From b5544b2f471ce4c93b08d19919ab062725545ce8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gae=CC=88tan=20Muller?= Date: Sat, 3 Jan 2015 11:39:29 +0100 Subject: [ticket/13450] Type-hint return value of $phpbb_container->get() PHPBB3-13450 --- phpBB/includes/ucp/ucp_remind.php | 1 + 1 file changed, 1 insertion(+) (limited to 'phpBB/includes/ucp/ucp_remind.php') diff --git a/phpBB/includes/ucp/ucp_remind.php b/phpBB/includes/ucp/ucp_remind.php index 415bf0e84d..8c96955b14 100644 --- a/phpBB/includes/ucp/ucp_remind.php +++ b/phpBB/includes/ucp/ucp_remind.php @@ -92,6 +92,7 @@ class ucp_remind $user_actkey = gen_rand_string(mt_rand(6, 10)); // Instantiate passwords manager + /* @var $manager \phpbb\passwords\manager */ $passwords_manager = $phpbb_container->get('passwords.manager'); $sql = 'UPDATE ' . USERS_TABLE . " -- cgit v1.2.1 From f6e06da4c68917dafb057bf7fe19f884a3e148c2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gae=CC=88tan=20Muller?= Date: Sun, 4 Jan 2015 20:41:04 +0100 Subject: [ticket/13455] Update calls to `request_var()` PHPBB3-13455 --- phpBB/includes/ucp/ucp_remind.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'phpBB/includes/ucp/ucp_remind.php') diff --git a/phpBB/includes/ucp/ucp_remind.php b/phpBB/includes/ucp/ucp_remind.php index 8c96955b14..2342aa2137 100644 --- a/phpBB/includes/ucp/ucp_remind.php +++ b/phpBB/includes/ucp/ucp_remind.php @@ -29,7 +29,7 @@ class ucp_remind function main($id, $mode) { - global $config, $phpbb_root_path, $phpEx; + global $config, $phpbb_root_path, $phpEx, $request; global $db, $user, $auth, $template, $phpbb_container; if (!$config['allow_password_reset']) @@ -37,8 +37,8 @@ class ucp_remind trigger_error($user->lang('UCP_PASSWORD_RESET_DISABLED', '', '')); } - $username = request_var('username', '', true); - $email = strtolower(request_var('email', '')); + $username = $request->variable('username', '', true); + $email = strtolower($request->variable('email', '')); $submit = (isset($_POST['submit'])) ? true : false; if ($submit) -- cgit v1.2.1 From 73e6e5b77faadbb7676961bf38122d669de111db Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Thu, 3 Dec 2015 17:50:29 +0100 Subject: [ticket/13454] Remove unused variables This is the first part of the changes. More to come. PHPBB3-13454 --- phpBB/includes/ucp/ucp_remind.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'phpBB/includes/ucp/ucp_remind.php') diff --git a/phpBB/includes/ucp/ucp_remind.php b/phpBB/includes/ucp/ucp_remind.php index 2342aa2137..0a46674fb1 100644 --- a/phpBB/includes/ucp/ucp_remind.php +++ b/phpBB/includes/ucp/ucp_remind.php @@ -30,7 +30,7 @@ class ucp_remind function main($id, $mode) { global $config, $phpbb_root_path, $phpEx, $request; - global $db, $user, $auth, $template, $phpbb_container; + global $db, $user, $template, $phpbb_container; if (!$config['allow_password_reset']) { -- cgit v1.2.1 From 4b6c2c8cde0b87d32f8df8af87239580ddc340c4 Mon Sep 17 00:00:00 2001 From: Jakub Senko Date: Sun, 29 May 2016 12:42:57 +0200 Subject: [ticket/10961] Send HTTP 403 when applicable PHPBB3-10961 --- phpBB/includes/ucp/ucp_remind.php | 1 + 1 file changed, 1 insertion(+) (limited to 'phpBB/includes/ucp/ucp_remind.php') diff --git a/phpBB/includes/ucp/ucp_remind.php b/phpBB/includes/ucp/ucp_remind.php index 0a46674fb1..a44f077693 100644 --- a/phpBB/includes/ucp/ucp_remind.php +++ b/phpBB/includes/ucp/ucp_remind.php @@ -79,6 +79,7 @@ class ucp_remind if (!$auth2->acl_get('u_chgpasswd')) { + send_status_line(403, 'Forbidden'); trigger_error('NO_AUTH_PASSWORD_REMINDER'); } -- cgit v1.2.1 From 101d3b763308efe823d03c09bd0a4a109d19fc26 Mon Sep 17 00:00:00 2001 From: Jakub Senko Date: Mon, 14 Mar 2016 14:42:48 +0100 Subject: [ticket/10432] Don't require username when user forgets password PHPBB3-10432 --- phpBB/includes/ucp/ucp_remind.php | 122 ++++++++++++++++++++++---------------- 1 file changed, 70 insertions(+), 52 deletions(-) (limited to 'phpBB/includes/ucp/ucp_remind.php') diff --git a/phpBB/includes/ucp/ucp_remind.php b/phpBB/includes/ucp/ucp_remind.php index f46df99edb..0843d6c249 100644 --- a/phpBB/includes/ucp/ucp_remind.php +++ b/phpBB/includes/ucp/ucp_remind.php @@ -50,11 +50,16 @@ class ucp_remind trigger_error('FORM_INVALID'); } + if (empty($email)) + { + trigger_error('NO_EMAIL_USER'); + } + $sql_array = array( 'SELECT' => 'user_id, username, user_permissions, user_email, user_jabber, user_notify_type, user_type, user_lang, user_inactive_reason', 'FROM' => array(USERS_TABLE => 'u'), - 'WHERE' => "user_email_hash = '" . $db->sql_escape(phpbb_email_hash($email)) . "' - AND username_clean = '" . $db->sql_escape(utf8_clean_string($username)) . "'" + 'WHERE' => "user_email_hash = '" . $db->sql_escape(phpbb_email_hash($email)) . "'" . + (!empty($username) ? " AND username_clean = '" . $db->sql_escape(utf8_clean_string($username)) . "'" : ''), ); /** @@ -75,81 +80,94 @@ class ucp_remind $sql = $db->sql_build_query('SELECT', $sql_array); $result = $db->sql_query($sql); - $user_row = $db->sql_fetchrow($result); - $db->sql_freeresult($result); - if (!$user_row) + if ($db->sql_affectedrows() > 1) { - trigger_error('NO_EMAIL_USER'); - } + $db->sql_freeresult($result); - if ($user_row['user_type'] == USER_IGNORE) - { - trigger_error('NO_USER'); + $template->assign_vars(array( + 'USERNAME_REQUIRED' => true, + 'EMAIL' => $email, + )); } - - if ($user_row['user_type'] == USER_INACTIVE) + else { - if ($user_row['user_inactive_reason'] == INACTIVE_MANUAL) + $user_row = $db->sql_fetchrow($result); + $db->sql_freeresult($result); + + if (!$user_row) + { + trigger_error('NO_EMAIL_USER'); + } + + if ($user_row['user_type'] == USER_IGNORE) { - trigger_error('ACCOUNT_DEACTIVATED'); + trigger_error('NO_USER'); } - else + + if ($user_row['user_type'] == USER_INACTIVE) { - trigger_error('ACCOUNT_NOT_ACTIVATED'); + if ($user_row['user_inactive_reason'] == INACTIVE_MANUAL) + { + trigger_error('ACCOUNT_DEACTIVATED'); + } + else + { + trigger_error('ACCOUNT_NOT_ACTIVATED'); + } } - } - // Check users permissions - $auth2 = new \phpbb\auth\auth(); - $auth2->acl($user_row); + // Check users permissions + $auth2 = new \phpbb\auth\auth(); + $auth2->acl($user_row); - if (!$auth2->acl_get('u_chgpasswd')) - { - send_status_line(403, 'Forbidden'); - trigger_error('NO_AUTH_PASSWORD_REMINDER'); - } + if (!$auth2->acl_get('u_chgpasswd')) + { + send_status_line(403, 'Forbidden'); + trigger_error('NO_AUTH_PASSWORD_REMINDER'); + } - $server_url = generate_board_url(); + $server_url = generate_board_url(); - // Make password at least 8 characters long, make it longer if admin wants to. - // gen_rand_string() however has a limit of 12 or 13. - $user_password = gen_rand_string_friendly(max(8, mt_rand((int) $config['min_pass_chars'], (int) $config['max_pass_chars']))); + // Make password at least 8 characters long, make it longer if admin wants to. + // gen_rand_string() however has a limit of 12 or 13. + $user_password = gen_rand_string_friendly(max(8, mt_rand((int) $config['min_pass_chars'], (int) $config['max_pass_chars']))); - // For the activation key a random length between 6 and 10 will do. - $user_actkey = gen_rand_string(mt_rand(6, 10)); + // For the activation key a random length between 6 and 10 will do. + $user_actkey = gen_rand_string(mt_rand(6, 10)); - // Instantiate passwords manager - /* @var $manager \phpbb\passwords\manager */ - $passwords_manager = $phpbb_container->get('passwords.manager'); + // Instantiate passwords manager + /* @var $manager \phpbb\passwords\manager */ + $passwords_manager = $phpbb_container->get('passwords.manager'); - $sql = 'UPDATE ' . USERS_TABLE . " - SET user_newpasswd = '" . $db->sql_escape($passwords_manager->hash($user_password)) . "', user_actkey = '" . $db->sql_escape($user_actkey) . "' - WHERE user_id = " . $user_row['user_id']; - $db->sql_query($sql); + $sql = 'UPDATE ' . USERS_TABLE . " + SET user_newpasswd = '" . $db->sql_escape($passwords_manager->hash($user_password)) . "', user_actkey = '" . $db->sql_escape($user_actkey) . "' + WHERE user_id = " . $user_row['user_id']; + $db->sql_query($sql); - include_once($phpbb_root_path . 'includes/functions_messenger.' . $phpEx); + include_once($phpbb_root_path . 'includes/functions_messenger.' . $phpEx); - $messenger = new messenger(false); + $messenger = new messenger(false); - $messenger->template('user_activate_passwd', $user_row['user_lang']); + $messenger->template('user_activate_passwd', $user_row['user_lang']); - $messenger->set_addresses($user_row); + $messenger->set_addresses($user_row); - $messenger->anti_abuse_headers($config, $user); + $messenger->anti_abuse_headers($config, $user); - $messenger->assign_vars(array( - 'USERNAME' => htmlspecialchars_decode($user_row['username']), - 'PASSWORD' => htmlspecialchars_decode($user_password), - 'U_ACTIVATE' => "$server_url/ucp.$phpEx?mode=activate&u={$user_row['user_id']}&k=$user_actkey") - ); + $messenger->assign_vars(array( + 'USERNAME' => htmlspecialchars_decode($user_row['username']), + 'PASSWORD' => htmlspecialchars_decode($user_password), + 'U_ACTIVATE' => "$server_url/ucp.$phpEx?mode=activate&u={$user_row['user_id']}&k=$user_actkey") + ); - $messenger->send($user_row['user_notify_type']); + $messenger->send($user_row['user_notify_type']); - meta_refresh(3, append_sid("{$phpbb_root_path}index.$phpEx")); + meta_refresh(3, append_sid("{$phpbb_root_path}index.$phpEx")); - $message = $user->lang['PASSWORD_UPDATED'] . '

' . sprintf($user->lang['RETURN_INDEX'], '', ''); - trigger_error($message); + $message = $user->lang['PASSWORD_UPDATED'] . '

