diff --git a/classes/script_start.php b/classes/script_start.php index e70d73a7..b06c6cf3 100644 --- a/classes/script_start.php +++ b/classes/script_start.php @@ -328,6 +328,20 @@ function logout() { die(); } +/** + * Logout all sessions + */ +function logout_all_sessions() { + $UserID = G::$LoggedUser['ID']; + + G::$DB->query(" + DELETE FROM users_sessions + WHERE UserID = '$UserID'"); + + G::$Cache->delete_value('users_sessions_' . $UserID); + logout(); +} + function enforce_login() { global $SessionID; if (!$SessionID || !G::$LoggedUser) { diff --git a/sections/friends/index.php b/sections/friends/index.php index 2dd51736..81662be7 100644 --- a/sections/friends/index.php +++ b/sections/friends/index.php @@ -18,9 +18,7 @@ authorize(); include(SERVER_ROOT.'/sections/friends/comment.php'); break; - case 'whois': - include(SERVER_ROOT.'/sections/friends/whois.php'); - break; + case 'Contact': header('Location: inbox.php?action=compose&to='.$_POST['friendid']); break; diff --git a/sections/login/index.php b/sections/login/index.php index 630324d5..a255f702 100644 --- a/sections/login/index.php +++ b/sections/login/index.php 
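Review bot: `$UserID` is interpolated straight into the DELETE in logout_all_sessions without the db_string() wrapping this same diff applies elsewhere (`$ChangerIP = db_string($LoggedUser['IP'])` in take_edit.php). The value comes from G::$LoggedUser['ID'], so it is presumably a numeric id loaded from the database rather than request input, but the query should not rely on that: `$UserID = (int)G::$LoggedUser['ID'];` makes the interpolation safe by construction. The docblock should also say that the function never returns, since logout() ends in die() as the hunk's leading context shows, which is relevant to the take_edit.php caller that issues a header() after calling it.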
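Review bot: The new `case 'Contact':` branch routes to a redirect built from raw `$_POST['friendid']`; the header() line is pre-existing context, but this case is what now reaches it. Casting keeps the query string well-formed and rejects anything but an id: `header('Location: inbox.php?action=compose&to='.(int)$_POST['friendid']);`. The label is also capitalised unlike the removed `'whois'` case; if the form posts a lowercase action this branch never matches, which is worth confirming against the form. The enclosing switch starts outside the hunk.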
@@ -46,7 +46,7 @@ if ($UserID && strtotime($Expires) > time()) { // If the user has requested a password change, and his key has not expired - $Validate->SetFields('password', '1', 'regex', 'You entered an invalid password. A strong password is 8 characters or longer, contains at least 1 lowercase and uppercase letter, contains at least a number or symbol', array('regex' => '/(?=^.{8,}$)(?=.*[^a-zA-Z])(?=.*[A-Z])(?=.*[a-z]).*$/')); + $Validate->SetFields('password', '1', 'regex', 'You entered an invalid password. A strong password is 8 characters or longer, contains at least 1 lowercase and uppercase letter, and contains at least a number or symbol, or is 20 characters or longer', array('regex' => '/(?=^.{8,}$)(?=.*[^a-zA-Z])(?=.*[A-Z])(?=.*[a-z]).*$|.{20,}/')); $Validate->SetFields('verifypassword', '1', 'compare', 'Your passwords did not match.', array('comparefield' => 'password')); if (!empty($_REQUEST['password'])) { @@ -65,6 +65,7 @@ i.ResetExpires = '0000-00-00 00:00:00' WHERE m.ID = '$UserID' AND i.UserID = m.ID"); + $DB->query(" INSERT INTO users_history_passwords (UserID, ChangerIP, ChangeTime) diff --git a/sections/login/recover_step2.php b/sections/login/recover_step2.php index 21f9a3fa..02f0e8bf 100644 --- a/sections/login/recover_step2.php +++ b/sections/login/recover_step2.php @@ -13,7 +13,7 @@ if (!empty($Err)) { ?>
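Review bot: The new `|.{20,}` alternative (like the existing `.{8,}`) runs without the `u` modifier, so `.` matches one byte rather than one character: a 10-character password made of two-byte UTF-8 letters satisfies the "20 characters or longer" rule here, while password_validate.js measures `password.length` in UTF-16 units, so client and server disagree on exactly the inputs the new rule is meant to cover. Adding the modifier, `'/(?=^.{8,}$)(?=.*[^a-zA-Z])(?=.*[A-Z])(?=.*[a-z]).*$|.{20,}/u'`, aligns the two sides. The same pattern is copied into register/index.php (@@ -34) and take_edit.php (@@ -31) in this diff and needs the same change. The alternative being unanchored is harmless, since a 20-byte run anywhere implies the whole string is at least that long.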

- A strong password is 8 characters or longer, contains at least 1 lowercase and uppercase letter, and contains at least a number or symbol.

+ A strong password is 8 characters or longer, contains at least 1 lowercase and uppercase letter, and contains at least a number or symbol, or is 20 characters or longer.

diff --git a/sections/register/index.php b/sections/register/index.php index 80696742..dd810c3a 100644 --- a/sections/register/index.php +++ b/sections/register/index.php @@ -34,7 +34,7 @@ } elseif (OPEN_REGISTRATION || !empty($_REQUEST['invite'])) { $Val->SetFields('username', true, 'regex', 'You did not enter a valid username.', array('regex' => USERNAME_REGEX)); $Val->SetFields('email', true, 'email', 'You did not enter a valid email address.'); - $Val->SetFields('password', true, 'regex', 'A strong password is 8 characters or longer, contains at least 1 lowercase and uppercase letter, and contains at least a number or symbol', array('regex'=>'/(?=^.{8,}$)(?=.*[^a-zA-Z])(?=.*[A-Z])(?=.*[a-z]).*$/')); + $Val->SetFields('password', true, 'regex', 'A strong password is 8 characters or longer, contains at least 1 lowercase and uppercase letter, and contains at least a number or symbol, or is 20 characters or longer', array('regex'=>'/(?=^.{8,}$)(?=.*[^a-zA-Z])(?=.*[A-Z])(?=.*[a-z]).*$|.{20,}/')); $Val->SetFields('confirm_password', true, 'compare', 'Your passwords do not match.', array('comparefield' => 'password')); $Val->SetFields('readrules', true, 'checkbox', 'You did not select the box that says you will read the rules.'); $Val->SetFields('readwiki', true, 'checkbox', 'You did not select the box that says you will read the wiki.'); diff --git a/sections/register/step1.php b/sections/register/step1.php index 4c370f74..53ce0be0 100644 --- a/sections/register/step1.php +++ b/sections/register/step1.php @@ -41,7 +41,7 @@ diff --git a/sections/user/edit.php b/sections/user/edit.php index 0918928d..6cef827e 100644 --- a/sections/user/edit.php +++ b/sections/user/edit.php @@ -810,9 +810,8 @@ function checked($Checked) {
A strong password:
diff --git a/sections/user/invite.php b/sections/user/invite.php index 13159fe8..7548a079 100644 --- a/sections/user/invite.php +++ b/sections/user/invite.php @@ -1,4 +1,5 @@ next_record(); -if (!$Sneaky - && !$LoggedUser['RatioWatch'] - && $CanLeech - && empty($LoggedUser['DisableInvites']) - && ($LoggedUser['Invites'] > 0 || check_perms('site_send_unlimited_invites')) - && ($UserCount <= USER_LIMIT || USER_LIMIT == 0 || check_perms('site_can_invite_always')) + + if (!$Sneaky + && !$LoggedUser['RatioWatch'] + && $CanLeech + && empty($LoggedUser['DisableInvites']) + && ($LoggedUser['Invites'] > 0 || check_perms('site_send_unlimited_invites')) + && ($UserCount <= USER_LIMIT || USER_LIMIT == 0 || check_perms('site_can_invite_always')) ) { ?>

Please note that the selling, trading, or publicly giving away our invitations — or responding to public invite requests — is strictly forbidden, and may result in you and your entire invite tree being banned. This includes offering to give away our invitations on any forum which is not a class-restricted forum on another private tracker.

diff --git a/sections/user/take_edit.php b/sections/user/take_edit.php index 86526d88..49ad00a5 100644 --- a/sections/user/take_edit.php +++ b/sections/user/take_edit.php @@ -31,7 +31,7 @@ $Val->SetFields('avatar', 0, "regex", "You did not enter a valid avatar URL.", array('regex' => "/^".IMAGE_REGEX."$/i")); $Val->SetFields('email', 1, "email", "You did not enter a valid email address."); $Val->SetFields('irckey', 0, "string", "You did not enter a valid IRC key. An IRC key must be between 6 and 32 characters long.", array('minlength' => 6, 'maxlength' => 32)); -$Val->SetFields('new_pass_1', 0, "regex", "You did not enter a valid password. A strong password is 8 characters or longer, contains at least 1 lowercase and uppercase letter, and contains at least a number or symbol.", array('regex' => '/(?=^.{8,}$)(?=.*[^a-zA-Z])(?=.*[A-Z])(?=.*[a-z]).*$/')); +$Val->SetFields('new_pass_1', 0, "regex", "You did not enter a valid password. A strong password is 8 characters or longer, contains at least 1 lowercase and uppercase letter, and contains at least a number or symbol.", array('regex' => '/(?=^.{8,}$)(?=.*[^a-zA-Z])(?=.*[A-Z])(?=.*[a-z]).*$|.{20,}/')); $Val->SetFields('new_pass_2', 1, "compare", "Your passwords do not match.", array('comparefield' => 'new_pass_1')); if (check_perms('site_advanced_search')) { $Val->SetFields('searchtype', 1, "number", "You forgot to select your default search preference.", array('minlength' => 0, 'maxlength' => 1)); @@ -184,7 +184,9 @@ list($PassHash, $Secret) = $DB->next_record(); if (Users::check_password($_POST['cur_pass'], $PassHash, $Secret)) { - if ($_POST['new_pass_1'] && $_POST['new_pass_2']) { + if ($_POST['cur_pass'] == $_POST['new_pass_1']) { + $Err = 'Your new password cannot be the same as your old password.'; + } else if ($_POST['new_pass_1'] && $_POST['new_pass_2']) { $ResetPassword = true; } } else { 
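Review bot: The regex on the `new_pass_1` line gains the `|.{20,}` alternative, but the user-facing message on the same line still ends at "a number or symbol.", whereas login/index.php and register/index.php in this diff append the new option. A user whose password fails validation is told a rule that no longer matches what the server accepts. Change the message to `"You did not enter a valid password. A strong password is 8 characters or longer, contains at least 1 lowercase and uppercase letter, and contains at least a number or symbol, or is 20 characters or longer."` so the three call sites agree.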
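Review bot: `$_POST['cur_pass'] == $_POST['new_pass_1']` is a loose comparison; PHP compares two numeric strings by value, so an old password `100` and a new one `1e2`, or `0` and `0.0`, are reported as "the same" and the change is refused even though the passwords differ. Both operands are strings here, so strict comparison is the right form: `if ($_POST['cur_pass'] === $_POST['new_pass_1']) {`. The check runs only after Users::check_password has succeeded on the line above, so it discloses nothing about the stored hash; the enclosing block continues outside the hunk.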
@@ -333,6 +335,7 @@ $ChangerIP = db_string($LoggedUser['IP']); $PassHash = Users::make_crypt_hash($_POST['new_pass_1']); $SQL.= ",m.PassHash = '".db_string($PassHash)."'"; + $DB->query(" INSERT INTO users_history_passwords (UserID, ChangerIP, ChangeTime) @@ -365,7 +368,7 @@ $DB->query($SQL); if ($ResetPassword) { - logout(); + logout_all_sessions(); } header("Location: user.php?action=edit&userid=$UserID"); diff --git a/static/functions/password_validate.js b/static/functions/password_validate.js index e6cb4f84..df1a58df 100644 --- a/static/functions/password_validate.js +++ b/static/functions/password_validate.js @@ -11,6 +11,7 @@ var SHORT = 4; var MATCH_IRCKEY = 5; var MATCH_USERNAME = 6; var COMMON = 7; +var MATCH_OLD_PASSWORD = 8; var USER_PATH = "/user.php"; @@ -85,6 +86,7 @@ function validatePassword(password) { function calculateComplexity(password) { var length = password.length; var username; + var oldPassword; if (isUserPage()) { username = $(".username").text(); @@ -97,12 +99,13 @@ function calculateComplexity(password) { if (isUserPage()) { irckey = $("#irckey").val(); + oldPassword =$("#cur_pass").val(); } - if (length >= 8) { + if (length >= 8 && length < 20) { setStatus(WEAK); } - if (length >= 8 && isStrongPassword(password)) { + if ((length >= 8 && isStrongPassword(password)) || length >= 20) { setStatus(STRONG); } if (length > 0 && length < 8) { @@ -117,6 +120,10 @@ function calculateComplexity(password) { setStatus(MATCH_IRCKEY); } } + + if (oldPassword.length > 0 && password == oldPassword) { + setStatus(MATCH_OLD_PASSWORD); + } } if (username.length > 0) { if (password.toLowerCase() == username.toLowerCase()) { 
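Review bot: `oldPassword` is assigned only inside the `if (isUserPage())` block, yet the check added at @@ -117 dereferences `oldPassword.length`, and from the two closing braces preceding it that check appears to sit outside that guard; on any page where isUserPage() is false, or where `#cur_pass` is absent so `.val()` returns undefined, calculateComplexity then throws a TypeError and the strength meter stops updating. Initialise the variable and guard the jQuery result: `var oldPassword = "";` in the declaration hunk (@@ -85) and `oldPassword = $("#cur_pass").val() || "";` here. Whether the irckey check just above has the same exposure cannot be seen from the hunk. calculateComplexity's body continues outside the hunk.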
@@ -175,6 +182,10 @@ function setStatus(strength) { disableSubmit(); $("#pass_strength").text("Password is too common").css("color", "red"); } + if (strength == MATCH_OLD_PASSWORD) { + disableSubmit(); + $("#pass_strength").text("New password cannot match old password").css("color", "red"); + } if (strength == CLEAR) { $("#pass_strength").text(""); }
Password Verify password  -

A strong password is 8 characters or longer, contains at least 1 lowercase and uppercase letter, and contains at least a number or a symbol.

+

A strong password is 8 characters or longer, contains at least 1 lowercase and uppercase letter, and contains at least a number or a symbol, or is 20 characters or longer.