Encrypt Gazelle DB connections with client cert

classes/cookie.class.php

@@ -1,59 +1,60 @@
 <?php
 declare(strict_types=1);
 
-/**
- * Cookie
- *
- * This class handles cookies.
- * $Cookie->get() is user-provided and untrustworthy.
- */
-
 class COOKIE
 {
+    # If true, blocks JS cookie API access by default (can be overridden case by case)
+    const LIMIT_ACCESS = true;
+
     # In some cases you may desire to prefix your cookies
     const PREFIX = '';
 
+
+    /**
+     * get()
+     * Untrustworthy user input
+     */
     public function get($Key)
     {
-        return (!isset($_COOKIE[SELF::PREFIX.$Key]))
-            ? false
-            : $_COOKIE[SELF::PREFIX.$Key];
+        if (!isset($_COOKIE[SELF::PREFIX.$Key])) {
+            return false;
+        }
+        return $_COOKIE[SELF::PREFIX.$Key];
     }
 
-    // Pass the 4th optional param as false to allow JS access to the cookie
-    public function set($Key, $Value, $Seconds = 86400)
-    {
-        $ENV = ENV::go();
 
+    /**
+     * set()
+     * LimitAccess = false allows JS cookie access
+     */
+    public function set($Key, $Value, $Seconds = 86400, $LimitAccess = SELF::LIMIT_ACCESS)
+    {
         setcookie(
             SELF::PREFIX.$Key,
             $Value,
-            [
-                'expires' => time() + $Seconds,
-                'path' => '/',
-                'domain' => $ENV->SITE_DOMAIN,
-                'secure' => true,
-                'httponly' => true,
-                'samesite' => 'Strict',
-            ]
+            time() + $Seconds,
+            '/',
+            SITE_DOMAIN,
+            $_SERVER['SERVER_PORT'] === '443',
+            $LimitAccess,
+            false
         );
     }
 
+
+    /**
+     * del()
+     */
     public function del($Key)
     {
         # 3600s vs. 1s for potential clock desyncs
-        setcookie(
-            SELF::PREFIX.$Key,
-            '',
-            [
-                'expires' => time() - 24 * 3600,
-                'secure' => true,
-                'httponly' => true,
-                'samesite' => 'Strict',
-            ]
-        );
+        setcookie(SELF::PREFIX.$Key, '', time() - 24 * 3600);
     }
 
+
+    /**
+     * flush()
+     */
     public function flush()
     {
         $Cookies = array_keys($_COOKIE);

classes/mysql.class.php

@@ -115,6 +115,7 @@ if (!extension_loaded('mysqli')) {
     error('Mysqli Extension not loaded.');
 }
 
+
 /**
  * db_string
  * Handles escaping
@@ -143,6 +144,7 @@ function db_string($String, $DisableWildcards = false)
     return $String;
 }
 
+
 /**
  * db_array
  */
@@ -160,6 +162,7 @@ function db_array($Array, $DontEscape = [], $Quote = false)
     return $Array;
 }
 
+
 // todo: Revisit access levels once Drone is replaced by ZeRobot
 class DB_MYSQL
 {
@@ -182,20 +185,40 @@ class DB_MYSQL
     protected $Port = 0;
     protected $Socket = '';
 
+    protected $Key = '';
+    protected $Cert = '';
+    protected $CA = '';
+
+
     /**
      * __construct
      */
-    public function __construct($Database = null, $User = null, $Pass = null, $Server = null, $Port = null, $Socket = null)
-    {
+    public function __construct(
+        $Database = null,
+        $User = null,
+        $Pass = null,
+        $Server = null,
+        $Port = null,
+        $Socket = null,
+        $Key = null,
+        $Cert = null,
+        $CA = null
+    ) {
         $ENV = ENV::go();
+
         $this->Database = $ENV->getPriv('SQLDB');
         $this->User = $ENV->getPriv('SQLLOGIN');
         $this->Pass = $ENV->getPriv('SQLPASS');
         $this->Server = $ENV->getPriv('SQLHOST');
         $this->Port = $ENV->getPriv('SQLPORT');
         $this->Socket = $ENV->getPriv('SQLSOCK');
+
+        $this->Key = $ENV->getPriv('SQL_KEY');
+        $this->Cert = $ENV->getPriv('SQL_CERT');
+        $this->CA = $ENV->getPriv('SQL_CA');
     }
 
