summaryrefslogtreecommitdiff
path: root/includes/account.php
diff options
context:
space:
mode:
Diffstat (limited to 'includes/account.php')
-rw-r--r--includes/account.php210
1 files changed, 96 insertions, 114 deletions
diff --git a/includes/account.php b/includes/account.php
index ce1673a..ec109ae 100644
--- a/includes/account.php
+++ b/includes/account.php
@@ -22,15 +22,71 @@
loadem("account");
- $id = 0; if(array_key_exists("id",$_REQUEST)) $id=intval($_REQUEST['id']);
- $oldid = 0; if(array_key_exists("oldid",$_REQUEST)) $oldid=intval($_REQUEST['oldid']);
- $process = ""; if(array_key_exists("process",$_REQUEST)) $process=$_REQUEST['process'];
+/**
+ * Build a subject string as needed by the signer
+ *
+ * @param array(string) $domains
+ * First domain is used as CN and repeated in subjectAltName. Duplicates
+ * should already been removed
+ *
+ * @param bool $include_xmpp_addr
+ * [default: true] Whether to include the XmppAddr in the subjectAltName.
+ * This is needed if the Jabber server is jabber.example.com but a Jabber ID
+ * on that server would be alice@example.com
+ *
+ * @return string
+ */
+function buildSubject(array $domains, $include_xmpp_addr = true) {
+ $subject = "/CN=${domains[0]}";
+
+ foreach ($domains as $domain) {
+ $subject .= "/subjectAltName=DNS:$domain";
+
+ if ($include_xmpp_addr) {
+ $subject .= "/subjectAltName=otherName:1.3.6.1.5.5.7.8.5;UTF8:$domain";
+ }
+ }
+
+ return $subject;
+}
+
+/**
+ * Builds the subject string from the session variables
+ * $_SESSION['_config']['rows'] and $_SESSION['_config']['altrows']
+ *
+ * @return string
+ */
+function buildSubjectFromSession() {
+ $domains = array();
+
+ if (is_array($_SESSION['_config']['rows'])) {
+ $domains = array_merge($domains, $_SESSION['_config']['rows']);
+ }
+
+ if (is_array($_SESSION['_config']['altrows']))
+ foreach ($_SESSION['_config']['altrows'] as $row) {
+ if (substr($row, 0, 4) === "DNS:") {
+ $domains[] = substr($row, 4);
+ }
+ }
+
+ return buildSubject(array_unique($domains));
+}
+
+ $id = array_key_exists("id",$_REQUEST) ? intval($_REQUEST['id']) : 0;
+ $oldid = array_key_exists("oldid",$_REQUEST) ? intval($_REQUEST['oldid']) : 0;
+ $process = array_key_exists("process",$_REQUEST) ? $_REQUEST['process'] : "";
+// $showdetalis refers to Secret Question and Answers from account/13.php
+ $showdetails = array_key_exists("showdetails",$_REQUEST) ? intval($_REQUEST['showdetails']) : 0;
+
+ $cert = array_key_exists('cert',$_REQUEST) ? intval($_REQUEST['cert']) : 0;
+ $orgid = array_key_exists('orgid',$_REQUEST) ? intval($_REQUEST['orgid']) : 0;
+ $memid = array_key_exists('memid',$_REQUEST) ? intval($_REQUEST['memid']) : 0;
+ $domid = array_key_exists('domid',$_REQUEST) ? intval($_REQUEST['domid']) : 0;
+ $ticketno = array_key_exists('ticketno',$_REQUEST) ? $_REQUEST['ticketno'] : "";
+ $ticketvalidation = FALSE;
+ $actionrequest = array_key_exists('action',$_REQUEST) ? $_REQUEST['action'] : "";
- $cert=0; if(array_key_exists('cert',$_REQUEST)) $cert=intval($_REQUEST['cert']);
- $orgid=0; if(array_key_exists('orgid',$_REQUEST)) $orgid=intval($_REQUEST['orgid']);
- $memid=0; if(array_key_exists('memid',$_REQUEST)) $memid=intval($_REQUEST['memid']);
- $domid=0; if(array_key_exists('domid',$_REQUEST)) $domid=intval($_REQUEST['domid']);
- $ticketno=""; if(array_key_exists('ticketno',$_REQUEST)) $ticketno=$_REQUEST['ticketno'];
if(!$_SESSION['mconn'])
{
@@ -739,35 +795,8 @@
exit;
}
- $subject = "";
- $count = 0;
- $supressSAN=0;
- if($_SESSION["profile"]["id"] == 104074) $supressSAN=1;
+ $subject = buildSubjectFromSession();
- if(is_array($_SESSION['_config']['rows']))
- foreach($_SESSION['_config']['rows'] as $row)
- {
