CSP tweaks again, login uid fix, mild cleanup

2021-08-12 14:49:45 -04:00 · 2021-08-12 14:49:45 -04:00 · 125441933c
commit 125441933c
parent ff621bce35
10 changed files with 12 additions and 11 deletions
--- a/changelang.php
+++ b/changelang.php
@ -16,7 +16,7 @@
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */

-    $app_disp_lang = filter_input(INPUT_POST, 'app_disp_lang', FILTER_SANITIZE_STRING);                 // GET SANITARY LANG CHOICE
+    $app_disp_lang = filter_input(INPUT_POST, 'app_disp_lang', FILTER_SANITIZE_FULL_SPECIAL_CHARS);                 // GET SANITARY LANG CHOICE
    // only works with new php?
    // setcookie ( 'app_disp_lang', $app_disp_lang, [
    //    'expires' => time() + 60*60*24*90,
--- a/inc/header.inc.php
+++ b/inc/header.inc.php
@ -61,7 +61,7 @@
    $session_user = $Users->getUserInfo((int)$sessuserid, "1", "0"); 
    if (isset($session_user)) {                                                 // GET UID OR SET TO KIOSK
        $uid = $session_user["0"]["users_id"];} else { $uid = "2"; }
-    $app_disp_lang = filter_input(INPUT_COOKIE, 'app_disp_lang');               // SETUP LANGUAGE
+    $app_disp_lang = filter_input(INPUT_COOKIE, 'app_disp_lang', FILTER_SANITIZE_FULL_SPECIAL_CHARS);               // SETUP LANGUAGE
    if(!isset($app_disp_lang)) {
        $app_disp_lang=$StaticFunctions->getDefaultLanguage(); }
    $siteidcookie = filter_input(INPUT_COOKIE, 'app_site');                     // SETUP SITE
@ -86,7 +86,8 @@
    $urlsrc=basename(filter_input(INPUT_SERVER, 'PHP_SELF', FILTER_SANITIZE_URL));
    header("X-Frame-Options: SAMEORIGIN");
    header("X-Content-Type-Options: nosniff");
-    header("Content-Security-Policy: default-src '$nonceHeader' 'self'; script-src '$nonceHeader' 'self' ; script-src-elem '$nonceHeader' 'self'; script-src-attr '$nonceHeader' 'self'; style-src '$nonceHeader' 'self'; style-src-elem '$nonceHeader' 'self'; style-src-attr '$nonceHeader' 'self'; img-src '$nonceHeader' 'self' data:; connect-src '$nonceHeader' 'self'; frame-src '$nonceHeader' 'self'; font-src '$nonceHeader' 'self'; media-src '$nonceHeader' 'self'; object-src '$nonceHeader' 'self'; manifest-src '$nonceHeader' 'self'; worker-src '$nonceHeader' 'self'; prefetch-src '$nonceHeader' 'self'; form-action '$nonceHeader' 'self'; frame-ancestors '$nonceHeader' 'self'");
+    //oldheader("Content-Security-Policy: default-src '$nonceHeader' 'self'; script-src '$nonceHeader' 'self' ; script-src-elem '$nonceHeader' 'self'; script-src-attr '$nonceHeader' 'self'; style-src '$nonceHeader' 'self'; style-src-elem '$nonceHeader' 'self'; style-src-attr '$nonceHeader' 'self'; img-src '$nonceHeader' 'self' data:; connect-src '$nonceHeader' 'self'; frame-src '$nonceHeader' 'self'; font-src '$nonceHeader' 'self'; media-src '$nonceHeader' 'self'; object-src '$nonceHeader' 'self'; manifest-src '$nonceHeader' 'self'; worker-src '$nonceHeader' 'self'; prefetch-src '$nonceHeader' 'self'; form-action '$nonceHeader' 'self'; frame-ancestors '$nonceHeader' 'self'");
