web: fix CSRF vulnerability in edit passwd function

BOINC · Dec 13, 2024 · f2f305f · f2f305f
1 parent 743e6f3
commit f2f305f
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 3 deletions.
diff --git a/html/inc/account.inc b/html/inc/account.inc
@@ -31,7 +31,7 @@ function make_login_token($user) {
         $user->update("login_token_time=$now");
         return $user->login_token;
     }
-    $token = substr(random_string(), 0, 8);
+    $token = substr(random_string(), 0, 16);
     $user->update("login_token='$token', login_token_time=$now");
     return $token;
 }

diff --git a/html/user/edit_passwd_action.php b/html/user/edit_passwd_action.php
@@ -24,7 +24,14 @@
 check_get_args(array());
 
 $user = get_logged_in_user();
-$email_addr = strtolower(post_str("email_addr", true));
+
+$token = post_str("token");
+if ($token != $user->login_token) {
+    error_page("bad token");
+}
+if (time() - $user->login_token_time > 86400) {
+    error_page("expired token");
+}
 
 $passwd = post_str("passwd");
 

diff --git a/html/user/edit_passwd_form.php b/html/user/edit_passwd_form.php
@@ -25,8 +25,17 @@
 
 page_head(tra("Change password"));
 
+
 form_start(secure_url_base()."edit_passwd_action.php", "post");
-form_input_text(tra("New password"), "passwd", "", "password",'id="passwd"',passwd_visible_checkbox("passwd"));
+form_input_hidden('token', make_login_token($user));
+form_input_text(tra(
+    "New password"),
+    "passwd",
+    "",
+    "password",
+    'id="passwd"',
+    passwd_visible_checkbox("passwd")
+);
 form_submit(tra("Change password"));
 form_end();
 page_tail();