From patchwork Thu Jan 30 11:57:15 2020
X-Patchwork-Submitter: Lukas Fleischer
X-Patchwork-Id: 1474
From: Lukas Fleischer
To: aur-dev@archlinux.org
Subject: [PATCH] Require password when deleting an account
Date: Thu, 30 Jan 2020 12:57:15 +0100
Message-Id: <20200130115715.19362-1-lfleischer@archlinux.org>
X-Mailer: git-send-email 2.25.0
List-Id: "Arch User Repository (AUR) Development"

Further reduce the attack surface in case of a stolen session ID.
Signed-off-by: Lukas Fleischer --- web/html/account.php | 17 +++++++++++++---- web/template/account_delete.php | 11 +++++++++-- 2 files changed, 22 insertions(+), 6 deletions(-) diff --git a/web/html/account.php b/web/html/account.php index 7c6c424..03af8d4 100644 --- a/web/html/account.php +++ b/web/html/account.php @@ -120,12 +120,21 @@ if (isset($_COOKIE["AURSID"])) { } elseif ($action == "DeleteAccount") { /* Details for account being deleted. */ if (can_edit_account($row)) { - $UID = $row['ID']; + $uid_removal = $row['ID']; + $uid_session = uid_from_sid($_COOKIE['AURSID']); + $username = $row['Username']; + if (in_request('confirm') && check_token()) { - user_delete($UID); - header('Location: /'); + if (check_passwd($uid_session, $_REQUEST['passwd']) == 1) { + user_delete($uid_removal); + header('Location: /'); + } else { + echo "
  • "; + echo __("Invalid password."); + echo "
"; + include("account_delete.php"); + } } else { - $username = $row['Username']; include("account_delete.php"); } } else { diff --git a/web/template/account_delete.php b/web/template/account_delete.php index 718b172..d0c6e74 100644 --- a/web/template/account_delete.php +++ b/web/template/account_delete.php @@ -12,8 +12,15 @@
-

+

+ + +

+ +

+ +

" />