Commit 34023c6e authored by Robert Lyon's avatar Robert Lyon

Stopping the 'key' param being leaked (Bug #1333096)



Turning it into a session variable straight away and reloading the page

Change-Id: Ie3f3a627eadcf0f85f513339b45bd9dc8e0d2432
Signed-off-by: Robert Lyon's avatarRobert Lyon <robertl@catalyst.net.nz>
parent 59b69807
......@@ -28,13 +28,19 @@ if (!empty($_SESSION['pwchangerequested'])) {
}
if (isset($_GET['key'])) {
$_SESSION['forgotpasskey'] = $_GET['key'];
redirect('/forgotpass.php');
}
if (isset($_SESSION['forgotpasskey'])) {
define('TITLE', get_string('changepassword'));
if (!$pwrequest = get_record('usr_password_request', 'key', $_GET['key'])) {
if (!$pwrequest = get_record('usr_password_request', 'key', $_SESSION['forgotpasskey'])) {
unset($_SESSION['forgotpasskey']);
die_info(get_string('nosuchpasswordrequest'));
}
if (strtotime($pwrequest->expiry) < time()) {
unset($_SESSION['forgotpasskey']);
die_info(get_string('passwordresetexpired'));
}
......@@ -199,7 +205,6 @@ function forgotpasschange_validate(Pieform $form, $values) {
password_validate($form, $values, $user);
}
// TODO:
// password_validate to maharalib, use it in places specified, test with a drop/create run
// support autofocus => (true|'id'), remove stuff doing autofocus from where it is, focus error fields
......@@ -207,6 +212,7 @@ function forgotpasschange_validate(Pieform $form, $values) {
function forgotpasschange_submit(Pieform $form, $values) {
global $SESSION, $USER;
unset($_SESSION['forgotpasskey']);
try {
$user = new User();
$user->find_by_id($values['user']);
......