hpr_hub/hub/request.php

210 lines
8.3 KiB
PHP

<?php
# request.php > request_confirm.php > upload.php > upload_confirm.php
require "/home/hpr/php/include.php";
$ip = $_SERVER["REMOTE_ADDR"];
$key = uniqid(md5(rand()));
# Remove any stale requests.
# This should be enough to deter attackers while been short enough to allow real hosts to request a show.
$query_delete_old = "DELETE FROM reservations WHERE reservations.timestamp + INTERVAL 1 DAY <= UTC_TIMESTAMP() AND reservations.verified = 0";
$result_delete_old = @mysqli_query($connection, $query_delete_old);
# Remove stale requests from this IP Address after 15 minutes.
# This should be enough to deter attackers while been short enough to allow real hosts to request a show.
$query_delete = "DELETE FROM reservations WHERE reservations.ip = '$ip' AND reservations.timestamp + INTERVAL 15 MINUTE <= UTC_TIMESTAMP() AND reservations.verified = 0";
$result_delete = @mysqli_query($connection, $query_delete);
# Check that this ip is not uploading in another session
$query_dupe = "SELECT COUNT(*), timestamp FROM `reservations` WHERE ip = '$ip' and verified = 0";
$result_dupe = mysqli_query($connection, "$query_dupe");
$row_dupe = mysqli_fetch_array($result_dupe, MYSQLI_NUM);
$num_from_this_ip = $row_dupe[0];
$show_timestamp = strtotime($row_dupe[1]);
if( !isset($row_dupe) or $num_from_this_ip != 0 ) {
header('Cache-Control: no-cache');
header('Pragma: no-cache');
header("Status: 412 Precondition Failed");
echo "<h1>Existing request detected: ";
$timestamp = time()+date("Z");
echo gmdate("Y-m-d\TH:i:s\Z",$timestamp);
echo "</h1>\n";
$localtime = date('l jS \of F Y h:i:s A', $show_timestamp);
echo "<p>It seems another request was made from this ip address\n (${ip}) on ${localtime}.</p>\n";
echo "<p>This lock is set for 15 minutes to deter attacks and will be released in about " . round(abs(16 - ( $timestamp - $show_timestamp ) / 60 ) ) . " minutes.</small></p>\n";
echo "<p>There are several reasons why you would see this page:</p>\n";
echo "<ul>";
echo "<li>You already made a request for a show.\n
<ul>\n
<li>Check your email inbox and <strong>spam</strong> folder to see if the message has arrived.<br />\n
We have had reports that sometimes gmail and hotmail consider the messages as spam. <br />\n
We recommend <a href=\"https://onlinegroups.net/blog/2014/02/25/how-to-whitelist-an-email-address\" target=\"_blank\">white listing</a> the email address <strong>robot@hackerpublicradio.org</strong>\n
</li>\n
<li>You may have typed the address into the browser and it \"autofilled\" this old address</li>\n
<li>You are using an old version of the <a href=\"${hubBaseurl}calendar.php\">calendar</a> page. Press F5 in the <a href=\"${hubBaseurl}calendar.php\">calendar</a> page to refresh.</li>\n
</ul>\n
</li>\n";
echo "<li>The show has already been allocated to another host. </li>\n";
echo "</ul>\n";
echo "</p>\n";
echo "<p>Return to the <a href=\"${hubBaseurl}calendar.php\">calendar</a> page.</p>\n";
echo "<!-- If you are attacking us why not record a show telling us about what you were trying to do :) -->\n";
echo "<hr />\n";
echo "<p>If you are having issues please send the following information to admin @ HPR to assist in troubleshooting the issue:</p>\n";
echo "<pre>\n";
echo "${timestamp}\n";
echo "${show_timestamp}\n";
$agent = $_SERVER['HTTP_USER_AGENT'];
$uri = $_SERVER['REQUEST_URI'];
print "${ip}\n";
print "${agent}\n";
print "${uri}\n";
echo "</pre>\n";
echo "<hr />\n";
file_put_contents($naughtyfile, date('Y-m-d\TH:i:s\Z') . "\t" . getUserIPAdress() . "\tExisting Request\t" . $_SERVER['REQUEST_URI'] . "\t" . $_SERVER["HTTP_USER_AGENT"] . "\n" , FILE_APPEND | LOCK_EX );
exit;
}
# Create a temporary entry for this host.
$query_add = "INSERT INTO reservations VALUES ('$ip', UTC_TIMESTAMP(), '$key', '0', '1970-01-01', 'none@example.com', '0', 'REQUEST_UNVERIFIED' )";
$result = mysqli_query($connection, $query_add ) or die(mysqli_error());
# Check to see if we're under attack
$query = "SELECT COUNT(*) as total FROM `reservations` WHERE ep_num = 0";
$result = mysqli_query($connection, "$query");
$row = mysqli_fetch_array($result, MYSQLI_NUM);
$total = $row[0];
if( !isset($total) or $total > 150 ) {
header("Status: 412 Precondition Failed");
echo "<h1>Suspicious activity detected</h1>";
echo "<p>$total Uploads have temporarily been suspended due to suspicious activity.<br/>
If you are attacking us why not record a show telling us about what you were trying to do ?</p>";
echo "<p>While these people have their fun, can we ask you to send your show another way.<br />
Contact admin @ HPR for more information.</p>";
exit;
}
// Populate the list of posted shows
$show_array = array ();
$ep_retrieve = "(SELECT `id`, `date` FROM eps ) UNION (SELECT `ep_num` AS id, `ep_date` AS date FROM reservations WHERE `ep_num` >0) order by id";
if ($result = mysqli_query($connection, $ep_retrieve)) {
while ($row = mysqli_fetch_array($result)) {
$rowid = $row['id'];
$date = $row['date'];
$show_array[$rowid] = date('Y-m-d', strtotime($date) ) ;
}
}
/*
Entry is either to the page or with the id variable set (default selected)
*/
if (isset($_GET['id'])){
$id = $_GET['id'];
$id = intval($id);
$num_get_args=0;
foreach($_GET as $k => $v) {
++$num_get_args;
}
if ( strval( intval( $id ) ) != strval( $id ) ) {
naughty("e015b7c89da03385a9156d3e5d2eb25d");
}
if ( intval( $id ) <= 0 ) {
naughty("1493a07dec01a006d11bf43d2f17e5aa");
}
if ( $num_get_args > 2 ) {
naughty("79543dbb498ec47404aaed4d56bdc22b");
}
if ( intval($id) > 9999 ) {
naughty("f1f531c768f64404cb00437254b06d71");
}
if ( $id != 9999 ) {
if ( isset( $show_array[$id] ) ) {
naughty("2227263ac7171aca3214d155dec539ad");
}
}
}
else {
$id = "";
}
$query = mysqli_query($connection, "SELECT id, date FROM eps mo
WHERE NOT EXISTS
(
SELECT NULL
FROM eps mi
WHERE mi.id = mo.id + 1
)
ORDER BY
id
LIMIT 1");
$next_show_num_array = mysqli_fetch_row($query);
$next_show_num = $next_show_num_array[0] + 1;
$next_show_date = date('Y-m-d', strtotime($next_show_num_array[1] . ' + 1 weekday'));
$body="give";
//$body="index_full";
include 'header.html';
?>
<main id="maincontent">
<h1>Requesting a slot for your show.</h1>
<p>Please select your desired slot, and enter a valid email address.<br />
See our <a aria-label="Help on adding an episode" href="<?php echo "${baseurl}about.html#adding_an_episode"; ?>">help page</a> for more information</a>
</p>
<form method="POST" action="request_confirm.php">
<table>
<tr>
<td>Slot:</td>
<td>
<?php
echo "<select name=\"ep_num_date\">\n";
$this_episode_date = $next_show_date;
if ( $id == 9999 ) {
echo "<option value=\"9999_1970-01-01\" selected>Reserve Queue.</option>\n";
}
else {
echo "<option value=\"9999_1970-01-01\">Reserve Queue.</option>\n";
}
for ( $slot = $next_show_num; $slot<($next_show_num+365); $slot++ ) {
if (empty($show_array[$slot])) {
if ( $slot == $id ) {
echo "<option value=\"${slot}_${this_episode_date}\" selected>hpr${slot} " . date('Y-m-d D', strtotime($this_episode_date) ) . "</option>\n";
}
else {
}
echo "<option value=\"${slot}_${this_episode_date}\">hpr${slot} " . date('Y-m-d D', strtotime($this_episode_date) ) . "</option>\n";
}
$this_episode_date = date('Y-m-d', strtotime($this_episode_date . ' + 1 weekday'));
}
echo "</select>";
if ( ( $slot < $id ) AND ( $id != 9999 ) ) {
echo "<br />\n<span id=\"small\">Unfortunately it is not possible to schedule episode $id. Please select another slot or contact admin@hackerpublicradio.org for more assistance.</span>\n";
}
?>
</td>
</tr>
<tr>
<td>E-mail:</td>
<td><input required type="email" name="email" placeholder="To send you the upload link"></td>
</tr>
</table>
<p><em>You must have your audio recording ready to upload <a aria-label="Help on the reserving a slot" href="<?php echo "${baseurl}about.html#reserving"; ?>"><strong>before</strong> you pick a slot</a>.</em></p>
<input type="submit" value="Next">
</form>
<p>
We will send you an email with a link to where you can upload your show.
</p>
</main>
<?php
include 'footer.html';
?>