Merge branch 'main' into fix/char-bazaar

opentibiabr · Feb 9, 2024 · 1966a55 · 1966a55
2 parents ba526ea + fc52993
commit 1966a55
Show file tree

Hide file tree

Showing 32 changed files with 4,053 additions and 1,009 deletions.
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
@@ -5,7 +5,7 @@ Please include a summary of the change and which issue is fixed. Please also inc
 ## Behaviour
 ### **Actual**
 
-Do this and that doesn't happens
+Do this and that doesn't happen
 
 ### **Expected**
 
@@ -19,24 +19,24 @@ Please delete options that are not relevant.
 
   - [ ] Bug fix (non-breaking change which fixes an issue)
   - [ ] New feature (non-breaking change which adds functionality)
-  - [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
+  - [ ] Breaking change (fix or feature that would cause existing functionality not to work as expected)
   - [ ] This change requires a documentation update
 
 ## How Has This Been Tested
 
 **Test Configuration**:
 
-  - MyAAC Version: (latest: 0.8.12)
+  - MyAAC Version: (latest: 0.8.15)
   - Browser:
   - Operating System:
 
 ## Checklist
 
   - [ ] My code follows the style guidelines of this project
-  - [ ] I followed project rules, best practices and code indentation
+  - [ ] I followed project rules, best practices, and code indentation
   - [ ] I have performed a self-review of my own code
   - [ ] I checked the PR checks reports 
-  - [ ] I have commented my code, particularly in hard-to-understand areas
+  - [ ] I have commented on my code, particularly in hard-to-understand areas
   - [ ] I have made corresponding changes to the documentation
   - [ ] My changes generate no new warnings
   - [ ] I have added tests that prove my fix is effective or that my feature works
diff --git a/.github/workflows/phplint.yml b/.github/workflows/phplint.yml
@@ -10,7 +10,7 @@ jobs:
         runs-on: ubuntu-latest
         steps:
             - uses: actions/checkout@v3
-            - uses: overtrue/phplint@7.4
+            - uses: overtrue/phplint@3.4.0
               with:
                   path: .
                   options: --exclude="system/libs/polyfill-mbstring/bootstrap80.php"
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Changelog
 
+## [0.8.15 - 09.12.2023]
+
+More security fixes, especially in bugtracker.
+
 ## [0-8.14 - 29.11.2023]
 Security fixes.
 

diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-0.8.14
+0.8.15
diff --git a/admin/pages/items.php b/admin/pages/items.php
@@ -25,10 +25,10 @@
         error(Items::getError());
     }
 
-    $weapons_start_time = microtime(true);
+    /*$weapons_start_time = microtime(true);
     if (Weapons::loadFromXML(true)) {
         success('Successfully loaded weapons (in ' . round(microtime(true) - $weapons_start_time, 4) . ' seconds).');
     } else {
         error(Weapons::getError());
-    }
+    }*/
 }
diff --git a/common.php b/common.php
@@ -28,7 +28,7 @@
 if (version_compare(phpversion(), '7.4', '<')) die('PHP version 7.4 or higher is required.');
 
 define('MYAAC', true);
-define('MYAAC_VERSION', '0.8.14');
+define('MYAAC_VERSION', '0.8.15');
 define('DATABASE_VERSION', 34);
 define('TABLE_PREFIX', 'myaac_');
 define('START_TIME', microtime(true));
@@ -90,6 +90,9 @@
 
 if (!IS_CLI) {
     session_save_path(SYSTEM . 'php_sessions');
+    session_set_cookie_params([
+        "httponly" => true
+    ]);
     session_start();
 }
 

diff --git a/config.php b/config.php
@@ -39,6 +39,7 @@
 
 	// what client version are you using on this OT?
 	// used for the Downloads page and some templates as well
+
 	'client' => 1321, // 1321 = client 13.21
 
 	'session_prefix' => 'myaac_', // must be unique for every site on your server
@@ -87,7 +88,7 @@
 	),
 
 	// images
-	'outfit_images_url' => 'outfit/animoutfit.php', // set to animoutfit.php for animated outfit
+	'outfit_images_url' => './outfit/animoutfit.php', // set to animoutfit.php for animated outfit
 	'item_images_url' => 'images/items/', // set to images/items if you host your own items in images folder
 
