Business/ManagePanel
2
0
Fork 1
Code Issues 1 Pull Requests Releases Wiki Activity

Refactor and enforce Content-Security-Policy

Browse Source
This commit is contained in:
Skylar Ittner 2017-11-13 16:26:29 -07:00
parent 2322962b8e
commit 30874ca14a
19 changed files with 119 additions and 52 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
app.php
View File

@ -71,7 +71,7 @@ if (!is_empty($_GET['page'])) {
} }
?> ?>
<a class="navbar-brand" href="app.php"> <a class="navbar-brand" href="app.php">
<img style="height: 35px; padding-bottom: 12px; padding-left: 5px;" src="<?php echo $src; ?>" /> <img src="<?php echo $src; ?>" />
</a> </a>
<?php <?php
} }

3
lib/reports.php
View File

@ -208,6 +208,7 @@ function dataToODS($data, $name = "report") {
} }
function dataToHTML($data, $name = "report") { function dataToHTML($data, $name = "report") {
global $SECURE_NONCE;
// HTML exporter doesn't like null values // HTML exporter doesn't like null values
for ($i = 0; $i < count($data); $i++) { for ($i = 0; $i < count($data); $i++) {
for ($j = 0; $j < count($data[$i]); $j++) { for ($j = 0; $j < count($data[$i]); $j++) {
@ -223,7 +224,7 @@ function dataToHTML($data, $name = "report") {
. "<meta name=\"viewport\" content=\"width=device-width\">\n" . "<meta name=\"viewport\" content=\"width=device-width\">\n"
. "<title>" . $name . "_" . date("Y-m-d_Hi") . "</title>\n" . "<title>" . $name . "_" . date("Y-m-d_Hi") . "</title>\n"
. <<<STYLE . <<<STYLE
<style> <style nonce="$SECURE_NONCE">
.table-csv-data { .table-csv-data {
border-collapse: collapse; border-collapse: collapse;
} }

1
mobile/index.php
View File

@ -90,6 +90,7 @@ switch ($VARS['action']) {
if (authenticate_user($VARS['username'], $VARS['password'], $autherror)) { if (authenticate_user($VARS['username'], $VARS['password'], $autherror)) {
if (account_has_permission($VARS['username'], "ADMIN")) { if (account_has_permission($VARS['username'], "ADMIN")) {
doLoginUser($VARS['username'], $VARS['password']); doLoginUser($VARS['username'], $VARS['password']);
$_SESSION['mobile'] = TRUE;
exit(json_encode(["status" => "OK"])); exit(json_encode(["status" => "OK"]));
} else { } else {
exit(json_encode(["status" => "ERROR", "msg" => lang("no admin permission", false)])); exit(json_encode(["status" => "ERROR", "msg" => lang("no admin permission", false)]));

5
pages.php
View File

@ -91,7 +91,10 @@ define("PAGES", [
"export" => [ "export" => [
"title" => "report export", "title" => "report export",
"navbar" => true, "navbar" => true,
"icon" => "download" "icon" => "download",
"scripts" => [
"static/js/export.js"
]
], ],
"404" => [ "404" => [
"title" => "404 error" "title" => "404 error"

2
pages/authlog.php
View File

@ -3,7 +3,7 @@ require_once __DIR__ . '/../required.php';
redirectifnotloggedin(); redirectifnotloggedin();
?> ?>
<div class="btn-group" style="margin-bottom: 10px;"> <div class="btn-group mgn-btm-10px">
<a href="app.php?page=clearlog" class="btn btn-warning"><i class="fa fa-times"></i> <?php lang("clear log"); ?></a> <a href="app.php?page=clearlog" class="btn btn-warning"><i class="fa fa-times"></i> <?php lang("clear log"); ?></a>
</div> </div>
<table id="logtable" class="table table-bordered table-striped"> <table id="logtable" class="table table-bordered table-striped">

2
pages/clearlog.php
View File

@ -12,7 +12,7 @@ redirectifnotloggedin();
</h3> </h3>
</div> </div>
<div class="panel-body"> <div class="panel-body">
<div style="text-align: center;"> <div class="center-text">
<p><i class="fa fa-exclamation-triangle fa-5x"></i></p> <p><i class="fa fa-exclamation-triangle fa-5x"></i></p>
<h4><?php lang("really clear log") ?></h4> <h4><?php lang("really clear log") ?></h4>
</div> </div>

