PurpleI2P/regi2p
1
0
Fork 0
mirror of https://github.com/PurpleI2P/regi2p.git synced 2025-02-06 06:44:14 +00:00
Code Issues Releases Activity

use binding for PDO and arguments escaping in verifier command

Browse Source
This commit is contained in:
R4SAS 2022-08-26 23:40:48 +00:00
parent 6e3ce2d992
commit 55460e36ee
10 changed files with 51 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
lib/utils.php
View File

@ -47,7 +47,7 @@ class Utils {
* @return string * @return string
*/ */
private static function b64decode(string $data): string { private static function b64decode(string $data): string {
return base64_decode(strtr($data, static::b64Trans)); return base64_decode(strtr($data, static::b64Trans), true);
} }
/** /**
@ -182,7 +182,7 @@ class Utils {
if (strpos($data, "&") !== false) if (strpos($data, "&") !== false)
return false; // registration string can't have ampersands return false; // registration string can't have ampersands
$cmd = dirname(__FILE__) . "/../bin/verifyhost '" . $data . "'"; $cmd = dirname(__FILE__) . '/../bin/verifyhost ' . escapeshellarg($data);
exec($cmd, $output, $retval); exec($cmd, $output, $retval);
if (!$retval) if (!$retval)
@ -196,7 +196,7 @@ class Utils {
/* Return empty array if no data provided */ /* Return empty array if no data provided */
if(!strlen($data)) if(!strlen($data))
return $record; return [];
$data = trim($data); $data = trim($data);
@ -208,7 +208,11 @@ class Utils {
/* Return empty array if host or b64 is not set */ /* Return empty array if host or b64 is not set */
if(!isset($host[0]) || !isset($host[1])) if(!isset($host[0]) || !isset($host[1]))
return $record; return [];
/* Return if base64 can't be decoded */
if(self::b64decode($host[1]) === false)
return [];
$record["host"] = $host[0]; $record["host"] = $host[0];
$record["b64"] = $host[1]; $record["b64"] = $host[1];

