X-Git-Url: https://vcs.fsf.org/?a=blobdiff_plain;f=plugins%2Fchange_password%2Foptions.php;h=474fe6194bee27f84ff9febb39a8d18f1a2f2ab6;hb=3047e291f2982efe9501ec790faafd3da843d22d;hp=0695b4428ab09b8eae6bcba5167b3422cb3e87c2;hpb=d4e46166df04792c6b939356ea5dfda8e47bba7b;p=squirrelmail.git
diff --git a/plugins/change_password/options.php b/plugins/change_password/options.php
index 0695b442..474fe619 100644
--- a/plugins/change_password/options.php
+++ b/plugins/change_password/options.php
@@ -3,7 +3,7 @@ /** * options.php - Change Password HTML page * - * @copyright © 2004-2009 The SquirrelMail Project Team + * @copyright 2004-2012 The SquirrelMail Project Team * @license http://opensource.org/licenses/gpl-license.php GNU Public License * @version $Id$ * @package plugins
@@ -53,6 +53,11 @@ if (file_exists(SM_PATH . 'plugins/change_password/backend/'.$cpw_backend.'.php' /* the form was submitted, go for it */ if(sqgetGlobalVar('cpw_go', $cpw_go, SQ_POST)) { + + // security check + sqgetGlobalVar('smtoken', $submitted_token, SQ_POST, ''); + sm_validate_security_token($submitted_token, 3600, TRUE); + /* perform basic checks */ $Messages = cpw_check_input();
@@ -76,13 +81,14 @@ do_hook('change_password_init', $null); if (isset($Messages) && count($Messages) > 0) { echo "\n"; foreach ($Messages as $line) { - echo htmlspecialchars($line) . "
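Review bot: The return value of `sm_validate_security_token($submitted_token, 3600, TRUE)` in the second hunk is discarded, so the password change is protected against cross-site request forgery only if that helper stops the request itself on a missing, stale or wrong token; its definition is outside this diff, so that contract should be stated next to the call. I would add `// sm_validate_security_token() must not return on failure (third argument TRUE = show error and stop); 3600 = token lifetime in seconds - confirm against its definition`, or test the result explicitly with `if (!sm_validate_security_token($submitted_token, 3600, TRUE)) exit;`. The check also depends on the form posting an `smtoken` field; the line added at the end of the last hunk shows no content in this rendering, so verify that the field is emitted there. The enclosing `if(sqgetGlobalVar('cpw_go', $cpw_go, SQ_POST))` block continues past this hunk.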
\n"; + echo sm_encode_html_special_chars($line) . "
\n"; } echo "\n"; } ?> +