
cacert-devel - Re: Patch request: Bug #1236

Subject: CAcert Code Development list.

  • From: Wytze van der Raay <wytze AT cacert.org>
  • To: Michael Tänzer <michael.taenzer AT cacert.org>
  • Cc: "critical-admin AT cacert.org" <critical-admin AT cacert.org>, cacert-devel AT lists.cacert.org, Benny Baumann <benbe AT cacert.org>, Marcus Mängel <inopiae AT cacert.org>, Eva Stöwe <eva.stoewe AT cacert.org>, Martin Gummi <martin.gummi AT cacert.org>
  • Subject: Re: Patch request: Bug #1236
  • Date: Wed, 15 Jan 2014 16:43:52 +0100
  • Organization: CAcert

Hi Michael,

On 15.01.2014 00:11, Michael Tänzer wrote:
> We have a fix for https://bugs.cacert.org/view.php?id=1236
> "Security questions rejected invalid on adding middle name"
>
> The fix was reviewed by Benny Baumann (BenBE) and me (NEOatNHNG) and
> tested by Eva Stöwe (Eva), Martin Gummi and Marcus Mängel (INOPIAE).
>
> Diff is attached. Please also run the locale makefile so that our
> translators see the new strings (if present) on
> https://translations.cacert.org and new translations get imported into
> the system.
>
> Changed files:
> /includes/account.php
> /pages/account/13.php

The patch has been installed on the production server on January 15, 2014.
See also the attached log message.

Regards,
-- wytze


--- Begin Message ---
  • From: Wytze van der Raay <wytze AT cacert.org>
  • To: cacert-systemlog AT lists.cacert.org
  • Subject: Fwd: cvs.cacert.org checkin notification
  • Date: Wed, 15 Jan 2014 16:41:47 +0100
  • Organization: CAcert
Fix for https://bugs.cacert.org/view.php?id=1236
"Security questions rejected invalid on adding middle name"

In conjunction with the attached CVS changes a new tarball has been
made available incorporating all updates. The new tarball is available
through http://www.cacert.org/src-lic.php

-- end
--- Begin Message ---
  • From: "root" <root AT cvs.cacert.org>
  • To: critical-admin AT cacert.org
  • Subject: cvs.cacert.org checkin notification
  • Date: Wed, 15 Jan 2014 16:40:47 +0100 (CET)

uid=0(root) gid=0(root) groups=0(root)
account.php 1.168 1.169
Wed Jan 15 16:40:47 CET 2014
Update of /var/lib/cvs/cacert/includes
In directory webdb:/home/cacert/www/includes

Modified Files:
account.php
Log Message:
Fix for https://bugs.cacert.org/view.php?id=1236
"Security questions rejected invalid on adding middle name"

===================================================================
RCS file: /var/lib/cvs/cacert/includes/account.php,v
retrieving revision 1.168
retrieving revision 1.169
diff -u -r1.168 -r1.169
--- account.php 2013/11/20 16:28:32 1.168
+++ account.php 2014/01/15 15:40:46 1.169
@@ -22,14 +22,16 @@

loadem("account");

- $id = 0; if(array_key_exists("id",$_REQUEST))
$id=intval($_REQUEST['id']);
- $oldid = 0; if(array_key_exists("oldid",$_REQUEST))
$oldid=intval($_REQUEST['oldid']);
- $process = ""; if(array_key_exists("process",$_REQUEST))
$process=$_REQUEST['process'];
-
- $cert=0; if(array_key_exists('cert',$_REQUEST))
$cert=intval($_REQUEST['cert']);
- $orgid=0; if(array_key_exists('orgid',$_REQUEST))
$orgid=intval($_REQUEST['orgid']);
- $memid=0; if(array_key_exists('memid',$_REQUEST))
$memid=intval($_REQUEST['memid']);
- $domid=0; if(array_key_exists('domid',$_REQUEST))
$domid=intval($_REQUEST['domid']);
+ $id = array_key_exists("id",$_REQUEST) ? intval($_REQUEST['id']) : 0;
+ $oldid = array_key_exists("oldid",$_REQUEST) ?
intval($_REQUEST['oldid']) : 0;
+ $process = array_key_exists("process",$_REQUEST) ?
$_REQUEST['process'] : "";
+// $showdetalis refers to Secret Question and Answers from account/13.php
+ $showdetails = array_key_exists("showdetails",$_REQUEST) ?
intval($_REQUEST['showdetails']) : 0;
+
+ $cert = array_key_exists('cert',$_REQUEST) ?
intval($_REQUEST['cert']) : 0;
+ $orgid = array_key_exists('orgid',$_REQUEST) ?
intval($_REQUEST['orgid']) : 0;
+ $memid = array_key_exists('memid',$_REQUEST) ?
intval($_REQUEST['memid']) : 0;
+ $domid = array_key_exists('domid',$_REQUEST) ?
intval($_REQUEST['domid']) : 0;


if(!$_SESSION['mconn'])
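Review bot: the added comment line misspells the variable as `$showdetalis` and starts at column 0 while the assignments around it are indented; fix the name and state what the flag gates (the Q1..A5 update runs only when the form displayed those fields). After `intval()` the value is always an int, so later tests on `$showdetails` should compare against 0 rather than a string.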
@@ -1205,7 +1207,7 @@
mysql_query("update `emailcerts` set
`disablelogin`='$disablelogin', `description`='$description' where
`id`='".$_REQUEST['certid']."' and `memid`='".$_SESSION['profile']['id']."'");
}

- if($oldid == 13 && $process != "")
+ if($oldid == 13 && $process != "" && $showdetails!="")
{
csrf_check("perschange");
$_SESSION['_config']['user'] = $_SESSION['profile'];
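Review bot: `$showdetails!=""` in the changed `if` compares an int with an empty string, so the outcome rests on PHP's loose comparison rules: `0 != ""` is false before PHP 8 and true from PHP 8 on, where this guard would always pass. Use `$showdetails != 0` (or plain `$showdetails`). If the name fields are processed inside this same block, gating the whole block on the flag also skips a name change submitted with the questions hidden; please confirm that is intended, given that the check is repeated around the Q/A update further down. Separately, the unchanged `update emailcerts` context line places `$_REQUEST['certid']` in the query without the `intval()` applied to the other ids at the top of the file.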
@@ -1313,18 +1315,20 @@
where
`id`='".$_SESSION['profile']['id']."'";
mysql_query($query);
}
- $query = "update `users` set
`Q1`='".$_SESSION['_config']['user']['Q1']."',
-
`Q2`='".$_SESSION['_config']['user']['Q2']."',
-
`Q3`='".$_SESSION['_config']['user']['Q3']."',
-
`Q4`='".$_SESSION['_config']['user']['Q4']."',
-
`Q5`='".$_SESSION['_config']['user']['Q5']."',
-
`A1`='".$_SESSION['_config']['user']['A1']."',
-
`A2`='".$_SESSION['_config']['user']['A2']."',
-
`A3`='".$_SESSION['_config']['user']['A3']."',
-
`A4`='".$_SESSION['_config']['user']['A4']."',
-
`A5`='".$_SESSION['_config']['user']['A5']."'
- where
`id`='".$_SESSION['profile']['id']."'";
- mysql_query($query);
+ if ($showdetails!="") {
+ $query = "update `users` set
`Q1`='".$_SESSION['_config']['user']['Q1']."',
+
`Q2`='".$_SESSION['_config']['user']['Q2']."',
+
`Q3`='".$_SESSION['_config']['user']['Q3']."',
+
`Q4`='".$_SESSION['_config']['user']['Q4']."',
+
`Q5`='".$_SESSION['_config']['user']['Q5']."',
+
`A1`='".$_SESSION['_config']['user']['A1']."',
+
`A2`='".$_SESSION['_config']['user']['A2']."',
+
`A3`='".$_SESSION['_config']['user']['A3']."',
+
`A4`='".$_SESSION['_config']['user']['A4']."',
+
`A5`='".$_SESSION['_config']['user']['A5']."'
+ where
`id`='".$_SESSION['profile']['id']."'";
+ mysql_query($query);
+ }

//!!!Should be rewritten
$_SESSION['_config']['user']['otphash'] =
trim(mysql_real_escape_string(stripslashes(strip_tags($_REQUEST['otphash']))));
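Review bot: the Q1..A5 update inside the new `if` is still built by concatenating `$_SESSION['_config']['user'][...]` values into the SQL string, and nothing in this hunk shows where those ten values are escaped, whereas the `otphash` context line escapes at assignment; confirm the same treatment is applied before they reach `mysql_query`. The new `if ($showdetails!="")` repeats the int-versus-string comparison from the earlier hunk and should test `$showdetails != 0`.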

--- End Message ---
--- Begin Message ---
  • From: "root" <root AT cvs.cacert.org>
  • To: critical-admin AT cacert.org
  • Subject: cvs.cacert.org checkin notification
  • Date: Wed, 15 Jan 2014 16:40:51 +0100 (CET)

uid=0(root) gid=0(root) groups=0(root)
13.php 1.17 1.18
Wed Jan 15 16:40:51 CET 2014
Update of /var/lib/cvs/cacert/pages/account
In directory webdb:/home/cacert/www/pages/account

Modified Files:
13.php
Log Message:
Fix for https://bugs.cacert.org/view.php?id=1236
"Security questions rejected invalid on adding middle name"

===================================================================
RCS file: /var/lib/cvs/cacert/pages/account/13.php,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -r1.17 -r1.18
--- 13.php 2013/08/29 10:20:30 1.17
+++ 13.php 2014/01/15 15:40:51 1.18
@@ -23,7 +23,8 @@
$year = intval(substr($user['dob'], 0, 4));
$month = intval(substr($user['dob'], 5, 2));
$day = intval(substr($user['dob'], 8, 2));
- $showdetails = array_key_exists('showdetails', $_REQUEST) &&
!!intval($_REQUEST['showdetails']);
+ $showdetails = array_key_exists("showdetails",$_REQUEST) ?
intval($_REQUEST['showdetails']) : 0;
+
if($showdetails){
$body = sprintf(_("Hi %s,"),$user['fname'])."\n\n";
$body .= _("You receive this automatic mail since you yourself or
someone ".
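Review bot: the replaced `$showdetails` line changes the value from a bool to an int, which does not alter `if($showdetails)`, so the only effect is matching account.php; the same parse expression now lives in two files and can drift apart. Consider one small helper used by both, and note in a comment that any non-zero value, not just 1, enables the branch that builds the notification mail body.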
@@ -160,6 +161,7 @@
<td class="DataTD"><input type="text" name="A5"
value="<?=sanitizeHTML($user['A5'])?>"></td>
</tr>
<tr>
+ <input type="hidden" name="showdetails" value="1" />
<? } ?>
<td class="DataTD" colspan="2"><input type="submit" name="process"
value="<?=_("Update")?>"></td>
</tr>
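Review bot: the added hidden `<input>` is a direct child of `<tr>`, outside any `<td>`, which is not valid table markup; move it into the submit cell, wrapped in its own `<? if($showdetails){ ?> ... <? } ?>`. Because the field is client-supplied, account.php should treat it only as a "questions were shown" hint and keep relying on `csrf_check("perschange")` to authorise the update itself.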

--- End Message ---

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature


--- End Message ---

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature



