From a789fb73f4eeeaa11819ee52fcb4c3175dfa8ce6 Mon Sep 17 00:00:00 2001 From: martin Date: Tue, 10 Sep 2002 12:54:01 +0000 Subject: [PATCH] More security for email confirmation process ... a 15-character random "secret" key is stored the user record on account creation, sent via email and checked again during confirmation. --- lib/db/mysql.sql | 2 +- login/confirm.php | 4 ++-- login/signup.php | 19 ++++++++++++++++++- version.php | 5 ++++- 4 files changed, 25 insertions(+), 5 deletions(-) diff --git a/lib/db/mysql.sql b/lib/db/mysql.sql index c135dc346e..3092783bd0 100644 --- a/lib/db/mysql.sql +++ b/lib/db/mysql.sql @@ -167,7 +167,7 @@ CREATE TABLE `user` ( `lastlogin` int(10) unsigned NOT NULL default '0', `currentlogin` int(10) unsigned NOT NULL default '0', `lastIP` varchar(15) default NULL, - `personality` varchar(5) default NULL, + `secret` varchar(15) default NULL, `picture` tinyint(1) default NULL, `url` varchar(255) default NULL, `description` text, diff --git a/login/confirm.php b/login/confirm.php index 45fa7b193f..c3223acde9 100644 --- a/login/confirm.php +++ b/login/confirm.php @@ -2,9 +2,9 @@ require("../config.php"); - if ( isset($x) && isset($s) ) { # x = user.id s = user.username + if ( isset($p) && isset($s) ) { # p = user.secret s = user.username - $user = get_user_info_from_db("id", "$x"); + $user = get_user_info_from_db("secret", "$p"); if ($user) { if ($user->username == $s) { diff --git a/login/signup.php b/login/signup.php index 44990b0b59..564be9129f 100644 --- a/login/signup.php +++ b/login/signup.php @@ -13,6 +13,9 @@ $user->password = md5($user->password); $user->confirmed = 0; $user->firstaccess = time(); + $user->secret = random_string(15); + echo $user->secret; + $db->debug = true; if (! ($user->id = insert_record("user", $user)) ) { error("Could not add your record to the database!"); @@ -96,6 +99,20 @@ function validate_form($user, &$err) { } +function random_string ($length=15) { + $pool = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"; + $pool .= "abcdefghijklmnopqrstuvwxyz"; + $pool .= "0123456789"; + $poollen = strlen($pool); + mt_srand ((double) microtime() * 1000000); + $string = ""; + for ($i = 0; $i < $length; $i++) { + $string .= substr($pool, (mt_rand()%($poollen)), 1); + } + return $string; +} + + function send_confirmation_email($user) { global $CFG; @@ -105,7 +122,7 @@ function send_confirmation_email($user) { $data->firstname = $user->firstname; $data->sitename = $site->fullname; - $data->link = "$CFG->wwwroot/login/confirm.php?x=$user->id&s=$user->username"; + $data->link = "$CFG->wwwroot/login/confirm.php?p=$user->secret&s=$user->username"; $data->admin = "$from->firstname $from->lastname ($from->email)"; $message = get_string("emailconfirmation", "", $data); diff --git a/version.php b/version.php index 809b48dbdb..7d81ae9230 100644 --- a/version.php +++ b/version.php @@ -18,7 +18,7 @@ // If there's something it cannot do itself, it // will tell you what you need to do. -$version = 2002090900; // The current version is a date (YYYYMMDDXX) where +$version = 2002091000; // The current version is a date (YYYYMMDDXX) where // XX is a number that increments during the day $release = "1.0.4"; // For humans only, not used for the upgrade process @@ -71,6 +71,9 @@ function upgrade_moodle($oldversion=0) { execute_sql(" ALTER TABLE `course` ADD `teachers` VARCHAR( 100 ) DEFAULT 'Teachers' NOT NULL AFTER `teacher` "); execute_sql(" ALTER TABLE `course` ADD `students` VARCHAR( 100 ) DEFAULT 'Students' NOT NULL AFTER `student` "); } + if ($oldversion < 2002091000) { + execute_sql(" ALTER TABLE `user` CHANGE `personality` `secret` VARCHAR( 15 ) DEFAULT NULL "); + } return true; } -- 2.39.5