author: friendica <info@friendica.com>, 2014-07-29 20:13:01 -0700
committer: friendica <info@friendica.com>, 2014-07-29 20:13:01 -0700
commit: 35ed18967a61e9871becbe6676603ce8e43eeec3
tree: 1c2694dbbd956db6e5fc5dfce3a1d980203b4fb9 /mod/settings.php
parent: c8829e72434c4d5342d9b2c4a4f22b33e8ea1887
block channel removal for 48 hours after changing the account password, since the password is required to remove a channel. Somebody looking at an open session on somebody else's computer can simply change the password and then proceed to maliciously remove the channel. This change gives the owner 2 days to discover that something is wrong and recover his/her password and potentially save their channel from getting erased by the vandal. This is most likely to happen if a relationship has gone bad, or something incriminating was found in your private messages when you left your computer briefly unattended.
Diffstat (limited to 'mod/settings.php')
-rw-r--r-- mod/settings.php | 3
1 files changed, 2 insertions, 1 deletions
diff --git a/mod/settings.php b/mod/settings.php
index e036755fc..6c11fbc9b 100644
--- a/mod/settings.php
+++ b/mod/settings.php
@@ -202,10 +202,11 @@ function settings_post(&$a) {
if(! $errs) {
$salt = random_string(32);
$password_encoded = hash('whirlpool', $salt . $newpass);
- $r = q("update account set account_salt = '%s', account_password = '%s'
+ $r = q("update account set account_salt = '%s', account_password = '%s', account_password_changed = '%s'
where account_id = %d limit 1",
dbesc($salt),
dbesc($password_encoded),
+ dbesc(datetime_convert()),
intval(get_account_id())
);
if($r)
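Review bot: account_password_changed is written only by this one update in settings_post, so the 48-hour block holds only if every other code path that writes account_password (a reset or recovery flow, if the project has one) sets the column as well; otherwise a password changed through that path leaves the timestamp stale and channel removal stays open. The comparison that enforces the 48 hours is not in this file's diff, so it is worth confirming that it reads the same column in the same timezone that datetime_convert() writes here, and that accounts whose account_password_changed was never set are handled. The lines shown also give no sign that the current password is verified before the update; if it is not checked earlier in settings_post, requiring it would address the open-session case from the commit message directly rather than only delaying the damage.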