/*
LibreSSL - CAcert web application
Copyright (C) 2004-2008 CAcert Inc.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; version 2 of the License.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/
session_name("cacert");
session_start();
session_register("_config");
session_register("profile");
session_register("signup");
session_register("lostpw");
// if($_SESSION['profile']['id'] > 0)
// session_regenerate_id();
$junk = array(_("Face to Face Meeting"), _("Trusted Third Parties"), _("Thawte Points Transfer"), _("Administrative Increase"),
_("CT Magazine - Germany"), _("Temporary Increase"), _("Unknown"));
$_SESSION['_config']['errmsg']="";
$id = 0; if(array_key_exists("id",$_REQUEST)) $id=intval($_REQUEST['id']);
$oldid = 0; if(array_key_exists("oldid",$_REQUEST)) $oldid=intval($_REQUEST['oldid']);
$_SESSION['_config']['filepath'] = "/www";
require_once($_SESSION['_config']['filepath']."/includes/mysql.php");
if(array_key_exists('HTTP_HOST',$_SERVER) &&
$_SERVER['HTTP_HOST'] != $_SESSION['_config']['normalhostname'] &&
$_SERVER['HTTP_HOST'] != $_SESSION['_config']['securehostname'] &&
$_SERVER['HTTP_HOST'] != $_SESSION['_config']['tverify'] &&
$_SERVER['HTTP_HOST'] != "stamp.cacert.org")
{
if(array_key_exists('HTTPS',$_SERVER) && $_SERVER['HTTPS'] == "on")
header("location: https://".$_SESSION['_config']['normalhostname']);
else
header("location: http://".$_SESSION['_config']['normalhostname']);
exit;
}
if(array_key_exists('HTTP_HOST',$_SERVER) &&
($_SERVER['HTTP_HOST'] == $_SESSION['_config']['securehostname'] ||
$_SERVER['HTTP_HOST'] == $_SESSION['_config']['tverify']))
{
if(array_key_exists('HTTPS',$_SERVER) && $_SERVER['HTTPS'] == "on")
{
}
else
{
if($_SERVER['HTTP_HOST'] == $_SESSION['_config']['securehostname'])
header("location: https://". $_SESSION['_config']['securehostname']);
if($_SERVER['HTTP_HOST'] == $_SESSION['_config']['tverify'])
header("location: https://".$_SESSION['_config']['tverify']);
exit;
}
}
$lang = "";
if(array_key_exists("lang",$_REQUEST))
$lang=mysql_escape_string(substr(trim($_REQUEST['lang']), 0, 5));
if($lang != "")
$_SESSION['_config']['language'] = $lang;
//if($_SESSION['profile']['id'] == 1 && 1 == 2)
// echo $_SESSION['_config']['language'];
$_SESSION['_config']['translations'] = array(
"ar_JO" => "العربية",
"bg_BG" => "Български",
"cs_CZ" => "Čeština",
"da_DK" => "Dansk",
"de_DE" => "Deutsch",
"el_GR" => "Ελληνικά",
"en_AU" => "English",
"es_ES" => "Español",
"fi_FI" => "Suomi",
"fr_FR" => "Français",
"he_IL" => "עברית",
"hr_HR" => "Hrvatski",
"hu_HU" => "Magyar",
"is_IS" => "Íslenska",
"it_IT" => "Italiano",
"ja_JP" => "日本語",
"ka_GE" => "Georgian",
"nl_NL" => "Nederlands",
"pl_PL" => "Polski",
"pt_PT" => "Português",
"pt_BR" => "Português Brasileiro",
"ru_RU" => "Русский",
"ro_RO" => "Română",
"sv_SE" => "Svenska",
"tr_TR" => "Türkçe",
"zh_CN" => "中文(简体)");
$value=array();
if(!(array_key_exists('language',$_SESSION['_config']) && $_SESSION['_config']['language'] != ""))
{
$bits = explode(",", strtolower(str_replace(" ", "", mysql_real_escape_string(array_key_exists('HTTP_ACCEPT_LANGUAGE',$_SERVER)?$_SERVER['HTTP_ACCEPT_LANGUAGE']:""))));
foreach($bits as $lang)
{
$b = explode(";", $lang);
if(count($b)>1 && substr($b[1], 0, 2) == "q=")
$c = floatval(substr($b[1], 2));
else
$c = 1;
$value["$c"] = trim($b[0]);
}
krsort($value);
reset($value);
foreach($value as $key => $val)
{
$val = substr(escapeshellarg($val), 1, -1);
$short = substr($val, 0, 2);
if($val == "en" || $short == "en")
{
$_SESSION['_config']['language'] = "en";
break;
}
if(file_exists($_SESSION['_config']['filepath']."/locale/$val/LC_MESSAGES/messages.mo"))
