RanchiMall/php-mpos
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #1621 from xisi/sessions-mclimiter-fixes

Browse Source 
[UPDATE] Security updates and fixes
This commit is contained in:
Sebastian Grewe 2014-01-31 05:55:09 -08:00
commit 319d9439a4
131 changed files with 951 additions and 925 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -1,5 +1,6 @@
# Local Config
/public/include/config/global.inc.php
/public/include/config/security.inc.php
# Templates
/public/templates/compile/*.php

26
cronjobs/shared.inc.php
View File

@ -18,6 +18,21 @@ limitations under the License.
*/
define('SECURITY', '*)WT#&YHfd');
// Whether or not to check SECHASH for validity, still checks if SECURITY defined as before if disabled
define('SECHASH_CHECK', false);
// Nothing below here to configure, move along...
// change SECHASH every second, we allow up to 3 sec back for slow servers
if (SECHASH_CHECK) {
function fip($tr=0) { return md5(SECURITY.(time()-$tr).SECURITY); }
define('SECHASH', fip());
function cfip() { return (fip()==SECHASH||fip(1)==SECHASH||fip(2)==SECHASH) ? 1 : 0; }
} else {
function cfip() { return (@defined('SECURITY')) ? 1 : 0; }
}
// MODIFY THIS
// We need to find our include files so set this properly
define("BASEPATH", "../public/");
@ -32,14 +47,15 @@ $dStartTime = microtime(true);
// Our cron name
$cron_name = basename($_SERVER['PHP_SELF'], '.php');
// Our security check
define("SECURITY", 1);
// Include our configuration (holding defines for the requires)
require_once(BASEPATH . 'include/config/global.inc.dist.php');
require_once(BASEPATH . 'include/config/global.inc.php');
// We include all needed files here, even though our templates could load them themself
require_once(INCLUDE_DIR . '/autoloader.inc.php');
require_once(BASEPATH . 'include/config/security.inc.dist.php');
@include_once(BASEPATH . 'include/config/security.inc.php');
require_once(BASEPATH . 'include/bootstrap.php');
require_once(BASEPATH . 'include/version.inc.php');
// Command line switches
array_shift($argv);

130
public/include/admin_checks.php Normal file
View File

@ -0,0 +1,130 @@
<?php
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
if (@$_SESSION['USERDATA']['is_admin'] && $user->isAdmin(@$_SESSION['USERDATA']['id'])) {
if (!include_once(INCLUDE_DIR . '/lib/jsonRPCClient.php')) die('Unable to load libs');
$notice = array();
$enotice = array();
$error = array();
// setup some basic stuff for checking - getuid/getpwuid not available on mac/windows
$apache_user = 'unknown';
if (substr_count(strtolower(PHP_OS), 'nix') > 0) {
$apache_user = (function_exists('posix_getuid')) ? posix_getuid() : 'unknown';
$apache_user = (function_exists('posix_getpwuid')) ? posix_getpwuid($apache_user) : $apache_user;
}
// setup checks
// check if memcache isn't available but enabled in config -> error
if (!class_exists('Memcached') && $config['memcache']['enabled']) {
$error[] = "You have memcache enabled in your config and it's not available. Install the package on your system.";
}
// if it's not enabled, test it if it exists, if it works -> error tell them to enable, -> otherwise notice it's disabled
if (!$config['memcache']['enabled']) {
if (PHP_OS == 'WINNT') {
require_once(CLASS_DIR . 'memcached.class.php');
}
if (class_exists('Memcached')) {
$memcache_test = @new Memcached();
$memcache_test_add = @$memcache_test->addServer($config['memcache']['host'], $config['memcache']['port']);
$randmctv = rand(5,10);
$memcache_test_set = @$memcache_test->set('test_mpos_setval', $randmctv);
$memcache_test_get = @$memcache_test->get('test_mpos_setval');
}
if (class_exists('Memcached') && $memcache_test_get == $randmctv) {
$error[] = "You have memcache disabled in the config and it's available & works! Enable it.";
} else {
$notice[] = "Memcache is disabled; Almost every linux distro has packages for it, you should be using it if you can.";
}
}
// check if htaccess exists
if (!file_exists(BASEPATH.".htaccess")) {
$htaccess_link = "<a href='https://github.com/MPOS/php-mpos/blob/next/public/.htaccess'>.htaccess</a>";
$notice[] = "You don't seem to have a .htaccess in your public folder, if you're using apache set it up $htaccess_link";
}
// check if we can write templates/cache and templates/compile -> error
if (!is_writable(THEME_DIR.'/cache')) {
$error[] = "templates/cache folder is not writable for uid {$apache_user['name']}";
}
if (!is_writable(THEME_DIR.'/compile')) {
$error[] = "templates/compile folder is not writable for uid {$apache_user['name']}";
}
// check if we can write the config files, we should NOT be able to -> error
if (is_writable(INCLUDE_DIR.'/config/global.inc.php') || is_writable(INCLUDE_DIR.'/config/global.inc.dist.php') ||
is_writable(INCLUDE_DIR.'/config/security.inc.php') || is_writable(INCLUDE_DIR.'/config/security.inc.dist.php')) {
$error[] = "Your config files <b>SHOULD NOT be writable to this user</b>!";
}
// check if daemon can connect -> error
try {
if ($bitcoin->can_connect() !== true) {
$error[] = "Unable to connect to coin daemon using provided credentials";
}
} catch (Exception $e) {
}
// if coldwallet is not empty, check if the address is valid -> error
if (!empty($config['coldwallet']['address'])) {
try {
if ($bitcoin->can_connect() == true) {
$validate_cold_address = $bitcoin->validateaddress($config['coldwallet']['address']);
if (!$validate_cold_address['isvalid']) {
$error[] = "Your cold wallet address is <u>SET and INVALID</u>";
}
}
} catch (Exception $e) {
}
}
// if database connection fails -> error
$db_connect = new mysqli($config['db']['host'], $config['db']['user'], $config['db']['pass'], $config['db']['name'], $config['db']['port']);
if (mysqli_connect_errno() || !array_key_exists('client_info', $db_connect)) {
$error[] = "Unable to connect to mysql using provided credentials";
}
if ($config['mc_antidos'] && !$config['memcache']['enabled']) {
$error[] = "mc_antidos is enabled and memcache is not, <u>memcache is required</u> to use this";
}
// poke stratum using gettingstarted details -> enotice
if (substr_count(strtolower(PHP_OS), 'nix') > 0) {
// unix *poke*
$socket = @socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if ($socket !== false) {
$address = @gethostbyname($config['gettingstarted']['stratumurl']);
$result = @socket_connect($socket, $address, $config['gettingstarted']['stratumport']);
if ($result !== 1) {
$enotice[] = "We tried to poke your Stratum server using config->gettingstarted details but it didn't respond";
}
$close = @socket_close($socket);
}
} else {
// mac/windows *poke*
if (! $fp = @fsockopen($config['gettingstarted']['stratumurl'],$config['gettingstarted']['stratumport'],$errCode,$errStr,1)) {
$enotice[] = "We tried to poke your Stratum server using config->gettingstarted details but it didn't respond";
}
@fclose($fp);
}
// security checks
// salts too short -> notice, salts default -> error
if ((strlen($config['SALT']) < 24) || (strlen($config['SALTY']) < 24) || $config['SALT'] == 'PLEASEMAKEMESOMETHINGRANDOM' || $config['SALTY'] == 'THISSHOULDALSOBERRAANNDDOOM') {
if ($config['SALT'] == 'PLEASEMAKEMESOMETHINGRANDOM' || $config['SALTY'] == 'THISSHOULDALSOBERRAANNDDOOM') {
$error[] = "You absolutely <u>SHOULD NOT leave your SALT or SALTY default</u> changing them will require registering again";
} else {
$notice[] = "SALT or SALTY is too short, they should be more than 24 characters and changing them will require registering again";
}
}
// display the errors
foreach ($enotice as $en) {
$_SESSION['POPUP'][] = array('CONTENT' => $en, 'TYPE' => 'info');
}
if (!count($notice) && !count($error)) {
$_SESSION['POPUP'][] = array('CONTENT' => 'The config options we checked seem OK', 'TYPE' => 'success');
} else {
foreach ($notice as $n) {
$_SESSION['POPUP'][] = array('CONTENT' => $n, 'TYPE' => 'warning');
}
foreach ($error as $e) {
$_SESSION['POPUP'][] = array('CONTENT' => $e, 'TYPE' => 'errormsg');
}
}
}
?>

12
public/include/autoloader.inc.php
View File

@ -1,7 +1,6 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
(SECURITY == "*)WT#&YHfd" && SECHASH_CHECK) ? die("public/index.php -> Set a new SECURITY value to continue") : 0;
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
// SHA/Scrypt check
if (empty($config['algorithm']) || $config['algorithm'] == 'scrypt') {
@ -9,9 +8,13 @@ if (empty($config['algorithm']) || $config['algorithm'] == 'scrypt') {
} else {
$config['target_bits'] = 32;
}
// Default classes
require_once(CLASS_DIR . '/debug.class.php');
require_once(INCLUDE_DIR . '/lib/KLogger.php');
if ($config['mysql_filter']) {
require_once(CLASS_DIR . '/strict.class.php');
}
require_once(INCLUDE_DIR . '/database.inc.php');
require_once(INCLUDE_DIR . '/config/memcache_keys.inc.php');
require_once(INCLUDE_DIR . '/config/error_codes.inc.php');
@ -65,7 +68,4 @@ require_once(CLASS_DIR . '/api.class.php');
require_once(INCLUDE_DIR . '/lib/Michelf/Markdown.php');
require_once(INCLUDE_DIR . '/lib/scrypt.php');
// Include our versions
require_once(INCLUDE_DIR . '/version.inc.php');
?>

28
public/include/bootstrap.php Normal file
View File

@ -0,0 +1,28 @@
<?php
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
// Used for performance calculations
$dStartTime = microtime(true);
define('INCLUDE_DIR', BASEPATH . 'include');
define('CLASS_DIR', INCLUDE_DIR . '/classes');
define('PAGES_DIR', INCLUDE_DIR . '/pages');
define('THEME_DIR', BASEPATH . 'templates');
$quickstartlink = "<a href='https://github.com/MPOS/php-mpos/wiki/Quick-Start-Guide' title='MPOS Quick Start Guide'>Quick Start Guide</a>";
// Include our configuration (holding defines for the requires)
if (!include_once(BASEPATH . 'include/config/global.inc.dist.php')) die('Unable to load base global config - '.$quickstartlink);
if (!@include_once(BASEPATH . 'include/config/global.inc.php')) die('Unable to load your global config - '.$quickstartlink);
// load our security configs
if (!include_once(BASEPATH . 'include/config/security.inc.dist.php')) die('Unable to load base security config - '.$quickstartlink);
if (@file_exists(BASEPATH . 'include/config/security.inc.php')) include_once(BASEPATH . 'include/config/security.inc.php');
// Our default template to load, pages can overwrite this later
$master_template = 'master.tpl';
// Load Classes, they name defines the $ variable used
// We include all needed files here, even though our templates could load them themself
require_once(INCLUDE_DIR . '/autoloader.inc.php');
?>

4
public/include/classes/api.class.php
View File

@ -1,7 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
/**
* Helper class for our API

8
public/include/classes/base.class.php
View File

@ -1,8 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY'))
die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
/**
* Our base class that we extend our other classes from
@ -40,6 +37,9 @@ class Base {
public function setUser($user) {
$this->user = $user;
}
public function setSessionManager($session) {
$this->session = $session;
}
public function setConfig($config) {
$this->config = $config;
}

4
public/include/classes/bitcoin.class.php
View File

@ -1,7 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY'))
die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
/**
* Bitcoin classes

7
public/include/classes/bitcoinwrapper.class.php
View File

@ -1,8 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY'))
die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
/**
* We use a wrapper class around BitcoinClient to add
@ -76,4 +73,4 @@ class BitcoinWrapper extends BitcoinClient {
}
// Load this wrapper
$bitcoin = new BitcoinWrapper($config['wallet']['type'], $config['wallet']['username'], $config['wallet']['password'], $config['wallet']['host'], DEBUG, $debug, $memcache);
$bitcoin = new BitcoinWrapper($config['wallet']['type'], $config['wallet']['username'], $config['wallet']['password'], $config['wallet']['host'], $config['DEBUG'], $debug, $memcache);

4
public/include/classes/block.class.php
View File

@ -1,7 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
class Block extends Base {
protected $table = 'blocks';

8
public/include/classes/csrftoken.class.php
View File

@ -1,7 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
class CSRFToken Extends Base {
public $valid = 0;
@ -99,8 +97,8 @@ class CSRFToken Extends Base {
$csrftoken = new CSRFToken();
$csrftoken->setDebug($debug);
$csrftoken->setMysql($mysqli);
$csrftoken->setSalt(SALT);
$csrftoken->setSalty(SALTY);
$csrftoken->setSalt($config['SALT']);
$csrftoken->setSalty($config['SALTY']);
$csrftoken->setMail($mail);
$csrftoken->setUser($user);
$csrftoken->setToken($oToken);

7
public/include/classes/debug.class.php
View File

@ -1,8 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY'))
die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
/**
* This file defines the debug class used in this site to enable
@ -111,5 +108,5 @@ class Debug {
}
// Instantiate this class
$debug = new Debug(DEBUG);
$debug = new Debug($config['DEBUG']);
?>

4
public/include/classes/invitation.class.php
View File

@ -1,7 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
class Invitation extends Base {
var $table = 'invitations';

5
public/include/classes/mail.class.php
View File

@ -1,8 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY'))
die('Hacking attempt');
(!cfip()) ? header('HTTP/1.1 401 Unauthorized') : 0;
class Mail extends Base {
/**

85
public/include/classes/memcache_ad.class.php Normal file
View File

@ -0,0 +1,85 @@
<?php
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
class MemcacheAntiDos
{
public $cache;
public $rate_limit_this_request = false;
public $rate_limit_api_request = false;
public $rate_limit_site_request = false;
public function __construct($config, &$memcache, $request='') {
$this->cache = $memcache;
// set our config options
$userORip = $_SERVER['REMOTE_ADDR'].$_SERVER['HTTP_USER_AGENT'];
// prep stuff we need to check this request
$key_md5 = $config['memcache']['keyprefix'].md5($userORip);
$request_data = $this->cache->get($key_md5);
$now = time();
$max_req_flush = max(array($config['mc_antidos']['flush_seconds_api'],$config['mc_antidos']['flush_seconds_site']));
// check the request
if (is_array($request_data)) {
// this request key already exists, update it
$request_data['la'] = $now;
if ($request == 'api') {
$request_data['ha'] += 1;
if ($config['mc_antidos']['ajax_hits_additive']) {
$request_data['hn'] += 1;
}
} else {
$request_data['hn'] += 1;
}
// not rate limited yet, update the rest of the object
if (($request_data['hn'] < $config['mc_antidos']['rate_limit_site']) && ($request_data['ha'] < $config['mc_antidos']['rate_limit_api'])) {
if (((($request_data['hnl'] + $config['mc_antidos']['flush_seconds_site']) <= $now) || ($request_data['hal'] + $config['mc_antidos']['flush_seconds_api']) <= $now) || (($request_data['la'] + $max_req_flush) <= $now)) {
// needs to be flushed & updated
$new = $this->getRequestBase();
$new['key'] = $key_md5;
$new['la'] = $now;
$new['hal'] = ((($request_data['hal'] + $config['mc_antidos']['flush_seconds_api']) <= $now)) ? $now : 1;
$new['hnl'] = ((($request_data['hnl'] + $config['mc_antidos']['flush_seconds_site']) <= $now)) ? $now : 1;
$this->cache->set($key_md5, $new, $config['memcache']['expiration']);
$this->rate_limit_api_request = ($request_data['ha'] >= $config['mc_antidos']['rate_limit_api']) ? true : false;
$this->rate_limit_site_request = ($request_data['hn'] >= $config['mc_antidos']['rate_limit_site']) ? true : false;
} else {
// no flush, just update
$new = $this->getRequestBase();
$new['key'] = $request_data['key'];
$new['la'] = time();
$new['ha'] = $request_data['ha'];
$new['hal'] = $request_data['hal'];
$new['hn'] = $request_data['hn'];
$new['hnl'] = $request_data['hnl'];
$this->cache->set($key_md5, $new, $config['memcache']['expiration']);
$this->rate_limit_api_request = ($request_data['ha'] >= $config['mc_antidos']['rate_limit_api']) ? true : false;
$this->rate_limit_site_request = ($request_data['hn'] >= $config['mc_antidos']['rate_limit_site']) ? true : false;
}
} else {
// too many hits, we should rate limit this
$this->rate_limit_api_request = ($request_data['ha'] >= $config['mc_antidos']['rate_limit_api']) ? true : false;
$this->rate_limit_site_request = ($request_data['hn'] >= $config['mc_antidos']['rate_limit_site']) ? true : false;
}
} else {
// doesn't exist for this request_key, create one
$new = $this->getRequestBase();
$new['key'] = $config['memcache']['keyprefix'].md5($userORip);
$new['la'] = time();
if ($request == 'api') {
$new['ha'] += 1;
if ($config['mc_antidos']['ajax_hits_additive']) {
$new['hn'] += 1;
}
} else {
$new['hn'] += 1;
}
$this->cache->set($key_md5, $new, $config['memcache']['expiration']);
$this->rate_limit_api_request = false;
$this->rate_limit_site_request = false;
}
}
public function getRequestBase() {
$new = array('key' => '','la' => 0,'hn' => 0,'hnl' => 0,'ha' => 0,'hal' => 0);
return $new;
}
}
?>

