diff --git a/.gitignore b/.gitignore index 3151a19..f9acfcb 100644 --- a/.gitignore +++ b/.gitignore @@ -4,3 +4,4 @@ virtual.db checkupdate conf.php test* +var/database.sdb diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..76a1a7c --- /dev/null +++ b/CHANGELOG.md @@ -0,0 +1,48 @@ +## 1.1 (future) + + - support postfix-mysql (not plain text virtual file) + - admin panel page with statistic + - add second table in database (for domain/checkupdate/intervale cron) + - send email for advertisement action ? + +## 1.0 (2013-10-02) + +Features: + + - add database with PDO (remove plain text) + support mysql, sqlite, postgresql... + - add multi-domain support + - add memory email (with cookies) + - add life for alias (optional) + - add comment for alias (optional) + - add template for example + - add javascript in form (noscript compatible) + - add cron for expir life email + - add maintenance mode + - add basic form anti-spam + - add disable/enable alias function + - pass UTF-8 encode + +## 0.3 (2013-08-08) (without database) + + - add blacklist.txt regex + - add function "alias list" + - add shell statistique script + - add readme + +## 0.2 (2012-08-05) + +Features: + + - add aliasdeny.txt regex + - migrate to Net_DNS2 + - check email exist with DNS (check MX) + +Bugfixes: + + - fixe http://forge.zici.fr/p/emailpoubelle-php/issues/4/ + +## 0.1b (2012-03-20) + + - start project + diff --git a/bin/migrate-0.3-1.0.php b/bin/migrate-0.3-1.0.php index fd0dd39..a3bdaef 100644 --- a/bin/migrate-0.3-1.0.php +++ b/bin/migrate-0.3-1.0.php @@ -1,6 +1,8 @@ #!/usr/bin/php prepare("SELECT alias, email @@ -39,7 +41,7 @@ function UpdateVirtualDB() { // add new alias -function AjouterAlias($status, $alias,$email, $life, $comment) { +function AjouterAlias_migrateTo10($status, $alias,$email, $life, $comment) { global $dbco; $dateCreat=date('Y-m-d H:i:s', 0); $dateExpir=NULL; @@ -67,12 +69,12 @@ while (!feof($handle)) { $bufferExplode = explode(' ', $buffer); if (!preg_match('/^(#|$|;)/', $buffer)) { echo $bufferExplode[0].' -> '.$bufferExplode[1]."\n"; - AjouterAlias(5, trim($bufferExplode[0]), trim($bufferExplode[1]), null, null); + AjouterAlias_migrateTo10(5, trim($bufferExplode[0]), trim($bufferExplode[1]), null, null); } } } fclose($handle); -UpdateVirtualDB(); +UpdateVirtualDB_migrateTo10(); ?> diff --git a/emailPoubelle.php b/emailPoubelle.php index c3da098..b577b36 100644 --- a/emailPoubelle.php +++ b/emailPoubelle.php @@ -65,15 +65,26 @@ try { } // Create DB if not exists try { -// status : 0=not verified - 3=disable - 5=active -$create = $dbco->query("CREATE TABLE IF NOT EXISTS ".DBTABLEPREFIX."alias ( - id INTEGER PRIMARY KEY AUTO_INCREMENT, - status INTEGER(1) NOT NULL, - alias CHAR(150) NOT NULL UNIQUE, - email CHAR(150) NOT NULL, - dateCreat DATETIME NOT NULL, - dateExpir DATETIME, - comment TEXT);"); + // status : 0=not verified - 3=disable - 5=active + if (preg_match('/^sqlite/', DB)) { + $create = $dbco->query("CREATE TABLE IF NOT EXISTS ".DBTABLEPREFIX."alias ( + id INTEGER PRIMARY KEY, + status INTEGER(1) NOT NULL, + alias CHAR(150) NOT NULL UNIQUE, + email CHAR(150) NOT NULL, + dateCreat DATETIME NOT NULL, + dateExpir DATETIME, + comment TEXT);"); + } else { + $create = $dbco->query("CREATE TABLE IF NOT EXISTS ".DBTABLEPREFIX."alias ( + id INTEGER PRIMARY KEY AUTO_INCREMENT, + status INTEGER(1) NOT NULL, + alias CHAR(150) NOT NULL UNIQUE, + email CHAR(150) NOT NULL, + dateCreat DATETIME NOT NULL, + dateExpir DATETIME, + comment TEXT);"); + } } catch ( PDOException $e ) { echo '
Erreur à l\'initialisation des tables. Merci de contacter l\'administrateur '; if (DEBUG) { $e->getMessage(); } @@ -85,12 +96,11 @@ $create = $dbco->query("CREATE TABLE IF NOT EXISTS ".DBTABLEPREFIX."alias ( // Start program ////////////////// -// get process act +// get process "act" (action) $action = isset($_GET['act']) ? $_GET['act'] : ''; switch ($action) { case "validemail" : $get_value = urlUnGen($_GET['value']); - echo $dbco->query("SELECT COUNT(*) FROM ".DBTABLEPREFIX."alias WHERE id = '".$get_value['id']."' AND status = 0")->fetchColumn(); if ($dbco->query("SELECT COUNT(*) FROM ".DBTABLEPREFIX."alias WHERE id = '".$get_value['id']."' AND status = 0")->fetchColumn() != 0) { UpdateStatusAlias($get_value['id'], $get_value['alias_full'], 5); echo '
Votre email poubelle '.$get_value['alias_full'].' est maintenant actif
