Home Explore Help
Register Sign In
biotorrents
/
Gazelle
forked from Oppaitime/Gazelle
Watch 2
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 2 Wiki Activity
BioTorrents.de’s version of Gazelle
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1065 Commits
2 Branches
Tree: b4fb8c0c52
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'b4fb8c0c52'
${ noResults }
Gazelle/classes/validate.class.php

validate.class.php 18KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566 
  1. <?php

  2. 

  3. /**

  4.  * Validate

  5.  * CURRENTLY UNTESTED

  6.  *

  7.  * WCD/OT Gazelle contains two functions by default:

  8.  *  - SetFields()

  9.  *  - ValidateForm()

  10.  *

  11.  * The first is responsible for initializing a number of internal variables.

  12.  * The second does the actual validation with rather hideous and clumsy logic.

  13.  *

  14.  * Bio Gazelle seeks to improve this class and centralize site validation.

  15.  * The class should serve these common and use-dependent functions:

  16.  *

  17.  *  - Ensure that no malicious data enters the DB

  18.  *   - Prevent XSS and SQL injection via $_GET and $_POST

  19.  *   - Escape all text inputs and HTML outputs

  20.  *   - Generate secure input elements and DB outputs

  21.  *   - Enforce $_POST except when $_GET is necessary (e.g., search → RSS)

  22.  *

  23.  *  - Ensure that no junk data enters the DB

  24.  *   - Enforce HTML form element limits (generated by this class)

  25.  *   - Prove that a date is valid and output DB-safe datetimes

  26.  *   - Limit acceptable input to classes/config.php constants

  27.  *   - Provide structured ways to support user data (e.g., $x Samples)

  28.  *   - Autocomplete everywhere

  29.  *   - Enforce DBKEY on all encryped input

  30.  *

  31.  *  - Some more stuff, a running list

  32.  *   - Check if a successful function returns null, e.g.,

  33.  *     php > function test() { return; }

  34.  *     php > var_dump(test());

  35.  *     NULL

  36.  *

  37.  *   - Check if a failed function returns false, e.g.,

  38.  *     php > function orwell() { return (2 + 2 === 5); }

  39.  *     php > var_dump(orwell());

  40.  *     bool(false)

  41.  *

  42.  * todo: Support form ID checks

  43.  * todo: Number and date validation

  44.  */

  45. 

  46. class Validate

  47. {

  48.     /**

  49.      * title

  50.      *

  51.      * Check if a torrent title is valid.

  52.      * If so, return the sanitized title.

  53.      * If not, return an error.

  54.      */

  55.     public function textInput($String)

  56.     {

  57.         # Previously a constant

  58.         $MinLength = 10;

  59.         $MaxLength = 255;

  60. 

  61.         # Does it exist and is it valid?

  62.         if (!$String || !is_string($String)) {

  63.             error('No or invalid $String parameter.');

  64.         }

  65. 

  66.         # Is it too long or short?

  67.         if (count($String)) {

  68.         }

  69.     }

  70. 

  71. 

  72.     /**

  73.      * Torrent errors

  74.      *

  75.      * Responsible for the red error messages on bad upload attemps.

  76.      * todo: Test $this->TorrentError() on new file checker functions

  77.      */

  78.     public function TorrentError($Suspect)

  79.     {

  80.         global $Err;

  81. 

  82.         if (!$Suspect) {

  83.             error('No error source :^)');

  84.         }

  85. 

  86.         switch (false) {

  87.             case $this->HasExtensions($Suspect, 1):

  88.                 return $Err = "The torrent has one or more files without extensions:\n" . display_str($Suspect);

  89. 

  90.             case $this->CruftFree($Suspect):

  91.                 return $Err = "The torrent has one or more junk files:\n" . display_str($Suspect);

  92. 

  93.             case $this->SafeCharacters($Suspect):

  94.                 $BadChars = $this->SafeCharacters('', true);

  95.                 return $Err = "One or more files has the forbidden characters $BadChars:\n" . display_str($Suspect);

  96.             

  97.             default:

  98.                 return null;

  99.         }

  100. 

  101.         return null;

  102.     }

  103. 

  104.     /**

  105.      * Check if a file has no extension and return false.

  106.      * Otherwise, return an array of the last $x extensions.

  107.      */

  108.     private function HasExtensions($FileName, $x)

  109.     {

  110.         if (!is_int($x) || $x <= 0) {

  111.             error('Requested number of extensions must be <= 0');

  112.         }

  113. 

  114.         if (!strstr('.', $FileName)) {

  115.             return false;

  116.         }

  117. 

  118.         $Extensions = array_slice(explode('.', strtolower($FileName)), -$x, $x);

  119.         return (!empty($Extensions)) ? $Extensions : false;

  120.     }

  121. 

  122.     /**

  123.      * Check if a file is junk according to a filename blacklist.

  124.      * todo: Change $Keywords into an array of regexes

  125.      */

  126.     public function CruftFree($FileName)

  127.     {

  128.         $Keywords = [

  129.             'ahashare.com',

  130.             'demonoid.com',

  131.             'demonoid.me',

  132.             'djtunes.com',

  133.             'h33t',

  134.             'housexclusive.net',

  135.             'limetorrents.com',

  136.             'mixesdb.com',

  137.             'mixfiend.blogstop',

  138.             'mixtapetorrent.blogspot',

  139.             'plixid.com',

  140.             'reggaeme.com',

  141.             'scc.nfo',

  142.             'thepiratebay.org',

  143.             'torrentday',

  144.         ];

  145.         

  146.         # $Keywords match

  147.         foreach ($Keywords as &$Value) {

  148.             if (strpos(strtolower($FileName), $Value) !== false) {

  149.                 return false;

  150.             }

  151.         }

  152.     

  153.         # Incomplete data

  154.         if (preg_match('/INCOMPLETE~\*/i', $FileName)) {

  155.             return false;

  156.         }

  157. 

  158.         return true;

  159.     }

  160.       

  161.     /*

  162.      * These characters are invalid on Windows NTFS:

  163.      *   : ? / < > \ * | "

  164.      *

  165.      * If no $FileName, return the list of bad characters.

  166.      * If $FileName contains, a bad character, return false.

  167.      * Otherwise, return true.

  168.      *

  169.      * todo: Add "/" to the blacklist. This causes problems with nested dirs, apparently

  170.      * todo: Make possible preg_match($AllBlockedChars, $Name, $Matches)

  171.      */

  172.     public function SafeCharacters($FileName, $Pretty = false)

  173.     {

  174.         $InvalidChars = ':?<>\*|"';

  175. 

  176.         if (empty($FileName)) {

  177.             return (!$Pretty) ? $InvalidChars : implode(' ', str_split($InvalidChars));

  178.         }

  179. 

  180.         # todo: Regain functionality to return the invalid character

  181.         if (preg_match(implode('\\', str_split($InvalidChars)), $Name, $Matches)) {

  182.             return false;

  183.         }

  184. 

  185.         return true;

  186.     }

  187. 

  188.     /**

  189.      * Extension Parser

  190.      *

  191.      * Takes an associative array of file types and extension, e.g.,

  192.      * $Archives = [

  193.      *   '7z'     => ['7z'],

  194.      *   'bzip2'  => ['bz2', 'bzip2'],

  195.      *   'gzip'   => ['gz', 'gzip', 'tgz', 'tpz'],

  196.      *   ...

  197.      * ];

  198.      *

  199.      * Then it finds all the extensions in a torrent file list,

  200.      * organizes them by file size, and returns the heaviest match.

  201.      *

  202.      * That way, you can have, e.g., 5 GiB FASTQ sequence data in one file,

  203.      * and 100 other small files, and get the format of the actual data.

  204.      */

  205.     public function ParseExtensions($FileList, $Category, $FileTypes)

  206.     {

  207.         # Sort $Tor->file_list() output by size

  208.         $UnNested = array_values($FileList[1]);

  209.         $Sorted = (usort($UnNested, function ($a, $b) {

  210.             return $b <=> $a;

  211.         })) ? $UnNested : null;  # Ternary wrap because &uarr; returns true

  212.         

  213.         # Harvest the wheat

  214.         # todo: Entries seem duplicated here

  215.         $Heaviest = array_slice($Sorted, 0, 20);

  216.         $Matches = [];

  217. 

  218.         # Distill the file format

  219.         $FileTypes = $FileTypes[$Category];

  220.         $FileTypeNames = array_keys($FileTypes);

  221. 

  222.         foreach ($Heaviest as $Heaviest) {

  223.             # Collect the last 2 period-separated tokens

  224.             $Extensions = array_slice(explode('.', strtolower($Heaviest[1])), -2, 2);

  225.             $Matches = array_merge($Extensions);

  226. 

  227.             # todo: Reduce nesting by one level

  228.             foreach ($Matches as $Match) {

  229.                 $Match = strtolower($Match);

  230.         

  231.                 foreach ($FileTypeNames as $FileTypeName) {

  232.                     $SearchMe = [ $FileTypeName, $FileTypes[$FileTypeName] ];

  233.         

  234.                     if (in_array($Match, $SearchMe[1])) {

  235.                         return $SearchMe[0];

  236.                         break;

  237.                     }

  238.                 }

  239. 

  240.                 # Return the last element (Other or None)

  241.                 return array_key_last($FileTypes);

  242.             }

  243.         }

  244.     }

  245. 

  246. 

  247.     /**

  248.      * Make input

  249.      * https://www.w3schools.com/html/html_form_input_types.asp

  250.      *

  251.      * Generate a secure HTML input element.

  252.      * Takes $Type, $Name (also used for id), and $Classes.

  253.      * Outputs a hardened input with the requested attributes.

  254.      *

  255.      * todo: See if this could work, one ugly switch for all forms in sections/

  256.      */

  257. 

  258.     public function MakeInput($Type = 'text', $Name = '', $Classes = [])

  259.     {

  260.         if (!is_str($Type) || !is_str($Name)) {

  261.             error('$Type and $Name must be strings');

  262.         }

  263. 

  264.         # Intentionally double quoted PHP constructing $HTML

  265.         # <input type='text' id='title_jp' name='title_jp' class='one two'

  266.         $HTML  = "";

  267.         $HTML .= "<input type='$Type' id='$Name' name='$Name'";

  268.         $HTML .= (!empty($Classes)) ? " class='" . implode(' ', $Classes) . "'" : "";

  269. 

  270.         /*

  271.         'button'

  272.         'checkbox'

  273.         'color'

  274.         'date'

  275.         'datetime-local'

  276.         'email'

  277.         'file'

  278.         'hidden'

  279.         'image'

  280.         'month'

  281.         'number'

  282.         'password'

  283.         'radio'

  284.         'range'

  285.         'reset'

  286.         'search'

  287.         'submit'

  288.         'tel'

  289.         'text'

  290.         'time'

  291.         'url'

  292.         'week'

  293.         */

  294.                 

  295.         return null;

  296.     }

  297.     

  298. 

  299.     /**

  300.      * Legacy class

  301.      */

  302.     public $Fields = [];

  303.     public function SetFields($FieldName, $Required, $FieldType, $ErrorMessage, $Options = [])

  304.     {

  305.         $this->Fields[$FieldName]['Type'] = strtolower($FieldType);

  306.         $this->Fields[$FieldName]['Required'] = $Required;

  307.         $this->Fields[$FieldName]['ErrorMessage'] = $ErrorMessage;

  308. 

  309.         if (!empty($Options['maxlength'])) {

  310.             $this->Fields[$FieldName]['MaxLength'] = $Options['maxlength'];

  311.         }

  312. 

  313.         if (!empty($Options['minlength'])) {

  314.             $this->Fields[$FieldName]['MinLength'] = $Options['minlength'];

  315.         }

  316. 

  317.         if (!empty($Options['comparefield'])) {

  318.             $this->Fields[$FieldName]['CompareField'] = $Options['comparefield'];

  319.         }

  320. 

  321.         if (!empty($Options['allowperiod'])) {

  322.             $this->Fields[$FieldName]['AllowPeriod'] = $Options['allowperiod'];

  323.         }

  324. 

  325.         if (!empty($Options['allowcomma'])) {

  326.             $this->Fields[$FieldName]['AllowComma'] = $Options['allowcomma'];

  327.         }

  328. 

  329.         if (!empty($Options['inarray'])) {

  330.             $this->Fields[$FieldName]['InArray'] = $Options['inarray'];

  331.         }

  332. 

  333.         if (!empty($Options['regex'])) {

  334.             $this->Fields[$FieldName]['Regex'] = $Options['regex'];

  335.         }

  336.     }

  337. 

  338.     public function ValidateForm($ValidateArray)

  339.     {

  340.         reset($this->Fields);

  341.         foreach ($this->Fields as $FieldKey => $Field) {

  342.             $ValidateVar = $ValidateArray[$FieldKey];

  343. 

  344.             # todo: Change this to a switch statement

  345.             if ($ValidateVar !== '' || !empty($Field['Required']) || $Field['Type'] === 'date') {

  346.                 if ($Field['Type'] === 'string') {

  347.                     if (isset($Field['MaxLength'])) {

  348.                         $MaxLength = $Field['MaxLength'];

  349.                     } else {

  350.                         $MaxLength = 255;

  351.                     }

  352. 

