From 85e4c16f39a8b00b229644bcd175663541dfd51a Mon Sep 17 00:00:00 2001
From: Steve Clay <steve@mrclay.org>
Date: Mon, 4 Feb 2013 20:37:25 -0500
Subject: Doc fixes and inline type hints for variables (big static analysis
 cleanup)

---
 engine/lib/admin.php | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

(limited to 'engine/lib/admin.php')

diff --git a/engine/lib/admin.php b/engine/lib/admin.php
index 35ab5599d..3677a3b69 100644
--- a/engine/lib/admin.php
+++ b/engine/lib/admin.php
@@ -380,6 +380,7 @@ function elgg_admin_add_plugin_settings_menu() {
  */
 function elgg_admin_sort_page_menu($hook, $type, $return, $params) {
 	$configure_items = $return['configure'];
+	/* @var ElggMenuItem[] $configure_items */
 	foreach ($configure_items as $menu_item) {
 		if ($menu_item->getName() == 'settings') {
 			$settings = $menu_item;
@@ -387,6 +388,7 @@ function elgg_admin_sort_page_menu($hook, $type, $return, $params) {
 	}
 
 	// keep the basic and advanced settings at the top
+	/* @var ElggMenuItem $settings */
 	$children = $settings->getChildren();
 	$site_settings = array_splice($children, 0, 2);
 	usort($children, array('ElggMenuBuilder', 'compareByText'));
@@ -552,7 +554,7 @@ function admin_plugin_screenshot_page_handler($pages) {
  *	* COPYRIGHT.txt
  *	* LICENSE.txt
  *
- * @param type $page
+ * @param array $pages
  * @return bool
  * @access private
  */
@@ -615,7 +617,11 @@ function admin_markdown_page_handler($pages) {
 /**
  * Adds default admin widgets to the admin dashboard.
  *
- * @return void
+ * @param string $event
+ * @param string $type
+ * @param ElggUser $user
+ *
+ * @return null|true
  * @access private
  */
 function elgg_add_admin_widgets($event, $type, $user) {
@@ -637,6 +643,7 @@ function elgg_add_admin_widgets($event, $type, $user) {
 			$guid = elgg_create_widget($user->getGUID(), $handler, 'admin');
 			if ($guid) {
 				$widget = get_entity($guid);
+				/* @var ElggWidget $widget */
 				$widget->move($column, $position);
 			}
 		}
-- 
cgit v1.2.3


From 707df9db27cf2154910978427b9844448bcf931a Mon Sep 17 00:00:00 2001
From: Steve Clay <steve@mrclay.org>
Date: Mon, 4 Feb 2013 20:51:07 -0500
Subject: Small changes to remove static analysis noise and simplify flow

---
 engine/classes/ElggAutoP.php           | 11 ++++++-----
 engine/classes/ElggData.php            |  1 +
 engine/classes/ElggDiskFilestore.php   |  2 --
 engine/classes/ElggFile.php            |  4 +++-
 engine/classes/ElggGroup.php           |  2 +-
 engine/classes/ElggMenuBuilder.php     |  1 +
 engine/classes/ElggRelationship.php    |  2 ++
 engine/lib/admin.php                   |  2 +-
 engine/lib/annotations.php             |  1 +
 engine/lib/cache.php                   |  6 +++---
 engine/lib/configuration.php           |  2 +-
 engine/lib/cron.php                    |  1 -
 engine/lib/elgglib.php                 |  1 +
 engine/lib/export.php                  | 17 +++++++++--------
 engine/lib/location.php                |  2 +-
 engine/lib/plugins.php                 | 16 +++++++++-------
 engine/lib/relationships.php           |  3 +--
 engine/lib/river.php                   |  1 +
 engine/lib/sessions.php                |  2 +-
 engine/lib/sites.php                   |  2 +-
 engine/lib/statistics.php              |  3 ++-
 engine/lib/system_log.php              |  6 +++---
 engine/lib/tags.php                    |  1 +
 engine/lib/upgrades/create_upgrade.php |  3 ++-
 engine/lib/user_settings.php           |  1 +
 engine/lib/users.php                   | 16 ++++++++--------
 engine/lib/views.php                   |  6 +-----
 27 files changed, 62 insertions(+), 53 deletions(-)

(limited to 'engine/lib/admin.php')

diff --git a/engine/classes/ElggAutoP.php b/engine/classes/ElggAutoP.php
index 40600aa13..f3c7cc972 100644
--- a/engine/classes/ElggAutoP.php
+++ b/engine/classes/ElggAutoP.php
@@ -159,8 +159,9 @@ class ElggAutoP {
 			/* @var DOMElement $el */
 			$autops = $this->_xpath->query('./autop', $el);
 			if ($autops->length === 1) {
-				// strip w/ preg_replace later (faster than moving nodes out)
-				$autops->item(0)->setAttribute("r", "1");
+				$firstAutop = $autops->item(0);
+				/* @var DOMElement $firstAutop */
+				$firstAutop->setAttribute("r", "1");
 			}
 		}
 
@@ -220,12 +221,12 @@ class ElggAutoP {
 
 				$isElement = ($node->nodeType === XML_ELEMENT_NODE);
 				if ($isElement) {
-					$elName = $node->nodeName;
+					$isBlock = in_array($node->nodeName, $this->_blocks);
+				} else {
+					$isBlock = false;
 				}
-				$isBlock = ($isElement && in_array($elName, $this->_blocks));
 
 				if ($alterInline) {
-					$isInline = $isElement && ! $isBlock;
 					$isText = ($node->nodeType === XML_TEXT_NODE);
 					$isLastInline = (! $node->nextSibling
 								   || ($node->nextSibling->nodeType === XML_ELEMENT_NODE
diff --git a/engine/classes/ElggData.php b/engine/classes/ElggData.php
index a0df3c924..426248ca3 100644
--- a/engine/classes/ElggData.php
+++ b/engine/classes/ElggData.php
@@ -273,6 +273,7 @@ abstract class ElggData implements
 		if (array_key_exists($key, $this->attributes)) {
 			return $this->attributes[$key];
 		}
+		return null;
 	}
 
