From ed589ef65b96e7f10a5007ab6a0fa6e09e00cfd2 Mon Sep 17 00:00:00 2001 From: johnnyq Date: Thu, 9 Oct 2025 12:28:38 -0400 Subject: [PATCH 001/112] Update Backup / Restore, now streams backup and restore to disk instead of memory causing memory to run out, sets timeout limit to unlimited, checks backup file contents for anything bad, use php instead shell exec for import of db, added .htaccess for apache to prevent php execution in /uploads/ directory as this is intended for file download only --- admin/post/backup.php | 349 +++++++++++++++++++++++++------------- setup/index.php | 283 ++++++++++++++++++++----------- setup/setup_functions.php | 347 +++++++++++++++++++++++++++++++++++++ uploads/.htaccess | 11 ++ 4 files changed, 780 insertions(+), 210 deletions(-) create mode 100644 setup/setup_functions.php create mode 100644 uploads/.htaccess diff --git a/admin/post/backup.php b/admin/post/backup.php index eac494cd..6abe4c67 100644 --- a/admin/post/backup.php +++ b/admin/post/backup.php @@ -2,185 +2,304 @@ /* * ITFlow - GET/POST request handler for DB / master key backup + * Rewritten with streaming SQL dump, component checksums, safer zipping, and better headers. */ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed"); require_once "../includes/app_version.php"; -if (isset($_GET['download_backup'])) { - - validateCSRFToken($_GET['csrf_token']); - - $timestamp = date('YmdHis'); - $baseName = "itflow_$timestamp"; +// --- Optional performance levers for big backups --- +@set_time_limit(0); +if (function_exists('ini_set')) { + @ini_set('memory_limit', '1024M'); +} - // === 0. Scoped cleanup === - $cleanupFiles = []; +/** + * Write a line to a file handle with newline. + */ +function fwrite_ln($fh, string $s): void { + fwrite($fh, $s); + fwrite($fh, PHP_EOL); +} - $registerTempFileForCleanup = function ($file) use (&$cleanupFiles) { - $cleanupFiles[] = $file; - }; - - register_shutdown_function(function () use (&$cleanupFiles) { - foreach ($cleanupFiles as $file) { - if (is_file($file)) { - @unlink($file); - } - } - }); - - // === 1. Local helper function: zipFolder - $zipFolder = function ($folderPath, $zipFilePath) { - $zip = new ZipArchive(); - if ($zip->open($zipFilePath, ZipArchive::CREATE | ZipArchive::OVERWRITE) !== TRUE) { - error_log("Failed to open zip file: $zipFilePath"); - http_response_code(500); - exit("Internal Server Error: Cannot open zip archive."); - } - - $folderPath = realpath($folderPath); - if (!$folderPath) { - error_log("Invalid folder path: $folderPath"); - http_response_code(500); - exit("Internal Server Error: Invalid folder path."); - } - - $files = new RecursiveIteratorIterator( - new RecursiveDirectoryIterator($folderPath), - RecursiveIteratorIterator::LEAVES_ONLY - ); - - foreach ($files as $file) { - if (!$file->isDir()) { - $filePath = $file->getRealPath(); - $relativePath = substr($filePath, strlen($folderPath) + 1); - $zip->addFile($filePath, $relativePath); - } - } - - $zip->close(); - }; - - // === 2. Create all temp files - $sqlFile = tempnam(sys_get_temp_dir(), $baseName . "_sql_"); - $uploadsZip = tempnam(sys_get_temp_dir(), $baseName . "_uploads_"); - $versionFile = tempnam(sys_get_temp_dir(), $baseName . "_version_"); - $finalZip = tempnam(sys_get_temp_dir(), $baseName . "_backup_"); - - foreach ([$sqlFile, $uploadsZip, $versionFile, $finalZip] as $f) { - $registerTempFileForCleanup($f); - chmod($f, 0600); +/** + * Stream a SQL dump of schema and data into $sqlFile. + * - Tables first (DROP + CREATE + INSERTs) + * - Views (DROP VIEW + CREATE VIEW) + * - Triggers (DROP TRIGGER + CREATE TRIGGER) + * + * NOTE: Routines/events are not dumped here. Add if needed. + */ +function dump_database_streaming(mysqli $mysqli, string $sqlFile): void { + $fh = fopen($sqlFile, 'wb'); + if (!$fh) { + http_response_code(500); + exit("Cannot open dump file"); } - // === 3. Generate SQL Dump - $sqlContent = "-- UTF-8 + Foreign Key Safe Dump\n"; - $sqlContent .= "SET NAMES 'utf8mb4';\n"; - $sqlContent .= "SET foreign_key_checks = 0;\n\n"; + // Preamble + fwrite_ln($fh, "-- UTF-8 + Foreign Key Safe Dump"); + fwrite_ln($fh, "SET NAMES 'utf8mb4';"); + fwrite_ln($fh, "SET FOREIGN_KEY_CHECKS = 0;"); + fwrite_ln($fh, "SET UNIQUE_CHECKS = 0;"); + fwrite_ln($fh, "SET AUTOCOMMIT = 0;"); + fwrite_ln($fh, ""); + // Gather tables and views $tables = []; - $res = $mysqli->query("SHOW TABLES"); + $views = []; + + $res = $mysqli->query("SHOW FULL TABLES"); if (!$res) { - error_log("MySQL Error: " . $mysqli->error); + fclose($fh); + error_log("MySQL Error (SHOW FULL TABLES): " . $mysqli->error); + http_response_code(500); exit("Error retrieving tables."); } + while ($row = $res->fetch_array(MYSQLI_NUM)) { + $name = $row[0]; + $type = strtoupper($row[1] ?? ''); + if ($type === 'VIEW') { + $views[] = $name; + } else { + $tables[] = $name; + } + } + $res->close(); - while ($row = $res->fetch_row()) { - $tables[] = $row[0]; + // --- TABLES: structure and data --- + foreach ($tables as $table) { + $createRes = $mysqli->query("SHOW CREATE TABLE `{$mysqli->real_escape_string($table)}`"); + if (!$createRes) { + error_log("MySQL Error (SHOW CREATE TABLE $table): " . $mysqli->error); + // continue to next table + continue; + } + $createRow = $createRes->fetch_assoc(); + $createSQL = array_values($createRow)[1] ?? ''; + $createRes->close(); + + fwrite_ln($fh, "-- ----------------------------"); + fwrite_ln($fh, "-- Table structure for `{$table}`"); + fwrite_ln($fh, "-- ----------------------------"); + fwrite_ln($fh, "DROP TABLE IF EXISTS `{$table}`;"); + fwrite_ln($fh, $createSQL . ";"); + fwrite_ln($fh, ""); + + // Dump data in a streaming fashion + $dataRes = $mysqli->query("SELECT * FROM `{$mysqli->real_escape_string($table)}`", MYSQLI_USE_RESULT); + if ($dataRes) { + $wroteHeader = false; + while ($row = $dataRes->fetch_assoc()) { + if (!$wroteHeader) { + fwrite_ln($fh, "-- Dumping data for table `{$table}`"); + $wroteHeader = true; + } + $cols = array_map(fn($c) => '`' . $mysqli->real_escape_string($c) . '`', array_keys($row)); + $vals = array_map( + function ($v) use ($mysqli) { + return is_null($v) ? "NULL" : "'" . $mysqli->real_escape_string($v) . "'"; + }, + array_values($row) + ); + fwrite_ln($fh, "INSERT INTO `{$table}` (" . implode(", ", $cols) . ") VALUES (" . implode(", ", $vals) . ");"); + } + $dataRes->close(); + if ($wroteHeader) fwrite_ln($fh, ""); + } } - foreach ($tables as $table) { - $createRes = $mysqli->query("SHOW CREATE TABLE `$table`"); - if (!$createRes) { - error_log("MySQL Error: " . $mysqli->error); + // --- VIEWS --- + foreach ($views as $view) { + $escView = $mysqli->real_escape_string($view); + $cRes = $mysqli->query("SHOW CREATE VIEW `{$escView}`"); + if ($cRes) { + $row = $cRes->fetch_assoc(); + $createView = $row['Create View'] ?? ''; + $cRes->close(); + + fwrite_ln($fh, "-- ----------------------------"); + fwrite_ln($fh, "-- View structure for `{$view}`"); + fwrite_ln($fh, "-- ----------------------------"); + fwrite_ln($fh, "DROP VIEW IF EXISTS `{$view}`;"); + // Ensure statement ends with semicolon + if (!str_ends_with($createView, ';')) $createView .= ';'; + fwrite_ln($fh, $createView); + fwrite_ln($fh, ""); + } + } + + // --- TRIGGERS --- + $tRes = $mysqli->query("SHOW TRIGGERS"); + if ($tRes) { + while ($t = $tRes->fetch_assoc()) { + $triggerName = $t['Trigger']; + $escTrig = $mysqli->real_escape_string($triggerName); + $crt = $mysqli->query("SHOW CREATE TRIGGER `{$escTrig}`"); + if ($crt) { + $row = $crt->fetch_assoc(); + $createTrig = $row['SQL Original Statement'] ?? ($row['Create Trigger'] ?? ''); + $crt->close(); + + fwrite_ln($fh, "-- ----------------------------"); + fwrite_ln($fh, "-- Trigger for `{$triggerName}`"); + fwrite_ln($fh, "-- ----------------------------"); + fwrite_ln($fh, "DROP TRIGGER IF EXISTS `{$triggerName}`;"); + if (!str_ends_with($createTrig, ';')) $createTrig .= ';'; + fwrite_ln($fh, $createTrig); + fwrite_ln($fh, ""); + } + } + $tRes->close(); + } + + // Postamble + fwrite_ln($fh, "SET FOREIGN_KEY_CHECKS = 1;"); + fwrite_ln($fh, "SET UNIQUE_CHECKS = 1;"); + fwrite_ln($fh, "COMMIT;"); + + fclose($fh); +} + +/** + * Zip a folder to $zipFilePath, skipping symlinks and dot-entries. + */ +function zipFolderStrict(string $folderPath, string $zipFilePath): void { + $zip = new ZipArchive(); + if ($zip->open($zipFilePath, ZipArchive::CREATE | ZipArchive::OVERWRITE) !== TRUE) { + error_log("Failed to open zip file: $zipFilePath"); + http_response_code(500); + exit("Internal Server Error: Cannot open zip archive."); + } + + $folderReal = realpath($folderPath); + if (!$folderReal || !is_dir($folderReal)) { + // Create an empty archive if uploads folder doesn't exist yet + $zip->close(); + return; + } + + $files = new RecursiveIteratorIterator( + new RecursiveDirectoryIterator($folderReal, FilesystemIterator::SKIP_DOTS), + RecursiveIteratorIterator::LEAVES_ONLY + ); + + foreach ($files as $file) { + /** @var SplFileInfo $file */ + if ($file->isDir()) continue; + if ($file->isLink()) continue; // skip symlinks + $filePath = $file->getRealPath(); + if ($filePath === false) continue; + + // ensure path is inside the folder boundary + if (strpos($filePath, $folderReal . DIRECTORY_SEPARATOR) !== 0 && $filePath !== $folderReal) { continue; } - $createRow = $createRes->fetch_assoc(); - $createSQL = array_values($createRow)[1]; - - $sqlContent .= "\n-- ----------------------------\n"; - $sqlContent .= "-- Table structure for `$table`\n"; - $sqlContent .= "-- ----------------------------\n"; - $sqlContent .= "DROP TABLE IF EXISTS `$table`;\n"; - $sqlContent .= $createSQL . ";\n\n"; - - $dataRes = $mysqli->query("SELECT * FROM `$table`"); - if ($dataRes && $dataRes->num_rows > 0) { - $sqlContent .= "-- Dumping data for table `$table`\n"; - while ($row = $dataRes->fetch_assoc()) { - $columns = array_map(fn($col) => '`' . $mysqli->real_escape_string($col) . '`', array_keys($row)); - $values = array_map(function ($val) use ($mysqli) { - return is_null($val) ? "NULL" : "'" . $mysqli->real_escape_string($val) . "'"; - }, array_values($row)); - $sqlContent .= "INSERT INTO `$table` (" . implode(", ", $columns) . ") VALUES (" . implode(", ", $values) . ");\n"; - } - $sqlContent .= "\n"; - } + $relativePath = substr($filePath, strlen($folderReal) + 1); + $zip->addFile($filePath, $relativePath); } - $sqlContent .= "SET foreign_key_checks = 1;\n"; - file_put_contents($sqlFile, $sqlContent); + $zip->close(); +} - // === 4. Zip the uploads folder - $zipFolder("../uploads", $uploadsZip); +if (isset($_GET['download_backup'])) { - // === 5. Create version.txt - $commitHash = trim(shell_exec('git log -1 --format=%H')) ?: 'N/A'; - $gitBranch = trim(shell_exec('git rev-parse --abbrev-ref HEAD')) ?: 'N/A'; + validateCSRFToken($_GET['csrf_token']); - $versionContent = "ITFlow Backup Metadata\n"; + $timestamp = date('YmdHis'); + $baseName = "itflow_{$timestamp}"; + $downloadName = $baseName . ".zip"; + + // === Scoped cleanup of temp files === + $cleanupFiles = []; + $registerTempFileForCleanup = function ($file) use (&$cleanupFiles) { + $cleanupFiles[] = $file; + }; + register_shutdown_function(function () use (&$cleanupFiles) { + foreach ($cleanupFiles as $file) { + if (is_file($file)) { @unlink($file); } + } + }); + + // === Create temp files === + $sqlFile = tempnam(sys_get_temp_dir(), $baseName . "_sql_"); + $uploadsZip = tempnam(sys_get_temp_dir(), $baseName . "_uploads_"); + $versionFile = tempnam(sys_get_temp_dir(), $baseName . "_version_"); + $finalZip = tempnam(sys_get_temp_dir(), $baseName . "_backup_"); + + foreach ([$sqlFile, $uploadsZip, $versionFile, $finalZip] as $f) { + $registerTempFileForCleanup($f); + @chmod($f, 0600); + } + + // === Generate SQL Dump (streaming) === + dump_database_streaming($mysqli, $sqlFile); + + // === Zip the uploads folder (strict) === + zipFolderStrict("../uploads", $uploadsZip); + + // === Gather metadata & checksums === + $commitHash = (function_exists('shell_exec') ? trim(shell_exec('git log -1 --format=%H 2>/dev/null')) : '') ?: 'N/A'; + $gitBranch = (function_exists('shell_exec') ? trim(shell_exec('git rev-parse --abbrev-ref HEAD 2>/dev/null')) : '') ?: 'N/A'; + + $dbSha = hash_file('sha256', $sqlFile) ?: 'N/A'; + $upSha = hash_file('sha256', $uploadsZip) ?: 'N/A'; + + $versionContent = "ITFlow Backup Metadata\n"; $versionContent .= "-----------------------------\n"; $versionContent .= "Generated: " . date('Y-m-d H:i:s') . "\n"; - $versionContent .= "Backup File: " . basename($finalZip) . "\n"; - $versionContent .= "Generated By: $session_name\n"; + $versionContent .= "Backup File: " . $downloadName . "\n"; + $versionContent .= "Generated By: " . ($session_name ?? 'Unknown User') . "\n"; $versionContent .= "Host: " . gethostname() . "\n"; $versionContent .= "Git Branch: $gitBranch\n"; $versionContent .= "Git Commit: $commitHash\n"; $versionContent .= "ITFlow Version: " . (defined('APP_VERSION') ? APP_VERSION : 'Unknown') . "\n"; $versionContent .= "Database Version: " . (defined('CURRENT_DATABASE_VERSION') ? CURRENT_DATABASE_VERSION : 'Unknown') . "\n"; - $versionContent .= "Checksum (SHA256): \n"; + $versionContent .= "Checksums (SHA256):\n"; + $versionContent .= " db.sql: $dbSha\n"; + $versionContent .= " uploads.zip: $upSha\n"; file_put_contents($versionFile, $versionContent); + @chmod($versionFile, 0600); - // === 6. Build final ZIP + // === Build final ZIP === $final = new ZipArchive(); if ($final->open($finalZip, ZipArchive::CREATE | ZipArchive::OVERWRITE) !== TRUE) { error_log("Failed to create final zip: $finalZip"); http_response_code(500); exit("Internal Server Error: Unable to create backup archive."); } - $final->addFile($sqlFile, "db.sql"); $final->addFile($uploadsZip, "uploads.zip"); $final->addFile($versionFile, "version.txt"); $final->close(); - chmod($finalZip, 0600); + @chmod($finalZip, 0600); - $checksum = hash_file('sha256', $finalZip); - file_put_contents($versionFile, $versionContent . "$checksum\n"); - - // === 7. Serve final ZIP + // === Serve final ZIP with a stable filename === header('Content-Type: application/zip'); - header('Content-Disposition: attachment; filename="' . basename($finalZip) . '"'); + header('X-Content-Type-Options: nosniff'); + header('Content-Disposition: attachment; filename="' . $downloadName . '"'); header('Content-Length: ' . filesize($finalZip)); header('Pragma: public'); header('Expires: 0'); header('Cache-Control: must-revalidate, post-check=0, pre-check=0'); header('Content-Transfer-Encoding: binary'); + // Push file flush(); $fp = fopen($finalZip, 'rb'); fpassthru($fp); fclose($fp); - logAction("System", "Backup Download", "$session_name downloaded full backup."); + // Log + UX + logAction("System", "Backup Download", ($session_name ?? 'Unknown User') . " downloaded full backup."); flash_alert("Full backup downloaded."); exit; } - if (isset($_POST['backup_master_key'])) { validateCSRFToken($_POST['csrf_token']); diff --git a/setup/index.php b/setup/index.php index bd30655c..112f402f 100644 --- a/setup/index.php +++ b/setup/index.php @@ -5,7 +5,8 @@ if (file_exists("../config.php")) { } -include "../functions.php"; +include "../functions.php"; // Global Functions +include "setup_functions.php"; // Setup Only Functions include "../includes/database_version.php"; if (!isset($config_enable_setup)) { @@ -127,134 +128,220 @@ if (isset($_POST['add_database'])) { if (isset($_POST['restore'])) { - // === 1. Validate uploaded file === + // --- CSRF check (add a token to the form; see form snippet below) --- + if (!hash_equals($_SESSION['csrf'] ?? '', $_POST['csrf'] ?? '')) { + http_response_code(403); + exit("Invalid CSRF token."); + } + + // --- Basic env guards for long operations --- + @set_time_limit(0); + if (function_exists('ini_set')) { @ini_set('memory_limit', '1024M'); } + + // --- 1) Validate uploaded file --- if (!isset($_FILES['backup_zip']) || $_FILES['backup_zip']['error'] !== UPLOAD_ERR_OK) { die("No backup file uploaded or upload failed."); } - $file = $_FILES['backup_zip']; - $fileExt = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION)); - if ($fileExt !== "zip") { + + // Size limit (e.g., 4 GB) + if ($file['size'] > 4 * 1024 * 1024 * 1024) { + die("Backup archive is too large."); + } + + // MIME check + $fi = new finfo(FILEINFO_MIME_TYPE); + $mime = $fi->file($file['tmp_name']); + if ($mime !== 'application/zip' && $mime !== 'application/x-zip-compressed') { + die("Invalid archive type; only .zip is supported."); + } + + // Extension check (defense in depth) + $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION)); + if ($ext !== 'zip') { die("Only .zip files are allowed."); } - // === 2. Move to secure temp location === - $tempZip = tempnam(sys_get_temp_dir(), "restore_"); + // --- 2) Move to secure temp location --- + $timestamp = date('YmdHis'); + $tempZip = tempnam(sys_get_temp_dir(), "restore_{$timestamp}_"); if (!move_uploaded_file($file["tmp_name"], $tempZip)) { die("Failed to save uploaded backup file."); } + @chmod($tempZip, 0600); + + // --- 3) Extract safely to unique temp dir --- + $tempDir = sys_get_temp_dir() . "/restore_temp_" . bin2hex(random_bytes(6)); + if (!mkdir($tempDir, 0700, true)) { + @unlink($tempZip); + die("Failed to create temp directory."); + } $zip = new ZipArchive; if ($zip->open($tempZip) !== TRUE) { - unlink($tempZip); + @unlink($tempZip); + deleteDir($tempDir); die("Failed to open backup zip file."); } - // === 3. Zip-slip protection and extract to unique dir === - $tempDir = sys_get_temp_dir() . "/restore_temp_" . uniqid(); - mkdir($tempDir, 0700, true); - - for ($i = 0; $i < $zip->numFiles; $i++) { - $stat = $zip->statIndex($i); - if (strpos($stat['name'], '..') !== false) { - $zip->close(); - unlink($tempZip); - die("Invalid file path in ZIP."); - } - } - - if (!$zip->extractTo($tempDir)) { + try { + safeExtractZip($zip, $tempDir); + } catch (Throwable $e) { $zip->close(); - unlink($tempZip); - die("Failed to extract backup contents."); + @unlink($tempZip); + deleteDir($tempDir); + die("Invalid backup archive: " . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8')); } - $zip->close(); - unlink($tempZip); + @unlink($tempZip); - // === 4. Restore SQL === - $sqlPath = "$tempDir/db.sql"; - if (file_exists($sqlPath)) { - mysqli_query($mysqli, "SET foreign_key_checks = 0"); - $tables = mysqli_query($mysqli, "SHOW TABLES"); - while ($row = mysqli_fetch_array($tables)) { - mysqli_query($mysqli, "DROP TABLE IF EXISTS `" . $row[0] . "`"); - } - mysqli_query($mysqli, "SET foreign_key_checks = 1"); + // Paths inside extracted archive + $sqlPath = $tempDir . "/db.sql"; + $uploadsZip = $tempDir . "/uploads.zip"; + $versionTxt = $tempDir . "/version.txt"; - // Use env var to avoid exposing password - putenv("MYSQL_PWD=$dbpassword"); - $command = sprintf( - 'mysql -h%s -u%s %s < %s', - escapeshellarg($dbhost), - escapeshellarg($dbusername), - escapeshellarg($database), - escapeshellarg($sqlPath) - ); - - exec($command, $output, $returnCode); - if ($returnCode !== 0) { - deleteDir($tempDir); - die("SQL import failed. Error code: $returnCode"); - } - } else { + if (!is_file($sqlPath) || !is_readable($sqlPath)) { deleteDir($tempDir); die("Missing db.sql in the backup archive."); } - - // === 5. Restore uploads directory === - $uploadDir = __DIR__ . "/../uploads/"; - $uploadsZip = "$tempDir/uploads.zip"; - - if (file_exists($uploadsZip)) { - $uploads = new ZipArchive; - if ($uploads->open($uploadsZip) === TRUE) { - // Clean existing uploads - foreach (new RecursiveIteratorIterator( - new RecursiveDirectoryIterator($uploadDir, FilesystemIterator::SKIP_DOTS), - RecursiveIteratorIterator::CHILD_FIRST - ) as $item) { - $item->isDir() ? rmdir($item) : unlink($item); - } - - $uploads->extractTo($uploadDir); - $uploads->close(); - } else { - deleteDir($tempDir); - die("Failed to open uploads.zip in backup."); - } - } else { + if (!is_file($uploadsZip) || !is_readable($uploadsZip)) { deleteDir($tempDir); die("Missing uploads.zip in the backup archive."); } - // === 6. Read version.txt (optional display/logging) === - $versionTxt = "$tempDir/version.txt"; - if (file_exists($versionTxt)) { - $versionInfo = file_get_contents($versionTxt); - logAction("Backup Restore", "Version Info", $versionInfo); + // --- 4) Optional: check version compatibility --- + if (defined('LATEST_DATABASE_VERSION') && is_file($versionTxt)) { + $txt = @file_get_contents($versionTxt) ?: ''; + // Try to find line "Database Version: X" + if (preg_match('/^Database Version:\s*(.+)$/mi', $txt, $m)) { + $backupVersion = trim($m[1]); + $running = LATEST_DATABASE_VERSION; + // If backup schema is newer, abort with instruction + if (version_compare($backupVersion, $running, '>')) { + deleteDir($tempDir); + die("Backup schema ($backupVersion) is newer than this app ($running). Please upgrade ITFlow first, then retry restore."); + } + } } - // === 7. Clean up temp dir === - function deleteDir($dir) { - if (!is_dir($dir)) return; - $items = new RecursiveIteratorIterator( - new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS), - RecursiveIteratorIterator::CHILD_FIRST - ); - foreach ($items as $item) { - $item->isDir() ? rmdir($item) : unlink($item); + // --- 5) Restore SQL (drop + import) --- + // Drop all tables + mysqli_query($mysqli, "SET FOREIGN_KEY_CHECKS = 0"); + $tables = mysqli_query($mysqli, "SHOW TABLES"); + if ($tables) { + while ($row = mysqli_fetch_array($tables)) { + $tbl = $row[0]; + mysqli_query($mysqli, "DROP TABLE IF EXISTS `".$mysqli->real_escape_string($tbl)."`"); } - rmdir($dir); } + mysqli_query($mysqli, "SET FOREIGN_KEY_CHECKS = 1"); + + try { + importSqlFile($mysqli, $sqlPath); + } catch (Throwable $e) { + deleteDir($tempDir); + die("SQL import failed: " . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8')); + } + + // --- 6) Restore uploads via staging + atomic swap --- + $appRoot = realpath(__DIR__ . "/.."); + $uploadDir = realpath($appRoot . "/uploads"); + if ($uploadDir === false) { + // uploads might not exist yet + $uploadDir = $appRoot . "/uploads"; + if (!mkdir($uploadDir, 0750, true)) { + deleteDir($tempDir); + die("Failed to create uploads directory."); + } + $uploadDir = realpath($uploadDir); + } + + if ($uploadDir === false || str_starts_with($uploadDir, $appRoot) === false) { + deleteDir($tempDir); + die("Uploads directory path invalid."); + } + + $staging = $appRoot . "/uploads_restoring_" . bin2hex(random_bytes(4)); + if (!mkdir($staging, 0700, true)) { + deleteDir($tempDir); + die("Failed to create staging directory."); + } + + $uz = new ZipArchive; + if ($uz->open($uploadsZip) !== TRUE) { + deleteDir($staging); + deleteDir($tempDir); + die("Failed to open uploads.zip in backup."); + } + + // IMPORTANT: staging dir should be empty here (as in your existing flow) + $result = extractUploadsZipWithValidationReport($uz, $staging, [ + 'max_file_bytes' => 200 * 1024 * 1024, // adjust per-file size cap + 'blocked_exts' => [ + 'php','php3','php4','php5','php7','php8','phtml','phar', + 'cgi','pl','sh','bash','zsh','exe','dll','bat','cmd','com', + 'ps1','vbs','vb','jar','jsp','asp','aspx','so','dylib','bin' + ], + ]); + $uz->close(); + + if (!$result['ok']) { + // Build a user-friendly report + $lines = ["Unsafe file(s) detected in uploads.zip:"]; + foreach ($result['issues'] as $issue) { + $p = htmlspecialchars($issue['path'], ENT_QUOTES, 'UTF-8'); + $r = htmlspecialchars($issue['reason'], ENT_QUOTES, 'UTF-8'); + $lines[] = "• {$p} — {$r}"; + } + + // Clean staging and temp and show the report + deleteDir($staging); + deleteDir($tempDir); + + $_SESSION['alert_message'] = nl2br(implode("\n", $lines)); + header("Location: ?restore"); + exit; + + } + + // Rotate old uploads out, promote staging in + $backupOld = $appRoot . "/uploads_old_" . time(); + if (!rename($uploadDir, $backupOld)) { + deleteDir($staging); + deleteDir($tempDir); + die("Failed to rotate old uploads."); + } + if (!rename($staging, $uploadDir)) { + // try to revert + @rename($backupOld, $uploadDir); + deleteDir($tempDir); + die("Failed to promote restored uploads."); + } + // Optional: clean old uploads now or keep briefly for rollback + // deleteDir($backupOld); + + // --- 7) Log version info (optional) --- + if (is_file($versionTxt)) { + $versionInfo = @file_get_contents($versionTxt); + if ($versionInfo !== false) { + logAction("Backup Restore", "Version Info", $versionInfo); + } + } + + // --- 8) Cleanup temp dir --- deleteDir($tempDir); - // === 8. Optional: finalize setup flag === - $myfile = fopen("../config.php", "a"); - fwrite($myfile, "\$config_enable_setup = 0;\n\n"); - fclose($myfile); + // --- 9) Finalize setup flag (idempotent) --- + try { + setConfigFlag("../config.php", "config_enable_setup", 0); + } catch (Throwable $e) { + // Non-fatal; warn but continue to login + $_SESSION['alert_message'] = "Backup restored, but failed to finalize setup flag in config.php: " . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8'); + header("Location: ../login.php"); + exit; + } - // === 9. Done === + // --- 10) Done --- $_SESSION['alert_message'] = "Full backup restored successfully."; header("Location: ../login.php"); exit; @@ -1109,9 +1196,15 @@ if (isset($_POST['add_telemetry'])) {

Restore from Backup

-
+ + + +

Large restores may take several minutes. Do not close this page.

- -

Large restores may take several minutes. Do not close this page.

From b7e0e5c5eb79a83b9d64732ad6796b9f2614876a Mon Sep 17 00:00:00 2001 From: johnnyq Date: Thu, 9 Oct 2025 13:00:00 -0400 Subject: [PATCH 003/112] Fix setup complete flag --- setup/index.php | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/setup/index.php b/setup/index.php index 94d2f6dc..4846e981 100644 --- a/setup/index.php +++ b/setup/index.php @@ -325,15 +325,12 @@ if (isset($_POST['restore'])) { // --- 8) Cleanup temp dir --- deleteDir($tempDir); - // --- 9) Finalize setup flag (idempotent) --- - try { - setConfigFlag("../config.php", "config_enable_setup", 0); - } catch (Throwable $e) { - // Non-fatal; warn but continue to login - $_SESSION['alert_message'] = "Backup restored, but failed to finalize setup flag in config.php: " . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8'); - header("Location: ../login.php"); - exit; - } + // --- 9) Finalize setup flag --- + $myfile = fopen("../config.php", "a"); + $txt = "\$config_enable_setup = 0;\n\n"; + + fwrite($myfile, $txt); + fclose($myfile); // --- 10) Done --- $_SESSION['alert_message'] = "Full backup restored successfully."; From 2c534d4d20f8021ebfdc6a9c61df909609f391e3 Mon Sep 17 00:00:00 2001 From: johnnyq Date: Thu, 9 Oct 2025 18:10:21 -0400 Subject: [PATCH 004/112] Attempt to fix uploads and writing to config file during setup --- setup/index.php | 233 ++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 195 insertions(+), 38 deletions(-) diff --git a/setup/index.php b/setup/index.php index 4846e981..71868d0e 100644 --- a/setup/index.php +++ b/setup/index.php @@ -126,8 +126,127 @@ if (isset($_POST['add_database'])) { } +isFile()) $count++; + } + return $count; + } + } + + if (!function_exists('setConfigFlagAtomic')) { + function setConfigFlagAtomic(string $file, string $key, $value): void { + clearstatcache(true, $file); + if (!file_exists($file)) throw new RuntimeException("config.php not found: $file"); + if (!is_readable($file)) throw new RuntimeException("config.php not readable: $file"); + if (!is_writable($file)) throw new RuntimeException("config.php not writable: $file"); + + $cfg = file_get_contents($file); + if ($cfg === false) throw new RuntimeException("Failed to read config.php"); + $cfg = str_replace("\r\n", "\n", $cfg); + + $scalar = is_bool($value) ? ($value ? 'true' : 'false') : var_export($value, true); + $line = '$' . $key . ' = ' . $scalar . ';'; + + $pattern = '/^\s*\$' . preg_quote($key, '/') . '\s*=\s*.*?;\s*$/m'; + if (preg_match($pattern, $cfg)) { + $cfg = preg_replace($pattern, $line, $cfg, 1); + } else { + if (preg_match('/\?>\s*$/', $cfg)) { + $cfg = preg_replace('/\?>\s*$/', "\n$line\n?>\n", $cfg, 1); + } else { + if ($cfg !== '' && substr($cfg, -1) !== "\n") $cfg .= "\n"; + $cfg .= $line . "\n"; + } + } + + $dir = dirname($file); + $temp = tempnam($dir, 'cfg_'); + if ($temp === false) throw new RuntimeException("Failed to create temp file in $dir"); + if (file_put_contents($temp, $cfg, LOCK_EX) === false) { + @unlink($temp); + throw new RuntimeException("Failed to write temp config"); + } + + $perms = @fileperms($file); + if ($perms !== false) { @chmod($temp, $perms & 0777); } + if (!@rename($temp, $file)) { + @unlink($temp); + throw new RuntimeException("Failed to atomically replace config.php"); + } + if (function_exists('opcache_invalidate')) { + @opcache_invalidate($file, true); + } + } + } + // ---------- /inline helpers ---------- + // --- Basic env guards for long operations --- @set_time_limit(0); if (function_exists('ini_set')) { @ini_set('memory_limit', '1024M'); } @@ -138,19 +257,16 @@ if (isset($_POST['restore'])) { } $file = $_FILES['backup_zip']; - // Size limit (e.g., 4 GB) if ($file['size'] > 4 * 1024 * 1024 * 1024) { die("Backup archive is too large."); } - // MIME check $fi = new finfo(FILEINFO_MIME_TYPE); $mime = $fi->file($file['tmp_name']); if ($mime !== 'application/zip' && $mime !== 'application/x-zip-compressed') { die("Invalid archive type; only .zip is supported."); } - // Extension check (defense in depth) $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION)); if ($ext !== 'zip') { die("Only .zip files are allowed."); @@ -164,7 +280,7 @@ if (isset($_POST['restore'])) { } @chmod($tempZip, 0600); - // --- 3) Extract safely to unique temp dir --- + // --- 3) Extract the OUTER backup zip to a unique temp dir --- $tempDir = sys_get_temp_dir() . "/restore_temp_" . bin2hex(random_bytes(6)); if (!mkdir($tempDir, 0700, true)) { @unlink($tempZip); @@ -189,9 +305,9 @@ if (isset($_POST['restore'])) { $zip->close(); @unlink($tempZip); - // Paths inside extracted archive + // --- Expected inner files --- $sqlPath = $tempDir . "/db.sql"; - $uploadsZip = $tempDir . "/uploads.zip"; + $uploadsZip = $tempDir . "/uploads.zip"; // <- inner uploads zip $versionTxt = $tempDir . "/version.txt"; if (!is_file($sqlPath) || !is_readable($sqlPath)) { @@ -203,14 +319,12 @@ if (isset($_POST['restore'])) { die("Missing uploads.zip in the backup archive."); } - // --- 4) Optional: check version compatibility --- + // --- 4) Optional: check DB version compatibility --- if (defined('LATEST_DATABASE_VERSION') && is_file($versionTxt)) { $txt = @file_get_contents($versionTxt) ?: ''; - // Try to find line "Database Version: X" if (preg_match('/^Database Version:\s*(.+)$/mi', $txt, $m)) { $backupVersion = trim($m[1]); $running = LATEST_DATABASE_VERSION; - // If backup schema is newer, abort with instruction if (version_compare($backupVersion, $running, '>')) { deleteDir($tempDir); die("Backup schema ($backupVersion) is newer than this app ($running). Please upgrade ITFlow first, then retry restore."); @@ -219,7 +333,6 @@ if (isset($_POST['restore'])) { } // --- 5) Restore SQL (drop + import) --- - // Drop all tables mysqli_query($mysqli, "SET FOREIGN_KEY_CHECKS = 0"); $tables = mysqli_query($mysqli, "SHOW TABLES"); if ($tables) { @@ -237,11 +350,10 @@ if (isset($_POST['restore'])) { die("SQL import failed: " . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8')); } - // --- 6) Restore uploads via staging + atomic swap --- + // --- 6) Restore UPLOADS (the inner uploads.zip) via staging + robust swap --- $appRoot = realpath(__DIR__ . "/.."); $uploadDir = realpath($appRoot . "/uploads"); if ($uploadDir === false) { - // uploads might not exist yet $uploadDir = $appRoot . "/uploads"; if (!mkdir($uploadDir, 0750, true)) { deleteDir($tempDir); @@ -249,13 +361,16 @@ if (isset($_POST['restore'])) { } $uploadDir = realpath($uploadDir); } - - if ($uploadDir === false || str_starts_with($uploadDir, $appRoot) === false) { + if ($uploadDir === false || strpos($uploadDir, $appRoot) !== 0) { deleteDir($tempDir); die("Uploads directory path invalid."); } + if (!is_writable(dirname($uploadDir))) { + deleteDir($tempDir); + die("Uploads restore failed: target parent dir is not writable by web server."); + } - $staging = $appRoot . "/uploads_restoring_" . bin2hex(random_bytes(4)); + $staging = $appRoot . "/uploads_restoring_" . bin2hex(random_bytes(4)); if (!mkdir($staging, 0700, true)) { deleteDir($tempDir); die("Failed to create staging directory."); @@ -268,9 +383,9 @@ if (isset($_POST['restore'])) { die("Failed to open uploads.zip in backup."); } - // IMPORTANT: staging dir should be empty here (as in your existing flow) + // Validate + buffer all entries; no writes if any issue (scan-report mode) $result = extractUploadsZipWithValidationReport($uz, $staging, [ - 'max_file_bytes' => 200 * 1024 * 1024, // adjust per-file size cap + 'max_file_bytes' => 200 * 1024 * 1024, 'blocked_exts' => [ 'php','php3','php4','php5','php7','php8','phtml','phar', 'cgi','pl','sh','bash','zsh','exe','dll','bat','cmd','com', @@ -280,38 +395,73 @@ if (isset($_POST['restore'])) { $uz->close(); if (!$result['ok']) { - // Build a user-friendly report $lines = ["Unsafe file(s) detected in uploads.zip:"]; foreach ($result['issues'] as $issue) { $p = htmlspecialchars($issue['path'], ENT_QUOTES, 'UTF-8'); $r = htmlspecialchars($issue['reason'], ENT_QUOTES, 'UTF-8'); $lines[] = "• {$p} — {$r}"; } - - // Clean staging and temp and show the report deleteDir($staging); deleteDir($tempDir); - $_SESSION['alert_message'] = nl2br(implode("\n", $lines)); header("Location: ?restore"); exit; - } - // Rotate old uploads out, promote staging in - $backupOld = $appRoot . "/uploads_old_" . time(); - if (!rename($uploadDir, $backupOld)) { + // If the inner zip has a single top-level folder (e.g., "uploads/"), promote it + $roots = listTopLevel($staging); + if (count($roots) === 1) { + $candidate = $staging . DIRECTORY_SEPARATOR . $roots[0]; + if (is_dir($candidate)) { + $stagingPromoted = $staging . "_promoted"; + if (!@rename($candidate, $stagingPromoted)) { + recursiveCopy($candidate, $stagingPromoted); // cross-FS fallback + deleteDir($candidate); + } + $old = $staging; + $staging = $stagingPromoted; + deleteDir($old); + } + } + + // Ensure staging has content + if (countFilesRecursive($staging) === 0) { deleteDir($staging); deleteDir($tempDir); - die("Failed to rotate old uploads."); + die("Uploads restore failed: extracted staging is empty. The inner uploads.zip may be malformed or all files were blocked."); } - if (!rename($staging, $uploadDir)) { - // try to revert - @rename($backupOld, $uploadDir); + + // Rotate current uploads out; robust moves on both steps + $backupOld = $appRoot . "/uploads_old_" . time(); + try { + if (is_dir($uploadDir)) { + if (!@rename($uploadDir, $backupOld)) { + recursiveCopy($uploadDir, $backupOld); // cross-FS fallback + deleteDir($uploadDir); + } + } + robustDirMove($staging, $uploadDir); + } catch (Throwable $e) { + // rollback if possible + if (is_dir($backupOld) && !is_dir($uploadDir)) { + @rename($backupOld, $uploadDir); + } + deleteDir($staging); deleteDir($tempDir); - die("Failed to promote restored uploads."); + die("Uploads restore failed during swap: " . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8')); } - // Optional: clean old uploads now or keep briefly for rollback + + // Verify restored uploads; rollback if empty + $restoredCount = countFilesRecursive($uploadDir); + if ($restoredCount === 0) { + if (is_dir($backupOld)) { + @rename($uploadDir, $uploadDir . "_bad_" . time()); + @rename($backupOld, $uploadDir); + } + deleteDir($tempDir); + die("Uploads restore appears empty after swap. Rolled back to old uploads."); + } + // Optionally delete the old uploads after a grace period: // deleteDir($backupOld); // --- 7) Log version info (optional) --- @@ -325,19 +475,26 @@ if (isset($_POST['restore'])) { // --- 8) Cleanup temp dir --- deleteDir($tempDir); - // --- 9) Finalize setup flag --- - $myfile = fopen("../config.php", "a"); - $txt = "\$config_enable_setup = 0;\n\n"; - - fwrite($myfile, $txt); - fclose($myfile); + // --- 9) Finalize setup flag atomically (and clear OPcache) --- + try { + setConfigFlagAtomic(__DIR__ . "/../config.php", "config_enable_setup", 0); + } catch (Throwable $e) { + // Fallback append (best-effort) and allow login + @file_put_contents(__DIR__ . "/../config.php", "\n\$config_enable_setup = 0;\n", FILE_APPEND); + $_SESSION['alert_message'] = + "Backup restored, but couldn’t finalize setup flag automatically: " . + htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8'); + header("Location: ../login.php"); + exit; + } // --- 10) Done --- - $_SESSION['alert_message'] = "Full backup restored successfully."; + $_SESSION['alert_message'] = "Full backup restored successfully. Restored {$restoredCount} upload file(s)."; header("Location: ../login.php"); exit; } + if (isset($_POST['add_user'])) { $user_count = mysqli_num_rows(mysqli_query($mysqli,"SELECT COUNT(*) FROM users")); if ($user_count < 0) { From d122d90a47a3c12e6a733ed649943fdbb625c488 Mon Sep 17 00:00:00 2001 From: johnnyq Date: Thu, 9 Oct 2025 18:11:16 -0400 Subject: [PATCH 005/112] Remove CSRF check --- setup/index.php | 7 ------- 1 file changed, 7 deletions(-) diff --git a/setup/index.php b/setup/index.php index 71868d0e..8a8aaa47 100644 --- a/setup/index.php +++ b/setup/index.php @@ -126,15 +126,8 @@ if (isset($_POST['add_database'])) { } - Date: Thu, 9 Oct 2025 18:27:35 -0400 Subject: [PATCH 006/112] Another attempt at restore --- setup/index.php | 129 ++++++++++++++++++++++++++++++------------------ 1 file changed, 82 insertions(+), 47 deletions(-) diff --git a/setup/index.php b/setup/index.php index 8a8aaa47..83bfab17 100644 --- a/setup/index.php +++ b/setup/index.php @@ -155,14 +155,6 @@ if (isset($_POST['restore'])) { } } - if (!function_exists('robustDirMove')) { - function robustDirMove(string $src, string $dst): void { - if (@rename($src, $dst)) return; // fast path (same filesystem) - recursiveCopy($src, $dst); // cross-FS fallback - deleteDir($src); - } - } - if (!function_exists('listTopLevel')) { function listTopLevel(string $dir): array { if (!is_dir($dir)) return []; @@ -193,6 +185,46 @@ if (isset($_POST['restore'])) { } } + if (!function_exists('mergeCopyCount')) { + /** + * Merge-copy all files from $src into $dst, creating subdirs as needed. + * Overwrites same-named files. Returns number of files written/overwritten. + */ + function mergeCopyCount(string $src, string $dst): int { + if (!is_dir($src)) return 0; + if (!is_dir($dst) && !mkdir($dst, 0750, true)) { + throw new RuntimeException("Failed to create destination: $dst"); + } + $it = new RecursiveIteratorIterator( + new RecursiveDirectoryIterator($src, FilesystemIterator::SKIP_DOTS), + RecursiveIteratorIterator::SELF_FIRST + ); + + $written = 0; + foreach ($it as $item) { + $rel = substr($item->getPathname(), strlen($src) + 1); // relative path + $target = $dst . DIRECTORY_SEPARATOR . $rel; + + if ($item->isDir()) { + if (!is_dir($target) && !mkdir($target, 0750, true)) { + throw new RuntimeException("Failed to create directory: $target"); + } + } else { + $parent = dirname($target); + if (!is_dir($parent) && !mkdir($parent, 0750, true)) { + throw new RuntimeException("Failed to create directory: $parent"); + } + if (!copy($item->getPathname(), $target)) { + throw new RuntimeException("Failed to copy file: " . $item->getPathname()); + } + @chmod($target, 0640); + $written++; + } + } + return $written; + } + } + if (!function_exists('setConfigFlagAtomic')) { function setConfigFlagAtomic(string $file, string $key, $value): void { clearstatcache(true, $file); @@ -238,9 +270,9 @@ if (isset($_POST['restore'])) { } } } - // ---------- /inline helpers ---------- + // ---------- /helpers ---------- - // --- Basic env guards for long operations --- + // --- Long ops guard --- @set_time_limit(0); if (function_exists('ini_set')) { @ini_set('memory_limit', '1024M'); } @@ -273,7 +305,7 @@ if (isset($_POST['restore'])) { } @chmod($tempZip, 0600); - // --- 3) Extract the OUTER backup zip to a unique temp dir --- + // --- 3) Extract OUTER backup zip --- $tempDir = sys_get_temp_dir() . "/restore_temp_" . bin2hex(random_bytes(6)); if (!mkdir($tempDir, 0700, true)) { @unlink($tempZip); @@ -298,9 +330,9 @@ if (isset($_POST['restore'])) { $zip->close(); @unlink($tempZip); - // --- Expected inner files --- + // Expected paths inside extracted archive $sqlPath = $tempDir . "/db.sql"; - $uploadsZip = $tempDir . "/uploads.zip"; // <- inner uploads zip + $uploadsZip = $tempDir . "/uploads.zip"; // inner uploads zip $versionTxt = $tempDir . "/version.txt"; if (!is_file($sqlPath) || !is_readable($sqlPath)) { @@ -312,7 +344,7 @@ if (isset($_POST['restore'])) { die("Missing uploads.zip in the backup archive."); } - // --- 4) Optional: check DB version compatibility --- + // --- 4) Optional: version compatibility check --- if (defined('LATEST_DATABASE_VERSION') && is_file($versionTxt)) { $txt = @file_get_contents($versionTxt) ?: ''; if (preg_match('/^Database Version:\s*(.+)$/mi', $txt, $m)) { @@ -343,7 +375,7 @@ if (isset($_POST['restore'])) { die("SQL import failed: " . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8')); } - // --- 6) Restore UPLOADS (the inner uploads.zip) via staging + robust swap --- + // --- 6) Restore UPLOADS (inner uploads.zip) via VALIDATED MERGE --- $appRoot = realpath(__DIR__ . "/.."); $uploadDir = realpath($appRoot . "/uploads"); if ($uploadDir === false) { @@ -358,17 +390,20 @@ if (isset($_POST['restore'])) { deleteDir($tempDir); die("Uploads directory path invalid."); } - if (!is_writable(dirname($uploadDir))) { + if (!is_writable($uploadDir)) { + // We need to write *inside* uploads for merge; not just the parent. deleteDir($tempDir); - die("Uploads restore failed: target parent dir is not writable by web server."); + die("Uploads restore failed: uploads directory is not writable by web server."); } + // Prepare staging area to extract inner uploads.zip $staging = $appRoot . "/uploads_restoring_" . bin2hex(random_bytes(4)); if (!mkdir($staging, 0700, true)) { deleteDir($tempDir); die("Failed to create staging directory."); } + // Open inner uploads.zip $uz = new ZipArchive; if ($uz->open($uploadsZip) !== TRUE) { deleteDir($staging); @@ -376,7 +411,7 @@ if (isset($_POST['restore'])) { die("Failed to open uploads.zip in backup."); } - // Validate + buffer all entries; no writes if any issue (scan-report mode) + // Validate contents (scan report mode). On any issue, nothing is written. $result = extractUploadsZipWithValidationReport($uz, $staging, [ 'max_file_bytes' => 200 * 1024 * 1024, 'blocked_exts' => [ @@ -401,14 +436,15 @@ if (isset($_POST['restore'])) { exit; } - // If the inner zip has a single top-level folder (e.g., "uploads/"), promote it + // If inner zip has a single top-level folder (e.g., "uploads/"), promote it $roots = listTopLevel($staging); if (count($roots) === 1) { $candidate = $staging . DIRECTORY_SEPARATOR . $roots[0]; if (is_dir($candidate)) { $stagingPromoted = $staging . "_promoted"; if (!@rename($candidate, $stagingPromoted)) { - recursiveCopy($candidate, $stagingPromoted); // cross-FS fallback + // cross-FS fallback + recursiveCopy($candidate, $stagingPromoted); deleteDir($candidate); } $old = $staging; @@ -417,44 +453,44 @@ if (isset($_POST['restore'])) { } } - // Ensure staging has content + // Sanity: staging must have content if (countFilesRecursive($staging) === 0) { deleteDir($staging); deleteDir($tempDir); die("Uploads restore failed: extracted staging is empty. The inner uploads.zip may be malformed or all files were blocked."); } - // Rotate current uploads out; robust moves on both steps + // Snapshot current uploads for rollback, then MERGE staging -> uploads $backupOld = $appRoot . "/uploads_old_" . time(); try { - if (is_dir($uploadDir)) { - if (!@rename($uploadDir, $backupOld)) { - recursiveCopy($uploadDir, $backupOld); // cross-FS fallback - deleteDir($uploadDir); - } + // Full snapshot for safety + recursiveCopy($uploadDir, $backupOld); + + // Merge-copy into existing uploads (create dirs, overwrite same-named files) + $written = mergeCopyCount($staging, $uploadDir); + + if ($written <= 0) { + // No files written — something's off. Rollback. + throw new RuntimeException("No files were merged into uploads (written=$written)."); } - robustDirMove($staging, $uploadDir); + } catch (Throwable $e) { - // rollback if possible - if (is_dir($backupOld) && !is_dir($uploadDir)) { - @rename($backupOld, $uploadDir); + // Rollback to pre-merge state + try { + if (is_dir($backupOld)) { + // Restore snapshot over current uploads + deleteDir($uploadDir); + recursiveCopy($backupOld, $uploadDir); + } + } catch (\Throwable $rollbackErr) { + // Best effort rollback } deleteDir($staging); deleteDir($tempDir); - die("Uploads restore failed during swap: " . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8')); + die("Uploads restore failed during merge: " . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8')); } - // Verify restored uploads; rollback if empty - $restoredCount = countFilesRecursive($uploadDir); - if ($restoredCount === 0) { - if (is_dir($backupOld)) { - @rename($uploadDir, $uploadDir . "_bad_" . time()); - @rename($backupOld, $uploadDir); - } - deleteDir($tempDir); - die("Uploads restore appears empty after swap. Rolled back to old uploads."); - } - // Optionally delete the old uploads after a grace period: + // Optional: keep $backupOld for a while; or delete it once you confirm // deleteDir($backupOld); // --- 7) Log version info (optional) --- @@ -465,14 +501,14 @@ if (isset($_POST['restore'])) { } } - // --- 8) Cleanup temp dir --- + // --- 8) Cleanup temp dir + staging --- + deleteDir($staging); deleteDir($tempDir); // --- 9) Finalize setup flag atomically (and clear OPcache) --- try { setConfigFlagAtomic(__DIR__ . "/../config.php", "config_enable_setup", 0); } catch (Throwable $e) { - // Fallback append (best-effort) and allow login @file_put_contents(__DIR__ . "/../config.php", "\n\$config_enable_setup = 0;\n", FILE_APPEND); $_SESSION['alert_message'] = "Backup restored, but couldn’t finalize setup flag automatically: " . @@ -482,12 +518,11 @@ if (isset($_POST['restore'])) { } // --- 10) Done --- - $_SESSION['alert_message'] = "Full backup restored successfully. Restored {$restoredCount} upload file(s)."; + $_SESSION['alert_message'] = "Full backup restored successfully. Merged {$written} upload file(s)."; header("Location: ../login.php"); exit; } - if (isset($_POST['add_user'])) { $user_count = mysqli_num_rows(mysqli_query($mysqli,"SELECT COUNT(*) FROM users")); if ($user_count < 0) { From 986f6884689644ba0baf8defe08fc5256c63d4cc Mon Sep 17 00:00:00 2001 From: johnnyq Date: Thu, 9 Oct 2025 18:49:54 -0400 Subject: [PATCH 007/112] another Attempt at restore --- setup/index.php | 364 +++++++++--------- setup/setup_functions.php | 758 +++++++++++++++++++++++--------------- 2 files changed, 642 insertions(+), 480 deletions(-) diff --git a/setup/index.php b/setup/index.php index 83bfab17..c6883943 100644 --- a/setup/index.php +++ b/setup/index.php @@ -128,103 +128,7 @@ if (isset($_POST['add_database'])) { if (isset($_POST['restore'])) { - // ---------- Inline helpers (guarded) ---------- - if (!function_exists('recursiveCopy')) { - function recursiveCopy(string $src, string $dst): void { - if (!is_dir($src)) throw new RuntimeException("Source directory missing: $src"); - if (!is_dir($dst) && !mkdir($dst, 0750, true)) { - throw new RuntimeException("Failed to create destination: $dst"); - } - $dir = opendir($src); - if (!$dir) throw new RuntimeException("Failed to open source: $src"); - while (($file = readdir($dir)) !== false) { - if ($file === '.' || $file === '..') continue; - $from = $src . DIRECTORY_SEPARATOR . $file; - $to = $dst . DIRECTORY_SEPARATOR . $file; - if (is_dir($from)) { - recursiveCopy($from, $to); - } else { - if (!copy($from, $to)) { - closedir($dir); - throw new RuntimeException("Copy failed: $from → $to"); - } - @chmod($to, 0640); - } - } - closedir($dir); - } - } - - if (!function_exists('listTopLevel')) { - function listTopLevel(string $dir): array { - if (!is_dir($dir)) return []; - $items = []; - $dh = opendir($dir); - if (!$dh) return []; - while (($e = readdir($dh)) !== false) { - if ($e === '.' || $e === '..') continue; - $items[] = $e; - } - closedir($dh); - sort($items); - return $items; - } - } - - if (!function_exists('countFilesRecursive')) { - function countFilesRecursive(string $dir): int { - if (!is_dir($dir)) return 0; - $it = new RecursiveIteratorIterator( - new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS) - ); - $count = 0; - foreach ($it as $f) { - if ($f->isFile()) $count++; - } - return $count; - } - } - - if (!function_exists('mergeCopyCount')) { - /** - * Merge-copy all files from $src into $dst, creating subdirs as needed. - * Overwrites same-named files. Returns number of files written/overwritten. - */ - function mergeCopyCount(string $src, string $dst): int { - if (!is_dir($src)) return 0; - if (!is_dir($dst) && !mkdir($dst, 0750, true)) { - throw new RuntimeException("Failed to create destination: $dst"); - } - $it = new RecursiveIteratorIterator( - new RecursiveDirectoryIterator($src, FilesystemIterator::SKIP_DOTS), - RecursiveIteratorIterator::SELF_FIRST - ); - - $written = 0; - foreach ($it as $item) { - $rel = substr($item->getPathname(), strlen($src) + 1); // relative path - $target = $dst . DIRECTORY_SEPARATOR . $rel; - - if ($item->isDir()) { - if (!is_dir($target) && !mkdir($target, 0750, true)) { - throw new RuntimeException("Failed to create directory: $target"); - } - } else { - $parent = dirname($target); - if (!is_dir($parent) && !mkdir($parent, 0750, true)) { - throw new RuntimeException("Failed to create directory: $parent"); - } - if (!copy($item->getPathname(), $target)) { - throw new RuntimeException("Failed to copy file: " . $item->getPathname()); - } - @chmod($target, 0640); - $written++; - } - } - return $written; - } - } - + // ---------- Tiny atomic config helper (guarded) ---------- if (!function_exists('setConfigFlagAtomic')) { function setConfigFlagAtomic(string $file, string $key, $value): void { clearstatcache(true, $file); @@ -252,17 +156,16 @@ if (isset($_POST['restore'])) { } $dir = dirname($file); - $temp = tempnam($dir, 'cfg_'); - if ($temp === false) throw new RuntimeException("Failed to create temp file in $dir"); - if (file_put_contents($temp, $cfg, LOCK_EX) === false) { - @unlink($temp); + $tmp = tempnam($dir, 'cfg_'); + if ($tmp === false) throw new RuntimeException("Failed to create temp file in $dir"); + if (file_put_contents($tmp, $cfg, LOCK_EX) === false) { + @unlink($tmp); throw new RuntimeException("Failed to write temp config"); } - $perms = @fileperms($file); - if ($perms !== false) { @chmod($temp, $perms & 0777); } - if (!@rename($temp, $file)) { - @unlink($temp); + if ($perms !== false) @chmod($tmp, $perms & 0777); + if (!@rename($tmp, $file)) { + @unlink($tmp); throw new RuntimeException("Failed to atomically replace config.php"); } if (function_exists('opcache_invalidate')) { @@ -270,13 +173,37 @@ if (isset($_POST['restore'])) { } } } - // ---------- /helpers ---------- + if (!function_exists('setConfigFlag')) { + function setConfigFlag(string $file, string $key, $value): void { + $cfg = @file_get_contents($file); + if ($cfg === false) throw new RuntimeException("Cannot read $file"); + $cfg = str_replace("\r\n", "\n", $cfg); + $pattern = '/^\s*\$' . preg_quote($key, '/') . '\s*=\s*.*?;\s*$/m'; + $line = '$' . $key . ' = ' . (is_bool($value) ? ($value ? 'true' : 'false') : var_export($value, true)) . ';'; + if (preg_match($pattern, $cfg)) { + $cfg = preg_replace($pattern, $line, $cfg, 1); + } else { + if (preg_match('/\?>\s*$/', $cfg)) { + $cfg = preg_replace('/\?>\s*$/', "\n$line\n?>\n", $cfg, 1); + } else { + if ($cfg !== '' && substr($cfg, -1) !== "\n") $cfg .= "\n"; + $cfg .= $line . "\n"; + } + } + if (file_put_contents($file, $cfg, LOCK_EX) === false) { + throw new RuntimeException("Failed to update $file"); + } + if (function_exists('opcache_invalidate')) { + @opcache_invalidate($file, true); + } + } + } - // --- Long ops guard --- + // ---------- Environment guards ---------- @set_time_limit(0); if (function_exists('ini_set')) { @ini_set('memory_limit', '1024M'); } - // --- 1) Validate uploaded file --- + // ---------- 1) Validate uploaded file ---------- if (!isset($_FILES['backup_zip']) || $_FILES['backup_zip']['error'] !== UPLOAD_ERR_OK) { die("No backup file uploaded or upload failed."); } @@ -297,7 +224,7 @@ if (isset($_POST['restore'])) { die("Only .zip files are allowed."); } - // --- 2) Move to secure temp location --- + // ---------- 2) Save outer zip to temp ---------- $timestamp = date('YmdHis'); $tempZip = tempnam(sys_get_temp_dir(), "restore_{$timestamp}_"); if (!move_uploaded_file($file["tmp_name"], $tempZip)) { @@ -305,7 +232,7 @@ if (isset($_POST['restore'])) { } @chmod($tempZip, 0600); - // --- 3) Extract OUTER backup zip --- + // ---------- 3) Extract OUTER backup zip ---------- $tempDir = sys_get_temp_dir() . "/restore_temp_" . bin2hex(random_bytes(6)); if (!mkdir($tempDir, 0700, true)) { @unlink($tempZip); @@ -320,7 +247,7 @@ if (isset($_POST['restore'])) { } try { - safeExtractZip($zip, $tempDir); + safeExtractZip($zip, $tempDir); // helper (safe extraction) } catch (Throwable $e) { $zip->close(); @unlink($tempZip); @@ -330,9 +257,8 @@ if (isset($_POST['restore'])) { $zip->close(); @unlink($tempZip); - // Expected paths inside extracted archive $sqlPath = $tempDir . "/db.sql"; - $uploadsZip = $tempDir . "/uploads.zip"; // inner uploads zip + $uploadsZip = $tempDir . "/uploads.zip"; // inner uploads zip $versionTxt = $tempDir . "/version.txt"; if (!is_file($sqlPath) || !is_readable($sqlPath)) { @@ -344,7 +270,7 @@ if (isset($_POST['restore'])) { die("Missing uploads.zip in the backup archive."); } - // --- 4) Optional: version compatibility check --- + // ---------- 4) Optional: version compatibility ---------- if (defined('LATEST_DATABASE_VERSION') && is_file($versionTxt)) { $txt = @file_get_contents($versionTxt) ?: ''; if (preg_match('/^Database Version:\s*(.+)$/mi', $txt, $m)) { @@ -357,7 +283,7 @@ if (isset($_POST['restore'])) { } } - // --- 5) Restore SQL (drop + import) --- + // ---------- 5) Restore SQL ---------- mysqli_query($mysqli, "SET FOREIGN_KEY_CHECKS = 0"); $tables = mysqli_query($mysqli, "SHOW TABLES"); if ($tables) { @@ -369,41 +295,28 @@ if (isset($_POST['restore'])) { mysqli_query($mysqli, "SET FOREIGN_KEY_CHECKS = 1"); try { - importSqlFile($mysqli, $sqlPath); + importSqlFile($mysqli, $sqlPath); // helper } catch (Throwable $e) { deleteDir($tempDir); die("SQL import failed: " . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8')); } - // --- 6) Restore UPLOADS (inner uploads.zip) via VALIDATED MERGE --- + // ---------- 6) Restore UPLOADS: DELETE existing, then REPLACE ---------- $appRoot = realpath(__DIR__ . "/.."); - $uploadDir = realpath($appRoot . "/uploads"); - if ($uploadDir === false) { - $uploadDir = $appRoot . "/uploads"; - if (!mkdir($uploadDir, 0750, true)) { - deleteDir($tempDir); - die("Failed to create uploads directory."); - } - $uploadDir = realpath($uploadDir); - } - if ($uploadDir === false || strpos($uploadDir, $appRoot) !== 0) { + if ($appRoot === false) { deleteDir($tempDir); - die("Uploads directory path invalid."); - } - if (!is_writable($uploadDir)) { - // We need to write *inside* uploads for merge; not just the parent. - deleteDir($tempDir); - die("Uploads restore failed: uploads directory is not writable by web server."); + die("Failed to resolve app root."); } - // Prepare staging area to extract inner uploads.zip + $uploadDir = $appRoot . "/uploads"; + + // Extract inner uploads.zip to staging (with validation & scan report) $staging = $appRoot . "/uploads_restoring_" . bin2hex(random_bytes(4)); if (!mkdir($staging, 0700, true)) { deleteDir($tempDir); die("Failed to create staging directory."); } - // Open inner uploads.zip $uz = new ZipArchive; if ($uz->open($uploadsZip) !