Merge branch 'bug-1394' into testserver-stable
authorBenny Baumann <BenBE@geshi.org>
Wed, 29 Jul 2015 17:28:04 +0000 (19:28 +0200)
committerBenny Baumann <BenBE@geshi.org>
Wed, 29 Jul 2015 17:28:04 +0000 (19:28 +0200)
1  2 
includes/account.php

diff --combined includes/account.php
@@@ -116,7 -116,8 +116,8 @@@ function buildSubjectFromSession() 
                if(strstr($_REQUEST['newemail'], "xn--") && $_SESSION['profile']['codesign'] <= 0)
                {
                        showheader(_("My CAcert.org Account!"));
-                       echo _("Due to the possibility for punycode domain exploits we currently do not allow any certificates to sign punycode domains or email addresses.");
+                       echo _("Due to the possibility for punycode domain exploits we currently only offer the use of IDN domains if your account has the code signing flag.") . "\n";
+                       printf(_("More information can be found %sin our wiki%s."), '<a href="//wiki.cacert.org/FAQ/Privilege">', '</a>');
                        showfooter();
                        exit;
                }
                if(strstr($newdomain, "xn--") && $_SESSION['profile']['codesign'] <= 0)
                {
                        showheader(_("My CAcert.org Account!"));
-                       echo _("Due to the possibility for punycode domain exploits we currently do not allow any certificates to sign punycode domains or email addresses.");
+                       echo _("Due to the possibility for punycode domain exploits we currently only offer the use of IDN domains if your account has the code signing flag.") . "\n";
+                       printf(_("More information can be found %sin our wiki%s."),'<a href="//wiki.cacert.org/FAQ/Privilege">', '</a>');
                        showfooter();
                        exit;
                }
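Review bot: The two new message blocks at L15–16 and L24–25 are identical apart from the variable being tested, and they have already drifted: the `printf` at L25 lacks the space after the comma that L16 has (`'</a>')` argument list). Since the header, the two output lines and the `showfooter(); exit;` are repeated verbatim, a small helper that emits the punycode notice once would keep the text and the wiki URL in a single place. Note also that the anchor markup is now supplied through `%s` placeholders inside a translatable string, so a translation that drops or reorders a placeholder leaves unbalanced HTML; a translator comment next to the `printf` stating that both placeholders must be kept would help. The enclosing block starts before this hunk.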
                                                `rootcert`='".intval($row['rootcert'])."',
                                                `type`='".intval($row['type'])."',
                                                `pkhash`='".mysql_real_escape_string($row['pkhash'])."',
 -                                              `description`='".mysql_real_escape_string($row['description'])."'";
 +                                              `description`='".mysql_real_escape_string($row['description'])."',
 +                                              `md`='".HashAlgorithms::clean($row['md'])."'";
                                mysql_query($query);
                                $newid = mysql_insert_id();
                                $newfile=generatecertpath("csr","server",$newid);
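Review bot: The new `md` value at L34 is concatenated into the SQL string straight from `HashAlgorithms::clean($row['md'])`, whereas the neighbouring `description` goes through `mysql_real_escape_string`. Whether `clean()` reduces its input to a fixed set of algorithm names is not visible in this hunk; if it can pass anything else through, the value needs the same escaping, `` `md`='".mysql_real_escape_string(HashAlgorithms::clean($row['md']))."'"; ``, and if it does whitelist, a one-line comment at the call site saying so spares the next reader the same question. The same pattern is introduced at L43, L123 and L132. The statement being built starts outside the hunk.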
                                                `disablelogin`='".intval($row['disablelogin'])."',
                                                `codesign`='".intval($row['codesign'])."',
                                                `rootcert`='".intval($row['rootcert'])."',
 -                                              `description`='".mysql_real_escape_string($row['description'])."'";
 +                                              `description`='".mysql_real_escape_string($row['description'])."',
 +                                              `md`='".HashAlgorithms::clean($row['md'])."'";
                                mysql_query($query);
                                $newid = mysql_insert_id();
                                $newfile=generatecertpath("csr","client",$newid);
                exit;
        }
  
 +      if($oldid == 6 && $_REQUEST['certid'] != "")
 +      {
 +              if(trim($_REQUEST['description']) != ""){
 +                      $description= trim(mysql_real_escape_string(stripslashes($_REQUEST['description'])));
 +              }else{
 +                      $description= "";
 +              }
 +
 +              if(trim($_REQUEST['disablelogin']) == "1"){
 +                      $disablelogin = 1;
 +              }else{
 +                      $disablelogin = 0;
 +              }
 +
 +              mysql_query("update `emailcerts` set `disablelogin`='$disablelogin', `description`='$description' where `id`='".$_REQUEST['certid']."' and `memid`='".$_SESSION['profile']['id']."'");
 +      }
 +
        if($oldid == 13 && $process != "" && $showdetails!="")
        {
                csrf_check("perschange");
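Review bot: In the new `$oldid == 6` block, `$_REQUEST['certid']` is interpolated into the `update \`emailcerts\`` statement at L64 with neither `intval()` nor escaping, unlike the ids elsewhere in this file (L73, L81 cast with `intval`); the `memid` value on the same line is likewise uncast. Use `where \`id\`='".intval($_REQUEST['certid'])."' and \`memid\`='".intval($_SESSION['profile']['id'])."'`. At L53 the description is escaped first and trimmed afterwards; trim the raw input and escape last, `$description = mysql_real_escape_string(trim(stripslashes($_REQUEST['description'])));`, so the escaping covers exactly what is stored. The other state-changing `$oldid` handlers in this hunk begin with a `csrf_check()` (L69); this new branch has none.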
  
        if($oldid == 13 && $process != "")
        {
 -              $ddquery = "select sum(`points`) as `total` from `notary` where `to`='".intval($_SESSION['profile']['id'])."' and `deleted` = 0 group by `to`";
 -              $ddres = mysql_query($ddquery);
 -              $ddrow = mysql_fetch_assoc($ddres);
 -              $_SESSION['profile']['points'] = $ddrow['total'];
 +              update_points_in_profile();
  
                if($_SESSION['profile']['points'] == 0)
                {
                $_SESSION['profile'] = mysql_fetch_assoc(mysql_query("select * from `users` where `id`='".intval($_SESSION['profile']['id'])."'"));
                $_SESSION['profile']['loggedin'] = 1;
  
 -              $ddquery = "select sum(`points`) as `total` from `notary` where `to`='".intval($_SESSION['profile']['id'])."' and `deleted` = 0 group by `to`";
 -              $ddres = mysql_query($ddquery);
 -              $ddrow = mysql_fetch_assoc($ddres);
 -              $_SESSION['profile']['points'] = $ddrow['total'];
 +              update_points_in_profile();
  
  
                $id = 13;
                showheader(_("My CAcert.org Account!"));
                if($_SESSION['_config']['user']['pword1'] == "" || $_SESSION['_config']['user']['pword1'] != $_SESSION['_config']['user']['pword2'])
                {
 -                      echo '<h3 style="color:red">', _("Failure: Pass Phrase not Changed"),
 +                      echo '<h3 class="error_fatal">', _("Failure: Pass Phrase not Changed"),
                                '</h3>', "\n";
                        echo _("New Pass Phrases specified don't match or were blank.");
                } else {
                        }
  
                        if(strlen($_SESSION['_config']['user']['pword1']) < 6) {
 -                              echo '<h3 style="color:red">',
 +                              echo '<h3 class="error_fatal">',
                                        _("Failure: Pass Phrase not Changed"), '</h3>', "\n";
                                echo _("The Pass Phrase you submitted was too short.");
                        } else if($score < 3) {
 -                              echo '<h3 style="color:red">',
 +                              echo '<h3 class="error_fatal">',
                                        _("Failure: Pass Phrase not Changed"), '</h3>', "\n";
                                printf(_("The Pass Phrase you submitted failed to contain enough differing characters and/or contained words from your name and/or email address. Only scored %s points out of 6."), $score);
                        } else if($rc <= 0) {
 -                              echo '<h3 style="color:red">',
 +                              echo '<h3 class="error_fatal">',
                                        _("Failure: Pass Phrase not Changed"), '</h3>', "\n";
                                echo _("You failed to correctly enter your current Pass Phrase.");
                        } else {
                                                `modified`=NOW(),
                                                `codesign`='".intval($row['codesign'])."',
                                                `rootcert`='".intval($row['rootcert'])."',
 -                                              `description`='".mysql_real_escape_string($row['description'])."'";
 +                                              `description`='".mysql_real_escape_string($row['description'])."',
 +                                              `md`='".HashAlgorithms::clean($row['md'])."'";
                                mysql_query($query);
                                $newid = mysql_insert_id();
                                $newfile=generatecertpath("csr","orgclient",$newid);
                                                `subject`='".mysql_real_escape_string($row['subject'])."',
                                                `type`='".intval($row['type'])."',
                                                `rootcert`='".intval($row['rootcert'])."',
 -                                              `description`='".mysql_real_escape_string($row['description'])."'";
 +                                              `description`='".mysql_real_escape_string($row['description'])."',
 +                                              `md`='".HashAlgorithms::clean($row['md'])."'";
                                mysql_query($query);
                                $newid = mysql_insert_id();
                                //echo "NewID: $newid<br/>\n";
                                                `contact`='".$_SESSION['_config']['contact']."',
                                                `L`='".$_SESSION['_config']['L']."',
                                                `ST`='".$_SESSION['_config']['ST']."',
 -                                              `C`='".$_SESSION['_config']['C']."',
 +                                              `C`='".strtoupper($_SESSION['_config']['C'])."',
                                                `comments`='".$_SESSION['_config']['comments']."'");
                        showheader(_("My CAcert.org Account!"));
                        printf(_("'%s' has just been successfully added as an organisation to the database."), sanitizeHTML($_SESSION['_config']['O']));
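Review bot: `strtoupper($_SESSION['_config']['C'])` at L140 (and again at L148) is inserted into the SQL string without `mysql_real_escape_string`, as are the neighbouring `_config` fields; whether these values were already escaped when they were stored in the session is outside this hunk. If they were not, the country code should be escaped here like the other user-derived values in this file, `` `C`='".mysql_real_escape_string(strtoupper($_SESSION['_config']['C']))."', ``; if they were, a comment at the top of the statement noting that `_config` holds pre-escaped values would make that contract visible. Normalising the case once where `_config['C']` is populated would also avoid repeating the `strtoupper()` in both the insert and the update statement. The statement begins outside the hunk.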
                                                `contact`='".$_SESSION['_config']['contact']."',
                                                `L`='".$_SESSION['_config']['L']."',
                                                `ST`='".$_SESSION['_config']['ST']."',
 -                                              `C`='".$_SESSION['_config']['C']."',
 +                                              `C`='".strtoupper($_SESSION['_config']['C'])."',
                                                `comments`='".$_SESSION['_config']['comments']."'
                                        where `id`='".intval($_SESSION['_config']['orgid'])."'");
                        showheader(_("My CAcert.org Account!"));
                        $row = mysql_fetch_assoc(mysql_query("select * from `users` where `id`='".intval($_REQUEST['userid'])."'"));
                        printf(_("The password for %s has been updated successfully in the system."), sanitizeHTML($row['email']));
  
 -              $my_translation = L10n::get_translation();
 -              L10n::set_recipient_language(intval($_REQUEST['userid']));
 +                      $my_translation = L10n::get_translation();
 +                      L10n::set_recipient_language(intval($_REQUEST['userid']));
                        $body  = sprintf(_("Hi %s,"),$row['fname'])."\n\n";
                        $body .= _("You are receiving this email because a CAcert administrator ".
                                        "has changed the password on your account.")."\n\n";
  
                        sendmail($row['email'], "[CAcert.org] "._("Password Update Notification"), $body,
                                                "support@cacert.org", "", "", "CAcert Support");
 -              L10n::set_translation($my_translation);
 +                      L10n::set_translation($my_translation);
                }
  
                showfooter();
                }
        }
  
 -      /* presently not needed
 -      if($id == 43 && array_key_exists('tverify',$_REQUEST) && $_REQUEST['tverify'] > 0 && $ticketvalidation==TRUE)
 -      {
 -              $memid = $_REQUEST['userid'] = intval($_REQUEST['tverify']);
 -              if (!write_se_log($memid, $_SESSION['profile']['id'],'SE Change tverify status',$ticketno)) {
 -                      showheader(_("Something went wrong"));
 -                      echo _("Writing to the admin log failed. Can't continue.");
 -                      showfooter();
 -                      exit;
 -              }
 -              $query = "select * from `users` where `id`='$memid'";
 -              $row = mysql_fetch_assoc(mysql_query($query));
 -              $ver = !$row['tverify'];
 -              mysql_query("update `users` set `tverify`='$ver' where `id`='$memid'");
 -      }elseif($id == 43 && array_key_exists('tverify',$_REQUEST) && $_REQUEST['tverify'] > 0 && $ticketvalidation==FALSE){
 -              $_SESSION['ticketmsg']='No action taken. Ticket number is missing!';
 -      }
 -      */
 -
        if($id == 43 && array_key_exists('assurer',$_REQUEST) && $_REQUEST['assurer'] > 0 && $ticketvalidation == TRUE)
        {
                csrf_check('admsetassuret');