cmb69/0001-Enforce-non-default-password.patch Secret

## 0001-Enforce-non-default-password.patch
From 80c86159e47d06b1af60b0d714a9af0586916f99 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Sun, 24 May 2020 16:12:16 +0200
Subject: [PATCH] Enforce non-default password

Running any publicly available software with a default password is
certainly a bad idea.  Therefore, on login with the default password,
we set a flag in the session, so any further access to CMSimple_XH
will be redirected to the change password dialog.  To convey to users
that they have to change their password, we add a respective message
to the dialog, which is currently hard-coded for simplicity.
---
 cmsimple/classes/ChangePassword.php | 4 ++++
 cmsimple/classes/Controller.php     | 9 ++++++++-
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/cmsimple/classes/ChangePassword.php b/cmsimple/classes/ChangePassword.php
index 76bd1e64..487e29a1 100644
--- a/cmsimple/classes/ChangePassword.php
+++ b/cmsimple/classes/ChangePassword.php
@@ -84,6 +84,9 @@ class ChangePassword
     {
         global $o;

+        if (!empty($_SESSION['xh_must_change_password'])) {
+            $o .= '<p>You have to change your password!</p>';
+        }
         $o .= $this->render();
     }

@@ -153,6 +156,7 @@ class ChangePassword
         if ($hash = $this->validate($error)) {
             $this->config['security']['password'] = $hash;
             $this->savePassword();
+            unset($_SESSION['xh_must_change_password']);
             header('Location: ' . CMSIMPLE_URL);
             exit;
         } else {
diff --git a/cmsimple/classes/Controller.php b/cmsimple/classes/Controller.php
index e03fe852..cd596eb9 100644
--- a/cmsimple/classes/Controller.php
+++ b/cmsimple/classes/Controller.php
@@ -148,7 +148,7 @@ class Controller
      */
     public function handleLoginAndLogout()
     {
-        global $adm, $login, $logout, $keycut, $f;
+        global $adm, $login, $logout, $keycut, $f, $xh_change_password;

         $adm = gc('status') == 'adm' && logincheck();
         $keycut = stsl($keycut);
@@ -162,6 +162,10 @@ class Controller
         } elseif ($logout && $adm) {
             $this->handleLogout();
         }
+        if ($adm && !empty($_SESSION['xh_must_change_password']) && $xh_change_password != 'true') {
+            header('Location: ' . CMSIMPLE_URL . '?&xh_change_password');
+            exit;
+        }
     }

     /**
@@ -185,6 +189,9 @@ class Controller
             if (!$written) {
                 e('cntwriteto', 'log', $pth['file']['log']);
             }
+            if ($keycut == 'test') {
+                $_SESSION['xh_must_change_password'] = true;
+            }
         } else {
             $login = null;
             $f = 'xh_login_failed';
--
2.26.2.windows.1
	From 80c86159e47d06b1af60b0d714a9af0586916f99 Mon Sep 17 00:00:00 2001
	From: "Christoph M. Becker" <cmbecker69@gmx.de>
	Date: Sun, 24 May 2020 16:12:16 +0200
	Subject: [PATCH] Enforce non-default password

	Running any publicly available software with a default password is
	certainly a bad idea. Therefore, on login with the default password,
	we set a flag in the session, so any further access to CMSimple_XH
	will be redirected to the change password dialog. To convey to users
	that they have to change their password, we add a respective message
	to the dialog, which is currently hard-coded for simplicity.
	---
	cmsimple/classes/ChangePassword.php \| 4 ++++
	cmsimple/classes/Controller.php \| 9 ++++++++-
	2 files changed, 12 insertions(+), 1 deletion(-)

	diff --git a/cmsimple/classes/ChangePassword.php b/cmsimple/classes/ChangePassword.php
	index 76bd1e64..487e29a1 100644
	--- a/cmsimple/classes/ChangePassword.php
	+++ b/cmsimple/classes/ChangePassword.php
	@@ -84,6 +84,9 @@ class ChangePassword
	{
	global $o;

	+ if (!empty($_SESSION['xh_must_change_password'])) {
	+ $o .= '<p>You have to change your password!</p>';
	+ }
	$o .= $this->render();
	}

	@@ -153,6 +156,7 @@ class ChangePassword
	if ($hash = $this->validate($error)) {
	$this->config['security']['password'] = $hash;
	$this->savePassword();
	+ unset($_SESSION['xh_must_change_password']);
	header('Location: ' . CMSIMPLE_URL);
	exit;
	} else {
	diff --git a/cmsimple/classes/Controller.php b/cmsimple/classes/Controller.php
	index e03fe852..cd596eb9 100644
	--- a/cmsimple/classes/Controller.php
	+++ b/cmsimple/classes/Controller.php
	@@ -148,7 +148,7 @@ class Controller
	*/
	public function handleLoginAndLogout()
	{
	- global $adm, $login, $logout, $keycut, $f;
	+ global $adm, $login, $logout, $keycut, $f, $xh_change_password;

	$adm = gc('status') == 'adm' && logincheck();
	$keycut = stsl($keycut);
	@@ -162,6 +162,10 @@ class Controller
	} elseif ($logout && $adm) {
	$this->handleLogout();
	}
	+ if ($adm && !empty($_SESSION['xh_must_change_password']) && $xh_change_password != 'true') {
	+ header('Location: ' . CMSIMPLE_URL . '?&xh_change_password');
	+ exit;
	+ }
	}

	/**
	@@ -185,6 +189,9 @@ class Controller
	if (!$written) {
	e('cntwriteto', 'log', $pth['file']['log']);
	}
	+ if ($keycut == 'test') {
	+ $_SESSION['xh_must_change_password'] = true;
	+ }
	} else {
	$login = null;
	$f = 'xh_login_failed';
	--
	2.26.2.windows.1