mirror of
https://github.com/joshp23/PEWS.git
synced 2024-12-22 02:20:18 +01:00
clean up redundacies + path traversal protection
This commit is contained in:
parent
01648de510
commit
c86a4dfd28
1 changed files with 58 additions and 91 deletions
|
@ -2,7 +2,7 @@
|
|||
/*
|
||||
------------------------------------------------------------
|
||||
* *
|
||||
* PEWS (pew! pew!) - PHP Easy WebFinger Server 1.5.1 *
|
||||
* PEWS (pew! pew!) - PHP Easy WebFinger Server 1.5.2 *
|
||||
* *
|
||||
* This script enables webfinger support on a server that *
|
||||
* handles one or more domains. *
|
||||
|
@ -160,21 +160,9 @@ if ($req === 'GET') {
|
|||
die();
|
||||
}
|
||||
|
||||
function pews_auth( $acct, $key, $admin ) {
|
||||
if(strpos($acct, '@')) {
|
||||
$acct = explode('@', $acct);
|
||||
$user = preg_replace('/^((\.*)(\/*))*/', '', $acct[0]);
|
||||
$host = preg_replace('/^((\.*)(\/*))*/', '', $acct[1]);
|
||||
if(!$admin && $host !== $_SERVER['HTTP_HOST']) {
|
||||
$return['is'] = false;
|
||||
$return['info'] = 'This is not your account';
|
||||
return $return;
|
||||
}
|
||||
} else {
|
||||
$user = preg_replace('/^((\.*)(\/*))*/', '', $acct);
|
||||
$host = $_SERVER['HTTP_HOST'];
|
||||
}
|
||||
$acct_file = PEWS_DATA_STORE."/".$host."/".$user.".json";
|
||||
function pews_auth( $resource, $key, $admin ) {
|
||||
$resource = pews_parse_account_string( $resource );
|
||||
$acct_file = PEWS_DATA_STORE ."/". $resource['host'] . "/" . $resource['user'].".json";
|
||||
// is there an account on file?
|
||||
if(file_exists($acct_file)) {
|
||||
$data = json_decode(file_get_contents($acct_file), true);
|
||||
|
@ -247,8 +235,8 @@ function pews_manager( $auth, $password ) {
|
|||
// add a new host to the server TODO url validations, etc
|
||||
if(isset($_POST['addHost'])) {
|
||||
if($auth) {
|
||||
$host = $_POST['addHost'];
|
||||
$new = PEWS_DATA_STORE . '/' . $host;
|
||||
$resource = pews_parse_account_string( $_POST['addHost'] );
|
||||
$new = PEWS_DATA_STORE . '/' . $resource['host'];
|
||||
if (!file_exists($new)){
|
||||
$make = mkdir($new);
|
||||
if(!$make) {
|
||||
|
@ -259,7 +247,7 @@ function pews_manager( $auth, $password ) {
|
|||
chmod( $new, 0755 );
|
||||
http_response_code(201);
|
||||
$return['statusCode'] = 201;
|
||||
$return['message'] = 'host: '.$host.' successfully added';
|
||||
$return['message'] = 'host: '. $resource['host'] .' successfully added';
|
||||
}
|
||||
} else {
|
||||
http_response_code(200);
|
||||
|
@ -274,8 +262,8 @@ function pews_manager( $auth, $password ) {
|
|||
// delete a host AND all resources
|
||||
} elseif(isset($_POST['delHost'])) {
|
||||
if($auth) {
|
||||
$host = $_POST['delHost'];
|
||||
$old = PEWS_DATA_STORE . '/' . $host;
|
||||
$resource = pews_parse_account_string( $_POST['delHost'] );
|
||||
$old = PEWS_DATA_STORE . '/' . $resource['host'];
|
||||
if (file_exists($old)) {
|
||||
$files = glob($old.'/*');
|
||||
foreach($files as $file) {
|
||||
|
@ -290,7 +278,7 @@ function pews_manager( $auth, $password ) {
|
|||
} else {
|
||||
http_response_code(200);
|
||||
$return['statusCode'] = 200;
|
||||
$return['message'] = 'host: '.$host.' successfully removed';
|
||||
$return['message'] = 'host: '.$resource['host'].' successfully removed';
|
||||
}
|
||||
} else {
|
||||
http_response_code(200);
|
||||
|
@ -305,30 +293,21 @@ function pews_manager( $auth, $password ) {
|
|||
// Add a new resource account!
