From 4569cae57f127afd093794310ccd290d2d9fdf36 Mon Sep 17 00:00:00 2001 From: Marius Burkard <m.burkard@pixcept.de> Date: Wed, 20 Apr 2016 10:58:46 -0400 Subject: [PATCH] Merge branch 'stable-3.1' --- interface/web/login/password_reset.php | 96 +++++++++++++++++++++++++++++++++++++++++++---- 1 files changed, 87 insertions(+), 9 deletions(-) diff --git a/interface/web/login/password_reset.php b/interface/web/login/password_reset.php index 683a4bc..dbb545d 100644 --- a/interface/web/login/password_reset.php +++ b/interface/web/login/password_reset.php @@ -1,7 +1,7 @@ <?php /* -Copyright (c) 2008, Till Brehm, projektfarm Gmbh +Copyright (c) 2008 - 2015, Till Brehm, ISPConfig UG All rights reserved. Redistribution and use in source and binary forms, with or without modification, @@ -38,27 +38,88 @@ // Loading the template $app->uses('tpl'); -$app->tpl->newTemplate("form.tpl.htm"); +$app->tpl->newTemplate('main_login.tpl.htm'); $app->tpl->setInclude('content_tpl', 'templates/password_reset.htm'); $app->tpl_defaults(); include ISPC_ROOT_PATH.'/web/login/lib/lang/'.$_SESSION['s']['language'].'.lng'; $app->tpl->setVar($wb); +$continue = true; if(isset($_POST['username']) && $_POST['username'] != '' && $_POST['email'] != '' && $_POST['username'] != 'admin') { - - if(!preg_match("/^[\w\.\-\_]{1,64}$/", $_POST['username'])) die($app->lng('user_regex_error')); - if(!preg_match("/^\w+[\w.-]*\w+@\w+[\w.-]*\w+\.[a-z]{2,10}$/i", $_POST['email'])) die($app->lng('email_error')); + if(!preg_match("/^[\w\.\-\_]{1,64}$/", $_POST['username'])) { + $app->tpl->setVar("error", $wb['user_regex_error']); + $continue = false; + } + if(!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) { + $app->tpl->setVar("error", $wb['email_error']); + $continue = false; + } $username = $_POST['username']; $email = $_POST['email']; - $client = $app->db->queryOneRecord("SELECT client.*, sys_user.lost_password_function FROM client,sys_user WHERE client.username = ? AND client.email = ? AND client.client_id = sys_user.client_id", $username, $email); + $client = $app->db->queryOneRecord("SELECT client.*, sys_user.lost_password_function, sys_user.lost_password_hash, IF(sys_user.lost_password_reqtime IS NOT NULL AND DATE_SUB(NOW(), INTERVAL 15 MINUTE) < sys_user.lost_password_reqtime, 1, 0) as `lost_password_wait` FROM client,sys_user WHERE client.username = ? AND client.email = ? AND client.client_id = sys_user.client_id", $username, $email); if($client['lost_password_function'] == 0) { $app->tpl->setVar("error", $wb['lost_password_function_disabled_txt']); - } else { + } elseif($client['lost_password_wait'] == 1) { + $app->tpl->setVar("error", $wb['lost_password_function_wait_txt']); + } elseif ($continue) { + if($client['client_id'] > 0) { + $username = $client['username']; + $password_hash = sha1(uniqid('ispc_pw')); + $app->db->query("UPDATE sys_user SET lost_password_reqtime = NOW(), lost_password_hash = ? WHERE username = ?", $password_hash, $username); + $app->tpl->setVar("message", $wb['pw_reset_act']); + + $server_domain = (isset($_SERVER['SERVER_NAME']) ? $_SERVER['SERVER_NAME'] : $_SERVER['HTTP_HOST']); + if($server_domain == '_') { + $tmp = explode(':',$_SERVER["HTTP_HOST"]); + $server_domain = $tmp[0]; + unset($tmp); + } + if(!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != 'on') $server_domain = 'http://' . $server_domain; + else $server_domain = 'https://' . $server_domain; + + if(isset($_SERVER['SERVER_PORT']) && $_SERVER['SERVER_PORT'] != '443') $server_domain .= ':' . $_SERVER['SERVER_PORT']; + + $app->uses('getconf,ispcmail'); + $mail_config = $server_config_array['mail']; + if($mail_config['smtp_enabled'] == 'y') { + $mail_config['use_smtp'] = true; + $app->ispcmail->setOptions($mail_config); + } + $app->ispcmail->setSender($mail_config['admin_mail'], $mail_config['admin_name']); + $app->ispcmail->setSubject($wb['pw_reset_act_mail_title']); + $app->ispcmail->setMailText($wb['pw_reset_act_mail_msg'].$server_domain . '/login/password_reset.php?username=' . urlencode($username) . '&hash=' . urlencode($password_hash)); + $app->ispcmail->send(array($client['contact_name'] => $client['email'])); + $app->ispcmail->finish(); + + $app->tpl->setVar("msg", $wb['pw_reset_act']); + } else { + $app->tpl->setVar("error", $wb['pw_error']); + } + } +} elseif(isset($_GET['username']) && $_GET['username'] != '' && $_GET['hash'] != '') { + + if(!preg_match("/^[\w\.\-\_]{1,64}$/", $_GET['username'])) { + $app->tpl->setVar("error", $wb['user_regex_error']); + $continue = false; + } + + $username = $_GET['username']; + $hash = $_GET['hash']; + + $client = $app->db->queryOneRecord("SELECT client.*, sys_user.lost_password_function, sys_user.lost_password_hash, IF(sys_user.lost_password_reqtime IS NULL OR DATE_SUB(NOW(), INTERVAL 1 DAY) > sys_user.lost_password_reqtime, 1, 0) as `lost_password_expired` FROM client,sys_user WHERE client.username = ? AND client.client_id = sys_user.client_id", $username); + + if($client['lost_password_function'] == 0) { + $app->tpl->setVar("error", $wb['lost_password_function_disabled_txt']); + } elseif($client['lost_password_expired'] == 1) { + $app->tpl->setVar("error", $wb['lost_password_function_expired_txt']); + } elseif($client['lost_password_hash'] != $hash) { + $app->tpl->setVar("error", $wb['lost_password_function_denied_txt']); + } elseif ($continue) { if($client['client_id'] > 0) { $server_config_array = $app->getconf->get_global_config(); $min_password_length = 8; @@ -68,7 +129,7 @@ $new_password_encrypted = $app->auth->crypt_password($new_password); $username = $client['username']; - $app->db->query("UPDATE sys_user SET passwort = ? WHERE username = ?", $new_password_encrypted, $username); + $app->db->query("UPDATE sys_user SET passwort = ?, lost_password_hash = '', lost_password_reqtime = NULL WHERE username = ?", $new_password_encrypted, $username); $app->db->query("UPDATE client SET password = ? WHERE username = ?", $new_password_encrypted, $username); $app->tpl->setVar("message", $wb['pw_reset']); @@ -91,9 +152,26 @@ } } } else { - $app->tpl->setVar("msg", $wb['pw_error_noinput']); + if(isset($_POST) && count($_POST) > 0) $app->tpl->setVar("msg", $wb['pw_error_noinput']); } +$app->tpl->setVar('current_theme', isset($_SESSION['s']['theme']) ? $_SESSION['s']['theme'] : 'default'); + +// Logo +$logo = $app->db->queryOneRecord("SELECT * FROM sys_ini WHERE sysini_id = 1"); +if($logo['custom_logo'] != ''){ + $base64_logo_txt = $logo['custom_logo']; +} else { + $base64_logo_txt = $logo['default_logo']; +} +$tmp_base64 = explode(',', $base64_logo_txt, 2); +$logo_dimensions = $app->functions->getimagesizefromstring(base64_decode($tmp_base64[1])); +$app->tpl->setVar('base64_logo_width', $logo_dimensions[0].'px'); +$app->tpl->setVar('base64_logo_height', $logo_dimensions[1].'px'); +$app->tpl->setVar('base64_logo_txt', $base64_logo_txt); + +// Title +$app->tpl->setVar('company_name', $sys_config['company_name']. ' :: '); $app->tpl_defaults(); $app->tpl->pparse(); -- Gitblit v1.9.1