Diffstat (limited to 'engine/lib')
-rw-r--r--engine/lib/actions.php27
-rw-r--r--engine/lib/admin.php2
-rw-r--r--engine/lib/deprecated-1.7.php2
-rw-r--r--engine/lib/deprecated-1.8.php2
-rw-r--r--engine/lib/memcache.php20
-rw-r--r--engine/lib/notification.php13
-rw-r--r--engine/lib/output.php19
-rw-r--r--engine/lib/sessions.php6
-rw-r--r--engine/lib/system_log.php11
-rw-r--r--engine/lib/upgrades/2013060900-1.8.15-site_secret-404fc165cf9e0ac9.php16
10 files changed, 110 insertions, 8 deletions
diff --git a/engine/lib/actions.php b/engine/lib/actions.php
index 56936f582..8047914ac 100644
--- a/engine/lib/actions.php
+++ b/engine/lib/actions.php
@@ -364,16 +364,19 @@ function generate_action_token($timestamp) {
}
/**
- * Initialise the site secret hash.
+ * Initialise the site secret (32 bytes: "z" to indicate format + 186-bit key in Base64 URL).
*
* Used during installation and saves as a datalist.
*
+ * Note: Old secrets were hex encoded.
+ *
* @return mixed The site secret hash or false
* @access private
* @todo Move to better file.
*/
function init_site_secret() {
- $secret = md5(rand() . microtime());
+ $secret = 'z' . ElggCrypto::getRandomString(31);
+
if (datalist_set('__site_secret__', $secret)) {
return $secret;
}
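Review bot: Nothing verifies that the value built on the `$secret = 'z' . ElggCrypto::getRandomString(31);` line actually has the 32-character shape the docblock promises before it is persisted with datalist_set(). ElggCrypto::getRandomString() is not in this diff, so if it can return false or a short string on an entropy failure, a truncated secret would be stored and later reported as "strong" purely because of its `z` prefix. A cheap guard before the datalist_set() call would be `if (strlen($secret) !== 32) { return false; }`. The failure return at the end of init_site_secret() lies outside the hunk.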
@@ -400,6 +403,26 @@ function get_site_secret() {
}
/**
+ * Get the strength of the site secret
+ *
+ * @return string "strong", "moderate", or "weak"
+ * @access private
+ */
+function _elgg_get_site_secret_strength() {
+ $secret = get_site_secret();
+ if ($secret[0] !== 'z') {
+ $rand_max = getrandmax();
+ if ($rand_max < pow(2, 16)) {
+ return 'weak';
+ }
+ if ($rand_max < pow(2, 32)) {
+ return 'moderate';
+ }
+ }
+ return 'strong';
+}
+
+/**
* Check if an action is registered and its script exists.
*
* @param string $action Action name
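Review bot: `$secret[0]` on line `if ($secret[0] !== 'z') {` assumes get_site_secret() returned a non-empty string; on false or '' it raises a notice and the function can still answer "moderate" or "strong" for a secret that does not exist. The classification also uses getrandmax() of the host running the upgrade, which need not be the host that generated a legacy md5(rand() . microtime()) secret, and calling such a secret "strong" when getrandmax() >= 2^32 overstates it — its entropy is bounded by rand() plus a timestamp, nowhere near the 186 bits of the new format. I would reject empty secrets outright and cap legacy secrets at "moderate"; the body of get_site_secret() starts outside this hunk.
```php
function _elgg_get_site_secret_strength() {
	$secret = get_site_secret();
	// missing or empty secret is the weakest possible state
	if (!is_string($secret) || $secret === '') {
		return 'weak';
	}
	// legacy hex secrets were md5(rand() . microtime()); rand() range bounds their entropy
	if ($secret[0] !== 'z') {
		return (getrandmax() < pow(2, 16)) ? 'weak' : 'moderate';
	}
	return 'strong';
}
```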
diff --git a/engine/lib/admin.php b/engine/lib/admin.php
index 7f82108c0..f36f29668 100644
--- a/engine/lib/admin.php
+++ b/engine/lib/admin.php
@@ -236,6 +236,7 @@ function admin_init() {
elgg_register_action('admin/site/update_advanced', '', 'admin');
elgg_register_action('admin/site/flush_cache', '', 'admin');
elgg_register_action('admin/site/unlock_upgrade', '', 'admin');
+ elgg_register_action('admin/site/regenerate_secret', '', 'admin');
elgg_register_action('admin/menu/save', '', 'admin');
@@ -291,6 +292,7 @@ function admin_init() {
elgg_register_admin_menu_item('configure', 'settings', null, 100);
elgg_register_admin_menu_item('configure', 'basic', 'settings', 10);
elgg_register_admin_menu_item('configure', 'advanced', 'settings', 20);
+ elgg_register_admin_menu_item('configure', 'advanced/site_secret', 'settings', 25);
elgg_register_admin_menu_item('configure', 'menu_items', 'appearance', 30);
elgg_register_admin_menu_item('configure', 'profile_fields', 'appearance', 40);
// default widgets is added via an event handler elgg_default_widgets_init() in widgets.php
diff --git a/engine/lib/deprecated-1.7.php b/engine/lib/deprecated-1.7.php
index 519eea89d..ee95b5611 100644
--- a/engine/lib/deprecated-1.7.php
+++ b/engine/lib/deprecated-1.7.php
@@ -1137,6 +1137,7 @@ function make_register_object($register_name, $register_value, $children_array =
* @param int $guid GUID
*
* @return 1
+ * @deprecated 1.7
*/
function delete_object_entity($guid) {
system_message(elgg_echo('deprecatedfunction', array('delete_user_entity')));
@@ -1154,6 +1155,7 @@ function delete_object_entity($guid) {
* @param int $guid User GUID
*
* @return 1
+ * @deprecated 1.7
*/
function delete_user_entity($guid) {
system_message(elgg_echo('deprecatedfunction', array('delete_user_entity')));
diff --git a/engine/lib/deprecated-1.8.php b/engine/lib/deprecated-1.8.php
index 6aa42a81d..91068d047 100644
--- a/engine/lib/deprecated-1.8.php
+++ b/engine/lib/deprecated-1.8.php
@@ -3414,6 +3414,7 @@ function list_annotations($entity_guid, $name = "", $limit = 25, $asc = true) {
* @param unknown_type $timeupper
* @param unknown_type $calculation
* @internal Don't use this at all.
+ * @deprecated 1.8 Use elgg_get_annotations()
*/
function elgg_deprecated_annotation_calculation($entity_guid = 0, $entity_type = "", $entity_subtype = "",
$name = "", $value = "", $value_type = "", $owner_guid = 0, $timelower = 0,
@@ -4667,6 +4668,7 @@ function display_widget(ElggObject $widget) {
*
* @param ElggEntity $entity
* @return int Number of comments
+ * @deprecated 1.8 Use ElggEntity->countComments()
*/
function elgg_count_comments($entity) {
elgg_deprecated_notice('elgg_count_comments() is deprecated by ElggEntity->countComments()', 1.8);
diff --git a/engine/lib/memcache.php b/engine/lib/memcache.php
index f79fba4a9..79b87e850 100644
--- a/engine/lib/memcache.php
+++ b/engine/lib/memcache.php
@@ -35,3 +35,23 @@ function is_memcache_available() {
return $memcache_available;
}
+
+/**
+ * Invalidate an entity in memcache
+ *
+ * @param int $entity_guid The GUID of the entity to invalidate
+ *
+ * @return void
+ * @access private
+ */
+function _elgg_invalidate_memcache_for_entity($entity_guid) {
+ static $newentity_cache;
+
+ if ((!$newentity_cache) && (is_memcache_available())) {
+ $newentity_cache = new ElggMemcache('new_entity_cache');
+ }
+
+ if ($newentity_cache) {
+ $newentity_cache->delete($entity_guid);
+ }
+} \ No newline at end of file
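Review bot: The new file ends without a trailing newline (`\ No newline at end of file`), which this codebase otherwise avoids; add one after the closing brace. `$newentity_cache->delete($entity_guid)` also passes the GUID through untyped, and since the only caller visible in this diff hands it `$_SESSION['guid']`, casting on entry, `$entity_guid = (int) $entity_guid;`, keeps the cache key form consistent with whatever stored it. Whether other memcache namespaces also hold the user object is not visible here, so the comment could say this clears only `new_entity_cache`.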
diff --git a/engine/lib/notification.php b/engine/lib/notification.php
index b6399b3c6..2506867d5 100644
--- a/engine/lib/notification.php
+++ b/engine/lib/notification.php
@@ -110,12 +110,15 @@ function notify_user($to, $from, $subject, $message, array $params = NULL, $meth
// Are we overriding delivery?
$methods = $methods_override;
if (!$methods) {
- $tmp = (array)get_user_notification_settings($guid);
+ $tmp = get_user_notification_settings($guid);
$methods = array();
- foreach ($tmp as $k => $v) {
- // Add method if method is turned on for user!
- if ($v) {
- $methods[] = $k;
+ // $tmp may be false. don't cast
+ if (is_array($tmp)) {
+ foreach ($tmp as $k => $v) {
+ // Add method if method is turned on for user!
+ if ($v) {
+ $methods[] = $k;
+ }
}
}
}
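Review bot: When get_user_notification_settings() returns false the new `if (is_array($tmp))` guard leaves `$methods` empty and the notification is silently dropped for that recipient, with nothing recorded about why. A one-line debug-level log in an `else` branch, noting the GUID whose settings could not be read, would make missed notifications diagnosable without changing the outcome. The comment `// $tmp may be false. don't cast` could also say what false means here (no settings stored vs. lookup failure) if that is known — it is not visible in this diff.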
diff --git a/engine/lib/output.php b/engine/lib/output.php
index 6172a5c8d..de4f911fb 100644
--- a/engine/lib/output.php
+++ b/engine/lib/output.php
@@ -421,6 +421,25 @@ function _elgg_html_decode($string) {
}
/**
+ * Prepares query string for output to prevent CSRF attacks.
+ *
+ * @param string $string
+ * @return string
+ *
+ * @access private
+ */
+function _elgg_get_display_query($string) {
+ //encode <,>,&, quotes and characters above 127
+ if (function_exists('mb_convert_encoding')) {
+ $display_query = mb_convert_encoding($string, 'HTML-ENTITIES', 'UTF-8');
+ } else {
+ // if no mbstring extension, we just strip characters
+ $display_query = preg_replace("/[^\x01-\x7F]/", "", $string);
+ }
+ return htmlspecialchars($display_query, ENT_QUOTES, 'UTF-8', false);
+}
+
+/**
* Unit tests for Output
*
* @param string $hook unit_test
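Review bot: The docblock line `* Prepares query string for output to prevent CSRF attacks.` names the wrong threat; encoding `<`, `>`, `&` and quotes before echoing a query string back to the page defends against reflected XSS, not CSRF. Suggest `* Prepares a query string for safe HTML output (reflected XSS), entity-encoding markup characters and non-ASCII.` The `false` fourth argument to htmlspecialchars() is also worth a comment, since it is deliberate: `// double_encode=false keeps the entities mb_convert_encoding() just produced from being encoded twice`. Note the non-mbstring fallback strips bytes above 0x7F rather than encoding them, so output differs between the two branches.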
diff --git a/engine/lib/sessions.php b/engine/lib/sessions.php
index fb28e1e9a..e3d5ce9cd 100644
--- a/engine/lib/sessions.php
+++ b/engine/lib/sessions.php
@@ -326,6 +326,12 @@ function login(ElggUser $user, $persistent = false) {
set_last_login($_SESSION['guid']);
reset_login_failure_count($user->guid); // Reset any previous failed login attempts
+ // if memcache is enabled, invalidate the user in memcache @see https://github.com/Elgg/Elgg/issues/3143
+ if (is_memcache_available()) {
+ // this needs to happen with a shutdown function because of the timing with set_last_login()
+ register_shutdown_function("_elgg_invalidate_memcache_for_entity", $_SESSION['guid']);
+ }
+
return true;
}
diff --git a/engine/lib/system_log.php b/engine/lib/system_log.php
index 5a153afb2..84302632e 100644
--- a/engine/lib/system_log.php
+++ b/engine/lib/system_log.php
@@ -187,7 +187,16 @@ function system_log($object, $event) {
$object_subtype = $object->getSubtype();
$event = sanitise_string($event);
$time = time();
- $ip_address = sanitise_string($_SERVER['REMOTE_ADDR']);
+
+ if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
+ $ip_address = array_pop(explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']));
+ } elseif (!empty($_SERVER['HTTP_X_REAL_IP'])) {
+ $ip_address = array_pop(explode(',', $_SERVER['HTTP_X_REAL_IP']));
+ } else {
+ $ip_address = $_SERVER['REMOTE_ADDR'];
+ }
+ $ip_address = sanitise_string($ip_address);
+
$performed_by = elgg_get_logged_in_user_guid();
if (isset($object->access_id)) {
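Review bot: The new `HTTP_X_FORWARDED_FOR` / `HTTP_X_REAL_IP` branches trust client-controlled headers unconditionally, so any visitor can choose the address written to the system log by sending the header, which defeats the log as forensic evidence; these headers should only be honoured when `REMOTE_ADDR` is a known proxy. `array_pop(explode(...))` additionally passes a temporary by reference (PHP emits "Only variables should be passed by reference"), the value is never trimmed, and sanitise_string() is an SQL escape rather than an IP check, so `filter_var($candidate, FILTER_VALIDATE_IP)` should gate what is stored. The surrounding system_log() body continues outside this hunk.
```php
$ip_address = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
// Only trust proxy headers when the direct peer is a known proxy; otherwise any
// client can forge the address recorded in the system log.
$trusted_proxies = array(); // TODO: populate from site configuration
if (in_array($ip_address, $trusted_proxies, true)) {
	foreach (array('HTTP_X_FORWARDED_FOR', 'HTTP_X_REAL_IP') as $header) {
		if (!empty($_SERVER[$header])) {
			$parts = explode(',', $_SERVER[$header]);
			$candidate = trim(array_pop($parts));
			if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
				$ip_address = $candidate;
			}
			break;
		}
	}
}
$ip_address = sanitise_string($ip_address);
```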
diff --git a/engine/lib/upgrades/2013060900-1.8.15-site_secret-404fc165cf9e0ac9.php b/engine/lib/upgrades/2013060900-1.8.15-site_secret-404fc165cf9e0ac9.php
new file mode 100644
index 000000000..538d74dd6
--- /dev/null
+++ b/engine/lib/upgrades/2013060900-1.8.15-site_secret-404fc165cf9e0ac9.php
@@ -0,0 +1,16 @@
+<?php
+/**
+ * Elgg 1.8.15 upgrade 2013060900
+ * site_secret
+ *
+ * Description
+ */
+
+$strength = _elgg_get_site_secret_strength();
+
+if ($strength !== 'strong') {
+ // a new key is needed immediately
+ register_translations(elgg_get_root_path() . 'languages/');
+
+ elgg_add_admin_notice('weak_site_key', elgg_echo("upgrade:site_secret_warning:$strength"));
+}
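Review bot: The file header still carries the template placeholder `* Description` on its own line; it should say what the upgrade does, e.g. `* Checks the strength of the stored site secret and raises an admin notice when it predates the 186-bit format.` The comment `// a new key is needed immediately` also overstates what follows: the script only records a notice via elgg_add_admin_notice() and does not regenerate anything, which is presumably deliberate since an automatic rotation would affect whatever tokens are derived from the secret, but the comment should say that the admin is expected to act. Each strength value used in `elgg_echo("upgrade:site_secret_warning:$strength")` ("weak", "moderate") needs a matching language key; those files are not part of this diff.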