Change password fields to type='password' and store passwords properly to allow use of special characters.

2026-01-03 16:14:54 -06:00 · 2024-12-14 17:03:19 -06:00
parent 175d24afd2
commit 51e9caf2c2
4 changed files with 107 additions and 99 deletions
--- a/emhttp/plugins/dynamix/OutgoingProxy.page
+++ b/emhttp/plugins/dynamix/OutgoingProxy.page
@@ -15,15 +15,15 @@ Tag="icon-network"
 * all copies or substantial portions of the Software.
 */

-$opmPlugin		= "dynamix";
-require_once("plugins/".$opmPlugin."/include/OutgoingProxyLib.php");
+require_once("plugins/dynamix/include/OutgoingProxyLib.php");

 /* Parse the plugin config file. */
 $cfg = parse_plugin_config();

 /* Pid file used to track the Running/Stopped status. */
-$opm_pid		= "OutgoingProxy";
-$pid_file		= "/var/run/".$opm_pid.".pid";
+$opm_pid	= "OutgoingProxy";
+$pid_file	= OPM_PID_FILE; 
+
 $cfg['proxy_active']	= $cfg['proxy_active'] ?? "0";
 if ($cfg['proxy_active'] != "0") {
 	file_put_contents($pid_file, "running");
@@ -32,9 +32,9 @@ if ($cfg['proxy_active'] != "0") {
 }

 /* Be sure proxy_mames are defined */
-$cfg['proxy_name_1']	= $cfg['proxy_name_1'] ?? "";
-$cfg['proxy_name_2']	= $cfg['proxy_name_2'] ?? "";
-$cfg['proxy_name_3']	= $cfg['proxy_name_3'] ?? "";
+$cfg['proxy_name_1']	= htmlspecialchars($cfg['proxy_name_1']) ?? "";
+$cfg['proxy_name_2']	= htmlspecialchars($cfg['proxy_name_2']) ?? "";
+$cfg['proxy_name_3']	= htmlspecialchars($cfg['proxy_name_3']) ?? "";

 /* Parse the url, user, and password from the full url for proxy 1. */
 $url_array				= get_proxy_info($cfg['proxy_url_1'] ?? "", $cfg['proxy_user_1'] ?? "", $cfg['proxy_pass_1'] ?? "");
@@ -59,23 +59,20 @@ $proxy_3_url			= $url_array['full_url'];
 ?>

 <form markdown="1" name="outgoing_proxy_manager" method="POST" action="/update.php" target="progressFrame">
-<input type="hidden" name="#file" value="<?=$plg_config_file;?>">
-<input type="hidden" name="#command" value="/plugins/<?=$opmPlugin;?>/scripts/outgoingproxy">
+<input type="hidden" name="#file" value="<?=PLG_CONFIG_FILE;?>">
+<input type="hidden" name="#command" value="<?= OUTGOING_PROXY_SCRIPT; ?>">
 <input type="hidden" name="#arg[1]" value="apply">

 <p><strong>_(Enable Outgoing Proxy)_</strong></p>
 _(Select Proxy)_:
 : <select name="proxy_active" style="width:20%;" size="1">
 	<?=mk_option($cfg['proxy_active'], "0", "_(None)_");?>
-
 	<?if (($cfg['proxy_url_1']) && ($cfg['proxy_name_1'])):?>
 	<?=mk_option($cfg['proxy_active'], "1", $cfg['proxy_name_1'], "disabled");?>
 	<?endif;?>
-
 	<?if (($cfg['proxy_url_2']) && ($cfg['proxy_name_2'])):?>
 	<?=mk_option($cfg['proxy_active'], "2", $cfg['proxy_name_2'], "disabled");?>
 	<?endif;?>
-
 	<?if (($cfg['proxy_url_3']) && ($cfg['proxy_name_3'])):?>
 	<?=mk_option($cfg['proxy_active'], "3", $cfg['proxy_name_3'], "disabled");?>
 	<?endif;?>
@@ -93,14 +90,14 @@ _(Select Proxy)_:

 <p><strong>_(Outgoing Proxy)_ 1</strong></p>
 _(Name)_:
-: <input type="text" name="proxy_name_1" style="width:20%;" maxlength="25" value="<?=$cfg['proxy_name_1'];?>" placeholder="(_(Required)_)"><span id="proxy-status-1"></span>
+: <input type="text" name="proxy_name_1" style="width:20%;" maxlength="35" value="<?=$cfg['proxy_name_1'];?>" placeholder="(_(Required)_)"><span id="proxy-status-1"></span>

 :outgoing_proxy_name_plug:
 > Outgoing Proxy name for this Proxy.
 :end

 _(URL)_:
-: <input type="text" name="proxy_url_1" style="width:30%;" maxlength="100" value="<?=$cfg['proxy_url_1'];?>" onchange="verifyUrl(this)" placeholder="_(http://IP:port or http://host:port)_">
+: <input type="text" name="proxy_url_1" style="width:30%;" maxlength="100" value="<?=htmlspecialchars($cfg['proxy_url_1']);?>" onchange="verifyUrl(this)" placeholder="_(http://IP:port or http://host:port)_">

 :outgoing_proxy_url_plug:
 > Outgoing Proxy URL for this Proxy.  The URL can be entered with or without credentials.  The credentials will be parsed from the URL.
@@ -109,14 +106,14 @@ _(URL)_:
 :end

 _(User)_:
-: <input type="text" name="proxy_user_1" class="wide" maxlength="100" value="<?=$cfg['proxy_user_1'];?>" placeholder="(_(Optional)_)">
+: <input type="text" name="proxy_user_1" class="wide" maxlength="100" value="<?=htmlspecialchars($cfg['proxy_user_1']);?>" placeholder="(_(Optional)_)">

 :outgoing_proxy_user_plug:
 > Outgoing Proxy User Name for this Proxy.
 :end

 _(Password)_:
-: <input type="text" name="proxy_pass_1" class="wide" maxlength="100" value="<?=$cfg['proxy_pass_1'];?>" placeholder="(_(Optional)_)">
+: <input type="password" name="proxy_pass_1" class="wide" maxlength="100" value="<?=htmlspecialchars($cfg['proxy_pass_1']);?>" placeholder="(_(Optional)_)">

 :outgoing_proxy_password_plug:
 > Outgoing Proxy Password for this Proxy.
@@ -124,14 +121,14 @@ _(Password)_:

 <p><strong>_(Outgoing Proxy)_ 2</strong></p>
 _(Name)_:
-: <input type="text" name="proxy_name_2" style="width:20%;" maxlength="25" value="<?=$cfg['proxy_name_2'];?>" placeholder="(_(Required)_)"><span id="proxy-status-2"></span>
+: <input type="text" name="proxy_name_2" style="width:20%;" maxlength="35" value="<?=$cfg['proxy_name_2'];?>" placeholder="(_(Required)_)"><span id="proxy-status-2"></span>

 :outgoing_proxy_name_plug:
 > Outgoing Proxy name for this Proxy.
 :end

 _(URL)_:
-: <input type="text" name="proxy_url_2" style="width:30%;" maxlength="100" value="<?=$cfg['proxy_url_2'];?>"  onchange="verifyUrl(this)" placeholder="_(http://IP:port or http://host:port)_">
+: <input type="text" name="proxy_url_2" style="width:30%;" maxlength="100" value="<?=htmlspecialchars($cfg['proxy_url_2']);?>"  onchange="verifyUrl(this)" placeholder="_(http://IP:port or http://host:port)_">

 :outgoing_proxy_url_plug:
 > Outgoing Proxy URL for this Proxy.  The URL can be entered with or without credentials.  The credentials will be parsed from the URL.
@@ -140,14 +137,14 @@ _(URL)_:
 :end

 _(User)_:
-: <input type="text" name="proxy_user_2" class="wide" maxlength="100" value="<?=$cfg['proxy_user_2'];?>" placeholder="(_(Optional)_)">
+: <input type="text" name="proxy_user_2" class="wide" maxlength="100" value="<?=htmlspecialchars($cfg['proxy_user_2']);?>" placeholder="(_(Optional)_)">

 :outgoing_proxy_user_plug:
 > Outgoing Proxy User Name for this Proxy.
 :end

 _(Password)_:
-: <input type="text" name="proxy_pass_2" class="wide" maxlength="100" value="<?=$cfg['proxy_pass_2'];?>" placeholder="(_(Optional)_)">
+: <input type="password" name="proxy_pass_2" class="wide" maxlength="100" value="<?=htmlspecialchars($cfg['proxy_pass_2']);?>" placeholder="(_(Optional)_)">

 :outgoing_proxy_password_plug:
 > Outgoing Proxy Password for this Proxy.
@@ -155,14 +152,14 @@ _(Password)_:

 <p><strong>_(Outgoing Proxy)_ 3</strong></p>
 _(Name)_:
-: <input type="text" name="proxy_name_3" style="width:20%;" maxlength="25" value="<?=$cfg['proxy_name_3'];?>" placeholder="(_(Required)_)"><span id="proxy-status-3"></span>
+: <input type="text" name="proxy_name_3" style="width:20%;" maxlength="35" value="<?=$cfg['proxy_name_3'];?>" placeholder="(_(Required)_)"><span id="proxy-status-3"></span>

 :outgoing_proxy_name_plug:
 > Outgoing Proxy name for this Proxy.
 :end

 _(URL)_:
-: <input type="text" name="proxy_url_3" style="width:30%;" maxlength="100" value="<?=$cfg['proxy_url_3'];?>"  onchange="verifyUrl(this)" placeholder="_(http://IP:port or http://host:port)_">
+: <input type="text" name="proxy_url_3" style="width:30%;" maxlength="100" value="<?=htmlspecialchars($cfg['proxy_url_3']);?>"  onchange="verifyUrl(this)" placeholder="_(http://IP:port or http://host:port)_">

 :outgoing_proxy_url_plug:
 > Outgoing Proxy URL for this Proxy.  The URL can be entered with or without credentials.  The credentials will be parsed from the URL.
@@ -171,14 +168,14 @@ _(URL)_:
 :end

 _(User)_:
-: <input type="text" name="proxy_user_3" class="wide" maxlength="100" value="<?=$cfg['proxy_user_3'];?>" placeholder="(_(Optional)_)">
+: <input type="text" name="proxy_user_3" class="wide" maxlength="100" value="<?=htmlspecialchars($cfg['proxy_user_3']);?>" placeholder="(_(Optional)_)">

 :outgoing_proxy_user_plug:
 > Outgoing Proxy User Name for this Proxy.
 :end

 _(Password)_:
-: <input type="text" name="proxy_pass_3" class="wide" maxlength="100" value="<?=$cfg['proxy_pass_3'];?>" placeholder="(_(Optional)_)">
+: <input type="password" name="proxy_pass_3" class="wide" maxlength="100" value="<?=htmlspecialchars($cfg['proxy_pass_3']);?>" placeholder="(_(Optional)_)">

 :outgoing_proxy_password_plug:
 > Outgoing Proxy Password for this Proxy.
@@ -190,13 +187,20 @@ _(Password)_:

 <script>
 	/* Refresh Proxy Manager page showing updated proxy status. */
+    const proxyUrls = <?= json_encode([
+        'proxy_1_url' => $proxy_1_url,
+        'proxy_2_url' => $proxy_2_url,
+        'proxy_3_url' => $proxy_3_url,
+        'proxy_active' => $cfg['proxy_active']
+    ]) ?>;
+
 	function refreshPage() {
 		$.post(OPMURL, {
 			action: "proxy_status",
-			proxy_1_url: "<?=$proxy_1_url;?>",
-			proxy_2_url: "<?=$proxy_2_url;?>",
-			proxy_3_url: "<?=$proxy_3_url;?>",
-			proxy_active: "<?=$cfg['proxy_active'];?>"
+			proxy_1_url: proxyUrls.proxy_1_url,
+			proxy_2_url: proxyUrls.proxy_2_url,
+			proxy_3_url: proxyUrls.proxy_3_url,
+			proxy_active: proxyUrls.proxy_active
 		}, function(data) {
 			/* Refresh the proxy status. */
 			/* Update the proxy status div */
@@ -307,5 +311,5 @@ _(Password)_:
 	});

 	/* URL for Outgoing Proxy PHP file. */
-	const OPMURL = '/plugins/<?=$opmPlugin;?>/include/OutgoingProxy.php';
+	const OPMURL = '<?= OUTGOING_PROXY_INCLUDE; ?>';
 </script>
--- a/emhttp/plugins/dynamix/include/OutgoingProxy.php
+++ b/emhttp/plugins/dynamix/include/OutgoingProxy.php
@@ -9,42 +9,42 @@
 * all copies or substantial portions of the Software.
 */

-$opmPlugin	= "dynamix";
-require_once("plugins/".$opmPlugin."/include/OutgoingProxyLib.php");
+require_once("plugins/dynamix/include/OutgoingProxyLib.php");

-switch ($_POST['action']) {
+function get_proxy_status($proxy_url, $proxy_active, $index) {
+    if (!$proxy_url) {
+        return "";
+    }
+
+    return proxy_online($proxy_url) 
+        ? ($proxy_active == $index ? "Active" : "") 
+        : ($proxy_active == $index ? "Offline" : "Not Available");
+}
+
+$action = htmlspecialchars($_POST['action'] ?? '', ENT_QUOTES, 'UTF-8');
+
+switch ($action) {
 	case 'proxy_status':
-		/* Get the active proxy. */
-		$proxy_active		= urldecode($_POST['proxy_active']);
+		/* Sanitize inputs. */
+		$proxy_active = htmlspecialchars($_POST['proxy_active'] ?? '', ENT_QUOTES, 'UTF-8');
+		$proxy_urls = [
+			'1' => filter_var($_POST['proxy_1_url'] ?? '', FILTER_SANITIZE_URL),
+			'2' => filter_var($_POST['proxy_2_url'] ?? '', FILTER_SANITIZE_URL),
+			'3' => filter_var($_POST['proxy_3_url'] ?? '', FILTER_SANITIZE_URL),
+		];

-		/* Get the proxy 1 status. */
-		$proxy_1_url	= urldecode($_POST['proxy_1_url']);
-		if ($proxy_1_url) {
-			$proxy_1_status	= proxy_online($proxy_1_url) ? ($proxy_active == "1" ? "Active" : "") : ($proxy_active == "1" ? "Offline" : "Not Available");
-		} else {
-			$proxy_1_status = "";
+		/* Generate response. */
+		$response = [];
+		foreach ($proxy_urls as $key => $url) {
+			$response["proxy_status_{$key}"] = get_proxy_status($url, $proxy_active, $key);
 		}

-		/* Get the proxy 2 status. */
-		$proxy_2_url	= urldecode($_POST['proxy_2_url']);
-		if ($proxy_2_url) {
-			$proxy_2_status	= proxy_online($proxy_2_url) ? ($proxy_active == "2" ? "Active" : "") : ($proxy_active == "2" ? "Offline" : "Not Available");
-		} else {
-			$proxy_2_status = "";
-		}
-		/* Get the proxy 3 status. */
-		$proxy_3_url	= urldecode($_POST['proxy_3_url']);
-		if ($proxy_3_url) {
-			$proxy_3_status	= proxy_online($proxy_3_url) ? ($proxy_active == "3" ? "Active" : "") : ($proxy_active == "3" ? "Offline" : "Not Available");
-		} else {
-			$proxy_3_status = "";
-		}
-
-		echo json_encode(array( 'proxy_status_1' => $proxy_1_status, 'proxy_status_2' => $proxy_2_status, 'proxy_status_3' => $proxy_3_status ));
+		/* Output response as JSON. */
+		echo json_encode($response);
 		break;

