pages.php: use link to create hardlinks isntead of full file copy for thread moving

Reviewed-on: leftypol/leftypol#142

.dockerignore

@@ -0,0 +1,4 @@
+**/.git
+**/.gitignore
+/local-instances
+**/.gitkeep

.gitignore

@@ -55,6 +55,7 @@ php_errors.log
 #vichan custom
 favicon.ico
 /static/spoiler.png
+/local-instances
 
 piwik/
 jwplayer/
@@ -70,8 +71,7 @@ tf/
 /random/
 
 # Banners
-banners/*
-!banners/lain-bottom.png
+static/banners/*
 
 #Fonts
 stylesheets/fonts

403.php

@@ -1,17 +0,0 @@
-<title>403</title>
-</head>
-<!-- <body style="background: black"> -->
-<body style="background-image:url(/static/system.gif)">
-<center><img height=480 width=640 src="/static/403.jpg"/>
-<marquee scrollamount="40"><h1><p style="font-family: sans-serif; font-size:30px; color: black;">WHOOPS</p></h1></marquee>
-<p style="color: blue;background:black">this isn't for you</p>
-<p style="color: red;background:black">it's a 403</p>
-<br /> <br />
-<param name="movie" value="/static/congrats.swf">
-</center>
-<audio autoplay loop>
-<source src="/static/cyberia.ogg" />
-</audio>
-</body>
-</html>
-

Dockerfile

@@ -0,0 +1,29 @@
+FROM php:8.1.8-fpm
+
+COPY . /code
+
+RUN docker-php-ext-install pdo pdo_mysql
+RUN apt-get update -y && apt-get install -y libpng-dev libjpeg-dev libonig-dev
+RUN docker-php-ext-install mbstring
+RUN apt-get update -y && apt-get install -y libmcrypt-dev
+# RUN docker-php-ext-install -j$(nproc) mcrypt
+RUN docker-php-ext-install iconv
+RUN apt-get update -y && apt-get install -y imagemagick
+RUN apt-get update -y && apt-get install -y graphicsmagick
+RUN apt-get update -y && apt-get install -y gifsicle
+# RUN docker-php-ext-configure gd
+#         --with-jpeg=/usr/include
+#         --with-png-dir=/usr \
+RUN docker-php-ext-install gd
+RUN apt-get update -y \
+  && apt-get install -y libmemcached11 libmemcachedutil2 build-essential libmemcached-dev libz-dev git \
+  && pecl install memcached \
+  && echo extension=memcached.so >> /usr/local/etc/php/conf.d/memcached.ini \
+  && apt-get remove -y build-essential libmemcached-dev libz-dev \
+  && apt-get autoremove -y \
+  && apt-get clean \
+  && rm -rf /tmp/pear \
+  && curl -sS https://getcomposer.org/installer -o composer-setup.php \
+  && php composer-setup.php --install-dir=/usr/local/bin --filename=composer \
+  && docker-php-ext-install bcmath \
+  && cd /code && composer install

banners.php

@@ -1,16 +1,8 @@
 <?php
-function getBannerSrc(){
-	$files = scandir(__dir__.'/banners/');
-	$files = array_diff($files, array('.', '..'));
-	return $files[array_rand($files)];
-}
 
-$filename = getBannerSrc();
-$filename = "banners/" . $filename;
-$fp = fopen($filename, 'rb');
+$files = scandir(__dir__ . '/static/banners/', SCANDIR_SORT_NONE);
+$files = array_diff($files, ['.', '..']);
 
-header("Content-Type: image/png");
-header("Content-Length: " . filesize($filename)); 
-
-fpassthru($fp);
-?>
+$filename = $files[array_rand($files)];
+header("Location: /static/banners/$filename", true, 307);
+header('Cache-Control: no-cache');

composer.json

@@ -22,7 +22,8 @@
             "inc/queue.php",
             "inc/polyfill.php",
             "inc/error.php",
-            "inc/functions.php"
+            "inc/functions.php",
+            "inc/functions/net.php"
         ]
     },
     "license": "Tinyboard + vichan",

docker-compose.yml

@@ -5,48 +5,36 @@ services:
       context: .
       dockerfile: ./docker/nginx/Dockerfile
     ports:
-        - "8080:80"
+      - "9091:80"
     depends_on:
-        - db
+      - leftypol-db
     volumes:
-          - ./:/code
+      - ./local-instances/1/www:/var/www/html
       - ./docker/nginx/leftypol.conf:/etc/nginx/conf.d/default.conf
       - ./docker/nginx/nginx.conf:/etc/nginx/nginx.conf
       - ./docker/nginx/proxy.conf:/etc/nginx/conf.d/proxy.conf
-      networks:
-        leftchan_net:
-          ipv4_address: 172.20.0.3
     links:
       - php
+
   php:
     build:
       context: .
       dockerfile: ./docker/php/Dockerfile
     volumes:
-          - ./:/code
+      - ./local-instances/1/www:/var/www
       - ./docker/php/www.conf:/usr/local/etc/php-fpm.d/www.conf
-      networks:
-        leftchan_net:
-          ipv4_address: 172.20.0.4
+
   #MySQL Service
-  db:
+  leftypol-db:
     image: mysql:8.0.35
-    container_name: db
+    container_name: leftypol-db
     restart: unless-stopped
     tty: true
     ports:
       - "3306:3306"
     environment:
-      MYSQL_DATABASE: lainchan
-      MYSQL_ROOT_PASSWORD: M9q5lO0RxJVh
-    networks:
-        leftchan_net:
-            ipv4_address: 172.20.0.2
-
-#Docker Networks
-networks:
-    leftchan_net:
-        ipam:
-            driver: default
-            config:
-                - subnet: 172.20.0.0/16
+      MYSQL_DATABASE: vichan
+      MYSQL_ROOT_PASSWORD: password
+    command: "--default-authentication-plugin=mysql_native_password"
+    volumes:
+      - ./local-instances/1/mysql:/var/lib/mysql

