open-dsi
/
nextcloud-server
mirror of https://github.com/nextcloud/server
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

csrf protection

Browse Source
remotes/origin/stable4
Frank Karlitschek 14 years ago
parent 1277962183
commit 6bdefef31e
2 changed files with 14 additions and 6 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 19
      core/lostpassword/index.php
  2. 1
      core/lostpassword/templates/lostpassword.php

19
core/lostpassword/index.php
Unescape View File

@ -9,13 +9,14 @@
$RUNTIME_NOAPPS = TRUE; //no apps
require_once('../../lib/base.php');
// Someone lost their password:
if (isset($_POST['user'])) {
if (OC_User::userExists($_POST['user'])) {
$token = sha1($_POST['user'].md5(uniqid(rand(), true)));
OC_Preferences::setValue($_POST['user'], 'owncloud', 'lostpassword', $token);
$email = OC_Preferences::getValue($_POST['user'], 'settings', 'email', '');
if (!empty($email)) {
if (!empty($email) and isset($_POST['sectoken']) and isset($_SESSION['sectoken']) and ($_POST['sectoken']==$_SESSION['sectoken']) ) {
$link = OC_Helper::linkToAbsolute('core/lostpassword', 'resetpassword.php').'?user='.$_POST['user'].'&token='.$token;
$tmpl = new OC_Template('core/lostpassword', 'email');
$tmpl->assign('link', $link);
@ -23,14 +24,20 @@ if (isset($_POST['user'])) {
$l = OC_L10N::get('core');
$from = 'lostpassword-noreply@' . $_SERVER['HTTP_HOST'];
$r=mail($email, $l->t('Owncloud password reset'), $msg, 'From:' . $from);
//if($r==false) echo('error'); else echo('works!!!!!!!');
OC_MAIL::send($email,$_POST['user'],$l->t('Owncloud password reset'),$msg,$from,'ownCloud');
OC_MAIL::send($email,$_POST['user'],$l->t('ownCloud password reset'),$msg,$from,'ownCloud');
echo('sent');
}
OC_Template::printGuestPage('core/lostpassword', 'lostpassword', array('error' => false, 'requested' => true));
$sectoken=rand(1000000,9999999);
$_SESSION['sectoken']=$sectoken;
OC_Template::printGuestPage('core/lostpassword', 'lostpassword', array('error' => false, 'requested' => true, 'sectoken' => $sectoken));
} else {
OC_Template::printGuestPage('core/lostpassword', 'lostpassword', array('error' => true, 'requested' => false));
$sectoken=rand(1000000,9999999);
$_SESSION['sectoken']=$sectoken;
OC_Template::printGuestPage('core/lostpassword', 'lostpassword', array('error' => true, 'requested' => false, 'sectoken' => $sectoken));
}
} else {
OC_Template::printGuestPage('core/lostpassword', 'lostpassword', array('error' => false, 'requested' => false));
$sectoken=rand(1000000,9999999);
$_SESSION['sectoken']=$sectoken;
OC_Template::printGuestPage('core/lostpassword', 'lostpassword', array('error' => false, 'requested' => false, 'sectoken' => $sectoken));
}

1
core/lostpassword/templates/lostpassword.php
Unescape View File

@ -10,6 +10,7 @@
<p class="infield">
<label for="user" class="infield"><?php echo $l->t( 'Username' ); ?></label>
<input type="text" name="user" id="user" value="" autocomplete="off" required autofocus />
<input type="hidden" name="sectoken" id="sectoken" value="<?php echo($_['sectoken']); ?>" />
</p>
<input type="submit" id="submit" value="<?php echo $l->t('Request reset'); ?>" />
<?php endif; ?>

Write Preview
Loading…
Cancel
Save