blob: abef5d7dadfc0e85c29545d7223b8bf8b98ed63e [file] [log] [blame]
* Copyright (c) 2014, 2015 Eclipse Foundation and others.
* All rights reserved. This program and the accompanying materials
* are made available under the terms of the Eclipse Public License v1.0
* which accompanies this distribution, and is available at
* Contributors:
* Christopher Guindon (Eclipse Foundation) - initial API and implementation
require_once($_SERVER['DOCUMENT_ROOT'] . "/");
require_once($_SERVER['DOCUMENT_ROOT'] . "/");
require_once($_SERVER['DOCUMENT_ROOT'] . "/");
require_once($_SERVER['DOCUMENT_ROOT'] . "/");
require_once($_SERVER['DOCUMENT_ROOT'] . "/");
require_once($_SERVER['DOCUMENT_ROOT'] . "/");
define('SITELOGIN_EMAIL_REGEXP', '/^(([^<>()[\]\\.,;:\s@\"]+(\.[^<>()[\]\\.,;:\s@\"]+)*)|(\".+\"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/');
define('SITELOGIN_NAME_REGEXP', '/[^\p{L}\p{N}\-\.\' ]/u');
class Sitelogin {
private $App = NULL;
private $agree = "";
private $bio = "";
private $Captcha = NULL;
private $country = "";
private $country_list = NULL;
private $githubid = "";
private $Friend = NULL;
private $fname = "";
private $gender = "";
private $exipred_pass_token = FALSE;
private $interests = "";
private $jobtitle = "";
private $Ldapconn = NULL;
private $lname = "";
private $messages = array();
private $organization = "";
private $p = "";
private $page = "";
private $password = "";
private $password1 = "";
private $password2 = "";
private $password_update = 0;
private $password_expired = "";
private $path_public_key = "";
private $profile_default = array();
private $referer = "";
private $remember = "";
private $Session = NULL;
private $stage = "";
private $submit = "";
private $takemeback = "";
private $t = "";
private $twitter_handle = "";
private $username = "";
private $user_uid = "";
private $user_mail = "";
private $website = "";
private $xss_patterns = array();
private $is_committer = "";
private $changed_employer = "";
function Sitelogin($stage = NULL) {
$this->xss_patterns = array(
'/<![\s\S]*?–[ \t\n\r]*>/'
$this->path_public_key = "/home/data/httpd/";
global $App;
$this->App = $App;
$this->Captcha = New Captcha();
$this->Session = $this->App->useSession();
$this->Friend = $this->Session->getFriend();
$this->Ldapconn = new LDAPConnection();
$this->user_uid = $this->Ldapconn->getUIDFromMail($this->Friend->getEmail());
$this->user_mail = $this->Friend->getEmail();
$this->is_committer = $this->Friend->getIsCommitter();
$this->password_expired = $this->_verifyIfPasswordExpired();
switch ($this->stage) {
case 'login':
case 'create':
case 'reset':
case 'reset2':
case 'reset3':
case 'confirm':
case 'save':
case 'save-account':
case 'save-profile':
public function getStage(){
return $this->stage;
public function getIsCommitter(){
return $this->is_committer;
public function getCountryList() {
if (is_null($this->country_list)) {
return $this->country_list;
public function getSystemMessage() {
$return = "";
$allowed_type = array(
foreach ($this->messages as $type) {
foreach ($type as $key => $value) {
if (!in_array($key, $allowed_type)) {
$list = '<ul>';
if (count($value) == 1) {
if ($key == 'danger'){
$org_value = $value[0];
$value[0] = '<p><strong>' . $org_value . '</strong></p>';
$return .= $this->_getMessageContainer($value[0], $key);
foreach ($value as $msg) {
$list .= '<li><strong>' . $msg . '</strong></li>';
$list .= '</ul>';
$return .= $this->_getMessageContainer($list, $key);
return $return;
public function getVariables($type = NULL){
$return = array(
'agree' => "",
'username' => "",
'password' => "",
'remember' => "",
'submit' => "",
'takemeback' => "",
'githubid' => "",
'referer' => "",
'password1' => "",
'password2' => "",
'password_update' => "",
'fname' => "",
'lname' => "",
'githubid' => "",
'organization' => "",
'jobtitle' => "",
'website' => "",
'bio' => "",
'interests' => "",
'twitter_handle' => "",
'country' => "",
'gender' => "",
# Bug 428032 - Multiple XSS on site_login
$username = filter_var($this->username, FILTER_SANITIZE_EMAIL);
$takemeback = filter_var($this->takemeback, FILTER_SANITIZE_ENCODED);
$remember = filter_var($this->remember, FILTER_SANITIZE_NUMBER_INT);
$agree = filter_var($this->agree, FILTER_SANITIZE_NUMBER_INT);
$password_update = filter_var($this->password_update, FILTER_SANITIZE_NUMBER_INT);
$githubid = filter_var($this->Ldapconn->getGithubIDFromMail($this->Friend->getEmail()), FILTER_SANITIZE_STRING);
$website = filter_var($this->website, FILTER_SANITIZE_URL);
switch ($type) {
case 'login':
$return['username'] = $username;
$return['remember'] = ($remember) ? 'checked="checked"' : "";
$return['takemeback'] = $takemeback;
case 'welcomeback':
$return['username'] = $this->_get_default_field_value('username', $username);
$return['fname'] = $this->_get_default_field_value('fname', $fname);
$return['lname'] = $this->_get_default_field_value('lname', $lname);
$return['githubid'] = $this->_get_default_field_value('githubid', $githubid);
$return['takemeback'] = $takemeback;
$return['organization'] = $organization;
$return['jobtitle'] = $jobtitle;
$return['website'] = $website;
$return['bio'] = $bio;
$return['gender'] = $gender;
$return['country'] = $country;
$return['interests'] = $interests;
$return['twitter_handle'] = $twitter_handle;
$return['friend'] = array(
'uid' => $this->Friend->getUID(),
'is_committer' => $this->Friend->getIsCommitter(),
'is_benefit' => $this->Friend->getIsBenefit(),
'date_joined' => substr($this->Friend->getDateJoined(), 0, 10),
'date_expired' => substr($this->Friend->getBenefitExpires(), 0, 10),
case 'create':
if ($this->stage == 'create') {
$return['username'] = $username;
$return['fname'] = $fname;
$return['lname'] = $lname;
$return['organization'] = $organization;
$return['gender'] = $gender;
$return['country'] = $country;
$return['agree'] = $agree;
$return['takemeback'] = $takemeback;
case 'reset':
$return['token'] = $token;
case 'logout':
$return['password_update'] = $password_update;
return $return;
public function logout() {
$referer = "";
if (isset($_SERVER['HTTP_REFERER'])) {
$referer = $_SERVER['HTTP_REFERER'];
$eclipse_domains = array(
'' => '',
'' => '',
'' => '',
'' => '',
'' => '',
'' => '',
'' => '',
$redirect = '';
foreach ($eclipse_domains as $key => $value) {
if (strpos($referer, $key)){
$redirect = $value;
// Destroy the session for the user.