== TRUE) { deleteDir($staging); @@ -411,8 +324,7 @@ if (isset($_POST['restore'])) { die("Failed to open uploads.zip in backup."); } - // Validate contents (scan report mode). On any issue, nothing is written. - $result = extractUploadsZipWithValidationReport($uz, $staging, [ + $scan = extractUploadsZipWithValidationReport($uz, $staging, [ 'max_file_bytes' => 200 * 1024 * 1024, 'blocked_exts' => [ 'php','php3','php4','php5','php7','php8','phtml','phar', @@ -422,9 +334,9 @@ if (isset($_POST['restore'])) { ]); $uz->close(); - if (!$result['ok']) { + if (!$scan['ok']) { $lines = ["Unsafe file(s) detected in uploads.zip:"]; - foreach ($result['issues'] as $issue) { + foreach ($scan['issues'] as $issue) { $p = htmlspecialchars($issue['path'], ENT_QUOTES, 'UTF-8'); $r = htmlspecialchars($issue['reason'], ENT_QUOTES, 'UTF-8'); $lines[] = "• {$p} — {$r}"; @@ -436,64 +348,131 @@ if (isset($_POST['restore'])) { exit; } - // If inner zip has a single top-level folder (e.g., "uploads/"), promote it - $roots = listTopLevel($staging); + // If inner zip has a single "uploads/" folder, promote its contents + $roots = []; + if ($dh = opendir($staging)) { + while (($e = readdir($dh)) !== false) { + if ($e === '.' || $e === '..') continue; + $roots[] = $e; + } + closedir($dh); + } + sort($roots); if (count($roots) === 1) { $candidate = $staging . DIRECTORY_SEPARATOR . $roots[0]; if (is_dir($candidate)) { - $stagingPromoted = $staging . "_promoted"; - if (!@rename($candidate, $stagingPromoted)) { - // cross-FS fallback - recursiveCopy($candidate, $stagingPromoted); - deleteDir($candidate); + $promoted = $staging . "_promoted"; + if (!@rename($candidate, $promoted)) { + // fallback to copy + $rit = new RecursiveIteratorIterator( + new RecursiveDirectoryIterator($candidate, FilesystemIterator::SKIP_DOTS), + RecursiveIteratorIterator::SELF_FIRST + ); + if (!mkdir($promoted, 0700, true)) { + deleteDir($staging); + deleteDir($tempDir); + die("Failed to create promoted staging directory."); + } + foreach ($rit as $it) { + $rel = substr($it->getPathname(), strlen($candidate) + 1); + $dst = $promoted . DIRECTORY_SEPARATOR . $rel; + if ($it->isDir()) { + if (!is_dir($dst) && !mkdir($dst, 0700, true)) { + deleteDir($staging); + deleteDir($tempDir); + die("Failed to create $dst"); + } + } else { + $pdir = dirname($dst); + if (!is_dir($pdir) && !mkdir($pdir, 0700, true)) { + deleteDir($staging); + deleteDir($tempDir); + die("Failed to create $pdir"); + } + if (!copy($it->getPathname(), $dst)) { + deleteDir($staging); + deleteDir($tempDir); + die("Failed to copy $rel into promoted staging"); + } + @chmod($dst, 0640); + } + } } - $old = $staging; - $staging = $stagingPromoted; - deleteDir($old); + deleteDir($staging); + $staging = isset($promoted) ? $promoted : $staging; } } - // Sanity: staging must have content - if (countFilesRecursive($staging) === 0) { + // Sanity: staging must contain files + $hasFiles = false; + $it = new RecursiveIteratorIterator( + new RecursiveDirectoryIterator($staging, FilesystemIterator::SKIP_DOTS) + ); + foreach ($it as $f) { if ($f->isFile()) { $hasFiles = true; break; } } + if (!$hasFiles) { deleteDir($staging); deleteDir($tempDir); - die("Uploads restore failed: extracted staging is empty. The inner uploads.zip may be malformed or all files were blocked."); + die("Uploads restore failed: staging is empty (inner uploads.zip may be malformed or fully blocked)."); } - // Snapshot current uploads for rollback, then MERGE staging -> uploads - $backupOld = $appRoot . "/uploads_old_" . time(); - try { - // Full snapshot for safety - recursiveCopy($uploadDir, $backupOld); - - // Merge-copy into existing uploads (create dirs, overwrite same-named files) - $written = mergeCopyCount($staging, $uploadDir); - - if ($written <= 0) { - // No files written — something's off. Rollback. - throw new RuntimeException("No files were merged into uploads (written=$written)."); + // --- DELETE existing /uploads first, then REPLACE with staging --- + if (is_dir($uploadDir)) { + deleteDir($uploadDir, $appRoot); // guarded delete (under app root) + } + if (!@rename($staging, $uploadDir)) { + // fallback: copy + if (!mkdir($uploadDir, 0750, true)) { + deleteDir($staging); + deleteDir($tempDir); + die("Failed to create uploads directory for placement."); } - - } catch (Throwable $e) { - // Rollback to pre-merge state - try { - if (is_dir($backupOld)) { - // Restore snapshot over current uploads - deleteDir($uploadDir); - recursiveCopy($backupOld, $uploadDir); + $rit = new RecursiveIteratorIterator( + new RecursiveDirectoryIterator($staging, FilesystemIterator::SKIP_DOTS), + RecursiveIteratorIterator::SELF_FIRST + ); + foreach ($rit as $it) { + $rel = substr($it->getPathname(), strlen($staging) + 1); + $dst = $uploadDir . DIRECTORY_SEPARATOR . $rel; + if ($it->isDir()) { + if (!is_dir($dst) && !mkdir($dst, 0750, true)) { + deleteDir($uploadDir); + deleteDir($staging); + deleteDir($tempDir); + die("Failed to create uploads subdir: $dst"); + } + } else { + $pdir = dirname($dst); + if (!is_dir($pdir) && !mkdir($pdir, 0750, true)) { + deleteDir($uploadDir); + deleteDir($staging); + deleteDir($tempDir); + die("Failed to create uploads parent dir: $pdir"); + } + if (!copy($it->getPathname(), $dst)) { + deleteDir($uploadDir); + deleteDir($staging); + deleteDir($tempDir); + die("Failed to place file into uploads: $rel"); + } + @chmod($dst, 0640); } - } catch (\Throwable $rollbackErr) { - // Best effort rollback } deleteDir($staging); - deleteDir($tempDir); - die("Uploads restore failed during merge: " . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8')); } - // Optional: keep $backupOld for a while; or delete it once you confirm - // deleteDir($backupOld); + // Verify uploads has files + $okFiles = false; + $it2 = new RecursiveIteratorIterator( + new RecursiveDirectoryIterator($uploadDir, FilesystemIterator::SKIP_DOTS) + ); + foreach ($it2 as $f) { if ($f->isFile()) { $okFiles = true; break; } } + if (!$okFiles) { + deleteDir($uploadDir); + deleteDir($tempDir); + die("Uploads replace failed: resulting directory is empty."); + } - // --- 7) Log version info (optional) --- + // ---------- 7) Log version info (optional) ---------- if (is_file($versionTxt)) { $versionInfo = @file_get_contents($versionTxt); if ($versionInfo !== false) { @@ -501,24 +480,29 @@ if (isset($_POST['restore'])) { } } - // --- 8) Cleanup temp dir + staging --- - deleteDir($staging); + // ---------- 8) Cleanup temp ---------- deleteDir($tempDir); - // --- 9) Finalize setup flag atomically (and clear OPcache) --- + // ---------- 9) Finalize setup flag ---------- try { setConfigFlagAtomic(__DIR__ . "/../config.php", "config_enable_setup", 0); } catch (Throwable $e) { - @file_put_contents(__DIR__ . "/../config.php", "\n\$config_enable_setup = 0;\n", FILE_APPEND); - $_SESSION['alert_message'] = - "Backup restored, but couldn’t finalize setup flag automatically: " . - htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8'); - header("Location: ../login.php"); - exit; + try { + setConfigFlag(__DIR__ . "/../config.php", "config_enable_setup", 0); + if (function_exists('opcache_invalidate')) { + @opcache_invalidate(__DIR__ . "/../config.php", true); + } + } catch (\Throwable $e2) { + $_SESSION['alert_message'] = + "Restore completed, but couldn’t finalize setup flag automatically: " . + htmlspecialchars($e2->getMessage(), ENT_QUOTES, 'UTF-8'); + header("Location: ../login.php"); + exit; + } } - // --- 10) Done --- - $_SESSION['alert_message'] = "Full backup restored successfully. Merged {$written} upload file(s)."; + // ---------- 10) Done ---------- + $_SESSION['alert_message'] = "Full backup restored successfully. Uploads directory was replaced."; header("Location: ../login.php"); exit; } diff --git a/setup/setup_functions.php b/setup/setup_functions.php index 02385b60..d575d577 100644 --- a/setup/setup_functions.php +++ b/setup/setup_functions.php @@ -1,118 +1,200 @@ isDir()) { @rmdir($item->getPathname()); } - else { @unlink($item->getPathname()); } - } - @rmdir($dir); -} +// ------------------------------ +// deleteDir +// ------------------------------ +if (!function_exists('deleteDir')) { + /** + * Delete a directory recursively. + * @param string $dir Path to delete + * @param string|null $mustBeUnder Optional root path guard; if set, $dir must be within this root + */ + function deleteDir(string $dir, ?string $mustBeUnder = null): void { + $dir = rtrim($dir, DIRECTORY_SEPARATOR); + if ($dir === '' || $dir === DIRECTORY_SEPARATOR) return; -/** Import a SQL file via mysqli, supporting custom DELIMITER and multi statements. */ -function importSqlFile(mysqli $mysqli, string $path): void { - if (!is_file($path) || !is_readable($path)) { - throw new RuntimeException("SQL file not found or unreadable: $path"); - } - $fh = fopen($path, 'r'); - if (!$fh) throw new RuntimeException("Failed to open SQL file"); - - $delimiter = ';'; - $statement = ''; - - while (($line = fgets($fh)) !== false) { - $trim = trim($line); - - // skip comments and empty lines - if ($trim === '' || str_starts_with($trim, '--') || str_starts_with($trim, '#')) { - continue; - } - - // handle DELIMITER changes - if (preg_match('/^DELIMITER\s+(.+)$/i', $trim, $m)) { - $delimiter = $m[1]; - continue; - } - - $statement .= $line; - - // end of statement? - if (substr(rtrim($statement), -strlen($delimiter)) === $delimiter) { - $sql = substr($statement, 0, -strlen($delimiter)); - if ($mysqli->multi_query($sql) === false) { - fclose($fh); - throw new RuntimeException("SQL error: ".$mysqli->error); + if ($mustBeUnder !== null) { + $root = realpath($mustBeUnder); + $real = realpath($dir); + if ($root === false || $real === false || strpos($real, $root) !== 0) { + // Refuse to delete if it's not under the allowed root + return; } - // flush any result sets - while ($mysqli->more_results() && $mysqli->next_result()) { /* discard */ } - $statement = ''; } + + if (!is_dir($dir)) return; + + $it = new RecursiveIteratorIterator( + new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS), + RecursiveIteratorIterator::CHILD_FIRST + ); + foreach ($it as $item) { + $path = $item->getPathname(); + if ($item->isDir()) { @rmdir($path); } + else { @unlink($path); } + } + @rmdir($dir); } - fclose($fh); } -/** Extract a zip safely to $destDir. Blocks absolute paths, drive letters, and symlinks. */ -function safeExtractZip(ZipArchive $zip, string $destDir): void { - $rootReal = realpath($destDir); - if ($rootReal === false) { - if (!mkdir($destDir, 0700, true)) { +// ------------------------------ +// importSqlFile +// ------------------------------ +if (!function_exists('importSqlFile')) { + /** + * Import a SQL file via mysqli, supporting custom DELIMITER and multi statements. + * Executes a trailing, non-delimited statement at EOF (if present). + */ + function importSqlFile(mysqli $mysqli, string $path): void { + if (!is_file($path) || !is_readable($path)) { + throw new RuntimeException("SQL file not found or unreadable: $path"); + } + $fh = fopen($path, 'r'); + if (!$fh) throw new RuntimeException("Failed to open SQL file"); + + $delimiter = ';'; + $statement = ''; + + while (($line = fgets($fh)) !== false) { + $trim = trim($line); + + // skip comments and empty lines + if ($trim === '' || str_starts_with($trim, '--') || str_starts_with($trim, '#')) { + continue; + } + + // handle DELIMITER changes + if (preg_match('/^DELIMITER\s+(.+)$/i', $trim, $m)) { + $delimiter = $m[1]; + continue; + } + + $statement .= $line; + + // end of statement? + if (substr(rtrim($statement), -strlen($delimiter)) === $delimiter) { + $sql = substr($statement, 0, -strlen($delimiter)); + if ($mysqli->multi_query($sql) === false) { + fclose($fh); + throw new RuntimeException("SQL error: " . $mysqli->error); + } + while ($mysqli->more_results() && $mysqli->next_result()) { /* flush */ } + $statement = ''; + } + } + + // Trailing statement at EOF (no delimiter) + $trimStmt = trim($statement); + if ($trimStmt !== '') { + if ($mysqli->multi_query($trimStmt) === false) { + fclose($fh); + throw new RuntimeException("SQL error (EOF): " . $mysqli->error); + } + while ($mysqli->more_results() && $mysqli->next_result()) { /* flush */ } + } + + fclose($fh); + } +} + +// ------------------------------ +// safeExtractZip +// ------------------------------ +if (!function_exists('safeExtractZip')) { + /** + * Extract a zip safely to $destDir. + * - Blocks absolute paths and drive letters + * - Normalizes ".." before writing anything + * - Skips junk (e.g., __MACOSX/, .DS_Store, Thumbs.db) + * - Verifies boundary after writes and blocks symlinks + */ + function safeExtractZip(ZipArchive $zip, string $destDir): void { + if (!is_dir($destDir) && !mkdir($destDir, 0700, true)) { throw new RuntimeException("Failed to create temp dir"); } $rootReal = realpath($destDir); - } - - for ($i = 0; $i < $zip->numFiles; $i++) { - $name = $zip->getNameIndex($i); - - // Reject absolute or drive-lettered paths - if (preg_match('#^(?:/|\\\\|[a-zA-Z]:[\\\\/])#', $name)) { - throw new RuntimeException("Invalid absolute path in zip: $name"); + if ($rootReal === false) { + throw new RuntimeException("Failed to resolve destination"); } - // Normalize components and skip traversal attempts - $target = $rootReal . DIRECTORY_SEPARATOR . $name; - $targetDir = dirname($target); - if (!is_dir($targetDir) && !mkdir($targetDir, 0700, true)) { - throw new RuntimeException("Failed to create $targetDir"); - } + for ($i = 0; $i < $zip->numFiles; $i++) { + $name = $zip->getNameIndex($i); - // Directories end with '/' - $isDir = str_ends_with($name, '/'); - - // Read entry - $fp = $zip->getStream($name); - if ($fp === false) { - if ($isDir) continue; - throw new RuntimeException("Failed to read $name from zip"); - } - - if ($isDir) { - if (!is_dir($target) && !mkdir($target, 0700, true)) { - fclose($fp); - throw new RuntimeException("Failed to mkdir $target"); + // Skip junk/system entries + if ($name === '' || + str_starts_with($name, '__MACOSX/') || + preg_match('#/\.DS_Store$#i', $name) || + preg_match('#/Thumbs\.db$#i', $name) + ) { + continue; + } + + // Reject absolute paths / drive letters + if (preg_match('#^(?:/|\\\\|[a-zA-Z]:[\\\\/])#', $name)) { + throw new RuntimeException("Invalid absolute/drive path in zip: $name"); + } + + // Normalize path segments (handle .. and .) + $norm = []; + foreach (preg_split('#[\\\\/]#', $name) as $seg) { + if ($seg === '' || $seg === '.') continue; + if ($seg === '..') { array_pop($norm); continue; } + $norm[] = $seg; + } + $safeRel = implode(DIRECTORY_SEPARATOR, $norm); + if ($safeRel === '') continue; + + $isDir = str_ends_with($name, '/'); + $target = $rootReal . DIRECTORY_SEPARATOR . $safeRel; + $parent = dirname($target); + + // Create parent and verify boundary + if (!is_dir($parent) && !mkdir($parent, 0700, true)) { + throw new RuntimeException("Failed to create $parent"); + } + $parentReal = realpath($parent); + if ($parentReal === false || strpos($parentReal, $rootReal) !== 0) { + throw new RuntimeException("Path traversal detected (parent) for $name"); + } + + if ($isDir) { + if (!is_dir($target) && !mkdir($target, 0700, true)) { + throw new RuntimeException("Failed to mkdir $target"); + } + $dirReal = realpath($target); + if ($dirReal === false || strpos($dirReal, $rootReal) !== 0) { + @rmdir($target); + throw new RuntimeException("Boundary check failed (dir) for $name"); + } + continue; + } + + // Regular file + $fp = $zip->getStream($name); + if ($fp === false) { + throw new RuntimeException("Failed to read $name from zip"); } - fclose($fp); - } else { $out = fopen($target, 'wb'); if (!$out) { fclose($fp); throw new RuntimeException("Failed to create $target"); } stream_copy_to_stream($fp, $out); fclose($fp); fclose($out); + @chmod($target, 0640); - // Final boundary check $real = realpath($target); - if ($real === false || str_starts_with($real, $rootReal) === false) { + if ($real === false || strpos($real, $rootReal) !== 0) { @unlink($target); - throw new RuntimeException("Path traversal detected for $name"); + throw new RuntimeException("Boundary check failed (file) for $name"); } - - // Disallow symlinks (in case zip contained one) if (is_link($real)) { @unlink($real); throw new RuntimeException("Symlink detected in archive: $name"); @@ -121,227 +203,323 @@ function safeExtractZip(ZipArchive $zip, string $destDir): void { } } -/** Idempotently set/append a PHP config flag like $config_enable_setup = 0; */ -function setConfigFlag(string $file, string $key, $value): void { - $cfg = @file_get_contents($file); - if ($cfg === false) throw new RuntimeException("Cannot read $file"); - $pattern = '/^\s*\$'.preg_quote($key, '/').'\s*=\s*.*?;\s*$/m'; - $line = '$'.$key.' = '.(is_bool($value)? ($value?'true':'false') : var_export($value,true)).";\n"; - if (preg_match($pattern, $cfg)) { - $cfg = preg_replace($pattern, $line, $cfg); - } else { - $cfg .= "\n".$line; - } - if (file_put_contents($file, $cfg, LOCK_EX) === false) { - throw new RuntimeException("Failed to update $file"); +// ------------------------------ +// setConfigFlag (idempotent) +// ------------------------------ +if (!function_exists('setConfigFlag')) { + /** + * Idempotently set/append a PHP config flag like $config_enable_setup = 0; + */ + function setConfigFlag(string $file, string $key, $value): void { + $cfg = @file_get_contents($file); + if ($cfg === false) throw new RuntimeException("Cannot read $file"); + $cfg = str_replace("\r\n", "\n", $cfg); + + $pattern = '/^\s*\$' . preg_quote($key, '/') . '\s*=\s*.*?;\s*$/m'; + $line = '$' . $key . ' = ' . (is_bool($value) ? ($value ? 'true' : 'false') : var_export($value, true)) . ';'; + + if (preg_match($pattern, $cfg)) { + $cfg = preg_replace($pattern, $line, $cfg, 1); + } else { + if (preg_match('/\?>\s*$/', $cfg)) { + $cfg = preg_replace('/\?>\s*$/', "\n$line\n?>\n", $cfg, 1); + } else { + if ($cfg !== '' && substr($cfg, -1) !== "\n") $cfg .= "\n"; + $cfg .= $line . "\n"; + } + } + + if (file_put_contents($file, $cfg, LOCK_EX) === false) { + throw new RuntimeException("Failed to update $file"); + } + if (function_exists('opcache_invalidate')) { + @opcache_invalidate($file, true); + } } } -/** - * Return true if a filename has a disallowed extension or looks like a double-extension trick. - */ -function hasDangerousExtension(string $name, array $blockedExts): bool { - $lower = strtolower($name); - // Quick reject on hidden PHP or dotfiles that may alter server behavior - if (preg_match('/(^|\/)\.(htaccess|user\.ini|env)$/i', $lower)) return true; +// ------------------------------ +// setConfigFlagAtomic (preferred) +// ------------------------------ +if (!function_exists('setConfigFlagAtomic')) { + /** + * Atomic variant of setConfigFlag to avoid partial writes. + */ + function setConfigFlagAtomic(string $file, string $key, $value): void { + clearstatcache(true, $file); + if (!file_exists($file)) throw new RuntimeException("config.php not found: $file"); + if (!is_readable($file)) throw new RuntimeException("config.php not readable: $file"); + if (!is_writable($file)) throw new RuntimeException("config.php not writable: $file"); - // Pull last extension - $ext = strtolower(pathinfo($lower, PATHINFO_EXTENSION)); - if (in_array($ext, $blockedExts, true)) return true; + $cfg = file_get_contents($file); + if ($cfg === false) throw new RuntimeException("Failed to read config.php"); + $cfg = str_replace("\r\n", "\n", $cfg); - // Double extension (e.g., .jpg.php, .png.sh) - if (preg_match('/\.(?:[a-z0-9]{1,5})\.(php[0-9]?|phtml|phar|cgi|pl|sh|exe|dll|bat|cmd|com|ps1|vb|vbs|jar|jsp|asp|aspx)$/i', $lower)) { - return true; + $scalar = is_bool($value) ? ($value ? 'true' : 'false') : var_export($value, true); + $line = '$' . $key . ' = ' . $scalar . ';'; + + $pattern = '/^\s*\$' . preg_quote($key, '/') . '\s*=\s*.*?;\s*$/m'; + if (preg_match($pattern, $cfg)) { + $cfg = preg_replace($pattern, $line, $cfg, 1); + } else { + if (preg_match('/\?>\s*$/', $cfg)) { + $cfg = preg_replace('/\?>\s*$/', "\n$line\n?>\n", $cfg, 1); + } else { + if ($cfg !== '' && substr($cfg, -1) !== "\n") $cfg .= "\n"; + $cfg .= $line . "\n"; + } + } + + $dir = dirname($file); + $tmp = tempnam($dir, 'cfg_'); + if ($tmp === false) throw new RuntimeException("Failed to create temp file in $dir"); + if (file_put_contents($tmp, $cfg, LOCK_EX) === false) { + @unlink($tmp); + throw new RuntimeException("Failed to write temp config"); + } + $perms = @fileperms($file); + if ($perms !== false) @chmod($tmp, $perms & 0777); + if (!@rename($tmp, $file)) { + @unlink($tmp); + throw new RuntimeException("Failed to atomically replace config.php"); + } + if (function_exists('opcache_invalidate')) { + @opcache_invalidate($file, true); + } } - - return false; } -/** - * Heuristic content scan for executable code. Reads head/tail of file. - */ -function contentLooksExecutable(string $tmpPath): bool { - // Use finfo to detect executable/script mimetypes - $fi = new finfo(FILEINFO_MIME_TYPE); - $mime = $fi->file($tmpPath) ?: ''; +// ------------------------------ +// hasDangerousExtension +// ------------------------------ +if (!function_exists('hasDangerousExtension')) { + /** + * Return true if a filename has a disallowed extension or looks like a double-extension trick. + */ + function hasDangerousExtension(string $name, array $blockedExts): bool { + $lower = strtolower($name); - // Quick MIME-based blocks (don’t rely solely on this) - if (preg_match('#^(application/x-(php|elf|sharedlib|mach-o)|text/x-(php|script|shell))#i', $mime)) { - return true; + // Block config-like dotfiles that can affect server behavior + if (preg_match('/(^|\/)\.(htaccess|user\.ini|env|apache2?\.conf|nginx\.conf)$/i', $lower)) return true; + + $ext = strtolower(pathinfo($lower, PATHINFO_EXTENSION)); + if ($ext === '') return false; + + // Merge user blocklist with common server-parsed types + $blocked = array_flip($blockedExts) + array_flip([ + 'shtml','stm','shtm', // server-parsed HTML (SSI) + 'ctp', // CakePHP template + 'pht','phtm', // treated as PHP on misconfigs + ]); + if (isset($blocked[$ext])) return true; + + // Double extension like .jpg.php or .png.sh (cap first ext to 10 chars) + if (preg_match('/\.[a-z0-9]{1,10}\.(php[0-9]?|phtml|phar|cgi|pl|sh|exe|dll|bat|cmd|com|ps1|vb|vbs|jar|jsp|asp|aspx|s?html)$/i', $lower)) { + return true; + } + + return false; } - - // Read first/last 4KB for signature checks without loading whole file - $fp = @fopen($tmpPath, 'rb'); - if (!$fp) return false; - - $head = fread($fp, 4096) ?: ''; - // Seek last 4KB if file >4KB - $tail = ''; - $stat = fstat($fp); - if ($stat && $stat['size'] > 4096) { - fseek($fp, -4096, SEEK_END); - $tail = fread($fp, 4096) ?: ''; - } - fclose($fp); - - $blob = $head . $tail; - - // Block common code markers / execution hints - $markers = [ - '} - */ -function extractUploadsZipWithValidationReport(ZipArchive $zip, string $destDir, array $options = []): array { - $maxFileBytes = $options['max_file_bytes'] ?? (200 * 1024 * 1024); // 200MB - $blockedExts = $options['blocked_exts'] ?? [ - 'php','php3','php4','php5','php7','php8','phtml','phar', - 'cgi','pl','sh','bash','zsh','exe','dll','bat','cmd','com', - 'ps1','vbs','vb','jar','jsp','asp','aspx','so','dylib','bin' - ]; +// ------------------------------ +// contentLooksExecutable +// ------------------------------ +if (!function_exists('contentLooksExecutable')) { + /** + * Heuristic content scan for executable code. Reads head/tail of file. + * Uses finfo when available; falls back to signature scan. + */ + function contentLooksExecutable(string $tmpPath): bool { + $mime = ''; + if (class_exists('finfo')) { + $fi = new finfo(FILEINFO_MIME_TYPE); + $mime = $fi->file($tmpPath) ?: ''; + if (preg_match('#^(application/x-(php|elf|sharedlib|mach-o)|text/x-(php|script|shell))#i', $mime)) { + return true; + } + } - $issues = []; - $staging = $destDir; // caller gives us a staging dir (empty) - $rootReal = realpath($staging); - if ($rootReal === false) { - if (!mkdir($staging, 0700, true)) { + $fp = @fopen($tmpPath, 'rb'); + if (!$fp) return false; + + $head = fread($fp, 4096) ?: ''; + $tail = ''; + $stat = fstat($fp); + if ($stat && ($stat['size'] ?? 0) > 4096) { + fseek($fp, -4096, SEEK_END); + $tail = fread($fp, 4096) ?: ''; + } + fclose($fp); + + $blob = $head . $tail; + + // Execution markers (limited to reduce false positives) + $markers = [ + '} + */ + function extractUploadsZipWithValidationReport(ZipArchive $zip, string $destDir, array $options = []): array { + $maxFileBytes = $options['max_file_bytes'] ?? (200 * 1024 * 1024); // 200MB per-file + $maxTotalBytes = $options['max_total_bytes'] ?? (4 * 1024 * 1024 * 1024); // 4GB per-archive + $blockedExts = $options['blocked_exts'] ?? [ + 'php','php3','php4','php5','php7','php8','phtml','phar', + 'cgi','pl','sh','bash','zsh','exe','dll','bat','cmd','com', + 'ps1','vbs','vb','jar','jsp','asp','aspx','so','dylib','bin' + ]; + + $issues = []; + if (!is_dir($destDir) && !mkdir($destDir, 0700, true)) { return ['ok' => false, 'issues' => [['path' => '(staging)', 'reason' => 'Failed to create staging directory']]]; } - $rootReal = realpath($staging); - } - - // First pass: validate all entries and write candidates to temp files only - // We keep a map of tmp files to final target paths; if any issue is found, we clean them and return - $pending = []; // [ [ 'tmp' => '/tmp/..', 'target' => '/final/path', 'name' => 'zip/path' ], ... ] - - for ($i = 0; $i < $zip->numFiles; $i++) { - $name = $zip->getNameIndex($i); - - // Reject absolute/drive-lettered paths - if (preg_match('#^(?:/|\\\\|[a-zA-Z]:[\\\\/])#', $name)) { - $issues[] = ['path' => $name, 'reason' => 'Invalid absolute or drive path']; - continue; + $rootReal = realpath($destDir); + if ($rootReal === false) { + return ['ok' => false, 'issues' => [['path' => '(staging)', 'reason' => 'Failed to resolve staging directory']]]; } - $isDir = str_ends_with($name, '/'); - if ($isDir) { - // We’ll create directories in the commit phase if no issues were found - continue; - } + $pending = []; // list of ['tmp','target','name'] + $totalBytes = 0; - $stream = $zip->getStream($name); - if ($stream === false) { - $issues[] = ['path' => $name, 'reason' => 'Unable to read entry from ZIP']; - continue; - } + for ($i = 0; $i < $zip->numFiles; $i++) { + $name = $zip->getNameIndex($i); - // 1) Extension and double-extension checks - if (hasDangerousExtension($name, $blockedExts)) { - fclose($stream); - $issues[] = ['path' => $name, 'reason' => 'Dangerous or disallowed file extension']; - continue; - } - - // 2) Stream into a temp file (size-capped) for MIME/signature checks - $tmp = tempnam(sys_get_temp_dir(), 'uplscan_'); - if ($tmp === false) { fclose($stream); $issues[] = ['path' => $name, 'reason' => 'Failed to create temp file']; continue; } - - $out = fopen($tmp, 'wb'); - if (!$out) { fclose($stream); @unlink($tmp); $issues[] = ['path' => $name, 'reason' => 'Failed to write temp file']; continue; } - - $bytes = 0; - $err = null; - while (!feof($stream)) { - $chunk = fread($stream, 1 << 15); - if ($chunk === false) { $err = 'Read error while extracting'; break; } - $bytes += strlen($chunk); - if ($bytes > $maxFileBytes) { $err = 'File exceeds per-file size limit'; break; } - if (fwrite($out, $chunk) === false) { $err = 'Write error while buffering'; break; } - } - fclose($stream); - fclose($out); - - if ($err !== null) { - @unlink($tmp); - $issues[] = ['path' => $name, 'reason' => $err]; - continue; - } - - // 3) MIME + signature checks - if (contentLooksExecutable($tmp)) { - @unlink($tmp); - $issues[] = ['path' => $name, 'reason' => 'Executable/script content detected']; - continue; - } - - // Record as candidate for commit - $target = $rootReal . DIRECTORY_SEPARATOR . $name; - $pending[] = ['tmp' => $tmp, 'target' => $target, 'name' => $name]; - } - - // If any issues, cleanup temps and return report - if (!empty($issues)) { - foreach ($pending as $p) { @unlink($p['tmp']); } - return ['ok' => false, 'issues' => $issues]; - } - - // Commit phase: create directories and move files into place - foreach ($pending as $p) { - $finalDir = dirname($p['target']); - if (!is_dir($finalDir) && !mkdir($finalDir, 0700, true)) { - // Rollback partially moved files - foreach ($pending as $r) { @unlink($r['tmp']); } - return ['ok' => false, 'issues' => [['path' => $p['name'], 'reason' => 'Failed to create destination directory']]]; - } - - // Boundary check again - $realFinalDir = realpath($finalDir); - if ($realFinalDir === false || strpos($realFinalDir, $rootReal) !== 0) { - foreach ($pending as $r) { @unlink($r['tmp']); } - return ['ok' => false, 'issues' => [['path' => $p['name'], 'reason' => 'Path traversal detected at commit phase']]]; - } - - if (!rename($p['tmp'], $p['target'])) { - if (!copy($p['tmp'], $p['target'])) { - @unlink($p['tmp']); - // Cleanup remaining temps - foreach ($pending as $r) { @unlink($r['tmp']); } - return ['ok' => false, 'issues' => [['path' => $p['name'], 'reason' => 'Failed to place file in destination']]]; + // Skip junk/system entries + if ($name === '' || + str_starts_with($name, '__MACOSX/') || + preg_match('#/\.DS_Store$#i', $name) || + preg_match('#/Thumbs\.db$#i', $name) + ) { + continue; } - @unlink($p['tmp']); + + // Absolute / drive-lettered paths + if (preg_match('#^(?:/|\\\\|[a-zA-Z]:[\\\\/])#', $name)) { + $issues[] = ['path' => $name, 'reason' => 'Invalid absolute or drive path']; + continue; + } + + // Directories: defer creation to commit phase + if (str_ends_with($name, '/')) continue; + + $stream = $zip->getStream($name); + if ($stream === false) { + $issues[] = ['path' => $name, 'reason' => 'Unable to read entry from ZIP']; + continue; + } + + // Extension/double-extension checks + if (hasDangerousExtension($name, $blockedExts)) { + fclose($stream); + $issues[] = ['path' => $name, 'reason' => 'Dangerous or disallowed file extension']; + continue; + } + + // Buffer to temp with per-file & total size caps + $tmp = tempnam(sys_get_temp_dir(), 'uplscan_'); + if ($tmp === false) { fclose($stream); $issues[] = ['path' => $name, 'reason' => 'Failed to create temp file']; continue; } + + $out = fopen($tmp, 'wb'); + if (!$out) { fclose($stream); @unlink($tmp); $issues[] = ['path' => $name, 'reason' => 'Failed to write temp file']; continue; } + + $bytes = 0; $err = null; + while (!feof($stream)) { + $chunk = fread($stream, 1 << 15); + if ($chunk === false) { $err = 'Read error while extracting'; break; } + $len = strlen($chunk); + $bytes += $len; + $totalBytes += $len; + + if ($bytes > $maxFileBytes) { $err = 'File exceeds per-file size limit'; break; } + if ($totalBytes > $maxTotalBytes) { $err = 'Archive exceeds total size limit'; break; } + if (fwrite($out, $chunk) === false) { $err = 'Write error while buffering'; break; } + } + fclose($stream); + fclose($out); + + if ($err !