2
pages/delpermission.php
View File

@ -21,7 +21,7 @@ if (!$database->has('permissions', ['permid' => $VARS['pid']])) {
</h3> </h3>
</div> </div>
<div class="panel-body"> <div class="panel-body">
<div style="text-align: center;"> <div class="center-text">
<p><i class="fa fa-exclamation-triangle fa-5x"></i></p> <p><i class="fa fa-exclamation-triangle fa-5x"></i></p>
<h4><?php lang("really delete permission") ?></h4> <h4><?php lang("really delete permission") ?></h4>
<?php <?php

2
pages/deluser.php
View File

@ -33,7 +33,7 @@ if (!is_empty($VARS['id'])) {
</h3> </h3>
</div> </div>
<div class="panel-body"> <div class="panel-body">
<div style="text-align: center;"> <div class="center-text">
<p><i class="fa fa-exclamation-triangle fa-5x"></i></p> <p><i class="fa fa-exclamation-triangle fa-5x"></i></p>
<h4><?php lang("really delete user") ?></h4> <h4><?php lang("really delete user") ?></h4>
</div> </div>

4
pages/edituser.php
View File

@ -140,11 +140,11 @@ if ($userdata['typecode'] != "LOCAL") {
echo "<span class=\"pull-right\">"; echo "<span class=\"pull-right\">";
if (!is_empty($userdata['authsecret'])) { if (!is_empty($userdata['authsecret'])) {
?> ?>
<a href="action.php?action=rmtotp&source=users&id=<?php echo htmlspecialchars($VARS['id']); ?>" style="margin-top: 8px;" class="btn btn-warning btn-xs"><i class="fa fa-unlock"></i> <?php lang('remove 2fa'); ?></a> &nbsp; &nbsp; <a href="action.php?action=rmtotp&source=users&id=<?php echo htmlspecialchars($VARS['id']); ?>" class="btn btn-warning btn-xs mgn-top-8px"><i class="fa fa-unlock"></i> <?php lang('remove 2fa'); ?></a> &nbsp; &nbsp;
<?php <?php
} }
?> ?>
<a href="app.php?page=deluser&id=<?php echo htmlspecialchars($VARS['id']); ?>" style="margin-top: 8px;" class="btn btn-danger btn-xs"><i class="fa fa-times"></i> <?php lang('delete'); ?></a> <a href="app.php?page=deluser&id=<?php echo htmlspecialchars($VARS['id']); ?>" class="btn btn-danger btn-xs mgn-top-8px"><i class="fa fa-times"></i> <?php lang('delete'); ?></a>
<?php <?php
echo "</span>"; echo "</span>";
} }

2
pages/export.php
View File

@ -31,5 +31,5 @@ redirectifnotloggedin();
?> ?>
<input type="hidden" name="code" value="<?php echo $code; ?>" /> <input type="hidden" name="code" value="<?php echo $code; ?>" />
<button type="submit" class="btn btn-success" onclick="setTimeout(function () {window.location.reload();}, 1000)"><i class="fa fa-download"></i> <?php lang("generate report"); ?></button> <button type="submit" class="btn btn-success" id="genrptbtn"><i class="fa fa-download"></i> <?php lang("generate report"); ?></button>
</form> </form>

