24.18

bigprof-software · Nov 3, 2024 · 6774a27 · 6774a27
1 parent 8305845
commit 6774a27
Show file tree

Hide file tree

Showing 44 changed files with 688 additions and 264 deletions.
diff --git a/app/admin/ajax-sql.php b/app/admin/ajax-sql.php
@@ -7,12 +7,9 @@
 	}
 
 	$sql = trim(Request::val('sql'));
-	if(
-		!preg_match('/^SELECT\s+.*?\s+FROM\s+\S+/i', $sql)
-		&& !preg_match('/^SHOW\s+/i', $sql)
-	) {
+	if(!preg_match('/^\s*(SELECT\s+.*?\s+FROM\s+\S+|SHOW\s+)/is', $sql)) {
 		@header('HTTP/1.0 404 Not Found');
-		die("Invalid query");
+		die('Invalid query');
 	}
 
 	// force a limit of 1000 to SELECT queries in case no limit specified

diff --git a/app/admin/incFunctions.php b/app/admin/incFunctions.php
@@ -87,7 +87,8 @@
 	########################################################################
 	function set_headers() {
 		@header('Content-Type: text/html; charset=' . datalist_db_encoding);
-		@header('X-Frame-Options: SAMEORIGIN'); // prevent iframing by other sites to prevent clickjacking
+		// @header('X-Frame-Options: SAMEORIGIN'); // deprecated
+		@header("Content-Security-Policy: frame-ancestors 'self' " . application_url()); // prevent iframing by other sites to prevent clickjacking
 	}
 	########################################################################
 	function get_tables_info($skip_authentication = false) {
@@ -424,7 +425,13 @@ function logSlowQuery($statement, $duration) {
 		$statement = makeSafe(trim(preg_replace('/^\s+/m', ' ', $statement)));
 		$duration = floatval($duration);
 		$memberID = makeSafe(getLoggedMemberID());
-		$uri = makeSafe($_SERVER['REQUEST_URI']);
+		$uri = $_SERVER['REQUEST_URI'];
+
+		// for 'admin/ajax-sql.php' strip sql and csrf_token params from uri
+		if(strpos($uri, 'admin/ajax-sql.php') !== false) {
+			$uri = stripParams($uri, ['sql', 'csrf_token']);
+		}
+		$uri = makeSafe($uri);
 
 		sql("INSERT INTO `appgini_query_log` SET
 			`statement`='$statement',
@@ -445,7 +452,13 @@ function logErrorQuery($statement, $error) {
 		$statement = makeSafe(trim(preg_replace('/^\s+/m', ' ', $statement)));
 		$error = makeSafe($error);
 		$memberID = makeSafe(getLoggedMemberID());
-		$uri = makeSafe($_SERVER['REQUEST_URI']);
+		$uri = $_SERVER['REQUEST_URI'];
+
+		// for 'admin/ajax-sql.php' strip sql and csrf_token params from uri
+		if(strpos($uri, 'admin/ajax-sql.php') !== false) {
+			$uri = stripParams($uri, ['sql', 'csrf_token']);
+		}
+		$uri = makeSafe($uri);
 
 		sql("INSERT INTO `appgini_query_log` SET
 			`statement`='$statement',
@@ -455,6 +468,42 @@ function logErrorQuery($statement, $error) {
 		", $o);
 	}
 
+	########################################################################
+	/**
+	 * Strip specified parameters from a URL
+	 * @param string $uri - the URL to strip parameters from, could be a full URL or just a URI
+	 * @param array $paramsToRemove - an array of parameter names to remove
+	 * @return string - the URL with specified parameters removed
+	 */
+	function stripParams($uri, $paramsToRemove) {
+		// Parse the URL and its components
+		$parsedUrl = parse_url($uri);
+
+		// Parse the query string into an associative array
+		parse_str($parsedUrl['query'] ?? '', $queryParams);
+
+		// Remove specified parameters
+		foreach ($paramsToRemove as $param) {
+			unset($queryParams[$param]);
+		}
+
+		// Reconstruct the query string
+		$newQuery = http_build_query($queryParams);
+
+		// Reconstruct the URL
+		$newUrl = $parsedUrl['scheme'] ?? '';
+		if (!empty($newUrl)) {
+			$newUrl .= '://';
+		}
+		$newUrl .= $parsedUrl['host'] ?? '';
+		$newUrl .= $parsedUrl['path'] ?? '';
+		if (!empty($newQuery)) {
+			$newUrl .= '?' . $newQuery;
+		}
+		$newUrl .= $parsedUrl['fragment'] ?? '';
+
+		return $newUrl;
+	}
 	########################################################################
 	function createQueryLogTable() {
 		static $created = false;
@@ -1719,7 +1768,7 @@ function get_table_fields($tn = null, $include_internal_tables = false) {
 					'done' => "INT DEFAULT '0'",
 				],
 				'appgini_query_log' => [
-					'datetime' => "TIMESTAMP DEFAULT CURRENT_TIMESTAMP",
+					'datetime' => "TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP",
 					'statement' => "LONGTEXT",
 					'duration' => "DECIMAL(10,2) UNSIGNED DEFAULT '0.00'",
 					'error' => "TEXT",

diff --git a/app/admin/incHeader.php b/app/admin/incHeader.php
@@ -6,8 +6,9 @@
 <html class="no-js">
 	<head>
 		<meta charset="<?php echo datalist_db_encoding; ?>">
-		<meta name="description" content="">
+		<meta http-equiv="X-UA-Compatible" content="IE=edge">
 		<meta name="viewport" content="width=device-width, initial-scale=1.0">
+		<meta name="description" content="">
 		<title><?php echo APP_TITLE . ' | ' . $Translation['admin area'] . (isset($GLOBALS['page_title']) ? html_attr(" | {$GLOBALS['page_title']}") : ''); ?></title>
 
 		<link id="browser_favicon" rel="shortcut icon" href="<?php echo PREPEND_PATH; ?>resources/table_icons/administrator.png">

diff --git a/app/admin/pageInstallPlugin.php b/app/admin/pageInstallPlugin.php
@@ -141,11 +141,16 @@ function showPage() {
 	function pageJS() {
 		global $Translation;
 
+		$pluginsOrderNum = getUserData('pluginsOrderNum');
+		$pluginsEmail = getUserData('pluginsEmail');
+
 		ob_start(); ?>
 		<script>
 			$j(() => {
 				const numSteps = $j('#accordion .panel').length;
 				const csrf_token = '<?php echo csrf_token(false, true); ?>';
+				const pluginsOrderNum = <?php echo json_encode($pluginsOrderNum); ?>;
+				const pluginsEmail = <?php echo json_encode($pluginsEmail); ?>;
 
 				const expandStep = (step) => {
 					$j(`#step${step}`).addClass('expanded').children('.panel-body').removeClass('hidden');
@@ -180,9 +185,9 @@ function pageJS() {
 					expandStep(2);
 				}
 
-				// if email and order number are stored in localStorage, populate form with them
-				$j('#email').val(localStorage.getItem('AppGini.plugins.email'));
-				$j('#orderNum').val(localStorage.getItem('AppGini.plugins.orderNum'));
+				// if email and order number are stored in user data, populate form with them
+				$j('#email').val(pluginsEmail);
+				$j('#orderNum').val(pluginsOrderNum);
 
 				// expand step 1 by default
 				expandStep(1);
@@ -251,10 +256,6 @@ function pageJS() {
 							// hide error message
 							$j('#order-login-error').addClass('hidden');
 
-							// store email and order number in localStorage for future use
-							localStorage.setItem('AppGini.plugins.email', email);
-							localStorage.setItem('AppGini.plugins.orderNum', orderNum);
-
 							populatePlugins(resp.data);
 						},
 						error: (xhr, status, error) => {
@@ -424,6 +425,10 @@ function handleOrderLogin() {
 		if(!count($links))
 			die(json_response($Translation['no plugins available'], true));
 
+		// store order num and email to user data
+		setUserData('pluginsOrderNum', $order);
+		setUserData('pluginsEmail', $email);
+
 		// parse plugin names from links
 		$plugins = [];
 		foreach($links as $link) {

diff --git a/app/admin/pageRebuildFields.php b/app/admin/pageRebuildFields.php
@@ -49,6 +49,7 @@ function prepare_def($def) {
 
