Source code taken from cacert-20141124.tar.bz2
[cacert-devel.git] / www / disputes.php
1 <? /*
2 LibreSSL - CAcert web application
3 Copyright (C) 2004-2008 CAcert Inc.
4
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published by
7 the Free Software Foundation; version 2 of the License.
8
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
13
14 You should have received a copy of the GNU General Public License
15 along with this program; if not, write to the Free Software
16 Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
17 */ ?>
18 <?
19 require_once("../includes/loggedin.php");
20 require_once("../includes/notary.inc.php");
21 require_once("../includes/lib/l10n.php");
22
23 loadem("account");
24
25 $type=""; if(array_key_exists('type',$_REQUEST)) $type=$_REQUEST['type'];
26 $action=""; if(array_key_exists('action',$_REQUEST)) $action=sanitizeHTML($_REQUEST['action']);
27
28 if($type == "reallyemail")
29 {
30 $emailid = intval($_SESSION['_config']['emailid']);
31 $hash = mysql_escape_string(trim($_SESSION['_config']['hash']));
32
33 $res = mysql_query("select * from `disputeemail` where `id`='$emailid' and `hash`='$hash'");
34 if(mysql_num_rows($res) <= 0)
35 {
36 showheader(_("Email Dispute"));
37 echo _("This dispute no longer seems to be in the database, can't continue.");
38 showfooter();
39 exit;
40 }
41 $row = mysql_fetch_assoc($res);
42 $oldmemid = $row['oldmemid'];
43
44 if($action == "reject")
45 {
46 mysql_query("update `disputeemail` set hash='',action='reject' where `id`='".intval($emailid)."'");
47 showheader(_("Email Dispute"));
48 echo _("You have opted to reject this dispute and the request will be removed from the database");
49 showfooter();
50 exit;
51 }
52 if($action == "accept")
53 {
54 showheader(_("Email Dispute"));
55 echo "<p>"._("You have opted to accept this dispute and the request will now remove this email address from the existing account, and revoke any current certificates.")."</p>";
56 echo "<p>"._("The following accounts have been removed:")."<br>\n";
57 $query = "select * from `email` where `id`='".intval($emailid)."' and deleted=0";
58 $res = mysql_query($query);
59 if(mysql_num_rows($res) > 0)
60 {
61 $row = mysql_fetch_assoc($res);
62 echo $row['email']."<br>\n";
63 account_email_delete($row['id']);
64 }
65 mysql_query("update `disputeemail` set hash='',action='accept' where `id`='$emailid'");
66 $rc = mysql_num_rows(mysql_query("select * from `domains` where `memid`='$oldmemid' and `deleted`=0"));
67 $rc2 = mysql_num_rows(mysql_query("select * from `email` where `memid`='$oldmemid' and `deleted`=0 and `id`!='$emailid'"));
68 $res = mysql_query("select * from `users` where `id`='$oldmemid'");
69 $user = mysql_fetch_assoc($res);
70 if($rc == 0 && $rc2 == 0 && $_SESSION['_config']['email'] == $user['email'])
71 {
72 mysql_query("update `users` set `deleted`=NOW() where `id`='$oldmemid'");
73 echo _("This was the primary email on the account, and no emails or domains were left linked so the account has also been removed from the system.");
74 }
75
76 showfooter();
77 exit;
78 }
79 }
80
81 if($type == "email")
82 {
83 $emailid = intval($_REQUEST['emailid']);
84 $hash = trim(mysql_escape_string(stripslashes($_REQUEST['hash'])));
85 if($emailid <= 0 || $hash == "")
86 {
87 showheader(_("Email Dispute"));
88 echo _("Invalid request. Can't continue.");
89 showfooter();
90 exit;
91 }
92
93 $res = mysql_query("select * from `disputeemail` where `id`='$emailid' and `hash`='$hash'");
94 if(mysql_num_rows($res) <= 0)
95 {
96 $res = mysql_query("select * from `disputeemail` where `id`='$emailid' and hash!=''");
97 if(mysql_num_rows($res) > 0)
98 {
99 $row = mysql_fetch_assoc($res);
100 mysql_query("update `disputeemail` set `attempts`='".intval($row['attempts'] + 1)."' where `id`='".$row['id']."'");
101 showheader(_("Email Dispute"));
102 if($row['attempts'] >= 3)
103 {
104 echo _("Your attempt to accept or reject a disputed email is invalid due to the hash string not matching with the email ID. Your attempt has been logged and the request will be removed from the system as a result.");
105 mysql_query("update `disputeemail` set hash='',action='failed' where `id`='$emailid'");
106 } else
107 echo _("Your attempt to accept or reject a disputed email is invalid due to the hash string not matching with the email ID.");
108 showfooter();
109 exit;
110 } else {
111 showheader(_("Email Dispute"));
112 echo _("Invalid request. Can't continue.");
113 showfooter();
114 exit;
115 }
116 }
117 $_SESSION['_config']['emailid'] = $emailid;
118 $_SESSION['_config']['hash'] = $hash;
119 $row = mysql_fetch_assoc(mysql_query("select * from `disputeemail` where `id`='$emailid'"));
120 $_SESSION['_config']['email'] = $row['email'];
121 showheader(_("Email Dispute"));
122 includeit("4", "disputes");
123 showfooter();
124 exit;
125 }
126
127 if($type == "reallydomain")
128 {
129 $domainid = intval($_SESSION['_config']['domainid']);
130 $hash = mysql_escape_string(trim($_SESSION['_config']['hash']));
131
132 $res = mysql_query("select * from `disputedomain` where `id`='$domainid' and `hash`='$hash'");
133 if(mysql_num_rows($res) <= 0)
134 {
135 showheader(_("Domain Dispute"));
136 echo _("This dispute no longer seems to be in the database, can't continue.");
137 showfooter();
138 exit;
139 }
140
141 if($action == "reject")
142 {
143 mysql_query("update `disputedomain` set hash='',action='reject' where `id`='$domainid'");
144 showheader(_("Domain Dispute"));
145 echo _("You have opted to reject this dispute and the request will be removed from the database");
146 showfooter();
147 exit;
148 }
149 if($action == "accept")
150 {
151 showheader(_("Domain Dispute"));
152 echo "<p>"._("You have opted to accept this dispute and the request will now remove this domain from the existing account, and revoke any current certificates.")."</p>";
153 echo "<p>"._("The following accounts have been removed:")."<br>\n";
154 //new account_domain_delete($domainid, $memberID)
155 $query = "select * from `domains` where `id`='$domainid' and deleted=0";
156 $res = mysql_query($query);
157 if(mysql_num_rows($res) > 0)
158 {
159 echo $_SESSION['_config']['domain']."<br>\n";
160 account_domain_delete($domainid);
161 }
162 mysql_query("update `disputedomain` set hash='',action='accept' where `id`='$domainid'");
163 showfooter();
164 exit;
165 }
166 }
167
168 if($type == "domain")
169 {
170 $domainid = intval($_REQUEST['domainid']);
171 $hash = trim(mysql_escape_string(stripslashes($_REQUEST['hash'])));
172 if($domainid <= 0 || $hash == "")
173 {
174 showheader(_("Domain Dispute"));
175 echo _("Invalid request. Can't continue.");
176 showfooter();
177 exit;
178 }
179
180 $res = mysql_query("select * from `disputedomain` where `id`='$domainid' and `hash`='$hash'");
181 if(mysql_num_rows($res) <= 0)
182 {
183 $res = mysql_query("select * from `disputedomain` where `id`='$domainid' and hash!=''");
184 if(mysql_num_rows($res) > 0)
185 {
186 $row = mysql_fetch_assoc($res);
187 mysql_query("update `disputedomain` set `attempts`='".intval($row['attempts'] + 1)."' where `id`='".$row['id']."'");
188 showheader(_("Domain Dispute"));
189 if($row['attempts'] >= 3)
190 {
191 echo _("Your attempt to accept or reject a disputed domain is invalid due to the hash string not matching with the domain ID. Your attempt has been logged and the request will be removed from the system as a result.");
192 mysql_query("update `disputedomain` set hash='',action='failed' where `id`='$domainid'");
193 } else
194 echo _("Your attempt to accept or reject a disputed domain is invalid due to the hash string not matching with the domain ID.");
195 showfooter();
196 exit;
197 } else {
198 showheader(_("Domain Dispute"));
199 echo _("Invalid request. Can't continue.");
200 showfooter();
201 exit;
202 }
203 }
204 $_SESSION['_config']['domainid'] = $domainid;
205 $_SESSION['_config']['hash'] = $hash;
206 $row = mysql_fetch_assoc(mysql_query("select * from `disputedomain` where `id`='$domainid'"));
207 $_SESSION['_config']['domain'] = $row['domain'];
208 showheader(_("Domain Dispute"));
209 includeit("6", "disputes");
210 showfooter();
211 exit;
212 }
213
214 if($oldid == "1")
215 {
216 csrf_check('emaildispute');
217 $email = trim(mysql_escape_string(stripslashes($_REQUEST['dispute'])));
218 if($email == "")
219 {
220 showheader(_("Email Dispute"));
221 echo _("Not a valid email address. Can't continue.");
222 showfooter();
223 exit;
224 }
225
226 //check if email belongs to locked account
227 $res = mysql_query("select 1 from `email`, `users` where `email`.`email`='$email' and `email`.`memid`=`users`.`id` and (`users`.`assurer_blocked`=1 or `users`.`locked`=1)");
228 if(mysql_num_rows($res) > 0)
229 {
230 showheader(_("Email Dispute"));
231 printf(_("Sorry, the email address '%s' cannot be disputed for administrative reasons. To solve this problem please get in contact with %s."), sanitizeHTML($email),"<a href='mailto:support@cacert.org'>support@cacert.org</a>");
232 $duser=$_SESSION['profile']['fname']." ".$_SESSION['profile']['lname'];
233 $body = sprintf("Someone has just attempted to dispute this email '%s', which belongs to a locked account:\n".
234 "Username(ID): %s (%s)\n".
235 "email: %s\n".
236 "IP/Hostname: %s\n", $email, $duser, $_SESSION['profile']['id'], $_SESSION['profile']['email'], $_SERVER['REMOTE_ADDR'].(array_key_exists('REMOTE_HOST',$_SERVER)?"/".$_SERVER['REMOTE_HOST']:""));
237 sendmail("support@cacert.org", "[CAcert.org] failed dispute on locked account", $body, $_SESSION['profile']['email'], "", "", $duser);
238
239 showfooter();
240 exit;
241 }
242
243 $res = mysql_query("select * from `disputeemail` where `email`='$email' and hash!=''");
244 if(mysql_num_rows($res) > 0)
245 {
246 showheader(_("Email Dispute"));
247 printf(_("The email address '%s' already exists in the dispute system. Can't continue."), sanitizeHTML($email));
248 showfooter();
249 exit;
250 }
251
252 unset($oldid);
253 $query = "select * from `email` where `email`='$email' and `deleted`=0";
254 $res = mysql_query($query);
255 if(mysql_num_rows($res) <= 0)
256 {
257 showheader(_("Email Dispute"));
258 printf(_("The email address '%s' doesn't exist in the system. Can't continue."), sanitizeHTML($email));
259 showfooter();
260 exit;
261 }
262 $row = mysql_fetch_assoc($res);
263 $oldmemid = $row['memid'];
264 $emailid = $row['id'];
265 if($_SESSION['profile']['id'] == $oldmemid)
266 {
267 showheader(_("Email Dispute"));
268 echo _("You aren't allowed to dispute your own email addresses. Can't continue.");
269 showfooter();
270 exit;
271 }
272
273 $res = mysql_query("select * from `users` where `id`='$oldmemid'");
274 $user = mysql_fetch_assoc($res);
275 $rc = mysql_num_rows(mysql_query("select * from `domains` where `memid`='$oldmemid' and `deleted`=0"));
276 $rc2 = mysql_num_rows(mysql_query("select * from `email` where `memid`='$oldmemid' and `deleted`=0 and `id`!='$emailid'"));
277 if($user['email'] == $email && ($rc > 0 || $rc2 > 0))
278 {
279 showheader(_("Email Dispute"));
280 echo _("You only dispute the primary email address of an account if there is no longer any email addresses or domains linked to it.");
281 showfooter();
282 exit;
283 }
284
285 $hash = make_hash();
286 $query = "insert into `disputeemail` set `email`='$email',`memid`='".intval($_SESSION['profile']['id'])."',
287 `oldmemid`='$oldmemid',`created`=NOW(),`hash`='$hash',`id`='".intval($emailid)."',
288 `IP`='".$_SERVER['REMOTE_ADDR']."'";
289 mysql_query($query);
290
291 $my_translation = L10n::get_translation();
292 L10n::set_recipient_language($oldmemid);
293
294 $body = sprintf(_("You have been sent this email as the email address '%s' is being disputed. You have the option to accept or reject this request, after 2 days the request will automatically be discarded. Click the following link to accept or reject the dispute:"), $email)."\n\n";
295 $body .= "https://".$_SESSION['_config']['normalhostname']."/disputes.php?type=email&emailid=$emailid&hash=$hash\n\n";
296 $body .= _("Best regards")."\n"._("CAcert.org Support!");
297
298 sendmail($email, "[CAcert.org] "._("Dispute Probe"), $body, "support@cacert.org", "", "", "CAcert Support");
299 L10n::set_translation($my_translation);
300
301 showheader(_("Email Dispute"));
302 printf(_("The email address '%s' has been entered into the dispute system, the email address will now be sent an email which will give the recipent the option of accepting or rejecting the request, if after 2 days we haven't received a valid response for or against we will discard the request."), sanitizeHTML($email));
303 showfooter();
304 exit;
305 }
306
307 if($oldid == "2")
308 {
309 csrf_check('domaindispute');
310 $domain = trim(mysql_escape_string(stripslashes($_REQUEST['dispute'])));
311 if($domain == "")
312 {
313 showheader(_("Domain Dispute"));
314 echo _("Not a valid Domain. Can't continue.");
315 showfooter();
316 exit;
317 }
318
319 //check if domain belongs to locked account
320 $res = mysql_query("select 1 from `domains`, `users` where `domains`.`domain`='$domain' and `domains`.`memid`=`users`.`id` and (`users`.`assurer_blocked`=1 or `users`.`locked`=1)");
321 if(mysql_num_rows($res) > 0)
322 {
323 showheader(_("Domain Dispute"));
324 printf(_("Sorry, the domain '%s' cannot be disputed for administrative reasons. To solve this problem please get in contact with %s."), sanitizeHTML($domain),"<a href='mailto:support@cacert.org'>support@cacert.org</a>");
325 $duser=$_SESSION['profile']['fname']." ".$_SESSION['profile']['lname'];
326 $body = sprintf("Someone has just attempted to dispute this domain '%s', which belongs to a locked account:\n".
327 "Username(ID): %s (%s)\n".
328 "email: %s\n".
329 "IP/Hostname: %s\n", $domain, $duser, $_SESSION['profile']['id'], $_SESSION['profile']['email'], $_SERVER['REMOTE_ADDR'].(array_key_exists('REMOTE_HOST',$_SERVER)?"/".$_SERVER['REMOTE_HOST']:""));
330 sendmail("support@cacert.org", "[CAcert.org] failed dispute on locked account", $body, $_SESSION['profile']['email'], "", "", $duser);
331
332 showfooter();
333 exit;
334 }
335
336 $query = "select * from `disputedomain` where `domain`='$domain' and hash!=''";
337 $res = mysql_query($query);
338 if(mysql_num_rows($res) > 0)
339 {
340 showheader(_("Domain Dispute"));
341 printf(_("The domain '%s' already exists in the dispute system. Can't continue."), sanitizeHTML($domain));
342 showfooter();
343 exit;
344 }
345 unset($oldid);
346 $query = "select * from `domains` where `domain`='$domain' and `deleted`=0";
347 $res = mysql_query($query);
348 if(mysql_num_rows($res) <= 0)
349 {
350 $query = "select 1 from `orgdomains` where `domain`='$domain'";
351 $res = mysql_query($query);
352 if(mysql_num_rows($res) > 0)
353 {
354 showheader(_("Domain Dispute"));
355 printf(_("The domain '%s' is included in an organisation account. Please send a mail to %s to dispute this domain."), sanitizeHTML($domain),'<a href="mailto:support@cacert.org">support@cacert.org</a>');
356 showfooter();
357 exit;
358 }
359 showheader(_("Domain Dispute"));
360 printf(_("The domain '%s' doesn't exist in the system. Can't continue."), sanitizeHTML($domain));
361 showfooter();
362 exit;
363 }
364 $row = mysql_fetch_assoc($res);
365 $oldmemid = $row['memid'];
366 if($_SESSION['profile']['id'] == $oldmemid)
367 {
368 showheader(_("Domain Dispute"));
369 echo _("You aren't allowed to dispute your own domains. Can't continue.");
370 showfooter();
371 exit;
372 }
373
374 $domainid = $row['id'];
375 $_SESSION['_config']['domainid'] = $domainid;
376 $_SESSION['_config']['memid'] = array_key_exists('memid',$_REQUEST)?intval($_REQUEST['memid']):0;
377 $_SESSION['_config']['domain'] = $domain;
378 $_SESSION['_config']['oldmemid'] = $oldmemid;
379
380 $addy = array();
381 $domtmp = escapeshellarg($domain);
382 if(strtolower(substr($domtmp, -4, 3)) != ".jp")
383 $adds = explode("\n", trim(`whois $domtmp|grep \@`));
384 if(substr($domain, -4) == ".org" || substr($domain, -5) == ".info")
385 {
386 if(is_array($adds))
387 foreach($adds as $line)
388 {
389 $bits = explode(":", $line, 2);
390 $line = trim($bits[1]);
391 if(!in_array($line, $addy) && $line != "")
392 $addy[] = trim(mysql_escape_string(stripslashes($line)));
393 }
394 } else {
395 if(is_array($adds))
396 foreach($adds as $line)
397 {
398 $line = trim(str_replace("\t", " ", $line));
399 $line = trim(str_replace("(", "", $line));
400 $line = trim(str_replace(")", " ", $line));
401
402 $bits = explode(" ", $line);
403 foreach($bits as $bit)
404 {
405 if(strstr($bit, "@"))
406 $line = $bit;
407 }
408 if(!in_array($line, $addy) && $line != "")
409 $addy[] = trim(mysql_escape_string(stripslashes($line)));
410 }
411 }
412
413 $rfc = array("root@$domain", "hostmaster@$domain", "postmaster@$domain", "admin@$domain", "webmaster@$domain");
414 foreach($rfc as $sub)
415 if(!in_array($sub, $addy))
416 $addy[] = $sub;
417 $_SESSION['_config']['addy'] = $addy;
418 showheader(_("Domain Dispute"));
419 includeit("5", "disputes");
420 showfooter();
421 exit;
422 }
423
424 if($oldid == "5")
425 {
426 $authaddy = trim(mysql_escape_string(stripslashes($_REQUEST['authaddy'])));
427
428 if(!in_array($authaddy, $_SESSION['_config']['addy']) || $authaddy == "")
429 {
430 showheader(_("My CAcert.org Account!"));
431 echo _("The address you submitted isn't a valid authority address for the domain.");
432 showfooter();
433 exit;
434 }
435
436 $query = "select * from `domains` where `domain`='".$_SESSION['_config']['domain']."' and `deleted`=0";
437 $res = mysql_query($query);
438 if(mysql_num_rows($res) <= 0)
439 {
440 showheader(_("Domain Dispute!"));
441 printf(_("The domain '%s' isn't in the system. Can't continue."), sanitizeHTML($_SESSION['_config']['domain']));
442 showfooter();
443 exit;
444 }
445
446 $domainid = intval($_SESSION['_config']['domainid']);
447 $memid = intval($_SESSION['_config']['memid']);
448 $oldmemid = intval($_SESSION['_config']['oldmemid']);
449 $domain = mysql_escape_string($_SESSION['_config']['domain']);
450
451 $hash = make_hash();
452 $query = "insert into `disputedomain` set `domain`='$domain',`memid`='".$_SESSION['profile']['id']."',
453 `oldmemid`='$oldmemid',`created`=NOW(),`hash`='$hash',`id`='$domainid'";
454 mysql_query($query);
455 $my_translation = L10n::get_translation();
456 L10n::set_recipient_language($oldmemid);
457
458 $body = sprintf(_("You have been sent this email as the domain '%s' is being disputed. You have the option to accept or reject this request, after 2 days the request will automatically be discarded. Click the following link to accept or reject the dispute:"), $domain)."\n\n";
459 $body .= "https://".$_SESSION['_config']['normalhostname']."/disputes.php?type=domain&domainid=$domainid&hash=$hash\n\n";
460 $body .= _("Best regards")."\n"._("CAcert.org Support!");
461 L10n::set_recipient_language($my_translation);
462
463 sendmail($authaddy, "[CAcert.org] "._("Dispute Probe"), $body, "support@cacert.org", "", "", "CAcert Support");
464
465 showheader(_("Domain Dispute"));
466 printf(_("The domain '%s' has been entered into the dispute system, the email address you choose will now be sent an email which will give the recipent the option of accepting or rejecting the request, if after 2 days we haven't received a valid response for or against we will discard the request."), sanitizeHTML($domain));
467 showfooter();
468 exit;
469 }
470
471 showheader(_("Domain and Email Disputes"));
472 includeit($id, "disputes");
473 showfooter();
474 ?>