major security update

2025-10-29 18:00:23 +00:00 · 2015-11-23 20:27:55 +01:00
parent 41158df022
commit abf77a27d6
40 changed files with 21014 additions and 23 deletions
--- a/static/dist/frontpage.min.js
+++ b/static/dist/frontpage.min.js
@@ -1 +1 @@
-!function(){var e,t,o={populate_channels:function(t){var n,a="",i=0;1==t[0][5]&&(n=t.shift()),t.sort(o.sortFunction),void 0!==n&&t.unshift(n),pre_card=$(e);for(x in t){var s=t[x][3];if(20>i){var l=t[x][1],r=t[x][0],c="background-image:url('https://img.youtube.com/vi/"+l+"/hqdefault.jpg');",d=t[x][4],u=pre_card;1==t[x][5]?(u.find(".pin").attr("style","display:block;"),u.find(".card").attr("title","Pinned!")):(u.find(".pin").attr("style","display:none;"),u.find(".card").attr("title","")),u.find(".chan-name").text(s),u.find(".chan-name").attr("title",s),u.find(".chan-views").text(r),u.find(".chan-songs").text(d),u.find(".chan-bg").attr("style",c),u.find(".chan-link").attr("href",s),$("#channels").append(u.html())}a+="<option value='"+s+"'> ",i++}document.getElementById("preloader").style.display="none",document.getElementById("searches").innerHTML=a,$("#channels").fadeIn(800),$("#search").focus()},sortFunction:function(e,t){var o=e[0],n=t[0],a=e[4],i=t[4];return n>o?1:o>n?-1:i>a?1:a>i?-1:0},getCookie:function(e){for(var t=e+"=",o=document.cookie.split(";"),n=0;n<o.length;n++){for(var a=o[n];" "==a.charAt(0);)a=a.substring(1);if(0==a.indexOf(t))return a.substring(t.length,a.length)}return""}};String.prototype.capitalizeFirstLetter=function(){return this.charAt(0).toUpperCase()+this.slice(1)},$(document).ready(function(){"#donation"==window.location.hash&&$("#donation").openModal(),e=$("#channel-list-container").html(),window.list_html=e,$("#channels").empty();var n=io.connect("//"+window.location.hostname+":8880");n.emit("frontpage_lists"),n.on("playlists",function(e){o.populate_channels(e)});var a=0;if(document.getElementById("zicon").addEventListener("click",function(){a+=10,document.getElementById("zicon").style.paddingLeft=a+"%",a>=100&&(window.location.href="https://www.youtube.com/v/0IGsNdVoEh0?autoplay=1&showinfo=0&autohide=1")}),navigator.userAgent.toLowerCase().indexOf("android")>-1&&""==o.getCookie("show_prompt")){var i=confirm("Do you want to download the native app for this webpage?");if(i)window.location.href="https://play.google.com/store/apps/details?id=no.lqasse.zoff";else{var s=new Date;s.setTime(s.getTime()+864e6);var l="expires="+s.toUTCString();document.cookie="show_prompt=false;"+l}}t=$.ajax({type:"GET",url:"https://api.github.com/repos/zoff-music/zoff/commits",async:!1}).responseText,t=$.parseJSON(t),$("#latest-commit").html("Latest Commit: <br>"+t[0].commit.author.date.substring(0,10)+": "+t[0].committer.login+"<br><a href='"+t[0].html_url+"'>"+t[0].sha.substring(0,10)+"</a>: "+t[0].commit.message+"<br")})}();
+!function(){var e,t,o={populate_channels:function(t){var n,a="",s=0;1==t[0][5]&&(n=t.shift()),t.sort(o.sortFunction),void 0!==n&&t.unshift(n),pre_card=$(e);for(x in t){var i=t[x][3];if(20>s){var l=t[x][1],r=t[x][0],c="background-image:url('https://img.youtube.com/vi/"+l+"/hqdefault.jpg');",d=t[x][4],u=pre_card;1==t[x][5]?(u.find(".pin").attr("style","display:block;"),u.find(".card").attr("title","Pinned!")):(u.find(".pin").attr("style","display:none;"),u.find(".card").attr("title","")),u.find(".chan-name").text(i),u.find(".chan-name").attr("title",i),u.find(".chan-views").text(r),u.find(".chan-songs").text(d),u.find(".chan-bg").attr("style",c),u.find(".chan-link").attr("href",i),$("#channels").append(u.html())}a+="<option value='"+i+"'> ",s++}document.getElementById("preloader").style.display="none",document.getElementById("searches").innerHTML=a,$("#channels").fadeIn(800),$("#search").focus()},sortFunction:function(e,t){var o=e[0],n=t[0],a=e[4],s=t[4];return n>o?1:o>n?-1:s>a?1:a>s?-1:0},getCookie:function(e){for(var t=e+"=",o=document.cookie.split(";"),n=0;n<o.length;n++){for(var a=o[n];" "==a.charAt(0);)a=a.substring(1);if(0==a.indexOf(t))return a.substring(t.length,a.length)}return""}};String.prototype.capitalizeFirstLetter=function(){return this.charAt(0).toUpperCase()+this.slice(1)},$(document).ready(function(){"#donation"==window.location.hash&&$("#donation").openModal(),e=$("#channel-list-container").html(),window.list_html=e,$("#channels").empty();var n=io.connect("//"+window.location.hostname+":8880");n.emit("frontpage_lists"),n.on("playlists",function(e){o.populate_channels(e)}),window.socket=n;var a=0;if(document.getElementById("zicon").addEventListener("click",function(){a+=10,document.getElementById("zicon").style.paddingLeft=a+"%",a>=100&&(window.location.href="https://www.youtube.com/v/0IGsNdVoEh0?autoplay=1&showinfo=0&autohide=1")}),navigator.userAgent.toLowerCase().indexOf("android")>-1&&""==o.getCookie("show_prompt")){var s=confirm("Do you want to download the native app for this webpage?");if(s)window.location.href="https://play.google.com/store/apps/details?id=no.lqasse.zoff";else{var i=new Date;i.setTime(i.getTime()+864e6);var l="expires="+i.toUTCString();document.cookie="show_prompt=false;"+l}}t=$.ajax({type:"GET",url:"https://api.github.com/repos/zoff-music/zoff/commits",async:!1}).responseText,t=$.parseJSON(t),$("#latest-commit").html("Latest Commit: <br>"+t[0].commit.author.date.substring(0,10)+": "+t[0].committer.login+"<br><a href='"+t[0].html_url+"'>"+t[0].sha.substring(0,10)+"</a>: "+t[0].commit.message+"<br")})}();
--- a/static/dist/main.min.js
+++ b/static/dist/main.min.js
--- a/static/js/admin.js
+++ b/static/js/admin.js
@@ -1,7 +1,10 @@
 var Admin = {