== null) { + @unlink($tmp); + $issues[] = ['path' => $name, 'reason' => $err]; + continue; + } + + // MIME/signature check + if (contentLooksExecutable($tmp)) { + @unlink($tmp); + $issues[] = ['path' => $name, 'reason' => 'Executable/script content detected']; + continue; + } + + // Record as candidate + $target = $rootReal . DIRECTORY_SEPARATOR . $name; + $pending[] = ['tmp' => $tmp, 'target' => $target, 'name' => $name]; } - // Permissions & final checks - @chmod($p['target'], 0640); - $real = realpath($p['target']); - if ($real === false || strpos($real, $rootReal) !== 0) { - @unlink($p['target']); - foreach ($pending as $r) { @unlink($r['tmp']); } - return ['ok' => false, 'issues' => [['path' => $p['name'], 'reason' => 'Boundary check failed after write']]]; + // Any issues? clean up and report + if (!empty($issues)) { + foreach ($pending as $p) { @unlink($p['tmp']); } + return ['ok' => false, 'issues' => $issues]; } - if (is_link($real)) { - @unlink($real); - foreach ($pending as $r) { @unlink($r['tmp']); } - return ['ok' => false, 'issues' => [['path' => $p['name'], 'reason' => 'Symlink detected in destination']]]; + + // Commit: create dirs and move files + foreach ($pending as $p) { + $finalDir = dirname($p['target']); + if (!is_dir($finalDir) && !mkdir($finalDir, 0700, true)) { + foreach ($pending as $r) { @unlink($r['tmp']); } + return ['ok' => false, 'issues' => [['path' => $p['name'], 'reason' => 'Failed to create destination directory']]]; + } + + $realFinalDir = realpath($finalDir); + if ($realFinalDir === false || strpos($realFinalDir, $rootReal) !== 0) { + foreach ($pending as $r) { @unlink($r['tmp']); } + return ['ok' => false, 'issues' => [['path' => $p['name'], 'reason' => 'Path traversal detected at commit phase']]]; + } + + if (!rename($p['tmp'], $p['target'])) { + if (!copy($p['tmp'], $p['target'])) { + @unlink($p['tmp']); + foreach ($pending as $r) { @unlink($r['tmp']); } + return ['ok' => false, 'issues' => [['path' => $p['name'], 'reason' => 'Failed to place file in destination']]]; + } + @unlink($p['tmp']); + } + + @chmod($p['target'], 0640); + $real = realpath($p['target']); + if ($real === false || strpos($real, $rootReal) !== 0) { + @unlink($p['target']); + foreach ($pending as $r) { @unlink($r['tmp']); } + return ['ok' => false, 'issues' => [['path' => $p['name'], 'reason' => 'Boundary check failed after write']]]; + } + if (is_link($real)) { + @unlink($real); + foreach ($pending as $r) { @unlink($r['tmp']); } + return ['ok' => false, 'issues' => [['path' => $p['name'], 'reason' => 'Symlink detected in destination']]]; + } } + + return ['ok' => true]; } - - return ['ok' => true]; -} \ No newline at end of file +} From c77e1be1c3b97cbfc3d5791cbd518e88412c2661 Mon Sep 17 00:00:00 2001 From: johnnyq Date: Thu, 9 Oct 2025 19:00:02 -0400 Subject: [PATCH 008/112] Try to fix uploads --- setup/index.php | 200 ++++++++++++++++++++++-------------------------- 1 file changed, 92 insertions(+), 108 deletions(-) diff --git a/setup/index.php b/setup/index.php index c6883943..b20799c6 100644 --- a/setup/index.php +++ b/setup/index.php @@ -302,136 +302,111 @@ if (isset($_POST['restore'])) { } // ---------- 6) Restore UPLOADS: DELETE existing, then REPLACE ---------- - $appRoot = realpath(__DIR__ . "/.."); - if ($appRoot === false) { - deleteDir($tempDir); - die("Failed to resolve app root."); +$appRoot = realpath(__DIR__ . "/.."); +if ($appRoot === false) { + deleteDir($tempDir); + die("Failed to resolve app root."); +} + +$uploadDir = $appRoot . "/uploads"; + +// 6.a Extract inner uploads.zip to staging (with validation & scan report) +$staging = $appRoot . "/uploads_restoring_" . bin2hex(random_bytes(4)); +if (!mkdir($staging, 0700, true)) { + deleteDir($tempDir); + die("Failed to create staging directory."); +} + +$uz = new ZipArchive; +if ($uz->open($uploadsZip) !== TRUE) { + deleteDir($staging); + deleteDir($tempDir); + die("Failed to open uploads.zip in backup."); +} + +$scan = extractUploadsZipWithValidationReport($uz, $staging, [ + 'max_file_bytes' => 200 * 1024 * 1024, + 'blocked_exts' => [ + 'php','php3','php4','php5','php7','php8','phtml','phar', + 'cgi','pl','sh','bash','zsh','exe','dll','bat','cmd','com', + 'ps1','vbs','vb','jar','jsp','asp','aspx','so','dylib','bin' + ], +]); +$uz->close(); + +if (!$scan['ok']) { + $lines = ["Unsafe file(s) detected in uploads.zip:"]; + foreach ($scan['issues'] as $issue) { + $p = htmlspecialchars($issue['path'], ENT_QUOTES, 'UTF-8'); + $r = htmlspecialchars($issue['reason'], ENT_QUOTES, 'UTF-8'); + $lines[] = "• {$p} — {$r}"; } + deleteDir($staging); + deleteDir($tempDir); + $_SESSION['alert_message'] = nl2br(implode("\n", $lines)); + header("Location: ?restore"); + exit; +} - $uploadDir = $appRoot . "/uploads"; - - // Extract inner uploads.zip to staging (with validation & scan report) - $staging = $appRoot . "/uploads_restoring_" . bin2hex(random_bytes(4)); - if (!mkdir($staging, 0700, true)) { - deleteDir($tempDir); - die("Failed to create staging directory."); - } - - $uz = new ZipArchive; - if ($uz->open($uploadsZip) !== TRUE) { - deleteDir($staging); - deleteDir($tempDir); - die("Failed to open uploads.zip in backup."); - } - - $scan = extractUploadsZipWithValidationReport($uz, $staging, [ - 'max_file_bytes' => 200 * 1024 * 1024, - 'blocked_exts' => [ - 'php','php3','php4','php5','php7','php8','phtml','phar', - 'cgi','pl','sh','bash','zsh','exe','dll','bat','cmd','com', - 'ps1','vbs','vb','jar','jsp','asp','aspx','so','dylib','bin' - ], - ]); - $uz->close(); - - if (!$scan['ok']) { - $lines = ["Unsafe file(s) detected in uploads.zip:"]; - foreach ($scan['issues'] as $issue) { - $p = htmlspecialchars($issue['path'], ENT_QUOTES, 'UTF-8'); - $r = htmlspecialchars($issue['reason'], ENT_QUOTES, 'UTF-8'); - $lines[] = "• {$p} — {$r}"; - } - deleteDir($staging); - deleteDir($tempDir); - $_SESSION['alert_message'] = nl2br(implode("\n", $lines)); - header("Location: ?restore"); - exit; - } - - // If inner zip has a single "uploads/" folder, promote its contents - $roots = []; +// 6.b Determine the actual content root inside staging + // If the inner archive’s top-level is exactly "uploads/", use that; otherwise use staging itself. + $contentRoot = $staging; + $topEntries = []; if ($dh = opendir($staging)) { while (($e = readdir($dh)) !== false) { if ($e === '.' || $e === '..') continue; - $roots[] = $e; + $topEntries[] = $e; } closedir($dh); } - sort($roots); - if (count($roots) === 1) { - $candidate = $staging . DIRECTORY_SEPARATOR . $roots[0]; - if (is_dir($candidate)) { - $promoted = $staging . "_promoted"; - if (!@rename($candidate, $promoted)) { - // fallback to copy - $rit = new RecursiveIteratorIterator( - new RecursiveDirectoryIterator($candidate, FilesystemIterator::SKIP_DOTS), - RecursiveIteratorIterator::SELF_FIRST - ); - if (!mkdir($promoted, 0700, true)) { - deleteDir($staging); - deleteDir($tempDir); - die("Failed to create promoted staging directory."); - } - foreach ($rit as $it) { - $rel = substr($it->getPathname(), strlen($candidate) + 1); - $dst = $promoted . DIRECTORY_SEPARATOR . $rel; - if ($it->isDir()) { - if (!is_dir($dst) && !mkdir($dst, 0700, true)) { - deleteDir($staging); - deleteDir($tempDir); - die("Failed to create $dst"); - } - } else { - $pdir = dirname($dst); - if (!is_dir($pdir) && !mkdir($pdir, 0700, true)) { - deleteDir($staging); - deleteDir($tempDir); - die("Failed to create $pdir"); - } - if (!copy($it->getPathname(), $dst)) { - deleteDir($staging); - deleteDir($tempDir); - die("Failed to copy $rel into promoted staging"); - } - @chmod($dst, 0640); - } - } - } - deleteDir($staging); - $staging = isset($promoted) ? $promoted : $staging; + sort($topEntries); + + if (count($topEntries) === 1) { + $candidate = $staging . DIRECTORY_SEPARATOR . $topEntries[0]; + if (is_dir($candidate) && strtolower($topEntries[0]) === 'uploads') { + // Use the "uploads" directory directly without moving/deleting staging yet + $contentRoot = $candidate; } } - // Sanity: staging must contain files + // 6.c Sanity check: content root must have files $hasFiles = false; - $it = new RecursiveIteratorIterator( - new RecursiveDirectoryIterator($staging, FilesystemIterator::SKIP_DOTS) + $ritCheck = new RecursiveIteratorIterator( + new RecursiveDirectoryIterator($contentRoot, FilesystemIterator::SKIP_DOTS) ); - foreach ($it as $f) { if ($f->isFile()) { $hasFiles = true; break; } } + foreach ($ritCheck as $f) { + if ($f->isFile()) { $hasFiles = true; break; } + } if (!$hasFiles) { deleteDir($staging); deleteDir($tempDir); - die("Uploads restore failed: staging is empty (inner uploads.zip may be malformed or fully blocked)."); + die("Uploads restore failed: extracted content is empty (inner uploads.zip may be malformed or fully blocked)."); } - // --- DELETE existing /uploads first, then REPLACE with staging --- + // 6.d Remove current /uploads and replace with restored content if (is_dir($uploadDir)) { - deleteDir($uploadDir, $appRoot); // guarded delete (under app root) + deleteDir($uploadDir, $appRoot); // guarded delete under app root } - if (!@rename($staging, $uploadDir)) { - // fallback: copy + + // If contentRoot IS the staging root, try a simple rename + $renameSource = ($contentRoot === $staging) ? $staging : $contentRoot; + $renameOk = @rename($renameSource, $uploadDir); + + // If we used the child "uploads" dir as contentRoot, staging still exists with an empty top; clean it later + if (!$renameOk) { + // Fallback: copy tree if (!mkdir($uploadDir, 0750, true)) { deleteDir($staging); deleteDir($tempDir); die("Failed to create uploads directory for placement."); } + $rit = new RecursiveIteratorIterator( - new RecursiveDirectoryIterator($staging, FilesystemIterator::SKIP_DOTS), + new RecursiveDirectoryIterator($contentRoot, FilesystemIterator::SKIP_DOTS), RecursiveIteratorIterator::SELF_FIRST ); foreach ($rit as $it) { - $rel = substr($it->getPathname(), strlen($staging) + 1); + $rel = substr($it->getPathname(), strlen($contentRoot) + 1); $dst = $uploadDir . DIRECTORY_SEPARATOR . $rel; if ($it->isDir()) { if (!is_dir($dst) && !mkdir($dst, 0750, true)) { @@ -457,17 +432,26 @@ if (isset($_POST['restore'])) { @chmod($dst, 0640); } } + // If we copied only the inner "uploads" folder, we still need to clean the top-level staging deleteDir($staging); + } else { + // rename succeeded; if we renamed the child "uploads", the original staging still exists – clean it + if ($contentRoot !== $staging) { + deleteDir($staging); + } } - // Verify uploads has files - $okFiles = false; - $it2 = new RecursiveIteratorIterator( - new RecursiveDirectoryIterator($uploadDir, FilesystemIterator::SKIP_DOTS) + // 6.e Verify uploads now has files and report counts + $fileCount = 0; $dirCount = 0; + $ritVerify = new RecursiveIteratorIterator( + new RecursiveDirectoryIterator($uploadDir, FilesystemIterator::SKIP_DOTS), + RecursiveIteratorIterator::SELF_FIRST ); - foreach ($it2 as $f) { if ($f->isFile()) { $okFiles = true; break; } } - if (!$okFiles) { - deleteDir($uploadDir); + foreach ($ritVerify as $it) { + if ($it->isDir()) $dirCount++; + else $fileCount++; + } + if ($fileCount === 0) { deleteDir($tempDir); die("Uploads replace failed: resulting directory is empty."); } From b336ec418895ee768f86aa3cd56027c17f5f1bde Mon Sep 17 00:00:00 2001 From: johnnyq Date: Thu, 9 Oct 2025 19:14:31 -0400 Subject: [PATCH 009/112] Revert setup restore to a saner version --- setup/index.php | 473 ++++++++++++++++++------------------------------ 1 file changed, 173 insertions(+), 300 deletions(-) diff --git a/setup/index.php b/setup/index.php index b20799c6..52d29482 100644 --- a/setup/index.php +++ b/setup/index.php @@ -6,7 +6,6 @@ if (file_exists("../config.php")) { } include "../functions.php"; // Global Functions -include "setup_functions.php"; // Setup Only Functions include "../includes/database_version.php"; if (!isset($config_enable_setup)) { @@ -128,365 +127,239 @@ if (isset($_POST['add_database'])) { if (isset($_POST['restore'])) { - // ---------- Tiny atomic config helper (guarded) ---------- - if (!function_exists('setConfigFlagAtomic')) { - function setConfigFlagAtomic(string $file, string $key, $value): void { - clearstatcache(true, $file); - if (!file_exists($file)) throw new RuntimeException("config.php not found: $file"); - if (!is_readable($file)) throw new RuntimeException("config.php not readable: $file"); - if (!is_writable($file)) throw new RuntimeException("config.php not writable: $file"); - - $cfg = file_get_contents($file); - if ($cfg === false) throw new RuntimeException("Failed to read config.php"); - $cfg = str_replace("\r\n", "\n", $cfg); - - $scalar = is_bool($value) ? ($value ? 'true' : 'false') : var_export($value, true); - $line = '$' . $key . ' = ' . $scalar . ';'; - - $pattern = '/^\s*\$' . preg_quote($key, '/') . '\s*=\s*.*?;\s*$/m'; - if (preg_match($pattern, $cfg)) { - $cfg = preg_replace($pattern, $line, $cfg, 1); - } else { - if (preg_match('/\?>\s*$/', $cfg)) { - $cfg = preg_replace('/\?>\s*$/', "\n$line\n?>\n", $cfg, 1); - } else { - if ($cfg !== '' && substr($cfg, -1) !== "\n") $cfg .= "\n"; - $cfg .= $line . "\n"; - } - } - - $dir = dirname($file); - $tmp = tempnam($dir, 'cfg_'); - if ($tmp === false) throw new RuntimeException("Failed to create temp file in $dir"); - if (file_put_contents($tmp, $cfg, LOCK_EX) === false) { - @unlink($tmp); - throw new RuntimeException("Failed to write temp config"); - } - $perms = @fileperms($file); - if ($perms !== false) @chmod($tmp, $perms & 0777); - if (!@rename($tmp, $file)) { - @unlink($tmp); - throw new RuntimeException("Failed to atomically replace config.php"); - } - if (function_exists('opcache_invalidate')) { - @opcache_invalidate($file, true); - } - } - } - if (!function_exists('setConfigFlag')) { - function setConfigFlag(string $file, string $key, $value): void { - $cfg = @file_get_contents($file); - if ($cfg === false) throw new RuntimeException("Cannot read $file"); - $cfg = str_replace("\r\n", "\n", $cfg); - $pattern = '/^\s*\$' . preg_quote($key, '/') . '\s*=\s*.*?;\s*$/m'; - $line = '$' . $key . ' = ' . (is_bool($value) ? ($value ? 'true' : 'false') : var_export($value, true)) . ';'; - if (preg_match($pattern, $cfg)) { - $cfg = preg_replace($pattern, $line, $cfg, 1); - } else { - if (preg_match('/\?>\s*$/', $cfg)) { - $cfg = preg_replace('/\?>\s*$/', "\n$line\n?>\n", $cfg, 1); - } else { - if ($cfg !== '' && substr($cfg, -1) !== "\n") $cfg .= "\n"; - $cfg .= $line . "\n"; - } - } - if (file_put_contents($file, $cfg, LOCK_EX) === false) { - throw new RuntimeException("Failed to update $file"); - } - if (function_exists('opcache_invalidate')) { - @opcache_invalidate($file, true); - } - } - } - - // ---------- Environment guards ---------- + // ---------- Long-running guards ---------- @set_time_limit(0); if (function_exists('ini_set')) { @ini_set('memory_limit', '1024M'); } - // ---------- 1) Validate uploaded file ---------- + // ---------- Minimal helpers (scoped) ---------- + if (!function_exists('deleteDir')) { + function deleteDir($dir) { + if (!is_dir($dir)) return; + $it = new RecursiveIteratorIterator( + new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS), + RecursiveIteratorIterator::CHILD_FIRST + ); + foreach ($it as $item) { + $item->isDir() ? @rmdir($item->getPathname()) : @unlink($item->getPathname()); + } + @rmdir($dir); + } + } + + if (!function_exists('importSqlFile')) { + /** + * Import a SQL file via mysqli, supports DELIMITER and multi statements. + */ + function importSqlFile(mysqli $mysqli, string $path): void { + if (!is_file($path) || !is_readable($path)) { + throw new RuntimeException("SQL file not found or unreadable: $path"); + } + $fh = fopen($path, 'r'); + if (!$fh) throw new RuntimeException("Failed to open SQL file"); + + $delimiter = ';'; + $statement = ''; + + while (($line = fgets($fh)) !== false) { + $trim = trim($line); + + // Skip comments/empty + if ($trim === '' || str_starts_with($trim, '--') || str_starts_with($trim, '#')) { + continue; + } + + // Handle DELIMITER changes + if (preg_match('/^DELIMITER\s+(.+)$/i', $trim, $m)) { + $delimiter = $m[1]; + continue; + } + + $statement .= $line; + + // End of statement? + if (substr(rtrim($statement), -strlen($delimiter)) === $delimiter) { + $sql = substr($statement, 0, -strlen($delimiter)); + if ($mysqli->multi_query($sql) === false) { + fclose($fh); + throw new RuntimeException("SQL error: " . $mysqli->error); + } + // Flush any result sets + while ($mysqli->more_results() && $mysqli->next_result()) { /* discard */ } + $statement = ''; + } + } + fclose($fh); + } + } + + // ---------- 1) Validate uploaded backup ---------- if (!isset($_FILES['backup_zip']) || $_FILES['backup_zip']['error'] !== UPLOAD_ERR_OK) { die("No backup file uploaded or upload failed."); } + $file = $_FILES['backup_zip']; - - if ($file['size'] > 4 * 1024 * 1024 * 1024) { - die("Backup archive is too large."); - } - - $fi = new finfo(FILEINFO_MIME_TYPE); - $mime = $fi->file($file['tmp_name']); - if ($mime !== 'application/zip' && $mime !== 'application/x-zip-compressed') { - die("Invalid archive type; only .zip is supported."); - } - - $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION)); - if ($ext !== 'zip') { + $fileExt = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION)); + if ($fileExt !== "zip") { die("Only .zip files are allowed."); } - // ---------- 2) Save outer zip to temp ---------- - $timestamp = date('YmdHis'); - $tempZip = tempnam(sys_get_temp_dir(), "restore_{$timestamp}_"); + // ---------- 2) Save to secure temp ---------- + $tempZip = tempnam(sys_get_temp_dir(), "restore_"); if (!move_uploaded_file($file["tmp_name"], $tempZip)) { die("Failed to save uploaded backup file."); } @chmod($tempZip, 0600); - // ---------- 3) Extract OUTER backup zip ---------- - $tempDir = sys_get_temp_dir() . "/restore_temp_" . bin2hex(random_bytes(6)); + $zip = new ZipArchive; + if ($zip->open($tempZip) !== TRUE) { + @unlink($tempZip); + die("Failed to open backup zip file."); + } + + // ---------- 3) Guard & extract OUTER zip ---------- + $tempDir = sys_get_temp_dir() . "/restore_temp_" . uniqid("", true); if (!mkdir($tempDir, 0700, true)) { + $zip->close(); @unlink($tempZip); die("Failed to create temp directory."); } - $zip = new ZipArchive; - if ($zip->open($tempZip) !== TRUE) { - @unlink($tempZip); - deleteDir($tempDir); - die("Failed to open backup zip file."); + // Zip-slip guard (outer) + for ($i = 0; $i < $zip->numFiles; $i++) { + $name = $zip->getNameIndex($i); + if ($name === false) continue; + if (strpos($name, '..') !== false || preg_match('#^(?:/|\\\\|[a-zA-Z]:[\\\\/])#', $name)) { + $zip->close(); + @unlink($tempZip); + deleteDir($tempDir); + die("Invalid file path in outer ZIP."); + } } - try { - safeExtractZip($zip, $tempDir); // helper (safe extraction) - } catch (Throwable $e) { + if (!$zip->extractTo($tempDir)) { $zip->close(); @unlink($tempZip); deleteDir($tempDir); - die("Invalid backup archive: " . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8')); + die("Failed to extract backup contents."); } + $zip->close(); @unlink($tempZip); - $sqlPath = $tempDir . "/db.sql"; - $uploadsZip = $tempDir . "/uploads.zip"; // inner uploads zip - $versionTxt = $tempDir . "/version.txt"; + // ---------- 4) Restore SQL (via PHP, no CLI) ---------- + $sqlPath = "$tempDir/db.sql"; + if (file_exists($sqlPath)) { + // Drop-all first (foreign key safe) + mysqli_query($mysqli, "SET FOREIGN_KEY_CHECKS = 0"); + $tables = mysqli_query($mysqli, "SHOW TABLES"); + if ($tables) { + while ($row = mysqli_fetch_array($tables)) { + mysqli_query($mysqli, "DROP TABLE IF EXISTS `" . $row[0] . "`"); + } + } + mysqli_query($mysqli, "SET FOREIGN_KEY_CHECKS = 1"); - if (!is_file($sqlPath) || !is_readable($sqlPath)) { + try { + importSqlFile($mysqli, $sqlPath); + } catch (Throwable $e) { + deleteDir($tempDir); + die("SQL import failed: " . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8')); + } + } else { deleteDir($tempDir); die("Missing db.sql in the backup archive."); } - if (!is_file($uploadsZip) || !is_readable($uploadsZip)) { + + // ---------- 5) Restore uploads directory ---------- + $uploadDir = rtrim(__DIR__ . "/../uploads", '/\\') . '/'; + $uploadsZip = "$tempDir/uploads.zip"; + + if (!file_exists($uploadsZip)) { deleteDir($tempDir); die("Missing uploads.zip in the backup archive."); } - // ---------- 4) Optional: version compatibility ---------- - if (defined('LATEST_DATABASE_VERSION') && is_file($versionTxt)) { - $txt = @file_get_contents($versionTxt) ?: ''; - if (preg_match('/^Database Version:\s*(.+)$/mi', $txt, $m)) { - $backupVersion = trim($m[1]); - $running = LATEST_DATABASE_VERSION; - if (version_compare($backupVersion, $running, '>')) { - deleteDir($tempDir); - die("Backup schema ($backupVersion) is newer than this app ($running). Please upgrade ITFlow first, then retry restore."); - } - } - } - - // ---------- 5) Restore SQL ---------- - mysqli_query($mysqli, "SET FOREIGN_KEY_CHECKS = 0"); - $tables = mysqli_query($mysqli, "SHOW TABLES"); - if ($tables) { - while ($row = mysqli_fetch_array($tables)) { - $tbl = $row[0]; - mysqli_query($mysqli, "DROP TABLE IF EXISTS `".$mysqli->real_escape_string($tbl)."`"); - } - } - mysqli_query($mysqli, "SET FOREIGN_KEY_CHECKS = 1"); - - try { - importSqlFile($mysqli, $sqlPath); // helper - } catch (Throwable $e) { + $uploads = new ZipArchive; + if ($uploads->open($uploadsZip) !== TRUE) { deleteDir($tempDir); - die("SQL import failed: " . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8')); + die("Failed to open uploads.zip in backup."); } - // ---------- 6) Restore UPLOADS: DELETE existing, then REPLACE ---------- -$appRoot = realpath(__DIR__ . "/.."); -if ($appRoot === false) { - deleteDir($tempDir); - die("Failed to resolve app root."); -} - -$uploadDir = $appRoot . "/uploads"; - -// 6.a Extract inner uploads.zip to staging (with validation & scan report) -$staging = $appRoot . "/uploads_restoring_" . bin2hex(random_bytes(4)); -if (!mkdir($staging, 0700, true)) { - deleteDir($tempDir); - die("Failed to create staging directory."); -} - -$uz = new ZipArchive; -if ($uz->open($uploadsZip) !== TRUE) { - deleteDir($staging); - deleteDir($tempDir); - die("Failed to open uploads.zip in backup."); -} - -$scan = extractUploadsZipWithValidationReport($uz, $staging, [ - 'max_file_bytes' => 200 * 1024 * 1024, - 'blocked_exts' => [ - 'php','php3','php4','php5','php7','php8','phtml','phar', - 'cgi','pl','sh','bash','zsh','exe','dll','bat','cmd','com', - 'ps1','vbs','vb','jar','jsp','asp','aspx','so','dylib','bin' - ], -]); -$uz->close(); - -if (!$scan['ok']) { - $lines = ["Unsafe file(s) detected in uploads.zip:"]; - foreach ($scan['issues'] as $issue) { - $p = htmlspecialchars($issue['path'], ENT_QUOTES, 'UTF-8'); - $r = htmlspecialchars($issue['reason'], ENT_QUOTES, 'UTF-8'); - $lines[] = "• {$p} — {$r}"; - } - deleteDir($staging); - deleteDir($tempDir); - $_SESSION['alert_message'] = nl2br(implode("\n", $lines)); - header("Location: ?restore"); - exit; -} - -// 6.b Determine the actual content root inside staging - // If the inner archive’s top-level is exactly "uploads/", use that; otherwise use staging itself. - $contentRoot = $staging; - $topEntries = []; - if ($dh = opendir($staging)) { - while (($e = readdir($dh)) !== false) { - if ($e === '.' || $e === '..') continue; - $topEntries[] = $e; - } - closedir($dh); - } - sort($topEntries); - - if (count($topEntries) === 1) { - $candidate = $staging . DIRECTORY_SEPARATOR . $topEntries[0]; - if (is_dir($candidate) && strtolower($topEntries[0]) === 'uploads') { - // Use the "uploads" directory directly without moving/deleting staging yet - $contentRoot = $candidate; - } - } - - // 6.c Sanity check: content root must have files - $hasFiles = false; - $ritCheck = new RecursiveIteratorIterator( - new RecursiveDirectoryIterator($contentRoot, FilesystemIterator::SKIP_DOTS) - ); - foreach ($ritCheck as $f) { - if ($f->isFile()) { $hasFiles = true; break; } - } - if (!$hasFiles) { - deleteDir($staging); - deleteDir($tempDir); - die("Uploads restore failed: extracted content is empty (inner uploads.zip may be malformed or fully blocked)."); - } - - // 6.d Remove current /uploads and replace with restored content - if (is_dir($uploadDir)) { - deleteDir($uploadDir, $appRoot); // guarded delete under app root - } - - // If contentRoot IS the staging root, try a simple rename - $renameSource = ($contentRoot === $staging) ? $staging : $contentRoot; - $renameOk = @rename($renameSource, $uploadDir); - - // If we used the child "uploads" dir as contentRoot, staging still exists with an empty top; clean it later - if (!$renameOk) { - // Fallback: copy tree - if (!mkdir($uploadDir, 0750, true)) { - deleteDir($staging); + // Zip-slip guard (inner) + for ($i = 0; $i < $uploads->numFiles; $i++) { + $name = $uploads->getNameIndex($i); + if ($name === false) continue; + if (strpos($name, '..') !== false || preg_match('#^(?:/|\\\\|[a-zA-Z]:[\\\\/])#', $name)) { + $uploads->close(); deleteDir($tempDir); - die("Failed to create uploads directory for placement."); + die("Invalid file path in uploads.zip."); } + } - $rit = new RecursiveIteratorIterator( - new RecursiveDirectoryIterator($contentRoot, FilesystemIterator::SKIP_DOTS), + // Ensure uploads dir exists then clean it + if (!is_dir($uploadDir)) { + if (!mkdir($uploadDir, 0750, true)) { + $uploads->close(); + deleteDir($tempDir); + die("Failed to create uploads directory."); + } + } else { + foreach (new RecursiveIteratorIterator( + new RecursiveDirectoryIterator($uploadDir, FilesystemIterator::SKIP_DOTS), + RecursiveIteratorIterator::CHILD_FIRST + ) as $item) { + $item->isDir() ? @rmdir($item->getPathname()) : @unlink($item->getPathname()); + } + } + + // Extract uploads.zip directly into /uploads (your original, working behavior) + if (!$uploads->extractTo($uploadDir)) { + $uploads->close(); + deleteDir($tempDir); + die("Failed to extract uploads.zip into uploads directory."); + } + $uploads->close(); + + // Verify uploads isn’t empty + $hasFiles = false; + $fileCount = 0; $dirCount = 0; + if (is_dir($uploadDir)) { + $it = new RecursiveIteratorIterator( + new RecursiveDirectoryIterator($uploadDir, FilesystemIterator::SKIP_DOTS), RecursiveIteratorIterator::SELF_FIRST ); - foreach ($rit as $it) { - $rel = substr($it->getPathname(), strlen($contentRoot) + 1); - $dst = $uploadDir . DIRECTORY_SEPARATOR . $rel; - if ($it->isDir()) { - if (!is_dir($dst) && !mkdir($dst, 0750, true)) { - deleteDir($uploadDir); - deleteDir($staging); - deleteDir($tempDir); - die("Failed to create uploads subdir: $dst"); - } - } else { - $pdir = dirname($dst); - if (!is_dir($pdir) && !mkdir($pdir, 0750, true)) { - deleteDir($uploadDir); - deleteDir($staging); - deleteDir($tempDir); - die("Failed to create uploads parent dir: $pdir"); - } - if (!copy($it->getPathname(), $dst)) { - deleteDir($uploadDir); - deleteDir($staging); - deleteDir($tempDir); - die("Failed to place file into uploads: $rel"); - } - @chmod($dst, 0640); - } - } - // If we copied only the inner "uploads" folder, we still need to clean the top-level staging - deleteDir($staging); - } else { - // rename succeeded; if we renamed the child "uploads", the original staging still exists – clean it - if ($contentRoot !== $staging) { - deleteDir($staging); + foreach ($it as $node) { + if ($node->isDir()) $dirCount++; + else { $fileCount++; $hasFiles = true; } } } - - // 6.e Verify uploads now has files and report counts - $fileCount = 0; $dirCount = 0; - $ritVerify = new RecursiveIteratorIterator( - new RecursiveDirectoryIterator($uploadDir, FilesystemIterator::SKIP_DOTS), - RecursiveIteratorIterator::SELF_FIRST - ); - foreach ($ritVerify as $it) { - if ($it->isDir()) $dirCount++; - else $fileCount++; - } - if ($fileCount === 0) { + if (!$hasFiles) { deleteDir($tempDir); - die("Uploads replace failed: resulting directory is empty."); + die("Uploads restore appears empty after extraction."); } - // ---------- 7) Log version info (optional) ---------- - if (is_file($versionTxt)) { + // ---------- 6) Optional: version info ---------- + $versionTxt = "$tempDir/version.txt"; + if (file_exists($versionTxt)) { $versionInfo = @file_get_contents($versionTxt); if ($versionInfo !== false) { logAction("Backup Restore", "Version Info", $versionInfo); } } - // ---------- 8) Cleanup temp ---------- + // ---------- 7) Cleanup temp ---------- deleteDir($tempDir); - // ---------- 9) Finalize setup flag ---------- - try { - setConfigFlagAtomic(__DIR__ . "/../config.php", "config_enable_setup", 0); - } catch (Throwable $e) { - try { - setConfigFlag(__DIR__ . "/../config.php", "config_enable_setup", 0); - if (function_exists('opcache_invalidate')) { - @opcache_invalidate(__DIR__ . "/../config.php", true); - } - } catch (\Throwable $e2) { - $_SESSION['alert_message'] = - "Restore completed, but couldn’t finalize setup flag automatically: " . - htmlspecialchars($e2->getMessage(), ENT_QUOTES, 'UTF-8'); - header("Location: ../login.php"); - exit; - } + // ---------- 8) Finalize setup flag (append safely) ---------- + $configPath = __DIR__ . "/../config.php"; + $append = "\n\$config_enable_setup = 0;\n\n"; + if (!@file_put_contents($configPath, $append, FILE_APPEND | LOCK_EX)) { + $_SESSION['alert_message'] = "Backup restored ($fileCount files, $dirCount folders), but couldn't update setup flag — please set \$config_enable_setup = 0 in config.php."; + } else { + $_SESSION['alert_message'] = "Full backup restored successfully ($fileCount files, $dirCount folders)."; } - // ---------- 10) Done ---------- - $_SESSION['alert_message'] = "Full backup restored successfully. Uploads directory was replaced."; + // ---------- 9) Done ---------- header("Location: ../login.php"); exit; } From 2ee70fd3a84b4796bed175ec407ab4e4f24cb334 Mon Sep 17 00:00:00 2001 From: johnnyq Date: Thu, 9 Oct 2025 19:23:48 -0400 Subject: [PATCH 010/112] Update .htaccess --- uploads/.htaccess | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/uploads/.htaccess b/uploads/.htaccess index 0c5dab21..da91030a 100644 --- a/uploads/.htaccess +++ b/uploads/.htaccess @@ -1,11 +1,7 @@ -php_flag engine off -RemoveHandler .php .phtml .php3 .php4 .php5 .php7 .php8 -RemoveType application/x-httpd-php - - Deny from all - Options -ExecCGI -AddHandler cgi-script .cgi .pl .sh .bash .zsh - - Deny from all - \ No newline at end of file +php_flag engine off +RemoveHandler .php .phtml .phar .phps +RemoveType .php .phtml .phar .phps + + Require all denied + From d97654581bf9bdd59552d2bbd5edffb691e1bcee Mon Sep 17 00:00:00 2001 From: johnnyq Date: Sun, 12 Oct 2025 13:34:27 -0400 Subject: [PATCH 011/112] Add 30 Day wording to Expiring Domain and Certificates in dashboard --- agent/dashboard.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/agent/dashboard.php b/agent/dashboard.php index 4f38035c..5a6223b4 100644 --- a/agent/dashboard.php +++ b/agent/dashboard.php @@ -660,7 +660,7 @@ if ($user_config_dashboard_technical_enable == 1) {

-

Expiring Domains

+

Expiring Domains 30 Day

@@ -673,7 +673,7 @@ if ($user_config_dashboard_technical_enable == 1) {

-

Expiring Certificates

+

Expiring Certificates30 Day

From 39c9c695f177d6d6f15b53ecd60de7be96c1ad29 Mon Sep 17 00:00:00 2001 From: johnnyq Date: Tue, 14 Oct 2025 15:59:29 -0400 Subject: [PATCH 012/112] Allow searching tickets with ticketprefix and number combo in Global search --- agent/global_search.php | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/agent/global_search.php b/agent/global_search.php index 527a34c5..e47a7113 100644 --- a/agent/global_search.php +++ b/agent/global_search.php @@ -85,6 +85,7 @@ if (isset($_GET['query'])) { LEFT JOIN ticket_statuses ON ticket_status = ticket_status_id WHERE ticket_archived_at IS NULL AND (ticket_subject LIKE '%$query%' + OR CONCAT(ticket_prefix,ticket_number) LIKE '%$q%' OR ticket_number = '$ticket_num_query') $access_permission_query ORDER BY ticket_id DESC LIMIT 5" @@ -93,7 +94,8 @@ if (isset($_GET['query'])) { $sql_recurring_tickets = mysqli_query($mysqli, "SELECT * FROM recurring_tickets LEFT JOIN clients ON recurring_ticket_client_id = client_id WHERE (recurring_ticket_subject LIKE '%$query%' - OR recurring_ticket_details LIKE '%$query%') + OR recurring_ticket_details LIKE '%$query%' + CONCAT(recurring_ticket_prefix,recurring_ticket_number) LIKE '%$q%') $access_permission_query ORDER BY recurring_ticket_id DESC LIMIT 5" ); From 61d15cbf9ec02240d680b74351f2d7a0d01bae3b Mon Sep 17 00:00:00 2001 From: johnnyq Date: Tue, 14 Oct 2025 16:07:08 -0400 Subject: [PATCH 013/112] Remove non existent seatch column recurring ticket prefix --- agent/global_search.php | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/agent/global_search.php b/agent/global_search.php index e47a7113..758067bc 100644 --- a/agent/global_search.php +++ b/agent/global_search.php @@ -85,7 +85,7 @@ if (isset($_GET['query'])) { LEFT JOIN ticket_statuses ON ticket_status = ticket_status_id WHERE ticket_archived_at IS NULL AND (ticket_subject LIKE '%$query%' - OR CONCAT(ticket_prefix,ticket_number) LIKE '%$q%' + OR CONCAT(ticket_prefix,ticket_number) LIKE '%$query%' OR ticket_number = '$ticket_num_query') $access_permission_query ORDER BY ticket_id DESC LIMIT 5" @@ -94,8 +94,7 @@ if (isset($_GET['query'])) { $sql_recurring_tickets = mysqli_query($mysqli, "SELECT * FROM recurring_tickets LEFT JOIN clients ON recurring_ticket_client_id = client_id WHERE (recurring_ticket_subject LIKE '%$query%' - OR recurring_ticket_details LIKE '%$query%' - CONCAT(recurring_ticket_prefix,recurring_ticket_number) LIKE '%$q%') + OR recurring_ticket_details LIKE '%$query%') $access_permission_query ORDER BY recurring_ticket_id DESC LIMIT 5" ); From db7f8501d01a3176a8cb03d1ae357fc1fcb18cd1 Mon Sep 17 00:00:00 2001 From: wrongecho Date: Wed, 15 Oct 2025 09:18:53 +0100 Subject: [PATCH 014/112] When archiving a client, cancel recurring invoices --- agent/post/client.php | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/agent/post/client.php b/agent/post/client.php index f34fcbba..d47b290a 100644 --- a/agent/post/client.php +++ b/agent/post/client.php @@ -171,11 +171,20 @@ if (isset($_GET['archive_client'])) { $client_id = intval($_GET['archive_client']); + // Archive client + mysqli_query($mysqli, "UPDATE clients SET client_archived_at = NOW() WHERE client_id = $client_id"); + + // Stop recurring invoices + $sql_recurring_invoices = mysqli_query($mysqli, "SELECT * FROM recurring_invoices WHERE recurring_invoice_client_id = $client_id AND recurring_invoice_status = 1"); + while ($row = mysqli_fetch_array($sql_recurring_invoices)) { + $recurring_invoice_id = intval($row['recurring_invoice_id']); + mysqli_query($mysqli,"UPDATE recurring_invoices SET recurring_invoice_status = 0 WHERE recurring_invoice_id = $recurring_invoice_id AND recurring_invoice_client_id = $client_id"); + mysqli_query($mysqli,"INSERT INTO history SET history_status = '$status', history_description = 'Recurring Invoice inactive as client archived', history_recurring_invoice_id = $recurring_invoice_id"); + } + // Get Client Name $client_name = sanitizeInput(getFieldById('clients', $client_id, 'client_name')); - mysqli_query($mysqli, "UPDATE clients SET client_archived_at = NOW() WHERE client_id = $client_id"); - logAction("Client", "Archive", "$session_name archived client $client_name", $client_id, $client_id); flash_alert("Client $client_name archived", 'error'); From 9a5a4be64af24d4168b3d6a3b06dfd373b63540e Mon Sep 17 00:00:00 2001 From: wrongecho Date: Wed, 15 Oct 2025 09:20:08 +0100 Subject: [PATCH 015/112] When archiving a client, cancel recurring invoices --- agent/post/client.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/agent/post/client.php b/agent/post/client.php index d47b290a..e1726f9b 100644 --- a/agent/post/client.php +++ b/agent/post/client.php @@ -179,7 +179,7 @@ if (isset($_GET['archive_client'])) { while ($row = mysqli_fetch_array($sql_recurring_invoices)) { $recurring_invoice_id = intval($row['recurring_invoice_id']); mysqli_query($mysqli,"UPDATE recurring_invoices SET recurring_invoice_status = 0 WHERE recurring_invoice_id = $recurring_invoice_id AND recurring_invoice_client_id = $client_id"); - mysqli_query($mysqli,"INSERT INTO history SET history_status = '$status', history_description = 'Recurring Invoice inactive as client archived', history_recurring_invoice_id = $recurring_invoice_id"); + mysqli_query($mysqli,"INSERT INTO history SET history_status = 0, history_description = 'Recurring Invoice inactive as client archived', history_recurring_invoice_id = $recurring_invoice_id"); } // Get Client Name From 21aee98f9f2191d01ade6f9cb21a134f53083169 Mon Sep 17 00:00:00 2001 From: wrongecho Date: Wed, 15 Oct 2025 09:57:32 +0100 Subject: [PATCH 016/112] Fix checkAll ticket box not showing when status wasn't set - should only be hidden for the closed view --- agent/ticket_list.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/agent/ticket_list.php b/agent/ticket_list.php index 80c891a1..c001a134 100644 --- a/agent/ticket_list.php +++ b/agent/ticket_list.php @@ -9,7 +9,7 @@ - +
From b7a9f9ea386b3e1424b5b5bb62d5ff565e6e5678 Mon Sep 17 00:00:00 2001 From: wrongecho Date: Wed, 15 Oct 2025 10:12:14 +0100 Subject: [PATCH 017/112] When exporting credential info, include the TOTP secret --- agent/post/credential.php | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/agent/post/credential.php b/agent/post/credential.php index 392aab9d..ce41fa56 100644 --- a/agent/post/credential.php +++ b/agent/post/credential.php @@ -317,8 +317,6 @@ if (isset($_POST['export_credentials_csv'])) { //get records from database $sql = mysqli_query($mysqli,"SELECT * FROM credentials LEFT JOIN clients ON client_id = credential_client_id WHERE credential_archived_at IS NULL $client_query ORDER BY credential_name ASC"); - $row = mysqli_fetch_array($sql); - $num_rows = mysqli_num_rows($sql); if ($num_rows > 0) { @@ -331,14 +329,14 @@ if (isset($_POST['export_credentials_csv'])) { $f = fopen('php://memory', 'w'); //set column headers - $fields = array('Name', 'Description', 'Username', 'Password', 'URI'); + $fields = array('Name', 'Description', 'Username', 'Password', 'TOTP', 'URI'); fputcsv($f, $fields, $delimiter, $enclosure, $escape); //output each row of the data, format line as csv and write to file pointer while($row = mysqli_fetch_assoc($sql)){ $credential_username = decryptCredentialEntry($row['credential_username']); $credential_password = decryptCredentialEntry($row['credential_password']); - $lineData = array($row['credential_name'], $row['credential_description'], $credential_username, $credential_password, $row['credential_uri']); + $lineData = array($row['credential_name'], $row['credential_description'], $credential_username, $credential_password, $row['credential_otp_secret'], $row['credential_uri']); fputcsv($f, $lineData, $delimiter, $enclosure, $escape); } From 0bb7d24e07f6660bb82c9103b9243d60dad6c1de Mon Sep 17 00:00:00 2001 From: wrongecho Date: Wed, 15 Oct 2025 10:18:44 +0100 Subject: [PATCH 018/112] Allow importing TOTP credential info --- agent/post/credential.php | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/agent/post/credential.php b/agent/post/credential.php index ce41fa56..a701d125 100644 --- a/agent/post/credential.php +++ b/agent/post/credential.php @@ -388,7 +388,7 @@ if (isset($_POST["import_credentials_csv"])) { //(Else)Check column count $f = fopen($file_name, "r"); $f_columns = fgetcsv($f, 1000, ","); - if (!$error & count($f_columns) != 5) { + if (!$error & count($f_columns) != 6) { $error = true; flash_alert("Bad column count.", 'error'); } @@ -401,31 +401,40 @@ if (isset($_POST["import_credentials_csv"])) { $duplicate_count = 0; while(($column = fgetcsv($file, 1000, ",")) !== false){ $duplicate_detect = 0; + // Name if (isset($column[0])) { $name = sanitizeInput($column[0]); if (mysqli_num_rows(mysqli_query($mysqli,"SELECT * FROM credentials WHERE credential_name = '$name' AND credential_client_id = $client_id")) > 0){ $duplicate_detect = 1; } } + // Desc if (isset($column[1])) { $description = sanitizeInput($column[1]); } + // User if (isset($column[2])) { $username = sanitizeInput(encryptCredentialEntry($column[2])); } + // Pass if (isset($column[3])) { $password = sanitizeInput(encryptCredentialEntry($column[3])); } + // OTP if (isset($column[4])) { - $uri = sanitizeInput($column[4]); + $totp = sanitizeInput($column[4]); + } + // URL + if (isset($column[4])) { + $uri = sanitizeInput($column[5]); } // Check if duplicate was detected if ($duplicate_detect == 0){ //Add - mysqli_query($mysqli,"INSERT INTO credentials SET credential_name = '$name', credential_description = '$description', credential_uri = '$uri', credential_username = '$username', credential_password = '$password', credential_client_id = $client_id"); + mysqli_query($mysqli,"INSERT INTO credentials SET credential_name = '$name', credential_description = '$description', credential_uri = '$uri', credential_username = '$username', credential_password = '$password', credential_otp_secret = '$totp', credential_client_id = $client_id"); $row_count = $row_count + 1; - }else{ + } else { $duplicate_count = $duplicate_count + 1; } } @@ -453,7 +462,7 @@ if (isset($_GET['download_credentials_csv_template'])) { $f = fopen('php://memory', 'w'); //set column headers - $fields = array('Name', 'Description', 'Username', 'Password', 'URI'); + $fields = array('Name', 'Description', 'Username', 'Password', 'TOTP', 'URI'); fputcsv($f, $fields, $delimiter); //move back to beginning of file From 99ccb12b8cc7971463f914744632577d19894d0e Mon Sep 17 00:00:00 2001 From: wrongecho Date: Wed, 15 Oct 2025 10:31:59 +0100 Subject: [PATCH 019/112] Allow importing TOTP credential info --- agent/modals/credential/credential_import.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/agent/modals/credential/credential_import.php b/agent/modals/credential/credential_import.php index 68d0d5a3..f19e8b38 100644 --- a/agent/modals/credential/credential_import.php +++ b/agent/modals/credential/credential_import.php @@ -12,7 +12,7 @@
-

Format csv file with headings & data:
Name, Description, Username, Password, URL

+

Format csv file with headings & data:
Name, Description, Username, Password, TOTP, URI

From 079b0d502450025f08ffba2cc719ee3f2f566f12 Mon Sep 17 00:00:00 2001 From: wrongecho Date: Wed, 15 Oct 2025 10:32:16 +0100 Subject: [PATCH 020/112] Asset import - allow importing notes --- agent/modals/asset/asset_import.php | 2 +- agent/post/asset.php | 13 +++++++++---- 2 files changed, 10 insertions(+), 5 deletions(-) diff --git a/agent/modals/asset/asset_import.php b/agent/modals/asset/asset_import.php index 764355ae..1218618c 100644 --- a/agent/modals/asset/asset_import.php +++ b/agent/modals/asset/asset_import.php @@ -14,7 +14,7 @@
-

Format csv file with headings & data:
Name, Description, Type, Make, Model, Serial, OS, Purchase Date, Assigned To, Location, Physical Location

+

Format csv file with headings & data:
Name, Description, Type, Make, Model, Serial, OS, Purchase Date, Assigned To, Location, Physical Location, Notes

diff --git a/agent/post/asset.php b/agent/post/asset.php index ca6b15f5..b22c8de5 100644 --- a/agent/post/asset.php +++ b/agent/post/asset.php @@ -787,10 +787,10 @@ if (isset($_POST["import_assets_csv"])) { flash_alert("Bad file size (empty?)", 'error'); } - //(Else)Check column count (name, desc, type, make, model, serial, os, purchase date, assigned to, location) + //(Else)Check column count (name, desc, type, make, model, serial, os, purchase date, assigned to, location, notes) $f = fopen($file_name, "r"); $f_columns = fgetcsv($f, 1000, ","); - if (!$error & count($f_columns) != 11) { + if (!$error & count($f_columns) != 12) { $error = true; flash_alert("Invalid column count.", 'error'); } @@ -884,10 +884,15 @@ if (isset($_POST["import_assets_csv"])) { $physical_location = sanitizeInput($column[10]); } + // Notes (varchar) + if (!empty($column[11])) { + $notes = sanitizeInput($column[11]); + } + // Check if duplicate was detected if ($duplicate_detect == 0) { //Add - mysqli_query($mysqli,"INSERT INTO assets SET asset_name = '$name', asset_description = '$description', asset_type = '$type', asset_make = '$make', asset_model = '$model', asset_serial = '$serial', asset_os = '$os', asset_purchase_date = $purchase_date, asset_physical_location = '$physical_location', asset_contact_id = $contact_id, asset_location_id = $location_id, asset_client_id = $client_id"); + mysqli_query($mysqli,"INSERT INTO assets SET asset_name = '$name', asset_description = '$description', asset_type = '$type', asset_make = '$make', asset_model = '$model', asset_serial = '$serial', asset_os = '$os', asset_purchase_date = $purchase_date, asset_physical_location = '$physical_location', asset_notes = '$notes', asset_contact_id = $contact_id, asset_location_id = $location_id, asset_client_id = $client_id"); $asset_id = mysqli_insert_id($mysqli); @@ -932,7 +937,7 @@ if (isset($_GET['download_assets_csv_template'])) { $f = fopen('php://memory', 'w'); //set column headers - $fields = array('Name', 'Description', 'Type', 'Make', 'Model', 'Serial', 'OS', 'Purchase Date', 'Assigned To', 'Location', 'Physical Location'); + $fields = array('Name', 'Description', 'Type', 'Make', 'Model', 'Serial', 'OS', 'Purchase Date', 'Assigned To', 'Location', 'Physical Location', 'Notes'); fputcsv($f, $fields, $delimiter); //move back to beginning of file From 975b52a43d82c587bf7e2297c3c0c21af32e7133 Mon Sep 17 00:00:00 2001 From: wrongecho Date: Wed, 15 Oct 2025 12:29:26 +0100 Subject: [PATCH 021/112] Time tracking - show H/M/S placeholders if timer auto-start is disabled --- agent/js/ticket_time_tracking.js | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/agent/js/ticket_time_tracking.js b/agent/js/ticket_time_tracking.js index ea1b69f8..97081829 100644 --- a/agent/js/ticket_time_tracking.js +++ b/agent/js/ticket_time_tracking.js @@ -23,6 +23,15 @@ } function displayTime() { + + // Show hrs, mins, sec input placeholders if auto-start is off + if (elapsedSecs === 0) { + document.getElementById("hours").value = ""; + document.getElementById("minutes").value = ""; + document.getElementById("seconds").value = ""; + return; + } + let totalSeconds = elapsedSecs; let hours = Math.floor(totalSeconds / 3600); totalSeconds %= 3600; From f0c48d23fee969604c27fe5bbb6312e367d5ed48 Mon Sep 17 00:00:00 2001 From: wrongecho Date: Wed, 15 Oct 2025 15:27:56 +0100 Subject: [PATCH 022/112] Add html code plugin + button to tinymceticket --- js/app.js | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/js/app.js b/js/app.js index c3ce421d..e8e6b0fe 100644 --- a/js/app.js +++ b/js/app.js @@ -169,14 +169,15 @@ $(document).ready(function() { { name: 'lists', items: ['bullist', 'numlist'] }, { name: 'indentation', items: ['outdent', 'indent'] }, { name: 'ai', items: ['reword', 'undo', 'redo'] }, - { name: 'custom', items: ['redactButton'] } // Add custom redact button to toolbar + { name: 'custom', items: ['redactButton'] }, // Add custom redact button to toolbar + { name: 'code', items: ['code'] }, ], mobile: { menubar: false, toolbar: 'bold italic styles' }, convert_urls: false, - plugins: 'link image lists table code codesample fullscreen autoresize', + plugins: 'link image lists table code codesample fullscreen autoresize code', license_key: 'gpl', setup: function(editor) { var rewordButtonApi; From 65ff008ccf90d96f2331ab60b681d4082522c24b Mon Sep 17 00:00:00 2001 From: wrongecho Date: Wed, 15 Oct 2025 15:36:07 +0100 Subject: [PATCH 023/112] Bugfix - Email not including ticket guest key --- agent/post/ticket.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/agent/post/ticket.php b/agent/post/ticket.php index e7dd756f..1d3782c2 100644 --- a/agent/post/ticket.php +++ b/agent/post/ticket.php @@ -131,10 +131,9 @@ if (isset($_POST['add_ticket'])) { $company_name = sanitizeInput($row['company_name']); $company_phone = sanitizeInput(formatPhoneNumber($row['company_phone'], $row['company_phone_country_code'])); - // EMAILING - $subject = "Ticket created [$ticket_prefix$ticket_number] - $ticket_subject"; + $subject = "Ticket Created [$ticket_prefix$ticket_number] - $ticket_subject"; $body = "##- Please type your reply above this line -##

Hello $contact_name,

A ticket regarding \"$ticket_subject\" has been created for you.

--------------------------------
$ticket_details--------------------------------

Ticket: $ticket_prefix$ticket_number
Subject: $ticket_subject
Status: Open
Portal: View ticket

--
$company_name - Support
$config_ticket_from_email
$company_phone"; // Verify contact email is valid @@ -234,7 +233,7 @@ if (isset($_POST['edit_ticket'])) { } // Get contact/ticket details after update for logging / email purposes - $sql = mysqli_query($mysqli, "SELECT contact_name, contact_email, ticket_prefix, ticket_number, ticket_category, ticket_details, ticket_status_name, ticket_created_by, ticket_assigned_to, ticket_client_id FROM tickets + $sql = mysqli_query($mysqli, "SELECT contact_name, contact_email, ticket_prefix, ticket_number, ticket_category, ticket_details, ticket_status_name, ticket_created_by, ticket_assigned_to, ticket_url_key, ticket_client_id FROM tickets LEFT JOIN clients ON ticket_client_id = client_id LEFT JOIN contacts ON ticket_contact_id = contact_id LEFT JOIN ticket_statuses ON ticket_status = ticket_status_id @@ -251,6 +250,7 @@ if (isset($_POST['edit_ticket'])) { $ticket_status = sanitizeInput($row['ticket_status_name']); $ticket_created_by = intval($row['ticket_created_by']); $ticket_assigned_to = intval($row['ticket_assigned_to']); + $url_key = sanitizeInput($row['ticket_url_key']); $client_id = intval($row['ticket_client_id']); // Notify new contact if selected @@ -2402,7 +2402,7 @@ if (isset($_POST['bulk_force_recurring_tickets'])) { // Notify client by email their ticket has been raised, if general notifications are turned on & there is a valid contact email if (!empty($config_smtp_host) && $config_ticket_client_general_notifications == 1 && filter_var($contact_email, FILTER_VALIDATE_EMAIL)) { - $email_subject = "Ticket created - [$ticket_prefix$ticket_number] - $ticket_subject (scheduled)"; + $email_subject = "Ticket Created - [$ticket_prefix$ticket_number] - $ticket_subject (scheduled)"; $email_body = "##- Please type your reply above this line -##

Hello $contact_name,

A ticket regarding \"$ticket_subject\" has been automatically created for you.

--------------------------------
$ticket_details--------------------------------

Ticket: $ticket_prefix$ticket_number
Subject: $ticket_subject
Status: Open
Portal: https://$config_base_url/client/ticket.php?id=$id

--
$company_name - Support
$config_ticket_from_email
$company_phone"; $email = [ From 93bb5db01971e97b383a38ea7dda61b5500a33e1 Mon Sep 17 00:00:00 2001 From: wrongecho Date: Wed, 15 Oct 2025 21:56:21 +0100 Subject: [PATCH 024/112] typo --- agent/post/certificate.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/agent/post/certificate.php b/agent/post/certificate.php index 60b4e4e7..6f33865a 100644 --- a/agent/post/certificate.php +++ b/agent/post/certificate.php @@ -120,7 +120,7 @@ if (isset($_GET['archive_certificate'])) { mysqli_query($mysqli,"UPDATE certificates SET certificate_archived_at = NOW() WHERE certificate_id = $certificate_id"); - logAction("Certificate", "Archive", "$session_name arhvived certificate $certificate_name", $client_id, $certificate_id); + logAction("Certificate", "Archive", "$session_name archived certificate $certificate_name", $client_id, $certificate_id); flash_alert("Certificate $certificate_name archived", 'alert'); From 5dd4f5ea62799260de98b24e25c7498b6874bf7b Mon Sep 17 00:00:00 2001 From: wrongecho Date: Thu, 16 Oct 2025 16:32:37 +0100 Subject: [PATCH 025/112] New mail parser: - bugfix .eml not being generated - include the message when notifying the tech of a reply --- cron/ticket_email_parser.php | 13 +++---------- 1 file changed, 3 insertions(+), 10 deletions(-) diff --git a/cron/ticket_email_parser.php b/cron/ticket_email_parser.php index d82b115c..2c5e7b71 100644 --- a/cron/ticket_email_parser.php +++ b/cron/ticket_email_parser.php @@ -284,7 +284,7 @@ function addReply($from_email, $date, $subject, $ticket_number, $message, $attac $tech_name = sanitizeInput($tech_row['user_name']); $email_subject = "$config_app_name - Ticket updated - [$config_ticket_prefix$ticket_number] $ticket_subject"; - $email_body = "Hello $tech_name,

A new reply has been added to the below ticket, check ITFlow for full details.

Client: $client_name
Ticket: $config_ticket_prefix$ticket_number
Subject: $ticket_subject

https://$config_base_url/agent/ticket.php?ticket_id=$ticket_id"; + $email_body = "Hello $tech_name,

A new reply has been added to the below ticket.

