diff options
Diffstat (limited to 'includes/account.php')
-rw-r--r-- | includes/account.php | 398 |
1 files changed, 262 insertions, 136 deletions
diff --git a/includes/account.php b/includes/account.php index a27c35c..76de567 100644 --- a/includes/account.php +++ b/includes/account.php @@ -17,8 +17,8 @@ */ require_once("../includes/loggedin.php"); require_once("../includes/lib/l10n.php"); - require_once('lib/check_weak_key.php'); - require_once("../includes/temp_functions.php"); + require_once("../includes/lib/check_weak_key.php"); + require_once("../includes/notary.inc.php"); loadem("account"); @@ -151,6 +151,9 @@ { foreach($_REQUEST['delid'] as $id) { + if (0==$delcount) { + echo _('The following email addresses have been removed:')."<br>\n"; + } $id = intval($id); $query = "select * from `email` where `id`='$id' and `memid`='".intval($_SESSION['profile']['id'])."' and `email`!='".$_SESSION['profile']['email']."'"; @@ -168,10 +171,8 @@ { echo _("You did not select any email accounts for removal."); } - if($delcount > 0) + if(0 == $delcount) { - echo _("The following accounts have been removed:")."<br>\n"; - } else { echo _("You failed to select any accounts to be removed, or you attempted to remove the default account. No action was taken."); } @@ -229,6 +230,11 @@ $_REQUEST['keytype'] = "MS"; $csr = clean_csr($_REQUEST['optionalCSR']); } + if(trim($_REQUEST['description']) != ""){ + $_SESSION['_config']['description']= trim(mysql_real_escape_string(stripslashes($_REQUEST['description']))); + }else{ + $_SESSION['_config']['description']= ""; + } } if($oldid == 4) @@ -312,7 +318,8 @@ `created`=FROM_UNIXTIME(UNIX_TIMESTAMP()), `codesign`='".intval($_SESSION['_config']['codesign'])."', `disablelogin`='".($_SESSION['_config']['disablelogin']?1:0)."', - `rootcert`='".intval($_SESSION['_config']['rootcert'])."'"; + `rootcert`='".intval($_SESSION['_config']['rootcert'])."', + `description`='".$_SESSION['_config']['description']."'"; mysql_query($query); $emailid = mysql_insert_id(); if(is_array($addys)) @@ -323,15 +330,15 @@ fputs($fp, $emails); fclose($fp); $challenge=$_SESSION['spkac_hash']; - $res=`openssl spkac -verify -in $CSRname`; - if(!strstr($res,"Challenge String: ".$challenge)) - { - $id = $oldid; - showheader(_("My CAcert.org Account!")); - echo _("The challenge-response code of your certificate request did not match. Can't continue with certificaterequest."); - showfooter(); - exit; - } + $res=`openssl spkac -verify -in $CSRname`; + if(!strstr($res,"Challenge String: ".$challenge)) + { + $id = $oldid; + showheader(_("My CAcert.org Account!")); + echo _("The challenge-response code of your certificate request did not match. Can't continue with certificaterequest."); + showfooter(); + exit; + } mysql_query("update `emailcerts` set `csr_name`='$CSRname' where `id`='".intval($emailid)."'"); } else if($_REQUEST['keytype'] == "MS" || $_REQUEST['keytype'] == "VI") { if($csr == "") @@ -356,8 +363,8 @@ $csrsubject=""; $user = mysql_fetch_assoc(mysql_query("select * from `users` where `id`='".intval($_SESSION['profile']['id'])."'")); - if(strlen($user['mname']) == 1) - $user['mname'] .= '.'; + if(strlen($user['mname']) == 1) + $user['mname'] .= '.'; if($_SESSION['_config']['incname'] <= 0 || $_SESSION['_config']['incname'] > 4) $csrsubject = "/CN=CAcert WoT User"; if($_SESSION['_config']['incname'] == 1) @@ -411,7 +418,9 @@ `created`=FROM_UNIXTIME(UNIX_TIMESTAMP()), `subject`='".mysql_real_escape_string($csrsubject)."', `codesign`='".$_SESSION['_config']['codesign']."', - `rootcert`='".$_SESSION['_config']['rootcert']."'"; + `disablelogin`='".($_SESSION['_config']['disablelogin']?1:0)."', + `rootcert`='".$_SESSION['_config']['rootcert']."', + `description`='".$_SESSION['_config']['description']."'"; mysql_query($query); $emailid = mysql_insert_id(); if(is_array($addys)) @@ -445,10 +454,10 @@ csrf_check("adddomain"); if(strstr($_REQUEST['newdomain'],"\x00")) { - showheader(_("My CAcert.org Account!")); - echo _("Due to the possibility for nullbyte domain exploits we currently do not allow any domain names with nullbytes."); - showfooter(); - exit; + showheader(_("My CAcert.org Account!")); + echo _("Due to the possibility for nullbyte domain exploits we currently do not allow any domain names with nullbytes."); + showfooter(); + exit; } list($newdomain) = explode(" ", $_REQUEST['newdomain'], 2); // Ignore the rest @@ -629,8 +638,8 @@ $CSR = clean_csr($_REQUEST['CSR']); if(strpos($CSR,"---BEGIN")===FALSE) { - // In case the CSR is missing the ---BEGIN lines, add them automatically: - $CSR = "-----BEGIN CERTIFICATE REQUEST-----\n".$CSR."\n-----END CERTIFICATE REQUEST-----\n"; + // In case the CSR is missing the ---BEGIN lines, add them automatically: + $CSR = "-----BEGIN CERTIFICATE REQUEST-----\n".$CSR."\n-----END CERTIFICATE REQUEST-----\n"; } if (($weakKey = checkWeakKeyCSR($CSR)) !== "") @@ -641,6 +650,12 @@ exit; } + if(trim($_REQUEST['description']) != ""){ + $_SESSION['_config']['description']= trim(mysql_real_escape_string(stripslashes($_REQUEST['description']))); + }else{ + $_SESSION['_config']['description']= ""; + } + $_SESSION['_config']['tmpfname'] = tempnam("/tmp", "id10CSR"); $fp = fopen($_SESSION['_config']['tmpfname'], "w"); fputs($fp, $CSR); @@ -707,7 +722,7 @@ $subject = ""; $count = 0; $supressSAN=0; - if($_SESSION["profile"]["id"] == 104074) $supressSAN=1; + if($_SESSION["profile"]["id"] == 104074) $supressSAN=1; if(is_array($_SESSION['_config']['rows'])) foreach($_SESSION['_config']['rows'] as $row) @@ -742,13 +757,15 @@ `CN`='".mysql_real_escape_string($_SESSION['_config']['rows']['0'])."', `domid`='".mysql_real_escape_string($_SESSION['_config']['rowid']['0'])."', `created`=NOW(),`subject`='".mysql_real_escape_string($subject)."', - `rootcert`='".mysql_real_escape_string($_SESSION['_config']['rootcert'])."'"; + `rootcert`='".mysql_real_escape_string($_SESSION['_config']['rootcert'])."', + `description`='".$_SESSION['_config']['description']."'"; } elseif(array_key_exists('0',$_SESSION['_config']['altid']) && $_SESSION['_config']['altid']['0'] > 0) { $query = "insert into `domaincerts` set `CN`='".mysql_real_escape_string($_SESSION['_config']['altrows']['0'])."', `domid`='".mysql_real_escape_string($_SESSION['_config']['altid']['0'])."', `created`=NOW(),`subject`='".mysql_real_escape_string($subject)."', - `rootcert`='".mysql_real_escape_string($_SESSION['_config']['rootcert'])."'"; + `rootcert`='".mysql_real_escape_string($_SESSION['_config']['rootcert'])."', + `description`='".