 	default:
-		outgoingproxy_log("Undefined POST action - ".$_POST['action'].".");
+		outgoingproxy_log("Undefined POST action - " . htmlspecialchars($action, ENT_QUOTES, 'UTF-8') . ".");
 		break;
 }
 ?>
--- a/emhttp/plugins/dynamix/include/OutgoingProxyLib.php
+++ b/emhttp/plugins/dynamix/include/OutgoingProxyLib.php
@@ -9,38 +9,39 @@
 * all copies or substantial portions of the Software.
 */

-$opmPlugin			= "dynamix";
+/* Base paths */
+define('BASE_RUN_PATH', '/var/run');
+define('PLUGIN_SCRIPTS_PATH', '/plugins/dynamix/scripts');
+define('PLUGIN_INCLUDE_PATH', '/plugins/dynamix/include');
+
+/* Specific paths */
+define('OPM_PID_FILE', BASE_RUN_PATH . '/OutgoingProxy.pid');
+define('OUTGOING_PROXY_SCRIPT', PLUGIN_SCRIPTS_PATH . '/outgoingproxy');
+define('OUTGOING_PROXY_INCLUDE', PLUGIN_INCLUDE_PATH . '/OutgoingProxy.php');

 /* UI config file location. */
-$plg_config_file	= "/boot/config/plugins/".$opmPlugin."/outgoingproxy.cfg";
+define('PLG_CONFIG_FILE', '/boot/config/plugins/dynamix/outgoingproxy.cfg');

 /* Outgoing Proxy Manager logging tag. */
-$opm_log	= "Outgoing Proxy Manager";
+DEFINE('OPM_LOG', '"Outgoing Proxy Manager"');

 /* Outgoing Proxy logging. */
 function outgoingproxy_log($m) {
-	global $opm_log;
-
 	$m		= print_r($m,true);
 	$m		= str_replace("\n", " ", $m);
 	$m		= str_replace('"', "'", $m);
-	exec("/usr/bin/logger"." ".escapeshellarg($m)." -t ".escapeshellarg($opm_log));
+	exec("/usr/bin/logger"." ".escapeshellarg($m)." -t ".OPM_LOG);
 }

 /* Parse plugin config file. */
 function parse_plugin_config() {
-	global $plg_config_file;
-
-	$cfg = is_file($plg_config_file) ? @parse_ini_file($plg_config_file, true) : array();
+	$cfg = is_file(PLG_CONFIG_FILE) ? @parse_ini_file(PLG_CONFIG_FILE, true) : array();

 	return($cfg);
 }

 /* Write values to plugin config file. */
 function write_plugin_config($config) {
-	global $plg_config_file;
-
-	/* Rewrite config file. */
 	/* Convert the array to an INI string. */
 	$iniString = '';
 	foreach ($config as $key => $value) {
@@ -48,7 +49,7 @@ function write_plugin_config($config) {
 	}

 	/* Write the INI string to a file. */
-	file_put_contents($plg_config_file, $iniString);
+	file_put_contents(PLG_CONFIG_FILE, $iniString);
 }

 /* Check to see if the proxy is online and available. */
@@ -153,39 +154,43 @@ function set_config($variable, $value) {
 	write_plugin_config($config);
 }

