From 8b74a34117974f2dbe3e72b4e5b6d23651d0f5ba Mon Sep 17 00:00:00 2001
From: int2001
Date: Mon, 1 Jul 2024 14:16:42 +0000
Subject: [PATCH 1/2] Removes a security-issue around HRD-Marking and moves the function to Model
---
 application/controllers/Hrdlog.php | 30 +++++++++++------------------
 application/models/Hrdlog_model.php | 20 +++++++++++++++++++
 2 files changed, 31 insertions(+), 19 deletions(-)
diff --git a/application/controllers/Hrdlog.php b/application/controllers/Hrdlog.php
index 814f12810..eadb0e71b 100644
--- a/application/controllers/Hrdlog.php
+++ b/application/controllers/Hrdlog.php
@@ -83,25 +83,17 @@ class Hrdlog extends CI_Controller {
 }
 
 public function mark_hrdlog() {
- // Set memory limit to unlimited to allow heavy usage
- ini_set('memory_limit', '-1');
+ // As far as i did research, this one is ONLY Called by "Mark-QSO" at the UI
+ $this->load->model('hrdlog_model');
+ $this->load->model('stations');
+ $station_id = $this->security->xss_clean($this->input->post('station_profile'));
 
- $station_id = $this->security->xss_clean($this->input->post('station_profile'));
-
- $this->load->model('adif_data');
- $this->load->model('logbook_model');
-
- $data['qsos'] = $this->adif_data->export_custom($this->input->post('from'), $this->input->post('to'), $station_id);
-
- if (isset($data['qsos'])) {
- foreach ($data['qsos']->result() as $qso)
- {
- $this->logbook_model->mark_hrdlog_qsos_sent($qso->COL_PRIMARY_KEY);
- }
- }
-
- $this->load->view('interface_assets/header', $data);
- $this->load->view('hrdlog/mark_hrdlog', $data);
- $this->load->view('interface_assets/footer');
+ $data['qsos']=[];
+ if ($this->stations->check_station_is_accessible($station_id)) { // Hard Exit if station_profile not accessible
+ $data['qsos']=$this->hrdlog_model->mass_mark_hrdlog_sent($station_id,$this->security->xss_clean($this->input->post('from')),$this->security->xss_clean($this->input->post('to')));
+ }
+ $this->load->view('interface_assets/header', $data);
+ $this->load->view('hrdlog/mark_hrdlog', $data);
+ $this->load->view('interface_assets/footer');
 }
 }
diff --git a/application/models/Hrdlog_model.php b/application/models/Hrdlog_model.php
index e39dce4df..246a84580 100644
--- a/application/models/Hrdlog_model.php
+++ b/application/models/Hrdlog_model.php
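Review bot: The comment `// Hard Exit if station_profile not accessible` on the new `if` does not match the code: when `check_station_is_accessible()` returns false the method falls through and renders the same three views with `$data['qsos']` still `[]`, so the caller gets an ordinary page and no signal that the request was refused. Either reword it, e.g. `// Skip marking when the station profile is not accessible; the page still renders with nothing marked`, or actually stop with `show_error('Station profile not accessible', 403);` in an else branch so the refusal is visible to the user and in the logs. Separately, `$data['qsos']` used to hold the `export_custom()` result object and now holds either `[]` or the integer returned by `mass_mark_hrdlog_sent()`; if the `hrdlog/mark_hrdlog` view (not in this diff) still iterates `$qsos->result()`, it will fail, so the view should be checked alongside this change.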
@@ -94,6 +94,26 @@ class Hrdlog_model extends CI_Model {
 return $result;
 }
 
+ function mass_mark_hrdlog_sent($station_id, $from, $till) {
+ // Set memory limit to unlimited to allow heavy usage
+ ini_set('memory_limit', '-1');
+
+ $this->load->model('adif_data');
+ $this->load->model('logbook_model');
+
+ $qsos = $this->adif_data->export_custom($from, $till, $station_id);
+
+ if (isset($qsos)) {
+ foreach ($qsos->result() as $qso) {
+ $mark_them[]=$qso->COL_PRIMARY_KEY;
+ }
+ $sql="update ".$this->config->item('table_name')." set COL_HRDLOG_QSO_UPLOAD_DATE='".date("Y-m-d H:i:s", strtotime("now"))."', COL_HRDLOG_QSO_UPLOAD_STATUS='Y' where col_primary_key in (".implode(',', array_values($mark_them)).") and station_id=".$station_id;
+ $query = $this->db->query($sql);
+ return $this->db->affected_rows();
+ }
+ return 0;
+ }
+
 /*
 * Function marks QSO with given primarykey as uploaded to hrdlog
 */
From 31dcf8de7035fb783149c052d29eae28e6687f61 Mon Sep 17 00:00:00 2001
From: int2001
Date: Mon, 1 Jul 2024 15:17:22 +0000
Subject: [PATCH 2/2] Added COL_HRDLOG_QSO_UPLOAD_STATUS != 'Y' to the Update-query
---
 application/models/Hrdlog_model.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/application/models/Hrdlog_model.php b/application/models/Hrdlog_model.php
index 246a84580..6e44ea47b 100644
--- a/application/models/Hrdlog_model.php
+++ b/application/models/Hrdlog_model.php
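Review bot: `$station_id` is still concatenated straight into the UPDATE statement at `and station_id=".$station_id`, and the IN list is built the same way via `implode`, so the model itself has no protection should any caller other than the new controller path (which runs `check_station_is_accessible()` first) reach it; the same statement is rewritten again in the [PATCH 2/2] hunk below, which inherits the issue. Build the statement through the Query Builder (`where_in`, `where`, `update`) or pass `?` bindings to `$this->db->query()` so the driver escapes both values. A second defect is the empty result case: when `export_custom()` returns a result with no rows, `$mark_them` is never assigned, and `array_values($mark_them)` throws a TypeError on PHP 8 (on PHP 7 it warns and produces a malformed `in ()` clause), so the loop needs an explicit empty check before the query. `$query` is assigned but never read, and the `logbook_model` load is no longer used by this function; `date("Y-m-d H:i:s", strtotime("now"))` is just `date('Y-m-d H:i:s')`.
```php
	function mass_mark_hrdlog_sent($station_id, $from, $till) {
		// … unchanged: memory_limit and adif_data model load …
		$qsos = $this->adif_data->export_custom($from, $till, $station_id);

		$mark_them = [];
		if (isset($qsos)) {
			foreach ($qsos->result() as $qso) {
				$mark_them[] = $qso->COL_PRIMARY_KEY;
			}
		}
		if ($mark_them === []) {
			return 0; // nothing to mark; also avoids an "in ()" statement
		}
		// Let the driver escape the key list and the station id instead of concatenating them
		$this->db->where_in('col_primary_key', $mark_them);
		$this->db->where('station_id', $station_id);
		$this->db->update($this->config->item('table_name'), [
			'COL_HRDLOG_QSO_UPLOAD_DATE' => date('Y-m-d H:i:s'),
			'COL_HRDLOG_QSO_UPLOAD_STATUS' => 'Y',
		]);
		return $this->db->affected_rows();
	}
```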
@@ -107,7 +107,7 @@ class Hrdlog_model extends CI_Model {
 foreach ($qsos->result() as $qso) {
 $mark_them[]=$qso->COL_PRIMARY_KEY;
 }
- $sql="update ".$this->config->item('table_name')." set COL_HRDLOG_QSO_UPLOAD_DATE='".date("Y-m-d H:i:s", strtotime("now"))."', COL_HRDLOG_QSO_UPLOAD_STATUS='Y' where col_primary_key in (".implode(',', array_values($mark_them)).") and station_id=".$station_id;
+ $sql="update ".$this->config->item('table_name')." set COL_HRDLOG_QSO_UPLOAD_DATE='".date("Y-m-d H:i:s", strtotime("now"))."', COL_HRDLOG_QSO_UPLOAD_STATUS='Y' where COL_HRDLOG_QSO_UPLOAD_STATUS != 'Y' and col_primary_key in (".implode(',', array_values($mark_them)).") and station_id=".$station_id;
 $query = $this->db->query($sql);
 return $this->db->affected_rows();
 }
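Review bot: The added predicate `COL_HRDLOG_QSO_UPLOAD_STATUS != 'Y'` excludes rows where that column is NULL, because `NULL != 'Y'` evaluates to NULL rather than true in SQL; if never-uploaded QSOs carry NULL instead of `'N'` in this column (the diff does not show the schema), such rows would now never be marked. Write the condition NULL-safe, e.g. `where (COL_HRDLOG_QSO_UPLOAD_STATUS IS NULL or COL_HRDLOG_QSO_UPLOAD_STATUS != 'Y') and col_primary_key in (`, or `where COALESCE(COL_HRDLOG_QSO_UPLOAD_STATUS, 'N') != 'Y' and ...`. Note that the new clause also changes what `affected_rows()` reports to the controller (only rows newly marked, not every row in the range), which looks intended but should be stated in the function's doc comment. The enclosing `mass_mark_hrdlog_sent()` starts and ends outside this hunk.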