commit 2ceec92beff608786098cd5842382dfd4dd911d4
Author: Alicia <...>
Date: Sat Mar 14 17:55:15 2020 +0100
Added missing file.
diff --git a/changepassword.php b/changepassword.php
new file mode 100644
index 0000000..c670391
--- /dev/null
+++ b/changepassword.php
@@ -0,0 +1,67 @@
+<...>
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU Affero General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU Affero General Public License for more details.
+
+ You should have received a copy of the GNU Affero General Public License
+ along with this program. If not, see <https://www.gnu.org/licenses/>.
+*/
+include_once('config.php');
+if(isset($_COOKIE['PHPSESSID'])){session_start();}
+if(!isset($_SESSION['id'])){header('Location: '.BASEURL.'/login?returnto='.urlencode($_SERVER['REQUEST_URI']));}
+include_once('db.php');
+include_once('nonce.php');
+include_once('head.php');
+$error='';
+$msg='';
+$oldpass='';
+$pass='';
+$pass2='';
+if(isset($_POST['oldpass']) && isset($_POST['newpass']) && isset($_POST['newpass2']) && checknonce())
+{
+ $oldpass=$_POST['oldpass'];
+ $pass=$_POST['newpass'];
+ $pass2=$_POST['newpass2'];
+ if(strlen($pass)<8){$error=_('Please use a safe password. Less than 8 characters is too short');}
+ if($pass!=$pass2){$error=_('The new passwords don\'t match');}
+ // Check oldpass
+ $res=mysqli_query($db, 'select salt, password from users where id='.(int)$_SESSION['id']);
+ $res=mysqli_fetch_assoc($res);
+ if(!$res){die(_('DB error, changes have not been saved'));}
+ $hash=explode(':', $res['password']);
+ $oldhash=hash($hash[0], $oldpass.$res['salt']);
+ if($oldhash!=$hash[1]){$error=_('Wrong password');}
+ if($error=='')
+ {
+ $salt=bin2hex(random_bytes(32));
+ $hash=HASH.':'.hash(HASH, $pass.$salt);
+ mysqli_query($db, 'update users set salt="'.$salt.'", password="'.$hash.'" where id='.(int)$_SESSION['id']);
+ $msg=_('Changed password');
+ $oldpass='';
+ $pass='';
+ $pass2='';
+ }
+}
+if($error!=''){$msg='<span class="error">'.$error.'</span>';}
+?>
+<center>
+ <h1><?=_('Change password')?></h1>
+ <?=$msg?>
+</center>
+<form method="post"><?=nonce();?>
+ <div class="c2" style="text-align:right;"><?=_('Old password')?></div><div class="c2"><input type="password" name="oldpass" value="<?=$oldpass?>" /></div>
+ <div class="c2" style="text-align:right;"><?=_('New password')?></div><div class="c2"><input type="password" name="newpass" value="<?=$pass?>" /></div>
+ <div class="c2" style="text-align:right;"><?=_('New password again')?></div><div class="c2"><input type="password" name="newpass2" value="<?=$pass2?>" /></div>
+ <center><button><?=_('Change')?></button></center>
+</form>
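Review bot: The redirect on the `header('Location: '.BASEURL.'/login?...')` line is not followed by `exit;`, so a request without `$_SESSION['id']` continues into the password-change logic and the form rendering, where `(int)$_SESSION['id']` evaluates to 0 and the `update users ... where id=0` statement could run if `checknonce()` accepts the request; add `exit;` immediately after the header() call. The stored-hash check `if($oldhash!=$hash[1])` should be `if(!hash_equals($hash[1], $oldhash))`, which replaces the loose `!=` with a constant-time, type-strict comparison. The three `value="<?=$oldpass?>"`, `<?=$pass?>` and `<?=$pass2?>` attributes echo the submitted passwords back into the HTML unescaped; either drop the value attributes (password inputs are normally not pre-filled) or wrap each in `htmlspecialchars($x, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. The `update users set salt="..."` query concatenates `$salt` and `$hash` into SQL; both are produced on the preceding lines and are hex plus the HASH constant, so this is safe only as long as HASH stays free of quote characters, and a prepared statement with bound parameters would remove that dependency.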