+    header("Content-Security-Policy: default-src '$nonceHeader' 'self'; script-src '$nonceHeader' 'self' ; style-src '$nonceHeader' 'self'; img-src '$nonceHeader' 'self' data:; connect-src '$nonceHeader' 'self'; frame-src '$nonceHeader' 'self'; font-src '$nonceHeader' 'self'; media-src '$nonceHeader' 'self'; object-src '$nonceHeader' 'self'; manifest-src '$nonceHeader' 'self'; worker-src '$nonceHeader' 'self'; prefetch-src '$nonceHeader' 'self'; form-action '$nonceHeader' 'self'; frame-ancestors 'self'");
    if (!empty($_GET['a'])) {
      echo '<pre>' . print_r($_POST, true) . '</pre>';
      echo 'Verification has been : ' . (Csrf::verifyToken('home') ? 'successful' : 'unsuccessful'); }
--- a/logout.php
+++ b/logout.php
@ -34,7 +34,7 @@
        $session_user = $Users->getUserInfo($_SESSION['user_id'], "1", "0"); }
    if (isset($session_user)) {                                                 // GET UID OR SET TO KIOSK
        $uid = $session_user["0"]["users_id"];} else { $uid = "2"; }
-    $app_disp_lang = filter_input(INPUT_COOKIE, 'app_disp_lang');               // SETUP LANGUAGE
+    $app_disp_lang = filter_input(INPUT_COOKIE, 'app_disp_lang', FILTER_SANITIZE_FULL_SPECIAL_CHARS);               // SETUP LANGUAGE
    if(!isset($app_disp_lang)) {
        $app_disp_lang=$StaticFunctions->getDefaultLanguage(); }
    $siteidcookie = filter_input(INPUT_COOKIE, 'app_site');                     // SETUP SITE
--- a/printvwf.php
+++ b/printvwf.php
@ -63,7 +63,7 @@
    $session_user = $Users->getUserInfo($sessuserid, "1", "0"); }
    if (isset($session_user)) {                                                 // GET UID OR SET TO KIOSK
        $uid = $session_user["0"]["users_id"];} else { $uid = "2"; }
-    $app_disp_lang = filter_input(INPUT_COOKIE, 'app_disp_lang');               // SETUP LANGUAGE
+    $app_disp_lang = filter_input(INPUT_COOKIE, 'app_disp_lang', FILTER_SANITIZE_FULL_SPECIAL_CHARS);               // SETUP LANGUAGE
    if(!isset($app_disp_lang)) {
        $app_disp_lang=$StaticFunctions->getDefaultLanguage(); }
    $siteidcookie = filter_input(INPUT_COOKIE, 'app_site');                     // SETUP SITE
--- a/profile.php
+++ b/profile.php
@ -63,7 +63,7 @@
    $session_user = $Users->getUserInfo($sessuserid, "1", "0"); }
    if (isset($session_user)) {                                                 // GET UID OR SET TO KIOSK
        $uid = $session_user["0"]["users_id"];} else { $uid = "2"; }
-    $app_disp_lang = filter_input(INPUT_COOKIE, 'app_disp_lang');               // SETUP LANGUAGE
+    $app_disp_lang = filter_input(INPUT_COOKIE, 'app_disp_lang', FILTER_SANITIZE_FULL_SPECIAL_CHARS);               // SETUP LANGUAGE
    if(!isset($app_disp_lang)) {
        $app_disp_lang=$StaticFunctions->getDefaultLanguage(); }
    $siteidcookie = filter_input(INPUT_COOKIE, 'app_site');                     // SETUP SITE
--- a/reports.php
+++ b/reports.php
@ -63,7 +63,7 @@
    $session_user = $Users->getUserInfo($sessuserid, "1", "0"); }
    if (isset($session_user)) {                                                 // GET UID OR SET TO KIOSK
        $uid = $session_user["0"]["users_id"];} else { $uid = "2"; }
-    $app_disp_lang = filter_input(INPUT_COOKIE, 'app_disp_lang');               // SETUP LANGUAGE
+    $app_disp_lang = filter_input(INPUT_COOKIE, 'app_disp_lang', FILTER_SANITIZE_FULL_SPECIAL_CHARS);               // SETUP LANGUAGE
