From: justdave%bugzilla.org <>
Date: Mon, 25 Oct 2004 14:14:33 +0000 (+0000)
Subject: Bug 250897: Enforce a 10 minute waiting period between password reset attempts to...
X-Git-Tag: bugzilla-2.16.7~3
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=814bb4e9c8b0028ea988a382f5559218b7f4e3f8;p=thirdparty%2Fbugzilla.git
Bug 250897: Enforce a 10 minute waiting period between password reset attempts to prevent the user getting mailbombed if the form is submitted multiple times.
Patch by Joel Peshkin r=kiko, a=justdave
---
diff --git a/Token.pm b/Token.pm
index 78eef9335f..9823124812 100644
--- a/Token.pm
+++ b/Token.pm
@@ -114,11 +114,19 @@ sub IssuePasswordToken {
 # Retrieve the user's ID from the database.
 my $quotedloginname = &::SqlQuote($loginname);
- &::SendSQL("SELECT userid FROM profiles WHERE login_name = $quotedloginname");
- my ($userid) = &::FetchSQLData();
+ &::SendSQL("SELECT profiles.userid, tokens.issuedate FROM profiles
+ LEFT JOIN tokens
+ ON tokens.userid = profiles.userid
+ AND tokens.tokentype = 'password'
+ AND tokens.issuedate > DATE_SUB(NOW(), INTERVAL 10 MINUTE)
+ WHERE login_name = $quotedloginname");
+ my ($userid, $toosoon) = &::FetchSQLData();
+
+ if ($toosoon) {
+ &::DisplayError('Too Soon For Another Password Token') && exit;
+ };
 my $token_ts = time();
- my $issuedate = time2str("%Y-%m-%d %H:%M", $token_ts);
 # Generate a unique token and insert it into the tokens table.
 # We have to lock the tokens table before generating the token,
@@ -128,7 +136,7 @@ sub IssuePasswordToken {
 my $quotedtoken = &::SqlQuote($token);
 my $quotedipaddr = &::SqlQuote($::ENV{'REMOTE_ADDR'});
 &::SendSQL("INSERT INTO tokens ( userid , issuedate , token , tokentype , eventdata )
- VALUES ( $userid , '$issuedate' , $quotedtoken , 'password' , $quotedipaddr )");
+ VALUES ( $userid , NOW() , $quotedtoken , 'password' , $quotedipaddr )");
 &::SendSQL("UNLOCK TABLES");
 # Mail the user the token along with instructions for using it.
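Review bot: The rate-limit in the first hunk only holds if `DisplayError` returns a true value, because `&::DisplayError('Too Soon For Another Password Token') && exit;` falls through to the token INSERT and the mail-out when it returns false; unless that return value is guaranteed, write it as `&::DisplayError('Too Soon For Another Password Token'); exit;` so the gate cannot be bypassed by an error-display quirk. The recent-token lookup also runs before the tokens table is locked (the LOCK TABLES statement sits between the two hunks, per the "We have to lock the tokens table" comment and the UNLOCK in the second hunk), so two requests arriving together can both pass the 10-minute check and both issue a token; re-running the check after the lock, or moving the lock ahead of the SELECT, would close that window. Note too that the new error is only reachable when a recent token exists for a real account, so its presence confirms that the login name exists; if the surrounding code already takes care not to reveal that (the handling of an undefined `$userid` is outside the hunk), a uniform "if the account exists, mail was sent" response would be more consistent. `IssuePasswordToken` starts before the first hunk and continues past the second.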