+    beginning:true,
+
    admin_listener: function()
    {
+
    	socket.on("toast", function(msg)
    	{
    		switch(msg) {
@@ -13,9 +16,7 @@ var Admin = {
    		        break;
    		    case "wrongpass":
    		        msg=Helper.rnd(["That's not the right password!", "Wrong! Better luck next time...", "You seem to have mistyped the password", "Incorrect. Have you tried meditating?","Nope, wrong password!", "Wrong password. The authorities have been notified."])
-					if(localStorage[chan.toLowerCase()]){
-						localStorage.removeItem(chan.toLowerCase());
-					}
+					Crypt.remove_pass(chan.toLowerCase());
                    Admin.display_logged_out();
                    w_p = true;
 					break;
@@ -64,7 +65,7 @@ var Admin = {
    		names     = ["vote","addsongs","longsongs","frontpage", "allvideos", 
            "removeplay", "skip", "shuffle"];

-            localStorage.setItem(chan.toLowerCase(), msg);
+            Crypt.set_pass(chan.toLowerCase(), Crypt.decrypt_pass(msg))

    		for (var i = 0; i < names.length; i++) {
    				$("input[name="+names[i]+"]").attr("disabled", false);
@@ -82,20 +83,29 @@ var Admin = {
    	socket.on("conf", function(msg)
    	{
    		Admin.set_conf(msg[0]);
+            Crypt.init();
+            if(Crypt.get_pass(chan.toLowerCase()) !== undefined && Admin.beginning && Crypt.get_pass(chan.toLowerCase()) != ""){
+                socket.emit("password", [Crypt.crypt_pass(Crypt.get_pass(chan.toLowerCase())), chan.toLowerCase()]);
+                Admin.beginning = false;
+            }
    	});
    },

