Timetracker upgrades

.gitignore

@@ -1,13 +1,23 @@
+# General
+.DS_Store
+._*
+_*
+*~
+*.sublime-project
+*.sublime-workspace
+.idea/
+.vscode/
+Thumbs.db
+nbproject/
+
+# Config
 config.php
+
+# WEB-INF
+WEB-INF/cache/
 WEB-INF/templates_c/*.*
 WEB-INF/templates_c/import_*
 WEB-INF/templates_c/tt*
 WEB-INF/lib/tcpdf/
-nbproject/
 upload/
-.vscode/
-Thumbs.db
-*.DS_Store
-*~
-.idea/
-api/
+api/

.htaccess

@@ -1,3 +1,4 @@
+Options -Indexes
 AddDefaultCharset utf-8
 
 # Restrict access to Time Tracker only from certain IPs.

2fa.php

@@ -18,9 +18,9 @@
 $cl_auth_code = $request->getParameter('auth_code');
 
 $form = new Form('twoFactorAuthForm');
-$form->addInput(array('type'=>'text','maxlength'=>'100','name'=>'login','value'=>$cl_login));
+$form->addInput(array('type'=>'text','maxlength'=>'80','name'=>'login','value'=>$cl_login));
 $form->getElement('login')->setEnabled(false);
-$form->addInput(array('type'=>'password','maxlength'=>'50','name'=>'password','value'=>$cl_password));
+$form->addInput(array('type'=>'password','maxlength'=>'128','name'=>'password','value'=>$cl_password));
 $form->addInput(array('type'=>'text','maxlength'=>'100','name'=>'auth_code','value'=>$cl_auth_code));
 $form->addInput(array('type'=>'submit','name'=>'btn_login','value'=>$i18n->get('button.login')));
 

WEB-INF/.htaccess

@@ -0,0 +1,4 @@
+<Files ~ "\.(jpg|jpeg|png|gif)$">
+   order deny,allow
+   allow from all
+</Files>

WEB-INF/config.php.dist

@@ -68,6 +68,13 @@ define('WEEKEND_START_DAY', 6);
 // define('PHP_SESSION_PATH', '/tmp/timetracker'); // Directory must exist and be writable.
 
 
+// SESSION_HANDLER
+// Set session storage.
+// 'file' : file stroage. Default value
+// 'db'   : db stroage
+define('SESSION_HANDLER', 'file');
+
+
 // LOGIN_COOKIE_NAME
 //
 // Cookie name for user login to remember it between browser sessions.
@@ -132,6 +139,26 @@ define('REPORT_FOOTER', true);
 //   ldap - authentication against an LDAP directory such as OpenLDAP or Windows Active Directory.
 define('AUTH_MODULE', 'db');
 
+// Password hash algorithm
+// Possible values
+//  - DEFAULT  ; bcrypt algorithm
+//  - BCRYPT   : crypt blowfish algorithm
+//  - ARGON2I  : Argon2i hashing algorithm (only available if PHP has been compiled with Argon2 support)
+//  - ARGON2ID : Argon2id hashing algorithm (only available if PHP has been compiled with Argon2 support)
+define('AUTH_DB_HASH_ALGORITHM', 'BCRYPT');
+
+// Password hash options
+// 
+define('AUTH_DB_HASH_ALGORITHM_OPTIONS', array('cost' => 10));
+
+// Login minlength
+//
+//define('AUTH_DB_LOGIN_MINLENGTH', 5);
+
+// Password minlength
+//
+//define('AUTH_DB_PWD_MINLENGTH', 12);
+
 // LDAP authentication examples.
 // Go to https://www.anuko.com/time-tracker/install-guide/ldap-auth/index.htm for detailed configuration instructions.
 

WEB-INF/lib/Auth.class.php

@@ -31,16 +31,18 @@ class Auth {
   // isAuthenticated - checks authentication status for user.
   function isAuthenticated() {
     if (isset($_SESSION['authenticated'])) {
-// This check does not work properly because we are not getting here. Need to improve.
-//        if (!isset($_COOKIE[LOGIN_COOKIE_NAME])) {
-//          die ("Your browser's cookie functionality is turned off. Please turn it on.");
-//        }
+      // This check does not work properly because we are not getting here. Need to improve.
+      //        if (!isset($_COOKIE[LOGIN_COOKIE_NAME])) {
+      //          die ("Your browser's cookie functionality is turned off. Please turn it on.");
+      //        }
 
       global $smarty;
       $smarty->assign('authenticated', true); // Used in header.tpl for menu display.
       return true;
     }
     session_write_close();
+    global $smarty;
+    $smarty->assign('authenticated', false); // Used in header.tpl for menu display.
     return false;
   }
 

