From 8a9735e34dc99c24355e0aee74a3cd49aa3b1492 Mon Sep 17 00:00:00 2001
From: Andreas Gohr <andi@splitbrain.org>
Date: Sun, 19 Feb 2012 13:38:31 +0100
Subject: added a timelimit for password reset tokens

passwords now need to be reset within 3 days of requesting the password
change mail
---
 inc/auth.php | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/inc/auth.php b/inc/auth.php
index 437a82a82..4e11288e1 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -860,6 +860,14 @@ function act_resendpwd(){
             unset($_REQUEST['pwauth']);
             return false;
         }
+        // token is only valid for 3 days
+        if( (time() - filemtime($tfile)) > (3*60*60*24) ){
+            msg($lang['resendpwdbadauth'],-1);
+            unset($_REQUEST['pwauth']);
+            @unlink($tfile);
+            return false;
+        }
+
         $user = io_readfile($tfile);
         $userinfo = $auth->getUserData($user);
         if(!$userinfo['mail']) {
-- 
cgit v1.2.3