From 384ee53a36f95696a8a457b8160da05ca203f425 Mon Sep 17 00:00:00 2001 From: Andy Green Date: Thu, 8 Dec 2016 17:36:51 +0800 Subject: [PATCH] lwsgt: fix check against forgot password flow defeating existing pw check https://github.com/warmcat/libwebsockets/issues/706 This fixes a problem where the check for the existing pw was skipped when a logged-in user is changing his password. It's not good but because the user has to be logged in, it only affected the situation someone changes his password on his logged in session. --- plugins/generic-sessions/handlers.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/plugins/generic-sessions/handlers.c b/plugins/generic-sessions/handlers.c index ccea5446..f80c8819 100644 --- a/plugins/generic-sessions/handlers.c +++ b/plugins/generic-sessions/handlers.c @@ -289,14 +289,19 @@ lwsgs_handler_change_password(struct per_vhost_data__gs *vhd, struct lws *wsi, return 1; /* did a forgot pw ? */ - if (u.last_forgot_validated > lws_now_secs() - 300) + if (u.last_forgot_validated > lws_now_secs() - 300) { n |= LWSGS_AUTH_FORGOT_FLOW; + lwsl_debug("within forgot password flow\n"); + } } } + lwsl_debug("auth value %d\n", n); + /* if he just did forgot pw flow, don't need old pw */ - if (!(n & (LWSGS_AUTH_FORGOT_FLOW | 1))) { + if ((n & (LWSGS_AUTH_FORGOT_FLOW | 1)) != (LWSGS_AUTH_FORGOT_FLOW | 1)) { /* otherwise user:pass must be right */ + lwsl_debug("checking pw\n"); if (lwsgs_check_credentials(vhd, lws_spa_get_string(pss->spa, FGS_USERNAME), lws_spa_get_string(pss->spa, FGS_CURPW))) { @@ -304,6 +309,8 @@ lwsgs_handler_change_password(struct per_vhost_data__gs *vhd, struct lws *wsi, return 1; } + lwsl_debug("current pw checks out\n"); + strncpy(u.username, lws_spa_get_string(pss->spa, FGS_USERNAME), sizeof(u.username) - 1); u.username[sizeof(u.username) - 1] = '\0'; }