{
$_SESSION['_config']['language'] = $val;
break;
}
if(file_exists($_SESSION['_config']['filepath']."/locale/$short/LC_MESSAGES/messages.mo"))
{
$_SESSION['_config']['language'] = $short;
break;
}
}
}
if(!array_key_exists('_config',$_SESSION) || !array_key_exists('language',$_SESSION['_config']) || strlen($_SESSION['_config']['language']) != 5)
{
$lang = array_key_exists('language',$_SESSION['_config'])?$_SESSION['_config']['language']:"";
$_SESSION['_config']['language'] = "en_AU";
foreach($_SESSION['_config']['translations'] as $key => $val)
{
if(substr($lang, 0, 2) == substr($key, 0, 2))
{
$_SESSION['_config']['language'] = $val;
break;
}
}
}
$_SESSION['_config']['recode'] = "html..latin-1";
if($_SESSION['_config']['language'] == "zh_CN")
{
$_SESSION['_config']['recode'] = "html..gb2312";
} else if($_SESSION['_config']['language'] == "pl_PL" || $_SESSION['_config']['language'] == "hu_HU") {
$_SESSION['_config']['recode'] = "html..ISO-8859-2";
} else if($_SESSION['_config']['language'] == "ja_JP") {
$_SESSION['_config']['recode'] = "html..SHIFT-JIS";
} else if($_SESSION['_config']['language'] == "ru_RU") {
$_SESSION['_config']['recode'] = "html..ISO-8859-5";
} else if($_SESSION['_config']['language'] == "lt_LT") {
$_SESSION['_config']['recode'] = "html..ISO-8859-13";
}
putenv("LANG=".$_SESSION['_config']['language']);
setlocale(LC_ALL, $_SESSION['_config']['language']);
$domain = 'messages';
bindtextdomain($domain, $_SESSION['_config']['filepath']."/locale");
textdomain($domain);
//if($_SESSION['profile']['id'] == -1)
// echo $_SESSION['_config']['language']." - ".$_SESSION['_config']['filepath']."/locale";
if(array_key_exists('profile',$_SESSION) && is_array($_SESSION['profile']) && array_key_exists('id',$_SESSION['profile']) && $_SESSION['profile']['id'] > 0)
{
$locked = mysql_fetch_assoc(mysql_query("select `locked` from `users` where `id`='".$_SESSION['profile']['id']."'"));
if($locked['locked'] == 0)
{
$query = "select sum(`points`) as `total` from `notary` where `to`='".$_SESSION['profile']['id']."' group by `to`";
$res = mysql_query($query);
$row = mysql_fetch_assoc($res);
$_SESSION['profile']['points'] = $row['total'];
} else {
$_SESSION['profile'] = "";
unset($_SESSION['profile']);
}
}
function loadem($section = "index")
{
if($section != "index" && $section != "account" && $section != "tverify")
{
$section = "index";
}
if($section == "account")
include_once($_SESSION['_config']['filepath']."/includes/account_stuff.php");
if($section == "index")
include_once($_SESSION['_config']['filepath']."/includes/general_stuff.php");
if($section == "tverify")
include_once($_SESSION['_config']['filepath']."/includes/tverify_stuff.php");
}
function includeit($id = "0", $section = "index")
{
$id = intval($id);
if($section != "index" && $section != "account" && $section != "wot" && $section != "help" && $section != "gpg" && $section != "disputes" && $section != "tverify" && $section != "advertising")
{
$section = "index";
}
if($section == "tverify" && file_exists($_SESSION['_config']['filepath']."/tverify/index/$id.php"))
include_once($_SESSION['_config']['filepath']."/tverify/index/$id.php");
else if(file_exists($_SESSION['_config']['filepath']."/pages/$section/$id.php"))
include_once($_SESSION['_config']['filepath']."/pages/$section/$id.php");
else {
$id = "0";
if(file_exists($_SESSION['_config']['filepath']."/pages/$section/$id.php"))
include_once($_SESSION['_config']['filepath']."/pages/$section/$id.php");
else {
$section = "index";
$id = "0";
if(file_exists($_SESSION['_config']['filepath']."/pages/$section/$id.php"))
include_once($_SESSION['_config']['filepath']."/pages/$section/$id.php");
