diff --git a/counter.php b/counter.php index 619400d..e5778d4 100644 --- a/counter.php +++ b/counter.php @@ -19,7 +19,8 @@ */ //prepare -include_once('counter_config.php'); +require_once('counter_config.php'); +send_headers(); $time=time(); $update_time=$time-($time%3600); try{ @@ -37,16 +38,15 @@ if(!$id=$stmt->fetch(PDO::FETCH_NUM)){ } //headers -header('Pragma: no-cache'); -header('Cache-Control: no-cache, no-store, must-revalidate, max-age=0'); -header('Expires: 0'); +header_remove('X-Frame-Options'); +header("Content-Security-Policy: base-uri 'self'; default-src 'none'; frame-ancestors '*'"); header('Content-Type: image/gif'); //add visitor to db if(isSet($_COOKIE["counted$_REQUEST[id]"])){ $stmt=$db->prepare('INSERT INTO ' . PREFIX . 'visitors (id, time, count, unique_count) VALUES (?, ?, 1, 1) ON DUPLICATE KEY UPDATE count=count+1;'); }else{ - setcookie("counted$_REQUEST[id]", 1, $time+3600); + set_secure_cookie("counted$_REQUEST[id]", 1); $stmt=$db->prepare('INSERT INTO ' . PREFIX . 'visitors (id, time, count, unique_count) VALUES (?, ?, 1, 1) ON DUPLICATE KEY UPDATE count=count+1, unique_count=unique_count+1;'); } $stmt->execute([$id[0], $update_time]); @@ -95,4 +95,3 @@ if(isset($_REQUEST['tr']) && $_REQUEST['tr']==1){ imagestring($im, 5, 5, 5, $num[0], $fg); imagegif($im); imagedestroy($im); -?> diff --git a/counter_config.php b/counter_config.php index b3ff4af..57d46af 100644 --- a/counter_config.php +++ b/counter_config.php @@ -31,6 +31,8 @@ const VERSION='1.0'; // Script version const DBVERSION=1; // Database layout version // Language selection +$I = $T = []; +$language=LANG; $L=[ 'de' => 'Deutsch', 'en' => 'English', @@ -39,17 +41,14 @@ $L=[ if(isSet($_REQUEST['lang']) && isSet($L[$_REQUEST['lang']])){ $language=$_REQUEST['lang']; if(!isSet($_COOKIE['language']) || $_COOKIE['language']!==$language){ - setcookie('language', $language); + set_secure_cookie('language', $language); } }elseif(isSet($_COOKIE['language']) && isSet($L[$_COOKIE['language']])){ $language=$_COOKIE['language']; -}else{ - $language=LANG; } -include_once('counter_lang_en.php'); //always include English +require_once('counter_lang_en.php'); //always include English if($language!=='en'){ - $T=[]; - include_once("counter_lang_$language.php"); //replace with translation if available + require_once("counter_lang_$language.php"); //replace with translation if available foreach($T as $name=>$translation){ $I[$name]=$translation; } @@ -58,15 +57,55 @@ if($language!=='en'){ function print_langs(){ global $I, $L; echo "$I[language]: "; - $query=preg_replace('/(&?lang=[a-z_\-]*)/i', '', $_SERVER['QUERY_STRING']); + $query=ltrim(preg_replace('/&?lang=[a-z_\-]*/i', '', $_SERVER['QUERY_STRING']), '&'); foreach($L as $code=>$name){ if($query===''){ $uri="?lang=$code"; }else{ $uri='?'.htmlspecialchars($query)."&lang=$code"; } - echo " $name"; + echo " $name"; } echo ''; } -?