Merge pull request #2463 from Leantime/fileUploadBugs

Fixes projectCalendar and comment dates.

.dev/error_reporting.ini

@@ -1,2 +1,3 @@
 error_reporting=E_ALL
 display_errors=On
+phar.readonly=Off

app/Core/Fileupload.php

@@ -97,15 +97,18 @@ public function __construct(Environment $config)
                 ],
             ];
 
-            if ($this->config->s3EndPoint != "" && $this->config->s3EndPoint !== false && $this->config->s3EndPoint != null) {
+            if (
+                !empty($this->config->s3EndPoint)
+                && $this->config->s3EndPoint != "null"
+                && $this->config->s3EndPoint != "false"
+            ) {
                 $s3Config['endpoint'] = $this->config->s3EndPoint;
             }
 
             if ($this->config->s3UsePathStyleEndpoint === true || $this->config->s3UsePathStyleEndpoint === "true") {
                 $s3Config['use_path_style_endpoint'] = true;
             }
 
-
             // Instantiate the S3 client with your AWS credentials
             $this->s3Client = new S3Client($s3Config);
         }
@@ -429,14 +432,14 @@ public function displayImageFile(string $imageName, string $fullPath = ''): Resp
         $sFileSize = filesize($fullPath);
 
         $oStreamResponse = new BinaryFileResponse($fullPath);
-        $oStreamResponse->headers->set("Content-Type", $mimes[$ext] );
+        $oStreamResponse->headers->set("Content-Type", $mimes[$ext]);
         //$oStreamResponse->headers->set("Content-Length", $sFileSize);
         //$oStreamResponse->headers->set("ETag", $sEtag);
 
-        if(app()->make(Environment::class)->debug == false) {
+        if (app()->make(Environment::class)->debug == false) {
             $oStreamResponse->headers->set("Pragma", 'public');
             $oStreamResponse->headers->set("Cache-Control", 'max-age=86400');
-            $oStreamResponse->headers->set("Last-Modified", gmdate("D, d M Y H:i:s", $sLastModified)." GMT");
+            $oStreamResponse->headers->set("Last-Modified", gmdate("D, d M Y H:i:s", $sLastModified) . " GMT");
         }
         //$oStreamResponse->setCallback(function() use ($fullPath) {readfile($fullPath);});
 

app/Core/Session.php

@@ -67,14 +67,31 @@ public function __construct(
 
         if (isset($_COOKIE['sid']) === true) {
             self::$sid = htmlspecialchars($_COOKIE['sid']);
+
+            //Part 0 random string without session pw
+            //Part 1 remote adds + host with session pw
+            //Part 2 random string with session pw
             $testSession = explode('-', self::$sid);
         }
 
         //Don't allow session ids from user.
         if (is_array($testSession) === true && count($testSession) > 1) {
-            $testMD5 = hash('sha1', $testSession[0] . $this->sessionpassword);
+            $testSessionPw = hash('sha1', $testSession[0] . $this->sessionpassword);
+
+            if ($testSessionPw !== $testSession[2]) {
+                error_log("failed session pw test of tmp");
+                self::makeSID();
+            }
+
+            //test remote host info
+            $session_string = ! $this->request instanceof CliRequest
+                ? self::get_client_ip() . $_SERVER['HTTP_HOST']
+                : 'cli';
+
+            $testSessionHost = hash('sha1', $session_string . $this->sessionpassword);
 
-            if ($testMD5 !== $testSession[1]) {
+            if ($testSessionHost !== $testSession[1]) {
+                error_log("failed ip and host check");
                 self::makeSID();
             }
         } else {
@@ -89,11 +106,11 @@ public function __construct(
             'leantime.core.httpkernel.handle.beforeSendResponse',
             fn ($response) => tap($response, fn (Response $response) => $response->headers->setCookie(
                 Cookie::create('sid')
-                ->withValue(self::$sid)
-                ->withExpires(time() + $config->sessionExpiration)
-                ->withPath('/')
-                ->withSameSite('Lax')
-                ->withSecure(true)
+                    ->withValue(self::$sid)
+                    ->withExpires(time() + $config->sessionExpiration)
+                    ->withPath('/')
+                    ->withSameSite('Strict')
+                    ->withSecure(true)
             ))
         );
     }
@@ -119,12 +136,12 @@ public static function getSID(): string
     private function makeSID(): void
     {
         $session_string = ! $this->request instanceof CliRequest
-            ? $_SERVER['REMOTE_ADDR']
+            ? self::get_client_ip() . $_SERVER['HTTP_HOST']
             : 'cli';
 
         $tmp = hash('sha1', mt_rand(32, 32) . $session_string . time());
 
-        self::$sid = $tmp . '-' . hash('sha1', $tmp . $this->sessionpassword);
+        self::$sid = $tmp . '-' . hash('sha1', $session_string . $this->sessionpassword) . '-'  . hash('sha1', $tmp . $this->sessionpassword);
     }
 