  353.                     if (isset($Field['MinLength'])) {

  354.                         $MinLength = $Field['MinLength'];

  355.                     } else {

  356.                         $MinLength = 1;

  357.                     }

  358. 

  359.                     if (strlen($ValidateVar) > $MaxLength) {

  360.                         return $Field['ErrorMessage'];

  361.                     } elseif (strlen($ValidateVar) < $MinLength) {

  362.                         return $Field['ErrorMessage'];

  363.                     }

  364.                 } elseif ($Field['Type'] === 'number') {

  365.                     if (isset($Field['MaxLength'])) {

  366.                         $MaxLength = $Field['MaxLength'];

  367.                     } else {

  368.                         $MaxLength = '';

  369.                     }

  370. 

  371.                     if (isset($Field['MinLength'])) {

  372.                         $MinLength = $Field['MinLength'];

  373.                     } else {

  374.                         $MinLength = 0;

  375.                     }

  376. 

  377.                     $Match = '0-9';

  378.                     if (isset($Field['AllowPeriod'])) {

  379.                         $Match .= '.';

  380.                     }

  381. 

  382.                     if (isset($Field['AllowComma'])) {

  383.                         $Match .= ',';

  384.                     }

  385. 

  386.                     if (preg_match('/[^'.$Match.']/', $ValidateVar) || strlen($ValidateVar) < 1) {

  387.                         return $Field['ErrorMessage'];

  388.                     } elseif ($MaxLength !== '' && $ValidateVar > $MaxLength) {

  389.                         return $Field['ErrorMessage'].'!!';

  390.                     } elseif ($ValidateVar < $MinLength) {

  391.                         return $Field['ErrorMessage']."$MinLength";

  392.                     }

  393.                 } elseif ($Field['Type'] === 'email') {

  394.                     if (isset($Field['MaxLength'])) {

  395.                         $MaxLength = $Field['MaxLength'];

  396.                     } else {

  397.                         $MaxLength = 255;

  398.                     }

  399. 

  400.                     if (isset($Field['MinLength'])) {

  401.                         $MinLength = $Field['MinLength'];

  402.                     } else {

  403.                         $MinLength = 6;

  404.                     }

  405. 

  406.                     if (!preg_match("/^".EMAIL_REGEX."$/i", $ValidateVar)) {

  407.                         return $Field['ErrorMessage'];

  408.                     } elseif (strlen($ValidateVar) > $MaxLength) {

  409.                         return $Field['ErrorMessage'];

  410.                     } elseif (strlen($ValidateVar) < $MinLength) {

  411.                         return $Field['ErrorMessage'];

  412.                     }

  413.                 } elseif ($Field['Type'] === 'link') {

  414.                     if (isset($Field['MaxLength'])) {

  415.                         $MaxLength = $Field['MaxLength'];

  416.                     } else {

  417.                         $MaxLength = 255;

  418.                     }

  419. 

  420.                     if (isset($Field['MinLength'])) {

  421.                         $MinLength = $Field['MinLength'];

  422.                     } else {

  423.                         $MinLength = 10;

  424.                     }

  425. 

  426.                     if (!preg_match('/^'.URL_REGEX.'$/i', $ValidateVar)) {

  427.                         return $Field['ErrorMessage'];

  428.                     } elseif (strlen($ValidateVar) > $MaxLength) {

  429.                         return $Field['ErrorMessage'];

  430.                     } elseif (strlen($ValidateVar) < $MinLength) {

  431.                         return $Field['ErrorMessage'];

  432.                     }

  433.                 } elseif ($Field['Type'] === 'username') {

  434.                     if (isset($Field['MaxLength'])) {

  435.                         $MaxLength = $Field['MaxLength'];

  436.                     } else {

  437.                         $MaxLength = 20;

  438.                     }

  439.                     

  440.                     if (isset($Field['MinLength'])) {

  441.                         $MinLength = $Field['MinLength'];

  442.                     } else {

  443.                         $MinLength = 1;

  444.                     }

  445. 

  446.                     if (!preg_match(USERNAME_REGEX, $ValidateVar)) {

  447.                         return $Field['ErrorMessage'];

  448.                     } elseif (strlen($ValidateVar) > $MaxLength) {

  449.                         return $Field['ErrorMessage'];

  450.                     } elseif (strlen($ValidateVar) < $MinLength) {

  451.                         return $Field['ErrorMessage'];

  452.                     }

  453.                 } elseif ($Field['Type'] === 'checkbox') {

  454.                     if (!isset($ValidateArray[$FieldKey])) {

  455.                         return $Field['ErrorMessage'];

  456.                     }

  457.                 } elseif ($Field['Type'] === 'compare') {

  458.                     if ($ValidateArray[$Field['CompareField']] !== $ValidateVar) {

  459.                         return $Field['ErrorMessage'];

  460.                     }

  461.                 } elseif ($Field['Type'] === 'inarray') {

  462.                     if (array_search($ValidateVar, $Field['InArray']) === false) {

  463.                         return $Field['ErrorMessage'];

  464.                     }

  465.                 } elseif ($Field['Type'] === 'regex') {

  466.                     if (!preg_match($Field['Regex'], $ValidateVar)) {

  467.                         return $Field['ErrorMessage'];

  468.                     }

  469.                 }

  470.             }

  471.         } // while

  472.     } // function

  473. } // class

  474. 

  475. 

  476. /**

  477.  * File checker stub class

  478.  *

  479.  * Not technically part of the Validate class (yet).

  480.  * Useful torrent file functions such as finding disallowed characters.

  481.  * This will eventually move inside Validate for upload_handle.php.

  482.  */

  483. 

  484. $Keywords = array(

  485.   'ahashare.com', 'demonoid.com', 'demonoid.me', 'djtunes.com', 'h33t', 'housexclusive.net',

  486.   'limetorrents.com', 'mixesdb.com', 'mixfiend.blogstop', 'mixtapetorrent.blogspot',

  487.   'plixid.com', 'reggaeme.com' , 'scc.nfo', 'thepiratebay.org', 'torrentday');

  488. 

  489. function check_file($Type, $Name)

  490. {

  491.     check_name($Name);

  492.     check_extensions($Type, $Name);

  493. }

  494. 

  495. function check_name($Name)

  496. {

  497.     global $Keywords;

  498.     $NameLC = strtolower($Name);

  499. 

  500.     foreach ($Keywords as &$Value) {

  501.         if (strpos($NameLC, $Value) !== false) {

  502.             forbidden_error($Name);

  503.         }

  504.     }

  505. 

  506.     if (preg_match('/INCOMPLETE~\*/i', $Name)) {

  507.         forbidden_error($Name);

  508.     }

  509. 

  510.     /*

  511.      * These characters are invalid in NTFS on Windows systems:

  512.      *    : ? / < > \ * | "

  513.      *

  514.      * todo: Add "/" to the blacklist. This causes problems with nested dirs, apparently

  515.      * todo: Make possible preg_match($AllBlockedChars, $Name, $Matches)

  516.      *

  517.      * Only the following characters need to be escaped (see the link below):

  518.      *    \ - ^ ]

  519.      *

  520.      * http://www.php.net/manual/en/regexp.reference.character-classes.php

  521.      */

  522.     $AllBlockedChars = ' : ? < > \ * | " ';

  523.     if (preg_match('/[\\:?<>*|"]/', $Name, $Matches)) {

  524.         character_error($Matches[0], $AllBlockedChars);

  525.     }

  526. }

  527. 

  528. function check_extensions($Type, $Name)

  529. {

  530.     # todo: Make generic or subsume into Validate->ParseExtensions()

  531.     /*

  532.     if (!isset($MusicExtensions[get_file_extension($Name)])) {

  533.         invalid_error($Name);

  534.     }

  535.     */

  536. }

  537. 

  538. function get_file_extension($FileName)

  539. {

  540.     return strtolower(substr(strrchr($FileName, '.'), 1));

  541. }

  542. 

  543. /**

  544.  * Error functions

  545.  *

  546.  * Responsible for the red error messages on bad upload attemps.

  547.  * todo: Make one function, e.g., Validate->error($type)

  548.  */

  549. 

  550. function invalid_error($Name)

  551. {

  552.     global $Err;

  553.     $Err = 'The torrent contained one or more invalid files (' . display_str($Name) . ')';

  554. }

  555. 

  556. function forbidden_error($Name)

  557. {

  558.     global $Err;

  559.     $Err = 'The torrent contained one or more forbidden files (' . display_str($Name) . ')';

  560. }

  561. 

  562. function character_error($Character, $AllBlockedChars)

  563. {

  564.     global $Err;

  565.     $Err = "One or more of the files or folders in the torrent has a name that contains the forbidden character '$Character'. Please rename the files as necessary and recreate the torrent.<br /><br />\nNote: The complete list of characters that are disallowed are shown below:<br />\n\t\t$AllBlockedChars";

  566. }