Owen Leonard
85c4cd4712
The OPAC change password template enforces the OpacPasswordChange preference by preventing the form from appearing. However, the script doesn't contain any check for OpacPasswordChange, so it is vulnerable to someone submitting data to it by some other means. This patch adds a check for OpacPasswordChange to the script and revises the template logic in order to show the right warning in all circumstances. To test, turn off OpacPasswordChange and navigate manually to opac-passwd.pl. You should see a warning that you can't change your password. Turn on OpacPasswordChange, load the change password page and save the page to your desktop. Turn off OpacPasswordChange and submit a password change via the saved page. Without the patch this would result in a password change. After the patch it should not. Signed-off-by: Melia Meggs <melia@test.bywatersolutions.com> Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de> Confirmed bug and made sure patch fixes it. Passes all tests and perlcritic. Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
#!/usr/bin/perl
# This script lets the users change the passwords by themselves.
#
# (c) 2005 Universidad ORT Uruguay.
#
# This file is part of the extensions and enhancements made to Koha by Universidad ORT Uruguay
#
# Koha is free software; you can redistribute it and/or modify it under the
# terms of the GNU General Public License as published by the Free Software
# Foundation; either version 2 of the License, or (at your option) any later
# version.
#
# Koha is distributed in the hope that it will be useful, but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
# A PARTICULAR PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with Koha; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
use strict;
use warnings;
use CGI;
use C4::Auth; # checkauth, getborrowernumber.
use C4::Context;
use Digest::MD5 qw(md5_base64);
use C4::Circulation;
use C4::Members;
use C4::Output;
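my $query = CGI->new;
my $dbh   = C4::Context->dbh;

# Authentication is mandatory (authnotrequired => 0): $borrowernumber is the
# logged-in patron, and it is the ONLY account whose password this script will
# touch -- the form never carries a borrower identifier of its own.
# NOTE(review): debug => 1 is kept as in the original; confirm it is wanted in
# production, since this page has no need for template debug output.
my ( $template, $borrowernumber, $cookie ) = get_template_and_user(
    {
        template_name   => "opac-passwd.tmpl",
        query           => $query,
        type            => "opac",
        authnotrequired => 0,
        flagsrequired   => { borrow => 1 },
        debug           => 1,
    }
);

# get borrower information ....
my ($borr) = GetMemberDetails($borrowernumber);

# If the preference is unset this is undef; the numeric comparisons below then
# treat it as 0 (with a warning), i.e. no minimum length is enforced.
my $minpasslen = C4::Context->preference("minPasswordLength");

# Read each form field exactly once, in scalar context.  CGI::param returns a
# list in list context, so feeding $query->param('Newkey') straight into
# md5_base64() -- which digests ALL of its arguments -- would hash the
# concatenation of every submitted Newkey value while the equality and length
# checks only ever looked at the first one.  A request that repeats the field
# must not be able to store a password the checks never saw.
my $oldkey  = scalar $query->param('Oldkey');
my $newkey  = scalar $query->param('Newkey');
my $confirm = scalar $query->param('Confirm');

# The template hides the form when OpacPasswordChange is off, but the check
# has to live here as well: a saved copy of the form can be submitted no matter
# what the template renders.  With the preference off nothing below runs and
# the template shows its "cannot change password" message.
if ( C4::Context->preference("OpacPasswordChange") ) {

    # All three fields present (truthy -- a literal password of "0" is
    # rejected as empty, as in the original).
    if ( $oldkey && $newkey && $confirm ) {

        # The patron must prove knowledge of the current password before a
        # new one is accepted (see goodkey below); this is also what keeps a
        # cross-site request from changing the password unnoticed.
        if ( goodkey( $dbh, $borrowernumber, $oldkey ) ) {
            if ( $newkey eq $confirm && length($confirm) >= $minpasslen ) {

                # Record password.
                # SECURITY: the stored value is an unsalted MD5 digest, which
                # is far too weak for passwords.  It is kept because the login
                # path presumably verifies against the same digest -- changing
                # the scheme in this one writer would lock every patron out.
                # Fix it in the shared authentication code, not here.
                my $sth = $dbh->prepare(
                    "UPDATE borrowers SET password = ? WHERE borrowernumber=?");
                my $clave = md5_base64($newkey);
                $sth->execute( $clave, $borrowernumber );
                $template->param( 'password_updated' => '1' );
                $template->param( 'borrowernumber'   => $borrowernumber );
            }
            elsif ( $newkey ne $confirm ) {
                $template->param( 'Ask_data'       => '1' );
                $template->param( 'Error_messages' => '1' );
                $template->param( 'PassMismatch'   => '1' );
            }
            elsif ( length($confirm) < $minpasslen ) {
                $template->param( 'Ask_data'       => '1' );
                $template->param( 'Error_messages' => '1' );
                $template->param( 'ShortPass'      => '1' );
            }
            else {
                # Not reachable in practice -- the two elsif branches cover
                # the negation of the success condition -- but kept so that an
                # unexpected state surfaces as an error, never as a success.
                $template->param( 'Error_messages' => '1' );
            }
        }
        else {
            # Current password did not verify.
            $template->param( 'Ask_data'       => '1' );
            $template->param( 'Error_messages' => '1' );
            $template->param( 'WrongPass'      => '1' );
        }
    }
    else {

        # Called Empty, Ask for data.
        $template->param( 'Ask_data' => '1' );
        if ( !$oldkey && ( $newkey || $confirm ) ) {

            # Old password is empty but one of the others isn't.
            $template->param( 'Error_messages' => '1' );
            $template->param( 'WrongPass'      => '1' );
        }
        elsif ( $oldkey && ( !$newkey || !$confirm ) ) {

            # Old password is entered but one of the other fields is empty.
            $template->param( 'Error_messages' => '1' );
            $template->param( 'PassMismatch'   => '1' );
        }
    }
}

$template->param(
    firstname  => $borr->{'firstname'},
    surname    => $borr->{'surname'},
    minpasslen => $minpasslen,
    passwdview => 1,
);

output_html_with_http_headers $query, $cookie, $template->output;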
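# goodkey( $dbh, $borrowernumber, $key )
#
# Returns 1 when $key is the current password of the given borrower and 0 in
# every other case: unknown borrowernumber, an account whose stored password is
# NULL or empty, or a digest mismatch.
#
# SECURITY: passwords are stored as unsalted MD5 (md5_base64) and compared
# with a plain string `eq` -- no salt, a fast digest, and a comparison that is
# not constant-time.  Both are kept only because the login path presumably
# relies on the same digest; the scheme has to change in the shared
# authentication code, not in this single caller.
sub goodkey {
    my ( $dbh, $borrowernumber, $key ) = @_;

    my $sth =
      $dbh->prepare("SELECT password FROM borrowers WHERE borrowernumber=?");
    $sth->execute($borrowernumber);

    # Decide on the fetched value rather than on $sth->rows: DBI documents
    # rows() as unreliable for SELECT statements, and a NULL stored password
    # would otherwise reach the `eq` as undef.
    my ($md5password) = $sth->fetchrow_array;
    $sth->finish;

    return 0 unless defined $md5password && length $md5password;
    return ( md5_base64($key) eq $md5password ) ? 1 : 0;
}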