Require current password when setting a new one

Prevent from easily taking over an account by changing the password with a stolen session ID. Fixes FS#65325. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2025-02-03 10:43:03 +01:00 · 2020-01-30 10:23:50 +01:00 · 2020-01-30 10:23:50 +01:00 · daee20c694
commit daee20c694
parent eeaa1c3a32
4 changed files with 36 additions and 14 deletions
--- a/web/html/account.php
+++ b/web/html/account.php
@ -34,6 +34,7 @@ if ($action == "UpdateAccount") {
 			in_request("S"),
 			in_request("E"),
 			in_request("H"),
+			in_request("PO"),
 			in_request("P"),
 			in_request("C"),
 			in_request("R"),