summaryrefslogtreecommitdiff
path: root/includes/account.php
diff options
context:
space:
mode:
Diffstat (limited to 'includes/account.php')
-rw-r--r--includes/account.php499
1 files changed, 313 insertions, 186 deletions
diff --git a/includes/account.php b/includes/account.php
index cc2c581..54373b0 100644
--- a/includes/account.php
+++ b/includes/account.php
@@ -17,7 +17,8 @@
*/
require_once("../includes/loggedin.php");
require_once("../includes/lib/l10n.php");
- require_once('lib/check_weak_key.php');
+ require_once("../includes/lib/check_weak_key.php");
+ require_once("../includes/notary.inc.php");
loadem("account");
@@ -70,9 +71,7 @@
}
$oldid=0;
$_REQUEST['email'] = trim(mysql_real_escape_string(stripslashes($_REQUEST['newemail'])));
- $query = "select * from `email` where `email`='".$_REQUEST['email']."' and `deleted`=0";
- $res = mysql_query($query);
- if(mysql_num_rows($res) > 0)
+ if(check_email_exists($_REQUEST['email'])==true)
{
showheader(_("My CAcert.org Account!"));
printf(_("The email address '%s' is already in a different account. Can't continue."), sanitizeHTML($_REQUEST['email']));
@@ -160,17 +159,7 @@
{
$row = mysql_fetch_assoc($res);
echo $row['email']."<br>\n";
- $query = "select `emailcerts`.`id`
- from `emaillink`,`emailcerts` where
- `emailid`='$id' and `emaillink`.`emailcertsid`=`emailcerts`.`id` and
- `revoked`=0 and UNIX_TIMESTAMP(`expire`)-UNIX_TIMESTAMP() > 0
- group by `emailcerts`.`id`";
- $dres = mysql_query($query);
- while($drow = mysql_fetch_assoc($dres))
- mysql_query("update `emailcerts` set `revoked`='1970-01-01 10:00:01' where `id`='".$drow['id']."'");
-
- $query = "update `email` set `deleted`=NOW() where `id`='$id'";
- mysql_query($query);
+ account_email_delete($row['id']);
$delcount++;
}
}
@@ -192,6 +181,14 @@
if($process != "" && $oldid == 3)
{
+ if(!array_key_exists('CCA',$_REQUEST))
+ {
+ showheader(_("My CAcert.org Account!"));
+ echo _("You did not accept the CAcert Community Agreement (CCA), hit the back button and try again.");
+ showfooter();
+ exit;
+ }
+
if(!(array_key_exists('addid',$_REQUEST) && is_array($_REQUEST['addid'])) && $_REQUEST['SSO'] != '1')
{
showheader(_("My CAcert.org Account!"));
@@ -240,6 +237,11 @@
$_REQUEST['keytype'] = "MS";
$csr = clean_csr($_REQUEST['optionalCSR']);
}
+ if(trim($_REQUEST['description']) != ""){
+ $_SESSION['_config']['description']= trim(mysql_real_escape_string(stripslashes($_REQUEST['description'])));
+ }else{
+ $_SESSION['_config']['description']= "";
+ }
}
if($oldid == 4)
@@ -316,6 +318,8 @@
exit;
}
+ write_user_agreement(intval($_SESSION['profile']['id']), "CCA", "certificate creation", "", 1);
+
$query = "insert into emailcerts set
`CN`='$defaultemail',
`keytype`='NS',
@@ -323,7 +327,8 @@
`created`=FROM_UNIXTIME(UNIX_TIMESTAMP()),
`codesign`='".intval($_SESSION['_config']['codesign'])."',
`disablelogin`='".($_SESSION['_config']['disablelogin']?1:0)."',
- `rootcert`='".intval($_SESSION['_config']['rootcert'])."'";
+ `rootcert`='".intval($_SESSION['_config']['rootcert'])."',
+ `description`='".$_SESSION['_config']['description']."'";
mysql_query($query);
$emailid = mysql_insert_id();
if(is_array($addys))
@@ -334,15 +339,15 @@
fputs($fp, $emails);
fclose($fp);
$challenge=$_SESSION['spkac_hash'];
- $res=`openssl spkac -verify -in $CSRname`;
- if(!strstr($res,"Challenge String: ".$challenge))
- {
- $id = $oldid;
- showheader(_("My CAcert.org Account!"));
- echo _("The challenge-response code of your certificate request did not match. Can't continue with certificaterequest.");
- showfooter();
- exit;
- }
+ $res=`openssl spkac -verify -in $CSRname`;
+ if(!strstr($res,"Challenge String: ".$challenge))
+ {
+ $id = $oldid;
+ showheader(_("My CAcert.org Account!"));
+ echo _("The challenge-response code of your certificate request did not match. Can't continue with certificaterequest.");
+ showfooter();
+ exit;
+ }
