From 229cac0de17f4debd701dd18b27bc41728679936 Mon Sep 17 00:00:00 2001 From: Retro_Guy Date: Sun, 30 Oct 2022 03:37:15 +0000 Subject: [PATCH] Make register.php a bit more robust. This is not complete but works fine. --- Rocksolid_Light/common/alphabet.inc.php | 15 ++ Rocksolid_Light/common/register.php | 158 ++++++++++++++++++---- Rocksolid_Light/rslight/phpmailer.inc.php | 9 +- 3 files changed, 151 insertions(+), 31 deletions(-) create mode 100644 Rocksolid_Light/common/alphabet.inc.php diff --git a/Rocksolid_Light/common/alphabet.inc.php b/Rocksolid_Light/common/alphabet.inc.php new file mode 100644 index 0000000..5128782 --- /dev/null +++ b/Rocksolid_Light/common/alphabet.inc.php @@ -0,0 +1,15 @@ +"; echo "More than one account may not be created in 30 days
"; echo '
Return to Home Page'; } else { + $captchaImage = '../tmp/captcha'.time().'.png'; + $captchacode = prepareCaptcha($captchaImage); echo ''; echo ''; echo ''; @@ -16,10 +31,10 @@ if (isset($_COOKIE["ts_limit"])) { echo ''; echo ''; echo ''; - echo ''; + echo ''; echo ''; echo ''; - echo ''; + echo ''; echo ''; echo ''; echo ''; @@ -27,7 +42,13 @@ if (isset($_COOKIE["ts_limit"])) { echo ''; echo ''; echo ''; + echo ''; + echo ''; + echo ''; + echo ''; + echo ''; echo ''; + echo ''; echo ''; echo ''; echo ''; @@ -58,7 +79,6 @@ if(isset($_POST['command']) && $_POST['command'] == 'CreateNew') { $keyFilename = $keypath.$username; @mkdir($workpath.'new/'); $verified = 0; - $no_verify=explode(' ', $CONFIG['no_verify']); foreach($no_verify as $no) { if (strlen($_SERVER['HTTP_HOST']) - strlen($no) === strrpos($_SERVER['HTTP_HOST'],$no)) { @@ -76,6 +96,7 @@ if(isset($_POST['command']) && $_POST['command'] == 'CreateNew') { echo ''; echo ''; echo ''; + echo ''; echo '

Cancel and return to home page'; exit(2); } @@ -145,13 +166,27 @@ $keyFilename = $keypath.$username; # Check all input if (empty($_POST['username'])) { echo "Please enter a Username\r\n"; - echo '
Back'; + echo ''; + echo ''; + echo ''; exit(2); } -if ($_POST['password'] !== $_POST['password2']) { +if (($_POST['password'] !== $_POST['password2']) || $_POST['password'] == '') { echo "Your passwords entered do not match\r\n"; - echo '
Back'; + echo ''; + echo ''; + echo ''; + echo ''; + exit(2); +} + +if (getExpressionResult($_POST['captchacode']) != $_POST['captcha']) { + echo "Incorrect captcha response\r\n"; + echo ''; + echo ''; + echo ''; + echo ''; exit(2); } @@ -161,21 +196,23 @@ foreach($users as $user) { if(!is_file($config_dir."/userconfig/".$user)) { continue; } - if ($userFileHandle = @fopen($config_dir."/userconfig/".$user, 'r')) { - while (!feof($userFileHandle)) - { - $buffer = fgets($userFileHandle); - if(strpos($buffer, 'email:') !== FALSE) { - if(stripos($buffer, $user_email) !== FALSE) { - fclose($userFileHandle); - echo "Email exists in database\r\n"; - echo '
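Review bot: The new check `getExpressionResult($_POST['captchacode']) != $_POST['captcha']` derives the expected answer from a hidden field the same client posts back, so the server is validating the response against a value the submitter controls; `getExpressionResult()` is not visible in this patch (presumably alphabet.inc.php), but from `prepareCaptcha()` below the code is a fixed-table encoding of the two operands, not a secret, so the field does not bind the client to a server-chosen challenge. Record the expected sum server-side when `prepareCaptcha()` runs (in `$_SESSION` if sessions are available here, otherwise a server-side store keyed by a random token) and compare against that. Use a strict comparison with an existence check, e.g. `if (!isset($_POST['captcha'], $_SESSION['captcha']) || (string) $_POST['captcha'] !== (string) $_SESSION['captcha'])`, since `!=` between an integer sum and the posted string is loose (on PHP before 8.0 a sum of 0 compares equal to an empty string) and a missing `captchacode` key currently raises a notice before the comparison runs.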
Back'; - exit(2); - } - } - } - fclose($userFileHandle); - } + if(strcmp(get_user_config($user, 'mail'), $user_email) == 0) { + echo "Email exists in database\r\n"; + echo ''; + echo ''; + echo ''; + exit(2); + } +} + +# Check email address attempts to avoid abuse +$tried_email = unserialize(file_get_contents($email_registry)); +if(isset($tried_email[$user_email])) { + echo "Email address already used\r\n"; + echo ''; + echo ''; + echo ''; + exit(2); } if (!preg_match("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z0-9]{2,3})$^",$user_email)) { @@ -237,8 +274,14 @@ if ($ok || ($command == "Create") ) $CONFIG['verify_email'] = false; } } - if($CONFIG['verify_email']) { +if($CONFIG['verify_email']) { + +# Log email address attempts to avoid abuse + $tried_email = unserialize(file_get_contents($email_registry)); + $tried_email[$user_email]['time'] = time(); + file_put_contents($email_registry, serialize($tried_email)); + $mail->SMTPOptions = array( 'ssl' => array( 'verify_peer' => false, @@ -263,7 +306,11 @@ $mail->addAddress($user_email); $mail->Subject = "Confirmation code for ".$_SERVER['HTTP_HOST']; $mycode = create_code($username); - $msg="A request to create an account on ".$_SERVER['HTTP_HOST']." has been made using ".$user_email.".\n\nIf you did not request this, please ignore and the request will fail.\n\nThis is your account creation code: ".$mycode."\n\nNote: replies to this email address are not monitored"; +$msg="A request to create an account on ".$_SERVER['HTTP_HOST']; +$msg.=" has been made using ".$user_email.".\n\n"; +$msg.="If you did not request this, please ignore and the request will fail.\n\n"; +$msg.="This is your account creation code: ".$mycode."\n\n"; +$msg.="Note: replies to this email address are checked daily."; $mail->Body = wordwrap($msg,70); $mail->send(); @@ -279,6 +326,7 @@ $mail->send(); echo ''; echo ''; echo ''; + echo ''; echo ''; echo '
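Review bot: Replacing the `stripos()` scan with `strcmp(get_user_config($user, 'mail'), $user_email) == 0` makes the duplicate-e-mail check case-sensitive, so an address that differs from a stored one only in letter case (a constructed example: `User@example.com` vs `user@example.com`) is now accepted where the old code rejected it; `strcasecmp()` keeps the previous behaviour. `get_user_config()` returns `FALSE` when the key is absent, which `strcmp` silently coerces to an empty string, so compare explicitly: `$stored = get_user_config($user, 'mail'); if ($stored !== false && strcasecmp($stored, $user_email) === 0)`. The attempt lookup `$tried_email = unserialize(file_get_contents($email_registry));` yields `false` plus a warning when the registry file does not exist yet, so guard it with `is_file()` and fall back to `[]`. The registry entry stored as `['time' => ...]` is never compared against a cutoff here, so an address that once attempted registration is refused permanently, which does not match the 30-day limit the cookie path above announces.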
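Review bot: The registry update `$tried_email = unserialize(file_get_contents($email_registry));` followed by `file_put_contents($email_registry, serialize($tried_email));` is a non-atomic read-modify-write with no lock, so two concurrent registrations can drop each other's entries, and on first use the missing file makes `unserialize()` return `false`, on which `$tried_email[$user_email]['time'] = time()` relies on false-to-array autovivification (deprecated since PHP 8.1). Initialise with `$tried_email = is_file($email_registry) ? (unserialize(file_get_contents($email_registry)) ?: []) : [];` and write with `file_put_contents($email_registry, serialize($tried_email), LOCK_EX)`; a JSON encoding would also keep `unserialize()` away from a file on disk and make the registry inspectable. The address is recorded before `$mail->send()` runs and the visible context never checks that call's return value, so a failed delivery still consumes the address; logging the attempt only after a successful send would be safer for legitimate users. The surrounding context also shows `'verify_peer' => false` in the SMTP options, which predates this change but disables TLS certificate verification on the mail connection and deserves a follow-up.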
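Review bot: The rebuilt message `$msg="A request to create an account on ".$_SERVER['HTTP_HOST'];` embeds the client-supplied Host header in an outgoing e-mail, as the `Subject` line in the context above already does. Unless the web server rejects requests for unknown host names, the sender of the registration request decides which site name the recipient sees in the mail, which is the classic setup for misleading verification messages; a configured canonical hostname (a value from `$CONFIG`, which the file already reads for other settings) would remove that dependency. The same applies to the `$_SERVER['HTTP_HOST']` use in the `$no_verify` loop further up, which is outside this hunk.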

Cancel and return to home page'; } else { @@ -286,6 +334,31 @@ $mail->send(); exit(1); } +function get_user_config($username,$request) { + global $config_dir; + $userconfigpath = $config_dir."userconfig/"; + $username = strtolower($username); + $userFilename = $userconfigpath.$username; + + if ($userFileHandle = @fopen($userFilename, 'r')) + { + while (!feof($userFileHandle)) + { + $buffer = fgets($userFileHandle); + if(strpos($buffer, $request.':') !== FALSE) { + $userdataline=$buffer; + fclose($userFileHandle); + $userdatafound = explode(':',$userdataline); + return trim($userdatafound[1]); + } + } + fclose($userFileHandle); + return FALSE; + } else { + return FALSE; + } +} + function make_key($username) { $key = openssl_random_pseudo_bytes(44); return base64_encode($key); @@ -320,4 +393,43 @@ function get_config_value($configfile,$request) { return FALSE; } } + + function generateImage($text, $file) { + $im = @imagecreate(74, 25) or die("Cannot Initialize new GD image stream"); + $background_color = imagecolorallocate($im, 200, 200, 200); + $text_color = imagecolorallocate($im, 0, 0, 0); + imagestring($im, 5, 5, 5, $text, $text_color); + imagepng($im, $file); + imagedestroy($im); + } + + function getIndex($alphabet, $letter) { + for($i=0; $i rand(0, 9), + "n2" => rand(0, 9) + ); + generateImage($expression->n1.' + '.$expression->n2.' =', $captchaImage); + + $usedAlphabet = rand(0, 9); + $code = $alphabet[$usedAlphabet]. + $alphabetsForNumbers[$usedAlphabet][$expression->n1]. + $alphabetsForNumbers[$usedAlphabet][$expression->n2]; + return($code); + } ?> diff --git a/Rocksolid_Light/rslight/phpmailer.inc.php b/Rocksolid_Light/rslight/phpmailer.inc.php index 967cec6..8444e1d 100644 --- a/Rocksolid_Light/rslight/phpmailer.inc.php +++ b/Rocksolid_Light/rslight/phpmailer.inc.php 
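Review bot: `get_user_config()` matches a key with `strpos($buffer, $request.':') !== FALSE`, which finds the text anywhere in the line, so a request for `mail` also matches an `email:` line (the key the removed code searched for) and a value that happens to contain `mail:` would match as well; it is unclear from the patch which spelling the user file uses, so the substring match may be what currently makes the caller work. Anchor the match to the line start, `if (strpos($buffer, $request.':') === 0)`, pass the expected key explicitly from the caller, and split with `explode(':', $userdataline, 2)` so values containing a colon are returned whole. The path here is `$config_dir."userconfig/"` while the caller loop above uses `$config_dir."/userconfig/".$user`, so one of the two is wrong depending on whether `$config_dir` carries a trailing slash. `@fopen` hides why a user file could not be opened, and returning `FALSE` for both "key absent" and "file unreadable" forces every caller to test with `!== false`, which the new `strcmp` call site does not do.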
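Review bot: `prepareCaptcha()` draws both operands and the alphabet index with `rand()`, which is not a cryptographically secure generator; `random_int(0, 9)` is the drop-in replacement for all three calls. The image name chosen by the caller, `'../tmp/captcha'.time().'.png'`, has one-second resolution, so two registrations started in the same second write the same file, and nothing in this patch removes the images afterwards; a name from `bin2hex(random_bytes(8))` and an `unlink()` once the form has been checked (or a periodic sweep of `../tmp`) would avoid both the collision and the unbounded growth. `generateImage()` ends the whole request with `die()` when GD fails, which skips the Cancel link the rest of the page offers; returning `false` or throwing and letting the caller render the error keeps that behaviour consistent. The body of `getIndex()` is garbled in this rendering and was not reviewed.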
@@ -2,16 +2,9 @@ # Server info and credentials for sending email # (sending mail requires PHPMailer package installed) -if(is_file('/usr/share/php/libphp-phpmailer/src/PHPMailer.php')) { $phpmailer['phpmailer'] = '/usr/share/php/libphp-phpmailer/src/PHPMailer.php'; $phpmailer['smtp'] = '/usr/share/php/libphp-phpmailer/src/SMTP.php'; -} elseif(is_file('/usr/share/php/libphp-phpmailer/class.phpmailer.php')) { - $phpmailer['phpmailer'] = '/usr/share/php/libphp-phpmailer/class.phpmailer.php'; - $phpmailer['smtp'] = '/usr/share/php/libphp-phpmailer/class.smtp.php'; -} elseif(is_file('/usr/local/share/phpmailer/class.phpmailer.php')) { - $phpmailer['phpmailer'] = '/usr/local/share/phpmailer/class.phpmailer.php'; - $phpmailer['smtp'] = '/usr/local/share/phpmailer/class.smtp.php'; -} + $phpmailer['exception'] = '/usr/share/php/libphp-phpmailer/src/Exception.php'; $mailer = array(); $mailer['host'] = "mail.example.com";
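Review bot: Dropping the `is_file()` guard sets `$phpmailer['phpmailer']`, `$phpmailer['smtp']` and the new `$phpmailer['exception']` unconditionally to the `/usr/share/php/libphp-phpmailer/src/` paths, so on a host where the package lives elsewhere (the two removed branches covered the legacy `class.phpmailer.php` layouts) the failure moves from a silent unset array to a fatal error wherever these paths are presumably included. If the fallbacks are intentionally retired, a comment stating the supported layout plus an explicit check at the point of use, `if (!is_file($phpmailer['phpmailer'])) { /* report missing PHPMailer */ }`, would make the failure mode clear to an operator instead of an include error. The `'verify_peer' => false` SMTP option set in register.php is the other half of this mail configuration and should be revisited together with it.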
Register Username
Username:
Email:
Password:Re-enter Password: