From patchwork Thu Jan 30 09:34:26 2020
X-Patchwork-Submitter: Lukas Fleischer
X-Patchwork-Id: 1470
From: Lukas Fleischer
To: aur-dev@archlinux.org
Subject: [PATCH] Require current password when setting a new one
Date: Thu, 30 Jan 2020 10:34:26 +0100
Message-Id: <20200130093426.5174-1-lfleischer@archlinux.org>
X-Mailer: git-send-email 2.25.0
List-Id: "Arch User Repository \(AUR\) Development"

Prevent easily taking over an account by changing the password with a stolen session ID.

Fixes FS#65325.

Signed-off-by: Lukas Fleischer
---
 web/html/account.php | 1 +
 web/html/register.php | 2 ++
 web/lib/acctfuncs.inc.php | 15 ++++++++++++--
 web/template/account_edit_form.php | 32 +++++++++++++++++++-----------
 4 files changed, 36 insertions(+), 14 deletions(-)

diff --git a/web/html/account.php b/web/html/account.php index 1d59e9c..7c6c424 100644 --- a/web/html/account.php +++ b/web/html/account.php @@ -34,6 +34,7 @@ if ($action == "UpdateAccount") { in_request("S"), in_request("E"), in_request("H"), + in_request("PO"), in_request("P"), in_request("C"), in_request("R"),
diff --git a/web/html/register.php b/web/html/register.php index a426482..8174e34 100644 --- a/web/html/register.php +++ b/web/html/register.php @@ -26,6 +26,7 @@ if (in_request("Action") == "NewAccount") { in_request("H"), '', '', + '', in_request("R"), in_request("L"), in_request("TZ"), @@ -54,6 +55,7 @@ if (in_request("Action") == "NewAccount") { in_request("H"), '', '', + '', in_request("R"), in_request("L"), in_request("TZ"),
diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php index e754989..1de49b0 100644 --- a/web/lib/acctfuncs.inc.php +++ b/web/lib/acctfuncs.inc.php
@@ -96,6 +96,7 @@ function display_account_form($A,$U="",$T="",$S="",$E="",$H="",$P="",$C="",$R="" * @param string $S Whether or not the account is suspended * @param string $E The e-mail address for the user * @param string $H Whether or not the e-mail address should be hidden + * @param string $PO The old password of the user * @param string $P The password for the user * @param string $C The confirmed password for the user * @param string $R The real name of the user @@ -116,7 +117,7 @@ function display_account_form($A,$U="",$T="",$S="",$E="",$H="",$P="",$C="",$R="" * * @return array Boolean indicating success and message to be printed */ -function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$P="",$C="", +function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$PO="",$P="",$C="", $R="",$L="",$TZ="",$HP="",$I="",$K="",$PK="",$J="",$CN="",$UN="",$ON="",$UID=0,$N="",$captcha_salt="",$captcha="") { global $SUPPORTED_LANGS; @@ -134,6 +135,7 @@ function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$P="",$C="" if(isset($_COOKIE['AURSID'])) { $editor_user = uid_from_sid($_COOKIE['AURSID']); + $row = account_details(in_request("ID"), in_request("U")); } else { $editor_user = null; @@ -159,9 +161,18 @@ function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$P="",$C="" . "\n"; } - if (!$error && $P && $C && ($P != $C)) { + if (!$error && $P && !$C) { + $error = __("Please confirm your new password."); + } + if (!$error && $P && !$PO) { + $error = __("Please enter your old password in order to set a new one."); + } + if (!$error && $P && $P != $C) { $error = __("Password fields do not match."); } + if (!$error && $P && check_passwd($UID, $PO) != 1) { + $error = __("The old password is invalid."); + } if (!$error && $P != '' && !good_passwd($P)) { $length_min = config_get_int('options', 'passwd_min_len'); $error = __("Your password must be at least %s characters.", 
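Review bot: the new $PO parameter is inserted positionally between $H and $P in a signature that already takes more than twenty positional arguments, so every caller has to be updated in lock-step; the patch touches the three call sites in account.php and register.php, but any caller not shown here would now silently pass its new password ($P) as the old password and its confirmation ($C) as the new one, with no type error to flag it. Please confirm with a grep for `process_account_form(` that these are the only callers, and consider a short comment next to the added `'',` in register.php noting that it is the unused old-password slot for NewAccount, where in_request("PO") is intentionally never read.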
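Review bot: `check_passwd($UID, $PO) != 1` verifies the current password of the account being edited ($UID), not of the editor, and the preceding `if (!$error && $P && !$PO)` check makes $PO mandatory whenever $P is set, so a Trusted User or Developer editing another user's account can no longer set that user's password unless they know that user's current one (the editor is already available in this hunk via `$editor_user = uid_from_sid($_COOKIE['AURSID']);`). If admin-initiated password resets are meant to keep working, gate the old-password requirement on `$editor_user == $UID` (or verify the editor's own password instead); if they are meant to stop, say so in the commit message so the behaviour change is deliberate. Separately, `$row = account_details(in_request("ID"), in_request("U"));` is assigned in this hunk but not referenced on any visible line; if it is unused, drop it rather than issuing an extra lookup on every form submission.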
diff --git a/web/template/account_edit_form.php b/web/template/account_edit_form.php index 5e84aa7..25e9185 100644 --- a/web/template/account_edit_form.php +++ b/web/template/account_edit_form.php @@ -86,18 +86,6 @@ />

- -

- - -

- -

- - -

- -

@@ -150,6 +138,26 @@

+ +
+ +

+ + +

+ +

+ + +

+ +

+ + +

+
+ +