Merge pull request #87 from Sephster/fix-sql-injection-attack
Security Fix
Sephster committed Apr 22, 2021
2 parents 1093e77 + 5728981 commit 8836c4f
Showing 175 changed files with 14,418 additions and 13,168 deletions.
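--- a/.env.example
+++ b/.env.example
@@ -0,0 +1,26 @@
+APP_WWW=http://localhost
+DOC_ROOT=/var/www/webpa/
+DB_HOST=localhost
+DB_USER=root
+DB_PASS=password
+DB_NAME=webpa
+DB_PREFIX=pa2_
+CUSTOM_CSS_PATH=
+SESSION_NAME=WEBPA
+ACADEMIC_YEAR_START_MONTH=9
+HELP_EMAIL=someone@email.com
+NO_REPLY_EMAIL=no-reply@email.com
+LOGO_PATH=/images/logo.png
+LOGO_ALT_TEXT="Your institution name"
+LOGO_HEIGHT=25
+LOGO_WIDTH=102
+ALLOW_TEXT_INPUT=true
+ENABLE_USER_DELETE=true
+ENABLE_MODULE_DELETE=true
+SMTP_HOST=localhost
+SMTP_PORT=25
+EMAIL_ADDRESS=someone@email.com
+ENABLE_MOODLE_GRADEBOOK=false
+SEND_OPENING_REMINDER=false
+SEND_CLOSING_REMINDER=false
+MARK_TERMINOLOGY=Scores(s)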
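Review bot: The example ships working-looking credentials (`DB_USER=root`, `DB_PASS=password`), and the README in this same commit tells developers to copy this file to `.env`, so the first running install is a root database account with a guessable password unless the reader remembers to change both lines. Placeholder values that cannot work as-is, for example `DB_USER=webpa_app` and `DB_PASS=CHANGE_ME` (illustrative names), force that edit; a one-line `#` comment above them saying the application account only needs rights on the prefixed tables would help, though that scope is inferred from `DB_PREFIX` and should be confirmed against the install SQL. The defaults `ENABLE_USER_DELETE=true` and `ENABLE_MODULE_DELETE=true` are also the more permissive choice for an example file; whether the loader reads the literal string `true` as a boolean is not visible in this diff. `.env` itself is covered by the `.gitignore` change, which is the right complement.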
2 changes: 2 additions & 0 deletions .gitignore
Expand Up @@ -2,3 +2,5 @@ vendor/
/composer.lock
.idea/
*.orig
.env
/src/mod/**
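--- a/.php_cs.dist
+++ b/.php_cs.dist
@@ -0,0 +1,65 @@
+<?php
+
+$finder = PhpCsFixer\Finder::create()
+->exclude('mod')
+->in(__DIR__ . '/src');
+
+$config = new PhpCsFixer\Config();
+
+return $config
+->setRules([
+'@PSR2' => true,
+'@PHP74Migration' => true,
+'array_syntax' => ['syntax' => 'short'],
+'no_alias_language_construct_call' => true,
+'no_mixed_echo_print' => true,
+'no_multiline_whitespace_around_double_arrow' => true,
+'no_trailing_comma_in_singleline_array' => true,
+'no_whitespace_before_comma_in_array' => true,
+'normalize_index_brace' => true,
+'trailing_comma_in_multiline_array' => true,
+'trim_array_spaces' => true,
+'whitespace_after_comma_in_array' => true,
+'lowercase_static_reference' => true,
+'magic_constant_casing' => true,
+'magic_method_casing' => true,
+'native_function_casing' => true,
+'native_function_type_declaration_casing' => true,
+'cast_spaces' => true,
+'lowercase_cast' => true,
+'no_short_bool_cast' => true,
+'no_unset_cast' => true,
+'short_scalar_cast' => true,
+'class_attributes_separation' => true,
+'class_definition' => true,
+'no_blank_lines_after_class_opening' => true,
+'no_null_property_initialization' => true,
+'protected_to_private' => true,
+'self_static_accessor' => true,
+'single_class_element_per_statement' => true,
+'single_trait_insert_per_statement' => true,
+'multiline_comment_opening_closing' => true,
+'no_empty_comment' => true,
+'single_line_comment_style' => true,
+'include' => true,
+'no_alternative_syntax' => true,
+'no_superfluous_elseif' => true,
+'no_trailing_comma_in_list_call' => true,
+'no_unneeded_control_parentheses' => true,
+'no_unneeded_curly_braces' => true,
+'no_useless_else' => true,
+'simplified_if_return' => true,
+'switch_case_space' => true,
+'switch_continue_to_break' => true,
+'function_typehint_space' => true,
+'method_argument_space' => true,
+'nullable_type_declaration_for_default_null_value' => true,
+'return_type_declaration' => true,
+'fully_qualified_strict_types' => true,
+'global_namespace_import' => true,
+'no_leading_import_slash' => true,
+'no_unused_imports' => true,
+'ordered_imports' => true,
+'single_quote' => true,
+])
+->setFinder($finder);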
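Review bot: The rule list never enables `declare_strict_types`, so files the fixer normalises still run under coercive scalar typing, which is worth tightening in a codebase that, per the PR title, is moving away from string-built SQL. It is classed as a risky rule, so it needs both `'declare_strict_types' => true,` in the list and `->setRiskyAllowed(true)` on `$config` before `->setRules([...])`; expect a one-off sweep that prepends the declare to every file under `src`. The file name `.php_cs.dist` is the pre-3.0 config name, which matches the `^2.18` constraint in composer.json but will need renaming to `.php-cs-fixer.dist.php` when that dependency moves to 3.x.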
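--- a/.phpcs.xml.dist
+++ b/.phpcs.xml.dist
@@ -0,0 +1,42 @@
+<?xml version="1.0"?>
+<ruleset xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="PHP_CodeSniffer" xsi:noNamespaceSchemaLocation="phpcs.xsd">
+<description>WebPA Coding Standards</description>
+
+<file>src</file>
+
+<exclude-pattern>*/src/*\.(inc|css|js)$</exclude-pattern>
+
+<arg name="basepath" value="."/>
+<arg name="colors"/>
+<arg name="parallel" value="75"/>
+<arg value="np"/>
+
+<!-- Don't hide tokenizer exceptions -->
+<rule ref="Internal.Tokenizer.Exception">
+<type>error</type>
+</rule>
+
+<!-- Include the whole PEAR standard -->
+<rule ref="PSR2" />
+
+<!-- Check var names, but we don't want leading underscores for private vars -->
+<rule ref="Squiz.NamingConventions.ValidVariableName"/>
+<rule ref="Squiz.NamingConventions.ValidVariableName.PrivateNoUnderscore">
+<severity>0</severity>
+</rule>
+
+<!-- Private methods MUST not be prefixed with an underscore -->
+<rule ref="PSR2.Methods.MethodDeclaration.Underscore">
+<type>error</type>
+</rule>
+
+<!-- Private properties MUST not be prefixed with an underscore -->
+<rule ref="PSR2.Classes.PropertyDeclaration.Underscore">
+<type>error</type>
+</rule>
+
+<!-- Side effects should be classed as an error because these break PHPStan checks -->
+<rule ref="PSR1.Files.SideEffects">
+<type>error</type>
+</rule>
+</ruleset>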
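Review bot: The comment above `<rule ref="PSR2" />` reads "Include the whole PEAR standard" while the rule actually pulled in is PSR2; change it to `<!-- Include the whole PSR2 standard -->` so nobody goes looking for a PEAR ruleset that is not configured. The exclude pattern `*/src/*\.(inc|css|js)$` also removes every `.inc` file from the sniff; if any of those files contain PHP (not visible in this diff), the coding-standard and side-effect checks below never run on them, which is worth confirming before relying on `PSR1.Files.SideEffects` as an error.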
16 changes: 14 additions & 2 deletions CHANGELOG.md
Expand Up @@ -4,7 +4,16 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).

## [Unreleased]
## [3.1.2] - 2020-04-22
### Changed
- Emails are now triggered via a single script, `jobs/Email.php` instead of calling`tutors/asessments/email/ClosingReminder.php` and `tutors/assessments/email/TriggerReminder.php` directly.

### Removed
- Removed LDAP functionality and options as the implementation did not work.

### Security
- Fixed a large amount of SQL injection attacks
- Change password hashing to use the native password_hash() function in PHP instead of MD5 hashing which is insecure

## [3.1.1] - 2020-10-02
### Fixed
Expand All @@ -18,6 +27,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
### Fixed
- Change default authenticator to be database instead of SAML (PR #64)

## [Unreleased]

## [3.0.7] - 2020-01-20
### Fixed
- Remove a blank line at the top of a PHP class that was causing a fatal error
Expand Down Expand Up @@ -65,8 +76,9 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.

## [1.1.0.1] - 2008-07-19

[Unreleased]: https://github.com/WebPA/WebPA/compare/v3.1.1...HEAD
[Unreleased]: https://github.com/WebPA/WebPA/compare/v3.1.2...HEAD

[3.1.2]: https://github.com/WebPA/WebPA/compare/v3.1.1...v3.1.2
[3.1.1]: https://github.com/WebPA/WebPA/compare/v3.1.0...v3.1.1
[3.1.0]: https://github.com/WebPA/WebPA/compare/v3.0.7...v3.1.0
[3.0.7]: https://github.com/WebPA/WebPA/compare/v3.0.6...v3.0.7
Expand Down
60 changes: 43 additions & 17 deletions README.md
Expand Up @@ -9,9 +9,8 @@ student with an individual grade. The individual grade reflects the students con

The following versions of PHP are supported for the latest version of WebPA:

* PHP 7.2
* PHP 7.3
* PHP 7.4
* PHP 8.0

Your PHP instance must also have the following extensions enabled:

Expand All @@ -32,30 +31,57 @@ composer create-project --prefer-dist --no-dev webpa/webpa webpa

Alternatively you can download the latest release from this repository's [release page](https://github.com/WebPA/WebPA/releases).

### Setup
### Configuration

Edit the includes/inc\_global.php file in the includes directory to configure the application; in particular:
WebPA has a number of configuration options allowing you to set your database credentials, SMTP mail host details and
various other options.

- APP\_\_WWW: URL to the instance of WebPA (without a closing "/");
- DOC\_\_ROOT: directory path to the WebPA files (with a closing "/" or "\\");
- database settings:
- APP\_\_DB\_HOST: host name
- APP\_\_DB\_USERNAME: username
- APP\_\_DB\_PASSWORD: password
- APP\_\_DB\_DATABASE: database name
- APP\_\_DB\_TABLE\_PREFIX: table prefix (default is `pa2_` which means that the new version can share the same database as the old version if required)
- Configure the LDAP settings if you wish to authenticate via LDAP.
The application comes bundled with a `.env.example` file which lists all of the configuation key-value pairs you can
set.

For speedy development, you can copy this `.env.example` file to a file called `.env` and change the values to suit your
environment. The path of this file can be set in the `includes/inc_global.php` file.

For production environments, please *avoid* using the `.env` file as storing sensitive credentials in a file could be a
security risk. Instead you should set these key-pairs as environment variables. In Apache, you can set these in your
`.htaccess` file as follows:

```
SetEnv DB_HOST localhost
```

At a minimum, you should set the following environmental variables to let WebPA function:

* APP_WWW - URL to your instance of WebPA (set without a closing '/')
* DOC_ROOT - Directory path to the WebPA files (set with a closing '/')
* DB_HOST - Database host
* DB_USER - Database username
* DB_PASS - Database password
* DB_NAME - Database name
* DB_PREFIX - Database table prefix. Usually set to 'pa2_'

For more information on the dotenv file please visit the
[dotenv package's repository](https://github.com/vlucas/phpdotenv). For more information on setting environmental
variables in Apache, please [visit Apache's website](https://httpd.apache.org/docs/2.4/mod/mod_env.html#setenv).

### Initialise the Database

Run the following scripts to initialise the database (edit the files to change the names and password as reqired):

- install/webpa2\_database.sql: create the database schema and user account;
- install/webpa2\_tables.sql: create the database tables;
- install/webpa2\_administrator.sql: create an administrator account and sample module.

#### Upgrading an Existing Installation

If you already have WebPA installed and are upgrading from version 3.1.0 or below, please run:

- install/webpa\_security\_update.sql

Login to WebPA:
### Login to WebPA

- navigate to root of WebPA application;
- enter a username of "admin" and a password of "admin"
- navigate to root of WebPA application
- enter a username of _admin_ and a password of _admin_
- change the password to something more secure after logging in

Delete the _install_ folder when you're finished.
Expand Down Expand Up @@ -94,4 +120,4 @@ install instructions.

WebPA was originally developed by the Centre for Engineering and Design Education at [Loughborough University](http://www.lboro.ac.uk/) with financial support from [JISC](https://www.jisc.ac.uk/)'s e-Learning Capital Programme.

It continues to be mainted by a number of [open source contributors](https://github.com/WebPA/WebPA/graphs/contributors). We thank them for their time and effort supporting this system.
It continues to be maintained by a number of [open source contributors](https://github.com/WebPA/WebPA/graphs/contributors). We thank them for their time and effort supporting this system.
10 changes: 7 additions & 3 deletions composer.json
Expand Up @@ -24,10 +24,12 @@
}
],
"require": {
"php": ">=7.2",
"php": ">=7.4",
"ext-xml": "*",
"ext-session": "*",
"ext-mysqli": "*"
"ext-mysqli": "*",
"doctrine/dbal": "^3.0",
"vlucas/phpdotenv": "^5.3"
},
"support": {
"email": "andrew@noexceptions.io",
Expand All @@ -39,6 +41,8 @@
"psr-4": {"WebPA\\": "src/"}
},
"require-dev": {
"phpstan/phpstan": "^0.12.25"
"phpstan/phpstan": "^0.12.25",
"friendsofphp/php-cs-fixer": "^2.18",
"squizlabs/php_codesniffer": "^3.5"
}
}
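Review bot: The new constraint `"php": ">=7.4"` has no upper bound, while README.md in this same commit lists PHP 7.4 and 8.0 as the supported versions; `"php": "^7.4 || ^8.0"` states the tested range and stops Composer from installing onto a future major nobody has run the suite on. The added runtime dependencies `doctrine/dbal` and `vlucas/phpdotenv` arrive without a committed lock file (the `.gitignore` hunk in this commit still lists `/composer.lock`), so two deployments can resolve different dbal 3.x releases; for an application rather than a library, committing the lock is the usual way to make a security fix reproducible across installs.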
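--- a/phpstan.neon
+++ b/phpstan.neon
@@ -0,0 +1,6 @@
+parameters:
+level: 0
+paths:
+- src
+excludePaths:
+- src/mod/*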
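Review bot: `level: 0` runs PHPStan at its weakest setting, which reports little beyond unknown classes and functions; for a commit that rewrites query code, even `level: 1` would flag undefined variables in the rewritten paths, so a comment such as `# level 0 is a baseline; raise one level per release as reported issues are cleared` would record the intent. The rendered page shows `level`, `paths` and `excludePaths` at column 0, which neon would reject, so this is presumably indentation lost in rendering rather than the committed file — worth a quick `vendor/bin/phpstan analyse` to confirm the config parses.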