 	/**
diff --git a/engine/classes/ElggDiskFilestore.php b/engine/classes/ElggDiskFilestore.php
index 5483eed81..2d86e7c2d 100644
--- a/engine/classes/ElggDiskFilestore.php
+++ b/engine/classes/ElggDiskFilestore.php
@@ -316,8 +316,6 @@ class ElggDiskFilestore extends ElggFilestore {
 		} else {
 			return str_split($string);
 		}
-
-		return false;
 	}
 
 	/**
diff --git a/engine/classes/ElggFile.php b/engine/classes/ElggFile.php
index 86406d108..3f652ff19 100644
--- a/engine/classes/ElggFile.php
+++ b/engine/classes/ElggFile.php
@@ -127,9 +127,11 @@ class ElggFile extends ElggObject {
 	 * @param mixed $default A default. Useful to pass what the browser thinks it is.
 	 * @since 1.7.12
 	 *
+	 * @note If $file is provided, this may be called statically
+	 *
 	 * @return mixed Detected type on success, false on failure.
 	 */
-	static function detectMimeType($file = null, $default = null) {
+	public function detectMimeType($file = null, $default = null) {
 		if (!$file) {
 			if (isset($this) && $this->filename) {
 				$file = $this->filename;
diff --git a/engine/classes/ElggGroup.php b/engine/classes/ElggGroup.php
index d17fa4f1a..24bdee79e 100644
--- a/engine/classes/ElggGroup.php
+++ b/engine/classes/ElggGroup.php
@@ -284,7 +284,7 @@ class ElggGroup extends ElggEntity
 	 *
 	 * @return bool
 	 */
-	public function isMember($user = 0) {
+	public function isMember($user = null) {
 		if (!($user instanceof ElggUser)) {
 			$user = elgg_get_logged_in_user_entity();
 		}
diff --git a/engine/classes/ElggMenuBuilder.php b/engine/classes/ElggMenuBuilder.php
index 2fd5ad9c4..028eef15f 100644
--- a/engine/classes/ElggMenuBuilder.php
+++ b/engine/classes/ElggMenuBuilder.php
@@ -122,6 +122,7 @@ class ElggMenuBuilder {
 			// attach children to parents
 			$iteration = 0;
 			$current_gen = $parents;
+			$next_gen = null;
 			while (count($children) && $iteration < 5) {
 				foreach ($children as $index => $menu_item) {
 					$parent_name = $menu_item->getParentName();
diff --git a/engine/classes/ElggRelationship.php b/engine/classes/ElggRelationship.php
index 377a41093..d2e88882a 100644
--- a/engine/classes/ElggRelationship.php
+++ b/engine/classes/ElggRelationship.php
@@ -180,6 +180,8 @@ class ElggRelationship extends ElggData implements
 				return true;
 			}
 		}
+
+		return false;
 	}
 
 	// SYSTEM LOG INTERFACE ////////////////////////////////////////////////////////////
diff --git a/engine/lib/admin.php b/engine/lib/admin.php
index 3677a3b69..ec19a5476 100644
--- a/engine/lib/admin.php
+++ b/engine/lib/admin.php
@@ -346,7 +346,7 @@ function elgg_admin_add_plugin_settings_menu() {
 	$active_plugins = elgg_get_plugins('active');
 	if (!$active_plugins) {
 		// nothing added because no items
-		return FALSE;
+		return;
 	}
 
 	foreach ($active_plugins as $plugin) {
diff --git a/engine/lib/annotations.php b/engine/lib/annotations.php
index 9ba0491b2..3d94a1d55 100644
--- a/engine/lib/annotations.php
+++ b/engine/lib/annotations.php
@@ -542,6 +542,7 @@ function elgg_comment_url_handler(ElggAnnotation $comment) {
 	if ($entity) {
 		return $entity->getURL() . '#item-annotation-' . $comment->id;
 	}
+	return "";
 }
 
 /**
diff --git a/engine/lib/cache.php b/engine/lib/cache.php
index 5c917bb18..74644019c 100644
--- a/engine/lib/cache.php
+++ b/engine/lib/cache.php
@@ -125,7 +125,7 @@ function elgg_get_filepath_cache() {
  * @access private
  */
 function elgg_filepath_cache_reset() {
-	return elgg_reset_system_cache();
+	elgg_reset_system_cache();
 }
 /**
  * @access private
@@ -143,13 +143,13 @@ function elgg_filepath_cache_load($type) {
  * @access private
  */
 function elgg_enable_filepath_cache() {
-	return elgg_enable_system_cache();
+	elgg_enable_system_cache();
 }
 /**
  * @access private
  */
 function elgg_disable_filepath_cache() {
-	return elgg_disable_system_cache();
+	elgg_disable_system_cache();
 }
 
 /* Simplecache */
diff --git a/engine/lib/configuration.php b/engine/lib/configuration.php
index 851430127..a0f297f0c 100644
--- a/engine/lib/configuration.php
+++ b/engine/lib/configuration.php
@@ -182,7 +182,7 @@ function verify_installation() {
 	global $CONFIG;
 
 	if (isset($CONFIG->installed)) {
-		return $CONFIG->installed;
+		return;
 	}
 
 	try {
diff --git a/engine/lib/cron.php b/engine/lib/cron.php
index f2939bdd6..dd83a9849 100644
--- a/engine/lib/cron.php
+++ b/engine/lib/cron.php
@@ -52,7 +52,6 @@ function cron_page_handler($page) {
 	$params['time'] = time();
 
 	// Data to return to
-	$std_out = "";
 	$old_stdout = "";
 	ob_start();
 
diff --git a/engine/lib/elgglib.php b/engine/lib/elgglib.php
index 746fd8aa9..6a2ebf97b 100644
--- a/engine/lib/elgglib.php
+++ b/engine/lib/elgglib.php
@@ -1903,6 +1903,7 @@ function elgg_cacheable_view_page_handler($page, $type) {
 		echo $return;
 		return true;
 	}
+	return false;
 }
 
 /**
diff --git a/engine/lib/export.php b/engine/lib/export.php
index 31afc1b74..1996bc885 100644
--- a/engine/lib/export.php
+++ b/engine/lib/export.php
@@ -117,18 +117,19 @@ function _process_element(ODD $odd) {
 	global $IMPORTED_DATA, $IMPORTED_OBJECT_COUNTER;
 
 	// See if anyone handles this element, return true if it is.
+	$to_be_serialised = null;
 	if ($odd) {
 		$handled = elgg_trigger_plugin_hook("import", "all", array("element" => $odd), $to_be_serialised);
-	}
 
-	// If not, then see if any of its sub elements are handled
-	if ($handled) {
-		// Increment validation counter
-		$IMPORTED_OBJECT_COUNTER ++;
-		// Return the constructed object
-		$IMPORTED_DATA[] = $handled;
+		// If not, then see if any of its sub elements are handled
+		if ($handled) {
+			// Increment validation counter
+			$IMPORTED_OBJECT_COUNTER ++;
+			// Return the constructed object
+			$IMPORTED_DATA[] = $handled;
 
-		return true;
+			return true;
+		}
 	}
 
 	return false;
diff --git a/engine/lib/location.php b/engine/lib/location.php
index 5b889509b..b319bb3bb 100644
--- a/engine/lib/location.php
+++ b/engine/lib/location.php
@@ -101,7 +101,7 @@ function elgg_get_entities_from_location(array $options = array()) {
 	$long_min = $long - $long_distance;
 	$long_max = $long + $long_distance;
 
-	$where = array();
+	$wheres = array();
 	$wheres[] = "lat_name.string='geo:lat'";
 	$wheres[] = "lat_value.string >= $lat_min";
 	$wheres[] = "lat_value.string <= $lat_max";
diff --git a/engine/lib/plugins.php b/engine/lib/plugins.php
index 3a42cb9b8..973ca4026 100644
--- a/engine/lib/plugins.php
+++ b/engine/lib/plugins.php
@@ -261,6 +261,8 @@ function elgg_get_max_plugin_priority() {
 	$data = get_data($q);
 	if ($data) {
 		$max = $data[0]->max;
+	} else {
+		$max = 1;
 	}
 
 	// can't have a priority of 0.
@@ -442,6 +444,7 @@ function elgg_set_plugin_priorities(array $order) {
 	// though we do start with 1
 	$order = array_values($order);
 
+	$missing_plugins = array();
 	foreach ($plugins as $plugin) {
 		$plugin_id = $plugin->getID();
 
@@ -640,19 +643,18 @@ function elgg_get_plugins_provides($type = null, $name = null) {
  * @access private
  */
 function elgg_check_plugins_provides($type, $name, $version = null, $comparison = 'ge') {
-	if (!$provided = elgg_get_plugins_provides($type, $name)) {
+	$provided = elgg_get_plugins_provides($type, $name);
+	if (!$provided) {
 		return array(
 			'status' => false,
 			'version' => ''
 		);
 	}
 
-	if ($provided) {
-		if ($version) {
-			$status = version_compare($provided['version'], $version, $comparison);
-		} else {
-			$status = true;
-		}
+	if ($version) {
+		$status = version_compare($provided['version'], $version, $comparison);
+	} else {
+		$status = true;
 	}
 
 	return array(
diff --git a/engine/lib/relationships.php b/engine/lib/relationships.php
index 74954b4ff..6f18bda93 100644
--- a/engine/lib/relationships.php
+++ b/engine/lib/relationships.php
@@ -571,9 +571,8 @@ function import_relationship_plugin_hook($hook, $entity_type, $returnvalue, $par
 	if ($element instanceof ODDRelationship) {
 		$tmp = new ElggRelationship();
 		$tmp->import($element);
-
-		return $tmp;
 	}
+	return $tmp;
 }
 
 /**
diff --git a/engine/lib/river.php b/engine/lib/river.php
index 148fee051..6274887b5 100644
--- a/engine/lib/river.php
+++ b/engine/lib/river.php
@@ -500,6 +500,7 @@ function elgg_get_river_type_subtype_where_sql($table, $types, $subtypes, $pairs
 		return '';
 	}
 
+	$wheres = array();
 	$types_wheres = array();
 	$subtypes_wheres = array();
 
diff --git a/engine/lib/sessions.php b/engine/lib/sessions.php
index 72ca0a1c2..eb451f05a 100644
--- a/engine/lib/sessions.php
+++ b/engine/lib/sessions.php
@@ -616,7 +616,7 @@ function _elgg_session_destroy($id) {
 		global $sess_save_path;
 
