aboutsummaryrefslogtreecommitdiffstats
path: root/mod
diff options
context:
space:
mode:
authorfriendica <info@friendica.com>2014-07-29 20:13:01 -0700
committerfriendica <info@friendica.com>2014-07-29 20:13:01 -0700
commit35ed18967a61e9871becbe6676603ce8e43eeec3 (patch)
tree1c2694dbbd956db6e5fc5dfce3a1d980203b4fb9 /mod
parentc8829e72434c4d5342d9b2c4a4f22b33e8ea1887 (diff)
downloadvolse-hubzilla-35ed18967a61e9871becbe6676603ce8e43eeec3.tar.gz
volse-hubzilla-35ed18967a61e9871becbe6676603ce8e43eeec3.tar.bz2
volse-hubzilla-35ed18967a61e9871becbe6676603ce8e43eeec3.zip
block channel removal for 48 hours after changing the account password, since the password is required to remove a channel. Somebody looking at an open session on somebody else's computer can simply change the password and then proceed to maliciously remove the channel. This change gives the owner 2 days to discover that something is wrong and recover his/her password and potentially save their channel from getting erased by the vandal. This is most likely to happen if a relationship has gone bad, or something incriminating was found in your private messages when you left your computer briefly unattended.
Diffstat (limited to 'mod')
-rw-r--r--mod/removeme.php8
-rw-r--r--mod/settings.php3
2 files changed, 10 insertions, 1 deletions
diff --git a/mod/removeme.php b/mod/removeme.php
index f0b4ae3c0..095570480 100644
--- a/mod/removeme.php
+++ b/mod/removeme.php
@@ -23,6 +23,14 @@ function removeme_post(&$a) {
if(! account_verify_password($account['account_email'],$_POST['qxz_password']))
return;
+ if($account['account_password_changed'] != '0000-00-00 00:00:00') {
+ $d1 = datetime_convert('UTC','UTC','now - 48 hours');
+ if($account['account_password_changed'] > d1) {
+ notice( t('Channel removals are not allowed within 48 hours of changing the account password.') . EOL);
+ return;
+ }
+ }
+
require_once('include/Contact.php');
$global_remove = intval($_POST['global']);
diff --git a/mod/settings.php b/mod/settings.php
index e036755fc..6c11fbc9b 100644
--- a/mod/settings.php
+++ b/mod/settings.php
@@ -202,10 +202,11 @@ function settings_post(&$a) {
if(! $errs) {
$salt = random_string(32);
$password_encoded = hash('whirlpool', $salt . $newpass);
- $r = q("update account set account_salt = '%s', account_password = '%s'
+ $r = q("update account set account_salt = '%s', account_password = '%s', account_password_changed = '%s'
where account_id = %d limit 1",
dbesc($salt),
dbesc($password_encoded),
+ dbesc(datetime_convert()),
intval(get_account_id())
);
if($r)