From fe79d6a28a47007976d444346fd0334dce6bdce4 Mon Sep 17 00:00:00 2001 From: Devops Date: Mon, 15 May 2017 00:35:48 +0100 Subject: [PATCH] www/dbq/dbq.php --- www/dbq/dbq.php | 180 ++++++++++++++++++++++++++++++++++-------------- 1 file changed, 127 insertions(+), 53 deletions(-) diff --git a/www/dbq/dbq.php b/www/dbq/dbq.php index 8d8f1904..b01a5414 100644 --- a/www/dbq/dbq.php +++ b/www/dbq/dbq.php @@ -27,6 +27,9 @@ class DbQ extends nb { public $format_html = 'table'; public $format_html_ua_exp = '/^\S+\s+.Windows|iPhone|Android|Macintosh|Linux/'; + public $hide_keys_exp = 'PHP_AUTH_DIGEST|PHP_AUTH_PW|PHP_AUTH_USER|REMOTE_PASSWORD|Authorization|HTTP_AUTHORIZATION'; + public $hide_keys_value = '****************'; + public $uri; public $uri_params; public $param_args_sep = '|'; @@ -79,6 +82,7 @@ class DbQ extends nb { 'format_html_ua_exp' ] as $k) { $env = 'DBQ_'.strtoupper($k); + if (isset($_SERVER[$env])) $this->$k = $_SERVER[$env]; } @@ -95,6 +99,12 @@ class DbQ extends nb { $run = isset($opt['run']) ? $opt['run'] : false; unset($opt['run']); + // Format perm into int value + $perm = strtolower($this->perm); + if (isset($this->perms[$perm])) { + $this->perm = $this->perms[$perm]; + } + parent::__construct($opt); // @@ -156,14 +166,17 @@ class DbQ extends nb { ]; $this->page->js_code = 'window._dbq = '.json_encode($this->json); - list($title,$nav) = $this->title_nav(); - $this->page->title = join($this->sep_title,$title); - $this->page->nav = $nav; + if (is_scalar($obj) and $obj != 'logout') { + list($title,$nav) = $this->title_nav(); + $this->page->title = join($this->sep_title,$title); + $this->page->nav = $nav; + } $this->page->body_class = '' .(empty($this->params['db']) ? '' : ' db-'.$this->params['db']) .(empty($this->params['table']) ? '' : ' table-'.$this->params['table']) .(empty($this->params['action']) ? ' action-'.self::PARAM_DB_DEFAULT : ' action-'.$this->params['action']) + ; $this->page->begin(); } @@ -271,6 +284,7 @@ class DbQ extends nb { and ( strpos('table view',$this->table->type()) !== false ) ); } + public function table_rows($fct=null) { $this->db->limit = $this->limit(); @@ -481,6 +495,13 @@ EOF; return $this->db->ssha_password($password); } + public function perm2h() { + foreach ($this->perms as $k => $v) { + if ( strtolower($this->perm) === strtolower($v) ) return $k; + } + return $this->perm; + } + public function status() { #$this->perm--; $rows = []; @@ -489,6 +510,7 @@ EOF; 'addr', 'port', 'software', + 'remote_user', ] as $k) { if ($this->perm < self::ADMIN and $k == 'software') continue; @@ -499,14 +521,24 @@ EOF; $rows[] = [ 'name' => 'server.'.$k, 'value' => $v ]; } + // User + if ($user = $this->logged()) { + $rows[] = [ 'name' => 'user.name', 'value' => $user ]; + $rows[] = [ 'name' => 'user.perm', 'value' => $this->perm2h() ]; + } + // Client headers - foreach ($this->client_header() as $k=>$v) $rows[] = [ - 'name' => 'client.header.'.$k, - 'value' => ( is_scalar($v) ? $v : json_encode($v) ), - ]; + foreach ($this->client_header() as $k=>$v) { + if ( preg_match('/^(' . $this->hide_keys_exp . ')$/', $k)) $v = $this->hide_keys_value; + + $rows[] = [ + 'name' => 'client.header.'.$k, + 'value' => ( is_scalar($v) ? $v : json_encode($v) ), + ]; + } // Admin or bye ! - if ($this->perm < self::ADMIN) return $rows; + #if ($this->perm < self::ADMIN) return $rows; /* // Headers sent @@ -540,7 +572,8 @@ EOF; // Machine #if ($this->perm >= self::ADMIN) {} if (function_exists('posix_uname')) { - foreach (posix_uname() as $k=>$v) { + foreach (posix_uname() as $k => $v) { + if ($k == 'domainname' and $v == '(none)') continue; $rows[] = [ 'name' => 'posix.uname.'.$k, 'value' => $v ]; } } @@ -626,6 +659,12 @@ EOF; if ($p['value'] and !$this->str_match($value,$p['value'])) continue; if ($p['section'] and !$this->str_match($_section,$p['section'])) continue; + if ($_section == 'PHP_VARIABLES' + and preg_match('/^(.?_SERVER\[.)?(.' . $this->hide_keys_exp . ')(.\])?$/', $name) + ) { + $value = $this->hide_keys_value; + } + $rows[] = [ 'section' => $_section, 'name' => $name, @@ -665,6 +704,73 @@ EOF; } + public function logged() { + if (!empty($_SERVER['PHP_AUTH_USER'])) return $_SERVER['PHP_AUTH_USER']; + if (!empty($_SERVER['REMOTE_USER'])) return $_SERVER['REMOTE_USER']; + return ''; + } + + public function logout() { + + if (0) { + unset($_SERVER["PHP_AUTH_DIGEST"]); + unset($_SERVER['PHP_AUTH_PW']); + unset($_SERVER['PHP_AUTH_USER']); + unset($_SERVER['REMOTE_PASSWORD']); + unset($_SERVER['REMOTE_USER']); + + #header('Content-type: text/html'); + if (empty($_REQUEST['realm'])) header('WWW-Authenticate: Basic'); + else header('WWW-Authenticate: Basic realm="'.$_REQUEST['realm'].'"'); + + header('HTTP/1.1 401 Access Denied'); + header('HTTP/1.1 401 Unauthorized'); + } + + if (1) echo << +document.addEventListener("DOMContentLoaded", function(event){ +function dbq_logout(referrer='') { + + if (referrer == '') referrer = document.referrer; + var userAgent = navigator.userAgent.toLowerCase(); + + if (userAgent.indexOf("msie") != -1) { + document.execCommand("ClearAuthenticationCache", false); + } + + var http; + if (window.XMLHttpRequest) { + http = new XMLHttpRequest(); + } else if(window.ActiveXObject) { + http = new ActiveXObject("Microsoft.XMLHTTP"); + } else { + alert ("Your browser is too old, please close your browser to logout."); + return false; + } + + /* + if (referrer) document.location = referrer; + return; + */ + var url = '/logout/'; + http.open("GET", url, true, '\\0', 'password'); + http.onload = function() { + if (!this.status || this.readyState != 4) return; + if (referrer) document.location = referrer; + }; + http.send(); + +} + +dbq_logout(); +}); + +EOF; + + #exit; + } + public function run_root() { $action = $this->params['db']; if (!$action and self::PARAM_DB_DEFAULT) $action = self::PARAM_DB_DEFAULT; @@ -696,45 +802,9 @@ EOF; }); } elseif ($action == 'logout') { - unset($_SERVER['PHP_AUTH_USER']); - unset($_SERVER['PHP_AUTH_PW']); - unset($_SERVER['REMOTE_USER']); - unset($_SERVER['REMOTE_PASSWORD']); - unset($_SERVER["PHP_AUTH_DIGEST"]); - #header('Content-type: text/html'); - if (empty($_REQUEST['realm'])) header('WWW-Authenticate: Basic'); - else header('WWW-Authenticate: Basic realm="'.$_REQUEST['realm'].'"'); - header('HTTP/1.1 401 Access Denied'); - header('HTTP/1.1 401 Unauthorized'); - if (0) echo << - - -401 - - - -EOF; - #echo '401 Unauthorized'; - #javascript:(function(c){var a,b="You should be logged out now.";try{a=document.execCommand("ClearAuthenticationCache")}catch(d){}a||((a=window.XMLHttpRequest?new window.XMLHttpRequest:window.ActiveXObject?new ActiveXObject("Microsoft.XMLHTTP"):void 0)?(a.open("HEAD",c||location.href,!0,"logout",(new Date).getTime().toString()),a.send(""),a=1):a=void 0);a||(b="Your browser is too old or too weird to support log out functionality. Close all windows and restart the browser.");alert(b)})(/*pass safeLocation here if you need*/);uI# - #echo '401 Unauthorized

