
   1  <?php
   2  # MantisBT - A PHP based bugtracking system
   3  
   4  # MantisBT is free software: you can redistribute it and/or modify
   5  # it under the terms of the GNU General Public License as published by
   6  # the Free Software Foundation, either version 2 of the License, or
   7  # (at your option) any later version.
   8  #
   9  # MantisBT is distributed in the hope that it will be useful,
  10  # but WITHOUT ANY WARRANTY; without even the implied warranty of
  11  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  12  # GNU General Public License for more details.
  13  #
  14  # You should have received a copy of the GNU General Public License
  15  # along with MantisBT.  If not, see <http://www.gnu.org/licenses/>.
  16  
  17  /**
  18   * HTTP API
  19   *
  20   * Provides functions to manage HTTP response headers.
  21   *
  22   * @package CoreAPI
  23   * @subpackage HTTPAPI
  24   * @copyright Copyright (C) 2002 - 2011  MantisBT Team - mantisbt-dev@lists.sourceforge.net
  25   * @link http://www.mantisbt.org
  26   *
  27   * @uses config_api.php
  28   */
  29  
  30  require_api( 'config_api.php' );
  31  
  32  /**
  33   * Check to see if the client is using Microsoft Internet Explorer so we can
  34   * enable quirks and hacky non-standards-compliant workarounds.
  35   * @return boolean True if Internet Explorer is detected as the user agent
  36   */
  37  function is_browser_internet_explorer() {
  38      $t_user_agent = isset( $_SERVER['HTTP_USER_AGENT'] ) ? $_SERVER['HTTP_USER_AGENT'] : 'none';
  39  
  40      if ( strpos( $t_user_agent, 'MSIE' ) ) {
  41          return true;
  42      }
  43  
  44      return false;
  45  }
  46  
  47  /**
  48   * Checks to see if the client is using Google Chrome so we can enable quirks
  49   * and hacky non-standards-compliant workarounds.
  50   * @return boolean True if Chrome is detected as the user agent
  51   */
  52  function is_browser_chrome() {
  53      $t_user_agent = isset( $_SERVER['HTTP_USER_AGENT'] ) ? $_SERVER['HTTP_USER_AGENT'] : 'none';
  54  
  55      if ( strpos( $t_user_agent, 'Chrome/' ) ) {
  56          return true;
  57      }
  58  
  59      return false;
  60  }
  61  
  62  /**
  63   * Send a Content-Disposition header. This is more complex than it sounds
  64   * because only a few browsers properly support RFC2231. For those browsers
  65   * which are behind the times or are otherwise broken, we need to use
  66   * some hacky workarounds to get them to work 'nicely' with attachments and
  67   * inline files. See http://greenbytes.de/tech/tc2231/ for full reasoning.
  68   * @param string Filename
  69   * @param boolean Display file inline (optional, default = treat as attachment)
  70   */
  71  function http_content_disposition_header( $p_filename, $p_inline = false ) {
  72      if ( !headers_sent() ) {
  73          $t_encoded_filename = rawurlencode( $p_filename );
  74          $t_disposition = '';
  75          if ( !$p_inline ) {
  76              $t_disposition = 'attachment;';
  77          }
  78          if ( is_browser_internet_explorer() || is_browser_chrome() ) {
  79              // Internet Explorer does not support RFC2231 however it does
  80              // incorrectly decode URL encoded filenames and we can use this to
  81              // get UTF8 filenames to work with the file download dialog. Chrome
  82              // behaves in the same was as Internet Explorer in this respect.
  83              // See http://greenbytes.de/tech/tc2231/#attwithfnrawpctenclong
  84              header( 'Content-Disposition:' . $t_disposition . ' filename="' . $t_encoded_filename . '"' );
  85          } else {
  86              // For most other browsers, we can use this technique:
  87              // http://greenbytes.de/tech/tc2231/#attfnboth2
  88              header( 'Content-Disposition:' . $t_disposition . ' filename*=UTF-8\'\'' . $t_encoded_filename . '; filename="' . $t_encoded_filename . '"' );
  89          }
  90      }
  91  }
  92  
  93  /**
  94   * Set caching headers that will allow or prevent browser caching.
