[SS-2016-011] ChangePasswordForm does not check $member->canLogin before login
This could be used to circumvent login restrictions: the change-password feature would log in users who are unable to log in for reasons other than too many failed password attempts.
This commit is contained in:
parent
298f61521c
commit
6606d98663
@ -98,16 +98,19 @@ class ChangePasswordForm extends Form {
|
||||
else if($data['NewPassword1'] == $data['NewPassword2']) {
|
||||
$isValid = $member->changePassword($data['NewPassword1']);
|
||||
if($isValid->valid()) {
|
||||
$member->logIn();
|
||||
|
||||
// TODO Add confirmation message to login redirect
|
||||
Session::clear('AutoLoginHash');
|
||||
|
||||
// Clear locked out status
|
||||
$member->LockedOutUntil = null;
|
||||
$member->FailedLoginCount = null;
|
||||
$member->write();
|
||||
|
||||
|
||||
if ($member->canLogIn()->valid()) {
|
||||
$member->logIn();
|
||||
}
|
||||
|
||||
// TODO Add confirmation message to login redirect
|
||||
Session::clear('AutoLoginHash');
|
||||
|
||||
if (!empty($_REQUEST['BackURL'])
|
||||
// absolute redirection URLs may cause spoofing
|
||||
&& Director::is_site_url($_REQUEST['BackURL'])
|
||||
|
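Review bot: The result of the new `$member->canLogIn()` check is discarded when it is not valid: the password has already been changed and the member record written, the login is silently skipped, and control falls through to the BackURL redirect that follows, so the user is sent on as if they had logged in with no indication of why they are not. Capture the result and surface its message on the form, e.g. `$canLogIn = $member->canLogIn();` / `if ($canLogIn->valid()) { $member->logIn(); } else { $this->sessionMessage($canLogIn->message(), 'bad'); }`, and consider skipping the redirect in the else branch. Note that this does not reopen the fixed bypass: lockout state is cleared on the lines above precisely so that a lockout is not what blocks the login here, while other canLogIn restrictions stay enforced. The enclosing method starts before the hunk and the `if (!empty($_REQUEST['BackURL'])` condition and the code after it run past its end, so the redirect behaviour is inferred from the visible context.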