4
public/include/classes/memcached.class.php
View File

@ -1,7 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
/**
* A wrapper class which provides compatibility between Memcached and Memcache

4
public/include/classes/monitoring.class.php
View File

@ -1,7 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
class Monitoring extends Base {
protected $table = 'monitoring';

5
public/include/classes/news.class.php
View File

@ -1,8 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY'))
die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
class News extends Base {
protected $table = 'news';

5
public/include/classes/notification.class.php
View File

@ -1,8 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY'))
die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
class Notification extends Mail {
var $table = 'notifications';

4
public/include/classes/payout.class.php
View File

@ -1,7 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
class Payout Extends Base {
protected $table = 'payouts';

5
public/include/classes/roundstats.class.php
View File

@ -1,8 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY'))
die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
class RoundStats extends Base {
private $tableTrans = 'transactions';

4
public/include/classes/setting.class.php
View File

@ -1,7 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
class Setting extends Base {
protected $table = 'settings';

5
public/include/classes/share.class.php
View File

@ -1,8 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY'))
die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
class Share Extends Base {
protected $table = 'shares';

5
public/include/classes/statistics.class.php
View File

@ -1,8 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY'))
die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
/*

5
public/include/classes/statscache.class.php
View File

@ -1,8 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY'))
die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
/**
* A wrapper class used to store values transparently in memcache

39
public/include/classes/strict.class.php Normal file
View File

@ -0,0 +1,39 @@
<?php
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
class mysqli_strict extends mysqli {
public function bind_param($paramTypes) {
if (!is_string($paramTypes)) {
return false;
} else {
$args = func_get_args();
$acopy = $args;
$nargs = count($args);
for($i=1;$i<$nargs;$i++) {
$ipos = ($i-1);
$pos = substr($paramTypes, $ipos, 1);
switch ($pos) {
case 's':
$return_str = filter_var($acopy[$i], FILTER_VALIDATE_STRING, FILTER_NULL_ON_FAILURE);
$acopy[$i] = ($return_str !== null) ? (string)$return_str : null;
break;
case 'i':
$return_int = filter_var($acopy[$i], FILTER_VALIDATE_INT, FILTER_NULL_ON_FAILURE);
$acopy[$i] = ($return_int !== null) ? (int)$return_int : null;
break;
case 'd':
$return_dbl = filter_var($acopy[$i], FILTER_VALIDATE_FLOAT, FILTER_NULL_ON_FAILURE);
$acopy[$i] = ($return_dbl !== null) ? (float)$return_dbl : null;
break;
case 'b':
$return_bool = filter_var($acopy[$i], FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
$acopy[$i] = ($return_bool !== null) ? (bool)$return_bool : null;
break;
}
}
return (in_array(null, $acopy));
}
}
}
?>

5
public/include/classes/template.class.php
View File

@ -1,8 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY'))
die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
class Template extends Base {
protected $table = 'templates';

4
public/include/classes/token.class.php
View File

@ -1,7 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
class Token Extends Base {
protected $table = 'tokens';

17
public/include/classes/tokentype.class.php
View File

@ -1,8 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY'))
die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
class Token_Type Extends Base {
protected $table = 'token_types';
@ -36,6 +33,18 @@ class Token_Type Extends Base {
return $result->fetch_all(MYSQLI_ASSOC);
return $this->sqlError();
}
/**
* Fetch all tokens - used for unit tests
* @param none
* @return array All tokentypes
**/
public function getAll() {
$stmt = $this->mysqli->prepare("SELECT * FROM $this->table");
if ($this->checkStmt($stmt) && $stmt->execute() && $result = $stmt->get_result())
return $result->fetch_all(MYSQLI_ASSOC);
return $this->sqlError();
}
}
$tokentype = new Token_Type();

5
public/include/classes/tools.class.php
View File

@ -1,8 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY'))
die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
/**
* Helper class for our cronjobs

5
public/include/classes/transaction.class.php
View File

@ -1,8 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY'))
die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
class Transaction extends Base {
protected $table = 'transactions';

42
public/include/classes/user.class.php
View File

@ -1,8 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY'))
die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
class User extends Base {
protected $table = 'accounts';
@ -46,6 +43,9 @@ class User extends Base {
public function getUserIp($id) {
return $this->getSingle($id, 'loggedIp', 'id');
}
public function getLastLogin($id) {
return $this->getSingle($id, 'last_login', 'id');
}
public function getEmail($email) {
return $this->getSingle($email, 'email', 'email', 's');
}
@ -141,9 +141,13 @@ class User extends Base {
return false;
}
if ($this->checkUserPassword($username, $password)) {
$this->updateLoginTimestamp($this->getUserId($username));
$this->createSession($username);
if ($this->setUserIp($this->getUserId($username), $_SERVER['REMOTE_ADDR'])) {
$uid = $this->getUserId($username);
$lastLoginTime = $this->getLastLogin($uid);
$this->updateLoginTimestamp($uid);
$getIPAddress = $this->getUserIp($uid);
$setIPAddress = $this->setUserIp($uid, $_SERVER['REMOTE_ADDR']);
$this->createSession($username, $getIPAddress, $lastLoginTime);
if ($setIPAddress) {
// send a notification if success_login is active
$uid = $this->getUserId($username);
$notifs = new Notification();
@ -493,9 +497,12 @@ class User extends Base {
* @param username string Username to create session for
* @return none
**/
private function createSession($username) {
private function createSession($username, $lastIP='', $lastLoginTime='') {
$this->debug->append("STA " . __METHOD__, 4);
$this->debug->append("Log in user to _SESSION", 2);
if (!empty($lastIP) && (!empty($lastLoginTime))) {
$_SESSION['last_ip_pop'] = array($lastIP, $lastLoginTime);
}
session_regenerate_id(true);
$_SESSION['AUTHENTICATED'] = '1';
// $this->user from checkUserPassword
@ -517,7 +524,7 @@ class User extends Base {
* @param none
* @return true
**/
public function logoutUser($from="") {
public function logoutUser() {
$this->debug->append("STA " . __METHOD__, 4);
// Unset all of the session variables
$_SESSION = array();
@ -530,10 +537,11 @@ class User extends Base {
session_destroy();
// Enforce generation of a new Session ID and delete the old
session_regenerate_id(true);
// Enforce a page reload and point towards login with referrer included, if supplied
$port = ($_SERVER["SERVER_PORT"] == "80" or $_SERVER["SERVER_PORT"] == "443") ? "" : (":".$_SERVER["SERVER_PORT"]);
$location = @$_SERVER['HTTPS'] ? 'https://' . $_SERVER['SERVER_NAME'] . $port . $_SERVER['SCRIPT_NAME'] : 'http://' . $_SERVER['SERVER_NAME'] . $port . $_SERVER['SCRIPT_NAME'];
if (!empty($from)) $location .= '?page=login&to=' . urlencode($from);
$port = ($_SERVER["SERVER_PORT"] == "80" || $_SERVER["SERVER_PORT"] == "443") ? "" : (":".$_SERVER["SERVER_PORT"]);
$pushto = $_SERVER['SCRIPT_NAME'].'?page=login';
$location = (@$_SERVER['HTTPS'] == 'on') ? 'https://' . $_SERVER['SERVER_NAME'] . $port . $pushto : 'http://' . $_SERVER['SERVER_NAME'] . $port . $pushto;
// if (!headers_sent()) header('Location: ' . $location);
exit('<meta http-equiv="refresh" content="0; url=' . $location . '"/>');
}
@ -797,12 +805,12 @@ class User extends Base {
* @param none
* @return bool
**/
public function isAuthenticated($logout=true) {
public function isAuthenticated($logout=true) {
$this->debug->append("STA " . __METHOD__, 4);
if (@$_SESSION['AUTHENTICATED'] == true &&
!$this->isLocked($_SESSION['USERDATA']['id']) &&
$this->getUserIp($_SESSION['USERDATA']['id']) == $_SERVER['REMOTE_ADDR']
) return true;
!$this->isLocked($_SESSION['USERDATA']['id']) &&
$this->getUserIp($_SESSION['USERDATA']['id']) == $_SERVER['REMOTE_ADDR']
) return true;
// Catchall
if ($logout == true) $this->logoutUser($_SERVER['REQUEST_URI']);
return false;
@ -846,7 +854,7 @@ class User extends Base {
$user = new User();
$user->setDebug($debug);
$user->setMysql($mysqli);
$user->setSalt(SALT);
$user->setSalt($config['SALT']);
$user->setSmarty($smarty);
$user->setConfig($config);
$user->setMail($mail);

