xinyin025/TravianZ
1
0
Fork 0
mirror of https://github.com/Shadowss/TravianZ.git synced 2026-06-28 00:24:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

vulnerability fixed and cleanup and refactor

Browse Source
This commit is contained in:
Catalin Novgorodschi
2026-02-11 15:11:43 +02:00
parent db3d9bfff1
commit 2a44e76414
21 changed files with 6089 additions and 5441 deletions
Download Patch File Download Diff File Expand all files Collapse all files
GameEngine/Chat.php
+159 -339
View File
@@ -4,6 +4,7 @@
## --------------------------------------------------------------------------- ##
## Filename Chat.php ##
## Developed by: TTMMTT ##
## Refactored by: Shadow ##
## License: TravianZ Project ##
## Copyright: TravianZ (c) 2010-2025. All rights reserved. ##
## ##
@@ -11,377 +12,196 @@
if (!isset($SAJAX_INCLUDED)) {
$GLOBALS['sajax_version'] = '0.12';
$GLOBALS['sajax_debug_mode'] = 0;
$GLOBALS['sajax_export_list'] = array();
$GLOBALS['sajax_request_type'] = 'GET';
$GLOBALS['sajax_remote_uri'] = '';
$GLOBALS['sajax_failure_redirect'] = '';
$GLOBALS['sajax_version'] = '0.12';
$GLOBALS['sajax_debug_mode'] = 0;
$GLOBALS['sajax_export_list'] = [];
$GLOBALS['sajax_request_type'] = 'GET';
$GLOBALS['sajax_remote_uri'] = $_SERVER['REQUEST_URI'] ?? '';
$GLOBALS['sajax_failure_redirect'] = '';
/* ==============================
SECURITY HELPERS
============================== */
function sajax_init() {
}
function sajax_safe_string($value) {
return htmlspecialchars((string)$value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
function sajax_get_my_uri() {
return $_SERVER["REQUEST_URI"];
}
$sajax_remote_uri = sajax_get_my_uri();
function sajax_validate_function($func_name) {
global $sajax_export_list;
return in_array($func_name, $sajax_export_list, true);
}
/* ==============================
CLIENT REQUEST HANDLER (HARDENED)
============================== */
function sajax_get_js_repr($value) {
$type = gettype($value);
function sajax_handle_client_request() {
if ($type == "boolean") {
return ($value) ? "Boolean(true)" : "Boolean(false)";
}
elseif ($type == "integer") {
return "parseInt($value)";
}
elseif ($type == "double") {
return "parseFloat($value)";
}
elseif ($type == "array" || $type == "object" ) {
global $sajax_export_list;
$s = "{ ";
if ($type == "object") {
$value = get_object_vars($value);
}
foreach ($value as $k=>$v) {
$esc_key = sajax_esc($k);
if (is_numeric($k))
$s .= "$k: " . sajax_get_js_repr($v) . ", ";
else
$s .= "\"$esc_key\": " . sajax_get_js_repr($v) . ", ";
}
if (count($value))
$s = substr($s, 0, -2);
return $s . " }";
}
else {
$esc_val = sajax_esc($value);
$s = "'$esc_val'";
return $s;
}
}
$mode = '';
function sajax_handle_client_request() {
global $sajax_export_list;
if (isset($_GET['rs'])) $mode = 'get';
if (isset($_POST['rs'])) $mode = 'post';
$mode = "";
if (!$mode) return;
if (! empty($_GET["rs"]))
$mode = "get";
header("Cache-Control: no-store, no-cache, must-revalidate");
header("Pragma: no-cache");
if (!empty($_POST["rs"]))
$mode = "post";
$func_name = $mode === 'get'
? (string)$_GET['rs']
: (string)$_POST['rs'];
if (empty($mode))
return;
$args = $mode === 'get'
? ($_GET['rsargs'] ?? [])
: ($_POST['rsargs'] ?? []);
$target = "";
if (!is_array($args)) {
$args = [$args];
}
if ($mode == "get") {
if (!sajax_validate_function($func_name) || !function_exists($func_name)) {
echo "-:Function not callable";
exit;
}
header ("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
header ("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
echo "+:";
$result = call_user_func_array($func_name, $args);
echo "var res = " . trim(sajax_get_js_repr($result)) . "; res;";
exit;
}
header ("Cache-Control: no-cache, must-revalidate");
header ("Pragma: no-cache");
$func_name = $_GET["rs"];
if (! empty($_GET["rsargs"]))
$args = $_GET["rsargs"];
else
$args = array();
}
else {
$func_name = $_POST["rs"];
if (! empty($_POST["rsargs"]))
$args = $_POST["rsargs"];
else
$args = array();
}
/* ==============================
SAFE JS ENCODER
============================== */
if (! in_array($func_name, $sajax_export_list))
echo "-:$func_name not callable";
else {
echo "+:";
$result = call_user_func_array($func_name, $args);
echo "var res = " . trim(sajax_get_js_repr($result)) . "; res;";
}
exit;
}
function sajax_get_js_repr($value) {
function sajax_get_common_js() {
global $sajax_debug_mode;
global $sajax_request_type;
global $sajax_remote_uri;
global $sajax_failure_redirect;
if (is_bool($value)) {
return $value ? "Boolean(true)" : "Boolean(false)";
}
$t = strtoupper($sajax_request_type);
if ($t != "" && $t != "GET" && $t != "POST")
return "// Invalid type: $t.. \n\n";
if (is_int($value)) {
return "parseInt($value)";
}
ob_start();
?>
if (is_float($value)) {
return "parseFloat($value)";
}
// remote scripting library
// (c) copyright 2005 modernmethod, inc
// edited by ttmtt
var sajax_debug_mode = <?php echo $sajax_debug_mode ? "true" : "false"; ?>;
var sajax_request_type = "<?php echo $t; ?>";
var sajax_target_id = "";
var sajax_failure_redirect = "<?php echo $sajax_failure_redirect; ?>";
if (is_array($value) || is_object($value)) {
function sajax_debug(text) {
if (sajax_debug_mode)
alert(text);
}
$value = (array)$value;
$pairs = [];
function sajax_init_object() {
sajax_debug("sajax_init_object() called..")
foreach ($value as $k => $v) {
$k = sajax_safe_string($k);
$pairs[] = is_numeric($k)
? "$k: " . sajax_get_js_repr($v)
: "\"$k\": " . sajax_get_js_repr($v);
}
var A;
return "{ " . implode(', ', $pairs) . " }";
}
var msxmlhttp = new Array(
'Msxml2.XMLHTTP.5.0',
'Msxml2.XMLHTTP.4.0',
'Msxml2.XMLHTTP.3.0',
'Msxml2.XMLHTTP',
'Microsoft.XMLHTTP');
for (var i = 0; i < msxmlhttp.length; i++) {
try {
A = new ActiveXObject(msxmlhttp[i]);
} catch (e) {
A = null;
}
}
return "'" . sajax_safe_string($value) . "'";
}
if(!A && typeof XMLHttpRequest != "undefined")
A = new XMLHttpRequest();
if (!A)
sajax_debug("Could not create connection object.");
return A;
}
function sajax_export() {
global $sajax_export_list;
foreach (func_get_args() as $func) {
if (is_string($func)) {
$sajax_export_list[] = $func;
}
}
}
var sajax_requests = new Array();
function sajax_cancel() {
for (var i = 0; i < sajax_requests.length; i++)
sajax_requests[i].abort();
}
function sajax_do_call(func_name, args) {
var i, x, n;
var uri;
var post_data;
var target_id;
sajax_debug("in sajax_do_call().." + sajax_request_type + "/" + sajax_target_id);
target_id = sajax_target_id;
if (typeof(sajax_request_type) == "undefined" || sajax_request_type == "")
sajax_request_type = "GET";
uri = "<?php echo $sajax_remote_uri; ?>";
if (sajax_request_type == "GET") {
// alert(args);
if (uri.indexOf("?") == -1)
uri += "?rs=" + escape(func_name);
else
uri += "&rs=" + escape(func_name);
uri += "&rst=" + escape(sajax_target_id);
uri += "&rsrnd=" + new Date().getTime();
for (i = 0; i < args.length-1; i++) {
uri += "&rsargs[]=" + args[i];
}
post_data = null;
}
else if (sajax_request_type == "POST") {
post_data = "rs=" + escape(func_name);
post_data += "&rst=" + escape(sajax_target_id);
post_data += "&rsrnd=" + new Date().getTime();
for (i = 0; i < args.length-1; i++)
post_data = post_data + "&rsargs[]=" + escape(args[i]);
}
else {
alert("Illegal request type: " + sajax_request_type);
}
x = sajax_init_object();
if (x == null) {
if (sajax_failure_redirect != "") {
location.href = sajax_failure_redirect;
return false;
} else {
sajax_debug("NULL sajax object for user agent:\n" + navigator.userAgent);
return false;
}
} else {
x.open(sajax_request_type, uri, true);
// window.open(uri);
sajax_requests[sajax_requests.length] = x;
if (sajax_request_type == "POST") {
x.setRequestHeader("Method", "POST " + uri + " HTTP/1.1");
x.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
}
x.onreadystatechange = function() {
if (x.readyState != 4)
return;
sajax_debug("received " + x.responseText);
var status;
var data;
var txt = x.responseText.replace(/^\s*|\s*$/g,"");
status = txt.charAt(0);
data = txt.substring(2);
if (status == "") {
// let's just assume this is a pre-response bailout and let it slide for now
} else if (status == "-")
alert("Error: " + data);
else {
if (target_id != "")
document.getElementById(target_id).innerHTML = eval(data);
else {
try {
var callback;
var extra_data = false;
if (typeof args[args.length-1] == "object") {
callback = args[args.length-1].callback;
extra_data = args[args.length-1].extra_data;
} else {
callback = args[args.length-1];
}
callback(eval(data), extra_data);
} catch (e) {
sajax_debug("Caught error " + e + ": Could not eval " + data );
}
}
}
}
}
sajax_debug(func_name + " uri = " + uri + "/post = " + post_data);
x.send(post_data);
sajax_debug(func_name + " waiting..");
delete x;
return true;
}
<?php
$html = ob_get_contents();
ob_end_clean();
return $html;
}
function sajax_show_common_js() {
echo sajax_get_common_js();
}
// javascript escape a value
function sajax_esc($val)
{
$val = str_replace("\\", "\\\\", $val);
$val = str_replace("\r", "\\r", $val);
$val = str_replace("\n", "\\n", $val);
