From 23429b17b6993350877441f85470294fa3b73d68 Mon Sep 17 00:00:00 2001
From: Dmitri Popov <dmpop@linux.com>
Date: Tue, 5 Oct 2021 12:52:33 +0200
Subject: [PATCH] Fix vulnerabilities

---
 SECURITY.md |   9 +++++
 index.php   |  33 +++++++++-------
 upload.php  | 106 ----------------------------------------------------
 3 files changed, 28 insertions(+), 120 deletions(-)
 create mode 100644 SECURITY.md
 delete mode 100644 upload.php

diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..dec815c
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,9 @@
+# Security Policy
+
+## Supported versions
+
+The code in the `main` branch supported with security updates.
+
+## Reporting a vulnerability
+
+Please report security issues and vulnerabilities to dmpop@linux.com
diff --git a/index.php b/index.php
index db9254d..c18e07d 100644
--- a/index.php
+++ b/index.php
@@ -96,9 +96,14 @@ function read_gps_location($file)
 
 		// Check whether the required directories exist
 		if (!file_exists($photo_dir) || !file_exists($photo_dir . 'tims')) {
-			mkdir($photo_dir, 0777, true);
-			mkdir($photo_dir . 'tims', 0777, true);
-			echo ('<h3>Add photos to the <strong>photos</strong> directory, then refresh this page.</h3>');
+			echo ("<h1 style='margin-top: 2em;'><mark>Directory doesn't exist</mark></h1>
+			<div style='display: flex; justify-content: center; line-height: 1.5;'>
+			<ul>
+			<li>Create <u>$photo_dir</u> and <u>" . $photo_dir . "tims</u> directories.</li>
+			<li>Add photos to the <u>$photo_dir</u> directory.</li>
+			<li>Refresh this page.</li>
+			</ul></div>");
+			exit;
 		}
 
 		// Get file info
@@ -204,7 +209,7 @@ function read_gps_location($file)
 			}
 
 			if ($file_count < 1) {
-				echo ('<h3>Add photos to the <strong>photos</strong> directory, then refresh this page.</h3>');
+				echo ("<h2 style='margin-top: 2em;'>Add photos to the <u>photos</u> directory, then refresh this page.</h2>");
 			}
 
 			if (!isset($_GET["all"])) {
@@ -220,14 +225,14 @@ function read_gps_location($file)
 					$file = $files[$i];
 					$tim = $photo_dir . 'tims/' . basename($file);
 					$file_path = pathinfo($file);
-					echo '<a href="index.php?all=1&photo=' . $file . '&d=' . $sub_photo_dir . '"><img src="' . $tim . '" alt="' . $file_path['filename'] . '" title="' . $file_path['filename'] . '"></a>';
+					echo '<a href="index.php?all=1&photo=' . $file . '&d=' . strip_tags($sub_photo_dir) . '"><img src="' . $tim . '" alt="' . $file_path['filename'] . '" title="' . $file_path['filename'] . '"></a>';
 				}
 			} else {
 				for ($i = $offset; $i < $max; $i++) {
 					$file = $files[$i];
 					$tim = $photo_dir . 'tims/' . basename($file);
 					$file_path = pathinfo($file);
-					echo '<a href="index.php?all=1&photo=' . $file . '&d=' . $sub_photo_dir . '"><img src="' . $tim . '" alt="' . $file_path['filename'] . '" title="' . $file_path['filename'] . '"></a>';
+					echo '<a href="index.php?all=1&photo=' . $file . '&d=' . strip_tags($sub_photo_dir) . '"><img src="' . $tim . '" alt="' . $file_path['filename'] . '" title="' . $file_path['filename'] . '"></a>';
 				}
 			}
 			echo "</div>";
@@ -242,16 +247,16 @@ function show_pagination($current_page, $last_page, $sub_photo_dir)
 		{
 			echo '<div class="center">';
 			if ($current_page != 1 && isset($_GET["photo"]) == '') {
-				echo '<a color: #e3e3e3;" href="?page=' . "1" . '&d=' . $sub_photo_dir . '"><img style="margin-right:1em;" src="svg/arrow-top-left-o.svg"/></a> ';
+				echo '<a color: #e3e3e3;" href="?page=' . "1" . '&d=' . strip_tags($sub_photo_dir) . '"><img style="margin-right:1em;" src="svg/arrow-top-left-o.svg"/></a> ';
 			}
 			if ($current_page > 1 && isset($_GET["photo"]) == '') {
-				echo '<a color: #e3e3e3;" href="?page=' . ($current_page - 1) . '&d=' . $sub_photo_dir . '"><img style="margin-right:1em;" src="svg/arrow-left-o.svg"/></a> ';
+				echo '<a color: #e3e3e3;" href="?page=' . ($current_page - 1) . '&d=' . strip_tags($sub_photo_dir) . '"><img style="margin-right:1em;" src="svg/arrow-left-o.svg"/></a> ';
 			}
 			if ($current_page < $last_page && isset($_GET["photo"]) == '') {
-				echo '<a color: #e3e3e3;" href="?page=' . ($current_page + 1) . '&d=' . $sub_photo_dir . '"><img style="margin-right:1em;" src="svg/arrow-right-o.svg"/></a>';
+				echo '<a color: #e3e3e3;" href="?page=' . ($current_page + 1) . '&d=' . strip_tags($sub_photo_dir) . '"><img style="margin-right:1em;" src="svg/arrow-right-o.svg"/></a>';
 			}
 			if ($current_page != $last_page && isset($_GET["photo"]) == '') {
-				echo ' <a style="color: #e3e3e3;" href="?page=' . ($last_page) . '&d=' . $sub_photo_dir . '"><img src="svg/arrow-top-right-o.svg"/></a>';
+				echo ' <a style="color: #e3e3e3;" href="?page=' . ($last_page) . '&d=' . strip_tags($sub_photo_dir) . '"><img src="svg/arrow-top-right-o.svg"/></a>';
 			}
 			echo '</div>';
 		}
@@ -282,21 +287,21 @@ function show_pagination($current_page, $last_page, $sub_photo_dir)
 