|
||||
} elseif(isset($_POST['addResource'])) {
|
||||
if($auth) {
|
||||
$acct = $_POST['addResource'];
|
||||
if(strpos($acct, '@')) {
|
||||
$part = explode('@', $acct);
|
||||
$user = preg_replace('/^((\.*)(\/*))*/', '', $part[0]);
|
||||
$host = preg_replace('/^((\.*)(\/*))*/', '', $part[1]);
|
||||
} else {
|
||||
$user = preg_replace('/^((\.*)(\/*))*/', '', $acct);
|
||||
$host = $_SERVER['HTTP_HOST'];
|
||||
$acct = $user.'@'.$host;
|
||||
}
|
||||
$newHost = PEWS_DATA_STORE . '/' . $host;
|
||||
$resource = pews_parse_account_string( $_POST['addResource'] );
|
||||
$newHost = PEWS_DATA_STORE . '/' . $resource['host'];
|
||||
if (!file_exists($newHost)){
|
||||
http_response_code(404);
|
||||
$response['statusCode'] = ['404'];
|
||||
$response['message'] = ['Host '.$host.' is not present on this system. Create that first, then add resource accounts to it.'];
|
||||
$response['statusCode'] = '404';
|
||||
$response['message'] = 'The host '. $resource['host'] .' is not present, and must be on this system before resource accounts are added to it.';
|
||||
} else {
|
||||
$newUser = $newHost.'/'.$user.'.json';
|
||||
$newUser = $newHost .'/'. $resource['user'] .'.json';
|
||||
if (!file_exists($newUser)){
|
||||
$class = isset($_POST['setClass']) && ($_POST['setClass'] === 'admin' || $_POST['setClass'] === 'user') ?
|
||||
$_POST['setClass'] :
|
||||
'user';
|
||||
$pass= isset($_POST['setPass']) ? 'pews-hashed:'.password_hash($_POST['setPass'], PASSWORD_DEFAULT) : 'pewpewpassword';
|
||||
$data['PEWS'] = array( 'class' => $class, 'pass' => $pass );
|
||||
$data['subject'] = 'acct:'.$acct;
|
||||
$data['subject'] = 'acct:'. $resource['acct'];
|
||||
if(isset($_POST['setAliases'])) {
|
||||
$aliases = $_POST['setAliases'];
|
||||
$data['aliases'] = is_array($aliases) ? $aliases : array($aliases);
|
||||
|
@ -374,7 +353,7 @@ function pews_manager( $auth, $password ) {
|
|||
chmod( $newUser, 0755 );
|
||||
http_response_code(201);
|
||||
$return['statusCode'] = 201;
|
||||
$return['message'] = 'Resource: '.$acct.' successfully added';
|
||||
$return['message'] = 'Resource: '.$resource['acct'].' successfully added';
|
||||
}
|
||||
} else {
|
||||
http_response_code(200);
|
||||
|
@ -390,17 +369,8 @@ function pews_manager( $auth, $password ) {
|
|||
// Remove a resource/account from the server
|
||||
} elseif(isset($_POST['delResource'])) {
|
||||
if($auth) {
|
||||
$acct = $_POST['delResource'];
|
||||
if(strpos($acct, '@')) {
|
||||
$part = explode('@', $acct);
|
||||
$user = preg_replace('/^((\.*)(\/*))*/', '', $part[0]);
|
||||
$host = preg_replace('/^((\.*)(\/*))*/', '', $part[1]);
|
||||
} else {
|
||||
$user = preg_replace('/^((\.*)(\/*))*/', '', $acct);
|
||||
$host = $_SERVER['HTTP_HOST'];
|
||||
$acct = $user.'@'.$host;
|
||||
}
|
||||
$acct_file = PEWS_DATA_STORE."/".$host."/".$user.".json";
|
||||
$resource = pews_parse_account_string( $_POST['delResource'] );
|
||||
$acct_file = PEWS_DATA_STORE ."/". $resource['host'] ."/". $resource['user'] .".json";
|
||||
if (file_exists($acct_file)) {
|
||||
$destroy = unlink($acct_file);
|
||||
if(!$destroy) {
|
||||
|
@ -410,7 +380,7 @@ function pews_manager( $auth, $password ) {
|
|||
} else {
|
||||
http_response_code(200);
|
||||
$return['statusCode'] = 200;
|
||||
$return['message'] = 'Acct: '.$acct.' successfully removed';