$val = str_replace("'", "\\'", $val);
return str_replace('"', '\\"', $val);
}
function sajax_get_one_stub($func_name) {
ob_start();
?>
// wrapper for <?php echo $func_name; ?>
function x_<?php echo $func_name; ?>() {
sajax_do_call("<?php echo $func_name; ?>",
x_<?php echo $func_name; ?>.arguments);
}
<?php
$html = ob_get_contents();
ob_end_clean();
return $html;
}
function sajax_show_one_stub($func_name) {
echo sajax_get_one_stub($func_name);
}
function sajax_export() {
global $sajax_export_list;
$n = func_num_args();
for ($i = 0; $i < $n; $i++) {
$sajax_export_list[] = func_get_arg($i);
}
}
$sajax_js_has_been_shown = 0;
function sajax_get_javascript()
{
global $sajax_js_has_been_shown;
global $sajax_export_list;
$html = "";
if (! $sajax_js_has_been_shown) {
$html .= sajax_get_common_js();
$sajax_js_has_been_shown = 1;
}
foreach ($sajax_export_list as $func) {
$html .= sajax_get_one_stub($func);
}
return $html;
}
function sajax_show_javascript()
{
echo sajax_get_javascript();
}
$SAJAX_INCLUDED = 1;
$SAJAX_INCLUDED = 1;
}
function add_data($data) {
global $session,$database;
/* ==============================
CHAT FUNCTIONS (HARDENED)
============================== */
//$data = explode("|",$data);
if (is_array($data)){$msg = htmlspecialchars($data[1]);}else{$msg = htmlspecialchars($data);};
$msg = $database->escape($msg);
// $msg=htmlspecialchars($msg);
$name = addslashes($session->username);
function add_data($data) {
if ($msg != ""){
$id_user = (int) $session->uid;
$alliance = $database->escape($session->alliance);
$now = time();
echo $q = "INSERT into ".TB_PREFIX."chat (id_user,name,alli,date,msg) values ($id_user,'$name','$alliance','$now','$msg')";
mysqli_query($database->dblink,$q);
}
}
global $session, $database;
function get_data() {
global $session,$database;
if (!$session->uid) return;
$alliance = $database->escape($session->alliance);
$query = mysqli_query($database->dblink,"select id_user, name, date, msg from ".TB_PREFIX."chat where alli='$alliance' order by id desc limit 0,13");
while ($r = mysqli_fetch_array($query)) {
$dates = date("g:i",$r['date']);
$data .= "[{$dates}] <a href='spieler.php?uid={$r['id_user']}'>{$r['name']}</a>: {$r['msg']} <br>";
}
return $data;
}
$msg = is_array($data) ? ($data[1] ?? '') : $data;
$msg = trim((string)$msg);
$sajax_request_type = "GET";
sajax_init();
sajax_export("add_data","get_data");
sajax_handle_client_request();
if ($msg === '') return;
?>
$id_user = (int)$session->uid;
$name = $database->escape($session->username);
$alliance = $database->escape($session->alliance);
$now = time();
$stmt = mysqli_prepare(
$database->dblink,
"INSERT INTO ".TB_PREFIX."chat (id_user, name, alli, date, msg) VALUES (?, ?, ?, ?, ?)"
);
if ($stmt) {
mysqli_stmt_bind_param($stmt, "issis",
$id_user,
$name,
$alliance,
$now,
$msg
);
mysqli_stmt_execute($stmt);
mysqli_stmt_close($stmt);
}
}
function get_data() {
global $session, $database;
$alliance = $database->escape($session->alliance);
$stmt = mysqli_prepare(
$database->dblink,
"SELECT id_user, name, date, msg
FROM ".TB_PREFIX."chat
WHERE alli = ?
ORDER BY id DESC
LIMIT 13"
);
$data = '';
if ($stmt) {
mysqli_stmt_bind_param($stmt, "s", $alliance);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);
while ($r = mysqli_fetch_assoc($result)) {
$dates = date("H:i", (int)$r['date']);
$uid = (int)$r['id_user'];
$username = sajax_safe_string($r['name']);
$message = sajax_safe_string($r['msg']);
$data .= "[{$dates}] <a href='spieler.php?uid={$uid}'>{$username}</a>: {$message} <br>";
}
mysqli_stmt_close($stmt);
}
return $data;
}
/* ==============================
SAJAX BOOTSTRAP
============================== */
$sajax_request_type = "GET";
sajax_export("add_data", "get_data");
sajax_handle_client_request();