CMSimple_XH: enforce non-default password
From 80c86159e47d06b1af60b0d714a9af0586916f99 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Sun, 24 May 2020 16:12:16 +0200
Subject: [PATCH] Enforce non-default password
Running any publicly available software with a default password is
certainly a bad idea. Therefore, on login with the default password,
we set a flag in the session, so any further access to CMSimple_XH
will be redirected to the change password dialog. To convey to users
that they have to change their password, we add a respective message
to the dialog, which is currently hard-coded for simplicity.
---
cmsimple/classes/ChangePassword.php | 4 ++++
cmsimple/classes/Controller.php | 9 ++++++++-
2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/cmsimple/classes/ChangePassword.php b/cmsimple/classes/ChangePassword.php
index 76bd1e64..487e29a1 100644
--- a/cmsimple/classes/ChangePassword.php
+++ b/cmsimple/classes/ChangePassword.php
@@ -84,6 +84,9 @@ class ChangePassword
{
global $o;
+ if (!empty($_SESSION['xh_must_change_password'])) {
+ $o .= '<p>You have to change your password!</p>';
+ }
$o .= $this->render();
}
@@ -153,6 +156,7 @@ class ChangePassword
if ($hash = $this->validate($error)) {
$this->config['security']['password'] = $hash;
$this->savePassword();
+ unset($_SESSION['xh_must_change_password']);
header('Location: ' . CMSIMPLE_URL);
exit;
} else {
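Review bot: The added `unset($_SESSION['xh_must_change_password']);` runs for any password that validate() accepts, so unless validate() already rejects the shipped default, an admin can clear the flag by entering 'test' again as the "new" password. The login-side check in Controller.php sets the flag by comparing the typed password with the literal 'test'; the same rejection belongs in validate() (or just before savePassword()) so the flag is only cleared once a non-default password is actually stored, e.g. `if ($newPassword === 'test') { $error = '...'; }` before the save — hedged, as validate()'s body is not in the hunk. The enclosing method begins and continues outside the hunk.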
diff --git a/cmsimple/classes/Controller.php b/cmsimple/classes/Controller.php
index e03fe852..cd596eb9 100644
--- a/cmsimple/classes/Controller.php
+++ b/cmsimple/classes/Controller.php
@@ -148,7 +148,7 @@ class Controller
*/
public function handleLoginAndLogout()
{
- global $adm, $login, $logout, $keycut, $f;
+ global $adm, $login, $logout, $keycut, $f, $xh_change_password;
$adm = gc('status') == 'adm' && logincheck();
$keycut = stsl($keycut);
@@ -162,6 +162,10 @@ class Controller
} elseif ($logout && $adm) {
$this->handleLogout();
}
+ if ($adm && !empty($_SESSION['xh_must_change_password']) && $xh_change_password != 'true') {
+ header('Location: ' . CMSIMPLE_URL . '?&xh_change_password');
+ exit;
+ }
}
/**
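Review bot: The escape condition `$xh_change_password != 'true'` is a loose comparison on a request-derived global (added to the `global` list in the previous hunk); `$xh_change_password !== 'true'` states the intent and avoids PHP's string/number juggling, matching the `!empty()` guard on the session flag. The redirect is gated only on `$adm`, so if handleLogout() does not reset `$adm` in the same request, the redirect fires immediately after a logout — worth confirming, and clearing `$_SESSION['xh_must_change_password']` in handleLogout() would keep the flag's lifetime tied to the login it was set for. handleLoginAndLogout's signature is in the preceding hunk and part of its body lies between the two hunks.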
@@ -185,6 +189,9 @@ class Controller
if (!$written) {
e('cntwriteto', 'log', $pth['file']['log']);
}
+ if ($keycut == 'test') {
+ $_SESSION['xh_must_change_password'] = true;
+ }
} else {
$login = null;
$f = 'xh_login_failed';
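Review bot: The default password appears as a bare literal in `if ($keycut == 'test')` with a loose comparison; use `$keycut === 'test'` and hoist the value into a named class constant (e.g. `const DEFAULT_PASSWORD = 'test';`) so the same constant can be reused by the ChangePassword dialog to refuse it, rather than duplicating the string in two files. Because the flag is only set on a successful login, sessions already authenticated when this change is deployed are not covered until the next login; that is presumably acceptable but deserves a one-line comment at the new `if`. The enclosing method starts outside the hunk, so it is not visible whether `$keycut` was already consumed elsewhere before this point.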
--
2.26.2.windows.1