prohibit inline control structures on includes and index

This commit is contained in:
msquare 2016-09-29 11:28:42 +02:00
parent e965f8d041
commit 4c288e957e
7 changed files with 150 additions and 100 deletions


@ -54,8 +54,9 @@ require_once realpath(__DIR__ . '/../includes/mailer/shifts_mailer.php');
require_once realpath(__DIR__ . '/../includes/mailer/users_mailer.php');
require_once realpath(__DIR__ . '/../config/config.default.php');
if (file_exists(realpath(__DIR__ . '/../config/config.php')))
if (file_exists(realpath(__DIR__ . '/../config/config.php'))) {
require_once realpath(__DIR__ . '/../config/config.php');
}
if ($maintenance_mode) {
echo file_get_contents(__DIR__ . '/../public/maintenance.html');


@ -22,9 +22,10 @@ function sql_null($value = null) {
function sql_transaction_start() {
global $sql_nested_transaction_level;
if ($sql_nested_transaction_level ++ == 0)
if ($sql_nested_transaction_level ++ == 0) {
return sql_query("BEGIN");
else
}
return true;
}
@ -34,9 +35,10 @@ function sql_transaction_start() {
function sql_transaction_commit() {
global $sql_nested_transaction_level;
if (-- $sql_nested_transaction_level == 0)
if (-- $sql_nested_transaction_level == 0) {
return sql_query("COMMIT");
else
}
return true;
}
@ -46,11 +48,12 @@ function sql_transaction_commit() {
function sql_transaction_rollback() {
global $sql_nested_transaction_level;
if (-- $sql_nested_transaction_level == 0)
if (-- $sql_nested_transaction_level == 0) {
return sql_query("ROLLBACK");
else
} else {
return true;
}
}
/**
* Logs an sql error.
@ -92,12 +95,14 @@ function sql_connect($host, $user, $pass, $db) {
}
$result = $sql_connection->query("SET CHARACTER SET utf8;");
if (! $result)
if (! $result) {
return sql_error("Unable to set utf8 character set (" . $sql_connection->errno . ") " . $sql_connection->error);
}
$result = $sql_connection->set_charset('utf8');
if (! $result)
if (! $result) {
return sql_error("Unable to set utf8 names (" . $sql_connection->errno . ") " . $sql_connection->error);
}
return $sql_connection;
}
@ -111,8 +116,9 @@ function sql_connect($host, $user, $pass, $db) {
*/
function sql_select_db($db_name) {
global $sql_connection;
if (! $sql_connection->select_db($db_name))
if (! $sql_connection->select_db($db_name)) {
return sql_error("No database selected.");
}
return true;
}
@ -127,11 +133,13 @@ function sql_select($query) {
$result = $sql_connection->query($query);
if ($result) {
$data = array();
while ($line = $result->fetch_assoc())
$data = [];
while ($line = $result->fetch_assoc()) {
array_push($data, $line);
}
return $data;
} else
}
return sql_error("MySQL-query error: " . $query . " (" . $sql_connection->errno . ") " . $sql_connection->error);
}
@ -147,7 +155,8 @@ function sql_query($query) {
$result = $sql_connection->query($query);
if ($result) {
return $result;
} else
}
return sql_error("MySQL-query error: " . $query . " (" . $sql_connection->errno . ") " . $sql_connection->error);
}
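Review bot: sql_select and sql_query still hand the complete SQL text, including the data inlined into it, to sql_error on failure, and the sql_error docblock in this hunk says that function logs; a failed UPDATE issued by set_password would therefore write the freshly computed password hash into the log. Consider reporting only the driver error there, e.g. `return sql_error("MySQL-query error (" . $sql_connection->errno . ") " . $sql_connection->error);`, and keeping the query text for a debug-level log if one exists. The fetch loop's `array_push($data, $line);` is idiomatically `$data[] = $line;`. sql_select's and sql_query's signatures sit outside the hunk, as does the body of sql_error.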


@ -1,6 +1,8 @@
<?php
// Testet ob ein User eingeloggt ist und lädt die entsprechenden Privilegien
/**
* Testet ob ein User eingeloggt ist und lädt die entsprechenden Privilegien
*/
function load_auth() {
global $user, $privileges;
@ -11,14 +13,17 @@ function load_auth() {
// User ist eingeloggt, Datensatz zur Verfügung stellen und Timestamp updaten
list($user) = $user;
sql_query("UPDATE `User` SET " . "`lastLogIn` = '" . time() . "'" . " WHERE `UID` = '" . sql_escape($_SESSION['uid']) . "' LIMIT 1;");
} else
} else {
unset($_SESSION['uid']);
}
}
$privileges = isset($user) ? privileges_for_user($user['UID']) : privileges_for_group(- 1);
}
// generate a salt (random string) of arbitrary length suitable for the use with crypt()
/**
* generate a salt (random string) of arbitrary length suitable for the use with crypt()
*/
function generate_salt($length = 16) {
$alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
$salt = "";
@ -28,21 +33,26 @@ function generate_salt($length = 16) {
return $salt;
}
// set the password of a user
/**
* set the password of a user
*/
function set_password($uid, $password) {
return sql_query("UPDATE `User` SET `Passwort` = '" . sql_escape(crypt($password, CRYPT_ALG . '$' . generate_salt(16) . '$')) . "', `password_recovery_token`=NULL WHERE `UID` = " . intval($uid) . " LIMIT 1");
}
// verify a password given a precomputed salt.
// if $uid is given and $salt is an old-style salt (plain md5), we convert it automatically
/**
* verify a password given a precomputed salt.
* if $uid is given and $salt is an old-style salt (plain md5), we convert it automatically
*/
function verify_password($password, $salt, $uid = false) {
$correct = false;
if (substr($salt, 0, 1) == '$') // new-style crypt()
if (substr($salt, 0, 1) == '$') { // new-style crypt()
$correct = crypt($password, $salt) == $salt;
elseif (substr($salt, 0, 7) == '{crypt}') // old-style crypt() with DES and static salt - not used anymore
} elseif (substr($salt, 0, 7) == '{crypt}') { // old-style crypt() with DES and static salt - not used anymore
$correct = crypt($password, '77') == $salt;
elseif (strlen($salt) == 32) // old-style md5 without salt - not used anymore
} elseif (strlen($salt) == 32) { // old-style md5 without salt - not used anymore
$correct = md5($password) == $salt;
}
if ($correct && substr($salt, 0, strlen(CRYPT_ALG)) != CRYPT_ALG && $uid) {
// this password is stored in another format than we want it to be.
@ -54,18 +64,20 @@ function verify_password($password, $salt, $uid = false) {
}
function privileges_for_user($user_id) {
$privileges = array ();
$privileges = [];
$user_privs = sql_select("SELECT `Privileges`.`name` FROM `User` JOIN `UserGroups` ON (`User`.`UID` = `UserGroups`.`uid`) JOIN `GroupPrivileges` ON (`UserGroups`.`group_id` = `GroupPrivileges`.`group_id`) JOIN `Privileges` ON (`GroupPrivileges`.`privilege_id` = `Privileges`.`id`) WHERE `User`.`UID`='" . sql_escape($user_id) . "'");
foreach ($user_privs as $user_priv)
foreach ($user_privs as $user_priv) {
$privileges[] = $user_priv['name'];
}
return $privileges;
}
function privileges_for_group($group_id) {
$privileges = array ();
$privileges = [];
$groups_privs = sql_select("SELECT * FROM `GroupPrivileges` JOIN `Privileges` ON (`GroupPrivileges`.`privilege_id` = `Privileges`.`id`) WHERE `group_id`='" . sql_escape($group_id) . "'");
foreach ($groups_privs as $guest_priv)
foreach ($groups_privs as $guest_priv) {
$privileges[] = $guest_priv['name'];
}
return $privileges;
}
?>
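Review bot: verify_password compares the recomputed hash with the stored value using `==` in all three branches (`crypt($password, $salt) == $salt`, the `{crypt}` branch and the md5 branch); `==` treats numeric-looking strings by value and the comparison is not constant-time, so use `$correct = hash_equals($salt, crypt($password, $salt));` (PHP 5.6+) and the equivalent in the other branches. The remainder of verify_password, including the rehash step, lies outside the hunk. The file still ends with a closing `?>`; dropping it avoids trailing whitespace being emitted before headers are sent. The new docblocks carry no parameter or return documentation; `@param string $password`, `@param string $salt`, `@param int|false $uid` and `@return bool` would complete the verify_password one.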


@ -1,8 +1,9 @@
<?php
function page_link_to($page) {
if ($page == "")
if ($page == "") {
return '?';
}
return '?p=' . $page;
}
@ -18,17 +19,21 @@ function header_toolbar() {
$toolbar_items = array();
if (isset($user))
if (isset($user)) {
$toolbar_items[] = toolbar_item_link(page_link_to('shifts') . '&amp;action=next', 'time', User_shift_state_render($user));
}
if (! isset($user) && in_array('register', $privileges))
if (! isset($user) && in_array('register', $privileges)) {
$toolbar_items[] = toolbar_item_link(page_link_to('register'), 'plus', register_title(), $p == 'register');
}
if (in_array('login', $privileges))
if (in_array('login', $privileges)) {
$toolbar_items[] = toolbar_item_link(page_link_to('login'), 'log-in', login_title(), $p == 'login');
}
if (isset($user) && in_array('user_messages', $privileges))
if (isset($user) && in_array('user_messages', $privileges)) {
$toolbar_items[] = toolbar_item_link(page_link_to('user_messages'), 'envelope', user_unread_messages());
}
$hints = [];
if (isset($user)) {
@ -37,20 +42,24 @@ function header_toolbar() {
// Erzengel Hinweis für unbeantwortete Fragen
if ($p != "admin_questions") {
$new_questions = admin_new_questions();
if ($new_questions != "")
if ($new_questions != "") {
$hints[] = $new_questions;
}
}
$unconfirmed_hint = user_angeltypes_unconfirmed_hint();
if ($unconfirmed_hint != '')
if ($unconfirmed_hint != '') {
$hints[] = $unconfirmed_hint;
}
if (! isset($user['planned_departure_date']) || $user['planned_departure_date'] == null)
if (! isset($user['planned_departure_date']) || $user['planned_departure_date'] == null) {
$hints[] = info(_("Please enter your planned date of departure on your settings page to give us a feeling for teardown capacities."), true);
}
$driver_license_required = user_driver_license_required_hint();
if ($driver_license_required != '')
if ($driver_license_required != '') {
$hints[] = $driver_license_required;
}
if (User_is_freeloader($user)) {
$hints[] = error(sprintf(_("You freeloaded at least %s shifts. Shift signup is locked. Please go to heavens desk to be unlocked again."), $max_freeloadable_shifts), true);
@ -77,22 +86,27 @@ function header_toolbar() {
$glyphicon = 'warning-sign';
}
}
if (count($hints) > 0)
if (count($hints) > 0) {
$toolbar_items[] = toolbar_popover($glyphicon . ' text-' . $hint_class, '', $hints, 'bg-' . $hint_class);
}
$user_submenu = make_langselect();
$user_submenu[] = toolbar_item_divider();
if (in_array('user_myshifts', $privileges))
if (in_array('user_myshifts', $privileges)) {
$toolbar_items[] = toolbar_item_link(page_link_to('users') . '&amp;action=view', ' icon-icon_angel', $user['Nick'], $p == 'users');
}
if (in_array('user_settings', $privileges))
if (in_array('user_settings', $privileges)) {
$user_submenu[] = toolbar_item_link(page_link_to('user_settings'), 'list-alt', settings_title(), $p == 'user_settings');
}
if (in_array('logout', $privileges))
if (in_array('logout', $privileges)) {
$user_submenu[] = toolbar_item_link(page_link_to('logout'), 'log-out', logout_title(), $p == 'logout');
}
if (count($user_submenu) > 0)
if (count($user_submenu) > 0) {
$toolbar_items[] = toolbar_dropdown('', '', $user_submenu);
}
return toolbar($toolbar_items, true);
}
@ -100,21 +114,23 @@ function header_toolbar() {
function make_navigation() {
global $p, $privileges;
$menu = array();
$pages = array(
$menu = [];
$pages = [
"news" => news_title(),
"user_meetings" => meetings_title(),
"user_shifts" => shifts_title(),
"angeltypes" => angeltypes_title(),
"user_questions" => questions_title()
);
];
foreach ($pages as $page => $title)
if (in_array($page, $privileges))
foreach ($pages as $page => $title) {
if (in_array($page, $privileges)) {
$menu[] = toolbar_item_link(page_link_to($page), '', $title, $page == $p);
}
}
$admin_menu = array();
$admin_pages = array(
$admin_menu = [];
$admin_pages = [
"admin_arrive" => admin_arrive_title(),
"admin_active" => admin_active_title(),
"admin_user" => admin_user_title(),
@ -127,14 +143,17 @@ function make_navigation() {
"admin_import" => admin_import_title(),
"admin_log" => admin_log_title(),
"admin_event_config" => event_config_title()
);
];
foreach ($admin_pages as $page => $title)
if (in_array($page, $privileges))
foreach ($admin_pages as $page => $title) {
if (in_array($page, $privileges)) {
$admin_menu[] = toolbar_item_link(page_link_to($page), '', $title, $page == $p);
}
}
if (count($admin_menu) > 0)
if (count($admin_menu) > 0) {
$menu[] = toolbar_dropdown('', _("Admin"), $admin_menu);
}
return toolbar($menu);
}
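Review bot: Every `in_array(..., $privileges)` in header_toolbar and make_navigation omits the strict flag; privilege names are strings, so pass `true` as the third argument to rule out loose-comparison matches, e.g. `if (in_array('login', $privileges, true)) {`. Also `$user['Nick']` is passed to toolbar_item_link as link text; whether that helper HTML-escapes it cannot be seen from the hunk, and the nickname is user-supplied, so confirm the escaping happens there or escape at this call site. Both functions start outside the hunk.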


@ -31,8 +31,9 @@ function raw_output($output) {
* @return ValidationResult containing the parsed date
*/
function check_request_date($name, $error_message = null, $null_allowed = false) {
if (! isset($_REQUEST[$name]))
if (! isset($_REQUEST[$name])) {
return new ValidationResult($null_allowed, null);
}
return check_date($_REQUEST[$name], $error_message, $null_allowed);
}
@ -49,10 +50,12 @@ function check_request_date($name, $error_message = null, $null_allowed = false)
* @return ValidationResult containing the parsed date
*/
function check_date($input, $error_message = null, $null_allowed = false) {
if (DateTime::createFromFormat("Y-m-d", trim($input)))
if (DateTime::createFromFormat("Y-m-d", trim($input))) {
return new ValidationResult(true, DateTime::createFromFormat("Y-m-d", trim($input))->getTimestamp());
if ($null_allowed)
}
if ($null_allowed) {
return new ValidationResult(true, null);
}
error($error_message);
return new ValidationResult(false, null);
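Review bot: check_date parses the input twice and accepts values that overflow the calendar (a constructed `2016-02-31` is returned with rollover rather than rejected), because DateTime::createFromFormat still returns an object when it only records a warning. Parse once and round-trip the result: `$date = DateTime::createFromFormat("Y-m-d", trim($input));` / `if ($date !== false && $date->format("Y-m-d") === trim($input)) {` / `return new ValidationResult(true, $date->getTimestamp());`. check_request_date forwards `$_REQUEST[$name]` with no type check, so an array-valued request parameter reaches trim(); extending its guard to `if (! isset($_REQUEST[$name]) || ! is_string($_REQUEST[$name])) {` keeps that out. check_date's closing brace is outside the hunk.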


@ -179,19 +179,10 @@ function form_date($name, $label, $value, $start_date = '') {
*/
function form_checkboxes($name, $label, $items, $selected) {
$html = form_element($label, '');
foreach ($items as $key => $item)
$html .= form_checkbox($name . '_' . $key, $item, array_search($key, $selected) !== false);
return $html;
$html = "<ul>";
foreach ($items as $key => $item) {
$id = $name . '_' . $key;
$sel = array_search($key, $selected) !== false ? ' checked="checked"' : "";
$html .= '<li><input type="checkbox" id="' . $id . '" name="' . $id . '" value="checked"' . $sel . ' /><label for="' . $id . '">' . $item . '</label></li>';
$html .= form_checkbox($name . '_' . $key, $item, array_search($key, $selected) !== false);
}
$html .= "</ul>";
return form_element($label, $html);
return $html;
}
/**
@ -210,16 +201,18 @@ function form_checkboxes($name, $label, $items, $selected) {
*/
function form_multi_checkboxes($names, $label, $items, $selected, $disabled = array()) {
$html = "<table><thead><tr>";
foreach ($names as $title)
foreach ($names as $title) {
$html .= "<th>$title</th>";
}
$html .= "</tr></thead><tbody>";
foreach ($items as $key => $item) {
$html .= "<tr>";
foreach ($names as $name => $title) {
$id = $name . '_' . $key;
$sel = array_search($key, $selected[$name]) !== false ? ' checked="checked"' : "";
if (! empty($disabled) && ! empty($disabled[$name]) && array_search($key, $disabled[$name]) !== false)
if (! empty($disabled) && ! empty($disabled[$name]) && array_search($key, $disabled[$name]) !== false) {
$sel .= ' disabled="disabled"';
}
$html .= '<td style="text-align: center;"><input type="checkbox" id="' . $id . '" name="' . $name . '[]" value="' . $key . '"' . $sel . ' /></td>';
}
$html .= '<td><label for="' . $id . '">' . $item . '</label></td></tr>';
@ -246,10 +239,12 @@ function form_radio($name, $label, $selected, $value) {
* Rendert einen Infotext in das Formular
*/
function form_info($label, $text = "") {
if ($label == "")
if ($label == "") {
return '<span class="help-block">' . glyph('info-sign') . $text . '</span>';
if ($text == "")
}
if ($text == "") {
return '<h4>' . $label . '</h4>';
}
return form_element($label, '<p class="form-control-static">' . $text . '</p>', '');
}
@ -312,9 +307,9 @@ function form_select($name, $label, $values, $selected) {
function form_element($label, $input, $for = "") {
if ($label == '') {
return '<div class="form-group">' . $input . '</div>';
} else {
return '<div class="form-group">' . '<label for="' . $for . '">' . $label . '</label>' . $input . '</div>';
}
return '<div class="form-group">' . '<label for="' . $for . '">' . $label . '</label>' . $input . '</div>';
}
/**
@ -346,34 +341,40 @@ function page_with_title($title, $elements) {
function table($columns, $rows_raw, $data = true) {
// If only one column is given
if (! is_array($columns)) {
$columns = array(
$columns = [
'col' => $columns
);
];
$rows = array();
$rows = [];
foreach ($rows_raw as $row)
$rows[] = array(
$rows[] = [
'col' => $row
);
} else
];
} else {
$rows = $rows_raw;
}
if (count($rows) == 0)
if (count($rows) == 0) {
return info(_("No data found."), true);
}
$html = "";
$html .= '<table class="table table-striped' . ($data ? ' data' : '') . '">';
$html .= '<thead><tr>';
foreach ($columns as $key => $column)
foreach ($columns as $key => $column) {
$html .= '<th class="column_' . $key . '">' . $column . '</th>';
}
$html .= '</tr></thead>';
$html .= '<tbody>';
foreach ($rows as $row) {
$html .= '<tr>';
foreach ($columns as $key => $column)
if (isset($row[$key]))
foreach ($columns as $key => $column) {
if (isset($row[$key])) {
$html .= '<td class="column_' . $key . '">' . $row[$key] . '</td>';
else
} else {
$html .= '<td class="column_' . $key . '">&nbsp;</td>';
}
}
$html .= '</tr>';
}
$html .= '</tbody>';
@ -410,10 +411,11 @@ function table_buttons($buttons = array()) {
function template_render($file, $data) {
if (file_exists($file)) {
$template = file_get_contents($file);
if (is_array($data))
if (is_array($data)) {
foreach ($data as $name => $content) {
$template = str_replace("%" . $name . "%", $content, $template);
}
}
return $template;
}
engelsystem_error("Cannot find template file &laquo;" . $file . "&raquo;.");
@ -430,8 +432,9 @@ function table_body($array) {
foreach ($array as $line) {
$html .= "<tr>";
if (is_array($line)) {
foreach ($line as $td)
foreach ($line as $td) {
$html .= "<td>" . $td . "</td>";
}
} else {
$html .= "<td>" . $line . "</td>";
}
@ -442,8 +445,9 @@ function table_body($array) {
function html_options($name, $options, $selected = "") {
$html = "";
foreach ($options as $value => $label)
foreach ($options as $value => $label) {
$html .= '<input type="radio"' . ($value == $selected ? ' checked="checked"' : '') . ' name="' . $name . '" value="' . $value . '"> ' . $label;
}
return $html;
}
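Review bot: The `foreach ($rows_raw as $row)` in table() still has no braces around its multi-line `$rows[] = [ ... ];` body, which is exactly the form this commit otherwise eliminates; wrap it as `foreach ($rows_raw as $row) {` … `}`. In html_options, `$value == $selected` is a loose comparison (with the default `$selected = ""`, an integer key 0 compares equal on PHP versions before 8), so `(string) $value === (string) $selected` is safer; `$value` and `$label` are also written into the markup unescaped, which is only acceptable if callers never pass user input, and the hunk does not show the callers. template_render substitutes placeholders sequentially, so a `%name%` token inside an earlier replacement's content is itself replaced by a later iteration; a one-line comment stating whether that is intended would help the next reader. table() continues past the hunk.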


@ -1,7 +1,7 @@
<?php
require_once realpath(__DIR__ . '/../includes/engelsystem_provider.php');
$free_pages = array(
$free_pages = [
'admin_event_config',
'angeltypes',
'api',
@ -16,12 +16,14 @@ $free_pages = array(
'users',
'user_driver_licenses',
'user_password_recovery'
);
];
// Gewünschte Seite/Funktion
$p = "";
if (! isset($_REQUEST['p']))
if (! isset($_REQUEST['p'])) {
$_REQUEST['p'] = isset($user) ? "news" : "login";
}
if (isset($_REQUEST['p']) && preg_match("/^[a-z0-9_]*$/i", $_REQUEST['p']) && (in_array($_REQUEST['p'], $free_pages) || in_array($_REQUEST['p'], $privileges))) {
$p = $_REQUEST['p'];
@ -160,7 +162,7 @@ if ($event_config === false) {
engelsystem_error("Unable to load event config.");
}
echo template_render('../templates/layout.html', array(
echo template_render('../templates/layout.html', [
'theme' => isset($user) ? $user['color'] : $default_theme,
'title' => $title,
'atom_link' => ($p == 'news' || $p == 'user_meetings') ? '<link href="' . page_link_to('atom') . (($p == 'user_meetings') ? '&amp;meetings=1' : '') . '&amp;key=' . $user['api_key'] . '" type="application/atom+xml" rel="alternate" title="Atom Feed">' : '',
@ -171,6 +173,6 @@ echo template_render('../templates/layout.html', array(
'contact_email' => $contact_email,
'locale' => locale(),
'event_info' => EventConfig_info($event_config) . '<br />'
));
]);
?>
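Review bot: The default-page fallback writes into the superglobal (`$_REQUEST['p'] = isset($user) ? "news" : "login";`) only to read it back on the next line; a local is clearer, e.g. `$requested_page = isset($_REQUEST['p']) ? $_REQUEST['p'] : (isset($user) ? "news" : "login");` and then testing `$requested_page` in the following condition. Note that `$_REQUEST` merges cookie values with GET/POST under the default request_order, so the page selector can also arrive via cookie; reading `$_GET`/`$_POST` explicitly narrows that. The two `in_array` checks against `$free_pages` and `$privileges` should pass `true` as the strict flag. The branch that handles a rejected page name lies outside the hunk.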