"contact form does not signal whether filed request is senstive or open"
This commit is contained in:
Wytze van der Raay 2013-01-17 15:08:07 +00:00
parent aff3516579
commit ac71b58807
5 changed files with 85 additions and 82 deletions

View file

@ -29,15 +29,26 @@ if(!array_key_exists('secrethash',$_SESSION['_config'])) $_SESSION['_config']['s
<p><?=_("You can alternatively use the form below, however joining the list is the prefered option to support your queries")?></p> <p><?=_("You can alternatively use the form below, however joining the list is the prefered option to support your queries")?></p>
<form method="post" action="account.php" name="form1"> <form method="post" action="account.php" name="form1">
<input type="hidden" name="oldid" value="<?=$id?>"> <input type="hidden" name="oldid" value="<?=$id?>">
<input type="hidden" name="support" value="yes"> <!-- <input type="hidden" name="support" value="yes"> -->
<input type="hidden" name="secrethash2" value=""> <input type="hidden" name="secrethash2" value="">
<p class="robotic" id="pot">
<label>If you're human leave this blank:</label>
<input name="robotest" type="text" id="robotest" class="robotest" />
</p>
<table border="0"> <table border="0">
<tr><td width="90"><?=_("Your Name")?>:</td><td><input type="text" name="who"></td><td>&#160;</td></tr> <tr><td width="100"><?=_("Your Name")?>:</td><td width="100"><input type="text" name="who"></td><td width="100"></td><td width="100"></td>
<tr><td><?=_("Your Email")?>:</td><td><input type="text" name="email"></td></tr> <tr><td width="100"><?=_("Your Email")?>:</td><td colspan="3"><input type="text" name="email"></td>
<tr><td><?=_("Subject")?>:</td><td><input type="text" name="subject"></td></tr> <tr><td width="100"><?=_("Subject")?>:</td><td colspan="3"><input type="text" name="subject"></td></tr>
<tr><td colspan="2"><textarea name="message" cols="40" rows="10"></textarea></td></tr> <tr><td width="100" valign="top"><?=_("Message")?>:</td><td colspan="3"><textarea name="message" cols="70" rows="10"></textarea></td></tr>
<tr><td colspan="3"><font color="#ff0000"><?=_("Warning: Please do not enter confidential data into this form, it is being sent to a public mailinglist. Use the form further below instead.")?></font></td></tr>
<tr><td colspan="2"><input type="submit" name="process" value="<?=_("Send")?>"></td></tr> <tr>
<td colspan="2"><font color="#ff0000"><?=_("Warning: Please do not use \"send to mailing list\" when you entered confidential data. The request is being sent to a public mailinglist.")?></font></td>
<td colspan="2"><?=_("For confidential data use \"send to support\".")?></td>
</tr>
<tr>
<td colspan="2"><input type="submit" name="process[0]" value="<?=_("Send to mailing list")?>"></td>
<td colspan="2"><input type="submit" name="process[1]" value="<?=_("Send to support")?>"></td>
</tr>
</table> </table>
</form> </form>
@ -50,20 +61,6 @@ if(!array_key_exists('secrethash',$_SESSION['_config'])) $_SESSION['_config']['s
<p><?=_("There are a number of other mailing lists CAcert runs, some are general discussion, others are technical (such as the development list) or platform specific help (such as the list for Apple Mac users)")?></p> <p><?=_("There are a number of other mailing lists CAcert runs, some are general discussion, others are technical (such as the development list) or platform specific help (such as the list for Apple Mac users)")?></p>
<p><a href="http://lists.cacert.org/"><?=_("Click here to view all lists available")?></a></p> <p><a href="http://lists.cacert.org/"><?=_("Click here to view all lists available")?></a></p>
<p><b><?=_("Sensitive Information")?></b></p>
<p><?=_("If you have questions, comments or otherwise and information you're sending to us contains sensitive details, you should use the contact form below. Due to the large amounts of support emails we receive, sending general questions via this contact form will generally take longer then using the support mailing list. Also sending queries in anything but english could cause delays in supporting you as we'd need to find a translator to help.")?></p>
<form method="post" action="account.php" name="form2">
<input type="hidden" name="secrethash2" value="">
<input type="hidden" name="oldid" value="<?=$id?>">
<table border="0">
<tr><td><?=_("Your Name")?>:</td><td><input type="text" name="who"></td></tr>
<tr><td><?=_("Your Email")?>:</td><td><input type="text" name="email"></td></tr>
<tr><td><?=_("Subject")?>:</td><td><input type="text" name="subject"></td></tr>
<tr><td colspan="2"><textarea name="message" cols="40" rows="10"></textarea></td></tr>
<tr><td colspan="2"><input type="submit" name="process" value="<?=_("Send")?>"></td></tr>
</table>
</form>
<p><b><?=_("Security Issues")?></b></p> <p><b><?=_("Security Issues")?></b></p>
<p><?=sprintf(_("Please use any of the following ways to report security ". <p><?=sprintf(_("Please use any of the following ways to report security ".
"issues: You can use the above contact form for sensitive information. ". "issues: You can use the above contact form for sensitive information. ".

