Many hyperlinks are disabled.
Use anonymous login
to enable hyperlinks.
Overview
Comment: | Revamp the /register page for added security. Require entry of a display name and email address. Validate the email address format and check for duplicate email addresses. |
---|---|
Downloads: | Tarball | ZIP archive |
Timelines: | family | ancestors | descendants | both | forum-v2 |
Files: | files | file ages | folders |
SHA3-256: |
d8b20a555fba69212893102e08f71e15 |
User & Date: | drh 2018-07-24 13:30:14.906 |
Context
2018-07-24
| ||
19:44 | Work toward pages to enter forum posts. This is an incremental check-in to save state and definitely does not work. ... (check-in: 7b5099ea user: drh tags: forum-v2) | |
13:30 | Revamp the /register page for added security. Require entry of a display name and email address. Validate the email address format and check for duplicate email addresses. ... (check-in: d8b20a55 user: drh tags: forum-v2) | |
02:14 | Typo fixes. ... (check-in: 452be61b user: drh tags: forum-v2) | |
Changes
Changes to src/email.c.
︙ | ︙ | |||
566 567 568 569 570 571 572 | } } return 0; } /* ** Make a copy of the input string up to but not including the | | | | | | | | 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 | } } return 0; } /* ** Make a copy of the input string up to but not including the ** first cTerm character. ** ** Verify that the string really that is to be copied really is a ** valid email address. If it is not, then return NULL. ** ** This routine is more restrictive than necessary. It does not ** allow comments, IP address, quoted strings, or certain uncommon ** characters. The only non-alphanumerics allowed in the local ** part are "_", "+", "-" and "+". */ char *email_copy_addr(const char *z, char cTerm ){ int i; int nAt = 0; int nDot = 0; char c; if( z[0]=='.' ) return 0; /* Local part cannot begin with "." */ for(i=0; (c = z[i])!=0 && c!=cTerm; i++){ if( fossil_isalnum(c) ){ /* Alphanumerics are always ok */ }else if( c=='@' ){ if( nAt ) return 0; /* Only a single "@" allowed */ if( i>64 ) return 0; /* Local part too big */ nAt = 1; nDot = 0; if( i==0 ) return 0; /* Disallow empty local part */ if( z[i-1]=='.' ) return 0; /* Last char of local cannot be "." */ if( z[i+1]=='.' || z[i+1]=='-' ){ return 0; /* Domain cannot begin with "." or "-" */ } }else if( c=='-' ){ if( z[i+1]==cTerm ) return 0; /* Last character cannot be "-" */ }else if( c=='.' ){ if( z[i+1]=='.' ) return 0; /* Do not allow ".." */ if( z[i+1]==cTerm ) return 0; /* Domain may not end with . */ nDot++; }else if( (c=='_' || c=='+') && nAt==0 ){ /* _ and + are ok in the local part */ }else{ return 0; /* Anything else is an error */ } } if( c!=cTerm ) return 0; /* Missing terminator */ if( nAt==0 ) return 0; /* No "@" found anywhere */ if( nDot==0 ) return 0; /* No "." in the domain */ /* If we reach this point, the email address is valid */ return mprintf("%.*s", i, z); } |
︙ | ︙ | |||
629 630 631 632 633 634 635 | Blob v; char *z, *zAddr; int i; email_header_value(pMsg, "to", &v); z = blob_str(&v); for(i=0; z[i]; i++){ | | | 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 | Blob v; char *z, *zAddr; int i; email_header_value(pMsg, "to", &v); z = blob_str(&v); for(i=0; z[i]; i++){ if( z[i]=='<' && (zAddr = email_copy_addr(&z[i+1],'>'))!=0 ){ azTo = fossil_realloc(azTo, sizeof(azTo[0])*(nTo+1) ); azTo[nTo++] = zAddr; } } *pnTo = nTo; *pazTo = azTo; } |
︙ | ︙ |
Changes to src/login.c.
