fix vulnerability in password recovery

alejandro-campos 2020-04-20 18:00:20 +02:00
parent a4bd4a4c5d
commit 9a66359b3c
1 changed files with 5 additions and 4 deletions


@ -731,12 +731,13 @@ if (! isset($config['id_user'])) {
$first = (boolean) get_parameter('first', 0);
$reset_hash = get_parameter('reset_hash', '');
if ($correct_pass_change) {
$pass1 = get_parameter_post('pass1');
$pass2 = get_parameter_post('pass2');
$id_user = get_parameter_post('id_user');
if ($correct_pass_change && !empty($pass1) && !empty($pass2) && !empty($id_user)) {
$correct_reset_pass_process = '';
$process_error_message = '';
$pass1 = get_parameter('pass1');
$pass2 = get_parameter('pass2');
$id_user = get_parameter('id_user');
if ($pass1 == $pass2) {
$res = update_user_password($id_user, $pass1);