diff options
Diffstat (limited to 'src')
| -rw-r--r-- | src/admin/export.php | 2 | ||||
| -rw-r--r-- | src/admin/files.php | 1 | ||||
| -rw-r--r-- | src/admin/problem.php | 16 | ||||
| -rw-r--r-- | src/filedownload.php | 4 | ||||
| -rw-r--r-- | src/getcode.php | 10 | ||||
| -rwxr-xr-x | src/globals.php | 14 | ||||
| -rw-r--r-- | src/hex.php | 23 | ||||
| -rw-r--r-- | src/judge/runedit.php | 2 | ||||
| -rw-r--r-- | src/site/get.php | 2 | ||||
| -rw-r--r-- | src/system/importxml.php | 2 | ||||
| -rw-r--r-- | src/team/run.php | 9 | ||||
| -rw-r--r-- | src/version | 2 | ||||
| -rw-r--r-- | src/versionnum.php | 4 |
13 files changed, 58 insertions, 33 deletions
diff --git a/src/admin/export.php b/src/admin/export.php index 2682c94..10a595d 100644 --- a/src/admin/export.php +++ b/src/admin/export.php @@ -51,7 +51,7 @@ if(isset($_POST["Submit"]) || isset($_POST['Submit1'])) { if(isset($_POST['nopassword']) && $_POST['nopassword']=='true') echo $xml; else - echo rawurlencode($_POST['challenge']) . " " . encryptData($xml,($_POST['password'])); + echo myrawurlencode($_POST['challenge']) . " " . encryptData($xml,($_POST['password'])); exit; } } diff --git a/src/admin/files.php b/src/admin/files.php index 16f0f2d..30ce320 100644 --- a/src/admin/files.php +++ b/src/admin/files.php @@ -59,7 +59,6 @@ for ($i=0; $i<count($run); $i++) { echo " <td nowrap>" . dateconvsimple($run[$i]["timestamp"]) . "</td>\n"; echo " <td nowrap>" . $run[$i]["usernumber"] . " (" . $run[$i]["usersitenumber"] . ")</td>\n"; - $if = rawurlencode($run[$i]["filename"]); if($run[$i]["status"]=="active") { echo "<td nowrap><a href=\"../filedownload.php?". filedownload($run[$i]["oid"],$run[$i]["filename"]) . "\">"; echo $run[$i]["filename"] . "</a>"; diff --git a/src/admin/problem.php b/src/admin/problem.php index 39ce953..33e887c 100644 --- a/src/admin/problem.php +++ b/src/admin/problem.php @@ -26,7 +26,7 @@ if(($ct = DBContestInfo($_SESSION["usertable"]["contestnumber"])) == null) if (isset($_GET["delete"]) && is_numeric($_GET["delete"]) && isset($_GET["input"])) { $param = array(); $param['number']=$_GET["delete"]; - $param['inputfilename']=$_GET["input"]; + $param['inputfilename']=myrawurldecode($_GET["input"]); if(!DBDeleteProblem ($_SESSION["usertable"]["contestnumber"], $param)) { MSGError('Error deleting problem'); LogError('Error deleting problem'); @@ -94,9 +94,9 @@ if(isset($_POST['Submit5']) && $_POST['Submit5']=='Send') { @mkdir($dir . $ds . 'output'); @mkdir($dir . $ds . 'tests'); @mkdir($dir . $ds . 'description'); - $filea = array('compare' . $ds . 'c','compare' . $ds . 'cpp','compare' . $ds . 'java', - 'compile' . $ds . 'c','compile' . $ds . 'cpp','compile' . $ds . 'java', - 'run' . $ds . 'c','run' . $ds . 'cpp','run' . $ds . 'java'); + $filea = array('compare' . $ds . 'c','compare' . $ds . 'cc','compare' . $ds . 'java','compare' . $ds . 'py2','compare' . $ds . 'py3', + 'compile' . $ds . 'c','compile' . $ds . 'cc','compile' . $ds . 'java','compile' . $ds . 'py2','compile' . $ds . 'py3', + 'run' . $ds . 'c','run' . $ds . 'cc','run' . $ds . 'java','run' . $ds . 'py2','run' . $ds . 'py3'); foreach($filea as $file) { $rfile=$locr . $ds . '..' . $ds . 'doc' . $ds . 'problemexamples' . $ds . 'problemtemplate' . $ds . $file; if(is_readable($rfile)) { @@ -113,8 +113,10 @@ if(isset($_POST['Submit5']) && $_POST['Submit5']=='Send') { if(!isset($tl[1]) || !is_numeric(trim($tl[1]))) $tl[1]='1'; $str = "echo " . trim($tl[0]) . "\necho " . trim($tl[1]) . "\necho 512\necho " . floor(10 + $size1 / 512) . "\nexit 0\n"; file_put_contents($dir . $ds . 