401 Unauthorized

You are not allowed to see this page. Reload the page to try again.

'; - #if (empty($_REQUEST['user'])) header('Location: '.str_replace('//','//'.$_REQUEST['user'].'@',(isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/'))); - #header('Location: '.(isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/')); - echo ''; - #if (!empty($_SERVER['PHP_AUTH_USER'])) header('Location: '.str_replace('//','//@',(isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/'))); - exit; + + #$this->logout(); + $this->page($this,'logout'); } elseif ($action == 'ssha_password') { $this->page($this,'ssha_password'); @@ -755,17 +825,21 @@ EOF; $this->rows_table($action,$this->phpinfo_rows()); #$this->page(['phpinfo'=>$this->page->phpinfo(true)]); #$this->page($this->page->phpinfo()); - $this->page($this,'phpinfo_rows'); + #$this->page($this,'phpinfo_rows'); #$this->phpinfo_rows(); } elseif (0 or $action == '_SERVER' or $action == '_REQUEST' ) { - $rows = []; foreach ($GLOBALS[$action] as $k=>$v) $rows[] = [ - 'name' => $k, - 'value' => ( is_scalar($v) ? $v : json_encode($v) ), - ]; + $rows = []; + foreach ($GLOBALS[$action] as $k=>$v) { + if (preg_match('/^(' . $this->hide_keys_exp . ')/', $k)) $v = $this->hide_keys_value; + $rows[] = [ + 'name' => $k, + 'value' => ( is_scalar($v) ? $v : json_encode($v) ), + ]; + } $this->page($rows); } -- 2.47.3