Diffstat (limited to 'src')
-rw-r--r--src/admin/report/header.php2
-rw-r--r--src/admin/report/webcast.php26
-rw-r--r--src/flog.php8
-rwxr-xr-xsrc/globals.php55
-rw-r--r--src/index.php13
5 files changed, 88 insertions, 16 deletions
diff --git a/src/admin/report/header.php b/src/admin/report/header.php
index 77e524a..50c36af 100644
--- a/src/admin/report/header.php
+++ b/src/admin/report/header.php
@@ -30,7 +30,7 @@ require_once($locr . "/globals.php");
require_once($locr."/db.php");
require_once($locr."/freport.php");
-if(isset($_POST['webcastcode']) && ctype_alnum($_POST['webcastcode'])) {
+if(isset($_GET['webcastcode']) && ctype_alnum($_GET['webcastcode'])) {
header ("Content-transfer-encoding: binary\n");
header ("Content-type: application/force-download");
ob_end_flush();
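Review bot: Moving `webcastcode` from `$_POST` to `$_GET` at the changed line puts the code in the request URL, so it is recorded in web-server and proxy access logs, browser history and outgoing Referer headers, and the download can be triggered by a plain link. The same switch is made in webcast.php at the `$_GET['webcastcode']` and `$_GET['full']` lines, where that GET request also creates directories and writes files on the server. If the code is meant to stay semi-private, keep accepting it from POST; if GET is needed for a linkable download, document the consequence above the check, e.g. `// webcastcode travels in the URL and will appear in logs/referers; it is not a secret`.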
diff --git a/src/admin/report/webcast.php b/src/admin/report/webcast.php
index a6aaceb..cf791a7 100644
--- a/src/admin/report/webcast.php
+++ b/src/admin/report/webcast.php
@@ -17,8 +17,8 @@
////////////////////////////////////////////////////////////////////////////////
require('header.php');
-if(!isset($_POST['webcastcode']) || !ctype_alnum($_POST['webcastcode'])) exit;
-$webcastcode=$_POST['webcastcode'];
+if(!isset($_GET['webcastcode']) || !ctype_alnum($_GET['webcastcode'])) exit;
+$webcastcode=$_GET['webcastcode'];
$ds = DIRECTORY_SEPARATOR;
if($ds=="") $ds = "/";
@@ -39,7 +39,7 @@ for($i=0; $i<count($wcdata);$i++) {
$wccode = explode(' ', $wcdata[$i]);
if($wccode[0] == $webcastcode) {
for($j=1; $j < count($wccode); $j++) {
- $temp = explode('/', $wccode[$j]);
+ $temp = explode('/', trim($wccode[$j]));
if(is_numeric($temp[0])) {
$wcsite[count($wcsite)] = $temp[0];
$wcloweruser[count($wcloweruser)] = 0;
@@ -59,17 +59,17 @@ if($i>=count($wcdata)) {
exit;
}
-cleardir($webcastdir);
+//cleardir($webcastdir);
@mkdir($webcastdir);
-$contest = $_SESSION["usertable"]["contestnumber"];
-$site = $_SESSION["usertable"]["usersitenumber"];
+$contest = 1; //$_SESSION["usertable"]["contestnumber"];
+$site = 1; //$_SESSION["usertable"]["usersitenumber"];
$ct = DBContestInfo($contest);
if(($st = DBSiteInfo($contest, $site)) == null)
ForceLoad("../index.php");
-if(isset($_POST['full']) && $_POST['full'] > 0)
+if(isset($_GET['full']) && $_GET['full'] > 0)
$freezeTime = $st['siteduration'];
else
$freezeTime = $st['sitelastmilescore'];
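Review bot: `$contest = 1;` and `$site = 1;` replace the session-derived values with literals and leave the originals as trailing comments, so the report no longer follows the logged-in user's contest and site; this reads like debugging residue that was committed. `cleardir($webcastdir)` is commented out in the same hunk, while the last hunk of this file now builds the archive from `$webcastdir` with `array('.')`, so any file left behind by a previous run (or by the other contest/site values that were previously used) is shipped in the zip. If the hard-coding is deliberate the comments should say why; otherwise restore `$contest = $_SESSION["usertable"]["contestnumber"];` and `$site = $_SESSION["usertable"]["usersitenumber"];` and re-enable `cleardir($webcastdir);` before the directory is repopulated.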
@@ -87,12 +87,12 @@ $c = DBConnect();
$r = DBExec($c,
'SELECT problemnumber FROM problemtable' .
' WHERE contestnumber = ' . $contest .
- ' AND problemnumber > 0');
+ ' AND problemnumber > 0 AND not (problemfullname ~ \'(DEL)\')');
$numProblems = DBnlines($r);
$sql = 'SELECT username, userfullname, userdesc FROM usertable' .
' WHERE contestnumber = ' . $contest .
- ' AND userenabled = \'t\' AND usertype = \'team\' AND ((0 = 1)';
+ ' AND userenabled = \'t\' AND not (usericpcid = \'\') AND not (usericpcid = \'000000\') AND not (usericpcid = \'0\') AND usertype = \'team\' AND ((0 = 1)';
for($i=0; $i < count($wcloweruser); $i++)
$sql .= ' OR (usersitenumber = ' . $wcsite[$i] . ' AND usernumber >= ' . $wcloweruser[$i] . ' AND usernumber <= ' . $wcupperuser[$i] . ')';
$sql .= ')';
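Review bot: The added filter `not (problemfullname ~ '(DEL)')` is a POSIX regex in which the parentheses only group, so it excludes every problem whose full name contains the letters `DEL` anywhere (a name containing "MODEL" would be dropped), not names tagged with a literal "(DEL)". If the tag is literal, use a substring test instead, `' AND problemnumber > 0 AND problemfullname NOT LIKE \'%(DEL)%\''`, or escape the parentheses in the pattern. Separately, the `$sql .=` line still assembles the query by concatenating `$wcsite[$i]`, `$wcloweruser[$i]` and `$wcupperuser[$i]`, which come from the parsed webcast data file; the earlier hunk checks only `$temp[0]` with `is_numeric` and the bounds are assigned outside the visible lines, so they should be validated the same way (or passed as parameters if DBExec supports them) before being spliced into SQL.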
@@ -149,6 +149,7 @@ $run = DBAllRunsInSites($contest, $site, 'run');
$numRuns = count($run);
$runfile = '';
for ($i = 0; $i < $numRuns; $i++) {
+ if($run[$i]['status'] == 'deleted') continue;
$u = DBUserInfo($contest, $site, $run[$i]['user']);
$runID = $run[$i]['number'];
$runTime = dateconvminutes($run[$i]['timestamp']);
@@ -182,11 +183,12 @@ if(is_writable($webcastdir)) {
@file_put_contents($webcastdir . $ds . 'contest',$contestfile);
@file_put_contents($webcastdir . $ds . 'version',$versionfile);
@file_put_contents($webcastdir . $ds . 'time',$timefile);
- if(@create_zip($webcastparentdir,array('webcast'),$webcastdir . ".zip") != 1) {
- LOGError("Cannot create score webcast.tmp file");
- MSGError("Cannot create score webcast.tmp file");
+ if(@create_zip($webcastdir,array('.'),$webcastdir . ".zip") != 1) {
+ LOGError("Cannot create score webcast.zip file");
+ MSGError("Cannot create score webcast.zip file");
} else {
echo file_get_contents($webcastdir . ".zip");
+ exit;
}
} else {
LOGError('Error creating the folder for the ZIP file: '. $webcastdir);
diff --git a/src/flog.php b/src/flog.php
index 1e6e6cb..9ff6357 100644
--- a/src/flog.php
+++ b/src/flog.php
@@ -187,8 +187,14 @@ function DBLogInContest($name,$pass,$contest,$msg=true) {
if($a["usertype"] == "team")
@file_put_contents($dircode, $ccode);
}
-
+
$gip=getIP();
+ if(!ValidCookie(true,$gip)) {
+ if($msg) MSGError("Invalid computer (4).");
+ unset($_SESSION["usertable"]);
+ return false;
+ }
+
if ($a["userip"] != $gip && $a["userip"] != "" && $a["usertype"] != "score") {
LOGLevel("User $name is using two different IPs: " . $a["userip"] .
"(" . dateconv($a["userlastlogin"]) .") and " . $gip,1);
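Review bot: The new `ValidCookie(true,$gip)` check runs after the `@file_put_contents($dircode, $ccode)` write shown just above it, so a login that is then rejected with "Invalid computer (4)" has already updated that per-team file; if that write is meant to reflect only accepted logins, the check belongs before it. The rejection also requires the client to already hold the `biscoitobocabombonera` cookie, which in this diff appears to be issued only by index.php, so a login request that did not first pass through index.php fails here; that dependency deserves a comment, e.g. `// the binding cookie is issued by index.php; a login without it is rejected here`. DBLogInContest starts outside this hunk.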
diff --git a/src/globals.php b/src/globals.php
index 5c2a46b..45ac54e 100755
--- a/src/globals.php
+++ b/src/globals.php
@@ -325,10 +325,61 @@ function IntrusionNotify($where) {
LOGLevel($msg,1);
MSGError("Violation ($where). Admin warned.");
}
+
+function ValidCookie($dolog=false,$gip='') {
+ if (!isset($_SESSION["usertable"])) return(FALSE);
+ $contest = $_SESSION["usertable"]["contestnumber"];
+ $name = $_SESSION["usertable"]["username"];
+ $coo = array();
+ if(isset($_COOKIE['biscoitobocabombonera'])) {
+ $coo = explode('-',$_COOKIE['biscoitobocabombonera']);
+ if(count($coo) != 2 ||
+ strlen($coo[1])!=strlen(myhash('xxx')) ||
+ !is_numeric($coo[0]) ||
+ !ctype_alnum($coo[1]))
+ $coo = array();
+ }
+ if(count($coo) == 2) {
+ $ds = DIRECTORY_SEPARATOR;
+ if($ds=="") $ds = "/";
+ $dircode=$_SESSION["locr"] . $ds . "private" . $ds . "cookies";
+ @mkdir($dircode);
+ $dircode .= $ds . $contest . '-' . $name;
+ if(@file_exists($dircode)) {
+ if(($prevuser = @file_get_contents($dircode)) === false) {
+ if($dolog) {
+ @file_put_contents($dircode . '.log', time() . '|' . $prevuser . '|' . $coo[0] . '|' . $coo[1] . '|' . $gip . "|file\n", FILE_APPEND | LOCK_EX);
+ LOGLevel("User $name contest $contest has a cookie file problem.",2);
+ }
+ return false;
+ }
+ if($prevuser != $coo[1]) {
+ if($dolog) {
+ @file_put_contents($dircode . '.log', time() . '|' . $prevuser . '|' . $coo[0] . '|' . $coo[1] . '|' . $gip . "|invalid\n", FILE_APPEND | LOCK_EX);
+ LOGLevel("User $name contest $contest has invalid cookie.",2);
+ }
+ if($_SESSION["usertable"]["usertype"] == 'team' && $coo[0] < time()-10)
+ return false;
+ @file_put_contents($dircode, $coo[1]);
+ }
+ } else {
+ @file_put_contents($dircode, $coo[1]);
+ }
+ } else {
+ LOGLevel("User $name contest $contest has bad cookie.",2);
+ return false;
+ }
+ return true;
+}
+
// verifica se a sessao esta aberta e ok
function ValidSession() {
- if (!isset($_SESSION["usertable"])) return(FALSE);
- $gip = getIP();
+ if (!isset($_SESSION["usertable"])) return(FALSE);
+ if($_SESSION["usertable"]["usersession"] != session_id()) return(FALSE);
+ $gip = getIP();
+ if(!ValidCookie()) return false;
+
+
// cassiopc: sites that use multiple IP addresses to go out create a serious problem to check IPs...
// if(substr($_SESSION["usertable"]["userip"],0,6) != '157.92') {
// if ($_SESSION["usertable"]["userip"] != $gip ||
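Review bot: In ValidCookie the stored binding and the presented cookie are compared with `if($prevuser != $coo[1])`, a loose comparison; both strings are constrained only by `ctype_alnum` and the hash length, so numeric-looking values are compared as numbers (PHP treats `"1e3"` and `"1000"` as equal), and the comparison is not constant-time. Use `if(!hash_equals((string)$prevuser, $coo[1]))` (PHP 5.6+). The team rebind rule `$coo[0] < time()-10` trusts the timestamp the client sent inside the cookie rather than anything recorded server-side, so the ten-second window is not actually enforced by the server; storing the issue time next to the hash in `$dircode` would give the check a trustworthy value. The binding writes at `@file_put_contents($dircode, $coo[1]);` also omit the `LOCK_EX` that the `.log` writes use. ValidSession continues outside the hunk.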
diff --git a/src/index.php b/src/index.php
index 7b162bd..7bdbb81 100644
--- a/src/index.php
+++ b/src/index.php
@@ -49,6 +49,19 @@ if(isset($_GET["getsessionid"])) {
echo session_id();
exit;
}
+
+$coo = array();
+if(isset($_COOKIE['biscoitobocabombonera'])) {
+ $coo = explode('-',$_COOKIE['biscoitobocabombonera']);
+ if(count($coo) != 2 ||
+ strlen($coo[1])!=strlen(myhash('xxx')) ||
+ !is_numeric($coo[0]) ||
+ !ctype_alnum($coo[1]))
+ $coo = array();
+}
+if(count($coo) != 2)
+ setcookie('biscoitobocabombonera',time() . '-' . myhash(time() . rand() . time() . rand()),time() + 240*3600);
+
ob_end_flush();
require_once('version.php');
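Review bot: The binding token created at the `setcookie` line is derived from `time()` and `rand()`, which are predictable, so the cookie's second component carries little real entropy even after `myhash`; since ValidCookie in the globals.php hunk treats that value as the per-user device binding, it should come from a CSPRNG, e.g. `myhash(time() . bin2hex(random_bytes(16)))` (PHP 7+) or `openssl_random_pseudo_bytes` on older installs. The cookie is also set without the `httponly` flag; unless page scripts must read it, pass the flag explicitly, `setcookie('biscoitobocabombonera', $cookieValue /* time() . '-' . token */, time() + 240*3600, '', '', false, true);`, and set the secure flag where the site is served over TLS. The parsing block above duplicates the one in ValidCookie; a small shared helper in globals.php would keep the two validations from drifting apart.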