request #11217 Account takeover due to a missing CSRF protection
The change-email CSRF challenge was generated but never checked. Added another round of protection by ensuring that users are logged in when they confirm their change. The confirmation hash generation was also replaced with a true random source.

Change-Id: Ic0ef04f2fac95c5d501dd42b257dbf519c1482ff
Modified Files
Status | File | Added | Removed
---|---|---|---
M | site-content/en_US/account/account.tab | +0 | −23
M | site-content/fr_FR/LC_MESSAGES/tuleap-core.po | +94 | −1
M | site-content/fr_FR/account/account.tab | +0 | −23
M | site-content/tuleap-core.pot | +72 | −0
M | src/common/autoload.php | +5 | −2
M | src/common/dao/UserDao.class.php | +10 | −0
M | src/common/event/Event.class.php | +0 | −10
M | src/common/system_event/SystemEventManager.class.php | +0 | −6
A | src/common/user/Account/ChangePasswordController.php | +171 | −0
A | src/common/user/Account/ChangePasswordPresenter.php | +40 | −0
M | src/common/user/UserManager.class.php | +5 | −0
A | src/templates/user/change-email-complete.mustache | +9 | −0
A | src/templates/user/change-email-confirm.mustache | +7 | −0
A | src/templates/user/change-email.mustache | +17 | −0
M | src/www/account/change_email-complete.php | +7 | −43
M | src/www/account/change_email-confirm.php | +23 | −57
M | src/www/account/change_email.php | +23 | −41
M | src/www/project/admin/editgenericmember.php | +1 | −1