summaryrefslogtreecommitdiff
path: root/www/index.php
diff options
context:
space:
mode:
Diffstat (limited to 'www/index.php')
-rw-r--r--www/index.php196
1 files changed, 45 insertions, 151 deletions
diff --git a/www/index.php b/www/index.php
index 161dadd..8c5560c 100644
--- a/www/index.php
+++ b/www/index.php
@@ -27,7 +27,6 @@ require_once('../includes/notary.inc.php');
$id = 0;
$_SESSION['_config']['errmsg'] = "";
- $ccatest=0;
if($id == 17 || $id == 20)
{
@@ -161,21 +160,12 @@ require_once('../includes/notary.inc.php');
$_SESSION['profile'] = mysql_fetch_assoc(mysql_query(
"select * from `users` where
`id`='$user_id' and `deleted`=0 and `locked`=0"));
- $ccatest=get_user_agreement_status($user_id,'CCA');
if($_SESSION['profile']['id'] != 0)
{
- $cca=get_last_user_agreement($user_id);
- echo '###0###'.$cca['active'];
- if (!isset($cca['active'])){
- $id=52;
- $ccatest=TRUE;
- }else{
- $_SESSION['profile']['loggedin'] = 1;
- header('location: https://'.$_SERVER['HTTP_HOST'].'/account.php');
- echo '###1###'.$cca['active'];
- exit;
- }
+ $_SESSION['profile']['loggedin'] = 1;
+ header("location: https://".$_SERVER['HTTP_HOST']."/account.php");
+ exit;
} else {
$_SESSION['profile']['loggedin'] = 0;
}
@@ -186,77 +176,9 @@ require_once('../includes/notary.inc.php');
if($id == 4 && array_key_exists('profile',$_SESSION) && array_key_exists('loggedin',array($_SESSION['profile'])) && $_SESSION['profile']['loggedin'] == 1)
{
header("location: https://".$_SERVER['HTTP_HOST']."/account.php");
- echo '###2###'.$cca['active'];
exit;
}
- function getOTP64($otp)
- {
- $lookupChar = "123456789abcdefhkmnprstuvwxyzABCDEFGHKMNPQRSTUVWXYZ=+[]&@#*!-?%:";
-
- for($i = 0; $i < 6; $i++)
- $val[$i] = hexdec(substr($otp, $i * 2, 2));
-
- $tmp1 = $val[0] >> 2;
- $OTP = $lookupChar[$tmp1 & 63];
- $tmp2 = $val[0] - ($tmp1 << 2);
- $tmp1 = $val[1] >> 4;
- $OTP .= $lookupChar[($tmp1 + $tmp2) & 63];
- $tmp2 = $val[1] - ($tmp1 << 4);
- $tmp1 = $val[2] >> 6;
- $OTP .= $lookupChar[($tmp1 + $tmp2) & 63];
- $tmp2 = $val[2] - ($tmp1 << 6);
- $OTP .= $lookupChar[$tmp2 & 63];
- $tmp1 = $val[3] >> 2;
- $OTP .= $lookupChar[$tmp1 & 63];
- $tmp2 = $val[3] - ($tmp1 << 2);
- $tmp1 = $val[4] >> 4;
- $OTP .= $lookupChar[($tmp1 + $tmp2) & 63];
- $tmp2 = $val[4] - ($tmp1 << 4);
- $tmp1 = $val[5] >> 6;
- $OTP .= $lookupChar[($tmp1 + $tmp2) & 63];
- $tmp2 = $val[5] - ($tmp1 << 6);
- $OTP .= $lookupChar[$tmp2 & 63];
-
- return $OTP;
- }
-
- function getOTP32($otp)
- {
- $lookupChar = "0123456789abcdefghkmnoprstuvwxyz";
-
- for($i = 0; $i < 7; $i++)
- $val[$i] = hexdec(substr($otp, $i * 2, 2));
-
- $tmp1 = $val[0] >> 3;
- $OTP = $lookupChar[$tmp1 & 31];
- $tmp2 = $val[0] - ($tmp1 << 3);
- $tmp1 = $val[1] >> 6;
- $OTP .= $lookupChar[($tmp1 + $tmp2) & 31];
- $tmp2 = ($val[1] - ($tmp1 << 6)) >> 1;
- $OTP .= $lookupChar[$tmp2 & 31];
- $tmp2 = $val[1] - (($val[1] >> 1) << 1);
- $tmp1 = $val[2] >> 4;
- $OTP .= $lookupChar[($tmp1 + $tmp2) & 31];
- $tmp2 = $val[2] - ($tmp1 << 4);
