cant decode uri :(

2025-02-06 00:18:36 +01:00 · 2025-02-06 00:18:36 +01:00 · e2239d3894
commit e2239d3894
parent b03c6a42ae
6 changed files with 124 additions and 99 deletions
--- a/index.php
+++ b/index.php
@ -54,8 +54,8 @@ Exemples: <?= $_SERVER['REMOTE_ADDR']; ?>/24 <?= $_SERVER['SERVER_NAME']; ?> 10.
            <div class="field">
              <label for="nameInput">Enregistrer sous le nom (optionnel)</label>
              <div class="ui small input">
-                <input id="nameInput" type="text" name="name" placeholder="Réseau local"
-                  pattern='[^&lt;&gt;:&quot;\\\/\|@?]+' title="Caractères interdits :  &lt;&gt;:&quot;\/|@?">
+                <input id="nameInput" type="text" name="name" placeholder="Reseau local"
+                  pattern='[0-9a-zA-Z\-_\. ]+' title="Caractères autorisés: a-z A-Z 0-9 - _ ."/>
              </div>
            </div>
            <div class="ui error message"></div>
@ -78,7 +78,7 @@ Exemples: <?= $_SERVER['REMOTE_ADDR']; ?>/24 <?= $_SERVER['SERVER_NAME']; ?> 10.
                    foreach (scandir($SCANSDIR) as $filename) {
                      if (substr($filename, -4) == '.xml') {
                        $name = str_replace('!', '/', substr_replace($filename, '', -4));
-                        echo "<tr><td class='selectable'><a href='$SCANSDIR/" . rawurlencode($filename) . "'><i class='tasks icon'></i>$name</a></td><td class='collapsing'><a href='rescan.php?name=$name' class='ui mini labelled button' onclick='rescan(this)'><i class='sync icon'></i>Rescanner</a></td></tr>\n";
+                        echo "<tr><td class='selectable'><a href='$SCANSDIR/" . rawurlencode($filename) . "'><i class='tasks icon'></i>$name</a></td><td class='collapsing'><a href='rescan.php?name=$name' class='ui mini labelled button' onclick='rescan(this)'><i class='sync icon'></i>Rescanner</a></td><td class='collapsing'><a href='rm.php?name=$name' class='ui mini negative icon button'><i class='trash icon'></i></a></td></td></tr>\n";
                      }
                    }
                    ?>
--- a/rm.php
+++ b/rm.php
@ -0,0 +1,23 @@
+<?php
+
+error_reporting(E_ALL);
+ini_set('display_errors', '1');
+ini_set('display_startup_errors', '1');
+
+include_once 'config.php';
+
+$fileNameRegex = '/^[0-9a-zA-Z-_. ]+$/';
+
+$name = filter_input(INPUT_GET, 'name', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => $fileNameRegex], "flags" => FILTER_NULL_ON_FAILURE]);
+if (!$name) {
+  die("Paramètre manquant ou incorrect : name");
+}
+
+$path = "$SCANSDIR/$name.xml";
+if (!file_exists($path)) {
+  die("Scan inconnu : $name");
+}
+
+unlink($path);
+
+header('Location: .');
--- a/scan.php
+++ b/scan.php
@ -2,20 +2,20 @@

 include_once 'config.php';

-$fileNameRegex = '/^[^<>:\/|?]+$/';
+$fileNameRegex = '/^[0-9a-zA-Z-_. ]+$/';
 $targetsListRegex = '/^[\da-zA-Z-. \/]+$/';

 $name = filter_input(INPUT_GET, 'name', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => $fileNameRegex], "flags" => FILTER_NULL_ON_FAILURE]);

 $lan = filter_input(INPUT_GET, 'lan', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => $targetsListRegex], "flags" => FILTER_NULL_ON_FAILURE]);
 if ($lan) {
-    $cmd = "$NMAP $LANSCANOPTIONS --stylesheet '$BASEDIR/$STYLESHEETSDIR/lanScan.xsl?name=$name&' -oX - $lan";
+    $cmd = "$NMAP $LANSCANOPTIONS --stylesheet '$BASEDIR/$STYLESHEETSDIR/lanScan.xsl?name=$name' -oX - $lan";
    $filename = str_replace("/", "!", $lan);
 }

 $host = filter_input(INPUT_GET, 'host', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => $targetsListRegex], "flags" => FILTER_NULL_ON_FAILURE]);
 if ($host) {
-    $cmd = "$NMAP $HOSTSCANOPTIONS --stylesheet '$BASEDIR/$STYLESHEETSDIR/hostScan.xsl?name=$name&' -oX - $host";
+    $cmd = "$NMAP $HOSTSCANOPTIONS --stylesheet '$BASEDIR/$STYLESHEETSDIR/hostScan.xsl?name=$name' -oX - $host";
    $filename = str_replace("/", "!", $host);
 }

