zorg Code v4.7.0

Merge pull request #70 from zorgch/develop
zorgch · Jun 22, 2023 · 07bc750 · 07bc750
2 parents 63e19b4 + a275312
commit 07bc750
Show file tree

Hide file tree

Showing 13 changed files with 571 additions and 504 deletions.
diff --git a/.env.example b/.env.example
@@ -1,6 +1,8 @@
 # PHP dotENV - https://github.com/vlucas/phpdotenv
 # Copy this file as new /.env & adjust all settings to the corresponging Environment!
 ENVIRONMENT="development" # Use "development" for any non-productive envs
+LOCALE="de_CH" # Required!
+TIMEZONE="Europe/Zurich" # Required!
 
 # Database connection (required):
 MYSQL_HOST="localhost" # Required! Use "localhost" or Docker service hostname
@@ -36,8 +38,6 @@ HOSTNAME=""
 HTTP_PROTOCOL="https" # https or http
 SITE_FQDN="${HTTP_PROTOCOL}://${HOSTNAME}" # No trailing slash
 PAGETITLE_SUFFIX=" - ${HOSTNAME}"
-LOCALE="de_CH"
-TIMEZONE="Europe/Zurich"
 ENCODING="UTF-8"
 EMAILS_FROM="info@${HOSTNAME}"
 ADMIN_EMAIL="root@${HOSTNAME}"
@@ -57,61 +57,61 @@ FACEBOOK_PAGENAME=""
 URLPATH_ACTIONS="/actions/"
 URLPATH_AJAX="${URLPATH_JS}ajax/"
 URLPATH_CSS="/css/"
-URLPATH_HZ_IMAGES="${URLPATH_IMAGES}hz/"
 URLPATH_IMAGES="/images/"
 URLPATH_JS="/js/"
 URLPATH_RSS="${SITE_FQDN}/?layout=rss"
 URLPATH_SCRIPTS="/scripts/"
 URLPATH_USERIMAGES="/data/userimages/"
 URLPATH_UTILS="/util/"
-USERLEVEL_ALLE="0"
-USERLEVEL_USER="1"
-USERLEVEL_MEMBER="2"
-USERLEVEL_ADMIN="3"
-USER_TIMEOUT="200" # In seconds: 3 Minutes
-USER_OLD_AFTER="94608000" # In seconds: 3 Jahre
-USER_USE_CURRENT_LOGIN="TRUE"
-USER_USE_REGISTRATION_CODE="TRUE"
-USER_USE_ONLINE_LIST="TRUE"
-USERIMAGE_ENABLED="TRUE"
+USERLEVEL_ALLE=
+USERLEVEL_USER=
+USERLEVEL_MEMBER=
+USERLEVEL_ADMIN=
+USER_TIMEOUT= # In seconds: 3 Minutes
+USER_OLD_AFTER= # In seconds: 3 Jahre
+USER_USE_CURRENT_LOGIN="true"
+USER_USE_REGISTRATION_CODE="true"
+USER_USE_ONLINE_LIST="true"
+USERIMAGE_ENABLED="true"
 USERIMAGE_EXTENSION=".jpg" # Extension with .-prefix
-USERIMAGE_SIZE_LARGE="500"
-USERIMAGE_SIZE_SMALL="150"
+USERIMAGE_SIZE_LARGE=
+USERIMAGE_SIZE_SMALL=
 USERIMAGE_DEFAULT="none${USERIMAGE_EXTENSION}" # Must be within USERIMAGES_DIR
-ADDLE_MAX_GAMES="1"
-ADDLE_BASE_POINTS="1600"
-ADDLE_MAX_POINTS_TRANSFERABLE="32"
-APOD_GALLERY_ID="41" # Match to gallery_albums-Table `id`
+ADDLE_MAX_GAMES=
+ADDLE_BASE_POINTS=
+ADDLE_MAX_POINTS_TRANSFERABLE=
+APOD_GALLERY_ID= # Match to gallery_albums-Table `id`
 BUGTRACKER_FILTER_DEFAULT="?show[]=open&show[]=notdenied&show[]=assigned&show[]=unassigned"
-CHESS_DWZ_BASE_POINTS="1600"
-CHESS_DWZ_MAX_POINTS_TRANSFERABLE="32"
-FORUM_DEFAULT_MAXDEPTH="10"
-FORUM_THREAD_CLEARCACHE_AFTER="30" # In Tagen
+CHESS_DWZ_BASE_POINTS=
+CHESS_DWZ_MAX_POINTS_TRANSFERABLE=
+FORUM_DEFAULT_MAXDEPTH=
+FORUM_THREAD_CLEARCACHE_AFTER= # In Tagen
 GALLERY_MAX_PIC_SIZE="['width'=>800, 'height'=>800]"
 GALLERY_MAX_THUMBNAIL_SIZE="['width'=>150, 'height'=>150]"
 GALLERY_THUMBPAGE="['width'=>4, 'height'=>3, 'padding'=>10]"
-GO_OFFSET_PIC="250"
-GO_LINKRADIUS="15"
-GO_FIELDSIZE="40"
-GO_LINEWIDTH="2"
-GO_STARDOTWIDTH="10"
-GO_STONEBIGWIDTH="190"
-GO_LASTSTONEWIDTH="10"
+GO_OFFSET_PIC=
+GO_LINKRADIUS=
+GO_FIELDSIZE=
+GO_LINEWIDTH=
+GO_STARDOTWIDTH=
+GO_STONEBIGWIDTH=
+GO_LASTSTONEWIDTH=
+URLPATH_HZ_IMAGES="${URLPATH_IMAGES}hz/"
 HZ_MAPS_EXTENSION=".gif"
-HZ_MAX_GAMES="5"
-HZ_TURN_TIME="259200" # In Sekunden: 3 Tage
-HZ_TURN_COUNT="4"
-HZ_TURN_ADD_MONEY="10"
+HZ_MAX_GAMES=
+HZ_TURN_TIME= # In Sekunden: 3 Tage
+HZ_TURN_COUNT=
+HZ_TURN_ADD_MONEY=
 SETI_TEAM_NAME=""
 SETI_EMAIL=""
 STRING_NOT_FOUND="Reference not found in String list"
 
