MDL-15218 reset change password secret if somebody just tries to guess it; merged...
authorskodak <skodak>
Mon, 1 Sep 2008 08:16:41 +0000 (08:16 +0000)
committerskodak <skodak>
Mon, 1 Sep 2008 08:16:41 +0000 (08:16 +0000)
login/forgot_password.php

index 123861f82f1f04d42dae8be8271674a9bbfee624..3c5d8f67c011964b23419aed9e4493dfc9e7f964 100644 (file)
@@ -77,6 +77,10 @@ if ($p_secret !== false) {
         notice(get_string('emailpasswordsent', '', $a), $changepasswordurl);
 
     } else {
+        if (!empty($user) and strlen($p_secret) === 15) {
+            // somebody probably tries to hack in by guessing secret - stop them!
+            $DB->set_field('user', 'secret', '', array('id'=>$user->id));
+        }
         print_header($strforgotten, $strforgotten, $navigation);
         print_error('forgotteninvalidurl');
     }
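Review bot: The new branch at `if (!empty($user) and strlen($p_secret) === 15)` clears the stored secret without recording anything, so a guessing attempt leaves no trace for an administrator to notice. Writing a site log entry with the user id and the requesting address next to the `set_field` call would make these attempts detectable. The literal `15` presumably mirrors the length of the generated secret, which is created outside this hunk; a shared constant would stop a later change to the generator from quietly disabling this check. Clearing to `''` also relies on the comparison earlier in this `if` chain (not visible here) never accepting an empty `p` value against an empty stored secret, which is worth confirming. Because any wrong 15-character value now cancels a pending legitimate reset as well, the `forgotteninvalidurl` message should tell the user to request a new e-mail.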