Hello, I've just thought that we could use registered GPG keys to send the links encrypted.
What do people think?
From 77ebda6eb54b1d6e6b4e1428bcc3ef7807995d37 Mon Sep 17 00:00:00 2001 From: Ineiev <ine...@gnu.org> Date: Fri, 10 Feb 2017 12:10:55 +0000 Subject: [PATCH] Encrypt message to GPG key when available. --- frontend/php/account/lostpw-confirm.php | 54 +++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) diff --git a/frontend/php/account/lostpw-confirm.php b/frontend/php/account/lostpw-confirm.php index a4dc5cd..96a90c3 100644 --- a/frontend/php/account/lostpw-confirm.php +++ b/frontend/php/account/lostpw-confirm.php @@ -4,6 +4,7 @@ # Copyright 1999-2000 (c) The SourceForge Crew # Copyright 2004-2005 (c) Mathieu Roy <yeupou--gnu.org> # Joxean Koret <joxeankoret--yahoo.es> +# Copyright 2017 (c) Ineiev <ineiev--gnu.org> # # This file is part of Savane. # 
@@ -140,6 +141,55 @@ $message_for_admin = . gmdate('D, d M Y H:i:s \G\M\T') . "\n"; +$message_enc = ""; +$temp_dir = shell_exec('echo -n `mktemp --tmpdir -d lostpw.XXXXXXXX`'); +if($temp_dir != "") + { + # Import registered GPG key to temporary directory. + $temp_dir = "'".$temp_dir."'"; + $res_gpg = db_execute("SELECT gpg_key FROM user WHERE user_id=?", + array($row_user['user_id'])); + $row_gpg = db_fetch_array($res_gpg); + + $gpg_process = popen('gpg --homedir '.$temp_dir.' --import 2>/dev/null >/dev/null', + 'w'); + fwrite($gpg_process, $row_gpg['gpg_key']); + pclose($gpg_process); + + # Find first key with encryption capability; get its ID. + $gpg_command = 'gpg --homedir '.$temp_dir.' --list-keys --with-colons 2>/dev/null'; + $gpg_command = $gpg_command." | awk -F ':' '"; + $gpg_command = $gpg_command.'$1 == "pub" { if($12 !~ /[eE]/) next; '; + $gpg_command = $gpg_command.'if($5 == "") next; printf("%s", $5); exit(0); }'; + $gpg_command = $gpg_command."'"; + $key_id = shell_exec($gpg_command); + + if($key_id != "") + { + $temp_file = shell_exec('echo -n `mktemp --tmpdir lostpw.XXXXXXXX`'); + if($temp_file != "") + { + # Encrypt message. + $temp_file = "'".$temp_file."'"; + $gpg_command = 'gpg --homedir '.$temp_dir.' --batch -a --encrypt '; + $gpg_command = $gpg_command.'--trust-model always -r '.$key_id; + $gpg_command = $gpg_command." > ".$temp_file; + $gpg_process = popen($gpg_command, 'w'); + fwrite($gpg_process, $message); + pclose($gpg_process); + $message_enc = shell_exec("cat ".$temp_file); + shell_exec('rm -f '.$temp_file); + } + } + + shell_exec('rm -fr '.$temp_dir); + + if($message_enc != "") + { + $message = $message_enc; + } + } + sendmail_mail($GLOBALS['sys_mail_replyto']."@".$GLOBALS['sys_mail_domain'], $row_user['email'], $GLOBALS['sys_default_domain']." Verification", 
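Review bot: `$key_id` is read back from the `gpg --list-keys | awk` pipeline and appended unquoted to the encrypt command (`'--trust-model always -r '.$key_id`), while `$temp_dir` and `$temp_file` are quoted by wrapping them in literal `'` characters instead of `escapeshellarg()`. The key block is supplied by the account holder, so anything derived from it should be validated before it reaches a shell, for example `if (!preg_match('/^[0-9A-Fa-f]{8,40}$/', $key_id)) $key_id = "";` followed by `'-r '.escapeshellarg($key_id)`. The return values of `popen()`, `fwrite()` and `pclose()` are not checked either, so a failed import or encryption silently falls back to mailing the reset link in clear text. Checking the `pclose()` exit status and logging the fallback would make that case visible to administrators.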
@@ -159,6 +209,10 @@ $HTML->header(array('title'=>_("Lost Password Confirmation"))); print '<p>'._("An email has been sent to the address you have on file.").'</p>'; print '<p>'._("Follow the instructions in the email to change your account password.").'</p>'; +if($message_enc != "") + { + print '<p>'._("Note that it was encrypted with your registered GPG key.").'</p>'; + } ; $HTML->footer(array()); -- 1.7.9.5
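Review bot: The added `if($message_enc != "")` notice is shown to whoever submitted the reset request, so the confirmation page now differs depending on whether the account has a usable GPG key registered. If this page is reachable without authentication (likely for a lost-password flow, though not visible in this hunk), that discloses an attribute of the account to the requester. Keeping the page text identical in both cases and mentioning the encryption only in the mail, or in the account settings, avoids the difference.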