    pass_save: function()
    {
        if(!w_p)
-    	   socket.emit('password', [CryptoJS.SHA256(document.getElementById("password").value).toString(), chan.toLowerCase(), localStorage[chan.toLowerCase()]]);
+        {
+    	   socket.emit('password', [Crypt.crypt_pass(CryptoJS.SHA256(document.getElementById("password").value).toString()), chan.toLowerCase(), Crypt.crypt_pass(Crypt.get_pass(chan.toLowerCase()))]);
+        }
        else
-            socket.emit('password', [CryptoJS.SHA256(document.getElementById("password").value).toString(), chan.toLowerCase()]);
+        {
+            socket.emit('password', [Crypt.crypt_pass(CryptoJS.SHA256(document.getElementById("password").value).toString()), chan.toLowerCase()]);
+        }
    },

    log_out: function(){
-    	if(localStorage[chan.toLowerCase()]){
-    		localStorage.removeItem(chan.toLowerCase());
+    	if(Crypt.get_pass(chan.toLowerCase())){
+            Crypt.remove_pass(chan.toLowerCase());
    		Admin.display_logged_out();
    		Materialize.toast("Logged out", 4000);
    	}else{
@@ -151,9 +161,9 @@ var Admin = {
            $("input[name="+names[i]+"]").attr("disabled", hasadmin);
        }

-        if((hasadmin && !localStorage[chan.toLowerCase()])){
+        if((hasadmin)){
            Admin.display_logged_out();
-        }else if(!hasadmin && !localStorage[chan.toLowerCase()]){
+        }else if(!hasadmin){
            $("#password").attr("placeholder", "Create channel password");
        }

--- a/static/js/crypt.js
+++ b/static/js/crypt.js
@@ -0,0 +1,131 @@
+var Crypt = {
+
+	conf_arr: {},
+
+	init: function(){
+		
+		
+        conf_arr = Crypt.decrypt(Crypt.getCookie("_opts"));
+        Hostcontroller.change_enabled(conf_arr.remote);
+	},
+
+	decrypt: function(cookie){
+
+		if(Crypt.getCookie("_opts") === undefined) {
+			cookie = Crypt.create_cookie();
+		}
+
+		var decrypted = CryptoJS.AES.decrypt(
+        cookie,navigator.userAgent+navigator.languages,
+        {
+            mode: CryptoJS.mode.CBC,
+            padding: CryptoJS.pad.Pkcs7
+        }
+    	);
+
+    	return $.parseJSON(decrypted.toString(CryptoJS.enc.Utf8));
+	},
+
+	decrypt_pass: function(pass){
+		var decrypted = CryptoJS.AES.decrypt(
+        pass,socket.io.engine.id,
+        {
+            mode: CryptoJS.mode.CBC,
+            padding: CryptoJS.pad.Pkcs7
+        }
+    	);
+
+    	return decrypted.toString(CryptoJS.enc.Utf8);
+	},
+
+	encrypt: function(json_formated){
+		var to_encrypt = JSON.stringify(json_formated);
+
+        var encrypted = CryptoJS.AES.encrypt(
+		  to_encrypt,
+		  navigator.userAgent+navigator.languages,
+		  {
+		    mode: CryptoJS.mode.CBC,
+		    padding: CryptoJS.pad.Pkcs7
+		  }
+		);
+		
+        var CookieDate = new Date;
+        CookieDate.setFullYear(CookieDate.getFullYear( ) +1);
+
+        document.cookie = "_opts="+encrypted.toString()+";expires="+CookieDate.toGMTString()+";path=/;"
+	},
+
+	get_volume: function(){
+		return Crypt.decrypt(Crypt.getCookie("_opts")).volume;
+		//return conf_arr.volume;
+	},
+
+	set_volume: function(val){
+		conf_arr.volume = val;
+		Crypt.encrypt(conf_arr);
+	},
+
+	create_cookie: function(){
+		cookie_object = {volume: 100, width: 100, remote: true, passwords: {}};
+
+        var string_it = JSON.stringify(cookie_object);
+
+        var encrypted = CryptoJS.AES.encrypt(
+		  string_it,
+		  navigator.userAgent+navigator.languages,
+		  {
+		    mode: CryptoJS.mode.CBC,
+		    padding: CryptoJS.pad.Pkcs7
+		  }
+		);
+
+        var CookieDate = new Date;
+        CookieDate.setFullYear(CookieDate.getFullYear( ) +1);
+
+
+        document.cookie = "_opts="+encrypted.toString()+";expires="+CookieDate.toGMTString()+";path=/;"
+        return Crypt.getCookie("_opts");
+	},
+
+	set_pass: function(chan, pass){
+		conf_arr.passwords[chan] = pass;
+		Crypt.encrypt(conf_arr);
+	},
+
+	remove_pass:function(chan){
+		delete conf_arr.passwords[chan];
+		Crypt.encrypt(conf_arr);
+	},
+
+	get_pass: function(chan){
+		return conf_arr.passwords[chan];
+	},
+
+	set_remote: function(val){
+		conf_arr.remote = val;
+		Crypt.encrypt(conf_arr);
+	},
+
+	get_remote: function(val){
+		return conf_arr.remote;
+	},
+
+	crypt_pass: function(pass){
+        var encrypted = CryptoJS.AES.encrypt(
+		  pass,
+		  socket.io.engine.id,
+		  {
+		    mode: CryptoJS.mode.CBC,
+		    padding: CryptoJS.pad.Pkcs7
+		  }
+		);
+		return encrypted.toString();
+	},
+
+	getCookie: function(name) {
+	  	var value = "; " + document.cookie;
+	  	var parts = value.split("; " + name + "=");
+	  	if (parts.length == 2) return parts.pop().split(";").shift();
+	}
+}
--- a/static/js/hostcontroller.js
+++ b/static/js/hostcontroller.js
@@ -1,10 +1,10 @@
 var Hostcontroller = {

+  enabled: true,

  host_listener: function() {
    
    var old_id;
-    var enabled = true;

    socket.on("id", function(id)
    {
@@ -63,6 +63,12 @@ var Hostcontroller = {
    $('input[class=remote_switch_class]').change(function()
    {
      enabled = document.getElementsByName("remote_switch")[0].checked;
+      Crypt.set_remote(enabled);
    });
+  },
+
+  change_enabled:function(val){
+    enabled = val;
+    document.getElementsByName("remote_switch")[0].checked = enabled;
  }
 }
--- a/static/js/listeners.js
+++ b/static/js/listeners.js
@@ -80,14 +80,14 @@ $(document).ready(function()
        handles: "e",
        minWidth: 350
    });
-
+    /*
 	if(localStorage[chan.toLowerCase()])
 	{
 		if(localStorage[chan.toLowerCase()].length != 64)
 			localStorage.removeItem(chan.toLowerCase());
 		else
 			socket.emit("password", [localStorage[chan.toLowerCase()], chan.toLowerCase()]);
-	}
+	}*/

 	if(window.mobilecheck()){
 		document.getElementById("search").blur();
--- a/static/js/nochan.js
+++ b/static/js/nochan.js
@@ -127,7 +127,9 @@ $(document).ready(function (){
    socket.emit('frontpage_lists');
    socket.on('playlists', function(msg){
        Nochan.populate_channels(msg);
-    })
+    });
+
+    window.socket = socket;

    var pad = 0;
    document.getElementById("zicon").addEventListener("click", function(){
--- a/static/js/playercontrols.js
+++ b/static/js/playercontrols.js
@@ -15,12 +15,14 @@ var Playercontrols = {

    initSlider: function()
    {
-    	if(localStorage.volume)
+    	if(Crypt.getCookie("_opts"))
    	{
-    		vol = localStorage.getItem("volume");
+    		//vol = localStorage.getItem("volume");
+            vol = (Crypt.get_volume());
    	}else{
    		vol = 100;
-    		localStorage.setItem("volume", vol);
+    		//localStorage.setItem("volume", vol);
+            Crypt.set_volume(vol);
    	}
    	$("#volume").slider({
    	    min: 0,
@@ -30,7 +32,8 @@ var Playercontrols = {
    			animate: true,
    	    slide: function(event, ui) {
            Playercontrols.setVolume(ui.value);
-    				localStorage.setItem("volume", ui.value);
+    				//localStorage.setItem("volume", ui.value);
+                    Crypt.set_volume(ui.value);
    	    }
    	});
      Playercontrols.choose_button(vol, false);