diff --git a/php/validate.php b/php/validate.php new file mode 100644 index 00000000..95870fc5 --- /dev/null +++ b/php/validate.php @@ -0,0 +1,147 @@ +f = $pool; + } + + public static function short_string($string, $exact_len = 0) + { + if (filter_var($string, FILTER_SANITIZE_STRING) != $string){ + throw new Exception($string." string did not pass the validation"); + } + $len = strlen($string); + if ($exact_len > 0){ + if ($len != $exact_len) { + throw new Exception($string." string did not pass the lenght validation"); + } + } else { + if ($len < 1 || $len > 34){ + throw new Exception($string." string did not pass the lenght validation"); + } + } + } + + public static function url($url) + { + if (filter_var($url, FILTER_SANITIZE_URL) != $url){ + throw new Exception($string." string did not pass the validation"); + } + } + + public static function long_string($string) + { + if (filter_var($string, FILTER_SANITIZE_STRING) != $string){ + throw new Exception($string." string did not pass the validation"); + } + $len = strlen($string); + if ($len < 1 || $len > 150){ + throw new Exception($string." string did not pass the lenght validation"); + } + } + + public function exists($key) + { + return isset($this->f[$key]); + } + + public function add_default($key, $val) + { + // NOTE this appends to f and it will stay there + if (!isset($this->f[$key])){ + $this->f[$key] = $val; + } + } + + public function all() + { + foreach($this->f as $f){ + if (filter_var($f, FILTER_SANITIZE_STRING) != $f){ + throw new Exception($f." string did not pass the validation"); + } + } + + return $this->f; + } + + public function these(array $list) + { + if (empty($this->f)) { + throw new Exception("Validation data pool is empty"); + } + + foreach($list as $e => $type){ + if (!isset($this->f[$e])){ + throw new Exception($e.' is not set in form'); + } + } + + $r = []; + + foreach($list as $e => $type){ + + switch($type){ + case 1: # INT + $r[$e] = (int)$this->f[$e]; + break; + case 2: # INT 0 not accepted + $r[$e] = (int)$this->f[$e]; + if($r[$e] == 0){ + throw new Exception($e." can't be 0"); + } + break; + case 3: # SHORT STRING + if (filter_var($e, FILTER_SANITIZE_STRING) != $e){ + throw new Exception($e." string did not pass the validation"); + } + $len = strlen($this->f[$e]); + if ($len < 1 || $len > 34){ + throw new Exception($e." string did not pass the lenght validation"); + } + $r[$e] = $this->f[$e]; + break; + case 4: # LONG STRING + if (filter_var($e, FILTER_SANITIZE_STRING) != $e){ + throw new Exception($e." string did not pass the validation"); + } + $len = strlen($this->f[$e]); + if ($len < 1 || $len > 150){ + throw new Exception($e." string did not pass the lenght validation"); + } + $r[$e] = $this->f[$e]; + break; + case 5: # STRING WITH SPECIAL CHARS + if (filter_var($e, FILTER_SANITIZE_SPECIAL_CHARS) != $e){ + throw new Exception($e." string did not pass the validation"); + } + $len = strlen($this->f[$e]); + if ($len < 1 || $len > 20){ + throw new Exception($e." string did not pass the lenght validation"); + } + $r[$e] = $this->f[$e]; + break; + case 6: # IP v4 + if (filter_var($e, FILTER_FLAG_IPV4) != $e){ + throw new Exception($e." string did not pass the validation"); + } + $r[$e] = $this->f[$e]; + break; + } + + switch($e){ + case 'password': + if ($len < 6){ + throw new Exception("Minimal password lenght is 6"); + } + break; + } + } + + return $r; + } + +} \ No newline at end of file diff --git a/public/vnc.php b/public/vnc.php index 13a3e03b..f2999a4a 100644 --- a/public/vnc.php +++ b/public/vnc.php @@ -7,55 +7,39 @@ if(!isset($_GET['jname'])){ function runVNC($jname) { - $res=(new Db('base','local'))->selectOne("SELECT vnc_password FROM bhyve WHERE jname=?", array([$jname])); + $res = (new Db('base','local'))->selectOne("SELECT vnc_password FROM bhyve WHERE jname=?", array([$jname])); - $pass='cbsd'; - if($res!==false) $pass=$res['vnc_password']; + $pass = ($res !== false) ? $res['vnc_password'] : 'cbsd'; - $remote_ip=$_SERVER['REMOTE_ADDR']; - - CBSD::run("vm_vncwss jname=%s permit=%s", array($jname,$remote_ip)); + CBSD::run("vm_vncwss jname=%s permit=%s", array($jname, $_SERVER['REMOTE_ADDR'])); // HTTP_HOST is preferred for href if (isset($_SERVER['HTTP_HOST']) && !empty(trim($_SERVER['HTTP_HOST']))){ - $nodeip=$_SERVER['HTTP_HOST']; - } - - if (filter_var($nodeip, FILTER_VALIDATE_IP)) { - $is_ip4=true; - } else { - $is_ip4=false; - } - - if ($is_ip4 == false) { - if (filter_var($nodeip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) { - $is_ip6=true; - } else { - $is_ip6=false; - } + $nodeip = $_SERVER['HTTP_HOST']; + } else { + # use localhost as fallback in case the HTTP_HOST header is not set + $nodeip = '127.0.0.1'; } // HTTP_HOST is IP, try to check SERVER_NAME - if (($is_ip4==true)||($is_ip6==true)) { - if(isset($_SERVER['SERVER_NAME']) && !empty(trim($_SERVER['SERVER_NAME']))){ - $nodeip=$_SERVER['SERVER_NAME']; - } else { - $nodeip=$_SERVER['SERVER_ADDR']; + if (filter_var($nodeip, FILTER_VALIDATE_IP)) { + $nodeip = $_SERVER['SERVER_ADDR']; + // https://www.php.net/manual/en/reserved.variables.server.php + // Note: Under Apache 2, you must set UseCanonicalName = On and ServerName. + // handle when 'server_name _;' - use IP instead + if(isset($_SERVER['SERVER_NAME']) && !empty(trim($_SERVER['SERVER_NAME'])) && (strcmp($_SERVER['SERVER_NAME'], "_") != 0)){ + $nodeip = $_SERVER['SERVER_NAME']; } } - // handle when 'server_name _;' - use IP instead - if (strcmp($nodeip, "_") == 0) { - $nodeip=$_SERVER['SERVER_ADDR']; - } - # TODO: This will send the pass in clear text header('Location: http://'.$nodeip.':6081/vnc_lite.html?scale=true&host='.$nodeip.'&port=6081?password='.$pass); exit; } -$rp=realpath('../'); +$rp = realpath('../'); require_once($rp.'/php/db.php'); require_once($rp.'/php/cbsd.php'); +require_once($rp.'/php/validate.php'); -runVNC($_GET['jname']); +runVNC(Validate::short_string($_GET['jname'], 32)); \ No newline at end of file