<?php require_once($_SERVER['DOCUMENT_ROOT'] . "/eclipse.org-common/system/app.class.php"); require_once($_SERVER['DOCUMENT_ROOT'] . "/eclipse.org-common/system/nav.class.php"); require_once($_SERVER['DOCUMENT_ROOT'] . "/eclipse.org-common/system/menu.class.php"); $App = new App(); $Nav = new Nav(); $Menu = new Menu(); include("_projectCommon.php"); # Bootstrap kept on one line so the page source stays uncluttered. NOTE(review): $xss_patterns, $name_regexp, $email_regexp, $theme and $html used later are not defined in this file; presumably they come from app.class.php or _projectCommon.php - confirm.
/*******************************************************************************
* Copyright (c) 2012 Eclipse Foundation and others.
* All rights reserved. This program and the accompanying materials
* are made available under the terms of the Eclipse Public License v1.0
* which accompanies this distribution, and is available at
* http://www.eclipse.org/legal/epl-v10.html
*
* Contributors:
* Denis Roy (Eclipse Foundation)- initial API and implementation
*******************************************************************************/
# Page setup: this page carries account and password forms, so it must never be cached.
# Explicit content-type / cache headers are sent in addition to whatever preventCaching() does.
$App->preventCaching();
$pageTitle = "Eclipse.org account";
$pageKeywords = "eclipse,friends,login,account,signon,sign-on,register";
$pageAuthor = "Eclipse Foundation, Inc.";
header("Content-type: text/html; charset=utf-8");
header("Cache-Control: no-cache, must-revalidate");
# Form fields are read from POST only. stage/t/p carry no source argument, so presumably
# getHTTPParameter() also accepts them from the query string (the e-mailed links use ?t=) - confirm.
$username = $App->getHTTPParameter("username", "POST");
$submit = $App->getHTTPParameter("submit", "POST");
$fname = $App->getHTTPParameter("fname", "POST");
$lname = $App->getHTTPParameter("lname", "POST");
$password1 = $App->getHTTPParameter("password1", "POST");
$password2 = $App->getHTTPParameter("password2", "POST");
$skill = $App->getHTTPParameter("skill", "POST");
$agree = $App->getHTTPParameter("agree", "POST");
$stage = $App->getHTTPParameter("stage");
$token = $App->getHTTPParameter("t");
$p = $App->getHTTPParameter("p");
$error = "";
$reset_error = "";
# Sanitize for XSS
# NOTE(review): the XSS strip is also applied to password1/password2, which silently alters
# any password containing a matched pattern before it is checked or stored. In this file the
# passwords are only ever placed in SQL (through sqlSanitize()) and never echoed, so the
# strip does not add output safety here - confirm whether it is needed by downstream code.
$username = preg_replace($xss_patterns, '', $username);
$fname = preg_replace($name_regexp, '', $fname);
$lname = preg_replace($name_regexp, '', $lname);
$password1 = preg_replace($xss_patterns, '', $password1);
$password2 = preg_replace($xss_patterns, '', $password2);
# The token is reduced to [a-zA-Z0-9] (the alphabet getAlphaCode() output is filtered to).
# Worth keeping: the sentinel values stored in the token column ('TOKEN_FAILED',
# 'CONFIRM_SUCCESS', 'PASSWORD_SUCCESS') contain an underscore, so a client-supplied
# token can never match one of those rows.
$token = preg_replace("/[^a-zA-Z0-9]/", "", $token);
# Derive the stage from the request when it is not given explicitly. Order matters: a later
# match overrides an earlier one, so token + password1 always means "reset3" even when p=p.
if($token != "" && $stage == "") {
$stage = "confirm";
}
if($token != "" && $p == "p") {
$stage = "reset2";
}
if($token != "" && $password1 != "") {
$stage = "reset3";
}
# Default content file, derived from the script name - not from request data.
$includefile = "content/en_" . $App->getScriptName();
# Undo magic quotes (PHP < 5.4) for password1 only. NOTE(review): password2 is read above
# but never compared with password1 anywhere in this file - TODO confirm the confirmation
# check happens elsewhere (client side or in the included form).
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
$password1 = stripslashes($password1);
}
require_once($_SERVER['DOCUMENT_ROOT'] . "/eclipse.org-common/classes/friends/friend.class.php");
require_once($_SERVER['DOCUMENT_ROOT'] . "/eclipse.org-common/system/session.class.php");
# Absolute path outside DOCUMENT_ROOT: the LDAP class is not web-served.
require_once '/home/data/httpd/eclipse-php-classes/system/ldapconnection.class.php';
# $Friend is not referenced again in this file; presumably used by the included content files.
$Friend = new Friend();
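# --- Stage "create": a new registration form was posted (all fields come from POST).
if($stage == "create") {
if($username != "" && $fname != "" && $lname != "" && $password1 != "") {
# Create an account. Check to ensure this IP address hasn't flooded us with requests
# or that this email address doesn't already have an account.
# Every branch below writes a row keyed on REMOTE_ADDR, so failed attempts count too and a
# shared egress address (NAT/proxy) reaches the limit collectively. REMOTE_ADDR is passed
# through sqlSanitize() here for consistency with the UPDATE statements in the later stages.
$SQL = "SELECT /* USE MASTER */ COUNT(1) AS RecordCount FROM account_requests WHERE ip = " . $App->returnQuotedString($App->sqlSanitize($_SERVER['REMOTE_ADDR']));
$rs = $App->eclipse_sql($SQL);
$myrow = mysql_fetch_assoc($rs);
if($myrow['RecordCount'] >= 25) {
$error = "<b>You have already submitted a request. Please check your email inbox and spam folders to respond to the previous request.</b> (8723s)";
}
else {
# Fallback message; both branches below overwrite it. The closing </b> was missing and
# "ocurred" was misspelled.
$error = "<b>An unknown error has occurred. Please try later.</b>";
# Check LDAP
$ldap = new LDAPConnection();
if(! $ldap->checkEmailAvailable($username)) {
$error = "<b>That account already exists. If you cannot remember your password, please use the password reset option below.</b> (8725s)";
# Jot this down to avoid repetitively polling ldap. Column order appears to be
# email, ?, fname, lname, password, ip, date, token (inferred from the other queries) - confirm.
$App->eclipse_sql("INSERT INTO account_requests VALUES (" . $App->returnQuotedString($App->sqlSanitize($username)) . ",
'',
" . $App->returnQuotedString($App->sqlSanitize($fname)) . ",
" . $App->returnQuotedString($App->sqlSanitize($lname)) . ",
'',
" . $App->returnQuotedString($App->sqlSanitize($_SERVER['REMOTE_ADDR'])) . ",
NOW(),
" . $App->returnQuotedString("CREATE_FAILED") . ")");
$EventLog = new EvtLog();
$EventLog->setLogTable("__ldap");
$EventLog->setPK1($username);
$EventLog->setPK2($_SERVER['REMOTE_ADDR']);
$EventLog->setLogAction("ACCT_CREATE_ALREADY_EXISTS");
$EventLog->insertModLog("apache");
}
else {
# Collect every validation failure before reporting.
$error = "";
if($agree != 1) {
$error .= "- You must agree to the terms and conditions of use<br />";
}
if(!preg_match($email_regexp, $username)) {
$error .= "- Your email address is not formatted correctly<br />";
}
# The expected answer is a constant, so this is a weak bot check rather than a captcha.
if($skill != 16) {
$error .= "- You haven't answered the mathematical question correctly<br />";
}
# At least 6 chars, one letter, and one digit OR one symbol. Note the reset3 stage and
# generatePassword() require a digit (no symbol alternative), so the two rules differ.
if(!preg_match("/(?=^.{6,}$)(?=.*[\d|\W])(?=.*[A-Za-z]).*$/", $password1)) {
$error .= "- Your password does not meet the complexity requirements. It must be at least 6 characters long, and contain one number or one symbol.<br />";
}
# Houston, we have a problem.
if($error != "") {
$error = "<b>Your request could not be processed for the following reason(s):<br/>" . $error . "</b>";
}
else {
# Add request to database
# NOTE(review): password1 is stored as sent (escaped for SQL only); whatever later turns
# this row into an account reads the clear-text value from the table - not in this file.
$token = $App->getAlphaCode(64);
mysql_set_charset('utf8');
$App->eclipse_sql("INSERT INTO account_requests VALUES (" . $App->returnQuotedString($App->sqlSanitize(trim($username))) . ",
'',
" . $App->returnQuotedString($App->sqlSanitize(trim($fname))) . ",
" . $App->returnQuotedString($App->sqlSanitize(trim($lname))) . ",
'" . $App->sqlSanitize($password1) . "',
" . $App->returnQuotedString($App->sqlSanitize($_SERVER['REMOTE_ADDR'])) . ",
NOW(),
" . $App->returnQuotedString($token) . ")");
$EventLog = new EvtLog();
$EventLog->setLogTable("__ldap");
$EventLog->setPK1($token);
$EventLog->setPK2($_SERVER['REMOTE_ADDR']);
$EventLog->setLogAction("ACCT_CREATE_REQ_SUCCESS");
$EventLog->insertModLog($username);
# Send mail to dest. The recipient passed $email_regexp above and the headers are fixed
# strings; $fname (name-filtered only) and $username are interpolated into the body only.
$mail = "Dear $fname,\n\n";
$mail .= "Thank you for registering for an account at Eclipse.org. Before we can activate your account one last step must be taken to complete your registration.\n\n";
$mail .= "To complete your registration, please visit this URL:\nhttps://dev.eclipse.org/site_login/r.php?t=$token\n\n";
$mail .= "Your Username is: $username\n\n";
$mail .= "If you have any problems signing up please contact webmaster@eclipse.org\n\n";
$mail .= " -- Eclipse webmaster\n";
$headers = 'From: Eclipse Webmaster (automated) <webmaster@eclipse.org>' . "\n" . 'Content-Type: text/plain; charset=UTF-8';
mail($username, "Eclipse Account Registration", $mail, $headers);
$includefile = "content/en_createsuccess.php";
}
}
# NOTE(review): $ds is never assigned in this file (the connection object here is $ldap),
# so unless an include defines it globally this closes nothing and raises a notice -
# check LDAPConnection for a close method and use that instead.
ldap_close($ds);
}
}
else {
$error = "An error occurred while processing your request. Please ensure that all the required fields are entered correctly and try again. (8726s)";
}
}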
# --- Stage "reset" (step 1): an e-mail address was posted; issue a token and mail it.
if($stage == "reset") {
# reset stage 1. We got an email address, create token and email to user
# make sure someone isn't blasting us. We disregard "token failed" since a common use-case
# is to click the reset link after it has expired.
# Counts every RESET row this IP has produced (valid or not, see the INSERT below); limit 13.
$SQL = "SELECT /* USE MASTER */ COUNT(1) AS RecordCount FROM account_requests WHERE token <> 'TOKEN_FAILED' AND fname = 'RESET' AND lname = 'RESET' AND ip = " . $App->returnQuotedString($_SERVER['REMOTE_ADDR']);
$rs = $App->eclipse_sql($SQL);
$myrow = mysql_fetch_assoc($rs);
if($myrow['RecordCount'] >= 13) {
$error = "<b>We were unable to determine your identity after several attempts. Subsequent inquiries will be ignored for our protection. Please try later, or contact webmaster@eclipse.org for support.</b> (8727s)";
$includefile = "content/en_reset_error.php";
}
else {
# Check to see if we're trying to reset the password of a valid account.
# NOTE(review): $ldap is never closed in this stage.
$ldap = new LDAPConnection();
$token = $App->getAlphaCode(64);
# The request row is written BEFORE the address is validated or looked up, so malformed and
# unknown addresses still consume one of the 13 attempts for this IP. The password column
# receives whatever password1 was posted (presumably empty on the reset form - confirm).
$App->eclipse_sql("INSERT IGNORE INTO account_requests VALUES (" . $App->returnQuotedString($App->sqlSanitize($username)) . ",
'',
" . $App->returnQuotedString("RESET") . ",
" . $App->returnQuotedString("RESET") . ",
'" . $App->sqlSanitize($password1) . "',
" . $App->returnQuotedString($_SERVER['REMOTE_ADDR']) . ",
NOW(),
" . $App->returnQuotedString($token) . ")");
# On these two error paths $includefile keeps its default value; presumably that content
# file renders $reset_error - confirm.
if(!preg_match($email_regexp, $username)) {
$reset_error = "<b>Your email address is not formatted correctly.</b><br />";
}
elseif($ldap->checkEmailAvailable($username)) {
# "Available" means no LDAP account has this address. NOTE(review): this response differs
# from the success path, so it discloses whether an address has an account; the per-IP
# limit above is the only brake on that.
$reset_error = "<b>We were unable to determine your identity with the information you've supplied.</b> Perhaps you don't have an Eclipse.org account, or your account is under a different email address.(8x27s)";
}
else {
# Send mail to dest. The recipient passed $email_regexp above; the headers are a fixed
# string (no Content-Type here, unlike the create stage - the body is plain ASCII).
$mail = "You (or someone pretending to be you) has requested a password reset from:\n";
$mail .= " " . $_SERVER['REMOTE_ADDR'] . "\n\n";
$mail .= "To change your password, please visit this URL:\nhttps://dev.eclipse.org/site_login/p.php?t=$token\n\n";
$mail .= "If you have not requested this change, you can safely let it expire. If you have any problems signing in please contact webmaster@eclipse.org\n\n";
$mail .= " -- Eclipse webmaster\n";
$headers = 'From: Eclipse Webmaster (automated) <webmaster@eclipse.org>';
mail($username, "Eclipse Account Password Reset", $mail, $headers);
$pageTitle = "Password reset";
$includefile = "content/en_reset.php";
$EventLog = new EvtLog();
$EventLog->setLogTable("__ldap");
$EventLog->setPK1($token);
$EventLog->setPK2($_SERVER['REMOTE_ADDR']);
$EventLog->setLogAction("PASSWD_RESET_REQ");
$EventLog->insertModLog($username);
}
}
}
# --- Stage "reset2" (step 2): the user followed the e-mailed link (?t=TOKEN&p=p).
if($stage == "reset2") {
# reset stage 2. We got an token back. If we find a record, allow user to reset password, then proceed to stage3
# (set again unchanged in the success branch below).
$includefile = "content/en_reset.php";
if($token != "") {
# COUNT(1) alongside a non-aggregated column yields a single row: RecordCount 0 and a NULL
# email when nothing matches. Only the token is matched, not the fname/lname = 'RESET' marker.
$SQL = "SELECT /* USE MASTER */ email, COUNT(1) AS RecordCount FROM account_requests WHERE token = " . $App->returnQuotedString($App->sqlSanitize($token));
$rs = $App->eclipse_sql($SQL);
$myrow = mysql_fetch_assoc($rs);
if($myrow['RecordCount'] <= 0) {
$error = "<b>The supplied reset token is invalid; perhaps it has expired? Please wait 5 minutes and try to <a href='createaccount.php'>reset your password again</a>. If the problem persits, please contact webmaster@eclipse.org.</b> (8129rs)";
$includefile = "content/en_reset_error.php";
# If we can't find a record, insert a record preventing this dude from bombing us.
# The reset-stage counter ignores TOKEN_FAILED rows; the confirm stage counts them per IP.
$token = $App->getAlphaCode(64);
$App->eclipse_sql("INSERT INTO account_requests VALUES (" . $App->returnQuotedString($App->sqlSanitize($token)) . ",
'',
'token_failed',
'token_failed',
'token_failed',
" . $App->returnQuotedString($_SERVER['REMOTE_ADDR']) . ",
NOW(),
'TOKEN_FAILED')"
);
}
else {
# display password reset page.
$includefile = "content/en_reset.php";
$EventLog = new EvtLog();
$EventLog->setLogTable("__ldap");
$EventLog->setPK1($token);
$EventLog->setPK2($_SERVER['REMOTE_ADDR']);
$EventLog->setLogAction("PASSWD_RESET_CONF");
$EventLog->insertModLog($myrow['email']);
# Update this row, change IP address to reflect that of the person who successfully confirmed this email to avoid bombing
# (left disabled: the token must stay valid so the reset3 submission can find it; it is
# consumed there by the PASSWORD_SUCCESS update).
# $SQL = "UPDATE account_requests SET token = 'CONFIRM_SUCCESS', ip = " . $App->returnQuotedString($App->sqlSanitize($_SERVER['REMOTE_ADDR']))
# . " WHERE token = " . $App->returnQuotedString($App->sqlSanitize($token));
#$rs = $App->eclipse_sql($SQL);
}
}
}
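# --- Stage "reset3" (step 3): a token plus a new password were posted (this stage is
# forced whenever both are present, see the stage derivation above).
if($stage == "reset3") {
# reset stage 3. We got a token back, and user is submitting a password.
$includefile = "content/en_reset.php";
if($token != "" && $password1 != "") {
# Only the token is matched: any row with this token qualifies, including a registration
# token issued by the create stage (same table, same column) - TODO confirm that is intended.
$SQL = "SELECT /* USE MASTER */ email, COUNT(1) AS RecordCount FROM account_requests WHERE token = " . $App->returnQuotedString($App->sqlSanitize($token));
$rs = $App->eclipse_sql($SQL);
$myrow = mysql_fetch_assoc($rs);
if($myrow['RecordCount'] <= 0) {
$error = "<b>We were unable to validate your request. The supplied token is invalid; perhaps it has expired? Please try to <a href='createaccount.php'>reset your password again</a>. If the problem persits, please contact webmaster@eclipse.org.</b> (8329rs)";
# If we can't find a record, insert a record preventing this dude from bombing us
# (these TOKEN_FAILED rows are what the confirm stage counts per IP).
$token = $App->getAlphaCode(64);
$App->eclipse_sql("INSERT INTO account_requests VALUES (" . $App->returnQuotedString($App->sqlSanitize($token)) . ",
'',
'token_failed',
'token_failed',
'token_failed',
" . $App->returnQuotedString($_SERVER['REMOTE_ADDR']) . ",
NOW(),
'TOKEN_FAILED')"
);
}
else {
# Same rule as generatePassword(): at least 6 characters, one digit and one letter.
# (The create stage accepts a symbol in place of the digit, so the two rules differ.)
if(!preg_match("/(?=^.{6,}$)(?=.*\d)(?=.*[A-Za-z]).*$/", $password1)) {
# $error is still empty here (stages are mutually exclusive), so plain assignment;
# the message now states the rule the regex actually enforces.
$error = "- Your password does not meet the complexity requirements: it must be at least 6 characters long and contain at least one number and one letter.<br />";
}
else {
# Update this row, change IP address to reflect that of the person who successfully confirmed this password to avoid bombing.
# Setting the token to PASSWORD_SUCCESS also consumes it: a client token is filtered to
# [a-zA-Z0-9] and can never match the underscore. NOTE(review): the new password is
# written to account_requests as sent (SQL-escaped only); whatever reads that column
# later gets the clear-text value - not in this file.
$SQL = "UPDATE account_requests SET token = 'PASSWORD_SUCCESS', password='" . $App->sqlSanitize($password1) . "', ip = " . $App->returnQuotedString($App->sqlSanitize($_SERVER['REMOTE_ADDR']))
. " WHERE token = " . $App->returnQuotedString($App->sqlSanitize($token));
$rs = $App->eclipse_sql($SQL);
# Plain assignment: the original "=&" on a function result only raises a notice and
# does not change the value received.
$bzpass = generateBugzillaSHA256Password($password1);
# The same statement is applied to both Bugzilla databases.
$SQL = "UPDATE profiles SET cryptpassword='" . $App->sqlSanitize($bzpass) . "' WHERE login_name = " . $App->returnQuotedString($App->sqlSanitize($myrow['email'])) . " LIMIT 1";
$App->bugzilla_sql($SQL);
$App->ipzilla_sql($SQL);
# Logged with the token as it was presented (the row now carries PASSWORD_SUCCESS).
$EventLog = new EvtLog();
$EventLog->setLogTable("__ldap");
$EventLog->setPK1($token);
$EventLog->setPK2($_SERVER['REMOTE_ADDR']);
$EventLog->setLogAction("PASSWD_RESET_SUCCESS");
$EventLog->insertModLog($myrow['email']);
}
}
}
}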
# --- Stage "confirm": the user followed the registration link (?t=TOKEN, no p, no password).
if($stage == "confirm") {
$includefile = "content/en_confirm.php";
# Per-IP brake: any earlier TOKEN_FAILED or CONFIRM_SUCCESS row from this address blocks the
# confirmation. A second legitimate confirmation from the same address (shared NAT, office
# proxy) is refused as well; nothing in this file expires those rows - presumably a job elsewhere.
$SQL = "SELECT /* USE MASTER */ COUNT(1) AS RecordCount FROM account_requests WHERE token IN ('TOKEN_FAILED', 'CONFIRM_SUCCESS') AND ip = " . $App->returnQuotedString($_SERVER['REMOTE_ADDR']);
$rs = $App->eclipse_sql($SQL);
$myrow = mysql_fetch_assoc($rs);
if($myrow['RecordCount'] > 0) {
$error = "<b>You have already submitted a request. Please check your email inbox and spam folders to respond to the previous request.</b> (8728s)";
}
else {
if($token != "") {
# Single-row result: RecordCount 0 and NULL email when the token is unknown.
$SQL = "SELECT /* USE MASTER */ email, COUNT(1) AS RecordCount FROM account_requests WHERE token = " . $App->returnQuotedString($App->sqlSanitize($token));
$rs = $App->eclipse_sql($SQL);
$myrow = mysql_fetch_assoc($rs);
if($myrow['RecordCount'] <= 0) {
$error = "<b>We were unable to validate your request. The supplied token is invalid; perhaps it has expired? Please try creating your account again, and contact webmaster@eclipse.org if the problem persists.</b> (8729s)";
# If we can't find a record, insert a record preventing this dude from bombing us
# (this TOKEN_FAILED row is what the counter above sees on the next visit).
$token = $App->getAlphaCode(64);
$App->eclipse_sql("INSERT INTO account_requests VALUES (" . $App->returnQuotedString($App->sqlSanitize($token)) . ",
'',
'token_failed',
'token_failed',
'token_failed',
" . $App->returnQuotedString($_SERVER['REMOTE_ADDR']) . ",
NOW(),
'TOKEN_FAILED')"
);
# NOTE(review): the SQL-escaped form of the token is what gets logged as PK1 here and
# below (the other stages log the raw token); harmless for an alphanumeric token.
$EventLog = new EvtLog();
$EventLog->setLogTable("__ldap");
$EventLog->setPK1($App->sqlSanitize($token));
$EventLog->setPK2($_SERVER['REMOTE_ADDR']);
$EventLog->setLogAction("ACCT_CREATE_TOKEN_FAILED");
$EventLog->insertModLog("apache");
}
else {
# Update this row, change IP address to reflect that of the person who successfully confirmed this email to avoid bombing.
# Setting the token to CONFIRM_SUCCESS also consumes it (client tokens are filtered to
# [a-zA-Z0-9] and cannot contain the underscore). Whatever turns the confirmed row into
# an LDAP account happens outside this file.
$SQL = "UPDATE account_requests SET token = 'CONFIRM_SUCCESS', ip = " . $App->returnQuotedString($App->sqlSanitize($_SERVER['REMOTE_ADDR']))
. " WHERE token = " . $App->returnQuotedString($App->sqlSanitize($token));
$rs = $App->eclipse_sql($SQL);
$EventLog = new EvtLog();
$EventLog->setLogTable("__ldap");
$EventLog->setPK1($App->sqlSanitize($token));
$EventLog->setPK2($_SERVER['REMOTE_ADDR']);
$EventLog->setLogAction("ACCT_CREATE_CONFIRM_SUCCESS");
$EventLog->insertModLog($myrow['email']);
}
}
else {
# Only reachable when stage=confirm is passed explicitly without a token; the automatic
# stage derivation above never selects "confirm" with an empty token.
$error = "<b>We were unable to validate your request. The supplied token is invalid. Please contact webmaster@eclipse.org.</b>";
}
}
}
# Render: $includefile is either the script-name-derived default or one of the fixed
# "content/en_*.php" literals chosen above - never request data. The content file is
# presumably what defines $html (and $theme) for generatePage() - confirm.
include($includefile);
# Generate the web page
$App->generatePage($theme, $Menu, $Nav, $pageAuthor, $pageKeywords, $pageTitle, $html);
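/**
 * Build a random password of exactly $_num_chars characters that satisfies the
 * rule enforced by the reset3 stage: at least 6 characters, at least one digit
 * and at least one ASCII letter.
 *
 * Fixes: the inner loop ran to "<= $_num_chars" and so produced one character
 * too many; and rand()/srand(microtime) - reseeded on every pass, predictable -
 * is replaced by random_int() where available (CSPRNG, PHP 7+) with mt_rand()
 * as the fallback on older runtimes.
 *
 * @param int $_num_chars number of characters in the returned password
 * @return string
 */
function generatePassword($_num_chars) {
    global $App;
    // Single quotes: the string contains '$' characters, which must stay literal.
    $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1023456789,.;:/@#$%^&*()-_=+';
    $alphabetSize = strlen($chars);
    $loopcount = 0;
    $rValue = "";
    // Redraw until the candidate matches. With $_num_chars >= 6 this terminates
    // quickly; shorter requests can never match and hit the antilooper below.
    while (!preg_match("/(?=^.{6,}$)(?=.*\d)(?=.*[A-Za-z]).*$/", $rValue)) {
        $rValue = "";
        $loopcount++;
        for ($i = 0; $i < $_num_chars; $i++) {
            $num = function_exists('random_int')
                ? random_int(0, $alphabetSize - 1)
                : mt_rand(0, $alphabetSize - 1);
            $rValue .= $chars[$num];
        }
        # antilooper: after 1000 failed draws fall back to a fixed prefix that
        # satisfies the rule plus a short code from App (8 characters in total).
        if($loopcount > 1000) {
            $rValue = 'aA1$' . $App->getAlphaCode(4);
        }
    }
    return $rValue;
}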
?>