Many hyperlinks are disabled.
Use anonymous login
to enable hyperlinks.
Overview
| Comment: | Validate the email address in the subscription editing form. |
|---|---|
| Downloads: | Tarball | ZIP archive | SQL archive |
| Timelines: | family | ancestors | descendants | both | trunk |
| Files: | files | file ages | folders |
| SHA3-256: |
32a8d1102527724a43977c05f18d105f |
| User & Date: | drh 2020-03-26 13:53:08 |
Context
|
2020-03-26
| ||
| 14:48 | Set the autocomplete="off" parameter on the password input to the user editing screen. (check-in: a0238542 user: drh tags: trunk) | |
| 13:53 | Validate the email address in the subscription editing form. (check-in: 32a8d110 user: drh tags: trunk) | |
| 13:18 | Add the "Send a message to ..." link for administrators on the subscription configuration page. (check-in: bb05299e user: drh tags: trunk) | |
Changes
Changes to src/alerts.c.
573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 ... 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 .... 1514 1515 1516 1517 1518 1519 1520 1521 1522 1523 1524 1525 1526 1527 1528 1529 1530 1531 .... 1540 1541 1542 1543 1544 1545 1546 1547 1548 1549 1550 1551 1552 1553 1554 1555 1556 1557 1558 1559 1560 1561 1562 1563 1564 1565 1566 1567 1568 1569 1570 1571 1572 1573 1574 1575 1576 1577 1578 1579 1580 1581 1582 1583 1584 1585 1586 1587 1588 1589 1590 1591 1592 1593 1594 1595 1596 1597 1598 1599 1600 1601 1602 1603 1604 1605 .... 1609 1610 1611 1612 1613 1614 1615 1616 1617 1618 1619 1620 1621 1622 1623 1624 1625 1626 1627 1628 1629 1630 1631 1632 1633 1634 1635 .... 1643 1644 1645 1646 1647 1648 1649 1650 1651 1652 1653 1654 1655 1656 1657 1658 1659 |
return 1;
}
}
return 0;
}
/*
** Make a copy of the input string up to but not including the
** first cTerm character.
**
** Verify that the string really that is to be copied really is a
** valid email address. If it is not, then return NULL.
**
** This routine is more restrictive than necessary. It does not
** allow comments, IP address, quoted strings, or certain uncommon
** characters. The only non-alphanumerics allowed in the local
** part are "_", "+", "-" and "+".
*/
char *email_copy_addr(const char *z, char cTerm ){
int i;
int nAt = 0;
int nDot = 0;
char c;
if( z[0]=='.' ) return 0; /* Local part cannot begin with "." */
for(i=0; (c = z[i])!=0 && c!=cTerm; i++){
if( fossil_isalnum(c) ){
................................................................................
}else{
return 0; /* Anything else is an error */
}
}
if( c!=cTerm ) return 0; /* Missing terminator */
if( nAt==0 ) return 0; /* No "@" found anywhere */
if( nDot==0 ) return 0; /* No "." in the domain */
/* If we reach this point, the email address is valid */
return mprintf("%.*s", i, z);
}
/*
** Scan the input string for a valid email address enclosed in <...>
** If the string contains one or more email addresses, extract the first
** one into memory obtained from mprintf() and return a pointer to it.
** If no valid email address can be found, return NULL.
................................................................................
*/
void alert_page(void){
const char *zName = P("name");
Stmt q;
int sa, sc, sf, st, sw;
int sdigest, sdonotcall, sverified;
int isLogin; /* Logged in as an individual */
const char *ssub;
const char *semail;
const char *smip;
const char *suname;
const char *mtime;
const char *sctime;
int eErr = 0;
char *zErr = 0;
if( alert_webpages_disabled() ) return;
login_check_credentials();
................................................................................
}
if( zName==0 || !validate16(zName, -1) ){
cgi_redirect("subscribe");
return;
}
alert_submenu_common();
if( P("submit")!=0 && cgi_csrf_safe(1) ){
int sdonotcall = PB("sdonotcall");
int sdigest = PB("sdigest");
const char *zEmail = P("semail");
char ssub[10];
int nsub = 0;
Blob update;
if( PB("sa") ) ssub[nsub++] = 'a';
if( g.perm.Read && PB("sc") ) ssub[nsub++] = 'c';
if( g.perm.RdForum && PB("sf") ) ssub[nsub++] = 'f';
if( g.perm.RdTkt && PB("st") ) ssub[nsub++] = 't';
if( g.perm.RdWiki && PB("sw") ) ssub[nsub++] = 'w';
ssub[nsub] = 0;
blob_init(&update, "UPDATE subscriber SET", -1);
blob_append_sql(&update,
" sdonotcall=%d,"
" sdigest=%d,"
" ssub=%Q,"
" mtime=strftime('%%s','now'),"
" smip=%Q",
sdonotcall,
sdigest,
ssub,
g.zIpAddr
);
if( g.perm.Admin ){
const char *suname = PT("suname");
int sverified = PB("sverified");
if( suname && suname[0]==0 ) suname = 0;
blob_append_sql(&update,
", suname=%Q,"
" sverified=%d",
suname,
sverified
);
}
if( isLogin && zEmail && zEmail[0] ){
blob_append_sql(&update, ", semail=%Q", zEmail);
}
blob_append_sql(&update," WHERE subscriberCode=hextoblob(%Q)", zName);
db_exec_sql(blob_str(&update));
blob_reset(&update);
}
if( P("delete")!=0 && cgi_csrf_safe(1) ){
if( !PB("dodelete") ){
eErr = 9;
zErr = mprintf("Select this checkbox and press \"Unsubscribe\" again to"
" unsubscribe");
}else{
alert_unsubscribe(zName);
return;
}
}
db_prepare(&q,
"SELECT"
" semail," /* 0 */
" sverified," /* 1 */
" sdonotcall," /* 2 */
" sdigest," /* 3 */
" ssub," /* 4 */
................................................................................
" datetime(sctime,'unixepoch')" /* 8 */
" FROM subscriber WHERE subscriberCode=hextoblob(%Q)", zName);
if( db_step(&q)!=SQLITE_ROW ){
db_finalize(&q);
cgi_redirect("subscribe");
return;
}
style_header("Update Subscription");
semail = db_column_text(&q, 0);
sverified = db_column_int(&q, 1);
sdonotcall = db_column_int(&q, 2);
sdigest = db_column_int(&q, 3);
ssub = db_column_text(&q, 4);
sa = strchr(ssub,'a')!=0;
sc = strchr(ssub,'c')!=0;
sf = strchr(ssub,'f')!=0;
st = strchr(ssub,'t')!=0;
sw = strchr(ssub,'w')!=0;
smip = db_column_text(&q, 5);
suname = db_column_text(&q, 6);
mtime = db_column_text(&q, 7);
sctime = db_column_text(&q, 8);
if( !g.perm.Admin && !sverified ){
db_multi_exec(
"UPDATE subscriber SET sverified=1 WHERE subscriberCode=hextoblob(%Q)",
zName);
@ <h1>Your email alert subscription has been verified!</h1>
................................................................................
form_begin(0, "%R/alerts");
@ <input type="hidden" name="name" value="%h(zName)">
@ <table class="subscribe">
@ <tr>
@ <td class="form_label">Email Address:</td>
if( isLogin ){
@ <td><input type="text" name="semail" value="%h(semail)" size="30">\
if( g.perm.Admin ){
@ <a href="%R/announce?to=%t(semail)">\
@ (Send a message to %h(semail))</a>\
}
@ </td>
}else{
@ <td>%h(semail)</td>
}
@ </tr>
if( g.perm.Admin ){
|
> | | < | | < < < < | > | < > > > > > > > > > > > > > > > | | | > > > > | | | < < < | | | | | | > | | | > > > | > | > > > | | < | | | > > > > > < > > | | | |
573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 ... 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 .... 1525 1526 1527 1528 1529 1530 1531 1532 1533 1534 1535 1536 1537 1538 1539 1540 1541 1542 .... 1551 1552 1553 1554 1555 1556 1557 1558 1559 1560 1561 1562 1563 1564 1565 1566 1567 1568 1569 1570 1571 1572 1573 1574 1575 1576 1577 1578 1579 1580 1581 1582 1583 1584 1585 1586 1587 1588 1589 1590 1591 1592 1593 1594 1595 1596 1597 1598 1599 1600 1601 1602 1603 1604 1605 1606 1607 1608 1609 1610 1611 1612 1613 1614 1615 1616 1617 1618 1619 1620 1621 1622 1623 1624 1625 .... 1629 1630 1631 1632 1633 1634 1635 1636 1637 1638 1639 1640 1641 1642 1643 1644 1645 1646 1647 1648 1649 1650 1651 1652 1653 1654 1655 1656 1657 1658 .... 1666 1667 1668 1669 1670 1671 1672 1673 1674 1675 1676 1677 1678 1679 1680 1681 1682 1683 1684 |
return 1;
}
}
return 0;
}
/*
** Determine whether or not the input string is a valid email address.
** Only look at character up to but not including the first \000 or
** the first cTerm character, whichever comes first.
**
** Return the length of the email addresss string in bytes if the email
** address is valid. If the email address is misformed, return 0.
*/
int email_address_is_valid(const char *z, char cTerm){
int i;
int nAt = 0;
int nDot = 0;
char c;
if( z[0]=='.' ) return 0; /* Local part cannot begin with "." */
for(i=0; (c = z[i])!=0 && c!=cTerm; i++){
if( fossil_isalnum(c) ){
................................................................................
}else{
return 0; /* Anything else is an error */
}
}
if( c!=cTerm ) return 0; /* Missing terminator */
if( nAt==0 ) return 0; /* No "@" found anywhere */
if( nDot==0 ) return 0; /* No "." in the domain */
return i;
}
/*
** Make a copy of the input string up to but not including the
** first cTerm character.
**
** Verify that the string really that is to be copied really is a
** valid email address. If it is not, then return NULL.
**
** This routine is more restrictive than necessary. It does not
** allow comments, IP address, quoted strings, or certain uncommon
** characters. The only non-alphanumerics allowed in the local
** part are "_", "+", "-" and "+".
*/
char *email_copy_addr(const char *z, char cTerm ){
int i = email_address_is_valid(z, cTerm);
return i==0 ? 0 : mprintf("%.*s", i, z);
}
/*
** Scan the input string for a valid email address enclosed in <...>
** If the string contains one or more email addresses, extract the first
** one into memory obtained from mprintf() and return a pointer to it.
** If no valid email address can be found, return NULL.
................................................................................
*/
void alert_page(void){
const char *zName = P("name");
Stmt q;
int sa, sc, sf, st, sw;
int sdigest, sdonotcall, sverified;
int isLogin; /* Logged in as an individual */
const char *ssub = 0;
const char *semail;
const char *smip;
const char *suname = 0;
const char *mtime;
const char *sctime;
int eErr = 0;
char *zErr = 0;
if( alert_webpages_disabled() ) return;
login_check_credentials();
................................................................................
}
if( zName==0 || !validate16(zName, -1) ){
cgi_redirect("subscribe");
return;
}
alert_submenu_common();
if( P("submit")!=0 && cgi_csrf_safe(1) ){
char newSsub[10];
int nsub = 0;
Blob update;
sdonotcall = PB("sdonotcall");
sdigest = PB("sdigest");
semail = P("semail");
if( PB("sa") ) newSsub[nsub++] = 'a';
if( g.perm.Read && PB("sc") ) newSsub[nsub++] = 'c';
if( g.perm.RdForum && PB("sf") ) newSsub[nsub++] = 'f';
if( g.perm.RdTkt && PB("st") ) newSsub[nsub++] = 't';
if( g.perm.RdWiki && PB("sw") ) newSsub[nsub++] = 'w';
newSsub[nsub] = 0;
ssub = newSsub;
blob_init(&update, "UPDATE subscriber SET", -1);
blob_append_sql(&update,
" sdonotcall=%d,"
" sdigest=%d,"
" ssub=%Q,"
" mtime=strftime('%%s','now'),"
" smip=%Q",
sdonotcall,
sdigest,
ssub,
g.zIpAddr
);
if( g.perm.Admin ){
suname = PT("suname");
sverified = PB("sverified");
if( suname && suname[0]==0 ) suname = 0;
blob_append_sql(&update,
", suname=%Q,"
" sverified=%d",
suname,
sverified
);
}
if( isLogin ){
if( semail==0 || email_address_is_valid(semail,0)==0 ){
eErr = 8;
}
blob_append_sql(&update, ", semail=%Q", semail);
}
blob_append_sql(&update," WHERE subscriberCode=hextoblob(%Q)", zName);
if( eErr==0 ){
db_exec_sql(blob_str(&update));
ssub = 0;
}
blob_reset(&update);
}
if( P("delete")!=0 && cgi_csrf_safe(1) ){
if( !PB("dodelete") ){
eErr = 9;
zErr = mprintf("Select this checkbox and press \"Unsubscribe\" again to"
" unsubscribe");
}else{
alert_unsubscribe(zName);
return;
}
}
style_header("Update Subscription");
db_prepare(&q,
"SELECT"
" semail," /* 0 */
" sverified," /* 1 */
" sdonotcall," /* 2 */
" sdigest," /* 3 */
" ssub," /* 4 */
................................................................................
" datetime(sctime,'unixepoch')" /* 8 */
" FROM subscriber WHERE subscriberCode=hextoblob(%Q)", zName);
if( db_step(&q)!=SQLITE_ROW ){
db_finalize(&q);
cgi_redirect("subscribe");
return;
}
if( ssub==0 ){
semail = db_column_text(&q, 0);
sdonotcall = db_column_int(&q, 2);
sdigest = db_column_int(&q, 3);
ssub = db_column_text(&q, 4);
}
if( suname==0 ){
suname = db_column_text(&q, 6);
sverified = db_column_int(&q, 1);
}
sa = strchr(ssub,'a')!=0;
sc = strchr(ssub,'c')!=0;
sf = strchr(ssub,'f')!=0;
st = strchr(ssub,'t')!=0;
sw = strchr(ssub,'w')!=0;
smip = db_column_text(&q, 5);
mtime = db_column_text(&q, 7);
sctime = db_column_text(&q, 8);
if( !g.perm.Admin && !sverified ){
db_multi_exec(
"UPDATE subscriber SET sverified=1 WHERE subscriberCode=hextoblob(%Q)",
zName);
@ <h1>Your email alert subscription has been verified!</h1>
................................................................................
form_begin(0, "%R/alerts");
@ <input type="hidden" name="name" value="%h(zName)">
@ <table class="subscribe">
@ <tr>
@ <td class="form_label">Email Address:</td>
if( isLogin ){
@ <td><input type="text" name="semail" value="%h(semail)" size="30">\
if( eErr==8 ){
@ <span class='loginError'>← not a valid email address!</span>
}else if( g.perm.Admin ){
@ <a href="%R/announce?to=%t(semail)">\
@ (Send a message to %h(semail))</a>\
}
@ </td>
}else{
@ <td>%h(semail)</td>
}
@ </tr>
if( g.perm.Admin ){
|
Changes to src/login.c.
1542 1543 1544 1545 1546 1547 1548 1549 1550 1551 1552 1553 1554 1555 1556 |
zErr = "User ID may not contain spaces or special characters.";
}else if( zDName[0]==0 ){
iErrLine = 2;
zErr = "Required";
}else if( zEAddr[0]==0 ){
iErrLine = 3;
zErr = "Required";
}else if( email_copy_addr(zEAddr,0)==0 ){
iErrLine = 3;
zErr = "Not a valid email address";
}else if( strlen(zPasswd)<6 ){
iErrLine = 4;
zErr = "Password must be at least 6 characters long";
}else if( fossil_strcmp(zPasswd,zConfirm)!=0 ){
iErrLine = 5;
|
| |
1542 1543 1544 1545 1546 1547 1548 1549 1550 1551 1552 1553 1554 1555 1556 |
zErr = "User ID may not contain spaces or special characters.";
}else if( zDName[0]==0 ){
iErrLine = 2;
zErr = "Required";
}else if( zEAddr[0]==0 ){
iErrLine = 3;
zErr = "Required";
}else if( email_address_is_valid(zEAddr,0)==0 ){
iErrLine = 3;
zErr = "Not a valid email address";
}else if( strlen(zPasswd)<6 ){
iErrLine = 4;
zErr = "Password must be at least 6 characters long";
}else if( fossil_strcmp(zPasswd,zConfirm)!=0 ){
iErrLine = 5;
|