Forgotten password page does not check secret MDL-7755

diff --git a/lang/en_utf8/moodle.php b/lang/en_utf8/moodle.php
index 191c65558a43e8be5803ad25fd41d77b3e8ca6a2..a0ffd64f594fb07a258b3ac94fc10c85c4fbfb04 100644 (file)
--- a/lang/en_utf8/moodle.php
+++ b/lang/en_utf8/moodle.php
@@ -570,6 +570,7 @@ $string['forcepasswordchangenotice'] = 'You must change your password to proceed
 $string['forcetheme'] = 'Force theme';
 $string['forgotaccount'] = 'Lost password?';
 $string['forgotten'] = 'Forgotten your username or password?';
+$string['forgotteninvalidurl'] = 'Invalid password reset URL';
 $string['format'] = 'Format';
 $string['formathtml'] = 'HTML format';
 $string['formatlams'] = 'LAMS course format';

diff --git a/login/forgot_password.php b/login/forgot_password.php
index 154a075b7405aff9649e9c5f5f37bc209b66f593..c3348a52fb1b99603c7f1793f6ab901a296e1be0 100644 (file)
--- a/login/forgot_password.php
+++ b/login/forgot_password.php
@@ -39,6 +39,7 @@ $txt->senddetails = get_string('senddetails');
 $txt->username = get_string('username');
 $txt->usernameemailmatch = get_string('usernameemailmatch');
 $txt->usernamenotfound = get_string('usernamenotfound');
+$txt->invalidurl = get_string('forgotteninvalidurl');
 
 $sesskey = sesskey();
 $errors = array();
@@ -179,7 +180,7 @@ if (!empty($param->p) and !empty($param->s)) {
     $user = get_complete_user_data('username',$param->s);
 
     // make sure that url relates to a valid user
-    if (!empty($user)) {
+    if (!empty($user) and $user->secret == $param->p) {
         // check this isn't guest user
         if (isguest( $user->id )) {
             error('You cannot change the guest password');
@@ -198,6 +199,8 @@ if (!empty($param->p) and !empty($param->s)) {
         $a->email = $user->email;
         $a->link = $changepasswordurl;
         $txt->emailpasswordsent = get_string( 'emailpasswordsent', '', $a );
+    } else {
+       $errors[] = $txt->invalidurl;
     }
 
 }