  95   * @param boolean Allow caching
  96   */
  97  function http_caching_headers( $p_allow_caching=false ) {
  98      global $g_allow_browser_cache;
  99  
 100      // Headers to prevent caching
 101      // with option to bypass if running from script
 102      if ( !headers_sent() ) {
 103          if ( $p_allow_caching || ( isset( $g_allow_browser_cache ) && ON == $g_allow_browser_cache ) ) {
 104              if ( is_browser_internet_explorer() ) {
 105                  header( 'Cache-Control: private, proxy-revalidate' );
 106              } else {
 107                  header( 'Cache-Control: private, must-revalidate' );
 108              }
 109          } else {
 110              header( 'Cache-Control: no-store, no-cache, must-revalidate' );
 111          }
 112  
 113          header( 'Expires: ' . gmdate( 'D, d M Y H:i:s \G\M\T', time() ) );
 114          header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s \G\M\T', time() ) );
 115      }
 116  }
 117  
 118  /**
 119   * Set content-type headers.
 120   */
 121  function http_content_headers() {
 122      if ( !headers_sent() ) {
 123          // Only use the application/xhtml+xml MIME type if the browser
 124          // has indicated support for this type. Internet Explorer
 125          // prior to version 9 only supports the text/html MIME type.
 126          if ( stristr( $_SERVER['HTTP_ACCEPT'], 'application/xhtml+xml' ) ) {
 127              header( 'Content-Type: application/xhtml+xml; charset=UTF-8' );
 128          } else {
 129              header( 'Content-Type: text/html; charset=UTF-8' );
 130          }
 131  
 132          // Disallow Internet Explorer from attempting to second guess the Content-Type
 133          // header as per http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx
 134          header( 'X-Content-Type-Options: nosniff' );
 135      }
 136  }
 137  
 138  /**
 139   * Set security headers (frame busting, clickjacking/XSS/CSRF protection).
 140   */
 141  function http_security_headers() {
 142      if ( !headers_sent() ) {
 143          header( 'X-Frame-Options: DENY' );
 144          $t_avatar_img_allow = '';
 145          if ( config_get_global( 'show_avatar' ) ) {
 146              if ( isset( $_SERVER['HTTPS'] ) && ( utf8_strtolower( $_SERVER['HTTPS'] ) != 'off' ) ) {
 147                  $t_avatar_img_allow = "; img-src 'self' https://secure.gravatar.com:443";
 148              } else {
 149                  $t_avatar_img_allow = "; img-src 'self' http://www.gravatar.com:80";
 150              }
 151          }
 152          header( "X-Content-Security-Policy: allow 'self';$t_avatar_img_allow; frame-ancestors 'none'" );
 153          if ( isset( $_SERVER['HTTPS'] ) && ( utf8_strtolower( $_SERVER['HTTPS'] ) != 'off' ) ) {
 154              header( 'Strict-Transport-Security: max-age=7776000' );
 155          }
 156      }
 157  }
 158  
 159  /**
 160   * Load and set any custom headers defined by the site configuration.
 161   */
 162  function http_custom_headers() {
 163      if ( !headers_sent() ) {
 164          // send user-defined headers
 165          foreach( config_get_global( 'custom_headers' ) as $t_header ) {
 166              header( $t_header );
 167          }
 168      }
 169  }
 170  
 171  /**
 172   * Set all headers used by a normal page load.
 173   */
 174  function http_all_headers() {
 175      global $g_bypass_headers;
 176  
 177      if ( !$g_bypass_headers && !headers_sent() ) {
 178          http_content_headers();
 179          http_caching_headers();
 180          http_security_headers();
 181          http_custom_headers();
 182      }
 183  }

