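<?php
// Registration front controller: serves the sign-up form, validates a
// submission, and drives the e-mail confirmation / resend flows.
require_once 'vendor/autoload.php';
include_once 'config.php';
include_once 'redis.php';
include_once 'utils.php';

// Outside debug mode every notice/warning is silenced so nothing internal
// leaks into the rendered page. Note that error_reporting(0) also stops the
// errors from being logged, not only from being displayed.
if (!$DEBUG) {
    error_reporting(0);
}

// Session cookie hardening, applied before the session is started:
//  - cookie_httponly keeps the session id out of reach of page scripts;
//  - use_strict_mode makes PHP refuse session ids it did not issue itself
//    (closes the classic session-fixation path).
ini_set('session.cookie_httponly', '1');
ini_set('session.use_strict_mode', '1');
session_start();

use Gregwar\Captcha\PhraseBuilder;
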
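/**
 * Render the registration form, optionally preceded by an error box, plus the
 * small script that lets the visitor fetch a fresh captcha image.
 *
 * A new captcha token is written to the session on every render; captcha.php
 * (which receives it as ?token=) is expected to bind the generated phrase to
 * that token.
 *
 * @param string|false $error  HTML error text for html/error.htm, or false for none.
 * @return void
 */
function register_page($error = false)
{
    include 'config.php'; // brings $BASE_URL into local scope
    if ($error) {
        include 'html/error.htm';
    }
    $_SESSION["captcha_token"] = generateRandomString(12);
    include "html/register.htm";

    // The captcha URL is emitted inside a <script> block, so it is encoded as
    // a JavaScript string literal rather than concatenated raw. JSON_HEX_*
    // keeps "</script>", quotes and ampersands inert whatever $BASE_URL holds.
    $captchaUrl = json_encode(
        $BASE_URL . '/captcha.php?token=' . $_SESSION["captcha_token"],
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_SLASHES
    );
    echo '
<script>
const reload_captcha = async (e) => {
    var cont = document.getElementById("reload_captcha");
    cont.innerHTML = "<div class=\'spinner-border text-info\' role=\'status\'><span class=\'sr-only\'>Loading...</span></div>";
    var img = document.getElementById("captcha")
    var url = ' . $captchaUrl . '
    await fetch(url, { cache: "reload", mode: "no-cors" })
        .then(() => {
            img.src = url+"&t=" + new Date().getTime();
            setTimeout( () => {
                cont.innerHTML = "<button id=\'reload\' class=\'btn btn-outline-info\' type=\'button\'> <span class=\'glyphicon glyphicon-refresh\' aria-hidden=\'true\'></span></button>";
                bindButton()
            }, 500);
        })
}
function bindButton(){
    var button = document.getElementById("reload");
    button.addEventListener("click", reload_captcha)
}
bindButton()
</script>
';
}
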
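/**
 * Validate a registration submission and return the HTML error text.
 *
 * Returns "" when every check passed. Each failed check appends one
 * "<br>"-terminated message and removes the offending field from $_POST so
 * the re-rendered form does not pre-fill it with the rejected value.
 *
 * Order of operations: the captcha is evaluated first and consumed (the
 * session phrase is cleared whether or not it matched) but its message is
 * still appended last, so the returned text reads exactly as before. The
 * directory / pending-list lookups that disclose whether a username or
 * e-mail already exists only run when the captcha matched, so the form cannot
 * be used to enumerate accounts without solving a captcha for every probe.
 *
 * Length limits are byte lengths (strlen), matching the LDAP-side limits in
 * $VAL_USER.
 *
 * @param User $user  Object built from the submitted fields; user_name, name,
 *                    last_name and email are read here.
 * @return string  Concatenated error messages, "" if the request is valid.
 */
function verify_request($user)
{
    unset($_SESSION['captcha_token']);
    include "config.php";               // $VAL_USER, $MAIL_HOST_BLACKLIST
    include "blacklists/usernames.php"; // $USERNAME_BLACKLIST
    include "blacklists/password.php";  // $PASSWORD_BLACKLIST
    $error = "";

    // Captcha: compared once, then discarded so a phrase can never be replayed.
    $captchaAnswer = $_POST['captcha'] ?? '';
    $captchaOk = isset($_SESSION['captcha'])
        && is_string($captchaAnswer)
        && PhraseBuilder::comparePhrases($_SESSION['captcha'], $captchaAnswer);
    unset($_SESSION["captcha"]);

    $userName = (string) $user->user_name;
    $firstName = (string) $user->name;
    $lastName = (string) $user->last_name;
    $email = (string) $user->email;

    // --- username -----------------------------------------------------------
    if ($captchaOk && ldap_user_count($userName)) {
        $error .= "This username is already in use! Please choose another username<br>";
        unset($_POST["username"]);
    }
    if (preg_match("/\s/", $userName)) {
        $error .= "Username cannot contain whitespaces<br>";
        unset($_POST["username"]);
    }
    if (strlen($userName) > $VAL_USER->max_username) {
        $error .= "Username has to be smaller than " . ($VAL_USER->max_username + 1) . " characters<br>";
        unset($_POST["username"]);
    }
    if (strlen($userName) < $VAL_USER->min_username) {
        $error .= "Username has to be bigger than " . ($VAL_USER->min_username - 1) . " characters<br>";
        unset($_POST["username"]);
    }
    if (preg_match('/[\'\/~`\!@#\$%\^&\*\(\)_\-\+=\{\}\[\]\|;:"\<\>,\.\?\\\]/', $userName)) {
        $error .= "The username cannot contain special characters<br>";
        unset($_POST["username"]);
    }
    if (preg_match('/^\d/', $userName)) {
        $error .= "The username cannot begin with a number<br>";
        unset($_POST["username"]);
    }
    if (in_array($userName, $USERNAME_BLACKLIST, true)) {
        $error .= "That Username is not allowed!<br>";
        unset($_POST["username"]);
    }

    // --- first name -----------------------------------------------------------
    if (preg_match("/\s/", $firstName)) {
        $error .= "First Name cannot contain whitespaces<br>";
        unset($_POST["name"]);
    }
    if (strlen($firstName) > $VAL_USER->max_first_name) {
        $error .= "First Name has to be smaller than " . ($VAL_USER->max_first_name + 1) . " characters<br>";
        unset($_POST["name"]);
    }
    if (strlen($firstName) < $VAL_USER->min_first_name) {
        $error .= "First Name has to be bigger than " . ($VAL_USER->min_first_name - 1) . " characters<br>";
        unset($_POST["name"]);
    }
    // Pattern kept as-is. Note that PCRE reads the trailing `\0-9` in this
    // class as the range NUL..'9', which appears to cover space and most ASCII
    // punctuation as well as the digits — wider than the message suggests.
    if (preg_match('/[\'\/~`\!@#\$%\^&\*\(\)_\-\+=\{\}\[\]\|;:"\<\>,\.\?\\\0-9]/', $firstName)) {
        $error .= "The first name cannot contain special characters or numbers<br>";
        unset($_POST["name"]);
    }

    // --- last name ------------------------------------------------------------
    if (preg_match("/\s/", $lastName)) {
        $error .= "Last Name cannot contain whitespaces<br>";
        unset($_POST["last_name"]);
    }
    if (strlen($lastName) > $VAL_USER->max_last_name) {
        $error .= "Last Name has to be smaller than " . ($VAL_USER->max_last_name + 1) . " characters<br>";
        unset($_POST["last_name"]);
    }
    if (strlen($lastName) < $VAL_USER->min_last_name) {
        $error .= "Last Name has to be bigger than " . ($VAL_USER->min_last_name - 1) . " characters<br>";
        unset($_POST["last_name"]);
    }
    if (preg_match('/[\'\/~`\!@#\$%\^&\*\(\)_\-\+=\{\}\[\]\|;:"\<\>,\.\?\\\ 0-9]/', $lastName)) {
        $error .= "The last name cannot contain special characters or numbers<br>";
        unset($_POST["last_name"]);
    }

    // --- e-mail ---------------------------------------------------------------
    if ($captchaOk && ldap_mail_count($email)) {
        $error .= "This email already has an account. Did you forget your password?<br>";
        unset($_POST["email"]);
    }
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        $error .= "Invalid email format<br>";
        unset($_POST["email"]);
    } else {
        // Mail domains are case-insensitive, so the host block-list is matched
        // in lower case on both sides (otherwise "GMAIL.COM" would slip past).
        $domain = strtolower(substr(strrchr($email, "@"), 1));
        $blockedHosts = array_map(
            static function ($host) {
                return strtolower((string) $host);
            },
            (array) $MAIL_HOST_BLACKLIST
        );
        if (in_array($domain, $blockedHosts, true)) {
            $error .= "This email service is not allowed<br>";
            unset($_POST["email"]);
        }
    }
    if ($captchaOk) {
        $pending = redis_get("pending");
        if ($pending && in_array($email, (array) ($pending->mails ?? []), true)) {
            $error .= "This email is already pending approval, check your mailbox or try to register with a different email<br>";
            unset($_POST["email"]);
        }
    }

    // --- password -------------------------------------------------------------
    $password = $_POST["password"] ?? '';
    if (!is_string($password)) {
        $password = '';
    }
    // Strict comparison: with `!=` numeric-looking strings such as "1e3" and
    // "1000" would have been accepted as matching.
    if ($password !== ($_POST["password_confirm"] ?? '')) {
        $error .= "Passwords do not match!<br>";
        unset($_POST["password_confirm"]);
    }
    if (strlen($password) < $VAL_USER->min_password) {
        $error .= "Password should have at least " . $VAL_USER->min_password . " characters<br>";
        unset($_POST["password"], $_POST["password_confirm"]);
    }
    if (strlen($password) > $VAL_USER->max_password) {
        $error .= "Your password is too big!<br>";
        unset($_POST["password"], $_POST["password_confirm"]);
    }
    if (in_array($password, $PASSWORD_BLACKLIST, true)) {
        $error .= "That password is not allowed!<br>";
        unset($_POST["password"], $_POST["password_confirm"]);
    }

    // The password may not contain any name/e-mail and vice versa
    // (case-insensitive). Fields rejected above were unset and are skipped;
    // empty strings are skipped too, because an empty needle matches anything.
    $upperPassword = strtoupper($password);
    foreach (["username", "name", "last_name", "email"] as $field) {
        $fieldValue = $_POST[$field] ?? null;
        if (!is_string($fieldValue) || $fieldValue === '' || $upperPassword === '') {
            continue;
        }
        $upperValue = strtoupper($fieldValue);
        if (strpos($upperValue, $upperPassword) !== false || strpos($upperPassword, $upperValue) !== false) {
            $error .= "Your password cannot contain any of your names or email neither the names can contain the password<br>";
            unset($_POST["password"], $_POST["password_confirm"]);
            break;
        }
    }

    if (!$captchaOk) {
        $error .= "Wrong captcha!<br>";
    }

    return $error;
}
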
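/**
 * Park a validated registration in Redis and e-mail the confirmation link.
 *
 * The User object is stored under a fresh random token that expires after
 * $MAIL_CONFIRMATION_AWAIT_DELAY; only the token travels in the e-mail. The
 * address is also appended to the shared "pending" list so a second sign-up
 * with the same e-mail is refused while the first is unconfirmed.
 *
 * NOTE(review): the parked object presumably still carries the submitted
 * password (ldap_add_user needs it at confirmation time) — confirm in User,
 * and make sure Redis is not reachable beyond this application. The token's
 * unguessability rests entirely on generateRandomString() using a CSPRNG
 * (random_bytes/random_int); verify that in utils.php.
 *
 * The session values set here (resend, token, email) are consumed by the
 * "resend" branch of the page controller.
 *
 * @param User $user  Validated registration (email is read here).
 * @return void
 */
function approve_request($user)
{
    include "mail.php"; // expected to provide send_mail() and the $BASE_URL/$SMTP/$MAIL_* settings
    echo "<h2>Almost there! Confirm your email</h2>";

    $token = generateRandomString();
    redis_set($token, $user, $MAIL_CONFIRMATION_AWAIT_DELAY);

    // Append to the pending list; (array) tolerates a list that came back as
    // an object, array_values keeps it a proper list for the next reader.
    $pending = redis_get("pending");
    $maillist = $pending ? (array) ($pending->mails ?? []) : [];
    $maillist[] = $user->email;
    redis_set("pending", (object) ["mails" => array_values($maillist)], $MAIL_CONFIRMATION_AWAIT_DELAY);

    $url = $BASE_URL . "?type=confirmation&token=" . $token;
    // Some providers only accept mail from the fallback relay.
    $domain = explode("@", $user->email)[1];
    $smtp = in_array($domain, $MAIL_HOST_DIRECT_FALLBACK, true) ? $FALLBACK_SMTP : $SMTP;
    send_mail($user->email, $smtp, (object) [
        "subject" => $MAIL_TEMPLATE->subject,
        "text" => str_replace("{{url}}", $url, $MAIL_TEMPLATE->text),
        "html" => str_replace("{{url}}", $url, $MAIL_TEMPLATE->html),
    ]);

    // One-shot resend token; the controller clears all three after use.
    $_SESSION['resend'] = generateRandomString(12);
    $_SESSION['token'] = $token;
    $_SESSION['email'] = $user->email;
    $resendUrl = $BASE_URL . "/?type=resend&token=" . $_SESSION['resend'];
    echo "<p>Didn't receive anything yet? <a href='" . htmlspecialchars($resendUrl, ENT_QUOTES, 'UTF-8') . "'>Click here</a> to resend the confirmation email.</p>";
}

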
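// PAGE
include "html/header.htm";

if ($_SERVER["REQUEST_METHOD"] === "POST") {
    include 'ldap.php';
    if (($_POST['type'] ?? null) === "register") {
        // Read a form field as a plain string ("" when absent or not a scalar),
        // so a crafted "field[]=" submission cannot hand an array to the validators.
        $postString = static function ($key) {
            $value = $_POST[$key] ?? '';
            return is_string($value) ? $value : '';
        };
        $user = new User(
            $postString("username"),
            $postString("name"),
            $postString("last_name"),
            $postString("email"),
            $postString("password")
        );
        // Per-IP hourly cap on registration attempts, counted before validation
        // so failed attempts also consume the budget.
        // NOTE(review): the cap is only as strong as getClientIP() — if it
        // honours client-supplied forwarding headers it can be bypassed; confirm
        // in utils.php against the deployment's proxy setup.
        if (redis_inc_ipdata(getClientIP(), "register", true) > $HOURLY_REGISTRATIONS) {
            include "html/registration_limit.htm";
        } else {
            $error = verify_request($user);
            if ($error) {
                register_page($error);
            } else {
                approve_request($user);
            }
        }
    }
} elseif (isset($_GET['type'])) {
    switch ($_GET['type']) {
        case "confirmation":
            $token = $_GET["token"] ?? null;
            if (!is_string($token) || $token === '') {
                echo "INVALID REQUEST!";
                break;
            }
            include "ldap.php";
            // NOTE(review): confirmation tokens share the Redis key space with
            // the "pending" list and the per-IP counters, so the looked-up value
            // is only accepted when it looks like a parked User.
            $user = redis_get($token);
            if ($user && isset($user->email)) {
                echo "<h1>Email Confirmation</h1>";
                if (ldap_add_user($user)) {
                    // NOTE(review): output (header.htm and the <h1>) has already
                    // been sent at this point, so this Location header is
                    // silently dropped unless output buffering is enabled — confirm.
                    if ($REDIRECT_TO) {
                        header("Location: " . $REDIRECT_TO);
                    }
                    $pending = redis_get("pending");
                    if ($pending) {
                        $maillist = (array) ($pending->mails ?? []);
                        if (in_array($user->email, $maillist, true)) {
                            // Re-index after removal: if redis_set JSON-encodes,
                            // a sparse array would come back as an object and
                            // break the next in_array() on it.
                            $maillist = array_values(array_diff($maillist, [$user->email]));
                            redis_set("pending", (object) ["mails" => $maillist], $MAIL_CONFIRMATION_AWAIT_DELAY);
                        }
                    }
                    redis_inc_ipdata(getClientIP(), "register");
                    include "html/mail_confirmed.htm";
                } else {
                    include "html/registration_error.htm";
                }
                // Single use, whether or not the directory add succeeded.
                redis_delete($token);
            } else {
                include "html/token_expired.htm";
            }
            break;
        case "resend":
            $supplied = $_GET['token'] ?? null;
            // Type-strict, constant-time comparison of the one-shot resend token
            // (`==` would treat numeric-looking strings as equal).
            if (is_string($supplied) && isset($_SESSION['resend'])
                && hash_equals((string) $_SESSION['resend'], $supplied)) {
                include "mail.php";
                include "html/resend_mail.htm";
                $token = $_SESSION['token'];
                $url = $BASE_URL . "?type=confirmation&token=" . $token;
                $smtp = $FALLBACK_SMTP; // resend always goes via the fallback relay, unlike approve_request
                $mail = $_SESSION["email"];
                send_mail($mail, $smtp, (object) [
                    "subject" => $MAIL_TEMPLATE->subject,
                    "text" => str_replace("{{url}}", $url, $MAIL_TEMPLATE->text),
                    "html" => str_replace("{{url}}", $url, $MAIL_TEMPLATE->html),
                ]);
                unset($_SESSION['resend'], $_SESSION['token'], $_SESSION['email']);
            }
            break;
    }
} else {
    unset($_SESSION['captcha_token']);
    register_page();
}

include "html/bottom.htm";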