Issues in user_util.inc (master) - Issues in master - BOINC/boinc - Measure and Improve Code Quality continuously with Scrutinizer

Issues (1839)

html/inc/user_util.inc (1 issue)

Labels

Best Practice 1

Severity

Major 1

Kevin Reed 1

<?php
// This file is part of BOINC.
// http://boinc.berkeley.edu
// Copyright (C) 2017 University of California
//
// BOINC is free software; you can redistribute it and/or modify it
// under the terms of the GNU Lesser General Public License
// as published by the Free Software Foundation,
// either version 3 of the License, or (at your option) any later version.
//
// BOINC is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
// See the GNU Lesser General Public License for more details.
//
// You should have received a copy of the GNU Lesser General Public License
// along with BOINC.  If not, see <http://www.gnu.org/licenses/>.

// functions for creating and deleting users


include_once("../inc/boinc_db.inc");
include_once("../inc/util.inc");
include_once("../inc/email.inc");
include_once("../inc/recaptchalib.php");
require_once("../inc/password_compat/password.inc");
require_once("../inc/consent.inc");

// Password hash has old format.
// Update user record with new format
//
function do_passwd_rehash($user, $passwd_hash) {
    $database_passwd_hash = password_hash($passwd_hash, PASSWORD_DEFAULT);
    $result = $user->update(" passwd_hash='$database_passwd_hash' ");
}

// return true if the passwd hash (old format)
// matches the user's passwd hash (possibly new format)
//
function check_passwd_hash($user, $passwd_hash) {
    if (password_verify($passwd_hash, $user->passwd_hash)) {
        // on valid login, rehash password to upgrade hash overtime
        // as the defaults change.
        //
        if (password_needs_rehash($user->passwd_hash, PASSWORD_DEFAULT)) {
            do_passwd_rehash($user, $passwd_hash);
        }
    } else if ($passwd_hash == $user->passwd_hash) {
        // user record has old format.  Change to new.
        //
        do_passwd_rehash($user, $passwd_hash);
    } else {
        return false;
    }
    return true;
}

function check_passwd_ui($user, $passwd) {
    $passwd_hash = md5($passwd.$user->email_addr);
    if(!check_passwd_hash($user, $passwd_hash)) {
        sleep(LOGIN_FAIL_SLEEP_SEC);
        page_head("Password incorrect");
        echo "The password you entered is incorrect. Please go back and try again.\n";
        page_tail();
        exit;

    }
}

function is_banned_email_addr($email_addr) {
    global $banned_email_domains;
    if (isset($banned_email_domains)) {
        foreach($banned_email_domains as $d) {
            $x = strstr($email_addr, $d);
            if ($x == $d) return true;
        }
    }
    return false;
}

function is_valid_user_name($name, &$reason) {
    if (trim($name) !== $name) {
        $reason = tra("user name cannot have leading or trailing white space");
        return false;
    }
    if (strlen($name) == 0) {
        $reason = tra("user name must be nonempty");
        return false;
    }
    if (sanitize_tags($name) !== $name) {
        $reason = tra("user name may not contain HTML tags");
        return false;
    }
    if (is_numeric($name)) {
        $reason = tra("user name may not be a number");
        return false;
    }
    return true;
}

function default_show_hosts() {
    global $config;
    // If enable privacy by default is TRUE, then show_hosts' default
    // is FALSE.
    return parse_bool($config, "enable_privacy_by_default") ? 0 : 1;
}

// the following DB-escapes its args
//
function make_user(
    $email_addr, $name, $passwd_hash,
    $country=null, $postal_code=null, $project_prefs=null, $teamid=0
) {
    if (!is_valid_email_addr($email_addr)) return null;
    if (is_banned_email_addr($email_addr)) return null;

    $authenticator = random_string();
    $cross_project_id = random_string();
    $now = time();
    if (!is_valid_country($country)) return null;

    $email_addr = BoincDb::escape_string($email_addr);
    $name = sanitize_tags($name);
    $name = BoincDb::escape_string($name);
    $database_passwd_hash = password_hash($passwd_hash, PASSWORD_DEFAULT);

