cacert-webdb/www/disputes.php

467 lines
19 KiB
PHP
Raw Normal View History

2005-03-12 19:40:24 +00:00
<? /*
2008-04-06 19:45:09 +00:00
LibreSSL - CAcert web application
Copyright (C) 2004-2008 CAcert Inc.
2005-03-12 19:40:24 +00:00
2008-04-06 19:45:09 +00:00
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; version 2 of the License.
2005-03-12 19:40:24 +00:00
2008-04-06 19:45:09 +00:00
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
2005-03-12 19:40:24 +00:00
2008-04-06 19:45:09 +00:00
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
2005-03-12 19:40:24 +00:00
*/ ?>
<?
require_once("../includes/loggedin.php");
require_once("../includes/notary.inc.php");
2005-03-12 19:40:24 +00:00
loadem("account");
2008-09-01 22:06:26 +00:00
$type=""; if(array_key_exists('type',$_REQUEST)) $type=$_REQUEST['type'];
2009-01-16 16:09:03 +00:00
$action=""; if(array_key_exists('action',$_REQUEST)) $action=sanitizeHTML($_REQUEST['action']);
2008-09-01 22:06:26 +00:00
2005-03-12 19:40:24 +00:00
if($type == "reallyemail")
{
$emailid = intval($_SESSION['_config']['emailid']);
$hash = mysql_escape_string(trim($_SESSION['_config']['hash']));
$res = mysql_query("select * from `disputeemail` where `id`='$emailid' and `hash`='$hash'");
if(mysql_num_rows($res) <= 0)
{
showheader(_("Email Dispute"));
echo _("This dispute no longer seems to be in the database, can't continue.");
showfooter();
exit;
}
$row = mysql_fetch_assoc($res);
$oldmemid = $row['oldmemid'];
if($action == "reject")
{
2008-09-03 18:36:33 +00:00
mysql_query("update `disputeemail` set hash='',action='reject' where `id`='".intval($emailid)."'");
2005-03-12 19:40:24 +00:00
showheader(_("Email Dispute"));
echo _("You have opted to reject this dispute and the request will be removed from the database");
showfooter();
exit;
}
if($action == "accept")
{
showheader(_("Email Dispute"));
echo "<p>"._("You have opted to accept this dispute and the request will now remove this email address from the existing account, and revoke any current certificates.")."</p>";
echo "<p>"._("The following accounts have been removed:")."<br>\n";
2008-09-03 18:36:33 +00:00
$query = "select * from `email` where `id`='".intval($emailid)."' and deleted=0";
2005-03-12 19:40:24 +00:00
$res = mysql_query($query);
if(mysql_num_rows($res) > 0)
{
$row = mysql_fetch_assoc($res);
echo $row['email']."<br>\n";
account_email_delete($row['id']);
2005-03-12 19:40:24 +00:00
}
mysql_query("update `disputeemail` set hash='',action='accept' where `id`='$emailid'");
$rc = mysql_num_rows(mysql_query("select * from `domains` where `memid`='$oldmemid' and `deleted`=0"));
$rc2 = mysql_num_rows(mysql_query("select * from `email` where `memid`='$oldmemid' and `deleted`=0 and `id`!='$emailid'"));
$res = mysql_query("select * from `users` where `id`='$oldmemid'");
$user = mysql_fetch_assoc($res);
2005-03-12 19:40:24 +00:00
if($rc == 0 && $rc2 == 0 && $_SESSION['_config']['email'] == $user['email'])
{
mysql_query("update `users` set `deleted`=NOW() where `id`='$oldmemid'");
echo _("This was the primary email on the account, and no emails or domains were left linked so the account has also been removed from the system.");
}
showfooter();
exit;
}
}
if($type == "email")
{
2009-01-01 13:26:51 +00:00
$emailid = intval($_REQUEST['emailid']);
$hash = trim(mysql_escape_string(stripslashes($_REQUEST['hash'])));
2005-03-12 19:40:24 +00:00
if($emailid <= 0 || $hash == "")
{
showheader(_("Email Dispute"));
echo _("Invalid request. Can't continue.");
showfooter();
exit;
}
$res = mysql_query("select * from `disputeemail` where `id`='$emailid' and `hash`='$hash'");
if(mysql_num_rows($res) <= 0)
{
$res = mysql_query("select * from `disputeemail` where `id`='$emailid' and hash!=''");
if(mysql_num_rows($res) > 0)
{
$row = mysql_fetch_assoc($res);
mysql_query("update `disputeemail` set `attempts`='".intval($row['attempts'] + 1)."' where `id`='".$row['id']."'");
showheader(_("Email Dispute"));
if($row['attempts'] >= 3)
{
echo _("Your attempt to accept or reject a disputed email is invalid due to the hash string not matching with the email ID. Your attempt has been logged and the request will be removed from the system as a result.");
mysql_query("update `disputeemail` set hash='',action='failed' where `id`='$emailid'");
} else
echo _("Your attempt to accept or reject a disputed email is invalid due to the hash string not matching with the email ID.");
showfooter();
exit;
} else {
showheader(_("Email Dispute"));
