From 2ce6eba811d1acf0adba609f5663264205c734a2 Mon Sep 17 00:00:00 2001
From: Floorb <132411956+Neetpone@users.noreply.github.com>
Date: Mon, 12 Jul 2021 08:23:14 -0400
Subject: [PATCH] Clean up index.php a bunch
---
 includes/common.php | 7 +
 index.php | 326 +++++++++++++++++++++----------------------
 login.php | 1 -
 theme/bulma/main.php | 2 +-
 4 files changed, 165 insertions(+), 171 deletions(-)
diff --git a/includes/common.php b/includes/common.php
index 483b812..35e5c68 100644
--- a/includes/common.php
+++ b/includes/common.php
@@ -111,11 +111,18 @@ $site_permissions = getSitePermissions($conn);
 if ($site_permissions) { $siteprivate = $site_permissions['siteprivate'];
+ $disableguest = $site_permissions['disableguest'];
 } else { $siteprivate = 'off';
+ $disableguest = 'off';
 } $privatesite = $siteprivate;
+$noguests = $disableguest;
+
+if (isset($_SESSION['username'])) {
+ $noguests = "off";
+} // Prevent a potential LFI (you never know :p)
diff --git a/index.php b/index.php
index 1dfdfdc..067cccf 100644
--- a/index.php
+++ b/index.php
@@ -7,7 +7,7 @@
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version 3
 * of the License, or (at your option) any later version.
- *
+ *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
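Review bot: `$disableguest = $site_permissions['disableguest'];` reads the new column with no fallback, so a permissions row that predates it yields null plus an undefined-index warning, and `$noguests` then quietly evaluates as anything but 'on' — the guest restriction fails open instead of erroring. A null-coalesce keeps the same default the no-row branch uses: `$disableguest = $site_permissions['disableguest'] ?? 'off';` (whether a missing setting should instead default to 'on' is a policy decision for the maintainers). Note also that `$noguests` is now fixed at include time from `$_SESSION['username']`, so common.php has to run after the session is started; I cannot confirm that ordering from this hunk.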
@@ -28,34 +28,75 @@ require_once('includes/captcha.php'); require_once('includes/functions.php'); require_once('includes/password.php'); -function calculatePasteExpiry($p_expiry) { - switch ($p_expiry) { - case '10M': - $expires = mktime(date("H"), date("i") + "10", date("s"), date("n"), date("j"), date("Y")); - break; - case '1H': - $expires = mktime(date("H") + "1", date("i"), date("s"), date("n"), date("j"), date("Y")); - case '1D': - $expires = mktime(date("H"), date("i"), date("s"), date("n"), date("j") + "1", date("Y")); - break; - case '1W': - $expires = mktime(date("H"), date("i"), date("s"), date("n"), date("j") + "7", date("Y")); - break; - case '2W': - $expires = mktime(date("H"), date("i"), date("s"), date("n"), date("j") + "14", date("Y")); - break; - case '1M': - $expires = mktime(date("H"), date("i"), date("s"), date("n") + "1", date("j"), date("Y")); - break; - case 'self': - $expires = "SELF"; - break; - default: - $expires = "NULL"; - break; +function verifyCaptcha() : string | bool { + global $cap_e; + global $mode; + global $recaptcha_secretkey; + global $lang; + + if ($cap_e == "on" && !isset($_SESSION['username'])) { + if ($mode == "reCAPTCHA") { + $response = file_get_contents("https://www.google.com/recaptcha/api/siteverify?secret=".$recaptcha_secretkey."&response=".$_POST['g-recaptcha-response']); + $response = json_decode($response, true); + if ($response["success"] == false) { + // reCAPTCHA Errors + return match ($response["error-codes"][0]) { + "missing-input-response" => $lang['missing-input-response'], + "missing-input-secret" => $lang['missing-input-secret'], + "invalid-input-secret" => $lang['invalid-input-secret'], + default => $lang['error'] + }; + } + } else { + $scode = strtolower(htmlentities(Trim($_POST['scode']))); + $cap_code = strtolower($_SESSION['captcha']['code']); + if ($cap_code !== $scode) { + return $lang['image_wrong']; // Wrong captcha. 
+ } + } } - return $expires; + return true; +} + +/** + * Calculate the expiry of a paste based on user input. + * + * @param string $expiry Expiry time. + * SELF means to expire upon one view. +10M, +1H, +1D, +1W, +2W, +1M all do the obvious. + * Anything unhandled means to expire never. + * @return string|null Expiry time, or NULL if expires never. + */ +function calculatePasteExpiry(string $expiry) { + // used to use mktime + if ($expiry === 'self') { + return 'SELF'; // What does this do? + } + + $valid_expiries = ['10M', '1H', '1D', '1W', '2W', '1M']; + + return in_array($expiry, $valid_expiries) + ? (new DateTime())->add(new DateInterval("P{$expiry}"))->format('U') + : null; +} + +function validatePasteFields() : string | null { + global $lang; + global $pastelimit; + + if (empty($_POST["paste_data"]) || trim($_POST['paste_data'] === '')) { /* Empty paste input */ + return $lang['empty_paste']; + } elseif(!isset($_POST['title'])) { /* No paste title POSTed */ + return $lang['error']; + } elseif (empty($_POST["tags"])) { /* No tags provided */ + return $lang['notags']; + } elseif (strlen($_POST["title"]) > 70) { /* Paste title too long */ + return $lang['titlelen']; + } elseif (mb_strlen($_POST["paste_data"], '8bit') > 1024 * 1024 * $pastelimit) { /* Paste size too big */ + return $lang['large_paste']; + } + + return null; } // UTF-8 
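Review bot: `new DateInterval("P{$expiry}")` in calculatePasteExpiry does not reproduce what the removed mktime code did: in ISO 8601 durations a bare `M` means months, so '10M' expires in ten months rather than ten minutes, and '1H' is not a valid duration at all without the `T` designator and throws. The cases need an explicit map to proper interval strings, the `in_array` lookup should be strict, and the function should carry the `?string` return type its docblock promises (the old code returned the literal string "NULL" in the default case, so any reader comparing against that string needs checking). In verifyCaptcha the token is concatenated raw into the siteverify URL; `rawurlencode($_POST['g-recaptcha-response'] ?? '')` keeps a stray `&` from injecting extra query parameters, `$response` should be checked with `is_array` before indexing because `file_get_contents` returns false on failure, and the match no longer maps `invalid-input-response`, which the old switch handled. validatePasteFields keeps the misplaced parenthesis in `trim($_POST['paste_data'] === '')`, which trims a boolean; it should read `trim($_POST['paste_data']) === ''`.
```php
function calculatePasteExpiry(string $expiry): ?string {
    if ($expiry === 'self') {
        return 'SELF';
    }

    // ISO 8601: minutes and hours need the T designator; a bare M is months.
    $intervals = [
        '10M' => 'PT10M',
        '1H'  => 'PT1H',
        '1D'  => 'P1D',
        '1W'  => 'P1W',
        '2W'  => 'P2W',
        '1M'  => 'P1M',
    ];

    if (!isset($intervals[$expiry])) {
        return null;
    }

    return (new DateTime())->add(new DateInterval($intervals[$expiry]))->format('U');
}
```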
@@ -66,15 +107,15 @@ $date = date('jS F Y');
 $ip = $_SERVER['REMOTE_ADDR']; // Sitemap
-$site_sitemap_rows = $conn->query('SELECT * FROM sitemap_options WHERE id="1"');
-while ($row = $site_sitemap_rows->fetch()) {
+$site_sitemap_rows = $conn->query('SELECT * FROM sitemap_options LIMIT 1');
+if ($row = $site_sitemap_rows->fetch()) {
 $priority = $row['priority']; $changefreq = $row['changefreq']; } // Captcha
-$site_captcha_rows = $conn->query("SELECT * FROM captcha where id='1'");
-while ($row = $site_captcha_rows->fetch()) {
+$site_captcha_rows = $conn->query("SELECT * FROM captcha LIMIT 1");
+if ($row = $site_captcha_rows->fetch()) {
 $color = Trim($row['color']); $mode = Trim($row['mode']); $mul = Trim($row['mul']);
@@ -83,8 +124,8 @@ while ($row = $site_captcha_rows->fetch()) {
 $recaptcha_sitekey = Trim($row['recaptcha_sitekey']); $recaptcha_secretkey = Trim($row['recaptcha_secretkey']); }
-if ($_SERVER['REQUEST_METHOD'] == 'POST') {
-} else {
+
+if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
 if ($cap_e == "on") { if ($mode == "reCAPTCHA") { $_SESSION['captcha_mode'] = "recaptcha";
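Review bot: `SELECT * FROM sitemap_options LIMIT 1` and `SELECT * FROM captcha LIMIT 1` drop the `id` predicate without adding an ORDER BY, so if either table ever holds more than one row the engine picks whichever row it returns first, and the captcha mode, site key and secret could silently come from a different row than before. Either keep the predicate or pin the order, e.g. `SELECT * FROM captcha ORDER BY id LIMIT 1`. Because `while` became `if`, a missing row now leaves `$priority`, `$changefreq` and `$mode` undefined, and presumably `$cap_e`, which appears to be assigned in the part of this block cut off at the hunk's end; the `$cap_e == "on"` test in the next hunk (`@@ -83,8 +124,8 @@`) then runs on an undefined variable, so initialising these before the queries (e.g. `$cap_e = 'off';`) would make the fail-safe explicit.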
@@ -95,171 +136,118 @@ if ($_SERVER['REQUEST_METHOD'] == 'POST') { } } else { $_SESSION['captcha_mode'] = "none"; - } -} - - -if ($_SERVER['REQUEST_METHOD'] == 'POST') { -} else { - if ($disableguest == "on") { - $noguests = "on"; - } - if ($siteprivate =="on") { - $privatesite = "on"; } - if (isset($_SESSION['username'])) { - $noguests = "off"; - } } updatePageViews($conn); // POST Handler if ($_SERVER['REQUEST_METHOD'] == 'POST') { - // Check if fields are empty - if (empty($_POST["paste_data"]) || trim($_POST['paste_data'] === '')) { - $error = $lang['empty_paste']; - goto OutPut; - exit; - } + $error = validatePasteFields(); - if (empty($_POST["tags"])) { - $error = $lang['notags']; - goto OutPut; - exit; - } + if ($error !== null) { + goto OutPut; + } - if (strlen($_POST["title"]) > 70) { - $error = $lang['titlelen']; - goto OutPut; - exit; - } + $captchaResponse = verifyCaptcha(); + if ($captchaResponse !== true) { + $error = $captchaResponse; + goto OutPut; + } - // Set our limits - if (mb_strlen($_POST["paste_data"], '8bit') > 1024 * 1024 * $pastelimit) { - $error = $lang['large_paste']; - goto OutPut; - exit; - } - - // Check POST data status - if (isset($_POST['title']) && isset($_POST['paste_data'])) { - if ($cap_e == "on" && !isset($_SESSION['username'])) { - if ($mode == "reCAPTCHA") { - $response = file_get_contents("https://www.google.com/recaptcha/api/siteverify?secret=".$recaptcha_secretkey."&response=".$_POST['g-recaptcha-response']); - $response = json_decode($response, true); - if ( $response["success"] == false ) { - // reCAPTCHA Errors - switch( $response["error-codes"][0] ) { - case "missing-input-response": - $error = $lang['missing-input-response']; - break; - case "missing-input-secret": - $error = $lang['missing-input-secret']; - break; - case "invalid-input-response": - $error = $lang['missing-input-response']; - break; - case "invalid-input-secret": - $error = $lang['invalid-input-secret']; - break; - } - goto OutPut; - } - } else { - 
$scode = strtolower(htmlentities(Trim($_POST['scode']))); - $cap_code = strtolower($_SESSION['captcha']['code']); - if ($cap_code == $scode) { - } else { - $error = $lang['image_wrong']; // Wrong captcha. - goto OutPut; - } - } - } + $editing = isset($_POST['edit']); - $p_title = Trim(htmlspecialchars($_POST['title'])); - if (strlen($p_title)==0) $p_title='Untitled'; - $p_content = htmlspecialchars($_POST['paste_data']); - $p_visible = Trim(htmlspecialchars($_POST['visibility'])); - $p_code = Trim(htmlspecialchars($_POST['format'])); - $p_expiry = Trim(htmlspecialchars($_POST['paste_expire_date'])); - $p_tagsys = Trim(htmlspecialchars($_POST['tags'])); - $p_tagsys = rtrim($p_tagsys, ','); - $p_password = $_POST['pass']; - if ($p_password == "" || $p_password == null) { - $p_password = "NONE"; - } else { - $p_password = password_hash($p_password, PASSWORD_DEFAULT); - } - $p_encrypt = Trim(htmlspecialchars($_POST['encrypted'])); - - if (empty($p_encrypt)) { - $p_encrypt = "0"; - } else { - // Encrypt option - $p_encrypt = "1"; - $p_content = encrypt($p_content); - } - - if (isset($_SESSION['token'])) { - $p_member = Trim($_SESSION['username']); - } else { - $p_member = "Guest"; - } - // Set expiry time - $expires = calculatePasteExpiry($p_expiry); + $p_title = Trim(htmlspecialchars($_POST['title'])); - $p_date = date('jS F Y h:i:s A'); - $date = date('jS F Y'); - $now_time = mktime(date("H"), date("i"), date("s"), date("n"), date("j"), date("Y")); - $timeedit = gmmktime(date("H"), date("i"), date("s"), date("n"), date("j"), date("Y")); + if (empty($p_title)) { + $p_title = 'Untitled'; + } - // Edit existing paste or create new? 
- if ( isset($_POST['edit'] ) ) { - if (isset($_SESSION['username'])) { - $edit_paste_id = $_POST['paste_id']; + $p_content = htmlspecialchars($_POST['paste_data']); + $p_visible = Trim(htmlspecialchars($_POST['visibility'])); + $p_code = Trim(htmlspecialchars($_POST['format'])); + $p_expiry = Trim(htmlspecialchars($_POST['paste_expire_date'])); + $p_tagsys = Trim(htmlspecialchars($_POST['tags'])); + $p_tagsys = rtrim($p_tagsys, ','); + $p_password = $_POST['pass']; + if ($p_password == "" || $p_password == null) { + $p_password = "NONE"; + } else { + $p_password = password_hash($p_password, PASSWORD_DEFAULT); + } + $p_encrypt = Trim(htmlspecialchars($_POST['encrypted'])); + + if (empty($p_encrypt)) { + $p_encrypt = "0"; + } else { + // Encrypt option + $p_encrypt = "1"; + $p_content = encrypt($p_content); + } + + if (isset($_SESSION['token'])) { + $p_member = Trim($_SESSION['username']); + } else { + $p_member = "Guest"; + } + + // Set expiry time + $expires = calculatePasteExpiry($p_expiry); + + $p_date = date('jS F Y h:i:s A'); + $date = date('jS F Y'); + $now_time = mktime(date("H"), date("i"), date("s"), date("n"), date("j"), date("Y")); + $timeedit = gmmktime(date("H"), date("i"), date("s"), date("n"), date("j"), date("Y")); + + // Edit existing paste or create new? + if ($editing) { + if (isset($_SESSION['username'])) { + $paste_id = intval($_POST['paste_id']); $statement = $conn->prepare( - "UPDATE pastes SET title = ?,content = ?,visible = ?,code=?,expiry=?,password=?,encrypt=?,member=?,ip=?,tagsys=?,now_time=? ,timeedit=? WHERE id = '?'" + "UPDATE pastes SET title = ?, content = ?, visible = ?, code = ?, expiry = ?, password = ?, encrypt = ?, member = ?, ip = ?, tagsys = ?, now_time = ?, timeedit = ? + WHERE id = ?" 
); - $statement->execute([$p_title,$p_content,$p_visible,$p_code,$expires,$p_password,$p_encrypt,$p_member,$ip,$p_tagsys,$now_time,$timeedit,$edit_paste_id]); - }} - else { - $statement = $conn->prepare("INSERT INTO pastes (title,content,visible,code,expiry,password,encrypt,member,date,ip,now_time,views,s_date,tagsys) VALUES - (?,?,?,?,?,?,?,?,?,?,?,'0',?,?)"); - $statement->execute([$p_title,$p_content,$p_visible,$p_code,$expires,$p_password,$p_encrypt,$p_member,$p_date,$ip,$now_time,$date,$p_tagsys]); - - } - $paste_id = $conn->query('SELECT MAX(id) FROM pastes')->fetch(PDO::FETCH_NUM)[0]; + $statement->execute([ + $p_title, $p_content, $p_visible, $p_code, $expires, $p_password, $p_encrypt, $p_member, $ip, $p_tagsys, $now_time, $timeedit, $edit_paste_id + ]); $success = $paste_id; - - if ($p_visible == '0') { - addToSitemap($paste_id, $priority, $changefreq, $mod_rewrite); - } - - + } else { + $error = 'You must be logged in to do that.'; // TODO: Lang? + } } else { - $error = $lang['error']; // "Something went wrong"; + $statement = $conn->prepare( + "INSERT INTO pastes (title, content, visible, code, expiry, password, encrypt, member, date, ip, now_time, views, s_date, tagsys) VALUES + (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, '0', ?, ?)" + ); + $statement->execute([$p_title,$p_content,$p_visible,$p_code,$expires,$p_password,$p_encrypt,$p_member,$p_date,$ip,$now_time,$date,$p_tagsys]); + $paste_id = intval($conn->lastInsertId()); /* returns the last inserted ID as per the query above */ + if ($p_visible == '0') { + addToSitemap($paste_id, $priority, $changefreq, $mod_rewrite); + } + $success = $paste_id; } - - // Redirect to paste on successful entry, or on successful edit redirect back to edited paste - if ( isset( $success ) ) { - if ( $mod_rewrite == '1' ) { - if ( isset( $_POST['edit'] ) ) { + + // Redirect to paste on successful entry, or on successful edit redirect back to edited paste + if (isset($success)) { + if ($mod_rewrite == '1') { + if ($editing) { 
$paste_url = "$edit_paste_id"; } else {
- $paste_url = "$success";
+ $paste_url = "$success";
 } } else {
- if ( $_POST['edit'] ) {
+ if ($editing) {
 $paste_url = "paste.php?id=$edit_paste_id"; } else { $paste_url = "paste.php?id=$success"; } }
- header("Location: ".$paste_url."");
- }
+
+ header("Location: ${paste_url}");
+ die();
+ } }
diff --git a/login.php b/login.php
index dbfb888..7d1251d 100644
--- a/login.php
+++ b/login.php
@@ -150,7 +150,6 @@ if (isset($_GET['forgot'])) {
 } else { $error = $lang['email_not']; //"Email not found"; }
- } }
diff --git a/theme/bulma/main.php b/theme/bulma/main.php
index 96ac934..f4c336f 100644
--- a/theme/bulma/main.php
+++ b/theme/bulma/main.php
@@ -332,7 +332,7 @@
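Review bot: In the edit branch the new side assigns `$paste_id = intval($_POST['paste_id']);` but the execute() call still binds `$edit_paste_id`, which is no longer assigned anywhere on the new side, so the UPDATE runs with `WHERE id = NULL` and matches nothing, while the unchanged redirect lines `$paste_url = "$edit_paste_id";` and `"paste.php?id=$edit_paste_id"` send the user to an empty id. Rename consistently to `$paste_id` in the bound list and both redirect lines. The branch also authorises on `isset($_SESSION['username'])` alone, so any logged-in user can overwrite any paste by posting its id; since the commit already moves to a bound `WHERE id = ?`, this is the moment to scope the update to the owner with `WHERE id = ? AND member = ?` bound to `$p_member` — assuming `member` stores the creating username the way this code writes it, and that the session sets `token` and `username` together, since `$p_member` falls back to "Guest" when `token` is absent. Smaller points: `$error = 'You must be logged in to do that.'` bypasses `$lang` (the TODO notes it), and `"Location: ${paste_url}"` uses the `${}` interpolation form PHP 8.2 deprecates; `"Location: {$paste_url}"` is equivalent.
```php
        if (isset($_SESSION['username'])) {
            $paste_id = intval($_POST['paste_id']);
            $statement = $conn->prepare(
                "UPDATE pastes SET title = ?, content = ?, visible = ?, code = ?, expiry = ?, password = ?, encrypt = ?, member = ?, ip = ?, tagsys = ?, now_time = ?, timeedit = ?
                 WHERE id = ? AND member = ?"
            );
            $statement->execute([
                $p_title, $p_content, $p_visible, $p_code, $expires, $p_password, $p_encrypt, $p_member, $ip, $p_tagsys, $now_time, $timeedit, $paste_id, $p_member,
            ]);
            $success = $paste_id;
        // … unchanged: not-logged-in branch, INSERT branch, sitemap update …
                $paste_url = "$paste_id";
        // … unchanged: non-mod_rewrite branch …
                $paste_url = "paste.php?id=$paste_id";
```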