authorBernhard Froehlich <ted@convey.de>2011-08-29 20:47:49 +0200
committerBernhard Froehlich <ted@convey.de>2011-08-29 20:47:49 +0200
commit86e8fb9f57d52e8f7de1f356b170bfe719d136da (patch)
tree05cf7ffae926152cabb2ed9e5775c87cf9176bdf
parente4b2004eac4c42fecfaea6397a735bd4e0919072 (diff)
parenta7b28f722eacc63fdb0b1e521962a9125a03ebdb (diff)
Merge branch 'release' of ssh://git-cacert.it-sls.de/var/cache/git/cacert-devel into bug-846
-rw-r--r--includes/account.php9
-rw-r--r--includes/general.php14
-rw-r--r--includes/lib/account.php51
-rw-r--r--includes/loggedin.php3
-rw-r--r--scripts/assurer.php2
-rw-r--r--www/cats/cats_import.php5
6 files changed, 66 insertions, 18 deletions
diff --git a/includes/account.php b/includes/account.php
index 14702b9..24c61d8 100644
--- a/includes/account.php
+++ b/includes/account.php
@@ -1290,6 +1290,8 @@
showheader(_("My CAcert.org Account!"));
if($_SESSION['_config']['user']['pword1'] == "" || $_SESSION['_config']['user']['pword1'] != $_SESSION['_config']['user']['pword2'])
{
+ echo '<h3 style="color:red">', _("Failure: Pass Phrase not Changed"),
+ '</h3>', "\n";
echo _("New Pass Phrases specified don't match or were blank.");
} else {
$score = checkpw($_SESSION['_config']['user']['pword1'], $_SESSION['profile']['email'], $_SESSION['profile']['fname'],
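Review bot: The same failure banner `echo '<h3 style="color:red">', _("Failure: Pass Phrase not Changed"), '</h3>', "\n";` is now pasted four times, once here and three times in the hunk at line 1308, which is a point of style rather than behaviour but leaves four copies of the markup and the translatable string free to drift apart. A one-line helper such as `function show_pwchange_failure($reason) { echo '<h3 style="color:red">', _("Failure: Pass Phrase not Changed"), '</h3>', "\n", $reason; }` called from each branch keeps them in one place. The `if`/`else` chain these lines belong to starts before this hunk and, in the second hunk, continues past it.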
@@ -1306,14 +1308,21 @@
}
if(strlen($_SESSION['_config']['user']['pword1']) < 6) {
+ echo '<h3 style="color:red">',
+ _("Failure: Pass Phrase not Changed"), '</h3>', "\n";
echo _("The Pass Phrase you submitted was too short.");
} else if($score < 3) {
+ echo '<h3 style="color:red">',
+ _("Failure: Pass Phrase not Changed"), '</h3>', "\n";
printf(_("The Pass Phrase you submitted failed to contain enough differing characters and/or contained words from your name and/or email address. Only scored %s points out of 6."), $score);
} else if($rc <= 0) {
+ echo '<h3 style="color:red">',
+ _("Failure: Pass Phrase not Changed"), '</h3>', "\n";
echo _("You failed to correctly enter your current Pass Phrase.");
} else {
mysql_query("update `users` set `password`=sha1('".$_SESSION['_config']['user']['pword1']."')
where `id`='".$_SESSION['profile']['id']."'");
+ echo '<h3>', _("Pass Phrase Changed Successfully"), '</h3>', "\n";
echo _("Your Pass Phrase has been updated and your primary email account has been notified of the change.");
$body = sprintf(_("Hi %s,"),$_SESSION['profile']['fname'])."\n";
$body .= _("You are receiving this email because you or someone else")."\n";
diff --git a/includes/general.php b/includes/general.php
index cb17e63..ebdf20e 100644
--- a/includes/general.php
+++ b/includes/general.php
@@ -38,6 +38,7 @@
$_SESSION['_config']['filepath'] = "/www";
require_once($_SESSION['_config']['filepath']."/includes/mysql.php");
+ require_once($_SESSION['_config']['filepath'].'/includes/lib/account.php');
if(array_key_exists('HTTP_HOST',$_SERVER) &&
$_SERVER['HTTP_HOST'] != $_SESSION['_config']['normalhostname'] &&
@@ -847,19 +848,6 @@
$text=preg_replace("/[^\w-.@]/","",$text);
return($text);
}
-
- function fix_assurer_flag($userID)
- {
- // Update Assurer-Flag on users table if 100 points. Should the number of points be SUM(points) or SUM(awarded)?
- $query = mysql_query('UPDATE `users` AS `u` SET `assurer` = 1 WHERE `u`.`id` = \''.(int)intval($userID).
- '\' AND EXISTS(SELECT 1 FROM `cats_passed` AS `tp`, `cats_variant` AS `cv` WHERE `tp`.`variant_id` = `cv`.`id` AND `cv`.`type_id` = 1 AND `tp`.`user_id` = `u`.`id`)'.
- ' AND (SELECT SUM(`points`) FROM `notary` AS `n` WHERE `n`.`to` = `u`.`id` AND `expire` < now()) >= 100'); // Challenge has been passed and non-expired points >= 100
-
- // Reset flag if requirements are not met
- $query = mysql_query('UPDATE `users` AS `u` SET `assurer` = 0 WHERE `u`.`id` = \''.(int)intval($userID).
- '\' AND (NOT EXISTS(SELECT 1 FROM `cats_passed` AS `tp`, `cats_variant` AS `cv` WHERE `tp`.`variant_id` = `cv`.`id` AND `cv`.`type_id` = 1 AND `tp`.`user_id` = `u`.`id`)'.
- ' OR (SELECT SUM(`points`) FROM `notary` AS `n` WHERE `n`.`to` = `u`.`id` AND `n`.`expire` < now()) < 100)');
- }
// returns 0 if $userID is an Assurer
// Otherwise :
diff --git a/includes/lib/account.php b/includes/lib/account.php
new file mode 100644
index 0000000..f7a24fa
--- /dev/null
+++ b/includes/lib/account.php
@@ -0,0 +1,51 @@
+<?php
+/*
+ LibreSSL - CAcert web application
+ Copyright (C) 2004-2008 CAcert Inc.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 2 of the License.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+*/
+
+function fix_assurer_flag($userID)
+{
+ // Update Assurer-Flag on users table if 100 points.
+ // Should the number of points be SUM(points) or SUM(awarded)?
+ $query = mysql_query('UPDATE `users` AS `u` SET `assurer` = 1 WHERE '.
+ '`u`.`id` = \''.(int)intval($userID).'\' AND '.
+ 'EXISTS(SELECT 1 FROM `cats_passed` AS `cp`, `cats_variant` AS `cv` '.
+ 'WHERE `cp`.`variant_id` = `cv`.`id` AND `cv`.`type_id` = 1 AND '.
+ '`cp`.`user_id` = `u`.`id`) AND '.
+ '(SELECT SUM(`points`) FROM `notary` AS `n` WHERE `n`.`to` = `u`.`id` '.
+ 'AND (`n`.`expire` > now() OR `n`.`expire` IS NULL)) >= 100');
+ // Challenge has been passed and non-expired points >= 100
+
+ if (!$query) {
+ return false;
+ }
+
+ // Reset flag if requirements are not met
+ $query = mysql_query('UPDATE `users` AS `u` SET `assurer` = 0 WHERE '.
+ '`u`.`id` = \''.(int)intval($userID).'\' AND '.
+ '(NOT EXISTS(SELECT 1 FROM `cats_passed` AS `cp`, `cats_variant` AS '.
+ '`cv` WHERE `cp`.`variant_id` = `cv`.`id` AND `cv`.`type_id` = 1 '.
+ 'AND `cp`.`user_id` = `u`.`id`) OR '.
+ '(SELECT SUM(`points`) FROM `notary` AS `n` WHERE `n`.`to` = `u`.`id` '.
+ 'AND (`n`.`expire` > now() OR `n`.`expire` IS NULL)) < 100)');
+
+ if (!$query) {
+ return false;
+ }
+
+ return true;
+} \ No newline at end of file
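Review bot: Both subqueries compare a bare ``SUM(`points`)`` with 100, but when the subquery's WHERE filters out every `notary` row (all of the user's points expired, or no rows at all) MySQL's SUM() yields NULL, so in the second UPDATE the condition becomes `FALSE OR NULL` and the row is left untouched; the flag is therefore never cleared in precisely the case the reset statement exists for. Wrapping the aggregate as ``COALESCE(SUM(`points`), 0)`` on the two lines that build the point subquery makes both comparisons well-defined (the first UPDATE then reads "no points" explicitly instead of relying on `NULL >= 100` being false). The function also carries no documentation; a header such as `/** Recompute users.assurer for one user from CATS results and non-expired notary points. @param int $userID @return bool false as soon as either UPDATE fails; the MySQL error is not recorded, callers only see the boolean. */` would cover the contract. Minor: `(int)intval($userID)` casts twice, so `(int)$userID` alone does the same, and the file ends without a trailing newline.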
diff --git a/includes/loggedin.php b/includes/loggedin.php
index 355527f..640bc6c 100644
--- a/includes/loggedin.php
+++ b/includes/loggedin.php
@@ -131,13 +131,12 @@
$normalhost=$_SESSION['_config']['normalhostname'];
$_SESSION['profile']['loggedin'] = 0;
$_SESSION['profile'] = "";
- foreach($_SESSION as $key)
+ foreach($_SESSION as $key => $value)
{
unset($_SESSION[$key]);
unset($$key);
session_unregister($key);
}
- unset($_SESSION);
header("location: https://".$normalhost."/index.php");
exit;
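Review bot: The corrected `foreach` now binds `$key` to the session key as intended, but `$value` is never used, and the following `unset($$key)` removes a variable of the same name in the including scope for every session key, which is a wide side effect on a logout path; `foreach (array_keys($_SESSION) as $key)` drops the unused variable, and the `$$key` line deserves a comment naming which variables it is meant to clear. `session_unregister()` on the next line is deprecated since PHP 5.3 and removed in 5.4, so `unset($_SESSION[$key])` alone is the portable form. Nothing in the hunk destroys the server-side session record or rotates the id after the variables are cleared; if that is not done elsewhere in this block, `session_destroy()` after the loop is what actually ends the session. The block containing the loop starts before this hunk.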
diff --git a/scripts/assurer.php b/scripts/assurer.php
index c649fbf..d85a2a6 100644
--- a/scripts/assurer.php
+++ b/scripts/assurer.php
@@ -30,7 +30,7 @@
$query = "
select u.email, fname, lname, sum(n.points) from users u, notary n
where n.to=u.id
- and not exists(select 1 from cats_passed cp where cp.user_id=u.id)
+ and not EXISTS(SELECT 1 FROM `cats_passed` AS `tp`, `cats_variant` AS `cv` WHERE `tp`.`variant_id` = `cv`.`id` AND `cv`.`type_id` = 1 AND `tp`.`user_id` = `u`.`id`)
and exists(select 1 from notary n2 where n2.from=u.id and year(n2.`when`)>2007)
and (select count(*) from notary n3 where n3.from=u.id) > 1
group by email, fname, lname
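Review bot: The new `not EXISTS(...)` clause is the third copy in this commit of the "has passed a `type_id` = 1 CATS variant" condition (the other two are in includes/lib/account.php), and it is the only one written with uppercase keywords, backticked identifiers and a `tp` alias inside an otherwise lowercase, unquoted query. Aligning the alias with the library's `cp` and the casing with the surrounding text keeps the three copies recognisable as the same rule until they can share one definition. Also worth noting: the outer `sum(n.points)` here still counts every `notary` row, whereas the library function now excludes expired points, so this report and the `assurer` flag can disagree for the same user; if that is intentional for this script, a one-line comment saying so would save the next reader the comparison.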
diff --git a/www/cats/cats_import.php b/www/cats/cats_import.php
index 6d77a75..56dd0cf 100644
--- a/www/cats/cats_import.php
+++ b/www/cats/cats_import.php
@@ -24,6 +24,8 @@
API for CATS to import passed tests into main CAcert database.
*/
+require_once('../../includes/lib/account.php');
+
function sanitize_string($buffer) {
return htmlentities(utf8_decode($buffer), (int)ENQ_QUOTES);
}
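Review bot: The added `require_once('../../includes/lib/account.php')` is resolved against the include_path, the calling script's directory and the current working directory rather than against this file, so whether the library is found depends on how cats_import.php is invoked (a direct request works, inclusion from elsewhere or a different CWD may not). Anchoring the path to the file, `require_once(dirname(__FILE__) . '/../../includes/lib/account.php');`, removes that dependency; the sibling change in includes/general.php builds an absolute path from `$_SESSION['_config']['filepath']`, and either form is preferable to the bare relative one.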
@@ -154,8 +156,7 @@ if (!$query) {
}
// Update Assurer-Flag on users table if 100 points. Should the number of points be SUM(points) or SUM(awarded)?
-$query = mysql_query('UPDATE `users` AS `u` SET `assurer` = 1 WHERE `u`.`id` = \''.(int)intval($userID).'\' AND EXISTS(SELECT 1 FROM `cats_passed` AS `tp` WHERE `tp`.`user_id` = `u`.`id`) AND (SELECT SUM(`points`) FROM `notary` AS `n` WHERE `n`.`to` = `u`.`id` AND `expire` < now()) >= 100;'); // Challenge has been passed and non-expired points >= 100
-if (!$query) {
+if (!fix_assurer_flag($userID)) {
echo 'Invalid query'."\r\n";
trigger_error('Invalid query', E_USER_ERROR);
exit();