mysql_query("update `emailcerts` set `csr_name`='$CSRname' where `id`='".intval($emailid)."'");
} else if($_REQUEST['keytype'] == "MS" || $_REQUEST['keytype'] == "VI") {
if($csr == "")
@@ -367,8 +372,8 @@
$csrsubject="";
$user = mysql_fetch_assoc(mysql_query("select * from `users` where `id`='".intval($_SESSION['profile']['id'])."'"));
- if(strlen($user['mname']) == 1)
- $user['mname'] .= '.';
+ if(strlen($user['mname']) == 1)
+ $user['mname'] .= '.';
if($_SESSION['_config']['incname'] <= 0 || $_SESSION['_config']['incname'] > 4)
$csrsubject = "/CN=CAcert WoT User";
if($_SESSION['_config']['incname'] == 1)
@@ -423,7 +428,8 @@
`subject`='".mysql_real_escape_string($csrsubject)."',
`codesign`='".$_SESSION['_config']['codesign']."',
`disablelogin`='".($_SESSION['_config']['disablelogin']?1:0)."',
- `rootcert`='".$_SESSION['_config']['rootcert']."'";
+ `rootcert`='".$_SESSION['_config']['rootcert']."',
+ `description`='".$_SESSION['_config']['description']."'";
mysql_query($query);
$emailid = mysql_insert_id();
if(is_array($addys))
@@ -457,10 +463,10 @@
csrf_check("adddomain");
if(strstr($_REQUEST['newdomain'],"\x00"))
{
- showheader(_("My CAcert.org Account!"));
- echo _("Due to the possibility for nullbyte domain exploits we currently do not allow any domain names with nullbytes.");
- showfooter();
- exit;
+ showheader(_("My CAcert.org Account!"));
+ echo _("Due to the possibility for nullbyte domain exploits we currently do not allow any domain names with nullbytes.");
+ showfooter();
+ exit;
}
list($newdomain) = explode(" ", $_REQUEST['newdomain'], 2); // Ignore the rest
@@ -622,32 +628,9 @@
{
$row = mysql_fetch_assoc($res);
echo $row['domain']."<br>\n";
-
- $dres = mysql_query(
- "select `domaincerts`.`id`
- from `domaincerts`
- where `domaincerts`.`domid` = '$id'
- union distinct
- select `domaincerts`.`id`
- from `domaincerts`, `domlink`
- where `domaincerts`.`id` = `domlink`.`certid`
- and `domlink`.`domid` = '$id'");
- while($drow = mysql_fetch_assoc($dres))
- {
- mysql_query(
- "update `domaincerts`
- set `revoked`='1970-01-01 10:00:01'
- where `id` = '".$drow['id']."'
- and `revoked` = 0
- and UNIX_TIMESTAMP(`expire`) -
- UNIX_TIMESTAMP() > 0");
- }
-
- mysql_query(
- "update `domains`
- set `deleted`=NOW()
- where `id` = '$id'");
+ account_domain_delete($row['id']);
}
+
}
}
else
@@ -661,11 +644,19 @@
if($process != "" && $oldid == 10)
{
+ if(!array_key_exists('CCA',$_REQUEST))
+ {
+ showheader(_("My CAcert.org Account!"));
+ echo _("You did not accept the CAcert Community Agreement (CCA), hit the back button and try again.");
+ showfooter();
+ exit;
+ }
+
$CSR = clean_csr($_REQUEST['CSR']);
if(strpos($CSR,"---BEGIN")===FALSE)
{
- // In case the CSR is missing the ---BEGIN lines, add them automatically:
- $CSR = "-----BEGIN CERTIFICATE REQUEST-----\n".$CSR."\n-----END CERTIFICATE REQUEST-----\n";
+ // In case the CSR is missing the ---BEGIN lines, add them automatically:
+ $CSR = "-----BEGIN CERTIFICATE REQUEST-----\n".$CSR."\n-----END CERTIFICATE REQUEST-----\n";
}
if (($weakKey = checkWeakKeyCSR($CSR)) !== "")
@@ -676,6 +667,12 @@
exit;
}
+ if(trim($_REQUEST['description']) != ""){
+ $_SESSION['_config']['description']= trim(mysql_real_escape_string(stripslashes($_REQUEST['description'])));
+ }else{
+ $_SESSION['_config']['description']= "";
+ }
+
$_SESSION['_config']['tmpfname'] = tempnam("/tmp", "id10CSR");
$fp = fopen($_SESSION['_config']['tmpfname'], "w");
fputs($fp, $CSR);
@@ -742,7 +739,7 @@
$subject = "";
$count = 0;
$supressSAN=0;
- if($_SESSION["profile"]["id"] == 104074) $supressSAN=1;
+ if($_SESSION["profile"]["id"] == 104074) $supressSAN=1;
if(is_array($_SESSION['_config']['rows']))
foreach($_SESSION['_config']['rows'] as $row)
@@ -771,19 +768,23 @@
if($_SESSION['_config']['rootcert'] < 1 || $_SESSION['_config']['rootcert'] > 2)
$_SESSION['_config']['rootcert'] = 1;
+ write_user_agreement(intval($_SESSION['profile']['id']), "CCA", "certificate creation", "", 1);
+
if(array_key_exists('0',$_SESSION['_config']['rowid']) && $_SESSION['_config']['rowid']['0'] > 0)
{
$query = "insert into `domaincerts` set
`CN`='".mysql_real_escape_string($_SESSION['_config']['rows']['0'])."',
`domid`='".mysql_real_escape_string($_SESSION['_config']['rowid']['0'])."',
`created`=NOW(),`subject`='".mysql_real_escape_string($subject)."',
- `rootcert`='".mysql_real_escape_string($_SESSION['_config']['rootcert'])."'";
+ `rootcert`='".mysql_real_escape_string($_SESSION['_config']['rootcert'])."',
+ `description`='".$_SESSION['_config']['description']."'";
} elseif(array_key_exists('0',$_SESSION['_config']['altid']) && $_SESSION['_config']['altid']['0'] > 0) {
$query = "insert into `domaincerts` set
`CN`='".mysql_real_escape_string($_SESSION['_config']['altrows']['0'])."',
`domid`='".mysql_real_escape_string($_SESSION['_config']['altid']['0'])."',
`created`=NOW(),`subject`='".mysql_real_escape_string($subject)."',
- `rootcert`='".mysql_real_escape_string($_SESSION['_config']['rootcert'])."'";
+ `rootcert`='".mysql_real_escape_string($_SESSION['_config']['rootcert'])."',
+ `description`='".$_SESSION['_config']['description']."'";
} else {
showheader(_("My CAcert.org Account!"));
echo _("Domain not verified.");
@@ -865,7 +866,8 @@
`modified`=NOW(),
`rootcert`='".$row['rootcert']."',
`type`='".$row['type']."',
- `pkhash`='".$row['pkhash']."'";
+ `pkhash`='".$row['pkhash']."',
+ `description`='".$row['description']."'";
mysql_query($query);
$newid = mysql_insert_id();
$newfile=generatecertpath("csr","server",$newid);
@@ -1003,6 +1005,24 @@
exit;
}
+ if($oldid == 12 && array_key_exists('change',$_REQUEST) && $_REQUEST['change'] != "")
+ {
+ showheader(_("My CAcert.org Account!"));
+ foreach($_REQUEST as $id => $val)
+ {
+ if(substr($id,0,14)=="check_comment_")
+ {
+ $cid = intval(substr($id,14));
+ $comment=trim(mysql_real_escape_string(stripslashes($_REQUEST['comment_'.$cid])));
+ mysql_query("update `domaincerts` set `description`='$comment' where `id`='$cid'");
+ }
+ }
+ echo(_("Certificate settings have been changed.")."<br/>\n");
+ showfooter();
+ exit;
+ }
+
+
if($oldid == 5 && array_key_exists('renew',$_REQUEST) && $_REQUEST['renew'] != "")
{
showheader(_("My CAcert.org Account!"));
@@ -1041,7 +1061,8 @@
`modified`=NOW(),
`disablelogin`='".$row['disablelogin']."',
`codesign`='".$row['codesign']."',
- `rootcert`='".$row['rootcert']."'";
+ `rootcert`='".$row['rootcert']."',
+ `description`='".$row['description']."'";
mysql_query($query);
$newid = mysql_insert_id();
$newfile=generatecertpath("csr","client",$newid);
@@ -1140,26 +1161,47 @@
if($oldid == 5 && array_key_exists('change',$_REQUEST) && $_REQUEST['change'] != "")
{
- showheader(_("My CAcert.org Account!"));
- //echo _("Now changing the settings for the following certificates:")."<br>\n";
- foreach($_REQUEST as $id => $val)
- {
- //echo $id."<br/>";
- if(substr($id,0,5)=="cert_")
- {
- $id = intval(substr($id,5));
- $dis=(array_key_exists('disablelogin_'.$id,$_REQUEST) && $_REQUEST['disablelogin_'.$id]=="1")?"0":"1";
- //echo "$id -> ".$_REQUEST['disablelogin_'.$id]."<br/>\n";
- mysql_query("update `emailcerts` set `disablelogin`='$dis' where `id`='$id' and `memid`='".$_SESSION['profile']['id']."'");
- //$row = mysql_fetch_assoc($res);
- }
- }
- echo(_("Certificate settings have been changed.")."<br/>\n");
- showfooter();
- exit;
+ showheader(_("My CAcert.org Account!"));
+ foreach($_REQUEST as $id => $val)
+ {
+ if(substr($id,0,5)=="cert_")
+ {
+ $cid = intval(substr($id,5));
+ $dis=(array_key_exists('disablelogin_'.$cid,$_REQUEST) && $_REQUEST['disablelogin_'.$cid]=="1")?"0":"1";
+ mysql_query("update `emailcerts` set `disablelogin`='$dis' where `id`='$cid' and `memid`='".$_SESSION['profile']['id']."'");
+ }
+ if(substr($id,0,14)=="check_comment_")
+ {
