diff --git a/LICENSE b/LICENSE index aaf6fd6..9006be8 100644 --- a/LICENSE +++ b/LICENSE @@ -1,6 +1,6 @@ MIT License -Copyright (c) 2022 axtonprice.com +Copyright (c) 2022 Axtonprice, QuickBlaze Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal @@ -18,4 +18,4 @@ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE. +SOFTWARE. \ No newline at end of file diff --git a/Modules/Functions.php b/Modules/Functions.php index 6569814..22931c1 100644 --- a/Modules/Functions.php +++ b/Modules/Functions.php @@ -9,9 +9,17 @@ function sanitizeXSS() } /* Internal Script Functions */ +function get_string_between($string, $start, $end) +{ + $string = ' ' . $string; + $ini = strpos($string, $start); + if ($ini == 0) return ''; + $ini += strlen($start); + $len = strpos($string, $end, $ini) - $ini; + return substr($string, $ini, $len); +} function processData($data) { - sanitizeXSS(); // Sanitize Script $encryptionKey = generateKey(64); // Create new key $encryptedData = encryptData($data, $encryptionKey); // Encrypt data insertRecord($encryptedData, $encryptionKey); // Insert new database record @@ -19,37 +27,35 @@ function processData($data) } function ifTextBoxDisabled() { - sanitizeXSS(); // Sanitize Script if (isset($_GET["submitted"])) { echo "disabled"; } } function determineMessageContent() { - sanitizeXSS(); // Sanitize Script if (getRecord("encrypted_contents", htmlspecialchars($_GET["key"]), ENT_QUOTES, 'UTF-8') == null) { header("Location: 404"); } else { if (!isset($_GET["confirm"])) { echo '
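Review bot: get_string_between returns a wrong slice instead of '' when `$end` does not occur after `$start`: `strpos` yields false, `$len` becomes negative, and `substr` then trims from the tail rather than reporting no match. Check the end marker explicitly, `$endPos = strpos($string, $end, $ini); if ($endPos === false) return ''; return substr($string, $ini, $endPos - $ini);`, and test the start lookup with `=== false` instead of relying on `== 0` plus the leading-space trick. The parameters and return are untyped; `string $string, string $start, string $end): string` would let strict_types catch misuse. Separately, processData (the rest of this hunk) hands the same hex key to encryptData and to insertRecord as the record's token, and the `-123` hunk shows encryptData deriving the IV from that key via hex2bin; that design predates this commit, but it appears to leave the key stored beside the ciphertext it protects and deserves an issue of its own.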
- Decrypt & View Message? + ' . translate("Decrypt & View Message?", "en") . '
- View Message + ' . translate("View Message", "en") . ' '; } else { echo '
- This message has been destroyed! + ' . translate("This message has been destroyed!", "en") . '

- Return Home + ' . translate("Return Home", "en") . ' '; destroyRecord(htmlspecialchars($_GET["key"], ENT_QUOTES, 'UTF-8')); // destroy record } @@ -57,7 +63,6 @@ function determineMessageContent() } function getSubmittedKey() { - sanitizeXSS(); // Sanitize Script error_reporting(0); // disable error reporting if (isset($_GET["submitted"]) && $_GET["submitted"] != "") { $fullUrl = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on' ? "https" : "http") . "://$_SERVER[HTTP_HOST]" . str_replace("?submitted=", "view?key=", htmlspecialchars($_SERVER['REQUEST_URI'])); @@ -71,26 +76,25 @@ function getSubmittedKey() } function determineSubmissionFooter() { - sanitizeXSS(); // Sanitize Script if (isset($_GET["submitted"])) { echo '
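Review bot: The translate() results spliced into the echoed markup in determineMessageContent are inserted raw, and translate() returns text taken from a remote HTTP response, so whatever that service (or anything between it and this server) returns lands in the page unescaped; wrap each call, e.g. `' . htmlspecialchars(translate("Decrypt & View Message?", "en"), ENT_QUOTES, 'UTF-8') . '`. The same pattern appears in the determineSubmissionFooter hunk (`-71,26`). On the context line `getRecord("encrypted_contents", htmlspecialchars($_GET["key"]), ENT_QUOTES, 'UTF-8')` the parenthesis closes htmlspecialchars too early, so `ENT_QUOTES` and `'UTF-8'` reach getRecord instead; it should read `getRecord("encrypted_contents", htmlspecialchars($_GET["key"], ENT_QUOTES, 'UTF-8'))`. The `sanitizeXSS()` calls dropped throughout this file (here and in the `-9`, `-57`, `-71`, `-113`, `-123`, `-138`, `-176`, `-206` and `-223` hunks) have no replacement visible in the diff, and sanitizeXSS's body is outside it, so whether any request normalisation is lost should be confirmed. determineMessageContent's closing brace lies in the next hunk.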

- Share this link anywhere on the internet. The message will be automatically destroyed once viewed. + ' . translate("Share this link anywhere on the internet. The message will be automatically destroyed once viewed.", "en") . '

- Create New + ' . translate("Create New", "en") . ' '; } else { echo '
'; } } @@ -98,11 +102,11 @@ function determineSystemVersion() { if (!file_exists("./.version")) { touch("./.version"); - $latestVersion = json_decode(file_get_contents("https://raw.githubusercontent.com/axtonprice-dev/quickblaze-encrypt/main/.version", true), true); - file_put_contents("./.version", json_encode(array("BRANCH" => $latestVersion["BRANCH"], "VERSION" => $latestVersion["VERSION"]))); + $latestVersion = json_decode(file_get_contents("https://raw.githubusercontent.com/axtonprice-dev/quickblaze-encrypt/main/.version?cacheUpdate=" . rand(0, 100), true), true); + file_put_contents("./.version", json_encode(array("BRANCH" => $latestVersion["BRANCH"], "VERSION" => $latestVersion["VERSION"], "LANGUAGE" => "auto"))); } $thisVersion = json_decode(file_get_contents("./.version", true), true); - $latestVersion = json_decode(file_get_contents("https://raw.githubusercontent.com/axtonprice-dev/quickblaze-encrypt/" . filter_var(htmlspecialchars($thisVersion["BRANCH"]), FILTER_SANITIZE_FULL_SPECIAL_CHARS) . "/.version", true), true); + $latestVersion = json_decode(file_get_contents("https://raw.githubusercontent.com/axtonprice-dev/quickblaze-encrypt/" . filter_var(htmlspecialchars($thisVersion["BRANCH"]), FILTER_SANITIZE_FULL_SPECIAL_CHARS) . "/.version?cacheUpdate=" . rand(0, 100), true), true); if ($thisVersion["VERSION"] != $latestVersion["VERSION"]) { return 'v' . $thisVersion["VERSION"] . ' (Outdated!)'; } else { @@ -113,7 +117,6 @@ function determineSystemVersion() /* Database Interaction Functions */ function generateKey($length) { - sanitizeXSS(); // Sanitize Script $length = 16; $bytes = openssl_random_pseudo_bytes($length); $hex = bin2hex($bytes); 
@@ -123,14 +126,12 @@ function generateKey($length) /* Data Conversion Functions */ function encryptData($data, $encryption_key) { - sanitizeXSS(); // Sanitize Script $encryption_iv = hex2bin($encryption_key); return openssl_encrypt($data, "AES-128-CTR", $encryption_key, 0, $encryption_iv); } function decryptData($encryption_key) // getRecord("encrypted_contents", $dataKey) { - sanitizeXSS(); // Sanitize Script $encryption_iv = hex2bin($encryption_key); return openssl_decrypt(getRecord("encrypted_contents", $encryption_key), "AES-128-CTR", $encryption_key, 0, $encryption_iv); } @@ -138,7 +139,6 @@ function decryptData($encryption_key) // getRecord("encrypted_contents", $dataKe /* Database Interaction Functions */ function setupDatabase() { - sanitizeXSS(); // Sanitize Script error_reporting(0); // disable error reporting if (!file_exists("./Modules/InstallationStatus.json")) { touch("./Modules/InstallationStatus.json"); @@ -150,7 +150,8 @@ function setupDatabase() try { // attempt database connection $mysqli = new mysqli($json["HOSTNAME"], $json["USERNAME"], $json["PASSWORD"], $json["DATABASE"]); } catch (mysqli_sql_exception $e) { - die(file_get_contents("./Public/Error/DatabaseCredentials.html")); // throw error page if invalid credentials + require "./Public/Error/DatabaseCredentials.php"; // throw error page if invalid credentials + die(); } $tableCreateSQL = "CREATE TABLE IF NOT EXISTS `quickblaze_records` (`record_id` int(11) NOT NULL,`encrypted_contents` longtext NOT NULL,`encryption_token` varchar(128) NOT NULL,`source_ip` varchar(100) NOT NULL, `record_date` timestamp(5) NOT NULL DEFAULT current_timestamp(5)) ENGINE=InnoDB DEFAULT CHARSET=utf8;"; $addPrimaryKeySQL = "ALTER TABLE `quickblaze_records` ADD PRIMARY KEY (`record_id`);"; 
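Review bot: The `require "./Public/Error/DatabaseCredentials.php"; die();` pair introduced in setupDatabase's catch block is repeated verbatim in the `-161`, `-176`, `-206` and `-223` hunks; a single helper such as `function abortWithDatabaseError(): never { require "./Public/Error/DatabaseCredentials.php"; exit; }` keeps the five sites in step. Keeping `$mysqli->error` out of the response is right, but the detail is now lost entirely: log it server-side before aborting (`error_log($e->getMessage());` here, `error_log($mysqli->error);` at the other sites), which is also where the monolog dependency added by this commit would fit. The catch only covers `mysqli_sql_exception`, which is the default failure mode of `new mysqli` on PHP 8.1+; on the older PHP 7 configurations the README still admits, the constructor may not throw, so `connect_errno` needs the same check here that insertRecord performs. setupDatabase's body continues outside this hunk.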
@@ -161,13 +162,16 @@ function setupDatabase() file_put_contents("./Modules/InstallationStatus.json", json_encode(array("INSTALLED" => "true"))); return true; } else { - die($mysqli->error); + require "./Public/Error/DatabaseCredentials.php"; // throw error page if invalid credentials + die(); } } else { - die($mysqli->error); + require "./Public/Error/DatabaseCredentials.php"; // throw error page if invalid credentials + die(); } } else { - die($mysqli->error); + require "./Public/Error/DatabaseCredentials.php"; // throw error page if invalid credentials + die(); } $mysqli->close(); @@ -176,23 +180,32 @@ function setupDatabase() } function checkDatabase() { + error_reporting(0); // disable error reporting if (!file_exists("./Modules/Database.env")) { - die(file_get_contents("./Public/Error/DatabaseConfig.html")); + touch("./Modules/Database.env"); + require "./Public/Error/DatabaseConfig.php"; + die(); } else { $json = json_decode(file_get_contents("./Modules/Database.env", true), true); if ($json["DATABASE"] == "" || $json["HOSTNAME"] == "") { - die(file_get_contents("./Public/Error/DatabaseConfig.html")); + require "./Public/Error/DatabaseConfig.php"; + die(); } } + $status = json_decode(file_get_contents("./Modules/InstallationStatus.json", true), true); + if ($status["INSTALLED"] == "false") { + setupDatabase(); + } + error_reporting(E_ALL); // enable error reporting } function insertRecord($encrypted_contents, $encryption_token) { - sanitizeXSS(); // Sanitize Script $json = json_decode(file_get_contents("./Modules/Database.env", true), true); $mysqli = new mysqli($json["HOSTNAME"], $json["USERNAME"], $json["PASSWORD"], $json["DATABASE"]); if ($mysqli->connect_errno) { - return $mysqli->connect_errno; + require "./Public/Error/DatabaseCredentials.php"; + die(); } $source_ip = filter_var($_SERVER['HTTP_CF_CONNECTING_IP'], FILTER_VALIDATE_IP) ?? filter_var($_SERVER['REMOTE_ADDR'], FILTER_VALIDATE_IP); $record_date = date("Y-m-d H:i:s"); 
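Review bot: The new install trigger in checkDatabase, `if ($status["INSTALLED"] == "false")`, never fires when `./Modules/InstallationStatus.json` does not exist yet: `file_get_contents` returns false, `json_decode` gives null, and `null == "false"` is false, so a fresh install without that file skips setupDatabase() unless it is invoked from somewhere outside this diff. Treat a missing or unreadable status as not installed: `if (!is_array($status) || ($status["INSTALLED"] ?? "false") !== "true") { setupDatabase(); }`. The closing `error_reporting(E_ALL)` also replaces whatever level the server configured rather than restoring it; capture it with `$prev = error_reporting(0);` and restore with `error_reporting($prev);`. In insertRecord (same hunk, context) `filter_var($_SERVER['HTTP_CF_CONNECTING_IP'], FILTER_VALIDATE_IP) ?? ...` never falls through because filter_var returns false rather than null, and that header is request-supplied, so it should only be preferred over REMOTE_ADDR when the request is known to arrive through that proxy, with `?:` as the fallback operator. insertRecord continues past the end of this hunk.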
@@ -206,11 +219,11 @@ function insertRecord($encrypted_contents, $encryption_token) function destroyRecord($token) { - sanitizeXSS(); // Sanitize Script $json = json_decode(file_get_contents("./Modules/Database.env", true), true); $mysqli = new mysqli($json["HOSTNAME"], $json["USERNAME"], $json["PASSWORD"], $json["DATABASE"]); if ($mysqli->connect_errno) { - return $mysqli->connect_errno; + require "./Public/Error/DatabaseCredentials.php"; + die(); } $token = filter_var($token, FILTER_SANITIZE_FULL_SPECIAL_CHARS); if ($mysqli->query("DELETE FROM `quickblaze_records` WHERE `encryption_token` = '$token';") === TRUE) { @@ -223,11 +236,11 @@ function destroyRecord($token) function getRecord($dataToFetch, $encryption_token) { - sanitizeXSS(); // Sanitize Script $json = json_decode(file_get_contents("./Modules/Database.env", true), true); $mysqli = new mysqli($json["HOSTNAME"], $json["USERNAME"], $json["PASSWORD"], $json["DATABASE"]); if ($mysqli->connect_errno) { - return $mysqli->connect_errno; + require "./Public/Error/DatabaseCredentials.php"; + die(); } $encryption_token = filter_var($encryption_token, FILTER_SANITIZE_FULL_SPECIAL_CHARS); $result = $mysqli->query("SELECT `$dataToFetch` FROM `quickblaze_records` WHERE `encryption_token` = '$encryption_token'"); 
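Review bot: The new abort path in getRecord (and in destroyRecord in the `-206` hunk) covers connection failure, but the statement on the context line right after it still builds SQL by interpolation, `WHERE encryption_token = '$encryption_token'`, with FILTER_SANITIZE_FULL_SPECIAL_CHARS as the only barrier; that filter rewrites characters into HTML entities and is not an SQL escaping mechanism (it is a no-op on the hex tokens generateKey produces, which is why it appears to work). Since this commit is already reworking these functions' error handling, switch both queries to prepared statements: `$stmt = $mysqli->prepare("SELECT encrypted_contents FROM quickblaze_records WHERE encryption_token = ?"); $stmt->bind_param("s", $encryption_token); $stmt->execute();`. `$dataToFetch` is interpolated as a column name and cannot be bound; the visible callers pass the literal "encrypted_contents", so an allow-list check such as `in_array($dataToFetch, ['encrypted_contents'], true)` before the query closes that gap. getRecord's body continues past this hunk.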
@@ -240,3 +253,21 @@ function getRecord($dataToFetch, $encryption_token) } $mysqli->close(); } + +/* Translation Feature */ +function translate($q, $sl) +{ + $config = json_decode(file_get_contents("./.version", true), true); + if ($config["LANGUAGE"] == "auto") { + $tl = substr($_SERVER['HTTP_ACCEPT_LANGUAGE'], 0, 2); + } else { + if ($config["LANGUAGE"] != "") { + $tl = $config["LANGUAGE"]; + } else { + $tl = "en"; + } + } + $res = file_get_contents("https://translate.googleapis.com/translate_a/single?client=gtx&ie=UTF-8&oe=UTF-8&dt=bd&dt=ex&dt=ld&dt=md&dt=qca&dt=rw&dt=rm&dt=ss&dt=t&dt=at&sl=" . $sl . "&tl=" . $tl . "&hl=hl&q=" . urlencode($q), $_SERVER['DOCUMENT_ROOT'] . "/transes.html"); + $res = json_decode($res); + return $res[0][0][0]; +} diff --git a/Public/Error/403.php b/Public/Error/403.php new file mode 100644 index 0000000..27de482 --- /dev/null +++ b/Public/Error/403.php @@ -0,0 +1,126 @@ + + + + + + + + "> + QuickBlaze + + + + + + + + + + +
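Review bot: translate() builds the request URL with `$tl` taken straight from the first two bytes of `HTTP_ACCEPT_LANGUAGE` (or from the `.version` file) without encoding or validation, and then trusts the response blindly: if the fetch fails, `file_get_contents` returns false, `json_decode` gives null and `$res[0][0][0]` becomes a null-offset access, so every label on the page renders empty. The second argument, `$_SERVER['DOCUMENT_ROOT'] . "/transes.html"`, is `file_get_contents`'s `$use_include_path` bool and has no effect as a path. The function is called once per UI string on every render (see the `-19` and `-71` hunks), so each page view makes several synchronous requests to a third party and discloses the visitor's language preference; a short timeout, a same-language short-circuit and a fallback to the source string keep the page rendering when that service is slow or unreachable, which the rewrite below does while leaving the query string otherwise intact. Callers must still escape the returned text before echoing it. composer.json in this commit pulls in delfimov/translate, which this function does not use; either adopt it or drop the dependency.
```php
function translate($q, $sl)
{
    // … unchanged: resolve $tl from ./.version or Accept-Language …
    if (!preg_match('/^[a-z]{2}$/', $tl)) {
        $tl = "en"; // only a plain two-letter code is allowed into the URL
    }
    if ($tl === $sl) {
        return $q; // nothing to translate; skip the remote round-trip
    }
    $url = "https://translate.googleapis.com/translate_a/single?client=gtx&ie=UTF-8&oe=UTF-8&dt=bd&dt=ex&dt=ld&dt=md&dt=qca&dt=rw&dt=rm&dt=ss&dt=t&dt=at&sl=" . urlencode($sl) . "&tl=" . urlencode($tl) . "&hl=hl&q=" . urlencode($q);
    $context = stream_context_create(['http' => ['timeout' => 3]]);
    $raw = file_get_contents($url, false, $context);
    if ($raw === false) {
        return $q; // service unreachable: show the source text instead of nothing
    }
    $res = json_decode($raw);
    $text = $res[0][0][0] ?? null;
    return is_string($text) ? $text : $q;
}
```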
+
+

+

+
+ + + \ No newline at end of file diff --git a/Public/Error/404.php b/Public/Error/404.php new file mode 100644 index 0000000..60b6445 --- /dev/null +++ b/Public/Error/404.php @@ -0,0 +1,52 @@ + + + + + + + + "> + QuickBlaze + + + + + + + + + + +
+

404

+
+ +
+ + +

+ GitHub • + Discord • + +

+
+ + + + + + + + \ No newline at end of file diff --git a/Public/Error/500.php b/Public/Error/500.php new file mode 100644 index 0000000..0287c04 --- /dev/null +++ b/Public/Error/500.php @@ -0,0 +1,52 @@ + + + + + + + + "> + QuickBlaze + + + + + + + + + + +
+

500

+
+ +
+ + +

+ GitHub • + Discord • + +

+
+ + + + + + + + \ No newline at end of file diff --git a/Public/Error/DatabaseConfig.php b/Public/Error/DatabaseConfig.php new file mode 100644 index 0000000..af273f7 --- /dev/null +++ b/Public/Error/DatabaseConfig.php @@ -0,0 +1,52 @@ + + + + + + + + "> + QuickBlaze + + + + + + + + + + +
+

+
+
+

+ +
+ +

+ GitHub • + Discord +

+
+ + + + + + + + \ No newline at end of file diff --git a/Public/Error/DatabaseCredentials.php b/Public/Error/DatabaseCredentials.php new file mode 100644 index 0000000..ac0c5ec --- /dev/null +++ b/Public/Error/DatabaseCredentials.php @@ -0,0 +1,52 @@ + + + + + + + + "> + QuickBlaze + + + + + + + + + + +
+

+
+
+

+ +
+ +

+ GitHub • + Discord +

+
+ + + + + + + + \ No newline at end of file diff --git a/Public/index.php b/Public/index.php index bb0ff51..3a4e359 100644 --- a/Public/index.php +++ b/Public/index.php @@ -5,7 +5,7 @@ - + "> QuickBlaze @@ -20,10 +20,10 @@

QuickBlaze

-
One time view encrypted message sharing system
+


- + @@ -36,9 +36,8 @@
- -
✅ URL has been copied to clipboard!
+
diff --git a/Public/view.php b/Public/view.php index a3580be..3cc0c2c 100644 --- a/Public/view.php +++ b/Public/view.php @@ -5,7 +5,7 @@ - + "> QuickBlaze @@ -20,7 +20,7 @@

QuickBlaze

-
One time view encrypted message sharing system
+


@@ -35,7 +35,7 @@
-
✅ Message has been copied to clipboard!
+
diff --git a/README.md b/README.md index c39b1f3..657f1cc 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,6 @@

GitHub release (latest by date) - GitHub all releases License: MIT @@ -19,18 +18,20 @@ ## Requirements - Accessible webserver with PHP support. -- PHP v7 or higher version. +- PHP v7 or higher. +- PHP composer `v2.0.11` or later. - PHP [MBSTRING](http://php.net/manual/en/book.mbstring.php) module for full UTF-8 support. - PHP [JSON](http://php.net/manual/en/book.json.php) module for JSON manipulation ## Installation 1. Download the latest version from the releases page. -2. Upload and extract the file to your web server or hosting subdomain. -3. Update the database information in `/modules/Database_example.env`. -4. Rename the configuration file to `Database.env` [(Example configuration)](#configuration). -5. Visit your domain installation directory https://example.com/quickblaze-encrypt/ -6. Enjoy! +2. Upload and extract the file to your web server. +3. Install composer requirements with ```composer install```. +4. Update the database information in `/modules/Database_example.env`. +5. Rename the configuration file to `Database.env` [(Example configuration)](#configuration). +6. Visit your domain installation directory or subdomain https://example.com/quickblaze-encrypt/ +7. **Enjoy!** ⚠️ *Don't delete the `.version` file! It contains necessary version data, and modifying it may cause issues!* diff --git a/SECURITY.md b/SECURITY.md index 994a5dc..51e6238 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -1,16 +1,23 @@ -# Security Policy +# QuickBlaze Security Policy ## Supported Versions -| Version | Supported | -| -------- | ------------------ | -| 1.0.4> | :white_check_mark: | +| Version | Supported | +| ---------- | ------------------ | +| v1.0.8 > | :white_check_mark: | +| v1.0.7 | :white_check_mark: | +| v1.0.6 | :white_check_mark: | +| v1.0.5 | :white_check_mark: | +| v1.0.4 | :white_check_mark: | +| <= v1.0.3 | :x: | -*We only support versions above v1.0.4! Versions below this are not considered "stable", and we will not be providing support for them!* +*Versions below v1.0.4 are not supported, as they are not stable releases. We will not be providing support for them and suggestions, bug reports and other requests will automatically be ignored* -## Reporting a Vulnerability +## Reports & Submissions -Please report all security vulnerabilities to the lead project developer @axtonprice. -You can also contact via Discord: *Axton P.#1234*. +Please report all security vulnerabilities, bug reports, as well as suggestions to either the GitHub [issues](https://github.com/axtonprice-dev/quickblaze-encrypt/issues) page, [discussion](https://github.com/axtonprice-dev/quickblaze-encrypt/discussions) page, or the community [Discord server](https://discord.gg/dP3MuBATGc). +You can also directly contact the project lead developer via Discord, in order to submit reports or suggestions. -Thank you. +*[@axtonprice](https://github.com/axtonprice): Axton P.#1234* + +Thank you. \ No newline at end of file diff --git a/composer.json b/composer.json new file mode 100644 index 0000000..26d7c4d --- /dev/null +++ b/composer.json 
@@ -0,0 +1,11 @@ +{ + "name": "axtonprice/quickblaze-encrypt", + "description": "An extremely simple, one-time view encryption message system. Send anybody passwords, or secret messages on a one-time view basis.", + "type": "project", + "license": "MIT", + "minimum-stability": "stable", + "require": { + "delfimov/translate": "^2.6", + "monolog/monolog": "^2.5" + } +} diff --git a/index.php b/index.php index e127a57..8c4872f 100644 --- a/index.php +++ b/index.php @@ -4,7 +4,7 @@ $url = substr($url, strrpos($url, '/') + 1); if (strpos($url, '?') !== false) $url = substr($url, 0, strpos($url, "?")); -// /* Initialise Displays */ +/* Initialise Displays */ if ($url == "processForm") { /* Form Submission Handler */ require("./Modules/Functions.php"); @@ -28,23 +28,19 @@ } elseif ($url == "404") { /* Not Found Page */ require("./Modules/Functions.php"); - require("./Public/Error/404.html"); - return; + return require("./Public/Error/404.php"); } elseif ($url == "403") { /* Not Found Page */ - require("./Modules/Functions.php"); - require("./Public/Error/403.html"); - return; + require("./Modules/Functions.php"); + return require("./Public/Error/403.php"); } else { if ($url == "500") { /* Server Error Page */ require("./Modules/Functions.php"); - require("./Public/Error/500.html"); - return; + return require("./Public/Error/500.php"); } else { /* Not Found Page */ require("./Modules/Functions.php"); - require("./Public/Error/404.html"); - return; + return require("./Public/Error/404.php"); } } diff --git a/snyk.sarif b/snyk.sarif index 37f9936..043c8d7 100644 --- a/snyk.sarif +++ b/snyk.sarif 
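Review bot: composer.json declares caret ranges for delfimov/translate and monolog/monolog, but no composer.lock appears in this diff, so the `composer install` step the README in this commit introduces resolves to whichever newest matching releases exist at install time rather than a reviewed set; commit the lockfile so installs are reproducible and the dependency tree can be audited. Neither package is referenced by the PHP changed in this commit (translate() in Modules/Functions.php calls the remote endpoint directly), so it is not clear from the diff that either is needed yet.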
@@ -1,26 +1,26 @@ -{ - "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", - "version": "2.1.0", - "runs": [ - { - "tool": { - "driver": { - "name": "SnykCode", - "semanticVersion": "1.0.0", - "version": "1.0.0", - "rules": [] - } - }, - "results": [], - "properties": { - "coverage": [ - { - "files": 5, - "isSupported": true, - "lang": "PHP (beta)" - } - ] - } - } - ] -} +{ + "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", + "version": "2.1.0", + "runs": [ + { + "tool": { + "driver": { + "name": "SnykCode", + "semanticVersion": "1.0.0", + "version": "1.0.0", + "rules": [] + } + }, + "results": [], + "properties": { + "coverage": [ + { + "files": 5, + "isSupported": true, + "lang": "PHP (beta)" + } + ] + } + } + ] +}