope that it will be useful,
  10. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  11. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  12. * GNU General Public License for more details.
  13. *
  14. * You should have received a copy of the GNU General Public License
  15. * along with this program. If not, see <https://www.gnu.org/licenses/>.
  16. * or see https://www.gnu.org/
  17. */
  18. /**
  19. * \file htdocs/core/website.inc.php
  20. * \brief Common file loaded by all website pages (after master.inc.php). It set the new object $weblangs, using parameter 'l'.
  21. * This file is included in top of all container pages and is run only when a web page is called.
  22. * The global variable $websitekey must be defined.
  23. */
  24. // Load website class
  25. include_once DOL_DOCUMENT_ROOT.'/website/class/website.class.php';
  26. include_once DOL_DOCUMENT_ROOT.'/website/class/websitepage.class.php';
  27. $website = null;
  28. $websitepage = null;
  29. $weblangs = null;
  30. $pagelangs = null;
  31. // Detection browser (copy of code from main.inc.php)
  32. if (isset($_SERVER["HTTP_USER_AGENT"]) && is_object($conf) && empty($conf->browser->name)) {
  33. $tmp = getBrowserInfo($_SERVER["HTTP_USER_AGENT"]);
  34. $conf->browser->name = $tmp['browsername'];
  35. $conf->browser->os = $tmp['browseros'];
  36. $conf->browser->version = $tmp['browserversion'];
  37. $conf->browser->layout = $tmp['layout']; // 'classic', 'phone', 'tablet'
  38. //var_dump($conf->browser);
  39. if ($conf->browser->layout == 'phone') {
  40. $conf->dol_no_mouse_hover = 1;
  41. }
  42. }
  43. // Define $website
  44. if (!is_object($website)) {
  45. $website = new Website($db);
  46. $website->fetch(0, $websitekey);
  47. }
  48. // Define $websitepage if we have $websitepagefile defined
  49. if (empty($pageid) && !empty($websitepagefile)) {
  50. $pageid = str_replace(array('.tpl.php', 'page'), array('', ''), basename($websitepagefile));
  51. if ($pageid == 'index.php') {
  52. $pageid = $website->fk_default_home;
  53. }
  54. }
  55. if (!is_object($websitepage)) {
  56. $websitepage = new WebsitePage($db);
  57. }
  58. // Define $weblangs
  59. if (!is_object($weblangs)) {
  60. $weblangs = new Translate('', $conf);
  61. }
  62. if (!is_object($pagelangs)) {
  63. $pagelangs = new Translate('', $conf);
  64. }
  65. if ($pageid > 0) {
  66. $websitepage->fetch($pageid);
  67. $weblangs->setDefaultLang(GETPOSTISSET('lang') ? GETPOST('lang', 'aZ09') : (empty($_COOKIE['weblangs-shortcode']) ? 'auto' : preg_replace('/[^a-zA-Z0-9_\-]/', '', $_COOKIE['weblangs-shortcode'])));
  68. $pagelangs->setDefaultLang($websitepage->lang ? $websitepage->lang : $weblangs->shortlang);
  69. if (!defined('USEDOLIBARREDITOR') && (in_array($websitepage->type_container, array('menu', 'other')) || empty($websitepage->status) && !defined('USEDOLIBARRSERVER'))) {
  70. $weblangs->load("website");
  71. // Security options
  72. // X-Content-Type-Options
  73. header("X-Content-Type-Options: nosniff");
  74. // X-Frame-Options
  75. if (empty($websitepage->allowed_in_frames) && empty($conf->global->WEBSITE_ALLOW_FRAMES_ON_ALL_PAGES)) {
  76. header("X-Frame-Options: SAMEORIGIN");
  77. }
  78. //httponly_accessforbidden('<center><br><br>'.$weblangs->trans("YouTryToAccessToAFileThatIsNotAWebsitePage", $websitepage->pageurl, $websitepage->type_container, $websitepage->status).'</center>', 404, 1);
  79. http_response_code(404);
  80. print '<center><br><br>'.$weblangs->trans("YouTryToAccessToAFileThatIsNotAWebsitePage", $websitepage->pageurl, $websitepage->type_container, $websitepage->status).'</center>';
  81. exit;
  82. }
  83. }
  84. if (!defined('USEDOLIBARRSERVER') && !defined('USEDOLIBARREDITOR')) {
  85. // Security options
  86. // X-Content-Type-Options
  87. header("X-Content-Type-Options: nosniff");
  88. // X-Frame-Options
  89. if (empty($websitepage->allowed_in_frames) && empty($conf->global->WEBSITE_ALLOW_FRAMES_ON_ALL_PAGES)) {
  90. header("X-Frame-Options: SAMEORIGIN");
  91. }
  92. // X-XSS-Protection
  93. //header("X-XSS-Protection: 1"); // XSS filtering protection of some browsers (note: use of Content-Security-Policy is more efficient). Disabled as deprecated.
  94. // Content-Security-Policy-Report-Only
  95. if (!defined('WEBSITE_MAIN_SECURITY_FORCECSPRO')) {
  96. // A default security policy that keep usage of js external component like ckeditor, stripe, google, working
  97. // For example: to restrict to only local resources, except for css (cloudflare+google), and js (transifex + google tags) and object/iframe (youtube)
  98. // default-src 'self'; style-src: https://cdnjs.cloudflare.com https://fonts.googleapis.com; script-src: https://cdn.transifex.com https://www.googletagmanager.com; object-src https://youtube.com; frame-src https://youtube.com; img-src: *;
  99. // For example, to restrict everything to itself except img that can be on other servers:
  100. // default-src 'self'; img-src *;
  101. // Pre-existing site that uses too much js code to fix but wants to ensure resources are loaded only over https and disable plugins:
  102. // default-src https: 'unsafe-inline' 'unsafe-eval'; object-src 'none'
  103. //
  104. // $contentsecuritypolicy = "frame-ancestors 'self'; img-src * data:; font-src *; default-src 'self' 'unsafe-inline' 'unsafe-eval' *.paypal.com *.stripe.com *.google.com *.googleapis.com *.google-analytics.com *.googletagmanager.com;";
  105. // $contentsecuritypolicy = "frame-ancestors 'self'; img-src * data:; font-src *; default-src *; script-src 'self' 'unsafe-inline' *.paypal.com *.stripe.com *.google.com *.googleapis.com *.google-analytics.com *.googletagmanager.com; style-src 'self' 'unsafe-inline'; connect-src 'self';";
  106. $contentsecuritypolicy = getDolGlobalString('WEBSITE_MAIN_SECURITY_FORCECSPRO');
  107. if (!is_object($hookmanager)) {
  108. include_once DOL_DOCUMENT_ROOT.'/core/class/hookmanager.class.php';
  109. $hookmanager = new HookManager($db);
  110. }
  111. $hookmanager->initHooks(array("main"));
  112. $parameters = array('contentsecuritypolicy'=>$contentsecuritypolicy, 'mode'=>'reportonly');
  113. $result = $hookmanager->executeHooks('setContentSecurityPolicy', $parameters); // Note that $action and $object may have been modified by some hooks
  114. if ($result > 0) {
  115. $contentsecuritypolicy = $hookmanager->resPrint; // Replace CSP
  116. } else {
  117. $contentsecuritypolicy .= $hookmanager->resPrint; // Concat CSP
  118. }
  119. if (!empty($contentsecuritypolicy)) {
  120. header("Content-Security-Policy-Report-Only: ".$contentsecuritypolicy);
  121. }
  122. }
  123. // Content-Security-Policy
  124. if (!defined('WEBSITE_MAIN_SECURITY_FORCECSP')) {
  125. // A default security policy that keep usage of js external component like ckeditor, stripe, google, working
  126. // For example: to restrict to only local resources, except for css (cloudflare+google), and js (transifex + google tags) and object/iframe (youtube)
  127. // default-src 'self'; style-src: https://cdnjs.cloudflare.com https://fonts.googleapis.com; script-src: https://cdn.transifex.com https://www.googletagmanager.com; object-src https://youtube.com; frame-src https://youtube.com; img-src: *;
  128. // For example, to restrict everything to itself except img that can be on other servers:
  129. // default-src 'self'; img-src *;
  130. // Pre-existing site that uses too much js code to fix but wants to ensure resources are loaded only over https and disable plugins:
  131. // default-src https: 'unsafe-inline' 'unsafe-eval'; object-src 'none'
  132. //
  133. // $contentsecuritypolicy = "frame-ancestors 'self'; img-src * data:; font-src *; default-src 'self' 'unsafe-inline' 'unsafe-eval' *.paypal.com *.stripe.com *.google.com *.googleapis.com *.google-analytics.com *.googletagmanager.com;";
  134. // $contentsecuritypolicy = "frame-ancestors 'self'; img-src * data:; font-src *; default-src *; script-src 'self' 'unsafe-inline' *.paypal.com *.stripe.com *.google.com *.googleapis.com *.google-analytics.com *.googletagmanager.com; style-src 'self' 'unsafe-inline'; connect-src 'self';";
  135. $contentsecuritypolicy = getDolGlobalString('WEBSITE_MAIN_SECURITY_FORCECSP');
  136. if (!is_object($hookmanager)) {
  137. include_once DOL_DOCUMENT_ROOT.'/core/class/hookmanager.class.php';
  138. $hookmanager = new HookManager($db);
  139. }
  140. $hookmanager->initHooks(array("main"));
  141. $parameters = array('contentsecuritypolicy'=>$contentsecuritypolicy, 'mode'=>'active');
