Home Explore Help
Register Sign In
biotorrents
/
Gazelle
forked from Oppaitime/Gazelle
Watch 2
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 2 Wiki Activity
BioTorrents.de’s version of Gazelle
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1097 Commits
2 Branches
Tree: cfaf71c803
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'cfaf71c803'
${ noResults }
Gazelle/classes/validate.class.php

validate.class.php 18KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567 
  1. <?php

  2. #declare(strict_types=1);

  3. 

  4. /**

  5.  * Validate

  6.  * CURRENTLY UNTESTED

  7.  *

  8.  * WCD/OT Gazelle contains two functions by default:

  9.  *  - SetFields()

  10.  *  - ValidateForm()

  11.  *

  12.  * The first is responsible for initializing a number of internal variables.

  13.  * The second does the actual validation with rather hideous and clumsy logic.

  14.  *

  15.  * Bio Gazelle seeks to improve this class and centralize site validation.

  16.  * The class should serve these common and use-dependent functions:

  17.  *

  18.  *  - Ensure that no malicious data enters the DB

  19.  *   - Prevent XSS and SQL injection via $_GET and $_POST

  20.  *   - Escape all text inputs and HTML outputs

  21.  *   - Generate secure input elements and DB outputs

  22.  *   - Enforce $_POST except when $_GET is necessary (e.g., search → RSS)

  23.  *

  24.  *  - Ensure that no junk data enters the DB

  25.  *   - Enforce HTML form element limits (generated by this class)

  26.  *   - Prove that a date is valid and output DB-safe datetimes

  27.  *   - Limit acceptable input to classes/config.php constants

  28.  *   - Provide structured ways to support user data (e.g., $x Samples)

  29.  *   - Autocomplete everywhere

  30.  *   - Enforce DBKEY on all encryped input

  31.  *

  32.  *  - Some more stuff, a running list

  33.  *   - Check if a successful function returns null, e.g.,

  34.  *     php > function test() { return; }

  35.  *     php > var_dump(test());

  36.  *     NULL

  37.  *

  38.  *   - Check if a failed function returns false, e.g.,

  39.  *     php > function orwell() { return (2 + 2 === 5); }

  40.  *     php > var_dump(orwell());

  41.  *     bool(false)

  42.  *

  43.  * todo: Support form ID checks

  44.  * todo: Number and date validation

  45.  */

  46. 

  47. class Validate

  48. {

  49.     /**

  50.      * title

  51.      *

  52.      * Check if a torrent title is valid.

  53.      * If so, return the sanitized title.

  54.      * If not, return an error.

  55.      */

  56.     public function textInput($String)

  57.     {

  58.         # Previously a constant

  59.         $MinLength = 10;

  60.         $MaxLength = 255;

  61. 

  62.         # Does it exist and is it valid?

  63.         if (!$String || !is_string($String)) {

  64.             error('No or invalid $String parameter.');

  65.         }

  66. 

  67.         # Is it too long or short?

  68.         if (count($String)) {

  69.         }

  70.     }

  71. 

  72. 

  73.     /**

  74.      * Torrent errors

  75.      *

  76.      * Responsible for the red error messages on bad upload attemps.

  77.      * todo: Test $this->TorrentError() on new file checker functions

  78.      */

  79.     public function TorrentError($Suspect)

  80.     {

  81.         global $Err;

  82. 

  83.         if (!$Suspect) {

  84.             error('No error source :^)');

  85.         }

  86. 

  87.         switch (false) {

  88.             case $this->HasExtensions($Suspect, 1):

  89.                 return $Err = "The torrent has one or more files without extensions:\n" . display_str($Suspect);

  90. 

  91.             case $this->CruftFree($Suspect):

  92.                 return $Err = "The torrent has one or more junk files:\n" . display_str($Suspect);

  93. 

  94.             case $this->SafeCharacters($Suspect):

  95.                 $BadChars = $this->SafeCharacters('', true);

  96.                 return $Err = "One or more files has the forbidden characters $BadChars:\n" . display_str($Suspect);

  97.             

  98.             default:

  99.                 return;

  100.         }

  101. 

  102.         return;

  103.     }

  104. 

  105.     /**

  106.      * Check if a file has no extension and return false.

  107.      * Otherwise, return an array of the last $x extensions.

  108.      */

  109.     private function HasExtensions($FileName, $x)

  110.     {

  111.         if (!is_int($x) || $x <= 0) {

  112.             error('Requested number of extensions must be <= 0');

  113.         }

  114. 

