HPR/hpr_hub
8
0
Fork 3
Code Issues 48 Pull Requests Packages Projects Releases Wiki Activity

2026-04-05_14-37-09Z_Sunday fix for status change on reclicking link

Browse Source
This commit is contained in:
Ken Fallon
2026-04-05 16:37:09 +02:00
parent c92a73ff4e
commit e59d26d0ea
2 changed files with 74 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

53
hub/calendar.php
View File

@@ -17,23 +17,64 @@ include 'header.php';
$ip = $_SERVER["REMOTE_ADDR"]; $ip = $_SERVER["REMOTE_ADDR"];
# Remove any stale requests. # Remove any stale REQUEST_UNVERIFIED requests.
# This should be enough to deter attackers while been short enough to allow real hosts to request a show. # This should be enough to deter attackers while been short enough to allow real hosts to request a show.
$query_delete_old = "DELETE $query_delete_old_REQUEST_UNVERIFIED = "DELETE
FROM FROM
reservations reservations
WHERE WHERE
reservations.timestamp + INTERVAL 1 HOUR <= UTC_TIMESTAMP() reservations.timestamp + INTERVAL 1 HOUR <= UTC_TIMESTAMP()
AND reservations.status = 'REQUEST_UNVERIFIED'"; AND reservations.status = 'REQUEST_UNVERIFIED'";
$result_delete_old = @mysqli_query($connection, $query_delete_old); $result_delete_old_REQUEST_UNVERIFIED = @mysqli_query($connection, $query_delete_old_REQUEST_UNVERIFIED);
logextra( "Deleting requests older than 1 hour" . $result_delete_old ); if(!$result_delete_old_REQUEST_UNVERIFIED) {
problem("ERROR: DB problem - The old REQUEST_UNVERIFIED records were not removed from the reservations db.");
}
else{
logextra( "mysql_query.result: \"$result\"\n" );
}
logextra( "Removed REQUEST_UNVERIFIED requests older than 1 hour " . $result_delete_old_REQUEST_UNVERIFIED );
# Remove any stale REQUEST_EMAIL_SENT requests.
# This should be enough for someone to acutally upload a show
$query_delete_old_REQUEST_EMAIL_SENT = "DELETE
FROM
reservations
WHERE
reservations.timestamp + INTERVAL 3 HOUR <= UTC_TIMESTAMP()
AND reservations.status = 'REQUEST_EMAIL_SENT'";
$result_delete_old_REQUEST_EMAIL_SENT = @mysqli_query($connection, $query_delete_old_REQUEST_EMAIL_SENT);
if(!$result_delete_old_REQUEST_EMAIL_SENT) {
problem("ERROR: DB problem - The old REQUEST_EMAIL_SENT records were not removed from the reservations db.");
}
else{
logextra( "mysql_query.result: \"$result\"\n" );
}
logextra( "Removed REQUEST_EMAIL_SENT requests older than 3 hours " . $result_delete_old_REQUEST_EMAIL_SENT );
# Remove stale requests from this IP Address after 15 minutes. # Remove stale requests from this IP Address after 15 minutes.
# This should be enough to deter attackers while been short enough to allow real hosts to request a show. # This should be enough to deter attackers while been short enough to allow real hosts to request a show.
$query_delete = "DELETE FROM reservations WHERE reservations.ip = '$ip' AND reservations.timestamp + INTERVAL 15 MINUTE <= UTC_TIMESTAMP() AND reservations.status = 'REQUEST_UNVERIFIED'"; $query_delete = "DELETE
FROM
reservations
WHERE
reservations.ip = '$ip'
AND
reservations.timestamp + INTERVAL 15 MINUTE <= UTC_TIMESTAMP()
AND
reservations.status = 'REQUEST_UNVERIFIED'";
$result_delete = @mysqli_query($connection, $query_delete); $result_delete = @mysqli_query($connection, $query_delete);
logextra( "Remove stale requests from this \"${ip}\" IP Address after 15 minutes. " . $result_delete_old ); if(!$result_delete) {
problem("ERROR: DB problem - The old REQUEST_UNVERIFIED records were not removed from this \"${ip}\" IP Address after 15 minutes.");
}
else{
logextra( "mysql_query.result: \"$result\"\n" );
}
logextra( "Remove REQUEST_UNVERIFIED stale requests from this \"${ip}\" IP Address after 15 minutes. " . $result_delete );
// -------------------------------------------- // --------------------------------------------
// Get first free slot // Get first free slot

