Commit daee20c6 authored by Lukas Fleischer's avatar Lukas Fleischer
Browse files

Require current password when setting a new one



Prevent from easily taking over an account by changing the password with
a stolen session ID.

Fixes FS#65325.
Signed-off-by: Lukas Fleischer's avatarLukas Fleischer <lfleischer@archlinux.org>
parent eeaa1c3a
...@@ -34,6 +34,7 @@ if ($action == "UpdateAccount") { ...@@ -34,6 +34,7 @@ if ($action == "UpdateAccount") {
in_request("S"), in_request("S"),
in_request("E"), in_request("E"),
in_request("H"), in_request("H"),
in_request("PO"),
in_request("P"), in_request("P"),
in_request("C"), in_request("C"),
in_request("R"), in_request("R"),
......
...@@ -26,6 +26,7 @@ if (in_request("Action") == "NewAccount") { ...@@ -26,6 +26,7 @@ if (in_request("Action") == "NewAccount") {
in_request("H"), in_request("H"),
'', '',
'', '',
'',
in_request("R"), in_request("R"),
in_request("L"), in_request("L"),
in_request("TZ"), in_request("TZ"),
...@@ -54,6 +55,7 @@ if (in_request("Action") == "NewAccount") { ...@@ -54,6 +55,7 @@ if (in_request("Action") == "NewAccount") {
in_request("H"), in_request("H"),
'', '',
'', '',
'',
in_request("R"), in_request("R"),
in_request("L"), in_request("L"),
in_request("TZ"), in_request("TZ"),
......
...@@ -96,6 +96,7 @@ function display_account_form($A,$U="",$T="",$S="",$E="",$H="",$P="",$C="",$R="" ...@@ -96,6 +96,7 @@ function display_account_form($A,$U="",$T="",$S="",$E="",$H="",$P="",$C="",$R=""
* @param string $S Whether or not the account is suspended * @param string $S Whether or not the account is suspended
* @param string $E The e-mail address for the user * @param string $E The e-mail address for the user
* @param string $H Whether or not the e-mail address should be hidden * @param string $H Whether or not the e-mail address should be hidden
* @param string $PO The old password of the user
* @param string $P The password for the user * @param string $P The password for the user
* @param string $C The confirmed password for the user * @param string $C The confirmed password for the user
* @param string $R The real name of the user * @param string $R The real name of the user
...@@ -116,7 +117,7 @@ function display_account_form($A,$U="",$T="",$S="",$E="",$H="",$P="",$C="",$R="" ...@@ -116,7 +117,7 @@ function display_account_form($A,$U="",$T="",$S="",$E="",$H="",$P="",$C="",$R=""
* *
* @return array Boolean indicating success and message to be printed * @return array Boolean indicating success and message to be printed
*/ */
function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$P="",$C="", function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$PO="",$P="",$C="",
$R="",$L="",$TZ="",$HP="",$I="",$K="",$PK="",$J="",$CN="",$UN="",$ON="",$UID=0,$N="",$captcha_salt="",$captcha="") { $R="",$L="",$TZ="",$HP="",$I="",$K="",$PK="",$J="",$CN="",$UN="",$ON="",$UID=0,$N="",$captcha_salt="",$captcha="") {
global $SUPPORTED_LANGS; global $SUPPORTED_LANGS;
...@@ -134,6 +135,7 @@ function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$P="",$C="" ...@@ -134,6 +135,7 @@ function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$P="",$C=""
if(isset($_COOKIE['AURSID'])) { if(isset($_COOKIE['AURSID'])) {
$editor_user = uid_from_sid($_COOKIE['AURSID']); $editor_user = uid_from_sid($_COOKIE['AURSID']);
$row = account_details(in_request("ID"), in_request("U"));
} }
else { else {
$editor_user = null; $editor_user = null;
...@@ -159,9 +161,18 @@ function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$P="",$C="" ...@@ -159,9 +161,18 @@ function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$P="",$C=""
. "</li>\n</ul>"; . "</li>\n</ul>";
} }
if (!$error && $P && $C && ($P != $C)) { if (!$error && $P && !$C) {
$error = __("Please confirm your new password.");
}
if (!$error && $P && !$PO) {
$error = __("Please enter your old password in order to set a new one.");
}
if (!$error && $P && $P != $C) {
$error = __("Password fields do not match."); $error = __("Password fields do not match.");
} }
if (!$error && $P && check_passwd($UID, $PO) != 1) {
$error = __("The old password is invalid.");
}
if (!$error && $P != '' && !good_passwd($P)) { if (!$error && $P != '' && !good_passwd($P)) {
$length_min = config_get_int('options', 'passwd_min_len'); $length_min = config_get_int('options', 'passwd_min_len');
$error = __("Your password must be at least %s characters.", $error = __("Your password must be at least %s characters.",
......
...@@ -86,18 +86,6 @@ ...@@ -86,18 +86,6 @@
<input type="checkbox" name="H" id="id_hide" <?= $H ? 'checked="checked"' : '' ?> /> <input type="checkbox" name="H" id="id_hide" <?= $H ? 'checked="checked"' : '' ?> />
</p> </p>
<?php if ($A == "UpdateAccount"): ?>
<p>
<label for="id_passwd1"><?= __("Password") ?>:</label>
<input type="password" size="30" name="P" id="id_passwd1" value="<?= $P ?>" />
</p>
<p>
<label for="id_passwd2"><?= __("Re-type password") ?>:</label>
<input type="password" size="30" name="C" id="id_passwd2" value="<?= $C ?>" />
</p>
<?php endif; ?>
<p> <p>
<label for="id_realname"><?= __("Real Name") ?>:</label> <label for="id_realname"><?= __("Real Name") ?>:</label>
<input type="text" size="30" maxlength="32" name="R" id="id_realname" value="<?= htmlspecialchars($R,ENT_QUOTES) ?>" /> <input type="text" size="30" maxlength="32" name="R" id="id_realname" value="<?= htmlspecialchars($R,ENT_QUOTES) ?>" />
...@@ -150,6 +138,26 @@ ...@@ -150,6 +138,26 @@
</p> </p>
</fieldset> </fieldset>
<?php if ($A == "UpdateAccount"): ?>
<fieldset>
<legend><?= __("If you want to change your password, enter your current passport, your new password and confirm the new password by entering it again.") ?></legend>
<p>
<label for="id_passwd_old"><?= __("Old password") ?>:</label>
<input type="password" size="30" name="PO" id="id_passwd_old" value="<?= $PO ?>" />
</p>
<p>
<label for="id_passwd1"><?= __("Password") ?>:</label>
<input type="password" size="30" name="P" id="id_passwd1" value="<?= $P ?>" />
</p>
<p>
<label for="id_passwd2"><?= __("Re-type password") ?>:</label>
<input type="password" size="30" name="C" id="id_passwd2" value="<?= $C ?>" />
</p>
</fieldset>
<?php endif; ?>
<fieldset> <fieldset>
<legend><?= __("The following information is only required if you want to submit packages to the Arch User Repository.") ?></legend> <legend><?= __("The following information is only required if you want to submit packages to the Arch User Repository.") ?></legend>
<p> <p>
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment