From: Benny Baumann Date: Wed, 29 Jul 2015 17:28:04 +0000 (+0200) Subject: Merge branch 'bug-1394' into testserver-stable X-Git-Url: https://git.cacert.org/gitweb/?p=cacert-devel.git;a=commitdiff_plain;h=008a344ffb238e916db4556a4e9cadf689ab38fd;hp=-c Merge branch 'bug-1394' into testserver-stable --- 008a344ffb238e916db4556a4e9cadf689ab38fd diff --combined includes/account.php index 2eeca730,72db5093..bc903143 --- a/includes/account.php +++ b/includes/account.php @@@ -116,7 -116,8 +116,8 @@@ function buildSubjectFromSession() if(strstr($_REQUEST['newemail'], "xn--") && $_SESSION['profile']['codesign'] <= 0) { showheader(_("My CAcert.org Account!")); - echo _("Due to the possibility for punycode domain exploits we currently do not allow any certificates to sign punycode domains or email addresses."); + echo _("Due to the possibility for punycode domain exploits we currently only offer the use of IDN domains if your account has the code signing flag.") . "\n"; + printf(_("More information can be found %sin our wiki%s."), '', ''); showfooter(); exit; } @@@ -541,7 -542,8 +542,8 @@@ if(strstr($newdomain, "xn--") && $_SESSION['profile']['codesign'] <= 0) { showheader(_("My CAcert.org Account!")); - echo _("Due to the possibility for punycode domain exploits we currently do not allow any certificates to sign punycode domains or email addresses."); + echo _("Due to the possibility for punycode domain exploits we currently only offer the use of IDN domains if your account has the code signing flag.") . 
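Review bot: The guard `strstr($_REQUEST['newemail'], "xn--")` in the hunk at 116, like `strstr($newdomain, "xn--")` in the hunk at 541, is a case-sensitive substring match, whereas the ACE prefix of an IDN label is compared case-insensitively. The code-signing restriction therefore depends on the input having been lowercased earlier, which is not visible in either hunk. I would make the test case-insensitive in both places, e.g. `if (stripos($_REQUEST['newemail'], 'xn--') !== false && $_SESSION['profile']['codesign'] <= 0)`. The surrounding handlers start and end outside the hunks.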
"\n"; + printf(_("More information can be found %sin our wiki%s."),'', ''); showfooter(); exit; } @@@ -905,8 -907,7 +907,8 @@@ `rootcert`='".intval($row['rootcert'])."', `type`='".intval($row['type'])."', `pkhash`='".mysql_real_escape_string($row['pkhash'])."', - `description`='".mysql_real_escape_string($row['description'])."'"; + `description`='".mysql_real_escape_string($row['description'])."', + `md`='".HashAlgorithms::clean($row['md'])."'"; mysql_query($query); $newid = mysql_insert_id(); $newfile=generatecertpath("csr","server",$newid); @@@ -1086,8 -1087,7 +1088,8 @@@ `disablelogin`='".intval($row['disablelogin'])."', `codesign`='".intval($row['codesign'])."', `rootcert`='".intval($row['rootcert'])."', - `description`='".mysql_real_escape_string($row['description'])."'"; + `description`='".mysql_real_escape_string($row['description'])."', + `md`='".HashAlgorithms::clean($row['md'])."'"; mysql_query($query); $newid = mysql_insert_id(); $newfile=generatecertpath("csr","client",$newid); @@@ -1212,23 -1212,6 +1214,23 @@@ exit; } + if($oldid == 6 && $_REQUEST['certid'] != "") + { + if(trim($_REQUEST['description']) != ""){ + $description= trim(mysql_real_escape_string(stripslashes($_REQUEST['description']))); + }else{ + $description= ""; + } + + if(trim($_REQUEST['disablelogin']) == "1"){ + $disablelogin = 1; + }else{ + $disablelogin = 0; + } + + mysql_query("update `emailcerts` set `disablelogin`='$disablelogin', `description`='$description' where `id`='".$_REQUEST['certid']."' and `memid`='".$_SESSION['profile']['id']."'"); + } + if($oldid == 13 && $process != "" && $showdetails!="") { csrf_check("perschange"); @@@ -1294,7 -1277,10 +1296,7 @@@ if($oldid == 13 && $process != "") { - $ddquery = "select sum(`points`) as `total` from `notary` where `to`='".intval($_SESSION['profile']['id'])."' and `deleted` = 0 group by `to`"; - $ddres = mysql_query($ddquery); - $ddrow = mysql_fetch_assoc($ddres); - $_SESSION['profile']['points'] = $ddrow['total']; + 
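Review bot: `HashAlgorithms::clean($row['md'])` is concatenated into the INSERT in the hunk at 905 without `mysql_real_escape_string()`, unlike the neighbouring `description` and `pkhash` columns. The statement is therefore only safe if `clean()` returns nothing but values from a fixed list, and its definition is not visible here. Once that is confirmed, I would document it at the first site with a comment such as `// HashAlgorithms::clean() only returns known algorithm identifiers, safe to embed in SQL`; otherwise wrap the call in `mysql_real_escape_string()` for consistency. The same pattern recurs in the hunks at 1086, 1727 and 2080. Each query string starts above its hunk.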
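Review bot: In the new `$oldid == 6` branch (hunk at 1212), `$_REQUEST['certid']` is concatenated into the `where` clause of the UPDATE on `emailcerts` with no cast or escaping, although `description` in the same block goes through `mysql_real_escape_string()`. Use `intval($_REQUEST['certid'])` there, and `intval($_SESSION['profile']['id'])` for `memid`, as the other queries in this diff do. The branch also calls no `csrf_check()`, unlike the `$oldid == 13` branch that follows it; if no earlier check covers this form, which the hunk does not show, one belongs at the top of the block. `$_REQUEST['description']` and `$_REQUEST['disablelogin']` are read without an `isset`/`array_key_exists` guard, so a request that omits them raises notices.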
update_points_in_profile(); if($_SESSION['profile']['points'] == 0) { @@@ -1353,7 -1339,10 +1355,7 @@@ $_SESSION['profile'] = mysql_fetch_assoc(mysql_query("select * from `users` where `id`='".intval($_SESSION['profile']['id'])."'")); $_SESSION['profile']['loggedin'] = 1; - $ddquery = "select sum(`points`) as `total` from `notary` where `to`='".intval($_SESSION['profile']['id'])."' and `deleted` = 0 group by `to`"; - $ddres = mysql_query($ddquery); - $ddrow = mysql_fetch_assoc($ddres); - $_SESSION['profile']['points'] = $ddrow['total']; + update_points_in_profile(); $id = 13; @@@ -1375,7 -1364,7 +1377,7 @@@ showheader(_("My CAcert.org Account!")); if($_SESSION['_config']['user']['pword1'] == "" || $_SESSION['_config']['user']['pword1'] != $_SESSION['_config']['user']['pword2']) { - echo '

', _("Failure: Pass Phrase not Changed"), + echo '

', _("Failure: Pass Phrase not Changed"), '

', "\n"; echo _("New Pass Phrases specified don't match or were blank."); } else { @@@ -1393,15 -1382,15 +1395,15 @@@ } if(strlen($_SESSION['_config']['user']['pword1']) < 6) { - echo '

', + echo '

', _("Failure: Pass Phrase not Changed"), '

', "\n"; echo _("The Pass Phrase you submitted was too short."); } else if($score < 3) { - echo '

', + echo '

', _("Failure: Pass Phrase not Changed"), '

', "\n"; printf(_("The Pass Phrase you submitted failed to contain enough differing characters and/or contained words from your name and/or email address. Only scored %s points out of 6."), $score); } else if($rc <= 0) { - echo '

', + echo '

', _("Failure: Pass Phrase not Changed"), '

', "\n"; echo _("You failed to correctly enter your current Pass Phrase."); } else { @@@ -1727,8 -1716,7 +1729,8 @@@ `modified`=NOW(), `codesign`='".intval($row['codesign'])."', `rootcert`='".intval($row['rootcert'])."', - `description`='".mysql_real_escape_string($row['description'])."'"; + `description`='".mysql_real_escape_string($row['description'])."', + `md`='".HashAlgorithms::clean($row['md'])."'"; mysql_query($query); $newid = mysql_insert_id(); $newfile=generatecertpath("csr","orgclient",$newid); @@@ -2080,8 -2068,7 +2082,8 @@@ `subject`='".mysql_real_escape_string($row['subject'])."', `type`='".intval($row['type'])."', `rootcert`='".intval($row['rootcert'])."', - `description`='".mysql_real_escape_string($row['description'])."'"; + `description`='".mysql_real_escape_string($row['description'])."', + `md`='".HashAlgorithms::clean($row['md'])."'"; mysql_query($query); $newid = mysql_insert_id(); //echo "NewID: $newid
\n"; @@@ -2249,7 -2236,7 +2251,7 @@@ `contact`='".$_SESSION['_config']['contact']."', `L`='".$_SESSION['_config']['L']."', `ST`='".$_SESSION['_config']['ST']."', - `C`='".$_SESSION['_config']['C']."', + `C`='".strtoupper($_SESSION['_config']['C'])."', `comments`='".$_SESSION['_config']['comments']."'"); showheader(_("My CAcert.org Account!")); printf(_("'%s' has just been successfully added as an organisation to the database."), sanitizeHTML($_SESSION['_config']['O'])); @@@ -2277,7 -2264,7 +2279,7 @@@ `contact`='".$_SESSION['_config']['contact']."', `L`='".$_SESSION['_config']['L']."', `ST`='".$_SESSION['_config']['ST']."', - `C`='".$_SESSION['_config']['C']."', + `C`='".strtoupper($_SESSION['_config']['C'])."', `comments`='".$_SESSION['_config']['comments']."' where `id`='".intval($_SESSION['_config']['orgid'])."'"); showheader(_("My CAcert.org Account!")); @@@ -2800,8 -2787,8 +2802,8 @@@ $row = mysql_fetch_assoc(mysql_query("select * from `users` where `id`='".intval($_REQUEST['userid'])."'")); printf(_("The password for %s has been updated successfully in the system."), sanitizeHTML($row['email'])); - $my_translation = L10n::get_translation(); - L10n::set_recipient_language(intval($_REQUEST['userid'])); + $my_translation = L10n::get_translation(); + L10n::set_recipient_language(intval($_REQUEST['userid'])); $body = sprintf(_("Hi %s,"),$row['fname'])."\n\n"; $body .= _("You are receiving this email because a CAcert administrator ". 
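Review bot: `strtoupper($_SESSION['_config']['C'])` in the hunk at 2249 normalises the case of the country code but does not constrain or escape it. The value is still concatenated into the statement next to `contact`, `L`, `ST` and `comments`, with no escaping visible in the hunk; the UPDATE in the hunk at 2277 has the same shape. If these session values are not already escaped where they are stored, which is not shown here, each should pass through `mysql_real_escape_string()` at this point. For `C`, a format check before the query, such as `preg_match('/^[A-Z]{2}$/', $c)`, would be the stronger guard. Both statements start above their hunks.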
"has changed the password on your account.")."\n\n"; @@@ -2810,7 -2797,7 +2812,7 @@@ sendmail($row['email'], "[CAcert.org] "._("Password Update Notification"), $body, "support@cacert.org", "", "", "CAcert Support"); - L10n::set_translation($my_translation); + L10n::set_translation($my_translation); } showfooter(); @@@ -2917,6 -2904,25 +2919,6 @@@ } } - /* presently not needed - if($id == 43 && array_key_exists('tverify',$_REQUEST) && $_REQUEST['tverify'] > 0 && $ticketvalidation==TRUE) - { - $memid = $_REQUEST['userid'] = intval($_REQUEST['tverify']); - if (!write_se_log($memid, $_SESSION['profile']['id'],'SE Change tverify status',$ticketno)) { - showheader(_("Something went wrong")); - echo _("Writing to the admin log failed. Can't continue."); - showfooter(); - exit; - } - $query = "select * from `users` where `id`='$memid'"; - $row = mysql_fetch_assoc(mysql_query($query)); - $ver = !$row['tverify']; - mysql_query("update `users` set `tverify`='$ver' where `id`='$memid'"); - }elseif($id == 43 && array_key_exists('tverify',$_REQUEST) && $_REQUEST['tverify'] > 0 && $ticketvalidation==FALSE){ - $_SESSION['ticketmsg']='No action taken. Ticket number is missing!'; - } - */ - if($id == 43 && array_key_exists('assurer',$_REQUEST) && $_REQUEST['assurer'] > 0 && $ticketvalidation == TRUE) { csrf_check('admsetassuret');