From 37b29231e47a0c4458dc1c15d98588f16f07e1e2 Mon Sep 17 00:00:00 2001 From: Marius Cramer <m.cramer@pixcept.de> Date: Thu, 06 Aug 2015 03:18:44 -0400 Subject: [PATCH] - don't set password via remoting if field is empty --- interface/web/login/password_reset.php | 19 +++++++++++-------- 1 files changed, 11 insertions(+), 8 deletions(-) diff --git a/interface/web/login/password_reset.php b/interface/web/login/password_reset.php index 5eac46a..683a4bc 100644 --- a/interface/web/login/password_reset.php +++ b/interface/web/login/password_reset.php @@ -51,8 +51,8 @@ if(!preg_match("/^[\w\.\-\_]{1,64}$/", $_POST['username'])) die($app->lng('user_regex_error')); if(!preg_match("/^\w+[\w.-]*\w+@\w+[\w.-]*\w+\.[a-z]{2,10}$/i", $_POST['email'])) die($app->lng('email_error')); - $username = $app->db->quote($_POST['username']); - $email = $app->db->quote($_POST['email']); + $username = $_POST['username']; + $email = $_POST['email']; $client = $app->db->queryOneRecord("SELECT client.*, sys_user.lost_password_function FROM client,sys_user WHERE client.username = ? AND client.email = ? AND client.client_id = sys_user.client_id", $username, $email); @@ -60,17 +60,20 @@ $app->tpl->setVar("error", $wb['lost_password_function_disabled_txt']); } else { if($client['client_id'] > 0) { - $new_password = $app->auth->get_random_password(); + $server_config_array = $app->getconf->get_global_config(); + $min_password_length = 8; + if(isset($server_config_array['misc']['min_password_length'])) $min_password_length = $server_config_array['misc']['min_password_length']; + + $new_password = $app->auth->get_random_password($min_password_length, true); $new_password_encrypted = $app->auth->crypt_password($new_password); - $new_password_encrypted = $app->db->quote($new_password_encrypted); - $username = $app->db->quote($client['username']); - $app->db->query("UPDATE sys_user SET passwort = '$new_password_encrypted' WHERE username = '$username'"); - $app->db->query("UPDATE client SET password = '$new_password_encrypted' WHERE username = '$username'"); + $username = $client['username']; + $app->db->query("UPDATE sys_user SET passwort = ? WHERE username = ?", $new_password_encrypted, $username); + $app->db->query("UPDATE client SET password = ? WHERE username = ?", $new_password_encrypted, $username); $app->tpl->setVar("message", $wb['pw_reset']); $app->uses('getconf,ispcmail'); - $mail_config = $app->getconf->get_global_config('mail'); + $mail_config = $server_config_array['mail']; if($mail_config['smtp_enabled'] == 'y') { $mail_config['use_smtp'] = true; $app->ispcmail->setOptions($mail_config); -- Gitblit v1.9.1