block channel removal for 48 hours after changing the account password, since the password is required to remove a channel. Somebody looking at an open session on somebody else's computer can simply change the password and then proceed to maliciously remove the channel. This change gives the owner 2 days to discover that something is wrong, recover their password, and potentially save their channel from being erased by the vandal. This is most likely to happen if a relationship has gone bad, or something incriminating was found in your private messages when you left your computer briefly unattended.
This commit is contained in:
parent
c8829e7243
commit
35ed18967a
2
boot.php
2
boot.php
@ -47,7 +47,7 @@ define ( 'RED_PLATFORM', 'Red Matrix' );
|
||||
define ( 'RED_VERSION', trim(file_get_contents('version.inc')) . 'R');
|
||||
define ( 'ZOT_REVISION', 1 );
|
||||
|
||||
define ( 'DB_UPDATE_VERSION', 1118 );
|
||||
define ( 'DB_UPDATE_VERSION', 1119 );
|
||||
|
||||
define ( 'EOL', '<br />' . "\r\n" );
|
||||
define ( 'ATOM_TIME', 'Y-m-d\TH:i:s\Z' );
|
||||
|
@ -55,6 +55,7 @@ CREATE TABLE IF NOT EXISTS `account` (
|
||||
`account_expire_notified` datetime NOT NULL DEFAULT '0000-00-00 00:00:00',
|
||||
`account_service_class` char(32) NOT NULL DEFAULT '',
|
||||
`account_level` int(10) unsigned NOT NULL DEFAULT '0',
|
||||
`account_password_changed` datetime NOT NULL DEFAULT '0000-00-00 00:00:00',
|
||||
PRIMARY KEY (`account_id`),
|
||||
KEY `account_email` (`account_email`),
|
||||
KEY `account_service_class` (`account_service_class`),
|
||||
@ -65,7 +66,8 @@ CREATE TABLE IF NOT EXISTS `account` (
|
||||
KEY `account_expires` (`account_expires`),
|
||||
KEY `account_default_channel` (`account_default_channel`),
|
||||
KEY `account_external` (`account_external`),
|
||||
KEY `account_level` (`account_level`)
|
||||
KEY `account_level` (`account_level`),
|
||||
KEY `account_password_changed` (`account_password_changed`)
|
||||
) ENGINE=MyISAM DEFAULT CHARSET=utf8;
|
||||
|
||||
CREATE TABLE IF NOT EXISTS `addon` (
|
||||
|
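Review bot: The new `account_password_changed` column at `@ -55,6 +55,7` uses the zero-date sentinel `'0000-00-00 00:00:00'`, which MySQL rejects under strict modes that include NO_ZERO_DATE; the same default is written by `update_r1118` in install/update.php, so both places would fail together on such a server. It matches the existing `account_expire_notified` column, so it is consistent with the file's convention, but a nullable column with `IS NULL` as the "never changed" test avoids the dependency on sql_mode. The `KEY account_password_changed` added in the second hunk does not appear to be used by the new code, which reads the value per account after a lookup by `account_id`; unless another query filters on it, the index is write-side cost without a read-side benefit.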
@ -1,6 +1,6 @@
|
||||
<?php
|
||||
|
||||
define( 'UPDATE_VERSION' , 1118 );
|
||||
define( 'UPDATE_VERSION' , 1119 );
|
||||
|
||||
/**
|
||||
*
|
||||
@ -1314,3 +1314,12 @@ DROP INDEX `channel_a_bookmark` , ADD INDEX `channel_w_like` ( `channel_w_like`
|
||||
|
||||
}
|
||||
|
||||
function update_r1118() {
|
||||
$r = q("ALTER TABLE `account` ADD `account_password_changed` DATETIME NOT NULL DEFAULT '0000-00-00 00:00:00',
|
||||
ADD INDEX ( `account_password_changed` )");
|
||||
if($r)
|
||||
return UPDATE_SUCCESS;
|
||||
return UPDATE_FAILED;
|
||||
}
|
||||
|
||||
|
||||
|
@ -23,6 +23,14 @@ function removeme_post(&$a) {
|
||||
if(! account_verify_password($account['account_email'],$_POST['qxz_password']))
|
||||
return;
|
||||
|
||||
if($account['account_password_changed'] != '0000-00-00 00:00:00') {
|
||||
$d1 = datetime_convert('UTC','UTC','now - 48 hours');
|
||||
if($account['account_password_changed'] > d1) {
|
||||
notice( t('Channel removals are not allowed within 48 hours of changing the account password.') . EOL);
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
require_once('include/Contact.php');
|
||||
|
||||
$global_remove = intval($_POST['global']);
|
||||
|
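Review bot: The 48-hour guard never fires: the comparison `if($account['account_password_changed'] > d1)` uses the bare name `d1`, not the variable `$d1` assigned on the line above, so PHP compares the datetime string against the literal string `'d1'` (with a notice on PHP 5/7 and a fatal error for an undefined constant on PHP 8), and a digit-leading timestamp is never greater than `'d1'`. The fix is `if($account['account_password_changed'] > $d1) {`. Since the whole point of the commit is that this branch blocks removal, a quick manual test of removing a channel within 48 hours of a password change would catch this. The string comparison itself is fine for the `Y-m-d H:i:s` format as long as both sides are in the same zone; `datetime_convert('UTC','UTC',...)` here and the bare `datetime_convert()` in settings.php presumably agree on UTC, worth confirming. removeme_post continues beyond this hunk.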
@ -202,10 +202,11 @@ function settings_post(&$a) {
|
||||
if(! $errs) {
|
||||
$salt = random_string(32);
|
||||
$password_encoded = hash('whirlpool', $salt . $newpass);
|
||||
$r = q("update account set account_salt = '%s', account_password = '%s'
|
||||
$r = q("update account set account_salt = '%s', account_password = '%s', account_password_changed = '%s'
|
||||
where account_id = %d limit 1",
|
||||
dbesc($salt),
|
||||
dbesc($password_encoded),
|
||||
dbesc(datetime_convert()),
|
||||
intval(get_account_id())
|
||||
);
|
||||
if($r)
|
||||
|
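Review bot: `account_password_changed` is stamped only on the settings-page password change at `@ -202,10 +202,11`; any other code path that writes `account_password` (a lost-password reset or an admin reset, if such paths exist in this codebase) would leave the column untouched and the window in removeme.php unenforced for that change, so those writers should set the column too. The 48-hour window is also hard-coded in removeme.php both in the `'now - 48 hours'` expression and in the user-facing message, so a single named constant such as `define( 'PASSWORD_CHANGE_REMOVAL_DELAY', '48 hours' );` would keep the two from drifting apart. The parameters here are passed through `dbesc()`/`intval()` consistent with the surrounding code, so no injection concern is introduced by the added column.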