TALOS Security Advisory for WWBN (TALOS-2022-1551, TALOS-2022-1550, TALOS-2022-1549, TALOS-2022-1548, TALOS-2022-1547, TALOS-2022-1546, TALOS-2022-1545, TALOS-2022-1542, TALOS-2022-1540 - TALOS-2022-1534)
Should all be good now
This commit is contained in:
parent
68328cdd42
commit
21fed6e0b7
36 changed files with 3221 additions and 3091 deletions
|
@ -4,7 +4,7 @@ if (file_exists("../videos/configuration.php")) {
|
|||
exit;
|
||||
}
|
||||
|
||||
$installationVersion = "11.8";
|
||||
$installationVersion = "12.0";
|
||||
|
||||
error_log("Installation: ".__LINE__." ". json_encode($_POST));
|
||||
header('Content-Type: application/json');
|
||||
|
|
|
@ -8,7 +8,7 @@ if (!isCommandLineInterface()) {
|
|||
|
||||
AVideoPlugin::loadPlugin("Live");
|
||||
|
||||
$channelName = $global['mysqli']->real_escape_string($channelName);
|
||||
$channelName = ($channelName);
|
||||
$sql = "SELECT lt.*, u.* FROM users u LEFT JOIN live_transmitions lt ON users_id = u.id "
|
||||
. " WHERE canStream = 1 AND status = 'a' ORDER BY public DESC LIMIT 20";
|
||||
$res = sqlDAL::readSql($sql);
|
||||
|
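Review bot: `$channelName = ($channelName);` is a no-op left behind by dropping `real_escape_string()`, and the SELECT visible below it does not reference `$channelName`, so whether the value is still concatenated into SQL further down this function (which continues outside the hunk) cannot be confirmed here. If it is, removing the escape without binding is a regression; the `sqlDAL::readSql($sql, $formats, $values)` path this commit uses elsewhere is the right replacement, e.g. `sqlDAL::readSql($sql, 's', [$channelName])`. The same dead `$x = ($x);` assignment is left in Comment::save, Plugin::deleteByUUID/deleteByName/save, VideoStatistic::save, AD_Overlay_Code and the CampaignLocations setters; delete the dead lines and confirm each consumer binds rather than concatenates.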
|
|
@ -3,7 +3,6 @@ interface ObjectInterface
|
|||
{
|
||||
public static function getTableName();
|
||||
|
||||
public static function getSearchFieldsNames();
|
||||
}
|
||||
|
||||
$tableExists = [];
|
||||
|
@ -20,7 +19,11 @@ abstract class ObjectYPT implements ObjectInterface
|
|||
}
|
||||
}
|
||||
|
||||
protected function load($id)
|
||||
public static function getSearchFieldsNames(){
|
||||
return array();
|
||||
}
|
||||
|
||||
public function load($id)
|
||||
{
|
||||
$row = self::getFromDb($id);
|
||||
if (empty($row)) {
|
||||
|
@ -165,8 +168,8 @@ abstract class ObjectYPT implements ObjectInterface
|
|||
if (!empty($_POST['sort'])) {
|
||||
$orderBy = [];
|
||||
foreach ($_POST['sort'] as $key => $value) {
|
||||
$key = $global['mysqli']->real_escape_string($key);
|
||||
//$value = $global['mysqli']->real_escape_string($value);
|
||||
$key = ($key);
|
||||
//$value = ($value);
|
||||
$direction = "ASC";
|
||||
if (strtoupper($value) === "DESC") {
|
||||
$direction = "DESC";
|
||||
|
@ -253,7 +256,7 @@ abstract class ObjectYPT implements ObjectInterface
|
|||
}
|
||||
if (!empty($_GET['q'])) {
|
||||
global $global;
|
||||
$search = $global['mysqli']->real_escape_string(xss_esc($_GET['q']));
|
||||
$search = (xss_esc($_GET['q']));
|
||||
|
||||
$like = [];
|
||||
$searchFields = static::getSearchFieldsNames();
|
||||
|
@ -287,10 +290,13 @@ abstract class ObjectYPT implements ObjectInterface
|
|||
}
|
||||
global $global;
|
||||
$fieldsName = $this->getAllFields();
|
||||
$formats = '';
|
||||
$values = array();
|
||||
if (!empty($this->id)) {
|
||||
$sql = "UPDATE " . static::getTableName() . " SET ";
|
||||
$fields = [];
|
||||
foreach ($fieldsName as $value) {
|
||||
//$escapedValue = $global['mysqli']->real_escape_string($this->$value);
|
||||
if (strtolower($value) == 'created') {
|
||||
// do nothing
|
||||
} elseif (strtolower($value) == 'modified') {
|
||||
|
@ -299,17 +305,21 @@ abstract class ObjectYPT implements ObjectInterface
|
|||
if (empty($this->$value)) {
|
||||
$this->$value = date_default_timezone_get();
|
||||
}
|
||||
$fields[] = " `{$value}` = '{$this->$value}' ";
|
||||
} elseif (is_numeric($this->$value)) {
|
||||
$fields[] = " `{$value}` = {$this->$value} ";
|
||||
$formats .= 's';
|
||||
$values[] = $this->$value;
|
||||
$fields[] = " `{$value}` = ? ";
|
||||
} elseif (!isset($this->$value) || strtolower($this->$value) == 'null') {
|
||||
$fields[] = " `{$value}` = NULL ";
|
||||
} else {
|
||||
$fields[] = " `{$value}` = '{$this->$value}' ";
|
||||
$formats .= 's';
|
||||
$values[] = $this->$value;
|
||||
$fields[] = " `{$value}` = ? ";
|
||||
}
|
||||
}
|
||||
$sql .= implode(", ", $fields);
|
||||
$sql .= " WHERE id = {$this->id}";
|
||||
$formats .= 'i';
|
||||
$values[] = $this->id;
|
||||
$sql .= " WHERE id = ?";
|
||||
} else {
|
||||
$sql = "INSERT INTO " . static::getTableName() . " ( ";
|
||||
$sql .= "`" . implode("`,`", $fieldsName) . "` )";
|
||||
|
@ -321,20 +331,25 @@ abstract class ObjectYPT implements ObjectInterface
|
|||
if (empty($this->$value)) {
|
||||
$this->$value = date_default_timezone_get();
|
||||
}
|
||||
$fields[] = " '{$this->$value}' ";
|
||||
$formats .= 's';
|
||||
$values[] = $this->$value;
|
||||
$fields[] = " ? ";
|
||||
} elseif (!isset($this->$value) || (is_string($this->$value) && strtolower($this->$value) == 'null')) {
|
||||
$fields[] = " NULL ";
|
||||
} elseif (is_string($this->$value) || is_numeric($this->$value)) {
|
||||
$fields[] = " '{$this->$value}' ";
|
||||
$formats .= 's';
|
||||
$values[] = $this->$value;
|
||||
$fields[] = " ? ";
|
||||
} else {
|
||||
$fields[] = " NULL ";
|
||||
}
|
||||
}
|
||||
$sql .= " VALUES (" . implode(", ", $fields) . ")";
|
||||
}
|
||||
//if(static::getTableName() == 'Scheduler_commands'){ echo $sql;var_dump($this->parameters);exit;}
|
||||
//echo $sql;var_dump($this->parameters);exit;
|
||||
$insert_row = sqlDAL::writeSql($sql);
|
||||
//var_dump(static::getTableName(), $sql, $values);
|
||||
//if(static::getTableName() == 'videos'){ echo $sql;var_dump($values);exit;}return false;
|
||||
//echo $sql;var_dump($values);exit;
|
||||
$insert_row = sqlDAL::writeSql($sql, $formats, $values);
|
||||
|
||||
if ($insert_row) {
|
||||
if (empty($this->id)) {
|
||||
|
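Review bot: In the `$_POST['sort']` loop, `$key = ($key);` drops `real_escape_string()` from a column name taken from the request, and nothing in the hunk replaces it with a validation step; an ORDER BY identifier cannot be bound as a parameter, so it needs an allow-list rather than escaping. Compare `$key` against the class's declared field names before it reaches `$orderBy`, or at minimum `if (!preg_match('/^[A-Za-z0-9_.]+$/', $key)) { continue; }`; the ORDER BY assembly itself is outside the hunk, so treat the impact as hedged. Separately, `save()` now binds values but still interpolates `{$value}` column names from `getAllFields()` inside backticks, which is acceptable only while those names come from declared properties and never from input; a comment such as `// column names come from the class's declared properties, never from request data; only values are bound` would record that invariant.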
|
|
@ -58,7 +58,7 @@ class BootGrid
|
|||
|
||||
if (!empty($_POST['searchPhrase'])) {
|
||||
global $global;
|
||||
$search = $global['mysqli']->real_escape_string(xss_esc($_POST['searchPhrase']));
|
||||
$search = (xss_esc($_POST['searchPhrase']));
|
||||
$search = str_replace('"', '"', $search);
|
||||
$like = [];
|
||||
foreach ($searchFieldsNames as $value) {
|
||||
|
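Review bot: `$search = (xss_esc($_POST['searchPhrase']));` substitutes an HTML-context escaper for the SQL escaper; `htmlspecialchars` entity-encodes quotes but leaves backslashes intact, so the result is not a safe MySQL string literal. Since `$like` is built from `$search` (the loop starts at the end of the hunk and continues outside it), the LIKE clauses should use `?` placeholders and pass `$search` through the `$formats`/`$values` path this commit adds to `sqlDAL`, e.g. `$like[] = " {$value} LIKE ? "; $formats .= 's'; $values[] = "%{$search}%";`, assuming those arrays are threaded to the `readSql` call. The same applies to `Video::getFullTextSearch` and the `$_GET['q']` branch of ObjectYPT.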
|
|
@ -98,7 +98,7 @@ class Category {
|
|||
}
|
||||
}
|
||||
|
||||
private function load($id) {
|
||||
public function load($id) {
|
||||
$row = self::getCategory($id);
|
||||
if (empty($row)) {
|
||||
return false;
|
||||
|
|
|
@ -60,7 +60,7 @@ class Comment
|
|||
return $this->videos_id;
|
||||
}
|
||||
|
||||
private function load($id)
|
||||
public function load($id)
|
||||
{
|
||||
$row = $this->getComment($id);
|
||||
if (empty($row)) {
|
||||
|
@ -80,7 +80,7 @@ class Comment
|
|||
die('{"error":"'.__("Permission denied").'"}');
|
||||
}
|
||||
//$this->comment = htmlentities($this->comment);
|
||||
$this->comment = $global['mysqli']->real_escape_string($this->comment);
|
||||
$this->comment = ($this->comment);
|
||||
|
||||
if (empty($this->comment)) {
|
||||
return false;
|
||||
|
|
|
@ -40,7 +40,7 @@ class CommentsLike
|
|||
$this->like = $like;
|
||||
}
|
||||
|
||||
private function load()
|
||||
public function load()
|
||||
{
|
||||
$like = $this->getLike();
|
||||
if (empty($like)) {
|
||||
|
|
|
@ -5,42 +5,42 @@ if (!isset($global['systemRootPath'])) {
|
|||
}
|
||||
require_once $global['systemRootPath'] . 'objects/user.php';
|
||||
require_once $global['systemRootPath'] . 'objects/functions.php';
|
||||
require_once $global['systemRootPath'] . 'objects/Object.php';
|
||||
|
||||
class Configuration
|
||||
{
|
||||
private $id;
|
||||
private $video_resolution;
|
||||
private $webSiteTitle;
|
||||
private $language;
|
||||
private $contactEmail;
|
||||
private $users_id;
|
||||
private $version;
|
||||
private $authCanUploadVideos;
|
||||
private $authCanViewChart;
|
||||
private $authCanComment;
|
||||
private $head;
|
||||
private $logo;
|
||||
private $logo_small;
|
||||
private $adsense;
|
||||
private $mode;
|
||||
class Configuration extends ObjectYPT{
|
||||
protected $id;
|
||||
protected $video_resolution;
|
||||
protected $webSiteTitle;
|
||||
protected $language;
|
||||
protected $contactEmail;
|
||||
protected $users_id;
|
||||
protected $version;
|
||||
protected $authCanUploadVideos;
|
||||
protected $authCanViewChart;
|
||||
protected $authCanComment;
|
||||
protected $head;
|
||||
protected $logo;
|
||||
protected $logo_small;
|
||||
protected $adsense;
|
||||
protected $mode;
|
||||
// version 2.7
|
||||
private $disable_analytics;
|
||||
private $disable_youtubeupload;
|
||||
private $allow_download;
|
||||
private $session_timeout;
|
||||
private $autoplay;
|
||||
protected $disable_analytics;
|
||||
protected $disable_youtubeupload;
|
||||
protected $allow_download;
|
||||
protected $session_timeout;
|
||||
protected $autoplay;
|
||||
// version 3.1
|
||||
private $theme;
|
||||
protected $theme;
|
||||
//version 3.3
|
||||
private $smtp;
|
||||
private $smtpAuth;
|
||||
private $smtpSecure;
|
||||
private $smtpHost;
|
||||
private $smtpUsername;
|
||||
private $smtpPassword;
|
||||
private $smtpPort;
|
||||
protected $smtp;
|
||||
protected $smtpAuth;
|
||||
protected $smtpSecure;
|
||||
protected $smtpHost;
|
||||
protected $smtpUsername;
|
||||
protected $smtpPassword;
|
||||
protected $smtpPort;
|
||||
// version 4
|
||||
private $encoderURL;
|
||||
protected $encoderURL;
|
||||
|
||||
public function __construct($video_resolution = "")
|
||||
{
|
||||
|
@ -50,29 +50,13 @@ class Configuration
|
|||
}
|
||||
}
|
||||
|
||||
public function load()
|
||||
public function load($id='')
|
||||
{
|
||||
global $global;
|
||||
_mysql_connect();
|
||||
$sql = "SELECT * FROM configurations WHERE id = 1 LIMIT 1";
|
||||
//echo $sql;exit;
|
||||
// add true because I was not getting the SMTP configuration on function setSiteSendMessage(&$mail)
|
||||
$res = sqlDAL::readSql($sql, '', [], true);
|
||||
$result = sqlDAL::fetchAssoc($res);
|
||||
sqlDAL::close($res);
|
||||
if ($res && !empty($result)) {
|
||||
$config = $result;
|
||||
//var_dump($config);exit;
|
||||
foreach ($config as $key => $value) {
|
||||
$this->$key = $value;
|
||||
}
|
||||
} else {
|
||||
return false;
|
||||
}
|
||||
return parent::load(1);
|
||||
}
|
||||
|
||||
public function save()
|
||||
{
|
||||
public function save(){
|
||||
global $global;
|
||||
if (!User::isAdmin()) {
|
||||
header('Content-Type: application/json');
|
||||
|
@ -82,38 +66,7 @@ class Configuration
|
|||
|
||||
ObjectYPT::deleteCache("getEncoderURL");
|
||||
|
||||
$sql = "UPDATE configurations SET "
|
||||
. "video_resolution = '{$this->video_resolution}',"
|
||||
. "webSiteTitle = '{$this->webSiteTitle}',"
|
||||
. "language = '{$this->language}',"
|
||||
. "contactEmail = '{$this->contactEmail}',"
|
||||
. "users_id = '{$this->users_id}', "
|
||||
. "authCanUploadVideos = '{$this->authCanUploadVideos}',"
|
||||
. "authCanViewChart = '{$this->authCanViewChart}',"
|
||||
. "authCanComment = '{$this->authCanComment}',"
|
||||
. "encoderURL = '{$global['mysqli']->real_escape_string($this->_getEncoderURL())}',"
|
||||
. "head = '{$global['mysqli']->real_escape_string($this->getHead())}',"
|
||||
. "adsense = '{$global['mysqli']->real_escape_string($this->getAdsense())}',"
|
||||
. "mode = '{$this->getMode()}',"
|
||||
. "logo = '{$global['mysqli']->real_escape_string($this->getLogo())}',"
|
||||
. "logo_small = '{$global['mysqli']->real_escape_string($this->getLogo_small())}',"
|
||||
. "disable_analytics = '{$this->getDisable_analytics()}',"
|
||||
. "disable_youtubeupload = '{$this->getDisable_youtubeupload()}',"
|
||||
. "allow_download = '{$this->getAllow_download()}',"
|
||||
. "session_timeout = '{$this->getSession_timeout()}',"
|
||||
. "autoplay = '{$this->getAutoplay()}',"
|
||||
. "theme = '{$global['mysqli']->real_escape_string($this->getTheme())}',"
|
||||
. "smtp = '{$this->getSmtp()}',"
|
||||
. "smtpAuth = '{$this->getSmtpAuth()}',"
|
||||
. "smtpSecure = '{$global['mysqli']->real_escape_string($this->getSmtpSecure())}',"
|
||||
. "smtpHost = '{$global['mysqli']->real_escape_string($this->getSmtpHost())}',"
|
||||
. "smtpUsername = '{$global['mysqli']->real_escape_string($this->getSmtpUsername())}',"
|
||||
. "smtpPort = '{$global['mysqli']->real_escape_string($this->getSmtpPort())}',"
|
||||
. "smtpPassword = '{$global['mysqli']->real_escape_string($this->getSmtpPassword())}'"
|
||||
. " WHERE id = 1";
|
||||
|
||||
|
||||
return sqlDAL::writeSql($sql);
|
||||
return parent::save();
|
||||
}
|
||||
|
||||
public function getVideo_resolution()
|
||||
|
@ -624,4 +577,9 @@ require_once \$global['systemRootPath'].'objects/include_config.php';
|
|||
}
|
||||
return " " . PAGE_TITLE_SEPARATOR . " ";
|
||||
}
|
||||
|
||||
public static function getTableName() {
|
||||
return 'configurations';
|
||||
}
|
||||
|
||||
}
|
||||
|
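Review bot: `load($id='')` accepts an id but `return parent::load(1);` ignores it, which a caller of the inherited signature will not expect; document the single-row contract, e.g. `// configurations holds exactly one row (id 1); $id exists only to satisfy ObjectYPT::load()`. Also, the old `save()` wrote `head`, `adsense`, `logo`, `encoderURL` etc. through getters such as `$this->getHead()` and `$this->_getEncoderURL()`, whereas `parent::save()` binds the raw properties; if any of those getters transform the value (the `_getEncoderURL` name suggests it may), the stored value changes with this commit — confirm against the getters, which are outside the hunk.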
|
|
@ -24,6 +24,14 @@ if (!function_exists('xss_esc')) {
|
|||
if (empty($text)) {
|
||||
return "";
|
||||
}
|
||||
if(!is_string($text)){
|
||||
if(is_array($text)){
|
||||
foreach ($text as $key => $value) {
|
||||
$text[$key] = xss_esc($value);
|
||||
}
|
||||
}
|
||||
return $text;
|
||||
}
|
||||
$result = @htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
|
||||
if (empty($result)) {
|
||||
$result = str_replace(['"', "'", "\\"], ["", "", ""], strip_tags($text));
|
||||
|
@ -2000,7 +2008,7 @@ function unzipDirectory($filename, $destination) {
|
|||
sleep(2);
|
||||
ini_set('memory_limit', '-1');
|
||||
ini_set('max_execution_time', 7200); // 2 hours
|
||||
$filename = escapeshellarg($filename);
|
||||
$filename = escapeshellarg(safeString($filename,true));
|
||||
$destination = escapeshellarg($destination);
|
||||
$cmd = "unzip -: {$filename} -d {$destination}" . " 2>&1";
|
||||
_error_log("unzipDirectory: {$cmd}");
|
||||
|
@ -2414,6 +2422,7 @@ function isValidM3U8Link($url, $timeout = 3) {
|
|||
function url_get_contents($url, $ctx = "", $timeout = 0, $debug = false) {
|
||||
global $global, $mysqlHost, $mysqlUser, $mysqlPass, $mysqlDatabase, $mysqlPort;
|
||||
if (!isValidURLOrPath($url)) {
|
||||
_error_log('url_get_contents Cannot download '.$url);
|
||||
return false;
|
||||
}
|
||||
if ($debug) {
|
||||
|
@ -3398,6 +3407,7 @@ function rrmdir($dir) {
|
|||
|
||||
function rrmdirCommandLine($dir, $async = false) {
|
||||
if (is_dir($dir)) {
|
||||
$dir = escapeshellarg($dir);
|
||||
if (isWindows()) {
|
||||
$command = ('rd /s /q ' . $dir);
|
||||
} else {
|
||||
|
@ -5010,12 +5020,13 @@ function isValidURLOrPath($str, $insideCacheOrTmpDirOnly = true) {
|
|||
}
|
||||
if (str_starts_with($str, '/') || str_starts_with($str, '../') || preg_match("/^[a-z]:.*/i", $str)) {
|
||||
if ($insideCacheOrTmpDirOnly) {
|
||||
$vroot = realpath($str);
|
||||
$ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
|
||||
$absolutePath = realpath($str);
|
||||
$ext = strtolower(pathinfo($absolutePath, PATHINFO_EXTENSION));
|
||||
if ($ext == 'php') {
|
||||
return false;
|
||||
}
|
||||
if (str_starts_with($vroot, getTmpDir()) || str_starts_with($vroot, $global['systemRootPath'])) {
|
||||
$cacheDir = "{$global['systemRootPath']}videos/cache/";
|
||||
if (str_starts_with($absolutePath, getTmpDir()) || str_starts_with($absolutePath, $cacheDir)) {
|
||||
return true;
|
||||
}
|
||||
} else {
|
||||
|
@ -5181,7 +5192,7 @@ function reloadSearchVar() {
|
|||
}
|
||||
|
||||
function wget($url, $filename, $debug = false) {
|
||||
if (empty($url) || $url == "php://input" || !preg_match("/^http/", $url)) {
|
||||
if (empty($url) || $url == "php://input" || !isValidURL($url)) {
|
||||
return false;
|
||||
}
|
||||
if ($lockfilename = wgetIsLocked($url)) {
|
||||
|
@ -6216,6 +6227,9 @@ function setToastMessage($msg) {
|
|||
}
|
||||
|
||||
function showAlertMessage() {
|
||||
if(!requestComesFromSafePlace()){
|
||||
return false;
|
||||
}
|
||||
if (!empty($_SESSION['YPTalertMessage'])) {
|
||||
foreach ($_SESSION['YPTalertMessage'] as $value) {
|
||||
if (!empty($value[0])) {
|
||||
|
@ -6229,9 +6243,10 @@ function showAlertMessage() {
|
|||
unset($_SESSION['YPTalertMessage']);
|
||||
}
|
||||
|
||||
$joinString = ['error', 'msg', 'success'];
|
||||
$joinString = ['error', 'msg', 'success', 'toast'];
|
||||
foreach ($joinString as $value) {
|
||||
if (!empty($_GET[$value]) && is_array($_GET[$value])) {
|
||||
if (!empty($_GET[$value]) ) {
|
||||
if (is_array($_GET[$value])) {
|
||||
$_GET[$value] = array_unique($_GET[$value]);
|
||||
$newStr = [];
|
||||
foreach ($_GET[$value] as $value2) {
|
||||
|
@ -6240,6 +6255,9 @@ function showAlertMessage() {
|
|||
}
|
||||
}
|
||||
$_GET[$value] = implode("<br>", $newStr);
|
||||
}else{
|
||||
$_GET[$value] = $_GET[$value];
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -6290,7 +6308,7 @@ function showAlertMessage() {
|
|||
}
|
||||
|
||||
echo '$.toast({
|
||||
text: "' . $value . '",
|
||||
text: "' . strip_tags($value, $allowable_tags) . '",
|
||||
hideAfter: ' . $hideAfter . ' // in milli seconds
|
||||
});console.log("Toast Hide after ' . $hideAfter . '");';
|
||||
}
|
||||
|
@ -8803,3 +8821,23 @@ function _empty($html_string) {
|
|||
}
|
||||
return emptyHTML($html_string);
|
||||
}
|
||||
|
||||
function adminSecurityCheck($force=false){
|
||||
if(empty($force)){
|
||||
if(!empty($_SESSION['adminSecurityCheck'])){
|
||||
return false;
|
||||
}
|
||||
if(!User::isAdmin()){
|
||||
return false;
|
||||
}
|
||||
}
|
||||
global $global;
|
||||
$videosHtaccessFile = getVideosDir().'.htaccess';
|
||||
if(!file_exists($videosHtaccessFile)){
|
||||
$bytes = copy("{$global['systemRootPath']}objects/htaccess_for_videos.conf",$videosHtaccessFile);
|
||||
_error_log("adminSecurityCheck: file created {$videosHtaccessFile} {$bytes} bytes");
|
||||
}
|
||||
_session_start();
|
||||
$_SESSION['adminSecurityCheck'] = time();
|
||||
return true;
|
||||
}
|
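Review bot: In `showAlertMessage()`, `text: "' . strip_tags($value, $allowable_tags) . '",` emits `$value` inside a JavaScript string literal, and `strip_tags` does not touch `"`, `\` or newlines, so a value containing a double quote still terminates the literal; `$_GET['toast']` is newly routed into this output. Whether `$securityFilter` entity-encodes `$_GET['toast']` before this point is not visible here, so the safer form is to let the encoder produce the literal: `text: ' . json_encode(strip_tags($value, $allowable_tags), JSON_HEX_TAG | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_HEX_APOS) . ',`. In `adminSecurityCheck()`, `copy()` returns a bool, not a byte count, so the log should read `_error_log("adminSecurityCheck: .htaccess copy to {$videosHtaccessFile} " . ($bytes ? 'ok' : 'FAILED'));`, and a failed copy should probably not set `$_SESSION['adminSecurityCheck']`, otherwise the missing deny-all rule is not retried until the session expires.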
16
objects/htaccess_for_videos.conf
Normal file
16
objects/htaccess_for_videos.conf
Normal file
|
@ -0,0 +1,16 @@
|
|||
<IfModule !authz_core_module>
|
||||
Order Allow,Deny
|
||||
Deny from all
|
||||
</IfModule>
|
||||
<IfModule authz_core_module>
|
||||
Require all denied
|
||||
</IfModule>
|
||||
<filesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|swf|ts|txt|mp4|mp3|m3u8|webp|key|css|tff|woff|woff2)$">
|
||||
<IfModule !authz_core_module>
|
||||
Order Allow,Deny
|
||||
Allow from all
|
||||
</IfModule>
|
||||
<IfModule authz_core_module>
|
||||
Require all granted
|
||||
</IfModule>
|
||||
</filesMatch>
|
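Review bot: The `<filesMatch>` allow-list is case-sensitive, so a file stored as `VIDEO.MP4` or `photo.JPG` falls under the outer `Require all denied` while `video.mp4` is served; unless the application lower-cases extensions on upload (not visible here), use `<FilesMatch "(?i)\.(ico|pdf|flv|jpg|jpeg|png|gif|swf|ts|txt|mp4|mp3|m3u8|webp|key|css|tff|woff|woff2)$">`. The rule is also Apache-only and depends on `AllowOverride` permitting `Limit`/`FileInfo` in the videos directory; a comment at the top of the file naming that requirement, and pointing nginx deployments at an equivalent `location` block, would keep the `adminSecurityCheck()` copy from giving a false sense of coverage. `tff` is probably a typo for `ttf`.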
|
@ -148,6 +148,7 @@ require_once $global['systemRootPath'] . 'objects/user.php';
|
|||
require_once $global['systemRootPath'] . 'objects/video.php';
|
||||
require_once $global['systemRootPath'] . 'plugin/AVideoPlugin.php';
|
||||
|
||||
adminSecurityCheck();
|
||||
setSiteLang();
|
||||
fixSystemPath();
|
||||
ObjectYPT::checkSessionCacheBasedOnLastDeleteALLCacheTime();
|
||||
|
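Review bot: `adminSecurityCheck();` runs on every include, and its early return reads `$_SESSION['adminSecurityCheck']` before the function itself calls `_session_start()` (the body is in the functions.php hunk); if no session is active at this point, the cache never hits and `User::isAdmin()` plus the `file_exists()` probe run on every request. Either move `_session_start()` ahead of the `$_SESSION` check inside `adminSecurityCheck()`, or document here which guarantee holds with `// adminSecurityCheck() expects an active session; it short-circuits via $_SESSION['adminSecurityCheck']`.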
|
|
@ -59,7 +59,7 @@ class Like
|
|||
$this->like = $like;
|
||||
}
|
||||
|
||||
private function load()
|
||||
public function load()
|
||||
{
|
||||
$like = $this->getLike();
|
||||
if (empty($like)) {
|
||||
|
|
|
@ -427,7 +427,7 @@ class Plugin extends ObjectYPT
|
|||
public static function deleteByUUID($uuid)
|
||||
{
|
||||
global $global;
|
||||
$uuid = $global['mysqli']->real_escape_string($uuid);
|
||||
$uuid = ($uuid);
|
||||
if (!empty($uuid)) {
|
||||
_error_log("Plugin:deleteByUUID {$uuid}");
|
||||
$sql = "DELETE FROM " . static::getTableName() . " ";
|
||||
|
@ -442,7 +442,7 @@ class Plugin extends ObjectYPT
|
|||
public static function deleteByName($name)
|
||||
{
|
||||
global $global;
|
||||
$name = $global['mysqli']->real_escape_string($name);
|
||||
$name = ($name);
|
||||
if (!empty($name)) {
|
||||
_error_log("Plugin:deleteByName {$name}");
|
||||
$sql = "DELETE FROM " . static::getTableName() . " ";
|
||||
|
@ -482,7 +482,7 @@ class Plugin extends ObjectYPT
|
|||
return false;
|
||||
}
|
||||
global $global;
|
||||
$this->object_data = $global['mysqli']->real_escape_string($this->object_data);
|
||||
$this->object_data = ($this->object_data);
|
||||
if (empty($this->object_data)) {
|
||||
$this->object_data = 'null';
|
||||
}
|
||||
|
|
|
@ -1,6 +1,5 @@
|
|||
<?php
|
||||
require_once $global['systemRootPath'] . 'objects/functions.php';
|
||||
|
||||
// filter some security here
|
||||
$securityFilter = ['jump','videoDownloadedLink','duration','error', 'msg', 'info', 'warning', 'success','toast', 'catName', 'type', 'channelName', 'captcha', 'showOnly', 'key', 'link', 'email', 'country', 'region', 'videoName'];
|
||||
$securityFilterInt = ['isAdmin', 'priority', 'totalClips', 'rowCount'];
|
||||
|
|
|
@ -6,8 +6,7 @@ if (!isset($global['systemRootPath'])) {
|
|||
require_once $global['systemRootPath'] . 'objects/bootGrid.php';
|
||||
require_once $global['systemRootPath'] . 'objects/user.php';
|
||||
|
||||
class Subscribe
|
||||
{
|
||||
class Subscribe extends ObjectYPT{
|
||||
private $id;
|
||||
private $email;
|
||||
private $status;
|
||||
|
@ -31,7 +30,7 @@ class Subscribe
|
|||
}
|
||||
}
|
||||
|
||||
private function load($id)
|
||||
public function load($id)
|
||||
{
|
||||
$obj = self::getSubscribe($id);
|
||||
if (empty($obj)) {
|
||||
|
@ -433,4 +432,9 @@ class Subscribe
|
|||
{
|
||||
$this->users_id = $users_id;
|
||||
}
|
||||
|
||||
public static function getTableName() {
|
||||
return 'subscribes';
|
||||
}
|
||||
|
||||
}
|
||||
|
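Review bot: `class Subscribe extends ObjectYPT{` keeps `private $id; private $email; private $status;`, but `ObjectYPT::save()` (see the Object.php hunk) reads fields as `$this->$value` from the parent class, where a subclass's private properties are not visible — the read yields null with an undefined-property warning, so an INSERT/UPDATE would write NULLs, and a parent-side `load()` assigning `$this->$key` would likely create dynamic public properties instead of setting the private ones. Configuration and Video were switched to `protected` in this same commit; Subscribe needs the same, `protected $id; protected $email; protected $status;` (plus any further properties outside the hunk), unless Subscribe overrides `save()`/`load()` entirely, which the hunk does not show.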
|
|
@ -220,7 +220,7 @@ if (typeof gtag !== \"function\") {
|
|||
return $eo[$id];
|
||||
}
|
||||
|
||||
private function load($id) {
|
||||
public function load($id) {
|
||||
$id = intval($id);
|
||||
if (empty($id)) {
|
||||
return false;
|
||||
|
|
|
@ -23,7 +23,7 @@ class UserGroups
|
|||
}
|
||||
}
|
||||
|
||||
private function load($id)
|
||||
public function load($id)
|
||||
{
|
||||
$user = self::getUserGroupsDb($id);
|
||||
if (empty($user)) {
|
||||
|
|
|
@ -19,50 +19,50 @@ require_once $global['systemRootPath'] . 'objects/Object.php';
|
|||
|
||||
if (!class_exists('Video')) {
|
||||
|
||||
class Video {
|
||||
class Video extends ObjectYPT {
|
||||
|
||||
private $id;
|
||||
private $title;
|
||||
private $clean_title;
|
||||
private $filename;
|
||||
private $description;
|
||||
private $views_count;
|
||||
private $status;
|
||||
private $duration;
|
||||
private $users_id;
|
||||
private $categories_id;
|
||||
private $old_categories_id;
|
||||
private $type;
|
||||
private $rotation;
|
||||
private $zoom;
|
||||
private $videoDownloadedLink;
|
||||
private $videoLink;
|
||||
private $next_videos_id;
|
||||
private $isSuggested;
|
||||
protected $id;
|
||||
protected $title;
|
||||
protected $clean_title;
|
||||
protected $filename;
|
||||
protected $description;
|
||||
protected $views_count;
|
||||
protected $status;
|
||||
protected $duration;
|
||||
protected $users_id;
|
||||
protected $categories_id;
|
||||
protected $old_categories_id;
|
||||
protected $type;
|
||||
protected $rotation;
|
||||
protected $zoom;
|
||||
protected $videoDownloadedLink;
|
||||
protected $videoLink;
|
||||
protected $next_videos_id;
|
||||
protected $isSuggested;
|
||||
public static $types = ['webm', 'mp4', 'mp3', 'ogg', 'pdf', 'jpg', 'jpeg', 'gif', 'png', 'webp', 'zip'];
|
||||
private $videoGroups;
|
||||
private $trailer1;
|
||||
private $trailer2;
|
||||
private $trailer3;
|
||||
private $rate;
|
||||
private $can_download;
|
||||
private $can_share;
|
||||
private $only_for_paid;
|
||||
private $rrating;
|
||||
private $externalOptions;
|
||||
private $sites_id;
|
||||
private $serie_playlists_id;
|
||||
private $video_password;
|
||||
private $encoderURL;
|
||||
private $filepath;
|
||||
private $filesize;
|
||||
private $live_transmitions_history_id;
|
||||
private $total_seconds_watching;
|
||||
private $duration_in_seconds;
|
||||
private $likes;
|
||||
private $dislikes;
|
||||
private $users_id_company;
|
||||
private $created;
|
||||
protected $videoGroups;
|
||||
protected $trailer1;
|
||||
protected $trailer2;
|
||||
protected $trailer3;
|
||||
protected $rate;
|
||||
protected $can_download;
|
||||
protected $can_share;
|
||||
protected $only_for_paid;
|
||||
protected $rrating;
|
||||
protected $externalOptions;
|
||||
protected $sites_id;
|
||||
protected $serie_playlists_id;
|
||||
protected $video_password;
|
||||
protected $encoderURL;
|
||||
protected $filepath;
|
||||
protected $filesize;
|
||||
protected $live_transmitions_history_id;
|
||||
protected $total_seconds_watching;
|
||||
protected $duration_in_seconds;
|
||||
protected $likes;
|
||||
protected $dislikes;
|
||||
protected $users_id_company;
|
||||
protected $created;
|
||||
public static $statusDesc = [
|
||||
'a' => 'Active',
|
||||
'k' => 'Active and Encoding',
|
||||
|
@ -102,7 +102,7 @@ if (!class_exists('Video')) {
|
|||
public static $statusBrokenMissingFiles = 'b';
|
||||
public static $rratingOptions = ['', 'g', 'pg', 'pg-13', 'r', 'nc-17', 'ma'];
|
||||
//ver 3.4
|
||||
private $youtubeId;
|
||||
protected $youtubeId;
|
||||
public static $typeOptions = ['audio', 'video', 'embed', 'linkVideo', 'linkAudio', 'torrent', 'pdf', 'image', 'gallery', 'article', 'serie', 'image', 'zip', 'notfound', 'blockedUser'];
|
||||
public static $searchFieldsNames = ['v.title', 'v.description', 'c.name', 'c.description', 'v.id', 'v.filename'];
|
||||
public static $searchFieldsNamesLabels = ['Video Title', 'Video Description', 'Channel Name', 'Channel Description', 'Video ID', 'Video Filename'];
|
||||
|
@ -349,9 +349,9 @@ if (!class_exists('Video')) {
|
|||
$catDefault = Category::getCategoryDefault();
|
||||
$this->categories_id = $catDefault['id'];
|
||||
}
|
||||
//$this->setTitle($global['mysqli']->real_escape_string(trim($this->title)));
|
||||
$this->title = ($global['mysqli']->real_escape_string(safeString($this->title)));
|
||||
$this->description = ($global['mysqli']->real_escape_string($this->description));
|
||||
//$this->setTitle((trim($this->title)));
|
||||
$this->title = ((safeString($this->title)));
|
||||
$this->description = (($this->description));
|
||||
|
||||
if (forbiddenWords($this->title) || forbiddenWords($this->description)) {
|
||||
return false;
|
||||
|
@ -412,31 +412,16 @@ if (!class_exists('Video')) {
|
|||
header('Content-Type: application/json');
|
||||
die('{"error":"3 ' . __("Permission denied") . '"}');
|
||||
}
|
||||
$sql = "UPDATE videos SET title = '{$this->title}',clean_title = '{$this->clean_title}',"
|
||||
. " filename = '{$this->filename}', categories_id = '{$this->categories_id}', status = '{$this->status}',"
|
||||
. " description = '{$this->description}', duration = '{$this->duration}', type = '{$this->type}', videoDownloadedLink = '{$this->videoDownloadedLink}', youtubeId = '{$this->youtubeId}', videoLink = '{$this->videoLink}', next_videos_id = {$this->next_videos_id}, isSuggested = {$this->isSuggested}, users_id = {$this->users_id}, "
|
||||
. " trailer1 = '{$this->trailer1}', trailer2 = '{$this->trailer2}', trailer3 = '{$this->trailer3}', rate = '{$this->rate}', can_download = '{$this->can_download}', can_share = '{$this->can_share}', only_for_paid = '{$this->only_for_paid}', rrating = '{$this->rrating}', externalOptions = '{$this->externalOptions}', sites_id = {$this->sites_id}, serie_playlists_id = {$this->serie_playlists_id} ,live_transmitions_history_id = {$this->live_transmitions_history_id} , video_password = '{$this->video_password}', "
|
||||
. " encoderURL = '{$this->encoderURL}', filepath = '{$this->filepath}' , filesize = '{$this->filesize}' , duration_in_seconds = '{$this->duration_in_seconds}' , modified = now(), users_id_company = ".(empty($this->users_id_company)?'NULL':intval($this->users_id_company))." "
|
||||
. " WHERE id = {$this->id}";
|
||||
|
||||
$saved = sqlDAL::writeSql($sql);
|
||||
if ($saved) {
|
||||
$insert_row = $this->id;
|
||||
$insert_row = parent::save();
|
||||
if ($insert_row) {
|
||||
AVideoPlugin::onUpdateVideo($insert_row);
|
||||
_error_log('onUpdateVideo $insert_row = '.$insert_row);
|
||||
}else{
|
||||
_error_log('onUpdateVideo error $saved is empty');
|
||||
}
|
||||
} else {
|
||||
if(empty($this->created)){
|
||||
$this->created = 'now()';
|
||||
}
|
||||
$sql = "INSERT INTO videos "
|
||||
. "(duration_in_seconds, title,clean_title, filename, users_id, categories_id, status, description, duration,type,videoDownloadedLink, next_videos_id, created, modified, videoLink, can_download, can_share, only_for_paid, rrating, externalOptions, sites_id, serie_playlists_id,live_transmitions_history_id, video_password, encoderURL, filepath , filesize, users_id_company) values "
|
||||
. "('{$this->duration_in_seconds}','{$this->title}','{$this->clean_title}', '{$this->filename}', {$this->users_id},{$this->categories_id}, '{$this->status}', '{$this->description}', '{$this->duration}', '{$this->type}', '{$this->videoDownloadedLink}', {$this->next_videos_id},{$this->created}, now(), '{$this->videoLink}', '{$this->can_download}', '{$this->can_share}','{$this->only_for_paid}', '{$this->rrating}', '$this->externalOptions', {$this->sites_id}, {$this->serie_playlists_id},{$this->live_transmitions_history_id}, '{$this->video_password}', '{$this->encoderURL}', '{$this->filepath}', '{$this->filesize}', ".(empty($this->users_id_company)?'NULL':intval($this->users_id_company)).")";
|
||||
|
||||
//_error_log("Video::save ".$sql);
|
||||
$insert_row = sqlDAL::writeSql($sql);
|
||||
$insert_row = parent::save();
|
||||
if(!empty($insert_row)){
|
||||
AVideoPlugin::onNewVideo($insert_row);
|
||||
_error_log('onNewVideo $insert_row = '.$insert_row);
|
||||
|
@ -444,6 +429,7 @@ if (!class_exists('Video')) {
|
|||
_error_log('onNewVideo error $insert_row is empty');
|
||||
}
|
||||
}
|
||||
//var_dump($this->title, $insert_row);exit;
|
||||
if ($insert_row) {
|
||||
_error_log("Video::save ({$this->title}) Saved id = {$insert_row} ");
|
||||
Category::clearCacheCount();
|
||||
|
@ -512,8 +498,10 @@ if (!class_exists('Video')) {
|
|||
return false;
|
||||
}
|
||||
_error_log("Video::updateDurationInSeconds update duration {$videos_id}, {$duration}, {$duration_in_seconds}");
|
||||
$sql = "UPDATE videos SET duration_in_seconds = '{$duration_in_seconds}' , modified = now() WHERE id = {$videos_id}";
|
||||
$saved = sqlDAL::writeSql($sql);
|
||||
$formats = 'si';
|
||||
$values = [$duration_in_seconds, $videos_id];
|
||||
$sql = "UPDATE videos SET duration_in_seconds = ? , modified = now() WHERE id = ?";
|
||||
$saved = sqlDAL::writeSql($sql, $formats, $values);
|
||||
self::clearCache($videos_id);
|
||||
return $duration_in_seconds;
|
||||
}
|
||||
|
@ -663,8 +651,10 @@ if (!class_exists('Video')) {
|
|||
|
||||
if (!empty($this->id)) {
|
||||
global $global;
|
||||
$sql = "UPDATE videos SET rotation = '{$saneRotation}', modified = now() WHERE id = {$this->id} ";
|
||||
$res = sqlDAL::writeSql($sql);
|
||||
$sql = "UPDATE videos SET rotation = ?, modified = now() WHERE id = ? ";
|
||||
$formats = 'si';
|
||||
$values = [$saneRotation, $this->id];
|
||||
$res = sqlDAL::writeSql($sql, $formats, $values);
|
||||
if ($global['mysqli']->errno !== 0) {
|
||||
die('Error on update Rotation: (' . $global['mysqli']->errno . ') ' . $global['mysqli']->error);
|
||||
}
|
||||
|
@ -689,8 +679,10 @@ if (!class_exists('Video')) {
|
|||
|
||||
if (!empty($this->id)) {
|
||||
global $global;
|
||||
$sql = "UPDATE videos SET zoom = '{$saneZoom}', modified = now() WHERE id = {$this->id} ";
|
||||
$res = sqlDAL::writeSql($sql);
|
||||
$sql = "UPDATE videos SET zoom = ?, modified = now() WHERE id = ? ";
|
||||
$formats = 'si';
|
||||
$values = [$saneZoom, $this->id];
|
||||
$res = sqlDAL::writeSql($sql, $formats, $values);
|
||||
if ($global['mysqli']->errno !== 0) {
|
||||
die('Error on update Zoom: (' . $global['mysqli']->errno . ') ' . $global['mysqli']->error);
|
||||
}
|
||||
|
@ -826,7 +818,7 @@ if (!class_exists('Video')) {
|
|||
}
|
||||
|
||||
if (!empty($_GET['catName'])) {
|
||||
$catName = $global['mysqli']->real_escape_string($_GET['catName']);
|
||||
$catName = ($_GET['catName']);
|
||||
$sql .= " AND (c.clean_name = '{$catName}' OR c.parentId IN (SELECT cs.id from categories cs where cs.clean_name = '{$catName}' ))";
|
||||
}
|
||||
|
||||
|
@ -1231,7 +1223,7 @@ if (!class_exists('Video')) {
|
|||
}
|
||||
|
||||
if (!empty($_GET['catName'])) {
|
||||
$catName = $global['mysqli']->real_escape_string($_GET['catName']);
|
||||
$catName = ($_GET['catName']);
|
||||
$sql .= " AND (c.clean_name = '{$catName}' OR c.parentId IN (SELECT cs.id from categories cs where cs.clean_name = '{$catName}' ))";
|
||||
}
|
||||
|
||||
|
@ -1752,7 +1744,7 @@ if (!class_exists('Video')) {
|
|||
}
|
||||
|
||||
if (!empty($_GET['catName'])) {
|
||||
$catName = $global['mysqli']->real_escape_string($_GET['catName']);
|
||||
$catName = ($_GET['catName']);
|
||||
$sql .= " AND (c.clean_name = '{$catName}' OR c.parentId IN (SELECT cs.id from categories cs where cs.clean_name = '{$catName}' ))";
|
||||
}
|
||||
|
||||
|
@ -4881,7 +4873,7 @@ if (!class_exists('Video')) {
|
|||
|
||||
private static function getFullTextSearch($columnsArray, $search, $connection = "OR") {
|
||||
global $global;
|
||||
$search = $global['mysqli']->real_escape_string(xss_esc($search));
|
||||
$search = (xss_esc($search));
|
||||
$search = str_replace('"', '"', $search);
|
||||
if (empty($columnsArray) || empty($search)) {
|
||||
return "";
|
||||
|
@ -5294,6 +5286,10 @@ if (!class_exists('Video')) {
|
|||
return !$found;
|
||||
}
|
||||
|
||||
public static function getTableName() {
|
||||
return 'videos';
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
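Review bot: `$catName = ($_GET['catName']);` in the three catName hunks is a no-op, yet the value is still interpolated unescaped into `c.clean_name = '{$catName}'` and the subquery, so a request parameter now reaches the query text directly — an SQL injection regression that contradicts the TALOS-2022-1551 note claiming all classes use prepared statements. Unless `$sql` is later handed to a binding path (not visible here), either keep the escape, `$catName = $global['mysqli']->real_escape_string($_GET['catName']);`, or better rewrite the fragment as ` AND (c.clean_name = ? OR c.parentId IN (SELECT cs.id FROM categories cs WHERE cs.clean_name = ?))` and push `$_GET['catName']` twice onto the values array passed to `sqlDAL::readSql`. The same applies to `getFullTextSearch`, where `xss_esc()` is an HTML escaper and does not neutralise SQL metacharacters before `$search` is used to build the MATCH clause (the rest of that function is outside the hunk). The rotation/zoom hunks do bind correctly, but `die()` on a mysqli error still echoes `$global['mysqli']->error` to the client; log it and return false instead.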
|
|
|
@ -123,7 +123,7 @@ class VideoStatistic extends ObjectYPT {
|
|||
|
||||
$this->seconds_watching_video = intval($this->seconds_watching_video);
|
||||
|
||||
$this->json = $global['mysqli']->real_escape_string($this->json);
|
||||
$this->json = ($this->json);
|
||||
|
||||
return parent::save();
|
||||
}
|
||||
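Review bot: `$this->json = ($this->json);` is a no-op assignment that reads like sanitisation but does nothing; delete the line so a reader does not assume `json` is escaped here. Safety of this field now rests entirely on `parent::save()` binding its values, which is outside this hunk — if `ObjectYPT::save()` still builds its statement by interpolation, the JSON is stored unescaped.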
|
|
|
@ -85,7 +85,7 @@ class AD_Overlay_Code extends ObjectYPT {
|
|||
//$data = htmlentities($data);
|
||||
|
||||
// mysql escape string
|
||||
$data = $global['mysqli']->real_escape_string($data);
|
||||
$data = ($data);
|
||||
|
||||
return $data;
|
||||
}
|
||||
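Review bot: The comment `// mysql escape string` now describes something the code no longer does, and the `$data = ($data);` below it is a no-op. Remove both lines, or replace them with a comment stating where escaping now happens (presumably the prepared statement in `parent::save()`, not visible here); a stale "escaped here" comment is exactly what leads the next maintainer to interpolate `$data` into a query. The enclosing function starts outside the hunk.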
|
|
|
@ -33,19 +33,19 @@ class CampaignLocations extends ObjectYPT {
|
|||
|
||||
function setCountry_name($country_name) {
|
||||
global $global;
|
||||
$country_name = $global['mysqli']->real_escape_string($country_name);
|
||||
$country_name = ($country_name);
|
||||
$this->country_name = $country_name;
|
||||
}
|
||||
|
||||
function setRegion_name($region_name) {
|
||||
global $global;
|
||||
$region_name = $global['mysqli']->real_escape_string($region_name);
|
||||
$region_name = ($region_name);
|
||||
$this->region_name = $region_name;
|
||||
}
|
||||
|
||||
function setCity_name($city_name) {
|
||||
global $global;
|
||||
$city_name = $global['mysqli']->real_escape_string($city_name);
|
||||
$city_name = ($city_name);
|
||||
$this->city_name = $city_name;
|
||||
}
|
||||
|
||||
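Review bot: The three setters now contain `$x = ($x);` immediately followed by `$this->x = $x;`, which is pure noise; collapse each to the single assignment, e.g. `$this->country_name = $country_name;`, and drop the now-unused `global $global;`. Nothing in this hunk escapes these values any more, so their safety depends on `parent::save()` binding parameters — worth confirming, since that method is not in view.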
|
|
|
@ -55,8 +55,10 @@ class Clones extends ObjectYPT
|
|||
}
|
||||
}
|
||||
|
||||
public function loadFromURL($url)
|
||||
{
|
||||
public function loadFromURL($url){
|
||||
if(!isValidURL($url)){
|
||||
return false;
|
||||
}
|
||||
$row = self::getFromURL($url);
|
||||
if (empty($row)) {
|
||||
return false;
|
||||
|
@ -73,7 +75,10 @@ class Clones extends ObjectYPT
|
|||
$resp->canClone = false;
|
||||
$resp->clone = null;
|
||||
$resp->msg = "";
|
||||
|
||||
if(!isValidURL($url)){
|
||||
$resp->msg = "Invalid URL";
|
||||
return $resp;
|
||||
}
|
||||
$clone = new Clones(0);
|
||||
$clone->loadFromURL($url);
|
||||
if (empty($clone->getId())) {
|
||||
|
@ -115,9 +120,11 @@ class Clones extends ObjectYPT
|
|||
if (empty($this->last_clone_request)) {
|
||||
$this->last_clone_request = 'null';
|
||||
}
|
||||
|
||||
$this->key = $global['mysqli']->real_escape_string($this->key);
|
||||
$this->url = $global['mysqli']->real_escape_string($this->url);
|
||||
if(!isValidURL($this->url)){
|
||||
return false;
|
||||
}
|
||||
$this->key = safeString($this->key, true);
|
||||
$this->url = $this->url;
|
||||
return parent::save();
|
||||
}
|
||||
|
||||
|
@ -151,10 +158,11 @@ class Clones extends ObjectYPT
|
|||
$this->id = $id;
|
||||
}
|
||||
|
||||
public function setUrl($url)
|
||||
{
|
||||
public function setUrl($url){
|
||||
if(isValidURL($url)){
|
||||
$this->url = $url;
|
||||
}
|
||||
}
|
||||
|
||||
public function setStatus($status)
|
||||
{
|
||||
|
@ -163,7 +171,7 @@ class Clones extends ObjectYPT
|
|||
|
||||
public function setKey($key)
|
||||
{
|
||||
$this->key = $key;
|
||||
$this->key = safeString($key);
|
||||
}
|
||||
|
||||
public function setLast_clone_request($last_clone_request)
|
||||
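Review bot: `setKey()` sanitises with `safeString($key)` while `save()` re-sanitises with `safeString($this->key, true)` — two different modes on the same field, so a key that passes through the setter may still be altered at save time; use one call with one mode (the `true` variant if that is the stricter one, which cannot be told from here) and drop the other. `$this->url = $this->url;` is a no-op and should be removed. `save()` and `setUrl()` both fail silently on an invalid URL (return false / leave the property untouched), so a caller that sets a bad URL and then saves gets the previous URL persisted with no error; have `setUrl()` return a boolean or log the rejection. The hunk at line 115 starts inside `save()`, whose beginning is outside the view.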
|
|
|
@ -3040,7 +3040,7 @@ Click <a href=\"{link}\">here</a> to join our live.";
|
|||
}
|
||||
|
||||
if (!empty($_GET['catName'])) {
|
||||
$catName = $global['mysqli']->real_escape_string($_GET['catName']);
|
||||
$catName = ($_GET['catName']);
|
||||
$sql .= " AND (c.clean_name = '{$catName}' OR c.parentId IN (SELECT cs.id from categories cs where cs.clean_name = '{$catName}' ))";
|
||||
}
|
||||
|
||||
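Review bot: `$catName = ($_GET['catName']);` removes the only escaping on a request parameter that is then interpolated into `c.clean_name = '{$catName}'` and the nested SELECT, so the category filter is now injectable unless `$sql` is later passed to a binding path not shown here. Restore `$catName = $global['mysqli']->real_escape_string($_GET['catName']);` or, preferably, rewrite the fragment with `?` placeholders and pass `$_GET['catName']` twice in the values array given to `sqlDAL::readSql`. The function building `$sql` starts and ends outside the hunk.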
|
|
|
@ -75,7 +75,7 @@ class LiveTransmition extends ObjectYPT
|
|||
public function setTitle($title)
|
||||
{
|
||||
global $global;
|
||||
//$title = $global['mysqli']->real_escape_string($title);
|
||||
//$title = ($title);
|
||||
$this->title = xss_esc($title);
|
||||
}
|
||||
|
||||
|
@ -107,7 +107,7 @@ class LiveTransmition extends ObjectYPT
|
|||
public function setDescription($description)
|
||||
{
|
||||
global $global;
|
||||
//$description = $global['mysqli']->real_escape_string($description);
|
||||
//$description = ($description);
|
||||
$this->description = xss_esc($description);
|
||||
}
|
||||
|
||||
|
@ -204,7 +204,7 @@ class LiveTransmition extends ObjectYPT
|
|||
{
|
||||
global $global;
|
||||
_mysql_connect();
|
||||
$userName = $global['mysqli']->real_escape_string($userName);
|
||||
$userName = ($userName);
|
||||
$sql = "SELECT * FROM users WHERE user = ? LIMIT 1";
|
||||
$res = sqlDAL::readSql($sql, "s", [$userName], true);
|
||||
$data = sqlDAL::fetchAssoc($res);
|
||||
|
@ -224,7 +224,7 @@ class LiveTransmition extends ObjectYPT
|
|||
{
|
||||
global $global;
|
||||
_mysql_connect();
|
||||
$channelName = $global['mysqli']->real_escape_string($channelName);
|
||||
$channelName = ($channelName);
|
||||
$sql = "SELECT * FROM users WHERE channelName = ? LIMIT 1";
|
||||
$res = sqlDAL::readSql($sql, "s", [$channelName], true);
|
||||
$data = sqlDAL::fetchAssoc($res);
|
||||
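Review bot: `$userName = ($userName);` and `$channelName = ($channelName);` are no-ops in front of queries that already bind with `"s"`; delete them rather than leave assignments that look like sanitisers. The commented-out `//$title = ($title);` and `//$description = ($description);` lines should go too — dead code in a security fix obscures what is actually enforced. Note that `xss_esc()` in `setTitle`/`setDescription` HTML-escapes on input; if templates also escape on output, titles containing `&`, `<` or quotes will render double-encoded, so confirm which layer owns HTML escaping.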
|
|
|
@ -93,13 +93,13 @@ class LiveTransmitionHistory extends ObjectYPT {
|
|||
global $global;
|
||||
$Char = "‌";
|
||||
$title = str_replace($Char, '', $title);
|
||||
$title = $global['mysqli']->real_escape_string($title);
|
||||
$title = ($title);
|
||||
$this->title = $title;
|
||||
}
|
||||
|
||||
public function setDescription($description) {
|
||||
global $global;
|
||||
$description = $global['mysqli']->real_escape_string($description);
|
||||
$description = ($description);
|
||||
$this->description = $description;
|
||||
}
|
||||
|
||||
|
@ -354,7 +354,7 @@ class LiveTransmitionHistory extends ObjectYPT {
|
|||
|
||||
public static function getLatest($key, $live_servers_id = null, $active=false) {
|
||||
global $global;
|
||||
$key = $global['mysqli']->real_escape_string($key);
|
||||
$key = ($key);
|
||||
|
||||
if (empty($key)) {
|
||||
return false;
|
||||
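Review bot: In `getLatest()` the escape on `$key` is replaced with the no-op `$key = ($key);`, but the query that consumes `$key` is outside this hunk — if it still interpolates `'{$key}'` into the SELECT, a stream key containing a quote is now an injection vector. Verify that call site uses `sqlDAL::readSql($sql, 's', [$key])`; otherwise restore the escape. The same no-op pattern in `setTitle`/`setDescription` should simply be removed (`$this->title = $title;`), since it protects nothing and suggests it does.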
|
|
|
@ -358,7 +358,7 @@ class Live_schedule extends ObjectYPT
|
|||
$this->key = uniqid();
|
||||
}
|
||||
|
||||
$this->description = $global['mysqli']->real_escape_string($this->description);
|
||||
$this->description = ($this->description);
|
||||
|
||||
$this->_setTimeZone(date_default_timezone_get());
|
||||
|
||||
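Review bot: `$this->description = ($this->description);` is a no-op; remove it, and the `global $global` with it if nothing else in `save()` uses it (the start of `save()` is outside the hunk). Storage of `description` is now only as safe as the statement built in `parent::save()`, which is not in view.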
|
|
|
@ -239,7 +239,7 @@ class Live_servers extends ObjectYPT
|
|||
$host = trim($rtmpHostURI);
|
||||
$parts = parse_url($host);
|
||||
$host = "rtmp://{$parts["host"]}{$parts["path"]}";
|
||||
$host = $global['mysqli']->real_escape_string($host);
|
||||
$host = ($host);
|
||||
$sql = "SELECT * FROM " . static::getTableName() . " WHERE rtmp_server LIKE '%{$host}%' AND status = 'a' ";
|
||||
$res = sqlDAL::readSql($sql);
|
||||
$data = sqlDAL::fetchAssoc($res);
|
||||
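Review bot: `$host = ($host);` drops the only escaping on a value derived from `$rtmpHostURI` via `parse_url()`, and `$host` is then interpolated into `rtmp_server LIKE '%{$host}%'` — a host or path component containing `'` now breaks out of the string literal (whether `$rtmpHostURI` is attacker-controlled depends on the caller, not visible here). Bind it instead: `$sql = "SELECT * FROM " . static::getTableName() . " WHERE rtmp_server LIKE ? AND status = 'a' ";` and `$res = sqlDAL::readSql($sql, 's', ['%' . $host . '%']);`. Even when bound, `%` and `_` inside `$host` act as LIKE wildcards, so apply `addcslashes($host, '%_')` first if an exact substring match is intended. `$parts["host"]` may be unset when `parse_url()` fails or the input has no scheme; guard that before building `$host`.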
|
|
|
@ -304,7 +304,7 @@ class LiveLinks extends PluginAbstract {
|
|||
}
|
||||
|
||||
if (!empty($_GET['catName'])) {
|
||||
$catName = $global['mysqli']->real_escape_string($_GET['catName']);
|
||||
$catName = ($_GET['catName']);
|
||||
$sql .= " AND (c.clean_name = '{$catName}' OR c.parentId IN (SELECT cs.id from categories cs where cs.clean_name = '{$catName}' ))";
|
||||
}
|
||||
|
||||
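Review bot: Same regression as in the other catName filters: `$catName = ($_GET['catName']);` leaves the request value unescaped while it is still spliced into `c.clean_name = '{$catName}'` and the subquery, so this branch is injectable unless `$sql` is bound somewhere outside the hunk. Either reinstate `$global['mysqli']->real_escape_string($_GET['catName'])` or switch the fragment to `?` placeholders with the value supplied twice to `sqlDAL::readSql`. The enclosing function is not fully visible here.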
|
|
|
@ -174,7 +174,7 @@ class PayPalYPT_log extends ObjectYPT
|
|||
public function save()
|
||||
{
|
||||
global $global;
|
||||
$this->json = $global['mysqli']->real_escape_string($this->json);
|
||||
$this->json = ($this->json);
|
||||
|
||||
return parent::save();
|
||||
}
|
||||
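Review bot: `$this->json = ($this->json);` does nothing; remove it so `save()` is just `return parent::save();` and nobody mistakes the line for escaping. The payment log payload is presumably externally supplied (PayPal callback data), so confirm that `ObjectYPT::save()` binds the value rather than interpolating it — nothing in this hunk protects it any more.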
|
|
|
@ -102,7 +102,7 @@ class Scheduler_commands extends ObjectYPT {
|
|||
global $global;
|
||||
if(!is_string($parameters)){
|
||||
$parameters = _json_encode($parameters);
|
||||
$parameters = $global['mysqli']->real_escape_string($parameters);
|
||||
$parameters = ($parameters);
|
||||
}
|
||||
|
||||
$this->parameters = $parameters;
|
||||
|
@ -158,7 +158,7 @@ class Scheduler_commands extends ObjectYPT {
|
|||
function setExecuted($callbackResponse) {
|
||||
if (!is_string($callbackResponse)) {
|
||||
$callbackResponse = json_encode($callbackResponse);
|
||||
$callbackResponse = $global['mysqli']->real_escape_string($callbackResponse);
|
||||
$callbackResponse = ($callbackResponse);
|
||||
}
|
||||
$this->setExecuted_in(date('Y-m-d H:i:s'));
|
||||
$this->setCallbackResponse($callbackResponse);
|
||||
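Review bot: `$parameters = ($parameters);` and `$callbackResponse = ($callbackResponse);` are no-ops and should be removed. `setExecuted()` declares no `global $global;`, so the old line would have failed inside the `!is_string` branch — which suggests that branch was never exercised; a test passing an array to `setExecuted()` would be worthwhile. The two branches also differ in using `_json_encode()` versus `json_encode()`; pick one for consistency.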
|
|
|
@ -124,7 +124,7 @@ class Menu extends ObjectYPT {
|
|||
$this->menuSeoUrl=$this->menuName;
|
||||
}
|
||||
|
||||
$this->menuSeoUrl=$global['mysqli']->real_escape_string(preg_replace('/[^a-z0-9]+/', '_', strtolower($this->menuSeoUrl)));
|
||||
$this->menuSeoUrl=(preg_replace('/[^a-z0-9]+/', '_', strtolower($this->menuSeoUrl)));
|
||||
|
||||
return parent::save();
|
||||
}
|
||||
|
|
|
@ -119,10 +119,10 @@ class MenuItem extends ObjectYPT {
|
|||
if (empty($this->menuSeoUrlItem)) {
|
||||
$this->menuSeoUrlItem = $this->title;
|
||||
}
|
||||
$this->menuSeoUrlItem = $global['mysqli']->real_escape_string(preg_replace('/[^a-z0-9]+/', '_', strtolower($this->title)));
|
||||
$this->menuSeoUrlItem = (preg_replace('/[^a-z0-9]+/', '_', strtolower($this->title)));
|
||||
|
||||
$this->title = $global['mysqli']->real_escape_string($this->title);
|
||||
$this->text = $global['mysqli']->real_escape_string($this->text);
|
||||
$this->title = ($this->title);
|
||||
$this->text = ($this->text);
|
||||
|
||||
return parent::save();
|
||||
}
|
||||
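Review bot: `$this->title = ($this->title);` and `$this->text = ($this->text);` are no-ops and should be deleted. Since `menuSeoUrlItem` is unconditionally recomputed from `$this->title` via `preg_replace('/[^a-z0-9]+/', '_', ...)` on the next line, the `if (empty($this->menuSeoUrlItem))` guard above it is dead — probably intended, but then the guard should go as well.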
|
|
|
@ -91,7 +91,7 @@ class TopMenu extends PluginAbstract {
|
|||
public function getidBySeoUrl($menuSeoUrlItem) {
|
||||
global $global;
|
||||
$sql="select id from topMenu_items where menuSeoUrlItem= ?";
|
||||
$res=sqlDal::readSql($sql, "s", array($global['mysqli']->real_escape_string($menuSeoUrlItem)));
|
||||
$res=sqlDal::readSql($sql, "s", array(($menuSeoUrlItem)));
|
||||
$menuId=sqlDAL::fetchAssoc($res);
|
||||
if(!isset($menuId['id']))
|
||||
return false;
|
||||
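Review bot: Dropping `real_escape_string` here is correct — the value is bound with `"s"`, and escaping a bound parameter would have compared a doubly-escaped string — but the leftover `array(($menuSeoUrlItem))` should lose the redundant parentheses: `$res = sqlDal::readSql($sql, "s", [$menuSeoUrlItem]);`. `sqlDal` and `sqlDAL` are both used in this function; PHP resolves them identically, but one spelling is easier to grep.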
|
|
|
@ -98,7 +98,7 @@ class Wallet extends ObjectYPT {
|
|||
public function save() {
|
||||
global $global;
|
||||
$this->balance = floatval($this->balance);
|
||||
$this->crypto_wallet_address = $global['mysqli']->real_escape_string($this->crypto_wallet_address);
|
||||
$this->crypto_wallet_address = ($this->crypto_wallet_address);
|
||||
ObjectYPT::clearSessionCache();
|
||||
return parent::save();
|
||||
}
|
||||
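Review bot: `$this->crypto_wallet_address = ($this->crypto_wallet_address);` is a no-op; remove it. A wallet address is presumably user-supplied and is a payout destination, so rather than a vanished escape this field deserves an actual format check before save (rejecting whitespace and characters outside the expected alphabet for the supported currency) — what that alphabet is cannot be determined from this hunk.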
|
|
|
@ -171,8 +171,8 @@ class WalletLog extends ObjectYPT {
|
|||
|
||||
function save() {
|
||||
global $global;
|
||||
$this->description = $global['mysqli']->real_escape_string($this->description);
|
||||
$this->information = $global['mysqli']->real_escape_string($this->information);
|
||||
$this->description = ($this->description);
|
||||
$this->information = ($this->information);
|
||||
return parent::save();
|
||||
}
|
||||
|
||||
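Review bot: The two `$this->x = ($this->x);` assignments are no-ops; `save()` should reduce to `return parent::save();` with `global $global;` removed if nothing else uses it. If `description` or `information` are rendered in the admin UI, escape them at output with `htmlspecialchars()` rather than at save time.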
|
|
95
updatedb/updateDb.v12.0.sql
Normal file
95
updatedb/updateDb.v12.0.sql
Normal file
|
@ -0,0 +1,95 @@
|
|||
-- ### Credit
|
||||
--
|
||||
-- Discovered by Claudio Bozzato of Cisco Talos.
|
||||
--
|
||||
-- TALOS-2022-1534
|
||||
--
|
||||
-- Now the userUpdate.json.php requires a request from the same domain as the AVideo site
|
||||
-- in aditional all save and delete database calls requires the same by default (a whitelist can be builded hardcoding it in the objects/Object.php file)
|
||||
--
|
||||
-- TALOS-2022-1535
|
||||
--
|
||||
-- Session ID will only change if you are not logged in
|
||||
-- In case the session ID changed we will regenerate it with a new name avoiding reuse it
|
||||
--
|
||||
-- TALOS-2022-1536
|
||||
--
|
||||
-- plugin/Live/view/Live_schedule/add.json.php and objects/playlistAddNew.json.php will deny to update if the users_id is not = as the original record when it is editing
|
||||
--
|
||||
-- TALOS-2022-1537
|
||||
--
|
||||
-- Add a sanitize rule on the security file
|
||||
--
|
||||
--
|
||||
-- TALOS-2022-1539
|
||||
--
|
||||
-- Add a sanitize rule on the view/img/image403.php file itself
|
||||
--
|
||||
-- TALOS-2022-1540
|
||||
--
|
||||
-- Video title and filename will always be sanitized on the setTitle method (sometimes more than once)
|
||||
--
|
||||
--
|
||||
-- TALOS-2022-1542
|
||||
--
|
||||
-- httponly set to true
|
||||
-- we are now using the passhash instead of the database pass in all site
|
||||
-- the passhash is totally different than the original DB password, it a encrypted json and has an expiration time and also will be automatically rejected if the original password is updated
|
||||
-- the login with the pass hash (database password field) directly will be disabled soon, for now it is only enabled to buy some time to update the other third parties apps
|
||||
--
|
||||
-- TALOS-2022-1545
|
||||
--
|
||||
-- Fixed on TALOS-2022-1542
|
||||
--
|
||||
-- TALOS-2022-1546
|
||||
--
|
||||
-- Filename is now sanitized with escapeshellarg(safeString($filename,true));
|
||||
--
|
||||
-- TALOS-2022-1538
|
||||
--
|
||||
-- all 4 parameters are sanitized now
|
||||
-- also if the request does not come from the same site, the showAlertMessage() function will not be executed
|
||||
--
|
||||
-- TALOS-2022-1547
|
||||
--
|
||||
-- Now every time the admin login we will check if the new videos/.htaccess is there, and create it if it is not
|
||||
-- <IfModule !authz_core_module>
|
||||
-- Order Allow,Deny
|
||||
-- Deny from all
|
||||
-- </IfModule>
|
||||
-- <IfModule authz_core_module>
|
||||
-- Require all denied
|
||||
-- </IfModule>
|
||||
-- <filesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|swf|ts|txt|mp4|mp3|m3u8|webp|key|css|tff|woff|woff2)$">
|
||||
-- <IfModule !authz_core_module>
|
||||
-- Order Allow,Deny
|
||||
-- Allow from all
|
||||
-- </IfModule>
|
||||
-- <IfModule authz_core_module>
|
||||
-- Require all granted
|
||||
-- </IfModule>
|
||||
-- </filesMatch>
|
||||
--
|
||||
-- this will only allow access to only some specific file types inside videos folder
|
||||
--
|
||||
-- TALOS-2022-1548
|
||||
--
|
||||
-- we now verify if is a valid URL properly, also we are using the escapeshellarg for URL and destination filename
|
||||
--
|
||||
-- TALOS-2022-1549
|
||||
--
|
||||
-- We now only download the downloadURL_image if it is a valid URL NOT localfiles any more
|
||||
--
|
||||
-- TALOS-2022-1551
|
||||
--
|
||||
-- All our classes were updated using the prepare statement to avoid sql injection
|
||||
-- also `videoDownloadedLink` and `duration` are now sanitized
|
||||
-- if you are editing anything we now "forbidIfItIsNotMyUsersId"
|
||||
-- key and URL are now sanitized Clone plugin
|
||||
--
|
||||
-- TALOS-2022-1550
|
||||
--
|
||||
-- the url_get_contents now only download files from valid URLs or files from inside the cache folder
|
||||
|
||||
|
||||
UPDATE configurations SET version = '12.0', modified = now() WHERE id = 1;
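Review bot: The `<filesMatch>` allow-list in the TALOS-2022-1547 note grants anonymous access to `key` and `txt` files under `videos/`; if `.key` files are HLS AES-128 keys (the `m3u8`/`ts` entries suggest HLS content), serving them to anyone defeats the encryption, so drop `key` from the pattern or serve keys through an authenticated endpoint. The `.htaccess` only takes effect where Apache has `AllowOverride` enabled and does nothing on nginx, so the note that the file is recreated at admin login should state that dependency rather than imply the issue is closed. The TALOS-2022-1542 note admits that login with the stored password hash remains enabled; that is a deliberate residual risk and should carry a target version for removal. Typos in the note: `aditional` → `in addition`, `builded` → `built`, `reuse it` → `reusing it`.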
|