// Bug 443883 - [site_login] Password change should invalidate all active sessions
if ($this->Session->isLoggedIn()) {
$this->messages['logout']['info'][] = 'You have been logged out.';
$this->messages['logout']['danger'][] = 'You are currently not logged in.';
$redirect = '';
return $redirect;
public function password_update() {
$this->messages['logout']['success'][] = "Your account details have been updated successfully.";
$this->messages['logout']['warning'][] = 'Please login to confirm your new password.';
public function showCountries() {
$options = "";
$continents = $this->_fetchcontinents();
$countries = $this->_fetchCountries();
foreach ($continents as $continent) {
$options .= '<optgroup label="'. $continent .'">';
foreach ($countries as $country) {
if ($country['continent'] == $continent) {
$selected = "";
if (!empty($this->country) && $this->country == $country['ccode']) {
$selected = "selected";
$options .= '<option value="'. $country['ccode'] .'" ' . $selected.'>'. $country['description'] .'</option>';
$options .= '</optgroup>';
return $options;
public function showGender() {
$options = array(
'M' => 'Male',
'F' => 'Female',
'X' => 'Prefer not to say'
foreach ($options as $option_code => $option_name){
$checked = "";
if(!empty($this->gender) && $this->gender == $option_code) {
$checked = 'checked';
$buttons .= '<input type="radio" name="gender" value="' . $option_code . '" ' . $checked . '> ' . $option_name . '&nbsp;&nbsp';
return $buttons;
function verifyUserStatus() {
# bug 432822 - if someone is already logged in, send them to their account info page
if (empty($this->takemeback)) {
$this->takemeback = 'myaccount.php';
if ($this->Session->getGID() != "") {
header("Location: " . $this->takemeback, 302);
* Validate takemeback Url
* Bug 421097
* @return boolean
public function validateTakemebackUrl($takemeback = "") {
if ($takemeback == "") {
$takemeback = $this->takemeback;
$domains = array(
foreach ($domains as $d) {
if (preg_match('#^(http(s)?:\/\/)(www\.)?([\w+0-9-]{0,}\.)?' . $d . '(:\d{1,5})?(\/)?#', $takemeback) &&
strpos($takemeback, $d . ".") === FALSE){
return TRUE;
return FALSE;
private function _confirmAccount() {
$sql = "SELECT /* USE MASTER */ COUNT(1) AS RecordCount FROM account_requests WHERE token IN ('TOKEN_FAILED', 'CONFIRM_SUCCESS') AND ip = " . $this->App->returnQuotedString($_SERVER['REMOTE_ADDR']);
$rs = $this->App->eclipse_sql($sql);
$myrow = mysql_fetch_assoc($rs);
if ($myrow['RecordCount'] > 0) {
$this->messages['confirm']['danger'][] = "<b>You have already submitted a request. Please check your email inbox and spam folders to respond to the previous request.</b> (8728s)";
else {
if ($this->t != "") {
$sql = "SELECT /* USE MASTER */ email, COUNT(1) AS RecordCount FROM account_requests WHERE token = " . $this->App->returnQuotedString($this->App->sqlSanitize($this->t));
$rs = $this->App->eclipse_sql($sql);
$myrow = mysql_fetch_assoc($rs);
if ($myrow['RecordCount'] <= 0) {
$this->messages['confirm']['danger'][] = "We were unable to validate your request. The supplied token is invalid; perhaps it has expired? Please try creating your account again, and contact if the problem persists. (8729s)";
# If we can't find a record, insert a record preventing this dude from bombing us
$this->t = $this->App->getAlphaCode(64);
$this->App->eclipse_sql("INSERT INTO account_requests VALUES (" . $this->App->returnQuotedString($this->App->sqlSanitize($this->t)) . ",
" . $this->App->returnQuotedString($_SERVER['REMOTE_ADDR']) . ",
$EventLog = new EvtLog();
else {
# Update this row, change IP address to reflect that of the person who successfully confirmed this email to avoid bombing
$sql = "UPDATE account_requests SET token = 'CONFIRM_SUCCESS', ip = " . $this->App->returnQuotedString($this->App->sqlSanitize($_SERVER['REMOTE_ADDR']))
. " WHERE token = " . $this->App->returnQuotedString($this->App->sqlSanitize($this->t));
$rs = $this->App->eclipse_sql($sql);
$this->messages['confirm']['success'][] = "Thank you for confirming your email address.
Your account is now active and you may now </strong>log in</strong></a>.
Please note that some pages may require you to provide your login
$EventLog = new EvtLog();
else {
$this->messages['confirm']['danger'][] = "We were unable to validate your request. The supplied token is invalid. Please contact";
private function _createAccount(){
if ($this->username != "" && $this->fname != "" && $this->lname != "" && $this->password1 != "") {
# Create an account. Check to ensure this IP address hasn't flooded us with requests
# or that this email address doesn't already have an account
$sql = "SELECT /* USE MASTER */ COUNT(1) AS RecordCount FROM account_requests WHERE ip = " . $this->App->returnQuotedString($_SERVER['REMOTE_ADDR']);
$rs = $this->App->eclipse_sql($sql);
$myrow = mysql_fetch_assoc($rs);
if ($myrow['RecordCount'] >= 25) {
$this->messages['create']['danger'][] = "You have already submitted a request. Please check your email inbox and spam folders to respond to the previous request. (8723s)";
else {
# Check LDAP
if(!$this->Ldapconn->checkEmailAvailable($this->username)) {
$this->messages['create']['danger'][] = "That account already exists. If you cannot remember your password, please use the password reset option below. (8725s)";
# Jot this down to avoid repetitively polling ldap
$this->App->eclipse_sql("INSERT INTO account_requests VALUES (" . $this->App->returnQuotedString($this->App->sqlSanitize($this->username)) . ",
" . $this->App->returnQuotedString($this->App->sqlSanitize($this->fname)) . ",
" . $this->App->returnQuotedString($this->App->sqlSanitize($this->lname)) . ",
" . $this->App->returnQuotedString($_SERVER['REMOTE_ADDR']) . ",
" . $this->App->returnQuotedString("CREATE_FAILED") . ")");
$EventLog = new EvtLog();
else {
if ($this->agree != 1) {
$this->messages['create']['danger'][] = "- You must agree to the terms and contitions of use<br />";
if (!preg_match(SITELOGIN_EMAIL_REGEXP, $this->username)) {
$this->messages['create']['danger'][] = "- Your email address is not formatted correctly<br />";
if (!$this->Captcha->validate()) {
$this->messages['create']['danger'][] = "- You haven't answered the captcha question correctly<br />";
if (!preg_match("/(?=^.{6,}$)(?=.*[\d|\W])(?=.*[A-Za-z]).*$/", $this->password1)) {
$this->messages['create']['danger'][] = "- Your password does not meet the complexity requirements. It must be at least 6 characters long, and contain one number or one symbol.<br />";
if (!$cryptopass = $this->_generateCryptotext($this->App->sqlSanitize($this->password1))) {
$this->messages['create']['danger'][] = "- An error occurred while processing your request. (8730s)";
if (empty($this->gender)) {
$this->messages['create']['danger'][] = "- You must select your gender.";
if (empty($this->country)) {
$this->messages['create']['danger'][] = "- You must select your country of residence.";
if (empty($this->messages['create']['danger'])) {
# Add request to database
$this->t = $this->App->getAlphaCode(64);
$this->App->eclipse_sql("INSERT INTO account_requests VALUES (" . $this->App->returnQuotedString($this->App->sqlSanitize(trim($this->username))) . ",
" . $this->App->returnQuotedString($this->App->sqlSanitize(trim($this->fname))) . ",
" . $this->App->returnQuotedString($this->App->sqlSanitize(trim($this->lname))) . ",
'" . $cryptopass . "',
" . $this->App->returnQuotedString($_SERVER['REMOTE_ADDR']) . ",
" . $this->App->returnQuotedString($this->t) . ")");
$this->App->eclipse_sql("INSERT INTO users_profiles
". $this->App->returnQuotedString($this->App->sqlSanitize($this->t)) .",
". $this->App->returnQuotedString($this->App->sqlSanitize($this->username)) .",
". $this->App->returnQuotedString($this->App->sqlSanitize($this->country)) .",
". $this->App->returnQuotedString($this->App->sqlSanitize($this->gender)) .",
". $this->App->returnQuotedString($this->App->sqlSanitize($this->organization)) .",
$EventLog = new EvtLog();
# Send mail to dest
$mail = "Dear $this->fname,\n\n";
$mail .= "Thank you for registering for an account at Before we can activate your account one last step must be taken to complete your registration.\n\n";
$mail .= "To complete your registration, please visit this URL:\n$this->t\n\n";
$mail .= "Your Username is: $this->username\n\n";
$mail .= "If you have any problems signing up please contact\n\n";
$mail .= " -- Eclipse webmaster\n";
$headers = 'From: Eclipse Webmaster (automated) <>' . "\n" . 'Content-Type: text/plain; charset=UTF-8';
mail($this->username, "Eclipse Account Registration", $mail, $headers);
# Debug
//print $mail;
$this->messages['create']['success'][] = "<p>Welcome to the community! We've sent a confirmation to the email address
you have provided. In that email there are instructions you must follow in order to activate your account.</p>
<p>If you have not received the email within a few hours, and you've made sure it's not in your Junk, Spam or trash folders, please contact</p>";
else {
$this->messages['create']['danger'][] = "An error occurred while processing your request. Please ensure that all the required fields are entered correctly and try again. (5496s)";
else {
$this->messages['create']['danger'][] = "An error occurred while processing your request. Please ensure that all the required fields are entered correctly and try again. (8726s)";
private function _generateBugzillaSHA256Password($_password) {
$cp = 0;
if ($_password != "") {
# Generate random salt
$hash = "{SHA-256}";
$salt = $this->App->getAlphaCode(8);
$cp = str_replace("=", "", $salt . base64_encode(hash("sha256", $_password . $salt, true))) . $hash;
return $cp;
private function _generateCryptotext($plaintext) {
if (empty($plaintext) || !is_readable($this->path_public_key)) {
return FALSE;
#load public key
$fp = fopen($this->path_public_key, "r");
$pub_key = fread($fp, 8192);
$key = openssl_pkey_get_public($pub_key);
openssl_public_encrypt($plaintext, $cryptotext, $key, OPENSSL_PKCS1_OAEP_PADDING);
#encode the output
return base64_encode($cryptotext);
private function _generatePassword($_num_chars) {
$chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1023456789,.;:/@#$%^&*()-_=+";
$loopcount = 0;
$rValue = "";
while (!preg_match("/(?=^.{6,}$)(?=.*\d)(?=.*[A-Za-z]).*$/", $rValue)) {
$rValue = "";
$i = 0;
while ($i <= $_num_chars) {
$num = rand() % strlen($chars);
$rValue .= substr($chars, $num, 1);
# antilooper
if($loopcount > 1000) {
$rValue = "aA1$" . $this->App->getAlphaCode(4);
return $rValue;
private function _getMessageContainer($message = '', $type = 'alert') {
$class = "alert alert-" . $type;
return '<div class="' . $class . '" role="alert">' . $message . '</div>';
private function _get_default_field_value($id, $value, $default_values = TRUE) {
// If the value is not empty and the user is not requesting the default values,
// return the updated values.
