RanchiMall/php-mpos
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

gave password reset its own csrf token

Browse Source
This commit is contained in:
xisi 2014-01-18 17:05:13 -05:00
parent bd2999526e
commit 36f3a16cc3
2 changed files with 3 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
public/include/pages/password.inc.php
View File

@ -6,8 +6,7 @@ if (!defined('SECURITY'))
// csrf token
if ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) {
// we have to use editaccount token because this can be called from 2 places
$token = $csrftoken->getBasic($user->getCurrentIP(), 'editaccount', 'mdyH');
$token = $csrftoken->getBasic($user->getCurrentIP(), 'resetaccount');
$smarty->assign('CTOKEN', $token);
}
// Tempalte specifics

5
public/include/pages/password/reset.inc.php
View File

@ -6,8 +6,7 @@ if (!defined('SECURITY')) die('Hacking attempt');
// csrf stuff
$csrfenabled = ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) ? 1 : 0;
if ($csrfenabled) {
// we have to use editaccount token because this can be called from 2 separate places
$nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'editaccount', 'mdyH') == @$_POST['ctoken']) ? 1 : 0;
$nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'resetaccount') == @$_POST['ctoken']) ? 1 : 0;
}
// Process password reset request
@ -24,7 +23,7 @@ if (!$csrfenabled || $csrfenabled && $nocsrf) {
// csrf token
if ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) {
$token = $csrftoken->getBasic($user->getCurrentIP(), 'editaccount', 'mdyH');
$token = $csrftoken->getBasic($user->getCurrentIP(), 'resetaccount');
$smarty->assign('CTOKEN', $token);
}
// Tempalte specifics, user default template by parent page