

24.18
bigprof committed Nov 3, 2024
1 parent 8305845 commit 6774a27
Showing 44 changed files with 688 additions and 264 deletions.
7 changes: 2 additions & 5 deletions app/admin/ajax-sql.php
Expand Up @@ -7,12 +7,9 @@
}

$sql = trim(Request::val('sql'));
if(
!preg_match('/^SELECT\s+.*?\s+FROM\s+\S+/i', $sql)
&& !preg_match('/^SHOW\s+/i', $sql)
) {
if(!preg_match('/^\s*(SELECT\s+.*?\s+FROM\s+\S+|SHOW\s+)/is', $sql)) {
@header('HTTP/1.0 404 Not Found');
die("Invalid query");
die('Invalid query');
}

// force a limit of 1000 to SELECT queries in case no limit specified
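Review bot: The merged regex on the new `if(!preg_match(...))` line is a syntactic prefix allowlist, not a read-only guarantee: `SELECT ... FROM t INTO OUTFILE '...'` or `SELECT ... FROM t FOR UPDATE` both satisfy it, and with the added `s` modifier `.*?` now spans newlines, so a multi-line statement is accepted where the old pattern rejected it (likely intended, since pageSQL.js uses the same pattern). If this endpoint is meant to be read-only, run the statement under a read-only session (e.g. issue `SET SESSION TRANSACTION READ ONLY` first) or a dedicated low-privilege account, and state the limit in a comment above the check: `// best-effort syntactic filter only; the statement still runs with the application's full DB privileges`. Who can reach this endpoint and where the CSRF token is verified are outside the hunk.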
57 changes: 53 additions & 4 deletions app/admin/incFunctions.php
Expand Up @@ -87,7 +87,8 @@
########################################################################
function set_headers() {
@header('Content-Type: text/html; charset=' . datalist_db_encoding);
@header('X-Frame-Options: SAMEORIGIN'); // prevent iframing by other sites to prevent clickjacking
// @header('X-Frame-Options: SAMEORIGIN'); // deprecated
@header("Content-Security-Policy: frame-ancestors 'self' " . application_url()); // prevent iframing by other sites to prevent clickjacking
}
########################################################################
function get_tables_info($skip_authentication = false) {
Expand Down Expand Up @@ -424,7 +425,13 @@ function logSlowQuery($statement, $duration) {
$statement = makeSafe(trim(preg_replace('/^\s+/m', ' ', $statement)));
$duration = floatval($duration);
$memberID = makeSafe(getLoggedMemberID());
$uri = makeSafe($_SERVER['REQUEST_URI']);
$uri = $_SERVER['REQUEST_URI'];

// for 'admin/ajax-sql.php' strip sql and csrf_token params from uri
if(strpos($uri, 'admin/ajax-sql.php') !== false) {
$uri = stripParams($uri, ['sql', 'csrf_token']);
}
$uri = makeSafe($uri);

sql("INSERT INTO `appgini_query_log` SET
`statement`='$statement',
Expand All @@ -445,7 +452,13 @@ function logErrorQuery($statement, $error) {
$statement = makeSafe(trim(preg_replace('/^\s+/m', ' ', $statement)));
$error = makeSafe($error);
$memberID = makeSafe(getLoggedMemberID());
$uri = makeSafe($_SERVER['REQUEST_URI']);
$uri = $_SERVER['REQUEST_URI'];

// for 'admin/ajax-sql.php' strip sql and csrf_token params from uri
if(strpos($uri, 'admin/ajax-sql.php') !== false) {
$uri = stripParams($uri, ['sql', 'csrf_token']);
}
$uri = makeSafe($uri);

sql("INSERT INTO `appgini_query_log` SET
`statement`='$statement',
Expand All @@ -455,6 +468,42 @@ function logErrorQuery($statement, $error) {
", $o);
}

########################################################################
/**
* Strip specified parameters from a URL
* @param string $uri - the URL to strip parameters from, could be a full URL or just a URI
* @param array $paramsToRemove - an array of parameter names to remove
* @return string - the URL with specified parameters removed
*/
function stripParams($uri, $paramsToRemove) {
// Parse the URL and its components
$parsedUrl = parse_url($uri);

// Parse the query string into an associative array
parse_str($parsedUrl['query'] ?? '', $queryParams);

// Remove specified parameters
foreach ($paramsToRemove as $param) {
unset($queryParams[$param]);
}

// Reconstruct the query string
$newQuery = http_build_query($queryParams);

// Reconstruct the URL
$newUrl = $parsedUrl['scheme'] ?? '';
if (!empty($newUrl)) {
$newUrl .= '://';
}
$newUrl .= $parsedUrl['host'] ?? '';
$newUrl .= $parsedUrl['path'] ?? '';
if (!empty($newQuery)) {
$newUrl .= '?' . $newQuery;
}
$newUrl .= $parsedUrl['fragment'] ?? '';

return $newUrl;
}
########################################################################
function createQueryLogTable() {
static $created = false;
Expand Down Expand Up @@ -1719,7 +1768,7 @@ function get_table_fields($tn = null, $include_internal_tables = false) {
'done' => "INT DEFAULT '0'",
],
'appgini_query_log' => [
'datetime' => "TIMESTAMP DEFAULT CURRENT_TIMESTAMP",
'datetime' => "TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP",
'statement' => "LONGTEXT",
'duration' => "DECIMAL(10,2) UNSIGNED DEFAULT '0.00'",
'error' => "TEXT",
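Review bot: `set_headers()` now drops `X-Frame-Options` in favour of `Content-Security-Policy: frame-ancestors`; the old header is superseded, not unsafe, and browsers without CSP Level 2 support ignore the new one, so the usual advice is to send both (CSP takes precedence where supported). Restore the line rather than commenting it out: `@header('X-Frame-Options: SAMEORIGIN'); // legacy fallback; frame-ancestors below wins where supported`. The value of `application_url()` is concatenated unquoted into the directive; if that helper derives the host from the request (`HTTP_HOST`), the policy becomes attacker-influenced — its implementation is outside the hunk, so worth confirming. In the same section, `stripParams()` discards `port`, `user` and `pass` from the `parse_url()` result and appends `fragment` without a `#`; that is harmless for the `REQUEST_URI` input it gets from `logSlowQuery()`/`logErrorQuery()`, but the docblock promises support for a full URL, so either handle those components or narrow the docblock to "path and query only".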
3 changes: 2 additions & 1 deletion app/admin/incHeader.php
Expand Up @@ -6,8 +6,9 @@
<html class="no-js">
<head>
<meta charset="<?php echo datalist_db_encoding; ?>">
<meta name="description" content="">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="">
<title><?php echo APP_TITLE . ' | ' . $Translation['admin area'] . (isset($GLOBALS['page_title']) ? html_attr(" | {$GLOBALS['page_title']}") : ''); ?></title>

<link id="browser_favicon" rel="shortcut icon" href="<?php echo PREPEND_PATH; ?>resources/table_icons/administrator.png">
19 changes: 12 additions & 7 deletions app/admin/pageInstallPlugin.php
Expand Up @@ -141,11 +141,16 @@ function showPage() {
function pageJS() {
global $Translation;

$pluginsOrderNum = getUserData('pluginsOrderNum');
$pluginsEmail = getUserData('pluginsEmail');

ob_start(); ?>
<script>
$j(() => {
const numSteps = $j('#accordion .panel').length;
const csrf_token = '<?php echo csrf_token(false, true); ?>';
const pluginsOrderNum = <?php echo json_encode($pluginsOrderNum); ?>;
const pluginsEmail = <?php echo json_encode($pluginsEmail); ?>;

const expandStep = (step) => {
$j(`#step${step}`).addClass('expanded').children('.panel-body').removeClass('hidden');
Expand Down Expand Up @@ -180,9 +185,9 @@ function pageJS() {
expandStep(2);
}

// if email and order number are stored in localStorage, populate form with them
$j('#email').val(localStorage.getItem('AppGini.plugins.email'));
$j('#orderNum').val(localStorage.getItem('AppGini.plugins.orderNum'));
// if email and order number are stored in user data, populate form with them
$j('#email').val(pluginsEmail);
$j('#orderNum').val(pluginsOrderNum);

// expand step 1 by default
expandStep(1);
Expand Down Expand Up @@ -251,10 +256,6 @@ function pageJS() {
// hide error message
$j('#order-login-error').addClass('hidden');

// store email and order number in localStorage for future use
localStorage.setItem('AppGini.plugins.email', email);
localStorage.setItem('AppGini.plugins.orderNum', orderNum);

populatePlugins(resp.data);
},
error: (xhr, status, error) => {
Expand Down Expand Up @@ -424,6 +425,10 @@ function handleOrderLogin() {
if(!count($links))
die(json_response($Translation['no plugins available'], true));

// store order num and email to user data
setUserData('pluginsOrderNum', $order);
setUserData('pluginsEmail', $email);

// parse plugin names from links
$plugins = [];
foreach($links as $link) {
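Review bot: In `pageJS()`, `$pluginsOrderNum` and `$pluginsEmail` are embedded into an inline `<script>` via `json_encode()` with default flags; that is safe against a `</script>` breakout only because the default escapes `/` as `\/`, a property that silently disappears if someone later adds `JSON_UNESCAPED_SLASHES`. Make the HTML-safety explicit: `const pluginsEmail = <?php echo json_encode($pluginsEmail, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT); ?>;` (same for the order number). If `getUserData()` returns `false` for an unset key — its implementation is outside the hunk — `.val(false)` would render the literal string "false", whereas the old `localStorage.getItem()` path yielded `null`, which jQuery maps to an empty field; coalescing on the PHP side (`getUserData('pluginsEmail') ?: ''`) keeps parity. The order number now persists server-side via `setUserData('pluginsOrderNum', $order)` in `handleOrderLogin()` rather than in the browser; since it appears to act as a credential for the plugin order login, a comment at that call noting where and how user data is stored (and that it is now shared across the admin's browsers) would help the next maintainer. `handleOrderLogin()` begins outside the hunk.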
1 change: 1 addition & 0 deletions app/admin/pageRebuildFields.php
Expand Up @@ -49,6 +49,7 @@ function prepare_def($def) {

/* if default is CURRENT_TIMESTAMP, remove single quotes */
$def = preg_replace("/default\s*'CURRENT_TIMESTAMP'/i", "default current_timestamp", $def);
$def = preg_replace("/default\s*'CURRENT_TIMESTAMP\(\)'/i", "default current_timestamp", $def);

return trim($def);
}
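Review bot: The second `preg_replace` added to `prepare_def()` duplicates the first for the `CURRENT_TIMESTAMP()` spelling; one pattern covers both and keeps the comment above it accurate: `$def = preg_replace("/default\s*'CURRENT_TIMESTAMP(\(\))?'/i", "default current_timestamp", $def);`. `prepare_def()` begins outside the hunk.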
5 changes: 3 additions & 2 deletions app/admin/pageSQL.js
Expand Up @@ -131,9 +131,10 @@ $j(function() {
}

var validSql = function(sql) {
const regex = /^\s*(SELECT\s+.*?\s+FROM\s+\S+|SHOW\s+)/is;
if(sql === undefined) sql = $j('#sql').val();
$j('#sql-begins-not-with-select').toggleClass('hidden', /^\s*(SELECT|SHOW)\s+/i.test(sql));
return /^\s*SELECT\s+.*?\s+FROM\s+\S+/i.test(sql) || /^\s*SHOW\s+/i.test(sql);
$j('#sql-begins-not-with-select').toggleClass('hidden', regex.test(sql));
return regex.test(sql);
}

var resetResults = function() {
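Review bot: `validSql()` evaluates `regex.test(sql)` twice; compute it once, `const ok = regex.test(sql);`, and use `ok` for both the `toggleClass` call and the return value. A comment above the regex should also make clear that this is a UX hint, not the security check: `// client-side hint only; app/admin/ajax-sql.php re-validates with the same pattern before running anything`. The `s` flag on the regex literal requires ES2018, which is fine if the admin UI already assumes a modern browser. The enclosing `$j(function() { ... })` block begins and ends outside the hunk.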
2 changes: 1 addition & 1 deletion app/admin/pageSQL.php
Expand Up @@ -115,7 +115,7 @@
?>
</div>

<script src="pageSQL.js"></script>
<script src="pageSQL.js?<?php echo filemtime(__DIR__ . '/pageSQL.js'); ?>"></script>
<style>
#sql { font-family: monospace; font-size: large; }
</style>
4 changes: 2 additions & 2 deletions app/admin/pageServerStatus.php
@@ -1,6 +1,6 @@
<?php
$appgini_version = '24.15.1697';
$generated_ts = '04/07/2024 16:23:15';
$appgini_version = '24.18.1766';
$generated_ts = '03/11/2024 12:08:33';

require(__DIR__ . '/incCommon.php');

2 changes: 1 addition & 1 deletion app/admin/pageSettings.php
Expand Up @@ -400,7 +400,7 @@ function settings_checkbox($name, $label, $value, $set_value, $hint = '') {
<?php echo settings_textbox('MySQLDateFormat', $Translation['MySQL date'], $adminConfig['MySQLDateFormat'], $Translation['MySQL reference']); ?>
<?php echo settings_textbox('PHPDateFormat', $Translation['PHP short date'], $adminConfig['PHPDateFormat'], $Translation['PHP manual']); ?>
<?php echo settings_textbox('PHPDateTimeFormat', $Translation['PHP long date'], $adminConfig['PHPDateTimeFormat'], $Translation['PHP manual']); ?>
<?php echo settings_textbox('googleAPIKey', $Translation['google API key'], $adminConfig['googleAPIKey'], "<a target=\"_blank\" href=\"https://bigprof.com/appgini/google-maps-api-key\">{$Translation['google API key instructions']}</a>"); ?>
<?php echo settings_textbox('googleAPIKey', $Translation['google API key'], $adminConfig['googleAPIKey'], "<a target=\"_blank\" href=\"https://bigprof.com/appgini/google-maps-api-key\">{$Translation['google API key instructions']}</a> <div class=\"text-danger\">{$Translation['restrict API key']}</div>"); ?>

<?php echo settings_textbox(
'baseUploadPath',
11 changes: 9 additions & 2 deletions app/admin/pageViewGroups.php
Expand Up @@ -68,9 +68,16 @@
<tbody>
<?php

$res = sql("select groupID, name, description from membership_groups $where limit $start, ".$adminConfig['groupsPerPage'], $eo);
// get count of members of each group
$countMembers = [];
$res = sql("SELECT groupID, count(1) FROM membership_users GROUP BY groupID", $eo);
while($row = db_fetch_row($res)) {
$countMembers[$row[0]] = $row[1];
}

$res = sql("SELECT groupID, name, description FROM membership_groups $where /* LIMIT $start, {$adminConfig['groupsPerPage']} */", $eo);
while( $row = db_fetch_row($res)) {
$groupMembersCount = sqlValue("select count(1) from membership_users where groupID='$row[0]'");
$groupMembersCount = $countMembers[$row[0]] ?? 0;
$isAnonGroup = ($row[1] == $adminConfig['anonymousGroup']);
?>
<tr>
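Review bot: The commented-out `/* LIMIT $start, {$adminConfig['groupsPerPage']} */` in the new membership_groups query still interpolates `$start` and the config value into the SQL string; a value containing `*/` would close the comment and whatever follows would run as SQL. Where `$start` comes from is outside the hunk — if it is already cast to an integer this is inert today, but dead text that still carries interpolation is a trap for the next edit. Either drop the comment entirely (`"SELECT groupID, name, description FROM membership_groups $where"`) or keep a real, integer-bound clause (`"... $where LIMIT " . intval($start) . ", " . intval($adminConfig['groupsPerPage'])`), and add a one-line comment saying why pagination was removed. The single `GROUP BY groupID` count query replacing the per-row `sqlValue()` call is a clear improvement: it removes both the N+1 and the string-interpolated `groupID='$row[0]'`.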
