mirror/php-phpbb
1
0
Fork 0
mirror of https://github.com/phpbb/phpbb.git synced 2025-07-30 21:40:43 +02:00
Code Issues Releases Wiki Activity

[ticket/security/276] Prevent sending activation emails multiple times per day

Browse Source 
SECURITY-276
This commit is contained in:
Marc Alexander
2024-04-28 13:46:25 +02:00
parent a63a1913fa
commit f853f6523f
8 changed files with 103 additions and 40 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
phpBB/includes/acp/acp_inactive.php
View File

@@ -238,10 +238,11 @@ class acp_inactive
$messenger->save_queue();
// Add the remind state to the database
// Add the remind state to the database and increase activation expiration by one day
$sql = 'UPDATE ' . USERS_TABLE . '
SET user_reminded = user_reminded + 1,
user_reminded_time = ' . time() . '
user_reminded_time = ' . time() . ',
user_actkey_expiration = ' . (int) strtotime('+1 day') . '
WHERE ' . $db->sql_in_set('user_id', $user_ids);
$db->sql_query($sql);

18
phpBB/includes/acp/acp_users.php
View File

@@ -385,14 +385,18 @@ class acp_users
$user_actkey = empty($user_activation_key) ? $user_actkey : $user_activation_key;
}
if ($user_row['user_type'] == USER_NORMAL || empty($user_activation_key))
{
$sql = 'UPDATE ' . USERS_TABLE . "
SET user_actkey = '" . $db->sql_escape($user_actkey) . "'
WHERE user_id = $user_id";
$db->sql_query($sql);
}
// Always update actkey even if same and also update actkey expiration to 24 hours from now
$sql_ary = [
'user_actkey' => $user_actkey,
'user_actkey_expiration' => strtotime('+1 day'),
];
$sql = 'UPDATE ' . USERS_TABLE . '
SET ' . $db->sql_build_array('UPDATE', $sql_ary) . '
WHERE user_id = ' . $user_id;
$db->sql_query($sql);
// Start sending email
$messenger = new messenger(false);
$messenger->template($email_template, $user_row['user_lang']);

23
phpBB/includes/functions_user.php
View File

@@ -210,18 +210,19 @@ function user_add($user_row, $cp_data = false, $notifications_data = null)
// These are the additional vars able to be specified
$additional_vars = array(
'user_permissions' => '',
'user_timezone' => $config['board_timezone'],
'user_dateformat' => $config['default_dateformat'],
'user_lang' => $config['default_lang'],
'user_style' => (int) $config['default_style'],
'user_actkey' => '',
'user_ip' => '',
'user_regdate' => time(),
'user_passchg' => time(),
'user_options' => 230271,
'user_permissions' => '',
'user_timezone' => $config['board_timezone'],
'user_dateformat' => $config['default_dateformat'],
'user_lang' => $config['default_lang'],
'user_style' => (int) $config['default_style'],
'user_actkey' => '',
'user_actkey_expiration' => 0,
'user_ip' => '',
'user_regdate' => time(),
'user_passchg' => time(),
'user_options' => 230271,
// We do not set the new flag here - registration scripts need to specify it
'user_new' => 0,
'user_new' => 0,
'user_inactive_reason' => 0,
'user_inactive_time' => 0,

7
phpBB/includes/ucp/ucp_profile.php
View File

@@ -196,9 +196,10 @@ class ucp_profile
{
$notifications_manager = $phpbb_container->get('notification_manager');
$notifications_manager->add_notifications('notification.type.admin_activate_user', array(
'user_id' => $user->data['user_id'],
'user_actkey' => $user_actkey,
'user_regdate' => time(), // Notification time
'user_id' => $user->data['user_id'],
'user_actkey' => $user_actkey,
'user_actkey_expiration' => strtotime('+1 day'), // 24 hours until activation can be resent
'user_regdate' => time(), // Notification time
));
}

25
phpBB/includes/ucp/ucp_register.php
View File

@@ -381,18 +381,19 @@ class ucp_register
$passwords_manager = $phpbb_container->get('passwords.manager');
$user_row = array(
'username' => $data['username'],
'user_password' => $passwords_manager->hash($data['new_password']),
'user_email' => $data['email'],
'group_id' => (int) $group_id,
'user_timezone' => $data['tz'],
'user_lang' => $data['lang'],
'user_type' => $user_type,
'user_actkey' => $user_actkey,
'user_ip' => $user->ip,
'user_regdate' => time(),
'user_inactive_reason' => $user_inactive_reason,
'user_inactive_time' => $user_inactive_time,
'username' => $data['username'],
'user_password' => $passwords_manager->hash($data['new_password']),
'user_email' => $data['email'],
'group_id' => (int) $group_id,
'user_timezone' => $data['tz'],
'user_lang' => $data['lang'],
'user_type' => $user_type,
'user_actkey' => $user_actkey,
'user_actkey_expiration' => strtotime('+1 day'), // 24 hours until activation can be resent
'user_ip' => $user->ip,
'user_regdate' => time(),
'user_inactive_reason' => $user_inactive_reason,
'user_inactive_time' => $user_inactive_time,
);
if ($config['new_member_post_limit'])

27
phpBB/includes/ucp/ucp_resend.php
View File

@@ -73,6 +73,12 @@ class ucp_resend
trigger_error('ACCOUNT_DEACTIVATED');
}
// Do not resend activation email if valid one still exists
if (!empty($user_row['user_actkey']) && (int) $user_row['user_actkey_expiration'] >= time())
{
trigger_error('ACTIVATION_EMAIL_ALREADY_SENT');
}
// Determine coppa status on group (REGISTERED(_COPPA))
$sql = 'SELECT group_name, group_type
FROM ' . GROUPS_TABLE . '
@@ -144,6 +150,8 @@ class ucp_resend
$db->sql_freeresult($result);
}
$this->update_activation_expiration();
meta_refresh(3, append_sid("{$phpbb_root_path}index.$phpEx"));
$message = ($config['require_activation'] == USER_ACTIVATION_ADMIN) ? $user->lang['ACTIVATION_EMAIL_SENT_ADMIN'] : $user->lang['ACTIVATION_EMAIL_SENT'];
@@ -160,4 +168,23 @@ class ucp_resend
$this->tpl_name = 'ucp_resend';
$this->page_title = 'UCP_RESEND';
}
/**
* Update activation expiration to 1 day from now
*
* @return void
*/
protected function update_activation_expiration(): void
{
global $db, $user;
$sql_ary = [
'user_actkey_expiration' => strtotime('+1 day'),
];
$sql = 'UPDATE ' . USERS_TABLE . '
SET ' . $db->sql_build_array('UPDATE', $sql_ary) . '
WHERE user_id = ' . (int) $user->id();
$db->sql_query($sql);
}
}