$_SESSION['_config']['description']."'"; } else { showheader(_("My CAcert.org Account!")); echo _("Domain not verified."); @@ -830,7 +847,8 @@ `modified`=NOW(), `rootcert`='".$row['rootcert']."', `type`='".$row['type']."', - `pkhash`='".$row['pkhash']."'"; + `pkhash`='".$row['pkhash']."', + `description`='".$row['description']."'"; mysql_query($query); $newid = mysql_insert_id(); $newfile=generatecertpath("csr","server",$newid); @@ -968,6 +986,24 @@ exit; } + if($oldid == 12 && array_key_exists('change',$_REQUEST) && $_REQUEST['change'] != "") + { + showheader(_("My CAcert.org Account!")); + foreach($_REQUEST as $id => $val) + { + if(substr($id,0,14)=="check_comment_") + { + $cid = intval(substr($id,14)); + $comment=trim(mysql_real_escape_string(stripslashes($_REQUEST['comment_'.$cid]))); + mysql_query("update `domaincerts` set `description`='$comment' where `id`='$cid'"); + } + } + echo(_("Certificate settings have been changed.")."<br/>\n"); + showfooter(); + exit; + } + + if($oldid == 5 && array_key_exists('renew',$_REQUEST) && $_REQUEST['renew'] != "") { showheader(_("My CAcert.org Account!")); @@ -1006,7 +1042,8 @@ `modified`=NOW(), `disablelogin`='".$row['disablelogin']."', `codesign`='".$row['codesign']."', - `rootcert`='".$row['rootcert']."'"; + `rootcert`='".$row['rootcert']."', + `description`='".$row['description']."'"; mysql_query($query); $newid = mysql_insert_id(); $newfile=generatecertpath("csr","client",$newid); @@ -1105,26 +1142,47 @@ if($oldid == 5 && array_key_exists('change',$_REQUEST) && $_REQUEST['change'] != "") { - showheader(_("My CAcert.org Account!")); - //echo _("Now changing the settings for the following certificates:")."<br>\n"; - foreach($_REQUEST as $id => $val) - { - //echo $id."<br/>"; - if(substr($id,0,5)=="cert_") - { - $id = intval(substr($id,5)); - $dis=(array_key_exists('disablelogin_'.$id,$_REQUEST) && $_REQUEST['disablelogin_'.$id]=="1")?"0":"1"; - //echo "$id -> ".$_REQUEST['disablelogin_'.$id]."<br/>\n"; - mysql_query("update `emailcerts` set `disablelogin`='$dis' where `id`='$id' and `memid`='".$_SESSION['profile']['id']."'"); - //$row = mysql_fetch_assoc($res); - } - } - echo(_("Certificate settings have been changed.")."<br/>\n"); - showfooter(); - exit; + showheader(_("My CAcert.org Account!")); + foreach($_REQUEST as $id => $val) + { + if(substr($id,0,5)=="cert_") + { + $cid = intval(substr($id,5)); + $dis=(array_key_exists('disablelogin_'.$cid,$_REQUEST) && $_REQUEST['disablelogin_'.$cid]=="1")?"0":"1"; + mysql_query("update `emailcerts` set `disablelogin`='$dis' where `id`='$cid' and `memid`='".$_SESSION['profile']['id']."'"); + } + if(substr($id,0,14)=="check_comment_") + { + $cid = intval(substr($id,14)); + if(!empty($_REQUEST['check_comment_'.$cid])) { + $comment=trim(mysql_real_escape_string(stripslashes($_REQUEST['comment_'.$cid]))); + mysql_query("update `emailcerts` set `description`='$comment' where `id`='$cid' and `memid`='".$_SESSION['profile']['id']."'"); + } + } + } + echo(_("Certificate settings have been changed.")."<br/>\n"); + showfooter(); + exit; } + if($oldid == 6 && $_REQUEST['certid'] != "") + { + if(trim($_REQUEST['description']) != ""){ + $description= trim(mysql_real_escape_string(stripslashes($_REQUEST['description']))); + }else{ + $description= ""; + } + + if(trim($_REQUEST['disablelogin']) == "1"){ + $disablelogin = 1; + }else{ + $disablelogin = 0; + } + + mysql_query("update `emailcerts` set `disablelogin`='$disablelogin', `description`='$description' where `id`='".$_REQUEST['certid']."' and `memid`='".$_SESSION['profile']['id']."'"); + } + if($oldid == 13 && $process != "") { csrf_check("perschange"); @@ -1141,42 +1199,42 @@ $_SESSION['_config']['user']['A4'] = trim(mysql_real_escape_string(stripslashes(strip_tags($_REQUEST['A4'])))); $_SESSION['_config']['user']['A5'] = trim(mysql_real_escape_string(stripslashes(strip_tags($_REQUEST['A5'])))); - if($_SESSION['_config']['user']['Q1'] == $_SESSION['_config']['user']['Q2'] || - $_SESSION['_config']['user']['Q1'] == $_SESSION['_config']['user']['Q3'] || - $_SESSION['_config']['user']['Q1'] == $_SESSION['_config']['user']['Q4'] || - $_SESSION['_config']['user']['Q1'] == $_SESSION['_config']['user']['Q5'] || - $_SESSION['_config']['user']['Q2'] == $_SESSION['_config']['user']['Q3'] || - $_SESSION['_config']['user']['Q2'] == $_SESSION['_config']['user']['Q4'] || - $_SESSION['_config']['user']['Q2'] == $_SESSION['_config']['user']['Q5'] || - $_SESSION['_config']['user']['Q3'] == $_SESSION['_config']['user']['Q4'] || - $_SESSION['_config']['user']['Q3'] == $_SESSION['_config']['user']['Q5'] || - $_SESSION['_config']['user']['Q4'] == $_SESSION['_config']['user']['Q5'] || - $_SESSION['_config']['user']['A1'] == $_SESSION['_config']['user']['Q1'] || - $_SESSION['_config']['user']['A1'] == $_SESSION['_config']['user']['Q2'] || - $_SESSION['_config']['user']['A1'] == $_SESSION['_config']['user']['Q3'] || - $_SESSION['_config']['user']['A1'] == $_SESSION['_config']['user']['Q4'] || - $_SESSION['_config']['user']['A1'] == $_SESSION['_config']['user']['Q5'] || - $_SESSION['_config']['user']['A2'] == $_SESSION['_config']['user']['Q3'] || - $_SESSION['_config']['user']['A2'] == $_SESSION['_config']['user']['Q4'] || - $_SESSION['_config']['user']['A2'] == $_SESSION['_config']['user']['Q5'] || - $_SESSION['_config']['user']['A3'] == $_SESSION['_config']['user']['Q4'] || - $_SESSION['_config']['user']['A3'] == $_SESSION['_config']['user']['Q5'] || - $_SESSION['_config']['user']['A4'] == $_SESSION['_config']['user']['Q5'] || - $_SESSION['_config']['user']['A1'] == $_SESSION['_config']['user']['A2'] || - $_SESSION['_config']['user']['A1'] == $_SESSION['_config']['user']['A3'] || - $_SESSION['_config']['user']['A1'] == $_SESSION['_config']['user']['A4'] || - $_SESSION['_config']['user']['A1'] == $_SESSION['_config']['user']['A5'] || - $_SESSION['_config']['user']['A2'] == $_SESSION['_config']['user']['A3'] || - $_SESSION['_config']['user']['A2'] == $_SESSION['_config']['user']['A4'] || - $_SESSION['_config']['user']['A2'] == $_SESSION['_config']['user']['A5'] || - $_SESSION['_config']['user']['A3'] == $_SESSION['_config']['user']['A4'] || - $_SESSION['_config']['user']['A3'] == $_SESSION['_config']['user']['A5'] || - $_SESSION['_config']['user']['A4'] == $_SESSION['_config']['user']['A5']) - { - $_SESSION['_config']['errmsg'] .= _("For your own security you must enter 5 different password questions and answers. You aren't allowed to duplicate questions, set questions as answers or use the question as the answer.")."<br>\n"; - $id = $oldid; + if($_SESSION['_config']['user']['Q1'] == $_SESSION['_config']['user']['Q2'] || + $_SESSION['_config']['user']['Q1'] == $_SESSION['_config']['user']['Q3'] || + $_SESSION['_config']['user']['Q1'] == $_SESSION['_config']['user']['Q4'] || + $_SESSION['_config']['user']['Q1'] == $_SESSION['_config']['user']['Q5'] || + $_SESSION['_config']['user']['Q2'] == $_SESSION['_config']['user']['Q3'] || + $_SESSION['_config']['user']['Q2'] == $_SESSION['_config']['user']['Q4'] || + $_SESSION['_config']['user']['Q2'] == $_SESSION['_config']['user']['Q5'] || + $_SESSION['_config']['user']['Q3'] == $_SESSION['_config']['user']['Q4'] || + $_SESSION['_config']['user']['Q3'] == $_SESSION['_config']['user']['Q5'] || + $_SESSION['_config']['user']['Q4'] == $_SESSION['_config']['user']['Q5'] || + $_SESSION['_config']['user']['A1'] == $_SESSION['_config']['user']['Q1'] || + $_SESSION['_config']['user']['A1'] == $_SESSION['_config']['user']['Q2'] || + $_SESSION['_config']['user']['A1'] == $_SESSION['_config']['user']['Q3'] || + $_SESSION['_config']['user']['A1'] == $_SESSION['_config']['user']['Q4'] || + $_SESSION['_config']['user']['A1'] == $_SESSION['_config']['user']['Q5'] || + $_SESSION['_config']['user']['A2'] == $_SESSION['_config']['user']['Q3'] || + $_SESSION['_config']['user']['A2'] == $_SESSION['_config']['user']['Q4'] || + $_SESSION['_config']['user']['A2'] == $_SESSION['_config']['user']['Q5'] || + $_SESSION['_config']['user']['A3'] == $_SESSION['_config']['user']['Q4'] || + $_SESSION['_config']['user']['A3'] == $_SESSION['_config']['user']['Q5'] || + $_SESSION['_config']['user']['A4'] == $_SESSION['_config']['user']['Q5'] || + $_SESSION['_config']['user']['A1'] == $_SESSION['_config']['user']['A2'] || + $_SESSION['_config']['user']['A1'] == $_SESSION['_config']['user']['A3'] || + $_SESSION['_config']['user']['A1'] == $_SESSION['_config']['user']['A4'] || + $_SESSION['_config']['user']['A1'] == $_SESSION['_config']['user']['A5'] || + $_SESSION['_config']['user']['A2'] == $_SESSION['_config']['user']['A3'] || + $_SESSION['_config']['user']['A2'] == $_SESSION['_config']['user']['A4'] || + $_SESSION['_config']['user']['A2'] == $_SESSION['_config']['user']['A5'] || + $_SESSION['_config']['user']['A3'] == $_SESSION['_config']['user']['A4'] || + $_SESSION['_config']['user']['A3'] == $_SESSION['_config']['user']['A5'] || + $_SESSION['_config']['user']['A4'] == $_SESSION['_config']['user']['A5']) + { + $_SESSION['_config']['errmsg'] .= _("For your own security you must enter 5 different password questions and answers. You aren't allowed to duplicate questions, set questions as answers or use the question as the answer.")."<br>\n"; + $id = $oldid; $oldid=0; - } + } if($_SESSION['_config']['user']['Q1'] == "" || $_SESSION['_config']['user']['Q2'] == "" || $_SESSION['_config']['user']['Q3'] == "" || $_SESSION['_config']['user']['Q4'] == "" || @@ -1359,6 +1417,13 @@ } $_SESSION['_config']['name'] = mysql_real_escape_string(stripslashes(trim($_REQUEST['name']))); $_SESSION['_config']['OU'] = mysql_real_escape_string(stripslashes(trim($_REQUEST['OU']))); + + + if(trim($_REQUEST['description']) != ""){ + $_SESSION['_config']['description']= trim(mysql_real_escape_string(stripslashes($_REQUEST['description']))); + }else{ + $_SESSION['_config']['description']= ""; + } } if($oldid == 16 && (intval(count($_SESSION['_config']['emails'])) + 0) <= 0) @@ -1388,6 +1453,12 @@ if($_SESSION['_config']['rootcert'] < 1 || $_SESSION['_config']['rootcert'] > 2) $_SESSION['_config']['rootcert'] = 1; + if(trim($_REQUEST['description']) != ""){ + $_SESSION['_config']['description']= trim(mysql_real_escape_string(stripslashes($_REQUEST['description']))); + }else{ + $_SESSION['_config']['description']= ""; + } + if(@count($_SESSION['_config']['emails']) > 0) $id = 17; } @@ -1434,6 +1505,7 @@ if($_SESSION['_config']['rootcert'] < 1 || $_SESSION['_config']['rootcert'] > 2) $_SESSION['_config']['rootcert'] = 1; + $emails .= "SPKAC = $spkac"; if (($weakKey = checkWeakKeySPKAC($emails)) !== "") { @@ -1450,7 +1522,8 @@ `orgid`='".$org['orgid']."', `created`=FROM_UNIXTIME(UNIX_TIMESTAMP()), `codesign`='".$_SESSION['_config']['codesign']."', - `rootcert`='".$_SESSION['_config']['rootcert']."'"; + `rootcert`='".$_SESSION['_config']['rootcert']."', + `description`='".$_SESSION['_config']['description']."'"; mysql_query($query); $emailid = mysql_insert_id(); @@ -1462,15 +1535,15 @@ fputs($fp, $emails); fclose($fp); $challenge=$_SESSION['spkac_hash']; - $res=`openssl spkac -verify -in $CSRname`; - if(!strstr($res,"Challenge String: ".$challenge)) - { - $id = $oldid; - showheader(_("My CAcert.org Account!")); - echo _("The challenge-response code of your certificate request did not match. Can't continue with certificaterequest."); - showfooter(); - exit; - } + $res=`openssl spkac -verify -in $CSRname`; + if(!strstr($res,"Challenge String: ".$challenge)) + { + $id = $oldid; + showheader(_("My CAcert.org Account!")); + echo _("The challenge-response code of your certificate request did not match. Can't continue with certificaterequest."); + showfooter(); + exit; + } mysql_query("update `orgemailcerts` set `csr_name`='$CSRname' where `id`='$emailid'"); } else if($_REQUEST['keytype'] == "MS" || $_REQUEST['keytype']=="VI") { $csr = "-----BEGIN CERTIFICATE REQUEST-----\n".clean_csr($_REQUEST['CSR'])."-----END CERTIFICATE REQUEST-----\n"; @@ -1540,7 +1613,8 @@ `created`=FROM_UNIXTIME(UNIX_TIMESTAMP()), `subject`='$csrsubject', `codesign`='".$_SESSION['_config']['codesign']."', - `rootcert`='".$_SESSION['_config']['rootcert']."'"; + `rootcert`='".$_SESSION['_config']['rootcert']."', + `description`='".$_SESSION['_config']['description']."'"; mysql_query($query); $emailid = mysql_insert_id(); @@ -1615,7 +1689,8 @@ `created`='".$row['created']."', `modified`=NOW(), `codesign`='".$row['codesign']."', - `rootcert`='".$row['rootcert']."'"; + `rootcert`='".$row['rootcert']."', + `description`='".$row['description']."'"; mysql_query($query); $newid = mysql_insert_id(); $newfile=generatecertpath("csr","orgclient",$newid); @@ -1707,6 +1782,24 @@ exit; } + if($oldid == 18 && array_key_exists('change',$_REQUEST) && $_REQUEST['change'] != "") + { + showheader(_("My CAcert.org Account!")); + foreach($_REQUEST as $id => $val) + { + if(substr($id,0,14)=="check_comment_") + { + $cid = intval(substr($id,14)); + $comment=trim(mysql_real_escape_string(stripslashes($_REQUEST['comment_'.$cid]))); + mysql_query("update `orgemailcerts` set `description`='$comment' where `id`='$cid'"); + } + } + echo(_("Certificate settings have been changed.")."