diff -r 0ae1b281a884 -r af0f6ec48de3 plugins/SpecialUserFuncs.php
--- a/plugins/SpecialUserFuncs.php Mon Sep 17 11:52:58 2007 -0400
+++ b/plugins/SpecialUserFuncs.php Tue Sep 18 00:30:43 2007 -0400
@@ -333,6 +333,12 @@
 function page_Special_Register()
 {
 global $db, $session, $paths, $template, $plugins; // Common objects
+
+ // form field trackers
+ $username = '';
+ $email = '';
+ $realname = '';
+
 if(getConfig('account_activation') == 'disable' && ( ( $session->user_level >= USER_LEVEL_ADMIN && !isset($_GET['IWannaPlayToo']) ) || $session->user_level < USER_LEVEL_ADMIN || !$session->user_logged_in ))
 {
 $s = ($session->user_level >= USER_LEVEL_ADMIN) ? '

Oops...it seems that you are the administrator...hehe...you can also force account registration to work.

' : ''; @@ -360,9 +366,38 @@ else { $coppa = ( isset($_POST['coppa']) && $_POST['coppa'] == 'yes' ); + $s = false; + + // decrypt password + // as with the change pass form, we aren't going to bother checking the confirmation code because if the passwords didn't match + // and yet the password got encrypted, that means the user screwed with the code, and if the user screwed with the code and thus + // forgot his password, that's his problem. + + if ( $_POST['use_crypt'] == 'yes' ) + { + $aes = new AESCrypt(AES_BITS, AES_BLOCKSIZE); + $crypt_key = $session->fetch_public_key($_POST['crypt_key']); + if ( !$crypt_key ) + { + $s = 'Couldn\'t look up public encryption key'; + } + else + { + $data = $_POST['crypt_data']; + $bin_key = hexdecode($crypt_key); + //die("Decrypting with params: key $crypt_key, data $data"); + $password = $aes->decrypt($data, $bin_key, ENC_HEX); + } + } + else + { + $password = $_POST['password']; + } // CAPTCHA code was correct, create the account - $s = $session->create_user($_POST['username'], $_POST['password'], $_POST['email'], $_POST['real_name'], $coppa); + // ... and check for errors returned from the crypto API + if ( !$s ) + $s = $session->create_user($_POST['username'], $password, $_POST['email'], $_POST['real_name'], $coppa); } } if($s == 'success' && !$coppa) @@ -387,6 +422,9 @@ $str = 'However, in compliance with the Childrens\' Online Privacy Protection Act, you must have your parent or legal guardian activate your account. Please ask them to check their e-mail for further information.'; die_friendly('Registration successful', '
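Review bot: The added crypto branch reads `$_POST['use_crypt']`, `$_POST['crypt_key']` and `$_POST['crypt_data']` without `isset()`, so a client that submits the form without those fields (JavaScript off, or a hand-built request) raises undefined-index notices before the `$s` error path is ever reached; guard them with `$use_crypt = isset($_POST['use_crypt']) && $_POST['use_crypt'] === 'yes';` and `$data = isset($_POST['crypt_data']) ? $_POST['crypt_data'] : '';`. The commented-out `//die("Decrypting with params: key $crypt_key, data $data");` would print the decryption key and ciphertext to the browser if anyone re-enables it; delete the line rather than leave it in. Since the value from `fetch_public_key()` is hex-decoded and used directly as the AES key, the browser must have received that same key in the page, so this is a symmetric key shared in-band and the comment should say so, e.g. `// NOTE: the "public key" is a server-generated symmetric key sent with the form; it hides the password from casual logging but is not a substitute for transport encryption`. Whether `create_user()` applies the `pw_strength_minimum` check that the reset-password hunk adds server-side is not visible here; if it does not, the registration path enforces password strength only in the browser.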

Thank you for registering, your user account has been created. '.$str.'

'); } + $username = htmlspecialchars($_POST['username']); + $email = htmlspecialchars($_POST['email']); + $realname = htmlspecialchars($_POST['real_name']); } $template->header(); echo 'A user account enables you to have greater control over your browsing experience.'; @@ -396,9 +434,13 @@ $coppa = ( isset($_GET['coppa']) && $_GET['coppa'] == 'yes' ); $session->kill_captcha(); $captchacode = $session->make_captcha(); + + $pubkey = $session->rijndael_genkey(); + $challenge = $session->dss_rand(); + ?>
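Review bot: `htmlspecialchars()` is called here with its default flags, which on PHP before 8.1 leave single quotes unescaped; since `$username`, `$email` and `$realname` are initialised earlier as form-field trackers and presumably echoed back into the registration form's input attributes, pass `ENT_QUOTES` so the value is safe under either attribute quoting style: `$username = htmlspecialchars($_POST['username'], ENT_QUOTES);` (and the same for the two lines below it). The three `$_POST` reads also assume the fields were submitted; if this branch can be reached on a GET, wrap them in `isset()`. The enclosing function continues outside the hunk.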

Create a user account

-
+
@@ -412,7 +454,7 @@ - - @@ -436,10 +481,20 @@ + + + + + + + + @@ -493,7 +548,7 @@ @@ -501,7 +556,7 @@ @@ -511,6 +566,79 @@ $val = ( $coppa ) ? 'yes' : 'no'; echo ''; ?> + + + + + @@ -525,7 +653,9 @@ // Username if(!namegood) { - if(frm.username.value.match(/^([A-z0-9 \!@\-\(\)]+){2,}$/ig)) + //if(frm.username.value.match(/^([A-z0-9 \!@\-\(\)]+){2,}$/ig)) + var regex = new RegExp('^([^<>_&\?]+){2,}$', 'ig'); + if ( frm.username.value.match(regex) ) { document.getElementById('s_username').src='/images/unknown.gif'; document.getElementById('e_username').innerHTML = ''; // '
Checking availability...'; @@ -616,10 +746,13 @@ } function regenCaptcha() { - var frm = document.forms.regform; document.getElementById('captchaimg').src = ''+frm.captchahash.value+'/'+Math.floor(Math.random() * 100000); return false; } + + var frm = document.forms.regform; + password_score_field(frm.password); + validateForm(); setTimeout('checkUsername();', 1000); // ]]> @@ -898,9 +1031,9 @@ $row = $db->fetchrow(); $db->free_result(); - if ( ( intval($row['temp_password_time']) + 3600 * 24 ) < time() ) + if ( ( intval($row['temp_password_time']) + ( 3600 * 24 ) ) < time() ) { - echo '
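Review bot: The new username pattern `'^([^<>_&\?]+){2,}$'` replaces the previous allow-list with a deny-list of four characters, so the browser-side check now accepts almost any input, including quotes, slashes and control characters; that is acceptable only if the server-side path (`create_user()`, not visible here) applies the authoritative rule, and the comment should say so: `// client-side hint only; the server enforces the real username policy`. Keeping the old pattern as a commented-out line (`//if(frm.username.value.match(/^([A-z0-9 \!@\-\(\)]+){2,}$/ig))`) is dead code that will drift from whatever the server accepts; delete it. The `i` flag in `'ig'` has no effect on a negated character class and `{2,}` applied to a `+` group only expresses a two-character minimum, which reads more clearly as `'^[^<>_&?]{2,}$'`. The enclosing function starts and ends outside the hunk.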

Password has expired

'; + echo '

Your temporary password has expired. Please request another one.

'; $template->footer(); return false; } @@ -949,6 +1082,18 @@ $template->footer(); return false; } + if ( getConfig('pw_strength_enable') == '1' ) + { + $min_score = intval(getConfig('pw_strength_minimum')); + $inp_score = password_score($data); + if ( $inp_score < $min_score ) + { + $url = makeUrl($paths->fullpage); + echo "

ERROR: Your password did not pass the complexity score requirement. You need $min_score points to pass; your password received a score of $inp_score. Go back

"; + $template->footer(); + return false; + } + } $encpass = $aes->encrypt($data, $session->private_key, ENC_HEX); $q = $db->sql_query('UPDATE '.table_prefix.'users SET password=\'' . $encpass . '\',temp_password=\'\',temp_password_time=0 WHERE user_id='.$user_id.';'); @@ -969,14 +1114,19 @@ // Password reset form $pubkey = $session->rijndael_genkey(); + $evt_get_score = ( getConfig('pw_strength_enable') == '1' ) ? 'onkeyup="password_score_field(this);" ' : ''; + $pw_meter = ( getConfig('pw_strength_enable') == '1' ) ? '
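Review bot: The new minimum-score check in the reset-password path interpolates `$url` straight into the error markup; `$min_score` is an `intval()` result, but `$url` from `makeUrl($paths->fullpage)` is not visibly escaped, so write it as `htmlspecialchars($url, ENT_QUOTES)` unless makeUrl already guarantees attribute-safe output. `$inp_score` is the return value of `password_score($data)`; if that can be anything other than an integer, escape it the same way. Because the check runs after the expiry check and before the UPDATE, a weak password is rejected before it is stored, and a comment such as `// enforce the configured minimum before the new password is written` would keep the ordering from being lost in a later refactor. The enclosing function starts and ends outside the hunk.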
' : ''; + $pw_blurb = ( getConfig('pw_strength_enable') == '1' && intval(getConfig('pw_strength_minimum')) > -10 ) ? '
Your password needs to have a score of at least '.getConfig('pw_strength_minimum').'.' : ''; + ?>
Please tell us a little bit about yourself.
- + Good/bad icon @@ -421,14 +463,17 @@
+ Password: + -10 ): ?> + It needs to score at least for your registration to be accepted. + - + Loading... + Good/bad icon
- Enter your password again to confirm. + Enter your password again to confirm.
+
+
@@ -455,7 +510,7 @@ ?> - + Good/bad icon @@ -469,7 +524,7 @@ Giving your real name is totally optional. If you choose to provide your real name, it will be used to provide attribution for any edits or contributions you may make to this site. - +
Code: - +
- +
Password strength rating:
- + +
Reset password
Password:
Password:/>
Confirm: