Account recovery still broken (server sessions?)

classes/config.template

@@ -421,7 +421,7 @@ ENV::setPub('BLOCK_OPERA_MINI', true);
 # Misc stuff like generic reusable snippets
 # Example of a variable using heredoc syntax
 ENV::setPub(
-    'PASSWORD_ADVICE',
+    'PW_ADVICE',
     <<<HTML
     <p>
       Any password 15 characters or longer is accepted, but a strong password

classes/input.class.php

@@ -0,0 +1,44 @@
+<?php
+declare(strict_types=1);
+
+/**
+ * Input class
+ * 
+ * An attempt to normalize and secure form inputs.
+ */
+
+class Input {
+
+    /**
+     * passphrase
+     */
+    function passphrase(
+        string $Name = 'password',
+        string $ID = 'password',
+        string $Placeholder = 'Passphrase',
+        bool $Advice = false) {
+        $ENV = ENV::go();
+
+        # Input validation
+        if (!is_string($Name) || empty($Name)) {
+            error("Expected non-empty string, got \$Name = $Name in Input::passphrase.");
+        }
+
+        if (!empty($Advice) && $Advice !== true || $Advice !== false) {
+            error("Expected true|false, got \$Advice = $Advice in Input::passphrase.");
+        }
+
+        $Field = <<<HTML
+        <input type="password" name="$Name" id="$ID" placeholder="$Placeholder"
+          minlength="$ENV->PW_MIN" maxlength="$ENV->PW_MAX"
+          class="inputtext" autocomplete="off" required="required" />
+HTML;
+
+if ($Advice) {
+    return $Field . $ENV->PW_ADVICE;
+} else {
+    return $Field;
+}
+
+    }
+}

classes/mysql.class.php

@@ -270,6 +270,7 @@ class DB_MYSQL
                 $this->Database,
                 $this->Port,
                 $this->Socket,
+                # Needed for self-signed certs
                 MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT
             );
 
@@ -289,8 +290,8 @@ class DB_MYSQL
     public function prepare_query($Query, &...$BindVars)
     {
         $this->connect();
-
         $this->StatementID = mysqli_prepare($this->LinkID, $Query);
+
         if (!empty($BindVars)) {
             $Types = '';
             $TypeMap = ['string'=>'s', 'double'=>'d', 'integer'=>'i', 'boolean'=>'i'];

sections/login/index.php

@@ -1,8 +1,6 @@
 <?php
 #declare(strict_types=1);
 
-# Unsure if require_once is needed here
-require_once 'classes/env.class.php';
 $ENV = ENV::go();
 
 /*-- todo ---------------------------//
@@ -33,7 +31,6 @@ $Validate = new Validate;
 $TwoFA = new TwoFactorAuth($ENV->SITE_NAME);
 $U2F = new u2f\U2F('https://'.SITE_DOMAIN);
 
-# todo: Test strict equality very gently here
 if (array_key_exists('action', $_GET) && $_GET['action'] === 'disabled') {
     require('disabled.php');
     error();

sections/login/login.php

@@ -47,8 +47,7 @@ if (!$Banned) { ?>
 
     <tr>
       <td>
-        <input type="password" minlength="15" name="password" id="password" class="inputtext" required="required"
-          maxlength="307200" pattern=".{15,307200}" placeholder="Password" autocomplete="current-password" />
+        <?= Input::passphrase() ?>
       </td>
 
       <td>

sections/login/recover_step2.php

@@ -9,10 +9,7 @@ echo '<h2>Reset your password</h2>';
 if (empty($PassWasReset)) {
     if (!empty($Err)) { ?>
 <strong class="important_text"><?=display_str($Err)?></strong><br /><br />
-<?php
-}
-    
-    echo $ENV->PASSWORD_ADVICE; ?>
+<?php } ?>
 
 <form class="auth_form" name="recovery" id="recoverform" method="post" action="" onsubmit="return formVal();">
   <input type="hidden" name="key"
@@ -25,8 +22,11 @@ if (empty($PassWasReset)) {
       </td>
 
       <td>
+        <?= Input::passphrase($Name = 'password', $ID='new_pass_1', $Placeholder = 'New passphrase') ?>
+        <!--
         <input type="password" minlength="15" name="password" id="new_pass_1" class="inputtext" size="40"
           placeholder="New Password" pattern=".{15,307200}" required style="width: 250px !important;">
+        -->
       </td>
     </tr>
 