<br/>\n"); + showfooter(); + exit; + } + + if($process != "" && $oldid == 20) { $CSR = clean_csr($_REQUEST['CSR']); @@ -1720,6 +1813,12 @@ exit; } + if(trim($_REQUEST['description']) != ""){ + $_SESSION['_config']['description']= trim(mysql_real_escape_string(stripslashes($_REQUEST['description']))); + }else{ + $_SESSION['_config']['description']= ""; + } + $_SESSION['_config']['tmpfname'] = tempnam("/tmp", "id20CSR"); $fp = fopen($_SESSION['_config']['tmpfname'], "w"); fputs($fp, $CSR); @@ -1795,8 +1894,8 @@ exit; } - if($_SESSION['_config']['rowid']['0'] > 0) - { + if($_SESSION['_config']['rowid']['0'] > 0) + { $query = "select * from `org`,`orginfo` where `orginfo`.`id`='".$_SESSION['_config']['rowid']['0']."' and `orginfo`.`id`=`org`.`orgid` and @@ -1843,25 +1942,27 @@ if($_SESSION['_config']['rootcert'] < 1 || $_SESSION['_config']['rootcert'] > 2) $_SESSION['_config']['rootcert'] = 1; - if($_SESSION['_config']['rowid']['0'] > 0) - { - $query = "insert into `orgdomaincerts` set - `CN`='".$_SESSION['_config']['rows']['0']."', - `orgid`='".$org['id']."', - `created`=NOW(), - `subject`='$csrsubject', - `rootcert`='".$_SESSION['_config']['rootcert']."', - `type`='$type'"; - } else { - $query = "insert into `orgdomaincerts` set - `CN`='".$_SESSION['_config']['altrows']['0']."', - `orgid`='".$org['id']."', - `created`=NOW(), - `subject`='$csrsubject', - `rootcert`='".$_SESSION['_config']['rootcert']."', - `type`='$type'"; - } - mysql_query($query); + if($_SESSION['_config']['rowid']['0'] > 0) + { + $query = "insert into `orgdomaincerts` set + `CN`='".$_SESSION['_config']['rows']['0']."', + `orgid`='".$org['id']."', + `created`=NOW(), + `subject`='$csrsubject', + `rootcert`='".$_SESSION['_config']['rootcert']."', + `type`='$type', + `description`='".$_SESSION['_config']['description']."'"; + } else { + $query = "insert into `orgdomaincerts` set + `CN`='".$_SESSION['_config']['altrows']['0']."', + `orgid`='".$org['id']."', + `created`=NOW(), + `subject`='$csrsubject', + `rootcert`='".$_SESSION['_config']['rootcert']."', + `type`='$type', + `description`='".$_SESSION['_config']['description']."'"; + } + mysql_query($query); $CSRid = mysql_insert_id(); $CSRname=generatecertpath("csr","orgserver",$CSRid); @@ -1935,7 +2036,8 @@ `modified`=NOW(), `subject`='".$row['subject']."', `type`='".$row['type']."', - `rootcert`='".$row['rootcert']."'"; + `rootcert`='".$row['rootcert']."', + `description`='".$row['description']."'"; mysql_query($query); $newid = mysql_insert_id(); //echo "NewID: $newid<br/>\n"; @@ -2036,6 +2138,24 @@ exit; } + if($oldid == 22 && array_key_exists('change',$_REQUEST) && $_REQUEST['change'] != "") + { + showheader(_("My CAcert.org Account!")); + foreach($_REQUEST as $id => $val) + { + if(substr($id,0,14)=="check_comment_") + { + $cid = intval(substr($id,14)); + $comment=trim(mysql_real_escape_string(stripslashes($_REQUEST['comment_'.$cid]))); + mysql_query("update `orgdomaincerts` set `description`='$comment' where `id`='$cid'"); + } + } + echo(_("Certificate settings have been changed.")."