From afb82c4072de796b5c452f73b3e0dbea527a29ca Mon Sep 17 00:00:00 2001 From: Skylar Ittner Date: Mon, 17 Dec 2018 19:06:57 -0700 Subject: [PATCH] Prevent loading public parts outside of index.php, remove unused code from requiredpublic.php --- lib/requiredpublic.php | 94 ++++------------------------------------- public/parts/entry.php | 4 ++ public/parts/renew.php | 4 ++ public/parts/signup.php | 8 +++- public/parts/thanks.php | 6 ++- public/parts/verify.php | 7 +-- 6 files changed, 31 insertions(+), 92 deletions(-) diff --git a/lib/requiredpublic.php b/lib/requiredpublic.php index 8f6fe5b..2bb771b 100644 --- a/lib/requiredpublic.php +++ b/lib/requiredpublic.php @@ -18,6 +18,13 @@ if (!DEBUG) { ini_set('display_errors', 'On'); } +$libs = glob(__DIR__ . "/*.lib.php"); +foreach ($libs as $lib) { + require_once $lib; +} + +$IN_SITE = true; + ini_set('session.gc_maxlifetime', 3600 * 2); session_set_cookie_params(0); 
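Review bot: `$IN_SITE = true;` makes the access gate a plain global variable, so the `empty($IN_SITE)` checks added in the entry.php, renew.php, signup.php and thanks.php hunks only hold when each part is included from global scope; included from inside a function or method, `$IN_SITE` is out of scope and every part dies, and a variable can also be clobbered by any later assignment. A constant is scope-independent and write-once: `define('IN_SITE', true);` here and `if (!defined('IN_SITE')) {` in the parts (the verify.php hunk already spells the name as a constant, so this also removes that inconsistency). Separately, `glob()` returns `false` on failure rather than an empty array, so the `foreach` should be fed `$libs = glob(__DIR__ . "/*.lib.php") ?: [];`. Note that the glob now requires every `*.lib.php` in lib/ on every public request, whether or not the page uses it.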
@@ -80,89 +87,4 @@ try { } catch (Exception $ex) { //header('HTTP/1.1 500 Internal Server Error'); sendError("Database error. Try again later. $ex"); -} - -function getdatabase() { - global $database; - return $database; -} - -function getsiteid() { - global $database; - if (isset($_GET['siteid'])) { - $id = preg_replace("/[^0-9]/", '', $_GET['siteid']); - if ($database->has('sites', ["siteid" => $id])) { - return $id; - } - } - $host = $_SERVER['HTTP_HOST']; - $args = $_SERVER['QUERY_STRING']; - $path = str_replace("?$args", "", $_SERVER['REQUEST_URI']); - $dir = str_replace("index.php", "", $path); - $sites = $database->select("sites", ["siteid", "url"], ["OR" => ["url[~]" => $host, "url" => $dir]]); - //var_dump($sites); - if (count($sites) == 1) { - return $sites[0]["siteid"]; - } - if (count($sites) > 1) { - //var_dump($sites); - //die(); - return $sites[0]['siteid']; - } - return $database->get("sites", "siteid"); -} - -function getpageslug() { - global $database; - if (isset($_GET['id'])) { - $id = $_GET['id']; - } else { - $id = "index"; - } - if ($database->has("pages", ["AND" => ["slug" => $id, "siteid" => getsiteid()]])) { - return $id; - } - return null; -} - -function getpageid() { - global $database; - if (isset($_GET['id'])) { - $id = $_GET['id']; - } else { - $id = "index"; - } - $siteid = getsiteid(); - if ($database->has("pages", ["AND" => ["slug" => $id, "siteid" => $siteid]])) { - return $database->get("pages", "pageid", ["AND" => ["slug" => $id, "siteid" => $siteid]]); - } - return null; -} - -function getpagetemplate() { - global $database; - $slug = getpageslug(); - if (isset($_GET['template'])) { - return preg_replace("/[^A-Za-z0-9]/", '', $_GET['template']); - } - if (!is_null($slug)) { - return $database->get("pages", "template", ["AND" => ["slug" => $slug, "siteid" => getsiteid()]]); - } - return "404"; -} - -function formatsiteurl($url) { - if (substr($url, 0) != "/") { - if (strpos($url, "http://") !== 0 && strpos($url, "https://") !== 
0) { - if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] == "off") { - $url = "http://$url"; - } else { - $url = "https://$url"; - } - } - } - if (substr($url, -1) != "/") { - $url = $url . "/"; - } - return $url; -} +} \ No newline at end of file diff --git a/public/parts/entry.php b/public/parts/entry.php index 79c7735..6c6e613 100644 --- a/public/parts/entry.php +++ b/public/parts/entry.php @@ -5,6 +5,10 @@ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +if (empty($IN_SITE)) { + die("Access denied."); +} + session_destroy(); ?>
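Review bot: `die("Access denied.")` answers a direct request to the part with HTTP 200 and a body, so the rejection is indistinguishable from a successful page in access logs and monitoring; the same applies to the guards in the renew.php, signup.php and thanks.php hunks. Send an explicit status before exiting: `http_response_code(403);` followed by `exit('Access denied.');`. Keeping the guard as the very first statement, ahead of `session_destroy()` here, is right since nothing else should run on a direct hit.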
diff --git a/public/parts/renew.php b/public/parts/renew.php index 5ada2f2..248b393 100644 --- a/public/parts/renew.php +++ b/public/parts/renew.php @@ -4,6 +4,10 @@ * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +if (empty($IN_SITE)) { + die("Access denied."); +} ?>
diff --git a/public/parts/signup.php b/public/parts/signup.php index f539ec8..5f9c7b1 100644 --- a/public/parts/signup.php +++ b/public/parts/signup.php @@ -5,6 +5,10 @@ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +if (empty($IN_SITE)) { + die("Access denied."); +} + $familyname = ""; $fathername = ""; $mothername = ""; @@ -40,8 +44,8 @@ if (isset($_SESSION['familyid']) && $database->has('families', ['familyid' => $_ // expired before we submitted the thing if (isset($_SESSION['familyid'])) { ?> - - +
diff --git a/public/parts/thanks.php b/public/parts/thanks.php index 3ef84ec..cf89925 100644 --- a/public/parts/thanks.php +++ b/public/parts/thanks.php @@ -4,6 +4,10 @@ * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +if (empty($IN_SITE)) { + die("Access denied."); +} ?>
@@ -23,7 +27,7 @@ echo "

Your membership has been submitted and paid for. We'll be in touch soon!

"; } ?> - +

You may now close this page.

diff --git a/public/parts/verify.php b/public/parts/verify.php index 2d294b6..e9daf1e 100644 --- a/public/parts/verify.php +++ b/public/parts/verify.php @@ -5,8 +5,9 @@ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ -require_once __DIR__ . "/../../lib/Email.lib.php"; - +if (empty(IN_SITE)) { + die("Access denied."); +} $badcode = false; if (!empty($_POST['email'])) { if (!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) { @@ -20,7 +21,7 @@ if (!empty($_POST['email'])) { $code = mt_rand(100000, 999999); $_SESSION['code'] = $code; - $_SESSION['maybefamily'] = $database->get('families', 'familyid', ['email' => strtolower($_POST['email'])]); + $_SESSION['maybefamily'] = $familyid; try { $verification = new Email();
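Review bot: `if (empty(IN_SITE)) {` tests the constant `IN_SITE`, not the `$IN_SITE` variable that this patch sets in lib/requiredpublic.php and that the other parts check. On PHP 7 an undefined constant degrades to the string `"IN_SITE"` with a warning, so `empty()` is false and a direct request to verify.php is never denied; on PHP 8 it throws an `Error`, so the part fails even when included from index.php. Change it to `if (empty($IN_SITE)) {` to match the other parts, or define the flag as a constant everywhere.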
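Review bot: `$_SESSION['maybefamily'] = $familyid;` stores a variable that is not assigned anywhere in this hunk; the replaced line looked the family up by the lowercased posted email, so `$familyid` presumably comes from a lookup between the two hunks — confirm it is assigned on every path that reaches this line, otherwise an undefined or stale value is written into the session. While touching this block, the verification code two lines above is drawn from `mt_rand()`, which is not a cryptographic source; `$code = random_int(100000, 999999);` is the drop-in replacement for a value the user must prove knowledge of. The enclosing `if (!empty($_POST['email']))` block appears to start outside this hunk.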