From patchwork Thu Jan 30 09:34:26 2020
From: Lukas Fleischer
To: aur-dev@archlinux.org
Subject: [PATCH] Require current password when setting a new one
Date: Thu, 30 Jan 2020 10:34:26 +0100
Message-Id: <20200130093426.5174-1-lfleischer@archlinux.org>
X-Mailer: git-send-email 2.25.0
MIME-Version: 1.0
X-BeenThere: aur-dev@archlinux.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Arch User Repository \(AUR\) Development"
Errors-To: aur-dev-bounces@archlinux.org
Sender: "aur-dev"
Prevent an attacker from easily taking over an account by changing the
password with a stolen session ID.
Fixes FS#65325.
Signed-off-by: Lukas Fleischer
---
web/html/account.php | 1 +
web/html/register.php | 2 ++
web/lib/acctfuncs.inc.php | 15 ++++++++++++--
web/template/account_edit_form.php | 32 +++++++++++++++++++-----------
4 files changed, 36 insertions(+), 14 deletions(-)
diff --git a/web/html/account.php b/web/html/account.php
index 1d59e9c..7c6c424 100644
--- a/web/html/account.php
+++ b/web/html/account.php
@@ -34,6 +34,7 @@ if ($action == "UpdateAccount") {
in_request("S"),
in_request("E"),
in_request("H"),
+ in_request("PO"),
in_request("P"),
in_request("C"),
in_request("R"),
diff --git a/web/html/register.php b/web/html/register.php
index a426482..8174e34 100644
--- a/web/html/register.php
+++ b/web/html/register.php
@@ -26,6 +26,7 @@ if (in_request("Action") == "NewAccount") {
in_request("H"),
'',
'',
+ '',
in_request("R"),
in_request("L"),
in_request("TZ"),
@@ -54,6 +55,7 @@ if (in_request("Action") == "NewAccount") {
in_request("H"),
'',
'',
+ '',
in_request("R"),
in_request("L"),
in_request("TZ"),
diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php
index e754989..1de49b0 100644
--- a/web/lib/acctfuncs.inc.php
+++ b/web/lib/acctfuncs.inc.php
@@ -96,6 +96,7 @@ function display_account_form($A,$U="",$T="",$S="",$E="",$H="",$P="",$C="",$R=""
* @param string $S Whether or not the account is suspended
* @param string $E The e-mail address for the user
* @param string $H Whether or not the e-mail address should be hidden
+ * @param string $PO The old password of the user
* @param string $P The password for the user
* @param string $C The confirmed password for the user
* @param string $R The real name of the user
@@ -116,7 +117,7 @@ function display_account_form($A,$U="",$T="",$S="",$E="",$H="",$P="",$C="",$R=""
*
* @return array Boolean indicating success and message to be printed
*/
-function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$P="",$C="",
+function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$PO="",$P="",$C="",
$R="",$L="",$TZ="",$HP="",$I="",$K="",$PK="",$J="",$CN="",$UN="",$ON="",$UID=0,$N="",$captcha_salt="",$captcha="") {
global $SUPPORTED_LANGS;
@@ -134,6 +135,7 @@ function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$P="",$C=""
if(isset($_COOKIE['AURSID'])) {
$editor_user = uid_from_sid($_COOKIE['AURSID']);
+ $row = account_details(in_request("ID"), in_request("U"));
}
else {
$editor_user = null;
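Review bot: $row, assigned from account_details(in_request("ID"), in_request("U")) inside the isset($_COOKIE['AURSID']) branch, is not used anywhere in the visible hunks. If nothing further down in process_account_form consumes it, drop the line; if something does, prefer the $UID and $U parameters the function already receives over re-reading the raw request, so the lookup cannot diverge from the values the rest of the function validates.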
@@ -159,9 +161,18 @@ function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$P="",$C=""
. "\n";
}
- if (!$error && $P && $C && ($P != $C)) {
+ if (!$error && $P && !$C) {
+ $error = __("Please confirm your new password.");
+ }
+ if (!$error && $P && !$PO) {
+ $error = __("Please enter your old password in order to set a new one.");
+ }
+ if (!$error && $P && $P != $C) {
$error = __("Password fields do not match.");
}
+ if (!$error && $P && check_passwd($UID, $PO) != 1) {
+ $error = __("The old password is invalid.");
+ }
if (!$error && $P != '' && !good_passwd($P)) {
$length_min = config_get_int('options', 'passwd_min_len');
$error = __("Your password must be at least %s characters.",
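Review bot: check_passwd($UID, $PO) verifies the password of the account being edited ($UID), not of the account behind the session ($editor_user), while the stated threat is a stolen AURSID, where the secret the attacker lacks is the editor's own password. As written, a Trusted User or developer editing another account can no longer set a password for it unless they know that user's current one; if that is the intent, say so in the @param line for $PO, otherwise pass $editor_user to check_passwd. Also, `!$PO` and `!$C` treat the string "0" as an empty field, same as the existing `$P` checks; `$PO === ''` would be the stricter test. The new checks are ordered so that a missing confirmation is reported before a mismatch and the old password is only verified once the new one is consistent, which is the right order and avoids a wasted hash comparison.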
diff --git a/web/template/account_edit_form.php b/web/template/account_edit_form.php
index 5e84aa7..25e9185 100644
--- a/web/template/account_edit_form.php
+++ b/web/template/account_edit_form.php
@@ -86,18 +86,6 @@
/>
-
-
-
-
-
-
-
-
-
-
-
-
@@ -150,6 +138,26 @@
+
+
+
+
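The check this patch introduces, as an added stand-alone PHP example that is not code from the AUR repository: a change-password handler that refuses a new password unless the acting user's current one is supplied and verifies, so a stolen session cookie alone is not enough. It goes one step past the patch by bumping a per-account session generation after the change, so sessions issued before it (including the stolen one) stop validating. AccountStore, its in-memory array backing, sessionGeneration/sessionValid and the generation counter are all assumptions made for the example; password_hash/password_verify are standard PHP.

```php
<?php
declare(strict_types=1);

// Added example, not AUR code. The store, its array backing and the session
// generation counter are assumptions made to keep the example self-contained.
final class AccountStore
{
    /** @var array<int, array{hash: string, gen: int}> user id => record */
    private array $users = [];
    private string $dummyHash;

    public function __construct()
    {
        // Compared against when the id is unknown, so the verify path costs
        // the same time whether or not the account exists.
        $this->dummyHash = password_hash('placeholder', PASSWORD_DEFAULT);
    }

    public function addUser(int $id, string $password): void
    {
        $this->users[$id] = ['hash' => password_hash($password, PASSWORD_DEFAULT), 'gen' => 1];
    }

    public function checkPassword(int $id, string $password): bool
    {
        $hash = $this->users[$id]['hash'] ?? $this->dummyHash;
        $ok = password_verify($password, $hash);   // constant-time compare inside
        return $ok && isset($this->users[$id]);
    }

    /** Generation stamped into a session when it is issued. */
    public function sessionGeneration(int $id): int
    {
        return $this->users[$id]['gen'] ?? 0;
    }

    /** A session is live only while its generation matches the account's. */
    public function sessionValid(int $id, int $sessionGen): bool
    {
        return isset($this->users[$id]) && $sessionGen === $this->users[$id]['gen'];
    }

    /**
     * Same contract as the patch's process_account_form: [success, message].
     * $actorId is the account behind the requesting session, $targetId the
     * account whose password is set; they differ for an admin edit.
     */
    public function changePassword(int $actorId, int $targetId, string $current,
                                   string $new, string $confirm, int $minLen = 8): array
    {
        if (!isset($this->users[$targetId])) {
            return [false, 'No such account.'];
        }
        // Compare with '' instead of relying on truthiness: "0" is a password.
        if ($new === '') {
            return [false, 'No new password supplied.'];
        }
        if ($confirm === '') {
            return [false, 'Please confirm your new password.'];
        }
        if ($current === '') {
            return [false, 'Please enter your old password in order to set a new one.'];
        }
        if ($new !== $confirm) {
            return [false, 'Password fields do not match.'];
        }
        // The actor's own password is the secret a session thief lacks.
        if (!$this->checkPassword($actorId, $current)) {
            return [false, 'The old password is invalid.'];
        }
        if (strlen($new) < $minLen) {
            return [false, "Your password must be at least $minLen characters."];
        }
        $this->users[$targetId]['hash'] = password_hash($new, PASSWORD_DEFAULT);
        // Bumping the generation kills every session issued before the change,
        // a stolen one included; the caller re-issues the actor's own session.
        $this->users[$targetId]['gen']++;
        return [true, 'Password updated.'];
    }
}

// Demonstration on constructed data.
function expect(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("failed: $what");
    }
}

$store = new AccountStore();
$store->addUser(42, 'correct horse battery staple');
$stolenGen = $store->sessionGeneration(42);   // attacker copied the session cookie

[$ok] = $store->changePassword(42, 42, '', 'attacker-pw-1234', 'attacker-pw-1234');
expect($ok === false, 'session alone is not enough');
[$ok] = $store->changePassword(42, 42, 'guess', 'attacker-pw-1234', 'attacker-pw-1234');
expect($ok === false, 'wrong current password is rejected');
[$ok] = $store->changePassword(42, 42, 'correct horse battery staple', 'new-longer-secret', 'new-longer-secret');
expect($ok === true, 'owner with current password succeeds');
expect(!$store->sessionValid(42, $stolenGen), 'pre-change session no longer valid');
expect($store->checkPassword(42, 'new-longer-secret'), 'new password is in effect');
echo "all checks passed\n";
```

The current-password check is keyed on $actorId rather than $targetId on purpose: against a stolen session the attacker is the actor, and that is the password they do not have, while an administrator resetting another account still proves possession of their own credentials. Run it with `php example.php`; it throws on the first failed expectation and otherwise prints one line.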