Home Explore Help
Register Sign In
biotorrents
/
Gazelle
forked from Oppaitime/Gazelle
Watch 2
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 2 Wiki Activity
BioTorrents.de’s version of Gazelle
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1137 Commits
2 Branches
Tree: 48e3ea4aac
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '48e3ea4aac'
${ noResults }
Gazelle/classes/validate.class.php

validate.class.php 18KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543 
  1. <?php

  2. #declare(strict_types=1);

  3. 

  4. /**

  5.  * Validate

  6.  * CURRENTLY UNTESTED

  7.  *

  8.  * WCD/OT Gazelle contains two functions by default:

  9.  *  - SetFields()

  10.  *  - ValidateForm()

  11.  *

  12.  * The first is responsible for initializing a number of internal variables.

  13.  * The second does the actual validation with rather hideous and clumsy logic.

  14.  *

  15.  * Bio Gazelle seeks to improve this class and centralize site validation.

  16.  * The class should serve these common and use-dependent functions:

  17.  *

  18.  *  - Ensure that no malicious data enters the DB

  19.  *   - Prevent XSS and SQL injection via $_GET and $_POST

  20.  *   - Escape all text inputs and HTML outputs

  21.  *   - Generate secure input elements and DB outputs

  22.  *   - Enforce $_POST except when $_GET is necessary (e.g., search → RSS)

  23.  *

  24.  *  - Ensure that no junk data enters the DB

  25.  *   - Enforce HTML form element limits (generated by this class)

  26.  *   - Prove that a date is valid and output DB-safe datetimes

  27.  *   - Limit acceptable input to classes/config.php constants

  28.  *   - Provide structured ways to support user data (e.g., $x Samples)

  29.  *   - Autocomplete everywhere

  30.  *   - Enforce DBKEY on all encryped input

  31.  *

  32.  *  - Some more stuff, a running list

  33.  *   - Check if a successful function returns null, e.g.,

  34.  *     php > function test() { return; }

  35.  *     php > var_dump(test());

  36.  *     NULL

  37.  *

  38.  *   - Check if a failed function returns false, e.g.,

  39.  *     php > function orwell() { return (2 + 2 === 5); }

  40.  *     php > var_dump(orwell());

  41.  *     bool(false)

  42.  *

  43.  * todo: Support form ID checks

  44.  * todo: Number and date validation

  45.  */

  46. 

  47. class Validate

  48. {

  49.     /**

  50.      * mirrors

  51.      *

  52.      * @param string $String The raw textarea, e.g., from torrent_form.class.php

  53.      * @param string $Regex  The regex to test against, e.g., from $ENV

  54.      * @return array An array of unique values that match the regex

  55.      */

  56.     public function textarea2array(string $String, string $Regex)

  57.     {

  58.         $ENV = ENV::go();

  59. 

  60.         $String = array_map(

  61.             'trim',

  62.             explode(

  63.                 "\n",

  64.                 $String

  65.             )

  66.         );

  67.         

  68.         return array_unique(

  69.             preg_grep(

  70.                 "/^$Regex$/i",

  71.                 $String

  72.             )

  73.         );

  74.     }

  75. 

  76.     

  77.     /**

  78.      * title

  79.      *

  80.      * Check if a torrent title is valid.

  81.      * If so, return the sanitized title.

  82.      * If not, return an error.

  83.      */

  84.     public function textInput($String)

  85.     {

  86.         # Previously a constant

  87.         $MinLength = 10;

  88.         $MaxLength = 255;

  89. 

  90.         # Does it exist and is it valid?

  91.         if (!$String || !is_string($String)) {

  92.             error('No or invalid $String parameter.');

  93.         }

  94. 

  95.         # Is it too long or short?

  96.         if (count($String)) {

  97.         }

  98.     }

  99. 

  100. 

  101.     /**

  102.      * Torrent errors

  103.      *

  104.      * Responsible for the red error messages on bad upload attemps.

  105.      * todo: Test $this->TorrentError() on new file checker functions

  106.      */

  107.     public function TorrentError($Suspect)

  108.     {

  109.         global $Err;

  110. 

  111.         if (!$Suspect) {

  112.             error('No error source :^)');

  113.         }

  114. 

  115.         switch (false) {

  116.             case $this->HasExtensions($Suspect, 1):

  117.                 return $Err = "The torrent has one or more files without extensions:\n" . display_str($Suspect);

  118. 

