Merge branch 'release' into bug-807
authorBenny Baumann <BenBE@geshi.org>
Fri, 13 Jun 2014 07:19:57 +0000 (09:19 +0200)
committerBenny Baumann <BenBE@geshi.org>
Fri, 13 Jun 2014 07:19:57 +0000 (09:19 +0200)
Conflicts:
includes/account.php
includes/lib/account.php
pages/account/16.php

1  2 
includes/account.php
includes/lib/account.php
pages/account/16.php
www/styles/default.css

@@@ -387,8 -386,7 +389,8 @@@ function buildSubjectFromSession() 
                                                `codesign`='".intval($_SESSION['_config']['codesign'])."',
                                                `disablelogin`='".($_SESSION['_config']['disablelogin']?1:0)."',
                                                `rootcert`='".intval($_SESSION['_config']['rootcert'])."',
-                                               `description`='".$_SESSION['_config']['description']."'";
 +                                              `md`='".mysql_real_escape_string($_SESSION['_config']['hash_alg'])."',
+                                               `description`='".mysql_real_escape_string($_SESSION['_config']['description'])."'";
                        mysql_query($query);
                        $emailid = mysql_insert_id();
                        if(is_array($addys))
                        $query = "insert into emailcerts set
                                                `CN`='$defaultemail',
                                                `keytype`='".sanitizeHTML($_REQUEST['keytype'])."',
-                                               `memid`='".$_SESSION['profile']['id']."',
+                                               `memid`='".intval($_SESSION['profile']['id'])."',
                                                `created`=FROM_UNIXTIME(UNIX_TIMESTAMP()),
                                                `subject`='".mysql_real_escape_string($csrsubject)."',
-                                               `codesign`='".$_SESSION['_config']['codesign']."',
+                                               `codesign`='".intval($_SESSION['_config']['codesign'])."',
                                                `disablelogin`='".($_SESSION['_config']['disablelogin']?1:0)."',
-                                               `rootcert`='".$_SESSION['_config']['rootcert']."',
+                                               `rootcert`='".intval($_SESSION['_config']['rootcert'])."',
 +                                              `md`='".mysql_real_escape_string($_SESSION['_config']['hash_alg'])."',
-                                               `description`='".$_SESSION['_config']['description']."'";
+                                               `description`='".mysql_real_escape_string($_SESSION['_config']['description'])."'";
                        mysql_query($query);
                        $emailid = mysql_insert_id();
                        if(is_array($addys))
                                                `domid`='".mysql_real_escape_string($_SESSION['_config']['rowid']['0'])."',
                                                `created`=NOW(),`subject`='".mysql_real_escape_string($subject)."',
                                                `rootcert`='".mysql_real_escape_string($_SESSION['_config']['rootcert'])."',
-                                               `description`='".$_SESSION['_config']['description']."'";
 +                                              `md`='".mysql_real_escape_string($_SESSION['_config']['hash_alg'])."',
+                                               `description`='".mysql_real_escape_string($_SESSION['_config']['description'])."'";
                } elseif(array_key_exists('0',$_SESSION['_config']['altid']) && $_SESSION['_config']['altid']['0'] > 0) {
                        $query = "insert into `domaincerts` set
                                                `CN`='".mysql_real_escape_string($_SESSION['_config']['altrows']['0'])."',
                                                `domid`='".mysql_real_escape_string($_SESSION['_config']['altid']['0'])."',
                                                `created`=NOW(),`subject`='".mysql_real_escape_string($subject)."',
                                                `rootcert`='".mysql_real_escape_string($_SESSION['_config']['rootcert'])."',
-                                               `description`='".$_SESSION['_config']['description']."'";
 +                                              `md`='".mysql_real_escape_string($_SESSION['_config']['hash_alg'])."',
+                                               `description`='".mysql_real_escape_string($_SESSION['_config']['description'])."'";
                } else {
                        showheader(_("My CAcert.org Account!"));
                        echo _("Domain not verified.");
                if($_SESSION['_config']['rootcert'] < 1 || $_SESSION['_config']['rootcert'] > 2)
                        $_SESSION['_config']['rootcert'] = 1;
  
-               if(trim($_REQUEST['description']) != ""){
-                       $_SESSION['_config']['description']= trim(mysql_real_escape_string(stripslashes($_REQUEST['description'])));
-               }else{
-                       $_SESSION['_config']['description']= "";
-               }
 +              $_SESSION['_config']['hash_alg'] = HashAlgorithms::clean($_REQUEST['hash_alg']);
 +
+               $_SESSION['_config']['description']= trim(stripslashes($_REQUEST['description']));
  
                if(@count($_SESSION['_config']['emails']) > 0)
                        $id = 17;
  
