diff --git a/api.php b/api.php
index 545d20b..8ab02ed 100755
--- a/api.php
+++ b/api.php
@@ -71,7 +71,7 @@ OR OTHER DEALINGS IN THE SOFTWARE.
 require_once("include/init.inc.php");
 error_reporting(0);
-$ip=$_SERVER['REMOTE_ADDR'];
+$ip=san_ip($_SERVER['REMOTE_ADDR']);
 $ip=filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
 if($_config['public_api']==false&&!in_array($ip,$_config['allowed_hosts'])){
diff --git a/include/functions.inc.php b/include/functions.inc.php
index fc3ad0e..b059bbf 100755
--- a/include/functions.inc.php
+++ b/include/functions.inc.php
@@ -7,6 +7,17 @@ function san($a,$b=""){
 return $a;
 }
+
+function san_ip($a){
+ $a = preg_replace("/[^a-fA-F0-9\[\]\.\:]/", "", $a);
+ return $a;
+}
+
+function san_host($a){
+ $a = preg_replace("/[^a-zA-Z0-9\.\-\:\/]/", "", $a);
+ return $a;
+}
+
 // api error and exit
 function api_err($data){
 global $_config;
diff --git a/include/init.inc.php b/include/init.inc.php
index b0d5a3a..245e920 100755
--- a/include/init.inc.php
+++ b/include/init.inc.php
@@ -1,6 +1,6 @@ run("UPDATE config SET val=:hostname WHERE cfg='hostname' LIMIT 1",array(":hostname"=>$hostname));
diff --git a/mine.php b/mine.php
index 641657f..cffd3c7 100755
--- a/mine.php
+++ b/mine.php
@@ -29,7 +29,7 @@ $acc=new Account();
 set_time_limit(360);
 $q=$_GET['q'];
-$ip=$_SERVER['REMOTE_ADDR'];
+$ip=san_ip($_SERVER['REMOTE_ADDR']);
 $ip=filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
 // in case of testnet, all IPs are accepted for mining
diff --git a/peer.php b/peer.php
index fd770aa..2b2f6a9 100755
--- a/peer.php
+++ b/peer.php
@@ -34,7 +34,7 @@ if(!empty($_POST['data'])){
 // make sure it's the same coin and not testnet
 if($_POST['coin']!=$_config['coin']) api_err("Invalid coin");
-$ip=$_SERVER['REMOTE_ADDR'];
+$ip=san_ip($_SERVER['REMOTE_ADDR']);
 $ip=filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
 // peer with the current node
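Review bot: The `false` that `filter_var(..., FILTER_VALIDATE_IP, ...)` returns for a private, reserved or malformed address on the line after the added `san_ip()` call is still never checked, so `$ip` can be `false` when it reaches `in_array($ip,$_config['allowed_hosts'])` and its loose comparison. `san_ip()` cannot close that gap, because the validator already rejects anything the strip would remove; the missing line is a rejection of the failed result, `if($ip===false) api_err("invalid-ip");` (the way peer.php uses `api_err`), together with `true` as the third argument of `in_array`. The same unchecked result follows the `san_ip()` calls in the mine.php hunk (@@ -29) and the peer.php hunk (@@ -34); in mine.php the testnet comment suggests the lines after the hunk may deal with it, which I cannot see. The enclosing code runs past the hunk.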
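Review bot: `san_ip()` and `san_host()` delete unexpected characters instead of rejecting the input, so a value that fails the character check comes out as a different string that may then pass the `filter_var` validation the callers apply, and callers that rely on these helpers alone (the `$pr['ip']` shell argument in peer.php, `$peer['hostname']` in sanity.php) get no validation at all. Both helpers also return `null` rather than a string when `preg_replace()` fails, carry no type or docblock, and `san_host` keeps `/` and `:`, so it passes a whole `scheme://host:port/path` string rather than a bare host — the name undersells what it lets through. The rewrite below keeps the stripping behaviour callers already depend on, guarantees a string result and states that each helper narrows the character set only and is not a validator.
```php
function san_ip($a){
    // Narrow to characters that can appear in an IPv4/IPv6 literal (hex digits, '.', ':', '[', ']').
    // This is not validation: callers must still check with filter_var(..., FILTER_VALIDATE_IP).
    return preg_replace("/[^a-fA-F0-9\[\]\.\:]/", "", (string)$a) ?? "";
}

function san_host($a){
    // Narrow to characters of a scheme://host:port/path string; '/' and ':' are kept deliberately.
    // Not validation: callers must still check with filter_var(..., FILTER_VALIDATE_URL).
    return preg_replace("/[^a-zA-Z0-9\.\-\:\/]/", "", (string)$a) ?? "";
}
```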
@@ -43,7 +43,7 @@ if($q=="peer"){
 $hostname = filter_var($data['hostname'], FILTER_SANITIZE_URL);
 if (!filter_var($hostname, FILTER_VALIDATE_URL)) api_err("invalid-hostname");
-
+ $hostname=san_host($hostname);
 // if it's already peered, only repeer on request
 $res=$db->single("SELECT COUNT(1) FROM peers WHERE hostname=:hostname AND ip=:ip",array(":hostname"=>$hostname,":ip"=>$ip));
 if($res==1){
@@ -156,7 +156,7 @@ elseif($q=="submitBlock"){
 $pr=$db->row("SELECT * FROM peers WHERE ip=:ip",array(":ip"=>$ip));
 if(!$pr) api_err("block-too-old");
 $peer_host=base58_encode($pr['hostname']);
- $pr['ip']=escapeshellcmd($pr['ip']);
+ $pr['ip']=escapeshellcmd(san_ip($pr['ip']));
 system("php propagate.php block current '$peer_host' '$pr[ip]' > /dev/null 2>&1 &");
 _log('['.$ip."] block too old, sending our current block - $data[height]");
diff --git a/sanity.php b/sanity.php
index 0f4a197..cefaa87 100755
--- a/sanity.php
+++ b/sanity.php
@@ -81,6 +81,8 @@ do {
 $data=peer_post($url."getBlock",array("height"=>$current['height']));
 if(!$data) {echo "Invalid getBlock result\n"; break; }
+ $data['id']=san($data['id']);
+ $data['height']=san($data['height']);
 // nothing to be done, same blockchain
 if($data['id']==$current['id']) {echo "Same block\n"; break;}
@@ -166,8 +168,8 @@ if($total_peers==0&&$_config['testnet']==false){
 if(count($f)<2){ @unlink("tmp/sanity-lock"); die("Could nto connect to arionum.com! Will try later!\n"); }
 foreach($f as $peer){
 //peer with all until max_peers, this will ask them to send a peering request to our peer.php where we add their peer to the db.
- $peer=trim($peer);
- $bad_peers=array("127.0.0.1","localhost");
+ $peer=trim(san_host($peer));
+ $bad_peers=array("127.0.0.1","localhost","10.0.0","192.168.0");
 if(str_replace($bad_peers,"",$peer)!=$peer) continue;
 $peer = filter_var($peer, FILTER_SANITIZE_URL);
 if (!filter_var($peer, FILTER_VALIDATE_URL)) continue;
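Review bot: `$hostname=san_host($hostname);` runs after `FILTER_VALIDATE_URL` has already accepted the value, so the string that is stored and compared in the peers table is not the one the validator saw; any character the strip removes (user-info `@`, `?`, `#`, `%`-escapes) changes the URL after the check. Strip first and validate last: `$hostname = san_host(filter_var($data['hostname'], FILTER_SANITIZE_URL));` followed by the unchanged `if (!filter_var($hostname, FILTER_VALIDATE_URL)) api_err("invalid-hostname");`. The `if($q=="peer")` block continues outside the hunk.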
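Review bot: `escapeshellcmd()` remains the wrong escaper on the changed line: it neutralises metacharacters in a bare command string but does not quote an argument, while the `system()` call on the next line wraps `$pr[ip]` in hand-written single quotes. `escapeshellarg()` produces the quoted argument itself and should replace both the manual quotes and the reliance on `san_ip()` for shell safety: `$pr['ip']=escapeshellarg(san_ip($pr['ip']));` with `'$pr[ip]'` in the command reduced to `$pr[ip]`, and `$peer_host` passed through `escapeshellarg()` the same way. The value comes from the peers table, where it was validated on insert, but the escaping should not depend on that. The `elseif($q=="submitBlock")` branch continues outside the hunk.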
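Review bot: `san()` leaves the peer-supplied `$data['height']` a string although every later use is numeric (`<` against `$current['height']-500` in @@ -242, the block comparison in @@ -318, `$block->check($b)` in @@ -369), and `$data['id']` is compared to `$current['id']` with `==`, which treats two numeric-looking strings as numbers. Pin the types where the value is sanitised: `$data['height']=(int)san($data['height']);` and `if($data['id']===$current['id'])`, assuming ids are opaque strings, which the `md5`/`base58_encode` usage elsewhere suggests but I cannot confirm from here. The same two lines are added in @@ -242, @@ -318 and @@ -369 (on `$b`), and the cast belongs in each. The `do {` loop continues outside the hunk.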
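Review bot: The two new `$bad_peers` entries are substring matches through `str_replace`, so `"10.0.0"` and `"192.168.0"` only catch 10.0.0.x and 192.168.0.x, miss the rest of 10/8, 172.16/12, 192.168/16 and 169.254/16, and also hit any host whose address merely contains those digits; the @@ -207 hunk spells the same entries with a trailing dot, so the two lists already disagree. The range check this codebase already applies to `$ip` is the right tool: after the `FILTER_VALIDATE_URL` line, `$h=parse_url($peer, PHP_URL_HOST); if(filter_var($h, FILTER_VALIDATE_IP)!==false && filter_var($h, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)===false) continue;`, keeping `"127.0.0.1"` and `"localhost"` as the name-based exclusions. The `san_host()` call on `$peer` is harmless but redundant next to the `FILTER_SANITIZE_URL` two lines later. The `foreach` continues past the hunk.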
@@ -207,11 +209,13 @@ foreach($r as $x){
 $i=0;
 foreach($data as $peer){
 // store the hostname as md5 hash, for easier checking
+ $peer['hostname']=san_host($peer['hostname']);
+ $peer['ip']=san_ip($peer['ip']);
 $pid=md5($peer['hostname']);
 // do not peer if we are already peered
 if($peered[$pid]==1) continue;
 $peered[$pid]=1;
- $bad_peers=array("127.0.0.1","localhost");
+ $bad_peers=array("127.0.0.1","localhost","10.0.0.","192.168.0.");
 if(str_replace($bad_peers,"",$peer['hostname'])!=$peer['hostname']) continue;
 // if it's our hostname, ignore
 if($peer['hostname']==$_config['hostname']) continue;
@@ -242,6 +246,9 @@ foreach($r as $x){
 if($data===false) continue;
 // peer was responsive, mark it as good
 if($x['fails']>0) $db->run("UPDATE peers SET fails=0 WHERE id=:id",array(":id"=>$x['id']));
+ $data['id']=san($data['id']);
+ $data['height']=san($data['height']);
+
 if($data['height']<$current['height']-500) {
 $db->run("UPDATE peers SET stuckfail=stuckfail+1, blacklisted=UNIX_TIMESTAMP()+7200 WHERE id=:id",array(":id"=>$x['id']));
 continue;
@@ -318,6 +325,9 @@ if($current['height']<$largest_height&&$largest_height>1){
 $data=peer_post($url."getBlock",array("height"=>$current['height']),60);
 // invalid data
 if($data===false){ _log("Could not get block from $host - $current[height]"); continue; }
+ $data['id']=san($data['id']);
+ $data['height']=san($data['height']);
+
 // if we're not on the same blockchain but the blockchain is most common with over 90% of the peers, delete the last 3 blocks and retry
 if($data['id']!=$current['id']&&$data['id']==$most_common&&($most_common_size/$total_active_peers)>0.90){
 $block->delete($current['height']-3);
@@ -369,6 +379,9 @@ if($current['height']<$largest_height&&$largest_height>1){
 if($data===false){_log("Could not get blocks from $host - height: $current[height]"); break; }
 $good_peer=true;
 foreach($data as $b){
+ $b['id']=san($b['id']);
+ $b['height']=san($b['height']);
+
 if(!$block->check($b)){
 _log("Block check: could not add block - $b[id] - $b[height]");
 $good_peer=false;