  119.             case $this->CruftFree($Suspect):

  120.                 return $Err = "The torrent has one or more junk files:\n" . display_str($Suspect);

  121. 

  122.             case $this->SafeCharacters($Suspect):

  123.                 $BadChars = $this->SafeCharacters('', true);

  124.                 return $Err = "One or more files has the forbidden characters $BadChars:\n" . display_str($Suspect);

  125.             

  126.             default:

  127.                 return;

  128.         }

  129. 

  130.         return;

  131.     }

  132. 

  133.     /**

  134.      * Check if a file has no extension and return false.

  135.      * Otherwise, return an array of the last $x extensions.

  136.      */

  137.     private function HasExtensions($FileName, $x)

  138.     {

  139.         if (!is_int($x) || $x <= 0) {

  140.             error('Requested number of extensions must be <= 0');

  141.         }

  142. 

  143.         if (!strstr('.', $FileName)) {

  144.             return false;

  145.         }

  146. 

  147.         $Extensions = array_slice(explode('.', strtolower($FileName)), -$x, $x);

  148.         return (!empty($Extensions)) ? $Extensions : false;

  149.     }

  150. 

  151.     /**

  152.      * Check if a file is junk according to a filename blacklist.

  153.      * todo: Change $Keywords into an array of regexes

  154.      */

  155.     public function CruftFree($FileName)

  156.     {

  157.         $Keywords = [

  158.             'ahashare.com',

  159.             'demonoid.com',

  160.             'demonoid.me',

  161.             'djtunes.com',

  162.             'h33t',

  163.             'housexclusive.net',

  164.             'limetorrents.com',

  165.             'mixesdb.com',

  166.             'mixfiend.blogstop',

  167.             'mixtapetorrent.blogspot',

  168.             'plixid.com',

  169.             'reggaeme.com',

  170.             'scc.nfo',

  171.             'thepiratebay.org',

  172.             'torrentday',

  173.         ];

  174.         

  175.         # $Keywords match

  176.         foreach ($Keywords as &$Value) {

  177.             if (strpos(strtolower($FileName), $Value) !== false) {

  178.                 return false;

  179.             }

  180.         }

  181.     

  182.         # Incomplete data

  183.         if (preg_match('/INCOMPLETE~\*/i', $FileName)) {

  184.             return false;

  185.         }

  186. 

  187.         return true;

  188.     }

  189.       

  190.     /**

  191.      * These characters are invalid on Windows NTFS:

  192.      *   : ? / < > \ * | "

  193.      *

  194.      * If no $FileName, return the list of bad characters.

  195.      * If $FileName contains, a bad character, return false.

  196.      * Otherwise, return true.

  197.      *

  198.      * todo: Add "/" to the blacklist. This causes problems with nested dirs, apparently

  199.      * todo: Make possible preg_match($AllBlockedChars, $Name, $Matches)

  200.      */

  201.     public function SafeCharacters($FileName, $Pretty = false)

  202.     {

  203.         $InvalidChars = ':?<>\*|"';

  204. 

  205.         if (empty($FileName)) {

  206.             return (!$Pretty) ? $InvalidChars : implode(' ', str_split($InvalidChars));

  207.         }

  208. 

  209.         # todo: Regain functionality to return the invalid character

  210.         if (preg_match(implode('\\', str_split($InvalidChars)), $Name, $Matches)) {

  211.             return false;

  212.         }

  213. 

  214.         return true;

  215.     }

  216. 

  217.     /**

  218.      * Extension Parser

  219.      *

  220.      * Takes an associative array of file types and extension, e.g.,

  221.      * $ENV->META->Archives = [

  222.      *   '7z'     => ['7z'],

  223.      *   'bzip2'  => ['bz2', 'bzip2'],

  224.      *   'gzip'   => ['gz', 'gzip', 'tgz', 'tpz'],

  225.      *   ...

  226.      * ];

  227.      *

  228.      * Then it finds all the extensions in a torrent file list,

  229.      * organizes them by file size, and returns the heaviest match.

  230.      *

  231.      * That way, you can have, e.g., 5 GiB FASTQ sequence data in one file,

  232.      * and 100 other small files, and get the format of the actual data.