                        $query = "insert into `orgemailcerts` set
                                                `CN`='$defaultemail',
-                                               `ou`='".$_SESSION['_config']['OU']."',
+                                               `ou`='".mysql_real_escape_string($_SESSION['_config']['OU'])."',
                                                `keytype`='NS',
-                                               `orgid`='".$org['orgid']."',
+                                               `orgid`='".intval($org['orgid'])."',
                                                `created`=FROM_UNIXTIME(UNIX_TIMESTAMP()),
-                                               `codesign`='".$_SESSION['_config']['codesign']."',
-                                               `rootcert`='".$_SESSION['_config']['rootcert']."',
+                                               `codesign`='".intval($_SESSION['_config']['codesign'])."',
+                                               `rootcert`='".intval($_SESSION['_config']['rootcert'])."',
 +                                              `md`='".mysql_real_escape_string($_SESSION['_config']['hash_alg'])."',
-                                               `description`='".$_SESSION['_config']['description']."'";
+                                               `description`='".mysql_real_escape_string($_SESSION['_config']['description'])."'";
                        mysql_query($query);
                        $emailid = mysql_insert_id();
  
  
                        $query = "insert into `orgemailcerts` set
                                                `CN`='$defaultemail',
-                                               `ou`='".$_SESSION['_config']['OU']."',
+                                               `ou`='".mysql_real_escape_string($_SESSION['_config']['OU'])."',
                                                `keytype`='" . sanitizeHTML($_REQUEST['keytype']) . "',
-                                               `orgid`='".$org['orgid']."',
+                                               `orgid`='".intval($org['orgid'])."',
                                                `created`=FROM_UNIXTIME(UNIX_TIMESTAMP()),
-                                               `subject`='$csrsubject',
-                                               `codesign`='".$_SESSION['_config']['codesign']."',
-                                               `rootcert`='".$_SESSION['_config']['rootcert']."',
+                                               `subject`='".mysql_real_escape_string($csrsubject)."',
+                                               `codesign`='".intval($_SESSION['_config']['codesign'])."',
+                                               `rootcert`='".intval($_SESSION['_config']['rootcert'])."',
 +                                              `md`='".mysql_real_escape_string($_SESSION['_config']['hash_alg'])."',
-                                               `description`='".$_SESSION['_config']['description']."'";
+                                               `description`='".mysql_real_escape_string($_SESSION['_config']['description'])."'";
                        mysql_query($query);
                        $emailid = mysql_insert_id();
  
                if($_SESSION['_config']['rowid']['0'] > 0)
                {
                        $query = "insert into `orgdomaincerts` set
-                                       `CN`='".$_SESSION['_config']['rows']['0']."',
-                                       `orgid`='".$org['id']."',
+                                       `CN`='".mysql_real_escape_string($_SESSION['_config']['rows']['0'])."',
+                                       `orgid`='".intval($org['id'])."',
                                        `created`=NOW(),
-                                       `subject`='$csrsubject',
-                                       `rootcert`='".$_SESSION['_config']['rootcert']."',
+                                       `subject`='".mysql_real_escape_string($csrsubject)."',
+                                       `rootcert`='".intval($_SESSION['_config']['rootcert'])."',
 +                                      `md`='".mysql_real_escape_string($_SESSION['_config']['hash_alg'])."',
-                                       `type`='$type',
-                                       `description`='".$_SESSION['_config']['description']."'";
+                                       `type`='".$type."',
+                                       `description`='".mysql_real_escape_string($_SESSION['_config']['description'])."'";
                } else {
                        $query = "insert into `orgdomaincerts` set
-                                       `CN`='".$_SESSION['_config']['altrows']['0']."',
-                                       `orgid`='".$org['id']."',
+                                       `CN`='".mysql_real_escape_string($_SESSION['_config']['altrows']['0'])."',
+                                       `orgid`='".intval($org['id'])."',
                                        `created`=NOW(),
-                                       `subject`='$csrsubject',
-                                       `rootcert`='".$_SESSION['_config']['rootcert']."',
+                                       `subject`='".mysql_real_escape_string($csrsubject)."',
+                                       `rootcert`='".intval($_SESSION['_config']['rootcert'])."',
 +                                      `md`='".mysql_real_escape_string($_SESSION['_config']['hash_alg'])."',
-                                       `type`='$type',
-                                       `description`='".$_SESSION['_config']['description']."'";
+                                       `type`='".$type."',
+                                       `description`='".mysql_real_escape_string($_SESSION['_config']['description'])."'";
                }
                mysql_query($query);
                $CSRid = mysql_insert_id();
@@@ -96,54 -98,3 +98,53 @@@ function fix_assurer_flag($userID = NUL
  
        return true;
  }
 +
 +/**
 + * Supported hash algorithms for signing certificates
 + */
 +class HashAlgorithms {
 +      /**
 +       * Default hash algorithm identifier for signing
 +       * @var string
 +       */
 +      public static $default = 'sha256';
 +
 +      /**
 +       * Get display strings for the supported hash algorithms
 +       * @return array(string=>array('name'=>string, 'info'=>string))
 +       *     - [$hash_identifier]['name'] = Name that should be displayed in UI
 +       *     - [$hash_identifier]['info'] = Additional information that can help
 +       *       with the selection of a suitable algorithm
 +       */
 +      public static function getInfo() {
 +              return array(
 +                              'sha256' => array(
 +                                              'name' => 'SHA-256',
 +                                              'info' => _('Currently recommended, because the other algorithms might break on some older versions of the GnuTLS library (older than 3.x) still shipped in Debian for example.'),
 +                                      ),
 +                              'sha384' => array(
 +                                              'name' => 'SHA-384',
 +                                              'info' => '',
 +                                      ),
 +                              'sha512' => array(
 +                                              'name' => 'SHA-512',
 +                                              'info' => _('Highest protection against hash collision attacks of the algorithms offered here.'),
 +                                      ),
 +                      );
 +      }
 +
 +      /**
 +       * Check if the input is a supported hash algorithm identifier otherwise
 +       * return the identifier of the default hash algorithm
 +       *
 +       * @param string $hash_identifier
 +       * @return string The cleaned identifier
 +       */
 +      public static function clean($hash_identifier) {
 +              if (array_key_exists($hash_identifier, self::getInfo() )) {
 +                      return $hash_identifier;
 +              } else {
 +                      return self::$default;
 +              }
 +      }
 +}
    <tr>
      <td class="DataTD"><?=_("Add")?></td>
      <td class="DataTD"><?=_("Address")?></td>
 -<? if(array_key_exists('emails',$_SESSION['_config']) && is_array($_SESSION['_config']['emails']))
 -      foreach($_SESSION['_config']['emails'] as $val) { ?>
 +<?
 +if (array_key_exists('emails',$_SESSION['_config']) && is_array($_SESSION['_config']['emails'])) {
 +      $i = 1;
 +      foreach($_SESSION['_config']['emails'] as $val) {
 +?>
    <tr>
 -    <td class="DataTD"><?=_("Email")?>:</td>
 -    <td class="DataTD"><input type="text" name="emails[]" value="<?=$val?>"/></td>
 +    <td class="DataTD"><label for="email<?=$i?>"><?=_("Email")?></label></td>
 +    <td class="DataTD"><input type="text" id="email<?=$i?>" name="emails[]" value="<?=$val?>"/></td>
    </tr>
 -<? } ?>
 +<?
 +              $i++;
 +      }
 +} ?>
    <tr>
 -    <td class="DataTD"><?=_("Email")?>:</td>
 -    <td class="DataTD"><input type="text" name="emails[]"/></td>
 +    <td class="DataTD"><label for="email0"><?=_("Email")?></td>
 +    <td class="DataTD"><input type="text" id="email0" name="emails[]"/></td>
    </tr>
    <tr>
 -    <td class="DataTD"><?=_("Name")?>:</td>
 -    <td class="DataTD"><input type="text" name="name" value="<?=array_key_exists('name',$_SESSION['_config'])?($_SESSION['_config']['name']):''?>"/></td>
 +    <td class="DataTD"><label for="name"><?=_("Name")?></label></td>
 +    <td class="DataTD"><input type="text" id="name" name="name" value="<?=array_key_exists('name',$_SESSION['_config'])?($_SESSION['_config']['name']):''?>"/></td>
    </tr>
    <tr>
 -    <td class="DataTD"><?=_("Department")?>:</td>
 -    <td class="DataTD"><input type="text" name="OU" value="<?=array_key_exists('OU',$_SESSION['_config'])?(sanitizeHTML($_SESSION['_config']['OU'])):''?>"/></td>
