author | Luke Shumaker <LukeShu@sbcglobal.net> | 2014-05-05 15:30:48 -0400 |
committer | Luke Shumaker <LukeShu@sbcglobal.net> | 2014-05-05 15:30:48 -0400 |
commit | 3d86add3dfa5e0b3ead9859593d4a52cf7555a34 (patch) | |
tree | 453d8bd3fda4dbb3020017ea1a469291da5cdc71 /includes/specials/SpecialChangePassword.php | |
parent | 064cec79ca4c8201de0d06bbca6cb7a5345d11be (diff) | |
parent | 2e44b49a2db3026050b136de9b00f749dd3ff939 (diff) |
Merge branch 'archwiki'
Diffstat (limited to 'includes/specials/SpecialChangePassword.php')
-rw-r--r-- | includes/specials/SpecialChangePassword.php | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/includes/specials/SpecialChangePassword.php b/includes/specials/SpecialChangePassword.php
index c54b5575..a75e7e83 100644
--- a/includes/specials/SpecialChangePassword.php
+++ b/includes/specials/SpecialChangePassword.php
@@ -52,6 +52,11 @@ class SpecialChangePassword extends UnlistedSpecialPage {
 $this->mDomain = $request->getVal( 'wpDomain' );
 $user = $this->getUser();
+
+ if ( !$user->isLoggedIn() && !LoginForm::getLoginToken() ) {
+ LoginForm::setLoginToken();
+ }
+
 if ( !$request->wasPosted() && !$user->isLoggedIn() ) {
 $this->error( $this->msg( 'resetpass-no-info' )->text() );
@@ -81,6 +86,14 @@ class SpecialChangePassword extends UnlistedSpecialPage {
 return;
 }
+ if ( !$user->isLoggedIn()
+ && $request->getVal( 'wpLoginOnChangeToken' ) !== LoginForm::getLoginToken()
+ ) {
+ // Potential CSRF (bug 62497)
+ $this->error( $this->msg( 'sessionfailure' )->text() );
+ return false;
+ }
+
 $this->attemptReset( $this->mNewpass, $this->mRetype );
 if ( $user->isLoggedIn() ) {
@@ -157,6 +170,9 @@ class SpecialChangePassword extends UnlistedSpecialPage {
 'wpName' => $this->mUserName,
 'wpDomain' => $this->mDomain,
 ) + $this->getRequest()->getValues( 'returnto', 'returntoquery' );
+ if ( !$user->isLoggedIn() ) {
+ $hiddenFields['wpLoginOnChangeToken'] = LoginForm::getLoginToken();
+ }
 $hiddenFieldsStr = '';
 foreach ( $hiddenFields as $fieldname => $fieldvalue ) {
 $hiddenFieldsStr .= Html::hidden( $fieldname, $fieldvalue ) . "\n";
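Review bot: The new block at the top of the first hunk mints a session login token for every anonymous request, including the POST itself, before `wasPosted()` is consulted, and nothing explains why that is safe. Because a POST arriving with no prior session gets a freshly generated token here, the later comparison can never match it and the request fails closed, which is the intended property and worth stating in a comment such as `// Anonymous reset: ensure a session-bound token exists so the POST can be tied to a form this session rendered; a POST with no prior session gets a fresh token and is rejected.` Note also that `!LoginForm::getLoginToken()` is a truthiness test, so any falsy token value would be regenerated; a check against the helper's actual empty return (`=== ''` or `=== null`, whichever it documents) would be clearer. The enclosing method starts before this hunk.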
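Review bot: The token check in the second hunk exits with `return false;` while the surrounding method uses a bare `return;` (visible just above it), which is inconsistent and implies a caller distinguishes the result when the rest of the method suggests it does not; use `return;` or whatever the method's real return contract is. The `!==` comparison is not constant-time: if the project's PHP baseline provides `hash_equals()` (PHP 5.6+) or MediaWiki has an equivalent helper, prefer it, casting the possibly-null request value first, `if ( !$user->isLoggedIn() && !hash_equals( LoginForm::getLoginToken(), (string)$request->getVal( 'wpLoginOnChangeToken' ) ) ) {`. The check also sits after whatever validation precedes it (the `return;` block above, whose condition is outside the hunk), so a forged POST is still processed up to that point; validating the token before anything else is done with POSTed fields is the usual ordering. The enclosing method begins before this hunk.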
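Review bot: The third hunk reads `$user` to decide whether to emit the hidden token field, but the surrounding lines use `$this->getRequest()` rather than the `$request` local of the earlier hunks, which suggests this is a different method; its start is outside the hunk, so I cannot confirm `$user` is assigned there. If it is not, `$user->isLoggedIn()` is a call on null, and if a stale or differently scoped `$user` exists, the hidden field is silently omitted and every anonymous reset then fails the new `sessionfailure` check. Obtaining the user the same way the first hunk does avoids the dependency on a local: `if ( !$this->getUser()->isLoggedIn() ) {`. A short comment on the new block, e.g. `// Anonymous submissions must echo the session login token back (checked in execute())`, would also tie the field to the check it feeds.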