X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~mdw/git/disorder/blobdiff_plain/fb6aa8d1be147ccb9f82238f7531bf334ea801f7..91370169de7f552f3a54e5ef9e079a202a5efbfa:/server/dcgi.c

diff --git a/server/dcgi.c b/server/dcgi.c
index caaea64..19e25e0 100644
--- a/server/dcgi.c
+++ b/server/dcgi.c
@@ -1,6 +1,6 @@
 /*
  * This file is part of DisOrder.
- * Copyright (C) 2004, 2005, 2006, 2007 Richard Kettlewell
+ * Copyright (C) 2004-2008 Richard Kettlewell
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -57,6 +57,7 @@
 #include "url.h"
 #include "mime.h"
 #include "sendmail.h"
+#include "base64.h"
 
 char *login_cookie;
 
@@ -73,15 +74,23 @@ struct entry {
   const char *display;
 };
 
+static const char nonce_base64_table[] =
+  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-/*";
+
 static const char *nonce(void) {
-  static unsigned long count;
-  char *s;
+  static uint32_t count;
+
+  struct ndata {
+    uint16_t count;
+    uint16_t pid;
+    uint32_t when;
+  } nd;
 
-  byte_xasprintf(&s, "%lx%lx%lx",
-	   (unsigned long)time(0),
-	   (unsigned long)getpid(),
-	   count++);
-  return s;
+  nd.count = count++;
+  nd.pid = (uint32_t)getpid();
+  nd.when = (uint32_t)time(0);
+  return generic_to_base64((void *)&nd, sizeof nd,
+			   nonce_base64_table);
 }
 
 static int compare_entry(const void *a, const void *b) {
@@ -113,7 +122,7 @@ static void header_cookie(struct sink *output) {
   parse_url(config->url, &u);
   if(login_cookie) {
     dynstr_append_string(d, "disorder=");
-    dynstr_append_string(d, quote822(login_cookie, 0));
+    dynstr_append_string(d, login_cookie);
   } else {
     /* Force browser to discard cookie */
     dynstr_append_string(d, "disorder=none;Max-Age=0");
@@ -123,8 +132,14 @@ static void header_cookie(struct sink *output) {
      * that.  But the default path only goes up to the rightmost /, which would
      * cause the browser to expose the cookie to other CGI programs on the same
      * web server. */
-    dynstr_append_string(d, ";Path=");
-    dynstr_append_string(d, quote822(u.path, 0));
+    dynstr_append_string(d, ";Version=1;Path=");
+    /* Formally we are supposed to quote the path, since it invariably has a
+     * slash in it.  However Safari does not parse quoted paths correctly, so
+     * this won't work.  Fortunately nothing else seems to care about proper
+     * quoting of paths, so in practice we get with it.  (See also
+     * parse_cookie() where we are liberal about cookie paths on the way back
+     * in.) */
+    dynstr_append_string(d, u.path);
   }
   dynstr_terminate(d);
   cgi_header(output, "Set-Cookie", d->vec);
@@ -503,12 +518,13 @@ static void act_logout(cgi_sink *output,
 
 static void act_register(cgi_sink *output,
 			 dcgi_state *ds) {
-  const char *username, *password, *email;
+  const char *username, *password, *password2, *email;
   char *confirm, *content_type;
   const char *text, *encoding, *charset;
 
   username = cgi_get("username");
-  password = cgi_get("password");
+  password = cgi_get("password1");
+  password2 = cgi_get("password2");
   email = cgi_get("email");
 
   if(!username || !*username) {
@@ -521,6 +537,11 @@ static void act_register(cgi_sink *output,
     expand_template(ds, output, "login");
     return;
   }
+  if(!password2 || !*password2 || strcmp(password, password2)) {
+    cgi_set_option("error", "passwordmismatch");
+    expand_template(ds, output, "login");
+    return;
+  }
   if(!email || !*email) {
     cgi_set_option("error", "noemail");
     expand_template(ds, output, "login");
@@ -563,20 +584,107 @@ static void act_confirm(cgi_sink *output,
     cgi_set_option("error", "noconfirm");
     expand_template(ds, output, "login");
   }
+  /* Confirm our registration */
   if(disorder_confirm(ds->g->client, confirmation)) {
     cgi_set_option("error", "badconfirm");
     expand_template(ds, output, "login");
   }
+  /* Get a cookie */
+  if(disorder_make_cookie(ds->g->client, &login_cookie)) {
+    cgi_set_option("error", "cookiefailed");
+    expand_template(ds, output, "login");
+    return;
+  }
+  /* Discard any cached data JIC */
+  ds->g->flags = 0;
+  /* We have a new cookie */
+  header_cookie(output->sink);
   cgi_set_option("status", "confirmed");
   expand_template(ds, output, "login");
 }
 