4
public/include/classes/worker.class.php
View File

@ -1,7 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
class Worker extends Base {
protected $table = 'pool_worker';

4
public/include/config/admin_settings.inc.php
View File

@ -1,7 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
$aThemes = $template->getThemes();

4
public/include/config/error_codes.inc.php
View File

@ -1,7 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
$aErrorCodes['OK'] = 'OK';
$aErrorCodes['E0001'] = 'Out of Order Share Detected';

607
public/include/config/global.inc.dist.php
View File

@ -1,58 +1,38 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
/**
* Do not edit this unless you have confirmed that your config has been updated!
* This is used in the version check to ensure you run the latest version of the configuration file.
* Once you upgraded your config, change the version here too.
* https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-config-version
**/
$config['version'] = '0.0.6';
// Our include directory for additional features
define('INCLUDE_DIR', BASEPATH . 'include');
// Our class directory
define('CLASS_DIR', INCLUDE_DIR . '/classes');
// Our pages directory which takes care of
define('PAGES_DIR', INCLUDE_DIR . '/pages');
// Our theme folder holding all themes
define('THEME_DIR', BASEPATH . 'templates');
// Set debugging level for our debug class
// Values valid from 0 (disabled) to 5 (most verbose)
define('DEBUG', 0);
// SALT used to hash passwords
define('SALT', 'PLEASEMAKEMESOMETHINGRANDOM');
define('SALTY', 'THISSHOULDALSOBERRAANNDDOOM');
$config['version'] = '0.0.7';
/**
* Underlying coin algorithm that you are mining on. Set this to whatever your coin needs:
*
* Options:
* sha256d : SHA coins like Bitcoin
* scrypt : Scrypt based coins like Litecoin
* Default:
* scrypt : Scrypt is default
* Unless you disable this, we'll do a quick check on your config first.
* https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-config-check
*/
$config['skip_config_tests'] = false;
/**
* Defines
* Debug setting and salts for hashing passwords
* https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-defines--salts
*/
$config['DEBUG'] = 0;
$config['SALT'] = 'PLEASEMAKEMESOMETHINGRANDOM';
$config['SALTY'] = 'THISSHOULDALSOBERRAANNDDOOM';
/**
* Coin Algorithm
* Algorithm used by this coin, sha256d or scrypt
* https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-algorithm
**/
$config['algorithm'] = 'scrypt';
/**
* Database configuration
*
* A MySQL database backend is required for MPOS.
* Also ensure the database structure is imported!
* The SQL file should be included in this project under the `sql` directory
*
* Default:
* host = 'localhost'
* port = 3306
* user = 'someuser'
* pass = 'somepass'
* name = 'mpos'
* MySQL database configuration
* https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-database-configuration
**/
$config['db']['host'] = 'localhost';
$config['db']['user'] = 'someuser';
@ -61,17 +41,9 @@ $config['db']['port'] = 3306;
$config['db']['name'] = 'mpos';
/**
* Local wallet RPC configuration
*
* MPOS uses the RPC backend to fetch transactions, blocks
* and various other things. They need to match your coind RPC
* configuration.
*
* Default:
* type = 'http'
* host = 'localhost:19334'
* username = 'testnet'
* password = 'testnet'
* Local wallet RPC
* RPC configuration for your daemon/wallet
* https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-local-wallet-rpc
**/
$config['wallet']['type'] = 'http';
$config['wallet']['host'] = 'localhost:19334';
@ -79,93 +51,18 @@ $config['wallet']['username'] = 'testnet';
$config['wallet']['password'] = 'testnet';
/**
* Payout of liquid assets
*
* Explanation:
* Running pools, especially those with active fees, will build up a good
* amount of liquid assets that can be used by pool operators. If you wish
* to automatically send your assets to a offline wallet, set your account
* address, reserves and thresholds here.
*
* Options:
* address : The address of the wallet to the address you'd like to receive the coins in
* reserve : The amount you'd like to remain in the wallet. Recommended is at least 1 block value
* threshold : The amount of coins you'd like to send per batch minimum. Once exceeded, this is sent
* to the offline wallet address specified.
* Default:
* addresss : empty
* reserve : 50
* threshold : 25
* Cold Wallet / Liquid Assets
* Automatically send liquid assets to a cold wallet
* https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-liquid-assets--cold-wallet
**/
$config['coldwallet']['address'] = '';
$config['coldwallet']['reserve'] = 50;
$config['coldwallet']['threshold'] = 5;
/**
* E-mail confirmations for user actions
*
* Explanation:
* To increase security for users, account detail changes can require
* an e-mail confirmation prior to performing certain actions.
*
* Options:
* enabled : Whether or not to require e-mail confirmations
* details : Require confirmation to change account details
* withdraw : Require confirmation to manually withdraw/payout
* changepw : Require confirmation to change password
*
* Default:
* enabled = true
* details = true
* withdraw = true
* changepw = true
*/
$config['twofactor']['enabled'] = true;
$config['twofactor']['options']['details'] = true;
$config['twofactor']['options']['withdraw'] = true;
$config['twofactor']['options']['changepw'] = true;
/**
* CSRF protection
*
* Explanation:
* To help protect against CSRF, we can generate a hash that changes every minute
* and is unique for each user/IP and page or use, and check against that when a
* form is submitted.
*
* Options:
* enabled = Whether or not we will generate & check for valid CSRF tokens
* Default:
* enabled = true
*/
$config['csrf']['enabled'] = true;
/**
* Lock account after maximum failed logins
*
* Explanation:
* To avoid accounts being hacked by brute force attacks,
* set a maximum amount of failed login or pin entry attempts before locking
* the account. They will need to contact site support to re-enable the account.
*
* This also applies for invalid PIN entries, which is covered by the pin option.
*
* Workers are not affected by this lockout, mining will continue as usual.
*
* Default:
* login = 3
* pin = 3
**/
$config['maxfailed']['login'] = 3;
$config['maxfailed']['pin'] = 3;
/**
* Getting Started Config
*
* This is displayed on GettingStarted Page
* to make it more dynamic
*
*
* Shown to users in the 'Getting Started' section
* https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-getting-started
**/
$config['gettingstarted']['coinname'] = 'Litecoin';
$config['gettingstarted']['coinurl'] = 'http://www.litecoin.org';
@ -173,401 +70,163 @@ $config['gettingstarted']['stratumurl'] = '';
$config['gettingstarted']['stratumport'] = '3333';
/**
* API configuration to fetch prices for set currency
*
* Explanation:
* MPOS will try to fetch the current exchange rates
* from this API URL/target. Currently btc-e and coinchoose
* are supported in MPOS. If you want to remove the trade
* header just set currency to an empty string.
*
* Default (btc-e.com):
* url = `https://btc-e.com`
* target = `/api/2/ltc_usd/ticker`
* currency = `USD`
*
* Optional (coinchoose.com):
* url = `http://www.coinchoose.com`
* target = `/api.php`
* currency = `BTC`
*
* Optional (cryptsy.com):
* url = `http://pubapi.cryptsy.com`
* currency = `BTC`
* target = `/api.php?method=marketdata`
* Ticker API
* Fetch exchange rates via an API
* https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-ticker-api
**/
$config['price']['url'] = 'https://btc-e.com';
$config['price']['target'] = '/api/2/ltc_usd/ticker';
$config['price']['currency'] = 'USD';
/**
* Automatic payout thresholds
*
* These values define the min and max settings
* that can be entered by a user.
* Defaults:
* `min` = `1`
* `max` = `250`
* Automatic Payout Thresholds
* Minimum and Maximum auto payout amount
* https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-automatic-payout-thresholds
**/
$config['ap_threshold']['min'] = 1;
$config['ap_threshold']['max'] = 250;
/**
* Donation thresholds
*
* You can define a min and max values for you users
* donation settings here.
*
* Defaults:
* `min` = `1`
* Minimum donation amount in percent
* https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-donation-thresholds
**/
$config['donate_threshold']['min'] = 1;
/**
* Account specific settings
*
* Explanation
* Invitations will allow your users to invite new members to join the pool.
* After sending a mail to the invited user, they can register using the token
* created. Invitations can be enabled and disabled through the admin panel.
* Sent invitations are listed on the account invitations page.
*
* You can limit the number of registrations send per account via configuration
* variable.
*
* Options:
* count : Maximum invitations a user is able to send
*
* Defaults:
* count : 5
* Account Specific Settings
* Settings for each user account
* https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-account-specific-settings
**/
$config['accounts']['invitations']['count'] = 5;
// Currency system used in this pool, default: `LTC`
/**
* Currency
* Shorthand name for the currency
* https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-currency
*/
$config['currency'] = 'LTC';
/**
* Coin Target in seconds
*
* Explanation
* Target time for coins to be generated
*
* Fastcoin: 12 seconds
* Litecoin: 2,5 minutes = 150 seconds
* Feathercoin: 2,5 minutes = 150 seconds
* Bitcoin: 10 minutes = 600 seconds
*
* Coin Target
* Target time for coins to be generated
* https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-coin-target
**/
$config['cointarget'] = '150';
/**
* Diff change every X Blocks
*
* Explanation
* Amount of Blocks until Difficulty change
*
* Fastcoin: 300 Blocks
* Litecoin: 2016 Blocks
* Bitcoin: 2016 Blocks
*
* Coin Diff Change
* Amount of blocks between difficulty changes
* https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-coin-diff-change
**/
$config['coindiffchangetarget'] = 2016;
/**
* Default transaction fee to apply to user transactions
*
* Explanation
* The coin daemon applies transaction fees to young coins.
* Since we are unable to find out what the exact fee was we set
* a default value here which is applied to both manual and auto payouts.
* If this is not set, no fee is applied in the transactions history but
* the user might still see them when the coins arrive.
* You can set two different transaction fees for manual and auto payouts.
*
* Default:
* txfee_auto = 0.1
* txfee_manual = 0.1
*
* TX Fees
* Fees applied to transactions
* https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-tx-fees
**/
$config['txfee_auto'] = 0.1;
$config['txfee_manual'] = 0.1;
// Payout a block bonus to block finders, default: 0 (disabled)
// This bonus is paid by the pool operator, it is not deducted from the block payout!
/**
* Block Bonus
* Bonus in coins of block bonus
* https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-block-bonus
*/
$config['block_bonus'] = 0;
/**
* Payout system in use
*
* This will modify some templates and activate the
* appropriate crons. Only ONE payout system at a time
* is supported!
*
* Available options:
* prop: Proportional payout system
* pps : Pay Per Share payout system
* pplns : Pay Per Last N Shares payout system
*
* Default:
* prop
**/
* Payout System
* Payout system chosen
* https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-payout-system
**/
$config['payout_system'] = 'prop';
/**
* Round purging
*
* Explanation:
* As soon as a round is finished, shares of that rate are archived (see below)
* and deleted from the `shares` table. Due to a large amount of shares in a
* single round, this can take a very long time. To reduce server load and allow
* other systems to access the DB during this high-load time, the DELETE
* calls are being limited to a number of rows. Then the process sleeps and
* continues to delete shares until all shares have been purged.
*
* You can adjust some purging settings here in order to improve your overall
* site performance during round ends. Keep in mind that decreasing shares/time
* will make the cron run longer but at least keeps your site active. Vice versa
* higher numbers allow for a faster deletion but might affect the live site.
*
* This system is also used when purging archived shares.
*
* Available Options:
* sleep : Time to sleep between delete calls
* shares : How many shares to delete at one time
*
* Default:
* sleep : 5 seconds
* shares : 500000
* Round Purging
* Round share purging configuration
* https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-round-purging
**/
$config['purge']['sleep'] = 1;
$config['purge']['shares'] = 25000;
/**
* Archiving configuration for debugging
*
* Explanation:
* By default, we don't need to archive for a long time. PPLNS and Hashrate
* calculations rely on this archive, but all shares past a certain point can
* safely be deleted.
*
* To ensure we have enough shares on stack for PPLNS, this
* is set to the past 10 rounds. Even with lucky ones in between those should
* fit the PPLNS target. On top of that, even if we have more than 10 rounds,
* we still keep the last maxage shares to ensure we can calculate hashrates.
* Both conditions need to be met in order for shares to be purged from archive.
*
* Proportional mode will only keep the past 24 hours. These are required for
* hashrate calculations to work past a round, hence 24 hours was selected as
* the default. You may want to increase the time for debugging, then add any
* integer reflecting minutes of shares to keep.
*
* Availabe Options:
* maxrounds : PPLNS, keep shares for maxrounds
* maxage : PROP and PPLNS, delete shares older than maxage minutes
*
* Default:
* maxrounds = 10
* maxage = 60 * 24 (24h)
* Share Archiving
* Share archiving configuration details
* https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-archiving
**/
$config['archive']['maxrounds'] = 10;
$config['archive']['maxage'] = 60 * 24;
// Pool fees applied to users in percent, default: 0 (disabled)
/**
* Pool Fees
* Fees applied to users
* https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-pool-fees
*/
$config['fees'] = 0;
/**
* PPLNS requires some settings to run properly. First we need to define
* a default shares count that is applied if we don't have a proper type set.
* Different dynamic types can be applied, or you can run a fixed scheme.
*
* Explanation
*
* PPLNS can run on two different payouts: fixed and blockavg. Each one
* defines a different PPLNS target.
*
* Fixed means we will be looking at the shares setup in the default
* setting. There is no automatic adjustments to the PPLNS target,
* all users will be paid out proportionally to that target.
*
* Blockavg will look at the last blockcount blocks shares and take
* the average as the PPLNS target. This will be automatically adjusted
* when difficulty changes and more blocks are available. This keeps the
* target dynamic but still traceable.
*
* If you use the fixed type it will use $config['pplns']['shares']['default']
* for target calculations, if you use blockavg type it will use
* $config['pplns']['blockavg']['blockcount'] blocks average for target
* calculations.
*
* default : Default target shares for PPLNS
* type : Payout type used in PPLNS
* blockcount : Amount of blocks to check for avg shares
*
* Available Options:
* default : amount of shares, integeger
* type : blockavg or fixed
* blockcount : amount of blocks, any integer
*
* Defaults:
* default = 4000000
* type = `blockavg`
* blockcount = 10
**/
/**
* $config['pplns']['shares']['type'] = 'dynamic';
* Dynamic target adjustment allows the blockavg target to adjust faster to share counts
* while still tracking round share averages by using a percentage of the current round shares
* to alter the pplns blockavg target this is useful with the nature of many alt coins low and fast
* adjusting difficulties and quick round times
* reverse_payout is useful to even out payouts for fast round times when even steady miners
* are missing share submissions for the current round
**/
* PPLNS
* Pay Per Last N Shares
* https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-pplns-settings
*/
$config['pplns']['shares']['default'] = 4000000;
$config['pplns']['shares']['type'] = 'blockavg';
$config['pplns']['blockavg']['blockcount'] = 10;
$config['pplns']['reverse_payout'] = false; // add user shares from archive even if user not in current round
$config['pplns']['dynamic']['percent'] = 30; // percentage of round shares factored into block average when using dynamic type
// Pool target difficulty as set in pushpoold configuration file
// Please also read this for stratum: https://github.com/TheSerapher/php-mpos/wiki/FAQ
$config['difficulty'] = 20;
$config['pplns']['reverse_payout'] = false;
$config['pplns']['dynamic']['percent'] = 30;
/**
* This defines how rewards are paid to users.
*
* Explanation:
*
* Proportional + PPLNS Payout System
* When running a pool on fixed mode, each block will be paid
* out as defined in `reward`. If you wish to pass transaction
* fees inside discovered blocks on to user, set this to `block`.
* This is really helpful for altcoins with dynamic block values!
*
* PPS Payout System
* If set to `fixed`, all PPS values are based on the `reward` setting.
* If you set it to `block` you will calculate the current round based
* on the previous block value. The idea is to pass the block of the
* last round on to the users. If no previous block is found, PPS value
* will fall back to the fixed value set in `reward`. Ensure you don't
* overpay users in the first round!
*
* Available options:
* reward_type:
* fixed : Fixed value according to `reward` setting
* block : Dynamic value based on block amount
* reward:
* float value : Any value of your choice but should reflect base block values
*
* Default:
* reward_type = `fixed`
* reward = 50
*
* Difficulty
* Difficulty setting for stratum/pushpool
* https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-pool-target-difficulty
*/
$config['difficulty'] = 20;
/**
* Block Reward
* Block reward configuration details
* https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-reward-settings
**/
$config['reward_type'] = 'block';
$config['reward'] = 50;
// Confirmations per block required to credit transactions, default: 120
// Do NOT touch this unless you know what you are doing! Please check your coin for the
// appropriate value here, but most should work with this.
/**
* Confirmations
* Credit and Network confirmation settings
* https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-confirmations
*/
$config['confirmations'] = 120;
// Confirmations per block required in network to confirm its transactions, default: 120
// Do NOT touch this unless you know what you are doing! Please check your coin for the
// appropriate value here, but most should work with this.
$config['network_confirmations'] = 120;
/**
* Available pps options:
* reward_type:
* fixed : Fixed value according to `reward` setting
* blockavg : Dynamic value based on average of x number of block rewards
* block : Dynamic value based on LAST block amount
* reward:
* float value : Any value of your choice but should reflect base block values
* blockcount : amount of blocks to average, any integer
* Default:
* pps_reward_type = `fixed` default $config['pps']['reward']['default']
* reward = 50
*
/**
* PPS
* Pay Per Share configuration details
* https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-pps-settings
**/
$config['pps']['reward']['default'] = 50;
$config['pps']['reward']['type'] = 'blockavg';
$config['pps']['blockavg']['blockcount'] = 10;
/**
* Memcache configuration
*
* To disable memcache set option $config['memcache']['enabled'] = false
* After disable memcache installation of memcache is not required.
*
* Please note that a memcache is greatly increasing performance
* when combined with the `statistics.php` cronjob. Disabling this
* is not recommended in a live environment!
*
* Explanations
* enabled : Disable (false) memcache for debugging or enable (true) it
* host : Host IP or hostname
* port : memcache port
* keyprefix : Must be changed for multiple MPOS instances on one host
* expiration : Default expiration time in seconds of all cached keys.
* Increase if caches expire too fast.
* splay : Default randomizer for expiration times.
* This will spread expired keys across `splay` seconds.
*
* Default:
* enabled = `true`
* host = `localhost`
* port = 11211
* keyprefix = `mpos_`
* expiration = 90
* splay = 15
* Memcache
* Memcache configuration details
* https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-memcache
**/
$config['memcache']['enabled'] = true;
$config['memcache']['host'] = 'localhost';
$config['memcache']['port'] = 11211;
$config['memcache']['keyprefix'] = 'mpos_';
$config['memcache']['keyprefix'] = 'mpos_'.$config['currency'].'_';
$config['memcache']['expiration'] = 90;
$config['memcache']['splay'] = 15;
/**
* Cookie configuration
*
* You can configure the cookie behaviour to secure your cookies more than the PHP defaults
*
* For multiple installations of MPOS on the same domain you must change the cookie path.
*
* Explanation:
* duration:
* the amount of time, in seconds, that a cookie should persist in the users browser.
* 0 = until closed; 1440 = 24 minutes. Check your php.ini 'session.gc_maxlifetime' value
* and ensure that it is at least the duration specified here.
*
* domain:
* the only domain name that may access this cookie in the browser
*
* path:
* the highest path on the domain that can access this cookie; i.e. if running two pools
* from a single domain you might set the path /ltc/ and /ftc/ to separate user session
* cookies between the two.
*
* httponly:
* marks the cookie as accessible only through the HTTP protocol. The cookie can't be
* accessed by scripting languages, such as JavaScript. This can help to reduce identity
* theft through XSS attacks in most browsers.
*
* secure:
* marks the cookie as accessible only through the HTTPS protocol. If you have a SSL
* certificate installed on your domain name then this will stop a user accidentally
* accessing the site over a HTTP connection, without SSL, exposing their session cookie.
*
* Default:
* duration = '1440'
* domain = ''
* path = '/'
* httponly = true
* secure = false
* Cookies
* Cookie configuration details
* https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-cookies
**/
$config['cookie']['duration'] = '1440';
$config['cookie']['domain'] = '';
@ -576,50 +235,18 @@ $config['cookie']['httponly'] = true;
$config['cookie']['secure'] = false;
/**
* Enable or disable the Smarty cache
*
* Explanation:
* Smarty implements a file based cache for all HTML output generated
* from dynamic scripts. It can be enabled to cache the HTML data on disk,
* future request are served from those cache files.
*
* This may or may not work as expected, in general Memcache is used to cache
* all data so rendering the page should not take too long anyway.
*
* You can test this out and enable (1) this setting but it's not guaranteed to
* work with MPOS.
*
* Ensure that the folder `templates/cache` is writeable by the web server!
*
* cache = Enable/Disable the cache
* cache_lifetime = Time to keep files in seconds before updating them
*
* Options:
* cache:
* 0 = disabled
* 1 = enabled
* cache_lifetime:
* time in seconds
*
* Defaults:
* cache = 0, disabled
* cache_lifetime = 30 seconds
* Smarty Cache
* Enable smarty cache and cache length
* https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-smarty-cache
**/
$config['smarty']['cache'] = 0;
$config['smarty']['cache_lifetime'] = 30;
/**
* System load setting
*
* This will disable loading of some API calls in case the system
* loads exceeds the defined max setting. Useful to temporarily suspend
* live statistics on a server that is too busy to deal with requests.
*
* Options
* max = float, maximum system load
*
* Defaults:
* max = 10.0
* System load
* Disable some calls when high system load
* https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-system-load
**/
$config['system']['load']['max'] = 10.0;
?>
?>

