EuskadiTech/Axia4
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Enhance security and input sanitization across multiple files

Browse Source 
- Added a new tools.security.php file containing functions for sanitizing filenames, paths, and user inputs to prevent directory traversal and XSS attacks.
- Updated various files to utilize the new sanitization functions (Sf, Si) for user inputs and file operations, ensuring safer handling of data.
- Improved HTML output safety by applying htmlspecialchars to user-generated content in pre-body.php, cal.php, and other relevant files.
- Refactored user authentication and data retrieval processes in tools.auth.php and _login.php to enhance security and maintainability.
- Ensured consistent use of sanitization functions in API endpoints and admin functionalities to mitigate potential security vulnerabilities.
This commit is contained in:
naielv
2026-02-18 23:22:58 +01:00
parent a6ebede883
commit 98f430188c
17 changed files with 214 additions and 117 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
public_html/_incl/pre-body.php
View File

@@ -641,8 +641,8 @@ if (!empty($displayName)) {
<?php } ?>
<?php if (isset($_GET["_result"])) { ?>
<div class="card pad"
style="padding: 10px; background-color: <?php echo $_GET["_resultcolor"] ?? 'lightgreen'; ?>; text-align: center;">
<h3><?php echo $_GET["_result"]; ?></h3>
style="padding: 10px; background-color: <?php echo Si($_GET["_resultcolor"] ?? 'lightgreen'); ?>; text-align: center;">
<h3><?php echo htmlspecialchars($_GET["_result"]); ?></h3>
</div>
<?php } ?>
<!-- <div class="card pad" style="padding: 15px; background: #ffcc00; color: #000;">

15
public_html/_incl/tools.auth.php
View File

@@ -1,5 +1,6 @@
<?php
require_once "tools.session.php";
require_once "tools.security.php";
if (!isset($AuthConfig)) {
$AuthConfig = json_decode(file_get_contents("/DATA/AuthConfig.json"), true);
}
@@ -7,7 +8,7 @@ $ua = $_SERVER['HTTP_USER_AGENT'];
if (str_starts_with($ua, "Axia4Auth/")) {
$username = explode("/", $ua)[1];
$userpass = explode("/", $ua)[2];
$userdata = json_decode(file_get_contents("/DATA/Usuarios/$username.json"), true);
$userdata = json_decode(file_get_contents("/DATA/Usuarios/" . Sf($username) . ".json"), true);
if (!$userdata) {
header("HTTP/1.1 403 Forbidden");
die();
@@ -29,7 +30,7 @@ if ($_SESSION["auth_ok"] != true && isset($_COOKIE["auth_user"]) && isset($_COOK
$username = $_COOKIE["auth_user"];
$userpass_b64 = $_COOKIE["auth_pass_b64"];
$userpass = base64_decode($userpass_b64);
$userdata = json_decode(file_get_contents("/DATA/Usuarios/$username.json"), true);
$userdata = json_decode(file_get_contents("/DATA/Usuarios/" . Sf($username) . ".json"), true);
if ($userdata && password_verify($userpass, $userdata["password_hash"])) {
$_SESSION["auth_user"] = $username;
$_SESSION["auth_data"] = $userdata;
@@ -41,7 +42,7 @@ if ($_SESSION["auth_ok"] != true && isset($_COOKIE["auth_user"]) && isset($_COOK
if (isset($_SESSION["auth_ok"]) && $_SESSION["auth_ok"] && isset($_SESSION["auth_user"])) {
if (isset($AuthConfig["session_load_mode"]) && $AuthConfig["session_load_mode"] === "force") {
$username = $_SESSION["auth_user"];
$userdata = json_decode(file_get_contents("/DATA/Usuarios/$username.json"), true);
$userdata = json_decode(file_get_contents("/DATA/Usuarios/" . Sf($username) . ".json"), true);
$_SESSION["auth_data"] = $userdata;
$_SESSION["last_reload_time"] = time();
} elseif (isset($AuthConfig["session_load_mode"]) && $AuthConfig["session_load_mode"] === "never") {
@@ -51,7 +52,7 @@ if (isset($_SESSION["auth_ok"]) && $_SESSION["auth_ok"] && isset($_SESSION["auth
$last_reload = $_SESSION["last_reload_time"];
if (time() - $last_reload > 300) {
$username = $_SESSION["auth_user"];
$userdata = json_decode(file_get_contents("/DATA/Usuarios/$username.json"), true);
$userdata = json_decode(file_get_contents("/DATA/Usuarios/" . Sf($username) . ".json"), true);
$_SESSION["auth_data"] = $userdata;
$_SESSION["last_reload_time"] = time();
}
@@ -62,9 +63,11 @@ if (isset($_SESSION["auth_ok"]) && $_SESSION["auth_ok"] && isset($_SESSION["auth
}
function user_is_authenticated() {
function user_is_authenticated()
{
return isset($_SESSION["auth_ok"]) && $_SESSION["auth_ok"] === true;
}
function user_has_permission($perm) {
function user_has_permission($perm)
{
return in_array($perm, $_SESSION["auth_data"]["permissions"] ?? []);
}

