From daee20c694000e1e85a98760773bcbbdc0709527 Mon Sep 17 00:00:00 2001
From: Lukas Fleischer
Date: Thu, 30 Jan 2020 10:23:50 +0100
Subject: Require current password when setting a new one
Prevent from easily taking over an account by changing the password with
a stolen session ID.
Fixes FS#65325.
Signed-off-by: Lukas Fleischer
---
web/html/account.php | 1 +
web/html/register.php | 2 ++
web/lib/acctfuncs.inc.php | 15 +++++++++++++--
web/template/account_edit_form.php | 32 ++++++++++++++++++++------------
4 files changed, 36 insertions(+), 14 deletions(-)
(limited to 'web')
diff --git a/web/html/account.php b/web/html/account.php
index 1d59e9c9..7c6c424a 100644
--- a/web/html/account.php
+++ b/web/html/account.php
@@ -34,6 +34,7 @@ if ($action == "UpdateAccount") {
in_request("S"),
in_request("E"),
in_request("H"),
+ in_request("PO"),
in_request("P"),
in_request("C"),
in_request("R"),
diff --git a/web/html/register.php b/web/html/register.php
index a4264829..8174e342 100644
--- a/web/html/register.php
+++ b/web/html/register.php
@@ -26,6 +26,7 @@ if (in_request("Action") == "NewAccount") {
in_request("H"),
'',
'',
+ '',
in_request("R"),
in_request("L"),
in_request("TZ"),
@@ -54,6 +55,7 @@ if (in_request("Action") == "NewAccount") {
in_request("H"),
'',
'',
+ '',
in_request("R"),
in_request("L"),
in_request("TZ"),
diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php
index e754989a..1de49b01 100644
--- a/web/lib/acctfuncs.inc.php
+++ b/web/lib/acctfuncs.inc.php
@@ -96,6 +96,7 @@ function display_account_form($A,$U="",$T="",$S="",$E="",$H="",$P="",$C="",$R=""
* @param string $S Whether or not the account is suspended
* @param string $E The e-mail address for the user
* @param string $H Whether or not the e-mail address should be hidden
+ * @param string $PO The old password of the user
* @param string $P The password for the user
* @param string $C The confirmed password for the user
* @param string $R The real name of the user
@@ -116,7 +117,7 @@ function display_account_form($A,$U="",$T="",$S="",$E="",$H="",$P="",$C="",$R=""
*
* @return array Boolean indicating success and message to be printed
*/
-function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$P="",$C="",
+function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$PO="",$P="",$C="",
$R="",$L="",$TZ="",$HP="",$I="",$K="",$PK="",$J="",$CN="",$UN="",$ON="",$UID=0,$N="",$captcha_salt="",$captcha="") {
global $SUPPORTED_LANGS;
@@ -134,6 +135,7 @@ function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$P="",$C=""
if(isset($_COOKIE['AURSID'])) {
$editor_user = uid_from_sid($_COOKIE['AURSID']);
+ $row = account_details(in_request("ID"), in_request("U"));
}
else {
$editor_user = null;
@@ -159,9 +161,18 @@ function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$P="",$C=""
. "\n";
}
- if (!$error && $P && $C && ($P != $C)) {
+ if (!$error && $P && !$C) {
+ $error = __("Please confirm your new password.");
+ }
+ if (!$error && $P && !$PO) {
+ $error = __("Please enter your old password in order to set a new one.");
+ }
+ if (!$error && $P && $P != $C) {
$error = __("Password fields do not match.");
}
+ if (!$error && $P && check_passwd($UID, $PO) != 1) {
+ $error = __("The old password is invalid.");
+ }
if (!$error && $P != '' && !good_passwd($P)) {
$length_min = config_get_int('options', 'passwd_min_len');
$error = __("Your password must be at least %s characters.",
diff --git a/web/template/account_edit_form.php b/web/template/account_edit_form.php
index 5e84aa71..25e91853 100644
--- a/web/template/account_edit_form.php
+++ b/web/template/account_edit_form.php
@@ -86,18 +86,6 @@
/>