<?php
// Path of this script. Nothing in the visible part of the file reads it —
// presumably an included template does (TODO confirm).
$filepath = __FILE__;
require __DIR__.'/../vendor/autoload.php';
require_once "email/smtp.php";
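/**
 * Best-effort client address, used for the ban log.
 *
 * Client-IP and X-Forwarded-For are request headers: unless a reverse proxy
 * under our control overwrites them, the client chooses their content. The
 * original precedence is kept (the deployment may sit behind a proxy —
 * confirm), but every candidate must parse as an IP literal, so free text
 * from a header can never be returned. Treat the result as a hint, not as
 * an identity; only REMOTE_ADDR comes from the TCP connection itself.
 *
 * @return string a syntactically valid IPv4/IPv6 address, or '' if none is available
 */
function getUserIpAddr() {
    $candidates = [];

    if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
        // ip from shared internet
        $candidates[] = $_SERVER['HTTP_CLIENT_IP'];
    }

    if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        // ip passed on by a proxy; the header may hold a comma-separated
        // chain, of which the first entry is the reported client
        $chain = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
        $candidates[] = $chain[0];
    }

    // address of the peer that actually connected to the web server
    $candidates[] = $_SERVER['REMOTE_ADDR'] ?? '';

    foreach ($candidates as $candidate) {
        $ip = filter_var(trim((string) $candidate), FILTER_VALIDATE_IP);
        if ($ip !== false) {
            return $ip;
        }
    }

    return '';
}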
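/**
 * Append one "name - email - ip" record to the ban log.
 *
 * The callers in this file pass $name and $email straight from the request,
 * in some paths before they have passed validation, so both can contain
 * line breaks or other control characters. Those are collapsed to a space
 * so that a single request always produces exactly one log line.
 *
 * @param mixed $name  username as submitted
 * @param mixed $email e-mail address as submitted
 */
function add_ban_info($name, $email): void
{
    // keep the record on one line: control characters become a single space
    $one_line = static function ($value): string {
        $text = is_scalar($value) ? (string) $value : '';
        return trim(preg_replace('/[\x00-\x1F\x7F]+/', ' ', $text) ?? '');
    };

    $user_ip = getUserIpAddr();
    $user_info = $one_line($name) . " - " . $one_line($email) . " - " . $one_line($user_ip);

    // LOCK_EX keeps records from concurrent requests from interleaving
    file_put_contents("/var/signups_banned", $user_info.PHP_EOL, FILE_APPEND | LOCK_EX);
}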
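/**
 * Check that $string is a single OpenSSH public key line:
 * "<type> <base64 blob> [comment]".
 *
 * A prefix test alone accepts any text that merely begins with a key type
 * name. The whole line is later stored and mailed as part of a command
 * line, so the structure is verified here:
 *   - one line only, no control characters;
 *   - the first field is exactly one of the accepted key types;
 *   - the second field is valid base64;
 *   - the decoded blob starts with the same key type name (the SSH wire
 *     format puts a length-prefixed type string at the front of the blob).
 * The optional comment is not restricted; callers must still quote the key
 * before using it in a shell context.
 *
 * Fields must be separated by spaces.
 *
 * @param mixed $string submitted key
 */
function is_ssh_pubkey($string): bool
{
    // list from sshd(8)
    $valid_pubkeys = [
        'sk-ecdsa-sha2-nistp256@openssh.com',
        'ecdsa-sha2-nistp256',
        'ecdsa-sha2-nistp384',
        'ecdsa-sha2-nistp521',
        'sk-ssh-ed25519@openssh.com',
        'ssh-ed25519',
        'ssh-dss',
        'ssh-rsa',
    ];

    if (!is_string($string)) {
        return false;
    }

    // a key is one line; line breaks or other control bytes are never part of it
    if (preg_match('/[\x00-\x1F\x7F]/', $string)) {
        return false;
    }

    $fields = preg_split('/ +/', trim($string), 3);
    if ($fields === false || count($fields) < 2) {
        return false;
    }
    [$type, $blob] = $fields;

    if (!in_array($type, $valid_pubkeys, true)) {
        return false;
    }

    if (!preg_match('#^[A-Za-z0-9+/]+={0,2}$#', $blob)) {
        return false;
    }

    $decoded = base64_decode($blob, true);
    if ($decoded === false || strlen($decoded) < 4) {
        return false;
    }

    // first item in the blob: uint32 length, then the key type name
    $type_len = unpack('N', substr($decoded, 0, 4))[1];

    return substr($decoded, 4, $type_len) === $type;
}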
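/**
 * Tell whether a username may not be registered.
 *
 * A name is forbidden when it is on the built-in list of reserved service
 * names, is already waiting in /var/signups_current, or is listed in
 * /var/banned_names.txt. Comparison is exact and type-strict.
 *
 * A list file that does not exist or cannot be read counts as empty instead
 * of aborting the request (array_merge() rejects the false that file()
 * returns on failure).
 * NOTE(review): that means a missing /var/banned_names.txt disables those
 * bans silently — confirm this is acceptable or alert on it.
 *
 * @param mixed $name requested username
 * @return bool true if the name must be refused
 */
function forbidden_name($name): bool
{
    $badnames = [
        '0x0',
        'abuse',
        'admin',
        'administrator',
        'auth',
        'autoconfig',
        'bbj',
        'broadcasthost',
        'cloud',
        'forum',
        'ftp',
        'git',
        'gopher',
        'hostmaster',
        'imap',
        'info',
        'irc',
        'is',
        'isatap',
        'it',
        'localdomain',
        'localhost',
        'lounge',
        'mail',
        'mailer-daemon',
        'marketing',
        'marketting',
        'mis',
        'news',
        'nobody',
        'noc',
        'noreply',
        'pop',
        'pop3',
        'postmaster',
        'retro',
        'root',
        'sales',
        'security',
        'smtp',
        'ssladmin',
        'ssladministrator',
        'sslwebmaster',
        'support',
        'sysadmin',
        'team',
        'usenet',
        'uucp',
        'webmaster',
        'wpad',
        'www',
        'znc',
    ];

    // anything that is not a string cannot be a usable username: refuse it
    if (!is_string($name)) {
        return true;
    }

    // one entry per line; stray whitespace (e.g. CRLF endings) is ignored
    $read_list = static function (string $path): array {
        if (!is_readable($path)) {
            return [];
        }
        $lines = file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
        return $lines === false ? [] : array_map('trim', $lines);
    };

    return in_array(
        $name,
        array_merge(
            $badnames,
            $read_list("/var/signups_current"),
            $read_list("/var/banned_names.txt")
        ),
        true
    );
}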
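/**
 * Tell whether an e-mail address is listed in /var/banned_emails.txt.
 *
 * Both sides are trimmed and lower-cased before comparison, so a banned
 * address cannot be resubmitted with different letter case. Comparison is
 * type-strict. A missing or unreadable list counts as empty.
 *
 * @param mixed $email address to look up
 * @return bool true if the address is banned
 */
function forbidden_email($email): bool
{
    $needle = is_string($email) ? strtolower(trim($email)) : '';
    if ($needle === '') {
        return false;
    }

    $path = "/var/banned_emails.txt";
    $femail = is_readable($path)
        ? file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES)
        : false;
    if ($femail === false) {
        return false;
    }

    foreach ($femail as $line) {
        if (strtolower(trim($line)) === $needle) {
            return true;
        }
    }

    return false;
}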
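/**
 * Tell whether the key material of $sshkey is listed in
 * /var/banned_sshkeys.txt.
 *
 * Only the second field of each line (the base64 blob) is compared, so the
 * comment of a key does not matter. Lines or input without a second field
 * are skipped rather than read at a missing index, the comparison is
 * type-strict, and a missing or unreadable list counts as empty.
 *
 * @param mixed $sshkey submitted public key line
 * @return bool true if the key is banned
 */
function forbidden_sshkey($sshkey): bool
{
    // second whitespace-separated field of a key line, or null if absent
    $blob_of = static function ($line): ?string {
        if (!is_string($line)) {
            return null;
        }
        $parts = preg_split('/\s+/', trim($line));
        if ($parts === false || !isset($parts[1]) || $parts[1] === '') {
            return null;
        }
        return $parts[1];
    };

    $candidate = $blob_of($sshkey);
    if ($candidate === null) {
        return false;
    }

    $path = "/var/banned_sshkeys.txt";
    $fsshkey = is_readable($path)
        ? file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES)
        : false;
    if ($fsshkey === false) {
        return false;
    }

    foreach ($fsshkey as $line) {
        if ($blob_of($line) === $candidate) {
            return true;
        }
    }

    return false;
}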
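// Signup form handler.
//
// Validates the submitted username, e-mail address, reason and ssh key,
// collecting one <li> per problem in $message. With no problems it mails the
// request to the admins and queues a "makeuser" line; otherwise it prints the
// collected problems. $message is emitted as HTML, so every request-derived
// value placed in it is escaped.
$message = "";
if (isset($_REQUEST["username"]) && isset($_REQUEST["email"])) {
    // Request fields are only ever used as strings; anything else
    // (e.g. "username[]=x") or a missing field counts as empty.
    $field = static function (string $key): string {
        $value = $_REQUEST[$key] ?? "";
        return is_string($value) ? $value : "";
    };

    // Check the name.
    $name = trim($field("username"));
    if ($name === "")
        $message .= "<li>fill in your desired username</li>\n";
    else {
        if (strlen($name) < 2)
            $message .= "<li>username is too short (2 character min)</li>\n";

        if (strlen($name) > 32)
            $message .= "<li>username too long (32 character max)</li>\n";

        if (strlen($name) > 1 && !preg_match('/^[a-z][a-z0-9]{1,31}$/', $name))
            $message .= "<li>username contains invalid characters (lowercase only, must start with a letter).</li>\n";

        // This check also runs for names that failed the format checks
        // above, so $name is still raw input here and must be escaped.
        if (posix_getpwnam($name) || forbidden_name($name))
            $message .= "<li>sorry, the username "
                . htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
                . " is unavailable</li>\n";
    }

    // Check the e-mail address.
    $email = trim($field("email"));
    if ($email === "")
        $message .= "<li>please fill in your email address</li>";
    else {
        $result = SMTP::MakeValidEmailAddress($field("email"));
        if (!$result["success"])
            $message .= "<li>invalid email address: " . htmlspecialchars($result["error"]) . "</li>";
        elseif ($result["email"] != $email)
            $message .= "<li>invalid email address. did you mean: " . htmlspecialchars($result["email"]) . "</li>";

        elseif ($name !== "" && forbidden_email($email)) {
            $message .= "<li>your email is banned!</li><br />";
            add_ban_info($name, $email);
        }
    }

    $interest = $field("interest");
    if ($interest === "")
        $message .= "<li>please explain why you're interested so we can make sure you're a real human being</li>";

    $sshkey = trim($field("sshkey"));
    // The key ends up in a one-record-per-line file, so a key with an
    // embedded line break or other control character is refused outright.
    if ($sshkey === "" || preg_match('/[\x00-\x1F\x7F]/', $sshkey) || !is_ssh_pubkey($sshkey))
        $message .= '<li>ssh key required: please create one and submit the public key. '
            . 'see our <a href="https://tilde.team/wiki/ssh">ssh wiki</a> or '
            . 'hop on <a href="https://tilde.chat/kiwi/#team">irc</a> and ask for help</li>';
    else {
        if ($name !== "" && $email !== "") {
            if (forbidden_sshkey($sshkey)) {
                $message .= "<li>your sshkey is banned!</li>\n";
                add_ban_info($name, $email);
            }
        }
    }

    // no validation errors
    if ($message === "") {
        // Built from the validated, trimmed values rather than the raw
        // request. $name has passed the [a-z][a-z0-9]* check; the address and
        // the key (whose comment field is free text) are quoted as single
        // shell words.
        // NOTE(review): assumes this line is read by a POSIX shell, whether
        // pasted by an admin or run by a script — confirm the consumer.
        $makeuser = "makeuser $name " . escapeshellarg($email) . " " . escapeshellarg($sshkey);

        $msgbody = "
username: $name
email: $email
reason: $interest

$makeuser
";

        if (mail('sudoers', 'new tilde.team signup', $msgbody)) {
            echo '<div class="alert alert-success" role="alert">
                email sent! we\'ll get back to you soon (usually within a day) with login instructions! <a href="/">back to tilde.team home</a>
                </div>';
            // temp. add to forbidden to prevent double signups (cleanup after user creation)
            // LOCK_EX keeps lines from concurrent requests from interleaving
            file_put_contents("/var/signups_current", $name.PHP_EOL, FILE_APPEND | LOCK_EX);
            file_put_contents("/var/signups", $makeuser.PHP_EOL, FILE_APPEND | LOCK_EX);
            // clear form fields
            $_REQUEST["email"] = $_REQUEST["username"] = $_REQUEST["sshkey"] = $_REQUEST["interest"] = "";
        } else {
            echo '<div class="alert alert-danger" role="alert">
                something went wrong... please send an email to <a href="mailto:sudoers@tilde.team">sudoers@tilde.team</a> with details of what happened
                </div>';
        }

    } else {
        ?>
        <div class="alert alert-warning" role="alert">
            <strong>notice: </strong>
            <?=$message?>
        </div>
        <?php
    }
}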
?>