From 913751a5124106c879804adbc928ff766dcae0ad Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20D=C3=B6rre?=
Date: Sun, 23 Nov 2014 01:52:27 +0100
Subject: bug-1341: add the db_migration script for the new column
---
 scripts/db_migrations/version6.sh | 70 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 70 insertions(+)
 create mode 100755 scripts/db_migrations/version6.sh
diff --git a/scripts/db_migrations/version6.sh b/scripts/db_migrations/version6.sh
new file mode 100755
index 0000000..dcba365
--- /dev/null
+++ b/scripts/db_migrations/version6.sh
@@ -0,0 +1,70 @@
+#!/bin/sh
+# LibreSSL - CAcert web application
+# Copyright (C) 2004-2011 CAcert Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+
+
+# script to do database migrations
+
+set -e # script fails if any command fails
+
+STDIN=0
+STDOUT=1
+STDERR=2
+
+if [ "$1" = "--help" ]; then
+ cat >&$STDERR <<- USAGE
+ Usage: $0 [MYSQL_OPTIONS]
+ You have to specify all options needed by "mysql" as if you had started
+ the MySQL command line client directly (including the name of the
+ database to operate on). The MySQL user used has to have enough
+ privileges to do all necessary operations (among others CREATE, ALTER,
+ DROP, UPDATE, INSERT, DELETE).
+ You might need to enter the mysql password multiple times if you
+ specify the -p option.
+ USAGE
+ exit 1
+fi
+
+mysql_opt=" --batch --skip-column-names $@"
+
+schema_version=$( mysql $mysql_opt <<- 'SQL'
+
+ SELECT MAX(`version`) FROM `schema_version`;
+SQL
+)
+if [ $schema_version != 5 ]; then
+ cat >&$STDERR <<- ERROR
+ Error: database schema is not in the right version to do the migration!
+ Expected version: 5
+ ERROR
+ exit 2
+fi
+
+mysql $mysql_opt <<- 'SQL'
+ALTER TABLE `users` ADD `lastLoginAttempt` DATETIME NULL;
+system echo "added user column"
+
+ -- Update schema version number
+ INSERT INTO `schema_version`
+ (`version`, `when`) VALUES
+ ('6' , NOW() );
+SQL
+
+
+echo "Database successfully migrated to version 6"
+exit 0
+
-- cgit v1.2.1
From 85b24e6a28ed5cf2534a7d5a6039d5560c7f3dbf Mon Sep 17 00:00:00 2001
From: Benny Baumann
Date: Wed, 3 Dec 2014 00:37:54 +0100
Subject: bug-1341: Restrict to 1 login per 5 seconds
---
 www/index.php | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/www/index.php b/www/index.php
index e6fc06a..2247b68 100644
--- a/www/index.php
+++ b/www/index.php
@@ -191,7 +191,9 @@ require_once('../includes/notary.inc.php');
 $query = "select * from `users` where `email`='$email' and (`password`=old_password('$pword') or `password`=sha1('$pword') or `password`=password('$pword')) and `verified`=1 and `deleted`=0 and `locked`=0";
 $res = mysql_query($query);
- if(mysql_num_rows($res) > 0)
+ $query = "SELECT 1 FROM `users` WHERE `email`='$email' and (UNIX_TIMESTAMP(`lastLoginAttempt`) < UNIX_TIMESTAMP(CURRENT_TIMESTAMP) - 5 or `lastLoginAttempt` is NULL)" ;
+ $rateLimit = mysql_num_rows(mysql_query($query)) > 0;
+ if(mysql_num_rows($res) > 0 && $rateLimit)
 {
 $_SESSION['profile'] = "";
 unset($_SESSION['profile']);
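Review bot: `if [ $schema_version != 5 ]; then` leaves the command substitution unquoted, so should the version query print nothing, `[` sees a missing operand and the script dies with a test syntax error instead of the intended "wrong version" message; write `if [ "$schema_version" != 5 ]; then`. `mysql_opt=" --batch --skip-column-names $@"` followed by the unquoted `mysql $mysql_opt` re-splits the caller's MySQL options on whitespace, so any option value containing a space (a socket path, a password) reaches the client in pieces; invoking `mysql --batch --skip-column-names "$@"` at both call sites keeps each argument intact. Because `set -e` is in force, a non-zero exit of the version query should already abort the script before the comparison, which is worth a one-line comment above `schema_version=$(` so the absence of an explicit check there is not read as an oversight.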
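Review bot: The new `SELECT 1 FROM` rate-limit query builds its SQL by interpolating `$email`, the same pattern as the credential query above it; whether `$email` has been escaped before this point is outside the hunk, so if it has not, both statements need `mysql_real_escape_string()` and this change should not add a second unescaped use. `$rateLimit = mysql_num_rows(mysql_query($query)) > 0;` also folds a failed query into "rate limited" (`mysql_num_rows(false)` is not greater than 0), which fails closed but surfaces a database error to the user as a rate-limit message; testing the query result before calling `mysql_num_rows()` and logging `mysql_error()` in that branch keeps the two cases apart. The enclosing login handler starts before this hunk.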
@@ -231,13 +233,17 @@ require_once('../includes/notary.inc.php');
 header("location: https://".$_SERVER['HTTP_HOST']."/account.php");
 }
 exit;
+ } else if($rateLimit){
+ $query = "update `users` set `lastLoginAttempt`=CURRENT_TIMESTAMP WHERE `email`='$email'";
+ mysql_query($query);
 }
 $query = "select * from `users` where `email`='$email' and (`password`=old_password('$pword') or `password`=sha1('$pword') or `password`=password('$pword')) and `verified`=0 and `deleted`=0";
 $res = mysql_query($query);
- if(mysql_num_rows($res) <= 0)
- {
+ if(!$rateLimit) {
+ $_SESSION['_config']['errmsg'] = _("You hit the login rate limit of 1 login per 5 seconds.");
+ } else if(mysql_num_rows($res) <= 0) {
 $_SESSION['_config']['errmsg'] = _("Incorrect email address and/or Pass Phrase.");
 } else {
 $_SESSION['_config']['errmsg'] = _("Your account has not been verified yet, please check your email account for the signup messages.");
-- cgit v1.2.1
From 0e14ede2f690be0df938ef2e98b974f60882612f Mon Sep 17 00:00:00 2001
From: Benny Baumann
Date: Wed, 11 Mar 2015 23:28:11 +0100
Subject: bug 1341: Avoid a privacy issue leaking information if an account exists.
---
 www/index.php | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/www/index.php b/www/index.php
index 2247b68..8c5560c 100644
--- a/www/index.php
+++ b/www/index.php
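Review bot: The limiter is a check-then-act sequence: the `SELECT 1` test earlier in the file and the `update `users` set `lastLoginAttempt`=CURRENT_TIMESTAMP` added here are separate statements, so several requests for the same address arriving inside the 5-second window can all pass the check before any of them stamps the row, and each gets a full credential check. A single conditional update (`UPDATE users SET lastLoginAttempt=CURRENT_TIMESTAMP WHERE email='...' AND (lastLoginAttempt IS NULL OR lastLoginAttempt < CURRENT_TIMESTAMP - INTERVAL 5 SECOND)`, with `$rateLimit = mysql_affected_rows() > 0;`) placed before the password query makes the decision atomic at the row level. As written the stamp is only set on the failed-login path (`else if($rateLimit)`), so a successful login never refreshes it; if that is intended, a comment saying so would help, since the error text promises "1 login per 5 seconds". The enclosing login handler starts and ends outside this hunk.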
@@ -241,10 +241,8 @@ require_once('../includes/notary.inc.php');
 $query = "select * from `users` where `email`='$email' and (`password`=old_password('$pword') or `password`=sha1('$pword') or `password`=password('$pword')) and `verified`=0 and `deleted`=0";
 $res = mysql_query($query);
- if(!$rateLimit) {
- $_SESSION['_config']['errmsg'] = _("You hit the login rate limit of 1 login per 5 seconds.");
- } else if(mysql_num_rows($res) <= 0) {
- $_SESSION['_config']['errmsg'] = _("Incorrect email address and/or Pass Phrase.");
+ if(!$rateLimit || mysql_num_rows($res) <= 0) {
+ $_SESSION['_config']['errmsg'] = _("Login failed due to incorrect email address, wrong passphrase or because the rate limit of one login per 5 seconds was hit.");
 } else {
 $_SESSION['_config']['errmsg'] = _("Your account has not been verified yet, please check your email account for the signup messages.");
 }
-- cgit v1.2.1
From b024b3419ef256089515143d7cc668395430bd7f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20D=C3=B6rre?=
Date: Thu, 2 Apr 2015 01:49:37 +0200
Subject: bug 1047: removing old points calculation from www/index.php and using the notary functions now
---
 includes/notary.inc.php | 37 +++++++++++++++++++++++++++++++++++--
 www/index.php | 5 +----
 2 files changed, 36 insertions(+), 6 deletions(-)
diff --git a/includes/notary.inc.php b/includes/notary.inc.php
index 3b8e736..c68e7f2 100644
--- a/includes/notary.inc.php
+++ b/includes/notary.inc.php
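Review bot: The merged message removes the rate-limit/credential distinction, but the `} else {` branch that follows still reports "Your account has not been verified yet" whenever the `verified`=0 query returns a row, so for a correct passphrase the response still differs by account state; that branch predates this commit, but it means the stated goal is only partly met. If keeping that hint is a deliberate usability trade-off, a comment above `if(!$rateLimit || mysql_num_rows($res) <= 0) {` recording that unverified accounts are intentionally still distinguished would save the next reader from re-opening the question. The enclosing handler starts before this hunk.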
@@ -322,6 +322,39 @@ define('THAWTE_REVOCATION_DATETIME', '2010-11-16 00:00:00');
 $rank_of_assuree = get_top_assuree_position($num_of_assurees);
 }
+ /**
+ * Helper function to sum all assurance points received by the user
+ * @param int $userid
+ */
+ function get_received_assurance_points($userid)
+ {
+ $sum_points = 0;
+ $sum_experience = 0;
+ $res = get_received_assurances(intval($userid), $log);
+ while($row = mysql_fetch_assoc($res))
+ {
+ $fromuser = get_user(intval($row['from']));
+ calc_assurances($row, $sum_points, $sum_experience);
+ }
+ return $sum_points;
+ }
+
+ /**
+ * Helper function to sum all assurance points received by the user
+ * @param int $userid
+ */
+ function get_received_experience_points($userid)
+ {
+ $sum_points = 0;
+ $sum_experience = 0;
+ $res = get_received_assurances(intval($userid), $log);
+ while($row = mysql_fetch_assoc($res))
+ {
+ $fromuser = get_user(intval($row['from']));
+ calc_assurances($row, $sum_points, $sum_experience);
+ }
+ return $sum_experience;
+ }
 // ************* html table definitions ******************
@@ -585,7 +618,7 @@ define('THAWTE_REVOCATION_DATETIME', '2010-11-16 00:00:00');
 $log)
 {
 $sum_points = 0;
- $sumexperience = 0;
+ $sum_experience = 0;
 $res = get_given_assurances(intval($userid), $log);
 while($row = mysql_fetch_assoc($res))
 {
@@ -615,7 +648,7 @@ define('THAWTE_REVOCATION_DATETIME', '2010-11-16 00:00:00');
 $log)
 {
 $sum_points = 0;
- $sumexperience = 0;
+ $sum_experience = 0;
 $res = get_received_assurances(intval($userid), $log);
 while($row = mysql_fetch_assoc($res))
 {
diff --git a/www/index.php b/www/index.php
index 8c5560c..6c1eca4 100644
--- a/www/index.php
+++ b/www/index.php
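Review bot: Both new helpers call `get_received_assurances(intval($userid), $log)` without `$log` ever being assigned in the function — inside a function body it is an undefined local, so null is passed (with a notice if notices are enabled); the existing functions in the `@@ -585` and `@@ -615` hunks appear to take `$log` as their last parameter, so add one here, e.g. `function get_received_assurance_points($userid, $log = null)`, and pass it through. `$fromuser = get_user(intval($row['from']));` is assigned and never read, which costs one extra query per assurance row; the line can go. The docblock on `get_received_experience_points` repeats "sum all assurance points" although the function returns `$sum_experience`, and neither docblock states `@return int`. The same undefined `$log` and unused `$fromuser` recur in `get_received_total_points` in the later `@@ -356` hunk of this series.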
@@ -210,10 +210,7 @@ require_once('../includes/notary.inc.php');
 L10n::set_translation($_SESSION['profile']['language']);
 L10n::init_gettext();
 }
- $query = "select sum(`points`) as `total` from `notary` where `to`='".intval($_SESSION['profile']['id'])."' and `deleted`=0 group by `to`";
- $res = mysql_query($query);
- $row = mysql_fetch_assoc($res);
- $_SESSION['profile']['points'] = $row['total'];
+ $_SESSION['profile']['points'] = get_received_assurance_points($_SESSION['profile']['id']);
 $_SESSION['profile']['loggedin'] = 1;
 if($_SESSION['profile']['Q1'] == "" || $_SESSION['profile']['Q2'] == "" || $_SESSION['profile']['Q3'] == "" || $_SESSION['profile']['Q4'] == "" ||
-- cgit v1.2.1
From 374c9be790b852ee2d40d61b242ced5732a5487d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20D=C3=B6rre?=
Date: Tue, 7 Apr 2015 21:48:20 +0200
Subject: bug 1047: Add notary function for all total points
---
 includes/notary.inc.php | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
diff --git a/includes/notary.inc.php b/includes/notary.inc.php
index c68e7f2..954029b 100644
--- a/includes/notary.inc.php
+++ b/includes/notary.inc.php
@@ -356,6 +356,30 @@ define('THAWTE_REVOCATION_DATETIME', '2010-11-16 00:00:00');
 return $sum_experience;
 }
+ /**
+ * Helper function to sum all points received by the user
+ * @param int $userid
+ */
+ function get_received_total_points($userid)
+ {
+ $sum_points = 0;
+ $sum_experience = 0;
+ $res = get_received_assurances(intval($userid), $log);
+ while($row = mysql_fetch_assoc($res))
+ {
+ $fromuser = get_user(intval($row['from']));
+ calc_assurances($row, $sum_points, $sum_experience);
+ }
+ return $sum_experience + $sum_points;
+ }
+
+ /**
+ * Updates the assurance points in $_SESSION['profile']
+ */
+ function update_points_in_profile(){
+ $_SESSION['profile']['points'] = get_received_total_points($_SESSION['profile']['id']);
+ }
+
 // ************* html table definitions ******************
 function output_ranking($userid)
-- cgit v1.2.1
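Review bot: `get_received_total_points` is the third copy of the same fetch-and-accumulate loop (after `get_received_assurance_points` and `get_received_experience_points` earlier in the file): each runs `get_received_assurances()` plus one `get_user()` query per row whose result `$fromuser` is never read, and each references `$log`, which is not defined inside these functions and so is passed as null. One helper that returns both sums lets the three public functions become one-line wrappers, drops the unused `get_user()` call, and gives `$log` an explicit parameter; defaulting it to null keeps the value the current code effectively passes. `update_points_in_profile()` below is unchanged by this proposal.
```php
	/**
	 * Fetches the assurances received by a user and accumulates both sums.
	 * @param int $userid
	 * @param mixed $log  passed through to get_received_assurances()
	 * @return array  array($sum_points, $sum_experience)
	 */
	function _sum_received_points($userid, $log)
	{
		$sum_points = 0;
		$sum_experience = 0;
		$res = get_received_assurances(intval($userid), $log);
		while($row = mysql_fetch_assoc($res))
		{
			calc_assurances($row, $sum_points, $sum_experience);
		}
		return array($sum_points, $sum_experience);
	}

	/**
	 * Helper function to sum all points received by the user
	 * @param int $userid
	 * @param mixed $log  passed through to get_received_assurances()
	 * @return int
	 */
	function get_received_total_points($userid, $log = null)
	{
		list($sum_points, $sum_experience) = _sum_received_points($userid, $log);
		return $sum_experience + $sum_points;
	}
	// … unchanged: update_points_in_profile() …
```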
From 16cb7044fa31e618f969d6104d976a7bc087e1be Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20D=C3=B6rre?=
Date: Tue, 7 Apr 2015 21:51:48 +0200
Subject: bug 1047: refix www/index.php
---
 www/index.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/www/index.php b/www/index.php
index 6c1eca4..b54eb2f 100644
--- a/www/index.php
+++ b/www/index.php
@@ -210,7 +210,8 @@ require_once('../includes/notary.inc.php');
 L10n::set_translation($_SESSION['profile']['language']);
 L10n::init_gettext();
 }
- $_SESSION['profile']['points'] = get_received_assurance_points($_SESSION['profile']['id']);
+ update_points_in_profile();
+
 $_SESSION['profile']['loggedin'] = 1;
 if($_SESSION['profile']['Q1'] == "" || $_SESSION['profile']['Q2'] == "" || $_SESSION['profile']['Q3'] == "" || $_SESSION['profile']['Q4'] == "" ||
-- cgit v1.2.1