 		/* if default is CURRENT_TIMESTAMP, remove single quotes */
 		$def = preg_replace("/default\s*'CURRENT_TIMESTAMP'/i", "default current_timestamp", $def);
+		$def = preg_replace("/default\s*'CURRENT_TIMESTAMP\(\)'/i", "default current_timestamp", $def);
 
 		return trim($def);
 	}

diff --git a/app/admin/pageSQL.js b/app/admin/pageSQL.js
@@ -131,9 +131,10 @@ $j(function() {
 	}
 
 	var validSql = function(sql) {
+		const regex = /^\s*(SELECT\s+.*?\s+FROM\s+\S+|SHOW\s+)/is;
 		if(sql === undefined) sql = $j('#sql').val();
-		$j('#sql-begins-not-with-select').toggleClass('hidden', /^\s*(SELECT|SHOW)\s+/i.test(sql));
-		return /^\s*SELECT\s+.*?\s+FROM\s+\S+/i.test(sql) || /^\s*SHOW\s+/i.test(sql);
+		$j('#sql-begins-not-with-select').toggleClass('hidden', regex.test(sql));
+		return regex.test(sql);
 	}
 
 	var resetResults = function() {

diff --git a/app/admin/pageSQL.php b/app/admin/pageSQL.php
@@ -115,7 +115,7 @@
 	?>
 </div>
 
-<script src="pageSQL.js"></script>
+<script src="pageSQL.js?<?php echo filemtime(__DIR__ . '/pageSQL.js'); ?>"></script>
 <style>
 	#sql { font-family: monospace; font-size: large; }
 </style>

diff --git a/app/admin/pageServerStatus.php b/app/admin/pageServerStatus.php
@@ -1,6 +1,6 @@
 <?php
-	$appgini_version = '24.15.1697';
-	$generated_ts = '04/07/2024 16:23:15';
+	$appgini_version = '24.18.1766';
+	$generated_ts = '03/11/2024 12:08:33';
 
 	require(__DIR__ . '/incCommon.php');
 

diff --git a/app/admin/pageSettings.php b/app/admin/pageSettings.php
@@ -400,7 +400,7 @@ function settings_checkbox($name, $label, $value, $set_value, $hint = '') {
 			<?php echo settings_textbox('MySQLDateFormat', $Translation['MySQL date'], $adminConfig['MySQLDateFormat'], $Translation['MySQL reference']); ?>
 			<?php echo settings_textbox('PHPDateFormat', $Translation['PHP short date'], $adminConfig['PHPDateFormat'], $Translation['PHP manual']); ?>
 			<?php echo settings_textbox('PHPDateTimeFormat', $Translation['PHP long date'], $adminConfig['PHPDateTimeFormat'], $Translation['PHP manual']); ?>
-			<?php echo settings_textbox('googleAPIKey', $Translation['google API key'], $adminConfig['googleAPIKey'], "<a target=\"_blank\" href=\"https://bigprof.com/appgini/google-maps-api-key\">{$Translation['google API key instructions']}</a>"); ?>
+			<?php echo settings_textbox('googleAPIKey', $Translation['google API key'], $adminConfig['googleAPIKey'], "<a target=\"_blank\" href=\"https://bigprof.com/appgini/google-maps-api-key\">{$Translation['google API key instructions']}</a> <div class=\"text-danger\">{$Translation['restrict API key']}</div>"); ?>
 
 			<?php echo settings_textbox(
 				'baseUploadPath', 

diff --git a/app/admin/pageViewGroups.php b/app/admin/pageViewGroups.php
@@ -68,9 +68,16 @@
 	<tbody>
 		<?php
 
-			$res = sql("select groupID, name, description from membership_groups $where limit $start, ".$adminConfig['groupsPerPage'], $eo);
+			// get count of members of each group
+			$countMembers = [];
+			$res = sql("SELECT groupID, count(1) FROM membership_users GROUP BY groupID", $eo);
+			while($row = db_fetch_row($res)) {
+				$countMembers[$row[0]] = $row[1];
+			}
+
+			$res = sql("SELECT groupID, name, description FROM membership_groups $where /* LIMIT $start, {$adminConfig['groupsPerPage']} */", $eo);
 			while( $row = db_fetch_row($res)) {
-				$groupMembersCount = sqlValue("select count(1) from membership_users where groupID='$row[0]'");
+				$groupMembersCount = $countMembers[$row[0]] ?? 0;
 				$isAnonGroup = ($row[1] == $adminConfig['anonymousGroup']);
 				?>
 				<tr>