boinc/html/user/edit_passwd_action.php

<?php

require_once("../inc/db.inc");
require_once("../inc/util.inc");
require_once("../inc/user.inc");

db_init();

$auth = process_user_text(post_str("auth", true));
$email_addr = strtolower(process_user_text(post_str("email_addr", true)));

// Note: don't call process_user_text() on passwords.
// This is not needed, and will break passwords containing punctuation

$old_passwd = stripslashes(post_str("old_passwd", true));
$passwd = stripslashes(post_str("passwd"));
$passwd2 = stripslashes(post_str("passwd2"));

if ($passwd != $passwd2) {
    error_page("New passwords are different");
}
if (strlen($passwd)<6) {
    error_page("New password is too short: minimum password length is 6 characters");
}
if ($auth) {
    $user = lookup_user_auth($auth);
    if (!$user) {
        error_page("Invalid account key");
    }
} else {
    $user = lookup_user_email_addr($email_addr);
    if (!$user) {
        error_page("No account with that email address was found");
    }
    $passwd_hash = md5($old_passwd.$email_addr);
    if ($user->passwd_hash != $passwd_hash) {
        error_page("Invalid password");
    }
}

page_head("Change password");
$passwd_hash = md5($passwd.$user->email_addr);
$query = "update user set passwd_hash='$passwd_hash' where id=$user->id";
$result = mysql_query($query);
if ($result) {
    echo "Your password has been changed.";
} else {
    echo "
        We can't update your password due to a database problem.
        Please try again later.
    ";
}

page_tail();
?>
* empty log message * svn path=/trunk/boinc/; revision=7216 2005-08-09 18:46:53 +00:00			`<?php`

			`require_once("../inc/db.inc");`
			`require_once("../inc/util.inc");`
			`require_once("../inc/user.inc");`

			`db_init();`

remove email munge code svn path=/trunk/boinc/; revision=7518 2005-08-26 22:26:26 +00:00			`$auth = process_user_text(post_str("auth", true));`
			`$email_addr = strtolower(process_user_text(post_str("email_addr", true)));`
* empty log message * svn path=/trunk/boinc/; revision=7216 2005-08-09 18:46:53 +00:00
* empty log message * svn path=/trunk/boinc/; revision=7929 2005-09-08 20:33:04 +00:00			`// Note: don't call process_user_text() on passwords.`
			`// This is not needed, and will break passwords containing punctuation`
* empty log message * svn path=/trunk/boinc/; revision=7216 2005-08-09 18:46:53 +00:00
* empty log message * svn path=/trunk/boinc/; revision=8154 2005-09-23 05:38:38 +00:00			`$old_passwd = stripslashes(post_str("old_passwd", true));`
			`$passwd = stripslashes(post_str("passwd"));`
			`$passwd2 = stripslashes(post_str("passwd2"));`
* empty log message * svn path=/trunk/boinc/; revision=7216 2005-08-09 18:46:53 +00:00
			`if ($passwd != $passwd2) {`
remove email munge code svn path=/trunk/boinc/; revision=7518 2005-08-26 22:26:26 +00:00			`error_page("New passwords are different");`
			`}`
Emergency fix: prevent users from creating password<6 chars long using web-page interface. David, Janus, the min password length needs to be parsed from a single place, eg config.xml, and used consistently in both PHP and client-side ops. svn path=/trunk/boinc/; revision=8541 2005-10-07 14:28:08 +00:00			`if (strlen($passwd)<6) {`
			`error_page("New password is too short: minimum password length is 6 characters");`
			`}`
remove email munge code svn path=/trunk/boinc/; revision=7518 2005-08-26 22:26:26 +00:00			`if ($auth) {`
			`$user = lookup_user_auth($auth);`
			`if (!$user) {`
			`error_page("Invalid account key");`
			`}`
			`} else {`
			`$user = lookup_user_email_addr($email_addr);`
			`if (!$user) {`
			`error_page("No account with that email address was found");`
			`}`
			`$passwd_hash = md5($old_passwd.$email_addr);`
			`if ($user->passwd_hash != $passwd_hash) {`
			`error_page("Invalid password");`
			`}`
* empty log message * svn path=/trunk/boinc/; revision=7216 2005-08-09 18:46:53 +00:00			`}`

remove email munge code svn path=/trunk/boinc/; revision=7518 2005-08-26 22:26:26 +00:00			`page_head("Change password");`
* empty log message * svn path=/trunk/boinc/; revision=7216 2005-08-09 18:46:53 +00:00			`$passwd_hash = md5($passwd.$user->email_addr);`
remove email munge code svn path=/trunk/boinc/; revision=7518 2005-08-26 22:26:26 +00:00			`$query = "update user set passwd_hash='$passwd_hash' where id=$user->id";`
			`$result = mysql_query($query);`
* empty log message * svn path=/trunk/boinc/; revision=7216 2005-08-09 18:46:53 +00:00			`if ($result) {`
remove email munge code svn path=/trunk/boinc/; revision=7518 2005-08-26 22:26:26 +00:00			`echo "Your password has been changed.";`
* empty log message * svn path=/trunk/boinc/; revision=7216 2005-08-09 18:46:53 +00:00			`} else {`
			`echo "`
			`We can't update your password due to a database problem.`
			`Please try again later.`
			`";`
			`}`

			`page_tail();`
			`?>`