'; @@ -123,7 +133,7 @@ switch ($action) { if (isset($_POST['username']) && $_POST['username'] != '') { // minimal anti-spam echo 'Hello you'; } else if (isset($_POST['list'])) { - $email=strtolower($_POST['email']); + $email=strtolower(StripCleanToHtml($_POST['email'])); if (! filter_var($email, FILTER_VALIDATE_EMAIL)) { echo '
Erreur : Adresse email incorrect
'; } else if (! VerifMXemail($email)) { @@ -134,11 +144,11 @@ if (isset($_POST['username']) && $_POST['username'] != '') { // minimal anti-spa echo '
Erreur : aucun email actif connu
'; } } else if (isset($_POST['email']) && isset($_POST['alias'])) { - $alias=strtolower($_POST['alias']); - $email=strtolower($_POST['email']); - $domain=$_POST['domain']; + $alias=strtolower(StripCleanToHtml($_POST['alias'])); + $email=strtolower(StripCleanToHtml($_POST['email'])); + $domain=StripCleanToHtml($_POST['domain']); $life=$_POST['life']; - $comment=$_POST['comment']; + $comment=StripCleanToHtml($_POST['comment']); $alias_full=$alias.'@'.$domain; // Check form if (! filter_var($email, FILTER_VALIDATE_EMAIL)) { @@ -167,8 +177,9 @@ if (isset($_POST['username']) && $_POST['username'] != '') { // minimal anti-spa $message= $alias_full.' => '.$email."\n"; $message= "Cliquer sur le lien ci-dessous pour confirmer : \n"; $message.= "\t * ".urlGen('validemail',$lastId,$alias_full)."\n"; + $message.= "\n"; $message.= "Pour supprimer cet email poubelle vous pouvez vous rendre sur le lien ci-dessou : \n"; - $message.= "\t * ".urlGen('del',$lastId,$alias_full)."\n"; + $message.= "\t * ".urlGen('delete',$lastId,$alias_full)."\n"; $message.= "\n"; $message.= "Après confirmation, vous pourez suspendre temporairement cet email poubelle vous pouvez vous rendre sur le lien ci-dessou : \n"; $message.= "\t * ".urlGen('disable',$lastId,$alias_full)."\n"; @@ -182,7 +193,7 @@ if (isset($_POST['username']) && $_POST['username'] != '') { // minimal anti-spa $message= "Confirmation de la création de votre redirection email poubelle : "; $message= $alias_full.' => '.$email."\n"; $message= "Cliquer sur le lien ci-dessous pour confirmer la suppression : \n"; - $message.= "\t * ".urlGen('del',$id,$alias_full)."\n\n"; + $message.= "\t * ".urlGen('delete',$id,$alias_full)."\n\n"; $message.= "Sinon pour suspendre temporairement cet email poubelle vous pouvez vous rendre sur le lien ci-dessou : \n"; $message.= "\t * ".urlGen('disable',$id,$alias_full)."\n"; SendEmail($email,'Suppression de l\'alias '.$alias,$message); @@ -200,7 +211,7 @@ if (isset($_POST['username']) && $_POST['username'] != '') { // minimal anti-spa // memory email if (isset($_POST['memory'])) { - setcookie ("email", $email, time() + 31536000); + setcookie ("email", StripCleanToHtml($email), time() + 31536000); } else if (isset($_COOKIE['email'])) { unset($_COOKIE['email']); } @@ -364,3 +375,15 @@ if (!CRON) { LifeExpire(); } echo CheckUpdate(); } // end maintenance mod ?> + + + + + + + + + + + + diff --git a/lib/ep_admin.php b/lib/ep_admin.php deleted file mode 100644 index acb6c35..0000000 --- a/lib/ep_admin.php +++ /dev/null @@ -1,2 +0,0 @@ - diff --git a/lib/ep_function.php b/lib/ep_function.php index caa2d92..adeb7fa 100644 --- a/lib/ep_function.php +++ b/lib/ep_function.php @@ -278,6 +278,22 @@ function urlUnGen($get_value) { return $return; } +// Source http://css-tricks.com/serious-form-security/ +function StripCleanToHtml($s){ + // Restores the added slashes (ie.: " I\'m John " for security in output, and escapes them in htmlentities(ie.: " etc.) + // Also strips any tags it may encouter + // Use: Anything that shouldn't contain html (pretty much everything that is not a textarea) + return htmlentities(trim(strip_tags(stripslashes($s))), ENT_NOQUOTES, "UTF-8"); +} +function CleanToHtml($s){ + // Restores the added slashes (ie.: " I\'m John " for security in output, and escapes them in htmlentities(ie.: " etc.) + // It preserves any tags in that they are encoded aswell (like <html>) + // As an extra security, if people would try to inject tags that would become tags after stripping away bad characters, + // we do still strip tags but only after htmlentities, so any genuine code examples will stay + // Use: For input fields that may contain html, like a textarea + return strip_tags(htmlentities(trim(stripslashes($s))), ENT_NOQUOTES, "UTF-8"); +} + ////////////////// // Admin function //////////////////