servnest/fn/common.php

<?php

function output($code, $msg = '', $logs = [''], $data = []) {
	http_response_code($code);
	$shortCode = intval($code / 100);
	if ($shortCode === 5)
		error_log('Internal error: ' . strip_tags($msg) . implode(LF, $logs));
	$final_message = match ($shortCode) {
		2 => ($msg === '') ? '' : '<p><output>' . _('<strong>Success</strong>: ') . '<em>' . $msg . '</em></output></p>' . LF,
		4 => '<p><output>' . _('<strong>User error</strong>: ') . '<em>' . $msg . '</em></output></p>' . LF,
		5 => '<p><output>' . _('<strong>Server error</strong>: ') . '<em>' . $msg . '</em></output></p>' . LF,
	};
	if (is_callable('displayPage'))
		displayPage(array_merge(['final_message' => $final_message], $data));
	echo $final_message;
	exit();
}

function exescape(array $args, array &$output = NULL, int &$result_code = NULL): int {
	exec('2>&1 ' . implode(' ', array_map('escapeshellarg', $args)), $output, $result_code);
	return $result_code;
}

function insert($table, $values) {
	$query = 'INSERT INTO "' . $table . '"(';

	foreach ($values as $key => $val) {
		if ($key === array_key_last($values))
			$query .= "$key";
		else
			$query .= "$key, ";
	}

	$query .= ') VALUES(';
	foreach ($values as $key => $val) {
		if ($key === array_key_last($values))
			$query .= ":$key";
		else
			$query .= ":$key, ";
	}
	$query .= ')';

	DB->prepare($query)
	->execute($values);
}

function query($action, $table, $conditions = [], $column = NULL) {

	$query = match ($action) {
		'select' => 'SELECT *',
		'delete' => 'DELETE',
	};

	$query .= ' FROM "' . $table . '"';

	foreach ($conditions as $key => $val) {
		if ($key === array_key_first($conditions))
			$query .= " WHERE $key = :$key";
		else
			$query .= " AND $key = :$key";
	}

	$stmt = DB->prepare($query);
	$stmt->execute($conditions);

	return array_column($stmt->fetchAll(PDO::FETCH_ASSOC), $column);
}

function displayIndex() { ?>
<nav>
	<dl>
<?php foreach (PAGES[SERVICE] as $pageId => $page) {
	if ($pageId === 'index') continue;
?>
		<dt><a href="<?= $pageId ?>"><?= $page['title'] ?></a></dt>
		<dd>
			<?= $page['description'] ?>
		</dd>
<?php } ?>
	</dl>
</nav>
<?php
}

function redirUrl($pageId) {
	return CONF['common']['prefix'] . '/' . $pageId . '?redir=' . PAGE_URL;
}

function redir($redir_to = NULL) {
	$redir_to ??= $_GET['redir'] ?? NULL;

	if ($redir_to === NULL) {
		header('Location: ' . CONF['common']['prefix'] . '/');
		exit();
	}
	if (preg_match('/^[0-9a-z\/-]{0,128}$/D', $redir_to) !== 1)
		output(403, 'Wrong character in <code>redir</code>.');
	header('Location: ' . CONF['common']['prefix'] . '/' . $redir_to);
	exit();
}

// PHP rmdir() only works on empty directories
function removeDirectory($dir) {
	$dirObj = new RecursiveDirectoryIterator($dir, RecursiveDirectoryIterator::SKIP_DOTS);
	$files = new RecursiveIteratorIterator($dirObj, RecursiveIteratorIterator::CHILD_FIRST);
	foreach ($files as $file)
		$file->isDir() && !$file->isLink() ? rmdir($file->getPathname()) : unlink($file->getPathname());
	if (rmdir($dir) !== true)
		output(500, 'Unable to remove directory.');
}

function equalArrays($a, $b) {
	return array_diff($a, $b) === [] AND array_diff($b, $a) === [];
}

