<?php
# Bootstrap of the shared eclipse.org page framework: App (request parameters and
# SQL helpers used throughout this script), Nav and Menu (page chrome), followed by
# the site-wide common settings. The original kept all of this on one line.
require_once $_SERVER['DOCUMENT_ROOT'] . "/eclipse.org-common/system/app.class.php";
require_once $_SERVER['DOCUMENT_ROOT'] . "/eclipse.org-common/system/nav.class.php";
require_once $_SERVER['DOCUMENT_ROOT'] . "/eclipse.org-common/system/menu.class.php";
$App  = new App();
$Nav  = new Nav();
$Menu = new Menu();
include "_projectCommon.php";
/*******************************************************************************
* Copyright (c) 2012 Eclipse Foundation and others.
* All rights reserved. This program and the accompanying materials
* are made available under the terms of the Eclipse Public License v1.0
* which accompanies this distribution, and is available at
* http://www.eclipse.org/legal/epl-v10.html
*
* Contributors:
* Denis Roy (Eclipse Foundation)- initial API and implementation
*******************************************************************************/
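# Pages that handle credentials and single-use tokens must never be served from a cache.
$App->preventCaching();

$pageTitle = "Eclipse.org account";
$pageKeywords = "eclipse,friends,login,account,signon,sign-on,register";
$pageAuthor = "Eclipse Foundation, Inc.";
header("Content-type: text/html; charset=utf-8");
header("Cache-Control: no-cache, must-revalidate");

# Form fields are accepted from POST only. The workflow selectors ($stage, $token
# and $p) are read without a method restriction because the e-mailed links built
# further down carry them in the query string (r.php?t=... and p.php?t=...).
$username = $App->getHTTPParameter("username", "POST");
$submit = $App->getHTTPParameter("submit", "POST");
$fname = $App->getHTTPParameter("fname", "POST");
$lname = $App->getHTTPParameter("lname", "POST");
$password1 = $App->getHTTPParameter("password1", "POST");
$password2 = $App->getHTTPParameter("password2", "POST");
$skill = $App->getHTTPParameter("skill", "POST");
$agree = $App->getHTTPParameter("agree", "POST");
$stage = $App->getHTTPParameter("stage");
$token = $App->getHTTPParameter("t");
$p = $App->getHTTPParameter("p");

$error = "";
$reset_error = "";

# Sanitize for XSS. $xss_patterns, $name_regexp and $email_regexp are not defined
# in this file; presumably they come from _projectCommon.php — confirm.
$username = preg_replace($xss_patterns, '', $username);
$fname = preg_replace($name_regexp, '', $fname);
$lname = preg_replace($name_regexp, '', $lname);
# NOTE(review): the XSS filter is applied to the passwords themselves, so whatever
# it strips is silently removed from the credential that is stored further down;
# a password containing a filtered substring ends up different from what was typed.
$password1 = preg_replace($xss_patterns, '', $password1);
$password2 = preg_replace($xss_patterns, '', $password2);
# Tokens are produced by getAlphaCode() (presumably alphanumeric), so anything
# outside [A-Za-z0-9] is noise and is dropped before the token reaches SQL or logs.
$token = preg_replace("/[^a-zA-Z0-9]/", "", $token);

# Derive the workflow stage from the e-mailed link parameters. A request that
# carries both a token and a password is always treated as the final reset step,
# whatever $stage value was supplied with it.
if($token != "" && $stage == "") {
    $stage = "confirm";
}

if($token != "" && $p == "p") {
    $stage = "reset2";
}
if($token != "" && $password1 != "") {
    $stage = "reset3";
}

# Default content fragment; the stage handlers below override it as needed.
$includefile = "content/en_" . $App->getScriptName();
# Legacy magic_quotes support: undo the automatic escaping on both password
# fields, not only the first, so a later equality check between them is not
# broken by a quote or backslash in the password.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $password1 = stripslashes($password1);
    $password2 = stripslashes($password2);
}

require_once($_SERVER['DOCUMENT_ROOT'] . "/eclipse.org-common/classes/friends/friend.class.php");
require_once($_SERVER['DOCUMENT_ROOT'] . "/eclipse.org-common/system/session.class.php");
require_once '/home/data/httpd/eclipse-php-classes/system/ldapconnection.class.php';
$Friend = new Friend();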
| |
if($stage == "create") {
    # Stage "create": queue an account request and e-mail a confirmation token.
    # The account itself is not provisioned here; the row written to
    # account_requests (keyed by the token) is what the "confirm" stage below and,
    # presumably, an out-of-band provisioning step act on — confirm.
    if($username != "" && $fname != "" && $lname != "" && $password1 != "") {
        # Create an account. Check to ensure this IP address hasn't flooded us with requests
        # or that this email address doesn't already have an account
        # Flood control: every stage in this file writes a row tagged with the
        # caller's IP and this query has no time window, so the cap of 25 is
        # effectively lifetime-per-IP unless rows are purged elsewhere (the reset
        # messages talk about tokens expiring, so presumably a job does — confirm).
        $SQL = "SELECT /* USE MASTER */ COUNT(1) AS RecordCount FROM account_requests WHERE ip = " . $App->returnQuotedString($_SERVER['REMOTE_ADDR']);
        $rs = $App->eclipse_sql($SQL);
        $myrow = mysql_fetch_assoc($rs);
        if($myrow['RecordCount'] >= 25) {
            $error = "<b>You have already submitted a request. Please check your email inbox and spam folders to respond to the previous request.</b> (8723s)";
        }
        else {
            # Placeholder only: both branches below assign $error, so this text
            # (note the unclosed <b>) is never shown unless checkEmailAvailable() throws.
            $error = "<b>An unknown error has ocurred. Please try later.";
            # Check LDAP
            $ldap = new LDAPConnection();
            if(! $ldap->checkEmailAvailable($username)) {
                $error = "<b>That account already exists. If you cannot remember your password, please use the password reset option below.</b> (8725s)";
                # Jot this down to avoid repetitively polling ldap
                # (the CREATE_FAILED row also counts towards the per-IP cap above).
                $App->eclipse_sql("INSERT INTO account_requests VALUES (" . $App->returnQuotedString($App->sqlSanitize($username)) . ",
'',
" . $App->returnQuotedString($App->sqlSanitize($fname)) . ",
" . $App->returnQuotedString($App->sqlSanitize($lname)) . ",
'',
" . $App->returnQuotedString($_SERVER['REMOTE_ADDR']) . ",
NOW(),
" . $App->returnQuotedString("CREATE_FAILED") . ")");

                # Audit trail for the duplicate attempt. EvtLog is not required in
                # this file, so it must be provided by one of the includes above.
                $EventLog = new EvtLog();
                $EventLog->setLogTable("__ldap");
                $EventLog->setPK1($username);
                $EventLog->setPK2($_SERVER['REMOTE_ADDR']);
                $EventLog->setLogAction("ACCT_CREATE_ALREADY_EXISTS");
                $EventLog->insertModLog("apache");
            }
            else {
                # Address is free: validate the form. Problems accumulate so the
                # user sees all of them at once.
                $error = "";
                if($agree != 1) {
                    $error .= "- You must agree to the terms and contitions of use<br />";
                }

                # This regex check is the only thing standing between the posted
                # address and the To: argument of mail() below; it must reject
                # CR/LF or the message headers can be extended — confirm the pattern.
                if(!preg_match($email_regexp, $username)) {
                    $error .= "- Your email address is not formatted correctly<br />";
                }

                # "Mathematical question" with a single fixed answer: it only stops
                # naive form posts; the per-IP cap above is the real flood control.
                if($skill != 16) {
                    $error .= "- You haven't answered the mathematical question correctly<br />";
                }
                # Complexity rule: 6+ chars, one letter and one digit-or-symbol.
                # ([\d|\W] also matches a literal '|', harmless here.) The reset3
                # stage applies a stricter rule (digit mandatory) — the two differ.
                if(!preg_match("/(?=^.{6,}$)(?=.*[\d|\W])(?=.*[A-Za-z]).*$/", $password1)) {
                    $error .= "- Your password does not meet the complexity requirements. It must be at least 6 characters long, and contain one number or one symbol.<br />";
                }

                # Houston, we have a problem.
                if($error != "") {
                    $error = "<b>Your request could not be processed for the following reason(s):<br/>" . $error . "</b>";
                }
                else {
                    # Add request to database
                    $token = $App->getAlphaCode(64);
                    # Charset is only set on this path; the other stages do not call it.
                    mysql_set_charset('utf8');
                    # NOTE(review): the candidate password is stored unhashed (only
                    # SQL-escaped) until the account is provisioned, so anyone who can
                    # read account_requests sees it. Hashing here would require the
                    # provisioning step (not in this file) to accept a hash.
                    $App->eclipse_sql("INSERT INTO account_requests VALUES (" . $App->returnQuotedString($App->sqlSanitize(trim($username))) . ",
'',
" . $App->returnQuotedString($App->sqlSanitize(trim($fname))) . ",
" . $App->returnQuotedString($App->sqlSanitize(trim($lname))) . ",
'" . $App->sqlSanitize($password1) . "',
" . $App->returnQuotedString($_SERVER['REMOTE_ADDR']) . ",
NOW(),
" . $App->returnQuotedString($token) . ")");

                    $EventLog = new EvtLog();
                    $EventLog->setLogTable("__ldap");
                    $EventLog->setPK1($token);
                    $EventLog->setPK2($_SERVER['REMOTE_ADDR']);
                    $EventLog->setLogAction("ACCT_CREATE_REQ_SUCCESS");
                    $EventLog->insertModLog($username);

                    # Send mail to dest
                    # $fname appears in the body only; the To: address is the
                    # regex-checked $username.
                    $mail = "Dear $fname,\n\n";
                    $mail .= "Thank you for registering for an account at Eclipse.org. Before we can activate your account one last step must be taken to complete your registration.\n\n";
                    $mail .= "To complete your registration, please visit this URL:\nhttps://dev.eclipse.org/site_login/r.php?t=$token\n\n";
                    $mail .= "Your Username is: $username\n\n";
                    $mail .= "If you have any problems signing up please contact webmaster@eclipse.org\n\n";
                    $mail .= " -- Eclipse webmaster\n";
                    $headers = 'From: Eclipse Webmaster (automated) <webmaster@eclipse.org>' . "\n" . 'Content-Type: text/plain; charset=UTF-8';
                    mail($username, "Eclipse Account Registration", $mail, $headers);

                    $includefile = "content/en_createsuccess.php";
                }
            }
            # NOTE(review): $ds is never assigned in this file; unless LDAPConnection
            # publishes it as a global, this call fails (warning, or TypeError on
            # PHP 8) and the connection opened through $ldap is never explicitly
            # closed — confirm against ldapconnection.class.php.
            ldap_close($ds);
        }
    }
    else {
        # One of the mandatory fields was empty.
        $error = "An error occurred while processing your request. Please ensure that all the required fields are entered correctly and try again. (8726s)";
    }
}
if($stage == "reset") {
    # reset stage 1. We got an email address, create token and email to user
    # make sure someone isn't blasting us. We disregard "token failed" since a common use-case
    # is to click the reset link after it has expired.
    # Only rows written by this stage (fname/lname = 'RESET') count, capped at 13
    # per IP; there is no time window, so expiry relies on rows being purged elsewhere.
    $SQL = "SELECT /* USE MASTER */ COUNT(1) AS RecordCount FROM account_requests WHERE token <> 'TOKEN_FAILED' AND fname = 'RESET' AND lname = 'RESET' AND ip = " . $App->returnQuotedString($_SERVER['REMOTE_ADDR']);
    $rs = $App->eclipse_sql($SQL);
    $myrow = mysql_fetch_assoc($rs);
    if($myrow['RecordCount'] >= 13) {
        $error = "<b>We were unable to determine your identity after several attempts. Subsequent inquiries will be ignored for our protection. Please try later, or contact webmaster@eclipse.org for support.</b> (8727s)";
        $includefile = "content/en_reset_error.php";
    }
    else {
        # Check to see if we're trying to reset the password of a valid account.
        $ldap = new LDAPConnection();
        $token = $App->getAlphaCode(64);
        # The row is written before any validation so that malformed and unknown
        # addresses also count against the cap. INSERT IGNORE skips the row on a
        # duplicate key (presumably the e-mail column — confirm the schema). Whatever
        # was posted as password1, if anything, is stored here unhashed.
        $App->eclipse_sql("INSERT IGNORE INTO account_requests VALUES (" . $App->returnQuotedString($App->sqlSanitize($username)) . ",
'',
" . $App->returnQuotedString("RESET") . ",
" . $App->returnQuotedString("RESET") . ",
'" . $App->sqlSanitize($password1) . "',
" . $App->returnQuotedString($_SERVER['REMOTE_ADDR']) . ",
NOW(),
" . $App->returnQuotedString($token) . ")");

        # The regex check also guards the To: argument of mail() below; it must
        # reject CR/LF — confirm the pattern.
        if(!preg_match($email_regexp, $username)) {
            $reset_error = "<b>Your email address is not formatted correctly.</b><br />";
        }
        elseif($ldap->checkEmailAvailable($username)) {
            # NOTE(review): this branch tells the caller the address has no account
            # while the branch below confirms that it does, so the page doubles as
            # an account-enumeration oracle. A uniform "if an account exists, mail
            # has been sent" response would close that.
            $reset_error = "<b>We were unable to determine your identity with the information you've supplied.</b> Perhaps you don't have an Eclipse.org account, or your account is under a different email address.(8x27s)";
        }
        else {
            # Send mail to dest
            # The requester's IP is included so the account owner can tell whether
            # the request was theirs.
            $mail = "You (or someone pretending to be you) has requested a password reset from:\n";
            $mail .= " " . $_SERVER['REMOTE_ADDR'] . "\n\n";
            $mail .= "To change your password, please visit this URL:\nhttps://dev.eclipse.org/site_login/p.php?t=$token\n\n";
            $mail .= "If you have not requested this change, you can safely let it expire. If you have any problems signing in please contact webmaster@eclipse.org\n\n";
            $mail .= " -- Eclipse webmaster\n";
            # Unlike the registration mail, no Content-Type header is set here.
            $headers = 'From: Eclipse Webmaster (automated) <webmaster@eclipse.org>';
            mail($username, "Eclipse Account Password Reset", $mail, $headers);
            $pageTitle = "Password reset";
            $includefile = "content/en_reset.php";

            $EventLog = new EvtLog();
            $EventLog->setLogTable("__ldap");
            $EventLog->setPK1($token);
            $EventLog->setPK2($_SERVER['REMOTE_ADDR']);
            $EventLog->setLogAction("PASSWD_RESET_REQ");
            $EventLog->insertModLog($username);
        }
    }
}
if($stage == "reset2") {
    # reset stage 2. We got an token back. If we find a record, allow user to reset password, then proceed to stage3
    # Reached via the p.php?t=... link (t plus p=p, see the stage derivation at the top).
    $includefile = "content/en_reset.php";
    if($token != "") {
        # email is selected next to COUNT(1) without GROUP BY; with no match the row
        # comes back with RecordCount 0 and a NULL email. The lookup is by token
        # alone: nothing here checks that the row is a reset request or how old it
        # is, so expiry must be enforced by whatever purges account_requests — confirm.
        $SQL = "SELECT /* USE MASTER */ email, COUNT(1) AS RecordCount FROM account_requests WHERE token = " . $App->returnQuotedString($App->sqlSanitize($token));
        $rs = $App->eclipse_sql($SQL);
        $myrow = mysql_fetch_assoc($rs);
        if($myrow['RecordCount'] <= 0) {
            $error = "<b>The supplied reset token is invalid; perhaps it has expired? Please wait 5 minutes and try to <a href='createaccount.php'>reset your password again</a>. If the problem persits, please contact webmaster@eclipse.org.</b> (8129rs)";
            $includefile = "content/en_reset_error.php";
            # If we can't find a record, insert a record preventing this dude from bombing us
            # A fresh random value is used as the row key; the TOKEN_FAILED marker is
            # what the "confirm" stage's per-IP check counts.
            $token = $App->getAlphaCode(64);
            $App->eclipse_sql("INSERT INTO account_requests VALUES (" . $App->returnQuotedString($App->sqlSanitize($token)) . ",
'',
'token_failed',
'token_failed',
'token_failed',
" . $App->returnQuotedString($_SERVER['REMOTE_ADDR']) . ",
NOW(),
'TOKEN_FAILED')"
            );
        }
        else {
            # display password reset page.
            # The token stays valid until reset3 overwrites it; the commented-out
            # UPDATE below would have consumed it at this point instead.
            $includefile = "content/en_reset.php";
            $EventLog = new EvtLog();
            $EventLog->setLogTable("__ldap");
            $EventLog->setPK1($token);
            $EventLog->setPK2($_SERVER['REMOTE_ADDR']);
            $EventLog->setLogAction("PASSWD_RESET_CONF");
            $EventLog->insertModLog($myrow['email']);
            # Update this row, change IP address to reflect that of the person who successfully confirmed this email to avoid bombing
            # $SQL = "UPDATE account_requests SET token = 'CONFIRM_SUCCESS', ip = " . $App->returnQuotedString($App->sqlSanitize($_SERVER['REMOTE_ADDR']))
            # . " WHERE token = " . $App->returnQuotedString($App->sqlSanitize($token));
            #$rs = $App->eclipse_sql($SQL);
        }
    }
}
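if($stage == "reset3") {
    # reset stage 3. We got a token back, and user is submitting a password.
    # Reached for any request carrying both t= and password1 (see the stage
    # derivation at the top of the file).
    $includefile = "content/en_reset.php";
    if($token != "" && $password1 != "") {
        # Lookup is by token alone: no check that the row is a reset request
        # (fname/lname = 'RESET') or how old it is, so token expiry must be enforced
        # by whatever purges account_requests — confirm. With no match, RecordCount
        # is 0 and email is NULL.
        $SQL = "SELECT /* USE MASTER */ email, COUNT(1) AS RecordCount FROM account_requests WHERE token = " . $App->returnQuotedString($App->sqlSanitize($token));
        $rs = $App->eclipse_sql($SQL);
        $myrow = mysql_fetch_assoc($rs);
        if($myrow['RecordCount'] <= 0) {
            $error = "<b>We were unable to validate your request. The supplied token is invalid; perhaps it has expired? Please try to <a href='createaccount.php'>reset your password again</a>. If the problem persists, please contact webmaster@eclipse.org.</b> (8329rs)";
            # If we can't find a record, insert a record preventing this dude from bombing us
            # (a fresh random value is the row key; TOKEN_FAILED is what the
            # "confirm" stage's per-IP check counts).
            $token = $App->getAlphaCode(64);
            $App->eclipse_sql("INSERT INTO account_requests VALUES (" . $App->returnQuotedString($App->sqlSanitize($token)) . ",
'',
'token_failed',
'token_failed',
'token_failed',
" . $App->returnQuotedString($_SERVER['REMOTE_ADDR']) . ",
NOW(),
'TOKEN_FAILED')"
            );
        }
        else {
            # Stricter than the registration rule (a digit is mandatory here, a
            # symbol is not enough); the two regexes should probably be unified.
            if(!preg_match("/(?=^.{6,}$)(?=.*\d)(?=.*[A-Za-z]).*$/", $password1)) {
                $error .= "- Your password does not meet the complexity requirements<br />";
            }
            else {
                # Update this row, change IP address to reflect that of the person who successfully confirmed this password to avoid bombing
                # Overwriting the token with PASSWORD_SUCCESS also consumes it, so the
                # link cannot be replayed. NOTE(review): the new password is written
                # here unhashed (only SQL-escaped); the LDAP update is not done in this
                # file, so presumably a provisioning step reads it from this row — confirm.
                $SQL = "UPDATE account_requests SET token = 'PASSWORD_SUCCESS', password='" . $App->sqlSanitize($password1) . "', ip = " . $App->returnQuotedString($App->sqlSanitize($_SERVER['REMOTE_ADDR']))
                    . " WHERE token = " . $App->returnQuotedString($App->sqlSanitize($token));
                $rs = $App->eclipse_sql($SQL);

                # Plain assignment: the original took the function result by reference
                # ("= &"), which PHP reports as "Only variables should be assigned by
                # reference" and which gains nothing for a returned string.
                $bzpass = generateBugzillaSHA256Password($password1);
                # The same hashed password is pushed to both trackers (bugzilla_sql
                # and ipzilla_sql), keyed by the e-mail found for the token.
                $SQL = "UPDATE profiles SET cryptpassword='" . $App->sqlSanitize($bzpass) . "' WHERE login_name = " . $App->returnQuotedString($App->sqlSanitize($myrow['email'])) . " LIMIT 1";
                $App->bugzilla_sql($SQL);
                $App->ipzilla_sql($SQL);

                $EventLog = new EvtLog();
                $EventLog->setLogTable("__ldap");
                $EventLog->setPK1($token);
                $EventLog->setPK2($_SERVER['REMOTE_ADDR']);
                $EventLog->setLogAction("PASSWD_RESET_SUCCESS");
                $EventLog->insertModLog($myrow['email']);
            }
        }
    }
}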
if($stage == "confirm") {
    # Stage "confirm": the user followed the r.php?t= link from the registration
    # mail. A matching row is marked CONFIRM_SUCCESS (presumably what the
    # provisioning step picks up — confirm); the account is not created here.
    $includefile = "content/en_confirm.php";
    # Any earlier failed or successful confirmation from this IP blocks further
    # attempts until the rows are purged: one confirmation per IP, which also hits
    # users sharing a NAT address.
    $SQL = "SELECT /* USE MASTER */ COUNT(1) AS RecordCount FROM account_requests WHERE token IN ('TOKEN_FAILED', 'CONFIRM_SUCCESS') AND ip = " . $App->returnQuotedString($_SERVER['REMOTE_ADDR']);
    $rs = $App->eclipse_sql($SQL);
    $myrow = mysql_fetch_assoc($rs);
    if($myrow['RecordCount'] > 0) {
        $error = "<b>You have already submitted a request. Please check your email inbox and spam folders to respond to the previous request.</b> (8728s)";
    }
    else {
        if($token != "") {
            # Token-only lookup: no check on the row's kind or age, so expiry relies
            # on whatever purges account_requests — confirm. With no match,
            # RecordCount is 0 and email is NULL.
            $SQL = "SELECT /* USE MASTER */ email, COUNT(1) AS RecordCount FROM account_requests WHERE token = " . $App->returnQuotedString($App->sqlSanitize($token));
            $rs = $App->eclipse_sql($SQL);
            $myrow = mysql_fetch_assoc($rs);
            if($myrow['RecordCount'] <= 0) {
                $error = "<b>We were unable to validate your request. The supplied token is invalid; perhaps it has expired? Please try creating your account again, and contact webmaster@eclipse.org if the problem persists.</b> (8729s)";
                # If we can't find a record, insert a record preventing this dude from bombing us
                # (a fresh random value is the row key; the TOKEN_FAILED marker feeds
                # the per-IP check at the top of this stage).
                $token = $App->getAlphaCode(64);
                $App->eclipse_sql("INSERT INTO account_requests VALUES (" . $App->returnQuotedString($App->sqlSanitize($token)) . ",
'',
'token_failed',
'token_failed',
'token_failed',
" . $App->returnQuotedString($_SERVER['REMOTE_ADDR']) . ",
NOW(),
'TOKEN_FAILED')"
                );
                # Only this stage runs the token through sqlSanitize() before logging;
                # the token is already restricted to [A-Za-z0-9] at the top of the
                # file, so this is presumably a no-op.
                $EventLog = new EvtLog();
                $EventLog->setLogTable("__ldap");
                $EventLog->setPK1($App->sqlSanitize($token));
                $EventLog->setPK2($_SERVER['REMOTE_ADDR']);
                $EventLog->setLogAction("ACCT_CREATE_TOKEN_FAILED");
                $EventLog->insertModLog("apache");
            }
            else {
                # Update this row, change IP address to reflect that of the person who successfully confirmed this email to avoid bombing
                # Overwriting the token also consumes it: the link cannot be replayed.
                $SQL = "UPDATE account_requests SET token = 'CONFIRM_SUCCESS', ip = " . $App->returnQuotedString($App->sqlSanitize($_SERVER['REMOTE_ADDR']))
                    . " WHERE token = " . $App->returnQuotedString($App->sqlSanitize($token));
                $rs = $App->eclipse_sql($SQL);

                $EventLog = new EvtLog();
                $EventLog->setLogTable("__ldap");
                $EventLog->setPK1($App->sqlSanitize($token));
                $EventLog->setPK2($_SERVER['REMOTE_ADDR']);
                $EventLog->setLogAction("ACCT_CREATE_CONFIRM_SUCCESS");
                $EventLog->insertModLog($myrow['email']);
            }
        }
        else {
            # Only reachable when stage=confirm is supplied explicitly without a
            # token; the token-derived stage always comes with one.
            $error = "<b>We were unable to validate your request. The supplied token is invalid. Please contact webmaster@eclipse.org.</b>";
        }
    }
}
| |
# Render the stage-specific fragment, then wrap the page around it. Every value
# assigned to $includefile in this file is a fixed string or derived from the
# script name, never from request data. $theme and $html are not assigned here;
# presumably the fragment (or _projectCommon.php) sets them — confirm.
include $includefile;
# Generate the web page
$App->generatePage($theme, $Menu, $Nav, $pageAuthor, $pageKeywords, $pageTitle, $html);
| |
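/**
 * Generate a random password of $_num_chars + 1 characters that satisfies the
 * reset-stage complexity rule (6+ chars, at least one digit and one letter).
 *
 * Randomness comes from random_int() where available (PHP 7+), falling back to
 * mt_rand(). The original reseeded rand() from microtime() on every call, which
 * tied the output to the request time (roughly a million seed values, ~20 bits)
 * instead of the system CSPRNG, and picked characters with a biased modulo.
 *
 * @param int $_num_chars one less than the number of characters produced (the
 *                        original loop's "<=" bound is kept so existing callers
 *                        get the same length); values below 5 can never satisfy
 *                        the rule and end in the fallback below.
 * @return string
 */
function generatePassword($_num_chars) {
    global $App;
    $chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1023456789,.;:/@#$%^&*()-_=+";
    $maxIndex = strlen($chars) - 1;
    $useCsprng = function_exists('random_int');
    $loopcount = 0;
    $rValue = "";
    # Redraw until the candidate meets the same rule the reset3 stage enforces.
    while (!preg_match("/(?=^.{6,}$)(?=.*\d)(?=.*[A-Za-z]).*$/", $rValue)) {
        $rValue = "";
        $loopcount++;
        for ($i = 0; $i <= $_num_chars; $i++) {
            # Uniform index into $chars; no modulo, so no bias towards the first entries.
            $idx = $useCsprng ? random_int(0, $maxIndex) : mt_rand(0, $maxIndex);
            $rValue .= $chars[$idx];
        }
        # antilooper: a requested length that can never pass the rule would spin
        # forever, so give up after 1000 draws and build a compliant value by hand.
        if($loopcount > 1000) {
            $rValue = "aA1$" . $App->getAlphaCode(4);
        }
    }
    return $rValue;
}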
| |
| |
| ?> |