  115.         if (!strstr('.', $FileName)) {

  116.             return false;

  117.         }

  118. 

  119.         $Extensions = array_slice(explode('.', strtolower($FileName)), -$x, $x);

  120.         return (!empty($Extensions)) ? $Extensions : false;

  121.     }

  122. 

  123.     /**

  124.      * Check if a file is junk according to a filename blacklist.

  125.      * todo: Change $Keywords into an array of regexes

  126.      */

  127.     public function CruftFree($FileName)

  128.     {

  129.         $Keywords = [

  130.             'ahashare.com',

  131.             'demonoid.com',

  132.             'demonoid.me',

  133.             'djtunes.com',

  134.             'h33t',

  135.             'housexclusive.net',

  136.             'limetorrents.com',

  137.             'mixesdb.com',

  138.             'mixfiend.blogstop',

  139.             'mixtapetorrent.blogspot',

  140.             'plixid.com',

  141.             'reggaeme.com',

  142.             'scc.nfo',

  143.             'thepiratebay.org',

  144.             'torrentday',

  145.         ];

  146.         

  147.         # $Keywords match

  148.         foreach ($Keywords as &$Value) {

  149.             if (strpos(strtolower($FileName), $Value) !== false) {

  150.                 return false;

  151.             }

  152.         }

  153.     

  154.         # Incomplete data

  155.         if (preg_match('/INCOMPLETE~\*/i', $FileName)) {

  156.             return false;

  157.         }

  158. 

  159.         return true;

  160.     }

  161.       

  162.     /**

  163.      * These characters are invalid on Windows NTFS:

  164.      *   : ? / < > \ * | "

  165.      *

  166.      * If no $FileName, return the list of bad characters.

  167.      * If $FileName contains, a bad character, return false.

  168.      * Otherwise, return true.

  169.      *

  170.      * todo: Add "/" to the blacklist. This causes problems with nested dirs, apparently

  171.      * todo: Make possible preg_match($AllBlockedChars, $Name, $Matches)

  172.      */

  173.     public function SafeCharacters($FileName, $Pretty = false)

  174.     {

  175.         $InvalidChars = ':?<>\*|"';

  176. 

  177.         if (empty($FileName)) {

  178.             return (!$Pretty) ? $InvalidChars : implode(' ', str_split($InvalidChars));

  179.         }

  180. 

  181.         # todo: Regain functionality to return the invalid character

  182.         if (preg_match(implode('\\', str_split($InvalidChars)), $Name, $Matches)) {

  183.             return false;

  184.         }

  185. 

  186.         return true;

  187.     }

  188. 

  189.     /**

  190.      * Extension Parser

  191.      *

  192.      * Takes an associative array of file types and extension, e.g.,

  193.      * $Archives = [

  194.      *   '7z'     => ['7z'],

  195.      *   'bzip2'  => ['bz2', 'bzip2'],

  196.      *   'gzip'   => ['gz', 'gzip', 'tgz', 'tpz'],

  197.      *   ...

  198.      * ];

  199.      *

  200.      * Then it finds all the extensions in a torrent file list,

  201.      * organizes them by file size, and returns the heaviest match.

  202.      *

  203.      * That way, you can have, e.g., 5 GiB FASTQ sequence data in one file,

  204.      * and 100 other small files, and get the format of the actual data.

  205.      */

  206.     public function ParseExtensions($FileList, $Category, $FileTypes)

  207.     {

  208.         # Sort $Tor->file_list() output by size

  209.         $UnNested = array_values($FileList[1]);

  210.         $Sorted = (usort($UnNested, function ($a, $b) {

  211.             return $b <=> $a;

  212.         })) ? $UnNested : null;  # Ternary wrap because &uarr; returns true

  213.         

  214.         # Harvest the wheat

  215.         # todo: Entries seem duplicated here

  216.         $Heaviest = array_slice($Sorted, 0, 20);

  217.         $Matches = [];

  218. 

  219.         # Distill the file format

  220.         $FileTypes = $FileTypes[$Category];

  221.         $FileTypeNames = array_keys($FileTypes);

  222. 

  223.         foreach ($Heaviest as $Heaviest) {

  224.             # Collect the last 2 period-separated tokens

  225.             $Extensions = array_slice(explode('.', strtolower($Heaviest[1])), -2, 2);

  226.             $Matches = array_merge($Extensions);

  227. 

  228.             # todo: Reduce nesting by one level

  229.             foreach ($Matches as $Match) {

  230.                 $Match = strtolower($Match);

  231.         