    $country = BoincDb::escape_string($country);
    $postal_code = sanitize_tags(BoincDb::escape_string($postal_code));

    $show_hosts = default_show_hosts();
    $uid = BoincUser::insert("(create_time, email_addr, name, authenticator, country, postal_code, total_credit, expavg_credit, expavg_time, project_prefs, teamid,  venue, send_email, show_hosts, posts, seti_id, seti_nresults, seti_last_result_time, seti_total_cpu, has_profile, cross_project_id, passwd_hash, email_validated, donated) values($now, '$email_addr', '$name', '$authenticator', '$country', '$postal_code', 0, 0, unix_timestamp(), '$project_prefs', $teamid, '', 1, $show_hosts, 0, 0, 0, 0, 0, 0, '$cross_project_id', '$database_passwd_hash', 0, 0)");

    if (!$uid) {
        return null;
    }
    $user = BoincUser::lookup_id($uid);
    if (defined('RECORD_USER_IP')) {
        $ip = $_SERVER['REMOTE_ADDR'];
        $ip = BoincDb::escape_string($ip);
        $user->update("venue='$ip'");
    }
    return $user;
}

function make_user_ldap($email_addr, $name) {
    $email_addr = BoincDb::escape_string($email_addr);
    $name = sanitize_tags($name);
    $name = BoincDb::escape_string($name);
    $authenticator = random_string();
    $cross_project_id = random_string();
    $passwd_hash = random_string();
    $now = time();

    $show_hosts = default_show_hosts();
    $uid = BoincUser::insert("(create_time, email_addr, name, authenticator, country, postal_code, total_credit, expavg_credit, expavg_time, project_prefs, teamid,  send_email, show_hosts, cross_project_id, passwd_hash) values($now, '$email_addr', '$name', '$authenticator', '', '', 0, 0, unix_timestamp(), '', 0, 1, $show_hosts, '$cross_project_id', '$passwd_hash')");

    if ($uid) {
        return BoincUser::lookup_id($uid);
    } else {
        return null;
    }
}

function show_error($str) {
    page_head(tra("Can't create account"));
    echo "$str<br>\n";
    echo BoincDb::error();
    echo "<p>".tra("Click your browser's <b>Back</b> button to try again.")."\n</p>\n";
    page_tail();
    exit();
}

// validate POST args and make user.
// If error show error page and exit.
// Else return user object
//
function validate_post_make_user() {
    global $recaptcha_private_key;
    $config = get_config();
    if (parse_bool($config, "disable_account_creation")
        || parse_bool($config, "no_web_account_creation")
    ) {
        error_page("Account creation is disabled");
    }

    if ($recaptcha_private_key) {
        if (!boinc_recaptcha_isValidated($recaptcha_private_key)) {
            show_error(
                tra("Your reCAPTCHA response was not correct. Please try again.")
            );
        }
    }

    // Check if consent to terms of use has been given.
    //
    $myconsent = FALSE;
    list($checkct, $ctid) = check_consent_type(CONSENT_TYPE_ENROLL);
    if ($checkct and check_termsofuse()) {
        $agree = post_str("agree_to_terms_of_use", true);
        if (!$agree) {
            error_page(tra("You have not agreed to our terms of use. Please agree to the terms of use by navigating back to the previous page, in order to create your account"));
        }
        $myconsent = TRUE;
    }

    // see whether the new account should be pre-enrolled in a team,
    // and initialized with its founder's project prefs
    //
    $teamid = post_int("teamid", true);
    if ($teamid) {
        $team = BoincTeam::lookup_id($teamid);
        $clone_user = BoincUser::lookup_id($team->userid);
        if (!$clone_user) {
            error_page("User $userid not found");
        }
        $project_prefs = $clone_user->project_prefs;
    } else {
        $teamid = 0;
        $project_prefs = "";
    }

    if (defined('INVITE_CODES')) {
        $invite_code = post_str("invite_code");
        if (strlen($invite_code) == 0) {
            show_error(tra("You must supply an invitation code to create an account."));
        }
        if (!preg_match(INVITE_CODES, $invite_code)) {
            show_error(tra("The invitation code you gave is not valid."));
        }
    }

    $new_name = post_str("new_name");
    if (!is_valid_user_name($new_name, $reason)) {
        show_error($reason);
    }
    if (UNIQUE_USER_NAME) {
        $u = BoincUser::lookup_name($new_name);
        if ($u) {
            page_head("That name is in use");
            echo "<p>The following user names are taken;
                please go back and use a different one.<p>
            ";
            $users = BoincUser::enum(
                sprintf("name like '%s%%'", $new_name)
            );
            foreach ($users as $u){
                echo "<p>$u->name\n";
            }
            page_tail();
            exit;
        }
    }

    $new_email_addr = strtolower(post_str("new_email_addr"));
    if (!is_valid_email_addr($new_email_addr)) {
        show_error(tra("Invalid email address: please enter a valid address of the form [email protected]"));
    }
    $user = BoincUser::lookup_email_addr($new_email_addr);
    if ($user) {
        show_error(tra("There's already an account with that email address."));
    }
    $tmpuser = BoincUser::lookup_prev_email_addr($new_email_addr);
    if ($tmpuser) {
        show_error(tra("There's already an account with that email address."));
    }

    $passwd = post_str("passwd");

    $min_passwd_length = parse_config($config, "<min_passwd_length>");
    if (!$min_passwd_length) $min_passwd_length = 6;

    if (!is_ascii($passwd)) {
        show_error(tra("Passwords may only include ASCII characters."));
    }

    if (strlen($passwd)<$min_passwd_length) {
        show_error(
            tra("New password is too short: minimum password length is %1 characters.", $min_passwd_length)
        );
    }

    $passwd_hash = md5($passwd.$new_email_addr);

    $country = "";
    if (USER_COUNTRY) {
        $country = post_str("country", true);
        if ($country && !is_valid_country($country)) {
            error_page("bad country");
        }
    }

    if (POSTAL_CODE) {
        $postal_code = sanitize_tags(post_str("postal_code", true));
    } else {
        $postal_code = '';
    }

    $user = make_user(
        $new_email_addr, $new_name, $passwd_hash,
        $country, $postal_code, $project_prefs, $teamid
    );
    if (!$user) {
        show_error(
            tra("Couldn't create account").": ".BoincDb::error()
        );
    }

    if ($myconsent) {
        $rc = consent_to_a_policy($user, $ctid, 1, 0, 'Webreg');
        if (!$rc) {
            show_error(tra("database error, please contact site administrators"));
        }
    }

    if (defined('INVITE_CODES')) {
        error_log("Account '$new_email_addr' created using invitation code '$invite_code'");
    }
    return $user;
}

// delete a user and all associated records except
// result
// host
// batch
// team
// user_submit
// user_submit_app
// credited_job
// donation_paypal
// sent_email
//
function delete_user($user) {
    delete_profile($user);
    forum_delete_user($user);
        // deletes post, thread, subscription, forum_preferences, forum_logging
    BoincPrivateMessage::delete_aux("userid=$user->id or senderid=$user->id");
    BoincNotify::delete_aux("userid=$user->id");
    BoincCreditUser::delete_user($user);
    BoincBadgeUser::delete("user_id=$user->id");
    BoincFriend::delete_aux("user_src=$user->id or user_dest=$user->id");
    BoincToken::delete_for_user($user->id);
    $user->delete();
}
?>