docker/common-setup.sh

@@ -1,27 +0,0 @@
-#!/bin/sh
-
-set -eu
-
-install -m 775 -o leftypol -g leftypol -d /var/www-leftypol
-ln -s \
-   /code/banners/ \
-   /code/static/ \
-   /code/stylesheets/ \
-   /code/tools/ \
-   /code/walls/ \
-   /code/*.php \
-   /code/404.html \
-   /code/LICENSE.* \
-   /code/robots.txt \
-   /code/install.sql \
-   /var/www-leftypol/
-
-install -m 775 -o leftypol -g leftypol -d /var/www-leftypol/js
-ln -s /code/js/* /var/www-leftypol/js/
-
-install -m 775 -o leftypol -g leftypol -d /var/www-leftypol/templates
-install -m 775 -o leftypol -g leftypol -d /var/www-leftypol/templates/cache
-ln -s /code/templates/* /var/www-leftypol/templates/
-
-install -m 775 -o leftypol -g leftypol -d /var/www-leftypol/inc
-ln -s /code/inc/* /var/www-leftypol/inc/

docker/doc.md

@@ -0,0 +1,16 @@
+The `php-fpm` process runs containerized.
+The php application always uses `/var/www` as it's work directory and home folder, and if `/var/www` is bind mounted it
+is necessary to adjust the path passed via FastCGI to `php-fpm` by changing the root directory to `/var/www`.
+This can achieved in nginx by setting the `fastcgi_param SCRIPT_FILENAME` to `/var/www/$fastcgi_script_name;`
+
+The default docker compose settings are intended for development and testing purposes.
+The folder structure expected by compose is as follows
+
+```
+<vichan-project>
+└── local-instances
+    └── 1
+        ├── mysql
+        └── www
+```
+The vichan container is by itself much less rigid.

docker/nginx/Dockerfile

@@ -1,11 +1,8 @@
 FROM nginx:1.25.3-alpine
 
 COPY . /code
-RUN addgroup --system leftypol \
-   && adduser --system leftypol \
-   && adduser leftypol leftypol \
-   && /code/docker/common-setup.sh
+RUN adduser --system www-data \
+  && adduser www-data www-data
 
-
-CMD ["nginx", "-g", "daemon off;"]
-EXPOSE 80 443
+CMD [ "nginx", "-g", "daemon off;" ]
+EXPOSE 80

docker/nginx/leftypol.conf

@@ -6,7 +6,7 @@ server {
 	listen 80 default_server;
 	listen [::]:80 default_server ipv6only=on;
 	server_name leftypol;
-	root /var/www-leftypol;
+	root /var/www/html;
 	add_header X-Frame-Options "SAMEORIGIN";
 	add_header X-Content-Type-Options "nosniff";
 
@@ -20,18 +20,17 @@ server {
 
 	# Expire rules for static content
 	# Media: images, icons, video, audio, HTC
-	location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
-		expires 1M;
-		access_log off;
+	location ~* \.(?:jpg|jpeg|gif|png|webp|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
 		log_not_found off;
-		add_header Cache-Control "public";
+		# Public cache, never changes until max-age expires, max-age of 1 month, can still be served while being
+		# revalidated or if the server is erroring for 1 day.
+		add_header Cache-Control "public, immutable, max-age=2592000, stale-while-revalidate=86400, stale-if-error=86400";
 	}
 	# CSS and Javascript
 	location ~* \.(?:css|js)$ {
-		expires 1y;
-		access_log off;
 		log_not_found off;
-		add_header Cache-Control "public";
+		# Public cache, max-age of 1 year, can still be served while being revalidated or if the server is erroring for 1 day.
+		add_header Cache-Control "public, max-age=31536000, stale-while-revalidate=86400, stale-if-error=86400";
 	}
 
 	location ~* \.(html)$ {
@@ -56,7 +55,7 @@ server {
 		proxy_set_header Forwarded-Request-Id $x_request_id;
 		fastcgi_pass php-upstream;
 		fastcgi_index index.php;
-		fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
+		fastcgi_param SCRIPT_FILENAME /var/www/$fastcgi_script_name;
 		fastcgi_read_timeout 600;
 		include fastcgi_params;
 	}

docker/nginx/nginx.conf

@@ -1,15 +1,17 @@
 # This and proxy.conf are based on
 # https://github.com/dead-guru/devichan/blob/master/nginx/nginx.conf
 
-user  leftypol;
+user www-data;
 worker_processes auto;
 # daemon off;
 # error_log  /var/log/nginx/error.log warn;
 error_log /dev/stdout warn;
 pid       /var/run/nginx.pid;
+
 events {
 	worker_connections  1024;
 }
+
 http {
 	include       /etc/nginx/mime.types;
 	default_type  application/octet-stream;

docker/nginx/proxy.conf

@@ -33,7 +33,7 @@ real_ip_header X-Forwarded-For;
 
 set_real_ip_from 10.0.0.0/8;
 set_real_ip_from 172.16.0.0/12;
-set_real_ip_from 172.18.0.0/12;
+set_real_ip_from 172.18.0.0;
 set_real_ip_from 192.168.0.0/24;
 set_real_ip_from 127.0.0.0/8;
 

docker/php/Dockerfile

@@ -1,47 +1,87 @@
 # Based on https://github.com/dead-guru/devichan/blob/master/php-fpm/Dockerfile
 
 FROM composer AS composer
-FROM php:8.1-fpm-bullseye
-COPY --from=composer /usr/bin/composer /usr/bin/composer
-COPY . /code
+FROM php:7.2-fpm-alpine
 
-RUN apt-get update && apt-get upgrade -y && apt-get install -y \
-      zlib1g-dev libicu-dev g++ \
-      libjpeg62-turbo-dev \
-      libzip-dev \
+RUN apk add --no-cache \
+    zlib \
+    zlib-dev \
+    libpng \
     libpng-dev \
+    libjpeg-turbo \
+    libjpeg-turbo-dev \
+    libwebp \
     libwebp-dev \
-      libfreetype6-dev \
-      libxml2-dev \
-      git \
-      zip \
-      ffmpeg \
-      libonig-dev \
-      unzip \
-      libcurl4-openssl-dev \
-      libmagickwand-dev \
-      gifsicle \
-      graphicsmagick \
-      gettext \
+    libcurl \
+    curl-dev \
     imagemagick \
-      locales locales-all \
-      libmagickwand-dev \
+    graphicsmagick \
+    gifsicle \
+    ffmpeg \
+    bind-tools \
+    gettext \
+    gettext-dev \
+    icu-dev \
+    oniguruma \
+    oniguruma-dev \
+    libmcrypt \
     libmcrypt-dev \
+    lz4-libs \
+    lz4-dev \
+    imagemagick-dev \
+    pcre-dev \
+    $PHPIZE_DEPS \
     && docker-php-ext-configure gd \
-        --with-webp=/usr/include/webp \
-        --with-jpeg=/usr/include \
-        --with-freetype=/usr/include/freetype2/ \
+        --with-webp-dir=/usr/include/webp \
+        --with-jpeg-dir=/usr/include \
+    && docker-php-ext-install -j$(nproc) \
+        gd \
+        curl \
+        bcmath \
+        opcache \
+        pdo_mysql \
+        gettext \
+        intl \
+        mbstring \
+    && pecl update-channels \
+    && pecl install -o -f igbinary \
     && pecl install redis \
     && pecl install imagick \
-    && pecl install -o -f igbinary \
-    && docker-php-ext-install gd zip opcache intl pdo pdo_mysql mysqli bcmath gettext iconv mbstring curl \
-    && docker-php-ext-enable igbinary redis imagick \
-    && useradd -MU leftypol \
-    && /code/docker/common-setup.sh \
-    && ln -s /code/composer.json /code/composer.lock /var/www-leftypol/ \
-    && cd /var/www-leftypol && composer install
+    $$ docker-php-ext-enable \
+        igbinary \
+        redis \
+        imagick \
+    && apk del \
+        zlib-dev \
+        libpng-dev \
+        libjpeg-turbo-dev \
+        libwebp-dev \
+        curl-dev \
+        gettext-dev \
+        oniguruma-dev \
+        libmcrypt-dev \
+        lz4-dev \
+        imagemagick-dev \
+        pcre-dev \
+        $PHPIZE_DEPS \
+    && rm -rf /var/cache/*
+RUN rmdir /var/www/html \
+    && install -d -m 744 -o www-data -g www-data /var/www \
+    && install -d -m 700 -o www-data -g www-data /var/tmp/vichan \
+    && install -d -m 700 -o www-data -g www-data /var/cache/gen-cache \
+    && install -d -m 700 -o www-data -g www-data /var/cache/template-cache
 
-# RUN /code/docker/common-setup.sh php
-WORKDIR "/var/www-leftypol"
-CMD ["php-fpm"]
+# Copy the bootstrap script.
+COPY ./docker/php/bootstrap.sh /usr/local/bin/bootstrap.sh
+
+COPY --from=composer /usr/bin/composer /usr/local/bin/composer
+
+# Copy the actual project (use .dockerignore to exclude stuff).
+COPY . /code
+
+# Install the compose depedencies.
+RUN cd /code && composer install
+
+WORKDIR "/var/www"
+CMD [ "bootstrap.sh" ]
 EXPOSE 9000

docker/php/bootstrap.sh

@@ -0,0 +1,79 @@
+#!/bin/sh
+
+set -eu
+
+function set_cfg() {
+    if [ ! -f "/var/www/inc/$1" ]; then
+        echo "INFO: Resetting $1"
+        touch "/var/www/inc/$1"
+        chown www-data "/var/www/inc/$1"
+        chgrp www-data "/var/www/inc/$1"
+        chmod 600 "/var/www/inc/$1"
+    else
+        echo "INFO: Using existing $1"
+    fi
+}
+
+if ! mountpoint -q /var/www; then
+    echo "WARNING: '/var/www' is not a mountpoint. All the data will remain inside the container!"
+fi
+
+if [ ! -w /var/www ] ; then
+    echo "ERROR: '/var/www' is not writable. Closing."
+    exit 1
+fi
+
+# Link the entrypoints from the exposed directory.
+ln -nfs \
+    /code/tools/ \
+    /code/walls/ \
+    /code/*.php \
+    /code/LICENSE.* \
+    /code/404.html \
+    /code/install.sql \
+    /var/www/
+# Static files accessible from the webserver must be copied.
+cp -ur /code/static /var/www/
+cp -ur /code/stylesheets /var/www/
+
+# Ensure correct permissions are set, since this might be bind mount.
+chown www-data /var/www
+chgrp www-data /var/www
+
+# Initialize an empty robots.txt with the default if it doesn't exist.
+touch /var/www/robots.txt
+
+# Link the cache and tmp files directory.
+ln -nfs /var/tmp/vichan /var/www/tmp
+
+# Link the javascript directory.
+ln -nfs /code/js /var/www/
+
+# Link the html templates directory and it's cache.
+ln -nfs /code/templates /var/www/
+ln -nfs -T /var/cache/template-cache /var/www/templates/cache
+chown -h www-data /var/www/templates/cache
+chgrp -h www-data /var/www/templates/cache
+
+# Link the generic cache.
+ln -nfs -T /var/cache/gen-cache /var/www/tmp/cache
+chown -h www-data /var/www/tmp/cache
+chgrp -h www-data /var/www/tmp/cache
+
+# Create the included files directory and link them
+install -d -m 700 -o www-data -g www-data /var/www/inc
+for file in /code/inc/*; do
+    file="${file##*/}"
+    if [ ! -e /var/www/inc/$file ]; then
+        ln -s /code/inc/$file /var/www/inc/
+    fi
+done
+
+# Copy an empty instance configuration if the file is a link (it was linked because it did not exist before).
+set_cfg 'instance-config.php'
+
+# Link the composer dependencies.
+ln -nfs /code/vendor /var/www/
+
+# Start the php-fpm server.
+exec php-fpm

docker/php/www.conf

@@ -1,6 +1,12 @@
 [www]
-user = leftypol
-group = leftypol
+access.log = /proc/self/fd/2
+
+; Ensure worker stdout and stderr are sent to the main error log.
+catch_workers_output = yes
+
+user = www-data
+group = www-data
+
 listen = 127.0.0.1:9000
 pm = static
 pm.max_children = 16

inc/bans.php

@@ -12,12 +12,14 @@ class Bans {
 			return $ipstr;
 		}
 
-		if (strlen($ipstart) != strlen($ipend))
+		if (strlen($ipstart) != strlen($ipend)) {
 			return '???'; // What the fuck are you doing, son?
+		}
 
 		$range = CIDR::range_to_cidr(inet_ntop($ipstart), inet_ntop($ipend));
-		if ($range !== false)
+		if ($range !== false) {
 			return $range;
+		}
 
 		return '???';
 	}
@@ -101,12 +103,12 @@ class Bans {
 			list($ipstart, $ipend) = self::calc_cidr($mask);
 		} elseif (preg_match('@^[:a-z\d]+/\d+$@i', $mask)) {
 			list($ipv6, $bits) = explode('/', $mask);
-			if ($bits > 128)
+			if ($bits > 128) {
 				return false;
+			}
 
 			list($ipstart, $ipend) = self::calc_cidr($mask);
-		} else {
-			if (($ipstart = @inet_pton($mask)) === false)
+		} elseif (($ipstart = @inet_pton($mask)) === false) {
 			return false;
 		}
 
@@ -135,8 +137,9 @@ class Bans {
 			if ($ban['expires'] && ($ban['seen'] || !$config['require_ban_view']) && $ban['expires'] < time()) {
 				self::delete($ban['id']);
 			} else {
-				if ($ban['post'])
+				if ($ban['post']) {
 					$ban['post'] = json_decode($ban['post'], true);
+				}
 				$ban['mask'] = self::range_to_string(array($ban['ipstart'], $ban['ipend']));
 				$ban_list[] = $ban;
 			}
@@ -151,7 +154,9 @@ class Bans {
  			ORDER BY `created` DESC") or error(db_error());
 			$bans = $query->fetchAll(PDO::FETCH_ASSOC);
 
-		if ($board_access && $board_access[0] == '*') $board_access = false;
+		if ($board_access && $board_access[0] == '*') {
+			$board_access = false;
+		}
 
 		$out ? fputs($out, "[") : print("[");
 
@@ -205,23 +210,24 @@ class Bans {
 		}
 
 		$out ? fputs($out, "]") : print("]");
-
 	}
 
 	static public function seen($ban_id) {
-		$query = query("UPDATE ``bans`` SET `seen` = 1 WHERE `id` = " . (int)$ban_id) or error(db_error());
+		query("UPDATE ``bans`` SET `seen` = 1 WHERE `id` = " . (int)$ban_id) or error(db_error());
 		rebuildThemes('bans');
 	}
 
 	static public function purge() {
-		$query = query("DELETE FROM ``bans`` WHERE `expires` IS NOT NULL AND `expires` < " . time() . " AND `seen` = 1") or error(db_error());
+		query("DELETE FROM ``bans`` WHERE `expires` IS NOT NULL AND `expires` < " . time() . " AND `seen` = 1") or error(db_error());
 		rebuildThemes('bans');
 	}
 
 	static public function delete($ban_id, $modlog = false, $boards = false, $dont_rebuild = false) {
 		global $config;
 
-		if ($boards && $boards[0] == '*') $boards = false;
+		if ($boards && $boards[0] == '*') {
+			$boards = false;
+		}
 
 		if ($modlog) {
 			$query = query("SELECT `ipstart`, `ipend`, `board` FROM ``bans`` WHERE `id` = " . (int)$ban_id) or error(db_error());
@@ -230,8 +236,9 @@ class Bans {
 				return false;
 			}
 
-			if ($boards !== false && !in_array($ban['board'], $boards))
+			if ($boards !== false && !in_array($ban['board'], $boards)) {
 				error($config['error']['noaccess']);
+			}
 
 			$mask = self::range_to_string(array($ban['ipstart'], $ban['ipend']));
 
@@ -241,7 +248,9 @@ class Bans {
 
 		query("DELETE FROM ``bans`` WHERE `id` = " . (int)$ban_id) or error(db_error());
 
-		if (!$dont_rebuild) rebuildThemes('bans');
+		if (!$dont_rebuild) {
+			rebuildThemes('bans');
+		}
 
 		return true;
 	}
@@ -259,10 +268,11 @@ class Bans {
 		$query = prepare("INSERT INTO ``bans`` VALUES (NULL, :ipstart, :ipend, :time, :expires, :board, :mod, :reason, 0, :post)");
 
 		$query->bindValue(':ipstart', $range[0]);
-		if ($range[1] !== false && $range[1] != $range[0])
+		if ($range[1] !== false && $range[1] != $range[0]) {
 			$query->bindValue(':ipend', $range[1]);
-		else
+		} else {
 			$query->bindValue(':ipend', null, PDO::PARAM_NULL);
+		}
 
 		$query->bindValue(':mod', $mod_id);
 		$query->bindValue(':time', time());
@@ -271,8 +281,9 @@ class Bans {
 			$reason = escape_markup_modifiers($reason);
 			markup($reason);
 			$query->bindValue(':reason', $reason);
-		} else
+		} else {
 			$query->bindValue(':reason', null, PDO::PARAM_NULL);
+		}
 
 		if ($length) {
 			if (is_int($length) || ctype_digit($length)) {
@@ -285,29 +296,28 @@ class Bans {
 			$query->bindValue(':expires', null, PDO::PARAM_NULL);
 		}
 
-		if ($ban_board)
+		if ($ban_board) {
 			$query->bindValue(':board', $ban_board);
-		else
+		} else {
 			$query->bindValue(':board', null, PDO::PARAM_NULL);
+		}
 
 		if ($post) {
 			$post['board'] = $board['uri'];
 			$query->bindValue(':post', json_encode($post));
-		} else
+		} else {
 			$query->bindValue(':post', null, PDO::PARAM_NULL);
+		}
 
 		$query->execute() or error(db_error($query));
 
-		if (isset($mod['id']) && $mod['id'] == $mod_id) {
-			modLog('Created a new ' .
-				($length > 0 ? preg_replace('/^(\d+) (\w+?)s?$/', '$1-$2', until($length)) : 'permanent') .
-				' ban on ' .
-				($ban_board ? '/' . $ban_board . '/' : 'all boards') .
-				' for ' .
-				(filter_var($mask, FILTER_VALIDATE_IP) !== false ? "<a href=\"?/IP/$mask\">$mask</a>" : $mask) .
-				' (<small>#' . $pdo->lastInsertId() . '</small>)' .
-				' with ' . ($reason ? 'reason: ' . utf8tohtml($reason) . '' : 'no reason'));
-		}
+		$ban_len = $length > 0 ? preg_replace('/^(\d+) (\w+?)s?$/', '$1-$2', until($length)) : 'permanent';
+		$ban_board = $ban_board ? "/$ban_board/" : 'all boards';
+		$ban_ip = filter_var($mask, FILTER_VALIDATE_IP) !== false ? "<a href=\"?/IP/$mask\">$mask</a>" : $mask;
+		$ban_id = $pdo->lastInsertId();
+		$ban_reason = $reason ? 'reason: ' . utf8tohtml($reason) : 'no reason';
+
+		modLog("Created a new $ban_len ban on $ban_board for $ban_ip (<small># $ban_id </small>) with $ban_reason");
 
 		rebuildThemes('bans');
 

inc/config.php

@@ -172,7 +172,7 @@
 
     // How long should the cookies last (in seconds). Defines how long should moderators should remain logged
     // in (0 = browser session).
-    $config['cookies']['expire'] = 60 * 60 * 24 * 30 * 6; // ~6 months
+    $config['cookies']['expire'] = 60 * 60 * 24 * 7; // 1 week.
 
     // Make this something long and random for security.
     $config['cookies']['salt'] = 'abcdefghijklmnopqrstuvwxyz09123456789!@#$%^&*()';
@@ -180,6 +180,10 @@
     // Whether or not you can access the mod cookie in JavaScript. Most users should not need to change this.
     $config['cookies']['httponly'] = true;
 
+    // Do not allow logins via unencrypted HTTP. Should only be changed in testing environments or if you connect to a
+    // load-balancer without encryption.
+    $config['cookies']['secure_login_only'] = true;
+
     // Used to salt secure tripcodes ("##trip") and poster IDs (if enabled).
     $config['secure_trip_salt'] = ')(*&^%$#@!98765432190zyxwvutsrqponmlkjihgfedcba';
 
@@ -1170,6 +1174,7 @@
     $config['error']['fileext']     = _('Unsupported image format.');
     $config['error']['noboard']     = _('Invalid board!');
     $config['error']['nonexistant']     = _('Thread specified does not exist.');
+    $config['error']['nopost']     = _('Post specified does not exist.');
     $config['error']['locked']      = _('Thread locked. You may not reply at this time.');
     $config['error']['reply_hard_limit']    = _('Thread has reached its maximum reply limit.');
     $config['error']['image_hard_limit']    = _('Thread has reached its maximum image limit.');
@@ -1215,6 +1220,7 @@
     // Moderator errors
     $config['error']['toomanyunban']    = _('You are only allowed to unban %s users at a time. You tried to unban %u users.');
     $config['error']['invalid']     = _('Invalid username and/or password.');
+    $config['error']['insecure']    = _('Login on insecure connections is disabled.');
     $config['error']['notamod']     = _('You are not a mod…');
     $config['error']['invalidafter']    = _('Invalid username and/or password. Your user may have been deleted or changed.');
     $config['error']['malformed']       = _('Invalid/malformed cookies.');
@@ -1991,4 +1997,3 @@
 
     //Logo location for themes
     $config['logo'] = 'static/logo.png';
-

inc/functions/net.php

@@ -0,0 +1,17 @@
+<?php
+namespace Vichan\Functions\Net;
+
+
+/**
+ * @return bool Returns if the client-server connection is an HTTPS one.
+ */
+function is_connection_https(): bool {
+	return !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off';
+}
+
+/**
+ * @return bool Returns if the client-server connection is an encrypted one (HTTPS or Tor loopback).
+ */
+function is_connection_secure(): bool {
+	return is_connection_https() || (!empty($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] === '127.0.0.1');
+}

inc/image.php

@@ -497,6 +497,11 @@ class ImageBMP extends ImageBase {
 	}
 }
 
-
-
-
+class ImageWEBP extends ImageBase {
+	public function from() {
+		$this->image = @imagecreatefromwebp($this->src);
+	}
+	public function to($src) {
+		imagewebp($this->image, $src);
+	}
+}

inc/mod/auth.php

@@ -4,6 +4,8 @@
  *  Copyright (c) 2010-2013 Tinyboard Development Group
  */
 
+use Vichan\Functions\Net;
+
 defined('TINYBOARD') or exit;
 
 // create a hash/salt pair for validate logins
@@ -37,12 +39,6 @@ function mkhash($username, $password, $salt = false) {
 		return $hash;
 }
 
-function crypt_password_old($password) {
-	$salt = generate_salt();
-	$password = hash('sha256', $salt . sha1($password));
-	return array($salt, $password);
-}
-
 function crypt_password($password) {
 	global $config;
 	// `salt` database field is reused as a version value. We don't want it to be 0.
@@ -69,12 +65,6 @@ function test_password($password, $salt, $test) {
 }
 
 function generate_salt() {
-	// mcrypt_create_iv() was deprecated in PHP 7.1.0, only use it if we're below that version number.
-	if (PHP_VERSION_ID < 70100) {
-		// 128 bits of entropy
-		return strtr(base64_encode(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM)), '+', '.');
-	}
-	// Otherwise, use random_bytes()
 	return strtr(base64_encode(random_bytes(16)), '+', '.');
 }
 
@@ -117,19 +107,22 @@ function setCookies() {
 	if (!$mod)
 		error('setCookies() was called for a non-moderator!');
 
+	$is_https = Net\is_connection_https();
+
 	setcookie($config['cookies']['mod'],
 			$mod['username'] . // username
 			':' .
 			$mod['hash'][0] . // password
 			':' .
 			$mod['hash'][1], // salt
-		time() + $config['cookies']['expire'], $config['cookies']['jail'] ? $config['cookies']['path'] : '/', null, !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off', $config['cookies']['httponly']);
+		time() + $config['cookies']['expire'], $config['cookies']['jail'] ? $config['cookies']['path'] : '/', null, $is_https, $config['cookies']['httponly']);
 }
 
 function destroyCookies() {
 	global $config;
+	$is_https = Net\is_connection_https();
 	// Delete the cookies
-	setcookie($config['cookies']['mod'], 'deleted', time() - $config['cookies']['expire'], $config['cookies']['jail']?$config['cookies']['path'] : '/', null, !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off', true);
+	setcookie($config['cookies']['mod'], 'deleted', time() - $config['cookies']['expire'], $config['cookies']['jail']?$config['cookies']['path'] : '/', null, $is_https, true);
 }
 
 function modLog($action, $_board=null) {
@@ -186,6 +179,7 @@ function make_secure_link_token($uri) {
 
 function check_login($prompt = false) {
 	global $config, $mod;
+
 	// Validate session
 	if (isset($_COOKIE[$config['cookies']['mod']])) {
 		// Should be username:hash:salt

inc/mod/pages.php

@@ -4,8 +4,11 @@
  *  Copyright (c) 2010-2013 Tinyboard Development Group
  */
 
+use Vichan\Functions\Net;
+
 defined('TINYBOARD') or exit;
 
+
 function mod_page($title, $template, $args, $subtitle = false) {
     global $config, $mod;
 
@@ -35,9 +38,11 @@ function clone_wrapped_with_exist_check($clonefn, $src, $dest) {
 function mod_login($redirect = false) {
     global $config;
 
-    $args = array();
+    $args = [];
 
-    if (isset($_POST['login'])) {
+    if ($config['cookies']['secure_login_only'] && !Net\is_connection_secure()) {
+        $args['error'] = $config['error']['insecure'];
+    } elseif (isset($_POST['login'])) {
         // Check if inputs are set and not empty
         if (!isset($_POST['username'], $_POST['password']) || $_POST['username'] == '' || $_POST['password'] == '') {
             $args['error'] = $config['error']['invalid'];
@@ -858,7 +863,7 @@ function mod_page_ip($ip) {
     if (filter_var($ip, FILTER_VALIDATE_IP) === false)
         error("Invalid IP address.");
 
-    if (isset($_POST['ban_id'], $_POST['unban_mask'])) {
+    if (isset($_POST['ban_id'], $_POST['unban'])) {
         if (!hasPermission($config['mod']['unban']))
             error($config['error']['noaccess']);
 
@@ -1340,8 +1345,8 @@ function mod_move($originBoard, $postID) {
         if ($targetBoard === $originBoard)
             error(_('Target and source board are the same.'));
 
-        // copy() if leaving a shadow thread behind; else, rename().
-        $clone = $shadow ? 'copy' : 'rename';
+        // link() if leaving a shadow thread behind; else, rename().
+        $clone = $shadow ? 'link' : 'rename';
 
         // indicate that the post is a thread
         $post['op'] = true;
@@ -1634,7 +1639,7 @@ function mod_merge($originBoard, $postID) {
             $op = $post;
             $op['id'] = $newID;
 
-            $clone = $shadow ? 'copy' : 'rename';
+            $clone = $shadow ? 'link' : 'rename';
 
             if ($post['has_file']) {
                 // copy image

inc/template.php

@@ -13,12 +13,15 @@ $twig = false;
 
 function load_twig() {
 	global $twig, $config;
+
+	$cache_dir = "{$config['dir']['template']}/cache/";
+
 	$loader = new Twig_Loader_Filesystem($config['dir']['template']);
 	$loader->setPaths($config['dir']['template']);
 	$twig = new Twig_Environment($loader, array(
 		'autoescape' => false,
-		'cache' => is_writable('templates') || (is_dir('templates/cache') && is_writable('templates/cache')) ?
-			"{$config['dir']['template']}/cache" : false,
+		'cache' => is_writable('templates/') || (is_dir($cache_dir) && is_writable($cache_dir)) ?
+			$cache_dir : false,
 		'debug' => $config['debug']
 	));
 	$twig->addExtension(new Twig_Extensions_Extension_Tinyboard());
@@ -69,4 +72,3 @@ function Element($templateFile, array $options) {
 		throw new Exception("Template file '${templateFile}' does not exist or is empty in '{$config['dir']['template']}'!");
 	}
 }
-

install.php

@@ -3,7 +3,7 @@
 // Installation/upgrade file
 define('VERSION', '5.1.3');
 