  232.                 foreach ($FileTypeNames as $FileTypeName) {

  233.                     $SearchMe = [ $FileTypeName, $FileTypes[$FileTypeName] ];

  234.         

  235.                     if (in_array($Match, $SearchMe[1])) {

  236.                         return $SearchMe[0];

  237.                         break;

  238.                     }

  239.                 }

  240. 

  241.                 # Return the last element (Other or None)

  242.                 return array_key_last($FileTypes);

  243.             }

  244.         }

  245.     }

  246. 

  247. 

  248.     /**

  249.      * Make input

  250.      * https://www.w3schools.com/html/html_form_input_types.asp

  251.      *

  252.      * Generate a secure HTML input element.

  253.      * Takes $Type, $Name (also used for id), and $Classes.

  254.      * Outputs a hardened input with the requested attributes.

  255.      *

  256.      * todo: See if this could work, one ugly switch for all forms in sections/

  257.      */

  258. 

  259.     public function MakeInput($Type = 'text', $Name = '', $Classes = [])

  260.     {

  261.         if (!is_str($Type) || !is_str($Name)) {

  262.             error('$Type and $Name must be strings');

  263.         }

  264. 

  265.         # Intentionally double quoted PHP constructing $HTML

  266.         # <input type='text' id='title_jp' name='title_jp' class='one two'

  267.         $HTML  = "";

  268.         $HTML .= "<input type='$Type' id='$Name' name='$Name'";

  269.         $HTML .= (!empty($Classes)) ? " class='" . implode(' ', $Classes) . "'" : "";

  270. 

  271.         /*

  272.         'button'

  273.         'checkbox'

  274.         'color'

  275.         'date'

  276.         'datetime-local'

  277.         'email'

  278.         'file'

  279.         'hidden'

  280.         'image'

  281.         'month'

  282.         'number'

  283.         'password'

  284.         'radio'

  285.         'range'

  286.         'reset'

  287.         'search'

  288.         'submit'

  289.         'tel'

  290.         'text'

  291.         'time'

  292.         'url'

  293.         'week'

  294.         */

  295.                 

  296.         return;

  297.     }

  298.     

  299. 

  300.     /**

  301.      * Legacy class

  302.      */

  303.     public $Fields = [];

  304.     public function SetFields($FieldName, $Required, $FieldType, $ErrorMessage, $Options = [])

  305.     {

  306.         $this->Fields[$FieldName]['Type'] = strtolower($FieldType);

  307.         $this->Fields[$FieldName]['Required'] = $Required;

  308.         $this->Fields[$FieldName]['ErrorMessage'] = $ErrorMessage;

  309. 

  310.         if (!empty($Options['maxlength'])) {

  311.             $this->Fields[$FieldName]['MaxLength'] = $Options['maxlength'];

  312.         }

  313. 

  314.         if (!empty($Options['minlength'])) {

  315.             $this->Fields[$FieldName]['MinLength'] = $Options['minlength'];

  316.         }

  317. 

  318.         if (!empty($Options['comparefield'])) {

  319.             $this->Fields[$FieldName]['CompareField'] = $Options['comparefield'];

  320.         }

  321. 

  322.         if (!empty($Options['allowperiod'])) {

  323.             $this->Fields[$FieldName]['AllowPeriod'] = $Options['allowperiod'];

  324.         }

  325. 

  326.         if (!empty($Options['allowcomma'])) {

  327.             $this->Fields[$FieldName]['AllowComma'] = $Options['allowcomma'];

  328.         }

  329. 

  330.         if (!empty($Options['inarray'])) {

  331.             $this->Fields[$FieldName]['InArray'] = $Options['inarray'];

  332.         }

  333. 

  334.         if (!empty($Options['regex'])) {

  335.             $this->Fields[$FieldName]['Regex'] = $Options['regex'];

  336.         }

  337.     }

  338. 

  339.     public function ValidateForm($ValidateArray)

  340.     {

  341.         reset($this->Fields);

  342.         foreach ($this->Fields as $FieldKey => $Field) {

  343.             $ValidateVar = $ValidateArray[$FieldKey];

  344. 

  345.             # todo: Change this to a switch statement

  346.             if ($ValidateVar !== '' || !empty($Field['Required']) || $Field['Type'] === 'date') {

  347.                 if ($Field['Type'] === 'string') {

  348.                     if (isset($Field['MaxLength'])) {

  349.                         $MaxLength = $Field['MaxLength'];

  350.                     } else {

  351.                         $MaxLength = 255;

  352.                     }

  353. 