Client: $client_name
Ticket: $config_ticket_prefix$ticket_number
Subject: $ticket_subject
Link: https://$config_base_url/agent/ticket.php?ticket_id=$ticket_id

--------------------------------
$message_esc"; $data = [ [ @@ -546,17 +546,10 @@ $unprocessed_count = 0; foreach ($messages as $message) { $email_processed = false; - // Save original RFC822 message as .eml + // Save original message as .eml (getRawMessage() doesn't seem to work properly) mkdirMissing('../uploads/tmp/'); $original_message_file = "processed-eml-" . randomString(200) . ".eml"; - - try { - // getRawMessage() available in v3; for v2 use getHeader()->raw or getStructure()? We'll try getRawMessage() - $raw_message = $message->getRawMessage(); - } catch (\Throwable $e) { - // Fallback to rebuilding from headers + body if raw not available - $raw_message = (string)$message->getHeader()->raw . "\r\n\r\n" . ($message->getRawBody() ?? $message->getHTMLBody() ?? $message->getTextBody()); - } + $raw_message = (string)$message->getHeader()->raw . "\r\n\r\n" . ($message->getRawBody() ?? $message->getHTMLBody() ?? $message->getTextBody()); file_put_contents("../uploads/tmp/{$original_message_file}", $raw_message); // From From ecce9949211bc0745593816b5a5c3606fbdc7be5 Mon Sep 17 00:00:00 2001 From: johnnyq Date: Thu, 16 Oct 2025 11:43:26 -0400 Subject: [PATCH 026/112] Used status var unstead of get status var for checkall --- agent/ticket_list.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/agent/ticket_list.php b/agent/ticket_list.php index c001a134..9ac24ea5 100644 --- a/agent/ticket_list.php +++ b/agent/ticket_list.php @@ -9,7 +9,7 @@ - +
From ab77705ca238bceb43daeb19c5b0a6316c6dd24f Mon Sep 17 00:00:00 2001 From: johnnyq Date: Mon, 20 Oct 2025 18:04:00 -0400 Subject: [PATCH 027/112] Feature: Replace old date range to Date Range Picker JS for better date from/to handling --- agent/clients.php | 49 +++++----------- agent/expenses.php | 33 +++-------- agent/invoices.php | 33 +++-------- agent/payments.php | 33 +++-------- agent/projects.php | 33 +++-------- agent/quotes.php | 33 +++-------- agent/recurring_expenses.php | 33 +++-------- agent/recurring_invoices.php | 33 +++-------- agent/revenues.php | 33 +++-------- agent/tickets.php | 61 +++----------------- agent/transfers.php | 33 +++-------- agent/trips.php | 33 +++-------- includes/filter_header.php | 8 ++- includes/footer.php | 1 + js/date_filter.js | 108 +++++++++++++++++++++++++++++++++++ 15 files changed, 206 insertions(+), 351 deletions(-) create mode 100644 js/date_filter.js diff --git a/agent/clients.php b/agent/clients.php index 2dbd32af..08aa960f 100644 --- a/agent/clients.php +++ b/agent/clients.php @@ -178,49 +178,28 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
" id="advancedFilter" >
-
+
- - + + + + +
-
-
- - -
-
-
-
- - -
-
-
+ +
- - - - - - - - - - -
-
-
-
- - -
-
-
-
- - + + + + +
diff --git a/agent/invoices.php b/agent/invoices.php index 995d837a..d988f095 100644 --- a/agent/invoices.php +++ b/agent/invoices.php @@ -230,34 +230,15 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
-
" id="advancedFilter"> +
" id="advancedFilter">
-
+
- - -
-
-
-
- - -
-
-
-
- - + + + + +
diff --git a/agent/payments.php b/agent/payments.php index 6f00c86e..5604b0ac 100644 --- a/agent/payments.php +++ b/agent/payments.php @@ -123,34 +123,15 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
-
" id="advancedFilter"> +
" id="advancedFilter">
-
+
- - -
-
-
-
- - -
-
-
-
- - + + + + +
diff --git a/agent/projects.php b/agent/projects.php index 6e20f694..b80401cc 100644 --- a/agent/projects.php +++ b/agent/projects.php @@ -94,34 +94,15 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
-
" id="advancedFilter"> +
" id="advancedFilter">
-
+
- - -
-
-
-
- - -
-
-
-
- - + + + + +
diff --git a/agent/quotes.php b/agent/quotes.php index eeb65d54..2e82774f 100644 --- a/agent/quotes.php +++ b/agent/quotes.php @@ -75,34 +75,15 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
-
" id="advancedFilter"> +
" id="advancedFilter">
-
+
- - -
-
-
-
- - -
-
-
-
- - + + + + +
diff --git a/agent/recurring_expenses.php b/agent/recurring_expenses.php index b03224ba..79e115a4 100644 --- a/agent/recurring_expenses.php +++ b/agent/recurring_expenses.php @@ -51,34 +51,15 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
-
" id="advancedFilter"> +
" id="advancedFilter">
-
+
- - -
-
-
-
- - -
-
-
-
- - + + + + +
diff --git a/agent/recurring_invoices.php b/agent/recurring_invoices.php index abfe3a49..67b6e037 100644 --- a/agent/recurring_invoices.php +++ b/agent/recurring_invoices.php @@ -76,34 +76,15 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
-
" id="advancedFilter"> +
" id="advancedFilter">
-
+
- - -
-
-
-
- - -
-
-
-
- - + + + + +
diff --git a/agent/revenues.php b/agent/revenues.php index 5e501ed6..da524287 100644 --- a/agent/revenues.php +++ b/agent/revenues.php @@ -46,34 +46,15 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
-
" id="advancedFilter"> +
" id="advancedFilter">
-
+
- - -
-
-
-
- - -
-
-
-
- - + + + + +
diff --git a/agent/tickets.php b/agent/tickets.php index f4e12581..f1e73b14 100644 --- a/agent/tickets.php +++ b/agent/tickets.php @@ -306,8 +306,7 @@ $sql_categories_filter = mysqli_query(
-
+
- - -
-
-
-
- - -
-
-
-
- - + + + + +
diff --git a/agent/transfers.php b/agent/transfers.php index 632d9441..6ebcfb0b 100644 --- a/agent/transfers.php +++ b/agent/transfers.php @@ -69,34 +69,15 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
-
" id="advancedFilter"> +
" id="advancedFilter">
-
+
- - -
-
-
-
- - -
-
-
-
- - + + + + +
diff --git a/agent/trips.php b/agent/trips.php index 9414342b..b7792f17 100644 --- a/agent/trips.php +++ b/agent/trips.php @@ -70,34 +70,15 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
-
" id="advancedFilter"> +
" id="advancedFilter">
-
+
- - -
-
-
-
- - -
-
-
-
- - + + + + +
diff --git a/includes/filter_header.php b/includes/filter_header.php index 1008ef2f..cc31ef9c 100644 --- a/includes/filter_header.php +++ b/includes/filter_header.php @@ -98,9 +98,13 @@ if ($_GET['canned_date'] == "custom" && !empty($_GET['dtf'])) { } elseif ($_GET['canned_date'] == "lastyear") { $dtf = date('Y-m-d', strtotime("first day of january last year")); $dtt = date('Y-m-d', strtotime("last day of december last year")); +}elseif (isset($_GET['canned_date']) && $_GET['canned_date'] === "alltime") { + $dtf = '1970-01-01'; + $dtt = '2099-12-31'; } else { - $dtf = "NULL"; - $dtt = '2035-12-31'; + // Fallback acts like all time + $dtf = '1970-01-01'; + $dtt = '2099-12-31'; } // Archived diff --git a/includes/footer.php b/includes/footer.php index c90d42bc..ce5b8bf2 100644 --- a/includes/footer.php +++ b/includes/footer.php @@ -51,6 +51,7 @@ if (basename(dirname($_SERVER['REQUEST_URI'])) === 'guest') { ?> + diff --git a/js/date_filter.js b/js/date_filter.js new file mode 100644 index 00000000..502710f6 --- /dev/null +++ b/js/date_filter.js @@ -0,0 +1,108 @@ +(function ($, window) { + "use strict"; + + $(function () { + var $input = $('#dateFilter'); + if (!$input.length) return; // nothing to initialize + + var $canned = $('#canned_date'); + var $dtf = $('#dtf'); + var $dtt = $('#dtt'); + + // Default to "All Time" if nothing provided + var hasValues = + ($dtf.val() && $dtt.val()) || + ($canned.val() && $canned.val() !== ''); + + if (!hasValues) { + $canned.val('alltime'); + $dtf.val('1970-01-01'); + $dtt.val('2099-12-31'); + } + + var initialStart = moment($dtf.val(), "YYYY-MM-DD"); + var initialEnd = moment($dtt.val(), "YYYY-MM-DD"); + + function setDisplay(start, end, label) { + // Special display for All Time + if ( + label === 'All Time' || + (start.format('YYYY-MM-DD') === '1970-01-01' && + end.format('YYYY-MM-DD') === '2099-12-31') + ) { + $input.val('All Time'); + } else { + $input.val(start.format('YYYY-MM-DD') + " — " + end.format('YYYY-MM-DD')); + } + } + + var cannedMap = { + "Today": "today", + "Yesterday": "yesterday", + "This Week": "thisweek", + "Last Week": "lastweek", + "This Month": "thismonth", + "Last Month": "lastmonth", + "This Year": "thisyear", + "Last Year": "lastyear", + "All Time": "alltime" + }; + + $input.daterangepicker({ + startDate: initialStart, + endDate: initialEnd, + autoUpdateInput: true, + opens: 'left', + locale: { + format: 'YYYY-MM-DD', + firstDay: 1 + }, + ranges: { + 'Today': [moment(), moment()], + 'Yesterday': [moment().subtract(1, 'day'), moment().subtract(1, 'day')], + 'This Week': [moment().startOf('isoWeek'), moment()], + 'Last Week': [ + moment().subtract(1, 'week').startOf('isoWeek'), + moment().subtract(1, 'week').endOf('isoWeek') + ], + 'This Month': [moment().startOf('month'), moment()], + 'Last Month': [ + moment().subtract(1, 'month').startOf('month'), + moment().subtract(1, 'month').endOf('month') + ], + 'This Year': [moment().startOf('year'), moment()], + 'Last Year': [ + moment().subtract(1, 'year').startOf('year'), + moment().subtract(1, 'year').endOf('year') + ], + 'All Time': [ + moment('1970-01-01', 'YYYY-MM-DD'), + moment('2099-12-31', 'YYYY-MM-DD') + ] + } + }, setDisplay); + + // Show initial label + setDisplay(initialStart, initialEnd); + + $input.on('apply.daterangepicker', function (ev, picker) { + var label = picker.chosenLabel || ''; + var canned = cannedMap[label]; + + if (canned) { + $canned.val(canned); + $dtf.val(''); + $dtt.val(''); + } else { + $canned.val('custom'); + $dtf.val(picker.startDate.format('YYYY-MM-DD')); + $dtt.val(picker.endDate.format('YYYY-MM-DD')); + } + + setDisplay(picker.startDate, picker.endDate, label); + + // Auto-submit form + this.form.submit(); + }); + }); +})(jQuery, window); \ No newline at end of file From c5dd5f2b6f626b037a5168f3e1e2027af295e017 Mon Sep 17 00:00:00 2001 From: johnnyq Date: Mon, 20 Oct 2025 18:16:39 -0400 Subject: [PATCH 028/112] Add Clause to not collapse advanced filter on all time aka if date from is set to the default 1970-01-01 --- agent/clients.php | 3 +-- agent/expenses.php | 2 +- agent/invoices.php | 2 +- agent/payments.php | 2 +- agent/projects.php | 2 +- agent/quotes.php | 2 +- agent/recurring_expenses.php | 2 +- agent/recurring_invoices.php | 2 +- agent/revenues.php | 2 +- agent/tickets.php | 3 +-- agent/transfers.php | 2 +- agent/trips.php | 2 +- 12 files changed, 12 insertions(+), 14 deletions(-) diff --git a/agent/clients.php b/agent/clients.php index 08aa960f..a7c512cc 100644 --- a/agent/clients.php +++ b/agent/clients.php @@ -178,7 +178,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
-
diff --git a/agent/expenses.php b/agent/expenses.php index e1929823..8c07f446 100644 --- a/agent/expenses.php +++ b/agent/expenses.php @@ -117,7 +117,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
-
" id="advancedFilter"> +
" id="advancedFilter">
diff --git a/agent/invoices.php b/agent/invoices.php index d988f095..2c4aa0dd 100644 --- a/agent/invoices.php +++ b/agent/invoices.php @@ -230,7 +230,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
-
" id="advancedFilter"> +
" id="advancedFilter">
diff --git a/agent/payments.php b/agent/payments.php index 5604b0ac..106f88a1 100644 --- a/agent/payments.php +++ b/agent/payments.php @@ -123,7 +123,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
-
" id="advancedFilter"> +
" id="advancedFilter">
diff --git a/agent/projects.php b/agent/projects.php index b80401cc..1c80b8d4 100644 --- a/agent/projects.php +++ b/agent/projects.php @@ -94,7 +94,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
-
" id="advancedFilter"> +
" id="advancedFilter">
diff --git a/agent/quotes.php b/agent/quotes.php index 2e82774f..dee85a2e 100644 --- a/agent/quotes.php +++ b/agent/quotes.php @@ -75,7 +75,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
-
" id="advancedFilter"> +
" id="advancedFilter">
diff --git a/agent/recurring_expenses.php b/agent/recurring_expenses.php index 79e115a4..2aee8993 100644 --- a/agent/recurring_expenses.php +++ b/agent/recurring_expenses.php @@ -51,7 +51,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
-
" id="advancedFilter"> +
" id="advancedFilter">
diff --git a/agent/recurring_invoices.php b/agent/recurring_invoices.php index 67b6e037..633644a0 100644 --- a/agent/recurring_invoices.php +++ b/agent/recurring_invoices.php @@ -76,7 +76,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
-
" id="advancedFilter"> +
" id="advancedFilter">
diff --git a/agent/revenues.php b/agent/revenues.php index da524287..a48ce8a2 100644 --- a/agent/revenues.php +++ b/agent/revenues.php @@ -46,7 +46,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
-
" id="advancedFilter"> +
" id="advancedFilter">
diff --git a/agent/tickets.php b/agent/tickets.php index f1e73b14..3442e1f6 100644 --- a/agent/tickets.php +++ b/agent/tickets.php @@ -306,8 +306,7 @@ $sql_categories_filter = mysqli_query(
-
" id="advancedFilter"> +
" id="advancedFilter">
diff --git a/agent/trips.php b/agent/trips.php index b7792f17..40f6ea23 100644 --- a/agent/trips.php +++ b/agent/trips.php @@ -70,7 +70,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
-
" id="advancedFilter"> +
" id="advancedFilter">
From 303f9174c99e2f101ec85de9005849db41c48eed Mon Sep 17 00:00:00 2001 From: johnnyq Date: Wed, 22 Oct 2025 14:50:50 -0400 Subject: [PATCH 029/112] Added Bulk Create Tickets for Clients --- agent/clients.php | 7 +- .../modals/client/client_bulk_add_ticket.php | 137 ++++++++++++++++++ agent/post/client.php | 114 +++++++++++++++ agent/post/ticket.php | 1 - 4 files changed, 257 insertions(+), 2 deletions(-) create mode 100644 agent/modals/client/client_bulk_add_ticket.php diff --git a/agent/clients.php b/agent/clients.php index a7c512cc..eb931760 100644 --- a/agent/clients.php +++ b/agent/clients.php @@ -137,6 +137,10 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()")); Action (0)
+ + Open Tickets + +
Set Hourly Rate @@ -600,7 +604,8 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()")); require_once "modals/client/client_bulk_edit_industry.php"; require_once "modals/client/client_bulk_edit_referral.php"; require_once "modals/client/client_bulk_edit_hourly_rate.php"; - require_once "modals/client/client_bulk_assign_tags.php"; + require_once "modals/client/client_bulk_assign_tags.php"; + require_once "modals/client/client_bulk_add_ticket.php"; require_once "modals/client/client_bulk_email.php"; ?> diff --git a/agent/modals/client/client_bulk_add_ticket.php b/agent/modals/client/client_bulk_add_ticket.php new file mode 100644 index 00000000..311f0356 --- /dev/null +++ b/agent/modals/client/client_bulk_add_ticket.php @@ -0,0 +1,137 @@ + diff --git a/agent/post/client.php b/agent/post/client.php index e1726f9b..601f8e0e 100644 --- a/agent/post/client.php +++ b/agent/post/client.php @@ -598,6 +598,120 @@ if (isset($_GET['download_clients_csv_template'])) { } +if (isset($_POST['bulk_add_client_ticket'])) { + + validateCSRFToken($_POST['csrf_token']); + + enforceUserPermission('module_support', 2); + + $assigned_to = intval($_POST['bulk_assigned_to']); + if ($assigned_to == 0) { + $ticket_status = 1; + } else { + $ticket_status = 2; + } + $subject = sanitizeInput($_POST['bulk_subject']); + $priority = sanitizeInput($_POST['bulk_priority']); + $category_id = intval($_POST['bulk_category']); + $details = mysqli_real_escape_string($mysqli, $_POST['bulk_details']); + $project_id = intval($_POST['bulk_project']); + $use_primary_contact = intval($_POST['use_primary_contact']); + $ticket_template_id = intval($_POST['bulk_ticket_template_id']); + $billable = intval($_POST['bulk_billable'] ?? 0); + + // Check to see if adding a ticket by template + if($ticket_template_id) { + $sql = mysqli_query($mysqli, "SELECT * FROM ticket_templates WHERE ticket_template_id = $ticket_template_id"); + $row = mysqli_fetch_array($sql); + + // Override Template Subject + if(empty($subject)) { + $subject = sanitizeInput($row['ticket_template_subject']); + } + $details = mysqli_escape_string($mysqli, $row['ticket_template_details']); + + // Get Associated Tasks from the ticket template + $sql_task_templates = mysqli_query($mysqli, "SELECT * FROM task_templates WHERE task_template_ticket_template_id = $ticket_template_id"); + + } + + // Create ticket for each selected asset + if (isset($_POST['client_ids'])) { + + // Get a Asset Count + $client_count = count($_POST['client_ids']); + + foreach ($_POST['client_ids'] as $client_id) { + $client_id = intval($client_id); + + $sql = mysqli_query($mysqli, "SELECT * FROM clients WHERE client_id = $client_id"); + $row = mysqli_fetch_array($sql); + + $client_name = sanitizeInput($row['client_name']); + + // Get the next Ticket Number and update the config + $sql_ticket_number = mysqli_query($mysqli, "SELECT config_ticket_next_number FROM settings WHERE company_id = 1"); + $ticket_number_row = mysqli_fetch_array($sql_ticket_number); + $ticket_number = intval($ticket_number_row['config_ticket_next_number']); + + // Sanitize Config Vars from get_settings.php and Session Vars from check_login.php + $config_ticket_prefix = sanitizeInput($config_ticket_prefix); + $config_ticket_from_name = sanitizeInput($config_ticket_from_name); + $config_ticket_from_email = sanitizeInput($config_ticket_from_email); + $config_base_url = sanitizeInput($config_base_url); + + //Generate a unique URL key for clients to access + $url_key = randomString(156); + + // Increment the config ticket next number + $new_config_ticket_next_number = $ticket_number + 1; + + mysqli_query($mysqli, "UPDATE settings SET config_ticket_next_number = $new_config_ticket_next_number WHERE company_id = 1"); + + mysqli_query($mysqli, "INSERT INTO tickets SET ticket_prefix = '$config_ticket_prefix', ticket_number = $ticket_number, ticket_category = $category_id, ticket_subject = '$subject', ticket_details = '$details', ticket_priority = '$priority', ticket_billable = $billable, ticket_status = $ticket_status, ticket_created_by = $session_user_id, ticket_assigned_to = $assigned_to, ticket_url_key = '$url_key', ticket_client_id = $client_id, ticket_project_id = $project_id"); + + $ticket_id = mysqli_insert_id($mysqli); + + // Update the next ticket number in the database + mysqli_query($mysqli, "UPDATE settings SET config_ticket_next_number = $new_config_ticket_next_number WHERE company_id = 1"); + + // Add Tasks + if (!empty($_POST['tasks'])) { + foreach ($_POST['tasks'] as $task) { + $task_name = sanitizeInput($task); + // Check that task_name is not-empty (For some reason the !empty on the array doesnt work here like in watchers) + if (!empty($task_name)) { + mysqli_query($mysqli,"INSERT INTO tasks SET task_name = '$task_name', task_ticket_id = $ticket_id"); + } + } + } + + // Add Tasks from Template if Template was selected + if($ticket_template_id) { + if (mysqli_num_rows($sql_task_templates) > 0) { + while ($row = mysqli_fetch_array($sql_task_templates)) { + $task_order = intval($row['task_template_order']); + $task_name = sanitizeInput($row['task_template_name']); + + mysqli_query($mysqli,"INSERT INTO tasks SET task_name = '$task_name', task_order = $task_order, task_ticket_id = $ticket_id"); + } + } + } + + // Custom action/notif handler + customAction('ticket_create', $ticket_id); + } + + logAction("Ticket", "Bulk Create", "$session_name created $client_count tickets for $client_name"); + + flash_alert("$client_count tickets created for selected clients"); + + } + + redirect(); + +} + if (isset($_POST['bulk_edit_client_industry'])) { validateCSRFToken($_POST['csrf_token']); diff --git a/agent/post/ticket.php b/agent/post/ticket.php index 1d3782c2..281ec9f4 100644 --- a/agent/post/ticket.php +++ b/agent/post/ticket.php @@ -1561,7 +1561,6 @@ if (isset($_POST['bulk_add_asset_ticket'])) { } - if (isset($_POST['add_ticket_reply'])) { enforceUserPermission('module_support', 2); From 10dc8ea2bf21f9022f6b96fa411679f255557fbc Mon Sep 17 00:00:00 2001 From: johnnyq Date: Wed, 22 Oct 2025 14:53:43 -0400 Subject: [PATCH 030/112] Wording update for client bulk modals --- agent/modals/client/client_bulk_edit_hourly_rate.php | 2 +- agent/modals/client/client_bulk_edit_industry.php | 2 +- agent/modals/client/client_bulk_edit_referral.php | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/agent/modals/client/client_bulk_edit_hourly_rate.php b/agent/modals/client/client_bulk_edit_hourly_rate.php index ed1b53db..9db103ed 100644 --- a/agent/modals/client/client_bulk_edit_hourly_rate.php +++ b/agent/modals/client/client_bulk_edit_hourly_rate.php @@ -23,7 +23,7 @@
- +
diff --git a/agent/modals/client/client_bulk_edit_industry.php b/agent/modals/client/client_bulk_edit_industry.php index 8211e54e..1b46e708 100644 --- a/agent/modals/client/client_bulk_edit_industry.php +++ b/agent/modals/client/client_bulk_edit_industry.php @@ -23,7 +23,7 @@
- +
diff --git a/agent/modals/client/client_bulk_edit_referral.php b/agent/modals/client/client_bulk_edit_referral.php index 768357e6..dbdd4dba 100644 --- a/agent/modals/client/client_bulk_edit_referral.php +++ b/agent/modals/client/client_bulk_edit_referral.php @@ -41,7 +41,7 @@
- +
From 2dc66b329bb4ea4d8ef5ebc886233fd145d19ba5 Mon Sep 17 00:00:00 2001 From: johnnyq Date: Wed, 22 Oct 2025 15:26:15 -0400 Subject: [PATCH 031/112] Fix Ajax Modal Link to referral category in Add Bulk Referral --- agent/modals/client/client_bulk_edit_referral.php | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/agent/modals/client/client_bulk_edit_referral.php b/agent/modals/client/client_bulk_edit_referral.php index dbdd4dba..4c6cd248 100644 --- a/agent/modals/client/client_bulk_edit_referral.php +++ b/agent/modals/client/client_bulk_edit_referral.php @@ -28,10 +28,8 @@
-
From 0cacf83ae59014a6af9681d271f54a450b044443 Mon Sep 17 00:00:00 2001 From: johnnyq Date: Wed, 22 Oct 2025 16:28:53 -0400 Subject: [PATCH 032/112] Fix Sending Email when Forcing a Recurring Invoice into an Invoice --- agent/post/invoice.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/agent/post/invoice.php b/agent/post/invoice.php index 069fe47e..d6061460 100644 --- a/agent/post/invoice.php +++ b/agent/post/invoice.php @@ -1798,7 +1798,7 @@ if (isset($_GET['force_recurring'])) { //Also update the newly created invoice with the new amounts mysqli_query($mysqli,"UPDATE invoices SET invoice_amount = $new_recurring_invoice_amount WHERE invoice_id = $new_invoice_id"); - if ($config_recurring_invoice_auto_send_invoice == 1) { + if ($config_recurring_auto_send_invoice == 1) { $sql = mysqli_query($mysqli,"SELECT * FROM invoices LEFT JOIN clients ON invoice_client_id = client_id LEFT JOIN contacts ON clients.client_id = contacts.contact_client_id AND contact_primary = 1 From e24ef68d8d999267b79c4107d9b7977e68f668a4 Mon Sep 17 00:00:00 2001 From: johnnyq Date: Wed, 22 Oct 2025 17:11:26 -0400 Subject: [PATCH 033/112] Fix Deleting Recurring Ticket from asset details page due to missing CSRF Check token --- agent/asset_details.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/agent/asset_details.php b/agent/asset_details.php index ac4ec904..26fa998f 100644 --- a/agent/asset_details.php +++ b/agent/asset_details.php @@ -1001,7 +1001,7 @@ if (isset($_GET['asset_id'])) {
- + Delete
From c66aa92365832e951e159b3b0d29aea9575a6779 Mon Sep 17 00:00:00 2001 From: johnnyq Date: Thu, 23 Oct 2025 13:07:02 -0400 Subject: [PATCH 034/112] Update All Side Nav Links to be absolute so the side bar includes can be navigatable when navs are included in custom code --- admin/includes/side_nav.php | 76 ++++++++++----------- agent/includes/client_side_nav.php | 48 ++++++------- agent/includes/side_nav.php | 42 ++++++------ agent/reports/includes/reports_side_nav.php | 28 ++++---- agent/user/includes/user_side_nav.php | 10 +-- 5 files changed, 102 insertions(+), 102 deletions(-) diff --git a/admin/includes/side_nav.php b/admin/includes/side_nav.php index 89b06517..9dccd526 100644 --- a/admin/includes/side_nav.php +++ b/admin/includes/side_nav.php @@ -16,19 +16,19 @@
-
" id="advancedFilter"> +
" id="advancedFilter">
-
+
- - -
-
-
-
- - -
-
-
-
- - + + + + +
diff --git a/admin/audit_log.php b/admin/audit_log.php index 33b58ac0..06a11e13 100644 --- a/admin/audit_log.php +++ b/admin/audit_log.php @@ -159,34 +159,15 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
-
" id="advancedFilter"> +
" id="advancedFilter">
-
+
- - -
-
-
-
- - -
-
-
-
- - + + + + +
diff --git a/admin/mail_queue.php b/admin/mail_queue.php index 13d489f5..c5be2441 100644 --- a/admin/mail_queue.php +++ b/admin/mail_queue.php @@ -53,34 +53,15 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
-
" id="advancedFilter"> +
" id="advancedFilter">
-
+
- - -
-
-
-
- - -
-
-
-
- - + + + + +
From 559506fc9096fcd3824160b15694452f368e1858 Mon Sep 17 00:00:00 2001 From: johnnyq Date: Thu, 23 Oct 2025 15:55:54 -0400 Subject: [PATCH 036/112] Added Access Modules to view current modules and to allow custom modules for the future for use in custom code directories --- admin/includes/side_nav.php | 8 ++- admin/modules.php | 113 ++++++++++++++++++++++++++++++++++++ 2 files changed, 120 insertions(+), 1 deletion(-) create mode 100644 admin/modules.php diff --git a/admin/includes/side_nav.php b/admin/includes/side_nav.php index 9dccd526..cf4a7f15 100644 --- a/admin/includes/side_nav.php +++ b/admin/includes/side_nav.php @@ -14,7 +14,7 @@
-
+
@@ -290,7 +291,7 @@ ob_start();
- +
@@ -315,7 +316,7 @@ ob_start(); $location_name_select_display = $location_name_select; } ?> - + @@ -343,8 +344,8 @@ ob_start(); $contact_name_select_display = $contact_name_select; } ?> - @@ -360,7 +361,7 @@ ob_start();
@@ -368,7 +369,7 @@ ob_start();
-
+
@@ -391,7 +392,7 @@ ob_start(); $vendor_name_select_display = $vendor_name_select; } ?> - + @@ -405,7 +406,7 @@ ob_start();
- +
@@ -415,7 +416,7 @@ ob_start();
- +
@@ -426,7 +427,7 @@ ob_start();
- +
@@ -437,18 +438,18 @@ ob_start();
- +
-
+
- asset_photo"> + asset_photo">
@@ -458,7 +459,7 @@ ob_start();
- +

Asset ID:

@@ -466,7 +467,7 @@ ob_start();
-
+
diff --git a/agent/modals/contact/contact_add.php b/agent/modals/contact/contact_add.php index 4316776c..6c503027 100644 --- a/agent/modals/contact/contact_add.php +++ b/agent/modals/contact/contact_add.php @@ -350,5 +350,3 @@ $(document).ready(function() { From 24d8635dacbf76707bac1bea4ffbab7cf577d8da Mon Sep 17 00:00:00 2001 From: wrongecho Date: Sat, 1 Nov 2025 17:59:12 +0000 Subject: [PATCH 058/112] Invoice product autocomplete - search product code as well as name --- agent/invoice.php | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/agent/invoice.php b/agent/invoice.php index 106b7765..15e3d609 100644 --- a/agent/invoice.php +++ b/agent/invoice.php @@ -163,7 +163,9 @@ if (isset($_GET['invoice_id'])) { //Product autocomplete $products_sql = mysqli_query($mysqli, " SELECT - product_name AS label, + CONCAT(product_code, ' - ', product_name) AS label, + product_name, + product_code, product_type AS type, product_description AS description, product_price AS price, @@ -747,12 +749,20 @@ require_once "../includes/footer.php"; + + Date: Sat, 1 Nov 2025 16:17:11 -0400 Subject: [PATCH 060/112] Add Recurring Invoice Reference along with a link in Invoices --- agent/invoices.php | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/agent/invoices.php b/agent/invoices.php index 9a86a1b3..9423c58d 100644 --- a/agent/invoices.php +++ b/agent/invoices.php @@ -97,6 +97,7 @@ $sql = mysqli_query( "SELECT SQL_CALC_FOUND_ROWS * FROM invoices LEFT JOIN clients ON invoice_client_id = client_id LEFT JOIN categories ON invoice_category_id = category_id + LEFT JOIN recurring_invoices ON invoice_recurring_invoice_id = recurring_invoice_id WHERE ($status_query) $overdue_query $category_query @@ -298,6 +299,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()")); Status + Recurring Action @@ -330,6 +332,16 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()")); if ($client_net_terms == 0) { $client_net_terms = $config_default_net_terms; } + $recurring_invoice_id = intval($row['recurring_invoice_id']); + $recurring_invoice_prefix = nullable_htmlentities($row['recurring_invoice_prefix']); + $recurring_invoice_number = nullable_htmlentities($row['recurring_invoice_number']); + if($recurring_invoice_id) { + $recurring_invoice_display = "$recurring_invoice_prefix$recurring_invoice_number"; + } else { + $recurring_invoice_display = "-"; + } + + $now = time(); @@ -367,6 +379,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()")); +
-

- - asset_photo"> - - -
- -
-
- -
- -
- -
- -
- -
- -
- -
- -
-
- -
-
-
Primary Network Interface
-
-
- -
- - -
- -
- -
- -
- - -
Client URI:
- -
-
- - -
-
-
Assignment
-
-
- -
- -
- -
- -
- -
- - -
-
- -
-
-
Additional Notes
-
- -
- -
- -
- -
    -
  1. - Clients -
    2. -
  2. - -
    3. -
  3. - Assets -
    4. -
    5. -
- -
-
- -
- - New Ticket - -
- - New Recurring Ticket - -
- - New Credential - -
- - New Document - -
- - Upload file(s) - +
+
+ +

+ + asset_photo"> + + +
+ +
+
+ +
+ +
+ +
+ +
+ +
+ +
+ +
+
-
- -
- - License - -
- - Credential - -
- - Service - -
- - Document - -
- - File - +
+
+
Primary Network Interface
+
+
+ +
+ + +
+ +
+ +
+ +
+ + +
Client URI:
+
+ + +
+
+
Assignment
+
+
+ +
+ +
+ +
+ +
+ +
+ + +
+
+ +
+
+
Additional Notes
+
+ +
+
-
-
-

Interfaces

-
-
- - -
- - Add Multiple - -
- - Import - -
- - Export - -
+
- + +
+ +
+ + License + +
+ + Credential + +
+ + Service + +
+ + Document + +
+ + File + +
+
+
+ +
+
+

Interfaces

+
+
+ +
- - Assign Network + + Add Multiple
- - Set Type + + Import
-
+ +
+
+ + +
+ + "> + + + + + + + + + + + + + + $network_name" + : '-'; + + // Connected interface details + $connected_asset_id = intval($row['connected_asset_id']); + $connected_asset_name = nullable_htmlentities($row['connected_asset_name']); + $connected_asset_type = nullable_htmlentities($row['connected_asset_type']); + $connected_asset_icon = getAssetIcon($connected_asset_type); + $connected_interface_name = nullable_htmlentities($row['connected_interface_name']); + + + // Show either "-" or "AssetName - Port" + if ($connected_asset_name) { + $connected_to_display = " + $connected_asset_name - $connected_interface_name + "; + } else { + $connected_to_display = "-"; + } + ?> + + + + + + + + + + + + +
+
+ +
+ 		Name / PortTypeMACIPNetworkConnected ToAction
+
+ +
+ 		+ + + (Primary)"; } ?> + + +
+ +
+ + Edit + + +
+ + Delete + + +
+
+
+
+ + + +
-
-
- -
- - "> - - - - - - - - - - + +
"> +
+

Credentials

+
+
+
+
-
- -
- 		Name / PortTypeMACIPNetworkConnected ToAction
+ + + + + + + + + + - - $network_name" - : '-'; + while ($row = mysqli_fetch_array($sql_related_credentials)) { + $credential_id = intval($row['credential_id']); + $credential_name = nullable_htmlentities($row['credential_name']); + $credential_description = nullable_htmlentities($row['credential_description']); + $credential_uri = nullable_htmlentities($row['credential_uri']); + if (empty($credential_uri)) { + $credential_uri_display = "-"; + } else { + $credential_uri_display = "$credential_uri"; + } + $credential_username = nullable_htmlentities(decryptCredentialEntry($row['credential_username'])); + if (empty($credential_username)) { + $credential_username_display = "-"; + } else { + $credential_username_display = "$credential_username"; + } + $credential_password = nullable_htmlentities(decryptCredentialEntry($row['credential_password'])); + $credential_otp_secret = nullable_htmlentities($row['credential_otp_secret']); + $credential_id_with_secret = '"' . $row['credential_id'] . '","' . $row['credential_otp_secret'] . '"'; + if (empty($credential_otp_secret)) { + $otp_display = "-"; + } else { + $otp_display = " Hover.."; + } + $credential_note = nullable_htmlentities($row['credential_note']); + $credential_important = intval($row['credential_important']); + $credential_contact_id = intval($row['credential_contact_id']); + $credential_asset_id = intval($row['credential_asset_id']); - // Connected interface details - $connected_asset_id = intval($row['connected_asset_id']); - $connected_asset_name = nullable_htmlentities($row['connected_asset_name']); - $connected_asset_type = nullable_htmlentities($row['connected_asset_type']); - $connected_asset_icon = getAssetIcon($connected_asset_type); - $connected_interface_name = nullable_htmlentities($row['connected_interface_name']); + // Tags + $credential_tag_name_display_array = array(); + $credential_tag_id_array = array(); + $sql_credential_tags = mysqli_query($mysqli, "SELECT * FROM credential_tags LEFT JOIN tags ON credential_tags.tag_id = tags.tag_id WHERE credential_id = $credential_id ORDER BY tag_name ASC"); + while ($row = mysqli_fetch_array($sql_credential_tags)) { - - // Show either "-" or "AssetName - Port" - if ($connected_asset_name) { - $connected_to_display = " - $connected_asset_name - $connected_interface_name - "; - } else { - $connected_to_display = "-"; + $credential_tag_id = intval($row['tag_id']); + $credential_tag_name = nullable_htmlentities($row['tag_name']); + $credential_tag_color = nullable_htmlentities($row['tag_color']); + if (empty($credential_tag_color)) { + $credential_tag_color = "dark"; } + $credential_tag_icon = nullable_htmlentities($row['tag_icon']); + if (empty($credential_tag_icon)) { + $credential_tag_icon = "tag"; + } + + $credential_tag_id_array[] = $credential_tag_id; + $credential_tag_name_display_array[] = "$credential_tag_name"; + } + $credential_tags_display = implode('', $credential_tag_name_display_array); + ?> - - - - - - + + + + + - + + +
NameDescriptionUsernamePasswordOTPURIAction
-
- -
- 		- - - (Primary)"; } ?> + + + + +
+ data-modal-url="modals/credential/credential_edit.php?id="> Edit - + )"> + Share + +
+ + Unlink + +
- + Delete - +
- - -
+ +
-
-
"> -
-