+ $cid = intval(substr($id,14));
+ if(!empty($_REQUEST['check_comment_'.$cid])) {
+ $comment=trim(mysql_real_escape_string(stripslashes($_REQUEST['comment_'.$cid])));
+ mysql_query("update `emailcerts` set `description`='$comment' where `id`='$cid' and `memid`='".$_SESSION['profile']['id']."'");
+ }
+ }
+ }
+ echo(_("Certificate settings have been changed.")."<br/>\n");
+ showfooter();
+ exit;
}
+ if($oldid == 6 && $_REQUEST['certid'] != "")
+ {
+ if(trim($_REQUEST['description']) != ""){
+ $description= trim(mysql_real_escape_string(stripslashes($_REQUEST['description'])));
+ }else{
+ $description= "";
+ }
+
+ if(trim($_REQUEST['disablelogin']) == "1"){
+ $disablelogin = 1;
+ }else{
+ $disablelogin = 0;
+ }
+
+ mysql_query("update `emailcerts` set `disablelogin`='$disablelogin', `description`='$description' where `id`='".$_REQUEST['certid']."' and `memid`='".$_SESSION['profile']['id']."'");
+ }
+
if($oldid == 13 && $process != "")
{
csrf_check("perschange");
@@ -1176,42 +1218,42 @@
$_SESSION['_config']['user']['A4'] = trim(mysql_real_escape_string(stripslashes(strip_tags($_REQUEST['A4']))));
$_SESSION['_config']['user']['A5'] = trim(mysql_real_escape_string(stripslashes(strip_tags($_REQUEST['A5']))));
- if($_SESSION['_config']['user']['Q1'] == $_SESSION['_config']['user']['Q2'] ||
- $_SESSION['_config']['user']['Q1'] == $_SESSION['_config']['user']['Q3'] ||
- $_SESSION['_config']['user']['Q1'] == $_SESSION['_config']['user']['Q4'] ||
- $_SESSION['_config']['user']['Q1'] == $_SESSION['_config']['user']['Q5'] ||
- $_SESSION['_config']['user']['Q2'] == $_SESSION['_config']['user']['Q3'] ||
- $_SESSION['_config']['user']['Q2'] == $_SESSION['_config']['user']['Q4'] ||
- $_SESSION['_config']['user']['Q2'] == $_SESSION['_config']['user']['Q5'] ||
- $_SESSION['_config']['user']['Q3'] == $_SESSION['_config']['user']['Q4'] ||
- $_SESSION['_config']['user']['Q3'] == $_SESSION['_config']['user']['Q5'] ||
- $_SESSION['_config']['user']['Q4'] == $_SESSION['_config']['user']['Q5'] ||
- $_SESSION['_config']['user']['A1'] == $_SESSION['_config']['user']['Q1'] ||
- $_SESSION['_config']['user']['A1'] == $_SESSION['_config']['user']['Q2'] ||
- $_SESSION['_config']['user']['A1'] == $_SESSION['_config']['user']['Q3'] ||
- $_SESSION['_config']['user']['A1'] == $_SESSION['_config']['user']['Q4'] ||
- $_SESSION['_config']['user']['A1'] == $_SESSION['_config']['user']['Q5'] ||
- $_SESSION['_config']['user']['A2'] == $_SESSION['_config']['user']['Q3'] ||
- $_SESSION['_config']['user']['A2'] == $_SESSION['_config']['user']['Q4'] ||
- $_SESSION['_config']['user']['A2'] == $_SESSION['_config']['user']['Q5'] ||
- $_SESSION['_config']['user']['A3'] == $_SESSION['_config']['user']['Q4'] ||
- $_SESSION['_config']['user']['A3'] == $_SESSION['_config']['user']['Q5'] ||
- $_SESSION['_config']['user']['A4'] == $_SESSION['_config']['user']['Q5'] ||
- $_SESSION['_config']['user']['A1'] == $_SESSION['_config']['user']['A2'] ||
- $_SESSION['_config']['user']['A1'] == $_SESSION['_config']['user']['A3'] ||
- $_SESSION['_config']['user']['A1'] == $_SESSION['_config']['user']['A4'] ||
- $_SESSION['_config']['user']['A1'] == $_SESSION['_config']['user']['A5'] ||
- $_SESSION['_config']['user']['A2'] == $_SESSION['_config']['user']['A3'] ||
- $_SESSION['_config']['user']['A2'] == $_SESSION['_config']['user']['A4'] ||
- $_SESSION['_config']['user']['A2'] == $_SESSION['_config']['user']['A5'] ||
- $_SESSION['_config']['user']['A3'] == $_SESSION['_config']['user']['A4'] ||
- $_SESSION['_config']['user']['A3'] == $_SESSION['_config']['user']['A5'] ||
- $_SESSION['_config']['user']['A4'] == $_SESSION['_config']['user']['A5'])
- {
- $_SESSION['_config']['errmsg'] .= _("For your own security you must enter 5 different password questions and answers. You aren't allowed to duplicate questions, set questions as answers or use the question as the answer.")."<br>\n";
- $id = $oldid;
