Commit 27ff9a47 authored by Benjamin Sonntag's avatar Benjamin Sonntag

putting a real csrf ;) + fixing the lost pass (not requiring captcha) + adding...

putting a real csrf ;) + fixing the lost pass (not requiring captcha) + adding time to the password recovery key
parent d2c34e1d
...@@ -35,7 +35,7 @@ while ($c=readdir($d)) { ...@@ -35,7 +35,7 @@ while ($c=readdir($d)) {
} }
$r=mysql_query("SELECT * FROM accounts WHERE lastlogin<DATE_SUB(NOW(), INTERVAL ".$disable_timeout." DAY) AND createdate<DATE_SUB(NOW(), INTERVAL ".$firstlogin_timeout." DAY) AND disabledate IS NULL;"); $r=mysql_query("SELECT * FROM accounts WHERE lastlogin<DATE_SUB(NOW(), INTERVAL ".$disable_timeout." DAY) AND createdate<DATE_SUB(NOW(), INTERVAL ".$firstlogin_timeout." DAY) AND disabledate IS NULL AND ack=1;");
echo mysql_error(); echo mysql_error();
$isconnected=false; $isconnected=false;
$timeout=12; // 2 minutes total timeout, enough right? $timeout=12; // 2 minutes total timeout, enough right?
...@@ -80,7 +80,7 @@ if ($isconnected) { ...@@ -80,7 +80,7 @@ if ($isconnected) {
} }
$r=mysql_query("SELECT * FROM accounts WHERE lastlogin<DATE_SUB(NOW(), INTERVAL ".$destroy_timeout." DAY) AND createdate<DATE_SUB(NOW(), INTERVAL ".$firstlogin_timeout." DAY) AND disabledate IS NOT NULL;"); $r=mysql_query("SELECT * FROM accounts WHERE lastlogin<DATE_SUB(NOW(), INTERVAL ".$destroy_timeout." DAY) AND createdate<DATE_SUB(NOW(), INTERVAL ".$firstlogin_timeout." DAY) AND disabledate IS NOT NULL AND ack=1;");
echo mysql_error(); echo mysql_error();
$isconnected=false; $isconnected=false;
$timeout=12; // 2 minutes total timeout, enough right? $timeout=12; // 2 minutes total timeout, enough right?
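Review bot: The two rewritten queries (the `$r=mysql_query("SELECT * FROM accounts WHERE lastlogin<DATE_SUB(NOW(), INTERVAL ".$disable_timeout." DAY) ... AND ack=1;");` line and its twin after the `@@ -80,7 +80,7 @@` header) still splice `$disable_timeout`, `$destroy_timeout` and `$firstlogin_timeout` into the SQL text unquoted; where those variables are assigned is outside the hunks, so unless they are guaranteed to be config literals they should be cast first, e.g. `INTERVAL ".intval($disable_timeout)." DAY`. The `echo mysql_error();` that follows each query writes the driver's error text to the script's output; if that output can reach anything other than an administrator's log, `error_log(mysql_error());` keeps the schema details out of it. The loop and conditional enclosing both hunks start outside them.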
......
...@@ -32,9 +32,6 @@ if ($found==6 && $_POST["url"]=="") { ...@@ -32,9 +32,6 @@ if ($found==6 && $_POST["url"]=="") {
$_GET["id"]=$_POST["id"]; $_GET["id"]=$_POST["id"];
$_GET["key"]=$_POST["key"]; $_GET["key"]=$_POST["key"];
if ($_SESSION["captcha"]!=$_POST["cap"]) {
$error[]=_("The captcha is incorrect, please try again");
}
if (!csrf_check($_POST["csrf"])) { if (!csrf_check($_POST["csrf"])) {
$error[]=_("The captcha is incorrect, please try again (2)"); $error[]=_("The captcha is incorrect, please try again (2)");
} }
...@@ -48,8 +45,9 @@ if ($found==6 && $_POST["url"]=="") { ...@@ -48,8 +45,9 @@ if ($found==6 && $_POST["url"]=="") {
if (!$already) { if (!$already) {
$error[]=sprintf(_("This account doesn't exist, or have been permanently destroyed. <a href=\"%s\">Click here to create a new account with this login</a>."),"create.php"); $error[]=sprintf(_("This account doesn't exist, or have been permanently destroyed. <a href=\"%s\">Click here to create a new account with this login</a>."),"create.php");
} }
$key=substr(md5($csrf_key."-".$already["id"]."-".$already["jabberid"]),0,16); $key=substr(md5($csrf_key."-".$already["id"]."-".$already["jabberid"]."-".intval(time()/14400) ),0,16);
if ($key!=$_POST["key"]) { $key2=substr(md5($csrf_key."-".$already["id"]."-".$already["jabberid"]."-".intval((time()-14400)/14400) ),0,16);
if ($key!=$_POST["key"] && $key2!=$_POST["key"]) {
$error[]=_("The provided key is incorrect, please check your mail or contact us."); $error[]=_("The provided key is incorrect, please check your mail or contact us.");
} }
$pass=fixlogin($_POST["pass1"]); $pass=fixlogin($_POST["pass1"]);
...@@ -89,5 +87,12 @@ if ($found==6 && $_POST["url"]=="") { ...@@ -89,5 +87,12 @@ if ($found==6 && $_POST["url"]=="") {
} }
} // still no error ? } // still no error ?
} // no error ? } // no error ?
} // isset ? } else { // isset ?
// not a post? we should come here with key & id at least
if (!isset($id) || !isset($key)) {
$error[]=_("You should never be here. Please recover your password normally.");
unset($_POST); unset($_REQUEST);
require_once("lost.php");
exit();
}
}
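Review bot: The rebuilt comparison `if ($key!=$_POST["key"] && $key2!=$_POST["key"]) {` uses loose `!=`; PHP treats a hex string of the form `0e` followed only by digits as numeric zero under `==`, so two different digests of that shape compare equal and the check should be `if ($key!==$_POST["key"] && $key2!==$_POST["key"]) {`, or `hash_equals()` where the PHP version provides it (5.6+), which is also constant-time. The two `intval(time()/14400)` derivations deserve a comment, e.g. `// key is bound to the current 4-hour slot and the previous one is still accepted, so a mailed key stays valid for between 4 and 8 hours`. The new `else` branch calls `require_once("lost.php")`; if `lost.php` is the file that included `changepass.php` (as the `require("changepass.php")` in lost.php suggests), `require_once` is a no-op there, so this branch presumably only serves direct access to changepass.php — worth confirming. The `if ($found==6 && $_POST["url"]=="")` block enclosing these hunks starts before the first of them.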
...@@ -25,8 +25,8 @@ $debug=false; ...@@ -25,8 +25,8 @@ $debug=false;
$fields=array("email","login","csrf","cap","url"); $fields=array("email","login","csrf","cap","url");
$found=0; $found=0;
foreach($fields as $f) if (isset($_POST[$f])) $found++; foreach($fields as $f) if (isset($_POST[$f])) $found++;
$error=array(); if (!count($error)) $error=array();
$info=array(); if (!count($info)) $info=array();
if ($found==5 && $_POST["url"]=="") { if ($found==5 && $_POST["url"]=="") {
if ($_SESSION["captcha"]!=$_POST["cap"]) { if ($_SESSION["captcha"]!=$_POST["cap"]) {
...@@ -53,12 +53,13 @@ if ($found==5 && $_POST["url"]=="") { ...@@ -53,12 +53,13 @@ if ($found==5 && $_POST["url"]=="") {
if ($already["email"]!=hashmail($_POST["email"],$already["email"])) { if ($already["email"]!=hashmail($_POST["email"],$already["email"])) {
$error[]=_("This account's email address is not the one you entered. Please try again with another email address."); $error[]=_("This account's email address is not the one you entered. Please try again with another email address.");
} }
$key=substr(md5($csrf_key."-".$already["id"]."-".$already["jabberid"]),0,16); $key=substr(md5($csrf_key."-".$already["id"]."-".$already["jabberid"]."-".intval(time()/14400) ),0,16);
if (count($error)==0) { if (count($error)==0) {
require_once("class.phpmailer.php"); require_once("class.phpmailer.php");
require_once("class.smtp.php"); require_once("class.smtp.php");
$mail = new PHPMailer; $mail = new PHPMailer;
$mail->isSMTP(); $mail->isSMTP();
$mail->CharSet='UTF-8';
$mail->Host = 'localhost'; $mail->Host = 'localhost';
$mail->From = $mail_from; $mail->From = $mail_from;
$mail->FromName = $mail_fromname; $mail->FromName = $mail_fromname;
...@@ -99,7 +100,7 @@ if (isset($_GET["id"]) && isset($_GET["key"])) { ...@@ -99,7 +100,7 @@ if (isset($_GET["id"]) && isset($_GET["key"])) {
if (count($error)==0) { if (count($error)==0) {
// change the password (form) // change the password (form)
$info[]=sprintf(_("Please enter a new password (twice) for your account %s"),$already["jabberid"]); $info[]=sprintf(_("Please enter a new password (twice) for your account %s"),$already["jabberid"]);
require_once("changepass.php"); require("changepass.php");
exit(); exit();
} // still no error ? } // still no error ?
} // no error ? } // no error ?
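Review bot: `if (!count($error)) $error=array();` and `if (!count($info)) $info=array();` call `count()` on variables that are undefined whenever `lost.php` is the entry point rather than being included by `changepass.php`; `count(null)` only returns 0 silently on PHP 5, raises a warning on 7.2+ and a `TypeError` on 8. Test existence instead: `if (!isset($error) || !is_array($error)) $error=array();` and likewise for `$info`. The `require("changepass.php")` hand-off at the end of the last hunk relies on `$id` and `$key` being set for changepass.php's non-POST branch, which is outside this hunk, so that should be checked on the caller side. The `if ($found==5 && $_POST["url"]=="")` block enclosing the middle hunk starts outside it.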
......
...@@ -35,17 +35,24 @@ function eher($str) { if (isset($_REQUEST[$str])) ehe($_REQUEST[$str]); } ...@@ -35,17 +35,24 @@ function eher($str) { if (isset($_REQUEST[$str])) ehe($_REQUEST[$str]); }
function csrf_gen() { function csrf_gen() {
global $csrf_key; global $csrf_key;
if (!isset($_SESSION["csrf"])) {
$_SESSION["csrf"]=rand();
}
$i=substr(md5(rand()),0,10); $i=substr(md5(rand()),0,10);
return $i.md5($csrf_key."-".$i); return $i.md5($csrf_key."-".$i."-".$_SESSION["csrf"]);
} }
function csrf_check($str) { function csrf_check($str) {
global $csrf_key; global $csrf_key;
if (!isset($_SESSION["csrf"])) {
// should not happen, but at least prevent a warning...
$_SESSION["csrf"]=rand();
}
$str=strtolower($str); $str=strtolower($str);
if (!preg_match('#[0-9a-f]{42}#',$str)) { if (!preg_match('#[0-9a-f]{42}#',$str)) {
return false; return false;
} }
return ( $str == substr($str,0,10).md5($csrf_key."-".substr($str,0,10)) ); return ( $str == substr($str,0,10).md5($csrf_key."-".substr($str,0,10)."-".$_SESSION["csrf"]) );
} }
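Review bot: `$_SESSION["csrf"]=rand();` in both `csrf_gen` and `csrf_check` seeds the per-session secret that this commit adds to the token from `rand()`, which is neither cryptographic nor wide, so the secret is guessable; seed it with `bin2hex(openssl_random_pseudo_bytes(16))` (or `random_bytes(16)` on PHP 7+), and consider `hash_hmac('sha256', $i, $csrf_key.$_SESSION["csrf"])` in place of the `md5($csrf_key."-".$i."-".$_SESSION["csrf"])` construction. The final `return ( $str == substr($str,0,10).md5(...) );` in `csrf_check` compares two hex strings with loose `==`; use `===`, or `hash_equals($expected, $str)` (PHP 5.6+) for a constant-time check. The regex `#[0-9a-f]{42}#` is unanchored, which is harmless only because the equality test requires the full 42 characters; a comment such as `// the equality below also enforces exact length and charset` would make that dependency explicit. Re-seeding inside `csrf_check` means a token checked against a fresh session always fails, which is the safe outcome; the `hashmail` definition on the hunk's last line continues outside it.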
function hashmail($mail,$salt="") { function hashmail($mail,$salt="") {
......