if (!empty($value) && $default_values === FALSE) {
return $value;
switch ($id) {
case 'fname':
return $this->Friend->getFirstName();
case 'lname':
return $this->Friend->getLastName();
case 'username':
return $this->Friend->getEmail();
case 'githubid':
return $this->Ldapconn->getGithubIDFromMail($this->Friend->getEmail());
private function _get_default_profile_fields($get_default_values = FALSE){
if (empty($this->messages['profile']['danger'])) {
$sql = "SELECT /* USE MASTER */
user_org as organization, user_jobtitle as jobtitle, user_bio as bio, user_interests as interests, user_website as website, user_twitter_handle as twitter_handle, user_country as country, user_gender as gender
FROM users_profiles
WHERE user_uid = " . $this->App->returnQuotedString($this->user_uid) . "
ORDER BY user_update DESC LIMIT 1";
$rs = $this->App->eclipse_sql($sql);
$profile = mysql_fetch_assoc($rs);
$this->profile_default = $profile;
if ($get_default_values) {
return TRUE;
if (!empty($profile)) {
foreach ($profile as $key => $value) {
if (is_null($value)) {
$value = "";
$this->{$key} = $value;
private function _getProfileDefaultValues(){
if (empty($this->profile_default)) {
return $this->profile_default;
private function _processSaveProfile() {
if ($this->password_expired === TRUE) {
$this->messages['password_expired']['danger'][] = "You need to set a new password before you can update your profile.";
return FALSE;
$fname = $this->_get_default_field_value('fname', $this->fname, FALSE);
$lname = $this->_get_default_field_value('lname', $this->lname, FALSE);
$default_values = $this->_getProfileDefaultValues();
$default_org = $default_values['organization'];
$fields = array(
'user_uid' => $this->user_uid,
'user_mail' => $this->user_mail,
'user_org' => $this->organization,
'user_jobtitle' => $this->jobtitle,
'user_website' => $this->website,
'user_bio' => $this->bio,
'user_interests' => $this->interests,
'user_twitter_handle' => $this->twitter_handle,
'user_country' => $this->country,
'user_gender' => $this->gender,
$possible_null_field = array(
# Validate values
if (!empty($fields['user_website']) && !filter_var($fields['user_website'], FILTER_VALIDATE_URL)) {
$this->messages['profile']['danger'][] = 'Invalid website URL<br>';
if (empty($fields['user_country']) && !in_array($fields['user_country'], $this->getCountryList())) {
$this->messages['profile']['danger'][] = 'You must enter a valid country<br>';
if (empty($fields['user_gender']) && !in_array($fields['user_gender'], array('M','F','X'))) {
$this->messages['profile']['danger'][] = 'You must enter you gender<br>';
if (!empty($this->messages['profile']['danger'])) {
return FALSE;
//if they are a committer and have changed employers toss all changes and throw a warning + send a message
if ($this->is_committer) {
if ($default_org !== $fields["user_org"]) {
if ($this->changed_employer === 'Yes') {
// Send mail to dest
$this->messages['myaccount']['danger'][] = "You have indicated a change in employer. As such any changes you made have not been saved. A notice has been sent to you and EMO legal ( so that they can advise what paperwork(if any) needs to be updated.";
return FALSE;
else if ($this->changed_employer !== "No") {
$this->messages['myaccount']['danger'][] = "You must indicate if you have changed employers in order to save changes to your organization.";
return FALSE;
} else {
if ($this->changed_employer === 'Yes') {
// Send mail to dest
$this->messages['myaccount']['danger'][] = "A notice has been sent to you and EMO legal ( so that they can advise what paperwork (if any) needs to be updated due to your change in employers.";
foreach ($possible_null_field as $value) {
if (empty($fields[$value])) {
$fields[$value] = NULL;
$sql = "INSERT INTO users_profiles (";
$columns = array();
$values = array();
foreach ($fields as $key => $value) {
if (!empty($value)) {
$columns[] = $key;
$values[] = '"' . $this->App->sqlSanitize($value) . '"';
else if(in_array($key, $possible_null_field)) {
$columns[] = $key;
$values[] = 'NULL';
$sql .= implode(',', $columns);
$sql .= ') VALUES (';
$sql .= implode(',', $values);
foreach ($columns as $key => $value){
$sql .= ' ' .$value . '=' . $values[$key] . ',';
$sql = rtrim($sql, ',');
$this->messages['profile']['success'][] = 'Your profile have been updated successfully.';
private function _processSave() {
// Check IF the password is expired
// AND if the user is NOT trying to change the password
if ($this->password_expired === TRUE && (empty($this->password1) && empty($this->password2))) {
$this->messages['password_expired']['danger'][] = "You need to set a new password before you can update your Account Settings.";
return FALSE;
$user_is_changing_password = FALSE;
if ($this->username != "" && $this->fname != "" && $this->lname != "" && $this->password != "") {