27
hub/upload.php
View File

@@ -10,18 +10,23 @@ if ( $_SERVER['REQUEST_METHOD'] !== 'GET' and empty($_SERVER["REMOTE_ADDR"]) and
call412("9a77e4ab24410cbf68a3a05ba97221e4 Not a GET request"); call412("9a77e4ab24410cbf68a3a05ba97221e4 Not a GET request");
} }
logextra( "Is a GET Request" );
if ( isset( $_GET['key'] ) and strlen( $_GET['key'] ) === 45 and strlen( htmlspecialchars( stripslashes( strip_tags( $_GET['key'] ) ) ) ) === 45 and ctype_xdigit( $_GET['key'] ) ) { if ( isset( $_GET['key'] ) and strlen( $_GET['key'] ) === 45 and strlen( htmlspecialchars( stripslashes( strip_tags( $_GET['key'] ) ) ) ) === 45 and ctype_xdigit( $_GET['key'] ) ) {
$key = htmlspecialchars( stripslashes( strip_tags( $_GET['key'] ) ) ); $key = htmlspecialchars( stripslashes( strip_tags( $_GET['key'] ) ) );
} }
else { else {
if ( isset( $_GET['delete'] ) and strlen( $_GET['delete'] ) === 45 and strlen( htmlspecialchars( stripslashes( strip_tags( $_GET['delete'] ) ) ) ) === 45 and ctype_xdigit( $_GET['delete'] ) ) { if ( isset( $_GET['delete'] ) and strlen( $_GET['delete'] ) === 45 and strlen( htmlspecialchars( stripslashes( strip_tags( $_GET['delete'] ) ) ) ) === 45 and ctype_xdigit( $_GET['delete'] ) ) {
$key = htmlspecialchars( stripslashes( strip_tags( $_GET['delete'] ) ) ); $key = htmlspecialchars( stripslashes( strip_tags( $_GET['delete'] ) ) );
logextra( "Is delete request" );
} }
else { else {
call412("e8ac90fc2a8996e5fb7a83e73e636e80 Invalid key"); call412("e8ac90fc2a8996e5fb7a83e73e636e80 Invalid key");
} }
} }
logextra( "Key is valid" );
$ip = $_SERVER["REMOTE_ADDR"]; $ip = $_SERVER["REMOTE_ADDR"];
$query = "select * FROM reservations WHERE reservations.ip = '$ip' AND reservations.key = '$key' "; $query = "select * FROM reservations WHERE reservations.ip = '$ip' AND reservations.key = '$key' ";
@@ -29,6 +34,8 @@ $result = mysqli_query($connection, $query);
if($result === FALSE) { if($result === FALSE) {
call412("91432866e3c9c36a9c4884345d578761 Could not find ip=\"$ip\" AND key=\"$key\" in the database. Did your IP address change ? Was the removed after 15 Munites ?"); call412("91432866e3c9c36a9c4884345d578761 Could not find ip=\"$ip\" AND key=\"$key\" in the database. Did your IP address change ? Was the removed after 15 Munites ?");
} }
logextra( "Found ip=\"$ip\" AND key=\"$key\" in the database" );
$db = mysqli_fetch_array($result, MYSQLI_ASSOC); $db = mysqli_fetch_array($result, MYSQLI_ASSOC);
if ( empty($db) or empty( $db['timestamp'] ) or empty( $db['key'] ) or empty( $db['ep_num'] ) or empty( $db['ep_date'] ) or empty( $db['email'] ) ) { if ( empty($db) or empty( $db['timestamp'] ) or empty( $db['key'] ) or empty( $db['ep_num'] ) or empty( $db['ep_date'] ) or empty( $db['email'] ) ) {
call412("b019bd29c1fe5b756e4b620a5428f730 The information for this reservation is not correct in the database."); call412("b019bd29c1fe5b756e4b620a5428f730 The information for this reservation is not correct in the database.");
@@ -41,8 +48,11 @@ else {
$ep_num = $db['ep_num']; $ep_num = $db['ep_num'];
$ep_date = $db['ep_date']; $ep_date = $db['ep_date'];
$db_ip = $db['ip']; $db_ip = $db['ip'];
$status = $db['status'];
} }
logextra( "The information for this reservation is correct in the database." );
// User selects delete // User selects delete
if ( isset( $_GET['delete'] ) ) { if ( isset( $_GET['delete'] ) ) {
$query = "DELETE FROM reservations WHERE reservations.ip = '$ip' AND reservations.key = '$key' "; $query = "DELETE FROM reservations WHERE reservations.ip = '$ip' AND reservations.key = '$key' ";
@@ -54,10 +64,24 @@ if ( isset( $_GET['delete'] ) ) {
header( "Location: ${hubBaseurl}calendar.php" ) ; header( "Location: ${hubBaseurl}calendar.php" ) ;
$dir_structure = "/home/hpr/upload/" . strtotime($db_timestamp) . "_${ep_num}_${ep_date}_${db_key}/"; $dir_structure = "/home/hpr/upload/" . strtotime($db_timestamp) . "_${ep_num}_${ep_date}_${db_key}/";
rrmdir("$dir_structure"); rrmdir("$dir_structure");
logextra( "Removed the reservation" );
exit; exit;
} }
} }
logextra( "Not a delete" );
if ( empty($status) ) {
naughty("317be55a55a82110b2836499580be486 did not find a status \"$status\" in the db.");
}
logextra( "Found the status $status" );
if ($status !== 'REQUEST_EMAIL_SENT' && $status !== 'EMAIL_LINK_CLICKED') {
naughty("65743c3fb8a2e171f56ec514ec45c1bc The status \"$status\" is not expected, should be REQUEST_EMAIL_SENT or EMAIL_LINK_CLICKED in the db.");
}
logextra( "The status \"$status\" is expected, should be either REQUEST_EMAIL_SENT or EMAIL_LINK_CLICKED." );
// Set the show to verified so that we can remove the temporary lock // Set the show to verified so that we can remove the temporary lock
$status = strtotime("now") . ".EMAIL_LINK_CLICKED." . date('Y-m-d\TH:i:s\Z'); $status = strtotime("now") . ".EMAIL_LINK_CLICKED." . date('Y-m-d\TH:i:s\Z');
$query = "UPDATE reservations SET `verified` = '1', `status` = 'EMAIL_LINK_CLICKED' WHERE `ip` = '$db_ip' AND `timestamp` = '$db_timestamp' AND `key` = '$db_key'"; $query = "UPDATE reservations SET `verified` = '1', `status` = 'EMAIL_LINK_CLICKED' WHERE `ip` = '$db_ip' AND `timestamp` = '$db_timestamp' AND `key` = '$db_key'";
@@ -66,6 +90,8 @@ if(!isset($result)) {
naughty("066c518314f0d3b1ad3e4af60fcf36ce Could not change status to EMAIL_LINK_CLICKED"); naughty("066c518314f0d3b1ad3e4af60fcf36ce Could not change status to EMAIL_LINK_CLICKED");
} }
logextra( "Updated status to EMAIL_LINK_CLICKED" );
// Display host information // Display host information
/* /*
*/ */
@@ -354,5 +380,6 @@ include 'header.php';
</script> </script>
</form> </form>
<?php <?php
logextra( "Form displayed" );
include 'footer.php'; include 'footer.php';
?> ?>