boinc/html/user/edit_passwd_action.php

<?php
// This file is part of BOINC.
// http://boinc.berkeley.edu
// Copyright (C) 2014 University of California
//
// BOINC is free software; you can redistribute it and/or modify it
// under the terms of the GNU Lesser General Public License
// as published by the Free Software Foundation,
// either version 3 of the License, or (at your option) any later version.
//
// BOINC is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
// See the GNU Lesser General Public License for more details.
//
// You should have received a copy of the GNU Lesser General Public License
// along with BOINC.  If not, see <http://www.gnu.org/licenses/>.

require_once("../inc/boinc_db.inc");
require_once("../inc/util.inc");
require_once("../inc/user.inc");
require_once("../inc/password_compat/password.inc");

check_get_args(array());

$user = get_logged_in_user();
$email_addr = strtolower(post_str("email_addr", true));

$passwd = post_str("passwd");

$config = get_config();
$min_passwd_length = parse_config($config, "<min_passwd_length>");
if (!$min_passwd_length) $min_passwd_length = 6;

if (!is_ascii($passwd)) {
    error_page(tra("Passwords may only include ASCII characters."));
}

if (strlen($passwd) < $min_passwd_length) {
    error_page(tra("New password is too short: minimum password length is %1 characters.", $min_passwd_length));
}

$passwd_hash = md5($passwd.$user->email_addr);
$database_passwd_hash = password_hash($passwd_hash, PASSWORD_DEFAULT);
$result = $user->update(" passwd_hash='$database_passwd_hash' ");
if (!$result) {
    error_page(tra("We can't update your password due to a database problem. Please try again later."));
}

page_head(tra("Change password"));
echo tra("Your password has been changed.");
page_tail();

?>
* empty log message * svn path=/trunk/boinc/; revision=7216 2005-08-09 18:46:53 +00:00			`<?php`
- web: added copyright and license info to PHP files svn path=/trunk/boinc/; revision=15758 2008-08-05 22:43:14 +00:00			`// This file is part of BOINC.`
			`// http://boinc.berkeley.edu`
web: clean up "change password" pages For some reason these pages had their own login logic. Remove this; you must be logged in first. 2014-12-23 18:47:18 +00:00			`// Copyright (C) 2014 University of California`
- web: added copyright and license info to PHP files svn path=/trunk/boinc/; revision=15758 2008-08-05 22:43:14 +00:00			`//`
			`// BOINC is free software; you can redistribute it and/or modify it`
			`// under the terms of the GNU Lesser General Public License`
			`// as published by the Free Software Foundation,`
			`// either version 3 of the License, or (at your option) any later version.`
			`//`
			`// BOINC is distributed in the hope that it will be useful,`
			`// but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.`
			`// See the GNU Lesser General Public License for more details.`
			`//`
			`// You should have received a copy of the GNU Lesser General Public License`
			`// along with BOINC. If not, see <http://www.gnu.org/licenses/>.`
* empty log message * svn path=/trunk/boinc/; revision=7216 2005-08-09 18:46:53 +00:00
- user web: update other code to use new-style DB interfaces svn path=/trunk/boinc/; revision=14164 2007-11-12 22:28:17 +00:00			`require_once("../inc/boinc_db.inc");`
* empty log message * svn path=/trunk/boinc/; revision=7216 2005-08-09 18:46:53 +00:00			`require_once("../inc/util.inc");`
			`require_once("../inc/user.inc");`
web: refactor password hashing changes to move compatibility library as a .inc file and to move common functions into user_util.inc 2018-04-04 18:47:26 +00:00			`require_once("../inc/password_compat/password.inc");`
* empty log message * svn path=/trunk/boinc/; revision=7216 2005-08-09 18:46:53 +00:00
- user web: finish dealing with get args spam svn path=/trunk/boinc/; revision=23010 2011-02-09 22:11:34 +00:00			`check_get_args(array());`

