| author | cassio <cassiopc@gmail.com> | 2018-11-08 15:11:19 +0000 |
|---|---|---|
| committer | cassio <cassiopc@gmail.com> | 2018-11-08 15:11:19 +0000 |
| commit | f74c0fdddbdb768a2ec50e9a9f165887cc6f51e1 (patch) | |
| tree | 9b5191077f1a944f44232d1f5cc4e08f078a6668 /src | |
| parent | 336e0c032cc0f9e9547853f814ebffdfd00c5e2d (diff) | |
| download | boca-f74c0fdddbdb768a2ec50e9a9f165887cc6f51e1.tar.gz boca-f74c0fdddbdb768a2ec50e9a9f165887cc6f51e1.zip | |
fix score, submissions and cookies
Diffstat (limited to 'src')
| -rw-r--r-- | src/admin/report/header.php | 2 | ||||
| -rw-r--r-- | src/admin/report/webcast.php | 26 | ||||
| -rw-r--r-- | src/flog.php | 8 | ||||
| -rwxr-xr-x | src/globals.php | 55 | ||||
| -rw-r--r-- | src/index.php | 13 |
5 files changed, 88 insertions, 16 deletions
diff --git a/src/admin/report/header.php b/src/admin/report/header.php
index 77e524a..50c36af 100644
--- a/src/admin/report/header.php
+++ b/src/admin/report/header.php
@@ -30,7 +30,7 @@ require_once($locr . "/globals.php");
 require_once($locr."/db.php");
 require_once($locr."/freport.php");
-if(isset($_POST['webcastcode']) && ctype_alnum($_POST['webcastcode'])) {
+if(isset($_GET['webcastcode']) && ctype_alnum($_GET['webcastcode'])) {
 header ("Content-transfer-encoding: binary\n");
 header ("Content-type: application/force-download");
 ob_end_flush();
diff --git a/src/admin/report/webcast.php b/src/admin/report/webcast.php
index a6aaceb..cf791a7 100644
--- a/src/admin/report/webcast.php
+++ b/src/admin/report/webcast.php
@@ -17,8 +17,8 @@
 ////////////////////////////////////////////////////////////////////////////////
 require('header.php');
-if(!isset($_POST['webcastcode']) || !ctype_alnum($_POST['webcastcode'])) exit;
-$webcastcode=$_POST['webcastcode'];
+if(!isset($_GET['webcastcode']) || !ctype_alnum($_GET['webcastcode'])) exit;
+$webcastcode=$_GET['webcastcode'];
 $ds = DIRECTORY_SEPARATOR;
 if($ds=="") $ds = "/";
@@ -39,7 +39,7 @@ for($i=0; $i<count($wcdata);$i++) {
 $wccode = explode(' ', $wcdata[$i]);
 if($wccode[0] == $webcastcode) {
 for($j=1; $j < count($wccode); $j++) {
- $temp = explode('/', $wccode[$j]);
+ $temp = explode('/', trim($wccode[$j]));
 if(is_numeric($temp[0])) {
 $wcsite[count($wcsite)] = $temp[0];
 $wcloweruser[count($wcloweruser)] = 0;
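Review bot: Taking `webcastcode` from `$_GET` instead of `$_POST` (here and in the first webcast.php hunk) puts the code in the request URL, so it will now land in web-server access logs, proxy logs and browser history. If the code is meant to control who may pull the archive, that exposure deserves a second look; if it only selects which feed to export, a one-line comment such as `// webcastcode selects the feed to export; it is not an access secret, so GET is fine` would make the intent clear to the next reader. The `ctype_alnum` guard is kept on both sides, which bounds the value before it is compared against the data file.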
@@ -59,17 +59,17 @@ if($i>=count($wcdata)) {
 exit;
 }
-cleardir($webcastdir);
+//cleardir($webcastdir);
 @mkdir($webcastdir);
-$contest = $_SESSION["usertable"]["contestnumber"];
-$site = $_SESSION["usertable"]["usersitenumber"];
+$contest = 1; //$_SESSION["usertable"]["contestnumber"];
+$site = 1; //$_SESSION["usertable"]["usersitenumber"];
 $ct = DBContestInfo($contest);
 if(($st = DBSiteInfo($contest, $site)) == null) ForceLoad("../index.php");
-if(isset($_POST['full']) && $_POST['full'] > 0)
+if(isset($_GET['full']) && $_GET['full'] > 0)
 $freezeTime = $st['siteduration'];
 else
 $freezeTime = $st['sitelastmilescore'];
@@ -87,12 +87,12 @@ $c = DBConnect();
 $r = DBExec($c, 'SELECT problemnumber FROM problemtable' .
 ' WHERE contestnumber = ' . $contest .
- ' AND problemnumber > 0');
+ ' AND problemnumber > 0 AND not (problemfullname ~ \'(DEL)\')');
 $numProblems = DBnlines($r);
 $sql = 'SELECT username, userfullname, userdesc FROM usertable' .
 ' WHERE contestnumber = ' . $contest .
- ' AND userenabled = \'t\' AND usertype = \'team\' AND ((0 = 1)';
+ ' AND userenabled = \'t\' AND not (usericpcid = \'\') AND not (usericpcid = \'000000\') AND not (usericpcid = \'0\') AND usertype = \'team\' AND ((0 = 1)';
 for($i=0; $i < count($wcloweruser); $i++)
 $sql .= ' OR (usersitenumber = ' . $wcsite[$i] . ' AND usernumber >= ' . $wcloweruser[$i] . ' AND usernumber <= ' . $wcupperuser[$i] . ')';
 $sql .= ')';
@@ -149,6 +149,7 @@ $run = DBAllRunsInSites($contest, $site, 'run');
 $numRuns = count($run);
 $runfile = '';
 for ($i = 0; $i < $numRuns; $i++) {
+ if($run[$i]['status'] == 'deleted') continue;
 $u = DBUserInfo($contest, $site, $run[$i]['user']);
 $runID = $run[$i]['number'];
 $runTime = dateconvminutes($run[$i]['timestamp']);
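Review bot: `$contest = 1;` and `$site = 1;` replace the session-derived values with constants, so the export is now always for contest 1 / site 1 regardless of the logged-in user; this reads like a debugging shortcut rather than an intended change, and the commit message does not explain it. If it is deliberate, leave a comment saying why; otherwise restore `$contest = $_SESSION["usertable"]["contestnumber"];` and `$site = $_SESSION["usertable"]["usersitenumber"];`. Commenting out `cleardir($webcastdir);` also lets files left behind by an earlier export survive into the archive, which matters more now that the later hunk zips the whole directory with `array('.')`. `$_GET['full'] > 0` compares a request string loosely; `(int)$_GET['full'] > 0` states the intent.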
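Review bot: `problemfullname ~ '(DEL)'` is a regular-expression match in which the parentheses only form a group, so it drops every problem whose name contains the letters DEL anywhere (a name like MODEL would vanish), not just names tagged with a literal `(DEL)`. If the literal tag is what is meant, use a plain pattern match instead: `' AND problemnumber > 0 AND not (problemfullname LIKE \'%(DEL)%\')'`. In the usertable query the three `not (usericpcid = ...)` terms would read better as `usericpcid NOT IN (\'\', \'000000\', \'0\')`. The loop below still interpolates `$wcsite[$i]`, `$wcloweruser[$i]` and `$wcupperuser[$i]` straight into the SQL; the earlier hunk checks `is_numeric` on the site number only, so it is worth confirming the user bounds are validated the same way where they are parsed.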
@@ -182,11 +183,12 @@ if(is_writable($webcastdir)) {
 @file_put_contents($webcastdir . $ds . 'contest',$contestfile);
 @file_put_contents($webcastdir . $ds . 'version',$versionfile);
 @file_put_contents($webcastdir . $ds . 'time',$timefile);
- if(@create_zip($webcastparentdir,array('webcast'),$webcastdir . ".zip") != 1) {
- LOGError("Cannot create score webcast.tmp file");
- MSGError("Cannot create score webcast.tmp file");
+ if(@create_zip($webcastdir,array('.'),$webcastdir . ".zip") != 1) {
+ LOGError("Cannot create score webcast.zip file");
+ MSGError("Cannot create score webcast.zip file");
 } else {
 echo file_get_contents($webcastdir . ".zip");
+ exit;
 }
 } else {
 LOGError('Error creating the folder for the ZIP file: '. $webcastdir);
diff --git a/src/flog.php b/src/flog.php
index 1e6e6cb..9ff6357 100644
--- a/src/flog.php
+++ b/src/flog.php
@@ -187,8 +187,14 @@ function DBLogInContest($name,$pass,$contest,$msg=true) {
 if($a["usertype"] == "team")
 @file_put_contents($dircode, $ccode);
 }
-
+ $gip=getIP();
+ if(!ValidCookie(true,$gip)) {
+ if($msg) MSGError("Invalid computer (4).");
+ unset($_SESSION["usertable"]);
+ return false;
+ }
+
 if ($a["userip"] != $gip && $a["userip"] != "" && $a["usertype"] != "score") {
 LOGLevel("User $name is using two different IPs: " . $a["userip"] . "(" . dateconv($a["userlastlogin"]) .") and " . $gip,1);
diff --git a/src/globals.php b/src/globals.php
index 5c2a46b..45ac54e 100755
--- a/src/globals.php
+++ b/src/globals.php
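Review bot: `echo file_get_contents($webcastdir . ".zip");` is still unchecked, and with the new `exit` right after it a failed read now sends an empty 200 response with no log entry. Read into a variable and route a `false` result through the existing error branch: `$zip = @file_get_contents($webcastdir . ".zip");` / `if($zip === false) { LOGError("Cannot read score webcast.zip file"); MSGError("Cannot read score webcast.zip file"); }` / `else { echo $zip; exit; }`. `create_zip` is also called with `@`, so whatever it reports about a failure is lost; its implementation is not visible here, so that may be intentional.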
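Review bot: The new `ValidCookie(true,$gip)` check runs after the lines above have already written the per-user code file for teams (`@file_put_contents($dircode, $ccode)`), so a login rejected with "Invalid computer (4)." still updates that file; if that write should only happen for accepted logins, the cookie check belongs before it. The unchanged `if ($a["userip"] != $gip ...)` line below already relied on `$gip`, so it was presumably assigned earlier in DBLogInContest and the new `$gip=getIP();` may be a duplicate. The rest of DBLogInContest lies outside the hunk.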
@@ -325,10 +325,61 @@ function IntrusionNotify($where) {
 LOGLevel($msg,1);
 MSGError("Violation ($where). Admin warned.");
 }
+
+function ValidCookie($dolog=false,$gip='') {
+ if (!isset($_SESSION["usertable"])) return(FALSE);
+ $contest = $_SESSION["usertable"]["contestnumber"];
+ $name = $_SESSION["usertable"]["username"];
+ $coo = array();
+ if(isset($_COOKIE['biscoitobocabombonera'])) {
+ $coo = explode('-',$_COOKIE['biscoitobocabombonera']);
+ if(count($coo) != 2 ||
+ strlen($coo[1])!=strlen(myhash('xxx')) ||
+ !is_numeric($coo[0]) ||
+ !ctype_alnum($coo[1]))
+ $coo = array();
+ }
+ if(count($coo) == 2) {
+ $ds = DIRECTORY_SEPARATOR;
+ if($ds=="") $ds = "/";
+ $dircode=$_SESSION["locr"] . $ds . "private" . $ds . "cookies";
+ @mkdir($dircode);
+ $dircode .= $ds . $contest . '-' . $name;
+ if(@file_exists($dircode)) {
+ if(($prevuser = @file_get_contents($dircode)) === false) {
+ if($dolog) {
+ @file_put_contents($dircode . '.log', time() . '|' . $prevuser . '|' . $coo[0] . '|' . $coo[1] . '|' . $gip . "|file\n", FILE_APPEND | LOCK_EX);
+ LOGLevel("User $name contest $contest has a cookie file problem.",2);
+ }
+ return false;
+ }
+ if($prevuser != $coo[1]) {
+ if($dolog) {
+ @file_put_contents($dircode . '.log', time() . '|' . $prevuser . '|' . $coo[0] . '|' . $coo[1] . '|' . $gip . "|invalid\n", FILE_APPEND | LOCK_EX);
+ LOGLevel("User $name contest $contest has invalid cookie.",2);
+ }
+ if($_SESSION["usertable"]["usertype"] == 'team' && $coo[0] < time()-10)
+ return false;
+ @file_put_contents($dircode, $coo[1]);
+ }
+ } else {
+ @file_put_contents($dircode, $coo[1]);
+ }
+ } else {
+ LOGLevel("User $name contest $contest has bad cookie.",2);
+ return false;
+ }
+ return true;
+}
+
 // verifica se a sessao esta aberta e ok
 function ValidSession() {
- if (!isset($_SESSION["usertable"])) return(FALSE);
- $gip = getIP();
+ if (!isset($_SESSION["usertable"])) return(FALSE);
+ if($_SESSION["usertable"]["usersession"] != session_id()) return(FALSE);
+ $gip = getIP();
+ if(!ValidCookie()) return false;
+
+
 // cassiopc: sites that use multiple IP addresses to go out create a serious problem to check IPs...
 // if(substr($_SESSION["usertable"]["userip"],0,6) != '157.92') {
 // if ($_SESSION["usertable"]["userip"] != $gip ||
diff --git a/src/index.php b/src/index.php
index 7b162bd..7bdbb81 100644
--- a/src/index.php
+++ b/src/index.php
@@ -49,6 +49,19 @@ if(isset($_GET["getsessionid"])) {
 echo session_id();
 exit;
 }
+
+$coo = array();
+if(isset($_COOKIE['biscoitobocabombonera'])) {
+ $coo = explode('-',$_COOKIE['biscoitobocabombonera']);
+ if(count($coo) != 2 ||
+ strlen($coo[1])!=strlen(myhash('xxx')) ||
+ !is_numeric($coo[0]) ||
+ !ctype_alnum($coo[1]))
+ $coo = array();
+}
+if(count($coo) != 2)
+ setcookie('biscoitobocabombonera',time() . '-' . myhash(time() . rand() . time() . rand()),time() + 240*3600);
+
 ob_end_flush();
 require_once('version.php');
|
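Review bot: In ValidCookie the freshness test `$coo[0] < time()-10` reads the timestamp from the cookie the client sent, so it reflects when the client says the cookie was issued rather than when the server last accepted it; if the intent is to limit how quickly a different cookie may replace the stored one, the server should write its own `time()` next to the hash in the cookie file and compare against that value. In the `=== false` branch `$prevuser` is `false` when it is written to the `.log` line, so that field is always empty; writing the `$dircode` path there instead would make the entry useful. `ValidSession()` calls `ValidCookie()` without `$dolog`, so on the session path only the unconditional "bad cookie" message reaches the log. `$contest . '-' . $name` taken from the session becomes the cookie file name; if usernames are not restricted to alphanumerics, the name needs a character whitelist before it is used in a path.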
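Review bot: The cookie value is built from `rand()` and `time()`, neither of which is unpredictable, and `setcookie` is called without the HttpOnly flag, so the token ValidCookie later treats as a second session factor is both guessable and readable from page scripts. Use the CSPRNG and set the flag: `setcookie('biscoitobocabombonera', time() . '-' . myhash(bin2hex(random_bytes(32))), time() + 240*3600, '/', '', false, true);`, with the sixth argument set to true wherever the site is served over HTTPS. The parsing block above is a copy of the one in ValidCookie (globals.php); extracting it into a shared helper that returns the two fields or an empty array would keep the two validations from drifting apart.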