Make register.php a bit more robust. This is not complete but works fine.
parent
da4766b350
commit
229cac0de1
@ -0,0 +1,15 @@
|
|||
<?php
|
||||
|
||||
$alphabet = array('K', 'g', 'A', 'D', 'R', 'V', 's', 'L', 'Q', 'w');
|
||||
$alphabetsForNumbers = array(
|
||||
array('K', 'g', 'A', 'D', 'R', 'V', 's', 'L', 'Q', 'w'),
|
||||
array('M', 'R', 'o', 'F', 'd', 'X', 'z', 'a', 'K', 'L'),
|
||||
array('H', 'Q', 'O', 'T', 'A', 'B', 'C', 'D', 'e', 'F'),
|
||||
array('T', 'A', 'p', 'H', 'j', 'k', 'l', 'z', 'x', 'v'),
|
||||
array('f', 'b', 'P', 'q', 'w', 'e', 'K', 'N', 'M', 'V'),
|
||||
array('i', 'c', 'Z', 'x', 'W', 'E', 'g', 'h', 'n', 'm'),
|
||||
array('O', 'd', 'q', 'a', 'Z', 'X', 'C', 'b', 't', 'g'),
|
||||
array('p', 'E', 'J', 'k', 'L', 'A', 'S', 'Q', 'W', 'T'),
|
||||
array('f', 'W', 'C', 'G', 'j', 'I', 'O', 'P', 'Q', 'D'),
|
||||
array('A', 'g', 'n', 'm', 'd', 'w', 'u', 'y', 'x', 'r')
|
||||
);
|
|
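Review bot: `$alphabet` on the first line of this new file is byte-for-byte the first row of `$alphabetsForNumbers`, so an edit to one table silently diverges from the other; either drop it in favour of `$alphabetsForNumbers[0]` or add a comment such as `// must stay identical to $alphabetsForNumbers[0]; prepareCaptcha() indexes both`. There is no file header in this rendering, but the `include "alphabet.inc.php"` added in register.php suggests this is that file. These tables are a fixed substitution that `prepareCaptcha()` uses to encode the two captcha digits into the `captchacode` hidden field sent to the browser, so they give the captcha no secrecy; keeping the expected sum server-side (for example in the session) and dropping the encoding would be the more robust design.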
@ -1,14 +1,29 @@
|
|||
<?php
|
||||
|
||||
include "config.inc.php";
|
||||
include "alphabet.inc.php";
|
||||
include "head.inc";
|
||||
|
||||
$keyfile = $spooldir.'/keys.dat';
|
||||
$keys = unserialize(file_get_contents($keyfile));
|
||||
$email_registry = $spooldir.'/email_registry.dat';
|
||||
unlink($_POST['captchaimage']);
|
||||
|
||||
if((password_verify($keys[0],$_POST['key'])) || (password_verify($keys[1],$_POST['key']))) {
|
||||
$auth_ok = true;
|
||||
} else {
|
||||
$auth_ok = false;
|
||||
unset($_POST['command']);
|
||||
}
|
||||
|
||||
if(!isset($_POST['command'])) {
|
||||
if (isset($_COOKIE["ts_limit"])) {
|
||||
echo "It appears you already have an active account<br/>";
|
||||
echo "More than one account may not be created in 30 days<br/>";
|
||||
echo '<br/><a href="/">Return to Home Page</a>';
|
||||
} else {
|
||||
$captchaImage = '../tmp/captcha'.time().'.png';
|
||||
$captchacode = prepareCaptcha($captchaImage);
|
||||
echo '<table border="0" align="center" cellpadding="0" cellspacing="1">';
|
||||
echo '<tr>';
|
||||
echo '<form name="form1" method="post" action="register.php">';
|
||||
|
@ -16,10 +31,10 @@ if (isset($_COOKIE["ts_limit"])) {
|
|||
echo '<td><strong>Register Username </strong></td>';
|
||||
echo '</tr><tr>';
|
||||
echo '<td>Username:</td>';
|
||||
echo '<td><input name="username" type="text" id="username"></td>';
|
||||
echo '<td><input name="username" type="text" id="username"value="'.$_POST[username].'"></td>';
|
||||
echo '</tr><tr>';
|
||||
echo '<td>Email:</td>';
|
||||
echo '<td><input name="user_email" type="text" id="user_email"></td>';
|
||||
echo '<td><input name="user_email" type="text" id="user_email" value="'.$_POST[user_email].'"></td>';
|
||||
echo '</tr><tr>';
|
||||
echo '<td>Password:</td>';
|
||||
echo '<td><input name="password" type="password" id="password"></td>';
|
||||
|
@ -27,7 +42,13 @@ if (isset($_COOKIE["ts_limit"])) {
|
|||
echo '<td>Re-enter Password:</td>';
|
||||
echo '<td><input name="password2" type="password" id="password2"></td>';
|
||||
echo '</tr><tr>';
|
||||
echo '<td><img src="'.$captchaImage.'" /></td>';
|
||||
echo '<td><input name="captcha" type="text" id="captcha"></td>';
|
||||
echo '</tr><tr>';
|
||||
echo '<td><input name="captchacode" type="hidden" id="captchacode" value="'.$captchacode.'" readonly="readonly"></td>';
|
||||
echo '<td><input name="captchaimage" type="hidden" id="captchaimage" value="'.$captchaImage.'" readonly="readonly"></td>';
|
||||
echo '<td><input name="command" type="hidden" id="command" value="Create" readonly="readonly"></td>';
|
||||
echo '<td><input name="key" type="hidden" value="'.password_hash($keys[0], PASSWORD_DEFAULT).'"></td>';
|
||||
echo '</tr><tr>';
|
||||
echo '<td> </td>';
|
||||
echo '<td><input type="submit" name="Submit" value="Create"></td>';
|
||||
|
@ -58,7 +79,6 @@ if(isset($_POST['command']) && $_POST['command'] == 'CreateNew') {
|
|||
$keyFilename = $keypath.$username;
|
||||
@mkdir($workpath.'new/');
|
||||
$verified = 0;
|
||||
|
||||
$no_verify=explode(' ', $CONFIG['no_verify']);
|
||||
foreach($no_verify as $no) {
|
||||
if (strlen($_SERVER['HTTP_HOST']) - strlen($no) === strrpos($_SERVER['HTTP_HOST'],$no)) {
|
||||
|
@ -76,6 +96,7 @@ if(isset($_POST['command']) && $_POST['command'] == 'CreateNew') {
|
|||
echo '<input name="command" type="hidden" id="command" value="CreateNew" readonly="readonly">';
|
||||
echo '<input name="user_email" type="hidden" id="user_email" value="'.$user_email.'" readonly="readonly">';
|
||||
echo '<input type="submit" name="Submit" value="Click Here to Create"></td>';
|
||||
echo '<input name="key" type="hidden" value="'.password_hash($keys[0], PASSWORD_DEFAULT).'">';
|
||||
echo '<br/><br/><a href="'.$CONFIG['default_content'].'">Cancel and return to home page</a>';
|
||||
exit(2);
|
||||
}
|
||||
|
@ -145,13 +166,27 @@ $keyFilename = $keypath.$username;
|
|||
# Check all input
|
||||
if (empty($_POST['username'])) {
|
||||
echo "Please enter a Username\r\n";
|
||||
echo '<br /><a href="register.php">Back</a>';
|
||||
echo '<form name="return1" method="post" action="register.php">';
|
||||
echo '<input name="user_email" type="hidden" id="user_email" value="'.$user_email.'" readonly="readonly">';
|
||||
echo '<input type="submit" name="Submit" value="Back"></td>';
|
||||
exit(2);
|
||||
}
|
||||
|
||||
if ($_POST['password'] !== $_POST['password2']) {
|
||||
if (($_POST['password'] !== $_POST['password2']) || $_POST['password'] == '') {
|
||||
echo "Your passwords entered do not match\r\n";
|
||||
echo '<br /><a href="register.php">Back</a>';
|
||||
echo '<form name="return1" method="post" action="register.php">';
|
||||
echo '<input name="username" type="hidden" id="username" value="'.$username.'" readonly="readonly">';
|
||||
echo '<input name="user_email" type="hidden" id="user_email" value="'.$user_email.'" readonly="readonly">';
|
||||
echo '<input type="submit" name="Submit" value="Back"></td>';
|
||||
exit(2);
|
||||
}
|
||||
|
||||
if (getExpressionResult($_POST['captchacode']) != $_POST['captcha']) {
|
||||
echo "Incorrect captcha response\r\n";
|
||||
echo '<form name="return1" method="post" action="register.php">';
|
||||
echo '<input name="username" type="hidden" id="username" value="'.$username.'" readonly="readonly">';
|
||||
echo '<input name="user_email" type="hidden" id="user_email" value="'.$user_email.'" readonly="readonly">';
|
||||
echo '<input type="submit" name="Submit" value="Back"></td>';
|
||||
exit(2);
|
||||
}
|
||||
|
||||
|
@ -161,23 +196,25 @@ foreach($users as $user) {
|
|||
if(!is_file($config_dir."/userconfig/".$user)) {
|
||||
continue;
|
||||
}
|
||||
if ($userFileHandle = @fopen($config_dir."/userconfig/".$user, 'r')) {
|
||||
while (!feof($userFileHandle))
|
||||
{
|
||||
$buffer = fgets($userFileHandle);
|
||||
if(strpos($buffer, 'email:') !== FALSE) {
|
||||
if(stripos($buffer, $user_email) !== FALSE) {
|
||||
fclose($userFileHandle);
|
||||
echo "Email exists in database\r\n";
|
||||
echo '<br /><a href="register.php">Back</a>';
|
||||
exit(2);
|
||||
}
|
||||
}
|
||||
}
|
||||
fclose($userFileHandle);
|
||||
if(strcmp(get_user_config($user, 'mail'), $user_email) == 0) {
|
||||
echo "Email exists in database\r\n";
|
||||
echo '<form name="return1" method="post" action="register.php">';
|
||||
echo '<input name="username" type="hidden" id="username" value="'.$username.'" readonly="readonly">';
|
||||
echo '<input type="submit" name="Submit" value="Back"></td>';
|
||||
exit(2);
|
||||
}
|
||||
}
|
||||
|
||||
# Check email address attempts to avoid abuse
|
||||
$tried_email = unserialize(file_get_contents($email_registry));
|
||||
if(isset($tried_email[$user_email])) {
|
||||
echo "Email address already used\r\n";
|
||||
echo '<form name="return1" method="post" action="register.php">';
|
||||
echo '<input name="username" type="hidden" id="username" value="'.$username.'" readonly="readonly">';
|
||||
echo '<input type="submit" name="Submit" value="Back"></td>';
|
||||
exit(2);
|
||||
}
|
||||
|
||||
if (!preg_match("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z0-9]{2,3})$^",$user_email)) {
|
||||
echo "Email must be in the form of an email address\r\n";
|
||||
echo '<br /><a href="register.php">Back</a>';
|
||||
|
@ -237,7 +274,13 @@ if ($ok || ($command == "Create") )
|
|||
$CONFIG['verify_email'] = false;
|
||||
}
|
||||
}
|
||||
if($CONFIG['verify_email']) {
|
||||
|
||||
if($CONFIG['verify_email']) {
|
||||
|
||||
# Log email address attempts to avoid abuse
|
||||
$tried_email = unserialize(file_get_contents($email_registry));
|
||||
$tried_email[$user_email]['time'] = time();
|
||||
file_put_contents($email_registry, serialize($tried_email));
|
||||
|
||||
$mail->SMTPOptions = array(
|
||||
'ssl' => array(
|
||||
|
@ -263,7 +306,11 @@ $mail->addAddress($user_email);
|
|||
$mail->Subject = "Confirmation code for ".$_SERVER['HTTP_HOST'];
|
||||
|
||||
$mycode = create_code($username);
|
||||
$msg="A request to create an account on ".$_SERVER['HTTP_HOST']." has been made using ".$user_email.".\n\nIf you did not request this, please ignore and the request will fail.\n\nThis is your account creation code: ".$mycode."\n\nNote: replies to this email address are not monitored";
|
||||
$msg="A request to create an account on ".$_SERVER['HTTP_HOST'];
|
||||
$msg.=" has been made using ".$user_email.".\n\n";
|
||||
$msg.="If you did not request this, please ignore and the request will fail.\n\n";
|
||||
$msg.="This is your account creation code: ".$mycode."\n\n";
|
||||
$msg.="Note: replies to this email address are checked daily.";
|
||||
$mail->Body = wordwrap($msg,70);
|
||||
|
||||
$mail->send();
|
||||
|
@ -279,6 +326,7 @@ $mail->send();
|
|||
echo '<input name="password" type="hidden" id="password" value="'.$password.'" readonly="readonly">';
|
||||
echo '<input name="command" type="hidden" id="command" value="CreateNew" readonly="readonly">';
|
||||
echo '<input name="user_email" type="hidden" id="user_email" value="'.$user_email.'" readonly="readonly">';
|
||||
echo '<input name="key" type="hidden" value="'.password_hash($keys[0], PASSWORD_DEFAULT).'">';
|
||||
echo '<input type="submit" name="Submit" value="Click Here to Create"></td>';
|
||||
echo '<br/><br/><a href="'.$CONFIG['default_content'].'">Cancel and return to home page</a>';
|
||||
} else {
|
||||
|
@ -286,6 +334,31 @@ $mail->send();
|
|||
exit(1);
|
||||
}
|
||||
|
||||
function get_user_config($username,$request) {
|
||||
global $config_dir;
|
||||
$userconfigpath = $config_dir."userconfig/";
|
||||
$username = strtolower($username);
|
||||
$userFilename = $userconfigpath.$username;
|
||||
|
||||
if ($userFileHandle = @fopen($userFilename, 'r'))
|
||||
{
|
||||
while (!feof($userFileHandle))
|
||||
{
|
||||
$buffer = fgets($userFileHandle);
|
||||
if(strpos($buffer, $request.':') !== FALSE) {
|
||||
$userdataline=$buffer;
|
||||
fclose($userFileHandle);
|
||||
$userdatafound = explode(':',$userdataline);
|
||||
return trim($userdatafound[1]);
|
||||
}
|
||||
}
|
||||
fclose($userFileHandle);
|
||||
return FALSE;
|
||||
} else {
|
||||
return FALSE;
|
||||
}
|
||||
}
|
||||
|
||||
function make_key($username) {
|
||||
$key = openssl_random_pseudo_bytes(44);
|
||||
return base64_encode($key);
|
||||
|
@ -320,4 +393,43 @@ function get_config_value($configfile,$request) {
|
|||
return FALSE;
|
||||
}
|
||||
}
|
||||
|
||||
function generateImage($text, $file) {
|
||||
$im = @imagecreate(74, 25) or die("Cannot Initialize new GD image stream");
|
||||
$background_color = imagecolorallocate($im, 200, 200, 200);
|
||||
$text_color = imagecolorallocate($im, 0, 0, 0);
|
||||
imagestring($im, 5, 5, 5, $text, $text_color);
|
||||
imagepng($im, $file);
|
||||
imagedestroy($im);
|
||||
}
|
||||
|
||||
function getIndex($alphabet, $letter) {
|
||||
for($i=0; $i<count($alphabet); $i++) {
|
||||
$l = $alphabet[$i];
|
||||
if($l === $letter) return $i;
|
||||
}
|
||||
}
|
||||
function getExpressionResult($code) {
|
||||
global $alphabet, $alphabetsForNumbers;
|
||||
$userAlphabetIndex = getIndex($alphabet, substr($code, 0, 1));
|
||||
$number1 = (int) getIndex($alphabetsForNumbers[$userAlphabetIndex], substr($code, 1, 1));
|
||||
$number2 = (int) getIndex($alphabetsForNumbers[$userAlphabetIndex], substr($code, 2, 1));
|
||||
return $number1 + $number2;
|
||||
}
|
||||
|
||||
function prepareCaptcha($captchaImage) {
|
||||
global $alphabet, $alphabetsForNumbers;
|
||||
// generating expression
|
||||
$expression = (object) array(
|
||||
"n1" => rand(0, 9),
|
||||
"n2" => rand(0, 9)
|
||||
);
|
||||
generateImage($expression->n1.' + '.$expression->n2.' =', $captchaImage);
|
||||
|
||||
$usedAlphabet = rand(0, 9);
|
||||
$code = $alphabet[$usedAlphabet].
|
||||
$alphabetsForNumbers[$usedAlphabet][$expression->n1].
|
||||
$alphabetsForNumbers[$usedAlphabet][$expression->n2];
|
||||
return($code);
|
||||
}
|
||||
?>
|
||||
|
|
|
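Review bot: `unlink($_POST['captchaimage']);` in the first hunk deletes whatever path the client submits, with no check that it is one of the `../tmp/captcha<time>.png` files this script itself creates, and it runs before the key check has rejected the request. Constrain it to that directory and name before unlinking, e.g. `$img = '../tmp/' . basename($_POST['captchaimage'] ?? '');` followed by `if (preg_match('/^captcha\d+\.png$/', basename($img))) { unlink($img); }`, or better keep the image path server-side instead of round-tripping it through the form. The re-populated inputs in the second hunk write `$_POST[username]` and `$_POST[user_email]` with unquoted keys, which is an undefined-constant `Error` on PHP 8, and splice the value unescaped into an HTML attribute; use `htmlspecialchars($_POST['username'] ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` for both. Most hunks here start and end mid-script, and the enclosing `if` blocks continue outside them.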
@ -2,16 +2,9 @@
|
|||
# Server info and credentials for sending email
|
||||
# (sending mail requires PHPMailer package installed)
|
||||
|
||||
if(is_file('/usr/share/php/libphp-phpmailer/src/PHPMailer.php')) {
|
||||
$phpmailer['phpmailer'] = '/usr/share/php/libphp-phpmailer/src/PHPMailer.php';
|
||||
$phpmailer['smtp'] = '/usr/share/php/libphp-phpmailer/src/SMTP.php';
|
||||
} elseif(is_file('/usr/share/php/libphp-phpmailer/class.phpmailer.php')) {
|
||||
$phpmailer['phpmailer'] = '/usr/share/php/libphp-phpmailer/class.phpmailer.php';
|
||||
$phpmailer['smtp'] = '/usr/share/php/libphp-phpmailer/class.smtp.php';
|
||||
} elseif(is_file('/usr/local/share/phpmailer/class.phpmailer.php')) {
|
||||
$phpmailer['phpmailer'] = '/usr/local/share/phpmailer/class.phpmailer.php';
|
||||
$phpmailer['smtp'] = '/usr/local/share/phpmailer/class.smtp.php';
|
||||
}
|
||||
$phpmailer['exception'] = '/usr/share/php/libphp-phpmailer/src/Exception.php';
|
||||
|
||||
$mailer = array();
|
||||
$mailer['host'] = "mail.example.com";
|
||||
|
|
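Review bot: `$phpmailer['exception'] = '/usr/share/php/libphp-phpmailer/src/Exception.php';` is assigned unconditionally, outside the `is_file` chain that picks between the `src/` and the legacy `class.*` layouts, so a host that matched a legacy branch (if any of those branches survive this hunk) ends up with an exception path that does not exist on it. Either move the assignment into the first branch or guard it the same way: `if (is_file('/usr/share/php/libphp-phpmailer/src/Exception.php')) { $phpmailer['exception'] = ...; }`. Which `elseif` branches remain on the new side is not recoverable from this rendering.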