From 0ef2679808cac21f8dfa1d38b9ad2ba1bc0fc0ae Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 24 Jan 2026 13:18:35 +0000
Subject: [PATCH 2/3] Harden controllers and password randomness
Co-authored-by: LeOSW42 <673670+LeOSW42@users.noreply.github.com>
---
controllers/d.admin.php | 77 ++++++++++++++++++++++++++++-----------
controllers/d.contact.php | 5 ++-
controllers/d.poi.php | 7 +++-
controllers/d.users.php | 24 +++++++++++-
models/d.users.php | 2 +-
5 files changed, 87 insertions(+), 28 deletions(-)
diff --git a/controllers/d.admin.php b/controllers/d.admin.php
index 06e3afd..4bf5473 100755
--- a/controllers/d.admin.php
+++ b/controllers/d.admin.php
@@ -22,9 +22,12 @@ if(isset($controller->splitted_url[1]) && $user->rankIsHigher("moderator")) {
break;
case 'logs':
if ($user->rankIsHigher("moderator")) {
- $head['title'] = "Logs";
+ $head['title'] = "Logs";
- $files_list = scandir($config['logs_folder']);
+ $output = array();
+ $files_list = scandir($config['logs_folder']);
+ $logs_folder = realpath($config['logs_folder']);
+ $logs_folder_root = $logs_folder !== false ? rtrim($logs_folder, DIRECTORY_SEPARATOR) : null;
if (isset($controller->splitted_url[2]) && is_numeric($controller->splitted_url[2]) && intval($controller->splitted_url[2]) < count($files_list)-2) {
$filenb = $controller->splitted_url[2];
@@ -33,8 +36,15 @@ if(isset($controller->splitted_url[1]) && $user->rankIsHigher("moderator")) {
$filenb = 0;
}
- chdir($config['logs_folder']);
- exec("tail -n 200 ".$files_list[$filenb+2]." | tac", $output);
+ $log_file = $files_list[$filenb+2] ?? null;
+ if ($logs_folder_root && $log_file) {
+ $log_file = basename($log_file);
+ $log_path = $logs_folder_root . DIRECTORY_SEPARATOR . $log_file;
+ $real_log_path = realpath($log_path);
+ if ($real_log_path && str_starts_with($real_log_path, $logs_folder_root . DIRECTORY_SEPARATOR)) {
+ exec("tail -n 200 ".escapeshellarg($real_log_path)." | tac", $output);
+ }
+ }
include ($config['views_folder']."d.admin.logs.html");
}
@@ -47,33 +57,38 @@ if(isset($controller->splitted_url[1]) && $user->rankIsHigher("moderator")) {
$head['css'] = "d.index.css;d.admin.css";
$head['title'] = "Fichiers attachés au wiki";
$rows_per_pages = 50;
- $files_folder = $config['medias_folder']."wiki/";
+ $files_folder = $config['medias_folder']."wiki/";
+ $files_folder_real = realpath($files_folder);
+ $files_folder_root = $files_folder_real !== false ? rtrim($files_folder_real, DIRECTORY_SEPARATOR) : rtrim($files_folder, DIRECTORY_SEPARATOR);
// Delete a file
if ($user->rankIsHigher("administrator")) {
- if(isset($controller->splitted_url[2]) && $controller->splitted_url[2]=='delete' && isset($controller->splitted_url[3])) {
- $filename=$files_folder.$controller->splitted_url[3];
- if (file_exists($filename)) {
- unlink($filename);
- error_log(date('r')." \t".$user->name." (".$user->id.") \tDELETE \tDelete wiki file '".$controller->splitted_url[3]."'\r\n",3,$config['logs_folder'].'wiki-files.log');
- }
+ if(isset($controller->splitted_url[2]) && $controller->splitted_url[2]=='delete' && isset($controller->splitted_url[3])) {
+ $safe_name = basename($controller->splitted_url[3]);
+ $filename = $files_folder_root . DIRECTORY_SEPARATOR . $safe_name;
+ $real_filename = realpath($filename);
+ if ($real_filename && str_starts_with($real_filename, $files_folder_root . DIRECTORY_SEPARATOR)) {
+ unlink($real_filename);
+ error_log(date('r')." \t".$user->name." (".$user->id.") \tDELETE \tDelete wiki file '".$safe_name."'\r\n",3,$config['logs_folder'].'wiki-files.log');
}
+ }
}
// Add a file
if(isset($controller->splitted_url[2]) && $controller->splitted_url[2]=='upload' && isset($_FILES['file'])) {
- $filename=$config['medias_folder']."wiki/".$_FILES['file']['name'];
- if(move_uploaded_file($_FILES['file']['tmp_name'], $filename)) {
- error_log(date('r')." \t".$user->name." (".$user->id.") \tUPLOAD Upload wiki file '".$_FILES['file']['name']."'\r\n",3,$config['logs_folder'].'wiki-files.log');
+ $safe_name = basename($_FILES['file']['name']);
+ $filename = $files_folder_root . DIRECTORY_SEPARATOR . $safe_name;
+ if($safe_name !== '' && move_uploaded_file($_FILES['file']['tmp_name'], $filename)) {
+ error_log(date('r')." \t".$user->name." (".$user->id.") \tUPLOAD Upload wiki file '".$safe_name."'\r\n",3,$config['logs_folder'].'wiki-files.log');
}
}
// Get the file list
- $files_list = scandir($files_folder);
+ $files_list = scandir($files_folder_root);
// Populate table
foreach ($files_list as $file) {
- $file_path = $files_folder.$file;
+ $file_path = $files_folder_root . DIRECTORY_SEPARATOR . $file;
if (is_file($file_path)) {
$file_info = [
@@ -157,11 +172,20 @@ if(isset($controller->splitted_url[1]) && $user->rankIsHigher("moderator")) {
if ($user->rankIsHigher("administrator")) {
$head['title'] = "Export SQL";
- if(isset($controller->splitted_url[2]) && $controller->splitted_url[2]=='delete' && isset($controller->splitted_url[3])) {
- unlink($config['abs_root_folder'].'tmp/'.$controller->splitted_url[3]);
- $output = Array();
- $backup_file = Array();
+ if(isset($controller->splitted_url[2]) && $controller->splitted_url[2]=='delete' && isset($controller->splitted_url[3])) {
+ $tmp_folder = realpath($config['abs_root_folder'].'tmp');
+ if ($tmp_folder !== false) {
+ $safe_name = basename($controller->splitted_url[3]);
+ $tmp_folder_root = rtrim($tmp_folder, DIRECTORY_SEPARATOR);
+ $delete_path = $tmp_folder_root . DIRECTORY_SEPARATOR . $safe_name;
+ $real_delete_path = realpath($delete_path);
+ if ($real_delete_path && str_starts_with($real_delete_path, $tmp_folder_root . DIRECTORY_SEPARATOR)) {
+ unlink($real_delete_path);
+ }
}
+ $output = Array();
+ $backup_file = Array();
+ }
else {
// Nom du fichier de sauvegarde
$timestamp = date('Ymd_His');
@@ -190,9 +214,18 @@ if(isset($controller->splitted_url[1]) && $user->rankIsHigher("moderator")) {
$output = Array();
$backup_file = Array();
- if(isset($controller->splitted_url[2]) && $controller->splitted_url[2]=='delete' && isset($controller->splitted_url[3])) {
- unlink($config['abs_root_folder'].'tmp/'.$controller->splitted_url[3]);
+ if(isset($controller->splitted_url[2]) && $controller->splitted_url[2]=='delete' && isset($controller->splitted_url[3])) {
+ $tmp_folder = realpath($config['abs_root_folder'].'tmp');
+ if ($tmp_folder !== false) {
+ $safe_name = basename($controller->splitted_url[3]);
+ $tmp_folder_root = rtrim($tmp_folder, DIRECTORY_SEPARATOR);
+ $delete_path = $tmp_folder_root . DIRECTORY_SEPARATOR . $safe_name;
+ $real_delete_path = realpath($delete_path);
+ if ($real_delete_path && str_starts_with($real_delete_path, $tmp_folder_root . DIRECTORY_SEPARATOR)) {
+ unlink($real_delete_path);
+ }
}
+ }
else {
// Nom du fichier de sauvegarde
$timestamp = date('Ymd_His');
diff --git a/controllers/d.contact.php b/controllers/d.contact.php
index f4a250e..42b73eb 100755
--- a/controllers/d.contact.php
+++ b/controllers/d.contact.php
@@ -11,8 +11,9 @@ if(isset($_POST['submit'])) {
$message .= "
\r\n";
$message .= "".strip_tags(post('message'))."
\r\n";
- $headers = 'From: '. post('email') . "\r\n" .
- 'Reply-To: '. post('email') . "\r\n" .
+ $sender = str_replace(["\r", "\n"], '', post('email'));
+ $headers = 'From: '. $sender . "\r\n" .
+ 'Reply-To: '. $sender . "\r\n" .
'X-Mailer: PHP/' . phpversion() . "\r\n" .
'MIME-Version: 1.0' . "\r\n" .
'Content-type: text/html; charset=UTF-8' . "\r\n";
diff --git a/controllers/d.poi.php b/controllers/d.poi.php
index 245cd17..e8c35af 100755
--- a/controllers/d.poi.php
+++ b/controllers/d.poi.php
@@ -93,8 +93,13 @@ switch ($controller->splitted_url[1]) {
case "elevation_proxy":
if (isset($_GET['location'])) {
+ if (!preg_match('/^[0-9,\.\|\-]+$/', $_GET['location'])) {
+ $notfound = 1;
+ break;
+ }
+ $location = urlencode($_GET['location']);
header("Content-Type: application/json;charset=utf-8");
- echo(file_get_contents("https://api.opentopodata.org/v1/mapzen?locations=".$_GET['location']));
+ echo(file_get_contents("https://api.opentopodata.org/v1/mapzen?locations=".$location));
break;
} else {
$notfound = 1;
diff --git a/controllers/d.users.php b/controllers/d.users.php
index 4d3a69b..6bce8a6 100755
--- a/controllers/d.users.php
+++ b/controllers/d.users.php
@@ -16,7 +16,17 @@ if(isset($controller->splitted_url[1])) {
if($user->login($_POST['login'], $_POST['password'])) {
// SUCESSFULL LOGIN
$_SESSION['userid'] = $user->id;
- header('Location: '.$_SERVER['HTTP_REFERER']);
+ $redirect = $config['rel_root_folder'];
+ if (!empty($_SERVER['HTTP_REFERER'])) {
+ $referer = $_SERVER['HTTP_REFERER'];
+ $parts = parse_url($referer);
+ $host = $_SERVER['HTTP_HOST'] ?? '';
+ if ($parts !== false && ((empty($parts['host']) && empty($parts['scheme'])) || (!empty($host) && isset($parts['host']) && $parts['host'] === $host))) {
+ $redirect = $referer;
+ }
+ }
+ header('Location: '.$redirect);
+ exit;
}
else {
header('Location: '.$config['rel_root_folder'].'user/login?error=1');
@@ -29,7 +39,17 @@ if(isset($controller->splitted_url[1])) {
break;
case 'logout':
session_destroy();
- header('Location: '.$_SERVER['HTTP_REFERER']);
+ $redirect = $config['rel_root_folder'];
+ if (!empty($_SERVER['HTTP_REFERER'])) {
+ $referer = $_SERVER['HTTP_REFERER'];
+ $parts = parse_url($referer);
+ $host = $_SERVER['HTTP_HOST'] ?? '';
+ if ($parts !== false && ((empty($parts['host']) && empty($parts['scheme'])) || (!empty($host) && isset($parts['host']) && $parts['host'] === $host))) {
+ $redirect = $referer;
+ }
+ }
+ header('Location: '.$redirect);
+ exit;
break;
case 'signin':
$head['js'] = "d.captcha.js";
diff --git a/models/d.users.php b/models/d.users.php
index 5284ca9..96d658b 100755
--- a/models/d.users.php
+++ b/models/d.users.php
@@ -408,7 +408,7 @@ function randomPassword() {
$pass = array(); //remember to declare $pass as an array
$alphaLength = strlen($alphabet) - 1; //put the length -1 in cache
for ($i = 0; $i < 8; $i++) {
- $n = rand(0, $alphaLength);
+ $n = random_int(0, $alphaLength);
$pass[] = $alphabet[$n];
}
return implode($pass); //turn the array into a string
From c84ee486f3997fcb8c7126d6f301338d5b7f72d2 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 24 Jan 2026 13:19:20 +0000
Subject: [PATCH 3/3] Guard admin deletes against missing files
Co-authored-by: LeOSW42 <673670+LeOSW42@users.noreply.github.com>
---
controllers/d.admin.php | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/controllers/d.admin.php b/controllers/d.admin.php
index 4bf5473..8ca7a46 100755
--- a/controllers/d.admin.php
+++ b/controllers/d.admin.php
@@ -68,7 +68,9 @@ if(isset($controller->splitted_url[1]) && $user->rankIsHigher("moderator")) {
$filename = $files_folder_root . DIRECTORY_SEPARATOR . $safe_name;
$real_filename = realpath($filename);
if ($real_filename && str_starts_with($real_filename, $files_folder_root . DIRECTORY_SEPARATOR)) {
- unlink($real_filename);
+ if (file_exists($real_filename)) {
+ unlink($real_filename);
+ }
error_log(date('r')." \t".$user->name." (".$user->id.") \tDELETE \tDelete wiki file '".$safe_name."'\r\n",3,$config['logs_folder'].'wiki-files.log');
}
}
@@ -180,7 +182,9 @@ if(isset($controller->splitted_url[1]) && $user->rankIsHigher("moderator")) {
$delete_path = $tmp_folder_root . DIRECTORY_SEPARATOR . $safe_name;
$real_delete_path = realpath($delete_path);
if ($real_delete_path && str_starts_with($real_delete_path, $tmp_folder_root . DIRECTORY_SEPARATOR)) {
- unlink($real_delete_path);
+ if (file_exists($real_delete_path)) {
+ unlink($real_delete_path);
+ }
}
}
$output = Array();
@@ -222,7 +226,9 @@ if(isset($controller->splitted_url[1]) && $user->rankIsHigher("moderator")) {
$delete_path = $tmp_folder_root . DIRECTORY_SEPARATOR . $safe_name;
$real_delete_path = realpath($delete_path);
if ($real_delete_path && str_starts_with($real_delete_path, $tmp_folder_root . DIRECTORY_SEPARATOR)) {
- unlink($real_delete_path);
+ if (file_exists($real_delete_path)) {
+ unlink($real_delete_path);
+ }
}
}
}