- $count++;
- if($count <= 1)
- {
- $subject .= "/CN=$row";
- if(!$supressSAN) $subject .= "/subjectAltName=DNS:$row";
- if(!$supressSAN) $subject .= "/subjectAltName=otherName:1.3.6.1.5.5.7.8.5;UTF8:$row";
- } else {
- if(!$supressSAN) $subject .= "/subjectAltName=DNS:$row";
- if(!$supressSAN) $subject .= "/subjectAltName=otherName:1.3.6.1.5.5.7.8.5;UTF8:$row";
- }
- }
- if(is_array($_SESSION['_config']['altrows']))
- foreach($_SESSION['_config']['altrows'] as $row)
- {
- if(substr($row, 0, 4) == "DNS:")
- {
- $row = substr($row, 4);
- if(!$supressSAN) $subject .= "/subjectAltName=DNS:$row";
- if(!$supressSAN) $subject .= "/subjectAltName=otherName:1.3.6.1.5.5.7.8.5;UTF8:$row";
- }
- }
if($_SESSION['_config']['rootcert'] < 1 || $_SESSION['_config']['rootcert'] > 2)
$_SESSION['_config']['rootcert'] = 1;
@@ -793,7 +822,6 @@
echo _("Domain not verified.");
showfooter();
exit;
-
}
mysql_query($query);
@@ -892,29 +920,7 @@
continue;
}
- $subject = "";
- $count = 0;
- if(is_array($_SESSION['_config']['rows']))
- foreach($_SESSION['_config']['rows'] as $row)
- {
- $count++;
- if($count <= 1)
- {
- $subject .= "/CN=$row";
- if(!strstr($subject, "=$row/") &&
- substr($subject, -strlen("=$row")) != "=$row")
- $subject .= "/subjectAltName=$row";
- } else {
- if(!strstr($subject, "=$row/") &&
- substr($subject, -strlen("=$row")) != "=$row")
- $subject .= "/subjectAltName=$row";
- }
- }
- if(is_array($_SESSION['_config']['altrows']))
- foreach($_SESSION['_config']['altrows'] as $row)
- if(!strstr($subject, "=$row/") &&
- substr($subject, -strlen("=$row")) != "=$row")
- $subject .= "/subjectAltName=$row";
+ $subject = buildSubjectFromSession();
$subject = mysql_real_escape_string($subject);
mysql_query("update `domaincerts` set `subject`='$subject',`csr_name`='$newfile' where `id`='$newid'");
@@ -936,6 +942,7 @@
{
echo _("You did not select any certificates for renewal.");
}
+
showfooter();
exit;
}
@@ -1187,25 +1194,7 @@
exit;
}
-
- if($oldid == 6 && $_REQUEST['certid'] != "")
- {
- if(trim($_REQUEST['description']) != ""){
- $description= trim(mysql_real_escape_string(stripslashes($_REQUEST['description'])));
- }else{
- $description= "";
- }
-
- if(trim($_REQUEST['disablelogin']) == "1"){
- $disablelogin = 1;
- }else{
- $disablelogin = 0;
- }
-
- mysql_query("update `emailcerts` set `disablelogin`='$disablelogin', `description`='$description' where `id`='".$_REQUEST['certid']."' and `memid`='".$_SESSION['profile']['id']."'");
- }
-
- if($oldid == 13 && $process != "")
+ if($oldid == 13 && $process != "" && $showdetails!="")
{
csrf_check("perschange");
$_SESSION['_config']['user'] = $_SESSION['profile'];
@@ -1270,7 +1259,7 @@
if($oldid == 13 && $process != "")
{
- $ddquery = "select sum(`points`) as `total` from `notary` where `to`='".$_SESSION['profile']['id']."' group by `to`";
+ $ddquery = "select sum(`points`) as `total` from `notary` where `to`='".$_SESSION['profile']['id']."' and `deleted`=0 group by `to`";
$ddres = mysql_query($ddquery);
$ddrow = mysql_fetch_assoc($ddres);
$_SESSION['profile']['points'] = $ddrow['total'];
@@ -1313,18 +1302,20 @@
where `id`='".$_SESSION['profile']['id']."'";
mysql_query($query);
}
- $query = "update `users` set `Q1`='".$_SESSION['_config']['user']['Q1']."',
- `Q2`='".$_SESSION['_config']['user']['Q2']."',
- `Q3`='".$_SESSION['_config']['user']['Q3']."',
- `Q4`='".$_SESSION['_config']['user']['Q4']."',
- `Q5`='".$_SESSION['_config']['user']['Q5']."',
- `A1`='".$_SESSION['_config']['user']['A1']."',
- `A2`='".$_SESSION['_config']['user']['A2']."',
- `A3`='".$_SESSION['_config']['user']['A3']."',
- `A4`='".$_SESSION['_config']['user']['A4']."',
- `A5`='".$_SESSION['_config']['user']['A5']."'