34
views/add.php
View File

@ -55,7 +55,8 @@ if (isset($_POST["record"]) && !empty($_POST["record"])) {
} else { } else {
if (isset($parsed["commands"]["action"])) { if (isset($parsed["commands"]["action"])) {
/* Check if such domain name already registered */ /* Check if such domain name already registered */
$STH = $pdo->query("SELECT COUNT(*) FROM `hosts` WHERE `host` = '" . $domain . "' LIMIT 1"); $STH = $pdo->prepare('SELECT COUNT(*) FROM `hosts` WHERE `host` = ? LIMIT 1');
$STH->execute([$domain]);
switch ($parsed["commands"]["action"]) { switch ($parsed["commands"]["action"]) {
case 'addsubdomain': case 'addsubdomain':
@ -75,18 +76,21 @@ if (isset($_POST["record"]) && !empty($_POST["record"])) {
if ((sizeof ($darr) - 1) != $i) $dtop .= "."; if ((sizeof ($darr) - 1) != $i) $dtop .= ".";
} }
$STH = $pdo->prepare('SELECT COUNT(*) FROM `hosts` WHERE `host` = ? AND `base64` = ? LIMIT 1');
if (sizeof($darr) < 3) { if (sizeof($darr) < 3) {
$result["error"] = "Error while validating: you can't register second level domain (example.i2p) using addsubdomain action."; $result["error"] = "Error while validating: you can't register second level domain (example.i2p) using addsubdomain action.";
} else if ($dtop != $parsed["commands"]["oldname"]) { } else if ($dtop != $parsed["commands"]["oldname"]) {
$result["error"] = "Error while validating: oldname value is not same as your higher level domain."; $result["error"] = "Error while validating: oldname value is not same as your higher level domain.";
} else if (!$pdo->query("SELECT COUNT(*) FROM `hosts` WHERE `host` = '" . $parsed["commands"]["oldname"] . "' AND `base64` = '" . $parsed["commands"]["olddest"] . "' LIMIT 1")->fetchColumn()) { } else if (!$STH->execute([$parsed["commands"]["oldname"], $parsed["commands"]["olddest"]]) || !$STH->fetchColumn()) {
$result["error"] = "Error while validating: can't find higher level domain with values from oldname and olddest."; $result["error"] = "Error while validating: can't find higher level domain with values from oldname and olddest.";
} else { } else {
$base32 = $util->b32from64($parsed["b64"]); $base32 = $util->b32from64($parsed["b64"]);
if (!$pdo->exec("INSERT INTO `hosts` (`host`, `base64`, `base32`) VALUES ('" . $domain . "', '" . $parsed["b64"] . "', '" . $base32 . "')")) {
if (!$pdo->prepare('INSERT INTO `hosts` (`host`, `base64`, `base32`) VALUES (?, ?, ?)')->execute([$domain, $parsed["b64"], $base32])) {
$result["error"] = "Error happened while inserting record to database. Please try again later."; $result["error"] = "Error happened while inserting record to database. Please try again later.";
} else { } else {
@ -107,12 +111,15 @@ if (isset($_POST["record"]) && !empty($_POST["record"])) {
$result["error"] = "Error while validating: required fields not found. Re-check your registration string."; $result["error"] = "Error while validating: required fields not found. Re-check your registration string.";
} else { } else {
if (!$pdo->query("SELECT COUNT(*) FROM `hosts` WHERE `host` = '" . $domain . "' AND `base64` = '" . $parsed["commands"]["olddest"] . "' LIMIT 1")->fetchColumn()) { $STH = $pdo->prepare('SELECT COUNT(*) FROM `hosts` WHERE `host` = ? AND `base64` = ? LIMIT 1');
if (!$STH->execute([$domain, $parsed["commands"]["olddest"]]) || !$STH->fetchColumn()) {
$result["error"] = "Error while validating: old base64 and value in olddest field does not match.."; $result["error"] = "Error while validating: old base64 and value in olddest field does not match..";
} else { } else {
$base32 = $util->b32from64($parsed["b64"]); $base32 = $util->b32from64($parsed["b64"]);
if (!$pdo->exec("UPDATE `hosts` SET `base64` = '" . $parsed["b64"] . "', `base32` = '" . $base32 . "' WHERE `host` = '" . $domain . "'")) {
if (!$pdo->prepare('UPDATE `hosts` SET `base64` = ?, `base32` = ? WHERE `host` = ?')->execute([$parsed["b64"], $base32, $domain])) {
$result["error"] = "Error happened while updating record in database. Please try again later."; $result["error"] = "Error happened while updating record in database. Please try again later.";
} else { } else {
@ -143,12 +150,15 @@ if (isset($_POST["record"]) && !empty($_POST["record"])) {