6
pages/home.php
View File

@ -11,7 +11,7 @@ redirectifnotloggedin();
<h1><i class="fa fa-fw fa-users"></i> <?php echo $database->count('accounts'); ?></h1> <h1><i class="fa fa-fw fa-users"></i> <?php echo $database->count('accounts'); ?></h1>
</div> </div>
<div class="panel-footer"> <div class="panel-footer">
<a style="color: black;" href="app.php?page=users"><i class="fa fa-arrow-right fa-fw"></i> <?php lang('view users'); ?></a> <a href="app.php?page=users" class="black-text"><i class="fa fa-arrow-right fa-fw"></i> <?php lang('view users'); ?></a>
</div> </div>
</div> </div>
</div> </div>
@ -22,7 +22,7 @@ redirectifnotloggedin();
<h1><i class="fa fa-fw fa-user-times"></i> <?php echo $database->count('accounts', ['OR' => ['acctstatus #LOCKED_OR_DISABLED' => 2, 'acctstatus #CHANGE_PASSWORD' => 3]]); ?></h1> <h1><i class="fa fa-fw fa-user-times"></i> <?php echo $database->count('accounts', ['OR' => ['acctstatus #LOCKED_OR_DISABLED' => 2, 'acctstatus #CHANGE_PASSWORD' => 3]]); ?></h1>
</div> </div>
<div class="panel-footer"> <div class="panel-footer">
<a style="color: black;" href="app.php?page=users"><i class="fa fa-arrow-right fa-fw"></i> <?php lang('view users'); ?></a> <a href="app.php?page=users" class="black-text"><i class="fa fa-arrow-right fa-fw"></i> <?php lang('view users'); ?></a>
</div> </div>
</div> </div>
</div> </div>
@ -33,7 +33,7 @@ redirectifnotloggedin();
<h1><i class="fa fa-fw fa-list"></i> <?php echo $database->count('authlog'); ?></h1> <h1><i class="fa fa-fw fa-list"></i> <?php echo $database->count('authlog'); ?></h1>
</div> </div>
<div class="panel-footer"> <div class="panel-footer">
<a style="color: black;" href="app.php?page=authlog"><i class="fa fa-arrow-right fa-fw"></i> <?php lang('view security log'); ?></a> <a href="app.php?page=authlog" class="black-text"><i class="fa fa-arrow-right fa-fw"></i> <?php lang('view security log'); ?></a>
</div> </div>
</div> </div>
</div> </div>

4
pages/managers.php
View File

@ -38,13 +38,13 @@ if ($VARS['man'] && $database->has('accounts', ['username' => $VARS['man']])) {
<button class="btn btn-default" type="button" id="addpersonbtn"><i class="fa fa-plus"></i> <?php lang("add") ?></button> <button class="btn btn-default" type="button" id="addpersonbtn"><i class="fa fa-plus"></i> <?php lang("add") ?></button>
</div> </div>
</div> </div>
<div class="panel" style="max-height: 700px; overflow-y: scroll;"> <div class="panel" id="peoplelist-panel">
<div class="list-group" id="peoplelist"> <div class="list-group" id="peoplelist">
<?php <?php
foreach ($assigned as $user) { foreach ($assigned as $user) {
?> ?>
<div class="list-group-item" data-user="<?php echo $user; ?>"> <div class="list-group-item" data-user="<?php echo $user; ?>">
<?php echo $user; ?> <div onclick="removePerson('<?php echo $user; ?>')" class="btn btn-danger btn-sm pull-right"><i class="fa fa-trash-o"></i></div><input type="hidden" name="employees[]" value="<?php echo $user; ?>" /> <?php echo $user; ?> <div class="btn btn-danger btn-sm pull-right rmperson"><i class="fa fa-trash-o"></i></div><input type="hidden" name="employees[]" value="<?php echo $user; ?>" />
</div> </div>
<?php <?php
} }

2
pages/permissions.php
View File

@ -3,7 +3,7 @@ require_once __DIR__ . '/../required.php';
redirectifnotloggedin(); redirectifnotloggedin();
?> ?>
<div class="btn-group" style="margin-bottom: 10px;"> <div class="btn-group mgn-btm-10px">
<a href="app.php?page=addpermission" class="btn btn-success"><i class="fa fa-plus"></i> <?php lang("new permission"); ?></a> <a href="app.php?page=addpermission" class="btn btn-success"><i class="fa fa-plus"></i> <?php lang("new permission"); ?></a>
</div> </div>
<table id="permtable" class="table table-bordered table-striped"> <table id="permtable" class="table table-bordered table-striped">

