authormsquare <msquare@notrademark.de>2016-09-29 11:28:42 +0200
committermsquare <msquare@notrademark.de>2016-09-29 11:28:42 +0200
commit4c288e957ec4340af93f980c65eecea6d3a789f4 (patch)
treea438607b5a1974e86a7fdd6f5da50db6e5356c1c
parente965f8d04150fbd17ee1b5fcbca5ae85bbe6d6bd (diff)
prohibit inline control structures on includes and index
-rw-r--r--includes/engelsystem_provider.php3
-rw-r--r--includes/mysqli_provider.php43
-rw-r--r--includes/sys_auth.php48
-rw-r--r--includes/sys_menu.php69
-rw-r--r--includes/sys_page.php9
-rw-r--r--includes/sys_template.php66
-rw-r--r--public/index.php12
7 files changed, 150 insertions, 100 deletions
diff --git a/includes/engelsystem_provider.php b/includes/engelsystem_provider.php
index d0f1cbff..84a73275 100644
--- a/includes/engelsystem_provider.php
+++ b/includes/engelsystem_provider.php
@@ -54,8 +54,9 @@ require_once realpath(__DIR__ . '/../includes/mailer/shifts_mailer.php');
require_once realpath(__DIR__ . '/../includes/mailer/users_mailer.php');
require_once realpath(__DIR__ . '/../config/config.default.php');
-if (file_exists(realpath(__DIR__ . '/../config/config.php')))
+if (file_exists(realpath(__DIR__ . '/../config/config.php'))) {
require_once realpath(__DIR__ . '/../config/config.php');
+}
if ($maintenance_mode) {
echo file_get_contents(__DIR__ . '/../public/maintenance.html');
diff --git a/includes/mysqli_provider.php b/includes/mysqli_provider.php
index 7197b95a..0315c0f1 100644
--- a/includes/mysqli_provider.php
+++ b/includes/mysqli_provider.php
@@ -22,10 +22,11 @@ function sql_null($value = null) {
function sql_transaction_start() {
global $sql_nested_transaction_level;
- if ($sql_nested_transaction_level ++ == 0)
+ if ($sql_nested_transaction_level ++ == 0) {
return sql_query("BEGIN");
- else
- return true;
+ }
+
+ return true;
}
/**
@@ -34,10 +35,11 @@ function sql_transaction_start() {
function sql_transaction_commit() {
global $sql_nested_transaction_level;
- if (-- $sql_nested_transaction_level == 0)
+ if (-- $sql_nested_transaction_level == 0) {
return sql_query("COMMIT");
- else
- return true;
+ }
+
+ return true;
}
/**
@@ -46,10 +48,11 @@ function sql_transaction_commit() {
function sql_transaction_rollback() {
global $sql_nested_transaction_level;
- if (-- $sql_nested_transaction_level == 0)
+ if (-- $sql_nested_transaction_level == 0) {
return sql_query("ROLLBACK");
- else
+ } else {
return true;
+ }
}
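Review bot: sql_transaction_rollback keeps the `} else {` / `return true;` / `}` shape, while the start and commit siblings in the two hunks above were rewritten to a brace-closed `if` followed by a bare `return true;`. Aligning it the same way (`}` on its own line, a blank line, then `return true;`) keeps the three transaction helpers identical in form, which is what this commit is otherwise doing.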
/**
@@ -92,12 +95,14 @@ function sql_connect($host, $user, $pass, $db) {
}
$result = $sql_connection->query("SET CHARACTER SET utf8;");
- if (! $result)
+ if (! $result) {
return sql_error("Unable to set utf8 character set (" . $sql_connection->errno . ") " . $sql_connection->error);
+ }
$result = $sql_connection->set_charset('utf8');
- if (! $result)
+ if (! $result) {
return sql_error("Unable to set utf8 names (" . $sql_connection->errno . ") " . $sql_connection->error);
+ }
return $sql_connection;
}
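Review bot: The `SET CHARACTER SET utf8;` query and its newly braced error branch look redundant with the `set_charset('utf8')` call right after it, and only the latter updates the connection charset that mysqli's own escaping uses. If sql_escape wraps `real_escape_string` (not visible in this hunk), the first query can be dropped and `$result = $sql_connection->set_charset('utf8');` left as the single charset step; if the server-side statement is kept deliberately, a one-line comment saying why would save the next reader the same question.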
@@ -111,8 +116,9 @@ function sql_connect($host, $user, $pass, $db) {
*/
function sql_select_db($db_name) {
global $sql_connection;
- if (! $sql_connection->select_db($db_name))
+ if (! $sql_connection->select_db($db_name)) {
return sql_error("No database selected.");
+ }
return true;
}
@@ -127,12 +133,14 @@ function sql_select($query) {
$result = $sql_connection->query($query);
if ($result) {
- $data = array();
- while ($line = $result->fetch_assoc())
+ $data = [];
+ while ($line = $result->fetch_assoc()) {
array_push($data, $line);
+ }
return $data;
- } else
- return sql_error("MySQL-query error: " . $query . " (" . $sql_connection->errno . ") " . $sql_connection->error);
+ }
+
+ return sql_error("MySQL-query error: " . $query . " (" . $sql_connection->errno . ") " . $sql_connection->error);
}
/**
@@ -147,8 +155,9 @@ function sql_query($query) {
$result = $sql_connection->query($query);
if ($result) {
return $result;
- } else
- return sql_error("MySQL-query error: " . $query . " (" . $sql_connection->errno . ") " . $sql_connection->error);
+ }
+
+ return sql_error("MySQL-query error: " . $query . " (" . $sql_connection->errno . ") " . $sql_connection->error);
}
/**
diff --git a/includes/sys_auth.php b/includes/sys_auth.php
index d4f35fa6..39f4d4b0 100644
--- a/includes/sys_auth.php
+++ b/includes/sys_auth.php
@@ -1,49 +1,59 @@
<?php
-// Testet ob ein User eingeloggt ist und lädt die entsprechenden Privilegien
+/**
+ * Testet ob ein User eingeloggt ist und lädt die entsprechenden Privilegien
+ */
function load_auth() {
global $user, $privileges;
-
+
$user = null;
if (isset($_SESSION['uid'])) {
$user = sql_select("SELECT * FROM `User` WHERE `UID`='" . sql_escape($_SESSION['uid']) . "' LIMIT 1");
if (count($user) > 0) {
// User ist eingeloggt, Datensatz zur Verfügung stellen und Timestamp updaten
- list ($user) = $user;
+ list($user) = $user;
sql_query("UPDATE `User` SET " . "`lastLogIn` = '" . time() . "'" . " WHERE `UID` = '" . sql_escape($_SESSION['uid']) . "' LIMIT 1;");
- } else
+ } else {
unset($_SESSION['uid']);
+ }
}
-
+
$privileges = isset($user) ? privileges_for_user($user['UID']) : privileges_for_group(- 1);
}
-// generate a salt (random string) of arbitrary length suitable for the use with crypt()
+/**
+ * generate a salt (random string) of arbitrary length suitable for the use with crypt()
+ */
function generate_salt($length = 16) {
$alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
$salt = "";
- for($i = 0; $i < $length; $i ++) {
+ for ($i = 0; $i < $length; $i ++) {
$salt .= $alphabet[rand(0, strlen($alphabet) - 1)];
}
return $salt;
}
-// set the password of a user
+/**
+ * set the password of a user
+ */
function set_password($uid, $password) {
return sql_query("UPDATE `User` SET `Passwort` = '" . sql_escape(crypt($password, CRYPT_ALG . '$' . generate_salt(16) . '$')) . "', `password_recovery_token`=NULL WHERE `UID` = " . intval($uid) . " LIMIT 1");
}
-// verify a password given a precomputed salt.
-// if $uid is given and $salt is an old-style salt (plain md5), we convert it automatically
+/**
+ * verify a password given a precomputed salt.
+ * if $uid is given and $salt is an old-style salt (plain md5), we convert it automatically
+ */
function verify_password($password, $salt, $uid = false) {
$correct = false;
- if (substr($salt, 0, 1) == '$') // new-style crypt()
+ if (substr($salt, 0, 1) == '$') { // new-style crypt()
$correct = crypt($password, $salt) == $salt;
- elseif (substr($salt, 0, 7) == '{crypt}') // old-style crypt() with DES and static salt - not used anymore
+ } elseif (substr($salt, 0, 7) == '{crypt}') { // old-style crypt() with DES and static salt - not used anymore
$correct = crypt($password, '77') == $salt;
- elseif (strlen($salt) == 32) // old-style md5 without salt - not used anymore
+ } elseif (strlen($salt) == 32) { // old-style md5 without salt - not used anymore
$correct = md5($password) == $salt;
-
+ }
+
if ($correct && substr($salt, 0, strlen(CRYPT_ALG)) != CRYPT_ALG && $uid) {
// this password is stored in another format than we want it to be.
// let's update it!
@@ -54,18 +64,20 @@ function verify_password($password, $salt, $uid = false) {
}
function privileges_for_user($user_id) {
- $privileges = array ();
+ $privileges = [];
$user_privs = sql_select("SELECT `Privileges`.`name` FROM `User` JOIN `UserGroups` ON (`User`.`UID` = `UserGroups`.`uid`) JOIN `GroupPrivileges` ON (`UserGroups`.`group_id` = `GroupPrivileges`.`group_id`) JOIN `Privileges` ON (`GroupPrivileges`.`privilege_id` = `Privileges`.`id`) WHERE `User`.`UID`='" . sql_escape($user_id) . "'");
- foreach ($user_privs as $user_priv)
+ foreach ($user_privs as $user_priv) {
$privileges[] = $user_priv['name'];
+ }
return $privileges;
}
function privileges_for_group($group_id) {
- $privileges = array ();
+ $privileges = [];
$groups_privs = sql_select("SELECT * FROM `GroupPrivileges` JOIN `Privileges` ON (`GroupPrivileges`.`privilege_id` = `Privileges`.`id`) WHERE `group_id`='" . sql_escape($group_id) . "'");
- foreach ($groups_privs as $guest_priv)
+ foreach ($groups_privs as $guest_priv) {
$privileges[] = $guest_priv['name'];
+ }
return $privileges;
}
?>
diff --git a/includes/sys_menu.php b/includes/sys_menu.php
index c6e916b4..6896194a 100644
--- a/includes/sys_menu.php
+++ b/includes/sys_menu.php
@@ -1,8 +1,9 @@
<?php
function page_link_to($page) {
- if ($page == "")
+ if ($page == "") {
return '?';
+ }
return '?p=' . $page;
}
@@ -18,17 +19,21 @@ function header_toolbar() {
$toolbar_items = array();
- if (isset($user))
+ if (isset($user)) {
$toolbar_items[] = toolbar_item_link(page_link_to('shifts') . '&amp;action=next', 'time', User_shift_state_render($user));
+ }
- if (! isset($user) && in_array('register', $privileges))
+ if (! isset($user) && in_array('register', $privileges)) {
$toolbar_items[] = toolbar_item_link(page_link_to('register'), 'plus', register_title(), $p == 'register');
+ }
- if (in_array('login', $privileges))
+ if (in_array('login', $privileges)) {
$toolbar_items[] = toolbar_item_link(page_link_to('login'), 'log-in', login_title(), $p == 'login');
+ }
- if (isset($user) && in_array('user_messages', $privileges))
+ if (isset($user) && in_array('user_messages', $privileges)) {
$toolbar_items[] = toolbar_item_link(page_link_to('user_messages'), 'envelope', user_unread_messages());
+ }
$hints = [];
if (isset($user)) {
@@ -37,20 +42,24 @@ function header_toolbar() {
// Erzengel Hinweis für unbeantwortete Fragen
if ($p != "admin_questions") {
$new_questions = admin_new_questions();
- if ($new_questions != "")
+ if ($new_questions != "") {
$hints[] = $new_questions;
+ }
}
$unconfirmed_hint = user_angeltypes_unconfirmed_hint();
- if ($unconfirmed_hint != '')
+ if ($unconfirmed_hint != '') {
$hints[] = $unconfirmed_hint;
+ }
- if (! isset($user['planned_departure_date']) || $user['planned_departure_date'] == null)
+ if (! isset($user['planned_departure_date']) || $user['planned_departure_date'] == null) {
$hints[] = info(_("Please enter your planned date of departure on your settings page to give us a feeling for teardown capacities."), true);
+ }
$driver_license_required = user_driver_license_required_hint();
- if ($driver_license_required != '')
+ if ($driver_license_required != '') {
$hints[] = $driver_license_required;
+ }
if (User_is_freeloader($user)) {
$hints[] = error(sprintf(_("You freeloaded at least %s shifts. Shift signup is locked. Please go to heavens desk to be unlocked again."), $max_freeloadable_shifts), true);
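Review bot: In the newly braced departure-date check, the second clause `$user['planned_departure_date'] == null` can never see a null (isset already returned false for that) and otherwise is a loose comparison that also matches `''`, `0` and `false`. If the intent is to treat only a missing or empty value as "not entered", `if (($user['planned_departure_date'] ?? '') === '')` states that exactly; if `0` is meant to count as missing too, a short comment saying so would help. The enclosing `if (isset($user))` block starts above this hunk.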
@@ -77,22 +86,27 @@ function header_toolbar() {
$glyphicon = 'warning-sign';
}
}
- if (count($hints) > 0)
+ if (count($hints) > 0) {
$toolbar_items[] = toolbar_popover($glyphicon . ' text-' . $hint_class, '', $hints, 'bg-' . $hint_class);
+ }
$user_submenu = make_langselect();
$user_submenu[] = toolbar_item_divider();
- if (in_array('user_myshifts', $privileges))
+ if (in_array('user_myshifts', $privileges)) {
$toolbar_items[] = toolbar_item_link(page_link_to('users') . '&amp;action=view', ' icon-icon_angel', $user['Nick'], $p == 'users');
+ }
- if (in_array('user_settings', $privileges))
+ if (in_array('user_settings', $privileges)) {
$user_submenu[] = toolbar_item_link(page_link_to('user_settings'), 'list-alt', settings_title(), $p == 'user_settings');
+ }
- if (in_array('logout', $privileges))
+ if (in_array('logout', $privileges)) {
$user_submenu[] = toolbar_item_link(page_link_to('logout'), 'log-out', logout_title(), $p == 'logout');
+ }
- if (count($user_submenu) > 0)
+ if (count($user_submenu) > 0) {
$toolbar_items[] = toolbar_dropdown('', '', $user_submenu);
+ }
return toolbar($toolbar_items, true);
}
@@ -100,21 +114,23 @@ function header_toolbar() {
function make_navigation() {
global $p, $privileges;
- $menu = array();
- $pages = array(
+ $menu = [];
+ $pages = [
"news" => news_title(),
"user_meetings" => meetings_title(),
"user_shifts" => shifts_title(),
"angeltypes" => angeltypes_title(),
"user_questions" => questions_title()
- );
+ ];
- foreach ($pages as $page => $title)
- if (in_array($page, $privileges))
+ foreach ($pages as $page => $title) {
+ if (in_array($page, $privileges)) {
$menu[] = toolbar_item_link(page_link_to($page), '', $title, $page == $p);
+ }
+ }
- $admin_menu = array();
- $admin_pages = array(
+ $admin_menu = [];
+ $admin_pages = [
"admin_arrive" => admin_arrive_title(),
"admin_active" => admin_active_title(),
"admin_user" => admin_user_title(),
@@ -127,14 +143,17 @@ function make_navigation() {
"admin_import" => admin_import_title(),
"admin_log" => admin_log_title(),
"admin_event_config" => event_config_title()
- );
+ ];
- foreach ($admin_pages as $page => $title)
- if (in_array($page, $privileges))
+ foreach ($admin_pages as $page => $title) {
+ if (in_array($page, $privileges)) {
$admin_menu[] = toolbar_item_link(page_link_to($page), '', $title, $page == $p);
+ }
+ }
- if (count($admin_menu) > 0)
+ if (count($admin_menu) > 0) {
$menu[] = toolbar_dropdown('', _("Admin"), $admin_menu);
+ }
return toolbar($menu);
}
diff --git a/includes/sys_page.php b/includes/sys_page.php
index cbc18db8..6b71eb15 100644
--- a/includes/sys_page.php
+++ b/includes/sys_page.php
@@ -31,8 +31,9 @@ function raw_output($output) {
* @return ValidationResult containing the parsed date
*/
function check_request_date($name, $error_message = null, $null_allowed = false) {
- if (! isset($_REQUEST[$name]))
+ if (! isset($_REQUEST[$name])) {
return new ValidationResult($null_allowed, null);
+ }
return check_date($_REQUEST[$name], $error_message, $null_allowed);
}
@@ -49,10 +50,12 @@ function check_request_date($name, $error_message = null, $null_allowed = false)
* @return ValidationResult containing the parsed date
*/
function check_date($input, $error_message = null, $null_allowed = false) {
- if (DateTime::createFromFormat("Y-m-d", trim($input)))
+ if (DateTime::createFromFormat("Y-m-d", trim($input))) {
return new ValidationResult(true, DateTime::createFromFormat("Y-m-d", trim($input))->getTimestamp());
- if ($null_allowed)
+ }
+ if ($null_allowed) {
return new ValidationResult(true, null);
+ }
error($error_message);
return new ValidationResult(false, null);
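Review bot: check_date parses the input twice in the first branch, and because the format is `"Y-m-d"` without `!`, the unspecified time fields are filled with the current time, so the returned timestamp for the same date string differs with the time of day. Parsing once into a local and resetting the unspecified fields makes the result stable: `$date = DateTime::createFromFormat('!Y-m-d', trim($input));` then `if ($date !== false) { return new ValidationResult(true, $date->getTimestamp()); }`. The `!` changes the returned value to midnight, so confirm no caller relies on the current-time fill before adopting it.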
diff --git a/includes/sys_template.php b/includes/sys_template.php
index 112bb483..23f4b77b 100644
--- a/includes/sys_template.php
+++ b/includes/sys_template.php
@@ -179,19 +179,10 @@ function form_date($name, $label, $value, $start_date = '') {
*/
function form_checkboxes($name, $label, $items, $selected) {
$html = form_element($label, '');
- foreach ($items as $key => $item)
- $html .= form_checkbox($name . '_' . $key, $item, array_search($key, $selected) !== false);
-
- return $html;
-
- $html = "<ul>";
foreach ($items as $key => $item) {
- $id = $name . '_' . $key;
- $sel = array_search($key, $selected) !== false ? ' checked="checked"' : "";
- $html .= '<li><input type="checkbox" id="' . $id . '" name="' . $id . '" value="checked"' . $sel . ' /><label for="' . $id . '">' . $item . '</label></li>';
+ $html .= form_checkbox($name . '_' . $key, $item, array_search($key, $selected) !== false);
}
- $html .= "</ul>";
- return form_element($label, $html);
+ return $html;
}
/**
@@ -210,16 +201,18 @@ function form_checkboxes($name, $label, $items, $selected) {
*/
function form_multi_checkboxes($names, $label, $items, $selected, $disabled = array()) {
$html = "<table><thead><tr>";
- foreach ($names as $title)
+ foreach ($names as $title) {
$html .= "<th>$title</th>";
+ }
$html .= "</tr></thead><tbody>";
foreach ($items as $key => $item) {
$html .= "<tr>";
foreach ($names as $name => $title) {
$id = $name . '_' . $key;
$sel = array_search($key, $selected[$name]) !== false ? ' checked="checked"' : "";
- if (! empty($disabled) && ! empty($disabled[$name]) && array_search($key, $disabled[$name]) !== false)
+ if (! empty($disabled) && ! empty($disabled[$name]) && array_search($key, $disabled[$name]) !== false) {
$sel .= ' disabled="disabled"';
+ }
$html .= '<td style="text-align: center;"><input type="checkbox" id="' . $id . '" name="' . $name . '[]" value="' . $key . '"' . $sel . ' /></td>';
}
$html .= '<td><label for="' . $id . '">' . $item . '</label></td></tr>';
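Review bot: The newly braced header loop writes `$title` straight into `<th>$title</th>`, and the row loop below does the same with `$key` and `$item` in attribute and text context, so the function relies on every caller pre-escaping. If these values are not always trusted markup, wrapping them per context — `htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` for text, the same for `$key` inside `value="…"` — keeps the escaping in one place; if callers intentionally pass HTML, a docblock line stating that contract is the minimum. The rest of form_multi_checkboxes continues past the hunk.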
@@ -246,10 +239,12 @@ function form_radio($name, $label, $selected, $value) {
* Rendert einen Infotext in das Formular
*/
function form_info($label, $text = "") {
- if ($label == "")
+ if ($label == "") {
return '<span class="help-block">' . glyph('info-sign') . $text . '</span>';
- if ($text == "")
+ }
+ if ($text == "") {
return '<h4>' . $label . '</h4>';
+ }
return form_element($label, '<p class="form-control-static">' . $text . '</p>', '');
}
@@ -312,9 +307,9 @@ function form_select($name, $label, $values, $selected) {
function form_element($label, $input, $for = "") {
if ($label == '') {
return '<div class="form-group">' . $input . '</div>';
- } else {
- return '<div class="form-group">' . '<label for="' . $for . '">' . $label . '</label>' . $input . '</div>';
}
+
+ return '<div class="form-group">' . '<label for="' . $for . '">' . $label . '</label>' . $input . '</div>';
}
/**
@@ -346,34 +341,40 @@ function page_with_title($title, $elements) {
function table($columns, $rows_raw, $data = true) {
// If only one column is given
if (! is_array($columns)) {
- $columns = array(
+ $columns = [
'col' => $columns
- );
+ ];
- $rows = array();
+ $rows = [];
foreach ($rows_raw as $row)
- $rows[] = array(
+ $rows[] = [
'col' => $row
- );
- } else
+ ];
+ } else {
$rows = $rows_raw;
+ }
- if (count($rows) == 0)
+ if (count($rows) == 0) {
return info(_("No data found."), true);
+ }
+
$html = "";
$html .= '<table class="table table-striped' . ($data ? ' data' : '') . '">';
$html .= '<thead><tr>';
- foreach ($columns as $key => $column)
+ foreach ($columns as $key => $column) {
$html .= '<th class="column_' . $key . '">' . $column . '</th>';
+ }
$html .= '</tr></thead>';
$html .= '<tbody>';
foreach ($rows as $row) {
$html .= '<tr>';
- foreach ($columns as $key => $column)
- if (isset($row[$key]))
+ foreach ($columns as $key => $column) {
+ if (isset($row[$key])) {
$html .= '<td class="column_' . $key . '">' . $row[$key] . '</td>';
- else
+ } else {
$html .= '<td class="column_' . $key . '">&nbsp;</td>';
+ }
+ }
$html .= '</tr>';
}
$html .= '</tbody>';
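Review bot: The `foreach ($rows_raw as $row)` on the single-column path is still brace-less while its body was converted to short array syntax, which contradicts the stated purpose of this commit and leaves one inline control structure behind. Writing it as `foreach ($rows_raw as $row) {` / `$rows[] = ['col' => $row];` / `}` matches the other loops in this hunk. The function continues after the hunk ends.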
@@ -410,10 +411,11 @@ function table_buttons($buttons = array()) {
function template_render($file, $data) {
if (file_exists($file)) {
$template = file_get_contents($file);
- if (is_array($data))
+ if (is_array($data)) {
foreach ($data as $name => $content) {
$template = str_replace("%" . $name . "%", $content, $template);
}
+ }
return $template;
}
engelsystem_error("Cannot find template file &laquo;" . $file . "&raquo;.");
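Review bot: The newly braced placeholder loop substitutes one key at a time with `str_replace`, so a value inserted for an earlier key that itself contains a `%name%` token is expanded again by a later iteration. A single-pass `strtr($template, $map)` with the keys prefixed and suffixed by `%` avoids that, at the cost of building the map first; alternatively a comment such as `// NOTE: sequential replacement — substituted content may itself be expanded` documents the current behaviour. template_render's remaining lines fall outside the hunk.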
@@ -430,8 +432,9 @@ function table_body($array) {
foreach ($array as $line) {
$html .= "<tr>";
if (is_array($line)) {
- foreach ($line as $td)
+ foreach ($line as $td) {
$html .= "<td>" . $td . "</td>";
+ }
} else {
$html .= "<td>" . $line . "</td>";
}
@@ -442,8 +445,9 @@ function table_body($array) {
function html_options($name, $options, $selected = "") {
$html = "";
- foreach ($options as $value => $label)
+ foreach ($options as $value => $label) {
$html .= '<input type="radio"' . ($value == $selected ? ' checked="checked"' : '') . ' name="' . $name . '" value="' . $value . '"> ' . $label;
+ }
return $html;
}
diff --git a/public/index.php b/public/index.php
index 7915e8a6..51c8e7eb 100644
--- a/public/index.php
+++ b/public/index.php
@@ -1,7 +1,7 @@
<?php
require_once realpath(__DIR__ . '/../includes/engelsystem_provider.php');
-$free_pages = array(
+$free_pages = [
'admin_event_config',
'angeltypes',
'api',
@@ -16,12 +16,14 @@ $free_pages = array(
'users',
'user_driver_licenses',
'user_password_recovery'
-);
+];
// Gewünschte Seite/Funktion
$p = "";
-if (! isset($_REQUEST['p']))
+if (! isset($_REQUEST['p'])) {
$_REQUEST['p'] = isset($user) ? "news" : "login";
+}
+
if (isset($_REQUEST['p']) && preg_match("/^[a-z0-9_]*$/i", $_REQUEST['p']) && (in_array($_REQUEST['p'], $free_pages) || in_array($_REQUEST['p'], $privileges))) {
$p = $_REQUEST['p'];
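Review bot: After the newly braced default assignment, the `isset($_REQUEST['p'])` test on the next line is always true and can be dropped; the regex `/^[a-z0-9_]*$/i` also lets a single trailing newline through because `$` matches before it, and the two `in_array` calls are non-strict. The condition can be tightened to `if (preg_match("/^[a-z0-9_]*\z/i", $_REQUEST['p']) && (in_array($_REQUEST['p'], $free_pages, true) || in_array($_REQUEST['p'], $privileges, true))) {`. Writing the default back into `$_REQUEST` rather than a local is worth a comment if later code depends on it; the `if` body continues past the hunk.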
@@ -160,7 +162,7 @@ if ($event_config === false) {
engelsystem_error("Unable to load event config.");
}
-echo template_render('../templates/layout.html', array(
+echo template_render('../templates/layout.html', [
'theme' => isset($user) ? $user['color'] : $default_theme,
'title' => $title,
'atom_link' => ($p == 'news' || $p == 'user_meetings') ? '<link href="' . page_link_to('atom') . (($p == 'user_meetings') ? '&amp;meetings=1' : '') . '&amp;key=' . $user['api_key'] . '" type="application/atom+xml" rel="alternate" title="Atom Feed">' : '',
@@ -171,6 +173,6 @@ echo template_render('../templates/layout.html', array(
'contact_email' => $contact_email,
'locale' => locale(),
'event_info' => EventConfig_info($event_config) . '<br />'
-));
+]);
?>