$olddomain = $parsed["commands"]["oldname"]; $olddomain = $parsed["commands"]["oldname"];
} }
if (!$pdo->query("SELECT COUNT(*) FROM `hosts` WHERE `host` = '" . $olddomain . "' AND `base64` = '" . parsed["b64"] . "' LIMIT 1")->fetchColumn()) { $STH = $pdo->prepare('SELECT COUNT(*) FROM `hosts` WHERE `host` = ? AND `base64` = ? LIMIT 1');
if (!$STH->execute([$olddomain, parsed["b64"]]) || !$STH->fetchColumn()) {
$result["error"] = "Error while validating: base64 does not match for domain in oldname field..."; $result["error"] = "Error while validating: base64 does not match for domain in oldname field...";
} else { } else {
$base32 = $util->b32from64($parsed["b64"]); $base32 = $util->b32from64($parsed["b64"]);
if (!$pdo->exec("INSERT INTO `hosts` (`host`, `base64`, `base32`) VALUES ('" . $domain . "', '" . $parsed["b64"] . "', '" . $base32 . "')")) {
if (!$pdo->prepare('INSERT INTO `hosts` (`host`, `base64`, `base32`) VALUES (?, ?, ?)')->execute([$domain, $parsed["b64"], $base32])) {
$result["error"] = "Error happened while updating record in database. Please try again later."; $result["error"] = "Error happened while updating record in database. Please try again later.";
} else { } else {
@ -167,7 +177,8 @@ if (isset($_POST["record"]) && !empty($_POST["record"])) {
} else { } else {
/* Check if such domain name already registered */ /* Check if such domain name already registered */
$STH = $pdo->query("SELECT `host`, `base32`, `base64`, `initial`, `disabled` FROM `hosts` WHERE `host` = '" . $domain . "' LIMIT 1"); $STH = $pdo->prepare('SELECT `host`, `base32`, `base64`, `initial`, `disabled` FROM `hosts` WHERE `host` = ? LIMIT 1');
$STH->execute([$domain]);
$row = $STH->fetch(PDO::FETCH_ASSOC); $row = $STH->fetch(PDO::FETCH_ASSOC);
if($row && !$row['disabled']) { if($row && !$row['disabled']) {
@ -189,7 +200,8 @@ if (isset($_POST["record"]) && !empty($_POST["record"])) {
$log = "[" . date("d-M-Y H:i:s e") . "] Re-registering attempt for " . $row['host'] . "! Next records will be deleted:" . PHP_EOL; $log = "[" . date("d-M-Y H:i:s e") . "] Re-registering attempt for " . $row['host'] . "! Next records will be deleted:" . PHP_EOL;
/* print all records, which will be deleted*/ /* print all records, which will be deleted*/
$STH = $pdo->query("SELECT `host`, `base32`, `base64` FROM `hosts` WHERE `host` = '" . $domain . "' OR `host` LIKE '%." . $domain . "'"); $STH = $pdo->prepare('SELECT `host`, `base32`, `base64` FROM `hosts` WHERE `host` = ? OR `host` LIKE ?');
$STH->execute(['%'.$domain, '%'.$domain]);
$hosts = $STH->fetchAll(PDO::FETCH_ASSOC); $hosts = $STH->fetchAll(PDO::FETCH_ASSOC);
foreach ($hosts as $host) { foreach ($hosts as $host) {
$log .= "Host: " . $host['host'] . PHP_EOL . "Base32: " . $host['base32'] . PHP_EOL . "Base64: " . $host['base64'] . PHP_EOL; $log .= "Host: " . $host['host'] . PHP_EOL . "Base32: " . $host['base32'] . PHP_EOL . "Base64: " . $host['base64'] . PHP_EOL;
@ -198,14 +210,14 @@ if (isset($_POST["record"]) && !empty($_POST["record"])) {
file_put_contents(__DIR__ . '/../logs/reg.log', $log, FILE_APPEND); file_put_contents(__DIR__ . '/../logs/reg.log', $log, FILE_APPEND);
/* remove domain and subdomains if any found */ /* remove domain and subdomains if any found */
$pdo->exec("DELETE FROM `hosts` WHERE `host` = '" . $domain . "' OR `host` LIKE '%." . $domain . "'"); $pdo->prepare('DELETE FROM `hosts` WHERE `host` = ? OR `host` LIKE %?')->execute(['%'.$domain, '%'.$domain]);
$result["reregister"] = true; $result["reregister"] = true;
} }
$base32 = $util->b32from64($parsed["b64"]); $base32 = $util->b32from64($parsed["b64"]);
/* Adding to database 2LD domain */ /* Adding to database 2LD domain */
if (!$pdo->exec("INSERT INTO `hosts` (`host`, `base64`, `base32`) VALUES ('" . $domain . "', '" . $parsed["b64"] . "', '" . $base32 . "')")) { if (!$pdo->prepare('INSERT INTO `hosts` (`host`, `base64`, `base32`) VALUES (?, ?, ?)')->execute([$domain, $parsed["b64"], $base32])) {
$result["error"] = "Error happened while inserting record to database. Please try again later."; $result["error"] = "Error happened while inserting record to database. Please try again later.";
} else { } else {

