From 130257c96a2392ada795785a91178e656e27015c Mon Sep 17 00:00:00 2001
From: Antoine Nguyen
Date: Fri, 14 Apr 2023 18:44:23 +0200
Subject: [PATCH] Fixed security issue with password update.

---
 modoboa/core/forms.py           | 5 +++++
 modoboa/core/tests/test_core.py | 7 +++++++
 2 files changed, 12 insertions(+)

diff --git a/modoboa/core/forms.py b/modoboa/core/forms.py
index b98e53175..a52bb8610 100644
--- a/modoboa/core/forms.py
+++ b/modoboa/core/forms.py
@@ -92,6 +92,11 @@ def clean(self):
                     confirmation, self.instance)
             else:
                 self.add_error("oldpassword", _("This field is required."))
+        elif newpassword or confirmation:
+            if not confirmation:
+                self.add_error("confirmation", _("This field is required."))
+            else:
+                self.add_error("newpassword", _("This field is required."))
         return self.cleaned_data
 
     def save(self, commit=True):
diff --git a/modoboa/core/tests/test_core.py b/modoboa/core/tests/test_core.py
index ef7b99688..a0c6a36bf 100644
--- a/modoboa/core/tests/test_core.py
+++ b/modoboa/core/tests/test_core.py
@@ -146,6 +146,13 @@ def test_update_password(self):
             self.client.login(username="user@test.com", password="toto"), True
         )
+        self.ajax_post(
+            reverse("core:user_profile"),
+            {"oldpassword": "toto",
+             "confirmation": "tutu"},
+            status=400
+        )
+
         self.ajax_post(
             reverse("core:user_profile"),
             {"oldpassword": "toto",
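Review bot: The added `elif` branch rejects a lone `newpassword` or `confirmation` inside `clean()`, but nothing in the hunk changes `save()` (its body starts past the last context line), so if that method still sets the password from `cleaned_data` on its own, this remains a single-point guard that any caller skipping `is_valid()` would bypass. I would repeat the check where `set_password` is called, e.g. `if self.cleaned_data.get("newpassword") and self.cleaned_data.get("confirmation"):`, so that only a `newpassword` that went through `validate_password_and_confirmation` can ever become the stored password. A why-comment above the `elif` would also help the next reader, e.g. `# Reject a lone newpassword/confirmation: a confirmation that skipped validate_password_and_confirmation must never reach save().` Note the new branch does not demand `oldpassword`; that is acceptable only because the form error already blocks saving, and the comment should say so. The added test covers only `oldpassword`+`confirmation`; the mirror case (`newpassword` without `confirmation`) and a follow-up assertion that `toto` still logs in would pin the invariant the fix restores.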