 		$sess_file = "$sess_save_path/sess_$id";
-		return(@unlink($sess_file));
+		return (@unlink($sess_file));
 	}
 
 	return false;
diff --git a/engine/lib/sites.php b/engine/lib/sites.php
index fe9af8c7a..8ee3213d3 100644
--- a/engine/lib/sites.php
+++ b/engine/lib/sites.php
@@ -26,7 +26,7 @@ function elgg_get_site_entity($site_guid = 0) {
 		$site = get_entity($site_guid);
 	}
 	
-	if($site instanceof ElggSite){
+	if ($site instanceof ElggSite) {
 		$result = $site;
 	}
 
diff --git a/engine/lib/statistics.php b/engine/lib/statistics.php
index 5ee640549..0c9a3c945 100644
--- a/engine/lib/statistics.php
+++ b/engine/lib/statistics.php
@@ -101,9 +101,10 @@ function get_online_users() {
 	if ($objects) {
 		return elgg_view_entity_list($objects, array(
 			'count' => $count,
-			'limit' => 10
+			'limit' => 10,
 		));
 	}
+	return '';
 }
 
 /**
diff --git a/engine/lib/system_log.php b/engine/lib/system_log.php
index 8149d3fac..38bc4ba96 100644
--- a/engine/lib/system_log.php
+++ b/engine/lib/system_log.php
@@ -25,9 +25,9 @@
  * @param string    $ip_address The IP address.
  * @return mixed
  */
-function get_system_log($by_user = "", $event = "", $class = "", $type = "", $subtype = "",
-$limit = 10, $offset = 0, $count = false, $timebefore = 0, $timeafter = 0, $object_id = 0,
-$ip_address = false) {
+function get_system_log($by_user = "", $event = "", $class = "", $type = "", $subtype = "", $limit = 10,
+						$offset = 0, $count = false, $timebefore = 0, $timeafter = 0, $object_id = 0,
+						$ip_address = "") {
 
 	global $CONFIG;
 
diff --git a/engine/lib/tags.php b/engine/lib/tags.php
index a25bd7d33..586a9b9e4 100644
--- a/engine/lib/tags.php
+++ b/engine/lib/tags.php
@@ -172,6 +172,7 @@ function elgg_get_tags(array $options = array()) {
 	// catch for tags that were spaces
 	$wheres[] = "msv.string != ''";
 
+	$sanitised_tags = array();
 	foreach ($options['tag_names'] as $tag) {
 		$sanitised_tags[] = '"' . sanitise_string($tag) . '"';
 	}
diff --git a/engine/lib/upgrades/create_upgrade.php b/engine/lib/upgrades/create_upgrade.php
index 3652e18a2..f0fa9b594 100644
--- a/engine/lib/upgrades/create_upgrade.php
+++ b/engine/lib/upgrades/create_upgrade.php
@@ -93,7 +93,7 @@ if (!$h) {
 	die("Could not open file $upgrade_file");
 }
 
-if (!fputs($h, $upgrade_code)) {
+if (!fwrite($h, $upgrade_code)) {
 	die("Could not write to $upgrade_file");
 } else {
 	elgg_set_version_dot_php_version($upgrade_version);
@@ -130,6 +130,7 @@ function elgg_set_version_dot_php_version($version) {
 
 	fputs($h, $out);
 	fclose($h);
+	return true;
 }
 
 /**
diff --git a/engine/lib/user_settings.php b/engine/lib/user_settings.php
index e4069fb53..cca5359a4 100644
--- a/engine/lib/user_settings.php
+++ b/engine/lib/user_settings.php
@@ -332,6 +332,7 @@ function usersettings_page_handler($page) {
 		require $path;
 		return true;
 	}
+	return false;
 }
 
 /**
diff --git a/engine/lib/users.php b/engine/lib/users.php
index 22ce08e10..7a6245261 100644
--- a/engine/lib/users.php
+++ b/engine/lib/users.php
@@ -560,7 +560,7 @@ function get_user_by_username($username) {
 
 	// Caching
 	if ((isset($USERNAME_TO_GUID_MAP_CACHE[$username]))
-	&& (retrieve_cached_entity($USERNAME_TO_GUID_MAP_CACHE[$username]))) {
+			&& (retrieve_cached_entity($USERNAME_TO_GUID_MAP_CACHE[$username]))) {
 		return retrieve_cached_entity($USERNAME_TO_GUID_MAP_CACHE[$username]);
 	}
 
@@ -687,15 +687,14 @@ function send_new_password_request($user_guid) {
 		$code = generate_random_cleartext_password();
 		$user->setPrivateSetting('passwd_conf_code', $code);
 
-
 		// generate link
-		$link = $CONFIG->site->url . "resetpassword?u=$user_guid&c=$code";
+		$link = elgg_get_site_url() . "resetpassword?u=$user_guid&c=$code";
 
 		// generate email
 		$email = elgg_echo('email:resetreq:body', array($user->name, $_SERVER['REMOTE_ADDR'], $link));
 
-		return notify_user($user->guid, $CONFIG->site->guid,
-			elgg_echo('email:resetreq:subject'), $email, NULL, 'email');
+		return notify_user($user->guid, elgg_get_site_entity()->guid,
+			elgg_echo('email:resetreq:subject'), $email, array(), 'email');
 	}
 
 	return false;
@@ -760,7 +759,7 @@ function execute_new_password_request($user_guid, $conf_code) {
 				$email = elgg_echo('email:resetpassword:body', array($user->name, $password));
 
 				return notify_user($user->guid, $CONFIG->site->guid,
-					elgg_echo('email:resetpassword:subject'), $email, NULL, 'email');
+					elgg_echo('email:resetpassword:subject'), $email, array(), 'email');
 			}
 		}
 	}
@@ -1036,7 +1035,7 @@ function elgg_get_user_validation_status($user_guid) {
 		'metadata_name' => 'validated'
 	));
 	if ($md == false) {
-		return;
+		return null;
 	}
 
 	if ($md[0]->value) {
@@ -1208,7 +1207,8 @@ function set_last_login($user_guid) {
 function user_create_hook_add_site_relationship($event, $object_type, $object) {
 	global $CONFIG;
 