@ -138,20 +138,23 @@ if ($targets) {
                if ($value === true) {
                    $options .= " $option";
                } else {
-                    if (substr($option, 0, 2) == '--') $options .= " $option " . escapeshellarg($value);
-                    else $options .= " $option" . escapeshellarg($value);
+                    if (substr($option, 0, 2) == '--')
+                        $options .= " $option " . escapeshellarg($value);
+                    else
+                        $options .= " $option" . escapeshellarg($value);
                }
            }
        }
    }

-    $cmd = "$NMAP$options $CUSTOMSCANOPTIONS --stylesheet $BASEDIR/$STYLESHEETSDIR/lanScan.xsl?name=$name&' -oX - $targets";
+    $cmd = "$NMAP$options $CUSTOMSCANOPTIONS --stylesheet $BASEDIR/$STYLESHEETSDIR/lanScan.xsl?name=$name' -oX - $targets";
    $filename = str_replace("/", "!", $targets);
 }

 if ($cmd) {
    if ($name) {
-        if (!file_exists($SCANSDIR)) mkdir($SCANSDIR);
+        if (!file_exists($SCANSDIR))
+            mkdir($SCANSDIR);

        $path = "$SCANSDIR/$name.xml";
        $cmd .= " | tee " . escapeshellarg($path);
--- a/stylesheets/hostScan.xsl
+++ b/stylesheets/hostScan.xsl
@ -13,7 +13,7 @@

  <xsl:variable name="stylesheetURL" select="substring-before(substring-after(processing-instruction('xml-stylesheet'),'href=&quot;'), '?')" />
  <xsl:variable name="base" select="concat($stylesheetURL, '/../../')" />
-  <xsl:variable name="name" select="substring-before(substring-after(processing-instruction('xml-stylesheet'),'name='), '&amp;')" />
+  <xsl:variable name="name" select="substring-before(substring-after(processing-instruction('xml-stylesheet'),'name='), '&quot;')" />

  <xsl:template match="nmaprun">
    <xsl:variable name="targets" select="substring-after(@args, '-oX - ')" />
--- a/stylesheets/lanScan.xsl
+++ b/stylesheets/lanScan.xsl
@ -7,13 +7,12 @@
  <xsl:import href="services.xsl" />
  <xsl:import href="toast.xsl" />

-  <xsl:output method="html" encoding="UTF-8" />
-  <xsl:output indent="yes" />
+  <xsl:output method="html" encoding="UTF-8" indent="yes" escape-uri-attributes="no" />
  <xsl:strip-space elements='*' />

  <xsl:variable name="stylesheetURL" select="substring-before(substring-after(processing-instruction('xml-stylesheet'),'href=&quot;'), '?')" />
  <xsl:variable name="base" select="concat($stylesheetURL, '/../../')" />
-  <xsl:variable name="name" select="substring-before(substring-after(processing-instruction('xml-stylesheet'),'name='), '&amp;')" />
+  <xsl:variable name="name" select="substring-before(substring-after(processing-instruction('xml-stylesheet'),'name='), '&quot;')" disable-output-escaping="no"/>

  <xsl:template match="nmaprun">
    <xsl:variable name="targets" select="substring-after(@args, '-oX - ')" />
--- a/stylesheets/toast.xsl
+++ b/stylesheets/toast.xsl
@ -7,6 +7,16 @@
    <xsl:template match="runstats">
        <xsl:param name="init"/>
        <script>
+            <xsl:if test="$init/runstats/finished">
+$.toast({
+    message    : 'Comparaison avec les résultats du ' + new Date("<xsl:value-of select="$init/runstats/finished/@timestr"/>").toLocaleString(),
+    class      : 'info',
+    showIcon   : 'calendar',
+    displayTime: 0,
+    closeIcon  : true,
+    position   : 'bottom right',
+})
+            </xsl:if>
            <xsl:if test="finished/@summary">
 $.toast({
    title      : '<xsl:value-of select="finished/@exit"/>',
@ -26,16 +36,6 @@ $.toast({
    displayTime: 0,
    closeIcon  : true,
    position   : 'bottom right',
-})
-            </xsl:if>
-            <xsl:if test="$init/runstats/finished">
-$.toast({
-    message    : 'Comparaison avec les résultats du ' + new Date("<xsl:value-of select="$init/runstats/finished/@timestr"/>").toLocaleString(),
-    class      : 'info',
-    showIcon   : 'calendar',
-    displayTime: 0,
-    closeIcon  : true,
-    position   : 'bottom right',
 })
            </xsl:if>
        </script>