From 059a0860af2cd4d1e352076b1ea8134b10596955 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Krac=C3=ADk?= <petrkr@petrkr.net>
Date: Sun, 27 Aug 2023 14:53:57 +0200
Subject: [PATCH] eSQL: Security fix, use HTTPS to send password over the
 internet
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Petr Kracík <petrkr@petrkr.net>
---
 application/config/migration.php               |  2 +-
 application/controllers/Eqsl.php               |  4 ++--
 application/libraries/EqslImporter.php         |  2 +-
 application/migrations/139_modify_eQSL_url.php | 16 ++++++++++++++++
 application/models/Eqslmethods_model.php       |  4 ++--
 application/views/eqsl/import.php              |  2 +-
 6 files changed, 23 insertions(+), 7 deletions(-)
 create mode 100644 application/migrations/139_modify_eQSL_url.php

diff --git a/application/config/migration.php b/application/config/migration.php
index 51eebc64..e4c7db9a 100644
--- a/application/config/migration.php
+++ b/application/config/migration.php
@@ -22,7 +22,7 @@ $config['migration_enabled'] = TRUE;
 |
 */
 
-$config['migration_version'] = 138;
+$config['migration_version'] = 139;
 
 /*
 |--------------------------------------------------------------------------
diff --git a/application/controllers/Eqsl.php b/application/controllers/Eqsl.php
index 8bb72380..f6a29e6b 100644
--- a/application/controllers/Eqsl.php
+++ b/application/controllers/Eqsl.php
@@ -277,13 +277,13 @@ class eqsl extends CI_Controller {
 		return $table;
 	}
 
-	// Build out the ADIF info string according to specs http://eqsl.cc/qslcard/ADIFContentSpecs.cfm
+	// Build out the ADIF info string according to specs https://eqsl.cc/qslcard/ADIFContentSpecs.cfm
 	function generateAdif($qsl, $data) {
 		$COL_QSO_DATE = date('Ymd',strtotime($qsl['COL_TIME_ON']));
 		$COL_TIME_ON = date('Hi',strtotime($qsl['COL_TIME_ON']));
 		
 		# Set up the single record file
-		$adif = "http://www.eqsl.cc/qslcard/importADIF.cfm?";
+		$adif = "https://www.eqsl.cc/qslcard/importADIF.cfm?";
 		$adif .= "ADIFData=CloudlogUpload%20";
 		
 		/* Handy reference of escaping chars
diff --git a/application/libraries/EqslImporter.php b/application/libraries/EqslImporter.php
index 087ca036..2ca8ff4b 100644
--- a/application/libraries/EqslImporter.php
+++ b/application/libraries/EqslImporter.php
@@ -111,7 +111,7 @@ class EqslImporter
 							foreach ($matches[2] as $match) {
 								// Look for the link that has the .adi file, and download it to $file
 								if (substr($match, -4, 4) == ".adi") {
-									file_put_contents($this->adif_file, file_get_contents("http://eqsl.cc/qslcard/" . $match));
+									file_put_contents($this->adif_file, file_get_contents("https://eqsl.cc/qslcard/" . $match));
 									return $this->import();
 								}
 							}
diff --git a/application/migrations/139_modify_eQSL_url.php b/application/migrations/139_modify_eQSL_url.php
new file mode 100644
index 00000000..ab8cbba4
--- /dev/null
+++ b/application/migrations/139_modify_eQSL_url.php
@@ -0,0 +1,16 @@
+<?php defined('BASEPATH') OR exit('No direct script access allowed');
+
+class Migration_modify_eQSL_url extends CI_Migration {
+
+	public function up()
+	{
+		$sql = "UPDATE config SET eqsl_download_url = 'https://www.eqsl.cc/qslcard/DownloadInBox.cfm' WHERE id=1";
+		$this->db->query($sql);
+	}
+
+	public function down()
+	{
+		// Will not go back to insecure connections
+	}
+}
+?>
diff --git a/application/models/Eqslmethods_model.php b/application/models/Eqslmethods_model.php
index 5ad652dd..5972bd5d 100644
--- a/application/models/Eqslmethods_model.php
+++ b/application/models/Eqslmethods_model.php
@@ -154,8 +154,8 @@ class Eqslmethods_model extends CI_Model {
     }
 
     // Update a QSO with eQSL QSL info
-    // We could also probably use this use this: http://eqsl.cc/qslcard/VerifyQSO.txt
-    // http://www.eqsl.cc/qslcard/ImportADIF.txt
+    // We could also probably use this use this: https://eqsl.cc/qslcard/VerifyQSO.txt
+    // https://www.eqsl.cc/qslcard/ImportADIF.txt
     function eqsl_update($datetime, $callsign, $band, $mode, $qsl_status,$station_callsign) {
         $data = array(
             'COL_EQSL_QSLRDATE' => date('Y-m-d H:i:s'), // eQSL doesn't give us a date, so let's use current
diff --git a/application/views/eqsl/import.php b/application/views/eqsl/import.php
index 2c9edf72..f0167906 100644
--- a/application/views/eqsl/import.php
+++ b/application/views/eqsl/import.php
@@ -30,7 +30,7 @@
 			    Import from file...
 			  </label>
  			  <br><br>
-			  <p>Upload the Exported ADIF file from eQSL from the <a href="http://eqsl.cc/qslcard/DownloadInBox.cfm" target="_blank">Download Inbox</a> page, to mark QSOs as confirmed on eQSL.</p>
+			  <p>Upload the Exported ADIF file from eQSL from the <a href="https://eqsl.cc/qslcard/DownloadInBox.cfm" target="_blank">Download Inbox</a> page, to mark QSOs as confirmed on eQSL.</p>
 					<p><span class="label important">Important</span> Log files must have the file type .adi</p>
 					<input type="file" name="userfile" size="20" />
 			  <br/><br/>