gave password reset its own csrf token

2014-01-18 17:05:13 -05:00 · 2014-01-18 17:05:13 -05:00 · 36f3a16cc3
commit 36f3a16cc3
parent bd2999526e
2 changed files with 3 additions and 5 deletions
--- a/public/include/pages/password.inc.php
+++ b/public/include/pages/password.inc.php
@ -6,8 +6,7 @@ if (!defined('SECURITY'))
 // csrf token
 if ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) {
-  // we have to use editaccount token because this can be called from 2 places
+  $token = $csrftoken->getBasic($user->getCurrentIP(), 'resetaccount');
  $token = $csrftoken->getBasic($user->getCurrentIP(), 'editaccount', 'mdyH');
  $smarty->assign('CTOKEN', $token);
 }
 // Tempalte specifics
--- a/public/include/pages/password/reset.inc.php
+++ b/public/include/pages/password/reset.inc.php
@ -6,8 +6,7 @@ if (!defined('SECURITY')) die('Hacking attempt');
 // csrf stuff
 $csrfenabled = ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) ? 1 : 0;
 if ($csrfenabled) {
-  // we have to use editaccount token because this can be called from 2 separate places
+  $nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'resetaccount') == @$_POST['ctoken']) ? 1 : 0;
  $nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'editaccount', 'mdyH') == @$_POST['ctoken']) ? 1 : 0;
 }
 // Process password reset request
@ -24,7 +23,7 @@ if (!$csrfenabled || $csrfenabled && $nocsrf) {
 // csrf token
 if ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) {
-  $token = $csrftoken->getBasic($user->getCurrentIP(), 'editaccount', 'mdyH');
+  $token = $csrftoken->getBasic($user->getCurrentIP(), 'resetaccount');
  $smarty->assign('CTOKEN', $token);
 }
 // Tempalte specifics, user default template by parent page