'limits' . $ds . 'c',$str); - file_put_contents($dir . $ds . 'limits' . $ds . 'cpp',$str); + file_put_contents($dir . $ds . 'limits' . $ds . 'cc',$str); file_put_contents($dir . $ds . 'limits' . $ds . 'java',$str); + file_put_contents($dir . $ds . 'limits' . $ds . 'py2',$str); + file_put_contents($dir . $ds . 'limits' . $ds . 'py3',$str); $str = "basename=" . trim($_POST['basename']) . "\nfullname=" . trim($_POST['fullname']); if($name2) { @copy($temp2, $dir . $ds . 'description' . $ds . $name2); @@ -260,11 +262,11 @@ for ($i=0; $i<count($prob); $i++) { echo " <tr>\n"; if($prob[$i]["fake"]!='t') { if(strpos($prob[$i]["fullname"],"(DEL)") !== false) { - echo " <td nowrap><a href=\"javascript: conf3('problem.php?delete=" . $prob[$i]["number"] . "&input=" . rawurlencode($prob[$i]["inputfilename"]) . + echo " <td nowrap><a href=\"javascript: conf3('problem.php?delete=" . $prob[$i]["number"] . "&input=" . myrawurlencode($prob[$i]["inputfilename"]) . "')\">" . $prob[$i]["number"]; echo "(deleted)"; } else { - echo " <td nowrap><a href=\"javascript: conf2('problem.php?delete=" . $prob[$i]["number"] . "&input=" . rawurlencode($prob[$i]["inputfilename"]) . + echo " <td nowrap><a href=\"javascript: conf2('problem.php?delete=" . $prob[$i]["number"] . "&input=" . myrawurlencode($prob[$i]["inputfilename"]) . "')\">" . $prob[$i]["number"]; } echo "</a></td>\n"; diff --git a/src/filedownload.php b/src/filedownload.php index 6b56ca9..e1ef6b9 100644 --- a/src/filedownload.php +++ b/src/filedownload.php @@ -34,10 +34,10 @@ if(!isset($_GET["oid"]) || !is_numeric($_GET["oid"]) || !isset($_GET["filename"] } $cf = globalconf(); -$fname = decryptData(rawurldecode($_GET["filename"]), session_id() . $cf["key"]); +$fname = decryptData(myrawurldecode($_GET["filename"]), session_id() . $cf["key"]); if(isset($_GET["msg"])) - $p = myhash($_GET["oid"] . $fname . rawurldecode($_GET["msg"]) . session_id() . $cf["key"]); + $p = myhash($_GET["oid"] . $fname . myrawurldecode($_GET["msg"]) . session_id() . $cf["key"]); else $p = myhash($_GET["oid"] . $fname . session_id() . $cf["key"]); diff --git a/src/getcode.php b/src/getcode.php index 407a00b..677aeeb 100644 --- a/src/getcode.php +++ b/src/getcode.php @@ -25,7 +25,13 @@ srand(make_seed()); function myhash($k) { return hash('sha256',$k); } -$iv = "1234567812345678"; +if(!function_exists('openssl_cipher_iv_length')) { + MSGError("Encryption error -- php openssl not installed -- contact an admin (" . getFunctionName() .")"); + LogError("Encryption error -- php openssl not installed -- contact an admin (" . getFunctionName() .")"); + return ""; +} +$clen = openssl_cipher_iv_length('aes-256-cbc'); +$iv = substr(myhash(openssl_random_pseudo_bytes($clen)),0,$clen); if(isset($_GET["name"]) && $_GET["name"] != "" ) { $name = $_GET["name"]; @@ -46,7 +52,7 @@ if(isset($_GET["name"]) && $_GET["name"] != "" ) { "chmod 600 /root/submissions/code\n"; if(($str = @file_get_contents("/var/www/boca/src/private/run-past.code")) !== false) $txt .= $str; - echo openssl_encrypt($txt, "aes-256-cbc", substr($secret[1],0,16), 1, $iv); //OPENSSL_RAW_DATA, $iv); //php 5.4.0 + echo $iv . ":\n" . openssl_encrypt($txt, "aes-256-cbc", substr($secret[1],0,32), OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $iv); //OPENSSL_RAW_DATA, $iv); //php 5.4.0 @file_put_contents("/var/www/boca/src/private/run-past.log", $name . "|" . $cc . "|" . date(DATE_RFC2822) . "\n", LOCK_EX | FILE_APPEND); exit; } diff --git a/src/globals.php b/src/globals.php index fbbecce..f49d26b 100755 --- a/src/globals.php +++ b/src/globals.php @@ -32,12 +32,20 @@ function sanitizeVariables(&$item, $key) } } +function myrawurlencode($txt) { + return(rawurlencode(base64_encode($txt))); +} + +function myrawurldecode($txt) { + return(rawurldecode(base64_encode($txt))); +} + function filedownload($oid,$fname,$msg='') { $cf = globalconf(); - $if = rawurlencode(encryptData($fname, session_id() . $cf['key'],false)); + $if = myrawurlencode(encryptData($fname, session_id() . $cf['key'],false)); $p = myhash($oid . $fname . $msg . session_id() . $cf["key"]); $str = "oid=". $oid . "&filename=". $if . "&check=" . $p; - if($msg != '') $str .= "&msg=" . rawurlencode($msg); + if($msg != '') $str .= "&msg=" . myrawurlencode($msg); return $str; } function dirrec($dir, $user, $group, $dirPermissions, $filePermissions, $avoid=array()) { @@ -217,6 +225,8 @@ function sanitizeFilename($text) } function unsanitizeText($text) { + $text = str_replace("<", "<", $text); + $text = str_replace(">", ">", $text); $text = str_replace("&", "&", $text); return $text; } diff --git a/src/hex.php b/src/hex.php index 104b331..2062d69 100644 --- a/src/hex.php +++ b/src/hex.php @@ -15,7 +15,7 @@ // You should have received a copy of the GNU General Public License // along with this program. If not, see <http://www.gnu.org/licenses/>. //////////////////////////////////////////////////////////////////////////////// -// Last modified: 21/july/2012 by cassio@ime.usp.br +// Last modified: 22/aug/2018 by cassio@ime.usp.br function myshorthash($k) { return hash('sha1',$k); } @@ -27,26 +27,30 @@ function myhmac($k,$d) { } function encryptData($text,$key,$compress=true) { - if(!function_exists('mcrypt_get_iv_size')) { - MSGError("Encryption error -- mcrypt not installed -- contact an admin (" . getFunctionName() .")"); - LogError("Encryption error -- mcrypt not installed -- contact an admin (" . getFunctionName() .")"); + if(!function_exists('openssl_cipher_iv_length')) { + MSGError("Encryption error -- php openssl not installed -- contact an admin (" . getFunctionName() .")"); + LogError("Encryption error -- php openssl not installed -- contact an admin (" . getFunctionName() .")"); return ""; } - $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_CBC); - $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND); + $iv = openssl_random_pseudo_bytes(openssl_cipher_iv_length('aes-256-cbc')); $key = myhash($key . "123456789012345678901234567890"); // . myhash($key); $grade='##'; if($compress) { $text = zipstr($text); $grade = '@#'; } - $crypttext = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, substr(pack("H*", $key),0,32), $text . myshorthash($text) . $grade, MCRYPT_MODE_CBC, $iv); + $crypttext = openssl_encrypt($text . myshorthash($text) . $grade, 'aes-256-cbc', substr(pack("H*", $key),0,32), OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $iv); return base64_encode($crypttext . $iv); } function decryptData($crypttext,$key,$txt='') { + if(!function_exists('openssl_cipher_iv_length')) { + MSGError("Encryption error -- php openssl not installed -- contact an admin (" . getFunctionName() .")"); + LogError("Encryption error -- php openssl not installed -- contact an admin (" . getFunctionName() .")"); + return ""; + } $crypttext = base64_decode($crypttext); - $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_CBC); + $iv = openssl_random_pseudo_bytes(openssl_cipher_iv_length('aes-256-cbc')); $test1=''; $test2='x'; $clen = strlen($crypttext); @@ -54,7 +58,8 @@ function decryptData($crypttext,$key,$txt='') { $iv = substr($crypttext, $clen-$iv_size, $iv_size); $crypttext = substr($crypttext, 