adding a tool to compute a hash for a mail + fixing csrf (for good)

acc33c53 · Benjamin Sonntag · 27ff9a47 · acc33c53 · acc33c53 · acc33c53
Commit acc33c53 authored Aug 26, 2014 by Benjamin Sonntag
--- a/my/dochangepass.php
+++ b/my/dochangepass.php
@@ -25,8 +25,8 @@ $debug=false;
 $fields=array("csrf","id","key","pass1","pass2","url");
 $found=0;
 foreach($fields as $f) if (isset($_POST[$f])) $found++;
-$error=array();
-$info=array();
+if (!count($error)) $error=array();
+if (!count($info)) $info=array();

 if ($found==6 && $_POST["url"]=="") {
  $_GET["id"]=$_POST["id"];

--- a/my/dolost.php
+++ b/my/dolost.php
@@ -93,8 +93,9 @@ if (isset($_GET["id"]) && isset($_GET["key"])) {
    if ($already["disabledate"]!="") {
      $error[]=sprintf(_("This account have been disabled. <a href=\"%s\">Click here to restore it</a>."),"recover.php");
    }
-    $key=substr(md5($csrf_key."-".$already["id"]."-".$already["jabberid"]),0,16);
-    if ($key!=$_GET["key"]) {
+    $key=substr(md5($csrf_key."-".$already["id"]."-".$already["jabberid"]."-".intval(time()/14400) ),0,16);
+    $key2=substr(md5($csrf_key."-".$already["id"]."-".$already["jabberid"]."-".intval((time()-14400)/14400) ),0,16);
+    if ($key!=$_GET["key"] && $key2!=$_GET["key"]) {
      $error[]=_("The provided key is incorrect, please check your mail or contact us.");
    }
    if (count($error)==0) {

--- a/tool_mail.php
+++ b/tool_mail.php
+<?php
+
+require_once("my/config.php");
+
+echo "Hashed email value is :".hashmail($argv[1])."\n";
+