mirror of
https://github.com/slawkens/myaac.git
synced 2025-09-14 20:43:34 +02:00
Compare commits
22 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
016138ab55 | ||
|
|
77efb80a12 | ||
|
|
02eea950e4 | ||
|
|
2793c41655 | ||
|
|
62d3c198d5 | ||
|
|
ef62b53cec | ||
|
|
7181b988e9 | ||
|
|
8b0b123f42 | ||
|
|
f98332c698 | ||
|
|
b1660bf27a | ||
|
|
191ad25eb2 | ||
|
|
7469be6efb | ||
|
|
47a3bfd265 | ||
|
|
5ae0be2323 | ||
|
|
42154d55a0 | ||
|
|
9dcc08ee6e | ||
|
|
ba537b42bb | ||
|
|
9c318f9012 | ||
|
|
a88103a956 | ||
|
|
e26e6f3a1c | ||
|
|
08d67a07e0 | ||
|
|
6e9a89cb2e |
2
.gitignore
vendored
2
.gitignore
vendored
@@ -11,10 +11,12 @@ vendor
|
||||
|
||||
# npm
|
||||
node_modules
|
||||
tools/ext
|
||||
|
||||
# cypress
|
||||
cypress.env.json
|
||||
cypress/e2e/2-advanced-examples
|
||||
cypress/screenshots
|
||||
|
||||
# created by release.sh
|
||||
releases
|
||||
|
||||
21
CHANGELOG.md
21
CHANGELOG.md
@@ -1,5 +1,26 @@
|
||||
# Changelog
|
||||
|
||||
## [0.8.17 - 15.04.2024]
|
||||
|
||||
### Added
|
||||
* TwigTypeCastingExtension (https://github.com/slawkens/myaac/commit/7181b988e9518320d57486670ca4e2d3b2fe1cfa)
|
||||
|
||||
### Fixed
|
||||
* fix XSS in creatures.php (https://github.com/slawkens/myaac/commit/02eea950e4fd756e8d5c32e56181986d51f5ac70, @gesior)
|
||||
* don't allow redirect to external website (https://github.com/slawkens/myaac/commit/ef62b53cec5a479cc85aa15940ad9ebbcefde876)
|
||||
* change_info if account_country is disabled (https://github.com/slawkens/myaac/commit/62d3c198d567541a90900fe2d7ede070e7b1ff68)
|
||||
|
||||
### Changed
|
||||
* use word-break: break-all in guilds description + character comment (https://github.com/slawkens/myaac/commit/191ad25eb2d4c1cec6f6668da7a345fec0ad2a7f)
|
||||
* set default status_ip to 127.0.0.1, most server are hosted locally anyway (https://github.com/slawkens/myaac/commit/2793c41655b47f7db295143a298ccda70f11462b)
|
||||
|
||||
## [0.8.16 - 12.02.2024]
|
||||
|
||||
### Fixed
|
||||
* broken installation
|
||||
* database and finish step warnings/errors (https://github.com/slawkens/myaac/pull/245, @danilopucci)
|
||||
* silently ignore if the hook does not exist
|
||||
|
||||
## [0.8.15 - 09.12.2023]
|
||||
|
||||
More security fixes, especially in bugtracker.
|
||||
|
||||
24
README.md
24
README.md
@@ -10,21 +10,20 @@ Official website: https://my-aac.org
|
||||
[](https://discord.gg/2J39Wus)
|
||||
[](https://github.com/slawkens/myaac/issues?q=is%3Aissue+is%3Aclosed)
|
||||
|
||||
| Version | Status | Branch | Requirements |
|
||||
|:-----------|:------------------------------------------|:--------|:---------------|
|
||||
| **0.10.x** | **Active development** | develop | **PHP >= 8.0** |
|
||||
| 0.9.x | Active support | 0.9 | PHP >= 7.2.5 |
|
||||
| 0.8.x | Active support | master | PHP >= 7.2.5 |
|
||||
| 0.7.x | End Of Life | 0.7 | PHP >= 5.3.3 |
|
||||
| Version | Status | Branch | Requirements |
|
||||
|:--------|:-----------------------|:--------|:---------------|
|
||||
| **1.x** | **Active development** | develop | **PHP >= 8.1** |
|
||||
| 0.9.x | Not developed anymore | 0.9 | PHP >= 7.2.5 |
|
||||
| 0.8.x | Active support | master | PHP >= 7.2.5 |
|
||||
| 0.7.x | End Of Life | 0.7 | PHP >= 5.3.3 |
|
||||
|
||||
### Requirements
|
||||
|
||||
- PHP 7.2.5 or later
|
||||
- MySQL database
|
||||
- PDO PHP Extension
|
||||
- XML PHP Extension
|
||||
- ZIP PHP Extension
|
||||
- (optional) mod_rewrite to use friendly_urls
|
||||
- PHP Extensions: pdo, xml, json
|
||||
- (optional) apache2 mod_rewrite (to use friendly_urls)
|
||||
- (optional) zip PHP Extension (to install plugins)
|
||||
- (optional) gd PHP Extension (for generating signature images)
|
||||
|
||||
### Installation
|
||||
|
||||
@@ -48,7 +47,8 @@ Official website: https://my-aac.org
|
||||
|
||||
### Configuration
|
||||
|
||||
Check *config.php* to get more informations.
|
||||
Check *config.php* to get more informations. (Notice: MyAAC 1.0+ doesn't use config.php anymore, it has been moved to Admin Panel - Settings page).
|
||||
|
||||
Use *config.local.php* for your local configuration changes.
|
||||
|
||||
### Branches
|
||||
|
||||
16
SECURITY.md
Normal file
16
SECURITY.md
Normal file
@@ -0,0 +1,16 @@
|
||||
# Security Policy
|
||||
|
||||
## Supported Versions
|
||||
|
||||
| Version | Supported |
|
||||
| ------- | ------------------ |
|
||||
| 1.x.y | :white_check_mark: |
|
||||
| 0.9.x | :x: |
|
||||
| 0.8.x | :white_check_mark: |
|
||||
| < 0.7 | :x: |
|
||||
|
||||
## Reporting a Vulnerability
|
||||
|
||||
If you found a security vulnerability, please write an email to security@my-aac.org
|
||||
|
||||
All reports will be taken very seriously, and a fix will be posted as soon as possible.
|
||||
@@ -26,7 +26,7 @@
|
||||
if (version_compare(phpversion(), '7.2.5', '<')) die('PHP version 7.2.5 or higher is required.');
|
||||
|
||||
define('MYAAC', true);
|
||||
define('MYAAC_VERSION', '0.8.15');
|
||||
define('MYAAC_VERSION', '0.8.17');
|
||||
define('DATABASE_VERSION', 33);
|
||||
define('TABLE_PREFIX', 'myaac_');
|
||||
define('START_TIME', microtime(true));
|
||||
@@ -100,7 +100,7 @@ for($i = 1; $i < $size; $i++)
|
||||
$basedir = str_replace(array('/admin', '/install', '/tools'), '', $basedir);
|
||||
define('BASE_DIR', $basedir);
|
||||
|
||||
if (file_exists(BASE . 'config.local.php')) {
|
||||
if (file_exists(BASE . 'config.local.php') && !defined('MYAAC_INSTALL')) {
|
||||
require BASE . 'config.local.php';
|
||||
}
|
||||
|
||||
|
||||
@@ -268,9 +268,9 @@ $config = array(
|
||||
|
||||
// status, took automatically from config file if empty
|
||||
'status_enabled' => true, // you can disable status checking by settings this to "false"
|
||||
'status_ip' => '',
|
||||
'status_ip' => '127.0.0.1',
|
||||
'status_port' => '',
|
||||
'status_timeout' => 2, // how long to wait for the initial response from the server (default: 2 seconds)
|
||||
'status_timeout' => 1.0, // how long to wait for the initial response from the server (default: 1 second)
|
||||
|
||||
// how often to connect to server and update status (default: every minute)
|
||||
// if your status timeout in config.lua is bigger, that it will be used instead
|
||||
|
||||
@@ -11,8 +11,10 @@ $error = false;
|
||||
require BASE . 'install/includes/config.php';
|
||||
|
||||
ini_set('max_execution_time', 300);
|
||||
|
||||
@ob_end_flush();
|
||||
ob_implicit_flush();
|
||||
ob_end_flush();
|
||||
|
||||
header('X-Accel-Buffering: no');
|
||||
|
||||
if(!$error) {
|
||||
|
||||
@@ -8,8 +8,10 @@ require BASE . 'install/includes/functions.php';
|
||||
require BASE . 'install/includes/locale.php';
|
||||
|
||||
ini_set('max_execution_time', 300);
|
||||
|
||||
@ob_end_flush();
|
||||
ob_implicit_flush();
|
||||
ob_end_flush();
|
||||
|
||||
header('X-Accel-Buffering: no');
|
||||
|
||||
if(isset($config['installed']) && $config['installed'] && !isset($_SESSION['saved'])) {
|
||||
|
||||
@@ -13,9 +13,16 @@ server {
|
||||
return 404;
|
||||
}
|
||||
|
||||
# block .htaccess
|
||||
location ~ /\.ht {
|
||||
location /vendor {
|
||||
deny all;
|
||||
return 404;
