Merge branch 'bug-1318' into testserver-stable
authorBenny Baumann <BenBE@geshi.org>
Sun, 30 Nov 2014 18:03:58 +0000 (19:03 +0100)
committerBenny Baumann <BenBE@geshi.org>
Sun, 30 Nov 2014 18:03:58 +0000 (19:03 +0100)
includes/general.php

diff --combined includes/general.php
  //    if($_SESSION['profile']['id'] > 0)
  //            session_regenerate_id();
  
 +      //cf. http://stackoverflow.com/a/14532168
 +      if(!defined('ENT_HTML401'))     define('ENT_HTML401', 0);
 +      if(!defined('ENT_XML1'))        define('ENT_XML1', 16);
 +      if(!defined('ENT_XHTML'))       define('ENT_XHTML', 32);
 +      if(!defined('ENT_HTML5'))       define('ENT_HTML5', (32|16));
 +
        $pageLoadTime_Start = microtime(true);
  
        $junk = array(_("Face to Face Meeting"), _("Trusted Third Parties"), _("Thawte Points Transfer"), _("Administrative Increase"),
                }
        }
  
 +      function isValidWildcard($name){
 +              if(substr($name,0,2) == "*."){
 +                      $name = substr($name, 2);
 +              }
 +              if(!preg_match('/^(\\.(?!-)[a-z0-9_-]*[a-z0-9])+$/i','.'.$name)){
 +                      return false;
 +              }
 +              return strpos($name, "*") === false;
 +      }
 +
        function getcn()
        {
                unset($_SESSION['_config']['rows']);
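Review bot: The pattern in `isValidWildcard()` ends in `$` without the `D` modifier, so PCRE also accepts a name that ends in a newline. The later hunks use this function to accept or reject `$CN` and `$alt`, so the anchor should be strict: `'/^(\\.(?!-)[a-z0-9_-]*[a-z0-9])+$/iD'`. The function also has no docblock; it should state that a single leading `*.` is stripped, that any other `*` is rejected, that `_` is allowed inside labels, and that no label or total length limit is enforced. With the strict pattern the trailing `strpos($name, "*")` test is redundant, because the character class already excludes `*`.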
                        $bits = explode(".", $CN);
                        $dom = "";
                        $cnok = 0;
 +
 +                      if(!isValidWildcard($CN)){
 +                              $_SESSION['_config']['rejected'][] = $CN;
 +                              continue;
 +                      }
 +
                        for($i = count($bits) - 1; $i >= 0; $i--)
                        {
                                if($dom)
                                        $dom = $bits[$i];
                                $_SESSION['_config']['row'] = "";
                                $dom = mysql_real_escape_string($dom);
 -                              $query = "select * from domains where `memid`='".intval($_SESSION['profile']['id'])."' and `domain` like '$dom' and `deleted`=0 and `hash`=''";
 +                              $query = "select * from domains where `memid`='".intval($_SESSION['profile']['id'])."' and `domain` = '$dom' and `deleted`=0 and `hash`=''";
                                $res = mysql_query($query);
                                if(mysql_num_rows($res) > 0)
                                {
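Review bot: The rejected name is appended to `$_SESSION['_config']['rejected']` exactly as received, and nothing visible in this diff clears that list the way `rows` is unset at the top of `getcn()`. If the list is rendered to the user elsewhere (not shown here), each entry is untrusted request data and needs `htmlspecialchars()` at output. Stale entries from an earlier request should also be dropped, e.g. `unset($_SESSION['_config']['rejected']);` next to the existing `unset`. The same applies to the three other `isValidWildcard()` checks in the later hunks (on `$alt`, and on `$CN` and `$alt` again). The surrounding loop starts and ends outside this hunk.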
                        else
                                continue;
  
 +                      if(!isValidWildcard($alt)){
 +                              $_SESSION['_config']['rejected'][] = $alt;
 +                              continue;
 +                      }
 +
                        $bits = explode(".", $alt);
                        $dom = "";
                        $altok = 0;
                                        $dom = $bits[$i];
                                $_SESSION['_config']['altrow'] = "";
                                $dom = mysql_real_escape_string($dom);
 -                              $query = "select * from domains where `memid`='".intval($_SESSION['profile']['id'])."' and `domain` like '$dom' and `deleted`=0 and `hash`=''";
 +                              $query = "select * from domains where `memid`='".intval($_SESSION['profile']['id'])."' and `domain` = '$dom' and `deleted`=0 and `hash`=''";
                                $res = mysql_query($query);
                                if(mysql_num_rows($res) > 0)
                                {
                        $CN = $_SESSION['_config']["$cnc.CN"];
                        $bits = explode(".", $CN);
                        $dom = "";
 +
 +                        if(!isValidWildcard($CN)){
 +                                $_SESSION['_config']['rejected'][] = $CN;
 +                                continue;
 +                        }
 +
                        for($i = count($bits) - 1; $i >= 0; $i--)
                        {
                                if($dom)
                        else
                                continue;
  
 +                        if(!isValidWildcard($alt)){
 +                                $_SESSION['_config']['rejected'][] = $alt;
 +                                continue;
 +                        }
 +
                        $bits = explode(".", $alt);
                        $dom = "";
                        for($i = count($bits) - 1; $i >= 0; $i--)
                if(preg_match("/^([a-zA-Z0-9])+([a-zA-Z0-9\+\._-])*@([a-zA-Z0-9_-])+([a-zA-Z0-9\._-]+)+$/" , $email))
                {
                        list($username,$domain)=explode('@',$email,2);
-                       $mxhosts = array();
+                       $mxhostrr = array();
                        $mxweight = array();
                        if( !getmxrr($domain, $mxhostrr, $mxweight) ) {
                                $mxhostrr = array($domain);
                                $mx_host = trim($mxhostrr[$i], '.');
                                $mx_prio = $mxweight[$i];
                                if(empty($mxhostprio[$mx_prio])) {
-                                       $mxhostprio[$mx_prio] = arraY();
+                                       $mxhostprio[$mx_prio] = array();
                                }
                                $mxhostprio[$mx_prio][] = $mx_host;
                        }
  
                        foreach($mxhosts as $key => $domain)
                        {
 -                              $fp = @fsockopen($domain,25,$errno,$errstr,5);
 +                              $fp_opt = array(
 +                                      'ssl' => array(
 +                                              'verify_peer'   => false,       // Opportunistic Encryption
 +                                              )
 +                                      );
 +                              $fp_ctx = stream_context_create($fp_opt);
 +                              $fp = @stream_socket_client("tcp://$domain:25",$errno,$errstr,5,STREAM_CLIENT_CONNECT,$fp_ctx);
                                if($fp)
                                {
 +                                      stream_set_blocking($fp, true);
  
 -                                      $line = fgets($fp, 4096);
 -                                        while(substr($line, 0, 4) == "220-")
 -                                               $line = fgets($fp, 4096);
 -                                      if(substr($line, 0, 3) != "220")
 +                                      $has_starttls = false;
 +
 +                                      do {
 +                                              $line = fgets($fp, 4096);
 +                                      } while(substr($line, 0, 4) == "220-");
 +                                      if(substr($line, 0, 3) != "220") {
 +                                              fclose($fp);
                                                continue;
 -                                      fputs($fp, "HELO www.cacert.org\r\n");
 -                                      $line = fgets($fp, 4096);
 -                                      while(substr($line, 0, 3) == "220")
 +                                      }
 +
 +                                      fputs($fp, "EHLO www.cacert.org\r\n");
 +                                      do {
                                                $line = fgets($fp, 4096);
 -                                      if(substr($line, 0, 3) != "250")
 +                                              $has_starttls |= substr(trim($line),4) == "STARTTLS";
 +                                      } while(substr($line, 0, 4) == "250-");
 +                                      if(substr($line, 0, 3) != "250") {
 +                                              fclose($fp);
                                                continue;
 -                                      fputs($fp, "MAIL FROM:<returns@cacert.org>\r\n");
 -                                      $line = fgets($fp, 4096);
 +                                      }
 +
 +                                      if($has_starttls) {
 +                                              fputs($fp, "STARTTLS\r\n");
 +                                              do {
 +                                                      $line = fgets($fp, 4096);
 +                                              } while(substr($line, 0, 4) == "220-");
 +                                              if(substr($line, 0, 3) != "220") {
 +                                                      fclose($fp);
 +                                                      continue;
 +                                              }
 +
 +                                              stream_socket_enable_crypto($fp, true, STREAM_CRYPTO_METHOD_TLS_CLIENT);
 +
 +                                              fputs($fp, "EHLO www.cacert.org\r\n");
 +                                              do {
 +                                                      $line = fgets($fp, 4096);
 +                                              } while(substr($line, 0, 4) == "250-");
 +                                              if(substr($line, 0, 3) != "250") {
 +                                                      fclose($fp);
 +                                                      continue;
 +                                              }
 +                                      }
  
 -                                      if(substr($line, 0, 3) != "250")
 +                                      fputs($fp, "MAIL FROM:<returns@cacert.org>\r\n");
 +                                      do {
 +                                              $line = fgets($fp, 4096);
 +                                      } while(substr($line, 0, 4) == "250-");
 +                                      if(substr($line, 0, 3) != "250") {
 +                                              fclose($fp);
                                                continue;
 +                                      }
 +
                                        fputs($fp, "RCPT TO:<$email>\r\n");
 -                                      $line = trim(fgets($fp, 4096));
 +                                      do {
 +                                              $line = fgets($fp, 4096);
 +                                      } while(substr($line, 0, 4) == "250-");
 +                                      if(substr($line, 0, 3) != "250") {
 +                                              fclose($fp);
 +                                              continue;
 +                                      }
 +
                                        fputs($fp, "QUIT\r\n");
                                        fclose($fp);
  
                                        $line = mysql_real_escape_string(trim(strip_tags($line)));
                                        $query = "insert into `pinglog` set `when`=NOW(), `email`='$myemail', `result`='$line'";
 -                                      if(is_array($_SESSION['profile'])) $query.=", `uid`='".intval($_SESSION['profile']['id'])."'";
 +                                      if(isset($_SESSION['profile']) && is_array($_SESSION['profile']) && isset($_SESSION['profile']['id'])) $query.=", `uid`='".intval($_SESSION['profile']['id'])."'";
                                        mysql_query($query);
  
                                        if(substr($line, 0, 3) != "250")
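Review bot: The result of `stream_socket_enable_crypto()` after the `STARTTLS` reply is ignored, so a failed handshake is followed by a second `EHLO` on a connection in an undefined state. Check it and bail out like the other steps do: `if(stream_socket_enable_crypto($fp, true, STREAM_CRYPTO_METHOD_TLS_CLIENT) !== true) { fclose($fp); continue; }`. With `verify_peer` set to `false` the session is encrypted but the MX is not authenticated, which the "Opportunistic Encryption" comment should say explicitly so nobody later relies on it for identity. Separately, the new early `continue` after `RCPT TO` appears to skip the `pinglog` insert further down, so rejected probes would no longer be recorded; confirm that is intended. The enclosing function starts and ends outside this hunk.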
                        $subject="";
                        if(mysql_num_rows($res) > 0)
                        {
 -                              printf(_("Your certificate request is still queued and hasn't been processed yet. Please wait, and go to Certificates -> View to see it's status."));
 +                              printf('<p>' . _("Your certificate request is still queued and hasn't been processed yet. Please wait, and go to Certificates -> View to see it's status." . '</p>'));
                                $subject="[CAcert.org] Certificate TIMEOUT";
                                $body = "A certificate has timed out!\n\n";
                        }
                        else
                        {
 -                              printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions.")." certid:$table:".intval($certid), "<a href='http://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>");
 +                              printf('<p>' . _("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions.") . " certid:$table:".intval($certid) . '</p>', "<a href='http://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>");
                                $subject="[CAcert.org] Certificate FAILURE";
                                $body = "A certificate has failed: $table $certid $id $show\n\n";
                        }
  
                        $body .= _("Best regards")."\n"._("CAcert.org Support!");
  
 -                      sendmail("philipp@cacert.org", $subject, $body, "returns@cacert.org", "", "", "CAcert Support");
 +                      sendmail("sw-message@cacert.org", $subject, $body, "returns@cacert.org", "", "", "CAcert Support");
  
                        if($show) showfooter();
                        if($show) exit;
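Review bot: In the first new `printf` the closing parenthesis of `_()` is misplaced, so `'</p>'` is concatenated into the gettext msgid and the translation lookup for that message will miss. It should read `printf('<p>' . _("…") . '</p>');` with the message text unchanged, matching the second `printf` in this hunk. Both calls also use the translated string as the `printf` format, and the second interpolates `$table` into it, so a stray `%` from either would be parsed as a conversion. Passing those parts as arguments (`%s`) would avoid that.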
                return $res;
        }
  
 +      /**
 +        * Returns the given ip address truncated to /16 (ipv4) or to /48 (ipv6)
 +        */
 +      function anonymizeIP($ip){
 +              $bits = @inet_pton($ip);
 +              if($bits === false) {
 +                      return false;
 +              }
  
 -?>
 +              if(strlen($bits) == 4) {
 +                      $bits[2] = "\0";
 +                      $bits[3] = "\0";
 +                      $newIP = @inet_ntop($bits);
 +                      if($newIP !== false) {
 +                              $newIP .= "/16";
 +                      }
 +                      return $newIP;
 +              } else if(strlen($bits) == 16) {
 +                      for($i=6;$i<16;$i++){
 +                              $bits[$i]="\0";
 +                      }
 +                      $newIP = @inet_ntop($bits);
 +                      if($newIP !== false) {
 +                              $newIP .= "/48";
 +                      }
 +                      return $newIP;
 +              }
 +              return false;
 +      }
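Review bot: The docblock on `anonymizeIP()` does not say that the function returns `false` for input `inet_pton()` cannot parse, or that the result carries a `/16` or `/48` suffix rather than being a bare address. Callers that write the value to a log or database column need to know both. I would extend it with `@param string $ip` and `@return string|false truncated address with "/16" or "/48" appended, false if $ip is not a valid IPv4/IPv6 address`. The two `strlen($bits) == 4` / `== 16` comparisons could use `===`, since `strlen()` always returns an int.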