From: Craig S. <cr...@mi...> - 2009-11-29 11:31:06
Temporarily fixed for now with... Index: functions.php =================================================================== --- functions.php (revision 13876) +++ functions.php (working copy) @@ -22,6 +22,8 @@ { global $cpw_pass_min_length, $cpw_pass_max_length; + // security token + sqgetGlobalVar('smtoken', $submitted_token, SQ_FORM, ''); // formdata sqgetGlobalVar('cpw_curpass', $currentpw, SQ_POST); sqgetGlobalVar('cpw_newpass', $newpw, SQ_POST); @@ -32,6 +34,9 @@ $msg = array(); + // verify the security token first + sm_validate_security_token($submitted_token, 3600, TRUE); + if(!$newpw) { $msg[] = _("You must type in a new password."); } @@ -76,6 +81,7 @@ function cpw_do_change() { global $cpw_backend; + sqgetGlobalVar('smtoken', $submitted_token, SQ_FORM, ''); sqgetGlobalVar('cpw_curpass', $curpw, SQ_POST); sqgetGlobalVar('cpw_newpass', $newpw, SQ_POST); sqgetGlobalVar('base_uri', $base_uri, SQ_SESSION); @@ -84,6 +90,9 @@ sqgetGlobalVar('username', $username, SQ_SESSION); require_once(SM_PATH . 'plugins/change_password/backend/'.$cpw_backend.'.php'); + + // verify the security token first + sm_validate_security_token($submitted_token, 3600, TRUE); $msgs = do_hook('change_password_dochange', $temp=array ( @@ -105,7 +114,7 @@ /* make sure we write the session data before we redirect */ session_write_close(); - header('Location: '.SM_PATH. 'src/options.php?optmode=submit&optpage=change_password&plugin_change_password=1'); + header('Location: '.SM_PATH. 'src/options.php'); exit; } Index: options.php =================================================================== --- options.php (revision 13876) +++ options.php (working copy) 
@@ -82,7 +82,7 @@ } ?><tr><td> - <?php echo addForm($_SERVER['PHP_SELF'], 'post'); ?> + <?php echo addForm($_SERVER['PHP_SELF'], 'post') . addHidden('smtoken', sm_generate_security_token()); ?> <table> <tr> <th align="right"><?php echo _("Current Password:")?></th>

On Sun, 2009-11-29 at 01:05 +0000, Craig Shelley wrote:
> Hi,
>
> Error message: "This page request could not be verified and appears to
> have expired" is displayed immediately after a password change.
> The password successfully gets changed, but the error message is a bit
> alarming.
>
> This issue appeared at revision with SVN revision;
>
> r13817 | pdontthink | 2009-08-12 09:28:38 +0100 (Wed, 12 Aug 2009)
> Implemented security token system. (Secunia Advisory SA34627)
>
> Any ideas about how to work around this?
>
>
> Regards,
> Craig
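
Review bot: the smtoken reads in the first functions.php hunk (@@ -22,6 +22,8 @@) and again in cpw_do_change() (@@ -76,6 +81,7 @@) use SQ_FORM, while the password fields right beside them use SQ_POST and the form in options.php is submitted with 'post'. SQ_FORM also accepts the value from the query string, so a token could be supplied in a URL, where it can end up in server logs and Referer headers. Reading it with `sqgetGlobalVar('smtoken', $submitted_token, SQ_POST, '');` keeps the token on the same channel as the passwords it protects.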
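
Review bot: in the functions.php hunk @@ -32,6 +34,9 @@ the validity period 3600 and the TRUE flag are passed to sm_validate_security_token() as bare literals, and the identical call is repeated in cpw_do_change() (@@ -84,6 +90,9 @@). A single named constant for the lifetime, plus a comment saying what the third argument does, would keep the two call sites from drifting apart and would document the intended token lifetime.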
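
Review bot: in cpw_do_change() (functions.php hunk @@ -84,6 +90,9 @@) sm_validate_security_token() runs after the require_once of the backend file selected by $cpw_backend, so backend code is loaded before the request has been verified. Moving the check above the require_once, directly after the sqgetGlobalVar() calls, would make verification the first thing the function does, which is what the added comment "verify the security token first" says.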
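
Review bot: the Location change in the functions.php hunk @@ -105,7 +114,7 @@ has no comment explaining why the query string was dropped. The old target carried optmode=submit with no smtoken, which fits the "could not be verified" message reported after a successful change, but the new target 'src/options.php' no longer returns to the change_password page, so the user may get no confirmation that the password was changed. A short comment at this line, and a decision on where the success message is shown, would settle what the message itself calls a temporary fix.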