+static void act_edituser(cgi_sink *output,
+			 dcgi_state *ds) {
+  const char *email = cgi_get("email"), *password = cgi_get("changepassword1");
+  const char *password2 = cgi_get("changepassword2");
+  int newpassword = 0;
+  disorder_client *c;
+
+  if((password && *password) || (password && *password2)) {
+    if(!password || !password2 || strcmp(password, password2)) {
+      cgi_set_option("error", "passwordmismatch");
+      expand_template(ds, output, "login");
+      return;
+    }
+  } else
+    password = password2 = 0;
+  
+  if(email) {
+    if(disorder_edituser(ds->g->client, disorder_user(ds->g->client),
+			 "email", email)) {
+      cgi_set_option("error", "badedit");
+      expand_template(ds, output, "login");
+      return;
+    }
+  }
+  if(password) {
+    if(disorder_edituser(ds->g->client, disorder_user(ds->g->client),
+			 "password", password)) {
+      cgi_set_option("error", "badedit");
+      expand_template(ds, output, "login");
+      return;
+    }
+    newpassword = 1;
+  }
+  if(newpassword) {
+    login_cookie = 0;			/* it'll be invalid now */
+    /* This is a bit duplicative of act_login() */
+    c = disorder_new(0);
+    if(disorder_connect_user(c, disorder_user(ds->g->client), password)) {
+      cgi_set_option("error", "loginfailed");
+      expand_template(ds, output, "login");
+      return;
+    }
+    if(disorder_make_cookie(c, &login_cookie)) {
+      cgi_set_option("error", "cookiefailed");
+      expand_template(ds, output, "login");
+      return;
+    }
+    /* Use the new connection henceforth */
+    ds->g->client = c;
+    ds->g->flags = 0;
+    /* We have a new cookie */
+    header_cookie(output->sink);
+  }
+  cgi_set_option("status", "edited");
+  expand_template(ds, output, "login");  
+}
+
+static void act_reminder(cgi_sink *output,
+			 dcgi_state *ds) {
+  const char *const username = cgi_get("username");
+
+  if(!username || !*username) {
+    cgi_set_option("error", "nousername");
+    expand_template(ds, output, "login");
+    return;
+  }
+  if(disorder_reminder(ds->g->client, username)) {
+    cgi_set_option("error", "reminderfailed");
+    expand_template(ds, output, "login");
+    return;
+  }
+  cgi_set_option("status", "reminded");
+  expand_template(ds, output, "login");  
+}
+
 static const struct action {
   const char *name;
   void (*handler)(cgi_sink *output, dcgi_state *ds);
 } actions[] = {
   { "confirm", act_confirm },
   { "disable", act_disable },
+  { "edituser", act_edituser },
   { "enable", act_enable },
   { "login", act_login },
   { "logout", act_logout },
@@ -588,6 +696,7 @@ static const struct action {
   { "random-disable", act_random_disable },
   { "random-enable", act_random_enable },
   { "register", act_register },
+  { "reminder", act_reminder },
   { "remove", act_remove },
   { "resume", act_resume },
   { "scratch", act_scratch },
@@ -1608,6 +1717,39 @@ static void exp_right(int attribute((unused)) nargs,
     expandstring(output, args[2], ds);
 }
 
+static void exp_userinfo(int attribute((unused)) nargs,
+			 char **args,
+			 cgi_sink *output,
+			 void *u) {
+  dcgi_state *const ds = u;
+  const char *value;
+
+  if(disorder_userinfo(ds->g->client, disorder_user(ds->g->client), args[0],
+		       (char **)&value))
+    value = "";
+  cgi_output(output, "%s", value);
+}
+
+static void exp_image(int attribute((unused)) nargs,
+		      char **args,
+		      cgi_sink *output,
+		      void attribute((unused)) *u) {
+  char *labelname;
+  const char *imagestem;
+
+  byte_xasprintf(&labelname, "images.%s", args[0]);
+  if(cgi_label_exists(labelname))
+    imagestem = cgi_label(labelname);
+  else if(strchr(args[0], '.'))
+    imagestem = args[0];
+  else
+    byte_xasprintf((char **)&imagestem, "%s.png", args[0]);
+  if(cgi_label_exists("url.static"))
+    cgi_output(output, "%s/%s", cgi_label("url.static"), imagestem);
+  else
+    cgi_output(output, "/disorder/%s", imagestem);
+}
+
 static const struct cgi_expansion expansions[] = {
   { "#", 0, INT_MAX, EXP_MAGIC, exp_comment },
   { "action", 0, 0, 0, exp_action },
@@ -1623,6 +1765,7 @@ static const struct cgi_expansion expansions[] = {
   { "fullname", 0, 0, 0, exp_fullname },
   { "id", 0, 0, 0, exp_id },
   { "if", 2, 3, EXP_MAGIC, exp_if },
+  { "image", 1, 1, 0, exp_image },
   { "include", 1, 1, 0, exp_include },
   { "index", 0, 0, 0, exp_index },
   { "isdirectories", 0, 0, 0, exp_isdirectories },
@@ -1670,6 +1813,7 @@ static const struct cgi_expansion expansions[] = {
   { "url", 0, 0, 0, exp_url },
   { "urlquote", 1, 1, 0, exp_urlquote },
   { "user", 0, 0, 0, exp_user },
+  { "userinfo", 1, 1, 0, exp_userinfo },
   { "version", 0, 0, 0, exp_version },
   { "volume", 1, 1, 0, exp_volume },
   { "when", 0, 0, 0, exp_when },