|
||||
}
|
||||
|
||||
# block .htaccess, CHANGELOG.md, composer.json etc.
|
||||
# this is to prevent finding software versions
|
||||
location ~\.(ht|md|json|dist)$ {
|
||||
deny all;
|
||||
return 404;
|
||||
}
|
||||
|
||||
# block git files and folders
|
||||
|
||||
@@ -1265,7 +1265,7 @@ function getCustomPage($page, &$success)
|
||||
}
|
||||
|
||||
function escapeHtml($html) {
|
||||
return htmlentities($html, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
|
||||
return htmlspecialchars($html);
|
||||
}
|
||||
|
||||
function displayErrorBoxWithBackButton($errors, $action = null) {
|
||||
|
||||
36
system/libs/TwigTypeCastingExtension.php
Normal file
36
system/libs/TwigTypeCastingExtension.php
Normal file
@@ -0,0 +1,36 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace MyAAC\Twig\Extension;
|
||||
|
||||
use Twig\Extension\AbstractExtension;
|
||||
use Twig\TwigFilter;
|
||||
|
||||
final class TwigTypeCastingExtension extends AbstractExtension
|
||||
{
|
||||
/** @return array<int, TwigFilter> */
|
||||
public function getFilters(): array
|
||||
{
|
||||
return [
|
||||
new TwigFilter('int', function ($value) {
|
||||
return (int)$value;
|
||||
}),
|
||||
new TwigFilter('float', function ($value) {
|
||||
return (float)$value;
|
||||
}),
|
||||
new TwigFilter('string', function ($value) {
|
||||
return (string)$value;
|
||||
}),
|
||||
new TwigFilter('bool', function ($value) {
|
||||
return (bool)$value;
|
||||
}),
|
||||
new TwigFilter('array', function (object $value) {
|
||||
return (array)$value;
|
||||
}),
|
||||
new TwigFilter('object', function (array $value) {
|
||||
return (object)$value;
|
||||
}),
|
||||
];
|
||||
}
|
||||
}
|
||||
@@ -42,12 +42,6 @@ if(ACTION === 'logout' && !isset($_REQUEST['account_login'])) {
|
||||
|
||||
$logged = false;
|
||||
unset($account_logged);
|
||||
|
||||
if(isset($_REQUEST['redirect']))
|
||||
{
|
||||
header('Location: ' . urldecode($_REQUEST['redirect']));
|
||||
exit;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,18 +1,3 @@
|
||||
<?php
|
||||
|
||||
if(!$db->hasColumn(TABLE_PREFIX . 'monsters', 'elements')) {
|
||||
$db->exec("ALTER TABLE `" . TABLE_PREFIX . "monsters` ADD `elements` TEXT NOT NULL AFTER `immunities`;");
|
||||
$db->exec("ALTER TABLE `" . TABLE_PREFIX . "monsters` ADD `pushable` TINYINT(1) NOT NULL DEFAULT '0' AFTER `convinceable`;");
|
||||
$db->exec("ALTER TABLE `" . TABLE_PREFIX . "monsters` ADD `canpushitems` TINYINT(1) NOT NULL DEFAULT '0' AFTER `pushable`;");
|
||||
$db->exec("ALTER TABLE `" . TABLE_PREFIX . "monsters` ADD `canpushcreatures` TINYINT(1) NOT NULL DEFAULT '0' AFTER `canpushitems`;");
|
||||
$db->exec("ALTER TABLE `" . TABLE_PREFIX . "monsters` ADD `canwalkonenergy` TINYINT(1) NOT NULL DEFAULT '0' AFTER `canpushitems`;");
|
||||
$db->exec("ALTER TABLE `" . TABLE_PREFIX . "monsters` ADD `canwalkonpoison` TINYINT(1) NOT NULL DEFAULT '0' AFTER `canwalkonenergy`;");
|
||||
$db->exec("ALTER TABLE `" . TABLE_PREFIX . "monsters` ADD `canwalkonfire` TINYINT(1) NOT NULL DEFAULT '0' AFTER `canwalkonpoison`;");
