michael.dollinger/mlmmj-light-web-ecg
1
0
Fork 0
forked from services/mlmmj-light-web-ecg
Code Issues Pull Requests Projects Releases Wiki Activity
Files
v1.1
mlmmj-light-web-ecg/save_list.php
Christian Süßenguth bbb3f35767 Fixed bug #5
2021-10-28 12:33:53 +02:00

217 lines
6.0 KiB
PHP
Raw Permalink Blame History

<?php
require("init.php");
function trim_array($arr)
{
// Trim each array element
$clean = array();
foreach($arr as $elem)
{
$elem = trim($elem);
if ( !empty($elem) )
{
$clean[] = $elem;
}
}
return $clean;
}
$list_name = isset( $_POST["list_name"] ) ? $_POST["list_name"] : NULL;
$prefix = isset ( $_POST["prefix"] ) ? $_POST["prefix"] : NULL;
$new_subscribers = isset ( $_POST["subscribers"] ) ? $_POST["subscribers"] : NULL;
$moderators = isset ( $_POST["moderators"] ) ? $_POST["moderators"] : NULL;
if ( !isset($_SESSION["auth"]) || $_SESSION["auth"] != 1 )
{
// If not authenticated, then redirect to login page
header("Location: login.php");
exit();
}
$domain = $_SESSION["domain"];
// We do not print any error in the next four cases, because a legitimate
// user will never produce such results, even with disabled javascript
if ( preg_match("/[^a-z0-9_-]/", $list_name) )
{
header("Location: error.php");
exit();
}
if ( strlen($list_name) > 30 )
{
header("Location: error.php");
exit();
}
// Test list existence
if( !is_dir("$lists_path/$domain/$list_name") )
{
header("Location: error.php");
exit();
}
# Check whether the user may edit this list as he owns it
if (!in_array($list_name, $_SESSION["array_lists_owned"]))
{
$_SESSION["error_code"] = 11;
header("Location: error.php");
exit;
}
if ( strlen($prefix) > 128 )
{
// Prefix must not be longer than 128 characters
$_SESSION["error_code"] = 7;
header("Location: error.php");
exit();
}
if ($new_subscribers != NULL)
{
// Subscribe new subscribers and unsubscribe who is not present in the new list of subscribers
$new_subscribers = explode("\n", $new_subscribers);
$new_subscribers = trim_array($new_subscribers);
$old_subscribers = shell_exec("/usr/bin/mlmmj-list -L $lists_path/$domain/$list_name");
$old_subscribers = explode("\n", $old_subscribers);
$old_subscribers = trim_array($old_subscribers);
foreach ($new_subscribers as $new_subscriber)
{
if ( !in_array($new_subscriber, $old_subscribers) )
{
if ( !filter_var($new_subscriber, FILTER_VALIDATE_EMAIL) )
{
// Incorrect email
$_SESSION["error_code"] = 9;
header("Location: error.php");
exit();
}
shell_exec("/usr/bin/mlmmj-sub -L $lists_path/$domain/$list_name -a $new_subscriber -fsq");
}
}
foreach ($old_subscribers as $old_subscriber)
{
if ( !in_array($old_subscriber, $new_subscribers) )
{
shell_exec("/usr/bin/mlmmj-unsub -L $lists_path/$domain/$list_name -a $old_subscriber -sq");
}
}
}
# --- SECURITY CHECK ---
# Check if someone sent a manipulated POST request
# Check whether there is a moderators file
if (file_exists("$lists_path/$domain/$list_name/control/moderators"))
{
// Get a moderators list
$moderators_check = file_get_contents("$lists_path/$domain/$list_name/control/moderators");
// Remove trailing empty symbols
$moderators_check = trim($moderators_check);
# If theres no @ inside the file it seems to be empty
if (!preg_match("/[@]/", $moderators_check))
{
$moderators = NULL;
}
}
else
{
$moderators = NULL;
}
# --- SECURITY CHECK ---
if ($moderators !== NULL)
{
# If theres an @ inside the new moderators variable it seems to be empty
if (preg_match("/[@]/", $moderators))
{
$moderators_array = explode("\n", $moderators);
$moderators_array = trim_array($moderators_array);
// Check moderators emails
foreach ($moderators_array as $moderator)
{
if ( !filter_var($moderator, FILTER_VALIDATE_EMAIL) )
{
// Incorrect email
$_SESSION["error_code"] = 10;
header("Location: error.php");
exit();
}
}
file_put_contents("$lists_path/$domain/$list_name/control/moderators", "$moderators");
}
else
{
# Someone wants to clear the moderators list which is not allowed (yet)
#$_SESSION["error_code"] = 12;
#header("Location: error.php");
#exit();
}
}
if ($prefix !== NULL)
{
file_put_contents("$lists_path/$domain/$list_name/control/prefix", "$prefix");
}
# The following code section is for audit log only
# -------------------------------------------------------------
# Check whether there is a moderators file
if (file_exists("$lists_path/$domain/$list_name/control/moderators"))
{
// Get a moderators list
$old_moderators = file_get_contents("$lists_path/$domain/$list_name/control/moderators");
// Remove trailing empty symbols
$old_moderators = trim($old_moderators);
# If theres no @ inside the file it seems to be empty
if (!preg_match("/[@]/", $old_moderators))
{
$old_moderators = NULL;
}
}
else
{
$old_moderators = NULL;
}
// Get old prefix
$old_prefix = file_get_contents("$lists_path/$domain/$list_name/control/prefix");
// Remove trailing empty symbols
$old_prefix = trim($old_prefix);
# -------------------------------------------------------------
shell_exec('curl -X POST -H \'Content-Type: application/json\' --data \'{"alias":"ECG Notification Bot","emoji":":ghost:","text":"' . $_SESSION["username"] . ' changed list ' . $list_name . '"}\' https://chat.ecogood.org/hooks/' . $rc_webhook);
$return = audit_log("save_list", "Old subscribers: " . json_encode($old_subscribers) . " - Old prefix: " . $old_prefix . " - Old moderators: " . json_encode($old_moderators));
if (!$return["success"])
{
# If debug mode is on show error message
if ($debug)
{
echo $return["message"];
}
else
{
shell_exec('curl -X POST -H \'Content-Type: application/json\' --data \'{"alias":"ECG Notification Bot","emoji":":ghost:","text":"' . $return["message"] . '"}\' https://chat.ecogood.org/hooks/' . $rc_webhook);
}
}
header("Location: edit_list.php?list_name=$list_name&success");
exit();
?>
Reference in New Issue View Git Blame Copy Permalink