Headline
CVE-2023-5844: [Improvement]: Check if new password is NOT the same as the old one w… · pimcore/admin-ui-classic-bundle@498ac77
Unverified Password Change in GitHub repository pimcore/admin-ui-classic-bundle prior to 1.2.0.
Commit
[Improvement]: Check if new password is NOT the same as the old one when resetting (#285)
* add check that new password is different than old one
* refactor empty old password check
* add CHANGELOG
* Update CHANGELOG.md
Co-authored-by: Divesh Pahuja [email protected]
Showing 2 changed files with 6 additions and 0 deletions.
- CHANGELOG.md
- UserController.php
1 change: 1 addition & 0 deletions CHANGELOG.md
@@ -1,5 +1,6 @@
#### v1.2.0
- DataObject used to automatically reload version after save, but now it’s triggered only on successfull save. The reload can be forced by setting `forceReloadVersionsAfterSave` to `true` in a `postSaveObject` event listener.
- [User -> Settings] When resetting password, setting the new password same as the old one would throw an error.
#### v1.1.0
- `Pimcore\Bundle\AdminBundle\Service\ElementService` is marked as internal.
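Review bot: the new `[User -> Settings]` entry under v1.2.0 reads like a cosmetic improvement, yet this commit is the fix for CVE-2023-5844 (Unverified Password Change); consider naming the CVE or the advisory in the entry so that anyone scanning the changelog sees it as a security fix and prioritises the upgrade. The `successfull` misspelling in the preceding context line is pre-existing and not part of this change.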
5 changes: 5 additions & 0 deletions src/Controller/Admin/UserController.php
@@ -589,6 +589,11 @@ public function updateCurrentUserAction(Request $request, ValidatorInterface $va
}
if ($oldPasswordCheck && $values[‘new_password’] == $values[‘retype_password’]) {
if (Tool\Authentication::verifyPassword($user, $values[‘new_password’])) {
throw new \Exception(‘The new password cannot be the same as the old one’);
}
$values[‘password’] = Tool\Authentication::getPasswordHash($user->getName(), $values[‘new_password’]);
} else {
if (!$oldPasswordCheck) {
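Review bot: the retype check on the `if ($oldPasswordCheck && $values['new_password'] == $values['retype_password'])` line uses PHP's loose `==`, under which two numeric strings compare numerically (`'1e3' == '1000'` is true), so a mistyped numeric password can pass the retype check; use `===` (or `hash_equals()`) there. The added `Tool\Authentication::verifyPassword($user, $values['new_password'])` check compares only against the user's current stored hash, so it rejects reuse of the current password and nothing older; if a password-history policy is wanted, earlier hashes have to be kept and checked at the same point. Also confirm that the `\Exception` thrown with the user-facing message is rendered by the controller's error path as that message rather than as a generic server error.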
Related news
### Impact

As the old password can be set as the new password, this is considered a password policy violation. Pimcore does not enforce a strict password policy, which allows an attacker to set the old password as the new password.

### Proof of Concept

1. Go to the Admin link.
2. Log in and click on "User | My Profile".
3. Go to change password, enter the old password as the new password, and click save.

### Patches

https://github.com/pimcore/admin-ui-classic-bundle/commit/498ac77e54541177be27b0c710e387c47b3836ea.patch

### Workarounds

Update to version 1.2.0 or apply this patch manually: https://github.com/pimcore/admin-ui-classic-bundle/commit/498ac77e54541177be27b0c710e387c47b3836ea.patch

### References

https://huntr.com/bounties/b031199d-192a-46e5-8c02-f7284ad74021/
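The hardened self-service password-change flow that the advisory and the patch describe, written out here as an added example in plain PHP. It is not Pimcore's code and does not use its `Tool\Authentication` helpers; the `PasswordChange` class, the `$previousHashes` history list and the ten-character minimum length are assumptions introduced for illustration, and the history check goes beyond the commit, which only rejects reuse of the current password.

```php
<?php
declare(strict_types=1);

// Added example, not Pimcore's code. PasswordChange, $previousHashes and the
// minimum length are assumptions made for illustration.
final class PasswordChange
{
    private const MIN_LENGTH = 10; // assumed policy, not from the advisory

    /**
     * Validate a self-service password change and return the new hash on success.
     *
     * @param string   $currentHash    password_hash() output for the user's current password
     * @param string[] $previousHashes hashes of earlier passwords (assumed history; may be empty)
     * @return array{ok: bool, hash?: string, error?: string}
     */
    public static function apply(
        string $currentHash,
        array $previousHashes,
        string $oldPassword,
        string $newPassword,
        string $retypePassword
    ): array {
        // 1. Prove knowledge of the current password before touching anything.
        //    The explicit empty check mirrors the patch's "empty old password" handling.
        if ($oldPassword === '' || !password_verify($oldPassword, $currentHash)) {
            return ['ok' => false, 'error' => 'Old password is wrong or empty'];
        }

        // 2. Strict comparison: loose == treats numeric strings like "1e3" and "1000" as equal.
        if ($newPassword !== $retypePassword) {
            return ['ok' => false, 'error' => 'New password and retype do not match'];
        }

        // 3. Minimal policy so an empty or trivially short password is not accepted.
        if (strlen($newPassword) < self::MIN_LENGTH) {
            return ['ok' => false, 'error' => 'New password is too short'];
        }

        // 4. The CVE-2023-5844 fix: reject a "new" password that is the current one.
        //    Checking against the stored hash, as the patch does, needs no old plaintext.
        if (password_verify($newPassword, $currentHash)) {
            return ['ok' => false, 'error' => 'The new password cannot be the same as the old one'];
        }

        // 5. Beyond the patch: reject any password still in the kept history.
        foreach ($previousHashes as $hash) {
            if (password_verify($newPassword, $hash)) {
                return ['ok' => false, 'error' => 'The new password was used before'];
            }
        }

        return ['ok' => true, 'hash' => password_hash($newPassword, PASSWORD_DEFAULT)];
    }
}

// Constructed demo data, not taken from the advisory.
$currentHash = password_hash('correct horse battery', PASSWORD_DEFAULT);
$history     = [password_hash('previous-passw0rd!', PASSWORD_DEFAULT)];

$cases = [
    'reuse of current'   => ['correct horse battery', 'correct horse battery', 'correct horse battery'],
    'reuse from history' => ['correct horse battery', 'previous-passw0rd!', 'previous-passw0rd!'],
    'retype mismatch'    => ['correct horse battery', 'new-Secret-123', 'new-Secret-124'],
    'wrong old password' => ['wrong', 'new-Secret-123', 'new-Secret-123'],
    'accepted'           => ['correct horse battery', 'new-Secret-123', 'new-Secret-123'],
];

foreach ($cases as $label => [$old, $new, $retype]) {
    $result = PasswordChange::apply($currentHash, $history, $old, $new, $retype);
    printf("%-18s %s\n", $label, $result['ok'] ? 'accepted' : 'rejected: ' . $result['error']);
}
```

Run the file with the `php` CLI: the first four constructed cases print a rejection with the reason, and only the last prints `accepted`. Verifying the candidate against the stored hash, as the patch does with `verifyPassword`, is what makes the reuse check possible without ever keeping the old password in plaintext; the ordering also matters, since the reuse check is only meaningful once the caller has already proven the old password.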