/*
	This token authenticates the user to the server through a public communication (the DNS).
	It is therefore also designed to keep private:
	- the user's id
	- that a same user used a token multiple times (by using a unique salt for each token)
*/
if (time() - query('select', 'params', ['name' => 'secret_key_last_change'], 'value')[0] >= 86400 * 20) {
	DB->prepare("UPDATE params SET value = :secret_key WHERE name = 'secret_key';")
	->execute([':secret_key' => bin2hex(random_bytes(32))]);
	DB->prepare("UPDATE params SET value = :last_change WHERE name = 'secret_key_last_change';")
	->execute([':last_change' => time()]);
}
define('SECRET_KEY', hex2bin(query('select', 'params', ['name' => 'secret_key'], 'value')[0]));
function getAuthToken() {
	$salt = bin2hex(random_bytes(4));
	$hash = hash_hmac('sha256', $salt . ($_SESSION['id'] ?? ''), SECRET_KEY);
	return $salt . '-' .  substr($hash, 0, 32);
}
function checkAuthToken($salt, $hash) {
	$correctProof = substr(hash_hmac('sha256', $salt . $_SESSION['id'], SECRET_KEY), 0, 32);
	if (hash_equals($correctProof, $hash) !== true)
		output(403, _('Wrong proof.'));
}
Create fn/ directory 2022-05-31 17:12:14 +00:00			`<?php`

reg/register: add "Check availability" feature 2023-03-19 21:22:34 +00:00			`function output($code, $msg = '', $logs = [''], $data = []) {`
Split pages/ between pg-act/ and pg-view/ 2022-12-20 20:17:03 +00:00			`http_response_code($code);`
Fix deprecation notices 2023-02-07 21:25:16 +00:00			`$shortCode = intval($code / 100);`
Split pages/ between pg-act/ and pg-view/ 2022-12-20 20:17:03 +00:00			`if ($shortCode === 5)`
Niver > ServNest 2023-01-29 20:09:00 +00:00			`error_log('Internal error: ' . strip_tags($msg) . implode(LF, $logs));`
fn success/userError/serverError > output($code) 2022-09-15 17:17:48 +00:00			`$final_message = match ($shortCode) {`
Gettext internationalization and english translation 2023-01-21 00:27:52 +00:00			`2 => ($msg === '') ? '' : '<p><output>' . _('<strong>Success</strong>: ') . '<em>' . $msg . '</em></output></p>' . LF,`
			`4 => '<p><output>' . _('<strong>User error</strong>: ') . '<em>' . $msg . '</em></output></p>' . LF,`
			`5 => '<p><output>' . _('<strong>Server error</strong>: ') . '<em>' . $msg . '</em></output></p>' . LF,`
fn success/userError/serverError > output($code) 2022-09-15 17:17:48 +00:00			`};`
init.php + jobs + job to delete old testing accounts 2023-06-08 15:36:44 +00:00			`if (is_callable('displayPage'))`
			`displayPage(array_merge(['final_message' => $final_message], $data));`
			`echo $final_message;`
			`exit();`
Create fn/ directory 2022-05-31 17:12:14 +00:00			`}`
del-http-onion.php + query() 2022-06-11 21:42:48 +00:00
Fix important vulnerability in reg/ds.php + exescape In page reg/ds.php, POST parameter 'key' was directly sent to shell, allowing for remote arbitrary commands execution. This commit fixes this vulnerability, and uses a new function to automatically escape every shell command arguments as an additional generic protection. 2023-06-19 00:15:43 +00:00			`function exescape(array $args, array &$output = NULL, int &$result_code = NULL): int {`
			`exec('2>&1 ' . implode(' ', array_map('escapeshellarg', $args)), $output, $result_code);`
			`return $result_code;`
			`}`

Factorize "INSERT INTO" SQL queries with insert() 2022-09-14 15:19:17 +00:00			`function insert($table, $values) {`
Trusted > approved, add approval.php, DB_PATH > DB 2022-12-10 17:19:37 +00:00			`$query = 'INSERT INTO "' . $table . '"(';`
Factorize "INSERT INTO" SQL queries with insert() 2022-09-14 15:19:17 +00:00
			`foreach ($values as $key => $val) {`
			`if ($key === array_key_last($values))`
			`$query .= "$key";`
			`else`
			`$query .= "$key, ";`
			`}`

