From 07552f5577ff8b1e6f7cdefafcce9b2a744d3a24 Mon Sep 17 00:00:00 2001
From: Thorsten Rinne
Date: Wed, 12 Apr 2023 14:08:17 +0200
Subject: [PATCH] fix: avoid possible email address manipulation
---
 phpmyfaq/ajaxservice.php | 5 +++++
 phpmyfaq/src/phpMyFAQ/User.php | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/phpmyfaq/ajaxservice.php b/phpmyfaq/ajaxservice.php
index ccb3c3e3c2..9b123a0b12 100644
--- a/phpmyfaq/ajaxservice.php
+++ b/phpmyfaq/ajaxservice.php
@@ -774,6 +774,11 @@
 break;
 }
+ if ($userId !== $user->getUserIdByEmail($email)) {
+ $message = ['error' => 'User ID / email mismatch!'];
+ break;
+ }
+
 if (strlen($password) <= 7 || strlen($confirm) <= 7) {
 $message = ['error' => $PMF_LANG['ad_passwd_fail']];
 break;
diff --git a/phpmyfaq/src/phpMyFAQ/User.php b/phpmyfaq/src/phpMyFAQ/User.php
index 2ad5324322..f82f8eff77 100644
--- a/phpmyfaq/src/phpMyFAQ/User.php
+++ b/phpmyfaq/src/phpMyFAQ/User.php
@@ -908,7 +908,7 @@ public function getUserIdByEmail(string $email): int
 $userData = $this->userdata->fetchAll('email', $email);
- return (int)$userData['user_id'];
+ return $userData['user_id'];
 }
 /**
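Review bot: The added guard in phpmyfaq/ajaxservice.php uses `!==`, so it only passes when `$userId` is an int equal to the lookup result, and the assignment of `$userId` is outside this hunk. If `$userId` can reach this point as a numeric string, every request is rejected; if it is already a validated int the check is sound, but its purpose should be stated, e.g. `// The submitted email must already belong to this user ID; a mismatch means the form data was altered.` A mismatch is a tampering signal rather than a typo, so it is worth recording through whatever audit or error logging the project already has. The surrounding case block starts and ends outside the hunk.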
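Review bot: Removing the `(int)` cast in getUserIdByEmail() changes what happens for an email that matches no account: the cast turned a missing `user_id` into 0, whereas the bare return hands null to the declared `int` return type, which raises a TypeError. This assumes `fetchAll()` can return a result without a `user_id` key, which is not visible here. The new caller in ajaxservice.php would then end in an error instead of its 'User ID / email mismatch!' branch, so the two cases become distinguishable to the client. Handling the no-match case explicitly keeps the check fail-closed, e.g. `return isset($userData['user_id']) ? (int)$userData['user_id'] : 0;`, provided 0 is never a real user ID. The method's signature and opening lines are outside the hunk.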