xref: /web-master/forgot.php (revision 369ff201) 
1<?php // vim: et ts=2 sw=2
2require dirname(__FILE__) . '/include/functions.inc';
3require dirname(__FILE__) . "/include/cvs-auth.inc";
4require dirname(__FILE__) . "/include/mailer.php";
5
6$id = isset($_REQUEST['id']) ? $_REQUEST['id'] : false;
7$user = isset($_REQUEST['user']) ? $_REQUEST['user'] : false;
8$key = isset($_REQUEST['key']) ? $_REQUEST['key'] : false;
9$n1 = isset($_REQUEST['n1']) ? $_REQUEST['n1'] : false;
10$n2 = isset($_REQUEST['n2']) ? $_REQUEST['n2'] : false;
11
12$ts = $_SERVER["REQUEST_TIME"];
13
14function random_password() {
15  $alphanum = array_merge(range("a","z"),range("A","Z"),range(0,9));
16
17  $return = '';
18  for ($i = 0; $i < 12; $i++) {
19    $return .= $alphanum[rand(0,count($alphanum)-1)];
20  }
21  return $return;
22}
23
24function username_from_forgotten($key, $id) {
25  $res = db_query_safe("SELECT username FROM users WHERE userid=? AND forgot=?", [$id, $key]);
26  if ($res && ($row = mysql_fetch_array($res,MYSQL_ASSOC))) {
27    return $row["username"];
28  }
29}
30head("forgotten password");
31
32db_connect();
33
34if ($id && $key) {
35  if ($n1 && $n2) {
36    if ($n1 == $n2) {
37      $svnpasswd = gen_svn_pass(username_from_forgotten($key, $id), $n1);
38      $res = db_query_safe("UPDATE users SET forgot=NULL,svnpasswd=?,pchanged=? WHERE userid=? AND forgot=?", [$svnpasswd, $ts, $id, $key]);
39      if ($res && mysql_affected_rows()) {
40        echo '<p>Okay, your password has been changed. It could take as long as an hour before this change makes it to the VCS server and other services. To change your password again, you\'ll have to start this process over to get a new key.</p>';
41        foot();
42        exit;
43      }
44      else {
45        echo '<p class="warning">Naughty you, the key you used to access this page doesn\'t match what we have on file for that userid.</p>';
46      }
47    }
48    else {
49      echo '<p class="warning">Those two passwords didn\'t match!</p>';
50    }
51  }
52?>
53<p>You're in the home stretch now. Just choose a new password
54(typing it twice, to avoid typos and another trip around this
55merry-go-round).</p>
56<form method="post" action="<?php echo htmlentities($_SERVER['PHP_SELF']) ?>">
57password: <input type="password" name="n1" value="<?= hsc($n1)?>" />
58<br />again: <input type="password" name="n2" value="<?= hsc($n1)?>" />
59<br /><input type="submit" value="do it!" />
60<input type="hidden" name="id" value="<?= hsc($id)?>" />
61<input type="hidden" name="key" value="<?= hsc($key)?>" />
62</form>
63<?php
64  foot();
65  exit;
66}
67elseif ($user) {
68  $res = db_query_safe("SELECT * FROM users WHERE username = ?", [$user]);
69  if ($res && ($row = mysql_fetch_array($res,MYSQL_ASSOC))) {
70    $newpass = random_password();
71    $query = "UPDATE users SET forgot=? WHERE userid=?";
72    $res = db_query_safe($query, [$newpass, $row['userid']]);
73    if ($res) {
74      $body =
75"Someone filled out the form that says you forgot your php.net VCS
76password. If it wasn't you, don't worry too much about it. Unless
77someone is reading your mail, there's not much they can do. (But you
78may want to change your password using the instructions below, just to
79be safe.)
80
81To change your password, simply use the URL below and choose a new
82password.
83
84  https://master.php.net/forgot.php?id=$row[userid]&key=$newpass
85
86Let us know if you have any further problems.
87--
88group@php.net
89";
90      mailer(
91        $row['username'] . '@php.net',
92        "Password change instructions for $row[username]", $body,
93        new MailAddress('group@php.net', 'PHP Group'));
94      echo '<p>Okay, instructions on how to change your password have been sent to your email address. If you don\'t receive them, you\'ll have to contact group@php.net for help.</p>';
95      foot();
96      exit;
97    }
98    else {
99      echo '<p class="warning">Something strange happened. You\'ll have to contact group@php.net for help.</p>';
100    }
101  }
102  else {?>
103<p class="warning">There's nobody named <?php echo hsc($user)?> around here. Perhaps you need to contact
104group@php.net for help.</p>
105<?php
106  }
107}
108?>
109<p>Forgot your <acronym title="Version Control System">VCS</acronym> password, huh? Just fill in your VCS username, and
110instructions will be sent to you on how to change your password.</p>
111<form method="post" action="<?= $_SERVER['PHP_SELF'] ?>">
112 <label for="user">username:</label>
113 <input type="text" id="user" name="user" value="<?php echo hsc($user)?>" />
114 <input type="submit" value="send help" />
115</form>
116<?php
117foot();
118
119