echo _("Invalid request. Can't continue.");
showfooter();
exit;
}
}
$_SESSION['_config']['emailid'] = $emailid;
$_SESSION['_config']['hash'] = $hash;
$row = mysql_fetch_assoc(mysql_query("select * from `disputeemail` where `id`='$emailid'"));
$_SESSION['_config']['email'] = $row['email'];
showheader(_("Email Dispute"));
includeit("4", "disputes");
showfooter();
exit;
}
if($type == "reallydomain")
{
$domainid = intval($_SESSION['_config']['domainid']);
$hash = mysql_escape_string(trim($_SESSION['_config']['hash']));
$res = mysql_query("select * from `disputedomain` where `id`='$domainid' and `hash`='$hash'");
if(mysql_num_rows($res) <= 0)
{
showheader(_("Domain Dispute"));
echo _("This dispute no longer seems to be in the database, can't continue.");
showfooter();
exit;
}
if($action == "reject")
{
mysql_query("update `disputedomain` set hash='',action='reject' where `id`='$domainid'");
showheader(_("Domain Dispute"));
echo _("You have opted to reject this dispute and the request will be removed from the database");
showfooter();
exit;
}
if($action == "accept")
{
showheader(_("Domain Dispute"));
echo "<p>"._("You have opted to accept this dispute and the request will now remove this domain from the existing account, and revoke any current certificates.")."</p>";
echo "<p>"._("The following accounts have been removed:")."<br>\n";
//new account_domain_delete($domainid, $memberID)
2005-03-12 19:40:24 +00:00
$query = "select * from `domains` where `id`='$domainid' and deleted=0";
$res = mysql_query($query);
if(mysql_num_rows($res) > 0)
{
echo $_SESSION['_config']['domain']."<br>\n";
account_domain_delete($domainid);
2005-03-12 19:40:24 +00:00
}
mysql_query("update `disputedomain` set hash='',action='accept' where `id`='$domainid'");
showfooter();
exit;
}
}
if($type == "domain")
{
2009-01-01 13:26:51 +00:00
$domainid = intval($_REQUEST['domainid']);
$hash = trim(mysql_escape_string(stripslashes($_REQUEST['hash'])));
2005-03-12 19:40:24 +00:00
if($domainid <= 0 || $hash == "")
{
showheader(_("Domain Dispute"));
echo _("Invalid request. Can't continue.");
showfooter();
exit;
}
$res = mysql_query("select * from `disputedomain` where `id`='$domainid' and `hash`='$hash'");
if(mysql_num_rows($res) <= 0)
{
$res = mysql_query("select * from `disputedomain` where `id`='$domainid' and hash!=''");
if(mysql_num_rows($res) > 0)
{
$row = mysql_fetch_assoc($res);
mysql_query("update `disputedomain` set `attempts`='".intval($row['attempts'] + 1)."' where `id`='".$row['id']."'");
showheader(_("Domain Dispute"));
if($row['attempts'] >= 3)
{
echo _("Your attempt to accept or reject a disputed domain is invalid due to the hash string not matching with the domain ID. Your attempt has been logged and the request will be removed from the system as a result.");
mysql_query("update `disputedomain` set hash='',action='failed' where `id`='$domainid'");
} else
echo _("Your attempt to accept or reject a disputed domain is invalid due to the hash string not matching with the domain ID.");
showfooter();
exit;
} else {
showheader(_("Domain Dispute"));
echo _("Invalid request. Can't continue.");
showfooter();
exit;
}
}
$_SESSION['_config']['domainid'] = $domainid;
$_SESSION['_config']['hash'] = $hash;
$row = mysql_fetch_assoc(mysql_query("select * from `disputedomain` where `id`='$domainid'"));
$_SESSION['_config']['domain'] = $row['domain'];
showheader(_("Domain Dispute"));
includeit("6", "disputes");
showfooter();
exit;
}
if($oldid == "1")
{
2009-09-20 17:32:57 +00:00
csrf_check('emaildispute');
2008-09-01 22:19:28 +00:00
$email = trim(mysql_escape_string(stripslashes($_REQUEST['dispute'])));
2005-03-12 19:40:24 +00:00
if($email == "")
{
showheader(_("Email Dispute"));
echo _("Not a valid email address. Can't continue.");
showfooter();
exit;
}
//check if email belongs to locked account
$res = mysql_query("select 1 from `email`, `users` where `email`.`email`='$email' and `email`.`memid`=`users`.`id` and (`users`.`assurer_blocked`=1 or `users`.`locked`=1)");
if(mysql_num_rows($res) > 0)
{
showheader(_("Email Dispute"));
printf(_("Sorry, the email address '%s' cannot be disputed for administrative reasons. To solve this problem please get in contact with %s."), sanitizeHTML($email),"<a href='mailto:support@cacert.org'>support@cacert.org</a>");
$duser=$_SESSION['profile']['fname']." ".$_SESSION['profile']['lname'];
$body = sprintf("Someone has just attempted to dispute this email '%s', which belongs to a locked account:\n".
