1<?php
2// checkupdates.php -- HotCRP update checker helper
3// Copyright (c) 2006-2018 Eddie Kohler; see LICENSE.
4
5require_once("src/initweb.php");
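header("Content-Type: " . ($Qreq->text ? "text/plain" : "application/json"));

// An administrator may silence one advisory for two days. This is a state
// change, so it requires a CSRF-checked POST (post_ok()). The identifier is
// restricted to alphanumerics to match the consumer below, which only ever
// looks up `ignoreupdate_<errid>` for alphanumeric errids -- any other value
// would be dead data in the Settings table.
if ($Me->privChair
    && $Qreq->post_ok()
    && isset($Qreq->ignore)
    && ctype_alnum("" . $Qreq->ignore)) {
    $when = time() + 86400 * 2;  // mute expiry: two days from now (Unix time)
    // Parameterised upsert; the setting name is bound, never interpolated.
    $Conf->qe("insert into Settings (name, value) values (?, ?) on duplicate key update value=?",
              "ignoreupdate_" . $Qreq->ignore, $when, $when);
}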
12
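$messages = array();
// The client posts, in `data`, the advisory feed it fetched from the HotCRP
// update server. Each entry is rendered for the administrator only when its
// `opt` / `settings` predicates match this installation and it has not been
// muted via `ignoreupdate_<errid>`.
// NOTE(review): this branch is reachable without post_ok(); its only state
// change is resetting $_SESSION["updatecheck"].
if ($Me->privChair
    && isset($Qreq->data)
    && is_string($Qreq->data)
    && ($data = json_decode($Qreq->data, true))
    && is_array($data)
    && isset($data["updates"])
    && is_array($data["updates"])) {
    foreach ($data["updates"] as $update) {
        // A well-formed entry is an object. A bare scalar would otherwise
        // pass every isset() below and emit a generic, un-mutable warning.
        if (!is_array($update))
            continue;
        $ok = true;

        // `opt` predicates: each key names a $Conf option whose value must
        // equal $v (loose ==, so "1" matches 1); a leading "-" negates.
        if (isset($update["opt"]) && is_array($update["opt"]))
            foreach ($update["opt"] as $k => $v) {
                $k = "" . $k;  // JSON objects can yield integer keys
                $negate = $k !== "" && $k[0] === "-";
                $kk = $negate ? substr($k, 1) : $k;
                $test = $Conf->opt($kk, null) == $v;
                $ok = $ok && ($negate ? !$test : $test);
            }

        // `settings` predicates: "[!<>]?(-?\d+|now)" compared against the
        // integer $Conf setting of that name (0 when unset). Non-scalar or
        // malformed predicates are skipped rather than failing the entry
        // (preg_match on an array would be a TypeError on PHP 8).
        if (isset($update["settings"]) && is_array($update["settings"]))
            foreach ($update["settings"] as $k => $v) {
                if (!is_scalar($v)
                    || !preg_match('/\A([!<>]?)(-?\d+|now)\z/', "" . $v, $m))
                    continue;
                $setting = $Conf->setting($k, 0);
                $rhs = $m[2] === "now" ? time() : +$m[2];
                if ($m[1] === "!")
                    $test = $setting != $rhs;
                else if ($m[1] === ">")
                    $test = $setting > $rhs;
                else if ($m[1] === "<")
                    $test = $setting < $rhs;
                else
                    $test = $setting == $rhs;
                $ok = $ok && $test;
            }

        // `errid` names the advisory for the two-day mute. Only a scalar,
        // purely alphanumeric value is accepted (an array would stringify to
        // "Array" and pass ctype_alnum), so it can be embedded in HTML
        // attributes and setting names below without further escaping.
        // Compare against false rather than truthiness so errid "0" works.
        $errid = false;
        if (isset($update["errid"])
            && is_scalar($update["errid"])
            && ctype_alnum("" . $update["errid"]))
            $errid = "" . $update["errid"];
        if ($errid !== false && $Conf->setting("ignoreupdate_$errid", 0) > time())
            $ok = false;
        if (!$ok)
            continue;

        $html = "<div class='msg msg-error'";
        if ($errid !== false)
            $html .= " id='softwareupdate_$errid'";
        $html .= " style='font-size:smaller'><div class='dod'><strong>WARNING: Upgrade your HotCRP installation.</strong>";
        // `vulnid` is emitted only when numeric; escape anyway so output
        // safety does not hinge on is_numeric's accepted character set.
        if (isset($update["vulnid"]) && is_numeric($update["vulnid"]))
            $html .= " (HotCRP-Vulnerability-" . htmlspecialchars("" . $update["vulnid"]) . ")";
        $html .= "</div>";
        // Feed-supplied HTML goes through the project sanitizer, never raw.
        // NOTE(review): $error is not inspected here; confirm CleanHTML::clean
        // returns a safe value (not the unsanitized input) on rejection.
        if (isset($update["message"]) && is_string($update["message"]))
            $html .= "<div class='bigid'>" . CleanHTML::clean($update["message"], $error) . "</div>";
        if (isset($update["to"]) && is_string($update["to"])) {
            $html .= "<div class='bigid'>First unaffected commit: " . htmlspecialchars($update["to"]);
            if ($errid !== false)
                $html .= ' <span class="barsep">·</span> '
                    . '<a class="ui js-check-version-ignore" href="" data-version-id="' . $errid . '">Ignore for two days</a>';
            $html .= "</div>";
        }
        $messages[] = $html . "</div>\n";
        // Force the next page load to re-run the version check.
        $_SESSION["updatecheck"] = 0;
    }
}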
69
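// Respond with the rendered advisories. The "messages" key is present
// exactly when at least one advisory was rendered; the previous ternary had
// its branches swapped, so a non-empty $messages was never sent to the
// client and an empty one produced "messages" => "".
$response = ["ok" => true];
if ($messages)
    $response["messages"] = join("", $messages);
json_exit($response);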
71