1			<?php
2			// This file is part of BOINC.
3			// http://boinc.berkeley.edu
4			// Copyright (C) 2017 University of California
5			//
6			// BOINC is free software; you can redistribute it and/or modify it
7			// under the terms of the GNU Lesser General Public License
8			// as published by the Free Software Foundation,
9			// either version 3 of the License, or (at your option) any later version.
10			//
11			// BOINC is distributed in the hope that it will be useful,
12			// but WITHOUT ANY WARRANTY; without even the implied warranty of
13			// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
14			// See the GNU Lesser General Public License for more details.
15			//
16			// You should have received a copy of the GNU Lesser General Public License
17			// along with BOINC. If not, see <http://www.gnu.org/licenses/>.
18
19			// functions for creating and deleting users
20
21
22			include_once("../inc/boinc_db.inc");
23			include_once("../inc/util.inc");
24			include_once("../inc/email.inc");
25			include_once("../inc/recaptchalib.php");
26			require_once("../inc/password_compat/password.inc");
27			require_once("../inc/consent.inc");
28
29			// Password hash has old format.
30			// Update user record with new format
31			//
32			function do_passwd_rehash($user, $passwd_hash) {
33			$database_passwd_hash = password_hash($passwd_hash, PASSWORD_DEFAULT);
34			$result = $user->update(" passwd_hash='$database_passwd_hash' ");
35			}
36
37			// return true if the passwd hash (old format)
38			// matches the user's passwd hash (possibly new format)
39			//
40			function check_passwd_hash($user, $passwd_hash) {
41			if (password_verify($passwd_hash, $user->passwd_hash)) {
42			// on valid login, rehash password to upgrade hash overtime
43			// as the defaults change.
44			//
45			if (password_needs_rehash($user->passwd_hash, PASSWORD_DEFAULT)) {
46			do_passwd_rehash($user, $passwd_hash);
47			}
48			} else if ($passwd_hash == $user->passwd_hash) {
49			// user record has old format. Change to new.
50			//
51			do_passwd_rehash($user, $passwd_hash);
52			} else {
53			return false;
54			}
55			return true;
56			}
57
58			function check_passwd_ui($user, $passwd) {
59			$passwd_hash = md5($passwd.$user->email_addr);
60			if(!check_passwd_hash($user, $passwd_hash)) {
61			sleep(LOGIN_FAIL_SLEEP_SEC);
62			page_head("Password incorrect");
63			echo "The password you entered is incorrect. Please go back and try again.\n";
64			page_tail();
65			exit;
			0 ignored issues – show Best Practice introduced 2018-08-30 19:19 UTC by Report Bug Copy Issue Report Show Similar Issues like this Using `exit` here is not recommended. In general, usage of exit should be done with care and only when running in a scripting context like a CLI script. Loading history...
66			}
67			}
68
69			function is_banned_email_addr($email_addr) {
70			global $banned_email_domains;
71			if (isset($banned_email_domains)) {
72			foreach($banned_email_domains as $d) {
73			$x = strstr($email_addr, $d);
74			if ($x == $d) return true;
75			}
76			}
77			return false;
78			}
79
80			function is_valid_user_name($name, &$reason) {
81			if (trim($name) !== $name) {
82			$reason = tra("user name cannot have leading or trailing white space");
83			return false;
84			}
85			if (strlen($name) == 0) {
86			$reason = tra("user name must be nonempty");
87			return false;
88			}
89			if (sanitize_tags($name) !== $name) {
90			$reason = tra("user name may not contain HTML tags");
91			return false;
92			}
93			if (is_numeric($name)) {
94			$reason = tra("user name may not be a number");
95			return false;
96			}
97			return true;
98			}
99
100			function default_show_hosts() {
101			global $config;
102			// If enable privacy by default is TRUE, then show_hosts' default
103			// is FALSE.
104			return parse_bool($config, "enable_privacy_by_default") ? 0 : 1;
105			}
106
107			// the following DB-escapes its args
108			//
109			function make_user(
110			$email_addr, $name, $passwd_hash,
111			$country=null, $postal_code=null, $project_prefs=null, $teamid=0
112			) {
