update to v1.03

This commit is contained in:
NinCollin 2023-04-21 11:21:52 -05:00 committed by GitHub
parent a0fae0405f
commit 5dead3923e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 410 additions and 0 deletions

144
corefiles/auth.php Normal file

@ -0,0 +1,144 @@
<?php
if(empty($run))
die('This file may not be run directly');
//Declare the variable for our user array
$user="";
//Lets make sure the user is authenticated correctly
if(!empty($_COOKIE['token']))
{
//First, lets check that their login token is in the system
$stmt = mysqli_prepare($sql,"SELECT `token`, `ipverification`, `ip`, `expires`, `userid` FROM `tokens` WHERE `token` = ?");
mysqli_stmt_bind_param($stmt, "s", $_COOKIE['token']);
mysqli_stmt_execute($stmt);
//and fetch the results
$token_query=mysqli_stmt_get_result($stmt);
//Unset our stmt variable to free memory
unset($stmt);
//If the token isn't in the system, clear the user's cookie
if(mysqli_num_rows($token_query) == 0)
{
setcookie("token", "");
}
//Otherwise, lets make sure its valid
else
{
//Lets fetch an array from our querried token data
$token_data=mysqli_fetch_array($token_query);
//Verify that the token hasn't expired and that the IP matched the user's IP (if IP verification is turned on)
$time=time();
if($token_data['expires'] > $time && ($_SERVER['REMOTE_ADDR'] == $token_data['ip'] || $token_data['ipverification'] == 0))
{
$user=mysqli_fetch_assoc(mysqli_query($sql, "SELECT * FROM `users` WHERE `id` = $token_data[userid]"));
$time=time();
mysqli_query($sql, "UPDATE `users` SET `lastview` = $time WHERE `id` = $user[id]");
}
//check if the IP is different and IP verification is enabled; if so, log as a failed verification
else if($_SERVER['REMOTE_ADDR'] != $token_data['ip'] && $token_data['ipverification'] == 1)
{
$stmt = mysqli_prepare($sql,"INSERT INTO `ipverificationfailures` (`originalip`, `failedip`, `userid`) VALUES (?, ?, ?)");
mysqli_stmt_bind_param($stmt, "ssi", $token_data['ip'], $_SERVER['REMOTE_ADDR'], $token_data['userid']);
mysqli_stmt_execute($stmt);
$stmt = mysqli_prepare($sql,"DELETE FROM `tokens` WHERE `token` = ?");
mysqli_stmt_bind_param($stmt, "s", $_COOKIE['token']);
mysqli_stmt_execute($stmt);
unset($stmt);
setcookie("token", "");
}
//If it doesn't, remove the token from the database and unset their cookie
else
{
$stmt = mysqli_prepare($sql,"DELETE FROM `tokens` WHERE `token` = ?");
mysqli_stmt_bind_param($stmt, "s", $_COOKIE['token']);
mysqli_stmt_execute($stmt);
unset($stmt);
setcookie("token", "");
}
}
unset($token_query);
unset($token_data);
}
//Now let's do some ip logging for security purposes
if(!empty($user))
{
//Let's log the IP the user is connecting from
$numberONE=1;
$stmt = mysqli_prepare($sql,"INSERT INTO `iphistory_user` (`userid`, `ip`, `views`) VALUES (?, ?, ?) ON DUPLICATE KEY UPDATE `views` = `views` + 1, `lastuseragent` = ?");
mysqli_stmt_bind_param($stmt, "isis", $user['id'], $_SERVER['REMOTE_ADDR'], $numberONE, $_SERVER['HTTP_USER_AGENT']);
mysqli_stmt_execute($stmt);
}
else
{
//lets do some guest loggin
//add a guest entry
$date=time();
$ip=mysqli_real_escape_string($sql, $_SERVER['REMOTE_ADDR']);
$numberONE=1;
$stmt = mysqli_prepare($sql,"INSERT INTO `guests` (`ip`, `firstview`, `lastview`, `views`, `lastuseragent`) VALUES (?, ?, ?, ?, ?) ON DUPLICATE KEY UPDATE `lastview` = ?, `views` = `views` + 1, `lastuseragent` = ?");
mysqli_stmt_bind_param($stmt, "siiisis", $_SERVER['REMOTE_ADDR'], $date, $date, $numberONE, $_SERVER['HTTP_USER_AGENT'], $date, $_SERVER['HTTP_USER_AGENT']);
mysqli_stmt_execute($stmt);
}
//Now let's do some more IP logging
if(empty($_COOKIE['sessiontoken']))
{
$sessiontoken=bin2hex(random_bytes(30));
//create a new persistant session cookie to track IP addresses
setcookie("sessiontoken", $sessiontoken, 0, "", "", false, true);
}
else
{
//Let's log the IP the user is connecting from
//we didnt want to do this up above because if a user has cookies disabled, it'll had a whole new row to the database on every page load
$numberONE=1;
$stmt = mysqli_prepare($sql,"INSERT INTO `iphistory_global` (`token`, `ip`, `views`, `lastuseragent`) VALUES (?, ?, ?, ?) ON DUPLICATE KEY UPDATE `views` = `views` + 1, `lastuseragent` = ?");
mysqli_stmt_bind_param($stmt, "ssiss", $_COOKIE['sessiontoken'], $_SERVER['REMOTE_ADDR'], $numberONE, $_SERVER['HTTP_USER_AGENT'], $_SERVER['HTTP_USER_AGENT']);
mysqli_stmt_execute($stmt);
}
//Lastly, lets increment the view counter
mysqli_query($sql, "INSERT INTO `config` (`name`, `value`) VALUES ('views', 1) ON DUPLICATE KEY UPDATE `value` = `value` + 1");
?>
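Review bot: Lines 46 and 48 interpolate `$token_data[userid]` and `$user[id]` straight into SQL through `mysqli_query`, while the token lookup, failure log and token deletes around them all use prepared statements; the values come from the database today, but this inconsistency is exactly where a later change to the id column turns into injection, and when no user row matches, `mysqli_fetch_assoc` returns null so the UPDATE on line 48 runs with an empty id. Both statements should be prepared like the rest of the file, and a null `$user` should be treated as an invalid token (delete it and clear the cookie) instead of falling through to the logging below. Separately, `$_SERVER['HTTP_USER_AGENT']` is bound unguarded on lines 81, 92 and 108; a request without that header produces a notice and a NULL bind, so `$_SERVER['HTTP_USER_AGENT'] ?? ''` is safer — confirm the `lastuseragent` columns accept an empty string.
```php
// … unchanged: token lookup, expiry and IP-verification check …
$stmt = mysqli_prepare($sql, "SELECT * FROM `users` WHERE `id` = ?");
mysqli_stmt_bind_param($stmt, "i", $token_data['userid']);
mysqli_stmt_execute($stmt);
$user = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt));
if($user === null)
{
//token points at a user that no longer exists: treat as invalid
$stmt = mysqli_prepare($sql,"DELETE FROM `tokens` WHERE `token` = ?");
mysqli_stmt_bind_param($stmt, "s", $_COOKIE['token']);
mysqli_stmt_execute($stmt);
setcookie("token", "");
$user="";
}
else
{
$time=time();
$stmt = mysqli_prepare($sql, "UPDATE `users` SET `lastview` = ? WHERE `id` = ?");
mysqli_stmt_bind_param($stmt, "ii", $time, $user['id']);
mysqli_stmt_execute($stmt);
}
// … unchanged: IP-verification failure and expired-token branches …
```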


@ -0,0 +1,80 @@
<?php
$starttime=hrtime(true);
//Disables all javascript using Content Security Policy; requires a CSP-compatible browser however
header('Content-Security-Policy: script-src \'self\';');
if(empty($run))
die('This file may not be run directly');
//BEGIN CONFIG
//Connect to mysql server
$sql=mysqli_connect( 'host', 'username', 'password', 'database') or die('Couldn\'t connect to database!');
mysqli_query($sql,"SET profiling = 1;");
//used for rss lol
$siteroot="http://mybord.example.fish/";
//Max number of posts to grab via RSS
$options['rssLimit'] = 20;
//Name of board
$boardname="mybord";
//Default theme id
$defaultThemeID=7;
//default scheme path
$defaultSchemePath="schemes/default.php";
//default banner
$defaultbanner="images/logoo.png";
//If true, please enable htmLawed, otherwise you will be vulnerable to XSS!!!!
$options['enableHTML'] = false; //If true, please enable htmLawed, otherwise you will be vulnerable to XSS!!!!
//If true, resanitizes existing HTML already in database when displayed (makes no changes to the database)
//Useful if HTML was enabled at one point, but later disabled (to prevent already stored HTML from rendering)
//Only takes effect if 'enableHTML' is false
//Note that this *will* be messy (especially if users had post layouts) so it's mostly useful for emergency purposes
$options['sanitizeExistingIfHTMLDisabled'] = true;
//Clean up and prevent HTML abuse; requires an external library
//Please read through the default htmLawed config below before enabling this
//If you follow the minibord installation instructions, the htmLawedPath should not need to be changed
$options['enablehtmLawed'] = true;
$options['htmLawedPath'] = 'lib/htmLawed.php';
//htmLawed config
//
//htmLawed has a variety of different options that it supports.
//Below are the default options for minibord. Please read through the explanations of each one.
//
//'safe'=>1 is what mitigates XSS in HTML. It is highly recommended to keep this
//
//'balance'=>0 disables balancing HTML. Without it, <divs> stretched between postheader and postfooter wouldn't work (since those are processed independently)
//
//'make_tag_strict'=>0 allows deprecated HTML elements. You can remove this if you want
//
//'style_pass'=>1 disables sanitizing inline styles. While I cannot find any information about true XSS through inline styles on modern browsers,
// there are some odd (and possibly no longer relevant [citation needed]) browser-specific extensions that may make this possible.
// Leave this in at your own risk, but removing it breaks URLs in inline styles. There are, however, CSS exploits that allow a CSRF token to
// be leaked, but minibord does not use them (it should and might in the future, however)
//
//'css_expression'=>1 disables some odd old IE-specific thing. Included just incase 'style_pass'=>1 disables this
//
$options['htmLawedconfig'] = array('safe'=>1, 'balance'=>0, 'make_tag_strict'=>0, 'style_pass'=>1, 'css_expression'=>1);
//Lets include our functions
require('corefiles/functions.php');
//Verify the user is logged in
require('corefiles/auth.php');
//Now lets include our script that generates the theme
require('corefiles/layoutgen.php');
?>
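Review bot: The comment on line 120 overstates what the header on line 121 does: `script-src 'self'` blocks inline and cross-origin scripts, but any script file served from this origin still executes, so it does not "disable all javascript" and would not cover a user-uploadable file under the site root. The policy also leaves `object-src` and `base-uri` unrestricted, which `script-src` alone does not cover; `header("Content-Security-Policy: script-src 'self'; object-src 'none'; base-uri 'self';");` tightens both without touching inline styles, which the `style_pass` option on line 170 depends on. The comment should read `//Blocks inline and third-party scripts via CSP (same-origin script files still run); requires a CSP-compatible browser`. Line 126 also hides the driver error behind `or die(...)`; calling `mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);` before the connect surfaces failures as exceptions instead. This section's file name is not shown on the page, so the fact that the credentials on line 126 are placeholders is taken at face value.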

89
corefiles/functions.php Normal file

@ -0,0 +1,89 @@
<?php
if(empty($run))
die('This file may not be run directly');
//This file stores (almost) all the custom functions for the bord
//print site footer
function printfooter()
{
global $starttime;
global $themesettings;
global $sql;
$endtime = hrtime(true);
$rendertime = ($endtime - $starttime) / 1e+9;
//$exec_time_result=mysqli_query($sql,"SELECT query_id, SUM(duration) FROM information_schema.profiling GROUP BY query_id ORDER BY query_id DESC LIMIT 1;");
//$exec_time_row = mysqli_fetch_array($exec_time_result);
//echo "<p>Query executed in ".$exec_time_row[1].' seconds';
print "</div><div class=\"footer\">minibord v1.03 - lots 'o junkz plus optional html after a decent hiatus edition <a href=https://github.com/NinCollin/minibord>(github)</a><br>PHP execution time: $rendertime</div>";
}
//Get username
function getusername($userid)
{
global $sql;
$userdata=mysqli_fetch_array(mysqli_query($sql, "SELECT `name`, `id`, `minipicurl`, `namecolor` FROM `users` WHERE `id` = $userid"));
if($userdata['namecolor'] == 0)
$namecolor = "#9da4f5";
elseif($userdata['namecolor'] == 1)
$namecolor = "#f59de5";
elseif($userdata['namecolor'] == 2)
$namecolor = "#c69df5";
return "<b><a href=profile.php?id=$userdata[id]><font color=$namecolor>$userdata[name]</font></a></b>";
}
//convert text to smilies
function showsmilies($text)
{
global $sql;
$smiliequery = mysqli_query($sql, "SELECT * FROM `smilies`");
while($smilie=mysqli_fetch_array($smiliequery))
{
$text=str_replace($smilie['code'], "<img src=\"$smilie[image]\" alt=\"$smilie[code]\">", $text);
}
return $text;
}
//print a message
function printmessage($string)
{
global $themesettings;
print "<table width=345 $themesettings[tableAttributes] class=\"table\"><tr><td align=center $themesettings[tdStyle1Attributes] class=\"tdStyle1\">$string</td></tr></table><br>
";
}
//print a message and die
function printdiemessage($string)
{
global $themesettings;
printmessage($string);
printfooter();
die();
}
?>
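Review bot: `getusername` interpolates `$userid` into the query on line 205 and prints `$userdata[name]` unescaped into HTML on line 212, and `$namecolor` is never assigned when `namecolor` is anything other than 0, 1 or 2 (lines 206-211), leaving an undefined variable in the returned markup. The callers are outside this hunk, so whether `$userid` is ever request-derived can't be confirmed here, but the function should prepare the statement, escape the name for the HTML context and give the colour a default, as below. `showsmilies` has the same unescaped interpolation on line 221 for `$smilie[code]` and `$smilie[image]`; those come from the `smilies` table rather than the request, so it is lower priority, but the same `htmlspecialchars` treatment applies. Note that `mysqli_fetch_array` returns null when no user matches, which both the original and the rewrite below still pass through unhandled.
```php
function getusername($userid)
{
global $sql;
$stmt = mysqli_prepare($sql, "SELECT `name`, `id`, `minipicurl`, `namecolor` FROM `users` WHERE `id` = ?");
mysqli_stmt_bind_param($stmt, "i", $userid);
mysqli_stmt_execute($stmt);
$userdata=mysqli_fetch_array(mysqli_stmt_get_result($stmt));
//default colour; previously undefined for any value other than 0, 1 or 2
$namecolor = "#9da4f5";
if($userdata['namecolor'] == 1)
$namecolor = "#f59de5";
elseif($userdata['namecolor'] == 2)
$namecolor = "#c69df5";
$name = htmlspecialchars($userdata['name'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
return "<b><a href=profile.php?id=$userdata[id]><font color=$namecolor>$name</font></a></b>";
}
```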

97
corefiles/layoutgen.php Normal file

@ -0,0 +1,97 @@
<?php
if(empty($run))
die('This file may not be run directly');
//Let's populate the theme array with the default settings
$themesettings = array(
//You can overwrite the default banner with a special one if you choose
"useCustomImageBanner" => false,
"banner" => NULL,
//Most styling should be done through CSS
"styletag" => "<style>
.body;
.header;
.tableHeader;
.tdBanner;
.tdHeaderLinks1;
.tdHeaderLinks2;
.tdHeaderViewCounter;
.tdHeaderTime;
.tdHeaderSpacer;
.content;
.table;
.thRegular;
.thCategory;
.tdStyle1;
.tdStyle2;
.smallText;
.footer;
</style>",
//Use only if necessary; CSS for styling is preferred
//Attributes to inject into the <body> tag
"bodyAttributes" => "",
//Attributes to inject into <table> <td> and <th> tags
"tableAttributes" => "",
"thRegularAttributes" => "",
"thCategoryAttributes" => "",
"tdStyle1Attributes" => "",
"tdStyle2Attributes" => "",
//Atributes to inject into the header table tags
"tableHeaderAttributes" => "",
"tdBannerAttributes" => "",
"tdHeaderLinks1Attributes" => "",
"tdHeaderLinks2Attributes" => "",
"tdHeaderViewCounterAttributes" => "",
"tdHeaderTimeAttributes" => "",
"tdHeaderSpacerAttributes" => ""
);
$isCookieThemeIDValid=0;
$cookieThemeID=0;
if(!empty($_COOKIE['theme']) && empty($user['theme']))
{
$cookieThemeID=intval($_COOKIE['theme']);
$isCookieThemeIDValid=mysqli_num_rows(mysqli_query($sql,"SELECT `id` FROM `themes` WHERE `id` = $cookieThemeID"));
}
if(!empty($user['theme']))
{
$themeArray=mysqli_fetch_array(mysqli_query($sql,"SELECT `path` FROM `themes` WHERE `id` = $user[theme]"));
include($themeArray['path']);
}
elseif(!empty($isCookieThemeIDValid))
{
$themeArray=mysqli_fetch_array(mysqli_query($sql,"SELECT `path` FROM `themes` WHERE `id` = $cookieThemeID"));
include($themeArray['path']);
}
else
{
$themeArray=mysqli_fetch_array(mysqli_query($sql,"SELECT `path` FROM `themes` WHERE `id` = $defaultThemeID"));
include($themeArray['path']);
}
if(!empty($themesettings['schemePath']))
{
include($themesettings['schemePath']);
}
else
{
include($defaultSchemePath);
}
?>
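Review bot: All three branches on lines 300-314 `include()` whatever `path` the `themes` row returns without checking that `mysqli_fetch_array` found a row, so `$user[theme]` (line 302) or `$defaultThemeID` pointing at a deleted theme makes `$themeArray` null, `include(null)` warns, and the page renders with no theme at all. The branches differ only in the id, so a single prepared query with a null check, as below, replaces them; line 302 also interpolates `$user[theme]` directly, which the prepared form fixes at the same time. The same missing check applies to `include($themesettings['schemePath'])` on line 317, where the path is whatever the theme file set. Because the included path is read from the database, it is worth constraining it to the themes directory (for example a `realpath` comparison against that directory) so that write access to the `themes` table cannot turn into inclusion of arbitrary files — how that table is populated is not visible in this commit.
```php
// … unchanged: $themesettings defaults and cookie-theme validation …
if(!empty($user['theme']))
$themeID=intval($user['theme']);
elseif(!empty($isCookieThemeIDValid))
$themeID=$cookieThemeID;
else
$themeID=$defaultThemeID;
$stmt = mysqli_prepare($sql, "SELECT `path` FROM `themes` WHERE `id` = ?");
mysqli_stmt_bind_param($stmt, "i", $themeID);
mysqli_stmt_execute($stmt);
$themeArray=mysqli_fetch_array(mysqli_stmt_get_result($stmt));
if($themeArray === null)
die('Configured theme id not found in the themes table');
include($themeArray['path']);
// … unchanged: scheme include …
```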