+
     /**
      * halt
      */
@@ -220,13 +243,35 @@ class DB_MYSQL
         }
     }
 
+
     /**
      * connect
      */
     public function connect()
     {
         if (!$this->LinkID) {
-            $this->LinkID = mysqli_connect($this->Server, $this->User, $this->Pass, $this->Database, $this->Port, $this->Socket); // defined in config.php
+            $this->LinkID = mysqli_init();
+
+            mysqli_ssl_set(
+                $this->LinkID,
+                $this->Key,
+                $this->Cert,
+                $this->Ca,
+                null,
+                null
+            );
+
+            mysqli_real_connect(
+                $this->LinkID,
+                $this->Server,
+                $this->User,
+                $this->Pass,
+                $this->Database,
+                $this->Port,
+                $this->Socket,
+                MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT
+            );
+
             if (!$this->LinkID) {
                 $this->Errno = mysqli_connect_errno();
                 $this->Error = mysqli_connect_error();
@@ -235,7 +280,8 @@ class DB_MYSQL
         }
         mysqli_set_charset($this->LinkID, "utf8mb4");
     }
-     
+
+
     /**
      * prepare_query
      */
@@ -258,6 +304,7 @@ class DB_MYSQL
         return $this->StatementID;
     }
 
+
     /**
      * exec_prepared_query
      */
@@ -271,6 +318,7 @@ class DB_MYSQL
         $this->Time += $QueryRunTime;
     }
 
+
     /**
      * Runs a raw query assuming pre-sanitized input. However, attempting to self sanitize (such
      * as via db_string) is still not as safe for using prepared statements so for queries
@@ -360,6 +408,7 @@ class DB_MYSQL
         return $this->QueryID;
     }
 
+
     /**
      * inserted_id
      */
@@ -370,6 +419,7 @@ class DB_MYSQL
         }
     }
 
+
     /**
      * next_record
      */
@@ -388,6 +438,7 @@ class DB_MYSQL
         }
     }
 
+
     /**
      * close
      */
@@ -401,6 +452,7 @@ class DB_MYSQL
         }
     }
 
+
     /*
      * Returns an integer with the number of rows found
      * Returns a string if the number of rows found exceeds MAXINT
@@ -412,6 +464,7 @@ class DB_MYSQL
         }
     }
 
+
     /*
      * Returns true if the query exists and there were records found
      * Returns false if the query does not exist or if there were 0 records returned
@@ -421,6 +474,7 @@ class DB_MYSQL
         return ($this->QueryID && $this->record_count() !== 0);
     }
 
+
     /**
      * affected_rows
      */
@@ -431,6 +485,7 @@ class DB_MYSQL
         }
     }
 
+
     /**
      * info
      */
@@ -439,6 +494,7 @@ class DB_MYSQL
         return mysqli_get_host_info($this->LinkID);
     }
 
+
     // Creates an array from a result set
     // If $Key is set, use the $Key column in the result set as the array key
     // Otherwise, use an integer
@@ -461,6 +517,7 @@ class DB_MYSQL
         return $Return;
     }
 
+
     //  Loops through the result set, collecting the $ValField column into an array with $KeyField as keys
     public function to_pair($KeyField, $ValField, $Escape = true)
     {
@@ -480,6 +537,7 @@ class DB_MYSQL
         return $Return;
     }
 
+
     //  Loops through the result set, collecting the $Key column into an array
     public function collect($Key, $Escape = true)
     {
@@ -497,6 +555,7 @@ class DB_MYSQL
      * Useful extras from OPS
      */
 
+
     /**
      * Runs a prepared_query using placeholders and returns the matched row.
      * Stashes the current query id so that this can be used within a block
@@ -515,6 +574,7 @@ class DB_MYSQL
         return $result;
     }
 
+
     /**
      * Runs a prepared_query using placeholders and returns the first element
      * of the first row.
@@ -545,6 +605,7 @@ class DB_MYSQL
         $this->Row = 0;
     }
 
