Merge branch 'bug-1173' into release
[cacert-devel.git] / www / disputes.php
1 <? /*
2 LibreSSL - CAcert web application
3 Copyright (C) 2004-2008 CAcert Inc.
4
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published by
7 the Free Software Foundation; version 2 of the License.
8
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
13
14 You should have received a copy of the GNU General Public License
15 along with this program; if not, write to the Free Software
16 Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
17 */ ?>
18 <?
19 require_once("../includes/loggedin.php");
20
21 loadem("account");
22
23 $type=""; if(array_key_exists('type',$_REQUEST)) $type=$_REQUEST['type'];
24 $action=""; if(array_key_exists('action',$_REQUEST)) $action=sanitizeHTML($_REQUEST['action']);
25
26 if($type == "reallyemail")
27 {
28 $emailid = intval($_SESSION['_config']['emailid']);
29 $hash = mysql_escape_string(trim($_SESSION['_config']['hash']));
30
31 $res = mysql_query("select * from `disputeemail` where `id`='$emailid' and `hash`='$hash'");
32 if(mysql_num_rows($res) <= 0)
33 {
34 showheader(_("Email Dispute"));
35 echo _("This dispute no longer seems to be in the database, can't continue.");
36 showfooter();
37 exit;
38 }
39 $row = mysql_fetch_assoc($res);
40 $oldmemid = $row['oldmemid'];
41
42 if($action == "reject")
43 {
44 mysql_query("update `disputeemail` set hash='',action='reject' where `id`='".intval($emailid)."'");
45 showheader(_("Email Dispute"));
46 echo _("You have opted to reject this dispute and the request will be removed from the database");
47 showfooter();
48 exit;
49 }
50 if($action == "accept")
51 {
52 showheader(_("Email Dispute"));
53 echo "<p>"._("You have opted to accept this dispute and the request will now remove this email address from the existing account, and revoke any current certificates.")."</p>";
54 echo "<p>"._("The following accounts have been removed:")."<br>\n";
55 $query = "select * from `email` where `id`='".intval($emailid)."' and deleted=0";
56 $res = mysql_query($query);
57 if(mysql_num_rows($res) > 0)
58 {
59 $row = mysql_fetch_assoc($res);
60 echo $row['email']."<br>\n";
61 $query = "select `emailcerts`.`id`
62 from `emaillink`,`emailcerts` where
63 `emailid`='$emailid' and `emaillink`.`emailcertsid`=`emailcerts`.`id` and
64 `revoked`=0 and UNIX_TIMESTAMP(`expire`)-UNIX_TIMESTAMP() > 0
65 group by `emailcerts`.`id`";
66 $dres = mysql_query($query);
67 while($drow = mysql_fetch_assoc($dres))
68 mysql_query("update `emailcerts` set `revoked`='1970-01-01 10:00:01' where `id`='".intval($drow['id'])."'");
69
70 $do = `../scripts/runclient`;
71 $query = "update `email` set `deleted`=NOW() where `id`='".intval($emailid)."'";
72 mysql_query($query);
73 }
74 mysql_query("update `disputeemail` set hash='',action='accept' where `id`='$emailid'");
75 $rc = mysql_num_rows(mysql_query("select * from `domains` where `memid`='$oldmemid' and `deleted`=0"));
76 $rc = mysql_num_rows(mysql_query("select * from `email` where `memid`='$oldmemid' and `deleted`=0 and `id`!='$emailid'"));
77 $res = mysql_query("select * from `users` where `id`='$oldmemid'");
78 $user = mysql_fetch_assoc($res);
79 if($rc == 0 && $rc2 == 0 && $_SESSION['_config']['email'] == $user['email'])
80 {
81 mysql_query("update `users` set `deleted`=NOW() where `id`='$oldmemid'");
82 echo _("This was the primary email on the account, and no emails or domains were left linked so the account has also been removed from the system.");
83 }
84
85 showfooter();
86 exit;
87 }
88 }
89
90 if($type == "email")
91 {
92 $emailid = intval($_REQUEST['emailid']);
93 $hash = trim(mysql_escape_string(stripslashes($_REQUEST['hash'])));
94 if($emailid <= 0 || $hash == "")
95 {
96 showheader(_("Email Dispute"));
97 echo _("Invalid request. Can't continue.");
98 showfooter();
99 exit;
100 }
101
102 $res = mysql_query("select * from `disputeemail` where `id`='$emailid' and `hash`='$hash'");
103 if(mysql_num_rows($res) <= 0)
104 {