  354.                     if (isset($Field['MinLength'])) {

  355.                         $MinLength = $Field['MinLength'];

  356.                     } else {

  357.                         $MinLength = 1;

  358.                     }

  359. 

  360.                     if (strlen($ValidateVar) > $MaxLength) {

  361.                         return $Field['ErrorMessage'];

  362.                     } elseif (strlen($ValidateVar) < $MinLength) {

  363.                         return $Field['ErrorMessage'];

  364.                     }

  365.                 } elseif ($Field['Type'] === 'number') {

  366.                     if (isset($Field['MaxLength'])) {

  367.                         $MaxLength = $Field['MaxLength'];

  368.                     } else {

  369.                         $MaxLength = '';

  370.                     }

  371. 

  372.                     if (isset($Field['MinLength'])) {

  373.                         $MinLength = $Field['MinLength'];

  374.                     } else {

  375.                         $MinLength = 0;

  376.                     }

  377. 

  378.                     $Match = '0-9';

  379.                     if (isset($Field['AllowPeriod'])) {

  380.                         $Match .= '.';

  381.                     }

  382. 

  383.                     if (isset($Field['AllowComma'])) {

  384.                         $Match .= ',';

  385.                     }

  386. 

  387.                     if (preg_match('/[^'.$Match.']/', $ValidateVar) || strlen($ValidateVar) < 1) {

  388.                         return $Field['ErrorMessage'];

  389.                     } elseif ($MaxLength !== '' && $ValidateVar > $MaxLength) {

  390.                         return $Field['ErrorMessage'].'!!';

  391.                     } elseif ($ValidateVar < $MinLength) {

  392.                         return $Field['ErrorMessage']."$MinLength";

  393.                     }

  394.                 } elseif ($Field['Type'] === 'email') {

  395.                     if (isset($Field['MaxLength'])) {

  396.                         $MaxLength = $Field['MaxLength'];

  397.                     } else {

  398.                         $MaxLength = 255;

  399.                     }

  400. 

  401.                     if (isset($Field['MinLength'])) {

  402.                         $MinLength = $Field['MinLength'];

  403.                     } else {

  404.                         $MinLength = 6;

  405.                     }

  406. 

  407.                     if (!preg_match("/^".EMAIL_REGEX."$/i", $ValidateVar)) {

  408.                         return $Field['ErrorMessage'];

  409.                     } elseif (strlen($ValidateVar) > $MaxLength) {

  410.                         return $Field['ErrorMessage'];

  411.                     } elseif (strlen($ValidateVar) < $MinLength) {

  412.                         return $Field['ErrorMessage'];

  413.                     }

  414.                 } elseif ($Field['Type'] === 'link') {

  415.                     if (isset($Field['MaxLength'])) {

  416.                         $MaxLength = $Field['MaxLength'];

  417.                     } else {

  418.                         $MaxLength = 255;

  419.                     }

  420. 

  421.                     if (isset($Field['MinLength'])) {

  422.                         $MinLength = $Field['MinLength'];

  423.                     } else {

  424.                         $MinLength = 10;

  425.                     }

  426. 

  427.                     if (!preg_match('/^'.URL_REGEX.'$/i', $ValidateVar)) {

  428.                         return $Field['ErrorMessage'];

  429.                     } elseif (strlen($ValidateVar) > $MaxLength) {

  430.                         return $Field['ErrorMessage'];

  431.                     } elseif (strlen($ValidateVar) < $MinLength) {

  432.                         return $Field['ErrorMessage'];

  433.                     }

  434.                 } elseif ($Field['Type'] === 'username') {

  435.                     if (isset($Field['MaxLength'])) {

  436.                         $MaxLength = $Field['MaxLength'];

  437.                     } else {

  438.                         $MaxLength = 20;

  439.                     }

  440.                     

  441.                     if (isset($Field['MinLength'])) {

  442.                         $MinLength = $Field['MinLength'];

  443.                     } else {

  444.                         $MinLength = 1;

  445.                     }

  446. 