3
views/all.php
View File

@ -29,8 +29,7 @@ $pages = intdiv($records, $options["tableitems"]) + 1;
/* Get records with limit */ /* Get records with limit */
$STH = $pdo->query ("SELECT `host`, `base64`, `base32`, `last_seen` FROM `hosts` LIMIT " . $offset . ", " . $options["tableitems"]); $STH = $pdo->query ("SELECT `host`, `base64`, `base32`, `last_seen` FROM `hosts` LIMIT " . $offset . ", " . $options["tableitems"]);
$STH->setFetchMode(PDO::FETCH_ASSOC); $rows = $STH->fetchAll(PDO::FETCH_ASSOC);
$rows = $STH->fetchAll();
$template = $twig->load('all.twig'); $template = $twig->load('all.twig');
echo $template->render(['current' => $page, 'total' => $pages, 'hosts' => $rows, 'all' => $all]); echo $template->render(['current' => $page, 'total' => $pages, 'hosts' => $rows, 'all' => $all]);

6
views/api.php
View File

@ -17,8 +17,7 @@ switch ($command) {
$STH = $pdo->query ("SELECT `base32`, UNIX_TIMESTAMP(`last_seen`) as `last_seen` FROM `hosts` " . $STH = $pdo->query ("SELECT `base32`, UNIX_TIMESTAMP(`last_seen`) as `last_seen` FROM `hosts` " .
"WHERE `approved` = 1 AND `disabled` = 0" . "WHERE `approved` = 1 AND `disabled` = 0" .
($all ? " " : " AND `blacklisted` = 0 ")); ($all ? " " : " AND `blacklisted` = 0 "));
$STH->setFetchMode(PDO::FETCH_ASSOC); $rows = $STH->fetchAll(PDO::FETCH_ASSOC);
$rows = $STH->fetchAll();
foreach($rows as $row) { foreach($rows as $row) {
$data[$row["base32"] . ".b32.i2p"] = $row["last_seen"]; $data[$row["base32"] . ".b32.i2p"] = $row["last_seen"];
@ -31,7 +30,8 @@ switch ($command) {
} }
$q = htmlspecialchars($query); $q = htmlspecialchars($query);
$STH = $pdo->query("SELECT `host` AS `hostname`, `base64`, `base32`, UNIX_TIMESTAMP(`last_seen`) as `last_seen` FROM `hosts` WHERE `host` = '" . $q . "' LIMIT 1"); $STH = $pdo->prepare('SELECT `host` AS `hostname`, `base64`, `base32`, UNIX_TIMESTAMP(`last_seen`) as `last_seen` FROM `hosts` WHERE `host` = ? LIMIT 1');
$STH->execute([$q]);
$row = $STH->fetch(PDO::FETCH_ASSOC); $row = $STH->fetch(PDO::FETCH_ASSOC);
if (empty($row)) { if (empty($row)) {

6
views/autojump.php
View File

@ -40,9 +40,9 @@ else if(!empty($domain) && $utils->isValidDomain($domain, $error)) {
$pdo = (new App\DB($options))->pdo; $pdo = (new App\DB($options))->pdo;
$STH = $pdo->query("SELECT `host`, `base64`, `base32`, `last_seen`, `blacklisted` FROM `hosts` WHERE `host` = '" . $domain . "' LIMIT 1"); $STH = $pdo->prepare('SELECT `host`, `base64`, `base32`, `last_seen`, `blacklisted` FROM `hosts` WHERE `host` = ? LIMIT 1');
$STH->setFetchMode(PDO::FETCH_ASSOC); $STH->execute([$domain]);
$row = $STH->fetchAll(); $row = $STH->fetchAll(PDO::FETCH_ASSOC);
if (empty($row)) { if (empty($row)) {
$result["error"] = "No such host is found"; $result["error"] = "No such host is found";

3
views/hidden.php
View File

@ -35,8 +35,7 @@ $pages = intdiv($records, $options["tableitems"]) + 1;
$STH = $pdo->query ("SELECT `host`, `base64`, `base32`, `last_seen` FROM `hosts` " . $STH = $pdo->query ("SELECT `host`, `base64`, `base32`, `last_seen` FROM `hosts` " .
"WHERE `approved` = 1 AND `disabled` = 0 AND `hidden` = 0 AND `blacklisted` = 1 " . "WHERE `approved` = 1 AND `disabled` = 0 AND `hidden` = 0 AND `blacklisted` = 1 " .
"LIMIT " . $offset . ", " . $options["tableitems"]); "LIMIT " . $offset . ", " . $options["tableitems"]);
$STH->setFetchMode(PDO::FETCH_ASSOC); $rows = $STH->fetchAll(PDO::FETCH_ASSOC);
$rows = $STH->fetchAll();
$template = $twig->load('hidden.twig'); $template = $twig->load('hidden.twig');
echo $template->render(['current' => $page, 'total' => $pages, 'hosts' => $rows, 'all' => $all]); echo $template->render(['current' => $page, 'total' => $pages, 'hosts' => $rows, 'all' => $all]);