82
public_html/_incl/tools.security.php Normal file
View File

@@ -0,0 +1,82 @@
<?php
function Sf($filename) {
/**
* Sanitize a filename by removing any path information, null bytes, and replacing any characters that are not alphanumeric, dot, hyphen, or underscore with an underscore.
*
* This function is designed to prevent directory traversal attacks and ensure that the filename is safe to use in file operations.
*
* @param string $filename The input filename to sanitize.
* @return string The sanitized filename.
*/
// Remove any path information and null bytes
$filename = realpath($filename);
if ($filename === false) {
$filename = "";
}
$filename = str_replace("\0", "", $filename);
// Replace any characters that are not alphanumeric, dot, hyphen, or underscore with an underscore
$filename = preg_replace("/[^a-zA-Z0-9._-]/", "_", $filename);
return $filename;
}
function Sp($path) {
/**
* Sanitize a file path by removing any null bytes, normalizing directory separators, and preventing directory traversal.
*
* This function is designed to ensure that the file path is safe to use in file operations and does not allow for directory traversal attacks.
*
* @param string $path The input file path to sanitize.
* @return string The sanitized file path.
*/
// Remove any null bytes
$path = str_replace("\0", "", $path);
// Normalize directory separators
$path = str_replace(["/", "\\"], DIRECTORY_SEPARATOR, $path);
// Remove any instances of ".." to prevent directory traversal
$path = str_replace("..", "", $path);
// Remove any leading directory separators
$path = ltrim($path, DIRECTORY_SEPARATOR);
return $path;
}
function Si($input) {
/**
* Sanitize a string input by removing null bytes, trimming whitespace, and converting special characters to HTML entities.
*
* This function is designed to prevent XSS attacks and ensure that the input string is safe to use in HTML contexts.
*
* @param string $input The input string to sanitize.
* @return string The sanitized string.
*/
// Remove any null bytes
$input = str_replace("\0", "", $input);
// Trim whitespace from the beginning and end of the input
$input = trim($input);
// Convert special characters to HTML entities to prevent XSS
$input = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
return $input;
}
function Sb($input) {
/**
* Sanitize a boolean input by converting it to a boolean value.
*
* This function is designed to ensure that the input is treated as a boolean value, which can be useful for configuration settings or form inputs.
*
* @param mixed $input The input value to sanitize.
* @return bool The sanitized boolean value.
*/
if (is_bool($input)) {
return $input;
}
if (is_string($input)) {
$input = strtolower($input);
if (in_array($input, ["true", "1", "yes", "on"])) {
return true;
} elseif (in_array($input, ["false", "0", "no", "off"])) {
return false;
}
}
return (bool)$input;
}

9
public_html/_login.php
View File

@@ -1,12 +1,13 @@
<?php
session_start();
require_once "_incl/tools.session.php";
require_once "_incl/tools.security.php";
if (!isset($AuthConfig)) {
$AuthConfig = json_decode(file_get_contents("/DATA/AuthConfig.json"), true);
}
$DOMAIN = $_SERVER["HTTP_X_FORWARDED_HOST"] ?? $_SERVER["HTTP_HOST"];
if ($_GET["reload_user"] == "1") {
$user = str_replace("@", "__", $_SESSION["auth_user"]);
$userdata = json_decode(file_get_contents("/DATA/Usuarios/$user.json"), true);
$userdata = json_decode(file_get_contents("/DATA/Usuarios/" . Sf($user) . ".json"), true);
$_SESSION['auth_data'] = $userdata;
$redir = $_GET["redir"] ?? "/";
header("Location: $redir");
@@ -55,7 +56,7 @@ if ($_GET["google_callback"] == "1") {
$email = $user_info["email"];
$name = $user_info["name"] ?? explode("@", $email)[0];
$userfile = "/DATA/Usuarios/" . strtolower(str_replace("@", "__", $email)) . ".json";
$userfile = "/DATA/Usuarios/" . Sf(strtolower(str_replace("@", "__", $email))) . ".json";
$password = bin2hex(random_bytes(16)); // Generar una contraseña aleatoria para el usuario, aunque no se usará para iniciar sesión
if (file_exists($userfile)) {
$userdata = json_decode(file_get_contents($userfile), true);
@@ -123,7 +124,7 @@ if (isset($_POST["user"])) {
$valid = "";
$user = trim(strtolower($_POST["user"]));
$password = $_POST["password"];
$userdata = json_decode(file_get_contents("/DATA/Usuarios/$user.json"), true);
$userdata = json_decode(file_get_contents("/DATA/Usuarios/" . Sf($user) . ".json"), true);
if (!isset($userdata["password_hash"])) {
$_GET["_result"] = "El usuario no existe.";
}

18
public_html/club/cal.php
View File

@@ -1,6 +1,8 @@
<?php
require_once "../_incl/tools.session.php";
require_once "../_incl/tools.security.php";
ini_set("display_errors", 0);
$file = str_replace('/', '_', $_GET["f"]);
$file = Sf($_GET["f"]);
$date = implode("/", array_reverse(explode("-", $file)));
$val = json_decode(file_get_contents("/DATA/club/IMG/$file/data.json"), true);
@@ -15,10 +17,10 @@ require_once "../_incl/pre-body.php"; ?>
<h1><?php echo $date; ?> - <?php echo $val["title"] ?: "Por definir"; ?></h1>
<span>
<a href="/club/" class="btn btn-secondary">Volver a Inicio</a>
<a href="/club/edit_data.php?f=<?php echo $file; ?>" class="btn btn-secondary">Cambiar datos</a>
<a href="/club/upload/index.php?f=<?php echo $file; ?>" class="btn btn-primary">Subir fotos</a>
<a href="/club/edit_data.php?f=<?php echo htmlspecialchars($file); ?>" class="btn btn-secondary">Cambiar datos</a>
<a href="/club/upload/index.php?f=<?php echo htmlspecialchars($file); ?>" class="btn btn-primary">Subir fotos</a>
<?php if (isset($val["mapa"]["url"]) and $val["mapa"]["url"] != ""): ?>
<a class="btn btn-secondary" href="<?php echo $val["mapa"]["url"]; ?>" target="_blank">Abrir ruta interactiva</a>
<a class="btn btn-secondary" href="<?php echo htmlspecialchars($val["mapa"]["url"]); ?>" target="_blank">Abrir ruta interactiva</a>
<?php endif; ?>
</span>
@@ -44,14 +46,14 @@ require_once "../_incl/pre-body.php"; ?>
} ?>
<div style="width: 240px; display: inline-block; margin-bottom: 10px; border: 3px solid black; border-radius: 6.5px; box-sizing: content-box;"
class="grid-item">
<?php $dl_url = "foto_dl.php?f=$file/$pname/" . str_replace($persona, "", $foto); ?>
<?php $dl_url = "foto_dl.php?f=" . urlencode("$file/$pname/" . str_replace($persona, "", $foto)); ?>
<img class="stack" width="240px" loading="lazy" src="<?php echo $dl_url; ?>&thumbnail=1"
alt="Foto de <?php echo $pname . " - " . str_replace($persona, "", $foto); ?>">
alt="Foto de <?php echo htmlspecialchars($pname . " - " . str_replace($persona, "", $foto)); ?>">
<div style="padding: 5px; text-align: center;">
Subido por <?php echo $pname; ?><br>
Subido por <?php echo htmlspecialchars($pname); ?><br>
<a href="<?php echo $dl_url; ?>" target="_blank" class="btn btn-secondary">Abrir</a>
<a href="<?php echo $dl_url; ?>"
download="<?php echo "CLUB-NK5-$file-$pname-" . str_replace($persona, "", $foto); ?>"
download="<?php echo "CLUB-" . htmlspecialchars($file) . "-" . htmlspecialchars($pname) . "-" . htmlspecialchars(str_replace($persona, "", $foto)); ?>"
class="btn btn-secondary">Descargar</a>
</div>
</div>

2
public_html/club/edit_data.php
View File

@@ -1,6 +1,6 @@
<?php
ini_set("display_errors", 0);
$file = str_replace('/', '_', $_GET["f"]);
$file = Sf($_GET["f"]);
$date = implode("/", array_reverse(explode("-", $file)));
$val = json_decode(file_get_contents("/DATA/club/IMG/$file/data.json"), true);
$config = json_decode(file_get_contents("/DATA/club/config.json"), true);

10
public_html/club/upload/index.php
View File

@@ -2,21 +2,23 @@
$APP_CODE = "club";
$APP_NAME = "La web del Club<sup>3</sup>";
$APP_TITLE = "La web del Club";
require_once "../../_incl/pre-body.php"; ?>
require_once "../../_incl/pre-body.php";
require_once "../../_incl/tools.security.php";
?>
<div class="card pad">
<h1>Subir fotos</h1>
<form action="form.php" method="get">
<div class="mb-3">
<label for="n" class="form-label"><b>Tu nombre:</b></label>
<input required type="text" id="n" name="n" class="form-control" value="<?php echo $_GET["n"] ?: "";?>" placeholder="Nombre...">
<input required type="text" id="n" name="n" class="form-control" value="<?php echo htmlspecialchars($_GET["n"] ?? "");?>" placeholder="Nombre...">
</div>
<div class="mb-3">
<label for="f" class="form-label"><b>Fecha:</b></label>
<input required type="date" id="f" name="f" class="form-control" value="<?php echo $_GET["f"] ?: "";?>" placeholder="Fecha...">
<input required type="date" id="f" name="f" class="form-control" value="<?php echo htmlspecialchars($_GET["f"] ?? "");?>" placeholder="Fecha...">
</div>
<div class="mb-3">
<label for="p" class="form-label"><b>La contraseña:</b></label>
<input required type="text" id="p" name="p" class="form-control" value="" placeholder="Contraseña...">
<input required type="text" id="p" name="p" class="form-control" value="<?php echo htmlspecialchars($_GET["p"] ?? "");?>" placeholder="Contraseña...">
</div>
<button type="submit" class="btn btn-primary">Continuar...</button>
</form>

6
public_html/entreaulas/api/comedor.php
View File

@@ -1,6 +1,6 @@
<?php
header("Content-Type: application/json; charset=utf-8");
require_once __DIR__ . "/../_incl/tools.security.php";
require_once __DIR__ . "/../_incl/auth_redir.php";
// Check permissions
@@ -16,7 +16,7 @@ if ($centro_id === "") {
}
$action = $_GET["action"] ?? ($_POST["action"] ?? "");
$aulario_id = $_GET["aulario"] ?? $_POST["aulario"] ?? "";
$aulario_id = Sf($_GET["aulario"] ?? $_POST["aulario"] ?? "");
// Validate aulario_id
if ($aulario_id === "") {
@@ -41,7 +41,7 @@ if ($aulario && !empty($aulario["shared_comedor_from"])) {
$shared_from = $aulario["shared_comedor_from"];
$shared_aulario_path = "/DATA/entreaulas/Centros/$centro_id/Aularios/$shared_from.json";
if (file_exists($shared_aulario_path)) {
$source_aulario_id = $shared_from;
$source_aulario_id = Sf($shared_from);
$is_shared = true;
}
}

4
public_html/entreaulas/aulario.php
View File

@@ -1,7 +1,9 @@
<?php
require_once "_incl/auth_redir.php";
require_once "_incl/pre-body.php";
$aulario_id = $_GET["id"];
require_once "_incl/tools.security.php";
$aulario_id = Sf($_GET["id"]);
$centro_id = $_SESSION["auth_data"]["entreaulas"]["centro"];
$aulario = json_decode(file_get_contents("/DATA/entreaulas/Centros/$centro_id/Aularios/$aulario_id.json"), true);
?>

4
public_html/entreaulas/comedor.php
View File

@@ -5,7 +5,7 @@ if (in_array("entreaulas:docente", $_SESSION["auth_data"]["permissions"] ?? [])
die("Access denied");
}
$aulario_id = $_GET["aulario"] ?? "";
$aulario_id = Sf($_GET["aulario"] ?? "");
$centro_id = $_SESSION["auth_data"]["entreaulas"]["centro"] ?? "";
if ($aulario_id === "" || $centro_id === "") {
@@ -30,7 +30,7 @@ if ($aulario && !empty($aulario["shared_comedor_from"])) {
$shared_from = $aulario["shared_comedor_from"];
$shared_aulario_path = "/DATA/entreaulas/Centros/$centro_id/Aularios/$shared_from.json";
if (file_exists($shared_aulario_path)) {
$source_aulario_id = $shared_from;
$source_aulario_id = Sf($shared_from);
$source_aulario_name = file_exists($shared_aulario_path) ? json_decode(file_get_contents($shared_aulario_path), true)["name"] ?? $shared_from : $shared_from;
$is_shared = true;
}

11
public_html/entreaulas/diario.php
View File

@@ -1,5 +1,6 @@
<?php
require_once "_incl/auth_redir.php";
require_once "_incl/tools.security.php";
// Check if user has docente permission
if (!in_array("entreaulas:docente", $_SESSION["auth_data"]["permissions"] ?? [])) {
@@ -7,9 +8,9 @@ if (!in_array("entreaulas:docente", $_SESSION["auth_data"]["permissions"] ?? [])
die("Acceso denegado");
}
$aulario_id = $_GET["aulario"] ?? "";
$centro_id = $_SESSION["auth_data"]["entreaulas"]["centro"] ?? "";
$alumno = $_GET["alumno"] ?? "";
$aulario_id = Sf($_GET["aulario"] ?? "");
$centro_id = Sf($_SESSION["auth_data"]["entreaulas"]["centro"] ?? "");
$alumno = Sf($_GET["alumno"] ?? "");
if (empty($aulario_id) || empty($centro_id)) {
require_once "_incl/pre-body.php";
@@ -213,8 +214,8 @@ require_once "_incl/pre-body.php";
<?php
// Show specific diary entry if requested
$type = $_GET["type"] ?? "Panel";
$date = $_GET["date"] ?? date("Y-m-d");
$type = Sf($_GET["type"] ?? "");
$date = Sf($_GET["date"] ?? date("Y-m-d"));
if (!empty($type) && !empty($date)) {
$date = preg_replace('/[^0-9-]/', '', $date); // Sanitize date

5
public_html/entreaulas/paneldiario.php
View File

@@ -1,5 +1,6 @@
<?php
require_once "_incl/auth_redir.php";
require_once "_incl/tools.security.php";
ini_set("display_errors", "0");
// Funciones auxiliares para el diario
function getDiarioPath($alumno, $centro_id, $aulario_id) {
@@ -749,7 +750,7 @@ switch ($_GET["action"]) {
break;
case "menu":
// Menú del comedor (nuevo sistema, vista simplificada)
$aulario_id = $_GET["aulario"] ?? "";
$aulario_id = Sf($_GET["aulario"] ?? '');
$centro_id = $_SESSION["auth_data"]["entreaulas"]["centro"] ?? "";
$source_aulario_id = $aulario_id;
@@ -758,7 +759,7 @@ switch ($_GET["action"]) {
$aulario_path = "/DATA/entreaulas/Centros/$centro_id/Aularios/$aulario_id.json";
$aulario = file_exists($aulario_path) ? json_decode(file_get_contents($aulario_path), true) : null;
if ($aulario && !empty($aulario["shared_comedor_from"])) {
$shared_from = $aulario["shared_comedor_from"];
$shared_from = Sf($aulario["shared_comedor_from"]);
$shared_aulario_path = "/DATA/entreaulas/Centros/$centro_id/Aularios/$shared_from.json";
if (file_exists($shared_aulario_path)) {
$source_aulario_id = $shared_from;

