* Simplify vnc.php

php/validate.php

@@ -0,0 +1,147 @@
+<?php
+
+class Validate {
+
+	private $f;
+
+	function __construct(array $pool)
+	{
+		$this->f = $pool;
+	}
+
+	public static function short_string($string, $exact_len = 0)
+	{
+		if (filter_var($string, FILTER_SANITIZE_STRING) != $string){
+			throw new Exception($string." string did not pass the validation");
+		}
+		$len = strlen($string);
+		if ($exact_len > 0){
+			if ($len != $exact_len) {
+				throw new Exception($string." string did not pass the lenght validation");
+			}
+		} else {
+			if ($len < 1 || $len > 34){
+				throw new Exception($string." string did not pass the lenght validation");
+			}
+		}
+	}
+
+	public static function url($url)
+	{
+		if (filter_var($url, FILTER_SANITIZE_URL) != $url){
+			throw new Exception($string." string did not pass the validation");
+		}
+	}
+
+	public static function long_string($string)
+	{
+		if (filter_var($string, FILTER_SANITIZE_STRING) != $string){
+			throw new Exception($string." string did not pass the validation");
+		}
+		$len = strlen($string);
+		if ($len < 1 || $len > 150){
+			throw new Exception($string." string did not pass the lenght validation");
+		}
+	}
+
+	public function exists($key)
+	{
+		return isset($this->f[$key]);
+	}
+
+	public function add_default($key, $val)
+	{
+		// NOTE this appends to f and it will stay there
+		if (!isset($this->f[$key])){
+			$this->f[$key] = $val;
+		}
+	}
+
+	public function all()
+	{
+		foreach($this->f as $f){
+			if (filter_var($f, FILTER_SANITIZE_STRING) != $f){
+				throw new Exception($f." string did not pass the validation");
+			}
+		}
+
+		return $this->f;
+	}
+
+	public function these(array $list)
+	{
+		if (empty($this->f)) {
+			throw new Exception("Validation data pool is empty");
+		}
+
+		foreach($list as $e => $type){
+			if (!isset($this->f[$e])){
+				throw new Exception($e.' is not set in form');
+			}
+		}
+
+		$r = [];
+
+		foreach($list as $e => $type){
+
+			switch($type){
+				case 1: # INT
+					$r[$e] = (int)$this->f[$e];
+					break;
+				case 2: # INT 0 not accepted
+					$r[$e] = (int)$this->f[$e];
+					if($r[$e] == 0){
+						throw new Exception($e." can't be 0");
+					}
+					break;
+				case 3: # SHORT STRING
+					if (filter_var($e, FILTER_SANITIZE_STRING) != $e){
+						throw new Exception($e." string did not pass the validation");
+					}
+					$len = strlen($this->f[$e]);
+					if ($len < 1 || $len > 34){
+						throw new Exception($e." string did not pass the lenght validation");
+					}
+					$r[$e] = $this->f[$e];
+					break;
+				case 4: # LONG STRING
+					if (filter_var($e, FILTER_SANITIZE_STRING) != $e){
+						throw new Exception($e." string did not pass the validation");
+					}
+					$len = strlen($this->f[$e]);
+					if ($len < 1 || $len > 150){
+						throw new Exception($e." string did not pass the lenght validation");
+					}
+					$r[$e] = $this->f[$e];
+					break;
+				case 5: # STRING WITH SPECIAL CHARS
+					if (filter_var($e, FILTER_SANITIZE_SPECIAL_CHARS) != $e){
+						throw new Exception($e." string did not pass the validation");
+					}
+					$len = strlen($this->f[$e]);
+					if ($len < 1 || $len > 20){
+						throw new Exception($e." string did not pass the lenght validation");
+					}
+					$r[$e] = $this->f[$e];
+					break;
+				case 6: # IP v4
+					if (filter_var($e, FILTER_FLAG_IPV4) != $e){
+						throw new Exception($e." string did not pass the validation");
+					}
+					$r[$e] = $this->f[$e];
+					break;
+			}
+
+			switch($e){
+				case 'password':
+					if ($len < 6){
+						throw new Exception("Minimal password lenght is 6");
+					}
+					break;
+			}
+		}
+
+		return $r;
+	}
+
+}

public/vnc.php

@@ -7,55 +7,39 @@ if(!isset($_GET['jname'])){
 
 function runVNC($jname)
 {
-	$res=(new Db('base','local'))->selectOne("SELECT vnc_password FROM bhyve WHERE jname=?", array([$jname]));
+	$res = (new Db('base','local'))->selectOne("SELECT vnc_password FROM bhyve WHERE jname=?", array([$jname]));
 
-	$pass='cbsd';
+	$pass = ($res !== false) ? $res['vnc_password'] : 'cbsd';
-	if($res!==false) $pass=$res['vnc_password'];
 
-	$remote_ip=$_SERVER['REMOTE_ADDR'];
+	CBSD::run("vm_vncwss jname=%s permit=%s", array($jname, $_SERVER['REMOTE_ADDR']));
-
-	CBSD::run("vm_vncwss jname=%s permit=%s", array($jname,$remote_ip));
 
 	// HTTP_HOST is preferred for href
 	if (isset($_SERVER['HTTP_HOST']) && !empty(trim($_SERVER['HTTP_HOST']))){
-		$nodeip=$_SERVER['HTTP_HOST'];
+		$nodeip = $_SERVER['HTTP_HOST'];
-	}
+	} else {
-
+		# use localhost as fallback in case the HTTP_HOST header is not set
-	if (filter_var($nodeip, FILTER_VALIDATE_IP)) {
+		$nodeip = '127.0.0.1';
-		$is_ip4=true;
-	} else {
-		$is_ip4=false;
-	}
-
-	if ($is_ip4 == false) {
-		if (filter_var($nodeip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
-			$is_ip6=true;
-		} else {
-			$is_ip6=false;
-		}
 	}
 
 	// HTTP_HOST is IP, try to check SERVER_NAME
-	if (($is_ip4==true)||($is_ip6==true)) {
+	if (filter_var($nodeip, FILTER_VALIDATE_IP)) {
-		if(isset($_SERVER['SERVER_NAME']) && !empty(trim($_SERVER['SERVER_NAME']))){
+		$nodeip = $_SERVER['SERVER_ADDR'];
-			$nodeip=$_SERVER['SERVER_NAME'];
+		// https://www.php.net/manual/en/reserved.variables.server.php
-		} else {
+		// Note: Under Apache 2, you must set UseCanonicalName = On and ServerName. 
-			$nodeip=$_SERVER['SERVER_ADDR'];
+		// handle when 'server_name _;' - use IP instead
+		if(isset($_SERVER['SERVER_NAME']) && !empty(trim($_SERVER['SERVER_NAME'])) && (strcmp($_SERVER['SERVER_NAME'], "_") != 0)){
+			$nodeip = $_SERVER['SERVER_NAME'];
 		}
 	}
 
-	// handle when 'server_name _;' - use IP instead
-	if (strcmp($nodeip, "_") == 0) {
-		$nodeip=$_SERVER['SERVER_ADDR'];
-	}
-
 	# TODO: This will send the pass in clear text
 	header('Location: http://'.$nodeip.':6081/vnc_lite.html?scale=true&host='.$nodeip.'&port=6081?password='.$pass);
 	exit;
 }
 
-$rp=realpath('../');
+$rp = realpath('../');
 require_once($rp.'/php/db.php');
 require_once($rp.'/php/cbsd.php');
+require_once($rp.'/php/validate.php');
 
-runVNC($_GET['jname']);
+runVNC(Validate::short_string($_GET['jname'], 32));