|
||||
$return['message'] = 'Acct: '. $resource['acct'] .' successfully removed';
|
||||
}
|
||||
} else {
|
||||
http_response_code(200);
|
||||
|
@ -424,24 +394,15 @@ function pews_manager( $auth, $password ) {
|
|||
return $return;
|
||||
// adding an alias to a resource
|
||||
} elseif(isset($_POST['addAlias'])) {
|
||||
$acct = $_POST['addAlias'];
|
||||
if(strpos($acct, '@')) {
|
||||
$part = explode('@', $acct);
|
||||
$user = preg_replace('/^((\.*)(\/*))*/', '', $part[0]);
|
||||
$host = preg_replace('/^((\.*)(\/*))*/', '', $part[1]);
|
||||
} else {
|
||||
$user = preg_replace('/^((\.*)(\/*))*/', '', $acct);
|
||||
$host = $_SERVER['HTTP_HOST'];
|
||||
$acct = $user.'@'.$host;
|
||||
}
|
||||
$resource = pews_parse_account_string( $_POST['addAlias'] );
|
||||
switch ($auth) {
|
||||
case false:
|
||||
$reauth = pews_auth( $acct, $password, false );
|
||||
$reauth = pews_auth( $resource['acct'], $password, false );
|
||||
$auth = $reauth['is'];
|
||||
case true:
|
||||
if(isset($_POST['newAlias'])) {
|
||||
$newAlias = $_POST['newAlias'];
|
||||
$acct_file = PEWS_DATA_STORE . '/' . $host .'/'. $user . '.json';
|
||||
$acct_file = PEWS_DATA_STORE . '/' . $resource['host'] .'/'. $resource['user'] . '.json';
|
||||
if (file_exists($acct_file)) {
|
||||
$data = json_decode(file_get_contents($acct_file), true);
|
||||
$aliases = isset($data['aliases']) ? $data['aliases'] : array();
|
||||
|
@ -454,12 +415,12 @@ function pews_manager( $auth, $password ) {
|
|||
$return['info'] = 'Could not write to resource file';
|
||||
} else {
|
||||
$return['is'] = true;
|
||||
$return['info'] = 'Alias: '.$newAlias.' added to '.$acct;
|
||||
$return['info'] = 'Alias: '.$newAlias.' added to '.$resource['acct'];
|
||||
}
|
||||
} else {
|
||||
http_response_code(404);
|
||||
$return['statusCode'] = 404;
|
||||
$return['message'] = 'Account ['.$acct.'] not found.';
|
||||
$return['message'] = 'Account: '.$resource['acct'].' not found.';
|
||||
}
|
||||
} else {
|
||||
http_response_code(400);
|
||||
|
@ -475,24 +436,15 @@ function pews_manager( $auth, $password ) {
|
|||
}
|
||||
// remove an alias from a resource
|
||||
} elseif(isset($_POST['delAlias'])) {
|
||||
$acct = $_POST['delAlias'];
|
||||
if(strpos($acct, '@')) {
|
||||
$part = explode('@', $acct);
|
||||
$user = preg_replace('/^((\.*)(\/*))*/', '', $part[0]);
|
||||
$host = preg_replace('/^((\.*)(\/*))*/', '', $part[1]);
|
||||
} else {
|
||||
$user = preg_replace('/^((\.*)(\/*))*/', '', $acct);
|
||||
$host = $_SERVER['HTTP_HOST'];
|
||||
$acct = $user.'@'.$host;
|
||||
}
|
||||
$resource = pews_parse_account_string( $_POST['delAlias'] );
|
||||
switch ($auth) {
|
||||
case false:
|
||||
$reauth = pews_auth( $acct, $password, false );
|
||||
$reauth = pews_auth( $resource['acct'], $password, false );
|
||||
$auth = $reauth['is'];
|
||||
case true:
|
||||
if(isset($_POST['oldAlias'])) {
|
||||
$oldAlias = $_POST['oldAlias'];
|
||||
$acct_file = PEWS_DATA_STORE . '/' . $host .'/'. $user . '.json';
|
||||
$acct_file = PEWS_DATA_STORE . '/' . $resource['host'] .'/'. $resource['user'] . '.json';
|
||||
if (file_exists($acct_file)) {
|
||||
$data = json_decode(file_get_contents($acct_file), true);
|
||||
$aliases = isset($data['aliases']) ? $data['aliases'] : null;
|
||||
|
@ -512,7 +464,7 @@ function pews_manager( $auth, $password ) {