|
||||
$db->exec("ALTER TABLE `" . TABLE_PREFIX . "monsters` ADD `runonhealth` TINYINT(1) NOT NULL DEFAULT '0' AFTER `canwalkonfire`;");
|
||||
$db->exec("ALTER TABLE `" . TABLE_PREFIX . "monsters` ADD `hostile` TINYINT(1) NOT NULL DEFAULT '0' AFTER `runonhealth`;");
|
||||
$db->exec("ALTER TABLE `" . TABLE_PREFIX . "monsters` ADD `attackable` TINYINT(1) NOT NULL DEFAULT '0' AFTER `hostile`;");
|
||||
$db->exec("ALTER TABLE `" . TABLE_PREFIX . "monsters` ADD `rewardboss` TINYINT(1) NOT NULL DEFAULT '0' AFTER `attackable`;");
|
||||
$db->exec("ALTER TABLE `" . TABLE_PREFIX . "monsters` ADD `defense` INT(11) NOT NULL DEFAULT '0' AFTER `rewardboss`;");
|
||||
$db->exec("ALTER TABLE `" . TABLE_PREFIX . "monsters` ADD `armor` INT(11) NOT NULL DEFAULT '0' AFTER `defense`;");
|
||||
$db->exec("ALTER TABLE `" . TABLE_PREFIX . "monsters` ADD `summons` TEXT NOT NULL AFTER `loot`;");
|
||||
}
|
||||
// removed, but kept for compatibility
|
||||
|
||||
@@ -11,19 +11,28 @@
|
||||
defined('MYAAC') or die('Direct access not allowed!');
|
||||
|
||||
$show_form = true;
|
||||
$new_rlname = isset($_POST['info_rlname']) ? htmlspecialchars(stripslashes($_POST['info_rlname'])) : NULL;
|
||||
$new_location = isset($_POST['info_location']) ? htmlspecialchars(stripslashes($_POST['info_location'])) : NULL;
|
||||
$new_country = isset($_POST['info_country']) ? htmlspecialchars(stripslashes($_POST['info_country'])) : NULL;
|
||||
$new_rlname = isset($_POST['info_rlname']) ? htmlspecialchars(stripslashes($_POST['info_rlname'])) : '';
|
||||
$new_location = isset($_POST['info_location']) ? htmlspecialchars(stripslashes($_POST['info_location'])) : '';
|
||||
$new_country = isset($_POST['info_country']) ? htmlspecialchars(stripslashes($_POST['info_country'])) : '';
|
||||
if(isset($_POST['changeinfosave']) && $_POST['changeinfosave'] == 1) {
|
||||
if(!isset($config['countries'][$new_country]))
|
||||
if(config('account_country') && !isset($config['countries'][$new_country])) {
|
||||
$errors[] = 'Country is not correct.';
|
||||
}
|
||||
|
||||
if(empty($errors)) {
|
||||
//save data from form
|
||||
$account_logged->setCustomField("rlname", $new_rlname);
|
||||
$account_logged->setCustomField("location", $new_location);
|
||||
$account_logged->setCustomField("country", $new_country);
|
||||
$account_logged->logAction('Changed Real Name to <b>' . $new_rlname . '</b>, Location to <b>' . $new_location . '</b> and Country to <b>' . $config['countries'][$new_country] . '</b>.');
|
||||
|
||||
$log = 'Changed Real Name to <b>' . $new_rlname . '</b>, Location to <b>' . $new_location . '</b>';
|
||||
if (config('account_country')) {
|
||||
$log .= ' and Country to <b>' . $config['countries'][$new_country] . '</b>';
|
||||
}
|
||||
$log .= '.';
|
||||
|
||||
$account_logged->logAction($log);
|
||||
|
||||
$twig->display('success.html.twig', array(
|
||||
'title' => 'Public Information Changed',
|
||||
'description' => 'Your public information has been changed.'
