Minor security improvements

board.php

@@ -139,6 +139,7 @@
 if ( $Game->watched() && isset($_REQUEST['unwatch'])) {
 	print '<div class="content-notice gameTimeRemaining">'
 		.'<form method="post" action="redirect.php">'
+		.libAuth::formTokenHTML()
 		.'Are you sure you wish to remove this game from your spectated games list? '
 		.'<input type="hidden" name="gameID" value="'.$Game->id.'">'
 		.'<input type="submit" class="form-submit" name="unwatch" value="Confirm">

gamepanel/game.php

@@ -537,6 +537,7 @@ function joinBar()
 			if( $User->type['User'] && $this->phase != 'Finished')
 			{
 				$buf .= '<form method="post" action="redirect.php">'
+						.libAuth::formTokenHTML()
 				       .'<input type="hidden" name="gameID" value="'.$this->id.'">';
 				if( ! $this->watched() ) {
 					$buf .= '<input style="margin-top: 0.5em;" type="submit" title="'.l_t('Adds this game to the watched games list on your home page, and subscribes you to game notifications').'" '

lib/auth.php

@@ -150,10 +150,10 @@ public static function formTokenHTML()
 	 */
 	public static function email_validateURL($email)
 	{
-		$thisURL = 'http://'.$_SERVER['SERVER_NAME'].$_SERVER['PHP_SELF'];
+		$thisURL = 'https://'.$_SERVER['SERVER_NAME'].$_SERVER['PHP_SELF'];
 
 		// %7C = | , but some webmail clients think that | is the end of the link
-		$emailToken = substr(md5(Config::$secret.$email),0,5).'%7C'.urlencode($email);
+		$emailToken = substr(md5(Config::$secret.$email.$timestamp),0,8).'%7C'.$timestamp.'%7C'.urlencode($email);
 
 		return $thisURL.'?emailToken='.$emailToken;
 	}
@@ -167,14 +167,16 @@ public static function email_validateURL($email)
 	 */
 	public static function emailToken_email($emailToken)
 	{
-		$emailToken = explode('|',$emailToken,2);
+		$emailToken = explode('|',$emailToken,3);
 
-		if ( count($emailToken) != 2 )
+		if ( count($emailToken) != 3 )
 			return false;
 
-		list($key, $email) = $emailToken;
+		list($key, $timestamp, $email) = $emailToken;
 
-		if ( $key !== substr(md5(Config::$secret.$email),0,5) )
+		if( (time() - $timestamp) > 60*60 ) throw new Exception("The given e-mail token link has expired; please request another one and click the link within an hour.");
+
+		if ( $key !== substr(md5(Config::$secret.$email.$timestamp),0,8) )
 			return false;
 		else
 			return $email;

logon.php

@@ -79,8 +79,15 @@
 		}
 		elseif ( $_REQUEST['forgotPassword'] == 3 && isset($_REQUEST['emailToken']) )
 		{
-			$email = $DB->escape(libAuth::emailToken_email($_REQUEST['emailToken']));
+			$validatedEmail = libAuth::emailToken_email($_REQUEST['emailToken']);
+			if( $validatedEmail === false )
+				throw new Exception(l_t("Account not found"));
+
+			$email = $DB->escape();
 			$userID = User::findEmail($email);
+			if( $userID == 0 )
+				throw new Exception(l_t("Account not found"));
+
 			$newPassword = base64_encode(rand(1000000000,2000000000));
 
 			$DB->sql_put("UPDATE wD_Users

redirect.php

@@ -23,6 +23,7 @@
 if ((isset($_POST['watch']) || isset($_POST['unwatch'])) && isset($_POST['gameID'])) {
 	require_once(l_r('objects/game.php'));
 	require_once(l_r('gamepanel/gameboard.php'));
+	libAuth::formToken_Valid();
 
 	$gameID = (int)$_POST['gameID'];
 	// Get the game object, if this fails, then someone has entered some rubbish for the gameID