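 /**
  * Detect a POST that PHP silently discarded for exceeding its limits.
  *
  * When a request body is larger than post_max_size PHP empties $_POST
  * and $_FILES without raising any error the application can see. Forms
  * that opt in by adding check_overpost to the query string are sent to
  * the "overpost" error page instead of silently losing the submission.
  *
  * @return bool true when no overpost was detected (the error page takes
  *              over the request otherwise)
  */
 public static function checkOverPost()
 {
     // Only forms that ask for the check are examined.
     if (!isset($_GET['check_overpost'])) {
         return true;
     }

     // A discarded body leaves BOTH $_POST and $_FILES empty while the
     // request still advertises a non-zero Content-Length. Checking
     // $_FILES as well avoids a false positive on a form that posts only a
     // file and no other fields; requiring a positive length ignores
     // bodiless requests that merely carry the check_overpost flag.
     $contentLength = isset($_SERVER['CONTENT_LENGTH']) ? (int) $_SERVER['CONTENT_LENGTH'] : 0;
     if (empty($_POST) && empty($_FILES) && $contentLength > 0) {
         Security::log(_('User tried to post a file beyond server limits.'));
         PHPWS_Core::errorPage('overpost');
     }
     return true;
 }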
 /**
  * Deny the current action: record the refusal in the security log and
  * hand the request over to the 403 error page.
  *
  * @param string|null $message text written to the security log; when
  *                             null a generic permission-denied text is used
  */
 public static function disallow($message = null)
 {
     $logEntry = $message === null
         ? dgettext('users', 'Improper permission level for action requested.')
         : $message;
     Security::log($logEntry);
     PHPWS_Core::errorPage('403');
 }
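/*
 * Defence against register_globals = on.
 *
 * ini_set() cannot switch register_globals off for the running request
 * (the request variables have already been injected into the global
 * scope by the time this code runs), so the real protection is removing
 * every global that was created from request data. The previous loop
 * called unset($requestVarName), which only cleared the loop variable
 * itself and left every registered global in place; the globals are now
 * removed through $GLOBALS[...]. Superglobals and this snippet's own
 * variables are protected so that a request parameter named e.g.
 * "_SESSION" cannot be used to clobber them.
 */
if (ini_get('register_globals')) {
    ini_set('register_globals', FALSE);
    $protectedGlobals = array('GLOBALS', '_SERVER', '_GET', '_POST', '_FILES',
                              '_COOKIE', '_SESSION', '_REQUEST', '_ENV',
                              'protectedGlobals', 'requestSource', 'requestVarName', 'nullIT');
    // $_REQUEST may omit cookies depending on request_order, so the
    // individual sources are walked as well.
    foreach (array($_REQUEST, $_GET, $_POST, $_COOKIE, $_FILES) as $requestSource) {
        foreach ($requestSource as $requestVarName => $nullIT) {
            if (!in_array($requestVarName, $protectedGlobals, true)) {
                unset($GLOBALS[$requestVarName]);
            }
        }
    }
    unset($protectedGlobals, $requestSource, $requestVarName, $nullIT);
}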
/*
 * Keep session ids out of URLs: if use_trans_sid is on, switch it off and
 * clear the tag list PHP would otherwise rewrite with the session id.
 */
if (ini_get('session.use_trans_sid')) {
    $transSidOverrides = array(
        'session.use_trans_sid' => FALSE,
        'url_rewriter.tags'     => '',
    );
    foreach ($transSidOverrides as $iniName => $iniValue) {
        ini_set($iniName, $iniValue);
    }
    unset($transSidOverrides, $iniName, $iniValue);
}
// Reject a request whose URI or parameters look like an XSS payload,
// unless the site explicitly allows script tags. The request array is
// only scanned when the URI passed, as before.
$scriptTagsAllowed = PHPWS_Core::allowScriptTags();
if (!$scriptTagsAllowed) {
    $uriIsClean     = checkUserInput($_SERVER['REQUEST_URI']);
    $requestIsClean = $uriIsClean && checkUserInput($_REQUEST);
    if (!$requestIsClean) {
        Security::log(_('Attempted cross-site scripting attack.'));
        PHPWS_Core::errorPage('400');
    }
    unset($uriIsClean, $requestIsClean);
}
unset($scriptTagsAllowed);
/**
 * Checks for <script> embedding and any double-URL-encoded data
 * 
 * @return bool
 */
function checkUserInput($input)
{
    $scripting = '/(%3C|<|&lt;|&#60;)\\s*(script|\\?)/iU';
    $asciiChars = '/%(0|1)(\\d|[a-f])/i';
    // Call recursively if input is an array
    if (is_array($input)) {
        foreach ($input as $input_val) {
            if (!checkUserInput($input_val)) {
 /**
  * Handle the "forgot login" form: a username triggers a password-reset
  * email, an email address triggers a username reminder.
  *
  * The username branch refuses deity accounts unless ALLOW_DEITY_FORGET
  * is set and accounts whose authorize column is not 1. Both branches
  * first reject input containing quotes, then look the account up with
  * PHPWS_DB::addWhere(). NOTE(review): that quote filter is not a
  * substitute for parameterised queries; whether the lookup is safe
  * depends on PHPWS_DB escaping its addWhere() values — confirm.
  *
  * NOTE(review): the responses differ between "not found", "authorization
  * not checked" and "email sent", so a caller can tell which usernames and
  * email addresses exist (account enumeration). A uniform message would
  * close that if enumeration matters for this site.
  *
  * @param string $content receives the message to show the user
  * @return bool false when the form input was rejected, true when a
  *              message (email sent / cannot send / duplicate submission)
  *              was set
  */
 public function postForgot(&$content)
 {
     if (empty($_POST['fg_username']) && empty($_POST['fg_email'])) {
         $content = dgettext('users', 'You must enter either a username or email address.');
         return false;
     }
     if (!empty($_POST['fg_username'])) {
         $username = $_POST['fg_username'];
         // Quotes survive strip_tags + entity decoding only in a hostile
         // or malformed username; answer with the generic not-found text.
         if (preg_match('/\'|"/', html_entity_decode(strip_tags($username), ENT_QUOTES))) {
             $content = dgettext('users', 'User name not found. Check your spelling or enter an email address instead.');
             return false;
         }
         $db = new PHPWS_DB('users');
         $db->addWhere('username', strtolower($username));
         $db->addColumn('email');
         $db->addColumn('id');
         $db->addColumn('deity');
         $db->addColumn('authorize');
         $user_search = $db->select('row');
         if (PHPWS_Error::logIfError($user_search)) {
             $content = dgettext('users', 'User name not found. Check your spelling or enter an email address instead.');
             return false;
         } elseif (empty($user_search)) {
             $content = dgettext('users', 'User name not found. Check your spelling or enter an email address instead.');
             return false;
         } else {
             // Deity accounts are hidden behind the not-found text so the
             // user cannot distinguish them; the attempt is still logged.
             if ($user_search['deity'] && !ALLOW_DEITY_FORGET) {
                 Security::log(dgettext('users', 'Forgotten password attempt made on a deity account.'));
                 $content = dgettext('users', 'User name not found. Check your spelling or enter an email address instead.');
                 return false;
             }
             // Loose comparison: any non-1 authorize value (including
             // null or a string) is treated as "not checked".
             if ($user_search['authorize'] != 1) {
                 $content = sprintf(dgettext('users', 'Sorry but your authorization is not checked on this site. Please contact %s for information on reseting your password.'), PHPWS_User::getUserSetting('site_contact'));
                 return false;
             }
             // isPosted() presumably detects a repeated submission of the
             // same form and suppresses a second email — TODO confirm.
             if (PHPWS_Core::isPosted()) {
                 $content = dgettext('users', 'Please check your email for a response.');
                 return true;
             }
             if (empty($user_search['email'])) {
                 $content = dgettext('users', 'Your email address is missing from your account. Please contact the site administrators.');
                 PHPWS_Error::log(USER_ERR_NO_EMAIL, 'users', 'User_Action::postForgot');
                 return true;
             }
             if (User_Action::emailPasswordReset($user_search['id'], $user_search['email'])) {
                 $content = dgettext('users', 'We have sent you an email to reset your password.');
                 return true;
             } else {
                 $content = dgettext('users', 'We are currently unable to send out email reminders. Try again later.');
                 return true;
             }
         }
     } elseif (!empty($_POST['fg_email'])) {
         $email = $_POST['fg_email'];
         // Same quote filter as the username branch, then a syntactic
         // email check; both failures use the generic not-found text.
         if (preg_match('/\'|"/', html_entity_decode(strip_tags($email), ENT_QUOTES))) {
             $content = dgettext('users', 'Email address not found. Please try again.');
             return false;
         }
         if (!PHPWS_Text::isValidInput($email, 'email')) {
             $content = dgettext('users', 'Email address not found. Please try again.');
             return false;
         }
         $db = new PHPWS_DB('users');
         $db->addWhere('email', $email);
         $db->addColumn('username');
         $user_search = $db->select('row');
         if (PHPWS_Error::logIfError($user_search)) {
             $content = dgettext('users', 'Email address not found. Please try again.');
             return false;
         } elseif (empty($user_search)) {
             $content = dgettext('users', 'Email address not found. Please try again.');
             return false;
         } else {
             // See the isPosted() note in the username branch.
             if (PHPWS_Core::isPosted()) {
                 $content = dgettext('users', 'Please check your email for a response.');
                 return true;
             }
             // The reminder goes to the address that matched in the
             // database, which is the address the user supplied.
             if (User_Action::emailUsernameReminder($user_search['username'], $email)) {
                 $content = dgettext('users', 'We have sent you an user name reminder. Please check your email and return to log in.');
                 return true;
             } else {
                 $content = dgettext('users', 'We are currently unable to send out email reminders. Try again later.');
                 return true;
             }
         }
     }
 }
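 /**
  * Log the session user in from the "remember_me" cookie.
  *
  * The cookie holds a serialized array with a username and a password
  * value that must match a row in user_authorization; the matching users
  * row must be approved and active, and not a deity unless
  * ALLOW_DEITY_REMEMBER_ME is set. Every check fails closed.
  *
  * Security notes:
  *  - The cookie is untrusted input handed to unserialize(). A forged
  *    cookie could otherwise instantiate arbitrary classes and run their
  *    __wakeup()/__destruct() (PHP object injection) before the is_array
  *    check ever rejects it. The payload is therefore refused up front if
  *    it contains an object or Serializable marker (O:/C:), and on PHP 7+
  *    unserialize() is additionally called with allowed_classes => false.
  *  - NOTE(review): the cookie carries whatever user_authorization.password
  *    stores and that value is compared directly, so it acts as a
  *    long-lived bearer token; a random, per-device, revocable remember-me
  *    token would be safer. Not changed here.
  *
  * @return bool true when the session user was loaded and logged in
  */
 public static function rememberLogin()
 {
     if (!isset($_SESSION['User'])) {
         return false;
     }
     $remember = PHPWS_Cookie::read('remember_me');
     if (!$remember || !is_string($remember)) {
         return false;
     }
     // Reject anything that could unserialize into an object. The only
     // legitimate payload is a plain array of two strings, so an O:/C:
     // token at the start of a serialized value is never expected.
     if (preg_match('/(^|[;{])[OC]:\\d+:"/', $remember)) {
         Security::log(dgettext('users', 'User tried to login using Remember Me with a malformed cookie.'));
         return false;
     }
     if (PHP_VERSION_ID >= 70000) {
         $rArray = @unserialize($remember, array('allowed_classes' => false));
     } else {
         $rArray = @unserialize($remember);
     }
     if (!is_array($rArray)) {
         return false;
     }
     if (!isset($rArray['username']) || !isset($rArray['password'])) {
         return false;
     }
     // Both fields must be strings: preg_match()/strtolower() on an array
     // would only emit warnings and fall through instead of rejecting.
     if (!is_string($rArray['username']) || !is_string($rArray['password'])) {
         return false;
     }
     // The stored password value is expected to be [A-Za-z0-9_] only.
     if (preg_match('/\\W/', $rArray['password'])) {
         return false;
     }
     $username = strtolower($rArray['username']);
     if (preg_match('/\'|"/', html_entity_decode($username, ENT_QUOTES))) {
         Security::log(dgettext('users', 'User tried to login using Remember Me with a malformed cookie.'));
         return false;
     }
     $db = new PHPWS_DB('user_authorization');
     $db->addWhere('username', $username);
     $db->addWhere('password', $rArray['password']);
     $result = $db->select('row');
     if (!$result) {
         return false;
     } elseif (PHPWS_Error::isError($result)) {
         PHPWS_Error::log($result);
         return false;
     }
     $db2 = new PHPWS_DB('users');
     $db2->addWhere('username', $username);
     $db2->addWhere('approved', 1);
     $db2->addWhere('active', 1);
     if (!ALLOW_DEITY_REMEMBER_ME) {
         $db2->addWhere('deity', 0);
     }
     $result = $db2->loadObject($_SESSION['User']);
     if (!$result) {
         return false;
     } elseif (PHPWS_Error::isError($result)) {
         PHPWS_Error::log($result);
         return false;
     }
     $_SESSION['User']->login();
     return true;
 }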