Re: [SM-DEVEL] Problems with Change Password

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Temporarily fixed for now with...


Index: functions.php
===================================================================

--- functions.php	(revision 13876)
+++ functions.php	(working copy)
@@ -22,6 +22,8 @@
 {
     global $cpw_pass_min_length, $cpw_pass_max_length;
 
+    // security token
+    sqgetGlobalVar('smtoken',     $submitted_token, SQ_FORM, '');
     // formdata
     sqgetGlobalVar('cpw_curpass', $currentpw, SQ_POST);
     sqgetGlobalVar('cpw_newpass', $newpw,     SQ_POST);
@@ -32,6 +34,9 @@
 
     $msg = array();
 
+    // verify the security token first
+    sm_validate_security_token($submitted_token, 3600, TRUE);
+
     if(!$newpw) {
         $msg[] = _("You must type in a new password.");
     }
@@ -76,6 +81,7 @@
 function cpw_do_change()
 {
     global $cpw_backend;
+    sqgetGlobalVar('smtoken',     $submitted_token, SQ_FORM, '');
     sqgetGlobalVar('cpw_curpass', $curpw,      SQ_POST);
     sqgetGlobalVar('cpw_newpass', $newpw,      SQ_POST);
     sqgetGlobalVar('base_uri',    $base_uri,   SQ_SESSION);
@@ -84,6 +90,9 @@
     sqgetGlobalVar('username',    $username,   SQ_SESSION);
 
     require_once(SM_PATH .
'plugins/change_password/backend/'.$cpw_backend.'.php');
+    
+    // verify the security token first
+    sm_validate_security_token($submitted_token, 3600, TRUE);
 
     $msgs = do_hook('change_password_dochange',
         $temp=array (
@@ -105,7 +114,7 @@
 
     /* make sure we write the session data before we redirect */
     session_write_close();
-    header('Location: '.SM_PATH.
'src/options.php?optmode=submit&optpage=change_password&plugin_change_password=1');
+    header('Location: '.SM_PATH. 'src/options.php');
     exit;
 }
 
Index: options.php
===================================================================
--- options.php	(revision 13876)
+++ options.php	(working copy)
@@ -82,7 +82,7 @@
 }
 
 ?><tr><td>
-    <?php echo addForm($_SERVER['PHP_SELF'], 'post'); ?>
+    <?php echo addForm($_SERVER['PHP_SELF'], 'post') .
addHidden('smtoken', sm_generate_security_token()); ?>
     <table>
       <tr>
         <th align="right"><?php echo _("Current Password:")?></th>


On Sun, 2009-11-29 at 01:05 +0000, Craig Shelley wrote:
> Hi,
> 
> Error message: "This page request could not be verified and appears to
> have expired" is displayed immediately after a password change.
> The password successfully gets changed, but the error message is a bit
> alarming.
> 
> This issue appeared at revision with SVN revision;
> 
> r13817 | pdontthink | 2009-08-12 09:28:38 +0100 (Wed, 12 Aug 2009)
> Implemented security token system. (Secunia Advisory SA34627)
> 
> Any ideas about how to work around this?
> 
> 
> Regards,
> Craig
> 
> 
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day 
> trial. Simplify your report design, integration and deployment - and focus on 
> what you do best, core application coding. Discover what's new with
> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
> ----- squirrelmail-devel mailing list Posting guidelines: http://squirrelmail.org/postingguidelines List address: squ...@li... List archives: http://news.gmane.org/gmane.mail.squirrelmail.devel List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-devel
