[geeklog-cvs] geeklog-1.3/public_html usersettings.php,1.81,1.82

dhaun at geeklog.net dhaun at geeklog.net
Wed Jan 21 14:58:02 EST 2004


Update of /usr/cvs/geeklog/geeklog-1.3/public_html
In directory geeklog_prod:/tmp/cvs-serv24747

Modified Files:
	usersettings.php 
Log Message:
Added check for a random hash before accepting account changes.


Index: usersettings.php
===================================================================
RCS file: /usr/cvs/geeklog/geeklog-1.3/public_html/usersettings.php,v
retrieving revision 1.81
retrieving revision 1.82
diff -C2 -d -r1.81 -r1.82
*** usersettings.php	18 Jan 2004 14:47:16 -0000	1.81
--- usersettings.php	21 Jan 2004 19:58:00 -0000	1.82
***************
*** 154,160 ****
      $A = DB_fetchArray($result);
  
      $preferences->set_var ('about_value', $A['about']);
      $preferences->set_var ('pgpkey_value', $A['pgpkey']);
!     $preferences->set_var ('uid_value', $_USER['uid']);
      $preferences->set_var ('username_value', $_USER['username']);
  
--- 154,164 ----
      $A = DB_fetchArray($result);
  
+     $reqid = substr (md5 (uniqid (rand (), 1)), 1, 16);
+     DB_change ($_TABLES['users'], 'pwrequestid', "$reqid",
+                                   'username', $username);
+ 
      $preferences->set_var ('about_value', $A['about']);
      $preferences->set_var ('pgpkey_value', $A['pgpkey']);
!     $preferences->set_var ('uid_value', $reqid);
      $preferences->set_var ('username_value', $_USER['username']);
  
***************
*** 644,648 ****
      if ($_US_VERBOSE) {
          COM_errorLog('**** Inside saveuser in usersettings.php ****', 1);
!     } 
  
      if ($_CONF['allow_username_change'] == 1) {
--- 648,661 ----
      if ($_US_VERBOSE) {
          COM_errorLog('**** Inside saveuser in usersettings.php ****', 1);
!     }
! 
!     $reqid = DB_getItem ($_TABLES['users'], 'pwrequestid',
!                          "uid = {$_USER['uid']}");
!     if ($reqid != $A['uid']) {
!         DB_change ($_TABLES['users'], 'pwrequestid', "NULL",
!                    'uid', $_USER['uid']);
!         COM_accessLog ("An attempt was made to illegally change the account information of user {$_USER['uid']}.");
!         return COM_refresh ($_CONF['site_url'] . '/index.php');
!     }
  
      if ($_CONF['allow_username_change'] == 1) {
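Review bot: The check at `if ($reqid != $A['uid'])` uses PHP's loose comparison and never rejects an empty stored token, so a submission that omits the form's `uid` field (so `$A['uid']` is null) or sends it empty passes whenever `pwrequestid` is NULL or empty — for example for a user who never loaded the form, or right after the failure path below has cleared it (whether that `DB_change` stores SQL NULL or the literal string "NULL" depends on DB_change's quoting, which is not visible here). `$A` is the submitted form (the `$A['passwd']` hunk below reads the new password from it), so this is attacker-controlled. Tighten it to `if (empty ($reqid) || empty ($A['uid']) || $reqid !== $A['uid']) {` and, on a PHP version that has it, compare with `hash_equals ($reqid, $A['uid'])` so the comparison is constant-time. The token is cleared only on the failure path in this hunk; if the success path further down in saveuser does not also clear it, the same token remains valid for replay until the form is next loaded. saveuser's body continues outside the hunk; `$_USER['uid']` is interpolated straight into the `DB_getItem` condition, so if it can ever be non-numeric it should be cast with `(int)` first.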
***************
*** 661,666 ****
      }
  
!     if (!empty($A["passwd"])) {
!         $passwd = md5($A["passwd"]);
          DB_change($_TABLES['users'],'passwd',"$passwd","uid",$_USER['uid']);
      }
--- 674,679 ----
      }
  
!     if (!empty($A['passwd'])) {
!         $passwd = md5($A['passwd']);
          DB_change($_TABLES['users'],'passwd',"$passwd","uid",$_USER['uid']);
      }