 # Session settings:
 SESSION_ID="z"
-SESSION_LIFETIME="43200" # In seconds
-ENABLE_COOKIES="TRUE"
+SESSION_LIFETIME= # In seconds
+ENABLE_COOKIES="true"
 COOKIE_DOMAIN=".${HOSTNAME}" # Prefixed .-dot is recommended
-COOKIE_EXPIRATION="604800" # In seconds. Note: seconds to be added to current time()+COOKIE_EXPIRATION!
+COOKIE_EXPIRATION= # In seconds. Note: seconds to be added to current time()+COOKIE_EXPIRATION!
 COOKIE_PATH="/"
 COOKIE_SAMESITE="Lax" # Strict, None, or Lax (default/fallback)
 COOKIE_HTTPONLY="true" # true or false (true is strongly recommended)
@@ -128,7 +128,7 @@ SMARTY_TRUSTED_DIRS="${WWW_ROOT}/scripts/" # (array) with strings
 SMARTY_TEMPLATES_HTML="${VIEWS_DIR}" # (array) with strings
 SMARTY_PACKAGES_DIR="${WWW_ROOT}/packages/"
 SMARTY_PACKAGES_EXTENSION=".php"
-SMARTY_DEFAULT_TPL_ID="23"
+SMARTY_DEFAULT_TPL_ID=
 SMARTY_404PAGE_TPL_FILE="file:layout/pages/404_page.tpl"
 
 # Services, APIs, and API-Keys:
@@ -180,15 +180,15 @@ TWITTER_API_TOKENSECRET=""
 TWITTER_API_CALLBACK_URL=""
 
 # zorg settings:
-VORSTAND_USER="451" # Match to user-Table `id`
-BARBARA_HARRIS="59" # Match to user-Table `id`
-ROSENVERKAEUFER="439" # Match to user-Table `id`
-THE_ARCHITECT="582" # Match to user-Table `id`
-ANFICKER_USER_ID="9999"
+VORSTAND_USER= # Match to user-Table `id`
+BARBARA_HARRIS= # Match to user-Table `id`
+ROSENVERKAEUFER= # Match to user-Table `id`
+THE_ARCHITECT= # Match to user-Table `id`
+ANFICKER_USER_ID=
 ZORG_VEREIN_NAME="zorg Verein"
 ZORG_VEREIN_EMAIL=""
 ZORG_VEREIN_STRASSE=""
-ZORG_VEREIN_PLZ="9000"
+ZORG_VEREIN_PLZ=
 ZORG_VEREIN_ORT="St. Gallen"
 ZORG_VEREIN_LAND="Schweiz"
 ZORG_VEREIN_LAND_ISO2="CH"

diff --git a/www/frets_upload.php b/www/frets_upload.php
@@ -12,7 +12,7 @@
 require_once dirname(__FILE__).'/includes/config.inc.php';
 
