Merge pull request #5950 from BOINC/dpa_pwd

web: fix CSRF vulnerability in edit passwd function
2024-12-13 20:50:15 +01:00 · 2024-12-13 20:50:15 +01:00 · c67393e6d1
parent 3bbf02e10e 2ac322f197
commit c67393e6d1
3 changed files with 19 additions and 3 deletions
--- a/html/inc/account.inc
+++ b/html/inc/account.inc
@ -31,7 +31,7 @@ function make_login_token($user) {
        $user->update("login_token_time=$now");
        return $user->login_token;
    }
-    $token = substr(random_string(), 0, 8);
+    $token = substr(random_string(), 0, 16);
    $user->update("login_token='$token', login_token_time=$now");
    return $token;
 }
--- a/html/user/edit_passwd_action.php
+++ b/html/user/edit_passwd_action.php
@ -24,7 +24,14 @@ require_once("../inc/password_compat/password.inc");
 check_get_args(array());

 $user = get_logged_in_user();
-$email_addr = strtolower(post_str("email_addr", true));
+
+$token = post_str("token");
+if ($token != $user->login_token) {
+    error_page("bad token");
+}
+if (time() - $user->login_token_time > 86400) {
+    error_page("expired token");
+}

 $passwd = post_str("passwd");

--- a/html/user/edit_passwd_form.php
+++ b/html/user/edit_passwd_form.php
@ -27,8 +27,17 @@ page_head(tra("Change password"));
 echo tra("Note: if you change your password, your %1weak account key%2 will change.", "<a href=weak_auth.php>", "</a>");
 echo "<p>";

+
 form_start(secure_url_base()."edit_passwd_action.php", "post");
-form_input_text(tra("New password"), "passwd", "", "password",'id="passwd"',passwd_visible_checkbox("passwd"));
+form_input_hidden('token', make_login_token($user));
+form_input_text(tra(
+    "New password"),
+    "passwd",
+    "",
+    "password",
+    'id="passwd"',
+    passwd_visible_checkbox("passwd")
+);
 form_submit(tra("Change password"));
 form_end();
 page_tail();