Merge pull request #66 from phpbb/ticket/security-273

[ticket/security-273] Reset reset token info when re-activating account

phpBB/includes/ucp/ucp_activate.php

@@ -76,10 +76,12 @@ class ucp_activate
 		if ($update_password)
 		{
 			$sql_ary = array(
-				'user_actkey'		=> '',
-				'user_password'		=> $user_row['user_newpasswd'],
-				'user_newpasswd'	=> '',
-				'user_login_attempts'	=> 0,
+				'user_actkey'				=> '',
+				'user_password'				=> $user_row['user_newpasswd'],
+				'user_newpasswd'			=> '',
+				'user_login_attempts'		=> 0,
+				'reset_token'				=> '',
+				'reset_token_expiration'	=> 0,
 			);
 
 			$sql = 'UPDATE ' . USERS_TABLE . '
@@ -101,8 +103,14 @@ class ucp_activate
 
 			user_active_flip('activate', $user_row['user_id']);
 
-			$sql = 'UPDATE ' . USERS_TABLE . "
-				SET user_actkey = ''
+			$sql_ary = [
+				'user_actkey'				=> '',
+				'reset_token'				=> '',
+				'reset_token_expiration'	=> 0,
+			];
+
+			$sql = 'UPDATE ' . USERS_TABLE . '
+				SET ' . $db->sql_build_array('UPDATE', $sql_ary) . "
 				WHERE user_id = {$user_row['user_id']}";
 			$db->sql_query($sql);