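/**
 * Authenticates a user by binding to the LDAP server with the supplied
 * password; a successful bind means the password is correct.
 *
 * @param string $username  bind identity handed to ldap_bind()
 * @param string $password  clear-text password to verify
 * @param string $givenname value handed to setLoginCookie() on success
 * @return void on failure an error message is echoed instead
 */
function authenticate($username, $password, $givenname)
{
    global $ldap_host;

    $authenticated = false;

    // An empty password (or an empty bind identity) must never reach
    // ldap_bind(): LDAP treats a bind with an empty credential as an
    // anonymous / unauthenticated bind, which normally *succeeds* and
    // would log the user in without knowing the password.
    if (is_string($username) && $username !== '' && is_string($password) && $password !== '') {
        // Connects to LDAP server (false only for a malformed host/URI)
        $ds = ldap_connect($ldap_host);
        if ($ds !== false) {
            // Performs bind to LDAP server with the user's password.
            // Error messages are suppressed if the wrong password is entered.
            $authenticated = @ldap_bind($ds, $username, $password);
            // Release the connection; the bind result is all we need.
            ldap_unbind($ds);
        }
    }

    if ($authenticated) {
        // Bind is successful - password is correct
        // Sets cookie with user's givenname
        setLoginCookie($givenname);
    } else {
        // Bind is unsuccessful (or the credentials were empty) - reject
        echo "Log in failed. Details incorrect.";
        echo "<p>Click <a href='../../login.php'>here</a> to go back.</p>";
    }
}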
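 /**
  * Completes a registration that was started through an external
  * authentication provider (its details live in $_SESSION['extauth_info']).
  *
  * Validates session and token, registers the member with a generated
  * password, associates the external account via addAuth() and then either
  * prepares the "after registration" template or logs the member in.
  *
  * @return mixed the result of action_register() when validation errors
  *               exist; otherwise nothing (ends in a redirect or by filling
  *               $context for the template)
  */
 public function action_register2()
 {
     global $txt, $modSettings, $context, $user_info;

     // Start collecting together any errors.
     $reg_errors = Error_Context::context('register', 0);

     // Check they are who they should be
     checkSession();
     if (!validateToken('register', 'post', true, false)) {
         $reg_errors->addError('token_verification');
     }

     // You can't register if it's disabled.
     if (!empty($modSettings['registration_method']) && $modSettings['registration_method'] == 3) {
         fatal_lang_error('registration_disabled', false);
     }

     // Well, if you don't agree, you can't register.
     if (!empty($modSettings['requireAgreement']) && !isset($_POST['checkbox_agreement'])) {
         $reg_errors->addError('agreement_unchecked');
     }

     // Make sure they came from *somewhere*, have a session.
     if (!isset($_SESSION['old_url'])) {
         redirectexit('action=register');
     }

     // Check their provider details match up correctly in case they're pulling something funny.
     // Both values must actually exist: a missing session provider must not compare equal to a
     // missing POST value, otherwise addAuth() below would be fed nulls.
     if (!isset($_POST['provider'], $_SESSION['extauth_info']['provider'])
         || (string) $_POST['provider'] !== (string) $_SESSION['extauth_info']['provider']) {
         redirectexit('action=register');
     }

     // Clean up
     foreach ($_POST as $key => $value) {
         if (!is_array($_POST[$key])) {
             $_POST[$key] = htmltrim__recursive(str_replace(array("\n", "\r"), '', $_POST[$key]));
         }
     }

     // Needed for isReservedName() and registerMember()
     require_once SUBSDIR . '/Members.subs.php';

     // Needed for generateValidationCode()
     require_once SUBSDIR . '/Auth.subs.php';

     // Set the options needed for registration.
     $regOptions = array(
         'interface' => 'guest',
         'username' => !empty($_POST['user']) ? $_POST['user'] : '',
         'email' => !empty($_POST['email']) ? $_POST['email'] : '',
         'check_reserved_name' => true,
         'check_password_strength' => true,
         'check_email_ban' => true,
         'send_welcome_email' => !empty($modSettings['send_welcomeEmail']),
         'require' => empty($modSettings['registration_method']) ? 'nothing' : ($modSettings['registration_method'] == 1 ? 'activation' : 'approval'),
     );

     // Lets check for other errors before trying to register the member.
     if ($reg_errors->hasErrors()) {
         return $this->action_register();
     }

     // The account gets a generated password; the member signs in through the
     // external provider. Deliberately no mt_srand() call here: seeding from
     // time() would make the generated password predictable from the
     // registration time, and PHP seeds mt_rand() itself.
     $regOptions['password'] = generateValidationCode();
     $regOptions['password_check'] = $regOptions['password'];

     // Registration needs to know your IP
     $req = request();
     $regOptions['ip'] = $user_info['ip'];
     $regOptions['ip2'] = $req->ban_ip();

     $memberID = registerMember($regOptions, 'register');

     // If there are "important" errors and you are not an admin: log the first error
     // Otherwise grab all of them and don't log anything
     if ($reg_errors->hasErrors(1) && !$user_info['is_admin']) {
         foreach ($reg_errors->prepareErrors(1) as $error) {
             fatal_error($error, 'general');
         }
     }

     // One last error check
     if ($reg_errors->hasErrors()) {
         return $this->action_register();
     }

     // Do our spam protection now.
     spamProtection('register');

     // Since all is well, we'll go ahead and associate the member's external account
     addAuth($memberID, $_SESSION['extauth_info']['provider'], $_SESSION['extauth_info']['uid'], $_SESSION['extauth_info']['name']);

     // Basic template variable setup.
     if (!empty($modSettings['registration_method'])) {
         loadTemplate('Register');
         $context += array(
             'page_title' => $txt['register'],
             'title' => $txt['registration_successful'],
             'sub_template' => 'after',
             'description' => $modSettings['registration_method'] == 2 ? $txt['approval_after_registration'] : $txt['activate_after_registration'],
         );
     } else {
         call_integration_hook('integrate_activate', array($regOptions['username']));
         // $regOptions['register_vars']['password_salt'] is presumably filled in by
         // registerMember() (i.e. it takes $regOptions by reference) - confirm against its definition.
         setLoginCookie(60 * $modSettings['cookieTime'], $memberID, hash('sha256', Util::strtolower($regOptions['username']) . $regOptions['password'] . $regOptions['register_vars']['password_salt']));
         redirectexit('action=auth;sa=check;member=' . $memberID, $context['server']['needs_login_fix']);
     }
 }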
/**
 * Final step of the legacy (mysql_* based) SMF installer: records the first
 * activity row, logs the freshly created admin in, refreshes $modSettings and
 * the forum statistics, fetches the SM files and works out whether the
 * install directory can still be deleted by the template.
 *
 * NOTE(review): depends on the mysql_* extension, which no longer exists on
 * PHP 7+, so this path only runs on PHP 5.
 *
 * @return bool always false
 */
function DeleteInstall()
{
    global $txt, $HTTP_SESSION_VARS, $incontext;
    global $current_smf_version, $sourcedir, $forum_version, $modSettings, $user_info, $db_type;
    $incontext['page_title'] = $txt['congratulations'];
    $incontext['sub_template'] = 'delete_install';
    $incontext['continue'] = 0;
    // Settings.php provides $sourcedir and the database credentials used below.
    require dirname(__FILE__) . '/Settings.php';
    load_database();
    chdir(dirname(__FILE__));
    require_once $sourcedir . '/Errors.php';
    require_once $sourcedir . '/lib/Subs.php';
    require_once $sourcedir . '/CommonAPI.php';
    require_once $sourcedir . '/Load.php';
    require_once $sourcedir . '/Security.php';
    require_once $sourcedir . '/lib/Subs-Auth.php';
    // Bring a warning over.
    if (!empty($incontext['account_existed'])) {
        $incontext['warning'] = $incontext['account_existed'];
    }
    smf_db_query('
		SET NAMES utf8', array());
    // As track stats is by default enabled let's add some activity.
    smf_db_insert('ignore', '{db_prefix}log_activity', array('date' => 'date', 'topics' => 'int', 'posts' => 'int', 'registers' => 'int'), array(strftime('%Y-%m-%d', time()), 1, 1, !empty($incontext['member_id']) ? 1 : 0), array('date'));
    // Automatically log them in ;)
    // The cookie hash is rebuilt from the username/password still present in
    // $_POST from the previous step (sha1 of sha1(user . pass) plus the salt).
    if (isset($incontext['member_id']) && isset($incontext['member_salt'])) {
        setLoginCookie(3153600 * 60, $incontext['member_id'], sha1(sha1(strtolower($_POST['username']) . $_POST['password1']) . $incontext['member_salt']));
    }
    $result = smf_db_query('
		SELECT value
		FROM {db_prefix}settings
		WHERE variable = {string:db_sessions}', array('db_sessions' => 'databaseSession_enable', 'db_error_skip' => true));
    if (mysql_num_rows($result) != 0) {
        list($db_sessions) = mysql_fetch_row($result);
    }
    mysql_free_result($result);
    // $db_sessions stays undefined when the setting row is missing; empty() copes with that.
    if (empty($db_sessions)) {
        // Pre-4.2.0 PHP needs the session array workaround flag.
        if (@version_compare(PHP_VERSION, '4.2.0') == -1) {
            $HTTP_SESSION_VARS['php_412_bugfix'] = true;
        }
        $_SESSION['admin_time'] = time();
    } else {
        // Database sessions: write the row ourselves. The data column is a
        // hand-built serialize() string, so the user agent is cut to 211 bytes first.
        $_SERVER['HTTP_USER_AGENT'] = substr($_SERVER['HTTP_USER_AGENT'], 0, 211);
        smf_db_insert('replace', '{db_prefix}sessions', array('session_id' => 'string', 'last_update' => 'int', 'data' => 'string'), array(session_id(), time(), 'USER_AGENT|s:' . strlen($_SERVER['HTTP_USER_AGENT']) . ':"' . $_SERVER['HTTP_USER_AGENT'] . '";admin_time|i:' . time() . ';'), array('session_id'));
    }
    // We're going to want our lovely $modSettings now.
    $request = smf_db_query('
		SELECT variable, value
		FROM {db_prefix}settings', array('db_error_skip' => true));
    // Only proceed if we can load the data.
    if ($request) {
        while ($row = mysql_fetch_row($request)) {
            $modSettings[$row[0]] = $row[1];
        }
        mysql_free_result($request);
    }
    updateStats('member');
    updateStats('message');
    updateStats('topic');
    // If the very first message is still untouched, give it the default subject.
    $request = smf_db_query('
		SELECT id_msg
		FROM {db_prefix}messages
		WHERE id_msg = 1
			AND modified_time = 0
		LIMIT 1', array('db_error_skip' => true));
    if (mysql_num_rows($request) > 0) {
        updateStats('subject', 1, htmlspecialchars($txt['default_topic_subject']));
    }
    mysql_free_result($request);
    // Now is the perfect time to fetch the SM files.
    require_once $sourcedir . '/ScheduledTasks.php';
    // Sanity check that they loaded earlier!
    if (isset($modSettings['recycle_board'])) {
        $forum_version = $current_smf_version;
        // The variable is usually defined in index.php so lets just use our variable to do it for us.
        scheduled_fetchSMfiles();
        // Now go get those files!
        // We've just installed!
        // logAction() needs a user; fake the minimum from the request / new member id.
        $user_info['ip'] = $_SERVER['REMOTE_ADDR'];
        $user_info['id'] = isset($incontext['member_id']) ? $incontext['member_id'] : 0;
        logAction('install', array('version' => $forum_version), 'admin');
    }
    // Check if we need some stupid MySQL fix.
    $server_version = smf_db_get_version();
    if ($db_type == 'mysql' && in_array(substr($server_version, 0, 6), array('5.0.50', '5.0.51'))) {
        updateSettings(array('db_mysql_group_by_fix' => '1'));
    }
    // Some final context for the template.
    // The ':\' test excludes Windows drive paths from the "still writable" warning.
    $incontext['dir_still_writable'] = is_writable(dirname(__FILE__)) && substr(__FILE__, 1, 2) != ':\\';
    $incontext['probably_delete_install'] = isset($_SESSION['installer_temp_ftp']) || is_writable(dirname(__FILE__)) || is_writable(__FILE__);
    return false;
}
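/**
 * Logs a member into the bundled SMF forum by issuing its login cookie.
 *
 * Loads SMF's SSI.php from $THIS_BASEPATH and, should setLoginCookie()
 * still be undefined afterwards, Subs-Auth.php as a fallback.
 *
 * @param int    $id       SMF member id
 * @param string $passhash password hash stored by SMF for the member
 * @param string $salt     password salt stored by SMF for the member
 * @return void
 */
function set_smf_cookie($id, $passhash, $salt)
{
    global $THIS_BASEPATH;

    require $THIS_BASEPATH . '/smf/SSI.php';

    // The function name has to be a string: the bare word setLoginCookie was
    // an undefined constant (a warning on PHP < 8, a fatal Error on PHP 8).
    if (!function_exists('setLoginCookie')) {
        require $THIS_BASEPATH . '/smf/Sources/Subs-Auth.php';
    }

    // 189216000 seconds is a six-year cookie lifetime.
    setLoginCookie(189216000, $id, sha1($passhash . $salt));
}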
    /*
    NOTE: Following code adapted from http://elbertf.com/2010/01/store-passwords-safely-with-php-and-mysql/
        A random salt is generated and appended to the given password to generate a hash
        This is then hashed 100000 times for extra security
        The salt is then appended to the hash, so that the salt can be retrieved later (i.e. on log in)
    */
    // Create a 256 bit (64 characters) long random salt
    // Add 'something random' and the username to the salt as well for added security
    $salt = hash('sha256', uniqid(mt_rand(), true) . 'something random' . strtolower($username));
    // Prefix the password with the salt
    $hash = $salt . $password;
    // Hash the salted password 100000 times
    for ($i = 0; $i < 100000; $i++) {
        $hash = hash('sha256', $hash);
    }
    // Prefix the hash with the salt so we can get it back later
    $hash = $salt . $hash;
    // Insert the username and hashed password into the DB
    $query = "INSERT INTO Users (username, password) VALUES ('{$username}', '{$hash}')";
    // If the insertion was successful, then set the log in cookie
    if (mysql_query($query)) {
        // Calls the setLoginCookie function, which sets a cookie for the username
        setLoginCookie($username);
    } else {
        // Insertion was unsuccessful
        if (mysql_errno() == 1062) {
            // Insertion failed because the username is already being used
            echo "Oh no! The username '{$username}' is already taken!";
        }
    }
}
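 /**
  * Actually register the member.
  *
  * Validates the submitted registration form (session/token, agreement,
  * COPPA, time gate, visual verification, custom fields), builds the
  * $regOptions array, hands it to registerMember() and finally either
  * redirects (COPPA / auto-login) or prepares the "after" template.
  *
  * @todo split this function in two functions:
  *  - a function that handles action=register2, which needs no parameter;
  *  - a function that processes the case of OpenID verification.
  *
  * @param bool $verifiedOpenID = false true when we return from a completed
  *                              OpenID verification; skips the session/token
  *                              and agreement checks that already happened
  * @return mixed the result of action_register() when validation errors exist;
  *               otherwise nothing (ends in a redirect, an OpenID round-trip or
  *               by filling $context for the template)
  */
 public function action_register2($verifiedOpenID = false)
 {
     global $txt, $modSettings, $context, $user_info;

     // Start collecting together any errors.
     $reg_errors = Error_Context::context('register', 0);

     // We can't validate the token and the session with OpenID enabled.
     if (!$verifiedOpenID) {
         checkSession();
         if (!validateToken('register', 'post', true, false)) {
             $reg_errors->addError('token_verification');
         }
     }

     // Did we save some open ID fields?
     if ($verifiedOpenID && !empty($context['openid_save_fields'])) {
         foreach ($context['openid_save_fields'] as $id => $value) {
             $_POST[$id] = $value;
         }
     }

     // You can't register if it's disabled.
     if (!empty($modSettings['registration_method']) && $modSettings['registration_method'] == 3) {
         fatal_lang_error('registration_disabled', false);
     }

     // If we're using an agreement checkbox, did they check it?
     if (!empty($modSettings['checkboxAgreement']) && !empty($_POST['checkbox_agreement'])) {
         $_SESSION['registration_agreed'] = true;
     }

     // Things we don't do for people who have already confirmed their OpenID allegances via register.
     if (!$verifiedOpenID) {
         // Well, if you don't agree, you can't register.
         if (!empty($modSettings['requireAgreement']) && empty($_SESSION['registration_agreed'])) {
             redirectexit();
         }

         // Make sure they came from *somewhere*, have a session.
         if (!isset($_SESSION['old_url'])) {
             redirectexit('action=register');
         }

         // If we don't require an agreement, we need a extra check for coppa.
         if (empty($modSettings['requireAgreement']) && !empty($modSettings['coppaAge'])) {
             $_SESSION['skip_coppa'] = !empty($_POST['accept_agreement']);
         }

         // Are they under age, and under age users are banned?
         if (!empty($modSettings['coppaAge']) && empty($modSettings['coppaType']) && empty($_SESSION['skip_coppa'])) {
             loadLanguage('Login');
             fatal_lang_error('under_age_registration_prohibited', false, array($modSettings['coppaAge']));
         }

         // Check the time gate for miscreants. First make sure they came from somewhere that actually set it up.
         if (empty($_SESSION['register']['timenow']) || empty($_SESSION['register']['limit'])) {
             redirectexit('action=register');
         }

         // Failing that, check the time limit for exessive speed.
         if (time() - $_SESSION['register']['timenow'] < $_SESSION['register']['limit']) {
             loadLanguage('Login');
             $reg_errors->addError('too_quickly');
         }

         // Check whether the visual verification code was entered correctly.
         if (!empty($modSettings['reg_verification'])) {
             require_once SUBSDIR . '/VerificationControls.class.php';
             $verificationOptions = array('id' => 'register');
             $context['visual_verification'] = create_control_verification($verificationOptions, true);
             // An array result is the list of verification errors.
             if (is_array($context['visual_verification'])) {
                 foreach ($context['visual_verification'] as $error) {
                     $reg_errors->addError($error);
                 }
             }
         }
     }

     // Strip line breaks and trim every scalar POST value.
     foreach ($_POST as $key => $value) {
         if (!is_array($_POST[$key])) {
             $_POST[$key] = htmltrim__recursive(str_replace(array("\n", "\r"), '', $_POST[$key]));
         }
     }

     // Collect all extra registration fields someone might have filled in.
     $possible_strings = array('birthdate', 'time_format', 'buddy_list', 'pm_ignore_list', 'smiley_set', 'personal_text', 'avatar', 'lngfile', 'location', 'secret_question', 'secret_answer', 'website_url', 'website_title');
     $possible_ints = array('pm_email_notify', 'notify_types', 'id_theme', 'gender');
     $possible_floats = array('time_offset');
     $possible_bools = array('notify_announcements', 'notify_regularity', 'notify_send_body', 'hide_email', 'show_online');

     // The secret answer is stored as an unsalted md5 - this is the format the
     // rest of the application compares against, so it cannot be changed here alone.
     if (isset($_POST['secret_answer']) && $_POST['secret_answer'] != '') {
         $_POST['secret_answer'] = md5($_POST['secret_answer']);
     }

     // Needed for isReservedName() and registerMember().
     require_once SUBSDIR . '/Members.subs.php';

     // Validation... even if we're not a mall.
     if (isset($_POST['real_name']) && (!empty($modSettings['allow_editDisplayName']) || allowedTo('moderate_forum'))) {
         // Collapse every kind of whitespace (incl. Unicode spaces and soft hyphens) to a single space.
         $_POST['real_name'] = trim(preg_replace('~[\\t\\n\\r \\x0B\\0\\x{A0}\\x{AD}\\x{2000}-\\x{200F}\\x{201F}\\x{202F}\\x{3000}\\x{FEFF}]+~u', ' ', $_POST['real_name']));
         if (trim($_POST['real_name']) != '' && !isReservedName($_POST['real_name']) && Util::strlen($_POST['real_name']) < 60) {
             $possible_strings[] = 'real_name';
         }
     }

     // Handle a string as a birthdate...
     if (isset($_POST['birthdate']) && $_POST['birthdate'] != '') {
         $_POST['birthdate'] = strftime('%Y-%m-%d', strtotime($_POST['birthdate']));
     } elseif (!empty($_POST['bday1']) && !empty($_POST['bday2'])) {
         // bday3 is the year, bday1/bday2 month and day; a missing year is stored as 0000.
         $_POST['birthdate'] = sprintf('%04d-%02d-%02d', empty($_POST['bday3']) ? 0 : (int) $_POST['bday3'], (int) $_POST['bday1'], (int) $_POST['bday2']);
     }

     // By default assume email is hidden, only show it if we tell it to.
     $_POST['hide_email'] = !empty($_POST['allow_email']) ? 0 : 1;

     // Validate the passed language file.
     if (isset($_POST['lngfile']) && !empty($modSettings['userLanguage'])) {
         // Do we have any languages?
         $context['languages'] = getLanguages();

         // Did we find it?
         if (isset($context['languages'][$_POST['lngfile']])) {
             $_SESSION['language'] = $_POST['lngfile'];
         } else {
             unset($_POST['lngfile']);
         }
     } else {
         unset($_POST['lngfile']);
     }

     // Some of these fields we may not want.
     if (!empty($modSettings['registration_fields'])) {
         // But we might want some of them if the admin asks for them.
         $standard_fields = array('location', 'gender');
         $reg_fields = explode(',', $modSettings['registration_fields']);
         $exclude_fields = array_diff($standard_fields, $reg_fields);

         // Website is a little different
         if (!in_array('website', $reg_fields)) {
             $exclude_fields = array_merge($exclude_fields, array('website_url', 'website_title'));
         }

         // We used to accept signature on registration but it's being abused by spammers these days, so no more.
         $exclude_fields[] = 'signature';
     } else {
         $exclude_fields = array('signature', 'location', 'gender', 'website_url', 'website_title');
     }

     $possible_strings = array_diff($possible_strings, $exclude_fields);
     $possible_ints = array_diff($possible_ints, $exclude_fields);
     $possible_floats = array_diff($possible_floats, $exclude_fields);
     $possible_bools = array_diff($possible_bools, $exclude_fields);

     // Set the options needed for registration.
     $regOptions = array(
         'interface' => 'guest',
         'username' => !empty($_POST['user']) ? $_POST['user'] : '',
         'email' => !empty($_POST['email']) ? $_POST['email'] : '',
         'password' => !empty($_POST['passwrd1']) ? $_POST['passwrd1'] : '',
         'password_check' => !empty($_POST['passwrd2']) ? $_POST['passwrd2'] : '',
         'openid' => !empty($_POST['openid_identifier']) ? $_POST['openid_identifier'] : '',
         'auth_method' => !empty($_POST['authenticate']) ? $_POST['authenticate'] : '',
         'check_reserved_name' => true,
         'check_password_strength' => true,
         'check_email_ban' => true,
         'send_welcome_email' => !empty($modSettings['send_welcomeEmail']),
         // COPPA takes precedence over the admin's registration method; OpenID-verified members skip it.
         'require' => !empty($modSettings['coppaAge']) && !$verifiedOpenID && empty($_SESSION['skip_coppa']) ? 'coppa' : (empty($modSettings['registration_method']) ? 'nothing' : ($modSettings['registration_method'] == 1 ? 'activation' : 'approval')),
         'extra_register_vars' => array(),
         'theme_vars' => array(),
     );

     // Include the additional options that might have been filled in.
     foreach ($possible_strings as $var) {
         if (isset($_POST[$var])) {
             $regOptions['extra_register_vars'][$var] = Util::htmlspecialchars($_POST[$var], ENT_QUOTES);
         }
     }
     foreach ($possible_ints as $var) {
         if (isset($_POST[$var])) {
             $regOptions['extra_register_vars'][$var] = (int) $_POST[$var];
         }
     }
     foreach ($possible_floats as $var) {
         if (isset($_POST[$var])) {
             $regOptions['extra_register_vars'][$var] = (double) $_POST[$var];
         }
     }
     foreach ($possible_bools as $var) {
         if (isset($_POST[$var])) {
             $regOptions['extra_register_vars'][$var] = empty($_POST[$var]) ? 0 : 1;
         }
     }

     // Registration options are always default options...
     if (isset($_POST['default_options'])) {
         $_POST['options'] = isset($_POST['options']) ? $_POST['options'] + $_POST['default_options'] : $_POST['default_options'];
     }
     $regOptions['theme_vars'] = isset($_POST['options']) && is_array($_POST['options']) ? $_POST['options'] : array();

     // Make sure they are clean, dammit!
     $regOptions['theme_vars'] = htmlspecialchars__recursive($regOptions['theme_vars']);

     // Check whether we have fields that simply MUST be displayed?
     require_once SUBSDIR . '/Profile.subs.php';
     loadCustomFields(0, 'register');
     foreach ($context['custom_fields'] as $row) {
         // Don't allow overriding of the theme variables.
         if (isset($regOptions['theme_vars'][$row['colname']])) {
             unset($regOptions['theme_vars'][$row['colname']]);
         }

         // Prepare the value!
         $value = isset($_POST['customfield'][$row['colname']]) ? trim($_POST['customfield'][$row['colname']]) : '';

         // We only care for text fields as the others are valid to be empty.
         if (!in_array($row['type'], array('check', 'select', 'radio'))) {
             // Is it too long?
             if ($row['field_length'] && $row['field_length'] < Util::strlen($value)) {
                 $reg_errors->addError(array('custom_field_too_long', array($row['name'], $row['field_length'])));
             }

             // Any masks to apply?
             if ($row['type'] == 'text' && !empty($row['mask']) && $row['mask'] != 'none') {
                 // @todo We never error on this - just ignore it at the moment...
                 if ($row['mask'] == 'email' && !isValidEmail($value)) {
                     $reg_errors->addError(array('custom_field_invalid_email', array($row['name'])));
                 } elseif ($row['mask'] == 'number' && preg_match('~[^\\d]~', $value)) {
                     $reg_errors->addError(array('custom_field_not_number', array($row['name'])));
                 } elseif (substr($row['mask'], 0, 5) == 'regex' && trim($value) !== '' && preg_match(substr($row['mask'], 5), $value) === 0) {
                     // The admin-defined pattern follows the "regex" prefix in the mask.
                     $reg_errors->addError(array('custom_field_inproper_format', array($row['name'])));
                 }
             }
         }

         // Is this required but not there?
         if (trim($value) == '' && $row['show_reg'] > 1) {
             $reg_errors->addError(array('custom_field_empty', array($row['name'])));
         }
     }

     // Lets check for other errors before trying to register the member.
     if ($reg_errors->hasErrors()) {
         $_REQUEST['step'] = 2;

         // If they've filled in some details but made an error then they need less time to finish
         $_SESSION['register']['limit'] = 4;

         return $this->action_register();
     }

     // If they're wanting to use OpenID we need to validate them first.
     if (empty($_SESSION['openid']['verified']) && !empty($_POST['authenticate']) && $_POST['authenticate'] == 'openid') {
         // What do we need to save? Everything except session tokens and the passwords.
         $save_variables = array();
         foreach ($_POST as $k => $v) {
             if (!in_array($k, array('sc', 'sesc', $context['session_var'], 'passwrd1', 'passwrd2', 'regSubmit'))) {
                 $save_variables[$k] = $v;
             }
         }

         require_once SUBSDIR . '/OpenID.subs.php';
         $openID = new OpenID();
         $openID->validate($_POST['openid_identifier'], false, $save_variables);
     } elseif ($verifiedOpenID || ((!empty($_POST['openid_identifier']) || !empty($_SESSION['openid']['openid_uri'])) && isset($_POST['authenticate']) && $_POST['authenticate'] == 'openid')) {
         // Fall back to the details the OpenID provider gave us when the form left them blank.
         $regOptions['username'] = !empty($_POST['user']) && trim($_POST['user']) != '' ? $_POST['user'] : $_SESSION['openid']['nickname'];
         $regOptions['email'] = !empty($_POST['email']) && trim($_POST['email']) != '' ? $_POST['email'] : $_SESSION['openid']['email'];
         $regOptions['auth_method'] = 'openid';
         $regOptions['openid'] = !empty($_SESSION['openid']['openid_uri']) ? $_SESSION['openid']['openid_uri'] : (!empty($_POST['openid_identifier']) ? $_POST['openid_identifier'] : '');
     }

     // Registration needs to know your IP
     $req = request();
     $regOptions['ip'] = $user_info['ip'];
     $regOptions['ip2'] = $req->ban_ip();

     $memberID = registerMember($regOptions, 'register');

     // If there are "important" errors and you are not an admin: log the first error
     // Otherwise grab all of them and don't log anything
     if ($reg_errors->hasErrors(1) && !$user_info['is_admin']) {
         foreach ($reg_errors->prepareErrors(1) as $error) {
             fatal_error($error, 'general');
         }
     }

     // Was there actually an error of some kind dear boy?
     if ($reg_errors->hasErrors()) {
         $_REQUEST['step'] = 2;
         return $this->action_register();
     }

     // Do our spam protection now.
     spamProtection('register');

     // We'll do custom fields after as then we get to use the helper function!
     if (!empty($_POST['customfield'])) {
         require_once SUBSDIR . '/Profile.subs.php';
         makeCustomFieldChanges($memberID, 'register');
     }

     // If COPPA has been selected then things get complicated, setup the template.
     if (!empty($modSettings['coppaAge']) && empty($_SESSION['skip_coppa'])) {
         redirectexit('action=coppa;member=' . $memberID);
     } elseif (!empty($modSettings['registration_method'])) {
         loadTemplate('Register');
         $context += array(
             'page_title' => $txt['register'],
             'title' => $txt['registration_successful'],
             'sub_template' => 'after',
             'description' => $modSettings['registration_method'] == 2 ? $txt['approval_after_registration'] : $txt['activate_after_registration'],
         );
     } else {
         call_integration_hook('integrate_activate', array($regOptions['username']));

         // $regOptions['register_vars']['password_salt'] is presumably filled in by
         // registerMember() (i.e. it takes $regOptions by reference) - confirm against its definition.
         setLoginCookie(60 * $modSettings['cookieTime'], $memberID, hash('sha256', Util::strtolower($regOptions['username']) . $regOptions['password'] . $regOptions['register_vars']['password_salt']));

         redirectexit('action=auth;sa=check;member=' . $memberID, $context['server']['needs_login_fix']);
     }
 }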
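/**
 * Final step, clean up and a complete message!
 *
 * Loads Settings.php and the core sources, records the first activity row,
 * refreshes $modSettings, logs the freshly created admin in, updates the
 * forum statistics, fetches the remote files and works out whether the
 * install directory can still be deleted by the template.
 *
 * @return bool always false
 */
function action_deleteInstall()
{
    global $txt, $incontext, $db_character_set;
    global $current_version, $databases, $forum_version, $modSettings, $user_info, $db_type;

    // A few items we will load in from settings and make avaialble.
    global $boardurl, $db_prefix, $cookiename, $mbname, $language;

    $incontext['page_title'] = $txt['congratulations'];
    $incontext['sub_template'] = 'delete_install';
    $incontext['continue'] = 0;

    require dirname(__FILE__) . '/Settings.php';

    if (!defined('ELK')) {
        define('ELK', 1);
    }

    definePaths();
    $db = load_database();

    if (!defined('SUBSDIR')) {
        define('SUBSDIR', dirname(__FILE__) . '/sources/subs');
    }

    chdir(dirname(__FILE__));

    require_once SOURCEDIR . '/Errors.php';
    require_once SOURCEDIR . '/Logging.php';
    require_once SOURCEDIR . '/Subs.php';
    require_once SOURCEDIR . '/Load.php';
    require_once SUBSDIR . '/Cache.subs.php';
    require_once SOURCEDIR . '/Security.php';
    require_once SUBSDIR . '/Auth.subs.php';
    require_once SUBSDIR . '/Util.class.php';

    // Bring a warning over.
    if (!empty($incontext['account_existed'])) {
        $incontext['warning'] = $incontext['account_existed'];
    }

    if (!empty($db_character_set) && !empty($databases[$db_type]['utf8_support'])) {
        $db->query('', '
			SET NAMES {raw:db_character_set}', array('db_character_set' => $db_character_set, 'db_error_skip' => true));
    }

    // As track stats is by default enabled let's add some activity.
    // date('Y-m-d') gives the same value strftime('%Y-%m-%d') did, without the
    // deprecation notice strftime() emits since PHP 8.1.
    $db->insert('ignore', '{db_prefix}log_activity', array('date' => 'date', 'topics' => 'int', 'posts' => 'int', 'registers' => 'int'), array(date('Y-m-d'), 1, 1, !empty($incontext['member_id']) ? 1 : 0), array('date'));

    // We're going to want our lovely $modSettings now.
    $request = $db->query('', '
		SELECT variable, value
		FROM {db_prefix}settings', array('db_error_skip' => true));

    // Only proceed if we can load the data.
    if ($request) {
        while ($row = $db->fetch_row($request)) {
            $modSettings[$row[0]] = $row[1];
        }
        $db->free_result($request);
    }

    // Automatically log them in ;)
    // The cookie hash is sha256 of the password kept in $incontext plus the member's salt.
    if (isset($incontext['member_id']) && isset($incontext['member_salt'])) {
        setLoginCookie(3153600 * 60, $incontext['member_id'], hash('sha256', $incontext['passwd'] . $incontext['member_salt']));
    }

    $result = $db->query('', '
		SELECT value
		FROM {db_prefix}settings
		WHERE variable = {string:db_sessions}', array('db_sessions' => 'databaseSession_enable', 'db_error_skip' => true));
    if ($db->num_rows($result) != 0) {
        list($db_sessions) = $db->fetch_row($result);
    }
    $db->free_result($result);

    // $db_sessions stays undefined when the setting row is missing; empty() copes with that.
    if (empty($db_sessions)) {
        $_SESSION['admin_time'] = time();
    } else {
        // Database sessions: write the row ourselves. The data column is a
        // hand-built serialize() string, so the user agent is cut to 211 bytes first.
        $_SERVER['HTTP_USER_AGENT'] = substr($_SERVER['HTTP_USER_AGENT'], 0, 211);
        $db->insert('replace', '{db_prefix}sessions', array('session_id' => 'string', 'last_update' => 'int', 'data' => 'string'), array(session_id(), time(), 'USER_AGENT|s:' . strlen($_SERVER['HTTP_USER_AGENT']) . ':"' . $_SERVER['HTTP_USER_AGENT'] . '";admin_time|i:' . time() . ';'), array('session_id'));
    }

    updateStats('member');
    updateStats('message');
    updateStats('topic');

    // If the very first message is still untouched, give it the default subject.
    $request = $db->query('', '
		SELECT id_msg
		FROM {db_prefix}messages
		WHERE id_msg = 1
			AND modified_time = 0
		LIMIT 1', array('db_error_skip' => true));
    if ($db->num_rows($request) > 0) {
        updateStats('subject', 1, htmlspecialchars($txt['default_topic_subject']));
    }
    $db->free_result($request);

    // Now is the perfect time to fetch remote files.
    require_once SUBSDIR . '/ScheduledTask.class.php';

    // Sanity check that they loaded earlier!
    if (isset($modSettings['recycle_board'])) {
        // The variable is usually defined in index.php so lets just use our variable to do it for us.
        $forum_version = $current_version;

        // Now go get those files!
        $task = new Scheduled_Task();
        $task->fetchFiles();

        // We've just installed! logAction() needs a user; fake the minimum from the request / new member id.
        $user_info['ip'] = $_SERVER['REMOTE_ADDR'];
        $user_info['id'] = isset($incontext['member_id']) ? $incontext['member_id'] : 0;
        logAction('install', array('version' => $forum_version), 'admin');
    }

    // Check if we need some stupid MySQL fix.
    $server_version = $db->db_server_info();
    if ($db_type == 'mysql' && in_array(substr($server_version, 0, 6), array('5.0.50', '5.0.51'))) {
        updateSettings(array('db_mysql_group_by_fix' => '1'));
    }

    // Some final context for the template.
    // The ':\' test excludes Windows drive paths from the "still writable" warning.
    $incontext['dir_still_writable'] = is_writable(dirname(__FILE__)) && substr(__FILE__, 1, 2) != ':\\';
    $incontext['probably_delete_install'] = isset($_SESSION['installer_temp_ftp']) || is_writable(dirname(__FILE__)) || is_writable(__FILE__);

    return false;
}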
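/**
 * Returns true when $target is a same-site, relative redirect destination.
 *
 * Rejects absolute URLs (anything starting with a scheme such as "http:" or
 * "javascript:"), protocol-relative forms ("//host", "/\host", "\\host") and
 * values containing control characters, so the "jumpto" request parameter
 * cannot be used to bounce a freshly logged-in user to another site.
 *
 * @param mixed $target raw request value
 * @return bool
 */
function isSafeJumpTarget($target)
{
    if (!is_string($target) || $target === '') {
        return false;
    }
    // Control characters (CR/LF in particular) have no place in a Location header.
    if (preg_match('/[\x00-\x1F\x7F]/', $target)) {
        return false;
    }
    // "scheme:..." - an absolute URL or a javascript:/data: pseudo-URL.
    if (preg_match('/^[a-z][a-z0-9+.\-]*:/i', $target)) {
        return false;
    }
    // Two leading (back)slashes are read as protocol-relative by browsers.
    if (preg_match('#^[/\\\\]{2}#', $target)) {
        return false;
    }
    return true;
}

// Where to send the user after a successful login: POST wins over GET, but
// only a same-site relative target is honoured; anything else falls back to home.php.
$jumpto = "home.php";
if (isset($_POST["jumpto"])) {
    $requestedJump = $_POST["jumpto"];
} elseif (isset($_GET["jumpto"])) {
    $requestedJump = $_GET["jumpto"];
} else {
    $requestedJump = null;
}
if ($requestedJump !== null && isSafeJumpTarget($requestedJump)) {
    $jumpto = $requestedJump;
}

$msg = "";
if (isset($_POST["un"]) && isset($_POST["pwd"])) {
    // parseCredentials() appears to fill $token and $expires through by-reference
    // parameters - confirm against its definition.
    $msg = parseCredentials($_POST["un"], $_POST["pwd"], $token, $expires);
    if (isset($token) && strlen($token) === 32 && isset($expires)) {
        setLoginCookie($token, $expires->getTimestamp());
        header("Location: {$jumpto}");
        // Stop here so nothing below (the page body) runs once the redirect is issued.
        exit;
    }
}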
?>






<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="keywords" content="" />
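/**
 * Completes a guest registration submitted from the registration form.
 *
 * Checks, in order: the agreement radio, the presence of a registration
 * session, whether registration is disabled, the anti-spam questions, the
 * COPPA age gate and the visual verification code. Optional profile fields
 * are then whitelisted by type, the language choice is checked against the
 * theme language directories, and registerMember() creates the account.
 * Depending on settings the new member is sent to the COPPA flow, shown the
 * "after registration" template, or logged in straight away via the login
 * cookie.
 *
 * Every failure path ends in fatal_lang_error() or redirectexit(); nothing
 * is returned.
 */
function Register2()
{
    global $scripturl, $txt, $modSettings, $db_prefix, $context, $sourcedir;
    global $user_info, $options, $settings, $func;
    // Well, if you don't agree, you can't register.
    if (!empty($modSettings['requireAgreement']) && (empty($_POST['regagree']) || $_POST['regagree'] == 'no')) {
        redirectexit();
    }
    // Make sure they came from *somewhere*, have a session.
    if (!isset($_SESSION['old_url'])) {
        redirectexit('action=register');
    }
    // You can't register if it's disabled.
    if (!empty($modSettings['registration_method']) && $modSettings['registration_method'] == 3) {
        fatal_lang_error('registration_disabled', false);
    }
    // Strip line breaks and surrounding whitespace from every scalar POST value.
    foreach ($_POST as $key => $value) {
        if (!is_array($_POST[$key])) {
            $_POST[$key] = htmltrim__recursive(str_replace(array("\n", "\r"), '', $_POST[$key]));
        }
    }
    // Did they answer the verification questions correctly?
    if (!empty($modSettings['anti_spam_ver_enable'])) {
        // Up to five question/answer pairs are configured; every configured
        // question must be answered correctly (compared case-insensitively).
        for ($i = 1; $i <= 5; $i++) {
            if (empty($modSettings['anti_spam_ver_ques_' . $i])) {
                continue;
            }
            $given = isset($_POST['anti_spam_ver_resp_' . $i]) ? strtolower($_POST['anti_spam_ver_resp_' . $i]) : '';
            if (strcmp(strtolower($modSettings['anti_spam_ver_ans_' . $i]), $given)) {
                fatal_lang_error('anti_spam_ver_failed', false);
            }
        }
    }
    // Are they under age, and under age users are banned?
    if (!empty($modSettings['coppaAge']) && empty($modSettings['coppaType']) && !isset($_POST['skip_coppa'])) {
        // !!! This should be put in Errors, imho.
        loadLanguage('Login');
        fatal_lang_error('under_age_registration_prohibited', false, array($modSettings['coppaAge']));
    }
    // Check whether the visual verification code was entered correctly.
    if ((empty($modSettings['disable_visual_verification']) || $modSettings['disable_visual_verification'] != 1) && (empty($_REQUEST['visual_verification_code']) || strtoupper($_REQUEST['visual_verification_code']) !== $_SESSION['visual_verification_code'])) {
        // After more than three wrong attempts the stored code is discarded
        // so a fresh one has to be generated.
        $_SESSION['visual_errors'] = isset($_SESSION['visual_errors']) ? $_SESSION['visual_errors'] + 1 : 1;
        if ($_SESSION['visual_errors'] > 3 && isset($_SESSION['visual_verification_code'])) {
            unset($_SESSION['visual_verification_code']);
        }
        fatal_lang_error('visual_verification_failed', false);
    } elseif (isset($_SESSION['visual_errors'])) {
        unset($_SESSION['visual_errors']);
    }
    // Collect all extra registration fields someone might have filled in.
    // Only names on these whitelists are passed on to registerMember().
    $possible_strings = array('websiteUrl', 'websiteTitle', 'AIM', 'YIM', 'location', 'birthdate', 'timeFormat', 'buddy_list', 'pm_ignore_list', 'smileySet', 'signature', 'personalText', 'avatar', 'lngfile', 'secretQuestion', 'secretAnswer');
    $possible_ints = array('pm_email_notify', 'notifyTypes', 'ICQ', 'gender', 'ID_THEME');
    $possible_floats = array('timeOffset');
    $possible_bools = array('notifyAnnouncements', 'notifyOnce', 'notifySendBody', 'hideEmail', 'showOnline');
    if (isset($_POST['secretAnswer']) && $_POST['secretAnswer'] != '') {
        // Stored as an unsalted md5 of the answer, so identical answers
        // produce identical hashes.
        $_POST['secretAnswer'] = md5($_POST['secretAnswer']);
    }
    // Needed for isReservedName() and registerMember().
    require_once $sourcedir . '/Subs-Members.php';
    // Validation... even if we're not a mall.
    if (isset($_POST['realName']) && (!empty($modSettings['allow_editDisplayName']) || allowedTo('moderate_forum'))) {
        // Collapse any whitespace run to a single space before checking.
        $_POST['realName'] = trim(preg_replace('~[\\s]~' . ($context['utf8'] ? 'u' : ''), ' ', $_POST['realName']));
        if (trim($_POST['realName']) != '' && !isReservedName($_POST['realName']) && $func['strlen']($_POST['realName']) <= 60) {
            $possible_strings[] = 'realName';
        }
    }
    // The MSN handle has to look like an e-mail address to be kept. This
    // used to append to an unused $profile_strings array, so MSN was never
    // saved; MSN is a member field like AIM/YIM, so it goes on the string list.
    if (isset($_POST['MSN']) && preg_match('~^[0-9A-Za-z=_+\\-/][0-9A-Za-z=_\'+\\-/\\.]*@[\\w\\-]+(\\.[\\w\\-]+)*(\\.[\\w]{2,6})$~', $_POST['MSN']) != 0) {
        $possible_strings[] = 'MSN';
    }
    // Handle a string as a birthdate...
    if (isset($_POST['birthdate']) && $_POST['birthdate'] != '') {
        // date() gives the same Y-m-d output as strftime('%Y-%m-%d'), which is deprecated since PHP 8.1.
        $_POST['birthdate'] = date('Y-m-d', strtotime($_POST['birthdate']));
    } elseif (!empty($_POST['bday1']) && !empty($_POST['bday2'])) {
        // bday1 = month, bday2 = day, bday3 = year (0 when not given).
        $_POST['birthdate'] = sprintf('%04d-%02d-%02d', empty($_POST['bday3']) ? 0 : (int) $_POST['bday3'], (int) $_POST['bday1'], (int) $_POST['bday2']);
    }
    // Validate the passed language file: it is only accepted when an
    // index.<name>.php exists in one of the theme language directories.
    $found = false;
    if (isset($_POST['lngfile']) && !empty($modSettings['userLanguage'])) {
        $language_directories = array($settings['default_theme_dir'] . '/languages', $settings['actual_theme_dir'] . '/languages');
        if (!empty($settings['base_theme_dir'])) {
            $language_directories[] = $settings['base_theme_dir'] . '/languages';
        }
        $language_directories = array_unique($language_directories);
        foreach ($language_directories as $language_dir) {
            if (!file_exists($language_dir)) {
                continue;
            }
            $dir = dir($language_dir);
            while ($entry = $dir->read()) {
                if (preg_match('~^index\\.(.+)\\.php$~', $entry, $matches) && $matches[1] == $_POST['lngfile']) {
                    // Got it!
                    $found = true;
                    $_SESSION['language'] = $_POST['lngfile'];
                    break 2;
                }
            }
            $dir->close();
        }
        if (empty($found)) {
            unset($_POST['lngfile']);
        }
    } else {
        unset($_POST['lngfile']);
    }
    // Set the options needed for registration.
    $regOptions = array(
        'interface' => 'guest',
        'username' => $_POST['user'],
        'email' => $_POST['email'],
        'password' => $_POST['passwrd1'],
        'password_check' => $_POST['passwrd2'],
        'check_reserved_name' => true,
        'check_password_strength' => true,
        'check_email_ban' => true,
        'send_welcome_email' => !empty($modSettings['send_welcomeEmail']),
        // Pending COPPA consent takes precedence; otherwise the registration
        // method decides (1 = e-mail activation, anything else = approval).
        'require' => (!empty($modSettings['coppaAge']) && !isset($_POST['skip_coppa'])) ? 'coppa' : (empty($modSettings['registration_method']) ? 'nothing' : ($modSettings['registration_method'] == 1 ? 'activation' : 'approval')),
        'extra_register_vars' => array(),
        'theme_vars' => array(),
    );
    // Include the additional options that might have been filled in.
    foreach ($possible_strings as $var) {
        if (isset($_POST[$var])) {
            // Wrapped in single quotes: presumably used as quoted literals downstream.
            $regOptions['extra_register_vars'][$var] = '\'' . $func['htmlspecialchars']($_POST[$var]) . '\'';
        }
    }
    foreach ($possible_ints as $var) {
        if (isset($_POST[$var])) {
            $regOptions['extra_register_vars'][$var] = (int) $_POST[$var];
        }
    }
    foreach ($possible_floats as $var) {
        if (isset($_POST[$var])) {
            $regOptions['extra_register_vars'][$var] = (double) $_POST[$var];
        }
    }
    foreach ($possible_bools as $var) {
        if (isset($_POST[$var])) {
            $regOptions['extra_register_vars'][$var] = empty($_POST[$var]) ? 0 : 1;
        }
    }
    // Registration options are always default options...
    if (isset($_POST['default_options'])) {
        $_POST['options'] = isset($_POST['options']) ? $_POST['options'] + $_POST['default_options'] : $_POST['default_options'];
    }
    $regOptions['theme_vars'] = isset($_POST['options']) && is_array($_POST['options']) ? htmlspecialchars__recursive($_POST['options']) : array();
    $memberID = registerMember($regOptions);
    // If COPPA has been selected then things get complicated, setup the template.
    if (!empty($modSettings['coppaAge']) && !isset($_POST['skip_coppa'])) {
        redirectexit('action=coppa;member=' . $memberID);
    } elseif (!empty($modSettings['registration_method'])) {
        loadTemplate('Register');
        $context += array('page_title' => &$txt[97], 'sub_template' => 'after', 'description' => $modSettings['registration_method'] == 2 ? $txt['approval_after_registration'] : $txt['activate_after_registration']);
    } else {
        // No activation needed: log them straight in. The cookie carries
        // sha1(sha1(lowercased username . password) . salt); the salt is
        // taken with its first and last character removed, presumably
        // because register_vars holds it as a quoted literal.
        setLoginCookie(60 * $modSettings['cookieTime'], $memberID, sha1(sha1(strtolower($regOptions['username']) . $regOptions['password']) . substr($regOptions['register_vars']['passwordSalt'], 1, -1)));
        redirectexit('action=login2;sa=check;member=' . $memberID, $context['server']['needs_login_fix']);
    }
}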
 /**
  * Logs a Facebook-linked member into the forum.
  *
  * Resolves the member id, password hash and salt tied to the Facebook id
  * through $fb_hook_object->face_USettings(), sets the forum login cookie
  * with a fixed six-year lifetime (the global cookieTime is overwritten for
  * this request), sets a "pwdone" cookie telling whether the member already
  * has a Facebook-generated password, and redirects to the configured log
  * URL or to the URL saved in $_SESSION['login_url'].
  */
 public function fb_log()
 {
     global $fb_hook_object, $smcFunc, $fb_object, $user_info, $scripturl, $modSettings, $sourcedir;
     $memberId = $fb_hook_object->face_USettings($fb_object->user_info_fbid, 'id_member', 'fbid');
     $passwordHash = $fb_hook_object->face_USettings($memberId, 'passwd', 'id_member');
     $passwordSalt = $fb_hook_object->face_USettings($memberId, 'password_salt', 'id_member');
     // Minutes; multiplied by 60 below, i.e. roughly six years.
     $modSettings['cookieTime'] = 3153600;
     require_once $sourcedir . '/Subs-Auth.php';
     include_once $sourcedir . '/LogInOut.php';
     setLoginCookie(60 * $modSettings['cookieTime'], $memberId, sha1($passwordHash . $passwordSalt));
     // Front-end flag: 1 when a Facebook password exists for the account.
     // NOTE(review): set with the two-argument form, so no path/secure/httponly attributes.
     $fbPassword = $fb_hook_object->face_USettings($memberId, 'fbpw', 'id_member');
     setcookie("pwdone", empty($fbPassword) ? 1 : 0);
     // The admin-configured landing URL wins; otherwise go back to the page
     // saved before login (consumed here), or to the script URL.
     $fallback = $fb_hook_object->scripturl;
     if (!empty($_SESSION['login_url'])) {
         $fallback = $_SESSION['login_url'];
         unset($_SESSION['login_url']);
     }
     $target = !empty($fb_hook_object->modSettings['fb_log_url']) ? $fb_hook_object->modSettings['fb_log_url'] : $fallback;
     header('Location: ' . $target);
 }
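<?php

include_once "db.php";
include_once "dertyn.php";
// Only treat the request as a login attempt when the form was submitted;
// reading $_POST['checksubmit'] unconditionally raises a notice on GET.
$submitted = !empty($_POST['checksubmit']);
$logincheck = null;
$user = '';
if ($submitted) {
    $user = isset($_POST['user']) ? $_POST['user'] : '';
    $pass = isset($_POST['pass']) ? $_POST['pass'] : '';
    // checkLogin() signals success with 0.
    $logincheck = checkLogin($user, $pass);
    if ($logincheck == 0) {
        setLoginCookie($user);
        header("Location: {$siteurl}");
    }
}
include_once "header.php";
echo "<p>\n";
if (!$submitted) {
    showLoginform();
} else {
    if ($logincheck == 0) {
        // $user is request input: escape it before echoing into HTML.
        $safeUser = htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
        echo "thanks for logging in {$safeUser}!<br /><b>return to <a href='{$siteurl}'>{$sitename}</a></b>.";
    } else {
        // Log the attempted username; the page itself stays generic.
        $errmsg = $user;
        echo "login failed.  try again.";
        logerr($errmsg, "login");
    }
}
echo "</p>\n";
?>

<?php 
include_once "footer.php";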
/**
 * Logs the current member out.
 *
 * Unless called internally, the session hash must be present in the GET
 * request (checkSession('get')) so that an image or script tag cannot
 * trigger a logout. Clears the package-FTP session data, calls the
 * integrate_logout hook and removes the member's log_online row when they
 * are not a guest, resets the session login time, expires the login cookie
 * for member 0 and finally redirects to $_SESSION['logout_url'] (consumed)
 * or to the board index.
 *
 * @param bool $internal when true, the session check is skipped
 */
function Logout($internal = false)
{
    global $db_prefix, $sourcedir, $ID_MEMBER, $user_info, $user_settings, $context, $modSettings;
    // An automatic request must not be able to log someone out.
    if (!$internal) {
        checkSession('get');
    }
    require_once $sourcedir . '/Subs-Auth.php';
    if (isset($_SESSION['pack_ftp'])) {
        $_SESSION['pack_ftp'] = null;
    }
    $isMember = !$user_info['is_guest'];
    if ($isMember) {
        // Let an integration know (callback name taken from the settings).
        if (isset($modSettings['integrate_logout']) && function_exists($modSettings['integrate_logout'])) {
            call_user_func($modSettings['integrate_logout'], $user_settings['memberName']);
        }
        // A logged-out member is no longer online.
        db_query("\n\t\t\tDELETE FROM {$db_prefix}log_online\n\t\t\tWHERE ID_MEMBER = {$ID_MEMBER}\n\t\t\tLIMIT 1", __FILE__, __LINE__);
    }
    $_SESSION['log_time'] = 0;
    // Expire the cookie: negative lifetime, member id 0.
    setLoginCookie(-3600, 0);
    // Board index unless a logout URL was stored; the stored one is used once.
    $destination = '';
    if (!empty($_SESSION['logout_url'])) {
        $destination = $_SESSION['logout_url'];
        unset($_SESSION['logout_url']);
    }
    redirectexit($destination, $context['server']['needs_login_fix']);
}
/**
 * Logs in the member linked to the Google+ id held in the session.
 *
 * Copies $_SESSION['gplus']['idm'] to ['id'], fails with gp__app_error3 when
 * it is empty, loads the member record by Google+ id, sets the login cookie
 * with a fixed six-year lifetime (the global cookieTime is overwritten for
 * this request), clears the Google+ session data and redirects to the
 * custom log URL or the script URL.
 */
function gplus_connectlog()
{
    global $scripturl, $modSettings, $sourcedir;
    $gplusId = $_SESSION['gplus']['idm'];
    $_SESSION['gplus']['id'] = $gplusId;
    if (empty($gplusId)) {
        fatal_lang_error('gp__app_error3', false);
    }
    $member = gplus_loadUser($gplusId, 'gpid');
    // Minutes; multiplied by 60 below, i.e. roughly six years.
    $modSettings['cookieTime'] = 3153600;
    require_once $sourcedir . '/Subs-Auth.php';
    include_once $sourcedir . '/LogInOut.php';
    setLoginCookie(60 * $modSettings['cookieTime'], $member['id_member'], sha1($member['passwd'] . $member['password_salt']));
    // The Google+ handshake data is no longer needed once logged in.
    unset($_SESSION['gplus']['id'], $_SESSION['gplus']['name'], $_SESSION['gplusdata']);
    $landingUrl = $scripturl;
    if (!empty($modSettings['gp_app_custon_logurl'])) {
        $landingUrl = $modSettings['gp_app_custon_logurl'];
    }
    redirectexit($landingUrl);
}
    /**
     * Modify cookies settings.
     *
     * This method handles the display, allows to edit, and saves the result
     * for the _cookieSettings form.
     *
     * On save: local and global cookies are mutually exclusive, a global
     * cookie domain has to occur inside $boardurl, and when the cookie name
     * changes the old login cookie is expired and a fresh one is issued under
     * the new name before redirecting, so the admin is not logged out by the
     * rename. Without a save the form is prepared for display.
     */
    public function action_cookieSettings_display()
    {
        global $context, $scripturl, $txt, $modSettings, $cookiename, $user_settings, $boardurl;
        // Initialize the form
        $this->_initCookieSettingsForm();
        $context['post_url'] = $scripturl . '?action=admin;area=serversettings;sa=cookie;save';
        $context['settings_title'] = $txt['cookies_sessions_settings'];
        // Saving settings?
        if (isset($_REQUEST['save'])) {
            call_integration_hook('integrate_save_cookie_settings');
            // Its either local or global cookies
            if (!empty($_POST['localCookies']) && empty($_POST['globalCookies'])) {
                unset($_POST['globalCookies']);
            }
            // NOTE(review): strpos() is a plain substring test, so any string
            // that merely appears somewhere in $boardurl passes this check.
            if (!empty($_POST['globalCookiesDomain']) && strpos($boardurl, $_POST['globalCookiesDomain']) === false) {
                fatal_lang_error('invalid_cookie_domain', false);
            }
            //Settings_Form::save_db($config_vars);
            $this->_cookieSettingsForm->save();
            // If the cookie name was changed, reset the cookie.
            // $cookiename is the global holding the current name; the POST value is the one just saved.
            if ($cookiename != $_POST['cookiename']) {
                require_once SUBSDIR . '/Auth.subs.php';
                $original_session_id = $context['session_id'];
                // Remove the old cookie, nom nom nom
                setLoginCookie(-3600, 0);
                // Set the new one.
                $cookiename = $_POST['cookiename'];
                // Cookie value is sha256 of the stored password hash concatenated with the salt.
                setLoginCookie(60 * $modSettings['cookieTime'], $user_settings['id_member'], hash('sha256', $user_settings['passwd'] . $user_settings['password_salt']));
                // Carry the pre-rename session id in the URL so the redirect target still validates.
                redirectexit('action=admin;area=serversettings;sa=cookie;' . $context['session_var'] . '=' . $original_session_id, $context['server']['needs_login_fix']);
            }
            redirectexit('action=admin;area=serversettings;sa=cookie;' . $context['session_var'] . '=' . $context['session_id'] . ';msg=' . (!empty($context['settings_message']) ? $context['settings_message'] : 'core_settings_saved'));
        }
        // Client side: presumably toggles the global-cookie inputs depending on which radio is selected.
        addInlineJavascript('
		// Initial state
		hideGlobalCookies();

		// Update when clicked
		$("#localCookies, #globalCookies").click(function() {
			hideGlobalCookies();
		});', true);
        // Fill the config array.
        $this->_cookieSettingsForm->prepare_file();
    }
/**
 * Logs the current member out without redirecting (API-style logout).
 *
 * Clears the package-FTP session data, calls the integrate_logout hook and
 * removes the member's log_online row when they are not a guest, resets the
 * session login time and expires the login cookie for member 0. Unlike the
 * web logout there is no session check and no redirect here.
 */
function method_logout_user()
{
    global $context, $mobdb, $mobsettings, $modSettings, $user_info, $sourcedir, $ID_MEMBER, $user_settings;
    require_once $sourcedir . '/Subs-Auth.php';
    if (isset($_SESSION['pack_ftp'])) {
        $_SESSION['pack_ftp'] = null;
    }
    $isMember = !$user_info['is_guest'];
    if ($isMember) {
        // Let an integration know (callback name taken from the settings).
        if (isset($modSettings['integrate_logout']) && function_exists($modSettings['integrate_logout'])) {
            call_user_func($modSettings['integrate_logout'], $user_settings['memberName']);
        }
        // A logged-out member is no longer online.
        $mobdb->query("\n            DELETE FROM {db_prefix}log_online\n            WHERE ID_MEMBER = {int:current_member}\n            LIMIT 1", array('current_member' => $ID_MEMBER));
    }
    $_SESSION['log_time'] = 0;
    // Expire the cookie: negative lifetime, member id 0.
    setLoginCookie(-3600, 0);
}
/**
 * Saves a profile edit submitted from one of the profile sub-action forms.
 *
 * The sub-action in $_REQUEST['sa'] is looked up in $sa_allowed to find the
 * permissions needed for editing one's own vs. another member's profile, the
 * session check method and whether the current password must be re-entered.
 * After cleaning $_POST, loading the target member, checking permissions and
 * (for owners) the password, it dispatches to deleteAccount2() or
 * saveProfileChanges(), writes the collected $profile_vars with
 * updateMemberData(), refreshes statistics, and then either re-shows the
 * form with errors, logs the member out pending e-mail re-activation, or
 * logs the owner back in with the new password and redirects.
 *
 * $newpassemail and $validationCode are globals, presumably filled in by the
 * sub-action functions, that drive the re-activation e-mail at the end.
 */
function ModifyProfile2()
{
    global $txt, $modSettings;
    global $cookiename, $context;
    global $sourcedir, $scripturl, $db_prefix;
    global $ID_MEMBER, $user_info;
    global $context, $newpassemail, $user_profile, $validationCode;
    loadLanguage('Profile');
    /* Set allowed sub-actions.

       The format of $sa_allowed is as follows:

       $sa_allowed = array(
           'sub-action' => array(permission_array_for_editing_OWN_profile, permission_array_for_editing_ANY_profile, session_validation_method[, require_password]),
           ...
       );
    */
    $sa_allowed = array('account' => array(array('manage_membergroups', 'profile_identity_any', 'profile_identity_own'), array('manage_membergroups', 'profile_identity_any'), 'post', true), 'forumProfile' => array(array('profile_extra_any', 'profile_extra_own'), array('profile_extra_any'), 'post'), 'theme' => array(array('profile_extra_any', 'profile_extra_own'), array('profile_extra_any'), 'post'), 'notification' => array(array('profile_extra_any', 'profile_extra_own'), array('profile_extra_any'), 'post'), 'pmprefs' => array(array('profile_extra_any', 'profile_extra_own'), array('profile_extra_any'), 'post'), 'deleteAccount' => array(array('profile_remove_any', 'profile_remove_own'), array('profile_remove_any'), 'post', true), 'activateAccount' => array(array(), array('moderate_forum'), 'get'));
    // Is the current sub-action allowed?
    if (empty($_REQUEST['sa']) || !isset($sa_allowed[$_REQUEST['sa']])) {
        fatal_lang_error(453, false);
    }
    // Index 2 is the session validation method ('post' or 'get') for this sub-action.
    checkSession($sa_allowed[$_REQUEST['sa']][2]);
    // Start with no updates and no errors.
    $profile_vars = array();
    $post_errors = array();
    // Normally, don't send an email.
    $newpassemail = false;
    // Clean up the POST variables: trim, strip slashes, HTML-escape, then
    // re-add slashes (presumably for the string-built queries used in this file).
    $_POST = htmltrim__recursive($_POST);
    $_POST = stripslashes__recursive($_POST);
    $_POST = htmlspecialchars__recursive($_POST);
    $_POST = addslashes__recursive($_POST);
    // Search for the member being edited and put the information in $user_profile.
    $memberResult = loadMemberData((int) $_REQUEST['userID'], false, 'profile');
    if (!is_array($memberResult)) {
        fatal_lang_error(453, false);
    }
    list($memID) = $memberResult;
    // Are you modifying your own, or someone else's?
    if ($ID_MEMBER == $memID) {
        $context['user']['is_owner'] = true;
    } else {
        $context['user']['is_owner'] = false;
        validateSession();
    }
    // Check profile editing permissions (index 0 = own profile, 1 = any profile).
    isAllowedTo($sa_allowed[$_REQUEST['sa']][$context['user']['is_owner'] ? 0 : 1]);
    // If this is yours, check the password (index 3 = password required).
    if ($context['user']['is_owner'] && !empty($sa_allowed[$_REQUEST['sa']][3])) {
        // You didn't even enter a password!
        if (trim($_POST['oldpasswrd']) == '') {
            $post_errors[] = 'no_password';
        }
        // Since the password got modified due to all the $_POST cleaning, lets undo it so we can get the correct password
        $_POST['oldpasswrd'] = addslashes(un_htmlspecialchars(stripslashes($_POST['oldpasswrd'])));
        // Does the integration want to check passwords?
        $good_password = false;
        if (isset($modSettings['integrate_verify_password']) && function_exists($modSettings['integrate_verify_password'])) {
            if (call_user_func($modSettings['integrate_verify_password'], $user_profile[$memID]['memberName'], $_POST['oldpasswrd'], false) === true) {
                $good_password = true;
            }
        }
        // Bad password!!!
        // NOTE(review): loose != on the legacy sha1(lowercased name . password)
        // hash; a plain string compare leaks timing, hash_equals() would not.
        if (!$good_password && $user_info['passwd'] != sha1(strtolower($user_profile[$memID]['memberName']) . $_POST['oldpasswrd'])) {
            $post_errors[] = 'bad_password';
        }
    }
    // No need for the sub action array.
    unset($sa_allowed);
    // If the user is an admin - see if they are resetting someones username.
    if ($user_info['is_admin'] && isset($_POST['memberName'])) {
        // We'll need this...
        require_once $sourcedir . '/Subs-Auth.php';
        // Do the reset... this will send them an email too.
        resetPassword($memID, $_POST['memberName']);
    }
    // Change the IP address in the database.
    if ($context['user']['is_owner']) {
        $profile_vars['memberIP'] = "'{$user_info['ip']}'";
    }
    // Now call the sub-action function...
    // NOTE(review): this reads $_POST['sa'] while the checks above used $_REQUEST['sa'].
    if (isset($_POST['sa']) && $_POST['sa'] == 'deleteAccount') {
        deleteAccount2($profile_vars, $post_errors, $memID);
        if (empty($post_errors)) {
            redirectexit();
        }
    } else {
        saveProfileChanges($profile_vars, $post_errors, $memID);
    }
    // There was a problem, let them try to re-enter.
    if (!empty($post_errors)) {
        // Load the language file so we can give a nice explanation of the errors.
        loadLanguage('Errors');
        $context['post_errors'] = $post_errors;
        $_REQUEST['sa'] = $_POST['sa'];
        $_REQUEST['u'] = $memID;
        return ModifyProfile($post_errors);
    }
    if (!empty($profile_vars)) {
        // If we've changed the password, notify any integration that may be listening in.
        if (isset($profile_vars['passwd']) && isset($modSettings['integrate_reset_pass']) && function_exists($modSettings['integrate_reset_pass'])) {
            call_user_func($modSettings['integrate_reset_pass'], $user_profile[$memID]['memberName'], $user_profile[$memID]['memberName'], $_POST['passwrd1']);
        }
        updateMemberData($memID, $profile_vars);
    }
    // What if this is the newest member?
    if ($modSettings['latestMember'] == $memID) {
        updateStats('member');
    } elseif (isset($profile_vars['realName'])) {
        updateSettings(array('memberlist_updated' => time()));
    }
    // If the member changed his/her birthdate, update calendar statistics.
    if (isset($profile_vars['birthdate']) || isset($profile_vars['realName'])) {
        updateStats('calendar');
    }
    // Send an email?
    if ($newpassemail) {
        require_once $sourcedir . '/Subs-Post.php';
        // Send off the email.
        sendmail($_POST['emailAddress'], $txt['activate_reactivate_title'] . ' ' . $context['forum_name'], "{$txt['activate_reactivate_mail']}\n\n" . "{$scripturl}?action=activate;u={$memID};code={$validationCode}\n\n" . "{$txt['activate_code']}: {$validationCode}\n\n" . $txt[130]);
        // Log the user out: drop the online row, reset the session login
        // time, and blank the login cookie in the session and request.
        db_query("\n\t\t\tDELETE FROM {$db_prefix}log_online\n\t\t\tWHERE ID_MEMBER = {$memID}", __FILE__, __LINE__);
        $_SESSION['log_time'] = 0;
        // Serialized triple, presumably (id_member, password hash, expiry); 0/''/0 is a guest.
        $_SESSION['login_' . $cookiename] = serialize(array(0, '', 0));
        if (isset($_COOKIE[$cookiename])) {
            $_COOKIE[$cookiename] = '';
        }
        loadUserSettings();
        $context['user']['is_logged'] = false;
        $context['user']['is_guest'] = true;
        // Send them to the done-with-registration-login screen.
        loadTemplate('Register');
        $context += array('page_title' => &$txt[79], 'sub_template' => 'after', 'description' => &$txt['activate_changed_email']);
        return;
    } elseif ($context['user']['is_owner']) {
        // Log them back in.
        if (isset($_POST['passwrd1']) && $_POST['passwrd1'] != '') {
            require_once $sourcedir . '/Subs-Auth.php';
            // Re-issue the login cookie from the new password (un-escaped
            // first) hashed with the lowercased name and the member's salt.
            setLoginCookie(60 * $modSettings['cookieTime'], $memID, sha1(sha1(strtolower($user_profile[$memID]['memberName']) . un_htmlspecialchars(stripslashes($_POST['passwrd1']))) . $user_profile[$memID]['passwordSalt']));
        }
        loadUserSettings();
        writeLog();
    }
    // Back to same subaction page.. (second argument: apply the login fix
    // after a password change, or for IE when an attachment was uploaded).
    redirectexit('action=profile;u=' . $memID . ';sa=' . $_REQUEST['sa'], isset($_POST['passwrd1']) && $context['server']['needs_login_fix'] || $context['browser']['is_ie'] && isset($_FILES['attachment']));
}
 /**
  * Logs the current user out of their account.
  *
  * What it does:
  * - Unless $internal is true, requires the session hash in the GET request
  *   so that an image or script tag cannot log the user out.
  * - Drops the package-FTP, OpenID and first-login session state, runs the
  *   integrate_logout hook and marks the member offline when they are not a
  *   guest, and clears the admin/moderate session timestamps (plus any added
  *   through integrate_validateSession).
  * - Sets the login cookie in the past for member 0, destroys the session
  *   and rotates the member's password_salt so outstanding cookies no longer
  *   validate.
  * - When $redirect is true, sends the member to $_SESSION['logout_url'] if
  *   it is an absolute http(s) URL, otherwise to the board index.
  * - It is accessed via ?action=logout;session_var=...
  *
  * @param boolean $internal if true, it doesn't check the session
  * @param boolean $redirect if false, no redirect is issued after logging out
  */
 public function action_logout($internal = false, $redirect = true)
 {
     global $user_info, $user_settings, $context;
     // An automatic request must not be able to log someone out.
     if (!$internal) {
         checkSession('get');
     }
     require_once SUBSDIR . '/Auth.subs.php';
     if (isset($_SESSION['pack_ftp'])) {
         $_SESSION['pack_ftp'] = null;
     }
     // OpenID verification and the first-login marker end with the session.
     unset($_SESSION['openid'], $_SESSION['first_login']);
     $isMember = !$user_info['is_guest'];
     if ($isMember) {
         // Pass the logout information to integrations.
         call_integration_hook('integrate_logout', array($user_settings['member_name']));
         // A logged-out member is no longer online.
         logOnline($user_info['id'], false);
     }
     // Kill the elevated (admin/moderate/...) session timestamps as well.
     $types = array('admin', 'moderate');
     call_integration_hook('integrate_validateSession', array(&$types));
     foreach ($types as $type) {
         unset($_SESSION[$type . '_time']);
     }
     $_SESSION['log_time'] = 0;
     // Expire the cookie: negative lifetime, member id 0.
     setLoginCookie(-3600, 0);
     session_destroy();
     if (!empty($user_info['id'])) {
         // A new 4-hex-char salt invalidates cookies that still carry the old hash.
         // NOTE(review): mt_rand() is not a cryptographic source.
         updateMemberData($user_info['id'], array('password_salt' => substr(md5(mt_rand()), 0, 4)));
     }
     // Off to the merry board index we go!
     if ($redirect) {
         if (empty($_SESSION['logout_url'])) {
             redirectexit('', $context['server']['needs_login_fix']);
         } else {
             $logoutUrl = $_SESSION['logout_url'];
             unset($_SESSION['logout_url']);
             // Only absolute http(s) URLs are honoured; anything else goes to the index.
             $isAbsolute = substr($logoutUrl, 0, 7) === 'http://' || substr($logoutUrl, 0, 8) === 'https://';
             if ($isAbsolute) {
                 redirectexit($logoutUrl, $context['server']['needs_login_fix']);
             } else {
                 redirectexit();
             }
         }
     }
 }
/**
 * Second step of guest registration: validates the submitted form, builds the
 * $regOptions array and hands it to registerMember().
 *
 * @param bool $verifiedOpenID true when the user has already completed OpenID
 *        verification and the saved form fields are replayed from
 *        $context['openid_save_fields']; skips agreement/session/COPPA/captcha
 *        checks in that case.
 * @return mixed Falls through to Register($reg_errors) on validation failure;
 *         otherwise redirects (redirectexit) or sets up the 'after' template.
 *
 * NOTE(review): this function is a site-customised SMF Register2 (the blocks
 * marked "xxx" are not stock SMF). Points worth attention are flagged inline.
 */
function Register2($verifiedOpenID = false)
{
    global $scripturl, $txt, $modSettings, $context, $sourcedir;
    global $user_info, $options, $settings, $smcFunc;
    // Start collecting together any errors.
    $reg_errors = array();
    // Did we save some open ID fields? Replay them into $_POST so the rest of
    // the function sees the same input as a normal form submission.
    if ($verifiedOpenID && !empty($context['openid_save_fields'])) {
        foreach ($context['openid_save_fields'] as $id => $value) {
            $_POST[$id] = $value;
        }
    }
    // You can't register if it's disabled.
    if (!empty($modSettings['registration_method']) && $modSettings['registration_method'] == 3) {
        fatal_lang_error('registration_disabled', false);
    }
    // Things we don't do for people who have already confirmed their OpenID allegances via register.
    if (!$verifiedOpenID) {
        // Well, if you don't agree, you can't register.
        if (!empty($modSettings['requireAgreement']) && empty($_SESSION['registration_agreed'])) {
            redirectexit();
        }
        // Make sure they came from *somewhere*, have a session.
        if (!isset($_SESSION['old_url'])) {
            redirectexit('action=register');
        }
        // Are they under age, and under age users are banned?
        if (!empty($modSettings['coppaAge']) && empty($modSettings['coppaType']) && empty($_SESSION['skip_coppa'])) {
            // !!! This should be put in Errors, imho.
            loadLanguage('Login');
            fatal_lang_error('under_age_registration_prohibited', false, array($modSettings['coppaAge']));
        }
        // Check whether the visual verification code was entered correctly.
        if (!empty($modSettings['reg_verification'])) {
            require_once $sourcedir . '/Subs-Editor.php';
            $verificationOptions = array('id' => 'register');
            $context['visual_verification'] = create_control_verification($verificationOptions, true);
            if (is_array($context['visual_verification'])) {
                loadLanguage('Errors');
                foreach ($context['visual_verification'] as $error) {
                    $reg_errors[] = $txt['error_' . $error];
                }
            }
        }
    }
    // Strip CR/LF and trim every scalar POST value. Array values (e.g.
    // $_POST['customfield'], $_POST['options']) are deliberately skipped here
    // and are cleaned individually further down.
    foreach ($_POST as $key => $value) {
        if (!is_array($_POST[$key])) {
            $_POST[$key] = htmltrim__recursive(str_replace(array("\n", "\r"), '', $_POST[$key]));
        }
    }
    // Collect all extra registration fields someone might have filled in.
    $possible_strings = array('website_url', 'website_title', 'aim', 'yim', 'skype', 'gtalk', 'location', 'birthdate', 'time_format', 'buddy_list', 'pm_ignore_list', 'smiley_set', 'signature', 'personal_text', 'avatar', 'lngfile', 'secret_question', 'secret_answer');
    $possible_ints = array('pm_email_notify', 'notify_types', 'icq', 'gender', 'id_theme');
    $possible_floats = array('time_offset');
    $possible_bools = array('notify_announcements', 'notify_regularity', 'notify_send_body', 'hide_email', 'show_online');
    // NOTE(review): the secret answer is stored as an unsalted md5 — cheap to
    // brute-force offline if the members table leaks. Legacy SMF scheme; a
    // salted/slow hash would be preferable but the reader side must agree.
    if (isset($_POST['secret_answer']) && $_POST['secret_answer'] != '') {
        $_POST['secret_answer'] = md5($_POST['secret_answer']);
    }
    // Needed for isReservedName() and registerMember().
    require_once $sourcedir . '/Subs-Members.php';
    // Validation... even if we're not a mall.
    // Display name: collapse whitespace/control characters (charset-dependent
    // class), then only accept it if non-empty, not reserved and < 60 chars.
    if (isset($_POST['real_name']) && (!empty($modSettings['allow_editDisplayName']) || allowedTo('moderate_forum'))) {
        $_POST['real_name'] = trim(preg_replace('~[\\t\\n\\r \\x0B\\0' . ($context['utf8'] ? $context['server']['complex_preg_chars'] ? '\\x{A0}\\x{AD}\\x{2000}-\\x{200F}\\x{201F}\\x{202F}\\x{3000}\\x{FEFF}' : " ­ -‏‟ ‟ " : '\\x00-\\x08\\x0B\\x0C\\x0E-\\x19\\xA0') . ']+~' . ($context['utf8'] ? 'u' : ''), ' ', $_POST['real_name']));
        if (trim($_POST['real_name']) != '' && !isReservedName($_POST['real_name']) && $smcFunc['strlen']($_POST['real_name']) < 60) {
            $possible_strings[] = 'real_name';
        }
    }
    // NOTE(review): $profile_strings is written here but never read in this
    // function — every other optional field is appended to $possible_strings,
    // so a validated 'msn' value is silently dropped. Looks like a typo for
    // $possible_strings.
    if (isset($_POST['msn']) && preg_match('~^[0-9A-Za-z=_+\\-/][0-9A-Za-z=_\'+\\-/\\.]*@[\\w\\-]+(\\.[\\w\\-]+)*(\\.[\\w]{2,6})$~', $_POST['msn']) != 0) {
        $profile_strings[] = 'msn';
    }
    // Handle a string as a birthdate...
    // NOTE(review): strtotime() returns false for unparsable input, which
    // strftime() then formats as the epoch date rather than rejecting it.
    if (isset($_POST['birthdate']) && $_POST['birthdate'] != '') {
        $_POST['birthdate'] = strftime('%Y-%m-%d', strtotime($_POST['birthdate']));
    } elseif (!empty($_POST['bday1']) && !empty($_POST['bday2'])) {
        $_POST['birthdate'] = sprintf('%04d-%02d-%02d', empty($_POST['bday3']) ? 0 : (int) $_POST['bday3'], (int) $_POST['bday1'], (int) $_POST['bday2']);
    }
    // By default assume email is hidden, only show it if we tell it to.
    $_POST['hide_email'] = !empty($_POST['allow_email']) ? 0 : 1;
    // Validate the passed language file against the known language list so an
    // arbitrary string cannot end up as a language file name.
    if (isset($_POST['lngfile']) && !empty($modSettings['userLanguage'])) {
        // Do we have any languages?
        if (empty($context['languages'])) {
            getLanguages();
        }
        // Did we find it?
        if (isset($context['languages'][$_POST['lngfile']])) {
            $_SESSION['language'] = $_POST['lngfile'];
        } else {
            unset($_POST['lngfile']);
        }
    } else {
        unset($_POST['lngfile']);
    }
    // Some of these fields we may not want.
    if (!empty($modSettings['registration_fields'])) {
        // But we might want some of them if the admin asks for them.
        $standard_fields = array('icq', 'msn', 'aim', 'yim', 'location', 'gender');
        $reg_fields = explode(',', $modSettings['registration_fields']);
        $exclude_fields = array_diff($standard_fields, $reg_fields);
        // Website is a little different
        if (!in_array('website', $reg_fields)) {
            $exclude_fields = array_merge($exclude_fields, array('website_url', 'website_title'));
        }
        // We used to accept signature on registration but it's being abused by spammers these days, so no more.
        $exclude_fields[] = 'signature';
    } else {
        $exclude_fields = array('signature', 'icq', 'msn', 'aim', 'yim', 'location', 'gender', 'website_url', 'website_title');
    }
    $possible_strings = array_diff($possible_strings, $exclude_fields);
    $possible_ints = array_diff($possible_ints, $exclude_fields);
    $possible_floats = array_diff($possible_floats, $exclude_fields);
    $possible_bools = array_diff($possible_bools, $exclude_fields);
    // Set the options needed for registration. 'require' selects coppa,
    // nothing, activation or approval depending on settings.
    $regOptions = array('interface' => 'guest', 'username' => !empty($_POST['user']) ? $_POST['user'] : '', 'email' => !empty($_POST['email']) ? $_POST['email'] : '', 'password' => !empty($_POST['passwrd1']) ? $_POST['passwrd1'] : '', 'password_check' => !empty($_POST['passwrd2']) ? $_POST['passwrd2'] : '', 'openid' => !empty($_POST['openid_identifier']) ? $_POST['openid_identifier'] : '', 'auth_method' => !empty($_POST['authenticate']) ? $_POST['authenticate'] : '', 'check_reserved_name' => true, 'check_password_strength' => true, 'check_email_ban' => true, 'send_welcome_email' => !empty($modSettings['send_welcomeEmail']), 'require' => !empty($modSettings['coppaAge']) && !$verifiedOpenID && empty($_SESSION['skip_coppa']) ? 'coppa' : (empty($modSettings['registration_method']) ? 'nothing' : ($modSettings['registration_method'] == 1 ? 'activation' : 'approval')), 'extra_register_vars' => array(), 'theme_vars' => array());
    // Include the additional options that might have been filled in, coerced
    // per type: strings are HTML-escaped, ints/floats cast, bools forced to 0/1.
    foreach ($possible_strings as $var) {
        if (isset($_POST[$var])) {
            $regOptions['extra_register_vars'][$var] = $smcFunc['htmlspecialchars']($_POST[$var], ENT_QUOTES);
        }
    }
    foreach ($possible_ints as $var) {
        if (isset($_POST[$var])) {
            $regOptions['extra_register_vars'][$var] = (int) $_POST[$var];
        }
    }
    foreach ($possible_floats as $var) {
        if (isset($_POST[$var])) {
            $regOptions['extra_register_vars'][$var] = (double) $_POST[$var];
        }
    }
    foreach ($possible_bools as $var) {
        if (isset($_POST[$var])) {
            $regOptions['extra_register_vars'][$var] = empty($_POST[$var]) ? 0 : 1;
        }
    }
    // Registration options are always default options...
    if (isset($_POST['default_options'])) {
        $_POST['options'] = isset($_POST['options']) ? $_POST['options'] + $_POST['default_options'] : $_POST['default_options'];
    }
    $regOptions['theme_vars'] = isset($_POST['options']) && is_array($_POST['options']) ? $_POST['options'] : array();
    // Make sure they are clean, dammit!
    $regOptions['theme_vars'] = htmlspecialchars__recursive($regOptions['theme_vars']);
    // If Quick Reply hasn't been set then set it to be shown but collapsed.
    if (!isset($regOptions['theme_vars']['display_quick_reply'])) {
        $regOptions['theme_vars']['display_quick_reply'] = 1;
    }
    // Check whether we have fields that simply MUST be displayed?
    $request = $smcFunc['db_query']('', '
		SELECT col_name, field_name, field_type, field_length, mask, show_reg
		FROM {db_prefix}custom_fields
		WHERE active = {int:is_active}', array('is_active' => 1));
    $custom_field_errors = array();
    while ($row = $smcFunc['db_fetch_assoc']($request)) {
        // Don't allow overriding of the theme variables: a user-supplied
        // options[] key that collides with a custom field column is discarded.
        if (isset($regOptions['theme_vars'][$row['col_name']])) {
            unset($regOptions['theme_vars'][$row['col_name']]);
        }
        // Not actually showing it then?
        if (!$row['show_reg']) {
            continue;
        }
        // Prepare the value! Note this comes from the customfield[] array,
        // which the CR/LF-stripping loop above did not touch.
        $value = isset($_POST['customfield'][$row['col_name']]) ? trim($_POST['customfield'][$row['col_name']]) : '';
        // We only care for text fields as the others are valid to be empty.
        if (!in_array($row['field_type'], array('check', 'select', 'radio'))) {
            // Is it too long?
            if ($row['field_length'] && $row['field_length'] < $smcFunc['strlen']($value)) {
                $custom_field_errors[] = array('custom_field_too_long', array($row['field_name'], $row['field_length']));
            }
            // Any masks to apply? 'regex' masks are admin-defined patterns
            // applied directly with preg_match.
            if ($row['field_type'] == 'text' && !empty($row['mask']) && $row['mask'] != 'none') {
                //!!! We never error on this - just ignore it at the moment...
                if ($row['mask'] == 'email' && (preg_match('~^[0-9A-Za-z=_+\\-/][0-9A-Za-z=_\'+\\-/\\.]*@[\\w\\-]+(\\.[\\w\\-]+)*(\\.[\\w]{2,6})$~', $value) === 0 || strlen($value) > 255)) {
                    $custom_field_errors[] = array('custom_field_invalid_email', array($row['field_name']));
                } elseif ($row['mask'] == 'number' && preg_match('~[^\\d]~', $value)) {
                    $custom_field_errors[] = array('custom_field_not_number', array($row['field_name']));
                } elseif (substr($row['mask'], 0, 5) == 'regex' && trim($value) != '' && preg_match(substr($row['mask'], 5), $value) === 0) {
                    $custom_field_errors[] = array('custom_field_inproper_format', array($row['field_name']));
                }
            }
        }
        // xxx if we are editing our minecraft name, make sure there are no duplicates
        // Site-specific uniqueness check for the Minecraft / RSC name fields.
        // Both queries use {string:}/{int:} placeholders, so $value is
        // parameterised rather than interpolated.
        if (($row['col_name'] == "cust_minecra" || $row['col_name'] == "cust_rscnam") && $value != '') {
            $already_taken_memID = -1;
            $already_taken_memName = 'This user';
            // first check the custom names
            $mc_request = $smcFunc['db_query']('', '
						SELECT `id_member`
						FROM `{db_prefix}themes`
						WHERE `variable` = {string:col_name}
							AND `value` = {string:value}', array('col_name' => $row['col_name'], 'value' => strtolower($value)));
            if ($mc_row = $smcFunc['db_fetch_assoc']($mc_request)) {
                $already_taken_memID = $mc_row['id_member'];
            }
            $smcFunc['db_free_result']($mc_request);
            // if custom name is not taken, compare it to account names, or just grab name
            $mc_request = $smcFunc['db_query']('', '
						SELECT `id_member`, `real_name`
						FROM `{db_prefix}members`
						WHERE id_member = {int:already_taken_memID} OR 
								(
									(
										`real_name` = {string:value}
										OR `member_name` = {string:value}
									)
								)', array('already_taken_memID' => $already_taken_memID, 'value' => strtolower($value)));
            if ($mc_row = $smcFunc['db_fetch_assoc']($mc_request)) {
                $already_taken_memID = $mc_row['id_member'];
                $already_taken_memName = $mc_row['real_name'];
            }
            $smcFunc['db_free_result']($mc_request);
            if ($already_taken_memID != -1) {
                // then someone already is using this name
                // NOTE(review): this die() bypasses the normal $reg_errors path
                // and echoes $already_taken_memName (a DB real_name) into HTML
                // without escaping here — safe only if real_name is stored
                // already HTML-escaped, as stock SMF does. Confirm.
                global $boardurl;
                $what_name = $row['col_name'] == "cust_minecra" ? 'Minecraft' : 'RSC';
                die('<html>Error: <a href="' . $boardurl . '/index.php?action=profile;u=' . $already_taken_memID . "\">{$already_taken_memName}</a> has already registered this {$what_name} name!</html>");
            }
        }
        // Site-specific: the MoparCraft server password. A 40-character value
        // is assumed to already be a sha1 hex digest and is stored as-is;
        // anything else is treated as plaintext and hashed below.
        // NOTE(review): sha1(lower(username) . password) is unsalted and fast;
        // the same weakness as the legacy SMF forum password scheme.
        if ($row['col_name'] == "cust_moparcr" && $value != '' && strlen($value) != 40) {
            if (strlen($value) > 30) {
                die("<html>Error: Maximum length for MoparCraft server password is 30 characters.</html>");
            }
            if ($value == $regOptions['password']) {
                die("<html>Error: You can't set your MoparCraft server password to be the same as your forum password, if you want to use your forum password, leave this blank.</html>");
            }
            $value = sha1(strtolower($regOptions['username']) . htmlspecialchars_decode($value));
            $_POST['customfield'][$row['col_name']] = $value;
        }
        // xxx end if we are editing our minecraft name, make sure there are no duplicates
        // Is this required but not there?
        if (trim($value) == '' && $row['show_reg'] > 1) {
            $custom_field_errors[] = array('custom_field_empty', array($row['field_name']));
        }
    }
    $smcFunc['db_free_result']($request);
    // Process any errors.
    if (!empty($custom_field_errors)) {
        loadLanguage('Errors');
        foreach ($custom_field_errors as $error) {
            $reg_errors[] = vsprintf($txt['error_' . $error[0]], $error[1]);
        }
    }
    // Lets check for other errors before trying to register the member.
    if (!empty($reg_errors)) {
        $_REQUEST['step'] = 2;
        return Register($reg_errors);
    }
    // If they're wanting to use OpenID we need to validate them first.
    // The form is saved (minus session tokens and the passwords) so it can be
    // replayed via $context['openid_save_fields'] after verification.
    if (empty($_SESSION['openid']['verified']) && !empty($_POST['authenticate']) && $_POST['authenticate'] == 'openid') {
        // What do we need to save?
        $save_variables = array();
        foreach ($_POST as $k => $v) {
            if (!in_array($k, array('sc', 'sesc', $context['session_var'], 'passwrd1', 'passwrd2', 'regSubmit'))) {
                $save_variables[$k] = $v;
            }
        }
        require_once $sourcedir . '/Subs-OpenID.php';
        smf_openID_validate($_POST['openid_identifier'], false, $save_variables);
    } elseif ($verifiedOpenID || !empty($_POST['openid_identifier']) && $_POST['authenticate'] == 'openid') {
        // Verified OpenID: fall back to the identity data from the session
        // for anything the form left blank.
        $regOptions['username'] = !empty($_POST['user']) && trim($_POST['user']) != '' ? $_POST['user'] : $_SESSION['openid']['nickname'];
        $regOptions['email'] = !empty($_POST['email']) && trim($_POST['email']) != '' ? $_POST['email'] : $_SESSION['openid']['email'];
        $regOptions['auth_method'] = 'openid';
        $regOptions['openid'] = !empty($_POST['openid_identifier']) ? $_POST['openid_identifier'] : $_SESSION['openid']['openid_uri'];
    }
    // registerMember() returns the new member id, or an array of error keys.
    $memberID = registerMember($regOptions, true);
    // What there actually an error of some kind dear boy?
    if (is_array($memberID)) {
        $reg_errors = array_merge($reg_errors, $memberID);
        $_REQUEST['step'] = 2;
        return Register($reg_errors);
    }
    // Do our spam protection now (only counted once registration succeeded).
    spamProtection('register');
    // We'll do custom fields after as then we get to use the helper function!
    if (!empty($_POST['customfield'])) {
        require_once $sourcedir . '/Profile.php';
        require_once $sourcedir . '/Profile-Modify.php';
        makeCustomFieldChanges($memberID, 'register');
    }
    // If COPPA has been selected then things get complicated, setup the template.
    if (!empty($modSettings['coppaAge']) && empty($_SESSION['skip_coppa'])) {
        redirectexit('action=coppa;member=' . $memberID);
    } elseif (!empty($modSettings['registration_method'])) {
        loadTemplate('Register');
        $context += array('page_title' => $txt['register'], 'title' => $txt['registration_successful'], 'sub_template' => 'after', 'description' => $modSettings['registration_method'] == 2 ? $txt['approval_after_registration'] : $txt['activate_after_registration']);
    } else {
        // NOTE(review): $row here is the custom_fields loop variable, which is
        // false once db_fetch_assoc() ended the loop, so the hook receives
        // null instead of the new member's name. $regOptions['username'] is
        // probably what was intended.
        call_integration_hook('integrate_activate', array($row['member_name']));
        // Immediate activation: log the new member straight in. The cookie
        // value is the legacy sha1(sha1(lower(user) . pass) . salt) scheme;
        // password_salt is expected to have been filled in by registerMember().
        setLoginCookie(60 * $modSettings['cookieTime'], $memberID, sha1(sha1(strtolower($regOptions['username']) . $regOptions['password']) . $regOptions['register_vars']['password_salt']));
        redirectexit('action=login2;sa=check;member=' . $memberID, $context['server']['needs_login_fix']);
    }
}
/**
 * Installer step 2: verifies the database password, creates the initial admin
 * account and logs the installer in.
 *
 * Reads the admin username/email/passwords and the re-entered DB password
 * from $_POST; on any validation failure falls back to doStep2a() to redraw
 * the form. Returns true on success, false on a failed INSERT.
 *
 * NOTE(review): $db_server, $db_user, $db_name and $sourcedir are not declared
 * global here — they come into local scope only from the require_once of
 * Settings.php below. If Settings.php was already included elsewhere in the
 * request, require_once is a no-op and those variables are undefined.
 */
function doStep2()
{
    global $txt, $db_prefix, $db_connection, $HTTP_SESSION_VARS, $cookiename;
    global $func, $db_character_set, $mbname, $context, $scripturl, $boardurl;
    global $current_smf_version;
    // Load the SQL server login information.
    require_once dirname(__FILE__) . '/Settings.php';
    if (!isset($_POST['password3'])) {
        return doStep2a();
    }
    // The DB password is re-entered by the installer and checked by actually
    // connecting with it (deprecated ext/mysql API; errors suppressed).
    $db_connection = @mysql_connect($db_server, $db_user, $_POST['password3']);
    if (!$db_connection) {
        echo '
				<div class="error_message">
					<div style="color: red;">', $txt['error_mysql_connect'], '</div>
				</div>';
        return doStep2a();
    }
    if (!mysql_select_db($db_name, $db_connection)) {
        echo '
				<div class="error_message">
					<div style="color: red;">', sprintf($txt['error_mysql_database'], $db_name), '</div>
				</div>
				<br />';
        return doStep2a();
    }
    // Let them try again...
    if ($_POST['password1'] != $_POST['password2']) {
        echo '
				<div class="error_message">
					<div style="color: red;">', $txt['error_user_settings_again_match'], '</div>
				</div>
				<br />';
        return doStep2a();
    }
    if (!file_exists($sourcedir . '/Subs.php')) {
        echo '
				<div class="error_message">
					<div style="color: red;">', $txt['error_subs_missing'], '</div>
				</div>
				<br />';
        return doStep2a();
    }
    // NOTE(review): the webmaster email is written to Settings.php here,
    // before the email format check further down — an invalid address is
    // persisted even when the user is then sent back to the form.
    updateSettingsFile(array('webmaster_email' => $_POST['email']));
    chdir(dirname(__FILE__));
    define('SMF', 1);
    require_once $sourcedir . '/Subs.php';
    require_once $sourcedir . '/Load.php';
    require_once $sourcedir . '/Security.php';
    require_once $sourcedir . '/Subs-Auth.php';
    // Define the sha1 function, if it doesn't exist.
    if (!function_exists('sha1')) {
        require_once $sourcedir . '/Subs-Compat.php';
    }
    if (isset($db_character_set)) {
        mysql_query("\n\t\t\tSET NAMES {$db_character_set}");
    }
    // NOTE(review): $_POST['username'] and $_POST['email'] are interpolated
    // into SQL unescaped in this query and the INSERT below. The later
    // stripslashes($_POST['email']) suggests the installer expects input to
    // already carry magic-quotes style escaping; if that does not hold this is
    // SQL injection. mysql_real_escape_string() at the point of use would make
    // it independent of that assumption.
    $result = mysql_query("\n\t\tSELECT ID_MEMBER, passwordSalt\n\t\tFROM {$db_prefix}members\n\t\tWHERE memberName = '{$_POST['username']}' OR emailAddress = '{$_POST['email']}'\n\t\tLIMIT 1");
    if (mysql_num_rows($result) != 0) {
        // Account already exists: reuse its id/salt so the auto-login below
        // still works, but report it as taken.
        list($id, $salt) = mysql_fetch_row($result);
        mysql_free_result($result);
        echo '
				<div class="error_message">
					<div style="color: red;">', $txt['error_user_settings_taken'], '</div>
				</div>
				<br />';
    } elseif (preg_match('~[<>&"\'=\\\\]~', $_POST['username']) != 0 || strlen($_POST['username']) > 25 || $_POST['username'] == '_' || $_POST['username'] == '|' || strpos($_POST['username'], '[code') !== false || strpos($_POST['username'], '[/code') !== false) {
        // Username contains a forbidden character or is too long / reserved.
        // Initialize some variables needed for the language file.
        $context = array('forum_name' => $mbname);
        $modSettings = array('lastActive' => '15', 'hotTopicPosts' => '15', 'hotTopicVeryPosts' => '25', 'smfVersion' => $current_smf_version);
        $scripturl = $boardurl . '/index.php';
        require_once dirname(__FILE__) . '/Themes/default/languages/' . strtr($_SESSION['installer_temp_lang'], array('Install' => 'index'));
        echo '
				<div class="error_message">
					<div style="color: red;">', $txt[240], '</div>
				</div>
				<br />';
        // Try the previous step again.
        return doStep2a();
    } elseif (empty($_POST['email']) || preg_match('~^[0-9A-Za-z=_+\\-/][0-9A-Za-z=_\'+\\-/\\.]*@[\\w\\-]+(\\.[\\w\\-]+)*(\\.[\\w]{2,6})$~', stripslashes($_POST['email'])) === 0 || strlen(stripslashes($_POST['email'])) > 255) {
        // Artificially fill some of the globals needed for the language files.
        $context = array('forum_name' => $mbname);
        $modSettings = array('lastActive' => '15', 'hotTopicPosts' => '15', 'hotTopicVeryPosts' => '25', 'smfVersion' => $current_smf_version);
        $scripturl = $boardurl . '/index.php';
        require_once dirname(__FILE__) . '/Themes/default/languages/' . strtr($_SESSION['installer_temp_lang'], array('Install' => 'index'));
        require_once dirname(__FILE__) . '/Themes/default/languages/' . strtr($_SESSION['installer_temp_lang'], array('Install' => 'Login'));
        echo '
				<div class="error_message">
					<div style="color: red;">', sprintf($txt[500], $_POST['username']), '</div>
				</div>
				<br />';
        // One step back, this time fill out a proper email address.
        return doStep2a();
    } elseif ($_POST['username'] != '') {
        // NOTE(review): the salt is 4 hex chars from md5(mt_rand()) — not a
        // cryptographic source and a tiny salt space. Legacy SMF scheme.
        $salt = substr(md5(mt_rand()), 0, 4);
        // Format the username properly.
        $_POST['username'] = preg_replace('~[\\t\\n\\r\\x0B\\0\\xA0]+~', ' ', $_POST['username']);
        $ip = isset($_SERVER['REMOTE_ADDR']) ? addslashes(substr(stripslashes($_SERVER['REMOTE_ADDR']), 0, 255)) : '';
        // Password is stored as sha1(lower(username) . password) — the legacy
        // unsalted scheme that the login cookie below also relies on.
        $request = mysql_query("\n\t\t\tINSERT INTO {$db_prefix}members\n\t\t\t\t(memberName, realName, passwd, emailAddress, ID_GROUP, posts, dateRegistered, hideEmail, passwordSalt, lngfile, personalText, avatar, memberIP, memberIP2, buddy_list, pm_ignore_list, messageLabels, websiteTitle, websiteUrl, location, ICQ, MSN, signature, usertitle, secretQuestion, additionalGroups)\n\t\t\tVALUES (SUBSTRING('{$_POST['username']}', 1, 25), SUBSTRING('{$_POST['username']}', 1, 25), '" . sha1(strtolower($_POST['username']) . $_POST['password1']) . "', '{$_POST['email']}', 1, '0', '" . time() . "', '0', '{$salt}', '', '', '', '{$ip}', '{$ip}', '', '', '', '', '', '', '', '', '', '', '', '')");
        // Awww, crud!
        if ($request === false) {
            echo '
				<div class="error_message">
					<div style="color: red;">', $txt['error_user_settings_query'], '</div>

					<div style="margin: 2ex;">', nl2br(htmlspecialchars(mysql_error($db_connection))), '</div>

					<a href="', $_SERVER['PHP_SELF'], '?step=2">', $txt['error_message_click'], '</a> ', $txt['error_message_try_again'], '
				</div>';
            return false;
        }
        $id = mysql_insert_id();
    }
    // Automatically log them in ;).
    // NOTE(review): 3153600 * 60 = 189216000 — an extremely long-lived
    // cookie in whatever unit setLoginCookie() takes.
    if (isset($id) && isset($salt)) {
        setLoginCookie(3153600 * 60, $id, sha1(sha1(strtolower($_POST['username']) . $_POST['password1']) . $salt));
    }
    $result = mysql_query("\n\t\tSELECT value\n\t\tFROM {$db_prefix}settings\n\t\tWHERE variable = 'databaseSession_enable'");
    if (mysql_num_rows($result) != 0) {
        list($db_sessions) = mysql_fetch_row($result);
    }
    mysql_free_result($result);
    // Mark the admin session as active, either in the PHP session or in the
    // forum's DB-backed session table (user agent truncated and escaped).
    if (empty($db_sessions)) {
        if (@version_compare(PHP_VERSION, '4.2.0') == -1) {
            $HTTP_SESSION_VARS['php_412_bugfix'] = true;
        }
        $_SESSION['admin_time'] = time();
    } else {
        $_SERVER['HTTP_USER_AGENT'] = addslashes(substr($_SERVER['HTTP_USER_AGENT'], 0, 211));
        mysql_query("\n\t\t\tINSERT INTO {$db_prefix}sessions\n\t\t\t\t(session_id, last_update, data)\n\t\t\tVALUES ('" . session_id() . "', " . time() . ",\n\t\t\t\t'USER_AGENT|s:" . strlen(stripslashes($_SERVER['HTTP_USER_AGENT'])) . ":\"{$_SERVER['HTTP_USER_AGENT']}\";admin_time|i:" . time() . ";')");
    }
    updateStats('member');
    updateStats('message');
    updateStats('topic');
    // This function is needed to do the updateStats('subject') call.
    // For UTF-8 the "lowercase" function is the identity; create_function()
    // is deprecated (removed in PHP 8) — a closure would be the modern form.
    $func['strtolower'] = $db_character_set === 'utf8' || $txt['lang_character_set'] === 'UTF-8' ? create_function('$string', '
		return $string;') : 'strtolower';
    $request = mysql_query("\n\t\tSELECT ID_MSG\n\t\tFROM {$db_prefix}messages\n\t\tWHERE ID_MSG = 1\n\t\t\tAND modifiedTime = 0\n\t\tLIMIT 1");
    if (mysql_num_rows($request) > 0) {
        updateStats('subject', 1, addslashes(htmlspecialchars($txt['default_topic_subject'])));
    }
    mysql_free_result($request);
    echo '
				<div class="panel">
					<h2>', $txt['congratulations'], '</h2>
					<br />
					', $txt['congratulations_help'], '<br />
					<br />';
    // Warn when the install directory is still writable (not on Windows
    // drive-letter paths), since a leftover writable installer is a risk.
    if (is_writable(dirname(__FILE__)) && substr(__FILE__, 1, 2) != ':\\') {
        echo '
					<i>', $txt['still_writable'], '</i><br />
					<br />';
    }
    // Don't show the box if it's like 99% sure it won't work :P.
    if (isset($_SESSION['installer_temp_ftp']) || is_writable(dirname(__FILE__)) || is_writable(__FILE__)) {
        echo '
					<div style="margin: 1ex; font-weight: bold;">
						<label for="delete_self"><input type="checkbox" id="delete_self" onclick="doTheDelete();" /> ', $txt['delete_installer'], !isset($_SESSION['installer_temp_ftp']) ? ' ' . $txt['delete_installer_maybe'] : '', '</label>
					</div>
					<script language="JavaScript" type="text/javascript"><!-- // --><![CDATA[
						function doTheDelete()
						{
							var theCheck = document.getElementById ? document.getElementById("delete_self") : document.all.delete_self;
							var tempImage = new Image();

							tempImage.src = "', $_SERVER['PHP_SELF'], '?delete=1&ts=" + (new Date().getTime());
							tempImage.width = 0;
							theCheck.disabled = true;
						}
					// ]]></script>
					<br />';
    }
    echo '
					', sprintf($txt['go_to_your_forum'], $boardurl . '/index.php'), '<br />
					<br />
					', $txt['good_luck'], '
				</div>';
    return true;
}
/**
 * Tapatalk XML-RPC handler: changes the current member's forum password.
 *
 * Two modes, selected by the presence of RPC parameter 2:
 *  - SSO reset: params are (new password, tapatalk token, tapatalk code). The
 *    old password is not required; authorisation is a Tapatalk ID whose email
 *    matches the member's email.
 *  - Normal: params are (old password, new password); the old password must
 *    verify against the stored hash (or an integration hook).
 *
 * @param object $rpcmsg incoming XML-RPC message (getParam / getScalarValParam).
 * @return xmlrpcresp struct {result: true, result_text: ''} on success;
 *         failures go through fatal_error()/get_error() and do not return.
 */
function mob_update_password($rpcmsg)
{
    global $txt, $modSettings;
    global $cookiename, $context;
    global $sourcedir, $scripturl, $db_prefix;
    global $ID_MEMBER, $user_info;
    global $newpassemail, $user_profile, $validationCode;
    loadLanguage('Profile');
    // Start with no updates and no errors.
    $profile_vars = array();
    $post_errors = array();
    $good_password = false;
    // reset directly with tapatalk id credential
    if ($rpcmsg->getParam(2)) {
        $_POST['passwrd1'] = $rpcmsg->getParam(0) ? $rpcmsg->getScalarValParam(0) : '';
        $_POST['passwrd1'] = utf8ToAscii($_POST['passwrd1']);
        $token = $rpcmsg->getParam(1) ? $rpcmsg->getScalarValParam(1) : '';
        $code = $rpcmsg->getParam(2) ? $rpcmsg->getScalarValParam(2) : '';
        // verify Tapatalk Authorization
        // The whole reset is trusted to TapatalkSsoVerification(): its ->result
        // and ->email decide who gets a new password.
        if ($token && $code) {
            $ttid = TapatalkSsoVerification($token, $code);
            if ($ttid && $ttid->result) {
                $tapatalk_id_email = $ttid->email;
                // Not logged in: locate the member by the SSO email and build a
                // minimal $user_info so isAllowedTo() below has permissions.
                if (empty($ID_MEMBER) && ($ID_MEMBER = emailExists($tapatalk_id_email))) {
                    loadMemberData($ID_MEMBER, false, 'profile');
                    $user_info = $user_profile[$ID_MEMBER];
                    $user_info['is_guest'] = false;
                    $user_info['is_admin'] = $user_info['id_group'] == 1 || in_array(1, explode(',', $user_info['additionalGroups']));
                    $user_info['id'] = $ID_MEMBER;
                    if (empty($user_info['additionalGroups'])) {
                        $user_info['groups'] = array($user_info['ID_GROUP'], $user_info['ID_POST_GROUP']);
                    } else {
                        $user_info['groups'] = array_merge(array($user_info['ID_GROUP'], $user_info['ID_POST_GROUP']), explode(',', $user_info['additionalGroups']));
                    }
                    $user_info['groups'] = array_unique(array_map('intval', $user_info['groups']));
                    loadPermissions();
                }
                // NOTE(review): the admin exclusion checks only the primary
                // group (ID_GROUP != 1). A member whose admin membership is via
                // additionalGroups — which is_admin above does account for —
                // still passes, so their password can be reset through SSO.
                // `!$user_info['is_admin']` would close that gap.
                if (strtolower($user_info['emailAddress']) == strtolower($tapatalk_id_email) && $user_info['ID_GROUP'] != 1) {
                    $good_password = true;
                }
            }
        }
        if (!$good_password) {
            get_error('Failed to update password');
        }
    } else {
        $_POST['oldpasswrd'] = $rpcmsg->getParam(0) ? $rpcmsg->getScalarValParam(0) : '';
        $_POST['passwrd1'] = $rpcmsg->getParam(1) ? $rpcmsg->getScalarValParam(1) : '';
        $_POST['passwrd1'] = utf8ToAscii($_POST['passwrd1']);
    }
    // Clean up the POST variables (trim, normalise slashes, HTML-escape,
    // re-add slashes). The password fields are un-done below before hashing.
    $_POST = htmltrim__recursive($_POST);
    $_POST = stripslashes__recursive($_POST);
    $_POST = htmlspecialchars__recursive($_POST);
    $_POST = addslashes__recursive($_POST);
    $memberResult = loadMemberData($ID_MEMBER, false, 'profile');
    if (!is_array($memberResult)) {
        fatal_lang_error(453, false);
    }
    $memID = $ID_MEMBER;
    $context['user']['is_owner'] = true;
    // Any one of these permissions is sufficient.
    isAllowedTo(array('manage_membergroups', 'profile_identity_any', 'profile_identity_own'));
    // You didn't even enter a password!
    // NOTE(review): in the SSO branch $_POST['oldpasswrd'] is never set, so
    // trim() here reads an undefined index before the && short-circuits.
    if (trim($_POST['oldpasswrd']) == '' && !$good_password) {
        fatal_error($txt['profile_error_no_password']);
    }
    // Since the password got modified due to all the $_POST cleaning, lets undo it so we can get the correct password
    $_POST['oldpasswrd'] = addslashes(un_htmlspecialchars(stripslashes($_POST['oldpasswrd'])));
    // Does the integration want to check passwords?
    if (isset($modSettings['integrate_verify_password']) && function_exists($modSettings['integrate_verify_password'])) {
        if (call_user_func($modSettings['integrate_verify_password'], $user_profile[$memID]['memberName'], $_POST['oldpasswrd'], false) === true) {
            $good_password = true;
        }
    }
    // Bad password!!!
    // Legacy scheme: passwd = sha1(lower(memberName) . password), unsalted.
    // NOTE(review): `!=` is a non-constant-time string compare; hash_equals()
    // would be the safer choice for comparing digests.
    if (!$good_password && $user_info['passwd'] != sha1(strtolower($user_profile[$memID]['memberName']) . $_POST['oldpasswrd'])) {
        fatal_error($txt['profile_error_bad_password']);
    }
    // Let's get the validation function into play...
    require_once $sourcedir . '/Subs-Auth.php';
    $passwordErrors = validatePassword($_POST['passwrd1'], $user_info['username'], array($user_info['name'], $user_info['email']));
    // Were there errors? (validatePassword appears to return null on success
    // and an error key otherwise — confirm against Subs-Auth.php.)
    if ($passwordErrors != null) {
        fatal_error($txt['profile_error_password_' . $passwordErrors]);
    }
    // Set up the new password variable... ready for storage. The value is
    // wrapped in literal quotes because updateMemberData() takes it as a
    // ready-made SQL literal.
    $profile_vars['passwd'] = '\'' . sha1(strtolower($user_profile[$memID]['memberName']) . un_htmlspecialchars(stripslashes($_POST['passwrd1']))) . '\'';
    // If we've changed the password, notify any integration that may be listening in.
    // NOTE(review): the hook receives $_POST['passwrd1'] still HTML-escaped
    // and slashed, whereas the stored hash above uses the decoded value —
    // the two can differ for passwords containing quotes, <, >, & or \.
    if (isset($modSettings['integrate_reset_pass']) && function_exists($modSettings['integrate_reset_pass'])) {
        call_user_func($modSettings['integrate_reset_pass'], $user_profile[$memID]['memberName'], $user_profile[$memID]['memberName'], $_POST['passwrd1']);
    }
    updateMemberData($memID, $profile_vars);
    require_once $sourcedir . '/Subs-Auth.php';
    // Re-issue the login cookie for the new password:
    // sha1(sha1(lower(memberName) . newpass) . passwordSalt).
    setLoginCookie(60 * $modSettings['cookieTime'], $memID, sha1(sha1(strtolower($user_profile[$memID]['memberName']) . un_htmlspecialchars(stripslashes($_POST['passwrd1']))) . $user_profile[$memID]['passwordSalt']));
    $response = array('result' => new xmlrpcval(true, 'boolean'), 'result_text' => new xmlrpcval('', 'base64'));
    return new xmlrpcresp(new xmlrpcval($response, 'struct'));
}
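/**
 * Second step of guest registration: validate the posted form and create the member.
 *
 * Runs the agreement / session / COPPA / visual-verification gates (skipped when the
 * visitor is returning from OpenID verification), strips line breaks from $_POST,
 * collects the optional profile fields and the custom fields, then calls
 * registerMember(). On any error the form is shown again via Register(); on success
 * the member is redirected according to the configured registration_method.
 *
 * @param bool $verifiedOpenID true when re-entered after OpenID verification; the
 *   fields saved in $context['openid_save_fields'] are then restored into $_POST
 * @return mixed the Register() result when the form is re-displayed; otherwise the
 *   function redirects or prepares the "done" template and returns nothing
 */
function Register2($verifiedOpenID = false)
{
    global $txt, $modSettings, $context, $sourcedir;
    // Start collecting together any errors.
    $reg_errors = array();
    // Did we save some open ID fields?
    if ($verifiedOpenID && !empty($context['openid_save_fields'])) {
        foreach ($context['openid_save_fields'] as $id => $value) {
            $_POST[$id] = $value;
        }
    }
    // You can't register if it's disabled.
    if (!empty($modSettings['registration_method']) && $modSettings['registration_method'] == 3) {
        fatal_lang_error('registration_disabled', false);
    }
    // Things we don't do for people who have already confirmed their OpenID allegances via register.
    if (!$verifiedOpenID) {
        // Well, if you don't agree, you can't register.
        if (!empty($modSettings['requireAgreement']) && empty($_SESSION['registration_agreed'])) {
            redirectexit();
        }
        // Make sure they came from *somewhere*, have a session.
        if (!isset($_SESSION['old_url'])) {
            redirectexit('action=register');
        }
        // Are they under age, and under age users are banned?
        if (!empty($modSettings['coppaAge']) && empty($modSettings['coppaType']) && empty($_SESSION['skip_coppa'])) {
            // !!! This should be put in Errors, imho.
            loadLanguage('Login');
            fatal_lang_error('under_age_registration_prohibited', false, array($modSettings['coppaAge']));
        }
        // Check whether the visual verification code was entered correctly.
        if (!empty($modSettings['reg_verification'])) {
            require_once $sourcedir . '/lib/Subs-Editor.php';
            $verificationOptions = array('id' => 'register');
            $context['visual_verification'] = create_control_verification($verificationOptions, true);
            // An array result is a list of error codes; anything else means the CAPTCHA passed.
            if (is_array($context['visual_verification'])) {
                loadLanguage('Errors');
                foreach ($context['visual_verification'] as $error) {
                    $reg_errors[] = $txt['error_' . $error];
                }
            }
        }
    }
    // Scalar POST values lose their line breaks and surrounding whitespace; arrays are left alone.
    foreach ($_POST as $key => $value) {
        if (!is_array($_POST[$key])) {
            $_POST[$key] = htmltrim__recursive(str_replace(array("\n", "\r"), '', $_POST[$key]));
        }
    }
    // Collect all extra registration fields someone might have filled in.
    $possible_strings = array('location', 'birthdate', 'time_format', 'buddy_list', 'pm_ignore_list', 'smiley_set', 'signature', 'personal_text', 'avatar', 'lngfile', 'secret_question', 'secret_answer');
    $possible_ints = array('pm_email_notify', 'notify_types', 'gender', 'id_theme');
    $possible_floats = array('time_offset');
    $possible_bools = array('notify_announcements', 'notify_regularity', 'notify_send_body', 'hide_email', 'show_online');
    // NOTE(review): the secret answer is stored as an unsalted md5, which is a weak way to protect
    // an account-recovery secret; kept as-is for compatibility with the rest of the codebase.
    if (isset($_POST['secret_answer']) && $_POST['secret_answer'] != '') {
        $_POST['secret_answer'] = md5($_POST['secret_answer']);
    }
    // Needed for isReservedName() and registerMember().
    require_once $sourcedir . '/lib/Subs-Members.php';
    // Validation... even if we're not a mall.
    if (isset($_POST['real_name']) && (!empty($modSettings['allow_editDisplayName']) || allowedTo('moderate_forum'))) {
        $_POST['real_name'] = trim(preg_replace('~[\\s]~u', ' ', $_POST['real_name']));
        // Only a non-empty, non-reserved, shorter-than-60-character display name is accepted.
        if (trim($_POST['real_name']) != '' && !isReservedName($_POST['real_name']) && commonAPI::strlen($_POST['real_name']) < 60) {
            $possible_strings[] = 'real_name';
        }
    }
    // Handle a string as a birthdate...
    if (isset($_POST['birthdate']) && $_POST['birthdate'] != '') {
        // strftime() is deprecated as of PHP 8.1; date('Y-m-d', ...) is the drop-in replacement.
        $_POST['birthdate'] = strftime('%Y-%m-%d', strtotime($_POST['birthdate']));
    } elseif (!empty($_POST['bday1']) && !empty($_POST['bday2'])) {
        $_POST['birthdate'] = sprintf('%04d-%02d-%02d', empty($_POST['bday3']) ? 0 : (int) $_POST['bday3'], (int) $_POST['bday1'], (int) $_POST['bday2']);
    }
    // By default assume email is hidden, only show it if we tell it to.
    $_POST['hide_email'] = !empty($_POST['allow_email']) ? 0 : 1;
    // Validate the passed language file.
    if (isset($_POST['lngfile']) && !empty($modSettings['userLanguage'])) {
        // Do we have any languages?
        if (empty($context['languages'])) {
            getLanguages();
        }
        // Did we find it?  Only a language from the known list is accepted.
        if (isset($context['languages'][$_POST['lngfile']])) {
            $_SESSION['language'] = $_POST['lngfile'];
        } else {
            unset($_POST['lngfile']);
        }
    } else {
        unset($_POST['lngfile']);
    }
    // Set the options needed for registration.
    $regOptions = array('interface' => 'guest', 'username' => !empty($_POST['user']) ? $_POST['user'] : '', 'email' => !empty($_POST['email']) ? $_POST['email'] : '', 'password' => !empty($_POST['passwrd1']) ? $_POST['passwrd1'] : '', 'password_check' => !empty($_POST['passwrd2']) ? $_POST['passwrd2'] : '', 'openid' => !empty($_POST['openid_identifier']) ? $_POST['openid_identifier'] : '', 'auth_method' => !empty($_POST['authenticate']) ? $_POST['authenticate'] : '', 'check_reserved_name' => true, 'check_password_strength' => true, 'check_email_ban' => true, 'send_welcome_email' => !empty($modSettings['send_welcomeEmail']), 'require' => !empty($modSettings['coppaAge']) && !$verifiedOpenID && empty($_SESSION['skip_coppa']) ? 'coppa' : (empty($modSettings['registration_method']) ? 'nothing' : ($modSettings['registration_method'] == 1 ? 'activation' : 'approval')), 'extra_register_vars' => array(), 'theme_vars' => array());
    // Include the additional options that might have been filled in.
    foreach ($possible_strings as $var) {
        if (isset($_POST[$var])) {
            $regOptions['extra_register_vars'][$var] = commonAPI::htmlspecialchars($_POST[$var], ENT_QUOTES);
        }
    }
    foreach ($possible_ints as $var) {
        if (isset($_POST[$var])) {
            $regOptions['extra_register_vars'][$var] = (int) $_POST[$var];
        }
    }
    foreach ($possible_floats as $var) {
        if (isset($_POST[$var])) {
            $regOptions['extra_register_vars'][$var] = (double) $_POST[$var];
        }
    }
    foreach ($possible_bools as $var) {
        if (isset($_POST[$var])) {
            $regOptions['extra_register_vars'][$var] = empty($_POST[$var]) ? 0 : 1;
        }
    }
    // Registration options are always default options...
    if (isset($_POST['default_options'])) {
        $_POST['options'] = isset($_POST['options']) ? $_POST['options'] + $_POST['default_options'] : $_POST['default_options'];
    }
    $regOptions['theme_vars'] = isset($_POST['options']) && is_array($_POST['options']) ? $_POST['options'] : array();
    // Make sure they are clean, dammit!
    $regOptions['theme_vars'] = htmlspecialchars__recursive($regOptions['theme_vars']);
    // If Quick Reply hasn't been set then set it to be shown but collapsed.
    if (!isset($regOptions['theme_vars']['display_quick_reply'])) {
        $regOptions['theme_vars']['display_quick_reply'] = 1;
    }
    // Check whether we have fields that simply MUST be displayed?
    $request = smf_db_query('
		SELECT col_name, field_name, field_type, field_length, mask, show_reg
		FROM {db_prefix}custom_fields
		WHERE active = {int:is_active}', array('is_active' => 1));
    $custom_field_errors = array();
    while ($row = mysql_fetch_assoc($request)) {
        // Don't allow overriding of the theme variables.
        if (isset($regOptions['theme_vars'][$row['col_name']])) {
            unset($regOptions['theme_vars'][$row['col_name']]);
        }
        // Not actually showing it then?
        if (!$row['show_reg']) {
            continue;
        }
        // Prepare the value!
        $value = isset($_POST['customfield'][$row['col_name']]) ? trim($_POST['customfield'][$row['col_name']]) : '';
        // We only care for text fields as the others are valid to be empty.
        if (!in_array($row['field_type'], array('check', 'select', 'radio'))) {
            // Is it too long?
            if ($row['field_length'] && $row['field_length'] < commonAPI::strlen($value)) {
                $custom_field_errors[] = array('custom_field_too_long', array($row['field_name'], $row['field_length']));
            }
            // Any masks to apply?  The mask is admin-configured: 'email', 'number', or 'regex<pattern>'.
            if ($row['field_type'] == 'text' && !empty($row['mask']) && $row['mask'] != 'none') {
                //!!! We never error on this - just ignore it at the moment...
                if ($row['mask'] == 'email' && (preg_match('~^[0-9A-Za-z=_+\\-/][0-9A-Za-z=_\'+\\-/\\.]*@[\\w\\-]+(\\.[\\w\\-]+)*(\\.[\\w]{2,6})$~', $value) === 0 || strlen($value) > 255)) {
                    $custom_field_errors[] = array('custom_field_invalid_email', array($row['field_name']));
                } elseif ($row['mask'] == 'number' && preg_match('~[^\\d]~', $value)) {
                    $custom_field_errors[] = array('custom_field_not_number', array($row['field_name']));
                } elseif (substr($row['mask'], 0, 5) == 'regex' && preg_match(substr($row['mask'], 5), $value) === 0) {
                    $custom_field_errors[] = array('custom_field_inproper_format', array($row['field_name']));
                }
            }
        }
        // Is this required but not there?
        if (trim($value) == '' && $row['show_reg'] > 1) {
            $custom_field_errors[] = array('custom_field_empty', array($row['field_name']));
        }
    }
    mysql_free_result($request);
    // Process any errors.
    if (!empty($custom_field_errors)) {
        loadLanguage('Errors');
        foreach ($custom_field_errors as $error) {
            $reg_errors[] = vsprintf($txt['error_' . $error[0]], $error[1]);
        }
    }
    // Lets check for other errors before trying to register the member.
    if (!empty($reg_errors)) {
        $_REQUEST['step'] = 2;
        return Register($reg_errors);
    }
    // If they're wanting to use OpenID we need to validate them first.
    if (empty($_SESSION['openid']['verified']) && !empty($_POST['authenticate']) && $_POST['authenticate'] == 'openid') {
        // What do we need to save?  Everything except session tokens, passwords and the submit button.
        $save_variables = array();
        foreach ($_POST as $k => $v) {
            if (!in_array($k, array('sc', 'sesc', $context['session_var'], 'passwrd1', 'passwrd2', 'regSubmit'))) {
                $save_variables[$k] = $v;
            }
        }
        require_once $sourcedir . '/lib/Subs-OpenID.php';
        smf_openID_validate($_POST['openid_identifier'], false, $save_variables);
    } elseif ($verifiedOpenID || (!empty($_POST['openid_identifier']) && $_POST['authenticate'] == 'openid')) {
        // Posted values win; otherwise fall back to what the OpenID provider told us.
        $regOptions['username'] = !empty($_POST['user']) && trim($_POST['user']) != '' ? $_POST['user'] : $_SESSION['openid']['nickname'];
        $regOptions['email'] = !empty($_POST['email']) && trim($_POST['email']) != '' ? $_POST['email'] : $_SESSION['openid']['email'];
        $regOptions['auth_method'] = 'openid';
        $regOptions['openid'] = !empty($_POST['openid_identifier']) ? $_POST['openid_identifier'] : $_SESSION['openid']['openid_uri'];
    }
    $memberID = registerMember($regOptions, true);
    // What there actually an error of some kind dear boy?
    if (is_array($memberID)) {
        $reg_errors = array_merge($reg_errors, $memberID);
        $_REQUEST['step'] = 2;
        return Register($reg_errors);
    }
    // Do our spam protection now.
    spamProtection('register');
    HookAPI::callHook('register_process');
    // We'll do custom fields after as then we get to use the helper function!
    if (!empty($_POST['customfield'])) {
        require_once $sourcedir . '/Profile.php';
        require_once $sourcedir . '/Profile-Modify.php';
        makeCustomFieldChanges($memberID, 'register');
    }
    // If COPPA has been selected then things get complicated, setup the template.
    if (!empty($modSettings['coppaAge']) && empty($_SESSION['skip_coppa'])) {
        redirectexit('action=coppa;member=' . $memberID);
    } elseif (!empty($modSettings['registration_method'])) {
        EoS_Smarty::loadTemplate('register/base');
        EoS_Smarty::getConfigInstance()->registerHookTemplate('register_content_area', 'register/done');
        $context += array('page_title' => $txt['register'], 'title' => $txt['registration_successful'], 'description' => $modSettings['registration_method'] == 2 ? $txt['approval_after_registration'] : $txt['activate_after_registration']);
    } else {
        // Bug fix: this used to pass $row['member_name'], but $row is the exhausted custom_fields
        // cursor (false once the while loop above finishes), so the hook received null.  Pass the
        // username the member was just registered with instead.
        HookAPI::callHook('integrate_activate', array($regOptions['username']));
        // NOTE(review): unsalted sha1 of lowercase-name + password is legacy password hashing;
        // it is reproduced here only to match what registerMember() stored.
        setLoginCookie(60 * $modSettings['cookieTime'], $memberID, sha1(sha1(strtolower($regOptions['username']) . $regOptions['password']) . $regOptions['register_vars']['password_salt']));
        redirectexit('action=login2;sa=check;member=' . $memberID, $context['server']['needs_login_fix']);
    }
}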
/**
 * Persist the "core" server settings posted from the admin form.
 *
 * Normalises the cookie name and forum URL, serialises passwords/strings/ints/bools
 * into Settings.php via updateSettingsFile(), re-issues the login cookie if the
 * cookie name changed, and finally redirects back to the settings page.
 */
function ModifyCoreSettings2()
{
    global $boarddir, $sc, $cookiename, $modSettings, $user_settings, $sourcedir;
    global $context;

    // Undo escaping on every posted value before anything else looks at them.
    foreach ($_POST as $field => $posted) {
        $_POST[$field] = stripslashes__recursive($posted);
    }

    // The cookie name must not contain characters that break Set-Cookie parsing.
    if (isset($_POST['cookiename'])) {
        $pattern = '~[,;\\s\\.$]+~' . ($context['utf8'] ? 'u' : '');
        $_POST['cookiename'] = preg_replace($pattern, '', $_POST['cookiename']);
    }

    // Normalise the forum URL: drop a trailing index.php or slash, then force a scheme.
    $url = $_POST['boardurl'];
    if (substr($url, -10) == '/index.php') {
        $url = substr($url, 0, -10);
    } elseif (substr($url, -1) == '/') {
        $url = substr($url, 0, -1);
    }
    $hasScheme = substr($url, 0, 7) == 'http://' || substr($url, 0, 7) == 'file://' || substr($url, 0, 8) == 'https://';
    $_POST['boardurl'] = $hasScheme ? $url : 'http://' . $url;

    // Which settings go where: secrets need a matching confirmation, strings are quoted,
    // ints are cast, checkboxes become '0'/'1'.
    $passwordKeys = array('db_passwd');
    $stringKeys = array('mtitle', 'mmessage', 'language', 'mbname', 'boardurl', 'cookiename', 'webmaster_email', 'db_name', 'db_user', 'db_server', 'db_prefix', 'boarddir', 'sourcedir');
    $intKeys = array();
    $boolKeys = array('db_persist', 'db_error_send', 'maintenance');

    $config_vars = array();
    foreach ($passwordKeys as $name) {
        // A password is only accepted when both entry fields are present and agree.
        if (!isset($_POST[$name][1]) || $_POST[$name][0] != $_POST[$name][1]) {
            continue;
        }
        $config_vars[$name] = '\'' . addcslashes($_POST[$name][0], "'\\") . '\'';
    }
    foreach ($stringKeys as $name) {
        if (isset($_POST[$name])) {
            // Quoted and escaped so the value can be written verbatim into PHP source.
            $config_vars[$name] = '\'' . addcslashes($_POST[$name], "'\\") . '\'';
        }
    }
    foreach ($intKeys as $name) {
        if (isset($_POST[$name])) {
            $config_vars[$name] = (int) $_POST[$name];
        }
    }
    foreach ($boolKeys as $name) {
        $config_vars[$name] = empty($_POST[$name]) ? '0' : '1';
    }

    require_once $sourcedir . '/Admin.php';
    updateSettingsFile($config_vars);

    // A renamed cookie orphans the current login cookie, so re-issue it under the new name.
    if (isset($config_vars['cookiename']) && $cookiename != $_POST['cookiename']) {
        include_once $sourcedir . '/Subs-Auth.php';
        $cookiename = $_POST['cookiename'];
        setLoginCookie(60 * $modSettings['cookieTime'], $user_settings['ID_MEMBER'], sha1($user_settings['passwd'] . $user_settings['passwordSalt']));
        redirectexit('action=serversettings;sa=core;sesc=' . $sc, $context['server']['needs_login_fix']);
    }
    redirectexit('action=serversettings;sa=core;sesc=' . $sc);
}
/**
 * Log the user out: remove the persistent login cookie, wipe the session's user
 * state, and return to the login screen with a confirmation message.
 *
 * @param object $session session object (by reference); its user id/name are cleared
 */
function guiLogout(&$session)
{
    // Drop the persistent login cookie, then overwrite it with placeholder values.
    clearLoginCookie($session);
    setLoginCookie($session, '?', '?');

    // Wipe server-side session state and detach the user from it,
    // remembering the name only for the confirmation message.
    $session->clearSessionData();
    $session->fUserId = null;
    $previousUser = $session->fUserName;
    $session->fUserName = null;

    // German: "Data for automatic login was deleted: <name>".
    $message = 'Daten für automatische Anmeldung wurden gelöscht: ' . $previousUser;
    guiLogin($session, $message);
}
/**
 * Re-authenticate the current member after a profile save and reload their settings.
 *
 * When the verification password (passwrd2) was posted, a fresh login cookie is
 * issued from it; per the original author the form already required it to match
 * the new password, so it reflects the password that was just stored.
 */
function profileReloadUser()
{
    global $modSettings, $context, $cur_profile;

    $verifyPassword = isset($_POST['passwrd2']) ? $_POST['passwrd2'] : '';
    if ($verifyPassword != '') {
        require_once SUBSDIR . '/Auth.subs.php';
        // Cookie secret: sha256 over lowercase member name + raw password + per-member salt.
        $memberName = Util::strtolower($cur_profile['member_name']);
        $cookieHash = hash('sha256', $memberName . un_htmlspecialchars($verifyPassword) . $cur_profile['password_salt']);
        setLoginCookie(60 * $modSettings['cookieTime'], $context['id_member'], $cookieHash);
    }

    loadUserSettings();
    writeLog();
}
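/**
 * Brute-force throttle for password checks: at most 5 attempts per 10-second window.
 *
 * Always clears the login cookie and the session marker for this member first, then
 * updates the stored "timestamp|tries" counter. Aborts with a critical error once the
 * window's attempt budget is exceeded.
 *
 * @param int $id_member the member being validated; an empty id redirects away
 * @param string|false $password_flood_value stored counter as "timestamp|tries", or false when none
 * @param bool $was_correct true when the password matched; a correct first try clears the counter
 */
function validatePasswordFlood($id_member, $password_flood_value = false, $was_correct = false)
{
    global $smcFunc, $cookiename, $sourcedir;
    // As this is only brute protection, we allow 5 attempts every 10 seconds.
    // Destroy any session or cookie data about this member, as they validated wrong.
    require_once $sourcedir . '/Subs-Auth.php';
    setLoginCookie(-3600, 0);
    if (isset($_SESSION['login_' . $cookiename])) {
        unset($_SESSION['login_' . $cookiename]);
    }
    // We need a member!
    if (!$id_member) {
        // Redirect back!
        redirectexit();
        // Probably not needed, but still make sure...
        fatal_lang_error('no_access', false);
    }
    // Parse the stored counter explicitly rather than silencing list() with '@';
    // a missing or malformed value simply yields zeros, which the reset below handles.
    $time_stamp = 0;
    $number_tries = 0;
    if ($password_flood_value !== false) {
        $parts = explode('|', (string) $password_flood_value);
        $time_stamp = (int) $parts[0];
        $number_tries = isset($parts[1]) ? (int) $parts[1] : 0;
    }
    // Timestamp or number of tries invalid?
    if (empty($number_tries) || empty($time_stamp)) {
        $number_tries = 0;
        $time_stamp = time();
    }
    // They've failed logging in already
    if (!empty($number_tries)) {
        // Give them less chances if they failed before.
        // NOTE(review): a record older than 20s is reduced to 2 tries, but one 10-20s old keeps
        // its full count with a fresh timestamp; confirm that matches the intended window.
        $number_tries = $time_stamp < time() - 20 ? 2 : $number_tries;
        // They are trying too fast, make them wait longer
        if ($time_stamp < time() - 10) {
            $time_stamp = time();
        }
    }
    $number_tries++;
    // Broken the law?
    if ($number_tries > 5) {
        fatal_lang_error('login_threshold_brute_fail', 'critical');
    }
    // Otherwise set the members data. If they correct on their first attempt then we actually clear it, otherwise we set it!
    updateMemberData($id_member, array('passwd_flood' => $was_correct && $number_tries == 1 ? '' : $time_stamp . '|' . $number_tries));
}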
//      this list of conditions and the following disclaimer in the documentation
//      and/or other materials provided with the distribution.
//   3. The name of the author may not be used to endorse or promote products
//      derived from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
// WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
// MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
// IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
// TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
// PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
// LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
// NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
// EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
//
////////////////////////////////////////////////////////////////////////////////////
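// Logout script: drop this site's login cookie, then the linked forum's, then go home.
$THIS_BASEPATH = dirname(__FILE__);
require "include/functions.php";
logoutcookie();
dbconn();
if (substr($GLOBALS["FORUMLINK"], 0, 3) == "smf") {
    require $THIS_BASEPATH . '/smf/SSI.php';
    // The function name must be a quoted string: a bare identifier is an undefined
    // constant (a notice on old PHP that happened to work, a fatal Error on PHP 8).
    if (!function_exists('setLoginCookie')) {
        require $THIS_BASEPATH . '/smf/Sources/Subs-Auth.php';
    }
    // Negative lifetime expires the SMF login cookie.
    setLoginCookie(-3600, 0);
} elseif ($GLOBALS["FORUMLINK"] == "ipb") {
    kill_ipb_cookie();
}
// Nothing follows the redirect here; if more output is ever added after it, an exit is needed.
header("Location: index.php");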
/**
 * Admin page for cookie and session settings.
 *
 * Builds the settings definition, optionally returns it unchanged, handles a save
 * (re-issuing the login cookie when the cookie name changed) and otherwise prepares
 * the settings context for display.
 *
 * @param bool $return_config when true, return the settings definition instead of rendering
 * @return array|void the settings definition when $return_config is set
 */
function ModifyCookieSettings($return_config = false)
{
    global $context, $scripturl, $txt, $sourcedir, $modSettings, $cookiename, $user_settings;

    // The "secure" flag can only be offered when the admin is already on HTTPS.
    $httpsFlag = isset($_SERVER['HTTPS']) ? strtolower($_SERVER['HTTPS']) : '';
    $onHttps = $httpsFlag == 'on' || $httpsFlag == '1';

    // Each row: setting name, label, storage target ('file' or 'db'), input type, extra attributes.
    $config_vars = array(
        array('cookiename', $txt['cookie_name'], 'file', 'text', 20),
        array('cookieTime', $txt['cookieTime'], 'db', 'int'),
        array('localCookies', $txt['localCookies'], 'db', 'check', false, 'localCookies'),
        array('globalCookies', $txt['globalCookies'], 'db', 'check', false, 'globalCookies'),
        array('secureCookies', $txt['secureCookies'], 'db', 'check', false, 'secureCookies', 'disabled' => !$onHttps),
        '',
        array('databaseSession_enable', $txt['databaseSession_enable'], 'db', 'check', false, 'databaseSession_enable'),
        array('databaseSession_loose', $txt['databaseSession_loose'], 'db', 'check', false, 'databaseSession_loose'),
        array('databaseSession_lifetime', $txt['databaseSession_lifetime'], 'db', 'int', false, 'databaseSession_lifetime'),
    );
    if ($return_config) {
        return $config_vars;
    }

    $context['post_url'] = $scripturl . '?action=admin;area=serversettings;sa=cookie;save';
    $context['settings_title'] = $txt['cookies_sessions_settings'];

    if (isset($_REQUEST['save'])) {
        saveSettings($config_vars);
        // Renaming the cookie orphans the current login: expire the old one and re-issue under the new name.
        if ($cookiename != $_POST['cookiename']) {
            $original_session_id = $context['session_id'];
            include_once $sourcedir . '/Subs-Auth.php';
            setLoginCookie(-3600, 0);
            $cookiename = $_POST['cookiename'];
            $cookieHash = sha1($user_settings['passwd'] . $user_settings['password_salt']);
            setLoginCookie(60 * $modSettings['cookieTime'], $user_settings['id_member'], $cookieHash);
            redirectexit('action=admin;area=serversettings;sa=cookie;' . $context['session_var'] . '=' . $original_session_id, $context['server']['needs_login_fix']);
        }
        redirectexit('action=admin;area=serversettings;sa=cookie;' . $context['session_var'] . '=' . $context['session_id']);
    }

    prepareServerSettingsContext($config_vars);
}
/**
 * Log the member back in after a profile change and reload their settings.
 *
 * If the verification password (passwrd2) was submitted, the login cookie is
 * re-issued from it; per the original author the form already required it to
 * match the new password.
 */
function profileReloadUser()
{
    global $sourcedir, $modSettings, $context, $cur_profile, $smcFunc, $profile_vars;

    $verifyPassword = isset($_POST['passwrd2']) ? $_POST['passwrd2'] : '';
    if ($verifyPassword != '') {
        require_once $sourcedir . '/Subs-Auth.php';
        // Cookie secret: sha1( sha1(lowercase member name . password) . member salt ).
        $passwordHash = sha1(strtolower($cur_profile['member_name']) . un_htmlspecialchars($verifyPassword));
        setLoginCookie(60 * $modSettings['cookieTime'], $context['id_member'], sha1($passwordHash . $cur_profile['password_salt']));
    }

    loadUserSettings();
    writeLog();
}
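/**
 * Brute-force throttle for password checks: at most 5 attempts per 10-second window.
 *
 * Always clears the login cookie and the session marker for this member first, then
 * updates the stored "timestamp|tries" counter. Aborts with a critical error once the
 * window's attempt budget is exceeded.
 *
 * @param int $id_member the member being validated; an empty id is rejected with no_access
 * @param string|false $password_flood_value stored counter as "timestamp|tries", or false when none
 * @param bool $was_correct true when the password matched; a correct first try clears the counter
 */
function validatePasswordFlood($id_member, $password_flood_value = false, $was_correct = false)
{
    global $smcFunc, $cookiename, $sourcedir;
    // As this is only brute protection, we allow 5 attempts every 10 seconds.
    // Destroy any session or cookie data about this member, as they validated wrong.
    require_once $sourcedir . '/Subs-Auth.php';
    setLoginCookie(-3600, 0);
    if (isset($_SESSION['login_' . $cookiename])) {
        unset($_SESSION['login_' . $cookiename]);
    }
    // We need a member!
    if (!$id_member) {
        fatal_lang_error('no_access', false);
    }
    // Parse the stored counter explicitly rather than silencing list() with '@';
    // a missing or malformed value simply yields zeros, which the reset below handles.
    $time_stamp = 0;
    $number_tries = 0;
    if ($password_flood_value !== false) {
        $parts = explode('|', (string) $password_flood_value);
        $time_stamp = (int) $parts[0];
        $number_tries = isset($parts[1]) ? (int) $parts[1] : 0;
    }
    // Timestamp invalid or non-existent?
    if (empty($number_tries) || $time_stamp < time() - 10) {
        // If it wasn't *that* long ago, don't give them another five goes.
        // NOTE(review): as written, a record older than 20s keeps 2 tries while one 10-20s old
        // resets to 0 -- the opposite of what the comment above suggests; confirm which is intended.
        $number_tries = !empty($number_tries) && $time_stamp < time() - 20 ? 2 : 0;
        $time_stamp = time();
    }
    $number_tries++;
    // Broken the law?
    if ($number_tries > 5) {
        fatal_lang_error('login_threshold_brute_fail', 'critical');
    }
    // Otherwise set the members data. If they correct on their first attempt then we actually clear it, otherwise we set it!
    updateMemberData($id_member, array('passwd_flood' => $was_correct && $number_tries == 1 ? '' : $time_stamp . '|' . $number_tries));
}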
 /**
  * Change the member's authentication method (password <-> OpenID).
  *
  * Only appropriate for people using OpenID. When $saving is set, the posted
  * 'authenticate' choice is applied: 'passwd' validates and stores a new password
  * (re-issuing the login cookie when the owner edits their own profile); 'openid'
  * canonicalises the identifier and, for the owner, stores it in the session and
  * hands off to OpenID validation, while a non-owner's change is written directly.
  * In every case the authentication_method sub-template is prepared afterwards.
  *
  * @param bool $saving = false  true when the form was submitted
  * @return bool|void true after handling a password change; nothing on the other paths
  */
 public function action_authentication($saving = false)
 {
     global $context, $cur_profile, $post_errors, $modSettings;
     $memID = currentMemberID();
     loadLanguage('Login');
     loadTemplate('ProfileOptions');
     // We are saving?
     if ($saving) {
         // Moving to password passed authentication?
         // NOTE(review): $_POST['authenticate'] and $_POST['passwrd1'] are read without isset();
         // a request missing them raises a notice rather than an error -- confirm the form always sends both.
         if ($_POST['authenticate'] == 'passwd') {
             // Didn't enter anything?
             if ($_POST['passwrd1'] == '') {
                 $post_errors[] = 'no_password';
             } elseif (!isset($_POST['passwrd2']) || $_POST['passwrd1'] != $_POST['passwrd2']) {
                 $post_errors[] = 'bad_new_password';
             } else {
                 require_once SUBSDIR . '/Auth.subs.php';
                 // Strength/similarity check against the member's name, display name and e-mail.
                 $passwordErrors = validatePassword($_POST['passwrd1'], $cur_profile['member_name'], array($cur_profile['real_name'], $cur_profile['email_address']));
                 // Were there errors?
                 if ($passwordErrors != null) {
                     $post_errors[] = 'password_' . $passwordErrors;
                 }
             }
             if (empty($post_errors)) {
                 // Integration?  Listeners get the member name twice plus the new plaintext password.
                 call_integration_hook('integrate_reset_pass', array($cur_profile['member_name'], $cur_profile['member_name'], $_POST['passwrd1']));
                 // Go then.
                 require_once SUBSDIR . '/Auth.subs.php';
                 $new_pass = $_POST['passwrd1'];
                 // NOTE(review): called with an empty stored hash -- presumably this returns the hash to
                 // store rather than comparing; confirm against Auth.subs.php.
                 $passwd = validateLoginPassword($new_pass, '', $cur_profile['member_name'], true);
                 // Do the important bits: switching to password auth also clears the OpenID URI.
                 updateMemberData($memID, array('openid_uri' => '', 'passwd' => $passwd));
                 if ($context['user']['is_owner']) {
                     // Cookie secret is sha256(new password . member salt) so the owner stays logged in.
                     setLoginCookie(60 * $modSettings['cookieTime'], $memID, hash('sha256', $new_pass . $cur_profile['password_salt']));
                     redirectexit('action=profile;area=authentication;updated');
                 } else {
                     redirectexit('action=profile;u=' . $memID);
                 }
             }
             // Only this branch returns true; the OpenID branch falls through to the template setup below.
             return true;
         } elseif ($_POST['authenticate'] == 'openid' && !empty($_POST['openid_identifier'])) {
             require_once SUBSDIR . '/OpenID.subs.php';
             require_once SUBSDIR . '/Members.subs.php';
             $openID = new OpenID();
             $_POST['openid_identifier'] = $openID->canonize($_POST['openid_identifier']);
             // An identifier already bound to another member cannot be reused.
             if (memberExists($_POST['openid_identifier'])) {
                 $post_errors[] = 'openid_in_use';
             } elseif (empty($post_errors)) {
                 // Authenticate using the new OpenID URI first to make sure they didn't make a mistake.
                 if ($context['user']['is_owner']) {
                     $_SESSION['new_openid_uri'] = $_POST['openid_identifier'];
                     $openID->validate($_POST['openid_identifier'], false, null, 'change_uri');
                 } else {
                     // Not the owner (e.g. an admin): no verification round-trip, persist immediately.
                     updateMemberData($memID, array('openid_uri' => $_POST['openid_identifier']));
                 }
             }
         }
     }
     // Expose the current method to the template; a set openid_uri means OpenID, otherwise password.
     $context['member']['openid_uri'] = $cur_profile['openid_uri'];
     $context['auth_method'] = empty($cur_profile['openid_uri']) ? 'password' : 'openid';
     $context['sub_template'] = 'authentication_method';
     loadJavascriptFile('register.js');
 }