> + +function send_headers(array $styles = []){ + header('Content-Type: text/html; charset=UTF-8'); + header('Pragma: no-cache'); + header('Cache-Control: no-cache, no-store, must-revalidate, max-age=0, private'); + header('Expires: 0'); + header('Referrer-Policy: no-referrer'); + header("Permissions-Policy: accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; battery 'none'; camera 'none'; cross-origin-isolated 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; geolocation 'none'; fullscreen 'none'; execution-while-not-rendered 'none'; execution-while-out-of-viewport 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; navigation-override 'none'; payment 'none'; picture-in-picture 'none'; publickey-credentials-get 'none'; screen-wake-lock 'none'; sync-xhr 'none'; usb 'none'; web-share 'none'; xr-spatial-tracking 'none'; clipboard-read 'none'; clipboard-write 'none'; gamepad 'none'; speaker-selection 'none'; conversion-measurement 'none'; focus-without-user-activation 'none'; hid 'none'; idle-detection 'none'; sync-script 'none'; vertical-scroll 'none'; serial 'none'; trust-token-redemption 'none';"); + $style_hashes = ''; + foreach($styles as $style) { + $style_hashes .= " 'sha256-".base64_encode(hash('sha256', $style, true))."'"; + } + header("Content-Security-Policy: base-uri 'self'; default-src 'none'; form-action 'self'; frame-ancestors 'none'; img-src 'self' data:; style-src $style_hashes"); + header('X-Content-Type-Options: nosniff'); + header('X-Frame-Options: sameorigin'); + header('X-XSS-Protection: 1; mode=block'); + if($_SERVER['REQUEST_METHOD'] === 'HEAD'){ + exit; // headers sent, no further processing needed + } +} + +function set_secure_cookie(string $name, string $value){ + if (version_compare(PHP_VERSION, '7.3.0') >= 0) { + setcookie($name, $value, ['expires' => 0, 'path' => '/', 'domain' => '', 'secure' => is_definitely_ssl(), 'httponly' => true, 'samesite' => 'Strict']); + }else{ + setcookie($name, $value, 0, '/', '', is_definitely_ssl(), true); + } +} + +function is_definitely_ssl() : bool { + if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') { + return true; + } + if (isset($_SERVER['SERVER_PORT']) && ('443' == $_SERVER['SERVER_PORT'])) { + return true; + } + if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && ('https' === $_SERVER['HTTP_X_FORWARDED_PROTO'])) { + return true; + } + return false; +} diff --git a/counter_lang_de.php b/counter_lang_de.php index dacad66..f3d0843 100644 --- a/counter_lang_de.php +++ b/counter_lang_de.php @@ -57,4 +57,3 @@ $T=[ 'statusok' => 'Status: OK', 'nodb' => 'Keine Datenbankverbindung!', ]; -?> diff --git a/counter_lang_en.php b/counter_lang_en.php index 64cc00e..11d0553 100644 --- a/counter_lang_en.php +++ b/counter_lang_en.php @@ -57,4 +57,3 @@ $I=[ 'statusok' => 'Status: OK', 'nodb' => 'No database connection!', ]; -?> diff --git a/counter_lang_ja.php b/counter_lang_ja.php index 3aa7136..f74ed74 100644 --- a/counter_lang_ja.php +++ b/counter_lang_ja.php @@ -56,4 +56,3 @@ $T=[ 'statusok' => '状態: OK', 'nodb' => 'データベースへの接続がありません!', ]; -?> diff --git a/counter_reg.php b/counter_reg.php index cee4d72..f05ccc0 100644 --- a/counter_reg.php +++ b/counter_reg.php @@ -18,14 +18,18 @@ * along with this program. If not, see . */ -include_once('counter_config.php'); -header('Content-Type: text/html; charset=UTF-8'); -echo ''; -echo "$I[titlereg]"; -echo ''; -echo ''; -echo ''; -echo "

$I[titlereg]

"; +require_once('counter_config.php'); +$style = '.green{color:green} .software-link{text-align:center;font-size:small}'; +send_headers([$style]); +?> + +<?php echo $I['titlereg']; ?> + + + + +

+$I[descriptionreg]

"; echo "
"; @@ -56,7 +60,7 @@ if($_SERVER['REQUEST_METHOD']==='POST'){ $stmt->execute([$key, $_REQUEST['preload']]); } } - echo '

'.sprintf($I['regsuccess'], $key).'

'; + echo ''; }else{ $key='YOUR_API_KEY'; } @@ -75,8 +79,8 @@ echo "
  • $I[modmode1]
    • "; echo "
  • $I[modmode2]
    • "; echo "
  • $I[modmode3]
    • "; echo "
  • $I[modmode4]
    • "; -echo ''; -echo ''; -echo '

    Hit Counter - ' . VERSION . '

    '; -echo ''; ?> + + +

    Hit Counter -

    + diff --git a/lang_update.php b/lang_update.php index 639e62b..78187c2 100644 --- a/lang_update.php +++ b/lang_update.php @@ -28,7 +28,7 @@ echo "$value){ @@ -39,7 +39,6 @@ foreach($T as $id=>$value){ foreach($I as $id=>$value){ echo "\t'$id' => '".str_replace("'", "\'", $value)."',\n"; } -echo "];\n?>\n"; +echo "];\n"; $file=ob_get_clean(); file_put_contents("counter_lang_$code.php", $file); -?> diff --git a/setup.php b/setup.php index fde1f54..766b0f7 100644 --- a/setup.php +++ b/setup.php @@ -18,7 +18,7 @@ * along with this program. If not, see . */ -include('counter_config.php'); +require_once('counter_config.php'); if(!extension_loaded('pdo_mysql')){ die($I['pdo_mysqlextrequired']); } @@ -54,4 +54,3 @@ if(!@$db->query('SELECT * FROM ' . PREFIX . 'settings LIMIT 1;')){ }else{ echo "$I[statusok]\n"; } -?> diff --git a/visits.php b/visits.php index 64ef3da..16879c5 100644 --- a/visits.php +++ b/visits.php @@ -18,7 +18,7 @@ * along with this program. If not, see . */ -include_once('counter_config.php'); +require_once('counter_config.php'); try{ $db=new PDO('mysql:host=' . DBHOST . ';dbname=' . DBNAME, DBUSER, DBPASS, [PDO::ATTR_ERRMODE=>PDO::ERRMODE_WARNING, PDO::ATTR_PERSISTENT=>PERSISTENT]); }catch(PDOException $e){ @@ -29,7 +29,7 @@ if(isset($_REQUEST['id'])){ $stmt=$db->prepare('SELECT * FROM ' . PREFIX . 'registered WHERE api_key=?;'); $stmt->execute([$_REQUEST['id']]); if($id=$stmt->fetch(PDO::FETCH_NUM)){ - $id=$id[0]; + $id=(int) $id[0]; }else{ $fallback=true; $id=1; @@ -40,19 +40,23 @@ if(isset($_REQUEST['id'])){ } $stmt=$db->prepare('SELECT SUM(count) FROM ' . PREFIX . 'visitors WHERE id=? AND time>=? AND timeprepare('SELECT SUM(unique_count) FROM ' . PREFIX . 'visitors WHERE id=? AND time>=? AND time'; -echo "$I[titlestat]"; -echo ''; -echo ''; -echo ''; -echo "

    $I[titlestat]

    "; +$style = '.red{color:red} .software-link{text-align:center;font-size:small}'; +send_headers([$style]); +?> + +<?php echo $I['titlestat']; ?> + + + + +

    +$I[descriptionstat]

    "; if($fallback){ - echo "

    $I[fallback]

    "; + echo "

    $I[fallback]

    "; } echo ''; echo ""; @@ -162,10 +166,10 @@ ob_start(); imagegif($im); imagedestroy($im); echo base64_encode(ob_get_clean()).'">'; -echo '

    Hit Counter - ' . VERSION . '

    '; +echo '

    Hit Counter - ' . VERSION . '

    '; echo ''; -function fetch_numbers($id, $start, $end){ +function fetch_numbers(int $id, int $start, int $end) : array { global $stmt, $stmt2, $num, $num2; $stmt->execute([$id, $start, $end]); $num=$stmt->fetch(PDO::FETCH_NUM); @@ -179,4 +183,3 @@ function fetch_numbers($id, $start, $end){ } return [number_format($num[0]), number_format($num2[0])]; } -?>
    $I[when]$I[count]$I[unique]