Commit 5d5e80b9 authored by Robert Lyon, committed by Gerrit Code Review

Merge "Security Bug 1701978: fix session cookie issues" into 16.10_STABLE

parents b5642c83 69bcdb52
...@@ -265,6 +265,7 @@ function profileform_submit(Pieform $form, $values) { ...@@ -265,6 +265,7 @@ function profileform_submit(Pieform $form, $values) {
$email_errors = array(); $email_errors = array();
$lockedfields = locked_profile_fields(); $lockedfields = locked_profile_fields();
$alertuserofnewemail = array();
foreach ($element_list as $element => $type) { foreach ($element_list as $element => $type) {
...@@ -290,6 +291,8 @@ function profileform_submit(Pieform $form, $values) { ...@@ -290,6 +291,8 @@ function profileform_submit(Pieform $form, $values) {
$key_url_decline = $key_url . '&decline=1'; $key_url_decline = $key_url . '&decline=1';
try { try {
$alertuserofnewemail[] = $email;
$sitename = get_config('sitename'); $sitename = get_config('sitename');
email_user( email_user(
(object)array( (object)array(
...@@ -323,6 +326,33 @@ function profileform_submit(Pieform $form, $values) { ...@@ -323,6 +326,33 @@ function profileform_submit(Pieform $form, $values) {
); );
} }
// alert user that new email addresses have been added
if (!empty($alertuserofnewemail)) {
$emails = implode(', ', $alertuserofnewemail);
try {
$sitename = get_config('sitename');
email_user(
(object)array(
'id' => $USER->get('id'),
'username' => $USER->get('username'),
'firstname' => $USER->get('firstname'),
'lastname' => $USER->get('lastname'),
'preferredname' => $USER->get('preferredname'),
'admin' => $USER->get('admin'),
'staff' => $USER->get('staff'),
'email' => $profilefields['email']['default'],
),
null,
get_string('newemailalert_subject', 'artefact.internal', $sitename),
get_string('newemailalert_body_text', 'artefact.internal', $USER->get('firstname'), $sitename, $emails, $sitename, get_config('wwwroot')),
get_string('newemailalert_body_html', 'artefact.internal', hsc($USER->get('firstname')), hsc($sitename), hsc($emails), hsc($sitename), get_config('wwwroot'))
);
}
catch (EmailException $e) {
$email_errors[] = $profilefields['email']['default'];
}
}
// remove old addresses // remove old addresses
foreach ($profilefields['email']['validated'] as $email) { foreach ($profilefields['email']['validated'] as $email) {
if (in_array($email, $values['email']['validated'])) { if (in_array($email, $values['email']['validated'])) {
...@@ -393,10 +423,7 @@ function profileform_submit(Pieform $form, $values) { ...@@ -393,10 +423,7 @@ function profileform_submit(Pieform $form, $values) {
$USER->commit(); $USER->commit();
} }
} }
else if ($element == 'maildisabled') { else if (in_array($element, array('maildisabled', 'socialprofile'))) {
continue;
}
else if ($element == 'socialprofile') {
continue; continue;
} }
else { else {
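Review bot: `$alertuserofnewemail[] = $email;` is appended at the top of the `try`, before the validation `email_user(...)` call, so an address whose validation mail throws `EmailException` (that catch is outside this hunk) is presumably still listed in the "new email address added" alert as though it had been added; moving the append to just after the `email_user(...)` call keeps the alert truthful. Sending the alert to `$profilefields['email']['default']` — the default address on record before this submit, not anything taken from `$values` — is the right choice, since whoever holds the session cannot redirect the warning in the same request, and that intent deserves a comment such as `// Notify the pre-change default address so the account owner learns of additions made by anyone else holding this session`. The second `$sitename = get_config('sitename');` inside the new block duplicates the one fetched in the loop above and could be hoisted. profileform_submit starts and ends outside this hunk.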
......
...@@ -96,6 +96,29 @@ You have added the email address %s to your user account in %s. Please visit the ...@@ -96,6 +96,29 @@ You have added the email address %s to your user account in %s. Please visit the
If this email belongs to you, but you have not requested adding it to your %s account, follow the link below to decline the email activation. If this email belongs to you, but you have not requested adding it to your %s account, follow the link below to decline the email activation.
%s %s
EOF;
$string['newemailalert_subject'] = 'New email address added to your %s account';
$string['newemailalert_body_text'] = <<<EOF
Hello %s,
You have added the email addresses to your user account in %s:
%s
If you have not requested this change in your %s account, please contact the site administrator
%scontact.php
EOF;
$string['newemailalert_body_html'] = <<<EOF
<p>Hello %s,</p>
<p>You have added the email addresses to your user account in %s:</p>
<p>%s</p>
<p>If you have not requested this change in your %s account, please <a href="%scontact.php">contact the site administrator</a></p>
EOF; EOF;
$string['validationemailwillbesent'] = 'A validation email will be sent when you save your profile.'; $string['validationemailwillbesent'] = 'A validation email will be sent when you save your profile.';
......
...@@ -417,7 +417,9 @@ function auth_setup () { ...@@ -417,7 +417,9 @@ function auth_setup () {
// reset the password clearing the session from usr_session. // reset the password clearing the session from usr_session.
$sessionexists = get_record('usr_session', 'usr', $USER->id, 'session', $USER->get('sessionid')); $sessionexists = get_record('usr_session', 'usr', $USER->id, 'session', $USER->get('sessionid'));
$parentuser = $USER->get('parentuser'); $parentuser = $USER->get('parentuser');
if (($sessionlogouttime && isset($_GET['logout'])) || ($sessionexists === false && $USER->get('sessionid') != '' && empty($parentuser))) { if (($sessionlogouttime && isset($_GET['logout']))
|| ($sessionexists === false && $USER->get('sessionid') != '' && empty($parentuser))
|| ($sessionexists && isset($sessionexists->useragent) && $sessionexists->useragent != $_SERVER['HTTP_USER_AGENT'])) {
// Call the authinstance' logout hook // Call the authinstance' logout hook
$authinstance = $SESSION->get('authinstance'); $authinstance = $SESSION->get('authinstance');
if ($authinstance) { if ($authinstance) {
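Review bot: The new user-agent check reads `$_SERVER['HTTP_USER_AGENT']` directly, whereas store_sessionid falls back to `'unknown'` when the header is absent; a request without a User-Agent header therefore raises an undefined-index notice here and, because `'unknown' != null` evaluates true, forces a logout instead of matching the stored value. Use the same fallback on both sides and a strict comparison: `$currentua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : 'unknown';` followed by `|| ($sessionexists && isset($sessionexists->useragent) && $sessionexists->useragent !== $currentua)`. The `isset()` guard correctly skips rows created before the upgrade, whose useragent column is NULL. Binding a session to its User-Agent only catches a cookie replayed from a differently-configured client — an attacker who captured the cookie can usually send the same header — so this is defence in depth rather than a complete fix and should be described as such in a comment. auth_setup's body continues outside this hunk.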
......
...@@ -1843,12 +1843,17 @@ class LiveUser extends User { ...@@ -1843,12 +1843,17 @@ class LiveUser extends User {
private function store_sessionid() { private function store_sessionid() {
$sessionid = $this->get('sessionid'); $sessionid = $this->get('sessionid');
delete_records('usr_session', 'session', $sessionid); delete_records('usr_session', 'usr', $this->get('id'));
$useragent = 'unknown';
if (isset($_SERVER['HTTP_USER_AGENT'])) {
$useragent = $_SERVER['HTTP_USER_AGENT'];
}
insert_record('usr_session', (object) array( insert_record('usr_session', (object) array(
'usr' => $this->get('id'), 'usr' => $this->get('id'),
'session' => $sessionid, 'session' => $sessionid,
'ctime' => db_format_timestamp(time()), 'ctime' => db_format_timestamp(time()),
'mtime' => db_format_timestamp(time()), 'mtime' => db_format_timestamp(time()),
'useragent' => $useragent,
)); ));
} }
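Review bot: Changing the delete from `'session', $sessionid` to `'usr', $this->get('id')` removes every stored session row for the user rather than just the one being re-recorded, so a fresh login appears to invalidate all of that user's other sessions once auth_setup finds no usr_session row for them; that is a security-positive change but it is a behaviour change for anyone legitimately logged in from two devices and deserves a comment, e.g. `// Drop all of this user's existing sessions: a new login invalidates any session held elsewhere, including a hijacked one.` The `$useragent` value is a raw client header stored verbatim, so any code that later renders it must escape it; a comment such as `// Raw, untrusted client header; hsc() before display` would make that explicit. Class LiveUser starts and ends outside this hunk.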
......
...@@ -227,6 +227,7 @@ ...@@ -227,6 +227,7 @@
<FIELD NAME="session" TYPE="char" LENGTH="255" NOTNULL="true" /> <FIELD NAME="session" TYPE="char" LENGTH="255" NOTNULL="true" />
<FIELD NAME="ctime" TYPE="datetime" NOTNULL="true"/> <FIELD NAME="ctime" TYPE="datetime" NOTNULL="true"/>
<FIELD NAME="mtime" TYPE="datetime" NOTNULL="false"/> <FIELD NAME="mtime" TYPE="datetime" NOTNULL="false"/>
<FIELD NAME="useragent" TYPE="text" LENGTH="small" NOTNULL="false"/>
</FIELDS> </FIELDS>
<KEYS> <KEYS>
<KEY NAME="primary" TYPE="primary" FIELDS="session" /> <KEY NAME="primary" TYPE="primary" FIELDS="session" />
......
...@@ -4956,5 +4956,16 @@ function xmldb_core_upgrade($oldversion=0) { ...@@ -4956,5 +4956,16 @@ function xmldb_core_upgrade($oldversion=0) {
} }
} }
if ($oldversion < 2016090229) {
log_debug('Add an "useragent" field to usr_session table');
$table = new XMLDBTable('usr_session');
$field = new XMLDBField('useragent');
$field->setType(XMLDB_TYPE_TEXT);
$field->setLength('small');
if (!field_exists($table, $field)) {
add_field($table, $field);
}
}
return $status; return $status;
} }
...@@ -16,7 +16,7 @@ $config = new stdClass(); ...@@ -16,7 +16,7 @@ $config = new stdClass();
// See https://wiki.mahara.org/wiki/Developer_Area/Version_Numbering_Policy // See https://wiki.mahara.org/wiki/Developer_Area/Version_Numbering_Policy
// For upgrades on stable branches, increment the version by one. On master, use the date. // For upgrades on stable branches, increment the version by one. On master, use the date.
$config->version = 2016090228; $config->version = 2016090229;
$config->series = '16.10'; $config->series = '16.10';
$config->release = '16.10.6testing'; $config->release = '16.10.6testing';
$config->minupgradefrom = 2012080604; $config->minupgradefrom = 2012080604;
......