account activation security fix
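--- a/htdocs/a.php
+++ b/htdocs/a.php
@@ -0,0 +1,12 @@
+<?php
+/***************************************************************************
+* For license information see doc/license.txt
+*
+* Unicode Reminder メモ
+*
+* Activation page shortcut to keep URLs in activation Emails short
+***************************************************************************/
+
+require "activation.php";
+
+?>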
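Review bot: The closing `?>` on the last line of a.php should be dropped, since the file contains only PHP and the tag serves no purpose there. The parser swallows exactly one newline after `?>`, but any further trailing whitespace or a stray BOM is emitted as output, which is the classic source of "headers already sent" errors in include-only shims like this one. Ending the file right after `require "activation.php";` removes that risk.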
@@ -14,22 +14,17 @@
|
||||
// We use short param codes 'u' and 'c' to generate short-enough activation
|
||||
// url that will not be wrapped in plain-text emails.
|
||||
|
||||
if (isset($_REQUEST['email']))
|
||||
$email = trim($_REQUEST['email']);
|
||||
else if (isset($_REQUEST['u']))
|
||||
$email = sql_value("SELECT `email` FROM `user` WHERE `user_id`='&1'", '', $_REQUEST['u']);
|
||||
else
|
||||
$email = '';
|
||||
|
||||
$code = isset($_REQUEST['code']) ? trim($_REQUEST['code']) :
|
||||
(isset($_REQUEST['c']) ? trim($_REQUEST['c']) : '');
|
||||
$email = isset($_REQUEST['email']) ? trim($_REQUEST['email']) :
|
||||
(isset($_REQUEST['e']) ? trim($_REQUEST['e']) : '');
|
||||
|
||||
$tpl->assign('errorEMail', false);
|
||||
$tpl->assign('errorCode', false);
|
||||
$tpl->assign('errorAlreadyActivated', false);
|
||||
$tpl->assign('sucess', false);
|
||||
|
||||
if (isset($_REQUEST['submit']) || isset($_REQUEST['u']))
|
||||
if (isset($_REQUEST['submit']) || ($code != '' && $email != ''))
|
||||
{
|
||||
$email_not_ok = is_valid_email_address($email) ? false : true;
|
||||
|
||||
|
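Review bot: The comment at the top of the hunk is now stale: it still says the short parameter codes are 'u' and 'c', but the new code reads the email from 'e' (`$_REQUEST['e']`) and the 'u' lookup via `sql_value(... WHERE user_id=...)` has been removed. It should read `// We use short param codes 'e' and 'c' to generate short-enough activation`. It would also be worth noting next to the new `if (isset($_REQUEST['submit']) || ($code != '' && $email != ''))` that supplying both codes in the URL now submits the form without a button press, e.g. `// a link carrying both e and c is treated like a submit`. The `if` block's body continues past the end of the hunk.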
@@ -601,6 +601,7 @@ class user
|
||||
$mail->subject = $translate->t('Registration confirmation', '', basename(__FILE__), __LINE__);
|
||||
$mail->assign('domain', $opt['page']['domain']);
|
||||
$mail->assign('activation_page', $opt['page']['absolute_url'] . 'activation.php');
|
||||
$mail->assign('short_activation_page', $opt['page']['absolute_url'] . 'a.php');
|
||||
$mail->assign('username', $this->getUsername());
|
||||
$mail->assign('userid', $this->getUserId());
|
||||
$mail->assign('last_name', $this->getLastName());
|
||||
|
@@ -15,7 +15,7 @@
|
||||
|
||||
{t}Before you can login for the first time, you have to activate your account by clicking on the following link:{/t}
|
||||
|
||||
{$activation_page}?u={$userid}&c={$code}
|
||||
{$short_activation_page}?e={$to|urlencode}&c={$code}
|
||||
|
||||
{t 1=$activation_page}Alternatively, you can visit %1 and enter the following code manually:{/t}
|
||||
|
||||
|
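Review bot: In the new link `{$short_activation_page}?e={$to|urlencode}&c={$code}` the recipient address is URL-encoded but `$code` is not; if the activation code alphabet is ever anything other than URL-safe characters the link breaks, so `&c={$code|urlencode}` would be the consistent form. The class-user hunk in this commit assigns `domain`, `activation_page`, `short_activation_page`, `username`, `userid` and `last_name` but no `to`, so `$to` presumably comes from the mail class itself — worth confirming it is set before this template is rendered. Since `userid` is no longer used by this template, the `$mail->assign('userid', ...)` in the class hunk may now be dead unless another template reads it.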