diff --git a/src/Site/Controller/User.php b/src/Site/Controller/User.php
index c2a4898..2c7d33c 100644
--- a/src/Site/Controller/User.php
+++ b/src/Site/Controller/User.php
@@ -20,6 +20,7 @@ class User {
$doLogin = $_SERVER['REQUEST_METHOD'] === 'POST';
$error = '';
+ $nyuU = '';
if ($doLogin) {
if (!\verify_csrf_token($_POST['csrf_token'])) {
@@ -29,13 +30,21 @@ class User {
unset($_POST['csrf_token']);
$a = [];
- if (count($_POST) === 2) {
+ $isBot = false;
+ if (count($_POST) === 4) {
$i = 0;
foreach ($_POST as $p) {
$a[(int)$i] = $p;
+ if ($i >= 2 && $p != '') $isBot = true;
$i++;
}
}
+
+ if ($isBot) {
+ header('Location: /');
+ exit();
+ }
+
$auth = new Auth($a[0]);
$res = $auth->isUserExist($a[0]);
if (!$res->isSuccess) {
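Review bot: The new honeypot guard only runs when `count($_POST) === 4`, so a request with any other field count skips both the `$isBot` check and the fill of `$a`, and `new Auth($a[0])` on the next line then runs on an undefined index; the registration hunk has the same shape with `count($_POST) === 8` and `$i >= 4`. Treating a count mismatch like a bot closes both paths in one line: `if ($isBot || count($_POST) !== 4) { header('Location: /'); exit(); }` (with 8 in the registration copy). The honeypot test itself should use strict comparison, `if ($i >= 2 && $p !== '') $isBot = true;`, since `$_POST` values may be arrays as well as strings. Identifying fields by position also means any reordering of the form in the template silently changes which inputs are treated as credentials and which as honeypots; a short comment naming the expected order, or reading by key, would make that dependency visible. The enclosing method starts and ends outside this hunk.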
@@ -43,6 +52,7 @@ class User {
} else {
$result = $auth->setToken($a[0], $a[1]);
if (!$result->isSuccess) {
+ $nyuU = $a[0];
$error = $result->message;
} else {
header('Location: /');
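Review bot: `$nyuU = $a[0]` carries the raw submitted username back into the page through `$tmpl->assign('nyuU', $nyuU)` in the next hunk, and whether the template escapes it cannot be seen here because the view/login.maron hunk is cut off. Unless the template engine escapes assigned values by default, escape at the assignment, `$tmpl->assign('nyuU', htmlspecialchars($nyuU, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));`, so an attacker-controlled value is not reflected unescaped on a failed login. The enclosing method continues outside this hunk.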
@@ -60,6 +70,7 @@ class User {
$tmpl->assign('menu', $this->getMenu());
$tmpl->assign('description', $description);
$tmpl->assign('error', $error);
+ $tmpl->assign('nyuU', $nyuU);
$tmpl->render('login');
} catch (\Exception $e) {
@@ -108,14 +119,21 @@ class User {
unset($_POST['csrf_token']);
$a = [];
- if (count($_POST) === 4) {
+ $isBot = false;
+ if (count($_POST) === 8) {
$i = 0;
foreach ($_POST as $p) {
$a[(int)$i] = $p;
+ if ($i >= 4 && $p != '') $isBot = true;
$i++;
}
}
+ if ($isBot) {
+ header('Location: /');
+ exit();
+ }
+
$auth = new Auth;
$res = $auth->mkUser($a[0], $a[1], $a[2], $a[3]);
if (!$res->isSuccess) {
diff --git a/util.php b/util.php
index 85d0ae8..50c4409 100644
--- a/util.php
+++ b/util.php
@@ -44,6 +44,46 @@ function kys(mixed $arg): void {
die();
}
+function ffs(): void {
+ echo '';
+ echo '
';
+ print_r($stack);
+ echo '';
+ foreach ($stack as $s) {
+ if (isset($s['file'])) $st[$i]['file'] = $s['file'].(isset($s['line']) ? ':'.$s['line'] : '');
+ else $st[$i]['file'] = '';
+ if (isset($s['function'])) $st[$i]['func'] = (isset($s['class']) ? $s['class'].(isset($s['type']) ? $s['type'] : '::') : '').$s['function'];
+ else $st[$i]['func'] = '';
+ if (isset($s['object'])) $st[$i]['objs'] = $s['object'];
+ else $st[$i]['objs'] = new \stdClass;
+ if (isset($s['args'])) $st[$i]['args'] = $s['args'];
+ else $st[$i]['args'] = [];
+ $i++;
+ }
+ unset($stack[$i]);
+
+ foreach ($st as $s) {
+ echo '';
+ echo 'ファイル:';
+ echo $s['file'].'
';
+ echo '関数:';
+ echo $s['func'].'
';
+ echo 'オブジェクト:';
+ echo print_r($s['objs']).'
';
+ echo 'その他:';
+ echo print_r($s['args']).'
';
+ echo '';
+ }
+ die();
+}
+
function base58btc_encode(string $bin): string {
$a = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';
$base = 58;
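Review bot: In `ffs()` `$stack` is never assigned, so `print_r($stack)` and the `foreach ($stack as $s)` loop operate on an undefined variable, and `$st` and `$i` are likewise never initialised before `$st[$i][...]` is written; the keys read from each frame (`file`, `line`, `function`, `class`, `type`, `object`, `args`) match `debug_backtrace()` frames, so that call is presumably what was intended. `unset($stack[$i])` removes from `$stack`, not from `$st`, and has no effect on the second loop. `print_r($s['objs']).'…'` and `print_r($s['args']).'…'` concatenate the boolean `true` that `print_r` returns when not asked to return a string, so the output ends with a stray `1` after each dump. Note that the dump includes every frame's `args`, which from the login or registration controllers would be the submitted credentials, and the function then `die()`s; it should not be reachable in a production request path.
```php
function ffs(): void {
    $stack = debug_backtrace();
    $st = [];
    $i = 0;
    // … unchanged: echo preamble and per-frame population of $st …
    // (the `unset($stack[$i]);` line is dropped: it targeted $stack, not $st)
    foreach ($st as $s) {
        // … unchanged: ファイル / 関数 labels …
        echo 'オブジェクト:';
        echo print_r($s['objs'], true).'
';
        echo 'その他:';
        echo print_r($s['args'], true).'
';
        echo '';
    }
    die();
}
```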
@@ -113,8 +153,7 @@ function to_money($amount, $lang) {
}
function randstr(): string {
- srand((int)floor(time() / (60*60*24)));
- $len = rand(1, 20);
+ $len = random_int(1, 20);
return bin2hex(random_bytes($len));
}
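Review bot: With `random_int(1, 20)` the lower bound lets `randstr()` return `bin2hex(random_bytes(1))`, a two-character string with only 256 possible values; the callers are not visible here, but if any of them use the result as a token or identifier, a fixed minimum such as `$len = random_int(16, 20);` keeps the entropy floor meaningful. A one-line comment stating what the variable length is for would also help, since a deliberately variable-length output is unusual for a CSPRNG helper.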
@@ -178,7 +217,7 @@ if (AUTH_ENABLED) {
}
function verify_csrf_token(string $token): bool {
- return hash_equals(getcookie('csrf_token'), $token);
+ return null !== getcookie('csrf_token') && hash_equals(getcookie('csrf_token'), $token);
}
}
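Review bot: `getcookie('csrf_token')` is evaluated twice in the new return expression; bind it once so the null check and the comparison see the same value: `$cookie = getcookie('csrf_token');` then `return $cookie !== null && hash_equals($cookie, $token);`. Separately, the caller in User.php passes `$_POST['csrf_token']` to this `string $token` parameter without checking that the field exists; as far as I can tell a missing field yields null and a TypeError rather than a `false` return, and the controller's `catch (\Exception $e)` would not catch it, so `$_POST['csrf_token'] ?? ''` at the call site would keep the failure path a normal CSRF rejection. The function sits inside the `if (AUTH_ENABLED)` block whose opening line is outside this hunk.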
diff --git a/view/login.maron b/view/login.maron
index 35860a5..ba3a701 100644
--- a/view/login.maron
+++ b/view/login.maron
@@ -16,19 +16,27 @@