  447.                     if (!preg_match(USERNAME_REGEX, $ValidateVar)) {

  448.                         return $Field['ErrorMessage'];

  449.                     } elseif (strlen($ValidateVar) > $MaxLength) {

  450.                         return $Field['ErrorMessage'];

  451.                     } elseif (strlen($ValidateVar) < $MinLength) {

  452.                         return $Field['ErrorMessage'];

  453.                     }

  454.                 } elseif ($Field['Type'] === 'checkbox') {

  455.                     if (!isset($ValidateArray[$FieldKey])) {

  456.                         return $Field['ErrorMessage'];

  457.                     }

  458.                 } elseif ($Field['Type'] === 'compare') {

  459.                     if ($ValidateArray[$Field['CompareField']] !== $ValidateVar) {

  460.                         return $Field['ErrorMessage'];

  461.                     }

  462.                 } elseif ($Field['Type'] === 'inarray') {

  463.                     if (array_search($ValidateVar, $Field['InArray']) === false) {

  464.                         return $Field['ErrorMessage'];

  465.                     }

  466.                 } elseif ($Field['Type'] === 'regex') {

  467.                     if (!preg_match($Field['Regex'], $ValidateVar)) {

  468.                         return $Field['ErrorMessage'];

  469.                     }

  470.                 }

  471.             }

  472.         } // while

  473.     } // function

  474. } // class

  475. 

  476. 

  477. /**

  478.  * File checker stub class

  479.  *

  480.  * Not technically part of the Validate class (yet).

  481.  * Useful torrent file functions such as finding disallowed characters.

  482.  * This will eventually move inside Validate for upload_handle.php.

  483.  */

  484. 

  485. $Keywords = array(

  486.   'ahashare.com', 'demonoid.com', 'demonoid.me', 'djtunes.com', 'h33t', 'housexclusive.net',

  487.   'limetorrents.com', 'mixesdb.com', 'mixfiend.blogstop', 'mixtapetorrent.blogspot',

  488.   'plixid.com', 'reggaeme.com' , 'scc.nfo', 'thepiratebay.org', 'torrentday');

  489. 

  490. function check_file($Type, $Name)

  491. {

  492.     check_name($Name);

  493.     check_extensions($Type, $Name);

  494. }

  495. 

  496. function check_name($Name)

  497. {

  498.     global $Keywords;

  499.     $NameLC = strtolower($Name);

  500. 

  501.     foreach ($Keywords as &$Value) {

  502.         if (strpos($NameLC, $Value) !== false) {

  503.             forbidden_error($Name);

  504.         }

  505.     }

  506. 

  507.     if (preg_match('/INCOMPLETE~\*/i', $Name)) {

  508.         forbidden_error($Name);

  509.     }

  510. 

  511.     /*

  512.      * These characters are invalid in NTFS on Windows systems:

  513.      *    : ? / < > \ * | "

  514.      *

  515.      * todo: Add "/" to the blacklist. This causes problems with nested dirs, apparently

  516.      * todo: Make possible preg_match($AllBlockedChars, $Name, $Matches)

  517.      *

  518.      * Only the following characters need to be escaped (see the link below):

  519.      *    \ - ^ ]

  520.      *

  521.      * http://www.php.net/manual/en/regexp.reference.character-classes.php

  522.      */

  523.     $AllBlockedChars = ' : ? < > \ * | " ';

  524.     if (preg_match('/[\\:?<>*|"]/', $Name, $Matches)) {

  525.         character_error($Matches[0], $AllBlockedChars);

  526.     }

  527. }

  528. 

  529. function check_extensions($Type, $Name)

  530. {

  531.     # todo: Make generic or subsume into Validate->ParseExtensions()

  532.     /*

  533.     if (!isset($MusicExtensions[get_file_extension($Name)])) {

  534.         invalid_error($Name);

  535.     }

  536.     */

  537. }

  538. 

  539. function get_file_extension($FileName)

  540. {

  541.     return strtolower(substr(strrchr($FileName, '.'), 1));

  542. }

  543. 

  544. /**

  545.  * Error functions

  546.  *

  547.  * Responsible for the red error messages on bad upload attemps.

  548.  * todo: Make one function, e.g., Validate->error($type)

  549.  */

  550. 

  551. function invalid_error($Name)

  552. {

  553.     global $Err;

  554.     $Err = 'The torrent contained one or more invalid files (' . display_str($Name) . ')';

  555. }

  556. 

  557. function forbidden_error($Name)

  558. {

  559.     global $Err;

  560.     $Err = 'The torrent contained one or more forbidden files (' . display_str($Name) . ')';

  561. }

  562. 

  563. function character_error($Character, $AllBlockedChars)

  564. {

  565.     global $Err;

  566.     $Err = "One or more of the files or folders in the torrent has a name that contains the forbidden character '$Character'. Please rename the files as necessary and recreate the torrent.<br /><br />\nNote: The complete list of characters that are disallowed are shown below:<br />\n\t\t$AllBlockedChars";

  567. }