 			// If there is only one photo in the album, show the home navigation link
 			if ($file_count == 1) {
-				echo "<div class='center'><a href='" . basename($_SERVER['PHP_SELF']) . '?d=' . $sub_photo_dir . "' accesskey='g'><img src='svg/home.svg'/></a></div>";
+				echo "<div class='center'><a href='" . basename($_SERVER['PHP_SELF']) . '?d=' . strip_tags($sub_photo_dir) . "' accesskey='g'><img src='svg/home.svg'/></a></div>";
 			}
 			// Disable the Previous link if this is the FIRST photo
 			elseif (empty($files[$key - 1])) {
-				echo "<div class='center'><a href='" . basename($_SERVER['PHP_SELF']) . '?d=' . $sub_photo_dir .  "' accesskey='g'><img style='margin-right:1em;' src='svg/home.svg'/></a><a href='" . basename($_SERVER['PHP_SELF']) . "?photo=" . $files[$key + 1] . '&d=' . $sub_photo_dir . "' accesskey='n'><img style='margin-right:1em;' src='svg/arrow-right-o.svg'/></a><a href='" . basename($_SERVER['PHP_SELF']) . "?photo=" . $last_photo . '&d=' . $sub_photo_dir .  "' accesskey='l'><img src='svg/arrow-top-right-o.svg'/></a></div>";
+				echo "<div class='center'><a href='" . basename($_SERVER['PHP_SELF']) . '?d=' . strip_tags($sub_photo_dir) .  "' accesskey='g'><img style='margin-right:1em;' src='svg/home.svg'/></a><a href='" . basename($_SERVER['PHP_SELF']) . "?photo=" . $files[$key + 1] . '&d=' . strip_tags($sub_photo_dir) . "' accesskey='n'><img style='margin-right:1em;' src='svg/arrow-right-o.svg'/></a><a href='" . basename($_SERVER['PHP_SELF']) . "?photo=" . $last_photo . '&d=' . strip_tags($sub_photo_dir) .  "' accesskey='l'><img src='svg/arrow-top-right-o.svg'/></a></div>";
 			}
 			// Disable the Next link if this is the LAST photo
 			elseif (empty($files[$key + 1])) {
-				echo "<div class='center'><a href='" . basename($_SERVER['PHP_SELF']) . '?d=' . $sub_photo_dir . "' accesskey='g'><img style='margin-right:1em;' src='svg/home.svg'/></a><a href='" . basename($_SERVER['PHP_SELF']) . "?photo=" . $first_photo . '&d=' . $sub_photo_dir . "' accesskey='f'><img style='margin-right:1em;' src='svg/arrow-top-left-o.svg'/></a><a href='" . basename($_SERVER['PHP_SELF']) . '?d=' . $sub_photo_dir .  "&photo=" . $files[$key - 1] . "' accesskey='p'><img style='margin-right:1em;' src='svg/arrow-left-o.svg'/></a></div>";
+				echo "<div class='center'><a href='" . basename($_SERVER['PHP_SELF']) . '?d=' . strip_tags($sub_photo_dir) . "' accesskey='g'><img style='margin-right:1em;' src='svg/home.svg'/></a><a href='" . basename($_SERVER['PHP_SELF']) . "?photo=" . $first_photo . '&d=' . strip_tags($sub_photo_dir) . "' accesskey='f'><img style='margin-right:1em;' src='svg/arrow-top-left-o.svg'/></a><a href='" . basename($_SERVER['PHP_SELF']) . '?d=' . strip_tags($sub_photo_dir) .  "&photo=" . $files[$key - 1] . "' accesskey='p'><img style='margin-right:1em;' src='svg/arrow-left-o.svg'/></a></div>";
 			}
 			// Show all navigation links
 			else {
 
