From 019e3c8082a9e0a2592e3a5f7f16f10d071c78b9 Mon Sep 17 00:00:00 2001
From: Joey
Date: Thu, 19 Dec 2013 05:59:23 -0500
Subject: [PATCH 1/7] Update worker.class.php
Fix for issue #957
---
 public/include/classes/worker.class.php | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)
diff --git a/public/include/classes/worker.class.php b/public/include/classes/worker.class.php
index 0caa9f4b..9f66e6b3 100644
--- a/public/include/classes/worker.class.php
+++ b/public/include/classes/worker.class.php
@@ -21,14 +21,24 @@ class Worker extends Base {
 $username = $this->user->getUserName($account_id);
 $iFailed = 0;
 foreach ($data as $key => $value) {
+ $validWorker = 1;
 if ('' === $value['username'] || '' === $value['password']) {
 $iFailed++;
 } else {
 // Prefix the WebUser to Worker name
 $value['username'] = "$username." . $value['username'];
- $stmt = $this->mysqli->prepare("UPDATE $this->table SET password = ?, username = ?, monitor = ? WHERE account_id = ? AND id = ?");
- if ( ! ( $this->checkStmt($stmt) && $stmt->bind_param('ssiii', $value['password'], $value['username'], $value['monitor'], $account_id, $key) && $stmt->execute()) )
+ // Ensure we have a sane worker name
+ $wData = explode('.', $value['username']);
+ if (!preg_match('/[a-z_\-0-9]/i', $wData[1]) || strlen($value['username']) > 50) {
+ $validWorker = 0;
+ }
+ if ($validWorker) {
+ $stmt = $this->mysqli->prepare("UPDATE $this->table SET password = ?, username = ?, monitor = ? WHERE account_id = ? AND id = ?");
+ if ( ! ( $this->checkStmt($stmt) && $stmt->bind_param('ssiii', $value['password'], $value['username'], $value['monitor'], $account_id, $key) && $stmt->execute()) )
+ $iFailed++;
+ } else {
 $iFailed++;
+ }
 }
 }
 if ($iFailed == 0) 
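Review bot: `$wData[1]` in the added validation is the segment after the first '.' of the already-prefixed `"$username." . $value['username']`, so an account name containing a '.' makes the check run on part of the account name, and a worker name containing one is only checked up to its first dot; validating `$value['username']` before the prefix is prepended avoids the explode entirely. The pattern `'/[a-z_\-0-9]/i'` is also unanchored, so any string that contains at least one allowed character passes, which is not the "sane worker name" the comment promises. Later patches in this series rework both points, so squashing them would avoid committing the intermediate state. updateWorkers' header and the `$iFailed == 0` result handling lie outside the hunk.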
@@ -225,8 +235,16 @@ class Worker extends Base {
 $this->setErrorMessage($this->getErrorMsg('E0058'));
 return false;
 }
+ if (!preg_match('/[a-z_\-0-9]i/', $workerName)) {
+ $this->setErrorMessage($this->getErrorMsg('E0072'));
+ return false;
+ }
 $username = $this->user->getUserName($account_id);
 $workerName = "$username.$workerName";
+ if (strlen($workerName) > 50) {
+ $this->setErrorMessage($this->getErrorMessage('E0073'));
+ return false;
+ }
 $stmt = $this->mysqli->prepare("INSERT INTO $this->table (account_id, username, password) VALUES(?, ?, ?)");
 if ($this->checkStmt($stmt) && $stmt->bind_param('iss', $account_id, $workerName, $workerPassword)) {
 if (!$stmt->execute()) {
From 722432fecc4131346192da88d8905fb115a3e32e Mon Sep 17 00:00:00 2001
From: Joey
Date: Thu, 19 Dec 2013 06:00:55 -0500
Subject: [PATCH 2/7] Update error_codes.inc.php
Fix to issue #957
---
 public/include/config/error_codes.inc.php | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/public/include/config/error_codes.inc.php b/public/include/config/error_codes.inc.php
index 80078f3d..1c5eee85 100644
--- a/public/include/config/error_codes.inc.php
+++ b/public/include/config/error_codes.inc.php
@@ -69,4 +69,6 @@ $aErrorCodes['E0062'] = 'Block has no share_id, not running payouts';
 $aErrorCodes['E0063'] = 'Upstream share already assigned to previous block';
 $aErrorCodes['E0064'] = 'Failed to create transaction record';
 $aErrorCodes['E0065'] = 'Remaining balance is greater than 0';
+$aErrorCodes['E0072'] = 'Worker names must be alphanumeric';
+$aErrorCodes['E0073'] = 'Worker name is too long; try entering a shorter name'
 ?>
From fcebc8eb2b23e3c5a36a9631984fd0faaa4e31d3 Mon Sep 17 00:00:00 2001
From: Joey
Date: Thu, 19 Dec 2013 06:48:00 -0500
Subject: [PATCH 3/7] Update worker.class.php
Fix for issue #957
---
 public/include/classes/worker.class.php | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-) 
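Review bot: In `'/[a-z_\-0-9]i/'` the `i` sits inside the delimiters, so it is matched as a literal character rather than applied as the case-insensitive flag, and the pattern is unanchored; `'/^[a-z_\-0-9]+$/i'` expresses the rule the E0072 message describes. On the length branch `$this->getErrorMessage('E0073')` does not match the `getErrorMsg` helper used for E0058 and E0072 just above; if `getErrorMessage` is not defined on the class, an over-long name produces a fatal error instead of the E0073 message. Patches 3 and 5 of this series correct both, so the intermediate commits do not behave as described. addWorker's header and the remainder of the insert path are outside the hunk.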
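Review bot: The added `$aErrorCodes['E0073'] = '…'` line has no terminating semicolon and only parses because the `?>` on the following line implies one; `$aErrorCodes['E0073'] = 'Worker name is too long; try entering a shorter name';` keeps the file safe for the next entry appended before the closing tag. The E0072 text says "alphanumeric" while the pattern the worker code applies also accepts `_` and `-`; `'Worker names may only contain letters, digits, underscores and hyphens'` states the rule the user is actually held to. The codes jump from E0065 to E0072, which is fine if E0066–E0071 are defined elsewhere; otherwise the gap looks accidental.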
diff --git a/public/include/classes/worker.class.php b/public/include/classes/worker.class.php
index 9f66e6b3..f8a8ce31 100644
--- a/public/include/classes/worker.class.php
+++ b/public/include/classes/worker.class.php
@@ -29,7 +29,8 @@ class Worker extends Base {
 $value['username'] = "$username." . $value['username'];
 // Ensure we have a sane worker name
 $wData = explode('.', $value['username']);
- if (!preg_match('/[a-z_\-0-9]/i', $wData[1]) || strlen($value['username']) > 50) {
+ $validName = (bool) preg_match("/^[0-9a-zA-Z_\-]*$/", $wData[1]);
+ if ($validName === false || strlen($value['username']) > 50) {
 $validWorker = 0;
 }
 if ($validWorker) {
@@ -235,7 +236,8 @@ class Worker extends Base {
 $this->setErrorMessage($this->getErrorMsg('E0058'));
 return false;
 }
- if (!preg_match('/[a-z_\-0-9]i/', $workerName)) {
+ $validName = (bool) preg_match("/^[0-9a-zA-Z_\-]*$/", $wData[1]);
+ if ($validName === false) {
 $this->setErrorMessage($this->getErrorMsg('E0072'));
 return false;
 }
From d85ae9bd7cafc381ec90015a5ef93713476e82d9 Mon Sep 17 00:00:00 2001
From: Joey
Date: Thu, 19 Dec 2013 06:51:28 -0500
Subject: [PATCH 4/7] Update worker.class.php
[UPDATE] Fix for issue #957
---
 public/include/classes/worker.class.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/public/include/classes/worker.class.php b/public/include/classes/worker.class.php
index f8a8ce31..19c5558b 100644
--- a/public/include/classes/worker.class.php
+++ b/public/include/classes/worker.class.php
@@ -236,7 +236,7 @@ class Worker extends Base {
 $this->setErrorMessage($this->getErrorMsg('E0058'));
 return false;
 }
- $validName = (bool) preg_match("/^[0-9a-zA-Z_\-]*$/", $wData[1]);
+ $validName = (bool) preg_match("/^[0-9a-zA-Z_\-]*$/", $workerName);
 if ($validName === false) {
 $this->setErrorMessage($this->getErrorMsg('E0072'));
 return false;
From 47a13f937b08def765affef5d1f65badaaaac397 Mon Sep 17 00:00:00 2001 
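Review bot: In the addWorker hunk of patch 3, `$wData[1]` is not defined in this method — `$wData` only exists in updateWorkers — so `preg_match` runs against an undefined value that coerces to the empty string, which `"/^[0-9a-zA-Z_\-]*$/"` matches, and the name check therefore accepts every worker name at this commit; the argument should be `$workerName`, which patch 4 applies. Casting the result to bool and comparing `=== false` also folds a PCRE failure (`false`) into a plain no-match, and `if (!preg_match(...))` reads more directly. The updateWorkers hunk keeps the same `(bool)` shape and still depends on the position of the first '.' via explode. Both methods continue outside these hunks.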
From: Joey
Date: Thu, 19 Dec 2013 09:11:59 -0500
Subject: [PATCH 5/7] Update worker.class.php
Cleaned up code
---
 public/include/classes/worker.class.php | 35 ++++++++++---------------
 1 file changed, 14 insertions(+), 21 deletions(-)
diff --git a/public/include/classes/worker.class.php b/public/include/classes/worker.class.php
index 19c5558b..66a14365 100644
--- a/public/include/classes/worker.class.php
+++ b/public/include/classes/worker.class.php 
@@ -21,25 +21,19 @@ class Worker extends Base {
 $username = $this->user->getUserName($account_id);
 $iFailed = 0;
 foreach ($data as $key => $value) {
- $validWorker = 1;
- if ('' === $value['username'] || '' === $value['password']) {
+ if ('' === $value['username'] || '' === $value['password']) {
+ $iFailed++;
+ } else {
+ // Check worker name first
+ if (! preg_match("/^[0-9a-zA-Z_\-]*$/", $value['username'])) {
+ $iFailed++;
+ continue;
+ }
+ // Prefix the WebUser to Worker name
+ $value['username'] = "$username." . $value['username'];
+ $stmt = $this->mysqli->prepare("UPDATE $this->table SET password = ?, username = ?, monitor = ? WHERE account_id = ? AND id = ?");
+ if ( ! ( $this->checkStmt($stmt) && $stmt->bind_param('ssiii', $value['password'], $value['username'], $value['monitor'], $account_id, $key) && $stmt->execute()) )
 $iFailed++;
- } else {
- // Prefix the WebUser to Worker name
- $value['username'] = "$username." . $value['username'];
- // Ensure we have a sane worker name
- $wData = explode('.', $value['username']);
- $validName = (bool) preg_match("/^[0-9a-zA-Z_\-]*$/", $wData[1]);
- if ($validName === false || strlen($value['username']) > 50) {
- $validWorker = 0;
- }
- if ($validWorker) {
- $stmt = $this->mysqli->prepare("UPDATE $this->table SET password = ?, username = ?, monitor = ? WHERE account_id = ? AND id = ?");
- if ( ! ( $this->checkStmt($stmt) && $stmt->bind_param('ssiii', $value['password'], $value['username'], $value['monitor'], $account_id, $key) && $stmt->execute()) )
- $iFailed++;
- } else {
- $iFailed++;
- }
 }
 }
 if ($iFailed == 0) 
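Review bot: The rewrite drops the `strlen($value['username']) > 50` check that the previous revision applied to the prefixed name, so a worker renamed through updateWorkers is no longer held to the limit that addWorker still enforces with E0073, and the two entry points now accept different inputs for the same column; after the prefix line add `if (strlen($value['username']) > 50) { $iFailed++; continue; }`. Moving the name check ahead of the prefix removes the explode-based indexing, which is an improvement. The `*` quantifier still accepts an empty name, harmless here only because the `'' === $value['username']` guard runs first. The method's header and the `$iFailed == 0` result handling are outside the hunk.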
@@ -236,15 +230,14 @@ class Worker extends Base {
 $this->setErrorMessage($this->getErrorMsg('E0058'));
 return false;
 }
- $validName = (bool) preg_match("/^[0-9a-zA-Z_\-]*$/", $workerName);
- if ($validName === false) {
+ if (!preg_match("/^[0-9a-zA-Z_\-]*$/", $workerName)) {
 $this->setErrorMessage($this->getErrorMsg('E0072'));
 return false;
 }
 $username = $this->user->getUserName($account_id);
 $workerName = "$username.$workerName";
 if (strlen($workerName) > 50) {
- $this->setErrorMessage($this->getErrorMessage('E0073'));
+ $this->setErrorMessage($this->getErrorMsg('E0073'));
 return false;
 }
 $stmt = $this->mysqli->prepare("INSERT INTO $this->table (account_id, username, password) VALUES(?, ?, ?)");
From a51d19514145f61e4a9df59faf6dc932ec60d3e7 Mon Sep 17 00:00:00 2001
From: xisi
Date: Thu, 19 Dec 2013 09:20:15 -0500
Subject: [PATCH 6/7] Cleanup code for update/add
---
 public/include/classes/worker.class.php | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/public/include/classes/worker.class.php b/public/include/classes/worker.class.php
index 66a14365..eaabdd21 100644
--- a/public/include/classes/worker.class.php
+++ b/public/include/classes/worker.class.php
@@ -13,6 +13,8 @@ class Worker extends Base {
 * @return bool
 **/
 public function updateWorkers($account_id, $data) {
+ $this->debug->append("STA " . __METHOD__, 4);
+ if (!public function updateWorkers($account_id, $data) {
 $this->debug->append("STA " . __METHOD__, 4);
 if (!is_array($data)) {
 $this->setErrorMessage('No workers to update');
From fd98a9bfaa95adce3ed941994b3100a919feee9c Mon Sep 17 00:00:00 2001
From: xisi
Date: Thu, 19 Dec 2013 09:25:20 -0500
Subject: [PATCH 7/7] Actually fixing the code this time?
---
 public/include/classes/worker.class.php | 2 --
 1 file changed, 2 deletions(-)
diff --git a/public/include/classes/worker.class.php b/public/include/classes/worker.class.php
index eaabdd21..66a14365 100644
--- a/public/include/classes/worker.class.php
+++ b/public/include/classes/worker.class.php 
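Review bot: `"/^[0-9a-zA-Z_\-]*$/"` matches the empty string, so unless the E0058 guard just above already rejects an empty `$workerName`, an empty name passes the E0072 check and reaches the INSERT as just `"$username."`; `+` instead of `*` closes that: `if (!preg_match("/^[0-9a-zA-Z_\-]+$/", $workerName)) {`. The same pattern is used in updateWorkers in the previous hunk, where the empty case is caught by an explicit `''` comparison first, so the two paths should agree on one pattern. The E0058 condition and the rest of addWorker are outside the hunk.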
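Review bot: The second added line of patch 6, `if (!public function updateWorkers($account_id, $data) {`, is not valid PHP and leaves worker.class.php unparseable at that commit, and the line above it duplicates the `$this->debug->append("STA " . __METHOD__, 4);` call that already follows. Patch 7 reverts both lines, so the two commits cancel out; dropping them from the series keeps every commit buildable, which matters for bisecting. The enclosing updateWorkers body continues outside the hunk.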
@@ -13,8 +13,6 @@ class Worker extends Base {
 * @return bool
 **/
 public function updateWorkers($account_id, $data) {
- $this->debug->append("STA " . __METHOD__, 4);
- if (!public function updateWorkers($account_id, $data) {
 $this->debug->append("STA " . __METHOD__, 4);
 if (!is_array($data)) {
 $this->setErrorMessage('No workers to update');