  233.      */

  234.     public function ParseExtensions($FileList, $Category, $FileTypes)

  235.     {

  236.         # Sort $Tor->file_list() output by size

  237.         $UnNested = array_values($FileList[1]);

  238.         $Sorted = (usort($UnNested, function ($a, $b) {

  239.             return $b <=> $a;

  240.         })) ? $UnNested : null;  # Ternary wrap because &uarr; returns true

  241.         

  242.         # Harvest the wheat

  243.         # todo: Entries seem duplicated here

  244.         $Heaviest = array_slice($Sorted, 0, 20);

  245.         $Matches = [];

  246. 

  247.         # Distill the file format

  248.         $FileTypes = $FileTypes[$Category];

  249.         $FileTypeNames = array_keys($FileTypes);

  250. 

  251.         foreach ($Heaviest as $Heaviest) {

  252.             # Collect the last 2 period-separated tokens

  253.             $Extensions = array_slice(explode('.', strtolower($Heaviest[1])), -2, 2);

  254.             $Matches = array_merge($Extensions);

  255. 

  256.             # todo: Reduce nesting by one level

  257.             foreach ($Matches as $Match) {

  258.                 $Match = strtolower($Match);

  259.         

  260.                 foreach ($FileTypeNames as $FileTypeName) {

  261.                     $SearchMe = [ $FileTypeName, $FileTypes[$FileTypeName] ];

  262.         

  263.                     if (in_array($Match, $SearchMe[1])) {

  264.                         return $SearchMe[0];

  265.                         break;

  266.                     }

  267.                 }

  268. 

  269.                 # Return the last element (Other or None)

  270.                 return array_key_last($FileTypes);

  271.             }

  272.         }

  273.     }

  274. 

  275. 

  276.     /**

  277.      * Legacy class

  278.      */

  279.     public $Fields = [];

  280.     public function SetFields($FieldName, $Required, $FieldType, $ErrorMessage, $Options = [])

  281.     {

  282.         $this->Fields[$FieldName]['Type'] = strtolower($FieldType);

  283.         $this->Fields[$FieldName]['Required'] = $Required;

  284.         $this->Fields[$FieldName]['ErrorMessage'] = $ErrorMessage;

  285. 

  286.         if (!empty($Options['maxlength'])) {

  287.             $this->Fields[$FieldName]['MaxLength'] = $Options['maxlength'];

  288.         }

  289. 

  290.         if (!empty($Options['minlength'])) {

  291.             $this->Fields[$FieldName]['MinLength'] = $Options['minlength'];

  292.         }

  293. 

  294.         if (!empty($Options['comparefield'])) {

  295.             $this->Fields[$FieldName]['CompareField'] = $Options['comparefield'];

  296.         }

  297. 

  298.         if (!empty($Options['allowperiod'])) {

  299.             $this->Fields[$FieldName]['AllowPeriod'] = $Options['allowperiod'];

  300.         }

  301. 

  302.         if (!empty($Options['allowcomma'])) {

  303.             $this->Fields[$FieldName]['AllowComma'] = $Options['allowcomma'];

  304.         }

  305. 

  306.         if (!empty($Options['inarray'])) {

  307.             $this->Fields[$FieldName]['InArray'] = $Options['inarray'];

  308.         }

  309. 

  310.         if (!empty($Options['regex'])) {

  311.             $this->Fields[$FieldName]['Regex'] = $Options['regex'];

  312.         }

  313.     }

  314. 

  315.     public function ValidateForm($ValidateArray)

  316.     {

  317.         reset($this->Fields);

  318.         foreach ($this->Fields as $FieldKey => $Field) {

  319.             $ValidateVar = $ValidateArray[$FieldKey];

  320. 

  321.             # todo: Change this to a switch statement

  322.             if ($ValidateVar !== '' || !empty($Field['Required']) || $Field['Type'] === 'date') {

  323.                 if ($Field['Type'] === 'string') {

  324.                     if (isset($Field['MaxLength'])) {

  325.                         $MaxLength = $Field['MaxLength'];

  326.                     } else {

  327.                         $MaxLength = 255;

  328.                     }

  329. 

  330.                     if (isset($Field['MinLength'])) {

  331.                         $MinLength = $Field['MinLength'];

  332.                     } else {

  333.                         $MinLength = 1;

  334.                     }

  335. 

  336.                     if (strlen($ValidateVar) > $MaxLength) {

  337.                         return $Field['ErrorMessage'];

  338.                     } elseif (strlen($ValidateVar) < $MinLength) {

  339.                         return $Field['ErrorMessage'];

  340.                     }

  341.                 } elseif ($Field['Type'] === 'number') {

  342.                     if (isset($Field['MaxLength'])) {

  343.                         $MaxLength = $Field['MaxLength'];

  344.                     } else {

  345.                         $MaxLength = '';

  346.                     }

  347. 

  348.                     if (isset($Field['MinLength'])) {

  349.                         $MinLength = $Field['MinLength'];

  350.                     } else {

  351.                         $MinLength = 0;

  352.                     }

  353. 

  354.                     $Match = '0-9';

  355.                     if (isset($Field['AllowPeriod'])) {

  356.                         $Match .= '.';

  357.                     }

  358. 

  359.                     if (isset($Field['AllowComma'])) {

  360.                         $Match .= ',';

  361.                     }

  362. 

  363.                     if (preg_match('/[^'.$Match.']/', $ValidateVar) || strlen($ValidateVar) < 1) {

  364.                         return $Field['ErrorMessage'];

  365.                     } elseif ($MaxLength !== '' && $ValidateVar > $MaxLength) {

  366.                         return $Field['ErrorMessage'].'!!';

  367.                     } elseif ($ValidateVar < $MinLength) {

  368.                         return $Field['ErrorMessage']."$MinLength";

  369.                     }

  370.                 } elseif ($Field['Type'] === 'email') {

  371.                     if (isset($Field['MaxLength'])) {

  372.                         $MaxLength = $Field['MaxLength'];

  373.                     } else {

  374.                         $MaxLength = 255;

  375.                     }

  376. 

  377.                     if (isset($Field['MinLength'])) {

  378.                         $MinLength = $Field['MinLength'];

  379.                     } else {

  380.                         $MinLength = 6;

  381.                     }

  382. 

  383.                     if (!preg_match("/^".EMAIL_REGEX."$/i", $ValidateVar)) {

  384.                         return $Field['ErrorMessage'];

  385.                     } elseif (strlen($ValidateVar) > $MaxLength) {

  386.                         return $Field['ErrorMessage'];

  387.                     } elseif (strlen($ValidateVar) < $MinLength) {

  388.                         return $Field['ErrorMessage'];

  389.                     }

  390.                 } elseif ($Field['Type'] === 'link') {

  391.                     if (isset($Field['MaxLength'])) {

  392.                         $MaxLength = $Field['MaxLength'];

  393.                     } else {

  394.                         $MaxLength = 255;

  395.                     }

  396. 

  397.                     if (isset($Field['MinLength'])) {

  398.                         $MinLength = $Field['MinLength'];

  399.                     } else {

  400.                         $MinLength = 10;

  401.                     }

  402. 

  403.                     if (!preg_match('/^'.URL_REGEX.'$/i', $ValidateVar)) {

  404.                         return $Field['ErrorMessage'];

  405.                     } elseif (strlen($ValidateVar) > $MaxLength) {

  406.                         return $Field['ErrorMessage'];

  407.                     } elseif (strlen($ValidateVar) < $MinLength) {

  408.                         return $Field['ErrorMessage'];

  409.                     }

  410.                 } elseif ($Field['Type'] === 'username') {

  411.                     if (isset($Field['MaxLength'])) {

  412.                         $MaxLength = $Field['MaxLength'];

  413.                     } else {

  414.                         $MaxLength = 20;

  415.                     }

  416.                     

  417.                     if (isset($Field['MinLength'])) {

  418.                         $MinLength = $Field['MinLength'];

  419.                     } else {

  420.                         $MinLength = 1;

  421.                     }

  422. 

  423.                     if (!preg_match(USERNAME_REGEX, $ValidateVar)) {

  424.                         return $Field['ErrorMessage'];

  425.                     } elseif (strlen($ValidateVar) > $MaxLength) {

  426.                         return $Field['ErrorMessage'];

  427.                     } elseif (strlen($ValidateVar) < $MinLength) {

  428.                         return $Field['ErrorMessage'];

  429.                     }

  430.                 } elseif ($Field['Type'] === 'checkbox') {

  431.                     if (!isset($ValidateArray[$FieldKey])) {

  432.                         return $Field['ErrorMessage'];

