diff options
author | Lukas Fleischer <lfleischer@archlinux.org> | 2020-01-30 10:23:50 +0100 |
---|---|---|
committer | Lukas Fleischer <lfleischer@archlinux.org> | 2020-01-30 10:31:26 +0100 |
commit | daee20c694000e1e85a98760773bcbbdc0709527 (patch) | |
tree | 939c7d7f57ffd3b2aab1dbe7a4e25f27d929cd9d | |
parent | eeaa1c3a3220e3735445d094dc7d2cd9ac07b621 (diff) | |
download | aur-daee20c694000e1e85a98760773bcbbdc0709527.tar.gz aur-daee20c694000e1e85a98760773bcbbdc0709527.tar.xz |
Require current password when setting a new one
Prevent from easily taking over an account by changing the password with
a stolen session ID.
Fixes FS#65325.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
-rw-r--r-- | web/html/account.php | 1 | ||||
-rw-r--r-- | web/html/register.php | 2 | ||||
-rw-r--r-- | web/lib/acctfuncs.inc.php | 15 | ||||
-rw-r--r-- | web/template/account_edit_form.php | 32 |
4 files changed, 36 insertions, 14 deletions
diff --git a/web/html/account.php b/web/html/account.php index 1d59e9c9..7c6c424a 100644 --- a/web/html/account.php +++ b/web/html/account.php @@ -34,6 +34,7 @@ if ($action == "UpdateAccount") { in_request("S"), in_request("E"), in_request("H"), + in_request("PO"), in_request("P"), in_request("C"), in_request("R"), diff --git a/web/html/register.php b/web/html/register.php index a4264829..8174e342 100644 --- a/web/html/register.php +++ b/web/html/register.php @@ -26,6 +26,7 @@ if (in_request("Action") == "NewAccount") { in_request("H"), '', '', + '', in_request("R"), in_request("L"), in_request("TZ"), @@ -54,6 +55,7 @@ if (in_request("Action") == "NewAccount") { in_request("H"), '', '', + '', in_request("R"), in_request("L"), in_request("TZ"), diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php index e754989a..1de49b01 100644 --- a/web/lib/acctfuncs.inc.php +++ b/web/lib/acctfuncs.inc.php @@ -96,6 +96,7 @@ function display_account_form($A,$U="",$T="",$S="",$E="",$H="",$P="",$C="",$R="" * @param string $S Whether or not the account is suspended * @param string $E The e-mail address for the user * @param string $H Whether or not the e-mail address should be hidden + * @param string $PO The old password of the user * @param string $P The password for the user * @param string $C The confirmed password for the user * @param string $R The real name of the user @@ -116,7 +117,7 @@ function display_account_form($A,$U="",$T="",$S="",$E="",$H="",$P="",$C="",$R="" * * @return array Boolean indicating success and message to be printed */ -function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$P="",$C="", +function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$PO="",$P="",$C="", $R="",$L="",$TZ="",$HP="",$I="",$K="",$PK="",$J="",$CN="",$UN="",$ON="",$UID=0,$N="",$captcha_salt="",$captcha="") { global $SUPPORTED_LANGS; @@ -134,6 +135,7 @@ function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$P="",$C="" if(isset($_COOKIE['AURSID'])) { $editor_user = uid_from_sid($_COOKIE['AURSID']); + $row = account_details(in_request("ID"), in_request("U")); } else { $editor_user = null; @@ -159,9 +161,18 @@ function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$P="",$C="" . "</li>\n</ul>"; } - if (!$error && $P && $C && ($P != $C)) { + if (!$error && $P && !$C) { + $error = __("Please confirm your new password."); + } + if (!$error && $P && !$PO) { + $error = __("Please enter your old password in order to set a new one."); + } + if (!$error && $P && $P != $C) { $error = __("Password fields do not match."); } + if (!$error && $P && check_passwd($UID, $PO) != 1) { + $error = __("The old password is invalid."); + } if (!$error && $P != '' && !good_passwd($P)) { $length_min = config_get_int('options', 'passwd_min_len'); $error = __("Your password must be at least %s characters.", diff --git a/web/template/account_edit_form.php b/web/template/account_edit_form.php index 5e84aa71..25e91853 100644 --- a/web/template/account_edit_form.php +++ b/web/template/account_edit_form.php @@ -86,18 +86,6 @@ <input type="checkbox" name="H" id="id_hide" <?= $H ? 'checked="checked"' : '' ?> /> </p> - <?php if ($A == "UpdateAccount"): ?> - <p> - <label for="id_passwd1"><?= __("Password") ?>:</label> - <input type="password" size="30" name="P" id="id_passwd1" value="<?= $P ?>" /> - </p> - - <p> - <label for="id_passwd2"><?= __("Re-type password") ?>:</label> - <input type="password" size="30" name="C" id="id_passwd2" value="<?= $C ?>" /> - </p> - <?php endif; ?> - <p> <label for="id_realname"><?= __("Real Name") ?>:</label> <input type="text" size="30" maxlength="32" name="R" id="id_realname" value="<?= htmlspecialchars($R,ENT_QUOTES) ?>" /> @@ -150,6 +138,26 @@ </p> </fieldset> + <?php if ($A == "UpdateAccount"): ?> + <fieldset> + <legend><?= __("If you want to change your password, enter your current passport, your new password and confirm the new password by entering it again.") ?></legend> + <p> + <label for="id_passwd_old"><?= __("Old password") ?>:</label> + <input type="password" size="30" name="PO" id="id_passwd_old" value="<?= $PO ?>" /> + </p> + + <p> + <label for="id_passwd1"><?= __("Password") ?>:</label> + <input type="password" size="30" name="P" id="id_passwd1" value="<?= $P ?>" /> + </p> + + <p> + <label for="id_passwd2"><?= __("Re-type password") ?>:</label> + <input type="password" size="30" name="C" id="id_passwd2" value="<?= $C ?>" /> + </p> + </fieldset> + <?php endif; ?> + <fieldset> <legend><?= __("The following information is only required if you want to submit packages to the Arch User Repository.") ?></legend> <p> |