diff --git a/hub/calendar.php b/hub/calendar.php index bb664d2..5237696 100644 --- a/hub/calendar.php +++ b/hub/calendar.php 
@@ -17,23 +17,64 @@ include 'header.php'; $ip = $_SERVER["REMOTE_ADDR"]; -# Remove any stale requests. +# Remove any stale REQUEST_UNVERIFIED requests. # This should be enough to deter attackers while been short enough to allow real hosts to request a show. -$query_delete_old = "DELETE +$query_delete_old_REQUEST_UNVERIFIED = "DELETE FROM reservations WHERE reservations.timestamp + INTERVAL 1 HOUR <= UTC_TIMESTAMP() AND reservations.status = 'REQUEST_UNVERIFIED'"; -$result_delete_old = @mysqli_query($connection, $query_delete_old); -logextra( "Deleting requests older than 1 hour" . $result_delete_old ); +$result_delete_old_REQUEST_UNVERIFIED = @mysqli_query($connection, $query_delete_old_REQUEST_UNVERIFIED); +if(!$result_delete_old_REQUEST_UNVERIFIED) { + problem("ERROR: DB problem - The old REQUEST_UNVERIFIED records were not removed from the reservations db."); +} +else{ + logextra( "mysql_query.result: \"$result\"\n" ); +} + +logextra( "Removed REQUEST_UNVERIFIED requests older than 1 hour " . $result_delete_old_REQUEST_UNVERIFIED ); + + +# Remove any stale REQUEST_EMAIL_SENT requests. +# This should be enough for someone to acutally upload a show +$query_delete_old_REQUEST_EMAIL_SENT = "DELETE +FROM + reservations +WHERE + reservations.timestamp + INTERVAL 3 HOUR <= UTC_TIMESTAMP() + AND reservations.status = 'REQUEST_EMAIL_SENT'"; +$result_delete_old_REQUEST_EMAIL_SENT = @mysqli_query($connection, $query_delete_old_REQUEST_EMAIL_SENT); +if(!$result_delete_old_REQUEST_EMAIL_SENT) { + problem("ERROR: DB problem - The old REQUEST_EMAIL_SENT records were not removed from the reservations db."); +} +else{ + logextra( "mysql_query.result: \"$result\"\n" ); +} + +logextra( "Removed REQUEST_EMAIL_SENT requests older than 3 hours " . $result_delete_old_REQUEST_EMAIL_SENT ); + # Remove stale requests from this IP Address after 15 minutes. # This should be enough to deter attackers while been short enough to allow real hosts to request a show. 
-$query_delete = "DELETE FROM reservations WHERE reservations.ip = '$ip' AND reservations.timestamp + INTERVAL 15 MINUTE <= UTC_TIMESTAMP() AND reservations.status = 'REQUEST_UNVERIFIED'"; +$query_delete = "DELETE +FROM + reservations +WHERE + reservations.ip = '$ip' +AND + reservations.timestamp + INTERVAL 15 MINUTE <= UTC_TIMESTAMP() +AND + reservations.status = 'REQUEST_UNVERIFIED'"; $result_delete = @mysqli_query($connection, $query_delete); -logextra( "Remove stale requests from this \"${ip}\" IP Address after 15 minutes. " . $result_delete_old ); +if(!$result_delete) { + problem("ERROR: DB problem - The old REQUEST_UNVERIFIED records were not removed from this \"${ip}\" IP Address after 15 minutes."); +} +else{ + logextra( "mysql_query.result: \"$result\"\n" ); +} +logextra( "Remove REQUEST_UNVERIFIED stale requests from this \"${ip}\" IP Address after 15 minutes. " . $result_delete ); // -------------------------------------------- // Get first free slot diff --git a/hub/upload.php b/hub/upload.php index 5e49334..e438e07 100644 --- a/hub/upload.php +++ b/hub/upload.php 
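Review bot: All three `else{ logextra( "mysql_query.result: \"$result\"\n" ); }` branches log `$result`, which nothing in this hunk assigns — the variables the hunk does set are `$result_delete_old_REQUEST_UNVERIFIED`, `$result_delete_old_REQUEST_EMAIL_SENT` and `$result_delete`, so unless `$result` is defined above line 17 this logs an undefined variable (and a stale value otherwise); each branch should name its own variable, e.g. `logextra( "mysqli_query.result: \"$result_delete_old_REQUEST_UNVERIFIED\"\n" );`. The new failure branches also lose the reason for the failure: `@mysqli_query` suppresses the driver error, so `problem()` reports "DB problem" without it — append `mysqli_error($connection)` to each message, e.g. `problem("ERROR: DB problem - The old REQUEST_UNVERIFIED records were not removed from the reservations db. " . mysqli_error($connection));`. The rewritten third query still interpolates `$ip` straight into the SQL (`reservations.ip = '$ip'`); REMOTE_ADDR is server-supplied rather than typed by the client, but a prepared statement with a bound parameter removes the need to reason about that at all.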
@@ -10,18 +10,23 @@ if ( $_SERVER['REQUEST_METHOD'] !== 'GET' and empty($_SERVER["REMOTE_ADDR"]) and call412("9a77e4ab24410cbf68a3a05ba97221e4 Not a GET request"); } +logextra( "Is a GET Request" ); + if ( isset( $_GET['key'] ) and strlen( $_GET['key'] ) === 45 and strlen( htmlspecialchars( stripslashes( strip_tags( $_GET['key'] ) ) ) ) === 45 and ctype_xdigit( $_GET['key'] ) ) { $key = htmlspecialchars( stripslashes( strip_tags( $_GET['key'] ) ) ); } else { if ( isset( $_GET['delete'] ) and strlen( $_GET['delete'] ) === 45 and strlen( htmlspecialchars( stripslashes( strip_tags( $_GET['delete'] ) ) ) ) === 45 and ctype_xdigit( $_GET['delete'] ) ) { $key = htmlspecialchars( stripslashes( strip_tags( $_GET['delete'] ) ) ); + logextra( "Is delete request" ); } else { call412("e8ac90fc2a8996e5fb7a83e73e636e80 Invalid key"); } } +logextra( "Key is valid" ); + $ip = $_SERVER["REMOTE_ADDR"]; $query = "select * FROM reservations WHERE reservations.ip = '$ip' AND reservations.key = '$key' "; @@ -29,6 +34,8 @@ $result = mysqli_query($connection, $query); if($result === FALSE) { call412("91432866e3c9c36a9c4884345d578761 Could not find ip=\"$ip\" AND key=\"$key\" in the database. Did your IP address change ? Was the removed after 15 Munites ?"); } +logextra( "Found ip=\"$ip\" AND key=\"$key\" in the database" ); + $db = mysqli_fetch_array($result, MYSQLI_ASSOC); if ( empty($db) or empty( $db['timestamp'] ) or empty( $db['key'] ) or empty( $db['ep_num'] ) or empty( $db['ep_date'] ) or empty( $db['email'] ) ) { call412("b019bd29c1fe5b756e4b620a5428f730 The information for this reservation is not correct in the database."); 
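Review bot: `logextra( "Is a GET Request" );` is placed after a guard that, as far as the header context shows (`if ( $_SERVER['REQUEST_METHOD'] !== 'GET' and empty($_SERVER["REMOTE_ADDR"]) and …`), only calls `call412` when every `and`-joined condition holds, so a non-GET request that does carry a REMOTE_ADDR would fall through and still be logged as a GET request. If the intent is to reject every non-GET request the guard needs to be an `or` chain or be split into separate checks; if the `and` is deliberate, the message should state what was actually established, e.g. `logextra( "Request passed method/address check" );`. The remainder of that condition lies outside the hunk, so this is inferred from the visible fragment.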
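Review bot: `logextra( "Found ip=\"$ip\" AND key=\"$key\" in the database" );` is emitted before any row is fetched; `mysqli_query` returns FALSE only when the SELECT itself fails, and a query that matches nothing still returns a result object, so this line claims a match that the preceding `=== FALSE` check does not establish. Move it below the `if ( empty($db) … )` check that follows (whose body continues past the hunk), or log `mysqli_num_rows($result)` instead of asserting a match. Separately, `$key` is the 45-hex-digit credential that authorises this reservation (and its deletion), and this adds another place where it is written in full to the log; logging a prefix such as `substr($key, 0, 8)` keeps the entry traceable without copying the secret into the log store.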
@@ -41,8 +48,11 @@ else { $ep_num = $db['ep_num']; $ep_date = $db['ep_date']; $db_ip = $db['ip']; + $status = $db['status']; } +logextra( "The information for this reservation is correct in the database." ); + // User selects delete if ( isset( $_GET['delete'] ) ) { $query = "DELETE FROM reservations WHERE reservations.ip = '$ip' AND reservations.key = '$key' "; @@ -54,10 +64,24 @@ if ( isset( $_GET['delete'] ) ) { header( "Location: ${hubBaseurl}calendar.php" ) ; $dir_structure = "/home/hpr/upload/" . strtotime($db_timestamp) . "_${ep_num}_${ep_date}_${db_key}/"; rrmdir("$dir_structure"); + logextra( "Removed the reservation" ); exit; } } +logextra( "Not a delete" ); + +if ( empty($status) ) { + naughty("317be55a55a82110b2836499580be486 did not find a status \"$status\" in the db."); +} + +logextra( "Found the status $status" ); + +if ($status !== 'REQUEST_EMAIL_SENT' && $status !== 'EMAIL_LINK_CLICKED') { + naughty("65743c3fb8a2e171f56ec514ec45c1bc The status \"$status\" is not expected, should be REQUEST_EMAIL_SENT or EMAIL_LINK_CLICKED in the db."); +} +logextra( "The status \"$status\" is expected, should be either REQUEST_EMAIL_SENT or EMAIL_LINK_CLICKED." ); + // Set the show to verified so that we can remove the temporary lock $status = strtotime("now") . ".EMAIL_LINK_CLICKED." . date('Y-m-d\TH:i:s\Z'); $query = "UPDATE reservations SET `verified` = '1', `status` = 'EMAIL_LINK_CLICKED' WHERE `ip` = '$db_ip' AND `timestamp` = '$db_timestamp' AND `key` = '$db_key'"; @@ -66,6 +90,8 @@ if(!isset($result)) { naughty("066c518314f0d3b1ad3e4af60fcf36ce Could not change status to EMAIL_LINK_CLICKED"); } +logextra( "Updated status to EMAIL_LINK_CLICKED" ); + // Display host information /* */ @@ -354,5 +380,6 @@ include 'header.php';
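Review bot: The new `if ( empty($status) )` guard is redundant with the strict comparison three lines below it, and its message interpolates `$status` when that value is by construction empty, so it always reads `did not find a status "" in the db.`. A single allow-list check covers both cases: `if (!in_array($status, ['REQUEST_EMAIL_SENT', 'EMAIL_LINK_CLICKED'], true)) {` followed by the existing `naughty("65743c3f…")` call. Note also that the delete branch above runs before this status check, so a reservation in any status can be deleted by whoever holds the key and IP; if that is intended, a one-line comment such as `// Deletion is allowed in any status; the state check below applies to verification only` would save the next reader the question.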
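Review bot: `logextra( "Updated status to EMAIL_LINK_CLICKED" );` reports a success that the guard above it does not establish: `if(!isset($result))` (the enclosing check starts on the header context line, outside the hunk) is true only when `$result` was never assigned, whereas a failed UPDATE makes `mysqli_query` return FALSE, for which `isset` is still true. Assuming `$result` holds the return of `mysqli_query` for the UPDATE built in the previous hunk, the check should be `if ($result === false || mysqli_affected_rows($connection) !== 1) {` so that both a driver error and a no-row match take the `naughty()` path before the success line is logged. As written, the new log line is only evidence that the update was attempted.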