105 $res = mysql_query("select * from `disputeemail` where `id`='$emailid' and hash!=''");
106 if(mysql_num_rows($res) > 0)
107 {
108 $row = mysql_fetch_assoc($res);
109 mysql_query("update `disputeemail` set `attempts`='".intval($row['attempts'] + 1)."' where `id`='".$row['id']."'");
110 showheader(_("Email Dispute"));
111 if($row['attempts'] >= 3)
112 {
113 echo _("Your attempt to accept or reject a disputed email is invalid due to the hash string not matching with the email ID. Your attempt has been logged and the request will be removed from the system as a result.");
114 mysql_query("update `disputeemail` set hash='',action='failed' where `id`='$emailid'");
115 } else
116 echo _("Your attempt to accept or reject a disputed email is invalid due to the hash string not matching with the email ID.");
117 showfooter();
118 exit;
119 } else {
120 showheader(_("Email Dispute"));
121 echo _("Invalid request. Can't continue.");
122 showfooter();
123 exit;
124 }
125 }
126 $_SESSION['_config']['emailid'] = $emailid;
127 $_SESSION['_config']['hash'] = $hash;
128 $row = mysql_fetch_assoc(mysql_query("select * from `disputeemail` where `id`='$emailid'"));
129 $_SESSION['_config']['email'] = $row['email'];
130 showheader(_("Email Dispute"));
131 includeit("4", "disputes");
132 showfooter();
133 exit;
134 }
135
136 if($type == "reallydomain")
137 {
138 $domainid = intval($_SESSION['_config']['domainid']);
139 $hash = mysql_escape_string(trim($_SESSION['_config']['hash']));
140
141 $res = mysql_query("select * from `disputedomain` where `id`='$domainid' and `hash`='$hash'");
142 if(mysql_num_rows($res) <= 0)
143 {
144 showheader(_("Domain Dispute"));
145 echo _("This dispute no longer seems to be in the database, can't continue.");
146 showfooter();
147 exit;
148 }
149
150 if($action == "reject")
151 {
152 mysql_query("update `disputedomain` set hash='',action='reject' where `id`='$domainid'");
153 showheader(_("Domain Dispute"));
154 echo _("You have opted to reject this dispute and the request will be removed from the database");
155 showfooter();
156 exit;
157 }
158 if($action == "accept")
159 {
160 showheader(_("Domain Dispute"));
161 echo "<p>"._("You have opted to accept this dispute and the request will now remove this domain from the existing account, and revoke any current certificates.")."</p>";
162 echo "<p>"._("The following accounts have been removed:")."<br>\n";
163 $query = "select * from `domains` where `id`='$domainid' and deleted=0";
164 $res = mysql_query($query);
165 if(mysql_num_rows($res) > 0)
166 {
167 echo $_SESSION['_config']['domain']."<br>\n";
168 mysql_query("update `domains` set `deleted`=NOW() where `id`='$domainid'");
169 $query = "select * from `domlink` where `domid`='$domainid'";
170 $res = mysql_query($query);
171 while($row = mysql_fetch_assoc($res))
172 mysql_query("update `domaincerts` set `revoked`='1970-01-01 10:00:01' where `id`='".$row['certid']."' and `revoked`=0 and UNIX_TIMESTAMP(`expire`)-UNIX_TIMESTAMP() > 0");
173 $do = `../scripts/runserver`;
174 }
175 mysql_query("update `disputedomain` set hash='',action='accept' where `id`='$domainid'");
176 showfooter();
177 exit;
178 }
179 }
180
181 if($type == "domain")
182 {
183 $domainid = intval($_REQUEST['domainid']);
184 $hash = trim(mysql_escape_string(stripslashes($_REQUEST['hash'])));
185 if($domainid <= 0 || $hash == "")
186 {
187 showheader(_("Domain Dispute"));
188 echo _("Invalid request. Can't continue.");
189 showfooter();
190 exit;
191 }
192
193 $res = mysql_query("select * from `disputedomain` where `id`='$domainid' and `hash`='$hash'");
194 if(mysql_num_rows($res) <= 0)
195 {
196 $res = mysql_query("select * from `disputedomain` where `id`='$domainid' and hash!=''");
197 if(mysql_num_rows($res) > 0)
198 {
199 $row = mysql_fetch_assoc($res);
200 mysql_query("update `disputedomain` set `attempts`='".intval($row['attempts'] + 1)."' where `id`='".$row['id']."'");
201 showheader(_("Domain Dispute"));
202 if($row['attempts'] >= 3)
203 {