+
     /**
      * get_query_id
      */
@@ -553,6 +614,7 @@ class DB_MYSQL
         return $this->QueryID;
     }
 
+
     /**
      * beginning
      */
@@ -562,6 +624,7 @@ class DB_MYSQL
         $this->Row = 0;
     }
 
+
     /**
      * This function determines whether the last query caused warning messages
      * and stores them in $this->Queries
@@ -581,76 +644,4 @@ class DB_MYSQL
         }
         $this->Queries[count($this->Queries) - 1][2] = $Warnings;
     }
-
-
-    /**
-     * todo: Work this into Bio Gazelle
-     * @see https://github.com/OPSnet/Gazelle/blob/master/app/DB.php
-     */
-
-    /**
-     * Soft delete a row from a table <t> by inserting it into deleted_<t> and then delete from <t>
-     * @param string $schema the schema name
-     * @param string $table the table name
-     * @param array $condition Must be an array of arrays, e.g. [[column_name, column_value]] or [[col1, val1], [col2, val2]]
-     *                         Will be used to identify the row (or rows) to delete
-     * @param boolean $delete whether to delete the matched rows
-     * @return array 2 elements, true/false and message if false
-     * /
-    public function softDelete($schema, $table, array $condition, $delete = true)
-    {
-        $sql = 'SELECT column_name, column_type FROM information_schema.columns WHERE table_schema = ? AND table_name = ? ORDER BY 1';
-        $this->db->prepared_query($sql, $schema, $table);
-        $t1 = $this->db->to_array();
-        $n1 = count($t1);
-
-        $softDeleteTable = 'deleted_' . $table;
-        $this->db->prepared_query($sql, $schema, $softDeleteTable);
-        $t2 = $this->db->to_array();
-        $n2 = count($t2);
-
-        if (!$n1) {
-            return [false, "No such table $table"];
-        } elseif (!$n2) {
-            return [false, "No such table $softDeleteTable"];
-        } elseif ($n1 != $n2) {
-            // tables do not have the same number of columns
-            return [false, "$table and $softDeleteTable column count mismatch ($n1 != $n2)"];
-        }
-
-        $column = [];
-        for ($i = 0; $i < $n1; ++$i) {
-            // a column does not have the same name or datatype
-            if (strtolower($t1[$i][0]) != strtolower($t2[$i][0]) || $t1[$i][1] != $t2[$i][1]) {
-                return [false, "{$table}: column {$t1[$i][0]} name or datatype mismatch {$t1[$i][0]}:{$t2[$i][0]} {$t1[$i][1]}:{$t2[$i][1]}"];
-            }
-            $column[] = $t1[$i][0];
-        }
-        $columnList = implode(', ', $column);
-        $conditionList = implode(' AND ', array_map(function ($c) {
-            return "{$c[0]} = ?";
-        }, $condition));
-        $argList = array_map(function ($c) {
-            return $c[1];
-        }, $condition);
-
-        $sql = "INSERT INTO $softDeleteTable
-                  ($columnList)
-            SELECT $columnList
-            FROM $table
-            WHERE $conditionList";
-        $this->db->prepared_query($sql, ...$argList);
-        if ($this->db->affected_rows() == 0) {
-            return [false, "condition selected 0 rows"];
-        }
-
-        if (!$delete) {
-            return [true, "rows affected: " . $this->db->affected_rows()];
-        }
-
-        $sql = "DELETE FROM $table WHERE $conditionList";
-        $this->db->prepared_query($sql, ...$argList);
-        return [true, "rows deleted: " . $this->db->affected_rows()];
-    }
-    */
 }

design/privateheader.php

@@ -49,7 +49,7 @@ $Styles = array_filter(
     array_merge(
         [
           'vendor/jquery-ui.min',
-          'assets/fonts/fa/css/all.min',
+          #'assets/fonts/fa/css/all.min',
           'global'
         ],
         explode(',', $CSSIncludes)

design/publicfooter.php

@@ -1,3 +1,9 @@
+<?php
+declare(strict_types=1);
+
+$ENV = ENV::go();
+
+echo <<<HTML
 </main>
 