-	add_entity_relationship($object->getGUID(), 'member_of_site', $CONFIG->site->getGUID());
+	add_entity_relationship($object->getGUID(), 'member_of_site', elgg_get_site_entity()->guid);
+	return true;
 }
 
 /**
diff --git a/engine/lib/views.php b/engine/lib/views.php
index 9ee7ae00c..7d8347863 100644
--- a/engine/lib/views.php
+++ b/engine/lib/views.php
@@ -1451,17 +1451,13 @@ function elgg_get_views($dir, $base) {
  */
 function elgg_view_tree($view_root, $viewtype = "") {
 	global $CONFIG;
-	static $treecache;
+	static $treecache = array();
 
 	// Get viewtype
 	if (!$viewtype) {
 		$viewtype = elgg_get_viewtype();
 	}
 
-	// Has the treecache been initialised?
-	if (!isset($treecache)) {
-		$treecache = array();
-	}
 	// A little light internal caching
 	if (!empty($treecache[$view_root])) {
 		return $treecache[$view_root];
-- 
cgit v1.2.3


From 459e8d04b88b8bf7914105b1723624d23a5b3669 Mon Sep 17 00:00:00 2001
From: cash <cash.costello@gmail.com>
Date: Thu, 2 May 2013 19:56:52 -0400
Subject: Fixes #5405 fixes fatal error

---
 engine/lib/admin.php | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

(limited to 'engine/lib/admin.php')

diff --git a/engine/lib/admin.php b/engine/lib/admin.php
index ec19a5476..243cdef46 100644
--- a/engine/lib/admin.php
+++ b/engine/lib/admin.php
@@ -468,14 +468,18 @@ function admin_page_handler($page) {
 	$vars = array('page' => $page);
 
 	// special page for plugin settings since we create the form for them
-	if ($page[0] == 'plugin_settings' && isset($page[1]) &&
-		(elgg_view_exists("settings/{$page[1]}/edit") || elgg_view_exists("plugins/{$page[1]}/settings"))) {
+	if ($page[0] == 'plugin_settings') {
+		if (isset($page[1]) && (elgg_view_exists("settings/{$page[1]}/edit") || 
+			elgg_view_exists("plugins/{$page[1]}/settings"))) {
 
-		$view = 'admin/plugin_settings';
-		$plugin = elgg_get_plugin_from_id($page[1]);
-		$vars['plugin'] = $plugin;
+			$view = 'admin/plugin_settings';
+			$plugin = elgg_get_plugin_from_id($page[1]);
+			$vars['plugin'] = $plugin;
 
-		$title = elgg_echo("admin:{$page[0]}");
+			$title = elgg_echo("admin:{$page[0]}");
+		} else {
+			forward('', '404');
+		}
 	} else {
 		$view = 'admin/' . implode('/', $page);
 		$title = elgg_echo("admin:{$page[0]}");
-- 
cgit v1.2.3


From e630f8ceb980ab40fbab57145eae68f592034266 Mon Sep 17 00:00:00 2001
From: cash <cash.costello@gmail.com>
Date: Tue, 28 May 2013 18:17:36 -0400
Subject: Fixes #5337 properly checking if admin notice exists

---
 engine/lib/admin.php | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(limited to 'engine/lib/admin.php')

diff --git a/engine/lib/admin.php b/engine/lib/admin.php
index 243cdef46..7f82108c0 100644
--- a/engine/lib/admin.php
+++ b/engine/lib/admin.php
@@ -134,11 +134,11 @@ function elgg_delete_admin_notice($id) {
 }
 
 /**
- * List all admin messages.
+ * Get admin notices. An admin must be logged in since the notices are private.
  *
  * @param int $limit Limit
  *
- * @return array List of admin notices
+ * @return array Array of admin notices
  * @since 1.8.0
  */
 function elgg_get_admin_notices($limit = 10) {
@@ -158,11 +158,13 @@ function elgg_get_admin_notices($limit = 10) {
  * @since 1.8.0
  */
 function elgg_admin_notice_exists($id) {
+	$old_ia = elgg_set_ignore_access(true);
 	$notice = elgg_get_entities_from_metadata(array(
 		'type' => 'object',
 		'subtype' => 'admin_notice',
 		'metadata_name_value_pair' => array('name' => 'admin_notice_id', 'value' => $id)
 	));
+	elgg_set_ignore_access($old_ia);
 
 	return ($notice) ? TRUE : FALSE;
 }
-- 
cgit v1.2.3


From e98f933857548be9cd078416a93011ea9c2f3e3a Mon Sep 17 00:00:00 2001
From: Steve Clay <steve@mrclay.org>
Date: Mon, 10 Jun 2013 23:16:45 -0400
Subject: Allow regenerating site secret