- where `id`='".$_SESSION['profile']['id']."'";
- mysql_query($query);
+ if ($showdetails!="") {
+ $query = "update `users` set `Q1`='".$_SESSION['_config']['user']['Q1']."',
+ `Q2`='".$_SESSION['_config']['user']['Q2']."',
+ `Q3`='".$_SESSION['_config']['user']['Q3']."',
+ `Q4`='".$_SESSION['_config']['user']['Q4']."',
+ `Q5`='".$_SESSION['_config']['user']['Q5']."',
+ `A1`='".$_SESSION['_config']['user']['A1']."',
+ `A2`='".$_SESSION['_config']['user']['A2']."',
+ `A3`='".$_SESSION['_config']['user']['A3']."',
+ `A4`='".$_SESSION['_config']['user']['A4']."',
+ `A5`='".$_SESSION['_config']['user']['A5']."'
+ where `id`='".$_SESSION['profile']['id']."'";
+ mysql_query($query);
+ }
//!!!Should be rewritten
$_SESSION['_config']['user']['otphash'] = trim(mysql_real_escape_string(stripslashes(strip_tags($_REQUEST['otphash']))));
@@ -1340,7 +1331,7 @@
$_SESSION['profile'] = mysql_fetch_assoc(mysql_query("select * from `users` where `id`='".$_SESSION['profile']['id']."'"));
$_SESSION['profile']['loggedin'] = 1;
- $ddquery = "select sum(`points`) as `total` from `notary` where `to`='".$_SESSION['profile']['id']."' group by `to`";
+ $ddquery = "select sum(`points`) as `total` from `notary` where `to`='".$_SESSION['profile']['id']."' and `deleted`=0 group by `to`";
$ddres = mysql_query($ddquery);
$ddrow = mysql_fetch_assoc($ddres);
$_SESSION['profile']['points'] = $ddrow['total'];
@@ -1459,7 +1450,6 @@
if($oldid == 16 && $process != "")
{
-
if(array_key_exists('codesign',$_REQUEST) && $_REQUEST['codesign'] && $_SESSION['profile']['codesign'] && ($_SESSION['profile']['points'] >= 100))
{
$_REQUEST['codesign'] = 1;
@@ -1962,20 +1952,7 @@
//if($org['contact'])
// $csrsubject .= "/emailAddress=".trim($org['contact']);
- if(is_array($_SESSION['_config']['rows']))
- foreach($_SESSION['_config']['rows'] as $row)
- $csrsubject .= "/commonName=$row";
- $SAN="";
- if(is_array($_SESSION['_config']['altrows']))
- foreach($_SESSION['_config']['altrows'] as $subalt)
- {
- if($SAN != "")
- $SAN .= ",";
- $SAN .= "$subalt";
- }
-
- if($SAN != "")
- $csrsubject .= "/subjectAltName=".$SAN;
+ $csrsubject .= buildSubjectFromSession();
$type="";
if($_REQUEST["ocspcert"]!="" && $_SESSION['profile']['admin'] == 1) $type="8";
@@ -2701,8 +2678,7 @@
}
//check if ticket number was entered
- if ( $id == 43 || $oldid == 43 || $id == 44 || $oldid == 44) {
- $ticketvalidation = FALSE;
+ if ( $id == 43 || $oldid == 43 || $id == 44 || $oldid == 44 ) {
if ($ticketno != "" ) {
$ticketno = mysql_real_escape_string(trim($_REQUEST['ticketno']));
$ticketvalidation = valid_ticket_number($ticketno);
@@ -2711,7 +2687,7 @@
$_SESSION['ticketno'] = $ticketno;
}
- if($oldid == 43 && $_REQUEST['action'] == "updatedob" && $ticketvalidation == TRUE)
+ if($oldid == 43 && $actionrequest == "updatedob" && $ticketvalidation == TRUE)
{
$id = 43;
$oldid=0;
@@ -2726,19 +2702,19 @@
$query = "update `users` set `fname`='$fname',`mname`='$mname',`lname`='$lname',`suffix`='$suffix',`dob`='$year-$month-$day' where `id`='$userid'";
mysql_query($query);
write_se_log($userid, $_SESSION['profile']['id'],'SE Name/DOB Change',$ticketno);
- }elseif($oldid == 43 && $_REQUEST['action'] == "updatedob" && $ticketvalidation == FALSE){
+ }elseif($oldid == 43 && $actionrequest == "updatedob" && $ticketvalidation == FALSE){
$id = 43;
$oldid=0;
$_SESSION['ticketmsg']='No action (name/dob change) taken. Ticket number is missing!';
}
- if($oldid == 43 && $_REQUEST['action'] == 'revokecert' && $ticketvalidation==TRUE)
+ if($oldid == 43 && $actionrequest == 'revokecert' && $ticketvalidation == TRUE)
{
$userid = intval($_REQUEST['userid']);
revoke_all_private_cert($userid);
write_se_log($userid, $_SESSION['profile']['id'], 'SE Revoke all certificates',$ticketno);
$id=43;
- }elseif($oldid == 43 && $_REQUEST['action'] == "revokecert" && $ticketvalidation == FALSE){
+ }elseif($oldid == 43 && $actionrequest == "revokecert" && $ticketvalidation == FALSE){
$id = 43;
$oldid=0;
$_SESSION['ticketmsg']='No certificates revokes. Ticket number is missing!';
@@ -2789,6 +2765,7 @@
"support@cacert.org", "", "", "CAcert Support");
write_se_log(intval($_REQUEST['userid']), $_SESSION['profile']['id'],'SE reset password',$ticketno);
}
+
showfooter();
exit;
}elseif($oldid == 44 && $ticketvalidation == FALSE){
@@ -3102,18 +3079,21 @@
if (trim($_REQUEST['arbitrationno'])==""){
showheader(_("My CAcert.org Account!"));
echo _("You did not enter an arbitration number entry.");
+ printf('<br/><a href="account.php?id=43&amp;userid=' . $_REQUEST['userid'] . '">' . _('Back to previous page.') .'</a>');
showfooter();
exit;
}
if ( 1 !== preg_match('/^[a-z]\d{8}\.\d+\.\d+$/i',trim($_REQUEST['arbitrationno'])) ) {
showheader(_("My CAcert.org Account!"));
printf(_("'%s' is not a valid arbitration number entry."), sanitizeHTML(trim($_REQUEST['arbitrationno'])));
+ printf('<br/><a href="account.php?id=43&amp;userid=' . $_REQUEST['userid'] . '">' . _('Back to previous page.') .'</a>');
showfooter();
exit;
}
if (check_email_exists(trim($_REQUEST['arbitrationno']).'@cacert.org')) {
showheader(_("My CAcert.org Account!"));
printf(_("The email address '%s' is already in a different account. Can't continue."), sanitizeHTML($_REQUEST['arbitrationno'].'@cacert.org'));
+ printf('<br/><a href="account.php?id=43&amp;userid=' . $_REQUEST['userid'] . '">' . _('Back to previous page.') .'</a>');
showfooter();
exit;
}
@@ -3122,12 +3102,14 @@
check_gpg_cert_running($_REQUEST['userid'],1)) {
showheader(_("My CAcert.org Account!"));
printf(_("The CCA retention time for at least one certificate is not over. Can't continue."));
+ printf('<br/><a href="account.php?id=43&amp;userid=' . $_REQUEST['userid'] . '">' . _('Back to previous page.') .'</a>');
showfooter();
exit;
}
if (check_is_orgadmin($_REQUEST['userid'],1)) {
showheader(_("My CAcert.org Account!"));
printf(_("The user is listed as Organisation Administrator. Can't continue."));
+ printf('<br/><a href="account.php?id=43&amp;userid=' . $_REQUEST['userid'] . '">' . _('Back to previous page.') .'</a>');
showfooter();
exit;
}