From 791239bfb548b7524c309e7c6c522165875ae4ea Mon Sep 17 00:00:00 2001
From: Urban Müller
Date: Tue, 17 Nov 2015 15:46:05 +0100
Subject: report empty redir urls, they cause loops
---
 it_url.class | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/it_url.class b/it_url.class
index fb5a1ff..2279659 100644
--- a/it_url.class
+++ b/it_url.class
@@ -793,8 +793,8 @@ static function absolute($url=null)
 function redirect($url = null, $type = "temporary")
 {
 $codes = array('permanent' => 301, 'temporary' => 303); # NOTE: HTTP 303 is called "See Other", rather than Temporary (which would be HTTP 307), but is the behaviour one usually wants for temporary redirects
- if (!($code = $codes[$type]))
- it::fatal("Invalid redirect type '$type', must be 'permanent' or 'temporary'");
+ if (!($code = $codes[$type]) || !$url)
+ it::fatal("invalid redirect type or missing redirect url");
 $url = preg_replace("/[\r\n].*/", '', it_url::absolute($url)); # Security: cut after CR/LF
-- cgit v1.2.3
From b52db895457e3b2470409a892e0de944e23ea4be Mon Sep 17 00:00:00 2001
From: Urban Müller
Date: Wed, 18 Nov 2015 15:39:20 +0100
Subject: security: whitelist legal chars
---
 itjs.class | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/itjs.class b/itjs.class
index c54abd3..8e79fad 100644
--- a/itjs.class
+++ b/itjs.class
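Review bot: In `redirect()` (it_url.class, @@ -793,8 +793,8 @@) the merged `it::fatal()` message no longer says which condition failed and drops the offending `$type`, so a report caused by an empty URL cannot be told apart from one caused by a bad type. Two separate checks keep both diagnoses: `if (!($code = $codes[$type])) it::fatal("Invalid redirect type '$type', must be 'permanent' or 'temporary'");` followed by `if (!$url) it::fatal("missing redirect url");`. The signature still defaults `$url` to null, which now always ends in the fatal path, so the default looks worth removing or documenting. The body of `redirect()` continues past the end of the hunk.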
@@ -134,9 +134,12 @@ static function filenames($filelist)
 "PIE.htc" => "$libsearch/doc/PIE.htc",
 );
- foreach (array_filter(explode(",", basename($filelist))) as $file)
+ if (it::match("[^-\w.=?&,]", basename($filelist)))
+ it::error("bad filelist $filelist");
+
+ foreach (it::match("[-\w.=?&]+", basename($filelist), array('all' => true)) as $file)
 {
- $filenames = $special[$file] ?: (file_exists("$path/" . it::replace(array('[\?\x00].*' => ""), $file)) ? "$path/$file" : "$libsearch/itjs/$file");
+ $filenames = $special[$file] ?: (file_exists("$path/$file") ? "$path/$file" : "$libsearch/itjs/$file");
 foreach (explode(",", $filenames) as $filename)
 if (!$seen[$filename]++)
-- cgit v1.2.3
From 7ec6608d170d61bee84768b3d7aa0186c21e7dd8 Mon Sep 17 00:00:00 2001
From: Urban Müller
Date: Wed, 18 Nov 2015 15:43:45 +0100
Subject: it::sort docs
---
 it.class | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/it.class b/it.class
index b097e60..d44d502 100644
--- a/it.class
+++ b/it.class
@@ -1030,6 +1030,9 @@ static function json_decode($json)
 return ($data = json_decode($json)) === null && $json != 'null' ? it::error(array('title' => "invalid json", 'body' => $json)) : $data;
 }
+/**
+ * Retuns sorted array. mode string can contain combinations of a for assoc, k for key, r for reverse and n for numeric
+ */
 static function sort($array, $mode = "")
 {
 $func = it::replace(array('n' => ""), count_chars($mode, 3)) . "sort"; # count_chars sorts flags
-- cgit v1.2.3
From 5e6edc6bf5ba3d7dde7b861029ce6ac79787bb30 Mon Sep 17 00:00:00 2001
From: Urban Müller
Date: Sun, 22 Nov 2015 23:56:15 +0100
Subject: currently generated filelists are fine
---
 itjs.class | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/itjs.class b/itjs.class
index 8e79fad..539f97b 100644
--- a/itjs.class
+++ b/itjs.class
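Review bot: In `itjs::filenames()` (@@ -134,9 +134,12 @@) the token pattern `[-\w.=?&]+` accepts `.` and `..` as file names, and `file_exists("$path/$file")` is also true for directories, so such a token resolves to a directory under `$path` instead of being rejected; `is_file("$path/$file")` closes that. The same line stops stripping the `?...` suffix before the existence test while `?`, `=` and `&` stay in the whitelist, so a name carrying a query part can no longer match a local file and always falls through to `$libsearch/itjs/`; please confirm that is intended. Judging by `it::fatal()` further down this page, `it::error()` reports but does not stop the request, so the loop still runs on a list that was just flagged. The function starts and ends outside the hunk.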
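Review bot: The new docblock on `it::sort()` (@@ -1030,6 +1030,9 @@) does not say that `$mode` is turned into a function name (`count_chars($mode, 3)` with `n` removed, followed by `"sort"`), so a letter outside a, k, r, n selects something other than the documented sort functions. I would add `* @param $mode Flags from the set a, k, r, n only; the string selects the PHP sort function to call, never pass request data here` and correct `Retuns` to `Returns`. The body of `sort()` continues outside the hunk.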
@@ -134,7 +134,7 @@ static function filenames($filelist)
 "PIE.htc" => "$libsearch/doc/PIE.htc",
 );
- if (it::match("[^-\w.=?&,]", basename($filelist)))
+ if (it::is_devel() && it::match("[^-\w.=?&,]", basename($filelist)))
 it::error("bad filelist $filelist");
 foreach (it::match("[-\w.=?&]+", basename($filelist), array('all' => true)) as $file)
-- cgit v1.2.3
From 2a9fe38e75a5a991981c5e6f4aa2e6f43c392b36 Mon Sep 17 00:00:00 2001
From: Urban Müller
Date: Mon, 30 Nov 2015 14:02:24 +0100
Subject: adapt to new stackdump offsets
---
 it.class | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/it.class b/it.class
index d44d502..8159dd5 100644
--- a/it.class
+++ b/it.class
@@ -262,9 +262,7 @@ static function error($p = array())
 */
 static function fatal($p)
 {
- $p = is_array($p) ? $p : array('title' => $p);
- $p['backtraceskip']++;
- it::error($p);
+ it::error(array('backtraceskip' => 2) + (is_array($p) ? $p : array('title' => $p)));
 if ($_SERVER['REMOTE_ADDR'])
 header("HTTP/1.0 500 Internal Server Error");
 exit(99);
-- cgit v1.2.3
From 815aeeaff940a0981ecace49dc6353f35cf448a3 Mon Sep 17 00:00:00 2001
From: Urban Müller
Date: Thu, 26 Nov 2015 18:47:28 +0100
Subject: correctly create checksums on devel, benefit from implied lib/itjs
---
 itjs.class | 17 ++++-------------
 1 file changed, 4 insertions(+), 13 deletions(-)
diff --git a/itjs.class b/itjs.class
index 539f97b..903f9bc 100644
--- a/itjs.class
+++ b/itjs.class
@@ -115,7 +115,7 @@ static function encode($values)
 static function filenames($filelist)
 {
 $result = array();
- $path = $GLOBALS['ULTRAHOME'] . "/itjs";
+ $local = $GLOBALS['ULTRAHOME'] . "/itjs";
 $itjs = "/www/server/phpinclude/itools/itjs";
 $libsearch = strlen($GLOBALS['debug_lib']) > 1 ? "/www/lib-" . $GLOBALS['debug_lib'] . ".search.ch" : "/www/lib.search.ch";
 $special = array(
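Review bot: Gating the filelist check in `itjs::filenames()` (@@ -134,7 +134,7 @@) on `it::is_devel()` means production no longer reports file lists with characters outside the whitelist, which is where a malformed or probing request would actually show up. The loop below only skips such characters, so the request is served and nothing is recorded. If the concern is noise from `it::error()`, a cheap record in production keeps the detection signal, e.g. `if (it::match("[^-\w.=?&,]", basename($filelist))) it::is_devel() ? it::error("bad filelist $filelist") : it::log("itjs_badfilelist", urlencode($filelist));` (the log name is illustrative). The follow-up hunk @@ -124,22 +124,13 @@ removes the check altogether and has the same effect.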
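Review bot: In `it::fatal()` (@@ -262,9 +262,7 @@) the array union puts the literal `'backtraceskip' => 2` on the left, so a `backtraceskip` passed in by the caller is now silently discarded, whereas the removed code incremented it. If any caller relies on skipping extra frames, the error report will point at the wrong line. Either document that the key is ignored or keep it additive, for example `$p = is_array($p) ? $p : array('title' => $p);` followed by `it::error(array('backtraceskip' => $p['backtraceskip'] + 2) + $p);`. The function ends outside the hunk.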
@@ -124,22 +124,13 @@ static function filenames($filelist)
 "state.html" => "$itjs/state.html",
 "error.gif" => "$itjs/error.gif",
 "search.css" => "$libsearch/doc/search.css",
- "searchlib.js" => "$libsearch/itjs/searchlib.js",
- "sl_state.js" => "$libsearch/itjs/sl_state.js",
- "sl_dropdown.js" => "$libsearch/itjs/sl_dropdown.js",
- "sl_collapse.js" => "$libsearch/itjs/sl_collapse.js",
- "sl_adid_debug.js" => "$libsearch/itjs/sl_adid_debug.js",
- "locateme.js" => "$libsearch/itjs/locateme.js",
 "prettyprint.css" => "$libsearch/doc/prettyprint.css",
 "PIE.htc" => "$libsearch/doc/PIE.htc",
 );
- if (it::is_devel() && it::match("[^-\w.=?&,]", basename($filelist)))
- it::error("bad filelist $filelist");
-
- foreach (it::match("[-\w.=?&]+", basename($filelist), array('all' => true)) as $file)
+ foreach (it::match("[-\w.=?&]+", basename($filelist), array('all' => true)) as $file) # split by comma but ignore illegal chars
 {
- $filenames = $special[$file] ?: (file_exists("$path/$file") ? "$path/$file" : "$libsearch/itjs/$file");
+ $filenames = $special[$file] ?: (file_exists("$local/$file") ? "$local/$file" : "$libsearch/itjs/$file");
 foreach (explode(",", $filenames) as $filename)
 if (!$seen[$filename]++)
@@ -201,7 +192,7 @@ static function checksum($fnlist, $p = array())
 {
 $p += array('short_expire' => true);
- $filenames = array_merge(is_array($fnlist) ? $fnlist : itjs::filenames($fnlist), array("/www/lib.search.ch/var/jquery-ui/dist/minified/jquery.ui.core.min.js", "/www/lib.search.ch/var/jquery/dist/jquery.min.js")); # jquery files included by lib/jquery.js
+ $filenames = array_merge(itjs::filenames(join(",", (array)$fnlist)), array("/www/lib.search.ch/var/jquery-ui/dist/minified/jquery.ui.core.min.js", "/www/lib.search.ch/var/jquery/dist/jquery.min.js")); # jquery files included by lib/jquery.js
 $key = "itjs_" . md5(join("", it::map('"$v" . @filemtime("$v")', $filenames)));
 if ($p['short_expire'] && (time() - max(@array_map('filemtime', $filenames)) < 60))
-- cgit v1.2.3
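Review bot: In `itjs::checksum()` (@@ -201,7 +192,7 @@) an array `$fnlist` is now joined and sent through `itjs::filenames()`, which applies `basename()` to the whole comma-joined string; if any caller passes entries containing a `/`, everything before the last slash, including all earlier entries, is dropped and the checksum silently covers fewer files. The removed code used such arrays verbatim, so this is a behaviour change for callers that are not visible from here. Applying `basename` per entry keeps the list intact: `itjs::filenames(join(",", array_map('basename', (array)$fnlist)))`. The function continues outside the hunk.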
From 382b4c87a721464a2521ca66414d2eccce6d4636 Mon Sep 17 00:00:00 2001
From: Urban Müller
Date: Mon, 7 Dec 2015 15:19:20 +0100
Subject: docs
---
 it_url.class | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/it_url.class b/it_url.class
index 2279659..ab1f90f 100644
--- a/it_url.class
+++ b/it_url.class
@@ -529,10 +529,10 @@ function get_cache_filename($p)
 /**
  * Store contents of url in a file and return file name. Threadsafe: Provides locking. Called statically.
  * Requires webserver writeable directory in $p['cachdedir']. Params in associative array p:
+ * @param $p['id'] RECOMMENDED: If you need more than one type of cache (e.g. different maxage) you should specify an id
  * @param $p['url'] url to get
  * @param $p['headers'] optional array of HTTP headers to send
  * @param $p['cachedir'] directory to store cache files in, @see get_cache_dir
- * @param $p['id'] If you need more than one type of cache (e.g. different maxage) you can specify an id
  * @param $p['timeout'] timeout in seconds, default 10. fractions allowed
  * @param $p['maxage'] maximum age of cache entries in seconds, default 86400
  * @param $p['cleanbefore'] maximum daytime when attempting cleanup, default 7200
-- cgit v1.2.3
From 17131f9ef8dfb33271a031978d66a2cde1d6f18e Mon Sep 17 00:00:00 2001
From: Urban Müller
Date: Mon, 7 Dec 2015 15:25:58 +0100
Subject: separate directory to avoid permission and expiration problems
---
 itjs.class | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/itjs.class b/itjs.class
index 903f9bc..18c7a18 100644
--- a/itjs.class
+++ b/itjs.class
@@ -204,7 +204,7 @@ static function checksum($fnlist, $p = array())
 function crcurl($url, $p = array())
 {
 if (it::match('^http', $url)) # remote url, must fetch to crc
- list($fn, $short_expire) = array(it_url::get_cache(array('url' => $url, 'maxage' => 3600) + $p), false);
+ list($fn, $short_expire) = array(it_url::get_cache(array('url' => $url, 'maxage' => 3600, 'id' => "itjs_crcurl") + $p), false);
 else
 list($fn, $short_expire) = array(($m = it::match("^//(\w+)(/.*)", $url)) ? "/www/$m[0].search.ch" . $m[1] : $GLOBALS['ULTRAHOME'] . $url, true);;
-- cgit v1.2.3
From 81cf679bdb76ca49364bae20ff9a90f52a8cf07a Mon Sep 17 00:00:00 2001
From: Urban Müller
Date: Thu, 7 Jan 2016 17:11:18 +0100
Subject: allow setting of exact timestamp to late add old entries
---
 it.class | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/it.class b/it.class
index 8159dd5..39a1372 100644
--- a/it.class
+++ b/it.class
@@ -70,14 +70,18 @@ static function &cloneobj(&$object)
 /**
  * Append all arguments to a logfile (tab separated). Date will be added to filename and line
  * @param $name Name of logfile. Will be in log/ of service unless it starts with /
- * @param $line1 Line to append (varargs)
+ * @param $args... Varargs to log, will be tab separated. datetime => ... can be in first arg (dangerous)
  */
 static function log($name /* ... */)
 {
 $args = func_get_args();
- $line = date("Y-m-d H:i:s") . "\t" . implode("\t", array_slice($args, 1)) . "\n";
+ $name = array_shift($args);
+ if (is_array($args[0]))
+ $p = array_shift($args);
+ $timestamp = $p['datetime'] ? strtotime($p['datetime']) : time();
+ $line = date("Y-m-d H:i:s", $timestamp) . "\t" . implode("\t", $args) . "\n";
 $basefn = substr($name, 0, 1) == "/" ? $name : $GLOBALS['ULTRAHOME'] . "/log/$name";
- $fullfn = $basefn . "-" . date('Ymd');
+ $fullfn = $basefn . "-" . date('Ymd', $timestamp);
 if (substr($fullfn, 0, 1) == "/")
 {
-- cgit v1.2.3
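Review bot: In `crcurl()` (@@ -204,7 +204,7 @@) the new `'id' => "itjs_crcurl"` sits on the left of `+ $p`, so it overrides any `id` a caller supplies in `$p`, and nothing on the line records why the cache id is fixed. A short comment would carry the intent from the commit subject, e.g. `# own cache id: separate directory, avoids permission and expiration clashes with other caches; not overridable via $p`. Whether `$url` can originate from a request is not visible here; if it can, the `^http` branch fetches arbitrary hosts from the server side and would need a host allow-list before the fetch. The function ends outside the hunk.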
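Review bot: In `it::log()` (@@ -70,14 +70,18 @@) the result of `strtotime($p['datetime'])` is used unchecked; for an unparsable string it returns false, which `date()` treats as 0, so the entry is stamped with the Unix epoch and appended to a log file carrying that date. Falling back to the current time avoids that: `$timestamp = ($t = strtotime($p['datetime'])) ? $t : time();`. `$p` is also read without ever being set when the first argument is not an array. The one-line form in the next commit's hunk @@ -76,9 +76,7 @@ carries the same unchecked call, and the function continues past this hunk.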
From 14675eb397487df6ffa55e399fa585fee7f41da1 Mon Sep 17 00:00:00 2001
From: Urban Müller
Date: Thu, 7 Jan 2016 17:35:57 +0100
Subject: more compact code, correctly maintain link
---
 it.class | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/it.class b/it.class
index 39a1372..3c9c46c 100644
--- a/it.class
+++ b/it.class
@@ -76,9 +76,7 @@ static function log($name /* ... */)
 {
 $args = func_get_args();
 $name = array_shift($args);
- if (is_array($args[0]))
- $p = array_shift($args);
- $timestamp = $p['datetime'] ? strtotime($p['datetime']) : time();
+ $timestamp = is_array($args[0]) && ($p = array_shift($args)) && $p['datetime'] ? strtotime($p['datetime']) : time();
 $line = date("Y-m-d H:i:s", $timestamp) . "\t" . implode("\t", $args) . "\n";
 $basefn = substr($name, 0, 1) == "/" ? $name : $GLOBALS['ULTRAHOME'] . "/log/$name";
 $fullfn = $basefn . "-" . date('Ymd', $timestamp);
@@ -93,7 +91,8 @@ static function log($name /* ... */)
 @chmod("$fullfn.$tmp", 0664);
 @rename("$fullfn.$tmp", $fullfn);
 @unlink($basefn);
- @symlink($fullfn, $basefn);
+ if (@readlink($basefn) < basename($fullfn))
+ @symlink($fullfn, $basefn);
 }
 file_put_contents($fullfn, $line, FILE_APPEND);
-- cgit v1.2.3
From 7c4ad5b54006acc27b6dc22d3d746d15a2d14520 Mon Sep 17 00:00:00 2001
From: Urban Müller
Date: Thu, 7 Jan 2016 17:56:14 +0100
Subject: rely on $GLOBALS["debug_time"]
---
 it.class | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/it.class b/it.class
index 3c9c46c..6840eaa 100644
--- a/it.class
+++ b/it.class
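Review bot: In `it::log()` (@@ -93,7 +91,8 @@) the new `readlink()` test runs after the unchanged `@unlink($basefn)`, so the link is already gone: `readlink` returns false, the comparison is always true and the guard never prevents anything. It also compares a link target that was created from the full `$fullfn` against `basename($fullfn)`, which are not comparable strings. Testing first and comparing like with like fixes both: `if (@readlink($basefn) < $fullfn) { @unlink($basefn); @symlink($fullfn, $basefn); }`. The hunk @@ -91,7 +89,7 @@ in the following commit only adds a comment to the same line. The function starts outside the hunk.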
@@ -70,16 +70,14 @@ static function &cloneobj(&$object)
 /**
  * Append all arguments to a logfile (tab separated). Date will be added to filename and line
  * @param $name Name of logfile. Will be in log/ of service unless it starts with /
- * @param $args... Varargs to log, will be tab separated. datetime => ... can be in first arg (dangerous)
+ * @param $args... Varargs to log, will be tab separated.
  */
 static function log($name /* ... */)
 {
 $args = func_get_args();
- $name = array_shift($args);
- $timestamp = is_array($args[0]) && ($p = array_shift($args)) && $p['datetime'] ? strtotime($p['datetime']) : time();
- $line = date("Y-m-d H:i:s", $timestamp) . "\t" . implode("\t", $args) . "\n";
+ $line = it::date("Y-m-d H:i:s") . "\t" . implode("\t", array_slice($args, 1)) . "\n";
 $basefn = substr($name, 0, 1) == "/" ? $name : $GLOBALS['ULTRAHOME'] . "/log/$name";
- $fullfn = $basefn . "-" . date('Ymd', $timestamp);
+ $fullfn = $basefn . "-" . it::date('Ymd');
 if (substr($fullfn, 0, 1) == "/")
 {
@@ -91,7 +89,7 @@ static function log($name /* ... */)
 @chmod("$fullfn.$tmp", 0664);
 @rename("$fullfn.$tmp", $fullfn);
 @unlink($basefn);
- if (@readlink($basefn) < basename($fullfn))
+ if (@readlink($basefn) < basename($fullfn)) # may be older due to $GLOBALS['debug_time']
 @symlink($fullfn, $basefn);
 }
-- cgit v1.2.3
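Review bot: In `it::log()` (@@ -70,16 +70,14 @@) the rewritten `$line` still joins the arguments with tabs and a trailing newline without escaping either character, so a logged value that contains a tab or line break shifts columns or produces what looks like a separate entry. Where arguments can carry request data this weakens the log as evidence. Escaping inside the join keeps one entry per line: `implode("\t", array_map(function ($v) { return strtr($v, array("\t" => '\t', "\r" => '\r', "\n" => '\n')); }, array_slice($args, 1)))`. The docblock could state that guarantee, and the function continues outside the hunk.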