---
 actions/admin/site/regenerate_secret.php           |  11 ++
 engine/classes/ElggCrypto.php                      | 134 +++++++++++++++++++++
 engine/lib/actions.php                             |  27 ++++-
 engine/lib/admin.php                               |   2 +
 ...3060900-1.8.15-site_secret-404fc165cf9e0ac9.php |  13 ++
 languages/en.php                                   |  18 ++-
 .../admin/settings/advanced/site_secret.php        |  11 ++
 views/default/css/admin.php                        |  20 +++
 .../default/forms/admin/site/regenerate_secret.php |  24 ++++
 9 files changed, 257 insertions(+), 3 deletions(-)
 create mode 100644 actions/admin/site/regenerate_secret.php
 create mode 100644 engine/classes/ElggCrypto.php
 create mode 100644 engine/lib/upgrades/2013060900-1.8.15-site_secret-404fc165cf9e0ac9.php
 create mode 100644 views/default/admin/settings/advanced/site_secret.php
 create mode 100644 views/default/forms/admin/site/regenerate_secret.php

(limited to 'engine/lib/admin.php')

diff --git a/actions/admin/site/regenerate_secret.php b/actions/admin/site/regenerate_secret.php
new file mode 100644
index 000000000..3112fb5f3
--- /dev/null
+++ b/actions/admin/site/regenerate_secret.php
@@ -0,0 +1,11 @@
+<?php
+/**
+ * Generate a new site secret
+ */
+
+init_site_secret();
+elgg_reset_system_cache();
+
+system_message(elgg_echo('admin:site:secret_regenerated'));
+
+forward(REFERER);
diff --git a/engine/classes/ElggCrypto.php b/engine/classes/ElggCrypto.php
new file mode 100644
index 000000000..364af4542
--- /dev/null
+++ b/engine/classes/ElggCrypto.php
@@ -0,0 +1,134 @@
+<?php
+/**
+ * ElggCrypto
+ *
+ * @package    Elgg.Core
+ * @subpackage Crypto
+ *
+ * @access private
+ */
+class ElggCrypto {
+
+	/**
+	 * Character set for temp passwords (no risk of embedded profanity/glyphs that look similar)
+	 */
+	const CHARS_PASSWORD = 'bcdfghjklmnpqrstvwxyz2346789';
+
+	/**
+	 * Returns a string of highly randomized bytes (over the full 8-bit range).
+	 *
+	 * This function is better than simply calling mt_rand() or any other built-in
+	 * PHP function because it can return a long string of bytes (compared to < 4
+	 * bytes normally from mt_rand()) and uses the best available pseudo-random
+	 * source.
+	 *
+	 * @param int $count The number of characters (bytes) to return in the string.
+	 * @return string
+	 *
+	 * @copyright Copyright 2001 - 2012 by the original authors
+	 *            https://github.com/drupal/drupal/blob/7.x/COPYRIGHT.txt
+	 * @license   https://github.com/drupal/drupal/blob/7.x/LICENSE.txt GPL 2
+	 *
+	 * @see https://github.com/drupal/drupal/blob/7.x/includes/bootstrap.inc#L1942
+	 */
+	public static function getRandomBytes($count)  {
+		// $random_state does not use drupal_static as it stores random bytes.
+		static $random_state, $bytes, $php_compatible;
+		// Initialize on the first call. The contents of $_SERVER includes a mix of
+		// user-specific and system information that varies a little with each page.
+		if (!isset($random_state)) {
+			$random_state = print_r($_SERVER, true);
+			if (function_exists('getmypid')) {
+				// Further initialize with the somewhat random PHP process ID.
+				$random_state .= getmypid();
+			}
+			$bytes = '';
+		}
+		if (strlen($bytes) < $count) {
+			// PHP versions prior 5.3.4 experienced openssl_random_pseudo_bytes()
+			// locking on Windows and rendered it unusable.
+			if (!isset($php_compatible)) {
+				$php_compatible = version_compare(PHP_VERSION, '5.3.4', '>=');
+			}
+			// /dev/urandom is available on many *nix systems and is considered the
+			// best commonly available pseudo-random source.
+			if ($fh = @fopen('/dev/urandom', 'rb')) {
+				// PHP only performs buffered reads, so in reality it will always read
+				// at least 4096 bytes. Thus, it costs nothing extra to read and store
+				// that much so as to speed any additional invocations.
+				$bytes .= fread($fh, max(4096, $count));
+				fclose($fh);
+			} elseif ($php_compatible && function_exists('openssl_random_pseudo_bytes')) {
+				// openssl_random_pseudo_bytes() will find entropy in a system-dependent
+				// way.
+				$bytes .= openssl_random_pseudo_bytes($count - strlen($bytes));
+			}
+			// If /dev/urandom is not available or returns no bytes, this loop will
+			// generate a good set of pseudo-random bytes on any system.
+			// Note that it may be important that our $random_state is passed
+			// through hash() prior to being rolled into $output, that the two hash()
+			// invocations are different, and that the extra input into the first one -
+			// the microtime() - is prepended rather than appended. This is to avoid
+			// directly leaking $random_state via the $output stream, which could
+			// allow for trivial prediction of further "random" numbers.
+			while (strlen($bytes) < $count) {
+				$random_state = hash('sha256', microtime() . mt_rand() . $random_state);
+				$bytes .= hash('sha256', mt_rand() . $random_state, true);
+			}
+		}
+		$output = substr($bytes, 0, $count);
+		$bytes = substr($bytes, $count);
+		return $output;
+	}
+
+	/**
+	 * Generate a random string of specified length.
+	 *
+	 * Uses supplied character list for generating the new string.
+	 * If no character list provided - uses Base64 URL character set.
+	 *
+	 * @param  int         $length Desired length of the string
+	 * @param  string|null $chars  Characters to be chosen from randomly. If not given, the Base64 URL
+	 *                             charset will be used.
+	 *
+	 * @return string The random string
+	 *
+	 * @throws InvalidArgumentException
+	 *
+	 * @copyright Copyright (c) 2005-2013 Zend Technologies USA Inc. (http://www.zend.com)
+	 * @license   http://framework.zend.com/license/new-bsd New BSD License
+	 *
+	 * @see https://github.com/zendframework/zf2/blob/master/library/Zend/Math/Rand.php#L179
+	 */
+	public static function getRandomString($length, $chars = null)
+	{
+		if ($length < 1) {
+			throw new InvalidArgumentException('Length should be >= 1');
+		}
+
+		if (empty($chars)) {
+			$numBytes = ceil($length * 0.75);
+			$bytes    = self::getRandomBytes($numBytes);
+			$string = substr(rtrim(base64_encode($bytes), '='), 0, $length);
+
+			// Base64 URL
+			return strtr($string, '+/', '-_');
+		}
+
+		$listLen = strlen($chars);
+
+		if ($listLen == 1) {
+			return str_repeat($chars, $length);
+		}
+
+		$bytes  = self::getRandomBytes($length);
+		$pos    = 0;
+		$result = '';
+		for ($i = 0; $i < $length; $i++) {
+			$pos     = ($pos + ord($bytes[$i])) % $listLen;
+			$result .= $chars[$pos];
+		}
+
+		return $result;
+	}
+}
diff --git a/engine/lib/actions.php b/engine/lib/actions.php
index 56936f582..8047914ac 100644
--- a/engine/lib/actions.php
+++ b/engine/lib/actions.php
@@ -364,16 +364,19 @@ function generate_action_token($timestamp) {
 }
 
 /**
- * Initialise the site secret hash.
+ * Initialise the site secret (32 bytes: "z" to indicate format + 186-bit key in Base64 URL).
  *
  * Used during installation and saves as a datalist.
  *
+ * Note: Old secrets were hex encoded.
+ *
  * @return mixed The site secret hash or false
  * @access private
  * @todo Move to better file.
  */
 function init_site_secret() {
-	$secret = md5(rand() . microtime());
+	$secret = 'z' . ElggCrypto::getRandomString(31);
+
 	if (datalist_set('__site_secret__', $secret)) {
 		return $secret;
 	}
@@ -399,6 +402,26 @@ function get_site_secret() {
 	return $secret;
 }
 
+/**
+ * Get the strength of the site secret
+ *
+ * @return string "strong", "moderate", or "weak"
+ * @access private
+ */
+function _elgg_get_site_secret_strength() {
+	$secret = get_site_secret();
+	if ($secret[0] !== 'z') {
+		$rand_max = getrandmax();
+		if ($rand_max < pow(2, 16)) {
+			return 'weak';
+		}
+		if ($rand_max < pow(2, 32)) {
+			return 'moderate';
+		}
+	}
+	return 'strong';
+}
+
 /**
  * Check if an action is registered and its script exists.
  *
diff --git a/engine/lib/admin.php b/engine/lib/admin.php
index 7f82108c0..f36f29668 100644
--- a/engine/lib/admin.php
+++ b/engine/lib/admin.php
@@ -236,6 +236,7 @@ function admin_init() {
 	elgg_register_action('admin/site/update_advanced', '', 'admin');
 	elgg_register_action('admin/site/flush_cache', '', 'admin');
 	elgg_register_action('admin/site/unlock_upgrade', '', 'admin');
+	elgg_register_action('admin/site/regenerate_secret', '', 'admin');
 
 	elgg_register_action('admin/menu/save', '', 'admin');
 
@@ -291,6 +292,7 @@ function admin_init() {
 	elgg_register_admin_menu_item('configure', 'settings', null, 100);
 	elgg_register_admin_menu_item('configure', 'basic', 'settings', 10);
 	elgg_register_admin_menu_item('configure', 'advanced', 'settings', 20);
+	elgg_register_admin_menu_item('configure', 'advanced/site_secret', 'settings', 25);
 	elgg_register_admin_menu_item('configure', 'menu_items', 'appearance', 30);
 	elgg_register_admin_menu_item('configure', 'profile_fields', 'appearance', 40);
 	// default widgets is added via an event handler elgg_default_widgets_init() in widgets.php
diff --git a/engine/lib/upgrades/2013060900-1.8.15-site_secret-404fc165cf9e0ac9.php b/engine/lib/upgrades/2013060900-1.8.15-site_secret-404fc165cf9e0ac9.php
new file mode 100644
index 000000000..b5b614762
--- /dev/null
+++ b/engine/lib/upgrades/2013060900-1.8.15-site_secret-404fc165cf9e0ac9.php
@@ -0,0 +1,13 @@
+<?php
+/**
+ * Elgg 1.8.15 upgrade 2013060900
+ * site_secret
+ *
+ * Description
+ */
+
+$strength = _elgg_get_site_secret_strength();
+
+if ($strength !== 'strong') {
+	elgg_add_admin_notice('weak_site_key', elgg_echo("upgrade:site_secret_warning:$strength"));
+}
diff --git a/languages/en.php b/languages/en.php
index ad4831db7..4eed63d4c 100644
--- a/languages/en.php
+++ b/languages/en.php
@@ -597,10 +597,24 @@ $english = array(
 	'admin:settings' => 'Settings',
 	'admin:settings:basic' => 'Basic Settings',
 	'admin:settings:advanced' => 'Advanced Settings',
+	'admin:settings:advanced/site_secret' => 'Site Secret',
 	'admin:site:description' => "This admin panel allows you to control global settings for your site. Choose an option below to get started.",
+	'admin:settings:advanced:site_secret' => 'Site Secret',
 	'admin:site:opt:linktext' => "Configure site...",
 	'admin:site:access:warning' => "Changing the access setting only affects the permissions on content created in the future.",
 
