More security/sanitizing fixes
--- a/common.inc.php
+++ b/common.inc.php
@@ -5,7 +5,9 @@
$googleMapsAPIkey="ABQIAAAA95XYXN0cki3Yj_Sb71CFvBTPaLd08ONybQDjcH_VdYtHHLgZvRTw2INzI_m17_IoOUqH3RNNmlTk1Q";
$otpAPIurl = 'http://localhost:8080/opentripplanner-api-webapp/';
$owaSiteID = 'fe5b819fa8c424a99ff0764d955d23f3';
-if (isDebug()) error_reporting(E_ALL ^ E_NOTICE);
+//$debugOkay = Array("session","json","phperror","other");
+$debugOkay = Array("session","json","phperror");
+if (isDebug("phperror")) error_reporting(E_ALL ^ E_NOTICE);
// SELECT array_to_string(array(SELECT REPLACE(name_2006, ',', '\,') as name FROM suburbs order by name), ',')
$suburbs = explode(",","Acton,Ainslie,Amaroo,Aranda,Banks,Barton,Belconnen,Bonner,Bonython,Braddon,Bruce,Calwell,Campbell,Chapman,Charnwood,Chifley,Chisholm,City,Conder,Cook,Curtin,Deakin,Dickson,Downer,Duffy,Dunlop,Evatt,Fadden,Farrer,Fisher,Florey,Flynn,Forrest,Franklin,Fraser,Fyshwick,Garran,Gilmore,Giralang,Gordon,Gowrie,Greenway,Griffith,Gungahlin,Hackett,Hall,Harrison,Hawker,Higgins,Holder,Holt,Hughes,Hume,Isaacs,Isabella Plains,Kaleen,Kambah,Kingston,Latham,Lawson,Lyneham,Lyons,Macarthur,Macgregor,Macquarie,Mawson,McKellar,Melba,Mitchell,Monash,Narrabundah,Ngunnawal,Nicholls,Oaks Estate,O'Connor,O'Malley,Oxley,Page,Palmerston,Parkes,Pearce,Phillip,Pialligo,Red Hill,Reid,Richardson,Rivett,Russell,Scullin,Spence,Stirling,Symonston,Tharwa,Theodore,Torrens,Turner,Wanniassa,Waramanga,Watson,Weetangera,Weston,Yarralumla");
@@ -21,8 +23,8 @@
if (isset($_REQUEST['geolocate'])) {
$geocoded = false;
if (isset($_REQUEST['lat']) && isset($_REQUEST['lon'])) {
- $_SESSION['lat'] = $_REQUEST['lat'];
- $_SESSION['lon'] = $_REQUEST['lon'];
+ $_SESSION['lat'] = filter_var($_REQUEST['lat'],FILTER_SANITIZE_NUMBER_FLOAT, FILTER_FLAG_ALLOW_FRACTION);
+ $_SESSION['lon'] = filter_var($_REQUEST['lon'],FILTER_SANITIZE_NUMBER_FLOAT, FILTER_FLAG_ALLOW_FRACTION);
} else {
$contents = geocode(filter_var($_REQUEST['geolocate'],FILTER_SANITIZE_URL),true);
if (isset($contents[0]->centroid)) {
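Review bot: `FILTER_SANITIZE_NUMBER_FLOAT` on the new `$_SESSION['lat']`/`['lon']` lines only strips characters it does not recognise; it never rejects malformed input, so a value such as `1.2.3` or `--5` survives into the session, and an empty or garbage value is later interpolated into upstream API URLs unchanged. Since these are coordinates, validate rather than sanitise and refuse the request on failure: `$lat = filter_var($_REQUEST['lat'], FILTER_VALIDATE_FLOAT);` followed by `if ($lat === false) { /* reject */ }` before the session assignment. The same sanitise-instead-of-validate pattern appears in the `layar_api.php` hunk (`$lat`, `$lon`, `$radius`, `pageKey`) and, with `FILTER_SANITIZE_NUMBER_INT`, for `$stopid` in `stop.pdf.php` and `stop.php` and `$routeid` in `trip.php`, where `FILTER_VALIDATE_INT` is the equivalent. The enclosing `if (isset($_REQUEST['geolocate']))` block continues past this hunk.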
@@ -53,9 +55,10 @@
}
}
debug(print_r($_SESSION,true));
-function isDebug()
-{
- return $_SERVER['SERVER_NAME'] == "10.0.1.154" || $_SERVER['SERVER_NAME'] == "localhost" || $_SERVER['SERVER_NAME'] == "127.0.0.1" || !$_SERVER['SERVER_NAME'];
+function isDebug($debugReason = "other")
+{
+ global $debugOkay;
+ return in_array($debugReason,$debugOkay,false) && $_SERVER['SERVER_NAME'] == "10.0.1.154" || $_SERVER['SERVER_NAME'] == "localhost" || $_SERVER['SERVER_NAME'] == "127.0.0.1" || !$_SERVER['SERVER_NAME'];
}
function isMetricsOn()
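Review bot: The new return expression in `isDebug` mixes `&&` and `||` without parentheses, and `&&` binds tighter, so `$debugOkay` only gates the `10.0.1.154` case; on `localhost`, `127.0.0.1` or an empty `SERVER_NAME` every `$debugReason` (including the default `"other"`) still returns true, which defeats the whitelist the first hunk introduces. Group the host checks and make the lookup strict: `return in_array($debugReason, $debugOkay, true) && ($_SERVER['SERVER_NAME'] == "10.0.1.154" || $_SERVER['SERVER_NAME'] == "localhost" || $_SERVER['SERVER_NAME'] == "127.0.0.1" || !$_SERVER['SERVER_NAME']);`. Separately, on some web-server configurations `SERVER_NAME` mirrors the request's Host header, in which case the `localhost` match is client-influenced; comparing `$_SERVER['SERVER_ADDR']` or `$_SERVER['REMOTE_ADDR']` against the allowed addresses would tie debug mode to something the client does not control, which matters because `debug(print_r($_SESSION,true))` just above emits session contents into the page.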
@@ -63,8 +66,8 @@
return !isDebug();
}
-function debug($msg) {
- if (isDebug()) echo "\n<!-- ".date(DATE_RFC822)."\n $msg -->\n";
+function debug($msg, $debugReason = "other") {
+ if (isDebug($debugReason)) echo "\n<!-- ".date(DATE_RFC822)."\n $msg -->\n";
}
function isFastDevice() {
$ua = $_SERVER['HTTP_USER_AGENT'];
@@ -243,7 +246,15 @@
return $f;
}
-function staticmap($mapPoints, $zoom = 0, $markerImage = "iconb")
+function curPageURL() {
+$isHTTPS = (isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] == "on");
+$port = (isset($_SERVER["SERVER_PORT"]) && ((!$isHTTPS && $_SERVER["SERVER_PORT"] != "80") || ($isHTTPS && $_SERVER["SERVER_PORT"] != "443")));
+$port = ($port) ? ':'.$_SERVER["SERVER_PORT"] : '';
+$url = ($isHTTPS ? 'https://' : 'http://').$_SERVER["SERVER_NAME"].$port.dirname($_SERVER['PHP_SELF'])."/";
+return $url;
+}
+
+function staticmap($mapPoints, $zoom = 0, $markerImage = "iconb", $collapsible = true)
{
$width = 300;
$height = 300;
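Review bot: `curPageURL` derives its path segment from `dirname($_SERVER['PHP_SELF'])`, and `PHP_SELF` includes any extra path info a client appends to the script URL, so the value is partly request-controlled and then lands in `staticmap`'s `<img src>` attribute unescaped. Use the server-side script path instead: `$url = ($isHTTPS ? 'https://' : 'http://').$_SERVER["SERVER_NAME"].$port.dirname($_SERVER['SCRIPT_NAME'])."/";`. The `$_SERVER["HTTPS"] == "on"` test also misses servers that set the flag to `1`; `!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off'` is the usual form. `staticmap`'s body continues past this hunk.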
@@ -267,7 +278,7 @@
if (sizeof($mapPoints) === 1) {
if ($zoom == 0) $zoom = 14;
$markers .= "{$mapPoints[0][0]},{$mapPoints[0][1]},$markerimage";
- $center = "{$mapPoints[0][0]},{$mapPoints[0][1]}";
+ $center = "{$mapPoints[0][0]},{$mapPoints[0][1]}";
} else {
foreach ($mapPoints as $index => $mapPoint) {
$markers .= $mapPoint[0].",".$mapPoint[1].",".$markerImage.($index+1);
@@ -289,9 +300,9 @@
$center = $totalLat/sizeof($mapPoints).",".$totalLon/sizeof($mapPoints);
}
$output = "";
- if(basename($_SERVER['PHP_SELF']) != "tripPlanner.php") $output .= '<div data-role="collapsible" data-collapsed="true"><h3>Open Map...</h3>';
- $output .= '<center><img src="staticmaplite/staticmap.php?center='.$center.'&zoom='.$zoom.'&size='.$width.'x'.$height.'&maptype=mapnik&markers='.$markers.'" width='.$width.' height='.$height.'></center>';
- if(basename($_SERVER['PHP_SELF']) != "tripPlanner.php") $output .= '</div>';
+ if ($collapsible) $output .= '<div data-role="collapsible" data-collapsed="true"><h3>Open Map...</h3>';
+ $output .= '<center><img src="'.curPageURL().'staticmaplite/staticmap.php?center='.$center.'&zoom='.$zoom.'&size='.$width.'x'.$height.'&maptype=mapnik&markers='.$markers.'" width='.$width.' height='.$height.'></center>';
+ if ($collapsible) $output .= '</div>';
return $output;
}
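Review bot: The new `<img src=...>` line concatenates `curPageURL()`, `$center`, `$zoom` and `$markers` into an HTML attribute with no escaping, so `&` separators are emitted raw and any attribute-unsafe character in those values breaks out of the attribute. Assemble the URL into a variable and escape it at output: `$mapUrl = curPageURL().'staticmaplite/staticmap.php?center='.$center.'&zoom='.$zoom.'&size='.$width.'x'.$height.'&maptype=mapnik&markers='.$markers;` then `'<center><img src="'.htmlspecialchars($mapUrl, ENT_QUOTES).'" width='.$width.' height='.$height.'></center>'`. In the same function's earlier hunk, the single-point branch builds `$markers` with `$markerimage` (lower-case i) while the parameter is `$markerImage`, which looks like a pre-existing typo that leaves the marker image empty for single-point maps — worth confirming while here. `staticmap`'s signature is outside this hunk.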
@@ -497,5 +508,7 @@
</form>
</div></div>';
}
+
+
?>
--- a/layar_api.php
+++ b/layar_api.php
@@ -6,10 +6,14 @@
$max_page = 10;
$max_results = 50;
-$page_start = 0+$_REQUEST['pageKey'];
-$page_end = $max_page+$_REQUEST['pageKey'];
+$page_start = 0+filter_var($_REQUEST['pageKey'],FILTER_SANITIZE_NUMBER_INT);
+$page_end = $max_page+filter_var($_REQUEST['pageKey'],FILTER_SANITIZE_NUMBER_INT);
-$url = $APIurl."/json/neareststops?lat={$_REQUEST['lat']}&lon={$_REQUEST['lon']}&limit=50";
+$lat = filter_var($_REQUEST['lat'],FILTER_SANITIZE_NUMBER_FLOAT, FILTER_FLAG_ALLOW_FRACTION);
+$lon = filter_var($_REQUEST['lon'],FILTER_SANITIZE_NUMBER_FLOAT, FILTER_FLAG_ALLOW_FRACTION);
+if (isset($_REQUEST['radius'])) $radius = filter_var($_REQUEST['radius'],FILTER_SANITIZE_NUMBER_FLOAT, FILTER_FLAG_ALLOW_FRACTION);
+
+$url = $APIurl."/json/neareststops?lat=$lat&lon=$lon&limit=50";
$contents = json_decode(getPage($url));
debug(print_r($contents,true));
$stopNum = 0;
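Review bot: `$_REQUEST['pageKey']`, `['lat']` and `['lon']` are read unconditionally on the new lines while `radius` is guarded with `isset`; a request missing any of them raises an undefined-index notice and, after sanitising, yields an empty string, so `$url` becomes `.../neareststops?lat=&lon=&limit=50` and the upstream call is made with no coordinates. Guard the required parameters before building `$url`, e.g. `if (!isset($_REQUEST['lat'], $_REQUEST['lon'])) { header('HTTP/1.0 400 Bad Request'); exit; }`. `$radius` is also only defined inside the `isset` branch and the later hunk reads it under a matching `!isset` guard, which works but is fragile; initialising `$radius = null;` first keeps it defined on every path.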
@@ -24,7 +28,7 @@
$hotspot['lat'] = floor($row[2]*1000000);
$hotspot['lon'] = floor($row[3]*1000000);
$hotspot['distance'] = distance($row[2], $row[3], $_REQUEST['lat'], $_REQUEST['lon']);
- if (!isset($_REQUEST['radius']) || $hotspot['distance'] < $_REQUEST['radius']) {
+ if (!isset($_REQUEST['radius']) || $hotspot['distance'] < $radius) {
$hotspot['actions'] = Array(Array("label" => 'View more trips/information', 'uri' => 'http://bus.lambdacomplex.org/'.'stop.php?stopid='.$row[0]));
$url = $APIurl."/json/stoptrips?stop=".$row[0]."&time=".midnight_seconds()."&service_period=".service_period()."&limit=4&time_range=".str(90*60);
$trips = json_decode(getPage($url));
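Review bot: The `distance(...)` call two lines above the changed `if` still passes the raw `$_REQUEST['lat']` and `$_REQUEST['lon']`, even though the first hunk now sanitises them into `$lat` and `$lon`, so the distance filter and the upstream query can disagree on the coordinates they use. Change it to `$hotspot['distance'] = distance($row[2], $row[3], $lat, $lon);`. The enclosing loop starts before this hunk.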
--- a/schedule_viewer.py
+++ b/schedule_viewer.py
@@ -421,6 +421,18 @@
if s.stop_id.lower() == query:
return StopToTuple(s)
return []
+ def handle_json_GET_stoproutes(self, params):
+ """Given a stop_id return all routes to visit the stop."""
+ schedule = self.server.schedule
+ stop = schedule.GetStop(params.get('stop', None))
+ service_period = params.get('service_period', None)
+ trips = stop.GetTrips(schedule)
+ result = {}
+ for trip in trips:
+ route = schedule.GetRoute(trip.route_id)
+ if not trip.route_id in result:
+ result[trip.route_id] = (route.route_id, route.route_short_name, route.route_long_name, trip.trip_id)
+ return result
def handle_json_GET_stopalltrips(self, params):
"""Given a stop_id return all trips to visit the stop."""
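Review bot: `handle_json_GET_stoproutes` reads `service_period` from `params` but never uses it, and the result of `schedule.GetStop(...)` is used without a check, so a request with an unknown or missing `stop` would presumably fail with an `AttributeError` on `stop.GetTrips` rather than returning an empty result the way the sibling handler above returns `[]`. Either drop the unused `service_period = params.get('service_period', None)` line or pass it through, and guard the lookup with `if stop is None: return {}` right after `GetStop`. The membership test reads more idiomatically as `if trip.route_id not in result:`. The enclosing class starts outside this hunk.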
--- a/stop.pdf.php
+++ b/stop.pdf.php
@@ -1,19 +1,20 @@
<?php
include('common.inc.php');
-$url = $APIurl."/json/stop?stop_id=".$_REQUEST['stopid'];
+$stopid = filter_var($_REQUEST['stopid'],FILTER_SANITIZE_NUMBER_INT);
+$url = $APIurl."/json/stop?stop_id=".$stopid;
$stop = json_decode(getPage($url));
$html .= '<div data-role="content" class="ui-content" role="main"><p>'.staticmap(Array(0 => Array($stop[2],$stop[3])), 0,"iconb", false).'</p>';
$html .= ' <ul data-role="listview" data-inset="true">';
-$url = $APIurl."/json/stoptrips?stop=".$_REQUEST['stopid']."&time=".midnight_seconds()."&service_period=".service_period();
+$url = $APIurl."/json/stoptrips?stop=".$stopid."&time=".midnight_seconds()."&service_period=".service_period();
$trips = json_decode(getPage($url));
debug(print_r($trips,true));
foreach ($trips as $row)
{
$html .= '<li>';
-$html .= '<h3><a href="trip.php?stopid='.$_REQUEST['stopid'].'&tripid='.$row[1][0].'">'.$row[1][1];
+$html .= '<h3><a href="trip.php?stopid='.$stopid.'&tripid='.$row[1][0].'">'.$row[1][1];
if (isFastDevice()) {
- $viaPoints = viaPointNames($row[1][0],$_REQUEST['stopid']);
+ $viaPoints = viaPointNames($row[1][0],$stopid);
if ($viaPoints != "") $html .= '<br><small>Via: '.$viaPoints.'</small> </a></h3>';
}
$html .= '<p class="ui-li-aside"><strong>'.midnight_seconds_to_time($row[0]).'</strong></p>';
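Review bot: `$html .= '<div data-role="content" ...` on the line after `$stop = json_decode(...)` is the first use of `$html` in this file with no `$html = '';` before it, so unless `common.inc.php` initialises it the first append operates on an undefined variable. Add `$html = '';` right after the `include`. `$stopid` is also an empty string when `stopid` is missing or non-numeric and is still sent upstream as `stop_id=`; checking `if ($stopid === '') { exit; }` (or validating with `FILTER_VALIDATE_INT`) before the first `getPage` call avoids the pointless request.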
--- a/stop.php
+++ b/stop.php
@@ -1,6 +1,7 @@
<?php
include('common.inc.php');
-$url = $APIurl."/json/stop?stop_id=".$_REQUEST['stopid'];
+$stopid = filter_var($_REQUEST['stopid'],FILTER_SANITIZE_NUMBER_INT);
+$url = $APIurl."/json/stop?stop_id=".$stopid;
$stop = json_decode(getPage($url));
include_header($stop[1],"stop");
@@ -14,22 +15,22 @@
// Set the Event Type, in this case a "video_play"
$event->setEventType('view_stop');
// Set a property
-$event->set('stop_id',$_REQUEST['stopid']);
+$event->set('stop_id',$stopid);
// Track the event
$owa->trackEvent($event);
}
timePlaceSettings();
echo '<div data-role="content" class="ui-content" role="main"><p>'.staticmap(Array(0 => Array($stop[2],$stop[3]))).'</p>';
echo ' <ul data-role="listview" data-inset="true">';
-$url = $APIurl."/json/stoptrips?stop=".$_REQUEST['stopid']."&time=".midnight_seconds()."&service_period=".service_period();
+$url = $APIurl."/json/stoptrips?stop=".$stopid."&time=".midnight_seconds()."&service_period=".service_period();
$trips = json_decode(getPage($url));
debug(print_r($trips,true));
foreach ($trips as $row)
{
echo '<li>';
-echo '<h3><a href="trip.php?stopid='.$_REQUEST['stopid'].'&tripid='.$row[1][0].'">'.$row[1][1];
+echo '<h3><a href="trip.php?stopid='.$stopid.'&tripid='.$row[1][0].'">'.$row[1][1];
if (isFastDevice()) {
- $viaPoints = viaPointNames($row[1][0],$_REQUEST['stopid']);
+ $viaPoints = viaPointNames($row[1][0],$stopid);
if ($viaPoints != "") echo '<br><small>Via: '.$viaPoints.'</small> </a></h3>';
}
echo '<p class="ui-li-aside"><strong>'.midnight_seconds_to_time($row[0]).'</strong></p>';
--- a/stopList.php
+++ b/stopList.php
@@ -36,8 +36,9 @@
navbar();
timePlaceSettings(true);
} else if ($_REQUEST['suburb']) {
- $url = $APIurl."/json/stopzonesearch?q=".filter_var($_REQUEST['suburb'], FILTER_SANITIZE_STRING);
-include_header("Stops in ".ucwords(filter_var($_REQUEST['suburb'], FILTER_SANITIZE_STRING)),"stopList");
+ $suburb = filter_var($_REQUEST['suburb'], FILTER_SANITIZE_STRING);
+ $url = $APIurl."/json/stopzonesearch?q=".$suburb;
+include_header("Stops in ".ucwords($suburb),"stopList");
if (isMetricsOn()) {
// Create a new Instance of the tracker
$owa = new owa_php($config);
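Review bot: The new `$suburb` is concatenated into the `stopzonesearch` query string without URL encoding, so a space (`Isabella Plains`) or the `&#39;` that `FILTER_SANITIZE_STRING` substitutes for the apostrophe in `O'Connor` reaches the upstream API literally. Build the query with `$url = $APIurl."/json/stopzonesearch?q=".urlencode($suburb);`. Since `common.inc.php` already defines the `$suburbs` list, checking the raw value with `in_array($_REQUEST['suburb'], $suburbs, true)` and rejecting anything else is a tighter check than sanitising. The surrounding `else if` chain starts before this hunk.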
@@ -48,7 +49,7 @@
// Set the Event Type, in this case a "video_play"
$event->setEventType('view_stop_list_suburb');
// Set a property
-$event->set('stop_list_suburb',$_REQUEST['suburb']);
+$event->set('stop_list_suburb',$suburb);
// Track the event
$owa->trackEvent($event);
}
--- a/trip.php
+++ b/trip.php
@@ -2,8 +2,9 @@
include('common.inc.php');
$tripid = filter_var($_REQUEST['tripid'],FILTER_SANITIZE_NUMBER_INT);
$stopid = filter_var($_REQUEST['stopid'],FILTER_SANITIZE_NUMBER_INT);
+$routeid = filter_var($_REQUEST['routeid'],FILTER_SANITIZE_NUMBER_INT);
if ($_REQUEST['routeid']) {
- $url = $APIurl."/json/routetrips?route_id=".filter_var($_REQUEST['routeid'],FILTER_SANITIZE_NUMBER_INT);
+ $url = $APIurl."/json/routetrips?route_id=".$routeid;
$trips = json_decode(getPage($url));
debug(print_r($trips,true));
foreach ($trips as $trip)
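Review bot: The new `$routeid = filter_var($_REQUEST['routeid'], ...)` runs unconditionally, but the `if` on the next line still tests the raw `$_REQUEST['routeid']`; when `routeid` is absent the `filter_var` line raises an undefined-index notice before the check, and when it is present but non-numeric the branch is taken with an empty `$routeid`. Read it guarded and test the sanitised value: `$routeid = isset($_REQUEST['routeid']) ? filter_var($_REQUEST['routeid'],FILTER_SANITIZE_NUMBER_INT) : '';` and `if ($routeid !== '') {`. The `if` block continues past this hunk.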
@@ -31,6 +32,7 @@
// Set a property
$event->set('trip_id',$tripid);
$event->set('route_id',$routeid);
+$event->set('stop_id',$stopid);
// Track the event
$owa->trackEvent($event);
}
--- a/tripPlanner.php
+++ b/tripPlanner.php
@@ -54,7 +54,7 @@
foreach ($itinerary->legs->leg as $legNumber => $leg) {
$legMarkers[] = array($leg->from->lat, $leg->from->lon);
}
- echo '' . staticmap($legMarkers) . "<br>\n";
+ echo '' . staticmap($legMarkers, 0,"iconb", false) . "<br>\n";
echo '<ul>';
foreach ($itinerary->legs->leg as $legNumber => $leg) {
echo '<li>';
@@ -63,7 +63,7 @@
}
echo "</ul>";
} else {
- echo '' . staticmap(array(array($itinerary->legs->leg->from->lat, $itinerary->legs->leg->from->lon))) . "<br>\n";
+ echo '' . staticmap(array(array($itinerary->legs->leg->from->lat, $itinerary->legs->leg->from->lon)), 0,"iconb", false) . "<br>\n";
processLeg(0, $itinerary->legs->leg);
}
@@ -80,7 +80,7 @@
foreach ($leg->steps->walkSteps as $stepNumber => $step) {
$walkStepMarkers[] = array($step->lat, $step->lon);
}
- echo "" . staticmap($walkStepMarkers, "icong") . "<br>\n";
+ echo "" . staticmap($walkStepMarkers, 0,"icong", false) . "<br>\n";
foreach ($leg->steps->walkSteps as $stepNumber => $step) {
echo "Walking step " . ($stepNumber + 1) . " $step->absoluteDirection / $step->relativeDirection on $step->streetName for " . floor($step->distance) . " meters<br>\n";
}