X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=actions%2Frecoverpassword.php;h=38c42f41d1b056ac303f723dd324ce7391d3fd82;hb=2abe10b8ea4b5d69fc7f6513bf465541454ca2cf;hp=eb1d8ff923a635b0beb877f2e14da651982dce2f;hpb=f2203d1df626d4c5d4a364958e15b938ca4fcb84;p=quix0rs-gnu-social.git

diff --git a/actions/recoverpassword.php b/actions/recoverpassword.php
index eb1d8ff923..38c42f41d1 100644
--- a/actions/recoverpassword.php
+++ b/actions/recoverpassword.php
@@ -50,7 +50,7 @@ class RecoverpasswordAction extends Action {
 	function check_code() {
 
 		$code = $this->trimmed('code');
-		$confirm = Confirm_address::staticGet($code);
+		$confirm = Confirm_address::staticGet('code', $code);
 
 		if (!$confirm) {
 			$this->client_error(_('No such recovery code.'));
@@ -85,6 +85,9 @@ class RecoverpasswordAction extends Action {
 		# Note: it's still deleted; let's avoid a second attempt!
 
 		if ((time() - $touched) > MAX_RECOVERY_TIME) {
+			common_log(LOG_WARNING, 
+					   'Attempted redemption on recovery code ' .
+					   'that is ' . $touched . ' seconds old. ');
 			$this->client_error(_('This confirmation code is too old. ' .
 			                       'Please start again.'));
 			return;
@@ -133,11 +136,13 @@ class RecoverpasswordAction extends Action {
 		if ($msg) {
             common_element('div', 'error', $msg);
 		} else {
-			common_element('div', 'instructions',
+			common_element_start('div', 'instructions');
+			common_element('p', NULL, 
 						   _('If you\'ve forgotten or lost your' .
-						      ' password, you can get a new one sent ' .
+						      ' password, you can get a new one sent to' .
 						      ' the email address you have stored ' .
 						      ' in your account.'));
+			common_element_end('div');
 		}
 	}
 
@@ -176,6 +181,7 @@ class RecoverpasswordAction extends Action {
 		common_element_start('form', array('method' => 'post',
 										   'id' => 'recoverpassword',
 										   'action' => common_local_url('recoverpassword')));
+		common_hidden('token', common_session_token());
 		common_password('newpassword', _('New password'),
 						_('6 or more characters, and don\'t forget it!'));
 		common_password('confirm', _('Confirm'),
@@ -270,6 +276,13 @@ class RecoverpasswordAction extends Action {
 
 	function reset_password() {
 
+		# CSRF protection
+		$token = $this->trimmed('token');
+		if (!$token || $token != common_session_token()) {
+			$this->show_form(_('There was a problem with your session token. Try again, please.'));
+			return;
+		}
+
 		$user = $this->get_temp_user();
 
 		if (!$user) {