204 echo _("Your attempt to accept or reject a disputed domain is invalid due to the hash string not matching with the domain ID. Your attempt has been logged and the request will be removed from the system as a result.");
205 mysql_query("update `disputedomain` set hash='',action='failed' where `id`='$domainid'");
206 } else
207 echo _("Your attempt to accept or reject a disputed domain is invalid due to the hash string not matching with the domain ID.");
208 showfooter();
209 exit;
210 } else {
211 showheader(_("Domain Dispute"));
212 echo _("Invalid request. Can't continue.");
213 showfooter();
214 exit;
215 }
216 }
217 $_SESSION['_config']['domainid'] = $domainid;
218 $_SESSION['_config']['hash'] = $hash;
219 $row = mysql_fetch_assoc(mysql_query("select * from `disputedomain` where `id`='$domainid'"));
220 $_SESSION['_config']['domain'] = $row['domain'];
221 showheader(_("Domain Dispute"));
222 includeit("6", "disputes");
223 showfooter();
224 exit;
225 }
226
227 if($oldid == "1")
228 {
229 csrf_check('emaildispute');
230 $email = trim(mysql_escape_string(stripslashes($_REQUEST['dispute'])));
231 if($email == "")
232 {
233 showheader(_("Email Dispute"));
234 echo _("Not a valid email address. Can't continue.");
235 showfooter();
236 exit;
237 }
238
239 //check if email belongs to locked account
240 $res = mysql_query("select 1 from `email`, `users` where `email`.`email`='$email' and `email`.`memid`=`users`.`id` and (`users`.`assurer_blocked`=1 or `users`.`locked`=1)");
241 if(mysql_num_rows($res) > 0)
242 {
243 showheader(_("Email Dispute"));
244 printf(_("Sorry, the email address '%s' cannot be disputed for administrative reasons. To solve this problem please get in contact with %s."), sanitizeHTML($email),"<a href='mailto:support@cacert.org'>support@cacert.org</a>");
245 $duser=$_SESSION['profile']['fname']." ".$_SESSION['profile']['lname'];
246 $body = sprintf("Someone has just attempted to dispute this email '%s', which belongs to a locked account:\n".
247 "Username(ID): %s (%s)\n".
248 "email: %s\n".
249 "IP/Hostname: %s\n", $email, $duser, $_SESSION['profile']['id'], $_SESSION['profile']['email'], $_SERVER['REMOTE_ADDR'].(array_key_exists('REMOTE_HOST',$_SERVER)?"/".$_SERVER['REMOTE_HOST']:""));
250 sendmail("support@cacert.org", "[CAcert.org] failed dispute on locked account", $body, $_SESSION['profile']['email'], "", "", $duser);
251
252 showfooter();
253 exit;
254 }
255
256 $res = mysql_query("select * from `disputeemail` where `email`='$email' and hash!=''");
257 if(mysql_num_rows($res) > 0)
258 {
259 showheader(_("Email Dispute"));
260 printf(_("The email address '%s' already exists in the dispute system. Can't continue."), sanitizeHTML($email));
261 showfooter();
262 exit;
263 }
264
265 unset($oldid);
266 $query = "select * from `email` where `email`='$email' and `deleted`=0";
267 $res = mysql_query($query);
268 if(mysql_num_rows($res) <= 0)
269 {
270 showheader(_("Email Dispute"));
271 printf(_("The email address '%s' doesn't exist in the system. Can't continue."), sanitizeHTML($email));
272 showfooter();
273 exit;
274 }
275 $row = mysql_fetch_assoc($res);
276 $oldmemid = $row['memid'];
277 $emailid = $row['id'];
278 if($_SESSION['profile']['id'] == $oldmemid)
279 {
280 showheader(_("Email Dispute"));
281 echo _("You aren't allowed to dispute your own email addresses. Can't continue.");
282 showfooter();
283 exit;
284 }
285
286 $res = mysql_query("select * from `users` where `id`='$oldmemid'");
287 $user = mysql_fetch_assoc($res);
288 $rc = mysql_num_rows(mysql_query("select * from `domains` where `memid`='$oldmemid' and `deleted`=0"));
289 $rc2 = mysql_num_rows(mysql_query("select * from `email` where `memid`='$oldmemid' and `deleted`=0 and `id`!='$emailid'"));
290 if($user['email'] == $email && ($rc > 0 || $rc2 > 0))
291 {
292 showheader(_("Email Dispute"));
293 echo _("You only dispute the primary email address of an account if there is no longer any email addresses or domains linked to it.");
294 showfooter();
295 exit;
296 }
297
298 $hash = make_hash();
299 $query = "insert into `disputeemail` set `email`='$email',`memid`='".intval($_SESSION['profile']['id'])."',
300 `oldmemid`='$oldmemid',`created`=NOW(),`hash`='$hash',`id`='".intval($emailid)."',
301 `IP`='".$_SERVER['REMOTE_ADDR']."'";
302 mysql_query($query);
303
304 $body = sprintf(_("You have been sent this email as the email address '%s' is being disputed. You have the option to accept or reject this request, after 2 days the request will automatically be discarded. Click the following link to accept or reject the dispute:"), $email)."\n\n";
305 $body .= "https://".$_SESSION['_config']['normalhostname']."/disputes.php?type=email&emailid=$emailid&hash=$hash\n\n";
306 $body .= _("Best regards")."\n"._("CAcert.org Support!");
307
308 sendmail($email, "[CAcert.org] "._("Dispute Probe"), $body, "support@cacert.org", "", "", "CAcert Support");
309
310 showheader(_("Email Dispute"));
311 printf(_("The email address '%s' has been entered into the dispute system, the email address will now be sent an email which will give the recipent the option of accepting or rejecting the request, if after 2 days we haven't received a valid response for or against we will discard the request."), sanitizeHTML($email));
312 showfooter();
313 exit;
314 }
315
316 if($oldid == "2")
317 {
318 csrf_check('domaindispute');
319 $domain = trim(mysql_escape_string(stripslashes($_REQUEST['dispute'])));
320 if($domain == "")
321 {
322 showheader(_("Domain Dispute"));
323 echo _("Not a valid Domain. Can't continue.");
324 showfooter();
325 exit;
326 }
327
328 //check if domain belongs to locked account
329 $res = mysql_query("select 1 from `domains`, `users` where `domains`.`domain`='$domain' and `domains`.`memid`=`users`.`id` and (`users`.`assurer_blocked`=1 or `users`.`locked`=1)");
330 if(mysql_num_rows($res) > 0)
331 {
332 showheader(_("Domain Dispute"));
333 printf(_("Sorry, the domain '%s' cannot be disputed for administrative reasons. To solve this problem please get in contact with %s."), sanitizeHTML($domain),"<a href='mailto:support@cacert.org'>support@cacert.org</a>");
334 $duser=$_SESSION['profile']['fname']." ".$_SESSION['profile']['lname'];
335 $body = sprintf("Someone has just attempted to dispute this domain '%s', which belongs to a locked account:\n".
336 "Username(ID): %s (%s)\n".
337 "email: %s\n".
338 "IP/Hostname: %s\n", $domain, $duser, $_SESSION['profile']['id'], $_SESSION['profile']['email'], $_SERVER['REMOTE_ADDR'].(array_key_exists('REMOTE_HOST',$_SERVER)?"/".$_SERVER['REMOTE_HOST']:""));
339 sendmail("support@cacert.org", "[CAcert.org] failed dispute on locked account", $body, $_SESSION['profile']['email'], "", "", $duser);
340
341 showfooter();
342 exit;
343 }
344
345 $query = "select * from `disputedomain` where `domain`='$domain' and hash!=''";
346 $res = mysql_query($query);
347 if(mysql_num_rows($res) > 0)
348 {
349 showheader(_("Domain Dispute"));
350 printf(_("The domain '%s' already exists in the dispute system. Can't continue."), sanitizeHTML($domain));
351 showfooter();
352 exit;
353 }
354 unset($oldid);
355 $query = "select * from `domains` where `domain`='$domain' and `deleted`=0";
356 $res = mysql_query($query);
357 if(mysql_num_rows($res) <= 0)
358 {
359 $query = "select 1 from `orgdomains` where `domain`='$domain'";
360 $res = mysql_query($query);
361 if(mysql_num_rows($res) > 0)
362 {
363 showheader(_("Domain Dispute"));
364 printf(_("The domain '%s' is included in an organisation account. Please send a mail to %s to dispute this domain."), sanitizeHTML($domain),'<a href="mailto:support@cacert.org">support@cacert.org</a>');
365 showfooter();
366 exit;
367 }
368 showheader(_("Domain Dispute"));
369 printf(_("The domain '%s' doesn't exist in the system. Can't continue."), sanitizeHTML($domain));
370 showfooter();
371 exit;
372 }
373 $row = mysql_fetch_assoc($res);
374 $oldmemid = $row['memid'];
375 if($_SESSION['profile']['id'] == $oldmemid)
376 {
377 showheader(_("Domain Dispute"));
378 echo _("You aren't allowed to dispute your own domains. Can't continue.");
379 showfooter();
380 exit;
381 }
382
383 $domainid = $row['id'];
384 $_SESSION['_config']['domainid'] = $domainid;
385 $_SESSION['_config']['memid'] = array_key_exists('memid',$_REQUEST)?intval($_REQUEST['memid']):0;
386 $_SESSION['_config']['domain'] = $domain;
387 $_SESSION['_config']['oldmemid'] = $oldmemid;
388
389 $addy = array();
390 $domtmp = escapeshellarg($domain);
391 if(strtolower(substr($domtmp, -4, 3)) != ".jp")
392 $adds = explode("\n", trim(`whois $domtmp|grep \@`));
393 if(substr($domain, -4) == ".org" || substr($domain, -5) == ".info")
394 {
395 if(is_array($adds))
396 foreach($adds as $line)
397 {
398 $bits = explode(":", $line, 2);
399 $line = trim($bits[1]);
400 if(!in_array($line, $addy) && $line != "")
401 $addy[] = trim(mysql_escape_string(stripslashes($line)));
402 }
403 } else {
404 if(is_array($adds))
405 foreach($adds as $line)
406 {
407 $line = trim(str_replace("\t", " ", $line));
408 $line = trim(str_replace("(", "", $line));
409 $line = trim(str_replace(")", " ", $line));
410
411 $bits = explode(" ", $line);
412 foreach($bits as $bit)
413 {
414 if(strstr($bit, "@"))
415 $line = $bit;
416 }
417 if(!in_array($line, $addy) && $line != "")
418 $addy[] = trim(mysql_escape_string(stripslashes($line)));
419 }
420 }
421
422 $rfc = array("root@$domain", "hostmaster@$domain", "postmaster@$domain", "admin@$domain", "webmaster@$domain");
423 foreach($rfc as $sub)
424 if(!in_array($sub, $addy))
425 $addy[] = $sub;
426 $_SESSION['_config']['addy'] = $addy;
427 showheader(_("Domain Dispute"));
428 includeit("5", "disputes");
429 showfooter();
430 exit;
431 }
432
433 if($oldid == "5")
434 {
435 $authaddy = trim(mysql_escape_string(stripslashes($_REQUEST['authaddy'])));
436
437 if(!in_array($authaddy, $_SESSION['_config']['addy']) || $authaddy == "")
438 {
439 showheader(_("My CAcert.org Account!"));
440 echo _("The address you submitted isn't a valid authority address for the domain.");
441 showfooter();
442 exit;
443 }
444
445 $query = "select * from `domains` where `domain`='".$_SESSION['_config']['domain']."' and `deleted`=0";
446 $res = mysql_query($query);
447 if(mysql_num_rows($res) <= 0)
448 {
449 showheader(_("Domain Dispute!"));
450 printf(_("The domain '%s' isn't in the system. Can't continue."), sanitizeHTML($_SESSION['_config']['domain']));
451 showfooter();
452 exit;
453 }
454
455 $domainid = intval($_SESSION['_config']['domainid']);
456 $memid = intval($_SESSION['_config']['memid']);
457 $oldmemid = intval($_SESSION['_config']['oldmemid']);
458 $domain = mysql_escape_string($_SESSION['_config']['domain']);
459
460 $hash = make_hash();
461 $query = "insert into `disputedomain` set `domain`='$domain',`memid`='".$_SESSION['profile']['id']."',
462 `oldmemid`='$oldmemid',`created`=NOW(),`hash`='$hash',`id`='$domainid'";
463 mysql_query($query);
464
465 $body = sprintf(_("You have been sent this email as the domain '%s' is being disputed. You have the option to accept or reject this request, after 2 days the request will automatically be discarded. Click the following link to accept or reject the dispute:"), $domain)."\n\n";
466 $body .= "https://".$_SESSION['_config']['normalhostname']."/disputes.php?type=domain&domainid=$domainid&hash=$hash\n\n";
467 $body .= _("Best regards")."\n"._("CAcert.org Support!");
468
469 sendmail($authaddy, "[CAcert.org] "._("Dispute Probe"), $body, "support@cacert.org", "", "", "CAcert Support");
470
471 showheader(_("Domain Dispute"));
472 printf(_("The domain '%s' has been entered into the dispute system, the email address you choose will now be sent an email which will give the recipent the option of accepting or rejecting the request, if after 2 days we haven't received a valid response for or against we will discard the request."), sanitizeHTML($domain));
473 showfooter();
474 exit;
475 }
476
477 showheader(_("Domain and Email Disputes"));
478 includeit($id, "disputes");
479 showfooter();
480 ?>