diff --git a/common/bottom.php b/common/bottom.php deleted file mode 100644 index 5d16aea..0000000 --- a/common/bottom.php +++ /dev/null @@ -1,13 +0,0 @@ - - - - diff --git a/common/top.php b/common/html.php similarity index 81% rename from common/top.php rename to common/html.php index eddf8d4..d54c703 100644 --- a/common/top.php +++ b/common/html.php @@ -9,14 +9,14 @@ function antiCSRF() { // Session initialisation (with cookies) if ( - isset($_COOKIE['niver']) // Resume session + isset($_COOKIE['niver-session-key']) // Resume session OR (SERVICE === "auth" // Create new session AND (PAGE === "login" OR PAGE === "register") AND isset($_POST['username'])) ) { session_start([ - 'name' => 'niver', + 'name' => 'niver-session-key', 'sid_length' => 64, 'sid_bits_per_character' => 6, 'cookie_secure' => true, @@ -104,3 +104,21 @@ $cssFileName = Less_Cache::Get($absoluteLessFiles, $options, THEME);
+ +
+ + + + + diff --git a/common/init.php b/common/init.php index 20b2c83..00485f7 100644 --- a/common/init.php +++ b/common/init.php @@ -16,11 +16,15 @@ if (SERVICE !== "") require "pages.php"; function userError($msg) { - http_response_code(422); - exit("User error: The server refused to process this request: " . $msg . ""); + http_response_code(403); + echo "

Erreur utilisataire : " . $msg . "

"; + closeHTML(); + exit(); } function serverError($msg) { http_response_code(500); - exit("Server error: The server encountered an error: " . $msg . ""); + echo "

Server error: The server encountered an error: " . $msg . "

"; + closeHTML(); + exit(); } diff --git a/public/auth/index.php b/public/auth/index.php index 7e79dc5..42598a8 100644 --- a/public/auth/index.php +++ b/public/auth/index.php @@ -1,4 +1,4 @@ - + @@ -14,4 +14,4 @@ Se connecter - + diff --git a/public/auth/login.php b/public/auth/login.php index 2cbe066..c835581 100644 --- a/public/auth/login.php +++ b/public/auth/login.php @@ -1,4 +1,4 @@ - +

@@ -24,27 +24,26 @@ if (isset($_POST['username']) AND isset($_POST['password'])) { checkUsernameFormat($_POST['username']); - if (checkPassword($_POST['username'], $_POST['password'])) { + if (userExist($_POST['username']) !== true) + userError("Connexion impossible : ce compte n'existe pas."); - $_SESSION['username'] = htmlspecialchars($_POST['username']); + if (checkPassword($_POST['username'], $_POST['password']) !== true) + userError("Connexion impossible : clé de passe invalide."); - if (outdatedPasswordHash($_SESSION['username'])) - changePassword($_SESSION['username'], $_POST['password']); + $_SESSION['username'] = $_POST['username']; - if (isset($_GET['redir'])) { - if (preg_match("/^[0-9a-z\/-]+$/", $_GET['redir'])) - header("Location: " . CONF['common']['prefix'] . "/" . $_GET['redir']); - else - userError("Wrong character in redir."); - } else { - header("Location: " . CONF['common']['prefix'] . "/"); - } + if (outdatedPasswordHash($_SESSION['username'])) + changePassword($_SESSION['username'], $_POST['password']); + + if (isset($_GET['redir'])) { + if (preg_match("/^[0-9a-z\/-]+$/", $_GET['redir']) !== 1) + userError("Wrong character in redir."); + header("Location: " . CONF['common']['prefix'] . "/" . $_GET['redir']); } else { - echo "
Connexion impossible : mot de passe invalide"; + header("Location: " . CONF['common']['prefix'] . "/"); } - } ?> - + diff --git a/public/auth/logout.php b/public/auth/logout.php index 185698a..f666f14 100644 --- a/public/auth/logout.php +++ b/public/auth/logout.php @@ -1,4 +1,4 @@ - + - + diff --git a/public/auth/password.php b/public/auth/password.php index 9979314..b601308 100644 --- a/public/auth/password.php +++ b/public/auth/password.php @@ -1,4 +1,4 @@ - +

Vous pouvez ici changer le mot de passe permettant d'accéder à votre compte Niver. @@ -22,26 +22,21 @@ if (isset($_SESSION['username']) AND isset($_POST['newPassword']) AND isset($_PO checkPasswordFormat($_POST['newPassword']); - if (checkPassword($_SESSION['username'], $_POST['currentPassword'])) { + if (checkPassword($_SESSION['username'], $_POST['currentPassword']) !== true) + userError("Changement impossible : clé de passe invalide."); - $username = $_SESSION['username']; - $newPassword = password_hash($_POST['newPassword'], PASSWORD_DEFAULT); + $newPassword = hashPassword($_POST['newPassword']); - $db = new PDO('sqlite:' . DB_PATH); + $db = new PDO('sqlite:' . DB_PATH); - $stmt = $db->prepare("UPDATE users SET password = :password WHERE username = :username"); + $stmt = $db->prepare("UPDATE users SET password = :password WHERE username = :username"); - $stmt->bindParam(':username', $username); - $stmt->bindParam(':password', $newPassword); - - $stmt->execute(); - - } else { - echo "
Le mot de passe actuel n'est pas bon !"; - } + $stmt->bindParam(':username', $_SESSION['username']); + $stmt->bindParam(':password', $newPassword); + $stmt->execute(); } ?> - + diff --git a/public/auth/register.php b/public/auth/register.php index f32e6d6..7e61ee6 100644 --- a/public/auth/register.php +++ b/public/auth/register.php @@ -1,4 +1,4 @@ - + Se connecter - + diff --git a/public/ht/http-onion.php b/public/ht/http-onion.php index 3506769..778a243 100644 --- a/public/ht/http-onion.php +++ b/public/ht/http-onion.php @@ -1,4 +1,4 @@ - +

Ajouter un accès en .onion sur un dossier

@@ -81,4 +81,4 @@ HiddenServicePort 80 [::1]:" . CONF['ht']['internal_onion_http_port'] . " ?> - + diff --git a/public/ht/https-domain.php b/public/ht/https-domain.php index 246acf6..492bd35 100644 --- a/public/ht/https-domain.php +++ b/public/ht/https-domain.php @@ -1,4 +1,4 @@ - +

Ajouter un domaine sur un dossier de site
@@ -67,4 +67,4 @@ if (isset($_POST['domain']) AND isset($_POST['dir']) AND isset($_SESSION['userna ?> - + diff --git a/public/ht/index.php b/public/ht/index.php index bf5ca49..a0ecd96 100644 --- a/public/ht/index.php +++ b/public/ht/index.php @@ -1,4 +1,4 @@ - +

Vous avez accès à un espace SFTP. Vous pouvez téléverser vos sites dans /<nom du site>/*. Indiquez les données ci-dessous à votre client SFTP pour y accéder. @@ -67,4 +67,4 @@ - + diff --git a/public/ht/le.php b/public/ht/le.php index 9bd41d6..f37c933 100644 --- a/public/ht/le.php +++ b/public/ht/le.php @@ -1,4 +1,4 @@ - +

Installer un certificat Let's Encrypt

@@ -51,4 +51,4 @@ if (isset($_POST['domain']) AND isset($_SESSION['username'])) { ?> - + diff --git a/public/index.php b/public/index.php index 7233576..9496892 100644 --- a/public/index.php +++ b/public/index.php @@ -1,4 +1,4 @@ - +
Registre
@@ -19,4 +19,4 @@
- + diff --git a/public/ns/caa.php b/public/ns/caa.php index 77434bc..a4f9238 100644 --- a/public/ns/caa.php +++ b/public/ns/caa.php @@ -1,4 +1,4 @@ - + @@ -49,4 +49,4 @@ if (nsCommonRequirements() ?> - + diff --git a/public/ns/dnssec.php b/public/ns/dnssec.php index a722042..d1e2256 100644 --- a/public/ns/dnssec.php +++ b/public/ns/dnssec.php @@ -1,4 +1,4 @@ - + Afin d'activer DNSSEC, vous devez indiquer un enregistrement DS à la zone parente. @@ -75,4 +75,4 @@ if (isset($_POST['zone']) AND isset($_SESSION['username'])) { - + diff --git a/public/ns/index.php b/public/ns/index.php index d9f1cbc..5bfc1f8 100644 --- a/public/ns/index.php +++ b/public/ns/index.php @@ -1,4 +1,4 @@ - +
Gérer ses zones
@@ -58,4 +58,4 @@ -->
- + diff --git a/public/ns/ip.php b/public/ns/ip.php index 0160ab0..5e9d10d 100644 --- a/public/ns/ip.php +++ b/public/ns/ip.php @@ -1,4 +1,4 @@ - +

Ici vous pouvez ajouter ou enlever des adresses IP dans une zone déjà enregistrée sur le serveur de noms de Niver @@ -30,4 +30,4 @@ if (nsCommonRequirements() ?> - + diff --git a/public/ns/loc.php b/public/ns/loc.php index 77434bc..a4f9238 100644 --- a/public/ns/loc.php +++ b/public/ns/loc.php @@ -1,4 +1,4 @@ - + @@ -49,4 +49,4 @@ if (nsCommonRequirements() ?> - + diff --git a/public/ns/mx.php b/public/ns/mx.php index 2b74893..bd2a5a7 100644 --- a/public/ns/mx.php +++ b/public/ns/mx.php @@ -1,4 +1,4 @@ - + @@ -42,4 +42,4 @@ if (nsCommonRequirements() ?> - + diff --git a/public/ns/ns.php b/public/ns/ns.php index 6e1d9bc..c40db7c 100644 --- a/public/ns/ns.php +++ b/public/ns/ns.php @@ -1,4 +1,4 @@ - + @@ -27,4 +27,4 @@ if (nsCommonRequirements() ?> - + diff --git a/public/ns/srv.php b/public/ns/srv.php index a22a270..93761b1 100644 --- a/public/ns/srv.php +++ b/public/ns/srv.php @@ -1,4 +1,4 @@ - + @@ -62,4 +62,4 @@ if (nsCommonRequirements() ?> - + diff --git a/public/ns/sshfp.php b/public/ns/sshfp.php index 29e103b..0a2a0a6 100644 --- a/public/ns/sshfp.php +++ b/public/ns/sshfp.php @@ -1,4 +1,4 @@ - + @@ -59,4 +59,4 @@ if (nsCommonRequirements() ?> - + diff --git a/public/ns/tlsa.php b/public/ns/tlsa.php index b0aaf99..9df26bf 100644 --- a/public/ns/tlsa.php +++ b/public/ns/tlsa.php @@ -1,4 +1,4 @@ - + @@ -75,4 +75,4 @@ if (nsCommonRequirements() ?> - + diff --git a/public/ns/txt.php b/public/ns/txt.php index d13582f..dab1fd4 100644 --- a/public/ns/txt.php +++ b/public/ns/txt.php @@ -1,4 +1,4 @@ - + @@ -28,4 +28,4 @@ if (nsCommonRequirements() ?> - + diff --git a/public/ns/zone.php b/public/ns/zone.php index 898510e..7f6d874 100644 --- a/public/ns/zone.php +++ b/public/ns/zone.php @@ -1,4 +1,4 @@ - +

Ajouter une zone

@@ -91,4 +91,4 @@ if (isset($_POST['zone']) AND isset($_SESSION['username'])) { ?> - + diff --git a/public/reg/ds.php b/public/reg/ds.php index c3216f1..cd6c2d4 100644 --- a/public/reg/ds.php +++ b/public/reg/ds.php @@ -1,4 +1,4 @@ - + @@ -104,4 +104,4 @@ if (isset($_POST['zone']) AND isset($_POST['keytag']) AND isset($_POST['algo']) ?> - + diff --git a/public/reg/glue.php b/public/reg/glue.php index d1e3ce4..6dc4e47 100644 --- a/public/reg/glue.php +++ b/public/reg/glue.php @@ -1,4 +1,4 @@ - + @@ -66,4 +66,4 @@ if (isset($_POST['action']) AND isset($_POST['subdomain']) AND isset($_POST['suf ?> - + diff --git a/public/reg/index.php b/public/reg/index.php index 8d2b3d0..2a550af 100644 --- a/public/reg/index.php +++ b/public/reg/index.php @@ -1,4 +1,4 @@ - +
Enregistrer un nouveau domaine
@@ -19,4 +19,4 @@
- + diff --git a/public/reg/ns.php b/public/reg/ns.php index a33acf8..1a1dbd8 100644 --- a/public/reg/ns.php +++ b/public/reg/ns.php @@ -1,4 +1,4 @@ - + @@ -49,6 +49,7 @@ if (isset($_POST['domain']) AND isset($_POST['action']) AND isset($_POST['ns']) exec(CONF['reg']['knotc_path'] . " zone-" . $action . "set " . $suffix . " " . $_POST['domain'] . " 86400 IN NS " . $_POST['ns'], $output); exec(CONF['reg']['knotc_path'] . " zone-commit " . $suffix, $output); $error = false; + var_dump($output); foreach ($output as $line) { if ($line !== "OK") { $error = true; @@ -63,4 +64,4 @@ if (isset($_POST['domain']) AND isset($_POST['action']) AND isset($_POST['ns']) ?> - + diff --git a/public/reg/register.php b/public/reg/register.php index a2072ae..cdc2680 100644 --- a/public/reg/register.php +++ b/public/reg/register.php @@ -1,4 +1,4 @@ - + Enregistrer la possession d'un domaine sur son compte.
Ce domaine doit être composé uniquement d'au moins 4 lettres latines non accentuées. @@ -19,35 +19,30 @@ if (isset($_POST['subdomain']) AND isset($_SESSION['username'])) { antiCSRF(); - if (preg_match("/" . CONF['reg']['subdomain_regex'] . "/", $_POST['subdomain'])) { + if (preg_match("/" . CONF['reg']['subdomain_regex'] . "/", $_POST['subdomain']) !== 1) + userError("Erreur : Le nom de domaine doit être composé uniquement d'entre 4 et 63 lettres minuscules (a-z)"); - $domain = $_POST['subdomain'] . "." . CONF['reg']['registry']; + $domain = $_POST['subdomain'] . "." . CONF['reg']['registry']; - checkAbsoluteDomainFormat($domain); + checkAbsoluteDomainFormat($domain); - if (regIsFree($domain)) { - $db = new PDO('sqlite:' . DB_PATH); - $stmt = $db->prepare("INSERT INTO registry(domain, username, last_renewal) VALUES(:domain, :username, :last_renewal)"); - $username = $_SESSION['username']; + if (regIsFree($domain) !== true) + userError("Ce domaine n'est pas disponible à l'enregistrement. Il est réservé ou déjà enregistré."); - $time = date("Y-m-d H:i:s"); + $db = new PDO('sqlite:' . DB_PATH); + $stmt = $db->prepare("INSERT INTO registry(domain, username, last_renewal) VALUES(:domain, :username, :last_renewal)"); - $stmt->bindParam(':domain', $domain); - $stmt->bindParam(':username', $username); - $stmt->bindParam(':last_renewal', $time); + $time = date("Y-m-d H:i:s"); - $stmt->execute(); + $stmt->bindParam(':domain', $domain); + $stmt->bindParam(':username', $_SESSION['username']); + $stmt->bindParam(':last_renewal', $time); - echo "Nouveau domaine enregistré"; + $stmt->execute(); - } else { - echo "Le domaine " . $domain . " n'est pas disponible à l'enregistrement. Il est réservé ou déjà enregistré."; - } - } else { - echo "Erreur : Le nom de domaine doit être composé uniquement d'entre 4 et 63 lettres minuscules (a-z)"; - } + echo "Nouveau domaine enregistré"; } ?> - +