From 117ecbc89d8b337885cd59e7990f7fe2f18019c6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=B4me=20Chilliet?= <come@opensides.be>
Date: Thu, 6 Sep 2018 16:29:44 +0200
Subject: [PATCH] :ambulance: fix(recovery) Fix recovery to use new
 standAlonePage workflow

This should fix CSRF crashes with recovery

issue #5854
---
 html/recovery.php                  | 16 +++++-----------
 ihtml/themes/legacy/recovery.tpl   |  1 +
 include/class_passwordRecovery.inc |  6 ++++--
 3 files changed, 10 insertions(+), 13 deletions(-)

diff --git a/html/recovery.php b/html/recovery.php
index ecce93c73..0dd3ec50e 100644
--- a/html/recovery.php
+++ b/html/recovery.php
@@ -1,7 +1,7 @@
 <?php
 /*
   This code is part of FusionDirectory (http://www.fusiondirectory.org/)
-  Copyright (C) 2011-2016  FusionDirectory
+  Copyright (C) 2011-2018  FusionDirectory
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -18,14 +18,8 @@
   Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
 */
 
-require_once("../include/php_setup.inc");
-require_once("functions.inc");
-require_once("variables.inc");
+require_once('../include/php_setup.inc');
+require_once('functions.inc');
+require_once('variables.inc');
 
-$pwRecovery = new passwordRecovery();
-
-$pwRecovery->execute();
-
-$pwRecovery->displayPWchanger();
-
-?>
+passwordRecovery::run();
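Review bot: The CSRF verification this page now depends on is not visible in the patch, because `passwordRecovery::run()` is not defined here and is presumably inherited from `standAlonePage`. Since the script no longer shows the order of steps, a short comment above the call would help the next reader, e.g. `/* run() comes from standAlonePage: expected to set up the session, verify the CSRF token on POST, then call execute() */`. It is worth confirming that the token check in `run()` happens before `execute()`, since `execute()` now processes the submitted data itself.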
diff --git a/ihtml/themes/legacy/recovery.tpl b/ihtml/themes/legacy/recovery.tpl
index 0351c080f..1f4da0945 100644
--- a/ihtml/themes/legacy/recovery.tpl
+++ b/ihtml/themes/legacy/recovery.tpl
@@ -9,6 +9,7 @@
 <div id="window-div">
 
   <form action='recovery.php{$params}' method='post' name='mainform' onSubmit='js_check(this);return true;'>
+    <input type="hidden" name="CSRFtoken" value="{$CSRFtoken}"/>
 
   <div id="window-titlebar">
     <p>
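Review bot: The new hidden field prints `{$CSRFtoken}` without an escape modifier, and the assignment of that template variable is not part of this patch. Unless the Smarty setup escapes output by default, `value="{$CSRFtoken|escape}"` is the safer form and changes nothing for a plain hex or base64 token. Only the legacy theme's template is touched here; if another theme ships its own `recovery.tpl`, it needs the same field or its recovery form will presumably be rejected by the token check. The form continues outside the hunk.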
diff --git a/include/class_passwordRecovery.inc b/include/class_passwordRecovery.inc
index 3d348de45..c6dcddd4d 100644
--- a/include/class_passwordRecovery.inc
+++ b/include/class_passwordRecovery.inc
@@ -66,7 +66,7 @@ class passwordRecovery extends standAlonePage {
     }
   }
 
-  function execute()
+  function save_object()
   {
     if (!$this->activated) {
       return;
@@ -98,8 +98,10 @@ class passwordRecovery extends standAlonePage {
     }
   }
 
-  function displayPWchanger()
+  function execute()
   {
+    $this->save_object();
+
     /* Do we need to show error messages? */
     if (count($this->message) != 0) {
       /* Show error message and continue editing */
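Review bot: `execute()` now handles request input as well as rendering, because it calls `$this->save_object()` first, yet neither method carries a docblock that says so. A caller that invokes `execute()` directly instead of going through `run()` would process POST data without whatever checks `run()` performs; a docblock such as `/* Processes the submitted form via save_object(), then renders the page; call through run() only */` would make that contract explicit. The `displayPWchanger()` name disappears with this rename, so any caller outside this patch (none is visible here) would break. Both function bodies continue outside the hunks.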
-- 
GitLab