Multiple Security Headers (#123)

- separate controller and view (all html output is now free from program logic) this makes the code more **readable**. It should now be easier to spot security issues and write **clean code**. - separate javascript from html. This partly belongs to the first point but I list it extra because this allows us to introduce a `Content-Security-Policy` which should **remove any threat of Cross-Site-Scripting** - Introduced header `X-Frame-Options` to prevent **clickjacking**. - Fix a small information disclosure vulnerability (finding out which users exist)
zeruniverse · Feb 4, 2017 · 9898201 · 9898201
1 parent ad7f2bf
commit 9898201
Show file tree

Hide file tree

Showing 17 changed files with 1,862 additions and 1,675 deletions.
diff --git a/src/check.php b/src/check.php
@@ -58,7 +58,7 @@ function loghistory($link,$userid,$ip,$ua,$outcome)
         $sql="INSERT INTO `blockip` VALUES (?,CURRENT_TIMESTAMP)";
         $res=sqlexec($sql,array(getUserIP()),$link);
     }
-    die("1");
+    die("0");
 }
 $_SESSION['loginok']=1;
 $_SESSION['user']=$usr;

diff --git a/src/css/style.css b/src/css/style.css
@@ -1,4 +1,5 @@
-body {padding-top: 50px; width:100%;}
+body {padding-top: 50px; width:100%; color:#666666;}
+a { cursor:pointer; }
 /*.theme-showcase{max-width:100%;}*/
 .cellOptionButton {float:right; }
 /* Tags */
@@ -21,7 +22,7 @@ body {padding-top: 50px; width:100%;}
     .pull-right-sm {
         float: right;
     }
-    
+
 }
 @media (max-width: 992px) {
     .namecell, .usercell { max-width:360px; }
@@ -32,9 +33,17 @@ body {padding-top: 50px; width:100%;}
 @media (max-width: 500px) {
     .namecell, .usercell { max-width:170px;}
 }
-
-
+@font-face {
+    font-family: 'passwordshow';
+    src:url('../pw.ttf');
+}
+.theme-showcase {
+    margin-top:10px !important;
+}
 /*Login form */
+#loginform, #signupform{
+    max-width:300px;
+}
 #loginform #user { 
     margin-bottom: -1px;
     border-bottom-right-radius: 0;
@@ -49,4 +58,47 @@ body {padding-top: 50px; width:100%;}
     font-size: 16px; 
     height: auto;
 }
-
+.footer {
+    color: #777;
+    text-align: center;
+    padding: 30px 0;
+    margin-top: 70px;
+    border-top: 1px solid #e5e5e5;
+    background-color: #f5f5f5;
+}
+.textbold {
+    font-weight:bold;
+}
+.textred {
+    color:red;
+}
+/* Detail View */
+#details {
+    height:230px;
+    background:#efefef;
+    overflow:auto;
+}
+.blocklabel{
+    display:block;
+    clear:both;
+}
+/* Nav */
+.navbar-toggle{
+    margin-left:10px;
+}
+#navbar{
+    min-width:100px;
+}
+#tagCloud p {
+    margin-bottom:0;
+}
+#orderTags, #orderTagsDisable{
+    padding-left:10px;
+}
+/* dialogs */
+#backuppwdpb{
+    width:0%;
+}
+#fieldsz{
+    height:100px;
+}
diff --git a/src/function/ajax.php b/src/function/ajax.php
@@ -0,0 +1,12 @@
+<?php
+header('X-Content-Type-Options: nosniff');
+header('Content-Type: application/json');
+header("Cache-Control: no-store, no-cache, must-revalidate, max-age=0");
+function error($msg) {
+    echo json_encode(array("status" => "error", "message" => $msg));
+    die();
+}
+if ($_SERVER['REQUEST_METHOD'] !== 'POST'){
+    error('Wrong method');
+}
+?>
diff --git a/src/function/basic.php b/src/function/basic.php
@@ -9,16 +9,22 @@ function echofooter()
 }
 function echoheader()
 {
-echo '<!DOCTYPE html>
+    header('X-Frame-Options: DENY');
+    header("Content-Security-Policy: default-src 'self';");
+    header("Pragma: public");
+    $expires = ONE_DAY;
+    header("Cache-Control: max-age=".$expires.", must-revalidate");
+    header('Expires: ' . gmdate('D, d M Y H:i:s', time()+$expires) . ' GMT');
+    echo '<!DOCTYPE html>
 <html lang="en">
 <head>
     <meta charset="utf-8">
     <title>Password Manager</title>
     <meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=no">
     <meta name="description" content="Password Manager">
     <meta name="author" content="Jeffery">
-	<link href="css/bootstrap.min.css" rel="stylesheet">
-	<link href="css/style.css" rel="stylesheet">
+    <link href="css/bootstrap.min.css" rel="stylesheet">
+    <link href="css/style.css" rel="stylesheet">
     <!-- HTML5 shim, for IE6-8 support of HTML5 elements -->
     <!--[if lt IE 9]>
     <script src="js/html5shiv.js"></script>
@@ -27,18 +33,8 @@ function echoheader()
     <!-- Fav and touch icons -->
     <link rel="shortcut icon" href="favicon.ico">
     <script type="text/javascript" src="js/jquery.min.js"></script>
-	<script type="text/javascript" src="js/bootstrap.min.js"></script>