Credentials

-
-
-
- - - - - - - - - - - - - - "> +
+

Licenses

+
+ +
+
+
+
+
NameDescriptionUsernamePasswordOTPURIAction
+ + + + + + + + + + + "; - } - $credential_username = nullable_htmlentities(decryptCredentialEntry($row['credential_username'])); - if (empty($credential_username)) { - $credential_username_display = "-"; - } else { - $credential_username_display = "$credential_username"; - } - $credential_password = nullable_htmlentities(decryptCredentialEntry($row['credential_password'])); - $credential_otp_secret = nullable_htmlentities($row['credential_otp_secret']); - $credential_id_with_secret = '"' . $row['credential_id'] . '","' . $row['credential_otp_secret'] . '"'; - if (empty($credential_otp_secret)) { - $otp_display = "-"; - } else { - $otp_display = " Hover.."; - } - $credential_note = nullable_htmlentities($row['credential_note']); - $credential_important = intval($row['credential_important']); - $credential_contact_id = intval($row['credential_contact_id']); - $credential_asset_id = intval($row['credential_asset_id']); + while ($row = mysqli_fetch_array($sql_related_software)) { + $software_id = intval($row['software_id']); + $software_name = nullable_htmlentities($row['software_name']); + $software_version = nullable_htmlentities($row['software_version']); + $software_type = nullable_htmlentities($row['software_type']); + $software_license_type = nullable_htmlentities($row['software_license_type']); + $software_key = nullable_htmlentities($row['software_key']); + $software_seats = nullable_htmlentities($row['software_seats']); + $software_purchase = nullable_htmlentities($row['software_purchase']); + $software_expire = nullable_htmlentities($row['software_expire']); + $software_notes = nullable_htmlentities($row['software_notes']); - // Tags - $credential_tag_name_display_array = array(); - $credential_tag_id_array = array(); - $sql_credential_tags = mysqli_query($mysqli, "SELECT * FROM credential_tags LEFT JOIN tags ON credential_tags.tag_id = tags.tag_id WHERE credential_id = $credential_id ORDER BY tag_name ASC"); - while ($row = mysqli_fetch_array($sql_credential_tags)) { + $seat_count = 0; - $credential_tag_id = intval($row['tag_id']); - $credential_tag_name = nullable_htmlentities($row['tag_name']); - $credential_tag_color = nullable_htmlentities($row['tag_color']); - if (empty($credential_tag_color)) { - $credential_tag_color = "dark"; - } - $credential_tag_icon = nullable_htmlentities($row['tag_icon']); - if (empty($credential_tag_icon)) { - $credential_tag_icon = "tag"; + // Asset Licenses + $asset_licenses_sql = mysqli_query($mysqli, "SELECT asset_id FROM software_assets WHERE software_id = $software_id"); + $asset_licenses_array = array(); + while ($row = mysqli_fetch_array($asset_licenses_sql)) { + $asset_licenses_array[] = intval($row['asset_id']); + $seat_count = $seat_count + 1; } + $asset_licenses = implode(',', $asset_licenses_array); + + // Contact Licenses + $contact_licenses_sql = mysqli_query($mysqli, "SELECT contact_id FROM software_contacts WHERE software_id = $software_id"); + $contact_licenses_array = array(); + while ($row = mysqli_fetch_array($contact_licenses_sql)) { + $contact_licenses_array[] = intval($row['contact_id']); + $seat_count = $seat_count + 1; + } + $contact_licenses = implode(',', $contact_licenses_array); + + $linked_software[] = $software_id; + + ?> + + + + + + + + + $credential_tag_name"; } - $credential_tags_display = implode('', $credential_tag_name_display_array); ?> + + +
SoftwareTypeLicense TypeSeatsAction
+ + $software_version"; ?> + + + +
+
+
+
+ +
"> +
+

Documents

+
+ +
+
+
+
+ + - - - - - - - + + + + + + + + + + + + + + + + + + + + +
- - - - - - - -
- -
- - Edit - - )"> - Share - -
- - Unlink - - +
Document TitleByCreatedUpdatedAction
+
+
+ 		+ + + + +
+
+
+
+ +
"> +
+

Files

+
+
+ + + + + + + +
+ +
+
+
+
+ + + + + + + + + + + + + + + + + + + +
NameUploadedAction
" target="_blank" >$file_description"; ?> + +
+
+
+
+ +
"> +
+

Recurring Tickets

+
+
+
+ + + + + + + + + + + + + + + + + + + + + + - + + - - } - - ?> - - -
SubjectPriorityFrequencyNext Run
+ + + + +
+ +
+ + Edit +
- + + Force Reoccur + + +
+ Delete +
- -
-
- -
-
- -
"> -
-

Licenses

-
- -
-
-
-
- - - - - - - - - - - - - - - - - - - - - - - -
SoftwareTypeLicense TypeSeatsAction
- - $software_version"; ?> - - - -
-
-
-
- -
"> -
-

Documents

-
- -
-
-
-
- - - - - - - - - - - - - - - - - - - - - - - - -
Document TitleByCreatedUpdatedAction
-
-
- 		- - - - -
-
-
-
- -
"> -
-

Files

-
-
- - - - - - - + +
-
-
-
- - - - - - - - - - +
"> +
+

Tickets

+
+
+
+
NameUploadedAction
+ - - - + + + + + + + - + + - - -
" target="_blank" >$file_description"; ?> - - NumberSubjectPriorityStatusAssignedLast ResponseCreated
-
-
-
- -
"> -
-

Recurring Tickets

-
-
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - -
SubjectPriorityFrequencyNext Run
- - - - -
- -
- - Edit - -
- - Force Reoccur - - -
- - Delete - -
- -
-
-
-
-
- -
"> -
-

Tickets

-
-
-
- - - - - - - - - - - - - - Never

"; + while ($row = mysqli_fetch_array($sql_related_tickets)) { + $ticket_id = intval($row['ticket_id']); + $ticket_prefix = nullable_htmlentities($row['ticket_prefix']); + $ticket_number = intval($row['ticket_number']); + $ticket_subject = nullable_htmlentities($row['ticket_subject']); + $ticket_priority = nullable_htmlentities($row['ticket_priority']); + $ticket_status_id = intval($row['ticket_status_id']); + $ticket_status_name = nullable_htmlentities($row['ticket_status_name']); + $ticket_status_color = nullable_htmlentities($row['ticket_status_color']); + $ticket_created_at = nullable_htmlentities($row['ticket_created_at']); + $ticket_updated_at = nullable_htmlentities($row['ticket_updated_at']); + if (empty($ticket_updated_at)) { + if ($ticket_status_name == "Closed") { + $ticket_updated_at_display = "

Never

"; + } else { + $ticket_updated_at_display = "

Never

"; + } } else { - $ticket_updated_at_display = "

Never

"; + $ticket_updated_at_display = $ticket_updated_at; } - } else { - $ticket_updated_at_display = $ticket_updated_at; - } - $ticket_closed_at = nullable_htmlentities($row['ticket_closed_at']); + $ticket_closed_at = nullable_htmlentities($row['ticket_closed_at']); - if ($ticket_priority == "High") { - $ticket_priority_display = "$ticket_priority"; - } elseif ($ticket_priority == "Medium") { - $ticket_priority_display = "$ticket_priority"; - } elseif ($ticket_priority == "Low") { - $ticket_priority_display = "$ticket_priority"; - } else { - $ticket_priority_display = "-"; - } - $ticket_assigned_to = intval($row['ticket_assigned_to']); - if (empty($ticket_assigned_to)) { - if ($ticket_status_id == 5) { - $ticket_assigned_to_display = "

Not Assigned

"; + if ($ticket_priority == "High") { + $ticket_priority_display = "$ticket_priority"; + } elseif ($ticket_priority == "Medium") { + $ticket_priority_display = "$ticket_priority"; + } elseif ($ticket_priority == "Low") { + $ticket_priority_display = "$ticket_priority"; } else { - $ticket_assigned_to_display = "

Not Assigned

"; + $ticket_priority_display = "-"; } - } else { - $ticket_assigned_to_display = nullable_htmlentities($row['user_name']); + $ticket_assigned_to = intval($row['ticket_assigned_to']); + if (empty($ticket_assigned_to)) { + if ($ticket_status_id == 5) { + $ticket_assigned_to_display = "

Not Assigned

"; + } else { + $ticket_assigned_to_display = "

Not Assigned

"; + } + } else { + $ticket_assigned_to_display = nullable_htmlentities($row['user_name']); + } + + ?> + + + + + + + + + + + + - - - - - - - - - + +
NumberSubjectPriorityStatusAssignedLast ResponseCreated
+ +
- -
+
+
+
+
"> +
+

Linked Services

+
+ +
+
+
+
+ + + + + + + + + + + $linked_services[] = $service_id; - -
ServiceCategoryImportanceAction
-
-
-
+ ?> -
"> -
-

Linked Services

-
- -
-
-
-
- - - - - - - - - - - + + + + + - while ($row = mysqli_fetch_array($sql_linked_services)) { - $service_id = intval($row['service_id']); - $service_name = nullable_htmlentities($row['service_name']); - $service_description = nullable_htmlentities($row['service_description']); - $service_category = nullable_htmlentities($row['service_category']); - $service_importance = nullable_htmlentities($row['service_importance']); + - - - - - - - - - - -
ServiceCategoryImportanceAction
+
+
+ 		+ +
-
-
- 		- -
+ + +
+
-
+ + + + + + + + + + + - - - - - - - - - - - - Date: Sun, 2 Nov 2025 17:14:01 +0000 Subject: [PATCH 064/112] Better error handling for undefined/non-existent asset IDs --- agent/asset_details.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/agent/asset_details.php b/agent/asset_details.php index 2025ec7f..d241f091 100644 --- a/agent/asset_details.php +++ b/agent/asset_details.php @@ -25,7 +25,7 @@ if (isset($_GET['asset_id'])) { "); if (mysqli_num_rows($sql) == 0) { - echo "

Nothing to see here

Go Back
"; + echo "

Nothing to see here

Go Back
"; } else { From 3917e66fd858478d3fba158898f286fb204f2bcb Mon Sep 17 00:00:00 2001 From: wrongecho Date: Sun, 2 Nov 2025 17:17:37 +0000 Subject: [PATCH 065/112] Better error handling for undefined/non-existent asset IDs --- agent/asset_details.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/agent/asset_details.php b/agent/asset_details.php index d241f091..2ade057b 100644 --- a/agent/asset_details.php +++ b/agent/asset_details.php @@ -25,7 +25,7 @@ if (isset($_GET['asset_id'])) { "); if (mysqli_num_rows($sql) == 0) { - echo "

Nothing to see here

Go Back
"; + echo "

Nothing to see here

Go Back
"; } else { From 519975f3cf97dc9dca4c372dc8a32417a0877c31 Mon Sep 17 00:00:00 2001 From: johnnyq Date: Sun, 2 Nov 2025 12:49:24 -0500 Subject: [PATCH 066/112] Fix Include footer link in project details when no record exists --- agent/project_details.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/agent/project_details.php b/agent/project_details.php index 0b96afdf..aae859fa 100644 --- a/agent/project_details.php +++ b/agent/project_details.php @@ -41,7 +41,7 @@ if (isset($_GET['project_id'])) { if (mysqli_num_rows($sql_project) == 0) { echo "

Nothing to see here

Go Back
"; - include_once "footer.php"; + include_once "../includes/footer.php"; exit; } From a85f898ef53fa29a8e26524335ffe467d2f95cb4 Mon Sep 17 00:00:00 2001 From: johnnyq Date: Sun, 2 Nov 2025 13:13:51 -0500 Subject: [PATCH 067/112] Fix No records exist if client_id in the uri is non existent --- agent/includes/inc_all_client.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/agent/includes/inc_all_client.php b/agent/includes/inc_all_client.php index f2324474..55e6e3c2 100644 --- a/agent/includes/inc_all_client.php +++ b/agent/includes/inc_all_client.php @@ -37,7 +37,8 @@ if (isset($_GET['client_id'])) { if (mysqli_num_rows($sql) == 0) { require_once $_SERVER['DOCUMENT_ROOT'] . '/includes/header.php'; - echo "

Nothing to see here

"; + echo "

Nothing to see here

Go Back
"; + exit; } else { $row = mysqli_fetch_array($sql); From 7ea39eb545a025fe9e51693917d48580d7df30ad Mon Sep 17 00:00:00 2001 From: johnnyq Date: Sun, 2 Nov 2025 13:32:44 -0500 Subject: [PATCH 068/112] Fix non existent record in contact details, document details, document template, ticket template also add limit 1 --- admin/document_template_details.php | 8 +++++++- admin/project_template_details.php | 4 ++-- admin/ticket_template_details.php | 10 ++++++++-- agent/contact_details.php | 7 +++++++ agent/document_details.php | 9 ++++++++- 5 files changed, 32 insertions(+), 6 deletions(-) diff --git a/admin/document_template_details.php b/admin/document_template_details.php index 1b8ffe7d..47cc9876 100644 --- a/admin/document_template_details.php +++ b/admin/document_template_details.php @@ -15,7 +15,13 @@ if (isset($_GET['document_template_id'])) { $document_template_id = intval($_GET['document_template_id']); } -$sql_document = mysqli_query($mysqli, "SELECT * FROM document_templates WHERE document_template_id = $document_template_id"); +$sql_document = mysqli_query($mysqli, "SELECT * FROM document_templates WHERE document_template_id = $document_template_id LIMIT 1"); + +if (mysqli_num_rows($sql_document) == 0) { + echo "

Nothing to see here

Go Back
"; + require_once "../includes/footer.php"; + exit(); +} $row = mysqli_fetch_array($sql_document); diff --git a/admin/project_template_details.php b/admin/project_template_details.php index 857f1a7b..e8b6a2c6 100644 --- a/admin/project_template_details.php +++ b/admin/project_template_details.php @@ -13,9 +13,9 @@ if (isset($_GET['project_template_id'])) { ); if (mysqli_num_rows($sql_project_templates) == 0) { - echo "

Nothing to see here

Go Back
"; + echo "

Nothing to see here

Go Back
"; - include_once "footer.php"; + require_once "../includes/footer.php"; exit; } diff --git a/admin/ticket_template_details.php b/admin/ticket_template_details.php index 75a7995a..a978fce5 100644 --- a/admin/ticket_template_details.php +++ b/admin/ticket_template_details.php @@ -15,9 +15,15 @@ if (isset($_GET['ticket_template_id'])) { $ticket_template_id = intval($_GET['ticket_template_id']); } -$sql_ticket_templates = mysqli_query($mysqli, "SELECT * FROM ticket_templates WHERE ticket_template_id = $ticket_template_id"); +$sql_ticket_template = mysqli_query($mysqli, "SELECT * FROM ticket_templates WHERE ticket_template_id = $ticket_template_id LIMIT 1"); -$row = mysqli_fetch_array($sql_ticket_templates); +if (mysqli_num_rows($sql_ticket_template) == 0) { + echo "

Nothing to see here

Go Back
"; + require_once "../includes/footer.php"; + exit(); +} + +$row = mysqli_fetch_array($sql_ticket_template); $ticket_template_name = nullable_htmlentities($row['ticket_template_name']); $ticket_template_description = nullable_htmlentities($row['ticket_template_description']); diff --git a/agent/contact_details.php b/agent/contact_details.php index 707e2052..a3420b8c 100644 --- a/agent/contact_details.php +++ b/agent/contact_details.php @@ -20,8 +20,15 @@ if (isset($_GET['contact_id'])) { LEFT JOIN users ON user_id = contact_user_id WHERE contact_id = $contact_id $client_query + LIMIT 1 "); + if (mysqli_num_rows($sql) == 0) { + echo "

Nothing to see here

Go Back
"; + require_once "../includes/footer.php"; + exit(); + } + $row = mysqli_fetch_array($sql); $client_id = intval($row['client_id']); $client_name = nullable_htmlentities($row['client_name']); diff --git a/agent/document_details.php b/agent/document_details.php index ad86884d..db6d150e 100644 --- a/agent/document_details.php +++ b/agent/document_details.php @@ -20,9 +20,16 @@ $folder_location = 0; $sql_document = mysqli_query($mysqli, "SELECT * FROM documents LEFT JOIN folders ON document_folder_id = folder_id LEFT JOIN users ON document_created_by = user_id - WHERE document_client_id = $client_id AND document_id = $document_id" + WHERE document_client_id = $client_id AND document_id = $document_id + LIMIT 1" ); +if (mysqli_num_rows($sql_document) == 0) { + echo "