<br/>\n"); + showfooter(); + exit; + } + + if(($id == 24 || $oldid == 24 || $id == 25 || $oldid == 25 || $id == 26 || $oldid == 26 || $id == 27 || $oldid == 27 || $id == 28 || $oldid == 28 || $id == 29 || $oldid == 29 || $id == 30 || $oldid == 30 || $id == 31 || $oldid == 31) && @@ -2427,7 +2547,7 @@ } if($oldid == 54 || ($id == 53 && array_key_exists('action',$_REQUEST) && $_REQUEST['action'] != "") || - ($id == 54 && array_key_exists('action',$_REQUEST) && $_REQUEST['action'] != "" && + ($id == 54 && array_key_exists('action',$_REQUEST) && $_REQUEST['action'] != "" && $_REQUEST['action'] != "aliases" && $_REQUEST['action'] != "edit" && $_REQUEST['action'] != "add")) { $id = 53; @@ -2437,7 +2557,7 @@ $locid = intval(array_key_exists('locid',$_REQUEST)?$_REQUEST['locid']:0); $name = array_key_exists('name',$_REQUEST)?mysql_real_escape_string(strip_tags($_REQUEST['name'])):""; $long = array_key_exists('longitude',$_REQUEST)?ereg_replace("[^-0-9\.]","",$_REQUEST['longitude']):""; - $lat = array_key_exists('latitude', $_REQUEST)?ereg_replace("[^-0-9\.]","",$_REQUEST['latitude']):""; + $lat = array_key_exists('latitude', $_REQUEST)?ereg_replace("[^-0-9\.]","",$_REQUEST['latitude']):""; $action = array_key_exists('action',$_REQUEST)?$_REQUEST['action']:""; if($locid > 0 && $action == "edit") @@ -2702,24 +2822,24 @@ mysql_query("update `users` set `tverify`='$ver' where `id`='$memid'"); } - if($id == 43 && array_key_exists('assurer',$_REQUEST) && $_REQUEST['assurer'] > 0) - { - csrf_check('admsetassuret'); - $memid = $_REQUEST['userid'] = intval($_REQUEST['assurer']); - $query = "select * from `users` where `id`='$memid'"; - $row = mysql_fetch_assoc(mysql_query($query)); - $ver = !$row['assurer']; - mysql_query("update `users` set `assurer`='$ver' where `id`='$memid'"); - } - - if($id == 43 && array_key_exists('assurer_blocked',$_REQUEST) && $_REQUEST['assurer_blocked'] > 0) - { - $memid = $_REQUEST['userid'] = intval($_REQUEST['assurer_blocked']); - $query = "select * from `users` where `id`='$memid'"; - $row = mysql_fetch_assoc(mysql_query($query)); - $ver = !$row['assurer_blocked']; - mysql_query("update `users` set `assurer_blocked`='$ver' where `id`='$memid'"); - } + if($id == 43 && array_key_exists('assurer',$_REQUEST) && $_REQUEST['assurer'] > 0) + { + csrf_check('admsetassuret'); + $memid = $_REQUEST['userid'] = intval($_REQUEST['assurer']); + $query = "select * from `users` where `id`='$memid'"; + $row = mysql_fetch_assoc(mysql_query($query)); + $ver = !$row['assurer']; + mysql_query("update `users` set `assurer`='$ver' where `id`='$memid'"); + } + + if($id == 43 && array_key_exists('assurer_blocked',$_REQUEST) && $_REQUEST['assurer_blocked'] > 0) + { + $memid = $_REQUEST['userid'] = intval($_REQUEST['assurer_blocked']); + $query = "select * from `users` where `id`='$memid'"; + $row = mysql_fetch_assoc(mysql_query($query)); + $ver = !$row['assurer_blocked']; + mysql_query("update `users` set `assurer_blocked`='$ver' where `id`='$memid'"); + } if($id == 43 && array_key_exists('locked',$_REQUEST) && $_REQUEST['locked'] > 0) { @@ -2850,7 +2970,13 @@ $_REQUEST['userid'] = intval($_REQUEST['userid']); if (trim($_REQUEST['arbitrationno'])==""){ showheader(_("My CAcert.org Account!")); - echo _("You did not enter an arbitration number."); + echo _("You did not enter an arbitration number entry."); + showfooter(); + exit; + } + if ( 1 !== preg_match('/^[a-z]\d{8}\.\d+\.\d+$/i',trim($_REQUEST['arbitrationno'])) ) { + showheader(_("My CAcert.org Account!")); + echo _("You did not enter an arbitration number entry."); showfooter(); exit; } |