Use single quotes instead of double quotes 2022-11-20 14:11:54 +00:00			`$query .= ') VALUES(';`
Factorize "INSERT INTO" SQL queries with insert() 2022-09-14 15:19:17 +00:00			`foreach ($values as $key => $val) {`
			`if ($key === array_key_last($values))`
			`$query .= ":$key";`
			`else`
			`$query .= ":$key, ";`
			`}`
Use single quotes instead of double quotes 2022-11-20 14:11:54 +00:00			`$query .= ')';`
Factorize "INSERT INTO" SQL queries with insert() 2022-09-14 15:19:17 +00:00
Simplify PDO use 2022-12-13 16:38:54 +00:00			`DB->prepare($query)`
			`->execute($values);`
Factorize "INSERT INTO" SQL queries with insert() 2022-09-14 15:19:17 +00:00			`}`

del-http-onion.php + query() 2022-06-11 21:42:48 +00:00			`function query($action, $table, $conditions = [], $column = NULL) {`

			`$query = match ($action) {`
			`'select' => 'SELECT *',`
			`'delete' => 'DELETE',`
			`};`

Trusted > approved, add approval.php, DB_PATH > DB 2022-12-10 17:19:37 +00:00			`$query .= ' FROM "' . $table . '"';`
del-http-onion.php + query() 2022-06-11 21:42:48 +00:00
			`foreach ($conditions as $key => $val) {`
			`if ($key === array_key_first($conditions))`
			`$query .= " WHERE $key = :$key";`
			`else`
			`$query .= " AND $key = :$key";`
			`}`

Trusted > approved, add approval.php, DB_PATH > DB 2022-12-10 17:19:37 +00:00			`$stmt = DB->prepare($query);`
Simplify PDO use 2022-12-13 16:38:54 +00:00			`$stmt->execute($conditions);`
del-http-onion.php + query() 2022-06-11 21:42:48 +00:00
Simplify PDO use 2022-12-13 16:38:54 +00:00			`return array_column($stmt->fetchAll(PDO::FETCH_ASSOC), $column);`
del-http-onion.php + query() 2022-06-11 21:42:48 +00:00			`}`
More emojis, displayIndex, descriptions in pages.php 2022-06-14 16:21:09 +00:00
			`function displayIndex() { ?>`
Use <nav> for indexes 2022-08-11 14:39:31 +00:00			`<nav>`
			`<dl>`
Merge TITLES and DESCRIPTIONS into PAGES 2022-09-15 19:23:49 +00:00			`<?php foreach (PAGES[SERVICE] as $pageId => $page) {`
More emojis, displayIndex, descriptions in pages.php 2022-06-14 16:21:09 +00:00			`if ($pageId === 'index') continue;`
			`?>`
Merge TITLES and DESCRIPTIONS into PAGES 2022-09-15 19:23:49 +00:00			`<dt><a href="<?= $pageId ?>"><?= $page['title'] ?></a></dt>`
Use <nav> for indexes 2022-08-11 14:39:31 +00:00			`<dd>`
Merge TITLES and DESCRIPTIONS into PAGES 2022-09-15 19:23:49 +00:00			`<?= $page['description'] ?>`
Use <nav> for indexes 2022-08-11 14:39:31 +00:00			`</dd>`
			`<?php } ?>`
			`</dl>`
			`</nav>`
More emojis, displayIndex, descriptions in pages.php 2022-06-14 16:21:09 +00:00			`<?php`
			`}`
redirUrl() and warning when not logged in on a form 2022-06-15 10:42:30 +00:00
			`function redirUrl($pageId) {`
Use more PAGE_URL 2022-09-12 23:09:40 +00:00			`return CONF['common']['prefix'] . '/' . $pageId . '?redir=' . PAGE_URL;`
redirUrl() and warning when not logged in on a form 2022-06-15 10:42:30 +00:00			`}`
redir() 2022-06-17 13:45:52 +00:00
Encrypt display username, with key in cookie 2023-01-07 22:11:44 +00:00			`function redir($redir_to = NULL) {`
			`$redir_to ??= $_GET['redir'] ?? NULL;`