    if(!isset($app_disp_lang)) {
        $app_disp_lang=$StaticFunctions->getDefaultLanguage(); }
    $siteidcookie = filter_input(INPUT_COOKIE, 'app_site');                     // SETUP SITE
--- a/signin.php
+++ b/signin.php
@ -35,7 +35,7 @@
        $session_user = $Users->getUserInfo($_SESSION['user_id'], "1", "0"); }
    if (isset($session_user)) {                                                 // GET UID OR SET TO KIOSK
        $uid = $session_user["0"]["users_id"];} else { $uid = "2"; }
-    $app_disp_lang = filter_input(INPUT_COOKIE, 'app_disp_lang');               // SETUP LANGUAGE
+    $app_disp_lang = filter_input(INPUT_COOKIE, 'app_disp_lang', FILTER_SANITIZE_FULL_SPECIAL_CHARS);               // SETUP LANGUAGE
    if(!isset($app_disp_lang)) {
        $app_disp_lang=$StaticFunctions->getDefaultLanguage(); }
    $siteidcookie = filter_input(INPUT_COOKIE, 'app_site');                     // SETUP SITE
--- a/signin_display.php
+++ b/signin_display.php
@ -35,7 +35,7 @@
        $session_user = $Users->getUserInfo($_SESSION['user_id'], "1", "0"); }
    if (isset($session_user)) {                                                 // GET UID OR SET TO KIOSK
        $uid = $session_user["0"]["users_id"];} else { $uid = "2"; }
-    $app_disp_lang = filter_input(INPUT_COOKIE, 'app_disp_lang');               // SETUP LANGUAGE
+    $app_disp_lang = filter_input(INPUT_COOKIE, 'app_disp_lang', FILTER_SANITIZE_FULL_SPECIAL_CHARS);               // SETUP LANGUAGE
    if(!isset($app_disp_lang)) {
        $app_disp_lang=$StaticFunctions->getDefaultLanguage(); }
    $siteidcookie = filter_input(INPUT_COOKIE, 'app_site');                     // SETUP SITE
--- a/signout.php
+++ b/signout.php
@ -35,7 +35,7 @@
        $session_user = $Users->getUserInfo($_SESSION['user_id'], "1", "0"); }
    if (isset($session_user)) {                                                 // GET UID OR SET TO KIOSK
        $uid = $session_user["0"]["users_id"];} else { $uid = "2"; }
-    $app_disp_lang = filter_input(INPUT_COOKIE, 'app_disp_lang');               // SETUP LANGUAGE
+    $app_disp_lang = filter_input(INPUT_COOKIE, 'app_disp_lang', FILTER_SANITIZE_FULL_SPECIAL_CHARS);               // SETUP LANGUAGE
    if(!isset($app_disp_lang)) {
        $app_disp_lang=$StaticFunctions->getDefaultLanguage(); }
    $siteidcookie = filter_input(INPUT_COOKIE, 'app_site');                     // SETUP SITE
--- a/users.php
+++ b/users.php
@ -63,7 +63,7 @@
    $session_user = $Users->getUserInfo($sessuserid, "1", "0"); }
    if (isset($session_user)) {                                                 // GET UID OR SET TO KIOSK
        $uid = $session_user["0"]["users_id"];} else { $uid = "2"; }
-    $app_disp_lang = filter_input(INPUT_COOKIE, 'app_disp_lang');               // SETUP LANGUAGE
+    $app_disp_lang = filter_input(INPUT_COOKIE, 'app_disp_lang', FILTER_SANITIZE_FULL_SPECIAL_CHARS);               // SETUP LANGUAGE
    if(!isset($app_disp_lang)) {
        $app_disp_lang=$StaticFunctions->getDefaultLanguage(); }
    $siteidcookie = filter_input(INPUT_COOKIE, 'app_site');                     // SETUP SITE