summaryrefslogtreecommitdiff
path: root/includes/lib
diff options
context:
space:
mode:
Diffstat (limited to 'includes/lib')
-rw-r--r--includes/lib/account.php145
-rw-r--r--includes/lib/check_weak_key.php215
-rw-r--r--includes/lib/general.php116
-rw-r--r--includes/lib/l10n.php358
4 files changed, 707 insertions, 127 deletions
diff --git a/includes/lib/account.php b/includes/lib/account.php
index f7a24fa..dd8afd3 100644
--- a/includes/lib/account.php
+++ b/includes/lib/account.php
@@ -17,35 +17,134 @@
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/
-function fix_assurer_flag($userID)
+/**
+ * Function to recalculate the cached Assurer status
+ *
+ * @param int $userID
+ * if the user ID is not given the flag will be recalculated for all users
+ *
+ * @return bool
+ * false if there was an error on fixing the flag. This does NOT return the
+ * new value of the flag
+ */
+function fix_assurer_flag($userID = NULL)
{
- // Update Assurer-Flag on users table if 100 points.
- // Should the number of points be SUM(points) or SUM(awarded)?
- $query = mysql_query('UPDATE `users` AS `u` SET `assurer` = 1 WHERE '.
- '`u`.`id` = \''.(int)intval($userID).'\' AND '.
- 'EXISTS(SELECT 1 FROM `cats_passed` AS `cp`, `cats_variant` AS `cv` '.
- 'WHERE `cp`.`variant_id` = `cv`.`id` AND `cv`.`type_id` = 1 AND '.
- '`cp`.`user_id` = `u`.`id`) AND '.
- '(SELECT SUM(`points`) FROM `notary` AS `n` WHERE `n`.`to` = `u`.`id` '.
- 'AND (`n`.`expire` > now() OR `n`.`expire` IS NULL)) >= 100');
- // Challenge has been passed and non-expired points >= 100
-
+ // Update Assurer-Flag on users table if 100 points and CATS passed.
+ //
+ // We may have some performance issues here if no userID is given
+ // there are ~150k assurances and ~220k users currently
+ // but the exists-clause on cats_passed should be a good filter
+ $sql = '
+ UPDATE `users` AS `u` SET `assurer` = 1
+ WHERE '.(
+ ($userID === NULL) ?
+ '`u`.`assurer` = 0' :
+ '`u`.`id` = \''.intval($userID).'\''
+ ).'
+ AND EXISTS(
+ SELECT 1 FROM `cats_passed` AS `cp`, `cats_variant` AS `cv`
+ WHERE `cp`.`variant_id` = `cv`.`id`
+ AND `cv`.`type_id` = 1
+ AND `cp`.`user_id` = `u`.`id`
+ )
+ AND (
+ SELECT SUM(`points`) FROM `notary` AS `n`
+ WHERE `n`.`to` = `u`.`id`
+ AND (`n`.`expire` > now()
+ OR `n`.`expire` IS NULL)
+ AND `n`.`deleted` = 0
+ ) >= 100';
+
+ $query = mysql_query($sql);
if (!$query) {
return false;
}
-
+ // Challenge has been passed and non-expired points >= 100
+
// Reset flag if requirements are not met
- $query = mysql_query('UPDATE `users` AS `u` SET `assurer` = 0 WHERE '.
- '`u`.`id` = \''.(int)intval($userID).'\' AND '.
- '(NOT EXISTS(SELECT 1 FROM `cats_passed` AS `cp`, `cats_variant` AS '.
- '`cv` WHERE `cp`.`variant_id` = `cv`.`id` AND `cv`.`type_id` = 1 '.
- 'AND `cp`.`user_id` = `u`.`id`) OR '.
- '(SELECT SUM(`points`) FROM `notary` AS `n` WHERE `n`.`to` = `u`.`id` '.
- 'AND (`n`.`expire` > now() OR `n`.`expire` IS NULL)) < 100)');
-
+ //
+ // Also a bit performance critical but assurer flag is only set on
+ // ~5k accounts
+ $sql = '
+ UPDATE `users` AS `u` SET `assurer` = 0
+ WHERE '.(
+ ($userID === NULL) ?
+ '`u`.`assurer` <> 0' :
+ '`u`.`id` = \''.intval($userID).'\''
+ ).'
+ AND (
+ NOT EXISTS(
+ SELECT 1 FROM `cats_passed` AS `cp`,
+ `cats_variant` AS `cv`
+ WHERE `cp`.`variant_id` = `cv`.`id`
+ AND `cv`.`type_id` = 1
+ AND `cp`.`user_id` = `u`.`id`
+ )
+ OR (
+ SELECT SUM(`points`) FROM `notary` AS `n`
+ WHERE `n`.`to` = `u`.`id`
+ AND (
+ `n`.`expire` > now()
+ OR `n`.`expire` IS NULL
+ )
+ AND `n`.`deleted` = 0
+ ) < 100
+ )';
+
+ $query = mysql_query($sql);
if (!$query) {
return false;
}
-
+
return true;
-} \ No newline at end of file
+}
+
+/**
+ * Supported hash algorithms for signing certificates
+ */
+class HashAlgorithms {
+ /**
+ * Default hash algorithm identifier for signing
+ * @var string
+ */
+ public static $default = 'sha256';
+
+ /**
+ * Get display strings for the supported hash algorithms
+ * @return array(string=>array('name'=>string, 'info'=>string))
+ * - [$hash_identifier]['name'] = Name that should be displayed in UI
+ * - [$hash_identifier]['info'] = Additional information that can help
+ * with the selection of a suitable algorithm
+ */
+ public static function getInfo() {
+ return array(
+ 'sha256' => array(
+ 'name' => 'SHA-256',
+ 'info' => _('Currently recommended, because the other algorithms might break on some older versions of the GnuTLS library (older than 3.x) still shipped in Debian for example.'),
+ ),
+ 'sha384' => array(
+ 'name' => 'SHA-384',
+ 'info' => '',
+ ),
+ 'sha512' => array(
+ 'name' => 'SHA-512',
+ 'info' => _('Highest protection against hash collision attacks of the algorithms offered here.'),
+ ),
+ );
+ }
+
+ /**
+ * Check if the input is a supported hash algorithm identifier otherwise
+ * return the identifier of the default hash algorithm
+ *
+ * @param string $hash_identifier
+ * @return string The cleaned identifier
+ */
+ public static function clean($hash_identifier) {
+ if (array_key_exists($hash_identifier, self::getInfo() )) {
+ return $hash_identifier;
+ } else {
+ return self::$default;
+ }
+ }
+}
diff --git a/includes/lib/check_weak_key.php b/includes/lib/check_weak_key.php
index d2aa33d..59c6cd6 100644
--- a/includes/lib/check_weak_key.php
+++ b/includes/lib/check_weak_key.php
@@ -33,37 +33,18 @@ require_once 'general.php';
*/
function checkWeakKeyCSR($csr, $encoding = "PEM")
{
- // non-PEM-encodings may be binary so don't use echo
- $descriptorspec = array(
- 0 => array("pipe", "r"), // STDIN for child
- 1 => array("pipe", "w"), // STDOUT for child
- );
$encoding = escapeshellarg($encoding);
- $proc = proc_open("openssl req -inform $encoding -text -noout",
- $descriptorspec, $pipes);
-
- if (is_resource($proc))
- {
- fwrite($pipes[0], $csr);
- fclose($pipes[0]);
-
- $csrText = "";
- while (!feof($pipes[1]))
- {
- $csrText .= fread($pipes[1], 8192);
- }
- fclose($pipes[1]);
-
- if (($status = proc_close($proc)) !== 0 || $csrText === "")
- {
- return _("I didn't receive a valid Certificate Request, hit ".
- "the back button and try again.");
- }
- } else {
+ $status = runCommand("openssl req -inform $encoding -text -noout",
+ $csr, $csrText);
+ if ($status === true) {
return failWithId("checkWeakKeyCSR(): Failed to start OpenSSL");
}
-
-
+
+ if ($status !== 0 || $csrText === "") {
+ return _("I didn't receive a valid Certificate Request. Hit ".
+ "the back button and try again.");
+ }
+
return checkWeakKeyText($csrText);
}
@@ -80,37 +61,18 @@ function checkWeakKeyCSR($csr, $encoding = "PEM")
*/
function checkWeakKeyX509($cert, $encoding = "PEM")
{
- // non-PEM-encodings may be binary so don't use echo
- $descriptorspec = array(
- 0 => array("pipe", "r"), // STDIN for child
- 1 => array("pipe", "w"), // STDOUT for child
- );
$encoding = escapeshellarg($encoding);
- $proc = proc_open("openssl x509 -inform $encoding -text -noout",
- $descriptorspec, $pipes);
-
- if (is_resource($proc))
- {
- fwrite($pipes[0], $cert);
- fclose($pipes[0]);
-
- $certText = "";
- while (!feof($pipes[1]))
- {
- $certText .= fread($pipes[1], 8192);
- }
- fclose($pipes[1]);
-
- if (($status = proc_close($proc)) !== 0 || $certText === "")
- {
- return _("I didn't receive a valid Certificate Request, hit ".
- "the back button and try again.");
- }
- } else {
- return failWithId("checkWeakKeyCSR(): Failed to start OpenSSL");
+ $status = runCommand("openssl x509 -inform $encoding -text -noout",
+ $cert, $certText);
+ if ($status === true) {
+ return failWithId("checkWeakKeyX509(): Failed to start OpenSSL");
}
-
-
+
+ if ($status !== 0 || $certText === "") {
+ return _("I didn't receive a valid Certificate Request. Hit ".
+ "the back button and try again.");
+ }
+
return checkWeakKeyText($certText);
}
@@ -127,16 +89,17 @@ function checkWeakKeyX509($cert, $encoding = "PEM")
*/
function checkWeakKeySPKAC($spkac, $spkacname = "SPKAC")
{
- /* Check for the debian OpenSSL vulnerability */
-
- $spkac = escapeshellarg($spkac);
$spkacname = escapeshellarg($spkacname);
- $spkacText = `echo $spkac | openssl spkac -spkac $spkacname`;
- if ($spkacText === null) {
- return _("I didn't receive a valid Certificate Request, hit the ".
- "back button and try again.");
+ $status = runCommand("openssl spkac -spkac $spkacname", $spkac, $spkacText);
+ if ($status === true) {
+ return failWithId("checkWeakKeySPKAC(): Failed to start OpenSSL");
}
-
+
+ if ($status !== 0 || $spkacText === "") {
+ return _("I didn't receive a valid Certificate Request. Hit the ".
+ "back button and try again.");
+ }
+
return checkWeakKeyText($spkacText);
}
@@ -157,7 +120,7 @@ function checkWeakKeyText($text)
$algorithm))
{
return failWithId("checkWeakKeyText(): Couldn't extract the ".
- "public key algorithm used");
+ "public key algorithm used.\nData:\n$text");
} else {
$algorithm = $algorithm[1];
}
@@ -165,16 +128,15 @@ function checkWeakKeyText($text)
if ($algorithm === "rsaEncryption")
{
- if (!preg_match('/^\s*RSA Public Key: \((\d+) bit\)$/m', $text,
- $keysize))
+ if (!preg_match('/^\s*RSA Public Key: \((\d+) bit\)$/m', $text, $keysize))
{
return failWithId("checkWeakKeyText(): Couldn't parse the RSA ".
- "key size");
+ "key size.\nData:\n$text");
} else {
$keysize = intval($keysize[1]);
}
-
- if ($keysize < 1024)
+
+ if ($keysize < 2048)
{
return sprintf(_("The keys that you use are very small ".
"and therefore insecure. Please generate stronger ".
@@ -182,14 +144,8 @@ function checkWeakKeyText($text)
"found in %sthe wiki%s"),
"<a href='//wiki.cacert.org/WeakKeys#SmallKey'>",
"</a>");
- } elseif ($keysize < 2048) {
- // not critical but log so we have some statistics about
- // affected users
- trigger_error("checkWeakKeyText(): Certificate for small ".
- "key (< 2048 bit) requested", E_USER_NOTICE);
}
-
-
+
$debianVuln = checkDebianVulnerability($text, $keysize);
if ($debianVuln === true)
{
@@ -204,19 +160,20 @@ function checkWeakKeyText($text)
// not vulnerable => do nothing
} else {
return failWithId("checkWeakKeyText(): Something went wrong in".
- "checkDebianVulnerability()");
+ "checkDebianVulnerability().\nKeysize: $keysize\n".
+ "Data:\n$text");
}
-
+
if (!preg_match('/^\s*Exponent: (\d+) \(0x[0-9a-fA-F]+\)$/m', $text,
$exponent))
{
return failWithId("checkWeakKeyText(): Couldn't parse the RSA ".
- "exponent");
+ "exponent.\nData:\n$text");
} else {
$exponent = $exponent[1]; // exponent might be very big =>
//handle as string using bc*()
- if (bccomp($exponent, "3") === 0)
+ if (bccomp($exponent, "65537") < 0)
{
return sprintf(_("The keys you use might be insecure. ".
"Although there is currently no known attack for ".
