forgotpass: slightly better anti-bot protection

This commit is contained in:
Andrew Dolgov 2019-02-19 20:25:48 +03:00
parent 3b057d5f02
commit 59df261fb8
1 changed files with 6 additions and 2 deletions


@ -838,6 +838,7 @@ class Handler_Public extends Handler {
function forgotpass() { function forgotpass() {
startup_gettext(); startup_gettext();
session_start();
@$hash = clean($_REQUEST["hash"]); @$hash = clean($_REQUEST["hash"]);
@ -916,8 +917,11 @@ class Handler_Public extends Handler {
print "<input class='input input-text' type='email' name='email' value='' required>"; print "<input class='input input-text' type='email' name='email' value='' required>";
print "</fieldset>"; print "</fieldset>";
$_SESSION["pwdreset:testvalue1"] = rand(1,10);
$_SESSION["pwdreset:testvalue2"] = rand(1,10);
print "<fieldset>"; print "<fieldset>";
print "<label>".__("How much is two plus two:")."</label>"; print "<label>".T_sprintf("How much is %d + %d:", $_SESSION["pwdreset:testvalue1"], $_SESSION["pwdreset:testvalue2"])."</label>";
print "<input class='input input-text' type='text' name='test' value='' required>"; print "<input class='input input-text' type='text' name='test' value='' required>";
print "</fieldset>"; print "</fieldset>";
@ -933,7 +937,7 @@ class Handler_Public extends Handler {
$email = clean($_POST["email"]); $email = clean($_POST["email"]);
$test = clean($_POST["test"]); $test = clean($_POST["test"]);
if (($test != 4 && $test != 'four') || !$email || !$login) { if ($test != ($_SESSION["pwdreset:testvalue1"] + $_SESSION["pwdreset:testvalue2"]) || !$email || !$login) {
print_error(__('Some of the required form parameters are missing or incorrect.')); print_error(__('Some of the required form parameters are missing or incorrect.'));
print "<form method=\"GET\" action=\"public.php\"> print "<form method=\"GET\" action=\"public.php\">
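Review bot: The new condition in the last hunk reads both `$_SESSION["pwdreset:testvalue1"]` and `"pwdreset:testvalue2"` without checking that they were ever set and leaves them in the session after the comparison, so a submission that arrives before the form was rendered is compared against `null + null`, and once a correct answer is given it stays valid for every later submission in that session. The expected sum should be computed only when both keys are present, the keys cleared before the comparison so each rendered challenge answers exactly one submission, and the comparison done on integers rather than through the loose `!=`. The `session_start()` added in the first hunk only guarantees a session exists, not that a challenge was issued in it. `forgotpass()` starts before the first hunk and its body continues past the end of this one.
```php
$test = clean($_POST["test"]);
$have_test = isset($_SESSION["pwdreset:testvalue1"], $_SESSION["pwdreset:testvalue2"]);
$expected = $have_test ? (int)$_SESSION["pwdreset:testvalue1"] + (int)$_SESSION["pwdreset:testvalue2"] : null;
// one rendered challenge answers one submission; the next render issues a new one
unset($_SESSION["pwdreset:testvalue1"], $_SESSION["pwdreset:testvalue2"]);
if (!$have_test || (int)$test !== $expected || !$email || !$login) {
    // … unchanged: error message and retry form …
```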