官方的人来看看，难道这不BUG吗？

gxuc · 发表于 2013-3-14 11:05:25

后台设置密码长度为8。但点首页的找回密码，然后打开收到的邮件重设密码地址，再设置新密码时，
可以设置任意长度的密码，刚测试过新密码为空也能提交成功。这个难道不是BUG吗？

gxuc · 发表于 2013-3-14 11:08:06

以下代码写也也太不严谨咯，嘻嘻！

if($dateline < TIMESTAMP - 86400 * 3 || $operation != 1 || $idstring != $_GET['id']) {
showmessage('getpasswd_illegal', NULL);
}

if(!submitcheck('getpwsubmit') || $_GET['newpasswd1'] != $_GET['newpasswd2']) {
$hashid = $_GET['id'];
$uid = $_GET['uid'];
include template('member/getpasswd');
} else {
if($_GET['newpasswd1'] != addslashes($_GET['newpasswd1'])) {
showmessage('profile_passwd_illegal');
}

loaducenter();
uc_user_edit(addslashes($member['username']), $_GET['newpasswd1'], $_GET['newpasswd1'], addslashes($member['email']), 1, 0);
$password = md5(random(10));

if(isset($member['_inarchive'])) {
C::t('common_member_archive')->move_to_master($member['uid']);
}
C::t('common_member')->update($_GET['uid'], array('password' => $password));
C::t('common_member_field_forum')->update($_GET['uid'], array('authstr' => ''));
showmessage('getpasswd_succeed', 'index.php', array(), array('login' => 1));
}

下砂 · 发表于 2013-3-14 14:41:07

已反馈

anamxa · 发表于 2013-3-27 12:33:27

相逢一醉是前缘，风雨散、飘然何处。

gxuc · 发表于 2013-3-29 10:46:28

修复方法

if(!submitcheck('getpwsubmit') || $_GET['newpasswd1'] != $_GET['newpasswd2']) {
$hashid = $_GET['id'];
$uid = $_GET['uid'];
include template('member/getpasswd');
} else {
if($_GET['newpasswd1'] != addslashes($_GET['newpasswd1'])) {
showmessage('profile_passwd_illegal');
}

复制代码

改为

if(!submitcheck('getpwsubmit')) {
$hashid = $_GET['id'];
$uid = $_GET['uid'];
include template('member/getpasswd');
}elseif ($_GET['newpasswd1'] != $_GET['newpasswd2']) {
showmessage('profile_passwd_notmatch');
}else{
if(empty($_GET['newpasswd1']) || $_GET['newpasswd1'] != addslashes($_GET['newpasswd1'])) {
showmessage('profile_passwd_illegal');
}
if(!empty($_GET['newpasswd1']) && $_G['setting']['strongpw']) {
$strongpw_str = array();
if(in_array(1, $_G['setting']['strongpw']) && !preg_match("/\d+/", $_GET['newpasswd1'])) {
$strongpw_str[] = lang('member/template', 'strongpw_1');
}
if(in_array(2, $_G['setting']['strongpw']) && !preg_match("/[a-z]+/", $_GET['newpasswd1'])) {
$strongpw_str[] = lang('member/template', 'strongpw_2');
}
if(in_array(3, $_G['setting']['strongpw']) && !preg_match("/[A-Z]+/", $_GET['newpasswd1'])) {
$strongpw_str[] = lang('member/template', 'strongpw_3');
}
if(in_array(4, $_G['setting']['strongpw']) && !preg_match("/[^a-zA-z0-9]+/", $_GET['newpasswd1'])) {
$strongpw_str[] = lang('member/template', 'strongpw_4');
}
if($strongpw_str) {
showmessage(lang('member/template', 'password_weak').implode(',', $strongpw_str));
}
}
if($_G['setting']['pwlength']) {
if(strlen($_GET['newpasswd1']) < $_G['setting']['pwlength']) {
showmessage('profile_password_tooshort', '', array('pwlength' => $_G['setting']['pwlength']));
}
}

复制代码

imoko · 发表于 2013-4-6 11:28:44

这都被你发现了啊厉害

		自动登录	找回密码
密码			立即注册

官方的人来看看，难道这不BUG吗？

本帖子中包含更多资源