@@ -228,9 +185,9 @@ function checkWeakKeyText($text)
"<a href='//wiki.cacert.org/WeakKeys#SmallExponent'>",
"</a>");
} elseif (!(bccomp($exponent, "65537") >= 0 &&
- (bccomp($exponent, "100000") === -1 ||
- // speed things up if way smaller than 2^256
- bccomp($exponent, bcpow("2", "256")) === -1) )) {
+ (bccomp($exponent, "100000") === -1 ||
+ // speed things up if way smaller than 2^256
+ bccomp($exponent, bcpow("2", "256")) === -1) )) {
// 65537 <= exponent < 2^256 recommended by NIST
// not critical but log so we have some statistics about
// affected users
@@ -239,10 +196,83 @@ function checkWeakKeyText($text)
E_USER_NOTICE);
}
}
- }
- /* No weakness found */
- return "";
+ // No weakness found
+ return "";
+ } // End RSA
+
+/*
+//Fails to work due to outdated OpenSSL 0.9.8o
+//For this to work OpenSSL 1.0.1f or newer is required
+//which is currently unavailable on the systems
+//If DSA2048 or longer is used the CSR hangs pending on the signer.
+ if ($algorithm === "dsaEncryption")
+ {
+ if (!preg_match('/^\s*Public Key Algorithm:\s+dsaEncryption\s+pub:\s+([0-9a-fA-F:\s]+)\s+P:\s+([0-9a-fA-F:\s]+)\s+Q:\s+([0-9a-fA-F:\s]+)\s+G:\s+([0-9a-fA-F:\s]+)\s+$/sm', $text, $keydetail))
+ {
+ return failWithId("checkWeakKeyText(): Couldn't parse the DSA ".
+ "key size.\nData:\n$text");
+ }
+
+ $key_pub = strtr(preg_replace("/[^0-9a-fA-F]/", "", $keydetail[1]), "ABCDEF", "abcdef");
+ $key_P = strtr(preg_replace("/[^0-9a-fA-F]/", "", $keydetail[2]), "ABCDEF", "abcdef");
+ $key_Q = strtr(preg_replace("/[^0-9a-fA-F]/", "", $keydetail[3]), "ABCDEF", "abcdef");
+ $key_G = strtr(preg_replace("/[^0-9a-fA-F]/", "", $keydetail[4]), "ABCDEF", "abcdef");
+
+ //Verify the numbers provided by the client
+ $num_pub = @gmp_init($key_pub, 16);
+ $num_P = @gmp_init($key_P, 16);
+ $num_Q = @gmp_init($key_Q, 16);
+ $num_G = @gmp_init($key_G, 16);
+
+ $bit_P = ltrim(gmp_strval($num_P, 2), "0");
+ $keysize = strlen($bit_P);
+
+ if ($keysize < 2048) {
+ return sprintf(_("The keys that you use are very small ".
+ "and therefore insecure. Please generate stronger ".
+ "keys. More information about this issue can be ".
+ "found in %sthe wiki%s"),
+ "<a href='//wiki.cacert.org/WeakKeys#SmallKey'>",
+ "</a>");
+ }
+
+ //Following checks based on description of key generation in Wikipedia
+ //These checks do not ensure a strong key, but at least check for enough sanity in the key material
+ // cf. https://en.wikipedia.org/wiki/Digital_Signature_Algorithm#Key_generation
+
+ //Check that P is prime
+ if(!gmp_testprime($num_P)) {
+ return failWithId("checkWeakKeyText(): The supplied DSA ".
+ "key does seem to have a non-prime public modulus.\nData:\n$text");
+ }
+
+ //Check that Q is prime
+ if(!gmp_testprime($num_Q)) {
+ return failWithId("checkWeakKeyText(): The supplied DSA ".
+ "key does seem to have a non-prime Q-value.\nData:\n$text");
+ }
+
+ //Check if P-1 is diviseable by Q
+ if(0 !== gmp_cmp("1", gmp_mod($num_P, $num_Q))) {
+ return failWithId("checkWeakKeyText(): The supplied DSA ".
+ "key does seem to have P mod Q === 1 (i.e. P-1 is not diviseable by Q).\nData:\n$text");
+ }
+
+ //Check the numbers are all less than the public modulus P
+ if(0 <= gmp_cmp($num_Q, $num_P) || 0 <= gmp_cmp($num_G, $num_P) || 0 <= gmp_cmp($num_pub, $num_P)) {
+ return failWithId("checkWeakKeyText(): The supplied DSA ".
+ "key does seem to be normalized to have Q < P, G < P and pub < P.\nData:\n$text");
+ }
+
+ // No weakness found
+ return "";
+ } // End DSA
+*/
+
+
+ return _("The keys you supplied use an unrecognized algorithm. ".
+ "For security reasons these keys can not be signed by CAcert.");
}
/**
@@ -268,7 +298,8 @@ function checkDebianVulnerability($text, $keysize = 0)
$algorithm))
{
trigger_error("checkDebianVulnerability(): Couldn't extract ".
- "the public key algorithm used", E_USER_WARNING);
+ "the public key algorithm used.\nData:\n$text",
+ E_USER_WARNING);
return null;
} else {
$algorithm = $algorithm[1];
@@ -281,7 +312,7 @@ function checkDebianVulnerability($text, $keysize = 0)
$keysize))
{
trigger_error("checkDebianVulnerability(): Couldn't parse the ".
- "RSA key size", E_USER_WARNING);
+ "RSA key size.\nData:\n$text", E_USER_WARNING);
return null;
} else {
$keysize = intval($keysize[1]);
@@ -312,7 +343,7 @@ function checkDebianVulnerability($text, $keysize = 0)
$text, $modulus))
{
trigger_error("checkDebianVulnerability(): Couldn't extract the ".
- "RSA modulus", E_USER_WARNING);
+ "RSA modulus.\nData:\n$text", E_USER_WARNING);
return null;
} else {
$modulus = $modulus[1];
@@ -339,7 +370,7 @@ function checkDebianVulnerability($text, $keysize = 0)
// $checksum and $blacklist should be safe, but just to make sure
$checksum = escapeshellarg($checksum);
$blacklist = escapeshellarg($blacklist);
- exec("grep $checksum $blacklist", $dummy, $debianVuln);
+ $debianVuln = runCommand("grep $checksum $blacklist");
if ($debianVuln === 0) // grep returned something => it is on the list
{
return true;
diff --git a/includes/lib/general.php b/includes/lib/general.php
index 6cfbd10..127c6b7 100644
--- a/includes/lib/general.php
+++ b/includes/lib/general.php
@@ -18,10 +18,10 @@
/**
* Checks if the user may log in and retrieve the user id
- *
+ *
* Usually called with $_SERVER['SSL_CLIENT_M_SERIAL'] and
* $_SERVER['SSL_CLIENT_I_DN_CN']
- *
+ *
* @param $serial string
* usually $_SERVER['SSL_CLIENT_M_SERIAL']
* @param $issuer_cn string
@@ -43,20 +43,20 @@ function get_user_id_from_cert($serial, $issuer_cn)
$row = mysql_fetch_assoc($res);
return intval($row['memid']);
}
-
+
return -1;
}
/**
-* Produces a log entry with the error message with log level E_USER_WARN
-* and a random ID an returns a message that can be displayed to the user
-* including the generated ID
-*
-* @param $errormessage string
-* The error message that should be logged
-* @return string containing the generated ID that can be displayed to the
-* user
-*/
+ * Produces a log entry with the error message with log level E_USER_WARN
+ * and a random ID an returns a message that can be displayed to the user
+ * including the generated ID
+ *
+ * @param $errormessage string
+ * The error message that should be logged
+ * @return string containing the generated ID that can be displayed to the
+ * user
+ */
function failWithId($errormessage) {
$errorId = rand();
trigger_error("$errormessage. ID: $errorId", E_USER_WARNING);
@@ -68,3 +68,95 @@ function failWithId($errormessage) {
$errorId);
}
+
+/**
+ * Runs a command on the shell and return it's exit code and output
+ *
+ * @param string $command
+ * The command to run. Make sure that you escapeshellarg() any non-constant
+ * parts as this is executed on a shell!
+ * @param string|bool $input
+ * The input that is passed to the command via STDIN, if true the real
+ * STDIN is passed through
+ * @param string|bool $output
+ * The output the command wrote to STDOUT (this is passed as reference),
+ * if true the output will be written to the real STDOUT. Output is ignored
+ * by default
+ * @param string|bool $errors
+ * The output the command wrote to STDERR (this is passed as reference),
+ * if true (default) the output will be written to the real STDERR
+ *
+ * @return int|bool
+ * The exit code of the command, true if the execution of the command
+ * failed (true because then
+ * <code>if (runCommand('echo "foo"')) handle_error();</code> will work)
+ */
+function runCommand($command, $input = "", &$output = null, &$errors = true) {
+ $descriptorspec = array();
+
+ if ($input !== true) {
+ $descriptorspec[0] = array("pipe", "r"); // STDIN for child
+ }
+
+ if ($output !== true) {
+ $descriptorspec[1] = array("pipe", "w"); // STDOUT for child
+ }
+
+ if ($errors !== true) {
+ $descriptorspec[2] = array("pipe", "w"); // STDERR for child
+ }
+
+ $proc = proc_open($command, $descriptorspec, $pipes);
+
+ if (is_resource($proc))
+ {
+ if ($input !== true) {
+ fwrite($pipes[0], $input);
+ fclose($pipes[0]);
+ }
+
+ if ($output !== true) {
+ $output = stream_get_contents($pipes[1]);
+ }
+
+ if ($errors !== true) {
+ $errors = stream_get_contents($pipes[2]);
+ }
+
+ return proc_close($proc);
+
+ } else {
+ return true;
+ }
+}
+
+ // returns 0 if $userID is an Assurer
+ // Otherwise :
+ // Bit 0 is always set
+ // Bit 1 is set if 100 Assurance Points are not reached
+ // Bit 2 is set if Assurer Test is missing
+ // Bit 3 is set if the user is not allowed to be an Assurer (assurer_blocked > 0)
+ function get_assurer_status($userID)
+ {
+ $Result = 0;
+ $query = mysql_query('SELECT * FROM `cats_passed` AS `tp`, `cats_variant` AS `cv` '.