Nothing to see here

Go Back
"; + require_once "../includes/footer.php"; + exit(); +} + $row = mysqli_fetch_array($sql_document); $folder_name = nullable_htmlentities($row['folder_name']); From f733a27ad7f34c20c7b793280a19e61772eb5a87 Mon Sep 17 00:00:00 2001 From: johnnyq Date: Sun, 2 Nov 2025 16:44:59 -0500 Subject: [PATCH 069/112] Bump DataTable from 2.3.3 to 2.3.4, TinyMCE 8.0.2 to 8.2.0, Stripe-PHP 17.6.0 to 18.1.0, PHPMailer from 6.10.0 to 7.0.0, chartjs from 4.5.0 to 4.5.1 --- plugins/DataTables/datatables.min.css | 4 +- plugins/DataTables/datatables.min.js | 8 +- plugins/PHPMailer/README.md | 2 +- plugins/PHPMailer/VERSION | 2 +- plugins/PHPMailer/composer.json | 6 +- .../PHPMailer/language/phpmailer.lang-es.php | 6 +- plugins/PHPMailer/src/PHPMailer.php | 374 +++++--- plugins/PHPMailer/src/POP3.php | 2 +- plugins/PHPMailer/src/SMTP.php | 53 +- plugins/chart.js/chart.umd.min.js | 4 +- plugins/stripe-php/API_VERSION | 2 +- plugins/stripe-php/CHANGELOG.md | 112 +++ plugins/stripe-php/OPENAPI_VERSION | 2 +- plugins/stripe-php/README.md | 5 + plugins/stripe-php/VERSION | 2 +- plugins/stripe-php/init.php | 22 +- plugins/stripe-php/lib/Account.php | 8 +- plugins/stripe-php/lib/AccountSession.php | 4 +- plugins/stripe-php/lib/BalanceSettings.php | 61 ++ plugins/stripe-php/lib/BaseStripeClient.php | 59 +- .../lib/BaseStripeClientInterface.php | 21 + .../stripe-php/lib/Billing/CreditGrant.php | 2 +- .../lib/BillingPortal/Configuration.php | 8 +- plugins/stripe-php/lib/Card.php | 2 +- plugins/stripe-php/lib/Charge.php | 5 +- plugins/stripe-php/lib/Checkout/Session.php | 11 +- plugins/stripe-php/lib/ConfirmationToken.php | 2 +- plugins/stripe-php/lib/CreditNote.php | 4 +- plugins/stripe-php/lib/Customer.php | 8 +- plugins/stripe-php/lib/CustomerSession.php | 4 +- plugins/stripe-php/lib/Discount.php | 2 +- plugins/stripe-php/lib/Dispute.php | 3 +- plugins/stripe-php/lib/ErrorObject.php | 3 + plugins/stripe-php/lib/Event.php | 4 + .../lib/Events/UnknownEventNotification.php | 25 + ...1BillingMeterErrorReportTriggeredEvent.php | 13 +- ...rErrorReportTriggeredEventNotification.php | 38 + .../V1BillingMeterNoMeterFoundEvent.php | 2 +- ...lingMeterNoMeterFoundEventNotification.php | 22 + .../V2CoreEventDestinationPingEvent.php | 15 +- ...eEventDestinationPingEventNotification.php | 38 + plugins/stripe-php/lib/ExchangeRate.php | 16 + plugins/stripe-php/lib/File.php | 1 + plugins/stripe-php/lib/Invoice.php | 2 +- plugins/stripe-php/lib/InvoiceItem.php | 2 + plugins/stripe-php/lib/InvoiceLineItem.php | 2 +- plugins/stripe-php/lib/InvoicePayment.php | 4 +- plugins/stripe-php/lib/Issuing/Card.php | 1 + .../stripe-php/lib/PaymentAttemptRecord.php | 80 ++ plugins/stripe-php/lib/PaymentIntent.php | 26 +- .../PaymentIntentAmountDetailsLineItem.php | 22 + plugins/stripe-php/lib/PaymentLink.php | 5 +- plugins/stripe-php/lib/PaymentMethod.php | 8 +- .../lib/PaymentMethodConfiguration.php | 6 +- plugins/stripe-php/lib/PaymentRecord.php | 179 ++++ plugins/stripe-php/lib/PromotionCode.php | 12 +- plugins/stripe-php/lib/Quote.php | 4 +- plugins/stripe-php/lib/Reason.php | 35 +- plugins/stripe-php/lib/Refund.php | 2 +- plugins/stripe-php/lib/RelatedObject.php | 11 +- plugins/stripe-php/lib/Review.php | 2 + .../stripe-php/lib/Service/AccountService.php | 4 +- .../lib/Service/AccountSessionService.php | 2 +- .../lib/Service/BalanceSettingsService.php | 45 + .../Service/Billing/CreditGrantService.php | 2 +- .../BillingPortal/ConfigurationService.php | 4 +- .../lib/Service/Checkout/SessionService.php | 2 +- .../lib/Service/CoreServiceFactory.php | 6 + .../lib/Service/CreditNoteService.php | 6 +- .../lib/Service/CustomerService.php | 4 +- .../lib/Service/CustomerSessionService.php | 2 +- .../lib/Service/ExchangeRateService.php | 14 + .../FinancialConnections/AccountService.php | 3 +- .../lib/Service/InvoicePaymentService.php | 2 +- .../stripe-php/lib/Service/InvoiceService.php | 10 +- .../Service/PaymentAttemptRecordService.php | 44 + .../lib/Service/PaymentIntentService.php | 26 +- .../lib/Service/PaymentLinkService.php | 4 +- .../PaymentMethodConfigurationService.php | 4 +- .../lib/Service/PaymentMethodService.php | 4 +- .../lib/Service/PaymentRecordService.php | 148 ++++ .../stripe-php/lib/Service/PayoutService.php | 4 +- .../lib/Service/PromotionCodeService.php | 6 +- .../stripe-php/lib/Service/QuoteService.php | 2 +- .../lib/Service/SetupIntentService.php | 6 +- .../Service/SubscriptionScheduleService.php | 4 +- .../lib/Service/SubscriptionService.php | 4 +- .../lib/Service/Tax/RegistrationService.php | 2 +- .../Service/Terminal/ConfigurationService.php | 4 +- .../lib/Service/Terminal/LocationService.php | 4 +- .../lib/Service/Terminal/ReaderService.php | 31 +- .../TestHelpers/ConfirmationTokenService.php | 2 +- .../Issuing/AuthorizationService.php | 2 +- .../stripe-php/lib/Service/TokenService.php | 2 +- .../V2/Core/EventDestinationService.php | 16 +- .../lib/Service/V2/Core/EventService.php | 6 +- plugins/stripe-php/lib/SetupIntent.php | 5 +- plugins/stripe-php/lib/Stripe.php | 2 +- plugins/stripe-php/lib/StripeClient.php | 3 + plugins/stripe-php/lib/StripeContext.php | 97 +++ plugins/stripe-php/lib/Subscription.php | 4 +- .../stripe-php/lib/SubscriptionSchedule.php | 6 +- plugins/stripe-php/lib/Tax/Registration.php | 4 +- plugins/stripe-php/lib/Tax/Settings.php | 2 +- .../stripe-php/lib/Terminal/Configuration.php | 7 +- plugins/stripe-php/lib/Terminal/Location.php | 9 +- plugins/stripe-php/lib/Terminal/Reader.php | 1 + plugins/stripe-php/lib/ThinEvent.php | 27 - plugins/stripe-php/lib/Token.php | 2 +- plugins/stripe-php/lib/Util/ApiVersion.php | 4 +- .../lib/Util/EventNotificationTypes.php | 14 + plugins/stripe-php/lib/Util/EventTypes.php | 2 +- plugins/stripe-php/lib/Util/ObjectTypes.php | 8 +- .../stripe-php/lib/Util/RequestOptions.php | 13 +- plugins/stripe-php/lib/Util/Util.php | 70 +- .../stripe-php/lib/V2/{ => Core}/Event.php | 4 +- .../lib/V2/{ => Core}/EventDestination.php | 6 +- .../lib/V2/Core/EventNotification.php | 131 +++ plugins/stripe-php/lib/V2/DeletedObject.php | 14 + plugins/tinymce/icons/default/icons.min.js | 2 +- plugins/tinymce/models/dom/model.min.js | 2 +- .../tinymce/plugins/accordion/plugin.min.js | 2 +- plugins/tinymce/plugins/advlist/plugin.min.js | 2 +- .../tinymce/plugins/autolink/plugin.min.js | 2 +- .../tinymce/plugins/autoresize/plugin.min.js | 2 +- .../tinymce/plugins/autosave/plugin.min.js | 2 +- plugins/tinymce/plugins/charmap/plugin.min.js | 2 +- .../tinymce/plugins/codesample/plugin.min.js | 4 +- .../plugins/directionality/plugin.min.js | 2 +- .../tinymce/plugins/emoticons/plugin.min.js | 2 +- .../tinymce/plugins/fullscreen/plugin.min.js | 2 +- plugins/tinymce/plugins/help/plugin.min.js | 2 +- plugins/tinymce/plugins/image/plugin.min.js | 2 +- .../tinymce/plugins/importcss/plugin.min.js | 2 +- .../plugins/insertdatetime/plugin.min.js | 2 +- plugins/tinymce/plugins/link/plugin.min.js | 2 +- plugins/tinymce/plugins/lists/plugin.min.js | 2 +- plugins/tinymce/plugins/media/plugin.min.js | 2 +- plugins/tinymce/plugins/preview/plugin.min.js | 2 +- .../tinymce/plugins/quickbars/plugin.min.js | 2 +- .../plugins/searchreplace/plugin.min.js | 2 +- plugins/tinymce/plugins/table/plugin.min.js | 2 +- .../tinymce/plugins/visualchars/plugin.min.js | 2 +- .../skins/ui/oxide-dark/content.inline.js | 2 +- .../ui/oxide-dark/content.inline.min.css | 2 +- .../tinymce/skins/ui/oxide-dark/content.js | 2 +- .../skins/ui/oxide-dark/content.min.css | 2 +- plugins/tinymce/skins/ui/oxide-dark/skin.js | 2 +- .../tinymce/skins/ui/oxide-dark/skin.min.css | 2 +- .../tinymce/skins/ui/oxide/content.inline.js | 2 +- .../skins/ui/oxide/content.inline.min.css | 2 +- plugins/tinymce/skins/ui/oxide/content.js | 2 +- .../tinymce/skins/ui/oxide/content.min.css | 2 +- plugins/tinymce/skins/ui/oxide/skin.js | 2 +- plugins/tinymce/skins/ui/oxide/skin.min.css | 2 +- .../skins/ui/tinymce-5-dark/content.inline.js | 2 +- .../ui/tinymce-5-dark/content.inline.min.css | 2 +- .../skins/ui/tinymce-5-dark/content.js | 2 +- .../skins/ui/tinymce-5-dark/content.min.css | 2 +- .../tinymce/skins/ui/tinymce-5-dark/skin.js | 2 +- .../skins/ui/tinymce-5-dark/skin.min.css | 2 +- .../skins/ui/tinymce-5/content.inline.js | 2 +- .../skins/ui/tinymce-5/content.inline.min.css | 2 +- plugins/tinymce/skins/ui/tinymce-5/content.js | 2 +- .../skins/ui/tinymce-5/content.min.css | 2 +- plugins/tinymce/skins/ui/tinymce-5/skin.js | 2 +- .../tinymce/skins/ui/tinymce-5/skin.min.css | 2 +- plugins/tinymce/themes/silver/theme.min.js | 2 +- plugins/tinymce/tinymce.d.ts | 805 +++++++++--------- plugins/tinymce/tinymce.min.js | 4 +- 170 files changed, 2280 insertions(+), 885 deletions(-) create mode 100644 plugins/stripe-php/lib/BalanceSettings.php create mode 100644 plugins/stripe-php/lib/Events/UnknownEventNotification.php create mode 100644 plugins/stripe-php/lib/Events/V1BillingMeterErrorReportTriggeredEventNotification.php create mode 100644 plugins/stripe-php/lib/Events/V1BillingMeterNoMeterFoundEventNotification.php create mode 100644 plugins/stripe-php/lib/Events/V2CoreEventDestinationPingEventNotification.php create mode 100644 plugins/stripe-php/lib/PaymentAttemptRecord.php create mode 100644 plugins/stripe-php/lib/PaymentIntentAmountDetailsLineItem.php create mode 100644 plugins/stripe-php/lib/PaymentRecord.php create mode 100644 plugins/stripe-php/lib/Service/BalanceSettingsService.php create mode 100644 plugins/stripe-php/lib/Service/PaymentAttemptRecordService.php create mode 100644 plugins/stripe-php/lib/Service/PaymentRecordService.php create mode 100644 plugins/stripe-php/lib/StripeContext.php delete mode 100644 plugins/stripe-php/lib/ThinEvent.php create mode 100644 plugins/stripe-php/lib/Util/EventNotificationTypes.php rename plugins/stripe-php/lib/V2/{ => Core}/Event.php (90%) rename plugins/stripe-php/lib/V2/{ => Core}/EventDestination.php (86%) create mode 100644 plugins/stripe-php/lib/V2/Core/EventNotification.php create mode 100644 plugins/stripe-php/lib/V2/DeletedObject.php diff --git a/plugins/DataTables/datatables.min.css b/plugins/DataTables/datatables.min.css index 96561ad7..ee624ea7 100644 --- a/plugins/DataTables/datatables.min.css +++ b/plugins/DataTables/datatables.min.css @@ -4,10 +4,10 @@ * * To rebuild or modify this file with the latest versions of the included * software please visit: - * https://datatables.net/download/#bs4/dt-2.3.3 + * https://datatables.net/download/#bs4/dt-2.3.4 * * Included libraries: - * DataTables 2.3.3 + * DataTables 2.3.4 */ :root{--dt-row-selected: 2, 117, 216;--dt-row-selected-text: 255, 255, 255;--dt-row-selected-link: 228, 228, 228;--dt-row-stripe: 0, 0, 0;--dt-row-hover: 0, 0, 0;--dt-column-ordering: 0, 0, 0;--dt-header-align-items: center;--dt-header-vertical-align: middle;--dt-html-background: white}:root.dark{--dt-html-background: rgb(33, 37, 41)}table.dataTable tbody td.dt-control{text-align:center;cursor:pointer}table.dataTable tbody td.dt-control:before{display:inline-block;box-sizing:border-box;content:"";border-top:5px solid transparent;border-left:10px solid rgba(0, 0, 0, 0.5);border-bottom:5px solid transparent;border-right:0px solid transparent}table.dataTable tbody tr.dt-hasChild td.dt-control:before{border-top:10px solid rgba(0, 0, 0, 0.5);border-left:5px solid transparent;border-bottom:0px solid transparent;border-right:5px solid transparent}table.dataTable tfoot:empty{display:none}html.dark table.dataTable td.dt-control:before,:root[data-bs-theme=dark] table.dataTable td.dt-control:before,:root[data-theme=dark] table.dataTable td.dt-control:before{border-left-color:rgba(255, 255, 255, 0.5)}html.dark table.dataTable tr.dt-hasChild td.dt-control:before,:root[data-bs-theme=dark] table.dataTable tr.dt-hasChild td.dt-control:before,:root[data-theme=dark] table.dataTable tr.dt-hasChild td.dt-control:before{border-top-color:rgba(255, 255, 255, 0.5);border-left-color:transparent}div.dt-scroll{width:100%}div.dt-scroll-body thead tr,div.dt-scroll-body tfoot tr{height:0}div.dt-scroll-body thead tr th,div.dt-scroll-body thead tr td,div.dt-scroll-body tfoot tr th,div.dt-scroll-body tfoot tr td{height:0 !important;padding-top:0px !important;padding-bottom:0px !important;border-top-width:0px !important;border-bottom-width:0px !important}div.dt-scroll-body thead tr th div.dt-scroll-sizing,div.dt-scroll-body thead tr td div.dt-scroll-sizing,div.dt-scroll-body tfoot tr th div.dt-scroll-sizing,div.dt-scroll-body tfoot tr td div.dt-scroll-sizing{height:0 !important;overflow:hidden !important}table.dataTable thead>tr>th:active,table.dataTable thead>tr>td:active{outline:none}table.dataTable thead>tr>th.dt-orderable-asc span.dt-column-order:before,table.dataTable thead>tr>th.dt-ordering-asc span.dt-column-order:before,table.dataTable thead>tr>td.dt-orderable-asc span.dt-column-order:before,table.dataTable thead>tr>td.dt-ordering-asc span.dt-column-order:before{position:absolute;display:block;bottom:50%;content:"▲";content:"▲"/""}table.dataTable thead>tr>th.dt-orderable-desc span.dt-column-order:after,table.dataTable thead>tr>th.dt-ordering-desc span.dt-column-order:after,table.dataTable thead>tr>td.dt-orderable-desc span.dt-column-order:after,table.dataTable thead>tr>td.dt-ordering-desc span.dt-column-order:after{position:absolute;display:block;top:50%;content:"▼";content:"▼"/""}table.dataTable thead>tr>th.dt-orderable-asc span.dt-column-order,table.dataTable thead>tr>th.dt-orderable-desc span.dt-column-order,table.dataTable thead>tr>th.dt-ordering-asc span.dt-column-order,table.dataTable thead>tr>th.dt-ordering-desc span.dt-column-order,table.dataTable thead>tr>td.dt-orderable-asc span.dt-column-order,table.dataTable thead>tr>td.dt-orderable-desc span.dt-column-order,table.dataTable thead>tr>td.dt-ordering-asc span.dt-column-order,table.dataTable thead>tr>td.dt-ordering-desc span.dt-column-order{position:relative;width:12px;height:20px}table.dataTable thead>tr>th.dt-orderable-asc span.dt-column-order:before,table.dataTable thead>tr>th.dt-orderable-asc span.dt-column-order:after,table.dataTable thead>tr>th.dt-orderable-desc span.dt-column-order:before,table.dataTable thead>tr>th.dt-orderable-desc span.dt-column-order:after,table.dataTable thead>tr>th.dt-ordering-asc span.dt-column-order:before,table.dataTable thead>tr>th.dt-ordering-asc span.dt-column-order:after,table.dataTable thead>tr>th.dt-ordering-desc span.dt-column-order:before,table.dataTable thead>tr>th.dt-ordering-desc span.dt-column-order:after,table.dataTable thead>tr>td.dt-orderable-asc span.dt-column-order:before,table.dataTable thead>tr>td.dt-orderable-asc span.dt-column-order:after,table.dataTable thead>tr>td.dt-orderable-desc span.dt-column-order:before,table.dataTable thead>tr>td.dt-orderable-desc span.dt-column-order:after,table.dataTable thead>tr>td.dt-ordering-asc span.dt-column-order:before,table.dataTable thead>tr>td.dt-ordering-asc span.dt-column-order:after,table.dataTable thead>tr>td.dt-ordering-desc span.dt-column-order:before,table.dataTable thead>tr>td.dt-ordering-desc span.dt-column-order:after{left:0;opacity:.125;line-height:9px;font-size:.8em}table.dataTable thead>tr>th.dt-orderable-asc,table.dataTable thead>tr>th.dt-orderable-desc,table.dataTable thead>tr>td.dt-orderable-asc,table.dataTable thead>tr>td.dt-orderable-desc{cursor:pointer}table.dataTable thead>tr>th.dt-orderable-asc:hover,table.dataTable thead>tr>th.dt-orderable-desc:hover,table.dataTable thead>tr>td.dt-orderable-asc:hover,table.dataTable thead>tr>td.dt-orderable-desc:hover{outline:2px solid rgba(0, 0, 0, 0.05);outline-offset:-2px}table.dataTable thead>tr>th.dt-ordering-asc span.dt-column-order:before,table.dataTable thead>tr>th.dt-ordering-desc span.dt-column-order:after,table.dataTable thead>tr>td.dt-ordering-asc span.dt-column-order:before,table.dataTable thead>tr>td.dt-ordering-desc span.dt-column-order:after{opacity:.6}table.dataTable thead>tr>th.dt-orderable-none:not(.dt-ordering-asc,.dt-ordering-desc) span.dt-column-order:empty,table.dataTable thead>tr>th.sorting_desc_disabled span.dt-column-order:after,table.dataTable thead>tr>th.sorting_asc_disabled span.dt-column-order:before,table.dataTable thead>tr>td.dt-orderable-none:not(.dt-ordering-asc,.dt-ordering-desc) span.dt-column-order:empty,table.dataTable thead>tr>td.sorting_desc_disabled span.dt-column-order:after,table.dataTable thead>tr>td.sorting_asc_disabled span.dt-column-order:before{display:none}table.dataTable thead>tr>th:active,table.dataTable thead>tr>td:active{outline:none}table.dataTable thead>tr>th div.dt-column-header,table.dataTable thead>tr>th div.dt-column-footer,table.dataTable thead>tr>td div.dt-column-header,table.dataTable thead>tr>td div.dt-column-footer,table.dataTable tfoot>tr>th div.dt-column-header,table.dataTable tfoot>tr>th div.dt-column-footer,table.dataTable tfoot>tr>td div.dt-column-header,table.dataTable tfoot>tr>td div.dt-column-footer{display:flex;justify-content:space-between;align-items:var(--dt-header-align-items);gap:4px}table.dataTable thead>tr>th div.dt-column-header span.dt-column-title,table.dataTable thead>tr>th div.dt-column-footer span.dt-column-title,table.dataTable thead>tr>td div.dt-column-header span.dt-column-title,table.dataTable thead>tr>td div.dt-column-footer span.dt-column-title,table.dataTable tfoot>tr>th div.dt-column-header span.dt-column-title,table.dataTable tfoot>tr>th div.dt-column-footer span.dt-column-title,table.dataTable tfoot>tr>td div.dt-column-header span.dt-column-title,table.dataTable tfoot>tr>td div.dt-column-footer span.dt-column-title{flex-grow:1}table.dataTable thead>tr>th div.dt-column-header span.dt-column-title:empty,table.dataTable thead>tr>th div.dt-column-footer span.dt-column-title:empty,table.dataTable thead>tr>td div.dt-column-header span.dt-column-title:empty,table.dataTable thead>tr>td div.dt-column-footer span.dt-column-title:empty,table.dataTable tfoot>tr>th div.dt-column-header span.dt-column-title:empty,table.dataTable tfoot>tr>th div.dt-column-footer span.dt-column-title:empty,table.dataTable tfoot>tr>td div.dt-column-header span.dt-column-title:empty,table.dataTable tfoot>tr>td div.dt-column-footer span.dt-column-title:empty{display:none}div.dt-scroll-body>table.dataTable>thead>tr>th,div.dt-scroll-body>table.dataTable>thead>tr>td{overflow:hidden}:root.dark table.dataTable thead>tr>th.dt-orderable-asc:hover,:root.dark table.dataTable thead>tr>th.dt-orderable-desc:hover,:root.dark table.dataTable thead>tr>td.dt-orderable-asc:hover,:root.dark table.dataTable thead>tr>td.dt-orderable-desc:hover,:root[data-bs-theme=dark] table.dataTable thead>tr>th.dt-orderable-asc:hover,:root[data-bs-theme=dark] table.dataTable thead>tr>th.dt-orderable-desc:hover,:root[data-bs-theme=dark] table.dataTable thead>tr>td.dt-orderable-asc:hover,:root[data-bs-theme=dark] table.dataTable thead>tr>td.dt-orderable-desc:hover{outline:2px solid rgba(255, 255, 255, 0.05)}div.dt-processing{position:absolute;top:50%;left:50%;width:200px;margin-left:-100px;margin-top:-22px;text-align:center;padding:2px;z-index:10}div.dt-processing>div:last-child{position:relative;width:80px;height:15px;margin:1em auto}div.dt-processing>div:last-child>div{position:absolute;top:0;width:13px;height:13px;border-radius:50%;background:rgb(2, 117, 216);background:rgb(var(--dt-row-selected));animation-timing-function:cubic-bezier(0, 1, 1, 0)}div.dt-processing>div:last-child>div:nth-child(1){left:8px;animation:datatables-loader-1 .6s infinite}div.dt-processing>div:last-child>div:nth-child(2){left:8px;animation:datatables-loader-2 .6s infinite}div.dt-processing>div:last-child>div:nth-child(3){left:32px;animation:datatables-loader-2 .6s infinite}div.dt-processing>div:last-child>div:nth-child(4){left:56px;animation:datatables-loader-3 .6s infinite}@keyframes datatables-loader-1{0%{transform:scale(0)}100%{transform:scale(1)}}@keyframes datatables-loader-3{0%{transform:scale(1)}100%{transform:scale(0)}}@keyframes datatables-loader-2{0%{transform:translate(0, 0)}100%{transform:translate(24px, 0)}}table.dataTable.nowrap th,table.dataTable.nowrap td{white-space:nowrap}table.dataTable th,table.dataTable td{box-sizing:border-box}table.dataTable th.dt-type-numeric,table.dataTable th.dt-type-date,table.dataTable td.dt-type-numeric,table.dataTable td.dt-type-date{text-align:right}table.dataTable th.dt-type-numeric div.dt-column-header,table.dataTable th.dt-type-numeric div.dt-column-footer,table.dataTable th.dt-type-date div.dt-column-header,table.dataTable th.dt-type-date div.dt-column-footer,table.dataTable td.dt-type-numeric div.dt-column-header,table.dataTable td.dt-type-numeric div.dt-column-footer,table.dataTable td.dt-type-date div.dt-column-header,table.dataTable td.dt-type-date div.dt-column-footer{flex-direction:row-reverse}table.dataTable th.dt-left,table.dataTable td.dt-left{text-align:left}table.dataTable th.dt-left div.dt-column-header,table.dataTable th.dt-left div.dt-column-footer,table.dataTable td.dt-left div.dt-column-header,table.dataTable td.dt-left div.dt-column-footer{flex-direction:row}table.dataTable th.dt-center,table.dataTable td.dt-center{text-align:center}table.dataTable th.dt-right,table.dataTable td.dt-right{text-align:right}table.dataTable th.dt-right div.dt-column-header,table.dataTable th.dt-right div.dt-column-footer,table.dataTable td.dt-right div.dt-column-header,table.dataTable td.dt-right div.dt-column-footer{flex-direction:row-reverse}table.dataTable th.dt-justify,table.dataTable td.dt-justify{text-align:justify}table.dataTable th.dt-justify div.dt-column-header,table.dataTable th.dt-justify div.dt-column-footer,table.dataTable td.dt-justify div.dt-column-header,table.dataTable td.dt-justify div.dt-column-footer{flex-direction:row}table.dataTable th.dt-nowrap,table.dataTable td.dt-nowrap{white-space:nowrap}table.dataTable th.dt-empty,table.dataTable td.dt-empty{text-align:center;vertical-align:top}table.dataTable thead th,table.dataTable thead td,table.dataTable tfoot th,table.dataTable tfoot td{text-align:left;vertical-align:var(--dt-header-vertical-align)}table.dataTable thead th.dt-head-left,table.dataTable thead td.dt-head-left,table.dataTable tfoot th.dt-head-left,table.dataTable tfoot td.dt-head-left{text-align:left}table.dataTable thead th.dt-head-left div.dt-column-header,table.dataTable thead th.dt-head-left div.dt-column-footer,table.dataTable thead td.dt-head-left div.dt-column-header,table.dataTable thead td.dt-head-left div.dt-column-footer,table.dataTable tfoot th.dt-head-left div.dt-column-header,table.dataTable tfoot th.dt-head-left div.dt-column-footer,table.dataTable tfoot td.dt-head-left div.dt-column-header,table.dataTable tfoot td.dt-head-left div.dt-column-footer{flex-direction:row}table.dataTable thead th.dt-head-center,table.dataTable thead td.dt-head-center,table.dataTable tfoot th.dt-head-center,table.dataTable tfoot td.dt-head-center{text-align:center}table.dataTable thead th.dt-head-right,table.dataTable thead td.dt-head-right,table.dataTable tfoot th.dt-head-right,table.dataTable tfoot td.dt-head-right{text-align:right}table.dataTable thead th.dt-head-right div.dt-column-header,table.dataTable thead th.dt-head-right div.dt-column-footer,table.dataTable thead td.dt-head-right div.dt-column-header,table.dataTable thead td.dt-head-right div.dt-column-footer,table.dataTable tfoot th.dt-head-right div.dt-column-header,table.dataTable tfoot th.dt-head-right div.dt-column-footer,table.dataTable tfoot td.dt-head-right div.dt-column-header,table.dataTable tfoot td.dt-head-right div.dt-column-footer{flex-direction:row-reverse}table.dataTable thead th.dt-head-justify,table.dataTable thead td.dt-head-justify,table.dataTable tfoot th.dt-head-justify,table.dataTable tfoot td.dt-head-justify{text-align:justify}table.dataTable thead th.dt-head-justify div.dt-column-header,table.dataTable thead th.dt-head-justify div.dt-column-footer,table.dataTable thead td.dt-head-justify div.dt-column-header,table.dataTable thead td.dt-head-justify div.dt-column-footer,table.dataTable tfoot th.dt-head-justify div.dt-column-header,table.dataTable tfoot th.dt-head-justify div.dt-column-footer,table.dataTable tfoot td.dt-head-justify div.dt-column-header,table.dataTable tfoot td.dt-head-justify div.dt-column-footer{flex-direction:row}table.dataTable thead th.dt-head-nowrap,table.dataTable thead td.dt-head-nowrap,table.dataTable tfoot th.dt-head-nowrap,table.dataTable tfoot td.dt-head-nowrap{white-space:nowrap}table.dataTable tbody th.dt-body-left,table.dataTable tbody td.dt-body-left{text-align:left}table.dataTable tbody th.dt-body-center,table.dataTable tbody td.dt-body-center{text-align:center}table.dataTable tbody th.dt-body-right,table.dataTable tbody td.dt-body-right{text-align:right}table.dataTable tbody th.dt-body-justify,table.dataTable tbody td.dt-body-justify{text-align:justify}table.dataTable tbody th.dt-body-nowrap,table.dataTable tbody td.dt-body-nowrap{white-space:nowrap}table.dataTable.table{clear:both;max-width:none;border-spacing:0;margin-bottom:0}table.dataTable.table.table-striped>tbody>tr:nth-of-type(2n+1){background-color:transparent}table.dataTable.table>tbody>tr{background-color:transparent}table.dataTable.table>tbody>tr.selected>*{box-shadow:inset 0 0 0 9999px rgb(2, 117, 216);box-shadow:inset 0 0 0 9999px rgb(var(--dt-row-selected));color:rgb(255, 255, 255);color:rgb(var(--dt-row-selected-text))}table.dataTable.table>tbody>tr.selected a{color:rgb(228, 228, 228);color:rgb(var(--dt-row-selected-link))}table.dataTable.table.table-striped>tbody>tr:nth-of-type(2n+1)>*{box-shadow:inset 0 0 0 9999px rgba(var(--dt-row-stripe), 0.05)}table.dataTable.table.table-striped>tbody>tr:nth-of-type(2n+1).selected>*{box-shadow:inset 0 0 0 9999px rgba(2, 117, 216, 0.95);box-shadow:inset 0 0 0 9999px rgba(var(--dt-row-selected), 0.95)}table.dataTable.table.table-hover>tbody>tr:hover>*{box-shadow:inset 0 0 0 9999px rgba(var(--dt-row-hover), 0.075)}table.dataTable.table.table-hover>tbody>tr.selected:hover>*{box-shadow:inset 0 0 0 9999px rgba(2, 117, 216, 0.975);box-shadow:inset 0 0 0 9999px rgba(var(--dt-row-selected), 0.975)}div.dt-container div.dt-layout-start>*:not(:last-child){margin-right:1em}div.dt-container div.dt-layout-end>*:not(:first-child){margin-left:1em}div.dt-container div.dt-layout-full{width:100%}div.dt-container div.dt-layout-full>*:only-child{margin-left:auto;margin-right:auto}div.dt-container div.dt-layout-table>div{display:block !important}@media screen and (max-width: 767px){div.dt-container div.dt-layout-start>*:not(:last-child){margin-right:0}div.dt-container div.dt-layout-end>*:not(:first-child){margin-left:0}}div.dt-container{position:relative}div.dt-container>div.row{margin-bottom:.5rem}div.dt-container>div.row:last-child{margin-bottom:0}div.dt-container div.dt-length label{font-weight:normal;text-align:left;white-space:nowrap;margin-bottom:0}div.dt-container div.dt-length select{width:auto;display:inline-block;margin-right:.5em}div.dt-container div.dt-search label{font-weight:normal;white-space:nowrap;text-align:left;margin-bottom:0}div.dt-container div.dt-search input{margin-left:.5em;display:inline-block;width:auto}div.dt-container div.dt-info{white-space:nowrap}div.dt-container div.dt-paging{margin:0}div.dt-container div.dt-paging ul.pagination{margin:0;flex-wrap:wrap}div.dt-container div.dt-processing{position:absolute;top:50%;left:50%;width:200px;margin-left:-100px;margin-top:-26px;text-align:center;padding:1em 0}div.dt-container div.dt-scroll-body{border-bottom:1px solid #dee2e6}div.dt-container div.dt-scroll-body table,div.dt-container div.dt-scroll-body tbody>tr:last-child>*{border-bottom:none}div.dt-scroll-head table.dataTable{margin-bottom:0 !important}div.dt-scroll-body>table{border-top:none;margin-top:0 !important;margin-bottom:0 !important}div.dt-scroll-body>table thead .dt-orderable-asc:before,div.dt-scroll-body>table thead .dt-orderable-desc:after{display:none}div.dt-scroll-body>table>tbody tr:first-child th,div.dt-scroll-body>table>tbody tr:first-child td{border-top:none}div.dt-scroll-foot>.dt-scroll-footInner{box-sizing:content-box}div.dt-scroll-foot>.dt-scroll-footInner>table{margin-top:0 !important;border-top:none}@media screen and (max-width: 767px){div.dt-container div.dt-length,div.dt-container div.dt-search,div.dt-container div.dt-info,div.dt-container div.dt-paging{text-align:center}div.dt-container div.row{margin-bottom:0}div.dt-container div.row>*{margin-bottom:.5rem}div.dt-container div.dt-paging ul.pagination{justify-content:center !important}}table.dataTable.table-sm>thead>tr th.dt-orderable-asc,table.dataTable.table-sm>thead>tr th.dt-orderable-desc,table.dataTable.table-sm>thead>tr th.dt-ordering-asc,table.dataTable.table-sm>thead>tr th.dt-ordering-desc,table.dataTable.table-sm>thead>tr td.dt-orderable-asc,table.dataTable.table-sm>thead>tr td.dt-orderable-desc,table.dataTable.table-sm>thead>tr td.dt-ordering-asc,table.dataTable.table-sm>thead>tr td.dt-ordering-desc{padding-right:4px}table.dataTable.table-sm>thead>tr th.dt-orderable-asc span.dt-column-order,table.dataTable.table-sm>thead>tr th.dt-orderable-desc span.dt-column-order,table.dataTable.table-sm>thead>tr th.dt-ordering-asc span.dt-column-order,table.dataTable.table-sm>thead>tr th.dt-ordering-desc span.dt-column-order,table.dataTable.table-sm>thead>tr td.dt-orderable-asc span.dt-column-order,table.dataTable.table-sm>thead>tr td.dt-orderable-desc span.dt-column-order,table.dataTable.table-sm>thead>tr td.dt-ordering-asc span.dt-column-order,table.dataTable.table-sm>thead>tr td.dt-ordering-desc span.dt-column-order{right:4px}table.dataTable.table-sm>thead>tr th.dt-type-date span.dt-column-order,table.dataTable.table-sm>thead>tr th.dt-type-numeric span.dt-column-order,table.dataTable.table-sm>thead>tr td.dt-type-date span.dt-column-order,table.dataTable.table-sm>thead>tr td.dt-type-numeric span.dt-column-order{left:4px}div.dt-scroll-head table.table-bordered{border-bottom-width:0}div.table-responsive>div.dt-container>div.row{margin:0}div.table-responsive>div.dt-container>div.row>div[class^=col-]:first-child{padding-left:0}div.table-responsive>div.dt-container>div.row>div[class^=col-]:last-child{padding-right:0} diff --git a/plugins/DataTables/datatables.min.js b/plugins/DataTables/datatables.min.js index b63c2318..8632b1ce 100644 --- a/plugins/DataTables/datatables.min.js +++ b/plugins/DataTables/datatables.min.js @@ -4,16 +4,16 @@ * * To rebuild or modify this file with the latest versions of the included * software please visit: - * https://datatables.net/download/#bs4/dt-2.3.3 + * https://datatables.net/download/#bs4/dt-2.3.4 * * Included libraries: - * DataTables 2.3.3 + * DataTables 2.3.4 */ -/*! DataTables 2.3.3 +/*! DataTables 2.3.4 * © SpryMedia Ltd - datatables.net/license */ -!function(n){"use strict";var r;"function"==typeof define&&define.amd?define(["jquery"],function(e){return n(e,window,document)}):"object"==typeof exports?(r=require("jquery"),"undefined"==typeof window?module.exports=function(e,t){return e=e||window,t=t||r(e),n(t,e,e.document)}:module.exports=n(r,window,window.document)):window.DataTable=n(jQuery,window,document)}(function(H,W,S){"use strict";function f(e){var t=parseInt(e,10);return!isNaN(t)&&isFinite(e)?t:null}function c(e,t,n,r){var a=typeof e,o="string"==a;return"number"==a||"bigint"==a||!(!r||!_(e))||(t&&o&&(e=E(e,t)),n&&o&&(e=e.replace(P,"")),!isNaN(parseFloat(e))&&isFinite(e))}function n(e,t,n,r){var a;return!(!r||!_(e))||("string"!=typeof e||!e.match(/<(input|select)/i))&&(_(a=e)||"string"==typeof a)&&!!c(w(e),t,n,r)||null}function v(e,t,n,r){var a=[],o=0,i=t.length;if(void 0!==r)for(;o").prependTo(this),fastData:function(e,t,n){return q(c,e,t,n)}}),n=(c.nTable=this,c.oInit=t,o.push(c),c.api=new X(c),c.oInstance=1===E.length?E:a.dataTable(),Q(t),t.aLengthMenu&&!t.iDisplayLength&&(t.iDisplayLength=Array.isArray(t.aLengthMenu[0])?t.aLengthMenu[0][0]:H.isPlainObject(t.aLengthMenu[0])?t.aLengthMenu[0].value:t.aLengthMenu[0]),t=tt(H.extend(!0,{},r),t),$(c.oFeatures,t,["bPaginate","bLengthChange","bFilter","bSort","bSortMulti","bInfo","bProcessing","bAutoWidth","bSortClasses","bServerSide","bDeferRender"]),$(c,t,["ajax","fnFormatNumber","sServerMethod","aaSorting","aaSortingFixed","aLengthMenu","sPaginationType","iStateDuration","bSortCellsTop","iTabIndex","sDom","fnStateLoadCallback","fnStateSaveCallback","renderer","searchDelay","rowId","caption","layout","orderDescReverse","orderIndicators","orderHandler","titleRow","typeDetect",["iCookieDuration","iStateDuration"],["oSearch","oPreviousSearch"],["aoSearchCols","aoPreSearchCols"],["iDisplayLength","_iDisplayLength"]]),$(c.oScroll,t,[["sScrollX","sX"],["sScrollXInner","sXInner"],["sScrollY","sY"],["bScrollCollapse","bCollapse"]]),$(c.oLanguage,t,"fnInfoCallback"),Y(c,"aoDrawCallback",t.fnDrawCallback),Y(c,"aoStateSaveParams",t.fnStateSaveParams),Y(c,"aoStateLoadParams",t.fnStateLoadParams),Y(c,"aoStateLoaded",t.fnStateLoaded),Y(c,"aoRowCallback",t.fnRowCallback),Y(c,"aoRowCreatedCallback",t.fnCreatedRow),Y(c,"aoHeaderCallback",t.fnHeaderCallback),Y(c,"aoFooterCallback",t.fnFooterCallback),Y(c,"aoInitComplete",t.fnInitComplete),Y(c,"aoPreDrawCallback",t.fnPreDrawCallback),c.rowIdFn=U(t.rowId),t.on&&Object.keys(t.on).forEach(function(e){lt(a,e,t.on[e])}),c),d=(V.__browser||(f={},V.__browser=f,p=H("
").css({position:"fixed",top:0,left:-1*W.pageXOffset,height:1,width:1,overflow:"hidden"}).append(H("
").css({position:"absolute",top:1,left:1,width:100,overflow:"scroll"}).append(H("
").css({width:"100%",height:10}))).appendTo("body"),d=p.children(),u=d.children(),f.barWidth=d[0].offsetWidth-d[0].clientWidth,f.bScrollbarLeft=1!==Math.round(u.offset().left),p.remove()),H.extend(n.oBrowser,V.__browser),n.oScroll.iBarWidth=V.__browser.barWidth,c.oClasses),f=(H.extend(d,V.ext.classes,t.oClasses),a.addClass(d.table),c.oFeatures.bPaginate||(t.iDisplayStart=0),void 0===c.iInitDisplayStart&&(c.iInitDisplayStart=t.iDisplayStart,c._iDisplayStart=t.iDisplayStart),t.iDeferLoading),h=(null!==f&&(c.deferLoading=!0,u=Array.isArray(f),c._iRecordsDisplay=u?f[0]:f,c._iRecordsTotal=u?f[1]:f),[]),p=this.getElementsByTagName("thead"),n=Ne(c,p[0]);if(t.aoColumns)h=t.aoColumns;else if(n.length)for(j=n[e=0].length;e").appendTo(a):n).html(c.caption),n.length&&(n[0]._captionSide=n.css("caption-side"),c.captionNode=n[0]),0===p.length&&(p=H("").appendTo(a)),c.nTHead=p[0],a.children("tbody")),n=(0===n.length&&(n=H("").insertAfter(p)),c.nTBody=n[0],a.children("tfoot")),R=(0===n.length&&(n=H("").appendTo(a)),c.nTFoot=n[0],c.aiDisplay=c.aiDisplayMaster.slice(),c.bInitialised=!0,c.oLanguage);H.extend(!0,R,t.oLanguage),R.sUrl?H.ajax({dataType:"json",url:R.sUrl,success:function(e){B(r.oLanguage,e),H.extend(!0,R,e,c.oInit.oLanguage),G(c,null,"i18n",[c],!0),He(c)},error:function(){z(c,0,"i18n file loading error",21),He(c)}}):(G(c,null,"i18n",[c],!0),He(c))}}),E=null,this)},d=(V.ext=T={builder:"bs4/dt-2.3.3",buttons:{},ccContent:{},classes:{},errMode:"alert",escape:{attributes:!1},feature:[],features:{},search:[],selector:{cell:[],column:[],row:[]},legacy:{ajax:null},pager:{},renderer:{pageButton:{},header:{}},order:{},type:{className:{},detect:[],render:{},search:{},order:{}},_unique:0,fnVersionCheck:V.fnVersionCheck,iApiIndex:0,sVersion:V.version},H.extend(T,{afnFiltering:T.search,aTypes:T.type.detect,ofnSearch:T.type.search,oSort:T.type.order,afnSortData:T.order,aoFeatures:T.feature,oStdClasses:T.classes,oPagination:T.pager}),H.extend(V.ext.classes,{container:"dt-container",empty:{row:"dt-empty"},info:{container:"dt-info"},layout:{row:"dt-layout-row",cell:"dt-layout-cell",tableRow:"dt-layout-table",tableCell:"",start:"dt-layout-start",end:"dt-layout-end",full:"dt-layout-full"},length:{container:"dt-length",select:"dt-input"},order:{canAsc:"dt-orderable-asc",canDesc:"dt-orderable-desc",isAsc:"dt-ordering-asc",isDesc:"dt-ordering-desc",none:"dt-orderable-none",position:"sorting_"},processing:{container:"dt-processing"},scrolling:{body:"dt-scroll-body",container:"dt-scroll",footer:{self:"dt-scroll-foot",inner:"dt-scroll-footInner"},header:{self:"dt-scroll-head",inner:"dt-scroll-headInner"}},search:{container:"dt-search",input:"dt-input"},table:"dataTable",tbody:{cell:"",row:""},thead:{cell:"",row:""},tfoot:{cell:"",row:""},paging:{active:"current",button:"dt-paging-button",container:"dt-paging",disabled:"disabled",nav:""}}),{}),N=/[\r\n\u2028]/g,F=/<([^>]*>)/g,O=Math.pow(2,28),j=/^\d{2,4}[./-]\d{1,2}[./-]\d{1,2}([T ]{1}\d{1,2}[:.]\d{2}([.:]\d{2})?)?$/,R=new RegExp("(\\"+["/",".","*","+","?","|","(",")","[","]","{","}","\\","$","^","-"].join("|\\")+")","g"),P=/['\u00A0,$£€¥%\u2009\u202F\u20BD\u20a9\u20BArfkɃΞ]/gi,_=function(e){return!e||!0===e||"-"===e},E=function(e,t){return d[t]||(d[t]=new RegExp(Ee(t),"g")),"string"==typeof e&&"."!==t?e.replace(/\./g,"").replace(d[t],"."):e},b=function(e,t,n){var r=[],a=0,o=e.length;if(void 0!==n)for(;aO)throw new Error("Exceeded max str len");var t;for(e=e.replace(F,"");(e=(t=e).replace(/ - -New Asset
- + New Credential
@@ -1182,7 +1182,6 @@ if (isset($_GET['contact_id'])) { require_once "modals/ticket/ticket_add.php"; require_once "modals/recurring_ticket/recurring_ticket_add.php"; -require_once "modals/credential/credential_add.php"; require_once "modals/document/document_add.php"; require_once "modals/file/file_upload.php"; diff --git a/agent/credentials.php b/agent/credentials.php index 5589bd51..a26820aa 100644 --- a/agent/credentials.php +++ b/agent/credentials.php @@ -106,7 +106,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
= 2) { ?>
- @@ -534,7 +534,6 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()")); Domains
- + 0) { ?>
@@ -361,7 +361,6 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
diff --git a/agent/modals/certificate/certificate_add.php b/agent/modals/certificate/certificate_add.php index 32522bfc..457a2583 100644 --- a/agent/modals/certificate/certificate_add.php +++ b/agent/modals/certificate/certificate_add.php @@ -1,166 +1,175 @@ -