Commit 27ff9a47 authored by Benjamin Sonntag's avatar Benjamin Sonntag

putting a real csrf ;) + fixing the lost pass (not requiring captcha) + adding...

putting a real csrf ;) + fixing the lost pass (not requiring captcha) + adding time to the password recovery key
parent d2c34e1d
......@@ -35,7 +35,7 @@ while ($c=readdir($d)) {
}
$r=mysql_query("SELECT * FROM accounts WHERE lastlogin<DATE_SUB(NOW(), INTERVAL ".$disable_timeout." DAY) AND createdate<DATE_SUB(NOW(), INTERVAL ".$firstlogin_timeout." DAY) AND disabledate IS NULL;");
$r=mysql_query("SELECT * FROM accounts WHERE lastlogin<DATE_SUB(NOW(), INTERVAL ".$disable_timeout." DAY) AND createdate<DATE_SUB(NOW(), INTERVAL ".$firstlogin_timeout." DAY) AND disabledate IS NULL AND ack=1;");
echo mysql_error();
$isconnected=false;
$timeout=12; // 2 minutes total timeout, enough right?
......@@ -80,7 +80,7 @@ if ($isconnected) {
}
$r=mysql_query("SELECT * FROM accounts WHERE lastlogin<DATE_SUB(NOW(), INTERVAL ".$destroy_timeout." DAY) AND createdate<DATE_SUB(NOW(), INTERVAL ".$firstlogin_timeout." DAY) AND disabledate IS NOT NULL;");
$r=mysql_query("SELECT * FROM accounts WHERE lastlogin<DATE_SUB(NOW(), INTERVAL ".$destroy_timeout." DAY) AND createdate<DATE_SUB(NOW(), INTERVAL ".$firstlogin_timeout." DAY) AND disabledate IS NOT NULL AND ack=1;");
echo mysql_error();
$isconnected=false;
$timeout=12; // 2 minutes total timeout, enough right?
......
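Review bot: The day counts `$disable_timeout`, `$firstlogin_timeout` and (second hunk) `$destroy_timeout` are concatenated straight into the changed `SELECT ... INTERVAL ... DAY` strings; they read like configuration rather than request data, but with string-built SQL a cast is free insurance against a misconfigured or non-numeric value: `INTERVAL ".intval($disable_timeout)." DAY`. The added `AND ack=1` filter itself looks right, since unacknowledged accounts should not be disabled or destroyed on inactivity alone. The `mysql_*` extension these queries rely on is removed in PHP 7, so this script is tied to an old runtime; that predates the commit but is worth a `// TODO: port to mysqli/PDO` on the query lines. The enclosing loop starts before and continues past both hunks.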
......@@ -32,9 +32,6 @@ if ($found==6 && $_POST["url"]=="") {
$_GET["id"]=$_POST["id"];
$_GET["key"]=$_POST["key"];
if ($_SESSION["captcha"]!=$_POST["cap"]) {
$error[]=_("The captcha is incorrect, please try again");
}
if (!csrf_check($_POST["csrf"])) {
$error[]=_("The captcha is incorrect, please try again (2)");
}
......@@ -48,8 +45,9 @@ if ($found==6 && $_POST["url"]=="") {
if (!$already) {
$error[]=sprintf(_("This account doesn't exist, or have been permanently destroyed. <a href=\"%s\">Click here to create a new account with this login</a>."),"create.php");
}
$key=substr(md5($csrf_key."-".$already["id"]."-".$already["jabberid"]),0,16);
if ($key!=$_POST["key"]) {
$key=substr(md5($csrf_key."-".$already["id"]."-".$already["jabberid"]."-".intval(time()/14400) ),0,16);
$key2=substr(md5($csrf_key."-".$already["id"]."-".$already["jabberid"]."-".intval((time()-14400)/14400) ),0,16);
if ($key!=$_POST["key"] && $key2!=$_POST["key"]) {
$error[]=_("The provided key is incorrect, please check your mail or contact us.");
}
$pass=fixlogin($_POST["pass1"]);
......@@ -89,5 +87,12 @@ if ($found==6 && $_POST["url"]=="") {
}
} // still no error ?
} // no error ?
} // isset ?
} else { // isset ?
// not a post? we should come here with key & id at least
if (!isset($id) || !isset($key)) {
$error[]=_("You should never be here. Please recover your password normally.");
unset($_POST); unset($_REQUEST);
require_once("lost.php");
exit();
}
}
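Review bot: The new recovery-key check `if ($key!=$_POST["key"] && $key2!=$_POST["key"])` compares a request value with loose `!=`, so an array (`key[]=`) or a numeric-looking string such as `0` is compared under PHP's numeric-string rules instead of byte-for-byte, and the comparison is not constant-time; use `if (!is_string($_POST["key"]) || (!hash_equals($key,$_POST["key"]) && !hash_equals($key2,$_POST["key"]))) {` (hash_equals needs PHP 5.6+). The two-bucket scheme means a key stays valid for anywhere between 4 and 8 hours depending on when in the window it was issued, which deserves a comment on the `$key2` line such as `// also accept the previous 4h bucket so a key issued just before a boundary still works`. In the first hunk the remaining CSRF failure still reports "The captcha is incorrect, please try again (2)" even though the captcha check was removed, which will send users back to retyping a captcha that no longer exists; a message naming an expired form token would be clearer. The enclosing if-block starts before the first hunk.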
......@@ -25,8 +25,8 @@ $debug=false;
$fields=array("email","login","csrf","cap","url");
$found=0;
foreach($fields as $f) if (isset($_POST[$f])) $found++;
$error=array();
$info=array();
if (!count($error)) $error=array();
if (!count($info)) $info=array();
if ($found==5 && $_POST["url"]=="") {
if ($_SESSION["captcha"]!=$_POST["cap"]) {
......@@ -53,12 +53,13 @@ if ($found==5 && $_POST["url"]=="") {
if ($already["email"]!=hashmail($_POST["email"],$already["email"])) {
$error[]=_("This account's email address is not the one you entered. Please try again with another email address.");
}
$key=substr(md5($csrf_key."-".$already["id"]."-".$already["jabberid"]),0,16);
$key=substr(md5($csrf_key."-".$already["id"]."-".$already["jabberid"]."-".intval(time()/14400) ),0,16);
if (count($error)==0) {
require_once("class.phpmailer.php");
require_once("class.smtp.php");
$mail = new PHPMailer;
$mail->isSMTP();
$mail->CharSet='UTF-8';
$mail->Host = 'localhost';
$mail->From = $mail_from;
$mail->FromName = $mail_fromname;
......@@ -99,7 +100,7 @@ if (isset($_GET["id"]) && isset($_GET["key"])) {
if (count($error)==0) {
// change the password (form)
$info[]=sprintf(_("Please enter a new password (twice) for your account %s"),$already["jabberid"]);
require_once("changepass.php");
require("changepass.php");
exit();
} // still no error ?
} // no error ?
......
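Review bot: The new guard `if (!count($error)) $error=array();` in the first hunk calls `count()` on a variable that is undefined whenever lost.php is requested directly rather than included from changepass.php, which is a warning on PHP 7.2+ and a TypeError on PHP 8; `if (!isset($error) || !is_array($error)) $error=array();` (and the same for `$info`) keeps the include-with-errors case working without that. Whether a direct request really reaches this line without `$error` set depends on code before the hunk, but nothing visible initialises it. The `$key` line in the second hunk duplicates the derivation in changepass.php, so a comment `// must match the derivation in changepass.php (same csrf_key and 4h bucket)` would keep the two from drifting apart. The `require("changepass.php")` change in the last hunk is consistent with changepass.php now including lost.php back on the no-key path.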
......@@ -35,17 +35,24 @@ function eher($str) { if (isset($_REQUEST[$str])) ehe($_REQUEST[$str]); }
function csrf_gen() {
global $csrf_key;
if (!isset($_SESSION["csrf"])) {
$_SESSION["csrf"]=rand();
}
$i=substr(md5(rand()),0,10);
return $i.md5($csrf_key."-".$i);
return $i.md5($csrf_key."-".$i."-".$_SESSION["csrf"]);
}
function csrf_check($str) {
global $csrf_key;
if (!isset($_SESSION["csrf"])) {
// should not happen, but at least prevent a warning...
$_SESSION["csrf"]=rand();
}
$str=strtolower($str);
if (!preg_match('#[0-9a-f]{42}#',$str)) {
return false;
}
return ( $str == substr($str,0,10).md5($csrf_key."-".substr($str,0,10)) );
return ( $str == substr($str,0,10).md5($csrf_key."-".substr($str,0,10)."-".$_SESSION["csrf"]) );
}
function hashmail($mail,$salt="") {
......
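Review bot: The per-session secret added in `csrf_gen` and `csrf_check` is seeded with `rand()`, which is not a CSPRNG, and the token is still validated with loose `==` against an unanchored `#[0-9a-f]{42}#` pattern, so a request field that is an array or a longer string reaches `strtolower`/`substr` before being rejected. If the deployment runs PHP 7 or later, `random_bytes` and `hash_equals` fix both; the rewritten lines below keep the token format (10 hex chars + md5) so nothing else has to change, and returning false on a missing session secret is equivalent to the current behaviour since a freshly seeded secret cannot match an already issued token. Deriving the secret with `hash_hmac` instead of a truncated `md5` over a concatenation would be the next step, but is not required by this change.
```php
function csrf_gen() {
    global $csrf_key;
    if (!isset($_SESSION["csrf"])) {
        $_SESSION["csrf"]=bin2hex(random_bytes(16)); // CSPRNG, never rand()
    }
    $i=bin2hex(random_bytes(5)); // 10 hex chars, same width as before
    return $i.md5($csrf_key."-".$i."-".$_SESSION["csrf"]);
}
function csrf_check($str) {
    global $csrf_key;
    // a token issued before the session secret existed can never match
    if (!isset($_SESSION["csrf"]) || !is_string($str)) {
        return false;
    }
    $str=strtolower($str);
    if (!preg_match('#^[0-9a-f]{42}$#',$str)) {
        return false;
    }
    $expected=substr($str,0,10).md5($csrf_key."-".substr($str,0,10)."-".$_SESSION["csrf"]);
    return hash_equals($expected,$str); // constant-time, strict comparison
}
```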