else
include_once($_SESSION['_config']['filepath']."/www/error404.php");
}
}
}
function checkpw($pwd, $email, $fname, $mname, $lname, $suffix)
{
$points = 0;
if(strlen($pwd) > 15)
$points++;
if(strlen($pwd) > 20)
$points++;
if(strlen($pwd) > 25)
$points++;
if(strlen($pwd) > 30)
$points++;
//echo "Points due to length: $points
";
if(preg_match("/\d/", $pwd))
$points++;
if(preg_match("/[a-z]/", $pwd))
$points++;
if(preg_match("/[A-Z]/", $pwd))
$points++;
if(preg_match("/\W/", $pwd))
$points++;
if(preg_match("/\s/", $pwd))
$points++;
//echo "Points due to length and charset: $points
";
if(@strstr(strtolower($pwd), strtolower($email)))
$points--;
if(@strstr(strtolower($email), strtolower($pwd)))
$points--;
if(@strstr(strtolower($pwd), strtolower($fname)))
$points--;
if(@strstr(strtolower($fname), strtolower($pwd)))
$points--;
if($mname)
if(@strstr(strtolower($pwd), strtolower($mname)))
$points--;
if($mname)
if(@strstr(strtolower($mname), strtolower($pwd)))
$points--;
if(@strstr(strtolower($pwd), strtolower($lname)))
$points--;
if(@strstr(strtolower($lname), strtolower($pwd)))
$points--;
if($suffix)
if(@strstr(strtolower($pwd), strtolower($suffix)))
$points--;
if($suffix)
if(@strstr(strtolower($suffix), strtolower($pwd)))
$points--;
//echo "Points due to name matches: $points
";
$do = `grep '$pwd' /usr/share/dict/american-english`;
if($do)
$points--;
//echo "Points due to wordlist: $points
";
return($points);
}
function extractit()
{
$bits = explode(": ", $_SESSION['_config']['subject'], 2);
$bits = str_replace(", ", "|", str_replace("/", "|", array_key_exists('1',$bits)?$bits['1']:""));
$bits = explode("|", $bits);
$_SESSION['_config']['cnc'] = $_SESSION['_config']['subaltc'] = 0;
$_SESSION['_config']['OU'] = "";
if(is_array($bits))
foreach($bits as $val)
{
if(!strstr($val, "="))
continue;
$split = explode("=", $val);
$k = $split[0];
$split['1'] = trim($split['1']);
if($k == "CN" && $split['1'])
{
$k = $_SESSION['_config']['cnc'].".".$k;
$_SESSION['_config']['cnc']++;
$_SESSION['_config'][$k] = $split['1'];
}
if($k == "OU" && $split['1'] && $_SESSION['_config']['OU'] == "")
{
$_SESSION['_config']['OU'] = $split['1'];
}
if($k == "subjectAltName" && $split['1'])
{
$k = $_SESSION['_config']['subaltc'].".".$k;
$_SESSION['_config']['subaltc']++;
$_SESSION['_config'][$k] = $split['1'];
}
}
}
function getcn()
{
unset($_SESSION['_config']['rows']);
unset($_SESSION['_config']['rowid']);
unset($_SESSION['_config']['rejected']);
$rows=array();
$rowid=array();
for($cnc = 0; $cnc < $_SESSION['_config']['cnc']; $cnc++)
{
$CN = $_SESSION['_config']["$cnc.CN"];
$bits = explode(".", $CN);
$dom = "";
$cnok = 0;
for($i = count($bits) - 1; $i >= 0; $i--)
{
if($dom)
$dom = $bits[$i].".".$dom;
else
$dom = $bits[$i];
$_SESSION['_config']['row'] = "";
$dom = mysql_real_escape_string($dom);
$query = "select * from domains where `memid`='".$_SESSION['profile']['id']."' and `domain` like '$dom' and `deleted`=0 and `hash`=''";
$res = mysql_query($query);
if(mysql_num_rows($res) > 0)
{
$cnok = 1;
$_SESSION['_config']['row'] = mysql_fetch_assoc($res);
$rowid[] = $_SESSION['_config']['row']['id'];
break;
}
}
if($cnok == 0)
$_SESSION['_config']['rejected'][] = $CN;
if($_SESSION['_config']['row'] != "")
$rows[] = $CN;
}
// if(count($rows) <= 0)
// {
// echo _("There were no valid CommonName fields on the CSR, or I was unable to match any of these against your account. Please review your CSR, or add and verify domains contained in it to your account before trying again.");
// exit;
// }
$_SESSION['_config']['rows'] = $rows;
$_SESSION['_config']['rowid'] = $rowid;