View file

@ -29,15 +29,26 @@ if(!array_key_exists('secrethash',$_SESSION['_config'])) $_SESSION['_config']['s
<p><?=_("You can alternatively use the form below, however joining the list is the prefered option to support your queries")?></p> <p><?=_("You can alternatively use the form below, however joining the list is the prefered option to support your queries")?></p>
<form method="post" action="index.php" name="form1"> <form method="post" action="index.php" name="form1">
<input type="hidden" name="oldid" value="<?=$id?>"> <input type="hidden" name="oldid" value="<?=$id?>">
<input type="hidden" name="support" value="yes"> <!-- <input type="hidden" name="support" value="yes"> -->
<input type="hidden" name="secrethash2" value=""> <input type="hidden" name="secrethash2" value="">
<p class="robotic" id="pot">
<label>If you're human leave this blank:</label>
<input name="robotest" type="text" id="robotest" class="robotest" />
</p>
<table border="0"> <table border="0">
<tr><td width="90"><?=_("Your Name")?>:</td><td><input type="text" name="who"></td><td>&#160;</td></tr> <tr><td width="100"><?=_("Your Name")?>:</td><td width="100"><input type="text" name="who"></td><td width="100"></td><td width="100"></td>
<tr><td><?=_("Your Email")?>:</td><td><input type="text" name="email"></td></tr> <tr><td width="100"><?=_("Your Email")?>:</td><td colspan="3"><input type="text" name="email"></td>
<tr><td><?=_("Subject")?>:</td><td><input type="text" name="subject"></td></tr> <tr><td width="100"><?=_("Subject")?>:</td><td colspan="3"><input type="text" name="subject"></td></tr>
<tr><td colspan="2"><textarea name="message" cols="40" rows="10"></textarea></td></tr> <tr><td width="100" valign="top"><?=_("Message")?>:</td><td colspan="3"><textarea name="message" cols="70" rows="10"></textarea></td></tr>
<tr><td colspan="3"><font color="#ff0000"><?=_("Warning: Please do not enter confidential data into this form, it is being sent to a public mailinglist. Use the form further below instead.")?></font></td></tr>
<tr><td colspan="2"><input type="submit" name="process" value="<?=_("Send")?>"></td></tr> <tr>
<td colspan="2"><font color="#ff0000"><?=_("Warning: Please do not use \"send to mailing list\" when you entered confidential data. The request is being sent to a public mailinglist.")?></font></td>
<td colspan="2"><?=_("For confidential data use \"send to support\".")?></td>
</tr>
<tr>
<td colspan="2"><input type="submit" name="process[0]" value="<?=_("Send to mailing list")?>"></td>
<td colspan="2"><input type="submit" name="process[1]" value="<?=_("Send to support")?>"></td>
</tr>
</table> </table>
</form> </form>
@ -50,20 +61,6 @@ if(!array_key_exists('secrethash',$_SESSION['_config'])) $_SESSION['_config']['s
<p><?=_("There are a number of other mailing lists CAcert runs, some are general discussion, others are technical (such as the development list) or platform specific help (such as the list for Apple Mac users)")?></p> <p><?=_("There are a number of other mailing lists CAcert runs, some are general discussion, others are technical (such as the development list) or platform specific help (such as the list for Apple Mac users)")?></p>
<p><a href="http://lists.cacert.org/"><?=_("Click here to view all lists available")?></a></p> <p><a href="http://lists.cacert.org/"><?=_("Click here to view all lists available")?></a></p>
<p><b><?=_("Sensitive Information")?></b></p>
<p><?=_("If you have questions, comments or otherwise and information you're sending to us contains sensitive details, you should use the contact form below. Due to the large amounts of support emails we receive, sending general questions via this contact form will generally take longer then using the support mailing list. Also sending queries in anything but english could cause delays in supporting you as we'd need to find a translator to help.")?></p>
<form method="post" action="index.php" name="form2">
<input type="hidden" name="secrethash2" value="">
<input type="hidden" name="oldid" value="<?=$id?>">
<table border="0">
<tr><td><?=_("Your Name")?>:</td><td><input type="text" name="who"></td></tr>
<tr><td><?=_("Your Email")?>:</td><td><input type="text" name="email"></td></tr>
<tr><td><?=_("Subject")?>:</td><td><input type="text" name="subject"></td></tr>
<tr><td colspan="2"><textarea name="message" cols="40" rows="10"></textarea></td></tr>
<tr><td colspan="2"><input type="submit" name="process" value="<?=_("Send")?>"></td></tr>
</table>
</form>
<p><b><?=_("Security Issues")?></b></p> <p><b><?=_("Security Issues")?></b></p>
<p><?=sprintf(_("Please use any of the following ways to report security issues: You can use the above contact form for sensitive information. You can email us to support@cacert.org. You can file a bugreport on %s and mark it as private."),"<a href='https://bugs.cacert.org/'>bugs.cacert.org</a>")?></p> <p><?=sprintf(_("Please use any of the following ways to report security issues: You can use the above contact form for sensitive information. You can email us to support@cacert.org. You can file a bugreport on %s and mark it as private."),"<a href='https://bugs.cacert.org/'>bugs.cacert.org</a>")?></p>

View file

@ -25,34 +25,35 @@
} else if($id == 19) { } else if($id == 19) {
include_once("../pages/account/19.php"); include_once("../pages/account/19.php");
exit; exit;
} else if($oldid == 40 && $_REQUEST['process'] != "" && $_POST['support'] != "yes") { } else if($oldid == 40 && $_REQUEST['process'] != "") {
$who = stripslashes($_REQUEST['who']); $who = stripslashes($_REQUEST['who']);
$email = stripslashes($_REQUEST['email']); $email = stripslashes($_REQUEST['email']);
$subject = stripslashes($_REQUEST['subject']); $subject = stripslashes($_REQUEST['subject']);
$message = stripslashes($_REQUEST['message']); $message = stripslashes($_REQUEST['message']);
$message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message; //check for spam via honeypot
if(!isset($_REQUEST['robotest']) || !empty($_REQUEST['robotest'])){
sendmail("support@cacert.org", "[CAcert.org] ".$subject, $message, $email, $email, "", "CAcert Website"); echo _("Form could not be sent.");
showheader(_("Welcome to CAcert.org"));
echo _("Your message has been sent.");
showfooter(); showfooter();
exit; exit;
} else if($oldid == 40 && $_REQUEST['process'] != "" && $_POST['support'] == "yes") { }
$who = stripslashes($_REQUEST['who']);
$email = stripslashes($_REQUEST['email']);
$subject = stripslashes($_REQUEST['subject']);
$message = stripslashes($_REQUEST['message']);
$message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message; $message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message;
if (isset($process[0])){
sendmail("cacert-support@lists.cacert.org", "[website form email]: ".$subject, $message, "website-form@cacert.org", "cacert-support@lists.cacert.org, $email", "", "CAcert Website"); sendmail("cacert-support@lists.cacert.org", "[website form email]: ".$subject, $message, "website-form@cacert.org", "cacert-support@lists.cacert.org, $email", "", "CAcert-Website");
showheader(_("Welcome to CAcert.org")); showheader(_("Welcome to CAcert.org"));
echo _("Your message has been sent to the general support list."); echo _("Your message has been sent to the general support list.");
showfooter(); showfooter();
exit; exit;
}
if (isset($process[1])){
sendmail("support@cacert.org", "[CAcert.org] ".$subject, $message, $email, "", "", "CAcert Support");
showheader(_("Welcome to CAcert.org"));
echo _("Your message has been sent.");
showfooter();
exit;
}
} else if($id == 51 && $_GET['img'] == "show") { } else if($id == 51 && $_GET['img'] == "show") {
$query = "select * from `tverify` where `id`='".intval($_GET['photoid'])."' and `modified`=0"; $query = "select * from `tverify` where `id`='".intval($_GET['photoid'])."' and `modified`=0";
$res = mysql_query($query); $res = mysql_query($query);