34
pages/users.php
View File

@ -3,7 +3,7 @@ require_once __DIR__ . '/../required.php';
redirectifnotloggedin(); redirectifnotloggedin();
?> ?>
<div class="btn-group" style="margin-bottom: 10px;"> <div class="btn-group mgn-btm-10px">
<a href="app.php?page=edituser" class="btn btn-success"><i class="fa fa-user-plus"></i> <?php lang("new user"); ?></a> <a href="app.php?page=edituser" class="btn btn-success"><i class="fa fa-user-plus"></i> <?php lang("new user"); ?></a>
</div> </div>
<table id="usertable" class="table table-bordered table-striped"> <table id="usertable" class="table table-bordered table-striped">
@ -20,36 +20,6 @@ redirectifnotloggedin();
</tr> </tr>
</thead> </thead>
<tbody> <tbody>
<?php
/* $users = $database->select('accounts', [
"[>]acctstatus" => ['acctstatus' => 'statusid'],
"[>]accttypes" => ['accttype' => 'typeid']
], [
'uid',
'username',
'realname',
'email',
'acctstatus',
'statuscode',
'accttype',
'typecode'
]);
foreach ($users as $u) {
?>
<tr>
<td></td>
<td>
<a class="btn btn-blue btn-xs" href="app.php?page=edituser&id=<?php echo $u['uid']; ?>"><i class="fa fa-pencil-square-o"></i> <?php lang("edit"); ?></a>
</td>
<td><?php echo $u['realname']; ?></td>
<td><?php echo $u['username']; ?></td>
<td><?php echo ($u['email'] == "NOEMAIL@EXAMPLE.COM" ? "" : $u['email']); ?></td>
<td><?php echo $u['statuscode']; ?></td>
<td><?php echo $u['typecode']; ?></td>
</tr>
<?php
} */
?>
</tbody> </tbody>
<tfoot> <tfoot>
<tr> <tr>
@ -63,7 +33,7 @@ redirectifnotloggedin();
<th data-priority="4"><i class="fa fa-fw fa-server hidden-xs"></i> <?php lang('type'); ?></th> <th data-priority="4"><i class="fa fa-fw fa-server hidden-xs"></i> <?php lang('type'); ?></th>
</tfoot> </tfoot>
</table> </table>
<script> <script nonce="<?php echo $SECURE_NONCE; ?>">
/* Give JavaScript access to the lang string /* Give JavaScript access to the lang string
* it needs to inject the show deleted checkbox * it needs to inject the show deleted checkbox
*/ */

46
required.php
View File

@ -10,12 +10,42 @@ header('Content-Type: text/html; charset=utf-8');
// l33t $ecurity h4x // l33t $ecurity h4x
header('X-Content-Type-Options: nosniff'); header('X-Content-Type-Options: nosniff');
header('X-XSS-Protection: 1; mode=block'); header('X-XSS-Protection: 1; mode=block');
header('X-Powered-By: PHP'); // no versions makes it harder to find vulns
header('X-Frame-Options: "DENY"');
header('Referrer-Policy: "no-referrer, strict-origin-when-cross-origin"');
$SECURE_NONCE = base64_encode(random_bytes(8));
$session_length = 60 * 60; // 1 hour $session_length = 60 * 60; // 1 hour
session_set_cookie_params($session_length, "/", null, false, false); session_set_cookie_params($session_length, "/", null, false, false);
session_start(); // stick some cookies in it session_start(); // stick some cookies in it
// renew session cookie // renew session cookie
setcookie(session_name(), session_id(), time() + $session_length); setcookie(session_name(), session_id(), time() + $session_length);
if ($_SESSION['mobile'] === TRUE) {
header("Content-Security-Policy: "
. "default-src 'self';"
. "object-src 'none'; "
. "img-src * data:; "
. "media-src 'self'; "
. "frame-src 'none'; "
. "font-src 'self'; "
. "connect-src *; "
. "style-src 'self' 'unsafe-inline'; "
. "script-src 'self' 'unsafe-inline'");
} else {
header("Content-Security-Policy: "
. "default-src 'self';"
. "object-src 'none'; "
. "img-src * data:; "
. "media-src 'self'; "
. "frame-src 'none'; "
. "font-src 'self'; "
. "connect-src *; "
. "style-src 'self' 'nonce-$SECURE_NONCE'; "
. "script-src 'self' 'nonce-$SECURE_NONCE'");
}
// //
// Composer // Composer
require __DIR__ . '/vendor/autoload.php'; require __DIR__ . '/vendor/autoload.php';
@ -32,7 +62,21 @@ require __DIR__ . '/lang/' . LANGUAGE . ".php";
* @param string $error error message * @param string $error error message
*/ */
function sendError($error) { function sendError($error) {
die("<!DOCTYPE html><html><head><title>Error</title></head><body><h1 style='color: red; font-family: sans-serif; font-size:100%;'>" . htmlspecialchars($error) . "</h1></body></html>"); global $SECURE_NONCE;
die("<!DOCTYPE html>"
. "<meta charset=\"UTF-8\">"
. "<meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">"
. "<title>Error</title>"
. "<style nonce=\"" . $SECURE_NONCE . "\">"
. "h1 {color: red; font-family: sans-serif; font-size: 20px; margin-bottom: 0px;} "
. "h2 {font-family: sans-serif; font-size: 16px;} "
. "p {font-family: monospace; font-size: 14px; width: 100%; wrap-style: break-word;} "
. "i {font-size: 12px;}"
. "</style>"
. "<h1>A fatal application error has occurred.</h1>"
. "<i>(This isn't your fault.)</i>"
. "<h2>Details:</h2>"
. "<p>". htmlspecialchars($error) . "</p>");
} }
date_default_timezone_set(TIMEZONE); date_default_timezone_set(TIMEZONE);

35
static/css/app.css
View File

@ -9,6 +9,41 @@
font-size: 110%; font-size: 110%;
} }
.navbar-brand img {
height: 35px;
padding-bottom: 12px;
padding-left: 5px;
}
.pad-75px {
height: 75px;
}
.mgn-btm-10px {
margin-bottom: 10px;
}
.mgn-top-8px {
margin-top: 8px;
}
.black-text {
color: black !important;
}
.center-text {
text-align: center;
}
#peoplelist-panel {
max-height: 700px;
overflow-y: scroll;
}
.inblock {
display: inline-block;
}
.footer { .footer {
margin-top: 10em; margin-top: 10em;
text-align: center; text-align: center;

5
static/js/export.js Normal file
View File

@ -0,0 +1,5 @@
$("#genrptbtn").click(function () {
setTimeout(function () {
window.location.reload();
}, 1000)
});

8
static/js/managers.js
View File

@ -95,10 +95,14 @@ function addPerson(p) {
}); });
return false; return false;
} }
$('#peoplelist').append("<div class=\"list-group-item\" data-user=\"" + p + "\">" + p + "<div onclick=\"removePerson('" + p + "')\" class=\"btn btn-danger btn-sm pull-right\"><i class=\"fa fa-trash-o\"></i></div><input type=\"hidden\" name=\"employees[]\" value=\"" + p + "\" /></div>"); $('#peoplelist').append("<div class=\"list-group-item\" data-user=\"" + p + "\">" + p + "<div class=\"btn btn-danger btn-sm pull-right rmperson\"><i class=\"fa fa-trash-o\"></i></div><input type=\"hidden\" name=\"employees[]\" value=\"" + p + "\" /></div>");
$("#people-box").val(""); $("#people-box").val("");
} }
function removePerson(p) { function removePerson(p) {
$("#peoplelist div[data-user=" + p + "]").remove(); $("#peoplelist div[data-user=" + p + "]").remove();
} }
$('#peoplelist').on("click", ".rmperson", function () {
removePerson($(this).parent().data("user"));
});

6
static/js/users.js
View File

@ -55,4 +55,8 @@ var usertable = $('#usertable').DataTable({
} }
}); });
$('#usertable_filter').append("<div class=\"checkbox\" style=\"display: inline-block\"><label><input type=\"checkbox\" id=\"show_deleted_checkbox\" onclick=\"usertable.ajax.reload()\"> " + lang_show_deleted + "</label></div>"); $('#usertable_filter').append("<div class=\"checkbox inblock\"><label><input type=\"checkbox\" id=\"show_deleted_checkbox\"> " + lang_show_deleted + "</label></div>");
$('#show_deleted_checkbox').click(function () {
usertable.ajax.reload();
});