}
function getalt()
{
unset($_SESSION['_config']['altrows']);
unset($_SESSION['_config']['altid']);
$altrows=array();
$altid=array();
for($altc = 0; $altc < $_SESSION['_config']['subaltc']; $altc++)
{
$subalt = $_SESSION['_config']["$altc.subjectAltName"];
if(substr($subalt, 0, 4) == "DNS:")
$alt = substr($subalt, 4);
else
continue;
$bits = explode(".", $alt);
$dom = "";
$altok = 0;
for($i = count($bits) - 1; $i >= 0; $i--)
{
if($dom)
$dom = $bits[$i].".".$dom;
else
$dom = $bits[$i];
$_SESSION['_config']['altrow'] = "";
$dom = mysql_real_escape_string($dom);
$query = "select * from domains where `memid`='".$_SESSION['profile']['id']."' and `domain` like '$dom' and `deleted`=0 and `hash`=''";
$res = mysql_query($query);
if(mysql_num_rows($res) > 0)
{
$altok = 1;
$_SESSION['_config']['altrow'] = mysql_fetch_assoc($res);
$altid[] = $_SESSION['_config']['altrow']['id'];
break;
}
}
if($altok == 0)
$_SESSION['_config']['rejected'][] = $alt;
if($_SESSION['_config']['altrow'] != "")
$altrows[] = $subalt;
}
$_SESSION['_config']['altrows'] = $altrows;
$_SESSION['_config']['altid'] = $altid;
}
function getcn2()
{
$rows=array();
$rowid=array();
for($cnc = 0; $cnc < $_SESSION['_config']['cnc']; $cnc++)
{
$CN = $_SESSION['_config']["$cnc.CN"];
$bits = explode(".", $CN);
$dom = "";
for($i = count($bits) - 1; $i >= 0; $i--)
{
if($dom)
$dom = $bits[$i].".".$dom;
else
$dom = $bits[$i];
$_SESSION['_config']['row'] = "";
$dom = mysql_real_escape_string($dom);
$query = "select *, `orginfo`.`id` as `id` from `orginfo`,`orgdomains`,`org` where
`org`.`memid`='".$_SESSION['profile']['id']."' and
`org`.`orgid`=`orginfo`.`id` and
`orgdomains`.`orgid`=`orginfo`.`id` and
`orgdomains`.`domain`='$dom'";
$res = mysql_query($query);
if(mysql_num_rows($res) > 0)
{
$_SESSION['_config']['row'] = mysql_fetch_assoc($res);
$rowid[] = $_SESSION['_config']['row']['id'];
break;
}
}
if($_SESSION['_config']['row'] != "")
$rows[] = $CN;
}
// if(count($rows) <= 0)
// {
// echo _("There were no valid CommonName fields on the CSR, or I was unable to match any of these against your account. Please review your CSR, or add and verify domains contained in it to your account before trying again.");
// exit;
// }
$_SESSION['_config']['rows'] = $rows;
$_SESSION['_config']['rowid'] = $rowid;
}
function getalt2()
{
$altrows=array();
$altid=array();
for($altc = 0; $altc < $_SESSION['_config']['subaltc']; $altc++)
{
$subalt = $_SESSION['_config']["$altc.subjectAltName"];
if(substr($subalt, 0, 4) == "DNS:")
$alt = substr($subalt, 4);
else
continue;
$bits = explode(".", $alt);
$dom = "";
for($i = count($bits) - 1; $i >= 0; $i--)
{
if($dom)
$dom = $bits[$i].".".$dom;
else
$dom = $bits[$i];
$_SESSION['_config']['altrow'] = "";
$dom = mysql_real_escape_string($dom);
$query = "select * from `orginfo`,`orgdomains`,`org` where
`org`.`memid`='".$_SESSION['profile']['id']."' and
`org`.`orgid`=`orginfo`.`id` and
`orgdomains`.`orgid`=`orginfo`.`id` and
`orgdomains`.`domain`='$dom'";
$res = mysql_query($query);
if(mysql_num_rows($res) > 0)
{
$_SESSION['_config']['altrow'] = mysql_fetch_assoc($res);
$altid[] = $_SESSION['_config']['altrow']['id'];
break;
}
}
if($_SESSION['_config']['altrow'] != "")
$altrows[] = $subalt;
}
$_SESSION['_config']['altrows'] = $altrows;
$_SESSION['_config']['altid'] = $altid;
}
function checkownership($hostname)
{
$bits = explode(".", $hostname);
$dom = "";
for($i = count($bits) - 1; $i >= 0; $i--)
{
if($dom)
$dom = $bits[$i].".".$dom;
else
$dom = $bits[$i];
$dom = mysql_real_escape_string($dom);
$query = "select * from `org`,`orgdomains`,`orginfo`
where `org`.`memid`='".$_SESSION['profile']['id']."'
