From a25eb0b39efb9a7bd0c895b8340751f899a5d057 Mon Sep 17 00:00:00 2001
From: Miguel Ribeiro
Date: Mon, 9 Jun 2025 13:51:33 +0200
Subject: [PATCH] V3.2.1 (#845)

---
 Dockerfile | 4 ++++
 endpoints/settings/colortheme.php | 9 +++++++++
 endpoints/settings/convert_currency.php | 8 ++++++++
 endpoints/settings/customtheme.php | 8 ++++++++
 endpoints/settings/disabled_to_bottom.php | 8 ++++++++
 endpoints/settings/hide_disabled.php | 8 ++++++++
 endpoints/settings/mobile_navigation.php | 8 ++++++++
 endpoints/settings/monthly_price.php | 8 ++++++++
 endpoints/settings/remove_background.php | 8 ++++++++
 endpoints/settings/show_original_price.php | 8 ++++++++
 endpoints/settings/subscription_progress.php | 8 ++++++++
 endpoints/settings/theme.php | 10 +++++++++-
 includes/version.php | 2 +-
 index.php | 6 +-----
 styles/styles.css | 20 --------------------
 15 files changed, 96 insertions(+), 27 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 314d9a1..67c19ef 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -23,6 +23,10 @@ COPY . .
 COPY nginx.conf /etc/nginx/nginx.conf
 COPY nginx.default.conf /etc/nginx/http.d/default.conf
+# Remove nginx conf files from webroot
+RUN rm -rf /var/www/html/nginx.conf && \
+ rm -rf /var/www/html/nginx.default.conf
+
 # Copy the custom crontab file
 COPY cronjobs /etc/cron.d/cronjobs
diff --git a/endpoints/settings/colortheme.php b/endpoints/settings/colortheme.php
index c8632ac..98daf94 100644
--- a/endpoints/settings/colortheme.php
+++ b/endpoints/settings/colortheme.php
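Review bot: The `RUN rm -rf /var/www/html/nginx.conf && \ rm -rf /var/www/html/nginx.default.conf` step runs in a layer after `COPY . .`, so it removes both files from the served filesystem but not from the image: the `COPY . .` layer still contains them and they stay recoverable from the image history. If keeping the nginx configuration out of the published image matters, keep it out of the copy rather than deleting it afterwards, e.g. `COPY --exclude=nginx.conf --exclude=nginx.default.conf . .` (Dockerfile frontend 1.7 labs syntax) or a build-context layout where the confs are not under the copied tree; listing them in `.dockerignore` would not work here because the two `COPY nginx*.conf /etc/nginx/...` lines above read the same files from the build context. The same `COPY . .` presumably also lands `cronjobs` and the Dockerfile itself in `/var/www/html` unless `.dockerignore` already excludes them, which is worth checking since the crontab reveals the scheduled script paths.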
@@ -13,6 +13,15 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
 $postData = file_get_contents("php://input");
 $data = json_decode($postData, true);
+ // Valiudate input, should be a color from the allowed list
+ $allowedColors = ['blue', 'red', 'green', 'yellow', 'purple'];
+ if (!isset($data['color']) || !in_array($data['color'], $allowedColors)) {
+ die(json_encode([
+ "success" => false,
+ "message" => translate("error", $i18n)
+ ]));
+ }
+
 $color = $data['color'];
 $stmt = $db->prepare('UPDATE settings SET color_theme = :color WHERE user_id = :userId');
diff --git a/endpoints/settings/convert_currency.php b/endpoints/settings/convert_currency.php
index a847016..b6a2ef3 100644
--- a/endpoints/settings/convert_currency.php
+++ b/endpoints/settings/convert_currency.php
@@ -14,6 +14,14 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
 $convert_currency = $data['value'];
+ // Validate input
+ if (!isset($convert_currency) || !is_bool($convert_currency)) {
+ die(json_encode([
+ "success" => false,
+ "message" => translate("error", $i18n)
+ ]));
+ }
+
 $stmt = $db->prepare('UPDATE settings SET convert_currency = :convert_currency WHERE user_id = :userId');
 $stmt->bindParam(':convert_currency', $convert_currency, SQLITE3_INTEGER);
 $stmt->bindParam(':userId', $userId, SQLITE3_INTEGER);
diff --git a/endpoints/settings/customtheme.php b/endpoints/settings/customtheme.php
index 96eba70..74b9622 100644
--- a/endpoints/settings/customtheme.php
+++ b/endpoints/settings/customtheme.php
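Review bot: `in_array($data['color'], $allowedColors)` in colortheme.php compares loosely, so a body of `{"color": true}` passes the allow-list (`true == 'blue'` holds in PHP 8) and a non-string `true` is what reaches the `UPDATE settings SET color_theme = :color` statement instead of one of the five names. Pass the strict flag: `if (!isset($data['color']) || !in_array($data['color'], $allowedColors, true)) {`. The comment also has a typo, `// Valiudate input, ...` → `// Validate input, ...`. The `if ($_SERVER["REQUEST_METHOD"] === "POST")` block this sits in continues past the hunk.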
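Review bot: In convert_currency.php `$convert_currency = $data['value'];` executes before the new guard, so a request without `value` (or with a non-object body, which makes `$data` null if it comes from the same `json_decode` as the other endpoints) still raises an "Undefined array key" / "array offset on null" warning in the PHP log on every such request; the `isset` afterwards only hides the resulting null. Read the key with a null coalesce and let the guard do the rejecting: `$convert_currency = $data['value'] ?? null;`. Once `is_bool` is there the `isset` test is redundant (`is_bool(null)` is false), so `if (!is_bool($convert_currency)) {` is enough. The enclosing POST block continues past the hunk.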
@@ -17,6 +17,14 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
 $accent_color = $data['accentColor'];
 $hover_color = $data['hoverColor'];
+ // Validate input, should be a color in #RRGGBB format
+ if (!preg_match('/^#[0-9A-Fa-f]{6}$/', $main_color) || !preg_match('/^#[0-9A-Fa-f]{6}$/', $accent_color) || !preg_match('/^#[0-9A-Fa-f]{6}$/', $hover_color)) {
+ die(json_encode([
+ "success" => false,
+ "message" => translate("error", $i18n)
+ ]));
+ }
+
 if ($main_color == $accent_color) {
 die(json_encode([
 "success" => false,
diff --git a/endpoints/settings/disabled_to_bottom.php b/endpoints/settings/disabled_to_bottom.php
index 722a7eb..208a195 100644
--- a/endpoints/settings/disabled_to_bottom.php
+++ b/endpoints/settings/disabled_to_bottom.php
@@ -14,6 +14,14 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
 $disabled_to_bottom = $data['value'];
+ // Validate input
+ if (!isset($disabled_to_bottom) || !is_bool($disabled_to_bottom)) {
+ die(json_encode([
+ "success" => false,
+ "message" => translate("error", $i18n)
+ ]));
+ }
+
 $stmt = $db->prepare('UPDATE settings SET disabled_to_bottom = :disabled_to_bottom WHERE user_id = :userId');
 $stmt->bindParam(':disabled_to_bottom', $disabled_to_bottom, SQLITE3_INTEGER);
 $stmt->bindParam(':userId', $userId, SQLITE3_INTEGER);
diff --git a/endpoints/settings/hide_disabled.php b/endpoints/settings/hide_disabled.php
index bf07b42..9bac679 100644
--- a/endpoints/settings/hide_disabled.php
+++ b/endpoints/settings/hide_disabled.php
@@ -14,6 +14,14 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
 $hide_disabled = $data['value'];
+ // Validate input
+ if (!isset($hide_disabled) || !is_bool($hide_disabled)) {
+ die(json_encode([
+ "success" => false,
+ "message" => translate("error", $i18n)
+ ]));
+ }
+
 $stmt = $db->prepare('UPDATE settings SET hide_disabled = :hide_disabled WHERE user_id = :userId');
 $stmt->bindParam(':hide_disabled', $hide_disabled, SQLITE3_INTEGER);
 $stmt->bindParam(':userId', $userId, SQLITE3_INTEGER);
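Review bot: The pattern `/^#[0-9A-Fa-f]{6}$/` in customtheme.php accepts a trailing newline, because `$` without the `D` modifier also matches just before a final `\n`, so `"#aabbcc\n"` passes all three checks and the newline is stored with the colour; since these values are presumably emitted into a stylesheet later, anchor the end strictly with `/^#[0-9A-Fa-f]{6}\z/` (or add the `D` modifier) in all three `preg_match` calls. Separately, `$accent_color` and `$hover_color` are read from `$data` in the hunk's first lines (and `$main_color` above it) before anything is validated, so a missing key hands `null` to `preg_match()`, which logs a deprecation in PHP 8.1+; `$accent_color = $data['accentColor'] ?? '';` and the same for the other two avoids that and still fails the regex. The enclosing block starts and ends outside the hunk.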
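Review bot: In disabled_to_bottom.php the guard comes after `$disabled_to_bottom = $data['value'];`, so a body without `value` still logs an "Undefined array key" warning (or an "array offset on null" warning when `$data` is null) before the check rejects it — the same pattern as convert_currency.php in this patch. Use `$disabled_to_bottom = $data['value'] ?? null;` so the read is silent and only the guard decides; with `is_bool` in place the `isset` half of the condition is redundant. The enclosing POST block continues past the hunk.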
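Review bot: hide_disabled.php has the same ordering issue as the other toggle endpoints in this patch: `$hide_disabled = $data['value'];` runs before the new `is_bool` guard, so a missing key or non-object body produces a PHP warning on each bad request before the `die()` response. `$hide_disabled = $data['value'] ?? null;` makes the read silent, and `if (!is_bool($hide_disabled)) {` is then sufficient since `is_bool(null)` is already false. The enclosing POST block continues past the hunk.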
diff --git a/endpoints/settings/mobile_navigation.php b/endpoints/settings/mobile_navigation.php
index 4d9ee75..9cd1bfb 100644
--- a/endpoints/settings/mobile_navigation.php
+++ b/endpoints/settings/mobile_navigation.php
@@ -15,6 +15,14 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
 $mobile_nav = $data['value'];
+ // Validate input
+ if (!isset($mobile_nav) || !is_bool($mobile_nav)) {
+ die(json_encode([
+ "success" => false,
+ "message" => translate("error", $i18n)
+ ]));
+ }
+
 $stmt = $db->prepare('UPDATE settings SET mobile_nav = :mobile_nav WHERE user_id = :userId');
 $stmt->bindParam(':mobile_nav', $mobile_nav, SQLITE3_INTEGER);
 $stmt->bindParam(':userId', $userId, SQLITE3_INTEGER);
diff --git a/endpoints/settings/monthly_price.php b/endpoints/settings/monthly_price.php
index a3410ce..716d2a0 100644
--- a/endpoints/settings/monthly_price.php
+++ b/endpoints/settings/monthly_price.php
@@ -14,6 +14,14 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
 $monthly_price = $data['value'];
+ // Validate input
+ if (!isset($monthly_price) || !is_bool($monthly_price)) {
+ die(json_encode([
+ "success" => false,
+ "message" => translate("error", $i18n)
+ ]));
+ }
+
 $stmt = $db->prepare('UPDATE settings SET monthly_price = :monthly_price WHERE user_id = :userId');
 $stmt->bindParam(':monthly_price', $monthly_price, SQLITE3_INTEGER);
 $stmt->bindParam(':userId', $userId, SQLITE3_INTEGER);
diff --git a/endpoints/settings/remove_background.php b/endpoints/settings/remove_background.php
index 92badd4..87e4363 100644
--- a/endpoints/settings/remove_background.php
+++ b/endpoints/settings/remove_background.php
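Review bot: In mobile_navigation.php the new guard validates `$mobile_nav` only after `$mobile_nav = $data['value'];` has already indexed the decoded body, so a request missing `value` (or with a non-object body) emits a PHP warning before it is rejected, same as the other toggle endpoints in this patch. Read it as `$mobile_nav = $data['value'] ?? null;` and reduce the condition to `if (!is_bool($mobile_nav)) {`, which already covers the null case. The enclosing POST block continues past the hunk.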
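Review bot: monthly_price.php reads `$monthly_price = $data['value'];` before the `is_bool` check, so malformed requests still generate an "Undefined array key" / "array offset on null" warning per request even though they are now rejected — the guard should come before, or the read should be made null-safe. `$monthly_price = $data['value'] ?? null;` does that without changing the accepted inputs, and `isset` then adds nothing over `is_bool`. The enclosing POST block continues past the hunk.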
@@ -14,6 +14,14 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
 $remove_background = $data['value'];
+ // Validate input
+ if (!isset($remove_background) || !is_bool($remove_background)) {
+ die(json_encode([
+ "success" => false,
+ "message" => translate("error", $i18n)
+ ]));
+ }
+
 $stmt = $db->prepare('UPDATE settings SET remove_background = :remove_background WHERE user_id = :userId');
 $stmt->bindParam(':remove_background', $remove_background, SQLITE3_INTEGER);
 $stmt->bindParam(':userId', $userId, SQLITE3_INTEGER);
diff --git a/endpoints/settings/show_original_price.php b/endpoints/settings/show_original_price.php
index c961c84..d23b94c 100644
--- a/endpoints/settings/show_original_price.php
+++ b/endpoints/settings/show_original_price.php
@@ -14,6 +14,14 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
 $show_original_price = $data['value'];
+ // Validate input
+ if (!isset($show_original_price) || !is_bool($show_original_price)) {
+ die(json_encode([
+ "success" => false,
+ "message" => translate("error", $i18n)
+ ]));
+ }
+
 $stmt = $db->prepare('UPDATE settings SET show_original_price = :show_original_price WHERE user_id = :userId');
 $stmt->bindParam(':show_original_price', $show_original_price, SQLITE3_INTEGER);
 $stmt->bindParam(':userId', $userId, SQLITE3_INTEGER);
diff --git a/endpoints/settings/subscription_progress.php b/endpoints/settings/subscription_progress.php
index 373afd2..e44e09e 100644
--- a/endpoints/settings/subscription_progress.php
+++ b/endpoints/settings/subscription_progress.php
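Review bot: remove_background.php follows the same read-then-validate order as the other toggles in this patch: `$remove_background = $data['value'];` indexes the body before the `is_bool` guard, so a missing `value` or a non-object body logs a PHP warning on every rejected request. `$remove_background = $data['value'] ?? null;` keeps the read silent, after which `if (!is_bool($remove_background)) {` is the whole check. The enclosing POST block continues past the hunk.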
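Review bot: In show_original_price.php the guard is correct for the `SQLITE3_INTEGER` bind (`true`/`false` bind as 1/0) but it runs after `$show_original_price = $data['value'];`, so malformed bodies still produce an "Undefined array key" / "array offset on null" warning before the `die()`. Use `$show_original_price = $data['value'] ?? null;` and drop the now-redundant `isset` from the condition, as for the sibling endpoints. The enclosing POST block continues past the hunk.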
@@ -14,6 +14,14 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
 $show_subscription_progress = $data['value'];
+ // Validate input
+ if (!isset($show_subscription_progress) || !is_bool($show_subscription_progress)) {
+ die(json_encode([
+ "success" => false,
+ "message" => translate("error", $i18n)
+ ]));
+ }
+
 $stmt = $db->prepare('UPDATE settings SET show_subscription_progress = :show_subscription_progress WHERE user_id = :userId');
 $stmt->bindParam(':show_subscription_progress', $show_subscription_progress, SQLITE3_INTEGER);
 $stmt->bindParam(':userId', $userId, SQLITE3_INTEGER);
diff --git a/endpoints/settings/theme.php b/endpoints/settings/theme.php
index bcc1967..74c7197 100644
--- a/endpoints/settings/theme.php
+++ b/endpoints/settings/theme.php
@@ -12,7 +12,15 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
 $postData = file_get_contents("php://input");
 $data = json_decode($postData, true);
- $theme = $data['theme'];
+ $theme = (int)$data['theme'];
+
+ // Validate input, should be an integer (0, 1 or 2)
+ if (!isset($theme) || !is_int($theme) || $theme < 0 || $theme > 2) {
+ die(json_encode([
+ "success" => false,
+ "message" => translate("error", $i18n)
+ ]));
+ }
 $stmt = $db->prepare('UPDATE settings SET dark_theme = :theme WHERE user_id = :userId');
 $stmt->bindParam(':theme', $theme, SQLITE3_INTEGER);
diff --git a/includes/version.php b/includes/version.php
index 8187927..4c5ec8b 100644
--- a/includes/version.php
+++ b/includes/version.php
@@ -1,3 +1,3 @@
\ No newline at end of file
diff --git a/index.php b/index.php
index 313ff79..64a8ffd 100644
--- a/index.php
+++ b/index.php
@@ -387,14 +387,10 @@ $headerClass = count($subscriptions) > 0 ? "main-actions" : "main-actions hidden -
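Review bot: subscription_progress.php reads `$show_subscription_progress = $data['value'];` before the new `is_bool` guard, so a body without `value` (or a non-object body) still emits a PHP warning on each rejected request, as in the other toggle endpoints of this patch. `$show_subscription_progress = $data['value'] ?? null;` makes the read silent, and the `isset` half of the condition can then go since `is_bool(null)` is false. The enclosing POST block continues past the hunk.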
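Review bot: The type checks in theme.php cannot fail: `$theme = (int)$data['theme'];` casts before the guard, so `isset($theme)` and `is_int($theme)` are always true, and a missing key, `null`, `false` or a non-numeric string all become `0`, pass the range check and silently write `dark_theme = 0` instead of being rejected (the missing-key case also logs an "Undefined array key" warning). Validate the raw value and cast afterwards: `$raw = $data['theme'] ?? null;` then `if (!is_int($raw) || $raw < 0 || $raw > 2) { ... }` and `$theme = $raw;` below the guard; if the client is known to send numeric strings, `filter_var($data['theme'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0, 'max_range' => 2]])` with a `=== false` check accepts those while still rejecting garbage. The comment `// Validate input, should be an integer (0, 1 or 2)` would then describe what the code actually enforces. The enclosing POST block continues past the hunk.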