web: clean up "change password" pages For some reason these pages had their own login logic. Remove this; you must be logged in first. 2014-12-23 18:47:18 +00:00			`$user = get_logged_in_user();`
- web: cleaned up logic of string processing. There are two aspects: 1) undoing magic quotes (if it's being used). This must be done for all GET and POST string inputs. It is now done automatically by get_str() and post_str(). The places that refer to $_GET and $_POST directly must do it themselves using undo_magic_quotes(). 2) Escaping user-supplied strings before using them in DB queries. This is done by process_user_text() (which should be renamed db_escape_string()). The new principle: call process_user_text() in the function that does the DB query (not at any higher level). svn path=/trunk/boinc/; revision=15389 2008-06-11 19:36:10 +00:00			`$email_addr = strtolower(post_str("email_addr", true));`
* empty log message * svn path=/trunk/boinc/; revision=7216 2005-08-09 18:46:53 +00:00
- web: cleaned up logic of string processing. There are two aspects: 1) undoing magic quotes (if it's being used). This must be done for all GET and POST string inputs. It is now done automatically by get_str() and post_str(). The places that refer to $_GET and $_POST directly must do it themselves using undo_magic_quotes(). 2) Escaping user-supplied strings before using them in DB queries. This is done by process_user_text() (which should be renamed db_escape_string()). The new principle: call process_user_text() in the function that does the DB query (not at any higher level). svn path=/trunk/boinc/; revision=15389 2008-06-11 19:36:10 +00:00			`$passwd = post_str("passwd");`
add elements fo config file svn path=/trunk/boinc/; revision=8550 2005-10-07 19:19:07 +00:00
			`$config = get_config();`
			`$min_passwd_length = parse_config($config, "<min_passwd_length>");`
			`if (!$min_passwd_length) $min_passwd_length = 6;`

* empty log message * svn path=/trunk/boinc/; revision=8562 2005-10-08 19:12:43 +00:00			`if (!is_ascii($passwd)) {`
- validator: update credit statistics even if credit_from_wu is being used. - web: make almost everything translatable. From Christian Beer. svn path=/trunk/boinc/; revision=24048 2011-08-25 22:12:48 +00:00			`error_page(tra("Passwords may only include ASCII characters."));`
* empty log message * svn path=/trunk/boinc/; revision=8558 2005-10-07 23:19:20 +00:00			`}`

web: clean up "change password" pages For some reason these pages had their own login logic. Remove this; you must be logged in first. 2014-12-23 18:47:18 +00:00			`if (strlen($passwd) < $min_passwd_length) {`
- validator: update credit statistics even if credit_from_wu is being used. - web: make almost everything translatable. From Christian Beer. svn path=/trunk/boinc/; revision=24048 2011-08-25 22:12:48 +00:00			`error_page(tra("New password is too short: minimum password length is %1 characters.", $min_passwd_length));`
Emergency fix: prevent users from creating password<6 chars long using web-page interface. David, Janus, the min password length needs to be parsed from a single place, eg config.xml, and used consistently in both PHP and client-side ops. svn path=/trunk/boinc/; revision=8541 2005-10-07 14:28:08 +00:00			`}`
* empty log message * svn path=/trunk/boinc/; revision=7216 2005-08-09 18:46:53 +00:00
			`$passwd_hash = md5($passwd.$user->email_addr);`
web: Fix style incompatibilities 2018-03-13 21:49:14 +00:00			`$database_passwd_hash = password_hash($passwd_hash, PASSWORD_DEFAULT);`
			`$result = $user->update(" passwd_hash='$database_passwd_hash' ");`
web: clean up "change password" pages For some reason these pages had their own login logic. Remove this; you must be logged in first. 2014-12-23 18:47:18 +00:00			`if (!$result) {`
			`error_page(tra("We can't update your password due to a database problem. Please try again later."));`
* empty log message * svn path=/trunk/boinc/; revision=7216 2005-08-09 18:46:53 +00:00			`}`

web: clean up "change password" pages For some reason these pages had their own login logic. Remove this; you must be logged in first. 2014-12-23 18:47:18 +00:00			`page_head(tra("Change password"));`
			`echo tra("Your password has been changed.");`
* empty log message * svn path=/trunk/boinc/; revision=7216 2005-08-09 18:46:53 +00:00			`page_tail();`
web: clean up "change password" pages For some reason these pages had their own login logic. Remove this; you must be logged in first. 2014-12-23 18:47:18 +00:00
* empty log message * svn path=/trunk/boinc/; revision=7216 2005-08-09 18:46:53 +00:00			`?>`