diff options
| author | friendica <info@friendica.com> | 2014-07-29 20:13:01 -0700 |
|---|---|---|
| committer | friendica <info@friendica.com> | 2014-07-29 20:13:01 -0700 |
| commit | 35ed18967a61e9871becbe6676603ce8e43eeec3 (patch) | |
| tree | 1c2694dbbd956db6e5fc5dfce3a1d980203b4fb9 | |
| parent | c8829e72434c4d5342d9b2c4a4f22b33e8ea1887 (diff) | |
| download | volse-hubzilla-35ed18967a61e9871becbe6676603ce8e43eeec3.tar.gz volse-hubzilla-35ed18967a61e9871becbe6676603ce8e43eeec3.tar.bz2 volse-hubzilla-35ed18967a61e9871becbe6676603ce8e43eeec3.zip | |
block channel removal for 48 hours after changing the account password, since the password is required to remove a channel. Somebody looking at an open session on somebody else's computer can simply change the password and then proceed to maliciously remove the channel. This change gives the owner 2 days to discover that something is wrong and recover his/her password and potentially save their channel from getting erased by the vandal. This is most likely to happen if a relationship has gone bad, or something incriminating was found in your private messages when you left your computer briefly unattended.
| -rwxr-xr-x | boot.php | 2 | ||||
| -rw-r--r-- | install/database.sql | 4 | ||||
| -rw-r--r-- | install/update.php | 11 | ||||
| -rw-r--r-- | mod/removeme.php | 8 | ||||
| -rw-r--r-- | mod/settings.php | 3 |
5 files changed, 24 insertions, 4 deletions
@@ -47,7 +47,7 @@ define ( 'RED_PLATFORM', 'Red Matrix' ); define ( 'RED_VERSION', trim(file_get_contents('version.inc')) . 'R'); define ( 'ZOT_REVISION', 1 ); -define ( 'DB_UPDATE_VERSION', 1118 ); +define ( 'DB_UPDATE_VERSION', 1119 ); define ( 'EOL', '<br />' . "\r\n" ); define ( 'ATOM_TIME', 'Y-m-d\TH:i:s\Z' ); diff --git a/install/database.sql b/install/database.sql index c0440c035..9d0401a44 100644 --- a/install/database.sql +++ b/install/database.sql @@ -55,6 +55,7 @@ CREATE TABLE IF NOT EXISTS `account` ( `account_expire_notified` datetime NOT NULL DEFAULT '0000-00-00 00:00:00', `account_service_class` char(32) NOT NULL DEFAULT '', `account_level` int(10) unsigned NOT NULL DEFAULT '0', + `account_password_changed` datetime NOT NULL DEFAULT '0000-00-00 00:00:00', PRIMARY KEY (`account_id`), KEY `account_email` (`account_email`), KEY `account_service_class` (`account_service_class`), @@ -65,7 +66,8 @@ CREATE TABLE IF NOT EXISTS `account` ( KEY `account_expires` (`account_expires`), KEY `account_default_channel` (`account_default_channel`), KEY `account_external` (`account_external`), - KEY `account_level` (`account_level`) + KEY `account_level` (`account_level`), + KEY `account_password_changed` (`account_password_changed`) ) ENGINE=MyISAM DEFAULT CHARSET=utf8; CREATE TABLE IF NOT EXISTS `addon` ( diff --git a/install/update.php b/install/update.php index 5bc5c9aa3..0818cc888 100644 --- a/install/update.php +++ b/install/update.php @@ -1,6 +1,6 @@ <?php -define( 'UPDATE_VERSION' , 1118 ); +define( 'UPDATE_VERSION' , 1119 ); /** * @@ -1314,3 +1314,12 @@ DROP INDEX `channel_a_bookmark` , ADD INDEX `channel_w_like` ( `channel_w_like` } +function update_r1118() { + $r = q("ALTER TABLE `account` ADD `account_password_changed` DATETIME NOT NULL DEFAULT '0000-00-00 00:00:00', +ADD INDEX ( `account_password_changed` )"); + if($r) + return UPDATE_SUCCESS; + return UPDATE_FAILED; +} + + diff --git a/mod/removeme.php b/mod/removeme.php index f0b4ae3c0..095570480 100644 --- a/mod/removeme.php +++ b/mod/removeme.php @@ -23,6 +23,14 @@ function removeme_post(&$a) { if(! account_verify_password($account['account_email'],$_POST['qxz_password'])) return; + if($account['account_password_changed'] != '0000-00-00 00:00:00') { + $d1 = datetime_convert('UTC','UTC','now - 48 hours'); + if($account['account_password_changed'] > d1) { + notice( t('Channel removals are not allowed within 48 hours of changing the account password.') . EOL); + return; + } + } + require_once('include/Contact.php'); $global_remove = intval($_POST['global']); diff --git a/mod/settings.php b/mod/settings.php index e036755fc..6c11fbc9b 100644 --- a/mod/settings.php +++ b/mod/settings.php @@ -202,10 +202,11 @@ function settings_post(&$a) { if(! $errs) { $salt = random_string(32); $password_encoded = hash('whirlpool', $salt . $newpass); - $r = q("update account set account_salt = '%s', account_password = '%s' + $r = q("update account set account_salt = '%s', account_password = '%s', account_password_changed = '%s' where account_id = %d limit 1", dbesc($salt), dbesc($password_encoded), + dbesc(datetime_convert()), intval(get_account_id()) ); if($r) |