From 8d1b9fd052024691a056393e35d728d700e5282c Mon Sep 17 00:00:00 2001 From: Clement Desmidt Date: Mon, 6 May 2019 15:20:22 +0200 Subject: [PATCH] :lock: Ajoute un mail de confirmation de token Fix #4 --- index.php | 93 +++++++++++++++++++++++++++++++++++++++++-------------- 1 file changed, 69 insertions(+), 24 deletions(-) diff --git a/index.php b/index.php index 695427c..03f57da 100644 --- a/index.php +++ b/index.php @@ -1,13 +1,14 @@ select(['email'])->from('email')->where(null, ['token' => $email])->query(); + $filtered_email = $stats->select(['email'])->from('emails')->where(null, ['token' => $email, 'confirmed' => 1])->query(); if (empty($filtered_email)) { echo sprintf('loadScript("//%s/js/alertify.min.js",function() { alertify.alert("Invalid token"); });', $_SERVER['HTTP_HOST']); // TODO log for fail2ban exit; - } else { - $filtered_email = current($filtered_email); } + + $filtered_email = current($filtered_email); + $doc = new DOMDocument(); $content = ''; - $f = $xpath != '' ? @DomDocument::loadHTMLFile($url) : false; - if ($f) { - $xp = new DomXPath($f); - $content = $xp->query($xpath) != false ? $f->saveXML($xp->query($xpath)->item(0)) : ''; + $f = $xpath !== '' ? @$doc->loadHTMLFile($url) : false; + if ($f !== false) { + $xp = new DomXPath($doc); + $content = $xp->query($xpath) !== false ? $doc->saveXML($xp->query($xpath)->item(0)) : ''; } $body = "\n" . $title; @@ -73,10 +75,11 @@ if (isset($_GET['v'])) { if (!empty($config['bcc'])) { $mail->addBCC($config['bcc']); } - if ($xpath == '') + if ($xpath === '') { $mail->Body = $body; - else + } else { $mail->Body = '
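Review bot: The new `$f = $xpath !== '' ? @$doc->loadHTMLFile($url) : false;` in the token-gated branch still passes `$url` to libxml with no scheme or host restriction, so anyone holding a confirmed token can make the server fetch internal HTTP services or read local files (`file://` or a bare path) and have the XPath-selected fragment mailed out; `$url` is assigned outside this hunk, so I am inferring from the bookmarklet flow that it is request-supplied. Guard it before loading, e.g. `$scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));` and `$f = ($xpath !== '' && in_array($scheme, ['http', 'https'], true)) ? $doc->loadHTMLFile($url) : false;`, bearing in mind that a scheme check alone does not stop redirects or DNS names that resolve to private ranges. Replace the `@` with `libxml_use_internal_errors(true);` so fetch and parse failures are not silently discarded. The start of this hunk did not survive extraction, and the enclosing `if (isset($_GET['v']))` block begins and ends outside it.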
' . nl2br($body) . '
'; + } if ($mail->send()) { echo sprintf('loadScript("//%s/js/alertify.min.js",function() { alertify.alert("Email Sent."); });', $_SERVER['HTTP_HOST']); } else { 
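Review bot: The new `else` branch sets `$mail->Body` to `nl2br($body)` wrapped in markup with no escaping, so everything concatenated into `$body` — it starts as `"\n" . $title` at the end of the previous hunk, and `$title` looks request-supplied though its assignment is outside my view — goes verbatim into an HTML mail that is also copied to the configured BCC address via the `addBCC` context line above. Escape the text parts where `$body` is assembled rather than here, e.g. `$body = "\n" . htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');` for the HTML case, leaving only the XPath-selected `$content` unescaped if embedding remote markup is intended. The `if (isset($_GET['v']))` block this belongs to begins and ends outside the hunk.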
@@ -101,20 +104,62 @@ if (isset($_GET['v'])) {
 }
 } else if (isset($_POST['email'])) {
 $filtered_email = filter_var($_POST['email'], FILTER_VALIDATE_EMAIL);
 if ($filtered_email !== false) {
- $token = bin2hex(random_bytes(72));
- //ADDING STATS
- include "XMLSQL.php";
- $stats = new XMLSQL('emails.xml');
- $stats->insert(array('ip' => getenv('REMOTE_ADDR'), 'date' => date('d/m/Y'), 'token' => $token, 'email' => $_POST['email']))->into('emails')->query();
- if ($_POST['html'] == 'on') { // bookmarklet pour l'envoi en HTML
- $include = 'Bookmark by email';
- } else { // bookmarklet pour l'envoi normal
- $include = "Bookmark by email";
+ try {
+ $token = bin2hex(random_bytes(72));
+ //ADDING STATS
+ include 'XMLSQL.php';
+ $stats = new XMLSQL('emails.xml');
+ $stats->insert(['ip' => getenv('REMOTE_ADDR'), 'date' => date('d/m/Y'), 'token' => $token, 'email' => $_POST['email'], 'confirmed' => 0])->into('emails')->query();
+ $body = "\nHi,";
+ $body .= "\nSomeone registered this email on our service.";
+ $body .= "\n";
+ $body .= "\nIf it's you, please click this link to confirm.';
+ $body .= "\nElse, please ignore this mail.";
+ $body .= "\nRegards,";
+ $body .= "\n\nShikiryu";
+ $body .= "\n\nAny complain or advise? http://shikiryu.com/contact/";
+ include 'phpmailer.php';
+
+ $mail = new PHPMailer(true);
+ $mail->setFrom($config['from_email'], $config['from_name']);
+ $mail->Subject = 'Please confirm your address';
+ $mail->Body = $body;
+ $mail->addAddress($filtered_email);
+ if (!empty($config['bcc'])) {
+ $mail->addBCC($config['bcc']);
+ }
+ if ($mail->send()) {
+ if (isset($_POST['html']) && $_POST['html'] === 'on') { // bookmarklet pour l'envoi en HTML
+ $include = 'Bookmark by email';
+ } else { // bookmarklet pour l'envoi normal
+ $include = "Bookmark by email";
+ }
+ } else {
+ $include = 'Can\'t send mail.';
+ }
+ } catch (Exception $e) {
+ $include = 'An error occured ('.$e->getMessage().')';
 }
 } else {
 $include = '

Invalid email. Please go back

';
 }
 include 'template.php';
+} elseif (isset($_GET['confirm'])) {
+ include 'XMLSQL.php';
+ $stats = new XMLSQL(__DIR__.'/emails.xml');
+ $filtered_email = $stats->select()->from('emails')->where(null, ['token' => $_GET['t'], 'confirmed' => 0])->query();
+ if (empty($filtered_email)) {
+ $filtered_email = $stats->select(['email'])->from('emails')->where(null, ['token' => $_GET['t'], 'confirmed' => 1])->query();
+ if (!empty($filtered_email)) {
+ $include = 'Your email has already been confirmed.';
+ } else {
+ $include = 'Your token is inexistant.';
+ }
+ } else {
+ $stats->update('emails')->set(['confirmed' => '1'])->where($filtered_email[0]['attributes']['id'])->query();
+ $include = 'Your email has been confirmed. Enjoy!';
+ }
+ include 'template.php';
 } else {
 $include = '