diff --git a/signup/signup-handler.php b/signup/signup-handler.php
index 7961499..61bd989 100644
--- a/signup/signup-handler.php
+++ b/signup/signup-handler.php
@@ -2,6 +2,19 @@
require __DIR__.'/../vendor/autoload.php';
require_once "email/smtp.php";
+function getUserIpAddr() {
+ if(!empty($_SERVER['HTTP_CLIENT_IP'])) {
+ //ip from share internet
+ $ip = $_SERVER['HTTP_CLIENT_IP'];
+ } elseif(!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
+ //ip pass from proxy
+ $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
+ } else {
+ $ip = $_SERVER['REMOTE_ADDR'];
+ }
+ return $ip;
+}
+
function forbidden_name($name) {
return in_array($name, [
'0x0',
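Review bot: getUserIpAddr prefers the HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR request headers over REMOTE_ADDR, and both headers are supplied by whoever sends the request, so the value this function returns — which later ends up in /var/signups_banned and in the page output — can be chosen freely by the client and need not be an IP address at all (X-Forwarded-For is commonly a comma-separated list). Unless the application sits behind a reverse proxy that is known to overwrite these headers, only REMOTE_ADDR should be used, and even that should be validated: `$ip = $_SERVER['REMOTE_ADDR'] ?? '';` followed by `return filter_var($ip, FILTER_VALIDATE_IP) !== false ? $ip : '';`. If a proxy is in front, read the forwarded header only when REMOTE_ADDR equals the proxy's own address, and validate the extracted hop the same way. The function also has no return type and no docblock; a one-line `/** Best-effort client address for the ban log; not an identity to rely on. */` would tell the next reader how far to trust it.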
@@ -57,31 +70,43 @@ function forbidden_name($name) {
'www',
'znc',
]);
+
+ $current = file("/var/signups_current", FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
+ $banned = file("/var/banned_names.txt", FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
+
+ $tmp = array_merge($forbidden, $current);
+ $fname = array_merge($tmp, $banned);
+
}
+function forbidden_email($email) {
+ $femail = file("/var/banned_emails.txt", FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
+
+ return in_array($email, $femail);
+}
+
+
$message = "";
if (isset($_REQUEST["username"]) && isset($_REQUEST["email"])) {
// Check the name.
$name = trim($_REQUEST["username"]);
if ($name == "")
- $message .= "
please fill in your desired username";
+ $message .= "fill in your desired username\n";
if (strlen($name) > 32)
- $message .= "username too long (32 character max)";
+ $message .= "username too long (32 character max)\n";
- if (!preg_match('/^[a-z][a-z0-9]{2,31}$/', $name))
- $message .= "username contains invalid characters (lowercase only, must start with a letter)";
+ if ($name != "" && strlen($name) < 2)
+ $message .= "username is too short (2 character min)\n";
- if ($_REQUEST["sshkey"] == "" || mb_substr($_REQUEST["sshkey"], 0, 4) !== "ssh-")
- $message .= 'ssh key required: please create one and submit the public key. '
- . 'see our ssh wiki or '
- . 'hop on irc and ask for help';
-
- if ($_REQUEST["interest"] == "")
- $message .= "please explain why you're interested so we can make sure you're a real human being";
+ if (strlen($name) > 1 && !preg_match('/^[a-z][a-z0-9]{1,31}$/', $name))
+ $message .= "username contains invalid characters (lowercase only, must start with a letter).\n";
if (posix_getpwnam($name) || forbidden_name($name))
- $message .= "sorry, the username $name is unavailable";
+ $message .= "sorry, the username $name is unavailable\n";
+
+ if ($email == "")
+ $message .= "fill in your email address\n";
// Check the e-mail address.
$email = trim($_REQUEST["email"]);
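Review bot: The lines added after `];` at the end of forbidden_name are unreachable — the function has already returned from in_array by then — so $current, $banned and $fname are never used, `$forbidden` is never defined, and neither /var/banned_names.txt nor the in-progress signups list actually blocks a name; the `return in_array($name, [` that opens the function sits above this hunk. Assigning the literal to `$forbidden = [ … ];` and returning one merged, strict lookup fixes it; note that `file()` returns false when a list cannot be read and array_merge on false throws a TypeError, so either treat that as an empty list (as below) or, if a missing ban list should fail closed, test `=== false` and append to $message. In the same hunk, `if ($email == "")` runs before `$email = trim($_REQUEST["email"])` two lines later, so it tests an undefined variable (null == "" is true) and appends "fill in your email address" on every submission; move the check below the assignment. forbidden_email has the same file()-returns-false exposure and should pass `true` as the third argument to in_array.
```php
function forbidden_name($name) {
    $forbidden = [
        // … unchanged: the reserved-name list …
    ];

    $current = file("/var/signups_current", FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    $banned = file("/var/banned_names.txt", FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);

    // file() yields false when a list is unreadable; an empty list keeps the lookup well-formed
    return in_array($name, array_merge($forbidden, $current ?: [], $banned ?: []), true);
}
```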
@@ -93,11 +118,26 @@ if (isset($_REQUEST["username"]) && isset($_REQUEST["email"])) {
$message .= "invalid email address: " . htmlspecialchars($result["error"]) . "";
elseif ($result["email"] != $email)
$message .= "invalid email address. did you mean: " . htmlspecialchars($result["email"]) . "";
+
+ if (forbidden_email($email)) {
+ $user_ip = getUserIpAddr();
+ $user_info = "$name - $email - $user_ip";
+ $message .= "your email is banned!
IP: $user_ip\n";
+ file_put_contents("/var/signups_banned", $user_info.PHP_EOL, FILE_APPEND);
+ }
}
+ if ($_REQUEST["interest"] == "")
+ $message .= "please explain why you're interested so we can make sure you're a real human being";
+
+ if ($_REQUEST["sshkey"] == "" || mb_substr($_REQUEST["sshkey"], 0, 4) !== "ssh-")
+ $message .= 'ssh key required: please create one and submit the public key. '
+ . 'see our ssh wiki or '
+ . 'hop on irc and ask for help';
+
// no validation errors
- if ($message == "") {
+ if ($message == "") {
$sshkey = trim($_REQUEST["sshkey"]);
$makeuser = "makeuser {$_REQUEST["username"]} {$_REQUEST["email"]} \"{$sshkey}\"";
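Review bot: The banned-email branch interpolates $user_ip and $name into $message without escaping, while the neighbouring invalid-email messages pass their values through htmlspecialchars; since $user_ip comes from getUserIpAddr, which reads client-settable headers, and $name at this point may already have failed the character check, this puts unescaped request-controlled text into the response. Use the same escaping as the other messages: `$message .= "your email is banned!\nIP: " . htmlspecialchars($user_ip, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "\n";`. The line appended to /var/signups_banned is built from the same unvalidated strings, so whatever consumes that file must treat each field as untrusted — or write only validated values there (the regex-checked $name, the validator's $result["email"], a filter_var-validated address). This append also runs on every request carrying a banned address with no limit, so the file can grow without bound; that may be acceptable, but it is worth a comment at the file_put_contents call.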
@@ -113,6 +153,8 @@ $makeuser
echo '';
+ // temp. add to forbidden to prevent double signups (cleanup after user creation)
+ file_put_contents("/var/signups_current", $name.PHP_EOL, FILE_APPEND);
file_put_contents("/var/signups", $makeuser.PHP_EOL, FILE_APPEND);
} else {
echo '