+ if($_SESSION['_config']['user']['Q1'] == $_SESSION['_config']['user']['Q2'] ||
+ $_SESSION['_config']['user']['Q1'] == $_SESSION['_config']['user']['Q3'] ||
+ $_SESSION['_config']['user']['Q1'] == $_SESSION['_config']['user']['Q4'] ||
+ $_SESSION['_config']['user']['Q1'] == $_SESSION['_config']['user']['Q5'] ||
+ $_SESSION['_config']['user']['Q2'] == $_SESSION['_config']['user']['Q3'] ||
+ $_SESSION['_config']['user']['Q2'] == $_SESSION['_config']['user']['Q4'] ||
+ $_SESSION['_config']['user']['Q2'] == $_SESSION['_config']['user']['Q5'] ||
+ $_SESSION['_config']['user']['Q3'] == $_SESSION['_config']['user']['Q4'] ||
+ $_SESSION['_config']['user']['Q3'] == $_SESSION['_config']['user']['Q5'] ||
+ $_SESSION['_config']['user']['Q4'] == $_SESSION['_config']['user']['Q5'] ||
+ $_SESSION['_config']['user']['A1'] == $_SESSION['_config']['user']['Q1'] ||
+ $_SESSION['_config']['user']['A1'] == $_SESSION['_config']['user']['Q2'] ||
+ $_SESSION['_config']['user']['A1'] == $_SESSION['_config']['user']['Q3'] ||
+ $_SESSION['_config']['user']['A1'] == $_SESSION['_config']['user']['Q4'] ||
+ $_SESSION['_config']['user']['A1'] == $_SESSION['_config']['user']['Q5'] ||
+ $_SESSION['_config']['user']['A2'] == $_SESSION['_config']['user']['Q3'] ||
+ $_SESSION['_config']['user']['A2'] == $_SESSION['_config']['user']['Q4'] ||
+ $_SESSION['_config']['user']['A2'] == $_SESSION['_config']['user']['Q5'] ||
+ $_SESSION['_config']['user']['A3'] == $_SESSION['_config']['user']['Q4'] ||
+ $_SESSION['_config']['user']['A3'] == $_SESSION['_config']['user']['Q5'] ||
+ $_SESSION['_config']['user']['A4'] == $_SESSION['_config']['user']['Q5'] ||
+ $_SESSION['_config']['user']['A1'] == $_SESSION['_config']['user']['A2'] ||
+ $_SESSION['_config']['user']['A1'] == $_SESSION['_config']['user']['A3'] ||
+ $_SESSION['_config']['user']['A1'] == $_SESSION['_config']['user']['A4'] ||
+ $_SESSION['_config']['user']['A1'] == $_SESSION['_config']['user']['A5'] ||
+ $_SESSION['_config']['user']['A2'] == $_SESSION['_config']['user']['A3'] ||
+ $_SESSION['_config']['user']['A2'] == $_SESSION['_config']['user']['A4'] ||
+ $_SESSION['_config']['user']['A2'] == $_SESSION['_config']['user']['A5'] ||
+ $_SESSION['_config']['user']['A3'] == $_SESSION['_config']['user']['A4'] ||
+ $_SESSION['_config']['user']['A3'] == $_SESSION['_config']['user']['A5'] ||
+ $_SESSION['_config']['user']['A4'] == $_SESSION['_config']['user']['A5'])
+ {
+ $_SESSION['_config']['errmsg'] .= _("For your own security you must enter 5 different password questions and answers. You aren't allowed to duplicate questions, set questions as answers or use the question as the answer.")."<br>\n";
+ $id = $oldid;
$oldid=0;
- }
+ }
if($_SESSION['_config']['user']['Q1'] == "" || $_SESSION['_config']['user']['Q2'] == "" ||
$_SESSION['_config']['user']['Q3'] == "" || $_SESSION['_config']['user']['Q4'] == "" ||
@@ -1394,6 +1436,13 @@
}
$_SESSION['_config']['name'] = mysql_real_escape_string(stripslashes(trim($_REQUEST['name'])));
$_SESSION['_config']['OU'] = mysql_real_escape_string(stripslashes(trim($_REQUEST['OU'])));
+
+
+ if(trim($_REQUEST['description']) != ""){
+ $_SESSION['_config']['description']= trim(mysql_real_escape_string(stripslashes($_REQUEST['description'])));
+ }else{
+ $_SESSION['_config']['description']= "";
+ }
}
if($oldid == 16 && (intval(count($_SESSION['_config']['emails'])) + 0) <= 0)
@@ -1423,6 +1472,12 @@
if($_SESSION['_config']['rootcert'] < 1 || $_SESSION['_config']['rootcert'] > 2)
$_SESSION['_config']['rootcert'] = 1;
+ if(trim($_REQUEST['description']) != ""){
+ $_SESSION['_config']['description']= trim(mysql_real_escape_string(stripslashes($_REQUEST['description'])));
+ }else{
+ $_SESSION['_config']['description']= "";
+ }
+
if(@count($_SESSION['_config']['emails']) > 0)
$id = 17;
}
@@ -1469,6 +1524,7 @@
if($_SESSION['_config']['rootcert'] < 1 || $_SESSION['_config']['rootcert'] > 2)
$_SESSION['_config']['rootcert'] = 1;
+
$emails .= "SPKAC = $spkac";
if (($weakKey = checkWeakKeySPKAC($emails)) !== "")
{
@@ -1485,7 +1541,8 @@
`orgid`='".$org['orgid']."',
`created`=FROM_UNIXTIME(UNIX_TIMESTAMP()),
`codesign`='".$_SESSION['_config']['codesign']."',
- `rootcert`='".$_SESSION['_config']['rootcert']."'";
+ `rootcert`='".$_SESSION['_config']['rootcert']."',
+ `description`='".$_SESSION['_config']['description']."'";
mysql_query($query);
$emailid = mysql_insert_id();
@@ -1497,15 +1554,15 @@
fputs($fp, $emails);
fclose($fp);
$challenge=$_SESSION['spkac_hash'];
- $res=`openssl spkac -verify -in $CSRname`;
- if(!strstr($res,"Challenge String: ".$challenge))
- {
- $id = $oldid;
- showheader(_("My CAcert.org Account!"));
- echo _("The challenge-response code of your certificate request did not match. Can't continue with certificaterequest.");
- showfooter();
- exit;
- }
+ $res=`openssl spkac -verify -in $CSRname`;
+ if(!strstr($res,"Challenge String: ".$challenge))
+ {
+ $id = $oldid;
+ showheader(_("My CAcert.org Account!"));
+ echo _("The challenge-response code of your certificate request did not match. Can't continue with certificaterequest.");
+ showfooter();
+ exit;
+ }
mysql_query("update `orgemailcerts` set `csr_name`='$CSRname' where `id`='$emailid'");
} else if($_REQUEST['keytype'] == "MS" || $_REQUEST['keytype']=="VI") {
$csr = "-----BEGIN CERTIFICATE REQUEST-----\n".clean_csr($_REQUEST['CSR'])."-----END CERTIFICATE REQUEST-----\n";
@@ -1575,7 +1632,8 @@
`created`=FROM_UNIXTIME(UNIX_TIMESTAMP()),
`subject`='$csrsubject',
`codesign`='".$_SESSION['_config']['codesign']."',
- `rootcert`='".$_SESSION['_config']['rootcert']."'";
+ `rootcert`='".$_SESSION['_config']['rootcert']."',
+ `description`='".$_SESSION['_config']['description']."'";
mysql_query($query);
$emailid = mysql_insert_id();
@@ -1650,7 +1708,8 @@
`created`='".$row['created']."',
`modified`=NOW(),
`codesign`='".$row['codesign']."',
- `rootcert`='".$row['rootcert']."'";
+ `rootcert`='".$row['rootcert']."',
+ `description`='".$row['description']."'";
mysql_query($query);
$newid = mysql_insert_id();
$newfile=generatecertpath("csr","orgclient",$newid);
@@ -1742,6 +1801,24 @@
exit;
}
+ if($oldid == 18 && array_key_exists('change',$_REQUEST) && $_REQUEST['change'] != "")
+ {
+ showheader(_("My CAcert.org Account!"));
+ foreach($_REQUEST as $id => $val)
+ {
+ if(substr($id,0,14)=="check_comment_")
+ {
+ $cid = intval(substr($id,14));
+ $comment=trim(mysql_real_escape_string(stripslashes($_REQUEST['comment_'.$cid])));
+ mysql_query("update `orgemailcerts` set `description`='$comment' where `id`='$cid'");
+ }
+ }
+ echo(_("Certificate settings have been changed.")."<br/>\n");
+ showfooter();
+ exit;
+ }
+
+
if($process != "" && $oldid == 20)
{
$CSR = clean_csr($_REQUEST['CSR']);
@@ -1755,6 +1832,12 @@
exit;
}
+ if(trim($_REQUEST['description']) != ""){
+ $_SESSION['_config']['description']= trim(mysql_real_escape_string(stripslashes($_REQUEST['description'])));
+ }else{
+ $_SESSION['_config']['description']= "";
+ }
+
$_SESSION['_config']['tmpfname'] = tempnam("/tmp", "id20CSR");
$fp = fopen($_SESSION['_config']['tmpfname'], "w");
fputs($fp, $CSR);
@@ -1830,8 +1913,8 @@
exit;
}
- if($_SESSION['_config']['rowid']['0'] > 0)
- {
+ if($_SESSION['_config']['rowid']['0'] > 0)
+ {
$query = "select * from `org`,`orginfo` where
`orginfo`.`id`='".$_SESSION['_config']['rowid']['0']."' and
`orginfo`.`id`=`org`.`orgid` and
@@ -1878,25 +1961,27 @@
if($_SESSION['_config']['rootcert'] < 1 || $_SESSION['_config']['rootcert'] > 2)
$_SESSION['_config']['rootcert'] = 1;
- if($_SESSION['_config']['rowid']['0'] > 0)
- {
- $query = "insert into `orgdomaincerts` set
- `CN`='".$_SESSION['_config']['rows']['0']."',
- `orgid`='".$org['id']."',
- `created`=NOW(),
- `subject`='$csrsubject',
- `rootcert`='".$_SESSION['_config']['rootcert']."',
- `type`='$type'";
- } else {
- $query = "insert into `orgdomaincerts` set
- `CN`='".$_SESSION['_config']['altrows']['0']."',
- `orgid`='".$org['id']."',
- `created`=NOW(),
- `subject`='$csrsubject',
- `rootcert`='".$_SESSION['_config']['rootcert']."',
- `type`='$type'";
- }
- mysql_query($query);
+ if($_SESSION['_config']['rowid']['0'] > 0)
+ {
+ $query = "insert into `orgdomaincerts` set
+ `CN`='".$_SESSION['_config']['rows']['0']."',
+ `orgid`='".$org['id']."',
+ `created`=NOW(),
+ `subject`='$csrsubject',
+ `rootcert`='".$_SESSION['_config']['rootcert']."',
+ `type`='$type',
+ `description`='".$_SESSION['_config']['description']."'";
+ } else {
+ $query = "insert into `orgdomaincerts` set
+ `CN`='".$_SESSION['_config']['altrows']['0']."',
+ `orgid`='".$org['id']."',
+ `created`=NOW(),
+ `subject`='$csrsubject',
+ `rootcert`='".$_SESSION['_config']['rootcert']."',
+ `type`='$type',
+ `description`='".$_SESSION['_config']['description']."'";
+ }
+ mysql_query($query);
$CSRid = mysql_insert_id();
$CSRname=generatecertpath("csr","orgserver",$CSRid);
@@ -1970,7 +2055,8 @@
`modified`=NOW(),
`subject`='".$row['subject']."',
`type`='".$row['type']."',
- `rootcert`='".$row['rootcert']."'";
+ `rootcert`='".$row['rootcert']."',
+ `description`='".$row['description']."'";
mysql_query($query);
$newid = mysql_insert_id();
//echo "NewID: $newid<br/>\n";
@@ -2071,6 +2157,24 @@
exit;
}
+ if($oldid == 22 && array_key_exists('change',$_REQUEST) && $_REQUEST['change'] != "")
+ {
+ showheader(_("My CAcert.org Account!"));
+ foreach($_REQUEST as $id => $val)
+ {
+ if(substr($id,0,14)=="check_comment_")
+ {
+ $cid = intval(substr($id,14));
+ $comment=trim(mysql_real_escape_string(stripslashes($_REQUEST['comment_'.$cid])));
+ mysql_query("update `orgdomaincerts` set `description`='$comment' where `id`='$cid'");
+ }
+ }
+ echo(_("Certificate settings have been changed.")."<br/>\n");
+ showfooter();
+ exit;
+ }
+
+
if(($id == 24 || $oldid == 24 || $id == 25 || $oldid == 25 || $id == 26 || $oldid == 26 ||
$id == 27 || $oldid == 27 || $id == 28 || $oldid == 28 || $id == 29 || $oldid == 29 ||
$id == 30 || $oldid == 30 || $id == 31 || $oldid == 31) &&
@@ -2462,7 +2566,7 @@
}
if($oldid == 54 || ($id == 53 && array_key_exists('action',$_REQUEST) && $_REQUEST['action'] != "") ||
- ($id == 54 && array_key_exists('action',$_REQUEST) && $_REQUEST['action'] != "" &&
+ ($id == 54 && array_key_exists('action',$_REQUEST) && $_REQUEST['action'] != "" &&
$_REQUEST['action'] != "aliases" && $_REQUEST['action'] != "edit" && $_REQUEST['action'] != "add"))
{
$id = 53;
@@ -2472,7 +2576,7 @@
$locid = intval(array_key_exists('locid',$_REQUEST)?$_REQUEST['locid']:0);
$name = array_key_exists('name',$_REQUEST)?mysql_real_escape_string(strip_tags($_REQUEST['name'])):"";
$long = array_key_exists('longitude',$_REQUEST)?ereg_replace("[^-0-9\.]","",$_REQUEST['longitude']):"";
- $lat = array_key_exists('latitude', $_REQUEST)?ereg_replace("[^-0-9\.]","",$_REQUEST['latitude']):"";
+ $lat = array_key_exists('latitude', $_REQUEST)?ereg_replace("[^-0-9\.]","",$_REQUEST['latitude']):"";
$action = array_key_exists('action',$_REQUEST)?$_REQUEST['action']:"";
if($locid > 0 && $action == "edit")
@@ -2580,6 +2684,13 @@
mysql_query($query);
}
+ if($oldid == 43 && $_REQUEST['action'] == 'revokecert')
+ {
+ $userid = intval($_REQUEST['userid']);
+ revoke_all_private_cert($userid);
+ $id=43;
+ }
+
if($oldid == 48 && $_REQUEST['domain'] == "")
{
$id = $oldid;
@@ -2730,24 +2841,24 @@
mysql_query("update `users` set `tverify`='$ver' where `id`='$memid'");
}
- if($id == 43 && array_key_exists('assurer',$_REQUEST) && $_REQUEST['assurer'] > 0)
- {
- csrf_check('admsetassuret');
- $memid = $_REQUEST['userid'] = intval($_REQUEST['assurer']);
- $query = "select * from `users` where `id`='$memid'";
- $row = mysql_fetch_assoc(mysql_query($query));
- $ver = !$row['assurer'];