 /** fetch GET Data */
-$scores_frets = isset($_GET['scores']) ? htmlspecialchars(preg_match('/^[a-fA-F0-9]+$/', $_GET['scores']) ? $_GET['scores'] : '', ENT_QUOTES, 'UTF-8') : '';
+$scores_frets = isset($_GET['scores']) ? htmlspecialchars((preg_match('/^[a-fA-F0-9]+$/', $_GET['scores']) ? $_GET['scores'] : ''), ENT_QUOTES, 'UTF-8') : '';
 $songName = isset($_GET['songName']) ? htmlspecialchars($_GET['songName'], ENT_QUOTES, 'UTF-8') : '';
 $songHash = isset($_GET['songHash']) ? htmlspecialchars($_GET['songHash'], ENT_QUOTES, 'UTF-8') : '';
 
@@ -21,7 +21,8 @@
 
 if (!empty($scores_frets))
 {
-	$output = shell_exec('python ../scripts/fretsonfire/fretsonzorg.py '.$scores_frets);
+	$sanitized_scores_frets = escapeshellarg($scores_frets); // Mitigates risk of command injection (CWE-78)
+	$output = shell_exec('python ../scripts/fretsonfire/fretsonzorg.py '.$sanitized_scores_frets);
 	if (!$output)
 	{
 		http_response_code(500); // Set response code 500 (Internal Server Error) and exit.