 <footer>
@@ -9,4 +15,5 @@
 <script src="$ENV->STATIC_SERVER/functions/vendor/instantpage.js" type="module"></script>
 </body>
 
-</html>
+</html>
+HTML;

sections/donate/donate.php

@@ -50,32 +50,22 @@ View::show_header('Donate');
     <ul>
       <li>
         <strong>Server.</strong>
-        We use one budget VPS at 2.50€ per month and may add more as needed.
+        We use two budget VPS at 2.50€ per month each.
         Please consider using our
         <a href="https://hetzner.cloud/?ref=mzIDQWTHipNB" target="_blank">affiliate link</a>.
-        You'd receive 20€ credit, effectively paying your server for 8 months.
-        BioTorrents would receive 10€ credit after a year, paying our server for 4 months.
-      </li>
-
-      <li>
-        <strong>Seedbox.</strong>
-        A dedicated seedbox from
-        <a href="https://pulsedmedia.com/clients/aff.php?aff=1275" target="_blank">Pulsed Media (affiliate link)</a>
-        is 75€ per year.
-        Please see the <a href="/user.php?id=28">seedbox user account stats</a>.
+        You'd receive 20€ credit, and BioTorrents.de would receive 10€ credit after that.
       </li>
 
       <li>
         <strong>Domain.</strong>
         The domain name is $15 per year.
-        The SSL certificate is gratis.
+        The TLS certificates are gratis.
       </li>
 
       <li>
         <strong>Company.</strong>
         Omics Tools LLC is <?= $ENV->SITE_NAME ?>'s parent company.
         It's $50 per year for annual reports and $125 for resident agent services.
-        Also, DMCA agent registration is $6.
       </li>
     </ul>
   </div>

sections/index/private.php

@@ -34,11 +34,12 @@ if ($LoggedUser['LastReadNews'] !== $News[0][0] && count($News) > 0) {
     $LoggedUser['LastReadNews'] = $News[0][0];
 }
 
-View::show_header('News', 'bbcode,news_ajax');
+View::show_header('News', 'news_ajax');
+#View::show_header('News', 'bbcode,news_ajax');
 ?>
 <div>
   <div class="sidebar">
-    <?php #include 'connect.php'; ?>
+    <?php #include 'connect.php';?>
 
     <?php
     # Staff blog
@@ -49,7 +50,7 @@ if (check_perms('users_mod')) { ?>
       </div>
       <?php
 if (($Blog = $Cache->get_value('staff_blog')) === false) {
-        $DB->query("
+    $DB->query("
     SELECT
       b.ID,
       um.Username,
@@ -59,9 +60,9 @@ if (($Blog = $Cache->get_value('staff_blog')) === false) {
     FROM staff_blog AS b
       LEFT JOIN users_main AS um ON b.UserID = um.ID
     ORDER BY Time DESC");
-        $Blog = $DB->to_array(false, MYSQLI_NUM);
-        $Cache->cache_value('staff_blog', $Blog, 1209600);
-    }
+    $Blog = $DB->to_array(false, MYSQLI_NUM);
+    $Cache->cache_value('staff_blog', $Blog, 1209600);
+}
     if (($SBlogReadTime = $Cache->get_value('staff_blog_read_'.$LoggedUser['ID'])) === false) {
         $DB->query("
     SELECT Time

sections/login/index.php

@@ -10,7 +10,7 @@ Add the JavaScript validation into the display page using the class
 //-----------------------------------*/
 
 // Allow users to reset their password while logged in
-if (!empty($LoggedUser['ID']) && $_REQUEST['act'] != 'recover') {
+if (!empty($LoggedUser['ID']) && $_REQUEST['act'] !== 'recover') {
     header('Location: index.php');
     error();
 }
@@ -24,6 +24,7 @@ if (Tools::site_ban_ip($_SERVER['REMOTE_ADDR'])) {
     error('Your IP address has been banned.');
 }
 
+# Initialize
 require_once SERVER_ROOT.'/classes/twofa.class.php';
 require_once SERVER_ROOT.'/classes/u2f.class.php';
 require_once SERVER_ROOT.'/classes/validate.class.php';
@@ -33,28 +34,28 @@ $TwoFA = new TwoFactorAuth($ENV->SITE_NAME);
 $U2F = new u2f\U2F('https://'.SITE_DOMAIN);
 
 # todo: Test strict equality very gently here
-if (array_key_exists('action', $_GET) && $_GET['action'] == 'disabled') {
+if (array_key_exists('action', $_GET) && $_GET['action'] === 'disabled') {
     require('disabled.php');
     error();
 }
 
-if (isset($_REQUEST['act']) && $_REQUEST['act'] == 'recover') {
+if (isset($_REQUEST['act']) && $_REQUEST['act'] === 'recover') {
     // Recover password
     if (!empty($_REQUEST['key'])) {
         // User has entered a new password, use step 2
         $DB->query("
         SELECT
-          m.ID,
-          m.Email,
-          i.ResetExpires
-        FROM users_main AS m
-          INNER JOIN users_info AS i ON i.UserID = m.ID
-          WHERE i.ResetKey = ?
-          AND i.ResetKey != ''", $_REQUEST['key']);
+          m.`ID`,
+          m.`Email`,
+          i.`ResetExpires`
+        FROM `users_main` AS m
+          INNER JOIN `users_info` AS i ON i.`UserID` = m.`ID`
+          WHERE i.`ResetKey` = ?
+          AND i.`ResetKey` != ''", $_REQUEST['key']);
         list($UserID, $Email, $Country, $Expires) = $DB->next_record();
 
         if (!apcu_exists('DBKEY')) {
-            error('Database not fully decrypted. Please wait for staff to fix this and try again later');
+            error('Database not fully decrypted. Please wait for staff to fix this and try again later.');
         }
 
         $Email = Crypto::decrypt($Email);
@@ -65,27 +66,33 @@ if (isset($_REQUEST['act']) && $_REQUEST['act'] == 'recover') {
             $Validate->SetFields('verifypassword', '1', 'compare', 'Your passwords did not match.', array('comparefield' => 'password'));
 
             if (!empty($_REQUEST['password'])) {
-                // If the user has entered a password.
-                // If the user has not entered a password, $PassWasReset is not set to 1, and the success message is not shown
+                // If the user entered a password.
+                // If not, $PassWasReset !== 1, success message hidden.
                 $Err = $Validate->ValidateForm($_REQUEST);
                 if ($Err == '') {
                     // Form validates without error, set new secret and password.
-                    $DB->query("
+                    $DB->query(
+                        "
                     UPDATE
-                      users_main AS m,
-                      users_info AS i
+                      `users_main` AS m,
+                      `users_info` AS i
                     SET
-                      m.PassHash = ?,
-                      i.ResetKey = '',
-                      m.LastLogin = NOW(),
-                      i.ResetExpires = NULL
-                      WHERE m.ID = ?
-                      AND i.UserID = m.ID", Users::make_sec_hash($_REQUEST['password']), $UserID);
+                      m.`PassHash` = ?,
+                      i.`ResetKey` = '',
+                      m.`LastLogin` = NOW(),
+                      i.`ResetExpires` = NULL
+                      WHERE m.`ID` = ?
+                      AND i.`UserID` = m.`ID`",
+                        Users::make_sec_hash($_REQUEST['password']),
+                        $UserID
+                    );
+
                     $DB->query("
-                    INSERT INTO users_history_passwords
-                      (UserID, ChangerIP, ChangeTime)
+                    INSERT INTO `users_history_passwords`
+                      (`UserID`, `ChangerIP`, `ChangeTime`)
                     VALUES
                       (?, ?, NOW())", $UserID, Crypto::encrypt($_SERVER['REMOTE_ADDR']));
+
                     $PassWasReset = true;
                     $LoggedUser['ID'] = $UserID; // Set $LoggedUser['ID'] for logout_all_sessions() to work
                     logout_all_sessions();
@@ -193,7 +200,7 @@ if (isset($_REQUEST['act']) && $_REQUEST['act'] == 'recover') {
                       AND `Active` = 1
                     ");
                 } else {
-                    $Err = 'There is no user with that email address';
+                    $Err = 'There is no user with that email address.';
                 }
             }
         } elseif (!empty($_SESSION['reseterr'])) {
@@ -209,7 +216,7 @@ if (isset($_REQUEST['act']) && $_REQUEST['act'] == 'recover') {
     }
 } // End password recovery
 
