2 LibreSSL - CAcert web application
3 Copyright (C) 2004-2008 CAcert Inc.
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published by
7 the Free Software Foundation; version 2 of the License.
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
14 You should have received a copy of the GNU General Public License
15 along with this program; if not, write to the Free Software
16 Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
19 require_once("../includes/loggedin.php");
20 require_once("../includes/notary.inc.php");
24 $type=""; if(array_key_exists('type',$_REQUEST)) $type=$_REQUEST['type'];
25 $action=""; if(array_key_exists('action',$_REQUEST)) $action=sanitizeHTML($_REQUEST['action']);
27 if($type == "reallyemail")
29 $emailid = intval($_SESSION['_config']['emailid']);
30 $hash = mysql_escape_string(trim($_SESSION['_config']['hash']));
32 $res = mysql_query("select * from `disputeemail` where `id`='$emailid' and `hash`='$hash'");
33 if(mysql_num_rows($res) <= 0)
35 showheader(_("Email Dispute"));
36 echo _("This dispute no longer seems to be in the database, can't continue.");
40 $row = mysql_fetch_assoc($res);
41 $oldmemid = $row['oldmemid'];
43 if($action == "reject")
45 mysql_query("update `disputeemail` set hash='',action='reject' where `id`='".intval($emailid)."'");
46 showheader(_("Email Dispute"));
47 echo _("You have opted to reject this dispute and the request will be removed from the database");
51 if($action == "accept")
53 showheader(_("Email Dispute"));
54 echo "<p>"._("You have opted to accept this dispute and the request will now remove this email address from the existing account, and revoke any current certificates.")."</p>";
55 echo "<p>"._("The following accounts have been removed:")."<br>\n";
56 $query = "select * from `email` where `id`='".intval($emailid)."' and deleted=0";
57 $res = mysql_query($query);
58 if(mysql_num_rows($res) > 0)
60 $row = mysql_fetch_assoc($res);
61 echo $row['email']."<br>\n";
62 account_email_delete($row['id']);
64 mysql_query("update `disputeemail` set hash='',action='accept' where `id`='$emailid'");
65 $rc = mysql_num_rows(mysql_query("select * from `domains` where `memid`='$oldmemid' and `deleted`=0"));
66 $rc2 = mysql_num_rows(mysql_query("select * from `email` where `memid`='$oldmemid' and `deleted`=0 and `id`!='$emailid'"));
67 $res = mysql_query("select * from `users` where `id`='$oldmemid'");
68 $user = mysql_fetch_assoc($res);
69 if($rc == 0 && $rc2 == 0 && $_SESSION['_config']['email'] == $user['email'])
71 mysql_query("update `users` set `deleted`=NOW() where `id`='$oldmemid'");
72 echo _("This was the primary email on the account, and no emails or domains were left linked so the account has also been removed from the system.");
82 $emailid = intval($_REQUEST['emailid']);
83 $hash = trim(mysql_escape_string(stripslashes($_REQUEST['hash'])));
84 if($emailid <= 0 ||
$hash == "")
86 showheader(_("Email Dispute"));
87 echo _("Invalid request. Can't continue.");
92 $res = mysql_query("select * from `disputeemail` where `id`='$emailid' and `hash`='$hash'");
93 if(mysql_num_rows($res) <= 0)
95 $res = mysql_query("select * from `disputeemail` where `id`='$emailid' and hash!=''");
96 if(mysql_num_rows($res) > 0)
98 $row = mysql_fetch_assoc($res);
99 mysql_query("update `disputeemail` set `attempts`='".intval($row['attempts'] +
1)."' where `id`='".$row['id']."'");
100 showheader(_("Email Dispute"));
101 if($row['attempts'] >= 3)
103 echo _("Your attempt to accept or reject a disputed email is invalid due to the hash string not matching with the email ID. Your attempt has been logged and the request will be removed from the system as a result.");
104 mysql_query("update `disputeemail` set hash='',action='failed' where `id`='$emailid'");
106 echo _("Your attempt to accept or reject a disputed email is invalid due to the hash string not matching with the email ID.");
110 showheader(_("Email Dispute"));
111 echo _("Invalid request. Can't continue.");
116 $_SESSION['_config']['emailid'] = $emailid;
117 $_SESSION['_config']['hash'] = $hash;
118 $row = mysql_fetch_assoc(mysql_query("select * from `disputeemail` where `id`='$emailid'"));
119 $_SESSION['_config']['email'] = $row['email'];
120 showheader(_("Email Dispute"));
121 includeit("4", "disputes");
126 if($type == "reallydomain")
128 $domainid = intval($_SESSION['_config']['domainid']);
129 $hash = mysql_escape_string(trim($_SESSION['_config']['hash']));
131 $res = mysql_query("select * from `disputedomain` where `id`='$domainid' and `hash`='$hash'");
132 if(mysql_num_rows($res) <= 0)
134 showheader(_("Domain Dispute"));
135 echo _("This dispute no longer seems to be in the database, can't continue.");
140 if($action == "reject")
142 mysql_query("update `disputedomain` set hash='',action='reject' where `id`='$domainid'");
143 showheader(_("Domain Dispute"));
144 echo _("You have opted to reject this dispute and the request will be removed from the database");
148 if($action == "accept")
150 showheader(_("Domain Dispute"));
151 echo "<p>"._("You have opted to accept this dispute and the request will now remove this domain from the existing account, and revoke any current certificates.")."</p>";
152 echo "<p>"._("The following accounts have been removed:")."<br>\n";
153 //new account_domain_delete($domainid, $memberID)
154 $query = "select * from `domains` where `id`='$domainid' and deleted=0";
155 $res = mysql_query($query);
156 if(mysql_num_rows($res) > 0)
158 echo $_SESSION['_config']['domain']."<br>\n";
159 account_domain_delete($domainid);
161 mysql_query("update `disputedomain` set hash='',action='accept' where `id`='$domainid'");
167 if($type == "domain")
169 $domainid = intval($_REQUEST['domainid']);
170 $hash = trim(mysql_escape_string(stripslashes($_REQUEST['hash'])));
171 if($domainid <= 0 ||
$hash == "")
173 showheader(_("Domain Dispute"));
174 echo _("Invalid request. Can't continue.");
179 $res = mysql_query("select * from `disputedomain` where `id`='$domainid' and `hash`='$hash'");
180 if(mysql_num_rows($res) <= 0)
182 $res = mysql_query("select * from `disputedomain` where `id`='$domainid' and hash!=''");
183 if(mysql_num_rows($res) > 0)
185 $row = mysql_fetch_assoc($res);
186 mysql_query("update `disputedomain` set `attempts`='".intval($row['attempts'] +
1)."' where `id`='".$row['id']."'");
187 showheader(_("Domain Dispute"));
188 if($row['attempts'] >= 3)
190 echo _("Your attempt to accept or reject a disputed domain is invalid due to the hash string not matching with the domain ID. Your attempt has been logged and the request will be removed from the system as a result.");
191 mysql_query("update `disputedomain` set hash='',action='failed' where `id`='$domainid'");
193 echo _("Your attempt to accept or reject a disputed domain is invalid due to the hash string not matching with the domain ID.");
197 showheader(_("Domain Dispute"));
198 echo _("Invalid request. Can't continue.");
203 $_SESSION['_config']['domainid'] = $domainid;
204 $_SESSION['_config']['hash'] = $hash;
205 $row = mysql_fetch_assoc(mysql_query("select * from `disputedomain` where `id`='$domainid'"));
206 $_SESSION['_config']['domain'] = $row['domain'];
207 showheader(_("Domain Dispute"));
208 includeit("6", "disputes");
215 csrf_check('emaildispute');
216 $email = trim(mysql_escape_string(stripslashes($_REQUEST['dispute'])));
219 showheader(_("Email Dispute"));
220 echo _("Not a valid email address. Can't continue.");
225 //check if email belongs to locked account
226 $res = mysql_query("select 1 from `email`, `users` where `email`.`email`='$email' and `email`.`memid`=`users`.`id` and (`users`.`assurer_blocked`=1 or `users`.`locked`=1)");
227 if(mysql_num_rows($res) > 0)
229 showheader(_("Email Dispute"));
230 printf(_("Sorry, the email address '%s' cannot be disputed for administrative reasons. To solve this problem please get in contact with %s."), sanitizeHTML($email),"<a href='mailto:support@cacert.org'>support@cacert.org</a>");
231 $duser=$_SESSION['profile']['fname']." ".$_SESSION['profile']['lname'];
232 $body = sprintf("Someone has just attempted to dispute this email '%s', which belongs to a locked account:\n".
233 "Username(ID): %s (%s)\n".
235 "IP/Hostname: %s\n", $email, $duser, $_SESSION['profile']['id'], $_SESSION['profile']['email'], $_SERVER['REMOTE_ADDR'].(array_key_exists('REMOTE_HOST',$_SERVER)?
"/".$_SERVER['REMOTE_HOST']:""));
236 sendmail("support@cacert.org", "[CAcert.org] failed dispute on locked account", $body, $_SESSION['profile']['email'], "", "", $duser);
242 $res = mysql_query("select * from `disputeemail` where `email`='$email' and hash!=''");
243 if(mysql_num_rows($res) > 0)
245 showheader(_("Email Dispute"));
246 printf(_("The email address '%s' already exists in the dispute system. Can't continue."), sanitizeHTML($email));
252 $query = "select * from `email` where `email`='$email' and `deleted`=0";
253 $res = mysql_query($query);
254 if(mysql_num_rows($res) <= 0)
256 showheader(_("Email Dispute"));
257 printf(_("The email address '%s' doesn't exist in the system. Can't continue."), sanitizeHTML($email));
261 $row = mysql_fetch_assoc($res);
262 $oldmemid = $row['memid'];
263 $emailid = $row['id'];
264 if($_SESSION['profile']['id'] == $oldmemid)
266 showheader(_("Email Dispute"));
267 echo _("You aren't allowed to dispute your own email addresses. Can't continue.");
272 $res = mysql_query("select * from `users` where `id`='$oldmemid'");
273 $user = mysql_fetch_assoc($res);
274 $rc = mysql_num_rows(mysql_query("select * from `domains` where `memid`='$oldmemid' and `deleted`=0"));
275 $rc2 = mysql_num_rows(mysql_query("select * from `email` where `memid`='$oldmemid' and `deleted`=0 and `id`!='$emailid'"));
276 if($user['email'] == $email && ($rc > 0 ||
$rc2 > 0))
278 showheader(_("Email Dispute"));
279 echo _("You only dispute the primary email address of an account if there is no longer any email addresses or domains linked to it.");
285 $query = "insert into `disputeemail` set `email`='$email',`memid`='".intval($_SESSION['profile']['id'])."',
286 `oldmemid`='$oldmemid',`created`=NOW(),`hash`='$hash',`id`='".intval($emailid)."',
287 `IP`='".$_SERVER['REMOTE_ADDR']."'";
290 $body = sprintf(_("You have been sent this email as the email address '%s' is being disputed. You have the option to accept or reject this request, after 2 days the request will automatically be discarded. Click the following link to accept or reject the dispute:"), $email)."\n\n";
291 $body .= "https://".$_SESSION['_config']['normalhostname']."/disputes.php?type=email&emailid=$emailid&hash=$hash\n\n";
292 $body .= _("Best regards")."\n"._("CAcert.org Support!");
294 sendmail($email, "[CAcert.org] "._("Dispute Probe"), $body, "support@cacert.org", "", "", "CAcert Support");
296 showheader(_("Email Dispute"));
297 printf(_("The email address '%s' has been entered into the dispute system, the email address will now be sent an email which will give the recipent the option of accepting or rejecting the request, if after 2 days we haven't received a valid response for or against we will discard the request."), sanitizeHTML($email));
304 csrf_check('domaindispute');
305 $domain = trim(mysql_escape_string(stripslashes($_REQUEST['dispute'])));
308 showheader(_("Domain Dispute"));
309 echo _("Not a valid Domain. Can't continue.");
314 //check if domain belongs to locked account
315 $res = mysql_query("select 1 from `domains`, `users` where `domains`.`domain`='$domain' and `domains`.`memid`=`users`.`id` and (`users`.`assurer_blocked`=1 or `users`.`locked`=1)");
316 if(mysql_num_rows($res) > 0)
318 showheader(_("Domain Dispute"));
319 printf(_("Sorry, the domain '%s' cannot be disputed for administrative reasons. To solve this problem please get in contact with %s."), sanitizeHTML($domain),"<a href='mailto:support@cacert.org'>support@cacert.org</a>");
320 $duser=$_SESSION['profile']['fname']." ".$_SESSION['profile']['lname'];
321 $body = sprintf("Someone has just attempted to dispute this domain '%s', which belongs to a locked account:\n".
322 "Username(ID): %s (%s)\n".
324 "IP/Hostname: %s\n", $domain, $duser, $_SESSION['profile']['id'], $_SESSION['profile']['email'], $_SERVER['REMOTE_ADDR'].(array_key_exists('REMOTE_HOST',$_SERVER)?