4
public/include/config/memcache_keys.inc.php
View File

@ -1,7 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
define('STATISTICS_ALL_USER_SHARES', 'STATISTICS_ALL_USER_SHARES');
define('STATISTICS_ALL_USER_HASHRATES', 'STATISTICS_ALL_USER_HASHRATES');

52
public/include/config/security.inc.dist.php Normal file
View File

@ -0,0 +1,52 @@
<?php
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
/**
* Misc
* Extra security settings
*
**/
$config['https_only'] = false;
$config['mysql_filter'] = true;
/**
* Memcache Rate Limiting
* Rate limit requests using Memcache
* https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-memcache-rate-limiting
*/
$config['mc_antidos']['enabled'] = true;
$config['mc_antidos']['protect_ajax'] = true;
$config['mc_antidos']['ajax_hits_additive'] = false;
$config['mc_antidos']['flush_seconds_api'] = 60;
$config['mc_antidos']['rate_limit_api'] = 20;
$config['mc_antidos']['flush_seconds_site'] = 60;
$config['mc_antidos']['rate_limit_site'] = 30;
$config['mc_antidos']['ignore_admins'] = true;
$config['mc_antidos']['error_push_page'] = array('page' => 'error', 'action' => 'ratelimit');
/**
* CSRF Protection
* Enable or disable CSRF protection
* https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-csrf-protection
*/
$config['csrf']['enabled'] = true;
/**
* E-mail confirmations for user actions
* Two-factor confirmation for user actions
* https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-e-mail-confirmations
*/
$config['twofactor']['enabled'] = true;
$config['twofactor']['options']['details'] = true;
$config['twofactor']['options']['withdraw'] = true;
$config['twofactor']['options']['changepw'] = true;
/**
* Lock account after X
* Lock accounts after X invalid logins or pins
* https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-lock-accounts-after-failed-logins
**/
$config['maxfailed']['login'] = 3;
$config['maxfailed']['pin'] = 3;
?>

12
public/include/database.inc.php
View File

@ -1,11 +1,12 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY'))
die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
// Instantiate class, we are using mysqlng
$mysqli = new mysqli($config['db']['host'], $config['db']['user'], $config['db']['pass'], $config['db']['name'], $config['db']['port']);
if ($config['mysql_filter']) {
$mysqli = new mysqli_strict($config['db']['host'], $config['db']['user'], $config['db']['pass'], $config['db']['name'], $config['db']['port']);
} else {
$mysqli = new mysqli($config['db']['host'], $config['db']['user'], $config['db']['pass'], $config['db']['name'], $config['db']['port']);
}
// Check if read-only and quit if it is on
if ($mysqli->query('/* MYSQLND_MS_MASTER_SWITCH */SELECT @@global.read_only AS read_only')->fetch_object()->read_only == 1) {
@ -16,4 +17,5 @@ if ($mysqli->query('/* MYSQLND_MS_MASTER_SWITCH */SELECT @@global.read_only AS r
if (mysqli_connect_errno()) {
die("Failed to connect to database");
}
?>

5
public/include/pages/about.inc.php
View File

@ -1,8 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY'))
die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
// Tempalte specifics
$smarty->assign("CONTENT", "default.tpl");

4
public/include/pages/about/api.inc.php
View File

@ -1,7 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
// Tempalte specifics
$smarty->assign("CONTENT", "default.tpl");

4
public/include/pages/about/donors.inc.php
View File

@ -1,7 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
if ($setting->getValue('disable_donors')) {
$_SESSION['POPUP'][] = array('CONTENT' => 'Donors are currently disabled. Please try again later.', 'TYPE' => 'errormsg');

5
public/include/pages/about/pool.inc.php
View File

@ -1,8 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY'))
die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
if ($setting->getValue('disable_about')) {
$_SESSION['POPUP'][] = array('CONTENT' => 'Donors are currently disabled. Please try again later.', 'TYPE' => 'errormsg');

5
public/include/pages/about/pplns.inc.php
View File

@ -1,8 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY'))
die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
// Tempalte specifics
$smarty->assign("CONTENT", "default.tpl");

4
public/include/pages/account.inc.php
View File

@ -1,7 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
if ($user->isAuthenticated()) {
// Tempalte specifics

4
public/include/pages/account/confirm.inc.php
View File

@ -1,7 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
// Confirm an account by token
if (!isset($_GET['token']) || empty($_GET['token'])) {

22
public/include/pages/account/edit.inc.php
View File

@ -1,8 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY'))
die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
// twofactor stuff
$cp_editable = $wf_editable = $ea_editable = $wf_sent = $ea_sent = $cp_sent = 0;
@ -153,7 +150,7 @@ if ($user->isAuthenticated()) {
// 2fa - one last time so we can sync with changes we made during this page
if ($user->isAuthenticated() && $config['twofactor']['enabled']) {
if ($config['twofactor']['enabled'] && $user->isAuthenticated()) {
// set the token to be the old token, just in case an error occured
$ea_token = (@$oldtoken_ea !== '') ? $oldtoken_ea : @$ea_token;
$wf_token = (@$oldtoken_wf !== '') ? $oldtoken_wf : @$wf_token;
@ -178,14 +175,15 @@ if ($user->isAuthenticated() && $config['twofactor']['enabled']) {
(!empty($wfprep_sent) && empty($wfprep_edit)) ? $_SESSION['POPUP'][] = array('CONTENT' => $message_tokensent_invalid.$messages_tokensent_status['wf'], 'TYPE' => 'success'):"";
(!empty($cpprep_sent) && !empty($cpprep_edit)) ? $_SESSION['POPUP'][] = array('CONTENT' => $cpprep_sent, 'TYPE' => 'success'):"";
(!empty($cpprep_sent) && empty($cpprep_edit)) ? $_SESSION['POPUP'][] = array('CONTENT' => $message_tokensent_invalid.$messages_tokensent_status['cp'], 'TYPE' => 'success'):"";
// two-factor stuff
$smarty->assign("CHANGEPASSUNLOCKED", $cp_editable);
$smarty->assign("WITHDRAWUNLOCKED", $wf_editable);
$smarty->assign("DETAILSUNLOCKED", $ea_editable);
$smarty->assign("CHANGEPASSSENT", $cp_sent);
$smarty->assign("WITHDRAWSENT", $wf_sent);
$smarty->assign("DETAILSSENT", $ea_sent);
}
// two-factor stuff
$smarty->assign("CHANGEPASSUNLOCKED", $cp_editable);
$smarty->assign("WITHDRAWUNLOCKED", $wf_editable);
$smarty->assign("DETAILSUNLOCKED", $ea_editable);
$smarty->assign("CHANGEPASSSENT", $cp_sent);
$smarty->assign("WITHDRAWSENT", $wf_sent);
$smarty->assign("DETAILSSENT", $ea_sent);
$smarty->assign("DONATE_THRESHOLD", $config['donate_threshold']);
// Tempalte specifics

4
public/include/pages/account/invitations.inc.php
View File

@ -1,7 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
if ($user->isAuthenticated()) {
if (!$setting->getValue('disable_invitations')) {

3
public/include/pages/account/notifications.inc.php
View File

@ -1,7 +1,6 @@
<?php
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
if ($user->isAuthenticated()) {
if ($setting->getValue('disable_notifications') == 1) {
$_SESSION['POPUP'][] = array('CONTENT' => 'Notification system disabled by admin.', 'TYPE' => 'info');

3
public/include/pages/account/qrcode.inc.php
View File

@ -1,6 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
if ($user->isAuthenticated()) $smarty->assign("CONTENT", "default.tpl");
?>

4
public/include/pages/account/reset_failed.inc.php
View File

@ -1,7 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
if ($user->isAuthenticated()) {
// Reset failed login counter

3
public/include/pages/account/transactions.inc.php
View File

@ -1,7 +1,6 @@
<?php
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
if ($user->isAuthenticated()) {
$iLimit = 30;
empty($_REQUEST['start']) ? $start = 0 : $start = $_REQUEST['start'];

4
public/include/pages/account/unlock.inc.php
View File

@ -1,7 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
// Confirm an account by token
if (!isset($_GET['token']) || empty($_GET['token'])) {

13
public/include/pages/account/workers.inc.php
View File

@ -1,18 +1,13 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
if ($user->isAuthenticated()) {
switch (@$_REQUEST['do']) {
case 'delete':
if (!$config['csrf']['enabled'] || $config['csrf']['enabled'] && $csrftoken->valid) {
if ($worker->deleteWorker($_SESSION['USERDATA']['id'], $_GET['id'])) {
$_SESSION['POPUP'][] = array('CONTENT' => 'Worker removed', 'TYPE' => 'success');
} else {
$_SESSION['POPUP'][] = array('CONTENT' => $worker->getError(), 'TYPE' => 'errormsg');
}
if ($worker->deleteWorker($_SESSION['USERDATA']['id'], $_GET['id'])) {
$_SESSION['POPUP'][] = array('CONTENT' => 'Worker removed', 'TYPE' => 'success');
} else {
$_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info');
$_SESSION['POPUP'][] = array('CONTENT' => $worker->getError(), 'TYPE' => 'errormsg');
}
break;

4
public/include/pages/admin.inc.php
View File

@ -1,7 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
// Check user to ensure they are admin
if (!$user->isAuthenticated() || !$user->isAdmin($_SESSION['USERDATA']['id'])) {

4
public/include/pages/admin/dashboard.inc.php
View File

@ -1,7 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
// Check user to ensure they are admin
if (!$user->isAuthenticated() || !$user->isAdmin($_SESSION['USERDATA']['id'])) {

4
public/include/pages/admin/monitoring.inc.php
View File

@ -1,7 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
// Check user to ensure they are admin
if (!$user->isAuthenticated() || !$user->isAdmin($_SESSION['USERDATA']['id'])) {

4
public/include/pages/admin/news.inc.php
View File

@ -1,7 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
// Check user to ensure they are admin
if (!$user->isAuthenticated() || !$user->isAdmin($_SESSION['USERDATA']['id'])) {

4
public/include/pages/admin/news_edit.inc.php
View File

@ -1,7 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
// Check user to ensure they are admin
if (!$user->isAuthenticated() || !$user->isAdmin($_SESSION['USERDATA']['id'])) {

3
public/include/pages/admin/poolworkers.inc.php
View File

@ -1,6 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
// Check user to ensure they are admin
if (!$user->isAuthenticated() || !$user->isAdmin($_SESSION['USERDATA']['id'])) {

4
public/include/pages/admin/reports.inc.php
View File

@ -1,7 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
// Check user to ensure they are admin
if (!$user->isAuthenticated() || !$user->isAdmin($_SESSION['USERDATA']['id'])) {

4
public/include/pages/admin/settings.inc.php
View File

@ -1,7 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
// Check user to ensure they are admin
if (!$user->isAuthenticated() || !$user->isAdmin($_SESSION['USERDATA']['id'])) {

4
public/include/pages/admin/templates.inc.php
View File

@ -1,7 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
// Check user to ensure they are admin
if (!$user->isAuthenticated() || !$user->isAdmin($_SESSION['USERDATA']['id'])) {

4
public/include/pages/admin/transactions.inc.php
View File

@ -1,7 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
// Check user to ensure they are admin
if (!$user->isAuthenticated() || !$user->isAdmin($_SESSION['USERDATA']['id'])) {

4
public/include/pages/admin/user.inc.php
View File

@ -1,7 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
// Check user to ensure they are admin
if (!$user->isAuthenticated() || !$user->isAdmin($_SESSION['USERDATA']['id'])) {

4
public/include/pages/admin/wallet.inc.php
View File

@ -1,7 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
// Check user to ensure they are admin
if (!$user->isAuthenticated() || !$user->isAdmin($_SESSION['USERDATA']['id'])) {

4
public/include/pages/api.inc.php
View File

@ -1,7 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
// Check if the API is activated
$api->isActive();

4
public/include/pages/api/getblockcount.inc.php
View File

@ -1,7 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
// Check if the API is activated
$api->isActive();

4
public/include/pages/api/getblocksfound.inc.php
View File

@ -1,7 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
// Check if the API is activated
$api->isActive();

4
public/include/pages/api/getblockstats.inc.php
View File

@ -1,7 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
// Check if the API is activated
$api->isActive();

4
public/include/pages/api/getcronjobstatus.inc.php
View File

@ -1,7 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
// Check if the API is activated
$api->isActive();

4
public/include/pages/api/getcurrentworkers.inc.php
View File

@ -1,7 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
// Check if the API is activated
$api->isActive();

4
public/include/pages/api/getdashboarddata.inc.php
View File

@ -1,7 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
// Check if the system is enabled
if ($setting->getValue('disable_dashboard_api')) {

4
public/include/pages/api/getdifficulty.inc.php
View File

@ -1,7 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
// Check if the API is activated
$api->isActive();

4
public/include/pages/api/getestimatedtime.inc.php
View File

@ -1,7 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
// Check if the API is activated
$api->isActive();

4
public/include/pages/api/gethourlyhashrates.inc.php
View File

@ -1,7 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
// Check if the API is activated
$api->isActive();

4
public/include/pages/api/getnavbardata.inc.php
View File

@ -1,7 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
// Check if the system is enabled
if ($setting->getValue('disable_navbar_api')) {

4
public/include/pages/api/getpoolhashrate.inc.php
View File

@ -1,7 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
// Check if the API is activated
$api->isActive();

4
public/include/pages/api/getpoolinfo.inc.php
View File

@ -1,7 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
// Check if the API is activated
$api->isActive();

4
public/include/pages/api/getpoolsharerate.inc.php
View File

@ -1,7 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
// Check if the API is activated
$api->isActive();

4
public/include/pages/api/getpoolstatus.inc.php
View File

@ -1,7 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
// Check if the API is activated
$api->isActive();

4
public/include/pages/api/gettimesincelastblock.inc.php
View File

@ -1,7 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
// Check if the API is activated
$api->isActive();

4
public/include/pages/api/gettopcontributors.inc.php
View File

@ -1,7 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
// Check user token and access level permissions
$user_id = $api->checkAccess($user->checkApiKey($_REQUEST['api_key']), @$_REQUEST['id']);

4
public/include/pages/api/getuserbalance.inc.php
View File

@ -1,7 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
// Check if the API is activated
$api->isActive();

4
public/include/pages/api/getuserhashrate.inc.php
View File

@ -1,7 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
// Check if the API is activated
$api->isActive();

4
public/include/pages/api/getusersharerate.inc.php
View File

@ -1,7 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
// Check if the API is activated
$api->isActive();

4
public/include/pages/api/getuserstatus.inc.php
View File

@ -1,7 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
// Check if the API is activated
$api->isActive();

4
public/include/pages/api/getusertransactions.inc.php
View File

@ -1,7 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
// Check if the API is activated
$api->isActive();

4
public/include/pages/api/getuserworkers.inc.php
View File

@ -1,7 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
// Check if the API is activated
$api->isActive();

4
public/include/pages/api/public.inc.php
View File

@ -1,7 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
// Check if the API is activated
$api->isActive();

4
public/include/pages/contactform.inc.php
View File

@ -1,7 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
if ($setting->getValue('disable_contactform')) {
$_SESSION['POPUP'][] = array('CONTENT' => 'Contactform is currently disabled. Please try again later.', 'TYPE' => 'errormsg');

4
public/include/pages/contactform/contactform.inc.php
View File

@ -1,7 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
if ($setting->getValue('recaptcha_enabled')) {
// Load re-captcha specific data

4
public/include/pages/dashboard.inc.php
View File

@ -1,7 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
if ($user->isAuthenticated()) {
if (! $interval = $setting->getValue('statistics_ajax_data_interval')) $interval = 300;

5
public/include/pages/error.inc.php
View File

@ -1,8 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY'))
die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
// Tempalte specifics
$smarty->assign("CONTENT", "default.tpl");

5
public/include/pages/error/404.inc.php
View File

@ -1,8 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY'))
die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
// Tempalte specifics
$smarty->assign("CONTENT", "default.tpl");

6
public/include/pages/error/ratelimit.inc.php Normal file
View File

@ -0,0 +1,6 @@
<?php
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
// Tempalte specifics
$smarty->assign("CONTENT", "default.tpl");
?>

5
public/include/pages/gettingstarted.inc.php
View File

@ -1,8 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY'))
die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
$smarty->assign("SITESTRATUMURL", $config['gettingstarted']['stratumurl']);
$smarty->assign("SITESTRATUMPORT", $config['gettingstarted']['stratumport']);

4
public/include/pages/home.inc.php
View File

@ -1,7 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
// Include markdown library
use \Michelf\Markdown;

14
public/include/pages/login.inc.php
View File

@ -1,7 +1,5 @@
<?php
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
// ReCaptcha handling if enabled
if ($setting->getValue('recaptcha_enabled') && $setting->getValue('recaptcha_enabled_logins')) {
@ -26,10 +24,12 @@ if ($setting->getValue('maintenance') && !$user->isAdmin($user->getUserIdByEmail
// Check if recaptcha is enabled, process form data if valid
if (!$setting->getValue('recaptcha_enabled') || !$setting->getValue('recaptcha_enabled_logins') || ($setting->getValue('recaptcha_enabled') && $setting->getValue('recaptcha_enabled_logins') && $rsp->is_valid)) {
if (!$config['csrf']['enabled'] || $config['csrf']['enabled'] && $csrftoken->valid) {
// check if login is correct
if ($user->checkLogin(@$_POST['username'], @$_POST['password']) ) {
$port = ($_SERVER["SERVER_PORT"] == "80" or $_SERVER["SERVER_PORT"] == "443") ? "" : (":".$_SERVER["SERVER_PORT"]);
$location = @$_SERVER['HTTPS'] ? 'https://' : 'http://';
$location .= $_SERVER['SERVER_NAME'] . $port . $_SERVER['SCRIPT_NAME'] . '?page=dashboard';
$port = ($_SERVER["SERVER_PORT"] == "80" || $_SERVER["SERVER_PORT"] == "443") ? "" : (":".$_SERVER["SERVER_PORT"]);
$location = (@$_SERVER['HTTPS'] == "on") ? 'https://' : 'http://';
$location .= $_SERVER['SERVER_NAME'] . $port . $_SERVER['SCRIPT_NAME'];
$location.= '?page=dashboard';
if (!headers_sent()) header('Location: ' . $location);
exit('<meta http-equiv="refresh" content="0; url=' . htmlspecialchars($location) . '"/>');
} else {
@ -42,7 +42,7 @@ if ($setting->getValue('maintenance') && !$user->isAdmin($user->getUserIdByEmail
$_SESSION['POPUP'][] = array('CONTENT' => 'Invalid Captcha, please try again.', 'TYPE' => 'errormsg');
}
}
// Load login template
$smarty->assign('CONTENT', 'default.tpl');
?>

7
public/include/pages/logout.inc.php
View File

@ -1,10 +1,7 @@
<?php
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
// Make sure we are called from index.php
if (!defined('SECURITY'))
die('Hacking attempt');
// This probably (?) never fails
$user->logoutUser();
$smarty->assign("CONTENT", "default.tpl");
?>

Some files were not shown because too many files have changed in this diff Show More