+ ' WHERE `tp`.`variant_id` = `cv`.`id` AND `cv`.`type_id` = 1 AND `tp`.`user_id` = \''.(int)intval($userID).'\'');
+ if(mysql_num_rows($query) < 1)
+ {
+ $Result |= 5;
+ }
+
+ $query = mysql_query('SELECT SUM(`points`) AS `points` FROM `notary` AS `n` WHERE `n`.`to` = \''.(int)intval($userID).'\' AND `n`.`expire` < now() and `deleted` = 0');
+ $row = mysql_fetch_assoc($query);
+ if ($row['points'] < 100) {
+ $Result |= 3;
+ }
+
+ $query = mysql_query('SELECT `assurer_blocked` FROM `users` WHERE `id` = \''.(int)intval($userID).'\'');
+ $row = mysql_fetch_assoc($query);
+ if ($row['assurer_blocked'] > 0) {
+ $Result |= 9;
+ }
+
+ return $Result;
+ }
diff --git a/includes/lib/l10n.php b/includes/lib/l10n.php
new file mode 100644
index 0000000..e325add
--- /dev/null
+++ b/includes/lib/l10n.php
@@ -0,0 +1,358 @@
+<?php /*
+ LibreSSL - CAcert web application
+ Copyright (C) 2004-2011 CAcert Inc.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 2 of the License.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+*/
+
+/**
+ * This class provides some functions for language handling
+ */
+class L10n {
+ /**
+ * These are tranlations we currently support.
+ *
+ * If another translation is added, it doesn't suffice to have gettext set
+ * up, you also need to add it here, because it acts as a white list.
+ *
+ * @var array("ISO-language code" => "native name of the language")
+ */
+ public static $translations = array(
+ "ar" => "&#1575;&#1604;&#1593;&#1585;&#1576;&#1610;&#1577;",
+ "bg" => "&#1041;&#1098;&#1083;&#1075;&#1072;&#1088;&#1089;&#1082;&#1080;",
+ "cs" => "&#268;e&scaron;tina",
+ "da" => "Dansk",
+ "de" => "Deutsch",
+ "el" => "&Epsilon;&lambda;&lambda;&eta;&nu;&iota;&kappa;&#940;",
+ "en" => "English",
+ "es" => "Espa&#xf1;ol",
+ "fi" => "Suomi",
+ "fr" => "Fran&#xe7;ais",
+ "hu" => "Magyar",
+ "it" => "Italiano",
+ "ja" => "&#26085;&#26412;&#35486;",
+ "lv" => "Latvie&scaron;u",
+ "nl" => "Nederlands",
+ "pl" => "Polski",
+ "pt" => "Portugu&#xea;s",
+ "pt-br" => "Portugu&#xea;s Brasileiro",
+ "ru" => "&#x420;&#x443;&#x441;&#x441;&#x43a;&#x438;&#x439;",
+ "sv" => "Svenska",
+ "tr" => "T&#xfc;rk&#xe7;e",
+ "zh-cn" => "&#x4e2d;&#x6587;(&#x7b80;&#x4f53;)",
+ "zh-tw" => "&#x4e2d;&#x6587;(&#33274;&#28771;)",
+ );
+
+ /**
+ * setlocale needs a language + region code for whatever reason so here's
+ * the mapping from a translation code to locales with the region that
+ * seemed the most common for this language
+ *
+ * You probably never need this. Use {@link set_translation()} to change the
+ * language instead of manually calling setlocale().
+ *
+ * @var array(string => string)
+ */
+ private static $locales = array(
+ "ar" => "ar_JO",
+ "bg" => "bg_BG",
+ "cs" => "cs_CZ",
+ "da" => "da_DK",
+ "de" => "de_DE",
+ "el" => "el_GR",
+ "en" => "en_US",
+ "es" => "es_ES",
+ "fa" => "fa_IR",
+ "fi" => "fi_FI",
+ "fr" => "fr_FR",
+ "he" => "he_IL",
+ "hr" => "hr_HR",
+ "hu" => "hu_HU",
+ "id" => "id_ID",
+ "is" => "is_IS",
+ "it" => "it_IT",
+ "ja" => "ja_JP",
+ "ka" => "ka_GE",
+ "ko" => "ko_KR",
+ "lv" => "lv_LV",
+ "nb" => "nb_NO",
+ "nl" => "nl_NL",
+ "pl" => "pl_PL",
+ "pt" => "pt_PT",
+ "pt-br" => "pt_BR",
+ "ro" => "ro_RO",
+ "ru" => "ru_RU",
+ "sl" => "sl_SI",
+ "sv" => "sv_SE",
+ "th" => "th_TH",
+ "tr" => "tr_TR",
+ "uk" => "uk_UA",
+ "zh-cn" => "zh_CN",
+ "zh-tw" => "zh_TW",
+ );
+
+ /**
+ * Auto-detects the language that should be used and sets it. Only works for
+ * HTTP, not in a command line script.
+ *
+ * Priority:
+ * <ol>
+ * <li>explicit parameter "lang" passed in HTTP (e.g. via GET)</li>
+ * <li>existing setting in the session (stick to the setting we had before)
+ * </li>
+ * <li>auto-detect via the HTTP Accept-Language header sent by the user
+ * agent</li>
+ * </ol>
+ */
+ public static function detect_language() {
+ if ( (self::get_translation() != "")
+ // already set in the session?
+ &&
+ !(array_key_exists("lang", $_REQUEST) &&
+ trim($_REQUEST["lang"]) != "")
+ // explicit parameter?
+ )
+ {
+ if ( self::set_translation(self::get_translation()) ) {
+ return;
+ }
+ }
+
+
+ $languages = array();
+
+ // parse Accept-Language header
+ if (array_key_exists('HTTP_ACCEPT_LANGUAGE', $_SERVER)) {
+ $bits = explode(",", strtolower(
+ str_replace(" ", "", $_SERVER['HTTP_ACCEPT_LANGUAGE'])
+ ));
+ foreach($bits as $lang)
+ {
+ $b = explode(";", $lang);
+ if(count($b)>1 && substr($b[1], 0, 2) == "q=")
+ $c = floatval(substr($b[1], 2));
+ else
+ $c = 1;
+
+ if ($c != 0)
+ {
+ $languages[trim($b[0])] = $c;
+ }
+ }
+ }
+
+ // check if there is an explicit language given as parameter
+ if(array_key_exists("lang",$_REQUEST) && trim($_REQUEST["lang"]) != "")
+ {
+ // higher priority than those values in the header
+ $languages[strtolower(trim($_REQUEST["lang"]))] = 2.0;
+ }
+
+ arsort($languages, SORT_NUMERIC);
+
+ // this is used to be compatible with browsers like internet
+ // explorer which only provide the language code including the
+ // region not without. Also handles the fallback to English (qvalues
+ // may only have three digits after the .)
+ $fallbacks = array("en" => 0.0005);
+
+ foreach($languages as $lang => $qvalue)
+ {
+ // ignore any non-conforming values (that's why we don't need to
+ // mysql_real_escape() or escapeshellarg(), but take care of
+ // the '*')
+ // spec: ( ( 1*8ALPHA *( "-" 1*8ALPHA ) ) | "*" )
+ if ( preg_match('/^(?:([a-zA-Z]{1,8})(?:-[a-zA-Z]{1,8})*|\*)$/',
+ $lang, $matches) !== 1 ) {
+ continue;
+ }
+ $lang_prefix = $matches[1]; // usually two-letter language code
+ $fallbacks[$lang_prefix] = $qvalue;
+
+ $chosen_translation = "";
+ if ($lang === '*') {
+ // According to the standard '*' matches anything but any
+ // language explicitly specified. So in theory if there
+ // was an explicit mention of "en" with a lower priority
+ // this would be incorrect, but that's too much trouble.
+ $chosen_translation = "en";
+ } else {
+ $lang_length = strlen($lang);
+ foreach (self::$translations as $translation => $ignore)
+ {
+ // May match exactly or on every '-'
+ if ( $translation === $lang ||
+ substr($translation, 0, $lang_length + 1)
+ === $lang.'-'
+ )
+ {
+ $chosen_translation = $translation;
+ break;
+ }
+ }
+ }
+
+ if ($chosen_translation !== "")
+ {
+ if (self::set_translation($chosen_translation)) {
+ return;
+ }
+ }
+ }
+
+ // No translation found yet => try the prefixes
+ arsort($fallbacks, SORT_NUMERIC);
+ foreach ($fallbacks as $lang => $qvalue) {
+ if (self::set_translation($lang)) {
+ return;
+ }
+ }
+
+ // should not get here, as the fallback of "en" is provided and that
+ // should always work => log an error
+ trigger_error("L10n::detect_language(): could not set language",
+ E_USER_WARNING);
+ }
+
+ /**
+ * Normalise the translation code (e.g. from the old codes to the new)
+ *
+ * @return string
+ * a translation code or the empty string if it can't be normalised
+ */
+ public static function normalise_translation($translation_code) {
+ // check $translation_code against whitelist
+ if (array_key_exists($translation_code, self::$translations) ) {
+ return $translation_code;
+ }
+
+ // maybe it's a locale as previously used in the system? e.g. en_AU
+ if (preg_match('/^([a-z][a-z])_([A-Z][A-Z])$/', $translation_code, $matches) !== 1) {
+ return '';
+ }
+
+ $lang_code = $matches[1];
+ $region_code = strtolower($matches[2]);
+
+ if (array_key_exists("${lang_code}-${region_code}", self::$translations)) {
+ return "${lang_code}-${region_code}";
+ }
+
+ if (array_key_exists($lang_code, self::$translations)) {
+ return $lang_code;
+ }
+
+ return '';
+ }
+
+ /**
+ * Get the set translation
+ *
+ * @return string
+ * a translation code or the empty string if not set
+ */
+ public static function get_translation() {
+ if (array_key_exists('language', $_SESSION['_config'])) {
+ return $_SESSION['_config']['language'];
+ } else {
+ return "";
+ }
+ }
+
+ /**
+ * Set the translation to use.
+ *
+ * @param string $translation_code
+ * the translation code as specified in the keys of {@link $translations}
+ *
+ * @return bool
+ * <ul>
+ * <li>true if the translation has been set successfully</li>
+ * <li>false if the $translation_code was not contained in the white
+ * list or could not be set for other reasons (e.g. setlocale()
+ * failed because the locale has not been set up on the system -
+ * details will be logged)</li>
+ * </ul>
+ */
+ public static function set_translation($translation_code) {
+ $translation_code = self::normalise_translation($translation_code);
+ if (empty($translation_code)) {
+ return false;
+ }
+
+ // map translation to locale
+ if ( !array_key_exists($translation_code, self::$locales) ) {
+ // weird. maybe you added a translation but haven't added a
+ // translation to locale mapping in self::locales?
+ trigger_error("L10n::set_translation(): could not map the ".
+ "translation $translation_code to a locale", E_USER_WARNING);
+ return false;
+ }
+ $locale = self::$locales[$translation_code];
+
+ // set up locale
+ if ( !putenv("LANG=$locale") ) {
+ trigger_error("L10n::set_translation(): could not set the ".
+ "environment variable LANG to $locale", E_USER_WARNING);
+ return false;
+ }
+ if ( !setlocale(LC_ALL, $locale) ) {
+ trigger_error("L10n::set_translation(): could not setlocale() ".
+ "LC_ALL to $locale", E_USER_WARNING);
+ return false;
+ }
+
+
+ // only set if we're running in a server not in a script
+ if (isset($_SESSION)) {
+ // save the setting
+ $_SESSION['_config']['language'] = $translation_code;
+
+
+ // Set up the recode settings needed e.g. in PDF creation
+ $_SESSION['_config']['recode'] = "html..latin-1";
+
+ if($translation_code === "zh-cn" || $translation_code === "zh-tw")
+ {
+ $_SESSION['_config']['recode'] = "html..gb2312";
+
+ } else if($translation_code === "pl" || $translation_code === "hu") {
+ $_SESSION['_config']['recode'] = "html..ISO-8859-2";
+
+ } else if($translation_code === "ja") {
+ $_SESSION['_config']['recode'] = "html..SHIFT-JIS";
+
+ } else if($translation_code === "ru") {
+ $_SESSION['_config']['recode'] = "html..ISO-8859-5";
+
+ } else if($translation_code == "lt") { // legacy, keep for reference
+ $_SESSION['_config']['recode'] = "html..ISO-8859-13";
+
+ }
+ }
+
+ return true;
+ }
+
+ /**
+ * Sets up the text domain used by gettext
+ *
+ * @param string $domain
+ * the gettext domain that should be used, defaults to "messages"
+ */
+ public static function init_gettext($domain = 'messages') {
+ bindtextdomain($domain, $_SESSION['_config']['filepath'].'/locale');
+ textdomain($domain);
+ }
+} \ No newline at end of file