"/".$_SERVER['REMOTE_HOST']:""));
325 sendmail("support@cacert.org", "[CAcert.org] failed dispute on locked account", $body, $_SESSION['profile']['email'], "", "", $duser);
331 $query = "select * from `disputedomain` where `domain`='$domain' and hash!=''";
332 $res = mysql_query($query);
333 if(mysql_num_rows($res) > 0)
335 showheader(_("Domain Dispute"));
336 printf(_("The domain '%s' already exists in the dispute system. Can't continue."), sanitizeHTML($domain));
341 $query = "select * from `domains` where `domain`='$domain' and `deleted`=0";
342 $res = mysql_query($query);
343 if(mysql_num_rows($res) <= 0)
345 $query = "select 1 from `orgdomains` where `domain`='$domain'";
346 $res = mysql_query($query);
347 if(mysql_num_rows($res) > 0)
349 showheader(_("Domain Dispute"));
350 printf(_("The domain '%s' is included in an organisation account. Please send a mail to %s to dispute this domain."), sanitizeHTML($domain),'<a href="mailto:support@cacert.org">support@cacert.org</a>');
354 showheader(_("Domain Dispute"));
355 printf(_("The domain '%s' doesn't exist in the system. Can't continue."), sanitizeHTML($domain));
359 $row = mysql_fetch_assoc($res);
360 $oldmemid = $row['memid'];
361 if($_SESSION['profile']['id'] == $oldmemid)
363 showheader(_("Domain Dispute"));
364 echo _("You aren't allowed to dispute your own domains. Can't continue.");
369 $domainid = $row['id'];
370 $_SESSION['_config']['domainid'] = $domainid;
371 $_SESSION['_config']['memid'] = array_key_exists('memid',$_REQUEST)?
intval($_REQUEST['memid']):0;
372 $_SESSION['_config']['domain'] = $domain;
373 $_SESSION['_config']['oldmemid'] = $oldmemid;
376 $domtmp = escapeshellarg($domain);
377 if(strtolower(substr($domtmp, -4, 3)) != ".jp")
378 $adds = explode("\n", trim(`whois
$domtmp|grep \
@`
));
379 if(substr($domain, -4) == ".org" ||
substr($domain, -5) == ".info")
382 foreach($adds as $line)
384 $bits = explode(":", $line, 2);
385 $line = trim($bits[1]);
386 if(!in_array($line, $addy) && $line != "")
387 $addy[] = trim(mysql_escape_string(stripslashes($line)));
391 foreach($adds as $line)
393 $line = trim(str_replace("\t", " ", $line));
394 $line = trim(str_replace("(", "", $line));
395 $line = trim(str_replace(")", " ", $line));
397 $bits = explode(" ", $line);
398 foreach($bits as $bit)
400 if(strstr($bit, "@"))
403 if(!in_array($line, $addy) && $line != "")
404 $addy[] = trim(mysql_escape_string(stripslashes($line)));
408 $rfc = array("root@$domain", "hostmaster@$domain", "postmaster@$domain", "admin@$domain", "webmaster@$domain");
409 foreach($rfc as $sub)
410 if(!in_array($sub, $addy))
412 $_SESSION['_config']['addy'] = $addy;
413 showheader(_("Domain Dispute"));
414 includeit("5", "disputes");
421 $authaddy = trim(mysql_escape_string(stripslashes($_REQUEST['authaddy'])));
423 if(!in_array($authaddy, $_SESSION['_config']['addy']) ||
$authaddy == "")
425 showheader(_("My CAcert.org Account!"));
426 echo _("The address you submitted isn't a valid authority address for the domain.");
431 $query = "select * from `domains` where `domain`='".$_SESSION['_config']['domain']."' and `deleted`=0";
432 $res = mysql_query($query);
433 if(mysql_num_rows($res) <= 0)
435 showheader(_("Domain Dispute!"));
436 printf(_("The domain '%s' isn't in the system. Can't continue."), sanitizeHTML($_SESSION['_config']['domain']));
441 $domainid = intval($_SESSION['_config']['domainid']);
442 $memid = intval($_SESSION['_config']['memid']);
443 $oldmemid = intval($_SESSION['_config']['oldmemid']);
444 $domain = mysql_escape_string($_SESSION['_config']['domain']);
447 $query = "insert into `disputedomain` set `domain`='$domain',`memid`='".$_SESSION['profile']['id']."',
448 `oldmemid`='$oldmemid',`created`=NOW(),`hash`='$hash',`id`='$domainid'";
451 $body = sprintf(_("You have been sent this email as the domain '%s' is being disputed. You have the option to accept or reject this request, after 2 days the request will automatically be discarded. Click the following link to accept or reject the dispute:"), $domain)."\n\n";
452 $body .= "https://".$_SESSION['_config']['normalhostname']."/disputes.php?type=domain&domainid=$domainid&hash=$hash\n\n";
453 $body .= _("Best regards")."\n"._("CAcert.org Support!");
455 sendmail($authaddy, "[CAcert.org] "._("Dispute Probe"), $body, "support@cacert.org", "", "", "CAcert Support");
457 showheader(_("Domain Dispute"));
458 printf(_("The domain '%s' has been entered into the dispute system, the email address you choose will now be sent an email which will give the recipent the option of accepting or rejecting the request, if after 2 days we haven't received a valid response for or against we will discard the request."), sanitizeHTML($domain));
463 showheader(_("Domain and Email Disputes"));
464 includeit($id, "disputes");