113			if (!is_valid_email_addr($email_addr)) return null;
114			if (is_banned_email_addr($email_addr)) return null;
115
116			$authenticator = random_string();
117			$cross_project_id = random_string();
118			$now = time();
119			if (!is_valid_country($country)) return null;
120
121			$email_addr = BoincDb::escape_string($email_addr);
122			$name = sanitize_tags($name);
123			$name = BoincDb::escape_string($name);
124			$database_passwd_hash = password_hash($passwd_hash, PASSWORD_DEFAULT);
125
126			$country = BoincDb::escape_string($country);
127			$postal_code = sanitize_tags(BoincDb::escape_string($postal_code));
128
129			$show_hosts = default_show_hosts();
130			$uid = BoincUser::insert("(create_time, email_addr, name, authenticator, country, postal_code, total_credit, expavg_credit, expavg_time, project_prefs, teamid, venue, send_email, show_hosts, posts, seti_id, seti_nresults, seti_last_result_time, seti_total_cpu, has_profile, cross_project_id, passwd_hash, email_validated, donated) values($now, '$email_addr', '$name', '$authenticator', '$country', '$postal_code', 0, 0, unix_timestamp(), '$project_prefs', $teamid, '', 1, $show_hosts, 0, 0, 0, 0, 0, 0, '$cross_project_id', '$database_passwd_hash', 0, 0)");
131
132			if (!$uid) {
133			return null;
134			}
135			$user = BoincUser::lookup_id($uid);
136			if (defined('RECORD_USER_IP')) {
137			$ip = $_SERVER['REMOTE_ADDR'];
138			$ip = BoincDb::escape_string($ip);
139			$user->update("venue='$ip'");
140			}
141			return $user;
142			}
143
144			function make_user_ldap($email_addr, $name) {
145			$email_addr = BoincDb::escape_string($email_addr);
146			$name = sanitize_tags($name);
147			$name = BoincDb::escape_string($name);
148			$authenticator = random_string();
149			$cross_project_id = random_string();
150			$passwd_hash = random_string();
151			$now = time();
152
153			$show_hosts = default_show_hosts();
154			$uid = BoincUser::insert("(create_time, email_addr, name, authenticator, country, postal_code, total_credit, expavg_credit, expavg_time, project_prefs, teamid, send_email, show_hosts, cross_project_id, passwd_hash) values($now, '$email_addr', '$name', '$authenticator', '', '', 0, 0, unix_timestamp(), '', 0, 1, $show_hosts, '$cross_project_id', '$passwd_hash')");
155
156			if ($uid) {
157			return BoincUser::lookup_id($uid);
158			} else {
159			return null;
160			}
161			}
162
163			function show_error($str) {
164			page_head(tra("Can't create account"));
165			echo "$str<br>\n";
166			echo BoincDb::error();
167			echo "<p>".tra("Click your browser's <b>Back</b> button to try again.")."\n</p>\n";
168			page_tail();
169			exit();
170			}
171
172			// validate POST args and make user.
173			// If error show error page and exit.
174			// Else return user object
175			//
176			function validate_post_make_user() {
177			global $recaptcha_private_key;
178			$config = get_config();
179			if (parse_bool($config, "disable_account_creation")
180			\|\| parse_bool($config, "no_web_account_creation")
181			) {
182			error_page("Account creation is disabled");
183			}
184
185			if ($recaptcha_private_key) {
186			if (!boinc_recaptcha_isValidated($recaptcha_private_key)) {
187			show_error(
188			tra("Your reCAPTCHA response was not correct. Please try again.")
189			);
190			}
191			}
192
193			// Check if consent to terms of use has been given.
194			//
195			$myconsent = FALSE;
196			list($checkct, $ctid) = check_consent_type(CONSENT_TYPE_ENROLL);
197			if ($checkct and check_termsofuse()) {
198			$agree = post_str("agree_to_terms_of_use", true);
199			if (!$agree) {
200			error_page(tra("You have not agreed to our terms of use. Please agree to the terms of use by navigating back to the previous page, in order to create your account"));
201			}
202			$myconsent = TRUE;
203			}
204
205			// see whether the new account should be pre-enrolled in a team,
206			// and initialized with its founder's project prefs
207			//
208			$teamid = post_int("teamid", true);
209			if ($teamid) {
210			$team = BoincTeam::lookup_id($teamid);
211			$clone_user = BoincUser::lookup_id($team->userid);
212			if (!$clone_user) {