+	'admin:site:secret:intro' => 'Elgg uses a key to create security tokens for various purposes.',
+	'admin:site:secret_regenerated' => "Your site secret has been regenerated.",
+	'admin:site:secret:regenerate' => "Regenerate site secret",
+	'admin:site:secret:regenerate:help' => "Note: This may inconvenience some users by invalidating tokens used in \"remember me\" cookies, e-mail validation requests, invitation codes, etc.",
+	'site_secret:current_strength' => 'Key Strength',
+	'site_secret:strength:weak' => "Weak",
+	'site_secret:strength_msg:weak' => "We strongly recommend that you regenerate your site secret.",
+	'site_secret:strength:moderate' => "Moderate",
+	'site_secret:strength_msg:moderate' => "We recommend you regenerate your site secret for the best site security.",
+	'site_secret:strength:strong' => "Strong",
+	'site_secret:strength_msg:strong' => "&#x2713; Your site secret is sufficiently strong.",
+
 	'admin:dashboard' => 'Dashboard',
 	'admin:widget:online_users' => 'Online users',
 	'admin:widget:online_users:help' => 'Lists the users currently on the site',
@@ -1064,7 +1078,7 @@ Once you have logged in, we highly recommend that you change your password.
 	'upgrade:unlock' => 'Unlock upgrade',
 	'upgrade:unlock:confirm' => "The database is locked for another upgrade. Running concurrent upgrades is dangerous. You should only continue if you know there is not another upgrade running. Unlock?",
 	'upgrade:locked' => "Cannot upgrade. Another upgrade is running. To clear the upgrade lock, visit the Admin section.",
-	'upgrade:unlock:success' => "Upgrade unlocked suscessfully.",
+	'upgrade:unlock:success' => "Upgrade unlocked successfully.",
 	'upgrade:unable_to_upgrade' => 'Unable to upgrade.',
 	'upgrade:unable_to_upgrade_info' =>
 		'This installation cannot be upgraded because legacy views
@@ -1079,6 +1093,8 @@ Once you have logged in, we highly recommend that you change your password.
 
 	'update:twitter_api:deactivated' => 'Twitter API (previously Twitter Service) was deactivated during the upgrade. Please activate it manually if required.',
 	'update:oauth_api:deactivated' => 'OAuth API (previously OAuth Lib) was deactivated during the upgrade.  Please activate it manually if required.',
+	'upgrade:site_secret_warning:moderate' => "You are encouraged to regenerate your site key to improve system security. See Configure &gt; Site Secret",
+	'upgrade:site_secret_warning:weak' => "You are strongly encouraged to regenerate your site key to improve system security. See Configure &gt; Site Secret",
 
 	'deprecated:function' => '%s() was deprecated by %s()',
 
diff --git a/views/default/admin/settings/advanced/site_secret.php b/views/default/admin/settings/advanced/site_secret.php
new file mode 100644
index 000000000..e70ac7ab6
--- /dev/null
+++ b/views/default/admin/settings/advanced/site_secret.php
@@ -0,0 +1,11 @@
+<?php
+/**
+ * Elgg administration site secret settings
+ *
+ * @package Elgg
+ * @subpackage Core
+ */
+
+echo elgg_view_form('admin/site/regenerate_secret', array(), array(
+	'strength' => _elgg_get_site_secret_strength(),
+));
diff --git a/views/default/css/admin.php b/views/default/css/admin.php
index 3896ded5d..c435621b2 100644
--- a/views/default/css/admin.php
+++ b/views/default/css/admin.php
@@ -1543,6 +1543,26 @@ table.mceLayout {
 	margin: 0 0 1em 2em;
 }
 
+/* ***************************************
+    SITE SECRET
+*************************************** */
+.elgg-form-admin-site-regenerate-secret table {
+	width: 60%;
+	margin: 1em auto;
+}
+td.elgg-strength-strong,
+td.elgg-strength-strong h4 {
+	background: #DFF0D8; color: #468847;
+}
+td.elgg-strength-moderate,
+td.elgg-strength-moderate h4 {
+	background: #FCF8E3; color: #C09853;
+}
+td.elgg-strength-weak,
+td.elgg-strength-weak h4 {
+	background: #F2DEDE; color: #B94A48;
+}
+
 /* ***************************************
 	HELPERS
 *************************************** */
diff --git a/views/default/forms/admin/site/regenerate_secret.php b/views/default/forms/admin/site/regenerate_secret.php
new file mode 100644
index 000000000..af269b801
--- /dev/null
+++ b/views/default/forms/admin/site/regenerate_secret.php
@@ -0,0 +1,24 @@
+<?php
+
+$strength = $vars['strength'];
+
+?>
+<p><?php echo elgg_echo('admin:site:secret:intro'); ?></p>
+
+<table class="elgg-table">
+	<tr>
+		<th><?php echo elgg_echo('site_secret:current_strength'); ?></th>
+		<td class="elgg-strength-<?php echo $strength; ?>">
+			<h4><?php echo elgg_echo("site_secret:strength:$strength"); ?></h4>
+			<div><?php echo elgg_echo("site_secret:strength_msg:$strength"); ?></div>
+		</td>
+	</tr>
+</table>
+
+<div class="elgg-foot">
+	<?php echo elgg_view('input/submit', array(
+			'value' => elgg_echo('admin:site:secret:regenerate'),
+			'class' => 'elgg-requires-confirmation elgg-button elgg-button-submit',
+		)); ?>
+	<p class="elgg-text-help mts"><?php echo elgg_echo('admin:site:secret:regenerate:help'); ?></p>
+</div>
-- 
cgit v1.2.3