From e4d344787e08fb60bfd27f7167cfa594fadad2fc Mon Sep 17 00:00:00 2001 From: Steven Soloff Date: Thu, 23 Nov 2017 23:33:27 -0500 Subject: [PATCH] Resync with latest production code Somehow the production code got out of sync with the version used to initialize this repository. This commit ensures the repo code is in sync with the latest production code while maintaining the changes previously applied to remove hard-coded sensitive information from the source code, as well as to allow MARTI to run from a Docker container. --- dice/.htaccess | 3 + dice/MARTI.php | 122 +++++++++++++++-------------- dice/MARTI_verify.php | 39 ++++------ dice/dice.class.php | 121 ++++++++++++++++++++++------- dice/index.php | 31 ++++---- dice/marti_mod.php | 82 ++++++++++++++++++++ dice/register.php | 174 +++++++++++++++++++++--------------------- dice/unsubscribe.php | 91 +++++++++++----------- dice/validate.php | 114 +++++++++++++-------------- 9 files changed, 467 insertions(+), 310 deletions(-) create mode 100644 dice/.htaccess create mode 100644 dice/marti_mod.php diff --git a/dice/.htaccess b/dice/.htaccess new file mode 100644 index 0000000..911b27c --- /dev/null +++ b/dice/.htaccess @@ -0,0 +1,3 @@ + + deny from all + diff --git a/dice/MARTI.php b/dice/MARTI.php index 7f87a4f..ac8c1b0 100644 --- a/dice/MARTI.php +++ b/dice/MARTI.php @@ -2,67 +2,77 @@ error_reporting(E_ALL); ini_set('display_errors', '1'); ?> + M.A.R.T.I. Server --> "more accurate rolls than irony"- server - checkIfMailsAreRegistered($output['emails']); - } catch(exception $e) { - exit($e->getMessage()); - } - - //create dice - $output['dice'] = $dice->createdice($numdice, $numsides); - - //encrypt the output array - $enc_array = $dice->encrypt_data($output); - - //send email; if delivery fails the script is aborted! - $dice->sendEmail($output['emails'], $output['subject'], $output['dice'], $enc_array['iv'], $enc_array['data']); - - //show dice - echo "your dice are: " . $output['dice'] . "
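Review bot: The new dice/.htaccess uses `deny from all`, the Apache 2.2 access-control syntax; on Apache 2.4 it is only understood through mod_access_compat, and when that module is not loaded the directive is an invalid command, so the protection does not hold in the intended form. The 2.4 equivalent is `Require all denied`, and both can be kept side by side for a mixed fleet. Whether the rule guards the whole directory or only specific files is not visible here, because any container directive around the three lines was dropped by extraction; note also that an .htaccess file has effect only where the vhost's AllowOverride permits it, which this patch cannot guarantee.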

"; - ?> +checkIfMailsAreRegistered($output['emails']); +} +catch(exception $e) { + exit($e->getMessage()); +} + +//create dice +$output['dice'] = $dice->createdice($numdice, $numsides); + +//update the stats in the database: number of requests and dice rolled +//$dice->updateStats($numdice); + +//encrypt the output array +$enc_array = $dice->encrypt_data($output); + +//send email; if delivery fails the script is aborted! +$dice->sendEmail($output['emails'], $output['subject'], $output['dice'], $enc_array['iv'], $enc_array['data']); + +//show dice +echo "your dice are: " . $output['dice'] . "

"; + +?> diff --git a/dice/MARTI_verify.php b/dice/MARTI_verify.php index c4a9dc4..0977215 100644 --- a/dice/MARTI_verify.php +++ b/dice/MARTI_verify.php @@ -1,24 +1,15 @@ - - - - MARTI Verifyer - - - decrypt_data(null, $iv, $enc); - - echo "Dice were authentic: " . $outputArray['dice']; - ?> - - \ No newline at end of file +decrypt_data(null, $iv, $enc); + +echo "Dice were authentic: " . $outputArray['dice']; +?> \ No newline at end of file diff --git a/dice/dice.class.php b/dice/dice.class.php index 881cfe9..cf8bacb 100644 --- a/dice/dice.class.php +++ b/dice/dice.class.php @@ -3,19 +3,18 @@ class dice { var $domain; var $dbconn; var $db = null; - var $enc = []; + var $enc = array(); // constructor function __construct() { $this->domain = self::getBaseUri(); - $this->connectDatabase(); + $this->connectDatabase(); } // destructor function __destruct() { - if(! is_null($this->db)){ + if(! is_null($this->db)) $this->disconnectDatabase(); - } } /** @@ -28,13 +27,12 @@ static function getBaseUri() { return $_SERVER['REQUEST_SCHEME'] . "://" . $_SERVER['HTTP_HOST'] . $pathWithoutLastSegment; } - //////////////////////////////// - // database // - //////////////////////////////// +//////////////////////////////// +// database // +//////////////////////////////// function connectDatabase() { - if(! is_null($this->db)){ - return; - } + if(! is_null($this->db)) + return; $host = getenv("MARTI_DB_HOST"); $user = getenv("MARTI_DB_USERNAME"); @@ -61,6 +59,10 @@ function getStats() { $sql = "SELECT * FROM stats"; $result = $this->dbconn->query($sql) or exit("fatal error: data connection lost @getStats!"); $stats = mysqli_fetch_array($result); + + + // print_r($stats); + return $stats; } 
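Review bot: The rewritten MARTI_verify.php passes request-supplied `$iv` and `$enc` (their assignments are not legible in the extracted hunk; inferred from the call) straight to `decrypt_data`, whose new side in the dice.class.php hunk at `@@ -218` ends in `unserialize($decrypted_data)`; nothing authenticates the ciphertext first, so a tampered or forged blob is deserialized as PHP objects instead of being rejected. A defensive fix is to append an HMAC over iv and ciphertext in `encrypt_data`, verify it with `hash_equals()` at the top of `decrypt_data` before any mcrypt call, and exchange the payload as JSON (`json_encode`/`json_decode`) rather than `serialize`/`unserialize`. The `$outputArray['dice']` echoed afterwards should also go through `htmlspecialchars` since its origin is the request.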
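Review bot: `// print_r($stats);` in getStats is commented-out debug code, and the same pattern recurs in the hunks at `@@ -145` (echo/print_r of the unserialized key file contents), `@@ -198` (encrypted payload and IV), `@@ -218` (decrypted plaintext) and `@@ -275` (a commented popen/sendmail block). Re-enabling any of the first three would write key material or plaintext into the HTTP response, so they are safer deleted than preserved as comments; version control keeps the history. If the commit must mirror production byte for byte, a single comment at the top of the class, `// commented echo/print_r lines are debug leftovers; remove rather than re-enable`, at least warns the next maintainer.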
@@ -75,19 +77,18 @@ function checkIfMailsAreRegistered(array $emails) { $result = $this->dbconn->query($sql) or exit("fatal error: data connection lost @checkIfMailsAreRegistered!"); $registered_mails = mysqli_fetch_array($result); $num_emails = $result->num_rows; - if($num_emails == count($emails)){ + if($num_emails == count($emails)) return true; // all emails are registered - } - if($registered_mails == false){ + + if($registered_mails == false) throw new exception("fatal error: none of the emails is registered. Please register emails at ".$this->domain."/register.php !"); - } foreach($emails as $email) { - if(! in_array($email, $registered_mails)){ + if(! in_array($email, $registered_mails)) throw new exception("fatal error: email $email is not registered. Please register email at ".$this->domain."/register.php !"); - } } throw new exception("fatal error: unknown error with email adresses!"); + return false; } /** @@ -101,7 +102,10 @@ function checkIfMailIsRegistered($email) { $result = $this->dbconn->query($sql) or exit("fatal error: data connection error " . $this->dbconn->error . "!"); $num_emails = $result->num_rows; - return ($num_emails == 1); + if($num_emails == 1) + return true; + + return false; } /** @@ -125,14 +129,19 @@ function disconnectDatabase() { mysqli_close($this->dbconn); } - //////////////////////////////// - // Encryption // - //////////////////////////////// + + + +//////////////////////////////// +// Encryption // +//////////////////////////////// + /** * returns the date and key * if no date is specified the latest key in key.dat will be returned */ function getEncryptionKey($date = null) { + // get old key if($date) { $dir = dirname(__FILE__); @@ -145,14 +154,18 @@ function getEncryptionKey($date = null) { $keyfile = fopen("key.dat", "r"); } + if ($keyfile) { $data = fread($keyfile, 8192); $this->enc = unserialize($data); fclose($keyfile); + // echo "
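Review bot: In checkIfMailsAreRegistered the added `return false;` follows an unconditional `throw new exception(...)` and is unreachable, so it should be dropped. The loop above it also inspects only one row: `mysqli_fetch_array($result)` returns a single row, so `in_array($email, $registered_mails)` compares every address against the first registered row rather than the full result set, and the call runs without `strict: true`. The `$email` interpolated into the exception text is request input that MARTI.php prints through `exit($e->getMessage())` without `htmlspecialchars`, so escaping it where the message is built (or at the exit) is advisable. The `@@ -101` hunk in the same file replaces `return ($num_emails == 1);` with an if/return-true/return-false chain; the expression form is clearer, e.g. `return $num_emails === 1;`.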
unserialized data:" . $this->enc . "
"; + // print_r($this->enc); return $this->enc; - } else { + } + else { exit("fatal error: Wrong date!"); } } @@ -198,6 +211,7 @@ function encrypt_data($input) { $out['data'] = rawurlencode(base64_encode($encrypted_data)); $out['iv'] = rawurlencode(base64_encode($out['iv'])); +// echo "
encrypted data:". $out['data'] . ", iv:" . $out['iv'] ."
"; return $out; } @@ -208,7 +222,8 @@ function decrypt_data($date, $iv, $encrypted_data) { if ($date != $this->getDate()) { $encrypt_key = $this->getEncryptionKey($date); - } else { + } + else { $encrypt_key = $this->getEncryptionKey(); } @@ -218,7 +233,10 @@ function decrypt_data($date, $iv, $encrypted_data) { mcrypt_generic_deinit($td); mcrypt_module_close($td); +// echo "
decrypted data: $decrypted_data
"; $output = unserialize($decrypted_data); +// print_r($output); + return $output; } @@ -228,14 +246,18 @@ function checkNewKeyNeeded() { $current_key = $this->getEncryptionKey(); if ($now != $current_key['date']) { return true; - } else { + } + else { return false; } } - //////////////////////////////// - // dice and mail // - //////////////////////////////// + + +//////////////////////////////// +// dice and mail // +//////////////////////////////// + function createdice($numdice, $numsides) { $i = 0; while ($i <= $numdice-1) { @@ -247,11 +269,42 @@ function createdice($numdice, $numsides) { return $dicestring; } + /** + * check if email adress is in a valid format + * @return bool +* feb 27 2016, using php's filter_input, sanitize filters now + */ + static function checkEmail($email) { + return true; +// if (!ereg("^[_a-zA-Z0-9-]+(\.[_a-zA-Z0-9-]+)*@[a-zA-Z0-9-]+\.([a-zA-Z0-9-]{2,3})$",$email)) { + $regex = "/^[_a-zA-Z0-9]+(\.[_a-zA-Z0-9-]+)*@[a-zA-Z0-9-]{2,}(\.[_a-zA-Z0-9-]+)?\.([a-zA-Z0-9-]{2,3})$/"; + /* legal examples: name@domain.com, my.name@domain.net, name@subdomain.domain.de, my.name@subdomain.domain.org + * + * /^[_a-zA-Z0-9-]+ begins with letter or number + * (\.[_a-zA-Z0-9-]+)* none or multiple letters or numbers which begins with a . + * @ @ + * [a-zA-Z0-9-]{2,} at least two more letters or numbers + * (\.[_a-zA-Z0-9-]+)? optional: at least one more char or num which begins with a . + * \. . + * ([a-zA-Z0-9-]{2,3})$/ 2-3 chars or numbers and end of expression + */ + if (!preg_match($regex,$email)) { + echo "fatal error: email $email has wrong format!"; + return false; + } + + //echo "email $email is ok
"; + return true; + } + + + function getDate() { return date("Y-m"); } function sendEmail($emails, $subject, $dice, $iv, $encrypted_data) { + $to = implode (", ", $emails); $date = $this->getDate(); @@ -275,13 +328,25 @@ function sendEmail($emails, $subject, $dice, $iv, $encrypted_data) { $subj = "$subject"; $mailsend= @mail($to,$subj,$message,$ehead); - + + /*$fd = popen("/usr/sbin/sendmail -t","w") or die("Couldn't Open Sendmail"); + fputs($fd, "To: ".$to." \n"); + fputs($fd, "From: \"MARTI\" \n"); + fputs($fd, "Subject: ".$subject." \n"); + fputs($fd, "X-Mailer: PHP3 \n\n"); + fputs($fd, $message); + pclose($fd);*/ + if ($mailsend) { echo("
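Review bot: The new static `checkEmail` returns `true` on its first statement, so the regex, its explanatory comment block and the `preg_match` branch below are dead code and no format check ever happens; the docblock line "using php's filter_input, sanitize filters now" suggests validation moved elsewhere, but nothing in this patch shows it. If the method is meant to remain the gate for addresses that end up in `mail()` arguments (register.php builds `$to` and the `List-Unsubscribe` link from `$email`), replace the body with `return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;` and delete the unreachable block; otherwise remove the method so callers cannot mistake it for a check. Reporting failure with `echo` inside a boolean helper also mixes output into validation; returning false or throwing and letting the caller print is cleaner. The hunk also adds `getDate` and the first line of `sendEmail`, whose body continues in the next hunk.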

Dice results were sent via email!


click here to verify the roll
"); - } else { + } + else { echo("

Email delivery failed...

Dice results were not sent.
Please try it later again."); exit("

fatal error: email delivery failed!"); } + } + + } ?> diff --git a/dice/index.php b/dice/index.php index d8f8075..f78ce25 100644 --- a/dice/index.php +++ b/dice/index.php @@ -1,16 +1,15 @@ - - - - Register your email for MARTI services - - -

- Enter your email here to register for using the MARTI dice server: -
- -
- -
- - - + + + Register your email for MARTI services + + +
+ Enter your email here to register for using the MARTI dice server: +
+ +
+ +
+ + + diff --git a/dice/marti_mod.php b/dice/marti_mod.php new file mode 100644 index 0000000..5e98a0b --- /dev/null +++ b/dice/marti_mod.php @@ -0,0 +1,82 @@ + + + + + + + M.A.R.T.I. Server --> "more accurate rolls than irony"- server + + +checkIfMailsAreRegistered($output['emails']); +} +catch(exception $e) { + exit($e->getMessage()); +} + + + +//create dice +$output['dice'] = $dice->createdice($numdice, $numsides); + +//update the stats in the database: number of requests and dice rolled +//$dice->updateStats($numdice); + +//encrypt the output array +$enc_array = $dice->encrypt_data($output); + +//send email; if delivery fails the script is aborted! +$dice->sendEmail($output['emails'], $output['subject'], $output['dice'], $enc_array['iv'], $enc_array['data']); + +//show dice +echo "your dice are: " . $output['dice'] . "

"; + +?> + + + diff --git a/dice/register.php b/dice/register.php index 71025b6..08b9510 100644 --- a/dice/register.php +++ b/dice/register.php @@ -1,85 +1,89 @@ - - - - Register your email for MARTI services - - - -
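Review bot: marti_mod.php appears to be a near-verbatim copy of the new MARTI.php handler (same title, the same `checkIfMailsAreRegistered` / `createdice` / `encrypt_data` / `sendEmail` sequence and the same commented `updateStats` call); the extracted hunk does not show what differs, so the duplication is inferred. Two copies of the request handler will drift, so either a header comment stating why the second entry point exists, e.g. `// marti_mod.php: variant of MARTI.php for <reason>; keep request handling in sync with MARTI.php`, or moving the shared part into a function that both files include, would help.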

- Enter your email here to register for using the MARTI dice server: -
- -
- -
- checkIfMailIsRegistered($email)) - exit("This email is already registered"); - - // collecting information for validation - $time = time(); // in unix format - $validation = md5($email . $time . rand()); - $IP = ip2long($_SERVER['REMOTE_ADDR']); - - $sql = "SELECT email FROM pending_validations WHERE email=?"; - $rows = []; - if( $sth = $dice->dbconn->prepare( $sql ) ){ - $sth->bind_param('s',$email); - $sth->execute() or trigger_error($mysqli->error); - $sth->bind_result($emailColumn);//Read below V - while($sth->fetch()){ - $rows[] = $emailColumn;//RoiEX (Me) Changed this variable name from $email to $emailColumn - }//bind_result changed the var to something unreadable wich prevented emails from being sent after registration! - } else { - echo "A DB error has occured, please contact an admin. ("; var_dump( $dice->dbconn->errno ); - echo ")"; - exit; - } - - // insert or update pending validation - if( empty($rows)) { - $sql = "INSERT INTO pending_validations (email, validation_key, time_stamp, IP) VALUES (?, ?, FROM_UNIXTIME(?), ?)"; - $sth = $dice->dbconn->prepare( $sql ); - $sth->bind_param('ssss', $email, $validation, $time, $IP ); - $sth->execute(); - } - else { - $sql = "UPDATE pending_validations SET validation_key=?, time_stamp= FROM_UNIXTIME(?), IP=? 
WHERE email=?"; - $sth = $dice->dbconn->prepare( $sql ); - $sth->bind_param('ssss', $validation, $time, $IP, $email ); - $sth->execute(); - } - - // sending email - $to = $email; - $email_enc = urlencode($email); - $subj = "Registration for MARTI dice server"; - $from = "marti@tripleawarclub.org"; - $ehead= "From: MARTI<".$from.">\r\n"; - $ehead .= "List-Unsubscribe:<$dice->domain/unsubscribe.php?email=$email_enc>\r\n"; - $message = "To validate your email click this link: $dice->domain/validate.php?email=$email_enc&val=$validation"; - $message .= "\r\n\r\nTo unsubscribe from this service go to $dice->domain/unsubscribe.php?email=$email_enc"; - $mailsend= @mail($to,$subj,$message,$ehead,"-f $from -r no-reply@tripleawarclub.org"); - - if ($mailsend) { - echo("

You should receive an email in your postbox with a validation link soon.

After validating your email you can use the MARTI dice server"); - } - else { - echo("

Email delivery failed...

Please try it later again."); - } - } - ?> - - + + + Register your email for MARTI services + + + +
+ Enter your email here to register for using the MARTI dice server: +
+ +
+ +
+checkIfMailIsRegistered($email)) + exit("This email is already registered"); + + // collecting information for validation + $time = time(); // in unix format + $validation = md5($email . $time . rand()); + $IP = ip2long($_SERVER['REMOTE_ADDR']); + + $sql = "SELECT email FROM pending_validations WHERE email=?"; + $rows = array(); + if( $sth = $dice->dbconn->prepare( $sql ) ){ + $sth->bind_param('s',$email); + $sth->execute() or trigger_error($mysqli->error); + $sth->bind_result($emailColumn); + while($sth->fetch()){ + $rows[] = $emailColumn; + } + } else { + echo "A DB error has occured, please contact an admin. ("; var_dump( $dice->dbconn->errno ); echo ")";exit; + } + + // insert or update pending validation + if( empty($rows)) { + $sql = "INSERT INTO pending_validations (email, validation_key, time_stamp, IP) VALUES (?, ?, FROM_UNIXTIME(?), ?)"; + $sth = $dice->dbconn->prepare( $sql ); + $sth->bind_param('ssss', $email, $validation, $time, $IP ); + $sth->execute(); + } + else { + $sql = "UPDATE pending_validations SET validation_key=?, time_stamp= FROM_UNIXTIME(?), IP=? WHERE email=?"; + $sth = $dice->dbconn->prepare( $sql ); + $sth->bind_param('ssss', $validation, $time, $IP, $email ); + $sth->execute(); + } + + // sending email + $to = $email; + $email_enc = urlencode($email); + $subj = "Registration for MARTI dice server"; + $from = "marti@tripleawarclub.org"; + $ehead= "From: MARTI<".$from.">\r\n"; + $ehead .= "List-Unsubscribe:<$dice->domain/unsubscribe.php?email=$email_enc>\r\n"; + $message = "To validate your email click this link: $dice->domain/validate.php?email=$email_enc&val=$validation"; + $message .= "\r\n\r\nTo unsubscribe from this service go to $dice->domain/unsubscribe.php?email=$email_enc"; + $mailsend= @mail($to,$subj,$message,$ehead,"-f $from -r no-reply@tripleawarclub.org"); + + if ($mailsend) { + echo("

You should receive an email in your postbox with a validation link soon.

After validating your email you can use the MARTI dice server"); + } + else { + echo("

Email delivery failed...

Please try it later again."); + } + + +} +?> + + + + diff --git a/dice/unsubscribe.php b/dice/unsubscribe.php index 1c6bb12..be69359 100644 --- a/dice/unsubscribe.php +++ b/dice/unsubscribe.php @@ -1,45 +1,46 @@ - - - - Unsubscribe from MARTI dice services - - - -
- Enter your email here to unsubscribe your email from MARTI dice services: -
- -
- -
- checkIfMailIsRegistered($email)){ - exit("This email is not registered, or was never validated."); - } - - $sql = "DELETE FROM dice_emails WHERE registered_email=?"; - - if( $sth = $dice->dbconn->prepare( $sql ) ){ - $sth->bind_param('s',$email); - $sth->execute() or trigger_error($mysqli->error); - } else { - echo "A DB error has occured, please contact an admin. (2-"; var_dump( $dice->dbconn->errno ); - echo ")"; - exit; - } - echo "Your email was successfully removed. You will no longer receive dice emails."; - } - ?> - - + + + Unsubscribe from MARTI dice services + + + +
+ Enter your email here to unsubscribe your email from MARTI dice services: +
+ +
+ +
+checkIfMailIsRegistered($email)) + exit("This email is not registered, or was never validated."); + + $sql = "DELETE FROM dice_emails WHERE registered_email=?"; + +if( $sth = $dice->dbconn->prepare( $sql ) ){ + $sth->bind_param('s',$email); + $sth->execute() or trigger_error($mysqli->error); +} else { + echo "A DB error has occured, please contact an admin. (2-"; var_dump( $dice->dbconn->errno ); echo ")";exit; +} + + echo "Your email was successfully removed. You will no longer receive dice emails."; +} +?> + + + diff --git a/dice/validate.php b/dice/validate.php index f114f64..4797924 100644 --- a/dice/validate.php +++ b/dice/validate.php 
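Review bot: The only gate before `DELETE FROM dice_emails WHERE registered_email=?` is `checkIfMailIsRegistered`, so anyone who knows a registered address can remove it by submitting the form or following the `List-Unsubscribe` URL that register.php emits; nothing proves the requester controls the mailbox. register.php already mints a per-address `validation_key` for sign-up, and requiring a similar emailed secret here, compared with `hash_equals()`, would close this without a schema change beyond what pending_validations already holds. The `$mysqli->error` reference is undefined here as in register.php and should be `$dice->dbconn->error`.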
@@ -1,56 +1,58 @@ - - - - Validation site for MARTI dice services - - - dbconn->prepare( $sql ) ){ - $sth->bind_param('ss',$email,$validation); - $sth->execute() or trigger_error($mysqli->error); - $sth->bind_result($r_email,$r_validation); - while($sth->fetch()){ - $rows[] = array( $r_email, $r_validation ); - } - } else { - echo "A DB error has occured, please contact an admin. (1-"; var_dump( $dice->dbconn->errno ); echo ")";exit; - } - - if(empty($rows)) - exit("Could not verify the data. Please check the link you have received in your email"); - - $sql = "INSERT INTO dice_emails (registered_email) VALUES (?)"; - - if( $sth = $dice->dbconn->prepare( $sql ) ){ - $sth->bind_param('s',$email); - $sth->execute() or trigger_error($mysqli->error); - } else { - echo "A DB error has occured, please contact an admin. (2-"; var_dump( $dice->dbconn->errno ); echo ")";exit; - } - - $sql = "DELETE FROM pending_validations WHERE email=?"; - - if( $sth = $dice->dbconn->prepare( $sql ) ){ - $sth->bind_param('s',$email); - $sth->execute() or trigger_error($mysqli->error); - } else { - echo "A DB error has occured, please contact an admin. (3-"; var_dump( $dice->dbconn->errno ); echo ")";exit; - } - - echo "Registration was successfull. You can now use the MARTI dice server."; - - ?> - - - + + + Validation site for MARTI dice services + + +dbconn->prepare( $sql ) ){ + $sth->bind_param('ss',$email,$validation); + $sth->execute() or trigger_error($mysqli->error); + $sth->bind_result($r_email,$r_validation); + while($sth->fetch()){ + $rows[] = array( $r_email, $r_validation ); + } + } else { + echo "A DB error has occured, please contact an admin. (1-"; var_dump( $dice->dbconn->errno ); echo ")";exit; + } + +if(empty($rows)) + exit("Could not verify the data. 
Please check the link you have received in your email"); + +$sql = "INSERT INTO dice_emails (registered_email) VALUES (?)"; + +if( $sth = $dice->dbconn->prepare( $sql ) ){ + $sth->bind_param('s',$email); + $sth->execute() or trigger_error($mysqli->error); +} else { + echo "A DB error has occured, please contact an admin. (2-"; var_dump( $dice->dbconn->errno ); echo ")";exit; +} + +$sql = "DELETE FROM pending_validations WHERE email=?"; + +if( $sth = $dice->dbconn->prepare( $sql ) ){ + $sth->bind_param('s',$email); + $sth->execute() or trigger_error($mysqli->error); +} else { + echo "A DB error has occured, please contact an admin. (3-"; var_dump( $dice->dbconn->errno ); echo ")";exit; +} + +echo "Registration was successfull. You can now use the MARTI dice server."; + +?> + + +