-elseif (isset($_REQUEST['act']) && $_REQUEST['act'] == 'newlocation') {
+elseif (isset($_REQUEST['act']) && $_REQUEST['act'] === 'newlocation') {
     if (isset($_REQUEST['key'])) {
         if ($ASNCache = $Cache->get_value('new_location_'.$_REQUEST['key'])) {
             $Cache->cache_value('new_location_'.$ASNCache['UserID'].'_'.$ASNCache['ASN'], true);
@@ -226,7 +233,7 @@ elseif (isset($_REQUEST['act']) && $_REQUEST['act'] == 'newlocation') {
 // Normal login
 else {
     $Validate->SetFields('username', true, 'regex', 'You did not enter a valid username', array('regex' => USERNAME_REGEX));
-    $Validate->SetFields('password', '1', 'string', 'You entered an invalid password', array('minlength' => '6', 'maxlength' => '307200'));
+    $Validate->SetFields('password', '1', 'string', 'You entered an invalid password', array('minlength' => '15', 'maxlength' => '307200'));
 
     list($Attempts, $Banned) = $Cache->get_value('login_attempts_'.db_string($_SERVER['REMOTE_ADDR']));
 
@@ -306,12 +313,10 @@ else {
                                         $QueryParts[] = "(StartIP<=INET6_ATON('$IP') AND EndIP>=INET6_ATON('$IP'))";
                                     }
 
-                                    /*
                                     $DB->query('SELECT ASN FROM geoip_asn WHERE '.implode(' OR ', $QueryParts));
                                     $PastASNs = array_column($DB->to_array(false, MYSQLI_NUM), 0);
                                     $DB->query("SELECT ASN FROM geoip_asn WHERE StartIP<=INET6_ATON('$_SERVER[REMOTE_ADDR]') AND EndIP>=INET6_ATON('$_SERVER[REMOTE_ADDR]')");
                                     list($CurrentASN) = $DB->next_record();
-                                    */
 
                                     // If FEATURE_ENFORCE_LOCATIONS is enabled, require users to confirm new logins
                                     if (!in_array($CurrentASN, $PastASNs) && $ENV->FEATURE_ENFORCE_LOCATIONS) {

sections/login/login.php

@@ -1,8 +1,7 @@
 <?php
 declare(strict_types=1);
 
-View::show_header('Login');
-?>
+View::show_header('Login'); ?>
 
 <p class="center mouseless">
   A platform to share <strong>biological sequence</strong><br />
@@ -51,6 +50,7 @@ if (!$Banned) { ?>
         <input type="password" minlength="15" name="password" id="password" class="inputtext" required="required"
           maxlength="307200" pattern=".{15,307200}" placeholder="Password" autocomplete="current-password" />
       </td>
+
       <td>
         <input type="text" name="twofa" id="twofa" class="inputtext" maxlength="6" pattern="[0-9]{6}"
           inputmode="numeric" placeholder="2FA" size="6" title="Leave blank if you have not enabled 2FA"
@@ -70,7 +70,7 @@ if (!$Banned) { ?>
 } # if !$Banned
 else { ?>
 <p class="error">
-  You are banned from logging in for a few hours.
+  You're banned from logging in for a few hours.
 </p>
 <?php
   }

sections/login/recover_step2.php

@@ -2,18 +2,10 @@
 declare(strict_types=1);
 
 $ENV = ENV::go();
-View::show_header('Recover Password');
-?>
+View::show_header('Recover Password', 'validate,password_validate');
 
-<h2>Reset your password</h2>
+echo '<h2>Reset your password</h2>';
 
-<script src="<?=(STATIC_SERVER)?>functions/validate.js" type="text/javascript">
-</script>
-
-<script src="<?=(STATIC_SERVER)?>functions/password_validate.js"
-  type="text/javascript"></script>
-
-<?php
 if (empty($PassWasReset)) {
     if (!empty($Err)) { ?>
 <strong class="important_text"><?=display_str($Err)?></strong><br /><br />