View file

@ -564,6 +564,13 @@ require_once('../includes/lib/l10n.php');
$message = stripslashes($_REQUEST['message']); $message = stripslashes($_REQUEST['message']);
$secrethash = $_REQUEST['secrethash2']; $secrethash = $_REQUEST['secrethash2'];
//check for spam via honeypot
if(!isset($_REQUEST['robotest']) || !empty($_REQUEST['robotest'])){
echo _("Form could not be sent.");
showfooter();
exit;
}
if($_SESSION['_config']['secrethash'] != $secrethash || $secrethash == "" || $_SESSION['_config']['secrethash'] == "") if($_SESSION['_config']['secrethash'] != $secrethash || $secrethash == "" || $_SESSION['_config']['secrethash'] == "")
{ {
$id = $oldid; $id = $oldid;
@ -603,26 +610,23 @@ require_once('../includes/lib/l10n.php');
} }
} }
if($oldid == 11 && $process != "" && $_REQUEST['support'] != "yes") if($oldid == 11 && $process != "")
{ {
$message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message; $message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message;
if (isset($process[0])){
sendmail("cacert-support@lists.cacert.org", "[website form email]: ".$subject, $message, "website-form@cacert.org", "cacert-support@lists.cacert.org, $email", "", "CAcert-Website");
showheader(_("Welcome to CAcert.org"));
echo _("Your message has been sent to the general support list.");
showfooter();
exit;
}
if (isset($process[1])){
sendmail("support@cacert.org", "[CAcert.org] ".$subject, $message, $email, "", "", "CAcert Support"); sendmail("support@cacert.org", "[CAcert.org] ".$subject, $message, $email, "", "", "CAcert Support");
showheader(_("Welcome to CAcert.org")); showheader(_("Welcome to CAcert.org"));
echo _("Your message has been sent."); echo _("Your message has been sent.");
showfooter(); showfooter();
exit; exit;
} }
if($oldid == 11 && $process != "" && $_REQUEST['support'] == "yes")
{
$message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message;
sendmail("cacert-support@lists.cacert.org", "[website form email]: ".$subject, $message, "website-form@cacert.org", "cacert-support@lists.cacert.org, $email", "", "CAcert-Website");
showheader(_("Welcome to CAcert.org"));
echo _("Your message has been sent to the general support list.");
showfooter();
exit;
} }
if(!array_key_exists('signup',$_SESSION) || $_SESSION['signup']['year'] < 1900) if(!array_key_exists('signup',$_SESSION) || $_SESSION['signup']['year'] < 1900)

View file

@ -651,3 +651,7 @@ div.footerbar {
padding: 10px 10px 10px 10px; padding: 10px 10px 10px 10px;
} }
/************ Honeypot ***********/
.robotic { display: none; }