- $tmp1 = $val[3] >> 7;
- $OTP .= $lookupChar[($tmp1 + $tmp2) & 31];
- $tmp2 = ($val[3] - ($tmp1 << 7)) >> 2;
- $OTP .= $lookupChar[$tmp2 & 31];
- $tmp2 = $val[3] - (($val[3] - ($tmp1 << 7)) >> 2) << 2;
- $tmp1 = $val[4] >> 5;
- $OTP .= $lookupChar[($tmp1 + $tmp2) & 31];
- $tmp2 = $val[4] - ($tmp1 << 5);
- $OTP .= $lookupChar[$tmp2 & 31];
- $tmp1 = $val[5] >> 3;
- $OTP .= $lookupChar[$tmp1 & 31];
- $tmp2 = $val[5] - ($tmp1 << 3);
- $tmp1 = $val[6] >> 6;
- $OTP .= $lookupChar[($tmp1 + $tmp2) & 31];
-
- return $OTP;
- }
-
if($oldid == 4)
{
$oldid = 0;
@@ -269,70 +191,26 @@ require_once('../includes/notary.inc.php');
$query = "select * from `users` where `email`='$email' and (`password`=old_password('$pword') or `password`=sha1('$pword') or
`password`=password('$pword')) and `verified`=1 and `deleted`=0 and `locked`=0";
$res = mysql_query($query);
- if(mysql_num_rows($res) <= 0)
- {
- $otpquery = "select * from `users` where `email`='$email' and `otphash`!='' and `verified`=1 and `deleted`=0 and `locked`=0";
- $otpres = mysql_query($otpquery);
- if(mysql_num_rows($otpres) > 0)
- {
- $otp = mysql_fetch_assoc($otpres);
- $otphash = $otp['otphash'];
- $otppin = $otp['otppin'];
- if(strlen($pword) == 6)
- {
- $matchperiod = 18;
- $time = round(gmdate("U") / 10);
- } else {
- $matchperiod = 3;
- $time = round(gmdate("U") / 60);
- }
-
- $query = "delete from `otphashes` where UNIX_TIMESTAMP(`when`) <= UNIX_TIMESTAMP(NOW()) - 600";
- mysql_query($query);
-
- $query = "select * from `otphashes` where `username`='$email' and `otp`='$pword'";
- if(mysql_num_rows(mysql_query($query)) <= 0)
- {
- $query = "insert into `otphashes` set `when`=NOW(), `username`='$email', `otp`='$pword'";
- mysql_query($query);
- for($i = $time - $matchperiod; $i <= $time + $matchperiod * 2; $i++)
- {
- if($otppin > 0)
- $tmpmd5 = md5("$i$otphash$otppin");
- else
- $tmpmd5 = md5("$i$otphash");
-
- if(strlen($pword) == 6)
- $md5 = substr(md5("$i$otphash"), 0, 6);
- else if(strlen($pword) == 8)
- $md5 = getOTP64(md5("$i$otphash"));
- else
- $md5 = getOTP32(md5("$i$otphash"));
-
- if($pword == $md5)
- $res = mysql_query($otpquery);
- }
- }
- }
- }
- if(mysql_num_rows($res) > 0)
+ $query = "SELECT 1 FROM `users` WHERE `email`='$email' and (UNIX_TIMESTAMP(`lastLoginAttempt`) < UNIX_TIMESTAMP(CURRENT_TIMESTAMP) - 5 or `lastLoginAttempt` is NULL)" ;
+ $rateLimit = mysql_num_rows(mysql_query($query)) > 0;
+ if(mysql_num_rows($res) > 0 && $rateLimit)
{
$_SESSION['profile'] = "";
unset($_SESSION['profile']);
$_SESSION['profile'] = mysql_fetch_assoc($res);
- $query = "update `users` set `modified`=NOW(), `password`=sha1('$pword') where `id`='".$_SESSION['profile']['id']."'";
+ $query = "update `users` set `modified`=NOW(), `password`=sha1('$pword') where `id`='".intval($_SESSION['profile']['id'])."'";
mysql_query($query);
if($_SESSION['profile']['language'] == "")
{
$query = "update `users` set `language`='".L10n::get_translation()."'
