CMSimple_XH: enforce non-default password
From 80c86159e47d06b1af60b0d714a9af0586916f99 Mon Sep 17 00:00:00 2001 | |
From: "Christoph M. Becker" <cmbecker69@gmx.de> | |
Date: Sun, 24 May 2020 16:12:16 +0200 | |
Subject: [PATCH] Enforce non-default password | |
Running any publicly available software with a default password is | |
certainly a bad idea. Therefore, on login with the default password, | |
we set a flag in the session, so any further access to CMSimple_XH | |
will be redirected to the change password dialog. To convey to users | |
that they have to change their password, we add a respective message | |
to the dialog, which is currently hard-coded for simplicity. | |
--- | |
cmsimple/classes/ChangePassword.php | 4 ++++ | |
cmsimple/classes/Controller.php | 9 ++++++++- | |
2 files changed, 12 insertions(+), 1 deletion(-) | |
diff --git a/cmsimple/classes/ChangePassword.php b/cmsimple/classes/ChangePassword.php | |
index 76bd1e64..487e29a1 100644 | |
--- a/cmsimple/classes/ChangePassword.php | |
+++ b/cmsimple/classes/ChangePassword.php | |
@@ -84,6 +84,9 @@ class ChangePassword | |
{ | |
global $o; | |
+ if (!empty($_SESSION['xh_must_change_password'])) { | |
+ $o .= '<p>You have to change your password!</p>'; | |
+ } | |
$o .= $this->render(); | |
} | |
@@ -153,6 +156,7 @@ class ChangePassword | |
if ($hash = $this->validate($error)) { | |
$this->config['security']['password'] = $hash; | |
$this->savePassword(); | |
+ unset($_SESSION['xh_must_change_password']); | |
header('Location: ' . CMSIMPLE_URL); | |
exit; | |
} else { | |
diff --git a/cmsimple/classes/Controller.php b/cmsimple/classes/Controller.php | |
index e03fe852..cd596eb9 100644 | |
--- a/cmsimple/classes/Controller.php | |
+++ b/cmsimple/classes/Controller.php | |
@@ -148,7 +148,7 @@ class Controller | |
*/ | |
public function handleLoginAndLogout() | |
{ | |
- global $adm, $login, $logout, $keycut, $f; | |
+ global $adm, $login, $logout, $keycut, $f, $xh_change_password; | |
$adm = gc('status') == 'adm' && logincheck(); | |
$keycut = stsl($keycut); | |
@@ -162,6 +162,10 @@ class Controller | |
} elseif ($logout && $adm) { | |
$this->handleLogout(); | |
} | |
+ if ($adm && !empty($_SESSION['xh_must_change_password']) && $xh_change_password != 'true') { | |
+ header('Location: ' . CMSIMPLE_URL . '?&xh_change_password'); | |
+ exit; | |
+ } | |
} | |
/** | |
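Review bot: The added gate `if ($adm && !empty($_SESSION['xh_must_change_password']) && $xh_change_password != 'true')` keys on the presence of the `xh_change_password` request flag, not on the request actually being dispatched to the change-password dialog; whether other admin parameters sent alongside that flag are still honoured depends on dispatch code outside this hunk, so it is worth confirming that the change-password branch is taken before any other admin action in the same request. The comparison should be strict, `$xh_change_password !== 'true'`, consistent with the rest of the file's intent to treat the flag as an exact marker. The `$_SESSION` read presumably relies on the session having been started by the login path (`logincheck()` on the context line above); if a code path reaches this block without a session, the check silently passes. The enclosing `handleLoginAndLogout()` begins in the previous hunk, so only part of its body is visible here.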
@@ -185,6 +189,9 @@ class Controller | |
if (!$written) { | |
e('cntwriteto', 'log', $pth['file']['log']); | |
} | |
+ if ($keycut == 'test') { | |
+ $_SESSION['xh_must_change_password'] = true; | |
+ } | |
} else { | |
$login = null; | |
$f = 'xh_login_failed'; | |
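Review bot: The default-password detection `if ($keycut == 'test')` hard-codes the shipped default as a bare string literal with a loose comparison; it should be a strict comparison against a named constant so the installer default and this check cannot drift apart, e.g. `if ($keycut === self::DEFAULT_PASSWORD) {` with a one-line comment such as `// 'test' is the shipped default; force a change before any other admin action`, where `DEFAULT_PASSWORD` is a constant you would have to add (constructed name). Because the flag is only raised inside the successful-login branch, a session that authenticated with the default password before this change was deployed is presumably not forced to change it until its next login; if that matters for an upgrade, the stored hash could be checked as well. The enclosing function starts outside this hunk, so `$keycut` is assumed to be the submitted password as prepared by the earlier `stsl()` call.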
-- | |
2.26.2.windows.1 | |