Verify account only if a request is in progress

dregad · dregad · commit 14c61a8c4413 · 2017-04-16T18:27:55.000+02:00
The account verification page should only proceed and allow updating the user's profile (including resetting their password) when there is an active activation token. Fixes #22690 Backported from cfbc5e5
diff --git a/verify.php b/verify.php
@@ -63,7 +63,7 @@
 
 $t_token_confirm_hash = token_get_value( TOKEN_ACCOUNT_ACTIVATION, $f_user_id );
 
-if( $f_confirm_hash != $t_token_confirm_hash ) {
+if( $t_token_confirm_hash == null || $f_confirm_hash !== $t_token_confirm_hash ) {
 	trigger_error( ERROR_LOST_PASSWORD_CONFIRM_HASH_INVALID, ERROR );
 }
 

Original file line number	Diff line number	Diff line change
`@@ -63,7 +63,7 @@`
`63`	`63`
`64`	`64`	`$t_token_confirm_hash = token_get_value( TOKEN_ACCOUNT_ACTIVATION, $f_user_id );`
`65`	`65`
`66`		`-if( $f_confirm_hash != $t_token_confirm_hash ) {`
	`66`	`+if( $t_token_confirm_hash == null \|\| $f_confirm_hash !== $t_token_confirm_hash ) {`
`67`	`67`	`trigger_error( ERROR_LOST_PASSWORD_CONFIRM_HASH_INVALID, ERROR );`
`68`	`68`	`}`
`69`	`69`