fix some security issues + change username min length to 3

This commit is contained in:
xiaomlove
2022-12-08 20:43:33 +08:00
parent a0fb2c61d0
commit a39067021c
14 changed files with 83 additions and 50 deletions


@@ -40,7 +40,7 @@
"geoip2/geoip2": "~2.0",
"hashids/hashids": "^4.1",
"imdbphp/imdbphp": "^7.0",
"laravel/framework": "^9.0",
"laravel/framework": "9.20.0",
"laravel/octane": "^1.2",
"laravel/sanctum": "^2.10",
"laravel/tinker": "^2.5",


@@ -1,6 +1,6 @@
<?php
defined('VERSION_NUMBER') || define('VERSION_NUMBER', '1.7.32');
defined('RELEASE_DATE') || define('RELEASE_DATE', '2022-12-05');
defined('VERSION_NUMBER') || define('VERSION_NUMBER', '1.7.33');
defined('RELEASE_DATE') || define('RELEASE_DATE', '2022-12-08');
defined('IN_TRACKER') || define('IN_TRACKER', false);
defined('PROJECTNAME') || define("PROJECTNAME","NexusPHP");
defined('NEXUSPHPURL') || define("NEXUSPHPURL","https://nexusphp.org");


@@ -3929,7 +3929,7 @@ function validusername($username)
if (strpos($allowedchars, $username[$i]) === false)
return false;
if ($length < 4 || $length > 20) {
if ($length < 3 || $length > 20) {
return false;
}


@@ -12,18 +12,25 @@ if (!empty($_POST['setdealt'])) {
if (empty($_POST['delcheater'])) {
stderr("Error", $lang_functions['select_at_least_one_record']);
}
$res = sql_query ("SELECT id FROM cheaters WHERE dealtwith=0 AND id IN (" . implode(", ", $_POST['delcheater']) . ")");
while ($arr = mysql_fetch_assoc($res))
sql_query ("UPDATE cheaters SET dealtwith=1, dealtby = {$CURUSER['id']} WHERE id = {$arr['id']}") or sqlerr();
// $res = sql_query ("SELECT id FROM cheaters WHERE dealtwith=0 AND id IN (" . implode(", ", $_POST['delcheater']) . ")");
// while ($arr = mysql_fetch_assoc($res))
// sql_query ("UPDATE cheaters SET dealtwith=1, dealtby = {$CURUSER['id']} WHERE id = {$arr['id']}") or sqlerr();
\App\Models\Cheater::query()->whereIn('id', $_POST['delcheater'])
->where('dealtwith', 0)
->update(['dealtwith' => 1, 'dealtby' => $CURUSER['id']])
;
$Cache->delete_value('staff_new_cheater_count');
}
elseif (!empty($_POST['delete'])) {
if (empty($_POST['delcheater'])) {
stderr("Error", $lang_functions['select_at_least_one_record']);
}
$res = sql_query ("SELECT id FROM cheaters WHERE id IN (" . implode(", ", $_POST['delcheater']) . ")");
while ($arr = mysql_fetch_assoc($res))
sql_query ("DELETE from cheaters WHERE id = {$arr['id']}") or sqlerr();
// $res = sql_query ("SELECT id FROM cheaters WHERE id IN (" . implode(", ", $_POST['delcheater']) . ")");
// while ($arr = mysql_fetch_assoc($res))
// sql_query ("DELETE from cheaters WHERE id = {$arr['id']}") or sqlerr();
\App\Models\Cheater::query()->whereIn('id', $_POST['delcheater'])->delete();
$Cache->delete_value('staff_new_cheater_count');
}
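Review bot: `$_POST['delcheater']` is handed straight to the two `whereIn()` calls with no shape check; the bindings remove the old string-built `IN (...)` injection, but a scalar or nested-array submission from the form now surfaces as a `TypeError`/`InvalidArgumentException` from the query builder instead of a clean `stderr()`. Normalise it once before the branch, e.g. `$ids = array_map('intval', (array) $_POST['delcheater']);`, and use `$ids` in both the mark-dealt and delete queries. Whether this POST handler has CSRF protection is not visible in the hunk. The commented-out `sql_query` lines can simply be deleted now that the Eloquent version is in place.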


@@ -243,7 +243,7 @@ JS;
while($a = mysql_fetch_assoc($r))
{
$lang = "<tr><td class=\"embedded\"><img border=\"0\" src=\"pic/flag/". $a["flagpic"] . "\" alt=\"" . $a["lang_name"] . "\" title=\"" . $a["lang_name"] . "\" style=\"padding-bottom: 4px\" /></td>";
$lang .= "<td class=\"embedded\">&nbsp;&nbsp;<a href=\"downloadsubs.php?torrentid=".$a['torrent_id']."&subid=".$a['id']."\"><u>". $a["title"]. "</u></a>".(user_can('submanage') || (user_can('delownsub') && $a["uppedby"] == $CURUSER["id"]) ? " <font class=\"small\"><a href=\"subtitles.php?delete=".$a['id']."\">[".$lang_details['text_delete']."</a>]</font>" : "")."</td><td class=\"embedded\">&nbsp;&nbsp;".($a["anonymous"] == 'yes' ? $lang_details['text_anonymous'] . (user_can('viewanonymous') ? get_username($a['uppedby'],false,true,true,false,true) : "") : get_username($a['uppedby']))."</td></tr>";
$lang .= "<td class=\"embedded\">&nbsp;&nbsp;<a href=\"downloadsubs.php?torrentid=".$a['torrent_id']."&subid=".$a['id']."\"><u>". htmlspecialchars($a["title"]) . "</u></a>".(user_can('submanage') || (user_can('delownsub') && $a["uppedby"] == $CURUSER["id"]) ? " <font class=\"small\"><a href=\"subtitles.php?delete=".$a['id']."\">[".$lang_details['text_delete']."</a>]</font>" : "")."</td><td class=\"embedded\">&nbsp;&nbsp;".($a["anonymous"] == 'yes' ? $lang_details['text_anonymous'] . (user_can('viewanonymous') ? get_username($a['uppedby'],false,true,true,false,true) : "") : get_username($a['uppedby']))."</td></tr>";
print($lang);
}
}
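Review bot: Only `$a["title"]` is escaped in the rebuilt row; `$a["flagpic"]` and `$a["lang_name"]` still land unescaped in the `src`, `alt` and `title` attributes of the same `<img>`. If those language records can be edited through any staff form they need `htmlspecialchars()` too; if they are seed data only, a short comment saying so would make the omission deliberate rather than an oversight. The enclosing `while` loop starts before the hunk.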


@@ -376,9 +376,13 @@ if ($action == "post")
//------ Make sure sure user has write access in forum
$arr = get_forum_row($forumid) or die($lang_forums['std_bad_forum_id']);
if (get_user_class() < $arr["minclasswrite"] || ($type =='new' && get_user_class() < $arr["minclasscreate"]))
permissiondenied();
if (
get_user_class() < $arr["minclassread"]
|| get_user_class() < $arr["minclasswrite"]
|| ($type =='new' && get_user_class() < $arr["minclasscreate"])
) {
permissiondenied();
}
if ($body == "")
stderr($lang_forums['std_error'], $lang_forums['std_no_body_text']);
@@ -396,6 +400,12 @@ if ($action == "post")
if ($type == 'edit')
{
$postid = $id;
$topicInfo = \App\Models\Topic::query()->findOrFail($topicid);
$postInfo = \App\Models\Post::query()->findOrFail($id);
if ($postInfo->userid != $CURUSER['id'] && !is_forum_moderator($postid, 'post') && !user_can('postmanage')) {
permissiondenied();
}
if ($hassubject){
sql_query("UPDATE topics SET subject=".sqlesc($subject)." WHERE id=".sqlesc($topicid)) or sqlerr(__FILE__, __LINE__);
$forum_last_replied_topic_row = $Cache->get_value('forum_'.$forumid.'_last_replied_topic_content');
@@ -403,11 +413,8 @@ if ($action == "post")
$Cache->delete_value('forum_'.$forumid.'_last_replied_topic_content');
}
sql_query("UPDATE posts SET body=".sqlesc($body).", editdate=".sqlesc($date).", editedby=".sqlesc($CURUSER['id'])." WHERE id=".sqlesc($id)) or sqlerr(__FILE__, __LINE__);
$postid = $id;
$Cache->delete_value('post_'.$postid.'_content');
//send pm
$topicInfo = \App\Models\Topic::query()->findOrFail($topicid);
$postInfo = \App\Models\Post::query()->findOrFail($id);
$postUrl = sprintf('[url=forums.php?action=viewtopic&topicid=%s&page=p%s#pid%s]%s[/url]', $topicid, $id, $id, $topicInfo->subject);
if ($postInfo->userid != $CURUSER['id']) {
$receiver = $postInfo->user;
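Review bot: The new edit check verifies the post's owner, but nothing in the hunk ties `$id` to `$topicid` or `$forumid`; if all three arrive independently from the request, a user could pair a post they own with a more permissive forum id (the class checks above use `$forumid`) or rename a different topic through the `$hassubject` branch, which updates `topics` by `$topicid` alone. Unless that binding happens earlier in the file, add a consistency check right after the two `findOrFail()` calls, e.g. `if ($postInfo->topicid != $topicid || $topicInfo->forumid != $forumid) permissiondenied();` (column names presumed from the raw SQL elsewhere — confirm), and only permit the subject update when the post being edited is the topic's first post. The `$action == "post"` block starts and ends outside the hunk.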


@@ -8,6 +8,8 @@ if (!user_can('log'))
stderr($lang_log['std_sorry'],$lang_log['std_permission_denied_only'].get_user_class_name($log_class,false,true,true).$lang_log['std_or_above_can_view'],false);
}
$q = htmlspecialchars(trim($_GET['query'] ?? ''));
function permissiondeny(){
global $lang_log;
stderr($lang_log['std_sorry'],$lang_log['std_permission_denied'],false);
@@ -29,11 +31,11 @@ function logmenu($selected = "dailylog"){
}
function searchtable($title, $action, $opts = array()){
global $lang_log;
global $lang_log, $q;
print("<table border=1 cellspacing=0 width=940 cellpadding=5>\n");
print("<tr><td class=colhead align=left>".$title."</td></tr>\n");
print("<tr><td class=toolbox align=left><form method=\"get\" action='" . $_SERVER['REQUEST_URI'] . "'>\n");
print("<input type=\"text\" name=\"query\" style=\"width:500px\" value=\"".($_GET['query'] ?? '')."\">\n");
print("<input type=\"text\" name=\"query\" style=\"width:500px\" value=\"".$q."\">\n");
if ($opts) {
print($lang_log['text_in']."<select name=search>");
foreach($opts as $value => $text)
@@ -84,7 +86,7 @@ else {
case "dailylog":
stdhead($lang_log['head_site_log']);
$query = mysql_real_escape_string(trim($_GET["query"] ?? ''));
$query = mysql_real_escape_string($q);
$search = $_GET["search"] ?? '';
$addparam = "";
@@ -151,7 +153,7 @@ else {
break;
case "chronicle":
stdhead($lang_log['head_chronicle']);
$query = mysql_real_escape_string(trim($_GET["query"] ?? ''));
$query = mysql_real_escape_string($q);
if($query){
$wherea=" WHERE txt LIKE '%$query%' ";
$addparam = "query=".rawurlencode($query)."&";
@@ -222,7 +224,7 @@ else {
break;
case "funbox":
stdhead($lang_log['head_funbox']);
$query = mysql_real_escape_string(trim($_GET["query"] ?? ''));
$query = mysql_real_escape_string($q);
$search = $_GET["search"] ?? '';
if($query){
switch ($search){
@@ -267,7 +269,7 @@ else {
break;
case "news":
stdhead($lang_log['head_news']);
$query = mysql_real_escape_string(trim($_GET["query"] ?? ''));
$query = mysql_real_escape_string($q);
$search = $_GET["search"] ?? '';
if($query){
switch ($search){
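Review bot: `$q` is HTML-escaped once at the top and then fed to `mysql_real_escape_string()` for the `LIKE` patterns, so a search containing `&`, `<`, `>` or a quote now looks for the entity text (`&amp;`, `&quot;` …) and never matches the stored log line. Escape per context instead: keep `$q = trim($_GET['query'] ?? '');`, print `htmlspecialchars($q)` in `searchtable()`, and pass the raw `$q` to `mysql_real_escape_string()` in each case. The search form's `action` attribute still echoes `$_SERVER['REQUEST_URI']` unescaped, which is the same reflected-XSS shape this commit fixes elsewhere; wrap it in `htmlspecialchars()` as well.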


@@ -23,7 +23,7 @@ cur_user_check () ;
stdhead($lang_login['head_login']);
$s = "<select name=\"sitelanguage\" onchange='submit()'>\n";
$secret = htmlspecialchars($_GET['secret'] ?? '');
$langs = langlist("site_lang", true);
foreach ($langs as $row)
{
@@ -33,7 +33,7 @@ foreach ($langs as $row)
$s .= "\n</select>";
?>
<form method="get" action="<?php echo $_SERVER['REQUEST_URI'] ?>">
<input type="hidden" name="secret" value="<?php echo $_GET['secret'] ?? '' ?>">
<input type="hidden" name="secret" value="<?php echo $secret ?>">
<?php
print("<div align=\"right\">".$lang_login['text_select_lang']. $s . "</div>");
?>
@@ -50,7 +50,7 @@ if (!empty($_GET["returnto"])) {
}
?>
<form method="post" action="takelogin.php">
<input type="hidden" name="secret" value="<?php echo $_GET['secret'] ?? ''?>">
<input type="hidden" name="secret" value="<?php echo $secret?>">
<p><?php echo $lang_login['p_need_cookies_enables']?><br /> [<b><?php echo $maxloginattempts;?></b>] <?php echo $lang_login['p_fail_ban']?></p>
<p><?php echo $lang_login['p_you_have']?> <b><?php echo remaining ();?></b> <?php echo $lang_login['p_remaining_tries']?></p>
<table border="0" cellpadding="5">
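Review bot: `$secret` is now escaped, but the language-select form above it still writes `$_SERVER['REQUEST_URI']` raw into its `action` attribute; the request URI carries the client's query string verbatim, so a crafted link can close that attribute just as `secret` could before. Change it to `action="<?php echo htmlspecialchars($_SERVER['REQUEST_URI']) ?>"`. Note that `htmlspecialchars()` only escapes single quotes by default from PHP 8.1 onward; both hidden inputs here are double-quoted so that is fine, but any `'`-quoted attribute elsewhere would need `ENT_QUOTES` passed explicitly.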


@@ -29,7 +29,7 @@ for($i=1; $i<192; $i++) {
if ($count % 3==0)
print("\n<tr>");
print("\n\t<td class=\"lista\" align=\"center\"><a href=\"javascript: SmileIT('[em$i]','".$_GET["form"]."','".$_GET["text"]."')\"><img src=\"pic/smilies/$i.gif\" alt=\"\" ></a></td>");
print("\n\t<td class=\"lista\" align=\"center\"><a href=\"javascript: SmileIT('[em$i]','".htmlspecialchars($_GET["form"])."','".htmlspecialchars($_GET["text"])."')\"><img src=\"pic/smilies/$i.gif\" alt=\"\" ></a></td>");
$count++;
if ($count % 3==0)
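Review bot: `htmlspecialchars()` does not make `$_GET["form"]`/`$_GET["text"]` safe inside the `javascript:` href, because the browser HTML-decodes the attribute before executing it: `&#039;` (or a bare `'` on PHP < 8.1, where single quotes are not escaped by default) becomes `'` again and terminates the `SmileIT('…')` string literal, so a value such as `');alert(1);//` still executes. Since these are form and field names, validate them against a whitelist instead: `$form = preg_match('/^[A-Za-z0-9_]+$/', $_GET['form'] ?? '') ? $_GET['form'] : '';` (and the same for `$text`) computed once before the loop, then interpolate `$form`/`$text` in the print. The `for` loop starts before the hunk.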


@@ -34,7 +34,7 @@ foreach ($allStatus as $key => $value) {
}
print("<p>" . implode(' | ', $headerFilters) . "</p>");
$q = $_GET['q'] ?? '';
$q = htmlspecialchars($_GET['q'] ?? '');
$filterForm = <<<FORM
<form id="filterForm" action="{$_SERVER['REQUEST_URI']}" method="get">
<input id="q" type="text" name="q" value="{$q}" placeholder="{$lang_myhr['th_hr_id']}">
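Review bot: `$q` is HTML-escaped at the point of input, so if it is also used as the filter value further down (not visible here) an hr id containing `&` or a quote no longer matches; escape where it is printed instead, e.g. `$qEsc = htmlspecialchars($q);` and `value="{$qEsc}"` in the heredoc. The heredoc also writes `$_SERVER['REQUEST_URI']` unescaped into the form `action`, the same reflected-XSS shape this commit addresses in other files — pass it through `htmlspecialchars()` as well.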


@@ -19,23 +19,34 @@ if (empty($_POST["usernw"]) && empty($_POST["desact"]) && empty($_POST["delete"]
if (!empty($_POST["usernw"]))
{
$msg = sqlesc("Your Warning Has Been Removed By: " . $CURUSER['username'] . ".");
$added = sqlesc(date("Y-m-d H:i:s"));
$userid = implode(", ", $_POST['usernw']);
//sql_query("INSERT INTO messages (sender, receiver, msg, added) VALUES (0, $userid, $msg, $added)") or sqlerr(__FILE__, __LINE__);
//$msg = sqlesc("Your Warning Has Been Removed By: " . $CURUSER['username'] . ".");
//$added = sqlesc(date("Y-m-d H:i:s"));
//$userid = implode(", ", $_POST['usernw']);
////sql_query("INSERT INTO messages (sender, receiver, msg, added) VALUES (0, $userid, $msg, $added)") or sqlerr(__FILE__, __LINE__);
//
//$r = sql_query("SELECT modcomment FROM users WHERE id IN (" . implode(", ", $_POST['usernw']) . ")")or sqlerr(__FILE__, __LINE__);
//$user = mysql_fetch_array($r);
//$exmodcomment = $user["modcomment"];
//$modcomment = date("Y-m-d") . " - Warning Removed By " . $CURUSER['username'] . ".\n". $modcomment . $exmodcomment;
//sql_query("UPDATE users SET modcomment=" . sqlesc($modcomment) . " WHERE id IN (" . implode(", ", $_POST['usernw']) . ")") or sqlerr(__FILE__, __LINE__);
//
//$do="UPDATE users SET warned='no', warneduntil=null WHERE id IN (" . implode(", ", $_POST['usernw']) . ")";
//$res=sql_query($do);
$r = sql_query("SELECT modcomment FROM users WHERE id IN (" . implode(", ", $_POST['usernw']) . ")")or sqlerr(__FILE__, __LINE__);
$user = mysql_fetch_array($r);
$exmodcomment = $user["modcomment"];
$modcomment = date("Y-m-d") . " - Warning Removed By " . $CURUSER['username'] . ".\n". $modcomment . $exmodcomment;
sql_query("UPDATE users SET modcomment=" . sqlesc($modcomment) . " WHERE id IN (" . implode(", ", $_POST['usernw']) . ")") or sqlerr(__FILE__, __LINE__);
$do="UPDATE users SET warned='no', warneduntil=null WHERE id IN (" . implode(", ", $_POST['usernw']) . ")";
$res=sql_query($do);}
$modcomment = date("Y-m-d") . " - Warning Removed By " . $CURUSER['username'];
\App\Models\User::query()->whereIn('id', $_POST['usernw'])
->update([
'warned' => 'no',
'warneduntil' => null,
'modcomment' => \Nexus\Database\NexusDB::raw("if(modcomment = '', '$modcomment', concat_ws('\n', '$modcomment', modcomment))")
]);
}
if (!empty($_POST["desact"])){
$do="UPDATE users SET enabled='no' WHERE id IN (" . implode(", ", $_POST['desact']) . ")";
$res=sql_query($do);}
//$do="UPDATE users SET enabled='no' WHERE id IN (" . implode(", ", $_POST['desact']) . ")";
//$res=sql_query($do);
\App\Models\User::query()->whereIn('id', $_POST['desact'])->update(['enabled' => 'no']);
}
}
}
header("Refresh: 0; url=warned.php");
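Review bot: `$modcomment` is interpolated unquoted into the `NexusDB::raw()` expression and it contains `$CURUSER['username']`; the removed code ran the value through `sqlesc()`, the new code does not, so the statement is only safe if `validusername()` guarantees no quote or backslash can ever appear (not shown here). Build the literal with the helper the file already uses for `$msg`, i.e. `$modcomment = sqlesc(date("Y-m-d") . " - Warning Removed By " . $CURUSER['username']);` and then `NexusDB::raw("if(modcomment = '', $modcomment, concat_ws('\n', $modcomment, modcomment))")`. The two `whereIn()` calls also take `$_POST['usernw']`/`$_POST['desact']` unvalidated; `array_map('intval', (array) …)` keeps a non-array submission from throwing inside the query builder. The PM notification was already commented out before this change, so the user no longer receives any message when the warning is lifted — worth a comment if that is intended.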


@@ -5,12 +5,16 @@ require_once(get_langfile_path());
$id = isset($_POST['id']) ? intval($_POST['id']) : (isset($_GET['id']) ? intval($_GET['id']) : die());
int_check($id,true);
$email = unesc(htmlspecialchars(trim($_POST["email"])));
if(isset($_POST['conusr']))
sql_query("UPDATE users SET status = 'confirmed', editsecret = '' WHERE id IN (" . implode(", ", $_POST['conusr']) . ") AND status='pending'");
else
stderr($lang_takeconfirm['std_sorry'],$lang_takeconfirm['std_no_buddy_to_confirm'].
"<a class=altlink href=invite.php?id={$CURUSER['id']}>".$lang_takeconfirm['std_here_to_go_back'],false);
if(!empty($_POST['conusr'])) {
// sql_query("UPDATE users SET status = 'confirmed', editsecret = '' WHERE id IN (" . implode(", ", $_POST['conusr']) . ") AND status='pending'");
\App\Models\User::query()->whereIn('id', $_POST['conusr'])
->where('status', 'pending')
->update(['status' => 'confirmed', 'editsecret' => ''])
;
} else {
stderr($lang_takeconfirm['std_sorry'],$lang_takeconfirm['std_no_buddy_to_confirm'].
"<a class=altlink href=invite.php?id={$CURUSER['id']}>".$lang_takeconfirm['std_here_to_go_back'],false);
}
$title = $SITENAME.$lang_takeconfirm['mail_title'];
$baseUrl = getSchemeAndHttpHost();
$body = <<<EOD
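Review bot: The rewrite keeps the `status = 'pending'` guard, but nothing in the hunk restricts `$_POST['conusr']` to users invited by the caller — `$id` is range-checked and then never used in the query — so, unless an earlier check ties them together, any logged-in user can confirm arbitrary pending accounts by submitting their ids. Add a `->where()` on whatever column records the inviter, constrained to `$CURUSER['id']`, and cast the ids with `array_map('intval', (array) $_POST['conusr'])` before `whereIn()`. `$_POST["email"]` is also read without a null check, which warns under PHP 8 when the field is absent.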


@@ -2,7 +2,7 @@
require "../include/bittorrent.php";
$query = \App\Models\UserBanLog::query();
$q = $_REQUEST['q'] ?? '';
$q = htmlspecialchars($_REQUEST['q'] ?? '');
if (!empty($q)) {
$query->where('username', 'like', "%{$q}%");
}
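Review bot: `$q` is HTML-escaped before being used as the `LIKE` value, so a username containing `&`, `<`, `>` or a quote can no longer be found; the query builder binds the value, so the escaping buys nothing on the SQL side. Keep `$q = trim($_REQUEST['q'] ?? '');` for the query and apply `htmlspecialchars($q)` only where it is echoed back into the page. `%` and `_` in `$q` are also `LIKE` wildcards and should be escaped if an exact-substring search is intended.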


@@ -6,7 +6,9 @@ require_once(get_langfile_path('details.php'));
loggedinorreturn();
parked();
if (isset($_GET['id'])) {
$_GET['id'] = htmlspecialchars($_GET['id']);
}
$action = isset($_POST['action']) ? htmlspecialchars($_POST['action']) : (isset($_GET['action']) ? htmlspecialchars($_GET['action']) : '');
$allowed_actions = array("list", "new", "newmessage", "view", "edit", "takeedit", "takeadded", "res", "takeres", "addamount", "delete", "confirm", "message", "search");
if (!$action)
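Review bot: `htmlspecialchars()` is the wrong normalisation for `$_GET['id']`; if the id is later used as a numeric key in SQL or a lookup it should be cast — `$_GET['id'] = (int) $_GET['id'];` or the project's `int_check()` seen in takeconfirm.php — and escaped only where it is rendered. HTML-escaping here leaves `'` and backslash untouched on PHP < 8.1 and passes any non-numeric value straight through. How `id` is consumed is outside the hunk.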