authorBenny Baumann <BenBE@geshi.org>2015-05-05 19:09:30 +0200
committerBenny Baumann <BenBE@geshi.org>2015-05-05 19:09:30 +0200
commit70f867dca49fa2f999470913ff75f816bcbb700d (patch)
treee8907b51235fe0c5e9d3d95defa61c685d5221b9 /www
parentaaffd10f8439c32bfbb8bfca83c08f98f23fb2c9 (diff)
parent77ed5c5b06c2dc8fafc74c1be5a6197bb45e0f11 (diff)
Merge branch 'bug-1042' into testserver-stable
Diffstat (limited to 'www')
-rw-r--r--www/api/ccsr.php109
-rw-r--r--www/api/cemails.php48
-rw-r--r--www/index.php6
-rw-r--r--www/wot.php48
4 files changed, 17 insertions, 194 deletions
diff --git a/www/api/ccsr.php b/www/api/ccsr.php
deleted file mode 100644
index 3bfe55a..0000000
--- a/www/api/ccsr.php
+++ /dev/null
@@ -1,109 +0,0 @@
-<? /*
- LibreSSL - CAcert web application
- Copyright (C) 2004-2008 CAcert Inc.
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; version 2 of the License.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
-*/
-
-require_once '../../includes/lib/check_weak_key.php';
-
- $username = mysql_real_escape_string($_REQUEST['username']);
- $password = mysql_real_escape_string($_REQUEST['password']);
-
- $query = "select * from `users` where `email`='$username' and (`password`=old_password('$password') or `password`=sha1('$password'))";
- $res = mysql_query($query);
- if(mysql_num_rows($res) != 1)
- die("403,That username couldn't be found\n");
- $user = mysql_fetch_assoc($res);
- $memid = $user['id'];
- $emails = array();
- foreach($_REQUEST['email'] as $email)
- {
- $email = mysql_real_escape_string(trim($email));
- $query = "select * from `email` where `memid`='".intval($memid)."' and `hash`='' and `deleted`=0 and `email`='$email'";
- $res = mysql_query($query);
- if(mysql_num_rows($res) > 0)
- {
- $row = mysql_fetch_assoc($res);
- $id = $row['id'];
- $emails[$id] = $email;
- }
- }
- if(count($emails) <= 0)
- die("404,Wasn't able to match any emails sent against your account");
- $query = "select sum(`points`) as `points` from `notary` where `to`='".intval($memid)."' and `notary`.`deleted`=0 group by `to`";
- $row = mysql_fetch_assoc(mysql_query($query));
- $points = $row['points'];
-
- $name = "CAcert WoT User\n";
- $newname = mysql_real_escape_string(trim($_REQUEST['name']));
- if($points >= 50)
- {
- if($newname == $user['fname']." ".$user['lname'] ||
- $newname == $user['fname']." ".$user['mname']." ".$user['lname'] ||
- $newname == $user['fname']." ".$user['lname']." ".$user['suffix'] ||
- $newname == $user['fname']." ".$user['mname']." ".$user['lname']." ".$user['suffix'])
- $name = $newname;
- }
-
- $codesign = 0;
- if($user['codesign'] == "1" && $_REQUEST['codesign'] == "1" && $points >= 100)
- $codesign = 1;
-
- $CSR = trim($_REQUEST['optionalCSR']);
-
- if (($weakKey = checkWeakKeyCSR($CSR)) !== "")
- {
- die("403, $weakKey");
- }
-
- $incsr = tempnam("/tmp", "ccsrIn");
- $checkedcsr = tempnam("/tmp", "ccsrOut");
- $fp = fopen($incsr, "w");
- fputs($fp, $CSR);
- fclose($fp);
- $incsr_esc = escapeshellarg($incsr);
- $checkedcsr_esc = escapeshellarg($checkedcsr);
- $do = shell_exec("/usr/bin/openssl req -in $incsr_esc -out $checkedcsr_esc");
- @unlink($incsr);
- if(filesize($checkedcsr) <= 0)
- die("404,Invalid or missing CSR");
-
- $csrsubject = "/CN=$name";
- foreach($emails as $id => $email)
- $csrsubject .= "/emailAddress=".$email;
-
- $query = "insert into `emailcerts` set `CN`='".mysql_real_escape_string($user['email'])."', `keytype`='MS',
- `memid`='".intval($user['id'])."', `created`=FROM_UNIXTIME(UNIX_TIMESTAMP()),
- `subject`='".mysql_real_escape_string($csrsubject)."', `codesign`='".intval($codesign)."'";
- mysql_query($query);
- $certid = mysql_insert_id();
- $CSRname = generatecertpath("csr","client",$certid);
- rename($checkedcsr, $CSRname);
-
- mysql_query("update `emailcerts` set `csr_name`='$CSRname' where `id`='$certid'");
-
- foreach($emails as $emailid => $email)
- mysql_query("insert into `emaillink` set `emailcertsid`='$certid', `emailid`='".intval($emailid)."'");
-
- $do = shell_exec("../../scripts/runclient");
- sleep(10); // THIS IS BROKEN AND SHOULD BE FIXED
- $query = "select * from `emailcerts` where `id`='$certid' and `crt_name` != ''";
- $res = mysql_query($query);
- if(mysql_num_rows($res) <= 0)
- die("404,Your certificate request has failed. ID: ".intval($certid));
- $cert = mysql_fetch_assoc($res);
- echo "200,Authentication Ok\n";
- readfile("../".$cert['crt_name']);
-?>
diff --git a/www/api/cemails.php b/www/api/cemails.php
deleted file mode 100644
index 6fceb04..0000000
--- a/www/api/cemails.php
+++ /dev/null
@@ -1,48 +0,0 @@
-<? /*
- LibreSSL - CAcert web application
- Copyright (C) 2004-2008 CAcert Inc.
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; version 2 of the License.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
-*/
- $username = mysql_real_escape_string($_REQUEST['username']);
- $password = mysql_real_escape_string($_REQUEST['password']);
-
- $query = "select * from `users` where `email`='$username' and (`password`=old_password('$password') or `password`=sha1('$password'))";
- $res = mysql_query($query);
- if(mysql_num_rows($res) != 1)
- die("403,That username couldn't be found\n");
- echo "200,Authentication Ok\n";
- $user = mysql_fetch_assoc($res);
- $memid = $user['id'];
- $query = "select sum(`points`) as `points` from `notary` where `to`='".intval($memid)."' and `notary`.`deleted`=0 group by `to`";
- $row = mysql_fetch_assoc(mysql_query($query));
- $points = $row['points'];
- echo "CS=".intval($user['codesign'])."\n";
- echo "NAME=CAcert WoT User\n";
- if($points >= 50)
- {
- echo "NAME=".sanitizeHTML($user['fname'])." ".sanitizeHTML($user['lname'])."\n";
- if($user['mname'] != "")
- echo "NAME=".sanitizeHTML($user['fname'])." ".sanitizeHTML($user['mname'])." ".sanitizeHTML($user['lname'])."\n";
- if($user['suffix'] != "")
- echo "NAME=".sanitizeHTML($user['fname'])." ".sanitizeHTML($user['lname'])." ".sanitizeHTML($user['suffix'])."\n";
- if($user['mname'] != "" && $user['suffix'] != "")
- echo "NAME=".sanitizeHTML($user['fname'])." ".sanitizeHTML($user['mname'])." ".sanitizeHTML($user['lname'])." ".sanitizeHTML($user['suffix'])."\n";
- }
- $query = "select * from `email` where `memid`='".intval($memid)."' and `hash`='' and `deleted`=0";
- $res = mysql_query($query);
- while($row = mysql_fetch_assoc($res)) {
- echo "EMAIL=".sanitizeHTML($row['email'])."\n";
- }
-?>
diff --git a/www/index.php b/www/index.php
index e7229c5..a3e4e14 100644
--- a/www/index.php
+++ b/www/index.php
@@ -217,10 +217,8 @@ require_once('../includes/notary.inc.php');
L10n::set_translation($_SESSION['profile']['language']);
L10n::init_gettext();
}
- $query = "select sum(`points`) as `total` from `notary` where `to`='".intval($_SESSION['profile']['id'])."' and `deleted`=0 group by `to`";
- $res = mysql_query($query);
- $row = mysql_fetch_assoc($res);
- $_SESSION['profile']['points'] = $row['total'];
+ update_points_in_profile();
+
$_SESSION['profile']['loggedin'] = 1;
if($_SESSION['profile']['Q1'] == "" || $_SESSION['profile']['Q2'] == "" ||
$_SESSION['profile']['Q3'] == "" || $_SESSION['profile']['Q4'] == "" ||
diff --git a/www/wot.php b/www/wot.php
index 808d57f..cde3870 100644
--- a/www/wot.php
+++ b/www/wot.php
@@ -343,25 +343,13 @@ function send_reminder()
{
$max = maxpoints();
- $awarded = $newpoints = intval($_POST['points']);
- if($newpoints > $max)
- $newpoints = $awarded = $max;
- if($newpoints < 0)
- $newpoints = $awarded = 0;
+ $awarded = intval($_POST['points']);
+ if($awarded > $max)
+ $awarded = $max;
+ if($awarded < 0)
+ $awarded = 0;
- $query = "select sum(`points`) as `total` from `notary` where `to`='".intval($_SESSION['_config']['notarise']['id'])."' and `deleted` = 0 group by `to`";
- $res = mysql_query($query);
- $drow = mysql_fetch_assoc($res);
- $oldpoints = intval($drow['total']);
-
- $_POST['expire'] = 0;
-
- if(($oldpoints + $newpoints) > 100 && $max < 100)
- $newpoints = 100 - $oldpoints;
- if(($oldpoints + $newpoints) > $max && $max >= 100)
- $newpoints = $max - $oldpoints;
- if($newpoints < 0)
- $newpoints = 0;
+ $drow_points = get_received_total_points(intval($_SESSION['_config']['notarise']['id']));
if(mysql_real_escape_string(stripslashes($_POST['date'])) == "")
$_POST['date'] = date("Y-m-d H:i:s");
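Review bot: The total fetched on the `$drow_points = get_received_total_points(...)` line is never read under that name: the later hunks of this file use `$drow_total` (the assuree-mail hunk, three places) and `$drow['total']` (the assurer-mail hunk), and both are now undefined because the `$drow = mysql_fetch_assoc($res)` assignment was removed, so the mails would report just the awarded points as the new total. Rename the assignment to `$drow_total = get_received_total_points(intval($_SESSION['_config']['notarise']['id']));` and change `($awarded + $drow['total'])` in the assurer mail to `($awarded + $drow_total)`. Whether get_received_total_points returns an int or a row array is not visible here; if it returns a row, the reads should index it consistently instead. The enclosing function starts before and ends after this hunk.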
@@ -384,7 +372,7 @@ function send_reminder()
{
$query = "insert into `notary` set `from`='".intval($_SESSION['profile']['id'])."',
`to`='".intval($_SESSION['_config']['notarise']['id'])."',
- `points`='".intval($newpoints)."', `awarded`='".intval($awarded)."',
+ `points`='0', `awarded`='".intval($awarded)."',
`location`='".mysql_real_escape_string(stripslashes($_POST['location']))."',
`date`='".mysql_real_escape_string(stripslashes($_POST['date']))."',
`when`=NOW()";
@@ -426,19 +414,16 @@ function send_reminder()
$my_translation = L10n::get_translation();
L10n::set_translation($_SESSION['_config']['notarise']['language']);
- $assurer = $_SESSION['profile']['fname'].' '.$_SESSION['profile']['lname'];
- $body = sprintf(_("You are receiving this email because you have been assured by %s (%s)."), $assurer, $_SESSION['profile']['email'])."\n\n";
- if(($oldpoints + $newpoints) >= 100)
- $body .= sprintf(_("You were issued %s points. However the system only counts up to 100 assurance points."), $awarded)."\n\n";
- else
- $body .= sprintf(_("You were issued %s points and you now have %s points in total."), $awarded, ($newpoints + $oldpoints))."\n\n";
+ $body = sprintf(_("You are receiving this email because you have been assured by %s %s (%s)."), $_SESSION['profile']['fname'], $_SESSION['profile']['lname'], $_SESSION['profile']['email'])."\n\n";
+
+ $body .= sprintf(_("You were issued %s assurance points and you now have %s assurance points in total."), $awarded, ($awarded + $drow_total))."\n\n";
- if(($oldpoints + $newpoints) < 100 && ($oldpoints + $newpoints) >= 50)
+ if(($drow_total + $awarded) < 100 && ($drow_total + $awarded) >= 50)
{
$body .= _("You now have over 50 points, and can now have your name added to client certificates, and issue server certificates for up to 2 years.")."\n\n";
}
- if(($oldpoints + $newpoints) >= 100 && $newpoints > 0)
+ if(($drow_total + $awarded) >= 100 && $drow_total < 0 && !is_assurer(intval($_SESSION['_config']['notarise']['id'])) )
{
$body .= _("You have at least 100 Assurance Points, if you want to become an assurer try the Assurer Challenge")." ( https://cats.cacert.org )\n\n";
$body .= _("To make it easier for others in your area to find you, it's helpful to list yourself as an assurer (this is voluntary), as well as a physical location where you live or work the most. You can flag your account to be listed, and add a comment to the display by going to:")."\n";
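Review bot: The condition `$drow_total < 0` in the assurer-challenge branch looks like a typo for `$drow_total < 100`: the removed check `$newpoints > 0` fired when this assurance pushed the total to 100 or above, and a negative previous total is not a state the surrounding code produces. As written the hint paragraph is only sent to someone whose previous total is negative, so it is effectively dead. Suggested line: `if(($drow_total + $awarded) >= 100 && $drow_total < 100 && !is_assurer(intval($_SESSION['_config']['notarise']['id'])))`. The enclosing block starts before and ends after this hunk.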
@@ -454,9 +439,8 @@ function send_reminder()
L10n::set_translation($my_translation);
- $assuree = $_SESSION['_config']['notarise']['fname'].' '.$_SESSION['_config']['notarise']['lname'];
- $body = sprintf(_("You are receiving this email because you have assured %s (%s)."), $assuree, $_SESSION['_config']['notarise']['email'])."\n\n";
- $body .= sprintf(_("You issued %s points."), $awarded)."\n\n";
+ $body = sprintf(_("You are receiving this email because you have assured %s %s (%s)."), $_SESSION['_config']['notarise']['fname'], $_SESSION['_config']['notarise']['lname'], $_SESSION['_config']['notarise']['email'])."\n\n";
+ $body .= sprintf(_("You issued %s assurance points and they now have %s assurance points in total."), $awarded, ($awarded + $drow['total']))."\n\n";
$body .= _("Best regards")."\n";
$body .= _("CAcert Support Team");
@@ -501,9 +485,7 @@ function send_reminder()
$subject = $_REQUEST['subject'];
$userid = intval($_REQUEST['userid']);
$user = mysql_fetch_assoc(mysql_query("select * from `users` where `id`='".intval($userid)."' and `listme`=1"));
- $points = mysql_num_rows(mysql_query("select sum(`points`) as `total` from `notary`
- where `to`='".intval($user['id'])."' and `deleted` = 0 group by `to` HAVING SUM(`points`) > 0"));
- if($points > 0)
+ if(is_assurer($userid) > 0)
{
$my_translation = L10n::get_translation();
L10n::set_translation($user['language']);
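Review bot: The new check `if(is_assurer($userid) > 0)` no longer depends on the `$user` row existing, whereas the removed query read `intval($user['id'])` and so silently skipped the branch when the `listme`=1 lookup returned no row; now an unlisted user who is an assurer enters the branch with `$user === false` and `$user['language']` is read on the next line. Guard the row explicitly, `if($user && is_assurer($userid))`, which also drops the `> 0` comparison that is redundant if is_assurer returns a bool (its return type is not visible here). The enclosing block starts before and ends after this hunk.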