[geeklog-cvs] geeklog-1.3/public_html usersettings.php,1.81,1.82
dhaun at geeklog.net
dhaun at geeklog.net
Wed Jan 21 14:58:02 EST 2004
Update of /usr/cvs/geeklog/geeklog-1.3/public_html
In directory geeklog_prod:/tmp/cvs-serv24747
Modified Files:
usersettings.php
Log Message:
Added check for a random hash before accepting account changes.
Index: usersettings.php
===================================================================
RCS file: /usr/cvs/geeklog/geeklog-1.3/public_html/usersettings.php,v
retrieving revision 1.81
retrieving revision 1.82
diff -C2 -d -r1.81 -r1.82
*** usersettings.php 18 Jan 2004 14:47:16 -0000 1.81
--- usersettings.php 21 Jan 2004 19:58:00 -0000 1.82
***************
*** 154,160 ****
$A = DB_fetchArray($result);
$preferences->set_var ('about_value', $A['about']);
$preferences->set_var ('pgpkey_value', $A['pgpkey']);
! $preferences->set_var ('uid_value', $_USER['uid']);
$preferences->set_var ('username_value', $_USER['username']);
--- 154,164 ----
$A = DB_fetchArray($result);
+ $reqid = substr (md5 (uniqid (rand (), 1)), 1, 16);
+ DB_change ($_TABLES['users'], 'pwrequestid', "$reqid",
+ 'username', $username);
+
$preferences->set_var ('about_value', $A['about']);
$preferences->set_var ('pgpkey_value', $A['pgpkey']);
! $preferences->set_var ('uid_value', $reqid);
$preferences->set_var ('username_value', $_USER['username']);
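Review bot: The token on the `$reqid` line is derived from `rand()` and `uniqid()`, both time/seed based and guessable, so an attacker who can estimate when the settings page was rendered has a much smaller search space than the 16 hex characters suggest; on any PHP that provides it, `$reqid = bin2hex(random_bytes(8));` gives a token of the same length from the CSPRNG. The value is written to the `pwrequestid` column, which by its name appears to be shared with the password-request flow, so rendering this form would overwrite a pending reset token (and vice versa) — worth confirming, and a dedicated column avoids the coupling. The write is keyed on `'username', $username` while the later verification reads by `uid`; `$username` is defined outside this hunk, so it should be checked that it always refers to the logged-in user rather than a request parameter. A one-line comment such as `// one-time token echoed back by the form and checked in saveuser()` would make the purpose of the `uid_value` substitution clear to the next reader.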
***************
*** 644,648 ****
if ($_US_VERBOSE) {
COM_errorLog('**** Inside saveuser in usersettings.php ****', 1);
! }
if ($_CONF['allow_username_change'] == 1) {
--- 648,661 ----
if ($_US_VERBOSE) {
COM_errorLog('**** Inside saveuser in usersettings.php ****', 1);
! }
!
! $reqid = DB_getItem ($_TABLES['users'], 'pwrequestid',
! "uid = {$_USER['uid']}");
! if ($reqid != $A['uid']) {
! DB_change ($_TABLES['users'], 'pwrequestid', "NULL",
! 'uid', $_USER['uid']);
! COM_accessLog ("An attempt was made to illegally change the account information of user {$_USER['uid']}.");
! return COM_refresh ($_CONF['site_url'] . '/index.php');
! }
if ($_CONF['allow_username_change'] == 1) {
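Review bot: The comparison `if ($reqid != $A['uid'])` is loose and has no emptiness check, so when `pwrequestid` is NULL (never issued, or just cleared by the failing branch above) a request that omits `uid` or sends it empty passes, because `null != ''` is false in PHP; `if (empty($reqid) || $reqid !== $A['uid']) {` closes that gap. The token is also never cleared on the success path, so a captured value stays valid for repeated submissions until the page is rendered again; clearing it right after the check with the same `DB_change ($_TABLES['users'], 'pwrequestid', "NULL", 'uid', $_USER['uid']);` call makes it one-time. Whether `"NULL"` is stored as SQL NULL or the literal string depends on `DB_change` quoting, which is not visible here and should be confirmed, since the empty-token fix above must treat both forms as absent. `$A` and the remainder of `saveuser()` lie outside this hunk.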
***************
*** 661,666 ****
}
! if (!empty($A["passwd"])) {
! $passwd = md5($A["passwd"]);
DB_change($_TABLES['users'],'passwd',"$passwd","uid",$_USER['uid']);
}
--- 674,679 ----
}
! if (!empty($A['passwd'])) {
! $passwd = md5($A['passwd']);
DB_change($_TABLES['users'],'passwd',"$passwd","uid",$_USER['uid']);
}