-/* Encrypt data. */
 function encrypt_data($data) {
-	$key	= get_config("key");
-	if ((! $key) || strlen($key) != 32) {
-		$key = substr(base64_encode(openssl_random_pseudo_bytes(32)), 0, 32);
-		set_config("key", $key);
-	}
-	$iv		= get_config("iv");
-	if ((! $iv) || strlen($iv) != 16) {
-		$iv = substr(base64_encode(openssl_random_pseudo_bytes(16)), 0, 16);
-		set_config("iv", $iv);
-	}
+    $key = get_config("key");
+    if (!$key || strlen($key) != 32) {
+        $key = substr(base64_encode(openssl_random_pseudo_bytes(32)), 0, 32);
+        set_config("key", $key);
+    }
+    $iv = get_config("iv");
+    if (!$iv || strlen($iv) != 16) {
+        $iv = substr(base64_encode(openssl_random_pseudo_bytes(16)), 0, 16);
+        set_config("iv", $iv);
+    }

-	/* Encrypt the data using aes256. */
-	$value	= trim(openssl_encrypt($data, 'aes256', $key, $options=0, $iv));
+    /* Encrypt the data using aes-256-cbc (ensure mode and padding are specified). */
+    $encrypted = openssl_encrypt($data, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);

-	return $value;
+    /* Base64 encode the encrypted data. */
+    $value = base64_encode($encrypted);
+
+    return $value;
 }

-/* Decrypt data. */
 function decrypt_data($data) {
-	$key	= get_config("key");
-	$iv		= get_config("iv");
+    $key = get_config("key");
+    $iv  = get_config("iv");

-    /* Decrypt the data using aes256. */
-	$value = openssl_decrypt($data, 'aes256', $key, $options=0, $iv);
+    /* Base64 decode before decryption. */
+    $encrypted_data = base64_decode(stripslashes($data));

-	/* Make sure the data is UTF-8 encoded. */
-	if (! mb_check_encoding($value, 'UTF-8')) {
-		outgoingproxy_log("Warning: Data is not UTF-8 encoded");
-		$value = "";
-	}
+    /* Decrypt the data using aes-256-cbc. */
+    $decrypted = openssl_decrypt($encrypted_data, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);

-	return $value;
+    /* Ensure the decrypted data is UTF-8 encoded. */
+    if (!mb_check_encoding($decrypted, 'UTF-8')) {
+        unassigned_log("Warning: Data is not UTF-8 encoded");
+        $decrypted = "";
+    }
+
+    return $decrypted;
 }
 ?>
--- a/emhttp/plugins/dynamix/scripts/outgoingproxy
+++ b/emhttp/plugins/dynamix/scripts/outgoingproxy
@@ -10,8 +10,7 @@
 * all copies or substantial portions of the Software.
 */

-$opmPlugin	= "dynamix";
-require_once("plugins/".$opmPlugin."/include/OutgoingProxyLib.php");
+require_once("plugins/dynamix/include/OutgoingProxyLib.php");

 /* Save settings and update config. */
 function apply() {
@@ -63,7 +62,7 @@ function apply() {
 				$cfg_pass			= $cfg[$proxy_pass] ?? "";
 				$cfg[$proxy_pass]	= $cfg_pass ? $cfg_pass : urldecode($pass);
 				$encodedPass		= (strpos($cfg[$proxy_pass], '%') === false) ? urlencode($cfg[$proxy_pass]) : $cfg[$proxy_pass];
-				$cfg[$proxy_pass]	= encrypt_data($cfg[$proxy_pass]);
+				$cfg[$proxy_pass]	= addslashes(encrypt_data($cfg[$proxy_pass]));
 			} else {
 				/* The string does not contain 'http://' and/or a port designation at the end */
 				$cfg[$proxy_url]	= "";
@@ -81,7 +80,7 @@ function apply() {
 	}

 	/* Write the INI string to the plugin config file. */
-	file_put_contents($plg_config_file, $iniString);
+	file_put_contents(PLG_CONFIG_FILE, $iniString);

 	/* Let things settle. */
 	sleep(1);