Merge branch 'develop'

Author: JVMerkle

README.md

@@ -5,7 +5,9 @@
 
 System that automatically grants ranks in the form of server groups for online time or online activity to users, using the given server groups of the TS3 server.
 
-This is a modified fork of the TSN-Ranksystem which is updated irregularly to a stable version.
+This is a modified fork of the TSN-Ranksystem which is updated irregularly to a stable version. It is intended to be fully compatible to TSN-Ranksystem at all times. The changeset on branch `develop` is always rebased onto TSN-Ranksystem and later on merged into `master`.
+
+Please make sure that your TSN-Ranksystem database version is not above the database version of this fork (downgrade).
 
 ## Docker
 You can find the docker images on [docker hub](https://hub.docker.com/r/jvmerkle/ts3-ranksystem).
@@ -43,6 +45,8 @@ Additions and (security) improvements to [Newcomer1989/TSN-Ranksystem](https://g
   - Teamspeak hostname and port (e.g. localhost / abc.xyz)
   - ...
   - The update __check__ does __not__ enforce SSL peer verification and is therefore insecure
+- Secure api key comparison
+- No unnecessary webinterface HTTPS warning for rank systems behind a proxy
 - Docker-Ready
 - Aesthetics:
   - Website title is set to "TS3 Ranksystem"

api/index.php

@@ -14,7 +14,7 @@
 if (isset($_GET['apikey'])) {
 	$matchkey = 0;
 	foreach($cfg['stats_api_keys'] as $apikey => $desc) {
-		if ($apikey == $_GET['apikey']) $matchkey = 1;
+		if (hash_equals($apikey, $_GET['apikey'])) $matchkey = 1;
 	}
 	if ($matchkey == 0) {
 		$json = array(
@@ -442,4 +442,4 @@
 }
 
 echo json_encode($json);
-?>
+?>

other/_functions.php

@@ -55,33 +55,39 @@ function enter_logfile($cfg,$loglevel,$logtext,$norotate = false) {
 	}
 }
 
-function error_handling($msg,$type = NULL) {
+function error_handling_str_builder($msg,$type = NULL) {
+    $string = '';
 	if(strstr($type, '#') && strstr($msg, '#####')) {
 		$type_arr = explode('#', $type);
 		$msg_arr = explode('#####', $msg);
 		$cnt = 0;
-		
+
 		foreach($msg_arr as $msg) {
 			switch ($type_arr[$cnt]) {
-				case NULL: echo '<div class="alert alert-success alert-dismissible">'; break;
-				case 0: echo '<div class="alert alert-success alert-dismissible">'; break;
-				case 1: echo '<div class="alert alert-info alert-dismissible">'; break;
-				case 2: echo '<div class="alert alert-warning alert-dismissible">'; break;
-				case 3: echo '<div class="alert alert-danger alert-dismissible">'; break;
+				case NULL: $string .= '<div class="alert alert-success alert-dismissible">'; break;
+				case 0: $string .= '<div class="alert alert-success alert-dismissible">'; break;
+				case 1: $string .= '<div class="alert alert-info alert-dismissible">'; break;
+				case 2: $string .= '<div class="alert alert-warning alert-dismissible">'; break;
+				case 3: $string .= '<div class="alert alert-danger alert-dismissible">'; break;
 			}
-			echo '<button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="true">&times;</span></button>',$msg_arr[$cnt],'</div>';
+			$string .= '<button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="true">&times;</span></button>' . $msg_arr[$cnt] . '</div>';
 			$cnt++;
 		}
 	} else {
 		switch ($type) {
-			case NULL: echo '<div class="alert alert-success alert-dismissible">'; break;
-			case 0: echo '<div class="alert alert-success alert-dismissible">'; break;
-			case 1: echo '<div class="alert alert-info alert-dismissible">'; break;
-			case 2: echo '<div class="alert alert-warning alert-dismissible">'; break;
-			case 3: echo '<div class="alert alert-danger alert-dismissible">'; break;
+			case NULL: $string .= '<div class="alert alert-success alert-dismissible">'; break;
+			case 0: $string .= '<div class="alert alert-success alert-dismissible">'; break;
+			case 1: $string .= '<div class="alert alert-info alert-dismissible">'; break;
+			case 2: $string .= '<div class="alert alert-warning alert-dismissible">'; break;
+			case 3: $string .= '<div class="alert alert-danger alert-dismissible">'; break;
 		}
-		echo '<button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="true">&times;</span></button>',$msg,'</div>';
+		$string .= '<button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="true">&times;</span></button>' . $msg . '</div>';
 	}
+	return $string;
+}
+
+function error_handling($msg,$type = NULL) {
+	echo error_handling_str_builder($msg,$type);
 }
 
 function getclientip() {
@@ -480,4 +486,4 @@ function start_session($cfg) {
 	session_start();
 	return $prot;
 }
-?>
+?>

webinterface/_nav.php

@@ -269,8 +269,12 @@
 	$err_msg = $lang['winav11']; $err_lvl = 2;
 }
 
-if((!isset($_SERVER['HTTPS']) || isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != "on") && !isset($err_msg) && basename($_SERVER['SCRIPT_NAME']) == "index.php") {
+$js_test_https = '';
+if(!isset($err_msg) && basename($_SERVER['SCRIPT_NAME']) == "index.php") {
 	$host = "<a href=\"https://".$_SERVER['HTTP_HOST'].rtrim(dirname($_SERVER['PHP_SELF']), '/\\')."\">";
-	$err_msg = sprintf($lang['winav10'], $host,'</a>!<br>', '<br>'); $err_lvl = 2;
+	$msg = sprintf($lang['winav10'], $host,'</a>!<br>', '<br>');
+	$js_test_https  = '<script> if (location.protocol !== \'https:\') {';
+	$js_test_https .= 'document.write(\'' . error_handling_str_builder($msg, 2) . '\')';
+	$js_test_https .= '} </script>';
 }
-?>
+?>

webinterface/index.php

@@ -102,6 +102,7 @@
 	?>
 			<div id="page-wrapper">
 	<?PHP if(isset($err_msg)) error_handling($err_msg, $err_lvl); ?>
+	<?PHP echo $js_test_https ?>
 				<div class="container-fluid">
 					<div id="login-overlay" class="modal-dialog">
 						<div class="modal-content">
@@ -152,4 +153,4 @@
 	</html>
 <?PHP
 } catch(Throwable $ex) { }
-?>
+?>