fixed arbitrary file read and XSS vulnerabilities, fixed some issues with settings

2025-04-29 14:09:27 -04:00 · 2022-05-15 10:34:46 +02:00 · 2022-05-15 10:34:46 +02:00 · 61240bcd79
commit 61240bcd79
parent e9652789f5
14 changed files with 70 additions and 59 deletions
--- a/config.php.example
+++ b/config.php.example
@ -39,9 +39,13 @@
            // CURLOPT_PROXYTYPE => CURLPROXY_HTTP,
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_ENCODING => "",
-            CURLOPT_USERAGENT => "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Safari/537.36",
+            CURLOPT_USERAGENT => "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.67 Safari/537.36",
            CURLOPT_IPRESOLVE => CURL_IPRESOLVE_V4,
            CURLOPT_CUSTOMREQUEST => "GET",
+            CURLOPT_PROTOCOLS => CURLPROTO_HTTPS | CURLPROTO_HTTP,
+            CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS | CURLPROTO_HTTP,
+            CURLOPT_MAXREDIRS => 5,
+            CURLOPT_TIMEOUT => 8,
            CURLOPT_VERBOSE => false
        )

--- a/engines/bittorrent/nyaa.php
+++ b/engines/bittorrent/nyaa.php
@ -20,11 +20,11 @@

            array_push($results, 
                array (
-                    "name" => $name,
+                    "name" => htmlspecialchars($name),
                    "seeders" => (int) $seeders,
                    "leechers" => (int) $leechers,
-                    "magnet" => $magnet,
-                    "size" => $size,
+                    "magnet" => htmlspecialchars($magnet),
+                    "size" => htmlspecialchars($size),
                    "source" => "nyaa.si"
                )
            );
--- a/engines/bittorrent/rutor.php
+++ b/engines/bittorrent/rutor.php
@ -21,11 +21,11 @@

            array_push($results, 
                array (
-                    "name" => $name,
+                    "name" => htmlspecialchars($name),
                    "seeders" => (int) remove_special($seeders),
                    "leechers" => (int) remove_special($leechers),
-                    "magnet" => $magnet,
-                    "size" => $size,
+                    "magnet" => htmlspecialchars($magnet),
+                    "size" => htmlspecialchars($size),
                    "source" => "rutor.info"
                )
            );
--- a/engines/bittorrent/thepiratebay.php
+++ b/engines/bittorrent/thepiratebay.php
@ -24,11 +24,11 @@

            array_push($results, 
                array (
-                    "size" => $size,
-                    "name" => $name,
-                    "seeders" => $seeders,
-                    "leechers" => $leechers,
-                    "magnet" => $magnet,
+                    "size" => htmlspecialchars($size),
+                    "name" => htmlspecialchars($name),
+                    "seeders" => htmlspecialchars($seeders),
+                    "leechers" => htmlspecialchars($leechers),
+                    "magnet" => htmlspecialchars($magnet),
                    "source" => "thepiratebay.org"
                )
            );
--- a/engines/bittorrent/torrentgalaxy.php
+++ b/engines/bittorrent/torrentgalaxy.php
@ -19,11 +19,11 @@

            array_push($results, 
                array (
-                    "name" => $name,
+                    "name" => htmlspecialchars($name),
                    "seeders" => (int) $seeders,
                    "leechers" => (int) $leechers,
-                    "magnet" => $magnet,
-                    "size" => $size,
+                    "magnet" => htmlspecialchars($magnet),
+                    "size" => htmlspecialchars($size),
                    "source" => "torrentgalaxy.to"
                )
            );
--- a/engines/bittorrent/yts.php
+++ b/engines/bittorrent/yts.php
@ -26,11 +26,11 @@