︙ | ︙ | |||
1455 1456 1457 1458 1459 1460 1461 | /* ** WEBPAGE: register ** ** Page to allow users to self-register. The "self-register" setting ** must be enabled for this page to operate. */ void register_page(void){ | > | > > | | | | | < | | > | < | | < | | | > | > | | < | | | | < | > | | | | < < | | > | | | > | | < | | | > > | | | < < > > | | < | | | < < < | | > > > > > > > > > > > > > > > > > | > > > | | < < | > | > > > | 1455 1456 1457 1458 1459 1460 1461 1462 1463 1464 1465 1466 1467 1468 1469 1470 1471 1472 1473 1474 1475 1476 1477 1478 1479 1480 1481 1482 1483 1484 1485 1486 1487 1488 1489 1490 1491 1492 1493 1494 1495 1496 1497 1498 1499 1500 1501 1502 1503 1504 1505 1506 1507 1508 1509 1510 1511 1512 1513 1514 1515 1516 1517 1518 1519 1520 1521 1522 1523 1524 1525 1526 1527 1528 1529 1530 1531 1532 1533 1534 1535 1536 1537 1538 1539 1540 1541 1542 1543 1544 1545 1546 1547 1548 1549 1550 1551 1552 1553 1554 1555 1556 1557 1558 1559 1560 1561 1562 1563 1564 1565 1566 1567 1568 1569 1570 1571 1572 1573 1574 1575 1576 1577 1578 1579 1580 1581 1582 1583 1584 1585 1586 1587 1588 1589 1590 1591 1592 1593 1594 | /* ** WEBPAGE: register ** ** Page to allow users to self-register. The "self-register" setting ** must be enabled for this page to operate. */ void register_page(void){ const char *zUserID, *zPasswd, *zConfirm, *zEAddr; const char *zDName; unsigned int uSeed; const char *zDecoded; char *zCaptcha; int iErrLine = -1; const char *zErr; if( !db_get_boolean("self-register", 0) ){ style_header("Registration not possible"); @ <p>This project does not allow user self-registration. Please contact the @ project administrator to obtain an account.</p> style_footer(); return; } style_header("Register"); zUserID = PDT("u",""); zPasswd = PDT("p",""); zConfirm = PDT("cp",""); zEAddr = PDT("ea",""); zDName = PDT("dn",""); /* Try to make any sense from user input. */ if( P("new")==0 || !cgi_csrf_safe(1) ){ /* This is not a valid form submission. Fall through into ** the form display */ }else if( !captcha_is_correct(1) ){ iErrLine = 6; zErr = "Incorrect CAPTCHA"; }else if( strlen(zUserID)<3 ){ iErrLine = 1; zErr = "User ID too short. Must be at least 3 characters."; }else if( sqlite3_strglob("*[^-a-zA-Z0-9_.]*",zUserID)==0 ){ iErrLine = 1; zErr = "User ID may not contain spaces or special characters."; }else if( zDName[0]==0 ){ iErrLine = 2; zErr = "Required"; }else if( zEAddr[0]==0 ){ iErrLine = 3; zErr = "Required"; }else if( email_copy_addr(zEAddr,0)==0 ){ iErrLine = 3; zErr = "Not a valid email address"; }else if( strlen(zPasswd)<6 ){ iErrLine = 4; zErr = "Password must be at least 6 characters long"; }else if( fossil_strcmp(zPasswd,zConfirm)!=0 ){ iErrLine = 5; zErr = "Passwords do not match"; }else if( db_exists("SELECT 1 FROM user WHERE login=%Q", zUserID) ){ iErrLine = 1; zErr = "This User ID is already taken. Choose something different."; }else if( db_exists("SELECT 1 FROM user WHERE info LIKE '%%%q%%'", zEAddr) ){ iErrLine = 3; zErr = "This address is already used."; }else{ Blob sql; int uid; char *zPass = sha1_shared_secret(zPasswd, zUserID, 0); blob_init(&sql, 0, 0); blob_append_sql(&sql, "INSERT INTO user(login,pw,cap,info,mtime)\n" "VALUES(%Q,%Q,%Q," "'%q <%q>\nself-register from ip %q on '||datetime('now'),now())", zUserID, zPass, db_get("default-perms","u"), zDName, zEAddr, g.zIpAddr); fossil_free(zPass); db_multi_exec("%s", blob_sql_text(&sql)); uid = db_int(0, "SELECT uid FROM user WHERE login=%Q", zUserID); login_set_user_cookie(zUserID, uid, NULL); redirect_to_g(); } /* Prepare the captcha. */ uSeed = captcha_seed(); zDecoded = captcha_decode(uSeed); zCaptcha = captcha_render(zDecoded); /* Print out the registration form. */ form_begin(0, "%R/register"); if( P("g") ){ @ <input type="hidden" name="g" value="%h(P("g"))" /> } @ <p><input type="hidden" name="captchaseed" value="%u(uSeed)" /> @ <table class="login_out"> @ <tr> @ <td class="form_label" align="right">User ID:</td> @ <td><input type="text" name="u" value="%h(zUserID)" size="30"></td> if( iErrLine==1 ){ @ <td><span class='loginError'>← %h(zErr)</span></td> } @ </tr> @ <tr> @ <td class="form_label" align="right">Display Name:</td> @ <td><input type="text" name="dn" value="%h(zDName)" size="30"></td> if( iErrLine==2 ){ @ <td><span class='loginError'>← %h(zErr)</span></td> } @ </tr> @ <tr> @ <td class="form_label" align="right">Email Address:</td> @ <td><input type="text" name="ea" value="%h(zEAddr)" size="30"></td> if( iErrLine==3 ){ @ <td><span class='loginError'>← %h(zErr)</span></td> } @ </tr> @ <tr> @ <td class="form_label" align="right">Password:</td> @ <td><input type="password" name="p" value="%h(zPasswd)" size="30"></td> if( iErrLine==4 ){ @ <td><span class='loginError'>← %h(zErr)</span></td> } @ </tr> @ <tr> @ <td class="form_label" align="right">Confirm password:</td> @ <td><input type="password" name="cp" value="%h(zConfirm)" size="30"></td> if( iErrLine==5 ){ @ <td><span class='loginError'>← %h(zErr)</span></td> } @ </tr> @ <tr> @ <td class="form_label" align="right">Captcha text (below):</td> @ <td><input type="text" name="captcha" value="" size="30"></td> if( iErrLine==6 ){ @ <td><span class='loginError'>← %h(zErr)</span></td> } @ </tr> @ <tr><td></td> @ <td><input type="submit" name="new" value="Register" /></td></tr> @ </table> @ <div class="captcha"><table class="captcha"><tr><td><pre> @ %h(zCaptcha) @ </pre></td></tr></table></div> |
︙ | ︙ |
Changes to src/setup.c.
︙ | ︙ | |||
1306 1307 1308 1309 1310 1311 1312 1313 1314 1315 1316 1317 1318 1319 | @ <hr /> entry_attribute("Default privileges", 10, "default-perms", "defaultperms", "u", 0); @ <p>Permissions given to users that... <ul><li>register themselves using @ the self-registration procedure (if enabled), or <li>access "public" @ pages identified by the public-pages glob pattern above, or <li> @ are users newly created by the administrator.</ul> @ (Property: "default-perms") @ </p> @ <hr /> onoff_attribute("Show javascript button to fill in CAPTCHA", "auto-captcha", "autocaptcha", 0, 0); @ <p>When enabled, a button appears on the login screen for user | > > | 1306 1307 1308 1309 1310 1311 1312 1313 1314 1315 1316 1317 1318 1319 1320 1321 | @ <hr /> entry_attribute("Default privileges", 10, "default-perms", "defaultperms", "u", 0); @ <p>Permissions given to users that... <ul><li>register themselves using @ the self-registration procedure (if enabled), or <li>access "public" @ pages identified by the public-pages glob pattern above, or <li> @ are users newly created by the administrator.</ul> @ <p>Recommended value: "u" for Reader. @ <a href="%R/setup_ucap_list">Capability Key</a>. @ (Property: "default-perms") @ </p> @ <hr /> onoff_attribute("Show javascript button to fill in CAPTCHA", "auto-captcha", "autocaptcha", 0, 0); @ <p>When enabled, a button appears on the login screen for user |
︙ | ︙ |
Changes to src/smtp.c.
︙ | ︙ | |||
1269 1270 1271 1272 1273 1274 1275 | }else if( strncmp(z, "HELO", 4)==0 && fossil_isspace(z[4]) ){ smtp_server_send(&x, "250 ok\r\n"); }else if( strncmp(z, "MAIL FROM:<", 11)==0 ){ smtp_server_route_incoming(&x, 0); smtp_server_clear(&x, SMTPSRV_CLEAR_MSG); | | | | 1269 1270 1271 1272 1273 1274 1275 1276 1277 1278 1279 1280 1281 1282 1283 1284 1285 1286 1287 1288 1289 1290 1291 1292 1293 1294 1295 1296 | }else if( strncmp(z, "HELO", 4)==0 && fossil_isspace(z[4]) ){ smtp_server_send(&x, "250 ok\r\n"); }else if( strncmp(z, "MAIL FROM:<", 11)==0 ){ smtp_server_route_incoming(&x, 0); smtp_server_clear(&x, SMTPSRV_CLEAR_MSG); x.zFrom = email_copy_addr(z+11,'>'); if( x.zFrom==0 ){ smtp_server_send(&x, "500 unacceptable email address\r\n"); }else{ smtp_server_send(&x, "250 ok\r\n"); } }else if( strncmp(z, "RCPT TO:<", 9)==0 ){ char *zAddr; if( x.zFrom==0 ){ smtp_server_send(&x, "500 missing MAIL FROM\r\n"); continue; } zAddr = email_copy_addr(z+9, '>'); if( zAddr==0 ){ smtp_server_send(&x, "505 no such user\r\n"); continue; } smtp_append_to(&x, zAddr, 0); if( x.nTo>=100 ){ smtp_server_send(&x, "452 too many recipients\r\n"); |
︙ | ︙ |