Further reduce the attack surface in case of a stolen session ID.

Signed-off-by: Lukas Fleischer <[email protected]>
---
 web/html/account.php            | 17 +++++++++++++----
 web/template/account_delete.php | 11 +++++++++--
 2 files changed, 22 insertions(+), 6 deletions(-)

diff --git a/web/html/account.php b/web/html/account.php
index 7c6c424..03af8d4 100644
--- a/web/html/account.php
+++ b/web/html/account.php
@@ -120,12 +120,21 @@ if (isset($_COOKIE["AURSID"])) {
        } elseif ($action == "DeleteAccount") {
                /* Details for account being deleted. */
                if (can_edit_account($row)) {
-                       $UID = $row['ID'];
+                       $uid_removal = $row['ID'];
+                       $uid_session = uid_from_sid($_COOKIE['AURSID']);
+                       $username = $row['Username'];
+
                        if (in_request('confirm') && check_token()) {
-                               user_delete($UID);
-                               header('Location: /');
+                               if (check_passwd($uid_session, 
$_REQUEST['passwd']) == 1) {
+                                       user_delete($uid_removal);
+                                       header('Location: /');
+                               } else {
+                                       echo "<ul class='errorlist'><li>";
+                                       echo __("Invalid password.");
+                                       echo "</li></ul>";
+                                       include("account_delete.php");
+                               }
                        } else {
-                               $username = $row['Username'];
                                include("account_delete.php");
                        }
                } else {
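Review bot: The password is read from `$_REQUEST['passwd']` on the added check_passwd() call, so it is accepted from the query string and cookies as well as the POST body, which lets the secret land in server access logs, browser history and Referer headers; read it from `$_POST` only, e.g. `if (check_passwd($uid_session, isset($_POST['passwd']) ? $_POST['passwd'] : '') == 1) {`, which also avoids the undefined-index notice when the field is absent. The `== 1` comparison is loose; check_passwd()'s return type is not visible here, but if it returns an int or bool, `=== 1` or a plain truth test matching its contract states the intent more precisely. The `<form>` element's method attribute lies outside the template hunk, so nothing shown enforces a POST submission for the new password field. The enclosing `if (isset($_COOKIE["AURSID"]))` block begins before this hunk and continues past it.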
diff --git a/web/template/account_delete.php b/web/template/account_delete.php
index 718b172..d0c6e74 100644
--- a/web/template/account_delete.php
+++ b/web/template/account_delete.php
@@ -12,8 +12,15 @@
                <input type="hidden" name="token" value="<?= 
htmlspecialchars($_COOKIE['AURSID']) ?>" />
        </fieldset>
        <fieldset>
-               <p><label class="confirmation"><input type="checkbox" 
name="confirm" value="1" />
-               <?= __("Confirm deletion") ?></label></p>
+               <p>
+                       <label for="id_passwd"><?= __("Password") ?>:</label>
+                       <input type="password" size="30" name="passwd" 
id="id_passwd" value="" />
+               </p>
+
+               <p>
+                       <label class="confirmation"><input type="checkbox" 
name="confirm" value="1" />
+                       <?= __("Confirm deletion") ?></label>
+               </p>
 
                <p>
                        <input type="submit" class="button" value="<?= 
__("Delete") ?>" />
-- 
2.25.0