and `orgdomains`.`orgid`=`org`.`orgid`
and `orginfo`.`id`=`org`.`orgid`
and `orgdomains`.`domain`='$dom'";
$res = mysql_query($query);
if(mysql_num_rows($res) > 0)
{
$_SESSION['_config']['row'] = mysql_fetch_assoc($res);
return(true);
}
}
return(false);
}
function maxpoints($id = 0)
{
if($id <= 0)
$id = $_SESSION['profile']['id'];
$query = "select sum(`points`) as `points` from `notary` where `to`='$id' group by `to`";
$row = mysql_fetch_assoc(mysql_query($query));
$points = $row['points'];
$dob = date("Y-m-d", mktime(0,0,0,date("m"),date("d"),date("Y")-18));
$query = "select * from `users` where `id`='".$_SESSION['profile']['id']."' and `dob` < '$dob'";
if(mysql_num_rows(mysql_query($query)) < 1)
{
if($points >= 100)
return(10);
else
return(0);
}
if($points >= 300)
return(200);
if($points >= 200)
return(150);
if($points >= 150)
return(35);
if($points >= 140)
return(30);
if($points >= 130)
return(25);
if($points >= 120)
return(20);
if($points >= 110)
return(15);
if($points >= 100)
return(10);
return(0);
}
function hex2bin($data)
{
while(strstr($data, "\\x"))
{
$pos = strlen($data) - strlen(strstr($data, "\\x"));
$before = substr($data, 0, $pos);
$char = chr(hexdec(substr($data, $pos + 2, 2)));
$after = substr($data, $pos + 4);
$data = $before.$char.$after;
}
return(utf8_decode($data));
}
function screenshot($img)
{
if(file_exists("../screenshots/".$_SESSION['_config']['language']."/$img"))
return("/screenshots/".$_SESSION['_config']['language']."/$img");
else
return("/screenshots/en/$img");
}
function signmail($to, $subject, $message, $from, $replyto = "")
{
if($replyto == "")
$replyto = $from;
$tmpfname = tempnam("/tmp", "CSR");
$fp = fopen($tmpfname, "w");
fputs($fp, $message);
fclose($fp);
$do = `/usr/bin/gpg --homedir /home/gpg --clearsign "$tmpfname"|/usr/sbin/sendmail "$to"`;
@unlink($tmpfname);
}
function checkEmail($email)
{
$myemail = mysql_real_escape_string($email);
if(preg_match("/^([a-zA-Z0-9])+([a-zA-Z0-9\+\._-])*@([a-zA-Z0-9_-])+([a-zA-Z0-9\._-]+)+$/" , $email))
{
list($username,$domain)=split('@',$email);
$dom = escapeshellarg($domain);
$line = trim(`dig +short MX $dom 2>&1`);
#echo $email."-$dom-$line-\n";
#echo `dig +short mx heise.de 2>&1`."-
\n";
$list = explode("\n", $line);
foreach($list as $row)
list($pri, $mxhosts[]) = explode(" ", substr(trim($row), 0, -1));
$mxhosts[] = $domain;
#print_r($mxhosts); die;
foreach($mxhosts as $key => $domain)
{
$fp = @fsockopen($domain,25,$errno,$errstr,5);
if($fp)
{
$line = fgets($fp, 4096);
if(substr($line, 0, 3) != "220")
continue;
fputs($fp, "HELO hlin.cacert.org\r\n");
$line = fgets($fp, 4096);
while(substr($line, 0, 3) == "220")
$line = fgets($fp, 4096);
if(substr($line, 0, 3) != "250")
continue;
fputs($fp, "MAIL FROM: \r\n");
$line = fgets($fp, 4096);
if(substr($line, 0, 3) != "250")
continue;
fputs($fp, "RCPT TO: <$email>\r\n");
$line = trim(fgets($fp, 4096));
fputs($fp, "QUIT\r\n");
fclose($fp);
$line = mysql_real_escape_string(trim(strip_tags($line)));
$query = "insert into `pinglog` set `when`=NOW(), `email`='$myemail', `result`='$line'";
if(is_array($_SESSION['profile'])) $query.=", `uid`='".$_SESSION['profile']['id']."'";
mysql_query($query);
if(substr($line, 0, 3) != "250")
return $line;
else
return "OK";
}
}
}
$query = "insert into `pinglog` set `when`=NOW(), `uid`='".$_SESSION['profile']['id']."',
`email`='$myemail', `result`='Failed to make a connection to the mail server'";
mysql_query($query);
return _("Failed to make a connection to the mail server");
}
function waitForResult($table, $certid, $id = 0, $show = 1)
{
$found = $trycount = 0;
if($certid<=0)
{
if($show) showheader(_("My CAcert.org Account!"));
echo "ERROR: The new Certificate ID is wrong. Please contact support.\n";
if($show) showfooter();
if($show) exit;
return;
}
while($trycount++ <= 40)
{
if($table == "gpg")
$query = "select * from `$table` where `id`='".intval($certid)."' and `crt` != ''";
else
$query = "select * from `$table` where `id`='".intval($certid)."' and `crt_name` != ''";
$res = mysql_query($query);
if(mysql_num_rows($res) > 0)
{
$found = 1;
break;
}
sleep(2);
}
if(!$found)
{
if($show) showheader(_("My CAcert.org Account!"));
$query = "select * from `$table` where `id`='".intval($certid)."' ";
$res = mysql_query($query);
$body="";
$subject="";
if(mysql_num_rows($res) > 0)
{
printf(_("Your certificate request is still queued and hasn't been processed yet. Please wait, and go to Certificates -> View to see it's status."));
$subject="[CAcert.org] Certificate TIMEOUT";
$body = "A certificate has timed out!\n\n";
}
else
{
printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions.")." certid:$table:".intval($certid), "", "");
$subject="[CAcert.org] Certificate FAILURE";
$body = "A certificate has failed: $table $certid $id $show\n\n";
}
$body .= _("Best regards")."\n"._("CAcert.org Support!");
sendmail("philipp@cacert.org", $subject, $body, "philipp@cacert.org", "", "", "CAcert Support");
if($show) showfooter();
if($show) exit;
}
}
function generateTicket()
{
$query = "insert into tickets (timestamp) values (now()) ";
mysql_query($query);
$ticket = mysql_insert_id();
return $ticket;
}
function sanitizeHTML($input)
{
return htmlentities(strip_tags($input), ENT_QUOTES);
//In case of problems, please use the following line again:
//return htmlentities(strip_tags(utf8_decode($input)), ENT_QUOTES);
//return htmlspecialchars(strip_tags($input));
}
function make_hash()
{
if(function_exists("dio_open"))
{
$rnd = dio_open("/dev/urandom",O_RDONLY);
$hash = md5(dio_read($rnd,64));
dio_close($rnd);
} else {
$rnd = fopen("/dev/urandom", "r");
$hash = md5(fgets($rnd, 64));
fclose($rnd);
}
return($hash);
}
function csrf_check($nam, $show=1)
{
if(!array_key_exists('csrf',$_REQUEST) || !array_key_exists('csrf_'.$nam,$_SESSION))
{
showheader(_("My CAcert.org Account!"));
echo _("CSRF Hash is missing. Please try again.")."\n";
showfooter();
exit();
}
if(strlen($_REQUEST['csrf'])!=32)
{
showheader(_("My CAcert.org Account!"));
echo _("CSRF Hash is wrong. Please try again.")."\n";
showfooter();
exit();
}
if(!array_key_exists($_REQUEST['csrf'],$_SESSION['csrf_'.$nam]))
{
showheader(_("My CAcert.org Account!"));
echo _("CSRF Hash is wrong. Please try again.")."\n";
showfooter();
exit();
}
}
function make_csrf($nam)
{
$hash=make_hash();
$_SESSION['csrf_'.$nam][$hash]=1;
return($hash);
}
function clean_csr($CSR)
{
$newcsr = str_replace("\r\n","\n",trim($CSR));
$newcsr = str_replace("\n\n","\n",$newcsr);
return(preg_replace("/[^A-Za-z0-9\n\r\-\:\=\+\/ ]/","",$newcsr));
}
function sanitizeFilename($text)
{
$text=preg_replace("/[^\w-.@]/","",$text);
return($text);
}
function fix_assurer_flag($userID)
{
// Update Assurer-Flag on users table if 100 points. Should the number of points be SUM(points) or SUM(awarded)?
$query = mysql_query('UPDATE `users` AS `u` SET `assurer` = 1 WHERE `u`.`id` = \''.(int)intval($userID).
'\' AND EXISTS(SELECT 1 FROM `cats_passed` AS `tp`, `cats_variant` AS `cv` WHERE `tp`.`variant_id` = `cv`.`id` AND `cv`.`type_id` = 1 AND `tp`.`user_id` = `u`.`id`)'.
' AND (SELECT SUM(`points`) FROM `notary` AS `n` WHERE `n`.`to` = `u`.`id` AND `expire` < now()) >= 100'); // Challenge has been passed and non-expired points >= 100
// Reset flag if requirements are not met
$query = mysql_query('UPDATE `users` AS `u` SET `assurer` = 0 WHERE `u`.`id` = \''.(int)intval($userID).
'\' AND (NOT EXISTS(SELECT 1 FROM `cats_passed` AS `tp`, `cats_variant` AS `cv` WHERE `tp`.`variant_id` = `cv`.`id` AND `cv`.`type_id` = 1 AND `tp`.`user_id` = `u`.`id`)'.
' OR (SELECT SUM(`points`) FROM `notary` AS `n` WHERE `n`.`to` = `u`.`id` AND `n`.`expire` < now()) < 100)');
}
// returns 0 if $userID is an Assurer
// Otherwise :
// Bit 0 is always set
// Bit 1 is set if 100 Assurance Points are not reached
// Bit 2 is set if Assurer Test is missing
// Bit 3 is set if the user is not allowed to be an Assurer (assurer_blocked > 0)
function get_assurer_status($userID)
{
$Result = 0;
$query = mysql_query('SELECT * FROM `cats_passed` AS `tp`, `cats_variant` AS `cv` '.
' WHERE `tp`.`variant_id` = `cv`.`id` AND `cv`.`type_id` = 1 AND `tp`.`user_id` = \''.(int)intval($userID).'\'');
if(mysql_num_rows($query) < 1)
{
$Result |= 5;
}
$query = mysql_query('SELECT SUM(`points`) AS `points` FROM `notary` AS `n` WHERE `n`.`to` = \''.(int)intval($userID).'\' AND `n`.`expire` < now()');
$row = mysql_fetch_assoc($query);
if ($row['points'] < 100) {
$Result |= 3;
}
$query = mysql_query('SELECT `assurer_blocked` FROM `users` WHERE `id` = \''.(int)intval($userID).'\'');
$row = mysql_fetch_assoc($query);
if ($row['assurer_blocked'] > 0) {
$Result |= 9;
}
return $Result;
}
// returns text message to be shown to the user given the result of is_no_assurer
function no_assurer_text($Status)
{
if ($Status == 0) {
$Result = _("You have passed the Assurer Challenge and collected at least 100 Assurance Points, you are an Assurer.");
} elseif ($Status == 3) {
$Result = _("You have passed the Assurer Challenge, but to become an Assurer you still have to reach 100 Assurance Points!");
} elseif ($Status == 5) {
$Result = _("You have at least 100 Assurance Points, if you want to become an assurer try the ").'Assurer Challenge!';
} elseif ($Status == 7) {
$Result = _("To become an Assurer have to collect 100 Assurance Points and pass the ").'Assurer Challenge!';
} elseif ($Status & 8 > 0) {
$Result = _("Sorry, you are not allowed to be an Assurer. Please contact ").'cacert-support@lists.cacert.org'._(" if you feel that this is not corect.");
} else {
$Result = _("You are not an Assurer, but the reason is not stored in the database. Please contact ").'cacert-support@lists.cacert.org.';
}
return $Result;
}
function is_assurer($userID)
{
if (get_assurer_status($userID))
return 0;
else
return 1;
}
function get_assurer_reason($userID)
{
return no_assurer_text(get_assurer_status($userID));
}
?>