|
||||
|
||||
@@ -52,9 +52,16 @@ $errors = array();
|
||||
{
|
||||
$redirect = urldecode($_REQUEST['redirect']);
|
||||
|
||||
// should never happen, unless hacker modify the URL
|
||||
if (strpos($_REQUEST['redirect'], BASE_URL) === false) {
|
||||
error('Fatal error: Cannot redirect outside the website.');
|
||||
return;
|
||||
}
|
||||
|
||||
$twig->display('account.redirect.html.twig', array(
|
||||
'redirect' => $redirect
|
||||
));
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
|
||||
@@ -400,7 +400,7 @@ WHERE killers.death_id = '".$death['id']."' ORDER BY killers.final_hit DESC, kil
|
||||
'rank' => isset($guild_name) ? $rank_of_player->getName() : null,
|
||||
'link' => isset($guild_name) ? getGuildLink($guild_name) : null
|
||||
),
|
||||
'comment' => !empty($comment) ? wordwrap(nl2br($comment), 60, "<br/>", true) : null,
|
||||
'comment' => !empty($comment) ? nl2br($comment) : null,
|
||||
'skills' => isset($skills) ? $skills : null,
|
||||
'quests_enabled' => $quests_enabled,
|
||||
'quests' => isset($quests) ? $quests : null,
|
||||
|
||||
@@ -157,7 +157,7 @@ if (empty($_REQUEST['creature'])) {
|
||||
echo '</td></tr>';
|
||||
echo '</TABLE>';
|
||||
} else {
|
||||
echo "Monster with name <b>" . $monster_name . "</b> doesn't exist.";
|
||||
echo "Monster with name <b>" . htmlspecialchars($monster_name) . "</b> doesn't exist.";
|
||||
}
|
||||
|
||||
//back button
|
||||
|
||||
@@ -25,7 +25,7 @@ if(count($guilds_list) > 0)
|
||||
$description = $guild->getCustomField('description');
|
||||
$description_with_lines = str_replace(array("\r\n", "\n", "\r"), '<br />', $description, $count);
|
||||
if ($count < $config['guild_description_lines_limit'])
|
||||
$description = wordwrap(nl2br($description), 60, "<br />", true);
|
||||
$description = nl2br($description);
|
||||
|
||||
$guildName = $guild->getName();
|
||||
$guilds[] = array('name' => $guildName, 'logo' => $guild_logo, 'link' => getGuildLink($guildName, false), 'description' => $description);
|
||||
|
||||
@@ -83,7 +83,7 @@ if(empty($guild_logo) || !file_exists('images/guilds/' . $guild_logo))
|
||||
$description = $guild->getCustomField('description');
|
||||
$description_with_lines = str_replace(array("\r\n", "\n", "\r"), '<br />', $description, $count);
|
||||
if($count < $config['guild_description_lines_limit'])
|
||||
$description = wordwrap(nl2br($description), 60, "<br />", true);
|
||||
$description = nl2br($description);
|
||||
//$description = $description_with_lines;
|
||||
|
||||
$guild_owner = $guild->getOwner();
|
||||
|
||||
@@ -142,7 +142,7 @@
|
||||
{% set rows = rows + 1 %}
|
||||
<tr bgcolor="{{ getStyle(rows) }}">
|
||||
<td valign="top">Comment:</td>
|
||||
<td>{{ comment|raw }}</td>
|
||||
<td style="word-break: break-all">{{ comment|raw }}</td>
|
||||
</tr>
|
||||
{% endif %}
|
||||
|
||||
|
||||
@@ -44,7 +44,7 @@
|
||||
<img src="images/guilds/{{ guild.logo }}" width="64" height="64">
|
||||
</td>
|
||||
|
||||
<td>
|
||||
<td style="word-break: break-all">
|
||||
<span{% if guild.description is not empty %} valign="top"{% endif %}>
|
||||
<b>{{ guild.name }}</b>{% if isAdmin %}<a href="?subtopic=guilds&action=delete_by_admin&guild={{ guild.name }}"> - Delete this guild (for ADMIN only!)</a>{% endif %}
|
||||
</span>
|
||||
|
||||
@@ -47,7 +47,7 @@
|
||||
<table style="width:100%;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td>
|
||||
<td style="word-break: break-all">
|
||||
<div id="GuildInformationContainer">
|
||||
{% if description is not empty %}
|
||||
{{ description|raw }}
|
||||
|
||||
@@ -24,6 +24,9 @@ if($dev_mode) {
|
||||
}
|
||||
unset($dev_mode);
|
||||
|
||||
require LIBS . 'TwigTypeCastingExtension.php';
|
||||
$twig->addExtension(new MyAAC\Twig\Extension\TwigTypeCastingExtension());
|
||||
|
||||
$function = new TwigFunction('getStyle', function ($i) {
|
||||
return getStyle($i);
|
||||
});
|
||||
@@ -48,7 +51,14 @@ $function = new TwigFunction('hook', function ($context, $hook, array $params =
|
||||
global $hooks;
|
||||
|
||||
if(is_string($hook)) {
|
||||
$hook = constant($hook);
|
||||
if (defined($hook)) {
|
||||
$hook = constant($hook);
|
||||
}
|
||||
else {
|
||||
// plugin/template has a hook that this version of myaac does not support
|
||||
// just silently return
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
$params['context'] = $context;
|
||||
|
||||
Reference in New Issue
Block a user