89
public_html/entreaulas/proyectos.php
View File

@@ -1,12 +1,13 @@
<?php
require_once "_incl/auth_redir.php";
require_once "_incl/tools.security.php";
if (in_array("entreaulas:docente", $_SESSION["auth_data"]["permissions"] ?? []) === false) {
header("HTTP/1.1 403 Forbidden");
die("Access denied");
}
$aulario_id = $_GET["aulario"] ?? "";
$aulario_id = Sf($_GET["aulario"] ?? "");
$centro_id = $_SESSION["auth_data"]["entreaulas"]["centro"] ?? "";
if ($aulario_id === "" || $centro_id === "") {
@@ -406,8 +407,8 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
}
if ($action === "share_project") {
$project_id = $_POST["project_id"] ?? "";
$target_aulario = $_POST["target_aulario"] ?? "";
$project_id = Sf($_POST["project_id"] ?? "");
$target_aulario = Sf($_POST["target_aulario"] ?? "");
if ($project_id !== "" && $target_aulario !== "" && $target_aulario !== $aulario_id) {
// Only allow sharing local projects
@@ -457,7 +458,7 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
if (in_array("entreaulas:proyectos:delete", $_SESSION["auth_data"]["permissions"] ?? []) === false) {
$error = "No tienes permisos para borrar proyectos.";
} else {
$project_id = $_POST["project_id"] ?? "";
$project_id = Sf($_POST["project_id"] ?? "");
if ($project_id !== "") {
$project = load_project($proyectos_dir, $project_id);
$project_dir = find_project_path($proyectos_dir, $project_id);
@@ -483,7 +484,7 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
}
if ($action === "edit_project") {
$project_id = $_POST["project_id"] ?? "";
$project_id = Sf($_POST["project_id"] ?? "");
$name = trim($_POST["name"] ?? "");
$description = sanitize_html($_POST["description"] ?? "");
@@ -504,15 +505,15 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
}
if ($action === "add_item") {
$project_id = $_POST["project_id"] ?? "";
$item_type = $_POST["item_type"] ?? "link";
$item_name = trim($_POST["item_name"] ?? "");
$item_url = trim($_POST["item_url"] ?? "");
$item_content = sanitize_html($_POST["item_content"] ?? "");
$videocall_platform = $_POST["videocall_platform"] ?? "jitsi";
$videocall_room = trim($_POST["videocall_room"] ?? "");
$videocall_url = trim($_POST["videocall_url"] ?? "");
$source_aulario_param = $_POST["source_aulario"] ?? "";
$project_id = Sf($_POST["project_id"] ?? "");
$item_type = Sf($_POST["item_type"] ?? "link");
$item_name = trim(Sf($_POST["item_name"] ?? ""));
$item_url = trim(Sf($_POST["item_url"] ?? ""));
$item_content = sanitize_html(Sf($_POST["item_content"] ?? ""));
$videocall_platform = Sf($_POST["videocall_platform"] ?? "jitsi");
$videocall_room = trim(Sf($_POST["videocall_room"] ?? ""));
$videocall_url = trim(Sf($_POST["videocall_url"] ?? ""));
$source_aulario_param = Sf($_POST["source_aulario"] ?? "");
// Determine which directory to use and permission level
$working_dir = $proyectos_dir;
@@ -524,10 +525,10 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
// Validate the link
$linked_projects = $aulario["linked_projects"] ?? [];
foreach ($linked_projects as $link) {
if (($link["source_aulario"] ?? "") === $source_aulario_param &&
($link["project_id"] ?? "") === $project_id
if ((Sf($link["source_aulario"] ?? "") === $source_aulario_param) &&
(Sf($link["project_id"] ?? "") === $project_id)
) {
$permission = $link["permission"] ?? "read_only";
$permission = Sf($link["permission"] ?? "read_only");
if ($permission === "full_edit") {
$working_dir = $proyectos_dir;
} elseif ($permission === "request_edit") {
@@ -722,8 +723,8 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
}
if ($action === "approve_change" || $action === "reject_change") {
$change_id = $_POST["change_id"] ?? "";
$project_id = $_POST["project_id"] ?? "";
$change_id = Sf($_POST["change_id"] ?? "");
$project_id = Sf($_POST["project_id"] ?? "");
if (!empty($change_id) && !empty($project_id)) {
$project_dir = find_project_path($proyectos_dir, $project_id);
@@ -786,15 +787,15 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
}
if (in_array(($item["type"] ?? ""), ["file", "pdf_secure"], true) && !empty($change_data["pending_filename"])) {
$pending_file = "$pending_dir/" . $change_data["pending_filename"];
$target_file = "$project_dir/" . $change_data["pending_filename"];
