diff --git a/plugins/Login/Controller.php b/plugins/Login/Controller.php
index 2d820d5e9f9..1f2fa7d68dc 100644
--- a/plugins/Login/Controller.php
+++ b/plugins/Login/Controller.php
@@ -201,6 +201,9 @@ public function confirmPassword()
         if (!empty($_POST)) {
             $nonce = Common::getRequestVar('nonce', null, 'string', $_POST);
             $password = Common::getRequestVar('password', null, 'string', $_POST);
+            if ($password) {
+                $password = Common::unsanitizeInputValue($password);
+            }
             if (!Nonce::verifyNonce($nonceKey, $nonce)) {
                 $messageNoAccess = $this->getMessageExceptionNoAccess();
             } elseif ($this->passwordVerify->isPasswordCorrect(Piwik::getCurrentUserLogin(), $password)) {
diff --git a/plugins/UsersManager/API.php b/plugins/UsersManager/API.php
index a3680c4d057..be3ea0d1030 100644
--- a/plugins/UsersManager/API.php
+++ b/plugins/UsersManager/API.php
@@ -901,6 +901,8 @@ public function updateUser($userLogin, $password = false, $email = false, $alias
             throw new Exception(Piwik::translate('UsersManager_ConfirmWithPassword'));
         }
 
+        $passwordConfirmation = Common::unsanitizeInputValue($passwordConfirmation);
+
         $loginCurrentUser = Piwik::getCurrentUserLogin();
         if (!$this->passwordVerifier->isPasswordCorrect($loginCurrentUser, $passwordConfirmation)) {
             throw new Exception(Piwik::translate('UsersManager_CurrentPasswordNotCorrect'));
diff --git a/plugins/UsersManager/Controller.php b/plugins/UsersManager/Controller.php
index 183d9f4a788..439e4cb6e56 100644
--- a/plugins/UsersManager/Controller.php
+++ b/plugins/UsersManager/Controller.php
@@ -435,7 +435,7 @@ private function processPasswordChange($userLogin)
         if ($newPassword !== false && !Url::isValidHost()) {
             throw new Exception("Cannot change password or email with untrusted hostname!");
         }
-
+        // UI disables password change on invalid host, but check here anyway
         Request::processRequest('UsersManager.updateUser', [
            'userLogin' => $userLogin,
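Review bot: The new guard `if ($password)` tests truthiness rather than presence, so a password of `'0'` skips the `Common::unsanitizeInputValue` call that follows; that is harmless here only because `'0'` contains nothing to decode, and what is meant is a null check, `if ($password !== null) {`. The sibling hunk in plugins/UsersManager/API.php applies the same unsanitize call unconditionally to `$passwordConfirmation`, and the two verification sites should use the same shape so a future reader does not wonder why they differ. A one-line why-comment above the block would also help, since the reason for decoding a password is not obvious from the code: `// the request value is sanitized on the way in; verify against the raw password the user typed`, hedged to whatever getRequestVar() actually does, which is not visible here. confirmPassword's body continues outside the hunk.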
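Review bot: Only `$passwordConfirmation` is decoded before the `isPasswordCorrect` check; the new `$password` that updateUser goes on to store is not touched in this hunk, so if it arrives through the same sanitizing request path, the stored hash would be derived from the escaped form while the confirmation is compared raw, and a password containing `&`, `<`, `>` or quotes would then fail to log in afterwards. That may already be handled elsewhere in updateUser (the function starts before and ends after this hunk), but it is worth confirming and, if so, pointing to it with a comment next to the added line, e.g. `// $password is unsanitized further down before hashing`. The added line also deserves a short why-comment, since decoding a credential looks wrong at first glance: `// request values arrive HTML-escaped; compare the raw password the user typed`.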