3
views/home.php
View File

@ -19,8 +19,7 @@ if (isset($_GET["all"]))
if ($options['fetcher']) { if ($options['fetcher']) {
$STH = $pdo->query ("SELECT `name` FROM `subscriptions` WHERE `active` = 1"); $STH = $pdo->query ("SELECT `name` FROM `subscriptions` WHERE `active` = 1");
$STH->setFetchMode(PDO::FETCH_ASSOC); $subscrs = $STH->fetchAll(PDO::FETCH_ASSOC);
$subscrs = $STH->fetchAll();
} }
$STH = $pdo->query ("SELECT COUNT(*) FROM `hosts` WHERE `blacklisted` = 1"); $STH = $pdo->query ("SELECT COUNT(*) FROM `hosts` WHERE `blacklisted` = 1");

6
views/jump.php
View File

@ -50,9 +50,9 @@ else if(!empty($domain) && $utils->isValidDomain($domain, $error)) {
$pdo = (new App\DB($options))->pdo; $pdo = (new App\DB($options))->pdo;
$STH = $pdo->query("SELECT `host`, `base64`, `base32`, `add_date`, `last_seen`, `blacklisted` FROM `hosts` WHERE `host` = '" . $domain . "' LIMIT 1"); $STH = $pdo->prepare('SELECT `host`, `base64`, `base32`, `add_date`, `last_seen`, `blacklisted` FROM `hosts` WHERE `host` = ? LIMIT 1');
$STH->setFetchMode(PDO::FETCH_ASSOC); $STH->execute([$domain]);
$row = $STH->fetchAll(); $row = $STH->fetchAll(PDO::FETCH_ASSOC);
if (empty($row)) { if (empty($row)) {
$result["error"] = "No such host is found"; $result["error"] = "No such host is found";

3
views/latest.php
View File

@ -19,8 +19,7 @@ if (isset($_GET["all"]))
/* Get records with limit */ /* Get records with limit */
$STH = $pdo->query ("SELECT `host`, `base64`, `base32`, `add_date`, `last_seen` FROM `hosts` WHERE `disabled` = 0" . ($all ? "" : " AND `blacklisted` = 0") . " ORDER BY `add_date` DESC LIMIT " . $options["tableitems"]); $STH = $pdo->query ("SELECT `host`, `base64`, `base32`, `add_date`, `last_seen` FROM `hosts` WHERE `disabled` = 0" . ($all ? "" : " AND `blacklisted` = 0") . " ORDER BY `add_date` DESC LIMIT " . $options["tableitems"]);
$STH->setFetchMode(PDO::FETCH_ASSOC); $rows = $STH->fetchAll(PDO::FETCH_ASSOC);
$rows = $STH->fetchAll();
$template = $twig->load('latest.twig'); $template = $twig->load('latest.twig');
echo $template->render(['limit' => $options["tableitems"], 'hosts' => $rows, 'all' => $all]); echo $template->render(['limit' => $options["tableitems"], 'hosts' => $rows, 'all' => $all]);

13
views/search.php
View File

@ -34,13 +34,14 @@ if (isset($_POST["all"]) || isset($_GET["all"]))
if(!empty($q)) { if(!empty($q)) {
$pdo = (new App\DB($options))->pdo; $pdo = (new App\DB($options))->pdo;
if ($a) if($a) {
$STH = $pdo->query("SELECT `host`, `base64`, `base32`, `last_seen` FROM `hosts` WHERE (`host` LIKE '%" . $q . "%' OR `base32` LIKE '%" . $q . "%') AND `disabled` = 0 LIMIT " . $options["tableitems"]); $STH = $pdo->prepare('SELECT `host`, `base64`, `base32`, `last_seen` FROM `hosts` WHERE (`host` LIKE ? OR `base32` LIKE ?) AND `disabled` = 0 LIMIT ' . $options["tableitems"]);
else } else {
$STH = $pdo->query("SELECT `host`, `base64`, `base32`, `last_seen` FROM `hosts` WHERE `host` LIKE '%" . $q . "%' OR `base32` LIKE '%" . $q . "%' LIMIT " . $options["tableitems"]); $STH = $pdo->prepare('SELECT `host`, `base64`, `base32`, `last_seen` FROM `hosts` WHERE (`host` LIKE ? OR `base32` LIKE ?) LIMIT ' . $options["tableitems"]);
}
$STH->setFetchMode(PDO::FETCH_ASSOC); $STH->execute(['%'.$q.'%', '%'.$q.'%']);
$row = $STH->fetchAll(); $row = $STH->fetchAll(PDO::FETCH_ASSOC);
if (empty($row)) if (empty($row))
$result["error"] = "Nothing was found"; $result["error"] = "Nothing was found";