                        array_push($results, 
                        array (
-                            "size" => $size,
-                            "name" => $name,
-                            "seeders" => $seeders,
-                            "leechers" => $leechers,
-                            "magnet" => $magnet,
+                            "size" => htmlspecialchars($size),
+                            "name" => htmlspecialchars($name),
+                            "seeders" => htmlspecialchars($seeders),
+                            "leechers" => htmlspecialchars($leechers),
+                            "magnet" => htmlspecialchars($magnet),
                            "source" => "yts.mx"
                        )
                    );
--- a/engines/special/currency.php
+++ b/engines/special/currency.php
@ -22,7 +22,7 @@
            $source = "https://moneyconvert.net/";
            return array(
                "special_response" => array(
-                    "response" => $formatted_response,
+                    "response" => htmlspecialchars($formatted_response),
                    "source" => $source
                )
            );
--- a/engines/special/definition.php
+++ b/engines/special/definition.php
@ -14,7 +14,7 @@
                $source = "https://dictionaryapi.dev";
                return array(
                    "special_response" => array(
-                        "response" => $definition,
+                        "response" => htmlspecialchars($definition),
                        "source" => $source
                    )
                );
--- a/engines/special/wikipedia.php
+++ b/engines/special/wikipedia.php
@ -14,7 +14,7 @@
            $source = check_for_privacy_frontend("https://wikipedia.org/wiki/$query");
            $response = array(
                "special_response" => array(
-                    "response" => $description,
+                    "response" => htmlspecialchars($description),
                    "source" => $source
                )
            );
--- a/misc/header.php
+++ b/misc/header.php
@ -11,7 +11,7 @@
        <link rel="stylesheet" type="text/css" href="<?php
                echo "static/css/";
                if (isset($_COOKIE["theme"]) || isset($_REQUEST["theme"]))
-                    echo (isset($_COOKIE["theme"]) ? $_COOKIE["theme"] : $_REQUEST["theme"]) . ".css";
+                    echo htmlspecialchars((isset($_COOKIE["theme"]) ? $_COOKIE["theme"] : $_REQUEST["theme"]) . ".css");
                else
                echo "dark.css";
        ?>"/>
--- a/search.php
+++ b/search.php
@ -7,7 +7,7 @@
            <a href="./"><img class="logo" src="static/images/librex.png" alt="librex logo"></a>
            <input type="text" name="q" 
                <?php
-                    $query = trim($_REQUEST["q"]);
+                    $query = htmlspecialchars(trim($_REQUEST["q"]));
                    $query_encoded = urlencode($query);

                    if (1 > strlen($query) || strlen($query) > 256)
--- a/settings.php
+++ b/settings.php
@ -1,18 +1,34 @@
-
 <?php
-                require "misc/header.php";
                $config = require "config.php";
                
+                
+                if (isset($_REQUEST["save"]) || isset($_REQUEST["reset"]))
+                {
+                    if (isset($_SERVER["HTTP_COOKIE"])) 
+                    {
+                            $cookies = explode(";", $_SERVER["HTTP_COOKIE"]);
+                            foreach($cookies as $cookie) 
+                            {
+                                $parts = explode("=", $cookie);
+                                $name = trim($parts[0]);
+                                setcookie($name, "", time() - 1000);
+                            }
+                    }
+                    
+                } 
+                
                function better_setcookie($name)
                {
                    if (!empty($_REQUEST[$name]))
-                        setcookie($name, $_REQUEST[$name], time() + (86400 * 90));
-                    else if (isset($_COOKIE[$name]))
-                        setcookie($name, "", time() - 1000); 
+                    {
+                        setcookie($name, $_REQUEST[$name], time() + (86400 * 90), '/');
+                        $_COOKIE[$name] = $_REQUEST[$name];
+                    }
                }
                
                if (isset($_REQUEST["save"]))
                {
+                
                    better_setcookie("theme");
                    
                    better_setcookie("disable_special");
@ -23,25 +39,16 @@
                    better_setcookie("libreddit");
                    better_setcookie("proxitok");
                    better_setcookie("wikiless");
-                    
-                    header("Location: ./settings.php");
-                    die();
                }
-                else if (isset($_REQUEST["reset"]))
+               
+                if (isset($_REQUEST["save"]) || isset($_REQUEST["reset"]))
                {
-                    if (isset($_SERVER["HTTP_COOKIE"])) {
-                        $cookies = explode(";", $_SERVER["HTTP_COOKIE"]);
-                        foreach($cookies as $cookie) {
-                            $parts = explode("=", $cookie);
-                            $name = trim($parts[0]);
-                            setcookie($name, "", time() - 1000);
-                        }
-
                    header("Location: ./settings.php");
                    die();
                }
-                }
-            ?>
+                
+                require "misc/header.php";
+?>

    <title>LibreX - Settings</title>
    </head>