diff --git a/ajax/bandwidth/get_bandwidth.php b/ajax/bandwidth/get_bandwidth.php
index a784b4d7..1f11b556 100644
--- a/ajax/bandwidth/get_bandwidth.php
+++ b/ajax/bandwidth/get_bandwidth.php
@@ -1,8 +1,10 @@
diff --git a/ajax/networking/get_int_config.php b/ajax/networking/get_int_config.php
index d29ee735..21f41ed6 100644
--- a/ajax/networking/get_int_config.php
+++ b/ajax/networking/get_int_config.php
@@ -1,10 +1,12 @@ addMessage('New passwords do not match', 'danger'); - } elseif ($new_username == '') { - $status->addMessage('Username must not be empty', 'danger'); - } else { - if (!file_exists(RASPI_ADMIN_DETAILS)) { - $tmpauth = fopen(RASPI_ADMIN_DETAILS, 'w'); - fclose($tmpauth); - } - - if ($auth_file = fopen(RASPI_ADMIN_DETAILS, 'w')) { - fwrite($auth_file, $new_username.PHP_EOL); - fwrite($auth_file, password_hash($_POST['newpass'], PASSWORD_BCRYPT).PHP_EOL); - fclose($auth_file); - $username = $new_username; - $status->addMessage('Admin password updated'); - } else { - $status->addMessage('Failed to update admin password', 'danger'); - } - } + if (password_verify($_POST['oldpass'], $password)) { + $new_username=trim($_POST['username']); + if ($_POST['newpass'] !== $_POST['newpassagain']) { + $status->addMessage('New passwords do not match', 'danger'); + } elseif ($new_username == '') { + $status->addMessage('Username must not be empty', 'danger'); } else { - $status->addMessage('Old password does not match', 'danger'); + if (!file_exists(RASPI_ADMIN_DETAILS)) { + $tmpauth = fopen(RASPI_ADMIN_DETAILS, 'w'); + fclose($tmpauth); + } + + if ($auth_file = fopen(RASPI_ADMIN_DETAILS, 'w')) { + fwrite($auth_file, $new_username.PHP_EOL); + fwrite($auth_file, password_hash($_POST['newpass'], PASSWORD_BCRYPT).PHP_EOL); + fclose($auth_file); + $username = $new_username; + $status->addMessage('Admin password updated'); + } else { + $status->addMessage('Failed to update admin password', 'danger'); + } } } else { - error_log('CSRF violation'); + $status->addMessage('Old password does not match', 'danger'); } } ?> @@ -44,7 +40,7 @@ function DisplayAuthConfig($username, $password)
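Review bot: The removed `error_log('CSRF violation')` branch was the only CSRF handling visible in this block, and on the new side nothing between the added `if (password_verify($_POST['oldpass'], $password))` and the `fopen(RASPI_ADMIN_DETAILS, 'w')` write checks a request token; unless that check was moved to a shared include outside this hunk, a forged POST from a logged-in admin's browser can now rotate the admin username and password. Keep the handler wrapped in whatever token guard the removed branch belonged to, with the `password_verify` block as its `elseif`/inner branch, so a CSRF failure is still logged and never reaches the file write. The validation also checks only `$new_username == ''`; the new password is never tested, so an empty string becomes the admin password — add `} elseif ($_POST['newpass'] === '') { $status->addMessage('New password must not be empty', 'danger');` before the write. The `file_exists` + `fopen(..., 'w')` pre-creation is redundant (`'w'` already creates the file) and truncating before `fwrite` means a failed write leaves an empty credentials file; `file_put_contents(RASPI_ADMIN_DETAILS, $new_username.PHP_EOL.password_hash($_POST['newpass'], PASSWORD_BCRYPT).PHP_EOL, LOCK_EX)` with an `=== false` check is safer and shorter. The enclosing `DisplayAuthConfig` function starts before this hunk and its first visible line is truncated, so the outer condition being replaced cannot be confirmed from here.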
showMessages(); ?>