 	// account
@@ -115,16 +116,17 @@
 
     'site_coin_type' => 'coins_transferable', // coins or coins_transferable (which type of coin do you want to use at site)
     'account_change_character_name' => false, // can user change their character name for coins?
-	'account_change_character_name_coins' => 30, // cost of name change
+	'account_change_character_name_coins' => 250, // cost of name change
 	'account_change_character_sex' => false, // can user change their character sex for coins?
-	'account_change_character_sex_coins' => 30, // cost of sex change
+	'account_change_character_sex_coins' => 150, // cost of sex change
     'account_change_character_main' => true, // can user change their main character for coins?
     'account_change_character_main_coins' => 250, // cost of main change
 	'characters_per_account' => 10,	// max. number of characters per account
     'account_update_info_on_register' => true, // let player update your 'Public Information' when register at first time only
 
     // recovery key
     'recovery_key_length' => 15,                // length of recovery key code
+    'account_show_rk' => false,
     'generate_new_reckey' => true,				// let player generate new recovery key, he will receive e-mail with new rec key (not display on page, hacker can't generate rec key)
     'generate_new_reckey_price' => 250,			// coins price for new recovery key
 
@@ -271,14 +273,14 @@
 		'frags' => true,
 		'deleted' => false, // should deleted characters from same account be still listed on the list of characters? When enabled it will show that character is "[DELETED]"
 	),
-	'quests' => array(
-		'Demon Helmet' => 100,
-		'Anihilation' => 101,
-		'Pits Of Inferno' => 102,
-		'Inquisition' => 103,
-		'Demon Oak' => 104,
-		'SoulWar Quest' => 105,
-		'Yalahar Quest' => 106,
+	'quests' => array( // Canary Storages
+		'Demon Helmet' => 40077, // Storage.Quest.U6_4.DemonHelmet.Rewards.DemonHelmet
+		'Annihilator' => 10102,
+		'Pits Of Inferno' => 52003, // Storage.PitsOfInferno.WeaponReward
+		'Inquisition' => 51127, // Storage.TheInquisition.Reward
+		'Demon Oak' => 51700,// Maybe 51700
+		'SoulWar Quest' => 47223, // Storage.Quest.U12_40.SoulWar.QuestReward
+		'Yalahar Quest' => 51249, // Storage.InServiceofYalahar.DoorToReward
 		//'Some Quest' => 123,
 		//'Some Quest Two' => 456,
 	), // quests list (displayed in character view), name => storage
@@ -305,7 +307,7 @@
 
 	// status bar
 	'status_bar' => true,
-	'client_link' => 'https://codeload.github.com/dudantas/tibia-client/zip/refs/tags/13.20.13560', // link to download tibia client
+	'client_link' => 'https://github.com/dudantas/tibia-client/releases/tag/13.21.13839', // link to download tibia client
 	'discord_link' => 'https://discord.com/invite/gvTj5sh9Mp', // link to join discord channel
 	'whatsapp_link' => '5511912345678', // wa.me/5511912345678
 	'instagram_link' => 'profile', // www.instagram.com/profile

diff --git a/images/global/general/favicon.ico → images/favicon.ico b/images/global/general/favicon.ico → images/favicon.ico
diff --git a/system/libs/phpmailer/get_oauth_token.php b/system/libs/phpmailer/get_oauth_token.php
@@ -22,6 +22,9 @@
 use League\OAuth2\Client\Tool\BearerAuthorizationTrait;
 use Psr\Http\Message\ResponseInterface;
 
+session_set_cookie_params([
+    "httponly" => true
+]);
 session_start();
 
 //If this automatic URL doesn't work, set it yourself manually
@@ -68,24 +71,24 @@ public function getBaseAccessTokenUrl(array $params)
 
     public function getResourceOwnerDetailsUrl(AccessToken $token)
     {
-	return ' ';
+        return ' ';
     }
 
     protected function getAuthorizationParameters(array $options)
     {
-	if (is_array($this->scope)) {
+        if (is_array($this->scope)) {
             $separator = $this->getScopeSeparator();
             $this->scope = implode($separator, $this->scope);
         }
 
         $params = array_merge(
             parent::getAuthorizationParameters($options),
             array_filter([
-                'hd'          => $this->hostedDomain,
+                'hd' => $this->hostedDomain,
                 'access_type' => $this->accessType,
-		'scope'       => $this->scope,
+                'scope' => $this->scope,
                 // if the user is logged in with more than one account ask which one to use for the login!
-                'authuser'    => '-1'
+                'authuser' => '-1'
             ])
         );
         return $params;
@@ -108,11 +111,11 @@ protected function getScopeSeparator()
     protected function checkResponse(ResponseInterface $response, $data)
     {
         if (!empty($data['error'])) {
-            $code  = 0;
+            $code = 0;
             $error = $data['error'];
 
             if (is_array($error)) {
-                $code  = $error['code'];
+                $code = $error['code'];
                 $error = $error['message'];
             }
 
