From: <pdo...@us...> - 2009-12-18 06:46:24
Revision: 13878
http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13878&view=rev
Author: pdontthink
Date: 2009-12-18 06:46:16 +0000 (Fri, 18 Dec 2009)
Log Message:
-----------
Add security tokens to change password plugin
Modified Paths:
--------------
trunk/squirrelmail/plugins/change_password/functions.php
trunk/squirrelmail/plugins/change_password/options.php
Modified: trunk/squirrelmail/plugins/change_password/functions.php
===================================================================
--- trunk/squirrelmail/plugins/change_password/functions.php 2009-12-14 21:18:29 UTC (rev 13877)
+++ trunk/squirrelmail/plugins/change_password/functions.php 2009-12-18 06:46:16 UTC (rev 13878)
@@ -105,7 +105,7 @@
 /* make sure we write the session data before we redirect */
 session_write_close();
- header('Location: '.SM_PATH. 'src/options.php?optmode=submit&optpage=change_password&plugin_change_password=1');
+ header('Location: '.SM_PATH. 'src/options.php?optmode=submit&optpage=change_password&plugin_change_password=1&smtoken=' . sm_generate_security_token());
 exit;
 }
Modified: trunk/squirrelmail/plugins/change_password/options.php
===================================================================
--- trunk/squirrelmail/plugins/change_password/options.php 2009-12-14 21:18:29 UTC (rev 13877)
+++ trunk/squirrelmail/plugins/change_password/options.php 2009-12-18 06:46:16 UTC (rev 13878)
@@ -53,6 +53,11 @@
 /* the form was submitted, go for it */
 if(sqgetGlobalVar('cpw_go', $cpw_go, SQ_POST)) {
+
+ // security check
+ sqgetGlobalVar('smtoken', $submitted_token, SQ_POST, '');
+ sm_validate_security_token($submitted_token, 3600, TRUE);
+
 /* perform basic checks */
 $Messages = cpw_check_input();
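Review bot: The token minted on the `header('Location: ... &smtoken=' . sm_generate_security_token())` line travels in a GET query string, so for its whole validity window it is exposed in browser history, proxy and web-server access logs, and any Referer header the options page sends to off-site resources. If the redirect has to stay a GET, the consumer should treat the token as single-use and keep its lifetime short; otherwise deliver it through a POST form with a hidden field, as the options.php hunk in this same commit does. Note also that the plugin-side check added here reads `smtoken` with `SQ_POST` only, while this URL carries it as a query parameter, so the redirect relies on `src/options.php` accepting a token from GET — worth confirming. The enclosing function begins outside the hunk.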
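Review bot: The result of `sm_validate_security_token($submitted_token, 3600, TRUE);` is discarded, so the password change only fails closed if the `TRUE` third argument makes the helper terminate the request itself; nothing in this hunk shows that, and a later change to the helper's error path would silently turn this check into a no-op. If the helper reports the outcome as a boolean, an explicit guard costs one line and does not depend on its error path: `if (!sm_validate_security_token($submitted_token, 3600, TRUE)) { exit; }`. The validity period `3600` is a bare number; a short comment such as `// token must have been issued within the last hour` would document the intent. The `if(sqgetGlobalVar('cpw_go', ...))` block continues outside the hunk.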
@@ -83,6 +88,7 @@
 ?><tr><td>
 <?php echo addForm($_SERVER['PHP_SELF'], 'post'); ?>
+ <input type="hidden" name="smtoken" value="<?php echo sm_generate_security_token() ?>" />
 <table>
 <tr>
 <th align="right"><?php echo _("Current Password:")?></th>
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
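Review bot: The hidden field writes the token into an HTML attribute with a bare `echo sm_generate_security_token()`, without escaping for attribute context. That is harmless only as long as the token alphabet never contains `"`, `<` or `&`, which this hunk does not establish; escaping at the output boundary removes that dependence: `value="<?php echo htmlspecialchars(sm_generate_security_token(), ENT_QUOTES) ?>"`. Every render of the form also mints a new token, so a user with the form open in several tabs depends on the session keeping all outstanding tokens valid — presumably the helper handles this, but it is worth confirming. The surrounding form markup starts and ends outside the hunk.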