mafiasource's Introduction

About

Mafiasource is a free text based online Mafia RPG evolved from crimeclub. Conquer states and cities in the U.S. Build an empire with your friends and family and pave your way to the wealthiest Mafia families. Will you become the best gangster?

Inspired by crimeclub.nl and made open-source for all enthusiasts, enjoy a fork! Development of version 3 started in January 2016, from a custom MVC pattern design. The last known bug was fixed on June 26th 2021; all errors should log to the error_log files. Future bug fixes and security patches will be pushed to the main branch. Official website releases and feature development were halted as of October 7th 2023.

This project is not a professional application and shouldn't be used as such. That is especially true for almost all of the security practices found inside this project.

Refer to /install/README.md for more information regarding the installation process. Made possible by © 2016 Michael Carrein, inspired by © 2006 crimeclub.nl.

Directory above web root

Contents of the web server home directory (one directory above public_html), where the sensitive statics are defined.

  • credentials.php holds the sensitive statics. Keeping it above the web root keeps it out of reach of HTTP requests, but it is no restriction against developers with access to public_html/: code there can simply print these values without direct file access.
  • error_log should receive all errors thrown by cronjobs; not necessarily on localhost. (not included)
  • public_html/ is the actual web app root directory.

Missing resources

Can be downloaded from: https://download.mafiasource.nl/web/downloads/public_html.zip. These include all images excluded via .gitignore and 1 custom CKEditor (game) package.

Donate

Any spare crypto sent my way is greatly appreciated! ETH: 0x6508a7d92fF6eE978E82481C98E991D808283FE5 BTC: bc1qcj2fr8t6feaedzmy5fxmtnyyn2qe52n2re59nc

mafiasource's People

Contributors

anykeysttv, codacy-badger, mafiasource, yannickberendsen


mafiasource's Issues

Game not working in Edge

Auto https redirect in Edge not working since public release changes.

Mafiasource's simplified installer is broken (.htaccess replaces) after applying this fix. If possible use the simplified installer first, or see the temp. fix below.

The solution is to replace the following in /.htaccess with the older lines after a successful installation:
## Non www to www redirect and vice versa for subdomains
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !^static\. [NC]
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1 [R=301,L]
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^static\. [NC]
RewriteCond %{HTTP_HOST} ^www\. [NC]
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

http without www example:
## Non www to www redirect and vice versa for subdomains
RewriteCond %{HTTP_HOST} ^www\. [NC]
RewriteRule ^(.*)$ http://%{HTTP_HOST}/$1 [R=301,L]

## Note that the comments don't align anymore and only refer to the piece of code. Replace the whole code block. (any blank line should define a 'block separator')

Temp. fix for the installer alongside this redirect solution: comment out the line self::replaceLinesByLineNumbers($htaccessFile, $htaccessReplacesMap); in install/config/InstallService.php
After the fix and a successful installation, 2 more crucial .htaccess edits are needed: replace static.mafiasource.nl with static.domainname.ex and mafiasource.nl with domainname.ex

Will be working on a fixed installer-compatible solution. Looking through my options.
Still troubleshooting on different server environments to try and get rid of as many server errors as possible.
Missing resources won't be taken into consideration but some .htaccess files might get a rework as my tests have shown some conflicting or misplaced lines on some environments.

https://stackoverflow.com/questions/33324947/how-to-separate-microsoft-edge-from-chrome-in-htaccess

CKEditor's tabs can have issues

Admin & out-game CKEditor won't allow user-friendly image insertion and much more, due to jQuery or Bootstrap and/or custom code.
Bugged tabs would only be possible in code view with plain HTML. Always switch back to browser view before saving.

If after a CKEditor update the problem still persists we might move on to a BBcode solution like the previous versions of the game.

When CKEditor works again we need to tighten an XSS vulnerability with the style attribute in elements.
Implement a solution to add CSS classes instead of inline styles.
Update voku anti-xss.

I'll do my best to fix the CKEditor toolbar buttons loaded alongside jQuery and Bootstrap.
CKEditor, jQuery and Bootstrap updates to latest (test) didn't resolve the issue; most likely some custom code interference from my end.
Root cause still unknown.
Once fixed I'll push the tested new resources as well; they didn't cause any major issues right away.

See commit 495536eed3468d73389942a3e889fb842a765533 for applied solution.
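One way to do what the issue above proposes, replacing inline style attributes with allowlisted CSS classes, as an added example that is not the mafiasource project's own code. The class names and the STYLE_TO_CLASS map are assumptions; it handles only the style attribute, so script tags and event-handler attributes remain the job of the anti-xss library.

```php
<?php
// Added example, not the mafiasource project's own code: it replaces inline
// style attributes with allowlisted CSS classes, the approach the issue proposes.
// The class names are assumed; the game's stylesheet would define its own.
const STYLE_TO_CLASS = [
    'text-align:center' => 'text-center',
    'text-align:right'  => 'text-right',
    'font-weight:bold'  => 'fw-bold',
];

function stylesToClasses(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // editor output is not always well formed
    // Wrap the fragment so libxml does not add <html><body> around it.
    $doc->loadHTML(
        '<?xml encoding="utf-8"?><div id="root">' . $html . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD
    );
    libxml_clear_errors();
    $xpath = new DOMXPath($doc);

    foreach ($xpath->query('//*[@style]') as $el) {
        $classes = [];
        foreach (explode(';', $el->getAttribute('style')) as $decl) {
            // Normalise spacing and case so "Text-Align : Center" still matches.
            $key = strtolower(preg_replace('/\s+/', '', $decl));
            if ($key !== '' && isset(STYLE_TO_CLASS[$key])) {
                $classes[] = STYLE_TO_CLASS[$key];
            }
            // Any declaration not in the allowlist is silently dropped.
        }
        $el->removeAttribute('style');  // the inline style never reaches the page
        if ($classes !== []) {
            $merged = trim($el->getAttribute('class') . ' ' . implode(' ', array_unique($classes)));
            $el->setAttribute('class', $merged);
        }
    }

    // Serialise only the wrapper's children, i.e. the cleaned fragment.
    $out = '';
    foreach ($xpath->query('//div[@id="root"]')->item(0)->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample: one allowed declaration next to a positioning trick
// that an editor user should not be able to apply to the game's pages.
echo stylesToClasses('<p style="text-align:center; position:fixed; top:0">Hi</p>'), "\n";
```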

Installation fails

Describe the bug
/install/ loads and works fine, but when I go to /web/ the error log says:

2023/09/03 13:29:30 [error] 19747#19747: *117 FastCGI sent in stderr: "PHP message: PDOException: SQLSTATE[42S02]: Base table or view not found: 1146 Table 'mafia.seo' doesn't exist in /var/www/html/public_html/src/Data/SeoDAO.php:43
Stack trace:
#0 /var/www/html/public_html/src/Data/SeoDAO.php(43): PDOStatement->execute()
#1 /var/www/html/public_html/src/Business/SeoService.php(47): src\Data\SeoDAO->getSeoDataByRouteName()
#2 /var/www/html/public_html/src/Controllers/.inc.head.php(21): src\Business\SeoService->getSeoDataByRouteName()
#3 /var/www/html/public_html/src/Controllers/notfound.php(3): require_once('...')
#4 /var/www/html/public_html/web/index.php(127): include_once('...')
#5 {main}" while reading response header from upstream, client: x, server: _, request: "GET /web/ HTTP/1.1", upstream: "fastcgi://unix:/run/php/php8.2-fpm.sock:", host: "x"

The database is also completely empty.

To Reproduce
Steps to reproduce the behavior:

  1. Go to '/web/' after visiting '/install'
  2. See error

Expected behavior
It should work.

Desktop (please complete the following information):
PHP 8.2 with nginx.

Cronjob, php binary location

Cronjobs are not guaranteed to work during install due to a hardcoded binary location for my preferred web server.

$phpPath = '/usr/local/bin/php';

If anybody is able to test the installation, replace this line with:
$phpPath = PHP_BINARY;
The expected result is working cronjobs after installation on any server supporting them; share your results, thanks.
Sources: https://stackoverflow.com/questions/2372624/how-can-i-get-the-current-php-executable-from-within-a-script and https://www.php.net/manual/en/reserved.constants.php
Since we're on 8+ that should do it?

Free money bugs

Fixed in production, to be pushed soon
2 serious bugs, yet to be fully disclosed, were fixed recently. If you wish to patch your copy, keep an eye out the next few days for a commit regarding this bugfix.

Registration problems after initial installation

Describe the bug
Registration after initial installation is not working with custom error message shown and full error logged to php's error_log. This bug affects quite a few systems, though not all. Exact cause is also not clear yet.

To Reproduce
Steps to reproduce the behavior:

  1. Go to /install and finish with a successful installation.
  2. Edit your IP address in the user table to anything other than your current IP.
  3. Go to /register and register in-game.
  4. See the custom "Unexpected error occurred" message and retrieve the full error from php's error_log.

Expected behavior
Registration should work fine

Desktop (please complete the following information):

  • OS: ALL
  • Browser ALL
  • Version ALL

Smartphone (please complete the following information):

  • Device: ALL
  • OS: ALL
  • Browser ALL
  • Version ALL

Additional context
This bug could be caused by a corrupted MASTER_IV and/or MASTER_KEY during initial installation. Some recent server moving and testing of various file systems might have pointed me to these values being saved improperly, for both the MASTER encrypted and the user encrypted key values. These key values are saved raw to text files in UTF-8 format, which might explain the issues arising from them. Will be running some more tests and keep you updated through this post. Any help is appreciated in fixing this long-lasting bug.

Temporarily fix this bug

  • Temporarily fixing this bug is straightforward but will not yet fix user email encryption on affected systems.
  • Edit /../credentials.php and manually input your MASTER_IV (16 bytes long) and your MASTER_KEY (anywhere from 32 bytes upwards), using only UTF-8 compatible characters.
  • Retry "To Reproduce" and finish with a successful registration instead of an error.

Other issues related to registration after installation are most likely caused by improper permissions; see the following discussion: #16, if "permission denied" / "failed to open" errors are present in your php's error_log.

Experimenting with storing the IVs, keys and encrypted values in base64 format for both master and user based encryption. (filesystem + db)
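The base64 approach the issue above is experimenting with, written out as an added example that is not the mafiasource project's own code. MASTER_IV, MASTER_KEY and credentials.php are the names from the issue; the helper names and the AES-256-CBC choice are assumptions.

```php
<?php
// Added example, not the mafiasource project's own code. MASTER_IV, MASTER_KEY
// and credentials.php are the names from the issue; the helper names are assumed.

// Persist freshly generated secrets base64-encoded: the file then holds only
// ASCII, so UTF-8 text handling of credentials.php cannot alter the key bytes.
function writeMasterSecrets(string $path): void
{
    $iv  = random_bytes(16);  // one AES block, the length the issue requires
    $key = random_bytes(32);  // 256-bit key, the minimum the issue requires
    $php = "<?php\n"
         . "define('MASTER_IV', '" . base64_encode($iv) . "');\n"
         . "define('MASTER_KEY', '" . base64_encode($key) . "');\n";
    $tmp = $path . '.tmp';
    file_put_contents($tmp, $php, LOCK_EX);
    chmod($tmp, 0600);        // readable by the web server user only
    rename($tmp, $path);      // atomic replace, never a half-written file
}

// Strict base64 decode plus raw-length checks on load, so a damaged secret is
// caught at startup instead of surfacing as "Unexpected error occurred".
function loadMasterSecrets(string $path): array
{
    require $path;
    $iv  = base64_decode(MASTER_IV, true);
    $key = base64_decode(MASTER_KEY, true);
    if ($iv === false || strlen($iv) !== 16) {
        throw new RuntimeException('MASTER_IV must decode to exactly 16 bytes');
    }
    if ($key === false || strlen($key) < 32) {
        throw new RuntimeException('MASTER_KEY must decode to at least 32 bytes');
    }
    return [$iv, $key];
}

// Ciphertext is binary as well: base64 it before it goes into a text column.
// (The static MASTER_IV is shared by all records, as in the issue; a fresh IV
// per record, stored next to the ciphertext, would be the stronger design.)
function sealForDb(string $plain, string $key, string $iv): string
{
    return base64_encode(openssl_encrypt($plain, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv));
}

function openFromDb(string $stored, string $key, string $iv): string
{
    $plain = openssl_decrypt(base64_decode($stored, true), 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    if ($plain === false) {
        throw new RuntimeException('decryption failed: wrong key, IV or corrupted data');
    }
    return $plain;
}
```

Calling writeMasterSecrets() once at install time and loadMasterSecrets() at application start replaces the raw text writes; sealForDb() and openFromDb() wrap the per-user values the same way before they reach the database.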

Cannot login on local installation

Describe the bug
Logging in on a localhost environment will always yield the following message since the latest login hardening commits:
"Invalid security token, please refresh the page (F5) and try again. If you block essential cookies, no valid security token can be granted."

This message shouldn't be mistaken for a related issue where almost none of the images load; that one yields the same message due to a missing GD PHP extension. I digress:

To Reproduce
Steps to reproduce the behavior:

  1. Go to 'localhost'
  2. Insert your username and password and login
  3. Notice the security-token message

Expected behavior
Being able to login locally

Additional context
Hardened login security blocks logins from non-valid IP addresses; locally we're trying to log in from 127.0.0.1, which is a localhost address in a reserved range. (non-valid for production)

Temporarily fix this bug until a solution is found (not needed for production environments):
Edit /src/Business/UserService.php line 123 and remove: " || !$this->ipValid"
Edit /src/Business/UserCoreService.php line 63 and remove: " || !$this->ipValid"
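An alternative to removing the check, as an added example that is not the mafiasource project's own code: keep the reserved-range rejection in production and relax it only for local development. The project's $this->ipValid is only named in the issue; the filter_var-based check and the isProductionHost() helper here are assumptions.

```php
<?php
// Added example, not the mafiasource project's own code. The project's
// $this->ipValid check is only named in the issue; this is an assumed version
// of it that keeps the hardening in production and still allows local logins.

// Return true when the client IP is acceptable for a login. In production,
// private and reserved ranges (127.0.0.1 and ::1 among them) are rejected,
// which is why a localhost login ends in "Invalid security token".
function ipValidForLogin(string $ip, bool $isProduction): bool
{
    // Must be a syntactically valid IPv4 or IPv6 address at all.
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    if (!$isProduction) {
        // Local development: loopback is fine, so only the syntax check applies.
        return true;
    }
    // Production: additionally refuse private (10/8, 192.168/16, ...) and
    // reserved (127/8, 0/8, 169.254/16, ::1, ...) ranges.
    return filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) !== false;
}

// Decide the environment from the host the request came in on, so the
// hardening lines in the service classes never have to be edited out.
function isProductionHost(string $host): bool
{
    return !in_array(strtolower($host), ['localhost', '127.0.0.1', '::1'], true);
}

// Constructed checks: [client IP, production?, expected verdict].
$cases = [
    ['127.0.0.1',    false, true],   // localhost during development: allowed
    ['127.0.0.1',    true,  false],  // loopback claimed in production: rejected
    ['192.168.1.20', true,  false],  // private range in production: rejected
    ['203.0.113.7',  true,  true],   // public (non-private, non-reserved) address
    ['not-an-ip',    false, false],  // garbage: rejected everywhere
];
foreach ($cases as [$ip, $prod, $expected]) {
    var_dump(ipValidForLogin($ip, $prod) === $expected);
}
```

In UserService / UserCoreService the production flag would come from isProductionHost($_SERVER['HTTP_HOST']) or an environment constant, so the "|| !$this->ipValid" lines can stay in place.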

Old favicon denied, foto.php problem

[Sat Jul 17 10:00:06.057379 2021] [access_compat:error] [pid 8392:tid 1864] [client ::1:61835] AH01797: client denied by server configuration: C:/xampp/htdocs/web/public/images/favicon.ico, referer: http://localhost/
[Sat Jul 17 09:56:43.881831 2021] [php:error] [pid 8712:tid 1856] [client ::1:56552] PHP Fatal error: Uncaught Error: Call to undefined function imagecreate() in C:\xampp\htdocs\web\public\foto.php:883\nStack trace:\n#0 C:\xampp\htdocs\web\public\foto.php(66): display_error('GD Library Erro...')\n#1 {main}\n thrown in C:\xampp\htdocs\web\public\foto.php on line 883, referer: http://localhost/install/encryption.php

Edit: Issue 2, foto.php imagecreate() not found, is due to the (Image)GD library not being activated.

Will be working to resolve these issues soon.

Initial redirection issue

Describe the bug
An initial visit to the base domain (localhost) without https enabled will throw an internal server error.
Root /.htaccess is still not functioning correctly without https.

To Reproduce
Steps to reproduce the behavior:

  1. Disable HTTPS
  2. Visit base domain (without protocol and www)

Temp. fix
Only for servers without HTTPS: find / replace the https instances with http on lines 91, 95 and 112 in public_html/.htaccess

Missing resources not downloading

Describe the bug
The mafiasource.nl missing resources download ends up on a white empty page.

To Reproduce
Steps to reproduce the behavior:

  1. Go to https://download.mafiasource.nl/web/downloads/public_html.zip
  2. See 404 Not Found

Expected behavior
A download starts immediately

Desktop (please complete the following information):

  • OS: ALL
  • Browser ALL
  • Version ALL

Smartphone (please complete the following information):

  • Device: ALL
  • OS: ALL
  • Browser ALL
  • Version ALL

Additional context
Bug is known and a result of a recent transfer of servers. Please hold as we'll update the missing resources again to fix our broken URL.

I have an error

Fatal error: Uncaught Error: Class "install\config\InstallService" not found in /var/www/html/public_html/install/index.php:107 Stack trace: #0 {main} thrown in /var/www/html/public_html/install/index.php on line 107

Can someone help me out?

Application mail password reset & email change

Won't work out of the box. Not sure if I should integrate this into the simplified installer or not.
Don't want to end up with too many fields either (mail server host, email address, password, optional port).
Could move the email credentials to /../security.php and force a no-reply@ setting (fewer fields).
This still urges the user to create a mail user straight away..

Making mailing work with the same mail server on the installed web server:
1) Create the user [email protected] and note your settings. (yourdomain.ex must match your website address)
2) In /src/Data/UserDAO.php match these settings on lines 295, 298 and optionally 300 (SMTP port)
Moved to app/config/config.php; the settings are initialized for SMTP. No SMTP? Change the email() function in UserDAO.php

Good practice might be to troubleshoot your [email protected] first, without the application. Can you send (/receive)?