$pending_file = "$pending_dir/" . Sf($change_data["pending_filename"]);
$target_file = "$project_dir/" . Sf($change_data["pending_filename"]);
if (file_exists($pending_file)) {
if (!is_dir($project_dir)) {
mkdir($project_dir, 0755, true);
}
rename($pending_file, $target_file);
if (!empty($item["filename"])) {
$old_path = "$project_dir/" . $item["filename"];
$old_path = "$project_dir/" . Sf($item["filename"]);
if (file_exists($old_path)) {
unlink($old_path);
if (file_exists($old_path . ".eadat")) {
@@ -802,8 +803,8 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
}
}
}
$item["filename"] = $change_data["pending_filename"];
$item["original_name"] = $change_data["original_filename"] ?? $change_data["pending_filename"];
$item["filename"] = Sf($change_data["pending_filename"]);
$item["original_name"] = Sf($change_data["original_filename"] ?? $change_data["pending_filename"]);
$file_meta = [
"id" => $item_id,
@@ -851,21 +852,21 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
$item["room"] = $change_data["item_room"] ?? "";
} elseif (in_array($change_data["item_type"], ["file", "pdf_secure"], true) && !empty($change_data["pending_filename"])) {
// Move file from pending to project directory
$pending_file = "$pending_dir/" . $change_data["pending_filename"];
$target_file = "$project_dir/" . $change_data["pending_filename"];
$pending_file = "$pending_dir/" . Sf($change_data["pending_filename"]);
$target_file = "$project_dir/" . Sf($change_data["pending_filename"]);
if (file_exists($pending_file)) {
if (!is_dir($project_dir)) {
mkdir($project_dir, 0755, true);
}
rename($pending_file, $target_file);
$item["filename"] = $change_data["pending_filename"];
$item["original_name"] = $change_data["original_filename"] ?? $change_data["pending_filename"];
$item["filename"] = Sf($change_data["pending_filename"]);
$item["original_name"] = Sf($change_data["original_filename"] ?? $change_data["pending_filename"]);
$file_meta = [
"id" => $item_id,
"name" => $change_data["item_name"],
"type" => $change_data["item_type"],
"name" => Sf($change_data["item_name"]),
"type" => Sf($change_data["item_type"]),
"original_name" => $item["original_name"],
"created_at" => $item["created_at"]
];
@@ -886,7 +887,7 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
} else {
// Reject - just delete pending file if exists
if (!empty($change_data["pending_filename"])) {
$pending_file = "$pending_dir/" . $change_data["pending_filename"];
$pending_file = "$pending_dir/" . Sf($change_data["pending_filename"]);
if (file_exists($pending_file)) {
unlink($pending_file);
}
@@ -901,9 +902,9 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
}
if ($action === "delete_item") {
$project_id = $_POST["project_id"] ?? "";
$item_id = $_POST["item_id"] ?? "";
$source_aulario_param = $_POST["source_aulario"] ?? "";
$project_id = Sf($_POST["project_id"] ?? "");
$item_id = Sf($_POST["item_id"] ?? "");
$source_aulario_param = Sf($_POST["source_aulario"] ?? "");
// Determine which directory to use based on whether this is a linked project
$working_dir = $proyectos_dir;
@@ -1010,15 +1011,15 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
}
if ($action === "edit_item") {
$project_id = $_POST["project_id"] ?? "";
$item_id = $_POST["item_id"] ?? "";
$item_name = trim($_POST["item_name"] ?? "");
$item_url = trim($_POST["item_url"] ?? "");
$item_content = sanitize_html($_POST["item_content"] ?? "");
$videocall_platform = $_POST["edit_videocall_platform"] ?? "jitsi";
$videocall_room = trim($_POST["edit_videocall_room"] ?? "");
$videocall_url = trim($_POST["edit_videocall_url"] ?? "");
$source_aulario_param = $_POST["source_aulario"] ?? "";
$project_id = Sf($_POST["project_id"] ?? "");
$item_id = Sf($_POST["item_id"] ?? "");
$item_name = Sf(trim($_POST["item_name"] ?? ""));
$item_url = Sf(trim($_POST["item_url"] ?? ""));
$item_content = Sf(sanitize_html($_POST["item_content"] ?? ""));
$videocall_platform = Sf($_POST["edit_videocall_platform"] ?? "jitsi");
$videocall_room = Sf(trim($_POST["edit_videocall_room"] ?? ""));
$videocall_url = Sf(trim($_POST["edit_videocall_url"] ?? ""));
$source_aulario_param = Sf($_POST["source_aulario"] ?? "");
$working_dir = $proyectos_dir;
$permission = "full_edit";

35
public_html/sysadmin/aularios.php
View File

@@ -1,9 +1,10 @@
<?php
require_once "_incl/auth_redir.php";
require_once "_incl/tools.security.php";
switch ($_GET["form"]) {
case "delete":
$aulario_id = $_POST["aulario_id"];
$centro_id = $_POST["centro_id"];
$aulario_id = Sf($_POST["aulario_id"] ?? "");
$centro_id = Sf($_POST["centro_id"] ?? "");
$aulario_file = "/DATA/entreaulas/Centros/$centro_id/Aularios/$aulario_id.json";
if (!file_exists($aulario_file)) {
die("Aulario no encontrado.");
@@ -34,14 +35,14 @@ switch ($_GET["form"]) {
break;
case "create":
$user_data = $_SESSION["auth_data"];
$centro_id = $_POST["centro"];
$centro_id = Sf($_POST["centro"] ?? "");
if (empty($centro_id) || !is_dir("/DATA/entreaulas/Centros/$centro_id")) {
die("Centro no válido.");
}
$aulario_id = strtolower(preg_replace("/[^a-zA-Z0-9_-]/", "_", $_POST["name"]));
$aulario_id = strtolower(preg_replace("/[^a-zA-Z0-9_-]/", "_", Sf($_POST["name"] ?? "")));
$aulario_data = [
"name" => $_POST["name"],
"icon" => $_POST["icon"] ?? "/static/logo-entreaulas.png"
"name" => Sf($_POST["name"] ?? ""),
"icon" => Sf($_POST["icon"] ?? "/static/logo-entreaulas.png")
];
// Make path recursive (mkdir -p equivalent)
@mkdir("/DATA/entreaulas/Centros/$centro_id/Aularios/", 0777, true);
@@ -53,18 +54,18 @@ switch ($_GET["form"]) {
exit();
break;
case "save_edit":
$aulario_id = $_POST["aulario_id"];
$centro_id = $_POST["centro_id"];
$aulario_id = Sf($_POST["aulario_id"] ?? "");
$centro_id = Sf($_POST["centro_id"] ?? "");
$aulario_file = "/DATA/entreaulas/Centros/$centro_id/Aularios/$aulario_id.json";
if (!file_exists($aulario_file)) {
die("Aulario no encontrado.");
}
$aulario_data = json_decode(file_get_contents($aulario_file), true);
$aulario_data["name"] = $_POST["name"];
$aulario_data["icon"] = $_POST["icon"];
$aulario_data["name"] = Sf($_POST["name"] ?? "");
$aulario_data["icon"] = Sf($_POST["icon"] ?? "/static/logo-entreaulas.png");
// Handle shared comedor configuration
$share_comedor_from = $_POST["share_comedor_from"] ?? "";
$share_comedor_from = Sf($_POST["share_comedor_from"] ?? "");
if (!empty($share_comedor_from) && $share_comedor_from !== "none") {
$aulario_data["shared_comedor_from"] = $share_comedor_from;
@@ -74,9 +75,9 @@ switch ($_GET["form"]) {
// Handle linked projects configuration
$linked_projects = [];
$linked_aularios = $_POST["linked_aulario"] ?? [];
$linked_project_ids = $_POST["linked_project_id"] ?? [];
$linked_permissions = $_POST["linked_permission"] ?? [];
$linked_aularios = Sf($_POST["linked_aulario"] ?? []);
$linked_project_ids = Sf($_POST["linked_project_id"] ?? []);
$linked_permissions = Sf($_POST["linked_permission"] ?? []);
for ($i = 0; $i < count($linked_aularios); $i++) {
if (!empty($linked_aularios[$i]) && !empty($linked_project_ids[$i])) {
@@ -140,8 +141,8 @@ switch ($_GET["action"]) {
<?php
break;
case "edit":
$aulario_id = $_GET["aulario"];
$centro_id = $_GET["centro"];
$aulario_id = Sf($_GET["aulario"] ?? "");
$centro_id = Sf($_GET["centro"] ?? "");
$aulario_file = "/DATA/entreaulas/Centros/$centro_id/Aularios/$aulario_id.json";
if (!file_exists($aulario_file)) {
die("Aulario no encontrado.");
@@ -384,7 +385,7 @@ switch ($_GET["action"]) {
<tbody>
<?php
$user_data = $_SESSION["auth_data"];
$centro_filter = $_GET['centro'] ?? "*";
$centro_filter = Sf($_GET['centro'] ?? "*");
$aulas_filelist = glob("/DATA/entreaulas/Centros/$centro_filter/Aularios/*.json");
foreach ($aulas_filelist as $aula_file) {
$aula_data = json_decode(file_get_contents($aula_file), true);