- mysql_query("update `users` set `assurer`='$ver' where `id`='$memid'");
- }
-
- if($id == 43 && array_key_exists('assurer_blocked',$_REQUEST) && $_REQUEST['assurer_blocked'] > 0)
- {
- $memid = $_REQUEST['userid'] = intval($_REQUEST['assurer_blocked']);
- $query = "select * from `users` where `id`='$memid'";
- $row = mysql_fetch_assoc(mysql_query($query));
- $ver = !$row['assurer_blocked'];
- mysql_query("update `users` set `assurer_blocked`='$ver' where `id`='$memid'");
- }
+ if($id == 43 && array_key_exists('assurer',$_REQUEST) && $_REQUEST['assurer'] > 0)
+ {
+ csrf_check('admsetassuret');
+ $memid = $_REQUEST['userid'] = intval($_REQUEST['assurer']);
+ $query = "select * from `users` where `id`='$memid'";
+ $row = mysql_fetch_assoc(mysql_query($query));
+ $ver = !$row['assurer'];
+ mysql_query("update `users` set `assurer`='$ver' where `id`='$memid'");
+ }
+
+ if($id == 43 && array_key_exists('assurer_blocked',$_REQUEST) && $_REQUEST['assurer_blocked'] > 0)
+ {
+ $memid = $_REQUEST['userid'] = intval($_REQUEST['assurer_blocked']);
+ $query = "select * from `users` where `id`='$memid'";
+ $row = mysql_fetch_assoc(mysql_query($query));
+ $ver = !$row['assurer_blocked'];
+ mysql_query("update `users` set `assurer_blocked`='$ver' where `id`='$memid'");
+ }
if($id == 43 && array_key_exists('locked',$_REQUEST) && $_REQUEST['locked'] > 0)
{
@@ -2876,23 +2987,39 @@
if($oldid == 50 && $process != "")
{
$_REQUEST['userid'] = intval($_REQUEST['userid']);
- $res = mysql_query("select * from `users` where `id`='".intval($_REQUEST['userid'])."'");
- if(mysql_num_rows($res) > 0)
- {
- $query = "update `domaincerts`,`domains` SET `domaincerts`.`revoked`='1970-01-01 10:00:01'
- WHERE `domaincerts`.`domid` = `domains`.`id` AND `domains`.`memid`='".intval($_REQUEST['userid'])."'";
- mysql_query($query);
- $query = "update `domains` SET `deleted`=NOW() WHERE `domains`.`memid`='".intval($_REQUEST['userid'])."'";
- mysql_query($query);
- $query = "update `emailcerts` SET `revoked`='1970-01-01 10:00:01' WHERE `memid`='".intval($_REQUEST['userid'])."'";
- mysql_query($query);
- $query = "update `email` SET `deleted`=NOW() WHERE `memid`='".intval($_REQUEST['userid'])."'";
- mysql_query($query);
- $query = "delete from `org` WHERE `memid`='".intval($_REQUEST['userid'])."'";
- mysql_query($query);
- $query = "update `users` SET `deleted`=NOW() WHERE `id`='".intval($_REQUEST['userid'])."'";
- mysql_query($query);
+ if (trim($_REQUEST['arbitrationno'])==""){
+ showheader(_("My CAcert.org Account!"));
+ echo _("You did not enter an arbitration number entry.");
+ showfooter();
+ exit;
+ }
+ if ( 1 !== preg_match('/^[a-z]\d{8}\.\d+\.\d+$/i',trim($_REQUEST['arbitrationno'])) ) {
+ showheader(_("My CAcert.org Account!"));
+ printf(_("'%s' is not a valid arbitration number entry."), sanitizeHTML(trim($_REQUEST['arbitrationno'])));
+ showfooter();
+ exit;
+ }
+ if (check_email_exists(trim($_REQUEST['arbitrationno']).'@cacert.org')) {
+ showheader(_("My CAcert.org Account!"));
+ printf(_("The email address '%s' is already in a different account. Can't continue."), sanitizeHTML($_REQUEST['arbitrationno'].'@cacert.org'));
+ showfooter();
+ exit;
+ }
+ if (check_client_cert_running($_REQUEST['userid'],1) ||
+ check_server_cert_running($_REQUEST['userid'],1) ||
+ check_gpg_cert_running($_REQUEST['userid'],1)) {
+ showheader(_("My CAcert.org Account!"));
+ printf(_("The CCA retention time for at least one certificate is not over. Can't continue."));
+ showfooter();
+ exit;
+ }
+ if (check_is_orgadmin($_REQUEST['userid'],1)) {
+ showheader(_("My CAcert.org Account!"));
+ printf(_("The user is listed as Organisation Administrator. Can't continue."));
+ showfooter();
+ exit;
}
+ account_delete($_REQUEST['userid'], trim($_REQUEST['arbitrationno']), $_SESSION['profile']['id']);
}
if(($id == 51 || $id == 52 || $oldid == 52) && $_SESSION['profile']['tverify'] <= 0)