  142. $result = $hookmanager->executeHooks('setContentSecurityPolicy', $parameters); // Note that $action and $object may have been modified by some hooks
  143. if ($result > 0) {
  144. $contentsecuritypolicy = $hookmanager->resPrint; // Replace CSP
  145. } else {
  146. $contentsecuritypolicy .= $hookmanager->resPrint; // Concat CSP
  147. }
  148. if (!empty($contentsecuritypolicy)) {
  149. header("Content-Security-Policy: ".$contentsecuritypolicy);
  150. }
  151. }
  152. // Referrer-Policy
  153. if (!defined('WEBSITE_MAIN_SECURITY_FORCERP')) {
  154. // The constant WEBSITE_MAIN_SECURITY_FORCERP should never be defined by page, but the variable used just after may be
  155. // For public web sites, we use the same default value than "strict-origin-when-cross-origin"
  156. $referrerpolicy = getDolGlobalString('WEBSITE_MAIN_SECURITY_FORCERP', "strict-origin-when-cross-origin");
  157. header("Referrer-Policy: ".$referrerpolicy);
  158. }
  159. // Strict-Transport-Security
  160. if (!defined('WEBSITE_MAIN_SECURITY_FORCESTS')) {
  161. // The constant WEBSITE_MAIN_SECURITY_FORCESTS should never be defined by page, but the variable used just after may be
  162. // Example: "max-age=31536000; includeSubDomains"
  163. $sts = getDolGlobalString('WEBSITE_MAIN_SECURITY_FORCESTS');
  164. if (!empty($sts)) {
  165. header("Strict-Transport-Security: ".$sts);
  166. }
  167. }
  168. // Permissions-Policy (old name was Feature-Policy)
  169. if (!defined('WEBSITE_MAIN_SECURITY_FORCEPP')) {
  170. // The constant WEBSITE_MAIN_SECURITY_FORCEPP should never be defined by page, but the variable used just after may be
  171. // Example: "camera: 'none'; microphone: 'none';"
  172. $pp = getDolGlobalString('WEBSITE_MAIN_SECURITY_FORCEPP');
  173. if (!empty($pp)) {
  174. header("Permissions-Policy: ".$pp);
  175. }
  176. }
  177. }
  178. // A lang was forced, so we change weblangs init
  179. if (GETPOST('l', 'aZ09')) {
  180. $weblangs->setDefaultLang(GETPOST('l', 'aZ09'));
  181. }
  182. // A lang was forced, so we check to find if we must make a redirect on translation page
  183. if ($_SERVER['PHP_SELF'] != DOL_URL_ROOT.'/website/index.php') { // If we browsing page using Dolibarr server or a Native web server
  184. //print_r(get_defined_constants(true));exit;
  185. if (GETPOST('l', 'aZ09')) {
  186. $sql = "SELECT wp.rowid, wp.lang, wp.pageurl, wp.fk_page";
  187. $sql .= " FROM ".MAIN_DB_PREFIX."website_page as wp";
  188. $sql .= " WHERE wp.fk_website = ".((int) $website->id);
  189. $sql .= " AND (wp.fk_page = ".((int) $pageid)." OR wp.rowid = ".((int) $pageid);
  190. if (is_object($websitepage) && $websitepage->fk_page > 0) {
  191. $sql .= " OR wp.fk_page = ".((int) $websitepage->fk_page)." OR wp.rowid = ".((int) $websitepage->fk_page);
  192. }
  193. $sql .= ")";
  194. $sql .= " AND wp.lang = '".$db->escape(GETPOST('l', 'aZ09'))."'";
  195. $resql = $db->query($sql);
  196. if ($resql) {
  197. $obj = $db->fetch_object($resql);
  198. if ($obj) {
  199. $newpageid = $obj->rowid;
  200. if ($newpageid != $pageid) { // To avoid to make a redirect on same page (infinite loop)
  201. if (defined('USEDOLIBARRSERVER')) {
  202. header("Location: ".DOL_URL_ROOT.'/public/website/index.php?website='.$websitekey.'&pageid='.$newpageid.'&l='.GETPOST('l', 'aZ09'));
  203. exit;
  204. } else {
  205. $newpageref = $obj->pageurl;
  206. header("Location: ".(($obj->lang && $obj->lang != $website->lang) ? '/'.$obj->lang.'/' : '/').$newpageref.'.php?l='.GETPOST('l', 'aZ09'));
  207. exit;
  208. }
  209. }
  210. }
  211. }
  212. }
  213. }
  214. // Show off line message when all website is off
  215. if (!defined('USEDOLIBARREDITOR') && empty($website->status)) {
  216. // Security options
  217. // X-Content-Type-Options
  218. header("X-Content-Type-Options: nosniff");
  219. // X-Frame-Options
  220. if (empty($websitepage->allowed_in_frames) && empty($conf->global->WEBSITE_ALLOW_FRAMES_ON_ALL_PAGES)) {
  221. header("X-Frame-Options: SAMEORIGIN");
  222. }
  223. $weblangs->load("website");
  224. //httponly_accessforbidden('<center><br><br>'.$weblangs->trans("SorryWebsiteIsCurrentlyOffLine").'</center>', 503, 1);
  225. http_response_code(503);
  226. print '<center><br><br>'.$weblangs->trans("SorryWebsiteIsCurrentlyOffLine").'</center>';
  227. exit;
  228. }