WEB-INF/lib/I18n.class.php

@@ -46,7 +46,7 @@ function get($key) {
       }
       eval("\$value = \$this->keys".$str.";");
     } else {
-      $value = $this->keys[$key];
+      $value = isset($this->keys[$key]) ? $this->keys[$key] : '';
     }
     return $value;
   }

WEB-INF/lib/auth/Auth_db.class.php

@@ -19,9 +19,41 @@ function authenticate($login, $password)
   {
     $mdb2 = getConnection();
 
+    if (AUTH_DB_HASH_ALGORITHM !== '') {
+      $sql = "SELECT id, password as hash FROM tt_users"." WHERE login = ".$mdb2->quote($login)." AND status = 1";
+      $res = $mdb2->query($sql);
+      if (is_a($res, 'PEAR_Error')) {
+        die($res->getMessage());
+      }
+      $val = $res->fetchRow();
+      if (isset($val['id']) && $val['id'] > 0) {
+        if (password_verify($password, $val['hash'])) {
+          if (password_needs_rehash($val['hash'], PASSWORD_ALGORITHM, AUTH_DB_HASH_ALGORITHM_OPTIONS)) {
+            $sql = "update `tt_users` set `password` = '".password_hash($password, PASSWORD_ALGORITHM, AUTH_DB_HASH_ALGORITHM_OPTIONS)."' where `id` = " . $mdb2->quote($val['id']);
+            $affected = $mdb2->exec($sql);
+            if (is_a($res, 'PEAR_Error')) die($res->getMessage());
+          }
+          return array('login'=>$login,'id'=>$val['id']);
+        }
+      }
+    }
+    else {
+      // md5 hash
+      $sql = "SELECT id FROM tt_users"." WHERE login = ".$mdb2->quote($login)." AND password = md5(".$mdb2->quote($password).") AND status = 1";
+      $res = $mdb2->query($sql);
+      if (is_a($res, 'PEAR_Error')) {
+        die($res->getMessage());
+      }
+      $val = $res->fetchRow();
+      if (isset($val['id']) && $val['id'] > 0) {
+        return array('login'=>$login,'id'=>$val['id']);
+      }
+    }
+    return false;
+
+    /*
     // Try md5 password match first.
-    $sql = "SELECT id FROM tt_users".
-      " WHERE login = ".$mdb2->quote($login)." AND password = md5(".$mdb2->quote($password).") AND status = 1";
+    $sql = "SELECT id FROM tt_users"." WHERE login = ".$mdb2->quote($login)." AND password = md5(".$mdb2->quote($password).") AND status = 1";
 
     $res = $mdb2->query($sql);
     if (is_a($res, 'PEAR_Error')) {
@@ -74,6 +106,7 @@ function authenticate($login, $password)
     }
 
     return false;
+    */
   }
 
   function isPasswordExternal() {

WEB-INF/lib/common.lib.php

@@ -150,7 +150,7 @@ function ttValidString($val, $emptyValid = false, $maxChars = 0)
 // ttValidCss is used to check user input for custom css.
 function ttValidCss($val)
 {
-  $val = trim($val);
+  $val = is_null($val) ? '' : trim($val);
   if (strlen($val) == 0)
     return true;
 
@@ -169,7 +169,7 @@ function ttValidCss($val)
 // ttValidTranslation is used to check user input for custom translation.
 function ttValidTranslation($val)
 {
-  $val = trim($val);
+  $val = is_null($val) ? '' : trim($val);
   if (strlen($val) == 0)
     return true;
 
@@ -186,7 +186,7 @@ function ttValidTranslation($val)
 // ttValidTranslationLine is used to check an individual line in custom translation.
 function ttValidTranslationLine($val)
 {
-  $val = trim($val);
+  $val = is_null($val) ? '' : trim($val);
   if (strlen($val) == 0)
     return false; // Empty line is not valid.
 
@@ -211,14 +211,15 @@ function ttValidTranslationLine($val)
 // We identify these parts by 3 "stop sign" emojis (aka "octagonal sign" U+1F6D1).
 function ttValidTemplateText($val)
 {
-  $valid = strpos($val, '🛑🛑🛑') === false; // no 3 "stop sign" emojis in a row.
+
+  $valid = (is_null($val) ? false : strpos($val, '🛑🛑🛑') === false); // no 3 "stop sign" emojis in a row.
   return $valid;
 }
 
 // ttValidEmail is used to check user input to validate an email string.
 function ttValidEmail($val, $emptyValid = false)
 {
-  $val = trim($val);
+  $val = is_null($val) ? '' : trim($val);
   if (strlen($val) == 0)
     return ($emptyValid ? true : false);
 
@@ -236,7 +237,7 @@ function ttValidEmail($val, $emptyValid = false)
 // ttValidEmailList is used to check user input to validate an email string.
 function ttValidEmailList($val, $emptyValid = false)
 {
-  $val = trim($val);
+  $val = is_null($val) ? '' : trim($val);
   if (strlen($val) == 0)
     return ($emptyValid ? true : false);
 
@@ -254,7 +255,7 @@ function ttValidEmailList($val, $emptyValid = false)
 // ttValidFloat is used to check user input to validate a float value.
 function ttValidFloat($val, $emptyValid = false)
 {
-  $val = trim($val);
+  $val = is_null($val) ? '' : trim($val);
   if (strlen($val) == 0)
     return ($emptyValid ? true : false);
 
@@ -368,7 +369,7 @@ function ttValidTime($val)
 // ttValidInteger is used to check user input to validate an integer.
 function ttValidInteger($val, $emptyValid = false)
 {
-  $val = trim($val);
+  $val = is_null($val) ? '' : trim($val);
   if (strlen($val) == 0)
     return ($emptyValid ? true : false);
 
@@ -424,7 +425,7 @@ function ttValidCronSpec($val)
 
   // But this works.
   $regexp = '/^'.$fields_re.'$/';
-
+	if (is_null($val)) return false;
   if (!preg_match($regexp, $val))
     return false;
 
@@ -434,7 +435,7 @@ function ttValidCronSpec($val)
 // ttValidCondition is used to check user input to validate a notification condition.
 function ttValidCondition($val, $emptyValid = true)
 {
-  $val = trim($val);
+  $val = is_null($val) ? '' : trim($val);
   if (strlen($val) == 0)
     return ($emptyValid ? true : false);
 
@@ -455,7 +456,7 @@ function ttValidCondition($val, $emptyValid = true)
 // For example, IPv4-mapped IPv6 addresses will fail. This may need to be fixed.
 function ttValidIP($val, $emptyValid = false)
 {
-  $val = trim($val);
+  $val = is_null($val) ? '' : trim($val);
   if (strlen($val) == 0 && $emptyValid)
     return true;
 
@@ -475,7 +476,7 @@ function ttValidIP($val, $emptyValid = false)
 // The above means Jan 1 and Dec 31 are holidays in all years, while Apr 20 is only in 2019.
 function ttValidHolidays($val)
 {
-  $val = trim($val);
+  $val = is_null($val) ? '' : trim($val);
   if (strlen($val) == 0) return true;
 
   $dates = explode(',', $val);
@@ -660,6 +661,6 @@ function ttRandomString($length = 32) {
 // This mitigates a risk of CSV injection, see https://owasp.org/www-community/attacks/CSV_Injection
 // Additionally, it replaces each quote character with a double quote.
 function ttNeutralizeForCsv($val) {
-  $result = ltrim($val, '=+-@');
+  $result = is_null($val) ? '' : ltrim($val, '=+-@');
   return str_replace('"', '""', $result);
 }

WEB-INF/lib/form/ActionForm.class.php

@@ -12,6 +12,7 @@ class ActionForm {
     var $mVariables = array();
     var $mForm		= null;
     var $mInitForm	= false;
+    var $name       = "";
 
     function __construct($name, &$form, $request=null) {
     	$this->setName($name);

WEB-INF/lib/form/DateField.class.php

@@ -9,6 +9,8 @@ class DateField extends TextField {
   var $mWeekStartDay = 0;
   var $mDateFormat  = "d/m/Y";
   var $lToday      = "Today";
+  var $mMonthNames;
+  var $mWeekDayShortNames;
 
   var $lCalendarButtons = array('today'=>'Today', 'close'=>'Close');
 
@@ -382,9 +384,9 @@ function adjustiFrame(pickerDiv, iFrameDiv) {
       if (defined('DIR_NAME'))
         $dir_name = trim(constant('DIR_NAME'), '/');
       if (!empty($dir_name))
-        $app_root = '/'.$dir_name;
+        $app_root = '/'.$dir_name.'/';
 
