prohibit inline control structures on includes and index

2016-09-29 11:28:42 +02:00 · 2016-09-29 11:28:42 +02:00 · 4c288e957e
parent e965f8d041
commit 4c288e957e
7 changed files with 150 additions and 100 deletions
--- a/includes/engelsystem_provider.php
+++ b/includes/engelsystem_provider.php
@ -54,8 +54,9 @@ require_once realpath(__DIR__ . '/../includes/mailer/shifts_mailer.php');
 require_once realpath(__DIR__ . '/../includes/mailer/users_mailer.php');
 require_once realpath(__DIR__ . '/../config/config.default.php');
-if (file_exists(realpath(__DIR__ . '/../config/config.php')))
+if (file_exists(realpath(__DIR__ . '/../config/config.php'))) {
  require_once realpath(__DIR__ . '/../config/config.php');
 }
 if ($maintenance_mode) {
  echo file_get_contents(__DIR__ . '/../public/maintenance.html');
--- a/includes/mysqli_provider.php
+++ b/includes/mysqli_provider.php
@ -22,10 +22,11 @@ function sql_null($value = null) {
 function sql_transaction_start() {
  global $sql_nested_transaction_level;
-  if ($sql_nested_transaction_level ++ == 0)
+  if ($sql_nested_transaction_level ++ == 0) {
    return sql_query("BEGIN");
-  else
+  }
-    return true;
+  
  return true;
 }
 /**
@ -34,10 +35,11 @@ function sql_transaction_start() {
 function sql_transaction_commit() {
  global $sql_nested_transaction_level;
-  if (-- $sql_nested_transaction_level == 0)
+  if (-- $sql_nested_transaction_level == 0) {
    return sql_query("COMMIT");
-  else
+  }
-    return true;
+  
  return true;
 }
 /**
@ -46,10 +48,11 @@ function sql_transaction_commit() {
 function sql_transaction_rollback() {
  global $sql_nested_transaction_level;
-  if (-- $sql_nested_transaction_level == 0)
+  if (-- $sql_nested_transaction_level == 0) {
    return sql_query("ROLLBACK");
-  else
+  } else {
    return true;
  }
 }
 /**
@ -92,12 +95,14 @@ function sql_connect($host, $user, $pass, $db) {
  }
  $result = $sql_connection->query("SET CHARACTER SET utf8;");
-  if (! $result)
+  if (! $result) {
    return sql_error("Unable to set utf8 character set (" . $sql_connection->errno . ") " . $sql_connection->error);
  }
  $result = $sql_connection->set_charset('utf8');
-  if (! $result)
+  if (! $result) {
    return sql_error("Unable to set utf8 names (" . $sql_connection->errno . ") " . $sql_connection->error);
  }
  return $sql_connection;
 }
@ -111,8 +116,9 @@ function sql_connect($host, $user, $pass, $db) {
 */
 function sql_select_db($db_name) {
  global $sql_connection;
-  if (! $sql_connection->select_db($db_name))
+  if (! $sql_connection->select_db($db_name)) {
    return sql_error("No database selected.");
  }
  return true;
 }
@ -127,12 +133,14 @@ function sql_select($query) {
  $result = $sql_connection->query($query);
  if ($result) {
-    $data = array();
+    $data = [];
-    while ($line = $result->fetch_assoc())
+    while ($line = $result->fetch_assoc()) {
      array_push($data, $line);
    }
    return $data;
-  } else
+  }
-    return sql_error("MySQL-query error: " . $query . " (" . $sql_connection->errno . ") " . $sql_connection->error);
+  
  return sql_error("MySQL-query error: " . $query . " (" . $sql_connection->errno . ") " . $sql_connection->error);
 }
 /**
@ -147,8 +155,9 @@ function sql_query($query) {
  $result = $sql_connection->query($query);
  if ($result) {
    return $result;
-  } else
+  }
-    return sql_error("MySQL-query error: " . $query . " (" . $sql_connection->errno . ") " . $sql_connection->error);
+  
  return sql_error("MySQL-query error: " . $query . " (" . $sql_connection->errno . ") " . $sql_connection->error);
 }
 /**
--- a/includes/sys_auth.php
+++ b/includes/sys_auth.php
@ -1,49 +1,59 @@
 <?php
-// Testet ob ein User eingeloggt ist und lädt die entsprechenden Privilegien
+/**
 *  Testet ob ein User eingeloggt ist und lädt die entsprechenden Privilegien
 */
 function load_auth() {
  global $user, $privileges;
-
+  
  $user = null;
  if (isset($_SESSION['uid'])) {
    $user = sql_select("SELECT * FROM `User` WHERE `UID`='" . sql_escape($_SESSION['uid']) . "' LIMIT 1");
    if (count($user) > 0) {
      // User ist eingeloggt, Datensatz zur Verfügung stellen und Timestamp updaten
-      list ($user) = $user;
+      list($user) = $user;
      sql_query("UPDATE `User` SET " . "`lastLogIn` = '" . time() . "'" . " WHERE `UID` = '" . sql_escape($_SESSION['uid']) . "' LIMIT 1;");
-    } else
+    } else {
      unset($_SESSION['uid']);
    }
  }
-
+  
  $privileges = isset($user) ? privileges_for_user($user['UID']) : privileges_for_group(- 1);
 }
-// generate a salt (random string) of arbitrary length suitable for the use with crypt()
+/**
 * generate a salt (random string) of arbitrary length suitable for the use with crypt()
 */
 function generate_salt($length = 16) {
  $alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
  $salt = "";
-  for($i = 0; $i < $length; $i ++) {
+  for ($i = 0; $i < $length; $i ++) {
    $salt .= $alphabet[rand(0, strlen($alphabet) - 1)];
  }
  return $salt;
 }
-// set the password of a user
+/**
 * set the password of a user
 */
 function set_password($uid, $password) {
  return sql_query("UPDATE `User` SET `Passwort` = '" . sql_escape(crypt($password, CRYPT_ALG . '$' . generate_salt(16) . '$')) . "', `password_recovery_token`=NULL WHERE `UID` = " . intval($uid) . " LIMIT 1");
 }
-// verify a password given a precomputed salt.
+/**
-// if $uid is given and $salt is an old-style salt (plain md5), we convert it automatically
+ * verify a password given a precomputed salt.
 * if $uid is given and $salt is an old-style salt (plain md5), we convert it automatically
 */
 function verify_password($password, $salt, $uid = false) {
  $correct = false;
-  if (substr($salt, 0, 1) == '$') // new-style crypt()
+  if (substr($salt, 0, 1) == '$') { // new-style crypt()
    $correct = crypt($password, $salt) == $salt;
-  elseif (substr($salt, 0, 7) == '{crypt}') // old-style crypt() with DES and static salt - not used anymore
+  } elseif (substr($salt, 0, 7) == '{crypt}') { // old-style crypt() with DES and static salt - not used anymore
    $correct = crypt($password, '77') == $salt;
-  elseif (strlen($salt) == 32) // old-style md5 without salt - not used anymore
+  } elseif (strlen($salt) == 32) { // old-style md5 without salt - not used anymore
    $correct = md5($password) == $salt;
-
+  }
  if ($correct && substr($salt, 0, strlen(CRYPT_ALG)) != CRYPT_ALG && $uid) {
    // this password is stored in another format than we want it to be.
    // let's update it!
@ -54,18 +64,20 @@ function verify_password($password, $salt, $uid = false) {
 }
 function privileges_for_user($user_id) {
-  $privileges = array ();
+  $privileges = [];
  $user_privs = sql_select("SELECT `Privileges`.`name` FROM `User` JOIN `UserGroups` ON (`User`.`UID` = `UserGroups`.`uid`) JOIN `GroupPrivileges` ON (`UserGroups`.`group_id` = `GroupPrivileges`.`group_id`) JOIN `Privileges` ON (`GroupPrivileges`.`privilege_id` = `Privileges`.`id`) WHERE `User`.`UID`='" . sql_escape($user_id) . "'");
-  foreach ($user_privs as $user_priv)
+  foreach ($user_privs as $user_priv) {
    $privileges[] = $user_priv['name'];
  }
  return $privileges;
 }
 function privileges_for_group($group_id) {
-  $privileges = array ();
+  $privileges = [];
  $groups_privs = sql_select("SELECT * FROM `GroupPrivileges` JOIN `Privileges` ON (`GroupPrivileges`.`privilege_id` = `Privileges`.`id`) WHERE `group_id`='" . sql_escape($group_id) . "'");
-  foreach ($groups_privs as $guest_priv)
+  foreach ($groups_privs as $guest_priv) {
    $privileges[] = $guest_priv['name'];
  }
  return $privileges;
 }
 ?>
--- a/includes/sys_menu.php
+++ b/includes/sys_menu.php
@ -1,8 +1,9 @@
 <?php
 function page_link_to($page) {
-  if ($page == "")
+  if ($page == "") {
    return '?';
  }
  return '?p=' . $page;
 }
@ -18,17 +19,21 @@ function header_toolbar() {
  $toolbar_items = array();
-  if (isset($user))
+  if (isset($user)) {
    $toolbar_items[] = toolbar_item_link(page_link_to('shifts') . '&amp;action=next', 'time', User_shift_state_render($user));
  }
-  if (! isset($user) && in_array('register', $privileges))
+  if (! isset($user) && in_array('register', $privileges)) {
    $toolbar_items[] = toolbar_item_link(page_link_to('register'), 'plus', register_title(), $p == 'register');
  }
-  if (in_array('login', $privileges))
+  if (in_array('login', $privileges)) {
    $toolbar_items[] = toolbar_item_link(page_link_to('login'), 'log-in', login_title(), $p == 'login');
  }
-  if (isset($user) && in_array('user_messages', $privileges))
+  if (isset($user) && in_array('user_messages', $privileges)) {
    $toolbar_items[] = toolbar_item_link(page_link_to('user_messages'), 'envelope', user_unread_messages());
  }
  $hints = [];
  if (isset($user)) {
@ -37,20 +42,24 @@ function header_toolbar() {
    // Erzengel Hinweis für unbeantwortete Fragen
    if ($p != "admin_questions") {
      $new_questions = admin_new_questions();
-      if ($new_questions != "")
+      if ($new_questions != "") {
        $hints[] = $new_questions;
      }
    }
    $unconfirmed_hint = user_angeltypes_unconfirmed_hint();
-    if ($unconfirmed_hint != '')
+    if ($unconfirmed_hint != '') {
      $hints[] = $unconfirmed_hint;
    }
-    if (! isset($user['planned_departure_date']) || $user['planned_departure_date'] == null)
+    if (! isset($user['planned_departure_date']) || $user['planned_departure_date'] == null) {
      $hints[] = info(_("Please enter your planned date of departure on your settings page to give us a feeling for teardown capacities."), true);
    }
    $driver_license_required = user_driver_license_required_hint();
-    if ($driver_license_required != '')
+    if ($driver_license_required != '') {
      $hints[] = $driver_license_required;
    }
    if (User_is_freeloader($user)) {
      $hints[] = error(sprintf(_("You freeloaded at least %s shifts. Shift signup is locked. Please go to heavens desk to be unlocked again."), $max_freeloadable_shifts), true);
@ -77,22 +86,27 @@ function header_toolbar() {
      $glyphicon = 'warning-sign';
    }
  }
-  if (count($hints) > 0)
+  if (count($hints) > 0) {
    $toolbar_items[] = toolbar_popover($glyphicon . ' text-' . $hint_class, '', $hints, 'bg-' . $hint_class);
  }
  $user_submenu = make_langselect();
  $user_submenu[] = toolbar_item_divider();
-  if (in_array('user_myshifts', $privileges))
+  if (in_array('user_myshifts', $privileges)) {
    $toolbar_items[] = toolbar_item_link(page_link_to('users') . '&amp;action=view', ' icon-icon_angel', $user['Nick'], $p == 'users');
  }
-  if (in_array('user_settings', $privileges))
+  if (in_array('user_settings', $privileges)) {
    $user_submenu[] = toolbar_item_link(page_link_to('user_settings'), 'list-alt', settings_title(), $p == 'user_settings');
  }
-  if (in_array('logout', $privileges))
+  if (in_array('logout', $privileges)) {
    $user_submenu[] = toolbar_item_link(page_link_to('logout'), 'log-out', logout_title(), $p == 'logout');
  }
-  if (count($user_submenu) > 0)
+  if (count($user_submenu) > 0) {
    $toolbar_items[] = toolbar_dropdown('', '', $user_submenu);
  }
  return toolbar($toolbar_items, true);
 }
@ -100,21 +114,23 @@ function header_toolbar() {
 function make_navigation() {
  global $p, $privileges;
-  $menu = array();
+  $menu = [];
-  $pages = array(
+  $pages = [
      "news" => news_title(),
      "user_meetings" => meetings_title(),
      "user_shifts" => shifts_title(),
      "angeltypes" => angeltypes_title(),
      "user_questions" => questions_title() 
-  );
+  ];
-  foreach ($pages as $page => $title)
+  foreach ($pages as $page => $title) {
-    if (in_array($page, $privileges))
+    if (in_array($page, $privileges)) {
      $menu[] = toolbar_item_link(page_link_to($page), '', $title, $page == $p);
    }
  }
-  $admin_menu = array();
+  $admin_menu = [];
-  $admin_pages = array(
+  $admin_pages = [
      "admin_arrive" => admin_arrive_title(),
      "admin_active" => admin_active_title(),
      "admin_user" => admin_user_title(),
@ -127,14 +143,17 @@ function make_navigation() {
      "admin_import" => admin_import_title(),
      "admin_log" => admin_log_title(),
      "admin_event_config" => event_config_title() 
-  );
+  ];
-  foreach ($admin_pages as $page => $title)
+  foreach ($admin_pages as $page => $title) {
-    if (in_array($page, $privileges))
+    if (in_array($page, $privileges)) {
      $admin_menu[] = toolbar_item_link(page_link_to($page), '', $title, $page == $p);
    }
  }
-  if (count($admin_menu) > 0)
+  if (count($admin_menu) > 0) {
    $menu[] = toolbar_dropdown('', _("Admin"), $admin_menu);
  }
  return toolbar($menu);
 }
--- a/includes/sys_page.php
+++ b/includes/sys_page.php
@ -31,8 +31,9 @@ function raw_output($output) {
 * @return ValidationResult containing the parsed date
 */
 function check_request_date($name, $error_message = null, $null_allowed = false) {
-  if (! isset($_REQUEST[$name]))
+  if (! isset($_REQUEST[$name])) {
    return new ValidationResult($null_allowed, null);
  }
  return check_date($_REQUEST[$name], $error_message, $null_allowed);
 }
@ -49,10 +50,12 @@ function check_request_date($name, $error_message = null, $null_allowed = false)
 * @return ValidationResult containing the parsed date
 */
 function check_date($input, $error_message = null, $null_allowed = false) {
-  if (DateTime::createFromFormat("Y-m-d", trim($input)))
+  if (DateTime::createFromFormat("Y-m-d", trim($input))) {
    return new ValidationResult(true, DateTime::createFromFormat("Y-m-d", trim($input))->getTimestamp());
