Diffstat (limited to 'src')
| -rw-r--r-- | src/.htaccess | 12 | ||||
| -rw-r--r-- | src/admin/clar.php | 4 | ||||
| -rw-r--r-- | src/admin/claredit.php | 5 | ||||
| -rw-r--r-- | src/admin/export.php | 2 | ||||
| -rw-r--r-- | src/admin/files.php | 1 | ||||
| -rw-r--r-- | src/admin/problem.php | 6 | ||||
| -rw-r--r-- | src/admin/report/clar.php | 4 | ||||
| -rw-r--r-- | src/fcontest.php | 10 | ||||
| -rw-r--r-- | src/filedownload.php | 4 | ||||
| -rw-r--r-- | src/filewindow.php | 4 | ||||
| -rw-r--r-- | src/frun.php | 22 | ||||
| -rw-r--r-- | src/getcode.php | 20 | ||||
| -rwxr-xr-x | src/globals.php | 17 | ||||
| -rw-r--r-- | src/hex.php | 24 | ||||
| -rw-r--r-- | src/judge/clar.php | 4 | ||||
| -rw-r--r-- | src/judge/claredit.php | 4 | ||||
| -rw-r--r-- | src/judge/history.php | 4 | ||||
| -rw-r--r-- | src/judge/runedit.php | 2 | ||||
| -rw-r--r-- | src/judge/team.php | 2 | ||||
| -rw-r--r-- | src/logexternal.php | 35 | ||||
| -rw-r--r-- | src/scoretable.php | 7 | ||||
| -rw-r--r-- | src/site/get.php | 2 | ||||
| -rw-r--r-- | src/system/importxml.php | 2 | ||||
| -rw-r--r-- | src/team/clar.php | 4 | ||||
| -rw-r--r-- | src/team/header.php | 7 | ||||
| -rw-r--r-- | src/team/run.php | 11 | ||||
| -rw-r--r-- | src/version | 2 | ||||
| -rw-r--r-- | src/versionnum.php | 4 |
28 files changed, 141 insertions, 84 deletions
diff --git a/src/.htaccess b/src/.htaccess index 7c89b5b..99fda17 100644 --- a/src/.htaccess +++ b/src/.htaccess @@ -1,5 +1,7 @@ -php_flag output_buffering on -php_value memory_limit 1024M -php_value post_max_size 128M -php_flag magic_quotes_gpc off -php_value upload_max_filesize 128M +<IfModule !mod_proxy_fcgi.c> + php_flag output_buffering on + php_value memory_limit 1024M + php_value post_max_size 128M + php_flag magic_quotes_gpc off + php_value upload_max_filesize 128M +</IfModule> diff --git a/src/admin/clar.php b/src/admin/clar.php index 66a7b0d..9d02d11 100644 --- a/src/admin/clar.php +++ b/src/admin/clar.php @@ -92,13 +92,13 @@ for ($i=0; $i<count($clar); $i++) { echo " <td>"; // echo "<pre>" . $clar[$i]["question"] . "</pre>"; // echo $clar[$i]["question"]; - echo " <textarea name=\"m$i\" cols=\"60\" rows=\"8\" readonly>".$clar[$i]["question"]."</textarea>\n"; + echo " <textarea name=\"m$i\" cols=\"60\" rows=\"8\" readonly>". unsanitizeText($clar[$i]["question"]) ."</textarea>\n"; echo "</td>\n"; if (trim($clar[$i]["answer"]) == "") $clar[$i]["answer"] = "Not answered yet"; echo " <td>"; // echo " <pre>" . $clar[$i]["answer"] . "</pre>"; // echo $clar[$i]["answer"]; - echo " <textarea name=\"a$i\" cols=\"60\" rows=\"8\" readonly>".$clar[$i]["answer"]."</textarea>\n"; + echo " <textarea name=\"a$i\" cols=\"60\" rows=\"8\" readonly>". unsanitizeText($clar[$i]["answer"]) ."</textarea>\n"; echo "</td>\n"; echo " </tr>\n"; diff --git a/src/admin/claredit.php b/src/admin/claredit.php index 5eb812f..cf9785c 100644 --- a/src/admin/claredit.php +++ b/src/admin/claredit.php 
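Review bot: With the directives wrapped in `<IfModule !mod_proxy_fcgi.c>`, a host that serves PHP through mod_proxy_fcgi gets none of these limits, and nothing in the file says where they have to be set instead. A comment above the block would help, for example `# With PHP-FPM, set memory_limit, post_max_size and upload_max_filesize in the pool configuration or a .user.ini; php_value/php_flag are not available there`. Without it, submissions larger than the PHP defaults will presumably start failing on such hosts with no obvious cause.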
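Review bot: The value returned by `unsanitizeText()` is echoed directly into the `<textarea>` body on both changed lines. If the helper restores raw `<` and `>`, as its name suggests, a clarification containing a closing textarea tag ends the element early and the rest is parsed as markup in the viewer's browser. The text should be escaped for the HTML context at output, e.g. `htmlspecialchars(unsanitizeText($clar[$i]["question"]), ENT_QUOTES, 'UTF-8')`, and likewise for `answer`. The same pattern is added in admin/claredit.php, admin/report/clar.php, judge/clar.php, judge/claredit.php, judge/history.php and team/clar.php. The enclosing `for` loop starts and ends outside the hunk.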
@@ -125,14 +125,13 @@ if (($a = DBChiefGetClarToAnswer($clarnumber, $clarsitenumber, <tr> <td width="20%" align=right><b>Clarification:</b></td> <td width="80%"> - <textarea name="message" readonly cols="60" rows="8"><?php echo $a["question"]; ?> - </textarea> + <textarea name="message" readonly cols="60" rows="8"><?php echo unsanitizeText($a["question"]); ?></textarea> </td> </tr> <tr> <td width="20%" align=right><b>Answer:</b></td> <td width="80%"> - <textarea name="answer" cols="60" rows="8"><?php echo $a["answer"]; ?></textarea> + <textarea name="answer" cols="60" rows="8"><?php echo unsanitizeText($a["answer"]); ?></textarea> </td> </tr> <tr> diff --git a/src/admin/export.php b/src/admin/export.php index 2682c94..10a595d 100644 --- a/src/admin/export.php +++ b/src/admin/export.php @@ -51,7 +51,7 @@ if(isset($_POST["Submit"]) || isset($_POST['Submit1'])) { if(isset($_POST['nopassword']) && $_POST['nopassword']=='true') echo $xml; else - echo rawurlencode($_POST['challenge']) . " " . encryptData($xml,($_POST['password'])); + echo myrawurlencode($_POST['challenge']) . " " . encryptData($xml,($_POST['password'])); exit; } } diff --git a/src/admin/files.php b/src/admin/files.php index 16f0f2d..30ce320 100644 --- a/src/admin/files.php +++ b/src/admin/files.php @@ -59,7 +59,6 @@ for ($i=0; $i<count($run); $i++) { echo " <td nowrap>" . dateconvsimple($run[$i]["timestamp"]) . "</td>\n"; echo " <td nowrap>" . $run[$i]["usernumber"] . " (" . $run[$i]["usersitenumber"] . ")</td>\n"; - $if = rawurlencode($run[$i]["filename"]); if($run[$i]["status"]=="active") { echo "<td nowrap><a href=\"../filedownload.php?". filedownload($run[$i]["oid"],$run[$i]["filename"]) . "\">"; echo $run[$i]["filename"] . "</a>"; diff --git a/src/admin/problem.php b/src/admin/problem.php index a01bd35..33e887c 100644 --- a/src/admin/problem.php +++ b/src/admin/problem.php 
@@ -26,7 +26,7 @@ if(($ct = DBContestInfo($_SESSION["usertable"]["contestnumber"])) == null) if (isset($_GET["delete"]) && is_numeric($_GET["delete"]) && isset($_GET["input"])) { $param = array(); $param['number']=$_GET["delete"]; - $param['inputfilename']=$_GET["input"]; + $param['inputfilename']=myrawurldecode($_GET["input"]); if(!DBDeleteProblem ($_SESSION["usertable"]["contestnumber"], $param)) { MSGError('Error deleting problem'); LogError('Error deleting problem'); @@ -262,11 +262,11 @@ for ($i=0; $i<count($prob); $i++) { echo " <tr>\n"; if($prob[$i]["fake"]!='t') { if(strpos($prob[$i]["fullname"],"(DEL)") !== false) { - echo " <td nowrap><a href=\"javascript: conf3('problem.php?delete=" . $prob[$i]["number"] . "&input=" . rawurlencode($prob[$i]["inputfilename"]) . + echo " <td nowrap><a href=\"javascript: conf3('problem.php?delete=" . $prob[$i]["number"] . "&input=" . myrawurlencode($prob[$i]["inputfilename"]) . "')\">" . $prob[$i]["number"]; echo "(deleted)"; } else { - echo " <td nowrap><a href=\"javascript: conf2('problem.php?delete=" . $prob[$i]["number"] . "&input=" . rawurlencode($prob[$i]["inputfilename"]) . + echo " <td nowrap><a href=\"javascript: conf2('problem.php?delete=" . $prob[$i]["number"] . "&input=" . myrawurlencode($prob[$i]["inputfilename"]) . "')\">" . $prob[$i]["number"]; } echo "</a></td>\n"; diff --git a/src/admin/report/clar.php b/src/admin/report/clar.php index 61816d9..27616d5 100644 --- a/src/admin/report/clar.php +++ b/src/admin/report/clar.php 
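Review bot: `myrawurldecode($_GET["input"])` in the first hunk produces a value that travelled base64-wrapped, so any request-level filtering (globals.php defines `sanitizeVariables`, presumably applied to request variables) only ever saw the encoded form, and the decoded bytes go unchanged into `DBDeleteProblem`. Unless that function escapes or parameterizes `inputfilename` itself, which is not visible here, the decoded value needs its own validation before use, for example `$param['inputfilename'] = sanitizeFilename(myrawurldecode($_GET["input"]));` if stored names are already in that form. In filedownload.php and filewindow.php the decoded values are at least bound by the keyed `myhash` check, but system/importxml.php decodes `$id` the same way without a visible check. A short comment on `myrawurldecode` in globals.php stating that its result is raw, unsanitized input would make this hard to miss.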
@@ -63,13 +63,13 @@ for ($i=0; $i<count($clar); $i++) { echo " <td>"; // echo "<pre>" . $clar[$i]["question"] . "</pre>"; // echo $clar[$i]["question"]; - echo " <textarea name=\"m$i\" cols=\"60\" rows=\"8\" readonly>".$clar[$i]["question"]."</textarea>\n"; + echo " <textarea name=\"m$i\" cols=\"60\" rows=\"8\" readonly>". unsanitizeText($clar[$i]["question"]) ."</textarea>\n"; echo "</td>\n"; if (trim($clar[$i]["answer"]) == "") $clar[$i]["answer"] = "Not answered yet"; echo " <td>"; // echo " <pre>" . $clar[$i]["answer"] . "</pre>"; // echo $clar[$i]["answer"]; - echo " <textarea name=\"a$i\" cols=\"60\" rows=\"8\" readonly>".$clar[$i]["answer"]."</textarea>\n"; + echo " <textarea name=\"a$i\" cols=\"60\" rows=\"8\" readonly>". unsanitizeText($clar[$i]["answer"]) ."</textarea>\n"; echo "</td>\n"; echo " </tr>\n"; diff --git a/src/fcontest.php b/src/fcontest.php index e61631b..ccd3e11 100644 --- a/src/fcontest.php +++ b/src/fcontest.php @@ -125,7 +125,7 @@ CREATE TABLE \"sitetimetable\" ( $r = DBexec($c, "CREATE INDEX \"sitetimesite_index\" ON \"sitetimetable\" USING btree ". "(\"contestnumber\" int4_ops, \"sitenumber\" int4_ops)", "DBCreateSiteTimeTable(create site_index)"); } -// begin; update answertable set updatetime=EXTRACT(EPOCH FROM now()); +// begin; update answertable set updatetime=EXTRACT(EPOCH FROM now()); select * from answertable; // begin; update langtable set updatetime=EXTRACT(EPOCH FROM now()); select * from langtable; // begin; update problemtable set updatetime=EXTRACT(EPOCH FROM now()); select * from problemtable; @@ -1387,6 +1387,10 @@ function siteclock() { return array("contest not running",-1000000000); if ($s["currenttime"]<0) { $t = - $s["currenttime"]; + if($t>3600*24) { + $t = ((int) ($t/(360*24)))/10; + return array("> ". $t . " day(s) to start",$s["currenttime"]); + } if($t>3600) { $t = ((int) ($t/360))/10; return array("> ". $t . " hour(s) to start",$s["currenttime"]); 
@@ -1401,6 +1405,10 @@ function siteclock() { if ($s["currenttime"]>=0) { $t = $s["siteduration"] - $s["currenttime"]; $str = ''; + if($t >= 3600*24) { + $str .= ((int)($t/(3600*24))) . 'd '; + $t = $t % (3600*24); + } if($t >= 3600) { $str .= ((int)($t/3600)) . 'h '; $t = $t % 3600; diff --git a/src/filedownload.php b/src/filedownload.php index 6b56ca9..e1ef6b9 100644 --- a/src/filedownload.php +++ b/src/filedownload.php @@ -34,10 +34,10 @@ if(!isset($_GET["oid"]) || !is_numeric($_GET["oid"]) || !isset($_GET["filename"] } $cf = globalconf(); -$fname = decryptData(rawurldecode($_GET["filename"]), session_id() . $cf["key"]); +$fname = decryptData(myrawurldecode($_GET["filename"]), session_id() . $cf["key"]); if(isset($_GET["msg"])) - $p = myhash($_GET["oid"] . $fname . rawurldecode($_GET["msg"]) . session_id() . $cf["key"]); + $p = myhash($_GET["oid"] . $fname . myrawurldecode($_GET["msg"]) . session_id() . $cf["key"]); else $p = myhash($_GET["oid"] . $fname . session_id() . $cf["key"]); diff --git a/src/filewindow.php b/src/filewindow.php index 64bd1ec..375fac0 100644 --- a/src/filewindow.php +++ b/src/filewindow.php @@ -36,10 +36,10 @@ if(!isset($_GET["oid"]) || !is_numeric($_GET["oid"]) || !isset($_GET["filename"] } $cf = globalconf(); -$fname = decryptData(rawurldecode($_GET["filename"]), session_id() . $cf["key"]); +$fname = decryptData(myrawurldecode($_GET["filename"]), session_id() . $cf["key"]); $msg = ''; if(isset($_GET["msg"])) - $msg = rawurldecode($_GET["msg"]); + $msg = myrawurldecode($_GET["msg"]); $p = myhash($_GET["oid"] . $fname . $msg . session_id() . $cf["key"]); diff --git a/src/frun.php b/src/frun.php index a2efb73..bbb20e9 100644 --- a/src/frun.php +++ b/src/frun.php 
@@ -166,9 +166,10 @@ function DBUpdateRunC($contest, $usersite, $usernumber, $runsite, $runnumber, $a if($chief == 1 || ($outra != 0 && $outra == $answer && $temp["runstatus"] != "judged+") || ($outra != 0 && $outra == $answer && $temp["runanswer"]==$answer)) { $newstatus = 'judged'; + $tans = max($t,$temp['rundatediff']); DBExec($c, "update runtable set runstatus='judged', " . "runjudge=$usernumber, runjudgesite=$usersite, " . - "runanswer=$answer, rundatediffans=$t, updatetime=".time()." " . + "runanswer=$answer, rundatediffans=$tans, updatetime=".time()." " . "where contestnumber=$contest and runnumber=$runnumber and runsitenumber=$runsite", "DBUpdateRunC(update run)"); 
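Review bot: `$tans = max($t,$temp['rundatediff']);` compares a PHP value with what appears to be a column read back from the run row and then interpolates the result unquoted into the `update runtable` statement. Casting both operands keeps the comparison numeric and guarantees that only an integer reaches the SQL text: `$tans = max((int)$t, (int)$temp['rundatediff']);`. A one-line comment saying why the answer time is clamped to be no earlier than the run's own time would also help, since the intent can only be guessed from the column names. DBUpdateRunC's body starts and ends outside the hunk.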
@@ -359,13 +360,14 @@ function DBGetRunToAnswerC($number,$site,$contest,$chief) { "r.runnumber=$number"; if ($chief != 1) { $sql .= " and (r.runstatus='openrun' or " . - "(r.runstatus='judged+' and r.runjudge is NULL) or " . - "((r.runstatus='judging' or r.runstatus='judged+') and " . - " (r.runjudge1 is null or r.runjudge2 is null or " . - " ((r.runjudge1=" . $_SESSION["usertable"]["usernumber"] . " and " . - " r.runjudgesite1=" . $_SESSION["usertable"]["usersitenumber"] . ") or " . - " (r.runjudge2=" . $_SESSION["usertable"]["usernumber"] . " and " . - " r.runjudgesite2=" . $_SESSION["usertable"]["usersitenumber"] . ")))))"; + "(r.runstatus='judged+' and r.runjudge is NULL) or " . + "((r.runstatus='judging' or r.runstatus='judged+') and " . + " (r.runjudge1 is null or " . + " (r.runjudge2 is null)" . // " and (" . $_SESSION["usertable"]["usernumber"] . ">=120000 or r.runjudge1>=120000))" . + " or ((r.runjudge1=" . $_SESSION["usertable"]["usernumber"] . " and " . + " r.runjudgesite1=" . $_SESSION["usertable"]["usersitenumber"] . ") or " . + " (r.runjudge2=" . $_SESSION["usertable"]["usernumber"] . " and " . + " r.runjudgesite2=" . $_SESSION["usertable"]["usersitenumber"] . ")))))"; $tx = "Judge"; } else $tx = "Chief"; $r = DBExec ($c, $sql . " for update", "DBGetRunToAnswerC(get run/prob/lang for update)"); @@ -505,8 +507,8 @@ function DBUpdateRunAutojudging($contest, $site, $number, $ip, $answer, $stdout, DBExec($c, "commit work", "DBUpdateRunAutojudging(commit)"); LOGLevel("Autojudging answered a run (run=$number, site=$site, contest=$contest, answer='$answer', retval=$retval)", 3); return true; - //} - } + } + //} } //echo "DEBUG: $contest, $site, " .$a["usernumber"].", $site, $number, $retval\n"; if(DBUpdateRunO($contest, $site, $a["usernumber"], $site, $number, $retval, $c)==false) { diff --git a/src/getcode.php b/src/getcode.php index 407a00b..fcc45cd 100644 --- a/src/getcode.php +++ b/src/getcode.php 
@@ -1,5 +1,6 @@ <?php ob_start(); +require_once('globals.php'); header ("Expires: " . gmdate("D, d M Y H:i:s") . " GMT"); header ("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT"); header ("Cache-Control: no-cache, must-revalidate"); @@ -22,10 +23,16 @@ function make_seed() } srand(make_seed()); -function myhash($k) { - return hash('sha256',$k); +//function myhash($k) { +// return hash('sha256',$k); +//} +if(!function_exists('openssl_cipher_iv_length')) { + MSGError("Encryption error -- php openssl not installed -- contact an admin (" . getFunctionName() .")"); + LogError("Encryption error -- php openssl not installed -- contact an admin (" . getFunctionName() .")"); + return ""; } -$iv = "1234567812345678"; +$clen = openssl_cipher_iv_length('aes-256-cbc'); +$iv = substr(myhash(openssl_random_pseudo_bytes($clen)),0,$clen); if(isset($_GET["name"]) && $_GET["name"] != "" ) { $name = $_GET["name"]; @@ -36,7 +43,8 @@ if(isset($_GET["name"]) && $_GET["name"] != "" ) { $p = myhash($secret[1] . session_id()); if($name == $secret[0] && $p == $password) { $cc = md5(rand() . rand() . @file_get_contents('/proc/uptime') . rand() . rand()); - $txt = "#!/bin/bash\n" . + $txt = "#!/bin/bash\n" . + "## " . $iv . "\n" . "mkdir -p /root/submissions\n" . "chown root.root /root/submissions\n" . "chmod 700 /root/submissions\n" . 
@@ -46,8 +54,8 @@ if(isset($_GET["name"]) && $_GET["name"] != "" ) { "chmod 600 /root/submissions/code\n"; if(($str = @file_get_contents("/var/www/boca/src/private/run-past.code")) !== false) $txt .= $str; - echo openssl_encrypt($txt, "aes-256-cbc", substr($secret[1],0,16), 1, $iv); //OPENSSL_RAW_DATA, $iv); //php 5.4.0 - @file_put_contents("/var/www/boca/src/private/run-past.log", $name . "|" . $cc . "|" . date(DATE_RFC2822) . "\n", LOCK_EX | FILE_APPEND); + echo $iv . ":" . $clen . ":\n" . openssl_encrypt($txt, "aes-256-cbc", substr($secret[1],0,32), OPENSSL_RAW_DATA, $iv); + @file_put_contents("/var/www/boca/src/private/run-past.log", $name . "|" . $cc . "|" . getIP() . "|" . date(DATE_RFC2822) . "\n", LOCK_EX | FILE_APPEND); exit; } } diff --git a/src/globals.php b/src/globals.php index fbbecce..5183040 100755 --- a/src/globals.php +++ b/src/globals.php @@ -32,12 +32,20 @@ function sanitizeVariables(&$item, $key) } } +function myrawurlencode($txt) { + return(rawurlencode(base64_encode($txt))); +} + +function myrawurldecode($txt) { + return(base64_decode(rawurldecode($txt))); +} + function filedownload($oid,$fname,$msg='') { $cf = globalconf(); - $if = rawurlencode(encryptData($fname, session_id() . $cf['key'],false)); + $if = myrawurlencode(encryptData($fname, session_id() . $cf['key'],false)); $p = myhash($oid . $fname . $msg . session_id() . $cf["key"]); $str = "oid=". $oid . "&filename=". $if . "&check=" . $p; - if($msg != '') $str .= "&msg=" . rawurlencode($msg); + if($msg != '') $str .= "&msg=" . myrawurlencode($msg); return $str; } function dirrec($dir, $user, $group, $dirPermissions, $filePermissions, $avoid=array()) { 
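Review bot: The bash script in `$txt` is sent under AES-256-CBC with no integrity tag, so the receiving side cannot distinguish a modified ciphertext from a genuine one before it acts on the decrypted script. Either use an AEAD mode (`aes-256-gcm` with the `$tag` argument of `openssl_encrypt`) or append `hash_hmac('sha256', $iv . $ct, $mackey)` over IV and ciphertext and verify it on the client before decrypting. The key is also the raw first 32 characters of `$secret[1]`, and a shorter secret is silently zero-padded by OpenSSL; deriving it with `hash('sha256', $secret[1], true)` would avoid that, though it needs the matching change on the client. The enclosing `if` block starts outside the hunk.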
@@ -217,6 +225,11 @@ function sanitizeFilename($text) } function unsanitizeText($text) { + $text = str_replace("<", "<", $text); + $text = str_replace(">", ">", $text); + $text = str_replace("'", "'", $text); + $text = str_replace("`", "`", $text); + $text = str_replace(""", "\"", $text); $text = str_replace("&", "&", $text); return $text; } diff --git a/src/hex.php b/src/hex.php index 104b331..4e9111d 100644 --- a/src/hex.php +++ b/src/hex.php @@ -15,7 +15,7 @@ // You should have received a copy of the GNU General Public License // along with this program. If not, see <http://www.gnu.org/licenses/>. //////////////////////////////////////////////////////////////////////////////// -// Last modified: 21/july/2012 by cassio@ime.usp.br +// Last modified: 22/aug/2018 by cassio@ime.usp.br function myshorthash($k) { return hash('sha1',$k); } 
@@ -27,26 +27,31 @@ function myhmac($k,$d) { } function encryptData($text,$key,$compress=true) { - if(!function_exists('mcrypt_get_iv_size')) { - MSGError("Encryption error -- mcrypt not installed -- contact an admin (" . getFunctionName() .")"); - LogError("Encryption error -- mcrypt not installed -- contact an admin (" . getFunctionName() .")"); + if(!function_exists('openssl_cipher_iv_length')) { + MSGError("Encryption error -- php openssl not installed -- contact an admin (" . getFunctionName() .")"); + LogError("Encryption error -- php openssl not installed -- contact an admin (" . getFunctionName() .")"); return ""; } - $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_CBC); - $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND); + $iv = openssl_random_pseudo_bytes(openssl_cipher_iv_length('aes-256-cbc')); $key = myhash($key . "123456789012345678901234567890"); // . myhash($key); $grade='##'; if($compress) { $text = zipstr($text); $grade = '@#'; } - $crypttext = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, substr(pack("H*", $key),0,32), $text . myshorthash($text) . $grade, MCRYPT_MODE_CBC, $iv); + $crypttext = openssl_encrypt($text . myshorthash($text) . $grade, 'aes-256-cbc', substr(pack("H*", $key),0,32), OPENSSL_RAW_DATA, $iv); return base64_encode($crypttext . $iv); } function decryptData($crypttext,$key,$txt='') { + if(!function_exists('openssl_cipher_iv_length')) { + MSGError("Encryption error -- php openssl not installed -- contact an admin (" . getFunctionName() .")"); + LogError("Encryption error -- php openssl not installed -- contact an admin (" . getFunctionName() .")"); + return ""; + } $crypttext = base64_decode($crypttext); - $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_CBC); + $iv_size = openssl_cipher_iv_length('aes-256-cbc'); + $iv = openssl_random_pseudo_bytes($iv_size); $test1=''; $test2='x'; $clen = strlen($crypttext); 
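Review bot: In `decryptData` the added `$iv = openssl_random_pseudo_bytes($iv_size);` creates a random IV that can never match the one used for encryption; the next hunk appears to overwrite it from the tail of the ciphertext, so the line is dead and should be removed rather than suggest a fresh IV is usable for decryption. In `encryptData` the result of `openssl_encrypt` is not checked, so a failure returns `base64_encode(false . $iv)`, i.e. just the IV; add `if ($crypttext === false) return "";` before the return. `MCRYPT_RIJNDAEL_256` used a 32-byte block and IV while `aes-256-cbc` uses 16, so data written by the previous version will presumably no longer decrypt, which deserves a line in the upgrade notes. decryptData's body continues outside the hunk.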
@@ -54,7 +59,8 @@ function decryptData($crypttext,$key,$txt='') { $iv = substr($crypttext, $clen-$iv_size, $iv_size); $crypttext = substr($crypttext, 0, $clen-$iv_size); $key = myhash($key . "123456789012345678901234567890"); // . myhash($key); - $decrypttext = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, substr(pack("H*", $key),0,32), $crypttext, MCRYPT_MODE_CBC, $iv); + + $decrypttext = openssl_decrypt($crypttext, 'aes-256-cbc', substr(pack("H*", $key),0,32), OPENSSL_RAW_DATA, $iv); $pos = strrpos($decrypttext,"#"); $iscompressed=false; if(substr($decrypttext,$pos-1,1)=='@') $iscompressed=true; diff --git a/src/judge/clar.php b/src/judge/clar.php index a5d56ce..a195af8 100644 --- a/src/judge/clar.php +++ b/src/judge/clar.php @@ -49,7 +49,7 @@ $clar = DBOpenClarsInSites($_SESSION["usertable"]["contestnumber"], $s["sitejudg for ($i=0; $i<count($clar); $i++) { echo " <tr>\n"; - if (strpos($clar[$i]["status"], "answered") === false) + if (strpos($clar[$i]["status"], "answered") === false) // && strpos($_SESSION["usertable"]['username'], "setter") !== false) echo " <td nowrap><a href=\"claredit.php?clarnumber=".$clar[$i]["number"]."&clarsitenumber=".$clar[$i]["site"] . "\">" . $clar[$i]["number"] . "</td>\n"; else @@ -71,7 +71,7 @@ for ($i=0; $i<count($clar); $i++) { echo " <td>"; // echo "<pre>" . $clar[$i]["question"] . "</pre>"; // echo $clar[$i]["question"]; - echo " <textarea name=\"m$i\" cols=\"60\" rows=\"8\" readonly>".$clar[$i]["question"]."</textarea>\n"; + echo " <textarea name=\"m$i\" cols=\"60\" rows=\"8\" readonly>". unsanitizeText($clar[$i]["question"]) ."</textarea>\n"; echo "</td>\n"; echo " </tr>\n"; diff --git a/src/judge/claredit.php b/src/judge/claredit.php index c459747..a5c3265 100644 --- a/src/judge/claredit.php +++ b/src/judge/claredit.php 
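Review bot: `openssl_decrypt` returns `false` when the padding or key is wrong, whereas `mcrypt_decrypt` always returned a string, and the `strrpos($decrypttext,"#")` on the following line now runs on that `false`. Add `if ($decrypttext === false) return "";` (or whatever failure value the rest of the function uses, which is outside the hunk) directly after the call. Since the only integrity check is the unkeyed SHA-1 of the plaintext carried inside the ciphertext, a padding failure should be reported with the same generic error as a checksum mismatch so the two cases are not distinguishable to the caller.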
@@ -111,13 +111,13 @@ if (($a = DBGetClarToAnswer($clarnumber, $clarsitenumber, <tr> <td width="20%" align=right><b>Clarification:</b></td> <td width="80%"> - <textarea name="message" readonly cols="60" rows="8"><?php echo $a["question"]; ?></textarea> + <textarea name="message" readonly cols="60" rows="8"><?php echo unsanitizeText($a["question"]); ?></textarea> </td> </tr> <tr> <td width="20%" align=right><b>Answer:</b></td> <td width="80%"> - <textarea name="answer" cols="60" rows="8"><?php echo $a["answer"]; ?></textarea> + <textarea name="answer" cols="60" rows="8"><?php echo unsanitizeText($a["answer"]); ?></textarea> </td> </tr> <tr> diff --git a/src/judge/history.php b/src/judge/history.php index b612f9a..a6bcc79 100644 --- a/src/judge/history.php +++ b/src/judge/history.php @@ -54,13 +54,13 @@ for ($i=0; $i<count($clar); $i++) { echo " <td>"; // echo "<pre>" . $clar[$i]["question"] . "</pre>"; // echo $clar[$i]["question"]; - echo " <textarea name=\"m$i\" cols=\"60\" rows=\"8\" readonly>".$clar[$i]["question"]."</textarea>\n"; + echo " <textarea name=\"m$i\" cols=\"60\" rows=\"8\" readonly>". unsanitizeText($clar[$i]["question"]) ."</textarea>\n"; echo "</td>\n"; if (trim($clar[$i]["answer"]) == "") $clar[$i]["answer"] = "Not answered yet"; echo " <td>"; // echo " <pre>" . $clar[$i]["answer"] . "</pre>"; // echo $clar[$i]["answer"]; - echo " <textarea name=\"a$i\" cols=\"60\" rows=\"8\" readonly>".$clar[$i]["answer"]."</textarea>\n"; + echo " <textarea name=\"a$i\" cols=\"60\" rows=\"8\" readonly>". unsanitizeText($clar[$i]["answer"]) ."</textarea>\n"; echo "</td>\n"; echo " </tr>\n"; diff --git a/src/judge/runedit.php b/src/judge/runedit.php index e53b3a3..c77f26e 100644 --- a/src/judge/runedit.php +++ b/src/judge/runedit.php 
@@ -101,8 +101,6 @@ $b = DBGetProblemData($_SESSION["usertable"]["contestnumber"], $a["problemnumber <td width="83%"> <?php for ($i=0;$i<count($b);$i++) { - $if = rawurlencode($b[$i]["inputfilename"]); - echo "<a href=\"../filedownload.php?". filedownload($b[$i]["inputoid"],$b[$i]["inputfilename"]) . "\">"; echo basename($b[$i]["inputfilename"]) . "</a>"; } diff --git a/src/judge/team.php b/src/judge/team.php index 745380a..13e3e4e 100644 --- a/src/judge/team.php +++ b/src/judge/team.php @@ -75,7 +75,7 @@ $redo = TRUE; if(!isset($_SESSION['forceredo']) || $_SESSION['forceredo']==false) { $actualdelay = 30; if(file_exists($runtmp)) { - if(isset($strtmp) || (($strtmp = file_get_contents($runtmp,FALSE,NULL,-1,1000000)) !== FALSE)) { + if(isset($strtmp) || (($strtmp = file_get_contents($runtmp,FALSE,NULL,0,1000000)) !== FALSE)) { list($d) = sscanf($strtmp,"%*s %d"); if($d > time() - $actualdelay) { $conf=globalconf(); diff --git a/src/logexternal.php b/src/logexternal.php index b85aaef..114c1d9 100644 --- a/src/logexternal.php +++ b/src/logexternal.php 
@@ -17,17 +17,17 @@ ob_end_flush(); function sanitizeFilename($text) { - $text = str_replace("*", "", $text); - $text = str_replace("$", "", $text); - $text = str_replace(")", "", $text); - $text = str_replace("(", "", $text); - $text = str_replace(";", "", $text); - $text = str_replace("&", "", $text); - $text = str_replace("<", "", $text); - $text = str_replace(">", "", $text); - $text = str_replace("\"", "", $text); - $text = str_replace("'", "", $text); - $text = str_replace("`", "", $text); + $text = str_replace("*", "_", $text); + $text = str_replace("$", "_", $text); + $text = str_replace(")", "_", $text); + $text = str_replace("(", "_", $text); + $text = str_replace(";", "_", $text); + $text = str_replace("&", "_", $text); + $text = str_replace("<", "_", $text); + $text = str_replace(">", "_", $text); + $text = str_replace("\"", "_", $text); + $text = str_replace("'", "_", $text); + $text = str_replace("`", "_", $text); $text = addslashes($text); return $text; } 
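Review bot: `sanitizeFilename` replaces shell and HTML metacharacters but leaves `/`, `\` and NUL untouched, so a name containing `../` still changes directory once it is concatenated into the `/var/www/boca/src/private/logexternal/` paths in the next hunk. An allowlist is easier to reason about than this deny list: `$text = preg_replace('/[^A-Za-z0-9._-]/', '_', $text);` in place of the eleven `str_replace` calls, after which `addslashes` has nothing left to escape. Whether `$name` actually passes through this function is not visible in the hunk, so confirm that at the call site.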
@@ -45,7 +45,18 @@ if(isset($_POST["comp"]) && $_POST["comp"] != "" ) { $p = myhash($secret[2] . session_id()); if($p == $password) { @mkdir('/var/www/boca/src/private/logexternal/',0770,true); - @file_put_contents("/var/www/boca/src/private/logexternal/" . $secret[0] . '.' . $name, '\nbegin ' . time() . ' ' . base64_decode($_POST['data']), LOCK_EX | FILE_APPEND); + if(isset($_POST['logsession'])) + @file_put_contents("/var/www/boca/src/private/logexternal/" . $secret[0] . '.' . $name . '.logsession', "\nbegin(" . time() . ',' . date(DATE_RFC2822) . ")\n" . base64_decode($_POST['logsession']), LOCK_EX | FILE_APPEND); + if(isset($_POST['logfs'])) + @file_put_contents("/var/www/boca/src/private/logexternal/" . $secret[0] . '.' . $name . '.logfs', "\nbegin(" . time() . ',' . date(DATE_RFC2822) . ")\n" . base64_decode($_POST['logfs']), LOCK_EX | FILE_APPEND); + if(isset($_POST['loglshw'])) + @file_put_contents("/var/www/boca/src/private/logexternal/" . $secret[0] . '.' . $name . '.loglshw', "\nbegin(" . time() . ',' . date(DATE_RFC2822) . ")\n" . base64_decode($_POST['loglshw']), LOCK_EX | FILE_APPEND); + if(isset($_POST['logupd'])) + @file_put_contents("/var/www/boca/src/private/logexternal/" . $secret[0] . '.' . $name . '.logupd', "\nbegin(" . time() . ',' . date(DATE_RFC2822) . ")\n" . base64_decode($_POST['logupd']), LOCK_EX | FILE_APPEND); + if(isset($_POST['logkfs'])) + @file_put_contents("/var/www/boca/src/private/logexternal/" . $secret[0] . '.' . $name . '.logkfs', "\nbegin(" . time() . ',' . date(DATE_RFC2822) . ")\n" . base64_decode($_POST['logkfs']), LOCK_EX | FILE_APPEND); + if(isset($_POST['logkeys'])) + @file_put_contents("/var/www/boca/src/private/logexternal/" . $secret[0] . '.' . $name . '.logkeys', "\nbegin(" . time() . ',' . date(DATE_RFC2822) . ")\n" . base64_decode($_POST['logkeys']), LOCK_EX | FILE_APPEND); @file_put_contents("/var/www/boca/src/private/logexternal/logexternal.log", $name . "|" . $secret[0] . '|' . date(DATE_RFC2822) . 
"\n", LOCK_EX | FILE_APPEND); echo "ok\n"; exit; diff --git a/src/scoretable.php b/src/scoretable.php index 3f785f3..2010bc1 100644 --- a/src/scoretable.php +++ b/src/scoretable.php @@ -91,7 +91,7 @@ if($ds=="") $ds = "/"; $scoretmp = $_SESSION["locr"] . $ds . "private" . $ds . "scoretmp" . $ds . $_SESSION["usertable"]["usertype"] . '-' . $_SESSION["usertable"]["username"] . ".php"; $redo = TRUE; if(file_exists($scoretmp)) { - if(($strtmp = file_get_contents($scoretmp,FALSE,NULL,-1,100000)) !== FALSE) { + if(($strtmp = file_get_contents($scoretmp,FALSE,NULL,0,5000000)) !== FALSE) { list($d) = sscanf($strtmp,"%*s %d"); if($d > time() - $actualdelay) { $redo = FALSE; @@ -398,11 +398,14 @@ if($redo) { if(isset($conf['doenc']) && $conf['doenc']) $strtmp = "<!-- " . time() . " --> <?php exit; ?>\n" . encryptData($strtmp,$conf["key"],false); else $strtmp = "<!-- " . time() . " --> <?php exit; ?>\n" . $strtmp; - if(file_put_contents($scoretmp, $strtmp,LOCK_EX)===FALSE) { + $randnum = session_id() . "_" . rand(); + if(file_put_contents($scoretmp . "_" . $randnum, $strtmp,LOCK_EX)===FALSE) { if($_SESSION["usertable"]["usertype"] == 'admin') { MSGError("Cannot write to the score cache file -- performance might be compromised"); } LOGError("Cannot write to the ".$_SESSION["usertable"]["usertype"]."-score cache file -- performance might be compromised"); + } else { + @rename($scoretmp . "_" . $randnum, $scoretmp); } $conf=globalconf(); if(isset($conf['doenc']) && $conf['doenc']) diff --git a/src/site/get.php b/src/site/get.php index 81ede0d..45efd68 100644 --- a/src/site/get.php +++ b/src/site/get.php 
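Review bot: The six added blocks in logexternal.php differ only in the field name, and each discards write errors with `@` while the script still answers `ok`, so a full disk or a permission problem is invisible to both sides. Folding them into one loop over the accepted field names keeps the suffix list in one place and gives a single spot to check the result of `file_put_contents` and to cap the size of the decoded payload, which is currently unbounded. The enclosing `if` blocks start outside the hunk.

```php
// … unchanged: mkdir of the logexternal directory …
foreach (array('logsession', 'logfs', 'loglshw', 'logupd', 'logkfs', 'logkeys') as $field) {
    if (!isset($_POST[$field])) continue;
    $entry = "\nbegin(" . time() . ',' . date(DATE_RFC2822) . ")\n" . base64_decode($_POST[$field]);
    @file_put_contents("/var/www/boca/src/private/logexternal/" . $secret[0] . '.' . $name . '.' . $field,
                       $entry, LOCK_EX | FILE_APPEND);
}
// … unchanged: logexternal.log entry and "ok" reply …
```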
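Review bot: In the second scoretable.php hunk, `$randnum = session_id() . "_" . rand();` puts the live session identifier into a file name under the score cache directory, where anything able to list that directory can read it, and when the suppressed `@rename` fails the temporary file is left behind under that name. A random suffix does the same job without the session ID, e.g. `$randnum = bin2hex(openssl_random_pseudo_bytes(8));`, and the failure path should `@unlink($scoretmp . "_" . $randnum);`. team/run.php builds its temporary name the same way in the context lines of its last hunk. The enclosing `if($redo)` block starts and ends outside the hunk.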
@@ -46,7 +46,7 @@ if($ct["contestlocalsite"]==$ct["contestmainsite"]) { } if(isset($_POST) && isset($_POST['xml'])) { // $fp=fopen('/tmp/aaa',"w"); fwrite($fp,$_POST['xml']); fclose($fp); - $s = decryptData(rawurldecode($_POST['xml']),myhash($_SESSION["usertable"]["userpassword"])); + $s = decryptData($_POST['xml'],myhash($_SESSION["usertable"]["userpassword"])); // $fp=fopen('/tmp/aaa1',"w"); fwrite($fp,$s); fclose($fp); $ac=array(); diff --git a/src/system/importxml.php b/src/system/importxml.php index 5fcaef3..6e6107e 100644 --- a/src/system/importxml.php +++ b/src/system/importxml.php @@ -156,7 +156,7 @@ if(isset($_POST["Submit"])) { exit; } else - $id = rawurldecode(strtok($ar," \n\t")); + $id = myrawurldecode(strtok($ar," \n\t")); } } } else { diff --git a/src/team/clar.php b/src/team/clar.php index a1e3972..c763c2c 100644 --- a/src/team/clar.php +++ b/src/team/clar.php @@ -56,13 +56,13 @@ for ($i=0; $i<count($clar); $i++) { if ($clar[$i]["question"] == "") $clar[$i]["question"] = " "; echo " <td>"; // echo "<pre>" . $clar[$i]["question"] . "</pre>"; - echo " <textarea name=\"m$i\" cols=\"60\" rows=\"8\" readonly>".$clar[$i]["question"]."</textarea>\n"; + echo " <textarea name=\"m$i\" cols=\"60\" rows=\"8\" readonly>". unsanitizeText($clar[$i]["question"]) ."</textarea>\n"; echo "</td>\n"; if (trim($clar[$i]["answer"]) == "") $clar[$i]["answer"] = "Not answered yet"; echo " <td>"; // echo " <pre>" . $clar[$i]["answer"] . "</pre>"; - echo " <textarea name=\"a$i\" cols=\"60\" rows=\"8\" readonly>".$clar[$i]["answer"]."</textarea>\n"; + echo " <textarea name=\"a$i\" cols=\"60\" rows=\"8\" readonly>". unsanitizeText($clar[$i]["answer"]) ."</textarea>\n"; echo "</td>\n"; echo " </tr>\n"; } diff --git a/src/team/header.php b/src/team/header.php index ec7352a..a7e8168 100644 --- a/src/team/header.php +++ b/src/team/header.php 
@@ -60,10 +60,13 @@ $runtmp = $_SESSION["locr"] . $ds . "private" . $ds . "runtmp" . $ds . "run-cont "-site". $_SESSION["usertable"]["usersitenumber"] . "-user" . $_SESSION["usertable"]["usernumber"] . ".php"; $doslow=true; if(file_exists($runtmp)) { - if(($strtmp = file_get_contents($runtmp,FALSE,NULL,-1,1000000)) !== FALSE) { + if(($strtmp = file_get_contents($runtmp,FALSE,NULL,0,1000000)) !== FALSE) { $postab=strpos($strtmp,"\t"); $conf=globalconf(); - $strcolors = decryptData(substr($strtmp,$postab+1,strpos($strtmp,"\n")-$postab-1),$conf['key'],''); + if(isset($conf['doenc']) && $conf['doenc']) + $strcolors = decryptData(substr($strtmp,$postab+1,strpos($strtmp,"\n")-$postab-1),$conf['key'],''); + else + $strcolors = substr($strtmp,$postab+1,strpos($strtmp,"\n")-$postab-1); $doslow=false; $rn=explode("\t",$strcolors); $n=count($rn); diff --git a/src/team/run.php b/src/team/run.php index 077b76c..32c0d25 100644 --- a/src/team/run.php +++ b/src/team/run.php @@ -291,11 +291,13 @@ $redo = TRUE; if(!isset($_SESSION['forceredo']) || $_SESSION['forceredo']==false) { $actualdelay = 15; if(file_exists($runtmp)) { - if(isset($strtmp) || (($strtmp = file_get_contents($runtmp,FALSE,NULL,-1,1000000)) !== FALSE)) { + if(isset($strtmp) || (($strtmp = file_get_contents($runtmp,FALSE,NULL,0,1000000)) !== FALSE)) { list($d) = sscanf($strtmp,"%*s %d"); if($d > time() - $actualdelay) { $conf=globalconf(); - $strtmp = decryptData(substr($strtmp,strpos($strtmp,"\n")+1),$conf["key"],'runtmp'); + if(isset($conf['doenc']) && $conf['doenc']) + $strtmp = decryptData(substr($strtmp,strpos($strtmp,"\n")+1),$conf["key"],'runtmp'); + else $strtmp = substr($strtmp,strpos($strtmp,"\n")+1); if($strtmp !== false) $redo = FALSE; } 
@@ -416,7 +418,10 @@ if($redo) { "</form>\n"; } $conf=globalconf(); - $strtmp1 = "<!-- " . time() . " --> <?php exit; ?>\t" . encryptData($strcolors,$conf["key"],false) . "\n" . encryptData($strtmp,$conf["key"],false); + if(isset($conf['doenc']) && $conf['doenc']) + $strtmp1 = "<!-- " . time() . " --> <?php exit; ?>\t" . encryptData($strcolors,$conf["key"],false) . "\n" . encryptData($strtmp,$conf["key"],false); + else + $strtmp1 = "<!-- " . time() . " --> <?php exit; ?>\t" . $strcolors . "\n" . $strtmp; $randnum = session_id() . "_" . rand(); if(file_put_contents($runtmp . "_" . $randnum, $strtmp1,LOCK_EX)===FALSE) { if(!isset($_SESSION['writewarn'])) { diff --git a/src/version b/src/version index e466e5e..99637e4 100644 --- a/src/version +++ b/src/version @@ -1 +1 @@ -boca-1.5.13 +boca-1.5.14 diff --git a/src/versionnum.php b/src/versionnum.php index a833695..fc9810f 100644 --- a/src/versionnum.php +++ b/src/versionnum.php @@ -1,5 +1,5 @@ <?php -$BOCAVERSION='boca-1.5.13'; -$YEAR='2017'; +$BOCAVERSION='boca-1.5.14'; +$YEAR='2018'; ?> |