     /**
@@ -143,12 +160,33 @@ public static function destroySession(): void
             'leantime.core.httpkernel.handle.beforeSendResponse',
             fn ($response) => tap($response, fn (Response $response) => $response->headers->setCookie(
                 Cookie::create('sid')
-                ->withValue('')
-                ->withExpires(time() - 42000)
-                ->withPath('/')
-                ->withSameSite('Strict')
-                ->withSecure(true)
+                    ->withValue('')
+                    ->withExpires(time() - 42000)
+                    ->withPath('/')
+                    ->withSameSite('Strict')
+                    ->withSecure(true)
             ))
         );
     }
+
+    private static function get_client_ip()
+    {
+        $ipaddress = '';
+        if (getenv('HTTP_CLIENT_IP')) {
+            $ipaddress = getenv('HTTP_CLIENT_IP');
+        } elseif (getenv('HTTP_X_FORWARDED_FOR')) {
+            $ipaddress = getenv('HTTP_X_FORWARDED_FOR');
+        } elseif (getenv('HTTP_X_FORWARDED')) {
+            $ipaddress = getenv('HTTP_X_FORWARDED');
+        } elseif (getenv('HTTP_FORWARDED_FOR')) {
+            $ipaddress = getenv('HTTP_FORWARDED_FOR');
+        } elseif (getenv('HTTP_FORWARDED')) {
+            $ipaddress = getenv('HTTP_FORWARDED');
+        } elseif (getenv('REMOTE_ADDR')) {
+            $ipaddress = getenv('REMOTE_ADDR');
+        } else {
+            $ipaddress = 'UNKNOWN';
+        }
+        return $ipaddress;
+    }
 }

app/Domain/Auth/Controllers/Login.php

@@ -53,7 +53,12 @@ public function get(array $params): Response
         $redirectUrl = BASE_URL . "/dashboard/home";
 
         if (isset($_GET['redirect']) && trim($_GET['redirect']) !== '' && trim($_GET['redirect']) !== '/') {
-            $redirectUrl = BASE_URL . urldecode($_GET['redirect']);
+            $url = urldecode($_GET['redirect']);
+
+            //Check for open redirects, don't allow redirects to external sites.
+            if (filter_var($url, FILTER_VALIDATE_URL) === false) {
+                $redirectUrl = BASE_URL ."/" . $url;
+            }
         }
 
         if ($this->config->useLdap) {

app/Domain/Comments/Repositories/Comments.php

@@ -203,7 +203,7 @@ public function addComment($values, $module): false|string
             $stmn->bindValue(':commentParent', $values['commentParent'], PDO::PARAM_INT);
             $stmn->bindValue(':text', $values['text'], PDO::PARAM_STR);
             $stmn->bindValue(':module', $module, PDO::PARAM_STR);
-            $stmn->bindValue(':date', date("Y-m-d H:i:s"), PDO::PARAM_STR);
+            $stmn->bindValue(':date', $values["date"], PDO::PARAM_STR);
             $stmn->bindValue(':status', $values['status'] ?? '', PDO::PARAM_STR);
 
             $result = $stmn->execute();

app/Domain/Comments/Services/Comments.php

@@ -64,7 +64,7 @@ public function addComment($values, $module, $entityId, $entity): bool
             if (isset($values['text']) && $values['text'] != '' && isset($values['father']) && isset($module) &&  isset($entityId) &&  isset($entity)) {
                 $mapper = array(
                     'text' => $values['text'],
-                    'date' => date("Y-m-d H:i:s"),
+                    'date' => $values["date"] ?? dtHelper()->dbNow()->formatDateTimeForDb(),
                     'userId' => ($_SESSION['userdata']['id']),
                     'moduleId' => $entityId,
                     'commentParent' => ($values['father']),

app/Domain/Files/Repositories/Files.php

@@ -303,7 +303,9 @@ public function upload($file, $module, $moduleId): false|array
                         $return = false;
                     }
                 } else {
-                    return $upload->error;
+
+                    error_log($upload->error);
+                    return false;
                 }
             }
 

app/Domain/Plugins/Services/Plugins.php

@@ -98,6 +98,7 @@ public function getAllPlugins(bool $enabledOnly = false): false|array
                     : $plugin->type = $this->pluginTypes['custom'];
 
                 $installedPluginsById[$plugin->foldername] = $plugin;
+
             }
 
             // Gets plugins from the config, which are automatically enabled

app/Domain/Plugins/Templates/myapps.blade.php

@@ -20,9 +20,9 @@
                         {{ __("text.installed_plugins") }}
                     </h5>
                     <div class="row sortableTicketList">
-                        @foreach($tpl->get("installedPlugins") as $installedPlugins)
-                               @include('plugins::partials.plugin', ["plugin" => $installedPlugins])
-                        @endforeach
+                        @each('plugins::partials.plugin', $tpl->get("installedPlugins"), 'plugin')
+
+
                         @if ($tpl->get("installedPlugins") === false || count($tpl->get("installedPlugins")) == 0)
                                 <span class="tw-block tw-px-4 tw-mb-4">{{ __("text.no_plugins_activated") }}</span>
                         @endif

app/Domain/Plugins/Templates/partials/plugin.blade.php

@@ -22,7 +22,7 @@ class="certififed label-default tw-absolute tw-top-[10px] tw-right-[10px] tw-tex
         @if (! empty($plugin->name))
             <div class="row">
                 <div class="col-md-12">
-                    <h5 class="subtitle">{{ $plugin->name }}<br /></h5>
+                    <h5 class="subtitle">{{ $plugin->name }} {{ $plugin->version ? "(v".$plugin->version.")" : "" }}<br /></h5>
                 </div>
             </div>
         @endif
@@ -32,6 +32,7 @@ class="certififed label-default tw-absolute tw-top-[10px] tw-right-[10px] tw-tex
                 @if (! empty($desc = $plugin->getCardDesc()))
                     <p>{{ $desc }}</p>
                 @endif
+
             </div>
         </div>
         <div class="row tw-border-t tw-border-[var(--main-border-color)] tw-px-base">

app/Domain/Projects/Templates/showProject.tpl.php

@@ -434,6 +434,8 @@
 <script type='text/javascript'>
 
     jQuery(document).ready(function() {
+        jQuery("#projectdetails select").chosen();
+
         <?php if (isset($_GET['integrationSuccess'])) {?>
             window.history.pushState({},document.title, '<?=BASE_URL ?>/projects/showProject/<?php echo (int)$project['id']; ?>');
         <?php } ?>

app/Domain/Tickets/Templates/calendar.tpl.php

@@ -125,16 +125,15 @@
 
             title: <?php echo json_encode($headline); ?>,
 
-            start: <?php echo "'" . (($mlst->editFrom != '0000-00-00 00:00:00' && !str_starts_with(
-                $mlst->editFrom,
-                '1969-12-31'
-            )) ? $mlst->editFrom :  date('Y-m-d', strtotime("+1 day", time()))) . "',"; ?>
-            <?php if (isset($mlst->editTo)) : ?>
-            end: <?php echo "'" . (($mlst->editTo != '0000-00-00 00:00:00' && !str_starts_with(
-                $mlst->editTo,
-                '1969-12-31'
-            )) ? $mlst->editTo :  date('Y-m-d', strtotime("+1 day", time()))) . "',"; ?>
-            <?php endif; ?>
+            <?php if(dtHelper()->isValidDateString($mlst->dateToFinish)){ ?>
+                start: new Date(<?php echo format($mlst->dateToFinish)->jsTimestamp() ?>),
+                end: new Date(<?php echo format(dtHelper()->parseDbDateTime($mlst->dateToFinish)->addHour(1))->jsTimestamp() ?>),
+            <?php } elseif(dtHelper()->isValidDateString($mlst->editFrom)){ ?>
+                start: new Date(<?php echo format($mlst->editFrom)->jsTimestamp() ?>),
+                end: new Date(<?php echo format($mlst->editTo)->jsTimestamp() ?>),
+            <?php } ?>
+
+
             enitityId: <?php echo $mlst->id ?>,
             <?php if ($mlst->type == "milestone") { ?>
             url: '#/tickets/editMilestone/<?php echo $mlst->id ?>',
@@ -160,13 +159,18 @@
         const calendarEl = document.getElementById('calendar');
 
         const calendar = new FullCalendar.Calendar(calendarEl, {
+                timeZone: leantime.i18n.__("usersettings.timezone"),
+
                 height:heightWindow,
                 initialView: '<?=$_SESSION['submenuToggle']["myProjectCalendarView"] ?>',
                 events: events,
                 editable: true,
                 headerToolbar: false,
+                dayHeaderFormat: leantime.dateHelper.getFormatFromSettings("dateformat", "luxon"),
+                eventTimeFormat: leantime.dateHelper.getFormatFromSettings("timeformat", "luxon"),
+                slotLabelFormat: leantime.dateHelper.getFormatFromSettings("timeformat", "luxon"),
 
-                nowIndicator: true,
+            nowIndicator: true,
                 bootstrapFontAwesome: {
                     close: 'fa-times',
                     prev: 'fa-chevron-left',

phpstan.neon

@@ -5,8 +5,11 @@ parameters:
         - app/Command
         - app/Core
         - app/Domain
+        - app/Plugins
         - app/Views
         - bin/
+    excludes_analyse:
+        - app/Plugins/*/vendor/*
     scanDirectories:
         - vendor
         - config