From 29a327e8090b55ff6d34997c22f5211344025047 Mon Sep 17 00:00:00 2001
From: Bruno Ribas
Date: Thu, 5 Nov 2020 14:27:49 -0300
Subject: globals.php: More checks on multilogin
These modifications make things easier to check when there are Multilogins and MultiIPS (common under CGNAT). Modification from 2018, merged now.
Signed-off-by: Bruno Ribas
---
 src/globals.php | 37 +++++++++++++++++++++++--------------
 1 file changed, 23 insertions(+), 14 deletions(-)
(limited to 'src/globals.php')
diff --git a/src/globals.php b/src/globals.php
index 45ac54e..da34c1a 100755
--- a/src/globals.php
+++ b/src/globals.php
@@ -229,9 +229,6 @@ function sanitizeFilename($text)
 function unsanitizeText($text) {
 $text = str_replace("<", "<", $text);
 $text = str_replace(">", ">", $text);
- $text = str_replace("'", "'", $text);
- $text = str_replace("`", "`", $text);
- $text = str_replace(""", "\"", $text);
 $text = str_replace("&", "&", $text);
 return $text;
 }
@@ -339,6 +336,8 @@ function ValidCookie($dolog=false,$gip='') {
 !ctype_alnum($coo[1])) $coo = array();
 }
+ $_SESSION['onlycmd']=1;
+ $_SESSION['prevco']='none';
 if(count($coo) == 2) {
 $ds = DIRECTORY_SEPARATOR;
 if($ds=="") $ds = "/";
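Review bot: Removing the three str_replace lines that mapped the single-quote, backtick and double-quote entities back to their characters means unsanitizeText no longer reverses them, so a value encoded with those entities on the way in now comes back as entity text instead of the original character. The commit message speaks only of multilogin, so this part looks unrelated; if it is deliberate, the surviving function deserves a comment such as `// only the <, > and & entities are decoded here; quote entities stay encoded on purpose`, otherwise the lines should be restored. The encoding counterpart is outside this hunk, so I cannot confirm whether it still emits those entities.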
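Review bot: The two new session keys `$_SESSION['onlycmd']=1;` and `$_SESSION['prevco']='none';` are written before the cookie is examined and nothing in the hunk says what a set onlycmd means for the rest of the request; only the following hunk resets it to 0 on some branches. A one-line comment at the assignment would make the default readable, e.g. `// defaults: treat the request as onlycmd and record no previous cookie; both are refined below once $coo has been checked`. Whether the early-return paths that skip the refinement are meant to leave onlycmd at 1 is not visible here and should be stated. ValidCookie starts and ends outside this hunk.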
@@ -353,16 +352,23 @@ function ValidCookie($dolog=false,$gip='') {
 }
 return false;
 }
+$_SESSION['prevco']=$prevuser;
+$tt=time();
 if($prevuser != $coo[1]) {
 if($dolog) {
- @file_put_contents($dircode . '.log', time() . '|' . $prevuser . '|' . $coo[0] . '|' . $coo[1] . '|' . $gip . "|invalid\n", FILE_APPEND | LOCK_EX);
- LOGLevel("User $name contest $contest has invalid cookie.",2);
+ $ans='new';
+ if($coo[0] < $tt-15) $ans='invalid';
+ @file_put_contents($dircode . '.log', time() . '|' . $prevuser . '|' . $coo[0] . '|' . $coo[1] . '|' . $gip . "|" . $ans . "\n", FILE_APPEND | LOCK_EX);
+ LOGLevel("User $name contest $contest has $ans cookie.",2);
 }
- if($_SESSION["usertable"]["usertype"] == 'team' && $coo[0] < time()-10)
- return false;
- @file_put_contents($dircode, $coo[1]);
- }
+ if($_SESSION["usertable"]["usertype"] == 'team') {
+ if($coo[0] < $tt-15) return false;
+ } else
+ @file_put_contents($dircode, $coo[1]);
+ } else
+ $_SESSION['onlycmd']=0;
 } else {
+ $_SESSION['onlycmd']=0;
 @file_put_contents($dircode, $coo[1]);
 }
 } else {
@@ -372,20 +378,20 @@ function ValidCookie($dolog=false,$gip='') {
 return true;
 }
+ // verifica se a sessao esta aberta e ok
 function ValidSession() {
 if (!isset($_SESSION["usertable"])) return(FALSE);
 if($_SESSION["usertable"]["usersession"] != session_id()) return(FALSE);
 $gip = getIP();
- if(!ValidCookie()) return false;
-
-
+ //if(!ValidCookie()) return false;
+ // cassiopc: sites that use multiple IP addresses to go out create a serious problem to check IPs...
 // if(substr($_SESSION["usertable"]["userip"],0,6) != '157.92') {
 // if ($_SESSION["usertable"]["userip"] != $gip ||
 // $_SESSION["usertable"]["usersession"] != session_id()) return(FALSE);
 // } else {
- if($_SESSION["usertable"]["usersession"] != session_id()) return(FALSE);
+// if($_SESSION["usertable"]["usersession"] != session_id()) return(FALSE);
 // }
 $tmp = DBUserInfo($_SESSION["usertable"]["contestnumber"], $_SESSION["usertable"]["usersitenumber"],
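Review bot: In the new team branch a cookie that differs from $prevuser but is younger than 15 s is neither rejected nor written to $dircode (the old code wrote it once the age check passed), so $dircode keeps the previous value and every following request with that cookie is logged as 'new' again; if that is intended, say so with `// team: keep the stored cookie so a concurrent login keeps being reported`. The 15-second window appears twice as a literal and the log entry still calls time() although $tt was introduced for exactly that purpose; using `$tt` in the log and one `$maxage = 15;` above both comparisons would keep them in step. Since $coo[0] is the timestamp the client sent, the age comparison only establishes that the cookie claims to be recent, which is worth a comment next to the check. ValidCookie begins and ends outside this hunk.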
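Review bot: Commenting out `if(!ValidCookie()) return false;` removes the only caller of ValidCookie visible in this diff, so the multilogin bookkeeping the commit adds there ($_SESSION['onlycmd'], $_SESSION['prevco']) is no longer reached from ValidSession; unless another caller exists outside the diff, those keys keep whatever an earlier request left in them. Either delete the line outright and let the new header comment name where the cookie check now happens, e.g. `// cookie/multilogin check is performed by ValidCookie from its own caller, not here`, or keep the call. The commented-out session_id comparison duplicates the live check four lines above and can be dropped instead of kept as dead code. ValidSession continues past the end of this hunk.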
@@ -393,7 +399,10 @@ function ValidSession() {
 if($tmp['usersession']=='') return(FALSE);
 if($_SESSION["usertable"]["usermultilogin"] == 't') return(TRUE);
- if ($tmp["userip"] != $gip) return(FALSE); //cassiopc: they may create a problem here too...
+ if ($tmp["userip"] != $gip) {
+ @file_put_contents("/tmp/bocalogin.log", $tmp["userip"] . "|" . $gip . '|' . $_SESSION["usertable"]["usersession"] . '|' . $_SESSION["usertable"]["usernumber"] . '|' . date(DATE_RFC2822) . "\n", LOCK_EX | FILE_APPEND);
+ // return(FALSE); //cassiopc: they may create a problem here too...
+ }
 return(TRUE);
 }
 // grava erro no arquivo de log
-- cgit v1.2.3
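Review bot: The added log line writes the PHP session id ($_SESSION["usertable"]["usersession"], which the check earlier in ValidSession compares with session_id()) to a fixed file under /tmp, a directory shared with every local account; a readable copy of that value is enough to take over the session, and a predictable path in a shared directory can be pre-created by someone else. Write the record to the application's own log location (ValidCookie already uses the `$dircode . '.log'` pattern) and leave the session id out, or store only `hash('sha256', $_SESSION["usertable"]["usersession"])`. With `return(FALSE)` commented out the IP-mismatch check is now disabled for every user, not only multi-egress sites, which deserves a comment at the branch such as `// IP mismatch is logged but not rejected: CGNAT/multi-egress sites change source IP mid-session`. The @ on file_put_contents also hides a failed write, so a full or unwritable /tmp silently drops the very evidence this change wants to collect.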