Security Fix

.htaccess

@@ -1,8 +1,8 @@
 <IfModule mod_rewrite.c>
-RewriteEngine On
-RewriteCond %{REQUEST_FILENAME} !-f
-RewriteCond %{REQUEST_FILENAME} !-d 
-RewriteRule . index.php [L]
+    RewriteEngine On
+    RewriteCond %{REQUEST_FILENAME} !-f
+    RewriteCond %{REQUEST_FILENAME} !-d 
+    RewriteRule . index.php [L]
 </IfModule>
 
 # Prevent file browsing

README.md

@@ -1,27 +1,31 @@
 #PIP
 
-PIP is a tiny application framework built for people who use a LAMP stack. PIP aims to be as simple as possible to set up and use.
+PIP is a tiny application framework built for people who use a LAMP stack. PIP aims to be as simple as possible to setup and use. 
+
+This is Dushan's fork which features:
+
+* Security fix for a Local File Inclusion (credit LB)
+* Removal of redundant/legacy code
+* Cleanup of directory structure
+* Upgraded database handling (using PDO)
+* Various minor upgrades
 
 Visit [http://gilbitron.github.com/PIP](http://gilbitron.github.com/PIP/) for more information and documentation.
 
 ## Requirements
 
-* PHP 5.1 or greater
-* MySQL 4.1.2 or greater
-* The mod_rewrite Apache module
+* A recent version of PHP (with PDO support)
+* A recent version of MySQL or MariaDB
+* A recent version of Apache with mod_rewrite and htaccess enabled (or another compatible web server such as Nginx)
 
 ## Installation
 
-* Download PIP and extract
-* Navigate to `application/config/config.php` and fill in your `base_url`
-* You are ready to rock! Point your browser to your `base_url` and hopefully see a welcome message.
-
-## Documentation
-
-Visit [http://gilbitron.github.com/PIP](http://gilbitron.github.com/PIP/) to see the documentation.
+* Download PIP and extract to your web root
+* Navigate to `system/` and edit `db.php`, `config.php` and `controllers.php` as needed
+* Point your browser to your `base_url`
 
 ## License
 
 PIP is released under the MIT license.
 
-Want to say thanks? [Consider tipping me](https://www.gittip.com/gilbitron).
+Credit to original author [http://gilbitron.github.com/PIP](http://gilbitron.github.com/PIP/)

application/controllers/error.php

@@ -1,18 +1,11 @@
 <?php
-
-class Error extends Controller {
-
-	function index()
-	{
-		$this->error404();
-	}
-
-	function error404()
-	{
-		echo '<h1>404 Error</h1>';
-		echo '<p>Looks like this page doesn\'t exist</p>';
-	}
-
-}
-
+    class Error extends Controller {
+	    function index() {
+		    $this->errorMsg();
+	    }
+
+        function errorMsg() {
+            echo 'There is an error, that is all we know...';
+        }
+    }
 ?>

application/controllers/main.php

@@ -1,13 +1,10 @@
 <?php
-
-class Main extends Controller {
-
-	function index()
-	{
-		$template = $this->loadView('main_view');
-		$template->render();
-	}
-
-}
-
+    class Main extends Controller {
+        function index() {
+            $data = $this->loadModel('example');
+            $template = $this->loadView('view');
+            $template->set('data', 'Hello World');
+            $template->render();
+        }
+    }
 ?>

application/models/example.php

@@ -0,0 +1,15 @@
+<?php
+    class Example extends Model {
+	    public function addID($id) {
+            try {
+                $sql = 'INSERT INTO id (id) VALUES (:id)';
+                $db = $this->getDB();
+                $stmt = $db->prepare($sql);
+                $stmt->bindParam('id', $id, PDO::PARAM_INT);
+                $stmt->execute();
+            } catch (PDOException $e) {
+                echo $e->getMessage();
+            }
+        }
+    }
+?>

application/views/view.php

@@ -0,0 +1,9 @@
+<!DOCTYPE html>
+<html>
+    <head>
+        <link rel="stylesheet" href="<?php echo BASE_URL; ?>static/css/style.css" type="text/css" media="screen" />
+    </head>
+    <body>
+        <p><?php echo $data; ?></p>
+    </body>
+</html>

index.php

@@ -1,26 +1,50 @@
 <?php
-/*
- * PIP v0.5.3
- */
+    // Base paths
+    define('ROOT_DIR', realpath(dirname(__FILE__)) .'/');
+    define('APP_DIR', ROOT_DIR .'application/');
+    require(ROOT_DIR .'system/config.php');
+
+    // Settings 
+    global $config;
+    define('BASE_URL', $config['base_url']);
 
-//Start the Session
-session_start(); 
+    /* Secure session (disabled as it does not function as intended, will be fixed in time)
+    if(session_id() == '' || !isset($_SESSION)) {
+        session_name($config['session_name']);
+        session_set_cookie_params($lifetime = $config['cookie_lifetime'], $secure = $config['https_cookie'], $http_only = $config['http_only']);
+        session_start();
+    } else {
+        session_start();
+    } */
 
-// Defines
-define('ROOT_DIR', realpath(dirname(__FILE__)) .'/');
-define('APP_DIR', ROOT_DIR .'application/');
+    // Start a session
+    session_start(); 
+
+    // Set variable for tracking the number of requests per session id
+    if(!isset($_SESSION['regen'])) {
+        $_SESSION['regen'] = 0;
+    }
+
+    // Rotate session id every N requests to protect from session fixation
+    if(++$_SESSION['regen'] > $config['rotation_interval']) {
+        $_SESSION['regen'] = 0;
+        session_regenerate_id(true);
+    }     
+
+    // PHP settings for dev mode 
+    if(!$config['production']) {
+        error_reporting(E_ALL);
+        ini_set('display_errors', 1);
+        ini_set('memory_limit', '-1');
+        set_time_limit(0);
+    }
 
-// Includes
-require(APP_DIR .'config/config.php');
-require(ROOT_DIR .'system/model.php');
-require(ROOT_DIR .'system/view.php');
-require(ROOT_DIR .'system/controller.php');
-require(ROOT_DIR .'system/pip.php');
-
-// Define base URL
-global $config;
-define('BASE_URL', $config['base_url']);
-
-pip();
+    // Base classes for application
+    require(ROOT_DIR .'system/model.php');
+    require(ROOT_DIR .'system/view.php');
+    require(ROOT_DIR .'system/controller.php');
+    require(ROOT_DIR .'system/pip.php');
 
+    // Call PIP
+    pip();
 ?>

static/css/style.css

@@ -1 +1,3 @@
-/* CSS Styles */
+p {
+    font-family: Arial;
+}

system/config.php

@@ -0,0 +1,25 @@
+<?php 
+    // Mode
+    $config['production'] = false;
+
+    // Session rotation interval
+    $config['rotation_interval'] = 20;    
+
+    // Session cookie settings
+    $config['session_name'] = 'pip'; // Change me
+    $config['http_only'] = true; // You really shouldn't change this
+    $config['cookie_lifetime'] = 3600; // 1 hour in seconds
+
+    // URL
+    if((!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') || $_SERVER['SERVER_PORT'] == 443) {
+        $config['base_url'] = 'https://'.$_SERVER['HTTP_HOST'].'/';
+        $config['https_cookie'] = true;
+    } else {
+        $config['base_url'] = 'http://'.$_SERVER['HTTP_HOST'].'/';
+        $config['https_cookie'] = false;
+    }
+
+    // Database credentials and default/permitted controllers
+    require_once('db.php');
+    require_once('controllers.php');
+?>