-      $html .= "&nbsp;<img src=\"".$app_root."/img/calendar.gif\" width=\"16\" height=\"16\" onclick=\"displayDatePicker('".$this->name."');\">\n";
+      $html .= "&nbsp;<img src=\"".$app_root."img/calendar.gif\" width=\"16\" height=\"16\" onclick=\"displayDatePicker('".$this->name."');\">\n";
     }
 
     return $html;

WEB-INF/lib/form/Form.class.php

@@ -30,6 +30,7 @@ function addInput($params) {
         import('form.TextField');
         $el = new TextField($params['name']);
         if (isset($params['class'])) $el->setCssClass($params['class']);
+        if (isset($params['minlength'])) $el->setMinLength($params['minlength']);
         if (isset($params['maxlength'])) $el->setMaxLength($params['maxlength']);
         if (isset($params['placeholder'])) $el->setPLaceholder($params['placeholder']);
         break;
@@ -38,7 +39,8 @@ function addInput($params) {
         import('form.PasswordField');
         $el = new PasswordField($params['name']);
         if (isset($params['class'])) $el->setCssClass($params['class']);
-        if (isset($params['maxlength'])) $el->setMaxLength($params['maxlength']);
+        if (isset($params['minlength'])) $el->setMinLength($params['minlength']);
+        if (isset($params['maxlength'])) $el->setMaxLength($params['maxlength']);        
         break;
 
       case 'datefield':

WEB-INF/lib/form/FormElement.class.php

@@ -11,6 +11,7 @@ class FormElement {
   var $placeholder = ''; // placeholder
   var $size = '';        // control size
   var $max_length = '';  // max length of text in control
+  var $min_length = '';  // min length of text in control
   var $on_change = '';   // what happens when value of control changes
   var $on_click = '';    // what happens when the control is clicked
   var $label = '';       // optional label for control
@@ -52,6 +53,9 @@ function getLabel() { return $this->label; }
   function setMaxLength($value) { $this->max_length = $value; }
   function getMaxLength() { return $this->max_length; }
 
+  function setMinLength($value) { $this->min_length = $value; }
+  function getMinLength() { return $this->min_length; }
+
   function setStyle($value) { $this->style = $value; }
   function getStyle() { return $this->style; }
 

WEB-INF/lib/form/PasswordField.class.php

@@ -27,6 +27,9 @@ function getHtml() {
     if ($this->style != '')
       $html.= ' style="'.$this->style.'"';
 
+    if ($this->min_length != '')
+      $html.= ' minlength="'.$this->min_length.'"';
+
     if ($this->max_length != '')
       $html.= ' maxlength="'.$this->max_length.'"';
 

WEB-INF/lib/form/Submit.class.php

@@ -39,6 +39,9 @@ function getHtml() {
     if (empty($this->id))
       $this->id = $this->name;
 
+    if (is_array($this->value))
+      return '';
+
     // Output HTML.
     $html = "\n\t<input type=\"submit\" name=\"$this->name\" id=\"$this->id\"";
     $html .= " value=\"$this->value\"";

WEB-INF/lib/form/Table.class.php

@@ -157,8 +157,9 @@ function getHtml() {
 
     // Print rows.
     if (is_array($this->mData)) {
+      $rowHoverBackgroundColor = ($this->isInteractive() ? "onmouseover=\"setRowBackground(this, '".$this->mBgColorOver."')\" onmouseout=\"setRowBackground(this, null)\"" : "");
       for ($row = 0; $row < count($this->mData); $row++) {
-        $html .= "\n<tr bgcolor=\"".$this->mBgColor."\" onmouseover=\"setRowBackground(this, '".$this->mBgColorOver."')\" onmouseout=\"setRowBackground(this, null)\">\n";
+        $html .= "\n<tr bgcolor=\"".$this->mBgColor."\" ".$rowHoverBackgroundColor.">\n";
         for ($col = 0; $col < $this->getColumnCount(); $col++) {
           if (0 == $col && strtolower(get_class($this->mColumns[$col]->getRenderer())) == 'checkboxcellrenderer') {
             // Checkbox for the row. Determine if selected.

WEB-INF/lib/form/TextArea.class.php

@@ -46,7 +46,6 @@ function getHtml() {
 		$html .= " name=\"$this->name\" id=\"$this->id\"";
 
 		if ($this->max_length!="") {
-			if ($this->mOnKeyPress) $this->mOnKeyPress .= ";";
 			$html .= " maxlength=\"$this->max_length\"";
 		}