-if (fopen('inc/instance-config.php' , 'a') === false) {
+if (!is_writable('inc/instance-config.php') || !is_writable('inc/')) {
 	print('install.php does not have permission to write to /inc/, without permission the installer cannot continue');
 	exit();
 }
@@ -818,14 +818,14 @@ if ($step == 0) {
 		array(
 			'category' => 'File permissions',
 			'name' => getcwd() . '/templates/cache',
-			'result' => is_writable('templates') || (is_dir('templates/cache') && is_writable('templates/cache')),
+			'result' => is_dir('templates/cache/') && is_writable('templates/cache/'),
 			'required' => true,
 			'message' => 'You must give vichan permission to create (and write to) the <code>templates/cache</code> directory or performance will be drastically reduced.'
 		),
 		array(
 			'category' => 'File permissions',
 			'name' => getcwd() . '/tmp/cache',
-			'result' => is_dir('tmp/cache') && is_writable('tmp/cache'),
+			'result' => is_dir('tmp/cache/') && is_writable('tmp/cache/'),
 			'required' => true,
 			'message' => 'You must give vichan permission to write to the <code>tmp/cache</code> directory.'
 		),
@@ -945,12 +945,16 @@ if ($step == 0) {
 	$queries[] = Element('posts.sql', array('board' => 'b'));
 
 	$sql_errors = '';
+	$sql_err_count = 0;
 	foreach ($queries as $query) {
 		if ($mysql_version < 50503)
 			$query = preg_replace('/(CHARSET=|CHARACTER SET )utf8mb4/', '$1utf8', $query);
 		$query = preg_replace('/^([\w\s]*)`([0-9a-zA-Z$_\x{0080}-\x{FFFF}]+)`/u', '$1``$2``', $query);
-		if (!query($query))
-			$sql_errors .= '<li>' . db_error() . '</li>';
+		if (!query($query)) {
+			$sql_err_count++;
+			$error = db_error();
+			$sql_errors .= "<li>$sql_err_count<ul><li>$query</li><li>$error</li></ul></li>";
+		}
 	}
 
 	$page['title'] = 'Installation complete';
@@ -989,4 +993,3 @@ if ($step == 0) {
 
 	echo Element('page.html', $page);
 }
-

install.sql

@@ -313,7 +313,7 @@ CREATE TABLE `pages` (
   `content` text,
   PRIMARY KEY (`id`),
   UNIQUE KEY `u_pages` (`name`,`board`)
-) ENGINE=MyISAM DEFAULT CHARSET=utf8mb4;
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
 
 -- --------------------------------------------------------
 

js/hud-pinning.js

@@ -0,0 +1,54 @@
+/*
+ * hud-pinning.js
+ * https://git.leftypol.org/leftypol/leftypol
+ *
+ * Released under the MIT license
+ * Copyright (c) 2024 Zankaria <zankaria (dot) auxa (at) mailu (dot) io>
+ *
+ * Usage:
+ *   $config['additional_javascript'][] = 'js/jquery.min.js';
+ *   $config['additional_javascript'][] = 'js/hud-pinning.js';
+ */
+
+/**
+ * You know the bar on the top of the page that is created if you specify the $config['boards'] array? That one.
+ * Also know the bottom bar with the "Return" button and thread update controls? Also that one.
+ *
+ * Both bars are pinned on the top and bottom of the page. This script adds an option to unpin them.
+ */
+$(document).ready(function() {
+	'use strict';
+
+	if (window.Options && Options.get_tab('general') && window.jQuery) {
+		function setHudPinning(pin) {
+			let style = pin ? '' : 'initial';
+			$('#top-hud').css('position', style);
+			$('#bottom-hud').css('position', style);
+		}
+
+		// Insert the option in the panel.
+		Options.extend_tab('general', '<label id="hud-pinning"><input type="checkbox">' + _('Unpin the top and bottom bars') + '</label>');
+
+		// Trigger if the panel's checkbox is toggled.
+		$('#hud-pinning>input').on('change', function() {
+			if (this.checked) {
+				localStorage.hud_pinning = 'false';
+				setHudPinning(false);
+			} else {
+				localStorage.hud_pinning = 'true';
+				setHudPinning(true);
+			}
+		});
+
+		// Reload on new post: allows it to work with auto-reload.js etc.
+		$(document).on('new_post', function(e, post) {
+			setHudPinning(localStorage.hud_pinning !== 'false');
+		});
+
+		// Enforce the setting on loading.
+		if (localStorage.hud_pinning === 'false') {
+			$('#hud-pinning>input').attr('checked', 'checked');
+			setHudPinning(false);
+		}
+	}
+});

post.php

@@ -123,24 +123,24 @@ function db_select_thread_with_attributes($board, $thread_id)
 }
 
 /**
- * Get the threads with the given id in the given board.
+ * Get the post with the given id in the given board.
  *
  * @param string $board Board to search in. MUST ALREADY BE SANITIZED.
- * @param int $thread_id Id of the thread.
- * @return false|array Returns false if no thread exists. Otherwise, an array of arrays with the threads 'id', 'thread'
- * and 'body_nomarkup' properties.
+ * @param int $id Id of the post.
+ * @return false|array Returns false if no post exists. Otherwise, an array with the post's 'id', 'thread' and
+ * 'body_nomarkup' keys.
  */
-function db_select_threads_minimal($board, $thread_id)
+function db_select_post_minimal($board, $id)
 {
     $query = prepare(sprintf("SELECT `id`, `thread`, `body_nomarkup` FROM ``posts_%s`` WHERE `id` = :id", $board));
-    $query->bindValue(':id', $thread_id, PDO::PARAM_INT);
+    $query->bindValue(':id', $id, PDO::PARAM_INT);
     $query->execute() or error(db_error($query));
-    $threads = $query->fetch(PDO::FETCH_ASSOC);
+    $post = $query->fetch(PDO::FETCH_ASSOC);
 
-    if (!$threads) {
+    if (!$post) {
         return false;
     }
-    return $threads;
+    return $post;
 }
 
 /**
@@ -537,9 +537,21 @@ function handle_report()
     markup($reason);
 
     foreach ($report as $id) {
-        $thread = db_select_threads_minimal($board['uri'], $id);
+        $post = db_select_post_minimal($board['uri'], $id);
+        if ($post === false) {
+            if ($config['syslog']) {
+                _syslog(LOG_INFO, "Failed to report non-existing post #{$id} in {$board['dir']}");
+            }
+            error($config['error']['nopost']);
+        }
 