@@ -134,7 +137,7 @@ protected function createResourceOwner(array $response, AccessToken $token)
         'clientSecret' => $clientSecret,
         'redirectUri' => $redirectUri,
         'scope' => array('https://mail.google.com/'),
-	'accessType' => 'offline'
+        'accessType' => 'offline'
     )
 );
 

diff --git a/system/pages/bugtracker.php b/system/pages/bugtracker.php
@@ -65,7 +65,7 @@
 
                 echo '</td></tr>';
                 echo '<TR BGCOLOR="'.$dark.'"><td colspan=2><i><b>Description</b></i></td></tr>';
-                echo '<TR BGCOLOR="'.$light.'"><td colspan=2>'.nl2br($bug[2]['text']).'</td></tr>';
+                echo '<TR BGCOLOR="'.$light.'"><td colspan=2>'.nl2br(escapeHtml($bug[2]['text'])).'</td></tr>';
                 echo '</TABLE>';
 
                 $answers = $db->query('SELECT * FROM '.$db->tableName(TABLE_PREFIX . 'bugtracker').' where `account` = '.$_REQUEST['acc'].' and `id` = '.$_REQUEST['id'].' and `type` = 2 order by `reply`');
@@ -76,10 +76,10 @@
                     else
                         $who = '<span style="color: green">[PLAYER]</span>';
 
-                    echo '<br><TABLE BORDER=0 CELLSPACING=1 CELLPADDING=4 WIDTH=100%><TR BGCOLOR='.$config['vdarkborder'].'><TD COLSPAN=2 CLASS=white><B>Answer #'.$answer['reply'].'</B></TD></TR>';
+                    echo '<br><TABLE BORDER=0 CELLSPACING=1 CELLPADDING=4 WIDTH=100%><TR BGCOLOR='.$config['vdarkborder'].'><TD COLSPAN=2 CLASS=white><B>Answer #'.escapeHtml($answer['reply']).'</B></TD></TR>';
                     echo '<TR BGCOLOR="'.$dark.'"><td width=70%><i><b>Posted by</b></i></td><td>'.$who.'</td></tr>';
                     echo '<TR BGCOLOR="'.$light.'"><td colspan=2><i><b>Description</b></i></td></tr>';
-                    echo '<TR BGCOLOR="'.$dark.'"><td colspan=2>'.nl2br($answer['text']).'</td></tr>';
+                    echo '<TR BGCOLOR="'.$dark.'"><td colspan=2>'.nl2br(escapeHtml($answer['text'])).'</td></tr>';
                     echo '</TABLE>';
                 }
                 if($bug[2]['status'] != 3)
@@ -138,7 +138,7 @@
                 elseif($report['status'] == 1)
                     $value = '<span style="color: blue">[NEW ANSWER]</span>';
 
-                echo '<TR BGCOLOR="' . getStyle($i) . '"><td width=75%><a href="?subtopic=bugtracker&control=true&id='.$report['id'].'&acc='.$report['account'].'">'.$tags[$report['tag']].' '.$report['subject'].'</a></td><td>'.$value.'</td></tr>';
+                echo '<TR BGCOLOR="' . getStyle($i) . '"><td width=75%><a href="?subtopic=bugtracker&control=true&id='.$report['id'].'&acc='.$report['account'].'">'.$tags[$report['tag']].' '.escapeHtml($report['subject']).'</a></td><td>'.$value.'</td></tr>';
 
