1 bootstrap.inc backdrop_settings_initialize()

Sets the base URL, cookie domain, and session name from configuration.

File

core/includes/bootstrap.inc, line 820
Functions that need to be loaded on every Backdrop request.

Code

function backdrop_settings_initialize() {
  global $base_url, $base_path, $base_root;

  // Export these settings.php variables to the global namespace.
  global $databases, $cookie_domain, $conf, $settings, $installed_profile, $is_https, $base_secure_url, $base_insecure_url, $config_directories;
  $conf = array();
  $settings = array();

  $conf_path = conf_path();
  if (file_exists($conf_path . '/settings.php')) {
    require_once $conf_path . '/settings.php';
  }
  if (!empty($settings['backdrop_drupal_compatibility'])) {
    require_once BACKDROP_ROOT . '/core/includes/drupal.inc';
  }

  // Convert simplified database settings into the full databases array.
  if (!empty($database) && $database !== 'mysql://user:pass@localhost/database_name') {
    $database_parts = parse_url($database);
    if (!$database_parts) {
      trigger_error('The database setting could not be parsed. Please check the $database setting in settings.php.', E_USER_ERROR);
    }
    $databases['default']['default'] = array(
      'driver' => $database_parts['scheme'],
      'database' => rawurldecode(substr($database_parts['path'], 1)), // Remove leading slash.
      'username' => isset($database_parts['user']) ? rawurldecode($database_parts['user']) : '',
      'password' => isset($database_parts['pass']) ? rawurldecode($database_parts['pass']) : '',
      'host' => $database_parts['host'],
      'port' => isset($database_parts['port']) ? $database_parts['port'] : NULL,
      'prefix' => !empty($database_prefix) ? $database_prefix : '',
    );
    $required_parts = array('driver', 'database', 'username', 'host');
    foreach ($required_parts as $key) {
      if (!$databases['default']['default'][$key]) {
        $missing_field = ($key == 'database') ? 'name' : $key;
        trigger_error('Could not find a value for the database "' . $missing_field . '" setting. Please check the $database setting in settings.php.', E_USER_ERROR);
      }
    }
  }

  $is_https = backdrop_is_https();

  // Load settings specified by the server, if present
  if (isset($_SERVER['BACKDROP_SETTINGS'])) {
    $server_settings = @json_decode($_SERVER['BACKDROP_SETTINGS'], TRUE);
    if (!is_array($server_settings)) {
      trigger_error('The values in $_SERVER[BACKDROP_SETTINGS] could not be read. Ensure it is a valid JSON string with no spaces.', E_USER_ERROR);
    }
    else {
      foreach ($server_settings as $key => $value) {
        // One level of depth should be enough for $settings and $databases.
        if ($key == 'settings') {
          foreach ($value as $settings_key => $settings_value) {
            $settings[$settings_key] = $settings_value;
          }
        }
        elseif ($key == 'databases') {
          // Protect default configuration but allow the specification of
          // additional databases.
          if (!isset($databases) || !is_array($databases)) {
            $databases = array();
          }
          $databases = array_replace_recursive($databases, $value);
        }
        else {
          $$key = $value;
        }
      }
    }
  }

  // Pull in the database charset option if specified. This removes the need
  // to use the long-form array and allows enabling ut8mb4 support even if the
  // server provided options via $_SERVER['BACKDROP_SETTINGS'].
  if (isset($database_charset) && isset($databases['default']['default']) && !isset($databases['default']['default']['charset'])) {
    $databases['default']['default']['charset'] = $database_charset;
  }

  if (isset($base_url)) {
    // Parse fixed base URL from settings.php.
    $parts = parse_url($base_url);
    if (!isset($parts['path'])) {
      $parts['path'] = '';
    }
    $base_path = $parts['path'] . '/';
    // Build $base_root (everything until first slash after "scheme://").
    $base_root = substr($base_url, 0, strlen($base_url) - strlen($parts['path']));
  }
  else {
    // Create base URL.
    $http_protocol = $is_https ? 'https' : 'http';
    $base_root = $http_protocol . '://' . $_SERVER['HTTP_HOST'];

    $base_url = $base_root;

    // $_SERVER['SCRIPT_NAME'] can, in contrast to $_SERVER['PHP_SELF'], not
    // be modified by a visitor.
    if ($dir = rtrim(dirname($_SERVER['SCRIPT_NAME']), '\/')) {
      // Remove "core" directory if present, allowing install.php, update.php,
      // cron.php and others to auto-detect a base path.
      $core_position = strrpos($dir, '/core');
      if ($core_position !== FALSE && strlen($dir) - 5 == $core_position) {
        $base_path = substr($dir, 0, $core_position);
      }
      else {
        $base_path = $dir;
      }
      $base_url .= $base_path;
      $base_path .= '/';
    }
    else {
      $base_path = '/';
    }
  }
  $base_secure_url = str_replace('http://', 'https://', $base_url);
  $base_insecure_url = str_replace('https://', 'http://', $base_url);

  if ($cookie_domain) {
    // If the user specifies the cookie domain, also use it for session name.
    $session_name = $cookie_domain;
  }
  else {
    // Otherwise use $base_url as session name, without the protocol
    // to use the same session identifiers across HTTP and HTTPS.
    list(, $session_name) = explode('://', $base_url, 2);
    // HTTP_HOST can be modified by a visitor, but we already sanitized it
    // in backdrop_settings_initialize().
    if (!empty($_SERVER['HTTP_HOST'])) {
      $cookie_domain = $_SERVER['HTTP_HOST'];
      // Strip leading periods, www., and port numbers from cookie domain.
      $cookie_domain = ltrim($cookie_domain, '.');
      if (strpos($cookie_domain, 'www.') === 0) {
        $cookie_domain = substr($cookie_domain, 4);
      }
      $cookie_domain = explode(':', $cookie_domain);
      $cookie_domain = '.' . $cookie_domain[0];
    }
  }
  // Per RFC 2109, cookie domains must contain at least one dot other than the
  // first. For hosts such as 'localhost' or IP Addresses we don't set a cookie domain.
  if (count(explode('.', $cookie_domain)) > 2 && !is_numeric(str_replace('.', '', $cookie_domain))) {
    ini_set('session.cookie_domain', $cookie_domain);
  }
  // To prevent session cookies from being hijacked, a user can configure the
  // SSL version of their website to only transfer session cookies via SSL by
  // using PHP's session.cookie_secure setting. The browser will then use two
  // separate session cookies for the HTTPS and HTTP versions of the site. So we
  // must use different session identifiers for HTTPS and HTTP to prevent a
  // cookie collision.
  if ($is_https) {
    ini_set('session.cookie_secure', TRUE);
  }
  $prefix = ini_get('session.cookie_secure') ? 'SSESS' : 'SESS';
  session_name($prefix . substr(hash('sha256', $session_name), 0, 32));
}