author | msquare <msquare@notrademark.de> | 2016-09-29 11:28:42 +0200 |
---|---|---|
committer | msquare <msquare@notrademark.de> | 2016-09-29 11:28:42 +0200 |
commit | 4c288e957ec4340af93f980c65eecea6d3a789f4 (patch) | |
tree | a438607b5a1974e86a7fdd6f5da50db6e5356c1c | |
parent | e965f8d04150fbd17ee1b5fcbca5ae85bbe6d6bd (diff) |
prohibit inline control structures on includes and index
-rw-r--r-- | includes/engelsystem_provider.php | 3 | ||||
-rw-r--r-- | includes/mysqli_provider.php | 43 | ||||
-rw-r--r-- | includes/sys_auth.php | 48 | ||||
-rw-r--r-- | includes/sys_menu.php | 69 | ||||
-rw-r--r-- | includes/sys_page.php | 9 | ||||
-rw-r--r-- | includes/sys_template.php | 66 | ||||
-rw-r--r-- | public/index.php | 12 |
7 files changed, 150 insertions, 100 deletions
diff --git a/includes/engelsystem_provider.php b/includes/engelsystem_provider.php
index d0f1cbff..84a73275 100644
--- a/includes/engelsystem_provider.php
+++ b/includes/engelsystem_provider.php
@@ -54,8 +54,9 @@ require_once realpath(__DIR__ . '/../includes/mailer/shifts_mailer.php');
 require_once realpath(__DIR__ . '/../includes/mailer/users_mailer.php');
 require_once realpath(__DIR__ . '/../config/config.default.php');
-if (file_exists(realpath(__DIR__ . '/../config/config.php')))
+if (file_exists(realpath(__DIR__ . '/../config/config.php'))) {
 require_once realpath(__DIR__ . '/../config/config.php');
+}
 if ($maintenance_mode) {
 echo file_get_contents(__DIR__ . '/../public/maintenance.html');
diff --git a/includes/mysqli_provider.php b/includes/mysqli_provider.php
index 7197b95a..0315c0f1 100644
--- a/includes/mysqli_provider.php
+++ b/includes/mysqli_provider.php
@@ -22,10 +22,11 @@ function sql_null($value = null) {
 function sql_transaction_start() {
 global $sql_nested_transaction_level;
- if ($sql_nested_transaction_level ++ == 0)
+ if ($sql_nested_transaction_level ++ == 0) {
 return sql_query("BEGIN");
- else
- return true;
+ }
+
+ return true;
 }
 /**
@@ -34,10 +35,11 @@ function sql_transaction_start() {
 function sql_transaction_commit() {
 global $sql_nested_transaction_level;
- if (-- $sql_nested_transaction_level == 0)
+ if (-- $sql_nested_transaction_level == 0) {
 return sql_query("COMMIT");
- else
- return true;
+ }
+
+ return true;
 }
 /**
@@ -46,10 +48,11 @@ function sql_transaction_commit() {
 function sql_transaction_rollback() {
 global $sql_nested_transaction_level;
- if (-- $sql_nested_transaction_level == 0)
+ if (-- $sql_nested_transaction_level == 0) {
 return sql_query("ROLLBACK");
- else
+ } else {
 return true;
+ }
 }
 /**
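Review bot: sql_transaction_rollback still succeeds silently when called inside a nested transaction: with `$sql_nested_transaction_level` above zero it returns true without sending anything, and the outer sql_transaction_commit in the hunk above then issues COMMIT, so the inner failure ends up committed rather than rolled back. The new code also keeps the `else` branch here while the two sibling functions drop it, which is worth aligning. If nesting is meant to be supported, the rollback should record the failure (a module-level flag set here and checked by sql_transaction_commit so it sends ROLLBACK instead of COMMIT); that is more than a brace change, so I'd split it out of this formatting commit. Whether any caller actually nests transactions is not visible from the diff.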
@@ -92,12 +95,14 @@ function sql_connect($host, $user, $pass, $db) {
 }
 $result = $sql_connection->query("SET CHARACTER SET utf8;");
- if (! $result)
+ if (! $result) {
 return sql_error("Unable to set utf8 character set (" . $sql_connection->errno . ") " . $sql_connection->error);
+ }
 $result = $sql_connection->set_charset('utf8');
- if (! $result)
+ if (! $result) {
 return sql_error("Unable to set utf8 names (" . $sql_connection->errno . ") " . $sql_connection->error);
+ }
 return $sql_connection;
 }
@@ -111,8 +116,9 @@ function sql_connect($host, $user, $pass, $db) {
 */
 function sql_select_db($db_name) {
 global $sql_connection;
- if (! $sql_connection->select_db($db_name))
+ if (! $sql_connection->select_db($db_name)) {
 return sql_error("No database selected.");
+ }
 return true;
 }
@@ -127,12 +133,14 @@ function sql_select($query) {
 $result = $sql_connection->query($query);
 if ($result) {
- $data = array();
- while ($line = $result->fetch_assoc())
+ $data = [];
+ while ($line = $result->fetch_assoc()) {
 array_push($data, $line);
+ }
 return $data;
- } else
- return sql_error("MySQL-query error: " . $query . " (" . $sql_connection->errno . ") " . $sql_connection->error);
+ }
+
+ return sql_error("MySQL-query error: " . $query . " (" . $sql_connection->errno . ") " . $sql_connection->error);
 }
 /**
@@ -147,8 +155,9 @@ function sql_query($query) {
 $result = $sql_connection->query($query);
 if ($result) {
 return $result;
- } else
- return sql_error("MySQL-query error: " . $query . " (" . $sql_connection->errno . ") " . $sql_connection->error);
+ }
+
+ return sql_error("MySQL-query error: " . $query . " (" . $sql_connection->errno . ") " . $sql_connection->error);
 }
 /**
diff --git a/includes/sys_auth.php b/includes/sys_auth.php
index d4f35fa6..39f4d4b0 100644
--- a/includes/sys_auth.php
+++ b/includes/sys_auth.php
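Review bot: The error path of sql_select and sql_query embeds the full SQL text in the message handed to sql_error (`"MySQL-query error: " . $query . " (" ...`); whether sql_error prints that to the browser or only logs it is not visible here, but if it reaches the response it discloses table layout and escaped user-supplied values on every failed query. I'd keep the query text in the log only and pass a generic message back to the caller. Minor: `array_push($data, $line)` in sql_select reads more directly as `$data[] = $line;`.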
@@ -1,49 +1,59 @@
 <?php
-// Testet ob ein User eingeloggt ist und lädt die entsprechenden Privilegien
+/**
+ * Testet ob ein User eingeloggt ist und lädt die entsprechenden Privilegien
+ */
 function load_auth() {
 global $user, $privileges;
-
+
 $user = null;
 if (isset($_SESSION['uid'])) {
 $user = sql_select("SELECT * FROM `User` WHERE `UID`='" . sql_escape($_SESSION['uid']) . "' LIMIT 1");
 if (count($user) > 0) {
 // User ist eingeloggt, Datensatz zur Verfügung stellen und Timestamp updaten
- list ($user) = $user;
+ list($user) = $user;
 sql_query("UPDATE `User` SET " . "`lastLogIn` = '" . time() . "'" . " WHERE `UID` = '" . sql_escape($_SESSION['uid']) . "' LIMIT 1;");
- } else
+ } else {
 unset($_SESSION['uid']);
+ }
 }
-
+
 $privileges = isset($user) ? privileges_for_user($user['UID']) : privileges_for_group(- 1);
 }
-// generate a salt (random string) of arbitrary length suitable for the use with crypt()
+/**
+ * generate a salt (random string) of arbitrary length suitable for the use with crypt()
+ */
 function generate_salt($length = 16) {
 $alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
 $salt = "";
- for($i = 0; $i < $length; $i ++) {
+ for ($i = 0; $i < $length; $i ++) {
 $salt .= $alphabet[rand(0, strlen($alphabet) - 1)];
 }
 return $salt;
 }
-// set the password of a user
+/**
+ * set the password of a user
+ */
 function set_password($uid, $password) {
 return sql_query("UPDATE `User` SET `Passwort` = '" . sql_escape(crypt($password, CRYPT_ALG . '$' . generate_salt(16) . '$')) . "', `password_recovery_token`=NULL WHERE `UID` = " . intval($uid) . " LIMIT 1");
 }
-// verify a password given a precomputed salt.
-// if $uid is given and $salt is an old-style salt (plain md5), we convert it automatically
+/**
+ * verify a password given a precomputed salt.
+ * if $uid is given and $salt is an old-style salt (plain md5), we convert it automatically
+ */
 function verify_password($password, $salt, $uid = false) {
 $correct = false;
- if (substr($salt, 0, 1) == '$') // new-style crypt()
+ if (substr($salt, 0, 1) == '$') { // new-style crypt()
 $correct = crypt($password, $salt) == $salt;
- elseif (substr($salt, 0, 7) == '{crypt}') // old-style crypt() with DES and static salt - not used anymore
+ } elseif (substr($salt, 0, 7) == '{crypt}') { // old-style crypt() with DES and static salt - not used anymore
 $correct = crypt($password, '77') == $salt;
- elseif (strlen($salt) == 32) // old-style md5 without salt - not used anymore
+ } elseif (strlen($salt) == 32) { // old-style md5 without salt - not used anymore
 $correct = md5($password) == $salt;
-
+ }
+
 if ($correct && substr($salt, 0, strlen(CRYPT_ALG)) != CRYPT_ALG && $uid) {
 // this password is stored in another format than we want it to be.
 // let's update it!
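Review bot: verify_password compares hash strings with `==` in all three branches (`crypt($password, $salt) == $salt`, `crypt($password, '77') == $salt`, `md5($password) == $salt`); PHP's loose comparison treats numeric-looking strings numerically, so two different digests of the form `0e...` compare equal, and the comparison is not constant-time. `hash_equals($salt, crypt($password, $salt))` (and the same shape for the other two branches) fixes both and is available since PHP 5.6. In the same hunk generate_salt draws salt characters with `rand()`, which is not a cryptographic source; `random_int(0, strlen($alphabet) - 1)` is the drop-in replacement on PHP 7. verify_password continues past the end of this hunk.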
@@ -54,18 +64,20 @@ function verify_password($password, $salt, $uid = false) {
 }
 function privileges_for_user($user_id) {
- $privileges = array ();
+ $privileges = [];
 $user_privs = sql_select("SELECT `Privileges`.`name` FROM `User` JOIN `UserGroups` ON (`User`.`UID` = `UserGroups`.`uid`) JOIN `GroupPrivileges` ON (`UserGroups`.`group_id` = `GroupPrivileges`.`group_id`) JOIN `Privileges` ON (`GroupPrivileges`.`privilege_id` = `Privileges`.`id`) WHERE `User`.`UID`='" . sql_escape($user_id) . "'");
- foreach ($user_privs as $user_priv)
+ foreach ($user_privs as $user_priv) {
 $privileges[] = $user_priv['name'];
+ }
 return $privileges;
 }
 function privileges_for_group($group_id) {
- $privileges = array ();
+ $privileges = [];
 $groups_privs = sql_select("SELECT * FROM `GroupPrivileges` JOIN `Privileges` ON (`GroupPrivileges`.`privilege_id` = `Privileges`.`id`) WHERE `group_id`='" . sql_escape($group_id) . "'");
- foreach ($groups_privs as $guest_priv)
+ foreach ($groups_privs as $guest_priv) {
 $privileges[] = $guest_priv['name'];
+ }
 return $privileges;
 }
 ?>
diff --git a/includes/sys_menu.php b/includes/sys_menu.php
index c6e916b4..6896194a 100644
--- a/includes/sys_menu.php
+++ b/includes/sys_menu.php
@@ -1,8 +1,9 @@
 <?php
 function page_link_to($page) {
- if ($page == "")
+ if ($page == "") {
 return '?';
+ }
 return '?p=' . $page;
 }
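Review bot: sys_auth.php keeps a closing `?>` as its last line (the context line just before the sys_menu.php header), and public/index.php ends the same way in the last hunk of this diff; any whitespace after that tag is emitted as output, which can break later header() and session calls in files that only declare functions. Since this commit is already a style pass, I'd drop the closing tag in both files. privileges_for_user and privileges_for_group are complete within the hunk.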
@@ -18,17 +19,21 @@ function header_toolbar() {
 $toolbar_items = array();
- if (isset($user))
+ if (isset($user)) {
 $toolbar_items[] = toolbar_item_link(page_link_to('shifts') . '&action=next', 'time', User_shift_state_render($user));
+ }
- if (! isset($user) && in_array('register', $privileges))
+ if (! isset($user) && in_array('register', $privileges)) {
 $toolbar_items[] = toolbar_item_link(page_link_to('register'), 'plus', register_title(), $p == 'register');
+ }
- if (in_array('login', $privileges))
+ if (in_array('login', $privileges)) {
 $toolbar_items[] = toolbar_item_link(page_link_to('login'), 'log-in', login_title(), $p == 'login');
+ }
- if (isset($user) && in_array('user_messages', $privileges))
+ if (isset($user) && in_array('user_messages', $privileges)) {
 $toolbar_items[] = toolbar_item_link(page_link_to('user_messages'), 'envelope', user_unread_messages());
+ }
 $hints = [];
 if (isset($user)) {
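Review bot: `$toolbar_items = array();` on the first context line keeps the long array syntax while every other hunk in this commit converts `array()` to `[]`; `$toolbar_items = [];` would make the file consistent with the `$hints = [];` line a few lines down. The `in_array(..., $privileges)` checks also omit the strict flag; `in_array('login', $privileges, true)` avoids loose string comparison. header_toolbar starts before this hunk.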
@@ -37,20 +42,24 @@ function header_toolbar() {
 // Erzengel Hinweis für unbeantwortete Fragen
 if ($p != "admin_questions") {
 $new_questions = admin_new_questions();
- if ($new_questions != "")
+ if ($new_questions != "") {
 $hints[] = $new_questions;
+ }
 }
 $unconfirmed_hint = user_angeltypes_unconfirmed_hint();
- if ($unconfirmed_hint != '')
+ if ($unconfirmed_hint != '') {
 $hints[] = $unconfirmed_hint;
+ }
- if (! isset($user['planned_departure_date']) || $user['planned_departure_date'] == null)
+ if (! isset($user['planned_departure_date']) || $user['planned_departure_date'] == null) {
 $hints[] = info(_("Please enter your planned date of departure on your settings page to give us a feeling for teardown capacities."), true);
+ }
 $driver_license_required = user_driver_license_required_hint();
- if ($driver_license_required != '')
+ if ($driver_license_required != '') {
 $hints[] = $driver_license_required;
+ }
 if (User_is_freeloader($user)) {
 $hints[] = error(sprintf(_("You freeloaded at least %s shifts. Shift signup is locked. Please go to heavens desk to be unlocked again."), $max_freeloadable_shifts), true);
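Review bot: The departure-date condition `! isset($user['planned_departure_date']) || $user['planned_departure_date'] == null` is redundant and loose: isset already rules out null, so the second operand only contributes the loose `== null` matches (`''`, `'0'`, `0`, `false`). If the intent is "nothing entered yet", `if (empty($user['planned_departure_date']))` states that directly; if only an empty string should trigger the hint, compare with `=== ''`. header_toolbar starts and ends outside this hunk.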
@@ -77,22 +86,27 @@ function header_toolbar() {
 $glyphicon = 'warning-sign';
 }
 }
- if (count($hints) > 0)
+ if (count($hints) > 0) {
 $toolbar_items[] = toolbar_popover($glyphicon . ' text-' . $hint_class, '', $hints, 'bg-' . $hint_class);
+ }
 $user_submenu = make_langselect();
 $user_submenu[] = toolbar_item_divider();
- if (in_array('user_myshifts', $privileges))
+ if (in_array('user_myshifts', $privileges)) {
 $toolbar_items[] = toolbar_item_link(page_link_to('users') . '&action=view', ' icon-icon_angel', $user['Nick'], $p == 'users');
+ }
- if (in_array('user_settings', $privileges))
+ if (in_array('user_settings', $privileges)) {
 $user_submenu[] = toolbar_item_link(page_link_to('user_settings'), 'list-alt', settings_title(), $p == 'user_settings');
+ }
- if (in_array('logout', $privileges))
+ if (in_array('logout', $privileges)) {
 $user_submenu[] = toolbar_item_link(page_link_to('logout'), 'log-out', logout_title(), $p == 'logout');
+ }
- if (count($user_submenu) > 0)
+ if (count($user_submenu) > 0) {
 $toolbar_items[] = toolbar_dropdown('', '', $user_submenu);
+ }
 return toolbar($toolbar_items, true);
 }
@@ -100,21 +114,23 @@ function header_toolbar() {
 function make_navigation() {
 global $p, $privileges;
- $menu = array();
- $pages = array(
+ $menu = [];
+ $pages = [
 "news" => news_title(),
 "user_meetings" => meetings_title(),
 "user_shifts" => shifts_title(),
 "angeltypes" => angeltypes_title(),
 "user_questions" => questions_title()
- );
+ ];
- foreach ($pages as $page => $title)
- if (in_array($page, $privileges))
+ foreach ($pages as $page => $title) {
+ if (in_array($page, $privileges)) {
 $menu[] = toolbar_item_link(page_link_to($page), '', $title, $page == $p);
+ }
+ }
- $admin_menu = array();
- $admin_pages = array(
+ $admin_menu = [];
+ $admin_pages = [
 "admin_arrive" => admin_arrive_title(),
 "admin_active" => admin_active_title(),
 "admin_user" => admin_user_title(),
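Review bot: `if (count($user_submenu) > 0)` in the header_toolbar hunk can never be false: `$user_submenu[] = toolbar_item_divider();` runs unconditionally a few lines earlier, so the submenu always holds at least the divider and the dropdown is always rendered. Either drop the check or append the divider only when an entry follows it, so that an empty submenu is actually possible. In make_navigation (the second hunk) `in_array($page, $privileges)` would be safer as `in_array($page, $privileges, true)`. Both functions extend beyond their hunks.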
@@ -127,14 +143,17 @@ function make_navigation() {
 "admin_import" => admin_import_title(),
 "admin_log" => admin_log_title(),
 "admin_event_config" => event_config_title()
- );
+ ];
- foreach ($admin_pages as $page => $title)
- if (in_array($page, $privileges))
+ foreach ($admin_pages as $page => $title) {
+ if (in_array($page, $privileges)) {
 $admin_menu[] = toolbar_item_link(page_link_to($page), '', $title, $page == $p);
+ }
+ }
- if (count($admin_menu) > 0)
+ if (count($admin_menu) > 0) {
 $menu[] = toolbar_dropdown('', _("Admin"), $admin_menu);
+ }
 return toolbar($menu);
 }
diff --git a/includes/sys_page.php b/includes/sys_page.php
index cbc18db8..6b71eb15 100644
--- a/includes/sys_page.php
+++ b/includes/sys_page.php
@@ -31,8 +31,9 @@ function raw_output($output) {
 * @return ValidationResult containing the parsed date
 */
 function check_request_date($name, $error_message = null, $null_allowed = false) {
- if (! isset($_REQUEST[$name]))
+ if (! isset($_REQUEST[$name])) {
 return new ValidationResult($null_allowed, null);
+ }
 return check_date($_REQUEST[$name], $error_message, $null_allowed);
 }
@@ -49,10 +50,12 @@ function check_request_date($name, $error_message = null, $null_allowed = false)
 * @return ValidationResult containing the parsed date
 */
 function check_date($input, $error_message = null, $null_allowed = false) {
- if (DateTime::createFromFormat("Y-m-d", trim($input)))
+ if (DateTime::createFromFormat("Y-m-d", trim($input))) {
 return new ValidationResult(true, DateTime::createFromFormat("Y-m-d", trim($input))->getTimestamp());
- if ($null_allowed)
+ }
+ if ($null_allowed) {
 return new ValidationResult(true, null);
+ }
 error($error_message);
 return new ValidationResult(false, null);
diff --git a/includes/sys_template.php b/includes/sys_template.php
index 112bb483..23f4b77b 100644
--- a/includes/sys_template.php
+++ b/includes/sys_template.php
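Review bot: check_date parses the input twice, `DateTime::createFromFormat("Y-m-d", trim($input))` in the condition and again in the return; parse once and keep the result, `$date = DateTime::createFromFormat('Y-m-d', trim($input)); if ($date !== false) { return new ValidationResult(true, $date->getTimestamp()); }`. createFromFormat also accepts overflowing dates such as `2016-02-31` by rolling them forward, so checking the warning count from `DateTime::getLastErrors()` would be needed to reject those. Since check_request_date in the hunk above hands `$_REQUEST[$name]` straight through, a non-string (array) request value would reach trim() here; whether callers can receive such input is not visible in the diff.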
@@ -179,19 +179,10 @@ function form_date($name, $label, $value, $start_date = '') {
 */
 function form_checkboxes($name, $label, $items, $selected) {
 $html = form_element($label, '');
- foreach ($items as $key => $item)
- $html .= form_checkbox($name . '_' . $key, $item, array_search($key, $selected) !== false);
-
- return $html;
-
- $html = "<ul>";
 foreach ($items as $key => $item) {
- $id = $name . '_' . $key;
- $sel = array_search($key, $selected) !== false ? ' checked="checked"' : "";
- $html .= '<li><input type="checkbox" id="' . $id . '" name="' . $id . '" value="checked"' . $sel . ' /><label for="' . $id . '">' . $item . '</label></li>';
+ $html .= form_checkbox($name . '_' . $key, $item, array_search($key, $selected) !== false);
 }
- $html .= "</ul>";
- return form_element($label, $html);
+ return $html;
 }
 /**
@@ -210,16 +201,18 @@ function form_checkboxes($name, $label, $items, $selected) {
 */
 function form_multi_checkboxes($names, $label, $items, $selected, $disabled = array()) {
 $html = "<table><thead><tr>";
- foreach ($names as $title)
+ foreach ($names as $title) {
 $html .= "<th>$title</th>";
+ }
 $html .= "</tr></thead><tbody>";
 foreach ($items as $key => $item) {
 $html .= "<tr>";
 foreach ($names as $name => $title) {
 $id = $name . '_' . $key;
 $sel = array_search($key, $selected[$name]) !== false ? ' checked="checked"' : "";
- if (! empty($disabled) && ! empty($disabled[$name]) && array_search($key, $disabled[$name]) !== false)
+ if (! empty($disabled) && ! empty($disabled[$name]) && array_search($key, $disabled[$name]) !== false) {
 $sel .= ' disabled="disabled"';
+ }
 $html .= '<td style="text-align: center;"><input type="checkbox" id="' . $id . '" name="' . $name . '[]" value="' . $key . '"' . $sel . ' /></td>';
 }
 $html .= '<td><label for="' . $id . '">' . $item . '</label></td></tr>';
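Review bot: form_multi_checkboxes writes `$title`, `$name`, `$key` and `$item` straight into HTML (`"<th>$title</th>"`, `id="' . $id . '"`, `value="' . $key . '"`) without htmlspecialchars; whether any of these values can be user-controlled is not visible here, but if one is, this is where it would need escaping, e.g. `htmlspecialchars($key, ENT_QUOTES)` at the point of output. In both hunks of this file section the membership test `array_search($key, $selected) !== false` is loose; `in_array($key, $selected, true)` is shorter and strict. The `$id` used in the trailing `<label for=...>` is whatever the inner loop assigned last, which looks unintended but predates this change; also `$disabled = array()` in the signature keeps the long syntax the commit replaces elsewhere.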
@@ -246,10 +239,12 @@ function form_radio($name, $label, $selected, $value) {
 * Rendert einen Infotext in das Formular
 */
 function form_info($label, $text = "") {
- if ($label == "")
+ if ($label == "") {
 return '<span class="help-block">' . glyph('info-sign') . $text . '</span>';
- if ($text == "")
+ }
+ if ($text == "") {
 return '<h4>' . $label . '</h4>';
+ }
 return form_element($label, '<p class="form-control-static">' . $text . '</p>', '');
 }
@@ -312,9 +307,9 @@ function form_select($name, $label, $values, $selected) {
 function form_element($label, $input, $for = "") {
 if ($label == '') {
 return '<div class="form-group">' . $input . '</div>';
- } else {
- return '<div class="form-group">' . '<label for="' . $for . '">' . $label . '</label>' . $input . '</div>';
 }
+
+ return '<div class="form-group">' . '<label for="' . $for . '">' . $label . '</label>' . $input . '</div>';
 }
 /**
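Review bot: form_info and form_element test for an empty label with loose comparison (`$label == ""`, `$label == ''`); on PHP 7 an integer `0` compares equal to the empty string, so such a label would silently be treated as absent. `if ($label === '')` (and `$text === ''`) pins the intent. In form_element the `'<div class="form-group">' . '<label for="'` literal-to-literal concatenation can simply be one string. Both functions are complete within their hunks.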
@@ -346,34 +341,40 @@ function page_with_title($title, $elements) {
 function table($columns, $rows_raw, $data = true) {
 // If only one column is given
 if (! is_array($columns)) {
- $columns = array(
+ $columns = [
 'col' => $columns
- );
+ ];
- $rows = array();
+ $rows = [];
 foreach ($rows_raw as $row)
- $rows[] = array(
+ $rows[] = [
 'col' => $row
- );
- } else
+ ];
+ } else {
 $rows = $rows_raw;
+ }
- if (count($rows) == 0)
+ if (count($rows) == 0) {
 return info(_("No data found."), true);
+ }
+
 $html = "";
 $html .= '<table class="table table-striped' . ($data ? ' data' : '') . '">';
 $html .= '<thead><tr>';
- foreach ($columns as $key => $column)
+ foreach ($columns as $key => $column) {
 $html .= '<th class="column_' . $key . '">' . $column . '</th>';
+ }
 $html .= '</tr></thead>';
 $html .= '<tbody>';
 foreach ($rows as $row) {
 $html .= '<tr>';
- foreach ($columns as $key => $column)
- if (isset($row[$key]))
+ foreach ($columns as $key => $column) {
+ if (isset($row[$key])) {
 $html .= '<td class="column_' . $key . '">' . $row[$key] . '</td>';
- else
+ } else {
 $html .= '<td class="column_' . $key . '"> </td>';
+ }
+ }
 $html .= '</tr>';
 }
 $html .= '</tbody>';
@@ -410,10 +411,11 @@ function table_buttons($buttons = array()) {
 function template_render($file, $data) {
 if (file_exists($file)) {
 $template = file_get_contents($file);
- if (is_array($data))
+ if (is_array($data)) {
 foreach ($data as $name => $content) {
 $template = str_replace("%" . $name . "%", $content, $template);
 }
+ }
 return $template;
 }
 engelsystem_error("Cannot find template file «" . $file . "».");
@@ -430,8 +432,9 @@ function table_body($array) {
 foreach ($array as $line) {
 $html .= "<tr>";
 if (is_array($line)) {
- foreach ($line as $td)
+ foreach ($line as $td) {
 $html .= "<td>" . $td . "</td>";
+ }
 } else {
 $html .= "<td>" . $line . "</td>";
 }
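Review bot: `foreach ($rows_raw as $row)` in table() still has no braces even though its body was edited in this hunk to turn `array(` into `[`, which is exactly the inline control structure the commit title says it prohibits; it should become `foreach ($rows_raw as $row) {` with a closing `}` after the `];`. In the template_render hunk the replacements run one after another, so a `$content` value that itself contains a `%name%` token of a later key is substituted a second time; `strtr($template, $pairs)` with a prebuilt `'%name%' => $content` map does all replacements in one pass. table() begins and ends outside the hunk.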
@@ -442,8 +445,9 @@ function table_body($array) {
 function html_options($name, $options, $selected = "") {
 $html = "";
- foreach ($options as $value => $label)
+ foreach ($options as $value => $label) {
 $html .= '<input type="radio"' . ($value == $selected ? ' checked="checked"' : '') . ' name="' . $name . '" value="' . $value . '"> ' . $label;
+ }
 return $html;
 }
diff --git a/public/index.php b/public/index.php
index 7915e8a6..51c8e7eb 100644
--- a/public/index.php
+++ b/public/index.php
@@ -1,7 +1,7 @@
 <?php
 require_once realpath(__DIR__ . '/../includes/engelsystem_provider.php');
-$free_pages = array(
+$free_pages = [
 'admin_event_config',
 'angeltypes',
 'api',
@@ -16,12 +16,14 @@ $free_pages = array(
 'users',
 'user_driver_licenses',
 'user_password_recovery'
-);
+];
 // Gewünschte Seite/Funktion
 $p = "";
-if (! isset($_REQUEST['p']))
+if (! isset($_REQUEST['p'])) {
 $_REQUEST['p'] = isset($user) ? "news" : "login";
+}
+
 if (isset($_REQUEST['p']) && preg_match("/^[a-z0-9_]*$/i", $_REQUEST['p']) && (in_array($_REQUEST['p'], $free_pages) || in_array($_REQUEST['p'], $privileges))) {
 $p = $_REQUEST['p'];
@@ -160,7 +162,7 @@ if ($event_config === false) {
 engelsystem_error("Unable to load event config.");
 }
-echo template_render('../templates/layout.html', array(
+echo template_render('../templates/layout.html', [
 'theme' => isset($user) ? $user['color'] : $default_theme,
 'title' => $title,
 'atom_link' => ($p == 'news' || $p == 'user_meetings') ? '<link href="' . page_link_to('atom') . (($p == 'user_meetings') ? '&meetings=1' : '') . '&key=' . $user['api_key'] . '" type="application/atom+xml" rel="alternate" title="Atom Feed">' : '',
@@ -171,6 +173,6 @@ echo template_render('../templates/layout.html', array(
 'contact_email' => $contact_email,
 'locale' => locale(),
 'event_info' => EventConfig_info($event_config) . '<br />'
-));
+]);
 ?>
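Review bot: The page-name filter `preg_match("/^[a-z0-9_]*$/i", $_REQUEST['p'])` uses `$`, which in PCRE also matches just before a trailing newline, so a value like `news` followed by a newline passes the regex; the `in_array` membership test that follows appears to reject it, but the allow-list regex should hold on its own: `"/^[a-z0-9_]*\\z/i"` (or add the `D` modifier). The two `in_array($_REQUEST['p'], ...)` calls should also pass `true` so the comparison is strict rather than loose. What happens to an unmatched `$p` is outside this hunk.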
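Review bot: The `atom_link` entry reads `$user['api_key']` whenever `$p` is `news` or `user_meetings`, while the `theme` entry two lines above shows that `$user` may be unset on this page; for an anonymous visitor of a free page that is an undefined-index notice and a feed link with an empty key. Guard it the same way as `theme`: `'atom_link' => isset($user) && ($p == 'news' || $p == 'user_meetings') ? '<link href="' ... : ''`. The array literal continues into the following hunk.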