-        $error = event('report', array('ip' => $_SERVER['REMOTE_ADDR'], 'board' => $board['uri'], 'post' => $post, 'reason' => $reason, 'link' => link_for($thread)));
+        $error = event('report', [
+            'ip' => $_SERVER['REMOTE_ADDR'],
+            'board' => $board['uri'],
+            'post' => $post,
+            'reason' => $reason,
+            'link' => link_for($post)
+        ]);
         if ($error) {
             error($error);
         }
@@ -548,7 +560,7 @@ function handle_report()
             _syslog(
                 LOG_INFO,
                 'Reported post: ' .
-                    '/' . $board['dir'] . $config['dir']['res'] . link_for($thread) . ($thread['thread'] ? '#' . $id : '') .
+                    '/' . $board['dir'] . $config['dir']['res'] . link_for($post) . ($post['thread'] ? '#' . $id : '') .
                     ' for "' . $reason . '"'
             );
 
@@ -579,20 +591,20 @@ function handle_report()
                 return $result;
             }
 
-            $postcontent = mb_substr($thread['body_nomarkup'], 0, 120) . '...  _*(POST TRIMMED)*_';
-            $slackmessage = '<' . $config['domain'] . "/mod.php?/" . $board['dir'] . $config['dir']['res'] . ($thread['thread'] ? $thread['thread'] : $id) . ".html" . ($thread['thread'] ? '#' . $id : '') . '> \n ' . $reason . '\n ' . $postcontent . '\n';
+            $postcontent = mb_substr($post['body_nomarkup'], 0, 120) . '...  _*(POST TRIMMED)*_';
+            $slackmessage = '<' . $config['domain'] . "/mod.php?/" . $board['dir'] . $config['dir']['res'] . ($post['thread'] ? $post['thread'] : $id) . ".html" . ($post['thread'] ? '#' . $id : '') . '> \n ' . $reason . '\n ' . $postcontent . '\n';
 
             $slackresult = slack($slackmessage, $config['slack_channel']);
         }
 
 
         if (isset($config['matrix'])) {
-            $reported_post_url = $config['domain'] . "/mod.php?/" . $board['dir'] . $config['dir']['res'] . ($thread['thread'] ? $thread['thread'] : $id) . ".html";
+            $reported_post_url = $config['domain'] . "/mod.php?/" . $board['dir'] . $config['dir']['res'] . ($post['thread'] ? $post['thread'] : $id) . ".html";
             $post_url = $config['matrix']['host'] . "/_matrix/client/r0/rooms/" . $config['matrix']['room_id'] . "/send/m.room.message?access_token=" . $config['matrix']['access_token'];
 
-            $trimmed_post = strlen($thread['body_nomarkup']) > $config['matrix']['max_message_length'] ? ' [...]' : '';
-            $postcontent = mb_substr($thread['body_nomarkup'], 0, $config['matrix']['max_message_length']) . $trimmed_post;
-            $matrix_message = $reported_post_url . ($thread['thread'] ? '#' . $id : '') . " \nReason:\n" . $reason . " \nPost:\n" . $postcontent . " \n";
+            $trimmed_post = strlen($post['body_nomarkup']) > $config['matrix']['max_message_length'] ? ' [...]' : '';
+            $postcontent = mb_substr($post['body_nomarkup'], 0, $config['matrix']['max_message_length']) . $trimmed_post;
+            $matrix_message = $reported_post_url . ($post['thread'] ? '#' . $id : '') . " \nReason:\n" . $reason . " \nPost:\n" . $postcontent . " \n";
             $post_data = json_encode(
                 array(
                     "msgtype" => "m.text",
@@ -1147,7 +1159,7 @@ function handle_post()
                 if (!$size = @getimagesize($file['tmp_name'])) {
                     error($config['error']['invalidimg']);
                 }
-                if (!in_array($size[2], array(IMAGETYPE_PNG, IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_BMP))) {
+                if (!in_array($size[2], [IMAGETYPE_PNG, IMAGETYPE_GIF, IMAGETYPE_WEBP, IMAGETYPE_JPEG, IMAGETYPE_BMP])) {
                     error($config['error']['invalidimg']);
                 }
                 if ($size[0] > $config['max_width'] || $size[1] > $config['max_height']) {
@@ -1240,10 +1252,10 @@ function handle_post()
                     $thumb->_destroy();
                 }
 
-                if ($config['redraw_image'] || (!@$file['exif_stripped'] && $config['strip_exif'] && ($file['extension'] == 'jpg' || $file['extension'] == 'jpeg'))) {
+                if ($config['redraw_image'] || (!@$file['exif_stripped'] && $config['strip_exif'] && ($file['extension'] == 'jpg' || $file['extension'] == 'jpeg' || $file['extension'] == 'webp' || $file['extension'] == 'png'))) {
                     if (!$config['redraw_image'] && $config['use_exiftool']) {
                         if (
-                            $error = shell_exec_error('exiftool -overwrite_original -ignoreMinorErrors -q -q -all= ' .
+                            $error = shell_exec_error('exiftool -overwrite_original -ignoreMinorErrors -q -q -all= -Orientation ' .
                                 escapeshellarg($file['tmp_name']))
                         ) {
                             error(_('Could not strip EXIF metadata!'), null, $error);

site.conf

@@ -1,16 +0,0 @@
-server {
-    index index.php index.html;
-    error_log  /var/log/nginx/error.log;
-    access_log /var/log/nginx/access.log;
-    root /code;
-
-    location ~ \.php$ {
-        try_files $uri =404;
-        fastcgi_split_path_info ^(.+\.php)(/.+)$;
-        fastcgi_pass php:9000;
-        fastcgi_index index.php;
-        include fastcgi_params;
-        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-        fastcgi_param PATH_INFO $fastcgi_path_info;
-    }
-}