Make register.php a bit more robust. This is not complete but works fine.

This commit is contained in:
Retro_Guy 2022-10-30 03:37:15 +00:00
parent da4766b350
commit 229cac0de1
3 changed files with 151 additions and 31 deletions


@ -0,0 +1,15 @@
<?php
$alphabet = array('K', 'g', 'A', 'D', 'R', 'V', 's', 'L', 'Q', 'w');
$alphabetsForNumbers = array(
array('K', 'g', 'A', 'D', 'R', 'V', 's', 'L', 'Q', 'w'),
array('M', 'R', 'o', 'F', 'd', 'X', 'z', 'a', 'K', 'L'),
array('H', 'Q', 'O', 'T', 'A', 'B', 'C', 'D', 'e', 'F'),
array('T', 'A', 'p', 'H', 'j', 'k', 'l', 'z', 'x', 'v'),
array('f', 'b', 'P', 'q', 'w', 'e', 'K', 'N', 'M', 'V'),
array('i', 'c', 'Z', 'x', 'W', 'E', 'g', 'h', 'n', 'm'),
array('O', 'd', 'q', 'a', 'Z', 'X', 'C', 'b', 't', 'g'),
array('p', 'E', 'J', 'k', 'L', 'A', 'S', 'Q', 'W', 'T'),
array('f', 'W', 'C', 'G', 'j', 'I', 'O', 'P', 'Q', 'D'),
array('A', 'g', 'n', 'm', 'd', 'w', 'u', 'y', 'x', 'r')
);


@ -1,14 +1,29 @@
<?php
include "config.inc.php";
include "alphabet.inc.php";
include "head.inc";
$keyfile = $spooldir.'/keys.dat';
$keys = unserialize(file_get_contents($keyfile));
$email_registry = $spooldir.'/email_registry.dat';
unlink($_POST['captchaimage']);
if((password_verify($keys[0],$_POST['key'])) || (password_verify($keys[1],$_POST['key']))) {
$auth_ok = true;
} else {
$auth_ok = false;
unset($_POST['command']);
}
if(!isset($_POST['command'])) {
if (isset($_COOKIE["ts_limit"])) {
echo "It appears you already have an active account<br/>";
echo "More than one account may not be created in 30 days<br/>";
echo '<br/><a href="/">Return to Home Page</a>';
} else {
$captchaImage = '../tmp/captcha'.time().'.png';
$captchacode = prepareCaptcha($captchaImage);
echo '<table border="0" align="center" cellpadding="0" cellspacing="1">';
echo '<tr>';
echo '<form name="form1" method="post" action="register.php">';
@ -16,10 +31,10 @@ if (isset($_COOKIE["ts_limit"])) {
echo '<td><strong>Register Username </strong></td>';
echo '</tr><tr>';
echo '<td>Username:</td>';
echo '<td><input name="username" type="text" id="username"></td>';
echo '<td><input name="username" type="text" id="username"value="'.$_POST[username].'"></td>';
echo '</tr><tr>';
echo '<td>Email:</td>';
echo '<td><input name="user_email" type="text" id="user_email"></td>';
echo '<td><input name="user_email" type="text" id="user_email" value="'.$_POST[user_email].'"></td>';
echo '</tr><tr>';
echo '<td>Password:</td>';
echo '<td><input name="password" type="password" id="password"></td>';
@ -27,7 +42,13 @@ if (isset($_COOKIE["ts_limit"])) {
echo '<td>Re-enter Password:</td>';
echo '<td><input name="password2" type="password" id="password2"></td>';
echo '</tr><tr>';
echo '<td><img src="'.$captchaImage.'" /></td>';
echo '<td><input name="captcha" type="text" id="captcha"></td>';
echo '</tr><tr>';
echo '<td><input name="captchacode" type="hidden" id="captchacode" value="'.$captchacode.'" readonly="readonly"></td>';
echo '<td><input name="captchaimage" type="hidden" id="captchaimage" value="'.$captchaImage.'" readonly="readonly"></td>';
echo '<td><input name="command" type="hidden" id="command" value="Create" readonly="readonly"></td>';
echo '<td><input name="key" type="hidden" value="'.password_hash($keys[0], PASSWORD_DEFAULT).'"></td>';
echo '</tr><tr>';
echo '<td>&nbsp;</td>';
echo '<td><input type="submit" name="Submit" value="Create"></td>';
@ -58,7 +79,6 @@ if(isset($_POST['command']) && $_POST['command'] == 'CreateNew') {
$keyFilename = $keypath.$username;
@mkdir($workpath.'new/');
$verified = 0;
$no_verify=explode(' ', $CONFIG['no_verify']);
foreach($no_verify as $no) {
if (strlen($_SERVER['HTTP_HOST']) - strlen($no) === strrpos($_SERVER['HTTP_HOST'],$no)) {
@ -76,6 +96,7 @@ if(isset($_POST['command']) && $_POST['command'] == 'CreateNew') {
echo '<input name="command" type="hidden" id="command" value="CreateNew" readonly="readonly">';
echo '<input name="user_email" type="hidden" id="user_email" value="'.$user_email.'" readonly="readonly">';
echo '<input type="submit" name="Submit" value="Click Here to Create"></td>';
echo '<input name="key" type="hidden" value="'.password_hash($keys[0], PASSWORD_DEFAULT).'">';
echo '<br/><br/><a href="'.$CONFIG['default_content'].'">Cancel and return to home page</a>';
exit(2);
}
@ -145,13 +166,27 @@ $keyFilename = $keypath.$username;
# Check all input
if (empty($_POST['username'])) {
echo "Please enter a Username\r\n";
echo '<br /><a href="register.php">Back</a>';
echo '<form name="return1" method="post" action="register.php">';
echo '<input name="user_email" type="hidden" id="user_email" value="'.$user_email.'" readonly="readonly">';
echo '<input type="submit" name="Submit" value="Back"></td>';
exit(2);
}
if ($_POST['password'] !== $_POST['password2']) {
if (($_POST['password'] !== $_POST['password2']) || $_POST['password'] == '') {
echo "Your passwords entered do not match\r\n";
echo '<br /><a href="register.php">Back</a>';
echo '<form name="return1" method="post" action="register.php">';
echo '<input name="username" type="hidden" id="username" value="'.$username.'" readonly="readonly">';
echo '<input name="user_email" type="hidden" id="user_email" value="'.$user_email.'" readonly="readonly">';
echo '<input type="submit" name="Submit" value="Back"></td>';
exit(2);
}
if (getExpressionResult($_POST['captchacode']) != $_POST['captcha']) {
echo "Incorrect captcha response\r\n";
echo '<form name="return1" method="post" action="register.php">';
echo '<input name="username" type="hidden" id="username" value="'.$username.'" readonly="readonly">';
echo '<input name="user_email" type="hidden" id="user_email" value="'.$user_email.'" readonly="readonly">';
echo '<input type="submit" name="Submit" value="Back"></td>';
exit(2);
}
@ -161,23 +196,25 @@ foreach($users as $user) {
if(!is_file($config_dir."/userconfig/".$user)) {
continue;
}
if ($userFileHandle = @fopen($config_dir."/userconfig/".$user, 'r')) {
while (!feof($userFileHandle))
{
$buffer = fgets($userFileHandle);
if(strpos($buffer, 'email:') !== FALSE) {
if(stripos($buffer, $user_email) !== FALSE) {
fclose($userFileHandle);
echo "Email exists in database\r\n";
echo '<br /><a href="register.php">Back</a>';
exit(2);
}
}
}
fclose($userFileHandle);
if(strcmp(get_user_config($user, 'mail'), $user_email) == 0) {
echo "Email exists in database\r\n";
echo '<form name="return1" method="post" action="register.php">';
echo '<input name="username" type="hidden" id="username" value="'.$username.'" readonly="readonly">';
echo '<input type="submit" name="Submit" value="Back"></td>';
exit(2);
}
}
# Check email address attempts to avoid abuse
$tried_email = unserialize(file_get_contents($email_registry));
if(isset($tried_email[$user_email])) {
echo "Email address already used\r\n";
echo '<form name="return1" method="post" action="register.php">';
echo '<input name="username" type="hidden" id="username" value="'.$username.'" readonly="readonly">';
echo '<input type="submit" name="Submit" value="Back"></td>';
exit(2);
}
if (!preg_match("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z0-9]{2,3})$^",$user_email)) {
echo "Email must be in the form of an email address\r\n";
echo '<br /><a href="register.php">Back</a>';
@ -237,7 +274,13 @@ if ($ok || ($command == "Create") )
$CONFIG['verify_email'] = false;
}
}
if($CONFIG['verify_email']) {
if($CONFIG['verify_email']) {
# Log email address attempts to avoid abuse
$tried_email = unserialize(file_get_contents($email_registry));
$tried_email[$user_email]['time'] = time();
file_put_contents($email_registry, serialize($tried_email));
$mail->SMTPOptions = array(
'ssl' => array(
@ -263,7 +306,11 @@ $mail->addAddress($user_email);
$mail->Subject = "Confirmation code for ".$_SERVER['HTTP_HOST'];
$mycode = create_code($username);
$msg="A request to create an account on ".$_SERVER['HTTP_HOST']." has been made using ".$user_email.".\n\nIf you did not request this, please ignore and the request will fail.\n\nThis is your account creation code: ".$mycode."\n\nNote: replies to this email address are not monitored";
$msg="A request to create an account on ".$_SERVER['HTTP_HOST'];
$msg.=" has been made using ".$user_email.".\n\n";
$msg.="If you did not request this, please ignore and the request will fail.\n\n";
$msg.="This is your account creation code: ".$mycode."\n\n";
$msg.="Note: replies to this email address are checked daily.";
$mail->Body = wordwrap($msg,70);
$mail->send();
@ -279,6 +326,7 @@ $mail->send();
echo '<input name="password" type="hidden" id="password" value="'.$password.'" readonly="readonly">';
echo '<input name="command" type="hidden" id="command" value="CreateNew" readonly="readonly">';
echo '<input name="user_email" type="hidden" id="user_email" value="'.$user_email.'" readonly="readonly">';
echo '<input name="key" type="hidden" value="'.password_hash($keys[0], PASSWORD_DEFAULT).'">';
echo '<input type="submit" name="Submit" value="Click Here to Create"></td>';
echo '<br/><br/><a href="'.$CONFIG['default_content'].'">Cancel and return to home page</a>';
} else {
@ -286,6 +334,31 @@ $mail->send();
exit(1);
}
function get_user_config($username,$request) {
global $config_dir;
$userconfigpath = $config_dir."userconfig/";
$username = strtolower($username);
$userFilename = $userconfigpath.$username;
if ($userFileHandle = @fopen($userFilename, 'r'))
{
while (!feof($userFileHandle))
{
$buffer = fgets($userFileHandle);
if(strpos($buffer, $request.':') !== FALSE) {
$userdataline=$buffer;
fclose($userFileHandle);
$userdatafound = explode(':',$userdataline);
return trim($userdatafound[1]);
}
}
fclose($userFileHandle);
return FALSE;
} else {
return FALSE;
}
}
function make_key($username) {
$key = openssl_random_pseudo_bytes(44);
return base64_encode($key);
@ -320,4 +393,43 @@ function get_config_value($configfile,$request) {
return FALSE;
}
}
function generateImage($text, $file) {
$im = @imagecreate(74, 25) or die("Cannot Initialize new GD image stream");
$background_color = imagecolorallocate($im, 200, 200, 200);
$text_color = imagecolorallocate($im, 0, 0, 0);
imagestring($im, 5, 5, 5, $text, $text_color);
imagepng($im, $file);
imagedestroy($im);
}
function getIndex($alphabet, $letter) {
for($i=0; $i<count($alphabet); $i++) {
$l = $alphabet[$i];
if($l === $letter) return $i;
}
}
function getExpressionResult($code) {
global $alphabet, $alphabetsForNumbers;
$userAlphabetIndex = getIndex($alphabet, substr($code, 0, 1));
$number1 = (int) getIndex($alphabetsForNumbers[$userAlphabetIndex], substr($code, 1, 1));
$number2 = (int) getIndex($alphabetsForNumbers[$userAlphabetIndex], substr($code, 2, 1));
return $number1 + $number2;
}
function prepareCaptcha($captchaImage) {
global $alphabet, $alphabetsForNumbers;
// generating expression
$expression = (object) array(
"n1" => rand(0, 9),
"n2" => rand(0, 9)
);
generateImage($expression->n1.' + '.$expression->n2.' =', $captchaImage);
$usedAlphabet = rand(0, 9);
$code = $alphabet[$usedAlphabet].
$alphabetsForNumbers[$usedAlphabet][$expression->n1].
$alphabetsForNumbers[$usedAlphabet][$expression->n2];
return($code);
}
?>
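Review bot: `unlink($_POST['captchaimage']);` at the top of register.php runs before any validation and deletes whatever path the client places in the hidden `captchaimage` field, so a crafted POST can remove any file the web server process is permitted to delete, not just the captcha image this script wrote. Since the value only ever needs to name a file created under `../tmp/`, reduce it to that shape first: `$img = basename($_POST['captchaimage'] ?? ''); if (preg_match('/^captcha\d+\.png$/', $img)) { @unlink('../tmp/'.$img); }`. The hidden `captchacode` field has the same trust problem: `getExpressionResult()` derives the expected answer purely from the client-supplied code and the static tables in alphabet.inc.php, so a client can choose a code (e.g. `KKK`, whose answer is `0`) or decode the one it was given, which defeats the captcha; keep the expected answer server-side (e.g. in the session) instead of round-tripping it through the form. The reflected `$_POST[username]` / `$_POST[user_email]` values in the form hunk are echoed into attribute values without `htmlspecialchars()`, and the bare-word array keys are a fatal "Undefined constant" error on PHP 8. These hunks sit in register.php's top-level statement run, which continues outside them.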


@ -2,16 +2,9 @@
# Server info and credentials for sending email
# (sending mail requires PHPMailer package installed)
if(is_file('/usr/share/php/libphp-phpmailer/src/PHPMailer.php')) {
$phpmailer['phpmailer'] = '/usr/share/php/libphp-phpmailer/src/PHPMailer.php';
$phpmailer['smtp'] = '/usr/share/php/libphp-phpmailer/src/SMTP.php';
} elseif(is_file('/usr/share/php/libphp-phpmailer/class.phpmailer.php')) {
$phpmailer['phpmailer'] = '/usr/share/php/libphp-phpmailer/class.phpmailer.php';
$phpmailer['smtp'] = '/usr/share/php/libphp-phpmailer/class.smtp.php';
} elseif(is_file('/usr/local/share/phpmailer/class.phpmailer.php')) {
$phpmailer['phpmailer'] = '/usr/local/share/phpmailer/class.phpmailer.php';
$phpmailer['smtp'] = '/usr/local/share/phpmailer/class.smtp.php';
}
$phpmailer['exception'] = '/usr/share/php/libphp-phpmailer/src/Exception.php';
$mailer = array();
$mailer['host'] = "mail.example.com";
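Review bot: Dropping the two `elseif` fallbacks leaves `$phpmailer['phpmailer']` and `$phpmailer['smtp']` unset on any install where `/usr/share/php/libphp-phpmailer/src/PHPMailer.php` is absent, while `$phpmailer['exception']` is now assigned unconditionally to a path that only exists in that same layout. Move the `exception` assignment inside the `if` so the three entries are set together, e.g. `$phpmailer['exception'] = '/usr/share/php/libphp-phpmailer/src/Exception.php';` as the last line of the `if` body, and add an `else` that fails loudly (or leaves a comment explaining that PHPMailer is required) rather than letting the later include fail with an undefined index. The statement run continues past this hunk.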