From patchwork Thu Jan 30 11:57:09 2020
X-Patchwork-Submitter: Lukas Fleischer
X-Patchwork-Id: 1473
From: Lukas Fleischer To: aur-dev@archlinux.org Subject: [PATCH] Verify current password against logged in user Date: Thu, 30 Jan 2020 12:57:09 +0100 Message-Id: <20200130115709.19303-1-lfleischer@archlinux.org> X-Mailer: git-send-email 2.25.0 MIME-Version: 1.0 X-BeenThere: aur-dev@archlinux.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Arch User Repository \(AUR\) Development" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: aur-dev-bounces@archlinux.org Sender: "aur-dev" When changing the password of an account, instead of asking for the old password of the account, ask for the password of the currently logged in user. This allows privileged users to edit other accounts without knowing their passwords. Signed-off-by: Lukas Fleischer --- web/lib/acctfuncs.inc.php | 9 ++++----- web/template/account_edit_form.php | 4 ++-- 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php index 601d4ce..d2144c2 100644 --- a/web/lib/acctfuncs.inc.php +++ b/web/lib/acctfuncs.inc.php @@ -134,10 +134,9 @@ function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$PO="",$P=" $dbh = DB::connect(); if(isset($_COOKIE['AURSID'])) { - $editor_user = uid_from_sid($_COOKIE['AURSID']); - } - else { - $editor_user = null; + $uid_session = uid_from_sid($_COOKIE['AURSID']); + } else { + $uid_session = null; } if (empty($E) || empty($U)) { @@ -169,7 +168,7 @@ function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$PO="",$P=" if (!$error && $P && $P != $C) { $error = __("Password fields do not match."); } - if (!$error && $P && check_passwd($UID, $PO) != 1) { + if (!$error && $P && check_passwd($uid_session, $PO) != 1) { $error = __("The old password is invalid."); } if (!$error && $P != '' && !good_passwd($P)) { diff --git a/web/template/account_edit_form.php b/web/template/account_edit_form.php index 25e9185..7bd233a 100644 --- a/web/template/account_edit_form.php 
+++ b/web/template/account_edit_form.php @@ -140,9 +140,9 @@
- +

- +
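Review bot: In the second acctfuncs.inc.php hunk (the check_passwd() call), the error string "The old password is invalid." no longer describes what is being checked: the value compared is now the logged-in editor's current password, not the edited account's old one, so a privileged user who mistypes their own password gets a message pointing at the wrong account. Please update the message to say that the current password of the logged-in user is wrong, and confirm that check_passwd() fails closed when $uid_session is null (no AURSID cookie), since the original call passed $UID and this path now depends on the session value instead.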
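Review bot: In the first acctfuncs.inc.php hunk, renaming $editor_user to $uid_session is only safe if no other line of process_account_form() still references $editor_user; the diff shows only the assignment being renamed, so please confirm there are no remaining uses further down the function, or keep the old name and change only the check_passwd() argument.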