
Implemented ID obfuscation in telemetry.php and results/index.php

adolfintel 6 年之前
父節點
當前提交
7b1d8995e1

+ 1 - 2
.gitignore

@@ -1,2 +1 @@
-ugly.bat
-wishlist.txt
+telemetry/idObfuscation_salt.php

+ 2 - 2
example-telemetry-resultSharing.html

@@ -190,8 +190,8 @@ function startStop(){
 				if(status==4){
 					//if testId is present, show sharing panel, otherwise do nothing
 					try{
-						var testId=Number(data.testId);
-						if(!isNaN(testId)){
+						var testId=data.testId;
+						if(testId!=null){
 							var shareURL=window.location.href.substring(0,window.location.href.lastIndexOf("/"))+"/results/?id="+testId;
 							I("resultsImg").src=shareURL;
 							I("resultsURL").value=shareURL;
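Review bot: `testId` is now an opaque string taken from the server response and is spliced into `shareURL` (and from there into the image `src` and the text field) without any encoding. The base-36 output of the new PHP code only contains alphanumerics, so this works today, but `"/results/?id="+encodeURIComponent(testId)` on the `shareURL` line costs nothing and keeps the URL well-formed if the id format changes again. `startStop` continues outside the hunk.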

+ 2 - 0
results/index.php

@@ -52,6 +52,8 @@ $WATERMARK_TEXT="HTML5 Speedtest";
 
 $id=$_GET["id"];
 include_once('../telemetry/telemetry_settings.php');
+require '../telemetry/idObfuscation.php';
+if($enable_id_obfuscation) $id=deobfuscateId($id);
 $conn=null; $q=null;
 $ispinfo=null; $dl=null; $ul=null; $ping=null; $jit=null;
 if($db_type=="mysql"){
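Review bot: `$enable_id_obfuscation` is read on the new `if` line without a guard, so a deployment whose telemetry_settings.php predates this commit will not define it and every result view emits an undefined-variable notice; the same applies to the three `echo` lines added in telemetry.php. `if(!empty($enable_id_obfuscation)) $id=deobfuscateId($id);` keeps the effective default of "off" without the notice. `$id` also comes straight from `$_GET["id"]`, and `base_convert` silently drops characters outside base 36 (with a deprecation on PHP 7.4+), so a malformed id is likely to decode to some other numeric id rather than fail; a check such as `if(!preg_match('/^[0-9a-zA-Z]+$/',$id)) die("-1");` before the decode makes the rejection explicit. The hunk ends before `$id` is used, so how it reaches the query is not visible here.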

+ 6 - 7
speedtest_worker.js

@@ -173,7 +173,7 @@ this.addEventListener("message", function(e) {
 				if (settings.telemetry_level > 0)
 					sendTelemetry(function(id) {
 						testStatus = 4;
-						if (id != -1) testId = id;
+						if (id != null) testId = id;
 					});
 				else testStatus = 4;
 				return;
@@ -662,15 +662,14 @@ function sendTelemetry(done) {
 			var parts = xhr.responseText.split(" ");
 			if (parts[0] == "id") {
 				try {
-					var id = Number(parts[1]);
-					if (!isNaN(id)) done(id);
-					else done(-1);
+					var id = parts[1];
+					done(id);
 				} catch (e) {
-					done(-1);
+					done(null);
 				}
-			} else done(-1);
+			} else done(null);
 		} catch (e) {
-			done(-1);
+			done(null);
 		}
 	};
 	xhr.onerror = function() {
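Review bot: With `var id = parts[1]; done(id);` an empty second token (a response of `"id "`) is passed through as `""`, and the `if (id != null) testId = id;` check in the first hunk accepts it, leaving `testId` set to an empty string where the old code would have left it unset; the surrounding `try` also no longer guards anything, since indexing an array cannot throw. A truthiness check restores the old "no id" path: `if (parts[0] == "id" && parts[1]) done(parts[1]); else done(null);`. `sendTelemetry` continues outside the hunk.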

+ 0 - 0
speedtest_worker.min.js


+ 34 - 0
telemetry/idObfuscation.php

@@ -0,0 +1,34 @@
+<?php
+function getObfuscationSalt(){
+	if(file_exists("idObfuscation_salt.php")){
+		require "idObfuscation_salt.php";
+	}else{
+		$bytes=openssl_random_pseudo_bytes(4);
+		$sf=fopen("idObfuscation_salt.php","w");
+		fwrite($sf,chr(60)."?php\n");
+		fwrite($sf,'$OBFUSCATION_SALT=0x'.bin2hex($bytes).";\n");
+		fwrite($sf,"?".chr(62));
+		fclose($sf);
+		require "idObfuscation_salt.php";
+	}
+	return isset($OBFUSCATION_SALT)?$OBFUSCATION_SALT:0;
+}
+function obfdeobf($id){
+	$salt=getObfuscationSalt()&0xFFFFFFFF;
+	$id=$id&0xFFFFFFFF;
+	for($i=0;$i<16;$i++){
+		$id=$id^$salt;
+		$id=(($id>>1)&0xFFFFFFFF)|(($id&0x00000001)<<31);
+		$salt=(($salt<<1)&0xFFFFFFFF)|(($salt&0xA0000000)>>31);
+	}
+	return $id;
+}
+function obfuscateId($id){
+	return base_convert(obfdeobf($id),10,36);
+}
+function deobfuscateId($id){
+	return obfdeobf(base_convert($id,36,10));
+}
+
+//IMPORTANT: DO NOT ADD ANYTHING BELOW THE PHP CLOSING TAG, NOT EVEN EMPTY LINES!
+?>
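Review bot: `file_exists("idObfuscation_salt.php")`, the `fopen` and both `require` calls in `getObfuscationSalt` resolve the salt file against the current working directory, which is `telemetry/` when telemetry.php runs but `results/` when results/index.php loads this file via `../telemetry/idObfuscation.php`; each script is therefore likely to create and read its own salt file, and an ID obfuscated on one side will not deobfuscate on the other. Anchoring the path with `__DIR__` fixes this and matches the `.gitignore` entry, which expects the file under `telemetry/`. The return values of `openssl_random_pseudo_bytes` and `fopen` are also unchecked, so an unwritable directory produces `fwrite` warnings followed by a `require` of a file that was never created. The `0xA0000000` mask in the salt rotation behaves like `0x80000000` (bit 29 is shifted out by `>>31`), but the intent of a 32-bit rotate-left is clearer with `0x80000000`.
```php
function getObfuscationSalt(){
	// Resolve the salt file against this file's directory, not the caller's CWD
	$saltFile=__DIR__."/idObfuscation_salt.php";
	if(!file_exists($saltFile)){
		$bytes=openssl_random_pseudo_bytes(4);
		if($bytes===false) die("salt generation failed");
		$sf=fopen($saltFile,"w");
		if($sf===false) die("cannot write salt file");
		fwrite($sf,chr(60)."?php\n");
		fwrite($sf,'$OBFUSCATION_SALT=0x'.bin2hex($bytes).";\n");
		fwrite($sf,"?".chr(62));
		fclose($sf);
	}
	require $saltFile;
	return isset($OBFUSCATION_SALT)?$OBFUSCATION_SALT:0;
}
```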

+ 7 - 3
telemetry/telemetry.php

@@ -1,5 +1,6 @@
 <?php
 include_once('telemetry_settings.php');
+require 'idObfuscation.php';
 
 $ip=($_SERVER['REMOTE_ADDR']);
 $ispinfo=($_POST["ispinfo"]);
@@ -18,7 +19,8 @@ if($db_type=="mysql"){
     $stmt->bind_param("ssssssssss",$ip,$ispinfo,$extra,$ua,$lang,$dl,$ul,$ping,$jitter,$log) or die("3");
 	$stmt->execute() or die("4");
     $stmt->close() or die("5");
-	echo "id ".$conn->insert_id;
+	$id=$conn->insert_id;
+	echo "id ".($enable_id_obfuscation?obfuscateId($id):$id);
     $conn->close() or die("6");
 
 }elseif($db_type=="sqlite"){
@@ -41,7 +43,8 @@ if($db_type=="mysql"){
     ");
     $stmt = $conn->prepare("INSERT INTO speedtest_users (ip,ispinfo,extra,ua,lang,dl,ul,ping,jitter,log) VALUES (?,?,?,?,?,?,?,?,?,?)") or die("2");
     $stmt->execute(array($ip,$ispinfo,$extra,$ua,$lang,$dl,$ul,$ping,$jitter,$log)) or die("3");
-	echo "id ".$conn->lastInsertId();
+	$id=$conn->lastInsertId();
+	echo "id ".($enable_id_obfuscation?obfuscateId($id):$id);
     $conn = null;
 }elseif($db_type=="postgresql"){
     // Prepare connection parameters for db connection
@@ -53,7 +56,8 @@ if($db_type=="mysql"){
     $conn = new PDO("pgsql:$conn_host;$conn_db;$conn_user;$conn_password") or die("1");
     $stmt = $conn->prepare("INSERT INTO speedtest_users (ip,ispinfo,extra,ua,lang,dl,ul,ping,jitter,log) VALUES (?,?,?,?,?,?,?,?,?,?)") or die("2");
     $stmt->execute(array($ip,$ispinfo,$extra,$ua,$lang,$dl,$ul,$ping,$jitter,$log)) or die("3");
-	echo "id ".$conn->lastInsertId();
+	$id=$conn->lastInsertId();
+	echo "id ".($enable_id_obfuscation?obfuscateId($id):$id);
     $conn = null;
 }
 else die("-1");
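Review bot: The expression `($enable_id_obfuscation?obfuscateId($id):$id)` is repeated verbatim in the mysql, sqlite and postgresql branches of this file. A small helper next to `obfuscateId` in idObfuscation.php, e.g. `function formatId($id,$enabled){ return $enabled?obfuscateId($id):$id; }`, would keep the three output paths in step if the format changes again and gives one place to guard against `$enable_id_obfuscation` being undefined in older settings files.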

+ 1 - 0
telemetry/telemetry_settings.php

@@ -2,6 +2,7 @@
 
 $db_type="mysql"; //Type of db: "mysql", "sqlite" or "postgresql"
 $stats_password="PASSWORD"; //password to login to stats.php. Change this!!!
+$enable_id_obfuscation=true; //if set to true, test IDs will be obfuscated to prevent users from guessing URLs of other tests
 
 // Sqlite3 settings
 $Sqlite_db_file = "../../telemetry.sql";
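Review bot: The comment on the new `$enable_id_obfuscation` line promises more than the mechanism in idObfuscation.php delivers: IDs become non-sequential, but the transform is a fixed 32-bit XOR/rotation keyed by a salt stored beside the code, so it is reversible by anyone holding the salt and is not a substitute for access control on result pages. Suggest wording it as `//if set to true, test IDs are obfuscated so result URLs are not sequential (harder to guess; this is not access control)`.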