# update account.
# we must first bind to ldap to be able to change attributes
$dn = $this->Ldapconn->authenticate($this->Friend->getEmail(), $this->password);
if ($dn) {
#work out what's changed
$fname_changed = ($this->Ldapconn->getLDAPAttribute($dn, "givenName") !== $this->fname) ? TRUE : FALSE ;
$lname_changed = ($this->Ldapconn->getLDAPAttribute($dn, "sn") !== $this->lname) ? TRUE : FALSE ;
$email_changed = ($this->Ldapconn->getLDAPAttribute($dn, "mail") !== $this->username) ? TRUE : FALSE ;
//if they are a committer and have changed employers toss all changes and throw a warning + send a message
if ($this->is_committer && $this->changed_employer === 'Yes') {
// Send mail to dest
//notify the user
if ( !$lname_changed && !$email_changed) {
//I guess they just want us to know they've changed employers
$this->messages['myaccount']['danger'][] = "A notice has been sent to you and EMO legal ( so that they can advise what paperwork(if any) needs to be updated due to your change in employers.";
else {
//they've changed something
$this->messages['myaccount']['danger'][] = "You have indicated a change in employer. As such any changes you made have not been saved. A notice has been sent to you and EMO legal ( so that they can advise what paperwork(if any) needs to be updated.";
//reset form data
$update_bz_name = FALSE;
if ($fname_changed) {
$this->Ldapconn->changeAttributeValue($dn, $this->password, "givenName", $this->fname);
$update_bz_name = TRUE;
if ($lname_changed) {
if ($this->changed_employer === 'No' || !$this->is_committer) {
$this->Ldapconn->changeAttributeValue($dn, $this->password, "sn", $this->lname);
$update_bz_name = TRUE;
$this->_sendNotice("surname", "to: " . $this->lname);
} else if($this->is_committer && empty($this->changed_employer)) {
$this->messages['myaccount']['danger'][] = "You must indicate if you have changed employers in order to save changes to your last name.";
//if either the first or last name has changed the cn should be updated.
if ($fname_changed || $lname_changed) {
$this->Ldapconn->changeAttributeValue($dn, $this->password, "cn", $this->fname . " " . $this->lname);
$update_bz_name = TRUE;
if ($update_bz_name) {
$this->App->bugzilla_sql("SET NAMES 'utf8'");
$sql = "UPDATE profiles SET realname='" . $this->App->sqlSanitize($this->fname . " " . $this->lname) . "' WHERE login_name = " . $this->App->returnQuotedString($this->App->sqlSanitize($this->username)) . " LIMIT 1";
# Update GitHub ID?
if ($this->githubid != "") {
$oldgithubid = $this->Ldapconn->getGithubIDFromMail($this->Friend->getEmail());
# we can't change GH ID's automagically
if ($oldgithubid != "") {
$this->messages['myaccount']['danger'][] = "- Your GitHub ID cannot be changed from this form. Please contact to update your GitHub ID.<br />";
else {
$this->Ldapconn->setGithubID($dn, $this->password, $this->githubid);
$this->messages['myaccount']['success'][] = "Your github id was saved successfully.";
# User is trying to update change is password
if (!empty($this->password1) && !empty($this->password2)) {
if (!preg_match("/(?=^.{6,}$)(?=.*[\d|\W])(?=.*[A-Za-z]).*$/", $this->password1)) {
$this->messages['myaccount']['danger'][] = "- Your password does not meet the complexity requirements. It must be at least 6 characters long, and contain one number or one symbol.<br />";
else {
if ($this->password != $this->password1) {
$user_is_changing_password = TRUE;
$this->Ldapconn->changePassword($dn, $this->password, $this->password1);
$bzpass = &$this->_generateBugzillaSHA256Password($this->password1);
$sql = "UPDATE profiles SET cryptpassword='" . $this->App->sqlSanitize($bzpass) . "' WHERE login_name = " . $this->App->returnQuotedString($this->App->sqlSanitize($this->username)) . " LIMIT 1";
$this->messages['myaccount']['success'][] = "Your password was updated successfully.";
// If the user is trying to update password with the current password
$this->messages['myaccount']['danger'][] = "- Your new password must be different than your current password.";
# if email address has changed, we must update Bugzilla DB record too.
$oldmail = $this->Ldapconn->getLDAPAttribute($dn, "mail");
$mailmsg = "";
if($email_changed) {
#Not a committer or didn't change employers?
if (!$this->is_committer || $this->changed_employer === 'No') {
if (!$this->Ldapconn->checkEmailAvailable($this->username)) {
$this->messages['myaccount']['danger'][] = "- Unable to change your email address<br />";
elseif (!preg_match(SITELOGIN_EMAIL_REGEXP, $this->username)) {
$this->messages['myaccount']['danger'][] = "- Your email address is not formatted correctly<br />";
else {
# Check that someone isn't piling on a bunch of requests for mail changes just to piss everyone off
$sql = "SELECT /* USE MASTER */ COUNT(1) AS RecordCount FROM account_requests WHERE ip = " . $this->App->returnQuotedString($_SERVER['REMOTE_ADDR']);
$sql .= "OR email = " . $this->App->returnQuotedString($oldmail);
$rs = $this->App->eclipse_sql($sql);
$myrow = mysql_fetch_assoc($rs);
if ($myrow['RecordCount'] > 3) {
$this->messages['myaccount']['danger'][] = "<b>You have already submitted a request. Please check your email inbox and spam folders to respond to the previous request.</b>";
else {
# Toss in a request to change the email address
$this->messages['myaccount']['success'][] = " Please check your Inbox for a confirmation email with instructions to complete the email address change. Your email address will not be updated until the process is complete.";
$this->t = $this->t = $this->App->getAlphaCode(64);
$sql = "INSERT INTO account_requests (email,new_email,fname,lname,password,ip,req_when,token)VALUES (" . $this->App->returnQuotedString($oldmail) . ",
" . $this->App->returnQuotedString($this->App->sqlSanitize($this->username)) . ",
" . $this->App->returnQuotedString("MAILCHANGE") . ",
" . $this->App->returnQuotedString("MAILCHANGE") . ",
" . $this->App->returnQuotedString($_SERVER['REMOTE_ADDR']) . ",
" . $this->App->returnQuotedString($this->t) . ")";
# Send mail to dest
$mail = "You (or someone pretending to be you) has changed their account email address to this one (" . $this->App->sqlSanitize($this->username) . ") from this IP address:\n";
$mail .= " " . $_SERVER['REMOTE_ADDR'] . "\n\n";
$mail .= "To confirm this email change, please click the link below:\n";
$mail .= "$this->t\n\n";
$mail .= "If you have not issued this request, you can safely ignore it.\n\n";
$mail .= " -- Eclipse webmaster\n";
$headers = 'From: Eclipse Webmaster (automated) <>';
mail($this->username, "Eclipse Account Change", $mail, $headers);
//notify EMO
$this->_sendNotice("Email address","from: " . $oldmail . " to: " . $this->username );
} else if ($this->is_committer && $this->changed_employer === "") {
$this->messages['myaccount']['danger'][] = "You must indicate if you have changed employers in order to save changes to your email address.";
if (empty($this->messages['myaccount']['danger'])) {
$this->messages['myaccount']['success'][] = "Your account details have been updated successfully." . $mailmsg . "";
if ($user_is_changing_password) {
header("Location:", 302);
else {
$this->messages['myaccount']['danger'][] = "Your current password is incorrect.";
else {
$this->messages['myaccount']['danger'][] = "Please ensure that all the required fields are entered correctly and try again.";
private function _resetPassword() {
# reset stage 1. We got an email address, create token and email to user
# make sure someone isn't blasting us. We disregard "token failed" since a common use-case
# is to click the reset link after it has expired.
$sql = "SELECT /* USE MASTER */ COUNT(1) AS RecordCount FROM account_requests WHERE token <> 'TOKEN_FAILED' AND fname = 'RESET' AND lname = 'RESET' AND ip = " . $this->App->returnQuotedString($_SERVER['REMOTE_ADDR']);
$rs = $this->App->eclipse_sql($sql);
$myrow = mysql_fetch_assoc($rs);
if ($myrow['RecordCount'] >= 13) {
$this->messages['reset']['danger'][] = "<b>We were unable to determine your identity after several attempts. Subsequent inquiries will be ignored for our protection. Please try later, or contact for support.</b> (8727s)";
else {
# Check to see if we're trying to reset the password of a valid account.
$this->t = $this->App->getAlphaCode(64);
$this->App->eclipse_sql("INSERT IGNORE INTO account_requests VALUES (" . $this->App->returnQuotedString($this->App->sqlSanitize($this->username)) . ",
" . $this->App->returnQuotedString("RESET") . ",
" . $this->App->returnQuotedString("RESET") . ",
" . $this->App->returnQuotedString($_SERVER['REMOTE_ADDR']) . ",
" . $this->App->returnQuotedString($this->t) . ")");
if (!preg_match(SITELOGIN_EMAIL_REGEXP, $this->username)) {
$this->messages['reset']['danger'][] = "<b>Your email address is not formatted correctly.</b><br />";
elseif ($this->Ldapconn->checkEmailAvailable($this->username)) {
$this->messages['reset']['danger'][] = "<b>We were unable to determine your identity with the information you've supplied.</b> Perhaps you don't have an account, or your account is under a different email address.(8x27s)";
else {
# Send mail to dest
$mail = "You (or someone pretending to be you) has requested a password reset from:\n";
$mail .= " " . $_SERVER['REMOTE_ADDR'] . "\n\n";
$mail .= "To change your password, please visit this URL:\n$this->t\n\n";
$mail .= "If you have not requested this change, you can safely let it expire. If you have any problems signing in please contact\n\n";
$mail .= " -- Eclipse webmaster\n";
$headers = 'From: Eclipse Webmaster (automated) <>';
mail($this->username, "Eclipse Account Password Reset", $mail, $headers);
$this->messages['reset']['success'][] = '<strong>Password Recovery:</strong> A token has been emailed to you to allow
you to reset your password. Please check your Trash and Junk/Spam
folders if you do not see this email in your inbox.';
# Debug
//print $mail;
$EventLog = new EvtLog();
private function _resetPassword2() {
# reset stage 2. We got an token back. If we find a record, allow user to reset password, then proceed to stage3
if($this->t != "") {
$sql = "SELECT /* USE MASTER */ email, COUNT(1) AS RecordCount FROM account_requests WHERE token = " . $this->App->returnQuotedString($this->App->sqlSanitize($this->t));
$rs = $this->App->eclipse_sql($sql);
$myrow = mysql_fetch_assoc($rs);
if($myrow['RecordCount'] <= 0) {
$this->exipred_pass_token = TRUE;
$this->messages['reset2']['danger'][] = "<b>The supplied reset token is invalid; perhaps it has expired? Please wait 5 minutes and try to <a href='password_recovery.php'>reset your password again</a>. If the problem persits, please contact</b> (8129rs)";
# If we can't find a record, insert a record preventing this dude from bombing us
$this->t = $this->App->getAlphaCode(64);
$this->App->eclipse_sql("INSERT INTO account_requests VALUES (" . $this->App->returnQuotedString($this->App->sqlSanitize($this->t)) . ",