-    <style>
-    .footer {
-        color: #777;
-        text-align: center;
-        padding: 30px 0;
-        margin-top: 70px;
-        border-top: 1px solid #e5e5e5;
-        background-color: #f5f5f5;
-        }
-    </style>
+    <script type="text/javascript" src="js/bootstrap.min.js"></script>
 </head>
-<body style="color:#666666">';
+<body>';
 }
-?>
+?>
diff --git a/src/history.php b/src/history.php
@@ -1,32 +1,17 @@
 <?php
-require_once("function/sqllink.php");
 require_once("function/basic.php");
-$link=sqllink();
-if(!checksession($link)){header("Location: ./");die();}
-$id = $_SESSION['userid'];
-$usr=$_SESSION['user'];
 echoheader();
 ?>
 <link rel="stylesheet" type="text/css" href="css/dataTables.bootstrap.min.css">
 <link rel="stylesheet" type="text/css" href="css/responsive.dataTables.min.css">
-<div class="container theme-showcase" style="margin-top:-30px;">
+<div class="container theme-showcase">
     <p id="placeholder">PLEASE WAIT...</p>
-    <div id="maindiv" style="display:none">
+    <div id="maindiv collapse">
     <div class="page-header">
         <h1>Trusted Devices</h1>
     </div>
-    <table class="table">
+    <table class="table" id="pinTable">
     <tr><th>Device Type</th><th>Set Time</th><th>Untrust (Disable PIN)</th></tr>
-    <?php
-        $sql="SELECT `device`,UNIX_TIMESTAMP(`createtime`) AS `createtime`,`ua` FROM `pin` WHERE `userid`= ?";
-        $res=sqlexec($sql,array($id),$link);
-		while ($i = $res->fetch(PDO::FETCH_ASSOC)){ 
-            $did=$i['device'];
-            $ctime=(int)$i['createtime'];
-            $ua=$i['ua'];
-            echo "<tr><td class='uacell'>".$ua."</td><td class='timestampcell' atttimestamp='".$ctime."'></td><td><a href='javascript: unsetpin(\"".$did."\")'>Untrust this device</a></td></tr>";
-		}
-    ?>
     </table>
     <div class="page-header">
         <h1>Login History</h1>
@@ -37,64 +22,13 @@
     <tr><th>Device Type</th><th>Login IP</th><th>Login Time</th></tr>
 	</thead>
 	<tbody>
-    <?php
-        $sql="SELECT `ip`,`ua`,`outcome`,UNIX_TIMESTAMP(`time`) AS `time` FROM `history` WHERE `userid`= ? ORDER BY `id` DESC LIMIT 60";
-        $res=sqlexec($sql,array($id),$link);
-		while ($i = $res->fetch(PDO::FETCH_ASSOC)){ 
-            $ip=$i['ip'];
-            $ua=$i['ua'];
-            $ctime=(int)$i['time'];
-            if((int)$i['outcome']==0)
-                $color=' style="color:red"';
-            else
-                $color='';
-            echo "<tr".$color."><td class='uacell'>".$ua."</td><td>".$ip."<td class='timestampcell' atttimestamp='".$ctime."'></td></tr>";
-		}
-    ?>
 	</tbody>
-    </table>   
+    </table>
     </div>
 </div>
 <script type="text/javascript" src="ua-parser.min.js"></script>
 <script type="text/javascript" src="js/jquery.dataTables.min.js"></script>
 <script type="text/javascript" src="js/dataTables.bootstrap.min.js"></script>
 <script type="text/javascript" src="js/dataTables.responsive.min.js"></script>
-<script type="text/javascript">
-function timeConverter(utctime){
-  var a = new Date(utctime * 1000);
-  var months = ['Jan','Feb','Mar','Apr','May','Jun','Jul','Aug','Sep','Oct','Nov','Dec']; 
-  var year = String(a.getFullYear());
-  var month = months[a.getMonth()];
-  var date = String(a.getDate());
-  var hour = String(a.getHours());
-  var min = String(a.getMinutes());
-  var sec = String(a.getSeconds());
-  if(hour.length==1) hour = '0'+hour;
-  if(min.length==1) min = '0'+min;
-  if(sec.length==1) sec = '0'+sec;
-  var time = month + ' '+date + ', ' + year + ' ' + hour + ':' + min + ':' + sec ;
-  return time;
-}
-$(document).ready(function(){
-    var parser = new UAParser();
-    var uastring;
-    var nowtime;
-    $( ".uacell" ).each(function() {
-       uastring=$(this).html();
-       parser.setUA(uastring);
-       $(this).html(parser.getBrowser().name+' '+parser.getBrowser().version+'; '+parser.getOS().name+' '+parser.getOS().version+'; '+parser.getDevice().model+' '+parser.getCPU().architecture);
-    });
-    $( ".timestampcell" ).each(function(){
-       nowtime=timeConverter($(this).attr('atttimestamp'));
-       $(this).html(nowtime);
-    });
-    $("#placeholder").hide();
-	$("#loginhistorytable").DataTable({ordering:false, searching:false});
-    $("#maindiv").show();
-});
-function unsetpin(devicex)
-{
-    $.post("deletepin.php",{user:"<?php echo $usr;?>",device:devicex},function(msg){location.reload(true);});
-}
-</script>
+<script type="text/javascript" src="js/history.js"></script>
 <?php echofooter();?>