diff --git a/www/includes/config.inc.php b/www/includes/config.inc.php
@@ -29,10 +29,53 @@
 	try {
 		$dotenv = Dotenv\Dotenv::createImmutable(APP_ROOT);
 		$dotenv->load();
+        /** Variable validations: required variables */
 		$dotenv->required(['MYSQL_HOST', 'MYSQL_DATABASE', 'MYSQL_USER'])->notEmpty();
 		$dotenv->required(['HOSTNAME', 'HTTP_PROTOCOL', 'SITE_FQDN'])->notEmpty();
 		$dotenv->required(['LOCALE'])->allowedRegexValues('([[:lower:]]{2}_[[:upper:]]{2})');
 		$dotenv->required(['TIMEZONE'])->allowedRegexValues('([a-zA-Z0-9]+([\/|+-][a-zA-Z0-9_]+)?(\/[a-zA-Z0-9_]+)?)');
+        /** Variable validations: Integers */
+        $dotenv->ifPresent('USER_TIMEOUT')->isInteger();
+        $dotenv->ifPresent('USER_OLD_AFTER')->isInteger();
+        $dotenv->ifPresent('USERIMAGE_SIZE_LARGE')->isInteger();
+        $dotenv->ifPresent('USERIMAGE_SIZE_SMALL')->isInteger();
+        $dotenv->ifPresent('ADDLE_MAX_GAMES')->isInteger();
+        $dotenv->ifPresent('ADDLE_BASE_POINTS')->isInteger();
+        $dotenv->ifPresent('ADDLE_MAX_POINTS_TRANSFERABLE')->isInteger();
+        $dotenv->ifPresent('APOD_GALLERY_ID')->isInteger();
+        $dotenv->ifPresent('CHESS_DWZ_BASE_POINTS')->isInteger();
+        $dotenv->ifPresent('CHESS_DWZ_MAX_POINTS_TRANSFERABLE')->isInteger();
+        $dotenv->ifPresent('FORUM_DEFAULT_MAXDEPTH')->isInteger();
+        $dotenv->ifPresent('FORUM_THREAD_CLEARCACHE_AFTER')->isInteger();
+        $dotenv->ifPresent('GO_OFFSET_PIC')->isInteger();
+        $dotenv->ifPresent('GO_LINKRADIUS')->isInteger();
+        $dotenv->ifPresent('GO_FIELDSIZE')->isInteger();
+        $dotenv->ifPresent('GO_LINEWIDTH')->isInteger();
+        $dotenv->ifPresent('GO_STARDOTWIDTH')->isInteger();
+        $dotenv->ifPresent('GO_STONEBIGWIDTH')->isInteger();
+        $dotenv->ifPresent('GO_LASTSTONEWIDTH')->isInteger();
+        $dotenv->ifPresent('HZ_MAX_GAMES')->isInteger();
+        $dotenv->ifPresent('HZ_TURN_TIME')->isInteger();
+        $dotenv->ifPresent('HZ_TURN_COUNT')->isInteger();
+        $dotenv->ifPresent('HZ_TURN_ADD_MONEY')->isInteger();
+        $dotenv->ifPresent('SESSION_LIFETIME')->isInteger();
+        $dotenv->ifPresent('COOKIE_EXPIRATION')->isInteger();
+        $dotenv->ifPresent('SMARTY_DEFAULT_TPL_ID')->isInteger();
+        $dotenv->ifPresent('VORSTAND_USER')->isInteger();
+        $dotenv->ifPresent('BARBARA_HARRIS')->isInteger();
+        $dotenv->ifPresent('ROSENVERKAEUFER')->isInteger();
+        $dotenv->ifPresent('THE_ARCHITECT')->isInteger();
+        $dotenv->ifPresent('ANFICKER_USER_ID')->isInteger();
+        $dotenv->ifPresent('ZORG_VEREIN_PLZ')->isInteger();
+        /** Variable validations: Booleans */
+        $dotenv->ifPresent('TELEGRAM_DISABLE_WEBPAGE_PREVIEW')->isBoolean();
+        $dotenv->ifPresent('TELEGRAM_DISABLE_NOTIFICATION')->isBoolean();
+        $dotenv->ifPresent('USER_USE_CURRENT_LOGIN')->isBoolean();
+        $dotenv->ifPresent('USER_USE_REGISTRATION_CODE')->isBoolean();
+        $dotenv->ifPresent('USER_USE_ONLINE_LIST')->isBoolean();
+        $dotenv->ifPresent('USERIMAGE_ENABLED')->isBoolean();
+        $dotenv->ifPresent('ENABLE_COOKIES')->isBoolean();
+        $dotenv->ifPresent('COOKIE_HTTPONLY')->isBoolean();
 	} catch (Exception $e) {
 		exit(sprintf('[ERROR] <%s:%d> %s', __FILE__, __LINE__, $e->getMessage()));
 	}
@@ -236,7 +279,7 @@
  * @const APOD_API NASA APOD API-URL von wo das tägliche APOD-Bild mit dem NASA_API_KEY geholt werden kann, mittels ?apod_date=yyyy-mm-dd kann ein spezifisches APOD geholt werden
  */
 if (!defined('NASA_API_KEY') && isset($_ENV['NASA_API_KEY'])) define('NASA_API_KEY', $_ENV['NASA_API_KEY']);
-if (!defined('APOD_GALLERY_ID')) define('APOD_GALLERY_ID', (isset($_ENV['APOD_GALLERY_ID']) ? $_ENV['APOD_GALLERY_ID'] : null));
+if (!defined('APOD_GALLERY_ID')) define('APOD_GALLERY_ID', (isset($_ENV['APOD_GALLERY_ID']) ? (int)$_ENV['APOD_GALLERY_ID'] : null));
 if (!defined('APOD_TEMP_IMGPATH')) define('APOD_TEMP_IMGPATH', (isset($_ENV['APOD_TEMP_IMAGE_DIR']) ? $_ENV['APOD_TEMP_IMAGE_DIR'] : null));
 if (!defined('APOD_SOURCE')) define('APOD_SOURCE', (isset($_ENV['NASA_APOD_SOURCE']) ? $_ENV['NASA_APOD_SOURCE'] : null));
 if (!defined('APOD_API')) define('APOD_API', (isset($_ENV['NASA_APOD_API']) ? $_ENV['NASA_APOD_API'] : null));

diff --git a/www/includes/forum.inc.php b/www/includes/forum.inc.php
@@ -609,29 +609,20 @@ static function markasunread($comment_id) {
 
 
 		if($rs['rights'] < USER_SPECIAL) {
-			$sql =
-				"
-				REPLACE INTO comments_unread (user_id, comment_id)
-					SELECT
-						id,
-						".$comment_id."
-
-
+			$sql = "REPLACE INTO comments_unread (user_id, comment_id)
+					SELECT id, ".$comment_id."
 					FROM user
-
-					WHERE user.usertype >= ".$rs['rights']."
+					WHERE user.usertype >= ?
 					AND (UNIX_TIMESTAMP(lastlogin)+".USER_OLD_AFTER.") > UNIX_TIMESTAMP(NOW())
-					AND forum_boards_unread LIKE '%".$rs['board']."%'
-					"
+					AND forum_boards_unread LIKE CONCAT('%', ?, '%')"
 					/*AND ISNULL(
 						SELECT tignore.thread_id, tignore.user_id
 						FROM comments_threads_ignore tignore
 						WHERE tignore.thread_id = ".$rs['thread_id']."
 						AND tignore.user_id = user.id
 						)*/
-
 			;
-			$data = $db->fetch($db->query($sql, __FILE__, __LINE__));
+			$data = $db->fetch($db->query($sql, __FILE__, __LINE__, __METHOD__, [$rs['rights'], $rs['board']]));
 		} else {
 			$sql =
 				"
@@ -1380,9 +1371,10 @@ static function getQueryString($qstr='') {
 	 *
 	 * @TODO implement $keyword highlighting in ouput via $smarty->display()
 	 *
-	 * @version 1.1
+	 * @version 2.1
 	 * @since 1.0 Method added
 	 * @since 2.0 `07.03.2020` `IneX` Code optimizations
+	 * @since 2.1 `14.06.2023` `IneX` SQL-Query optimizations
 	 *
 	 * @param string $keyword Search-Text for LIKE %...% search
 	 * @return void
@@ -1393,9 +1385,9 @@ static function printSearchedComments($keyword)
 
 		$sql = 'SELECT id, text, UNIX_TIMESTAMP(date) as date
 				FROM comments
-				WHERE text LIKE "%'.$keyword.'%"
+				WHERE text LIKE CONCAT("%", ?, "%")
 				ORDER by date DESC';
-		$result = $db->query($sql, __FILE__, __LINE__, __METHOD__);
+		$result = $db->query($sql, __FILE__, __LINE__, __METHOD__, [$keyword]);
 		$num = $db->num($result);
 		if ($num > 0)
 		{

diff --git a/www/includes/hz_game.inc.php b/www/includes/hz_game.inc.php
@@ -19,27 +19,21 @@
 /**
  * File includes
  * @include main.inc.php 		Main Functions
- * @include activities.inc.php 	(DEPRECATED) Activities Functions and Stream
- * @include messagesystem.inc.php (DEPRECATED) Messagesystem einbinden für Funktionen die Benachrichtigungen absetzen
- * @include usersystem.inc.php 	(DEPRECATED) Usersystem einbinden für alle Benutzerbezogenen Funktionen (z.B. UserID -> Username umwandeln)
- * @include util.inc.php		(DEPRECATED) Utilities einbinden für Handling diverser Spezialfunktionen (z.B. URLs erzeugen)
- * @include forum.inc.php		(DEPRECATED) Forum einbinden für Handling der Commenting Funktionalität einzelner Hunting z Spiele
- * @include strings.inc.php		(DEPRECATED) Strings die im Zorg Code benutzt werden
  */
 require_once dirname(__FILE__).'/main.inc.php';
 