 				echo "<div class='center'>
-			<a href='" . basename($_SERVER['PHP_SELF']) . '?d=' . $sub_photo_dir . "' accesskey='g'><img style='margin-right:1em;' src='svg/home.svg'/></a><a href='" . basename($_SERVER['PHP_SELF']) . "?photo=" . $first_photo . '&d=' . $sub_photo_dir . "' accesskey='f'><img style='margin-right:1em;' src='svg/arrow-top-left-o.svg'/></a><a href='" . basename($_SERVER['PHP_SELF']) . "?photo=" . $files[$key - 1] . '&d=' . $sub_photo_dir . "' accesskey='p'><img style='margin-right:1em;' src='svg/arrow-left-o.svg'/></a><a href='" . basename($_SERVER['PHP_SELF']) . "?photo=" . $files[$key + 1] . '&d=' . $sub_photo_dir . "' accesskey='n'><img style='margin-right:1em;' src='svg/arrow-right-o.svg'/></a><a href='" . basename($_SERVER['PHP_SELF']) . "?photo=" . $last_photo . '&d=' . $sub_photo_dir . "' accesskey='l'><img src='svg/arrow-top-right-o.svg'/></a></div>";
+			<a href='" . basename($_SERVER['PHP_SELF']) . '?d=' . strip_tags($sub_photo_dir) . "' accesskey='g'><img style='margin-right:1em;' src='svg/home.svg'/></a><a href='" . basename($_SERVER['PHP_SELF']) . "?photo=" . $first_photo . '&d=' . strip_tags($sub_photo_dir) . "' accesskey='f'><img style='margin-right:1em;' src='svg/arrow-top-left-o.svg'/></a><a href='" . basename($_SERVER['PHP_SELF']) . "?photo=" . $files[$key - 1] . '&d=' . strip_tags($sub_photo_dir) . "' accesskey='p'><img style='margin-right:1em;' src='svg/arrow-left-o.svg'/></a><a href='" . basename($_SERVER['PHP_SELF']) . "?photo=" . $files[$key + 1] . '&d=' . strip_tags($sub_photo_dir) . "' accesskey='n'><img style='margin-right:1em;' src='svg/arrow-right-o.svg'/></a><a href='" . basename($_SERVER['PHP_SELF']) . "?photo=" . $last_photo . '&d=' . strip_tags($sub_photo_dir) . "' accesskey='l'><img src='svg/arrow-top-right-o.svg'/></a></div>";
 			}
 
 			// Check whether the localized description file matching the browser language exists
diff --git a/upload.php b/upload.php
deleted file mode 100644
index d64ac28..0000000
--- a/upload.php
+++ /dev/null
@@ -1,106 +0,0 @@
-<?php
-include('config.php');
-include('protect.php');
-// Upload directory
-$upload_dir = "photos";
-?>
-
-<html lang="en">
-<!-- Author: Dmitri Popov, dmpop@linux.com
-         License: GPLv3 https://www.gnu.org/licenses/gpl-3.0.txt -->
-
-<head>
-	<title>Upload</title>
-	<meta charset="utf-8">
-	<link rel="shortcut icon" href="favicon.png" />
-	<meta name="viewport" content="width=device-width, initial-scale=1">
-	<style>
-		body {
-			font-family: 'Barlow', sans-serif;
-			font-size: 1em;
-			text-align: justify;
-			background-color: #303030;
-		}
-
-		h1 {
-			color: #e3e3e3;
-			font-family: 'Barlow', sans-serif;
-			font-size: 2.5em;
-			font-weight: 400;
-			text-align: center;
-			margin-top: 0.3em;
-			margin-bottom: 0.5em;
-			line-height: 100%;
-			letter-spacing: 1px;
-		}
-
-		p {
-			font-size: 1em;
-			text-align: center;
-		}
-
-		form {
-			margin-left: auto;
-			margin-right: auto;
-			margin-bottom: 0px;
-			margin-top: 0.5em;
-			border-radius: 5px;
-			width: 25em;
-			border-width: 1px;
-			font-size: 1em;
-			letter-spacing: 3px;
-			padding: 5px;
-			color: #ffffff;
-			background: #3399ff;
-			text-align: center;
-		}
-
-		#content {
-			color: #e3e3e3;
-		}
-
-		.text {
-			text-align: center;
-			padding: 0px;
-			color: inherit;
-			float: left;
-		}
-
-		.center {
-			font-size: 1em;
-			padding: 1px;
-			height: auto;
-			text-align: center;
-			padding: 0px;
-			margin-top: 20%;
-			margin-bottom: 2em;
-		}
-	</style>
-</head>
-
-<body>
-	<div id='content'>
-		<div class='center'>
-			<?php
-			if (isset($_POST['submit'])) {
-				// count total files
-				$countfiles = count($_FILES['file']['name']);
-				// looping all files
-				for ($i = 0; $i < $countfiles; $i++) {
-					$filename = $_FILES['file']['name'][$i];
-					// upload file
-					move_uploaded_file($_FILES['file']['tmp_name'][$i], $upload_dir . DIRECTORY_SEPARATOR . $filename);
-				}
-			}
-			?>
-			<h1>Upload</h1>
-			<form method='post' action='' enctype='multipart/form-data'>
-				<input class="uk-input" type="file" name="file[]" id="file" multiple>
-				<button type='submit' role='button' name='submit'>Upload</button>
-				<input type="button" onclick="window.location.href='index.php';" value="Back" />
-			</form>
-		</div>
-	</div>
-</body>
-
-</html>
\ No newline at end of file