  433.                     }

  434.                 } elseif ($Field['Type'] === 'compare') {

  435.                     if ($ValidateArray[$Field['CompareField']] !== $ValidateVar) {

  436.                         return $Field['ErrorMessage'];

  437.                     }

  438.                 } elseif ($Field['Type'] === 'inarray') {

  439.                     if (array_search($ValidateVar, $Field['InArray']) === false) {

  440.                         return $Field['ErrorMessage'];

  441.                     }

  442.                 } elseif ($Field['Type'] === 'regex') {

  443.                     if (!preg_match($Field['Regex'], $ValidateVar)) {

  444.                         return $Field['ErrorMessage'];

  445.                     }

  446.                 }

  447.             }

  448.         } // while

  449.     } // function

  450. } // class

  451. 

  452. 

  453. /**

  454.  * File checker stub class

  455.  *

  456.  * Not technically part of the Validate class (yet).

  457.  * Useful torrent file functions such as finding disallowed characters.

  458.  * This will eventually move inside Validate for upload_handle.php.

  459.  */

  460. 

  461. $Keywords = array(

  462.   'ahashare.com', 'demonoid.com', 'demonoid.me', 'djtunes.com', 'h33t', 'housexclusive.net',

  463.   'limetorrents.com', 'mixesdb.com', 'mixfiend.blogstop', 'mixtapetorrent.blogspot',

  464.   'plixid.com', 'reggaeme.com' , 'scc.nfo', 'thepiratebay.org', 'torrentday');

  465. 

  466. function check_file($Type, $Name)

  467. {

  468.     check_name($Name);

  469.     check_extensions($Type, $Name);

  470. }

  471. 

  472. function check_name($Name)

  473. {

  474.     global $Keywords;

  475.     $NameLC = strtolower($Name);

  476. 

  477.     foreach ($Keywords as &$Value) {

  478.         if (strpos($NameLC, $Value) !== false) {

  479.             forbidden_error($Name);

  480.         }

  481.     }

  482. 

  483.     if (preg_match('/INCOMPLETE~\*/i', $Name)) {

  484.         forbidden_error($Name);

  485.     }

  486. 

  487.     /*

  488.      * These characters are invalid in NTFS on Windows systems:

  489.      *    : ? / < > \ * | "

  490.      *

  491.      * todo: Add "/" to the blacklist. This causes problems with nested dirs, apparently

  492.      * todo: Make possible preg_match($AllBlockedChars, $Name, $Matches)

  493.      *

  494.      * Only the following characters need to be escaped (see the link below):

  495.      *    \ - ^ ]

  496.      *

  497.      * http://www.php.net/manual/en/regexp.reference.character-classes.php

  498.      */

  499.     $AllBlockedChars = ' : ? < > \ * | " ';

  500.     if (preg_match('/[\\:?<>*|"]/', $Name, $Matches)) {

  501.         character_error($Matches[0], $AllBlockedChars);

  502.     }

  503. }

  504. 

  505. function check_extensions($Type, $Name)

  506. {

  507.     # todo: Make generic or subsume into Validate->ParseExtensions()

  508.     /*

  509.     if (!isset($MusicExtensions[get_file_extension($Name)])) {

  510.         invalid_error($Name);

  511.     }

  512.     */

  513. }

  514. 

  515. function get_file_extension($FileName)

  516. {

  517.     return strtolower(substr(strrchr($FileName, '.'), 1));

  518. }

  519. 

  520. /**

  521.  * Error functions

  522.  *

  523.  * Responsible for the red error messages on bad upload attemps.

  524.  * todo: Make one function, e.g., Validate->error($type)

  525.  */

  526. 

  527. function invalid_error($Name)

  528. {

  529.     global $Err;

  530.     $Err = 'The torrent contained one or more invalid files (' . display_str($Name) . ')';

  531. }

  532. 

  533. function forbidden_error($Name)

  534. {

  535.     global $Err;

  536.     $Err = 'The torrent contained one or more forbidden files (' . display_str($Name) . ')';

  537. }

  538. 

  539. function character_error($Character, $AllBlockedChars)

  540. {

  541.     global $Err;

  542.     $Err = "One or more of the files or folders in the torrent has a name that contains the forbidden character '$Character'. Please rename the files as necessary and recreate the torrent.<br /><br />\nNote: The complete list of characters that are disallowed are shown below:<br />\n\t\t$AllBlockedChars";

  543. }