Many fixes for security.

2026-01-24 03:50:19 +00:00 · 2024-01-13 13:14:13 -07:00
parent 6f5cc58c21
commit a0d32ba8fe
7 changed files with 367 additions and 172 deletions
--- a/includes/user_domains.php
+++ b/includes/user_domains.php
@@ -3,9 +3,35 @@ require_once 'initdb.php';

 session_start();

+// Initialize error messages array if not set
+if (!isset($_SESSION['error_messages'])) {
+    $_SESSION['error_messages'] = [];
+}
+
+// Session timeout logic
+$timeout = 1800; // 30 minutes in seconds
+if (isset($_SESSION['last_activity']) && (time() - $_SESSION['last_activity'] > $timeout)) {
+    // Last request was more than 30 minutes ago
+    session_unset(); // Unset $_SESSION variable
+    session_destroy(); // Destroy session data
+    header("Location: /?page=login"); // Redirect to login page
+    exit;
+}
+
+$_SESSION['last_activity'] = time(); // Update last activity time
+
+// Check if user IP or user agent has changed
+if ((isset($_SESSION['user_ip']) && $_SESSION['user_ip'] !== $_SERVER['REMOTE_ADDR']) ||
+    (isset($_SESSION['user_agent']) && $_SESSION['user_agent'] !== $_SERVER['HTTP_USER_AGENT'])) {
+    session_unset();
+    session_destroy();
+    header("Location: /?page=login");
+    exit;
+}
+
 // Redirect to login if not logged in
 if (!isset($_SESSION['username'])) {
-    header("Location: https://tildenic.org/?page=login");
+    header("Location: /?page=login");
    exit;
 }

@@ -24,31 +50,76 @@ function getUserDomains($userId, $pdo) {
 }

 // Function to remove a domain
-function removeDomain($domainId, $pdo) {
+function removeDomain($domainId, $userId, $pdo) {
+    // First, verify that the domain belongs to the user
+    $stmt = $pdo->prepare("SELECT COUNT(*) FROM domains WHERE id = ? AND user_id = ?");
+    $stmt->execute([$domainId, $userId]);
+    $count = $stmt->fetchColumn();
+
+    if ($count == 0) {
+        // The domain does not belong to the user
+        return false;
+    }
+
+    // Proceed with deletion since the domain belongs to the user
    $stmt = $pdo->prepare("DELETE FROM domains WHERE id = ?");
    $stmt->execute([$domainId]);
+    return true;
 }

+
 // Function to update domain's IP address
-function updateDomainIP($domainId, $ipAddress, $pdo) {
-    $stmt = $pdo->prepare("UPDATE domains SET ip_address = ? WHERE id = ?"); // Updating ip_address
+function updateDomainIP($domainId, $userId, $ipAddress, $pdo) {
+    // Validate the IP address
+    if (!filter_var($ipAddress, FILTER_VALIDATE_IP)) {
+        // The IP address is not valid
+        return false;
+    }
+
+    // Verify that the domain belongs to the user
+    $stmt = $pdo->prepare("SELECT COUNT(*) FROM domains WHERE id = ? AND user_id = ?");
+    $stmt->execute([$domainId, $userId]);
+    $count = $stmt->fetchColumn();
+
+    if ($count == 0) {
+        // The domain does not belong to the user
+        return false;
+    }
+
+    // Proceed with IP address update since the domain belongs to the user
+    $stmt = $pdo->prepare("UPDATE domains SET ip_address = ? WHERE id = ?");
    $stmt->execute([$ipAddress, $domainId]);
+    return true;
 }

 // Handle domain removal
 if (isset($_GET['remove'])) {
-    removeDomain($_GET['remove'], $pdo);
-    header("Location: https://tildenic.org/?page=user_domains");
-    exit;
+    $userId = getUserId($_SESSION['username'], $pdo);
+    $domainId = $_GET['remove'];
+
+    $result = removeDomain($domainId, $userId, $pdo);
+    if ($result !== true) {
+        $_SESSION['error_messages'][] = "Error: You do not have permission to delete this domain.";
+    } else {
+        header("Location: https://tildenic.org/?page=user_domains");
+        exit;
+    }
 }

+
 // Handle IP address update
 if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST['update_ip'])) {
    $domainId = $_POST['domain_id'];
+    $userId = getUserId($_SESSION['username'], $pdo);
    $ipAddress = $_POST['ip_address'];
-    updateDomainIP($domainId, $ipAddress, $pdo);
-    header("Location: https://tildenic.org/?page=user_domains");
-    exit;
+
+    $result = updateDomainIP($domainId, $userId, $ipAddress, $pdo);
+    if ($result !== true) {
+        $_SESSION['error_messages'][] = "Error: Invalid IP address or you do not have permission to update the IP address for this domain.";
+    } else {
+        header("Location: https://tildenic.org/?page=user_domains");
+        exit;
+    }
 }
 // Handle logout
 if (isset($_POST['logout'])) {
@@ -56,23 +127,62 @@ if (isset($_POST['logout'])) {
    header("Location: https://tildenic.org/?page=login");
    exit;
 }
-// Handle form submission
-if ($_SERVER["REQUEST_METHOD"] == "POST") {
+// Handle form submission for domain removal
+if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST['remove_domain'])) {
    $domainId = $_POST['domain_id'];
+    $userId = getUserId($_SESSION['username'], $pdo);

-    if (isset($_POST['update_ip'])) {
-        // Update IP address
-        $ipAddress = $_POST['ip_address'];
-        updateDomainIP($domainId, $ipAddress, $pdo);
-    } elseif (isset($_POST['remove_domain'])) {
-        // Remove domain
-        removeDomain($domainId, $pdo);
+    if (!removeDomain($domainId, $userId, $pdo)) {
+        $_SESSION['error_messages'][] = "Error: You do not have permission to delete this domain.";
+    } else {
+        header("Location: https://tildenic.org/?page=user_domains");
+        exit;
    }
+}

+// Redirect to the user domains page after processing the form
+if ($_SERVER["REQUEST_METHOD"] == "POST") {
    header("Location: https://tildenic.org/?page=user_domains");
    exit;
 }

+// Function to validate and update IP addresses for a user's domains
+function validateAndUpdateIPs($userId, $pdo) {
+    // Fetch all domains for the user
+    $stmt = $pdo->prepare("SELECT id, ip_address FROM domains WHERE user_id = ?");
+    $stmt->execute([$userId]);
+    $domains = $stmt->fetchAll();
+
+    $invalidIPs = [];
+
+    foreach ($domains as $domain) {
+        $domainId = $domain['id'];
+        $ipAddress = $domain['ip_address'];
+
+        // Check if the IP address is valid
+        if (!empty($ipAddress) && !filter_var($ipAddress, FILTER_VALIDATE_IP)) {
+            // IP address is invalid, update the domain to remove the IP address
+            $updateStmt = $pdo->prepare("UPDATE domains SET ip_address = NULL WHERE id = ?");
+            $updateStmt->execute([$domainId]);
+
+            // Add to the list of domains with invalid IPs
+            $invalidIPs[] = $domainId;
+        }
+    }
+
+    return $invalidIPs;
+}
+
+
+// When the user accesses their domain management page
+$userId = getUserId($_SESSION['username'], $pdo);
+$invalidIPDomains = validateAndUpdateIPs($userId, $pdo);
+
+if (!empty($invalidIPDomains)) {
+    // Inform the user that some IP addresses were invalid and have been removed
+    echo "Invalid IP addresses were found and removed from the following domains: " . implode(", ", $invalidIPDomains) . ". Please update them.";
+}
+
 $userId = getUserId($_SESSION['username'], $pdo);
 $domains = getUserDomains($userId, $pdo);
 ?>
@@ -99,6 +209,15 @@ $domains = getUserDomains($userId, $pdo);
            <?php endif; ?>
      </nav>
    </header>
+  <!-- Error message display -->
+<?php if (!empty($_SESSION['error_messages'])): ?>
+    <div class="error-messages">
+        <?php foreach ($_SESSION['error_messages'] as $message): ?>
+            <p><?php echo htmlspecialchars($message); ?></p>
+        <?php endforeach; ?>
+        <?php $_SESSION['error_messages'] = []; // Clear error messages after displaying ?>
+    </div>
+<?php endif; ?><br>
      <h2>Your Domains</h2>
    <ul>
        <?php foreach ($domains as $domain): ?>