|
|||
$return['info'] = 'Could not write to resource file';
|
||||
} else {
|
||||
$return['is'] = true;
|
||||
$return['info'] = 'Alias: '.$oldAlias.' removed '.$acct;
|
||||
$return['info'] = 'Alias: '.$oldAlias.' removed '.$resource['acct'];
|
||||
}
|
||||
} else {
|
||||
http_response_code(100);
|
||||
|
@ -522,7 +474,7 @@ function pews_manager( $auth, $password ) {
|
|||
} else {
|
||||
http_response_code(404);
|
||||
$return['statusCode'] = 404;
|
||||
$return['message'] = 'Account ['.$acct.'] not found.';
|
||||
$return['message'] = 'Account: '.$resource['acct'].' not found.';
|
||||
}
|
||||
} else {
|
||||
http_response_code(400);
|
||||
|
@ -549,24 +501,15 @@ function pews_manager( $auth, $password ) {
|
|||
} elseif(isset($_POST['delLink'])) {
|
||||
// Update a Password
|
||||
} elseif(isset($_POST['updatePass'])) {
|
||||
$acct = $_POST['updatePass'];
|
||||
if(strpos($acct, '@')) {
|
||||
$part = explode('@', $acct);
|
||||
$user = preg_replace('/^((\.*)(\/*))*/', '', $part[0]);
|
||||
$host = preg_replace('/^((\.*)(\/*))*/', '', $part[1]);
|
||||
} else {
|
||||
$user = preg_replace('/^((\.*)(\/*))*/', '', $acct);
|
||||
$host = $_SERVER['HTTP_HOST'];
|
||||
$acct = $user.'@'.$host;
|
||||
}
|
||||
$resource = pews_parse_account_string( $_POST['updatePass'] );
|
||||
switch ($auth) {
|
||||
case false:
|
||||
$reauth = pews_auth( $acct, $password, false );
|
||||
$reauth = pews_auth( $resource['acct'], $password, false );
|
||||
$auth = $reauth['is'];
|
||||
case true:
|
||||
if(isset($_POST['newPass'])) {
|
||||
$newPass = $_POST['newPass'];
|
||||
$acct_file = PEWS_DATA_STORE . '/' . $host .'/'. $user . '.json';
|
||||
$acct_file = PEWS_DATA_STORE .'/'. $resource['host'] .'/'. $resource['user'] .'.json';
|
||||
if (file_exists($acct_file)) {
|
||||
$data = json_decode(file_get_contents($acct_file), true);
|
||||
$userData = $data['PEWS'];
|
||||
|
@ -585,7 +528,7 @@ function pews_manager( $auth, $password ) {
|
|||
} else {
|
||||
http_response_code(404);
|
||||
$return['statusCode'] = 404;
|
||||
$return['message'] = 'Account ['.$acct.'] not found.';
|
||||
$return['message'] = 'Account ['. $resource['acct'] .'] not found.';
|
||||
}
|
||||
} else {
|
||||
http_response_code(400);
|
||||
|
@ -606,4 +549,28 @@ function pews_manager( $auth, $password ) {
|
|||
}
|
||||
return $return;
|
||||
}
|
||||
function pews_parse_account_string ( $acct ) {
|
||||
if(strpos($acct, '@')) {
|
||||
$parts = explode('@', $acct[1]);
|
||||
$user = preg_replace('/^((\.*)(\/*))*/', '', $parts[0]);
|
||||
$host = preg_replace('/^((\.*)(\/*))*/', '', $parts[1]);
|
||||
// if(PEWS_DOMAIN_STRICT && $host !== $_SERVER['HTTP_HOST']) {
|
||||
// http_response_code(400);
|
||||
// header("Content-Type: application/json");
|
||||
// print json_encode(array(
|
||||
// 'statusCode' => 400,
|
||||
// 'message' => "Query and server hosts do not match."
|
||||
// ), JSON_UNESCAPED_SLASHES);
|
||||
// die();
|
||||
// }
|
||||
} else {
|
||||
$user = preg_replace('/^((\.*)(\/*))*/', '', $str);
|
||||
$host = $_SERVER['HTTP_HOST'];
|
||||
$acct = $user . '@' . $host;
|
||||
}
|
||||
$return['user'] = $user;
|
||||
$return['host'] = $host;
|
||||
$return['acct'] = $acct;
|
||||
return $return;
|
||||
}
|
||||
?>
|
||||
|
|
Loading…
Reference in a new issue