

3.1.1
Several code fixes
nilsteampassnet committed Jan 8, 2024
1 parent c68de5c commit 8f09d9c
Showing 10 changed files with 52 additions and 37 deletions.
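--- a/.dcignore
+++ b/.dcignore
@@ -0,0 +1,9 @@
+vendor/
+includes/libraries/cryptojs
+includes/libraries/csrfp
+includes/libraries/ezimuel
+includes/libraries/plupload
+includes/libraries/yubico
+/install1/
+/install/
+/plugins/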
2 changes: 1 addition & 1 deletion includes/config/include.php
Expand Up @@ -17,7 +17,7 @@
*/
define('TP_VERSION', '3.1.1');
define("UPGRADE_MIN_DATE", "1702452416");
define('TP_VERSION_MINOR', '22');
define('TP_VERSION_MINOR', '23');
define('TP_TOOL_NAME', 'Teampass');
define('TP_ONE_DAY_SECONDS', 86400);
define('TP_ONE_WEEK_SECONDS', 604800);
16 changes: 8 additions & 8 deletions includes/core/login.php
Expand Up @@ -77,16 +77,16 @@
if (
isset($SETTINGS['enable_http_request_login']) === true
&& (int) $SETTINGS['enable_http_request_login'] === 1
&& $request->server->get('PHP_AUTH_USER') !== null
&& $request->getUser() !== null
&& ! (isset($SETTINGS['maintenance_mode']) === true
&& (int) $SETTINGS['maintenance_mode'] === 1)
) {
if (strpos($request->server->get('PHP_AUTH_USER'), '@') !== false) {
$username = explode('@', $request->server->get('PHP_AUTH_USER'))[0];
} elseif (strpos($request->server->get('PHP_AUTH_USER'), '\\') !== false) {
$username = explode('\\', $request->server->get('PHP_AUTH_USER'))[1];
if (strpos($request->getUser(), '@') !== false) {
$username = explode('@', $request->getUser())[0];
} elseif (strpos($request->getUser(), '\\') !== false) {
$username = explode('\\', $request->getUser())[1];
} else {
$username = $request->server->get('PHP_AUTH_USER');
$username = $request->getUser();
}
echo '
<input type="text" id="login" class="form-control" placeholder="', filter_var($username, FILTER_SANITIZE_FULL_SPECIAL_CHARS), '" readonly>';
Expand All @@ -99,7 +99,7 @@
</div>';
if (! (isset($SETTINGS['enable_http_request_login']) === true
&& (int) $SETTINGS['enable_http_request_login'] === 1
&& $request->server->get('PHP_AUTH_USER') !== null
&& $request->getUser() !== null
&& ! (isset($SETTINGS['maintenance_mode']) === true
&& (int) $SETTINGS['maintenance_mode'] === 1))) {
echo '
Expand Down Expand Up @@ -178,7 +178,7 @@

if (isset($SETTINGS['enable_http_request_login']) === true
&& (int) $SETTINGS['enable_http_request_login'] === 1
&& $request->server->get('PHP_AUTH_USER') !== null
&& $request->getUser() !== null
&& (isset($SETTINGS['maintenance_mode']) === false
&& (int) $SETTINGS['maintenance_mode'] === 1)
) {
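Review bot: The condition on the context lines right after the last changed line, `isset($SETTINGS['maintenance_mode']) === false && (int) $SETTINGS['maintenance_mode'] === 1`, can never hold, because the second operand reads a key the first operand has just established is absent (it casts to `0`), so the block guarded by the new `$request->getUser() !== null` test is unreachable. The first hunk's equivalent test uses `isset(...) === true`, which is presumably what was meant here as well: `&& (isset($SETTINGS['maintenance_mode']) === true`. Separately, Symfony's `getUser()` is filled from a decoded Basic `Authorization` header as well as from `PHP_AUTH_USER`, so this swap, and the same one in sources/identify.php, slightly widens where the HTTP-login username may originate; confirm that is intended before relying on it for automatic login. The `if` statements in all three hunks begin or end outside the visible lines.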
33 changes: 18 additions & 15 deletions index.php
Expand Up @@ -24,6 +24,7 @@
* @see https://www.teampass.net
*/

use voku\helper\AntiXSS;
use TeampassClasses\SessionManager\SessionManager;
use Symfony\Component\HttpFoundation\Request as SymfonyRequest;
use TeampassClasses\Language\Language;
Expand Down Expand Up @@ -85,6 +86,7 @@
$session = SessionManager::getSession();
$request = SymfonyRequest::createFromGlobals();
$session->set('key', SessionManager::getCookieValue('PHPSESSID'));
$antiXss = new AntiXSS();

// Quick major version check -> upgrade needed?
if (isset($SETTINGS['teampass_version']) === true && version_compare(TP_VERSION, $SETTINGS['teampass_version']) > 0) {
Expand All @@ -99,9 +101,11 @@
}

if (isset($SETTINGS['cpassman_url']) === false || $SETTINGS['cpassman_url'] === '') {
$SETTINGS['cpassman_url'] = $request->server->get('REQUEST_URI');
$SETTINGS['cpassman_url'] = $request->getRequestUri();
}

$SETTINGS = $antiXss->xss_clean($SETTINGS);

// Load Core library
require_once $SETTINGS['cpassman_dir'] . '/sources/core.php';
// Prepare POST variables
Expand All @@ -117,12 +121,12 @@
$session_auth_type = $session->get('user-auth_type');

$server = [];
$server['request_uri'] = (string) $request->server->get('REQUEST_URI');
$server['request_uri'] = (string) $request->getRequestUri();
$server['request_time'] = (int) $request->server->get('REQUEST_TIME');

$get = [];
$get['page'] = $request->query->get('page') === null ? '' : $request->query->get('page');
$get['otv'] = $request->query->get('otv') === null ? '' : $request->query->get('otv');
$get['page'] = $request->query->get('page') === null ? '' : $antiXss->xss_clean($request->query->get('page'));
$get['otv'] = $request->query->get('otv') === null ? '' : $antiXss->xss_clean($request->query->get('otv'));

/* DEFINE WHAT LANGUAGE TO USE */
if (null === $session->get('user-validite_pw') && $post_language === null && $session_user_language === null) {
Expand Down Expand Up @@ -948,13 +952,11 @@
} elseif (in_array($get['page'], array_keys($mngPages)) === true) {
// Define if user is allowed to see management pages
if ($session_user_admin === 1) {
include $SETTINGS['cpassman_dir'] . '/pages/' . $mngPages[$get['page']];
// deepcode ignore FileInclusion: $get['page'] is secured through usage of array_keys test bellow
include $SETTINGS['cpassman_dir'] . '/pages/' . basename($mngPages[$get['page']]);
} elseif ($session_user_manager === 1 || $session_user_human_resources === 1) {
if ($get['page'] !== 'manage_main'
&& $get['page'] !== 'manage_settings'
if ($get['page'] === 'manage_main' || $get['page'] === 'manage_settings'
) {
//include $SETTINGS['cpassman_dir'] . '/pages/' . $mngPages[$_GET['page']];
} else {
$session->set('system-error_code', ERR_NOT_ALLOWED);
//not allowed page
include $SETTINGS['cpassman_dir'] . '/error.php';
Expand All @@ -964,8 +966,9 @@
//not allowed page
include $SETTINGS['cpassman_dir'] . '/error.php';
}
} elseif (empty($get['page']) === false) {
include $SETTINGS['cpassman_dir'] . '/pages/' . $get['page'] . '.php';
} elseif (empty($get['page']) === false && file_exists($SETTINGS['cpassman_dir'] . '/pages/' . $get['page'] . '.php') === true) {
// deepcode ignore FileInclusion: $get['page'] is tested against file_exists just below
include $SETTINGS['cpassman_dir'] . '/pages/' . basename($get['page'] . '.php');
} else {
$session->set('system-array_roles', ERR_NOT_EXIST);
//page doesn't exist
Expand Down Expand Up @@ -1147,8 +1150,8 @@ function(teampassSettings) {}
<script type="text/javascript" src="plugins/DOMPurify/purify.min.js"></script>

<?php
$get = [];
$get['page'] = $request->query->get('page') === null ? '' : $request->query->get('page');
//$get = [];
//$get['page'] = $request->query->get('page') === null ? '' : $request->query->get('page');
if ($menuAdmin === true) {
?>
<link rel="stylesheet" href="./plugins/toggles/css/toggles.css" />
Expand Down Expand Up @@ -1279,8 +1282,8 @@ function(teampassSettings) {}


<?php
$get = [];
$get['page'] = $request->query->get('page') === null ? '' : $request->query->get('page');
//$get = [];
//$get['page'] = $request->query->get('page') === null ? '' : $request->query->get('page');

// Load links, css and javascripts
if (isset($SETTINGS['cpassman_dir']) === true) {
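Review bot: In the page-include hunk near the end of this file section, the `file_exists()` guard and the `include` target different paths: the guard tests `'/pages/' . $get['page'] . '.php'` while the include loads `basename($get['page'] . '.php')`, so a page value carrying a directory component is checked in one place and loaded from another, and the new `deepcode ignore` comment's "just below" points the wrong way. Derive the name once and use it in both places: `$pageFile = basename($get['page']) . '.php';`, then `file_exists($SETTINGS['cpassman_dir'] . '/pages/' . $pageFile) === true` in the condition and `include $SETTINGS['cpassman_dir'] . '/pages/' . $pageFile;` in the body. Earlier in the section, `$SETTINGS = $antiXss->xss_clean($SETTINGS);` runs an HTML-oriented filter over the entire settings array, including `cpassman_dir`, which feeds `require_once` on the next lines; cleaning only the one value that came from the request would be safer, `$SETTINGS['cpassman_url'] = $antiXss->xss_clean($SETTINGS['cpassman_url']);`. In the manager branch the newly inverted `if` admits `manage_main` and `manage_settings` but its body holds only a commented-out include, so those users appear to get an empty page rather than the intended one; confirm whether the include should be restored. The surrounding `if`/`elseif` chain starts and ends outside the hunk.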
5 changes: 4 additions & 1 deletion pages/items.js.php
Expand Up @@ -3358,7 +3358,10 @@ function(data) {
icon_favorite;

data = prepareExchangedData(data, 'decode', '<?php echo $session->get('key'); ?>', 'find.queries.php', type);
if (debugJavascript === true) console.log(data);
if (debugJavascript === true) {
console.log('CE que nous avons trouvé');
console.log(data);
}

// Ensure correct div is not hidden
$('#info_teampass_items_list').addClass('hidden');
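Review bot: The new `console.log('CE que nous avons trouvé')` is a leftover French debug marker that prints nothing useful, and the following line dumps the decoded `find.queries.php` response, which may contain item data, to the browser console whenever `debugJavascript` is on. Replace both with a single labelled English line, `console.log('find.queries.php response:', data);`, or drop the marker. The enclosing callback `function(data)` begins outside the hunk.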
9 changes: 4 additions & 5 deletions sources/core.php
Expand Up @@ -70,9 +70,9 @@ function teampassRedirect($url)

// Prepare GET variables
$server = [];
$server['https'] = $request->server->get('HTTPS');
$server['request_uri'] = $request->server->get('REQUEST_URI');
$server['http_host'] = $request->server->get('HTTP_HOST');
$server['https'] = $request->isSecure();
$server['request_uri'] = $request->getRequestUri();
$server['http_host'] = $request->getHttpHost();
$server['ssl_server_cert'] = $request->server->get('ssl_server_cert');
$server['remote_addr'] = $request->server->get('remote_addr');
$server['http_user_agent'] = $request->server->get('http_user_agent');
Expand Down Expand Up @@ -204,7 +204,6 @@ function delTree($dir)
|| (filter_input(INPUT_POST, 'session', FILTER_SANITIZE_FULL_SPECIAL_CHARS) !== null
&& filter_input(INPUT_POST, 'session', FILTER_SANITIZE_FULL_SPECIAL_CHARS) === 'expired')
) {
error_log('EXPIRED SESSION');
// Clear User tempo key
if ($session->has('user-id') && null !== $session->get('user-id')) {
DB::update(
Expand Down Expand Up @@ -374,7 +373,7 @@ function() {
}
}
if (isset($cert_name) === true && empty($cert_name) === false && $cert_name !== $cert_issuer) {
if (isset($server['HTTPS'])) {
if (isset($server['https'])) {
header('Strict-Transport-Security: max-age=500');
$session->set('system-error_sts', 0);
}
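Review bot: `$server['https'] = $request->isSecure();` now stores a boolean, so the test `if (isset($server['https']))` in the third hunk is true for `false` as well as `true` (only `null` fails `isset`), and the `Strict-Transport-Security` header is now emitted on plain-HTTP requests too. Test the value instead: `if ($server['https'] === true) {`. The remaining keys in the first hunk are read with lowercase names (`'ssl_server_cert'`, `'remote_addr'`, `'http_user_agent'`); `$_SERVER` keys are uppercase and the bag lookup is case-sensitive, so these presumably come back `null` — `$request->getClientIp()` and `$request->headers->get('User-Agent')` would be the Symfony-native reads if that is the case. The blocks around all three hunks start and end outside the visible lines.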
6 changes: 3 additions & 3 deletions sources/find.queries.php
Expand Up @@ -175,9 +175,9 @@
// Define criteria
$search_criteria = '';
$searchParam = $request->query->all()['search'] ?? null;
if (isset($searchParam) && is_array($searchParam)) {
if (empty($searchParam['value']) === false) {
$search_criteria = filter_var($searchParam['value'], FILTER_SANITIZE_FULL_SPECIAL_CHARS);
if (isset($searchParam)) {
if (empty($searchParam) === false) {
$search_criteria = filter_var($searchParam, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
}
}

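Review bot: `filter_var($searchParam, FILTER_SANITIZE_FULL_SPECIAL_CHARS)` returns `false` when handed an array, and `$request->query->all()['search']` can still be an array if a client sends the old `search[value]` shape, so `$search_criteria` would silently become `false` rather than a string. Guard on type rather than emptiness, `if (is_string($searchParam) && $searchParam !== '') {`, which also stops a search for the literal term `0` from being discarded by `empty()`. `FILTER_SANITIZE_FULL_SPECIAL_CHARS` only encodes for HTML output; how `$search_criteria` reaches the database query is outside the hunk, and if it is interpolated rather than bound that encoding offers no protection there.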
4 changes: 2 additions & 2 deletions sources/identify.php
Expand Up @@ -234,8 +234,8 @@ function identifyUser(string $sentData, array $SETTINGS): bool
$sessionPwdAttempts = $session->get('pwd_attempts');
$sessionUrl = $session->get('user-initial_url');
$server = [];
$server['PHP_AUTH_USER'] = $request->server->get('PHP_AUTH_USER');
$server['PHP_AUTH_PW'] = $request->server->get('PHP_AUTH_PW');
$server['PHP_AUTH_USER'] = $request->getUser();
$server['PHP_AUTH_PW'] = $request->getPassword();

// decrypt and retreive data in JSON format
if ($session->get('key') === null) {
1 change: 1 addition & 0 deletions sources/items.queries.php
Expand Up @@ -2220,6 +2220,7 @@
// Check if file still exists
if (file_exists($SETTINGS['path_to_upload_folder'] . DIRECTORY_SEPARATOR . TP_FILE_PREFIX . base64_decode($record['file'])) === true) {
// Step1 - decrypt the file
// deepcode ignore PT: path is sanitized inside decryptFile()
$fileContent = decryptFile(
$record['file'],
$SETTINGS['path_to_upload_folder'],
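Review bot: The new `deepcode ignore PT` comment asserts the path is sanitized inside `decryptFile()`, but the `file_exists()` test on the line above builds its own path from `base64_decode($record['file'])` without that sanitization, so the existence check and the decrypt can refer to different files if the decoded value ever contains a directory component. Either apply the same normalisation here, `basename(base64_decode($record['file']))` in the `file_exists()` argument, or extend the comment to state why `$record['file']` cannot carry a path (it presumably comes from the database, which is not visible in this hunk). The enclosing `if` continues past the hunk.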
4 changes: 2 additions & 2 deletions sources/main.functions.php
Expand Up @@ -4220,8 +4220,8 @@ function getCurrectPage($SETTINGS)
// Parse the url
parse_str(
substr(
(string) $request->server->get('REQUEST_URI'),
strpos((string) $request->server->get('REQUEST_URI'), '?') + 1
(string) $request->getRequestUri(),
strpos((string) $request->getRequestUri(), '?') + 1
),
$result
);
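Review bot: `strpos((string) $request->getRequestUri(), '?') + 1` still evaluates to `1` when the URI has no query string, because `false + 1` is `1`, so `substr()` then hands the path minus its first character to `parse_str()`. Symfony already exposes the query part: `parse_str((string) $request->getQueryString(), $result);` replaces the whole `substr`/`strpos` expression and leaves `$result` empty when there is none. `getCurrectPage()` begins and ends outside the hunk, so where `$request` is obtained inside the function is not visible here.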