25
public_html/sysadmin/centros.php
View File

@@ -1,8 +1,9 @@
<?php
require_once "_incl/auth_redir.php";
require_once "_incl/tools.security.php";
switch ($_GET["form"]) {
case "create":
$centro_id = $_POST["name"];
$centro_id = Sf($_POST["name"] ?? "");
if (empty($centro_id)) {
die("Nombre del centro no proporcionado.");
}
@@ -19,12 +20,12 @@ switch ($_GET["form"]) {
ini_set("display_errors", 1);
ini_set('upload_max_filesize', '256M');
ini_set('post_max_size', '256M');
$centro_id = $_GET['centro'] ?? '';
$centro_id = Sf($_GET['centro'] ?? '');
$centro_path = "/DATA/entreaulas/Centros/$centro_id";
if (!is_dir($centro_path)) {
die("Centro no válido.");
}
$activity_name = $_POST["name"] ?? '';
$activity_name = Sf($_POST["name"] ?? '');
if (empty($activity_name)) {
die("Nombre de la actividad no proporcionado.");
}
@@ -47,8 +48,8 @@ switch ($_GET["form"]) {
ini_set("display_errors", 1);
ini_set('upload_max_filesize', '256M');
ini_set('post_max_size', '256M');
$centro_id = $_GET['centro'] ?? '';
$activity_name = $_GET['activity'] ?? '';
$centro_id = Sf($_GET['centro'] ?? '');
$activity_name = Sf($_GET['activity'] ?? '');
$activity_path = "/DATA/entreaulas/Centros/$centro_id/Panel/Actividades/$activity_name";
if (!is_dir($activity_path)) {
die("Actividad no válida.");
@@ -58,8 +59,8 @@ switch ($_GET["form"]) {
$photo_path = "$activity_path/photo.jpg";
move_uploaded_file($activity_photo["tmp_name"], $photo_path);
}
if ($_POST['nombre'] != $_GET['activity']) {
$new_activity_name = $_POST['nombre'];
if (Sf($_POST['nombre'] ?? '') != $activity_name) {
$new_activity_name = Sf($_POST['nombre'] ?? '');
$new_activity_path = "/DATA/entreaulas/Centros/$centro_id/Panel/Actividades/$new_activity_name";
if (is_dir($new_activity_path)) {
die("Ya existe una actividad con ese nombre.");
@@ -74,8 +75,8 @@ switch ($_GET["form"]) {
require_once "_incl/pre-body.php";
switch ($_GET["action"]) {
case "edit_activity":
$centro_id = $_GET['centro'] ?? '';
$activity_name = $_GET['activity'] ?? '';
$centro_id = Sf($_GET['centro'] ?? '');
$activity_name = Sf($_GET['activity'] ?? '');
$activity_path = "/DATA/entreaulas/Centros/$centro_id/Panel/Actividades/$activity_name";
if (!is_dir($activity_path)) {
die("Actividad no válida.");
@@ -111,7 +112,7 @@ switch ($_GET["action"]) {
<?php
break;
case "new_activity":
$centro_id = $_GET['centro'] ?? '';
$centro_id = Sf($_GET['centro'] ?? '');
$centro_path = "/DATA/entreaulas/Centros/$centro_id";
if (!is_dir($centro_path)) {
die("Centro no válido.");
@@ -159,7 +160,7 @@ switch ($_GET["action"]) {
<?php
break;
case "edit":
$centro_id = $_GET['centro'] ?? '';
$centro_id = Sf($_GET['centro'] ?? '');
$centro_path = "/DATA/entreaulas/Centros/$centro_id";
if (!is_dir($centro_path)) {
die("Centro no válido.");
@@ -221,7 +222,7 @@ switch ($_GET["action"]) {
foreach ($activities as $activity_path) {
$activity_name = basename($activity_path);
$image_path = "/DATA/entreaulas/Centros/$centro_id/Panel/Actividades/" . basename($activity_name) . "/photo.jpg";
$image_fetchpath = file_exists($image_path) ? "/entreaulas/_filefetch.php?type=panel_actividades&centro=" . urlencode($centro_id) . "&activity=" . urlencode(basename($activity_name)) : '/static/logo-entreaulas.png';
$image_fetchpath = file_exists($image_path) ? "/entreaulas/_filefetch.php?type=panel_actividades&centro=" . urlencode($centro_id) . "&activity=" . urlencode($activity_name) : '/static/logo-entreaulas.png';
echo '<tr>';
echo '<td><img src="' . htmlspecialchars($image_fetchpath) . '" alt="Foto" style="height: 50px;"></td>';
echo '<td>' . htmlspecialchars($activity_name) . '</td>';

4
public_html/sysadmin/reset_password.php
View File

@@ -1,9 +1,9 @@
<?php
require_once "_incl/auth_redir.php";
require_once "_incl/tools.security.php";
switch ($_GET['form'] ?? '') {
case 'save_password':
$username = $_POST['username'] ?? '';
$username = Sf($_POST['username'] ?? '');
$new_password = $_POST['new_password'] ?? '';
$confirm_password = $_POST['confirm_password'] ?? '';

6
public_html/sysadmin/users.php
View File

@@ -1,9 +1,9 @@
<?php
require_once "_incl/auth_redir.php";
require_once "_incl/tools.security.php";
switch ($_GET['form'] ?? '') {
case 'save_edit':
$username = $_POST['username'] ?? '';
$username = Sf($_POST['username'] ?? '');
if (empty($username)) {
die("Nombre de usuario no proporcionado.");
}
@@ -104,7 +104,7 @@ switch ($_GET['action'] ?? '') {
break;
case 'edit':
require_once "_incl/pre-body.php";
$username = $_GET['user'] ?? '';
$username = Sf($_GET['user'] ?? '');
$userdata = json_decode(file_get_contents("/DATA/Usuarios/$username.json"), true);
?>
<form method="post" action="?form=save_edit">