From 9d6e7ed05eefa7f14dc0ea90950490950cf53702 Mon Sep 17 00:00:00 2001
From: Felix
Date: Tue, 19 Nov 2024 21:19:11 +0000
Subject: [PATCH] security measure no more gooner rcds, mr (h)edgehog

Signed-off-by: Felix
---
 index.php | 55 ++++++++++++++++++++++++++++++++++++++-----------------
 1 file changed, 38 insertions(+), 17 deletions(-)

diff --git a/index.php b/index.php
index 32eee6b..1756b3d 100644
--- a/index.php
+++ b/index.php
@@ -125,19 +125,40 @@ if ($current_user && isset($_POST['content'])) {
         $replying_to = null;
     }
 
+    // Rate limit check
     if (!checkRateLimit($current_user, $action, 5, 60)) {
         echo '';
         die('Please wait before you do that action again.');
     }
 
+    // Function to validate user input
     function containsOnlyValidCharacters($string) {
-        // Prüfen, ob der String nur reguläre und lesbare Zeichen enthält.
-        // Dies schließt Buchstaben, Zahlen, Satzzeichen und typische Unicode-Zeichen ein.
+        // Check if the string contains only regular readable characters
         return preg_match('/^[\p{L}\p{N}\p{P}\p{S}\p{Zs}\p{M}]*$/u', $string);
     }
 
+    // Validate user and replying_to ID
+    function isValidUsername($username, $accounts) {
+        return isset($accounts[$username]);
+    }
+
+    function isValidPostID($post_id, $posts) {
+        return isset($posts[$post_id]);
+    }
+
     $content = substr($_POST['content'], 0, 280);
 
+    // Validate username
+    if (!isValidUsername($current_user, $accounts)) {
+        die('Error: Invalid user.');
+    }
+
+    // Validate the replying_to ID if it's a reply
+    if ($is_reply && !isValidPostID($replying_to, $posts)) {
+        die('Error: Invalid post ID for reply.');
+    }
+
+    // Validate content
     if (containsOnlyValidCharacters($content)) {
         $new_post = [
             'id' => uniqid(),
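Review bot: The new `isValidPostID` helper assumes `$post_id` is a scalar, but `$is_reply` and `$replying_to` are assigned above this hunk and, if they are taken straight from the request, an array-valued field (`replying_to[]`) makes `isset($posts[$post_id])` throw a TypeError on PHP 8 (array offsets inside `isset()` are no longer silently false) instead of producing the intended 'Invalid post ID' rejection. Tightening the helper to `return is_string($post_id) && isset($posts[$post_id]);` (and `is_string($username)` in `isValidUsername` for symmetry) closes that, and a `: bool` return declaration on both helpers documents the contract. Separately, the byte-wise `substr($_POST['content'], 0, 280)` on the line above can split a multi-byte character, after which the `/u` pattern in `containsOnlyValidCharacters` returns false and a legitimate post is rejected; `mb_substr($_POST['content'], 0, 280, 'UTF-8')` avoids that where mbstring is available. The enclosing `if ($current_user && isset($_POST['content']))` block begins before this hunk.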
@@ -151,26 +172,26 @@ if ($current_user && isset($_POST['content'])) { 'replying_to' => $replying_to, 'image_url' => isset($_POST['image_url']) && preg_match('/\.(jpg|jpeg|png|gif|bmp)$/i', $_POST['image_url']) ? $_POST['image_url'] : null ]; + + // Add post to posts list $posts[$new_post['id']] = $new_post; + + // If it's a reply, add the reply ID to the original post + if ($is_reply) { + $posts[$replying_to]['replies'][] = $new_post['id']; + } + + // Save posts to file + file_put_contents($posts_file, json_encode($posts)); + + header('Location: /'); + exit; } else { - // Fehlerbehandlung, wenn ungültige Zeichen gefunden wurden - echo "Error: Your tnyL contains invalid characters. Please re-create your tnyL with valid characters!"; + // Handle error for invalid characters + echo "Error: Your post contains invalid characters. Please re-create your post with valid characters!"; } - - - - // If it's a reply, add the reply ID to the original post - if ($is_reply) { - $posts[$replying_to]['replies'][] = $new_post['id']; - } - - file_put_contents($posts_file, json_encode($posts)); - - header('Location: /'); - exit; } - // Handle post deletion if ($current_user && isset($_GET['delete'])) { if (!checkRateLimit($current_user, 'delete_post', 5, 60)) {
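Review bot: The `file_put_contents($posts_file, json_encode($posts))` call that now sits inside the success branch still ignores both return values, so a failed write (permissions, full disk) is silently dropped while the user is redirected as if the post were saved, and if `json_encode` returns false (for example on a non-UTF-8 `image_url`, which is not run through the `/u` check) the posts file is overwritten with an empty string. A small change covers both: `if (file_put_contents($posts_file, json_encode($posts, JSON_THROW_ON_ERROR), LOCK_EX) === false) { die('Error: could not save post.'); }`. `LOCK_EX` only serialises the write itself; the read of `$posts_file` happens before this hunk, so two concurrent submissions can still overwrite each other's post, which deserves a comment at the load site. The `else` branch now echoes the error and falls through to the rest of the script instead of redirecting as the removed code did — if that is intended, `// fall through and render the page with the error shown` would make it explicit.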