fix #1105 회원 인증코드가 brute force 공격에 노출될 수 있는 문제 고침

This commit is contained in:
bnu 2014-12-29 17:54:33 +09:00
parent 8e645c9120
commit e53f9744ca


@ -1105,7 +1105,12 @@ class memberController extends member
$args->member_srl = $member_srl;
$args->auth_key = $auth_key;
$output = executeQuery('member.getAuthMail', $args);
if(!$output->toBool() || $output->data->auth_key != $auth_key) return $this->stop('msg_invalid_auth_key');
if(!$output->toBool() || $output->data->auth_key != $auth_key)
{
if(strlen($output->data->auth_key) !== strlen($auth_key)) executeQuery('member.deleteAuthMail', $args);
return $this->stop('msg_invalid_auth_key');
}
// If credentials are correct, change the password to a new one
if($output->data->is_register == 'Y')
{
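Review bot: The invalidation on the third added line fires only when the submitted key has a different length from the stored one, so a wrong guess of the correct length — the case a brute-force attempt actually produces — leaves the pending auth key in place and the retry window the commit targets stays open for correctly-sized guesses. Deleting on every mismatch would instead let anyone invalidate a legitimate user's pending code with a single wrong guess, so the usual middle ground is a per-member or per-key failed-attempt counter (or rate limit) that discards the key after a small number of failures; if that is out of scope here, the length check deserves a comment stating its intent, e.g. `// discard the key only on a wrong-length guess, so a third party cannot invalidate a legitimate pending code with one same-length miss`. Separately, the comparison `$output->data->auth_key != $auth_key` is loose: two numeric-looking strings such as ones of the form `0e…` compare equal under `!=`, so use `if(!$output->toBool() || $output->data->auth_key !== $auth_key)` (or `hash_equals()` where PHP 5.6+ is available). When `$output->toBool()` is false, `$output->data` may not be an object, so the `strlen($output->data->auth_key)` access inside the new branch presumably needs a guard as well. The same pattern appears in the hunk at line 2496 (`member.deleteAuthChangeEmailAddress`), and the enclosing method starts and ends outside this hunk.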
@ -2491,7 +2496,11 @@ class memberController extends member
$args->member_srl = $member_srl;
$args->auth_key = $auth_key;
$output = executeQuery('member.getAuthMail', $args);
if(!$output->toBool() || $output->data->auth_key != $auth_key) return $this->stop('msg_invalid_modify_email_auth_key');
if(!$output->toBool() || $output->data->auth_key != $auth_key)
{
if(strlen($output->data->auth_key) !== strlen($auth_key)) executeQuery('member.deleteAuthChangeEmailAddress', $args);
return $this->stop('msg_invalid_modify_email_auth_key');
}
$newEmail = $output->data->user_id;
$args->email_address = $newEmail;