From b01cfec9301e221f0bb5a581b1775dba5be562a2 Mon Sep 17 00:00:00 2001 From: Matthew C Date: Wed, 4 May 2022 11:23:43 +0200 Subject: [PATCH 1/7] Started update --- plugin.php | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/plugin.php b/plugin.php index a3209c4..265f0e3 100644 --- a/plugin.php +++ b/plugin.php @@ -1,11 +1,11 @@ Date: Wed, 4 May 2022 11:40:00 +0200 Subject: [PATCH 2/7] Updated to 1.7.3 --- plugin.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/plugin.php b/plugin.php index 265f0e3..f23b929 100644 --- a/plugin.php +++ b/plugin.php @@ -230,7 +230,8 @@ function matthew_pwprotection_process_display() { global $ydb; $table = YOURLS_DB_TABLE_URL; - $query = $ydb->get_results( "SELECT * FROM `$table` WHERE 1=1" ); + $sql = "SELECT * FROM `$table` WHERE 1=1"; + $query = $ydb->fetchAll( $sql ); $matthew_su = yourls__( "Short URL" , "matthew_pwp" ); //Translate "Short URL" $matthew_ou = yourls__( "Original URL", "matthew_pwp" ); //Translate "Original URL" From d461378547ee8924dfc44e77f83d72f98c8e7345 Mon Sep 17 00:00:00 2001 From: Matthew C Date: Wed, 4 May 2022 11:47:56 +0200 Subject: [PATCH 3/7] Fixed db issues --- plugin.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/plugin.php b/plugin.php index f23b929..ac850d8 100644 --- a/plugin.php +++ b/plugin.php @@ -227,7 +227,7 @@ function matthew_pwprotection_process_new() { //Display Form function matthew_pwprotection_process_display() { - global $ydb; + $ydb = yourls_get_db(); $table = YOURLS_DB_TABLE_URL; $sql = "SELECT * FROM `$table` WHERE 1=1"; @@ -261,6 +261,7 @@ function matthew_pwprotection_process_display() { $matthew_pw TB; +var_dump($query); foreach( $query as $link ) { // Displays all shorturls in the YOURLS DB $short = $link->keyword; $url = $link->url; From 307a7ba2975254ef277d275ecc1f3552d7dea763 Mon Sep 17 00:00:00 2001 
From: Matthew C Date: Wed, 4 May 2022 12:05:34 +0200 Subject: [PATCH 4/7] Added nonce support --- plugin.php | 42 +++++++++++++++++++++++++----------------- 1 file changed, 25 insertions(+), 17 deletions(-) diff --git a/plugin.php b/plugin.php index ac850d8..1d13ce4 100644 --- a/plugin.php +++ b/plugin.php @@ -31,17 +31,17 @@ function warning_redirection( $args ) { $matthew_pwprotection_short = end( $matthew_pwprotection_pathFragments ); if( array_key_exists( $matthew_pwprotection_short, (array)$matthew_pwprotection_array ) ){ - if( isset( $_POST[ 'password' ] ) && $_POST[ 'password' ] == $matthew_pwprotection_array[ $matthew_pwprotection_short ] ){ //Check if password is submited, and if it matches the DB + if( isset( $_POST[ 'password' ] ) && $_POST[ 'password' ] == $matthew_pwprotection_array[ $matthew_pwprotection_short ] ){ // Check if password is submited, and if it matches the DB $url = $args[ 0 ]; header("Location: $url"); //Redirects client die(); } else { $error = ( isset( $_POST[ 'password' ] ) ? "" : ""); - $matthew_ppu = yourls__( "Password Protected URL", "matthew_pwp" ); //Translate Password Title - $matthew_ph = yourls__( "Password" , "matthew_pwp" ); //Translate the word Password - $matthew_sm = yourls__( "Please enter the password below to continue.", "matthew_pwp" ); //Translate the main message - $matthew_submit = yourls__( "Send!" , "matthew_pwp" ); //Translate the Submit button - //Displays main "Insert Password" area + $matthew_ppu = yourls__( "Password Protected URL", "matthew_pwp" ); // Translate Password Title + $matthew_ph = yourls__( "Password" , "matthew_pwp" ); // Translate the word Password + $matthew_sm = yourls__( "Please enter the password below to continue.", "matthew_pwp" ); // Translate the main message + $matthew_submit = yourls__( "Send!" , "matthew_pwp" ); // Translate the Submit button + // Displays main "Insert Password" area echo << 
@@ -211,11 +211,15 @@ function matthew_pwprotection_display_page() { // Set/Delete password from DB function matthew_pwprotection_process_new() { + // Verify nonce token. + yourls_verify_nonce( "matthew_pwprotection_update" ); + if( isset( $_POST[ 'checked' ] ) ){ yourls_update_option( 'matthew_pwprotection', json_encode( $_POST[ 'password' ] ) ); } if( isset( $_POST[ 'unchecked' ] ) ){ - $matthew_pwprotection_array = json_decode(yourls_get_option('matthew_pwprotection'), true); //Get's array of currently active Password Protected URLs + // Get array of currently active Password Protected URLs + $matthew_pwprotection_array = json_decode(yourls_get_option('matthew_pwprotection'), true); foreach ( $_POST[ 'unchecked' ] as $matthew_pwprotection_unchecked ){ $matthew_pwprotection_array[ $matthew_pwprotection_unchecked ] = ""; unset($matthew_pwprotection_array[ $matthew_pwprotection_unchecked ]); @@ -225,7 +229,7 @@ function matthew_pwprotection_process_new() { echo "

Success!

"; } -//Display Form +// Display Form function matthew_pwprotection_process_display() { $ydb = yourls_get_db(); @@ -233,9 +237,12 @@ function matthew_pwprotection_process_display() { $sql = "SELECT * FROM `$table` WHERE 1=1"; $query = $ydb->fetchAll( $sql ); - $matthew_su = yourls__( "Short URL" , "matthew_pwp" ); //Translate "Short URL" - $matthew_ou = yourls__( "Original URL", "matthew_pwp" ); //Translate "Original URL" - $matthew_pw = yourls__( "Password" , "matthew_pwp" ); //Translate "Password" + $matthew_su = yourls__( "Short URL" , "matthew_pwp" ); // Translate "Short URL" + $matthew_ou = yourls__( "Original URL", "matthew_pwp" ); // Translate "Original URL" + $matthew_pw = yourls__( "Password" , "matthew_pwp" ); // Translate "Password" + + // Protect action with nonce + $matthew_pwprotection_noncefield = yourls_nonce_field( "matthew_pwprotection_update" ); echo << 
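Review bot: `yourls_nonce_field()` echoes the hidden input by default as well as returning it, so the new assignment to `$matthew_pwprotection_noncefield` most likely prints the field once here, before the form markup, and again where the variable is interpolated in the `@@ -301,6` hunk. Pass the fourth argument to suppress the echo: `yourls_nonce_field( "matthew_pwprotection_update", "nonce", false, false );`. That avoids a second `id="nonce"` element sitting outside the form. `matthew_pwprotection_process_display()` continues beyond this hunk.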
@@ -261,17 +268,17 @@ function matthew_pwprotection_process_display() { $matthew_pw TB; -var_dump($query); + foreach( $query as $link ) { // Displays all shorturls in the YOURLS DB - $short = $link->keyword; - $url = $link->url; - $matthew_pwprotection_array = json_decode(yourls_get_option('matthew_pwprotection'), true); //Get's array of currently active Password Protected URLs - if( strlen( $url ) > 51 ) { //If URL is too long it will shorten it + $short = $link["keyword"]; + $url = $link["url"]; + $matthew_pwprotection_array = json_decode(yourls_get_option('matthew_pwprotection'), true); // Get array of currently active Password Protected URLs + if( strlen( $url ) > 51 ) { // If URL is too long, shorten it with '...' $sURL = substr( $url, 0, 30 ). "..."; } else { $sURL = $url; } - if( array_key_exists( $short, (array)$matthew_pwprotection_array ) ){ //Check's if URL is currently password protected or not + if( array_key_exists( $short, (array)$matthew_pwprotection_array ) ){ // Check if URL is currently password protected or not $text = yourls__( "Enable?" ); $password = $matthew_pwprotection_array[ $short ]; $checked = " checked"; @@ -301,6 +308,7 @@ function matthew_pwprotection_process_display() { } echo << + $matthew_pwprotection_noncefield From e3411fdd9c3b40c3f5cfbdf4e2248a6bd6bc5a5f Mon Sep 17 00:00:00 2001 From: Matthew C Date: Wed, 4 May 2022 12:29:16 +0200 Subject: [PATCH 5/7] Added password hashing --- plugin.php | 27 ++++++++++++++------------- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/plugin.php b/plugin.php index 1d13ce4..642d478 100644 --- a/plugin.php +++ b/plugin.php 
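Review bot: The option lookup `json_decode(yourls_get_option('matthew_pwprotection'), true)` still runs once per row inside the `foreach`; it does not depend on `$link` and can move above the loop. `$short` and `$url` come straight from the URL table, and the markup that prints them is not visible in this hunk, so it is worth confirming they pass through `yourls_esc_html()` / `yourls_esc_attr()` before reaching the admin page. The loop body continues outside the hunk.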
@@ -31,9 +31,13 @@ function warning_redirection( $args ) { $matthew_pwprotection_short = end( $matthew_pwprotection_pathFragments ); if( array_key_exists( $matthew_pwprotection_short, (array)$matthew_pwprotection_array ) ){ - if( isset( $_POST[ 'password' ] ) && $_POST[ 'password' ] == $matthew_pwprotection_array[ $matthew_pwprotection_short ] ){ // Check if password is submited, and if it matches the DB + // Check if password is submited, and if it matches the DB + if( isset( $_POST[ 'password' ] ) && password_verify( $_POST[ 'password' ], $matthew_pwprotection_array[ $matthew_pwprotection_short ]) ){ $url = $args[ 0 ]; - header("Location: $url"); //Redirects client + + // Redirect client + header("Location: $url"); + die(); } else { $error = ( isset( $_POST[ 'password' ] ) ? "" : ""); @@ -214,18 +218,15 @@ function matthew_pwprotection_process_new() { // Verify nonce token. yourls_verify_nonce( "matthew_pwprotection_update" ); - if( isset( $_POST[ 'checked' ] ) ){ - yourls_update_option( 'matthew_pwprotection', json_encode( $_POST[ 'password' ] ) ); - } - if( isset( $_POST[ 'unchecked' ] ) ){ - // Get array of currently active Password Protected URLs - $matthew_pwprotection_array = json_decode(yourls_get_option('matthew_pwprotection'), true); - foreach ( $_POST[ 'unchecked' ] as $matthew_pwprotection_unchecked ){ - $matthew_pwprotection_array[ $matthew_pwprotection_unchecked ] = ""; - unset($matthew_pwprotection_array[ $matthew_pwprotection_unchecked ]); + foreach( $_POST[ 'password' ] as $url => $url_password) { + if($url_password != "DONOTCHANGE") { + $_POST[ 'password' ][ $url ] = password_hash($url_password, PASSWORD_BCRYPT); } - yourls_update_option( 'matthew_pwprotection', json_encode( $_POST[ 'password' ] ) ); } + + // Update database + yourls_update_option( 'matthew_pwprotection', json_encode( $_POST[ 'password' ] ) ); + echo "
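Review bot: `password_verify()` in the new condition receives `$_POST[ 'password' ]` without a type check, so a request in which `password` is an array raises a TypeError on PHP 8 instead of showing the form again. Adding `is_string( $_POST[ 'password' ] ) &&` before the `password_verify()` call keeps that case on the ordinary wrong-password branch. Entries saved before this commit are presumably still plaintext in the `matthew_pwprotection` option; `password_verify()` returns false for them, so those links stay locked until the password is set again, which deserves a migration step or a release note. The body of `warning_redirection()` starts and ends outside the hunk.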

Success!

"; } @@ -280,7 +281,7 @@ function matthew_pwprotection_process_display() { } if( array_key_exists( $short, (array)$matthew_pwprotection_array ) ){ // Check if URL is currently password protected or not $text = yourls__( "Enable?" ); - $password = $matthew_pwprotection_array[ $short ]; + $password = "DONOTCHANGE"; $checked = " checked"; $unchecked = ''; $style = ''; From 664f1d7b1ff836aeb61e8daaf8a5fb2c71db6c47 Mon Sep 17 00:00:00 2001 From: Matthew C Date: Wed, 4 May 2022 12:32:58 +0200 Subject: [PATCH 6/7] Fixed hashing --- plugin.php | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/plugin.php b/plugin.php index 642d478..0be3625 100644 --- a/plugin.php +++ b/plugin.php @@ -37,7 +37,7 @@ function warning_redirection( $args ) { // Redirect client header("Location: $url"); - + die(); } else { $error = ( isset( $_POST[ 'password' ] ) ? "" : ""); @@ -218,9 +218,13 @@ function matthew_pwprotection_process_new() { // Verify nonce token. yourls_verify_nonce( "matthew_pwprotection_update" ); + $matthew_pwprotection_array = json_decode(yourls_get_option('matthew_pwprotection'), true); + foreach( $_POST[ 'password' ] as $url => $url_password) { if($url_password != "DONOTCHANGE") { $_POST[ 'password' ][ $url ] = password_hash($url_password, PASSWORD_BCRYPT); + } else { + $_POST[ 'password' ][ $url ] = $matthew_pwprotection_array[ $url ]; } } From 5a2bf85a2ee9c51846d80fd226e3a8b17b288fc6 Mon Sep 17 00:00:00 2001 From: Matthew C Date: Wed, 4 May 2022 12:38:23 +0200 Subject: [PATCH 7/7] Final touches --- plugin.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/plugin.php b/plugin.php index 0be3625..a70130b 100644 --- a/plugin.php +++ b/plugin.php 
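Review bot: The new `foreach` in `matthew_pwprotection_process_new()` reads `$_POST[ 'password' ]` with no `isset()`/`is_array()` guard and hands each value to `password_hash()` unchecked, so a submission without that field, or with a nested array value, ends in warnings or a TypeError after the nonce has already passed. Guard the loop with `if ( isset( $_POST[ 'password' ] ) && is_array( $_POST[ 'password' ] ) )` and skip values that are not strings. The keys are client-supplied and stored as-is, so checking them against existing keywords would keep stray entries out of the option. `PASSWORD_DEFAULT` instead of `PASSWORD_BCRYPT` would let `password_needs_rehash()` upgrade the stored hashes later.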
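Review bot: The new `else` branch in the `@@ -218,9` hunk copies `$matthew_pwprotection_array[ $url ]` without checking that the key exists, so a sentinel submitted for a keyword with no stored hash (or a `null` result from `json_decode()`) writes `null` into the option. `warning_redirection()` tests membership with `array_key_exists()`, so such an entry would mark the link as protected while no password can ever match it. Copy the hash only when it is present: `if ( isset( $matthew_pwprotection_array[ $url ] ) ) { ... } else { unset( $_POST[ 'password' ][ $url ] ); }`. The function body continues outside the hunk.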
@@ -221,7 +221,7 @@ function matthew_pwprotection_process_new() { $matthew_pwprotection_array = json_decode(yourls_get_option('matthew_pwprotection'), true); foreach( $_POST[ 'password' ] as $url => $url_password) { - if($url_password != "DONOTCHANGE") { + if($url_password != "DONOTCHANGE_8fggwrFrRXvqndzw") { $_POST[ 'password' ][ $url ] = password_hash($url_password, PASSWORD_BCRYPT); } else { $_POST[ 'password' ][ $url ] = $matthew_pwprotection_array[ $url ]; @@ -285,7 +285,7 @@ function matthew_pwprotection_process_display() { } if( array_key_exists( $short, (array)$matthew_pwprotection_array ) ){ // Check if URL is currently password protected or not $text = yourls__( "Enable?" ); - $password = "DONOTCHANGE"; + $password = "DONOTCHANGE_8fggwrFrRXvqndzw"; $checked = " checked"; $unchecked = ''; $style = '';
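Review bot: The sentinel `DONOTCHANGE_8fggwrFrRXvqndzw` is now repeated as a bare literal in `matthew_pwprotection_process_new()` and again in `matthew_pwprotection_process_display()` (the `@@ -285,7` hunk), so the two copies can drift apart on the next edit. Defining it once, e.g. `define( 'MATTHEW_PWP_KEEP', 'DONOTCHANGE_8fggwrFrRXvqndzw' );`, and comparing with `!==` makes the intent explicit. The value is still an in-band marker sent to the browser in the password field, so a short comment saying it means "keep the stored hash" and is not a secret would help the next maintainer. Both functions start and end outside these hunks.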