@@ -35,8 +35,11 @@ if (empty($PassWasReset)) {
         <strong id="pass_match"></strong>
       </td>
       <td>
+        <?= Input::passphrase($Name = 'verifypassword', $ID='new_pass_2', $Placeholder = 'Confirm passphrase') ?>
+        <!--
         <input type="password" minlength="15" name="verifypassword" id="new_pass_2" class="inputtext" size="40"
           placeholder="Confirm Password" pattern=".{15,307200}" required style="width: 250px !important;">
+        -->
       </td>
     </tr>
 

sections/register/step1.php

@@ -65,7 +65,7 @@ if (empty($Sent)) { ?>
         <input type="password" minlength="15" name="confirm_password" id="new_pass_2" class="inputtext"
           placeholder="Confirm Password" />
         <strong id="pass_match"></strong>
-        <?= $ENV->PASSWORD_ADVICE ?>
+        <?= $ENV->PW_ADVICE ?>
       </td>
     </tr>
 

sections/torrents/download.php

@@ -67,22 +67,23 @@ if (Misc::in_array_partial($_SERVER['HTTP_USER_AGENT'], $ScriptUAs)) {
 
 $Info = $Cache->get_value('torrent_download_'.$TorrentID);
 if (!is_array($Info) || !array_key_exists('PlainArtists', $Info) || empty($Info[10])) {
-    $DB->query("
+    $DB->prepare_query("
       SELECT
-        t.Media,
-        t.Version,
-        t.Codec,
-        tg.Year,
-        tg.ID AS GroupID,
-        COALESCE(NULLIF(tg.Name,''), NULLIF(tg.Title2,''), tg.NameJP) AS Name,
-        tg.WikiImage,
-        tg.CategoryID,
-        t.Size,
-        t.FreeTorrent,
-        HEX(t.info_hash)
-      FROM torrents AS t
-        INNER JOIN torrents_group AS tg ON tg.ID = t.GroupID
-      WHERE t.ID = '".db_string($TorrentID)."'");
+        t.`Media`,
+        t.`Version`,
+        t.`Codec`,
+        tg.`year`,
+        tg.`id` AS GroupID,
+        COALESCE(NULLIF(tg.`title`,''), NULLIF(tg.`subject`,''), tg.`object`) AS Name,
+        tg.`picture`,
+        tg.`category_id`,
+        t.`Size`,
+        t.`FreeTorrent`,
+        HEX(t.`info_hash`)
+      FROM `torrents` AS t
+        INNER JOIN `torrents_group` AS tg ON tg.`id` = t.`GroupID`
+      WHERE t.`ID` = '".db_string($TorrentID)."'");
+      $DB->exec_prepared_query();
 
     if (!$DB->has_results()) {
         error(404);

sections/upload/upload_handle.php

@@ -793,7 +793,10 @@ if ($T['FreeLeechType'] === 3) {
 //******************************************************************************//
 //--------------- Write torrent file -------------------------------------------//
 
-file_put_contents(TORRENT_STORE.$TorrentID.'.torrent', $Tor->encode());
+$FileName = "$ENV->TORRENT_STORE/$TorrentID.torrent";
+file_put_contents($FileName, $Tor->encode());
+chmod($FileName, 0400);
+
 Misc::write_log("Torrent $TorrentID ($LogName) (".number_format($TotalSize / (1024 * 1024), 2).' MB) was uploaded by ' . $LoggedUser['Username']);
 Torrents::write_group_log($GroupID, $TorrentID, $LoggedUser['ID'], 'uploaded ('.number_format($TotalSize / (1024 * 1024), 2).' MB)', 0);
 

sections/user/edit.php

@@ -1398,7 +1398,7 @@ list($ArtistsAdded) = $DB->next_record();
             </div>
 
             <p class="setting_description">
-              <?= $ENV->PASSWORD_ADVICE ?>
+              <?= $ENV->PW_ADVICE ?>
             </p>
           </td>
         </tr>

static/functions/password_validate.js

@@ -57,6 +57,10 @@
 
   });
 
+
+  /**
+   * calculateComplexity
+   */
   function calculateComplexity(password) {
     var length = password.length;
     var username;
@@ -103,10 +107,20 @@
     }
   }
 
+
+  /**
+   * isStrongPassword
+   * 
+   * $ENV-PW_MIN is still harcoded here.
+   */
   function isStrongPassword(password) {
-    return /(?=^.{6,}$).*$/.test(password);
+    return /(?=^.{15,}$).*$/.test(password);
   }
 
+
+  /**
+   * checkMatching
+   */
   function checkMatching(password1, password2) {
     if (password2.length > 0) {
       if (password1 == password2 && getStrong() == true) {
@@ -124,10 +138,18 @@
     }
   }
 
+
+  /**
+   * getStrong
+   */
   function getStrong() {
     return $("#pass_strength").text() == "Strong";
   }
 
+
+  /**
+   * setStatus
+   */
   function setStatus(strength) {
     if (strength == WEAK) {
       disableSubmit();
@@ -164,14 +186,26 @@
     }
   }
 
+
+  /**
+   * disableSubmit
+   */
   function disableSubmit() {
     $('input[type="submit"]').attr('disabled', 'disabled');
   }
 
+
+  /**
+   * enableSubmit
+   */
   function enableSubmit() {
     $('input[type="submit"]').removeAttr('disabled');
   }
 
+
+  /**
+   * isUserPage
+   */
   function isUserPage() {
     return window.location.pathname.indexOf(USER_PATH) != -1;
   }