 +    <td class="DataTD"><label for="OU"><?=_("Department")?></label></td>
-     <td class="DataTD"><input type="text" id="OU" name="OU" value="<?=array_key_exists('OU',$_SESSION['_config'])?($_SESSION['_config']['OU']):''?>"/></td>
++    <td class="DataTD"><input type="text" id="OU" name="OU" value="<?=array_key_exists('OU',$_SESSION['_config'])?(sanitizeHTML($_SESSION['_config']['OU'])):''?>"/></td>
    </tr>
 -  <tr>
 +
 +  <tr name="expertoff" style="display:none">
 +    <td class="DataTD">
 +      <input type="checkbox" id="expertbox" name="expertbox" onchange="showExpert(this.checked)" />
 +    </td>
 +    <td class="DataTD">
 +      <label for="expertbox"><?=_("Show advanced options")?></label>
 +    </td>
 +  </tr>
 +  <tr name="expert">
 +    <td class="DataTD" colspan="2" align="left">
 +        <input type="radio" id="root1" name="rootcert" value="1" /> <label for="root1"><?=_("Sign by class 1 root certificate")?></label><br />
 +        <input type="radio" id="root2" name="rootcert" value="2" checked="checked" /> <label for="root2"><?=_("Sign by class 3 root certificate")?></label><br />
 +        <?=str_replace("\n", "<br>\n", wordwrap(_("Please note: If you use a certificate signed by the class 3 root, the class 3 root certificate needs to be imported into your email program as well as the class 1 root certificate so your email program can build a full trust path chain."), 60))?>
 +    </td>
 +  </tr>
 +
 +  <tr name="expert">
      <td class="DataTD" colspan="2" align="left">
 -        <input type="radio" name="rootcert" value="1" checked /> <?=_("Sign by class 1 root certificate")?><br />
 -        <input type="radio" name="rootcert" value="2" /> <?=_("Sign by class 3 root certificate")?><br />
 -        <?=str_replace("\n", "<br>\n", wordwrap(_("Please note: The class 3 root certificate needs to be imported into your email program as well as the class 1 root certificate so your email program can build a full trust path chain. Until we are included in browsers this might not be a desirable option for most people"), 60))?>
 +      <?=_("Hash algorithm used when signing the certificate:")?><br />
 +      <?
 +      foreach (HashAlgorithms::getInfo() as $algorithm => $display_info) {
 +      ?>
 +        <input type="radio" id="hash_alg_<?=$algorithm?>" name="hash_alg" value="<?=$algorithm?>" <?=(HashAlgorithms::$default === $algorithm)?'checked="checked"':''?> />
 +        <label for="hash_alg_<?=$algorithm?>"><?=$display_info['name']?><?=$display_info['info']?' - '.$display_info['info']:''?></label><br />
 +      <?
 +      }
 +      ?>
      </td>
    </tr>
 +
  <? if($_SESSION['profile']['codesign'] && $_SESSION['profile']['points'] >= 100) { ?>
 -  <tr>
 -    <td class="DataTD" colspan="2" align="left"><input type="checkbox" name="codesign" value="1" /><?=_("Code Signing")?></td>
 +  <tr name="expert">
 +    <td class="DataTD" colspan="2" align="left">
 +      <input type="checkbox" id="codesign" name="codesign" value="1" />
 +      <label for="codesign"><?=_("Code Signing")?></label>
 +    </td>
    </tr>
  <? } ?>
 -   <tr>
 -   <td class="DataTD" colspan="2" align="left">
 -      <?=_("Optional comment, only used in the certificate overview")?><br />
 -       <input type="text" name="description" maxlength="80" size=80 />
 -   </td>
 +  <tr>
 +    <td class="DataTD" colspan="2" align="left">
 +      <label for="description"><?=_("Optional comment, only used in the certificate overview")?></label><br />
 +      <input type="text" id="description" name="description" maxlength="80" size="80" />
 +    </td>
    </tr>
    <tr>
 -    <td class="DataTD" colspan="2"><input type="submit" name="add_email" value="<?=_("Another Email")?>">
 -                      <input type="submit" name="process" value="<?=_("Next")?>" /></td>
 +    <td class="DataTD" colspan="2">
 +      <input type="submit" name="add_email" value="<?=_("Add Another Email Address")?>">
 +      <input type="submit" name="process" value="<?=_("Next")?>" />
 +    </td>
    </tr>
  </table>
  <input type="hidden" name="oldid" value="<?=$id?>">
Simple merge