"Username(ID): %s (%s)\n".
"email: %s\n".
"IP/Hostname: %s\n", $email, $duser, $_SESSION['profile']['id'], $_SESSION['profile']['email'], $_SERVER['REMOTE_ADDR'].(array_key_exists('REMOTE_HOST',$_SERVER)?"/".$_SERVER['REMOTE_HOST']:""));
sendmail("support@cacert.org", "[CAcert.org] failed dispute on locked account", $body, $_SESSION['profile']['email'], "", "", $duser);
showfooter();
exit;
}
2005-03-12 19:40:24 +00:00
$res = mysql_query("select * from `disputeemail` where `email`='$email' and hash!=''");
if(mysql_num_rows($res) > 0)
{
showheader(_("Email Dispute"));
2008-11-24 20:49:09 +00:00
printf(_("The email address '%s' already exists in the dispute system. Can't continue."), sanitizeHTML($email));
2005-03-12 19:40:24 +00:00
showfooter();
exit;
}
unset($oldid);
$query = "select * from `email` where `email`='$email' and `deleted`=0";
$res = mysql_query($query);
if(mysql_num_rows($res) <= 0)
{
showheader(_("Email Dispute"));
2008-11-24 20:49:09 +00:00
printf(_("The email address '%s' doesn't exist in the system. Can't continue."), sanitizeHTML($email));
2005-03-12 19:40:24 +00:00
showfooter();
exit;
}
$row = mysql_fetch_assoc($res);
$oldmemid = $row['memid'];
$emailid = $row['id'];
if($_SESSION['profile']['id'] == $oldmemid)
{
showheader(_("Email Dispute"));
echo _("You aren't allowed to dispute your own email addresses. Can't continue.");
showfooter();
exit;
}
2005-03-12 19:40:24 +00:00
$res = mysql_query("select * from `users` where `id`='$oldmemid'");
$user = mysql_fetch_assoc($res);
2005-07-01 13:12:14 +00:00
$rc = mysql_num_rows(mysql_query("select * from `domains` where `memid`='$oldmemid' and `deleted`=0"));
$rc2 = mysql_num_rows(mysql_query("select * from `email` where `memid`='$oldmemid' and `deleted`=0 and `id`!='$emailid'"));
2005-03-12 19:40:24 +00:00
if($user['email'] == $email && ($rc > 0 || $rc2 > 0))
{
showheader(_("Email Dispute"));
echo _("You only dispute the primary email address of an account if there is no longer any email addresses or domains linked to it.");
showfooter();
exit;
}
2006-04-30 08:30:54 +00:00
$hash = make_hash();
2008-12-28 12:33:29 +00:00
$query = "insert into `disputeemail` set `email`='$email',`memid`='".intval($_SESSION['profile']['id'])."',
`oldmemid`='$oldmemid',`created`=NOW(),`hash`='$hash',`id`='".intval($emailid)."',
2005-03-12 19:40:24 +00:00
`IP`='".$_SERVER['REMOTE_ADDR']."'";
mysql_query($query);
2008-11-24 20:55:23 +00:00
$body = sprintf(_("You have been sent this email as the email address '%s' is being disputed. You have the option to accept or reject this request, after 2 days the request will automatically be discarded. Click the following link to accept or reject the dispute:"), $email)."\n\n";
2005-03-12 19:40:24 +00:00
$body .= "https://".$_SESSION['_config']['normalhostname']."/disputes.php?type=email&emailid=$emailid&hash=$hash\n\n";
$body .= _("Best regards")."\n"._("CAcert.org Support!");
2005-05-23 01:53:59 +00:00
sendmail($email, "[CAcert.org] "._("Dispute Probe"), $body, "support@cacert.org", "", "", "CAcert Support");
2005-03-12 19:40:24 +00:00
showheader(_("Email Dispute"));
2008-11-24 20:49:09 +00:00
printf(_("The email address '%s' has been entered into the dispute system, the email address will now be sent an email which will give the recipent the option of accepting or rejecting the request, if after 2 days we haven't received a valid response for or against we will discard the request."), sanitizeHTML($email));
2005-03-12 19:40:24 +00:00
showfooter();
exit;
}
if($oldid == "2")
{
2009-09-20 17:32:57 +00:00
csrf_check('domaindispute');
2008-09-01 22:19:28 +00:00
$domain = trim(mysql_escape_string(stripslashes($_REQUEST['dispute'])));
2005-03-12 19:40:24 +00:00
if($domain == "")
{
showheader(_("Domain Dispute"));
echo _("Not a valid Domain. Can't continue.");
showfooter();
exit;
}
//check if domain belongs to locked account
$res = mysql_query("select 1 from `domains`, `users` where `domains`.`domain`='$domain' and `domains`.`memid`=`users`.`id` and (`users`.`assurer_blocked`=1 or `users`.`locked`=1)");
if(mysql_num_rows($res) > 0)
{
showheader(_("Domain Dispute"));
printf(_("Sorry, the domain '%s' cannot be disputed for administrative reasons. To solve this problem please get in contact with %s."), sanitizeHTML($domain),"<a href='mailto:support@cacert.org'>support@cacert.org</a>");
$duser=$_SESSION['profile']['fname']." ".$_SESSION['profile']['lname'];
$body = sprintf("Someone has just attempted to dispute this domain '%s', which belongs to a locked account:\n".
"Username(ID): %s (%s)\n".
"email: %s\n".
"IP/Hostname: %s\n", $domain, $duser, $_SESSION['profile']['id'], $_SESSION['profile']['email'], $_SERVER['REMOTE_ADDR'].(array_key_exists('REMOTE_HOST',$_SERVER)?"/".$_SERVER['REMOTE_HOST']:""));
sendmail("support@cacert.org", "[CAcert.org] failed dispute on locked account", $body, $_SESSION['profile']['email'], "", "", $duser);
showfooter();
exit;
}
2005-03-12 19:40:24 +00:00
$query = "select * from `disputedomain` where `domain`='$domain' and hash!=''";
$res = mysql_query($query);
if(mysql_num_rows($res) > 0)
{
showheader(_("Domain Dispute"));
2008-11-24 20:55:23 +00:00
printf(_("The domain '%s' already exists in the dispute system. Can't continue."), sanitizeHTML($domain));
2005-03-12 19:40:24 +00:00
showfooter();
exit;
}
unset($oldid);
$query = "select * from `domains` where `domain`='$domain' and `deleted`=0";
$res = mysql_query($query);
if(mysql_num_rows($res) <= 0)
{
$query = "select 1 from `orgdomains` where `domain`='$domain'";
$res = mysql_query($query);
if(mysql_num_rows($res) > 0)
{
showheader(_("Domain Dispute"));
printf(_("The domain '%s' is included in an organisation account. Please send a mail to %s to dispute this domain."), sanitizeHTML($domain),'<a href="mailto:support@cacert.org">support@cacert.org</a>');
showfooter();
exit;
}
2005-03-12 19:40:24 +00:00
showheader(_("Domain Dispute"));
printf(_("The domain '%s' doesn't exist in the system. Can't continue."), sanitizeHTML($domain));
2005-03-12 19:40:24 +00:00
showfooter();
exit;
}
$row = mysql_fetch_assoc($res);
$oldmemid = $row['memid'];
if($_SESSION['profile']['id'] == $oldmemid)
{
showheader(_("Domain Dispute"));
2008-09-05 15:56:40 +00:00
echo _("You aren't allowed to dispute your own domains. Can't continue.");
2005-03-12 19:40:24 +00:00
showfooter();
exit;
}
2005-03-12 19:40:24 +00:00
$domainid = $row['id'];
$_SESSION['_config']['domainid'] = $domainid;
2008-11-14 23:39:35 +00:00
$_SESSION['_config']['memid'] = array_key_exists('memid',$_REQUEST)?intval($_REQUEST['memid']):0;
2005-03-12 19:40:24 +00:00
$_SESSION['_config']['domain'] = $domain;
$_SESSION['_config']['oldmemid'] = $oldmemid;
$addy = array();
$domtmp = escapeshellarg($domain);
2005-07-01 13:12:14 +00:00
if(strtolower(substr($domtmp, -4, 3)) != ".jp")
$adds = explode("\n", trim(`whois $domtmp|grep \@`));
2005-03-12 19:40:24 +00:00
if(substr($domain, -4) == ".org" || substr($domain, -5) == ".info")
{
if(is_array($adds))
foreach($adds as $line)
{
$bits = explode(":", $line, 2);
$line = trim($bits[1]);
if(!in_array($line, $addy) && $line != "")
$addy[] = trim(mysql_escape_string(stripslashes($line)));
}
} else {
if(is_array($adds))
foreach($adds as $line)
{
$line = trim(str_replace("\t", " ", $line));
$line = trim(str_replace("(", "", $line));
$line = trim(str_replace(")", " ", $line));
$bits = explode(" ", $line);
foreach($bits as $bit)
{
if(strstr($bit, "@"))
$line = $bit;
}
if(!in_array($line, $addy) && $line != "")
$addy[] = trim(mysql_escape_string(stripslashes($line)));
}
}
$rfc = array("root@$domain", "hostmaster@$domain", "postmaster@$domain", "admin@$domain", "webmaster@$domain");
foreach($rfc as $sub)
if(!in_array($sub, $addy))
$addy[] = $sub;
$_SESSION['_config']['addy'] = $addy;
showheader(_("Domain Dispute"));
includeit("5", "disputes");
showfooter();
exit;
}
if($oldid == "5")
{
2006-08-16 03:45:18 +00:00
$authaddy = trim(mysql_escape_string(stripslashes($_REQUEST['authaddy'])));
2005-03-12 19:40:24 +00:00
if(!in_array($authaddy, $_SESSION['_config']['addy']) || $authaddy == "")
{
showheader(_("My CAcert.org Account!"));
echo _("The address you submitted isn't a valid authority address for the domain.");
showfooter();
exit;
}
$query = "select * from `domains` where `domain`='".$_SESSION['_config']['domain']."' and `deleted`=0";
$res = mysql_query($query);
if(mysql_num_rows($res) <= 0)
{
showheader(_("Domain Dispute!"));
2008-11-24 20:55:23 +00:00
printf(_("The domain '%s' isn't in the system. Can't continue."), sanitizeHTML($_SESSION['_config']['domain']));
2005-03-12 19:40:24 +00:00
showfooter();
exit;
}
$domainid = intval($_SESSION['_config']['domainid']);
$memid = intval($_SESSION['_config']['memid']);
$oldmemid = intval($_SESSION['_config']['oldmemid']);
$domain = mysql_escape_string($_SESSION['_config']['domain']);
2006-04-30 08:30:54 +00:00
$hash = make_hash();
2005-03-12 19:40:24 +00:00
$query = "insert into `disputedomain` set `domain`='$domain',`memid`='".$_SESSION['profile']['id']."',
`oldmemid`='$oldmemid',`created`=NOW(),`hash`='$hash',`id`='$domainid'";
mysql_query($query);
$body = sprintf(_("You have been sent this email as the domain '%s' is being disputed. You have the option to accept or reject this request, after 2 days the request will automatically be discarded. Click the following link to accept or reject the dispute:"), $domain)."\n\n";
$body .= "https://".$_SESSION['_config']['normalhostname']."/disputes.php?type=domain&domainid=$domainid&hash=$hash\n\n";
$body .= _("Best regards")."\n"._("CAcert.org Support!");
2005-05-23 01:53:59 +00:00
sendmail($authaddy, "[CAcert.org] "._("Dispute Probe"), $body, "support@cacert.org", "", "", "CAcert Support");
2005-03-12 19:40:24 +00:00
showheader(_("Domain Dispute"));
2008-11-24 20:55:23 +00:00
printf(_("The domain '%s' has been entered into the dispute system, the email address you choose will now be sent an email which will give the recipent the option of accepting or rejecting the request, if after 2 days we haven't received a valid response for or against we will discard the request."), sanitizeHTML($domain));
2005-03-12 19:40:24 +00:00
showfooter();
exit;
}
showheader(_("Domain and Email Disputes"));
includeit($id, "disputes");
showfooter();
?>