 /**
- * @const IMGPATH			Pfad zu den Bildern fürs Hunting Z
- * @const MAX_HZ_GAMES		In sovielen Hz-Spielen kann ein Spieler maximal gleichzeitig teilnehmen
- * @const TURN_TIME			So lange haben Spieler Zeit für ihren Spielzug
- * @const TURN_COUNT		Nach so vielen Zügen gibts neues Geld
- * @const TURN_ADD_MONEY	So viel Geld gibts nach TURN_COUNT Spielzügen
+ * @const URLPATH_HZ_IMAGES	Pfad zu den Bildern fürs Hunting Z
+ * @const HZ_MAX_GAMES		In sovielen Hz-Spielen kann ein Spieler maximal gleichzeitig teilnehmen
+ * @const HZ_TURN_TIME		So lange haben Spieler Zeit für ihren Spielzug
+ * @const HZ_TURN_COUNT		Nach so vielen Zügen gibts neues Geld
+ * @const HZ_TURN_ADD_MONEY	So viel Geld gibts nach TURN_COUNT Spielzügen
  */
-define('IMGPATH', '/images/hz/');
-define('MAX_HZ_GAMES', 5);
-define('TURN_TIME', 60*60*24*3);
-define('TURN_COUNT', 4);
-define('TURN_ADD_MONEY', 10);
+if (!defined('URLPATH_HZ_IMAGES')) define('URLPATH_HZ_IMAGES', (isset($_ENV['URLPATH_HZ_IMAGES']) ? $_ENV['URLPATH_HZ_IMAGES'] : null));
+if (!defined('HZ_MAX_GAMES')) define('HZ_MAX_GAMES', (isset($_ENV['HZ_MAX_GAMES']) ? (int)$_ENV['HZ_MAX_GAMES'] : 5));
+if (!defined('HZ_TURN_TIME')) define('HZ_TURN_TIME', (isset($_ENV['HZ_TURN_TIME']) ? (int)$_ENV['HZ_TURN_TIME'] : 60*60*24*3));
+if (!defined('HZ_TURN_COUNT')) define('HZ_TURN_COUNT', (isset($_ENV['HZ_TURN_COUNT']) ? (int)$_ENV['HZ_TURN_COUNT'] : 4));
+if (!defined('HZ_TURN_ADD_MONEY')) define('HZ_TURN_ADD_MONEY', (isset($_ENV['HZ_TURN_ADD_MONEY']) ? (int)$_ENV['HZ_TURN_ADD_MONEY'] : 10));
 
 /**
  * Hunting z Spiel löschen
@@ -93,7 +87,7 @@ function start_new_game ($map) {
 	));
 
 	/** too many games open already */
-	if (isset($own_games['anz']) && $own_games['anz'] >= MAX_HZ_GAMES) {
+	if (isset($own_games['anz']) && $own_games['anz'] >= HZ_MAX_GAMES) {
 		user_error(t('error-game-max-limit-reached'), E_USER_ERROR);
 	}
 	/** user can still open new games */
@@ -406,7 +400,7 @@ function hz_turn_passing()
 					 JOIN hz_players p
 					  ON p.game=g.id
 					 WHERE g.state="running"
-					  AND UNIX_TIMESTAMP(NOW())-UNIX_TIMESTAMP(g.turndate) > '.TURN_TIME.'
+					  AND UNIX_TIMESTAMP(NOW())-UNIX_TIMESTAMP(g.turndate) > '.HZ_TURN_TIME.'
 					  AND if(g.nextturn="z" && p.type="z"
 						OR g.nextturn="players" && p.type!="z" && p.turndone="0", "1", "0") = "1"',
 					__FILE__, __LINE__, __FUNCTION__);
@@ -495,12 +489,12 @@ function turn_finalize ($game, $uid=null)
 		elseif ($d['nextturn'] === 'players' && $d['totalplayers'] === $turndone['num'] && $d['finished'] === 'false')
 		{
 			$query = $db->query('UPDATE hz_games SET
-								 round=(round+1), nextturn="z", turndate=NOW(), turncount=(turncount+1)%'.TURN_COUNT.'
+								 round=(round+1), nextturn="z", turndate=NOW(), turncount=(turncount+1)%'.HZ_TURN_COUNT.'
 								 WHERE id='.$game, __FILE__, __LINE__, __FUNCTION__);
 			if (DEVELOPMENT) error_log(sprintf('[DEBUG] <%s:%d> update(hz_games(%s)): game=%d | nextturn=z | turndate=%s', __FUNCTION__, __LINE__, $query, $game, timestamp(true)));
 
 			/** add money and reset 'turndone' */
-			if ($d['turncount']+1 == TURN_COUNT) $add = TURN_ADD_MONEY;
+			if ($d['turncount']+1 == HZ_TURN_COUNT) $add = HZ_TURN_ADD_MONEY;
 			else $add = 0;
 
 			$db->query('UPDATE hz_players SET turndone="0", money=money+'.$add.' WHERE game='.$game, __FILE__, __LINE__, __FUNCTION__);