- where `id`='".$_SESSION['profile']['id']."'";
+ where `id`='".intval($_SESSION['profile']['id'])."'";
mysql_query($query);
} else {
L10n::set_translation($_SESSION['profile']['language']);
L10n::init_gettext();
}
- $query = "select sum(`points`) as `total` from `notary` where `to`='".$_SESSION['profile']['id']."' group by `to`";
+ $query = "select sum(`points`) as `total` from `notary` where `to`='".intval($_SESSION['profile']['id'])."' and `deleted`=0 group by `to`";
$res = mysql_query($query);
$row = mysql_fetch_assoc($res);
$_SESSION['profile']['points'] = $row['total'];
@@ -344,46 +222,63 @@ require_once('../includes/notary.inc.php');
$_SESSION['_config']['errmsg'] .= _("For your own security you must enter 5 lost password questions and answers.")."<br>";
$_SESSION['_config']['oldlocation'] = "account.php?id=13";
}
+ if (!isset($_SESSION['_config']['oldlocation'])){
+ $_SESSION['_config']['oldlocation']='';
+ }
if (checkpwlight($pword) < 3)
$_SESSION['_config']['oldlocation'] = "account.php?id=14&force=1";
- $ccatest=get_user_agreement_status($_SESSION['profile']['id'],'CCA');
if($_SESSION['_config']['oldlocation'] != ""){
header("location: https://".$_SERVER['HTTP_HOST']."/".$_SESSION['_config']['oldlocation']);
}else{
- if (0==$ccatest) {
- $id=52;
- header("location: https://".$_SERVER['HTTP_HOST']."/index.php?id=52");
- }else{
- header("location: https://".$_SERVER['HTTP_HOST']."/account.php");
- }
+ header("location: https://".$_SERVER['HTTP_HOST']."/account.php");
}
exit;
+ } else if($rateLimit){
+ $query = "update `users` set `lastLoginAttempt`=CURRENT_TIMESTAMP WHERE `email`='$email'";
+ mysql_query($query);
}
$query = "select * from `users` where `email`='$email' and (`password`=old_password('$pword') or `password`=sha1('$pword') or
`password`=password('$pword')) and `verified`=0 and `deleted`=0";
$res = mysql_query($query);
- if(mysql_num_rows($res) <= 0)
- {
- $_SESSION['_config']['errmsg'] = _("Incorrect email address and/or Pass Phrase.");
+ if(!$rateLimit || mysql_num_rows($res) <= 0) {
+ $_SESSION['_config']['errmsg'] = _("Login failed due to incorrect email address, wrong passphrase or because the rate limit of one login per 5 seconds was hit.");
} else {
$_SESSION['_config']['errmsg'] = _("Your account has not been verified yet, please check your email account for the signup messages.");
}
}
// check for CCA acceptance prior to login
-if ($id == 52 )
+if ($oldid == 52 )
{
- $ccatest=get_user_agreement_status($_SESSION['profile']['id'],'CCA');
- $agree = ""; if(array_key_exists('agree',$_REQUEST)) $agree=$_REQUEST['agree'];
- if (!$agree) {
- $_SESSION['profile']['loggedin'] = 0;
- }else{
- write_user_agreement($memid, "CCA", "Login acception", "", 1);
- $_SESSION['profile']['loggedin'] = 1;
- header("location: https://".$_SERVER['HTTP_HOST']."/account.php");
+ // Check if the user is already authenticated
+ if (!array_key_exists('profile',$_SESSION)
+ || !array_key_exists('loggedin',$_SESSION['profile'])
+ || $_SESSION['profile']['loggedin'] != 1)
+ {
+ header("Location: https://{$_SERVER['HTTP_HOST']}/index.php?id=4");
exit;
}
+
+ if (array_key_exists('agree',$_REQUEST) && $_REQUEST['agree'] != "")
+ {
+ write_user_agreement($_SESSION['profile']['id'], "CCA", "Login acception", "", 1);
+ $_SESSION['profile']['ccaagreement']=get_user_agreement_status($_SESSION['profile']['id'],'CCA');
+
+ if (array_key_exists("oldlocation",$_SESSION['_config'])
+ && $_SESSION['_config']['oldlocation']!="")
+ {
+ header("Location: https://{$_SERVER['HTTP_HOST']}/{$_SESSION['_config']['oldlocation']}");
+ exit;
+ } else {
+ header("Location: https://{$_SERVER['HTTP_HOST']}/account.php");
+ exit;
+ }
+ }
+
+ // User didn't agree
+ header("Location: https://{$_SERVER['HTTP_HOST']}/index.php?id=4");
+ exit;
}
@@ -691,7 +586,6 @@ if ($id == 52 )
header('Location: '.$newUrl, true, 301); // 301 = Permanently Moved
}
-
showheader(_("Welcome to CAcert.org"));
includeit($id);
showfooter();