From d7e2f811ed68ede626956560ef24ddd3a662e8bc Mon Sep 17 00:00:00 2001 From: flashwave Date: Mon, 18 Mar 2019 22:30:19 +0100 Subject: [PATCH] Dropkick RequestVar --- public/auth/login.php | 28 +++++----- public/auth/logout.php | 4 +- public/auth/password.php | 27 +++++----- public/auth/register.php | 32 +++++------- public/auth/twofactor.php | 19 ++++--- public/forum/forum.php | 4 +- src/Request/RequestVar.php | 102 ------------------------------------- 7 files changed, 52 insertions(+), 164 deletions(-) delete mode 100644 src/Request/RequestVar.php diff --git a/public/auth/login.php b/public/auth/login.php index ad47b59d..ed367138 100644 --- a/public/auth/login.php +++ b/public/auth/login.php 
@@ -1,6 +1,4 @@ resolve_user)) { +if (isset($_GET['resolve_user']) && is_string($_GET['resolve_user'])) { header('Content-Type: text/plain; charset=utf-8'); - echo user_id_from_username(RequestVar::get()->resolve_user->value('string')); + echo user_id_from_username($_GET['resolve_user']); return; } -$login = RequestVar::post()->login; $notices = []; $siteIsPrivate = boolval(config_get_default(false, 'Private', 'enabled')); $loginPermission = $siteIsPrivate ? intval(config_get_default(0, 'Private', 'permission')) : 0; $ipAddress = ip_remote_address(); $remainingAttempts = user_login_attempts_remaining($ipAddress); -while (!empty($login->value('array'))) { +while (!empty($_POST['login']) && is_array($_POST['login'])) { if (!csrf_verify('login', $_POST['csrf'] ?? '')) { $notices[] = 'Was unable to verify the request, please try again!'; break; } $userAgent = $_SERVER['HTTP_USER_AGENT'] ?? ''; - $loginRedirect = $login->redirect->value('string', ''); + $loginRedirect = empty($_POST['login']['redirect']) || !is_string($_POST['login']['redirect']) ? '' : $_POST['login']['redirect']; - if ($login->username->empty() || $login->password->empty()) { + if (empty($_POST['login']['username']) || empty($_POST['login']['password']) + || !is_string($_POST['login']['username']) || !is_string($_POST['login']['password'])) { $notices[] = "You didn't fill in a username and/or password."; break; } @@ -40,8 +38,7 @@ while (!empty($login->value('array'))) { break; } - $loginUsername = $login->username->value('string', ''); - $userData = user_find_for_login($loginUsername); + $userData = user_find_for_login($_POST['login']['username']); $attemptsRemainingError = sprintf( "%d attempt%s remaining", $remainingAttempts - 1, 
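Review bot: `$loginRedirect` is now taken straight from `$_POST['login']['redirect']` with only an is_string check, and nothing in the hunk restricts it to a local path, so if it is later emitted in a Location header (that use is outside this hunk) the redirect target is attacker-controllable. The same pattern appears in the `@@ -101,9 +97,11 @@` hunk of login.php (`$_GET['redirect']` falling back to HTTP_REFERER) and in twofactor.php (`$twofactor['redirect']` and the `twofactor_redirect` template value). This predates the commit, but since every input guard is being rewritten here it is the natural place to add one, e.g. `if (!preg_match('#^/(?![/\\\\])#', $loginRedirect)) { $loginRedirect = ''; }` so that only a same-site path beginning with a single `/` survives (a `/\` prefix is rejected too, since browsers treat it like `//`) and the existing `url('index')` fallback takes over otherwise. The while loop this belongs to continues outside the hunk.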
@@ -55,8 +52,7 @@ while (!empty($login->value('array'))) { break; } - $loginPassword = $login->password->value('string', ''); - if (!password_verify($loginPassword, $userData['password'])) { + if (!password_verify($_POST['login']['password'], $userData['password'])) { user_login_attempt_record(false, $userData['user_id'], $ipAddress, $userAgent); $notices[] = $loginFailedError; break; @@ -101,9 +97,11 @@ while (!empty($login->value('array'))) { return; } -$welcomeMode = RequestVar::get()->welcome->value('bool', false); -$loginUsername = $login->username->value('string') ?? RequestVar::get()->username->value('string', ''); -$loginRedirect = $welcomeMode ? url('index') : RequestVar::get()->redirect->value('string') ?? $_SERVER['HTTP_REFERER'] ?? url('index'); +$welcomeMode = !empty($_GET['welcome']); +$loginUsername = !empty($_POST['login']['username']) && is_string($_POST['login']['username']) ? $_POST['login']['username'] : ( + !empty($_GET['username']) && is_string($_GET['username']) ? $_GET['username'] : '' +); +$loginRedirect = $welcomeMode ? url('index') : (!empty($_GET['redirect']) && is_string($_GET['redirect']) ? $_GET['redirect'] : null) ?? $_SERVER['HTTP_REFERER'] ?? url('index'); $sitePrivateMessage = $siteIsPrivate ? config_get_default('', 'Private', 'message') : ''; $canResetPassword = $siteIsPrivate ? boolval(config_get_default(false, 'Private', 'password_reset')) : true; $canRegisterAccount = !$siteIsPrivate; diff --git a/public/auth/logout.php b/public/auth/logout.php index fa849a29..8fb3f52e 100644 --- a/public/auth/logout.php +++ b/public/auth/logout.php @@ -1,6 +1,4 @@ token->value('string', ''))) { +if (!empty($_GET['token']) && is_string($_GET['token']) && csrf_verify('logout', $_GET['token'])) { setcookie('msz_auth', '', -9001, '/', '', true, true); user_session_stop(true); header(sprintf('Location: %s', url('index'))); diff --git a/public/auth/password.php b/public/auth/password.php index 0ea445c9..f341b3b4 100644 
--- a/public/auth/password.php +++ b/public/auth/password.php @@ -1,6 +1,4 @@ reset; -$forgot = RequestVar::post()->forgot; -$userId = $reset->user->value('int') ?? RequestVar::get()->user->value('int', 0); +$reset = !empty($_POST['reset']) && is_array($_POST['reset']) ? $_POST['reset'] : []; +$forgot = !empty($_POST['forgot']) && is_array($_POST['forgot']) ? $_POST['forgot'] : []; +$userId = !empty($reset['user']) ? (int)$reset['user'] : ( + !empty($_GET['user']) ? (int)$_GET['user'] : 0 +); $username = $userId > 0 ? user_username_from_id($userId) : ''; if ($userId > 0 && empty($username)) { @@ -25,21 +25,22 @@ $ipAddress = ip_remote_address(); $remainingAttempts = user_login_attempts_remaining($ipAddress); while ($canResetPassword) { - if (!empty($reset->value('array', null)) && $userId > 0) { + if (!empty($reset) && $userId > 0) { if (!csrf_verify('passreset', $_POST['csrf'] ?? '')) { $notices[] = 'Was unable to verify the request, please try again!'; break; } - $verificationCode = $reset->verification->value('string', ''); + $verificationCode = !empty($reset['verification']) && is_string($reset['verification']) ? $reset['verification'] : ''; if (!user_recovery_token_validate($userId, $verificationCode)) { $notices[] = 'Invalid verification code!'; break; } - $passwordNew = $reset->password->new->value('string', ''); - $passwordConfirm = $reset->password->confirm->value('string', ''); + $password = !empty($reset['password']) && is_array($reset['password']) ? $reset['password'] : []; + $passwordNew = !empty($password['new']) && is_string($password['new']) ? $password['new'] : ''; + $passwordConfirm = !empty($password['confirm']) && is_string($password['confirm']) ? $password['confirm'] : ''; if (empty($passwordNew) || empty($passwordConfirm) || $passwordNew !== $passwordConfirm) { 
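Review bot: The new `$userId` expression casts `$reset['user']` and `$_GET['user']` with `(int)` without first ruling out an array, and `(int)` of a non-empty array evaluates to 1, so a request such as `reset[user][]=x` silently selects user id 1 instead of 0. Every other rewritten guard in this patch checks the type first (`is_string(...)` in the auth pages, `!is_array($_GET['f'])` in forum.php), so this hunk is the odd one out. I would write `$userId = !empty($reset['user']) && is_scalar($reset['user']) ? (int)$reset['user'] : (` / `    !empty($_GET['user']) && is_scalar($_GET['user']) ? (int)$_GET['user'] : 0` / `);`. The hunk begins mid-file; the original `<?php`/require lines are not visible here.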
@@ -67,13 +68,13 @@ while ($canResetPassword) { return; } - if (!empty($forgot->value('array', null))) { + if (!empty($forgot)) { if (!csrf_verify('passforgot', $_POST['csrf'] ?? '')) { $notices[] = 'Was unable to verify the request, please try again!'; break; } - if ($forgot->email->empty()) { + if (empty($forgot['email']) || !is_string($forgot['email'])) { $notices[] = "You didn't supply an e-mail address."; break; } @@ -83,7 +84,7 @@ while ($canResetPassword) { break; } - $forgotUser = user_find_for_reset($forgot->email->value('string')); + $forgotUser = user_find_for_reset($forgot['email']); if (empty($forgotUser)) { $notices[] = "This e-mail address is not registered with us."; @@ -129,7 +130,7 @@ MSG; echo tpl_render($userId > 0 ? 'auth.password_reset' : 'auth.password_forgot', [ 'password_notices' => $notices, - 'password_email' => $forgot->email->value('string', ''), + 'password_email' => !empty($forget['email']) && is_string($forget['email']) ? $forget['email'] : '', 'password_attempts_remaining' => $remainingAttempts, 'password_user_id' => $userId, 'password_username' => $username, diff --git a/public/auth/register.php b/public/auth/register.php index b1beafdf..1dd9879f 100644 --- a/public/auth/register.php +++ b/public/auth/register.php @@ -1,6 +1,4 @@ register; +$register = !empty($_POST['register']) && is_array($_POST['register']) ? $_POST['register'] : []; $notices = []; $ipAddress = ip_remote_address(); $remainingAttempts = user_login_attempts_remaining($ipAddress); $restricted = ip_blacklist_check(ip_remote_address()) ? 'blacklist' : (user_warning_check_ip(ip_remote_address()) ? 'ban' : ''); -while (!$restricted && !empty($register->value('array'))) { +while (!$restricted && !empty($register)) { if (!csrf_verify('register', $_POST['csrf'] ?? '')) { $notices[] = 'Was unable to verify the request, please try again!'; break; 
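Review bot: The new `password_email` line in the `@@ -129,7 +130,7 @@` hunk reads `$forget['email']`, but the array built earlier in this file is `$forgot`; because `empty()` swallows the undefined-variable case, the expression silently evaluates to `''` and the forgot-password form is never re-populated with the submitted address. The fix is a one-word change: `'password_email' => !empty($forgot['email']) && is_string($forgot['email']) ? $forgot['email'] : '',`. Consider also deriving this value once, next to `$forgot`, instead of repeating the `!empty() && is_string()` guard at each use, since this class of typo is exactly what the repetition invites.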
@@ -26,12 +24,13 @@ while (!$restricted && !empty($register->value('array'))) { break; } - if ($register->username->empty() || $register->password->empty() || $register->email->empty() || $register->question->empty()) { + if (empty($register['username']) || empty($register['password']) || empty($register['email']) || empty($register['question']) + || !is_string($register['username']) || !is_string($register['password']) || !is_string($register['email']) || !is_string($register['question'])) { $notices[] = "You haven't filled in all fields."; break; } - $checkSpamBot = mb_strtolower($register->question->value('string', '')); + $checkSpamBot = mb_strtolower($register['question']); $spamBotValid = [ '19', '21', 'nineteen', 'nine-teen', 'nine teen', 'twentyone', 'twenty-one', 'twenty one', ]; @@ -41,22 +40,19 @@ while (!$restricted && !empty($register->value('array'))) { break; } - $username = $register->username->value('string', ''); - $usernameValidation = user_validate_username($username, true); + $usernameValidation = user_validate_username($register['username'], true); if ($usernameValidation !== '') { $notices[] = MSZ_USER_USERNAME_VALIDATION_STRINGS[$usernameValidation]; } - $email = $register->email->value('string', ''); - $emailValidation = user_validate_email($email, true); + $emailValidation = user_validate_email($register['email'], true); if ($emailValidation !== '') { $notices[] = $emailValidation === 'in-use' ? 'This e-mail address has already been used!' : 'The e-mail address you entered is invalid!'; } - $password = $register->password->value('string', ''); - if (user_validate_password($password) !== '') { + if (user_validate_password($register['password']) !== '') { $notices[] = 'Your password is too weak!'; } @@ -65,9 +61,9 @@ while (!$restricted && !empty($register->value('array'))) { } $createUser = user_create( - $username, - $password, - $email, + $register['username'], + $register['password'], + $register['email'], $ipAddress ); 
@@ -77,13 +73,13 @@ while (!$restricted && !empty($register->value('array'))) { } user_role_add($createUser, MSZ_ROLE_MAIN); - header(sprintf('Location: %s', url('auth-login-welcome', ['username' => $username]))); + header(sprintf('Location: %s', url('auth-login-welcome', ['username' => $register['username']]))); return; } echo tpl_render('auth.register', [ 'register_notices' => $notices, - 'register_username' => $register->username->value('string', ''), - 'register_email' => $register->email->value('string', ''), + 'register_username' => !empty($register['username']) && is_string($register['username']) ? $register['username'] : '', + 'register_email' => !empty($register['email']) && is_string($register['email']) ? $register['email'] : '', 'register_restricted' => $restricted, ]); diff --git a/public/auth/twofactor.php b/public/auth/twofactor.php index 8174c75c..b7022975 100644 --- a/public/auth/twofactor.php +++ b/public/auth/twofactor.php @@ -1,6 +1,4 @@ twofactor; +$twofactor = !empty($_POST['twofactor']) && is_array($_POST['twofactor']) ? $_POST['twofactor'] : []; $notices = []; $ipAddress = ip_remote_address(); $remainingAttempts = user_login_attempts_remaining($ipAddress); $tokenInfo = user_auth_tfa_token_info( - RequestVar::get()->token->value('string') ?? $twofactor->token->value('string', '') + !empty($_GET['token']) && is_string($_GET['token']) ? $_GET['token'] : ( + !empty($twofactor['token']) && is_string($twofactor['token']) ? $twofactor['token'] : '' + ) ); // checking user_totp_key specifically because there's a fringe chance that 
@@ -23,16 +23,16 @@ if (empty($tokenInfo['user_totp_key'])) { return; } -while (!empty($twofactor->value('array'))) { +while (!empty($twofactor)) { if (!csrf_verify('twofactor', $_POST['csrf'] ?? '')) { $notices[] = 'Was unable to verify the request, please try again!'; break; } $userAgent = $_SERVER['HTTP_USER_AGENT'] ?? ''; - $redirect = $twofactor->redirect->value('string', ''); + $redirect = !empty($twofactor['redirect']) && is_string($twofactor['redirect']) ? $twofactor['redirect'] : ''; - if ($twofactor->code->empty()) { + if (empty($twofactor['code']) || !is_string($twofactor['code'])) { $notices[] = 'Code field was empty.'; break; } @@ -42,11 +42,10 @@ while (!empty($twofactor->value('array'))) { break; } - $givenCode = $twofactor->code->value('string', ''); $currentCode = totp_generate($tokenInfo['user_totp_key']); $previousCode = totp_generate($tokenInfo['user_totp_key'], time() - 30); - if ($currentCode !== $givenCode && $previousCode !== $givenCode) { + if ($currentCode !== $twofactor['code'] && $previousCode !== $twofactor['code']) { $notices[] = sprintf( "Invalid two factor code, %d attempt%s remaining", $remainingAttempts - 1, @@ -81,7 +80,7 @@ while (!empty($twofactor->value('array'))) { echo tpl_render('auth.twofactor', [ 'twofactor_notices' => $notices, - 'twofactor_redirect' => RequestVar::get()->redirect->value('string') ?? url('index'), + 'twofactor_redirect' => !empty($_GET['redirect']) && is_string($_GET['redirect']) ? $_GET['redirect'] : url('index'), 'twofactor_attempts_remaining' => $remainingAttempts, 'twofactor_token' => $tokenInfo['tfa_token'], ]); diff --git a/public/forum/forum.php b/public/forum/forum.php index 11aa76e7..5f2e32bc 100644 --- a/public/forum/forum.php +++ b/public/forum/forum.php @@ -1,9 +1,7 @@ select('f')->value('int'); +$forumId = !empty($_GET['f']) && !is_array($_GET['f']) ? (int)$_GET['f'] : 0; $forumId = max($forumId, 0); if ($forumId === 0) { 
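Review bot: In the `@@ -42,11 +42,10 @@` hunk the submitted TOTP code is compared with `!==`, which leaks the position of the first mismatching character through timing; the conventional constant-time form is `if (!hash_equals($currentCode, $twofactor['code']) && !hash_equals($previousCode, $twofactor['code'])) {`. `hash_equals()` requires both operands to be strings: `$twofactor['code']` is guaranteed by the is_string check added above, but `totp_generate()`'s return type is not visible in this hunk, so cast with `(string)` if it can return anything else. The attempt counter limits how much this leak is worth in practice, but the change is free and removes the question. The while loop containing these lines starts in an earlier hunk and continues past this one.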
diff --git a/src/Request/RequestVar.php b/src/Request/RequestVar.php deleted file mode 100644 index 524abd7f..00000000 --- a/src/Request/RequestVar.php +++ /dev/null @@ -1,102 +0,0 @@ -value = $value; - $this->type = $type ?? gettype($value); - } - - public static function get(): RequestVar - { - return new static($_GET ?? []); - } - - public static function post(): RequestVar - { - return new static($_POST ?? []); - } - - public static function request(): RequestVar - { - return new static($_REQUEST); - } - - public function __get(string $name) - { - return $this->select($name); - } - - public function __isset(string $name): bool - { - return $this->isset($name); - } - - public function isset(string $name): bool - { - switch ($this->type) { - case 'array': - return isset($this->value[$name]); - - case 'object': - return isset($this->value->{$name}); - - default: - return !is_null($this->value); - } - } - - public function empty(): bool - { - return empty($this->value); - } - - public function select(string $name): RequestVar - { - switch ($this->type) { - case 'array': - return new static($this->value[$name] ?? []); - - case 'object': - return new static($this->value->{$name} ?? new \stdClass); - - default: - return new static(null); - } - } - - public function value(string $type = 'string', $default = null) - { - if (!is_null($this->valueCasted)) { - $this->valueCasted; - } - - if ($this->type === 'NULL' || (($type === 'object' || $type === 'array') && $this->type !== $type)) { - return $default; - } - - if ($type !== 'string' && $this->type === 'string') { - switch ($type) { - case 'boolean': - case 'bool': - return (bool)$this->value; - case 'integer': - case 'int': - return (int)$this->value; - case 'double': - case 'float': - return (float)$this->value; - } - } elseif ($type !== $this->type) { - return $default; - } - - return $this->valueCasted = $this->value; - } -}