applied security relevant patch from nikolaus.jeremic-at-pro-inform.de: checking old password before changeing for a regular user

This commit is contained in:
Ralf Becker 2005-04-28 13:16:09 +00:00
parent 31fe84bd6f
commit 0ac70368cc
4 changed files with 60 additions and 2 deletions


@ -22,6 +22,7 @@
$n_passwd = $_POST['n_passwd'];
$n_passwd_2 = $_POST['n_passwd_2'];
$o_passwd_2 = $_POST['o_passwd_2'];
if(!$GLOBALS['phpgw']->acl->check('changepassword', 1) || $_POST['cancel'])
{
@ -34,6 +35,7 @@
));
$GLOBALS['phpgw']->template->set_var('lang_enter_password',lang('Enter your new password'));
$GLOBALS['phpgw']->template->set_var('lang_reenter_password',lang('Re-enter your password'));
$GLOBALS['phpgw']->template->set_var('lang_enter_old_password',lang('Enter your old password'));
$GLOBALS['phpgw']->template->set_var('lang_change',lang('Change'));
$GLOBALS['phpgw']->template->set_var('lang_cancel',lang('Cancel'));
$GLOBALS['phpgw']->template->set_var('form_action',$GLOBALS['phpgw']->link('/preferences/changepassword.php'));
@ -46,6 +48,13 @@
if ($_POST['change'])
{
$o_passwd = $GLOBALS['phpgw_info']['user']['passwd'];
if ($o_passwd != $o_passwd_2)
{
$errors[] = lang('The old password is not correct');
}
if ($n_passwd != $n_passwd_2)
{
$errors[] = lang('The two passwords are not the same');
@ -65,7 +74,6 @@
$GLOBALS['phpgw']->common->phpgw_exit(True);
}
$o_passwd = $GLOBALS['phpgw_info']['user']['passwd'];
$passwd_changed = $GLOBALS['phpgw']->auth->change_password($o_passwd, $n_passwd);
if(!$passwd_changed)
{
@ -83,7 +91,11 @@
$GLOBALS['hook_values']['account_id'] = $GLOBALS['phpgw_info']['user']['account_id'];
$GLOBALS['hook_values']['old_passwd'] = $o_passwd;
$GLOBALS['hook_values']['new_passwd'] = $n_passwd;
$GLOBALS['phpgw']->hooks->process('changepassword');
// called for every app now, not only for the ones enabled for the user
$GLOBALS['phpgw']->hooks->process($GLOBALS['hook_values']+array(
'location' => 'changepassword',
),False,True);
$GLOBALS['phpgw']->redirect_link('/preferences/index.php','cd=18');
}
}
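Review bot: The new old-password check `if ($o_passwd != $o_passwd_2)` in the third hunk uses PHP's loose comparison, which compares numeric-looking strings as numbers (`'1e3' == '1000'` and `'0' == '0.0'` are both true), so a submitted value that is not the stored password can still satisfy the check; use strict comparison, `if ((string)$o_passwd !== (string)$o_passwd_2)`. The same loose `!=` is on the following `$n_passwd != $n_passwd_2` line, though there it only affects confirmation matching. `$o_passwd_2 = $_POST['o_passwd_2'];` in the first hunk reads the field without an `isset()` guard, so a request that omits the field raises a notice before the comparison runs; `$o_passwd_2 = isset($_POST['o_passwd_2']) ? $_POST['o_passwd_2'] : '';` avoids that. Whether `$GLOBALS['phpgw_info']['user']['passwd']` holds the plaintext session password or a hash is not visible here; the existing `change_password($o_passwd, $n_passwd)` call suggests plaintext, but if it is a hash the direct comparison would always fail and the check should go through the auth layer instead. The `if ($_POST['change'])` block continues outside the hunk.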


@ -25,6 +25,7 @@ disable the execution a bugfixscript for internet explorer 5.5 and higher to sho
do you prefer a 24 hour time format, or a 12 hour one with am/pm attached. preferences de Bevorzugen Sie ein 24 Stunden Zeitformat oder 12 Stunden mit angehängtem Vor-/Nachmittag.
edit custom fields preferences de Benutzerdefinierte Felder editieren
enter your new password preferences de Neues Passwort eingeben
enter your old password preferences de Altes Passwort eingeben
error: there was a problem finding the preference file for %1 in %2 preferences de Fehler: Es gab ein Problem, die Einstellungen für %1 in %2 zu finden
failed to change password. please contact your administrator. preferences de Passwortänderung fehlgeschlagen. Bitte kontaktieren Sie Ihren Administrator!
forced preferences preferences de Erzwungene Einstellungen
@ -66,6 +67,7 @@ show text on navigation icons preferences de Text zu Icons in der Navigationslei
show_more_apps common de Mehr Anwendungen anzeigen
text only preferences de nur Text
the default application will be started when you enter phpgroupware or click on the homepage icon.<br>you can also have more than one application showing up on the homepage, if you don't choose a specific application here (has to be configured in the preferences of each application). preferences de Diese Anwendung wird gestartet, wenn sie phpGroupWare neu starten oder auf das Symbol der Startseite klicken. Sie können auch mehrere Anwendungen auf Ihrer Startseite anzeigen, dazu wählen sie keine Anwendung aus. Welche Anwendungen dann angezeigt werden, wird in den Einstellungen der jeweiligen Anwendungen konfiguriert.
the old password is not correct preferences de Das alte Passwort ist nicht korrekt
the selectbox shows all available users (can be very slow on big installs with many users). the popup can search users by name or group. preferences de Das Auswahlfeld zeigt alle verfügbaren Benutzer (kann sehr langsam sein bei großen Installationen mit vielen Benutzern). Das Popup ist ein extra Fenster, in dem nach Namen oder Gruppen gesucht werden kann.
the two passwords are not the same preferences de Die beiden Passworte sind nicht identisch
theme (colors/fonts) selection preferences de Auswahl des Themas (Farben/Schriften)


@ -22,6 +22,7 @@ description can not exceed 255 characters in length ! preferences en Description
do you prefer a 24 hour time format, or a 12 hour one with am/pm attached. preferences en Do you prefer a 24 hour time format, or a 12 hour one with am/pm attached.
edit custom fields preferences en edit custom fields
enter your new password preferences en Enter your new password
enter your old password preferences en Enter your old password
error: there was a problem finding the preference file for %1 in %2 preferences en Error: There was a problem finding the preference file for %1 in %2
failed to change password. please contact your administrator. preferences en Failed to change password. Please contact your administrator.
forced preferences preferences en Forced Preferences
@ -60,6 +61,7 @@ show text on navigation icons preferences en Show text on navigation icons
show_more_apps common en Show More Applications
text only preferences en Text only
the default application will be started when you enter phpgroupware or click on the homepage icon.<br>you can also have more than one application showing up on the homepage, if you don't choose a specific application here (has to be configured in the preferences of each application). preferences en The default application will be started when you enter eGroupWare or click on the homepage icon.<br>You can also have more than one application showing up on the homepage, if you don't choose a specific application here (has to be configured in the preferences of each application).
the old password is not correct preferences en The old password is not correct
the selectbox shows all available users (can be very slow on big installs with many users). the popup can search users by name or group. preferences en The selectbox shows all available users (can be very slow on big installs with many users). The popup can search users by name or group.
the two passwords are not the same preferences en The two passwords are not the same
theme (colors/fonts) selection preferences en Theme (colors/fonts) Selection


@ -0,0 +1,42 @@
<br>
<center>{messages}</center>
<form method="POST" action="{form_action}">
<table border="0">
<tr>
<td>
{lang_enter_old_password}
</td>
<td>
<input type="password" name="o_passwd_2">
</td>
</tr>
<tr>
<td>
{lang_enter_password}
</td>
<td>
<input type="password" name="n_passwd">
</td>
</tr>
<tr>
<td>
{lang_reenter_password}
</td>
<td>
<input type="password" name="n_passwd_2">
</td>
</tr>
<tr>
<td colspan="2">
<table cellspacing="5"><tr>
<td><input type="submit" name="change" value="{lang_change}"></td>
<td><input type="submit" name="cancel" value="{lang_cancel}"></td>
</tr></table>
</td>
</tr>
</table>
</form>
<br>
<pre>{sql_message}</pre>
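Review bot: `<pre>{sql_message}</pre>` at the bottom of the new template would print a database error message straight to the end user if the script ever fills it, and none of the changepassword.php hunks in this commit set `sql_message`, so it looks like either dead markup or a leftover from a copied template. Unless it is only populated in a debug mode, drop the line, or at least mark it with `<!-- sql_message: debug output only, must stay empty in production -->`. The old-password field this template adds is also what makes the form resistant to a forged cross-site submission, so the server-side check in the PHP hunk should remain mandatory rather than becoming optional later.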