From f2f305f62fc322a446e26ce31fa130e221dbce54 Mon Sep 17 00:00:00 2001
From: David Anderson
Date: Fri, 13 Dec 2024 10:41:54 -0800
Subject: [PATCH] web: fix CSRF vulnerability in edit passwd function
---
 html/inc/account.inc | 2 +-
 html/user/edit_passwd_action.php | 9 ++++++++-
 html/user/edit_passwd_form.php | 11 ++++++++++-
 3 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/html/inc/account.inc b/html/inc/account.inc
index 64713e75e34..9b55e2bc360 100644
--- a/html/inc/account.inc
+++ b/html/inc/account.inc
@@ -31,7 +31,7 @@ function make_login_token($user) {
 $user->update("login_token_time=$now");
 return $user->login_token;
 }
- $token = substr(random_string(), 0, 8);
+ $token = substr(random_string(), 0, 16);
 $user->update("login_token='$token', login_token_time=$now");
 return $token;
 }
diff --git a/html/user/edit_passwd_action.php b/html/user/edit_passwd_action.php
index 736a5a0e51c..5c31300fa3c 100644
--- a/html/user/edit_passwd_action.php
+++ b/html/user/edit_passwd_action.php
@@ -24,7 +24,14 @@ check_get_args(array());
 $user = get_logged_in_user();
-$email_addr = strtolower(post_str("email_addr", true));
+ $token = post_str("token"); if ($token != $user->login_token) { error_page("bad token"); } if (time() - $user->login_token_time > 86400) { error_page("expired token"); }
 $passwd = post_str("passwd");
diff --git a/html/user/edit_passwd_form.php b/html/user/edit_passwd_form.php
index 478ec110c89..5bac4c2a78a 100644
--- a/html/user/edit_passwd_form.php
+++ b/html/user/edit_passwd_form.php
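Review bot: The lengthened token on the `$token = substr(random_string(), 0, 16);` line is still interpolated unescaped into SQL two lines below (`login_token='$token'`), so its safety rests on `random_string()` never emitting a quote or backslash, which this hunk does not show; a comment such as `// random_string() must stay alphanumeric: interpolated unescaped into SQL below` would pin that assumption, or the value could go through the project's DB-escape helper. Whether `random_string()` draws from a CSPRNG is also not visible here; if it does not, `bin2hex(random_bytes(8))` yields 16 hex characters from the stdlib CSPRNG. This commit also embeds the same value in the password-change form as a CSRF token (edit_passwd_form.php hunk), so one secret now serves both as a CSRF nonce and, as its name suggests, as a login token — a separate CSRF secret would keep a leaked page from yielding a login credential. The function begins before the hunk, so the branch that refreshes and returns the existing token is only partly visible.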
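Review bot: The new check `if ($token != $user->login_token)` uses PHP loose inequality, so an empty posted token matches a user whose `login_token` is still NULL (`"" != null` is false) and numeric-looking tokens compare as numbers; only the expiry check below happens to catch the NULL case, via `login_token_time` also being NULL. Compare the secret strictly and in constant time, rejecting the empty case explicitly: `if (!$user->login_token || !hash_equals((string)$user->login_token, (string)$token)) {`. The token is not invalidated after a successful change, so it stays usable for the rest of the 24-hour window; whether that matters depends on what else accepts `login_token`, which is not visible here. The rest of the handler, where `$passwd` is applied, lies past the hunk.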
@@ -25,8 +25,17 @@ page_head(tra("Change password"));
+ form_start(secure_url_base()."edit_passwd_action.php", "post");
-form_input_text(tra("New password"), "passwd", "", "password",'id="passwd"',passwd_visible_checkbox("passwd"));
+form_input_hidden('token', make_login_token($user));
+form_input_text(tra( "New password"), "passwd", "", "password", 'id="passwd"', passwd_visible_checkbox("passwd") );
 form_submit(tra("Change password"));
 form_end();
 page_tail();
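Review bot: The reformatted call splits `tra(` from its argument (`form_input_text(tra(` with `"New password"),` on the next line), which reads as if `tra` took several arguments; keeping `tra("New password"),` whole and putting one argument per line after `form_input_text(` is clearer, e.g. `form_input_text(` / `    tra("New password"),` / `    "passwd",`. Also, `make_login_token($user)` appears (from the account.inc hunk) to refresh `login_token_time` and reuse the existing token when one is current, so the action's 24-hour expiry is measured from the last render of this form rather than from token creation — a comment on the hidden-field line such as `// login token doubles as the CSRF nonce checked by edit_passwd_action.php` would make that coupling explicit. `$user` must be defined above the hunk for the hidden field to be populated; that part is outside this view.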