diff options
author | Brett Profitt <brett.profitt@gmail.com> | 2012-04-18 20:22:54 -0700 |
---|---|---|
committer | Brett Profitt <brett.profitt@gmail.com> | 2012-04-18 20:22:54 -0700 |
commit | 8aad9f081b9fd83f8cd8358547234fbdcdaf9611 (patch) | |
tree | 98ec37f919182a4c0c582752614443ea4d648ca1 | |
parent | f2a80038cddec5ed86b3dd9edb31cf07e3376de8 (diff) | |
download | elgg-8aad9f081b9fd83f8cd8358547234fbdcdaf9611.tar.gz elgg-8aad9f081b9fd83f8cd8358547234fbdcdaf9611.tar.bz2 |
Fixes #1301. Not filtering passwords.
-rw-r--r-- | actions/login.php | 8 | ||||
-rw-r--r-- | actions/register.php | 4 | ||||
-rw-r--r-- | actions/useradd.php | 4 | ||||
-rw-r--r-- | engine/lib/upgrades/2012041800-1.8.3-dont_filter_passwords-c0ca4a18b38ae2bc.php | 11 | ||||
-rw-r--r-- | engine/lib/user_settings.php | 6 | ||||
-rw-r--r-- | mod/twitter_api/actions/twitter_api/interstitial_settings.php | 4 | ||||
-rw-r--r-- | version.php | 2 |
7 files changed, 25 insertions, 14 deletions
diff --git a/actions/login.php b/actions/login.php index 256e78acb..ea7fb3508 100644 --- a/actions/login.php +++ b/actions/login.php @@ -18,9 +18,9 @@ if (isset($_SESSION['last_forward_from']) && $_SESSION['last_forward_from']) { } $username = get_input('username'); -$password = get_input("password"); -$persistent = get_input("persistent", FALSE); -$result = FALSE; +$password = get_input('password', null, false); +$persistent = get_input("persistent", false); +$result = false; if (empty($username) || empty($password)) { register_error(elgg_echo('login:empty')); @@ -28,7 +28,7 @@ if (empty($username) || empty($password)) { } // check if logging in with email address -if (strpos($username, '@') !== FALSE && ($users = get_user_by_email($username))) { +if (strpos($username, '@') !== false && ($users = get_user_by_email($username))) { $username = $users[0]->username; } diff --git a/actions/register.php b/actions/register.php index 360b7cb4b..f23d5b381 100644 --- a/actions/register.php +++ b/actions/register.php @@ -10,8 +10,8 @@ elgg_make_sticky_form('register'); // Get variables $username = get_input('username'); -$password = get_input('password'); -$password2 = get_input('password2'); +$password = get_input('password', null, false); +$password2 = get_input('password2', null, false); $email = get_input('email'); $name = get_input('name'); $friend_guid = (int) get_input('friend_guid', 0); diff --git a/actions/useradd.php b/actions/useradd.php index fdcd7e438..17459021b 100644 --- a/actions/useradd.php +++ b/actions/useradd.php @@ -10,8 +10,8 @@ elgg_make_sticky_form('useradd'); // Get variables $username = get_input('username'); -$password = get_input('password'); -$password2 = get_input('password2'); +$password = get_input('password', null, false); +$password2 = get_input('password2', null, false); $email = get_input('email'); $name = get_input('name'); diff --git a/engine/lib/upgrades/2012041800-1.8.3-dont_filter_passwords-c0ca4a18b38ae2bc.php b/engine/lib/upgrades/2012041800-1.8.3-dont_filter_passwords-c0ca4a18b38ae2bc.php new file mode 100644 index 000000000..b82ffbebf --- /dev/null +++ b/engine/lib/upgrades/2012041800-1.8.3-dont_filter_passwords-c0ca4a18b38ae2bc.php @@ -0,0 +1,11 @@ +<?php +/** + * Elgg 1.8.3 upgrade 2012041800 + * dont_filter_passwords + * + * Add admin notice that password handling has changed and if + * users can't login to have them reset their passwords. + */ +elgg_add_admin_notice('dont_filter_passwords', 'Password handling has been updated to be more secure and flexible. ' + . 'This change may prevent a small number of users from logging in with their existing passwords. ' + . 'If a user is unable to log in, please advise him or her to reset their password, or reset it as an admin user.'); diff --git a/engine/lib/user_settings.php b/engine/lib/user_settings.php index af30d8f0d..e4069fb53 100644 --- a/engine/lib/user_settings.php +++ b/engine/lib/user_settings.php @@ -33,9 +33,9 @@ function users_settings_save() { * @access private */ function elgg_set_user_password() { - $current_password = get_input('current_password'); - $password = get_input('password'); - $password2 = get_input('password2'); + $current_password = get_input('current_password', null, false); + $password = get_input('password', null, false); + $password2 = get_input('password2', null, false); $user_guid = get_input('guid'); if (!$user_guid) { diff --git a/mod/twitter_api/actions/twitter_api/interstitial_settings.php b/mod/twitter_api/actions/twitter_api/interstitial_settings.php index 5f742efd8..880623973 100644 --- a/mod/twitter_api/actions/twitter_api/interstitial_settings.php +++ b/mod/twitter_api/actions/twitter_api/interstitial_settings.php @@ -6,8 +6,8 @@ elgg_make_sticky_form('twitter_api_interstitial'); $display_name = get_input('display_name'); $email = get_input('email'); -$password_1 = get_input('password_1'); -$password_2 = get_input('password_2'); +$password_1 = get_input('password_1', null, false); +$password_2 = get_input('password_2', null, false); if (!$display_name) { register_error(elgg_echo('twitter_api:interstitial:no_display_name')); diff --git a/version.php b/version.php index dc6897c18..cc4415228 100644 --- a/version.php +++ b/version.php @@ -11,7 +11,7 @@ // YYYYMMDD = Elgg Date // XX = Interim incrementer -$version = 2012012100; +$version = 2012041800; // Human-friendly version name $release = '1.8.3'; |