[ticket/security/276] Prevent sending activation emails multiple times per day

SECURITY-276
2025-07-30 21:40:43 +02:00 · 2024-04-28 13:46:25 +02:00
parent a63a1913fa
commit f853f6523f
8 changed files with 103 additions and 40 deletions
--- a/phpBB/includes/acp/acp_inactive.php
+++ b/phpBB/includes/acp/acp_inactive.php
@@ -238,10 +238,11 @@ class acp_inactive

 						$messenger->save_queue();

-						// Add the remind state to the database
+						// Add the remind state to the database and increase activation expiration by one day
 						$sql = 'UPDATE ' . USERS_TABLE . '
 							SET user_reminded = user_reminded + 1,
-								user_reminded_time = ' . time() . '
+								user_reminded_time = ' . time() . ',
+								user_actkey_expiration = ' . (int) strtotime('+1 day') . '
 							WHERE ' . $db->sql_in_set('user_id', $user_ids);
 						$db->sql_query($sql);

--- a/phpBB/includes/acp/acp_users.php
+++ b/phpBB/includes/acp/acp_users.php
@@ -385,14 +385,18 @@ class acp_users
 									$user_actkey = empty($user_activation_key) ? $user_actkey : $user_activation_key;
 								}

-								if ($user_row['user_type'] == USER_NORMAL || empty($user_activation_key))
-								{
-									$sql = 'UPDATE ' . USERS_TABLE . "
-										SET user_actkey = '" . $db->sql_escape($user_actkey) . "'
-										WHERE user_id = $user_id";
-									$db->sql_query($sql);
-								}
+								// Always update actkey even if same and also update actkey expiration to 24 hours from now
+								$sql_ary = [
+									'user_actkey'				=> $user_actkey,
+									'user_actkey_expiration'	=> strtotime('+1 day'),
+								];

+								$sql = 'UPDATE ' . USERS_TABLE . '
+									SET ' . $db->sql_build_array('UPDATE', $sql_ary) . '
+									WHERE user_id = ' . $user_id;
+								$db->sql_query($sql);
+
+								// Start sending email
 								$messenger = new messenger(false);

 								$messenger->template($email_template, $user_row['user_lang']);