" . $this->App->returnQuotedString($_SERVER['REMOTE_ADDR']) . ",
else {
# display password reset page.
$EventLog = new EvtLog();
private function _resetPassword3() {
# reset stage 3. We got a token back, and user is submitting a password.
if ($this->t != "" && $this->password1 != "" ) {
if ($this->password1 != $this->password2) {
$this->messages['reset3']['danger'][] = "Submitted passwords don't match.";
return FALSE;
if (!$this->Captcha->validate()) {
$this->messages['reset3']['danger'][] = "- You haven't answered the captcha question correctly<br />";
return FALSE;
$sql = "SELECT /* USE MASTER */ email, COUNT(1) AS RecordCount FROM account_requests WHERE token = " . $this->App->returnQuotedString($this->App->sqlSanitize($this->t));
$rs = $this->App->eclipse_sql($sql);
$myrow = mysql_fetch_assoc($rs);
if ($myrow['RecordCount'] <= 0) {
$this->messages['reset3']['danger'][] = "We were unable to validate your request. The supplied token is invalid; perhaps it has expired? Please try to <a href='createaccount.php'>reset your password again</a>. If the problem persits, please contact (8329rs)";
# If we can't find a record, insert a record preventing this dude from bombing us
$this->t = $this->App->getAlphaCode(64);
$this->App->eclipse_sql("INSERT INTO account_requests VALUES (" . $this->App->returnQuotedString($this->App->sqlSanitize($this->t)) . ",
" . $this->App->returnQuotedString($_SERVER['REMOTE_ADDR']) . ",
else {
if (!preg_match("/(?=^.{6,}$)(?=.*\d)(?=.*[A-Za-z]).*$/", $this->password1)) {
$this->messages['reset3']['danger'][] = "- Your password does not meet the complexity requirements<br />";
elseif ($cryptopass = $this->_generateCryptotext($this->App->sqlSanitize($this->password1))) {
# Update this row, change IP address to reflect that of the person who successfully confirmed this password to avoid bombing
$sql = "UPDATE account_requests SET token = 'PASSWORD_SUCCESS', password='" . $cryptopass . "', ip = " . $this->App->returnQuotedString($this->App->sqlSanitize($_SERVER['REMOTE_ADDR']))
. " WHERE token = " . $this->App->returnQuotedString($this->App->sqlSanitize($this->t));
$rs = $this->App->eclipse_sql($sql);
$bzpass = &$this->_generateBugzillaSHA256Password($this->password1);
$sql = "UPDATE profiles SET cryptpassword='" . $this->App->sqlSanitize($bzpass) . "' WHERE login_name = " . $this->App->returnQuotedString($this->App->sqlSanitize($myrow['email'])) . " LIMIT 1";
$this->messages['reset']['success'][] = '<strong>Password Recovery:</strong> Your password was reset. You may now <a href="/site_login/index.php">log in</a>. Please note that some sites, such as Bugzilla, Wiki or Forums, may ask you to login again with your new password.';
$EventLog = new EvtLog();
else {
$this->messages['create']['danger'][] = "An error occurred while processing your request. Please ensure that all the required fields are entered correctly and try again. (3543s)";
else {
$this->messages['reset3']['danger'][] = "Please enter a new password.";
return FALSE;
private function _sanitizeVariables() {
$inputs = array(
foreach ($inputs as $field) {
$this->$field = $this->App->getHTTPParameter($field, "POST");
if ($field == 'takemeback' || $field == 'website') {
$this->$field = urldecode($this->$field);
if ($field == 'fname' || $field == 'lname') {
$this->$field = preg_replace(SITELOGIN_NAME_REGEXP, '', $this->$field);
else if ($field == 't') {
$this->$field = preg_replace("/[^a-zA-Z0-9]/", "", $this->t);
else {
$this->$field = preg_replace($this->xss_patterns, '', $this->$field);
# Magic quotes feature is removed from PHP 5.4 but just incase.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
$this->$field = stripslashes($this->$field);
$this->username = trim($this->username);
if (!is_numeric($this->remember)) {
$this->remember = 0;
# Takemeback processing
$this->referer = "";
if (isset($_SERVER['HTTP_REFERER'])) {
$this->referer = $_SERVER['HTTP_REFERER'];
# Coming from the Wiki? Redirect to Special:Userlogin to finish processign
if(preg_match('/^(http|https):\/\/(wiki|wikitest)\.eclipse\.org\//', $this->referer, $matches)) {
$location = substr($this->referer, strlen($matches[0]));
#strip 'extra' index data bug 308257
$location = preg_replace("/index\.php\?title\=/","",$location);
$this->takemeback = $matches[0] . "index.php?title=Special:Userlogin&action=submitlogin&type=login&returnto=" . $location ;
# Forum login process broken with bad redirect
# Bug 430302
if (preg_match('#^https?://.*\?t=login#', $this->referer, $matches)) {
$this->takemeback = "";
# Since we use a secure cookie, anything http should be sent back https.
if (preg_match("#^http://(.*)#", $this->takemeback, $matches)) {
$this->takemeback = "https://" . $matches[1];
if (preg_match('#^https?://', $this->takemeback) || !$this->validateTakemebackUrl()) {
$this->takemeback = "";
private function _setStage($stage){
$possible_values = array(
if ($this->t != "" && $stage == "confirm") {
$this->stage = 'confirm';
elseif ($this->exipred_pass_token) {
$this->stage = "reset";
elseif ($this->t == "" && $this->p == "" && $stage == 'password-recovery' && !empty($this->username)) {
$this->stage = "reset";
elseif ($this->t != "" && $this->p == "p" && $stage == 'password-recovery') {
$this->stage = "reset2";
elseif ($this->t != "" && $stage == 'password-recovery') {
$this->stage = "reset3";
elseif (in_array($stage, $possible_values)){
$this->stage = $stage;
private function _sendNotice($changed="", $details=""){
if ($this->is_committer) {
//do nothing if the changed state isn't yes or no.
if ($this->changed_employer === 'Yes') {
$mail = "Because you have changed employers, you must promptly provide the EMO( with your new employer information.\r\n";
$mail .= "The EMO will determine what, if any, new legal agreements and/or employer consent forms are required for your committer account to remain active.\r\n\r\n";
$mail .= " -- Eclipse webmaster\r\n";
$headers = "From: Eclipse Webmaster (automated) <>\r\n";
$headers .= "CC: EMO-Records <>";
mail($this->user_mail, "Eclipse Account Change", $mail, $headers);
} else if ($this->changed_employer === 'No') {
if ($changed === "" || $details === "" ){
$mail = "Committer: " . $this->user_uid . "\r\n";
$mail .= "Has changed something, but details are incomplete. \r\n";
$mail .= "What changed: " . $changed . " \r\n";
$mail .= "Details: " . $details . "\r\n\r\n";
$mail .= "Committer confirms they have NOT changed employers \r\n\r\n";
} else {
$mail = "Committer: " . $this->user_uid . "\r\n";
$mail .= "Has changed their " . $changed . " " . $details . "\r\n\r\n";
$mail .= "Committer confirms they have NOT changed employers \r\n\r\n";
$headers = "From: Eclipse Webmaster (automated) <>";
mail("", "Eclipse Account Change", $mail, $headers);
public function _showChangedEmployer() {
//show the changed employer buttons
if ($this->is_committer) {
echo <<<END
<div class="form-group clearfix has-feedback">
<label class="col-sm-6 control-label">Have you changed employers<sup>[<a href="" title="Why are we asking this?">?</a>]</sup><span class="required">*</span></label>
<div class="col-sm-16">
<input type="radio" name="changed_employer" value="Yes"> Yes
<input type="radio" name="changed_employer" value="No"> No
private function _userAuthentification() {
if (!preg_match(SITELOGIN_EMAIL_REGEXP, $this->username) && $this->stage == "login") {
$this->messages['login']['danger'][] = "Your email address does not appear to be valid.";
$dn = $this->Ldapconn->authenticate($this->username, $this->password);
if ($dn) {
# If you've logged in with your uid, we need to get the email.
if (!preg_match("/@/", $this->username)) {
$this->username = $this->Ldapconn->getLDAPAttribute($dn, "mail");
# Look up BZ ID
$sql = "SELECT /* USE MASTER */ userid FROM profiles where login_name = " . $this->App->returnQuotedString($this->App->sqlSanitize($this->username));
$rs = $this->App->bugzilla_sql($sql);
if ($myrow = mysql_fetch_assoc($rs)) {
$uid = $this->Ldapconn->getUIDFromMail($this->username);
$this->Friend->selectFriend($this->Friend->selectFriendID("uid", $uid));
else {
# Try to log into Bugzilla using these credentials
# This will create one
# creating one is important, since not all our sites use LDAP auth, and some rely on BZ auth
$AccountCreator = New AccountCreator();
# create/update Gerrit account
# Bug 421319
# sleep(1); # not needed if we take the time to log into Gerrit
$AccountCreator = New AccountCreator();
$http_code = $AccountCreator->execute();
# TODO: verify that account was created (see bugzilla SQL below)
# Get BZ ID now that an acct should be created
$sql = "SELECT /* USE MASTER */ userid FROM profiles where login_name = " . $this->App->returnQuotedString($this->App->sqlSanitize($this->username));
$rs = $this->App->bugzilla_sql($sql);
if ($myrow = mysql_fetch_assoc($rs)) {
$uid = $this->Ldapconn->getUIDFromMail($this->username);
$this->Friend->selectFriend($this->Friend->selectFriendID("uid", $uid));
else {
$EventLog = new EvtLog();
$this->Friend->setBugzillaID(41806); # Nobody.
# Override loaded friends info with LDAP info
$this->Friend->setFirstName($this->Ldapconn->getLDAPAttribute($dn, "givenName"));
$this->Friend->setLastName($this->Ldapconn->getLDAPAttribute($dn, "sn"));
$realname = $this->Friend->getFirstName() . " " . $this->Friend->getLastName();
# Only temporarily, re-hash the password in Bugzilla so that other services can use it
$bzpass = $this->_generateBugzillaSHA256Password($this->password);
$this->App->bugzilla_sql("SET NAMES 'utf8'");
$sql = "UPDATE profiles SET cryptpassword='" . $this->App->sqlSanitize($bzpass) . "', realname='" . $this->App->sqlSanitize($realname) . "' WHERE login_name = " . $this->App->returnQuotedString($this->App->sqlSanitize($this->username)) . " LIMIT 1";
# Begin: Bug 432830 - Remove the continue button in site_login
if ($this->takemeback != "") {
header("Location: " . $this->takemeback, 302);
else {
header("Location: myaccount.php", 302);
# END: Bug 432830 - Remove the continue button in site_login
else {
$this->messages["login"]['danger'][] = "Authentication Failed. Please verify that your email address and password are correct.";
private function _verifyIfPasswordExpired() {
// Check if the user is logged in
// Get the Distinguished Name from UID
$dn = $this->Ldapconn->getDNFromUID($this->user_uid);
// Get shadowLastChange in seconds
$lastChange = ($this->Ldapconn->getLDAPAttribute($dn, "shadowLastChange")) * 86400;
// Get the number of days
$shadowMax = $this->Ldapconn->getLDAPAttribute($dn, "shadowMax");
// Set the expiry date
$expiryDate = strtotime('+'.$shadowMax.' days', $lastChange);
$expireSoon = strtotime('-30 days', $expiryDate);
if ($this->Friend->getIsCommitter()) {
$numberOfDays = round(($expiryDate - time()) / (3600*24));
if ($expiryDate >= time() && time() > $expireSoon) {
$days = $numberOfDays == 1 ? 'day' : 'days';
$this->messages['password_expire_soon']['info'][] = 'Your password expires in <strong>' . $numberOfDays . ' '. $days .'.</strong>';
return FALSE;
if ($expiryDate < time()) {
$this->messages['password_expired']['danger'][] = "Your password is expired. <br>Please update it immediately.";
return TRUE;
return FALSE;
* This function fetches all the countries and continents
* @return array
* */
private function _fetchCountries() {
$sql = "SELECT
countries.en_description as description,
continents.en_description as continent
FROM SYS_countries as countries
LEFT JOIN SYS_continents as continents
ON countries.continent_code = continents.continent_code";
$result = $this->App->foundation_sql($sql);
$countries = array();
while ($row = mysql_fetch_array($result)) {
$countries[] = $row;
$this->country_list = $countries;
return $countries;
* This function fetches all the continents from the SYS_continents table
* @return array
* */
private function _fetchcontinents() {
$sql = "SELECT en_description FROM SYS_continents ORDER BY sort_order DESC";
$result = $this->App->foundation_sql($sql);
$continents = array();
while ($row = mysql_fetch_array($result)) {
$continents[] = $row['en_description'];
return $continents;