' . sprintf($user->lang['RETURN_INDEX'], '', ''); + trigger_error($message); + } } $template->assign_vars(array( -- cgit v1.2.1 From 30d1048c8e3b66f3a3144974f9f3fc87054b2be2 Mon Sep 17 00:00:00 2001 From: Jakub Senko Date: Tue, 23 Oct 2018 15:18:57 +0200 Subject: [ticket/10432] Fix for SQLite PHPBB3-10432 --- phpBB/includes/ucp/ucp_remind.php | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'phpBB/includes/ucp/ucp_remind.php') diff --git a/phpBB/includes/ucp/ucp_remind.php b/phpBB/includes/ucp/ucp_remind.php index 0843d6c249..8cf7ea268d 100644 --- a/phpBB/includes/ucp/ucp_remind.php +++ b/phpBB/includes/ucp/ucp_remind.php @@ -80,8 +80,9 @@ class ucp_remind $sql = $db->sql_build_query('SELECT', $sql_array); $result = $db->sql_query($sql); + $rowset = $db->sql_fetchrowset($result); - if ($db->sql_affectedrows() > 1) + if (count($rowset) > 1) { $db->sql_freeresult($result); @@ -92,7 +93,7 @@ class ucp_remind } else { - $user_row = $db->sql_fetchrow($result); + $user_row = $rowset[0]; $db->sql_freeresult($result); if (!$user_row) -- cgit v1.2.1 From 1d2a654ad7f34367cc5f8c8b3d5893e617b92f3f Mon Sep 17 00:00:00 2001 From: Jakub Senko Date: Sun, 28 Oct 2018 10:12:13 +0100 Subject: [ticket/10432] Fix errors and address privacy concern PHPBB3-10432 --- phpBB/includes/ucp/ucp_remind.php | 33 ++++++++++++--------------------- 1 file changed, 12 insertions(+), 21 deletions(-) (limited to 'phpBB/includes/ucp/ucp_remind.php') diff --git a/phpBB/includes/ucp/ucp_remind.php b/phpBB/includes/ucp/ucp_remind.php index 8cf7ea268d..e50428bfea 100644 --- a/phpBB/includes/ucp/ucp_remind.php +++ b/phpBB/includes/ucp/ucp_remind.php @@ -79,7 +79,7 @@ class ucp_remind extract($phpbb_dispatcher->trigger_event('core.ucp_remind_modify_select_sql', compact($vars))); $sql = $db->sql_build_query('SELECT', $sql_array); - $result = $db->sql_query($sql); + $result = $db->sql_query_limit($sql, 2); // don't waste resources on more rows than we need $rowset = $db->sql_fetchrowset($result); if (count($rowset) > 1) @@ -93,29 +93,24 @@ class ucp_remind } else { - $user_row = $rowset[0]; - $db->sql_freeresult($result); + $message = $user->lang['PASSWORD_UPDATED_IF_EXISTED'] . '

' . sprintf($user->lang['RETURN_INDEX'], '', ''); - if (!$user_row) + if (empty($rowset)) { - trigger_error('NO_EMAIL_USER'); + trigger_error($message); } - if ($user_row['user_type'] == USER_IGNORE) + $user_row = $rowset[0]; + $db->sql_freeresult($result); + + if (!$user_row) { - trigger_error('NO_USER'); + trigger_error($message); } - if ($user_row['user_type'] == USER_INACTIVE) + if ($user_row['user_type'] == USER_IGNORE || $user_row['user_type'] == USER_INACTIVE) { - if ($user_row['user_inactive_reason'] == INACTIVE_MANUAL) - { - trigger_error('ACCOUNT_DEACTIVATED'); - } - else - { - trigger_error('ACCOUNT_NOT_ACTIVATED'); - } + trigger_error($message); } // Check users permissions @@ -124,8 +119,7 @@ class ucp_remind if (!$auth2->acl_get('u_chgpasswd')) { - send_status_line(403, 'Forbidden'); - trigger_error('NO_AUTH_PASSWORD_REMINDER'); + trigger_error($message); } $server_url = generate_board_url(); @@ -164,9 +158,6 @@ class ucp_remind $messenger->send($user_row['user_notify_type']); - meta_refresh(3, append_sid("{$phpbb_root_path}index.$phpEx")); - - $message = $user->lang['PASSWORD_UPDATED'] . '

' . sprintf($user->lang['RETURN_INDEX'], '', ''); trigger_error($message); } } -- cgit v1.2.1