213			error_page("User $userid not found");
214			}
215			$project_prefs = $clone_user->project_prefs;
216			} else {
217			$teamid = 0;
218			$project_prefs = "";
219			}
220
221			if (defined('INVITE_CODES')) {
222			$invite_code = post_str("invite_code");
223			if (strlen($invite_code) == 0) {
224			show_error(tra("You must supply an invitation code to create an account."));
225			}
226			if (!preg_match(INVITE_CODES, $invite_code)) {
227			show_error(tra("The invitation code you gave is not valid."));
228			}
229			}
230
231			$new_name = post_str("new_name");
232			if (!is_valid_user_name($new_name, $reason)) {
233			show_error($reason);
234			}
235			if (UNIQUE_USER_NAME) {
236			$u = BoincUser::lookup_name($new_name);
237			if ($u) {
238			page_head("That name is in use");
239			echo "<p>The following user names are taken;
240			please go back and use a different one.<p>
241			";
242			$users = BoincUser::enum(
243			sprintf("name like '%s%%'", $new_name)
244			);
245			foreach ($users as $u){
246			echo "<p>$u->name\n";
247			}
248			page_tail();
249			exit;
250			}
251			}
252
253			$new_email_addr = strtolower(post_str("new_email_addr"));
254			if (!is_valid_email_addr($new_email_addr)) {
255			show_error(tra("Invalid email address: please enter a valid address of the form [email protected]"));
256			}
257			$user = BoincUser::lookup_email_addr($new_email_addr);
258			if ($user) {
259			show_error(tra("There's already an account with that email address."));
260			}
261			$tmpuser = BoincUser::lookup_prev_email_addr($new_email_addr);
262			if ($tmpuser) {
263			show_error(tra("There's already an account with that email address."));
264			}
265
266			$passwd = post_str("passwd");
267
268			$min_passwd_length = parse_config($config, "<min_passwd_length>");
269			if (!$min_passwd_length) $min_passwd_length = 6;
270
271			if (!is_ascii($passwd)) {
272			show_error(tra("Passwords may only include ASCII characters."));
273			}
274
275			if (strlen($passwd)<$min_passwd_length) {
276			show_error(
277			tra("New password is too short: minimum password length is %1 characters.", $min_passwd_length)
278			);
279			}
280
281			$passwd_hash = md5($passwd.$new_email_addr);
282
283			$country = "";
284			if (USER_COUNTRY) {
285			$country = post_str("country", true);
286			if ($country && !is_valid_country($country)) {
287			error_page("bad country");
288			}
289			}
290
291			if (POSTAL_CODE) {
292			$postal_code = sanitize_tags(post_str("postal_code", true));
293			} else {
294			$postal_code = '';
295			}
296
297			$user = make_user(
298			$new_email_addr, $new_name, $passwd_hash,
299			$country, $postal_code, $project_prefs, $teamid
300			);
301			if (!$user) {
302			show_error(
303			tra("Couldn't create account").": ".BoincDb::error()
304			);
305			}
306
307			if ($myconsent) {
308			$rc = consent_to_a_policy($user, $ctid, 1, 0, 'Webreg');
309			if (!$rc) {
310			show_error(tra("database error, please contact site administrators"));
311			}
312			}
313
314			if (defined('INVITE_CODES')) {
315			error_log("Account '$new_email_addr' created using invitation code '$invite_code'");
316			}
317			return $user;
318			}
319
320			// delete a user and all associated records except
321			// result
322			// host
323			// batch
324			// team
325			// user_submit
326			// user_submit_app
327			// credited_job
328			// donation_paypal
329			// sent_email
330			//
331			function delete_user($user) {
332			delete_profile($user);
333			forum_delete_user($user);
334			// deletes post, thread, subscription, forum_preferences, forum_logging
335			BoincPrivateMessage::delete_aux("userid=$user->id or senderid=$user->id");
336			BoincNotify::delete_aux("userid=$user->id");
337			BoincCreditUser::delete_user($user);
338			BoincBadgeUser::delete("user_id=$user->id");
339			BoincFriend::delete_aux("user_src=$user->id or user_dest=$user->id");
340			BoincToken::delete_for_user($user->id);
341			$user->delete();
342			}
343			?>
344

BOINC / boinc

Issues (1839)

html/inc/user_util.inc (1 issue)

Labels

Severity

Introduced By

Duplication Side-by-Side

Filter issues like