-  if ($null_allowed)
+  }
  if ($null_allowed) {
    return new ValidationResult(true, null);
  }
  error($error_message);
  return new ValidationResult(false, null);
--- a/includes/sys_template.php
+++ b/includes/sys_template.php
@ -179,19 +179,10 @@ function form_date($name, $label, $value, $start_date = '') {
 */
 function form_checkboxes($name, $label, $items, $selected) {
  $html = form_element($label, '');
  foreach ($items as $key => $item)
    $html .= form_checkbox($name . '_' . $key, $item, array_search($key, $selected) !== false);
  return $html;
  $html = "<ul>";
  foreach ($items as $key => $item) {
-    $id = $name . '_' . $key;
+    $html .= form_checkbox($name . '_' . $key, $item, array_search($key, $selected) !== false);
    $sel = array_search($key, $selected) !== false ? ' checked="checked"' : "";
    $html .= '<li><input type="checkbox" id="' . $id . '" name="' . $id . '" value="checked"' . $sel . ' /><label for="' . $id . '">' . $item . '</label></li>';
  }
-  $html .= "</ul>";
+  return $html;
  return form_element($label, $html);
 }
 /**
@ -210,16 +201,18 @@ function form_checkboxes($name, $label, $items, $selected) {
 */
 function form_multi_checkboxes($names, $label, $items, $selected, $disabled = array()) {
  $html = "<table><thead><tr>";
-  foreach ($names as $title)
+  foreach ($names as $title) {
    $html .= "<th>$title</th>";
  }
  $html .= "</tr></thead><tbody>";
  foreach ($items as $key => $item) {
    $html .= "<tr>";
    foreach ($names as $name => $title) {
      $id = $name . '_' . $key;
      $sel = array_search($key, $selected[$name]) !== false ? ' checked="checked"' : "";
-      if (! empty($disabled) && ! empty($disabled[$name]) && array_search($key, $disabled[$name]) !== false)
+      if (! empty($disabled) && ! empty($disabled[$name]) && array_search($key, $disabled[$name]) !== false) {
        $sel .= ' disabled="disabled"';
      }
      $html .= '<td style="text-align: center;"><input type="checkbox" id="' . $id . '" name="' . $name . '[]" value="' . $key . '"' . $sel . ' /></td>';
    }
    $html .= '<td><label for="' . $id . '">' . $item . '</label></td></tr>';
@ -246,10 +239,12 @@ function form_radio($name, $label, $selected, $value) {
 * Rendert einen Infotext in das Formular
 */
 function form_info($label, $text = "") {
-  if ($label == "")
+  if ($label == "") {
    return '<span class="help-block">' . glyph('info-sign') . $text . '</span>';
-  if ($text == "")
+  }
  if ($text == "") {
    return '<h4>' . $label . '</h4>';
  }
  return form_element($label, '<p class="form-control-static">' . $text . '</p>', '');
 }
@ -312,9 +307,9 @@ function form_select($name, $label, $values, $selected) {
 function form_element($label, $input, $for = "") {
  if ($label == '') {
    return '<div class="form-group">' . $input . '</div>';
  } else {
    return '<div class="form-group">' . '<label for="' . $for . '">' . $label . '</label>' . $input . '</div>';
  }
  return '<div class="form-group">' . '<label for="' . $for . '">' . $label . '</label>' . $input . '</div>';
 }
 /**
@ -346,34 +341,40 @@ function page_with_title($title, $elements) {
 function table($columns, $rows_raw, $data = true) {
  // If only one column is given
  if (! is_array($columns)) {
-    $columns = array(
+    $columns = [
        'col' => $columns 
-    );
+    ];
-    $rows = array();
+    $rows = [];
    foreach ($rows_raw as $row)
-      $rows[] = array(
+      $rows[] = [
          'col' => $row 
-      );
+      ];
-  } else
