From: Andrew Dolgov <fox@fakecake.org>
Date: Thu, 16 Aug 2012 14:27:26 +0000 (+0400)
Subject: auth_internal.change_password: do not rely on session
X-Git-Tag: 1.6.0~135
X-Git-Url: https://git.wh0rd.org/?a=commitdiff_plain;h=dc0374df2ba76876765fac373e0de69e642a98dc;p=tt-rss.git

auth_internal.change_password: do not rely on session
---

diff --git a/classes/auth_internal.php b/classes/auth_internal.php
index eb376568..8890d445 100644
--- a/classes/auth_internal.php
+++ b/classes/auth_internal.php
@@ -75,14 +75,15 @@ class Auth_Internal extends Auth_Base {
 	function change_password($owner_uid, $old_password, $new_password) {
 		$owner_uid = db_escape_string($owner_uid);
 
-		$result = db_query($this->link, "SELECT salt FROM ttrss_users WHERE
+		$result = db_query($this->link, "SELECT salt,login FROM ttrss_users WHERE
 			id = '$owner_uid'");
 
 		$salt = db_fetch_result($result, 0, "salt");
+		$login = db_fetch_result($result, 0, "login");
 
 		if (!$salt) {
 			$old_password_hash1 = encrypt_password($old_password);
-			$old_password_hash2 = encrypt_password($old_password, $_SESSION["name"]);
+			$old_password_hash2 = encrypt_password($old_password, $login);
 
 			$query = "SELECT id FROM ttrss_users WHERE
 				id = '$owner_uid' AND (pwd_hash = '$old_password_hash1' OR