			`if ($redir_to === NULL) {`
redir() 2022-06-17 13:45:52 +00:00			`header('Location: ' . CONF['common']['prefix'] . '/');`
Encrypt display username, with key in cookie 2023-01-07 22:11:44 +00:00			`exit();`
redir() 2022-06-17 13:45:52 +00:00			`}`
Encrypt display username, with key in cookie 2023-01-07 22:11:44 +00:00			`if (preg_match('/^[0-9a-z\/-]{0,128}$/D', $redir_to) !== 1)`
			`output(403, 'Wrong character in <code>redir</code>.');`
			`header('Location: ' . CONF['common']['prefix'] . '/' . $redir_to);`
fn success/userError/serverError > output($code) 2022-09-15 17:17:48 +00:00			`exit();`
redir() 2022-06-17 13:45:52 +00:00			`}`
Store Tor config and keys in $username/$dir 2022-06-21 22:37:06 +00:00
			`// PHP rmdir() only works on empty directories`
			`function removeDirectory($dir) {`
			`$dirObj = new RecursiveDirectoryIterator($dir, RecursiveDirectoryIterator::SKIP_DOTS);`
			`$files = new RecursiveIteratorIterator($dirObj, RecursiveIteratorIterator::CHILD_FIRST);`
			`foreach ($files as $file)`
			`$file->isDir() && !$file->isLink() ? rmdir($file->getPathname()) : unlink($file->getPathname());`
			`if (rmdir($dir) !== true)`
fn success/userError/serverError > output($code) 2022-09-15 17:17:48 +00:00			`output(500, 'Unable to remove directory.');`
Store Tor config and keys in $username/$dir 2022-06-21 22:37:06 +00:00			`}`
Add linkToDocs() 2022-07-20 18:03:45 +00:00
Use kdig for zone-add dns check + add equalArrays() 2022-09-03 16:12:49 +00:00			`function equalArrays($a, $b) {`
			`return array_diff($a, $b) === [] AND array_diff($b, $a) === [];`
			`}`

Use a token to link account to external resource 2022-10-06 11:12:04 +00:00			`/*`
			`This token authenticates the user to the server through a public communication (the DNS).`
			`It is therefore also designed to keep private:`
			`- the user's id`
			`- that a same user used a token multiple times (by using a unique salt for each token)`
			`*/`
Store secret key in DB + autorotate it 2022-12-20 23:14:55 +00:00			`if (time() - query('select', 'params', ['name' => 'secret_key_last_change'], 'value')[0] >= 86400 * 20) {`
			`DB->prepare("UPDATE params SET value = :secret_key WHERE name = 'secret_key';")`
			`->execute([':secret_key' => bin2hex(random_bytes(32))]);`
			`DB->prepare("UPDATE params SET value = :last_change WHERE name = 'secret_key_last_change';")`
			`->execute([':last_change' => time()]);`
Use a token to link account to external resource 2022-10-06 11:12:04 +00:00			`}`
Store secret key in DB + autorotate it 2022-12-20 23:14:55 +00:00			`define('SECRET_KEY', hex2bin(query('select', 'params', ['name' => 'secret_key'], 'value')[0]));`
Use a token to link account to external resource 2022-10-06 11:12:04 +00:00			`function getAuthToken() {`
			`$salt = bin2hex(random_bytes(4));`
Internal ID, Argon2 for usernames, username changes 2022-11-30 22:12:42 +00:00			`$hash = hash_hmac('sha256', $salt . ($_SESSION['id'] ?? ''), SECRET_KEY);`
Use a token to link account to external resource 2022-10-06 11:12:04 +00:00			`return $salt . '-' . substr($hash, 0, 32);`
			`}`
			`function checkAuthToken($salt, $hash) {`
Internal ID, Argon2 for usernames, username changes 2022-11-30 22:12:42 +00:00			`$correctProof = substr(hash_hmac('sha256', $salt . $_SESSION['id'], SECRET_KEY), 0, 32);`
Use a token to link account to external resource 2022-10-06 11:12:04 +00:00			`if (hash_equals($correctProof, $hash) !== true)`
Gettext internationalization and english translation 2023-01-21 00:27:52 +00:00			`output(403, _('Wrong proof.'));`
Use a token to link account to external resource 2022-10-06 11:12:04 +00:00			`}`