author | Lukas Fleischer <lfleischer@archlinux.org> | 2020-01-30 11:52:32 +0100 |
---|---|---|
committer | Lukas Fleischer <lfleischer@archlinux.org> | 2020-01-30 13:25:15 +0100 |
commit | 8fc8898fef39af20a24c9928464fd8420481d819 (patch) | |
tree | 34cf8f9eeeb9b642e074d2a5b1186ecbf6b8b3a1 /web | |
parent | 7aa420d24da7e8c2c214ab421d44b4684d42e73e (diff) | |
Require password when deleting an account
Further reduce the attack surface in case of a stolen session ID.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
Diffstat (limited to 'web')
-rw-r--r-- | web/html/account.php | 17 | ||||
-rw-r--r-- | web/template/account_delete.php | 11 |
2 files changed, 22 insertions, 6 deletions
diff --git a/web/html/account.php b/web/html/account.php
index 7c6c424a..03af8d43 100644
--- a/web/html/account.php
+++ b/web/html/account.php
@@ -120,12 +120,21 @@ if (isset($_COOKIE["AURSID"])) {
 } elseif ($action == "DeleteAccount") {
 /* Details for account being deleted. */
 if (can_edit_account($row)) {
- $UID = $row['ID'];
+ $uid_removal = $row['ID'];
+ $uid_session = uid_from_sid($_COOKIE['AURSID']);
+ $username = $row['Username'];
+
 if (in_request('confirm') && check_token()) {
- user_delete($UID);
- header('Location: /');
+ if (check_passwd($uid_session, $_REQUEST['passwd']) == 1) {
+ user_delete($uid_removal);
+ header('Location: /');
+ } else {
+ echo "<ul class='errorlist'><li>";
+ echo __("Invalid password.");
+ echo "</li></ul>";
+ include("account_delete.php");
+ }
 } else {
- $username = $row['Username'];
 include("account_delete.php");
 }
 } else {
diff --git a/web/template/account_delete.php b/web/template/account_delete.php
index 718b172f..d0c6e74d 100644
--- a/web/template/account_delete.php
+++ b/web/template/account_delete.php
@@ -12,8 +12,15 @@
 <input type="hidden" name="token" value="<?= htmlspecialchars($_COOKIE['AURSID']) ?>" />
 </fieldset>
 <fieldset>
- <p><label class="confirmation"><input type="checkbox" name="confirm" value="1" />
- <?= __("Confirm deletion") ?></label></p>
+ <p>
+ <label for="id_passwd"><?= __("Password") ?>:</label>
+ <input type="password" size="30" name="passwd" id="id_passwd" value="" />
+ </p>
+
+ <p>
+ <label class="confirmation"><input type="checkbox" name="confirm" value="1" />
+ <?= __("Confirm deletion") ?></label>
+ </p>
 <p>
 <input type="submit" class="button" value="<?= __("Delete") ?>" /> |
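Review bot: `$_REQUEST['passwd']` on the new `check_passwd` line is read unguarded, so a request that carries `confirm` and a valid token but no `passwd` field raises an undefined-index notice before the password is checked, and because `$_REQUEST` also merges the query string the password can arrive via GET and land in access logs; reading it as `$_POST['passwd'] ?? ''` (or gating on `in_request('passwd')` next to `in_request('confirm')`, if that helper is meant to cover it) closes both gaps. The `== 1` comparison is loose: if `check_passwd` returns an int, `=== 1` states the intent, and if it returns a bool the result should be tested directly rather than coerced. A failed password check on an account-deletion request is also worth recording, since this path is exactly the one the commit message wants to defend against a stolen session; I cannot see from the hunk whether any logging or lockout exists around `check_passwd`. The enclosing `elseif ($action == "DeleteAccount")` block ends outside the hunk.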