                 $showed=true;
                 $i++;
@@ -182,7 +182,7 @@
                     $value = '<span style="color: red">[CLOSED]</span>';
 
                 echo '<TABLE BORDER=0 CELLSPACING=1 CELLPADDING=4 WIDTH=100%><TR BGCOLOR='.$config['vdarkborder'].'><TD COLSPAN=2 CLASS=white><B>Bug Tracker</B></TD></TR>';
-                echo '<TR BGCOLOR="'.$dark.'"><td width=40%><i><b>Subject</b></i></td><td>'.$tags[$bug[2]['tag']].' '.$bug[2]['subject'].' '.$value.'</td></tr>';
+                '<TR BGCOLOR="'.$dark.'"><td width=40%><i><b>Subject</b></i></td><td>'.$tags[$bug[2]['tag']].' '.escapeHtml($bug[2]['subject']).' '.$value.'</td></tr>';
                 echo '<TR BGCOLOR="'.$light.'"><td colspan=2><i><b>Description</b></i></td></tr>';
                 echo '<TR BGCOLOR="'.$dark.'"><td colspan=2>'.nl2br(escapeHtml($bug[2]['text'])).'</td></tr>';
                 echo '</TABLE>';
@@ -195,10 +195,10 @@
                     else
                         $who = '<span style="color: green">[YOU]</span>';
 
-                    echo '<br><TABLE BORDER=0 CELLSPACING=1 CELLPADDING=4 WIDTH=100%><TR BGCOLOR='.$config['vdarkborder'].'><TD COLSPAN=2 CLASS=white><B>Answer #'.$answer['reply'].'</B></TD></TR>';
+                    echo '<br><TABLE BORDER=0 CELLSPACING=1 CELLPADDING=4 WIDTH=100%><TR BGCOLOR='.$config['vdarkborder'].'><TD COLSPAN=2 CLASS=white><B>Answer #'.escapeHtml($answer['reply']).'</B></TD></TR>';
                     echo '<TR BGCOLOR="'.$dark.'"><td width=70%><i><b>Posted by</b></i></td><td>'.$who.'</td></tr>';
                     echo '<TR BGCOLOR="'.$light.'"><td colspan=2><i><b>Description</b></i></td></tr>';
-                    echo '<TR BGCOLOR="'.$dark.'"><td colspan=2>'.nl2br($answer['text']).'</td></tr>';
+                    echo '<TR BGCOLOR="'.$dark.'"><td colspan=2>'.nl2br(escapeHtml($answer['text'])).'</td></tr>';
                     echo '</TABLE>';
                 }
                 if($bug[2]['status'] != 3)

diff --git a/system/pages/characters.php b/system/pages/characters.php
@@ -67,6 +67,7 @@
     }
 </style>
 
+<?php global $db, $config, $template_path, $twig, $achievements ?>
 <?php
 /**
  * Characters
@@ -466,24 +467,22 @@ public static function getExpForLevel($lv)
     require_once BASE . '/tools/achievements.php';
     foreach ($achievements as $achievement => $value) {
         $achievementStorage = $config['achievements_base'] + $achievement;
-        $searchAchievementsbyStorage = $db->query('SELECT `key`, `value` FROM `player_storage` WHERE `key` = ' . $achievementStorage . ' AND `player_id` = ' . $player->getId() . '');
-        $achievementsPlayer = $searchAchievementsbyStorage->fetch();
+        $achievementsPlayer = $db->query("SELECT `key`, `value` FROM `player_storage` WHERE `key` = {$achievementStorage} AND `player_id` = {$player->getId()}")->fetch();
         if ($achievementsPlayer && $achievementsPlayer['key'] == $achievementStorage) {
             $achievementPoints = $achievementPoints + $value['points'];
-
             $insertAchievement = [
                 'BASE_URL' => BASE_URL,
                 'PATH_URL' => $template_path,
-                'name' => $value['name'],
-                'grade' => $value['grade'],
-                'secret' => $value['secret'],
+                'name'     => $value['name'],
+                'grade'    => $value['grade'],
+                'secret'   => $value['secret'] ?? false,
             ];
         }
     }
-    array_push($listAchievement, $insertAchievement ?? []);
+    $listAchievement[] = $insertAchievement ?? [];
 
     $twig->display('characters.html.twig', array(
-        'outfit' => isset($outfit) ? $outfit : null,
+        'outfit' => $outfit ?? null,
         'player' => $player,
         'achievementPoints' => $achievementPoints,
         'achievements' => $listAchievement,
@@ -517,6 +516,7 @@ public static function getExpForLevel($lv)
             'name' => isset($house['id']) ? (isset($house['name']) ? $house['name'] : $house['id']) : null,
             'town' => isset($house['town']) ? ' (' . $config['towns'][$house['town']] . ')' : ''
         ),
+        'balance' => number_format($player->getBalance(), 0, ',', ','),
         'guild' => array(
             'rank' => isset($guild_name) ? $rank_of_player->getName() : null,
             'link' => isset($guild_name) ? getGuildLink($guild_name) : null