+  } else {
    $rows = $rows_raw;
  }
-  if (count($rows) == 0)
+  if (count($rows) == 0) {
    return info(_("No data found."), true);
  }
  $html = "";
  $html .= '<table class="table table-striped' . ($data ? ' data' : '') . '">';
  $html .= '<thead><tr>';
-  foreach ($columns as $key => $column)
+  foreach ($columns as $key => $column) {
    $html .= '<th class="column_' . $key . '">' . $column . '</th>';
  }
  $html .= '</tr></thead>';
  $html .= '<tbody>';
  foreach ($rows as $row) {
    $html .= '<tr>';
-    foreach ($columns as $key => $column)
+    foreach ($columns as $key => $column) {
-      if (isset($row[$key]))
+      if (isset($row[$key])) {
        $html .= '<td class="column_' . $key . '">' . $row[$key] . '</td>';
-      else
+      } else {
        $html .= '<td class="column_' . $key . '">&nbsp;</td>';
      }
    }
    $html .= '</tr>';
  }
  $html .= '</tbody>';
@ -410,10 +411,11 @@ function table_buttons($buttons = array()) {
 function template_render($file, $data) {
  if (file_exists($file)) {
    $template = file_get_contents($file);
-    if (is_array($data))
+    if (is_array($data)) {
      foreach ($data as $name => $content) {
        $template = str_replace("%" . $name . "%", $content, $template);
      }
    }
    return $template;
  }
  engelsystem_error("Cannot find template file &laquo;" . $file . "&raquo;.");
@ -430,8 +432,9 @@ function table_body($array) {
  foreach ($array as $line) {
    $html .= "<tr>";
    if (is_array($line)) {
-      foreach ($line as $td)
+      foreach ($line as $td) {
        $html .= "<td>" . $td . "</td>";
      }
    } else {
      $html .= "<td>" . $line . "</td>";
    }
@ -442,8 +445,9 @@ function table_body($array) {
 function html_options($name, $options, $selected = "") {
  $html = "";
-  foreach ($options as $value => $label)
+  foreach ($options as $value => $label) {
    $html .= '<input type="radio"' . ($value == $selected ? ' checked="checked"' : '') . ' name="' . $name . '" value="' . $value . '"> ' . $label;
  }
  return $html;
 }
--- a/public/index.php
+++ b/public/index.php
@ -1,7 +1,7 @@
 <?php
 require_once realpath(__DIR__ . '/../includes/engelsystem_provider.php');
-$free_pages = array(
+$free_pages = [
    'admin_event_config',
    'angeltypes',
    'api',
@ -16,12 +16,14 @@ $free_pages = array(
    'users',
    'user_driver_licenses',
    'user_password_recovery' 
-);
+];
 // Gewünschte Seite/Funktion
 $p = "";
-if (! isset($_REQUEST['p']))
+if (! isset($_REQUEST['p'])) {
  $_REQUEST['p'] = isset($user) ? "news" : "login";
 }
 if (isset($_REQUEST['p']) && preg_match("/^[a-z0-9_]*$/i", $_REQUEST['p']) && (in_array($_REQUEST['p'], $free_pages) || in_array($_REQUEST['p'], $privileges))) {
  $p = $_REQUEST['p'];
@ -160,7 +162,7 @@ if ($event_config === false) {
  engelsystem_error("Unable to load event config.");
 }
-echo template_render('../templates/layout.html', array(
+echo template_render('../templates/layout.html', [
    'theme' => isset($user) ? $user['color'] : $default_theme,
    'title' => $title,
    'atom_link' => ($p == 'news' || $p == 'user_meetings') ? '<link href="' . page_link_to('atom') . (($p == 'user_meetings') ? '&amp;meetings=1' : '') . '&amp;key=' . $user['api_key'] . '" type="application/atom+xml" rel="alternate" title="Atom Feed">' : '',
@ -171,6 +173,6 @@ echo template_render('../templates/layout.html', array(
    'contact_email' => $contact_email,
    'locale' => locale(),
    'event_info' => EventConfig_info($event_config) . '<br />' 
-));
+]);
 ?>