CSP tweaks again, login uid fix, mild cleanup

This commit is contained in:
2021-08-11 20:12:35 -04:00
parent 0b45ed9e02
commit ff621bce35
7 changed files with 90 additions and 92 deletions


@@ -31,14 +31,14 @@
<?php } ?>
</div>
</div>
<script nonce="<?=$_SESSION['nonce']?>">window.jQuery || document.write('<script src="js/jquery.min.js"><\/script>')</script>
<script nonce="<?=$_SESSION['nonce']?>">
<script nonce="<?=$_SESSION['nonceStr']?>">window.jQuery || document.write('<script src="js/jquery.min.js"><\/script>')</script>
<script nonce="<?=$_SESSION['nonceStr']?>">
var popoverTriggerList = [].slice.call(document.querySelectorAll('[data-bs-toggle="popover"]'))
var popoverList = popoverTriggerList.map(function (popoverTriggerEl) {
return new bootstrap.Popover(popoverTriggerEl)
})
</script>
<script src="js/bootstrap.min.js" nonce="<?=$_SESSION['nonce']?>"></script>
<script src="js/bootstrap.min.js" nonce="<?=$_SESSION['nonceStr']?>"></script>
<!-- END FOOTER CONTENT -->
</body>
</html>


@@ -57,7 +57,8 @@
} else {
$sessuserid='2';
}
$session_user = $Users->getUserInfo($sessuserid, "1", "0"); }
}
$session_user = $Users->getUserInfo((int)$sessuserid, "1", "0");
if (isset($session_user)) { // GET UID OR SET TO KIOSK
$uid = $session_user["0"]["users_id"];} else { $uid = "2"; }
$app_disp_lang = filter_input(INPUT_COOKIE, 'app_disp_lang'); // SETUP LANGUAGE
@@ -80,18 +81,15 @@
$timeplus = new DateTime($StaticFunctions->getUTC(), new DateTimeZone('UTC')); // DUMB WAY TO CALCULATE SOME TIMES
$timeplus->setTimezone(new DateTimeZone("$timezone"));
$timenow = $timeplus->format('Y-m-d H:i:s');
$_SESSION['nonce']= base64_encode(random_bytes(32));
$noncestring="nonce-".$_SESSION['nonce'];
$urlsrc=basename($_SERVER['PHP_SELF']);
header("X-Frame-Options: SAMEORIGIN");
header("X-Content-Type-Options: nosniff");
//header("Content-Security-Policy: default-src '$urlsrc'; script-src '$urlsrc'");
header("Content-Security-Policy: default-src '$noncestring' 'self'; script-src '$noncestring' 'self' ; script-src-elem '$noncestring' 'self'; script-src-attr '$noncestring' 'self'; style-src '$noncestring' 'self'; style-src-elem '$noncestring' 'self'; style-src-attr '$noncestring' 'self'; img-src '$noncestring' 'self' data:; connect-src '$noncestring' 'self'; frame-src '$noncestring' 'self'; font-src '$noncestring' 'self'; media-src '$noncestring' 'self'; object-src '$noncestring' 'self'; manifest-src '$noncestring' 'self'; worker-src '$noncestring' 'self'; prefetch-src '$noncestring' 'self'; form-action '$noncestring' 'self'; frame-ancestors '$noncestring' 'self'");
//header("Content-Security-Policy: script-src 'self' 'unsafe-inline'; script-src-elem 'self'; script-src-attr 'self'; style-src 'self'; style-src-elem 'self'; style-src-attr 'self'; img-src 'self'; connect-src 'self'; frame-src 'self'; font-src 'self'; media-src 'self'; object-src 'self'; manifest-src 'self'; worker-src 'self'; prefetch-src 'self'; form-action 'self'; frame-ancestors 'self'; default-src 'self'", false);
if (!empty($_GET['a'])) {
echo '<pre>' . print_r($_POST, true) . '</pre>';
echo 'Verification has been : ' . (Csrf::verifyToken('home') ? 'successful' : 'unsuccessful');
}
$_SESSION['nonceStr'] = base64_encode(random_bytes(32));
$nonceHeader="nonce-".$_SESSION['nonceStr'];
$urlsrc=basename(filter_input(INPUT_SERVER, 'PHP_SELF', FILTER_SANITIZE_URL));
header("X-Frame-Options: SAMEORIGIN");
header("X-Content-Type-Options: nosniff");
header("Content-Security-Policy: default-src '$nonceHeader' 'self'; script-src '$nonceHeader' 'self' ; script-src-elem '$nonceHeader' 'self'; script-src-attr '$nonceHeader' 'self'; style-src '$nonceHeader' 'self'; style-src-elem '$nonceHeader' 'self'; style-src-attr '$nonceHeader' 'self'; img-src '$nonceHeader' 'self' data:; connect-src '$nonceHeader' 'self'; frame-src '$nonceHeader' 'self'; font-src '$nonceHeader' 'self'; media-src '$nonceHeader' 'self'; object-src '$nonceHeader' 'self'; manifest-src '$nonceHeader' 'self'; worker-src '$nonceHeader' 'self'; prefetch-src '$nonceHeader' 'self'; form-action '$nonceHeader' 'self'; frame-ancestors '$nonceHeader' 'self'");
if (!empty($_GET['a'])) {
echo '<pre>' . print_r($_POST, true) . '</pre>';
echo 'Verification has been : ' . (Csrf::verifyToken('home') ? 'successful' : 'unsuccessful'); }
?>
<!doctype html>
<html lang="<?php echo $app_disp_lang; ?>">
@@ -102,33 +100,33 @@
<link rel="manifest" href="manifest.webmanifest">
<meta name="apple-mobile-web-app-capable" content="yes">
<meta name="apple-mobile-web-app-title" content="<?php echo $transLang['APP_NAME']; ?>">
<link rel="apple-touch-icon" href="assets/touch-logo.png?v3" nonce="<?=$_SESSION['nonce']?>">
<link rel="apple-touch-icon" href="assets/touch-logo.png?v3" nonce="<?=$_SESSION['nonceStr']?>">
<meta http-equiv="content-type" content="text/html; charset=UTF-8"/>
<?php if (basename($_SERVER['PHP_SELF']) == 'signin_display.php'): ?> <meta http-equiv="refresh" content="5; url=index.php" /><?php endif; ?>
<link rel="stylesheet" href="css/bootstrap.min.css?v3" nonce="<?=$_SESSION['nonce']?>"/>
<link rel="stylesheet" href="css/sticky-footer-navbar.css?v3" nonce="<?=$_SESSION['nonce']?>"/>
<link rel="stylesheet" href="css/all.min.css?v3" nonce="<?=$_SESSION['nonce']?>"/>
<link rel="stylesheet" href="css/fontawesome.min.css?v3" nonce="<?=$_SESSION['nonce']?>"/>
<link rel="stylesheet" href="css/brands.min.css?v3" nonce="<?=$_SESSION['nonce']?>"/>
<link rel="stylesheet" href="css/regular.min.css?v3" nonce="<?=$_SESSION['nonce']?>"/>
<link rel="stylesheet" href="css/animate.min.css?v3" nonce="<?=$_SESSION['nonce']?>"/>
<link rel="stylesheet" href="css/datatables.min.css?v3" nonce="<?=$_SESSION['nonce']?>"/>
<link rel="stylesheet" href="css/styles.css?v3" nonce="<?=$_SESSION['nonce']?>"/>
<link rel="stylesheet" href="css/tempusdominus-bootstrap-4.min.css?v3" nonce="<?=$_SESSION['nonce']?>"/>
<?php if (basename(filter_input(INPUT_SERVER, 'PHP_SELF', FILTER_SANITIZE_URL)) == 'signin_display.php'): ?> <meta http-equiv="refresh" content="5; url=index.php" /><?php endif; ?>
<link rel="stylesheet" href="css/bootstrap.min.css?v3" nonce="<?=$_SESSION['nonceStr']?>"/>
<link rel="stylesheet" href="css/sticky-footer-navbar.css?v3" nonce="<?=$_SESSION['nonceStr']?>"/>
<link rel="stylesheet" href="css/all.min.css?v3" nonce="<?=$_SESSION['nonceStr']?>"/>
<link rel="stylesheet" href="css/fontawesome.min.css?v3" nonce="<?=$_SESSION['nonceStr']?>"/>
<link rel="stylesheet" href="css/brands.min.css?v3" nonce="<?=$_SESSION['nonceStr']?>"/>
<link rel="stylesheet" href="css/regular.min.css?v3" nonce="<?=$_SESSION['nonceStr']?>"/>
<link rel="stylesheet" href="css/animate.min.css?v3" nonce="<?=$_SESSION['nonceStr']?>"/>
<link rel="stylesheet" href="css/datatables.min.css?v3" nonce="<?=$_SESSION['nonceStr']?>"/>
<link rel="stylesheet" href="css/styles.css?v3" nonce="<?=$_SESSION['nonceStr']?>"/>
<link rel="stylesheet" href="css/tempusdominus-bootstrap-4.min.css?v3" nonce="<?=$_SESSION['nonceStr']?>"/>
<meta name="description" content="<?php echo $transLang['META_DESC']; ?>" />
<script src="js/jquery.min.js?v3" nonce="<?=$_SESSION['nonce']?>"></script>
<script src="js/bootstrap.bundle.min.js?v3" nonce="<?=$_SESSION['nonce']?>"></script>
<script src="js/datatables.min.js?v3" nonce="<?=$_SESSION['nonce']?>"></script>
<script src="js/buttons.flash.min.js?v3" nonce="<?=$_SESSION['nonce']?>"></script>
<script src="js/buttons.html5.min.js?v3" nonce="<?=$_SESSION['nonce']?>"></script>
<script src="js/buttons.print.min.js?v3" nonce="<?=$_SESSION['nonce']?>"></script>
<script src="js/dataTables.buttons.min.js?v3" nonce="<?=$_SESSION['nonce']?>"></script>
<script src="js/jszip.min.js?v3" nonce="<?=$_SESSION['nonce']?>"></script>
<script src="js/pdfmake.min.js?v46" nonce="<?=$_SESSION['nonce']?>"></script>
<script src="js/vfs_fonts.js?v4" nonce="<?=$_SESSION['nonce']?>"></script>
<script src="js/moment.min.js?v3" nonce="<?=$_SESSION['nonce']?>"></script>
<script src="js/tempusdominus-bootstrap-4.min.js?v3" nonce="<?=$_SESSION['nonce']?>"></script>
<script src="js/jSignature.min.js?v3" nonce="<?=$_SESSION['nonce']?>"></script>
<script src="js/jquery.min.js?v3" nonce="<?=$_SESSION['nonceStr']?>"></script>
<script src="js/bootstrap.bundle.min.js?v3" nonce="<?=$_SESSION['nonceStr']?>"></script>
<script src="js/datatables.min.js?v3" nonce="<?=$_SESSION['nonceStr']?>"></script>
<script src="js/buttons.flash.min.js?v3" nonce="<?=$_SESSION['nonceStr']?>"></script>
<script src="js/buttons.html5.min.js?v3" nonce="<?=$_SESSION['nonceStr']?>"></script>
<script src="js/buttons.print.min.js?v3" nonce="<?=$_SESSION['nonceStr']?>"></script>
<script src="js/dataTables.buttons.min.js?v3" nonce="<?=$_SESSION['nonceStr']?>"></script>
<script src="js/jszip.min.js?v3" nonce="<?=$_SESSION['nonceStr']?>"></script>
<script src="js/pdfmake.min.js?v46" nonce="<?=$_SESSION['nonceStr']?>"></script>
<script src="js/vfs_fonts.js?v4" nonce="<?=$_SESSION['nonceStr']?>"></script>
<script src="js/moment.min.js?v3" nonce="<?=$_SESSION['nonceStr']?>"></script>
<script src="js/tempusdominus-bootstrap-4.min.js?v3" nonce="<?=$_SESSION['nonceStr']?>"></script>
<script src="js/jSignature.min.js?v3" nonce="<?=$_SESSION['nonceStr']?>"></script>
<title><?php echo $StaticFunctions->getTitle($app_current_pagename, $app_disp_lang); ?></title>
</head>
<!-- END HEAD -->
@@ -137,7 +135,7 @@
<!-- START NAVBAR -->
<nav class="navbar navbar-expand-lg navbar-light bg-light mb-2">
<div class="container-fluid">
<a class="navbar-brand" href="index.php"><img src="<?php echo $StaticFunctions->getLogo(); ?>" width="120" height="60" alt="" nonce="<?=$_SESSION['nonce']?>"></a>
<a class="navbar-brand" href="index.php"><img src="<?php echo $StaticFunctions->getLogo(); ?>" width="120" height="60" alt="" nonce="<?=$_SESSION['nonceStr']?>"></a>
<button class="navbar-toggler" type="button" data-bs-toggle="collapse" data-bs-target="#navbar"><span class="navbar-toggler-icon"></span></button>
<div class="collapse navbar-collapse" id="navbar">
<ul class="navbar-nav me-auto mb-2 mb-lg-0">
@@ -225,13 +223,13 @@
</div>
</div>
</div>
<script nonce="<?=$_SESSION['nonce']?>">
<script nonce="<?=$_SESSION['nonceStr']?>">
$(".changelang").change(function(e){
e.preventDefault();
$(this).closest("form").submit();
});
</script>
<script nonce="<?=$_SESSION['nonce']?>">
<script nonce="<?=$_SESSION['nonceStr']?>">
$(document).ready(function () {
//POP MODAL IF NO COOKIE
if ( document.cookie.indexOf("app_site=") < 0) {
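Review bot: The debug dump in the `@@ -80,18 +81,15 @@` hunk, `if (!empty($_GET['a'])) { echo '<pre>' . print_r($_POST, true) . '</pre>'; …`, survives the cleanup and still echoes every submitted POST field unescaped into the page, so any request to `?a=1` reflects attacker-controlled markup and reveals whatever the form carried (credentials too, if this header is included on the login page — not visible here). The nonce CSP blocks an injected inline `<script>`, but not HTML injection or the data leak itself; drop the block, or at least gate it on a server-side debug flag rather than a query parameter and emit `htmlspecialchars(print_r($_POST, true), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. Separately, `'nonce-…'` is only honoured in `script-src`/`style-src` (and their `-elem` variants); browsers ignore it in `default-src`, `img-src`, `connect-src`, `form-action`, `frame-ancestors` and the other directives, so those can be reduced to `'self'`, and `object-src 'self'` is better written as `'none'` since the template loads no plugin content. `$urlsrc` on the new side is also assigned but, as far as the visible hunks show, no longer read now that the commented-out CSP line was removed.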