0, $clen-$iv_size); $key = myhash($key . "123456789012345678901234567890"); // . myhash($key); - $decrypttext = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, substr(pack("H*", $key),0,32), $crypttext, MCRYPT_MODE_CBC, $iv); + + $decrypttext = openssl_decrypt($crypttext, 'aes-256-cbc', substr(pack("H*", $key),0,32), OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $iv); $pos = strrpos($decrypttext,"#"); $iscompressed=false; if(substr($decrypttext,$pos-1,1)=='@') $iscompressed=true; diff --git a/src/judge/runedit.php b/src/judge/runedit.php index e53b3a3..c77f26e 100644 --- a/src/judge/runedit.php +++ b/src/judge/runedit.php @@ -101,8 +101,6 @@ $b = DBGetProblemData($_SESSION["usertable"]["contestnumber"], $a["problemnumber <td width="83%"> <?php for ($i=0;$i<count($b);$i++) { - $if = rawurlencode($b[$i]["inputfilename"]); - echo "<a href=\"../filedownload.php?". filedownload($b[$i]["inputoid"],$b[$i]["inputfilename"]) . "\">"; echo basename($b[$i]["inputfilename"]) . "</a>"; } diff --git a/src/site/get.php b/src/site/get.php index 81ede0d..45efd68 100644 --- a/src/site/get.php +++ b/src/site/get.php @@ -46,7 +46,7 @@ if($ct["contestlocalsite"]==$ct["contestmainsite"]) { } if(isset($_POST) && isset($_POST['xml'])) { // $fp=fopen('/tmp/aaa',"w"); fwrite($fp,$_POST['xml']); fclose($fp); - $s = decryptData(rawurldecode($_POST['xml']),myhash($_SESSION["usertable"]["userpassword"])); + $s = decryptData($_POST['xml'],myhash($_SESSION["usertable"]["userpassword"])); // $fp=fopen('/tmp/aaa1',"w"); fwrite($fp,$s); fclose($fp); $ac=array(); diff --git a/src/system/importxml.php b/src/system/importxml.php index 5fcaef3..6e6107e 100644 --- a/src/system/importxml.php +++ b/src/system/importxml.php @@ -156,7 +156,7 @@ if(isset($_POST["Submit"])) { exit; } else - $id = rawurldecode(strtok($ar," \n\t")); + $id = myrawurldecode(strtok($ar," \n\t")); } } } else { diff --git a/src/team/run.php b/src/team/run.php index 077b76c..10e7c76 100644 --- a/src/team/run.php +++ b/src/team/run.php @@ -295,7 +295,9 @@ if(!isset($_SESSION['forceredo']) || $_SESSION['forceredo']==false) { list($d) = sscanf($strtmp,"%*s %d"); if($d > time() - $actualdelay) { $conf=globalconf(); - $strtmp = decryptData(substr($strtmp,strpos($strtmp,"\n")+1),$conf["key"],'runtmp'); + if(isset($conf['doenc']) && $conf['doenc']) + $strtmp = decryptData(substr($strtmp,strpos($strtmp,"\n")+1),$conf["key"],'runtmp'); + else $strtmp = substr($strtmp,strpos($strtmp,"\n")+1); if($strtmp !== false) $redo = FALSE; } @@ -416,7 +418,10 @@ if($redo) { "</form>\n"; } $conf=globalconf(); - $strtmp1 = "<!-- " . time() . " --> <?php exit; ?>\t" . encryptData($strcolors,$conf["key"],false) . "\n" . encryptData($strtmp,$conf["key"],false); + if(isset($conf['doenc']) && $conf['doenc']) + $strtmp1 = "<!-- " . time() . " --> <?php exit; ?>\t" . encryptData($strcolors,$conf["key"],false) . "\n" . encryptData($strtmp,$conf["key"],false); + else + $strtmp1 = "<!-- " . time() . " --> <?php exit; ?>\t" . $strcolors . "\n" . $strtmp; $randnum = session_id() . "_" . rand(); if(file_put_contents($runtmp . "_" . $randnum, $strtmp1,LOCK_EX)===FALSE) { if(!isset($_SESSION['writewarn'])) { diff --git a/src/version b/src/version index e466e5e..99637e4 100644 --- a/src/version +++ b/src/version @@ -1 +1 @@ -boca-1.5.13 +boca-1.5.14 diff --git a/src/versionnum.php b/src/versionnum.php index a833695..fc9810f 100644 --- a/src/versionnum.php +++ b/src/versionnum.php @@ -1,5 +1,5 @@ <?php -$BOCAVERSION='boca-1.5.13'; -$YEAR='2017'; +$BOCAVERSION='boca-1.5.14'; +$YEAR='2018'; ?> |